SSO logon ticket Theory

Saturday, February 9, 2008

Just for starters: the AS ABAP (BI) system as of Feb 1st 2008 is on SP13 patch 15 and the Portal 7.0 is on SPS13. The latest GUI patch is Patch #5 and the BEx Tools patch is Patch #3.


Rule #1: When a user logs in to the Portal, a non-persistent HTTP cookie is generated which holds the SAP logon ticket in the user's browser. For the browser to accept this cookie, the Internet Options settings have to allow it to sit in the browser. You ask me how to do it? The answer is below: 'Tools' --> 'Internet Options' --> 'Privacy' menu option.


Rule #2: The backend needs to accept the logon ticket from the Portal, and for that acceptance the profile parameters of the instance have to be maintained as follows: login/accept_sso2_ticket = 1 and login/create_sso2_ticket = 2 (recommended) or 1. The parameter icm/host_name_full must carry the fully qualified host name.
Login to AS-ABAP -> Start T-code RZ10 -> Menu: Utilities -> Import profiles -> Of all active servers -> Profile: Select Default -> Mark: Extended Maintenance -> Change. Add both parameters -> Save and activate the profile -> Restart the system.


Rule #3: To enable the Internet browser accept the SSO2 cookie, you must enter a fully qualified host name in accordance with Notes 434918 and 654982.


Rule #4: The SAPSECULIB / SAPCRYPTOLIB have to be set accordingly.


Rule #5: Transaction STRUST. In this transaction you define which systems are meant to accept logon tickets. This is necessary, for example, if you want to access data from one system of a BW application in another application of another system without having to log on again.


Rule #6: A configuration test can be done to ensure that SSO works on your AS ABAP. SAP delivers the sso2test.htm BSP application, which you can use to check whether an SSO2 cookie can be created. Follow these steps: Start transaction SE80 -> 'SYSTEM' BSP application -> Pages with flow logic -> Right-click sso2test.htm -> Test -> Follow the instructions on the screen.


Rule #7: You can also execute the following JavaScript command from the address bar of your Internet browser to check whether an SSO2 cookie currently exists: javascript:alert(document.cookie). As a result, all current cookies are shown in an alert box. If an SSO2 cookie exists, there must be an entry that begins with 'MYSAPSSO2=...'. If you cannot display an SSO2 cookie despite this, check the logon as described in Note 495911 and, if necessary, open a message under the component BC-SEC-SSF.
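A safer variant of the address-bar check in Rule #7, added here as an example (it is not from the original post and not an SAP tool): instead of dumping every cookie into an alert box, it parses a document.cookie-style string and reports only whether a MYSAPSSO2 entry is present, how long it is and a short prefix, since the logon ticket is a credential that should not be copied into e-mails or support messages. The sample cookie strings are constructed placeholders, not real tickets.

```javascript
// Added example (not from the original post): look for the SAP logon ticket
// cookie in a document.cookie-style string without exposing the whole value.

// document.cookie has the form "name=value; name2=value2"; a value may itself
// contain '=', so split only on the first '=' of each pair.
function parseCookieString(cookieString) {
  const cookies = new Map();
  for (const part of cookieString.split(';')) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    cookies.set(pair.slice(0, eq), pair.slice(eq + 1));
  }
  return cookies;
}

// Report presence of the MYSAPSSO2 cookie (Rule 7) with only a short,
// shareable preview of the ticket value.
function checkSsoTicket(cookieString) {
  const cookies = parseCookieString(cookieString);
  const ticket = cookies.get('MYSAPSSO2');
  const otherCookies = [...cookies.keys()].filter(n => n !== 'MYSAPSSO2');
  if (ticket === undefined) {
    return { present: false, otherCookies };
  }
  return {
    present: true,
    length: ticket.length,
    preview: ticket.slice(0, 8) + '...', // first 8 chars only
    otherCookies,
  };
}

// Constructed sample cookie strings; the MYSAPSSO2 value is a placeholder,
// not a real logon ticket.
const WITH_TICKET = 'JSESSIONID=abc123; MYSAPSSO2=AjExMDAgAAVwb3J0YWw=; saplb_*=(J2EE123)';
const WITHOUT_TICKET = 'JSESSIONID=abc123';

// In a browser this inspects the live cookie jar; under Node the samples are used.
if (typeof document !== 'undefined') {
  console.log(checkSsoTicket(document.cookie));
} else {
  console.log(checkSsoTicket(WITH_TICKET));
  console.log(checkSsoTicket(WITHOUT_TICKET));
}
```

One caveat applies to both this script and the alert() one-liner: a cookie set with the HttpOnly flag is never exposed through document.cookie, so an empty result does not by itself prove that no ticket was issued; in that case use the server-side checks in Rule #6 or Rule #11 instead.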


Rule #8: When exporting the certificate from the AS-ABAP (BI) system, the system PSE must be properly configured. To do this, start transaction STRUSTSSO2; if the System PSE does not have a green status, right-click on System PSE, click on Create and accept the initial values. Save the changes. If you have problems, refer to SAP Note 662340.


Rule #9: When configuring the Web Dynpro JCo destination connectivity, the SLD your system points to (local or central) must work properly. Logon to the Web Dynpro Welcome page http://host:port/webdynpro/welcome/Welcome.jsp and then go to Content Administrator -> Check SLD Connection -> Test Connection. The relevant connection settings are displayed beforehand; make sure they are correct. The test result is listed at the bottom of the page. If the test fails, verify and adjust the SLD settings in the Visual Administrator:
1. Go to SLD Data Supplier -> tab Runtime -> tab (bottom) HTTP Settings, and adjust all the parameters.
2. Go to SLD Data Supplier -> tab Runtime -> tab (bottom) CIM Client Generation Settings, and adjust all the parameters.
3. Go to Configuration Adapter -> CTC -> property sheet System Properties, and adjust all the SLD-relevant settings.
4. Retest.


Rule #10: The AS ABAP (BI) system has to be registered in the SLD. If it is not, logon to the SLD at http://host:port/sld (your configured SLD, central or local) and check Home -> Technical Systems -> select type ABAP. This should show the configuration of your ABAP (BI) system. If it is missing, logon to your ABAP (BI) system -> go to transaction RZ70 -> fill in the SLD bridge: gateway info -> Activate -> Start data collection. If an error message like "ABAP backend doesn't exist in the SLD" pops up while running the template installer, there can be different causes for this error. Starting with SP14 more detailed error sources are reported; for lower SPS the exact reason for the error can be found in the default trace file.

Rule #11:

The SAP SSO2 cookie is a major part of the EP SSO environment. As such, it is useful to be able to view its contents to assist in problem resolution.

Check for SSO cookies
Use the URL: http://portalserver:port/irj/servlet/prt/portal/prtroot/SSOSupport.default

Rule #12:
Logon to the SAP system/client using SAPgui.
Start transaction SA38.
Enter RSPFPAR as the Program Name and hit Execute (F8), then Execute (F8) again on the next screen.
Search for the string login/ using the Search icon.
The parameter should be set as follows:
login/accept_sso2_ticket = 1
If the parameters are not set correctly, they must be changed using
transaction RZ10, which requires an SAP system restart.
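As an added check for the profile settings in Rules 2, 3 and 12 (example code written for this page, not part of the original post or of SAP's tooling): the script parses the "name = value" lines of a profile as exported by RZ10 and reports whether login/accept_sso2_ticket, login/create_sso2_ticket and icm/host_name_full carry the values the rules require. The sample profile text is constructed, and the test for a fully qualified host name (at least one dot-separated domain label after the host) is my assumption about what "fully qualified" means here.

```javascript
// Added example (not from the original post): sanity-check the SSO2-related
// profile parameters from Rules 2, 3 and 12 in exported SAP profile text.
// Input is the "name = value" form that RZ10 exports and RSPFPAR displays;
// anything after '#' on a line is treated as a comment.

const SSO_RULES = {
  // Rule 2 / Rule 12: the backend must accept Portal tickets
  'login/accept_sso2_ticket': v => v === '1',
  // Rule 2: 2 is recommended, 1 is acceptable
  'login/create_sso2_ticket': v => v === '2' || v === '1',
  // Rule 2 / Rule 3: fully qualified host name. Assumption: "fully qualified"
  // means at least one dot-separated domain label follows the host name.
  'icm/host_name_full': v => /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/.test(v),
};

// Parse profile text into a plain object of parameter name -> value.
function parseProfile(text) {
  const params = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.replace(/#.*/, '').trim(); // strip comments
    if (!line) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    params[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return params;
}

// Return a list of findings; an empty list means every checked parameter is fine.
function checkSsoProfile(text) {
  const params = parseProfile(text);
  const findings = [];
  for (const [name, isOk] of Object.entries(SSO_RULES)) {
    if (!(name in params)) {
      findings.push(`${name}: missing`);
    } else if (!isOk(params[name])) {
      findings.push(`${name}: unexpected value '${params[name]}'`);
    }
  }
  return findings;
}

// Constructed sample profiles (not exported from a real system).
const GOOD_PROFILE = `
# DEFAULT.PFL excerpt (constructed)
SAPSYSTEMNAME = BI1
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2
icm/host_name_full = bisrv01.example.com
`;

const BAD_PROFILE = `
SAPSYSTEMNAME = BI1
login/accept_sso2_ticket = 0
icm/host_name_full = bisrv01   # bare host name: the browser will not accept the cookie (Rule 3)
`;

console.log('good profile:', checkSsoProfile(GOOD_PROFILE));
console.log('bad profile:', checkSsoProfile(BAD_PROFILE));
```

Run it with node against a profile exported from RZ10; a non-empty findings list tells you which parameter to correct before the restart that Rule #12 mentions.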

Rule #13: When configuring the connectivity between the AS-ABAP (BI) and AS-JAVA systems, a "Logon Group" must be provided in the user input. Login to AS-ABAP -> Start T-code SMLG -> Create -> Enter Logon Group name (e.g. PUBLIC) and select an Instance -> Copy -> Save


Make sure that the user has authorizations for function group SYST in the SAP Web Application Server ABAP part of your SAP NetWeaver BI system.


Rule #14:
Activate the BEx services in the AS ABAP (BI) system: T-code SICF -> default host -> sap -> bw -> Mark "bw" -> Right-click -> Activate Service -> Press "Y" to activate the whole tree.
Additional Notes:
EXECUTION: In the user input part (UI), specify the application server host name of both the Java and the backend (ABAP) system with the full domain name in case there is only one field for the host. It should look like "server.company.com". In newer releases (with patch) there are two fields, for host and domain separately. In this case specify the host (without the domain name) and the domain (without the host name) respectively.
CENTRAL SLD: If you use a central SLD, make sure that the user (including its appropriate authorization) that you provide for setting up the WD JCo destinations exists on both the BI system and the central SLD.
TEST WD JCo DESTINATIONS: If you want to check the WD JCo destinations (http://host:port/index.html -> Web Dynpro -> Content Administrator -> Maintain JCo Destinations -> In the detailed navigation: System defined Content: BI_METADATA / BI_MODELDATA / WD_ALV_METADATA_DEST / WD_ALV_MODELDATA_DEST) with the "Test" button, make sure that the user with which you login to the Content Administrator page (e.g. j2ee_admin) has the RFC authorization on the ABAP side (Role: SAP_BC_JSF_COMMUNICATION, Profile: S_BW_RFC and S_BI-WX_RFCA). Otherwise the test will fail, because SSO is used.


Related Information:
http://help.sap.com/saphelp_webas620/helpdata/en/17/f8973814eb481fe10000009b38f8cf/frameset.htm
http://service.sap.com/security

2 comments:

Unknown said...

Great in-depth analysis. Thanks for the blog

Unknown said...

Should be clearer than what your... anyway good, thanks