
MySapEvalLogonTicketEx failed (Internal Error): SSO with custom WebApp

Former Member
0 Kudos

Hi Friends,

I am trying to achieve SSO between SAP EP and a custom Web App. I downloaded SAPSSOEXT and sapseculib from service.sap.com.

Using the SSO2Ticket class in the JSP file, I am trying to decrypt the ticket, but I end up receiving the error "java.lang.Exception: MySapEvalLogonTicketEx failed: standard error= 9, ssf error= 0".

SAPSSOEXT loaded successfully and I am able to print its version using the getVersion method. The JSP throws an exception on execution of the evalLogonTicket method.


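        Object [] o = null;
        try
        {
            // Validate logon ticket.
            String x = "/home/sapj2ee/verify.pse";
            System.out.println(SSO2Ticket.getVersion());
            o = SSO2Ticket.evalLogonTicket(ticket, x, null);
            //System.out.println (o.toString());
        }
        catch (Exception e)
        {
            // The posted fragment stopped after the try block; log the failure.
            System.out.println(e.toString());
        }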

All the required files, verify.pse, sapssoext.so and sapsecu.so have got all permissions.

Regards,

Nilz

Message was edited by:

nilz


Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Hi Nilesh,

I've just found out that seven years ago you faced the same problem as I do now.

Could you or someone from SAP community find any solution to this problem?

Many thanks and take care

Lajos

Steffi_Warnecke
Active Contributor
0 Kudos

Hello,

7 years is a very, veeery long time. Especially in IT. Please create a thread of your own to get help for your issue and provide information regarding your problem, what your portal version is, what you tried so far, etc. in there.

Regards,

Steffi.

Former Member
0 Kudos

Hi Nilz,

I just looked up the error code. Bad luck. Error code 9 means "Internal error". There is no further description of the error.

But I can give you some general advice. Do not use the verify.pse but the verify.der. Load the verify.der into the keystore used by your custom WebApp. You will find a detailed explanation in thread <a href="https://www.sdn.sap.com/irj/sdn/thread?threadID=303229">SSO implementation between SAP Portal and third party java application</a> and thread <a href="https://www.sdn.sap.com/irj/sdn/thread?messageID=3041587#3041587">MySapEvalLogonTicketEx Error codes</a>.

Some information on the input parameters of method evalLogonTicket(pa7Ticket, pa7PrivAddrBook, pa7Password).

Parameter pa7Ticket: SAP Logon Ticket

Parameter pa7PrivAddrBook: Keystore where you keep the portal server's certificate

Parameter pa7Password: Password to access the keystore

I suggest you download the verify.der file from your portal server. The verify.der file contains the portal server's certificate. The portal server's certificate is needed to check the signature of the SAP Logon Ticket. Load the portal server's certificate into your keystore. Set the parameters of method evalLogonTicket() accordingly and try again. You will find a lot of background information in the above-mentioned threads.

Hope I could help,

Best regards,

Martin

Former Member
0 Kudos

I have taken Martin's great recent posts about using SSO with non-SAP webapps and created a wiki page <a href="https://wiki.sdn.sap.com/wiki/display/EP/SSOconnectivitytononSAP+backends">here</a>. Feel free to modify the content (especially you, Martin!)

Cheers

Former Member
0 Kudos

Hi Martin,

Thanks for your reply. I have a few questions:

1>

Why do we need libsapsecu.so, and where exactly do we use it in the Java code (SSO2Ticket.java)?

2>

I have downloaded SECULIB54_1-10002909.SAR from Service Marketplace. It contains 3 folders named: linux-glibc2.1-46D, linux-glibc2.2, linux-glibc2.3.

As we are using glibc-2.2.5-164, I am using the files from the linux-glibc2.2 folder. It contains 3 files called libsapsecu.so, libsecude.so, sapsecin.

Now I am confused about which files I should use and where I should put these files (LD_LIBRARY_PATH). Am I supposed to use a different folder? And if not, do I need all three files?

3>

Now, after all these issues, I rolled back all the steps and am doing it again (right from the download). Now the error I am getting is "java.lang.UnsatisfiedLinkError: evalLogonTicket ". Now it's a different error altogether.

For your reference, I am attaching the JSP code:


<html>
<head>
<title>mySAP.com logon ticket sample verifier</title>
</head>
<body>
<%@ page import="java.security.cert.*" %>
<%@ page import="java.io.*" %>

<%  Cookie[] all_Cookies = request.getCookies ();
    String   ticket      = "";
    int      i           = 0;
    // getCookies() returns null when the request carries no cookies at all
    for (i=0; all_Cookies != null && i<all_Cookies.length; i++) {
        //Get MYSAPSSO2 cookie from request context...
        if ("MYSAPSSO2".equals (all_Cookies[i].getName ())) {
            ticket = all_Cookies[i].getValue ();
            break;
        }
    }
    //If no ticket present we output an error page
    if ("".equals(ticket)) {
%>
<h1>Error</h1><p>No mySAP.com logon ticket found.
<%
    }
    else {
%>
<p>
<p>
<%      Object [] o;
        o=null;
        try {
            // Validate logon ticket.
            o = SSO2Ticket.evalLogonTicket (ticket, "SAPdefault", null);
        } catch (Exception e) {
            System.out.println(e.toString());
%>
   An error occurred. The error message is <b><i><%= e.toString () %></i></b>
<%      } catch (Throwable te) {
            // Also catches java.lang.Error subclasses such as UnsatisfiedLinkError
            System.out.println(te.toString());
%>
   An error occurred. The error message is <b><i><%= te.toString () %></i></b>
<%      }
        String user = "Error in Getting User";
        if (o != null)
        {
            user   = (String)o[0]; //First element is the SAP system user
            String Sysid  = (String)o[1]; //Second element is the id of the issuing system
            String Client = (String)o[2]; //Third element is the client of the issuing system
            String PrtUsr = (String)o[4]; //Portal user
        }
        else System.out.println("Object is null.");
%>

The user identified by this ticket is <i><%= user %></i>.
<% } %>
</body>
</html>
    


 
 

Regards,

Nilz

Former Member
0 Kudos

Hi Nilz,

The SAPSECULIB provides functions for creating and verifying digital signatures used within the SAP System.

Find more information about digital signatures in the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/35/26b412afab52b9e10000009b38f974/content.htm">SAP Library</a>. Basically, digital signatures guarantee that the component that signs a digital document really is who it claims to be (in our case the portal server). It also protects the integrity of signed data; if even one bit in either the signed data or in the signature is changed, then the signature is invalid.

The SAP Logon Ticket is signed by the issuing portal server. Therefore you need a piece of software that actually can verify the signature of a SAP Logon Ticket. That's the SAPSECULIB.

On the contrary, the SAPSSOEXT library provides functions that enable non-SAP applications to verify SAP Logon Tickets (with help of the SAPSECULIB) and extract the user ID from the logon ticket.

But back to your problem. I'll try to explain the meaning of the three files you found in the folder linux-glibc2.2.

<b>libsapsecu.so:</b> That's the SAPSECULIB for Unix. You are going to need this library.

<b>libsecude.so:</b> In SAP systems all cryptographic functions needed to use the SSL protocol are performed by the SAP Cryptographic Library. The libsecude.so is the SAP Cryptographic Library for Unix. I do not think that you will need that library for your third party application.

<b>sapsecin:</b> As far as I could find out this is supposed to be a shell version of SAPSECU. I reckon you won't need it here and it's included for test purposes only.

The code you provided looks pretty much like the sample code provided by SAP. Should be alright. From my point of view the error message indicates that the library SAPSSOEXT cannot be found. You need to put both libraries (SAPSSOEXT and SAPSECU) in a directory that's included in your $PATH variable. Enter echo $PATH and you will see all directories included in your $PATH variable.

Hope I could help!

Best regards,

Martin
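
The reply above attributes the error to a library that cannot be found. As an added example (not part of the original posts and not SAP code), this POSIX shell helper searches a colon-separated directory list for the library files named in the thread and separates "missing" from "present but unreadable". The function names `find_lib` and `check_libs` are made up for this illustration, and which list you pass (`$LD_LIBRARY_PATH`, `$PATH`, or the JVM's `java.library.path` value) depends on your setup.

```shell
#!/bin/sh
# Added example (not SAP code): find native libraries on a search path.
# find_lib NAME PATHLIST
# Prints the first directory in PATHLIST that holds a readable file NAME.
# Returns 0 if found, 2 if found but unreadable, 1 if absent everywhere.
find_lib() {
    name=$1
    list=$2
    unreadable=0
    old_ifs=$IFS
    IFS=:
    for dir in $list; do
        # Skip empty entries (in $PATH and LD_LIBRARY_PATH they mean the cwd).
        [ -n "$dir" ] || continue
        if [ -f "$dir/$name" ]; then
            if [ -r "$dir/$name" ]; then
                IFS=$old_ifs
                printf '%s\n' "$dir"
                return 0
            fi
            unreadable=1
        fi
    done
    IFS=$old_ifs
    [ "$unreadable" -eq 1 ] && return 2
    return 1
}

# check_libs PATHLIST NAME...
# Prints one status line per library; exit status is the number not usable.
check_libs() {
    list=$1
    shift
    missing=0
    for lib in "$@"; do
        rc=0
        where=$(find_lib "$lib" "$list") || rc=$?
        case $rc in
            0) echo "found      $lib in $where" ;;
            2) echo "unreadable $lib (check file permissions)"
               missing=$((missing + 1)) ;;
            *) echo "missing    $lib"
               missing=$((missing + 1)) ;;
        esac
    done
    return "$missing"
}
# Example call, with file names as written in the thread (adjust to yours):
#   check_libs "$LD_LIBRARY_PATH" sapssoext.so libsapsecu.so
```

Run it as the operating-system user that starts the application server, since file permissions are evaluated for that account.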