Enable SAP Logon Ticket for J2EE

1.     Launch Visual Admin and go to Server >> Services >> Security Provider >> Runtime >> Policy Configurations.

2.     Under Components, modify the Authentication template to ticket for:

• sap.com/com.sap.xi.repository*rep
• sap.com/com.sap.xi.directory*dir
• sap.com/com.sap.xi.services*run
• sap.com/com.sap.xi.rwb*rwb_mdt
• sap.com/com.sap.xi.mdt*mdt
• sap.com/com.sap.xi.rwb*rwb
• sap.com/com.sap.lcr*sld
• sap.com/com.sap.rprof.remoteProfile*exchangeProfile
• sap.com/com.sap.aii.af.app*AdapterFramework

Enable SSO for Integration Builder Web Start Applications

3.     Launch Internet Explorer and go to URL http://<XI hostname server>:<XI port#>/exchangeProfile. (e.g. http://mysapapp02:50000/exchangeProfile)

4.     Expand IntegrationBuilder and click on com.sap.aii.ib.core.sso.enabled.

5.     Ensure the value is true and save your change.

6.     Launch Internet Explorer and go to URL http://<XI hostname server>:<XI port#>/rep. (e.g. http://mysapapp02:50000/rep) to go to the Exchange Infrastructure tools page.

7.     Go to Administration, Under the Repository tab, click All Properties and click Refresh to ensure the value created in above step is set to true.

Ensuring Fully qualified hostname is used

Note: The SAP Logon Ticket is issued to the domain of the web application. Therefore, it is mandatory that the full qualified hostname is used for accessing the SAP XI applications.

8.     Launch Internet Explorer and go to URL http://<XI hostname server>:<XI port#>/exchangeProfile. (e.g. http://mysapapp02:50000/exchangeProfile)

9.     Browse the parameters on the left and ensure the below values have a fully qualified hostname and save your changes if you made changes.

• com.sap.aii.connect.cr.name
• com.sap.aii.connect.directory.name
• com.sap.aii.connect.integrationserver.name
• com.sap.aii.connect.landscape.name
• com.sap.aii.connect.repository.name
• com.sap.aii.connect.rwb.name
• com.sap.aii.ib.server.connect.webas.r3.ashost
• com.sap.aii.rwb.server.centralmonitoring.r3.ashost

10.  Launch Internet Explorer and go to URL http://<XI hostname server>:<XI port#>/rep. (e.g. http://mysapapp02:50000/rep) to go to the Exchange Infrastructure tools page.

11.  Go to Administration, Under the Repository tab, click All Properties and click Refresh to ensure the values modified in above step is set to fully qualified hostname.

12.  Launch Visual Administrator >> Server >> Services >> SAP AF CPA Cache

13.  Enter the appropriate values for:

• SLD.selfregistration.hostname (Use fully qualified hostname)
• SLD.selfregistration.httpPort (e.g. 50000)
• SLD.selfregistration.httpsPort (e.g. 50001)

14.  Save the changes and restart the service.

15.  In Visual Administrator >> Server >> Services >> Deploy >> Application restart the applications below:

• com.sap.aii.af.cpa.app
• com.sap.aii.af.app

Verify the SLD has the fully qualified hostnames

16.  Launch Internet Explorer and go to URL http://<XI hostname server>:<XI port#>/sld. (e.g. http://mysapappx02:50000/sld) to go to the Exchange Infrastructure tools page.

17.  Go to Content Maintenance, select ‘XI Adapter Framework’ .

18.  Click on the Assoc’s link for the XI Adapter Framework

19.  Click on the ‘XI Adapter Hosted HTTP Service Port ’  and click on the link ‘Basic URLs of Adapter Engine on….’ and validate that SecureURL and URL are using the fully qualified hostname.

Enable SSO from the J2EE into the ABAP

20.  Modify and activate the Instance profile for the below parameters:

• login/accept_sso2_ticket = 1
• login/create_sso2_ticket = 1
• SAPLOCALHOSTFULL = <fully qualified hostname>

21.  Launch Visual Administrator >> Server >> Services >> Configuration Adapter.

22.  On the right, go to Cluster Data >> server >> cfg >> services >> double click in Propertysheet com.sap.security.core.ume.service and change the value of the parameter ‘login.ticket.client’ to a client that does not exist (e.g. 001) and restart J2EE.

23.  Restart the Instance.

Create new J2EE Engine SAPLogonTicketKeyPair

24.  Launch Visual Administrator >> Server >> Services >> Key Storage.

25.  Select ‘TicketKeystore’ in the Runtime tab and delete both SAPLogonTicketKeyPair and SAPLogonTicketKeypair_Cert.

26.  Create a new entry called ‘SAPLogonTicketKeypair’ with the following values:

• Entry Name = SAPLogonTicketKeypair
• Country Name = US
• State = Arizona
• Locality Name = Tempe
• Organization Name = IEI
• Organization Unit Name = <SID Name>
• Common Name = <SID Name>
• Check store certificate
• Key length = 1024
• Algorithm = DSA

Then click Generate.

Export the J2EE SAPLogonTicketKeypair Certificate

27.  Launch Visual Administrator >> Server >> Services >> Key Storage.

28.  Select ‘TicketKeystore’ in the Runtime tab and highlight SAPLogonTicketKeypair_Cert and click Export with X.509 format on to the XI server with filename <SID>_J2EE_XISSO (e.g. NWX_J2EE_XISSO).

Import the J2EE Certificate to the SAP ABAP

29.  FTP the exported J2EE SSO certificate to your machine.

30.  Login to SAP and go to STRUSTSSO2, in the Certificate section click on Import Certificate and browse to the J2EE SSO certificate file to import the certificate with Binary format.

31.  Click Add to Certificate List.

32.  Click Add to ACL and enter System ID = <Command Name> (e.g. NWX) and client 001.