Issue while parsing the MYSAPSSO2 Cookie

Former Member
0 Kudos

Hi All,

We are trying to establish SSO with a non-SAP web application using the MYSAPSSO2 cookie.

The plan is to write a Java class which can parse the MYSAPSSO2 cookie, extract the user ID and use it for single sign-on.

The following libraries are used:

logging.jar

i18n_cp.jar

iaik_jce.jar

com.sap.security.api.jar

com.sap.security.core.jar

rscp4j.dll (this is downloaded from a SAP EP 7.0 instance running on a Windows 2003 server in our landscape).

Our source SAP EP 7.0 instance, which will be issuing the cookie, is running on Solaris.

The target application in which the cookie is parsed is running on a Windows 2003 64-bit server.

Following is the code we are using.

import iaik.security.provider.IAIK;
import java.security.Security;
import java.security.cert.X509Certificate;

// certificates: the portal's ticket-signing certificate(s) loaded from the local keystore
// strCookie: the value of the MYSAPSSO2 cookie taken from the request
static void verifyTicket(X509Certificate[] certificates, String strCookie) throws Exception {
    // Instantiate the IAIK provider
    IAIK provider = new IAIK();
    Security.addProvider(provider);

    // Instantiate the ticket
    com.sap.security.core.ticket.imp.Ticket tv = new com.sap.security.core.ticket.imp.Ticket();

    // Set the certificates
    tv.setCertificates(certificates);

    // Set the MYSAPSSO2 cookie
    tv.setTicket(strCookie);

    if (!tv.isValid()) {
        System.out.println("Ticket is not valid");
    }

    // Verify the ticket
    tv.verify();
}

The isValid method is working fine: it returns true or false exactly according to the validity.

ISSUE:

tv.verify() raises the following exception:

java.security.SignatureException-Certificate (Issuer="CN=SID,OU=XX,O=XYZ,L=LO,ST=ST,C=CO", S/N=1234567890) not found.

When analyzed, it looks like the verify method is trying to compare the issuer's serial number in integer format, but the portal is providing the serial number in hexadecimal format.

So the keystore has the certificate with the same issuer and serial number, but the serial number is in hexadecimal format.

The certificate from SAP Enterprise Portal was imported to the local keystore using the keytool -import option.

Could anyone help resolve this issue?

Thanks in advance.

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Any Advice Please?

Do I need to post it in a different forum?


Former Member
0 Kudos

Hi,

Did you get any solution to your problem?

I am facing a similar problem while implementing SSO between SAP NetWeaver Portal 7.0 and IBM WebSphere Portal.

I tried it long back, i.e. in October 2010.

The reference thread URL is given below:

/thread/1798972 [original link is broken]

Thanks.

Santosh

Former Member
0 Kudos

Hi,

I'm facing the exact same problem, and I think I found the reason for the behavior described above.

The problem seems to be located at

[http://help.sap.com/javadocs/NW73/SPS01/CE/se/com.sap.se/com/sap/security/api/ticket/TicketVerifier.html#verify()]

from com.sap.security.api.jar, as mentioned.

But the problem seems to be the issuer, not the serial number.

When decompiling com.sap.security.api.jar with JD-GUI ([http://java.decompiler.free.fr/?q=jdgui]), you can see the following:

public static java.security.cert.X509Certificate[] findCertificates(
		java.security.cert.X509Certificate[] certificates, String issuer, BigInteger serial) {
	if ((certificates == null) || (certificates.length == 0)) {
		return null;
	}

	ArrayList certificateList = new ArrayList();
	for (int i = 0; i < certificates.length; i++) {
		java.security.cert.X509Certificate certificate = certificates[i];
		if ((certificate.getIssuerDN().getName().equals(issuer)) && (certificate.getSerialNumber().equals(serial))) {
			certificateList.add(certificate);
		}
	}

	if (certificateList.size() == 0) {
		return null;
	}

	java.security.cert.X509Certificate[] matchedCertificates = new java.security.cert.X509Certificate[certificateList
			.size()];
	certificateList.toArray(matchedCertificates);
	return matchedCertificates;
}

As you can see, the issuer parameter is being compared with the issuer from the certificate. And here comes the weird part: while the issuer parameter contains an issuer like

"OU=J2EE,CN=EXAMPLE"

the issuer retrieved from the certificate is

"OU=J2EE, CN=EXAMPLE"

(see toString() of java.security.cert.X509Certificate)

You see the missing whitespace after the comma? This is the reason why the if condition fails and you get something like

java.security.SignatureException: Certificate (Issuer="OU=J2EE,CN=EXAMPLE", S/N=1234) not found.

A workaround (a really UGLY one, I admit) is the following:

1. Open com.sap.security.api.jar with a ZIP tool and delete

/com/sap/security/api/ticket/TicketVerifier.class

2. Copy the decompiled version of TicketVerifier to the Java class /com/sap/security/api/ticket/TicketVerifier.java

3. Change

for (int i = 0; i < certificates.length; i++) {
	java.security.cert.X509Certificate certificate = certificates[i];
	if ((certificate.getIssuerDN().getName().equals(issuer)) && (certificate.getSerialNumber().equals(serial))) {
		certificateList.add(certificate);
	}
}

to

for (int i = 0; i < certificates.length; i++) {
	X509Certificate certificate = certificates[i];
	String dnNameFromCert = certificate.getIssuerDN().getName().replaceAll(", ", ",");
	BigInteger serialNumberFromCert = certificate.getSerialNumber();
	if ((dnNameFromCert.equals(issuer)) && (serialNumberFromCert.equals(serial))) {
		certificateList.add(certificate);
	}
}

4. Package this class into a jar and make it available in your classpath.

5. Enjoy

To me, this is a huge bug in the SAP library and has to be fixed.

Regards

Matthias

Edited by: Matthias82 on Sep 29, 2011 12:47 PM
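The DN mismatch described in the post can be handled without editing the string, since the whitespace after the comma is a formatting detail of the provider's toString(), not part of the name. The following is an added example, not code from the post or from SAP's library: a replacement findCertificates that compares issuers through javax.security.auth.x500.X500Principal in canonical form (so "OU=J2EE,CN=EXAMPLE" and "OU=J2EE, CN=EXAMPLE" compare equal, which a replaceAll(", ", ",") only approximates), and that compares serials as BigInteger, which also shows why the decimal 1234567890 from the first post and its keytool hex form 499602d2 are the same value. The class and helper names are assumptions.

```java
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.x500.X500Principal;

public class IssuerMatch { // hypothetical class name, not part of the SAP API

    // True when both strings denote the same X.500 name. Both are parsed as
    // distinguished names and compared in the canonical string form (RFC 2253
    // layout, lower-cased, whitespace-normalised), so "OU=J2EE,CN=EXAMPLE" and
    // "OU=J2EE, CN=EXAMPLE" match without any replaceAll() on the raw text.
    static boolean sameIssuer(String dnFromTicket, String dnFromCert) {
        String a = new X500Principal(dnFromTicket).getName(X500Principal.CANONICAL);
        String b = new X500Principal(dnFromCert).getName(X500Principal.CANONICAL);
        return a.equals(b);
    }

    // keytool -list -v prints the serial in hex (e.g. "499602d2"); the SAP
    // exception prints it in decimal. The certificate itself carries a number,
    // so converting the keytool text to a BigInteger makes the notation moot.
    static BigInteger serialFromKeytoolHex(String hex) {
        return new BigInteger(hex.trim().replace(":", ""), 16);
    }

    // Replacement for TicketVerifier.findCertificates. Returns an empty list
    // rather than null when nothing matches.
    static List<X509Certificate> findCertificates(X509Certificate[] certificates,
                                                  String issuer, BigInteger serial) {
        List<X509Certificate> matched = new ArrayList<X509Certificate>();
        if (certificates == null) {
            return matched;
        }
        for (X509Certificate cert : certificates) {
            // getIssuerX500Principal() yields the RFC 2253 string directly and
            // avoids the provider-specific toString() behind getIssuerDN().
            String certIssuer = cert.getIssuerX500Principal().getName();
            if (sameIssuer(issuer, certIssuer) && serial.equals(cert.getSerialNumber())) {
                matched.add(cert);
            }
        }
        return matched;
    }

    public static void main(String[] args) {
        // The two issuer spellings quoted in the post, compared both ways.
        System.out.println("String.equals:  " + "OU=J2EE,CN=EXAMPLE".equals("OU=J2EE, CN=EXAMPLE"));
        System.out.println("X500Principal:  " + sameIssuer("OU=J2EE,CN=EXAMPLE", "OU=J2EE, CN=EXAMPLE"));
        // The serial from the first post, in decimal and in keytool's hex notation.
        System.out.println("Serial equal:   " + new BigInteger("1234567890").equals(serialFromKeytoolHex("499602d2")));
    }
}
```

Canonical comparison also ignores case in attribute values, which follows the X.500 matching rules; if an exact byte-for-byte issuer match is required instead, compare the encoded issuer via getIssuerX500Principal().getEncoded().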

Former Member
0 Kudos

Hi,

Thanks for your efforts and response.

The problem still persists.

As you indicated, I have recompiled com/sap/security/api/ticket/TicketVerifier.class and tried to process the ticket.

It failed with the following exception:

[9/29/11 19:43:35:415 GMT+05:30] 00000031 TAI4SAP       I com.ibm.tai.sap.TAI4SAP getCookieFromArray  Found Cookie - Name: LtpaToken Value: 
[9/29/11 19:43:35:425 GMT+05:30] 00000031 TAI4SAP       I com.ibm.tai.sap.TAI4SAP getCookieFromArray  Found Cookie - Name: JSESSIONID Value: (J2EE7557600)ID0376188251DB00876309990234114200End
[9/29/11 19:43:35:426 GMT+05:30] 00000031 TAI4SAP       I com.ibm.tai.sap.TAI4SAP getCookieFromArray  Found Cookie - Name: MYSAPSSO2 Value: AjExMDAgABRwb3J0YWw6QWRtaW5pc3RyYXRvcogAE2Jhc2ljYXV0aGVudGljYXRpb24BAAACAAMwMDADAANERVAEAAwyMDExMDkyOTA5MjcFAAQAAAAICgAA%2FwEGMIIBAgYJKoZIhvcNAQcCoIH0MIHxAgEBMQswCQYFKw4DAhoFADALBgkqhkiG9w0BBwExgdEwgc4CAQEwIjAdMQwwCgYDVQQDEwNERVAxDTALBgNVBAsTBEoyRUUCAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTExMDkyOTA5MjczNlowIwYJKoZIhvcNAQkEMRYEFCi7%2FIxHbjbQfhz6YOynLQiIkTn!MAkGByqGSM44BAMEMDAuAhUA21ZitVG%2FN4weVBBdhs!QcuSSxWACFQDcpCV3rt%2F4gdO1IiPSNNnhaoTWwg%3D%3D
[9/29/11 19:43:35:433 GMT+05:30] 00000031 TAI4SAP       I com.ibm.tai.sap.TAI4SAP isTargetInterceptor Found cookie in request
[9/29/11 19:43:35:434 GMT+05:30] 00000031 TAI4SAP       I com.ibm.tai.sap.TAI4SAP getCookieFromArray  Found Cookie - Name: LtpaToken Value: 
[9/29/11 19:43:35:445 GMT+05:30] 00000031 TAI4SAP       I com.ibm.tai.sap.TAI4SAP getCookieFromArray  Found Cookie - Name: JSESSIONID Value: (J2EE7557600)ID0376188251DB00876309990234114200End
[9/29/11 19:43:35:446 GMT+05:30] 00000031 TAI4SAP       I com.ibm.tai.sap.TAI4SAP getCookieFromArray  Found Cookie - Name: MYSAPSSO2 Value: AjExMDAgABRwb3J0YWw6QWRtaW5pc3RyYXRvcogAE2Jhc2ljYXV0aGVudGljYXRpb24BAAACAAMwMDADAANERVAEAAwyMDExMDkyOTA5MjcFAAQAAAAICgAA%2FwEGMIIBAgYJKoZIhvcNAQcCoIH0MIHxAgEBMQswCQYFKw4DAhoFADALBgkqhkiG9w0BBwExgdEwgc4CAQEwIjAdMQwwCgYDVQQDEwNERVAxDTALBgNVBAsTBEoyRUUCAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTExMDkyOTA5MjczNlowIwYJKoZIhvcNAQkEMRYEFCi7%2FIxHbjbQfhz6YOynLQiIkTn!MAkGByqGSM44BAMEMDAuAhUA21ZitVG%2FN4weVBBdhs!QcuSSxWACFQDcpCV3rt%2F4gdO1IiPSNNnhaoTWwg%3D%3D
[9/29/11 19:43:35:447 GMT+05:30] 00000031 TAI4SAP       I com.ibm.tai.sap.TAI4SAP verifyTicketInfo Cookie value is read and converted to base64
[9/29/11 19:43:35:448 GMT+05:30] 00000031 TAI4SAP       I com.ibm.tai.sap.TAI4SAP verifyTicketInfo SAP Verifier is verifying following ticket "AjExMDAgABRwb3J0YWw6QWRtaW5pc3RyYXRvcogAE2Jhc2ljYXV0aGVudGljYXRpb24BAAACAAMwMDADAANERVAEAAwyMDExMDkyOTA5MjcFAAQAAAAICgAA/wEGMIIBAgYJKoZIhvcNAQcCoIH0MIHxAgEBMQswCQYFKw4DAhoFADALBgkqhkiG9w0BBwExgdEwgc4CAQEwIjAdMQwwCgYDVQQDEwNERVAxDTALBgNVBAsTBEoyRUUCAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTExMDkyOTA5MjczNlowIwYJKoZIhvcNAQkEMRYEFCi7/IxHbjbQfhz6YOynLQiIkTn!MAkGByqGSM44BAMEMDAuAhUA21ZitVG/N4weVBBdhs!QcuSSxWACFQDcpCV3rt/4gdO1IiPSNNnhaoTWwg=="
[9/29/11 19:43:35:878 GMT+05:30] 00000031 TAI4SAP       E com.ibm.tai.sap.TAI4SAP verifyTicketInfo Could not verify SAP SSO Ticket
                                 com.ibm.tai.sap.TicketVerifierException: Error in verifying ticket Certificate (Issuer="OU=J2EE,CN=DEP", S/N=0) not found.
	at com.ibm.tai.sap.SAPTicketVerifier.verifyTicket(SAPTicketVerifier.java:128)
	at com.ibm.tai.sap.TAI4SAP.verifyTicketInfo(TAI4SAP.java:268)
	at com.ibm.tai.sap.TAI4SAP.validateEstablishedTrust(TAI4SAP.java:158)
	at com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablishedTrust(TAIWrapper.java:127)
	....
Caused by: java.security.SignatureException: Certificate (Issuer="OU=J2EE,CN=DEP", S/N=0) not found.
	at com.sap.security.core.ticket.imp.Ticket.verify(Ticket.java:1016)
	at com.ibm.tai.sap.SAPTicketVerifier.verifyTicket(SAPTicketVerifier.java:118)
	... 29 more

[9/29/11 19:43:35:881 GMT+05:30] 00000031 TAI4SAP       I com.ibm.tai.sap.TAI4SAP validateEstablishedTrust Invalid SAP Ticket
[9/29/11 19:43:35:881 GMT+05:30] 00000031 WebAuthentica E   SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: Invalid SAP Ticket
	at com.ibm.tai.sap.TAI4SAP.validateEstablishedTrust(TAI4SAP.java:161)
	...
[9/29/11 19:43:35:882 GMT+05:30] 00000031 WebCollaborat A   SECJ0056E: Authentication failed for reason Invalid SAP Ticket

Edited by: santosh Malavade on Sep 30, 2011 1:19 PM

Former Member
0 Kudos

This is in continuation of my previous response.

I have generated a new SAPLogonTicketKeyPair certificate with the issuer DN CN=DEP.

It failed with the following exception:


[9/30/11 16:23:56:759 GMT+05:30] 00000014 TAI4SAP       I com.ibm.tai.sap.TAI4SAP verifyTicketInfo SAP Verifier is verifying following ticket "AjExMDAgABBwb3J0YWw6UDAwMTAxOTU5iAATYmFzaWNhdXRoZW50aWNhdGlvbgEACVAwMDEwMTk1OQIAAzAwMAMAA0RFUAQADDIwMTEwOTMwMTA1MwUABAAAAAgKAAlQMDAxMDE5NTn/APkwgfYGCSqGSIb3DQEHAqCB6DCB5QIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHFMIHCAgEBMBcwDjEMMAoGA1UEAxMDREVQAgUA!guh9jAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTEwOTMwMTA1MzQxWjAjBgkqhkiG9w0BCQQxFgQUpx3EfcX3jEoDb0w6gTNUIo!bWZ0wCQYHKoZIzjgEAwQvMC0CFBKBp5IlkrL1HlXWmBc4SnwQCJ9dAhUAhXessqqp/dQDrhcYU4WgLxnqeyw="
[9/30/11 16:23:56:761 GMT+05:30] 00000014 TAI4SAP       E com.ibm.tai.sap.TAI4SAP verifyTicketInfo Could not verify SAP SSO Ticket
                                 com.ibm.tai.sap.TicketVerifierException: Error in verifying ticket Certificate (Issuer="CN=DEP", S/N=4195066358) not found.


I have tried one more option: I have set up a standalone UME. It failed too. In the case of the standalone UME, I am not able to set the logging properties; it is not generating any logs.

Former Member
0 Kudos

Hi,

Maybe the following information will help you in sorting it out...

While trying the standalone UME option, I activated DEBUG logging for the following location:

com.sap.security.core.ticket.imp.Ticket


	Sep 30, 2011 6:51:48 PM  ...vices.security.authentication.loginmodule.ticket.Ticket() [Thread[main,5,main]] Debug": No native ticket signer available. 
[EXCEPTION]
 java.lang.ClassNotFoundException: com.sap.security.ticket.JNIUtils
	at java.lang.Class.forName(Class.java:152)
	at com.sap.security.core.ticket.imp.Ticket.<init>(Ticket.java:270)
	at SSO.main(SSO.java:198)

Am I missing any jar file?

Rgds,

Santosh