SAP PI\PO Mail Adapter OAuth Troubleshooting Guide
This guide collects the most common issues encountered while setting up the OAuth 2.0 configuration in SAP PI\PO; details for each are given below.
1) If the refresh token displayed in the browser is 0.ALSKDHLAKSYOQEW…..alsdll, then add the value “0.ALSKDHLAKSYOQEW…..alsdll” (including the double quotes) in the channel.
Solution: In a multi-server environment, the OAuth tokens stored in the cache are not retrieved properly. This causes the scenario to fail at runtime (the error being: Refresh token has to be generated again).
Apply the patch from SAP Note 3169585. After it is applied, the value of the refresh token is displayed on the screen while it is generated (you can copy the token value). Additionally, a new “Additional Parameter” (shown in the screenshot below) is added for the mail sender channel with the name ‘IMail.refreshToken’; store the refresh token value in this parameter of the mail sender channel (make sure you include the double quotes around your token).
2) Key ID **************************************_Refresh already exists in database: com.sap.sql.exception.OpenSQLIntegrityConstraintViolationException: ORA-00001: unique constraint (UNKNOWN.obj#=*********) violated
OpenSQLExceptionCategories: [NON_TRANSIENT, INTEGRITY_CONSTRAINT_VIOLATION]
Solution: From SP24 onwards, once the refresh token has been generated successfully there is no need to generate it again; if you do, you will get an exception like the one above. The existing token remains available in the DB for its lifetime.
3) Can I enable StartTLS for OAuth scenarios?
Solution: For an OAuth scenario the StartTLS parameter must be disabled. If you enable both OAuth and StartTLS together, you will get an exception reporting a connection error.
4) “Peer Certificate error” while generating the refresh token
Solution: If you face an error like “Peer Certificate error” while generating the refresh token, follow these steps:
- Download the following certificates from the Microsoft site:
  - BaltimoreCyberTrustRoot.crt
  - DigiCertGlobalCAG2 (1).crt
  - DigiCertGlobalRootCA.crt
  - stamp2.login.microsoftonline.com.crt
- Import all the certificates one by one under the Trusted CAs view (in the NWA page) with the X509 category. You can see them in the browser's site information view.
- Try generating the refresh token again; it should now succeed.
5) Unable to find the trace location in XPI trace, for example com.sap.aii.af.sdk.xi.util.MailOAuthUtil
Solution: See SAP Note 1761446 – Creating custom trace locations for 7.10/7.11/7.30 system
6) Can the redirect URI scheme be http?
Solution: The redirect URI scheme must be https; as far as I know, http is accepted only for localhost.
7) Error: RefreshToken has to be generated again.
Solution: Apply the patch from SAP Note 3169585. After it is applied, the value of the refresh token is displayed on the screen while it is generated (you can copy the token value). Additionally, a new “Additional Parameter” (shown in the screenshot below) is added for the mail sender channel with the name ‘IMail.refreshToken’; store the refresh token value in this parameter of the mail sender channel.
8) PI\PO OAuth logs with XPI Inspector
Solution: Add the following trace locations in XPI Inspector.
Refresh token generation issue:
- com.sap.aii.af.sdk.xi.util.MailOAuthUtil
- com.sap.aii.adapter.soap.web.MessageServlet
For all Mail Adapter OAuth issues:
- com.sap.aii.adapter.mail
- com.sap.aii.af.sdk.xi.net
- com.sap.aii.af.sdk.xi.srt
9) Exception: able to connect to the mailbox via OAuth, but after a few hours we started to get this error:
Solution: If you are in a multi-server node environment: from SP24 onwards, once the refresh token has been generated successfully there is no need to generate it again; if you do, you will get an exception. The existing token remains available for its lifetime.
10) Exception caught during processing mail message; java.io.IOException: Reason : :”AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: …..\r\nCorrelation ID: XXXX\r\nTimestamp: …….”
Solution: If you are providing the refresh token as an additional parameter in the channel, make sure you include the double quotes around your token.
11) Authentication Unsuccessful \ Connection timeout \ Failed to call the endpoint [null “null”]; nested exception caused by
Solution: Check with your network team to get the logs for the user; the issue is most likely port 587 being blocked, or a firewall in the organisation blocking the connection.
12) Changing the client ID in the channel
Exception caught during processing mail message; java.io.IOException: Reason : :”AADSTS700016: Application with identifier ’73dd’ was not found in the directory ‘company’. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: cfd00\r\nCorrelation ID: ea4134c85\r\nTimestamp: 2022-12-08 16:18:40Z”
Solution: The client ID is one of the prerequisite parameters for generating the refresh token; if you change it, the request is redirected to a different address. You have to generate the token again with the new ID.
13) A3 BAD USER IS AUTHENTICATED BUT NOT CONNECTED.
Solution:
1) Clear the browser cache and try again, or use a new incognito window.
2) Configuration tasks in Azure Active Directory: the user must have the required roles. Check the required roles for the user with your Azure team.
14) Refresh token generation in different SPs:
- (SP16 to SP23, single server node) You can generate the refresh token and it is saved in the cache for 90 days; after a system\instance restart you have to generate it again.
- (SP16 to SP23, multi-server node) In a multi-server environment the OAuth tokens stored in the cache are not retrieved properly, which causes the scenario to fail at runtime. Apply the patch from SAP Note 3169585. Additionally, a new “Additional Parameter” named ‘IMail.refreshToken’ is added for the mail sender channel; store the refresh token value in this parameter of the mail sender channel.
- From SP24 onwards (SAP Note 3165141), the refresh token is generated and saved in a DB table, so there is no need to regenerate it after a system\instance restart.
Note: The refresh token expires after 90 days (by default).
15) New message servlet for OAuth from SP28 onwards.
SAP Note 3321222 – New Servlet for token generation in PI Mail adapter
From SP28 onwards the URL has been changed (by code changes) to the one below; older SPs do not need to implement these changes. The new URL is:
“http://<host>:<port>/XIMAILAdapter/MailOAuthServlet?channel=<Channel-Name>&party=<Party-Name>&service=<Service-Name>”
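As an added example (not from the original post and not SAP code), the checks from items 1, 3, 6, 10 and 15 collected into one small pre-flight script that can be run against a channel description before generating the token. The channel is modelled as a plain dict; apart from IMail.refreshToken the keys are assumed names, and the host, port and channel names are constructed samples.

```python
"""Pre-flight checks for an SAP PI/PO mail sender channel that uses OAuth 2.0.
Hypothetical helper written for this guide, not SAP code; apart from
IMail.refreshToken the channel dict keys are assumed names, not SAP parameters."""
from urllib.parse import urlencode, urlparse

def check_refresh_token_param(value):
    """Items 1 and 10: IMail.refreshToken must keep its surrounding double quotes."""
    v = value.strip()
    if len(v) < 2 or not (v.startswith('"') and v.endswith('"')):
        return ['IMail.refreshToken must be wrapped in double quotes, e.g. "0.ABC...xyz"']
    return []

def check_starttls(use_oauth, starttls):
    """Item 3: OAuth and StartTLS enabled together lead to a connection error."""
    return ["Disable StartTLS when OAuth is enabled"] if use_oauth and starttls else []

def check_redirect_uri(uri):
    """Item 6: redirect URI scheme must be https; http is tolerated only for localhost."""
    parts = urlparse(uri)
    if parts.scheme == "https" or (parts.scheme == "http" and parts.hostname == "localhost"):
        return []
    return [f"Redirect URI {uri!r} must use https (http only for localhost)"]

def token_servlet_url(host, port, channel, party, service):
    """Item 15: SP28+ token generation URL, with the query values URL-encoded."""
    query = urlencode({"channel": channel, "party": party, "service": service})
    return f"http://{host}:{port}/XIMAILAdapter/MailOAuthServlet?{query}"

def preflight(channel):
    """Run every check over one channel dict and return the list of findings."""
    findings = []
    findings += check_refresh_token_param(channel.get("IMail.refreshToken", ""))
    findings += check_starttls(channel.get("oauth", False), channel.get("starttls", False))
    findings += check_redirect_uri(channel.get("redirect_uri", ""))
    return findings

# Constructed sample: a channel with all three of the guide's mistakes at once.
BAD_CHANNEL = {
    "IMail.refreshToken": "0.ALSKDHLAKSYOQEW.alsdll",    # quotes missing (items 1, 10)
    "oauth": True,
    "starttls": True,                                  # must be off with OAuth (item 3)
    "redirect_uri": "http://pi.example.com/callback",  # http on a non-localhost host (item 6)
}

if __name__ == "__main__":
    for finding in preflight(BAD_CHANNEL):
        print("-", finding)
    print(token_servlet_url("pihost", 50000, "CC_Mail_OAuth", "", "BS_Mail"))
```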