SSO Portal to System


SSO Configuration - CCSS 1 | P a g e

1) How do I test SSO

Go to System Administration -> Support -> SAP Application. Under Test and Config Tools select SAP Transaction, choose the mandatory parameters, enter the TCode and click Go. If the username exists in the backend system (with authorization for the TCode), you are logged in directly. If you are prompted for a user name and password, your SSO is not set up correctly.

P.S. The SSO test has to be carried out with a username that exists in both the backend and the portal, or with user mapping in place.

2) SSO Procedure:

If you are planning SSO to an R/3 system, follow the procedure below:

1. Go to transaction STRUSTSSO2.
2. Delete the existing certificate of the portal (only) from the Certificate List and the ACL.
3. In the portal, go to System Admin -> System Config -> Keystore Admin and press the button "Download verify.der file".
4. Go to transaction STRUSTSSO2 again.
5. Import the certificate downloaded from the portal.
6. Add it to the certificate list.
7. Add it to the ACL.
8. Check transaction RZ10.
9. Select Profile: Instance Profile and the radio button Extended Maintenance.
10. Check whether the following three parameters exist with the proper values; if not, create them with the corresponding values:
    a) login/accept_sso2_ticket = 1
    b) login/create_sso2_ticket = 2
    c) icm/host_name_full = <Backend_Host>.<domain>

Check this plan with your Basis administrator, because changing an RZ10 parameter requires a server restart for the change to take effect.

3) SSO Configuration Steps

What is SSO?

Single sign-on (SSO) is a method of access control that enables a user to log in once and gain access to the resources of multiple software systems without being prompted to log in again (enter ID and password).

Definition:

"Single sign-on (SSO) is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session."

Single Sign-On (SSO) is a key feature of the Enterprise Portal that eases user interaction with the many component systems available to the user in a portal environment. Once the user is authenticated to the enterprise portal, he or she can use the portal to access external applications. With SSO in the Enterprise Portal, the user can access different systems and applications without having to repeatedly enter his or her user information for authentication.

Why should we use SSO?

•         A typical net user needs at least nine passwords
•         30% never change passwords, 29% less than once a year
•         70% have forgotten a password at least once
•         35% of people use the same password for multiple applications
•         60% of people cycle two passwords across all applications

How is it used in SAP NetWeaver?

There are several user authentication and Single Sign-On (SSO) mechanisms available with SAP NetWeaver. The Enterprise Portal SSO mechanism is available in two variants, depending on security requirements and the supported external applications:

1.      SSO with user ID and password
2.      SSO with SAP logon tickets

Both variants eliminate the need for repeated logons to individual applications after the initial authentication at the enterprise portal. SSO with user ID and password forwards the user's logon data (user ID and password) to the systems that the user wants to call, whereas SSO with SAP logon tickets is based on a secure ticketing mechanism.

1) Single Sign-On with User ID and Password

The Single Sign-On (SSO) mechanism with user name and password provides an alternative for applications that cannot accept and verify SAP logon tickets. With this SSO mechanism the Portal Server uses user mapping information provided by users or administrators to give the portal user access to external systems. The portal components connect to the external system with the user's credentials. Either the end user or the administrator must map each user's user ID and password to the user ID and password used in the component systems, if these differ from the portal user data. As the user's user ID and password are sent across the network, you should use a secure protocol such as Secure Sockets Layer (SSL) for sending the data.

2) Single Sign-On with SAP Logon Tickets

SAP logon tickets represent the user credentials. The Portal Server issues a logon ticket to a user after successful initial authentication. The logon ticket itself is stored as a cookie on the client and is sent with each request of that client. It can then be used by external applications such as SAP systems to authenticate the portal user to those external applications without any further user logons being required. SAP logon tickets contain information about the authenticated user. They do not contain any passwords.

Specifically, logon tickets contain the following items:

•         Portal user ID and one mapped user ID for external applications
•         Validity period
•         Information identifying the issuing system
•         Digital signature

Thus SSO is a very powerful technique for getting access to all resources with just one password. Once SSO is implemented, you don't have to remember a password for each resource. But we must be very careful when using SSO, since that one password is the only key that can unlock all the other locks; hence it should be in safe hands.


Configuring Single Sign-On (SSO) Between SAP EP 6.0 and the SAP NetWeaver 7.0 Portal

Use

The logon method SAPLOGONTICKET ensures that no logon prompt appears when an SAP NetWeaver 7.0 iView is called in an SAP NetWeaver 2004 portal (SAP EP 6.0). Neither the administrator nor the user has to maintain users and passwords for each user manually.

If you selected SAPLOGONTICKET as the logon method, proceed as follows:

Procedure

You configure Single Sign-On (SSO) in two steps:

       1.      Export the portal certificate from the J2EE Engine of the SAP NetWeaver 7.0 portal.
       2.      Import the portal certificate to the SAP NetWeaver 2004 portal (SAP EP 6.0) and add it to the Access Control List (ACL).

Exporting the Portal Certificate from the SAP NetWeaver 7.0 Portal (to be obtained from the backend system, Dewall42)

       1.      Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.bat.
       2.      Connect to the portal server.
       3.      Choose <SID> -> Server<#> -> Services -> Key Storage.
       4.      iViews: Select the view TicketKeystore.
       5.      Entries: Select SAPLogonTicketKeypair-cert.


If SAPLogonTicketKeypair-cert does not exist, you need to create a portal certificate manually.

           i.       Entry: Choose Create. Enter the following values in Key and Certificate Generation:

●    Subject Properties: Every key must have a value under Value. The value CN=Common Name is the first value that is displayed. This is the certificate name. The recommendation to use the <SID> of the portal server also applies.
●    Entry Name: SAPLogonTicketKeypair (the system generates the entry SAPLogonTicketKeypair-cert).
●    Store Certificate: X
●    Algorithm: DSA

           ii.      To generate the certificate, choose Generate.
           iii.     Entries: Select SAPLogonTicketKeypair-cert.

SAPLogonTicketKeypair-cert.crt

       6.      Entry: Choose Export.

       7.      Export the portal certificate as <PORTAL_SID>_certificate.crt in the file format X.509 Certificate (*.crt).

Importing the Portal Certificate to the SAP NetWeaver 2004 Portal (SAP EP 6.0) (to be obtained from the portal system, Dewall35)

       1.      Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.bat.

       2.      Connect to the portal server.

       3.      Choose <SID> -> Server<#> -> Services -> Key Storage.

       4.      iViews: Select the view TicketKeystore.

       5.      Entry: Choose Load.

       6.      Open the file <PORTAL_SID>_certificate.crt.

In the Security Provider service, under Ticket, perform the following steps to ensure that the SAP J2EE Engine accepts SAP logon tickets from the SAP NetWeaver 7.0 portal as an external system.

       7.      Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.bat.

       8.      Connect to the portal server.

       9.      Choose <SID> -> Server<#> -> Services -> Security Provider.

   10.      Components: Choose Ticket.

   11.      Choose the Authentication tab page.

   12.      Add the following values for com.sap.security.core.server.jaas.EvaluateTicketLoginModule:

○       trustedsys<Number>=<PORTAL_SID>, <PORTAL_CLIENT> (for example, J2E, 000)
○       trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example, CN=J2E)
○       trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example, CN=J2E)

<Number> is the same number for all three entries, but must be incremented by one for each external system.

<PORTAL_SID> and <PORTAL_CLIENT> are the system ID and client of the SAP NetWeaver 7.0 portal. The client is the value of the parameter login.ticket_client. The default value is 000.

<ISSUER_DISTINGUISHED_NAME> and <SUBJECT_DISTINGUISHED_NAME> are the values of [issuerDN] and [DN] of the certificate SAPLogonTicketKeypair-cert (see above).

You also have to add these values under evaluate_assertion_ticket:

   13.      Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.bat.

   14.      Connect to the portal server.

   15.      Choose <SID> -> Server<#> -> Services -> Security Provider.

   16.      Components: Select evaluate_assertion_ticket.

   17.      Choose the Authentication tab page.

   18.      Add the following values for com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule:

○       trustedsys<Number>=<PORTAL_SID>, <PORTAL_CLIENT> (for example, J2E, 000)
○       trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example, CN=J2E)
○       trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example, CN=J2E)

The values are the same as the above values under Ticket.
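The three options above must stay consistent across both login modules. The following Python checker is an added example, not SAP code: it models the option format the text gives (the trustedsys/trustediss/trusteddn names are the page's; parse_options, validate, is_trusted and the sample option lines are constructed for this example) and checks the rules stated above: one <Number> shared by the three options of a system, a different <Number> for each external system, and a match against the issuing portal's SID, client, issuer DN and subject DN.

```python
import re
from collections import defaultdict

# Option line format from the text: trustedsys<N>=<SID>, <CLIENT>;
# trustediss<N>=<issuerDN>; trusteddn<N>=<subjectDN>.
OPTION_RE = re.compile(r"^trusted(sys|iss|dn)(\d+)=(.*)$")

def parse_options(text):
    """Group the option lines by <N>: {N: {"sys": (SID, CLIENT), "iss": DN, "dn": DN}}."""
    entries = defaultdict(dict)
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = OPTION_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised option line: {line!r}")
        kind, number, value = m.group(1), int(m.group(2)), m.group(3).strip()
        if kind == "sys":  # "<SID>, <CLIENT>": tolerate spacing around the comma
            value = tuple(part.strip() for part in value.split(",", 1))
        entries[number][kind] = value
    return dict(entries)

def validate(entries):
    """Return the problems found; an empty list means the options are consistent."""
    problems, seen = [], {}
    for number, opts in sorted(entries.items()):
        missing = sorted({"sys", "iss", "dn"} - set(opts))
        if missing:  # all three options must carry the same <N>
            problems.append(f"entry {number}: missing " + ", ".join("trusted" + k for k in missing))
        system = opts.get("sys")
        if system in seen:  # each external system gets its own <N>
            problems.append(f"entry {number}: {system[0]}/{system[1]} already trusted as entry {seen[system]}")
        elif system:
            seen[system] = number
    return problems

def is_trusted(entries, sid, client, issuer_dn, subject_dn):
    """True when one complete entry matches all four properties of an incoming ticket."""
    return any(o.get("sys") == (sid, client) and o.get("iss") == issuer_dn
               and o.get("dn") == subject_dn for o in entries.values())

# Constructed sample: the page's example portal J2E/000 plus a second portal
# (hypothetical SID EP6) whose trusteddn option was forgotten.
SAMPLE = """
trustedsys1=J2E, 000
trustediss1=CN=J2E
trusteddn1=CN=J2E
trustedsys2=EP6, 000
trustediss2=CN=EP6
"""
```

Running validate(parse_options(SAMPLE)) reports the incomplete second entry, and is_trusted() shows that a ticket from J2E client 001 is refused even though client 000 is trusted.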


Download the .DER file

Verify.der

Import it into the backend system through the GUI. You must be logged in to client 000 only.

Similarly, import the CERT file into the portal.


Add to ACL:

Then go to the backend system (Dewall42):

STRUSTSSO2

Add the certificate (.DER file).


4) SSO Troubleshooting

Some things to check for resolving SSO problems

Profile Parameters

Check that the parameters login/accept_sso2_ticket and login/create_sso2_ticket exist in the default or instance profile.

If you can't find them, insert the following parameters in the default profile, activate it and restart the system:

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 2

A nice way to check this is to run transaction SSO2 with NONE as the RFC destination. This checks whether the profile parameters are set correctly and verifies the imported / existing certificates.

Different Username

If you have a different username in the Portal as in the Backend System, the SSO will fail.

Full Host Name

SSO requires the full host name. Enter transaction RZ10 in your backend system.

Open the default or instance profile and check for the parameter icm/host_name_full. This parameter tells you the full hostname that you must use to make SSO work properly.

If you can't find the parameter, talk to the Basis team or add it yourself.

This full hostname must be used when referring to the system you want to connect to from the portal, and the same value should be used when defining the system in the portal.

Page 11: SSO Portal to System

SSO Configuration - CCSS 11 | P a g e

Cookies

The logon ticket itself is stored as a cookie (MYSAPSSO2) on the client and is sent with each request. Log in with your browser to check whether the cookie is created. Firebug and FireCookie for Firefox are extremely useful tools for checking session-based browser cookies. HTTPWatch is a very useful IE plug-in for inspecting the HTTP request, including cookies, when using Internet Explorer.

Invalid certificates?

Sometimes a client copy may remove your certificate and replace it with the owner certificate from the copied client. Run transaction STRUSTSSO2, choose Replace on the System PSE, and then export it to the portal.

Locked user?

If the user you are using is locked in the backend but not in the portal, SSO may not work. Use transaction SU01 to unlock the user.

ACL

Check that the ACL in the backend (transaction STRUSTSSO2) and in the portal (choose Server --> Services --> Security --> Provider --> Ticket) is correct.

Log files

It is also useful to check the SM50 logs on the target SAP system to see whether there are any associated security/SSO errors in the log. Sometimes they can give you a clue as to why SSO is not working.

These are just pointers on where to look when getting SSO to work. You should also use the DefaultTrace file for "debugging" the situation.

The following is a quick checklist to help you see whether SSO is set up correctly in your backend system. Please use this list before posting questions about SSO in the portal forums.

5) SSO checklist

If you are going to post a question in one of the portal forums relating to SSO, please ensure you read this entry first. As a quick checklist, ensure:

1. you are using fully qualified domain names in the system landscape definition and when accessing the portal;

2. your certificate hasn't expired;

3. your backend RZ10 settings are correct (login/accept_sso2_ticket);

4. you have uploaded the certificate to the backend system (STRUSTSSO2);

5. there is an entry in the ACL table (TWPSSO2ACL) in the backend client you are connecting to; the table can be reached via SM30;

6. you have the same username in the portal and backend, OR you have set up user mapping.

Copy the above checklist, plus your answers, to your forum post to show you have followed the steps, and explain what the SSO problem is.

If you use transaction SSO2 (that's the letter O) and enter NONE for the RFC destination, it will check the value of login/accept_sso2_ticket and a few other things.
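Checklist items 1 and 3, applied to a backend profile as an added example (not SAP code): it parses the parameter = value lines of a profile as shown by RZ10 and reports the points this section says to check. parse_profile, check_sso_profile, the sample profile text and the host names are constructed for this example; the parameter names and values are the ones given above.

```python
# Values the text says the backend profile must carry.
EXPECTED = {"login/accept_sso2_ticket": "1", "login/create_sso2_ticket": "2"}

def parse_profile(text):
    """Return {parameter: value} from RZ10-style profile text; '#' lines are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value
    return params

def check_sso_profile(params, portal_system_host):
    """Return the list of findings; an empty list means the profile passes the checks."""
    findings = []
    for key, wanted in EXPECTED.items():
        value = params.get(key)
        if value is None:
            findings.append(f"{key} missing: add '{key} = {wanted}', activate and restart")
        elif value != wanted:
            findings.append(f"{key} is {value}, expected {wanted}")
    host = params.get("icm/host_name_full")
    if host is None:
        findings.append("icm/host_name_full missing: ask the Basis team or add it yourself")
    else:
        if "." not in host:  # checklist item 1: fully qualified domain name
            findings.append(f"icm/host_name_full={host} is not fully qualified")
        if host.lower() != portal_system_host.lower():  # same value in the portal system definition
            findings.append(f"portal system definition uses {portal_system_host}, "
                            f"profile says {host}: they must be identical")
    return findings

# Constructed sample: a default profile with accept_sso2_ticket missing and a
# short host name, while the portal system definition points at the FQDN.
SAMPLE_PROFILE = """
# constructed DEFAULT.PFL excerpt
SAPSYSTEMNAME = DEV
login/create_sso2_ticket = 2
icm/host_name_full = dewall42
"""

if __name__ == "__main__":
    for finding in check_sso_profile(parse_profile(SAMPLE_PROFILE), "dewall42.example.com"):
        print("-", finding)
```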
