Former Member
Jul 29, 2016 at 01:19 PM

SMP3.0 sp07 - Agentry SSO Logon Ticket expire - service account


Hi All,

Issue: SMP using expired SAP Logon Tickets for Agentry Inventory Manager service account connection to ECC backend.

We are using SMP 3.0 sp07 and Inventory Manager 4.2.1, and have configured SSO for Inventory Manager by following the SAP Inventory Manager Installation guide.

SSO for Inventory Manager is configured to use SAP Logon Tickets issued by our Enterprise Portal and appropriate trust relationships have been configured between EP and the ECC backend of the Inventory Manager app.

Currently Enterprise Portal is configured to issue Logon Tickets with an 8 hour lifetime.

When we restart the Agentry Inventory Manager app on SMP, we are able to successfully authenticate to the app by using EP credentials.

However, 8 hours after we restarted the Agentry IM app, users start getting an authentication error 'Error validation user password'.

If I look at the EP security log, I can see the user is being authenticated successfully against EP.

If I look in the SMP server log, I can see the following errors:

First error seen is:

2016 07 25 09:15:01#+0200#INFO#System.out##anonymous#Agentry Runtime Worker Thread###getRepository::Error Retrieving repository for 200 |

Second error seen is:

2016 07 25 09:15:01#+0200#INFO#System.out##anonymous#Agentry Runtime Worker Thread###getFunction::Error creating function /SYCLO/CORE_SUSR_LOGIN_CHECK : Initialization of repository destination DESTINATION_SERVICE failed: An expired SSO ticket was received ( grace period ). on xyz.hostname.com sysnr 00 |

I tried creating a new user and trying to authenticate, but I still received the error. This makes me think that it is not end user related, as a new user could not be issued an expired logon ticket.

(Of note, we also use the same EP to generate SAP Logon Tickets for NWBC on the same ECC system. This does not have any logon ticket expiration issues. Thus it leads me to believe it is not related to trusts, SSO configuration, profile parameters or logon ticket expiration time settings.)

I looked a little further at the EP security logs and noticed that the Agentry Inventory Manager service account (configured in JavaBE.ini) was also authenticating against EP when the application is restarted. Thus it makes me think that the service account gets a SAP Logon Ticket upon application start and that SAP Logon Ticket is used to authenticate the service account to the ECC backend of the Agentry app.

But then what happens when the SAP Logon Ticket issued to the service account on Agentry app startup expires?

I guess repository communication stops and user authentication fails?

There doesn't seem to be a documented method of re-authenticating the service account so that it gets a new logon ticket every xx:xx hours.

Has anyone else encountered this issue or completed a similar setup and have any tips?

Below is our JavaBE.ini file, in case that helps

[HOST]

server=xyz.hostname.com

; mobile application name configured in sap like SMART_WORK_MANAGER_51, SMART_CUSTOMER_SERVICE_10, SMART_ISU_WORK_MANAGER_10...etc

APPNAME=SAP_INVENTORY_MANAGER_42

[CONFIG]

; Used to get the SAP Configurations from SAP if source=SAP or from JavaBE ini file

; SAP Configurations are [ENABLE_TABLE], [TABLE_CHECK], [TABLE_REFRESH], [BAPI_WRAPPER],

; [SAPOBJECT], [CT_SAPOBJECT], [CT_BAPI_WRAPPER], [CT_RETURN_TABLE], [CT_DELETE_TABLE].....etc

source=SAP

[JCO]

CLASS=JCO3

[JCO3_CUSTOM_PROPERTIES]

; be careful with this section as it can be used to both extend and/or override base property values on the destination

#### example for group logon with SSO

;jco.client.ashost=

;jco.client.sysnr=

;jco.client.mshost=MESSAGE_HOST_NAME

;jco.client.r3name=R3_NAME

;jco.client.group=GROUP_NAME

##### example for snc login

;jco.client.snc_mode=1

;jco.client.snc_partnername=p:CN=SAPSERVER_NAME, O=ORG_NAME, C=COUNTRY_NAME

;jco.client.snc_myname=p:CN=SMPSERVER_NAME, O=ORG_NAME, C=COUNTRY_NAME

;jco.client.snc_qop=3

;jco.client.snc_lib=sapcrypto.dll

;jco.client.snc_sso=0

##### for extra debugging information

jco.client.trace=1

jco.client.cpic_trace=3

[PUSH_LOGON]

ENABLED=false

UID=

UPASSWORD=

UPASSWORDENCODED=false

SHAREDCONNECTION=10

[CLIENT_NUM]

CLIENT=200

[SYSTEM_NUM]

SYSNUM=00

[LANGUAGE]

LANG=NO

[LOGGING]

;1=Fatal, 2=Error, 3=Warning, 4=Info, 5=debug, 6=trace

Level=6

[LOGON_METHOD]

; USER_AUTH if standard UID/Password authentication is used

; USER_AUTH_GLOBAL if pooled connections using single UID/Password is used

; USER_AUTH_GROUP if UID/Password authentication with SAP Message Server

; (load balancing) is used

; USER_AUTH_SSO if SSO2 ticket authentication with SAP Portal Server is used

; USER_AUTH_CUSTOM for a custom login module setup

LOGON_METHOD=USER_AUTH_SSO

[GLOBAL_LOGON]

; referenced when LOGON_METHOD=USER_AUTH_GLOBAL

; uses a pool of connections to the SAP backend all utilizing a single

; UID/password

UID=

UPASSWORD=

SHAREDCONNECTION=100

GET_PERSONNEL_INFO=N

[GROUP_LOGON]

; referenced when LOGON_METHOD=USER_AUTH_GROUP

; individual user authentication using an SAP Message Server which distributes

; client connections among a "group" of SAP application servers based on load

; balancing criteria

;

UID=

UPASSWORD=

SHAREDCONNECTION=

; host name or IP address of SAP Message Server

MESSAGE_SERVER=

R3_NAME=

GROUP_NAME=

SYSTEM_ID=

CLIENT=

SHAREDCONNECTIONS=

[USER_AUTH_CUSTOM]

; referenced when LOGON_METHOD=USER_AUTH_CUSTOM

; custom defined login configuration that use JAAS for authentication

;

MODULE_CLASS_1=com.syclo.sap.auth.LoginModuleBasic

MODULE_CLASS_1_FLAG=REQUIRED

MODULE_CLASS_1_OPTION_1_KEY=CLIENT_NUM

MODULE_CLASS_1_OPTION_1_VALUE=clientNum

MODULE_CLASS_1_OPTION_2_KEY=HOST

MODULE_CLASS_1_OPTION_2_VALUE=serverHostName

MODULE_CLASS_1_OPTION_3_KEY=SYS_NUM

MODULE_CLASS_1_OPTION_3_VALUE=sysNum

;MODULE_CLASS_2=

;MODULE_CLASS_2_FLAG=

;

;MODULE_CLASS_3=

;MODULE_CLASS_3_FLAG=

; class to instantiate for the callback handler

CALLBACK_HANDLER_CLASS=com.syclo.sap.auth.CallbackHandler

[REQUIRED_BAPI_WRAPPER]

com.syclo.sap.bapi.LoginCheckBAPI=/SYCLO/CORE_SUSR_LOGIN_CHECK

com.syclo.sap.bapi.RemoteUserCreateBAPI=/SYCLO/CORE_MDW_SESSION1_CRT

com.syclo.sap.bapi.RemoteParameterGetBAPI=/SYCLO/CORE_MDW_PARAMETER_GET

com.syclo.sap.bapi.SystemInfoBAPI=/SYCLO/CORE_SYSTINFO_GET

com.syclo.sap.bapi.ChangePasswordBAPI=/SYCLO/CORE_SUSR_CHANGE_PASSWD

com.syclo.sap.bapi.CTConfirmationBAPI=/SYCLO/CORE_OUTB_MSG_STAT_UPD

com.syclo.sap.bapi.DTBAPI=/SYCLO/CORE_DT_GET

com.syclo.sap.bapi.GetEmployeeDataBAPI=/SMERP/HR_DOEMPLOYEE_DATA_GET

com.syclo.sap.bapi.GetUserDetailBAPI=/SYCLO/CORE_USER_GET_DETAIL

com.syclo.sap.bapi.GetUserProfileDataBAPI=/SYCLO/CORE_USER_PROFILE_GET

com.syclo.sap.bapi.PushStatusUpdateBAPI=/SYCLO/CORE_PUSH_STAT_UPD

com.syclo.sap.bapi.RemoteObjectCreateBAPI=/SYCLO/CORE_MDW_USR_OBJ_CRT

com.syclo.sap.bapi.RemoteObjectDeleteBAPI=/SYCLO/CORE_MDW_USR_OBJ_DEL

com.syclo.sap.bapi.RemoteObjectGetBAPI=/SYCLO/CORE_MDW_SESSION_GET

com.syclo.sap.bapi.RemoteObjectUpdateBAPI=/SYCLO/CORE_MDW_SESSION_UPD

com.syclo.sap.bapi.RemoteReferenceCreateBAPI=/SYCLO/CORE_MDW_USR_KEYMAP_CRT

com.syclo.sap.bapi.RemoteReferenceDeleteBAPI=/SYCLO/CORE_MDW_USR_KEYMAP_DEL

com.syclo.sap.bapi.RemoteReferenceGetBAPI=/SYCLO/CORE_MDW_SESSION_GET

com.syclo.sap.bapi.RemoteReferenceUpdateBAPI=/SYCLO/CORE_MDW_SESSION_UPD

com.syclo.sap.bapi.RemoteSessionDeleteBAPI=/SYCLO/CORE_MDW_SESSION1_DEL

com.syclo.sap.bapi.RemoteUserDeleteBAPI=/SYCLO/CORE_MDW_SESSION1_DEL

com.syclo.sap.bapi.RemoteUserUpdateBAPI=/SYCLO/CORE_MDW_SESSION_UPD

com.syclo.sap.bapi.SignatureCaptureBAPI=/SMERP/CORE_DOBDSDOCUMENT_CRT

com.syclo.sap.bapi.TransactionCommitBAPI=WFD_TRANSACTION_COMMIT

[REQUIRED_BAPI_CLASS_MAPPING]

ChangePasswordBAPI=com.syclo.sap.bapi.ChangePasswordBAPI

CTBAPI=com.syclo.sap.bapi.CTBAPI

CTConfirmationBAPI=com.syclo.sap.bapi.CTConfirmationBAPI

DTBAPI=com.syclo.sap.bapi.DTBAPI

GetEmployeeDataBAPI=com.syclo.sap.bapi.GetEmployeeDataBAPI

GetUserDetailBAPI=com.syclo.sap.bapi.GetUserDetailBAPI

GetUserProfileDataBAPI=com.syclo.sap.bapi.GetUserProfileDataBAPI

LoginCheckBAPI=com.syclo.sap.bapi.LoginCheckBAPI

PushClearUserQueueBAPI=com.syclo.sap.bapi.PushClearUserQueueBAPI

PushResetUserQueueBAPI=com.syclo.sap.bapi.PushResetUserQueueBAPI

PushStatusUpdateBAPI=com.syclo.sap.bapi.PushStatusUpdateBAPI

RemoteObjectCreateBAPI=com.syclo.sap.bapi.RemoteObjectCreateBAPI

RemoteObjectDeleteBAPI=com.syclo.sap.bapi.RemoteObjectDeleteBAPI

RemoteObjectGetBAPI=com.syclo.sap.bapi.RemoteObjectGetBAPI

RemoteParameterGetBAPI=com.syclo.sap.bapi.RemoteParameterGetBAPI

RemoteReferenceCreateBAPI=com.syclo.sap.bapi.RemoteReferenceCreateBAPI

RemoteReferenceDeleteBAPI=com.syclo.sap.bapi.RemoteReferenceDeleteBAPI

RemoteReferenceGetBAPI=com.syclo.sap.bapi.RemoteReferenceGetBAPI

RemoteUserCreateBAPI=com.syclo.sap.bapi.RemoteUserCreateBAPI

RemoteUserDeleteBAPI=com.syclo.sap.bapi.RemoteUserDeleteBAPI

SignatureCaptureBAPI=com.syclo.sap.bapi.SignatureCaptureBAPI

SystemInfoBAPI=com.syclo.sap.bapi.SystemInfoBAPI

[SERVICE_LOGON]

ENABLED=true

UID=xxxxxxxxx

UPASSWORD=xxxxxxxx

UPASSWORDENCODED=true

SERVERSERIALNUM=SAP_INVENTORY_MANAGER_42

[USER_AUTH_SSO]

PORTAL_URL=https://portal.domain:50001/irj/portal

VERIFICATION_USE=true

VERIFICATION_FILENAME=EPD.VERIFY.pse

VERIFICATION_PASSWORD=xxxxxxxx

VERIFICATION_PASSWORD_ENCODED=true

KEY_STORE_USE=false

;KEY_STORE_TYPE=WINDOWS-MY

;KEY_STORE_FILENAME=keystoreFileName

;KEY_STORE_PASSWORD=xxxxxxxx

;KEY_STORE_PASSWORD_ENCODED=true

TRUST_STORE_USE=true

TRUST_STORE_TYPE=WINDOWS-ROOT

;TRUST_STORE_FILENAME=truststoreFileName

;TRUST_STORE_PASSWORD=xxxxxxxx

;TRUST_STORE_PASSWORD_ENCODED=true

COOKIE=MYSAPSSO2

HTTPTYPE=https

SSL_VERSION=SSLv3

JAVA_SECURITY_DEBUG=true

JAVA_NET_DEBUG=true

SSOCLIENT_CLASS=com.syclo.sap.auth.sso.SSOClient

CALLBACK_HANDLER_CLASS=com.syclo.sap.auth.CallbackHandler

SAPCRYPTO_FILENAME=E:\\SSO\\sapcrypto.dll

[LastUpdates]

SERVICE_LOGON=10:6:15 6/27/2016

USER_AUTH_SSO=10:8:38 6/27/2016
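
A log check for the hypothesis raised in this post, added here as an example (it is not part of the original post and not SAP code): it parses SMP server log lines in the `#`-delimited format quoted above, pulls out the expired-ticket errors, and compares the first failure per destination with the application restart time plus the 8-hour ticket lifetime. The restart time, the 08:00:00 sample line and the malformed line are constructed assumptions; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Message pattern taken from the second error quoted in the post.
EXPIRED = re.compile(
    r"Error creating function (?P<function>\S+) : Initialization of repository "
    r"destination (?P<destination>\S+) failed: An expired SSO ticket was received"
)

def parse_line(line):
    """Split one '#'-delimited SMP server log line into (timestamp, message)."""
    parts = line.rstrip().split("#", 9)
    if len(parts) != 10:
        return None  # not a server log record
    try:
        ts = datetime.strptime(parts[0] + parts[1], "%Y %m %d %H:%M:%S%z")
    except ValueError:
        return None
    return ts, parts[9]

def expired_ticket_events(lines):
    """Return (timestamp, destination, function) for each expired-ticket error."""
    events = []
    for line in lines:
        parsed = parse_line(line)
        match = EXPIRED.search(parsed[1]) if parsed else None
        if match:
            events.append((parsed[0], match["destination"], match["function"]))
    return events

def correlate(events, restart, lifetime):
    """Compare the first failure per destination with restart + ticket lifetime."""
    expiry = restart + lifetime
    first = {}
    for ts, destination, _ in sorted(events):
        first.setdefault(destination, ts)
    return {d: {"first_failure": ts, "ticket_expiry": expiry,
                "after_expiry": ts >= expiry} for d, ts in first.items()}

# The two 09:15:01 lines are quoted from the post; the rest and RESTART are constructed.
SAMPLE_LOG = [
    "2016 07 25 08:00:00#+0200#INFO#System.out##anonymous#Agentry Runtime Worker Thread###constructed: login check ok",
    "2016 07 25 09:15:01#+0200#INFO#System.out##anonymous#Agentry Runtime Worker Thread###getRepository::Error Retrieving repository for 200 |",
    "2016 07 25 09:15:01#+0200#INFO#System.out##anonymous#Agentry Runtime Worker Thread###getFunction::Error creating function /SYCLO/CORE_SUSR_LOGIN_CHECK : Initialization of repository destination DESTINATION_SERVICE failed: An expired SSO ticket was received ( grace period ). on xyz.hostname.com sysnr 00 |",
    "not a log line",
]
RESTART = datetime.strptime("2016 07 25 01:10:00+0200", "%Y %m %d %H:%M:%S%z")
EVENTS = expired_ticket_events(SAMPLE_LOG)
REPORT = correlate(EVENTS, RESTART, timedelta(hours=8))
print(REPORT)
```

If `after_expiry` is true only for `DESTINATION_SERVICE` and the first failure follows `ticket_expiry` closely after every restart, the log evidence is consistent with the startup ticket of the service account being reused past its lifetime.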