SSO on AS ABAP/JAVA using Kerberos

Hello,
We have the following configuration:
ECC system
Setup of Microsoft UAG server for SSO using Kerberos W2008R2
All the steps about SPN have been applied...
We use Kerbtray to check the keys..
But when using WEBGUI, we got error 401 http auth.
Tried to trace but nothing. I've found nothing on those forums about the setup of service webgui, and tried most combinations without any success. Now I've selected in logon data procedure "Alternative logon procedure" and security standard-auth standard SAP user and keep all logon procedure.
Have an idea how to fix this problem? Thanks in advance.
Info: all the checks about IE8 or Firefox setup have been applied and I've used SPNego Add-on setup and imported the generated keytab ... with crypto RC4-HMAC-NT.
Regards,
Jade

Hi Jade,
I was in the same situation before. I had to configure SSO with Windows Authentication for IITS. I have configured Kerberos for SAP GUI for ABAP and SAP Negos only for JAVA stack (not for ABAP stack (IITS)). The Windows Authentication is possible with ABAP or JAVA individually. When I opened a message with a similar requirement, SSO experts suggested that I use 3rd party products.
So finally, to achieve the requirement, I have configured SSO with Logon Tickets. Even though you don't have Enterprise Portal, you can configure SSO with Logon Tickets by creating a PSE in the ABAP stack and importing it in the other system. This worked fine with IITS. Only for the initial system do we need to enter credentials; the remaining systems log you in directly with the generated cookie/ticket.
If you can, try SAP negos, then config. for ABAP to accept JAVA tickets (there is conf SSO from JAVA to ABAP) on the same system. This may enable Windows Authentication for IITS (I didn't try this).
Refer: Need help in SNC configuration for ITS (IITS)
If you come up with any solution other than this to enable Windows Authentication, please post. Maybe Olivier's solution works here. Olivier, could you please post about the SAP note info and the config steps?
Thanks,
Ajay.
Edited by: Ajay_Basis on Jul 15, 2010 5:15 PM

Similar Messages

  • SSO within an ABAP+JAVA on the same host

    Experts:
    We have a dual stack (ABAP+JAVA) NW04s on the same host.
    The usage type EP7 is enabled.
    From this EP7 we want to access its own ITS thru SSO.
    We configured the SSO just like we did for the EP7 + ECC on 2 different hosts.
    However, we are always asked for an ID/password when trying to test the SSO from the EP7.
    The error is:
    "SSO logon not possible; browser logon ticket cannot be accepted"
    Please advise. Points guaranteed. Thanks!

    hi,
    I also tried to do the same, but I think it's not possible.
    I read somewhere that SAP recommends using different instances of ABAP and Java. I installed separate ABAP and Java instances on the same host and then configured SSO using the Configuration Wizard in NWA configuration, and it works perfectly.
    regards,
    Ankur

  • NWBC 2.0 logon failure to ABAP/JAVA stack system

    Hi,
    Maybe not the correct forum, but there isn't any for the NWBC.
    I am testing the Netweaver business client 2.0. It seems to work fine for portal connections, but when I try to connect to a netweaver system (abap+java) using the internal ITS url (http://host:8000/sap/bc/gui/sap/its/webgui), I get an error saying:
    Could not open the logon window on server <host> (server URL http:// <host>:8000/sap/bc/gui/sap/its/webgui, logon URL http://<host>:8000/ticketissuer/TicketIssuer?NWBC_avoidCache=460486210'); check if the URL is valid and the server is running
    The URL works fine on the NWBC 1.0. Is there something significantly changed in 2.0? Does the 2.0 version only accept portal URLs? I can't find any documentation on this.
    regards,
    Bas

    hi,
    There might be a problem in Properties in the Connection Sections.
    Also see the below documentation, as I don't know what parameters you might have given for configuring.
    [Configuring NWBC|http://help.sap.com/saphelp_nw70/helpdata/en/46/5549df9d3651eae10000000a114a6b/content.htm]
    [Adjusting properties. |http://help.sap.com/saphelp_nw70/helpdata/en/46/554a149d3651eae10000000a114a6b/content.htm]

  • SSO To J2EE engine of ABAP+JAVA Addin Install

    Hi all,
    I have set up an SAP system as an ABAPJAVA Addin Install. The system is running NW04s SP11. I have an SAP Portal installed on the JAVA side to support some BW functions. I would like to do SSO from the user's desktop directly to the portal component. Is this possible with this type of install? I have set up Kerberos / SPNego with a JAVA only install connected to a Microsoft ADS. I have also configured the system to use MYSAPSSO2 tickets from another SAP system, but that requires the users to go to the other SAP system before going to the ABAPJAVA Addin system. I would like the users to go directly to the ABAP+JAVA Addin system via a URL like http://server:port/irj/... and get single signed on to the system. Is this possible?
    Any help is appreciated!
    Russ Scherbarth

    Hello Russ,
    Yes, it is possible to configure SSO using the SPNego Loginmodule (Kerberos) for this type of system as well. You can also use the SPNego configuration wizard to get the configuration work done, but you need to perform some manual follow up work as well.
    So my recommendation is check the online documentation for wizard based configuration AND manual configuration, perform the wizard based configuration (more or less the same as you did for the other system) and afterwards (depending on your JDK) you might have to perform some manual follow up activities.
    Select as user resolution mode prefixbased, the attribute to be used is uniquename. In addition you need to create the service user in the portal database (when using SUN JDK), as you do not have direct connection to Active Directory.
    With best regards,
    René

  • SSO on WAS 6.20 (unix) using kerberos and Windows Active Directory (AD)

    Hi Gurus!!
    We are looking for the way to implement the Single Sign On in our R/3 Systems installed on unix of the Active Directory (obviously windows) users using Microsoft Kerberos.
    I'm not able to find documentation about this architecture.
    Can somebody help me?
    Is there any documentation related to this topic?
    Did somebody configure this kind of SSO?
    Thank you very much in advance,
    Edorta Ramos

    Ramos,
    I should have made it clearer. When I referred to AS, I was referring to the SAP ABAP AS (e.g. application server). Of course the KDC (e.g. Microsoft Active Directory) has an AS service as well...
    Yes, you can Kerberos enable (Kerberize) the SAP ABAP AS and SAP GUI using Kerberos libraries for Windows and AIX. As I mentioned already, since AIX is involved you should consider evaluating and buying SAP certified SNC libraries available from an SAP partner. Your first place to look is in SAP EcoHub (click link at top of this SDN forum to enter EcoHub) and search for SNC or Kerberos.
    You asked about gssapi library - as I have said a few times, there is no gssapi (e.g. SNC library) provided by SAP for UNIX or Linux, so if you are using AIX you need to look elsewhere (e.g. SAP partner) and the SAP partner will also provide the compatible/supported library for the Windows workstations as well so you get a complete solution from the vendor.
    Thanks,
    Tim

  • SSO using Kerberos with SAP Logon Tickets

    Hi,
    I am creating a Repository Manager for the Portal Knowledge Management System and I want to use SSO to a backend IIS application and I have a few questions here. 
    I have a three tiered architecture. 
    A.  The presentation tier (SAP Portal which has my Repository Manager implementation)
    B.  ASP.NET web service data layer.
    C.  Backend document management system which runs on IIS. 
    I have installed the ISAPI filter on my ASP.NET application server and have enabled this HOST account for delegation in MSAD 2003.   Server B will use Kerberos constrained delegation to access Server C, which is an IIS backend server. 
    My question is how do I pass an SAP Logon Ticket to an ASP.NET web service request from my Repository Manager implementation?  Basically how do I just make an HTTP request to an ASP.NET application from some portal iView or WebDynPro code and pass along the SAP Logon Ticket in the request so it can be interpreted by the ISAPI filter on the IIS server.  Does anyone have any sample code or an application here that does this?
    Thanks,
    Scott

    Hi Scott
    Did you manage to find out anything regarding how to pass the SAP Logon ticket to an ASP.NET web service? Can you share it with me?
    regards
    ram

  • How do I use Kerberos Auth in Java 6?

    Hi,
    I have a problem with the Kerberos authentication. I have a simple class that tries to connect to an LDAP server using Kerberos. It works great when I use java 5, but with java 6 it fails.
    Here is part of the code:
            System.setProperty("java.security.auth.login.config", "/etc/login.conf");
            System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
            System.out.println("Trying to login using kerberos...");
            KerberosCallbackHandler kerberosCallbak = new KerberosCallbackHandler();
            LoginContext loginContext = new LoginContext(loginContextName, kerberosCallbak);
            loginContext.login();
            System.out.println("Login succeeded");
            //Login succeeds on both java 5 and java 6
            Subject.doAs(loginContext.getSubject(), new JndiAction());
            System.out.println("Connected through Kerberos successfully");
    The failure happens in the JndiAction:
        // Inner class of KerberosAuth; user, domain and url are fields of the enclosing class
        public class JndiAction implements PrivilegedExceptionAction<Integer>
        {
            public Integer run() throws Exception
            {
                String username = user + "@" + domain;
                System.out.println("User to connect to Kerberos is " + username);
                System.out.println("Provider URL is: " + url);
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put("java.naming.ldap.derefAliases", "finding");
                env.put(Context.PROVIDER_URL, url);
                // SASL GSSAPI bind: uses the Kerberos credentials of the Subject passed to doAs
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                System.out.println("Trying to create context...");
                new InitialLdapContext(env, null);
                return 0;
            }
        }
    An exception occurs when calling new InitialLdapContext:
    Exception in thread "main" java.security.PrivilegedActionException: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAs(Unknown Source)
            at KerberosAuth.connectKerberos(KerberosAuth.java:71)
            at KerberosAuth.main(KerberosAuth.java:29)
    Caused by: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
            at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
            at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
            at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
            at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
            at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
            at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
            at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
            at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
            at javax.naming.InitialContext.init(Unknown Source)
            at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
            at KerberosAuth$JndiAction.run(KerberosAuth.java:155)
            at KerberosAuth$JndiAction.run(KerberosAuth.java:1)
            ... 4 more
    Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
            at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
            ... 18 more
    Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
            at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
            ... 19 more
    Caused by: KrbException: Server not found in Kerberos database (7)
            at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
            at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
            at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
            at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
            at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
            ... 22 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
            at sun.security.krb5.internal.KDCRep.init(Unknown Source)
            at sun.security.krb5.internal.TGSRep.init(Unknown Source)
            at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
            ... 27 more
    I want to emphasize that the login function did succeed, and that I try to connect to the same server with the same username and password and same configuration. With java 5 it works, with java 6 it does not.
    Does anybody know what I should do to solve this problem?
    TIA,
    Dikla

    Note: This thread was originally posted in the [Java Secure Socket Extension  (JSSE)|http://forums.sun.com/forum.jspa?forumID=2] forum, but moved to this forum for closer topic alignment.

  • ABAP+JAVA system copy using 3rd party export/import tools

    Hi all,
    I am trying to do a homogeneous system copy. I am following the syscopy guide for SAP NW 7.0 SR3 ABAP+JAVA systems.
    We are running AIX 5.L and Oracle.
    My question is this.  We are using an IBM XiV system for our disk storage, and we are able to restore from "snaps" which is their version of images.  Does anyone know if it is possible to restore or "import" the data in a system copy using an outside tool like this?  If so, do you have any information on how to?
    I know it is possible to restore the database from an offline backup using BRTools rather than r3load and jload, and I just wanted to see if I can restore from a snap as it would save a lot of time in the procedure.
    Any help or ideas would be much appreciated.
    Thanks!

    >My question is this.  We are using an IBM XiV system for our disk storage, and we are able to restore from "snaps" which is their version of images.  Does anyone know if it is possible to restore or "import" the data in a system copy using an outside tool like this?  If so, do you have any information on how to?
    That approach is not supported.
    The reason is: combined instances write the instance name and hostname in various places: on the filesystem in .properties files, in the JDBC configuration, and, depending on the java applications you run on top, in various other places. What you're trying to do is effectively "renaming" an instance.
    Technically it's possible to do it and to get it to run, yes, but the supported way is running sapinst and choosing ABAP + Java system copy. This will save you from lots of (not really documented) manual work after the copy.
    Markus

  • What is ABAP/JAVA Proxy and whats the use of it?

    Hello All,
    What is ABAP/JAVA Proxy? And why do we need to use them? I am not sure of the definitions given on help.sap.com. That's the reason I am posting this question. Right answer will be rewarded. Thanks in advance.
    Regards,
    Farooq.

    HI Farooq
    ABAP Proxy
    An ABAP server proxy is created for the inbound interface created in XI's Integration Repository; the proxy should be created in the business system for which the interface is created.
    You can refer to the following link:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/02/265c3cf311070ae10000000a114084/frameset.htm
    Server Proxies are generated for Inbound Message Interfaces. These are used to Process the Data coming into SAP System from an external application.
    Sproxy is the transaction to generate Proxies.
    Please refer to this blog on ABAP server proxies:
    /people/siva.maranani/blog/2005/04/03/abap-server-proxies
    Java Proxy
    Java Proxies are used to allow your Java applications (J2EE, J2SE applications) to interact directly with the Integration Server of XI without any special adapters.
    All documents are available on SDN itself .
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/7d4db211-0d01-0010-1e8e-9b07fc2113ab - How To Work with XI 3.0 Java Proxies
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/a068cf2f-0401-0010-2aa9-f5ae4b2096f9- Java Proxies and SAP XI - The Inside Story, Part 1
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/f272165e-0401-0010-b4a1-e7eb8903501d - Java Proxies and SAP XI - The Inside Story, Part 2
    Proxies help you achieve non-standard functionality for which the out of box XI adapters do not suffice. Just to give you an example, consider a system with which XI has to integrate , the only interface the system offers is a TCP / IP socket based interface. You could write a Java proxy which would interact over sockets with your target system, which is not possible with other standard adapters which are shipped with your XI installation
    You can refer demo on SDN TV, on this link
    https://www.sdn.sap.com/irj/sdn?rid=/webcontent/uuid/110ff05d-0501-0010-a19d-958247c9f798 [original link is broken]
    Cheers..
    Vasu
    ** Reward Points if found useful **

  • Duration of an Abap Function call from Java using Jco3

    Hi guys!
    I would like to use this discussion to get some references for the duration of an RFC call from Java to SAP. At the moment, I need at least about 200ms to call the ABAP function. I'm just using one simple import and export parameter (so no deep structures). I think that the reason for my poor performance is that the Java tool and the SAP instance are not in the same network. So, I hope some of you have some data on how fast an RFC call from Java using JCo can be executed.
    greetings, Hannes

    Hi Hannes,
    I think you have already got the answer to your question - the network set-up you have is probably the bottleneck.  Whenever I've worked with Java <-> ABAP and they are in the same network, I've had no performance problems at all.
    Does your RFC contain any complex logic or business processes?  Are you able to try and call something that does nothing, say it just accepts an input string and returns it straight away as an export.  Do you have any scope for testing with your Java tool on the same network as the SAP system?
    Cheers,
    G.

  • Access ABAP tables using NWDS Java Code

    All,
    I am planning to write a program to automatically update is_url entries in sxmb_admin using a Java program.
    Is there a way we can access the ABAP tables using standalone Java code? Would it be something like dblookup that we use in the mappings?
    Your Thoughts....
    Thanks.

    Hi Vicky - Interesting..Seems like you are trying to automate every single thing
    However you can make use of Jco to connect to ABAP tables..
    Check the below thread..
    Help on accessing tables of SAP from the Java Application
    I assume the table name is "SXMSCONFVLV" which you might have to update but not sure..

  • Can we create Interactive forms only with ABAP & without using GP,  or Java

    Hi,
    I would like to know if we can create Interactive forms only with ABAP & without using GP or Java. We want to develop an offline solution using Interactive forms, but would like to use only ABAP for creating the forms. All the documents so far either refer to creating the forms, in reference to / in sync with: ISR (Service Requests), GP (General Procedures) or Java. Can this be done with ABAP alone?
    Regards,
    Ramesh
    Edited by: Ramesh Nallabelli on Apr 16, 2008 12:02 AM

    Hello Ramesh,
    You should be able to create Adobe Interactive Forms using only the ABAP stack (without GP, Java, etc). Please refer to the thread below. Hope it helps.
    Re: help for-offline interactive forms based on sending receiving mails in ABAP
    Regards,
    Rao

  • How could JAVA API and ABAP API useful to MDM.

    Hi Experts,
    How could the JAVA API and ABAP API be useful to MDM, and is any coding in Java or ABAP required in MDM?

    Hi Reema,
    Java API and ABAP API are very useful to MDM to integrate MDM with other SAP components like SAP R\3, EP etc.
    It does not require any coding in MDM; in fact, for the Java API, coding can be done in NWDS (Netweaver Developer Studio). And for the ABAP API, coding is done on the SAP R\3 system in the ABAP editor.
    JAVA API:
    By using the Java API, MDM client operations can be performed. For this, one needs to install NWDS and deploy some .jar files, and with the help of standard classes and interfaces it can be connected to the MDM server and various operations like create repository, connect to repository, data manipulation etc. can be performed.
    ABAP API:
    Suppose you have an expert ABAPer and you want him to perform MDM operations. In that case he need not learn MDM basic data types; in fact, by doing some settings on the R\3 and MDM server side, an ABAPer can perform MDM Console and MDM Data Manager level operations.
    You can go through these links:
    http://help.sap.com/javadocs/MDM/SP06/overview-summary.html
    /people/bv.pillai/blog/2006/11/28/installing-mdmtech-add-on-and-configuring-the-mdm4a-mdm-for-abap-api
    Here the coding is done on SAP R\3 system.
    hope it will give you some idea about Java API and ABAP API
    Reward if helpful
    Thanks ,
    Vinay Yadav

  • Need help with ABAP coding using java

    Dear experts,
    I have used ABAP to code many reports/function modules. However, as I know Java quite well, I want to achieve the same using Java. I have utilized JCO to retrieve information from RFC in this mission.
    However, I realized that I had to code all things using ABAP and use Java only as an interface to connect to SAP, fetch that module and display information on the console. It was not that fun.
    I want that I should not log in to SAP but work only using Java.
    I heard SAP Netweaver is a good choice, but I don't know much about it. Will I be able to develop reports only with Java, and how?
    Please suggest.

    hi,
    I hope that you already have the J2ME Toolkit and that your emulator works okay. In the toolkit you get several examples to show you how to program a MIDlet. One has to do with a HTTP client server connection. Also in the API documentation for the J2ME there is a Connector class that you used to set up this communication and in the description of this class it pretty thoroughly explains how to set up an HTTP protocol client.
    However, if you want to do some other kind of networking then you are pretty much out of luck, as the TCPIP socket protocol has not been fully implemented and is optional to the J2ME specifications, only the HTTP protocol is certain to be available. This means that mobile phone companies can add other networking functionality to their phone's java virtual machine if they feel like it. This is a bummer I know.
    I hope this helps.
    Cheers,
    Mark

  • Portal integration with AD using Kerberos

    I am trying to setup my EP7 portal to use my AD as the UME.  I need to setup SSO and SNC presumably using Kerberos.
    My Portal is on UNIX.
    Does anyone have installation instructions to set up this scenario?
    Thanks
    Graham

    Graham,
    I think you are a bit confused, so I will try and help.
    1. SNC is used for secure communication between ABAP systems and between SAP GUI and ABAP (e.g. for SSO or secure network communications).
    2. SNC can be used to authenticate and secure a connection between code running on a portal and an ABAP system, but this is not often used, and I see nothing in your requirements that suggests this is needed.
    3. If you are using the SAP SPNEGO login module for Web SSO, then you can configure the Java stack (which is running the portal) so that it uses AD as UME data source. If you don't want to do this and instead, you prefer to use ABAP as user data source, then you can use a third party product which is not dependent on the UME configuration, and provides Web SSO using Kerberos.
    4. If you want to implement SSO for SAP GUI, then SNC will be used. This is completely different to Web/Portal SSO and not to be confused.
    I hope this helps.
    Thanks,
    Tim
