on 05-03-2005 11:39 AM
Hello Everybody,
I want to add single sign-on functionality in webdynpro without using the portal. When I run my application it should present a login page, which has been done by checking the Basic authentication check box when creating the application. Now, when I run my application and provide the correct username and password, it should create an SAP logon ticket in the web browser.
But I have checked for the SAP logon ticket cookie, MYSAPSSO2. This cookie is not created after a successful login. I have also checked the security.log file for the same.
But I didn't find it. So it means the ticket is not generated after a successful login. Is any other procedure required to accomplish this?
Thanks in Advance,
Bhavik
Hi
We are also trying out the same scenario and had configured all the SSO settings, but we are facing the same 401 error.
Can you please let us know how you solved this problem?
Regards
Arpit Seth
Hi Patrick,
I tried the Car rental application as suggested in the PDF. Now the webservice for car rental is working fine. But I am still getting an unauthorized error in my own webservice. I checked the difference between these two webservices. I found only one difference, i.e. the Stateful communication option in the logical port of the web service model in webdynpro.
In the car rental application, which is already available as a tutorial application, Stateful communication is set to "Stateless communication", whereas in my application the stateful communication value is set to "Use HTTP cookie-based sessions".
So, what is the difference between these two?
And I can't even change these values.
Thanks,
Bhavik
Hi Patrick,
I have already done everything described in that link.
Now I will explain both scenarios in detail.
1. Webdynpro to webdynpro
I have created one application with user authentication and deployed the same application on two different J2EE servers. Now, I have added one Link to URL element in one view of the application, which points to the same application running on the other WAS server.
So, when my application runs for the first time, it asks for authentication, and then it generates an SAP logon ticket in the browser. Now, I click on the "link to URL", which points to the same application running on the other WAS server, and I am loading this in the same browser. So, it should accept the ticket already created and should not ask for authentication a second time.
But the application can't accept that ticket.
For this I have imported the certificate of the first WAS server, and also specified the required parameters for the ACL in EvaluateTicketLoginModule.
2. Webdynpro to webservice
For this, I have created a webdynpro application with user authentication. I have imported a webservice model into it. This webservice is deployed on the same WAS server. In the webservice configuration file, I have specified HTTP authentication and Use SAP Logon Ticket.
I have also created one Destination in Visual Administrator. Then, in webdynpro, before calling the model for this webservice I specified the DestinationName too.
When I run the application and authenticate, it creates the ticket too. But when I call the webservice it gives me a User unauthorized error.
--> One thing I would like to mention is that both WAS servers are developer workstations. Both servers' SIDs are the same, i.e. J2E.
What do you think I am missing?
Thanks,
Bhavik
Hi,
In the first scenario, for webdynpro to webdynpro, I am using
Browser -> webdynpro
-> webdynpro (SSO).
And for the second scenario, for webdynpro to webservice,
Browser -> webdynpro -> webservice.
Hi Bhavik,
If I get your response right, in both cases the browser only interacts with the first WD application, which in turn communicates with the latter (either WD or WebService). So please have a look at the link shown above, as this is the more accurate source of information for your problem. SSO is usually the term used if a browser has to access different applications on the same (intra server) or on different servers by authenticating only once. What you are trying to achieve is forwarding the user's identity to a backend service. The SAP standard way to do this usually is making use of the destination service.
Regards,
Patrick
Hi,
Troubleshooting guide for SSO
Scenario 1:
1) Check whether user exists in both systems
Yes, the users exist on both systems.
I am using the administrator user only.
2) Check whether servers are in the same domain
Both servers seem to be in the same domain. But I have one
question. At the time of installing the server, I
chose local installation. There were three
choices there: Local installation, Installation in
domain of the current user and Installation in
different domain. From these, I chose Local
installation for both servers.
So, is it in the same domain?
3) Check whether there are appropriate entries in keystore for server which accepts ticket
Yes, the entries are there and are also correct.
Scenario 2:
1) Check whether logical port in proxy has appropriate settings (Security tab->Authentification->"HTTP Authentification" "Use SAP Logon Ticket")
Yes, I have checked "Use SAP Logon Ticket".
Thanks for your reply.
But is it not possible for simple HTTP, meaning without a secure connection?
I have two scenarios.
1. I want to call from a webdynpro application running on one
WAS to a webdynpro application running on another WAS.
But, in this case, when I try to call the webdynpro
application running on the other server from the first
webdynpro application, it asks me to log in twice.
It should not ask me to log in a second time, as I
have already logged in to the first application, and it
creates a logon ticket. So now the application running on
the other WAS should accept this logon ticket and
should not ask for login.
But it is asking for login a second time too.
So, what am I missing in this?
2. I want to call a webservice from webdynpro using
logon tickets. Both are on the same server. But
when I call my web service it gives me
the following exception.
Service call exception; nested exception is: com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized.
So, I am guessing that the web service is not accepting the ticket properly.
I have checked that the ticket is created properly.
Thanks in advance,
Bhavik
Hi,
Troubleshooting guide for SSO :-):
Scenario 1:
1) Check whether user exists in both systems
2) Check whether servers are in the same domain
3) Check whether there are appropriate entries in keystore for server which accepts ticket
Scenario 2:
1) Check whether logical port in proxy has appropriate settings (Security tab->Authentification->"HTTP Authentification" "Use SAP Logon Ticket")
Regards, Maxim R.
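An added example, not part of any post in this thread: the "same domain" check for Scenario 1 expressed as the browser's own cookie-scoping rules (RFC 6265), assuming "domain" refers to the DNS domain the MYSAPSSO2 cookie is scoped to. All host names and Set-Cookie headers are constructed samples, and the function names are hypothetical.

```javascript
// Added example: RFC 6265 cookie scoping applied to MYSAPSSO2.
// All host names and Set-Cookie headers used with it are constructed samples.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), domain: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "domain" && value !== "") {
      cookie.domain = value.replace(/^\./, "").toLowerCase(); // leading dot is ignored
    } else if (key.toLowerCase() === "secure") {
      cookie.secure = true;
    }
  }
  return cookie;
}

const isIpAddress = (host) => /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");

// RFC 6265 section 5.1.3: identical, or a dot-separated suffix of a non-IP host.
function domainMatches(host, domain) {
  if (host === domain) return true;
  return !isIpAddress(host) && host.endsWith("." + domain);
}

// Would a browser that received `setCookie` from `issuingHost` send it to `targetUrl`?
function ticketReaches(setCookie, issuingHost, targetUrl) {
  const cookie = parseSetCookie(setCookie);
  const issuer = issuingHost.toLowerCase();
  const target = new URL(targetUrl);
  if (cookie.domain === null) {
    // No Domain attribute: host-only cookie, returned to the issuing host alone.
    if (target.hostname !== issuer) return { sent: false, reason: "host-only cookie" };
  } else if (!domainMatches(issuer, cookie.domain)) {
    return { sent: false, reason: "browser rejects Domain not covering issuer" };
  } else if (!domainMatches(target.hostname, cookie.domain)) {
    return { sent: false, reason: "target outside cookie domain" };
  }
  if (cookie.secure && target.protocol !== "https:") {
    return { sent: false, reason: "Secure cookie not sent over HTTP" };
  }
  return { sent: true, reason: "in scope" };
}

const ticket = "MYSAPSSO2=CONSTRUCTED; path=/; domain=.corp.example";
console.log(ticketReaches(ticket, "was1.corp.example", "http://was2.corp.example:50000/webdynpro/"));
console.log(ticketReaches("MYSAPSSO2=CONSTRUCTED; path=/", "pc-one", "http://pc-two:50000/webdynpro/"));
```

If the second server never receives the cookie, its ticket-evaluating login module has nothing to check, so a repeated login prompt can occur before keystore or ACL settings come into play.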
Hi Bhavik,
could you please explain your scenario a bit better? You stated:
> 1. I want to call webdynpro application running on one
> WAS to webdynpro application running on another WAS.
This sounds more like a connection like:
Browser -> WebDynpro1 -> WebDynpro2,
whereas the discussion so far was about
Browser -> WebDynpro1
-> WebDynpro2 (SSO)
In the first case, you may want to have a look at a tutorial from the documentation: https://www.sdn.sap.com/sdn/developerareas/security.sdn?page=application_access_protection_tutorials...
which explains just this scenario, as there are some pitfalls you need to bypass.
This is not the same as browser-based SSO, as you have to make sure that your own application forwards the cookie to the backend (you are also talking about a webservice).
Regards,
Patrick Hildenbrand
Hi,
After installing the J2EE, configuring SSO is difficult (even I am not sure :-(( ) because you need to map the users manually!!!
During installation you have the option to select "strong" cryptography. Then you need to deploy the cryptography library.
Please go through the following link.
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/security/how to configure sso in a complex system landscape.pdf
Regards, VIP
Hi Anilkumar,
Could you please elaborate on this so I can understand it properly?
What are the exact steps for it?
I have the J2EE server already installed, so can I do the same after installation?
Thanks,
Bhavik
Hi,
I've followed the steps below to accept certificates in webdynpro.
1. While installing J2EE, I configured UME with the ABAP backend system.
2. After installation you need to import the certificate from the backend into the securestorage.
Make sure that SSL is running.
Regards, VIP
Hey SAP experts,
No reply to my query...
If anybody has an idea about this error and how to resolve it, then please help me.
Thanks In advance,
Bhavik
Hi Maksim,
I have set severity to all.
Hi Pran,
I checked the cookies with javascript:document.cookie
and now I can see the cookie for MYSAPSSO2.
That means the ticket is being created properly, right?
But from webdynpro, I am trying to call a webservice which is created on the same WAS server using accept SAP logon ticket. But it gives the following exception.
Service call exception; nested exception is: com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized.
So, what is the reason for that?
Thanks,
Bhavik
I am checking for the cookie MYSAPSSO2. This cookie is not created. I also checked security.log under Cluster ->Server0 -> log -> system. Here too I can't find any message about creating a ticket.
Thanks,
Bhavik
Hm, try the following:
Go to the "log configurator" service. Switch to advanced mode. Go to location, select "com.sap.security.core.server.jaas", set "severity" to "All" and save it, because a lot of traces in CreateTicketLoginModule are debug.
Cluster ->Server0 -> log -> system - > security.log is not the place where this information is stored. Look at Cluster ->Server0 -> log -> defaultTrace.trc.... There should be something like "SAP Logon Ticket added to private credentials."
P.S.
Are you using HTTPWatch or a similar tool to see cookies?
P.P.S.
Does the "ticket" component in the security provider contain all 3 login modules with appropriate flags and options?
Hi Bhavik
Just some additional clarifications.
->The ticket template need not be assigned to a web dynpro application, because any changes on the ticket template affect all web dynpro applications globally
->From my testing it does not seem the login modules need to be configured for ticket creation on the client side. The createTicketLogin module is for creation of tickets at the application level, which can be propagated to backend SAP systems through RFC calls
->The easiest way to check if MYSAPSSO2 has been created is to type this into the browser after a successful login
javascript:document.cookie
This will display all the cookies that are available in that client scope. (Using the browser to prompt for every cookie deposition sometimes does not help to ascertain what cookies have been created.)
Regards
Pran
Hi Maksim,
It's already there.
So, for that reason, when running the application it shows the login page. But after a successful login the SAP logon ticket is not created.
Thanks,
Bhavik
Yes, I know about that authentication template "Ticket" in the security provider. But we need to assign this template to our application, and I don't know where we can assign this ticket template to our webdynpro application.
And you are talking about "sap.authentication", which is the same as checking the checkbox at the time of creating the application?
If not, then where do we have to set this property and what do we need to set for it?
thanks,
Bhavik
Hello Maksim,
Yes, I have already gone through all these documents. But for a webdynpro application, how can we adjust our login module stack? I have even applied the ticket template for one J2EE application. But at the time of running this application it doesn't prompt for the login page.
I understood the whole process of accepting a ticket. But I am not clear on how to create this ticket.
Thanks,
Bhavik
Hi,
Visual Admin->Server->Services->Security provider. Runtime tab, Policy configuration tab. In components select "ticket". What is in the "login modules" table? Did you define the "sap.authentification" property for your application? Because as far as I can see, if we use the anonymous user the "MYSAPSSO2" cookie is not created.
Regards, Maxim R.
Hi,
Are you familiar with this document http://help.sap.com/saphelp_nw04/helpdata/en/8c/f03541c6afd92be10000000a1550b0/frameset.htm ? Look at http://help.sap.com/saphelp_nw04/helpdata/en/aa/bf503e1dac5b46e10000000a114084/content.htm
regards, Maxim R.