on 2008 Apr 10 6:51 PM
Hi!
I have a problem in establishing a connection between our new copied production portal and an R3 system. When I try to access it I get an error message saying "connection to partner broken". But when I do a test connection from the portal system to the R3 system and the BW system, the connection is successful.
This new portal is a copy of an existing production portal and the R3 system is a copy of existing production R3 system. We are testing to upgrade our BW system to BI and try to establish a connection test with Portal and R3,BW systems before moving to live production portal.
Steps I have done.
In portal
1. Created a new R3 (UR3) system and set connector properties to copied R3 system as it sits on a different server and named as different. Also this R3 system is different than our production R3 system as it is not load balanced. Because of this I created a dedicated system instead of SAP system with load balancing.
Properties of UR3
Portal System Name: UR3
Application Host: 10.58.32.250
Logical System Name : UR3CLNT400
Remote Host Type : 3
SAP Client : 400
SAP System ID: UR3
SAP System Number: 02
Server Port: 3602
System Type : SAP_R3
Logon Method : SAPLOGONTICKET
User Mapping Type : admin,user
Alias: UR3
2. Created a SAP Reference system with
Properties of Reference System( UR3 is used as Reference System)
Portal System Name: SAP Reference System
Application Host: 10.58.32.250
Logical System Name : UR3CLNT400
Remote Host Type : 3
SAP Client : 400
SAP System ID: UR3
SAP System Number: 02
Server Port: 3602
System Type : SAP_R3
Logon Method : UIDPW
User Mapping Type : admin,user
Alias: SAP_REF_SYSTEM
3. Created a new BW system
Properties of Copied BW system (USE)
Application Host: 10.58.32.250
Logical System Name : USECLNT480
Remote Host Type : 3
SAP Client : 480
SAP System ID: USE
SAP System Number: 01
Server Port: 3601
System Type : SAP_BW
Logon Method: SAPLOGONTICKET
User Mapping Type: admin,user
Alias: USE
4. UM Configuration > Security Settings
Assigned the SAP Reference System. Restarted the portal.
Question :
UM Configuration > SAP System
Under this I can see Client, User ID, Password. Do I have to change this? What User ID should I use here? Since this is a copy I guess I don't need to change this.
5. In the Portal created a new Certificate Key pair. Here DN of the owner is changed to CN=BC1.
Question: Our copied portal system ID is UPO. Whether DN of the owner should be CN=UPO?
Question :
Under the ACL , whether I have to add both portal system and UR3 system certificates.
6. I log in as a UME user and we use single sign-on with logon tickets to back-end systems. We also use a SAP reference system as our users' R3 username is different from the portal user name. I am not doing user mapping here as we use logon tickets. The system is going to use LDAP as a data source. However, we haven't configured LDAP for this test. But in the UM Configuration we have still mentioned the LDAP settings.
Do I need to do anything other than mentioned above?
Your help is much appreciated.
Ramesh
Hi Ramesh,
A fair amount of questions posed so let me take some time to attempt to answer you in a step by step sequence:
At point 4 to your question consider the following:
http://help.sap.com/saphelp_nw04/helpdata/en/9e/fdcf3d4f902d10e10000000a114084/content.htm
Depending on how you performed your copy (if it included the file system, it would include the DataSource configuration), then generally the settings for this would be included.
At point 5, since you have a new key pair you will need to:
a.) If your old (copied) system is CN=BC1 and the new system CN=UP0 then I would suggest that you regenerate the certificate (just be cautious here as you need to first create the new one, then delete the old, then restart - do not delete it and then try to create a new one, because then you will not have authority to do so on the system).
b.) Once you have generated the certificate you can then export it either from the config tool or download it from the keystore area in the portal and import it into the receiving SAP system(s) using STRUSTSSO2. As for the ACLs: your delegating system (the portal) needs to have its trust consumed by the receiving system (ECC/BW etc.), so your ACL will effectively only have one entry per portal in the accepting systems. Should you require trusts to be established in ECC with BW you will add the BW cert to the ECC ACL too ... and so on for each trust needed. So the short answer is, in all probability, no: you would not usually require a system to trust itself.
At point 6 ... this is where everything falls apart
Since you mentioned that you have ABAP UM configuration it usually means that your data source is either local DB + ABAP or just ABAP - but since you mentioned that you have local users different to your ABAP stack I assume it is the former. Now you talk about LDAP amongst the mix. You cannot have a portal with local DB/ABAP and LDAP as its DataSource. You can only have one of the following combinations:
DB
ABAP (+DB)
LDAP (+DB)
Also, a word of caution: once you change your DataSource to either ABAP or LDAP you cannot change it back to DB only, nor can you change between LDAP and ABAP without losing SAP support. SAP has defined that under such activity one should perform a default install and then migrate content, or they will not support DataSource changes of this nature as they may result in logical inconsistencies, potential UME corruption and even system failure.
Although you can edit your DataSource file to leverage elements in different repositories (effectively having a hybrid DataSource) it is not widely leveraged, since it usually means that there is not a centrally managed security policy in place with one system being delegated as the master for all access control.
Additionally accessing the R/3 system depending on which system alias you use for either UID/Pass or by logonticket can only be done if the ID exists in both systems. This is a prerequisite for SSO. If you do not have the same UID in both systems then you will be required to perform user mapping between systems.
To establish SSO for SAP systems you may want to consider the following article:
http://help.sap.com/saphelp_nw04s/helpdata/en/4d/dd9b9ce80311d5995500508b6b8b11/content.htm
As for your question about having missed anything:
- your security parameters in transaction RZ10 may need to be modified to handle SSO effectively (also can be modified depending on your corporate policies).
- When you have issues with "connection to partner broken" it is often as a result of your connection settings not being correctly defined. Ensure that the correct port numbers are being used. Also, ensure that the SLD and JCo connections are correctly defined.
Hope I understood all you were trying to achieve ... if not forgive me as I had to make a few assumptions from your information you provided.
Hi! Douglas,
Thanks for your valuable points.
Few things to clarify/confirm.
__My question under point 4__
We don't use an ABAP system as datasource. We use LDAP as a datasource. But still, for this test we haven't configured the LDAP connection, though we have all LDAP settings in the UM configuration as this is a copied system of our working production system. So my question is: if we are not using R3 as a data source, do I need to put any parameters under the SAP System tab within UM configuration? When I checked our live production portal settings for this I see the PW field is filled with asterisks. But the Client and username fields are blank. Is this standard for EP6? Since the password field has asterisks I thought whoever configured this had entered that.
My question under question 5
I need to clarify this a little more. Our new portal's system ID is UPO. When I create the portal certificate key pair, for the DN of the owner do I need to put CN=UPO, or can this be anything we like it to be named?
About user mapping
For this test I am using a UME user. My portal UME user and the R3 (SAP Reference System)/BW system user name are the same. Since we use single sign-on with logon tickets I believe we don't need to map the user to the alias of the SAP Reference system. Am I correct here?
Connection Properties.
Under here we have put the server port as 3602 for our R3 system. Here 02 is the system number for the R3 system. Is 36 standard? If not, where can I find this?
For BW system properties, I have entered the WAS connection details. Is this necessary?
If I have entered these connection details wrong, can the connection test still be successful? For me, when I do the connection test, I get a successful connection result.
SLD and JCo connections
Could you please explain this more? What should I check here and where to check?
Thanks again for your speedy reply
Regards
Ramesh
>
> __My question under point 4__
>
> We don't use an ABAP system as datasource. We use LDAP as a datasource. But still, for this test we haven't configured the LDAP connection, though we have all LDAP settings in the UM configuration as this is a copied system of our working production system. So my question is: if we are not using R3 as a data source, do I need to put any parameters under the SAP System tab within UM configuration? When I checked our live production portal settings for this I see the PW field is filled with asterisks. But the Client and username fields are blank. Is this standard for EP6? Since the password field has asterisks I thought whoever configured this had entered that.
>
No - since you are not connecting to an ABAP datasource there is no need to complete the connection details. The password will always be illustrated as ********* even though it may or may not contain any value(s).
>
> My question under question 5
>
> I need to clarify this a little more. Our new portal's system ID is UPO. When I create the portal certificate key pair, for the DN of the owner do I need to put CN=UPO, or can this be anything we like it to be named?
>
Yes - it is recommended that you use the same SYSTEMID value for your CN.
>
> About user mapping
>
> For this test I am using a UME user. My portal UME user and the R3 (SAP Reference System)/BW system user name are the same. Since we use single sign-on with logon tickets I believe we don't need to map the user to the alias of the SAP Reference system. Am I correct here?
>
Correct - no need for mapping since you have logon ticket and UID's are the same in both environments.
>
> Connection Properties.
>
> Under here we have put the server port as 3602 for our R3 system. Here 02 is the system number for the R3 system. Is 36 standard? If not, where can I find this?
>
> For BW system properties, I have entered the WAS connection details. Is this necessary?
>
> If I have entered these connection details wrong, can the connection test still be successful? For me, when I do the connection test, I get a successful connection result.
>
Since port values can be set custom - although there is a methodology followed - you should be able to find this information in your ICM settings. If you have a 6.40 ITS it is integrated, so these values will often be the same as your WAS in this scenario. 6.20 allowed for a standalone ITS scenario and thus those settings could differ somewhat.
The ITS/WAS and Connector settings all leverage different connection protocols in the various environments so you may well need to establish a test for each. If you want users to connect via WINGUI from the portal your connector settings must be defined as this uses a different protocol than that of the ITS and WAS.
Effectively you will find this out when you attempt to connect via the various protocols during your developments.
>
> SLD and JCo connections
>
> Could you please explain this more? What should I check here and where to check?
>
>
> Thanks again for your speedy reply
>
> Regards
>
Depending on your deployment scenarios I recommend that you configure these with expert assistance if you do not know how they work.
SLD Setup example for MSS http://help.sap.com/saphelp_erp2005/helpdata/en/cf/917b401c976d1de10000000a1550b0/content.htm
JCo Setup Example
http://help.sap.com/saphelp_erp2005/helpdata/en/ca/115e4088dc0272e10000000a155106/content.htm
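The "is 36 standard?" question above comes up often enough that a small consistency check is worth having. This is an added example, not code from either poster or from SAP. It assumes the standard SAP port conventions (NN = two-digit system number: dispatcher sapdpNN = 32NN, gateway sapgwNN = 33NN, message server sapms<SID> = 36NN, ICM HTTP 80NN, ICM HTTPS 443NN) and that a Logical System Name follows the <SID>CLNT<client> pattern. The property blocks it parses are the UR3 and USE values copied from the first post; the `check_system`, `standard_ports`, `parse_properties` and `probe` names are mine. The TCP probe is only a reachability check; it does not prove the back end will accept a logon ticket, which is why a successful "connection test" can coexist with "connection to partner broken" once a real RFC/JCo call is made on a different port.

```python
"""Sanity checks for SAP portal system-landscape properties (added example).

Assumed SAP port conventions (NN = system number, SID = system ID):
  sapdpNN   32NN  dispatcher   (what a dedicated-server JCo connection uses)
  sapgwNN   33NN  gateway
  sapmsSID  36NN  message server (load-balanced logon goes through this)
  ICM HTTP  80NN, ICM HTTPS 443NN
"""
import socket

SAP_PORT_BASES = {
    "dispatcher (sapdpNN)": 3200,
    "gateway (sapgwNN)": 3300,
    "message server (sapmsSID)": 3600,
    "ICM HTTP": 8000,
    "ICM HTTPS": 44300,
}

# Property blocks as pasted in the post (constructed inline from the page).
UR3_PROPERTIES = """
Portal System Name: UR3
Application Host: 10.58.32.250
Logical System Name : UR3CLNT400
SAP Client : 400
SAP System ID: UR3
SAP System Number: 02
Server Port: 3602
System Type : SAP_R3
"""

USE_PROPERTIES = """
Application Host: 10.58.32.250
Logical System Name : USECLNT480
SAP Client : 480
SAP System ID: USE
SAP System Number: 01
Server Port: 3601
System Type : SAP_BW
"""


def parse_properties(text):
    """Turn 'Key : Value' lines into a dict; lines without a colon are ignored."""
    props = {}
    for line in text.strip().splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def standard_ports(system_number):
    """Derive the conventional SAP ports for a two-digit system number."""
    nn = int(system_number)
    if not 0 <= nn <= 99:
        raise ValueError(f"system number out of range: {system_number!r}")
    return {name: base + nn for name, base in SAP_PORT_BASES.items()}


def check_system(props):
    """Return a list of findings; an empty list means the block is self-consistent."""
    findings = []
    sid = props.get("SAP System ID", "")
    client = props.get("SAP Client", "")
    expected_lsn = f"{sid}CLNT{client}"
    lsn = props.get("Logical System Name", "")
    if lsn != expected_lsn:
        findings.append(f"Logical System Name {lsn!r} does not match {expected_lsn!r}")

    ports = standard_ports(props.get("SAP System Number", "0"))
    port = int(props.get("Server Port", "0"))
    ms_port = ports["message server (sapmsSID)"]
    if port != ms_port:
        # 36NN is the message-server convention; anything else deserves a look.
        findings.append(f"Server Port {port} is not the 36NN message-server port {ms_port}")
    return findings


def probe(host, port, timeout=3.0):
    """TCP connect probe: True if something accepts the connection (not run in tests)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for block in (UR3_PROPERTIES, USE_PROPERTIES):
        props = parse_properties(block)
        print(props["SAP System ID"], check_system(props) or "consistent")
        # Probe dispatcher, gateway and message server, since a portal test may
        # only touch one of them while the real RFC call needs another.
        for name, port in standard_ports(props["SAP System Number"]).items():
            if "ICM" not in name:
                print(f"  {name:28s} {port}  reachable={probe(props['Application Host'], port)}")
```

Run it against the host in the post and compare the three reachable flags with the one port the portal connection test actually used; a dispatcher or gateway port that is firewalled while the message server answers is the usual cause of the symptom described here.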