Former Member
I think a lot of people, after installing SAP Enterprise Portal, look at how to connect it to existing SAP systems (BW, R/3, CRM etc.). Me too. I spent a lot of time searching for a guide that describes it in detail, and in one piece. There are a lot of documents on activities in backend systems, the portal itself, and SAP Help on configuring J2EE. But I couldn't find The-One-Full-How-To. So I wrote it.

It's quite small and brief. I do not have time to make screenshots, because it's my live system 🐵 But it seems quite clear to me, and I hope to you too. You will need basic knowledge of J2EE tools, SAP Basis and the portal.

Please note: these steps worked for me, but they might not work for you; it depends on the landscape. If so, try to contact me via e-mail (klim at dennisk.org). I'm also not a too-much-experienced guru, and could be wrong somewhere. Please use this document at your own risk! 🐵 I will not cover the process of providing content from backend systems in the portal. At least not in this article. Probably later.

So here they are, 10 simple steps 🐵

1) Export certificate from portal (verify.der and verify.pse)
   a) Navigate to 'System Administration' >> 'System configuration' >> 'Keystore Administration'.
   b) In 'Content' select "SAPLogonTicketKeypair-cert", then press and save "Download verify.pse file" and "Download verify.der file".

2) Check existence of SAPJSF user in target system
   a) Create it if necessary using transaction SU01.
   b) The user should have two roles: SAP_BC_JSF_COMMUNICATION and SAP_BC_USR_CUA_CLIENT_RFC (if you have CUA in place).
   c) You will probably have to generate profiles for those roles in the target system (transaction PFCG).

3) Check profile parameters
   a) Use transaction RZ10.
   b) Choose the instance profile, 'Extended maintenance', then 'Change'.
   c) Make sure that "login/create_sso2_ticket" is set to "2" and "login/accept_sso2_ticket" is set to "1".

4) Export certificate from target system (the system to which you want to connect using SSO from the portal)
   a) Use transaction STRUSTSSO2.
   b) Double-click on "Own Certif.", on the "CN=..." part.
   c) Press the "Export certificate" button in the middle of the screen and provide the file name and path where the certificate file should be saved.

5) Import portal certificate to target system
   a) Use transaction STRUSTSSO2 in the target system.
   b) Push the "Import certificate" button in the middle of the screen.
   c) In the 'File path' field enter the path to the *.der file you created in step 1 (or point at it via the 'Browse' button).
   d) Press "Enter".
   e) Press the 'Add to certificate list' button and then the 'Add to ACL' button.

6) Create a JCo RFC provider in the J2EE engine of the portal system
   a) Log on to J2EE using the J2EE Admin tool (go.bat).
   b) Navigate to the 'Server' >> 'JCo RFC provider' node.
   c) On the right side of the screen choose any entry in the 'Available RFC destinations' area.
   d) Enter information about the new destination:
      - Program ID: name of the program (you will need it later) - sapj2ee_port, for example
      - Gateway host - FQDN of target system - server.domain.com, for example
      - Gateway service - sapgw00, for example
   e) In the 'Repository' section enter:
      - Application server host - FQDN of target system - server.domain.com, for example
      - System number - 00, for example
      - Client - 100, for example
      - Logon language - EN
      - User - SAPJSF (from step 2)
      - Password (from step 2)
   f) Press 'Set'.

7) Add target system to Security providers list
   a) Open J2EE Admin and navigate to 'Server' >> 'Services' >> 'Security Provider'. In components select 'Ticket'. Enter edit mode (button with pencil above).
   b) Select 'Login module' "com.sap.security.core.server.jaas.EvaluateTicketLoginModule" and press 'Modify'.
   c) Ensure that "ume.configuration.active" is set to "true".
   d) Enter the following info:
      - Name - 'trustedsysN' (there should be a number instead of "N"; if the target system is the first one you are implementing SSO with, it should be 'trustedsys1'). Enter <SID>,<client> as a value (C11,100 for example).
      - Name - 'trustedissN' (there should be a number instead of "N"; if the target system is the first one you are implementing SSO with, it should be 'trustediss1'). Enter CN=<SID> as a value (CN=C11 for example).
      - Name - 'trusteddnN' (there should be a number instead of "N"; if the target system is the first one you are implementing SSO with, it should be 'trusteddn1'). Enter CN=<SID> as a value (CN=C11 for example).
   e) Press 'OK'.
   f) Do substeps b, c, d, e in the 'evaluate_assertion_ticket' view for the "com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule" login module.

8) Import target system certificate to J2EE of portal system (from step 4)
   a) Open J2EE Administrator and log on to the portal instance.
   b) Navigate to 'Server' >> 'Services' >> 'Key storage'.
   c) In the 'Ticket keystore' view press 'Load' and select the certificate of the target system you exported in step 3.

9) Restart J2EE instance.

10) Create RFC connection in target system
   a) Use transaction SM59.
   b) Point to TCP/IP connections and press 'New'.
   c) Enter a name for the new connection ("RFC_to_portal", for example), enter connection type "T" (external TCP/IP application) and a description. Save.
   d) In 'Technical settings' choose "Registered server program" and enter the application name from step 6d in the "Program ID" field. Provide 'Gateway host' and 'Gateway service' same as in step 6d. Save. Test connection. RFC connection ready.

If you had to change or add parameters in RZ10 (in step 3), do not forget to restart the target system. Also double-check that the portal server and target system are in the same domain; this is important for ticket issuing. This is always mentioned in various documents.

Now SSO is configured. Try to test it by creating a simple iView that launches WebGUI, or simply by going to System Admin -> Support -> SAP Application (thanks, Pankaj Kumar!)

P.S. I tested it on systems which are based on WebAS 6.20 and 6.40 (BW, XI, CRM). Hope all above is true for older releases.

P.P.S. Some more SAP documentation links (thanks Karsten Stombrowski!!!):
Single Sign-On with SAP Logon Tickets on help.sap.com: http://help.sap.com/saphelp_nw04/helpdata/en/89/6eb8e1af2f11d5993700508b6b8b11/frameset.htm
Security Guide:
https://service.sap.com/~sapdownload/011000358700004812692003E/SecurityGuide_60_SP2_v33.pdf
http://help.sap.com/saphelp_nw04/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm
User Authentication and Single Sign-On:
http://help.sap.com/saphelp_nw04/helpdata/en/e5/4344b6d24a05408ca4faa94554e851/frameset.htm
Perform Cross Domain Single Sign-On with SAP Logon Tickets on service marketplace:
https://service.sap.com/~sapdownload/011000358700001345182005E/Cross_Domain.zip
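
A consistency check for the values entered in steps 3 and 7, added here as an example and not part of the original post or of any SAP tool. It assumes the instance profile is available as plain `name = value` text and the login module options as a Python dict; the function names and the sample data are hypothetical.

```python
import re

# Values the post asks for in step 3 (instance profile, RZ10).
REQUIRED_PROFILE = {"login/create_sso2_ticket": "2", "login/accept_sso2_ticket": "1"}

def check_profile(text):
    """Return problems found in 'name = value' profile text; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return [f"{k}: expected {v}, found {params.get(k, 'unset')}"
            for k, v in REQUIRED_PROFILE.items() if params.get(k) != v]

def check_login_module(options):
    """Validate the trustedsysN / trustedissN / trusteddnN options from step 7."""
    problems = []
    if options.get("ume.configuration.active") != "true":
        problems.append("ume.configuration.active is not 'true'")
    indexes = set()
    for key in options:
        m = re.fullmatch(r"trusted(?:sys|iss|dn)(\d+)", key)
        if m:
            indexes.add(int(m.group(1)))
    if not indexes:
        problems.append("no trusted system entries")
    for n in sorted(indexes):
        values = {p: options.get(f"trusted{p}{n}") for p in ("sys", "iss", "dn")}
        missing = [f"trusted{p}{n}" for p, v in values.items() if v is None]
        if missing:
            problems.append(f"index {n}: missing {', '.join(missing)}")
            continue
        if not re.fullmatch(r"[A-Z][A-Z0-9]{2},\d{3}", values["sys"]):
            problems.append(f"trustedsys{n}: '{values['sys']}' is not SID,client")
        for p in ("iss", "dn"):
            if not values[p].startswith("CN="):
                problems.append(f"trusted{p}{n}: '{values[p]}' does not start with CN=")
    return problems

# Constructed sample input, not taken from a real system.
SAMPLE_PROFILE = "# instance profile\nlogin/create_sso2_ticket = 2\nlogin/accept_sso2_ticket = 0\n"
SAMPLE_OPTIONS = {"ume.configuration.active": "true",
                  "trustedsys1": "C11,100", "trustediss1": "CN=C11", "trusteddn1": "CN=C11",
                  "trustedsys2": "BWP 100", "trustediss2": "CN=BWP"}

if __name__ == "__main__":
    for problem in check_profile(SAMPLE_PROFILE) + check_login_module(SAMPLE_OPTIONS):
        print(problem)
```

Run the same login module check against the options of both EvaluateTicketLoginModule and EvaluateAssertionTicketLoginModule, since step 7f repeats the entries there.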