Application Development Discussions

SSO Problem: Unexpected Signature Algorithm

shady_shen
Employee
0 Kudos

Hi,

I'm re-configuring SSO between the J2EE engine and the BI ABAP side now, 'cause the old certificate expires. After I imported a new SSL Certificate, an error occurs when the J2EE engine tries to connect to the BI master system.

There is one error entry in the trace file saying that "Signature algorithm for chain #1 is 1.2.840.113549.1.1.5 and does not match the expected value 1.2.840.10040.4.3".

I guess the new certificate changes its algorithm to add SSL support. Right? How can I proceed with the configuration?

Btw, the J2EE engine is on SP12 (1000.7.00.12.9.20070827131438).

Thanks & Best Regards,

Shady

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hello Shady,

First, let's clarify the terminology. SSO stands for Single Sign-On and it has nothing to do with SSL (Secure Socket Layer). SSO at SAP is implemented via an SAP proprietary mechanism called the SAP Logon Ticket.

When created, the SAP Logon Ticket (also sometimes called SSO ticket or SSO token) is digitally signed by a dedicated private key. On the J2EE side this private key is located in Keystore service -> TicketKeystore view -> SAPLogonTicketKeypair entry. The public keys & certificates of the trusted SAP systems are also stored in this TicketKeystore view. As the digital signature signing and verification is provided by the third-party IAIK library, SAP AS Java can sign and verify the data only when the signing key is of DSA algorithm type 1.2.840.10040.4.3. Otherwise the digital signature cannot be verified.

How to fix your issue? As far as I can see, the ABAP side is the ticket creating system and the AS Java side is the ticket accepting system (it must verify the SSO ticket). Then you have to create a new ticket signing entry on the ABAP side using DSA 1.2.840.10040.4.3 and reimport it onto the Java side.

Additionally you can refer to SAP Note 991505 (https://service.sap.com/sap/support/notes/991505) that describes your issue.

Kind regards,

Tsvetomir
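
The trace message in the question reports the OID of the certificate chain's signature algorithm. As an added check (not code from the thread or from SAP), the following reads that outer signatureAlgorithm OID out of a DER certificate before it is imported into the TicketKeystore and compares it with the DSA OID named above; the "certificates" it builds for demonstration are constructed stand-ins with empty tbsCertificate and signature fields, not real certificates.

```python
import base64
import re

DSA_WITH_SHA1 = "1.2.840.10040.4.3"      # the OID AS Java's ticket verification expects
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"   # the OID the new SSL certificate carried

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    """Dotted notation for the content bytes of a DER OBJECT IDENTIFIER."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der: bytes) -> str:
    """OID of the outer signatureAlgorithm field (Certificate ::= SEQUENCE {
    tbsCertificate, signatureAlgorithm, signatureValue })."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; PEM input needs pem_to_der() first")
    _, _, after_tbs = _read_tlv(body, 0)          # skip tbsCertificate
    _, alg_id, _ = _read_tlv(body, after_tbs)     # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _read_tlv(alg_id, 0)              # its first element is the OID
    return decode_oid(oid)

def pem_to_der(pem: str) -> bytes:
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s+", "", pem))  # strip armour

def suitable_for_ticket_keystore(cert_der: bytes) -> bool:
    """True only for the DSA signature type the accepted answer says AS Java verifies."""
    return signature_algorithm(cert_der) == DSA_WITH_SHA1

# Constructed test data, not real certificates: just enough DER for the walk above.
def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content   # short-form length suffices here
def sample_cert(oid_content: bytes) -> bytes:
    alg_id = _der(0x30, _der(0x06, oid_content) + _der(0x05, b""))    # OID + NULL
    return _der(0x30, _der(0x30, b"") + alg_id + _der(0x03, b"\x00"))  # empty tbs/sig
DSA_OID_DER = bytes.fromhex("2a8648ce380403")      # 1.2.840.10040.4.3
RSA_OID_DER = bytes.fromhex("2a864886f70d010105")  # 1.2.840.113549.1.1.5
```

Run suitable_for_ticket_keystore() on the exported certificate's DER bytes: a False result reproduces the mismatch the trace reports before the import is attempted.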

3 REPLIES

shady_shen
Employee
0 Kudos

Hi Tsvetomir,

Thanks for your reply. It is really helpful.

Can you tell me how I can specify the algorithm when creating a new ticket signing entry on the ABAP side? So far, what I've done is generate a certificate request from the Trust Manager and import a Certificate Response obtained from the Service Marketplace. How can I specify which algorithm to use when exporting the certificate from the Trust Manager?

Regards,

Shady

shady_shen
Employee
0 Kudos

Hi,

The problem is solved.

It seems that I have done the whole thing in the wrong way. I don't need an SSL Certificate at all, 'cause an SSL Certificate is signed using a different algorithm.

My solution is just to re-create the system PSE in the Trust Manager and export the newly created BW Certificate to the Portal (change the security provider service configuration accordingly if the issuerDN and DN are different from your previous certificate).

Hope this piece of info is useful.

And thanks again to Tsvetomir Tsvetanov. Your clue is very useful for me to figure this thing out.

Cheers,

Shady