Dear Expert,
I am trying to configure Single Sign-On using the SSO2 logon ticket between the gateway and HANA DB. The trust relationship is a single-direction trust from the gateway to HANA (only HANA trusts the gateway, and the gateway does not need to trust HANA). We have achieved that in our DEV system, but now it does not work in our AT system. We have checked that all necessary configuration is completed on both the gateway side and the HANA side, just as we did in the DEV system.
We used the SAPSSOEXE method to verify the logon ticket issued from the gateway, but it failed, which means the logon ticket issued from the gateway cannot be accepted by HANA. Here are the level 2 trace file details:
---------------------------------------------------
trc file: "tracefile", trc level: 2, release: "720"
---------------------------------------------------
[Thr 6628] Wed Mar 19 19:26:56 2014
[Thr 6628] Initializing SAPSSOEXT Version 8
[Thr 6628] Built at Jul 10 2013 00:18:47 using release 720, patch 436
[Thr 6628] PC with Windows NT on multithread environment with (SAP_CHAR/size_t/void* = 8/64/64)
[Thr 6628] DlLoadLib success: LoadLibrary("sapsecu.dll"), hdl 0, addr 0000000010000000
[Thr 6628] using "C:\Users\C5180597.GLOBAL\Desktop\Xian‘ an Su\07_SAML+WEB Dispatcher\SAML 2.0 config\PSE test tool\windows64\ssosample\C\sapsecu.dll"
[Thr 6628] Initializing SSF Library Version
[Thr 6628] SAPSECULIB Version 5.4.28M-6
[Thr 6628] Ticket key as new PSE loaded
[Thr 6628] *** ERROR => SsfVerify failed (see note 1055856). [ssoxxsgn.c 144]
[Thr 6628] SsfVerify returned 7 :: SSF_API_UNKNOWN_PAB :: Priv.Addr.Book (PSE file) not found.
[Thr 6628] MYSAPSSO2 ticket last error from SSF: ERROR in af_open: (4356) PSEFile
[Thr 6628] ERROR in secsw_open: (4356) PSEFile
[Thr 6628] ERROR in sec_parse_PSEInfo_cont: (4356) PSEFile
[Thr 6628] ERROR in d_PSEFile: (18) decoding error for : "PSEFile"
[Thr 6628] .
[Thr 6628] SsfVerify returned null for SignerList.
[Thr 6628] *** ERROR => ValidateTicket failed with rc = 20 and ssf_rc = 7. [ssoxxapi.c 235]
[Thr 6628] *** ERROR => Validate ticket failed with rc=458772. [ssoxxext.c 542]
[Thr 6628] *** ERROR => MySapEvalLogonTicketEx returns 458772. [ssoxxext.c 969]
The verify PSE file and the logon ticket are both OK. Could you please help resolve this issue?
Best regards,
Xian' an