SSO EP6.0 SP2 Patch 2 and ITS

Former Member
0 Kudos

Hello,

I tried to implement SSO for the R/3 system via ITS, but it doesn't work. Can you help me?

my Config:

global.srvc on the ITS system:

~routestring

~messageserver

~logingroup

~systemname DIA

~appserver bilbo.it-motive.de

~systemnumber 00

~client

~login

~password

~mysapcomusesso2cookie 1

~language

~timeout 60

~usertimeout 24

~theme 99

~runtimemode dm

~cookies 1

~multiinstanceservices 1

~urlarchive /scripts/sapawl.dll

~urlimage /sap/its/graphics

~urlmime /sap/its/mimes

~exiturl http://itmportal:50000/irj

~clientcert 1

~hostunsecure bilbo.it-motive.de

~portunsecure 8080

~hostsecure bilbo.it-motive.de

~portsecure 443

~xgateways sapdiag,sapxgwfc,sapxginet,sapxgbc,sapxgadm,sapextauth

~xgateway sapdiag

##################################################

SSO2 Transaction (R/3 System ) output:

Workplace

R/3-System DIA Mandant 026

Workplace-Zertifikat

Inhaber CN=C11

Aussteller CN=C11

Seriennummer 00

Prüfsumme

Profilparameter login/create_sso2_ticket = 0

Der Workplace DIA erzeugt keine SSO-Tickets.

Das Workplace-Zertifikat von DIA ist in der Zertifikatsliste des Systemes DIA enthalten.

SSO-Tickets des Workplace DIA werden vom System DIA akzeptiert.

-


Eigene Systemdaten

R/3-System DIA Mandant 026

Profilparameter login/accept_sso2_ticket = 1

SSO-Tickets werden akzeptiert

Zertifikatsliste

Mit der Zertifikatsliste wird die Digitale Signatur des SSO-Tickets auf Gültigkeit geprüft.

D:\usr\sap\DIA\DVEBMGS00\sec\SAPSYS.pse

Inhaber CN=C11

Aussteller CN=C11

Seriennummer 00

Dies ist das Workplace-Zertifikat

Inhaber CN=Portal EP 5.0

Aussteller CN=Portal EP 5.0

Seriennummer 00

Inhaber CN=EP6, OU=ITM, OU=EnterprisePortal, O=SAP Trust Community, C=DE

Aussteller CN=EP6, OU=ITM, OU=EnterprisePortal, O=SAP Trust Community, C=DE

Seriennummer 00

Systeme deren SSO-Tickets von DIA akzeptiert werden.

Die Access-Control-Liste definiert, von welchen Workplace Systemen SSO-Tickets zur Anmeldung akzeptiert werden.

Tabelle TWPSSO2ACL

R/3-System DIA Mandant 026

Inhaber CN=C11

Aussteller CN=C11

Seriennummer 00

Dies ist das Workplace-Zertifikat

R/3-System EP5 Mandant 026

Inhaber CN=Portal EP 5.0

Aussteller CN=Portal EP 5.0

Seriennummer 00

R/3-System EP6 Mandant 000

Inhaber CN=EP6, OU=ITM, OU=EnterprisePortal, O=SAP Trust Community, C=DE

Aussteller CN=EP6, OU=ITM, OU=EnterprisePortal, O=SAP Trust Community, C=DE

Seriennummer 00

##################################################

Trace from transaction SM50:

Y *** ERROR => multiple DiagSetGuiConnectData call [diagext.c 570]

Y *** ERROR => multiple DiagSetGuiConnectData call [diagext.c 570]

M SsfParseCertificate(SUMMARY): Buffer too short (512 - 1443)

Y *** ERROR => multiple DiagSetGuiConnectData call [diagext.c 570]

#######################################################

MYSAPSSO2 session cookie will be created

#######################################################

User mapping data for R/3 System are correctly saved

#######################################################

SSO doesn't work; I always get the logon page of the ITS.

Accepted Solutions (0)

Answers (3)

steven_foo
Participant
0 Kudos

Hi Hafedh,

Do you have the solution to your problem? I am also having the same problem.

I have changed my full domain on my portal server A (nw2004s) that connects to my ITS that connects to our server B 4.6C.

My SSO is working while testing using a transaction iView. Only through the ITS it is not working.

Anyone have ideas? Thanks in advance.

Steven

Former Member
0 Kudos

Hi Steven,

Do you use User Mapping in the Portal?

That's the reason why the Transaction iView is working in the portal.

Regards,

Ridouan

ChrisSolomon
Active Contributor
0 Kudos

@Hafedh Ghamgui

Make sure you use the FULL domain name when accessing the portal to ITS. For example, if you use "http://myportal:50300/irj/" instead of "http://myportal.mycompany.com:50300/irj/", SSO will fail between ITS and the portal. Also within the portal, the ITS instance must be configured by the full domain name. Lastly, the ITS instances must reside on the same domain as the portal, otherwise an additional WAS will be needed to accept the Logon Tickets from the portal and then pass them to ITS (*see docs on this site for info on this).

@Uttam

That is the whole point of using SSO...so you do not have to worry or manage passwords between systems (that was a HUGE problem in the early days of Workplace...haha). Basically by using the SAP Logon Ticket, you are saying "this system trusts this system". They ignore the passwords after initial login and authentication. From that point, the user is authenticated. The Logon Ticket then passes the user name to the other system. Since the other system is set up to "trust" the portal, it merely looks up the user based on the user name passed. As you might guess, keeping user names in synch is needed...else you will need to use User Mapping. Hope this helps.
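
The full-domain-name requirement from the answer above, modelled as browser cookie scoping (an added example, not part of the original thread and not SAP code). It assumes the portal scopes the MYSAPSSO2 cookie to its parent DNS domain; `itmportal.it-motive.de` is a constructed FQDN, the other host names are taken from the thread.

```javascript
// Added example: which hosts does a browser return the MYSAPSSO2 cookie to?
// Assumption: the portal scopes the cookie to its parent DNS domain (host name
// minus the first label). The public-suffix list is not consulted here.

// Cookie scope the portal can set when it is reached under portalUrl.
function ticketCookieScope(portalUrl) {
  const host = new URL(portalUrl).hostname.toLowerCase();
  const labels = host.split(".");
  const isIp = /^[\d.]+$|:/.test(host);
  // A short name ("itmportal"), a two-label name or an IP address has no
  // usable parent domain: the cookie stays host-only.
  if (isIp || labels.length < 3) return { domain: host, hostOnly: true };
  return { domain: labels.slice(1).join("."), hostOnly: false };
}

// RFC 6265 domain-match (section 5.1.3) plus the host-only rule.
function browserSendsCookie(scope, targetUrl) {
  const host = new URL(targetUrl).hostname.toLowerCase();
  if (scope.hostOnly) return host === scope.domain;
  return host === scope.domain || host.endsWith("." + scope.domain);
}

// Would the ticket cookie issued by the portal accompany a request to ITS?
function ssoCookieReachesIts(portalUrl, itsUrl) {
  const scope = ticketCookieScope(portalUrl);
  return { ...scope, sent: browserSendsCookie(scope, itsUrl) };
}

// ITS host and port as in the thread (~hostunsecure / ~portunsecure).
const ITS_URL = "http://bilbo.it-motive.de:8080/";
const PORTAL_URLS = [
  "http://itmportal:50000/irj",               // ~exiturl from the thread
  "http://itmportal.it-motive.de:50000/irj",  // constructed FQDN (assumption)
  "http://myportal.mycompany.com:50300/irj/", // FQDN from the answer, other domain
];

for (const url of PORTAL_URLS) {
  const r = ssoCookieReachesIts(url, ITS_URL);
  const kind = r.hostOnly ? "host-only" : "domain";
  console.log(`${url} -> ${kind} cookie for ${r.domain}; sent to ITS: ${r.sent}`);
}
```

Only the second case delivers the cookie: a short host name yields a host-only cookie, and an FQDN in a different domain never domain-matches the ITS host.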

Former Member
0 Kudos

Hi Hafedh,

I believe this to be a wrong setup of the certificates.

I cannot understand all the information, but the error would make me check STRUSTSSO2 to see whether I have imported the portal's certificate and added it to the ACL.

Regards,

Thomas Mouritsen

Former Member
0 Kudos

Hi Thomas,

I had a query regarding SSO. Suppose I have EP 6.0 and an R/3 system. Let us suppose I have done the SSO between the 2 systems, but after, say, 15 days someone changes the password of the SAP R/3. Do we then have to take any other care for it in the EP 6.0 or for the Single Sign-On? Please advise.

Regards,

Uttam