
Single Sign-On from Portal EP6 to R/3 ECC 5.0

Former Member
0 Kudos

Hi,

We have implemented ESS 60.2 on EP6SP13 (WAS 6.40). I am trying to configure Single Sign-On from the Portal to the R/3 (ECC 5.0) system. We have an integrated ITS (within WAS 6.40). I have created an ESS user and a portal user. Both have the same username.

The portal is the ticket-issuing system.

Now I have to configure the SAP system to accept and verify SAP Logon Tickets. I have done the following steps for this:

a) Add Portal Server to ACL of component system - maintained table TWPSSO2ACL with transaction SM30.

b) Downloaded the public-key certificate of the portal server (verify.der file) using the KeyStore Administration tool. Then I log on to transaction STRUSTSSO2 and try to add the file using the 'ADD TO CERTIFICATE LIST' tab. But I get an error saying 'Error during Import'.

c) Exported the J2EE signing certificate to Cluster -> Server -> Services -> Key Storage -> Runtime -> TicketKeystore -> SAPLogonTicketKeypair-cert. Then I imported this file successfully into R/3 (ECC 5.0) using STRUSTSSO2.

d) Set the profile parameter login/accept_sso2_ticket to the value 1 in every instance profile

e) Also set the fully qualified domain name of the server in transaction RZ10

Then I test the JCo connection in the Content Administration tool, for which I get an error 'RFC_ERROR_LOGON_FAILURE : Name or Password is incorect'.

My question is: are the steps mentioned above right? If so, how do I test the SSO connectivity between EP and R/3?

Also, I am facing errors in step (b) and while testing JCo connectivity...

Could anyone please advise on the same?

Thanks and Regards

Reshma

Accepted Solutions (1)


Former Member
0 Kudos

Hi Siddhartha/Samta,

Thanks a lot for the answers. I really appreciated your quick responses.

I have a small doubt here...

I have around 10,000 ESS users. I will be importing these users to the portal.

But for the system SAP_Webdynpro_XSS I maintain the users under permissions, i.e. System Administration -> System Landscape -> Systems -> SAP_Webdynpro_XSS -> Permissions.

Here I give the ESS user and check the enduser checkbox against it.

But how do I do this for mass ESS users? Do I have to manually maintain this step for each ESS user?

Thanks and Regards

Reshma

Former Member
0 Kudos

Hi,

Reshma, either you can create a group to which all the users would be added and provide permission to that group.

Else, you can allow the group Everyone the read permission and check the enduser checkbox against it.

Regards,

Siddhartha

Answers (13)


Former Member
0 Kudos

Hi Siddhartha,

Thanks a lot for the helpful answer.

Greatly appreciated for all the help and your quick replies.

Thanks a lot

Regards

Reshma

Former Member
0 Kudos

Hi Reshma,

Reward points for useful answers.

Thanks,

Samta

Former Member
0 Kudos

Hi Samta,

I think I got the problem.

If I access the portal using my domain name, i.e.

http://epserver.iscodom.com:50000/irj then I get this problem.

But if I log in using the IP address

http://128.200.21.213:50000/irj/portal I can see all the ESS iViews.

Does this mean that the domain name is not properly maintained?

Thanks and Regards

Reshma

Former Member
0 Kudos

Hi Reshma,

The pop-up window appears because the Windows domain for the portal and R/3 server is not the same.

For the logon ticket to work, both the backend R/3 server and the portal server should have the same DNS domain. (I repeat: only the DNS domain should be the same, not the Windows domain.)

What you need to do is:

On both the servers, your portal server and backend R/3 server, make an entry in the hosts file for both of them.

Say in our case we had done the following -

172.25.1.1 - backend.tt.com

172.3.1.2 - portal.tt.com

On both the servers, make this entry.

In the above scenario the servers are not in the same domain; however, the alias names have the same DNS domain name (e.g. in this case, tt.com).

This should solve your problem.

Thanks

Samta

Former Member
0 Kudos

Hi Reshma,

When the domain name is not a part of the URL accessing the portal server, the logon ticket MYSAPSSO2 is not generated. See SAP note 654982.

So we need to ensure that we use the fully qualified domain name.

To maintain the name, add the entry to the hosts file of the portal server and the systems accessing the EP.

The hosts file can be found at:

C:\WINNT\system32\drivers\etc\hosts

Edit it and enter the server name with domain mapped to the IP as

128.200.21.213 epserver.iscodom.com

After adding the entry, press Enter to leave a blank line and save.

Now check if the problem occurs.

Regards,

Siddhartha

Former Member
0 Kudos

Hi Siddhartha/Samta,

Thanks a lot... That really helped. Now the JCo connection tests are successful (as user admin) with LOGON TICKET.

But when I log in as an ESS user and click on the Overview tab, it again pops up the login screen. I enter the user/password (of R/3). It takes the user but doesn't show anything; it again comes back to the login screen.

Please note: the ESS user ID is the same in R/3 as well as the portal.

Earlier, when I was using USERID/PWD, I could see the ESS screens. The problem has come up after the LOGONTICKET configuration.

I have not maintained any user mapping for the system

SAP_Webdynpro_XSS

Please advise

Thanks and Regards

Reshma

Former Member
0 Kudos

Hi Reshma,

What pop up window are you talking about?

See, I will tell you a simple solution for this.

JCO are required to get a connection between your portal and R/3. Maintain this connection using a user id which has sufficient communication roles in R/3.

In your JCo connection, put the user ID and password for connecting to the backend system. Don't access this through logon ticket. Test the JCo connections.

Now, once you are connected through JCo, your logon tickets come into the picture, i.e. the backend R/3 retrieves your portal user ID from the logon ticket. For this, specify the "Authentication Type" of your R/3 system as "LOGONTICKET".

Now, your connection to the backend is permanently established using JCo and your access rights depend on the LOGONTICKET passed to R/3.

Hope I am clear.

Thanks,

Samta.

Former Member
0 Kudos

Hi Samta -

I gave the roles

a) system_admin_role

b) content admin role

to user 'admin'.

Now I log in as admin, but I still can't access the Web Dynpro tab under Content Administrator -> Web Dynpro.

It gives the error

Missing permission

U do not have the needed permision to start the webdynpro content administrator

Plz contact ur system administrator

Former Member
0 Kudos

Hi Reshma,

Navigate to User Admin -> Groups

Search for "Administrators" group

Add the "admin" user to this group.

This works, for sure.

Thanks,

Samta

Former Member
0 Kudos

Hi Siddhartha/Samta,

Yes, I think I got the problem... Thanks a lot.

I am logging in using the 'administrator' user. But I don't have this user in R/3...

I have a user on the portal, 'admin' (this user ID exists in R/3 also). But this portal user has all the authorizations on the portal, and still he cannot access the Web Dynpro Content Administrator. How do I give access for this role to him on the portal?

Thanks and Regards

Reshma

Former Member
0 Kudos

Hi Reshma -

Login through administrator to portal.

Navigate to User Administration -> Roles -> Assign the System Admin role to the user you want to test with, I guess "admin".

Now the user "admin" will have the Content Admin Role assigned.

And he can test using Content Admin -> Web Dynpro.

Thanks,

Samta

Former Member
0 Kudos

Hi Reshma,

Firstly,

if the user Admin exists on both the Portal and the R/3 ECC backend, then you assign com.sap.pct.ess.employee_self_service to the user, log in to the portal and see if the iViews for ESS are displayed.

Secondly, if you want the user admin to access Web Dynpro Content Administration, try adding him to the group Administrators.

Hope this helps,

Regards,

Siddhartha

Former Member
0 Kudos

Hi,

I configured SSO and tested with transaction SSO2, pressing the execute button. I can see a green flag with the message "logon tickets are accepted".

But in the JCo destinations, when I test using LOGON TICKET, I get an error saying "RFC_ERROR_LOGON_FAILURE: Name or password incorrect".

I have maintained LOGON TICKET as the user authentication method in the System Landscape. Also, when I do a connection test for the systems, the tests are not successful.

Could anyone please guide on this issue?

Also, I just wanted to know: how do I check whether both my EP server and ECC server are in the same domain?

Thanks and Regards

Reshma

Former Member
0 Kudos

Hi Reshma,

Refer to this link for the configuration of ESS-MSS package.

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/21eb036a-0a01-0010-25a3-b22...

As far as your query regarding the same domain goes, the DNS domain has to be the same. What you can do is, in the hosts file of the two servers involved, make the entry of the other server. That is, enter the IP address of the other server in the portal server's hosts file (and add a tab) and enter the other server's alias. Now the important thing is that the alias should be in the form

alias.<companyname>.com

Similarly, in the other server's hosts file enter the IP address of the portal followed by the alias in the form

<portalalias>.<companyname>.com

The company name should be the same.

More importantly, now refer to these servers by the above two names only. Thus we simulate the domains of the two servers.

Regards,

Prathamesh
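
The naming rules given in this and the earlier replies (reach the portal by its fully qualified name, give the portal and back-end aliases the same DNS domain, and enter both in each hosts file) can be checked with a short script. This is an added example, not part of the original posts; the function names are hypothetical, the sample hosts text is constructed from the addresses quoted in the thread, and treating everything after the first label as the DNS domain is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample hosts file using the aliases quoted earlier in the thread.
SAMPLE_HOSTS = """\
# constructed sample, same content on both servers
172.25.1.1\tbackend.tt.com
172.3.1.2\tportal.tt.com
"""

def parse_hosts(text):
    """Map every host name in hosts-file text to its IP address."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on blanks/tabs
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a usable entry
        for name in fields[1:]:
            names[name.lower()] = fields[0]
    return names

def dns_domain(host):
    """Part after the first label; None for IP addresses and short names.
    Assumption: the DNS domain is everything after the host label."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return host.partition(".")[2] or None

def check_sso_names(portal_url, backend_host, hosts_text):
    """Return findings; an empty list means the thread's naming rules are met."""
    findings = []
    portal_host = urlsplit(portal_url).hostname or ""
    p_dom, b_dom = dns_domain(portal_host), dns_domain(backend_host)
    if p_dom is None:
        findings.append(f"portal URL host {portal_host!r} is not fully qualified")
    if b_dom is None:
        findings.append(f"back-end host {backend_host!r} is not fully qualified")
    if p_dom and b_dom and p_dom != b_dom:
        findings.append(f"DNS domains differ: {p_dom} vs {b_dom}")
    known = parse_hosts(hosts_text)
    for host in (portal_host, backend_host):
        if dns_domain(host) and host.lower() not in known:
            findings.append(f"{host} has no hosts-file entry")
    return findings
```

Run it with the URL users actually type and the host name entered for the back-end system; a portal URL given by IP address is reported as not fully qualified.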

Former Member
0 Kudos

Hi Reshma,

The reason why it's giving "Logon Failure: User id and password incorrect" is:

1) When you test using logon tickets, the user ID must be the same for both the portal and the backend R/3.

2) Right now, you are testing the JCo destinations, which I guess you must be testing using the administrator user ID.

3) Is "administrator" a valid user ID for the backend R/3?

Thanks,

Samta

Former Member
0 Kudos

Hi Reshma,

As in the previous post:

"While performing the connection test using Logon tickets, make sure that the user performing the test exists in the backend system, and when using User mapping, the mapping for the user should have been done for the system alias."

Do note the following points:

For the systems in EP, property category User Management:

1) For the systems, logon method as LOGON tickets

In JCo Destinations:

For destination type Metadata, use a generic user existing in the backend.

For destination type Application, use logon method as Ticket.

Regards,

Siddhartha

Message was edited by: Siddhartha Jain

Former Member
0 Kudos

Thanks Ami,

I have followed this blog and done the steps mentioned in it. I need to test the SSO connectivity. Right now R/3 is down. Once it is up I will test and get back to you.

Thanks and Regards

Reshma

Former Member
0 Kudos

Hi Gahlaut,

Have you created a JCo RFC provider in the J2EE engine of the portal system?

You can refer to following link:

Hope it helps.

Best Regards,

Ami.

Former Member
0 Kudos

Hi Siddhartha,

Thanks a lot for the reply. I will test the connectivity once my backend system is up and will get back to you regarding the same.

Regards

reshma

Former Member
0 Kudos

Hi Siddhartha,

Thanks... that was really valuable info.

Yes, with user ID/password I could see the ESS iViews.

There are some issues pertaining to HRFORMS. But we are applying HR patches for the same to ECC 5.0. This should hopefully resolve the issue.

Right now the backend system is down on account of the HR patch application, so I can't test SSO. Once it is up I will definitely get back on this.

One more thing: why do we need to create the SAP_BSP_EREC system? We are using the internal ITS (ITS 6.40).

Also, I just wanted to know: when I test these systems, which test should I go for?

a)SAP Web AS Connection

b)Connection Test for Connectors

c)ITS connection

How do i know to test which one for the different systems ?

Thanks and Regards

Reshma

Former Member
0 Kudos

Hi Reshma,

SAP_BSP_EREC is used for the BSP applications from the E-Recruiting workset.

For system SAP_ITS_EBU, you have to specify the properties for ITS. The ITS comes integrated with WAS 6.4, but we need to provide the values for the same.

1)ITS host name: <ITS 6.40 Name>:<Port>

2)ITS path: /sap/bc/gui/sap/its

3)ITS protocol: http or https

The path refers to the path for the ITS service under transaction SICF.

For the connection test, we test for the properties we have supplied the values for.

Say, for SAP_BSP_EREC, we perform the test for

a) SAP Web AS Connection

b) Connection Test for Connectors

While for SAP_Webdynpro_XSS, the Web AS test would suffice.

While performing the connection test using Logon tickets, make sure that the user performing the test exists in the backend system, and when using User mapping, the mapping for the user should have been done for the system alias.

Regards,

Siddhartha

Former Member
0 Kudos

Hi Siddhartha,

Thanks for the very valuable information. I had actually referred to your blog before I configured SSO. It is really very informative.

I had a few doubts:

I have created only 3 systems on the portal under System Landscape

a) SAP_Webdynpro

b) SAP_R3_FINANCIALS

c) SAP_ITS_EBU

While I maintained the following JCo destinations under Web Dynpro Content Administrator

• SAP_R3_HumanResources

• SAP_R3_HumanResources_MetaData

• SAP_R3_Financials

• SAP_R3_Financials_MetaData

• SAP_R3_SelfServiceGenerics

• SAP_R3_SelfServiceGenerics_MetaData

• SAP_R3_Travel

• SAP_R3_Travel_MetaData

Do I have to create a system under System Landscape for each of the above JCo destinations, i.e.

SAP_R3_HumanResources

SAP_R3_SelfServiceGenerics

SAP_R3_Travel etc.?

One more thing: for the systems which I have already created, I have selected the template SAP System with Load Balancing. I hope it is right.

Thanks and Regards

Reshma

Former Member
0 Kudos

Hi Reshma,

No, you don't have to create the systems for the JCo destinations.

The systems need to be created in EP with aliases as:

1)SAP_WebDynpro_XSS

2)SAP_ITS_EBU

3)SAP_BSP_EREC

4)SAP_R3_Financials

The template SAP system with load balancing is right, but do check the values provided for the properties for the systems.

The JCo destinations are used by Web Dynpro applications for interacting with the backend, and the systems in EP are used by the iViews for interacting with the Web Dynpro/other applications.

When you use user ID/password, are you able to see the iViews for ESS?

Try providing the user ID/password for the ECC backend in the JCo destinations themselves.

Do check the points I mentioned in the previous post.

Hope this helps,

Regards,

Siddhartha

Former Member
0 Kudos

Hi Swarna,

Thanks for the reply. I tested in SSO2 (I didn't mention any RFC destination name). I get the message "logon tickets are accepted". But when I test the JCo connection in Maintain JCo Destination (I tested for SAP_R3_FINANCIALS with Ticket as the authentication method), I get an error saying RFC_ERROR_LOGON_FAILURE : Name or password incorrect.

Also, when I test the SAP_Webdynpro system using TICKET as in User Management and do a test for connectors, the connection test fails.

However, if I test using UIDPWD it is successful.

Can you tell why this is so?

Also, I have a basic question: I need to set my R/3 system as a ticket-accepting system. Do I have to configure R/3 as a ticket-creating system as well?

Thanks and Regards

Reshma

Former Member
0 Kudos

Hi,

You can follow the article on configuring ESS for mySAPERP 2004 via the link Configuring The Business Package For Employee Self Service (ESS)-mySAP ERP 2004: https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/3467

If the test passes for UID/password, then please check a few things.

For the system, say SAP_R3_FINANCIALS, in the system landscape, ensure that in the User Management for the system the Logon Method used is set to SAP Logon Tickets.

Also, in the JCo destination in the Web Dynpro Content Administrator, make sure that the user authentication method is set to Tickets.

Also, make sure that in the JCo destinations created, for the metadata type, userid/password is used (default), while for the application type, Ticket is used.

Hope this helps,

Regards,

Siddhartha

Message was edited by: Siddhartha Jain

Former Member
0 Kudos

Hi,

Have you restarted the R/3 server after changing the profile parameters? After doing it, go to transaction SSO2 and press the execute button. If you see a green flag with the message "logon tickets are accepted", then your configurations are perfect!

Please refer to the following thread: https://www.sdn.sap.com/irj/sdn/thread?forumID=41&threadID=115891&messageID=1295147

I faced the same problem some time back, but got through it successfully!

(See the suggestions that came in for my thread, in the above link.)

Regards

SwarnaDeepika

Message was edited by: SwarnaDeepika