November 8, 2012

Single Sign On Configuration


1. Ensure that the hosts file on both the ABAP and the portal server contains the full DNS hostname of the server (eg:

2. Ensure that there is an entry in the services file for the gateway service on both servers (sapgw00 3300/tcp).

3. Log on to the Portal (URL:  using the administrator user ID and password.

4. Go to System Administration -> System Configuration -> Keystore Administration.

5. Export SAPLogonTicketKeypair-cert (the EP certificate) to the local desktop. It is downloaded as a zip file; extract it and check that it contains verify.der.

6. Install the SAP Cryptographic Library on the connecting SAP system. (Extract the Crypto Lib from

7. You may need to set the environment variables USER=<sid>adm and SECUDIR=/usr/sap/<SID>/DVEBMGS<nn>/sec in the <sid>adm environment.

Note: The cryptographic library steps (6 and 7) may not be necessary; with WAS 6.40 the SAP Cryptographic Library is already present in the kernel directory.

8. On the ABAP system set the profile parameters that accept and create SAP Logon Tickets:
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
icm/host_name_full =
(Value 2 creates tickets without embedding the certificate. icm/host_name_full must be the fully qualified name and must lie in the same DNS domain as the portal, because the logon ticket is a cookie issued for that domain.)

9. Restart the connecting SAP system(s) after the parameter changes.

10. Run transaction STRUSTSSO2 in the connecting SAP system.

Import the EP certificate into SAP; add it to the certificate list of the system PSE as well as to the ACL. The ACL entry is what decides whose tickets the system accepts, so only the portal's issuing system should be listed.

Provide the details (CLNT: 000) and save the configuration.

11. In transaction STRUSTSSO2 go to Environment -> SAP Logon Tickets; specify RFC destination NONE and execute. Everything should be green, including the version information of SECULIB.

12. Repeat STRUSTSSO2 -> Environment -> SAP Logon Tickets without specifying an RFC destination and execute. Again everything should be green, including the version information of SECULIB.

13. For 6.40 systems (integrated ITS) check the SICF setting for /default_host/sap/bc: right-click and choose Activate (group activation).

14. For 6.40 systems (integrated ITS) check the SICF setting for /default_host/sap/bc/gui/sap/its.

Click Settings and ensure the parameters below are set:
~LOGIN
~PASSWORD
~COOKIES 1
Do not store a fixed user and password in ~LOGIN and ~PASSWORD; a service with a hard-coded logon lets every caller in as that user instead of using the ticket.

15. For 6.20 systems, go to the ITS directory, edit the file global.srvc under the services folder and ensure the following parameters are set:
~mysapcomusesso2cookie 1
~cookies 1
Restart the ITS (6.20).

16. Set the relevant parameters in the systems defined in EP (User Management -> SAPLOGONTICKETS, ITS settings, Connector settings).
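As an added example that is not part of the original post, the Python below runs the checks behind steps 1, 2 and 8 offline, against constructed copies of /etc/hosts, /etc/services and the instance profile. The hostnames abap01.example.com and portal01.example.com, the addresses and the SID DEV are assumptions. It also checks that the two hosts share a DNS domain, which the logon-ticket cookie requires and which the post's steps assume rather than state.

```python
# Added example, not from the original post: offline pre-flight checks for
# steps 1, 2 and 8. HOSTS, SERVICES and PROFILE are constructed samples; the
# hostnames, addresses and SID are assumptions.

HOSTS = """\
127.0.0.1   localhost
10.0.0.11   abap01.example.com abap01
10.0.0.12   portal01.example.com portal01
"""

SERVICES = """\
# constructed excerpt of /etc/services
sapdp00     3200/tcp
sapgw00     3300/tcp
sapgw00s    4800/tcp
"""

PROFILE = """\
SAPSYSTEMNAME = DEV
INSTANCE_NAME = DVEBMGS00
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
icm/host_name_full = abap01.example.com
"""


def parse_hosts(text):
    """Return every name (not the address) listed in an /etc/hosts file."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.update(line.split()[1:])
    return names


def parse_services(text):
    """Map service name -> 'port/proto' from an /etc/services file."""
    services = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            services[fields[0]] = fields[1]
    return services


def parse_profile(text):
    """Map parameter -> value from a 'name = value' instance profile."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def dns_domain(fqdn):
    return fqdn.split(".", 1)[1] if "." in fqdn else ""


def check_abap_side(hosts_text, services_text, profile_text,
                    abap_fqdn, portal_fqdn, sysnr="00"):
    """Return a list of findings; an empty list means the prerequisites hold."""
    findings = []

    # Step 1: both full DNS names must be known, and the hosts must share a
    # domain because the ticket cookie is issued for that domain.
    names = parse_hosts(hosts_text)
    for fqdn in (abap_fqdn, portal_fqdn):
        if fqdn not in names:
            findings.append(f"hosts: missing full DNS name {fqdn}")
    if dns_domain(abap_fqdn) != dns_domain(portal_fqdn):
        findings.append("hosts: portal and ABAP server are in different DNS domains; "
                        "the logon-ticket cookie will not be sent to both")

    # Step 2: gateway service entry, port 33<nn>/tcp for instance number nn.
    gateway, expected = f"sapgw{sysnr}", f"33{sysnr}/tcp"
    found = parse_services(services_text).get(gateway)
    if found != expected:
        findings.append(f"services: expected '{gateway} {expected}', found {found!r}")

    # Step 8: profile parameters for accepting and creating tickets.
    params = parse_profile(profile_text)
    if params.get("login/accept_sso2_ticket") != "1":
        findings.append("profile: login/accept_sso2_ticket must be 1 to accept portal tickets")
    if params.get("login/create_sso2_ticket", "0") == "0":
        findings.append("profile: login/create_sso2_ticket is 0, the system will not issue tickets")
    host_full = params.get("icm/host_name_full")
    if not host_full:
        findings.append("profile: icm/host_name_full is not set")
    elif host_full != abap_fqdn:
        findings.append(f"profile: icm/host_name_full is {host_full}, expected {abap_fqdn}")
    return findings


if __name__ == "__main__":
    result = check_abap_side(HOSTS, SERVICES, PROFILE,
                             "abap01.example.com", "portal01.example.com")
    for finding in result or ["all checks passed"]:
        print(finding)
```

Point the three parsers at the real files on the ABAP host (and the hosts file on the portal host) to turn this into a pre-restart check before step 9.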

UME Configuration (change the UME user store to an ABAP database)

17. Create the users J2EE_GUEST and SAPJSF_EPD in the ABAP system as communication users. Roles for the SAPJSF user: SAP_BC_JSF_COMMUNICATION, SAP_BC_JSF_COMMUNICATION_RO and SAP_BC_USR_CUA_CLIENT_RFC (the last is only needed if CUA is in use).
Note: Generate the above roles after the user assignment; a role whose profile has not been generated grants the user nothing.

18. Do not assign any role to J2EE_GUEST.

19. Ensure that the users defined in the ABAP system do not already exist in EP (delete the users in EP if required, or vice versa).

20. Start the configtool and set the parameters below under Cluster data -> Global server configuration:

    1. ume.login.guest_user.uniqueids = J2EE_GUEST
    2. ume.logon.security_policy.auto_unlock_time = 9999999
    3. ume.logon.security_policy.lock_after_invalid_attempts = 0
    4. ume.logon.security_policy.oldpass_in_newpass_allowed = FALSE
    5. ume.logon.security_policy.password_max_length = 8
    6. ume.logon.security_policy.useridmaxlength = 12
    7. ume.persistence.data_source_configuration = dataSourceConfiguration_r3.xml

Setting lock_after_invalid_attempts to 0 switches off the UME-side lockout; with an ABAP user store the ABAP parameter login/fails_to_user_lock is then the only brake on password guessing, so confirm its value there. The 8-character password and 12-character user ID limits match what the ABAP system of this release can store.

(dataSourceConfiguration_r3_rw.xml is the template for read/write access on both the portal and the ERP side; we have set this for ECC in DMS.)

    1. ume.r3.connection.master.ashost =
    2. ume.r3.connection.master.client = 300
    3. ume.r3.connection.master.user = SAPJSF_EPD
    4. ume.r3.connection.master.passwd = ******
    5. ume.r3.connection.master.sysnr = 00

21. Restart EP.

Problems encountered:

22. An mshost problem was reported while starting EP. The cause was that we had defined ume.r3.connection.master.r3name (this parameter is only to be specified when using logon groups).

23. J2EE_GUEST had not been created in the ABAP database; EP refused to start.

24. Some users were reported twice in the user management screen in EP. This was because identical users existed in both EP and ABAP before the UME configuration was changed. We deleted the EP user from EP.

25. Error "User SAPJSF_EPP has no RFC authorization for function group SYS": a role generation problem (see the note to step 17).
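As an added example that is not part of the original post, the Python below validates the UME property set from step 20 before EP is restarted and flags the r3name/ashost mix-up from problem 22 and the missing guest user from problem 23. WORKING carries the post's own parameters with a constructed host name and password; the property names msghost and group as the logon-group counterparts of r3name are an assumption to verify against your release.

```python
# Added example, not from the original post: validator for the UME properties
# set in configtool. WORKING uses the post's parameter names with constructed
# values for ashost and passwd. msghost/group as the load-balancing
# counterparts of r3name are an assumption.

WORKING = """\
ume.login.guest_user.uniqueids = J2EE_GUEST
ume.logon.security_policy.auto_unlock_time = 9999999
ume.logon.security_policy.lock_after_invalid_attempts = 0
ume.logon.security_policy.oldpass_in_newpass_allowed = FALSE
ume.logon.security_policy.password_max_length = 8
ume.logon.security_policy.useridmaxlength = 12
ume.persistence.data_source_configuration = dataSourceConfiguration_r3_rw.xml
ume.r3.connection.master.ashost = abap01.example.com
ume.r3.connection.master.client = 300
ume.r3.connection.master.user = SAPJSF_EPD
ume.r3.connection.master.passwd = ******
ume.r3.connection.master.sysnr = 00
"""

MASTER = "ume.r3.connection.master."
DIRECT = {"ashost", "sysnr"}               # direct application-server connection
BALANCED = {"r3name", "msghost", "group"}  # logon-group connection (assumed names)
ABAP_TEMPLATES = {"dataSourceConfiguration_r3.xml",
                  "dataSourceConfiguration_r3_rw.xml"}


def parse_props(text):
    """Map property -> value from 'name = value' lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_ume(props):
    """Return (errors, warnings). Errors stop EP from starting or logging users
    on; warnings are policy settings the ABAP side must now cover instead."""
    errors, warnings = [], []

    if props.get("ume.persistence.data_source_configuration") not in ABAP_TEMPLATES:
        errors.append("ume.persistence.data_source_configuration is not an ABAP template")

    # Connection: either direct (ashost+sysnr) or via logon group, never mixed.
    master = {k[len(MASTER):] for k in props if k.startswith(MASTER)}
    if DIRECT <= master and "r3name" in master:
        errors.append("r3name is set together with ashost/sysnr; drop r3name unless a "
                      "logon group is used (this produces the mshost error at EP startup)")
    elif not (DIRECT <= master or BALANCED <= master):
        errors.append("connection incomplete: need ashost+sysnr or r3name+msghost+group")
    for key in ("client", "user", "passwd"):
        if key not in master:
            errors.append(f"{MASTER}{key} is missing")

    # The guest user named here must exist in the ABAP user store (problem 23).
    if not props.get("ume.login.guest_user.uniqueids"):
        errors.append("ume.login.guest_user.uniqueids is empty; EP will not start")

    # Lockout is delegated to the ABAP system once the UME counter is 0.
    if props.get("ume.logon.security_policy.lock_after_invalid_attempts") == "0":
        warnings.append("UME lockout disabled; only login/fails_to_user_lock on the "
                        "ABAP system limits password guessing")
    max_len = props.get("ume.logon.security_policy.password_max_length")
    if max_len and int(max_len) > 8:
        warnings.append("password_max_length exceeds the 8 characters a pre-7.0 "
                        "ABAP system stores")
    return errors, warnings


if __name__ == "__main__":
    errors, warnings = check_ume(parse_props(WORKING))
    for line in errors:
        print("ERROR:", line)
    for line in warnings:
        print("WARN: ", line)
```

Run it on the property text exported from the configtool; an empty error list is the condition for step 21, and each warning names the ABAP parameter that now carries the policy.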

Log on with a user created in ABAP (this user should not have been created earlier in the portal).

You will see the screen shown below.
