Troubleshooting SSO between AS-ABAP and AS-JAVA

 Where are you asked to enter credentials?

• AS ABAP prompts to enter credentials (AS-JAVA is the ticket issuer)
• AS JAVA prompts to enter credentials (AS-JAVA is the ticket accepting system)

In case AS-ABAP prompts for credentials perform the steps below:

Step 1: Start the SSO2 wizard on the J2EE engine and check it's own certificate:

Step 2: Note down the client the j2ee engine issues the MYSAPSSO2 cookies. (999 in the screenshot above)

Step 3: Click on View certificate and check the "Issuer DN" and the "Not valid after" period of the J2EE certificate. The validity period must not exceed the date:
January 01 2038. See note: #1055856 - Common error messages when setting up Single Sign-On for more details on the expiration period.

Step 4: Start transaction STRUSTSSO2 on the ABAP client which is called from the SAP J2EE engine. (E.g. if ABAP client 001 is called from the engine STRUSTSSO2 must be started in that client.)

Step 5: Select the j2ee certificate from the certificate list. You can find it based on the "Issuer DN" property from Step 3. Make sure that the validity period is the same in STRUSTSSO2 as in the SSO2 wizard. This is just to ensure that the certificate was not exchanged in the meantime.

Step 6: Make sure that an ACL entry exists which contains the SID of the AS-JAVA installation, the client and the "Issuer DN" shown in the SSO2 wizard. (In our example the ACL must contain an entry with ERP, 999, and the "Issuer DN")

Step 7: If all the aboves are correct (e.g. the correct certificate was imported and the ACL entry is also OK) prepare the ABAP system to create a security trace as per note:
#495911 Trace analysis for logon problems

Step 8: Reproduce the issue as follows:

a) logon to any j2ee application which issues a MYSAPSSO2 cookie like:

http://<AS-JAVA FQDN>:<j2ee port>/useradmin

b) then call this from the same browser (make sure that the ping service was activated in transaction SICF before):

http://<AS-ABAP FQDN>:<ICM port>/sap/bc/ping?sap-client=<ABAP client>

Make sure AS-JAVA and AS-ABAP are accessed through the same domain!

Step 9: Investigate the recent dev_w traces on the ABAP system and report a message on BC-SEC if you can't solve the problem on your own.

_{Back to top .}

In case AS-JAVA prompts for credentials perform the steps below:

Important notice: it may happen that you don't see the logonpage of the ticket accepting system, but the following scenarions fail: FPN test, search for Remote Roles on the producer portal in the FPN scenario, BI supportdesktool shows red lights at certain locations.

Step 1: Start the SSO2 wizard on the called system and make sure the calling system is configured as trusted. There must be a green light at the certificate of the calling system:

Step 2: In case the issue happens in an FPN, or the AS JAVA is called from the BI transaction RSPLAN, add the EvaluateAssertionTicketLoginModule to the second position of the ticket stack with the same options as the EvaluateTicketLoginModule.

Step 2: Start the webdiagtool on the called system as described under Example 3 in SAP Note: #1045019 Web diagtool for collecting traces and reproduce the issue.

Step 3: search for errors above the row where the LOGIN.FAIL was protocolled:

Typical errors will be like:

None of the systems defined in the ACL of EvaluateTicketLoginModule in [ticket] authentication stack equals to SAP Logon Ticket issuing system.

Step 4: if you can't fix the problem on your own, report a message on BC-JAS-SEC-LGN containing the following information:

• the ZIP file generated by the webdiagtool
• the SIDs of the calling and called systems
• an httpwatch trace about the error reproduction