on 04-13-2011 10:27 PM
Hi All,
We are trying to establish SSO with a non-SAP web application using the MYSAPSSO2 cookie.
The plan is to write a Java class which can parse the MYSAPSSO2 cookie, extract the user ID and use it for single sign-on.
Following Libraries are used:
logging.jar
i18n_cp.jar
iaik_jce.jar
com.sap.security.api.jar
com.sap.security.core.jar
rscp4j.dll (this is downloaded from a SAP EP 7.0 instance running on a Windows 2003 server in our landscape).
Our source SAP EP 7.0 instance, which will be issuing the cookie, is running on Solaris.
The target application in which the cookie is parsed is running on a Windows 2003 64-bit server.
Following is the code which we are using.
import java.security.Security;
import java.security.cert.X509Certificate;
import iaik.security.provider.IAIK;
import com.sap.security.core.ticket.imp.Ticket;

// Instantiate the IAIK JCE provider and register it
IAIK provider = new IAIK();
Security.addProvider(provider);
// Instantiate the ticket
Ticket tv = new Ticket();
// Set the trusted certificates (X509Certificate[] loaded from the local keystore)
tv.setCertificates(certificates);
// Set the MYSAPSSO2 cookie value (the ticket as read from the request)
tv.setTicket(strCookie);
if (!tv.isValid()) {
    System.out.println("Ticket is not valid");
}
// Verify the ticket signature against the configured certificates
tv.verify();
isValid method is working fine - it is returning true or false exactly based on the validity.
ISSUE:
tv.verify(); ---> raises the following exception:
java.security.SignatureException-Certificate (Issuer="CN=SID,OU=XX,O=XYZ,L=LO,ST=ST,C=CO", S/N=1234567890) not found.
When analyzed, it looks like the verify method is trying to compare the issuer's serial number in integer format
but the portal is providing the serial number in hexadecimal format.
So the keystore has the certificate with the same issuer and serial number but the serial number is in hexadecimal format.
The certificate from SAP Enterprise Portal was imported to the local keystore using the keytool -import option.
Could anyone help resolve this issue?
Thanks in advance.
Any Advice Please?
Do I need to post it in a different forum?
Hi,
I'm facing the exact same problem, and I think I found the reason for the behavior described above.
The problem seems to be located at
[http://help.sap.com/javadocs/NW73/SPS01/CE/se/com.sap.se/com/sap/security/api/ticket/TicketVerifier.html#verify()]
from com.sap.security.api.jar, just like mentioned.
But the problem seems to be the issuer, not the serial number.
When decompiling com.sap.security.api.jar with JD-GUI ([http://java.decompiler.free.fr/?q=jdgui]),
you can see the following:
public static java.security.cert.X509Certificate[] findCertificates(
        java.security.cert.X509Certificate[] certificates, String issuer, BigInteger serial) {
    if ((certificates == null) || (certificates.length == 0)) {
        return null;
    }
    ArrayList certificateList = new ArrayList();
    for (int i = 0; i < certificates.length; i++) {
        java.security.cert.X509Certificate certificate = certificates[i];
        // issuer is compared as a plain string against the certificate's DN string
        if ((certificate.getIssuerDN().getName().equals(issuer)) && (certificate.getSerialNumber().equals(serial))) {
            certificateList.add(certificate);
        }
    }
    if (certificateList.size() == 0) {
        return null;
    }
    java.security.cert.X509Certificate[] matchedCertificates =
            new java.security.cert.X509Certificate[certificateList.size()];
    certificateList.toArray(matchedCertificates);
    return matchedCertificates;
}
As you can see, the issuer parameter is being compared with the issuer from the certificate. And here comes the weird stuff: while the issuer parameter contains an issuer like
"OU=J2EE,CN=EXAMPLE"
the issuer retrieved from the certificate is
"OU=J2EE, CN=EXAMPLE"
(see toString() of the java.security.cert.X509Certificate)
You see the missing whitespace after the comma? This is the reason why the if-condition fails and you get something like
java.security.SignatureException: Certificate (Issuer="OU=J2EE,CN=EXAMPLE", S/N=1234) not found.
A workaround (a really UGLY one, I admit), is the following:
1. Open com.sap.security.api.jar with a ZIP-tool and delete
/com/sap/security/api/ticket/TicketVerifier.class
2. Copy the decompiled version of TicketVerifier to the Java class /com/sap/security/api/ticket/TicketVerifier.java
3. Change
for (int i = 0; i < certificates.length; i++) {
    java.security.cert.X509Certificate certificate = certificates[i];
    if ((certificate.getIssuerDN().getName().equals(issuer)) && (certificate.getSerialNumber().equals(serial))) {
        certificateList.add(certificate);
    }
}
to
for (int i = 0; i < certificates.length; i++) {
    X509Certificate certificate = certificates[i];
    // strip the ", " separators so the DN string matches the issuer parameter
    String dnNameFromCert = certificate.getIssuerDN().getName().replaceAll(", ", ",");
    BigInteger serialNumberFromCert = certificate.getSerialNumber();
    if ((dnNameFromCert.equals(issuer)) && (serialNumberFromCert.equals(serial))) {
        certificateList.add(certificate);
    }
}
4. Package this class into a jar and make it available in your classpath.
5. Enjoy
To me, this is a huge bug in the SAP-Library and has to be fixed.
Regards
Matthias
Edited by: Matthias82 on Sep 29, 2011 12:47 PM
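A way to make the certificate lookup independent of DN whitespace, as an added example (not SAP's code and not Matthias's patch): compare the issuer as an X500Principal, whose equals() works on the canonical RFC 2253 form, instead of string-comparing getIssuerDN().getName(). IssuerMatch and sameIssuer are hypothetical names; the findCertificates signature follows the decompiled method quoted above.

```java
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/** Added example: issuer/serial matching that does not depend on DN string formatting. */
public class IssuerMatch {

    // Compare distinguished names as X500Principal values rather than as raw strings.
    // X500Principal.equals() canonicalises both sides (RFC 2253), so
    // "OU=J2EE,CN=EXAMPLE" and "OU=J2EE, CN=EXAMPLE" are treated as the same issuer.
    static boolean sameIssuer(String issuerFromTicket, X500Principal issuerFromCert) {
        return new X500Principal(issuerFromTicket).equals(issuerFromCert);
    }

    // Hypothetical replacement for the findCertificates() lookup shown in the thread.
    // The serial is compared as a BigInteger value, so whether keytool or the portal
    // displays it in decimal or hexadecimal has no effect on the comparison.
    static X509Certificate[] findCertificates(X509Certificate[] certificates,
                                              String issuer, BigInteger serial) {
        if (certificates == null || certificates.length == 0) {
            return null;
        }
        List<X509Certificate> matched = new ArrayList<>();
        for (X509Certificate certificate : certificates) {
            if (sameIssuer(issuer, certificate.getIssuerX500Principal())
                    && certificate.getSerialNumber().equals(serial)) {
                matched.add(certificate);
            }
        }
        return matched.isEmpty() ? null : matched.toArray(new X509Certificate[0]);
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the two DN spellings from the thread.
        String fromTicket = "OU=J2EE,CN=EXAMPLE";
        X500Principal fromCert = new X500Principal("OU=J2EE, CN=EXAMPLE");
        // Raw string comparison against the RFC 1779 rendering (", " separators) fails,
        // while the principal comparison succeeds.
        System.out.println("string equals:    "
                + fromTicket.equals(fromCert.getName(X500Principal.RFC1779)));
        System.out.println("principal equals: " + sameIssuer(fromTicket, fromCert));
    }
}
```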
Hi,
Thanks for your efforts and response.
The problem still persists.
As indicated by you, I have recompiled the com/sap/security/api/ticket/TicketVerifier.class and tried to process the ticket.
It failed with the following exception:
[9/29/11 19:43:35:415 GMT+05:30] 00000031 TAI4SAP I com.ibm.tai.sap.TAI4SAP getCookieFromArray Found Cookie - Name: LtpaToken Value:
[9/29/11 19:43:35:425 GMT+05:30] 00000031 TAI4SAP I com.ibm.tai.sap.TAI4SAP getCookieFromArray Found Cookie - Name: JSESSIONID Value: (J2EE7557600)ID0376188251DB00876309990234114200End
[9/29/11 19:43:35:426 GMT+05:30] 00000031 TAI4SAP I com.ibm.tai.sap.TAI4SAP getCookieFromArray Found Cookie - Name: MYSAPSSO2 Value: AjExMDAgABRwb3J0YWw6QWRtaW5pc3RyYXRvcogAE2Jhc2ljYXV0aGVudGljYXRpb24BAAACAAMwMDADAANERVAEAAwyMDExMDkyOTA5MjcFAAQAAAAICgAA%2FwEGMIIBAgYJKoZIhvcNAQcCoIH0MIHxAgEBMQswCQYFKw4DAhoFADALBgkqhkiG9w0BBwExgdEwgc4CAQEwIjAdMQwwCgYDVQQDEwNERVAxDTALBgNVBAsTBEoyRUUCAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTExMDkyOTA5MjczNlowIwYJKoZIhvcNAQkEMRYEFCi7%2FIxHbjbQfhz6YOynLQiIkTn!MAkGByqGSM44BAMEMDAuAhUA21ZitVG%2FN4weVBBdhs!QcuSSxWACFQDcpCV3rt%2F4gdO1IiPSNNnhaoTWwg%3D%3D
[9/29/11 19:43:35:433 GMT+05:30] 00000031 TAI4SAP I com.ibm.tai.sap.TAI4SAP isTargetInterceptor Found cookie in request
[9/29/11 19:43:35:434 GMT+05:30] 00000031 TAI4SAP I com.ibm.tai.sap.TAI4SAP getCookieFromArray Found Cookie - Name: LtpaToken Value:
[9/29/11 19:43:35:445 GMT+05:30] 00000031 TAI4SAP I com.ibm.tai.sap.TAI4SAP getCookieFromArray Found Cookie - Name: JSESSIONID Value: (J2EE7557600)ID0376188251DB00876309990234114200End
[9/29/11 19:43:35:446 GMT+05:30] 00000031 TAI4SAP I com.ibm.tai.sap.TAI4SAP getCookieFromArray Found Cookie - Name: MYSAPSSO2 Value: AjExMDAgABRwb3J0YWw6QWRtaW5pc3RyYXRvcogAE2Jhc2ljYXV0aGVudGljYXRpb24BAAACAAMwMDADAANERVAEAAwyMDExMDkyOTA5MjcFAAQAAAAICgAA%2FwEGMIIBAgYJKoZIhvcNAQcCoIH0MIHxAgEBMQswCQYFKw4DAhoFADALBgkqhkiG9w0BBwExgdEwgc4CAQEwIjAdMQwwCgYDVQQDEwNERVAxDTALBgNVBAsTBEoyRUUCAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTExMDkyOTA5MjczNlowIwYJKoZIhvcNAQkEMRYEFCi7%2FIxHbjbQfhz6YOynLQiIkTn!MAkGByqGSM44BAMEMDAuAhUA21ZitVG%2FN4weVBBdhs!QcuSSxWACFQDcpCV3rt%2F4gdO1IiPSNNnhaoTWwg%3D%3D
[9/29/11 19:43:35:447 GMT+05:30] 00000031 TAI4SAP I com.ibm.tai.sap.TAI4SAP verifyTicketInfo Cookie value is read and converted to base64
[9/29/11 19:43:35:448 GMT+05:30] 00000031 TAI4SAP I com.ibm.tai.sap.TAI4SAP verifyTicketInfo SAP Verifier is verifying following ticket "AjExMDAgABRwb3J0YWw6QWRtaW5pc3RyYXRvcogAE2Jhc2ljYXV0aGVudGljYXRpb24BAAACAAMwMDADAANERVAEAAwyMDExMDkyOTA5MjcFAAQAAAAICgAA/wEGMIIBAgYJKoZIhvcNAQcCoIH0MIHxAgEBMQswCQYFKw4DAhoFADALBgkqhkiG9w0BBwExgdEwgc4CAQEwIjAdMQwwCgYDVQQDEwNERVAxDTALBgNVBAsTBEoyRUUCAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTExMDkyOTA5MjczNlowIwYJKoZIhvcNAQkEMRYEFCi7/IxHbjbQfhz6YOynLQiIkTn!MAkGByqGSM44BAMEMDAuAhUA21ZitVG/N4weVBBdhs!QcuSSxWACFQDcpCV3rt/4gdO1IiPSNNnhaoTWwg=="
[9/29/11 19:43:35:878 GMT+05:30] 00000031 TAI4SAP E com.ibm.tai.sap.TAI4SAP verifyTicketInfo Could not verify SAP SSO Ticket
com.ibm.tai.sap.TicketVerifierException: Error in verifying ticket Certificate (Issuer="OU=J2EE,CN=DEP", S/N=0) not found.
at com.ibm.tai.sap.SAPTicketVerifier.verifyTicket(SAPTicketVerifier.java:128)
at com.ibm.tai.sap.TAI4SAP.verifyTicketInfo(TAI4SAP.java:268)
at com.ibm.tai.sap.TAI4SAP.validateEstablishedTrust(TAI4SAP.java:158)
at com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablishedTrust(TAIWrapper.java:127)
....
Caused by: java.security.SignatureException: Certificate (Issuer="OU=J2EE,CN=DEP", S/N=0) not found.
at com.sap.security.core.ticket.imp.Ticket.verify(Ticket.java:1016)
at com.ibm.tai.sap.SAPTicketVerifier.verifyTicket(SAPTicketVerifier.java:118)
... 29 more
[9/29/11 19:43:35:881 GMT+05:30] 00000031 TAI4SAP I com.ibm.tai.sap.TAI4SAP validateEstablishedTrust Invalid SAP Ticket
[9/29/11 19:43:35:881 GMT+05:30] 00000031 WebAuthentica E SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: Invalid SAP Ticket
at com.ibm.tai.sap.TAI4SAP.validateEstablishedTrust(TAI4SAP.java:161)
...
[9/29/11 19:43:35:882 GMT+05:30] 00000031 WebCollaborat A SECJ0056E: Authentication failed for reason Invalid SAP Ticket
Edited by: santosh Malavade on Sep 30, 2011 1:19 PM
This is in continuation of my previous response.
I have generated new SAPLogonTicketKeyPair-cert with DN of Issuer as CN=DEP
It failed with the following exception:
[9/30/11 16:23:56:759 GMT+05:30] 00000014 TAI4SAP I com.ibm.tai.sap.TAI4SAP verifyTicketInfo SAP Verifier is verifying following ticket "AjExMDAgABBwb3J0YWw6UDAwMTAxOTU5iAATYmFzaWNhdXRoZW50aWNhdGlvbgEACVAwMDEwMTk1OQIAAzAwMAMAA0RFUAQADDIwMTEwOTMwMTA1MwUABAAAAAgKAAlQMDAxMDE5NTn/APkwgfYGCSqGSIb3DQEHAqCB6DCB5QIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHFMIHCAgEBMBcwDjEMMAoGA1UEAxMDREVQAgUA!guh9jAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTEwOTMwMTA1MzQxWjAjBgkqhkiG9w0BCQQxFgQUpx3EfcX3jEoDb0w6gTNUIo!bWZ0wCQYHKoZIzjgEAwQvMC0CFBKBp5IlkrL1HlXWmBc4SnwQCJ9dAhUAhXessqqp/dQDrhcYU4WgLxnqeyw="
[9/30/11 16:23:56:761 GMT+05:30] 00000014 TAI4SAP E com.ibm.tai.sap.TAI4SAP verifyTicketInfo Could not verify SAP SSO Ticket
com.ibm.tai.sap.TicketVerifierException: Error in verifying ticket Certificate (Issuer="CN=DEP", S/N=4195066358) not found.
I have tried one more option. I have set up a standalone UME. It failed too. In the case of the standalone UME, I am not able to set the logging properties. It's not generating any logs.
Hi,
Maybe the following information will help you in sorting it out...
While trying standalone UME option, I have activated log of the following location with a DEBUG
com.sap.security.core.ticket.imp.Ticket
Sep 30, 2011 6:51:48 PM ...vices.security.authentication.loginmodule.ticket.Ticket() [Thread[main,5,main]] Debug": No native ticket signer available.
[EXCEPTION]
java.lang.ClassNotFoundException: com.sap.security.ticket.JNIUtils
at java.lang.Class.forName(Class.java:152)
at com.sap.security.core.ticket.imp.Ticket.<init>(Ticket.java:270)
at SSO.main(SSO.java:198)
Am I missing any jar file?
Rgds,
Santosh