Single Sign-On in Remote Scenarios
The first part of this blog series dealt with accessing one or more ABAP back end systems (see here NWBC meets Single Sign-On: Simplify Secure Data… | SCN). Part two describes how to access multiple systems by referencing one system from another via PFCG mapping.
For the following scenario no additional Java Server or Secure Login Server is needed.
You have a leading system (also your role system, let’s call it system one, SY1) but you need to execute certain applications in a remote system (SY2). Alternatively, you are using what is known as a side-by-side scenario* (see the screenshot below) to enhance transactions of older systems (e.g. by nice HTML5 charts), integrated remotely in PFCG, with a side panel that was not available before NetWeaver 7.03.
The procedure below describes a side-by-side scenario where a user calls a classic dynpro (sales order) with remote side panel content (charts, route planner). The main application runs in SY1 and the side panel content runs in SY2.
*If your SAP ERP system is based on a release older than SAP ERP 6.0 EHP6 (not older than SAP ERP ECC 6.0) and you want to avoid having to upgrade the system, you can use the side panels in a side-by-side scenario. This means that the side panels and application transactions do not run in the same physical system. The role system contains the side panel definitions, CHIPs (including the corresponding coding) and the tag table entries, based on SAP NetWeaver 7.31 and SAP Business Suite Foundation 7.31 SP03 or higher. The application system (back-end server) contains the dynpro applications and does not have to be upgraded to SAP ERP 6.0 EHP6.
Source: SAP Note 1795171
NWBC 4.0, SSO 2.0, SAP NetWeaver 7.3
- Implement SSO with Kerberos (see How-To-Videos), create your SAP GUI system connection, for example System 1, in SAP Logon.
- Set up the NWBC and SAP GUI connections as described in part one of this blog series (including SNC, Secure Network Communication).
- Define the RFC destinations used by NWBC in SM59 (see SAP NetWeaver Business Client Administration Guide -> Role Maintenance in PFCG -> Remote Systems).
- Insert remote applications in PFCG and reference the target system (see SAP NetWeaver Business Client Administration Guide -> Role Maintenance in PFCG -> Remote Systems).
Define RFC Connections in SM59
The information needed to access transactions in system SY2 is derived from SY2CLNT001. SY2CLNT001_HTTP is mainly used for accessing web-based applications.
Note: You set up these destinations for NWBC only. At runtime, RFC technology is not involved; NWBC simply evaluates a number of destination properties in order to generate navigation URLs.
Define RFC Destination for Application in Remote System (SY2CLNT001)
Tab: Technical Settings
Relevant fields: Target Host, System Number
Tab: Logon & Security
Relevant fields: Client
Note: SNC and load balancing settings are derived from the SAP GUI connection that is assigned to the NWBC connection for SY2. Define such NWBC connections for each SY2 application server (details in SAP NetWeaver Business Client End User Guide -> Configuring System Connections -> SAP GUI Logon Description).
Define RFC Destination for Application in Remote System (SY2CLNT001_HTTP)
Tab: Technical Settings
Relevant fields: Target Host (<server>.<domain>), Service No. (<port>).
To activate SSL, you can either create a destination SY2CLNT001_HTTPS, or activate it in a SY2CLNT001_HTTP connection in the “Logon & Security” settings as shown below.
Relevant fields: Client, SSL
Remote Applications in PFCG
Runtime: Single Sign-On for user, SNC for transaction, SSL for Web Dynpro Applications
Find more information in the SCN Space for SAP NetWeaver Single Sign-On.
Find more information on side panels in Julie's article: NWBC: Side Panels and Page Builder Entry Pages