Configuring Single Sign-On (SSO) Between SAP EP 6.0 and the SAP NetWeaver 7.x Portal

Use

The logon method SAPLOGONTICKET ensures that no logon prompt appears when an SAP NetWeaver 7.x iView is called in an SAP NetWeaver 2004 portal (SAP EP 6.0). The administrator or the actual user are not required to maintain users and passwords for each user manually.

If you selected SAPLOGONTICKET as the logon method, proceed as follows:

Procedure

You configure Single Sign-On (SSO) in two steps:

Export the portal certificate from the J2EE Engine of the SAP NetWeaver 7.x portal.
Import the portal certificate to the SAP NetWeaver 2004 portal (SAP EP 6.0) and add it to the Access Control List (ACL).

Exporting the Portal Certificate from the SAP NetWeaver 7.x Portal

Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.bat.
Connect to the portal server.
Choose <SID> → Server<#> → Services → Key → Storage.
iViews: Select the view TicketKeystore.
Entries: Select SAPLogonTicketKeypair-cert.
Note

If SAPLogonTicketKeypair-cert does not exist, you need to create a portal certificate manually.
1. Entry: Choose Create. Enter the following values in Key and Certificate Generation:
  - Subject Properties: Every key must have a value under Value. The value CN=Common Name is the first value that is displayed. This is the certificate name. The recommendation of <SID> from the portal server also applies.
  - Entry Name: SAPLogonTicketKeypair (the system generates the entry SAPLogonTicketKeypair-cert).
  - Store Certificate: X
  - Algorithm: DSA
2. To generate the certificate, choose Generate.
3. Entries: Select SAPLogonTicketKeypair-cert.
Entry: Choose Export.
Export the portal certificate as <PORTAL_SID>_certificate.crt in the file format X.509 Certificate (*.crt).

Importing the Portal Certificate to the SAP NetWeaver 2004 Portal (SAP EP 6.0)

Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.bat.
Connect to the portal server.
Choose <SID> → Server<#> → Services → Key → Storage.
iViews: Select the view TicketKeystore.
Entry: Choose Load.
Open the file <PORTAL_SID>_certificate.crt.

In the Service Security Provider, under Ticket, perform the following steps to ensure that the SAP J2EE Engine accepts SAP logon tickets from the SAP NetWeaver 7.x portal as an external system.

Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.
Connect to the portal server.
Choose <SID> → Server<#> → Services → Security → Provider.
Components: Choose Ticket.
Choose the Authentication tab page.
Add the following values for com.sap.security.core.server.jaas.EvaluateTicketLoginModule:
- trustedsys<Number>=<PORTAL_SID>, <PORTAL_CLIENT> (for example, J2E, 000)
- trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example, CN= J2E)
- trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example, CN=J2E)
  
  Note
  
  <Number> is an identical number for all three entries, but must be incremented by one for each external system.
  
  <PORTAL_SID> and <PORTAL_CLIENT> are the system ID and client of the SAP NetWeaver 7.x portal. The client is the value of the parameter login.ticket_client. The default value is 000.
  
  <ISSUER_DISTINGUISHED_NAME> and <SUBJECT_DISTINGUISHED_NAME> are the values of [issuerDN] and [DN] of certificate SAPLogonTicketKeypair-cert (see above).

You also have to add these values under evaluate_assertion_ticket:

Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.
Connect to the portal server.
Choose <SID> → Server<#> → Services → Security → Provider.
Components: Select evaluate_assertion_ticket.
Choose the Authentication tab page.
Add the following values for com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule:
- trustedsys<Number>=<PORTAL_SID>, <PORTAL_CLIENT> (for example, J2E, 000)
- trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example, CN= J2E)
- trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example, CN=J2E)
The values are the same as the above values under Ticket.