
Error in Starting Visual Administration - SSO Configuration

Former Member
0 Kudos

We have installed EP 7 SP 14 on Enterprise Linux 5.0

Initially, i.e. after installation, only the following login module stack was used under sap j2ee engine

BasicPasswordLoginModule - SUFFICIENT

To check the SSO with other nw 7 java system in our landscape, I have changed it to the following using Visual Administration

EvaluateTicketLoginModule - SUFFICIENT

BasicPasswordLoginModule - OPTIONAL

CreateTicketLoginModule - REQUISITE

I have restarted ep

Now, I am able to login to the system using Administrator login from the browser.

I checked the SSO. It was not working.

I tried to log in to Visual Administrator to make changes; it's giving me the following error:

Error while connecting

com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied.

How do I proceed ?

Rgds,

Santosh

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Given below is the output from the log file security.0.log available at

/usr/sap/DEP/JC00/j2ee/cluster/server0/log/system

#1.#00505696557D00650000002A0000779100045465B00B0CB5#1218695628786

#/System/Security/Authentication

#sap.com/irj

#com.sap.engine.services.security.authentication.logincontext

#P00101959#920##n/a##f3ef9d2069ca11ddcff800505696557d

#SAPEngine_Application_Thread[impl:3]_37##0#0#Info#1

#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.OK

User: P00101959

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false

2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true true

3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true true

Central Checks true #

#1.#00505696557D00650000002B0000779100045465B00B1048#1218695628787

#/System/Security/Audit#sap.com/irj

#com.sap.security.core.util.SecurityAudit

#P00101959#920##n/a##f3ef9d2069ca11ddcff800505696557d#SAPEngine_Application_Thread[impl:3]_37##0#0#Info#1

#com.sap.security.core.util.SecurityAudit#Plain###P00101959

| LOGIN.OK

| USER.CORP_LDAP.p00101959

|

| IP Address=[172.18.40.68]#

Rgds,

Santosh

Former Member
0 Kudos

Hi Santosh,

So you need SSO between SAP J2EE & IBM Tivoli Directory server? Then it's another story ...

Maybe this will help you: http://www.ibm.com/developerworks/tivoli/library/t-ssosapnwas/index.html

Regards,

Andrei

Former Member
0 Kudos

First of all, thanks to you all for your responses.

hi Andrei,

i tried the option provided by you and restarted j2ee instances.

still sso is not working.

hi sandeep,

If I remove the CreateTicketLoginModule, how will my system generate tickets?

hi Vamshi,

My user data resides in IBM Tivoli Directory server. Both my systems point to the same LDAP and I am checking SSO with a non-administrator user.

I would like to know if my system is able to generate logon tickets. How will I find that out?

rgds,

santosh

Former Member
0 Kudos

Hi Santosh,

You can try to login with the SAP* user (super user).

To activate super user you need to change a property using the config tool, restart j2ee and log in with SAP* (search this forum to find which property to change: https://www.sdn.sap.com/irj/sdn/advancedsearch?cat=sdn_all&query=activatesuperuser&adv=false&sortby=cm_rnd_rankvalue).

Regards,

Andrei

Former Member
0 Kudos

Thanks for your response.

My problem pertaining to visual administration is solved with the help of sap note no. 957355.

However, the problem of sso configuration still remains.

Rgds,

Santosh

Former Member
0 Kudos

Hi Santosh,

Try reimporting the certificate. It should work.

Cheers,

Sandeep Tudumu

Former Member
0 Kudos

How do I change the log in module stack to enable my ep to issue tickets ?

Rgds,

Santosh

Former Member
0 Kudos

Hi Santosh,

Your options are not correct. You call CreateTicketLoginModule even if basic authentication wasn't successful.

Here should be:

EvaluateTicketLoginModule SUFFICIENT

BasicPasswordLoginModule REQUISITE

CreateTicketLoginModule OPTIONAL

After changing these properties, a restart of j2ee is required.

Regards,

Andrei

Edited by: Andrei Smolkin on Aug 12, 2008 5:43 PM
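
The control-flag point in the reply above, as an added example that is not part of the original thread and is not SAP code: a small Python model of the standard JAAS flag rules, run over the stack from the question and the stack suggested in the reply. Whether each module's login succeeds is a constructed input, so the output shows which modules get called and how the flags combine, not how the SAP modules behave internally.

```python
# Added example (not from the thread): JAAS control-flag evaluation.
# Module outcomes passed in are constructed inputs, not observed SAP behaviour.

ORIGINAL = [("EvaluateTicketLoginModule", "SUFFICIENT"),
            ("BasicPasswordLoginModule", "OPTIONAL"),
            ("CreateTicketLoginModule", "REQUISITE")]
SUGGESTED = [("EvaluateTicketLoginModule", "SUFFICIENT"),
             ("BasicPasswordLoginModule", "REQUISITE"),
             ("CreateTicketLoginModule", "OPTIONAL")]

def run_stack(stack, ticket_ok, password_ok, create_ok):
    """Return (authenticated, modules_invoked) under standard JAAS flag rules."""
    outcome = {"EvaluateTicketLoginModule": ticket_ok,
               "BasicPasswordLoginModule": password_ok,
               "CreateTicketLoginModule": create_ok}
    invoked, must_seen, must_failed, any_ok = [], False, False, False
    for name, flag in stack:
        invoked.append(name)
        ok = outcome[name]
        must = flag in ("REQUIRED", "REQUISITE")
        must_seen = must_seen or must
        if ok:
            any_ok = True
            # SUFFICIENT success ends processing unless a REQUIRED already failed
            if flag == "SUFFICIENT" and not must_failed:
                return True, invoked
        elif must:
            must_failed = True
            if flag == "REQUISITE":  # REQUISITE failure stops the stack at once
                break
    if must_failed:
        return False, invoked
    # With no REQUIRED/REQUISITE configured, one success of any module is needed
    return (True if must_seen else any_ok), invoked

def compare(**outcomes):
    """Evaluate both stacks from the thread against the same module outcomes."""
    return {"original": run_stack(ORIGINAL, **outcomes),
            "suggested": run_stack(SUGGESTED, **outcomes)}

if __name__ == "__main__":
    cases = {
        "wrong password": dict(ticket_ok=False, password_ok=False, create_ok=False),
        "password ok, ticket creation fails": dict(ticket_ok=False, password_ok=True, create_ok=False),
        "password ok (as in security.0.log)": dict(ticket_ok=False, password_ok=True, create_ok=True),
        "valid ticket presented": dict(ticket_ok=True, password_ok=False, create_ok=False)}
    for label, oc in cases.items():
        for stack_name, (auth, invoked) in compare(**oc).items():
            print(f"{label:36} {stack_name:9} auth={auth!s:5} invoked={len(invoked)}")
```

With a failed password the original stack still reaches CreateTicketLoginModule, while the suggested stack stops at BasicPasswordLoginModule; with CreateTicketLoginModule as REQUISITE, a failure in ticket creation denies the whole logon even when the password check passed.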

Former Member
0 Kudos

Santosh,

I understand that you have followed SAP Note 957355.

But did you also get to look at this help document?

http://help.sap.com/saphelp_nw04/helpdata/en/76/fb72ec091f4bf8a2d8ba321bb7e8d9/content.htm

According to this: "Remove the CreateTicketLoginModule. (This login module can be used only by Web applications.)"

Cheers,

Sandeep Tudumu

Former Member
0 Kudos

Hi Santosh,

Though a silly question.

Does the user ID through which you are logging into the Portal exist in the R3 Backend? Because I guess you are testing SSO with Administrator.

Thanks,

Vamshi