cancel
Showing results for 
Search instead for 
Did you mean: 

SAP Logon Ticket-based Single Sign-On - Exception

Former Member
0 Kudos

Hi everyone,

For doing SSO for non-sap java based applications, i followed the weblog by Robert Chu (very good weblog).

The sample code given here is working fine with my local tomcat and a local sandbox EP available with me (SP9). But when i am now trying this is our Dev server (SP11) i am getting exceptions. I have followed all the steps. Also i have checked that the domains are same. Still geting the error. The cookie is also getting passed...

<i>exception

com.sap.test.TicketVerifierException: Error in verifying ticket Certificate (Issuer="CN=RID", S/N=0) not found.

at com.sap.test.SAPTicketVerifier.verifyTicket(SAPTicketVerifier.java:147)

at com.sap.test.TicketVerifierServlet.getUserFromRequest(TicketVerifierServlet.java:97)

at com.sap.test.TicketVerifierServlet.doPost(TicketVerifierServlet.java:80)

at com.sap.test.TicketVerifierServlet.doGet(TicketVerifierServlet.java:68)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)

at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)

at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)

at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)

at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)

at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)

at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)

at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2416)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)

at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)

at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)

at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)

at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)

at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)

at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)

at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)

at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)

at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)

at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)

at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:263)

at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)

at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:604)

at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:562)

at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:679)

at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)

at java.lang.Thread.run(Thread.java:534)

Caused by: java.security.SignatureException: Certificate (Issuer="CN=RID", S/N=0) not found.

at com.sap.security.core.ticket.imp.Ticket.verify(Ticket.java:849)

at com.sap.test.SAPTicketVerifier.verifyTicket(SAPTicketVerifier.java:132)

... 36 more</i>

I also tried in another server(also sp11) but there i am getting another exception ...

<i>com.sap.test.TicketVerifierException: Error in verifying ticket class configured for Signature(provider: IAIK)cannot be found.

iaik.security.dsa.RawDSA

at com.sap.test.SAPTicketVerifier.verifyTicket(SAPTicketVerifier.java:147)

at com.sap.test.TicketVerifierServlet.getUserFromRequest(TicketVerifierServlet.java:97)

at com.sap.test.TicketVerifierServlet.doPost(TicketVerifierServlet.java:80)

at com.sap.test.TicketVerifierServlet.doGet(TicketVerifierServlet.java:68)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)

at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)

at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)

at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)

at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)

at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)

at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)

at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2416)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)

at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)

at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)

at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)

at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)

at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)

at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)

at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)

at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)

at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)

at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)

at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:263)

at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)

at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:604)

at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:562)

at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:679)

at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)

at java.lang.Thread.run(Thread.java:534)

Caused by: java.security.NoSuchAlgorithmException: class configured for Signature(provider: IAIK)cannot be found.

iaik.security.dsa.RawDSA

at java.security.Security.doGetImpl(Security.java:1145)

at java.security.Security.doGetImpl(Security.java:1084)

at java.security.Security.getImpl(Security.java:1045)

at java.security.Signature.getInstance(Signature.java:169)

at com.sap.security.core.ticket.imp.Ticket.verify(Ticket.java:899)

at com.sap.test.SAPTicketVerifier.verifyTicket(SAPTicketVerifier.java:132)

... 36 more</i>

Both the exceptions are diff..

Can somebody help me out with this. I am suspecting that there is something wrong with the verify.der or maybe with the impored JAR files (version problem). But can somebody point me in right direction.

Any kind of pointers will be helpfull....

Regards

Gaurav Gandhi

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Try using verify.pse file...

Download it...Put it in some location on the server.

Give the path of the file as "/usr/sap/...../verify_servername.pse" in the JSP.

Hope that helps.

Thanks.

JP

Former Member
0 Kudos

Hi John

Thanx for this..i will try this out and let you know.. but not confident whether it will work bcos that article tells to use the verify.der file. Now when i am trying to access the link for SSO to non-SAP Java Appli, i am getting 404 Error in SDN, SDN has moved it i suppose. Can you tell me where will i find the old SDN articles..i am getting 404 Error on this link https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/enabling single sign-on from sap j2ee engine to non-sap java applications.article

I will try now with the PSE file in the servlet sample code which i got from the article..

Regards

Gaurav Gandhi

Former Member
0 Kudos

Hi John

I tried using the verify.pse instead of verify.pse but it does not work. I am not even able to import this .pse file into the Key Store.

I got the following exception at command prompt while importing the file into Key Stokeytool error:

<u>java.lang.Exception: Input not an X.509 certificatere.</u>

The .pse file is not a certificate or is it?

Please help me and tell me what to do now. Is there any other solution for these exceptions??

Regards

Gaurav Gandhi

Former Member
0 Kudos

I think the weblog has been removed for some reason.

But I can send you if you can give me your mailID.

And from experience...you need not import the .pse file into the Key Store at all...

Just put the .pse file into the server and specify the path of the .pse file in the JSP.

It worked for me...

All the best...

JP

Former Member
0 Kudos

Hi JP,

Actually the weblog which i used

SAP Logon Ticket-based Single Sign-On

is still there at this link: https://www.sdn.sap.com/sdn/weblogs.sdn?blog=/pub/wlg/960. [original link is broken] [original link is broken] [original link is broken] [original link is broken] [original link is broken] [original link is broken]

In this there is a section

If your backend is a Java application running on a non-SAP application server, you can insert some code into your application so it can accept the SAP logon ticket, retrieve the user id from the ticket, and grant access basing on the user id. Tim Mullé and Stephan Boecker have discussed how to do so <u>here</u>.

In this the here takes you to https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/enabling Single Sign-On from SAP J2EE Engine to Non-SAP Java Applications.article and this link is missing. If you have this acticle please send me to gauravfeb10@gmail.com

Also regarding the KeyStore, i was actually following the steps given in that article and the sample code was i was using is also for verify.der and not verify.pse.

So i dont know what code is to be modified if i need to use veify.pse and not include it in portal.store.

If you have all the correct steps for implementing SSO (any doc, link etc) plz send me the code ot the link. If possible explain.

Please let me know everything in detail..(which path, which JSP you are talking abt)

Regards

Gaurav Gandhi

Former Member
0 Kudos

Hope you got my mail...

Was it a success?

Regards,

JP

Former Member
0 Kudos

Hi John..

I got your mail just now..I have replied to it...Do check your mail please..

Thanx a lot John

Regards

Gaurav Gandhi

Former Member
0 Kudos

Hi John,

Thanks for all your help and support. The problem has been resolved now and now i will move that code to my other EP Environments.

I also sent u one last mail. Kindly check that one and if possible please reply to that...

Thanx a lot

Regards

Gaurav Gandhi

Former Member
0 Kudos

Hello Gurav,

I am implementing SSO between EP 6.0 and SRM 4.0.

I have imported the public keys into the SRM's ACL

I also made the following changes

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 0

I have created a system in portal with the SRM's properties.

However, when I test the connection between the connection using SAPLOGONTICKET as the Logon Method, the ITS test is ok, but the other Connector tests fails.

After making all the configuratio settings how do I test that SSO is working?

Thank you

Former Member
0 Kudos

Have you installed sapjco. Check out the following weblog.

https://www.sdn.sap.com/sdn/weblogs.sdn?blog=/pub/wlg/1853 [original link is broken] [original link is broken] [original link is broken] [original link is broken] [original link is broken] [original link is broken] [original link is broken]

SamuliKaski
Active Participant
0 Kudos

Please check your UME settings. If you are using LOGONTICKET make sure that your portal user ID also exists in your SRM system. If you are using UID & PW make sure you have maintained User Mapping.

Former Member
0 Kudos

Hello Gaurav/John,

I am unable to find the code for the SSO Demo at the location :

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/security/enabling single sign-on from sap j2ee engine to non-sap java applications.article

I would be grateful if you could indicate to me via email the exact location for downloading the supporting source code

samples [zip] and the war file ....

many thanks,

ws_dev2001@yahoo.com

Former Member
0 Kudos

Hello Gaurav/John,

I am unable to find the code for the SSO Demo at the location :

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/security/enabling single sign-on from sap j2ee engine to non-sap java applications.article

I would be grateful if you could indicate to me via return email the exact location for downloading the supporting source code

samples [zip] and the war file ....

many thanks,

ws_dev2001@yahoo.com

Former Member
0 Kudos

Hope you got my mail.

All the best.

Regards,

JP

Former Member
0 Kudos

Could someone please send it to me, too? Thx.

Former Member
0 Kudos

I cannot open the link associated with the below article can anyone help me where can i found this doc.

If your backend is a Java application running on a non-SAP application server, you can insert some code into your application so it can accept the SAP logon ticket, retrieve the user id from the ticket, and grant access basing on the user id. Tim Mullé and Stephan Boecker have discussed how to do so here.

Thanks,

Naveen

Former Member
0 Kudos

Can you send me the article too?

Thanks

nick987nick123@yahoo.com

Former Member
0 Kudos

Hi John,

Can you please send me the referred weblog at koride.nagaraju@gmail.com.

THNguyen
Participant
0 Kudos

Hi John,

Could you please kindly send the me source code example and .war file for the article "Enabling Single Sign-On from SAP J2EE Engine-EP to Non-SAP Java Applications" by Tim Mullé, Stephan Boecker.

the_hung_nguyen@yahoo.com

Many thanks in advance.

The-Hung Nguyen

Former Member
0 Kudos

Hi John and guys,

Can you send me the link and app too.

Thanks in advance,

Igor ikravzov@nrx.com

Former Member
0 Kudos

Hi all,

Can you send me the documentation and the application file ? I'm not able to download from a link.

p79@libero.it

Thanks a lot.

Stefano

Former Member
0 Kudos

Hope you all (rabihr@yahoo.com, nick987nick123@yahoo.com, the_hung_nguyen@yahoo.com, koride.nagaraju@gmail.com, ikravzov@nrx.com, p79@libero.it) got my mail.

Hope that helps.

Former Member
0 Kudos

Can you please email me the doc at shahketul@gmail.com

Former Member
0 Kudos

Hello John,

I really appreciate the SDN, but I am a bit disappointed about the numerous dead links that I discovered so far.

The practice of requesting the removed article and example source-code by mail seems not to match the blogging philosophy...

Nevertheless, I also have the task to integrate a non-SAP application into the SAP portal, so I would really appreciate if you send me the information to i_kellner"at"web.de.

And maybe it is possible to make these resources available to the public again, so that the blog discusses the technology and is not bloated with email requests...

Regards, Ingmar Kellner

Former Member
0 Kudos

Hi,

Sorry...I think it's a bit late...But do you still need the docos?

Cheers

John

Answers (3)

Answers (3)

Former Member
0 Kudos

hello i get hte following exepction when i'm trying to read to MYSAPSSO2 from a non SAP application "com.sap.test.TicketVerifierException: Error in verifying ticket class configured for Signature(provider: IAIK)cannot be found."

I Implemented a working solution on our lokal development enviroment but on the customer system it don't work .

Former Member
0 Kudos

Was reading through your posts regarding SSO of SAPEP with Java Applications couldnt trace the article and code to work. I am getting exception at 

Object o[] = evalLogonTicket(Cookie, pab!=null?pab:"SAPdefault" , pwd);

saying Null Pointer exception.

Could you help me with the document you achieved/prepared this with, as I am using Spring architecture in Java and want to do with SSO for SAPEP.

I am eagerly looking forward for your kind help on the same.

As we are stuck on this activity, your sharing of the doc for the same would be of great help and highly appreciated.

thanks in advance

aditya

Former Member
0 Kudos

Hi guys,

Could someone send me article and source code?

Thanks

Artur [testinf@gazeta.pl]

Former Member
0 Kudos

Hi guys,

Could someone send me article and source code?

Thanks

Antonio

[antonio.ardito@accenture.com]

Former Member
0 Kudos

Please, email me the doc at shahketul@gmail.com

Ketul Shah.

Former Member
0 Kudos

Hello,

Can you please send me the article. Greatly appreciated.

Rabih

rabihr@yahoo.com