Thursday, January 28, 2010

Setup SSO between Portal and Target System...

Sometimes the SSO configuration between the Portal and an ABAP system can be pretty quirky, so I thought I would post a step-by-step guide here to help anyone out there who is having trouble with this.


1. Export certificate from the Portal (verify.der and verify.pse)
- a. Navigate to 'System Administration' >'System configuration' >'Keystore Administration'
- b. In 'Content' select "SAPLogonTicketKeypair-cert", then select and save both "Download verify.pse file" and "Download verify.der file"

2. Check SAPJSF user in target system
- a. Create if necessary using transaction SU01
- b. User should have two roles: SAP_BC_JSF_COMMUNICATION and SAP_BC_USR_CUA_CLIENT_RFC (if you have CUA in place)
- c. You may have to generate profiles for these roles in the target system (transaction PFCG)

3. Check profile parameters
- a. Open transaction RZ10 in target system
- b. Select the instance profile, choose 'extended maintenance', then 'Change'
- c. Verify "login/create_sso2_ticket" is set to "2" and "login/accept_sso2_ticket" set to "1"
- d. If these parameters are not set, you will need to set them and restart the target system
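The two parameters in step 3 are the ones most often found wrong when SSO silently fails, so it is worth checking them from the profile file rather than by eye. The following is an added example (not part of the original post) that parses an ABAP instance profile in its plain `name = value` form, with `#` comments, and reports any parameter that is missing or not at the value the guide requires. The sample profile is constructed for the example; the parameter names and expected values are the ones given above.

```python
"""Check the SSO2 ticket parameters in an ABAP instance profile (added example)."""
import re

# Values required by the guide: the target must be able to create tickets (2)
# and must accept tickets issued by the Portal (1).
REQUIRED = {
    "login/create_sso2_ticket": "2",
    "login/accept_sso2_ticket": "1",
}

_LINE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment. A later line wins, as in RZ10."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_sso2_params(params):
    """Return a list of (parameter, actual, expected) for every required parameter
    that is absent (actual is None) or set to a different value."""
    findings = []
    for name, expected in REQUIRED.items():
        actual = params.get(name)
        if actual != expected:
            findings.append((name, actual, expected))
    return findings


# Constructed sample profile, not taken from any real system.
SAMPLE_PROFILE = """\
# instance profile (constructed for this example)
SAPSYSTEMNAME = C11
INSTANCE_NAME = DVEBMGS00
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 0   # must be 2 for Portal SSO
"""

if __name__ == "__main__":
    findings = check_sso2_params(parse_profile(SAMPLE_PROFILE))
    if not findings:
        print("SSO2 ticket parameters are set as required")
    for name, actual, expected in findings:
        print(f"{name}: found {actual!r}, expected {expected!r}")
```

Run it against a copy of the instance profile taken from the target system; an empty result means no restart for these two parameters is needed, otherwise the listed parameters have to be changed in RZ10 and the system restarted as step 3d says.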

4. Export certificate from target system
- a. Open transaction STRUSTSSO2 in target system
- b. Double-click on "CN=..." in the "Own Certif." section; this populates the fields in the center section with the certificate data
- c. Select "Export certificate" in the center section and provide file name and path to save certificate file

5. Import Portal certificate to target system
- a. Open transaction STRUSTSSO2 in target system
- b. Select "Import certificate" in the center section
- c. Browse to the *.der file created in step 1 and press "Enter"
- d. Select "Add to certificate list" and then "Add to ACL" (most likely the Portal client needs to be 000)

6. Create a JCo RFC provider in the J2EE engine of the Portal system
- a. Logon to J2EE using J2EE Visual Admin tool (/j2ee/admin/go.bat)
- b. Navigate to 'Server' >'JCo RFC provider'
- c. On the right side of the screen choose any entry in 'Available RFC destinations' area
- d. Enter information about new destination:
- - i. Program ID: name of the program (you will need it later) - sapj2ee_port, for example
- - ii. Gateway host - FQDN of target system - server.domain.com, for example
- - iii. Gateway service - sapgw00 for example
- e. In the 'Repository' section enter:
- - i. Application server host - FQDN of target system - server.domain.com, for example
- - ii. System number - 00, for example
- - iii. Client - 100, for example
- - iv. Logon language - EN
- - v. User - SAPJSF (from step 2)
- - vi. Password (from step 2)
- f. Press 'Set'

7. Add target system to Security providers list
- a. Open J2EE Visual Admin and navigate to 'Server' >'Services' >'Security Provider'. In components select 'Ticket'. Enter edit mode (button with pencil above)
- b. Select the login module "EvaluateTicketLoginModule" and press 'Modify'
- c. Ensure that "ume.configuration.active" is set to "true"
- d. Enter following info:
- - i. Name - 'trustedsysN' (replace "N" with a number; if the target system is the first one you are implementing SSO with, the name is 'trustedsys1'). Enter <SID>,<client> as the value (C11,100 for example)
- - ii. Name - 'trustedissN' (replace "N" with the same number; for the first system the name is 'trustediss1'). Enter CN=<SID> as the value (CN=C11 for example)
- - iii. Name - 'trusteddnN' (replace "N" with the same number; for the first system the name is 'trusteddn1'). Enter CN=<SID> as the value (CN=C11 for example)
- e. Press 'OK'
- f. Repeat substeps b to e in the 'evaluate_assertion_ticket' view for the "EvaluateAssertionTicketLoginModule" login module
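A mismatch between the three entries of one trusted system (a typo in the SID, a missing client, or a trusteddn that does not name the same system as trustedsys) is a common reason the ticket is rejected even though every step above was followed. The following is an added example, not part of the original post and not an SAP tool, that takes the login module options as a plain dictionary, groups them by the number N, and reports incomplete or inconsistent triplets using the guide's convention of <SID>,<client> for trustedsysN and CN=<SID> for trustedissN and trusteddnN. The sample options are constructed; in a real system the CN must match the certificate subject shown in STRUSTSSO2 in step 4.

```python
"""Validate trustedsysN/trustedissN/trusteddnN options of the ticket login module (added example)."""
import re
from collections import defaultdict

_KEY = re.compile(r"^trusted(sys|iss|dn)(\d+)$")
_SYS = re.compile(r"^([A-Z][A-Z0-9]{2}),(\d{3})$")   # <SID>,<client>, e.g. C11,100
_CN = re.compile(r"^CN=([^,]+)$")                     # CN=<SID>, e.g. CN=C11


def validate_trusted_systems(options):
    """Return a list of problems found in the trusted* options; empty means consistent."""
    groups = defaultdict(dict)
    for key, value in options.items():
        m = _KEY.match(key)
        if m:
            groups[int(m.group(2))][m.group(1)] = value

    problems = []
    for n in sorted(groups):
        g = groups[n]
        # Every system N needs all three entries.
        for part in ("sys", "iss", "dn"):
            if part not in g:
                problems.append(f"trusted{part}{n} is missing")
        if len(g) < 3:
            continue
        sys_m = _SYS.match(g["sys"])
        if not sys_m:
            problems.append(f"trustedsys{n}={g['sys']!r} is not <SID>,<client>")
            continue
        sid = sys_m.group(1)
        # Issuer and DN must name the same SID as trustedsys.
        for part in ("iss", "dn"):
            cn_m = _CN.match(g[part])
            if not cn_m:
                problems.append(f"trusted{part}{n}={g[part]!r} is not CN=<SID>")
            elif cn_m.group(1) != sid:
                problems.append(
                    f"trusted{part}{n} names {cn_m.group(1)} but trustedsys{n} names {sid}"
                )
    return problems


# Constructed options: the guide's C11/100 example plus a second system with a typo.
SAMPLE_OPTIONS = {
    "ume.configuration.active": "true",
    "trustedsys1": "C11,100",
    "trustediss1": "CN=C11",
    "trusteddn1": "CN=C11",
    "trustedsys2": "Q11,200",
    "trustediss2": "CN=Q11",
    "trusteddn2": "CN=Q1",   # typo: should be CN=Q11
}

if __name__ == "__main__":
    for problem in validate_trusted_systems(SAMPLE_OPTIONS) or ["no problems found"]:
        print(problem)
```

Because the same options have to be entered twice (once for "EvaluateTicketLoginModule" and once for "EvaluateAssertionTicketLoginModule"), running the check on both option sets and comparing the results catches the case where only one of the two views was updated.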

8. Import target system certificate to J2EE of portal system (from step 4)
- a. Open J2EE Administrator and logon to portal instance
- b. Navigate to 'Server' >'Services' >'Key storage'
- c. In the 'Ticket keystore' view press 'load' and select the certificate of the target system (exported in step 4)

9. Restart J2EE instance

10. Create RFC connection in target system
- a. Open transaction SM59 in the target system
- b. Select TCP/IP connections and press 'New'
- c. Enter name for new connection ("RFC_to_portal", for example), enter connection type "T", description, and select Save
- d. In 'Technical settings' choose "Registered server program" and enter application name (from step 6d) in "Program ID" field, provide 'Gateway host' and 'Gateway service' (same as in step 6d), save, and test the connection

Also, if you are running into trouble testing the connection on the Portal side, the generic "Make sure SSO is setup correctly" error message is not very helpful. For a more detailed error, scroll to the last entry in the dev_jrfc.trc file located in the /j2ee/cluster/serverX/ directory.

I hope this helps...