Former Member

SSO configuration from CE 7.2 to ERP 6.0 EhP4

Hi All,

We are trying to configure SSO from our CE 7.2 system to our ERP 6.0 EhP4 system, such that we can use logon tickets for the ERP destination template. We have completed the following configuration:

1. Added the ERP system as a trusted system in CE 7.2

a. NWA --> Configuration Management --> Security --> Trusted Systems

b. Add Trusted System --> By Querying Trusted System

2. Exported the public key from CE and imported into ERP

a. NWA --> Configuration Management --> Security --> Certificates and Keys

b. Highlighted TicketKeystore, then SAPLogonTicketKeypair-cert

c. Export Entry

d. Logged into client 000 of ERP system

e. STRUSTSSO2

f. Imported certificate, adding it to both the certificate list and the ACL

3. Configure the Destination Template to Use Logon Tickets

a. NWA --> SOA Management --> Destination Template Management

b. Highlighted the ERP DT

c. Clicked on the Security tab

d. Selected the Logon Ticket radio button

We are using a very simple Visual Composer application to test the destination template. The VC app calls a service in the ERP system and returns data from a query. When we run the VC app, we are receiving the following error message:

Error in Connection :Could not retrieve metadata

Error occurred while executing the service. Error in Connection :Could not retrieve metadata

Error occurred while executing the servcie. Error occurred while executing the service. Error in Connection :Could not retrive metadata

Log /usr/sap/<SID>/<instance>/j2ee/cluster/server0/log/system/security_00.0.log contains the following information:

#2.0#2010 12 14 11:34:09:918#0-500#Info#/System/Security/Authentication#
#BC-JAS-SEC#security#00215E5F4572076100000000002AC0D6#15716050000000004#sap.com/tcwddispwda#com.sap.engine.services.security.authentication.logincontext.table#u799592#36##FA086DC2079F11E0A097000000EFCED2#a18a3387079f11e0810b000000efced2#a18a3387079f11e0810b000000efced2#0#Thread[HTTP Worker [@1945118155],5,Dedicated_Application_Thread]#Plain##
LOGIN.OK
User: u799592
IP Address: 168.136.241.36
Authentication Stack: sap.com/tcwddispwda*webdynpro_dispatcher

Login Module                                                             Flag        Initialize  Login  Commit  Abort  Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule           SUFFICIENT  ok          false  false
        #1 trusteddn1 = CN=QAS,OU=I0820037617,OU=SAP Web AS,O=SAP Trust Community,C=DE
        #2 trustediss1 = CN=QAS,OU=I0820037617,OU=SAP Web AS,O=SAP Trust Community,C=DE
        #3 trustedsys1 = QAS,000
        #4 ume.configuration.active = true
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE   ok          true   true
3. com.sap.security.core.server.jaas.CreateTicketLoginModule             OPTIONAL    ok          true   True

#2.0#2010 12 14 11:34:15:011#0-500#Warning#/System/Security/Authentication#
com.sap.ASJ.secsrv.000129#BC-JAS-SEC#security#00215E5F4572076300000008002AC0D6#15716050000000004#sap.com/tjh_devcomp_impl#com.sap.engine.services.security.authentication.loginmodule.ticket#u799592#36##FA086DC2079F11E0A097000000EFCED2#afdb20ac079f11e09268000000efced2#afdb20ac079f11e09268000000efced2#0#Thread[HTTP Worker [@673479470],5,Dedicated_Application_Thread]#Plain##
Key under alias [SAPLogonTicketKeypair] cannot be retrieved from keystore view [TicketKeystore]. Authentication stack: [<null>]. The default kestore view is [TicketKeystore]. The default keypair alias is [SAPLogonTicketKeypair]. Check the login module options and UME properties.#

Any ideas as to what configuration may be wrong/missing?

Thanks in advance for any help you can provide.
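The two log records quoted in the question are easier to triage once they are parsed rather than read by eye. The Python script below is an added example, not code from this thread or from SAP; it works on a constructed sample modelled on the quoted security_00.0.log records (session and thread ids shortened to "..."), splits the '#'-separated header into timestamp, severity and category, reads the login-module result table, and reports the two facts a defender wants confirmed here: that the session was established by password rather than by ticket (EvaluateTicketLoginModule returned false, BasicPasswordLoginModule true), and that the keypair alias named in the warning could not be read from its keystore view. The record layout and regular expressions are assumptions derived from the excerpt, not an official log format specification.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the security_00.0.log excerpt in the question.
# Records start with "#2.0#"; header fields are '#'-separated; ids shortened to "...".
SAMPLE_LOG = """#2.0#2010 12 14 11:34:09:918#0-500#Info#/System/Security/Authentication#
#BC-JAS-SEC#security#...#sap.com/tcwddispwda#com.sap.engine.services.security.authentication.logincontext.table#u799592#36##...#Plain##
LOGIN.OK
User: u799592
IP Address: 168.136.241.36
Authentication Stack: sap.com/tcwddispwda*webdynpro_dispatcher
Login Module   Flag   Initialize   Login   Commit   Abort   Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule   SUFFICIENT   ok   false   false
        #1 trusteddn1 = CN=QAS,OU=I0820037617,OU=SAP Web AS,O=SAP Trust Community,C=DE
        #3 trustedsys1 = QAS,000
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok   true   true
3. com.sap.security.core.server.jaas.CreateTicketLoginModule   OPTIONAL   ok   true   True

#2.0#2010 12 14 11:34:15:011#0-500#Warning#/System/Security/Authentication#
com.sap.ASJ.secsrv.000129#BC-JAS-SEC#security#...#com.sap.engine.services.security.authentication.loginmodule.ticket#u799592#36##...#Plain##
Key under alias [SAPLogonTicketKeypair] cannot be retrieved from keystore view [TicketKeystore]. Authentication stack: [<null>]. The default keystore view is [TicketKeystore]. The default keypair alias is [SAPLogonTicketKeypair]. Check the login module options and UME properties.#
"""

# Assumed header layout: #version#timestamp#tz#severity#category#...
HEADER_RE = re.compile(
    r"^#2\.0#(?P<ts>[^#]*)#(?P<tz>[^#]*)#(?P<severity>[^#]*)#(?P<category>[^#]*)#"
)
# One row of the login-module table: "<n>. <class> <FLAG> <init> <login> <commit>"
MODULE_RE = re.compile(
    r"^\s*\d+\.\s+(?P<module>\S+)\s+(?P<flag>SUFFICIENT|REQUISITE|REQUIRED|OPTIONAL)"
    r"\s+(?P<init>\S+)\s+(?P<login>true|false)\s+(?P<commit>true|false)",
    re.IGNORECASE,
)
KEY_WARNING_RE = re.compile(
    r"Key under alias \[(?P<alias>[^\]]+)\] cannot be retrieved from keystore view \[(?P<view>[^\]]+)\]"
)


@dataclass
class LogRecord:
    timestamp: str
    severity: str
    category: str
    body: str
    # (short module name, JAAS flag, login result) per table row
    modules: list = field(default_factory=list)


def split_records(text):
    """Group lines into records; a new record begins at every '#2.0#' line."""
    records, current = [], []
    for line in text.splitlines():
        if line.startswith("#2.0#") and current:
            records.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def parse_record(raw):
    """Return a LogRecord, or None if the text does not start with a known header."""
    m = HEADER_RE.match(raw)
    if not m:
        return None
    body = raw[m.end():]
    rec = LogRecord(m["ts"], m["severity"], m["category"], body)
    for line in body.splitlines():
        mm = MODULE_RE.match(line)
        if mm:
            short = mm["module"].rsplit(".", 1)[-1]
            rec.modules.append((short, mm["flag"].upper(), mm["login"].lower() == "true"))
    return rec


def diagnose(text):
    """Report findings relevant to logon-ticket SSO, in log order."""
    findings = []
    for raw in split_records(text):
        rec = parse_record(raw)
        if rec is None:
            continue
        results = {name: ok for name, _flag, ok in rec.modules}
        if ("LOGIN.OK" in rec.body
                and results.get("EvaluateTicketLoginModule") is False
                and results.get("BasicPasswordLoginModule")):
            findings.append(
                f"ticket: at {rec.timestamp} EvaluateTicketLoginModule did not authenticate "
                "the user; the session was established by password, so no usable logon "
                "ticket was presented")
        km = KEY_WARNING_RE.search(rec.body)
        if km:
            findings.append(
                f"keystore: alias [{km['alias']}] not readable from view [{km['view']}] "
                f"({rec.severity} at {rec.timestamp}); check the keystore view and the "
                "login module / UME keypair settings")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Run against a real security_00.0.log (which is ASCII with the same '#'-separated layout) the script needs nothing beyond reading the file into `diagnose`; the two findings on the sample correspond exactly to the two records the question quotes, and a password-established session next to an unreadable SAPLogonTicketKeypair alias points at the key material on the CE side before anything on the ERP side.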


12 Answers

  • Best Answer
    Posted on Dec 15, 2010 at 04:41 AM

    Have you checked all the prerequisites, like the domain, time clock, ...?

    Also, on the ECC side, have you changed the profile to accept logon tickets?

  • Former Member
    Posted on Dec 17, 2010 at 06:30 AM

    Hi,

    While renewing the SAPLogonTicketKeypair certificate, which algorithm did you choose? DSA or RSA? DSA is used for the http protocol that is normally used. Also, in NWA while generating the cert, did you select Binary or Base64? The Binary option is normally used. Once you save it locally, import it into the ABAP system. While importing in STRUSTSSO2, select the option Binary in the radio button. Add to Certificate List and Add to ACL. Add to Certificate List is client-independent and Add to ACL is client-dependent.

    Ensure the check box Store certificate is checked while generating the verify.der cert.

    You could check all of these settings while generating the certificate and if it still fails let me know.

    Rgds,

    Soujanya

    Edited by: Soujanya Holla on Dec 17, 2010 7:50 AM


  • Posted on Jan 19, 2011 at 01:57 PM

    Hello,

    When you try to use SSO for a service in Destination Template Management, you have to define the system you are calling as the reference system in the portal. You can define a reference system by opening the portal, then choosing System Administration -> System Configuration -> UME Configuration -> User Assignment.

    Kind Regards

    Nico Luhr


  • Former Member
    Posted on Dec 14, 2010 at 08:38 PM

    One more piece of information...

    The UIDs in CE are the same as in ERP.

    Thanks!


  • Former Member
    Posted on Dec 15, 2010 at 12:22 PM

    Hi John,

    Thanks for your reply. Yes, we have changed the profile on the ECC side to accept logon tickets. Our ECC and CE systems are in the same domain and their clocks are configured with the same time. However, I do not remember seeing any prerequisites related to domain or time. Could you send me more details?

    Can you think of anything else that could be causing the error?

    Thanks again!

    Tommye


  • Former Member
    Posted on Dec 16, 2010 at 07:39 AM

    Hi,

    You can also log in to NWA and check if the ticket is valid there. Go to NWA -> Configuration Management -> Security -> Certificates and Keys. Go to the TicketKeystore and then the SAPLogonTicketKeypair entry and check if the ticket is valid. If not, delete it and renew it. Then download it and upload the same on your backend.

    Hope this helps. If it still doesn't, let me know. We'll think of another alternative.

    Rgds,

    Soujanya


  • Former Member
    Posted on Dec 16, 2010 at 12:58 PM

    Hi Craig,

    No, we have not resolved the issue. If/when we find a resolution I will post it in this thread.

    Thanks very much for the suggestion on using assertion tickets. I would like to give that a try. Can you post a link to the documentation you used for the configuration or post some instructions?

    Thanks again,

    Tommye


  • Former Member
    Posted on Dec 16, 2010 at 01:06 PM

    Hi Soujanya,

    Thanks for your reply. I checked the SAPLogonTicketKeypair entry as you instructed. All of the lights are green. I tried creating a new key pair and then importing the certificate into the ERP system anyway, but I am still getting the same error.

    I also tried setting option "ume.configuration.active=true" in the login module "CreateTicketLoginModule" per SAP Note 1159962, and restarting the system, but this did not resolve the issue, either.

    I would welcome any other suggestions you have.

    Thanks!

    Tommye


  • Former Member
    Posted on Dec 16, 2010 at 05:10 PM

    Hi John,

    We are using a very simple Visual Composer application to test the destination template. The VC app calls a service in the ERP system and returns data from a query. This VC app works if we use a UID and password.

    Thanks!


  • Former Member
    Posted on Dec 18, 2010 at 01:50 AM

    Hi Soujanya,

    Yes, when generating the new certificate I selected DSA, 1024 bit, and binary. I also selected store certificate. When uploading it to the ERP system, I logged into client 000 and imported the certificate in binary mode via STRUSTSSO2. I then added the certificate to the certificate list and the ACL.

    Thanks!
