Single Sign-On Configuration

Procedure

Because a standard installation of SAP Process Integration (PI) includes components based on both AS ABAP and AS Java, configuring Single Sign-On for PI tools involves configuring both directions:

  • AS ABAP > AS Java

  • AS Java > AS ABAP

This section provides additional information on the steps to configure Single Sign-On for PI tools.

Procedure for PI Web Components

In the standard configuration of SAP PI, the Java-based components of PI are accessed with user name and password (the basic authentication template). To ensure that Single Sign-On works properly between the PI Web components, you need to change their authentication template from basic to ticket. To do this, perform the following steps:

  1. From SAP NetWeaver Administrator, choose Configuration Management > Security > Authentication.

  2. Search for the following Web PI components:

    • sap.com/com.sap.xi.repository*rep

    • sap.com/com.sap.xi.directory*dir

    • sap.com/com.sap.xi.services*run

    • sap.com/com.sap.xi.mdt2*mdt

    • sap.com/com.sap.xi.rwb*rwb

    • sap.com/com.sap.lcr*sld

    • sap.com/com.sap.aii.ib.rprof.app*exchangeProfile

    • sap.com/com.sap.aii.af.app*AdapterFramework

    • service.naming

  3. Select each component and change the referenced authentication template from basic to ticket by selecting ticket in the dropdown menu.

  4. Search for the Service component service.naming.

  5. Select the component and change the referenced authentication template from basic to ticket by selecting ticket in the dropdown list box.

  6. Save your changes.

    All these changes take effect immediately and will remain in effect after subsequent redeployments.

  7. Access the Exchange Profile and expand the IntegrationBuilder node.

  8. Specify the following property as true:

    com.sap.aii.ib.core.sso.enabled

  9. Refresh AII Properties.

  10. Refresh the PI start page.

    From now on, the logon dialog will be displayed only once for each available component.

Additional Procedure for the Runtime Workbench

Since the Runtime Workbench communicates with AS ABAP, the Java logon ticket key pair must be modified, and the corresponding certificate must be exported from AS Java and imported to AS ABAP.

Note

With the following configuration settings you make sure that Single Sign-On is configured for the communication path AS Java > AS ABAP.

  1. Change the client value of the Java logon ticket to a client number that is not used in AS ABAP.

    For example 888, as described in the section Specifying the Client to Use for Logon Tickets.

  2. Restart AS Java.

  3. Create a new SAPLogonTicketKeypair certificate with a distinguished name (DN) other than the one used in AS ABAP.

    More information: Replacing the Key Pair to Use for Logon Tickets.

  4. Export the Java SAPLogonTicketKeypair certificate.

    • From SAP NetWeaver Administrator, choose Configuration Management > Security > Certificates and Keys.

    • Select the keystore view TicketKeystore and remove the entry.

    • Select the keystore entry SAPLogonTicketKeypair-cert and remove the entry.

    • Export the certificate in either X.509 or Base64 Encoded format.

  5. Check the SSO parameters of AS ABAP.

    To check whether the application server accepts logon tickets, call transaction SSO2 and execute it without any parameters.

    If the check fails, set the following profile parameter:

    Parameter                   Value   Note
    login/accept_sso2_ticket    1       Allows the server to accept an existing logon ticket.

  6. Import the Java certificate into AS ABAP.

    • Log on to the Integration Server (for example, in client 100) and call transaction STRUSTSSO2.

    • In the Certificate frame, choose Import Certificate and select the previously exported Java SAPLogonTicketKeypair-cert. Use binary format for an X.509 export and Base64 format for a Base64 Encoded export.

    • Choose Add to Certificate List and Add to ACL. While adding the certificate to the access control list (ACL), specify the system ID (which is the certificate's common name, that is, the value for CN=) and the client (the client specified as login.ticket_client in the UME Provider service, 888 in this example).

  7. Switch to fully qualified host names.

    To ensure that single sign-on works properly, all services must be called with the fully qualified host name. Proceed as follows:

    • On AS ABAP, set the profile parameter icm/host_name_full.

    • In the exchange profile, change the host name to a fully-qualified one for the following parameters:

      • com.sap.aii.rwb.server.centralmonitoring.r3.ashost (under Runtime Workbench)

      • com.sap.aii.connect.repository.name (under Connections)

      • com.sap.aii.connect.rwb.name (under Connections)

    • In SAP NetWeaver Administrator, choose Configuration Management > Infrastructure > Java System Properties > Details > Services and change the host name and port numbers to fully qualified ones for the following properties of the service XPI Service: CPA Cache:

      • SLD.selfregistration.httpPort

      • SLD.selfregistration.httpsPort

      • SLD.selfregistration.hostName

    • Restart the XPI service.

  8. Set the profile parameter login/accept_sso2_ticket to 1.

    More information: Configuring the AS ABAP to Accept Logon Tickets.
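The steps above (a dedicated ticket client, a distinct Java key-pair DN, login/accept_sso2_ticket, and fully qualified host names in the ABAP profile, the exchange profile and the CPA Cache service) are easy to get partly right. The following pre-flight check is an added example and not SAP code: it runs over a constructed "before" and "after" snapshot of those settings and reports which of the checks still fail. The parameter names are the ones this procedure mentions; the host names, DNs, clients and ports are constructed sample values.

```python
"""Pre-flight check for the AS Java > AS ABAP logon-ticket setup.

Added example, not SAP code. The parameter names are the ones the procedure
above mentions; every value in the two sample configurations is constructed.
"""
import re

# One RFC 1123 host label; a fully qualified name is two or more labels joined by dots.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN = re.compile(r"^(?:%s\.)+%s$" % (_LABEL, _LABEL), re.IGNORECASE)


def is_fqdn(host):
    """True if host is a fully qualified host name such as pihost.example.com."""
    return bool(_FQDN.match(str(host).strip().rstrip(".")))


def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around its components for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_sso_setup(cfg):
    """Return the list of findings for a configuration; an empty list means all checks passed."""
    findings = []

    # Step 1: the Java ticket client must not be a client that exists in AS ABAP.
    if cfg["login_ticket_client"] in cfg["abap_clients"]:
        findings.append("login.ticket_client %s is an existing AS ABAP client" % cfg["login_ticket_client"])

    # Step 3: the Java SAPLogonTicketKeypair needs a DN different from the AS ABAP one.
    if normalize_dn(cfg["java_ticket_dn"]) == normalize_dn(cfg["abap_ticket_dn"]):
        findings.append("Java SAPLogonTicketKeypair DN is identical to the AS ABAP DN")

    # Steps 5 and 8: AS ABAP must accept logon tickets.
    profile = cfg["abap_profile"]
    if str(profile.get("login/accept_sso2_ticket", "0")) != "1":
        findings.append("login/accept_sso2_ticket is not set to 1")

    # Step 7: fully qualified host names on AS ABAP, in the exchange profile and in the CPA Cache service.
    if not is_fqdn(profile.get("icm/host_name_full", "")):
        findings.append("icm/host_name_full is missing or not fully qualified")
    for key in ("com.sap.aii.rwb.server.centralmonitoring.r3.ashost",
                "com.sap.aii.connect.repository.name",
                "com.sap.aii.connect.rwb.name"):
        if not is_fqdn(cfg["exchange_profile"].get(key, "")):
            findings.append("exchange profile %s is not fully qualified" % key)
    cpa = cfg["cpa_cache"]
    if not is_fqdn(cpa.get("SLD.selfregistration.hostName", "")):
        findings.append("SLD.selfregistration.hostName is not fully qualified")
    for key in ("SLD.selfregistration.httpPort", "SLD.selfregistration.httpsPort"):
        port = str(cpa.get(key, ""))
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append("%s is missing or not a valid port" % key)
    return findings


# Constructed "before" snapshot: default client, shared DN, short host names, no https port.
WEAK_CONFIG = {
    "abap_clients": {"000", "001", "100"},
    "login_ticket_client": "100",
    "abap_ticket_dn": "CN=PIA, OU=Basis, O=Example, C=DE",
    "java_ticket_dn": "CN=PIA, OU=Basis, O=Example, C=DE",
    "abap_profile": {"login/accept_sso2_ticket": "0"},
    "exchange_profile": {
        "com.sap.aii.rwb.server.centralmonitoring.r3.ashost": "pihost",
        "com.sap.aii.connect.repository.name": "pihost",
        "com.sap.aii.connect.rwb.name": "pihost",
    },
    "cpa_cache": {"SLD.selfregistration.hostName": "sldhost",
                  "SLD.selfregistration.httpPort": "50000"},
}

# Constructed "after" snapshot following steps 1 to 8.
FIXED_CONFIG = {
    "abap_clients": {"000", "001", "100"},
    "login_ticket_client": "888",
    "abap_ticket_dn": "CN=PIA, OU=Basis, O=Example, C=DE",
    "java_ticket_dn": "CN=PIJ, OU=J2EE, O=Example, C=DE",
    "abap_profile": {"login/accept_sso2_ticket": "1",
                     "icm/host_name_full": "pihost.example.com"},
    "exchange_profile": {
        "com.sap.aii.rwb.server.centralmonitoring.r3.ashost": "pihost.example.com",
        "com.sap.aii.connect.repository.name": "pihost.example.com",
        "com.sap.aii.connect.rwb.name": "pihost.example.com",
    },
    "cpa_cache": {"SLD.selfregistration.hostName": "sldhost.example.com",
                  "SLD.selfregistration.httpPort": "50000",
                  "SLD.selfregistration.httpsPort": "50001"},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_sso_setup(cfg) or "OK")
```

The check deliberately compares DNs loosely (case and whitespace) so that the same key pair entered with different spacing in STRUSTSSO2 and the Java keystore is still reported as a collision; in a real landscape you would feed it the values read from the profile, the exchange profile and the Java System Properties view rather than the constructed dictionaries.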

Configuration Steps for Communication AS ABAP > AS Java

With the following configuration settings you make sure that Single Sign-On is configured for the direction AS ABAP > AS Java. Only then can you access the Java-based PI components by calling transaction SXMB_IFR.

You need to export the certificate from AS ABAP and import it into AS Java.

  1. Implement SAP notes 1509384 and 1520843 in the system of the Integration Server (AS ABAP).

  2. To export the ABAP certificate from AS ABAP to a file, choose transaction STRUSTSSO2.

  3. Follow the instructions from the SAP notes mentioned above and import the certificate to AS Java.

    To do that, log on to SAP NetWeaver Administrator and choose Configuration > Trusted Systems > Add Trusted System By Querying Trusted System.

    More information: Configuring the AS Java to Accept Logon Tickets

Enable Single Sign-On to a Remote AS Java

If components are distributed across various SAP Application Servers, for example, if the SLD runs on an AS Java other than the one used by PI, single sign-on can also be configured from the AS Java of PI to the AS Java of the SLD.

In this case, the public-key certificate (SAPLogonTicketKeypair-cert) from the ticket-issuing AS Java must be uploaded to the keystore of the accepting AS Java. The DN of the certificate and of the issuer must be entered in the login module.

In the procedure described below, the ticket issuer is the AS Java of the PI system, and the AS Java of the SLD has to accept the ticket.

  1. Start the SAP NetWeaver Administrator on your SLD system and perform the following steps to upload the certificate:

    • Choose Configuration Management > Security > Trusted Systems > Single Sign-On with SAP Logon Tickets.

    • Choose Edit > Add Trusted System and select the ticket-issuing PI system as follows:

      1. Select the landscape type All Technical Systems and choose Go.

      2. Select the ticket-issuing Java system from the displayed list of systems and choose OK.

    • Provide the user name and password to use for the connection to the selected system.

      The remaining Connection Properties for the selected system are automatically displayed.

    • Choose Next and upload the X.509 certificate for the ticket-issuing system.

      Note

      You only have to perform this step if the AS Java cannot retrieve the certificate for the ticket-issuing system from the SLD.

    • Review the configuration details for the ticket-issuing system and choose Next.

    • Choose Close to complete the wizard.

  2. Perform the following steps to check whether the public-key certificate has been uploaded:

    • Choose Configuration Management > Security > Certificates and Keys.

    • Check whether the public key certificate of the ticket-issuing system has been added to the keystore view.

  3. Perform the following steps to check the policy configuration:

    • Choose Configuration Management > Security > Authentication Components.

    • In the list of component policy configurations, select the component sap.com/com.sap.lcr*sld.

      On the Authentication Stack tab, select the login module EvaluateTicketLoginModule.

    • Check whether the following login module options exist:

      • trustediss<n>

        Issuer DN of the login ticket certificate uploaded above.

      • trusteddn<n>

        Subject DN of the login ticket certificate.

      • trustedsys<n>

        System ID <SID> of the Integration Server and client <client> specified as login.ticket_client in the UME Provider service com.sap.security.core.ume.service.
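The three login module options above are checked by hand in the original procedure. The following added example, which is not SAP code, shows the same check in code: it parses the subject and issuer DN strings shown in the Certificates and Keys view, looks up which trusted-system index n on the accepting AS Java already carries them, and builds the trustedsys<n>/trusteddn<n>/trustediss<n> triple for a new index after verifying that the certificate's CN equals the system ID and that the client is a three-digit number. The DNs, SID, client and the snapshot of existing options are constructed, and the "<SID>,<client>" layout of the trustedsys<n> value is an assumption of this example rather than something stated on this page.

```python
"""Derive and check the EvaluateTicketLoginModule options on the accepting AS Java.

Added example, not SAP code. The DNs, SID and client below are constructed; the
"<SID>,<client>" layout of the trustedsys<n> value is an assumption of this example.
"""


def parse_dn(dn):
    """Split a DN such as 'CN=PIJ,OU=J2EE,O=Example,C=DE' into (type, value) pairs.

    A backslash escapes the following character, so 'O=Example\\, Inc' keeps its comma.
    """
    parts, buf, chars = [], [], iter(dn)
    for ch in chars:
        if ch == "\\":
            buf.append(next(chars, ""))
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError("malformed DN component: %r" % part)
        key, value = part.split("=", 1)
        pairs.append((key.strip().upper(), value.strip()))
    return pairs


def dn_equal(a, b):
    """Compare two DNs by component, ignoring whitespace around the separators."""
    return parse_dn(a) == parse_dn(b)


def build_trusted_system_options(n, subject_dn, issuer_dn, sid, client):
    """Return the trustedsys<n>/trusteddn<n>/trustediss<n> triple for trusted system n."""
    cn = next((v for k, v in parse_dn(subject_dn) if k == "CN"), None)
    if cn != sid:
        raise ValueError("certificate CN %r does not match system ID %r" % (cn, sid))
    if not (client.isdigit() and len(client) == 3):
        raise ValueError("client must be a three-digit number, got %r" % client)
    return {
        "trustedsys%d" % n: "%s,%s" % (sid, client),  # assumed "<SID>,<client>" layout
        "trusteddn%d" % n: subject_dn,
        "trustediss%d" % n: issuer_dn,
    }


def find_trusted_system(options, subject_dn, issuer_dn):
    """Return the index n whose trusteddn<n>/trustediss<n> match the certificate, or None."""
    prefix = "trusteddn"
    for key, value in options.items():
        if key.startswith(prefix) and key[len(prefix):].isdigit():
            n = key[len(prefix):]
            if dn_equal(value, subject_dn) and dn_equal(options.get("trustediss" + n, ""), issuer_dn):
                return int(n)
    return None


# Constructed: the PI AS Java's self-signed SAPLogonTicketKeypair-cert, so subject and issuer coincide.
CERT_SUBJECT = "CN=PIJ, OU=J2EE, O=Example, C=DE"
CERT_ISSUER = CERT_SUBJECT

# Constructed snapshot of the options already present in the sap.com/com.sap.lcr*sld stack.
EXISTING_OPTIONS = {
    "trustedsys1": "PIA,100",
    "trusteddn1": "CN=PIA,OU=Basis,O=Example,C=DE",
    "trustediss1": "CN=PIA,OU=Basis,O=Example,C=DE",
    "trustedsys2": "PIJ,888",
    "trusteddn2": "CN=PIJ,OU=J2EE,O=Example,C=DE",
    "trustediss2": "CN=PIJ,OU=J2EE,O=Example,C=DE",
}

if __name__ == "__main__":
    print("already trusted as index:", find_trusted_system(EXISTING_OPTIONS, CERT_SUBJECT, CERT_ISSUER))
    print(build_trusted_system_options(3, CERT_SUBJECT, CERT_ISSUER, "PIJ", "888"))
```

If find_trusted_system returns None, the certificate uploaded in step 1 has no matching trusteddn<n>/trustediss<n> pair and the options have to be added; comparing parsed components rather than raw strings avoids a false mismatch when one side was entered with spaces after the commas.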