
SSO - SAP Logon Ticket Configuration

Single Sign-On with Logon Tickets

Purpose
Logon tickets represent the user's credentials. The portal server issues a logon ticket to a user after successful initial authentication. The ticket is stored as a cookie on the client and is sent with every request of that client. External applications such as SAP systems can then use it to authenticate the portal user without any further user logon. Logon tickets contain information about the authenticated user; they do not contain any passwords. Specifically, a logon ticket contains the following items:
1. Portal user ID and one mapped user ID for external applications
2. Authentication scheme
3. Validity period
4. Information identifying the issuing system
5. Digital signature

When using logon tickets, one system must be the ticket-issuing system. This can be either the portal or another system. We recommend using the portal as the ticket-issuing system, since the portal should be a user's single point of access to all applications. A receiving system verifies the digital signature with the issuer's public key and accepts tickets only from issuers listed in its access control list (ACL); this is why the steps below exchange the portal's certificate before anything else.

To allow SSO using logon tickets between the portal and its component systems, perform the following steps:
- Configure the component systems to accept and verify logon tickets
- Configure the portal server to allow SSO with logon tickets

First of all, make sure that all systems, i.e. Portal, BI WAS (WAS ABAP) and J2EE Server (WAS JAVA), belong to the same DNS domain: the logon ticket is a cookie scoped to that domain, and the browser will not send it to hosts outside it. Enter the fully qualified host names in the hosts file of the Windows system (C:\winnt (or windows)\system32\drivers\etc\hosts). Make the following entries, on the server and on every client system:

#IP ADDRESS   hostname   FQDN
*.*.*.*       ts999epd   ts999epd.dom999.com
*.*.*.*       ts999bwd   ts999bwd.dom999.com

Configure the component systems to accept and verify logon tickets:

Download the public-key certificate of the portal server. Use the Keystore Administration tool to download the verify.der file from the portal:
Log in to the portal with an administrator user.
Navigate to System Administration -> System Configuration -> Keystore Administration.
Select SAPLogonTicketKeypair-cert.
Click Download verify.der file, then click Save. Unzip verify.der.zip to obtain the verify.der file.

verify.der contains only the public key, so it can be copied to every component system. The private key of SAPLogonTicketKeypair must never leave the portal: anyone holding it can forge tickets for any user that the component systems will accept.

Import the public-key certificate of the portal server into the component system's certificate list and add the portal server to the ACL of the component system:

In the SAP system, start transaction STRUSTSSO2.
In the certificate section, choose Import Certificate. The Import Certificate screen appears.
Choose the File tab. In the File path field, enter the path of the portal's verify.der file. Set the file format to Binary and confirm.
Choose Add to Certificate List.
Choose Add to ACL to add the portal server to the ACL.
In the dialog box that appears, enter the portal's system ID and client. By default, the portal's system ID is the common name (CN) of the distinguished name entered during installation of the portal, and the default client is 000. These values must match what the portal writes into its tickets: a ticket whose issuer is not in the ACL is rejected even if its signature verifies.
Save your entry.
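To make the items listed under Purpose and the ACL entry just created concrete, here is an added example that decodes a MYSAPSSO2 ticket cookie and applies the receiving system's issuer and validity checks. It is not code from the original guide or from SAP. Assumptions, also marked in the code: the info-unit IDs follow public descriptions of the ticket format and should be confirmed against a ticket from your own portal; the sample ticket is constructed and carries a dummy signature blob, because real signature verification needs the issuer's verify.der and a PKCS#7 implementation, which this example does not attempt.

```python
"""Decode a MYSAPSSO2 logon ticket and apply the receiving system's ACL check.

Added example, not code from the original guide or from SAP.
"""
import base64
import struct
from datetime import datetime, timedelta

# Info-unit IDs as described in public write-ups of the format (assumption;
# confirm against a ticket from your own portal before relying on them).
FIELD_NAMES = {
    0x01: "user", 0x02: "issuer_client", 0x03: "issuer_sid",
    0x04: "created", 0x05: "valid_hours", 0x06: "rfc", 0x07: "flags",
    0x08: "language", 0x0A: "user_utf8", 0x0B: "auth_scheme",
    0x88: "valid_minutes", 0xFF: "signature",
}
BINARY_FIELDS = {0x07, 0xFF}
# SAP code page number -> Python codec for the text units (assumption).
CODEPAGES = {"1100": "latin-1", "4110": "utf-8", "4103": "utf-16-le"}
TIME_FMT = "%Y%m%d%H%M"


def encode_ticket(fields, codepage=b"1100", signature=b"\x30\x00"):
    """Serialise info units into the cookie form: version byte, 4-byte code page,
    then (id, big-endian length, value) units, signature unit last.
    Used only to build the constructed sample; the signature is a placeholder,
    not a real PKCS#7 signature."""
    body = b"\x02" + codepage
    for fid, value in fields:
        body += struct.pack(">BH", fid, len(value)) + value
    body += struct.pack(">BH", 0xFF, len(signature)) + signature
    return base64.b64encode(body).decode("ascii")


def decode_ticket(cookie):
    """Parse the cookie into {field_name: value}. Text units are decoded with the
    ticket's code page; unknown IDs are kept as bytes under their hex number."""
    raw = base64.b64decode(cookie)
    if len(raw) < 5 or raw[0] != 0x02:
        raise ValueError("not a version-2 logon ticket")
    codec = CODEPAGES.get(raw[1:5].decode("ascii"), "latin-1")
    pos, units = 5, {}
    while pos < len(raw):
        if pos + 3 > len(raw):
            raise ValueError("truncated unit header")
        fid, length = struct.unpack(">BH", raw[pos:pos + 3])
        value = raw[pos + 3:pos + 3 + length]
        if len(value) != length:
            raise ValueError("truncated unit body")
        pos += 3 + length
        name = FIELD_NAMES.get(fid, f"0x{fid:02x}")
        keep_bytes = fid in BINARY_FIELDS or fid not in FIELD_NAMES
        units[name] = value if keep_bytes else value.decode(codec)
    return units


def check_ticket(cookie, acl, now):
    """Mirror the receiver's checks after login/accept_sso2_ticket=1.

    acl: set of (system_id, client) pairs as entered in STRUSTSSO2.
    now: current time as a YYYYMMDDHHMM string (the ticket's own time format).
    Returns (accepted, reasons). Only the *presence* of the signature unit is
    checked here; verification against the issuer's public key is out of scope.
    """
    t = decode_ticket(cookie)
    reasons = []
    issuer = (t.get("issuer_sid"), t.get("issuer_client"))
    if issuer not in acl:
        reasons.append(f"issuer {issuer} not in ACL")
    created = datetime.strptime(t["created"], TIME_FMT)
    lifetime = timedelta(hours=int(t.get("valid_hours", 0)),
                         minutes=int(t.get("valid_minutes", 0)))
    if datetime.strptime(now, TIME_FMT) > created + lifetime:
        reasons.append(f"ticket expired at {created + lifetime:{TIME_FMT}}")
    if "signature" not in t:
        reasons.append("no signature unit")
    return (not reasons, reasons)


# Constructed sample: issued by portal EPD client 000 for user JDOE, valid 8 hours.
SAMPLE_TICKET = encode_ticket([
    (0x01, b"JDOE"), (0x02, b"000"), (0x03, b"EPD"),
    (0x04, b"201001011200"), (0x05, b"8"), (0x08, b"E"), (0x0B, b"default"),
])

if __name__ == "__main__":
    print(decode_ticket(SAMPLE_TICKET))
    print(check_ticket(SAMPLE_TICKET, {("EPD", "000")}, "201001011500"))
```

The same ticket is accepted with the ACL entry ("EPD", "000") and rejected when the ACL lists a different system or when the check runs after the validity window; this is exactly the difference the STRUSTSSO2 entry and the ticket lifetime setting make on the receiving side.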

Set profile parameters

In the SAP system the instance profile must be changed so that the system accepts logon tickets. Perform the following steps:
Start transaction RZ10.
Select the instance profile.
Check the Extended Maintenance option and click Change.
Click Create Parameters and create the following parameters:
  login/accept_sso2_ticket = 1
  login/create_sso2_ticket = 2
  icm/host_name_full = <FQDN of the SAP system, e.g. itc.corp.com>

login/accept_sso2_ticket = 1 makes the system accept tickets from the issuers in its ACL; login/create_sso2_ticket = 2 allows the system to issue tickets of its own (without including the certificate); icm/host_name_full must be the fully qualified name within the shared domain, otherwise the ticket cookie is not associated with the right domain.

Save, activate and restart the ABAP system.
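As an added check for this step (example code, not part of the original guide or of any SAP tool), the following script parses an ABAP instance profile in its plain-text form (one name = value per line, # comments) and verifies the three parameters above, plus the hostname rule from the hosts-file step. It also reports login/ticket_only_by_https, a parameter the guide does not mention; the assumption behind recommending it is that the portal and the ABAP system are reached over HTTPS, since on plain HTTP it would break the SSO just configured. The sample profile is constructed.

```python
"""Check an ABAP instance profile for the logon-ticket parameters from the RZ10 step.

Added example; not part of the original guide or of any SAP tool.
"""

# Constructed sample: the instance profile of the BW system after the RZ10 step.
SAMPLE_PROFILE = """\
# Instance profile (constructed sample)
SAPSYSTEMNAME = BWD
INSTANCE_NAME = DVEBMGS00
login/accept_sso2_ticket = 1        # accept tickets from issuers in the STRUSTSSO2 ACL
login/create_sso2_ticket = 2        # this system may issue tickets itself (no certificate)
icm/host_name_full = ts999bwd.dom999.com
"""

# Values the guide requires.
REQUIRED = {
    "login/accept_sso2_ticket": "1",
    "login/create_sso2_ticket": "2",
}

# Not in the guide: with value 1 the ticket cookie is only sent over HTTPS.
# Assumption: portal and ABAP system are reached via HTTPS.
RECOMMENDED = {
    "login/ticket_only_by_https": "1",
}


def parse_profile(text):
    """Return {parameter: value}; comments and blank lines are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_profile(text, domain):
    """Return a list of (level, message) findings; level is OK, FAIL or WARN.

    domain is the DNS domain shared by portal and component systems (from the
    hosts-file step); icm/host_name_full must be a fully qualified name inside it,
    otherwise the browser never sends the ticket cookie it holds for the portal.
    """
    params = parse_profile(text)
    findings = []
    for name, wanted in REQUIRED.items():
        actual = params.get(name)
        if actual == wanted:
            findings.append(("OK", f"{name} = {actual}"))
        else:
            findings.append(("FAIL", f"{name} is {actual!r}, expected {wanted!r}"))

    host = params.get("icm/host_name_full", "")
    if not host:
        findings.append(("FAIL", "icm/host_name_full is not set"))
    elif "." not in host or not host.lower().endswith("." + domain.lower()):
        findings.append(("FAIL", f"icm/host_name_full = {host} is not an FQDN in {domain}"))
    else:
        findings.append(("OK", f"icm/host_name_full = {host}"))

    for name, wanted in RECOMMENDED.items():
        if params.get(name) != wanted:
            findings.append(("WARN", f"{name} is {params.get(name)!r}, consider {wanted!r}"))
    return findings


def is_ready(findings):
    """True when no finding is a FAIL (WARNs are hardening advice, not blockers)."""
    return not any(level == "FAIL" for level, _ in findings)


if __name__ == "__main__":
    for level, msg in check_profile(SAMPLE_PROFILE, "dom999.com"):
        print(f"[{level}] {msg}")
```

Run it against the profile exported from RZ10 before the restart; a FAIL on icm/host_name_full is the most common reason the ticket arrives at the portal but never at the ABAP system.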

Configure the portal server to allow SSO with logon tickets

Add-In installations only: Change the J2EE Engine client used in the logon tickets. This applies only to dual-stack installations, i.e. J2EE+ABAP engine installations, so it is not required here.

Configure the lifetime of the logon ticket: go to System Administration -> System Configuration -> UME Configuration -> Security Settings and set the value of Lifetime of Logon Ticket. Keep it as short as the users' working day allows; the ticket is a bearer cookie, so a stolen ticket can be replayed by anyone until it expires.

Map portal user IDs to user IDs in other systems: if the users' portal user IDs are the same as their user IDs in the component systems, this mapping is not necessary. (The scenario with different user IDs is dealt with in the next document.)

SAP systems only: set the logon method to logon tickets in the portal system landscape. Create a system to connect to the SAP system and provide all the details in the Connector property category. In the User Management property category, set the value of the property Logon Method to SAPLOGONTICKET. Save your changes.

Now everything is set and ready for the bang!!! Test the application: go to System Administration -> Support -> SAP Application -> SAP Transaction. Select the system you have just created, provide a transaction code, e.g. SE38, set SAP GUI Type to SAP GUI for Windows and press the Go button.

BAM !!!

You have entered the SAP system without providing logon details, using SAP Logon Tickets.

Troubleshooting

This is the error that occurs when you access the backend system with the SAP Logon Ticket method without having configured SSO using logon tickets.

Once you configure the logon ticket, this error is resolved.

Changing the logon stack

Apart from this setup, we need to adjust the JAAS login module stack of the irj portal application through the Visual Administrator. The steps are:
Log in to the Visual Administrator with administrator privileges.
Select Cluster -> Server -> Services -> Security Provider.
On the Policy Configurations tab, select sap.com/irj*irj and add a new login module.
Select CreateTicketLoginModule from the list, set the flag to SUFFICIENT and leave the options empty (NONE).
You now have BasicPasswordLoginModule (flag OPTIONAL) and CreateTicketLoginModule (flag SUFFICIENT), in that order.
These steps enable the portal to create logon tickets for authenticated users.

SAP Notes
701205 - Single Sign-On using SAP Logon Tickets
929512 - The system is unable to interpret the SSO ticket received

If these checks do not resolve the problem, and you are configuring SSO to an ABAP system, create an SM50 trace with only the Security component set to trace level 2. To do so, run transaction SM50 and select some of the dialog work processes (around 5). Then choose Processes -> Trace -> Active components from the menu (or use CTRL-SHIFT-F7). Set the trace level to 2 and select only the Security component. Reproduce the SSO problem and note the time. Return to the SAP system to check the traces you just started (CTRL-SHIFT-F8 in SM50). This trace collects information at work process level, so you need to find the work process that handled the authentication attempt. This procedure is described in more detail in Note 495911.

This is my entry for R/3 on my EP server. The same should be done in the hosts file of the R/3 server.

This is my entry in the services file of the EP.
