cancel
Showing results for 
Search instead for 
Did you mean: 

Problems with SAP Logon ticket

Former Member
0 Kudos
95

Hi.

I am trying to send SAP Logon ticket from ECC 6.0 to the backend legacy using Soap adapter in receiver side. I get the following error in SXMB_MONI, so it looks like AF is not accepting the ticket. Can anybody tell me please, how I can identify that the ticket has been received in PI's side?

<Trace level="1" type="T">Principal Propagation connection attributes</Trace>

<Trace level="1" type="T">Host = hostname</Trace>

<Trace level="1" type="T">Port = 12345</Trace>

<Trace level="1" type="T">Transport protocol = HTTP</Trace>

<Trace level="1" type="T">Transport protocol vers = 1.0</Trace>

<Trace level="1" type="T">Message protocol = 003000</Trace>

<Trace level="1" type="T">Path = /MessagingSystem/receive/AFW/XI</Trace>

<Trace level="1" type="T">Security: Logon Ticket</Trace>

<Trace level="1" type="System_Error">Error while sending by HTTP (error code: 403, error text: Forbidden)</Trace>

</Trace>

Thanks, Jukka

Accepted Solutions (0)

Answers (1)

Answers (1)

JoelTrinidade
Active Contributor
0 Kudos

Hi Jukka,

SSO is a separate configuration why would you need to send sap logon ticket through your adapter . Please elaborate what you are trying to achieve.

Regards

joel

Former Member
0 Kudos

Hi Joel.

It's possible that I've managed to make a simple issue to too complicated one...

But, initially I should deliver username token to a soap receiver. I've understood that that this would be possible, I should use Principle Propagation (PP) in both sender and receiver agreements. And to use PP successfully I have to add participating systems to trusted systems list in NWA(?) (In this step I might have already lost my goal?) And to add systems to trusted systems list, they have to create SAP Logon ticket...

Well, I am not quite sure any more if it's needed to add the interface in the sender backend system to the propagation list, but this way I've been able to send the user id of the actual user from SAP to PI.

This about the background. Quite confusing I guess?

Br. Jukka

Former Member
0 Kudos

Hi,

hmmm.......seems you have slightly complicated your scenario..........let me try to analyze it........

i think your scenario is ECC - XI proxy - PI - SOAP reciver - Legacy application.........is it okay?

if the above is your scenario, your objective of using PP is to send your user to Legacy application - is it okay?

And to use PP successfully I have to add participating systems to trusted systems list in NWA(?) - Yes

Now if you are sending a proxy msg from R/3 to XI, then is SXMB_MONI of R/3 showing msg as okay or the error is thrown there?

Have you ticked the PP parameter in sender XI comm channel and reciver SOAP comm channel?

Ask your basis guys that have they made your PI and R/3 systems trusted to eachother in ABAP stack by transaction STRUST?

Regards,

Rajeev Gupta

Former Member
0 Kudos

Hi.

I have had some progress. Actually Principal Propagation works well now, thanks to instructions in http://help.sap.com/saphelp_nwpi711/helpdata/en/48/a9bbb97e28674be10000000a421937/frameset.htm

But I think I have now found out that the principal progation might not be a direct answer to my problem. In the end of the day I should be able to deliver UsernameToken in my soap message header. Something like this:

<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

| <wsu:Timestamp wsu:Id="Timestamp-12134742" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

| <wsu:Created>2007-10-14T12:45:34.656Z</wsu:Created>

| <wsu:Expires>2007-10-14T12:46:34.656Z</wsu:Expires>

| </wsu:Timestamp>

| <wsse:UsernameToken wsu:Id="UsernameToken-33259721" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

| <wsse:Username>test</wsse:Username>

| <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>

| </wsse:UsernameToken>

| </wsse:Security>

I just have not found any documentation which I could utilize in Abap Proxy - PI 7.1 - Soap Receiver scenario. Just wondering should I create my own customized soap envelope and disable the Pi envelope in SOAP communication channel...

Do you know if there's any "standard way" to configure this kind of configuration?

Br. Jukka

Former Member
0 Kudos

Hi,

let me try to understand again - tell me do you want the username to be sent to SOAP reciver in <wsse:Username> node only as you have said in the above post or any node is okay in SOAP header having the username in it...........

see if any node with username is okay, then if you are using Principal propagation, then i think in SOAP msg header you will be getting <SAP:User> node containing the username of the user.......please check in SOAP reciver msg header are you getting this node or not - i think you should be getting this node.........then in the data of this node you will be having your username in it............so can't your SOAP reciver application process it.........

Regards,

Rajeev Gupta

Former Member
0 Kudos

Hi

I've been discussing with legacy people and currently they only support <wsse:Username> solution. I've also checked that the request is received successfully in the Soap adapter with the user id, which triggered the request in SAP backend, but the SAP:User is not delivered to Soap header.

Quite challenging, not so sure how to continue. If the SAP:User was delivered to Soap header, it might be possible to utilize it in the legacy side.

In a way this all makes sense(?), because e.g. when you configure trusted systems, you can only add Web AS systems to the list, not third party systems...

Or then it's only question that some configuration simply is not completed...

Br. Jukka

Former Member
0 Kudos

Hi,

i think you are correct that SAP:user is not in the SOAP header which is received in the target SOAP application because in SXMB_MONI, this SAP:user node is in the SAP:runtime node of SOAP header but this SAP:Runtime node will not be there in the message sent to SOAP application because i think it is used for containing information which SAP systems require to process your req msg by invoking the corresponding msg processing pipeline..............

I've been discussing with legacy people and currently they only support <wsse:Username> solution - This feature is available in PI7.1 in WS adapter.....for this you will have to ask your basis guys to configure WS-Runtime in your PI7.1 system and SAML also........then you can configure your scenario using WS adapter and then when you will get or send a SOAP msg, then this wsse:Username node will be there in the header msg of the receiving application.

Let us know if you are able to send wsse:Username node to the reciver SOAP application in the header of the output SOAP msg by using WS adapter as i suggested above.

Regards,

Rajeev Gupta

Former Member
0 Kudos

Thank you Rajeev.

I'll try this and let you know how it goes.

Br. Jukka

Joseph_BERTHE
Active Contributor
0 Kudos

HI,

Have some news regarding the solution ?

Regards