Skip to Content

Implementing an FPN with RRA

Implementing a Federated Portal Network on SAP NetWeaver Portal 7


In this rather longish blog I will show you how to setup a Federated Portal Network (FPN) between two NetWeaver 7 portals and use Remote Role Assignment (RRA) to bind users in the consumer portal to content provided by the producer portal.

Setup the FPN

Steps to take to setup an FPN
  • Setup trust relation between the two portal
  • Enable SSO between the portals
  • Enable content registration
  • Register content in the consumer
  • Provide content in the producer

Setup a trust relation between the two portals

In order for users from the consumer portal to be able to actually make use of content provided by the producer portal you have to setup a trust relation between the two portals. An, and this is something quite a lot of peole seem to miss in their first steps in setting up an FPN, it may also be needed to set a trust relation between the consumer portal and the ABAP stack of the producer.
In case you wonder, why you should or have to do so, imagine this:
In your HR-Portal you probably have some scenarios that make use of WebDynpro for Java, this is the easy case, and it is covered by a trust relation between the two Java stacks. But you may also have some scenarios that make use of Web Dynpro for ABAP or even some content that is provided by the ABAP stack by means of other technology such as an IAC iView with an old WebGui. So in these case, obviously, the user still gets authenticated by the consumer portal first but is then redirected directly to the ABAP stack of the producer without being routed through the Java stack of the producer and that means you need to have a trust relation between the consumer portal and your producer ABAP stack alongside with a trust relation between the two portals involved.
Setting up trust is done by exporting the LogonTicket Certificate of consumer J2EE Engine and then import it in the corresponding other system, that means in the ABAP and in the Java stack. For Content sharing modes other then RRA you must also export the LogonTicket Certificate of the producer J2EE engine and import it in the consumer.
Don’t hesitate, it’s done quite easy as the next steps show.

Export of the keys

Download the certificate from consumer and producer portal by logging on  to the portal as Administrator for Java only and J2EE_ADMIN for a doublestack installation and navigate to
-> System administration
  -> System configuration
    -> Administrate key storage
      -> Download file verify.der
I would suggest naming it according to the SI of the portal - just makes it easier to recocgnize.

Import of the keys in the Java stack

Next step is to import the certificate of the producer in the consumer and vice versa. Again logon to the portal (you are of course still logged on, are you not?) and navigate to
-> System administration
  -> System configuration
    -> Administrate key storage
      -> import trusted certificate


Import of the keys in the ABAP stack

Remember you only have to do this on the producer and you obviously have to do it with a SAPGui. Logon to the producer as ddic in client 000. Call transaction STRUSTSSO2 and open the so called System PSE – it’s the topmost of the PSE’s shown. In case there is no PSE available, which you will recocgnize by the red cross left to the name System PSE, create a new one and supply the necessary information such asa SID, organization and country (for this you have to hit the funny red and green icon next to Certificate Authority. 
In the openend System PSE you can see three areas in the right pane of the screen. In the middle is a little button called import (hover over it to see it’s tooltip with import to appear). Hit this button and provide the path to the exported key of your consumer portal. Now, after the certificate is loaded, add it to the certificate list, save and logoff.
Now, log back in BUT THIS TIME IN YOUR PRODUCTIVE CLIENT. Again call transaction STRUSTSSO2 and open the System PSE. In the PSE double click on the just imported certificate of your consumer portal and click on Add to ACL. Provide the necessary information such as SI (of your consumer portal) and Client (this is the value of the ume property ume.logon_client and should usually be 000). SAve the System PSE again and your done.

Add the consumer as a trusted system in the producer

On the producer portal call up the NetWeaver administrator (NWA) and navigate to Configuration -> Trusted Systems.
Choose Add Trusted System from certificate file and choose the certificate file you exported from the consumer portal.
Enter the data of the consumer like System ID and Client. Beware, client is the value of the UME-property ume.login_client – just in case you changed that for example on a double stack installation with a portal.
Thats it – now the producer trusts the client and we can go on and adapt the login module stack of the producer so that it accepts tickets created by the consumer.

Adapt the producers Login-Module-Stack

You only need to do that once even if you happen to have multiple server nodes in one instance!
Fire up the visual admin and navigate to
-> Cluster – Server – Services
  -> Security Provider
    -> Runtime – Policy Configuration
      -> Edit the Login Module Stack for tickets
Make sure that the following modules are available in this specific order:
Name  Flag
EvaluateTicketLoginModule SUFFICIENT {…}
BasicPasswordLoginModule REQUISITE {}
CreateTicketLoginModule OPTIONAL {}
EvaluateAssertionTicketLoginModule SUFFICIENT {}

See the 3 dots on the end of the options for the first login module EvaluateTicketLoginModule up in my list? These indicate you have to add more options here. More specifically you need to enter the Distinguished Name (DN) of the certificate of the consumer, the DN of the Certificate Authority (CA) that signed the certificate of the consumers certificate and the SAPSID and the client of the consumer. See this example:


Value (Example)
trusteddn1 DN of the certificate of consumer OU=J2EE,CN=EPD
trustediss1 DN of the CA for this certificate OU=J2EE,CN=EPD
trustedsys1 SID and Client of consumer EPD,000



If you ask yourself why you have to do this, the remember this: The consumer authenticates the user and then creates a logon ticket for her/him. This logon ticket contains a digital signature of the authenticating portal that is signed with the private key of the consumer portal and therefore contains the information like the DN, the CA and the system and client coded into the signature. So basically we are dealing with an SSL type of validation here. I will explain that in much more detail in a different blog soon. 

For now, all you should need to know is that, after all the portal that creates the SAP Logon Ticket has it’s information coded in the ticket and our producer needs to validate these in  order to do the single sign on once the user requests it’s content.
By the way, if your producer needs to trust more then one portal then just add the same information as above with a 2, 3 and so forth for each of the options.
Unfortunately with the LoginModuleStack being part of a core service you need to restart you instance now.

Configure the Producer-Consumer Relation

Set a Registration Password on the Producer

This is a security measurement and you should do so – if you not do this, anyone who knows the hostname and port is allowed to consume the content offered by this portal and you might not even be aware of this, which can lead to all sorts of issues.
Follow these steps:
  1. Logon to the Producer Portal using Internet Explorer (works only in IE) as an administrative person
  2. Navigate to System Administration -> System Configuration -> Service Configuration
  3. Unfold the Portal Catalog and look for the application
  4. Now open the node
  5. Enter your desired registration password REGISTRATION_PASSWORD. The default password is ‘password’. If you empty the field, the password gets deleted – DON’T DO THAT!
  6. Save and close the service
Now any potential consumer has to enter the registration password.

Setup the producer and consumer registration

To register the producer in the consumer, logon to the consumer portal (of course as an adminstrative person) and navigate to
-> Systemadministration
  -> Federated Portal
    -> NetWeaver content producer
      -> Add a new NetWeaver producer (right click)
Choose a speaking producer name and ID (I would suggest creating a joint and broadly valid name and ID structure for all portal elements anyway – maybe I write a blog about this too). The name and ID should reflect the fact that this is a produce, the scenario that it provides (as in is it an HR, BI or Collaboration Portal) and the SID.
Producer-Name: D1H PRO HR-Portal Development
Producer-ID: pc_D1H_PRO_hr_portal_development
Name The producer portal name D1H PRO HR-Portal Devel
ID Internal producer ID pc_D1H_PRO_hr_portal_devel
Prefix Appended to the ID de.realtech
Protocol HTTP/HTTPS https
Hostname FQDN of the producer portal
Port HTTP-Port of the producer 53000
Connection Direct or via Message Server Message Server
Security Connection with or without SSL None – not good 😉
Hostname FQDN of the producer portal
Port P4-Port 53004


After this we do a flip and register the consumer in the producer. So, while still being in the consumer portal navigate to
-> System administration
  -> Federated Portal
    -> NetWeaver Content Producer
      -> Rihjt click on  NetWeaver Producer
        -> Open it and click on Register Producer
Enter the registration password that you choose and the values of the following table:
Name Description  Value
Consumer-Name Name of the consumer as it should show up in the producer EPD CON Central Devel
Host name FQDN of the consumer
Port HTTP-Port of the consumer 50100
Connection Direct or via Message Server Message Server
Security Connection with or without SSL None – not good 😉
P4-Hostname FQDN of the consumer
Port P4-Port 50604

The result of these steps: the consumer is now registered on the producer and can consume content provided.

Set a sharing folder on the producer

When a producer is available on the consumer and the consumer is allowed to consume it’s content (remember the registration password) as default the consumer can see the producers content all from the root Portal Content Folder. If you are like me, than you probably dont’t really like this. So here is how to set a root folder from which content is to be shared on the producer:
  1. In the producer portal navigate to System Administration -> System Configuration -> Service Configuration
  2. Unfold the Portal Catalog and find the application
  3. Open AutoGenProducer1_0
  4. Enter the PCD-path to the content folder
  5. Save and close the service
You find this mentioned PCD-path when you click on the folder from you want to share your content and have a look at the details.
Restart the wsrpservice application
After the start folder is set you now need to setup some user rights.

Setting User Rights

Set a content content-admin on producer and consumer

You need a dedicated content-admin on both the producer and consumer portal to share the content and make it available. This account needs to have administration and content-administration (surprise) rights to be able to provide roles from the producer to users on the consumer:
Everyone  Group
super_admin_role  Role
content_admin_role Role
Administrator Role

Set permissions for the content on the producer

On the producer navigate to
-> Content Administration
  -> Portal Content
    -> Open user rights for this folder
Set the following permissions:
Name  Type
everyone Group read Yes No
super_admin_role Role Rights Owner Yes Yes
content_admin_role Role Read Yes Yes
Administrator Role Read/Write Yes Yes






Set permissions on the consumer

In the consumer portal navigate to
-> System Administration
  -> Permissions
    -> NetWeaver Content Producer
      -> Open the producer and choose permissions
On object level set the following permissions:
everyone Group Read Yes
super_admin_role Role Rights Owner  Yes
content_admin_role Role Read Yes
Administrator Role Read/Write  Yes



Content Sharing with Remote Role Assignment

We are done now. The only thing left is actually assign users to roles provided by the producer. So have a look, open up your consumer portal, click on user management and check for roles provided by your producer – you do remember it’s name, don’t you?
In a following blog I will tell some more about the background as this was meant as a step by step hand on guide.
Hope it was helpful,
   Christian Guenther
You must be Logged on to comment or reply to a post.
  • One thing to keep in mind with FPN is that both portals have to be visible to the client accessing the main portal(consumer). If producer is under a firewall the client will not be able to see the producer’s content as the consumer simply forwards remote data to consumer server. This was a little confusing and unknown as it seems the whole purpose of FPN is just a javascript redirection to where data is….
    • Hi Paulo,

      you are absolutely right and I did not emphasis this in here enough. I did write this in my introduction Blog to FPN that references this Guide but did not repeat it in here.

      Thanks for your comment.