Collective corrections: Logon 2/2007
Symptom
1. Mapping entries that were created using the program RSUSREXT or RSUSREXTID are invalid.
2. Mapping entries for X.509 user certificates could be created (using transaction EXTID_DN or SM30 (for view VUSREXTID, type DN)) only without specifying the issuer.
3. The SOAP runtime reports the error “USER_RESTORE_FAILED” (message SOAP_SEQ_SCD_1:023) or “RBAM_USERINFO_RESTORE_ERROR” (runtime error, triggered by SPAF_RUNTIME_PROXY_CALL).
4. Users whose account should be valid only in the time period from 01/01/0001 to 01/01/0001 can still log on.
5. When you use the destination service (see Note 897583 or Note 910285) with the authentication methods “Assertion Ticket”, specifications for the intended recipient (system ID, client) are saved and they are not checked when they are received by an ABAP system.
Other terms
RSUSREXT, RSUSREXTID, USREXTID, USREXTIDH, RSEC_CALC_HASH_FOR_ISSUER, SUSR_GET_USREXTID_MAPPING_LIST, SUSR_GET_X509CERT_MAPPING_LIST,
CREATE_RFC_REENTRANCE_TICKET, RSR_BEX_LAUNCH, SUSR_CHECK_LOGON_DATA, TICKET_WRONG_RECIPIENT, SSFC_CERTIFICATE_EXPORT, SSFC_CERTIFICATE_IMPORT, SSFCERTENC, Aliasname_to_Username, CL_USERINFO_DATA_BINDING, PreserveUserInfoWithData, CheckX509CertIssuer, GetUsrExtId, create_AuthenticationAssertionTicket, message 00 147
Reason and Prerequisites
1. If the resulting mapping entry (subject) consists of more than 112 characters, the system determines an internal hash value. Before the system determines the hash value, the code page must be converted. Otherwise, invalid entries are created (provided that the current code page is not “1100”). The same applies for processing an issuer name that was an optional specification.
2. You cannot transfer X.509 certificates by uploading them to the server because this may automatically transfer all information that is relevant for mapping from the certificate. Only the assignment to a user must still be performed manually.
3. The methods of the class CL_USERINFO_DATA_BINDING (implemented in the kernel) determined the language in which the user logged onto the system instead of the current language. If the language is changed during a session, the incorrect language specifications are processed. This triggers the exception USERINFO_ALREADY_SET (class CX_USERINFO_DATA_BINDING).
4. The kernel incorrectly assesses the date 01.01.0001 as invalid and therefore disallows the account validity check.
5. Up to now, the kernel did not evaluate the specifications for the intended recipient that are contained in an assertion ticket. After you use the new kernel, these specifications are checked and the system issues an error telling you that the assertion ticket is not determined for this system.
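The effect described in point 1 can be reproduced with a small model. This is an added Python example, not SAP code: the hash function (SHA-1), the codecs standing in for code page 1100 and for a non-1100 session, the assumption that the logon-time lookup hashes the converted bytes, and all function names and sample DNs are assumptions made for illustration.

```python
import hashlib

MAX_PLAIN_LEN = 112           # threshold given in point 1 of the note
CANONICAL_CODEC = "latin-1"   # assumption: stands in for SAP code page 1100
UNICODE_CODEC = "utf-16-le"   # assumption: stands in for a non-1100 session code page


def mapping_key(subject: str, session_codec: str, convert_first: bool) -> str:
    """Key under which a subject (or issuer) name is stored and looked up."""
    if len(subject) <= MAX_PLAIN_LEN:
        return subject                      # short names are kept as plain text
    # The fix: convert to the canonical code page before hashing.
    codec = CANONICAL_CODEC if convert_first else session_codec
    # SHA-1 is an assumption; the note does not name the hash function.
    return hashlib.sha1(subject.encode(codec)).hexdigest().upper()


def create_entry(table: dict, subject: str, user: str, convert_first: bool) -> None:
    """Model of the mapping report writing one entry from a Unicode session."""
    table[mapping_key(subject, UNICODE_CODEC, convert_first)] = user


def resolve_user(table: dict, subject: str):
    """Model of the logon-time lookup, assumed to hash the converted bytes."""
    return table.get(mapping_key(subject, UNICODE_CODEC, convert_first=True))


# Constructed sample DNs; the first is longer than 112 characters.
LONG_DN = ("CN=Jörg Müller,OU=Identity and Access Management,"
           "OU=Corporate Information Technology,"
           "O=Example Manufacturing AG,L=Walldorf,C=DE")
SHORT_DN = "CN=Jörg Müller,O=Example AG,C=DE"


def demo() -> dict:
    """Create entries with and without conversion, then resolve them."""
    buggy, fixed = {}, {}
    for dn in (LONG_DN, SHORT_DN):
        create_entry(buggy, dn, "JMUELLER", convert_first=False)
        create_entry(fixed, dn, "JMUELLER", convert_first=True)
    return {
        "buggy_long": resolve_user(buggy, LONG_DN),    # hash mismatch, no user found
        "buggy_short": resolve_user(buggy, SHORT_DN),  # stored as plain text, found
        "fixed_long": resolve_user(fixed, LONG_DN),    # hashes agree, found
    }


if __name__ == "__main__":
    print(demo())
```

Only names above the 112-character threshold are affected in this model, which is why a mapping test that uses short subject names would not reveal the defect.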
Solution
Combined use of a new kernel and a Support Package:
NetWeaver 7.0 (SAP_BASIS 7.00): Support Package 14 and kernel 7.00 patch number 125 (correction of points 1 to 3 and point 5) or kernel 7.00 patch number 129 (point 4)
NetWeaver 7.1 (SAP_BASIS 7.00): Support Package Stack 4
New functions
In addition to the specified error corrections, the combined use of kernel corrections and ABAP corrections in SAP_BASIS 7.00 allows “Re-entrance tickets” to be issued. These “Re-entrance tickets” allow Single Sign-On when you call the BEx Analyzer from a Web application (using RSR_BEX_LAUNCH).