on 01-15-2015 11:20 AM
Hi,
Can anyone tell me if it's possible to set up an RFC destination in HCP for SSO RFC connecting to an ABAP system (via Cloud Connector)?
Best regards,
Yu
Hi Yu,
yes, this is possible. Please have a look at the documentation and get back to us in case of questions.
Best regards,
Timo
Hi Timo,
I tried to configure the Cloud Connector and my ABAP instance.
Now the problem is that, after reading the SNC user's guide, I cannot understand how to configure SNC for the Cloud Connector. Can you share some kind of step-by-step guide on how to set up SNC?
Currently, the error when I'm trying to call via RFC/SNC is:
ERROR SNCERR_BAD_NT_PREFIX
SncPImportPrName() parsing error
name="CN=SCC, OU=HCP Scenarios, OU=Server, O=SAP Trust
Community, C=DE"
Best regards,
Yu
Hello Yu,
this cannot be described in general; it depends heavily on the SNC solution used. Please follow the instructions of your SNC solution on how to make a process use a certain identity. This configuration is not SCC specific, but a general one for arbitrary processes.
Best regards,
Markus
Hi Tolksdorf,
thanks for your comments. After reading some documentation, I think I have figured out how to do the configuration on the command line. Before that, my problem was that I set the PSE file for the wrong user: I had set it for the "root" user, but for SCC I should set the PSE for the "sccadmin" user. After that I found another problem when I'm trying to call RFC with SNC:
The error is below:
com.sap.scc.protocol.rfc.RfcException: Unable to create authentication token for I070219
at com.sap.scc.protocol.rfc.RfcRuntime.getAuthenticationToken(RfcRuntime.java:299)
at com.sap.scc.protocol.rfc.RfcRuntime.queueRfcData(RfcRuntime.java:129)
at com.sap.scc.protocol.rfc.RfcProtocolProcessor.processBlock(RfcProtocolProcessor.java:82)
at com.sap.scc.protocol.rfc.RfcProtocolProcessorRunnable.run(RfcProtocolProcessorRunnable.java:96)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:812)
Caused by: java.lang.IllegalStateException: Failed to create X509 certificate for I070219
at com.sap.scc.cert.CertificateGenerator.generateToken(CertificateGenerator.java:73)
at com.sap.scc.sso.SccBackendTokenGenerator.generateToken(SccBackendTokenGenerator.java:50)
at com.sap.scc.protocol.rfc.RfcRuntime.getAuthenticationToken(RfcRuntime.java:296)
... 6 more
Caused by: java.lang.IllegalStateException: No system certificate available, which is required for supporting Principal Propagation.
at com.sap.scc.cert.CertificateGenerator.generateSignedCertificate(CertificateGenerator.java:83)
at com.sap.scc.cert.CertificateGenerator.generateToken(CertificateGenerator.java:60)
... 8 more
According to this log, I thought that might be because I haven't set a system certificate in my Cloud Connector.
To import the system certificate, should I generate a p12 file from the PSE file?
If yes, I found another problem: after I use sapgenpse to export a p12 file, the p12 file can be generated successfully, but when I import the p12 file into Cloud Connector the error is:
com.sap.scc.servlets.CriticalSccException: no certificate were loaded.
at com.sap.scc.servlets.ConfigurationServlet.uploadCertificate(ConfigurationServlet.java:413)
at com.sap.scc.servlets.ConfigurationServlet.dispatch(ConfigurationServlet.java:67)
at com.sap.scc.servlets.ServletUtilities.service(ServletUtilities.java:38)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.sap.scc.ui.rt.UTF8Filter.doFilter(UTF8Filter.java:23)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:812)
Can you help me with this?
Best regards,
Yu
Hello Yu,
for some reason, the P12 generated by sapgenpse cannot be loaded by all JCE implementations, including the ones included in SAP JVM and the standard JVM. IBM's JCE implementation, however, doesn't show this problem. You can notice this when trying to process the P12 with the keytool executable contained in the JDK.
A workaround for this issue is to import the P12 to a browser certificate store, and export a new one from the browser secure store. The newly generated one will work afterwards together with SCC.
Best regards,
Markus
Hi Tolksdorf,
Thanks for your idea. I imported the p12 file into the IE browser and exported another pfx file; then, when I tried to import this file into Cloud Connector, an error occurred:
2015-01-21 08:08:30,026#ERROR#com.sap.scc.ui#http-bio-8443-exec-3# | #System Certificate Import failed null |
com.sap.scc.servlets.CriticalSccException: keyStoreUpdate failed
at com.sap.scc.config.SccKeyStore.store(SccKeyStore.java:54)
at com.sap.scc.servlets.ConfigurationServlet.uploadCertificate(ConfigurationServlet.java:417)
at com.sap.scc.servlets.ConfigurationServlet.dispatch(ConfigurationServlet.java:67)
at com.sap.scc.servlets.ServletUtilities.service(ServletUtilities.java:38)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.sap.scc.ui.rt.UTF8Filter.doFilter(UTF8Filter.java:23)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:812)
Caused by: com.sap.scc.servlets.CriticalSccException: Unable to create key managers using key store /opt/sap/scc/scc_config/scc.jks
at com.sap.scc.util.KeyStoreFile.getKeyManagers(KeyStoreFile.java:224)
at com.sap.scc.ssl.SSLContextBuilder.createReencryptionSSLContext(SSLContextBuilder.java:17)
at com.sap.scc.config.SccConfig.keyStoreUpdated(SccConfig.java:559)
at com.sap.scc.config.SccKeyStore.store(SccKeyStore.java:50)
... 27 more
Caused by: java.security.UnrecoverableKeyException: excess private key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:338)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
at java.security.KeyStore.getKey(KeyStore.java:792)
at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:131)
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:68)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:259)
at com.sap.scc.util.KeyStoreFile.getKeyManagers(KeyStoreFile.java:219)
... 30 more
Do you have any idea about this?
Best regards,
Yu
Hi Tolksdorf,
thanks so much for your help.
SNC RFC from my cloud application to the ABAP system is working now.
But there is still another problem: how can I make the ABAP system automatically create a user and assign CN=<USER ID> in t-code EXTID_DN?
Should I configure SAP ID SAML in the ABAP system? Is it possible to share any documentation?
Best regards,
Yu
Hi Yu,
well, the EXTID_DN transaction will never automatically generate entries. Thus, you can decide not to allow all users to access the ABAP system via that mechanism. In case you don't want to block specific users and your system is newer than 7.3 EhP1 (aka 7.31), you can use transaction CERTRULE as described here:
Rule-Based Certificate Mapping - User Authentication and Single Sign-On - SAP Library
Best regards,
Markus
No - in order to create a user account you need to know (much) more than simply the username.
In order to log on to ABAP systems, a user account needs to pre-exist.
The only exception is SAML - if the SAML assertion contains all relevant attributes which are required to create a user account, and if the SAML SP configuration contains instructions (rules) on how to derive the user account attributes from the SAML attributes.
Using the SAP Cloud Connector there is no end-to-end SAML authentication: the SAP Cloud Connector "consumes" the SAML assertion and creates a (short-lived) X.509 client certificate in exchange (acting similar to an STS); the ABAP backend only receives that X.509 client certificate - and not the SAML assertion. The "token conversion" (SAML -> X.509 certificate) only preserves the "user principal" information; all additional SAML attributes get lost (they are not contained in the X.509 client certificate). Well, as written above: even if they had been added to the X.509 client certificate, they would not be evaluated on the ABAP side.
Well, it can also be considered an advantage that only users which do (pre-)exist onPremise can access data hosted on / use services provided by onPremise systems via the SAP Cloud Connector. Applications running in the cloud need to know whether they require access to onPremise systems; if this is the case, then the prerequisite is that the cloud user has an (equivalent) onPremise user account.
"Identity Management Solutions" help you to achieve the required "User Provisioning" - not only to create users but also to remove/deactivate them in case they are no longer valid/required. This second aspect is very important with regard to security and certain compliance rules (e.g. after an employee has left the company (s)he must no longer be able to access company-confidential data/services).
Best regards, Wolfgang
Hi Wolfgang,
Thanks for your reply.
I got your point. But what if we have the following requirements:
1. We want to provide a website for everyone in HANA Cloud.
2. The frontend of the website is in HANA Cloud; the backend is in an ABAP system.
How can we implement user creation in the ABAP system?
If we need to create users manually in the ABAP system, I think it's not possible to create all users from SAP ID in ABAP systems.
Best regards,
Yu
I'm not sure whether I've got your point regarding "everyone".
Are you referring to the "general public" (i.e. any internet user) or are you referring to "any employee" (aka "tenant member"; an HCP instance is owned by a "tenant")?
This question is closely linked to the question of how the users are logging on to HCP.
HCP is using SAML, so users will log on at the SAML IdP - that could either be SAP's (Cloud) ID Service or the customer's onPremise IdP or any other SAML IdP.
If that SAML IdP offers "self-registration" capabilities, and if such self-registered cloud users should also be able to consume onPremise services under their own account, then it is required to create such an onPremise account - e.g. using "user (de-)provisioning" services provided by some Identity Management System. Such a system takes care that the user has an account in all systems where he needs one - with the required authorizations (not more, but also not less).
BR Wolfgang
Hi Wolfgang,
Thanks for your information.
Here I want to share more information about my project:
Current landscape:
1. NW JAVA (frontend HTML5, JCo) and NW ABAP (business logic, data storage, remote function modules).
2. NW JAVA configured with the SAP ID service as IdP in SAML.
3. NW JAVA and NW ABAP use the same UME. (So if a user goes to our page and logs in with SAML, the user will be created automatically in NW JAVA and NW ABAP.)
Now we are thinking about whether we can migrate the NW JAVA part into HANA Cloud.
So from my understanding the only impact is:
How to make the backend user get created automatically, because there will only be RFC connections between HANA Cloud and the onPremise ABAP; HANA Cloud and ABAP cannot share their UME.
Is there any solution to resolve this problem?
Best regards,
Yu
Well, unfortunately you did not answer the most important questions:
Are we talking of employees or (unknown) internet users?
Do they possess different authorizations (roles) or are they equally empowered?
BR Wolfgang
Hi Wolfgang,
Here are my answers:
Since you asked about the types of users, whether they are employees or internet users: do you mean that if we only support employees we can do the LDAP configuration in ABAP?
Best regards,
Yu
Yu Yu wrote:
- For now we are supporting all users including P users which are registered in the SP we requested, so we are talking about internet users including employees. In the existing landscape we grant different roles for the user types from the SAP ID service. We have different roles (employee, partner, customer, prospect).
- Yes, we already have the P users registered from the SAP ID service; after that they can create a solution in our system. So it's possible that in the system they already have personalized data in the onPremise backend system.
- Everyone has personalized data in the system; the changes will be a lot if we change the SSO connection to a technical user connection. And that also means all roles from the ABAP system cannot be reused.
Since you asked about the types of users, whether they are employees or internet users: do you mean that if we only support employees we can do the LDAP configuration in ABAP?
Apparently you are referring to the SAP ID Service (i.e. the SAML IdP which is used by SAP for SCN and other SAP cloud services, knowing all employees, customer users, etc. - https://accounts.sap.com). I thought that you were referring to the SAP Cloud Identity solution (part of HCP, user management is under sole control of the customer).
So, I see the problem: you cannot simply replicate every SAP ID Service user to your backend (in advance) - because the SAP ID Service knows millions of users and only a small fraction might ever use your service. So, what you are actually looking for is a kind of "user provisioning on-the-fly" (resp. "on demand"). The challenge is: this needs to be an instant (synchronous) provisioning (since it's blocking the request processing). Ordinary user provisioning is not that time-critical, so I'm not sure whether there is any solution available already - such instant provisioning is a new requirement.
Thanks for your reply.
If there is no existing solution in system configuration,
I have an idea:
1. I set up two RFC destinations: one for business calls (SSO), another for user creation or update (no SSO; configured with a system user who has the authority to create or update users).
2. Every time a user logs in to the HCP frontend, the frontend Java application calls the second RFC destination to check if the user has already been created; if not, it creates the user in the ABAP system via BAPI.
3. Then all business scenarios call via the first RFC destination.
Best regards,
Yu
Well, that's a feasible way - but you have to code it yourself:
Instead of a pre-check on the user's existence, I'd create the missing user account only if the normal logon attempt fails due to a missing mapping - the specific error code (34) can be examined so that you can react accordingly. After the user has been created you can repeat the logon attempt, once - but make sure that you avoid an infinite loop...
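The two-destination design proposed above, combined with the "create only on mapping error, retry once" refinement, as an added example that is not part of the thread and not SAP code. It is a stand-alone Python model with no JCo, no real RFC and no real ABAP system: AbapBackend, SsoDestination, AdminDestination, provision_on_demand and the role table are illustration names, and the only value taken from the thread is error code 34 for "logon failed, no user mapping". The toy backend applies a CERTRULE-style rule (subject CN equals the user ID) on top of explicit EXTID_DN-style entries, so a certificate for a user that does not yet exist fails with that code.

```python
"""On-demand ABAP user provisioning behind an SSO RFC destination.

Added illustration only: no JCo, no real RFC, no real ABAP system. All class
and function names are assumptions made for this example. Error code 34 is the
value quoted in the thread for 'logon failed because no user mapping exists'.
"""
from dataclasses import dataclass, field

NO_MAPPING_CODE = 34     # assumed: the code the RFC layer surfaces for a missing mapping
MAX_LOGON_ATTEMPTS = 2   # one normal attempt + exactly one retry after provisioning

# Cloud-side user type -> backend role (constructed sample values, not real roles)
ROLE_BY_USER_TYPE = {"employee": "Z_EMPLOYEE", "partner": "Z_PARTNER",
                     "customer": "Z_CUSTOMER", "prospect": "Z_PROSPECT"}


class RfcLogonError(Exception):
    def __init__(self, code, msg):
        super().__init__(f"RFC logon error {code}: {msg}")
        self.code = code


def parse_dn(dn):
    """Parse 'CN=I070219, OU=..., O=...' into a dict; first value wins for repeated
    attribute types. Escaped commas inside values are not handled."""
    parts = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        parts.setdefault(key.strip().upper(), value.strip())
    return parts


@dataclass
class AbapBackend:
    """Toy stand-in for the ABAP system: user master plus certificate mapping."""
    users: dict = field(default_factory=dict)      # user_id -> set of roles
    extid_dn: dict = field(default_factory=dict)   # explicit subject DN -> user (EXTID_DN style)
    rule_cn_is_user: bool = True                   # CERTRULE-style rule: CN is the user ID
    logon_attempts: int = 0

    def map_certificate(self, subject_dn):
        if subject_dn in self.extid_dn:            # explicit entries take precedence
            return self.extid_dn[subject_dn]
        if self.rule_cn_is_user:
            return parse_dn(subject_dn).get("CN")
        return None

    def logon_with_cert(self, subject_dn):
        self.logon_attempts += 1
        user = self.map_certificate(subject_dn)
        if user is None or user not in self.users:  # mapping must point at an existing account
            raise RfcLogonError(NO_MAPPING_CODE, "no user mapping for certificate")
        return user

    def create_user(self, user_id, roles):
        if user_id in self.users:
            return False
        self.users[user_id] = set(roles)
        return True


@dataclass
class SsoDestination:
    """Principal-propagation destination: the cloud user's short-lived X.509 carries
    only the principal (CN), which is all the backend gets to see."""
    backend: AbapBackend

    def call(self, cloud_user, fm):
        subject = f"CN={cloud_user}, OU=HCP Scenarios, O=SAP Trust Community, C=DE"
        return fm(self.backend.logon_with_cert(subject))


@dataclass
class AdminDestination:
    """Technical-user destination: may create users, never runs business logic."""
    backend: AbapBackend
    created: list = field(default_factory=list)

    def create_user(self, user_id, roles):
        ok = self.backend.create_user(user_id, roles)
        if ok:
            self.created.append(user_id)
        return ok


def provision_on_demand(sso, admin, cloud_user, user_type, fm):
    """Run fm over the SSO destination. Only on error 34 create the account through
    the admin destination and retry once; any other error, or a second failure,
    propagates so the loop is bounded."""
    for attempt in range(1, MAX_LOGON_ATTEMPTS + 1):
        try:
            return sso.call(cloud_user, fm)
        except RfcLogonError as err:
            if err.code != NO_MAPPING_CODE or attempt == MAX_LOGON_ATTEMPTS:
                raise
            admin.create_user(cloud_user, [ROLE_BY_USER_TYPE[user_type]])


if __name__ == "__main__":
    backend = AbapBackend()
    sso, admin = SsoDestination(backend), AdminDestination(backend)
    print(provision_on_demand(sso, admin, "I070219", "partner", lambda u: f"hello {u}"))
```

The admin destination exists only so that the SSO destination never needs user-administration authority; keeping the two apart is what lets the business calls stay under the propagated user's own roles. The second attempt is the last one: if provisioning does not make the mapping resolvable (for example, neither an EXTID_DN entry nor a matching rule exists), the error is returned to the caller rather than retried again.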