The portal server digitally signs logon tickets as it issues them to the portal users. Systems that accept logon tickets need to verify the portal server's digital signature. The following information is important to enable SAP NetWeaver Application Server (AS) ABAP systems to accept and verify portal-issued logon tickets:
The identity of the portal server must be in the AS ABAP's Single Sign-On (SSO) access control list (ACL).
Because the portal server uses a self-signed certificate, the AS ABAP needs access to the portal server's public-key information, which must be in the AS ABAP's certificate list.
Logon tickets are not supported in releases lower than 4.0B.
AS ABAP systems based on SAP NetWeaver Application Server 6.20 or higher do not require the plug-in.
If the ABAP user IDs are different from the portal user IDs, configure user mapping.
More information: Configuring User Mapping with Tickets for SSO
As a best practice, we recommend installing the most recent version of the SAPSECULIB library, which is available on the SAP Service Marketplace in the software distribution center at service.sap.com/swdc under Download → Support Packages and Patches → Entry by Application Group. Select SAP Technology Components and then SAPSECULIB.
More information: Configuring the Portal for SSO with Logon Tickets
In AS ABAP with release 4.6C or higher you can use transaction STRUSTSSO2 to complete the first two steps of the following procedure.
More information: Using Transaction STRUSTSSO2 in AS ABAP >= 4.6C
Add Portal Server to ACL of a component AS ABAP
The portal server is identified by system ID, client, and the name in the certificate. You must enter these details in the access control list of the component system as follows.
By default, the portal's system ID is the common name (CN) of the Distinguished Name entered during installation of the portal. The default client is 000.
If you are using an Add-In installation, you must change the client to a value other than 000.
More information: Specifying the AS Java Client to Use for Logon Tickets
Field | Value
---|---
Subject name | Distinguished name (DN) of the owner of the portal server certificate. This is the DN that was entered during installation of the portal, for example: CN=EP6, OU=Portal Installation, OU=Enterprise Portal, O=SAP Trust Community, C=DE
Issuer name | Distinguished name of the issuer of the portal server certificate. If the portal is using a self-signed certificate, this is the same as the subject name.
Serial number | 00
You can look up the subject name, issuer name, and serial number of the portal server certificate in the Keystore Administration tool.
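As an added example (not SAP's code or part of the original page), a small Python helper that derives the ACL fields from the portal certificate's subject and issuer DNs and flags the mistakes this section warns about: a non-self-signed certificate, a malformed client, and client 000 on an Add-In installation. The function names and the `addin_installation` flag are assumptions.

```python
"""Illustrative helper (not SAP code): derive the SSO ACL fields for a portal server from its
certificate DNs and flag the configuration mistakes described in the text."""
from typing import Dict, List


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split 'CN=EP6, OU=Portal Installation, ...' into attribute -> list of values.
    Assumes values contain no escaped commas (true for DNs the portal installer produces)."""
    attrs: Dict[str, List[str]] = {}
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        key, value = part.split("=", 1)
        attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs


def dn_equal(a: str, b: str) -> bool:
    """Compare two DNs by attribute values, ignoring spacing and attribute-type case."""
    return parse_dn(a) == parse_dn(b)


def build_acl_entry(subject_dn: str, issuer_dn: str, serial: str,
                    client: str = "000", addin_installation: bool = False) -> dict:
    """Return the ACL fields (system ID, client, subject, issuer, serial) plus a list of findings.
    `addin_installation` is an assumed flag standing in for the Add-In case in the text."""
    findings: List[str] = []
    cns = parse_dn(subject_dn).get("CN", [])
    if len(cns) != 1:
        findings.append("subject DN must carry exactly one CN; the CN is the default portal system ID")
    if dn_equal(subject_dn, issuer_dn):
        if serial != "00":
            findings.append(f"self-signed portal certificate is expected to have serial 00, got {serial!r}")
    else:
        findings.append("issuer differs from subject: certificate is not self-signed; "
                        "take issuer name and serial from the Keystore Administration tool")
    if not (client.isdigit() and len(client) == 3):
        findings.append(f"client must be a three-digit number, got {client!r}")
    if addin_installation and client == "000":
        findings.append("Add-In installation: client must be a value other than 000")
    return {
        "system_id": cns[0] if cns else None,  # default portal system ID is the certificate CN
        "client": client,
        "subject_name": subject_dn.strip(),
        "issuer_name": issuer_dn.strip(),
        "serial_number": serial,
        "findings": findings,
    }
```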
Import public-key certificate of Portal Server to component AS ABAP's certificate list
This procedure is release-specific.
If the AS ABAP component system is Release 4.6C or higher, see Importing Portal Certificate into AS ABAP >= 4.6C.
If the SAP component system is based on Release 4.0B to 4.6B, see Importing Portal Certificate into AS ABAP < 4.6C.
Set profile parameters
On all of the component system's application servers, set the following profile parameters:
login/accept_sso2_ticket
login/create_sso2_ticket
See SAP Note 557350 for obtaining a correction in Releases 6.10 and 6.20.
See SAP Note 612670 for information about additional configuration steps if you are using applications that use the SAP GUI HTML control.
The AS ABAP component systems are able to accept logon tickets and verify the portal server's digital signature when they receive a logon ticket from a user.