11
How-to Guide SAP xRPM 4.0 How To … Configure SSO in an SAP NetWeaver 2004s Dual Stack Version 1.00 – December 2005 Applicable Releases: SAP xRPM 4.0

Sso Config Sap Dual Stack

  • Upload
    msr61

  • View
    144

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Sso Config Sap Dual Stack

How-to Guide

SAP xRPM 4.0

How To … Configure SSO in an SAP NetWeaver 2004s Dual Stack Version 1.00 – December 2005

Applicable Releases:

SAP xRPM 4.0

Page 2: Sso Config Sap Dual Stack

© Copyright 2004 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data

contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages. SAP NetWeaver “How-to” Guides are intended to simplify the product implementation. While specific product features and procedures typically are explained in a practical business context, it is not implied that those features and procedures are the only approach in solving a specific business problem using SAP NetWeaver. Should you wish to receive additional information, clarification or support, please refer to SAP Consulting. Any software coding and/or code lines / strings (“Code”) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent.

Page 3: Sso Config Sap Dual Stack

1 (Business) Scenario

As of SAP xApp Resource and Portfolio Management (SAP xRPM) 4.0, you can install SAP xRPM in a dual stack environment (ABAP and Java stack of SAP NetWeaver 2004s in one system). If you also want to implement SAP xApp Product Definition (SAP xPD) 2.0, it makes sense to keep both products in one system.

This guide explains how to configure Single Sign-On (SSO) for such a dual stack environment.

2 Introduction

The SSO configuration for a dual stack installation is different to the configuration required for distributed installations. The identity of the certificate issuer is determined by the distinguished name (DN), and the combination of system ID (SID) and client. Both the DN and SID/client pair must be unique in the whole system.

Since the ABAP stack and the Java stack use the same DN and client number (000) by default, you must change the DN and client number in the Java stack.

The sections below describe how to change this data.

This guide is written for xRPM 4.0 and SAP NetWeaver 2004s SP4. Since the guide will not be updated in the future, we strongly recommend that you check that the procedure described here is still up-to-date. Particularly when using a different basis release, such as SAP NetWeaver 2004s SR1.

For details and updates, see SAP Note 701205.

Page 4: Sso Config Sap Dual Stack

3 The Step-By-Step Solution

The following section provides an example of how to configure Single Sign-On (SSO) in a dual- stack system.

This process consists of the following steps:

1. Create a new SAPLogonTicketkeypair for the Java stack. This is necessary to have a different distinguished name (DN) to the system ID (SID) in the ABAP system.

2. Change the client of the Java stack. Since the ABAP system already uses the default client 000, you must change the client.

3. Set the ABAP profile variables so the system accepts SSO tickets.

4. Import the Java stack certificate into the ABAP stack.

3.1 Creating a New SAP LogonTicketKeypair

The distinguished name (DN) is embedded in the certificate that the Java stack issues when you log on to SAP Enterprise Portal. Since the DN of the Java stack must be different to the DN of the ABAP stack, you must rename the default SAPLogonTicketKeypair and create a new SAPLogonTicketKeypair with a different DN.

For more information, see SAP Note 701205.

1. Log on to the Visual Administrator of the Java stack as an administrator and choose cluster-data à Instance_... à server_... à services à Key Storage.

Page 5: Sso Config Sap Dual Stack

2. Navigate to TicketKeystore and rename your existing SAPLogonTicketKeypair.

Repeat this step for SAPLogonTicketKeypair-cert.

3. Create a new SAPLogonTicketKeypair as follows:

Enter a common name; make sure that you use a different common name to your SID.

Select the algorithm DSA, and select Store Certificate.

4. Choose Generate. An old pair and a new pair of SAPLogonTickets appear:

Page 6: Sso Config Sap Dual Stack

3.2 Changing the Java Stack Client

When the ABAP stack reads a certificate issued by the Java stack, it uses the combination of system ID (SID) and client number to identify the issuer. This combination must be unique. However, since the default client in the Java stack is 000 and this combination is already in use by the ABAP stack, in a dual stack installation, you must change the client number of the Java stack.

There are two locations where you can maintain the client number. Depending on whether ume.configuration.active is set to true or false, it gets the information from UME property sheet or options for the login module.

Since ume.configuration.active is set to true by default, the following steps only describe this scenario. For more information, see SAP Note 701205.

1. Check that the parameter ume.configuration.active is set to true.

Page 7: Sso Config Sap Dual Stack

2. Open the Config Tool and choose cluster-data à Instance_... à server_... à services à com.sap.security.core.ume.service à login.ticket_client

Page 8: Sso Config Sap Dual Stack

3. Enter a client number for login.ticket_client. Make sure that the client number entered here is not already in use in the ABAP stack.

4. To activate the changes to the UME settings, restart the Java stack.

3.3 Setting ABAP Profile Parameters

You must set up the ABAP stack to accept logon tickets.

Since this step is usually well-known, it is not described in this guide. See the Configuring the System for Issuing Logon Tickets section in SAP Help Portal at help.sap.com/nw2004s à English à SAP NetWeaver Library à SAP NetWeaver by Key Capability à Security à User Authentication and Single Sign-On à Authentication on the SAP Web Application Server ABAP à Using Logon Tickets à Configuring the System for Issuing Logon Tickets.

Page 9: Sso Config Sap Dual Stack

3.4 Importing the Java Stack Certificate into the ABAP Stack

The last step is to export SAPLogonTicketKeypair and import it into the ABAP stack.

1. Log on to the Visual Administrator of the Java stack as an administrator and choose <SID> à Server... à services à Key Storage

2. Select SAPLogonTicketKeypair-cert and click Export. Save the object in a folder that you can access from the PC on which the SAP GUI is running.

3. Start your SAP GUI and log on to the ABAP stack as an administrator.

Start transaction STRUSTSSO2.

Page 10: Sso Config Sap Dual Stack

4. Import the certificate into the ABAP stack.

Note: The certificate file is uploaded through the SAP GUI. This means that you do not need to browse through the server’s file system, but your PC’s file system.

Once the certificate is successfully uploaded, the certificate information appears.

5. Add the certificate to the certificate list.

The certificate appears in the top part of the screen.

6. Add the certificate to the access control list (ACL).

Note: Make sure that you enter the new client number.

Page 11: Sso Config Sap Dual Stack

7. Save your entries.

The figure below is an example of how the final screen looks:


STUDENT SSO

STUDENT SSO

Documents
STATE SAFETY VERSIGHT CORE FEATURES...1. SSO commitment 2. SSO authority, organization 3. SSO minimum standards 4. SSO enforcement apparatus 5. Methodology for accident investigations,

STATE SAFETY VERSIGHT CORE FEATURES...1. SSO commitment 2. SSO authority, organization 3. SSO minimum standards 4. SSO enforcement apparatus 5. Methodology for accident investigations,

Documents
Open sso fisl9.0

Open sso fisl9.0

Technology
e-config Installation Guidelines - IBM WWW Page e-config Installation Guidelines Page 1 of 43 e-config Upgrade Installation Guidelines Version 1.0 Author: e-config Team Owner: e-config

e-config Installation Guidelines - IBM WWW Page e-config Installation Guidelines Page 1 of 43 e-config Upgrade Installation Guidelines Version 1.0 Author: e-config Team Owner: e-config

Documents
Single Sign-On (SSO) Instructions - State of · PDF fileRegistering for Single Sign-On (SSO) and CHAMPS Create SSO User ID Create SSO Password Subscribe to CHAMPS Access CHAMPS ***Have

Single Sign-On (SSO) Instructions - State of · PDF fileRegistering for Single Sign-On (SSO) and CHAMPS Create SSO User ID Create SSO Password Subscribe to CHAMPS Access CHAMPS ***Have

Documents
zuloagarefugio.files.wordpress.com€¦  · Web viewRouter(config)#interface fa0/0. Router(config-if)#ip address 172.16.1.17 255.255.255.240. Router(config-if)#no shutdown. Router(config-if)#

zuloagarefugio.files.wordpress.com€¦  · Web viewRouter(config)#interface fa0/0. Router(config-if)#ip address 172.16.1.17 255.255.255.240. Router(config-if)#no shutdown. Router(config-if)#

Documents
SSO Case Study - cdn.ttgtmedia.comcdn.ttgtmedia.com/searchSecurity/downloads/EDITED_GRIMES_CASE.… · SSO Case Study: The USPS Gives SSO Its ... Secrets to a successful SSO project?

SSO Case Study - cdn.ttgtmedia.comcdn.ttgtmedia.com/searchSecurity/downloads/EDITED_GRIMES_CASE.… · SSO Case Study: The USPS Gives SSO Its ... Secrets to a successful SSO project?

Documents
Cisco Wide Area Application Services Command Reference · (config) aaa accounting 212 (config) alarm overload-detect 216 (config) asset 218 (config) authentication 219 (config) auto-register

Cisco Wide Area Application Services Command Reference · (config) aaa accounting 212 (config) alarm overload-detect 216 (config) asset 218 (config) authentication 219 (config) auto-register

Documents
Horizontal stacking - CiscoConfigure a Switch Stack Configuring a Network Port as Stack Port Switch1(config)# switch 1 hstack-port 1 tenGigabitEthernet1/0/1 Do you want to continue?[confirm]

Horizontal stacking - CiscoConfigure a Switch Stack Configuring a Network Port as Stack Port Switch1(config)# switch 1 hstack-port 1 tenGigabitEthernet1/0/1 Do you want to continue?[confirm]

Documents
AppScaler SSO Active Directory GuideAppScaler SSO Active Directory Guide Add one SSO Profile for AAA Server To add one SSO Profile for AAA Server: Login webUI navigate to SLB -> Profiles

AppScaler SSO Active Directory GuideAppScaler SSO Active Directory Guide Add one SSO Profile for AAA Server To add one SSO Profile for AAA Server: Login webUI navigate to SLB -> Profiles

Documents
Sso Walter

Sso Walter

Documents
 · Web viewSetting device to VTP Server mode for VLANS DLS1(config)# vlan 10 DLS1(config-vlan)# name Finance DLS1(config-vlan)# vlan 20 DLS1(config-vlan)# name Engineering DLS1(config-vlan)#

 · Web viewSetting device to VTP Server mode for VLANS DLS1(config)# vlan 10 DLS1(config-vlan)# name Finance DLS1(config-vlan)# vlan 20 DLS1(config-vlan)# name Engineering DLS1(config-vlan)#

Documents
ConfiguringSecurity - Cisco€¦ · apic1(config-host)# timeout 3 apic1(config-host)# descr "My primary RADIUS server" apic1(config-host)# key myRaDiUSpassWoRd apic1(config-host)#

ConfiguringSecurity - Cisco€¦ · apic1(config-host)# timeout 3 apic1(config-host)# descr "My primary RADIUS server" apic1(config-host)# key myRaDiUSpassWoRd apic1(config-host)#

Documents
SSO ANTECEDENTES

SSO ANTECEDENTES

Documents
SSO Manager

SSO Manager

Technology
O365/Outlook Integration with SSO - view.zendesk.com · O365/Outlook Integration with SSO FAQs Can we utilize SSO without the O365/Outlook integration and vice versa? • SSO and

O365/Outlook Integration with SSO - view.zendesk.com · O365/Outlook Integration with SSO FAQs Can we utilize SSO without the O365/Outlook integration and vice versa? • SSO and

Documents
Design Considerations for Integrated Features · DesignConsiderationsforIntegratedFeatures •SingleSign-On(SSO)Considerations,onpage1 Single Sign-On (SSO)Considerations TheSingleSign-on(SSO

Design Considerations for Integrated Features · DesignConsiderationsforIntegratedFeatures •SingleSign-On(SSO)Considerations,onpage1 Single Sign-On (SSO)Considerations TheSingleSign-on(SSO

Documents
SonicWall™ SSO API · 2020. 9. 24. · SSO API Reference Guide SSO Overview 1 3 SSO Overview This document specifies the external application program interface (API) for third party

SonicWall™ SSO API · 2020. 9. 24. · SSO API Reference Guide SSO Overview 1 3 SSO Overview This document specifies the external application program interface (API) for third party

Documents
Sun One Web SSO Config Guide

Sun One Web SSO Config Guide

Documents
Single Sign-On Instructions (SSO) - michigan.gov · Single Sign-On Instructions (SSO) Registration for the SSO Step 1: Registration to Single Sign-On (SSO) Skip this section if you’ve

Single Sign-On Instructions (SSO) - michigan.gov · Single Sign-On Instructions (SSO) Registration for the SSO Step 1: Registration to Single Sign-On (SSO) Skip this section if you’ve

Documents
Gestion Sso

Gestion Sso

Documents
SSO & Kerberos

SSO & Kerberos

Documents
Tririga sso

Tririga sso

Documents
Config SSO IBM WebSphere Portal and Domino

Config SSO IBM WebSphere Portal and Domino

Documents
Horizontal stacking a Switch Stack Configuring a Network Port as Stack Port Switch1(config)# switch 1 hstack-port 1 tenGigabitEthernet1/0/1 Do you want to continue?[confirm] New Horizontal

Horizontal stacking a Switch Stack Configuring a Network Port as Stack Port Switch1(config)# switch 1 hstack-port 1 tenGigabitEthernet1/0/1 Do you want to continue?[confirm] New Horizontal

Documents
INTRODUCING OPEN SOURCE MANO · Config. vSwitch Config. NIC Config. Acceleration Config. ... Basic NSD BASIC AND HAND-MADE NETWORK SERVICE ... •No other commercial distros were

INTRODUCING OPEN SOURCE MANO · Config. vSwitch Config. NIC Config. Acceleration Config. ... Basic NSD BASIC AND HAND-MADE NETWORK SERVICE ... •No other commercial distros were

Documents
Alfresco SSO

Alfresco SSO

Documents
WSO2Con USA 2015: Implementing SSO Across our Science-as-a-Service Web and API Stack at TACC

WSO2Con USA 2015: Implementing SSO Across our Science-as-a-Service Web and API Stack at TACC

Technology
Generic SSO

Generic SSO

Documents
Single Sign-On (SSO) Single Sign-On (SSO) Strong Authentication

Single Sign-On (SSO) Single Sign-On (SSO) Strong Authentication

Documents