Wednesday, April 1, 2009

Information about active Usage Types

The easiest way to find out which Usage Types are installed in an SAP system is to open the URL http://host:http_port/utl/UsageTypesInfo and log in with the Administrator ID and password.

Note that the Usage Types delivered with other tools - like SDM (via manual deployment of corresponding SCAs) - are not presented here.

Thursday, March 26, 2009

Installing SAP Webdispatcher

  1. Read SAP Note 538405
  2. Read SAP Help: http://help.sap.com/saphelp_nw70/helpdata/en/b4/9aa8862e714e6db8e74e48e5d3283b/frameset.htm
  3. Download the webdispatcher from http://service.sap.com/ ->Support Packages and Patches-> Entry by Application Group-> Additional Components-> SAP Kernel-> SAP Kernel 32 Bit or SAP Kernel 64 Bit-> SAP Kernel 7.01 -> Operating system platform-> Database independent ->The package is called sapwebdisp_<>-<...>.SAR, where <> indicates the patch level
  4. Create a directory /usr/sap/SID/webdisp on the server and copy the downloaded webdispatcher sapwebdisp_35-10006297.sar into it
  5. Uncar the downloaded file:
     /usr/sap/SID/SYS/exe/run/SAPCAR -xvf sapwebdisp_35-10006297.sar
  6. chown SIDadm:sapsys *
  7. Run this command to install the webdispatcher: sapwebdisp.pfl -cleanup -shm_attach_mode 4 -auto_restart -bootstrap
  8. During the installation, provide values for the parameters below:
     • Hostname of Message Server (rdisp/mshost): messageserver hostname
     • HTTP Port of Message Server (ms/http_port): 81Instance_Number
     • Unique Instance Number for SAP Web Dispatcher (SAPSYSTEM): Give a unique name
     • HTTP port number for SAP Web Dispatcher: 280_Instance_Number
     • Create configuration for s(mall), m(edium), l(arge) system (default: medium): l
  9. At the end you will see this message: SAP Web Dispatcher bootstrap ended (rc=0), *** SAP Web Dispatcher up and operational (pid: 12956) ***
  10. Then start the webdispatcher: sapwebdisp pf=sapwebdisp.pfl -checkconfig
  11. Make sure the dispatcher started:
      ps -ef | grep webdisp
      SIDadm 14561 11954 0 16:32:13 pts/2 0:00 grep sapwebdisp
      SIDadm 12956 1 0 16:26:29 pts/1 0:01 sapwebdisp pf=sapwebdisp.pfl -shm_attach_mode 6

How to start/stop SDM on UNIX

To start or stop the SDM Server of the J2EE Engine, proceed as follows:
  1. Log in as SIDadm
  2. Navigate to the /usr/sap/SID/INSTANCE_NUMBER/SDM/program directory of your J2EE Engine installation.
  3. To stop the SDM Server, execute the command: StopServer.sh password=sdm_password
  4. To start the SDM Server, execute the command: StartServer.sh

Wednesday, March 25, 2009

Creating Jco Connections in Portal

  1. Maintain the default URL of the IGS as documented in SAP note 704604. The URL should be http://host:4SN80
  2. Make sure the IGS has been installed correctly on ECC as per SAP note 454042.
  3. Access the WebDynpro Content Administrator (open a browser and point to: http://host:5SN00/irj)
  4. Navigate to Content Administration -> Web Dynpro
  5. Click the “Maintain JCo Destinations” button
  6. Click the Create link for SAP_R3_Financials_MetaData
  7. Accept the default for the J2EE cluster and click Next
  8. Make sure that “Dictionary Meta Data” is selected and click Next
  9. Select the right message server and then click Next
  10. Enter a user name and password that was defined earlier in the ECC system. Then click Next.
  11. Verify that everything looks okay, and then click Finish. The status indicator should turn to green
  12. Next, set up the SAP_R3_Financials connection
  13. Accept the default for the J2EE cluster and click Next
  14. Make sure that “Application Data” is selected and click Next
  15. Select the right message server and then click Next
  16. Select Ticket for Used Method in User Authentication. Then click Next
  17. Verify that everything looks okay, and then click Finish. The status indicator should turn to green
  18. Continue the above procedure with other connections.

Single Sign-On with Kerberos Authentication

We can use the SPNego configuration wizard to enable all users belonging to an Active Directory to log on transparently to the AS Java with Single Sign-On.
  • WebAS Java 640 SP15 or higher
  • JDK 1.4 or higher
  • Microsoft Windows Server 2000/2003 Active Directory

How to start the wizard:

1) http://host:port/spnego

2) In the SAP NetWeaver Administrator by following the path System Management -> Configuration -> SPNEGO Configuration Wizard.

Steps:

1) Create and configure a service user on the Active Directory Servers (ADS), which act as Kerberos Domain Controllers (KDC), with the properties below:

  • The password of the user must never expire.
  • The user must be enabled to use DES encryption.
2) On the ADS for each Kerberos Realm, register with the ADS service user a Service Principal Name (SPN) for every DNS name that can be used to access the AS Java with Kerberos authentication.
  • setspn -a HTTP/FQDN serviceusername
  • setspn -a HTTP/hostname serviceusername
  • Do a quick check with setspn -L to see that the settings are successful.
  • setspn -L serviceusername
  • You should get the below screen.
3) LDAP settings in Configtool
  • Log on to the Configtool and navigate to cluster-data -> UME LDAP data
  • We have to connect the J2EE UME to ADS. To do this, upload dataSourceConfiguration_ads_readonly_db_with_krb5.xml, attached to SAP Note 994791

  • Enter the data in Connection details
  • Make sure to test the connection and Test Authentication
  • Restart the J2ee system.

4) Run SPNego wizard

  • Start the SPNego wizard
  • Select the check box Service user is created and configured in Active Directory to confirm that this step is completed
  • Select the checkbox UME configuration includes SPNego specific settings to confirm that this step is completed
  • Choose Next to proceed
  • In the Kerberos Realm screen, enter the name of the Kerberos Realm or Windows Domain in the input field Realm Name.
  • Choose Add KDC to add the host address and port for the Key Distribution Center (KDC).
  • Choose Retrieve Principal to retrieve the AS Java Kerberos Principal Name (KPN), registered for the AS Java service user in the LDAP Directory. a. Enter the Service User Name. b. Enter the Service User Password.
  • Choose Type Principal to manually enter the AS Java’s KPN. a. Enter the KPN of the AS Java in Principal. b. Enter the password for the AS Java service user in Password
  • Choose Next to proceed
  • Choose the Resolution Mode to use
  • Use the Test resolution Mode functions to test the resolution of user ids from the configured domains
  • Choose Next to proceed
  • Choose the policy configuration to configure for Kerberos. a. Choose Use existing to select an existing template for Kerberos. b. Choose Create new to create a new policy configuration template.
  • Add fallback authentication mechanisms for the case when Kerberos authentication fails. a. Choose Enable Basic Password Fallback to enable the login modules for authenticating users with a user id and password as a fallback mechanism. b. Choose Enable SSO with SAP Logon Tickets to enable the login modules for authenticating users with logon tickets as a fallback mechanism
  • Choose Next to proceed
  • Review the displayed information about the Kerberos configuration changes you made. The confirmation screen shows the configuration information for each of the configured Kerberos Realms or Windows Domains.
  • Choose Finish to commit the changes. The wizard proceeds to the Final step and displays a confirmation of the changes you made.
  • Restart J2ee system.

Final Steps:

  • Logon to Visual Administrator and navigate to Server -> Services ->Security Provider, in Runtime -> Policy Configurations -> Components, select ticket.
  • Switch to Edit mode and select spnego from Authentication template
  • Select com.sun.security.jgss.accept from Components and choose Login Module com.sun.security.auth.module.Krb5LoginModule
  • Add isInitiator=false
  • Change the Internet Explorer settings to use Integrated Windows authentication and test.
  • Restart J2ee system.

TEST SSO:

Hit the URL http://host:port/irj/portal. It should not ask for a username/password.
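
For step 2 of the SPNego setup above, a check like the following confirms that both HTTP SPNs are present in saved setspn -L output before the wizard is run. It is an added example, not part of the original post; the account name svc_j2ee, the host names and the sample output are constructed, and names are compared case-insensitively.

```shell
#!/bin/sh
# Added example: verify the SPNs from step 2 against saved `setspn -L` output.
# Account name, host names and sample output below are constructed.

# Constructed sample of `setspn -L svc_j2ee` output (HTTP/portal is missing).
sample_setspn_output() {
cat <<'EOF'
Registered ServicePrincipalNames for CN=svc_j2ee,OU=Service Accounts,DC=example,DC=com:
        HTTP/Portal.Example.com
        HOST/legacy01
EOF
}

# list_spns: read `setspn -L` output on stdin and print one lower-cased SPN
# per line. SPN lines are the indented lines after the "Registered ..." header.
# Trailing carriage returns from Windows-saved files are stripped.
list_spns() {
  awk '
    /^Registered ServicePrincipalNames/ { in_list = 1; next }
    in_list && /^[ \t]+[^ \t]/ {
      gsub(/^[ \t]+|[ \t\r]+$/, "")
      print tolower($0)
    }'
}

# missing_spns FQDN HOSTNAME: read `setspn -L` output on stdin and print each
# expected HTTP SPN that is not registered. Prints nothing when both exist.
missing_spns() {
  registered=$(list_spns)
  for name in "$1" "$2"; do
    want=$(printf 'http/%s' "$name" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$registered" | grep -qxF -- "$want" \
      || printf 'HTTP/%s\n' "$name"
  done
}

# Demo on the constructed sample: reports the SPN that still has to be added.
sample_setspn_output | missing_spns portal.example.com portal
```

Each name printed is one that still needs a setspn -a call from step 2; empty output means both SPNs are registered on the service user.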