
 

These instructions explain how to configure deployment of the SDA, and access to the deployed SDA, using SSO certificates.

sso_admin_user

The profile parameter service/sso_admin_user_XX is NOT necessary in the cases described below.

 

Create Configuration File

Create the settings file in the location:

  • Windows: "C:\Program Files\SAP\hostctrl\exe\config.d\http.server.settings"
  • Unix: /usr/sap/hostctrl/exe/config.d/http.server.settings

On Unix, the file "http.server.settings" must be owned by root or sapadm and must not be writable by group or others. Otherwise the settings file is ignored.
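
The ownership and permission rule above can be checked before the configuration is reloaded. The shell function below is an added example, not part of the original page or of SAP's tooling; the function name check_settings_file and the ALLOWED_OWNERS override are assumptions introduced here.

```shell
#!/bin/sh
# Added example: pre-flight check for http.server.settings on Unix.
# Usage: check_settings_file /usr/sap/hostctrl/exe/config.d/http.server.settings
#
# The default owner list follows the page (root or sapadm). The override
# is an assumption of this example so the check can be tried on a scratch file.
ALLOWED_OWNERS="${ALLOWED_OWNERS:-root sapadm}"

# Returns 0 if the file meets the rule, 1 if it would be ignored, 2 if missing.
check_settings_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "MISSING: $f" >&2
        return 2
    fi
    # POSIX ls -l output: field 1 is the mode string, field 3 the owner.
    # -L evaluates the target if the path is a symlink.
    set -- $(ls -ldL "$f")
    mode="$1"
    owner="$3"
    rc=0
    case " $ALLOWED_OWNERS " in
        *" $owner "*) ;;
        *)
            echo "IGNORED: $f is owned by '$owner', expected one of: $ALLOWED_OWNERS" >&2
            rc=1
            ;;
    esac
    # Mode string layout is -rwxrwxrwx: char 6 is group write, char 9 is other write.
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "IGNORED: $f is writable by group/others ($mode); fix with: chmod go-w" >&2
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $f (owner $owner, mode $mode)"
    fi
    return "$rc"
}
```

A non-zero return means the settings file would be ignored, so the URL authentication rules in it would not take effect.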

 

Configure SSO deployment
URL: /SMDAgent/deploy {
	authentication {
		DN : "CN=xyz.sap.corp, O=SAP AG, C=DE"
	}
}

This configuration allows the SSO distinguished name "CN=xyz.sap.corp, O=SAP AG, C=DE" to deploy the SDA via the URL "/SMDAgent/deploy".
Multiple SSO distinguished names can be specified as a comma-separated list. Multiple "DN : " entries are also allowed.

For example, the following configurations are equivalent:

URL: /SMDAgent/deploy {
	authentication {
		DN : "CN=xyz.sap.corp, O=SAP AG, C=DE"
		DN : "CN=abc.sap.corp, O=SAP AG, C=DE"
	}
}

URL: /SMDAgent/deploy {
	authentication {
		DN : "CN=xyz.sap.corp, O=SAP AG, C=DE", "CN=abc.sap.corp, O=SAP AG, C=DE"
	}
}

 


Configure SSO Access to SDA
URL: /lmsl/sda {
	authentication {
		DN : "CN=xyz.sap.corp, O=SAP AG, C=DE"
	}
}

This configuration allows the SSO distinguished name "CN=xyz.sap.corp, O=SAP AG, C=DE" to access the SDA.
As with the SSO deployment configuration, multiple SSO distinguished names can be specified as a comma-separated list, and multiple "DN : " entries can be specified.

An example settings file may look like this:

URL: /SMDAgent/deploy {
	authentication {
		DN : "CN=abc.sap.corp, O=SAP AG, C=DE"
	}
}
URL: /lmsl/sda {
	authentication {
		DN : "CN=abc.sap.corp, O=SAP AG, C=DE"
	}
}

The SSO configuration is now finished.

The settings can be activated without restarting SAP HostAgent by calling the web service "ReloadConfiguration":

  • <sha-dir>/saphostctrl -function ReloadConfiguration

 

Additional Configurations

Alternatively, an "include" setting can be specified:

URL: /lmsl/sda {
	authentication {
		include : /SMDAgent/deploy
	}
}

This configuration includes the authentication setting from URL "/SMDAgent/deploy".

In addition to SSO distinguished names, usernames and groups can also be specified.

URL: /lmsl/sda {
	authentication {
		DN : "CN=abc.sap.corp, O=SAP AG, C=DE"
		username: abcadm, myuser
		group: sapsys, mygroup
	}
}

In this configuration, the SSO DN "CN=abc.sap.corp, O=SAP AG, C=DE", the users "abcadm" and "myuser", and all members of the groups "sapsys" and "mygroup" have access to the URL /lmsl/sda.

Different Deployment and Access DNs

It is also possible to specify different SSO distinguished names for deployment of and access to the SDA.
When doing so, it is recommended to disable the automatic start of the SDA after deployment, because the automatic start may cause deployment errors.

A possible configuration may look like this:

URL: /SMDAgent/deploy {
	authentication {
		DN : "CN=abc.sap.corp, O=SAP AG, C=DE"
	}
	start: no
}
URL: /lmsl/sda {
	authentication {
		DN : "CN=xyz.sap.corp, O=SAP AG, C=DE"
	}
}

The SSO DN "CN=abc.sap.corp, O=SAP AG, C=DE" is able to deploy the SDA and it will not be started after deployment.
The SSO DN "CN=xyz.sap.corp, O=SAP AG, C=DE" is able to access the SDA.
On access the SDA will be started automatically if it is not running.

 
