SSO to a hosted R/3 system

Can we use SSO with logon tickets when the R/3 system is hosted by an external partner and the domain name is not the same as the domain name of the portal server? We're accessing the R/3 through a VPN tunnel.
Will SSO also work when accessing the portal from the Internet?

Hi,
1. In a common domain, ITS is a problem. Let's say you have portal.intranet.company.com and its.outsourced.company.com. In this case you can set in the portal, using the relax-domain setting of UME, that the cookie will be generated for *.company.com. Portal works, ITS works. But when you log off, you are still logged in. The problem is that ITS resends an SSO ticket after accepting the portal's one (no advice helped to get rid of this "feature", even with the latest PL). If logoff deletes ITS's one (because HTTP is a stupid protocol, it happens), you cannot really log off: the browser sends the ticket issued by the portal and you are in again. There are also ugly side effects with exceptions and so on.
2. If you create the alias its.intranet.company.com (from point 1), use this alias in the portal, and the cookie is issued for *.intranet.company.com (default setting), the browser can see both servers in the same domain. I made a simple test and that worked. So I do not know about potential side effects.
Definitely, in HTTP (the stupid one) the server does not know who issued a cookie and for which domain, so R/3 will never know it in any case (of course, the content contains the SID of the ticket issuer).
3. Well, you will need a proxy with manipulation of headers and content of HTTP traffic. This means SSL from the browser must terminate in the proxy and optionally start again there and continue to the portal. I think there is a thread in these forums on how to do it. You will need to study in detail SAP's document about the Apache reverse proxy (probably you use Apache on Solaris). I'm afraid I could not find a link quickly; try a search in SDN.
4. IMHO SAP logon tickets are suitable and secure enough for most applications like internet shops, customer support, etc. There are weaker solutions of other vendors deployed on the Internet without problems. But surely in the case of bank applications for VIP customers every wise consultant will recommend additional security.
The problem I met with can be eliminated by setting the cookie only for the reverse proxy. If you set the cookie's domain restriction too wide (e.g. *.company.com), it will be delivered to any server in *.company.com. This is a well-known weakness of HTTP. There were simple cracks in the past where somebody created a non-authorized server thehacker.company.com (well, the Internet is a large and ugly place sometimes); if you have access to the DNS of some internet provider and if your end user clicks OK in every dialog window (which most users obviously do), you are in trouble: this unauthorized server might receive the ticket. The probability is low, as the hacker must have knowledge of the logon ticket feature, your architecture and application, write access to DNS, create some fake page forwarding to the hacker's server and so on. But why not? I expect that every serious hacker reads all relevant forums. Who can guarantee you that some of the answers here (also this one) are not hackers' Trojan horses? If you talk about security, if you use sources that are not 100% trusted, you should double check and analyse. And count the risk and the possible loss of money.
Pavol
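The cookie-scope behaviour behind points 1 and 2 and the "domain too wide" paragraph, as an added example (not code from this thread or from SAP): a small model of the browser's cookie store following RFC 6265 (sections 5.1.3 and 5.4), fed with the hostnames Pavol used. thehacker.company.com is his hypothetical rogue host; the ticket values and the assumption that ITS re-issues MYSAPSSO2 as a host-only cookie are constructed for the illustration.

```python
"""Cookie-scope model for SAP logon tickets (MYSAPSSO2).

Added example, not from the thread or from SAP. Models the browser cookie
store per RFC 6265 5.1.3 / 5.4 for the three situations in the answer:
UME relax-domain (*.company.com), the its.intranet.company.com alias, and
the logoff problem when ITS re-issues the ticket. Hostnames are the
thread's own; ticket values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TICKET = "MYSAPSSO2"   # cookie name SAP uses for the logon ticket


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host domain-matches cookie_domain if equal, or if host
    ends with '.' + cookie_domain. A leading dot on the attribute is ignored."""
    host = host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # Domain attribute, or the setting host for host-only cookies
    host_only: bool    # no Domain attribute: returned only to the setting host


class Jar:
    """Minimal browser cookie store, keyed by (name, domain) like a real one,
    so two MYSAPSSO2 cookies scoped to different domains coexist."""

    def __init__(self) -> None:
        self._cookies: Dict[Tuple[str, str], Cookie] = {}

    def set_cookie(self, setting_host: str, name: str, value: str,
                   domain: Optional[str] = None) -> None:
        if domain is None:
            cookie = Cookie(name, value, setting_host.lower(), True)
        else:
            # RFC 6265 5.3: a server may only scope a cookie to a domain it
            # belongs to; the browser silently drops the cookie otherwise.
            if not domain_matches(setting_host, domain):
                return
            cookie = Cookie(name, value, domain.lstrip(".").lower(), False)
        self._cookies[(name, cookie.domain)] = cookie

    def delete_cookie(self, setting_host: str, name: str,
                      domain: Optional[str] = None) -> None:
        """Logoff = Set-Cookie with Max-Age=0. It removes only the entry with
        exactly this (name, domain); a same-named cookie under another domain
        is untouched."""
        scope = setting_host if domain is None else domain
        self._cookies.pop((name, scope.lstrip(".").lower()), None)

    def tickets_sent_to(self, host: str) -> List[str]:
        """Ticket values the browser would attach to a request to host."""
        sent = []
        for c in self._cookies.values():
            if c.host_only:
                if host.lower() == c.domain:
                    sent.append(c.value)
            elif domain_matches(host, c.domain):
                sent.append(c.value)
        return sent


def relaxed_domain() -> Jar:
    """Point 1 / last paragraph: UME relax-domain, cookie for *.company.com."""
    jar = Jar()
    jar.set_cookie("portal.intranet.company.com", TICKET,
                   "ticket-from-portal", domain=".company.com")
    return jar


def alias_in_portal_domain() -> Jar:
    """Point 2: ITS reached as its.intranet.company.com, default cookie scope."""
    jar = Jar()
    jar.set_cookie("portal.intranet.company.com", TICKET,
                   "ticket-from-portal", domain=".intranet.company.com")
    return jar


def logoff_with_its_reissue() -> Jar:
    """Point 1's logoff problem: ITS accepts the portal ticket and sets its own
    host-only MYSAPSSO2; logging off at ITS deletes only that one, so the
    portal-scoped ticket is still sent and the user is logged in again."""
    jar = relaxed_domain()
    jar.set_cookie("its.outsourced.company.com", TICKET, "ticket-from-its")
    jar.delete_cookie("its.outsourced.company.com", TICKET)   # ITS logoff
    return jar


if __name__ == "__main__":
    for label, jar in [("relax-domain", relaxed_domain()),
                       ("alias", alias_in_portal_domain()),
                       ("after ITS logoff", logoff_with_its_reissue())]:
        for host in ("its.outsourced.company.com", "its.intranet.company.com",
                     "thehacker.company.com"):
            print(f"{label:17} -> {host:28} gets {jar.tickets_sent_to(host)}")
```

Running it shows the trade-off in the answer: with the relax-domain setting the ticket reaches its.outsourced.company.com but also thehacker.company.com; with the alias only hosts under intranet.company.com get it, so an outsourced ITS under another sub-domain gets nothing; and after an ITS logoff the portal-scoped ticket is still presented. Scoping the ticket to the reverse proxy host alone (no Domain attribute) is the narrowest option.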

Similar Messages

  • Getting error in SSO from EP to R/3 system

    Hi,
    I configured SSO from EP to R/3 system. When I am checking SSO through System Administration -> Support -> SAP Application:
    choose the SAP system by alias in the drop-down list,
    enter a transaction in the Transaction code field,
    choose the Go button. Then it opens the R/3 GUI and below I am getting the error "name or password incorrect (repeat logon)". Please guide me on the same.
    Thank you

    Chinnu,
    The password for the user ID that you are using to connect to the backend system might have been changed, or the user ID has been locked.
    You need to change the user's password in the backend system or unlock the user, and then use the correct password to connect to the backend using SSO.
    Check out this:
    [Configuring SSO with User ID and Password to SAP Systems |http://help.sap.com/saphelp_nw70/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm]
    Regards,
    Karthick Eswaran

  • No Hosts Found - Technical system not well defined

    We are performing Diagnostics configuration for a managed system. We are trying to configure Solution Manager as a managed system with ABAP and Java stack.
    Though we have defined the Java instances in the following format, the system is throwing an error saying "No hosts found, Technical system is not well defined" for Solution Manager Java.
    Instance                      Server role              Server
    J2EESERVER_KRESSAPCRM_00      DISPATCHER Dispatcher    kressapcrm
    J2EESERVER_KRESSAPCRM_01      SERVER J2EE-Server       kressapcrm
    What might be the issue?
    Regards
    Shailaja

    Hi,
    All these details are entered in SMSY
    Abap stack header data:
    Message server : KRESSAPCRM
    System Number : 00
    Database : SOL
    Abap stack Instances data:
    Instance : KRESSAPCRM_SOL_00
    Server : KRESSAPCRM
    Java stack header data:
    Message server : KRESSAPCRM
    Installation Number : 0020190937
    Dispatcher : 2062900
    Database : SOL
    Java stack Instances data:
    Instance : J2EESERVER_KRESSAPCRM_00
    Server Role : J2EE server
    Server : KRESSAPCRM
    Regards
    Shailaja

  • Will SSO accept an "alias name" in the backend system through the portal?

    Hi All,
    Our issue comes here... Our client user IDs are different from the backend user IDs... let's say <b>pradeep.venkat</b> in the portal and <b>pradeep</b> in R/3. We want to use Microsoft ADS as LDAP. If I want to use SSO, definitely the user names must be the same, or I need to make a reference system.
    My question is:
    Does SSO accept an "alias name" in the backend system (<b>pradeep</b> as <b>pradeep.venkat</b>)?
    If yes, then which ITS services need to be activated?
    How do I integrate the portal with R/3 using an alias name when SSO is active?
                          <b>OR</b>
    Is there any possibility of using user names as alias names in ADS (LDAP)?
    Your suggestions are highly appreciated and will be rewarded with points.
    Has this issue occurred anywhere... with anybody?
    rgds
    pradeep

    The ADS admin can add an SAP entry to the schema which can include the user name in the different systems such as BW, R/3, etc. This can then be populated by the admin or user to include the different logons and passwords in each system. Modifying the schema is not what they like to do, but the hassle of synchronizing the users' logons to the NT logon is more than your end users can handle. I know because I had to do it once. It took months for everything to settle down. See Notes 608781 and 386762. These should explain the process.
    Please award points if this was helpful.
    Greg

  • IView N/A Component N/A check host entries for System SAP_ITS_XSS

    Hi,
    If I enter the purchasing area, with each link the same failure occurs:
    Portal Runtime Error
    An exception occurred while processing a request for :
    iView : N/A
    Component Name : N/A
    Application URL ':///sap(ZT1CNE1Oa0dZV2NVTnNGTlBrTjJOZkF3JTNEJTNENnIwcUVRM0ZVdlRJN1QwQVd3dDdRdyUzRCUzRA==)/bc/gui/sap/its/BBPSC01' is not valid! Please check the protocol and host entries for system 'SAP_ITS_XSS'..
    See the details for the exception ID in the log file.
    the url changes each time.
    can anyone help me?
    regards
    sleepy_head

    Hi,
    Please check the System Definition of SAP_ITS_XSS in SYSTEM ADMINISTRATION. In this, Please check the CONNECTOR and ITS properties.
    Please check if all the entries are fine.
    Regards,
    <i><b>Raja Sekhar</b></i>

  • Failed auto update on ASA-SSM-20 The host is not trusted. Add the host to the system's trusted TLS certificates.

    Failed auto update on ASA-SSM-20 The host is not trusted. Add the host to the system's trusted TLS certificates.
      errorMessage: WebSession::sessionTask TLS connection exception: handshake incomplete.
    Messages, like this one, in the category - TLS connection failure - were logged 1464 times in the last 21461 seconds.  name=errTransport  

    Sam,
    See the other post in the list talking about your problem, "host not trusted".
    I had the same problem and the fix was to upgrade the IPS to 7.1(9)E4 . 
    Mike

  • How to recover vm host os file system (e.g / ,/boot )

    How to recover the VM host OS file system (e.g. /, /boot) from a destroyed OS, while at the same time not impacting other images?

    Does anybody know if the source code of the scadm tool is available somewhere (OpenSolaris etc.)?
    I don't have any additional advice to offer other than asking you to try the flash update all over again, one more time, as if it were the beginning again.
    Yes, but how? The SC is not discovered anymore by Solaris:
    "rmclomv: WARNING: DP_GET_SDP_VERSION failed, ret=4"
    "The SC hardware could not be initialized."
    Can you try to flash the mainalomfw? Your log contained only the flash of the alombootfw!
    /usr/platform/`uname -i`/sbin/scadm download alommainfw
    I guess jumper JP2 allows you to recover from a failed flash by selecting the untouched half of the PROM.
    It does not work, as the SC is not responding anymore to Solaris:
    Sun Microsystems Inc. SunOS 5.10 Generic January 2005
    v210:~#
    v210:~# cd /usr/platform/`uname -i`/lib/images
    v210:/usr/platform/SUNW,Sun-Fire-V210/lib/images# /usr/platform/`uname -i`/sbin/scadm download alommainfw
    scadm: The SC hardware could not be initialized.
    v210:/usr/platform/SUNW,Sun-Fire-V210/lib/images#
    ERROR: ERROR: Unable to open the SC device.
    It's a pity that obtaining OBP/ALOM updates requires a service contract. I got a V210 recently. Unfortunately both OBP and ALOM are the initial release 4.8.2 / 1.0.
    I agree, but it's probably also because you need support in case it fails ;-)
    Thanks for your answers!

  • SSO to R3 not working after system copy

    Hi Experts,
    Recently our QA R3 client XXX was deleted and the whole system was rebuilt using a system copy of client ZZZ of R3 production. Now we had to reconfigure the SSO between the portal and QA R3 with the new client.
    But it is not working. It was found that the QA R3's own self-signed certificate shows CN=ERP (same as R3 Prod) and not ERU as it should have been. We changed the CN value to ERP in Visual Admin (Services -> Key Storage, Ticket). Still the result is the same.
    How do we re-generate the self-signed certificate in R3 with CN=ERU?
    Or is there a workaround for this problem?
    Regards
    Jimmy

    Hi Jayendra,
    Recreate the saplogonticketkeypair following the procedure outlined here:
    http://help.sap.com/saphelp_nw70/helpdata/en/75/c80b424c6cc717e10000000a155106/content.htm
    Then you can export the SAPLogonticketkeypair-cert (public key certificate) of the Java AS and import it into the target ABAP system.
    Important: the following two steps must be done in the ABAP client that will receive the logon tickets, i.e. the ABAP client that the component/application on the Java AS is configured to connect to, e.g. the client specified in the portal iView properties or the client specified in a Web Dynpro JCo destination.
    (1) Import the public-key certificate of the Java AS into the ABAP system's certificate list using transaction STRUSTSSO2.
    (2) Add the certificate to the access control list.
    When adding the certificate to the ACL, the SID should be set to the SID of the ticket-issuing Java AS and the client should be set to the client that the Java AS is writing to the logon tickets, i.e. the value of login.ticket_client in the Java AS.
    Remember, in an Add-In installation, where the system IDs are the same, you must change the default client for the J2EE Engine (000) to a client that does not exist on the SAP Web AS ABAP system, e.g. change login.ticket_client to 999.
    See: http://help.sap.com/saphelp_nw70/helpdata/en/cb/ac3d41a5a9ef23e10000000a155106/content.htm
    The reason for this change is that the system ID and client combination must be unique when tickets are to be accepted by an SAP Web AS ABAP system.
    By the way, it is better to start a new thread with your question rather than bumping a thread that was already set to 'answered'.

  • SSO to mulitple SAP GUI based systems in the Portal

    Hi Experts,
    I need to create links for multiple SAP Systems (based on the SAP GUI) in the portal and implement SSO for them. Can someone tell me where and how to place these links in the portal? Is there a standard approach for this, like a "Systems" iview or something?
    Regards,
    Shobhit

    Hi,
    So have you created 5 different systems on the portal corresponding to your backend systems:
    SAP ERP Dev
    SAP ERP Qua
    SAP ERP Prd
    SAP CRM Dev
    SAP SEM Dev
    Once you create the systems and the alias to these systems, you can create 5 iviews, one for each of these systems using SAP transaction iviews. The transaction code could be S000.
    To learn how to create systems and SAP Transaction iviews, use these links :
    <b>Creating system :</b> http://help.sap.com/saphelp_nw70/helpdata/en/ec/0fe43d19734b5ae10000000a11405a/content.htm
    <b>Editing system -> Editing SAP System properties </b> http://help.sap.com/saphelp_nw70/helpdata/en/42/11e43d19734b5ae10000000a11405a/frameset.htm
    The above links should help you create SAP systems and their aliases.
    Then you need to create SAP Transaction iviews:
    http://help.sap.com/saphelp_nw70/helpdata/en/88/266a3e54a2e946e10000000a114084/frameset.htm
    To open these iviews as a pop-up or in a new window, set the following property for each of these iviews in the property category "Drag and Relate" : Launch in New Window = Display in separate window.
    Set the <b>permission Read for Group Everyone</b> for each of these iviews.
    Hope this helps.
    Cheers,
    Sunil

  • What is the use of Host in Technical system

    Hi experts,
    While creating a Technical System, what is the use of creating a Host?
    While creating a Business System we create a Logical System. When we are creating one for an SAP system we give the client's logical system name there, but while creating one for third-party systems what is the use of it?
    While creating Technical Systems and Business Systems we have 4 radio buttons:
    Web AS ABAP
    Web AS Java
    Standalone
    Third Party
    What is the use of Standalone? When and in which scenario do we use Standalone?
    Note: valuable answers will be rewarded.
    Regards,
    Phani

    Hi
    1. Third Party: can be any technical system. For example, you want to send an XML message from a file adapter residing on your PC. You can define your PC as a 3rd-party Technical/Business System.
    2. Standalone Java: Web AS 6.40 has both Basis and Java stacks. If you installed <b>only the standalone Java stack on a server</b>, then you define a standalone Java technical system.
    Regards
    krishna

  • Allowing SSO via Hyperlink from one BO system to another

    Hi all,
    I am looking into a possible scenario where I want to allow users to open a WebI report which is owned by one BO environment within another BO system.
    In the same way that I can allow a user to open and work with a WebI report from NW Portal via an iView and with SSO, I wish to achieve the same thing by allowing a user to click on a hyperlink in a European BO system which opens a report in the APAC BO system.
    Is this possible, and what would be needed in terms of SSO set up?
    We are currently using SAP BW authentication in our BO systems and most data is via BEx/BICS
    Any suggestions gratefully received.

    If you have an OpenDocument hyperlink that contains the user name, you could set up trusted authentication using the query string.

  • LMS 4.2.4 User Tracking End Host Report The system cannot find the path specified

    Hello at all,
    I have a problem when creating a scheduled User Tracking End Host Report.
    I always get the message "The system cannot find the path specified" and the job fails.
    An immediate report is successful.
    I tried to change the "Report Publish Path" from "C:/Program Files (x86)/CSCOpx/" to "C:/PROGRA~2/CSCOpx/", but that didn't work.
    Has anybody an idea?
    Regards, Kerstin

    Share the screenshot of the following directory :
    NMSROOT\CSCOpx\campus\etc\cwsi
    In case it is blank, try following :
    1.Stop the services : net stop crmdmgtd 
    2.Take a copy of > C:/Progra~2/campus/etc/users and place it under C:/Progra~2/campus/etc/cwsi
    3.Start the services : net start crmdmgtd
    Please try and let me know the updates.
    -Thanks
    Vinod
    **Encourage Contributors. RATE them.**

  • SAP authentication and SSO into BI4 with multiple SAP systems

    We have already setup SAP authentication and SSO between ECC6 and BI4, e.g. to run CR 2011 reports with data based on ECC infosets, or BEx (operational BI on ECC). ECC is the main point of entry for users, so ECC user accounts and role imports are used in BI4.
    Now if we add BW to this, with Crystal or WebI or Analysis OLAP sourcing data from BW, can we still leverage detailed authorizations in BW on the corresponding BW user - with user accounts and role imports in BI4 still being ECC-based?

    Hi,
    Let's say the trust relationship is setup between those systems. Then the simple example is to use Enterprise authentication in BI4, and assertion tickets are issued when making requests to ECC or BW. I assume LDAP/AD authentication would work as well.
    >> You also have to setup trust between the BI 4 and ECC & between BI4 and BW. Thats part of the setup for the SSO Token Service.
    But does this scenario rule out SAP authentication or not? I was hoping that I can still logon to BI4 with an ECC-issued logon ticket, and then BI4 would nevertheless issue assertion tickets for my BW alias.
    >> And that is still possible. Setup the SSO Token Service, setup the aliases for the users. then you could logon with ECC credentials and run a BW report because the token service would then generate the token towards the BW system.
    ingo

  • Multiple dialog instances on same host for different System

    Dear Sir,
    I installed two dialog instances on the same host, one for DEV and one for QAS.
    First I installed the dialog instance for DEV and it started up with no error.
    The second dialog instance, for QAS, installed successfully, but the dispatcher cannot start.
    Service
    sapmsDEV     3600/tcp     # SAP System Message Port
    sapmsQAS     3601/tcp     # SAP System Message Port
    sapdp01s  4701/tcp  # SAP System Dispatcher Security Port
    sapgw01s  4801/tcp    # SAP System Gateway Security Port
    sapdp00       3200/tcp     # SAP System Dispatcher Port
    sapdp00s  4700/tcp # SAP System Dispatcher Security Port
    sapgw00       3300/tcp # SAP System Gateway Central Instance Port
    sapgw00s  4800/tcp # SAP System Gateway Security Port
    Disp_dev
    ***LOG Q0I=> NiPConnect2: SiPeekPendConn (10061: WSAECONNREFUSED: Connection refused) [nixxi.cpp 8716]
    ERROR => MsIAttachEx: NiBufConnect to sap-qas/sapmsQAS failed (rc=NIECONN_REFUSED) [msxxi.c      633]
    ***LOG Q0L=> DpLoopInit, nomscon () [dpxxdisp.c   1549]
    Stderr
    D:\usr\sap\QAS\D01\work>ntscmgr start MSSQLSERVER -m sap-qas
    failure: StartService, NT ErrorMessage: An instance of the service is already running. StartService SUCCESS
    D:\usr\sap\QAS\D01\work>ntscmgr start SQLSERVERAGENT -m sap-qas
    failure: StartService, NT ErrorMessage: An instance of the service is already running. StartService SUCCESS
    It seems that the first dialog instance startup already started MSSQLSERVER -m sap-dev and SQLSERVERAGENT -m sap-dev, so the next instance cannot start them again, which causes NIECONN_REFUSED.
    Could someone help me?
    Thanks
    Regards,
    Matt

    It appears to be possible, at least in IDM 7.1
    The release notes and Installation guide reference a setting called waveset.serverId that you set in your application server startup script like so:
    -Dwaveset.serverId=Name
    This would allow each JVM to identify itself differently from any others running on the same physical server.
    I haven't tried this yet myself, so caveat emptor.
    Jason

  • Sending an email to user on same domain but hosted on another system

    I need to be able to send emails to users of the same domain, but where their mailbox is hosted by a different (non-Exchange) system.
    I've attempted it but got the usual "The email address you entered couldn't be found. Please check the recipient's email address and try to resend the message. If the problem
    continues, please contact your helpdesk."
    Is there something I can set up in ECP?
    Roger

    Hi,
    Please have a look at the options mentioned below.
    Option 1:
    1. Add the recipient email address domain suffix as an authoritative domain in the accepted domain list in Exchange.
    2. If the recipient email address domain suffix is already added to the accepted domain list as an authoritative domain, then the next step is to create a mail-enabled contact for the recipient mailbox which is hosted on the non-Exchange system. Otherwise you will get an NDR which says that the recipient address is not found on the Exchange system, because the recipient email address domain suffix is added as authoritative. That means our Exchange server is responsible for sending and receiving emails for that particular domain.
    3. Then you need a send connector to send emails to the address space of the mailbox which is located on the non-Exchange system.
    Option 2:
    1. The second option would be to add the recipient domain suffix as an internal relay domain in the Exchange server's accepted domain list. In that case you don't need a mail-enabled contact for the mailbox which is hosted on the non-Exchange system.
    2. Then you need a send connector to send emails to the address space of the mailbox which is located on the non-Exchange system.
    Note: if you have either of the above options implemented but are still facing the issue, then we need to suspect the autocomplete cache in Outlook. So please clear that particular email address from the autocomplete list in Outlook and check the results. At the same time, while composing new emails, please try to select the email address from the GAL instead of choosing it from the OAB.
    Please reply if anything is unclear.
    Thanks & Regards S.Nithyanandham
