The option to change a parameter value in TCODE: RZ11 is not available by default.
Steps to re-activate the hidden edit option:
1) Execute TCODE: RZ11
2) The edit option for parameter change is not available
3) Enter "int" to enable the hidden edit button
4) The "edit" option appears for parameter change
5) Perform the changes and click save to update the new parameter value
Thursday, 26 September 2013
How to configure Single Sign On (SSO) between SAP GUI (backend system) and Portal (Front end)
How to bypass the second layer of login authentication when accessing portal from SAP GUI.
Scenario:
Once the SAP Solution Manager installation is complete, accessing "SOLMAN_WORKCENTER" through SAP GUI requires an additional level of login authentication for all the portal features.
Example:
1) Additional authentication required
2) Portal login screen
3) Portal menu
This additional login level can be overcome with the integration of Single Sign On (SSO) by setting up a trusted relationship between the backend system and the portal.
Steps to configure the SSO integration between backend system and front end portal:
A) Front End: Export certificate from portal
1) Login to Visual Administrator
Refer to How to execute or run J2EE Engine Visual Administrator
2) Select Cluster: Server -> Services -> Key Storage -> Runtime tab -> Views: TicketKeystore ->
Entries: SAPLogonTicketKeypair-cert -> Click "Export" button
3) Save the file on the backend server (SAP system)
4) Enter filename. Ex: portal_sid_certificate.crt
B) Backend: Create a user "SAPJSF"
1) Execute TCODE: SU01 -> display user: "SAPJSF" (if the user does not exist, create a new user, user type: system)
2) Assign roles "SAP_BC_JSF_COMMUNICATION" and "SAP_BC_USR_CUA_CLIENT_RFC"
3) Check that parameter "icm/host_name_full" has been configured correctly in the Default profile
4) Execute TCODE: RZ10 to ensure the parameters "login/accept_sso2_ticket" and "login/create_sso2_ticket" are present, or create them if necessary
5) Select Instance profile
6) Click "Extended maintenance" and the "Change" button
7) If the 2 parameters are not available, click the "Parameter" icon to create them
8) Enter Parameter name: login/accept_sso2_ticket, Parameter val: 1 and click "Copy" button
9) Enter Parameter name: login/create_sso2_ticket, Parameter val: 2 and click "Copy" button
10) Make sure the parameters are correct
11) Save the profile
12) Restart the SAP system
13) Restart with sapmmc
14) Click "OK"
15) Wait for the reboot
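The profile values from section B can be checked from the profile files before the restart. The following is an added example, not part of the original post: the sample profile text is constructed, the instance profile is taken to override the default profile, and treating "configured correctly" for icm/host_name_full as "fully qualified host name" is an assumption.

```python
import re

# Values that section B sets in RZ10.
REQUIRED = {"login/accept_sso2_ticket": "1", "login/create_sso2_ticket": "2"}

def parse_profile(text):
    """Parse 'name = value' lines of an SAP profile; '#' starts a comment line."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def check_sso_profile(default_text, instance_text):
    """Return a list of findings; an empty list means the SSO parameters match."""
    effective = parse_profile(default_text)
    effective.update(parse_profile(instance_text))  # instance profile wins
    findings = []
    for name, want in REQUIRED.items():
        got = effective.get(name)
        if got is None:
            findings.append(f"{name} is not set (expected {want})")
        elif got != want:
            findings.append(f"{name} = {got} (expected {want})")
    host = effective.get("icm/host_name_full", "")
    # Assumption: "configured correctly" means a fully qualified host name.
    # Profile variable references such as $(NAME) are not resolved and are reported.
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", host):
        findings.append(f"icm/host_name_full = {host!r} is not fully qualified")
    return findings

# Constructed sample profiles, not taken from a real system.
DEFAULT_PFL = """\
# DEFAULT.PFL (constructed)
SAPSYSTEMNAME = SM1
icm/host_name_full = solman.example.com
login/create_sso2_ticket = 0
"""
INSTANCE_OK = "login/accept_sso2_ticket = 1\nlogin/create_sso2_ticket = 2\n"
INSTANCE_MISSING = "login/accept_sso2_ticket = 1\n"

if __name__ == "__main__":
    print(check_sso_profile(DEFAULT_PFL, INSTANCE_OK))
    print(check_sso_profile(DEFAULT_PFL, INSTANCE_MISSING))
```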
C) Backend: Import the front end certificate created earlier
1) Execute TCODE: STRUSTSSO2
2) Click "Certificate" -> "Import"
3) Click "Binary" and select the portal certificate created earlier
4) Click the "tick" button
5) Click "Allow"
6) Certificate imported successfully
7) Click "Add to certificate list", then click the "Add to ACL" button
8) Enter System ID: J2E, Client: 000
9) New entry created at the Logon ticket section
10) Click "Save" button
D) Backend: Export certificate
1) Click the "Export" button
2) Select "Binary" and enter filename, ex: abap_back end_certificate.crt (to be imported into the front end server)
3) Click "OK"
E) Front end: Create a JCo RFC provider
1) Execute TCODE: SMGW and mark down the LU Name, TP Name
2) Select Cluster: Server -> Services -> JCo RFC provider -> Runtime tab -> Bundles tab ->
Registered server
Enter Program Id: sapj2ee_port, Gateway host: LU Name, Gateway service: sapgw00,
Server Count (1..20): 1
3) Click Repository: Specify Application Server
Enter: Application server host: LU Name, System number: 00 (according to the relevant SAP system),
Client: 000 (according to the relevant SAP system), Language: EN, User: SAPJSF,
Password: master password created during installation or password reset for user: SAPJSF
Click "Set" button
F) Front end: Add back end to security providers list
1) Select cluster: Server -> Services -> Security Provider -> Runtime tab -> Policy Configuration ->
Components: ticket
Click the "Pencil" button to switch to edit mode
2) Select Authentication tab -> "com.sap.security.core.server.jaas.EvaluateTicketLoginModule"
Click "Modify" button
3) Enter the following details:
Name: ume.configuration.active, Value: true
Name: trustedsys1, Value: SID,Client number
Name: trustediss1, Value: CN=SID
Name: trusteddn1, Value: CN=SID
Click "OK" button
4) Select cluster: Server -> Services -> Security Provider -> Runtime tab -> Policy Configuration ->
Components: evaluate_assertion_ticket
Select Authentication tab -> "EvaluateAssertionTicketLoginModule"
Enter the following details:
Name: ume.configuration.active, Value: true
Name: trustedsys1, Value: SID,Client number
Name: trustediss1, Value: CN=SID
Name: trusteddn1, Value: CN=SID
Click "OK" button
Click "Modify" button
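A trust entry in section F only takes effect when trustedsys, trustediss and trusteddn share the same index and the two DN values match the certificate of the ticket-issuing system. The following is an added example, not part of the original post, that checks a set of login module options against a certificate's subject and issuer; the sample values (SID "SM1", client "000", "CN=SM1") are constructed and the DN comparison is a simplified whitespace-insensitive match.

```python
import re

def normalize_dn(dn):
    """Normalize spacing around ',' and '=' so 'CN = SM1, O=X' equals 'CN=SM1,O=X'."""
    parts = []
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        parts.append(f"{key.strip().upper()}={value.strip()}")
    return ",".join(parts)

def check_trusted_systems(options, cert_subject, cert_issuer):
    """Return findings for the login module options; an empty list means consistent."""
    findings = []
    if options.get("ume.configuration.active") != "true":
        findings.append("ume.configuration.active is not true")
    # Collect every index N used by trustedsysN / trustedissN / trusteddnN.
    indexes = set()
    for name in options:
        m = re.fullmatch(r"trusted(sys|iss|dn)(\d+)", name)
        if m:
            indexes.add(int(m.group(2)))
    matched = False
    for i in sorted(indexes):
        sys_v, iss_v, dn_v = (options.get(f"trusted{k}{i}") for k in ("sys", "iss", "dn"))
        if None in (sys_v, iss_v, dn_v):
            findings.append(f"entry {i} is incomplete")
            continue
        # trustedsysN is "SID,Client number": 3-character SID, 3-digit client.
        if not re.fullmatch(r"[A-Z][A-Z0-9]{2},\d{3}", sys_v):
            findings.append(f"trustedsys{i} = {sys_v!r} is not 'SID,client'")
        if (normalize_dn(dn_v) == normalize_dn(cert_subject)
                and normalize_dn(iss_v) == normalize_dn(cert_issuer)):
            matched = True
    if not matched:
        findings.append("no entry matches the certificate subject and issuer")
    return findings

# Constructed option sets for a self-signed backend certificate "CN=SM1".
GOOD = {"ume.configuration.active": "true", "trustedsys1": "SM1,000",
        "trustediss1": "CN=SM1", "trusteddn1": "CN=SM1"}
BAD = {"ume.configuration.active": "true", "trustedsys1": "SM1",
       "trustediss1": "CN=SM1", "trusteddn1": "CN=J2E"}

if __name__ == "__main__":
    print(check_trusted_systems(GOOD, "CN=SM1", "CN=SM1"))
    print(check_trusted_systems(BAD, "CN=SM1", "CN=SM1"))
```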
G) Front end: Import the backend certificate
1) Select Cluster: Server -> Services -> Key Storage -> Runtime tab -> Views: TicketKeystore ->
Entries: SAPLogonTicketKeypair-cert -> Click "Load" button
2) Select the "abap_back end_certificate.crt" file that was created from the backend system
3) The certificate imported successfully
4) Click "Yes" to exit the Visual Administrator
5) Restart the SAP system with sapmmc
H) Backend: Create and test the RFC connection
1) Execute TCODE: SM59 -> Select "TCP/IP Connection" -> Click "Create" icon
2) Enter RFC Destination: RFC_TO_PORTAL, Connection Type: T, Program ID: sapj2ee_port
3) Enter Gateway host = LU Name, Gateway service: sapgw00
4) Save and test the connection
5) Connection is ready
I) Login to portal
1) Execute TCODE: SOLMAN_WORKCENTER
2) The second layer authentication login screen will be bypassed
3) That is all for the SSO integration between backend system and front end portal
Error when importing the backend certificate on the front end (section G)
1) A sample error appears during the import process
2) Rename the file to a shorter filename
3) The import of the certificate will be successful