Trouble Shoot Portal Issues
com/community/netweaver-administrator/blog/2015/03/19/common-single-sign-on-j2eeto-abap-issues-solutions-and-further-troubleshooting
Purpose
Here at SAP Active Global Support (SAP AGS) we constantly receive issues from our customers related
to Single Sign On (SSO) between the J2EE and the ABAP Netweaver stacks.
The purpose of this document is to help in "PROACTIVELY" checking common SSO issues on the actual
servers involved and to list steps for further troubleshooting if the need arises.
Example Scenario
Let's say the configured Single Sign On (SSO) setup between SAP Portal and the R/3
system fails and you get a logon page.
Another example of an error would be that you test a portal system connection
(Configure System Connection in SAP Enterprise Portal) and this fails with an SSO
error:
More help:
http://wiki.sdn.sap.com/wiki/display/EP/Troubleshooting+SSO+between+AS-ABAP+and+AS-JAVA
2)
Check SAP note 842635, especially for
3)
Do make sure that you are on the latest SAPJVM level so that the issues as mentioned in SAP
4)
The client mentioned in the J2EE UME property login.ticket_client should be part of the
ACL (Access Control List) in transaction /nSTRUSTSSO2 on the R/3 server.
It is possible that login.ticket_client is set to a value, say 000, that is also an existing
client on the ABAP server. If so, SSO may not work, because the same client being available on the
ABAP server can lead to inconsistencies. The only option here would be to change the
login.ticket_client value to a client that is not present in the ABAP server (say 678) and restart the J2EE
server. Then run the SSO2 wizard (as per SAP Note 1083421) and this will update the strustsso2 table.
NOTE: See the comments section for more information.
5)
The SSO enabling parameters should be set on the R/3 server. The parameters
are login/accept_sso2_ticket and login/create_sso2_ticket. More info:
Configuring the AS ABAP for Issuing Tickets for Logon - User Authentication and Single Sign-On - SAP
Library
6)
See SAP Note 1055856, which has more information on issues on the R/3 end.
7)
See SAP Note 1761987, point 7, and synchronize the ABAP and the J2EE server clocks. This makes
sure that the ABAP and the J2EE servers have the same time, as a difference can lead to issues with the
validity of the cookie. You need to make sure that the J2EE and the ABAP server time zones are the same. You
can change the time zone by setting the JVM parameter "-Duser.timezone=<desired timezone>" in
ConfigTool. More help:
Time zone settings with SAP Process Integration - Process Integration - SCN Wiki
8)
If the actual ticket has expired (or is corrupt), then regenerate the ticket (always keep a backup
of the existing ticket before creating a new one). Check the below link for more info on creating a new
certificate.
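The checks from points 4, 5 and 7 above, collected into one preflight script; this is an added example, not part of the original document or of any SAP tool. The input shapes (profile text, ACL rows as system ID/client pairs, the `EPP` system ID, ISO 8601 timestamps read on each server), the 60-second skew tolerance, and treating a non-zero parameter value as "enabled" are all assumptions.

```python
from datetime import datetime

# Constructed sample inputs, collected by hand from each system (not real data).
ABAP_PROFILE = "login/accept_sso2_ticket = 1\nlogin/create_sso2_ticket = 0  # constructed\n"
UME_PROPS = {"login.ticket_client": "000"}
J2EE_SID = "EPP"                          # hypothetical portal system ID
SSO2_ACL = [("EPP", "678")]               # assumed shape: (system ID, client) ACL rows
ABAP_CLIENTS = {"000", "001", "100"}      # clients that exist on the ABAP server
ABAP_NOW = "2015-03-19T10:00:00+01:00"    # current time as read on the ABAP server
J2EE_NOW = "2015-03-19T09:04:30+00:00"    # current time as read on the J2EE server
MAX_SKEW_S = 60                           # assumed tolerance, not an SAP-defined value


def parse_profile(text):
    """Parse 'name = value' profile lines, ignoring blanks and # comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def check_sso(profile_text, ume, sid, acl, clients, abap_now, j2ee_now, max_skew=MAX_SKEW_S):
    """Return findings for checklist points 4 (ACL/client), 5 (parameters), 7 (time)."""
    findings = []
    client = ume.get("login.ticket_client", "")
    if (sid, client) not in acl:
        findings.append(f"ACL: no STRUSTSSO2 entry for {sid}/{client}")
    if client in clients:
        findings.append(f"CLIENT: login.ticket_client {client} also exists on ABAP")
    params = parse_profile(profile_text)
    for name in ("login/accept_sso2_ticket", "login/create_sso2_ticket"):
        if params.get(name) in (None, "0"):      # assumption: non-zero means enabled
            findings.append(f"PARAM: {name} is unset or 0")
    t_abap, t_j2ee = datetime.fromisoformat(abap_now), datetime.fromisoformat(j2ee_now)
    skew = abs((t_abap - t_j2ee).total_seconds())  # compared as absolute instants
    if skew > max_skew:
        findings.append(f"CLOCK: servers differ by {skew:.0f}s")
    if t_abap.utcoffset() != t_j2ee.utcoffset():
        findings.append("TZ: servers report different UTC offsets")
    return findings


if __name__ == "__main__":
    print(*check_sso(ABAP_PROFILE, UME_PROPS, J2EE_SID, SSO2_ACL,
                     ABAP_CLIENTS, ABAP_NOW, J2EE_NOW), sep="\n")
```

An empty result only means these three points look consistent; the SAP Notes in the other points still need to be checked by hand.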
Further Troubleshooting
Say the above settings are all fine but the issue persists. Now it is time to delve
deep into the server logs and investigate further. This is needed to narrow down
whether the issue lies with the ABAP server, the J2EE server, the tickets, the browser, etc.,
and it helps in an END TO END trace. The detailed steps are:
1)
Clear all the browser cache.
2)
Set the security trace level in the ticket accepting system (R/3 server)
======================================================
2.1. Call transaction SM50 (process list):
2.2. Process -> Trace -> Reset -> Workprocess Files
2.3. Key combination: F5 (select all), CTRL-Shift-F7 => Dialog box;
2.4. Set trace level=3 and ONLY(!) check the "Security" component;
If necessary, you must repeat these steps for each server (see transaction SM51), unless you can
use a specific server for reproducing the error (for example, by excluding the
load distribution).
======================================================
3)
Run the web diagtool as outlined in SAP Note 1045019 (example 1) if you are on SAP Netweaver
release 6.40 or 7.00, or as per SAP Note 1332726 (incident "General Security") if you are on
version 7.1, 7.2, 7.3, 7.4 or 7.5. It will be ideal to run it on the server 0 (check SAP Note
1589567).
4)
While the diagtool is running, reproduce a failed SSO scenario to the backend.
5)
When the SSO fails, wait for a minute and then press return in the diagtool console so that the
References
Configure System Connection in SAP Enterprise Portal
Configuring the AS ABAP for Issuing Tickets for Logon - User Authentication and Single Sign-On - SAP
Library
SAP Note 1055856: Common error messages when setting up Single Sign-On
SAP Note 1761987: SAP Logon Tickets Rejected Due to Clock Synchronization Issue
Time zone settings with SAP Process Integration - Process Integration - SCN Wiki
4 Comments
Hi Hemanth,
Great outline of troubleshooting steps, thanks.
I have one question, though. Under Common Error Scenarios, point 4, you talk about
login.ticket_client being set to 000 as a problem. However, at least with older J2EE/Portal
systems (such as 7.01) this is the default setting, and in years past the instructions for setting
up SSO between a Portal and an ABAP system involved importing the ticket issued by the
portal via STRUSTSSO2 and setting the client to 000 during the import. I'd have to dig to find
it, but I recall this being a distinct instruction, and indeed it is how I've configured our portal to
work. It has been this way for ten years now, without an issue (it was originally on NetWeaver
7.00, but since upgraded to 7.01).
On the other hand, I always did the STRUSTSSO2 import in the working client, not client 000,
despite some warnings indicating this should be done in 000. This never caused a problem,
either.
Cheers,
Matt
Hemanth Kumar Mar 23, 2015 11:35 AM (in response to Matt Fraser)
Hi Matt,
Thank you for your inputs. Nice catch
Hemanth Kumar Feb 5, 2016 11:30 PM (in response to Stefan Mahnke)
Thanks Stefan!!