SSO configuration from CE 7.2 to ERP 6.0 EhP4

THorton
Explorer
0 Kudos

Hi All,

We are trying to configure SSO from our CE 7.2 system to our ERP 6.0 EhP4 system, such that we can use logon tickets for the ERP destination template. We have completed the following configuration:

1. Added the ERP system as a trusted system in CE 7.2

a. NWA --> Configuration Management --> Security --> Trusted Systems

b. Add Trusted System --> By Querying Trusted System

2. Exported the public key from CE and imported into ERP

a. NWA --> Configuration Management --> Security --> Certificates and Keys

b. Highlighted TicketKeystore, then SAPLogonTicketKeypair-cert

c. Export Entry

d. Logged into client 000 of ERP system

e. STRUSTSSO2

f. Imported certificate, adding it to both the certificate list and the ACL

3. Configure the Destination Template to Use Logon Tickets

a. NWA --> SOA Management --> Destination Template Management

b. Highlighted the ERP DT

c. Clicked on the Security tab

d. Selected the Logon Ticket radio button

We are using a very simple Visual Composer application to test the destination template. The VC app calls a service in the ERP system and returns data from a query. When we run the VC app, we are receiving the following error message:

Error in Connection :Could not retrieve metadata

Error occurred while executing the service. Error in Connection :Could not retrieve metadata

Error occurred while executing the service. Error occurred while executing the service. Error in Connection :Could not retrieve metadata

Log /usr/sap/<SID>/<instance>/j2ee/cluster/server0/log/system/security_00.0.log contains the following information:

2.0^H#2010 12 14 11:34:09:918#0-500#Info#/System/Security/Authentication#
#BC-JAS-SEC#security#00215E5F4572076100000000002AC0D6#15716050000000004#sap.com/tcwddispwda#com.sap.engine.services.security.authentication.logincontext.table#u799592#36##FA086DC2079F11E0A097000000EFCED2#a18a3387079f11e0810b000000efced2#a18a3387079f11e0810b000000efced2#0#Thread[HTTP Worker [@1945118155],5,Dedicated_Application_Thread]#Plain##

LOGIN.OK

User: u799592

IP Address: 168.136.241.36

Authentication Stack: sap.com/tcwddispwda*webdynpro_dispatcher

Login Module Flag Initialize Login Commit Abort Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false
   #1 trusteddn1 = CN=QAS,OU=I0820037617,OU=SAP Web AS,O=SAP Trust Community,C=DE
   #2 trustediss1 = CN=QAS,OU=I0820037617,OU=SAP Web AS,O=SAP Trust Community,C=DE
   #3 trustedsys1 = QAS,000
   #4 ume.configuration.active = true

2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true true

3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true True

#2.0^H#2010 12 14 11:34:15:011#0-500#Warning#/System/Security/Authentication#
com.sap.ASJ.secsrv.000129#BC-JAS-SEC#security#00215E5F4572076300000008002AC0D6#15716050000000004#sap.com/tjh_devcomp_impl#com.sap.engine.services.security.authentication.loginmodule.ticket#u799592#36##FA086DC2079F11E0A097000000EFCED2#afdb20ac079f11e09268000000efced2#afdb20ac079f11e09268000000efced2#0#Thread[HTTP Worker [@673479470],5,Dedicated_Application_Thread]#Plain##
Key under alias [SAPLogonTicketKeypair] cannot be retrieved from keystore view [TicketKeystore]. Authentication stack: [<null>]. The default kestore view is [TicketKeystore]. The default keypair alias is [SAPLogonTicketKeypair]. Check the login module options and UME properties.#

Any ideas as to what configuration may be wrong/missing?

Thanks in advance for any help you can provide.
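As an added illustration (not code from this thread or from SAP), here is a small Python parser for security log records of the shape quoted above. It assumes the record layout shown in the post: a header line split on `#` with the timestamp in the third field and the severity in the fifth, and the message text following the `Plain##` field. The sample log embedded below is constructed from the two records posted, not copied from a live system. Running it over the records shows the two things a defender wants to see at a glance: that the ticket login module did not accept a ticket (authentication fell through to the password module), and that the keypair under `SAPLogonTicketKeypair` could not be read from `TicketKeystore`.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the records quoted in the thread.
SAMPLE_LOG = """#2.0#2010 12 14 11:34:09:918#0-500#Info#/System/Security/Authentication#
#BC-JAS-SEC#security#00215E5F4572076100000000002AC0D6#15716050000000004#sap.com/tcwddispwda#com.sap.engine.services.security.authentication.logincontext.table#u799592#36##FA086DC2079F11E0A097000000EFCED2#a18a3387079f11e0810b000000efced2#a18a3387079f11e0810b000000efced2#0#Thread[HTTP Worker [@1945118155],5,Dedicated_Application_Thread]#Plain##
LOGIN.OK
User: u799592
IP Address: 168.136.241.36
Authentication Stack: sap.com/tcwddispwda*webdynpro_dispatcher
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true true
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true true
#
#2.0#2010 12 14 11:34:15:011#0-500#Warning#/System/Security/Authentication#
com.sap.ASJ.secsrv.000129#BC-JAS-SEC#security#00215E5F4572076300000008002AC0D6#15716050000000004#sap.com/tjh_devcomp_impl#com.sap.engine.services.security.authentication.loginmodule.ticket#u799592#36##FA086DC2079F11E0A097000000EFCED2#afdb20ac079f11e09268000000efced2#afdb20ac079f11e09268000000efced2#0#Thread[HTTP Worker [@673479470],5,Dedicated_Application_Thread]#Plain##
Key under alias [SAPLogonTicketKeypair] cannot be retrieved from keystore view [TicketKeystore]. Authentication stack: [<null>]. The default kestore view is [TicketKeystore]. The default keypair alias is [SAPLogonTicketKeypair]. Check the login module options and UME properties.#
"""

# Assumption: every record begins with a "#2.0#" header line.
RECORD_START = re.compile(r"^#2\.0#", re.MULTILINE)
# One row of the login-module table: index, class, JAAS flag, then the result columns.
MODULE_ROW = re.compile(
    r"^\d+\.\s+(?P<module>\S+)\s+(?P<flag>SUFFICIENT|REQUISITE|REQUIRED|OPTIONAL)"
    r"\s+(?P<init>\S+)\s+(?P<login>\S+)\s+(?P<commit>\S+)",
    re.MULTILINE,
)
KEY_MISSING = re.compile(
    r"Key under alias \[(?P<alias>[^\]]+)\] cannot be retrieved from keystore view \[(?P<view>[^\]]+)\]"
)


@dataclass
class LogRecord:
    timestamp: str
    severity: str
    category: str
    message: str


def parse_records(text):
    """Split the log text into records and pull out header fields and message."""
    records = []
    starts = [m.start() for m in RECORD_START.finditer(text)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        header_line, _, rest = text[start:end].partition("\n")
        fields = header_line.split("#")
        # fields: ['', '2.0', timestamp, tz offset, severity, category, '']
        if len(fields) < 6:
            continue
        # Assumption: the free-text message follows the "Plain##" field.
        _, sep, message = rest.partition("Plain##")
        if not sep:
            message = rest
        message = message.strip().rstrip("#").strip()
        records.append(LogRecord(fields[2], fields[4], fields[5], message))
    return records


def login_module_results(record):
    """Return (short module name, flag, login ok?, commit ok?) per table row."""
    return [
        (m["module"].rsplit(".", 1)[-1], m["flag"], m["login"] == "true", m["commit"] == "true")
        for m in MODULE_ROW.finditer(record.message)
    ]


def findings(records):
    """Security-relevant observations: keystore problems and SSO fall-through."""
    out = []
    for r in records:
        m = KEY_MISSING.search(r.message)
        if m:
            out.append(f"{r.timestamp} {r.severity}: keypair '{m['alias']}' not readable "
                       f"from view '{m['view']}'; ticket creation/verification will fail")
        if r.message.startswith("LOGIN.OK"):
            rows = login_module_results(r)
            ticket = [row for row in rows if row[0] == "EvaluateTicketLoginModule"]
            pw = [row for row in rows if row[0] == "BasicPasswordLoginModule"]
            if ticket and not ticket[0][2] and pw and pw[0][2]:
                out.append(f"{r.timestamp}: no logon ticket was accepted; "
                           "authentication fell back to password")
    return out


if __name__ == "__main__":
    for line in findings(parse_records(SAMPLE_LOG)):
        print(line)
```

The fall-through finding is the same information the thread later turns on: the password-based login works, so the destination itself is fine, and the missing keypair is what keeps the ticket path from working.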

Accepted Solutions (1)

junwu
Active Contributor
0 Kudos

Have you checked all the prerequisites? Like the domain, time clock, ...

Also, at the ECC side, have you changed the profile to accept logon tickets?

Answers (11)

Former Member
0 Kudos

Try step 2 with your "business client".

nico_luhr
Explorer
0 Kudos

Hello,

When you try to use SSO for a service in destination template management, you have to define the system you are calling as a reference system in the portal. You can define a reference system by calling the portal, then choosing system administration -> system configuration -> ume configuration -> user assignment.

Kind Regards

Nico Luhr

THorton
Explorer
0 Kudos

Hi All,

This issue is still unresolved. I would appreciate any suggestions.

Thanks very much!

Tommye

THorton
Explorer
0 Kudos

Hi Soujanya,

Yes, when generating the new certificate I selected DSA, 1024 bit, and binary. I also selected store certificate. When uploading it to the ERP system, I logged into client 000 and imported the certificate in binary mode via STRUSTSSO2. I then added the certificate to the certificate list and the ACL.

Thanks!

Former Member
0 Kudos

Hi,

While renewing the SAPLogonTicketKeypair certificate, which algorithm did you choose? DSA or RSA? DSA is used for the http protocol that is normally used. Also in NWA while generating the cert, did you select Binary or Base64? The Binary option is normally used. Once you save it locally, import it to the ABAP system. While importing in STRUSTSSO2, select the option Binary in the radio button. Add to Certificate list and Add to ACL. Add to Cert list is client independent and Add to ACL is client dependent.

Ensure the check box Store certificate is checked while generating the verify.der cert.

You could check all of these settings while generating the certificate and if it still fails let me know.

Rgds,

Soujanya

Edited by: Soujanya Holla on Dec 17, 2010 7:50 AM

THorton
Explorer
0 Kudos

Hi John,

We are using a very simple Visual Composer application to test the destination template. The VC app calls a service in the ERP system and returns data from a query. This VC app works if we use a UID and password.

Thanks!

THorton
Explorer
0 Kudos

Hi Soujanya,

Thanks for your reply. I checked the SAPLogonTicketKeypair entry as you instructed. All of the lights are green. I tried creating a new key pair and then importing the certificate into the ERP system anyway, but I am still getting the same error.

I also tried setting option "ume.configuration.active=true" in the login module "CreateTicketLoginModule" per SAP Note 1159962, and restarting the system, but this did not resolve the issue, either.

I would welcome any other suggestions you have.

Thanks!

Tommye

junwu
Active Contributor
0 Kudos

How do you test the SSO connection?

Usually I will create an ECC system in the portal and then create a transaction iView to test.

THorton
Explorer
0 Kudos

Hi Craig,

No, we have not resolved the issue. If/when we find a resolution I will post it in this thread.

Thanks very much for the suggestion on using assertion tickets. I would like to give that a try. Can you post a link to the documentation you used for the configuration or post some instructions?

Thanks again,

Tommye

Former Member
0 Kudos

Hi,

You can also log in to NWA and check if the ticket is valid under NWA. Go to NWA -> Configuration Management -> Security -> Certificates and Keys. Go to the Ticket Key store and then the SAPLogonTicketKeypair entry and check if the ticket is valid. If not, delete it and renew it. Then download and upload the same on your backend.

Hope this helps. If it still doesn't, let me know. We'll think of another alternative.

Rgds,

Soujanya

THorton
Explorer
0 Kudos

Hi John,

Thanks for your reply. Yes, we have changed the profile on the ECC side to accept logon tickets. Our ECC and CE system are in the same domain and their clocks are configured with the same time. However, I do not remember seeing any prerequisites related to domain or time. Could you send me more details?

Can you think of anything else that could be causing the error?

Thanks again!

Tommye

former_member610333
Participant
0 Kudos

Tommye,

Did you figure out what the issue is?

We basically have the same issue.

Take a look at Note 1166904. We changed our setting to Assertion Ticket rather than LogonTicket and it worked.

Not sure what the ramifications of it will be.

THorton
Explorer
0 Kudos

One more piece of information...

The UIDs in CE are the same as in ERP.

Thanks!