04-18-2011 2:40 PM
Hi everyone,
I was trying to achieve SSO between SAP EP (ep.domain1.com) and a backend ABAP (abap.domain2.com).
I followed this guide before dealing with the particular cross-domain issues:
/people/dennis.kleymeonov/blog/2005/09/15/connecting-sap-systems-to-enterprise-portal-with-sso
To achieve the cross-domain config I was trying to log into the portal to configure an appintegrator iView on the second domain, but now I can't log in to the portal.
I get the following error:
Source: com.sap.engine.services.security.exceptions.BaseSecurityException: AddPermission[com.sap.engine.lib.security.EnginePermission] fails.; Description: Code permissions for domain[sap.com/com.sap.portal.fpn.shared] and keystore operation [{VIEW_ALIASES TicketKeystore }] are not granted; Consequences: domain [sap.com/com.sap.portal.fpn.shared] has not code permission to execute keystore operation [{VIEW_ALIASES TicketKeystore }]; Countermeasures:check log for details[]
And the following warning:
LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule OPTIONAL ok exception true Received no SAP Authentication Assertion Ticket.
Does anyone know how to undo the SSO configuration on the portal so I can log in normally and first do the Cross Domain config?
Versions are:
SAP EP 7.0 EHP2
WAS ABAP 7.02
Thanks!
04-30-2011 12:53 AM
Hi,
Have you added this EvaluateAssertionTicketLoginModule? If you set the login module stack to the one below you should be able to authenticate normally:
EvaluateTicketLoginModule SUFFICIENT
BasicPasswordLoginModule REQUISITE
CreateTicketLoginModule OPTIONAL
You can change it in the Visual Administrator -> server -> services -> security provider. In the Components list select ticket and change it there. Save and it should work.
Thanks,
Anderson
05-05-2011 10:48 AM
Hi everyone,
Issue resolved. I describe the steps:
1.- Changes in RZ10 of WAS ABAP weren't saved correctly. We have re-added the parameters login/accept_sso2_ticket=1 and login/create_sso2_ticket=2.
2.- To resolve the Cross-Domain issue in the easiest way, we have defined a DNS alias for the backend so that it is in the same domain as the portal, and changed the EP Conf so that the system (representing the backend) points to the new URL.
That's all.
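
Why the DNS alias in step 2 works, as an added example that is not part of the original thread: the portal's logon ticket travels in a browser cookie (MYSAPSSO2), and a browser only sends a cookie to hosts covered by its Domain attribute (RFC 6265). The Domain=domain1.com setting and the alias name abap.domain1.com are assumptions for illustration.

```javascript
// Added example: RFC 6265 cookie scoping applied to the hosts in this thread.
// Assumption: the portal issues its logon ticket cookie (MYSAPSSO2) with
// Domain=domain1.com. "abap.domain1.com" is a hypothetical DNS alias.

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Strip a leading dot and lowercase, as RFC 6265 section 5.2.3 requires.
function canonical(domain) {
  return domain.trim().toLowerCase().replace(/^\./, "");
}

// RFC 6265 section 5.1.3: host matches if identical, or if it ends with
// "." + cookieDomain and is a host name rather than an IP address.
function domainMatch(host, cookieDomain) {
  const h = canonical(host);
  const d = canonical(cookieDomain);
  if (h === d) return true;
  if (IPV4.test(h) || h.includes(":")) return false;
  return h.endsWith("." + d);
}

// Decide whether a cookie set by issuerHost reaches targetHost.
// domainAttr === null models a host-only cookie (no Domain attribute).
function ticketReaches(issuerHost, domainAttr, targetHost) {
  if (domainAttr === null) {
    return canonical(issuerHost) === canonical(targetHost);
  }
  // A browser discards a cookie whose Domain does not cover its issuer,
  // so the portal cannot set a cookie for domain2.com.
  if (!domainMatch(issuerHost, domainAttr)) return false;
  return domainMatch(targetHost, domainAttr);
}

const PORTAL = "ep.domain1.com";
const cases = [
  ["domain1.com", "abap.domain2.com"], // original backend URL
  ["domain2.com", "abap.domain2.com"], // portal trying to set a foreign domain
  ["domain1.com", "abap.domain1.com"], // backend behind the DNS alias
  [null, "abap.domain1.com"],          // host-only cookie, alias does not help
];
for (const [attr, target] of cases) {
  console.log(`Domain=${attr} -> ${target}: ${ticketReaches(PORTAL, attr, target)}`);
}
```

Only the third case returns true: the alias helps because the backend host then falls under the domain the ticket cookie is scoped to. The sketch does not model public-suffix checks or the Path and Secure attributes.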