on 2008 Sep 29 7:43 AM
Dears,
I need to configure SSO on our NetWeaver 2004s server, which contains an ABAP+Java stack. I want to configure it for my ECC5 server.
Steps that I followed for it are:
Created a system and maintained all settings like alias, user management, connector.
In System Administration >> System Configuration >> Keystore Administration >> Content, downloaded the verify.der file on my NetWeaver 04s portal server.
On ECC5:
In STRUSTSSO2, imported the certificate, did Add to ACL and saved.
But SSO is not working and it looks to me as if something is missing in my configuration.
Please check my steps and suggest what I am missing.
Shivam
Hi Shivam,
Looks like you are on the right track, but you would have to check certain parameters in the backend system, like the following.
In tcode RZ10:
a) login/accept_sso2_ticket = 1
b) login/create_sso2_ticket = 2
c) icm/host_name_full = <Backend_Host>.<domain>
Check these links and verify that all the parameters are in place:
https://www.sdn.sap.com/irj/sdn/wiki?path=/display/ep/sso%2btroubleshooting
https://www.sdn.sap.com/irj/sdn/wiki?path=/display/ep/sso%2bchecklist
https://www.sdn.sap.com/irj/sdn/wiki?path=/display/ep/single%2bsign-on%2band%2bcookies
https://www.sdn.sap.com/irj/sdn/wiki?path=/display/ep/sso%2bprocedure
NOTE: After you do Add to Certificate List, you would have to do Add to ACL; there it will ask you to enter the SID and client number.
Enter the EP system SID and client number 000.
Hope this helps.
Cheers,
Sandeep Tudumu
Hi Sandeep,
Followed the procedure but still facing some issue.
When I click in tcode STRUSTSSO2 on Environment -> SAP Logon Ticket
without entering any RFC destination, it shows everything OK, meaning all parameters are set properly:
Own System Data
SAP System PRO Client 100
Profile Parameters login/accept_sso2_ticket = 1
Logon Tickets Are Accepted
Certificate List
The Certificate List Is Used To Verify the Digital Signature for the Logon Ticket
D:\usr\sap\PRO\DVEBMGS00\sec\SAPSYS.pse
Owner CN=NET
Issuer CN=NET
Serial Number E21E43EC
Systems for Which PRO Accepts Verified Logon Tickets
The Access Control List Defines Which Systems the Verified Logon Tickets Are Accepted From
Table TWPSSO2ACL
SAP System NET Client 001
Owner CN=NET
Issuer CN=NET
Serial Number E21E43EC
Application server PSE:
ID: CN=NET, OU=I0020240172, OU=SAP Netweaver, O=SAP Trust Community, C=DE
Namespace:
Profiles: D:\usr\sap\PRO\DVEBMGS00\sec\SAPSYS.pse
OK: file available, length: 1.945
OK: local PSE identical to original in database
OK: security toolkit available
Version
SSFLIBSO Version 1.555.17 ; SECUDE(tm) SAPCRYPTOLIB - SNC for SAP Server components and SSL - Version 5.5.5C (c) SECUDE GmbH 1990-20
OK: signature tested successfully
But when I check after entering the RFC destination and instance number, it shows an error:
The Certificate for System NET Is not Included In the Certificate List for System PRO
System PRO Does not Accept Verified Logon Tickets for System NET
This Entry for System NET Does not Include the Corresponding Certificate
NET is my portal system and PRO is my ECC5 system.
Also, in the portal, when I execute any tcode it shows the error:
"Issuer of SSO ticket is not authorized".
Please suggest.
All parameters have been set as suggested.
Shivam
To Sandeep Tudumu :
a) login/accept_sso2_ticket = 1
b) login/create_sso2_ticket = 2
login/create_sso2_ticket = 2 --> this is only for BW systems; for normal R/3 systems -->
login/create_sso2_ticket = 1
You can use "login/create_sso2_ticket = 1" if the public-key certificate is signed by the SAP CA,
and "login/create_sso2_ticket = 2" if the certificate is self-signed. If you are not sure, then use the value 2. It means it is best to do as you say ...
P.S. This applies only if you want your ECC server to issue tickets. If you do not want that, set it to 0.
To Shivam Mittal:
Try to read my last post in this thread.
Regards.
Hi Sergo,
My SSO has started working, meaning that from the portal I am now able to log on to my R/3 system.
But in tcode STRUSTSSO2 -> Environment -> SAP Logon Ticket I am still getting two errors:
"The Certificate for System NET Is not Included In the Certificate List for System PRO"
"The Digital Signature for This Certificate Cannot Be Verified"
Is there any other way to check that my SSO is configured properly?
Please suggest.
Shivam
Edited by: Shivam Mittal on Sep 30, 2008 5:57 AM
Hi,
I performed:
"Try to delete this certificate from the ACL, then from the certificate list; log in to client 000 and add the same verify.der from your portal to the certificate list anew."
But after this, when I do Add to ACL after logging in as required, it shows "no certificate found".
I also selected the added certificate, but got the same "no certificate selected".
Please suggest.
Shivam
You add it in the "Certificate list"; under "Owner" you see your added certificate, like "OU=J2EE, CN=NET" -->
Double-click on "OU=J2EE, CN=NET" --> under "Certificate" you will see information about this certificate; check "Valid from": is it correct? Once the information is shown under "Certificate", you can add it to the ACL. Regards.
Hi Sergo,
By double-clicking that way I added it to the ACL, but I still get the same error:
Issuing System for the Logon Ticket
SAP System NET Client 001
Certificate of the Issuing System for the Logon Ticket
Owner CN=NET
Issuer CN=NET
Serial Number 00
Validity 20091219 174638 20380101 000001
Check Sum 1B:B3:E5:83:EE:FB:74:C5:B0:4B:05:F8:5E:23:B5:EB
Profile Parameters login/create_sso2_ticket = 2
System NET Is Creating Logon Tickets That Do not Include Its Certificate
The Certificate for System NET Is not Included In the Certificate List for System PRO
System PRO Accepts Verified Logon Tickets for System NET
Own System Data
SAP System PRO Client 100
Profile Parameters login/accept_sso2_ticket = 1
Logon Tickets Are Accepted
Certificate List
The Certificate List Is Used To Verify the Digital Signature for the Logon Ticket
D:\usr\sap\PRO\DVEBMGS00\sec\SAPSYS.pse
Owner CN=NET
Issuer CN=NET
Serial Number E21E43EC
Systems for Which PRO Accepts Verified Logon Tickets
The Access Control List Defines Which Systems the Verified Logon Tickets Are Accepted From
Table TWPSSO2ACL
SAP System NET Client 000
Owner CN=NET, OU=I0020240172, OU=SAP Netweaver, O=SAP Trust Community, C=DE
Issuer CN=NET, OU=I0020240172, OU=SAP Netweaver, O=SAP Trust Community, C=DE
Serial Number 00
SAP System NET Client 001
Owner CN=NET
Issuer CN=NET
Serial Number 00
This Is the Certificate of the Issuing System for Logon Tickets
The Digital Signature for This Certificate Cannot Be Verified.
Please suggest.
Shivam
"login.ticket_client" is 000. That entry was added because the RFC I was using for testing was for client 001 of NET.
I have changed the RFC client and now the error is:
Issuing System for the Logon Ticket
SAP System NET Client 000
Certificate of the Issuing System for the Logon Ticket
Owner CN=NET
Issuer CN=NET
Serial Number 00
Validity 20091219 174638 20380101 000001
Check Sum 1B:B3:E5:83:EE:FB:74:C5:B0:4B:05:F8:5E:23:B5:EB
Profile Parameters login/create_sso2_ticket = 2
System NET Is Creating Logon Tickets That Do not Include Its Certificate
Error - The Certificate for System NET Is not Included In the Certificate List for System PRO
System PRO Accepts Verified Logon Tickets for System NET
Shivam
Output is:
Own System Data
SAP System PRO Client 100
Profile Parameters login/accept_sso2_ticket = 1
Logon Tickets Are Accepted
Certificate List
The Certificate List Is Used To Verify the Digital Signature for the Logon Ticket
D:\usr\sap\PRO\DVEBMGS00\sec\SAPSYS.pse
Owner CN=NET
Issuer CN=NET
Serial Number E21E43EC
Systems for Which PRO Accepts Verified Logon Tickets
The Access Control List Defines Which Systems the Verified Logon Tickets Are Accepted From
Table TWPSSO2ACL
SAP System NET Client 000
Owner CN=NET
Issuer CN=NET
Serial Number 00
The Digital Signature for This Certificate Cannot Be Verified
Application server PSE:
ID: CN=NET, OU=I0020240172, OU=SAP Netweaver, O=SAP Trust Community, C=DE
Namespace:
Profiles: D:\usr\sap\PRO\DVEBMGS00\sec\SAPSYS.pse
OK: file available, length: 1.945
OK: local PSE identical to original in database
OK: security toolkit available
Version
SSFLIBSO Version 1.555.17 ; SECUDE(tm) SAPCRYPTOLIB - SNC for SAP Server components and SSL - Version 5.5.5C (c) SECUDE GmbH 1990-20
OK: signature tested successfully
Shivam
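The STRUSTSSO2 outputs posted above show the pattern behind both error messages: the certificate list in SAPSYS.pse holds CN=NET with serial E21E43EC, while the certificate the RFC destination reports for the ticket-issuing system (and the one recorded in the TWPSSO2ACL entry for NET/000) has serial 00. The following checker is an added example written for this thread, not SAP code and not something from the original posts. It works on constructed data only and re-implements, in plain Python, the profile-parameter checks Sandeep listed for RZ10 and the trust check STRUSTSSO2 -> Environment -> SAP Logon Ticket performs: the issuing certificate must be in the certificate list, the ACL must have an entry for the issuing SID and client (the J2EE engine's login.ticket_client), and that entry must carry the same certificate. The hostname prohost.example.com, the data-class names and the wording of the findings are assumptions.

```python
"""Hypothetical consistency checker for SAP logon-ticket (SSO2) trust, written for
this thread on constructed data. Not SAP code; it does not talk to a system. It
mirrors what STRUSTSSO2 -> Environment -> SAP Logon Ticket reports on the accepting
ABAP system: profile parameters, certificate list, and ACL (table TWPSSO2ACL)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    owner: str   # subject DN as STRUSTSSO2 prints it, e.g. "CN=NET"
    issuer: str
    serial: str  # hex serial as printed, e.g. "E21E43EC"


@dataclass(frozen=True)
class AclEntry:
    sid: str     # issuing system ID, e.g. "NET"
    client: str  # issuing client, e.g. "000"
    cert: Cert   # certificate recorded with the ACL entry


def normalize_serial(serial: str) -> str:
    """Serials compare numerically: '00', '0' and '00:00' are the same value."""
    digits = serial.strip().upper().replace(":", "").lstrip("0")
    return digits or "0"


def same_cert(a: Cert, b: Cert) -> bool:
    return (a.owner.strip() == b.owner.strip()
            and a.issuer.strip() == b.issuer.strip()
            and normalize_serial(a.serial) == normalize_serial(b.serial))


def parse_profile(text: str) -> dict:
    """Parse 'name = value' lines as they appear in an RZ10 instance profile."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_accepting_profile(params: dict) -> list:
    """Profile parameters the accepting (backend) system needs."""
    findings = []
    if params.get("login/accept_sso2_ticket") != "1":
        findings.append("login/accept_sso2_ticket is not 1: logon tickets are not accepted")
    if "." not in params.get("icm/host_name_full", ""):
        findings.append("icm/host_name_full is not fully qualified; the browser only sends "
                        "the MYSAPSSO2 cookie to hosts in the DNS domain the portal set it for")
    return findings


def check_ticket_trust(issuing_sid: str, issuing_client: str, issuing_cert: Cert,
                       cert_list: list, acl: list) -> list:
    """Return the problems STRUSTSSO2 would report for one issuing system."""
    findings = []
    in_list = any(same_cert(issuing_cert, c) for c in cert_list)
    if not in_list:
        findings.append(f"The certificate for system {issuing_sid} (serial "
                        f"{issuing_cert.serial}) is not included in the certificate list")
    # The ACL is keyed by SID *and* client: the client must be the one the J2EE
    # engine signs tickets from (login.ticket_client), not just any client of NET.
    entries = [e for e in acl if e.sid == issuing_sid and e.client == issuing_client]
    if not entries:
        findings.append(f"No ACL entry for system {issuing_sid} client {issuing_client}: "
                        f"verified logon tickets from it are not accepted")
        return findings
    for entry in entries:
        if not same_cert(entry.cert, issuing_cert):
            findings.append(f"ACL entry {entry.sid}/{entry.client} carries serial "
                            f"{entry.cert.serial} but tickets are signed with serial "
                            f"{issuing_cert.serial}: the entry does not include the "
                            f"corresponding certificate")
        elif not in_list:
            findings.append(f"ACL entry {entry.sid}/{entry.client} matches the issuing "
                            f"certificate, but that certificate is not in the certificate "
                            f"list, so its signature cannot be verified")
    return findings


# Constructed data modelled on the outputs posted above (not a real PSE dump).
PROFILE_PRO = """
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 0
icm/host_name_full = prohost.example.com
"""
ISSUING_CERT_NET = Cert("CN=NET", "CN=NET", "00")        # what the RFC to NET reports
CERT_LIST_PRO = [Cert("CN=NET", "CN=NET", "E21E43EC")]   # what PRO's SAPSYS.pse holds
ACL_PRO = [AclEntry("NET", "000", Cert("CN=NET", "CN=NET", "00"))]

if __name__ == "__main__":
    for f in check_accepting_profile(parse_profile(PROFILE_PRO)):
        print("profile:", f)
    for f in check_ticket_trust("NET", "000", ISSUING_CERT_NET, CERT_LIST_PRO, ACL_PRO):
        print("trust:", f)
```

Run as-is, the profile passes and the trust check prints the two findings that correspond to the messages in the thread: the serial-00 certificate is not in the list, and the ACL entry that does match it therefore cannot be verified. Replacing CERT_LIST_PRO with [ISSUING_CERT_NET] (i.e. importing the certificate the portal actually signs with) makes the trust check return an empty list, and pointing the ACL at client 001 while tickets come from client 000 produces the "no ACL entry" finding, which is the client mismatch Shivam hit with the RFC destination.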
Hi,
Can you explain your landscape again?
You have an ABAP + Java stack, system ID: PRO.
On this Java stack you have installed the portal?
Is the system ID for the ABAP system and the portal the same, i.e. PRO?
If the answer is yes and you have an add-in installation of the Java stack, then please refer to
http://help.sap.com/saphelp_nw04/helpdata/en/75/c80b424c6cc717e10000000a155106/frameset.htm
Please check point 2, "If you have an Add-In installation", from the link.
This should solve your problem.
Regards
Ashutosh
Did you create the PRO system by copying the NET system? I have seen the same situation after a heterogeneous system copy.
You can recreate your own certificate: http://help.sap.com/saphelp_nw70/helpdata/EN/d4/085e3a1d589804e10000000a114084/frameset.htm
But you need to know why it is so strange; try to open an OSS call to SAP. Regards.