Single Sign-On Configuration 
To ensure that Single Sign-On works properly between the PI Web components, you must change their authentication template from basic to ticket. To do so, you have to perform the following steps:
Use the SAP NetWeaver Administrator and choose Configuration Management → Security → Authentication.
Search for the following Web PI components.
Select each component and change the referenced authentication template from basic to ticket by selecting ticket in the dropdown menu.
sap.com/com.sap.xi.repository*rep
sap.com/com.sap.xi.directory*dir
sap.com/com.sap.xi.services*run
sap.com/com.sap.xi.mdt2*mdt
sap.com/com.sap.xi.rwb*rwb
sap.com/com.sap.lcr*sld
sap.com/com.sap.aii.ib.rprof.app*exchangeProfile
sap.com/com.sap.aii.af.app*AdapterFramework
sap.com/tc~esi~esp~er~ui~addon~ear*sr
Search for the Service component service.naming.
Select the component and change the referenced authentication template from basic to ticket by selecting ticket in the dropdown menu.
Save your changes.
All these changes are effective immediately and will still be effective after subsequent redeployments.
Access the Exchange Profile and expand the IntegrationBuilder node.
Specify the following property as true:
com.sap.aii.ib.core.sso.enabled
Refresh the AII Properties.
Refresh the PI start page.
From now on, the logon dialog will be displayed only once and then no longer for each available component.
More information:
Since the Runtime Workbench communicates with AS ABAP, the Java logon ticket key pair must be modified, and the corresponding certificate must be exported from AS Java and imported to AS ABAP.
Change the client value of the Java logon ticket to a client number that is not used in AS ABAP, for example 888, as described under Specifying the Client to Use for Logon Tickets.
Restart AS Java.
Create a new SAPLogonTicketKeypair certificate with a distinguished name (DN) other than the one used in AS ABAP as described under Replacing the Key Pair to Use for Logon Tickets.
Export the Java SAPLogonTicketKeypair certificate.
Use the SAP NetWeaver Administrator and choose Configuration Management → Security → Certificates and Keys.
Select the keystore view TicketKeystore.
Select the keystore entry SAPLogonTicketKeypair-cert.
Export the certificate in either X.509 or Base64 Encoded format.
Check the SSO Parameter of AS ABAP.
To check whether the application server accepts logon tickets, call transaction SSO2 and execute it without any parameters.
If the check fails, the following profile parameters must be set:
| Parameter | Value | Note |
|---|---|---|
| login/accept_sso2_ticket | 1 | Allows the server to accept an existing logon ticket. |
Import the Java certificate into AS ABAP.
Log on to the Integration Server (for example with client 100) and call transaction STRUSTSSO2.
In the Certificate frame, choose Import Certificate and select the previously exported Java SAPLogonTicketKeypair-cert. Use binary format for an X.509 export and Base64 format for a Base64 Encoded export.
Choose Add to Certificate List and Add to ACL. While adding the certificate to the access control list (ACL), specify the system ID (which is the certificate's common name, that is, the value for CN=) and the client (the client specified as login.ticket_client in the UME Provider service, 888 in this example).
Switch to fully qualified host names.
To ensure that single sign-on works properly, all services must be called with the fully qualified host name. Proceed as follows:
On AS ABAP, set the profile parameter icm/host_name_full.
In the exchange profile, change the host name to a fully qualified one for the following parameters:
com.sap.aii.rwb.server.centralmonitoring.r3.ashost (under Runtime Workbench)
com.sap.aii.connect.repository.name (under Connections)
com.sap.aii.connect.rwb.name (under Connections)
Use the SAP NetWeaver Administrator and choose Configuration Management → Infrastructure → Java System Properties → Details → Services to change the host name and port numbers to fully qualified ones for the following properties of the service XPI Service: CPA Cache:
SLD.selfregistration.httpPort
SLD.selfregistration.httpsPort
SLD.selfregistration.hostName
Restart the XPI service.
Set the profile parameter login/accept_sso2_ticket to 1.
More information: Configuring the AS ABAP to Accept Logon Tickets.
If components are distributed across various SAP Application Servers, for example, if the SLD runs on an AS Java other than the one used by PI, single sign-on can also be configured from the AS Java of PI to the AS Java of the SLD.
In this case, the public-key certificate (SAPLogonTicketKeypair-cert) from the ticket-issuing AS Java must be uploaded to the keystore of the accepting AS Java. The DN of the certificate and of the issuer must be entered in the login module.
In the procedure described below, the ticket issuer is the AS Java of the PI system, and the AS Java of the SLD has to accept the ticket.
Start the SAP NetWeaver Administrator on your SLD system and perform the following steps to upload the certificate:
Choose Configuration Management → Security → Trusted Systems → Single Sign-On with SAP Logon Tickets.
Choose Edit → Add Trusted System and select the ticket-issuing PI system as follows:
Select the landscape type All Technical Systems and choose Go.
Select the ticket-issuing Java system from the displayed list of systems and choose OK.
Provide the Username and Password to use for the connection to the selected system.
The remaining Connection Properties for the selected system are automatically displayed.
Choose Next and upload the X.509 certificate for the ticket-issuing system.
Note: You only have to perform this step if the AS Java cannot retrieve the certificate for the ticket-issuing system from the SLD.
Review the configuration details for the ticket-issuing system and choose Next.
Choose Close to complete the wizard.
Perform the following steps to check whether the public-key certificate has been uploaded:
Choose Configuration Management → Security → Certificates and Keys.
Check whether the public-key certificate of the ticket-issuing system has been added to the keystore view.
Perform the following steps to check the policy configuration:
Choose Configuration Management → Security → Authentication → Components.
In the list of component policy configurations, select the component sap.com/com.sap.lcr*sld.
On the Authentication Stack tab page, select the login module EvaluateTicketLoginModule.
Check whether the following login module options exist:
trustediss<n>: Issuer DN of the login ticket certificate uploaded above.
trusteddn<n>: Subject DN of the login ticket certificate.
trustedsys<n>: System ID <SID> of the Integration Server and client <client> specified as login.ticket_client in the UME Provider service com.sap.security.core.ume.service.
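The login module check above can be automated once the options of EvaluateTicketLoginModule have been copied into a key/value mapping. The following is an added example, not SAP code: the function name, the sample SID and DN are hypothetical, and the `<SID>,<client>` layout of the trustedsys<n> value is an assumption.

```python
import re

OPTION = re.compile(r"^(trustediss|trusteddn|trustedsys)(\d+)$")
KINDS = ("trustediss", "trusteddn", "trustedsys")

def norm_dn(dn):
    # Simplified DN comparison: ignore case and spaces around commas.
    # DNs containing escaped commas are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_ticket_trust(options, issuer_dn, subject_dn, sid, client):
    """Return (trusted, findings) for one ticket-issuing system."""
    groups = {}
    for name, value in options.items():
        m = OPTION.match(name)
        if m:
            groups.setdefault(int(m.group(2)), {})[m.group(1)] = value
    trusted, findings = False, []
    for n, g in sorted(groups.items()):
        missing = [f"{k}{n}" for k in KINDS if k not in g]
        if missing:
            findings.append(f"index {n}: missing {', '.join(missing)}")
            continue
        if (norm_dn(g["trustediss"]) != norm_dn(issuer_dn)
                or norm_dn(g["trusteddn"]) != norm_dn(subject_dn)):
            continue  # entry belongs to a different issuing system
        # Assumed layout of the trustedsys<n> value: "<SID>,<client>"
        got = tuple(p.strip() for p in g["trustedsys"].split(","))
        if got == (sid, client):
            trusted = True
        else:
            findings.append(f"index {n}: trustedsys{n} is {g['trustedsys']!r}, "
                            f"expected '{sid},{client}'")
    return trusted, findings

# Constructed sample values (hypothetical SID and DN; client 888 as in the procedure)
DN = "CN=PI1,OU=Integration,O=Example,C=DE"
GOOD = {"trustediss1": DN, "trusteddn1": "CN=PI1, OU=Integration, O=Example, C=DE",
        "trustedsys1": "PI1,888"}
WRONG_CLIENT = dict(GOOD, trustedsys1="PI1,100")
INCOMPLETE = {"trustediss2": DN, "trustedsys2": "PI1,888"}

if __name__ == "__main__":
    for opts in (GOOD, WRONG_CLIENT, INCOMPLETE):
        print(check_ticket_trust(opts, DN, DN, "PI1", "888"))
```

The WRONG_CLIENT case models an entry that carries the ABAP logon client (100) instead of the login.ticket_client value (888), which leaves the issuing system untrusted even though both DNs match.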