Building Block Configuration Guide

Document Version: 1.1 – 2016-04-06

CUSTOMER

SAP S4HANA Fiori Basic Network and Security Configuration (MAB)

Typographic Conventions

Type Style | Description
---|---
Example | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Textual cross-references to other documents.
Example | Emphasized words or expressions.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE | Keys on the keyboard, for example, F2 or ENTER.


CUSTOMER © 2016 SAP SE or an SAP affiliate company. All rights reserved.


Document History

Revision | Date | Change
---|---|---
1 | 2015-11-15 | Version 1
1.1 | 2016-04-06 | Technical update


Table of Contents

1 Purpose
2 Preparation
  2.1 Prerequisites
3 Securing Network Channels
  3.1 Enabling SNC between Gateway and ABAP back-end system (Optional)
    3.1.1 Enabling SNC for the ABAP System
    3.1.2 Securing an RFC Connection with SNC
  3.2 Enable Web Dispatcher to Use HTTPS
  3.3 Enabling Front-End Server to Use HTTPS
    3.3.1 Preparation for Front-End Server
    3.3.2 Installing the SAP Cryptographic Library
    3.3.3 Configuration Steps in Front-End Server
    3.3.4 Verify the configuration with Task List
  3.4 Enabling SSL between Web Dispatcher and ABAP Front-End Server
    3.4.1 Import root certificate to SSL Client PSE with sapgenpse Tool
    3.4.2 Import root certificate to SSL Client PSE through Web Administration Interface (Optional)
  3.5 Enabling ABAP Back-End Server to Use HTTPS
4 Additional Network Security
  4.1 Activating HTTP Security Session Management on AS ABAP
  4.2 User Management
    4.2.1 Authorization Concept
5 Single Sign-On (SSO) with SSO2
  5.1 Configuring SSO with SSO2 between Business Suite and Gateway
    5.1.1 Configure the Gateway system to create SAP logon ticket
    5.1.2 Configuring Trust Relationship in Business Suite System
    5.1.3 Configuring Trust Relationship in Gateway System
    5.1.4 Activating Single Sign-On Trust Relationship in Business Suite System
  5.2 SSO with SSO2 verification
6 Transportation


1 Purpose

The purpose of this document is to describe the basic security configuration related to SAP Fiori. When running the SAP Business Suite system, make sure that the data and processes supporting the business do not allow unauthorized access to critical information. User errors, negligence, or attempted manipulation of the system must not result in loss of information or processing time. These security requirements apply equally to SAP Fiori applications.

The document covers the following topics:
1. The steps required to manually enable security for an internal deployment.
2. The steps to enable Single Sign-On (SSO) with SSO2 (SSO2 is a shortcut for SAP logon tickets) across the whole system landscape.

Advanced security configuration, including other SSO mechanisms such as Kerberos, SAML and X.509, is described in a separate guide (MAC) in the standalone S/4HANA UX Best Practice package.


2 Preparation

2.1 Prerequisites

Before you start installing this scope item, you must install the prerequisite building blocks. For more information, see the Building Block Prerequisites Matrix for SAP Fiori Apps rapid-deployment solution. You will find this document in the content library included in the documentation package.

PSEs must be created correctly, and SSL must be enabled on every server.

Regarding how to create PSEs in Trust Manager in ABAP systems, refer to http://help.sap.com → SAP NetWeaver → Function-Oriented View → Security → System Security → System Security for SAP NetWeaver AS ABAP Only → Trust Manager.


3 Securing Network Channels

Securing network channels means transferring data in a way that resists eavesdropping and tampering. The network topology for SAP Fiori components is based on the topology used by SAP NetWeaver Gateway, SAP NetWeaver, and SAP HANA. To ensure confidentiality and integrity of data, we recommend encrypting all communication channels. The following table shows the communication channels used by the SAP Fiori apps, the protocol used for the connections, and the type of data transferred.

Note: Database-level encryption is supported, but it is a separate activity and is not described in this document. The encryption methods between front end and back end are listed below.

Communication Path | Protocol Used | Type of Data Transferred | Related App Types
---|---|---|---
Web browser to SAP Web Dispatcher | OData (HTTP/HTTPS) | Application data and security credentials | Fact Sheets, Analytical Apps. Note: optional if the customer only deploys transactional apps in the system landscape.
SAP Web Dispatcher to ABAP front-end server (SAP NetWeaver Gateway) | OData (HTTP/HTTPS) | Application data and security credentials | All. Note: optional if the customer only deploys transactional apps in the system landscape.
SAP Web Dispatcher to ABAP back-end server (ERP, CRM, SRM, SCM) | INA (HTTP/HTTPS) | Application data and security credentials (for search and back-end transactions) | Fact Sheets. Note: optional if the customer only deploys transactional apps in the system landscape.
ABAP front-end server to ABAP back-end server (ERP, CRM, SRM, SCM) | RFC | Application data and security credentials | Transactional Apps and Fact Sheets
ABAP back-end server to SAP HANA / any DB | SQL | Application data and security credentials | Analytical Apps

3.1 Enabling SNC between Gateway and ABAP back-end system (Optional)

SNC (Secure Network Communications) secures the data communication paths between the various SAP system client and server components. It relies on well-known cryptographic algorithms implemented by the external security products supported with SNC and applies them to the data to increase its protection. With SNC, all communication that takes place between two SNC-protected components is secured. This step is optional for the customer and depends on the customer's own security policy.

3.1.1 Enabling SNC for the ABAP System

Caution: If SNC is not activated globally for the SAP system instances, follow these steps to enable SNC for both the SAP NetWeaver Gateway system and the SAP Backend Suite system.

1. Go to transaction RZ10, choose the instance profile, select Extended maintenance under Edit Profile, and then choose Change.
2. Choose Create (F5).
3. Set the following parameters.

Parameter | Explanation | Value
---|---|---
snc/enable | Activate SNC | 1
snc/gssapi_lib | Path and file name of the external shared library | Example: $(DIR_EXECUTABLE)/libsapcrypto.so
snc/identity/as | SNC name of the application server as known by the external security product | Example: p/secude:CN=ABA, O=SAP-AG, C=DE
snc/r3int_rfc_secure | Internal RFC connections are not SNC-protected | 0

4. Restart the system.


Note: If conventional connections that are not protected with SNC must also be accepted in parallel, the following parameters need to be set as well.

Parameter | Explanation | Value
---|---|---
snc/accept_insecure_gui | Accept unprotected SAP GUI logons | 1
snc/accept_insecure_rfc | Accept unprotected RFCs | 1
snc/accept_insecure_cpic | Accept unprotected CPICs | 1
snc/permit_insecure_start | Allows the gateway to start programs without using SNC-protected communications | 1
snc/accept_insecure_r3int_rfc | Accept unprotected internal RFC connections | 1

Each of these values keeps an unprotected path open next to SNC, so a client on the network can still reach the system without SNC. Treat them as a migration aid and set them back to 0 once all SAP GUI clients and RFC partners communicate with SNC.

3.1.2 Securing an RFC Connection with SNC

1. In the SAP Backend Suite system, access the activity using one of the following navigation options:
   Transaction Code: SM59
   SAP Menu: Tools → Administration → Administration → Network → RFC Destinations
2. On the Configuration of RFC Connections screen, place the cursor on the RFC destination to the Gateway system and choose Change.
3. Choose the Logon & Security tab page.
4. Under Status of Secure Protocol, choose the SNC button. The Change View "SNC Extension: Details" screen appears.
5. Enter the quality of protection in the QoP field. Keep the default value 8. (QoP = Quality of Protection: 1 = authentication only, 2 = integrity protection, 3 = privacy protection, 8 = the default of the security product, 9 = the maximum the security product supports. Value 8 only gives encryption if the security product's default level includes it; choose 3 or 9 explicitly when confidentiality of the RFC data is required.)
6. Enter the SNC name of the communication partner in the Partners field; here, enter the SNC name of the SAP NetWeaver Gateway system that was defined in the previous section.
   Example: p/secude:CN=ABA, O=SAP-AG, C=DE
7. Save the SNC options and return to the destination maintenance screen.
8. Choose the radio button Active under Status of Secure Protocol.
9. Save the settings.

Log on to the SAP NetWeaver Gateway system and add the SAP Backend Suite system, for which SNC was configured in the previous steps, to the access control list:

10. In the SAP NetWeaver Gateway system, open transaction SNC0.
11. Choose New Entries and specify the system ID and the SNC name of the SAP Backend Suite system.
    Example: p:CN=ERP, O=SAP-AG, C=DE
12. Select the checkbox Entry for RFC activated.
13. Save the changes.
14. Access the activity using one of the following navigation options:
    Transaction Code: SM59
    SAP Menu: Tools → Administration → Administration → Network → RFC Destinations
15. On the Configuration of RFC Connections screen, place the cursor on the RFC destination to the Backend Suite system and choose Display.
16. Choose Utilities → Test → Connection Test.
17. Choose Utilities → Test → Authorization Test.

3.2 Enable Web Dispatcher to Use HTTPS

Prerequisites
Make sure that the SAP Cryptographic Library (SAPCRYPTOLIB) has already been downloaded and extracted. For more information about installing the SAP Cryptographic Library (SAPCRYPTOLIB), refer to Software and Delivery Requirements.

Procedure
1. Access the operating system of the SAP Web Dispatcher and edit its instance profile WDP_W<Instance Number>_<hostname>.

   Note: This is an example for a Linux system. The SAP Web Dispatcher must be used when the customer wants to deploy analytical apps and fact sheets. It is an optional component if the customer only deploys transactional apps.

2. To enable HTTPS for the Web Dispatcher, make sure that the SAP Cryptographic Library (sapcrypto.dll on Windows, libsapcrypto.so on Linux) has already been installed. Add the following profile parameters to the instance profile WDP_W<Instance Number>_<hostname> and adapt them to the customer's business requirements:

   DIR_INSTANCE = <SECUDIR_Directory>
   ssl/ssl_lib = <Location_of_SAP_Cryptographic_Library>
   ssl/server_pse = <Location_of_SSL_server_PSE>
   ssl/client_pse = <Location_of_SSL_client_PSE>
   wdisp/ssl_encrypt = 1
   wdisp/ssl_auth = 1
   icm/HTTPS/forward_ccert_as_header = true
   wdisp/ping_protocol = https
   icm/HTTPS/verify_client = 1

   Note: The parameter wdisp/ssl_encrypt determines whether the SAP Web Dispatcher encrypts the request again with SSL before forwarding it:
   o wdisp/ssl_encrypt = 0: the Web Dispatcher receives HTTPS-encrypted data, decrypts it and forwards it unencrypted to the SAP back end. The hop between Web Dispatcher and back end is then in clear text.
   o wdisp/ssl_encrypt = 1: the Web Dispatcher receives HTTPS-encrypted data, decrypts it, re-encrypts it and forwards encrypted data to the SAP back end. This is the setting used in this guide.
   o wdisp/ssl_encrypt = 2: SSL is not terminated; the request is passed through encrypted to the SAP back end. Because the Web Dispatcher cannot read the request in this mode, it can neither route on the URL nor add the client certificate header set by icm/HTTPS/forward_ccert_as_header.

   Note: icm/HTTPS/verify_client = 1 requests a client certificate from the browser but does not require one (0 = do not request, 2 = require). With icm/HTTPS/forward_ccert_as_header = true the Web Dispatcher passes that certificate to the back end in an HTTP header, so the back end must accept this header only from the Web Dispatcher; a client that could reach the back end directly could otherwise supply the header itself. wdisp/ssl_auth = 1 makes the Web Dispatcher authenticate itself to the back end with the certificate in its SSL client PSE, which lets the back end tell the Web Dispatcher apart from other clients.

   Example: The following profile parameter settings enable HTTPS for the Web Dispatcher.
   wdisp/ssl_encrypt = 1
   wdisp/ssl_auth = 1
   icm/HTTPS/forward_ccert_as_header = true
   wdisp/ping_protocol = https
   icm/HTTPS/verify_client = 1
   DIR_INSTANCE = ./
   ssl/ssl_lib = /sapmnt/ABA/exe/uc/linuxx86_64/libsapcrypto.so
   ssl/server_pse = /usr/sap/WDP/W03/sec/SAPSSLS.pse
   ssl/client_pse = /usr/sap/WDP/W03/sec/SAPSSLC.pse

3. Test the Web Dispatcher URL in a web browser:
   https://<Web Dispatcher Hostname>:<Web Dispatcher Port>/sap/admin/public/default.html

3.3 Enabling Front-End Server to Use HTTPS

3.3.1 Preparation for Front-End Server

1. Download the SAP Cryptographic Library installation package. For more information about downloading the SAP Cryptographic Library, refer to Software and Delivery Requirements.
2. Download the SAPCAR installation package. For more information about downloading the tool SAPCAR, refer to Software and Delivery Requirements.
3. Use the tool SAPCAR to extract the package with the following command:
   SAPCAR -xvf <Package Path> -R <Extract to Folder>

Note: The SAP Cryptographic Library installation package contains the following files:
o The SAP Cryptographic Library (sapcrypto.dll for Windows or libsapcrypto.<ext> for UNIX).
o A corresponding license ticket (ticket).
o The configuration tool sapgenpse.exe (sapgenpse on UNIX).

3.3.2 Installing the SAP Cryptographic Library

1. Log on to the front-end system as user <SID>adm.
2. Copy the library file and the configuration tool sapgenpse to the directory specified by the application server's profile parameter DIR_EXECUTABLE.
3. Check the file permissions of the SAP Cryptographic Library. Make sure that <SID>adm or SAPService<SID> is able to execute the library's functions.
4. Copy the ticket file to the sub-directory sec of the instance directory $(DIR_INSTANCE).
5. Set the environment variable SECUDIR to the sec sub-directory. The application server uses this variable to locate the ticket and its credentials at run time.

Note: If the environment variable is set on the command line, the value may not be applied to the server's processes. Therefore, we recommend setting SECUDIR in the startup profile of the server's user or in the registry (Windows).

3.3.3 Configuration Steps in Front-End Server

1. Log on to the SAP NetWeaver Gateway system.
2. Access the transaction using the following transaction code:
   Transaction Code: RZ10
3. Add the following parameters:
   ssl/ssl_lib = <DIR_EXECUTABLE>/sapcrypto.dll
   sec/libsapsecu = <DIR_EXECUTABLE>/sapcrypto.dll
   ssf/name = SAPSECULIB
   ssf/ssfapi_lib = <DIR_EXECUTABLE>/sapcrypto.dll
   icm/server_port_1 = PROT=HTTPS,PORT=443<System No.>,TIMEOUT=30,EXTBIND=1

   Caution: The library file name depends on the platform: sapcrypto.dll on Windows, libsapcrypto.so on Linux (the example in section 3.2 uses the Linux name). Adapt the three library parameters accordingly.

4. Save and restart the SAP instance.
5. Create the Personal Security Environments (PSEs).
   o Transaction STRUST is used to manage the configuration of the system's SSL certificates and the secure containers in which they are stored (known as PSEs).
   o A Personal Security Environment (PSE) is a secure file at operating-system level, managed by an SAP system, that holds both the public and private information of either a user or a component.
   o This information includes the owner's public-key certificate, a private address book of certificates, and the private key.


   o Each component within an SAP system that requires SSL-based communication typically has its own PSE. Each PSE can contain a list of trusted certificates that are used during communication with a particular secure server.

   Note: For more information about configuring PSEs, refer to http://help.sap.com → Technology → SAP NetWeaver Platform → Function Oriented View → Security → Network and Transport Layer Security → Transport Layer Security on the AS ABAP → Configuring the AS ABAP for Supporting SSL.

   o Next, create the SSL Server Standard PSE. This is the PSE that holds the SSL server's certificate.
   o The SSL Client (Standard) PSE holds a list of trusted certificates used when NW Gateway acts as an HTTPS client, for example during back-channel communication with the Identity Provider.

   Recommendation: The PSEs called SSF SAML2 Service Provider – E and SSF SAML2 Service Provider – S belong to SAP's Secure Store & Forward (SSF) component. Unless non-standard settings are needed, do not create these PSEs manually; they are created when the SAML2 configuration wizard is run.

   Note: SSF SAML2 Service Provider – E is used by SSF to encrypt data sent to the Identity Provider. SSF SAML2 Service Provider – S is used by SSF to sign data sent to the Identity Provider. Signed data can be sent either in encrypted form or as plain text.

   Caution: The CA root certificate of the SSL Server Standard PSE's own certificate must be imported into the trusted certificate list of both the SSL Client (Standard) PSE and the SSL Client (Anonymous) PSE. Otherwise the ABAP front-end server cannot establish the internal SSL connections it makes to itself.

6. Afterwards, verify that the service can be called in a web browser using the https prefix:
   https://<SAP NW Gateway Host>:<https port>/sap/bc/ping?sap-client=<SAP-Client>
   Example: https://mo-026968435.mo.sap.corp:44300/sap/bc/ping?sap-client=080
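The profile parameters in sections 3.1.1 and 3.2 and the icm/server_port entry in step 3 above are easy to leave in a state that silently keeps a plaintext path open: an snc/accept_insecure_* value of 1, wdisp/ssl_encrypt = 0, or a server port with PROT=HTTP next to the HTTPS one. The following shell script is an added example, not part of this guide or of SAP's tooling. It reads an instance profile in the plain parameter = value syntax, prints one FINDING line per such setting and counts them. The two profiles written by demo_audit are constructed for the example; the paths in them are the ones used earlier in this guide.

```shell
#!/bin/sh
# Added example, not part of the SAP guide: audit an SAP instance profile for
# the settings from sections 3.1.1, 3.2 and 3.3.3 that leave a plaintext path
# open. Assumes the plain "parameter = value" profile syntax with '#' comment
# lines; the profiles written by demo_audit are constructed for this example.

# profile_get FILE PARAM: print the value of PARAM (the last definition wins,
# as in a real profile), or nothing if it is not set.
profile_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
            }
        }
        END { if (val != "") print val }' "$1"
}

# audit_snc FILE (section 3.1.1): SNC is on, but an "accept insecure" fallback
# still admits unprotected GUI, RFC or CPIC connections.
audit_snc() {
    [ "$(profile_get "$1" snc/enable)" = "1" ] || return 0   # SNC itself is optional (3.1)
    for p in snc/accept_insecure_gui snc/accept_insecure_rfc \
             snc/accept_insecure_cpic snc/permit_insecure_start \
             snc/accept_insecure_r3int_rfc; do
        [ "$(profile_get "$1" "$p")" = "1" ] &&
            echo "FINDING: $p = 1 accepts unprotected connections alongside SNC"
    done
    return 0
}

# audit_wdisp FILE (section 3.2): wdisp/ssl_encrypt = 0 terminates SSL at the
# Web Dispatcher and forwards the request to the back end in clear text.
audit_wdisp() {
    [ "$(profile_get "$1" wdisp/ssl_encrypt)" = "0" ] &&
        echo "FINDING: wdisp/ssl_encrypt = 0 forwards decrypted traffic to the back end"
    return 0
}

# audit_icm_ports FILE (section 3.3.3): flag icm/server_port_<n> entries that
# accept plain HTTP, and HTTPS ports without ssl/ssl_lib or ssl/server_pse.
audit_icm_ports() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*icm\/server_port_[0-9]+[ \t]*=/ {
            v = toupper(substr($0, index($0, "=") + 1)) ","
            if (v ~ /PROT *= *HTTP *,/) print "FINDING: " $0 " accepts plain HTTP"
            if (v ~ /PROT *= *HTTPS/) https = 1
        }
        END { if (https) print "HAS-HTTPS" }' "$1" |
    while IFS= read -r line; do
        if [ "$line" = "HAS-HTTPS" ]; then
            [ -n "$(profile_get "$1" ssl/ssl_lib)" ] ||
                echo "FINDING: HTTPS port configured but ssl/ssl_lib is not set"
            [ -n "$(profile_get "$1" ssl/server_pse)" ] ||
                echo "FINDING: HTTPS port configured but ssl/server_pse is not set"
        else
            echo "$line"
        fi
    done
    return 0
}

# audit_sap_profile FILE: run every check; one FINDING line per problem.
audit_sap_profile() {
    audit_snc "$1"
    audit_wdisp "$1"
    audit_icm_ports "$1"
}

# finding_count FILE: number of FINDING lines (0 means the profile passed).
finding_count() {
    audit_sap_profile "$1" | grep -c '^FINDING' || true
}

# demo_audit: a constructed Web Dispatcher profile as left after a first pass
# through sections 3.1.1 to 3.3.3, and the same profile after hardening.
demo_audit() {
    weak=$(mktemp); hardened=$(mktemp)
    cat >"$weak" <<'EOF'
snc/enable = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
wdisp/ssl_encrypt = 0
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300,TIMEOUT=30,EXTBIND=1
EOF
    cat >"$hardened" <<'EOF'
snc/enable = 1
wdisp/ssl_encrypt = 1
ssl/ssl_lib = /sapmnt/ABA/exe/uc/linuxx86_64/libsapcrypto.so
ssl/server_pse = /usr/sap/WDP/W03/sec/SAPSSLS.pse
icm/server_port_1 = PROT=HTTPS,PORT=44300,TIMEOUT=30,EXTBIND=1
EOF
    audit_sap_profile "$weak"
    echo "weak profile: $(finding_count "$weak") finding(s); hardened: $(finding_count "$hardened")"
    rm -f "$weak" "$hardened"
}

[ "${1:-}" = "demo" ] && demo_audit
```

Run it as `sh audit.sh demo` to see the constructed profiles, or call `audit_sap_profile /usr/sap/<SID>/SYS/profile/<profile>` against a real instance profile after the steps above; the weak constructed profile yields six findings, the hardened one none. The script only reads the profile file, so it does not see parameters set dynamically in a running instance.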

3.3.4 Verify the configuration with Task List

Use
Use task list SAP_BASIS_SSL_CHECK to verify the SSL enablement settings of the front-end server.

Procedure
1. Log on to your SAP ABAP system.
2. Call the following transaction:
   Transaction Code: STC01
3. On the Task Manager for Technical Configuration screen, enter SAP_BASIS_SSL_CHECK in the Task List field.
4. Choose Generate Task List Run (F8). The Maintain Task List Run screen is displayed.
5. Choose Start/Resume Task List Run in Dialog. Once the task list run has finished successfully, green lights appear in the Status column.

Result
The task list run SAP_BASIS_SSL_CHECK has been carried out successfully.

3.4 Enabling SSL between Web Dispatcher and ABAP Front-End Server

For end-to-end secure communication, the Web Dispatcher needs SSL connections to the back-end systems it forwards to: the ABAP Front-End Server (Gateway) for transactional apps, and the Suite system with Enterprise Search enabled for fact sheets. Since both the Gateway and the Suite system are ABAP systems, the general steps are similar. The root certificate import steps below refer to the ABAP front-end server, but they are also valid for the Suite system if fact sheets are used.

Note: These steps only need to be performed separately for the Suite system when a self-signed certificate is used. With CA-issued certificates, the Gateway and the Suite system normally share the same root CA, so there is no need to repeat the import for the Suite system.


3.4.1 Import root certificate to SSL Client PSE with sapgenpse Tool

Note: Below is an example for Linux.

1. Access the operating system of the SAP Web Dispatcher and copy the root certificate of the front-end server's SSL server standard certificate to the security directory, as /usr/sap/<Webdispatcherinstance>/W<Instance Nr.>/sec/<root certificate>.cer.
   o If the front-end SSL server standard PSE is signed by a public CA, the copied root certificate is the CA's root certificate.
   o If the front-end SSL server standard PSE is self-signed, the copied root certificate is the SSL server standard certificate itself. In the self-signed case, the SSL server standard certificate acts as its own root certificate.
2. In a command prompt, use the sapgenpse tool to run the following command. The root certificate must be the same certificate as in the step above.
   ./sapgenpse maintain_pk -p /usr/sap/<Webdispatcherinstance>/W<Instance Nr.>/sec/SAPSSLC.pse -a <root certificate>.cer

Note: If the sapgenpse tool is used to import the root certificate, the SAP Web Dispatcher must be restarted to reload the new configuration.
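Step 1 above hinges on telling whether the front-end server's certificate is self-signed (then it is its own root) or CA-issued (then the CA's root certificate is the one to import). The following shell functions are an added example, not part of this guide or of SAP's tooling: cert_role decides that with openssl by comparing subject and issuer, pem_cert_count checks that the file holds exactly one PEM certificate before it is imported (the sapgenpse import and the paste in section 3.4.2 both expect that), import_root_into_pse runs the maintain_pk -a command from step 2 and then lists the PSE's trust list with maintain_pk -l, and restart_web_dispatcher performs the restart from the note above with sapcontrol. It assumes openssl, sapgenpse and sapcontrol are on the PATH; the paths and the instance number 03 in the usage comment are the placeholders used in this guide.

```shell
#!/bin/sh
# Added example, not part of the SAP guide: decide what the "root certificate"
# of section 3.4.1 is, check the PEM file, import it into the Web Dispatcher's
# SSL client PSE and restart the instance. Assumes openssl, sapgenpse and
# sapcontrol are on PATH; paths and instance number are this guide's placeholders.

# cert_subject PEMFILE / cert_issuer PEMFILE: the two names without the
# "subject=" / "issuer=" prefix that openssl prints (old and new formats).
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# cert_role PEMFILE: "self-signed" when subject and issuer are identical (the
# server certificate is its own root, second case of step 1) or "ca-signed"
# (import the CA root instead, first case of step 1).
cert_role() {
    if [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# pem_cert_count PEMFILE: number of PEM certificates in the file. Exactly one
# is expected here and for the paste in section 3.4.2 (0 usually means DER).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# import_root_into_pse PSE PEMFILE: step 2 of section 3.4.1, followed by a
# listing of the trust list (PKList) so the operator can see the new entry.
import_root_into_pse() {
    pse=$1; cert=$2
    if [ "$(pem_cert_count "$cert")" -ne 1 ]; then
        echo "$cert must contain exactly one PEM certificate" >&2
        return 1
    fi
    echo "importing $(cert_role "$cert") root: $(cert_subject "$cert")"
    sapgenpse maintain_pk -p "$pse" -a "$cert" || return 1
    sapgenpse maintain_pk -p "$pse" -l
}

# restart_web_dispatcher INSTANCE_NR: sapgenpse only edits the PSE file on
# disk; the running Web Dispatcher picks it up after a restart (note above).
restart_web_dispatcher() {
    sapcontrol -nr "$1" -function RestartInstance
}

# Typical run with the placeholders from this section:
#   import_root_into_pse /usr/sap/WDP/W03/sec/SAPSSLC.pse /usr/sap/WDP/W03/sec/root.cer
#   restart_web_dispatcher 03
```

If cert_role reports ca-signed for the file you copied, you copied the server certificate of a CA-issued PSE; go back to step 1 and fetch the CA's root certificate instead, otherwise the Web Dispatcher will trust only that one server certificate and the connection breaks at the next certificate renewal.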

3.4.2 Import root certificate to SSL Client PSE through Web Administration Interface (Optional)

Use
This is a supplementary procedure, an alternative to using the sapgenpse tool as described in the previous chapter. To import a root certificate into the SSL client PSE of the SAP Web Dispatcher, proceed as follows.

Procedure
1. Start the Web Administration Interface of the Web Dispatcher at the following URL (use the HTTPS port once HTTPS is enabled, so that the administrator credentials are not sent in clear text):
   http://<WebDispatcherHost>:<WebDispatcherPort>/sap/admin/
2. Go to PSE Management under SSL and Trust Configuration in the left navigation pane.
3. In the Manage PSE screen area, choose SAPSSLC.pse from the drop-down menu.
4. Open the <root certificate> with a text editor.
5. Copy the content (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines).
6. Choose the button Import Certificate.

Note: The button Import Certificate imports a public-key certificate of a communication partner and adds it to the PSE's own list of trusted certificates (known as the PSE PKList). The certificate is imported via a text editor, so it has to be available as a PEM-encoded (Base64) certificate.

7. Paste the content into the text area Import Certificate to Trusted List of PSE SAPSSLC.pse.
8. Choose Import.
9. The <root certificate> has been added successfully to the certificate list under Trusted Certificates.

3.5 Enabling ABAP Back-End Server to Use HTTPS

Since the ABAP back-end server is also based on SAP NetWeaver, its configuration steps are the same as for the ABAP front-end server. To enable the ABAP back-end server to use HTTPS, refer to section 3.3, Enabling Front-End Server to Use HTTPS.


4 Additional Network Security

This section describes session security protection. Establish session security protection for the ABAP front-end server.

4.1 Activating HTTP Security Session Management on AS ABAP

1. Start HTTP Session Management (transaction SICF_SESSIONS). A list of all clients that exist in the system appears.
2. Select the relevant line and choose Activate. The Security Audit Log records the activation or deactivation of HTTP Security Session Management.

Note: SAP Fiori apps support logout only with the ABAP front-end server. If additional SAP NetWeaver Gateway systems are deployed, the corresponding HTTP sessions are not closed when the user logs out. In this case, it is important to have session expiration configured (profile parameter http/security_session_timeout).

4.2 User Management

SAP Fiori apps adopt the user management and authorization concepts provided by SAP NetWeaver ABAP. Therefore, the security recommendations and guidelines for user and role administration and authorization described in the SAP NetWeaver Application Server ABAP Security Guide also apply to the SAP Fiori apps.

4.2.1 Authorization Concept

To use SAP Fiori apps, users need the following types of entities:
o UI: The SAP Fiori UI entities that define which SAP Fiori apps are displayed to the user.
o Authorizations: The authorizations that are required to use the business logic of the SAP Fiori apps.

The SAP Fiori apps retrieve dynamic content using OData services. OData services define the required authorizations.


5 Single Sign-On (SSO) with SSO2

Use
Single Sign-On (SSO) is a key feature of the SAP NetWeaver Portal that eases user interaction with its many components. With SSO, the user can access different systems and applications without having to repeatedly enter his or her user information for authentication. SAP NetWeaver Application Server (AS) ABAP supports several Single Sign-On (SSO) mechanisms. The following sections describe the configuration steps for enabling SSO with SSO2 (a shortcut for SAP logon tickets), that is, using the SAP logon ticket to realize Single Sign-On.

Caution: Single Sign-On with SAP logon tickets is recommended for test and PoC purposes only. Customers who use SAP logon tickets face several restrictions:
o User IDs have to be identical in all systems; user mapping is not possible.
o All connected systems have to be within the same DNS domain.
o The DSA 1024 algorithm used for SAP logon tickets cannot be extended to reflect state-of-the-art security technology.

5.1 Configuring SSO with SSO2 between Business Suite and Gateway

Use
This is used when the customer deploys fact sheets in the SAP Fiori system landscape.

5.1.1 Configure the Gateway system to create SAP logon ticket

1. Log on to the NetWeaver Gateway system.
2. Go to transaction RZ10, choose the instance profile, select Extended maintenance under Edit Profile, and then choose Change.
3. Set the following parameter.

Parameter | Explanation | Value
---|---|---
login/create_sso2_ticket | Enable the AS ABAP to issue logon and assertion tickets (value 2 issues tickets without embedding the issuing system's certificate) | 2

4. Restart the system.


5.1.2 Configuring Trust Relationship in Business Suite System

1. Log on to the Business Suite system.
2. Start the Trust Manager application (transaction STRUSTSSO2).
3. On the Trust Manager for Single Sign-On with Logon Ticket screen, expand System PSE and select the green node of the application server host.
4. Choose Certificate → Import.
5. In the Import Certificate dialog box, provide the path to the SAP logon ticket certificate of the gateway system.

Note: Use the certificate that has been downloaded from the SAP NetWeaver Gateway system. It can be found on the Own Certificate tab under the System PSE node in the SAP NetWeaver Gateway system.

6. Choose Continue.
7. In the SAP GUI Security dialog box, choose Allow.
8. Choose Add to Certificate List.
9. Choose Add to ACL and enter the gateway system ID and client.
10. Choose OK.
11. Choose Save.

5.1.3 Configuring Trust Relationship in Gateway System

1. Log on to the SAP NetWeaver Gateway system.
2. Start the Trust Manager application (transaction STRUSTSSO2).
3. On the Trust Manager for Single Sign-On with Logon Ticket screen, expand System PSE and select the green node of the application server host.
4. Choose Certificate → Import.
5. In the Import Certificate dialog box, provide the path to the SAP logon ticket certificate of the Business Suite system.

Note: Use the certificate downloaded from the SAP Business Suite system. It can be found on the Own Certificate tab under the System PSE node in the SAP Business Suite system.

6. Choose Continue.
7. In the SAP GUI Security dialog box, choose Allow.
8. Choose Add to Certificate List.
9. Choose Add to ACL.
10. Enter the Business Suite system ID and client.
11. Choose OK.
12. Choose Save.


5.1.4 Activating Single Sign-On Trust Relationship in Business Suite System

1. Log on to the Business Suite system.
2. Access the activity using one of the following navigation options:
   Transaction Code: SSO2
   SAP Reference IMG Menu: SAP NetWeaver → Application Server → System Administration → Maintain the Public Key Information for the System → Workplace Single Sign-On Administration
3. Enter the parameters in the table below. Either the destination or the host name needs to be entered; both identify the system that issues the logon ticket, that is, the gateway system configured in section 5.1.1.

Field Name | Field Value
---|---
Destination | <RFC destination of the system issuing the logon ticket>. Example: GW2CLNT100
Host Name | <Host name of the system issuing the logon ticket>. Example: Cbq021.sapcoe.sap.com
Instance Number | <Instance number of the system issuing the logon ticket>. Example: 00

4. Run the check. At this point the message Error: System xxx Does not Accept Verified Logon Tickets for system xxx is displayed. It disappears after the activation in the next step.
5. Choose Activate to activate Single Sign-On.

5.2 SSO with SSO2 verification

Use
In this activity, perform the following steps to verify SSO with SSO2.

Note: Make sure that the cookies in the web browser have been cleared first, so that the test does not reuse a ticket from an earlier logon.

Prerequisites
Make sure that the user has the necessary authorizations in the respective systems.

Procedure
1. Open the Chrome or Firefox browser on the local PC.
2. Enter the test URL:
   https://<WebDispatcher Host>:<WebDispatcher port>/sap/bc/ping?sap-client=<sap gateway client>
3. Enter user and password for the gateway system.
4. Enter the Enterprise Search URL of the back-end ABAP system in the URL field:
   https://<WebDispatcher Host>:<WebDispatcher port>/sap/es/search
5. If SSO with SSO2 between the Business Suite system and the Gateway system has been set up successfully, the back-end search service is reached without being asked for user and password again.

Result
Single Sign-On with SSO2 has been set up successfully.
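The browser check above can be repeated from a script, which also lets you look at the ticket cookie itself. The following shell script is an added example, not part of this guide or of SAP's tooling: sso2_check performs steps 2 to 5 with curl (password logon to /sap/bc/ping through the Web Dispatcher, then the back-end /sap/es/search with the received cookies only), and ticket_cookie_flags inspects the Set-Cookie header of the logon ticket. MYSAPSSO2 is the cookie name under which AS ABAP sends the SAP logon ticket; whether it carries the Secure attribute is governed by the profile parameter login/ticket_only_by_https, which this guide does not set. Host, port, client, user, password and CA file are passed in as placeholders; the response headers in demo_cookie_check are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the SAP guide: repeat the section 5.2 check with
# curl and inspect the logon-ticket cookie. Assumes the Web Dispatcher host,
# port, gateway client, a test user and the CA file that signed the Web
# Dispatcher's server certificate are passed in; MYSAPSSO2 is the cookie in
# which AS ABAP sends the SAP logon ticket. Headers in demo_cookie_check are
# constructed for this example.

# ticket_cookie_flags HEADERFILE: look at the Set-Cookie header for MYSAPSSO2
# in a captured response. Prints "missing", "ok", or the problems found
# ("no-httponly" and/or "no-secure").
ticket_cookie_flags() {
    line=$(grep -i '^set-cookie:[ ]*MYSAPSSO2=' "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
        return 0
    fi
    problems=""
    echo "$line" | grep -iq 'httponly' || problems="$problems no-httponly"
    echo "$line" | grep -iq ';[ ]*secure' || problems="$problems no-secure"
    if [ -n "$problems" ]; then
        echo "${problems# }"
    else
        echo ok
    fi
}

# sso2_check HOST PORT CLIENT USER PASSWORD CAFILE: steps 2 to 5 of section
# 5.2. Password logon to the gateway ping service through the Web Dispatcher,
# keep the cookies, then call the back-end Enterprise Search URL with the
# cookies only. Returns 0 when the search service answered 200 without asking
# for credentials again.
sso2_check() {
    host=$1; port=$2; client=$3; user=$4; password=$5; cafile=$6
    jar=$(mktemp); hdr=$(mktemp)
    # logon with password; -c stores MYSAPSSO2 (and sap-usercontext) in the jar
    curl -sS --cacert "$cafile" -u "$user:$password" -c "$jar" -D "$hdr" \
        -o /dev/null "https://$host:$port/sap/bc/ping?sap-client=$client"
    echo "logon ticket cookie: $(ticket_cookie_flags "$hdr")"
    # back end through the Web Dispatcher: the ticket alone must be enough
    status=$(curl -sS --cacert "$cafile" -b "$jar" -o /dev/null \
        -w '%{http_code}' "https://$host:$port/sap/es/search")
    rm -f "$jar" "$hdr"
    echo "back-end search answered HTTP $status"
    [ "$status" = "200" ]
}

# demo_cookie_check: a constructed logon response in which the ticket cookie
# carries HttpOnly but not Secure, which is what you get while
# login/ticket_only_by_https is left at 0.
demo_cookie_check() {
    f=$(mktemp)
    printf 'HTTP/1.1 200 OK\r\nSet-Cookie: sap-usercontext=sap-client=080; path=/\r\nSet-Cookie: MYSAPSSO2=AjExMDAgABABAA; path=/; domain=.example.corp; HttpOnly\r\n\r\n' > "$f"
    echo "constructed response: $(ticket_cookie_flags "$f")"   # no-secure
    rm -f "$f"
}

# Usage: sso2_check <wdisp host> <port> <client> <user> <password> <ca file>
[ $# -eq 6 ] && sso2_check "$@"
```

A result of no-secure means the browser would also send the ticket over a plain HTTP port if one is still open on the Web Dispatcher or the front-end server; set login/ticket_only_by_https = 1 on the issuing system and close the plain HTTP ports. The script deliberately verifies the Web Dispatcher's certificate against the CA file instead of using curl's -k switch, so a wrong root certificate from section 3.4 shows up here as a TLS error rather than being hidden.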


6 Transportation

Use
When implementing and configuring this rapid-deployment solution in a multi-tier customer landscape, the applied configuration settings need to be transported from one system landscape to the next (that is, from a development landscape to a quality landscape and on to a productive landscape in a three-tier environment). This section describes additional aspects that need to be taken into consideration when configuring SAP Fiori in a multi-tier landscape. As a prerequisite, the ABAP transport system between the systems needs to be configured properly.

Procedure
Since all activities described in this configuration guide are carried out at system level, the described configuration settings need to be applied completely in each tier of the system landscape. Profile parameters, PSEs and trust relationships are system-specific and are not carried in transport requests.


www.sap.com/contactsap

© 2016 SAP SE or an SAP affiliate company. All rights reserved.No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.National product specifications may vary.These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. 
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.