
SSO Problem: Unexpected Signature Algorithm


I'm re-configuring SSO between the J2EE engine and the BI ABAP side now, 'cause the old certificate expires. After I imported a new SSL Certificate, an error occurs when the J2EE engine tries to connect to the BI master system.

There is one error entry in the trace file saying that "Signature algorithm for chain #1 is 1.2.840.113549.1.1.5 and does not match the expected value 1.2.840.10040.4.3".

I guess the new certificate changes its algorithm to add SSL support. Right? How can I proceed with the configuration?

Btw, J2EE engine is on SP12 (1000.

Thanks & Best Regards,



3 Answers

  • Best Answer
    Former Member
    Posted on Nov 15, 2007 at 01:05 PM

    Hello Shady,

    First, let's clarify the terminology. SSO stands for Single Sign-On and it has nothing to do with SSL (Secure Socket Layer). SSO at SAP is implemented via an SAP proprietary mechanism called SAP Logon Ticket.

    When created, the SAP Logon Ticket (sometimes also called SSO ticket or SSO token) is digitally signed by a dedicated private key. On the J2EE side this private key is located in Keystore service -> TicketKeystore view -> SAPLogonTicketKeypair entry. The public keys & certificates of the trusted SAP systems are also stored in this TicketKeystore view. As the digital signature signing and verification is provided by the third-party IAIK library, SAP AS Java can sign and verify the data only when the signing key is with DSA algorithm type 1.2.840.10040.4.3. Otherwise the digital signature cannot be verified.

    How to fix your issue? As far as I see, the ABAP side is the ticket creating system and the AS Java side is the ticket accepting system (it must verify the SSO ticket). Then you have to create a new ticket signing entry on the ABAP side using DSA 1.2.840.10040.4.3 and reimport it onto the Java side.

    Additionally, you can refer to SAP Note 991505, which describes your issue.

    Kind regards,
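The OID comparison the answer above describes, as an added example that is not part of the original thread: it reads the signatureAlgorithm OID from a certificate export and compares it with the value the trace expects. The function names are hypothetical, the two sample certificates are constructed skeletons rather than real exports, and the input is assumed to be a binary DER or Base64/PEM X.509 file.

```python
import base64

EXPECTED_OID = "1.2.840.10040.4.3"  # value the trace entry expects (dsa-with-sha1)

def to_der(data):  # accept binary DER or a Base64/PEM export
    if data.lstrip().startswith(b"-----BEGIN"):
        body = [l for l in data.splitlines() if not l.startswith(b"-----")]
        data = base64.b64decode(b"".join(body))
    return data

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # a clear high bit ends one base-128 arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # the first two arcs are packed as 40*X + Y
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_algorithm_oid(cert):
    """Certificate ::= SEQUENCE {tbsCertificate, signatureAlgorithm, signatureValue}"""
    der = to_der(cert)
    outer_tag, start, _ = read_tlv(der, 0)
    _, _, tbs_end = read_tlv(der, start)        # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if outer_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate in DER form")
    return decode_oid(der[oid_start:oid_end])

def matches_expected(cert):
    return signature_algorithm_oid(cert) == EXPECTED_OID

# Constructed skeletons (stub tbsCertificate, empty signature), not real certificates.
RSA_CERT = bytes.fromhex("30143000300d06092a864886f70d0101050500030100")  # sha1WithRSAEncryption
DSA_CERT = bytes.fromhex("30103000300906072a8648ce380403030100")          # dsa-with-sha1
```

To check a real export, pass the file's bytes, for example `matches_expected(open(path, "rb").read())`, where `path` is wherever the exported certificate was saved.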



  • Posted on Nov 15, 2007 at 04:47 PM

    Hi Tsvetomir,

    Thanks for your reply. It is really helpful.

    Can you tell me how I can specify the algorithm when creating a new ticket signing entry on the ABAP side? So far, what I've done is generate a certificate request from Trust Manager and import a Certificate Response got from Service market place. How can I specify which algorithm to use when exporting the certificate from Trust Manager?




  • Posted on Nov 22, 2007 at 03:04 AM


    The problem is solved.

    It seems that I have done the whole thing in a wrong way. I don't need an SSL Certificate at all, 'cause the SSL Certificate is signed using a different algorithm.

    My solution is just to re-create the system PSE in the Trust Manager and export the newly created BW Certificate to Portal. (Change the security provider service configuration accordingly if issueDN and DN are different from your previous certificate.)

    Hope this piece of info is useful.

    And thanks again to Tsvetomir Tsvetanov. Your clue is very useful for me to figure this thing out.


