These instructions explain how to configure the deployment of SDA and access to the deployed SDA using SSO certificates.
The profile parameter service/sso_admin_user_XX is NOT necessary in the cases described below.
Create Configuration File
Create the settings file in the location:
- Windows: "C:\Program Files\SAP\hostctrl\exe\config.d\http.server.settings"
- Unix: /usr/sap/hostctrl/exe/config.d/http.server.settings
On Unix, the owner of file "http.server.settings" must be root or sapadm and the file must not be writable for group/others. Otherwise the settings file is ignored.
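The Unix ownership and permission rule above can be audited with a small shell function. This is an added example, not part of the original instructions or of SAP's tooling; the function name check_settings_file and its optional owner-list argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not SAP code): report whether a settings file meets the
# owner/mode rule stated above, i.e. whether it would be ignored.
# Usage: check_settings_file FILE [ALLOWED_OWNERS]
# ALLOWED_OWNERS is a hypothetical override; default is "root sapadm".
check_settings_file() {
    file=$1
    allowed=${2:-"root sapadm"}
    status=0

    if [ ! -f "$file" ]; then
        echo "MISSING: $file"
        return 1
    fi

    # ls -ld is parsed instead of stat(1), whose options differ per platform.
    info=$(ls -ld -- "$file" | awk '{print $1, $3}')
    mode=${info%% *}     # e.g. -rw-r--r--
    owner=${info#* }

    owner_ok=no
    for name in $allowed; do
        if [ "$owner" = "$name" ]; then owner_ok=yes; fi
    done
    if [ "$owner_ok" = no ]; then
        echo "IGNORED: owner is '$owner', expected one of: $allowed"
        status=1
    fi

    # Character 6 of the mode string is group write, character 9 is other write.
    case $mode in
        ?????w*) echo "IGNORED: file is group-writable ($mode)"; status=1 ;;
    esac
    case $mode in
        ????????w*) echo "IGNORED: file is world-writable ($mode)"; status=1 ;;
    esac

    if [ "$status" -eq 0 ]; then echo "OK: $file ($mode, owner $owner)"; fi
    return "$status"
}

# Run against the path given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_settings_file "$1"
fi
```

Run it with the Unix settings file path as the only argument; a non-zero exit status means at least one condition that causes the file to be ignored was found.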
Configure SSO deployment
This configuration allows the SSO distinguished name "CN=xyz.sap.corp, O=SAP AG, C=DE" to deploy the SDA via the URL "/SMDAgent/deploy".
Multiple SSO distinguished names can be specified as a comma-separated list. Multiple "DN : " entries are also allowed.
For example, the following configurations are equivalent:
Configure SSO Access to SDA
This configuration allows the SSO distinguished name "CN=xyz.sap.corp, O=SAP AG, C=DE" to access the SDA.
As with the SSO deployment configuration, multiple SSO distinguished names can be specified as a comma-separated list, and multiple "DN : " entries can be specified.
An example settings file may look like this:
The SSO configuration is now finished.
The settings can be activated without restarting SAP HostAgent by calling the Webservice "ReloadConfiguration".
- <sha-dir>/saphostctrl -function ReloadConfiguration
Alternatively, an "include" setting can be specified:
This configuration includes the authentication setting from URL "/SMDAgent/deploy".
In addition to SSO distinguished names, usernames and groups can also be specified.
In this configuration the SSO DN "CN=abc.sap.corp, O=SAP AG, C=DE", the users "abcadm" and "myuser", and all members of the groups "sapsys" and "mygroup" have access to the URL /lmsl/sda.
Different Deployment and Access DNs
It is also possible to specify different SSO distinguished names for the deployment and access to the SDA.
When doing so, it is recommended to disable the automatic start of the SDA after the deployment, because this may cause deployment errors.
A possible configuration may look like this:
The SSO DN "CN=abc.sap.corp, O=SAP AG, C=DE" is able to deploy the SDA and it will not be started after deployment.
The SSO DN "CN=xyz.sap.corp, O=SAP AG, C=DE" is able to access the SDA.
On access the SDA will be started automatically if it is not running.