
Configuring SAP Systems to Accept and Verify Logon Tickets

Use

The portal server digitally signs logon tickets as it issues them to portal users. SAP Systems need to accept these tickets and verify the portal server's digital signature. For an SAP System to be able to accept and verify logon tickets, the following two points are essential:

· The SAP System should only accept logon tickets issued by its designated portal server. Therefore, the identity of the portal server needs to be entered in the SAP System's Single Sign-On (SSO) access control list (ACL).

· The SAP System needs to be able to verify the portal server's digital signature. The portal server has a self-signed certificate, therefore the SAP System needs access to the portal server's public-key information, which needs to be entered in the SAP System's certificate list.

Prerequisites

The SAP System has Release 4.0B or higher. Logon tickets are not supported in releases lower than 4.0B.

     For SAP Systems with Release less than 6.20, the portal plug-in that corresponds to the portal release must be installed in the SAP System. SAP Systems based on SAP NetWeaver Application Server (AS) 6.20 or higher do not require the plug-in.

     The required kernel patches have been applied to SAP systems prior to Release 4.6C. For more information, see the section on implementing new kernels for the AS in SAP Note 177895. Note that after applying the kernel patches, you may need to patch the operating system of the SAP system so that the new kernel works.

Users must have the same user IDs in all SAP Systems that are accessed with SSO using logon tickets. If the SAP user IDs are different from the portal user IDs, you must define an SAP reference system. See Defining an SAP Reference System for User Data.

The SAP Security Library is installed on all of the system's application servers. As a best practice, we recommend installing the most recent version of the library, which is available on the SAP Service Marketplace in the software distribution center at service.sap.com/swdc under Download → Support Packages and Patches → Entry by Application Group. Select SAP Technology Components and then SAPSECULIB.

     You have configured the portal server for SSO with logon tickets. See Configuring Portal Server for SSO with Logon Tickets.

Procedure

Note

In SAP systems with Release 4.6C or higher you can use transaction STRUSTSSO2 to complete the first two steps of the following procedure. This is described in Using Transaction STRUSTSSO2 in SAP System >= 4.6C.

Add Portal Server to ACL of component system

The portal server is identified by system ID, client, and the name in its certificate. You must enter these details in the access control list of the component system as follows.

1. In the component system, maintain table TWPSSO2ACL with transaction SM30.

2. Create a new entry for the portal server by choosing New entries.

3. Enter the portal's system ID and client. By default, the portal's system ID is the common name (CN) of the Distinguished Name entered during installation of the portal. The default client is 000.

If you are using an Add-In installation, you must change the client to a value other than 000. For more information, see Specifying the J2EE Engine Client to Use for Logon Tickets.

4. Enter the following values for Subject name, Issuer name, and Serial number.

Field          Value

Subject name   Distinguished name (DN) of the owner of the portal server certificate. This is the DN that was entered during installation of the portal.
               For example: CN=EP6, OU=Portal Installation, OU=Enterprise Portal, O=SAP Trust Community, C=DE

Issuer name    Distinguished name of the issuer of the portal server certificate. If the portal is using a self-signed certificate, this is the same as the subject name above.

Serial number  00

Recommendation

You can look up the subject name, issuer name, and serial number of the portal server certificate in the Keystore Administration tool.

5. Save your entries.
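The ACL entry above only protects the system if every field is compared against the signer of an incoming ticket, and a DN that is typed with different spacing or attribute-type case still has to match. The following Python script is an added example, not SAP's own code or a reproduction of the kernel's check: it models the TWPSSO2ACL lookup as a deny-by-default match over system ID, client, subject DN, issuer DN and serial number, with DN and serial normalisation. The ACL rows and the ticket values are constructed for the illustration; the DN is the example DN from the table above.

```python
# Added example (not SAP's own code). Models the ACL check an SAP system
# performs on the issuer of a logon ticket against table TWPSSO2ACL:
# the ticket is accepted only if system ID, client, subject DN, issuer DN
# and serial number all match one entry. ACL rows and tickets below are
# constructed for the illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class SsoIssuer:
    """Identity of a ticket signer: the same five fields an ACL row holds."""
    system_id: str
    client: str
    subject: str   # DN of the certificate owner
    issuer: str    # DN of the certificate issuer (same as subject if self-signed)
    serial: str    # certificate serial number as a hex string


def normalize_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Split a DN into (TYPE, value) pairs with trimmed whitespace and
    upper-cased attribute types, so 'cn=EP6,ou=x' equals 'CN=EP6, OU=x'.
    Values are compared exactly (conservative: no case folding)."""
    parts = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parts.append((attr.strip().upper(), value.strip()))
    return tuple(parts)


def normalize_serial(serial: str) -> str:
    """Serial numbers are hex; drop leading zeros so '00' and '0' agree."""
    s = serial.strip().lower().lstrip("0")
    return s or "0"


def acl_allows(ticket: SsoIssuer, acl: Iterable[SsoIssuer]) -> bool:
    """Deny by default: True only when one ACL row matches every field."""
    t_subject, t_issuer = normalize_dn(ticket.subject), normalize_dn(ticket.issuer)
    t_serial = normalize_serial(ticket.serial)
    for row in acl:
        if (row.system_id.upper() == ticket.system_id.upper()
                and row.client == ticket.client
                and normalize_dn(row.subject) == t_subject
                and normalize_dn(row.issuer) == t_issuer
                and normalize_serial(row.serial) == t_serial):
            return True
    return False


# Constructed ACL: one portal, client 000, self-signed certificate (DN from the table).
PORTAL_DN = "CN=EP6, OU=Portal Installation, OU=Enterprise Portal, O=SAP Trust Community, C=DE"
PORTAL_ACL = [SsoIssuer("EP6", "000", PORTAL_DN, PORTAL_DN, "00")]


def demo() -> Dict[str, bool]:
    """Evaluate constructed tickets against the ACL; returns case name -> accepted."""
    compact_dn = PORTAL_DN.replace(", ", ",")
    other_dn = PORTAL_DN.replace("EP6", "EP7")
    cases = {
        "designated portal, different DN spacing": SsoIssuer("EP6", "000", compact_dn, compact_dn, "0"),
        "same portal, wrong client": SsoIssuer("EP6", "001", PORTAL_DN, PORTAL_DN, "00"),
        "other server reusing the system ID": SsoIssuer("EP6", "000", other_dn, other_dn, "00"),
        "unknown system": SsoIssuer("XYZ", "000", PORTAL_DN, PORTAL_DN, "00"),
    }
    return {name: acl_allows(t, PORTAL_ACL) for name, t in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}: {name}")
```

Only the first case is accepted; a ticket from a server that reuses the system ID but presents a different certificate subject, or one from the right portal but a different client, is rejected because the ACL row must match in full.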

Import public-key certificate of Portal Server to component system's certificate list

This procedure is release-specific.

· If the SAP component system is based on Release 4.6C or higher, follow the procedure detailed in Importing Portal Certificate into SAP System >= 4.6C.

· If the SAP component system is based on Release 4.0B to 4.6B, follow the procedure detailed in Importing Portal Certificate into SAP System < 4.6C.

Set profile parameters

On all of the component system's application servers:

1. Set the profile parameter login/accept_sso2_ticket to the value 1 in every instance profile.

2. If the application server should also be able to create logon tickets, set the profile parameter login/create_sso2_ticket to the value 1 or 2 in every instance profile. For more information about which value to use, see Configuring the System for Issuing Logon Tickets.

Note

See SAP Note 557350 to obtain a correction for Releases 6.10 and 6.20.

See SAP Note 612670 for information about additional configuration steps if you are using applications that use the SAP GUI HTML control.

3. For Releases 4.0 and 4.5, also set the profile parameter SAPSECULIB to the location (path and file name) of the SAP Security Library.
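Because the parameters must be set in every instance profile, a quick audit of each profile against the three steps above catches a server that was missed. The following Python script is an added example, not SAP's own code or tool: it parses the profile's name = value lines (ignoring # comments, the only syntax it assumes), and reports which of login/accept_sso2_ticket, login/create_sso2_ticket and SAPSECULIB are missing or wrong for a given release. The two profile excerpts, the system name C11 and the library path are constructed for the illustration.

```python
# Added example (not SAP's own code). Parses an instance profile and checks
# the logon-ticket parameters this procedure sets. SAP profiles are
# 'name = value' lines with '#' comments; that is the only syntax assumed.
# The profile texts, system name and library path below are constructed.
from typing import Dict, List, Tuple


def parse_profile(text: str) -> Dict[str, str]:
    """Return parameter -> value; comments are ignored, last assignment wins."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def release_tuple(release: str) -> Tuple[int, ...]:
    """'4.6C' -> (4, 6); '6.20' -> (6, 20). Trailing patch letters are ignored."""
    return tuple(int(p) for p in release.strip().rstrip("ABCDEF").split("."))


def audit_profile(params: Dict[str, str], release: str,
                  issues_tickets: bool = False) -> List[str]:
    """List missing or wrong settings; an empty list means the profile passes."""
    findings: List[str] = []
    accept = params.get("login/accept_sso2_ticket")
    if accept != "1":
        findings.append(f"login/accept_sso2_ticket must be 1 (found {accept!r})")
    if issues_tickets:
        create = params.get("login/create_sso2_ticket")
        if create not in ("1", "2"):
            findings.append(f"login/create_sso2_ticket must be 1 or 2 (found {create!r})")
    # Step 3 of the procedure applies to Releases 4.0 and 4.5 only.
    if release_tuple(release)[:2] in {(4, 0), (4, 5)} and not params.get("SAPSECULIB"):
        findings.append("SAPSECULIB must give the path and file name of the SAP Security Library")
    return findings


# Constructed profile excerpts: one that still rejects tickets, one corrected.
PROFILE_DEFAULT = """\
# instance profile excerpt (constructed)
SAPSYSTEMNAME = C11
login/accept_sso2_ticket = 0
"""

PROFILE_FIXED = """\
# instance profile excerpt (constructed)
SAPSYSTEMNAME = C11
login/accept_sso2_ticket = 1    # accept tickets from the portal in the ACL
login/create_sso2_ticket = 2    # this instance also issues tickets
SAPSECULIB = /usr/sap/C11/SYS/exe/run/libsapsecu.so    # constructed path; 4.0/4.5 only
"""


if __name__ == "__main__":
    for label, text, rel in (("default, 6.20", PROFILE_DEFAULT, "6.20"),
                             ("default, 4.5B", PROFILE_DEFAULT, "4.5B"),
                             ("fixed, 4.5B", PROFILE_FIXED, "4.5B")):
        findings = audit_profile(parse_profile(text), rel, issues_tickets=True)
        print(label, "->", findings or "OK")
```

Run it against each application server's instance profile with the system's release; a non-empty list names exactly which of the three parameters still needs attention on that server.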

Result

The SAP component systems are able to accept logon tickets and verify the portal server's digital signature when they receive a logon ticket from a user.
