Channel: SCN: Message List - Security

AS ABAP as a ticket-issuing and a ticket-accepting system issue


I am trying to set up SSO so that I can have the same AS ABAP system issue and receive a logon ticket. I have set the profile parameters login/create_sso2_ticket and login/accept_sso2_ticket both equal to 1. The way I test this is to run the CREATE_RFC_REENTRANCE_TICKET function module with SE37 and copy/paste the resulting ticket into a .NET program that uses the SAP .NET connector; it tries to connect to the system using this ticket in the MYSAPSSO2 property. The error I receive is "Cannot check issuer of SSO ticket".

In transaction STRUSTSSO2 in client 000 I started from scratch by creating a new system PSE, which generates its own self-signed certificate. I have added the certificate to the list as well as to the ACL. The client I chose when adding to the ACL is the client I am testing in, which is 800. In transaction SSFA there is one application-specific item for Logon Ticket using SAPSECULIB. When I run SSO2 without populating anything, a destination is automatically created with the host and instance number. Then, running SSO2 again and selecting that destination, all lights are green.

I ran a trace in SM19 and the log in SM20 shows an RFC logon error of type T (Logon Ticket) and code 22 (Check of logon ticket digital signature failed). The work process trace shows the following:

ACTIVE TRACE LEVEL 2
*  ACTIVE TRACE COMPONENTS      all, N
*
N Tue Nov 17 08:17:26 2015
N  dy_signi_ext: LOGON TICKET logon (client 800)
N  mySAPUnwrapTicket: was called.
N HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.
N HmskiFindTicketInCache: Try to find ticket with cache key: 800:16D6C23C8C948DC549BA7441D2B11083 .
N HmskiFindTicketInCache: Couldn't find ticket in ticket cache.
N  mySAP: Got the following SSF Params:
N         DN =CN=DM1, OU=I00********, OU=SAP Web AS, O=SAP Trust Community, C=DE
N         EncrAlg =DES-CBC
N         Format  =PKCS7
N         Toolkit =SAPSECULIB
N         HashAlg =SHA1
N         Profile =/usr/sap/DM1/DVEBMGS00/sec/SAPSYS.pse
N         PAB     =/usr/sap/DM1/DVEBMGS00/sec/SAPSYS.pse
N  Got the codepage 4103.
N  Got ticket (head) AjQxMDMBABhHAFAARQBUAEUAUgBTAE8ATgAgACAA. Length = 200.
N  *** ERROR => SsfVerify failed (see note 1055856). [ssoxxsgn.c   144]
N {root-id=36344232424235353634423242423535}_{conn-id=00000000000000000000000000000000}_0
N   SsfVerify returned 12 :: SSF_API_DECODE_FAILED :: Could not decode input.
N  MYSAPSSO2 ticket SSF error description: SsfDecode operation failed .
N   SsfVerify returned null for SignerList.
N  *** ERROR => ValidateTicket failed with rc = 20 and ssf_rc = 12. [ssoxxapi.c   235]
N  *** ERROR => Ticket validation failed with rc = 20 and ssf_rc = 12. [ssoxxkrn.c   958]
N  dy_signi_ext: ticket issuer not verified
M SecAudit(check_daily_file): audit file opened /usr/sap/DM1/DVEBMGS00/log/audit_20151117
N Tue Nov 17 08:18:46 2015

Note: I put the **** in the OU value.

I looked at note 1055856 but could not make head or tail of it. I have also tried exporting the self-signed certificate to the database and the address book. It seems to me that the system either cannot decode the ticket (so perhaps I cannot just copy and paste the ticket), or it does not like its own certificate?

I am a functional consultant trying to work my way through this one, so please feel free to point out the obvious that I must be missing!

Thanks in advance,

Grant
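The ticket pasted into MYSAPSSO2 is a base64 string with a fixed outer layout (version byte, 4-byte codepage, then info units with a one-byte ID and two-byte length, the last one being the PKCS#7 signature), and that layout can be sanity-checked on the client side before the certificate setup is suspected. The Python below is an added example, not code from the original post or from SAP: the info-unit IDs and the codepage mapping are assumptions taken from public descriptions of the logon ticket format, and the sample ticket is constructed and unsigned.

```python
import base64
import struct

# Info-unit IDs of the SAP logon ticket layout (assumption: from public descriptions
# of the MYSAPSSO2 format; IDs not listed here are reported by number).
UNIT_NAMES = {0x01: "user", 0x02: "client", 0x03: "sysid", 0x04: "created",
              0x05: "valid_hours", 0x06: "valid_minutes", 0xFF: "signature"}
# SAP codepage number -> Python codec (assumption, common Unicode cases only).
CODEPAGES = {"4103": "utf-16-le", "4102": "utf-16-be", "4110": "utf-8", "1100": "latin-1"}


def parse_ticket(b64: str) -> dict:
    """Decode the outer layout of a MYSAPSSO2 ticket without verifying it:
    1 version byte, 4 ASCII codepage bytes, then info units of 1-byte ID,
    2-byte big-endian length, body. The 0xFF unit is the PKCS#7 signature
    and is only measured, never decoded."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) < 5:
        raise ValueError("shorter than the version+codepage header")
    codepage = raw[1:5].decode("ascii")
    codec = CODEPAGES.get(codepage, "latin-1")
    result = {"version": raw[0], "codepage": codepage, "units": {}, "truncated": False}
    pos = 5
    while pos < len(raw):
        if pos + 3 > len(raw):          # unit header itself is cut off
            result["truncated"] = True
            break
        uid, length = raw[pos], struct.unpack(">H", raw[pos + 1:pos + 3])[0]
        body = raw[pos + 3:pos + 3 + length]
        if len(body) < length:          # body runs past the end of the data
            result["truncated"] = True
        name = UNIT_NAMES.get(uid, f"unit_{uid:02x}")
        if uid == 0xFF:
            result["units"][name] = len(body)
        else:
            result["units"][name] = body.decode(codec, errors="replace").strip()
        pos += 3 + length
    result["has_signature"] = "signature" in result["units"]
    return result


def build_ticket(units, codepage="4103") -> str:
    # Assemble a constructed, unsigned sample ticket for exercising the parser.
    raw = bytes([0x02]) + codepage.encode("ascii")
    for uid, body in units:
        raw += bytes([uid]) + struct.pack(">H", len(body)) + body
    return base64.b64encode(raw).decode("ascii")


# Constructed sample: user padded to 12 chars as in a real ticket, dummy signature unit.
SAMPLE_TICKET = build_ticket([(0x01, "DEMOUSER".ljust(12).encode("utf-16-le")),
                              (0x02, "800".encode("utf-16-le")),
                              (0x03, "DM1".encode("utf-16-le")),
                              (0xFF, b"\x30\x82" + b"\x00" * 10)])  # placeholder, not PKCS#7
```

A pasted ticket that parses with `truncated` set, or without a signature unit at the end, was cut short when it was copied out of SE37, which is worth ruling out before going back to STRUSTSSO2; `parse_ticket(SAMPLE_TICKET[:40])` shows what such a cut-off copy looks like.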
