SSO Configuration

Former Member
0 Kudos

Dear all,

I need to configure SSO. My requirement is an SAP ECC 6.0 server with SP22 at both Java and ABAP level. PI, EP, BI and ABAP are all installed and integrated as add-ons to ABAP. For this setup I need to configure SSO so that BI will work in accepting the reports and BW-related data in the portal, and also so that, while logging in, SAP and Java will create some certificates for the users and will not ask for any sort of user ID and password to log on to either of the applications. Just a certificate prompting their session and its validity would be fine. Kindly help me with how to configure this.

As I am a newbie, a step-by-step approach will be highly helpful for me.

Your help is highly appreciated.

Kind regards

Hemanth

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

You can try the following steps :-

First at EP server end :

Go to Visual Admin of the EP Server and generate Portal Certificate.

Choose Server -> Services -> KeyStorage -> TicketKeystore

You can delete existing cert pairs (like SAPLogonTicketKeypair-cert, SAPLogonTicketKeypair)

Then choose Create with the following information:

1) Mark Store Certificate

2) Common Name: <SID>

3) Entry Name: SAPLogonTicketKeypair

4) Store Certificate: Mark it

5) Key Length: 1024

6) Algorithm: DSA

7) Press Generate

Now you will have two entries in the TicketKeyStore:

SAPLogonTicketKeypair

SAPLogonTicketKeypair-cert

Choose SAPLogonTicketKeypair-cert & Export it (You can choose either X.509 or Base64 Encode Format).

Now at ABAP end :-

Go to the ABAP system (Client 000) and execute STRUSTSSO2

Import Certificate (Button in the Certificate field) & open the generated certificate from

Press Add to Certificate List button (Button in the Certificate field)

Now Go to the business client & Add to ACL button (Button in the Certificate field) in STRUSTSSO2.

Put <SID> of your EP system, Enter Client 000 & Save.

Also set the following two profile parameters :-

login/create_sso2_ticket = 2

login/accept_sso2_ticket = 1

Then activate the requisite services by SICF. And publish the SICF services.

Authentication at ABAP end :-

Go to ABAP backend system & execute STRUSTSSO2. Doubleclick the Owner Certificate and choose Export and store it on the file system [Nomenclature: <SID>_CERTIFICATE].

Go to VA at EP system :-

Server -> Services -> KeyStorage -> TicketKeystore & Load and choose the Certificate.

Set the Backend System as "ACL" in the Portal

Choose Server -> Services -> Security Provider -> ticket

Choose the Authentication tab and add the following on the com.sap.security.core.server.jaas.EvaluateTicketLoginModule:

a) trustedsys<Sys No> : <SID>, <CLIENT>

b) trustediss<Sys No> : CN= <SID>

c) trusteddn<Sys No> : CN= <SID>

Former Member
0 Kudos

Hello Shivaji,

I applied the configuration as suggested by you. However, when I try to open the BEx WAD report I am getting the following error:

RSBOLAP 018 java system error An unknown error occured during portal communication.

It seems there is still some communication error from ABAP to the portal.

The system configuration is an add-on portal installed on the ABAP instance. Is there any modification we need to do during the SSO configuration so that the portal accepts the ABAP certificate and ABAP accepts the portal certificate?

Neither ABAP nor Java is showing any certificate as generated during logon. They are still asking for user ID and password.

Hemanth

dao_ha
Active Contributor
0 Kudos

Hi Hemanth,

Please check out the suggested solutions in the following threads

/thread/517702 [original link is broken]

/thread/1432337 [original link is broken]

Hope it helps.

Regards,

Dao

Former Member
0 Kudos

Hi, I checked the links, and in one of them they suggested that we need to define an alternate ID for configuring SSO for a dual stack with the same SID for both Java and ABAP. An alternate ID in what sense, and how do we do that? Do we need to use a different SID which doesn't exist in the system while creating the entry in the TicketKeystore in Visual Admin in Java? For example, if my SID is PRD and the system number is 00, do we need to use another SID like DEV instead of PRD?

dao_ha
Active Contributor
0 Kudos

Hi Hemanth,

The answer to your question "how" was given in the same thread (attachments of Note 917950). Anyway, I also have some reservations about that solution. We also have a dual-stack BI system and we didn't have to do that.

However, you'd need to provide a 'custom value' for the login.ticket_client key of the j2ee engine (i.e. you cannot use the default value '000' as the client for the j2ee engine). This value would be used when you add the j2ee certificate to the ACL of the ABAP system; e.g. SID: 'PRD' - Client: '333' (instead of '000')

Please refer to this link for further details

http://help.sap.com/saphelp_nw70/helpdata/EN/8f/ae29411ab3db2be10000000a1550b0/frameset.htm

(Configuring Authentication Mechanisms -> Using Logon Tickets for SSO -> Configuring the Use of Logon Tickets -> Specifying the J2EE Engine Client to Use for Logon Tickets)

Also, when you define the BI ABAP system in the BI portal, the Authentication Ticket Type between Java&ABAP stacks should be 'SAP Assertion Ticket' and make sure that you configure everything properly in Visual Admin.

Hope it helps.

Regards,

Dao

Former Member
0 Kudos

Hi Dao,

Thank you very much. I understood that for dual-stack systems we need to give a client which doesn't exist in ABAP, change the default client 000 to some anonymous client in the property login.ticket_client in the UME property sheet in the Config Tool, and add the same client number to the ABAP ACL list. However, I do have a few more queries on the same. We actually have 3 clients in the dual stack of the existing IDES system.

1. 000

2. 800

3. 001

1. I have added these 3 clients in the Java ticket store EvaluateTicketLoginModule in the Visual Admin tool. Now do we need to remove all these clients in Java and keep only the anonymous client which we decided to keep and added in the UME property sheet?

2. I am also a bit confused about giving the logon modules for various components under policy configurations. What are the components we need to change, and what changes do we need to make so that during logon it will prompt for a ticket once logged in?

Is it enough to modify the component ticket under policy to make the portal or ABAP accept the tickets, or do we need to modify all the components? Or are there specific components which need to accept tickets, and others which do not or which need basic logon authentication? Kindly suggest how to proceed further.

dao_ha
Active Contributor
0 Kudos

Hi,

No, do not remove these entries in VA (you need it to receive tickets from the ABAP clients). Please make sure that you also enter these values in the EvaluateAssertionTicketLoginModule (if you do use the SAP Assertion Ticket for Authentication Ticket Type).

The dummy client must be added by setting the property 'login.ticket_client' in the UME property sheet (as described in SAP Library). Then, when you import the Java certificate in the ABAP system using STRUSTSSO2, add to ACL, you'd use the dummy client to indicate the Java system (with the same SID).

I don't know why you'd want to put all the other systems (PI, EP) as Java add-ons to the BI ABAP. In fact, I believe the latest SAP recommendation is that we do not install BI Java as an add-on of BI ABAP (i.e. they should be installed as separate systems instead of dual stack). PI, itself, requires a dual stack if I'm not mistaken and I don't know if it'd work as an add-on of a BI ABAP system.

Regards,

Dao
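
The consistency rules worked out in the posts above (a non-default `login.ticket_client`, a matching STRUSTSSO2 ACL entry, and `trustedsys` entries for every ABAP client), written as a small checker. This is an added example, not part of any post and not SAP tooling; the dictionary layout and function names are assumptions, with values transcribed by hand from the instance profile, STRUSTSSO2, the UME property sheet and Visual Admin.

```python
import re

def check_dual_stack_sso(cfg):
    """Return findings for a dual-stack (same SID) logon ticket setup."""
    findings, sid = [], cfg["sid"]
    abap_clients = set(cfg["abap_clients"])
    # Profile parameter values given in the accepted answer.
    for name, want in (("login/create_sso2_ticket", "2"),
                       ("login/accept_sso2_ticket", "1")):
        if cfg["profile"].get(name) != want:
            findings.append(f"{name} should be {want}")
    # The Java stack needs its own ticket client: not the default 000 and
    # not a client that already exists on the ABAP stack with the same SID.
    tc = cfg["ume"].get("login.ticket_client", "000")
    if tc == "000" or tc in abap_clients:
        findings.append(f"login.ticket_client {tc} is the default or an ABAP client")
    # The STRUSTSSO2 ACL must list the Java stack as <SID>/<ticket client>.
    if (sid, tc) not in cfg["abap_acl"]:
        findings.append(f"ABAP ACL has no entry for {sid}/{tc}")
    # EvaluateTicketLoginModule: trustedsys/trustediss/trusteddn per ABAP client.
    opts, trusted = cfg["login_module"], set()
    for key, val in opts.items():
        m = re.fullmatch(r"trustedsys(\d+)", key)
        if m:
            t_sid, t_client = (p.strip() for p in val.split(","))
            for other in (f"trustediss{m.group(1)}", f"trusteddn{m.group(1)}"):
                if opts.get(other, "").replace(" ", "") != f"CN={t_sid}":
                    findings.append(f"{other} does not match CN={t_sid}")
            trusted.add((t_sid, t_client))
    for client in sorted(abap_clients - {c for s, c in trusted if s == sid}):
        findings.append(f"no trustedsys entry for {sid}, {client}")
    return findings

def sample(ticket_client, acl_client):
    """Constructed sample input: SID PRD with ABAP clients 000, 001, 800."""
    module = {}
    for n, client in enumerate(["000", "001", "800"], start=1):
        module[f"trustedsys{n}"] = f"PRD, {client}"
        module[f"trustediss{n}"] = module[f"trusteddn{n}"] = "CN=PRD"
    return {"sid": "PRD", "abap_clients": ["000", "001", "800"],
            "profile": {"login/create_sso2_ticket": "2",
                        "login/accept_sso2_ticket": "1"},
            "ume": {"login.ticket_client": ticket_client},
            "abap_acl": [("PRD", acl_client)], "login_module": module}

if __name__ == "__main__":
    for tc, acl in (("000", "000"), ("333", "000"), ("333", "333")):
        print(tc, acl, check_dual_stack_sso(sample(tc, acl)))
```

The three runs correspond to the default client still in place, the ticket client changed but the ACL not updated, and the working configuration.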

Former Member
0 Kudos

Hi Dao,

Thank you very much. Your guidance is really very helpful. It solved the SSO problem. Now my support desk tool is green. What I really missed was to change the default client number 000 to some anonymous client. Now when we log on to ABAP, if any link points to the portal then it does not ask for any password. For example, in RSPLAN, clicking on Start Modeler will not ask for any password.

However, I have now identified one more new problem, in WAD.

When a web template is executed, it does not point to the web template in the browser; rather, it goes to the normal enterprise portal without showing the web template.

I checked various options with no luck. How can we solve this?

dao_ha
Active Contributor
0 Kudos

Hi Hemanth,

I'm glad I was able to help. Please mark this thread as answered and close it.

For your issue with SAP WAD, please open a new thread in Enterprise Information Management --> EIS - General; you'd have a much better chance of getting a right solution.

Please also provide more details to make it easier for others to help, did you click on "Publish in a web browser"? Did you follow all the post-installation steps (of your BI system) to configure your BEx? Did you get any error? Did you clear your cache? Please also check out SAP Note 917950 and the following thread might help

Regards,

Dao

Answers (2)

Former Member
0 Kudos

Hi, thank you very much to all of you for resolving my issues. Thanks a lot for your patience in helping me to resolve the error.

Former Member
0 Kudos

Have you considered using X.509 certificates for SSO instead of logon tickets?

sunny_pahuja2
Active Contributor
0 Kudos

Hi,

You need to decide between which systems you need to configure SSO. Check the link below for SSO configuration:

http://wiki.sdn.sap.com/wiki/display/EP/SSO,ConfigurationSteps

Thanks

Sunny