Wednesday, March 25, 2009

Enable Debug mode in J2EE System

To enable debug in J2EE, launch the J2EE Config Tool via usr/sap/SID/JC/j2ee/configtool/configtool.sh. Then click on Instance and, in the right pane, navigate to the Servers Debug tab. There, select the Debuggable tick box as well as the Enable Debug Mode tick box below it.

Sample Login Module Stacks for Using Logon Tickets

Sample Login Module Stack for Creating Logon Tickets

When processing the following login module stack, the server will issue the user a logon ticket after successful authentication using the Basic Authentication mechanism (user ID and password).

Login Modules                 Flag
BasicPasswordLoginModule      OPTIONAL
CreateTicketLoginModule       SUFFICIENT

Sample Login Module Stack for Accepting Logon Tickets

When processing the following login module stack, the server will accept a user’s logon ticket. If the user does not possess a valid logon ticket, then the server reverts to using Basic Authentication.

Login Modules                 Flag
EvaluateTicketLoginModule     SUFFICIENT
BasicPasswordLoginModule      SUFFICIENT

Sample Login Module Stack for Creating and Accepting Logon Tickets

When processing the following login module stack, the server will revert to authentication using Basic Authentication if the user does not possess a valid logon ticket. After successful authentication, the server then issues a logon ticket to the user. This is the login module stack provided with the ticket component.

Login Modules                 Flag
EvaluateTicketLoginModule     SUFFICIENT
BasicPasswordLoginModule      REQUISITE
CreateTicketLoginModule       OPTIONAL
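How the flags decide the outcome of the three stacks above, as an added example that is not part of the original post and not SAP code: a simplified model of the standard JAAS control flags. It assumes CreateTicketLoginModule succeeds only when an earlier module in the same pass has authenticated the user; the names STACKS and run_stack are made up for the example.

```python
# Simplified model of JAAS control flags; illustration only, not SAP code.
# Assumption: CreateTicketLoginModule succeeds only if an earlier module in
# the same pass authenticated the user.
STACKS = {
    "create": [("BasicPasswordLoginModule", "OPTIONAL"),
               ("CreateTicketLoginModule", "SUFFICIENT")],
    "accept": [("EvaluateTicketLoginModule", "SUFFICIENT"),
               ("BasicPasswordLoginModule", "SUFFICIENT")],
    "create_and_accept": [("EvaluateTicketLoginModule", "SUFFICIENT"),
                          ("BasicPasswordLoginModule", "REQUISITE"),
                          ("CreateTicketLoginModule", "OPTIONAL")],
}

def run_stack(stack, valid_ticket, valid_password):
    """Return (authenticated, ticket_issued, modules_invoked)."""
    user_known = ticket_issued = False
    mandatory_seen = mandatory_failed = any_success = False
    invoked = []
    for module, flag in stack:
        invoked.append(module)
        if module == "EvaluateTicketLoginModule":
            ok = valid_ticket
        elif module == "BasicPasswordLoginModule":
            ok = valid_password
        else:  # CreateTicketLoginModule: needs an authenticated user
            ok = ticket_issued = user_known
        user_known = user_known or ok
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE"):
            mandatory_seen = True
            mandatory_failed = mandatory_failed or not ok
            if flag == "REQUISITE" and not ok:
                break  # REQUISITE failure ends the stack at once
        elif flag == "SUFFICIENT" and ok and not mandatory_failed:
            break  # SUFFICIENT success skips the remaining modules
    if mandatory_seen:
        authenticated = not mandatory_failed
    else:  # no REQUIRED/REQUISITE ran: one other module must succeed
        authenticated = any_success
    return authenticated, ticket_issued and authenticated, invoked

if __name__ == "__main__":
    for name, stack in STACKS.items():
        for ticket, password in [(True, False), (False, True), (False, False)]:
            print(name, ticket, password, run_stack(stack, ticket, password))
```

In the combined stack a valid ticket ends processing at the first module, so no new ticket is issued on that request; a new ticket is created only on the password path.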

Configuring the J2EE Engine to Accept Logon Tickets

The J2EE Engine uses EvaluateTicketLoginModule to accept logon tickets for SSO. After receiving the logon ticket from the user’s Web browser, the J2EE Engine verifies the ticket signature based on the established trust relationship with the issuing system. Based on the ticket validity, the J2EE Engine authenticates the user. If you use authentication assertion tickets for SSO between the AS ABAP and the J2EE Engine, the corresponding module is EvaluateAssertionTicketLoginModule.
To check the validity of a user’s logon ticket, the J2EE Engine must be able to verify the issuing server’s digital signature.
  • If the J2EE Engine is both the ticket-issuing server as well as the accepting server, then it can automatically verify its own digital signature.
  • If the ticket-issuing server is a different one, then this server’s public-key certificate must be available in the keystore view that the J2EE Engine uses for verifying logon tickets.

Open the SSO wizard by following the path System Management -> Configuration -> Trusted Systems. There are two ways to add a trusted system.

1) Add a Trusted System by connecting to it.
  • In the Trusted Systems section, choose Add Trusted System -> By Querying Trusted System.
  • The System Landscape Directory (SLD) opens automatically and lets you select the system you want to add. Select the system and choose OK. The connection details for the selected system are displayed automatically.
  • Enter your user name and password in the provided fields and choose Next.
  • The details about the selected system’s certificate appear. To add the system, choose Finish. If you want to make changes, choose Back.
2) Adding a Trusted System by Manually Uploading its Certificate.
  • Export the ticket issuing Trusted System certificate.
  • In the Trusted Systems section, choose Add Trusted System -> By Uploading Certificate Manually.
  • Enter the System ID and Client in the provided fields.
  • Browse to the location of the system’s certificate. Select the certificate and choose Open.
  • Choose Next. The information about the system and the certificate is displayed. To add the system as trusted, choose Finish. If you want to make changes, choose Back.

Add the login module EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) to the login module stacks for the J2EE Engine policy configurations of the application components that accept login tickets for SSO. To do this, use the Security Provider Service of the Visual Administrator.

  • In the Security Provider Service choose Runtime -> Policy Configurations -> Authentication tab.
  • Select the policy configuration for the application component to accept logon tickets from the Components list.
  • Choose the Switch to edit mode button.
  • Choose Add New. The list of available login modules for the component appears.
  • Choose the EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) from the list and choose OK.

After you complete the wizard, the ticket-issuing system is shown in the Trusted Systems list. The J2EE Engine accepts logon tickets that have been issued by the corresponding server.

Deploying SSO wizard for SAP Netweaver 7.0 SP13 or lower

To deploy the SSO wizard for SAP Netweaver 7.0 SP13 or lower, check SAP Note 1083421. Once you have deployed the SDA files from the above note, the SSO2 wizard is accessible at http://:/sso2

For SAP Netweaver SP14 or higher, we can access the SSO wizard by following the path System Management -> Configuration -> Trusted Systems.

Unicode Conversion troubleshooting guide

I found a good SAP note with checklists and a troubleshooting guide attached for when problems or errors occur during conversion from a non-Unicode SAP System to a Unicode SAP System. Have a look at SAP Note 765475.