
Connection error with portal to R3

Former Member

Hi!

I have a problem establishing a connection with our new copied production portal and an R3 system. When I tried to access it I got an error message saying ‘connection to partner broke’. But when I do a test connection to portal system to R3 system and BW system, the connection is successful.

This new portal is a copy of an existing production portal and the R3 system is a copy of the existing production R3 system. We are testing an upgrade of our BW system to BI and are trying to establish a connection test with the Portal and the R3 and BW systems before moving to the live production portal.

Steps I have done.

In portal

1. Created a new R3 (UR3) system and set connector properties to copied R3 system as it sits on a different server and named as different. Also this R3 system is different than our production R3 system as it is not load balanced. Because of this I created a dedicated system instead of SAP system with load balancing.

Properties of UR3

Portal System Name: UR3

Application Host: 10.58.32.250

Logical System Name : UR3CLNT400

Remote Host Type : 3

SAP Client : 400

SAP System ID: UR3

SAP System Number: 02

Server Port: 3602

System Type : SAP_R3

Logon Method : SAPLOGONTICKET

User Mapping Type : admin,user

Alias: UR3

2. Created a SAP Reference system with

Properties of Reference System( UR3 is used as Reference System)

Portal System Name: SAP Reference System

Application Host: 10.58.32.250

Logical System Name : UR3CLNT400

Remote Host Type : 3

SAP Client : 400

SAP System ID: UR3

SAP System Number: 02

Server Port: 3602

System Type : SAP_R3

Logon Method : UIDPW

User Mapping Type : admin,user

Alias: SAP_REF_SYSTEM

3. Created a new BW system

Properties of Copied BW system (USE)

Application Host: 10.58.32.250

Logical System Name : USECLNT480

Remote Host Type : 3

SAP Client : 480

SAP System ID: USE

SAP System Number: 01

Server Port: 3601

System Type : SAP_BW

Logon Method: SAPLOGONTICKET

User Mapping Type: admin,user

Alias: USE

4. UM Configuration > Security Settings

Assigned the SAP Reference System. Restarted the portal.

Question :

UM Configuration > SAP System

Under this I can see Client, User ID, Password. Do I have to change this? What User ID should I use here? Since this is a copy I guess I don’t need to change this.

5. In the Portal created a new Certificate Key pair. Here DN of the owner is changed to CN=BC1.

Question: Our copied portal system ID is UPO. Whether DN of the owner should be CN=UPO?

Question :

Under the ACL, do I have to add both the portal system and UR3 system certificates?

6. I log in as a UME user and we use single sign-on with logon tickets to back end systems. We also use a SAP reference system as our users' R3 username is different from the portal user name. I am not doing user mapping here as we use logon tickets. The system is going to use LDAP as a data source. However, we haven’t configured LDAP for this test. But in the UM Configuration we have still mentioned the LDAP settings.

Do I need to do anything other than mentioned above?

Your help is much appreciated.

Ramesh

Accepted Solutions (0)

Answers (1)


Former Member

Hi Ramesh,

A fair amount of questions posed so let me take some time to attempt to answer you in a step by step sequence:

At point 4 to your question consider the following:

http://help.sap.com/saphelp_nw04/helpdata/en/9e/fdcf3d4f902d10e10000000a114084/content.htm

Depending on how you performed your copy (which, if it included the file system, would include the DataSource configuration), then generally the settings for this would be included.

At point 5, since you have a new key pair you will need to:

a.) If your old (copied) system CN=BC1 and the new system CN=UP0 then I would suggest that you regenerate the certificate (just be cautious here as you need to first create the new one, then delete the old, then restart - do not delete it and then try to create a new one because then you will not have authority to do so on the system)

b.) Once you have generated the certificate you can then export it either from the config tool or download it from the keystore area in the portal and import it into the receiving SAP system(s) using STRUSTSSO2. As for the ACLs, your delegating system (the portal) needs to have its trust consumed by the receiving system (ECC/BW etc.); your ACL will thus only have one entry per portal for the accepting systems effectively. Should you require trusts to be established in ECC with BW you will add the BW cert to the ECC ACL too ... and so on for each trust needed. So the short answer is in all probability that no, you would not usually require a system to trust itself.

At point 6 ... this is where everything falls apart

Since you mentioned that you have ABAP UM configuration it usually means that your data source is either local DB + ABAP or just ABAP - but since you mentioned that you have local users different to your ABAP stack I assume it is the former. Now you talk about LDAP amongst the mix. You cannot have a portal with local DB/ABAP and LDAP as its DataSource. You can only have one of the following combinations:

DB

ABAP (+DB)

LDAP (+DB)

Also, a word of caution: once you change your DataSource to either ABAP or LDAP, you cannot change it back to DB only, nor can you change between LDAP or ABAP without losing SAP support. SAP has defined that under such activity one should perform a default install and then migrate content or they will not support DataSource changes of this nature as they may result in logical inconsistencies, potential UME corruption and even system failure.

Although you can edit your DataSource file to leverage elements in different repositories (effectively having a hybrid DataSource) it is not widely leveraged since it usually means that there is not a centrally managed security policy in place with 1 system being delegated as the master for all access control.

Additionally accessing the R/3 system depending on which system alias you use for either UID/Pass or by logonticket can only be done if the ID exists in both systems. This is a prerequisite for SSO. If you do not have the same UID in both systems then you will be required to perform user mapping between systems.

To establish SSO for SAP systems you may want to consider the following article:

http://help.sap.com/saphelp_nw04s/helpdata/en/4d/dd9b9ce80311d5995500508b6b8b11/content.htm

As for your question about having missed anything:

- your security parameters in transaction RZ10 may need to be modified to handle SSO effectively (also can be modified depending on your corporate policies).

- When you have issues with "connection to partner broken" it is often as a result of your connection settings not being correctly defined. Ensure that the correct port numbers are being used. Also, ensure that the SLD and JCo connections are correctly defined.

Hope I understood all you were trying to achieve ... if not, forgive me as I had to make a few assumptions from the information you provided.

Former Member

Hi! Douglas,

Thanks for your valuable points.

Few things to clarify/confirm.

__My question under point 4__

We don't use an ABAP system as datasource. We use LDAP as a datasource. But still for this test we haven't configured the LDAP connection, though we have all LDAP settings in the UM configuration as this is a copied system of our working production system. So my question is, if we are not using R3 as a data source, whether I need to put any parameters under the SAP System tab within UM configuration. When I checked our live production portal settings for this I see the PW field is filled with asterisks. But the Client and username fields are blank. Is this standard for EP6? Since the password field has asterisks I thought whoever configured this has entered that.

My question under question 5

I need to clarify this a little more. Our new portal's system ID is UPO. When I create the portal certificate key pair, for the DN of the owner do I need to put CN=UPO or can this be anything that we like it to be named?

About user mapping

For this test I am using a UME user. My portal UME user and the R3 (SAP Reference System)/BW system user name are the same. Since we use single sign-on with logon ticket I believe we don't need to map the user to the alias of the SAP Reference system. Am I correct here?

Connection Properties.

Under here we have put the server port as 3602 for our R3 system. Here 02 is the system number for the R3 system. Is 36 standard? If not, where can I find this?

For BW system properties, I have entered the WAS connection details. Is this necessary?

If I have entered these connection details wrong, can the connection test still be successful? For me, when I do the connection test, I get a successful connection result.

SLD and JCo connections

Could you please explain this more? What should I check here and where to check?

Thanks again for your speedy reply

Regards

Ramesh

Former Member

>

> __My question under point 4__

>

> We don't use an ABAP system as datasource. We use LDAP as a datasource. But still for this test we haven't configured the LDAP connection, though we have all LDAP settings in the UM configuration as this is a copied system of our working production system. So my question is, if we are not using R3 as a data source, whether I need to put any parameters under the SAP System tab within UM configuration. When I checked our live production portal settings for this I see the PW field is filled with asterisks. But the Client and username fields are blank. Is this standard for EP6? Since the password field has asterisks I thought whoever configured this has entered that.

>

No - since you are not connecting to an ABAP datasource there is no need to complete the connection details. The password will always be illustrated as ********* even though it may or may not contain any value(s).

>

> My question under question 5

>

> I need to clarify this a little more. Our new portal's system ID is UPO. When I create the portal certificate key pair, for the DN of the owner do I need to put CN=UPO or can this be anything that we like it to be named?

>

Yes - it is recommended that you use the same SYSTEMID value for your CN.

>

> About user mapping

>

> For this test I am using a UME user. My portal UME user and the R3 (SAP Reference System)/BW system user name are the same. Since we use single sign-on with logon ticket I believe we don't need to map the user to the alias of the SAP Reference system. Am I correct here?

>

Correct - no need for mapping since you have logon ticket and UIDs are the same in both environments.

>

> Connection Properties.

>

> Under here we have put the server port as 3602 for our R3 system. Here 02 is the system number for the R3 system. Is 36 standard? If not, where can I find this?

>

> For BW system properties, I have entered the WAS connection details. Is this necessary?

>

> If I have entered these connection details wrong, can the connection test still be successful? For me, when I do the connection test, I get a successful connection result.

>

Since port values can be set custom - although there is a methodology followed - you should be able to find this information in your ICM settings. If you have a 6.40 ITS it is integrated so these values will often be the same as your WAS in this scenario. 6.20 allowed for a standalone ITS scenario and thus those settings could differ somewhat.

The ITS/WAS and Connector settings all leverage different connection protocols in the various environments so you may well need to establish a test for each. If you want users to connect via WINGUI from the portal your connector settings must be defined as this uses a different protocol than that of the ITS and WAS.

Effectively you will find this out when you attempt to connect via the various protocols during your developments.

>

> SLD and JCo connections

>

> Could you please explain this more? What should I check here and where to check?

>

>

> Thanks again for your speedy reply

>

> Regards

>

Depending on your deployment scenarios I recommend that you configure these with expert assistance if you do not know how they work.

SLD Setup example for MSS http://help.sap.com/saphelp_erp2005/helpdata/en/cf/917b401c976d1de10000000a1550b0/content.htm

JCo Setup Example

http://help.sap.com/saphelp_erp2005/helpdata/en/ca/115e4088dc0272e10000000a155106/content.htm
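
Added example, not part of the thread and not SAP tooling: a small consistency check over portal system property blocks in the "Key : Value" form used in the question, flagging values a system copy may have carried over unchanged. The two rules (logical system name = SID + CLNT + client, server port ends in the system number) are assumptions taken from the pattern of the values posted above, and the `BAD` entry is constructed.

```python
import re

# Constructed sample: UR3 and USE as posted in the question, plus a constructed
# stale entry (BAD) of the kind a copied portal can still contain.
SAMPLE = """\
Alias: UR3
Logical System Name : UR3CLNT400
SAP Client : 400
SAP System ID: UR3
SAP System Number: 02
Server Port: 3602

Alias: USE
Logical System Name : USECLNT480
SAP Client : 480
SAP System ID: USE
SAP System Number: 01
Server Port: 3601

Alias: BAD
Logical System Name : PR3CLNT400
SAP Client : 400
SAP System ID: UR3
SAP System Number: 02
Server Port: 3600
"""

def parse_systems(text):
    # One dict per blank-line separated block; spacing around ':' is tolerated.
    systems = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        systems.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return systems

def lint(props):
    # Assumed rules, inferred from the posted values. Ports can be customised,
    # so a finding means "verify against the backend", not "this is wrong".
    findings = []
    sid, client = props.get("SAP System ID", ""), props.get("SAP Client", "")
    nr, port = props.get("SAP System Number", ""), props.get("Server Port", "")
    if props.get("Logical System Name") != f"{sid}CLNT{client}":
        findings.append("logical system name does not match SID/client")
    if not nr or not port.endswith(nr):
        findings.append("server port does not end in the system number")
    return findings

def lint_all(text):
    return {p.get("Alias", "?"): lint(p) for p in parse_systems(text)}
```

Calling `lint_all(SAMPLE)` returns an empty finding list for `UR3` and `USE` and both findings for `BAD`.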