Deprecated
This page is now deprecated.
Please refer to the new location: SAP Host Agent
These instructions explain how to configure deployment of an SDA, and access to the deployed SDA, using SSO certificates.
sso_admin_user
The profile parameter service/sso_admin_user_XX is NOT necessary in the cases described below.
Create Configuration File
Create the settings file in the location:
- Windows: "C:\Program Files\SAP\hostctrl\exe\config.d\http.server.settings"
- Unix: /usr/sap/hostctrl/exe/config.d/http.server.settings
On Unix, the owner of the file "http.server.settings" must be root or sapadm, and the file must not be writable by group or others. Otherwise the settings file is ignored.
Configure SSO deployment
URL: /SMDAgent/deploy { authentication { DN : "CN=xyz.sap.corp, O=SAP AG, C=DE" } }
This configuration allows the SSO-distinguished name "CN=xyz.sap.corp, O=SAP AG, C=DE" to deploy the SDA via the URL "/SMDAgent/deploy".
Multiple SSO-distinguished names can be specified as a comma-separated list. Multiple "DN : " entries are also allowed.
For example, the following configurations are equivalent:
URL: /SMDAgent/deploy { authentication { DN : "CN=xyz.sap.corp, O=SAP AG, C=DE" DN : "CN=abc.sap.corp, O=SAP AG, C=DE" } }
URL: /SMDAgent/deploy { authentication { DN : "CN=xyz.sap.corp, O=SAP AG, C=DE", "CN=abc.sap.corp, O=SAP AG, C=DE" } }
Configure SSO Access to SDA
URL: /lmsl/sda { authentication { DN : "CN=xyz.sap.corp, O=SAP AG, C=DE" } }
This configuration allows the SSO-distinguished name "CN=xyz.sap.corp, O=SAP AG, C=DE" to access the SDA.
As with the SSO deployment configuration, multiple SSO-distinguished names can be specified as a comma-separated list, and multiple "DN : " entries can be specified.
An example settings file may look like this:
URL: /SMDAgent/deploy { authentication { DN : "CN=abc.sap.corp, O=SAP AG, C=DE" } }
URL: /lmsl/sda { authentication { DN : "CN=abc.sap.corp, O=SAP AG, C=DE" } }
The SSO configuration is now finished.
The settings can be activated without restarting SAP HostAgent by calling the Webservice "ReloadConfiguration".
- <sha-dir>/saphostctrl -function ReloadConfiguration
Additional Configurations
Alternatively, an "include" setting can be specified:
URL: /lmsl/sda { authentication { include : /SMDAgent/deploy } }
This configuration includes the authentication setting from URL "/SMDAgent/deploy".
In addition to SSO-distinguished names, usernames and groups can also be specified.
URL: /lmsl/sda
{
   authentication
   {
      DN : "CN=abc.sap.corp, O=SAP AG, C=DE"
      username: abcadm, myuser
      group: sapsys, mygroup
   }
}
In this configuration the SSO DN "CN=abc.sap.corp, O=SAP AG, C=DE", the users "abcadm" and "myuser", and all members of the groups "sapsys" and "mygroup" have access to the URL /lmsl/sda.
Different Deployment and Access DNs
It is also possible to specify different SSO-distinguished names for the deployment and access to the SDA.
When doing so, it is recommended to disable the automatic start of the SDA after deployment, because the automatic start may cause deployment errors.
A possible configuration may look like this:
URL: /SMDAgent/deploy
{
   authentication
   {
      DN : "CN=abc.sap.corp, O=SAP AG, C=DE"
   }
   start: no
}
URL: /lmsl/sda
{
   authentication
   {
      DN : "CN=xyz.sap.corp, O=SAP AG, C=DE"
   }
}
The SSO DN "CN=abc.sap.corp, O=SAP AG, C=DE" is able to deploy the SDA and it will not be started after deployment.
The SSO DN "CN=xyz.sap.corp, O=SAP AG, C=DE" is able to access the SDA.
The SDA will be started automatically on access if it is not running.
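An added example (not SAP's code and not part of the original page): a small Python audit of a settings file that lists which DNs, users and groups each URL admits, follows "include" entries, and flags the case described above where deployment and access DNs differ but "start: no" is missing. The parser handles only the constructs shown on this page; the function names are hypothetical, and treating an absent "start" entry as automatic start is an assumption.

```python
import re
TOKEN = re.compile(r'"[^"]*"|[{}:,]|[^\s{}:,"]+')  # quoted string | punctuation | bare word
KEYS = ("DN", "username", "group", "include", "start")

def parse_settings(text):
    """Return {url: {key: [values]}} for the constructs shown on this page."""
    toks = TOKEN.findall(text)
    rules, url, key, depth = {}, None, None, 0
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth, key = depth - 1, None
        elif tok in (":", ","):
            continue
        elif nxt == ":":                    # a word followed by ':' is a key
            key = tok
        elif key == "URL" and depth == 0:   # value of a top-level URL entry
            url = tok
            rules[url] = {k: [] for k in KEYS}
        elif url and key in KEYS:
            rules[url][key].append(tok.strip('"'))
    return rules

def principals(rules, url, seen=()):
    """DNs, users and groups admitted on url, following 'include' entries."""
    if url not in rules or url in seen:     # unknown target or include cycle
        return {"DN": set(), "username": set(), "group": set()}
    out = {k: set(rules[url][k]) for k in ("DN", "username", "group")}
    for inc in rules[url]["include"]:
        for k, v in principals(rules, inc, seen + (url,)).items():
            out[k] |= v
    return out

def autostart_warning(rules, deploy="/SMDAgent/deploy", access="/lmsl/sda"):
    """True when deploy and access DNs differ and 'start: no' is not set."""
    differ = principals(rules, deploy)["DN"] != principals(rules, access)["DN"]
    return differ and rules.get(deploy, {}).get("start") != ["no"]

# Constructed sample combining the page's examples.
SAMPLE = '''
URL: /SMDAgent/deploy { authentication { DN : "CN=abc.sap.corp, O=SAP AG, C=DE" } start: no }
URL: /lmsl/sda { authentication { DN : "CN=xyz.sap.corp, O=SAP AG, C=DE" username: abcadm, myuser group: sapsys, mygroup } }
'''

if __name__ == "__main__":
    parsed = parse_settings(SAMPLE)
    print({u: principals(parsed, u) for u in parsed}, autostart_warning(parsed))
```

Run it against a copy of http.server.settings before calling ReloadConfiguration to review who will be able to deploy and who will be able to access the SDA.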