on 06-25-2004 4:52 PM
Here is a problem:
When I read SSO ticket from the Cookie in WebDynpro application and then use this ticket to create JCO Connection it fails, because ticket is incorrect.
If I use ticket from the same portal generated for portal internal iView (from the log file) and compare two tickets they are different. I can create JCO connection with second ticket. Can anyone explain what's going on? How is it possible to have two different tickets from the same portal for the same user?
Hi,
I have a simple question: how to read SSO ticket from the Cookie in WebDynpro application and then use this ticket to create JCO Connection? Could anyone give me some webdynpro code example?
Thanks very much!
Deyang
Hi Shakeel,
I got my problem fixed. I had two flaws:
1. I used the certificate of the portal's underlying j2ee-system to try to authenticate the ticket at the different back-end systems. But I had to use the certificate (verify.der file) right from the portal itself. This of course wasn't documented in any of the SAP related guides!
2. I added the ACL-list entries to the ticket template itself in addition to the UME User Store.
Maybe this will help ya too
greetings,
Markus
I am not sure why the cookie read by the web dynpro application would be different from cookie read by Java iView. But it is easier to use the createTicketLoginModule and configure the JCO destinations to use SSO in order to achieve SSO between WAS and R/3.
Hi Sam
This is more of a configuration work to get SSO working.
A web dynpro application needs to accept logon tickets and validate them if it needs to be integrated into the Portal and create tickets to single sign onto backend SAP systems.
For this you will have to first import the EP certificate into WAS and import WAS certificate into SAP.
After which you will have to apply the ticket authentication template to the web dynpro dispatcher through the security provider in Visual Admin.
The JCO destinations for the web dynpro applications should also be configured to use SSO instead of userid and password.
More info is available in this link.
http://help.sap.com/saphelp_nw04/helpdata/en/62/c0503e1dac5b46e10000000a114084/content.htm
Hi Pran,
I configured SSO between EP6.0 and WAS as described in manual but I still can't make it work. When I try to open URL that points to WAS from the EP6.0 iView I get a prompt for user name and password. In security.log file on the WAS side I found the following message:
Info#1#com.sap.engine.services.security#Plain###No user name provided.#
EP6.0 can access R/3 with SSO without any problems.
Any ideas what's going on? Looks like to me ticket is not passed to WAS from EP6.0.
Thanks,
Andrei
Hi Pran,
Here is what I have in EvaluateTicketLoginModule for template ticket in Security Provider:
ume.configuration.active true
trustediss1 CN=WPO, OU=QA, OU=NRX, O=SAP Trust Community, C=DE
trusteddn1 CN=WPO, OU=QA, OU=NRX, O=SAP Trust Community, C=DE
trustedsys1 WPO, 000
Also my question is for what component I should set EvaluateTicketLoginModule. In last document published on sdn it says to configure EvaluateTicketLoginModule for template ticket. Right now I'm trying to access URL
http://server:50000/useradmin from Portal iView.
I also tried to access WebDynpro component from the Portal and got the same result. Also document says that I should see MYSAPSSO2 cookie in security.log file, I don't see it. Both EP and WAS are in the same domain. I'm not sure about clocks. The difference is 1-2 seconds. I remember you wrote that one system clock could be slower than on another, but I didn't understand on which one. "Also ensure that the ticket receiving system has its clock synchronized with the ticket accepting system or at least slower than the ticket receiving system."
Thanks,
Andrei
Hi Andrei
The Web Dynpro components will not be available in the list within the Security Provider, so you need not apply the ticket template against any component. You just need to configure your ticket authentication template and all web dynpro applications become SSO enabled.
By the same domain I meant that the Portal URL and the Web Dynpro component URL have the same FQDN (Fully qualified Domain name). (http://server:50000/useradmin does not have a FQDN).
Secondly instead of trying it on the useradmin which I am not sure is a Web Dynpro component or configured to accept SSO tickets, I would suggest you build a web dynpro component and enable its authentication property.
Finally the WAS server which is your ticket accepting system should have a clock which is faster than the issuing system. (Though this can be worked around to accept tickets from servers running in different time zones, let's try to keep it simple for now.)
Regards
Pran
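The FQDN point in the reply above comes down to how browsers scope cookies: the MYSAPSSO2 cookie is returned only to hosts that match the domain it was set for, so a short host name never receives it. The check below is an added example, not code from the thread or from SAP; the host names, the cookie Domain value `example.corp` and the function names are constructed for illustration.

```javascript
// Added example: RFC 6265 domain matching applied to the MYSAPSSO2 cookie.
// All host names below are constructed placeholders.
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");

// cookieDomain: the Domain attribute set on MYSAPSSO2, or null when the
// cookie is host-only (then originHost is the portal host that set it).
function ticketCookieSent(targetUrl, cookieDomain, originHost) {
  const host = new URL(targetUrl).hostname.toLowerCase();
  if (cookieDomain === null) {
    return host === originHost.toLowerCase(); // host-only: exact match
  }
  const domain = cookieDomain.replace(/^\./, "").toLowerCase();
  if (host === domain) return true;
  // Suffix matching applies to host names only, never to IP literals.
  return !isIp(host) && host.endsWith("." + domain);
}

// Explains why the ticket accepting system would or would not see the cookie.
function explain(portalUrl, targetUrl, cookieDomain) {
  const portalHost = new URL(portalUrl).hostname;
  const targetHost = new URL(targetUrl).hostname;
  const sent = ticketCookieSent(targetUrl, cookieDomain, portalHost);
  let reason = "cookie domain matches target host";
  if (!sent && !targetHost.includes(".")) {
    reason = "target URL uses a short host name, not an FQDN";
  } else if (!sent) {
    reason = "target host is outside the cookie's domain";
  }
  return { targetHost, sent, reason };
}

const portal = "http://portal.example.corp:50000/irj/portal";
const cases = [
  "http://server:50000/useradmin", // short name, as in the thread
  "http://was.example.corp:50000/webdynpro/dispatcher",
  "http://was.other.test:50000/webdynpro/dispatcher",
];
for (const url of cases) {
  console.log(explain(portal, url, "example.corp"));
}
```

A request that arrives without the cookie gives the ticket login module nothing to evaluate, which is consistent with the "No user name provided" entry quoted earlier in the thread.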