I am trying to set up SSO so that I can have the same AS ABAP system issue and receive a logon ticket. I have set the profile parameters login/create_sso2_ticket and login/accept_sso2_ticket both equal to 1. The way I test this is to run the CREATE_RFC_REENTRANCE_TICKET function module with SE37 and copy/paste the resulting ticket into a .NET program that uses the SAP .NET connector; it tries to connect to the system using this ticket in the MYSAPSSO2 property. The error I receive is “Cannot check issuer of SSO ticket”.
In transaction STRUSTSSO2 in client 000 I started from scratch by creating a new system PSE, which generates its own self-signed certificate. I have added the certificate to the list as well as to the ACL. The client I chose when adding to the ACL is the client that I am testing in, which is 800. In transaction SSFA there is one application-specific item for Logon Ticket using SAPSECULIB. When I run SSO2 without populating anything, a destination is automatically created with the host and instance number. Then running SSO2 again and selecting that destination, all lights are green.
I ran a trace in SM19 and the log in SM20 shows an RFC logon error of type T (Logon Ticket) and code 22 (Check of logon ticket digital signature failed). The work process trace shows the following:
ACTIVE TRACE LEVEL 2
* ACTIVE TRACE COMPONENTS all, N
*
N Tue Nov 17 08:17:26 2015
N dy_signi_ext: LOGON TICKET logon (client 800)
N mySAPUnwrapTicket: was called.
N HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.
N HmskiFindTicketInCache: Try to find ticket with cache key: 800:16D6C23C8C948DC549BA7441D2B11083 .
N HmskiFindTicketInCache: Couldn't find ticket in ticket cache.
N mySAP: Got the following SSF Params:
N DN =CN=DM1, OU=I00********, OU=SAP Web AS, O=SAP Trust Community, C=DE
N EncrAlg =DES-CBC
N Format =PKCS7
N Toolkit =SAPSECULIB
N HashAlg =SHA1
N Profile =/usr/sap/DM1/DVEBMGS00/sec/SAPSYS.pse
N PAB =/usr/sap/DM1/DVEBMGS00/sec/SAPSYS.pse
N Got the codepage 4103.
N Got ticket (head) AjQxMDMBABhHAFAARQBUAEUAUgBTAE8ATgAgACAA. Length = 200.
N *** ERROR => SsfVerify failed (see note 1055856). [ssoxxsgn.c 144]
N {root-id=36344232424235353634423242423535}_{conn-id=00000000000000000000000000000000}_0
N SsfVerify returned 12 :: SSF_API_DECODE_FAILED :: Could not decode input.
N MYSAPSSO2 ticket SSF error description: SsfDecode operation failed .
N SsfVerify returned null for SignerList.
N *** ERROR => ValidateTicket failed with rc = 20 and ssf_rc = 12. [ssoxxapi.c 235]
N *** ERROR => Ticket validation failed with rc = 20 and ssf_rc = 12. [ssoxxkrn.c 958]
N dy_signi_ext: ticket issuer not verified
M SecAudit(check_daily_file): audit file opened /usr/sap/DM1/DVEBMGS00/log/audit_20151117
N Tue Nov 17 08:18:46 2015
Note: I put the **** in the OU value.
I looked at note 1055856 but could not make head nor tail of it. I have also tried exporting the self-signed certificate to the database and the address book. It seems to me that the system either cannot decode the ticket so perhaps I cannot just copy and paste the ticket or it does not like its own certificate?
I am a functional consultant trying to work my way through this one so please feel free to point out the obvious that I must be missing!
Thanks in advance,
Grant
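The trace above fails inside SsfVerify with SSF_API_DECODE_FAILED ("Could not decode input") before any signer is identified, so one thing worth ruling out is that the ticket string itself is damaged on the way from SE37 to the .NET program (line breaks, truncation, a stray character) rather than the certificate or ACL being wrong. The script below is an added example, not code from the poster or from SAP: it cleans a pasted MYSAPSSO2 string, base64-decodes it, and walks the ticket's version/codepage header and its info units through to the signature unit, reporting exactly where decoding stops. The info-unit IDs and codepage mapping are my reading of the logon ticket layout and should be treated as assumptions; the demo ticket it builds uses the constructed user DEMOUSER, client 800 and system DM1 with a placeholder in place of the PKCS#7 signature, so it only checks structure and does not verify any signature.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Info-unit IDs of the SAP logon ticket as I understand the layout (assumption,
# not a quote of the specification): 1-byte ID, 2-byte big-endian length, value.
INFO_UNIT_NAMES = {
    0x01: "user",
    0x02: "client",
    0x03: "system_id",
    0x04: "create_time",
    0x05: "valid_hours",
    0x06: "rfc",
    0x07: "flags",
    0x88: "language",
    0xFF: "signature",        # PKCS#7 signature over the preceding units
}

# SAP codepage number (4 ASCII bytes after the version byte) -> Python codec.
# 4103 is the value the work-process trace reports for this ticket.
CODEPAGES = {"4103": "utf-16-le", "4102": "utf-16-be", "1100": "latin-1"}

B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


@dataclass
class Ticket:
    version: int
    codepage: str
    units: dict = field(default_factory=dict)
    signature: bytes = b""


def clean_pasted_ticket(text):
    """Strip whitespace/line breaks that a copy-paste from SE37 may add; reject anything else."""
    cleaned = "".join(text.split())
    if not B64_ALPHABET.match(cleaned):
        raise ValueError("ticket contains characters outside the base64 alphabet")
    if len(cleaned) % 4:
        raise ValueError("ticket length is not a multiple of 4: truncated or mis-pasted")
    return cleaned


def parse_ticket(text):
    """Decode a pasted ticket and walk its info units; raises ValueError at the first defect."""
    raw = base64.b64decode(clean_pasted_ticket(text), validate=True)
    if len(raw) < 5:
        raise ValueError("ticket too short for version + codepage header")
    version = raw[0]
    codepage = raw[1:5].decode("ascii")
    enc = CODEPAGES.get(codepage)
    if enc is None:
        raise ValueError(f"unknown codepage {codepage!r}")
    ticket = Ticket(version, codepage)
    pos = 5
    while pos < len(raw):
        if pos + 3 > len(raw):
            raise ValueError("truncated info-unit header")
        uid = raw[pos]
        ulen = int.from_bytes(raw[pos + 1:pos + 3], "big")
        value = raw[pos + 3:pos + 3 + ulen]
        if len(value) != ulen:
            raise ValueError(f"info unit 0x{uid:02X} truncated")
        pos += 3 + ulen
        if uid == 0xFF:
            ticket.signature = value   # left opaque: verification is SsfVerify's job
            break
        name = INFO_UNIT_NAMES.get(uid, f"unit_{uid:02X}")
        ticket.units[name] = value.decode(enc).rstrip()
    if not ticket.signature:
        raise ValueError("no signature unit (0xFF): ticket is incomplete, nothing to verify")
    return ticket


def check_pasted_ticket(text):
    """Diagnostic wrapper: (True, Ticket) if the blob is structurally sound, else (False, reason)."""
    try:
        return True, parse_ticket(text)
    except (ValueError, binascii.Error, UnicodeDecodeError) as exc:
        return False, str(exc)


def build_demo_ticket(user="DEMOUSER", client="800", sid="DM1",
                      signature=b"<placeholder-pkcs7-signature>"):
    """Construct a ticket for exercising the parser; the signature is a placeholder, not a real PKCS#7 blob."""
    def unit(uid, value):
        data = value.encode("utf-16-le") if isinstance(value, str) else value
        return bytes([uid]) + len(data).to_bytes(2, "big") + data
    body = b"\x02" + b"4103"                 # version 2, codepage 4103 (UTF-16LE)
    body += unit(0x01, user.ljust(12))        # user names are padded to 12 characters
    body += unit(0x02, client)
    body += unit(0x03, sid)
    body += unit(0x04, "201511170817")        # constructed creation time, YYYYMMDDHHMM
    body += unit(0x05, "8")
    body += unit(0xFF, signature)
    return base64.b64encode(body).decode("ascii")


if __name__ == "__main__":
    demo = build_demo_ticket()
    ok, result = check_pasted_ticket(demo)
    print("intact ticket:", ok, result.units if ok else result)
    ok, result = check_pasted_ticket(demo[:-8])
    print("truncated ticket:", ok, result)
```

Paste the string you copied out of SE37 into `check_pasted_ticket`: a `False` result pinpoints where the blob breaks (bad character, wrong length, a unit cut short), which is a transport problem to fix on the .NET side; a `True` result with the expected user and client means the ticket arrived whole and the search moves back to the PSE, the certificate list and the ACL entry for client 800.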