
Problem accessing R/3 with SSO ticket from the EP6.0

Former Member
0 Kudos

Here is a problem:

When I read the SSO ticket from the cookie in a WebDynpro application and then use this ticket to create a JCO connection, it fails because the ticket is incorrect.

If I use the ticket from the same portal generated for a portal internal iView (from the log file) and compare the two tickets, they are different. I can create a JCO connection with the second ticket. Can anyone explain what's going on? How is it possible to have two different tickets from the same portal for the same user?

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hi,

I have a simple question: how do I read the SSO ticket from the cookie in a WebDynpro application and then use this ticket to create a JCO connection? Could anyone give me a WebDynpro code example?

Thanks very much!

Deyang

MarkusKlein
Active Contributor
0 Kudos

Did you get your problem solved Shakeel? I have the same problem and need a few hints.

Regards,

Markus

Former Member
0 Kudos

Sorry! Markus, I have no updates on this problem.

MarkusKlein
Active Contributor
0 Kudos

Hi Shakeel,

I got my problem fixed. I had two flaws:

1. I used the certificate of the portal's underlying j2ee-system to try to authenticate the ticket at the different back-end systems. But I had to use the certificate (verify.der file) right from the portal itself. This of course wasn't documented in any of the SAP related guides!

2. I added the ACL-list entries to the ticket template itself in addition to the UME User Store.

Maybe this will help you too.

greetings,

Markus

Former Member
0 Kudos

I am not sure why the cookie read by the Web Dynpro application would be different from the cookie read by a Java iView. But it is easier to use the createTicketLoginModule and configure the JCO destinations to use SSO in order to achieve SSO between WAS and R/3.

Former Member
0 Kudos

Hi Pran,

That is interesting. Could you give some more information regarding the usage of createTicketLoginModule? Probably with some dummy code for a WD app?

Thanks and Regards,

Sam Mathew

Former Member
0 Kudos

Hi Sam

This is more of a configuration task to get SSO working.

A Web Dynpro application needs to accept logon tickets and validate them if it needs to be integrated into the Portal, and create tickets to single sign on to backend SAP systems.

For this you will have to first import the EP certificate into WAS and import the WAS certificate into SAP.

After that you will have to apply the ticket authentication template to the Web Dynpro dispatcher through the security provider in Visual Admin.

The JCO destinations for the Web Dynpro applications should also be configured to use SSO instead of user ID and password.

More info is available at this link.

http://help.sap.com/saphelp_nw04/helpdata/en/62/c0503e1dac5b46e10000000a114084/content.htm

Former Member
0 Kudos

Thank you Pran.

Cheers,

Sam

Former Member
0 Kudos

Hi Pran,

I configured SSO between EP6.0 and WAS as described in the manual, but I still can't get it working. When I try to open a URL that points to WAS from the EP6.0 iView, I get a prompt for user name and password. In the security.log file on the WAS side I found the following message:

Info#1#com.sap.engine.services.security#Plain###No user name provided.#

EP6.0 can access R/3 with SSO without any problems.

Any ideas what's going on? It looks to me like the ticket is not passed to WAS from EP6.0.

Thanks,

Andrei

Former Member
0 Kudos

Could you post details on what options you have specified in the EvaluateTicketLoginModule?

Do EP and WAS exist on the same domain?

Have you also checked whether the clocks for both the Portal and WAS are synchronized?

Former Member
0 Kudos

Hi Pran,

Here is what I have in EvaluateTicketLoginModule for the template ticket in Security Provider:

ume.configuration.active true

trustediss1 CN=WPO, OU=QA, OU=NRX, O=SAP Trust Community, C=DE

trusteddn1 CN=WPO, OU=QA, OU=NRX, O=SAP Trust Community, C=DE

trustedsys1 WPO, 000

Also, my question is for what component I should set EvaluateTicketLoginModule. The last document published on SDN says to configure EvaluateTicketLoginModule for the template ticket. Right now I'm trying to access the URL

http://server:50000/useradmin from a Portal iView.

I also tried to access a WebDynpro component from the Portal and got the same result. The document also says that I should see the MYSAPSSO2 cookie in the security.log file, but I don't see it. Both EP and WAS are in the same domain. I'm not sure about the clocks. The difference is 1-2 seconds. I remember you wrote that one system clock could be slower than the other, but I didn't understand which one. "Also ensure that the ticket receiving system has its clock synchronized with the ticket accepting system or at least slower than the ticket receiving system."

Thanks,

Andrei

Former Member
0 Kudos

Hi Andrei

The Web Dynpro components will not be available in the list within the Security Provider, so you need not apply the ticket template against any component. You just need to configure your ticket authentication template and all Web Dynpro applications become SSO enabled.

By the same domain I meant that the Portal URL and the Web Dynpro component URL have the same FQDN (fully qualified domain name). (http://server:50000/useradmin does not have an FQDN.)

Secondly, instead of trying it on useradmin, which I am not sure is a Web Dynpro component or configured to accept SSO tickets, I would suggest you build a Web Dynpro component and enable its authentication property.

Finally, the WAS server, which is your ticket accepting system, should have a clock which is faster than the issuing system. (Though this can be worked around to accept tickets from servers running in different time zones, let's try to keep it simple for now.)

Regards

Pran
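
A preflight check for the three things this thread turns on (cookie scope and FQDN, clock order between issuer and acceptor, and the trusted-system entries), as an added example that is not part of any post here and is not SAP code. Assumptions: the ticket cookie is scoped to the portal host minus its first label, a ticket is modelled as an issue time plus a validity period, and `portal.example.com`, `was.example.com`, the timestamps and the 8-hour validity are constructed sample values.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

PORTAL_URL = "http://portal.example.com:50000/irj"  # constructed sample
# EvaluateTicketLoginModule options as posted in the thread
POSTED_OPTIONS = """\
ume.configuration.active true
trustediss1 CN=WPO, OU=QA, OU=NRX, O=SAP Trust Community, C=DE
trusteddn1 CN=WPO, OU=QA, OU=NRX, O=SAP Trust Community, C=DE
trustedsys1 WPO, 000
"""

def cookie_domain(portal_url, strip_labels=1):
    """Assumed cookie scope: portal host minus its first label (None = host-only)."""
    rest = urlsplit(portal_url).hostname.lower().split(".")[strip_labels:]
    return ".".join(rest) if len(rest) >= 2 else None

def cookie_reaches(portal_url, target_url):
    """Would a browser send the portal's ticket cookie to target_url?"""
    portal_host = urlsplit(portal_url).hostname.lower()
    target_host = urlsplit(target_url).hostname.lower()
    domain = cookie_domain(portal_url)
    if domain is None:
        return target_host == portal_host
    return target_host == domain or target_host.endswith("." + domain)

def ticket_time_status(issued_at, validity, acceptor_now):
    """Judge the ticket by the accepting system's clock (simplified model)."""
    if acceptor_now < issued_at:
        return "not-yet-valid"  # acceptor clock is behind the issuer
    if acceptor_now > issued_at + validity:
        return "expired"
    return "ok"

def incomplete_trust_entries(options_text):
    """Indexes n lacking one of trustedsys<n>, trustediss<n>, trusteddn<n>."""
    seen = {}
    for line in options_text.splitlines():
        m = re.match(r"\s*(trustedsys|trustediss|trusteddn)(\d+)\s+\S", line)
        if m:
            seen.setdefault(int(m.group(2)), set()).add(m.group(1))
    return sorted(n for n, keys in seen.items() if len(keys) < 3)

if __name__ == "__main__":
    issued = datetime(2024, 1, 1, 12, 0, 2)  # constructed issue time
    for url in ("http://server:50000/useradmin", "http://was.example.com:50000/useradmin"):
        print(url, "-> cookie sent:", cookie_reaches(PORTAL_URL, url))
    print(ticket_time_status(issued, timedelta(hours=8), datetime(2024, 1, 1, 12, 0, 0)))
    print("incomplete trust entries:", incomplete_trust_entries(POSTED_OPTIONS))
```
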

Former Member
0 Kudos

Hi Pran,

Thanks a lot for all your help, finally I was able to get it working. The last thing I did was synchronize the clocks on the accepting and receiving servers.

Andrei

Former Member
0 Kudos

That's great.

I think your next goal will be to achieve SSO between WAS and R/3. This is pretty straightforward and you should be able to nail it easily.

Regards

Pran