Channel: SCN : All Content - SAP Single Sign-On

SNC Connection between BO Data Service 4.0 SP2 and SAP Backend without SSO


Hi,

 

We are trying to set up an SNC connection between Business Objects Data Services 4.0 SP2 and an SAP NetWeaver 7.4 system. We are not planning to activate SSO yet.

 

I have followed the configuration procedure to do this, but when we try to log on from within BO 4 and make an SNC connection to SAP, it fails with incomplete sign-on data and causes short dumps in our SAP system. I have done quite some analysis, and more and more I get the feeling that it might not work, as SNC can’t work with SSO.

 

Can you indicate if BO and SAP can communicate on an SNC-only basis without implementing SSO?

 

Thanks

Toon van Hunsel


Single Sign-On with Kerberos


Implementing Single Sign-On with Kerberos

With the latest release 2.0, SAP Single Sign-On offers support for SPNEGO for ABAP. Leveraging this Kerberos-based single sign-on technology, you can easily implement an SSO solution for your SAP systems. This four part video series provides a step-by-step installation & configuration tutorial.

 

Video Title | Link (YouTube / SCN)
Solution Overview – How does the solution work and what can we expect (3:30 min) | Implementing Single Sign-On with Kerberos 1
Installation and configuration of Secure Login Library for SAP AS ABAP (7:40 min) | Implementing Single Sign-On with Kerberos 2
Installation and configuration of Secure Login Client. How to configure User Mapping (4:50 min) | Implementing Single Sign-On with Kerberos 3
Enable Single Sign-On on SAP AS JAVA. Configure SPNEGO (6:35 min) | Implementing Single Sign-On with Kerberos 4

 

 

Blog: Kerberos Authentication Flow for Browser-Based Applications Provided by the AS ABAP

 

Blog: Kerberos/SPNEGO for SAP AS ABAP in a Multi Domain Environment

 

 

Additional Resources

 

Troubleshooting SPNego for ABAP (OSS Note 1732610)

 

Single Sign-On to SAP HANA DB using Kerberos (OSS Note 1837331)

 

Single Sign-On to SAP BusinessObjects BI Platform 4.0 (Blog)

 

Mobile Single Sign On from iOS 7 to SAP NetWeaver (Blog)

 

Take the SAP Fiori Experience to a New Level with SAP Single Sign-On (Blog)

Non-SAP to SAP RFC SNC connection - change encryption from DES to AES


Hello Colleagues,

 

We still have an old non-SAP (Linux) to SAP RFC connection using the RFC SDK and SNC.

 

We now have the requirement to change the current DES algorithm to AES128 or a different, stronger encryption algorithm.

 

How can I do that?

 

Many thanks in advance!

 

Regards,

 

Jochen

Single Sign-On with Kerberos: Recommendations & Troubleshooting


Recommendations

 

Microsoft Service User

 

Should you use one service user for all SAP server systems, or create a separate service user account for every SAP server system?

 

We recommend creating a separate service user account for every SAP server system, each with its own Service Principal Name (SPN) and a different, complex password. This increases security. Why?

 

  • If one Microsoft service user is used for all SAP server systems and its password is no longer trustworthy, all SAP server systems are affected. This is an exposure that should be avoided.
  • If a dedicated Microsoft service user is used for one SAP server system and its password is no longer trustworthy, only that SAP server system is affected.

 

Troubleshooting

 

Troubleshooting SAP GUI -> SAP AS ABAP

 

SAP AS ABAP Server does not start after SNC is enabled

 

If the Application Server ABAP no longer starts after SNC was enabled, check the work process log file dev_w0 to see why SNC could not be activated.

 

 

Missing Kerberos keyTab in Secure Login Library

 

Verify that the Kerberos keytab (SAPSNCSKERB.PSE) exists and is readable by the SAP system user (the OS user that starts the SAP server).

 

 

Correct SPN configuration

 

Verify the SPN configuration, including upper/lower case: the SAP-side name (without the @<DOMAIN NAME> suffix) must match the SPN registered in Windows exactly.

Windows Configuration: SAP/SL-ABAP-<SID>

SAP SNC Configuration: SAP/SL-ABAP-<SID>@<DOMAIN NAME>

 

Windows Configuration: HTTP/<Host Name>

SAP SPNEGO Configuration: HTTP/<Host Name>@<DOMAIN NAME>

 

 

Duplicated SPNs

 

Verify that there are no duplicate SPN entries in Microsoft Active Directory using the command-line tool setspn -X.

 

 

Wrong SNC Name configuration in SAP GUI Application

 

Compare the SNC name configured in the SAP Logon application with the instance profile parameter snc/identity/as (transaction RZ10); the two must match.

 

 

Client not part of Windows Domain

 

Check that the user is really authenticated against the Windows domain and that the computer is really joined to the Windows domain.

 

 

Wrong/Missing user mapping information

 

Check the SNC name configured for the user in user management (transaction SU01).

 

 

 

Troubleshooting Web GUI -> SAP AS Java

 

Correct SPN configuration

 

Verify the SPN configuration, including upper/lower case: HTTP/<Host Name> in Windows must match HTTP/<Host Name>@<DOMAIN NAME> in the SAP SPNEGO configuration exactly.

 

 

Duplicated SPNs

 

Verify that there are no duplicate SPN entries in Microsoft Active Directory using the command-line tool setspn -X.
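As an added example (not code from this page or from SAP), a Python check that applies the two SPN items above, exact upper/lower-case match and duplicate SPNs, to an SPN inventory exported from Active Directory, for both the SAP/SL-ABAP-<SID> SNC name used by SAP GUI and the HTTP/<Host Name> name used by SPNEGO. The account names, hosts and realm are constructed, and the case-insensitive grouping of duplicates is an assumption of this example.

```python
from collections import defaultdict

# Constructed SPN inventory as you would export it from Active Directory:
# (account, SPN) pairs. Accounts, hosts and realm are made up for this example.
AD_SPNS = [
    ("SVC-SAP-PRD", "SAP/SL-ABAP-PRD"),
    ("SVC-SAP-PRD", "HTTP/sapprd.example.corp"),
    ("SVC-SAP-DEV", "SAP/SL-ABAP-DEV"),
    ("SVC-SAP-OLD", "sap/sl-abap-dev"),          # same SPN as DEV, other case, other account
    ("SVC-PORTAL", "HTTP/portal.example.corp"),
]

# Constructed SAP-side names in the form the text gives: <SPN>@<DOMAIN NAME>
SAP_NAMES = {
    "PRD snc/identity/as": "SAP/SL-ABAP-prd@EXAMPLE.CORP",   # case differs from Windows
    "DEV snc/identity/as": "SAP/SL-ABAP-DEV@EXAMPLE.CORP",
    "Portal SPNEGO": "HTTP/portal.example.corp@EXAMPLE.CORP",
    "QAS snc/identity/as": "SAP/SL-ABAP-QAS@EXAMPLE.CORP",   # never registered in AD
}


def strip_realm(sap_name: str) -> str:
    """SAP configures '<SPN>@<DOMAIN NAME>'; Windows registers only '<SPN>'."""
    return sap_name.split("@", 1)[0]


def find_duplicate_spns(ad_spns):
    """SPNs held by more than one account. Grouping is case-insensitive (an
    assumption of this example) so that 'SAP/SL-ABAP-DEV' and 'sap/sl-abap-dev'
    count as one SPN, the kind of collision the text has you look for with setspn -X."""
    holders = defaultdict(set)
    for account, spn in ad_spns:
        holders[spn.lower()].add(account)
    return {spn: sorted(accts) for spn, accts in holders.items() if len(accts) > 1}


def check_sap_name(sap_name: str, ad_spns) -> str:
    """'ok' when the SAP name (realm removed) is registered exactly as written,
    'case-mismatch' when it is registered only with different upper/lower case,
    'missing' when no account holds it at all."""
    wanted = strip_realm(sap_name)
    registered = [spn for _, spn in ad_spns]
    if wanted in registered:
        return "ok"
    if wanted.lower() in {spn.lower() for spn in registered}:
        return "case-mismatch"
    return "missing"


def audit(sap_names, ad_spns):
    """Run both checks; every result other than 'ok', and every duplicate, needs a look."""
    return {
        "names": {label: check_sap_name(name, ad_spns) for label, name in sap_names.items()},
        "duplicates": find_duplicate_spns(ad_spns),
    }


if __name__ == "__main__":
    report = audit(SAP_NAMES, AD_SPNS)
    for label, result in report["names"].items():
        print(f"{label:24} {result}")
    print("duplicate SPNs:", report["duplicates"])
```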

 

 

Windows User Authentication not enabled in browser

 

Check that Windows Authentication is enabled in the browser, and check the security zone the server URL is assigned to (e.g. Local Intranet Zone), since the browser only sends Kerberos credentials to sites in a trusted zone.

 

 

User available in UME

 

The user name must exist in the SAP AS JAVA UME configuration (e.g. UME configured against Microsoft Active Directory, or the Windows user name kept in sync with the SAP user name).

 

 

 

Troubleshooting SPNEGO Authentication on SAP AS ABAP

 

In case you are observing problems related to SPNEGO authentication on an AS ABAP system, please refer to SAP Note 1732610.

SAP Netweaver Portal - Success Factors SSO time out issue


Dear experts,

 

We’ve followed the configuration steps for single sign-on on SAP Netweaver Portal and Success Factors.

http://scn.sap.com/docs/DOC-29737

 

However, we are not able to connect and navigate on Success Factors.

When I test the iView I created, it shows the message “ERR_CONNECTION_TIMED_OUT”.

 

So I’ve already tried:

  • Change the links.
  • Review all the configuration steps.
  • Download the Success Factors certificate.
  • Upload again the Portal certificate.

 

Thanks for any inputs.

 

Regards,

Issue with web-base application in Single Sign-On


Hi Experts:

 

I'm working on a project using SNC/SPNEGO Single Sign-On.

Following the configuration manual on help.sap.com, Single Sign-On using SAP GUI is successful. But when using a browser to access a web application, for example WebGUI, I get a 401 Unauthorized response from the browser.

Could you please give me some advice on what causes the issue and how to solve it?

Thanks a lot.

 

Lei

Simple Configuration Example for Implementing Two-Factor Authentication (2FA)


How to protect your AS JAVA application with Two-Factor-Authentication (2FA) based on Time-Based One-Time Passwords (TOTP)

 

Goal: You want to improve the security of an application running on an AS Java server using a simple 2FA solution.

Prerequisite: You have a license for the SAP Single Sign-On product.

 

In this blog you will find the simple steps for configuring 2FA based on TOTP for an AS JAVA application using the SAP Single Sign-On product.

Time-Based One-Time Passwords (TOTP) are passcodes generated by an algorithm that computes a one-time password from a shared secret key and the current time (see RFC 6238). The SAP Single Sign-On product offers a two-factor authentication solution based on TOTP. Such authentication is considered more secure because TOTP passcodes are time-based (valid for only 30 seconds), each can be used for only one logon attempt, and they rely on two means of identification: something the user possesses and something the user knows. The user possesses a mobile device on which the passcode generator is installed, and knows the password that unlocks the device. This makes TOTP well suited to protecting a system or an application with a strong authentication mechanism. SAP offers a passcode generator mobile application called “SAP Authenticator” (available at the moment for iOS and Android devices) that generates 6-digit or 8-digit passcodes.

Note: The SAP Single Sign-On product also offers 2FA alternatives to TOTP, such as one-time passwords (OTP) sent via SMS or e-mail, or integration with a RADIUS server (RSA, others), but in this blog I will provide the configuration details only for 2FA based on TOTP.

 

How to use the 2FA based on TOTP for protecting an application running on AS JAVA:

We assume that the authentication stack of your application is currently configured to use the default Login Module called BasicPasswordLoginModule, and that users have to provide their UserID and Password in order to be authenticated.

In my configuration example I will use a sample Java application that simply displays the User name of the logged user and also provides information about the authentication method used.

 

Open the NWA via https://<host>/nwa with the credentials of an administrative user.

Navigate to Configuration > Authentication and Single Sign-On > Authentication tab > Components

Find the respective Policy Configuration that you want to use and see the authentication stack. In my example the screenshot is from the Policy Configuration of my simple custom Java application.


Initial state of the configuration:

01_InitialConfLogModules.png

The User experience before to configure the 2FA based on TOTP is the following:

The user is requested to provide his/her User and Password:

02.png

When the credentials are correct, the user is successfully authenticated. Based on the logic of my simple application the User name is displayed and also the authentication method “Password”:

03.png

Now let’s do the configuration for implementing 2FA based on TOTP:

Click “Edit” for the Policy Configuration that you want to configure, change the Login Module of the authentication stack for this Policy Configuration from BasicPasswordLoginModule to TOTPLoginModule, keep the flag “SUFFICIENT”, and click “Save”.

04_Configuration_Pass&TOTP.png

In our example we want to keep the first-stage login with User & Password and add a second-stage login where the user is prompted for a passcode (TOTP). This is why we keep the OTP settings of the system at their default values (the setting “First Factor Login Module” keeps its default value BasicPasswordLoginModule). Here you can see a screenshot of the default configuration in the OTP Administrative UI. To open the OTP Administrative UI, use https://<host>/otpadmin with the credentials of your administrative user:

DefaultOTP.png

Now it is time to test the configuration “Password + OTP”:

First the user will be prompted for his UserID and Password

02.png

As a second-stage login, the user has to provide a TOTP passcode, but because no mobile device is configured for his/her account yet, the user is informed that he/she needs to activate a mobile device:

00_RegRequired.png

In order to test the configuration to the end, you need to set up your mobile device for TOTP:

Prerequisite: You have the SAP Authenticator mobile application installed on your mobile device.

  1. Open the self-service for Mobile Device Setup via this link: https://<host>/otp and log in with the test account
  2. Click the link “Set Up Account on Device”

01_ClickLink.png

3. A QR code will be displayed. In the SAP Authenticator mobile application click “Add new account”, scan the QR code and click “Done” in the mobile app. The mobile application starts generating TOTP passcodes immediately, but before you start using them you have to finish the setup by clicking “Finish” in the self-service procedure on the PC:

0002_QRcode.png

Now we can finally test the configuration:

You have to start the authentication again with the UserID and Password:

0003_StartAgain.png

At the second-stage login you will be prompted for a passcode generated for your test user by the SAP Authenticator on your mobile device. Type the current passcode and click “Log On”:

OTPsledConfiguracia.png

When you provide a valid passcode you will be authenticated successfully and you will see that the authentication method is “Password + OTP”:

12_2FAResult.png

Note: In order for your login form to display “Passcode” for the second stage of the authentication, you have to make sure that you are using the proper “Alias of Application for Customizing Login Pages (ume.logon.application.ui_resources_alias)” with the value /otp_logon_ui_resources (this alias comes with the implementation of the SSO AUTHENTICATION LIBRARY 2.0). You have to configure it here:

Navigate to Authentication and Single Sign-On > Authentication tab > Properties. See:

Alias.png

One more scenario “SPNEGO +OTP”:

If you are already using a single sign-on technology in your company, for example Kerberos/SPNEGO, it is also possible to implement 2FA based on TOTP easily. You simply combine the login module you are using at the moment with OTP, for example “SPNEGO + OTP” or “X.509 + OTP”.

I will provide the details for the “SPNEGO + OTP” configuration; you will be able to configure other Login Modules following the same approach.

Note: As usual, when you want to use SPNEGO as the first authentication attempt, your AS JAVA system needs to be already configured for SPNEGO (see the screenshot with the example):

14_SPNEGO_OTP.jpg

If you are currently using the SPNegoLoginModule in the authentication stack for your application like here:

15_SPNEGOInitial.png

You have to do two things:

1) Replace the SPNegoLoginModule with TOTPLoginModule in the authentication stack of your application (this is similar to the configuration we did for the “Password + OTP” scenario):

16_SPN_OTP_Conf.png

2) Go to the OTP administrative UI and change the default setting of “First Factor Login Module” to SPNegoLoginModule, and don't forget to Save. See the screenshot with the configuration below:

17_OTPUI_SPN.png

Now your application uses “SPNEGO + OTP” authentication.

Test of the new configuration:

If we test access to the application with an account already authenticated to the Microsoft domain, the first authentication stage is SPNEGO and the user sees only the second authentication stage, where he/she is prompted to provide a TOTP:

RemSSO.png

When a correct TOTP is provided, the user is successfully authenticated and his/her authentication method is “SPNEGO + OTP”:

RemSSORez.png

An alternative scenario “SPNEGO or PASSWORD + OTP”:

This scenario is important when you have to protect an application that is also used on kiosk/shared PCs. In such cases you have one group of users who have a Kerberos token, for whom SPNEGO works, but you also have to manage secure access for another group of users who use shared PCs, where single sign-on is not an option. To protect such an application, you configure both login modules in the OTP settings, separated by a comma: type BasicPasswordLoginModule after SPNegoLoginModule, like this: “SPNegoLoginModule,BasicPasswordLoginModule”.

With this simple configuration you offer “SPNEGO + OTP” authentication to the first group of users (who are logged into the Microsoft domain), and “Password + OTP” authentication to the other group of users (who use the application via a kiosk/shared PC).

Note: Make sure SPNegoLoginModule is configured in the first position; otherwise every user is prompted directly for “Password + OTP” and SPNEGO will not work even for users who have a Kerberos token available.

See the screenshot of the configuration:

20_SPN_BAS.png

You can find more details about 2FA based on TOTP and all available configuration settings in our documentation:

http://help.sap.com/download/sapsso/one_time_pwd_authentic_impl_guide_en.pdf

 





Security Level of Kerberos / SPNego Algorithms?


Dear all,

Some algorithms have gotten a bad reputation over the last months and years. I am no algorithm expert but do some research on recommendations, standards and regulations to give some guidance to our organization.

So I learnt from TLS discussions that DES, MD5 and RC4 are to be considered broken.

 

What about Kerberos/SPNego? Do we have to consider RC4 and DES as broken for Kerberos too? I am not able to google a decent statement on this.

 

 

When I create a keytab in transaction SPNego I generate keys for the following algorithms:

SPNego.png


Does anybody know how Kerberos negotiates which algorithm to use?

SAP systems seem to prefer RC4 over AES during the handshake. The command-line tool klist on my PC shows that all my Kerberos tickets are AES, with the exception of those for SAP systems, which are RC4.


Shall I remove all DES and RC4 entries for security reasons?

This would only leave AES128-CTS-HMAC-SHA1-96 and AES256-CTS-HMAC-SHA1-96.

 

Are there any known compatibility issues when limiting Kerberos to AES?

Luckily we don't have to support any Windows XP clients anymore.

 

I am asking for both Kerberos based SNC for GUI and RFC-Clients as well as for SPNego in browsers for both ABAP and JAVA stack (if this makes any difference).

Thanks a lot!

Lutz

 

Message was edited by: Lutz Rottmann

Hi, I moved this to SAP Single Sign On while hoping to get some feedback here. Regards, Lutz


SPNego - Special Requirement


Hello,


We are about to implement SPNego SSO for SAP Portal 7.3.

 

In the portal, we have a few HR-sensitive pages (tax forms, salary slip etc.). For such pages only, we want to deploy 2-factor authentication.

a. SPNego and b. Form based login

 

i.e. Users will have to pass SPNego and then again authenticate using FORM based authentication. How can we achieve this?

 

 

Note that we will use only SPNego SSO for rest of portal.

 

Regards,

Vinod Patil

Transaction sso2 - The Digital Signature for This Certificate Cannot Be Verified


Hello Experts,

 

I am encountering an issue in transaction SSO2 which relates to importing a certificate from Enterprise Portal to ECC for the purpose of using Portal to generate Logon Tickets and the ABAP system to accept the Logon Tickets.

 

Process:

I have exported the SAPLogonTicketKeypair-cert.cert from our Enterprise Portal

I then logon to client 000 of our ECC system and run transaction STRUSTSSO2

I import the certificate, add to certificate list and add to ACL

I then run transaction SSO2 and execute it with blank fields and the following warning is displayed - "The Digital Signature for This Certificate Cannot Be Verified" (as per below image)

sso2.jpg

I perform the same actions using the same certificate on our other ECC and SRM systems and everything works fine, testing of logon tickets works fine too.

 

Would anyone have any ideas as to what I can do to try and resolve the issue?

I have searched SCN, Googled, etc... but not found anything of value.

 

Thanks in advance for any responses

NWBC 5.0 & SSO - SNC &


NWBC 5.0 PL9

 

We're configuring SSO and from a client perspective, SAPGUI is working, but I can't get NWBC working.

 

1. We use a centralized SAPUILandscapeGlobal.xml file on a file share that all the clients point to in order to pull their system connection information.  We're going through a 3 phase SAP implementation, so this is very handy as we roll out new modules/systems.

2. I've modified the .xml file to include the SNC information, set sncop="9" to enable it.

3. I can open SAPGUI on a client and it reads this information fine. However, when I open NWBC, it does not create a secure connection and the padlock symbol in the lower right of the NWBC client shows it's unsecure. One interesting note, however, is that I can right-click on a system in the system selection window and it does give me the option to do an SNC logon with or without SSO. But selecting either produces the same result: the padlock is shown unlocked.

4. However, if I manually configure a connection in SAPGUI on the client itself, including the SNC information, then open NWBC and use that connection, it does show the secure connection via the locked padlock in NWBC.

 

So I'm a little confused why I can create a connection on the local machine and it works, but when I try to use the central SAPUILandscapeGlobal.xml file, it does not work.  I've compared my entries to the other xml files after creating the manual entry, but can't see any discrepancy.

 

Any help would be appreciated!  If more information is necessary, let me know.

Enable/Disable SSO


Hello,

 

I'm a SAP BW/BI expert, so my question will be pretty basic :-)

 

At my company, SSO is enabled and we use SAP Secure Login Client:

SAP Secure Login Client.PNG

 

My question is, can I (as a simple end user) enable/disable the SSO feature temporarily?

 

(Background: I want to test changes to BW authorization settings in the BW front-end tools BEx Analyzer & Analysis for Office, but I want to do this with specially created test users. So I want to log in to the front-end tools with these users, but SSO is blocking me from doing so.)

 

Thanks in advance for any advice or tips!

Featured Content in SAP Single Sign-On



Protect your AS Java Application with Two-Factor Authentication based on One-Time Passwords

Do you want to protect your application running on AS Java using two-factor authentication based on time-based one-time passwords? Check out Donka Dimitrova’s latest blog and learn how to configure this step-by-step. January 13, 2016

 

SP6 for SAP Single Sign-On 2.0 Now Available

SAP just released the latest support package for SAP Single Sign-On 2.0, including various enhancements in the areas of mobile single sign-on and risk-based authentication as well as new certificate lifecycle management for ABAP application servers. For more information and to download the new SP6, read Martina Kirschenmann’s blog. October 9, 2015

 


Simple and Secure User Authentication with SAP Single Sign-On 2.0

Read the new SAP Insider article by Christian Cohrs and Martina Kirschenmann and get a full introduction into the latest support packages for SAP Single Sign-On 2.0. Learn how the innovative new features enhance the user experience, strengthen security, and streamline administration. July 27, 2015

Enterprise Security with SAP Single Sign-On


Enterprise readiness nowadays requires access for corporate users from anywhere and on any device. Is your IT team ready to answer properly all auditor’s questions related to business data security when it comes to granting access from outside the corporate network? Or access to business applications on mobile devices? There is always room for improvement when we talk about security. Below you find advanced security solutions, available with the SAP Single Sign-On product, that will help you to improve your corporate security for these challenging topics.

 

 


Two-Factor Authentication

With two-factor authentication you can implement a strong form of authentication for access to corporate resources – for example, for especially critical systems or securing access from outside the company. SAP Single Sign-On 2.0 supports two-factor authentication via time-based one-time passwords (TOTP) generated by the SAP Authenticator mobile app. Alternatively, out-of-band transport of tokens, including one-time passwords sent via SMS or email or RSA/RADIUS, are supported.

 

More information:

Strong Two-Factor Authentication with One-Time Password Solution

One-Time Password Authentication

Simple Configuration Example for Implementing Two-Factor Authentication (2FA)

 


Risk-Based Authentication

SAP Single Sign-On 2.0 (since SP5) offers risk-based authentication. This means that an authentication process can dynamically adapt to the context of an individual authentication request based on custom-defined access policies. First, you check the context information of an authentication attempt. This could be the IP address of the client, location, date/time, device information, or user attributes such as groups, for example. Secondly, based on this context information you then make a dynamic decision on whether you accept or deny access, or alternatively enforce two-factor authentication in case the context indicates a higher risk. You could even reduce the privileges of the person accessing the backend system, thus limiting the business functionality available to this user.

 

More information:

Risk-Based Authentication for Your Critical Business Processes

Stronger Security for Your Business Data at Risk

Access Policies Implementation Guide

SAP Note 2151025: User Management Engine Support for Dynamic Authorizations

SAP Note 2057832: Web Access Policy API

 


RFID-Based Identification

For scenarios where users need quick access to a system to perform short tasks, you can use fast user identification via radio-frequency identification (RFID). The user is identified via an RFID token, such as a company badge card. RFID identification is well suited to warehouse and production scenarios with dedicated kiosk PCs.

 

More information:

RFID-Based Identification of SAP Applications Using Employee Badges

Identification Using RFID Tokens

 


Digital Signatures

Digital signatures uniquely identify the signer, protect the integrity of the data, and provide the means for a binding signature that cannot be denied afterwards. SAP Single Sign-On supports digital signing using the Secure Store and Forward (SSF) interface. The Secure Login Client for SAP GUI can use X.509 certificates for digital signatures in an SAP environment. Server-side digital signatures are supported by the SAP Common Cryptographic Library. In addition, SAP Single Sign-On includes support for server-side digital signatures via hardware security modules, offering increased security and performance.

 

More information:

Digital Signing with Secure Store and Forward (SSF)

Digital Client Signature (SSF)

Digital Signatures in SAP GUI with One-Time Passwords

Digital Signatures (SSF) with a Hardware Security Module

SAP Note 1973271: Secure Login Library 2.0 HSM Configuration for SSF

 


Certificate Lifecycle Management for ABAP Application Servers

SAP Single Sign-On 2.0 (since SP6) supports automated renewal of X.509 certificates for SAP NetWeaver Application Server ABAP using Secure Login Server. This reduces manual efforts and prevents downtime.

 

More information:

Certificate Lifecycle Management Using Secure Login Server

SAP Note 2194174: Certificate Lifecycle Management with Secure Login Server – ABAP reports

SSO for SAP Screen Personas 3.0


Hi,

 

I could not find any document showing if we can implement SSO for SAP Screen Personas 3.0 or not. So I would like to ask if this scenario is possible; and if it's possible, what are the available options to implement SSO? Will Kerberos-based SSO (SPNEGO) work for Personas 3.0?

 

I would be very grateful for any feedback.

 

Best regards,

Duy


SAML2: Posibility to preset username in logon dialog


Hello there,

 

I've got an SAML2 Authentication running (IDP = SAP Portal; SP = ABAP HCM) and everything works fine so far.

 

Now I've got the requirement that this kind of authentication must be used in a kiosk scenario too.

In this scenario only the password is provided by the corresponding employee; the user ID is created automatically and must be preset in the logon dialog.

( In the next step an alternate logon dialog should be provided for this case with just the password field visible...)

 

I'm already able to get the user id, but I've got no possibility to fill in this ID in the logon dialog of my IDP.

 

I've tracked down the problem, but the only solution I've found so far on ABAP side is to enhance the generated redirect URL to the IDP with the parameter "j_username".

 

https://idp.server.com/saml2/idp/sso?SAMLRequest=...&j_username=john

 

Is it possible to define custom parameters for an IDP Redirect-Url or is the only solution to enhance / modify the corresponding class generating this URL?

 

 

I'm not very familiar with logon procedures, so other solution hints are welcome, too!

 

 

Many thanks in advance.

 

Greetings

Kai Fischer

Secure Login Client error ACM_ACCESS_DENIED while RFID auth


Hi!

We set up authentication with contactless cards (RFID) for using Fiori apps on a kiosk.

We installed SAP SSO SLS 2.0 SP6 PL1 and SAP Secure Login Client 2.0 SP6. The architecture requires kiosk registration in the domain under technical accounts (AD) and SPNEGO kiosk authentication in SLS. Card number and user name pairs are stored in the LDS. SLS was configured according to note 1970286 - SAP SSO 2 with Contactless ID Tokens. On the client we downloaded and installed the root certificate (as I understand, this is needed for the client to trust the SLS).

But authentication didn’t work.

The NWA logs have NOTHING; their customization failed (we can’t find such logging settings as: Applications / Common / Security / SecureLoginServer / Authentication, Applications / Common / Security / NetweaverSSO / KeyStore, Applications / NetweaverSSO / Server).

The Secure Login Client log file has this error:

[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][sbusslogin.d][  2988] JSON Response: {"text":"Аутентификация пользователя не выполнена","status":"ACM_ACCESS_DENIED","config":{"keysize":2048},"view":"Auth","type":"2"}

[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][sbusslogin.d][  2988] } 80070005

[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][sbus.dll    ][  2988] Переданные регистрационные данные не приняты сервером.Enrollment failed

[2016.01.15 11:18:47.828000][TRACE][sbus.exe            ][sbus.dll    ][  2988] silent authentication failed -> abort

 

In translation:

[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][sbusslogin.d][  2988] JSON Response: {"text":" User authentication failed ( is not performed)","status":"ACM_ACCESS_DENIED","config":{"keysize":2048},"view":"Auth","type":"2"}

[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][sbusslogin.d][  2988] } 80070005

[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][sbus.dll    ][  2988] The transmitted data is not accepted by the server. Enrollment failed

 

 

To simplify the situation we changed authentication to X.509 SSL, but the error persists.

What can be the cause of this error? Google can’t help us :(

 

Full log:

 

[2016.01.15 11:18:43.147000][TRACE][sbus.exe            ][sbus.dll    ][  5324] CPCSCMonitor::ReaderEvent(00000200, "HID OMNIKEY 5127 CK CL 0")

[2016.01.15 11:18:43.147000][TRACE][sbus.exe            ][sbus.dll    ][  5324] Trying to get CardId from reader ''

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] CToken:: Secure Login token [toksw:mem://securelogin/SLSAuth] :: login

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][IO          ][  2988] BEGIN: io_file_type (C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\etc\base.xml)

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][IO          ][  2988] END  : io_file_type

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][LOADER      ][  2988] Loading config file 'base.xml' failed because file not existing in path 'C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\etc\base.xml'

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { SBUSPSE::get_info

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] }        0

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { SBUSPSE::create_PSE

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { SBUSPSE::SetASC

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] }        0

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] }        0

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] CAPIFilter:: Provider filter not set, just ignore own CSPs ...

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] CAPIFilter:: CAPIFilterValidOnly() check

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] CAPIFilter:: Certificate: [CN=KIOSK, O=*****, C=RU] accepted

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] CAPIFilter:: Provider filter not set, just ignore own CSPs ...

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] CAPIFilter:: Certificate: [CN=KIOSK, O=*****, C=RU] accepted

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] Ctoken_SL: NewPinType: password

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] Ctoken_SL: gracePeriod: 0

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] Ctoken_SL: inactivityTimeout: 0

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] Ctoken_SL: ReAuthentication: 0

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbusresloade][  2988] { GetLocale

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbusresloade][  2988] }        0

[2016.01.15 11:18:43.179000][INFO ][sbus.exe            ][sbusslogin.d][  2988] Try to enroll SLS URL: https://sapsls. *****.local:50001/SecureLoginServer/slc2/doLogin?profile=28704b4a-579d-42fd-9e13-25b4e189f27f

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][SSL         ][  2988] Creating SSL_CTX 0x38bc20 with default cipher suites !aNULL:!eNULL:HIGH:MEDIUM

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][SSL         ][  2988] Parsing cipher suite configuration string: !aNULL:!eNULL:HIGH:MEDIUM

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][SSL         ][  2988] Creating SSL_CTX 0x38bc20 with default preferred elliptic curves list EC_HIGH:EC_MEDIUM

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][SSL         ][  2988] Parsing elliptic curves configuration string: EC_HIGH:EC_MEDIUM

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][SSL         ][  2988] Adding curves matching EC_HIGH

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][SSL         ][  2988] EC_P256 added

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][SSL         ][  2988] EC_P384 added

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][SSL         ][  2988] EC_P521 added

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][SSL         ][  2988] Adding curves matching EC_MEDIUM

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][SSL         ][  2988] EC_P224 added

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][SSL         ][  2988] Configured preferred elliptic curves list in SSL_CTX:

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][SSL         ][  2988]      curve: EC_P256 (secp256r1) [optimized: FALSE]

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][SSL         ][  2988]      curve: EC_P384 (secp384r1) [optimized: FALSE]

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][SSL         ][  2988]      curve: EC_P521 (secp521r1) [optimized: FALSE]

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][SSL         ][  2988]      curve: EC_P224 (secp224r1) [optimized: FALSE]

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { SBUSPSE::loginBySystemParameters

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { SBUSPSE::needRealPSE

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] } 80004001

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] } a1e00015

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { SBUSPSE::getAllTrustedCerts

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { SBUSPSE::needRealPSE

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] } 80004001

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { CTrust::getAllTrustedCerts

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { CTrust::getTrustedCertList

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { CTrust::Refresh

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { CTrust::InitProviders

[2016.01.15 11:18:43.179000][TRACE][sbus.exe            ][sbus.dll    ][  2988] }        1

[2016.01.15 11:18:43.194000][TRACE][sbus.exe            ][sbus.dll    ][  2988] }        0

[2016.01.15 11:18:43.194000][TRACE][sbus.exe            ][sbus.dll    ][  2988] }        0

[2016.01.15 11:18:43.194000][TRACE][sbus.exe            ][sbus.dll    ][  2988] }        0

[2016.01.15 11:18:43.194000][TRACE][sbus.exe            ][sbus.dll    ][  2988] }        0

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { SBUSPSE::getOwnCertificate

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { SBUSPSE::needRealPSE

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][sbus.dll    ][  2988] } 80004001

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { CTokenMgr::GetPCI

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][sbus.dll    ][  2988] m_apTokens[0]->GetPCI()

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][sbus.dll    ][  2988] m_apTokens[1]->GetPCI()

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][sbus.dll    ][  2988] }        0

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { sec_store_test_own_Certificate

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][sbus.dll    ][  2988] }        1

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][sbus.dll    ][  2988] Using token URI: [tokcapi:{4892BD14-BDD2-4DB1-88FE-219549A78DD9}(Microsoft Enhanced Cryptographic Provider v1.0)]

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][sbus.dll    ][  2988] }        0

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][SSL         ][  2988] Key tokcapi:{4892BD14-BDD2-4DB1-88FE-219549A78DD9}(Microsoft Enhanced Cryptographic Provider v1.0)/00

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][SSL         ][  2988] Configure cipher suites and elliptic curves lists in SSL_CTX:

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][SSL         ][  2988] context      : 0x38bc20:

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][SSL         ][  2988] cipher suites: HIGH:MEDIUM

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][SSL         ][  2988] Configure cipher suites in SSL_CTX:

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][SSL         ][  2988] context      : 0x38bc20:

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][SSL         ][  2988] cipher suites: HIGH:MEDIUM

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][SSL         ][  2988] Parsing cipher suite configuration string: HIGH:MEDIUM

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][SSL         ][  2988] Configured preferred elliptic curves list in SSL_CTX:

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][SSL         ][  2988]      curve: EC_P256 (secp256r1) [optimized: FALSE]

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][SSL         ][  2988]      curve: EC_P384 (secp384r1) [optimized: FALSE]

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][SSL         ][  2988]      curve: EC_P521 (secp521r1) [optimized: FALSE]

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][SSL         ][  2988]      curve: EC_P224 (secp224r1) [optimized: FALSE]

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][sbusslogin.d][  2988] { CSecureLogin_Protocol_2_0::Send_Init

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][sbusslogin.d][  2988] { CSecureLogin::Send_Any

[2016.01.15 11:18:43.210000][TRACE][sbus.exe            ][URL/H_URL_CT][  2988] url_ssl_factory: get ext ref

[2016.01.15 11:18:43.210000][INFO ][sbus.exe            ][sbusslogin.d][  5828] Generate RSA Key with keysize 2048

[2016.01.15 11:18:43.225000][INFO ][sbus.exe            ][URL         ][  2988] Successfully connected to

[2016.01.15 11:18:43.225000][INFO ][sbus.exe            ][URL         ][  2988] Address **.**.**.15 (sapsls. *****.local)

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][URL         ][  2988] Family: AF_INET (IPv4)

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][URL         ][  2988] Inner family: AF_INET (IPv4)

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][URL         ][  2988] Protocol: 6

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][URL         ][  2988] SockType: 1

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_setup_buffers returning 0. OK

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_init_finished_mac returning 0. OK

[2016.01.15 11:18:43.225000][INFO ][sbus.exe            ][SSL         ][  2988] Session to be resumed did not fit preferences. Performing full handshake

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][BASE/RANDOM ][  2988] Get 28 bytes random data

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] ClientHello.random OctetString  (size="28" ):7D9FE4EA680D5FD0BA55CCB8FDEC64804CDFD97BE3DFA924CC373EA3

[2016.01.15 11:18:43.225000][INFO ][sbus.exe            ][SSL         ][  2988] ClientHello.client_version: 3.3 (TLSv1.2)

[2016.01.15 11:18:43.225000][INFO ][sbus.exe            ][SSL         ][  2988] ClientHello.session_id: no session ID submitted.

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] ClientHello.cipher_suites<0> : TLS_RSA_WITH_AES128_GCM_SHA256

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] ClientHello.cipher_suites<1> : TLS_RSA_WITH_AES256_GCM_SHA384

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] ClientHello.cipher_suites<2> : TLS_RSA_WITH_AES128_CBC_SHA

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] ClientHello.cipher_suites<3> : TLS_RSA_WITH_AES256_CBC_SHA

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] ClientHello.cipher_suites<4> : TLS_RSA_WITH_3DES_EDE_CBC_SHA

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] ClientHello.cipher_suites<5> : TLS_RSA_WITH_RC4_128_SHA

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] ClientHello.cipher_suites<6> : TLS_RSA_WITH_RC4_128_MD5

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] ClientHello.compression_methods.size: 1

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] ClientHello.compression_methods<0> = 0, NULL compression.

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] Writing ClientHello extensions at offset 0x3b

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] No ClientHello extensions were written

[2016.01.15 11:18:43.225000][INFO ][sbus.exe            ][SSL         ][  2988] Sending SSLv3 ClientHello

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_write_pending returning 59. OK

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_finish_mac returning 0. OK

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_write_bytes returning 59. OK

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_do_write returning 1. OK

[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_client_hello successfully returns 1.

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_record returning 0. OK

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_finish_mac returning 0. OK

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_finish_mac returning 0. OK

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_message returning 0. OK

[2016.01.15 11:18:43.241000][INFO ][sbus.exe            ][SSL         ][  2988] ServerHello.server_version: 3.3 (TLSv1.2).

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][SSL         ][  2988] ServerHello.random : OctetString (size="32"):

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][SSL         ][  2988]          0 5698AB63 01FEF964 C6F9F92B 5ECFFF64

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][SSL         ][  2988]         10 88182698 F3ABD50C 458D7667 1484F4D7

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][SSL         ][  2988] ServerHello.session_id : OctetString (size="32"):

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][SSL         ][  2988]          0 D90C9723 573DAC35 577CE163 30C6E19A

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][SSL         ][  2988]         10 694EBC28 80E5385F 40DA7355 1EB53EDE

[2016.01.15 11:18:43.241000][INFO ][sbus.exe            ][SSL         ][  2988] On receiving ServerHello: Creating new session.

[2016.01.15 11:18:43.241000][INFO ][sbus.exe            ][SSL         ][  2988] Used protocol version: TLSv1.2

[2016.01.15 11:18:43.241000][INFO ][sbus.exe            ][SSL         ][  2988] ServerHello.cipher_suite: TLS_RSA_WITH_AES128_CBC_SHA

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][SSL         ][  2988] ServerHello.compression_method: 0.

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_server_hello returning 0. OK

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_record returning 0. OK

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_finish_mac returning 0. OK

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_finish_mac returning 0. OK

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_message returning 0. OK

[2016.01.15 11:18:43.241000][INFO ][sbus.exe            ][SSL         ][  2988] Received server certificate chain.

[2016.01.15 11:18:43.241000][INFO ][sbus.exe            ][SSL         ][  2988] Server certificate details:

[2016.01.15 11:18:43.241000][INFO ][sbus.exe            ][SSL         ][  2988]     Subject     :CN=Kiosk, O=*****, C=RU

[2016.01.15 11:18:43.241000][INFO ][sbus.exe            ][SSL         ][  2988]     Issuer      :CN=*****Intermediate CA, DC=*****, DC=local

[2016.01.15 11:18:43.241000][INFO ][sbus.exe            ][SSL         ][  2988]     Serial number:0x3bd1d4f700000001522e

[2016.01.15 11:18:43.241000][INFO ][sbus.exe            ][SSL         ][  2988] Server CA certificate details:

[2016.01.15 11:18:43.241000][INFO ][sbus.exe            ][SSL         ][  2988]     Subject     :CN=***** Intermediate CA, DC=*****, DC=local

[2016.01.15 11:18:43.241000][INFO ][sbus.exe            ][SSL         ][  2988]     Issuer      :CN=*****Root CA, O=*****, C=RU

[2016.01.15 11:18:43.241000][INFO ][sbus.exe            ][SSL         ][  2988]     Serial number:0x61599eee000000000002

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][IO          ][  2988] BEGIN: io_file_type (C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\etc\ocsp.xml)

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][IO          ][  2988] END  : io_file_type

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][LOADER      ][  2988] Loading config file 'ocsp.xml' failed because file not existing in path 'C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\etc\ocsp.xml'

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][IO          ][  2988] BEGIN: io_file_type (C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\etc\pkix.xml)

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][IO          ][  2988] END  : io_file_type

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][LOADER      ][  2988] Loading config file 'pkix.xml' failed because file not existing in path 'C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\etc\pkix.xml'

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][IO          ][  2988] BEGIN: io_file_type (C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\etc\base.xml)

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][IO          ][  2988] END  : io_file_type

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][LOADER      ][  2988] Loading config file 'base.xml' failed because file not existing in path 'C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\etc\base.xml'

[2016.01.15 11:18:43.241000][TRACE][sbus.exe            ][IO          ][  2988] BEGIN: io_file_type (C:\Users\*****-kiosk01\AppData\Local\sec)

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][IO          ][  2988] END  : io_file_type

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][IO          ][  2988] BEGIN: sec_io_statFile (C:\Users\*****-kiosk01\AppData\Local\sec\pse_verify_cache.upd)

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][IO          ][  2988] END  : sec_io_statFile

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][PKIX        ][  2988] Resetting verification cache (memory)

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { SBUSPSE::isInTrustedCerts

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { SBUSPSE::needRealPSE

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][sbus.dll    ][  2988] } 80004001

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { CTrust::isInTrustedCerts

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { CTrust::Refresh

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][sbus.dll    ][  2988] { CTrust::InitProviders

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][sbus.dll    ][  2988] }        1

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][sbus.dll    ][  2988] }        1

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][sbus.dll    ][  2988] }        1

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][sbus.dll    ][  2988] }        1

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988] Certificate verification result:

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]   Certificate:

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]       Subject     :CN=Kiosk, O=*****, C=RU

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]       Issuer      :CN=****** Intermediate CA, DC=*****, DC=local

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]       Serial number:0x3bd1d4f700000001522e

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]       Validity:

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]         Not before  :Thu Jan 14 13:39:19 2016

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]         Not after   :Sat Jan 13 13:39:19 2018

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]       Key:

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]         Key type    :rsaEncryption (1.2.840.113549.1.1.1)

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]         Key size    :2048

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]       PK_Fingerprint_MD5:5B7C C594 4D5B 2886 845E FD9C 0B50 781F

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]     Fingerprint_MD5:2A:9A:0F:FE:89:AF:AF:6E:67:4C:E6:9F:D2:8B:64:FE

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]     Fingerprint_SHA1:031F E0F9 41A5 0A15 7E07 BC02 0E4C 56D1 A743 640D

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]   Verification result:

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]     Status      :Successful

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]     Profile     :1.3.6.1.4.1.694.2.2.2.2

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]     DirectlyTrusted:Successful

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Connect:ssl_verify_peer_certificates Certificate verification returned  Certificate trusted

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_server_certificate returning 0. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_record returning 0. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_finish_mac returning 0. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_finish_mac returning 0. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_message returning 0. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_key_exchange returning 0. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_message returning 0. OK

[2016.01.15 11:18:43.257000][INFO ][sbus.exe            ][SSL         ][  2988] Checking for CertificateRequest message

[2016.01.15 11:18:43.257000][INFO ][sbus.exe            ][SSL         ][  2988] Message type == ServerHelloDone; no client authentication requested

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_certificate_request returning 0. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_message returning 0. OK

[2016.01.15 11:18:43.257000][INFO ][sbus.exe            ][SSL         ][  2988] Received ServerHelloDone message

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_server_done returning 0. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Initiate:ssl3_send_client_key_exchange uses servers encryption key

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][BASE/RANDOM ][  2988] Get 48 bytes random data

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_create_cipher_state_and_key_exchange_def returning 0. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_write_pending returning 262. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_finish_mac returning 0. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_write_bytes returning 262. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_do_write returning 1. OK

[2016.01.15 11:18:43.257000][INFO ][sbus.exe            ][SSL         ][  2988] Sending ChangeCipherSpec message.

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_write_pending returning 1. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_write_bytes returning 1. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_do_write returning 1. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_change_cipher_state returning 0. OK

[2016.01.15 11:18:43.257000][INFO ][sbus.exe            ][SSL         ][  2988] Sending "Finished" message.

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_write_pending returning 16. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_finish_mac returning 0. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_write_bytes returning 16. OK

[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_do_write returning 1. OK

[2016.01.15 11:18:43.303000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_record returning 0. OK

[2016.01.15 11:18:43.303000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_change_cipher_state returning 0. OK

[2016.01.15 11:18:43.303000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_record returning 0. OK

[2016.01.15 11:18:43.303000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_finish_mac returning 0. OK

[2016.01.15 11:18:43.303000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_finish_mac returning 0. OK

[2016.01.15 11:18:43.303000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_message returning 0. OK

[2016.01.15 11:18:43.303000][INFO ][sbus.exe            ][SSL         ][  2988] Received message of type "Finished". Peer has completed sending of handshake messages.

[2016.01.15 11:18:43.303000][INFO ][sbus.exe            ][SSL         ][  2988] SSL3 client: handshake successful with this server: CN=Kiosk, O=********, C=RU

[2016.01.15 11:18:43.303000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_write_pending returning 448. OK

[2016.01.15 11:18:43.303000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_write_bytes returning 448. OK

[2016.01.15 11:18:43.303000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_write_ex returning 448. OK

[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_record returning 0. OK

[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_read successfully returns 512.

[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_read successfully returns 31.

[2016.01.15 11:18:43.445000][INFO ][sbus.exe            ][SSL         ][  2988] Sending alert of level WARNING: close notify

[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_write_pending returning 2. OK

[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_dispatch_alert returning 2. OK

[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_shutdown returning 0. OK

[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][sbusslogin.d][  2988] }        0

[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][sbusslogin.d][  2988] JSON Response: {"text":"Аутентификация пользователя не выполнена","status":"ACM_ACCESS_DENIED","config":{"keysize":2048},"view":"Auth","type":"2"}

[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][sbusslogin.d][  2988] } 80070005

[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][sbus.dll    ][  2988] Переданные регистрационные данные не приняты сервером.Enrollment failed

[2016.01.15 11:18:47.828000][TRACE][sbus.exe            ][sbus.dll    ][  2988] silent authentication failed -> abort

[2016.01.15 11:18:47.828000][TRACE][sbus.exe            ][sbusslogin.d][  2988] { CSecureLogin_Protocol_2_0::Send_DeleteSession

[2016.01.15 11:18:47.828000][TRACE][sbus.exe            ][sbusslogin.d][  2988] }        0

[2016.01.15 11:18:47.828000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_read_n returning error code 0xffffffff

[2016.01.15 11:18:47.828000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_get_record returning error code 0xffffffff

[2016.01.15 11:18:47.828000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_shutdown returning 0. OK

[2016.01.15 11:18:47.828000][INFO ][sbus.exe            ][SSL         ][  2988] SSL session released.

[2016.01.15 11:18:47.828000][TRACE][sbus.exe            ][SSL         ][  2988] Function ssl3_free successfully returns (void type).

[2016.01.15 11:18:47.828000][TRACE][sbus.exe            ][URL/H_URL_CT][  2988] No more external refs to url_ssl_factory.

[2016.01.15 11:18:47.828000][TRACE][sbus.exe            ][PKIX        ][  2988] Cache: requests:1, returned:0, used:0

[2016.01.15 11:18:47.828000][TRACE][sbus.exe            ][URL/H_URL_CT][  2988] url_ssl_factory: destroy

[2016.01.15 11:22:45.360000][TRACE][sbus.exe            ][sbus.dll    ][  5324] CPCSCMonitor::ReaderEvent(00000100, "HID OMNIKEY 5127 CK CL 0")

[2016.01.15 11:22:45.360000][TRACE][sbus.exe            ][sbus.dll    ][  5788] CToken:: Secure Login token [toksw:mem://securelogin/SLSAuth] :: logout
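A small triage script for the Secure Login Client trace above, added here as an example; it is not part of the post and not SAP tooling. It parses the `[timestamp][LEVEL][process][component][thread] message` shape of the lines, pulls out the TLS handshake facts and the Secure Login Server's JSON answer, and reports at which stage the enrollment failed; the embedded excerpt is constructed from lines of the trace in the post, with its masked values kept.

```python
import json
import re

# Every line of the Secure Login Client trace quoted above has the shape
#   [timestamp][LEVEL][process][component][thread] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[^\]]+)\]\[(?P<proc>[^\]]+)\]"
    r"\[(?P<comp>[^\]]+)\]\[\s*(?P<thread>\d+)\]\s?(?P<msg>.*)$"
)

# Windows HRESULT values seen in the trace, with their standard names.
HRESULT_NAMES = {"80070005": "E_ACCESSDENIED", "80004001": "E_NOTIMPL"}

# Legacy algorithms worth flagging when the client offers them.
WEAK_SUITE_MARKERS = ("RC4", "3DES", "MD5", "NULL", "EXPORT")

# Constructed excerpt: lines copied from the trace in the post, masked values kept.
SAMPLE_TRACE = """\
[2016.01.15 11:18:43.179000][INFO ][sbus.exe            ][sbusslogin.d][  2988] Try to enroll SLS URL: https://sapsls. *****.local:50001/SecureLoginServer/slc2/doLogin?profile=28704b4a-579d-42fd-9e13-25b4e189f27f
[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] ClientHello.cipher_suites<0> : TLS_RSA_WITH_AES128_GCM_SHA256
[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] ClientHello.cipher_suites<5> : TLS_RSA_WITH_RC4_128_SHA
[2016.01.15 11:18:43.225000][TRACE][sbus.exe            ][SSL         ][  2988] ClientHello.cipher_suites<6> : TLS_RSA_WITH_RC4_128_MD5
[2016.01.15 11:18:43.241000][INFO ][sbus.exe            ][SSL         ][  2988] Used protocol version: TLSv1.2
[2016.01.15 11:18:43.241000][INFO ][sbus.exe            ][SSL         ][  2988] ServerHello.cipher_suite: TLS_RSA_WITH_AES128_CBC_SHA
[2016.01.15 11:18:43.257000][TRACE][sbus.exe            ][VERIFY      ][  2988]     Status      :Successful
[2016.01.15 11:18:43.257000][INFO ][sbus.exe            ][SSL         ][  2988] Message type == ServerHelloDone; no client authentication requested
[2016.01.15 11:18:43.303000][INFO ][sbus.exe            ][SSL         ][  2988] SSL3 client: handshake successful with this server: CN=Kiosk, O=********, C=RU
[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][sbusslogin.d][  2988] JSON Response: {"text":"Аутентификация пользователя не выполнена","status":"ACM_ACCESS_DENIED","config":{"keysize":2048},"view":"Auth","type":"2"}
[2016.01.15 11:18:43.445000][TRACE][sbus.exe            ][sbusslogin.d][  2988] } 80070005
[2016.01.15 11:18:47.828000][TRACE][sbus.exe            ][sbus.dll    ][  2988] silent authentication failed -> abort
"""


def parse_trace(text):
    """Split a trace into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def summarize_enrollment(text):
    """Reduce one SLS enrollment attempt to the facts that show where it failed."""
    s = {"sls_url": None, "tls_version": None, "cipher_suite": None,
         "server_subject": None, "server_cert_verified": False,
         "client_cert_requested": None, "weak_suites_offered": [],
         "sls_status": None, "sls_text": None, "hresult": None,
         "silent_auth_aborted": False}
    for e in parse_trace(text):
        msg, comp = e["msg"], e["comp"].strip()
        if msg.startswith("Try to enroll SLS URL: "):
            s["sls_url"] = msg.split(": ", 1)[1]
        elif msg.startswith("Used protocol version: "):
            s["tls_version"] = msg.split(": ", 1)[1]
        elif msg.startswith("ClientHello.cipher_suites<"):
            suite = msg.split(":", 1)[1].strip()
            if any(k in suite for k in WEAK_SUITE_MARKERS):
                s["weak_suites_offered"].append(suite)
        elif msg.startswith("ServerHello.cipher_suite: "):
            s["cipher_suite"] = msg.split(": ", 1)[1]
        elif "handshake successful with this server: " in msg:
            s["server_subject"] = msg.split("server: ", 1)[1]
        elif comp == "VERIFY" and msg.strip().startswith("Status"):
            s["server_cert_verified"] = msg.split(":", 1)[1].strip() == "Successful"
        elif msg.startswith("Message type == ServerHelloDone"):
            # The server skipped CertificateRequest: no client certificate was used.
            s["client_cert_requested"] = "no client authentication" not in msg
        elif msg.startswith("JSON Response: "):
            try:
                body = json.loads(msg[len("JSON Response: "):])
            except ValueError:
                continue
            s["sls_status"], s["sls_text"] = body.get("status"), body.get("text")
        elif comp == "sbusslogin.d" and msg.startswith("} "):
            # Closing brace lines carry the HRESULT of the call that just returned.
            code = msg[2:].strip()
            if re.fullmatch(r"[0-9a-fA-F]{8}", code):
                s["hresult"] = code
        elif msg.startswith("silent authentication failed"):
            s["silent_auth_aborted"] = True
    return s


def findings(s):
    """Turn the summary into the points a reviewer of this trace would raise."""
    out = []
    if s["sls_status"] == "ACM_ACCESS_DENIED":
        out.append("TLS handshake completed, but the Secure Login Server answered "
                   "ACM_ACCESS_DENIED (%s): the failure is at the authentication "
                   "step, not at transport level"
                   % HRESULT_NAMES.get(s["hresult"], s["hresult"]))
    if s["client_cert_requested"] is False:
        out.append("server sent no CertificateRequest, so no client certificate "
                   "was presented in the handshake")
    if s["weak_suites_offered"]:
        out.append("client offered legacy cipher suites: "
                   + ", ".join(s["weak_suites_offered"]))
    if not s["server_cert_verified"]:
        out.append("server certificate did not verify against the client trust store")
    return out
```

Run it over a full trace file with `summarize_enrollment(open(path, encoding="utf-8").read())` and print `findings(...)`; the three findings it produces for the excerpt are the ones a reader of the post would want checked first.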

Licensing of SPNego SSO for SAP NetWeaver Portal

Dear Colleagues,

Right now we are solving a situation with the licensing of SPNego SSO for SAP NetWeaver Portal (SAP AS Java).

For many years our customers, and basically most of the customers on the Czech market with SAP Portal, have been using SPNego SSO to SAP Portal.

It's described for example here: http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=72940

The important information is that this functionality was always free, included in the SAP Portal license, with no additional license cost.

Now with the launch of SAP Single Sign-On it seems to me that this functionality is part of the license?

7017299

SAP Single Sign-On

Am I right?

What are you advising to tell customers?

They have been using some functionality for years, for free, and it's not possible to explain to them that functionality which they already have and which was free is now licensed...

I hope that I am wrong and SPNego for SAP Portal is still free and is not part of the SAP Portal/Java license.

To make it clear, I am talking only about SPNego for Portal/Java, not SPNego for ABAP/GUI.

Thanx a lot for any help, information and explanation

Regards

Ondrej

SAP Single Sign-On 1.0 in AIX HACMP (Cluster) Environment

I would need to know the recommended way to configure SAP Single Sign-On in a clustered environment. If the SNC configuration from the Primary Cluster Node is used on the Secondary Cluster Node, it is not possible to start the SAP system; it returns the following error:

N The internal Adapter for the loaded GSS-API mechanism identifies as:

N Internal SNC-Adapter (Rev 1.1) to SAP Netweaver Single Sign-On v1.x

N SncInit(): found: snc/identity/as=p:CN=SAPServiceBW1@SKANSKA.ORG

N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1459]

N GSS-API(maj): No credentials were supplied

N Couldn't acquire ACCEPTING credentials for

N

N name="p:CN=SAPServicePRD@DOMAIN.TLD"

N FATAL SNCERR -- Accepting Credentials: "sapsso" (0x0003) not available!

N (debug hint: default acceptor = "p:CN=DummyCredential")

N <<- SncInit()==SNCERR_GSSAPI

N sec_avail = "false"

It seems that at least the file pse.zip is bound to the hardware/hostname. How can such a situation be remedied? Do you recommend creating two independent configurations (sec directories) that are used (e.g. via a symbolic link) on a particular cluster node when the SAP service is active on it? Or is it possible to use just one SNC configuration (pse.zip file), and if so, how can such a configuration be created in that case?

SSO to MS Office365 Outlook Web Access using SAP as IdP

Is it possible with SAP SSO 2 to set up a scenario where a SAP Portal user can access his MS Office365 Outlook Web Access with SSO?

In this case SAP is the IdP and MS Office365 is the SP. Reading the documentation, SAP SSO can be federated to ADFS based on SAML 2.0, but I cannot see SAP in the list of third-party identity providers that can be used to implement single sign-on (https://msdn.microsoft.com/en-us/library/azure/jj679342.aspx).

Currently we have a kiosk scenario where SAP Portal users can access their MS OWA 2010 with SSO using an ISAPI filter, but now we are planning to move to MS Office365 and we wonder if SAP SSO 2 could help.
