on 01-14-2015 10:32 PM
Greetings all,
We ran a pilot test of SSO 1.0 a few years ago and have decided to revisit SSO 2.0. I have found the implementation guide and the master document as well as the great SSO 1.0-based videos, but I find that the screens we encountered in 1.0 have absolutely no match to those in 2.0 and the current guides don't have any screen shots and don't follow a logical sequence. I'm struggling to even match the terminology used between the 1.0 and 2.0 screens. Is there anywhere to find good documentation on this product?
Thanks,
Mike Dumas
Hi Alexander,
I did try and change the option and the error was gone. However, it seems that the EvaluateTicketLoginModule still fails. Thus, leading to the basic password login module.
LOGIN.OK
User: Administrator
IP Address: 172.21.200.76
Authentication Stack: sap.com/tc~lm~itsam~ui~mainframe~wd*webdynpro_resources_sap.com_tc~lm~itsam~ui~mainframe~wd
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false
#1 trusteddn1 = CN=DV2,OU=I0020180324,OU=SAP Web AS,O=SAP Trust Community,C=DE
#2 trusteddn2 = CN=DV2,OU=I0020180324,OU=SAP Web AS,O=SAP Trust Community,C=DE
#3 trusteddn3 = OU=J2EE,CN=C74
#4 trustediss1 = CN=DV2,OU=I0020180324,OU=SAP Web AS,O=SAP Trust Community,C=DE
#5 trustediss2 = CN=DV2,OU=I0020180324,OU=SAP Web AS,O=SAP Trust Community,C=DE
#6 trustediss3 = OU=J2EE,CN=C74
#7 trustedsys1 = DV2,503
#8 trustedsys2 = DV2,000
#9 trustedsys3 = C74,000
#10 ume.configuration.active = true
2. com.sap.engine.services.security.server.jaas.ClientCertLoginModule SUFFICIENT ok false false
#1 Rule1.attributeName = CN
#2 Rule1.getUserFrom = subjectName
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok false false
#1 ume.configuration.active = true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule SUFFICIENT ok true true
Central Checks true
Regards,
Tom
Hi Thomas,
at first sight, I'd guess your logon stack is not correct.
For the EvaluateTicketLogin to work, CreateTicketLogin has to be gone through.
Based on your above stack, I'd assume the following could be correct:
1. EvaluateTicketLogin: Sufficient
2. ClientCertLoginModule: Optional
3. CreateTicketLogin: Sufficient
4. BasicPassword: Requisite
5. CreateTicketLogin: Optional
see User Authentication and Single Sign-On - SAP Library for a discussion of the different options.
Kind regards,
Patrick
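The two stacks above differ in their JAAS control flags, and the flags decide which modules even get to run. The following is an added example, not code from the thread or from SAP: it simulates the standard JAAS control-flag rules (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL, as documented for javax.security.auth.login.Configuration) over the stack Tom posted and the one Patrick proposed. The per-module login outcomes are constructed so the flag logic can be followed; SAP-specific behaviour such as CreateTicketLoginModule needing an earlier module to have authenticated the user is not modelled.

```python
"""Simulate JAAS control-flag semantics for a login-module stack.

Added example (not part of the SCN thread). Module outcomes are constructed;
SAP-specific module behaviour is not modelled.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Flag(Enum):
    REQUIRED = "REQUIRED"      # must succeed; later modules still run
    REQUISITE = "REQUISITE"    # must succeed; on failure the stack stops at once
    SUFFICIENT = "SUFFICIENT"  # on success the stack stops, unless an earlier REQUIRED failed
    OPTIONAL = "OPTIONAL"      # outcome does not decide the overall result


@dataclass(frozen=True)
class StackResult:
    authenticated: bool
    ran: Tuple[str, ...]        # modules whose login phase executed, in order
    stopped_at: Optional[str]   # module that short-circuited the stack, if any


def run_stack(stack: List[Tuple[str, Flag]], outcomes: List[bool]) -> StackResult:
    """Walk the stack top to bottom applying the JAAS flag rules.

    outcomes[i] is the (constructed) result of module i's login() call.
    """
    if len(stack) != len(outcomes):
        raise ValueError("one outcome per module is required")
    ran: List[str] = []
    mandatory_failed = False   # a REQUIRED module failed earlier in the stack
    any_success = False
    for (name, flag), ok in zip(stack, outcomes):
        ran.append(name)
        if ok:
            any_success = True
            if flag is Flag.SUFFICIENT and not mandatory_failed:
                return StackResult(True, tuple(ran), name)
        else:
            if flag is Flag.REQUISITE:
                return StackResult(False, tuple(ran), name)
            if flag is Flag.REQUIRED:
                mandatory_failed = True
    # No short-circuit: all REQUIRED/REQUISITE must have passed and something must have succeeded.
    return StackResult(any_success and not mandatory_failed, tuple(ran), None)


EVALUATE = "EvaluateTicketLoginModule"
CLIENT_CERT = "ClientCertLoginModule"
CREATE = "CreateTicketLoginModule"
BASIC = "BasicPasswordLoginModule"

# Stack as shown in Tom's trace.
POSTED_STACK = [
    (EVALUATE, Flag.SUFFICIENT),
    (CLIENT_CERT, Flag.SUFFICIENT),
    (CREATE, Flag.OPTIONAL),
    (BASIC, Flag.SUFFICIENT),
]

# Stack as proposed by Patrick.
PROPOSED_STACK = [
    (EVALUATE, Flag.SUFFICIENT),
    (CLIENT_CERT, Flag.OPTIONAL),
    (CREATE, Flag.SUFFICIENT),
    (BASIC, Flag.REQUISITE),
    (CREATE, Flag.OPTIONAL),
]


def simulate_posted_stack() -> StackResult:
    # Constructed outcomes mirroring the trace: no ticket, no client cert, password accepted.
    return run_stack(POSTED_STACK, [False, False, False, True])


def simulate_proposed_stack(password_ok: bool) -> StackResult:
    # Constructed: no ticket or cert yet, so the first CreateTicket has nothing to issue;
    # the trailing OPTIONAL CreateTicket is only reached if the REQUISITE password check passes.
    return run_stack(PROPOSED_STACK, [False, False, False, password_ok, password_ok])


if __name__ == "__main__":
    cases = [
        ("posted", simulate_posted_stack()),
        ("proposed/ok", simulate_proposed_stack(True)),
        ("proposed/bad pw", simulate_proposed_stack(False)),
    ]
    for label, res in cases:
        print(f"{label:16} authenticated={res.authenticated} "
              f"stopped_at={res.stopped_at} ran={list(res.ran)}")
```

In the posted stack the SUFFICIENT password module ends the walk as soon as it succeeds, so nothing placed after it would ever run; in the proposed stack the REQUISITE password module either stops the walk on failure or lets the trailing OPTIONAL module run on success, which is the placement Patrick's ordering relies on.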
Hello,
have you tried the videos?
http://scn.sap.com/docs/DOC-40178
http://scn.sap.com/docs/DOC-40179
best regards
Alexander Gimbel
Hi Mike,
If you want to use SPNego for ABAP for Web UI and NWBC then the following video should be helpful:
You can find more information in the implementation guide http://help.sap.com/download/sapsso/secure_login_impl_guide_en.pdf chapter 4.7.5 Kerberos Authentication for HTML-Based User Interfaces Using SAP NetWeaver AS for ABAP with SPNego
KR
Valerie
Hi Alexander,
Just a follow-up question regarding SSO 2.0. I did manage to get it working on the AS ABAP end with the help of the 40179 demo. However, I can't quite figure out the configuration for AS JAVA (without SSL).
My questions are...
(1) Is it possible to use SSO 2.0 without SSL?
(2) can I configure AS JAVA to use AS ABAP UME, unlike secure login server where UME should be LDAP?
Please advise. Thank you.
Regards,
Tom
Hello,
to (1): The communication between Secure Login Server and Secure Login Client should be secured by SSL to prevent eavesdropping. So it's recommended.
Why do you not want to use SSL? Or do you mean the communication against ABAP? Here you can use SNC with SAP GUI instead of the web based UI with SSL.
to (2): Yes, you can bind the UME against an AS ABAP DB. Then as authentication method on the Secure Login Server the "Basic Password authentication" can be used.
But if you use Kerberos/SPNEGO as authentication method with Secure Login Server, it's recommended to use the Virtual User feature or bind the Active Directory against the UME.
What kind of authentication method do you want to use?
best regards
Alexander Gimbel
Hi Alexander,
Thank you for your response.
(1) is there a tutorial for its setup? 40179 demo only shows w/ SSL configuration.
(2) the authentication method at the moment is SPNEGO, and UME is bound to AS ABAP, which is probably why single sign-on does not work.
Again, thank you.
Regards,
Tom
Hello Thomas,
(1) for SSL Java configuration there is a help page
http://help.sap.com/saphelp_sfin100/helpdata/de/ee/de34e6754f4caaa5f73f38d9bde3f7/content.htm
But it does not describe how to get a certified SSL key/certificate with the help of Secure Login Server.
This must be done like this :
1. go to Secure Login Server Administration Console, Certificate Management
2. select the SSL Sub CA and press the button issue entry
3. put the fully qualified hostname of the AS Java server in the DNS name and Common Name fields
4. go to Netweaver Administration SSL configuration
5. go to edit mode and under Server Identity, Copy entry
6. Choose View "SecureLoginServer" and enter the generated key (not the -cert entry), import
7. delete the self signed certificate
8. press Save in SSL configuration, all should be green now (maybe an ICM restart is required)
(2) Can you please add a "security trouble shooting wizard" trace (server trace) for one SPNEGO authentication request from the Secure Login Client to the Secure Login Server? It will help to analyze the problem.
best regards
Alexander Gimbel
Hi Alexander,
Here's the error I got from the trace...
Cannot initialize login module com.sap.engine.services.security.server.jaas.ClientCertLoginModule.
[EXCEPTION]
com.sap.engine.services.security.server.jaas.cclm.InvalidOptionsException: getUserFrom 'SubjectName' is not a legal option!
GetUserFrom field - cannot assign value :Subject
at com.sap.engine.services.security.server.jaas.cclm.RuleHelper.options2Rules(RuleHelper.java:104)
at com.sap.engine.services.security.server.jaas.ClientCertLoginModule.initialize(ClientCertLoginModule.java:96)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.initialize(LoginModuleLoggingWrapperImpl.java:204)
at com.sap.engine.services.security.login.LoginContextFactory.initializeLoginContext(LoginContextFactory.java:186)
at com.sap.engine.services.security.login.FastLoginContext.logoutSession(FastLoginContext.java:853)
at com.sap.engine.services.security.login.SecuritySession.logout(SecuritySession.java:365)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
...
Regards,
Tom
Hi Thomas,
if you want a SPNEGO authentication with the Secure Login Client you are using the wrong stack.
You can use the default SecureLoginSPNEGOStack.
1. go to the Secure Login Server Console
2. search for your authentication profile you use and goto edit mode
3. on the "User Authentication" tab below, choose the SecureLoginSPNEGOStack as policy configuration.
4. press save.
best regards
Alexander Gimbel
Hi Alexander,
Thanks for the help. Unfortunately, my colleagues decided to have SSL instead, and now I am faced with another issue. I hope you can still help me out.
Certificate Error: Navigation Blocked - "Server's certificate does not match the URL."
Although I can continue (not recommended), I hope that it can be rectified. Upon checking, it seems that the certificate in question is the SSL certificate. Including the Secure Login Server Root CA in the SSL Trusted CAs didn't work either.
Thanks, again.
Regards,
Tom
Hi Thomas,
this is an easy one. The server certificate contains a so-called common name (CN) which should be the name of the host. This needs to be the same as the hostname which is part of the URL.
In your case it seems that the CN is something like firsthost.somedomain.com but the URL looks like http://otherhost.somedomain.com.
You can either change the URL or change the certificate of the server.
regards,
Patrick
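The name check Patrick describes is the one a browser performs before it shows "Server's certificate does not match the URL". The following is an added example, not code from the thread or from SAP, that reproduces the check offline: it takes the host from the URL and compares it with the certificate's names the way clients do, using the subjectAltName dNSName entries when present and falling back to the CN only when there are none, with a wildcard allowed only as the complete left-most label. The host names and certificate values are constructed placeholders in the spirit of the firsthost/otherhost example above.

```python
"""Check whether a server certificate's names cover the host in a URL.

Added example (not from the thread). Certificate values below are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ServerCert:
    common_name: str
    san_dns_names: Tuple[str, ...] = ()   # subjectAltName dNSName entries, if any


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' may only replace the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    if "." not in suffix:              # refuse over-broad patterns such as "*.com"
        return False
    labels = host.split(".")
    # The wildcard covers exactly one label, so the rest of the host must equal the suffix.
    return len(labels) >= 3 and ".".join(labels[1:]) == suffix


def names_checked(cert: ServerCert) -> Tuple[str, ...]:
    """Names a client compares against: SAN dNSNames if present, otherwise the CN."""
    return cert.san_dns_names if cert.san_dns_names else (cert.common_name,)


def cert_matches_url(cert: ServerCert, url: str) -> bool:
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    # An IP-literal host never matches a dNSName, so it simply fails here.
    return any(_name_matches(name, host) for name in names_checked(cert))


def explain_mismatch(cert: ServerCert, url: str) -> Optional[str]:
    """None when the certificate covers the URL, otherwise a short diagnosis."""
    if cert_matches_url(cert, url):
        return None
    host = urlsplit(url).hostname
    return (f"URL host {host!r} is not covered by certificate names "
            f"{list(names_checked(cert))}; address the server by a covered name "
            f"or reissue the certificate with {host!r} in CN/SAN")


# Constructed certificates for the demonstration.
CN_ONLY = ServerCert("firsthost.somedomain.com")
WITH_SAN = ServerCert("firsthost.somedomain.com",
                      ("firsthost.somedomain.com", "otherhost.somedomain.com"))
WILDCARD = ServerCert("ignored.somedomain.com", ("*.somedomain.com",))

if __name__ == "__main__":
    for cert, url in [
        (CN_ONLY, "https://firsthost.somedomain.com:50001/nwa"),
        (CN_ONLY, "https://otherhost.somedomain.com/nwa"),
        (WITH_SAN, "https://otherhost.somedomain.com/nwa"),
        (WILDCARD, "https://deep.sub.somedomain.com/"),
    ]:
        print(url, "->", explain_mismatch(cert, url) or "OK")
```

The fix options in the post map directly onto the two inputs of the check: change the URL so its host is one of the covered names, or reissue the certificate so that the host actually used (including any alias users type) appears in the CN and, preferably, as a SAN entry.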