NW2004S Single Sign-On Between EP and BI for Siemens Canada v1[1].0


Contents:

1. Introduction
2. Preparation for the Single Sign-On Configuration
   2.1 Documents required
   2.2 OSS Notes required
   2.3 Prerequisites
   2.4 CDs required
3. Configuration Steps
   3.1 Configuring Single Sign-On between EP and BI
   3.2 Test Single Sign-On Configuration

Confidential Page: 1

Version: 3.00 Page: 1 / 17


1. Introduction

This document describes the configuration steps and document checklist for the Single Sign-On (SSO) configuration that has been completed on the Siemens Canada setup by SISL.

Please note that the configuration guide on the Service Marketplace is the final document; this document does not replace the original guide provided by SAP.

SISL has configured SSO between the EP and BI Development Systems on NW2004s components with SPS10 installed.

2. Preparation for the Single Sign-On Configuration

2.1 Documents required

The document is available under http://help.sap.com/saphelp_nw2004s

2.2 OSS Notes required

2.3 Prerequisites

JDK version 1.4 must be installed on the Windows server. You may download this from the Internet. The actual file used is j2sdk-1_4_2_13-windows-ia64.exe

- The operating system loaded is Windows 2003 SP 1
- NW2004s EP with SPS10
- NW2004s BI with SPS10


2.4 CDs required

3. Configuration Steps

3.1 Configuring Single Sign-On between EP and BI

1) Export the certificate from the portal (verify.der and verify.pse)
   a) Navigate to 'System Administration' >> 'System configuration' >> 'Keystore Administration'.
   b) In 'Content' select "SAPLogonTicketKeypair-cert", then press "Download verify.pse file" and "Download verify.der file" and save both files.

2) Check the existence of the SAPJSF user in the target system
   a) Create it if necessary using transaction SU01.
   b) The user should have two roles: SAP_BC_JSF_COMMUNICATION and SAP_BC_USR_CUA_CLIENT_RFC (if you have CUA in place).
   c) You will probably have to generate profiles for those roles in the target system (transaction PFCG).


3) Check profile parameters
   a) Use transaction RZ10.
   b) Choose the instance profile, 'Extended maintenance', then 'Change'.
   c) Make sure that "login/create_sso2_ticket" is set to "2" and "login/accept_sso2_ticket" is set to "1".

4) Export the certificate from the target system (the system to which you want to connect using SSO from the portal)
   a) Use transaction STRUSTSSO2.
   b) Under "Own Certif.", double-click the "CN=..." part.


   c) Press the "Export certificate" button in the middle of the screen and provide the file name and path where the certificate file should be saved.

5) Import the portal certificate into the target system
   a) Use transaction STRUSTSSO2 in the target system.
   b) Press the "Import certificate" button in the middle of the screen.


   c) In the 'File path' field enter the path to the *.der file you created in step 1 (or point at it via the 'Browse' button).
   d) Press "Enter".
   e) Press the 'Add to certificate list' button and then the 'Add to ACL' button.

6) Create a JCo RFC provider in the J2EE engine of the portal system
   a) Log on to J2EE using the J2EE Admin tool (go.bat).
   b) Navigate to the 'Server' >> 'JCo RFC provider' node.
   c) On the right side of the screen choose any entry in the 'Available RFC destinations' area.
   d) Enter information about the new destination:
      - Program ID: name of the program (you will need it later), for example sapj2ee_port
      - Gateway host: FQDN (Fully Qualified Domain Name) of the target system, for example server.domain.com
      - Gateway service: for example sapgw00
   e) In the 'Repository' section enter:
      - Application server host: FQDN of the target system, for example server.domain.com
      - System number: for example 00
      - Client: for example 100
      - Logon language: EN
      - User: SAPJSF (from step 2)
      - Password (from step 2)
   f) Press 'Set'.


7) Add the target system to the Security Provider list
   a) Open J2EE Admin and navigate to 'Server' >> 'Services' >> 'Security Provider'. In components select 'Ticket'. Enter edit mode (the pencil button above).
   b) Select the login module "com.sap.security.core.server.jaas.EvaluateTicketLoginModule" and press 'Modify'.
   c) Ensure that "ume.configuration.active" is set to "true".


   d) Enter the following options:
      - Name 'trustedsysN', where N is a number (if the target system is the first one you are implementing SSO with, use 'trustedsys1'). Enter <SID>,<client> as the value (C11,100 for example).
      - Name 'trustedissN', where N is a number (if the target system is the first one you are implementing SSO with, use 'trustediss1'). Enter CN=<SID> as the value (CN=C11 for example).
      - Name 'trusteddnN', where N is a number (if the target system is the first one you are implementing SSO with, use 'trusteddn1'). Enter CN=<SID> as the value (CN=C11 for example).
   e) Press 'OK'.
   f) Repeat sub-steps b, c, d and e in the 'evaluate_assertion_ticket' view for the "com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule" login module.


8) Import the target system certificate (from step 4) into the J2EE engine of the portal system
   a) Open J2EE Administrator and log on to the portal instance.
   b) Navigate to 'Server' >> 'Services' >> 'Key storage'.
   c) In the 'Ticket keystore' view press 'load' and select the certificate of the target system that you exported in step 4.


9) Restart the J2EE instance.

10) Create an RFC connection in the target system
   a) Use transaction SM59.
   b) Point to TCP/IP connections and press 'New'.
   c) Enter a name for the new connection ("RFC_to_portal", for example), enter connection type "T" (external TCP/IP application) and a description. Save.
   d) In 'Technical settings' choose "Registered server program" and enter the application name from step 6d in the "Program ID" field. Provide the same 'Gateway host' and 'Gateway service' as in step 6d. Save. Test the connection. The RFC connection is ready.


If you had to change or add parameters in RZ10 (in step 3), do not forget to restart the target system.
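As an added example (not part of the original guide and not SAP tooling), the Python script below checks the login-module options from step 7 (sub-steps c, d and f) for consistency before the restart in step 9: every trustedsysN needs matching trustedissN and trusteddnN entries, and, following this guide's CN=<SID> convention, the CN must equal the SID. The function names, the dict input and the SID/client patterns are assumptions made for the illustration.

```python
import re

# Option names from step 7d: trustedsysN, trustedissN, trusteddnN.
OPTION_RE = re.compile(r"^(trustedsys|trustediss|trusteddn)(\d+)$")
SYS_RE = re.compile(r"^([A-Z][A-Z0-9]{2}),(\d{3})$")  # assumed <SID>,<client> shape
KINDS = ("trustedsys", "trustediss", "trusteddn")


def cn_of(dn):
    """Return the CN value of a distinguished name, or None if it has none."""
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def check_trusted_systems(options):
    """Return a list of problems found in one login module's options."""
    problems = []
    if options.get("ume.configuration.active", "").strip().lower() != "true":
        problems.append("ume.configuration.active is not 'true'")
    entries = {}  # N -> {"trustedsys": value, "trustediss": value, ...}
    for name, value in options.items():
        m = OPTION_RE.match(name)
        if m:
            entries.setdefault(int(m.group(2)), {})[m.group(1)] = value.strip()
    for n in sorted(entries):
        entry = entries[n]
        missing = [f"{k}{n}" for k in KINDS if k not in entry]
        if missing:
            problems.append(f"entry {n}: missing {', '.join(missing)}")
            continue
        m = SYS_RE.match(entry["trustedsys"])
        if not m:
            problems.append(f"entry {n}: trustedsys{n} is not <SID>,<client>")
            continue
        for kind in ("trustediss", "trusteddn"):
            if cn_of(entry[kind]) != m.group(1):
                problems.append(f"entry {n}: {kind}{n} CN is not {m.group(1)}")
    return problems


# Constructed sample: entry 1 has a mistyped DN, entry 2 lacks trusteddn2.
SAMPLE = {
    "ume.configuration.active": "true",
    "trustedsys1": "C11,100", "trustediss1": "CN=C11", "trusteddn1": "CN=C12",
    "trustedsys2": "B11,100", "trustediss2": "CN=B11",
}
print("\n".join(check_trusted_systems(SAMPLE)))
```

Run the same check against the options of both the 'ticket' and the 'evaluate_assertion_ticket' components, since step 7f repeats the entries there.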


3.2 Test Single Sign-On Configuration

1. Testing from EP

a) Go to System Administration -> System Configuration -> System Landscape

b) Create a System using the System Template for Dedicated App Server.

c) Set the User Mapping Configuration

d) Set the Connector Properties


e) Create System Alias


f) Test connection


Note:

The connection test might sometimes fail, which does not necessarily mean that the SSO configuration has been done incorrectly.

g) Go to Content Administration -> Portal Content, create a Transactional iView that uses the System Alias created above, and check that it works.


2. Testing from BI System

Go to transaction STRUSTSSO2

Go to Environment -> SAP Logon Ticket

Enter the RFC destination as NONE and Execute
