
SSO Logon to ECC System

Neha Singh 120 posts since Dec 26, 2008


SSO Logon to ECC System Sep 2, 2009 7:24 AM
Hi,
I want to do SSO with SRM Systems.
I am writing the process in detail.
Please rectify me if I am wrong.
1. Login to Portal as System Administrator.
2. First, there should be a System Object for the SRM System.
3. There should be System Alias for the System Object which should be mapped with
users of SRM Systems.
4. Choose System Administration --> System Configuration --> System Landscape.
5. Find the system you want to assign Single Sign on to and open it and it should be the
SRM System object which is already made by us and test connection done.
6. Choose User Management as Property Category
7. Set Logon Method to SAPLOGONTICKET
Create a Portal Certificate.
8. Log in to the Visual Administrator.
9. Log in should be done by Admin User.
I have one query.
What is OS User?
10. Choose Server --> Services --> KeyStorage --> TicketKeystore.
11. Delete SAPLogonTicketKeypair-cert and SAPLogonTicketKeypair.
12. Choose Create (Create button in the Entry field) and
type in the following information:
a. mark Store Certificate
b. Common Name: Your <SID> (just example)
c. Entry Name: SAPLogonTicketKeypair
d. Store Certificate: Mark it
e. Key Length: 1024
f. Algorithm: DSA
g. Press Generate
Now you will have two entries in the TicketKeyStore:
SAPLogonTicketKeypair
SAPLogonTicketKeypair-cert

Generated by Jive on 2015-02-10+01:00



Step 13 - Export the Portal certificate


13.1 Choose Server --> Services --> KeyStorage --> TicketKeystore
13.2 Choose SAPLogonTicketKeypair-cert and press Export (Export button in the Entry field)
a. Fill in a name of the Certificate
To keep track of your certificate, call it the SID of the Portal
b. Choose either X.509 or Base64 Encoded Format
Now, again I have a query.
What is the difference between X.509 or Base64 Encoded Format?
Which should be used on what type of systems?
Import the Portal certificate to the Backend System
14.1 Log in to the Backend System
In my example, I log in to ERP 2004
I think we have to run STRUSTSSO2 from R/3 or ECC System.
Please correct me if I am wrong.
Export the Backend certificate to your Portal
15.1 You are still in the transaction STRUSTSSO2. Double-click the Owner Certificate and choose Export and
store it on the file system
15.2 Log into Visual Administrator
Choose Server --> Services --> KeyStorage --> TicketKeystore and press Load and choose the Certificate
15.3 Set the Backend System as "ACL" in the Portal
Choose Server --> Services --> Security --> Provider --> Ticket
Choose the Authentication tab and add the following on the
com.sap.security.core.server.jaas.EvaluateTicketLoginModule:
› trustedsys<Number>=<ABAP_SID>, <CLIENT> (for example, ABA, 200)
› trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example, CN=ABA)
› trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example, CN=ABA)


You have set up a trusted relationship between your portal and the backend system. To do so with several
systems, run this guide again from step 4.
Regards
Neha Singh.
Note: Additional points will be helpful.
Edited by: Neha Singh on Sep 2, 2009 7:24 AM

Glenn Mendonca 1,162 posts since Apr 7, 2008


Re: SSO Logon to ECC System Sep 2, 2009 7:56 AM
Neha,
The steps you have documented look fine. What also you should add probably is the parameter settings in
RZ10:
icm/host_name_full = XXX.XXX.COM
login/create_sso2_ticket = 2
login/accept_sso2_ticket

To log on to the VA you need an OS level user like administrator -- I hope this answers the question about what is
OS level user.
Choose either X.509 or Base64 Encoded Format - You have to choose Base64.
STRUSTSSO2 is the tcode you have to execute from the ECC system.
Thanks,
GLM

Neha Singh 120 posts since Dec 26, 2008


Re: SSO Logon to ECC System Sep 2, 2009 4:25 PM
Hi GLM,
I did all the steps for the SSO for SRM.
I followed the wiki.
https://wiki.sdn.sap.com/wiki/display/SRM/Enabling%20SSO%20for%20SRM%20and%20Portal
It is not working.
Regards
Neha Singh


Re: SSO Logon to ECC System Sep 2, 2009 11:54 PM


While adding the certificate to ACL, which client did you use? It should be 000, just verify it.
OK, how are you testing the SSO now after the configuration? What is the error?

Neha Singh 120 posts since Dec 26, 2008


Re: SSO Logon to ECC System Sep 3, 2009 6:40 AM
Hi Anjali,
My onsite team is doing it and showing me the screens in Netmeeting which itself is confusing.
Client 000 is also created for SRM Systems.
First we added the client 000 in ACL and failed.
Then we added client 100 in ACL and did all steps from beginning to end.
The error is the same.
While login to the portal, after clicking on the SRM Contents
I am getting this error:
No switch to HTTPS occurred, so it is not secure to send password.
SSO logon not possible; browser logon ticket cannot be accepted.
No switch to HTTPS occurred, so it is not secure to send a password.
Regards
Neha Singh

Glenn Mendonca 1,162 posts since Apr 7, 2008


Re: SSO Logon to ECC System Sep 3, 2009 6:47 AM
Neha,
What's the "Web AS Protocol" for the SRM system object? Is it http or https?
Thanks,
GLM

Neha Singh 120 posts since Dec 26, 2008


Re: SSO Logon to ECC System Sep 3, 2009 7:01 AM
Hi GLM,
Please specify.
You are talking about System Administration--> System Configuration
and then creating system object there.
Also, creating system alias for system object.
Mapping system alias with user mapping.


Actually, it is handled from the client side by onsite team.


I found out the system object in the portal yesterday and the test connection was fine.
This morning I am not getting those systems.
But how to maintain Web AS https in the system object?
Regards
Neha Singh

Glenn Mendonca 1,162 posts since Apr 7, 2008


Re: SSO Logon to ECC System Sep 3, 2009 7:07 AM
Yes I am referring to the system object for SRM itself. For that system you will have a property for WAS
Protocol. Just needed to confirm that it is HTTP and not HTTPS. You can check that by opening the system
object and then looking at the WAS Protocol property
Thanks,
GLM

Neha Singh 120 posts since Dec 26, 2008


Re: SSO Logon to ECC System Sep 3, 2009 7:59 AM
Web AS Protocol
Yes it is already set to http.
The problem is with SSO part,
as the system object is showing this message while doing connection test for

Test Connection with Connector

Test Details: The test consists of the following steps: 1. Retrieve the default alias of the sy

Regards
Neha Singh
Edited by: Neha Singh on Sep 3, 2009 7:13 AM
Edited by: Neha Singh on Sep 3, 2009 7:57 AM

Sandeep Sharma 130 posts since Oct 31, 2006


Re: SSO Logon to ECC System Sep 3, 2009 8:02 AM


Hello Neha,
This is because you need to use a FQDN name of your portal ... something like:
http://<servername>.abc.xyz.com:50000/irj

I guess what you are using is:

http://servername:50000/irj
The portal opens both ways but SSO fails due to this since ur system u created in Portal might have had the FQDN
name,
and so are the RZ10 entries in ECC system.
Check with FQDN name of portal .. I believe it would work ..
Regards
Sandeep Sharma

Neha Singh 120 posts since Dec 26, 2008


Re: SSO Logon to ECC System Sep 3, 2009 8:34 AM
Hi Sandeep,
Where to give the FQDN name in the portal?
The RZ10 transaction does not ask for FQDN name.
Please help.
Regards
Neha Singh

Sandeep Sharma 130 posts since Oct 31, 2006


Re: SSO Logon to ECC System Sep 3, 2009 8:46 AM
You need to access the portal by FQDN .. try doing that ...
and see if it works .. and ur system test passes .. and let me know ..
Regards
Sandeep


Neha Singh 120 posts since Dec 26, 2008


Re: SSO Logon to ECC System Sep 3, 2009 9:22 AM
Hi Sandeep,
Please specify me the icm/host_name_full
XXX.XXX.COM
Is it SRM FQDN or Enterprise Portal FQDN in RZ10?
I am confused here.
I can login to portal by FQDN.
There is no ECC System here.
I need do SSO for SRM through Portal.
According to my logic icm/host_name_full
XXX.XXX.COM
would be portal FQDN in RZ10 transaction.

Regards
Neha Singh
Edited by: Neha Singh on Sep 3, 2009 9:12 AM
Edited by: Neha Singh on Sep 3, 2009 9:21 AM

Sandeep Sharma 130 posts since Oct 31, 2006


Re: SSO Logon to ECC System Sep 3, 2009 9:26 AM
It is the SRM FQDN ....
So the test is being passed by FQDN .. Now check that iView on which it shows that
No switch to HTTPS occurred, so it is not secure to send a password
This would be ok now .. Test this and let me know ....
PS: Don't forget to use FQDN of the portal
Regards
Sandeep

Neha Singh 120 posts since Dec 26, 2008


Re: SSO Logon to ECC System Sep 3, 2009 9:40 AM
Hi Sandeep,
You are telling that I need to give SRM System FQDN in RZ10.


The portal FQDN is working with Internet Explorer.


I can login to portal normally.
http://servername:56000/irj
Regards
Neha Singh

Glenn Mendonca 1,162 posts since Apr 7, 2008


Re: SSO Logon to ECC System Sep 3, 2009 9:45 AM
Yes you will have to mention the FQDN in RZ10 and also in the system object for SRM which you have created
in the portal.
Thanks,
GLM

Sandeep Sharma 130 posts since Oct 31, 2006


Re: SSO Logon to ECC System Sep 3, 2009 9:34 AM
Also please be sure that SRM FQDN as in RZ10 should be same as name of system in Portal -- under system
administration > system configuration navigate to ur system --> check connector properties ---> see here the
FQDN of ur SRM should be maintained.
Hope this helps and does not pop up the error message - No switch to HTTPS occurred, so it is not secure to
send a password
Points if helpful ..
Regards
Sandeep

Sandeep Sharma 130 posts since Oct 31, 2006


Re: SSO Logon to ECC System Sep 3, 2009 10:09 AM
FQDN name of Portal is to be given in Browser for Portal accessing .. I am talking of the System you created in
System administration
this shud be same as RZ10 parameter of ICM host name full -- in ur case it's pointing to SRM ECC system ..
Regards
Sandeep

Neha Singh 120 posts since Dec 26, 2008


Re: SSO Logon to ECC System Sep 3, 2009 12:00 PM


Hi Sandeep,
Does it include the port number
like http://ss.ssqsjhk.net:8040
or without port number
like http://ss.ssqsjhk.net only?
Also, there is a big mistake.
The wiki document does not write the step to generate the certificate
with SID which is the first step.

Regards
Neha Singh

Neha Singh 120 posts since Dec 26, 2008


Re: SSO Logon to ECC System Sep 8, 2009 12:04 PM
Hi Sandeep/GLM,
I repeated all the steps but the SSO for SRM failed.
It is giving the same error as before.
Regards
Neha Singh

Sandeep Sharma 130 posts since Oct 31, 2006


Re: SSO Logon to ECC System Sep 8, 2009 12:29 PM
Hello Neha,
Please tell me the details as below:
1. icm/host_name_full : This should not contain the Port number
2. Is the above name same as System Name which You created in Portal --> This means the Connector
Properties setting.
3. Did u try and use the FQDN name of Portal and Try accessing that SRM iView, does this pass or it still
shows that message: "No switch to HTTPS...."
4. Are you trying to see the connection test in Portal .. If it is failing .. Please let me know which User management
settings you had configured in the system you created. Normally we use logontickets.
5. By any chance in above step are you trying to check the tests by logged in as administrator.
Please answer above question and let me see if i cud suggest you anything on this.
Regards


Sandeep
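
The host name checks discussed in the posts above (portal opened by FQDN, icm/host_name_full without a port, same name in the system object's connector properties), as an added example that is not part of the original thread. The function names and the example.com host names are hypothetical, and the final DNS-domain check rests on an assumption the thread does not state.

```python
import ipaddress
from urllib.parse import urlsplit

def is_fqdn(host):
    """True for a dotted host name; False for a short name or an IP literal."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return "." in host.strip(".")

def check_sso_hostnames(portal_url, icm_host_name_full, system_object_host):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    portal_host = urlsplit(portal_url).hostname or ""
    if not is_fqdn(portal_host):
        findings.append(f"portal opened as '{portal_host}', not by FQDN")
    # Per the thread: the RZ10 value is the backend FQDN only, no port.
    if ":" in icm_host_name_full or "/" in icm_host_name_full:
        findings.append("icm/host_name_full must be a bare FQDN, no scheme or port")
    backend = icm_host_name_full.split("//")[-1].split("/")[0].split(":")[0].lower()
    if not is_fqdn(backend):
        findings.append(f"icm/host_name_full host '{backend}' is not an FQDN")
    # Per the thread: the system object must carry the same name as RZ10.
    if backend != system_object_host.strip().lower():
        findings.append("system object host differs from icm/host_name_full")
    # Assumption (not stated in the thread): the logon ticket is a browser
    # cookie scoped to the portal's DNS domain, so the backend must share it.
    if is_fqdn(portal_host) and is_fqdn(backend):
        if portal_host.split(".", 1)[1] != backend.split(".", 1)[1]:
            findings.append("portal and backend are in different DNS domains")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread's systems.
    for finding in check_sso_hostnames("http://servername:50000/irj",
                                       "srm01.example.com:8040",
                                       "srm01.example.com"):
        print("FINDING:", finding)
```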

Neha Singh 120 posts since Dec 26, 2008


Re: SSO Logon to ECC System Sep 8, 2009 1:29 PM
Hi Sandeep,
icm_hostname : I have changed it to FQDN with port number which should be FQDN only.
It was previously FQDN without port number.
We did not do SAP Reference Objects as we are using same user id to login to Portal as well as SRM.
So, ideally ours will be SSO for SRM using SAPLogon Tickets without any user mapping (SAP Reference
Systems).
That we were doing.
Regards
Neha Singh

Sandeep Sharma 130 posts since Oct 31, 2006


Re: SSO Logon to ECC System Sep 8, 2009 1:37 PM
Is the system test connection failing ..
are u using the administrator ID for testing connection .. Please also answer above question in Yes / NO
If possible ..

Neha Singh 120 posts since Dec 26, 2008


Re: SSO Logon to ECC System Sep 9, 2009 1:58 PM
Is the system test connection failing ..
System Test Connection DS1CLNT100 is failing.
But test connection is passing in Web AS and ITS
are u using the administrator ID for testing connection ..
yes
Please also answer above question in Yes / NO
If possible ..
But the point is my TL who is in onsite is not using User Mapping
with SAP Reference as the user id in portal and SRM is same.
But there is a system object under System Administration-> System Configuration->


System Landscape-> DS1CLNT100


He tells the System Reference object part is not mandatory as the user id in SRM and portal is same.
I don't have the admin rights to do the thing.
Regards
Neha Singh
Edited by: Neha Singh on Sep 9, 2009 1:58 PM

Sandeep Sharma 130 posts since Oct 31, 2006


Re: SSO Logon to ECC System Sep 9, 2009 5:35 PM
Hi Neha ,
I now understand why the system test is failing in case of connector of system.
I guess the backend SRM system does not have any user Administrator .....
That is why test is failing .. only if there is User Mapping done in case of administrator from User Management
Role in Portal.
Regards
Sandeep

Neha Singh 120 posts since Dec 26, 2008


Re: SSO Logon to ECC System Sep 23, 2009 8:14 AM
Hi Sandeep/GLM,
I have two points how to know the version of SRM System.
As SRM is an ABAP based System.
2nd, I have the roles I have in portal (SAP NetWeaver 7.0) for neha user are:
Super Administration
Standard User Role
SRM Administrator
Standard User Role
SRM Administrator
Everyone role
SRM Portal Toolkit
I also login to SRM by kaba user, but I don't know how to check
that is SRM Administrator Role or not?
I also, want to know the SRM Version from the SRM Side.
On the portal side, it is showing;


Content Administration-> Portal Content-> Portal Content->Content Provided by SAP->


specialist->SRM 7.0
But that does not prove that we have SRM 7.0 installed.
Also, another question, is creation of System Object, System Alias and UME with System Alias a mandatory
step as I have same user neha in Portal and SRM with same password.
If it is necessary then, I need System Landscape->Technical System->Web AS ABAP defined as SRM is ABAP
System.
I am still getting the same error.
Regards
Neha Singh

Kaushik Banerjee 10 posts since Sep 3, 2009


Re: SSO Logon to ECC System Sep 30, 2009 8:46 AM
Hi Neha,
Please give proper name to the subject.
1> The subject name is SSO for ECC System
while this is SSO for SRM System.
2> Please, make a new Certificate.
The important part is the Common name
and the Certificate Expiry Date would be a future date.
If the SAP NetWeaver is loaded with J2E as Common name,
then it would be used as the common name of your certificate.
These steps you need to do in Visual Admin as Administrator User.
No need to restart the SAP NetWeaver Server.
3> Use STRUSTSSO2 Transaction and click on Certificate Import.
While importing the Certificate, please do Add to Certificate List and
Add to ACL.
While doing Add to ACL, please give the sid of your portal.
If it is L2F, then give L2F only with client 000.
Please let me know if your issue is resolved.
Regards
Kaushik Banerjee
