You must first configure the policy configurations of the security provider in the Application Server Java (AS Java) before you can begin configuring Single Sign-On for the CAF repository manager. You do this to restrict and manage access to resources deployed on the AS Java.
Configuring the SAP NetWeaver Portal UME Policy for SAP NetWeaver 7.0
Log on to Visual Administrator.
Choose
Open the Security Roles tab page of each of the following policy configurations:
Add your guest group Guests to the view-creator security role of policy configuration keystore-view.TicketKeystore.
Add the group Everyone to the view-creator security role of policy configuration keystore-view.securestorage.
Add the Guests group to the KeystoreViewsCreator security role of policy configuration of the J2EE Engine.
Configuring the SAP NetWeaver Portal Authentication Template
Choose
Open the Runtime tab page and then the Policy Configuration tab page.
Make sure the ticket template has the following login modules:
Login Modules | Flag
EvaluateTicketLoginModule | SUFFICIENT
BasicPasswordLoginModule | REQUISITE
CreateTicketLoginModule | OPTIONAL
Modify the EvaluateTicketLoginModule and CreateTicketLoginModule options with the following properties:
trustedsys : < a unique name issued by the user >, 000
For example: EP6,000
trustediss : < a unique name issued by the user >
For example: CN=EP6, OU=EPTeam, O=SAP Trust Community, C=DE
trusteddn: < a unique name issued by the user >
For example: CN=EP6, OU=EPTeam, O=SAP Trust Community, C=DE
You can find the values for the trusteddn and trustediss properties in the "DN of owner" and "DN of issuer" fields of the portal certificate. If you have to set up SSO authentication with more than one portal, you should add this property for each portal using a suffix at the end of the property name.
For example, trustedsys1 or trustedsys2.
For the components
sap.com/caf~km.ep.kmnodesvc*KMBaseServiceStdrWS_Config1
sap.com/caf~km.ep.kmnodesvc*KMNodeServiceSnrdWS_Config1
sap.com/caf~km.ep.kmnodesvc*KMRelationServiceStdrWS_Config1
configure the following login modules:
Login Modules | Flag
EvaluateAssertionTicketLoginModule | SUFFICIENT
EvaluateTicketLoginModule | SUFFICIENT
BasicPasswordLoginModule | SUFFICIENT
CreateTicketLoginModule | SUFFICIENT
All except BasicPasswordLoginModule must have the following options set:
trustedsys : < a unique name issued by the user >, 000
For example: C42,000
trustediss : < a unique name issued by the user >
For example: OU-J2EE,CN=C42
trusteddn: < a unique name issued by the user >
For example: OU-J2EE,CN=C42
ume.configuration.active : true
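The following check is an added example, not SAP code. It audits the trustedsys, trustediss and trusteddn options of one login module, including the numbered suffixes used for several portals, and reports incomplete or placeholder entries. The function name, the dictionary input, and the "three-character system name, three-digit client" pattern (inferred from the page's EP6,000 and C42,000 examples) are assumptions.

```python
import re

# Property names are taken from the page; suffix handling follows its
# "trustedsys1 or trustedsys2" note for more than one portal.
TRUST_KEYS = ("trustedsys", "trustediss", "trusteddn")
KEY_RE = re.compile(r"^(trustedsys|trustediss|trusteddn)(\d*)$")
# Assumed format, modelled on the page's examples EP6,000 and C42,000.
SYS_RE = re.compile(r"^\s*[A-Za-z0-9]{3}\s*,\s*\d{3}\s*$")


def audit_trust_options(options):
    """Return a list of findings for one login module's option dictionary."""
    groups = {}  # suffix -> {base property name: value}
    for name, value in options.items():
        m = KEY_RE.match(name.strip())
        if m:
            groups.setdefault(m.group(2), {})[m.group(1)] = value.strip()

    findings = []
    if not groups:
        findings.append("no trusted* options set")
    for suffix, props in sorted(groups.items()):
        label = suffix or "(no suffix)"
        for key in TRUST_KEYS:
            if key not in props:
                findings.append(f"suffix {label}: {key}{suffix} missing")
            elif not props[key] or "<" in props[key]:
                findings.append(f"suffix {label}: {key}{suffix} is empty or a placeholder")
        sys_value = props.get("trustedsys", "")
        if sys_value and "<" not in sys_value and not SYS_RE.match(sys_value):
            findings.append(f"suffix {label}: trustedsys{suffix} is not '<system>,<client>'")
    return findings


# Constructed sample: portal 1 is complete; portal 2 lacks trusteddn2, has no
# client in trustedsys2 and still carries the template text in trustediss2.
SAMPLE = {
    "trustedsys1": "EP6,000",
    "trustediss1": "CN=EP6, OU=EPTeam, O=SAP Trust Community, C=DE",
    "trusteddn1": "CN=EP6, OU=EPTeam, O=SAP Trust Community, C=DE",
    "trustedsys2": "C42",
    "trustediss2": "< a unique name issued by the user >",
}

if __name__ == "__main__":
    for finding in audit_trust_options(SAMPLE):
        print(finding)
```

A trust entry that is only partly filled in leaves the ticket login modules without a complete system, issuer and owner triple for that portal, so run the check against each module's options after editing them.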