Thursday 26 September 2013

How to configure Single Sign On (SSO) between SAP GUI (backend system) and Portal (Front end)

How to bypass the second layer of login authentication when accessing the portal from SAP GUI.

Scenario:
Once the SAP Solution Manager installation is complete, accessing "SOLMAN_WORKCENTER" through SAP GUI requires an additional level of login authentication for all the portal features.

Example:

1) Additional authentication required

2) Portal login screen

3) Portal menu

This additional login level can be removed by integrating Single Sign On (SSO), i.e. by setting up a trust relationship between the backend system and the portal.

Steps to configure the SSO integration between backend system and front end portal:

A) Front End: Export certificate from portal 

1) Login to Visual Administrator
    Refer to How to execute or run J2EE Engine Visual Administrator

2)  Select Cluster: Server -> Services -> Key Storage -> Runtime tab -> Views: TicketKeystore ->  
     Entries: SAPLogonTicketKeypair-cert -> Click "Export" button

3) Save the file on the backend server (SAP system)

4) Enter filename. Ex: portal_sid_certificate.crt

B) Backend: Create a user "SAPJSF" 

1) Execute TCODE: SU01 -> display user "SAPJSF" (if the user does not exist, create a new user with user type: System)

2) Assign roles "SAP_BC_JSF_COMMUNICATION" and "SAP_BC_USR_CUA_CLIENT_RFC"

3) Check that the "icm/host_name_full" parameter is configured correctly in the Default profile

4) Execute TCODE: RZ10 to ensure that the parameters "login/accept_sso2_ticket" and "login/create_sso2_ticket" exist, or create them if necessary

5) Select Instance profile

6) Click "Extended maintenance" and "Change" button

7) If the two parameters are not present, click the "Parameter" icon to create them

8) Enter Parameter name: login/accept_sso2_ticket, Parameter value: 1 and click "Copy" button

9) Enter Parameter name: login/create_sso2_ticket, Parameter value: 2 and click "Copy" button

10) Make sure the parameters are correct

11) Save the profile

12) Restart the SAP system

13) Restart with sapmmc

14) Click "OK"

15) Wait for the reboot
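The RZ10 steps above place the two login/*_sso2_ticket parameters in the instance profile, while icm/host_name_full is expected in the Default profile. Because an instance-profile definition overrides the Default profile, the value you see in one file is not necessarily the effective one. The following Python check is an added example, not part of the original post: it parses both profiles (constructed samples, hypothetical SID "ABC" and host name) and reports whether the effective values match what section B requires.

```python
"""Check an SAP profile pair for the SSO parameters set in section B.

Hypothetical helper added to this post as an example. It models SAP profile
layering: the DEFAULT profile is read first, the instance profile second, and a
later definition of the same parameter wins. All sample data below is
constructed and does not come from a real system.
"""

# Parameter values required by steps B.8 and B.9 of the post.
REQUIRED = {
    "login/accept_sso2_ticket": "1",
    "login/create_sso2_ticket": "2",
}


def parse_profile(text):
    """Parse 'name = value' lines of an SAP profile; '#' starts a comment.

    A parameter defined twice in one file keeps its last value, which is how
    the profile reader behaves when a parameter is repeated.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def effective_parameters(default_text, instance_text):
    """Merge DEFAULT and instance profile; instance definitions override."""
    merged = parse_profile(default_text)
    merged.update(parse_profile(instance_text))
    return merged


def check_sso_readiness(default_text, instance_text):
    """Return a list of findings; an empty list means the profiles are ready."""
    params = effective_parameters(default_text, instance_text)
    findings = []
    for name, expected in REQUIRED.items():
        actual = params.get(name)
        if actual is None:
            findings.append(f"{name} is missing (expected {expected})")
        elif actual != expected:
            findings.append(f"{name} is {actual} (expected {expected})")
    # Step B.3: the host name must be set and fully qualified, since it ends up
    # in the logon ticket issuer information the portal has to trust.
    host = params.get("icm/host_name_full")
    if not host:
        findings.append("icm/host_name_full is not set")
    elif "." not in host:
        findings.append(f"icm/host_name_full={host} is not fully qualified")
    return findings


# Constructed sample: DEFAULT profile with the host name set as step B.3 asks,
# but with an older value of the accept parameter that must be overridden.
SAMPLE_DEFAULT = """\
# DEFAULT.PFL (constructed sample, hypothetical SID ABC)
SAPSYSTEMNAME = ABC
icm/host_name_full = abchost.example.com
login/accept_sso2_ticket = 0
"""

# Constructed sample: instance profile before steps B.8 and B.9 were done.
SAMPLE_INSTANCE_BEFORE = """\
SAPSYSTEMNAME = ABC
"""

# Constructed sample: instance profile after steps B.8 and B.9.
SAMPLE_INSTANCE_AFTER = """\
SAPSYSTEMNAME = ABC
login/accept_sso2_ticket = 1   # overrides the 0 from DEFAULT.PFL
login/create_sso2_ticket = 2
"""

if __name__ == "__main__":
    for label, inst in (("before", SAMPLE_INSTANCE_BEFORE),
                        ("after", SAMPLE_INSTANCE_AFTER)):
        result = check_sso_readiness(SAMPLE_DEFAULT, inst)
        print(label, "->", result or ["ready"])
```

Run against the "before" sample the check reports the accept parameter still at 0 (inherited from the Default profile) and the create parameter missing; after the two parameters are added to the instance profile it reports nothing, matching step B.10 ("make sure the parameters are correct").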

C) Backend: Import the front end certificate created earlier

1) Execute TCODE: STRUSTSSO2

2) Click "Certificate" -> "Import"

3) Click "Binary" and select the portal certificate created earlier

4) Click the "tick" button

5) Click "Allow"

6) Certificate imported successfully

7) Click "Add to Certificate List", then click the "Add to ACL" button

8) Enter System ID: J2E, Client: 000

9) New entry created at the Logon ticket section

10) Click "Save" button

D) Backend: Export certificate

1) Click the "Export" button

2) Select "Binary" and enter a filename, ex: abap_backend_certificate.crt (to be imported into the front end server)

3) Click "OK"

E) Front end: Create a JCo RFC provider 

1) Execute TCODE: SMGW and note the LU Name and TP Name

2) Select Cluster: Server -> Services -> JCo RFC provider -> Runtime tab -> Bundles tab ->
     Registered server
     Enter Program Id: sapj2ee_port, Gateway host: LU Name, Gateway service: sapgw00,
     Server Count (1..20): 1

3) Click Repository: Specify Application Server
    Enter: Application server host: LU Name, System number: 00 (according to the relevant SAP system),
    Client: 000 (according to the relevant SAP system), Language: EN, User: SAPJSF,
    Password: master password created during installation or password reset for user: SAPJSF
    Click "Set" button

F) Front end: Add back end to security providers list

1) Select cluster: Server -> Services -> Security Provider -> Runtime tab -> Policy Configuration ->
    Components: ticket
    Click the "Pencil" button to switch to edit mode  

2) Select Authentication tab -> "com.sap.security.core.server.jaas.EvaluateTicketLoginModule"
    Click "Modify" button

3) Enter the following details:
    Name: ume.configuration.active, Value: true
    Name: trustedsys1, Value: SID,Client number
    Name: trustediss1, Value: CN=SID
    Name: trusteddn1, Value: CN=SID
    Click "OK" button

4) Select cluster: Server -> Services -> Security Provider -> Runtime tab -> Policy Configuration ->
    Components: evaluate_assertion_ticket
    Select Authentication tab -> "EvaluateAssertionTicketLoginModule"
    Enter the following details:
    Name: ume.configuration.active, Value: true
    Name: trustedsys1, Value: SID,Client number
    Name: trustediss1, Value: CN=SID
    Name: trusteddn1, Value: CN=SID
    Click "OK" button
    Click "Modify" button

G) Front end: Import the backend certificate 

1) Select Cluster: Server -> Services -> Key Storage -> Runtime tab -> Views: TicketKeystore ->  
     Entries: SAPLogonTicketKeypair-cert -> Click "Load" button

2) Select the "abap_backend_certificate.crt" file that was created on the backend system

3) The certificate imported successfully

4) Click "Yes" to exit the Visual Administrator

5) Restart the SAP system with sapmmc

H) Backend: Create and test the RFC connection

1) Execute TCODE: SM59 -> Select "TCP/IP Connection" -> Click "Create" icon

2) Enter RFC Destination: RFC_TO_PORTAL, Connection Type: T, Program ID: sapj2ee_port

3) Enter Gateway host = LU Name, Gateway service: sapgw00

4) Save and test the connection

5) Connection is ready

I) Login to portal

1) Execute TCODE: SOLMAN_WORKCENTER

2) The second layer authentication login screen is bypassed

3) That is all for the SSO integration between the backend system and the front end portal

Error when importing the backend certificate into the front end (section G)

1) Sample error that appears during the import process

2) Rename the file to a shorter filename

3) The import of the certificate will then be successful
