cancel
Showing results for 
Search instead for 
Did you mean: 

BI RWS authentication failure from BW system using x509 certificate

zoltan_sekeres
Explorer
0 Kudos
761

We have a request to set up an integration according to this note:

  • 2812939 - How to configure BW Events-based scheduling in BI Platform

The BW client is a Netweaver 7.50 system. It is supposed to access BI 4.2 SP8. The requests target a RESTful web service on a WACS instance hosted on AIX. Using Tomcat is currently a no-go.

Per referenced note 2798804 we have tried to set up authentication via x509 certificates:

  1. Created a shared key in CMC and stored it as described.
  2. Created an Enterprise user in CMC with name of BW system. Password is valid and CMC logon via password is possible.
  3. Created SSL server certificate for BI and SSL client certificate for the BW client.
  4. SSL handshake works: Connection test in SM59 in BW is successful with response code 200 (if client certificate is in place).
  5. But trying to access events from BW system (transaction RSPC) always returns error FWB 00008 (see below).
  6. Accessing https://<bi-host>:<port>/biprws/v1/logon/trustedx509 from the browser (BW client certificate was imported) results in the same error and exception trace on BI server.

Has anybody successfully implemented this? Any hints what causes "FWB 00008"?

We have opened an incident with SAP but they keep referrering us to Tomcat related articles and notes which do not seem to be applicable in our case.

Note that I am aware of these blog entries:

BI stacktrace:

com.sap.bip.rs.exceptions.InvalidEntSessionException: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)
        at com.sap.bip.rs.exceptions.InvalidEntSessionException.LogonFailed(InvalidEntSessionException.java:42)
        at com.sap.bip.rs.session.SessionFactory.getX509TrustedSession(SessionFactory.java:460)
        at com.sap.bip.rs.authentication.LogonResource.doX509Logon(LogonResource.java:414)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
<...>
Caused by: com.crystaldecisions.sdk.exception.SDKServerException: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)


cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
detail:Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)


The server supplied the following details: OCA_Abuse exception 10496 at [exceptionmapper.cpp : 67]  42040 {}
        ...Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)


-- Zoltan

Stefan_Backhaus
Participant
0 Kudos

Hi Zoltan,

I just could make it work few minutes ago after hours and hours of frustrating tries.

To be honest, I am not sure, what _exactly_ did make it work.

But I assume it was when I entirely re-configured the Tomcat server.xml - Connector information.

Because we were still using the old/deprecated server.xml syntax. In the old syntax there we had clientAuth="false" which is opposing the new and required certificateVerification="optional" to make the /biprws ask for a certificate at all. Howver, still now, I do not understand, why the browser is not asking me for a certificate. But I did a last try and - magic- it worked.

Please find my connector info here (sorry for bad format).

Best regards

Stefan

<Connector port="443" address="10.10.10.10" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="800" minSpareThreads="80" scheme="https" secure="true" connectionTimeout="20000" relaxedQueryChars="[,]" redirectPort="443" compression="on" URIEncoding="UTF-8" compressionMinSize="2048" enableLookups="false" noCompressionUserAgents="gozilla, traviata" compressibleMimeType="application/vnd.sap.cvom+vbo,text/html,text/xml,text/plain, text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json" maxHttpHeaderSize="65536"> 
	<SSLHostConfig protocols="TLSv1.2" certificateVerification="optional" truststoreFile="D:\SAP BusinessObjects\sso_conf\cacerts" truststorePassword="demopwd">
<Certificate certificateKeystoreFile="D:\SAP BusinessObjects\sso_conf\company.com.key" certificateKeyAlias="mykey" certificateKeystorePassword="anotherpwd"/>
	</SSLHostConfig>
	</Connector>

see also

Note 1648573

zoltan_sekeres
Explorer
0 Kudos

Thanks for the additional data point, Stefan!

Unfortunately we have to use WACS, Tomcat is currently not an option.

And SSL handshake actually works including verification of the client certifcate.

But somehow there is an authentication issue later on which keeps popping up whatever we do...

--

zoltan

Stefan_Backhaus
Participant
0 Kudos

Zoltan,

one more idea: In your step 2 - enterprise user with name of your BW system.

Did you make sure it is the name as you can see it in BW-System STRUST, own certificate -> CN attribute (CN=my_complicated BW-System name including spaces)?

I was at some point only giving the name as three digit system ID which was not correct.

bastorino72
Explorer
0 Kudos

hello zoltan

I'm having exactly the same issue.

did you solve yours?

thank you

bastorino72
Explorer
0 Kudos

solved really one second ago.

the step 4 of sap note 2812939 - How to configure BW Events-based scheduling in BI Platform solved the issue (created a user excatly as the CN of the ssl client certificate)

Accepted Solutions (0)

Answers (0)