SSO between EP and GRC systems

Similar Messages

• Setting up SSO between EP and back-end SAP systems

  Can anybody give me some insight about setting up SSO between EP and back-end SAP systems. If possible some links to write up would be great.
  Thanu

  Hi,
  This link gives you a detailed information on setting up SSO : http://help.sap.com/saphelp_nw04/helpdata/en/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm
  Some How-guides:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e676ec90-0201-0010-cfa3-90b7c1291903
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/77378b3d-0b01-0010-ffa5-c6941e286c43
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/80fbc690-0201-0010-1aba-93d5c8232b4a
  Regards,
  Sunil

• SSO between Portal and Nakia.....problem with SSO... library not found..

  Hi Sdn's  and Nakisa tehnical experts,
  We have a Portal environment 7.02 , a Nakisa environment 3.0  (CE) and and HR backend environment 701 (604).
  We are busy setting up SSO between Portal and Nakisa via the, URL iview for the Org chart (http://<host>:<port>OrgChart/default.jsp).
  We have done as indicated in wiki:
  http://wiki.sdn.sap.com/wiki/display/ERPHCM/SAPSSOAuthenticationwithverify.pseusingSAPSSOEXT
  We are however stil having issues with the SSO and in the cds.log the following is being displayed:
  ++01 Aug 2011 13:11:42 ERROR com.nakisa.Logger  - com.mysap.sso.SSO2Ticket : Could not load library: sapsecu.dll - java.lang.Exception: MySapInitialize failed: rc= 14null++
  ++01 Aug 2011 13:11:42 ERROR com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : java.lang.Exception: MySapEvalLogonTicketEx failed: standard error= 9, ssf error= 0++
  ++01 Aug 2011 13:11:42 ERROR com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : Internal error (9) - No SSF error (0)++
  Can someone indicate what I am doing wrong?
  Regards Dries

  Hi Luke,
  thanks a lot for your help so far.
  I have created a root/XML folder under the diretory, and the path is now as follows:
  K:\usr\sap\NKP\J14\j2ee\cluster\apps\Nakisa\OrgChart\servlet_jsp\OrgChart\root\.system\Admin_Config\__000__Sasol_DEV_LIVE\.delta\root\XML
  It seems like it finds the verify.pse, but not the library, sapsecu.dll.
  My credentials.xml file is as follows:
  <credentials>
  <assembly name="SapSso"/>
    <info>
      <item name="PseFilePath">XML\verify.pse</item>
      <item name="SsfLibFilePath">XML\sapsecu.dll</item>
      <item name="PsePassword"></item>
      <item name="WindowsPlatform">64</item>
      <item name="TicketFile"></item>
      <item name="Base64decode">true</item>
     </info>
  </credentials>
  I however stilll get the following in the cds.log
  15 Aug 2011 13:59:53 INFO  com.nakisa.Logger  - Tenant ID: 000
  15 Aug 2011 13:59:55 INFO  com.nakisa.Logger  - LoginSettingsObject Load: 1719
  15 Aug 2011 13:59:55 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : Credential provider SapSso
  15 Aug 2011 13:59:55 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : Using cert: K:\usr\sap\NKP\J14\j2ee\cluster\apps\Nakisa\OrgChart\servlet_jsp\OrgChart\root\XML\verify.pse
  15 Aug 2011 13:59:55 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : Ticket is: AjExMDAgAA9wb3J0YWw6eXNzZWxhZ2OIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAIWVNTRUxBR0MCAAMwMDADAANEUDkEAAwyMDExMDgxNTExNDcFAAQAAAAICgAIWVNTRUxBR0P%2FAQQwggEABgkqhkiG9w0BBwKggfIwge8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGBzzCBzAIBATAiMB0xDDAKBgNVBAMTA0RQOTENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTEwODE1MTE0NzIwWjAjBgkqhkiG9w0BCQQxFgQUK13ubzFiQrY4H%2FLRk2ysyvPSvccwCQYHKoZIzjgEAwQuMCwCFF1W9d!tAjLvP8dnb1bs4XghaHSBAhQ9kd9N!bJubUWITtkzU!za96lxNg%3D%3D
  15 Aug 2011 13:59:55 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : Version of SAPSSOEXT: SAPSSOEXT 4
  15 Aug 2011 13:59:55 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : SCUE LIB base path is:
  15 Aug 2011 13:59:55 ERROR com.nakisa.Logger  - com.mysap.sso.SSO2Ticket : Could not load library: sapsecu.dll - java.lang.Exception: MySapInitialize failed: rc= 14null
  15 Aug 2011 13:59:55 ERROR com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : java.lang.Exception: MySapEvalLogonTicketEx failed: standard error= 9, ssf error= 0
  15 Aug 2011 13:59:55 ERROR com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : Internal error (9) - No SSF error (0)
  15 Aug 2011 13:59:55 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : User to authenticate null
  15 Aug 2011 13:59:55 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : Authentication provider SapSso
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : User authenticated null
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : Authentication row is {SapSsoTicket=AjExMDAgAA9wb3J0YWw6eXNzZWxhZ2OIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAIWVNTRUxBR0MCAAMwMDADAANEUDkEAAwyMDExMDgxNTExNDcFAAQAAAAICgAIWVNTRUxBR0P%2FAQQwggEABgkqhkiG9w0BBwKggfIwge8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGBzzCBzAIBATAiMB0xDDAKBgNVBAMTA0RQOTENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTEwODE1MTE0NzIwWjAjBgkqhkiG9w0BCQQxFgQUK13ubzFiQrY4H%2FLRk2ysyvPSvccwCQYHKoZIzjgEAwQuMCwCFF1W9d!tAjLvP8dnb1bs4XghaHSBAhQ9kd9N!bJubUWITtkzU!za96lxNg%3D%3D}
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : User population provider is Database
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - FunctionRunner : ensurePool : Current pool size:0
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - FunctionRunner : ensurePool : Current pool size:0
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - FunctionRunner.executeFunctionDirect: /NAKISA/RFC_REPORT took: 266ms
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - BAPI_SAP_OTFProcessor_Report :  WhereClause : ( (Userid is null) or (Userid='') ); Table : (SAP_UserPopulation); Dataelement : (UserPopulationInfo)
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : User populated
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : Role mapping provider is: SAP
  15 Aug 2011 14:00:00 ERROR com.nakisa.Logger  - SAPRoleMapping_SAP.MapRoles() : while trying to invoke the method java.lang.String.toUpperCase() of an object loaded from local variable 'value'
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : Login process finished with errors
  Any ideas? Should I maybe hardcode the location in the credentials.xml?
  Kind regards
  Dries Yssel

• SSO Between EP  and R/3 6.4

  Hi,
  I am trying to implement SSO between SAP EP 6.0 and SAP R/3 6.4 using logon tickets.
  I've downloaded the .pse and .der files from Portal,uploaded the .pse in the backend system,added it to the ACL,but when i tried to test the connection in portal using system admin->system configuration->UM configuration->SAP system
  i am getting an error----
  (System ID): com.sap.mw.jco.JCO$Exception: (101) RFC_ERROR_PROGRAM: 'mshost' missing
  (System ID & System Number): com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to SAP gateway failed Connect_PM TYPE=A ASHOST=ctsgvcsap3 SYSNR=03 GWHOST=ctsgvcsap3 GWSERV=sapgw03 PCS=1 LOCATION CPIC (TCP/IP) on local host with Unicode ERROR service '?' unknown TIME Thu Feb 23 16:24:39 2006 RELEASE 640 COMPONENT NI (network interface) VERSION 37 RC -3 COUNTER 2
  Where am i going wrong?Please help.
  If anyone is having detailed documentation please forward the same.
  Thanks in advance
  SwarnaDeepika.
  Message was edited by: SwarnaDeepika

  Hi Swarna
  the procedure for importing portal certificate in r3 system i already mentioned
  u have a  authorization for strustsso2 on r3 system
  ask for that to basis person or done with their id
  after importing portal certificate into r3 system u have to restart the r3 system no need to restart the portal system
  and make sure for SSO  both portal and R3 system are in same domain.
  i.e
  sapr3.mydomain.com
  portal.mydomain.com
  if not u have to specify the DNS entry for that by creating alias.
  regards,
  kaushal

• Different ways to establish SSO between Portal and ADP

  Hi,
  We are implementing payroll with the help of ADP.
  Please let me know different ways of establishing SSO between portal  and ADP
  Thanks
  Bala Duvvuri

  You may a few issues. SSO with logon tickets is based on accessing web sites in the same domain. So, if the portal is on http://ourportal.company.com, then the web site being accessed needs to have a URL like http://adphosted.company.com. Is the ADP system accessible by a DNS alias that is within company.com? If so, you're OK. If not, then there will be problems.
  The other SSO method is user mapping, but the security implications are not good...

• SSO between ITS and EP

  We are implementing ESS MSS on 4.7 , ITS 4.7 with EP 6.0
  Can some one point me as to how to configure the SSO between these various landscapes. I Think we would require SSO between EP and ITS for ESS in MSS services.
  regards
  Sam
  Message was edited by:
          sameer chilama

  Hi Sameer,
  All the information you are looking for is in the help.sap.com
  http://help.sap.com/saphelp_nw04/helpdata/en/89/6eb8e1af2f11d5993700508b6b8b11/frameset.htm
  This help guide is really very clear and thorough.
  Regards
  Daniel

• SSO between Portal and Java WD application

  Hi Experts,
  I am using CE 7.2 on localhost and I am very new to SAP.
  I need to know how can I get SSO between Portal and Java WD.  I have a WD application that displays the logged in user using "IUser currentUser = WDClientUser.getCurrentUser().getSAPUser()", as well I can use "IUser user = UMFactory.getAuthenticator().getLoggedInUser()".  Both work.
  Q1. What is the difference in the 2 above?
  Q2. My WD application is set to authenticate user.  The WD application is in URL iView.  I need SSO between Portal and WD application.   Is there a way to get this SSO without SAP Backend (ECC), for now I just need SSO between Portal and Java WD appl.
  Everything is in localhost.
  Please advice. Thanks.

  > need to know how can I get SSO between Portal and Java WD.
  Then I suggest you ask your question in the Web Dynpro Java forum instead of the Web Dynpro ABAP one.

• Standard XML schema for Vendor data exchange between SAP and other system

  Is there a SAP standard way of XML schema that we exchange between SAP and other system? Please let me know.
  Thanks.

  See SAP Interface Repository (http://ifr.sap.com).
  My proposal is to leave old SAP connectors staff and use SAP Exchange Infrastructure. There is a support of industry XML standards in XI 3.0 like xCBL.

• DataSource / Structures mismatched between Dev and Test Systems. ..!!

  Hi,
  We are doing a scenario. Where XI will update the data into PSA through ABAP proxy.
  Scenario worked perfectly in development system.
  We transported the objects from Dev to test. The Strucures are mismatched in SE11 between development and Test systems as below.
  Data sources (ZDS_RECIHDR and ZDS_RECTPALL) looks ok. But when I saw the structures in SE11 they are not correct, they got mismatched.
  Development:
  /BIC/CQZDS_REC00001000 - Header (ZDS_RECIHDR)
  /BIC/CQZDS_REC00003000 - Allocation (ZDS_RECTPALL)
  Test:
  /BIC/CQZDS_REC00001000 - Allocation (ZDS_RECTPALL)
  /BIC/CQZDS_REC00003000 - Header (ZDS_RECIHDR)
  Kindly let me know where it might have gone wrong?
  Thanks
  Deepthi

  We done it already. Still it is failing.
  While transporting, it is failing and showing the error as
  Program ZPI_CL_IA_PAYMENT_ALLOCATION1=CP, Include ZPI_CL_IA_PAYMENT_ALLOCATION1=CM001: Syntax error in line 000016
  The data object 'L_S_DATA' has no component called'/BIC/ZSALENUM', but there is a component called
  Program ZPI_CL_IA_PAYMENT_HEADER======CP, Include ZPI_CL_IA_PAYMENT_HEADER======CM001: Syntax error in line 000016
  The data object 'L_S_DATA' has no component called'/BIC/ZTRANDATE', but there are the following com
  The Structure is mismatched in SE11 between header and allocation structures. That is the reason it is failing.
  Any more ideas pls?

• Consistency between dev and prod systems!!!!

  Hi All,
  I wuld like to check the consistency between Dev and Prod systems for all the Data model and other objects existing. I would like to do this sanity check to see whether the two systems are in sync. Are there any tools or transaction codes within SAP framework which can guide me in this direction.
  Kind Regards,
  Surya Tamada.

  Hi Surya ,
  First build whole data flow :
  1 .Create Infoarea ,Infoobjects & Masterdata ,Infoproviders ,Infoobject Catelog under Infoarea,MetaData - Characteristics MeteData - Key Figures 
  2 DSOs  ,Infocubes ,Infosets, Multiproviders ,Views in the development system ,Datasources for BW system,Flat File Datasources,Transformations
  then get data from the se11 tables as per your requirement :
  like RSDVCHA ,RSDBCHATR,RSDCUBEIOBJ,RSDICMULTIIOBJ etc and built view on it  as per your requirement .
  then built flat file data sources and transformation .
  get all data downloaded to flat file in ur PC .In the same way from other system.
  make flow from PC File Datasource -> DSO -> Infocube and build queries for different objects .load the downloaded files to them and then run query .
  ex : query to compare cube will take cube name and systems name as input and compare objects .
  Regards,
  Jaya

• Can you tell me some differences between R2 and R3 systems?

  Hi,
  Can you tell me some differences between R2 and R3 systems?
  I guess R2 is used only for mainframe systems some time back. But i dont know why we prefered R3 over R2.
  Please clarify this!
  Thanks,
  Venkatesh.R.

  SAP R/3 is
  Client server
  3 tier
  Presentation
  Application
  Database
  Relatively hardware and database independent
  ABAP/4 applications runs on application servers.
  Dispatcher, shared memory, gateway, work processes are major components of an application server.
  SAP R/3 offers
  Comprehensive suite of integrated applications meeting the needs of most business
  Best practice process design
  Ability to configure to
  Industry sector
  Unique business requirements
  In a R/2  System - it is a 2 Tier System based on Mainframe Systems with Intelligent terminals
  R/3 is based 3 tier Client Server architechture and supports the R/2 system as well.
  R/3 Middleware -
  Client server
  Uses underlying relational databases
  Oracle
  SQL server
  Ingress
  Sybase
  Its graphical user interface
  Sap GUI
  hence R/3 is preffered over R/2 systems because they support Client Server Architecture which is easily configurable,scalable and can integrate with ERP systems and integrate with SOA or Web based Apps.
  Thanks,
  Saurabh Shukla

• SSO between EP and ECC-- JCo RFC Provider- Error-- JCO_ERROR_SERVER_STARTUP

  Hello Everyone
  I am setting Up SSO between my EP 7.0 and my ECC 6.0 system. During the phase JCO RFC PRovider i am giving the following values:
  The following was done;
  1. start Visual Administrator -> Service : Choose JCo RFC Provider
  2. Created JCo RFC provider:
  Program ID: SAPJ2EE_Port
  Gateway host: EPDEV ( host of my EP System)
  Gateway service: sapgw00
  Server Count 5
  Application Server Host: ERP6 ( Host of my ECC System)
  System Number: 00
  Client: 000
  Language: EN
  User: SAPJSF
  Password: ..
  When i click on SET i am getting the error " ERROR When ADDING TO BUNDLE" Check LOG FOR DETAILS".
  I checked the DEFAULTTRACE.TRC and get the following MEssage :
  Date , Time , Message , Severity , Category , Location , Application , User
  03/01/2011 , 3:33:30:101 , Error changing bundle SAPJ2EE_PORT , Error , /System/Server , com.sap.engine.services.rfcengine.RFCRuntimeInterfaceImpl.addBundle(BundleConfiguration conf) ,  , Administrator
  03/01/2011 , 3:33:30:085 , com.sap.mw.jco.JCO$Exception: (129) JCO_ERROR_SERVER_STARTUP: Server startup failed at Tue Mar 01 03:33:30 PST 2011.
  This is caused by either a) erroneous server settings, b) the backend system has been shutdown, c) network problems. Will try next startup in 1 seconds.
  Could not start server: Connect to SAP gateway failed
  Connect parameters: TPNAME=SAPJ2EE_PORT GWHOST=EPDEV GWSERV=sapgw00
  ERROR       partner 'EPDEV:sapgw00' not reached
  TIME        Tue Mar 01 03:33:30 2011
  RELEASE     700
  COMPONENT   NI (network interface)
  VERSION     38
  RC          -10
  MODULE      nixxi.cpp
  LINE        2823
  DETAIL      NiPConnect2
  SYSTEM CALL connect
  ERRNO       10061
  ERRNO TEXT  WSAECONNREFUSED: Connection refused
  COUNTER     1
  I have configured my SLD as well. Any suggestions. Please Advise.

  Hi Ahmed,
  Please do check the validity of the certificate.
  Please do cross check these steps again.
  1.     Transaction u2013 STRUSTSSO2 (Trust Manager for Logon Ticket)
  2.     Double Click Owner certificate. It gets reflected under the certificate tab.
  3.                  Choose Format Binary
  4.                  Choose File Path.
  5.                  Enter the File Name
  6.                 saved in local drive.
  You can import into portal as x.509 certificate.
  check this thread -
  Certificate no longer has signature (use restriction)
  Renew certificate via SAP MarketPlace, and install from tcode slicense.  If you are working on a trial version, there is a SAP license request application form. Fill the form with the hardware key. you will get the new license via email. Install using slicense. Then try exporting the certificate.
  Thanks,
  Divya
  Edited by: Divya V on Mar 10, 2011 11:25 AM

• Error in SSO between Portal and IDM

  Hi All,
  In my scenario i need to configure the IDM workflow in portal and do SSO between them. I followed the steps given in IDM-Workflow installation document and did following things.
  1. Uploaded the par file available in IDM installation kit in to portal.
  2. Imported the Portal Content package (epa file) in to portal.I got the role Identity Center in my masthead.
  3. Created System as said in the document.
  4. Completed the necessary steps for transporting certificate between them.
  But when click on the role 'Identy Center' or do preview of any iViews of IDM i am getting the following error.
  Portal runtime error.
  An exception occurred while processing your request. Send the exception ID to your portal administrator.
  Exception ID: 05:58_06/12/08_0860_1657450
  Refer to the log file for details about this exception.
  Here is my default trace log for that exception id.
  #1.5 #0019BBDC2B650079000000440000161C00045D5E6D4D111F#1228560048914#com.sap.portal.portal#sap.com/irj#com.sap.portal.portal#tventhan#24261##n/a##e764b200c37c11ddca800019bbdc2b65#SAPEngine_Application_Thread[impl:3]_16##0#0#Error#1#/System/Server#Java###Exception ID: 05:58_06/12/08_0860_1657450
  [EXCEPTION]
  #1#com.sapportals.portal.prt.component.PortalComponentException: Error in service call of Portal Component
  Component : pcd:portal_content/com.sap.idm/iviews/workflow/com.sap.idm.workflow.home_overview
  Component class : com.sapportals.portal.sapapplication.SAPApplicationIntegratorComponent
  User : xxxxx
       at com.sapportals.portal.prt.core.PortalRequestManager.handlePortalComponentException(PortalRequestManager.java:973)
       at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:343)
       at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
       at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
       at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215)
       at com.sapportals.portal.prt.pom.PortalNode.service(PortalNode.java:645)
       at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
       at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
       at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
       at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:753)
       at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
       at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
  Caused by: com.sapportals.portal.prt.runtime.PortalRuntimeException: Exception in SAP Application Integrator occured: Unable to parse template &\#39;&lt;System.protocol&gt;://&lt;System.hostname&gt;/&lt;System.appcontext&gt;/welcome.php?SAPIDStore=&lt;System.idstore&gt;&amp;wf_portal=1&\#39;; the problem occured at position 38. Cannot process expression &lt;System.appcontext&gt; because Invalid System Attribute:
  System:    &amp;\#39;SAP_LocalSystem&amp;\#39;,
  Attribute: &amp;\#39;appcontext&amp;\#39;.
       at com.sapportals.portal.appintegrator.AbstractIntegratorComponent.doContentPass(AbstractIntegratorComponent.java:123)
       at com.sapportals.portal.appintegrator.AbstractIntegratorComponent.doContent(AbstractIntegratorComponent.java:98)
       at com.sapportals.portal.prt.component.AbstractPortalComponent.doPreview(AbstractPortalComponent.java:240)
       at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:168)
       at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114)
       at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
       ... 29 more
  Please help me to get rid of this issue.
  Thanks & Regards,
  Tamil K

  Hi Tamil,
  Please have a look in your log
  Exception in SAP Application Integrator occured: Unable to parse template &\#39;<System.protocol>://<System.hostname>/<System.appcontext>/welcome.php?SAPIDStore=<System.idstore>&wf_portal=1&\#39;; the problem occured at position 38. Cannot process expression <System.appcontext> because Invalid System
  Please check the above values in system properties which are in bold
  regards
  Anand.M

• Users mapping between EP and ABAP system

  Hello
  I'd like to ask for some guidance in my quest
  Current situation looks like this:
  I've configured UME in AS Java to work with LDAP as read only data source. Then I've configured SPNego to run SSO - It works, users from MS AD can log into portal.
  Now I have application in WD which authorizes via EP/AD - works fine.
  And next step is users mapping between AD and ABAP backend (serving some BAPI's for WD app)
  I've found a bunch of help pages starting from
  http://help.sap.com/saphelp_nwce711/helpdata/en/0b/d82c4142aef623e10000000a155106/frameset.htm
  But somehow it's quite complicated to achieve this mapping. I've tried to set RFC destinations logon type to user mapping but without succes.
  Can anyone point me to some more clear example or give path to configure this scenario? Is there a way of configuring this with NWA or some XML file editing is required?
  Any help will be appreciated.
  BTW: whole environment is in version 7.11
  Best regards
  Maciej

  There is no equivalent to SPNEGO on the ABAP side.
  If your goal is to propagate the user, then possible options are:
  -> Wait for SAML 2.0 or invest now in a SAML 1.0 provider.
  -> Use the same kerberos ticket for the EP as what your ABAP system will accept: route = SNC and 3rd party libraries.
  -> Issue SAP logon tickets for the ABAP system from the EP, and use these in your WDA.
  Another option is to expose the service with saved logon data in the ICF. If the service is just a wrapper for the BAPI, then you can also consider using trusted RFC between the service and the backend, but this might not be acceptable for your service.
  I have only done experimental stuff with this and some of the above is not released yet. Also consider the consequences, even if it "does work"...
  Cheers,
  Julius

• Problem SSO between VPN and NAC

  Hello
  Description of our problem : SSO doesn't work
  -on the first connexion from vpn client we insert two time the login and password :one time for the client vpn and the seconde time for CAA (clean Access agent).
  -although for the other connexion that succeed, we insert only one time the login and password (for vpn only) and for CAA the connexion is done automatiquely and a some hours later we reinsert two times login and password for vpn and CAA.
  The following steps are done to configure Cisco NAC Appliance to work with a VPN concentrator:
  Step 1 Add Default Login Page =ok
  Step 2 Configure User Roles and Clean Access Requirements for your VPN users =ok
  Step 3 Enable L3 Support on the CAS = ok
  Step 4 Verify Discovery Host =ok (CAS IP ADDRESS 192.168.2.11)
  Step 5 Add VPN Concentrator to Clean Access Server =ok (ASA IP ADDRESS 192.168.2.1)
  Step 6 Make CAS the RADIUS Accounting Server for VPN Concentrator =ok
  Step 7 Add Accounting Servers to the CAS (accounting server is CAM IP ADDRESS 192.168.20.10)
  Step 8 Map VPN Concentrator(s) to Accounting Server(s)=ok
  Step 9 Add VPN Concentrator as a Floating Device =ok
  Step 10 Configure Single Sign-On (SSO) on the CAS/CAM =ok
  the database for vpn authentication is cisco secure acs(192.168.1.30).
  Tanks to any anybody to give us a possible solution.
  FILALI Saad
  Ares Maroc

  Hi
  I have just gone the the same issues with SSO VPN with my CAS in real-ip mode.
  First thing to consider, when your testing, every time you test a user, make sure you go into the CAS or CAM and remove them as a certified device or active user before you perform your next test. I found that while I was testing that it would sometimes cache the user and I was getting successful auth attempts but due to their device being already accepted on a previous connection because the CAS was not made aware that the user had logged out correctly.
  1. Make sure you have a fully functional DNS system on the inside network, I didnt realize how important it was to have forward and reverse look ups for your CAS and CAM. Make sure that all CAS and cams are listed in dns with correct domain names.
  This in very important if your running your own CA certificates on cas and cam. Make sure that the CAM and CAS can resolve each other via dns. Make sure the CAM and CAS can perform reverse lookups of each other. Also make sure that when the user VPN's into your ASA that they can also perform DNS lookups and reverse lookups. If they cant perform dns look ups, you may need to temporarily allow the untrusted network full access while you resolve the DNS lookup problem on the client computer. One of the issues I had was that the VPN clients couldnt resolve internal DNS names and so the CCA agent would never auto pop-up and start the auto login process because it was trying to resolve the CAM name and also check that the CA certificate I had on the CAS was legitimate as I had used names in my certs and not IP addresses.
  2. Make sure your VPN group settings on the IPSEC policy of the ASA has DNS pointing to your internal DNS server.
  3. I know you already said you have done this but check to make sure that the VPN group setup on your ASA for your remote access users, has been setup with the radius accounting being directed the INSIDE interface IP address of your CAS, (if you are running your CAS in real-ip, I found that the inside interface was the only interface listening on 1813, do a 'netstat -an' on the cas to check) if your running in VGW mode then you only have 1 ip address to direct it to anyway.
  Follow from step 15 in following link
  http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
  3. Troubleshoot and make sure that the ASA actually sends a radius accounting message to the CAS. I did this by ssh into the CAS and doing a 'tcpdump -i any src and not tcp 22'. I then logged into the VPN client and made sure that once I entered my vpn user and pass, that the ASA authenticates the vpn user and then passes a radius accounting message to the CAS informing the CAS it has allowed a new user. If you dont see this radius accounting message hit the CAS interface go back to my step 3 and resolve.
  4. Finally check that you have not mistyped a shared secret somwhere, ie between CAM and ACS, Between ASA and ACS, Between ASA and CAS. I had all my users authenticate though radius on my ACS server, a number of times I got caught out by a simple typo in a shared secret.
  Try these things first.
  Also someone else here on the forums linked this guide to me that also helped me setup my CAS correctly.
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_vpncon.html
  You may find it useful too.
  Dale