Single Sign On Configuration
1. Ensure the hosts file of both the ABAP and the Portal server contains the full DNS hostname of the server (e.g. abcdprd.sapserver.com).
2. Ensure that there is an entry in the services file for the gateway service on both servers (sapgw00 3300/tcp).
3. Logon to the Portal (URL: http://abcdprd.sapserver.com:50000/irj/portal) using the administrator user id and password.
4. Go to System Administration -> System Configuration -> Keystore Administration.
5. Export SAPLogonTicketKeypair-cert -> EP Certificate onto the local desktop (verify.der file); extract the file from the zip.
6. Install the SAP Cryptographic Library on the connecting SAP system (download the Crypto Lib from http://service.sap.com/swdc).
7. It may be necessary to set the environment variables USER=<sid>adm and SECUDIR=/usr/sap/<SID>/DVEBMGS<nn>/sec in the <sid>adm environment.
Note: Steps 4 & 5 may not be necessary; with WAS 640 the SAP Cryptographic Library is already present in the kernel directory.
8. On the ABAP system set the profile parameters to accept and create SAP logon tickets:
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
icm/host_name_full = hostname.domainname.com
9. Restart the connecting SAP system(s) after the parameter changes.
10. Run transaction STRUSTSSO2 in the connecting SAP system. Import the EP certificate into SAP and add it to the Certificate List (PSE) as well as to the ACL. Provide the details SID: EPP, CLNT: 000 -> save the configuration.
11. In transaction STRUSTSSO2 go to Environment -> SAP Logon Tickets; specify RFC Destination as NONE and execute (everything should be green, including the version information of SECULIB).
12. STRUSTSSO2 -> Environment -> SAP Logon Tickets; do not specify an RFC Destination and execute (everything should be green, including the version information of SECULIB).
13. For 6.40 systems (Integrated ITS) check the SICF setting for /default_host/sap/bc: right click, Activate -> group activate.
14. For 6.40 systems (Integrated ITS) check the SICF setting for /default_host/sap/bc/gui/sap/its. Click Settings and ensure the parameters below are set:
~MYSAPCOMUSESSO2COOKIE 1
~LOGIN
~PASSWORD
~COOKIES 1
15. For 6.20 systems, go to the ITS directory under the services folder, edit the file global.srvc and ensure the following parameters are set:
~mysapcomusesso2cookie 1
~login
~password
~cookies 1
Restart the ITS for 6.20.
16. Set the relevant parameters in the Systems defined in EP (User Management -> SAPLOGONTICKETS, ITS settings, Connector settings).
UME Configuration (change the UME user store to an ABAP database):
17. Create the J2EE_GUEST and SAPJSF_EPD users in the ABAP system as communication users. Roles for the SAPJSF user: SAP_BC_JSF_COMMUNICATION, SAP_BC_JSF_COMMUNICATION_RO and SAP_BC_USR_CUA_CLIENT_RFC (only needed if CUA is in use).
Note: Generate the above two roles after the user assignment.
18. Do not assign any role to J2EE_GUEST.
19. Ensure that the users defined in the ABAP system are not already available in EP (delete the users in EP if required, or vice versa).
20. Start configtool and set the parameters below under Cluster data -> Global Server Configuration -> Services -> com.sap.security.core.ume.service:
- ume.login.guest_user.uniqueids = J2EE_GUEST
- ume.logon.security_policy.auto_unlock_time = 9999999
- ume.logon.security_policy.lock_after_invalid_attempts = 0
- ume.logon.security_policy.oldpass_in_newpass_allowed = FALSE
- ume.logon.security_policy.password_max_length = 8
- ume.logon.security_policy.useridmaxlength = 12
- ume.persistence.data_source_configuration = dataSourceConfiguration_r3.xml
  (dataSourceConfiguration_r3_rw.xml -> this template is used for read/write on both the Portal and the ERP side; we have set this for ECC in DMS)
- ume.r3.connection.master.ashost = mdecctst.corp.mahindra.com
- ume.r3.connection.master.client = 300
- ume.r3.connection.master.user = SAPJSF_EPD
- ume.r3.connection.master.passwd = ******
- ume.r3.connection.master.sysnr = 00
21. Restart EP.
Problems encountered:
22. An mshost problem was reported while starting EP. The cause was that we had defined ume.r3.connection.master.r3name (this parameter is only to be specified when using logon groups).
23. J2EE_GUEST was not created in the ABAP database; EP refused to start.
24. Some users were reported twice in the user management screen in EP. This was because identical users were present in both EP and ABAP before changing the UME configuration. Deleted the EP user from EP.
User SAPJSF_EPP has no RFC authorization for function group SYS (role generation problem).
Testing:
Logon with a user created in ABAP (this user should not have been created earlier in the Portal). You will see the screen as given below.
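As an added example (not part of the original post), a small Python checker that validates the ABAP-side settings from steps 2 and 8 and the UME properties from step 20 against this procedure. All inputs are constructed samples; the r3name finding mirrors problem 22 above, and the note on lock_after_invalid_attempts = 0 (no lockout on failed logons) is a caveat added here.

```python
import re
# Constructed sample inputs (not from a real system): an ABAP instance
# profile, an excerpt of /etc/services and the UME properties from configtool.
PROFILE = """\
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
icm/host_name_full = abcdprd.sapserver.com
"""
SERVICES = "sapdp00 3200/tcp\nsapgw00 3300/tcp\n"
UME = {
    "ume.login.guest_user.uniqueids": "J2EE_GUEST",
    "ume.logon.security_policy.lock_after_invalid_attempts": "0",
    "ume.persistence.data_source_configuration": "dataSourceConfiguration_r3.xml",
    "ume.r3.connection.master.r3name": "EPD",  # the mistake from problem 22
}
# ABAP profile values the procedure requires (step 8).
EXPECTED_PROFILE = {"login/create_sso2_ticket": "2",
                    "login/accept_sso2_ticket": "1"}

def parse_profile(text):
    """Turn 'key = value' profile lines into a dict, ignoring '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def check_sso(profile_text, services_text, ume, sysnr="00"):
    """Return a list of findings; an empty list means the setup matches."""
    findings = []
    prof = parse_profile(profile_text)
    for key, want in EXPECTED_PROFILE.items():
        if prof.get(key) != want:
            findings.append(f"{key} should be {want}, is {prof.get(key)}")
    # step 8: ticket issuer name must be the fully qualified host name
    if "." not in prof.get("icm/host_name_full", ""):
        findings.append("icm/host_name_full is not a fully qualified hostname")
    # step 2: gateway service sapgw<nn> on port 33<nn>
    if not re.search(rf"^sapgw{sysnr}\s+33{sysnr}/tcp", services_text, re.M):
        findings.append(f"services file lacks sapgw{sysnr} 33{sysnr}/tcp")
    # problem 22: r3name is only valid together with logon groups (mshost error)
    if "ume.r3.connection.master.r3name" in ume:
        findings.append("ume.r3.connection.master.r3name set without logon groups")
    # caveat: 0 means users are never locked after failed logons
    if ume.get("ume.logon.security_policy.lock_after_invalid_attempts") == "0":
        findings.append("lock_after_invalid_attempts=0: no lockout on failed logons")
    return findings
```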