SSO-SAP Logon Ticket Configuration


Single Sign-On with Logon Tickets

Purpose

Logon tickets represent the user credentials. The portal server issues a logon ticket to a user after successful initial authentication. The logon ticket itself is stored as a cookie (MYSAPSSO2) on the client and is sent with each request of that client. It can then be used by external applications such as SAP systems to authenticate the portal user to those external applications without any further user logons being required.

Logon tickets contain information about the authenticated user. They do not contain any passwords. Specifically, logon tickets contain the following items:

1. Portal user ID and one mapped user ID for external applications

2. Authentication scheme

3. Validity period

4. Information identifying the issuing system

5. Digital signature

When using logon tickets, one system must be the ticket-issuing system. This can either be the portal or another system. We recommend using the portal as the ticket-issuing system, since the portal should be a user’s single point of access to all applications.

To allow SSO using logon tickets between the portal and its component systems, perform the following steps:

1. Configure the component systems to accept and verify logon tickets

2. Configure the portal server to allow SSO with logon tickets

First of all, make sure that all systems, i.e. the Portal, the BI WAS (WAS ABAP) and the J2EE Server (WAS Java), belong to the same DNS domain. The logon ticket is a cookie scoped to the portal's domain, and the browser only sends it to hosts within that domain.

Enter the fully qualified host name of each system in the hosts file of the Windows system (C:\winnt or C:\windows\system32\drivers\etc\hosts).

Make the following entries (the IP addresses shown are placeholders):

#IP ADDRESS hostname FQDN

*.*.*.* ts999epd ts999epd.dom999.com

*.*.*.* ts999bwd ts999bwd.dom999.com

…..

Create these entries in the hosts file on the server and on all client systems.


Configure the component systems to accept and verify logon tickets:

Download the public-key certificate of the portal server

Use the Keystore Administration tool to download the verify.der file from the portal. verify.der holds only the public key of the SAPLogonTicketKeypair; the private key used to sign tickets never leaves the portal keystore.

Log in to the portal with an Administrator user.

Navigate to System Administration -> System Configuration -> Keystore Administration

Select SAPLogonTicketKeypair-cert

Click Download verify.der file

Click Save.

Unzip verify.der.zip to obtain the verify.der file.


Import the public-key certificate of the portal server into the component system's certificate list and add the portal server to the ACL of the component system

In the SAP system, start transaction STRUSTSSO2.

In the certificate section, choose Import Certificate.


The Import Certificate screen appears.

Choose the File tab.

In the File path field, enter the path of the portal’s verify.der file.

Set the file format to Binary and confirm.


Click Add to Certificate List.

Choose Add to ACL to add the portal server to the ACL.


In the dialog box that appears, enter the portal's system ID and client. By default, the portal's system ID is the common name (CN) of the distinguished name entered during installation of the portal. The default client is 000. The ACL entry must match the system ID and client that the portal writes into its tickets: a ticket whose issuer is not in the ACL is rejected even if its signature verifies against an imported certificate, so add only the portal that actually issues tickets.


Save your entry.

Set profile parameters

In the SAP system, the instance profile must be changed so that the system accepts logon tickets. Perform the following steps:

Start transaction RZ10


Select the instance profile

Check the Extended Maintenance option and click the Change button


Click Create Parameters

Create the parameters

o login/accept_sso2_ticket = 1

o login/create_sso2_ticket = 2

o icm/host_name_full = FQDN of the SAP system (e.g. itc.corp.com)


• Save, activate and restart the ABAP system. Profile changes made in RZ10 take effect only after the instance is restarted. Note that login/accept_sso2_ticket = 1 is what makes the system accept the portal's tickets; login/create_sso2_ticket controls whether this ABAP system itself issues tickets.
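The following script, added here as an example (it is not part of the original document and not SAP code), checks the two conditions the steps above set up: that the ABAP host's fully qualified name lies inside the domain for which the portal's ticket cookie is set (the reason all systems must share a domain), and that the instance profile carries the parameters entered in RZ10. The profile text is constructed for the example, the cookie domain dom999.com is assumed from the host names used above, and the login/ticket_only_by_https check is an extra hardening recommendation that the page itself does not mention.

```python
"""Pre-flight check for logon-ticket SSO from a portal to an ABAP system.

Two things decide whether the ticket arrives and is accepted:
  1. the browser only sends the MYSAPSSO2 cookie to hosts inside the cookie's
     domain, so the ABAP host's FQDN must lie in the portal's cookie domain;
  2. the ABAP instance profile must carry the parameters set in RZ10.

Added example, not from the page or from SAP. The profile text is constructed.
Parameter names are the real ones from the page; login/ticket_only_by_https
is an extra hardening check not mentioned on the page.
"""
import ipaddress

# Constructed ABAP instance profile in RZ10 "name = value" form (not real).
SAMPLE_PROFILE = """\
# ts999bwd instance profile (constructed for this example)
SAPSYSTEMNAME = BWD
INSTANCE_NAME = DVEBMGS00
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2
icm/host_name_full = ts999bwd.dom999.com
"""


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' lines and blanks are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def domain_match(host, cookie_domain):
    """RFC 6265 domain matching as a browser applies a cookie's Domain attribute.

    True when host equals cookie_domain or is a subdomain of it. An IP literal
    never matches by suffix, so a cookie for "dom999.com" is never sent to 10.1.2.3.
    """
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    try:
        ipaddress.ip_address(host)
        return host == cookie_domain  # IP literal: exact match only, never a suffix match
    except ValueError:
        pass
    return host == cookie_domain or host.endswith("." + cookie_domain)


def check_abap_profile(params, cookie_domain):
    """Return (errors, warnings). Errors block SSO; warnings are hardening advice."""
    errors, warnings = [], []
    if params.get("login/accept_sso2_ticket") != "1":
        errors.append("login/accept_sso2_ticket must be 1, otherwise tickets are rejected")
    host = params.get("icm/host_name_full", "")
    if "." not in host:
        errors.append("icm/host_name_full must be fully qualified, got %r" % host)
    elif not domain_match(host, cookie_domain):
        errors.append("icm/host_name_full %r is outside the cookie domain %r, "
                      "so the browser never sends MYSAPSSO2 to it" % (host, cookie_domain))
    # login/create_sso2_ticket only matters if this ABAP system also issues tickets.
    if params.get("login/create_sso2_ticket", "0") == "0":
        warnings.append("login/create_sso2_ticket is 0: this system accepts tickets but does not issue them")
    # Not on the page: with value 1 the ticket cookie is only ever sent over HTTPS.
    if params.get("login/ticket_only_by_https") != "1":
        warnings.append("login/ticket_only_by_https is not 1: a logon ticket may travel over plain HTTP")
    return errors, warnings


def preflight(profile_text, cookie_domain):
    """Run all checks on a profile text; returns (ready, errors, warnings)."""
    params = parse_profile(profile_text)
    errors, warnings = check_abap_profile(params, cookie_domain)
    return not errors, errors, warnings


if __name__ == "__main__":
    # Assumed: the portal ts999epd.dom999.com sets its ticket cookie for dom999.com.
    ready, errors, warnings = preflight(SAMPLE_PROFILE, "dom999.com")
    print("ready for SSO:", ready)
    for line in errors:
        print("ERROR  ", line)
    for line in warnings:
        print("WARNING", line)
```

Run it against the real instance profile (the file DEFAULT.PFL / instance profile under the SAP profile directory) before restarting the ABAP system; a short host name in icm/host_name_full is the most common reason the ticket never reaches the backend.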

Configure the portal server to allow SSO with logon tickets

Add-In installations only: change the J2EE Engine client used in the logon tickets

This configuration applies only to dual-stack (add-in) installations, i.e. J2EE + ABAP engine installations. It is not required for the standalone portal used here.

Configure the lifetime of the logon ticket

Go to System Administration -> System Configuration -> UME Configuration -> Security Settings and set the time for 'Lifetime of Logon Ticket'. Choose the shortest lifetime that is acceptable to users: a stolen ticket cookie remains usable on every system that trusts the issuer until it expires.

Map portal user IDs to user IDs in other systems

If users' portal user IDs are the same as their user IDs in the component systems, this mapping is not necessary. (The scenario with differing user IDs is dealt with in the next document.)

SAP systems only: set the logon method to Logon Tickets in the portal system landscape

Create a system object to connect to the SAP system. Provide all the details in the 'Connector' property category.

In the 'User Management' property category, set the value of the property Logon Method to SAPLOGONTICKET.

Save your changes.


Now everything is set and ready for the bang.

Test the application:

Go to System Administration -> Support -> SAP Application -> SAP Transaction

Select the system you have just created, provide a transaction code, e.g. SE38, choose SAP GUI for Windows as the SAP GUI type and press the 'Go' button.

You have entered the SAP system without providing logon details, using SAP Logon Tickets.


Troubleshooting

This error occurs when you access the backend system with the SAP Logon Ticket method without having configured SSO using logon tickets.

Once you configure the logon ticket, this error is resolved.


Changing the logon stack

Apart from this setup, we need to adjust the JAAS login module stack for the 'irj' application in the portal through the Visual Administrator.

The steps required for doing this are:

• Log in to the Visual Administrator with Administrator privileges
• Select Cluster -> Server -> Services -> Security Provider
• On the Policy Configurations tab, select sap.com/irj*irj and add a new login module
• Select CreateTicketLoginModule from the list, set the flag to SUFFICIENT and the options to NONE

Now you will have BasicPasswordLoginModule (flag OPTIONAL) and CreateTicketLoginModule (flag SUFFICIENT), in that order. The previous steps enable the portal to create logon tickets for authenticated users.
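How the two flags above combine is easy to get wrong, so here is a small simulator of the JAAS control-flag rules, added as an example and not SAP code. It takes the stack and each module's login() result as inputs (whether SAP's CreateTicketLoginModule succeeds without a previously authenticated user is not modelled, only supplied as a scenario) and reports the overall outcome and which modules actually ran. The 'strict' stack is an assumed alternative for comparison, not taken from the page.

```python
"""Simulate the J2EE Engine's JAAS login-module stack for the irj application.

Given the control flag of each module and whether its login() succeeded,
this applies the standard JAAS rules (REQUIRED, REQUISITE, SUFFICIENT,
OPTIONAL) to decide whether the logon as a whole succeeds and which modules
ran. Added example, not SAP code: the module outcomes are inputs to the
simulator, not a model of what the SAP modules do internally.
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

# The irj stack as configured on the page, in order.
PAGE_STACK = [
    ("BasicPasswordLoginModule", OPTIONAL),
    ("CreateTicketLoginModule", SUFFICIENT),
]

# Assumed stricter alternative for comparison (not from the page):
# a wrong password stops the stack before any ticket module runs.
STRICT_STACK = [
    ("BasicPasswordLoginModule", REQUISITE),
    ("CreateTicketLoginModule", OPTIONAL),
]


def evaluate_stack(stack, outcomes):
    """Apply the JAAS control-flag rules to a stack.

    stack:    ordered list of (module name, flag)
    outcomes: {module name: bool}, what login() returned for that module
    Returns (overall_success, list of modules that ran).
    """
    ran = []
    saw_mandatory = False       # a REQUIRED or REQUISITE module has been evaluated
    mandatory_failed = False
    optional_succeeded = False  # some SUFFICIENT or OPTIONAL module succeeded
    for module, flag in stack:
        ok = outcomes[module]
        ran.append(module)
        if flag in (REQUIRED, REQUISITE):
            saw_mandatory = True
            if not ok:
                mandatory_failed = True
                if flag == REQUISITE:
                    break       # REQUISITE failure: stop immediately
            # REQUIRED: continue down the stack whatever happened
        else:
            if ok:
                optional_succeeded = True
                if flag == SUFFICIENT and not mandatory_failed:
                    break       # SUFFICIENT success short-circuits the stack
            # OPTIONAL, or a failed SUFFICIENT: continue
    if saw_mandatory:
        return (not mandatory_failed, ran)
    # No mandatory module: at least one SUFFICIENT/OPTIONAL must have succeeded
    return (optional_succeeded, ran)


def describe(stack, outcomes):
    """Human-readable verdict for one scenario."""
    ok, ran = evaluate_stack(stack, outcomes)
    return "%s after %s" % ("LOGON OK" if ok else "LOGON FAILED", " -> ".join(ran))


if __name__ == "__main__":
    good = {"BasicPasswordLoginModule": True, "CreateTicketLoginModule": True}
    bad_pw = {"BasicPasswordLoginModule": False, "CreateTicketLoginModule": False}
    # Hypothetical: the ticket module succeeding although no module authenticated the user
    ticket_only = {"BasicPasswordLoginModule": False, "CreateTicketLoginModule": True}
    for name, outcome in [("good", good), ("bad password", bad_pw), ("ticket only", ticket_only)]:
        print("page stack,   %-12s: %s" % (name, describe(PAGE_STACK, outcome)))
        print("strict stack, %-12s: %s" % (name, describe(STRICT_STACK, outcome)))
```

With the page's flags, BasicPasswordLoginModule is OPTIONAL, so a wrong password does not by itself end the logon; the overall result then rests entirely on CreateTicketLoginModule failing when no earlier module has authenticated the user (the "ticket only" row shows what would happen if it did not). With a REQUISITE password module, a wrong password ends the stack before the ticket module is reached at all.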


SAP Notes

701205 - Single Sign-On using SAP Logon Tickets

929512 - The system is unable to interpret the SSO ticket received

If these checks do not resolve the problem and you are configuring SSO to an ABAP system, create an SM50 trace with only the Security component set to trace level 2.

To do so, run transaction SM50 and select some of the dialog work processes (around 5).

Then choose Processes -> Trace -> Active components from the menu (or use CTRL-SHIFT-F7).

Set the trace level to 2 and select only the 'Security' component. Reproduce the SSO problem and note the time.

Return to the SAP system to check the traces you just started (CTRL-SHIFT-F8 in SM50). This trace collects information at work-process level.

Therefore, you need to find the work process that handled the authentication attempt. This procedure is described in Note 495911 in more detail.


This is my entry for R/3 in my EP server. The same should be done in the hosts file of the R/3 server.


This is my entry in the services file of the EP.