Single Sign-On Configuration

Procedure for PI Web Components

To ensure that Single Sign-On works properly between the PI Web components, you must change their authentication template from basic to ticket, so that a logon ticket issued by the J2EE Engine is accepted in place of a user ID and password. To do so, perform the following steps:


       1.      Use the Visual Administrator and navigate to Server → Services → Security Provider.

       2.      Choose tab page Runtime → Policy Configuration and assign the login module stack ticket from Authentication Template to each of the following PI Web components.

The PI Web components are:

•       sap.com/com.sap.xi.repository*rep

•       sap.com/com.sap.xi.directory*dir

•       sap.com/com.sap.xi.services*run

•       sap.com/com.sap.xi.rwb*rwb_mdt

•       sap.com/com.sap.xi.mdt*mdt

•       sap.com/com.sap.xi.rwb*rwb

•       sap.com/com.sap.lcr*sld

•       sap.com/com.sap.rprof.remoteProfile*exchangeProfile

•       sap.com/com.sap.aii.af.app*AdapterFramework

All these changes take effect immediately and remain in effect after subsequent redeployments of the components.

       3.      Access the Exchange Profile and set the following property to true:

com.sap.aii.ib.core.sso.enabled

       4.      Refresh the AII Properties.

       5.      Refresh the Integration Builder start page.

From now on, the logon dialog is displayed only once, rather than once for each component.

See also:

Configuring Authentication Mechanisms

Working with the Development Environment

Additional Procedure for the Repository and Directory

If you have used the following exchange profile parameters to configure the message server-based RMI/P4 logon to the Integration Repository and the Integration Directory, you must also add ticket authentication to the login module stack of the component service.naming:

•      com.sap.aii.connect.repository.mshost

•      com.sap.aii.connect.repository.mshttpport

•      com.sap.aii.connect.repository.mshttpsport

•      com.sap.aii.connect.directory.mshost

•      com.sap.aii.connect.directory.mshttpport

•      com.sap.aii.connect.directory.mshttpsport

Perform the following steps:


       1.      Use the J2EE Visual Administrator and navigate to Server → Services → Security Provider.

       2.      Choose tab page Runtime → Policy Configuration.

       3.      Choose component service.naming and add the new login module EvaluateTicketLoginModule to the login module stack.

       4.      Modify login module EvaluateTicketLoginModule as follows:

                            a.      Set Position to 1.

                            b.      Set Option ume.configuration.active to true.

The resulting login module stack should look as follows:

Login Modules                                                 Flag        Options

com.sap.security.core.server.jaas.EvaluateTicketLoginModule   SUFFICIENT  {ume.configuration.active=true}

BasicPasswordLoginModule                                      SUFFICIENT  {}
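What the two SUFFICIENT flags in the stack above mean in practice is easy to get wrong, so here is a small Python model of JAAS control-flag evaluation. It is an added illustration, not SAP code: the two stand-in modules only check whether a request carries a known ticket or a known user/password, and the ticket and password values are constructed sample data. It shows that a request carrying a logon ticket never reaches BasicPasswordLoginModule, that a password logon still works as a fallback, that the stack before the change rejects a ticket-only request, and that flagging EvaluateTicketLoginModule as REQUIRED instead of SUFFICIENT would break password logons.

```python
# Toy model of JAAS login-module stack evaluation (added illustration,
# not SAP code). Ticket and password values are constructed sample data.
from dataclasses import dataclass
from typing import Optional

SUFFICIENT, REQUIRED, REQUISITE, OPTIONAL = "SUFFICIENT", "REQUIRED", "REQUISITE", "OPTIONAL"

# Constructed sample credentials: one ticket already issued by the engine
# and one password-based user.
VALID_TICKETS = {"ticket-abc123": "PIDEV"}
PASSWORDS = {"PIDEV": "s3cret"}


@dataclass
class Request:
    ticket: Optional[str] = None      # logon ticket sent by the client, if any
    user: Optional[str] = None
    password: Optional[str] = None


def evaluate_ticket_login_module(req, trace):
    """Stands in for EvaluateTicketLoginModule: accepts a known ticket."""
    trace.append("EvaluateTicketLoginModule")
    return VALID_TICKETS.get(req.ticket)


def basic_password_login_module(req, trace):
    """Stands in for BasicPasswordLoginModule: accepts a known password."""
    trace.append("BasicPasswordLoginModule")
    if req.user is not None and PASSWORDS.get(req.user) == req.password:
        return req.user
    return None


def run_stack(stack, req):
    """Evaluate a stack of (module, flag) pairs with JAAS control-flag
    semantics. Returns (principal or None, list of modules consulted).

    SUFFICIENT: success ends evaluation at once; failure moves on.
    REQUISITE:  failure ends evaluation at once with an overall failure.
    REQUIRED:   failure makes the login fail, but later modules still run.
    OPTIONAL:   never decides the outcome on its own.
    Overall success needs every REQUIRED/REQUISITE module to succeed and
    at least one module to have produced a principal."""
    trace, principal, required_failed = [], None, False
    for module, flag in stack:
        result = module(req, trace)
        if result is not None and principal is None:
            principal = result
        if flag == SUFFICIENT and result is not None:
            break                      # no further modules consulted
        if flag == REQUISITE and result is None:
            return None, trace
        if flag == REQUIRED and result is None:
            required_failed = True
    ok = principal is not None and not required_failed
    return (principal if ok else None), trace


# The stack from the table above (after the change) and the stack before it.
TICKET_STACK = [(evaluate_ticket_login_module, SUFFICIENT),
                (basic_password_login_module, SUFFICIENT)]
BASIC_ONLY_STACK = [(basic_password_login_module, SUFFICIENT)]


if __name__ == "__main__":
    print(run_stack(TICKET_STACK, Request(ticket="ticket-abc123")))
    print(run_stack(BASIC_ONLY_STACK, Request(ticket="ticket-abc123")))
```

Position 1 matters for the same reason: with the ticket module first, a ticket-bearing request is answered without consulting the password module at all, which is what removes the repeated logon prompts.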

Additional Procedure for the Runtime Workbench

Since the Runtime Workbench communicates with AS-ABAP, AS-ABAP must be able to recognize and verify logon tickets issued by the J2EE Engine. To make the J2EE Engine distinguishable as a ticket issuer, its logon ticket key pair must be modified, and the corresponding certificate must be exported from the J2EE Engine and imported into AS-ABAP.


       1.      Change the client value of the Java logon ticket as described under Using Logon Tickets.

                            a.      Use the Visual Administrator to navigate to Server → Services → Configuration Adapter.

                            b.      Expand the nodes cluster_data → server → cfg → services.

                            c.      Change to edit mode.

                            d.      Open the property sheet com.sap.security.core.ume.service.

                            e.      Change the value of login.ticket_client to a client number that does not exist in AS-ABAP, for example 001. AS-ABAP identifies the issuer of a ticket by system ID and client, so this value must not collide with one of its own clients.

                              f.      Restart the J2EE Engine.

       2.      Create a new SAPLogonTicketKeypair certificate with a distinguished name (DN) other than the one used in AS-ABAP.

                            a.      Use the Visual Administrator and navigate to Server → Services → Key Storage.

                            b.      In the frame on the right-hand side, select TicketKeystore under Views on the Runtime tab page and mark the entry SAPLogonTicketKeypair-cert.

                            c.      Choose Delete and delete the entry.

                            d.      Do the same with the entry SAPLogonTicketKeypair.

                            e.      Choose Create and create a new SAPLogonTicketKeypair entry with a DN other than the one used in AS-ABAP.

                              f.      Make sure that you

•       mark Store Certificate

•       use Key Length 1024

•       select Algorithm DSA

•       specify your <SID> as Common Name

•       fill the values for the other keys as appropriate

       3.      Export the SAPLogonTicketKeypair certificate of the J2EE Engine.

                            a.      Use the Visual Administrator and navigate to Server → Services → Key Storage.

                            b.      In the frame on the right-hand side, select TicketKeystore and mark the entry SAPLogonTicketKeypair-cert.

                            c.      Choose Export and export the certificate in either X.509 or Base64 Encoded format.

       4.      Import the J2EE certificate into AS-ABAP.

                            a.      Log on to the Integration Server (for example with client 100) and call transaction STRUSTSSO2.

                            b.      In the Certificate frame, choose Import Certificate and select the previously exported J2EE SAPLogonTicketKeypair-cert. Choose the file format that matches the export: Binary for an X.509 export, Base64 for a Base64 Encoded export.

                            c.      Choose Add to Certificate List and Add to ACL. When adding the certificate to the access control list (ACL), specify the system ID (the certificate's common name, that is, the value for CN=) and the client (the value of login.ticket_client in the UME Provider service, 001 in this example). Only tickets whose issuer matches an ACL entry are accepted by AS-ABAP.

       5.      Switch to fully qualified host names.

To ensure that Single Sign-On works properly, all services must be called with the fully qualified host name: the logon ticket is carried in a browser cookie scoped to the server's DNS domain, and a URL that uses only the short host name does not carry it. Proceed as follows:

                            a.      On AS-ABAP, change the profile parameter icm/server_port_<n> to reflect the fully qualified host name in the HOST section.

                            b.      Change the host name to a fully qualified one for the following parameters in the exchange profile:

•       com.sap.aii.rwb.server.centralmonitoring.r3.ashost (under Runtime Workbench)

•       com.sap.aii.connect.repository.name (under Connections)

•       com.sap.aii.connect.rwb.name (under Connections)

                            c.      Use the Visual Administrator to change the host name and port numbers to fully qualified ones for the following properties of the J2EE service SAP XI AF CPA Cache:

•       SLD.selfregistration.httpPort

•       SLD.selfregistration.httpsPort

•       SLD.selfregistration.hostName
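The client requirement of step 1 and the host-name requirements of step 5 can be checked before anything is restarted. The following Python audit is an added example, not an SAP tool: it assumes you have copied the relevant values out of the AS-ABAP instance profile, the exchange profile, the SAP XI AF CPA Cache service and the UME Provider service by hand, and all parameter values it contains are constructed sample data. It flags short host names, IP literals and a missing HOST section, and a login.ticket_client that collides with an existing AS-ABAP client.

```python
# Pre-flight check for the Runtime Workbench SSO settings (added
# illustration, not an SAP tool). It audits constructed copies of the
# parameter values rather than reading a live system.
import ipaddress
import re

DNS_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

# Exchange profile and CPA Cache parameters the procedure requires to be
# fully qualified.
EXCHANGE_PROFILE_HOST_PARAMS = (
    "com.sap.aii.rwb.server.centralmonitoring.r3.ashost",
    "com.sap.aii.connect.repository.name",
    "com.sap.aii.connect.rwb.name",
)
CPA_CACHE_HOST_PARAM = "SLD.selfregistration.hostName"


def is_fqdn(host):
    """True only for a DNS name with a domain part. IP literals and bare
    host names (which the logon-ticket cookie domain would not cover) fail."""
    if not host:
        return False
    host = host.rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False                   # an IP literal is not a host name
    except ValueError:
        pass
    labels = host.split(".")
    return len(labels) >= 2 and all(DNS_LABEL.fullmatch(l) for l in labels)


def parse_icm_server_port(value):
    """Split an icm/server_port_<n> value such as
    'PROT=HTTP,PORT=8000,HOST=pihost.example.com' into its KEY=value parts."""
    return dict(part.strip().split("=", 1) for part in value.split(",") if "=" in part)


def audit_sso_settings(abap_profile, exchange_profile, cpa_cache, ume_service, abap_clients):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, value in sorted(abap_profile.items()):
        if name.startswith("icm/server_port_"):
            host = parse_icm_server_port(value).get("HOST")
            if not is_fqdn(host):
                findings.append(f"{name}: HOST={host!r} is not a fully qualified host name")
    for name in EXCHANGE_PROFILE_HOST_PARAMS:
        value = exchange_profile.get(name)
        if not is_fqdn(value):
            findings.append(f"exchange profile {name}={value!r} is not fully qualified")
    host = cpa_cache.get(CPA_CACHE_HOST_PARAM)
    if not is_fqdn(host):
        findings.append(f"SAP XI AF CPA Cache {CPA_CACHE_HOST_PARAM}={host!r} is not fully qualified")
    client = ume_service.get("login.ticket_client")
    if client in abap_clients:
        findings.append(f"login.ticket_client={client} collides with an existing AS-ABAP client")
    return findings


# Constructed sample values: the state before and after the procedure.
ABAP_CLIENTS = {"000", "066", "100"}
BEFORE = dict(
    abap_profile={"icm/server_port_0": "PROT=HTTP,PORT=8000,HOST=pihost",
                  "icm/server_port_1": "PROT=HTTPS,PORT=8443"},
    exchange_profile={"com.sap.aii.rwb.server.centralmonitoring.r3.ashost": "pihost",
                      "com.sap.aii.connect.repository.name": "pihost",
                      "com.sap.aii.connect.rwb.name": "10.0.0.5"},
    cpa_cache={"SLD.selfregistration.hostName": "pihost",
               "SLD.selfregistration.httpPort": "50000"},
    ume_service={"login.ticket_client": "100"},
    abap_clients=ABAP_CLIENTS,
)
AFTER = dict(
    abap_profile={"icm/server_port_0": "PROT=HTTP,PORT=8000,HOST=pihost.example.com",
                  "icm/server_port_1": "PROT=HTTPS,PORT=8443,HOST=pihost.example.com"},
    exchange_profile={name: "pihost.example.com" for name in EXCHANGE_PROFILE_HOST_PARAMS},
    cpa_cache={"SLD.selfregistration.hostName": "pihost.example.com",
               "SLD.selfregistration.httpPort": "50000"},
    ume_service={"login.ticket_client": "001"},
    abap_clients=ABAP_CLIENTS,
)

if __name__ == "__main__":
    for finding in audit_sso_settings(**BEFORE):
        print("FINDING:", finding)
    print("after:", audit_sso_settings(**AFTER) or "no findings")
```

The host-name check deliberately rejects IP literals as well as short names, since neither matches the cookie domain the logon ticket is issued for.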

See also:

SAP Notes 768456 and 757373