Single Sign-on with SAP Netweaver 7.3

 In this post lets discuss about how to configure Single Sign-on SAP Netweaver 7.3.

Two things are needed to be done for SSO between EP and SAP Backend system.

1)  Exporting the ticket from Portal and importing it in to SAP Backend system.
2)  Adding the backend owner certificate and importing it to the portal (Add trusted system).(You can also add the backend system as trusted system  By Querying Trusted System)

Profile Parameters-
Set below parameters in As ABAP system in instance profile-
  1. login/create_sso2_ticket=2
  2. login/accept_sso2_ticket=1
  3. login/password_change_for_SSO=0 (Optional) (The obligation to change the password is ignored)
  4. icm/host_name_full= <FQDN>
  5. SAPFQDN=<domain name> (Set this parameter in Default Profile)
Set below parameters in As Java in default profile-
  1. SAPFQDN=<domain name>

Note: After all the parameters are set, restart your system.


1) Go to URL http://<server>:<port>/sso2

Click on Add Trusted system – By Querying Trusted System

Select system Type- ABAP (In case of single sign-on between 2 As Java systems, select Java)
On next screen, enter details of As ABAP system

If you are not using SNC then keep option Disable in SNC Protection.
On next screen, click Finish.

Now system will be visible as trusted system.

2) Go to nwa of As Java (http://<server>:<port>/nwa)

Navigate to  Configuration >Authentication and Single Sign-ON > Authentication > Components > Policy Configuration Name > ticket.

a) Under authentication stack, select EvaluateTicketLoginModule Template, as a result of step 1, your called system will be automatically populated there.
Click on Edit.

b) Select Module CreateTicketLoginModule and Make its Flag as SUFFICIENT.
c) For CreateTicketLoginModule, Add following properties under Options of login module “CreateTicketLoginModule”
Name                                                 Value
Trusteddn1                                       CN=<SID>
Trustedss1                                         CN=<SID>
Trustedsys1                                       <SID>,<Client>                true

3) Go to nwa (http://<server>:<port>/nwa)

a) Go to Configuration- Certificates and Keys
b) Select TicketKeystore key storage views
c) Make sure that entry of your As ABAP system should be there.
d) Delete SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert under Details of view “TicketKeystore.
e) Click on Create Entry
Enter below details here-
Entry Name- SAPLogonTicketKeypair
Algorithm- DSA
Key Length- 1024
Select Store Certificate Option. And click next.
Enter below details-
Click on Finish. 
After that, SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert entries will populate.
4) Download certificate of As Java system and upload it on As ABAP system.

a) Go to nwa http://<server>:<port>/nwa
b) Go to Configuration- Certificates and Keys
c) Select TicketKeystore key storage views
d) Export SAPLogonTicketKeypair-cert certificate.
e) Select export format as Base64X.509

f) Import this portal certificate in As ABAP system in t-code strustsso2.
g) Add this portal certificate to Add to Certificate list  and Add to ACL (while adding to ACL list, Enter SID of As Java system and client as 000).
h) Restart the As Java system.

5) Go to http://<server>:<port>/irj/portal

a) Go to System Administration- System Landscape- System Landscape Overview- System Landscape.
b) Click on New.

c) Create System Object using Template. Please choose system template as per your requirement. In my case, I selected system template- SAP system using dedicated application server.
d) Enter details as below
System Name
System ID

e) Enter Alias Name and click on Add.

f) On Next screen, enter details for Connector, ITS and Web Application Server.

i) Connector

Enter all details (Under application host, please enter FQDN)
ii) ITS

Enter all details (Under ITS Host Name, please enter FQDN)
ITS Host Name- <FQDN>:<ITS Port>
ITS Path-  /sap/bc/gui/sap/its//webgui
ITS Protocal- HTTP (In case, HTTPS is activates then select HTTPS)
iii) User Management.
iv) Web Application Server (Web AS)

Enter all details (Under ITS Host Name, please enter FQDN)
ICM Host Name- <FQDN>:<As ABAP port>
ICM Protocol- HTTP (In case, HTTPS is activates then select HTTPS)
Under Additional Wizard Steps, unmark checkbox. And click on Finish.
g) Click on Connection Test for this object and perform connection test for Connector, ICM & Web AS. And all tests should be successful.

6) Check Single Sign-On. Go to http://<server>:<port>/irj/portal
a) System Administration – Support- Application Integration and Session Management- Test and Configuration tools.
b) Under Tool, Select Transaction and Click on run.
c) Under System, Select System that you created in step 5 and Enter any transaction code of your As ABAP system. And click on Go.
d) It should login to your backend As ABAP system without asking password.

By this way, Single Sign-On between your As ABAP and As Java system is configured.
In case, you face any problem during this test, then please refer to SAP note 495911 to activate trace and then analyze logs.
Cheers !!!

1 comment: