Thursday, June 11, 2009

Security Web Service Proxy Authentication Deployment Problems in

Problem Description

Two kinds of Web service client related problems (deployable proxies) can occur:

Deployment problems

Authentication problems

Scenario Type:

Error analysis

NetWeaver Component:

J2EE (Web service)

Validity:

J2EE version >= 6.30

Decision Roadmap

Prerequisites

-

Main Tools

Log Viewer or Visual Administrator

Analysis

Deployment problems

Technical Background:

During deployment, configuration data is taken from the ws-deployment-descriptor.xml and stored in the configuration manager under /webservices (service Configuration Adapter). When the Web services are called, the configuration data is looked up.


Solution:

Problems of this kind should not appear after SP4. If they do appear, they are due to lock timeouts. Change the property locking.timeout of the service Web Service Security (tc~sec~wssec~service) to a higher value (default 30000 = 30 seconds).

Standalone and Web Dynpro proxies

Symptom:

(Warning ! Protocol Implementation [com.sap.security.core.client.ws.SecurityProtocol] could not be loaded (ClassNotFound) ! Error Message is :com.sap.security.core.client.ws.SecurityProtocol Warning ! Provider [SecurityProtocol] not found for feature in logical port

Problem:

The class loading references are not set correctly. Typically this happens when a standalone proxy is used inside the server (in other words, by Web Dynpro).

Solution:

Running inside the server: set a reference to tc~sec~wssec~service

Standalone applications: add tc~sec~wssec~lib (shipped with the IDE) to the class path of the application.

Deployable proxies: checking used credentials and URL

Each time a deployable proxy is called, the data is retrieved from the destination service and logged in the security log.

Severity : Info

Location : com.sap.security.core.client.ws.AuthenticationContext.setDestination

Source Name : /System/Security

Message : An destination was set with the following properties: {DEFAULT_URL=https://localhost:50001/Stocks/basic_ssl?style=rpc, SLD_WS_NAME=, CLIENT_AUTHENTICATION_KEYSTORE_VIEW=WebServiceSecurity, CLIENT_AUTHENTICATION_KEYSTORE_CERTIFICATE=XMLEncryption, SLD_URL=, SLD_WS_PORT=, Authentication=BASIC, URL_CHOICE=Custom, URL=https://p111854:50701/Stocks/basic_ssl?style=rpc, SSO2=XXX ,SSL_SERVER_AUTHENTICATION=IGNORE, USERNAME=wss_cst0, PROXY_ENABLED=false, PROXY_URL=, SLD_WS_SYSTEM_NAME=, PASSWORD=XXX}.

Datasource : 74126650:./log/system/security.log

Used URL:

Look for the value of field URL_CHOICE.

URL_CHOICE=Custom

See field URL

URL_CHOICE=SLD

See field URL

URL_CHOICE=Default

See field DEFAULT_URL

Used Authentication:

Look for the value of field Authentication

Authentication=None

No authentication used

Authentication=Basic

HTTP Basic used. See also fields USERNAME, PASSWORD (hidden)

Authentication=Logon Ticket

SSO2 is being used. If an SSO2 ticket was issued during logon, an entry SSO2=XXX should be in the property list.

Authentication=X.509 Client Certificate

X.509 client certificates are used. See also fields CLIENT_AUTHENTICATION_KEYSTORE_VIEW, CLIENT_AUTHENTICATION_KEYSTORE_CERTIFICATE.

SSL server certificates:

Look for the value of field SSL_SERVER_AUTHENTICATION

SSL_SERVER_AUTHENTICATION=Ignore

No verification of server certificates.

SSL_SERVER_AUTHENTICATION=

Chain verification of server certificate against keystore view .
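The three checks above (used URL, used authentication, SSL server certificate handling) can be applied mechanically to the "destination was set" record from security.log. The following Python script is an added example and not SAP's code or part of the original documentation: it parses the property list from the quoted log line (assumed to be a comma-separated list of KEY=VALUE pairs, as in the sample above, with the field names taken from that sample) and reports the effective URL, the authentication mode and the findings a reviewer would raise, including the SSL_SERVER_AUTHENTICATION=IGNORE and missing-SSO2 cases the text describes; the warning about HTTP Basic over plain http is an added check that goes beyond the text.

```python
import re

# Constructed sample: the security.log message quoted above, as one string.
SAMPLE_MESSAGE = (
    "An destination was set with the following properties: "
    "{DEFAULT_URL=https://localhost:50001/Stocks/basic_ssl?style=rpc, SLD_WS_NAME=, "
    "CLIENT_AUTHENTICATION_KEYSTORE_VIEW=WebServiceSecurity, "
    "CLIENT_AUTHENTICATION_KEYSTORE_CERTIFICATE=XMLEncryption, SLD_URL=, SLD_WS_PORT=, "
    "Authentication=BASIC, URL_CHOICE=Custom, "
    "URL=https://p111854:50701/Stocks/basic_ssl?style=rpc, SSO2=XXX ,"
    "SSL_SERVER_AUTHENTICATION=IGNORE, USERNAME=wss_cst0, PROXY_ENABLED=false, PROXY_URL=, "
    "SLD_WS_SYSTEM_NAME=, PASSWORD=XXX}."
)

# Constructed second sample: SLD-based destination whose SLD URL stayed blank and
# whose logon-ticket authentication has no SSO2 entry (hypothetical values).
SAMPLE_SLD_TICKET = (
    "An destination was set with the following properties: "
    "{DEFAULT_URL=http://localhost:50000/Stocks/basic?style=rpc, SLD_URL=, "
    "Authentication=Logon Ticket, URL_CHOICE=SLD, "
    "URL=http://localhost:50000/Stocks/basic?style=rpc, SSL_SERVER_AUTHENTICATION=, "
    "USERNAME=, PROXY_ENABLED=false, PASSWORD=XXX}."
)


def parse_destination_properties(message: str) -> dict:
    """Extract the {KEY=VALUE, ...} list from a 'destination was set' log message."""
    match = re.search(r"\{(.*)\}", message, re.S)
    if not match:
        raise ValueError("no property list found in message")
    props = {}
    # Split on commas with optional surrounding whitespace ("SSO2=XXX ,SSL_..." occurs).
    for item in re.split(r"\s*,\s*", match.group(1).strip()):
        if not item:
            continue
        key, _, value = item.partition("=")  # values (URLs) may contain '='
        props[key.strip()] = value.strip()
    return props


def effective_url(props: dict) -> str:
    """Apply the URL_CHOICE rule: Default -> DEFAULT_URL, Custom/SLD -> URL."""
    if props.get("URL_CHOICE", "").lower() == "default":
        return props.get("DEFAULT_URL", "")
    return props.get("URL", "")


def check_destination(props: dict) -> list:
    """Return human-readable findings about the destination configuration."""
    findings = []
    url = effective_url(props)
    auth = props.get("Authentication", "").lower()
    is_https = url.lower().startswith("https://")

    if not url:
        findings.append("no effective URL; check URL_CHOICE, URL and DEFAULT_URL")
    if props.get("URL_CHOICE", "").lower() == "sld" and not props.get("SLD_URL"):
        findings.append("URL_CHOICE=SLD but SLD_URL is blank (SLD lookup did not succeed)")
    if props.get("SSL_SERVER_AUTHENTICATION", "").lower() == "ignore" and is_https:
        findings.append("SSL_SERVER_AUTHENTICATION=IGNORE: server certificate is not verified")

    if auth == "basic":
        if not props.get("USERNAME"):
            findings.append("Authentication=Basic but USERNAME is empty")
        if not is_https:
            findings.append("HTTP Basic over plain http: credentials are sent unprotected")
    elif auth == "logon ticket" and "SSO2" not in props:
        findings.append("Authentication=Logon Ticket but no SSO2 entry: no ticket was issued at logon")
    elif auth.startswith("x.509"):
        for field in ("CLIENT_AUTHENTICATION_KEYSTORE_VIEW",
                      "CLIENT_AUTHENTICATION_KEYSTORE_CERTIFICATE"):
            if not props.get(field):
                findings.append(f"X.509 authentication but {field} is empty")
    return findings


def summarize(message: str) -> dict:
    """Parse one log message and return URL, authentication mode and findings."""
    props = parse_destination_properties(message)
    return {
        "url": effective_url(props),
        "authentication": props.get("Authentication", ""),
        "ssl_server_authentication": props.get("SSL_SERVER_AUTHENTICATION", ""),
        "findings": check_destination(props),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_MESSAGE, SAMPLE_SLD_TICKET):
        result = summarize(sample)
        print(f"URL: {result['url']}  auth: {result['authentication']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the quoted record, the script reports the custom URL on port 50701, HTTP Basic as user wss_cst0, and one finding: the server certificate is not verified. Pipe the relevant lines of security.log through `summarize` after each proxy restart to confirm that a changed destination actually took effect.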

Symptom:

com.sap.engine.services.webservices.jaxrpc.wsdl2java.ClientProtocolException: An error occured while reading data from the destination sap.com/WSSEC_PROXIES/com.sap.security.core.ws.proxies.stocks.Stocks/basic_sslPort_Rpc. The error was: com.sap.security.core.server.destinations.api.DestinationException The properties for destination sap.com/WSSEC_PROXIES/com.sap.security.core.ws.proxies.stocks.Stocks/basic_sslPort_Rpc of type WebService could not be located.

Problem:

Destination missing

Solution:

The destination is by default created when a deployable proxy is started after deployment. When a destination is missing, it has either been deleted in the destination service, or a technical error occurred. In this case, check the security log and try to stop and start the application containing the proxy (web service container).

Symptom:

Incorrect destination settings

Problem:

The settings for a Web service are logically different from the settings in the IDE (for example, the IDE has SSO2 for authentication while the destination has Basic).

Solution:

Delete the destination in the destination service and stop and restart the proxy application to recreate the destination.

Symptom:

The SLD URL in the Destination service is still blank after a restart. The Log Viewer reports the following error in the security.log:

Severity : Error

Location : com.sap.security.core.client.ws.DeployableSecurityProtocol.updateSLD

Source Name : /System/Security/WS/SecurityProtocol

Thread : SAPEngine_System_Thread[impl:4]_81

Message : Update of URL from SLD for destination sap.com/WSSEC_PROXIES/com.sap.security.core.ws.proxies.stocks.Stocks/basicPort_Rpc failed. Error was com.sap.engine.services.webservices.exceptions.WSException .

Datasource : 3723550:./log/system/security.log

Resource Bundlename : com.sap.security.core.client.ws.DeployableSecurityProtocolMessage

Problem:

The SLD is not configured correctly or the data could not be read.

Solution:

Check the documentation on how to set up the SLD correctly (see Setting up an SLD Test Server); also see SAP Note 688983.

Symptom:

java.net.ConnectException: Connection refused: connect

Problem:

Invalid URL.

Solution:

Check the destination settings. Changes take effect after the proxy application is restarted. See Checking used credentials and URL.

Symptom:

An error occurred while reading data from the destination sap.com/WSSEC_PROXIES/com.sap.security.core.ws.proxies.stocks.Stocks/basic_sslPort_Rpc. The error was: com.sap.engine.services.keystore.exceptions.BaseRemoteException (thread: SAPEngine_Application_Thread[impl:3]_2,view:demo_view, entry: , user: wss_cst0) - checkPermissions 'isExistsView': com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized!.

Symptom:

iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier

Problem:

The server certificate was not accepted.

Solution:

Add the certificate of the server to a keystore view that is used by the destination. See Checking used credentials and URL.

Symptom:

Error message: No SAP Logon Ticket was found for the user. Please ensure the user authenticated using HTTP/HTTPS and the JAAS login stack has been configured correctly.

Problem:

No SSO2 ticket issued because JAAS login stack does not contain the CreateLogonTicket module.

Solution:

Change the login stack of the application to issue a ticket (see the documentation on SSO).

Symptom:

While using HTTPS and certificate authentication this error message is displayed: InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized

Problem:

Either your SSL Service does not request client certificates or it requests a wrong one, or the certificate you attached to your request is not mapped to a user.

Solution:

Check if your SSL Service requests/requires client certificates. Also check if the client certificate you attached to your request is (a) generated by one of your Trusted Certificate Authorities of your SSL Service and (b) mapped to a user in your user store.
