Procedure documentation Single Sign-On Configuration 

Procedure for PI Web Components

To ensure that Single Sign-On works properly between the PI Web components, you must change their authentication template from basic to ticket. To do so, you have to perform the following steps:

  1.  Use the SAP NetWeaver Administrator and choose Configuration Management → Security → Authentication.

  2.  Search for the following Web PI components:

  sap.com/com.sap.xi.repository*rep

  sap.com/com.sap.xi.directory*dir

  sap.com/com.sap.xi.services*run

  sap.com/com.sap.xi.mdt2*mdt

  sap.com/com.sap.xi.rwb*rwb

  sap.com/com.sap.lcr*sld

  sap.com/com.sap.aii.ib.rprof.app*exchangeProfile

  sap.com/com.sap.aii.af.app*AdapterFramework

  3.  Select each component and change the referenced authentication template from basic to ticket by selecting ticket in the dropdown menu.

  4.  Search for the Service component service.naming.

  5.  Select the component and change the referenced authentication template from basic to ticket by selecting ticket in the dropdown menu.

  6.  Save your changes.

All these changes take effect immediately and remain in effect after subsequent redeployments.

  7.  Access the Exchange Profile and expand the IntegrationBuilder node.

  8.  Specify the following property as true:

com.sap.aii.ib.core.sso.enabled

  9.  Refresh the AII Properties.

  10.  Refresh the PI start page.

From now on, the logon dialog is displayed only once, rather than once for each available component.

More information:

  Configuring Authentication Mechanisms

  Working with the Development Environment

Additional Procedure for the Runtime Workbench

Since the Runtime Workbench communicates with AS ABAP, the Java logon ticket key pair must be modified, and the corresponding certificate must be exported from AS Java and imported to AS ABAP.

  1.  Change the client value of the Java logon ticket as described under Using Logon Tickets with AS ABAP.

  a.  Start the AS Java Config Tool.

  b.  Switch to edit mode.

  c.  Expand the nodes cluster_config → system → custom_global → cfg → services.

  d.  Open the property sheet com.sap.security.core.ume.service.

  e.  Change the value of login.ticket_client to a client number that is not used in AS ABAP, for example 001.

  f.  Restart AS Java.

  2.  Create a new SAPLogonTicketKeypair certificate with a distinguished name (DN) other than the one used in AS ABAP.

  a.  Use the SAP NetWeaver Administrator and choose Configuration Management → Security → Certificates and Keys.

  b.  Select the keystore view TicketKeystore.

  c.  Select the keystore entry SAPLogonTicketKeypair-cert and remove the entry.

  d.  Select the keystore entry SAPLogonTicketKeypair and remove the entry.

  e.  Make sure that you:

  mark Store Certificate

  use Key Length 1024

  select Algorithm DSA

  specify your <SID> as Entry Name

  fill the values for the other keys as appropriate

  3.  Export the Java SAPLogonTicketKeypair certificate.

  a.  Use the SAP NetWeaver Administrator and choose Configuration Management → Security → Certificates and Keys.

  b.  Select the keystore view TicketKeystore.

  c.  Select the keystore entry SAPLogonTicketKeypair-cert.

  d.  Export the certificate in either X.509 or Base64 Encoded format.

  4.  Check the SSO Parameter of AS ABAP.

To check whether the application server accepts logon tickets, call transaction SSO2 and execute it without any parameters.

If the check fails, the following profile parameters must be set:

Parameters

  Parameter                  Value   Note
  login/accept_sso2_ticket   1       Allows the server to accept an existing logon ticket.

  5.  Import the Java certificate into AS ABAP.

  a.  Log on to the Integration Server (for example with client 100) and call transaction STRUSTSSO2.

  b.  In the Certificate frame, choose Import Certificate and select the previously exported Java SAPLogonTicketKeypair-cert. Use the binary format for an X.509 export and the Base64 format for a Base64 Encoded export.

  c.  Choose Add to Certificate List and Add to ACL. While adding the certificate to the access control list (ACL), specify the system ID (which is the certificate’s common name, that is, the value for CN=) and the client (the client specified as login.ticket_client in the UME Provider service, 001 in this example).

  6.  Switch to fully qualified host names.

To ensure that single sign-on works properly, all services must be called with the fully qualified host name. Proceed as follows:

  a.  On AS ABAP, change the profile parameter icm/server_port_<n> to reflect the fully qualified host name in the HOST section.

  b.  Change the host name to a fully qualified one for the following parameters in the exchange profile:

  com.sap.aii.rwb.server.centralmonitoring.r3.ashost (under Runtime Workbench)

  com.sap.aii.connect.repository.name (under Connections)

  com.sap.aii.connect.rwb.name (under Connections)

  c.  Use the SAP NetWeaver Administrator and choose Configuration Management → Infrastructure → Java System Properties → Details → Services to change the host name and port numbers to fully qualified ones for the following properties of the service XPI Service: CPA Cache:

  SLD.selfregistration.httpPort

  SLD.selfregistration.httpsPort

  SLD.selfregistration.hostName

  d.  Restart the XPI service.

Enable Single Sign-On to a Remote AS Java

If components are distributed across various SAP Application Servers, for example, if the SLD runs on an AS Java other than the one used by PI, single sign-on can also be configured from the AS Java of PI to the AS Java of the SLD.

In this case, the public-key certificate (SAPLogonTicketKeypair-cert) from the ticket-issuing AS Java must be uploaded to the keystore of the accepting AS Java. The DN of the certificate and of the issuer must be entered in the login module.

In the procedure described below, the ticket issuer is the AS Java of the PI system, and the AS Java of the SLD has to accept the ticket.

  1.  Start the SAP NetWeaver Administrator on your SLD system and perform the following steps to upload the certificate:

  a.  Choose Configuration Management → Security → Trusted Systems → Single Sign-On with SAP Logon Tickets.

  b.  Choose Edit → Add Trusted System and select the ticket-issuing PI system as follows:

  i.  Select the landscape type All Technical Systems and choose Go.

  ii.  Select the ticket-issuing Java system from the displayed list of systems and choose OK.

  c.  Provide the Username and Password to use for the connection to the selected system.

The remaining Connection Properties for the selected system are automatically displayed.

  d.  Choose Next and upload the X.509 certificate for the ticket-issuing system.

Note

You only have to perform this step if the AS Java cannot retrieve the certificate for the ticket-issuing system from the SLD.

  e.  Review the configuration details for the ticket-issuing system and choose Next.

  f.  Choose Close to complete the wizard.

  2.  Perform the following steps to check whether the public-key certificate has been uploaded:

  a.  Choose Configuration Management → Security → Certificates and Keys.

  b.  Check whether the public-key certificate of the ticket-issuing system has been added to the keystore view.

  3.  Perform the following steps to check the policy configuration:

  a.  Choose Configuration Management → Security → Authentication → Components.

  b.  In the list of component policy configurations, select the component sap.com/com.sap.lcr*sld.

  c.  On the Authentication Stack tab page, select the login module EvaluateTicketLoginModule.

  d.  Check whether the following login module options exist:

  trustediss<n>: Issuer DN of the login ticket certificate uploaded above.

  trusteddn<n>: Subject DN of the login ticket certificate.

  trustedsys<n>: System ID <SID> of the Integration Server and client <client> specified as login.ticket_client in the UME Provider service com.sap.security.core.ume.service.
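The trust check that these login module options configure, shown as an added example in Python (this is not SAP code and not the actual implementation of EvaluateTicketLoginModule): a small model that groups the trustediss<n>, trusteddn<n> and trustedsys<n> options by index, normalizes DNs before comparing them, and accepts a ticket only when system ID, client, subject DN and issuer DN all match one configured entry. The option names come from this page; the "<SID>,<client>" value format assumed for trustedsys<n>, the component-wise DN comparison, the Ticket structure and all sample DN values are assumptions of the model.

```python
"""Model of how an accepting AS Java could evaluate a logon ticket against
the EvaluateTicketLoginModule options trustediss<n>/trusteddn<n>/trustedsys<n>.
Added example, not SAP code: the option names come from the page; the
"<SID>,<client>" value format, the DN normalization and all sample values
are assumptions of this model."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustedIssuer:
    issuer_dn: str   # trustediss<n>
    subject_dn: str  # trusteddn<n>
    sid: str         # first half of trustedsys<n> (assumed format)
    client: str      # second half of trustedsys<n> (assumed format)


@dataclass(frozen=True)
class Ticket:
    # What the accepting side learns from a presented ticket (assumed model):
    # the issuing system and client, plus the DNs of the signing certificate.
    sid: str
    client: str
    cert_subject_dn: str
    cert_issuer_dn: str


def normalize_dn(dn: str) -> tuple:
    """Split a DN into (TYPE, value) pairs so that spacing and attribute-type
    case differences do not defeat the comparison. Commas escaped with a
    backslash (RFC 4514) stay inside the value."""
    components = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        attr_type, value = part.split("=", 1)
        components.append((attr_type.strip().upper(), value.strip()))
    return tuple(components)


def load_trusted_issuers(options: dict) -> list:
    """Group trustediss<n>, trusteddn<n> and trustedsys<n> by index n.
    An index that lacks any one of the three is treated as a misconfiguration
    rather than silently trusting a partial entry."""
    by_index = {}
    for key, value in options.items():
        match = re.fullmatch(r"(trustediss|trusteddn|trustedsys)(\d+)", key)
        if match:
            by_index.setdefault(int(match.group(2)), {})[match.group(1)] = value
    issuers = []
    for n in sorted(by_index):
        entry = by_index[n]
        missing = {"trustediss", "trusteddn", "trustedsys"} - set(entry)
        if missing:
            raise ValueError(f"trusted system {n} is missing {sorted(missing)}")
        # Assumed "<SID>,<client>" format for trustedsys<n>.
        sid, client = (s.strip() for s in entry["trustedsys"].split(",", 1))
        issuers.append(TrustedIssuer(entry["trustediss"], entry["trusteddn"], sid, client))
    return issuers


def is_trusted(ticket: Ticket, issuers: list) -> bool:
    """Accept only if system ID, client, subject DN and issuer DN all match a
    single configured entry; a partial match is not trust."""
    for trusted in issuers:
        if (trusted.sid == ticket.sid
                and trusted.client == ticket.client
                and normalize_dn(trusted.subject_dn) == normalize_dn(ticket.cert_subject_dn)
                and normalize_dn(trusted.issuer_dn) == normalize_dn(ticket.cert_issuer_dn)):
            return True
    return False


# Constructed sample options for a ticket-issuing PI system with SID "PI1"
# whose login.ticket_client is 001 (the value chosen on this page).
DN_PI1 = "CN=PI1,OU=J2EE,O=SAP Trust Community,C=DE"  # constructed; self-signed, so issuer == subject
SAMPLE_OPTIONS = {
    "trustediss1": DN_PI1,
    "trusteddn1": DN_PI1,
    "trustedsys1": "PI1,001",
    "ume.configuration.active": "true",  # unrelated option, must be ignored
}


def demo() -> tuple:
    issuers = load_trusted_issuers(SAMPLE_OPTIONS)
    # Same DN written with different spacing and case: still accepted.
    java_ticket = Ticket("PI1", "001", "cn=PI1, ou=J2EE, o=SAP Trust Community, c=DE", DN_PI1)
    # Same system and certificate but the ABAP client 100: the Java entry does
    # not match, which is why login.ticket_client must differ from the ABAP client.
    wrong_client = Ticket("PI1", "100", DN_PI1, DN_PI1)
    # A certificate with a subject DN that is not in the trusted list.
    other_cert = Ticket("PI1", "001", "CN=OTHER,O=Example", "CN=OTHER,O=Example")
    return is_trusted(java_ticket, issuers), is_trusted(wrong_client, issuers), is_trusted(other_cert, issuers)


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The model deliberately rejects an entry that has only two of the three option values and rejects a ticket that matches on DN but carries a different client, which mirrors the reason this page has you pick a login.ticket_client that AS ABAP does not use: the (system ID, client) pair is what distinguishes the Java issuer from the ABAP system in the trusted-system list.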

More information: Configuring the AS Java to Accept Logon Tickets.