Accepting Logon Tickets Issued by Another AS ABAP
Use
Use this procedure to configure the AS ABAP to accept a logon ticket issued by another AS ABAP system in your landscape.
Prerequisites
- The issuing server must possess a public and private key pair and a public-key certificate. For the AS ABAP, this information must be available in the issuing server's SSO PSE.
- If the accepting system is an SAP system <= Release 4.6D, then the system must have the Workplace Plug-In installed and must meet the following release requirements:
  - Release 4.6x: 4.6D kernel as of Support Package level 74
  - Release 4.5x: 4.5B kernel as of Support Package level 459
  - Release 4.0x: 4.0B kernel as of Support Package level 758
- The SAP Cryptographic Library must be installed on all of the accepting system's application servers. For more information, see SAP Note 1848999. For releases that are not covered by SAP Note 1848999, you can obtain the most recent version of the SAP Security Library from SAP Service Marketplace in the SAP Support Portal.
Procedure
Configure the required parameters on all the logon ticket accepting AS ABAP systems.
- Set the profile parameter login/accept_sso2_ticket = 1.
- For Releases 4.0 and 4.5, also set the profile parameter SAPSECULIB to the location (path and file name) of the SAP Cryptographic Library.
For each of the accepting AS ABAP systems:
- Execute the SSO administration wizard (transaction SSO2).
  The SSO2 Administration screen appears.
- Enter the RFC destination or the <host name> and <system number> for the issuing server in the appropriate fields.
  The SSO administration report for the designated server is displayed. The following information is shown:
  - Profile parameter values on both the issuing server and on the accepting system's application server.
  - The accepting system's SSO access control list.
  - The accepting system's certificate list.
  Red traffic lights in any of these areas indicate configurations that are not operational for using logon tickets.
- If the report indicates errors on the issuing server (for example, profile parameters are not set correctly), correct these errors on the issuing server and re-execute the SSO administration wizard on the accepting system.
- To initiate the configuration steps on the accepting system, choose ().
  The following occurs:
  - The SSO administration wizard enters the issuing server's system ID and client in the accepting system's access control list.
  - If the issuing server's public-key certificate is a self-signed certificate, then the SSO administration wizard enters the public-key information contained in the certificate in the accepting system's certificate list.
  - The SSO administration wizard makes the SSO PSE available to the accepting system's application servers:
    - In Releases >= 4.6C, the SSO administration wizard distributes the SSO PSE to all of the system's application servers.
    - In Releases < 4.6C, it stores the SSO PSE in the directory specified by the profile parameter DIR_PROFILE.
  All changes take place immediately and you do not have to explicitly save any data.
- If any of the areas indicate errors, correct these errors and re-execute the SSO administration wizard.
Result
The accepting systems are able to accept logon tickets and verify the issuing server's digital signature when they receive a logon ticket from a user.
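The following is an added example, not part of the SAP documentation: a small offline check of an accepting system's profile file against the two parameters set at the start of the procedure. It assumes profile entries are `name = value` lines with `#` comment lines; the function names, sample profiles and library path are constructed for illustration. A parameter missing from the file may still have a kernel default, so the SSO2 report remains the authoritative view.

```python
import re

# Assumption: profile entries are "name = value" lines; "#" starts a comment line.
_ENTRY = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value}; a later entry replaces an earlier one (assumption)."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and commented-out entries
        match = _ENTRY.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def check_accepting_profile(text, release):
    """List deviations from the procedure's settings for one accepting system."""
    params = parse_profile(text)
    findings = []
    value = params.get("login/accept_sso2_ticket")
    if value is None:
        findings.append("login/accept_sso2_ticket is not set in this profile")
    elif value != "1":
        findings.append(f"login/accept_sso2_ticket = {value}, expected 1")
    # The procedure requires SAPSECULIB only for Releases 4.0 and 4.5.
    if release.startswith(("4.0", "4.5")) and not params.get("SAPSECULIB"):
        findings.append("SAPSECULIB is not set (required for Releases 4.0 and 4.5)")
    return findings


# Constructed sample profiles, not taken from a real system.
SAMPLE_OK = """\
# accepting system, Release 4.5B
login/accept_sso2_ticket= 1
SAPSECULIB = /usr/sap/EXAMPLE/libsapsecu.so
"""
SAMPLE_BAD = """\
#login/accept_sso2_ticket = 1
login/accept_sso2_ticket = 0
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_accepting_profile(text, "4.5B") or "no findings")
```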

