on 09-13-2004 4:45 AM
Hi All,
I have now implemented SSO from EP6 to other applications using the SAPLOGONTICKET method, and everything works except the ITS SSO. I have installed EP6 and ITS on the same server and created the system to connect to ITS.
If anybody has ever got this working, please advise me.
Thanks in advance,
Pongsak
Hi
Try to change the path of the ITS to be the same as the host name!!
ITS Host Name - itsserver.company.com:81
ITS Path - itsserver.company.com:81
Thanx,
Demorgan
I'm sorry, I mistakenly said to set the parameter
~cookies=0
!!!!SET THE ~cookies = 1 !!!!
Thanks
Jeremy Baker
I had the same problem and it was caused by me not calling the portal with a fully-qualified domain name.
Example: http://myportal:50000/irj
instead of http://myportal.mycompanydomain.com:50000/irj
.....I won't forget that in a hurry, as I spent all day on the problem!
Team,
When you create a system in your portal (we are running EP 6.0 SP7 on WAS 6.20 SP8) there are three options for R/3 connectivity, as shown below:
a. Dedicated Application Server for R/3 System
b. R/3 System via Connection String
c. R/3 System with Load Balancing
Remove the entry called sapms<SID> 3600/tcp from your Windows services file if you select option a for the R/3 connection. If it's still not working, try to create your R/3 system using option c (you need to change your global.srvc file accordingly).
Good Luck,
John Vinh
Team,
I did make it work and here is my global.srvc
~appserver "full DNS name of your R/3 application"
~client 010
~clientcert 1
~cookies 1
~exiturl
~hostsecure "full DNS name of your ITS server"
~hostunsecure "full DNS name of your ITS server"
~language
~login
~logingroup
~messageserver
~multiinstanceservices 1
~mysapcomgetsso2cookie
~mysapcomusesso2cookie 1
~mysapcomssonoits 1
~password
~portsecure 443
~portunsecure 90
~routestring
~runtimemode pm
~systemname "SAP SID Name"
~systemnumber 00
~theme 99
~timeout 60
~urlarchive /scripts/sapawl.dll
~urlimage /sap/its/graphics
~urlmime /sap/its/mimes
~usertimeout 24
~xgateway sapdiag
~xgateways sapxgadm,sapdiag,sapxgwfc,sapxginet,sapextauth
- In your SAP Enterprise Portal, you need to enter the application server port number 3200, the system number, the R/3 system SID and the client number
- In the ITS configuration:
ITS Hostname: Full DNS name:90
ITS path /scripts/wgate
- User Management
Log Method: SAPLOGONTICKET
User mapping type: admin,user
Good Luck,
John,
Thanks for the reference. We did exactly what you have, but it still does not work for us. I still need to log on twice (once to the portal and once to ITS ESS).
Please help me to verify our settings. Thanks.
On the ITS side :
A) The global.srvc file is defined as :
~appserver appserver.company.com
~client 240
~clientcert 1
~cookies 1
~designs sap_streamline
~exiturl
~hostsecure itsserver.compamy.com
~hostunsecure itsserver.company.com
~language
~login
~logingroup
~menu2002 1
~messageserver
~multiinstanceservices 1
~mysapcomgetsso2cookie
~mysapcomusesso2cookie 1
~mysapcomssonoits 1
~password
~portsecure 443
~portunsecure 81
~routestring
~runtimemode pm
~systemname "SID"
~systemnumber 20
~theme 99
~timeout 15
~urlarchive /scripts/sapawl.dll
~urlimage /sap/its/graphics
~urlmime /sap/its/mimes
~usertimeout 24
~webgui_theme 2002
~xgateway sapdiag
~xgateways sapxgadm,sapdiag,sapxgwfc,sapxginet,sapxgbc,sapextauth
On the portal side :
A) We have created a system called SID_ITS and its defined properties are :
Connector :
Application Host - appserver.company.com
Remote Host Type - 3
SAP Client - 240
SAP System Name - SID
SAP System Number - 20
Server Port - 3220
System Type - SAP_R3
ITS :
ITS Description - ITS for SID
ITS Host Name - itsserver.company.com:81
ITS Path - /scripts/wgate
ITS Protocol - http
User Management :
Logon Method - SAPLOGONTICKET
R/3 Reference System - 0
User Mapping Type - admin, user
Others :
Session Cookie Name - JSESSIONID (default)
Session URL Name - jsessionid (default)
B) System Aliases - A few aliases are created for this system as per ESS installation instruction
C) UM Configuration -
Data Source - Database Only
On the SAP side :
The portal signature has been uploaded to the R/3 "SID" system using SSTRUSTO2 transactions and it is proven that we could use SSO to access "SID" from the portal directly.
Thanks for your help!!
I have tried this once and it worked. I was able to do SSO for BSP iviews, but not for IAC iviews.
I set the parameter ~cookies = 0
In the ITS
Let me know if this helps
Jeremy
I would like to check the following:
- Appropriate WP-Plugin is imported in the R/3 system
- SAPLOGONTICKET as the logon method defined in your SYSTEM definition
- User IDs are the same in Portal and in R/3 (just checking)
Good luck.
- PK
These are the parameters to be set in the global.srvc file to let ITS work with SAPLOGONTICKETS
~login <space>
~password <space>
~mysapcomusesso2cookie 1
then it works.
Nagesh
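The settings named in the posts above (~cookies 1, ~mysapcomusesso2cookie 1, empty ~login and ~password, full DNS names for the ITS host) can be checked mechanically. The following is an added example, not code from any poster or from SAP; the sample file is constructed, and the "~name value" line layout is taken from the files quoted in this thread.

```python
# Constructed sample, not a file from the thread.
SAMPLE = """\
~appserver r3app.example.com
~cookies 0
~login itsuser
~password
~mysapcomusesso2cookie 1
~hostsecure "its.example.com"
~hostunsecure its
~portunsecure 81
"""

def parse_srvc(text):
    """Parse '~name value' lines; a parameter with no value (or only spaces) maps to ''."""
    params = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or not parts[0].startswith("~"):
            continue
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        params[parts[0].lower()] = value
    return params

def is_fqdn(host):
    """True for a dotted host name, False for an unqualified name or a dotted IPv4 address."""
    return "." in host and not host.replace(".", "").isdigit()

def sso_findings(params):
    """Return (parameter, message) pairs for settings that differ from the thread's advice."""
    findings = []
    for name, want in (("~cookies", "1"), ("~mysapcomusesso2cookie", "1")):
        got = params.get(name)
        if got != want:
            findings.append((name, f"expected {want}, found {got!r}"))
    for name in ("~login", "~password"):
        if params.get(name, ""):
            findings.append((name, "should be left empty"))
    for name in ("~hostsecure", "~hostunsecure"):
        if not is_fqdn(params.get(name, "")):
            findings.append((name, "not a fully qualified host name"))
    return findings

if __name__ == "__main__":
    for name, message in sso_findings(parse_srvc(SAMPLE)):
        print(f"{name}: {message}")
```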
I also tried to implement SSO from EP6 to other applications using the SAPLOGONTICKET method. Everything works fine except the ITS SSO. The ITS still gives me a sign-on screen. The portal and ITS are on different servers (Windows 2000).
I also defined the parameters for global.srvc.
Should I do something specific with the ITS URL inside the portal? At the moment I use http://<name of its-server>:83/scripts/wgate/webgui/!
Should I add something to this URL?
regards
Bertil Rebergen
Hi Bertil,
if you have already set the "~" parameters according to what my co-posters have written, please check the following:
1) Are EP6 and ITS running in the same DNS domain? (say: portal.company.com and its.company.com) If not, the SAP logon ticket won't get forwarded to ITS.
2) Are you using the fully qualified host name (i.e. host.domain.com) for the ITS? Neither an IP address nor an unqualified host name will work.
3) Has the R/3 system behind ITS been configured to accept a SAP Logon Ticket logon? (check with transaction SSO2)
4) Have you imported the EP's public key certificate on R/3 (again SSO2)?
5) Any error messages? You could for instance perform a system trace in SM50 on the R/3 connected to ITS. Switch on "security trace" and set trace level to "2".
Regards,
Dominik
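Points 1 and 2 of the checklist above come down to browser cookie domain matching. The following is an added example, not part of any post: it assumes the portal scopes the ticket cookie to its own host name minus the first label, and the host names are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

def host_of(value):
    """Accept 'host', 'host:port' or a full URL and return the lower-cased host."""
    if "//" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").rstrip(".")

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def ticket_cookie_domain(portal):
    """Assumed scoping: portal host minus its first label; None means host-only."""
    host = host_of(portal)
    if is_ip(host) or "." not in host:
        return None
    parent = host.split(".", 1)[1]
    return parent if "." in parent else None  # a bare TLD is not a usable cookie domain

def ticket_reaches_its(portal, its):
    """Return (sent, reason) for a ticket cookie issued by `portal` on a request to `its`."""
    domain = ticket_cookie_domain(portal)
    target = host_of(its)
    if domain is None:
        return False, "no shareable parent domain for the portal host, cookie stays host-only"
    if is_ip(target) or "." not in target:
        return False, "ITS addressed by IP or unqualified name, no domain to match"
    if target == domain or target.endswith("." + domain):
        return True, f"ITS host lies inside cookie domain {domain}"
    return False, f"ITS host is outside cookie domain {domain}"

# Constructed (portal URL, ITS host) pairs for illustration.
CASES = [
    ("http://portal.company.com:50000/irj", "its.company.com:81"),
    ("http://myportal:50000/irj", "its.company.com:81"),
    ("http://portal.company.com:50000/irj", "10.0.0.5:81"),
    ("http://portal.company.com:50000/irj", "its.other.org:81"),
]

if __name__ == "__main__":
    for portal, its in CASES:
        sent, reason = ticket_reaches_its(portal, its)
        print(f"{portal} -> {its}: {'sent' if sent else 'NOT sent'} ({reason})")
```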
Hi Dominik,
I checked the things you mentioned but it still doesn't work.
This is the output on the R/3 when using SSO2:
Own System Data
SAP System C34 Client 090
Profile Parameters login/accept_sso2_ticket = 1
Logon Tickets Are Accepted
Certificate List
The Certificate List Is Used To Verify the Digital Signature for the Logon Ticket
E:\usr\sap\C34\DVEBMGS34\sec\SAPSYS.pse
Owner CN=PCD, OU=Merlijn, OU=PinkRoccade Civility, O=SAP Trust Community, C=DE
Issuer CN=PCD, OU=Merlijn, OU=PinkRoccade Civility, O=SAP Trust Community, C=DE
Serial Number 00
Systems for Which C34 Accepts Verified Logon Tickets
The Access Control List Defines Which Systems the Verified Logon Tickets Are Accepted From
Table TWPSSO2ACL
SAP System PCD Client 000
Owner CN=PCD, OU=Merlijn, OU=PinkRoccade Civility, O=SAP Trust Community, C=DE
Issuer CN=PCD, OU=Merlijn, OU=PinkRoccade Civility, O=SAP Trust Community, C=DE
Serial Number 00
Application server PSE:
ID: CN=C99
Namespace:
Profiles: E:\usr\sap\C34\DVEBMGS34\sec\SAPSYS.pse
OK: file available, length: 1.908
OK: local PSE identical to original in database
OK: security toolkit available
Version
SSFLIBSO Version 1.555.10 ; SECUDE(tm) Version 5.4.27C (c) SECUDE GmbH 1990-2001#SAPSECULIB - digital signature / without encryption
OK: signature tested successfully
The trace doesn't give me any errors.
Do I need to install something on the ITS server?
regards
Bertil
Hi Bertil,
if I may assume that "PCD" is your portal, then the SSO2 configuration in R/3 looks fine.
You said SM50 does not show up anything interesting. You should at least see "something" in there if you try to enter via ITS. If ITS sends the SSO2 ticket to R/3 for authenticating the user you should see some lines that describe the ticket evaluation process.
Have you tried an ordinary (password based) logon over ITS? In this case, you should see your logon attempt in SM50. Maybe you simply caught the wrong work process? (Every process listed in SM50 keeps its own trace file.)
Additionally, you should check if your browser really sends the SAP Logon Ticket to ITS. You can use a network sniffer (like Ethereal or TCP DUMP) for this. As an alternative, try "HTTP Watch" (http://www.simtec.ltd.uk/), but this one is a commercial tool. You should see a line in the HTTP header sent from your client to ITS that reads cookie: MYSAPSSO2=AjE.......
Regards,
Dominik
Hi Dominik,
When I use the portal to start up the connection to the ITS (by using an R/3 transaction) I get the logon screen of the R/3 system.
When I use the command 'javascript:document.cookie' inside the browser before and after logging into the R/3 system I get the following text:
sapj2ee_*=1808186064; JSESSIONID=ID1808186064DB0.5967332475447783End
I would expect something like MYSAPSSO2 ... or not?
Bertil
Bertil,
yes, I would also suppose a mysapsso2 cookie to be present. If your browser doesn't possess this cookie, then SSO naturally won't work.
So, the question is: why is the cookie not being forwarded to ITS? I still strongly suppose my idea no. 1 (same DNS domain). What are the exact URLs you use for calling EP resp. ITS?
Regards,
Dominik
Hi Dominik,
This is the URL to the portal: http://nebula:50000/irj
The R/3 system is Galileo. Inside the portal I defined a system Galileo with the following specs:
Usermanagement:
Logon Method: SAPLOGONTICKET
R/3 reference system: - Select -
User mapping type - select -
Internet Transaction Server:
ITS Description : its server
ITS Host Name : its-srv.lt.nl
ITS PATH : :81/scripts/wgate/webgui/!
I have been to the TechED in Munich. There I described the problem and they told me to use the DNS domain also to address the portal itself. So I changed the URL for the portal to http://nebula.lt.nl:50000/irj
Guess what?
If I now try to log on to the portal, I am not able to log on. If I put in correct login user data the portal gives me just the same logon screen again with all the user data deleted!!!
Does this have anything to do with the SSO problem? We have put this problem inside SDN (see /thread/17767 [original link is broken])
Hope this information helps
would be great if you could help.
Bertil
Message was edited by: Bertil Rebergen
Hi Bertil,
I am facing the same issue during configuration of SSO (Logon tickets) between Portal and R3 via ITS. Were you able to make it work? When I enter "javascript:document.cookie" on the Portal browser window, I get "sapj2ee_*=1723218202; JSESSIONID=ID1723218202DB0.8816322719526332End", which means that the Logon cookie is not passing to the ITS. Any suggestions or clues would be greatly appreciated.
Thanks,
-Mayur
Hi Nagesh,
Even after setting these parameters in the Global.serv file, I am still getting the ITS Login screen. I have a feeling that the Logon ticket is not being passed from my browser to ITS. Any solution for that?
I have verified the Domain Names and they are both on the same domain.
Any suggestions?
-Mayur