Tuesday, July 26, 2011

J2EE SSO Configuration


1. Log on to Visual Administrator: Server => Services => Security Provider.
a. Select the User Management tab and the pencil icon.
b. Select Manage Security Stores; highlight UME User Store and EvaluateTicketLoginModule; click View/Change Properties.
i. Under Options fill in the Name and Value as follows:
These parameters come in sets, one set per system that has a trust relationship with this J2EE engine: the consumer portal is set 1, the production client is set 2 and the system client is set 3. The values for dn and iss must match the certificates in use on the respective system.
Name                        Value
trustedsys1                 , 000
trustedsys2                 , 100
trustedsys3                 , 000
trusteddn1                  CN=, OU=J2EE
trusteddn2                  CN=, OU=ABAP, O=SAP Trust Community, C=DE
trusteddn3                  CN=, OU=ABAP, O=SAP Trust Community, C=DE
trustediss1                 CN=, OU=J2EE
trustediss2                 CN=, OU=ABAP, O=SAP Trust Community, C=DE
trustediss3                 CN=, OU=ABAP, O=SAP Trust Community, C=DE
ume.configuration.active    true
ii. Click OK and ignore message about ‘unable to apply to SDK–XMLA Policy Configuration’
c. Select Manage Security Stores; highlight UME User Store and EvaluateAssertionTicketLoginModule; click View/Change Properties.
i. Under Options fill in the Name and Value as follows:
These parameters come in sets, one set per system that has a trust relationship with this J2EE engine: the consumer portal is set 1, the production client is set 2 and the system client is set 3. The values for dn and iss must match the certificates in use on the respective system.
Name                        Value
trustedsys1                 , 000
trustedsys2                 , 100
trustedsys3                 , 000
trusteddn1                  CN=, OU=J2EE
trusteddn2                  CN=, OU=ABAP, O=SAP Trust Community, C=DE
trusteddn3                  CN=, OU=ABAP, O=SAP Trust Community, C=DE
trustediss1                 CN=, OU=J2EE
trustediss2                 CN=, OU=ABAP, O=SAP Trust Community, C=DE
trustediss3                 CN=, OU=ABAP, O=SAP Trust Community, C=DE
ii. Click OK and ignore message about ‘unable to apply to SDK–XMLA Policy Configuration’
2. Choose Policy Configurations tab and highlight ticket.
a. If the fully qualified name for the login module is displayed, for example, com.sap.security.core.server.jaas.EvaluateTicketLoginModule, then remove the login module (highlight it and choose the remove button below).
b. If you removed it or it didn’t exist, now choose the add button below. You can now choose EvaluateTicketLoginModule and add/re-add it. Position it at the top of the stack (choose the modify button below and use the down arrow (for location) to move EvaluateTicketLoginModule to position 1). Verify that the flag is SUFFICIENT and the ACL info is correct for EvaluateTicketLoginModule.
c. Check EvaluateAssertionTicketLoginModule; it may need to be modified from REQUIRED to SUFFICIENT.
3. Import Consumer Portal certificate:
a. From VA - Using the Key Storage service on the accepting server, select the TicketKeystore view. Choose Load. Select the file from the file system (.crt) and choose OK.
b. The certificate is stored in the selected view as a CERTIFICATE entry.
4. Import ABAP certificate (same as step 3, just a different file):
a. From VA - Using the Key Storage service on the accepting server, select the TicketKeystore view. Choose Load. Select the file from the file system (_abap.crt) and choose OK.
b. The certificate is stored in the selected view as a CERTIFICATE entry.
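The trust parameters above are only effective as complete triples: a logon ticket is accepted when the issuing system/client and the signing certificate's subject and issuer DN all match one trustedsysN/trusteddnN/trustedissN set. The Python below is an added example (not from the post or from SAP) that models that matching and flags incomplete sets; the SIDs and CNs are constructed placeholders, and signature verification against the TicketKeystore is deliberately left out.

```python
import re

# Constructed sample options (placeholder SIDs and CNs, not a real landscape),
# in the shape of the Name/Value table on EvaluateTicketLoginModule.
OPTIONS = {
    "trustedsys1": "EP1, 000",
    "trusteddn1": "CN=EP1, OU=J2EE",
    "trustediss1": "CN=EP1, OU=J2EE",
    "trustedsys2": "PRD, 100",
    "trusteddn2": "CN=PRD, OU=ABAP, O=SAP Trust Community, C=DE",
    "trustediss2": "CN=PRD, OU=ABAP, O=SAP Trust Community, C=DE",
    "trustedsys3": "PRD, 000",  # dn/iss for set 3 left out on purpose
    "ume.configuration.active": "true",
}

REQUIRED = {"sys", "dn", "iss"}


def _norm_dn(dn):
    """Compare DNs component-wise, ignoring whitespace around the commas."""
    return ",".join(part.strip() for part in dn.split(","))


def trust_sets(options):
    """Group trustedsysN / trusteddnN / trustedissN into one dict per index N."""
    sets = {}
    for name, value in options.items():
        m = re.fullmatch(r"trusted(sys|dn|iss)(\d+)", name)
        if m:
            sets.setdefault(int(m.group(2)), {})[m.group(1)] = value.strip()
    return sets


def incomplete_sets(options):
    """Indices missing sys, dn or iss: tickets from that system are rejected."""
    return sorted(n for n, s in trust_sets(options).items() if REQUIRED - set(s))


def ticket_is_trusted(options, sid, client, signer_subject, signer_issuer):
    """Accept only when a complete set matches SID, client, subject DN and issuer DN.
    Simplified model: the signature check against the TicketKeystore is omitted."""
    for s in trust_sets(options).values():
        if REQUIRED - set(s):
            continue
        want_sid, want_client = (p.strip() for p in s["sys"].split(",", 1))
        if (sid.strip(), client.zfill(3)) != (want_sid, want_client.zfill(3)):
            continue
        if (_norm_dn(signer_subject) != _norm_dn(s["dn"])
                or _norm_dn(signer_issuer) != _norm_dn(s["iss"])):
            continue
        return True
    return False
```

Running incomplete_sets on the sample reports set 3, which is exactly the kind of half-filled entry that makes SSO from one client silently fail while the others work.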

1 comment:

Tani said...

Such a detailed explanation you have provided for J2EE SSO Configuration. I really appreciate your efforts in collecting so much informative content.