Channel: SCN : Popular Discussions - SAP Single Sign-On

MYSAPSSO2: ABAP backend shows empty SYSID and CLIENT


Hi,

We are trying to generate SAP Assertion Tickets using the SSOEXT library from a Java app, but our ABAP backend refuses our generated tickets.

The ABAP backend is already configured to accept logon tickets issued by Java stacks, so the general SSO config works. The certificate to sign the ticket is uploaded to the SYSTEM.PSE and an ACL entry is configured with a sysid and a client for the certificate. The serial of the certificate is correct in table TWPSSO2ACL.

We have the Java app using the SSOEXT library to generate the assertion ticket and sign it from a PSE. The sample Java code delivered with the SSOEXT library successfully validates the ticket for our receiving SID and client using the same certificate.

The ABAP stack refuses the ticket, however.

We see error 23 entries in the security audit log ("Issuer of the logon ticket/authentication assertion ticket is not in the ACL table"), but the certificate seems configured correctly for the ACL.

We see the following in the system traces via SM50; our ABAP backend is sysid BID, client 001. The assertion ticket is issued by OBD 001 for BID 001.

N Wed Jun 11 13:29:42 2014
N  dy_signi_ext: LOGON TICKET logon (client 001)
N  mySAPUnwrapTicket: was called.
N  HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.
N  HmskiFindTicketInCache: Try to find ticket with cache key: 001:10FF23995334D757C32FB93A25C9DD17 .
N  HmskiFindTicketInCache: Couldn't find ticket in ticket cache.
N  mySAP: Got the following SSF Params:
N         DN      =CN=BID
N         EncrAlg =DES-CBC
N         Format  =PKCS7
N         Toolkit =SAPSECULIB
N         HashAlg =SHA1
N         Profile =/usr/sap/BID/DVEBMGS02/sec/SAPSYS.pse
N         PAB     =/usr/sap/BID/DVEBMGS02/sec/SAPSYS.pse
N  Got the codepage 4102.
N  Got ticket (head) AjQxMTABAAZFWEE1MzICAAMwMDADAANPQkQEAAwy. Length = 792.
N  Convert ticket content from SAP_CODEPAGE >4110< to >4102<
N  MskiValidateTicket returns 0.
N  Got content client =    .
N  Got content sysid =         .
N  No entry in TWPSSO2ACL for SYS  and CLI .
N  CheckSubject failed (rc=19). Verifying if ticket was issued by me.
N  *** ERROR => System ID and client from ticket are not the same than mine. [ssoxxkrn.c   1065]
N  {root-id=A7DD8E28C2241ED3BCAB75CC6B095571}_{conn-id=A7DD8E28C2241ED3BCAB75CC667ED570}_1
N  Data from ticket: sysid=        , client=
N  My system data: sysid=BID     , client=001
N  *** ERROR => Neither was ticket issued by myself nor can I find issuer in TWPSSO2ACL (see note 1055856). [ssoxxkrn.c   1071]
N  {root-id=A7DD8E28C2241ED3BCAB75CC6B095571}_{conn-id=A7DD8E28C2241ED3BCAB75CC667ED570}_1
N  dy_signi_ext: ticket issuer not trusted

N  dy_signi_ext: ASSERTION TICKET logon (client 001)
N  mySAPUnwrapTicket: was called.
N  HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.
N  HmskiFindTicketInCache: Try to find ticket with cache key: 001:10FF23995334D757C32FB93A25C9DD17 .
N  HmskiFindTicketInCache: Couldn't find ticket in ticket cache.
N  mySAP: Got the following SSF Params:
N         DN      =CN=BID
N         EncrAlg =DES-CBC
N         Format  =PKCS7
N         Toolkit =SAPSECULIB
N         HashAlg =SHA1
N         Profile =/usr/sap/BID/DVEBMGS02/sec/SAPSYS.pse
N         PAB     =/usr/sap/BID/DVEBMGS02/sec/SAPSYS.pse
N  Got the codepage 4102.
N  Got ticket (head) AjQxMTABAAZFWEE1MzICAAMwMDADAANPQkQEAAwy. Length = 792.
N  Convert ticket content from SAP_CODEPAGE >4110< to >4102<
N  MskiValidateTicket returns 0.
N  Got content client =    .
N  Got content sysid =         .
N  No entry in TWPSSO2ACL for SYS  and CLI .
N  CheckSubject failed (rc=19). Verifying if ticket was issued by me.
N  *** ERROR => System ID and client from ticket are not the same than mine. [ssoxxkrn.c   1065]
N  {root-id=A7DD8E28C2241ED3BCAB75CC6B095571}_{conn-id=A7DD8E28C2241ED3BCAB75CC667ED570}_1
N  Data from ticket: sysid=        , client=
N  My system data: sysid=BID     , client=001
N  *** ERROR => Neither was ticket issued by myself nor can I find issuer in TWPSSO2ACL (see note 1055856). [ssoxxkrn.c   1071]
N  {root-id=A7DD8E28C2241ED3BCAB75CC6B095571}_{conn-id=A7DD8E28C2241ED3BCAB75CC667ED570}_1
N  dy_signi_ext: ticket issuer not trusted

 

As mentioned, the assertion ticket gets validated successfully by the sample Java code with the SSOEXT for our receiving system:

PS C:\Data\software\sap\sapsso\myssosample> java SSO2Ticket -i .\test.ticket -crt .\obi_tests.cer -exsid BID -excli 001
SAPSSOEXT loaded.
static part ends.

Start SSO2TICKET main
-------------- test version --------------
Version of SAPSSOEXT: SAPSSOEXT 10
***********************************************
Output of program:
***********************************************

The ticket

AjQxMTABAAZFWEE1MzICAAMwMDADAAN <lots more> X598NhjdkNU1c=

was successfully validated.
Type     : SAP Assertion Ticket
User     : <myuserid>
Ident of ticket issuing system:
Sysid    : OBD
Client   : 000
External ident of user:
PortalUsr: <myuserid>
Auth     : basicauthentication
Ticket validity in seconds:
Valid (s): 60
Certificate data of issuing system:
Subject  : CN=OBI Assertion Tests
Issuer   : CN=OBI Assertion Tests

Does anyone have any clue why our ABAP backend might not recognize the target sysID and client fields from the assertion ticket?

Thanks in advance!

Pieter
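The ticket head that the SM50 trace prints is enough to see which issuer fields the ticket actually carries. The following is an added example written for this page, not code from the post, from SAP, or from the SSOEXT library: it base64-decodes the MYSAPSSO2 head quoted in the trace into its info units and then models the two-stage issuer decision the trace shows (lookup in TWPSSO2ACL, then the "issued by myself" fallback). The info-unit names other than 0x01-0x04, the SAP codepage-to-Python-codec mapping and the one-entry ACL are my assumptions; the check deliberately leaves out the PKCS#7 signature and certificate verification the kernel also performs.

```python
import base64
from typing import Dict, List, Set, Tuple

# Ticket head exactly as printed by the SM50 trace in the post. The trace shows
# only the first 40 base64 characters of a 792-character ticket, so the last
# info unit is cut off and the signature unit is missing entirely.
TICKET_HEAD = "AjQxMTABAAZFWEE1MzICAAMwMDADAANPQkQEAAwy"

# MYSAPSSO2 layout (version 2): one version byte, a 4-character SAP codepage
# number, then info units of the form "ID (1 byte) | length (2 bytes,
# big-endian) | value". IDs 0x01-0x04 are confirmed by the decode below; the
# remaining names are my reading of the format and are an assumption.
INFO_UNIT_NAMES: Dict[int, str] = {
    0x01: "user",
    0x02: "issuer client",
    0x03: "issuer sysid",
    0x04: "creation time (YYYYMMDDHHMM)",
    0x05: "validity (hours)",
    0x07: "validity (minutes)",
    0x86: "portal user",
    0x87: "authentication scheme",
    0x88: "recipient client",
    0x89: "recipient sysid",
    0xFF: "signature (PKCS#7)",
}

# SAP codepage numbers seen in the trace, mapped to Python codecs (assumption:
# 4110 = UTF-8, 4102 = UTF-16BE, 4103 = UTF-16LE).
SAP_CODEPAGES = {"4110": "utf-8", "4102": "utf-16-be", "4103": "utf-16-le"}


def parse_ticket(b64: str) -> Tuple[str, List[Tuple[int, bytes]], bool]:
    """Split a (possibly truncated) base64 ticket into (codepage, units, truncated)."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) < 5 or raw[0] != 0x02:
        raise ValueError("not a version-2 MYSAPSSO2 ticket")
    codepage = raw[1:5].decode("ascii")
    units: List[Tuple[int, bytes]] = []
    pos = 5
    truncated = False
    while pos < len(raw):
        if pos + 3 > len(raw):          # not even a full ID+length header left
            truncated = True
            break
        uid = raw[pos]
        length = int.from_bytes(raw[pos + 1:pos + 3], "big")
        value = raw[pos + 3:pos + 3 + length]
        units.append((uid, value))
        if len(value) < length:         # value runs past the end of the dump
            truncated = True
            break
        pos += 3 + length
    return codepage, units, truncated


def issuer_of(codepage: str, units: List[Tuple[int, bytes]]) -> Tuple[str, str]:
    """Return (issuer sysid, issuer client) decoded in the ticket's own codepage."""
    enc = SAP_CODEPAGES.get(codepage, "utf-8")
    fields = {uid: value.decode(enc) for uid, value in units}
    return fields.get(0x03, ""), fields.get(0x02, "")


def check_issuer(sysid: str, client: str, my_sysid: str, my_client: str,
                 acl: Set[Tuple[str, str]]) -> Tuple[bool, str]:
    """Model of the decision visible in the trace: ACL lookup, then the
    'issued by me' fallback. Signature checks are out of scope here."""
    if (sysid, client) in acl:
        return True, "issuer found in TWPSSO2ACL"
    if (sysid, client) == (my_sysid, my_client):
        return True, "ticket issued by myself"
    return False, (f"no entry in TWPSSO2ACL for SYS {sysid!r} and CLI {client!r}, "
                   f"and not issued by {my_sysid}/{my_client}")


if __name__ == "__main__":
    codepage, units, truncated = parse_ticket(TICKET_HEAD)
    print(f"codepage {codepage}, {len(units)} info units, truncated={truncated}")
    for uid, value in units:
        name = INFO_UNIT_NAMES.get(uid, f"unit 0x{uid:02x}")
        print(f"  0x{uid:02x} {name:30s} len={len(value):3d}")
    sysid, client = issuer_of(codepage, units)
    acl = {("OBD", "000")}              # constructed ACL entry for the issuing system
    print(check_issuer(sysid, client, "BID", "001", acl))
    # What the trace reports: both fields empty, so neither stage can match.
    print(check_issuer("", "", "BID", "001", acl))
```

Run as-is it reports codepage 4110 and four info units (user, issuer client 000, issuer sysid OBD, and a creation time cut off by the trace's 40-character dump) with truncated=True, so the head quoted in the trace does carry the issuer OBD/000 that the SSOEXT sample prints. Feeding the same check the empty sysid and client the kernel reports reproduces the two-step failure in the trace, which is why looking at where the values are lost between "MskiValidateTicket returns 0" and "Got content sysid" is the place to start.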

