Configuring Component Systems to Accept Portal Logon Tickets

Use

The portal server digitally signs logon tickets as it issues them to the portal users. Systems that accept logon tickets need to verify the portal server's digital signature. The following information is important to enable SAP NetWeaver Application Server (AS) ABAP systems to accept and verify portal-issued logon tickets:

  • The AS ABAP should only accept logon tickets issued from known portal servers.

    The identity of the portal server must be in the AS ABAP's Single Sign-On (SSO) access control list (ACL).

  • The AS ABAP must be able to verify the portal server's digital signature.

    Because the portal server has a self-signed certificate, the AS ABAP needs access to the portal server's public-key information, which must be in the AS ABAP's certificate list.

Prerequisites

  • The AS ABAP has release 4.0B or higher.

    Logon tickets are not supported in releases lower than 4.0B.

  • For AS ABAP with release less than 6.20, the portal plug-in that corresponds to the portal release must be installed in the AS ABAP.

    AS ABAP systems based on SAP NetWeaver Application Server 6.20 or higher do not require the plug-in.

  • The required kernel patches have been applied to AS ABAP systems with a release earlier than 4.6C. For more information, see the section on implementing new kernels for the AS in SAP Note 177895. Note that after applying the kernel patches, you may need to patch the operating system of the AS ABAP so that the new kernel works.
  • Users must have the same user IDs in all systems that are accessed with SSO with logon tickets.

    If the ABAP user IDs are different from the portal user IDs, configure user mapping.

    More information: Configuring User Mapping with Tickets for SSO

  • The SAP Security Library is installed on all of the system's application servers.
  • You have configured the portal server for SSO with logon tickets.

    More information: Configuring the Portal for SSO with Logon Tickets

Procedure

Add Portal Server to ACL of a component AS ABAP

The portal server is identified by system ID, client, and the name in the certificate. You must enter these details in the access control list of the component system as follows.

  1. On the AS ABAP, maintain table TWPSSO2ACL with transaction SM30.
  2. Create a new entry for the portal server by choosing New entries.
  3. Enter the portal's system ID and client.

    By default, the portal's system ID is the common name (CN) of the Distinguished Name entered during installation of the portal. The default client is 000.

    If you are using an Add-In installation, you must change the client to a value other than 000.

    More information: Specifying the AS Java Client to Use for Logon Tickets

  4. Enter the following values for Subject name, Issuer name, and Serial number:

    Subject name: Distinguished name (DN) of the owner of the portal server certificate. This is the DN that was entered during installation of the portal.

    For example: CN=EP6, OU=Portal Installation, OU=Enterprise Portal, O=SAP Trust Community, C=DE

    Issuer name: Distinguished name of the issuer of the portal server certificate. If the portal is using a self-signed certificate, this is the same as the subject name.

    Serial number: 00

  5. Save your entries.

Import public-key certificate of Portal Server to component AS ABAP's certificate list

This procedure is release-specific.

If the AS ABAP component system is Release 4.6C or higher, see Importing Portal Certificate into AS ABAP >= 4.6C.

If the SAP component system is based on Release 4.0B to 4.6B, see Importing Portal Certificate into AS ABAP < 4.6C.

Set profile parameters

On all of the component system's application servers:

  1. Set the profile parameter login/accept_sso2_ticket to the value 1 in every instance profile.
  2. If the application server should also be able to create logon tickets, set the profile parameter login/create_sso2_ticket to the value 1 or 2 in every instance profile. For more information about which value to use, see Configuring the System for Issuing Logon Tickets.
  3. For Releases 4.0 and 4.5, also set the profile parameter SAPSECULIB to the location (path and file name) of the SAP Security Library.
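The following Python script is an added example, not SAP code or part of this documentation. It turns the two configuration steps above (the TWPSSO2ACL entry for the portal server and the instance profile parameters) into a self-check an administrator can run against the values they intend to enter. The DN normalisation, the profile line syntax (name = value, with # starting a comment) and all sample values are assumptions constructed for the example; the example DN is the one quoted in the ACL step.

```python
"""Added example (not SAP's code): self-check for the SSO ACL entry and the
instance profile parameters described on this page.
Assumptions: DNs are compared after trimming whitespace around each RDN, and
profile lines have the form `name = value` with `#` starting a comment."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One row of TWPSSO2ACL as maintained with SM30."""
    sid: str      # portal system ID (by default the CN of the portal's DN)
    client: str   # portal client (000 by default)
    subject: str  # DN of the owner of the portal server certificate
    issuer: str   # DN of the issuer of the portal server certificate
    serial: str   # certificate serial number


def normalize_dn(dn: str) -> str:
    """Trim spaces around each RDN and rejoin with ', ' (assumed comparison form)."""
    return ", ".join(part.strip() for part in dn.split(","))


def check_acl_entry(entry: AclEntry, add_in_installation: bool) -> list[str]:
    """Return the problems found in an ACL entry (empty list means it is consistent
    with the rules on this page: sid defaults to the subject CN, a self-signed
    certificate has issuer == subject and serial 00, and an Add-In installation
    must not use client 000)."""
    problems: list[str] = []
    subject, issuer = normalize_dn(entry.subject), normalize_dn(entry.issuer)
    cn = next((rdn[3:] for rdn in subject.split(", ") if rdn.startswith("CN=")), None)
    if cn is None:
        problems.append("subject DN has no CN component")
    elif entry.sid != cn:
        problems.append(f"system ID {entry.sid!r} differs from the subject CN {cn!r} (the default)")
    self_signed = issuer == subject
    if self_signed and entry.serial != "00":
        problems.append(f"serial {entry.serial!r} but a self-signed portal certificate uses 00")
    if add_in_installation and entry.client == "000":
        problems.append("Add-In installation must use a client other than 000")
    return problems


def parse_profile(text: str) -> dict[str, str]:
    """Parse an instance profile fragment into a name -> value mapping."""
    params: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line or "=" not in line:
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        params[name] = value
    return params


def check_profile(params: dict[str, str], release: str, must_issue: bool = False) -> list[str]:
    """Check the profile parameters required to accept (and optionally issue) tickets."""
    problems: list[str] = []
    if params.get("login/accept_sso2_ticket") != "1":
        problems.append("login/accept_sso2_ticket must be set to 1")
    if must_issue and params.get("login/create_sso2_ticket") not in ("1", "2"):
        problems.append("login/create_sso2_ticket must be 1 or 2 on a server that issues tickets")
    if release.startswith(("4.0", "4.5")) and not params.get("SAPSECULIB"):
        problems.append("SAPSECULIB must point to the SAP Security Library on Releases 4.0 and 4.5")
    return problems


# Constructed sample values (not from a real system).
PORTAL_DN = "CN=EP6, OU=Portal Installation, OU=Enterprise Portal, O=SAP Trust Community, C=DE"
PORTAL_ENTRY = AclEntry(sid="EP6", client="000", subject=PORTAL_DN, issuer=PORTAL_DN, serial="00")
SAMPLE_PROFILE = """\
# constructed instance profile fragment
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2   # this server also issues tickets
"""

if __name__ == "__main__":
    print("ACL entry (standalone portal):", check_acl_entry(PORTAL_ENTRY, add_in_installation=False))
    print("ACL entry (Add-In, client 000):", check_acl_entry(PORTAL_ENTRY, add_in_installation=True))
    print("Profile (7.0, issuing):", check_profile(parse_profile(SAMPLE_PROFILE), "7.0", must_issue=True))
    print("Profile (4.5B, empty):", check_profile({}, "4.5B"))
```

Run it before transporting the entries: an empty list for both checks means the ACL row and the profile match the requirements listed above, and each string returned names the step that still needs attention.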

Result

The AS ABAP component systems are able to accept logon tickets and verify the portal server's digital signature when they receive a logon ticket from a user.