cancel
Showing results for 
Search instead for 
Did you mean: 

SSO Configuration

Former Member
0 Kudos
249

Dears,

I need to configure SSO on our Netweaver 2004s server that contains ABAP+JAVA stack.I want to configure it for my ECC5 server.

Steps that I followed for it are:

Created a system and maintained all settings like Alias,user management,connector.

In System Administration >> System Configuration >> Keystore Administration >> Content

Download verify.der File

in my netweaver 04s portal server.

on ECC5

In STRUSTSS02 imported the certificate and Add to ACL and save.

But SSO is not working fine and Its looking to me that something is missing in my configuration.

Please check my steps and suggest what i am missing.

Shivam

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
0 Kudos

Hi Shivam,

Looks like you are in the right track, but you would have to check certain parameters in the backend system like.

In Tcode RZ10.

a) login/accept_sso2_ticket = 1

b) login/create_sso2_ticket = 2

c) icm/host_name_full = <Backend_Host>.<domain>

Check these links and verify, if all the parameters are in place.

https://www.sdn.sap.com/irj/sdn/wiki?path=/display/ep/sso%2btroubleshooting

https://www.sdn.sap.com/irj/sdn/wiki?path=/display/ep/sso%2bchecklist

https://www.sdn.sap.com/irj/sdn/wiki?path=/display/ep/single%2bsign-on%2band%2bcookies

https://www.sdn.sap.com/irj/sdn/wiki?path=/display/ep/sso%2bprocedure

NOTE : After you do Add to Certificate, you would have to do ADD to ACL, here it would ask you to enter the SID and client number.

Enter the EP system SID and client number as 000 .

Hope this helps.

Cheers,

Sandeep Tudumu

Former Member
0 Kudos

Hi Sandeep,

Followed the procedure but still facing some issue,

When I click in tcode strustsso2 in enviroment->sap logon ticket

without entering any RFC destination then it shows everything OK means all parameters are set properly.

Own System Data

SAP System PRO Client 100

Profile Parameters login/accept_sso2_ticket = 1

Logon Tickets Are Accepted

Certificate List

The Certificate List Is Used To Verify the Digital Signature for the Logon Ticket

D:\usr\sap\PRO\DVEBMGS00\sec\SAPSYS.pse

Owner CN=NET

Issuer CN=NET

Serial Number E21E43EC

Systems for Which PRO Accepts Verified Logon Tickets

The Access Control List Defines Which Systems the Verified Logon Tickets Are Accepted From

Table TWPSSO2ACL

SAP System NET Client 001

Owner CN=NET

Issuer CN=NET

Serial Number E21E43EC

Application server PSE:

ID: CN=NET, OU=I0020240172, OU=SAP Netweaver, O=SAP Trust Community, C=DE

Namespace:

Profiles: D:\usr\sap\PRO\DVEBMGS00\sec\SAPSYS.pse

OK: file available, length: 1.945

OK: local PSE identical to original in database

OK: security toolkit available

Version

SSFLIBSO Version 1.555.17 ; SECUDE(tm) SAPCRYPTOLIB - SNC for SAP Server components and SSL - Version 5.5.5C (c) SECUDE GmbH 1990-20

OK: signature tested successfully

But When I check after enter RFC and instance number it shows error:

The Certificate for System NET Is not Included In the Certificate List for System PRO

System PRO Does not Accept Verified Logon Tickets for System NET

This Entry for System NET Does not Include the Corresponding Certificate

NET is my portal system and PRO my ECC5 system.

Also in portal when i execute any tcode it shows error:

"Issuer of SSO ticket is not authorized".

Please suggest.

All parameters have been set as suggested.

Shivam

Former Member
0 Kudos

To Sandeep Tudumu :

a) login/accept_sso2_ticket = 1
b) login/create_sso2_ticket = 2

login/create_sso2_ticket = 2 --> It's only for BW systems, the normal R3 systems -->

login/create_sso2_ticket = 1

You can use "login/create_sso2_ticket = 1" if public-key certificate signed by the SAP CA

"login/create_sso2_ticket = 2" if the certificate is self-signed. If you are not sure, then use the value 2. It means best to do as you say ...

P.S. only if you want to your ECC server can issues the tickets. If you not want set to 0.

To Shivam Mittal:

Try to read my last post in this thread

Regards.

Former Member
0 Kudos

Hi Sergo,

My SSO has started working means now from portal I am able to logon to my R/3 system.

But in tcode strustsso2->Environment->SAP logon ticket I am still getting two errors:

"The Certificate for System NET Is not Included In the Certificate List for System PRO"

"The Digital Signature for This Certificate Cannot Be Verified"

Is there any other way also to check that my SSO is configured properly.

Please suggest.

Shivam

Edited by: Shivam Mittal on Sep 30, 2008 5:57 AM

Former Member
0 Kudos

Try to delete this sertificate from ACL, after from Certificate list, login in 000 client , add in certificate list anew same verify.der from your portal. Relogin in required client and add certificate in ACL. After check are error comes now?

Regards.

Former Member
0 Kudos

Hi,

I performed :

Try to delete this sertificate from ACL, after from Certificate list, login in 000 client , add in certificate list anew same verify.der from your portal.

but after this when I am doing add to ACL after loging in required its showing no certificate found.

Also selected the added certificate but same no certification seleted.

Please suggest.

Shivam

Former Member
0 Kudos

You add in "Certificate list" , under "Owner" you see your added certificate, like "OU=J2EE, CN=NET" -->

Double clique on "OU=J2EE, CN=NET" --> under "Certificate" you will see infromation about this certificate, check Valid from , are correct? After information are under "Certificate" you can add it in ACL. Regards.

Former Member
0 Kudos

Hi Sergo,

By that way of double clicking I added to ACL but still same error.

Issuing System for the Logon Ticket

SAP System NET Client 001

Certificate of the Issuing System for the Logon Ticket

Owner CN=NET

Issuer CN=NET

Serial Number 00

Validity 20091219 174638 20380101 000001

Check Sum 1B:B3:E5:83:EE:FB:74:C5:B0:4B:05:F8:5E:23:B5:EB

Profile Parameters login/create_sso2_ticket = 2

System NET Is Creating Logon Tickets That Do not Include Its Certificate

The Certificate for System NET Is not Included In the Certificate List for System PRO

System PRO Accepts Verified Logon Tickets for System NET

Own System Data

SAP System PRO Client 100

Profile Parameters login/accept_sso2_ticket = 1

Logon Tickets Are Accepted

Certificate List

The Certificate List Is Used To Verify the Digital Signature for the Logon Ticket

D:\usr\sap\PRO\DVEBMGS00\sec\SAPSYS.pse

Owner CN=NET

Issuer CN=NET

Serial Number E21E43EC

Systems for Which PRO Accepts Verified Logon Tickets

The Access Control List Defines Which Systems the Verified Logon Tickets Are Accepted From

Table TWPSSO2ACL

SAP System NET Client 000

Owner CN=NET, OU=I0020240172, OU=SAP Netweaver, O=SAP Trust Community, C=DE

Issuer CN=NET, OU=I0020240172, OU=SAP Netweaver, O=SAP Trust Community, C=DE

Serial Number 00

SAP System NET Client 001

Owner CN=NET

Issuer CN=NET

Serial Number 00

This Is the Certificate of the Issuing System for Logon Tickets

The Digital Signature for This Certificate Cannot Be Verified.

Please suggest.

Shivam

Former Member
0 Kudos

Why you have 2 certificate added frome same portal mashine with 000 client and 001 client?? It must be only one... check the "login.ticket_client" in your Portal (by default it 000 if you not change it)

Regards

Former Member
0 Kudos

"login.ticket_client" is 000,That entry was added as the RFC which i was using for testing was for 001 client of NET.

I have changed the RFC client and now error is:

Issuing System for the Logon Ticket

SAP System NET Client 000

Certificate of the Issuing System for the Logon Ticket

Owner CN=NET

Issuer CN=NET

Serial Number 00

Validity 20091219 174638 20380101 000001

Check Sum 1B:B3:E5:83:EE:FB:74:C5:B0:4B:05:F8:5E:23:B5:EB

Profile Parameters login/create_sso2_ticket = 2

System NET Is Creating Logon Tickets That Do not Include Its Certificate

Error- The Certificate for System NET Is not Included In the Certificate List for System PRO

System PRO Accepts Verified Logon Tickets for System NET

Shivam

Former Member
0 Kudos

What you do DIRECTLY ? -->

I'm on NW 7.0 (or ECC 6.0) Go to strustsso2 --> Environment --> Logon ticket --> After do not specify anything only press "Execute" (F8)

What you see now ?

Regards.

Former Member
0 Kudos

Output is:

Own System Data

SAP System PRO Client 100

Profile Parameters login/accept_sso2_ticket = 1

Logon Tickets Are Accepted

Certificate List

The Certificate List Is Used To Verify the Digital Signature for the Logon Ticket

D:\usr\sap\PRO\DVEBMGS00\sec\SAPSYS.pse

Owner CN=NET

Issuer CN=NET

Serial Number E21E43EC

Systems for Which PRO Accepts Verified Logon Tickets

The Access Control List Defines Which Systems the Verified Logon Tickets Are Accepted From

Table TWPSSO2ACL

SAP System NET Client 000

Owner CN=NET

Issuer CN=NET

Serial Number 00

The Digital Signature for This Certificate Cannot Be Verified

Application server PSE:

ID: CN=NET, OU=I0020240172, OU=SAP Netweaver, O=SAP Trust Community, C=DE

Namespace:

Profiles: D:\usr\sap\PRO\DVEBMGS00\sec\SAPSYS.pse

OK: file available, length: 1.945

OK: local PSE identical to original in database

OK: security toolkit available

Version

SSFLIBSO Version 1.555.17 ; SECUDE(tm) SAPCRYPTOLIB - SNC for SAP Server components and SSL - Version 5.5.5C (c) SECUDE GmbH 1990-20

OK: signature tested successfully

Shivam

Former Member
0 Kudos

And SSO works fine? Looks like no problem, only Serial Number E21E43EC

is strange. Regards

Former Member
0 Kudos

SSO is not working fine now giving same error:

"Issue of SSO not authorized"

Shivam

Former Member
0 Kudos

Shivam Mittal can you say what means : -->

Application server PSE:

ID: CN=NET , OU=I0020240172, OU=SAP Netweaver, O=SAP Trust Community, C=DE

you say your ABAP are PRO? are you do it on your NET server ABAP stack?

Regards.

Former Member
0 Kudos

Hi,

Can you explain your landscape again??

You have ABAP + JAVA stack, system ID : PRO.

On this JAVA stack you have installed portal ??

System ID for ABAP system and Portal is same ?? i.e. PRO?

If the answer is yes and you have add in installation of JAVA stack then please refer to

http://help.sap.com/saphelp_nw04/helpdata/en/75/c80b424c6cc717e10000000a155106/frameset.htm

Please check point 2 "If you have an Add-In installation" from the link.

This should solve your problem.

Regards

Ashutosh

Former Member
0 Kudos

Dears,

PRO is my ECC5 system to which I want to connect my portal system NET.

NET is Netweaver 2004s server contains ABAP+JAVA stack.

Shivam

Former Member
0 Kudos

When please check in strustsso2 in your PRO server, the owner are?

CN=NET , OU=I0020240172, OU=SAP Netweaver, O=SAP Trust Community, C=DE

? Why on PRO server owner are NET? Regards.

Former Member
0 Kudos

I don't know how is there NET.

it by PRO or delete it.

Shivam

Edited by: Shivam Mittal on Oct 1, 2008 8:55 AM

Edited by: Shivam Mittal on Oct 1, 2008 8:56 AM

Former Member
0 Kudos

Are you create PRO system by copying NET system? I'm see same situation after heterogeneous system copy.

You can recreate Own certificate, http://help.sap.com/saphelp_nw70/helpdata/EN/d4/085e3a1d589804e10000000a114084/frameset.htm

But you need know why it are so strange, try to Open OSS call to sap. Regards.