Hey Patrick,
my linux path is ending after /usr/sap/<SAPSID>/<Instance_Name>/. There is no j2ee folder at our system. Might it be, we are missing Java at all?
How can I check this? And how can I make sure that it is absolutely needed for the username token? I guess our Basis team will kick me out if I ask them to install AS Java for this feature.
Cheers Jan
You can use function RSEC_INSERT_FLAT_AUTH for restricting key figures:
Use this function with the below parameters:
- Your authorization name (I_AUTH)
- Your range of what you want to insert - I_RANGE (InfoObject - 0TCAKYFNM; Sign - E or I ; Option - EQ; Low - The Key figure you want to exclude/Include)
Sign
This field allows you to enter either "I" or "E".
"I" (Inclusive) means that the single value or range you specified is selected itself.
"E" (Exclusive) means that the single value or range you specified is excluded from the selection. The default is "I".
Hope this helps to solve your issue.
Hi Jan,
maybe you are simply following the wrong documentation, if you are on ABAP, the steps would be different. Please see the docs for Message based authenticaiton in ABAP on this.
There is also a configuration example available.
Regards,
Patrick
Hi Otto,
Thanks,
But, i am requesting one of the functionality is not working for only one user and not for remaining 4000+ users.
Hi Charles,
I don't think that we have any such table which stores information where dialog user has user.
This table VARID will give only infomation of variants created for a particular program along with values...
Thanks
Firoz.
Hi Joe,
Q: In other words, what if I have both objects K_PCA for profit center and K_CCA for cost center, whihc use RESPAREA?
A: When you enter the values they are prefixed with the object type e.g. PC for profit centre, KS for cost centre, therefore only the relevant ones can be used for K_PCA, K_CCA, K_ORDER etc. Your profit centre values will not apply to your cost centres.
Q: Will both values show up in both objects or will only the tabs documented in table KBEROBJ be populated for each respective object?
A: The latter.
Hope that helps.
Cheers
Hello PRASANTH
can you please check below to see it helps.
http://help.sap.com/saphelp_nw04/helpdata/en/37/1a9b6a338cca448508f3a48d2d1e2d/content.htm
Best Regards,
Yong Luo
Antonio,
You would appear to be getting LDAP Error 32, which is a No Such Object Error. Check your bind credentials and make sure that the DNs are correct for the login and for the starting point that you are using.
I've often found that missing or misplaced commas can be a root cause of these issues. Typos in the DN components could also be an issue.
Let me know if you have questions
Matt
Hi Alex
We tried promoting this field using entries in a table (can't remember off-hand but we put an X in all of the fields)
It works fine.. as long as (as you said) your design allows for it.
After promotion we found that the roles now amalgamated the individual field values into one org level component thus losing the granularity it had at object level.
Reversing the promotion left us with the same amalgamated values but now in the separate auth objects rather than restoring the individual values.
Cheers
David
Hi,
I have problems establishing 2 way ssl connection between the SMP server (which acts as a client in this senario) which runs on java stack and SAP gateway system GKQ/G3T. I have imported the SAPnetCA.cer in SMP trustore and am able to establish a single(1-way ssl) between SMP and the gateway system. When i try establishing a 2-way ssl importing the signed CA into SMP keystore for G3T/GKQ i am not able to establish a connection.
the handshake logs for both server and client are provided below.
SAP GKQ server logs from SMICM
------------------------------------------------------------------------------------------------------------------------------
remote host: 10.21.84.209:57518 ()
status: NOP
connect time: 25.07.2013 14:30:44
MPI request: <0> MPI response: <0>
request_buf_size: 0 response_buf_size: 0
request_buf_used: 0 response_buf_used: 0
request_buf_offset: 0 response_buf_offset: 0
[Thr 140389356902144] MPI 19: event flag already open:7959 key=16959
[Thr 140389356902144] MPI 19: event flag already open:7958 key=16958
[Thr 140389356902144] MPI:19 create pipe 7faef63e34d8 1
[Thr 140389356902144] MPI<115d>13#1 Open( ANONYMOUS 19 1 ) -> 19
[Thr 140389356902144] MPI<115d>13#2 Open( ANONYMOUS 19 0 ) -> 19
[Thr 140389356902144] MPI 1: event flag already open:7995 key=16995
[Thr 140389356902144] MPI 1: event flag already open:7994 key=16994
[Thr 140389356902144] MPI:1 create pipe 7faef63e13a8 1
[Thr 140389356902144] MPI<115e>1#1 Open( ANONYMOUS 1 0 ) -> 1
[Thr 140389356902144] MPI<115e>1#2 Open( ANONYMOUS 1 1 ) -> 1
[Thr 140389356902144] ->> SapSSLSessionInit(&sssl_hdl=7faef635b850, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))
[Thr 140389356902144] <<- SapSSLSessionInit()==SAP_O_K
[Thr 140389356902144] in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
[Thr 140389356902144] out: sssl_hdl = 12872f0
[Thr 140389356902144] ->> SapSSLSetNiHdl(sssl_hdl=12872f0, ni_hdl=384)
[Thr 140389356902144] NiIBlockMode: set blockmode for hdl 384 TRUE
[Thr 140389356902144] SSL NI-sock: local=10.66.12.84:44380 peer=10.21.84.209:57518
[Thr 140389356902144] <<- SapSSLSetNiHdl(sssl_hdl=12872f0, ni_hdl=384)==SAP_O_K
[Thr 140389356902144] ->> SapSSLSessionStart(sssl_hdl=12872f0)
[Thr 140389356902144] NiIBlockMode: set blockmode for hdl 384 FALSE
[Thr 140389356902144] NiIHdlGetStatus: hdl 384/sock 50 ok, no data pending
[Thr 140389356902144] NiIBlockMode: set blockmode for hdl 384 TRUE
[Thr 140389356902144] SSL_get_state() returned 0x000011a1 "SSLv3 read certificate verify B"
[Thr 140389356902144] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 140389356902144] session uses PSE file "/usr/sap/GKQ/DVEBMGS80/sec/SAPSSLS.pse"
[Thr 140389356902144] SecudeSSL_SessionStart: SSL_accept() failed --
[Thr 140389356902144] secude_error 536871698 (0x20000312) = "the client did not send a certificate verify handshake message for au
[Thr 140389356902144] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 140389356902144] ERROR in ssl3_get_cert_verify: (536871698/0x20000312) the client did not send a certificate verify handshake m
[Thr 140389356902144] << ---------- End of Secude-SSL Errorstack ----------
[Thr 140389356902144] <<- ERROR: SapSSLSessionStart(sssl_hdl=12872f0)==SSSLERR_SSL_ACCEPT
[Thr 140389356902144] ->> SapSSLErrorName(rc=-56)
[Thr 140389356902144] <<- SapSSLErrorName()==SSSLERR_SSL_ACCEPT
[Thr 140389356902144] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn_mt. 1689]
[Thr 140389356902144] ->> SapSSLSessionDone(&sssl_hdl=7faef635b850)
[Thr 140389356902144] <<- SapSSLSessionDone()==SAP_O_K
[Thr 140389356902144] in: sssl_hdl = 12872f0
[Thr 140389356902144] ... ni_hdl = 384
[Thr 140389356902144] NiICloseHandle: shutdown and close hdl 384/sock 50
[Thr 140389356902144] MPI<115d>13#3 Close( 13 ) opt=4 del=0( 1 0 ) wakeup=0-> MPI_OK
[Thr 140389356902144] MPI<115d>13#5 Delete( 13 ) -> MPI_OK
[Thr 140389356902144] MPI<115d>13#4 Close( 13 ) opt=4 del=1( 0 0 ) wakeup=0-> MPI_OK
[Thr 140389356902144] MPI<115e>1#3 Close( 1 ) opt=4 del=0( 0 1 ) wakeup=0-> MPI_OK
[Thr 140389356902144] MPI<115e>1#5 Delete( 1 ) -> MPI_OK
[Thr 140389356902144] MPI<115e>1#4 Close( 1 ) opt=4 del=1( 0 0 ) wakeup=0-> MPI_OK
-----------------------------------------------------------------------------------------------------------------------------------------------------------
SMP server(client) initializes the connection and verifies server cert and provides the client cert and then gets an unexpected error due to error on SAP gateway server
Java Client ssl handshake log:
-----------------------------------------------------------------------------------------------------------------------------------------------------------
*** Finished
verify_data: { 15, 9, 188, 118, 38, 46, 235, 37, 204, 16, 76, 81 }
***
http-bio-8080-exec-7, WRITE: TLSv1 Handshake, length = 48
http-bio-8080-exec-7, READ: TLSv1 Alert, length = 2
http-bio-8080-exec-7, RECV TLSv1 ALERT: fatal, unexpected_message
%% Invalidated: [Session-9, TLS_RSA_WITH_AES_128_CBC_SHA]
http-bio-8080-exec-7, called closeSocket()
http-bio-8080-exec-7, handling exception: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
http-bio-8080-exec-7, IOException in getSession(): javax.net.ssl.SSLException: Received fatal alert: unexpected_message
http-bio-8080-exec-7, called close()
http-bio-8080-exec-7, called closeInternal(true)
------------------------------------------------------------------------------------------------------------------------------------------------------------
the entire client log is in the attached file.
hope to get some help soon, Thanks in advance.
Regards,
Anil
Hi David,
That is an unfortunate side effect. Once you do have it sorted then it works very well if your design requires it.
Cheers
Are SU01 and SU10 the only transactions you have added to the role or are there others? What does the overview icon next to the object tell you when you click it?
You'll see that the instance is of status NEW, which should be interesting.
Message was edited by: Will Dunkerley - clarity.
Hi Mayuresh
Please check the validity date of the roles assigned to the positions and also users aligned to positions in PP02.
for roles and users info type will be 1001
Subty: B007(roles)
A008(users)
For Example . 5000001 is a position and i have assigned a role X to this position with a Valid
date xx.xx.2012-- till xx.xx.2013 using pp02.
If you assign this position 5000001 to a user with validity date till.31.12.9999
Role will expired after xx.xx.2013,
please let me know if I am not clear
Hi Sunder
Run program PRGN_COMPRESS_TIMES using SE38 or SA38.
It removes duplicate roles as well as expired roles.
users vs roles can be taken from table AGR_USERS.
You Can give specific users and execute the program as well
The reason behind sap not restricting duplicate roles is , roles can be assigned directly or indirectly(position based using org structure). So it will be a total mess.
Hi Alex,
Thank you again for your response. I have just tested out this solution in our ECC 6.0 system with Enhancement Pack 4 and this is what I found:
KN Cost center group
KS Cost center
HI Cost center standard hierarchy nodes OR Order
BP Business process
BH Business process nodes
PC Profit center
PH Profit center nodes
So profit centers and cost centers are listed in both objects for authorization element RESPAREA. The question is this: Do we not care because the cost center prefixes will be disregarded in profit center authorizations and vice versa?
Thanks again for your feedback!!!
Warm Regards,
Joe Klein
There should be trusted RFC connection
Go to SM59 refresh Trusted connection to CRM production .
It should work
Basis people can help you on this
Hi Sushma
There should be trusted RFC connection
Go to SM59 refresh Trusted connection to CRM production .
It should work
Basis people can help you on this
Ah, but they are pronounced differently and this helps me to keep the two concepts appart.
Your own ECC application "Customer Tables" for debtors (KNA1 etc) are a crispy English "C". Phonetically: "Cööstöömöör".
The SU25 "Customer Tables" for your own proposals (USOBT_C etc) were developed by a german basis programmer in Walldorf who sees the world outside SU22 as his customer, so it is a heavier "K", as in "Kuhfladen" or "Kraichgau". Phonetically: "Kaastaamaa".
I would not worry about it to much... :-)
Cheers,
Julius
Hi Maram
The Last Maintained Auth object will be unchanged,even if any one of the tcodes is removed as well.
The condition here is if the two tcodes have same proposed values in Su24.
I repeat .. Maintained (you have just added values, but not changed values which are set in Su24)
Thanks
Pavan M
Hello Akshay,
Customer might be blocked in XD05 so first you unblock the customer there
then changes should be updated in XD02.
Thanks
Yogesh
