
You open the PI start page, click ‘Enterprise Services Builder’, and log on.

And then there is a logon window again.

I’m tired of it. Why not Single Sign-On? Just follow the steps to make it happen.

Modify Instance Profile

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 2

icm/host_name_full = hostname.domain

Add Login Module to J2EE Engine

NetWeaver Administrator, Configuration Management, Security, Authentication:

Click Edit, add EvaluateTicketLoginModule and save.

 

Change Authentication template for the Web components

NetWeaver Administrator, Configuration Management, Security, Authentication:

Select each component and change the referenced authentication template from basic to ticket.

  • sap.com/com.sap.xi.repository*rep
  • sap.com/com.sap.xi.directory*dir
  • sap.com/com.sap.xi.services*run
  • sap.com/com.sap.xi.mdt2*mdt
  • sap.com/com.sap.xi.rwb*rwb
  • sap.com/com.sap.lcr*sld
  • sap.com/com.sap.aii.ib.rprof.app*exchangeProfile
  • sap.com/com.sap.aii.af.app*AdapterFramework

  

 

Modify PI Exchange Profile 

 

 
Note: After changing the Exchange Profile, you don't need to restart the system for PI 7.1.

   

 

Applications like Alert Configuration in Runtime Workbench are based on the ABAP application server, so we need to configure SSO between the ABAP AS and the J2EE stack. There are some additional steps:

 

  1. Export the ABAP certificate, and import it to J2EE.
  2. Export the Java certificate, and import it to ABAP.

NetWeaver Administrator, Configuration Management, Security, Certificates and Keys: 

 

Finally, restart the PI system and SSO will work.

If you didn’t change the instance profile and didn’t perform the additional steps, SSO will become effective immediately, without a restart. I have double-checked this in my systems; you can trust me.


15 Comments


  1. Tulsan Mady
    I followed your steps and after restarting the system, I logged onto PI ABAP(7.1) and executed SXMB_IFR. From there when I clicked on ESB, I still get the prompt but this with the below message.

    “Single Sign-On failed”.

    Any ideas what went wrong? I’ve double checked the settings with yours..

    Thanks

    (0) 
      1. Tulsan Mady
        Thanks for checking. I tried that one too but didn’t work. I’ll undo everything and redo the config and post the result back here.

        (0) 
    1. Abinash Nanda
      Please use the NWA useradmin tool, Role perspective, and assign all 3 ‘keystore-view.TicketKeystore’ actions to Role ‘Everyone’

      Actions:

      UME keystore-view.TicketKeystore entry-actions.all.all
      UME keystore-view.TicketKeystore property-actions.all.all
      UME keystore-view.TicketKeystore view-actions.all.all

      to the role Everyone in UME.
      (0) 
  2. Paul Hardy
    We are upgrading to the latest version of PI next week. If this means I can then follow your instructions and not have to enter my password every two seconds then that is the best news I’ve had all year. BW used to be the same i.e. entering password constantly. However since PI is predominantly intended as middleware i.e. to let different systems COMMUNICATE with each other, yet the two halves of PI cannot talk to each other without password verification, that is just embarrassing for SAP.
    (0) 
  3. Shivpal Reddy
    Did all the steps you outlined.
    1. Added 3 profile parameters.
    2. Changed the auth template to ticket for all the listed PI components.
    3. Create Login cert in j2ee VA and imported into abap.
    4. enabled sso in exchangeProfile
    5. rebooted the system.

    Still no joy. Any advice, I am using PI7.1_Ehp

    (0) 
    1. Shen Peng Post author
      Did you miss this part ‘add EvaluateTicketLoginModule to SAP J2EE Engine’?

      There is NO VA in PI 7.1x.

      (0) 
        1. Shen Peng Post author
          add EvaluateTicketLoginModule to SAP J2EE Engine

          is

          different from

          change the auth template to “ticket” for all the listed PI components
          !!!!!!!!

          (0) 
          1. Shivpal Reddy
            Sorry for the confusion, yes, I added EvaluateTicketLoginModule to SAP J2EE Engine

            On logon I get the error and the security log shows this message..

            #2.0 #2010 06 09 11:11:03:176#0-700#Warning#/System/Security#
            #BC-JAS-SEC#security#0050568D615800C60000000000000EFC#17360950000000002##com.sap.engine.services.security.authentication.loginmodule.ticket.EvaluateTicketLoginModule#J2EE_GUEST#0##68670CD5068D1006B422EA6C4ABC19F8#68670cd5068d1006b422ea6c4abc19f8#68670cd5068d1006b422ea6c4abc19f8#0#Thread[RMI/IIOP Worker [3],5,Dedicated_Application_Thread]#Java##
            Keypair for signing not found in keystore view [{0}] under alias [{1}]. Authentication stack: [{2}]. The default kestore view is [{3}]. The default keypair alias is [{4}]. Check the login module options and UME properties.#5#TicketKeystore#SAPLogonTicketKeypair#service.naming#TicketKeystore#SAPLogonTicketKeypair#

            #2.0 #2010 06 09 11:11:03:176#0-700#Info#/System/Security/Authentication#
            ###0050568D615800C60000000100000EFC#17360950000000002##com.sap.engine.services.security.authentication.logincontext.table#J2EE_GUEST#0##68670CD5068D1006B422EA6C4ABC19F8#68670cd5068d1006b422ea6c4abc19f8#68670cd5068d1006b422ea6c4abc19f8#0#Thread[RMI/IIOP Worker [3],5,Dedicated_Application_Thread]#Plain##
            LOGIN.FAILED
            User: N/A
            Authentication Stack: service.naming

            Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
            1. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   SUFFICIENT  ok          false                 false     
            2. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          exception             true       Signing key pair not found.#

            (0) 
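The security log excerpt in the comment above already names the missing piece: the `{0}`..`{4}` placeholders are filled by the arguments that trail the message, and the login module table shows which module threw. The following is an added example, not part of the original post or thread, that makes both readable. The function names are hypothetical, and the `#<count>#<arg0>#...#` argument layout is an assumption inferred from that excerpt.

```python
import re

# Constructed from the log excerpt quoted in the comment above; the column
# padding of the login module rows is collapsed to single spaces.
WARNING = (
    "Keypair for signing not found in keystore view [{0}] under alias [{1}]. "
    "Authentication stack: [{2}]. The default kestore view is [{3}]. "
    "The default keypair alias is [{4}]. Check the login module options and "
    "UME properties.#5#TicketKeystore#SAPLogonTicketKeypair#service.naming"
    "#TicketKeystore#SAPLogonTicketKeypair#"
)
STACK = [
    "1. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule SUFFICIENT ok false false",
    "2. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception true Signing key pair not found.#",
]
ROW = re.compile(r"\s*\d+\.\s+([\w.$]+)\s+(SUFFICIENT|REQUIRED|REQUISITE|OPTIONAL)\s+(.*)")
STATES = {"ok", "true", "false", "exception"}


def expand_message(line):
    """Fill {n} placeholders from the trailing '#<count>#<arg0>#...#' list (assumed layout)."""
    fields = (line[:-1] if line.endswith("#") else line).split("#")
    for i in range(1, len(fields)):
        # The count field must match the number of fields that follow it.
        if fields[i].isdecimal() and int(fields[i]) == len(fields) - i - 1:
            template, args = "#".join(fields[:i]), fields[i + 1:]
            return re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))]
                          if int(m.group(1)) < len(args) else m.group(0), template)
    return line  # no argument list found; leave the message untouched


def failed_modules(rows):
    """Return (module, flag, details) for each login module row that shows an exception."""
    failed = []
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue
        tokens = m.group(3).split()
        n = 0
        while n < len(tokens) and tokens[n] in STATES:  # status cells come first
            n += 1
        if "exception" in tokens[:n]:
            details = " ".join(tokens[n:]).rstrip("#")  # free text after the status cells
            failed.append((m.group(1).rsplit(".", 1)[-1], m.group(2), details))
    return failed


if __name__ == "__main__":
    print(expand_message(WARNING))
    for module, flag, details in failed_modules(STACK):
        print(f"{module} ({flag}): {details}")
```

Run against the excerpt, it shows that EvaluateTicketLoginModule looked for the key pair `SAPLogonTicketKeypair` in the keystore view `TicketKeystore` and did not find it.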
