Skip to Content
Author's profile photo Mathias Essenpreis

Troubleshoot Certificate logon for ABAP Web Services

While calling a Web Service endpoint you get the error message “Logon failed (trace key xxxxxxx)”. Most probably you get this error because you did not map the PSE’s certificate that is used for authentication to a Sap user in the provider system. Here is a small how-to on how to create this mapping.


In SOAMANAGER you configured a certificate based authentication for your Web Service endpoint. In the SOAMANAGER Single Configuration this can either be

  • X.509 SSL Client Certificate as transport channel authentication or
  • X.509 Certificate as message authentication.

You also created a Logical Port out of the WSDL for this endpoint and you selected a signature PSE. 

Note: For Web Service endpoints with X.509 certificate authentication you have to create the logical port out of a WSDL with format “Policy”. This way the security settings are done automatically. SOAMANAGER will only ask you to supply the required credentials like in this case the signature certificate.

The manual creation does not support X.509 certificates.


Map the name of the certificate to a SAP user in the system.

  1. Logon to the provider system and start transaction STRUST. You will see a tree with all the PSEs of your system. The entries are divided by use case. Therefore there are PSEs for SSL, WS Security, SSF, …
  2. Select the WS Security PSE you’ve chosen for the logical port and double click on it. The right part of the screen now shows the Own Certificate and the Certificate List.
  3. Mark the name of the PSE’s certificate (behind the field labeled Owner) and copy this name to your clipboard (STRG+C).

One option to maintain the mapping is by using transaction EXTID_DN.

  1. Start transaction EXTID_DN. A table view maitenance screen appears with a list of certificate names and the corresponding SAP user names.
  2. In the button row click New Entries.A new screen appears where you can create the mapping.
  3. Click on the pen behind the field External ID. A new dialog window opens.
  4. Paste in (STRG+V) the certificate name you extracted out of transaction STRUST and confirm the popup.
  5. Enter the SAP user which should be logged on in field User.
  6. Check field Activated in order to make this mapping active.
  7. Save the mapping by using the save icon or by pressing (STRG+S).

 The X.509 certificate mapping is maintained now and the error should be gone.

Assigned Tags

      1 Comment
      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Thanks for sharing the blog. I know it  works great for individual user mapping but we have around 7000 users and we are looking this process automated. Whenever we get new user this mapping should happen with any manual efforts.

      What are the options we have in this case?

      Thanks again for your time in sharing this information.