on 2010 Mar 24 3:31 PM
Hi experts,
I'm facing an issue in SNC implementation based on SAP Cryptographic library. I need it to enable ldap authentication for user that need to access BW based reports in WEBI.
I followed all step outlined in guide, but running report I get error "SAP incomplete logon".Looking in posts I found this thread in wich Ingo says that snc name need to be filled in Entitlement Systems. I didn't fill this information as I understood that this is required only to enable client side SNC authentication, while I need it only for webi.
Can someone confirm that for server side SNC authentication based on SAP CryptoLibrary snc name in Entitlement Systems is not needed?
Anybody has any idea about why I get SAP Incomplete Logon. Services are running under LocalSystem, so I granted .pse access to SYSTEM user with command:
sapgenpse seclogin -p myBOE.pse -O SYSTEM
Regards.
Roberto.
Hi,
which SNC software are you using ?
which configuration steps did you complete ?
ingo
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Ingo,
software: SAP Crypto Library win x86 (BOE side, BW side I don't know as I implemented only BOE side steps, BW side steps were followed by other people).
configuration steps:
-Configuration of SAP BW server side trust.
-Generation of BOE PSE certificate
-Creation of BOE .cert file
-Import of BOE .cert in BW
-Export BW .cert in BOE
-Configuration of ACL
-Link of BW.cert to BOE.pse
-Changing the user OS associated to tomcat and SIA Services.
-Grantig access to PSE to OS associated to tomcat and SIA
-Configuration of SNC settings in CMC Authentication
-Adding alias of SAP user in ldap user USERA
-Create Universe UNIVERSE1 with setting "SSO at refresh time"
-Use ldap user USERA to access webi and create a report on top of UNIVERSE1.
I have a doubt related to SNC settings in CMC. BW basis who implemented BW step told me that SAP SNC name is p:CN=XX1, OU=XXC, O=XXXXXS, C=DE but in If run command sapgenpse.exe. maintain_pk -l I see just CN=XX1 both as SubjectName and IssuerName . So I guess I have to set only p:CN=XX1 as SAP SNC name in CMC settings. Am I right?
Thanks.
Roberto.
Edited by: Roberto G. on Mar 25, 2010 7:01 AM
Edited by: Roberto G. on Mar 25, 2010 8:56 AM
Hi Ingo,
checking in log and I see:
<6628>SAPMODULE:Authentication model for SAP connectivity is SSO
<6628>SAPMODULE:Determining if we can connect using SNC. Calling CanAuthenticate...
<6628>SAPMODULE:Serialized session exists, try deserializing it.
After that I see the uri passed for connection:
Trying to connect to SAP using this URI : occa:sap://;PROVIDER=sapbw_bapi, ASHOST=<server> SYSNR=XX CLIENT=XXX LANG=EN SNC_MODE=1 SNC_QOP=1 SNC_LIB=<path> SNC_PARTNERNAME=<snc name> SNC_MYNAME=<SNC Name> EXTIDDATA=<user name> EXTIDTYPE=UN
and a error:
LOCATION CPIC (TCP/IP) on local host with Unicode
ERROR SNCERR_GSSAPI
An operation failed at the GSS-API level
sec_avail="false"
TIME Fri Mar 26 11:42:33 2010
RELEASE 710
COMPONENT SNC (Secure Network Communication)
VERSION 5
RC -4
MODULE sncxx.c
DETAIL SncInit
COUNTER 2
I have two doubt:
1) the uri passed is very similar to the one you mentioned as correct in other post:
ASHOST=<server> SYSNR=XX CLIENT=XXX LANG=EN SNC_MODE=1 SNC_QOP=9 SNC_LIB=<path> SNC_PARTNERNAME=<snc name> SNC_MYNAME=<SNC Name> EXTIDTYPE=UN EXTIDDATA=<user name>
only differences are about:
-preceeding occa:sap://;PROVIDER=sapbw_bapi,
-the QOP=1 for me, but I set QOP=Authorization in CMC.
-I have EXTIDDATA information before EXTIDTYPE
Could you tell me if such URI is acceptable
2)About ERROR SNCERR_GSSAPI
An operation failed at the GSS-API level
sec_avail="false
I found other people having same error, but he solved checking case sensitive of of User running SIA. I tried the same, but still having error.
Regards.
Roberto.
Hi,
I guess a first Issue is that I can't run SIA under "LocalSystem" user but I need a domain user. Anybody can confirm my supposition?
Regards.
Roberto.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
75 | |
9 | |
9 | |
8 | |
8 | |
7 | |
7 | |
6 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.