Wednesday, February 15, 2012

SAP Single Sign-On Configuration: Step-by-Step SSO Configuration


Purpose of SSO:
This post gives step-by-step instructions for configuring Single Sign-On from the SAP NetWeaver Portal to the SAP (ABAP) systems. Single Sign-On uses SAP Logon Tickets: the portal issues a signed ticket once the user has authenticated, and every SAP system that trusts the portal's certificate accepts that ticket instead of asking for a password again. This streamlines the user logon while keeping strong security settings for the systems and the network.

Prerequisites for Single Sign-On:

  • SAP NetWeaver Portal and the SAP systems are in the same DNS domain. The logon ticket is a browser cookie (MYSAPSSO2) issued for the portal's domain, and the browser only sends it to hosts within that domain.
  • SAP systems are registered in the portal according to the Building Block.
  • The user performing the configuration has the Administrator roles assigned in both the portal and the SAP systems.

Export Certificate from Portal

SAP NetWeaver Portal
System Administration → System Configuration → Keystore Administration
  1. Go to System Administration → System Configuration → Keystore Administration.
  2. Select SAPLogonTicketKeypair-cert from the drop-down list (default).
  3. Choose the Download verify.der File button.
  4. Save the file to a folder on your hard drive (e.g. C:\Best_Practices\verify.der.zip).
  5. Extract the zip file and save the verify.der file to the hard drive (e.g. C:\Best_Practices\verify.der). The file contains only the public certificate of the portal's ticket signing key pair; the private key stays in the portal keystore and is not exported by this step.

Create a System User in the SAP System with the Required Roles

Check the SAP system for the SAPJSF user and the required roles:
  1. Enter transaction SU01.
  2. Choose Enter.
  3. Enter SAPJSF in the User field.
  4. Choose the Create button.
  5. Enter a Last Name in the required Last Name field.
Roles
  1. Choose the Roles tab.
  2. Enter SAP_BC_JSF_COMMUNICATION and SAP_BC_USR_CUA_CLIENT_RFC in the Roles table.
  3. Choose the Save button.
Logon Data
  1. If prompted, enter an initial password under Initial password and Repeat password.
  2. On the Logon Data tab, set the User Type to Communication so that the account can be used by the J2EE Engine over RFC but cannot be used for a dialog (SAP GUI) logon.
  3. Choose the Save button.

Check Profile Parameters

  1. Enter transaction /nRZ10.
  2. Choose Enter.
  3. Choose the Profile Browse button.
  4. Choose your Instance Profile.
  5. Choose the Extended Maintenance radio button.
  6. Choose the Change button.
  7. Make sure login/create_sso2_ticket = 2 and login/accept_sso2_ticket = 1; otherwise choose the Create Parameter button and create each parameter with its respective value. Together these let the SAP system both issue and accept logon tickets. Profile changes take effect only after the instance has been restarted (see Restart SAP System below).
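The check in step 7 can be scripted against the profile file itself, which is handy when there are many instances to audit. The following is an added example written for this post, not SAP code: it reads an instance profile in the plain "name = value" text form that RZ10 maintains, applies the two required values and reports what is missing or wrong. The profile text in the block is constructed for the example.

```python
"""Check an SAP instance profile for the SSO2 ticket parameters.

Added example, not part of the original post and not SAP code. It parses
the text form of an instance profile (the 'name = value' lines RZ10
maintains) and reports whether login/create_sso2_ticket and
login/accept_sso2_ticket carry the values the post requires.
"""

# Required values from the post: 2 = create tickets, 1 = accept tickets.
REQUIRED = {
    "login/create_sso2_ticket": "2",
    "login/accept_sso2_ticket": "1",
}


def parse_profile(text: str) -> dict:
    """Return {parameter: value} from profile text.

    Lines starting with '#' are comments; a parameter defined twice keeps
    its last definition, which is how the profile is applied at startup.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_sso_params(text: str) -> dict:
    """Compare the profile against REQUIRED.

    Returns {parameter: (status, actual)} where status is 'ok',
    'wrong' (present with another value) or 'missing'.
    """
    params = parse_profile(text)
    result = {}
    for name, wanted in REQUIRED.items():
        if name not in params:
            result[name] = ("missing", None)
        elif params[name] == wanted:
            result[name] = ("ok", params[name])
        else:
            result[name] = ("wrong", params[name])
    return result


# Constructed sample profile: one parameter wrong, the other missing.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = D2B
INSTANCE_NAME = DVEBMGS00
SAPSYSTEM = 00
login/create_sso2_ticket = 1   # value 1 here; the post requires 2
login/min_password_lng = 8
"""

if __name__ == "__main__":
    for name, (status, actual) in check_sso_params(SAMPLE_PROFILE).items():
        print(f"{name}: {status} (actual={actual!r}, wanted={REQUIRED[name]!r})")
```

Run it against the copy of the instance profile from the profile directory rather than against RZ10's screen; the file is what the instance reads at start, and a value that was changed in RZ10 but not yet activated will not be in it.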

Export / Import Certificates

Export SAP System Certificate
  1. Enter /nSTRUSTSSO2.
  2. Choose Enter.
  3. Double-click the "CN=..." entry in the Own Certif. field.

    The certificate data appears in the Certificate section.
  4. Choose the Export certificate button in the Certificate section and save the file to your hard drive (e.g. C:\Best_Practices\).
Import Portal Certificate
  1. Choose the Import certificate button in the Certificate section.
  2. Choose the Browse button in the File path field and select the verify.der you exported from the portal.
  3. Choose the OK button.
  4. Choose the Add to Certificate List button.
  5. Choose the Add to ACL button.
  6. Enter the portal's System ID (the SID of the portal's J2EE Engine, J2E in the example path used later in this post) in the System ID field.
  7. Enter 000 in the Client field; this is the client the J2EE Engine issues its tickets with.
  8. Choose the OK button.
  9. Choose Save.

  Note: the ACL entry is what ties an incoming ticket to a trusted issuer. The SAP system checks that the issuing system and client carried inside the ticket match an ACL row exactly, and that the ticket signature verifies against the certificate stored for that row. A typo in the SID or client therefore leaves tickets rejected even though the certificate import itself succeeded.
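To see what the ACL entry is matched against, here is an added example (not part of the original post and not SAP code) that decodes the body of a logon ticket and applies the same (SID, client) check. The layout follows public descriptions of the MYSAPSSO2 cookie after base64 decoding: a version byte, a four-byte codepage, then info units of a one-byte ID, a two-byte big-endian length and the content, with ID 0xFF holding the PKCS#7 signature. The ID meanings in the table are an assumption of this example, the sample ticket is constructed and unsigned, and the ACL entry J2E/000 is an assumed value. Signature verification is intentionally left out.

```python
"""Decode the body of an SAP Logon Ticket and apply the STRUSTSSO2 ACL check.

Added example, not part of the original post and not SAP code. The layout
is an assumption taken from public descriptions of the MYSAPSSO2 cookie:
version byte, 4-byte codepage, then info units (1-byte ID, 2-byte
big-endian length, content); unit 0xFF is the PKCS#7 signature. Signature
verification is not implemented here.
"""
import base64
import struct

INFO_UNIT_NAMES = {          # assumed IDs, see module docstring
    0x01: "user",
    0x02: "issuing_client",
    0x03: "issuing_sid",
    0x04: "created",          # YYYYMMDDHHMM
    0x05: "valid_hours",
    0x07: "valid_minutes",
    0x20: "java_user",
    0x21: "auth_scheme",
    0xFF: "signature",        # PKCS#7 DER, checked against the trusted cert
}


def build_unit(unit_id: int, content: bytes) -> bytes:
    """Encode one info unit: ID, 2-byte length, content."""
    return struct.pack(">BH", unit_id, len(content)) + content


def parse_ticket(cookie: str) -> dict:
    """Parse a base64 MYSAPSSO2 value into a dict of named fields.

    String units are decoded as single-byte text; the constructed sample
    uses SAP codepage 1100 (ISO-8859-1). Raises ValueError on a truncated
    or malformed unit rather than silently accepting it.
    """
    raw = base64.b64decode(cookie)
    if len(raw) < 5:
        raise ValueError("ticket too short")
    ticket = {"version": raw[0], "codepage": raw[1:5].decode("ascii")}
    pos = 5
    while pos < len(raw):
        if pos + 3 > len(raw):
            raise ValueError("truncated info unit header")
        unit_id, length = struct.unpack(">BH", raw[pos:pos + 3])
        pos += 3
        content = raw[pos:pos + length]
        if len(content) != length:
            raise ValueError(f"truncated info unit 0x{unit_id:02x}")
        pos += length
        name = INFO_UNIT_NAMES.get(unit_id, f"unit_0x{unit_id:02x}")
        ticket[name] = content if unit_id == 0xFF else content.decode("latin-1")
    return ticket


def acl_allows(ticket: dict, acl: set) -> bool:
    """Mirror the STRUSTSSO2 ACL check: the ticket's issuing SID and client
    must appear in the ACL as an exact (SID, client) pair. The real check
    additionally verifies the 0xFF signature with the certificate stored
    for that issuer, which this example does not do."""
    return (ticket.get("issuing_sid"), ticket.get("issuing_client")) in acl


def make_sample_ticket(user: str, sid: str, client: str) -> str:
    """Build a constructed, unsigned sample ticket for the example."""
    body = (
        b"\x02" + b"1100"
        + build_unit(0x01, user.encode("latin-1"))
        + build_unit(0x02, client.encode("ascii"))
        + build_unit(0x03, sid.encode("ascii"))
        + build_unit(0x04, b"201202151200")
        + build_unit(0x05, b"8")
        + build_unit(0xFF, b"\x30\x00")   # placeholder, not a real PKCS#7 blob
    )
    return base64.b64encode(body).decode("ascii")


# ACL as entered in STRUSTSSO2: portal SID and the client it issues with.
# "J2E" and "000" are assumed values for the example.
ACL = {("J2E", "000")}

if __name__ == "__main__":
    t = parse_ticket(make_sample_ticket("SMITH", "J2E", "000"))
    print(t["user"], t["issuing_sid"], t["issuing_client"], acl_allows(t, ACL))
    t2 = parse_ticket(make_sample_ticket("SMITH", "J2E", "001"))
    print(acl_allows(t2, ACL))   # client mismatch, so the ACL rejects it
```

The second sample differs from the first only in the issuing client, and is rejected; that is the behaviour you will see in production if the Client field of the ACL entry does not match what the J2EE Engine writes into its tickets.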

Create a JCo RFC Provider in the J2EE Engine

    1. Launch the J2EE Visual Administrator by double-clicking its go.bat file (e.g. C:\usr\sap\J2E\JC00\j2ee\admin\go.bat).
    2. Select the Connect button.
    3. Enter the Administrator password in the Password field.
    4. Choose Connect.
    5. Expand Server ## → Services → JCo RFC Provider.
    6. Choose the JCo RFC Provider node.
    7. Enter the following values in the RFC destination table:

       Program ID:            <name of the registered server program> (for example sapj2ee_port; you will need it again for the SM59 destination)
       Gateway host:          <gateway host of the SAP system> (for example server.domain.com)
       Gateway service:       <gateway service> (for example sapgw00)
       Server Count (1..20):  a number from 1 to 20

    8. Enter the following values in the Repository table:

       Application server host: <SAP system host> (for example server.domain.com)
       System number:           <instance number> (for example 00)
       Client:                  <client> (for example 050)
       Language:                <logon language>
       User:                    SAPJSF (the user created above)
       Password:                <password of the SAPJSF user>

    9. Choose the Set button.

Add SAP System to the Security Provider's Trusted Systems

J2EE Visual Administrator
Server ## → Services → Security Provider
  1. Choose Server ## → Services → Security Provider.
  2. Choose ticket in the Components list.
  3. Choose the Edit mode button.
  4. Choose com.sap.security.core.server.jaas.EvaluateTicketLoginModule in the Login Modules table.
  5. Choose the Modify button. An Edit Login Module dialog box is displayed.
  6. Enter the following options (replace # with a number: 1 for the first SAP system, 2 for the next, and so on):

     Name                              Value
     ume.configuration.active          true (default)
     trustedsys#  (e.g. trustedsys1)   <SID>, <client>  (for example D2B, 100)
     trustediss#  (e.g. trustediss1)   CN=<SID>  (for example CN=D2B), the issuer of the SAP system's certificate
     trustedn#    (e.g. trustedn1)     CN=<SID>  (for example CN=D2B), the subject of the SAP system's certificate

  7. Choose the OK button.
  8. Choose com.sap.security.core.server.jaas.CreateTicketLoginModule.
  9. Choose the Modify button. An Edit Login Module dialog box is displayed.
  10. Enter the same options as in step 6.
  11. Choose the OK button.

  Note: the three options with the same number describe one trusted SAP system and must agree with each other. trustedsys# names the system (SID and client) that issued the ticket, trustediss# is the issuer DN and trustedn# the subject DN of that system's certificate; for the self-signed certificate STRUSTSSO2 creates by default both are CN=<SID>. Keep the trailing numbers consecutive and unique, so a second system gets trustedsys2, trustediss2 and trustedn2.
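Because a typo in any of these options silently breaks trust for that one system, it is worth linting the option table before saving it. The following added example (written for this post, not SAP code) takes the options as a dict, groups them by their trailing number and checks that each number has all three options, that trustedsys# has the <SID>, <client> form, and that both CNs name the same SID as trustedsys#. It assumes the default self-signed STRUSTSSO2 certificate, where issuer and subject are both CN=<SID>; with a CA-signed certificate trustediss# would hold the CA's DN and that part of the check would not apply. The option values in the block are constructed.

```python
"""Lint the trustedsys#/trustediss#/trustedn# options of the ticket login modules.

Added example, not part of the original post and not SAP code. Input is the
option table as a dict (name -> value, the way Visual Administrator shows
it). The CN checks assume the default self-signed STRUSTSSO2 certificate.
"""
import re

SYS_RE = re.compile(r"^\s*([A-Z0-9]{3})\s*,\s*(\d{3})\s*$")   # "<SID>, <client>"
CN_RE = re.compile(r"^CN=([A-Z0-9]{3})$")                      # "CN=<SID>"
OPT_RE = re.compile(r"^(trustedsys|trustediss|trustedn)(\d+)$")


def lint_trusted(options: dict) -> list:
    """Return a list of human-readable findings; an empty list means consistent."""
    groups = {}
    for name, value in options.items():
        m = OPT_RE.match(name)
        if m:
            groups.setdefault(m.group(2), {})[m.group(1)] = value.strip()

    findings = []
    if options.get("ume.configuration.active", "true").lower() != "true":
        findings.append("ume.configuration.active is not true")

    for num, g in sorted(groups.items(), key=lambda kv: int(kv[0])):
        missing = [k for k in ("trustedsys", "trustediss", "trustedn") if k not in g]
        if missing:
            findings.append(f"entry {num}: missing {', '.join(o + num for o in missing)}")
            continue
        m = SYS_RE.match(g["trustedsys"])
        if not m:
            findings.append(f"trustedsys{num}: expected '<SID>, <client>', got {g['trustedsys']!r}")
            continue
        sid = m.group(1)
        for opt in ("trustediss", "trustedn"):
            cn = CN_RE.match(g[opt])
            if not cn:
                findings.append(f"{opt}{num}: expected 'CN=<SID>', got {g[opt]!r}")
            elif cn.group(1) != sid:
                findings.append(f"{opt}{num}: CN={cn.group(1)} does not match trustedsys{num} SID {sid}")
    return findings


# Constructed sample: entry 1 is correct, entry 2 carries a subject CN that
# belongs to another system, entry 3 is incomplete.
SAMPLE_OPTIONS = {
    "ume.configuration.active": "true",
    "trustedsys1": "D2B, 100",
    "trustediss1": "CN=D2B",
    "trustedn1": "CN=D2B",
    "trustedsys2": "Q2B, 100",
    "trustediss2": "CN=Q2B",
    "trustedn2": "CN=D2B",
    "trustedsys3": "P2B, 100",
}

if __name__ == "__main__":
    for finding in lint_trusted(SAMPLE_OPTIONS) or ["no findings"]:
        print(finding)
```

Run the same dict through the lint for both EvaluateTicketLoginModule and CreateTicketLoginModule; the post enters identical values in both, and a difference between the two tables is itself a finding worth chasing.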
Import SAP System Certificate into the J2EE Engine of the Portal System
J2EE Visual Administrator
Server ## → Services → Key Storage
  1. Navigate to Server ## → Services → Key Storage.
  2. Choose TicketKeystore in the Views list.
  3. Choose the Load button.
  4. Choose the certificate of the SAP system that you exported from STRUSTSSO2 above.
Restart the J2EE Instance
  1. Right-click Server ## and choose Reboot.
Create RFC Connection in the SAP System
  1. Switch to the SAP system.
  2. Enter transaction SM59.
  3. Right-click TCP/IP connections and choose Create.
  4. Enter the following values:

     RFC Destination:  <name> (for example RFC_to_portal)
     Connection Type:  T
     Description:      <description of the connection>

  5. Choose the Save button.
  6. Under Technical settings, choose Registered Server Program.
  7. Enter the Program ID you gave the JCo RFC Provider (for example sapj2ee_port) in the Program ID field.
  8. Enter the Gateway host and Gateway service you gave the JCo RFC Provider.
  9. Choose Save.
  10. Choose Test Connection. The test succeeds only if the J2EE Engine has registered the program at this gateway, so it also confirms that the JCo RFC Provider is running.

Restart SAP System
  1. If you changed parameters in RZ10, restart the SAP system.

Test Connections
  1. In the SAP system, enter transaction SU01 and create a test user.
  2. Switch to the portal and create a test user with the same user name. The ticket carries the portal user ID and the SAP system logs on the ABAP user of that same name, which is why the two accounts must match.
  3. Navigate to User Administration → Create User.
  4. Enter the following information:

     Name:          the user name used for both the portal and the SAP system
     Last Name:     <last name>
     First Name:    <first name>
     Email address: <e-mail address>

  5. Choose Create (scroll to the bottom of the iView).
Test iView
  1. Switch to the portal.
  2. Go to System Administration → Support → SAP Application.
SAP NetWeaver Portal
System Administration → Support → SAP Application
  3. Choose the SAP Transaction link.
  4. Choose your SAP system by alias in the drop-down list.
  5. Enter a transaction code in the Transaction code field (e.g. VA21).
  6. Choose the Go button.
    You should see the transaction displayed as a WebGUI iView without a further password prompt.