Configuring SAP Systems to Accept and Verify SAP Logon Tickets
The Portal Server digitally signs SAP logon tickets as it issues them to the portal users. SAP component systems need to accept the tickets and verify the Portal Server’s digital signature. The following information is important for the SAP component system to be able to accept and verify SAP logon tickets:
· The SAP component system should only accept SAP logon tickets issued by its designated Portal Server. Therefore, the identity of the Portal Server needs to be entered in the component system's SSO access control list (ACL).
· The SAP component system needs to be able to verify the Portal Server's digital signature. If the Portal Server possesses a public-key certificate that is signed by the SAP Trust Center Service, the SAP component system can verify the Portal Server's digital signature without needing any additional information. However, if the certificate is a self-signed certificate, then the SAP component system needs access to the Portal Server's public-key information, which needs to be entered in the component system's certificate list.
· The SAP System has Release 4.0B or higher. SAP logon tickets are not supported in releases lower than 4.0B.
· The Enterprise Portal Plug-In that corresponds to the Enterprise Portal release has been installed in the component system.
· The required kernel patches have been applied to R/3 Systems prior to Release 4.6C. For more information, see the section on implementing new kernels for the SAP Application Server in SAP Note 177895. Note that after applying the kernel patches, you may need to patch the operating system of the R/3 System so that the new kernel works.
· Users must have the same user IDs in all SAP Systems that are accessed via Single Sign-On with SAP logon tickets. If the SAP user IDs are different from the portal user IDs, you must define an SAP reference system. See Defining an SAP R/3 Reference System for User Data.
· The SAP Security Library is installed on all of the component system's application servers. For best practices, we recommend installing the most recent version of the library, which is available on the sapserv<x> under /general/misc/security/SAPSECU/<platform>.
· You have configured the Portal Server for Single Sign-On with logon tickets. See Configuring Portal Server for SSO with SAP Logon Tickets.

In SAP systems with Release 4.6C or higher, you can use transaction STRUSTSSO2 to complete the first two steps of the following procedure. This is described in Using Transaction STRUSTSSO2 in SAP System >= 4.6C.
The Portal Server is identified by system ID, client, and the name in the certificate. You must enter these details in the access control list of the component system as follows.
Note that if you want to enter more than one Portal Server in the same ACL, you must configure one of the Portal Servers as described in Using More Than One Portal.
1. In the component system, maintain table TWPSSO2ACL with transaction SM30.
2. Create a new entry for the Portal Server by choosing New entries.
3. Enter 'WP3' as System ID and '000' as Client. These are the default values for these parameters.

Normally you only need to change these default values if you are entering more than one Portal Server in the ACL. If you do wish to define different values, you must change the parameters login.ticket_issuer and login.ticket_client respectively in the file usermanagement.properties on the Portal Server.
4. Enter the following values for Subject name, Issuer name, and Serial number.
Field | Value
Subject name | CN=Portal EP 5.0
Issuer name | CN=Portal EP 5.0 (if using a self-signed certificate); the issuer of the certificate (if using a certificate signed by the SAP Trust Center Service). You can get the issuer name by viewing the public key certificate in the
Serial number | 00

Again, these are default values. You only need to change them if you are entering more than one Portal Server in the ACL or if you are using a server certificate signed by the SAP Trust Center. If you do wish to define different values, you must change the parameter login.ticket_dn in the file usermanagement.properties on the Portal Server.
5. Save your entries.
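As an added example (not SAP's code and not part of this documentation), the following Python checks a Portal Server's issuer settings from usermanagement.properties against the TWPSSO2ACL rows entered in the procedure above, and reports which field would cause the component system to reject the ticket. The property parser, the AclEntry class and the sample entries are assumptions made for the illustration.

```python
# Added example (not SAP's code): checks that a Portal Server's ticket-issuer
# settings (usermanagement.properties) match a row of the component system's
# SSO ACL (table TWPSSO2ACL). Helper names and sample data are constructed.
from dataclasses import dataclass

# Default values named in the procedure above.
DEFAULT_PROPS = {"login.ticket_issuer": "WP3",           # System ID in the ACL
                 "login.ticket_client": "000",           # Client in the ACL
                 "login.ticket_dn": "CN=Portal EP 5.0"}  # Subject name of the portal certificate

@dataclass(frozen=True)
class AclEntry:  # one row of TWPSSO2ACL
    system_id: str
    client: str
    subject: str
    issuer: str
    serial: str

def parse_properties(text):
    """Java-style .properties: '#'/'!' comments, key=value; a key left out keeps its default."""
    props = dict(DEFAULT_PROPS)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def check_acl(props, acl, cert_issuer, cert_serial):
    """Return (matching AclEntry, []) or (None, list of mismatches). System ID and
    client come from the portal properties; subject, issuer and serial are those of
    the portal's signing certificate. Every field must match for acceptance."""
    sysid, client = props["login.ticket_issuer"], props["login.ticket_client"]
    want = {"subject": props["login.ticket_dn"], "issuer": cert_issuer, "serial": cert_serial}
    rows = [e for e in acl if e.system_id == sysid and e.client == client]
    if not rows:
        return None, [f"no ACL entry for system {sysid} client {client}"]
    for e in rows:
        if all(getattr(e, f) == want[f] for f in want):
            return e, []
    e = rows[0]  # report field-by-field differences against the first candidate
    return None, [f"{f}: ticket has {want[f]!r}, ACL has {getattr(e, f)!r}"
                  for f in want if want[f] != getattr(e, f)]

# Constructed sample: a second portal (EP1) entered in the ACL beside the default one.
SAMPLE_PROPS = parse_properties("# constructed\nlogin.ticket_issuer=EP1\nlogin.ticket_dn=CN=Portal EP1\n")
SAMPLE_ACL = [AclEntry("WP3", "000", "CN=Portal EP 5.0", "CN=Portal EP 5.0", "00"),
              AclEntry("EP1", "000", "CN=Portal EP1", "CN=Portal EP1", "00")]
print(check_acl(SAMPLE_PROPS, SAMPLE_ACL, "CN=Portal EP1", "01"))  # -> (None, ["serial: ticket has '01', ACL has '00'"])
```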

This step is not necessary if the Portal Server’s public key certificate is signed by the SAP Trust Center.
This procedure is release-specific.
· If the SAP component system is based on Release 4.6C or higher, follow the procedure detailed in Importing Portal Certificate into SAP System >= 4.6C.
· If the SAP component system is based on Release 4.0B to 4.6B, follow the procedure detailed in Importing Portal Certificate into SAP System < 4.6C.
On all of the component system's application servers:
1. Set the profile parameters login/accept_sso2_ticket = 1 and login/create_sso2_ticket = 0 in every instance profile.
2. For Releases 4.0 and 4.5, also set the profile parameter SAPSECULIB to the location (path and file name) of the SAP Security Library.
On each of the ITS servers of the SAP component system, in the global service file global.srvc, set the following parameters:
Set the Parameter | To the Value | Comment
~login | (space) |
~password | (space) |
~mysapcomusesso2cookie | 1 | Enables the user to log on to the system using an existing SAP logon ticket.
The SAP component systems are able to accept SAP logon tickets and verify the Portal Server's digital signature when they receive a logon ticket from a user.
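To check the profile parameters and the ITS service file settings from the two procedures above on copies of the files, here is an added Python audit (not SAP's code). The 'name = value' profile syntax and the '~name value' .srvc syntax, the function names and the sample file contents are assumptions.

```python
# Added example (not SAP's code): audits the values this procedure sets in an
# instance profile and in the ITS global.srvc file. File formats are assumed
# ('name = value' for profiles, '~name value' for .srvc); samples are constructed.

# Values required by the procedure above.
PROFILE_REQUIRED = {"login/accept_sso2_ticket": "1",   # accept tickets from the portal
                    "login/create_sso2_ticket": "0"}   # do not issue tickets here
SRVC_REQUIRED = {"~login": "", "~password": "",        # no fixed user in the service file
                 "~mysapcomusesso2cookie": "1"}        # log on with an existing ticket

def parse_params(text):
    """One parameter per line; '#' starts a comment; a later line overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line:                       # instance profile form
            name, _, value = line.partition("=")
        else:                                 # .srvc form; the value may be absent
            parts = line.split(None, 1)
            name, value = parts[0], parts[1] if len(parts) > 1 else ""
        params[name.strip()] = value.strip()
    return params

def _diff(params, required):
    return [f"{k} is {params[k]!r}, expected {v!r}" if k in params else f"{k} is not set, expected {v!r}"
            for k, v in required.items() if params.get(k) != v]

def audit_profile(text, release):
    """Findings for one instance profile; an empty list means it matches the procedure."""
    params = parse_params(text)
    findings = _diff(params, PROFILE_REQUIRED)
    # Releases 4.0 and 4.5 must also name the SAP Security Library.
    if release.startswith(("4.0", "4.5")) and not params.get("SAPSECULIB"):
        findings.append("SAPSECULIB must give the path and file name of the SAP Security Library")
    return findings

def audit_srvc(text):
    """Findings for one ITS global.srvc file."""
    return _diff(parse_params(text), SRVC_REQUIRED)

# Constructed samples: a 4.5B profile missing one setting (placeholder library path), and a service file with a fixed user.
SAMPLE_PROFILE = "# constructed\nlogin/accept_sso2_ticket = 1\nSAPSECULIB = /path/to/sapsecu/library\n"
SAMPLE_SRVC = "~login ITSUSER\n~password secret\n~mysapcomusesso2cookie 1\n"
print(audit_profile(SAMPLE_PROFILE, "4.5B"))  # -> ["login/create_sso2_ticket is not set, expected '0'"]
print(audit_srvc(SAMPLE_SRVC))  # -> ["~login is 'ITSUSER', expected ''", "~password is 'secret', expected ''"]
```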