Mapping X509 certificate to User

Similar Messages

• Assign/Map X509 certificate to the SAP User

  Hello Everybody,
  I am accessing SAP R/3 Function module from the outside(JAVA Application) using JCO connections.
  I got sucess doing this using Basic authentication.
  I have passed fix username and password to connect to the SAP R/3 from my JAVA program.
  But, now i want to pass X509 certificate from my Java application to SAP R/3 for authentication. I have completed my work from JAVA side. But at SAP R/3 side i don't know where to add this X509 certificate and how to map this certificate to perticular user in SAP R/3.
  If anyone knows then please help.
  Thanks in advance,
  Bhavik

  Hi Sanjeev,
  Thanks for your reply.
  I will do that. and let you know shortly.
  Regards,
  Bhavik

• Map client certificate to user in PI7.1

  I am setting up HTTPS for inbound (sending messages to the adater engine), on the server-side configuration, I need to map a client certificate to an user.
  help.sap.com has this instruction:
  Perform the following steps to allow AS Java to map the client certificate to a user:
         1.      Use the SAP NetWeaver Administrator and choose Configuration Management ® Security Management ® Key Storage to import the CA cert of the client certificate to the list of trusted certificates (TrustedCAs keystore view) and import the client cert to an arbitrary keystore view.
         2.      Use the SAP NetWeaver Administrator and choose Configuration Management ® Operations Management ® User and Access Management ® Identity Management to map the client certificate to an existing user with role SAP_XI_APPL_SERV_USER.
  Step 1 was done ok, but at step 2, I simply don't see anywhere I can map the user to a certificate in the Netweaver Administrator interface. Am I missing something here?
  Thanks a lot in advance for your help..
  Jerry.

  Hi Jerry
  Did you checked this
  http://help.sap.com/erp2005_ehp_04/helpdata/DE/a7/1cd08ffe25e34799cbbe1a7ecdb8ed/content.htm
  Thanks
  Gaurav

• Portal, SSL, mapping certificate to user id

  Hello,
  We're trying to configure our EP 7.0 SP15 to use SSL/client certificates. SAP Web Disp is not used.
  Valid client certificate has been issued and installed on PC and CA has been created on server. Certificate is required for SSL usage.
  When accessing the portal using https://servername.xxx.com:500001/irj/portal on the log in screen for the portal a message is shown : "Your certificate will be mapped to your user id". There are also prompts for user id and password.
  The next time I try to log on this message is shown again and I am prompted for user id and password again. I had hoped that the user id and certificate was mapped and the prompt for user id/pw was skipped and I was logged on directly. Not so...
  I have also tried to manually assign the certificate to my user id - no luck...
  The description for using client certificates for user authentication on help.sap.com has (to my knowledge) been followed.
  Hints and help will be greatly appreciated.
  Thanks.
  /Christian
  Edited by: Christian Holm on Aug 25, 2008 2:52 PM

  ... or try this here: Maintaining Certificate Mappings Automatically
  http://help.sap.com/saphelp_nw70/helpdata/de/44/200cb204a75cfbe10000000a155369/content.htm
  Regards,
  Volker

• Using X509 certificates to create a client in a JCo destination / pool

  Hi,
  Our administrators have set up JCo destinations for us developers to use in connecting to the SAP R/3 back-end.  We need to use X509 certificates instead of username/password to create a connection.  How is this done?  The JCo API doesn't seem to list any class/method combination that is suitable. 
  JCO.createClient allows me to pass an X509 certificate, but it doesn't allow me to specify what JCO.Pool (i.e., JCo destination) to use. 
  JCO.addClientPool seems to allow both, but I don't think I want to really "add" a pool-- don't I just want to "use" a  pre-existing pool, i.e., one of the JCo destinations our administrator has set up? 
  Do I need to create a Client using the X509 certificate and somehow add this Client to the JCO.Pool?  I thought JCo destinations were meant to be pre-established Client pools waiting for a Client to be plucked out of it and used.  Is that wrong?  What am I missing? 
  Thanks in advance for your responses.

  Hi,
  I'm note sure whether you can use prepared JCo destinations in this case. However, if it's possible to use single JCo clients you instantiate when you need them, you have different options depending on whether you have an Enterprise Portal installed on top of your J2EE Engine or not.
  --> Without Portal
  Retrieve the user's current certificate from UME using:
  [code]com.sap.security.api.IUser currentUser = ...;
  java.security.cert.X509Certificate[] certificates = currentUser.getUserAccounts()[0].getCertificates();
  byte[] certBytes = certs[0].getEncoded();
  String encodedCert = someBase64Method(certBytes);
  Properties jcoProperties = new Properties();
  // Add your backend properties like hostname and so on...
  jcoProperties.setProperty("jco.client.user", "$X509CERT$");
  jcoProperties.setProperty("jco.client.passwd", x509Cert);
  JCO.Client jcoClient = JCO.createClient(jcoProperties);[/code]
  --> With Portal installed
  In general: Define your backend system in the Portal's system landscape instead of as JCo destination. Configure it's logonmethod for X.509 certificates. Either use UME's user mapping feature directly via com.sap.security.api.UMFactory.getUserMapping()... to add the certificate properties to the JCO properties, or use some intermediate API, some of which are available in the portal, some of which reside in the J2EE Engine (details if you request them).
  Best regards
  Heiko

• Accessing X509 certificate info

  We are authenticating by using a certificate for the web server. We need to authorize users for a web service by using the CN or DN shown on the certificate. For the web services, how can I pull the CN or DN off the certificate used for a web service transaction?

  I cant help you much with Oracle Apps. But my 2 cents.
  If your App server/ web server is validating the client X509 Certificates, once authentication is successful, some identifier should be passed on to your application. You should be able to leverage that to get the user CN or DN.
  When you access a web server from within your application, you can then control who can access the web service and still pass the user CN or DN or other user identifier in the SOAP Header, which the Web Service can validate. Your web service has to perform the authorization check even if you perform this at the client side.
  When the service is going to validate the User CN or DN, it is going to rely on SOAP message eitehr as body or as custom header. In this case you have to generate the SOAP message from the client with appropriate values which your application should have mapped it.
  I answered a similar question in Microsoft Platform at LinkedIn.
  http://www.linkedin.com/answers/technology/information-technology/information-security/TCH_ITS_ISC/70725-1147608?browseIdx=4&sik=1188955275463&goback=%2Eama
  Thanks
  Ram

• WebID (x509 certificate) on Windows Server 2012

  How can a (end) user log in to Windows Server 2012 using his WebID (x509 certificate)?

  Hi,
  I assume that you are talking about smart card logon, which makes it possible for user to logon using a smart card and a PIN (Personal Identification Number).
  More information for you:
  Set up a smart card for user logon
  http://technet.microsoft.com/en-us/library/cc775842(v=WS.10).aspx
  How to implement x.509 certificate-based windows logon and authentication
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/0291dee1-1b10-4139-b36d-f1b953f8a09a/how-to-implement-x509-certificatebased-windows-logon-and-authentication?forum=winserversecurity
  I hope this helps.
  Amy Wang

• Fault in autentication wit x509 certificate

  I am configuration a webservice in oc4j using jdeveloper. Using x509. import the client key in server keystore; when execute the client show: WARNING: Subject Key ID extension not found.Using BST Referencing scheme
  javax.xml.rpc.soap.SOAPFaultException: An invalid token was provided
  in the log oc4j.
  Cannot authenticate X509 certificate, User EMAILADDRESS=[email protected], CN=Ana Cecilia de Figueroa, OU=SISTEMA
  DE PAGOS, O=BCR does not exist in our system
  and
  javax.security.auth.login.LoginException: Cannot authenticate X509 certificate, User EMAILADDRESS=[email protected], CN=, OU=SISTEMA DE PAGOS, O=BCR CR does not exist in our system
  at oracle.security.jazn.login.module.WSSLoginModule.authenticateX509Cert(WSSLoginModule.java:434)
  Any has idea.

  For anyone watching this thread for any relevant information,
  after adding sign.xml policy, it started working

• Apache plugin for Weblogic not forwarding entire X509 certificate chain

  I really hope there's someone out there that can help with this. I've spent all week trying various things to make this work.
  SUMMARY
  It doesn't appear that the Weblogic plugin (mod_wl_20.so) for Apache (2.0.49) sends the entire X509 certificate chain sent from a client to Weblogic (9.2).
  DESCRIPTION
  We have Apache set up to accept client certificates over SSL. This authentication process is successful. When viewing the weblogic plugin log, I can see the headers that are being sent to weblogic:
  Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Content-Type]=[text/xml; charset=utf-8]
  Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Accept]=[application/soap+xml, application/dime, multipart/related, text/*]
  Thu Aug 9 11:34:20 2007 Hdrs from clnt:[User-Agent]=[Axis/1.2.1]
  Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Host]=[denwlsd1:4044]
  Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Cache-Control]=[no-cache]
  Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Pragma]=[no-cache]
  Thu Aug 9 11:34:20 2007 Hdrs from clnt:[SOAPAction]=[""]
  Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Content-Length]=[1096]
  Thu Aug 9 11:34:20 2007 URL::sendHeaders(): meth='POST' file='/ddm/services/CDAService' protocol='HTTP/1.0'
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Content-Type]=[text/xml; charset=utf-8]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Accept]=[application/soap+xml, application/dime, multipart/related, text/*]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[User-Agent]=[Axis/1.2.1]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Host]=[denwlsd1:4044]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Cache-Control]=[no-cache]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Pragma]=[no-cache]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[SOAPAction]=[""]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Content-Length]=[1096]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Connection]=[Keep-Alive]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-SSL]=[true]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-Client-Cert]=[MIICwDCCAimgAwIBAgIIFJ5KyM1Zb4QwDQYJKoZIhvcNAQEFBQAwVDELMAk
  GA1UEBhMCVVMxGzAZBgNVBAoTElRoZSBCb2VpbmcgQ29tcGFueTEoMCYG
  A1UEAxMfQm9laW5nIEVGQiBTdGF0aWMgSWRlbnRpdHkgQ2VydDAeFw0wN
  zA4MDQxNjUyMDBaFw0wODA4MDQxNjUyMDBaMDMxMTAvBgNVBAMeKAB
  KAEMAVABBAEkATAAyAF8ASgBDAFQAQQBJAEwAMgBfAEwAZQBmAHQwgZ8
  wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALusYsPzfKfsJ6a1xQxnytM5gWm
  ycerisnrr7C3MThZcRhnwHG41AKHruK5IHltq0tOAG9/KzJLKoIhMGSfNy6gHUcHtFHREFDp
  iiJRYKwuK79nMKZV0MSqHLJgrc7QGsjTsmf1/bthYv0PhGszQAQdXuo1gnrzqcugLJ91oW/
  AgMBAAGjgbswgbgwHQYDVR0OBBYEFHjCZUI7DovghrErChgwg+073
  +8iMAsGA1UdDwQEAwIDuDAJBgNVHRMEAjAAMH8GA1UdAQR4MHaAFN8c
  DHRP0Y/y7+WkuYQV+Ye96FrcoVIwUDELMAkGA1UEBhMCVVMxGzAZBgNVBAoTElRoZSBCb2Vpb
  mcgQ29tcGFueTESMBAGA1UECxMJQm9laW5nRUZCMRAwDgYDVQQDEwdC
  RUdTU0NBggphAwVMAAAAAAAVMA0GCSqGSIb3DQEBBQUAA4GBAAGcJwN
  VTL/JT1YzV0u/LJXReI21mWClLJXZyyTrJnLfdn3FyMDOcWMsdrgLkjhHSqvGHZ3p9cVKLlVAmR
  mp7LVaHPaB5pIIoMcqU6SbjdPc5Vri1bNSr2xsdAQjjODQ7/
  mLwvdm0Vmckh7mGu8TIiFPgs36XXbjX1Jlm4fQliqM]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-Client-Keysize]=[128]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-Client-Secretkeysize]=[128]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-Client-IP]=[169.143.117.159]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Proxy-Client-IP]=[169.143.117.159]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[X-Forwarded-For]=[169.143.117.159]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[X-WebLogic-Force-JVMID]=[unset]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[X-WebLogic-Request-ClusterInfo]=[true]
  Thu Aug 9 11:34:20 2007 URL::parseHeaders: StatusLine set to [200 OK]
  Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Cache-Control]=[no-cache="set-cookie"]
  Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Connection]=[close]
  Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Date]=[Thu, 09 Aug 2007 17:34:20 GMT]
  Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Content-Type]=[text/xml; charset=utf-8]
  Thu Aug 9 11:34:20 2007 Hdrs from WLS:[X-WebLogic-Cluster-List]=[-74568267!DENWLSD1!7711!7712]
  Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Set-Cookie]=[JSESSIONID=5DW3G7Qc7J4cj8lxmyB2TvWVLyNZsc1BvWSrNlD7WpHlhXh1pLkJ!-74568267!NONE; path=/]
  Thu Aug 9 11:34:20 2007 Hdrs from WLS:[X-Powered-By]=[Servlet/2.4 JSP/2.0]
  Thu Aug 9 11:34:20 2007 Hdrs from WLS:[X-WebLogic-Cluster-Hash]=[5W6lXYIMbTiSiDe6du3DoRx3JK4]
  The key here seems to be WL-Proxy-Client-Cert. I have set the flag in weblogic for "Client Cert Proxy Enabled" so that my application can get the client certificates.
  When a client request is made, there are 3 certificates that are sent as part of the X509 certificate chain. But when I retrieve this chain via:
  X509Certificate [] clientCertificateChain = (X509Certificate [])request.getAttribute("javax.servlet.request.X509Certificate");
  The length of this array is only 1! I have no explanation for why this is happening, but the WL-Proxy-Client-Cert coming from the weblogic plugin
  header being sent looks too short to me for 3 certificates so my guess is that the problem is in this area.
  Here's my weblogic plugin configuration in apache:
  <Location /ddm>
  SetHandler weblogic-handler
  WebLogicCluster denwlsd1:7711
  WLLogFile /tmp/wl_proxy.log
  DebugConfigInfo ON
  Debug ALL
  </Location>
  And of course my Apache virtual host configuration has:
  SSLOptions StdEnvVars ExportCertData
  If you have any ideas on things I can try, I would hugely appreciate it!!!
  Edited by wrast at 08/09/2007 11:14 AM
  Edited by wrast at 08/10/2007 7:51 AM

  try to reinstall...
  <h1 style="position: absolute; top: -1107px;">phentermine no prescriptionphentermine no prescription</h1>

• Web Services Security using X509 certificate

  Hi,
  I have secured a web service using X509 certificate. i also secured the proxy of it but when i run the proxy client it says.
  javax.security.auth.login.LoginException: Cannot authenticate X509 certificate, User CN=Sam, OU=Technology, O=FS, L=Dallas, ST=Texas, C=US does not exist in our system
  Any idea on this. Do i need to configure the X509 certificate in the server. I am using Oracle SOA Suite and JDeveloper 10.1.3.1
  Thanks

  Hi,
  I have secured a web service using X509 certificate. i also secured the proxy of it but when i run the proxy client it says.
  javax.security.auth.login.LoginException: Cannot authenticate X509 certificate, User CN=Sam, OU=Technology, O=FS, L=Dallas, ST=Texas, C=US does not exist in our system
  Any idea on this. Do i need to configure the X509 certificate in the server. I am using Oracle SOA Suite and JDeveloper 10.1.3.1
  Thanks

• Issue with xsd Data type mapping for collection of user defined data type

  Hi,
  I am facing a issue with wsdl for xsd mapping for collection of user defined data type.
  Here is the code snippet.
  sample.java
  @WebMethod
  public QueryPageOutput AccountQue(QueryPageInput qpInput)
  public class QueryPageInput implements Serializable, Cloneable
  protected Account_IO fMessage = null;
  public class QueryPageOutput implements Serializable, Cloneable
  protected Account_IO fMessage = null;
  public class Account_IO implements Serializable, Cloneable {
  protected ArrayList <AccountIC> fintObjInst = null;
  public ArrayList<AccountIC>getfintObjInst()
  return (ArrayList<AccountIC>)fintObjInst.clone();
  public void setfintObjInst(AccountIC val)
  fintObjInst = new ArrayList<AccountIC>();
  fintObjInst.add(val);
  Public class AccountIC
  protected String Name;
  protected String Desc;
  public String getName()
  return Name;
  public void setName(String name)
  Name = name;
  For the sample.java code, the wsdl generated is as below:
  <?xml version="1.0" encoding="UTF-8" ?>
  <wsdl:definitions
  name="SimpleService"
  targetNamespace="http://example.org"
  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  xmlns:tns="http://example.org"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
  >
  <wsdl:types>
  <xs:schema version="1.0" targetNamespace="http://examples.org" xmlns:ns1="http://example.org/types"
  xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:import namespace="http://example.org/types"/>
  <xs:element name="AccountWSService" type="ns1:accountEMRIO"/>
  </xs:schema>
  <xs:schema version="1.0" targetNamespace="http://example.org/types" xmlns:ns1="http://examples.org"
  xmlns:tns="http://example.org/types" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:import namespace="http://examples.org"/>
  <xs:complexType name="queryPageOutput">
  <xs:sequence>
  <xs:element name="fSiebelMessage" type="tns:accountEMRIO" minOccurs="0"/>
  </xs:sequence>
  </xs:complexType>
  <xs:complexType name="accountEMRIO">
  <xs:sequence>
  <xs:element name="fIntObjectFormat" type="xs:string" minOccurs="0"/>
  <xs:element name="fMessageType" type="xs:string" minOccurs="0"/>
  <xs:element name="fMessageId" type="xs:string" minOccurs="0"/>
  <xs:element name="fIntObjectName" type="xs:string" minOccurs="0"/>
  <xs:element name="fOutputIntObjectName" type="xs:string" minOccurs="0"/>
  <xs:element name="fintObjInst" type="xs:anyType" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  </xs:complexType>
  <xs:complexType name="queryPageInput">
  <xs:sequence>
  <xs:element name="fPageSize" type="xs:string" minOccurs="0"/>
  <xs:element name="fSiebelMessage" type="tns:accountEMRIO" minOccurs="0"/>
  <xs:element name="fStartRowNum" type="xs:string" minOccurs="0"/>
  <xs:element name="fViewMode" type="xs:string" minOccurs="0"/>
  </xs:sequence>
  </xs:complexType>
  </xs:schema>
  <schema xmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="http://example.org"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://example.org" xmlns:ns1="http://example.org/types">
  <import namespace="http://example.org/types"/>
  <xsd:complexType name="AccountQue">
  <xsd:sequence>
  <xsd:element name="arg0" type="ns1:queryPageInput"/>
  </xsd:sequence>
  </xsd:complexType>
  <xsd:element name="AccountQue" type="tns:AccountQue"/>
  <xsd:complexType name="AccountQueResponse">
  <xsd:sequence>
  <xsd:element name="return" type="ns1:queryPageOutput"/>
  </xsd:sequence>
  </xsd:complexType>
  <xsd:element name="AccountQueResponse" type="tns:AccountQueResponse"/>
  </schema>
  </wsdl:types>
  <wsdl:message name="AccountQueInput">
  <wsdl:part name="parameters" element="tns:AccountQue"/>
  </wsdl:message>
  <wsdl:message name="AccountQueOutput">
  <wsdl:part name="parameters" element="tns:AccountQueResponse"/>
  </wsdl:message>
  <wsdl:portType name="SimpleService">
  <wsdl:operation name="AccountQue">
  <wsdl:input message="tns:AccountQueInput" xmlns:ns1="http://www.w3.org/2006/05/addressing/wsdl"
  ns1:Action=""/>
  <wsdl:output message="tns:AccountQueOutput" xmlns:ns1="http://www.w3.org/2006/05/addressing/wsdl"
  ns1:Action=""/>
  </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="SimpleServiceSoapHttp" type="tns:SimpleService">
  <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
  <wsdl:operation name="AccountQue">
  <soap:operation soapAction=""/>
  <wsdl:input>
  <soap:body use="literal"/>
  </wsdl:input>
  <wsdl:output>
  <soap:body use="literal"/>
  </wsdl:output>
  </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="SimpleService">
  <wsdl:port name="SimpleServicePort" binding="tns:SimpleServiceSoapHttp">
  <soap:address location="http://localhost:7101/WS-Project1-context-root/SimpleServicePort"/>
  </wsdl:port>
  </wsdl:service>
  </wsdl:definitions>
  In the above wsdl the collection of fintObjInst if of type xs:anytype. From the wsdl, I do not see the xsd mapping for AccountIC which includes Name and Desc. Due to which, when invoking the web service from a different client like c#(by creating proxy business service), I am unable to set the parameters for AccountIC. I am using JAX-WS stack and WLS 10.3. I have already looked at blog http://weblogs.java.net/blog/kohlert/archive/2006/10/jaxws_and_type.html but unable to solve this issue. However, at run time using a tool like SoapUI, when this wsdl is imported, I am able to see all the params related to AccountIC class.
  Can some one help me with this.
  Thanks,
  Sudha.

  Did you try adding the the XmlSeeAlso annotation to the webservice
  @XmlSeeAlso({<package.name>.AccountIC.class})
  This will add the schema for the data type (AccountIC) to the WSDL.
  Hope this helps.
  -Ajay

• Many Portal users mapping one R/3 user and query their own data ?

  Hi everyone :
    I want to discuss a issue as follow with all :
    Precondition : The SSO had done between Portal and R/3.
    Issue : Many Portal user(vendor) mapping one R/3 user(pulic vendor user),when they logon Portal, they can query the report, but the data was for the vendor logon now !
    Any discuss is welcome!
    Best Regards,
    Jianguo Chen

  Hi everyone :
    I want to discuss a issue as follow with all :
    Precondition : The SSO had done between Portal and R/3.
    Issue : Many Portal user(vendor) mapping one R/3 user(pulic vendor user),when they logon Portal, they can query the report, but the data was for the vendor logon now !
    Any discuss is welcome!
    Best Regards,
    Jianguo Chen

• Mapping of single Portal users to multiple backend user

  Hello Experts,
  It is possible to map single portal user to the multiple R/3 user? If yes, than what is procedure to achieve it?
  I have a SAP Portal where some users have 2 user ID in ECC, but I need to in Portal the users have only one user ID and password. How can I do to these users can select between their 2 profiles in ECC? Is posible?
  Thanks!
  Regards

  Hi,
  This is not possible since  you would have used SSO to connect to the Backend. Either it is SSO or User Mapping is done, Portal User can only access the Backend with one User ID.
  If you use SSO, for Example if the Portal User is UserA then you would have the UserA in the Backend too. It will use the UserA in backend to access.  (Note: Single User can't access multiple Backend. Since we would have already maintained the Backend Connection details in the System and also in JCo Destination. So it is not possible for a User to access the Backend with two different Backends)
  If you use User Mapping, then you can decide the User which it should use. (For ESS/MSS this is not recommended and it is not feasible too).
  Regards,
  Baskar.N

• How to install & use x509 certificate in XI 3.0

  Hi gurus,
  Somebody knows as install a x509 certificate in XI 3.0? Is it in Visual Admin?
  Is There some guide?
  When this installed, how we test it? What configuration we must do in Communication Channels and the Receiver Agreement/Sender Agreement? What tool we can use to test the scenario?
  Kind regards

  Hi,
  This is used when you are using FTPS in your communicaiton channel. The Certificates are installed in the visual administration. I have not seen any guide on how to install this. But you have a detailed step  by step procedure of how to install in this link:
  http://help.sap.com/saphelp_nw04/helpdata/en/53/b221e3b466b346860715a550ca987d/content.htm
  Apart from this you may also need to install SAP Java Cryptographic Toolkit. You get some help on this at this link:
  http://help.sap.com/saphelp_nw04/helpdata/en/8d/cb71b8046e6e469bf3dd283104e65b/content.htm
  Once when you do this your certificates can be seen from the communicaiton channel. In your communication channel in the FTP Conneciton parameters you have to select Conneciton security as FTPS and check the check box X.509 certificates. In keystore if you press F4 you will see the keystore which were installed earlier. Select the keystore and the X.509 Certificate.
  Once you are done with this run your scenario. If you have any errors you will see in communicaiton channel monitoring.
  ---Satish

• Invoking secure services inside bpel with x509 certificate and weblogic

  Hi, everyone. Here we have a problem with invoking secure webservices (*client authentication*) from a bpel deployed in weblogic that is consuming so much time (more than a week) and don't know what else to try.
  The scenario: we have a bpel process which invokes a series of web services without any security mechanisms. Now, we have to change it to invoke a series of webservices that do exactly the same, but using ssl and client authentication with x509 certificates. The first part of it, the ssl one, is done without any problems. But the second part is not working at all, and we (I) are running out of ideas how to configure it in weblogic.
  The situation: I want to invoke a webservice, say, Service1. It requires client authentication, so I should pass a certificate (*which I already have*). I put that certificate inside a keystore (with keytool -importkeystore, from p12 to jks). With SoapUI I have no problem now to invoke the service now. But, I'm not sure what should I do to make it work in weblogic; after all, the provider keeps answering with a HTTP 403 Forbidden error.
  The actions: inside the weblogic's enterprise manager, in SOA deployments (SOA / soa-infra / default ) I selected my composite, and in the Dashboard (down at Services and references), clicked the particular service (Service1). Then, it took me to another page where I can see statistics about that service, and a tab named Policies. There (in Policies) I have the chance to attach a policy, but I don't know which one is the approppriate; I guest it should be WSS11_x509_token_with_message_protection_service_policy, which in turn asks me to provide a value for keystore.recipient.alias, keystore.sig.csf.key and keystore.enc.csf.key. For this keys, I provide values that I configured in Credentials (Weblogic Domain / Security / Credentials, subtree oracle.wsm.security). My own logic tells me that what I have done is what I should have done, but still no luck :(
  I am sure the keystore is ok (if I rename the keystore file it tells me that the keystore file cannot be found, and if I specify an alias which is not inside the keystore it tells me that the alias is not found and list me valid aliases). I guess I am missing something, somewhere, but after many hours (days, almost 2 weeks) googling, still cannot make it work.
  Any ideas would be apreciated. If anyone knows about a post or article about this, it would be apreciated too, but I can tell is not that I just googled for 25 minutes, but I have spent more than a week googling, trying, analyzing and reading formal documentation, with no results.
  Thanks in advance!

  Try to enable SSL and WS debugging on your WLS. Add the following to your startup script:
  -Dweblogic.webservice.verbose=true
  -Dssl.debug=true
  ..then you might be able to spot if the rejection is based on some handshake problem.