Hi All,
Issue: SMP using expired SAP Logon Tickets for Agentry Inventory Manager service account connection to ECC backend.
We are using SMP 3.0 sp07 and Inventory Manager 4.2.1, and have configured SSO for Inventory Manager by following the SAP Inventory Manager Installation guide.
SSO for Inventory Manager is configured to use SAP Logon Tickets issued by our Enterprise Portal, and the appropriate trust relationships have been configured between EP and the ECC backend of the Inventory Manager app.
Currently Enterprise Portal is configured to issue Logon Tickets with an 8 hour lifetime.
When we restart the Agentry Inventory Manager app on SMP, we are able to successfully authenticate to the app by using EP credentials.
However, once 8 hours have passed since we restarted the Agentry IM app, users start getting an authentication error 'Error validation user password'.
If I look at the EP security log, I can see the user is being authenticated successfully against EP.
If I look in the SMP server log, I can see the following errors:
First error seen is:
2016 07 25 09:15:01#+0200#INFO#System.out##anonymous#Agentry Runtime Worker Thread###getRepository::Error Retrieving repository for 200 |
Second error seen is:
2016 07 25 09:15:01#+0200#INFO#System.out##anonymous#Agentry Runtime Worker Thread###getFunction::Error creating function /SYCLO/CORE_SUSR_LOGIN_CHECK : Initialization of repository destination DESTINATION_SERVICE failed: An expired SSO ticket was received ( grace period ). on xyz.hostname.com sysnr 00 |
I tried creating a new user and trying to authenticate, but I still received the error. This makes me think that it is not end user related, as a new user could not be issued an expired logon ticket.
(Of note, we also use the same EP to generate SAP Logon Tickets for NWBC on the same ECC system. This does not have any logon ticket expiration issues. Thus it leads me to believe it is not related to trusts, sso configuration, profile parameters or logon ticket expiration time settings)
I looked a little further at the EP security logs and noticed that the Agentry Inventory Manager service account (configured in JavaBE.ini) was also authenticating against EP when the application is restarted. Thus it makes me think that the service account gets a SAP Logon Ticket upon application start and that SAP Logon Ticket is used to authenticate the service account to the ECC backend of the Agentry app.
But then what happens when the SAP Logon Ticket issued to the service account on Agentry app startup expires?
I guess repository communication stops and user authentication fails?
There doesn't seem to be a documented method of re-authenticating the service account so that it gets a new logon ticket every xx:xx hours.
Has anyone else encountered this issue or completed a similar setup and have any tips?
Below is our JavaBE.ini file, in case that helps
[HOST]
server=xyz.hostname.com
; mobile application name configured in sap like SMART_WORK_MANAGER_51, SMART_CUSTOMER_SERVICE_10, SMART_ISU_WORK_MANAGER_10...etc
APPNAME=SAP_INVENTORY_MANAGER_42
[CONFIG]
; Used to get the SAP Configurations from SAP if source=SAP or from JavaBE ini file
; SAP Configurations are [ENABLE_TABLE], [TABLE_CHECK], [TABLE_REFRESH], [BAPI_WRAPPER],
; [SAPOBJECT], [CT_SAPOBJECT], [CT_BAPI_WRAPPER], [CT_RETURN_TABLE], [CT_DELETE_TABLE].....etc
source=SAP
[JCO]
CLASS=JCO3
[JCO3_CUSTOM_PROPERTIES]
; be careful with this section as it can be used to both extend and/or override base property values on the destination
#### example for group logon with SSO
;jco.client.ashost=
;jco.client.sysnr=
;jco.client.mshost=MESSAGE_HOST_NAME
;jco.client.r3name=R3_NAME
;jco.client.group=GROUP_NAME
##### example for snc login
;jco.client.snc_mode=1
;jco.client.snc_partnername=p:CN=SAPSERVER_NAME, O=ORG_NAME, C=COUNTRY_NAME
;jco.client.snc_myname=p:CN=SMPSERVER_NAME, O=ORG_NAME, C=COUNTRY_NAME
;jco.client.snc_qop=3
;jco.client.snc_lib=sapcrypto.dll
;jco.client.snc_sso=0
##### for extra debugging information
jco.client.trace=1
jco.client.cpic_trace=3
[PUSH_LOGON]
ENABLED=false
UID=
UPASSWORD=
UPASSWORDENCODED=false
SHAREDCONNECTION=10
[CLIENT_NUM]
CLIENT=200
[SYSTEM_NUM]
SYSNUM=00
[LANGUAGE]
LANG=NO
[LOGGING]
;1=Fatal, 2=Error, 3=Warning, 4=Info, 5=debug, 6=trace
Level=6
[LOGON_METHOD]
; USER_AUTH if standard UID/Password authentication is used
; USER_AUTH_GLOBAL if pooled connections using single UID/Password is used
; USER_AUTH_GROUP if UID/Password authentication with SAP Message Server
; (load balancing) is used
; USER_AUTH_SSO if SSO2 ticket authentication with SAP Portal Server is used
; USER_AUTH_CUSTOM for a custom login module setup
LOGON_METHOD=USER_AUTH_SSO
[GLOBAL_LOGON]
; referenced when LOGON_METHOD=USER_AUTH_GLOBAL
; uses a pool of connections to the SAP backend all utilizing a single
; UID/password
UID=
UPASSWORD=
SHAREDCONNECTION=100
GET_PERSONNEL_INFO=N
[GROUP_LOGON]
; referenced when LOGON_METHOD=USER_AUTH_GROUP
; individual user authentication using an SAP Message Server which distributes
; client connections among a "group" of SAP application servers based on load
; balancing criteria
;
UID=
UPASSWORD=
SHAREDCONNECTION=
; host name or IP address of SAP Message Server
MESSAGE_SERVER=
R3_NAME=
GROUP_NAME=
SYSTEM_ID=
CLIENT=
SHAREDCONNECTIONS=
[USER_AUTH_CUSTOM]
; referenced when LOGON_METHOD=USER_AUTH_CUSTOM
; custom defined login configuration that use JAAS for authentication
;
MODULE_CLASS_1=com.syclo.sap.auth.LoginModuleBasic
MODULE_CLASS_1_FLAG=REQUIRED
MODULE_CLASS_1_OPTION_1_KEY=CLIENT_NUM
MODULE_CLASS_1_OPTION_1_VALUE=clientNum
MODULE_CLASS_1_OPTION_2_KEY=HOST
MODULE_CLASS_1_OPTION_2_VALUE=serverHostName
MODULE_CLASS_1_OPTION_3_KEY=SYS_NUM
MODULE_CLASS_1_OPTION_3_VALUE=sysNum
;MODULE_CLASS_2=
;MODULE_CLASS_2_FLAG=
;
;MODULE_CLASS_3=
;MODULE_CLASS_3_FLAG=
; class to instantiate for the callback handler
CALLBACK_HANDLER_CLASS=com.syclo.sap.auth.CallbackHandler
[REQUIRED_BAPI_WRAPPER]
com.syclo.sap.bapi.LoginCheckBAPI=/SYCLO/CORE_SUSR_LOGIN_CHECK
com.syclo.sap.bapi.RemoteUserCreateBAPI=/SYCLO/CORE_MDW_SESSION1_CRT
com.syclo.sap.bapi.RemoteParameterGetBAPI=/SYCLO/CORE_MDW_PARAMETER_GET
com.syclo.sap.bapi.SystemInfoBAPI=/SYCLO/CORE_SYSTINFO_GET
com.syclo.sap.bapi.ChangePasswordBAPI=/SYCLO/CORE_SUSR_CHANGE_PASSWD
com.syclo.sap.bapi.CTConfirmationBAPI=/SYCLO/CORE_OUTB_MSG_STAT_UPD
com.syclo.sap.bapi.DTBAPI=/SYCLO/CORE_DT_GET
com.syclo.sap.bapi.GetEmployeeDataBAPI=/SMERP/HR_DOEMPLOYEE_DATA_GET
com.syclo.sap.bapi.GetUserDetailBAPI=/SYCLO/CORE_USER_GET_DETAIL
com.syclo.sap.bapi.GetUserProfileDataBAPI=/SYCLO/CORE_USER_PROFILE_GET
com.syclo.sap.bapi.PushStatusUpdateBAPI=/SYCLO/CORE_PUSH_STAT_UPD
com.syclo.sap.bapi.RemoteObjectCreateBAPI=/SYCLO/CORE_MDW_USR_OBJ_CRT
com.syclo.sap.bapi.RemoteObjectDeleteBAPI=/SYCLO/CORE_MDW_USR_OBJ_DEL
com.syclo.sap.bapi.RemoteObjectGetBAPI=/SYCLO/CORE_MDW_SESSION_GET
com.syclo.sap.bapi.RemoteObjectUpdateBAPI=/SYCLO/CORE_MDW_SESSION_UPD
com.syclo.sap.bapi.RemoteReferenceCreateBAPI=/SYCLO/CORE_MDW_USR_KEYMAP_CRT
com.syclo.sap.bapi.RemoteReferenceDeleteBAPI=/SYCLO/CORE_MDW_USR_KEYMAP_DEL
com.syclo.sap.bapi.RemoteReferenceGetBAPI=/SYCLO/CORE_MDW_SESSION_GET
com.syclo.sap.bapi.RemoteReferenceUpdateBAPI=/SYCLO/CORE_MDW_SESSION_UPD
com.syclo.sap.bapi.RemoteSessionDeleteBAPI=/SYCLO/CORE_MDW_SESSION1_DEL
com.syclo.sap.bapi.RemoteUserDeleteBAPI=/SYCLO/CORE_MDW_SESSION1_DEL
com.syclo.sap.bapi.RemoteUserUpdateBAPI=/SYCLO/CORE_MDW_SESSION_UPD
com.syclo.sap.bapi.SignatureCaptureBAPI=/SMERP/CORE_DOBDSDOCUMENT_CRT
com.syclo.sap.bapi.TransactionCommitBAPI=WFD_TRANSACTION_COMMIT
[REQUIRED_BAPI_CLASS_MAPPING]
ChangePasswordBAPI=com.syclo.sap.bapi.ChangePasswordBAPI
CTBAPI=com.syclo.sap.bapi.CTBAPI
CTConfirmationBAPI=com.syclo.sap.bapi.CTConfirmationBAPI
DTBAPI=com.syclo.sap.bapi.DTBAPI
GetEmployeeDataBAPI=com.syclo.sap.bapi.GetEmployeeDataBAPI
GetUserDetailBAPI=com.syclo.sap.bapi.GetUserDetailBAPI
GetUserProfileDataBAPI=com.syclo.sap.bapi.GetUserProfileDataBAPI
LoginCheckBAPI=com.syclo.sap.bapi.LoginCheckBAPI
PushClearUserQueueBAPI=com.syclo.sap.bapi.PushClearUserQueueBAPI
PushResetUserQueueBAPI=com.syclo.sap.bapi.PushResetUserQueueBAPI
PushStatusUpdateBAPI=com.syclo.sap.bapi.PushStatusUpdateBAPI
RemoteObjectCreateBAPI=com.syclo.sap.bapi.RemoteObjectCreateBAPI
RemoteObjectDeleteBAPI=com.syclo.sap.bapi.RemoteObjectDeleteBAPI
RemoteObjectGetBAPI=com.syclo.sap.bapi.RemoteObjectGetBAPI
RemoteParameterGetBAPI=com.syclo.sap.bapi.RemoteParameterGetBAPI
RemoteReferenceCreateBAPI=com.syclo.sap.bapi.RemoteReferenceCreateBAPI
RemoteReferenceDeleteBAPI=com.syclo.sap.bapi.RemoteReferenceDeleteBAPI
RemoteReferenceGetBAPI=com.syclo.sap.bapi.RemoteReferenceGetBAPI
RemoteUserCreateBAPI=com.syclo.sap.bapi.RemoteUserCreateBAPI
RemoteUserDeleteBAPI=com.syclo.sap.bapi.RemoteUserDeleteBAPI
SignatureCaptureBAPI=com.syclo.sap.bapi.SignatureCaptureBAPI
SystemInfoBAPI=com.syclo.sap.bapi.SystemInfoBAPI
[SERVICE_LOGON]
ENABLED=true
UID=xxxxxxxxx
UPASSWORD=xxxxxxxx
UPASSWORDENCODED=true
SERVERSERIALNUM=SAP_INVENTORY_MANAGER_42
[USER_AUTH_SSO]
PORTAL_URL=https://portal.domain:50001/irj/portal
VERIFICATION_USE=true
VERIFICATION_FILENAME=EPD.VERIFY.pse
VERIFICATION_PASSWORD=xxxxxxxx
VERIFICATION_PASSWORD_ENCODED=true
KEY_STORE_USE=false
;KEY_STORE_TYPE=WINDOWS-MY
;KEY_STORE_FILENAME=keystoreFileName
;KEY_STORE_PASSWORD=xxxxxxxx
;KEY_STORE_PASSWORD_ENCODED=true
TRUST_STORE_USE=true
TRUST_STORE_TYPE=WINDOWS-ROOT
;TRUST_STORE_FILENAME=truststoreFileName
;TRUST_STORE_PASSWORD=xxxxxxxx
;TRUST_STORE_PASSWORD_ENCODED=true
COOKIE=MYSAPSSO2
HTTPTYPE=https
SSL_VERSION=SSLv3
JAVA_SECURITY_DEBUG=true
JAVA_NET_DEBUG=true
SSOCLIENT_CLASS=com.syclo.sap.auth.sso.SSOClient
CALLBACK_HANDLER_CLASS=com.syclo.sap.auth.CallbackHandler
SAPCRYPTO_FILENAME=E:\\SSO\\sapcrypto.dll
[LastUpdates]
SERVICE_LOGON=10:6:15 6/27/2016
USER_AUTH_SSO=10:8:38 6/27/2016
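As an added illustration (this is not part of the original question, and it is not SMP, Agentry or SAP JCo code), the script below does two things a practitioner would want when chasing this symptom: it parses SMP log lines in the '#'-delimited format quoted above to pick out the "expired SSO ticket" error and checks whether the gap between the app restart and the first error is at least the ticket lifetime, and it models a service-account ticket holder that re-issues its ticket before expiry, contrasted with one that only logs on at startup. The sample log lines are constructed to mirror the format in the post, and the restart time, 8 hour lifetime and 15 minute refresh margin are assumed values for the demonstration; the ticket holder is a generic refresh-ahead-of-expiry pattern, not a documented SMP/Agentry feature.

```python
"""Added example: detect the expired-SSO-ticket symptom in SMP log lines and
model refresh-before-expiry for a service-account logon ticket.
Not SMP/Agentry/JCo code; the log lines below are constructed."""
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

# Constructed sample in the SMP log format quoted in the post
# (fields separated by '#', message last, trailing ' |').
SAMPLE_LOG = """\
2016 07 25 03:40:11#+0200#INFO#System.out##anonymous#Agentry Runtime Worker Thread###getFunction::/SYCLO/CORE_SUSR_LOGIN_CHECK ok |
2016 07 25 09:15:01#+0200#INFO#System.out##anonymous#Agentry Runtime Worker Thread###getRepository::Error Retrieving repository for 200 |
2016 07 25 09:15:01#+0200#INFO#System.out##anonymous#Agentry Runtime Worker Thread###getFunction::Error creating function /SYCLO/CORE_SUSR_LOGIN_CHECK : Initialization of repository destination DESTINATION_SERVICE failed: An expired SSO ticket was received ( grace period ). on xyz.hostname.com sysnr 00 |
"""

EXPIRED_MARKER = "An expired SSO ticket was received"


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Split one SMP log line into (timestamp with tz, level, message)."""
    fields = line.rstrip().split("#")
    ts = datetime.strptime(fields[0] + fields[1], "%Y %m %d %H:%M:%S%z")
    return ts, fields[2], fields[-1].rstrip(" |")


def find_expired_ticket_errors(log_text: str) -> List[str]:
    """Return ISO timestamps of every line reporting an expired SSO ticket."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _level, msg = parse_line(line)
        if EXPIRED_MARKER in msg:
            hits.append(ts.isoformat())
    return hits


def hours_between(start_iso: str, end_iso: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps (tz-aware)."""
    delta = datetime.fromisoformat(end_iso) - datetime.fromisoformat(start_iso)
    return delta.total_seconds() / 3600.0


def expiry_explains(restart_iso: str, error_iso: str, lifetime_hours: int) -> bool:
    """True if the first error is at least one ticket lifetime after restart,
    i.e. consistent with a ticket obtained once at startup and never renewed."""
    return hours_between(restart_iso, error_iso) >= lifetime_hours


class TicketHolder:
    """Holds a logon ticket for a service account. With refresh=True it
    re-issues the ticket a margin before expiry; with refresh=False it only
    logs on once, which is the startup-only behaviour described in the post."""

    def __init__(self, issue: Callable[[], str], lifetime: timedelta,
                 margin: timedelta = timedelta(minutes=15), refresh: bool = True):
        self.issue, self.lifetime, self.margin, self.refresh = issue, lifetime, margin, refresh
        self._ticket: Optional[str] = None
        self._issued_at: Optional[datetime] = None
        self.issuances = 0      # how many logons were performed
        self.expired_uses = 0   # how often an already-expired ticket was handed out

    def get(self, now: datetime) -> str:
        due = (self._ticket is None or
               (self.refresh and now >= self._issued_at + self.lifetime - self.margin))
        if due:
            self._ticket, self._issued_at = self.issue(), now
            self.issuances += 1
        if now >= self._issued_at + self.lifetime:
            self.expired_uses += 1
        return self._ticket


def simulate(hours: int = 24, step_minutes: int = 30, lifetime_hours: int = 8,
             margin_minutes: int = 15, refresh: bool = True) -> Tuple[int, int]:
    """Drive a TicketHolder through a window of backend calls every step_minutes.
    Returns (issuances, expired_uses). Times and lifetime are assumed values."""
    counter = {"n": 0}

    def issue() -> str:  # stands in for a fresh logon to the portal
        counter["n"] += 1
        return f"ticket-{counter['n']}"

    holder = TicketHolder(issue, timedelta(hours=lifetime_hours),
                          timedelta(minutes=margin_minutes), refresh)
    t0 = datetime.fromisoformat("2016-07-25T01:10:02+02:00")  # assumed restart time
    for minutes in range(0, hours * 60, step_minutes):
        holder.get(t0 + timedelta(minutes=minutes))
    return holder.issuances, holder.expired_uses


if __name__ == "__main__":
    errors = find_expired_ticket_errors(SAMPLE_LOG)
    print("expired-ticket errors at:", errors)
    print("explained by 8h ticket lifetime:",
          expiry_explains("2016-07-25T01:10:02+02:00", errors[0], 8))
    print("startup-only logon (issuances, expired uses):", simulate(refresh=False))
    print("refresh before expiry (issuances, expired uses):", simulate(refresh=True))
```

Run it as-is; with the assumed restart at 01:10 and the error at 09:15 the elapsed time is just over 8 hours, which matches the poster's hypothesis. The simulation shows the startup-only holder handing out an expired ticket on every call after the 8th hour, while the refreshing holder performs three logons in 24 hours and never uses an expired ticket. Whether SMP itself can be made to re-authenticate the service account this way is exactly the open question of the post; the pattern only shows what the fix needs to do.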