Configuring UME Policies and Authentication Templates

Use

You must first configure the policy configurations of the security provider in the Application Server Java (AS Java) before you can begin configuring Single Sign-On for the CAF repository manager. You do this to restrict and manage access to resources deployed on the AS Java.

Procedure

Configuring the SAP NetWeaver Portal UME Policy for SAP NetWeaver 7.0

  1. Log on to Visual Administrator.

  2. Choose Global Configuration → Security Provider → Runtime → Policy Configuration.

  3. Open the Security Roles tab page of each of the following policy configurations:

    1. Add your guest group Guests to the view-creator security role of policy configuration keystore-view.TicketKeystore.

    2. Add the group Everyone to the view-creator security role of policy configuration keystore-view.securestorage.

    3. Add the Guests group to the KeystoreViewsCreator security role of policy configuration of the J2EE Engine.

Configuring the SAP NetWeaver Portal Authentication Template

  1. Choose Server Node → Services → Security Provider.

  2. Open the Runtime tab page and then the Policy Configuration tab page.

    Note

    Make sure the ticket template has the following login modules:

    Login Modules                 Flag
    EvaluateTicketLoginModule     SUFFICIENT
    BasicPasswordLoginModule      REQUISITE
    CreateTicketLoginModule       OPTIONAL

    1. Modify the EvaluateTicketLoginModule and CreateTicketLoginModule options with the following properties:

      • trustedsys : < a unique name issued by the user >, 000

        For example: EP6,000

      • trustediss : < a unique name issued by the user >

        For example: CN=EP6, OU=EPTeam, O=SAP Trust Community, C=DE

      • trusteddn: < a unique name issued by the user >

        For example: CN=EP6, OU=EPTeam, O=SAP Trust Community, C=DE

        You can find the values for the trusteddn and trustediss properties in the "DN of owner" and "DN of issuer" fields of the portal certificate. If you have to set up SSO authentication with more than one portal, add the property for each portal, with a suffix at the end of the property name.

        For example, trustedsys1 or trustedsys2.

    2. For the components

      • sap.com/caf~km.ep.kmnodesvc*KMBaseServiceStdrWS_Config1

      • sap.com/caf~km.ep.kmnodesvc*KMNodeServiceSnrdWS_Config1

      • sap.com/caf~km.ep.kmnodesvc*KMRelationServiceStdrWS_Config1

      configure the following login modules:

      Login Modules                         Flag
      EvaluateAssertionTicketLoginModule    SUFFICIENT
      EvaluateTicketLoginModule             SUFFICIENT
      BasicPasswordLoginModule              SUFFICIENT
      CreateTicketLoginModule               SUFFICIENT

      All except BasicPasswordLoginModule must have the following options set:

      • trustedsys : < a unique name issued by the user >, 000

        For example: C42,000

      • trustediss : < a unique name issued by the user >

        For example: OU-J2EE,CN=C42

      • trusteddn: < a unique name issued by the user >

        For example: OU-J2EE,CN=C42

      • ume.configuration.active : true
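An added example, not part of the SAP documentation: a Python check that compares a login module stack for the caf~km.ep.kmnodesvc components with the step 2 table and options above, including the suffixed properties used for additional portals. The `audit` function, the dictionary layout of `stack` and the shape test for trustedsys are assumptions; the sample is constructed from the page's example values.

```python
import re

# Every module in the page's step 2 table carries the flag SUFFICIENT.
EXPECTED = dict.fromkeys(
    ["EvaluateAssertionTicketLoginModule", "EvaluateTicketLoginModule",
     "BasicPasswordLoginModule", "CreateTicketLoginModule"], "SUFFICIENT")
TRUSTED = re.compile(r"(trustedsys|trustediss|trusteddn)(\d*)")
# Assumed shape, taken from the page's examples (EP6,000): "<name>,<3-digit client>".
SYS_SHAPE = re.compile(r"[^,\s]+,\s*\d{3}")

def audit(stack):
    """stack: {module: (flag, options)}, an assumed layout. Returns findings."""
    findings = []
    for module, want in EXPECTED.items():
        if module not in stack:
            findings.append(f"{module}: missing from stack")
            continue
        flag, opts = stack[module]
        if flag != want:
            findings.append(f"{module}: flag {flag}, expected {want}")
        if module == "BasicPasswordLoginModule":
            continue  # the page exempts this module from the options below
        groups = {}  # suffix ("", "1", "2", ...) -> {property: value}
        for key, value in opts.items():
            m = TRUSTED.fullmatch(key)
            if m:
                groups.setdefault(m.group(2), {})[m.group(1)] = value.strip()
        if not groups:
            findings.append(f"{module}: no trusted system configured")
        for suffix, props in sorted(groups.items()):
            for name in ("trustedsys", "trustediss", "trusteddn"):
                if not props.get(name):
                    findings.append(f"{module}: {name}{suffix} missing")
            sysval = props.get("trustedsys", "")
            if sysval and not SYS_SHAPE.fullmatch(sysval):
                findings.append(f"{module}: trustedsys{suffix} malformed")
        if opts.get("ume.configuration.active") != "true":
            findings.append(f"{module}: ume.configuration.active is not true")
    return findings

# Constructed sample: portal suffix 1 is incomplete, CreateTicketLoginModule half-set.
C42 = {"trustedsys": "C42,000", "trustediss": "OU-J2EE,CN=C42",
       "trusteddn": "OU-J2EE,CN=C42", "ume.configuration.active": "true"}
SAMPLE = {
    "EvaluateAssertionTicketLoginModule": ("SUFFICIENT", dict(C42)),
    "EvaluateTicketLoginModule": ("SUFFICIENT", {**C42, "trustedsys1": "EP6,000"}),
    "BasicPasswordLoginModule": ("SUFFICIENT", {}),
    "CreateTicketLoginModule": ("OPTIONAL", {"trustedsys": "C42,000"}),
}
print("\n".join(audit(SAMPLE)))
```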