SSO between EP and GRC systems
Hi,
We have EP 7.0 and GRC 5.3 systems in our landscape. In the login page of the portal, we have a link configured to the GRC system to use the Compliant User Provisioning application.
On clicking the GRC link for accessing CUP, the user is prompted to enter the username and password to login to the GRC system. In our landscape both the EP and GRC systems have the ECC ABAP system as the UME and hence the user credentials are exactly the same for both EP and GRC systems for a particular user.
I would like to avoid another logon for the user in GRC as he has already logged in with the same user credentials in EP system. This, I believe, is achieved through SSO but I'm not sure about configuring SSO between two Java systems.
Please help me in the configuration.
Regards,
Ragav
Ragav_ss wrote:
Everything is working fine when I click User Logon link in GRC system which comes up through the link from EP. The SSO is working fine there. But when I click Request Access or Request Status link, the SSO does not work.
Any clues?
GRC version is 5.3 SP 12
Did you ever get that resolved? I'm having the same problem with 5.3 SP 15.
Regards,
Sean
Similar Messages
-
Setting up SSO between EP and back-end SAP systems
Can anybody give me some insight about setting up SSO between EP and back-end SAP systems. If possible some links to write up would be great.
Thanu
Hi,
This link gives you detailed information on setting up SSO: http://help.sap.com/saphelp_nw04/helpdata/en/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm
Some How-guides:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e676ec90-0201-0010-cfa3-90b7c1291903
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/77378b3d-0b01-0010-ffa5-c6941e286c43
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/80fbc690-0201-0010-1aba-93d5c8232b4a
Regards,
Sunil -
Hi SDN's and Nakisa technical experts,
We have a Portal environment 7.02, a Nakisa environment 3.0 (CE) and an HR backend environment 701 (604).
We are busy setting up SSO between Portal and Nakisa via the URL iView for the Org chart (http://<host>:<port>OrgChart/default.jsp).
We have done as indicated in wiki:
http://wiki.sdn.sap.com/wiki/display/ERPHCM/SAPSSOAuthenticationwithverify.pseusingSAPSSOEXT
We are however still having issues with the SSO and in the cds.log the following is being displayed:
++01 Aug 2011 13:11:42 ERROR com.nakisa.Logger - com.mysap.sso.SSO2Ticket : Could not load library: sapsecu.dll - java.lang.Exception: MySapInitialize failed: rc= 14null++
++01 Aug 2011 13:11:42 ERROR com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : java.lang.Exception: MySapEvalLogonTicketEx failed: standard error= 9, ssf error= 0++
++01 Aug 2011 13:11:42 ERROR com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : Internal error (9) - No SSF error (0)++
Can someone indicate what I am doing wrong?
Regards Dries
Hi Luke,
thanks a lot for your help so far.
I have created a root/XML folder under the directory, and the path is now as follows:
K:\usr\sap\NKP\J14\j2ee\cluster\apps\Nakisa\OrgChart\servlet_jsp\OrgChart\root\.system\Admin_Config\__000__Sasol_DEV_LIVE\.delta\root\XML
It seems like it finds the verify.pse, but not the library, sapsecu.dll.
My credentials.xml file is as follows:
<credentials>
<assembly name="SapSso"/>
<info>
<item name="PseFilePath">XML\verify.pse</item>
<item name="SsfLibFilePath">XML\sapsecu.dll</item>
<item name="PsePassword"></item>
<item name="WindowsPlatform">64</item>
<item name="TicketFile"></item>
<item name="Base64decode">true</item>
</info>
</credentials>
I however still get the following in the cds.log:
15 Aug 2011 13:59:53 INFO com.nakisa.Logger - Tenant ID: 000
15 Aug 2011 13:59:55 INFO com.nakisa.Logger - LoginSettingsObject Load: 1719
15 Aug 2011 13:59:55 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : Credential provider SapSso
15 Aug 2011 13:59:55 INFO com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : Using cert: K:\usr\sap\NKP\J14\j2ee\cluster\apps\Nakisa\OrgChart\servlet_jsp\OrgChart\root\XML\verify.pse
15 Aug 2011 13:59:55 INFO com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : Ticket is: AjExMDAgAA9wb3J0YWw6eXNzZWxhZ2OIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAIWVNTRUxBR0MCAAMwMDADAANEUDkEAAwyMDExMDgxNTExNDcFAAQAAAAICgAIWVNTRUxBR0P%2FAQQwggEABgkqhkiG9w0BBwKggfIwge8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGBzzCBzAIBATAiMB0xDDAKBgNVBAMTA0RQOTENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTEwODE1MTE0NzIwWjAjBgkqhkiG9w0BCQQxFgQUK13ubzFiQrY4H%2FLRk2ysyvPSvccwCQYHKoZIzjgEAwQuMCwCFF1W9d!tAjLvP8dnb1bs4XghaHSBAhQ9kd9N!bJubUWITtkzU!za96lxNg%3D%3D
15 Aug 2011 13:59:55 INFO com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : Version of SAPSSOEXT: SAPSSOEXT 4
15 Aug 2011 13:59:55 INFO com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : SCUE LIB base path is:
15 Aug 2011 13:59:55 ERROR com.nakisa.Logger - com.mysap.sso.SSO2Ticket : Could not load library: sapsecu.dll - java.lang.Exception: MySapInitialize failed: rc= 14null
15 Aug 2011 13:59:55 ERROR com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : java.lang.Exception: MySapEvalLogonTicketEx failed: standard error= 9, ssf error= 0
15 Aug 2011 13:59:55 ERROR com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : Internal error (9) - No SSF error (0)
15 Aug 2011 13:59:55 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : User to authenticate null
15 Aug 2011 13:59:55 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : Authentication provider SapSso
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : User authenticated null
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : Authentication row is {SapSsoTicket=AjExMDAgAA9wb3J0YWw6eXNzZWxhZ2OIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAIWVNTRUxBR0MCAAMwMDADAANEUDkEAAwyMDExMDgxNTExNDcFAAQAAAAICgAIWVNTRUxBR0P%2FAQQwggEABgkqhkiG9w0BBwKggfIwge8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGBzzCBzAIBATAiMB0xDDAKBgNVBAMTA0RQOTENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTEwODE1MTE0NzIwWjAjBgkqhkiG9w0BCQQxFgQUK13ubzFiQrY4H%2FLRk2ysyvPSvccwCQYHKoZIzjgEAwQuMCwCFF1W9d!tAjLvP8dnb1bs4XghaHSBAhQ9kd9N!bJubUWITtkzU!za96lxNg%3D%3D}
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : User population provider is Database
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - FunctionRunner : ensurePool : Current pool size:0
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - FunctionRunner : ensurePool : Current pool size:0
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - FunctionRunner.executeFunctionDirect: /NAKISA/RFC_REPORT took: 266ms
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - BAPI_SAP_OTFProcessor_Report : WhereClause : ( (Userid is null) or (Userid='') ); Table : (SAP_UserPopulation); Dataelement : (UserPopulationInfo)
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : User populated
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : Role mapping provider is: SAP
15 Aug 2011 14:00:00 ERROR com.nakisa.Logger - SAPRoleMapping_SAP.MapRoles() : while trying to invoke the method java.lang.String.toUpperCase() of an object loaded from local variable 'value'
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : Login process finished with errors
Any ideas? Should I maybe hardcode the location in the credentials.xml?
Kind regards
Dries Yssel -
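The cds.log excerpt in the post above prints the complete logon ticket at INFO level, twice, next to the verification errors. The sketch below is an added example (not Nakisa or SAP code, and not from the original posts) that swaps logged tickets for a fingerprint before a log is shared and flags the failure sequence seen in that excerpt; the sample lines and ticket value are constructed, and the line patterns are assumed from the quoted log only.

```python
import hashlib
import re

# Patterns assumed from the cds.log lines quoted in the post; adjust to your log.
TICKET_RE = re.compile(r"(Ticket is: |SapSsoTicket=)([A-Za-z0-9+/=!%*_-]{40,})")
VERIFY_FAIL_RE = re.compile(r"MySapInitialize failed|MySapEvalLogonTicketEx failed")
NULL_USER_RE = re.compile(r"User (?:to authenticate|authenticated) null")

# Constructed placeholder value, not a real ticket.
SAMPLE_TICKET = "Q09OU1RSVUNURUQ" + "A" * 48 + "%3D%3D"
_P = "15 Aug 2011 13:59:55 "
_LOGIN = "com.nakisa.Logger - com.nakisa.framework.login."
# Constructed sample lines modelled on the excerpt above.
SAMPLE_LINES = [
    _P + "INFO " + _LOGIN + "Credentials_SapSso : Ticket is: " + SAMPLE_TICKET,
    _P + "ERROR com.nakisa.Logger - com.mysap.sso.SSO2Ticket : Could not load "
         "library: sapsecu.dll - java.lang.Exception: MySapInitialize failed: rc= 14null",
    _P + "ERROR " + _LOGIN + "Credentials_SapSso : java.lang.Exception: "
         "MySapEvalLogonTicketEx failed: standard error= 9, ssf error= 0",
    _P + "INFO " + _LOGIN + "Main : LogIn : User authenticated null",
    _P + "INFO " + _LOGIN + "Main : LogIn : Authentication row is {SapSsoTicket="
         + SAMPLE_TICKET + "}",
]


def fingerprint(ticket):
    """Short SHA-256 prefix: lets you correlate lines without keeping the ticket."""
    return hashlib.sha256(ticket.encode("ascii", "replace")).hexdigest()[:12]


def redact_line(line):
    """Replace any logged ticket value with its fingerprint and length."""
    def _sub(match):
        ticket = match.group(2)
        return "%s[REDACTED sha256:%s len=%d]" % (
            match.group(1), fingerprint(ticket), len(ticket))
    return TICKET_RE.sub(_sub, line)


def review(lines):
    """Return (redacted_lines, findings); findings are (line_no, label) tuples."""
    redacted, findings = [], []
    verify_failed = False
    for number, line in enumerate(lines, 1):
        clean = redact_line(line)
        if clean != line:
            findings.append((number, "ticket-in-log"))
        if VERIFY_FAIL_RE.search(line):
            verify_failed = True
            findings.append((number, "ticket-verification-failed"))
        # The login flow carried on with no user after verification failed.
        if verify_failed and NULL_USER_RE.search(line):
            findings.append((number, "null-user-after-failed-verification"))
        redacted.append(clean)
    return redacted, findings


if __name__ == "__main__":
    cleaned, found = review(SAMPLE_LINES)
    for text in cleaned:
        print(text)
    for number, label in found:
        print("line %d: %s" % (number, label))
```
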
SSO Between EP and R/3 6.4
Hi,
I am trying to implement SSO between SAP EP 6.0 and SAP R/3 6.4 using logon tickets.
I've downloaded the .pse and .der files from Portal, uploaded the .pse in the backend system, and added it to the ACL, but when I tried to test the connection in portal using system admin->system configuration->UM configuration->SAP system
I am getting an error:
(System ID): com.sap.mw.jco.JCO$Exception: (101) RFC_ERROR_PROGRAM: 'mshost' missing
(System ID & System Number): com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to SAP gateway failed Connect_PM TYPE=A ASHOST=ctsgvcsap3 SYSNR=03 GWHOST=ctsgvcsap3 GWSERV=sapgw03 PCS=1 LOCATION CPIC (TCP/IP) on local host with Unicode ERROR service '?' unknown TIME Thu Feb 23 16:24:39 2006 RELEASE 640 COMPONENT NI (network interface) VERSION 37 RC -3 COUNTER 2
Where am I going wrong? Please help.
If anyone is having detailed documentation please forward the same.
Thanks in advance
SwarnaDeepika.
Hi Swarna
the procedure for importing the portal certificate in the R3 system I already mentioned
you have an authorization for strustsso2 on r3 system
ask the Basis person for that or do it with their ID
after importing the portal certificate into the R3 system you have to restart the R3 system; no need to restart the portal system
and make sure that for SSO both portal and R3 system are in the same domain.
i.e.
sapr3.mydomain.com
portal.mydomain.com
if not you have to specify the DNS entry for that by creating an alias.
regards,
kaushal -
Different ways to establish SSO between Portal and ADP
Hi,
We are implementing payroll with the help of ADP.
Please let me know different ways of establishing SSO between portal and ADP
Thanks
Bala Duvvuri
You may have a few issues. SSO with logon tickets is based on accessing web sites in the same domain. So, if the portal is on http://ourportal.company.com, then the web site being accessed needs to have a URL like http://adphosted.company.com. Is the ADP system accessible by a DNS alias that is within company.com? If so, you're OK. If not, then there will be problems.
The other SSO method is user mapping, but the security implications are not good... -
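The same-domain requirement in this reply, and in kaushal's reply in the previous thread, follows from how browsers scope cookies, since the logon ticket travels as the MYSAPSSO2 cookie. The check below is an added example, not code from the posts or from SAP: it applies the RFC 6265 domain-match rule to a portal URL and a target URL. The `payroll.adp.example` host and the short host names are constructed, and the Public Suffix List is not consulted.

```python
import ipaddress
from urllib.parse import urlsplit


def _host(url):
    """Lower-cased host name of a URL, without port or trailing dot."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("no host in URL: %r" % url)
    return host.lower().rstrip(".")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it."""
    cookie_domain = cookie_domain.lower().strip(".")
    if host == cookie_domain:
        return True
    return not _is_ip(host) and host.endswith("." + cookie_domain)


def shared_parent_domain(host_a, host_b):
    """Longest common DNS suffix with at least two labels, or None.

    Two labels is a simplification: a real check also rejects public
    suffixes such as co.uk (not done here).
    """
    if _is_ip(host_a) or _is_ip(host_b):
        return None
    common = []
    for left, right in zip(host_a.lower().split(".")[::-1],
                           host_b.lower().split(".")[::-1]):
        if left != right:
            break
        common.append(left)
    return ".".join(reversed(common)) if len(common) >= 2 else None


def ticket_reaches(portal_url, target_url, cookie_domain=None):
    """Would a ticket cookie set by the portal be sent to the target?

    cookie_domain=None models a host-only cookie (no Domain attribute).
    Returns (bool, reason).
    """
    portal, target = _host(portal_url), _host(target_url)
    if cookie_domain is None:
        if portal == target:
            return True, "host-only cookie, same host"
        return False, "host-only cookie is never sent to another host"
    if not domain_match(portal, cookie_domain):
        return False, "portal host is outside the cookie domain; browser rejects it"
    if domain_match(target, cookie_domain):
        return True, "both hosts fall under " + cookie_domain.strip(".")
    return False, "target host is outside " + cookie_domain.strip(".")


if __name__ == "__main__":
    cases = [
        ("http://portal.mydomain.com/irj", "http://sapr3.mydomain.com:8000/", "mydomain.com"),
        ("http://ourportal.company.com/", "http://adphosted.company.com/", ".company.com"),
        ("http://ourportal.company.com/", "https://payroll.adp.example/", "company.com"),
        ("http://epdev:50000/irj", "http://erp6:8000/", None),
    ]
    for portal_url, target_url, domain in cases:
        print(target_url, ticket_reaches(portal_url, target_url, domain))
```
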
We are implementing ESS MSS on 4.7 , ITS 4.7 with EP 6.0
Can someone point me as to how to configure the SSO between these various landscapes? I think we would require SSO between EP and ITS for ESS in MSS services.
regards
Sam
Hi Sameer,
All the information you are looking for is in the help.sap.com
http://help.sap.com/saphelp_nw04/helpdata/en/89/6eb8e1af2f11d5993700508b6b8b11/frameset.htm
This help guide is really very clear and thorough.
Regards
Daniel -
SSO between Portal and Java WD application
Hi Experts,
I am using CE 7.2 on localhost and I am very new to SAP.
I need to know how can I get SSO between Portal and Java WD. I have a WD application that displays the logged in user using "IUser currentUser = WDClientUser.getCurrentUser().getSAPUser()", as well I can use "IUser user = UMFactory.getAuthenticator().getLoggedInUser()". Both work.
Q1. What is the difference in the 2 above?
Q2. My WD application is set to authenticate user. The WD application is in URL iView. I need SSO between Portal and WD application. Is there a way to get this SSO without SAP Backend (ECC), for now I just need SSO between Portal and Java WD appl.
Everything is in localhost.
Please advice. Thanks.
> need to know how can I get SSO between Portal and Java WD.
Then I suggest you ask your question in the Web Dynpro Java forum instead of the Web Dynpro ABAP one. -
Standard XML schema for Vendor data exchange between SAP and other system
Is there a SAP standard way of XML schema that we exchange between SAP and other system? Please let me know.
Thanks.
See SAP Interface Repository (http://ifr.sap.com).
My proposal is to leave old SAP connectors stuff and use SAP Exchange Infrastructure. There is support for industry XML standards in XI 3.0 like xCBL.
Hi,
We are doing a scenario. Where XI will update the data into PSA through ABAP proxy.
Scenario worked perfectly in development system.
We transported the objects from Dev to test. The structures are mismatched in SE11 between development and Test systems as below.
Data sources (ZDS_RECIHDR and ZDS_RECTPALL) looks ok. But when I saw the structures in SE11 they are not correct, they got mismatched.
Development:
/BIC/CQZDS_REC00001000 - Header (ZDS_RECIHDR)
/BIC/CQZDS_REC00003000 - Allocation (ZDS_RECTPALL)
Test:
/BIC/CQZDS_REC00001000 - Allocation (ZDS_RECTPALL)
/BIC/CQZDS_REC00003000 - Header (ZDS_RECIHDR)
Kindly let me know where it might have gone wrong?
Thanks
Deepthi
We have done it already. Still it is failing.
While transporting, it is failing and showing the error as
Program ZPI_CL_IA_PAYMENT_ALLOCATION1=CP, Include ZPI_CL_IA_PAYMENT_ALLOCATION1=CM001: Syntax error in line 000016
The data object 'L_S_DATA' has no component called'/BIC/ZSALENUM', but there is a component called
Program ZPI_CL_IA_PAYMENT_HEADER======CP, Include ZPI_CL_IA_PAYMENT_HEADER======CM001: Syntax error in line 000016
The data object 'L_S_DATA' has no component called'/BIC/ZTRANDATE', but there are the following com
The Structure is mismatched in SE11 between header and allocation structures. That is the reason it is failing.
Any more ideas pls? -
Consistency between dev and prod systems!!!!
Hi All,
I would like to check the consistency between Dev and Prod systems for all the Data model and other objects existing. I would like to do this sanity check to see whether the two systems are in sync. Are there any tools or transaction codes within SAP framework which can guide me in this direction?
Kind Regards,
Surya Tamada.
Hi Surya,
First build whole data flow:
1. Create Infoarea, Infoobjects & Masterdata, Infoproviders, Infoobject Catalog under Infoarea, MetaData - Characteristics, MetaData - Key Figures
2. DSOs, Infocubes, Infosets, Multiproviders, Views in the development system, Datasources for BW system, Flat File Datasources, Transformations
then get data from the SE11 tables as per your requirement:
like RSDVCHA, RSDBCHATR, RSDCUBEIOBJ, RSDICMULTIIOBJ etc. and build a view on it as per your requirement.
then build flat file data sources and transformation.
get all data downloaded to flat file on your PC. In the same way from other system.
make flow from PC File Datasource -> DSO -> Infocube and build queries for different objects. Load the downloaded files to them and then run query.
ex: query to compare cube will take cube name and systems name as input and compare objects.
Regards,
Jaya -
Can you tell me some differences between R2 and R3 systems?
Hi,
Can you tell me some differences between R2 and R3 systems?
I guess R2 is used only for mainframe systems some time back. But I don't know why we preferred R3 over R2.
Please clarify this!
Thanks,
Venkatesh.R.
SAP R/3 is
Client server
3 tier
Presentation
Application
Database
Relatively hardware and database independent
ABAP/4 applications runs on application servers.
Dispatcher, shared memory, gateway, work processes are major components of an application server.
SAP R/3 offers
Comprehensive suite of integrated applications meeting the needs of most business
Best practice process design
Ability to configure to
Industry sector
Unique business requirements
An R/2 System is a 2 Tier System based on Mainframe Systems with intelligent terminals.
R/3 is based on 3 tier Client Server architecture and supports the R/2 system as well.
R/3 Middleware -
Client server
Uses underlying relational databases
Oracle
SQL server
Ingres
Sybase
Its graphical user interface
Sap GUI
Hence R/3 is preferred over R/2 systems because they support Client Server Architecture which is easily configurable, scalable and can integrate with ERP systems and integrate with SOA or Web based Apps.
Thanks,
Saurabh Shukla -
SSO between EP and ECC-- JCo RFC Provider- Error-- JCO_ERROR_SERVER_STARTUP
Hello Everyone
I am setting Up SSO between my EP 7.0 and my ECC 6.0 system. During the phase JCO RFC PRovider i am giving the following values:
The following was done;
1. start Visual Administrator -> Service : Choose JCo RFC Provider
2. Created JCo RFC provider:
Program ID: SAPJ2EE_Port
Gateway host: EPDEV ( host of my EP System)
Gateway service: sapgw00
Server Count 5
Application Server Host: ERP6 ( Host of my ECC System)
System Number: 00
Client: 000
Language: EN
User: SAPJSF
Password: ..
When I click on SET I am getting the error " ERROR When ADDING TO BUNDLE" Check LOG FOR DETAILS".
I checked the DEFAULTTRACE.TRC and get the following message:
Date , Time , Message , Severity , Category , Location , Application , User
03/01/2011 , 3:33:30:101 , Error changing bundle SAPJ2EE_PORT , Error , /System/Server , com.sap.engine.services.rfcengine.RFCRuntimeInterfaceImpl.addBundle(BundleConfiguration conf) , , Administrator
03/01/2011 , 3:33:30:085 , com.sap.mw.jco.JCO$Exception: (129) JCO_ERROR_SERVER_STARTUP: Server startup failed at Tue Mar 01 03:33:30 PST 2011.
This is caused by either a) erroneous server settings, b) the backend system has been shutdown, c) network problems. Will try next startup in 1 seconds.
Could not start server: Connect to SAP gateway failed
Connect parameters: TPNAME=SAPJ2EE_PORT GWHOST=EPDEV GWSERV=sapgw00
ERROR partner 'EPDEV:sapgw00' not reached
TIME Tue Mar 01 03:33:30 2011
RELEASE 700
COMPONENT NI (network interface)
VERSION 38
RC -10
MODULE nixxi.cpp
LINE 2823
DETAIL NiPConnect2
SYSTEM CALL connect
ERRNO 10061
ERRNO TEXT WSAECONNREFUSED: Connection refused
COUNTER 1
I have configured my SLD as well. Any suggestions? Please advise.
Hi Ahmed,
Please do check the validity of the certificate.
Please do cross check these steps again.
1. Transaction – STRUSTSSO2 (Trust Manager for Logon Ticket)
2. Double Click Owner certificate. It gets reflected under the certificate tab.
3. Choose Format Binary
4. Choose File Path.
5. Enter the File Name
6. saved in local drive.
You can import into portal as x.509 certificate.
check this thread -
Certificate no longer has signature (use restriction)
Renew certificate via SAP MarketPlace, and install from tcode slicense. If you are working on a trial version, there is a SAP license request application form. Fill the form with the hardware key. you will get the new license via email. Install using slicense. Then try exporting the certificate.
Thanks,
Divya
Edited by: Divya V on Mar 10, 2011 11:25 AM -
Error in SSO between Portal and IDM
Hi All,
In my scenario I need to configure the IDM workflow in portal and do SSO between them. I followed the steps given in IDM-Workflow installation document and did following things.
1. Uploaded the par file available in IDM installation kit in to portal.
2. Imported the Portal Content package (epa file) in to portal.I got the role Identity Center in my masthead.
3. Created System as said in the document.
4. Completed the necessary steps for transporting certificate between them.
But when I click on the role 'Identity Center' or do preview of any iViews of IDM I am getting the following error.
Portal runtime error.
An exception occurred while processing your request. Send the exception ID to your portal administrator.
Exception ID: 05:58_06/12/08_0860_1657450
Refer to the log file for details about this exception.
Here is my default trace log for that exception id.
#1.5 #0019BBDC2B650079000000440000161C00045D5E6D4D111F#1228560048914#com.sap.portal.portal#sap.com/irj#com.sap.portal.portal#tventhan#24261##n/a##e764b200c37c11ddca800019bbdc2b65#SAPEngine_Application_Thread[impl:3]_16##0#0#Error#1#/System/Server#Java###Exception ID: 05:58_06/12/08_0860_1657450
[EXCEPTION]
#1#com.sapportals.portal.prt.component.PortalComponentException: Error in service call of Portal Component
Component : pcd:portal_content/com.sap.idm/iviews/workflow/com.sap.idm.workflow.home_overview
Component class : com.sapportals.portal.sapapplication.SAPApplicationIntegratorComponent
User : xxxxx
at com.sapportals.portal.prt.core.PortalRequestManager.handlePortalComponentException(PortalRequestManager.java:973)
at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:343)
at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215)
at com.sapportals.portal.prt.pom.PortalNode.service(PortalNode.java:645)
at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:753)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
at java.security.AccessController.doPrivileged(Native Method)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Caused by: com.sapportals.portal.prt.runtime.PortalRuntimeException: Exception in SAP Application Integrator occured: Unable to parse template '<System.protocol>://<System.hostname>/<System.appcontext>/welcome.php?SAPIDStore=<System.idstore>&wf_portal=1'; the problem occured at position 38. Cannot process expression <System.appcontext> because Invalid System Attribute:
System: 'SAP_LocalSystem',
Attribute: 'appcontext'.
at com.sapportals.portal.appintegrator.AbstractIntegratorComponent.doContentPass(AbstractIntegratorComponent.java:123)
at com.sapportals.portal.appintegrator.AbstractIntegratorComponent.doContent(AbstractIntegratorComponent.java:98)
at com.sapportals.portal.prt.component.AbstractPortalComponent.doPreview(AbstractPortalComponent.java:240)
at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:168)
at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114)
at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
... 29 more
Please help me to get rid of this issue.
Thanks & Regards,
Tamil K
Hi Tamil,
Please have a look in your log
Exception in SAP Application Integrator occured: Unable to parse template '<System.protocol>://<System.hostname>/<System.appcontext>/welcome.php?SAPIDStore=<System.idstore>&wf_portal=1'; the problem occured at position 38. Cannot process expression <System.appcontext> because Invalid System
Please check the above values in system properties which are in bold
regards
Anand.M -
Users mapping between EP and ABAP system
Hello
I'd like to ask for some guidance in my quest
Current situation looks like this:
I've configured UME in AS Java to work with LDAP as read only data source. Then I've configured SPNego to run SSO - It works, users from MS AD can log into portal.
Now I have application in WD which authorizes via EP/AD - works fine.
And next step is users mapping between AD and ABAP backend (serving some BAPI's for WD app)
I've found a bunch of help pages starting from
http://help.sap.com/saphelp_nwce711/helpdata/en/0b/d82c4142aef623e10000000a155106/frameset.htm
But somehow it's quite complicated to achieve this mapping. I've tried to set RFC destinations logon type to user mapping but without success.
Can anyone point me to some more clear example or give path to configure this scenario? Is there a way of configuring this with NWA or some XML file editing is required?
Any help will be appreciated.
BTW: whole environment is in version 7.11
Best regards
Maciej
There is no equivalent to SPNEGO on the ABAP side.
If your goal is to propagate the user, then possible options are:
-> Wait for SAML 2.0 or invest now in a SAML 1.0 provider.
-> Use the same kerberos ticket for the EP as what your ABAP system will accept: route = SNC and 3rd party libraries.
-> Issue SAP logon tickets for the ABAP system from the EP, and use these in your WDA.
Another option is to expose the service with saved logon data in the ICF. If the service is just a wrapper for the BAPI, then you can also consider using trusted RFC between the service and the backend, but this might not be acceptable for your service.
I have only done experimental stuff with this and some of the above is not released yet. Also consider the consequences, even if it "does work"...
Cheers,
Julius -
Problem SSO between VPN and NAC
Hello
Description of our problem: SSO doesn't work
- on the first connection from the VPN client we enter the login and password two times: one time for the VPN client and the second time for CAA (Clean Access Agent).
- although for the other connections that succeed, we enter the login and password only one time (for VPN only) and for CAA the connection is done automatically, and some hours later we re-enter the login and password two times for VPN and CAA.
The following steps are done to configure Cisco NAC Appliance to work with a VPN concentrator:
Step 1 Add Default Login Page =ok
Step 2 Configure User Roles and Clean Access Requirements for your VPN users =ok
Step 3 Enable L3 Support on the CAS = ok
Step 4 Verify Discovery Host =ok (CAS IP ADDRESS 192.168.2.11)
Step 5 Add VPN Concentrator to Clean Access Server =ok (ASA IP ADDRESS 192.168.2.1)
Step 6 Make CAS the RADIUS Accounting Server for VPN Concentrator =ok
Step 7 Add Accounting Servers to the CAS (accounting server is CAM IP ADDRESS 192.168.20.10)
Step 8 Map VPN Concentrator(s) to Accounting Server(s)=ok
Step 9 Add VPN Concentrator as a Floating Device =ok
Step 10 Configure Single Sign-On (SSO) on the CAS/CAM =ok
the database for vpn authentication is cisco secure acs(192.168.1.30).
Thanks to anybody to give us a possible solution.
FILALI Saad
Ares Maroc
Hi
I have just gone through the same issues with SSO VPN with my CAS in real-ip mode.
First thing to consider, when you're testing, every time you test a user, make sure you go into the CAS or CAM and remove them as a certified device or active user before you perform your next test. I found that while I was testing that it would sometimes cache the user and I was getting successful auth attempts but due to their device being already accepted on a previous connection because the CAS was not made aware that the user had logged out correctly.
1. Make sure you have a fully functional DNS system on the inside network, I didn't realize how important it was to have forward and reverse lookups for your CAS and CAM. Make sure that all CAS and CAMs are listed in DNS with correct domain names.
This is very important if you're running your own CA certificates on CAS and CAM. Make sure that the CAM and CAS can resolve each other via DNS. Make sure the CAM and CAS can perform reverse lookups of each other. Also make sure that when the user VPN's into your ASA that they can also perform DNS lookups and reverse lookups. If they can't perform DNS lookups, you may need to temporarily allow the untrusted network full access while you resolve the DNS lookup problem on the client computer. One of the issues I had was that the VPN clients couldn't resolve internal DNS names and so the CCA agent would never auto pop-up and start the auto login process because it was trying to resolve the CAM name and also check that the CA certificate I had on the CAS was legitimate as I had used names in my certs and not IP addresses.
2. Make sure your VPN group settings on the IPSEC policy of the ASA has DNS pointing to your internal DNS server.
3. I know you already said you have done this but check to make sure that the VPN group setup on your ASA for your remote access users has been set up with the radius accounting being directed to the INSIDE interface IP address of your CAS (if you are running your CAS in real-ip, I found that the inside interface was the only interface listening on 1813, do a 'netstat -an' on the CAS to check). If you're running in VGW mode then you only have 1 IP address to direct it to anyway.
Follow from step 15 in following link
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
3. Troubleshoot and make sure that the ASA actually sends a radius accounting message to the CAS. I did this by ssh into the CAS and doing a 'tcpdump -i any src and not tcp 22'. I then logged into the VPN client and made sure that once I entered my VPN user and pass, that the ASA authenticates the VPN user and then passes a radius accounting message to the CAS informing the CAS it has allowed a new user. If you don't see this radius accounting message hit the CAS interface go back to my step 3 and resolve.
4. Finally check that you have not mistyped a shared secret somewhere, i.e. between CAM and ACS, between ASA and ACS, between ASA and CAS. I had all my users authenticate through radius on my ACS server, a number of times I got caught out by a simple typo in a shared secret.
Try these things first.
Also someone else here on the forums linked this guide to me that also helped me setup my CAS correctly.
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_vpncon.html
You may find it useful too.
Dale