Symptom
Error 'Connection Failed: The test of the HANA SSO ticket used to log
onto the HANA DB has failed due to: [10]: invalid username or password:
. (FWM 02133)' display while test the SAML SSO authentication to
HANA from CMC
Environment
- SAP BusinessObjects BI Platform 4.1
- SAP HANA database
Reproducing the Issue
- Finish configure the SAML SSO from BI to HANA. (With OpenSSL)
- Login CMC page.
- Double click Applications and then double click HANA Authentication.
- Double click on the entry that you would like to make the test.
- Fill the correct user and click Test Connection button.
- The error 'Connection Failed: The test of the HANA SSO ticket used to log onto the HANA DB has failed due to: [10]: invalid username or password: . (FWM 02133)' display
This is a very generic error that we will see while the SAML SSO was not correctly configured, in most cases, it's not really that the username or password is incorrect. The HANA SSO
will never success if such error present while test the connection from here.
Cause
After enable the index server trace from HANA, below errors were found from the trace.
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420605 d Authentication x509vfy.cc(00091) : Invalid SSL configuration: $ErrorText$
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420608 w Authentication x509vfy.cc(00092) : Unable to initialize trust store
Exit int xmlSecHDBX509StoreInitialize(xmlSecKeyDataStorePtr)(157usec)
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420618 d Authentication SAMLAuthenticator.cpp(00235) : ERROR in libxmlsec
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420620 d Authentication SAMLAuthenticator.cpp(00236) : file: keysdata.c
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420621 d Authentication SAMLAuthenticator.cpp(00237) : line: 1330
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420623 d Authentication SAMLAuthenticator.cpp(00238) : func: xmlSecKeyDataStoreCreate
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420625 d Authentication SAMLAuthenticator.cpp(00239) : errorObject: x509-store
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420626 d Authentication SAMLAuthenticator.cpp(00240) : errorSubject: id->initialize
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420627 d Authentication SAMLAuthenticator.cpp(00241) : reason: 1
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420628 d Authentication SAMLAuthenticator.cpp(00242) : msg:
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420630 a Authentication x509vfy.cc(00120) : Enter void xmlSecHDBX509StoreFinalize(xmlSecKeyDataStorePtr)
Exit void xmlSecHDBX509StoreFinalize(xmlSecKeyDataStorePtr)(1usec)
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420633 d Authentication SAMLAuthenticator.cpp(00235) : ERROR in libxmlsec
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420634 d Authentication SAMLAuthenticator.cpp(00236) : file: /HDB/IMP/NewDB100_REL/src/sys/src/Authentication/extern/libxmlsec/xmlsec_hdb/impl/crypto.cc
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420636 d Authentication SAMLAuthenticator.cpp(00237) : line: 298
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420637 d Authentication SAMLAuthenticator.cpp(00238) : func: xmlSecHDBKeysMngrInit
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420638 d Authentication SAMLAuthenticator.cpp(00239) : errorObject:
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420639 d Authentication SAMLAuthenticator.cpp(00240) : errorSubject: xmlSecKeyDataStoreCreate
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420640 d Authentication SAMLAuthenticator.cpp(00241) : reason: 1
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420640 d Authentication SAMLAuthenticator.cpp(00242) : msg: xmlSecHDBX509StoreId
Exit int xmlSecHDBKeysMngrInit(xmlSecKeysMngrPtr)(190usec)
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420643 d Authentication SAMLAuthenticator.cpp(00235) : ERROR in libxmlsec
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420644 d Authentication SAMLAuthenticator.cpp(00236) : file: /HDB/IMP/NewDB100_REL/src/sys/src/Authentication/extern/libxmlsec/xmlsec_hdb/impl/app.cc
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420645 d Authentication SAMLAuthenticator.cpp(00237) : line: 340
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420646 d Authentication SAMLAuthenticator.cpp(00238) : func: xmlSecHDBAppKeysMngrInitWithCertificateStore
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420647 d Authentication SAMLAuthenticator.cpp(00239) : errorObject:
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420648 d Authentication SAMLAuthenticator.cpp(00240) : errorSubject: xmlSecHDBKeysMngrInit
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420649 d Authentication SAMLAuthenticator.cpp(00241) : reason: 1
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420650 d Authentication SAMLAuthenticator.cpp(00242) : msg:
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420651 d Authentication SAMLAuthenticator.cpp(00602) : Unable to initialize key manager
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420712 i Authentication SAMLAuthenticator.cpp(00387) : Initialization of crypto engine failed
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420727 d Authentication ManagerAcceptor.cpp(00275) : Injecting logon name into method:
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420778 i Authentication SAPLogonManager.cpp(00332) : SAPLogon/SAPAssertion authentication failed with return value: 1281
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420782 i Authentication MethodSAPLogon.cpp(00252) : unsuccessful login attempt with SAPLogon/SAPAssertion ticket!
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420791 d Authentication ManagerAcceptor.cpp(00275) : Injecting logon name into method:
[38981]{-1}[41/-1] 2014-11-01 03:44:26.421815 d Authentication Connection.cc(04034) : [PRE AUTHENTICATION] logon name:
[38981]{-1}[41/-1] 2014-11-01 03:44:26.421830 d Authentication Connection.cc(04101) : [POST AUTHENTICATION] logon name:
[38978]{-1}[-1/-1] 2014-11-01 03:44:30.066167 d Authentication ManagerAcceptor.cpp(00039) : Prepare authentication: adding available methods
[38978]{-1}[-1/-1] 2014-11-01 03:44:30.066185 d Authentication Manager.cpp(00202) : getMechs: provided mechanism=SPNEGO
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420605 d Authentication x509vfy.cc(00091) : Invalid SSL configuration: $ErrorText$
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420608 w Authentication x509vfy.cc(00092) : Unable to initialize trust store
Exit int xmlSecHDBX509StoreInitialize(xmlSecKeyDataStorePtr)(157usec)
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420618 d Authentication SAMLAuthenticator.cpp(00235) : ERROR in libxmlsec
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420620 d Authentication SAMLAuthenticator.cpp(00236) : file: keysdata.c
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420621 d Authentication SAMLAuthenticator.cpp(00237) : line: 1330
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420623 d Authentication SAMLAuthenticator.cpp(00238) : func: xmlSecKeyDataStoreCreate
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420625 d Authentication SAMLAuthenticator.cpp(00239) : errorObject: x509-store
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420626 d Authentication SAMLAuthenticator.cpp(00240) : errorSubject: id->initialize
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420627 d Authentication SAMLAuthenticator.cpp(00241) : reason: 1
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420628 d Authentication SAMLAuthenticator.cpp(00242) : msg:
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420630 a Authentication x509vfy.cc(00120) : Enter void xmlSecHDBX509StoreFinalize(xmlSecKeyDataStorePtr)
Exit void xmlSecHDBX509StoreFinalize(xmlSecKeyDataStorePtr)(1usec)
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420633 d Authentication SAMLAuthenticator.cpp(00235) : ERROR in libxmlsec
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420634 d Authentication SAMLAuthenticator.cpp(00236) : file: /HDB/IMP/NewDB100_REL/src/sys/src/Authentication/extern/libxmlsec/xmlsec_hdb/impl/crypto.cc
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420636 d Authentication SAMLAuthenticator.cpp(00237) : line: 298
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420637 d Authentication SAMLAuthenticator.cpp(00238) : func: xmlSecHDBKeysMngrInit
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420638 d Authentication SAMLAuthenticator.cpp(00239) : errorObject:
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420639 d Authentication SAMLAuthenticator.cpp(00240) : errorSubject: xmlSecKeyDataStoreCreate
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420640 d Authentication SAMLAuthenticator.cpp(00241) : reason: 1
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420640 d Authentication SAMLAuthenticator.cpp(00242) : msg: xmlSecHDBX509StoreId
Exit int xmlSecHDBKeysMngrInit(xmlSecKeysMngrPtr)(190usec)
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420643 d Authentication SAMLAuthenticator.cpp(00235) : ERROR in libxmlsec
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420644 d Authentication SAMLAuthenticator.cpp(00236) : file: /HDB/IMP/NewDB100_REL/src/sys/src/Authentication/extern/libxmlsec/xmlsec_hdb/impl/app.cc
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420645 d Authentication SAMLAuthenticator.cpp(00237) : line: 340
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420646 d Authentication SAMLAuthenticator.cpp(00238) : func: xmlSecHDBAppKeysMngrInitWithCertificateStore
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420647 d Authentication SAMLAuthenticator.cpp(00239) : errorObject:
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420648 d Authentication SAMLAuthenticator.cpp(00240) : errorSubject: xmlSecHDBKeysMngrInit
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420649 d Authentication SAMLAuthenticator.cpp(00241) : reason: 1
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420650 d Authentication SAMLAuthenticator.cpp(00242) : msg:
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420651 d Authentication SAMLAuthenticator.cpp(00602) : Unable to initialize key manager
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420712 i Authentication SAMLAuthenticator.cpp(00387) : Initialization of crypto engine failed
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420727 d Authentication ManagerAcceptor.cpp(00275) : Injecting logon name into method:
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420778 i Authentication SAPLogonManager.cpp(00332) : SAPLogon/SAPAssertion authentication failed with return value: 1281
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420782 i Authentication MethodSAPLogon.cpp(00252) : unsuccessful login attempt with SAPLogon/SAPAssertion ticket!
[38981]{-1}[-1/-1] 2014-11-01 03:44:26.420791 d Authentication ManagerAcceptor.cpp(00275) : Injecting logon name into method:
[38981]{-1}[41/-1] 2014-11-01 03:44:26.421815 d Authentication Connection.cc(04034) : [PRE AUTHENTICATION] logon name:
[38981]{-1}[41/-1] 2014-11-01 03:44:26.421830 d Authentication Connection.cc(04101) : [POST AUTHENTICATION] logon name:
[38978]{-1}[-1/-1] 2014-11-01 03:44:30.066167 d Authentication ManagerAcceptor.cpp(00039) : Prepare authentication: adding available methods
[38978]{-1}[-1/-1] 2014-11-01 03:44:30.066185 d Authentication Manager.cpp(00202) : getMechs: provided mechanism=SPNEGO
Resolution
While configuring the SMAL SSO, one of the prerequisite is to
configure SSL for HANA. For this case OpenSSL library was used and the
problem is due to the SSL not properly configured for HANA.
After checking the configuration of SSL, identified the issue was due to the parameters sslCryptoProvider, sslKeyStore and sslTrustStore are not properly configured.
The values for ssltruststore and sslkeystore are depends on where you store the pem files, and the value for sslcryptoprovider is depends which SSL library is used,
HANA server supports CommonCryptoLib, OpenSSL and SAP Cryptographic Library. After the values for those parameters were correctly set, the trust.pem and key.pem
files need to be re-generated.
After checking the configuration of SSL, identified the issue was due to the parameters sslCryptoProvider, sslKeyStore and sslTrustStore are not properly configured.
- Open the SAP HANA Studio.
- Right click on the system that you would like to check the configuration.
- Select Configuration and Monitoring and then click Open Administration.
- Switch to Configuration tab to check the configuration.
- Double click on the blank below the System column to change the configuration.
The values for ssltruststore and sslkeystore are depends on where you store the pem files, and the value for sslcryptoprovider is depends which SSL library is used,
HANA server supports CommonCryptoLib, OpenSSL and SAP Cryptographic Library. After the values for those parameters were correctly set, the trust.pem and key.pem
files need to be re-generated.
Keywords
hana, smal sso, hana sso, ssl, openssl, bi sso to hana, 4.1, bi 4.1,
hana sso ticket, invalid user name or password, FWM 02133, Invalid SSL
configuration, $ErrorText$, Invalid SSL configuration: $ErrorText$,
sslCryptoProvider, sslKeyStore, sslTrustStore, ERROR in libxmlsec,
Unable to initialize trust store, libxmlsec, unsuccessful login attempt
with SAPLogon/SAPAssertion ticket, idt, idt hana sso, sso connection
Header Data
| Released On | 28.01.2015 03:52:23 | ||
| Release Status | Released to Customer | ||
| Component | BI-BIP-AUT Authentication, ActiveDirectory, LDAP, SSO, Vintela | ||
| Other Components |
| ||
| Priority | Normal | ||
| Category | Problem |
No comments:
Post a Comment