SAPLogon Ticket

Hi Guys,
OK, first I would like to tell you what exactly I am doing: I have to check whether the portal certificate exists in the backend or not. I am working on WD.
I am able to retrieve the certificate information from the backend; now I need to get the information about the Portal Logon Ticket, e.g. the issuer of the certificate,
so that I can compare it with the backend.
Can anyone tell me how I can read the content of the SAP Logon Ticket?
Thanks
Regards
Yasir Noman

Yasir, try reading accurately.
The documentation also talks about the Java Ticket Verification Library.
"The Java Ticket Verification Library is coded in pure Java. It provides functions that allow non-SAP applications to verify SAP logon tickets and extract the user ID from the logon ticket. Use this library in preference to the C Ticket Verification Library and the dynamic link library SAPSSOEXT."
The javadocs can be found here:
https://media.sdn.sap.com/javadocs/NW04/SP12/ume/com/sap/security/api/ticket/TicketVerifier.html
I really don't know why you need more...
Regards, Karsten

Similar Messages

  • Document Auth and saplogon Ticket

    Hi all,
    I have an EJB in which I am accessing an RFC using an RFC destination. I have exposed the EJB as a web service with Document Authentication.
    In the RFC destination I have configured the destination to use the SAP logon ticket.
    In the Security Provider I have changed that web service component to use the Ticket template.
    But when I access the web service it gives the error "No logon Ticket Found".
    I was able to use the same web service without Document Authentication, but with Document Authentication it does not work.
    Does Document Auth support the SAP logon ticket?
    Regards
    Divyakumar Jain

    Hi,
    Thanks for your reply and co-operation.
    Currently I am using username & password based authentication. Later I have to use certificate-based authentication. Actually I am trying all the scenarios in my free time.
    For HTTP authentication everything is working fine, but for Document-based authentication I am facing a problem.

  • Is the IP Address embedded in the SapLogon Ticket?

    Hi,
    We are in the middle of the development of an SSO solution and we have a question: does the IP address go embedded into the SAP logon ticket?
    Thanx a lot!

    I found this in a presentation.
    SAP logon tickets contain:
    - User ID(s)
    - Authentication scheme
    - Validity period
    - Issuing system
    - Digital signature
    SAP logon tickets do NOT contain any passwords!
    So according to this, the IP address does not travel in the SAP logon ticket.

  • How to change the existing sap logon ticket

    HI
    I did the system copy from my production server to the quality server.
    Now everything is working except Single Sign-On. This is due to the SAP logon ticket.
    The SAP logon ticket shows the PRD SID. I am not able to change the existing SID in the ticket.
    Tell me how to change the old SAP logon ticket to a new one.
    Workaround I did on my server:
    generated the new certificate for the quality server and tried to import it in the R/3 000 client, but not successful.

    Hello Lee,
    You don't have to import the certificate from R/3 into the portal;
    we have to generate the certificate in the portal and then import it in R/3.
    To generate the portal certificate in the quality Portal system and upload it in R/3, please find the method:
    Log on to the Visual Admin of the Portal with the administrator ID and password. Go to the following node: Server 0 1_34158->services and then Key Storage.
    In Key Storage, go to TicketKeyStorage.
    Under Entry, choose Create.
    The Key and Certificate Generation dialog appears.
    Enter the Subject Properties in the corresponding fields:
    CN=<Common Name>, OU=<Organization Unit Name>, O=<Organization Name>, L=<Locality Name>, ST=<State/Province>, C=DE. Give the SID of the portal in CN.
    Give the Entry name as SAPLogonTicketKeypair.
    Select Algorithm as DSA, also click on store certificate, and then generate.
    You will see that along with SAPLogonTicketKeypair, SAPLogonTicketKeypair-cert will also get generated.
    Now we will have to import this SAPLogonTicketKeypair-cert in the ABAP systems.
    First we will have to download the certificate from the portal.
    Now log on to the SAP NetWeaver Portal with the user administrator.
    Go to System Administration->System Configuration and then Keystore Administration.
    In the Content tab you will find the list of certificates.
    We have to download SAPLogonTicketKeypair-cert. Click on Download verify.der file
    and save it to your desktop.
    Now we have to import the certificate in the ABAP system.
    Log on to the ABAP system 000 client and use T-Code STRUSTSSO2.
    Under Certificate, click on Import certificate.
    Give the path of the verify.der file. The file format should be Binary.
    And upload it.
    Now you can see the certificate has been uploaded. Check for the validity.
    Now click on Add to certificate to add this.
    Now click on Add to ACL.
    Enter System ID as the portal SID (i.e. SPQ) and client as 000 and click on OK.
    Then save your entries.
    Hope this makes it clear
    Rohit
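
A pre-import check for the verify.der file from the steps above, as an added example that is not part of the original posts: it reads subject, issuer, validity and signature algorithm directly from the DER bytes, so the CN can be compared with the SID that will be entered in the ACL (the system-copy case where the certificate still names PRD). Function names are hypothetical, and the sample certificate is constructed in the code with placeholder key and signature bytes.

```python
from datetime import datetime, timezone

# DER-encoded attribute OIDs for the Subject Properties fields named in the steps.
ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x0b": "OU", b"\x55\x04\x0a": "O",
        b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST", b"\x55\x04\x06": "C"}
DSA_SHA1 = b"\x2a\x86\x48\xce\x38\x04\x03"  # OID 1.2.840.10040.4.3 (dsa-with-sha1)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_name(value):
    """X.501 Name -> dict such as {'C': 'DE', 'CN': 'SPQ'}."""
    name = {}
    for _, rdn in children(value):         # each RDN is a SET
        for _, atv in children(rdn):       # of SEQUENCE { OID, string }
            (_, oid), (_, text) = children(atv)[:2]
            name[ATTR.get(oid, oid.hex())] = text.decode("utf-8", "replace")
    return name


def parse_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:                        # UTCTime: two-digit year, RFC 5280 pivot at 50
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def inspect_cert(der):
    """Extract the fields to compare between portal and backend."""
    _, cert, _ = read_tlv(der, 0)
    tbs = children(children(cert)[0][1])
    if tbs[0][0] == 0xA0:                  # optional explicit [0] version
        tbs = tbs[1:]
    # Remaining order: serial, signature algorithm, issuer, validity, subject, key
    (t1, v1), (t2, v2) = children(tbs[3][1])
    return {"issuer": parse_name(tbs[2][1]), "subject": parse_name(tbs[4][1]),
            "not_before": parse_time(t1, v1), "not_after": parse_time(t2, v2),
            "dsa_sha1": children(tbs[1][1])[0][1] == DSA_SHA1}


def check_before_acl(der, expected_sid, now):
    """Return a list of problems; an empty list means CN and validity look right."""
    info, problems = inspect_cert(der), []
    cn = info["subject"].get("CN")
    if cn != expected_sid:
        problems.append(f"subject CN {cn!r} does not match expected SID {expected_sid!r}")
    if not info["not_before"] <= now <= info["not_after"]:
        problems.append("certificate is outside its validity period")
    return problems


# --- constructed sample input (structure only, no real key or signature) ---
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value


def sample_cert(cn, not_after):
    name = tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, val.encode())))
        for oid, val in ((b"\x55\x04\x06", "DE"), (b"\x55\x04\x03", cn))))
    alg = tlv(0x30, tlv(0x06, DSA_SHA1))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, not_after))
    key = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00"))          # placeholder
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + alg + name + validity + name + key)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(40)))  # placeholder signature


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for cn in ("SPQ", "PRD"):
        print(cn, check_before_acl(sample_cert(cn, b"340101000000Z"), "SPQ", now))
```

For a real file, pass `open("verify.der", "rb").read()` and the current UTC time to `check_before_acl`.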

  • How can we hide the URL with Webdispatcher after SSO redirect

    Repost in correct forum
    We have set up SSO with Kerberos and SPNEGO for NWBC and now we want to expose it to the internet via SAP Web Dispatcher.
    NWBC is on a single-stack ABAP system on server1 and we have configured a standalone J2EE system on server2 for issuing the SAP logon ticket.
    This works fine with the redirect from ICF NWBC -> Error Pages -> Logon Error -> Redirect to URL (Form Fields) http://server2:port/redirect/redirect.jsp
    On server2 we have a Java application (redirect/redirect.jsp) which has %response.sendRedirect("http://server1:port/nwbc")%
    The problem is that when the Web Dispatcher calls http://server1:port/nwbc the URL in the browser is hidden with MYDOMAIN.COM/nwbc, but when the logon error (no SAP logon ticket yet) is redirecting to http://server2:port/redirect/redirect.jsp the browser is showing the actual URL http://server2:port/redirect/redirect.jsp, and also when returning to NWBC the browser is showing http://server1:port/nwbc.
    And we don't want to expose hostnames (server1 and server2) to the internet.
    I got this answer:
    This question belongs to the SAP NetWeaver Application Server space, this space is for NWSSO topics only, the separately licensed product from SAP.
    Regarding your question you have to configure Web Dispatcher for both AS JAVA and AS ABAP and refer to Web Dispatcher URLs only. That includes ICF node configuration and the redirect servlet. The URL generation in AS ABAP needs to be configured so that URLs are generated to point to the Web Dispatcher. Use table HTTPURLLOC for that.
    But how do I set up webdispatcher for both ABAP http://server1:port/nwbc (this is working fine before SSO config.) and JAVA http://server2:port/redirect/redirect.jsp?
    This is my profile on webdispatcher:
    SAPSYSTEMNAME = SID
    SAPGLOBALHOST = LOCALHOST
    SAPSYSTEM = XX
    INSTANCE_NAME = INS
    DIR_CT_RUN = $(DIR_EXE_ROOT)\$(OS_UNICODE)\NTAMD64
    DIR_EXECUTABLE = $(DIR_CT_RUN)
    #SAP Cryptolib
    DIR_INSTANCE = D:\usr\sap\SID\INS
    ssl/ssl_lib = D:\usr\sap\SID\INS\sec\sapcrypto.dll
    ssf/ssfapi_lib = D:\usr\sap\SID\INS\sec\sapcrypto.dll
    sec/libsapsecu = D:\usr\sap\SID\INS\sec\sapcrypto.dll
    ssf/name = SAPSECULIB
    wdisp/ssl_encrypt = 0
    icm/HTTPS/verify_client=0
    wdisp/add_client_protocol_header = true
    wdisp/auto_refresh = 120
    wdisp/max_servers = 100
    ssl/server_pse = D:\usr\sap\SID\INS\sec\sid2SSL.pse
    rdisp/mshost = <ip for abap server1>
    ms/http_port = <ms http port for abap server1>
    # Configuration for large scenario
    icm/max_conn = 16384
    icm/max_sockets = 16384
    icm/req_queue_len = 6000
    icm/min_threads = 100
    icm/max_threads = 250
    mpi/total_size_MB = 500
    mpi/max_pipes = 21000
    # SAP Web Dispatcher Ports
    is/HTTP/default_root_hdl = abap
    icm/HTTP/j2ee_0 = PROT=HTTP,HOST=Server2,PORT=5xxxx
    icm/server_port_1 = PROT=HTTP,HOST=localhost,PORT=xxxxx
    icm/server_port_0 = PROT=HTTPS,HOST=mydomain,PORT=xxx
    icm/HTTP/mod_0 = d:\usr\sap\SID\SYS\profile\filter_rules.txt
    icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),PORT=xxxxx,HOST=LOCALHOST
    and this is the filter_rules.txt
    # Rules
    if %{HTTP_HOST}  RegIMatch MYDOAMIN.COM*
    RegIRewriteUrl ^/$ /sap/bc/nwbc?sap-client=200
    if %{HTTP_HOST}  RegIMatch mydomain.com*
    RegIRewriteUrl ^/$ /sap/bc/nwbc?sap-client=200
    if %{HTTPS_HOST}  RegIMatch MYDOMAIN.COM*
    RegIRewriteUrl ^/$ /sap/bc/nwbc?sap-client=200
    if %{HTTPS_HOST}  RegIMatch mydomain.com*
    RegIRewriteUrl ^/$ /sap/bc/nwbc?sap-client=200
    I am new to this area

    You can use Web Dispatcher for multiple systems, in your case one AS ABAP and one AS JAVA. See the documentation, Implement one webdispatcher for multiple systems - Basis Corner - SCN Wiki and Name-based virtual hosts and one SAP Web Dispatcher to access multiple SAP systems.

  • BusinessObjects Portal Integration - iView Template Missing

    Hello
    I have installed my BusinessObjects for Portal as follows:
    1. We already have BI 7.0 on SQL 2005 on BIDEMOSER SERVER.
    2. Installed BusinessObjects Enterprise 3.1 , Crystal Reports 2008, SAP GUI 7.1 and SAP Integration Kit on this new server name : BODEMOSER.
    3. We already have EP 7.0 on Oracle 10.2 on EPDEMOSER SERVER.
    I have installed BOE 3.1 and integrated it with the BI server and imported the roles, and all the functions are working fine between BO and BI. For Portal integration I have transferred the masterview file com.businessobjects.pct.masteriview.par from the BODEMO SERVER to the EPDEMOSER SERVER.
    And it was uploaded on the EPDEMOSER SERVER under System Administration --> Support --> uploaded successfully. And I have followed the SSO configuration as per the guide. And the values in the Web.xml files are properly set as per the guide.
    After uploading the masterview par file I am not able to view the iView template in the system. I have cleaned the cookies and all temp files.
    As per the guide I have created a folder named BI_BO and a system named BI_BO_DEMO. Now I started creating an iView template by right-clicking the system name BI_BO_DEMO and provided the following parameters for each Property Category.
    CRYSTAL Enterprise server:
    Host Name of Crystal Enterprise Server      :     BODEMOSER.srv.com:8080
    Path of Crystal Enterprise Server      :     /SAP
    Protocol of Crystal Enterprise Server      :     http
    User Management
    Authentication Ticket Type     :     SAP Logon Ticket
    Logon Method                :     SAPLOGON TICKET
    User Mapping Fields 
    User Mapping Type
    Connector
    Application Host       :     BIDEMODER.srv.com
    Gateway Host       :     BIDEMODER.srv.com
    Gateway Service       :     sapgw00
    Logical System Name       :     BIDCLNT001
    Remote Host Type      :     3
    SAP Client            :     001     
    SAP System ID      :     BID
    SAP System Number       :     00
    Server Port 
    SNC Library Path 
    SNC Mode - Select -01
    SNC Name 
    SNC Partner Name 
    SNC QOP (Security Level) :     0
    System Type      :     SAP_BW
    Trace Mode           :     0
    System Alias
    Created a System Alias as : SAP_BW
    And tested the connection where it gives as
    Test Connection with Connector
      Test Details:
    The test consists of the following steps:
    1. Retrieve the default alias of the system
    2. Check the connection to the backend application using the connector defined in this system object
      Results
    Retrieval of default alias successful
    Connection failed. Make sure that Single Sign-On is configured correctly
    Should I install the BO Integration kit in the EP portal also, or is any Portal Integration kit available?
    Regards
    Bala

    Hi,
    1. Whether Integration kit for SAP should be installed in EP Server also (which has been installed in BO server for BI, and the SSO for BI and EP STRUSTSSO2 also works fine).
    - The portal is acting as the frontend for viewing content, and yes, there needs to be trust between your portal and your BW system.
    2. The connector parameter and the iView template object parameter as correct as per the distributed environment.
    When I checked with the portal admin, they asked what should be the Crystal Enterprise server (BO) and what server the connector parameter should have.
    - The Crystal Enterprise parameters do not influence the connector properties and do not lead to the point that the connector settings fail. The Crystal Enterprise parameters are only relevant when viewing SAP BusinessObjects related content.
    Make sure your connector settings work even without the Crystal Enterprise parameters first.
    ingo

  • Mobile sales online installation for CRM5.0(ABAP+JAVA)

    Hi ,
    The client wanted to implement Mobile Sales Online for the NW2004s component CRM5.0 (ABAP+JAVA) stack. We have already installed CRM5.0 with ABAP+JAVA engine and EP7.0. Currently we are using EP with CRM5 using PCUI screens. We have also configured SSO (SAP logon ticket) between EP and CRM and BI7.0.
    I found the document which talks about an NW04 instance CRM ABAP stack where you need to install the JAVA stack separately, then do SSO and deploy .sca files etc., but could not find one for MSON on NW2004s using EP.
    We have already integrated CRM5, BI7 with EP7.0 using SSO SAP logon ticket; now my concern is:
    1. Do I need to use MSON configuration like SSO, SLD, deployment on the existing CRM5.0 ABAP and Java engine, which is installed in one system?
    or
    2. Can I use MSON config through CRM5.0 already integrated with EP7.0, which is already configured with SSO and SLD etc.?
    Which method is recommended for Blackberry to communicate with the CRM5.0 system?
    Any suggestions would be appreciated.
    Thanks,
    Shaik

    Any help will be appreciated.

  • URGENT: JCO.Client: null

    Hello
    We're using SAP EP 7.0 with webdynpro connected to SAP R3 4.6C by SapLogon Ticket.
    The connection can be done with certificates for our customers (authentication header) or via logon/password for internal tests on our LAN.
    These Web Dynpro applications work fine on the LAN, but when we connect via the web we have the error below:
    com.sap.tc.webdynpro.modelimpl.dynamicrfc.WDDynamicRFCExecuteException: Error connecting using JCO.Client: null
    Do you have any idea ?
    It's on our production environment so very urgent )
    Thanks

    Hi
    1. Maybe the JCOs are not configured properly. Check that your JCOs are up and running by pinging them in ContentAdmin->WebDynpro.
    2. It's a simple problem of connection pooling. In your JCO connection settings change the maximum connections to 200. It will work. It is good to release the connection after you execute the model. The reason you are getting this JCO Client null is because the connection is not getting released.
    When you say the following code
    wdContext.current<BAPI_INPUT>.modelObject().execute();
    //Get the reference to the model and release the connection
    If your Model name is say "MO_Mymodel"  then
    MO_Mymodel model = (MO_Mymodel) WDModelFactory.getModelInstance(MO_Mymodel.class);
    model.disconnectIfAlive();
    This should release your connections. Also ensure you release the connections even if there is an exception :).
    Please refer to the forum threads below also:
    Error connection using  JCO.Client :null
    JCO.Client: null
    com.sap.mw.jco.JCO$Exception: (102) JCO_ERROR_COMMUNICATION: JCO.Client not
    Thanks
    susmita

  • NW RFC SDK: Non-SAP to ABAP with username (trust relationship)

    Hello,
    I have a quite challenging non-SAP-to-ABAP RFC scenario with a trust relationship.
    Here's the scenario:
    An Oracle database server acts as an RFC client and calls RFC function modules in an ABAP server. (I assume the Oracle programmers are going to use NW RFC SDK 7.1 or JCo 3.0 on the Oracle server and call that from their PL/SQL based database application.)
    The challenge is that I don't want to use a single "technical user" on the ABAP side because that would mean that all the users on the Oracle side would be mapped to one single ABAP user. Also, I don't want to have to store individual ABAP passwords on the Oracle side.
    Instead, I want the ABAP server to trust the RFC client the same way it might
    a) trust a NetWeaver AS Java server after installing the Java server's certificate in transaction STRUSTSSO2 or
    b) the way it might trust another ABAP server after configuring a trust relationship (transaction SMT1?)
    The ABAP server should accept incoming RFC connections from the Oracle RFC client with just the user name and no password given and run the resulting processes in the ABAP system under the user id given in the RFC call.
    I imagine the ideal solution somehow along the following lines (simplified scenario for a PC-based prototype):
    - I download and run a program that creates a certificate file (public key?) which I import into the ABAP system.
    - The same program creates a matching file (private key?) for the RFC client.
    - For reasons of simplicity, let us imagine the RFC client as a stand-alone Java SE application running on a PC.
    - The Java SE application uses the JCo library to connect to the ABAP system.
    - When opening the connection, it passes a username, but no password. Instead, it passes a Base64-encoded string that was generated by our key/certificate generator program.
    - On the ABAP side, the function modules are run under the username used by the Java SE application when establishing the RFC connection.
    Is that possible at all? How would you solve this?
    Thank you very much in advance and best regards,
    Thorsten

    Hello,
    Thanks a lot for your extremely high-quality replies. I've been trying to work with them.
    Frankly, just when (after Gregor's and Tim's posts) I was hoping that working my way deeply enough into SNC, I would be able to solve my problem, Wolfgang comes along and tells me what I'm aiming at won't work. Now I'm confused.
    The way I understand Wolfgang, the special trust an AS ABAP can put into another AS ABAP or an AS Java ("remote RFC client, give me one certificate and I will accept every username if they come from you") cannot be put into a custom-made remote server software (such as the Oracle server application) acting as the RFC client, because when acting as RFC clients, the remote AS Java or AS ABAP use proprietary elements of the RFC protocol which are not available to me when I program my RFC client in the Oracle application.
    @Wolfgang, is that correct?
    Solution 1: Individual X.509 Certificates
    Instead, I can establish X.509-based trust relationships at the level of individual usernames: create a certificate for each Oracle user, import them into the AS ABAP, map them to an ABAP user, and store the certificate on the Oracle side (I'm still not sure about the different certificates and keys used publicly and privately here).
    Solution 2: AS ABAP as User Management Engine for the Oracle Application
    I can also see an alternative that would spare me the trouble of generating, importing, mapping and storing the certificates: delegate the user management to the AS ABAP and delete the (custom-built) logon and password-checking mechanism in the PL/SQL application:
    Users are created centrally in CUA and distributed along with their passwords into (among others) the AS ABAP.
    When a user logs on to the PL/SQL application, the username and password are sent for validation to an ABAP BAPI.
    If authentication is successful, the AS ABAP returns a SAPLogon ticket which can be stored in the session context of the PL/SQL application and used in subsequent RFC calls. The password (a hash?) would only be transferred once during logon.
    What do you think? Would both solutions work or am I still getting something wrong? Can you see a better alternative that would reduce
    for solution 1 the administrative overhead for synchronization
    for solution 2 the run-time dependency Oracle-ABAP and the change impact on the Oracle application's user management concept?
    Thanks a lot,
    Thorsten

  • System connection error

    Hi,
    I am using Portal NW2004s and this portal system has ABAP+Java stacks. I developed a Web Dynpro ABAP application on the ABAP stack. In order to run this ABAP application from the Java stack I configured a connection from Java to ABAP with the SAP logon ticket method. But this connection does not work. I get an error message in dev_jrfc.trc. This error message is "Issuer of SSO ticket is not authorized". What's the problem?

    Hi,
    Did you add login/create_sso2_ticket & login/accept_sso2_ticket to the profile? Make sure you did STRUSTSSO2 and re-import the ticket.
    Jean

  • Time out functionality in Portal

    Hi All,
    If my portal is inactive for some fixed time, the user should be logged off automatically and an information message should be displayed on the login page.
    How to achieve this ?
    Regards,
    Nikhil

    I think there is no such timeout functionality for the portal.
    Portal sessions are cookie based. On successful logon to the portal, the Portal issues a SAP logon ticket, with a default validity of 8 hours. That is, a user's session can at most be of length 8 hours. Timeout of the user's session is not possible.
    Also, if you reduce the default length of the session, you will have to adjust the expiration time of the SAP logon ticket by setting the "Lifetime of SAP Logon Ticket" in "Security settings" at "System Administration" --> "System Configuration" --> "UM Configuration".
    However, please note that the cookie will eventually expire after this time setting, whether or not the user is idle. He has to renew the ticket after expiration.
    Edited by: Anagha Jawalekar on Mar 20, 2009 3:15 PM

  • Moving SAP ERP Servers to a different domain.

    Hello Experts
    I currently have 3 SAP ERP 6.0 servers (central installs), a Solution Manager 7.0 EHP1 and a NetWeaver CE machine all located in one Windows domain (currently Windows 2003 domain controllers), all running Oracle databases. I have been asked to look into moving all of these servers into the main corporate domain (currently Windows 2008 R2 domain controllers) with a view to streamlining the domain structure. All the SAP installs are domain installs and therefore the accounts would need migrating to the new domain. What I would like to know is, are there any other factors other than those listed below that I need to consider:
    Migrate SAP user and service account to new domain
    Adjust Profile Parameters for SAP G:\usr\sap\<SID>\sys\profile
    Change frontend GUIs to reference new domain (SSO has reference to the SAP service account from the users' domain)
    Review folder permissions to ensure security is maintained (on the current domain no users log on to this domain; on the new domain everyone logs on)
    Is there anything specific for Oracle that should be changed?
    It would be useful to know if anyone has done this and any pitfalls to avoid.
    Thank you.
    Liz

    Hi,
    If some of your SAP systems will stay in the previous domain, you may have problems with the saplogon tickets because, as http cookies,   they are valid for a domain. So SSO between SAP systems in different domains may generate problems (which can be solved).
    If you use BSP or web dynpro applications, and use URL rewrites or redirects ,the change of FQDN may also need some configuration changes.
    Concerning Oracle, check your OPS$ users.
    Regards,
    Olivier
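
The domain scoping Olivier describes, as an added example that is not part of the original thread: it models which hosts a browser will send the logon ticket cookie to, depending on how many leading host labels the issuer drops when setting the cookie's Domain attribute. Host names are constructed, function names are hypothetical, and the number of labels dropped is an assumed input rather than a value taken from this page.

```python
from urllib.parse import urlsplit

TICKET_COOKIE = "MYSAPSSO2"  # name of the cookie that carries the SAP logon ticket


def cookie_domain(issuer_host, drop_labels):
    """Domain attribute for the ticket cookie, or None for a host-only cookie."""
    labels = issuer_host.lower().rstrip(".").split(".")
    if drop_labels <= 0:
        return None
    if len(labels) - drop_labels < 2:
        # Simplified guard: browsers also reject multi-label public suffixes
        # (for example co.uk), which this sketch does not model.
        raise ValueError("refusing to scope the ticket cookie to a top-level domain")
    return ".".join(labels[drop_labels:])


def browser_sends_ticket(issuer_host, drop_labels, target_url):
    """Cookie domain matching (RFC 6265, section 5.1.3) for the target host."""
    target = (urlsplit(target_url).hostname or "").rstrip(".")
    domain = cookie_domain(issuer_host, drop_labels)
    if domain is None:                      # host-only: exact issuer host only
        return target == issuer_host.lower().rstrip(".")
    return target == domain or target.endswith("." + domain)


def sso_reach(issuer_host, drop_labels, target_urls):
    """Map each target URL to whether it would receive the ticket cookie."""
    return {url: browser_sends_ticket(issuer_host, drop_labels, url)
            for url in target_urls}


# Constructed scenario: the portal stays in the old domain, one ERP system moves.
ISSUER = "portal.old.example.com"
TARGETS = [
    "http://erp1.old.example.com:8000/sap/bc/gui",   # stayed in the old domain
    "http://erp2.corp.example.com:8000/sap/bc/gui",  # moved to the corporate domain
]

if __name__ == "__main__":
    for drop in (1, 2):
        print(f"{TICKET_COOKIE} Domain={cookie_domain(ISSUER, drop)}")
        for url, sent in sso_reach(ISSUER, drop, TARGETS).items():
            print(f"  {'sent    ' if sent else 'NOT sent'} {url}")
    # Widening the scope restores SSO for the moved system, but every host under
    # the wider domain then receives the ticket, so the trade-off is exposure.
```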

  • Urgent: UWL XML Config file

    Hi all!
    I copied the business object EXTSRV to ZEXTSRV and created a new method zprocess that is mainly a copy of the Process method of the EXTSRV BO, just that the creation part of the URL is different. I kept the call_browser function.
    Then, I assigned this method to a task in the workflow; this task is a copy of the standard task TS50000075. I added the item type to the UWL XML config file and uploaded it to the system successfully, then I cleared the cache.
    When I double-click on the item in the UWL it partially works. I see the text written in the task but it is supposed to pop up a window. This window doesn't appear.
    Can anyone help with that?
    Thank you in advance,
    Hajar

    Hi
    Just check this out. Please do not forget to give points.

    User Roles: Restricts who can get work items via the user role. For example, you can assign a portal role here, such as buyer. Only users with the role buyer will see items from the provider system in UWL. You can have multiple user roles separated by semi-colon. By specifying user roles for the portal users, it can be restricted as to who gets the work items in UWL. For example, you can assign a portal role to a user, such as buyer. Only users with the role buyer will see items from a system, for example, B7QCLNT000 in UWL.

    Pull Channel Delta Refresh Period (in Seconds): Delta Pull mechanism of UWL enables new items to be fetched from the back end SAP systems every minute by default every 60 seconds, and every 30 seconds for alerts. However, this can be configured. The user does not need to use the refresh function to update the inbox. Once items are retrieved, timestamps are updated for the users whose items are successfully retrieved. These retrieved items are updated in the UWL cache.

    Setup necessary from Business Workflow to enable Delta Pull Mechanism
    Some configuration settings are required if you use the UWL and the Extended Notifications for SAP Business Workflow. Define the following two batch jobs:
    - Background job (for example UWL_DELTA_PULL_1), consisting of a single step of ABAP report RSWNUWLSEL in FULL mode, using a report variant. Run the job once a day.
    - A background job (for example UWL_DELTA_PULL_2), consisting of a single step of ABAP report RSWNUWLSEL in DELTA mode (default mode is delta, so report variant is optional). Run the job every one to three minutes (depending on the performance of the back end SAP system).

    Setup necessary from UWL to enable Delta Pull Mechanism
    The UWL service user in portal, with user id uwl_service, has to be granted access to the corresponding back end systems. This is a predefined service user provided by UWL. When the back end system is configured in the UWL administration page, an automated process is triggered to create a corresponding UWL service user in the back end system. Check role assignments and profiles status of this automated generated UWL service user and perform user comparison if necessary.
    - If SAPLogon ticket is used (without using user mapping), you first create the system entry. A message about uwl_service user appears. Then in the back-end system give the uwl_service user an initial password. Now edit the system entry.
    - If user mapping is used, you can first configure the back end system in the UWL administration page. Then access the respective back end system to initialize the password for the user uwl_service. Then, do user mapping in the portal as usual for service user uwl_service.
    In case uwl_service fails to be created in the back end and does not exist, you can manually create a back end user with the id uwl_service and assign the role SAP_BC_UWL_SERVICE and the rights as other end users.
    OR
    Map uwl_service to an existing back end user. Make sure that there is no multiple user mapping (there must not be two portal users mapped to the same back end user). This back end user must have the role SAP_BC_UWL_SERVICE.

    Snapshot Refresh Period (in minutes): All items at the current time are fetched from the backend (for example from the SAP Business Workflow). The cache is synchronized thereafter. New / modified / deleted / updated items are fetched every session (every log on) if you leave the field value empty or enter a negative number. To specify a particular time frame for which the refresh occurs, enter the number of minutes.

    The above registration procedure is usually sufficient to use a UWL iView. Item type retrieval and registration requires a connection to the systems and may take a couple of minutes.
    For each system, they are generated as the configuration named uwl.webflow.<system_alias> or uwl.alert.<system_alias>.
    In Manager Self-Service (MSS), the Universal Worklist groups together in Workset: Work
    Overview the various workflow tasks and alerts that are relevant for a manager.
    The standard MSS delivery includes the configuration file com.sap.pct.erp.mss.001.xml for the universal worklist.
    1. In the portal, choose System Administration → System Configuration → Universal Worklist and Workflow → Universal Worklist → UWL Systems Configuration.
    2. Create the following system connections:
    If you have already registered a suitable connector to the system connected to the system alias, the existing connector is sufficient and you do not have to register an additional one.
    - System alias: SAP_ECC_Financials
      Connection types:
      - WebFlowConnector
      - AlertConnector
    - System alias: SAP_ECC_HumanResources
      Connection type WebFlowConnector
    - System alias: SAP_SRM
      Connection type WebFlowConnector
    Leave the Web Dynpro Launch System field blank for all system connections.
    with regards
    subrato

  • Universal Worklist Configuration

    Hey guys
    Please can someone tell me where I can find a Universal Worklist config guide for EP7.0?
    Many thanks in advance
    Jo-lize

    Hi
    These are the steps that need to be followed. Please do give full points.
    The Universal Worklist (UWL) gives users unified and centralized way to access their work and the relevant information in the Enterprise Portal. It collects tasks and notifications from multiple provider systems – SAP Business Workflow, Collaboration Task, Alert Framework and Knowledge Management Recent Notifications - in one list for one-stop access.
    Administration and configuration for the Universal Worklist (UWL) is described.
    General Prerequisites
    1.     As an administrator, you have full administration rights for the Portal and the required business workflow rights in back end system (reference roles such as SAP_BC_BMT_WFM_UWL_ADMIN and SAP_BC_UWL_ADMIN_USER). Refer to SAP note 941589.
    Summary
    Symptom
    UWL administrative and/or end users are not allowed to perform or look up business workflow functions or data in the backend system.
    Reason and Prerequisites
    Corresponding administrative and end users in the backend systems are created from scratch and have zero initial authorization.
    These roles are provided as an option to enable UWL administrative and end user authorization to readily utilize the APIs of the SAP Business Workflow and relevant basis components remotely.
    (Note: Usually these roles are not needed as backend user is already assigned with roles that have sufficient authorization.)
    Also refer to BWF note 938717 for the corresponding roles required by business workflow.
    SAP_BC_UWL_ADMIN_USER
    For UWL administrative user who mainly deals with business workflow system registration.
    SAP_BC_UWL_END_USER
    For UWL end user to carry out all business workflow actions currently supported in UWL.
    Solution
    The roles can only be imported with a support package
    Header Data
    Release Status:     Released for Customer
    Released on:     25.04.2006  04:57:52
    Priority:     Recommendations/additional info
    Category:     Advance development
    Primary Component:     EP-BC-UWL Universal Worklist
    Releases
    Software Component     Release     From Release     To Release     And subsequent
    SAP_BASIS     60     640     640
    SAP_BASIS     70     700     700
    Highest Implemented Support Package
    Support Packages     Release     Package Name
    SAP_BASIS     640     SAPKB64017
    SAP_BASIS     640     SAPKB64019
    SAP_BASIS     700     SAPKB70008
    SAP_BASIS
    Summary
    Symptom
    This note delivers two roles (PFCG) with the authorizations required to display and edit Business Workflow work items in the universal worklist.
    SAP_BC_BMT_WFM_UWL_ADMIN
    This role has the workflow authorizations required to perform the configuration for the Business Workflow connection in the universal worklist. These are authorizations for Business Workflow interfaces on the back-end system. The role does not have any authorizations for the portal or other interfaces used by the universal worklist.
    SAP_BC_BMT_WFM_UWL_END_USER
    This role has all workflow authorizations required by end users to be able to edit Business Workflow work items with the universal worklist. The role does not have any authorizations for the portal or other interfaces used by the universal worklist.
    You can either use the two roles directly or as templates for your own roles.
    Note 941589 contains more information about roles with authorizations for the universal worklist.
    Other terms
    Universal worklist
    Solution
    The roles can only be imported with the relevant Support Package.
    Header Data
    Release Status:     Released for Customer
    Released on:     20.04.2006  07:43:26
    Priority:     Recommendations/additional info
    Category:     Advance development
    Primary Component:     BC-BMT-WFM Business Workflow
    Secondary Components:     EP-BC-UWL Universal Worklist
    Releases
    Software Component     Release     From Release     To Release     And subsequent
    SAP_BASIS     60     640     640
    SAP_BASIS     70     700     700
    Highest Implemented Support Package
    Support Packages     Release     Package Name
    SAP_BASIS     640     SAPKB64017
    SAP_BASIS     700     SAPKB70008
    Related Notes
    941589 - UWL: administrative and end user roles
    Attributes
    1.     Make sure that each user is known to all connected SAP systems as per role requirement (make sure that there is one-to-one mapping between the portal user and the backend user)
    If an iView is based on a system object defined in your system landscape, you must assign user permission for the relevant user, group, or role to the system object, as well. User permissions assigned to a system permits the iView to retrieve data from the respective back end application through the system object at runtime.
    2.      Each connected SAP system for back end system (below release 7.0, WP-PI plug-in 6.0) has the connection to its respective SAP Internet Transaction Server (ITS)
    Authorizations needed for working with Business Workflow
    Normally, when the corresponding back end system user already has the correct authorization to work on the Business Workflow directly, no additional setup is required when working in UWL. However, manual configuration to assign RFC access authorization to the following function groups may be needed (Note: this is not common):
    ●      Function group and transaction SWK1 (for back end systems using WP-PI plug-in)
    ●      Function group SWN_UWL_WL (for back end system on release 6.40 and above, without the need of WP-PI plug-in)
    ●      Function group SWRC, SSCV (for all cases)
    ●      Authorization rights for SDTX
    User Mapping:
    1.      Navigate to User Administration → Identity Management → User Mapping.
    2.      There are three scenarios:
    ○     Portal user ID is different than the back end SAP user ID and back end SAP user IDs are different in all back end SAP systems connected to the portal (UIDPW)
          Maintain the user mapping for each portal user corresponding to all the respective back end systems
    ○     Portal user ID is different than the back end SAP user ID and back end SAP user IDs are the same in all back end SAP systems connected to the portal (logon ticket)
          Maintain the user mapping for each portal user to the reference system
    ○     Portal user ID is the same as the back end SAP user and back end SAP user IDs are the same in all back end SAP systems connected to the portal (logon ticket)
          No user mapping is necessary
    User Permissions
    According to the prerequisites, if an iView is based on a system object defined in your system landscape, you must assign user permission for the relevant user, group, or role to the system object, as well.
    User permissions assigned to a system permits the iView to retrieve data from the respective back end application through the system object at runtime.
         Procedure
           1.      Navigate to System Administration → System Configuration → Portal Content. Open the folder where the existing systems were created.
           2.      From the available system list, click with the secondary mouse button on the system name and choose Open → Permissions.
           3.      Assign permissions. Make sure that under the Administrator column you assign Read permissions for the assigned role (for example for role eu_role). Also mark the check box End User.
           4.      Choose Save.
         Registering the Provider Systems
    Each UWL iView can retrieve work items from multiple Business Workflow back end systems. Register each back-end connection to be used with the following procedure:
           1.      On the portal, choose System Administration → System Configuration → Universal Worklist and Workflow → Universal Worklist Administration.
    The Universal Worklist Systems list appears. Here you can define connectors and systems as item providers for the Universal Worklist.
           2.      To add a new entry, choose New. To edit existing information, select (highlight) the row and choose Edit.
           3.      To save the current system registration, choose Ok.
           4.      Multiple system connections are defined by repeating the above steps 1 to 3.
    Table describing the parameters
    Parameter     Description and Use
    Connector     This is the identifier with which the connector is registered. It indicates the type of items retrieved through the connection. For example: WebFlowConnector. For connector types WebFlowConnector or Alert Connector item types have to be registered with the UWL service after defining a new system connection.
    Configuration Groups     Leave this blank, when working with the default UWL iView. You can add a number of configuration groups separated by commas but only one configuration group per iView. First installed, one UWL iView is defined. The System Configuration Group property for that iView is empty (blank). This means that no System Configuration Group is named, but in effect there is only a single group. The default behavior for the blank setting is this: when any user logs onto the UWL iView, UWL tries to log that user onto all registered back end systems. There is a limitation with the blank setting. When a large number of systems are accessed during log on, the overall portal load is increased. Also, the user receives error messages from those back end systems that have no user account for the particular UWL user. For large system landscapes do the following:
           1.      Partition back end systems into groups. This is accomplished by creating additional UWL iView instances, each of which refers to a specific group of backend systems. The group is defined, using the System Configuration Group iView property.
           2.      Then use the value of the System Configuration Group property when registering back end systems by placing it in parameter Configuration Group, when you register the SAP system.
    System alias     The name of the alias for the back end system, as defined in the system landscape. The length cannot exceed 25 characters. If Web Dynpro applications are configured on a SAP NetWeaver Application Server which is different from the SAP NetWeaver Application Server of the system alias, then specify that system alias as a Web Dynpro system
    Web Dynpro Launch System     Enter the Web Dynpro system name if the SAP NetWeaver Application Server for the system is not the same as that running the Web Dynpro. Leave empty otherwise
    User Roles     Restricts who can get work items via the user role. For example, you can assign a portal role here, such as buyer. Only users with the role buyer will see items from the provider system in UWL. You can have multiple user roles separated by semi-colon. By specifying user roles for the portal users, it can be restricted as to who gets the work items in UWL. For example, you can assign a portal role to a user, such as buyer. Only users with the role buyer will see items from a system, for example, B7QCLNT000 in UWL.
    Pull Channel Delta Refresh Period (in Seconds)     Delta Pull mechanism of UWL enables new items to be fetched from the back end SAP systems every minute by default every 60 seconds, and every 30 seconds for alerts. However, this can be configured. The user does not need to use the refresh function to update the inbox. Once items are retrieved, timestamps are updated for the users whose items are successfully retrieved. These retrieved items are updated in the UWL cache.
    Setup necessary from Business Workflow to enable Delta Pull Mechanism
    Some configuration settings are required if you use the UWL and the Extended Notifications for SAP Business Workflow. Define the following two batch jobs:
    ●      Background job (for example UWL_DELTA_PULL_1), consisting of a single step of ABAP report RSWNUWLSEL in FULL mode, using a report variant. Run the job once a day.
    ●      A background job (for example UWL_DELTA_PULL_2), consisting of a single step of ABAP report RSWNUWLSEL in DELTA mode (default mode is delta, so report variant is optional). Run the job every one to three minutes (depending on the performance of the back end SAP system).
    Setup necessary from UWL to enable Delta Pull Mechanism
    The UWL service user in portal, with user id uwl_service, has to be granted access to the corresponding back end systems. This is a predefined service user provided by UWL. When the back end system is configured in the UWL administration page, an automated process is triggered to create a corresponding UWL service user in the back end system.
    Check role assignments and profiles status of this automated generated UWL service user and perform user comparison if necessary.
    ●      If SAPLogon ticket is used (without using user mapping), you first create the system entry. A message about uwl_service user appears. Then in the back-end system give the uwl_service user an initial password. Now edit the system entry.
    ●      If user mapping is used, you can first configure the back end system in the UWL administration page. Then access the respective back end system to initialize the password for the user uwl_service. Then, do user mapping in the portal as usual for service user uwl_service.
    In case uwl_service fails to be created in the back end and does not exist, you can manually create a back end user with the id uwl_service and assign the role SAP_BC_UWL_SERVICE and the rights as other end users.
    OR
    Map uwl_service to an existing back end user. Make sure that there is no multiple user mapping (there must not be two portal users mapped to the same back end user). This back end user must have the role SAP_BC_UWL_SERVICE.
    Snapshot Refresh Period (in minutes)     All items at the current time are fetched from the backend (for example from the SAP Business Workflow). The cache is synchronized thereafter. New / modified / deleted / updated items are fetched every session (every log on) if you leave the field value empty or enter a negative number. To specify a particular time frame for which the refresh occurs, enter the number of minutes
    The above registration procedure is usually sufficient to use a UWL iView. Item type retrieval and registration requires a connection to the systems and may take a couple of minutes.
    For each system, they are generated as the configuration named uwl.webflow..
    In Manager Self-Service (MSS), the Universal Worklist groups together in Workset: Work Overview the various workflow tasks and alerts that are relevant for a manager.
    The standard MSS delivery includes the configuration file com.sap.pct.erp.mss.001.xml for the universal worklist.
    1. In the portal, choose System Administration → System Configuration → Universal Worklist and Workflow → Universal Worklist → UWL Systems Configuration.
    2. Create the following system connections:
    If you have already registered a suitable connector to the system connected to the system alias, the existing connector is sufficient and you do not have to register an additional one.
    ○ System alias: SAP_ECC_Financials
    Connection types:
    ■ WebFlowConnector
    ■ AlertConnector
    ○ System alias: SAP_ECC_HumanResources
    Connection type WebFlowConnector
    ○ System alias: SAP_SRM
    Connection type WebFlowConnector
    Leave the Web Dynpro Launch System field blank for all system connections.
    With regards
    subrato kundu

  • Unable to see Default alias in Identity management

    Hi Experts!!!!!
    I have added a new system in the portal which connects my backend system, I have defined the system alias and in the screen it shows me the alias is ready for user mapping,
    But I have selected SAPLOGON ticket, then the system is not visible in the identity management. But when I select uwidp the system is available for user mapping. Due to this the connector test fails.
    I have seen in some of the posts and found that eu_role should be given in permissions; I have done it. Does this need a server restart for the changes to take effect?
    What would be the problem? I am able to see the alias in the other system when I selected SAPLOGON ticket.
    After creating the alias do we need to make any changes?
    I have followed the help document of SAP.
    Regards,
    Vamshi.

    Hi Vamshi,
    basically, SAP NetWeaver Portal offers two different Single Sign-on techniques to connect seamlessly with integrated backend systems.
    1) SAP Logon Ticket
    2) User Mapping
    These are two totally different techniques to achieve the same goal: Single Sign-on.
    Using SAP Logon Ticket, the SAP NetWeaver Portal issues an encrypted and signed HTTP cookie containing the portal user's logon id. The backend system checks the ticket and authenticates the corresponding user.
    Using User Mapping, the SAP NetWeaver Portal uses previously given backend credentials (username/password) to log into backend application on behalf of the users. The user can enter his credentials either via personalization dialog (therefore the user needs the eu_core_role) or in identity management.
    If you select SAP Logon Ticket the user does not need to map his backend credentials. That's why you do not see the system in the identity management (tab user mapping).
    However, if you select User Mapping (UIDPWD) and run a connection test the SAP NetWeaver Portal tries to log into the backend system using the mapped credentials of the current user. If the current user did not map any credentials (or if he entered wrong credentials) the connection test will fail.
    Hope this helps you to understand how the portal works.
    Best regards,
    Martin
