cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP MII NetWeaver AS Java 7.5 Create MYSAPSSO2 Cookie

Go to solution
former_member330827
Explorer

on ‎2018 Mar 26 2:09 PM

0 Kudos
878 
MII 15.1 SP3 Patch 16 / NetWeaver 7.5 AS Java

Is there a way to generate a MYSAPSSO2 cookie from MII?

Business scenario: Users log into the MII web client. There is a MII web application that has a URL link to an application running on SAP Gateway server. The user should not be required to enter log in credentials when loading the application hosted on the gateway server. Users exist in both systems. Both systems are on the same domain.

Cookies:

Cookies with MYSAPSSO2:

Both MII and Gateway servers have security certificates imported into the ticket keystore from the other client. The Gatway server creates a MYSAPSSO2 cookie. We need MII to create this cookie also.

Additional information (NetWeaver Authentication and Single Sign-On: Authentication):

  • NetWeaver is not configured to support SAML 2.0
  • ume.login.context = ticket
  • ume.login.auth_method = FORM
  • ume.login.basicauthentication = 1
  • ume.logonAuthenticationFactory = com.sap.security.core.logon.imp.SAPJ2EEAuthenticator
  • ume.logon.security.local_redirect_only = true
  • ume.logon.force_password_change_on_sso = true
  • ume.logon.userpwd_automatic_logon = true
  • ume.logon.apply_logon_policies = false
  • ume.logon.allow_cert = false
  • ume.logon.show_failed_login_attempts = false
  • ume.logon.client_certificate_enroll = Disabled
  • login.authschemes.default = default
  • login.authschemes.definition.file = authschemes.xml

Component ticket Policy Configuration:

  1. EvaluateTicketLoginModule: SUFFICIENT
  2. SPNegoLoginModule: SUFFICIENT
  3. BasicPasswordLoginModule: REQUISITE
  4. CreateTicketLoginModule: OPTIONAL

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies

Accepted Solutions (1)

Accepted Solutions (1)

former_member330827
Explorer
‎2018 Mar 28 6:53 PM
0 Kudos

I was able to get it to create the MYSAPSSO2 cookie.

  1. Changed logging to All for /System/Security/Authentication
  2. Logged into MII web client to create a record in the log file
  3. Opened log file on MII server .\log\system\security_0#.log
  4. Found a record:

  5. After the SPNegoLoginModule check passed, it did not proceed to CreateTicketLoginModule, so I had to change the ticket policy configuration in NetWeaver Administrator to:

  6. After the ticket policy change, I logged back into MII and checked the log file and the cookie:

    In Chrome, I see the cookie is created.

  7. I am still seeing a security prompt when trying to access the Gateway application, but it is most likely due to it having the same system ID of 001. I will change this value and update this answer with my findings.

UPDATE:

After changing the system ID in Java System Properties > Services > User Management Engine > login.ticket_client to 002 and updating the respective client number in the other systems (ACL) it is working as needed. I did have to change the sap.com/xapps~xmii~ear*XMII policy configuration so the MYSAPSSO2 cookie would be created if someone went to the application URL directly bypassing the sap.com/tc~wd~dispwda*webdynpro_dispatcher.

UPDATE 8/14/2018:

I changed the sap.com/xapps~xmii~ear*XMII login policy to use the ticket template and changed the ticket template to the following so the BasicPasswordLoginModule would work. I verified both automated Windows authentication and user / password worked after this change and created the MYSAPSSO2 cookie. Scheduled transactions that use credential stores were also holding onto user sessions, this change resolved the issue.

Show replies
Show replies

Answers (0)

Ask a Question