
Introduction

Here I will show you how to set up a Federated Portal Network (FPN) between two NetWeaver 7 portals and use Remote Role Assignment (RRA) to bind users in the consumer portal to content provided by the producer portal.

Set up the FPN

Steps to take to set up an FPN
  • Set up a trust relation between the two portals
  • Enable SSO between the portals
  • Enable content registration
  • Register content in the consumer
  • Provide content in the producer
Set up a trust relation between the two portals

In order for users from the consumer portal to be able to actually make use of content provided by the producer portal, you have to set up a trust relation between the two portals. And, and this is something quite a lot of people seem to miss in their first steps in setting up an FPN, it may also be necessary to set up a trust relation between the consumer portal and the ABAP stack of the producer.
 
In case you wonder why you should or have to do so, imagine this:
In your HR portal you probably have some scenarios that use Web Dynpro for Java. This is the easy case, and it is covered by a trust relation between the two Java stacks. But you may also have scenarios that use Web Dynpro for ABAP, or content that is served by the ABAP stack through other technology, such as an IAC iView with the old WebGUI. In these cases the user is still authenticated by the consumer portal first, but is then redirected directly to the ABAP stack of the producer without passing through the Java stack of the producer. The producer's ABAP stack therefore has to accept logon tickets issued by the consumer itself, which means you need a trust relation between the consumer portal and the producer ABAP stack alongside the trust relation between the two portals.

Setting up trust is done by exporting the logon ticket certificate of the consumer J2EE Engine and importing it into the other system, that is into both the Java stack and the ABAP stack of the producer. For content sharing modes other than RRA you must also export the logon ticket certificate of the producer J2EE Engine and import it into the consumer.
 
Don't hesitate, it's done quite easily, as the next steps show.

Export of the keys

Download the certificate from the consumer and the producer portal by logging on to the portal as Administrator (Java-only installation) or J2EE_ADMIN (double-stack installation) and navigate to
-> System administration
-> System configuration
-> Administrate key storage
-> Download file verify.der

I would suggest naming the file after the SID of the portal, as that makes it easier to recognize.

Import of the keys in the Java stack

The next step is to import the certificate of the producer into the consumer and vice versa. Again log on to the portal (you are of course still logged on, are you not?) and navigate to
-> System administration
-> System configuration
-> Administrate key storage
-> import trusted certificate

Import of the keys in the ABAP stack

Remember that you only have to do this on the producer, and you obviously have to do it with SAP GUI. Log on to the producer as DDIC in client 000. Call transaction STRUSTSSO2 and open the so-called System PSE; it is the topmost of the PSEs shown. In case there is no PSE available, which you will recognize by the red cross left of the name System PSE, create a new one and supply the necessary information such as SID, organization and country (for this you have to hit the red and green icon next to Certificate Authority).
 
In the opened System PSE you can see three areas in the right pane of the screen. In the middle is a little button called Import (hover over it to see its tooltip). Hit this button and provide the path to the exported certificate of your consumer portal. Now, after the certificate is loaded, add it to the certificate list, save and log off.
 
Now, log back in, BUT THIS TIME IN YOUR PRODUCTIVE CLIENT. Again call transaction STRUSTSSO2 and open the System PSE. In the PSE double-click on the just imported certificate of your consumer portal and click on Add to ACL. Provide the necessary information such as the SID of your consumer portal and the client (this is the value the consumer writes into its tickets, controlled by the UME property login.ticket_client, and is usually 000). If the SID or client in the ACL entry does not match what the ticket carries, the ABAP stack rejects the ticket even though the certificate is trusted. Save the System PSE again and you're done.

Add the consumer as a trusted system in the producer

On the producer portal call up the NetWeaver administrator (NWA) and navigate to Configuration -> Trusted Systems.

Choose Add Trusted System from certificate file.

Enter the data of the consumer, such as System ID and Client. Beware: the client is the value of the UME property login.ticket_client of the consumer; check it in case you changed it, for example on a double-stack installation with a portal.

That's it. Now the producer trusts the consumer, and we can go on and adapt the login module stack of the producer so that it accepts tickets created by the consumer.

Adapt the producer's login module stack

You only need to do this once, even if you happen to have multiple server nodes in one instance!

Fire up the Visual Administrator and navigate to
-> Cluster - Server - Services
-> Security Provider
-> Runtime - Policy Configuration
-> Edit the login module stack for ticket

Make sure that the following modules are available in this specific order:

Name                                Flag        Option
EvaluateTicketLoginModule           SUFFICIENT  {ume.configuration.active=true...}
BasicPasswordLoginModule            REQUISITE   {}
CreateTicketLoginModule             OPTIONAL    {ume.configuration.active=true}
EvaluateAssertionTicketLoginModule  SUFFICIENT  {}

See the three dots at the end of the options for the first login module, EvaluateTicketLoginModule, in the list above? They indicate that you have to add more options here. More specifically you need to enter the Distinguished Name (DN) of the consumer's certificate, the DN of the Certificate Authority (CA) that issued the consumer's certificate, and the SID and client of the consumer. See this example:

Name         Description                                 Value (example)
trusteddn1   DN of the consumer's certificate            OU=J2EE,CN=EPD
trustediss1  DN of the CA that issued this certificate   OU=J2EE,CN=EPD
trustedsys1  SID and client of the consumer              EPD,000

If you ask yourself why you have to do this, remember: the consumer authenticates the user and then issues a logon ticket for him or her. The ticket carries the ID and client of the issuing system and a digital signature created with the private key of the consumer portal. The producer verifies that signature with the certificate you imported and then checks that the certificate's DN, the DN of its issuer, and the system and client in the ticket match one of the trusted entries configured here. So what we are dealing with is a signature check against a pinned certificate, quite similar to certificate validation in SSL. I will explain that in much more detail in a different blog soon.

For now, all you need to know is that the portal that creates the SAP logon ticket has its identity encoded in the ticket, and our producer needs to validate it in order to perform the single sign-on once the user requests its content.

By the way, if your producer needs to trust more than one portal, just add the same three options again with the suffix 2, 3 and so forth for each additional consumer.

Unfortunately, since the login module stack is part of a core service, you need to restart your instance now.
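Most FPN single sign-on failures come from exactly these three options: a DN typed by hand that differs from the certificate, or a client in trustedsysN that differs from what the consumer writes into its tickets. The following script is an added example, not part of the original page and not SAP code. Using only the Python standard library, it reads the DER-encoded verify.der you exported from the consumer, extracts the subject and issuer DN as they are encoded in the certificate, derives the trusteddnN / trustedissN / trustedsysN options, and models the lookup the producer performs across several numbered entries (the signature check itself is not modelled). Assumptions: the file is a DER X.509 certificate, its attribute values are PrintableString or UTF8String, and the DN is emitted in encoding order; if the Key Storage view of the portal prints the DN in a different order or spelling, use the portal's spelling. The certificate built by build_sample_cert is constructed here as stand-in input and is unsigned; the property name login.ticket_client is the consumer's UME setting for the ticket client.

```python
"""Derive the EvaluateTicketLoginModule options (trusteddnN / trustedissN / trustedsysN)
from a consumer's exported verify.der and model the producer's trust lookup.  Added
example, standard library only, not SAP code; it reads just the issuer and subject
Name fields of the certificate and verifies no signature."""

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.11": "OU", "2.5.4.10": "O", "2.5.4.6": "C"}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the content octets of a constructed type into (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out

def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def _name_to_string(name):
    """Name = SEQUENCE OF SET OF SEQUENCE {OID, value}, emitted in encoding order;
    attribute values are assumed to be PrintableString or UTF8String."""
    parts = []
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)[:2]
            dotted = _decode_oid(oid)
            parts.append(f"{OID_NAMES.get(dotted, dotted)}={val.decode('utf-8')}")
    return ",".join(parts)

def extract_dns(der):
    """Return (subject DN, issuer DN) of a DER-encoded X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM file instead of verify.der?)")
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # optional EXPLICIT [0] version
        fields = fields[1:]
    # now: serialNumber, signature AlgorithmIdentifier, issuer, validity, subject, ...
    return _name_to_string(fields[4][1]), _name_to_string(fields[2][1])

def ticket_trust_options(der, sid, client, index=1):
    """One numbered option set per trusted consumer; client is its login.ticket_client."""
    subject, issuer = extract_dns(der)
    return {f"trusteddn{index}": subject, f"trustediss{index}": issuer,
            f"trustedsys{index}": f"{sid},{client}"}

def ticket_issuer_trusted(options, subject, issuer, sid, client):
    """Trust lookup as the page describes it: signer DN, signer's issuer DN and issuing
    system/client must all match the same numbered entry (signature check not modelled)."""
    n = 1
    while f"trusteddn{n}" in options:
        if (options[f"trusteddn{n}"] == subject and options.get(f"trustediss{n}") == issuer
                and options.get(f"trustedsys{n}") == f"{sid},{client}"):
            return True
        n += 1
    return False

# --- constructed sample input: stands in for verify.der, not a real certificate ---
RSA_SHA256, RSA = bytes.fromhex("2a864886f70d01010b"), bytes.fromhex("2a864886f70d010101")

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _encode_oid(dotted):                    # enough for the single-byte arcs of 2.5.4.x
    a = [int(x) for x in dotted.split(".")]
    return bytes([40 * a[0] + a[1]] + a[2:])

def build_sample_cert(rdns):
    """Minimal unsigned, self-signed DER certificate whose name is [(attr, value), ...]."""
    by_short = {v: k for k, v in OID_NAMES.items()}
    name = _tlv(0x30, b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(by_short[k])) + _tlv(0x0C, v.encode())))
        for k, v in rdns))
    alg = _tlv(0x30, _tlv(0x06, RSA_SHA256) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, RSA) + _tlv(0x05, b"")) + _tlv(0x03, bytes(17)))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
                + alg + name + validity + name + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, bytes(17)))
```

Against a real export, call ticket_trust_options(open("EPD-verify.der", "rb").read(), "EPD", "000") and paste the three values into the login module options; a second consumer gets index=2. Note that the DN strings are compared as plain text by this model, so a DN that the portal displays in a different attribute order must be entered the way the portal displays it.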

Configure the Producer-Consumer Relation

Set a Registration Password on the Producer

This is a security measure and you should apply it: if you do not, anyone who knows the hostname and port can register as a consumer and consume the content offered by this portal, and you might not even be aware of it, which can lead to all sorts of issues.

Follow these steps:

  1. Log on to the producer portal using Internet Explorer (the Service Configuration editor works only in IE) as an administrative user
  2. Navigate to System Administration -> System Configuration -> Service Configuration
  3. Unfold the Portal Catalog and look for the application com.sap.portal.ivs.wsrpservice
  4. Now open the node AutoGenProducer1_0
  5. Enter your desired registration password in the property REGISTRATION_PASSWORD. The default password is 'password', so change it. If you empty the field, the password is deleted - DON'T DO THAT!
  6. Save and close the service

Now any potential consumer has to enter the registration password.

Set up the producer and consumer registration

To register the producer in the consumer, log on to the consumer portal (of course as an administrative user) and navigate to
-> System administration
-> Federated Portal
-> NetWeaver Content Producer
-> Add a new NetWeaver producer (right click)

Choose a descriptive producer name and ID (I would suggest creating a common and broadly valid naming structure for all portal elements anyway; maybe I will write a blog about this too).

Example
Producer name: D1H PRO HR-Portal Development
Producer ID: pc_D1H_PRO_hr_portal_development

Name        Description                      Value
Name        The producer portal name         D1H PRO HR-Portal Devel
ID          Internal producer ID             pc_D1H_PRO_hr_portal_devel
Prefix      Appended to the ID               de.realtech
Protocol    HTTP or HTTPS                    https
Hostname    FQDN of the producer             sap-d1h.realtech.com
Port        HTTP port of the producer        53000

P4 communication
Connection  Direct or via message server     Message Server
Security    With or without SSL              None - not good
Hostname    FQDN of the producer             sap-d1h.realtech.com
Port        P4 port of the producer          53004

After this we do the flip side and register the consumer in the producer. So, while still in the consumer portal, navigate to
-> System administration
-> Federated Portal
-> NetWeaver Content Producer
-> Right-click on the NetWeaver producer
-> Open it and click on Register Producer

Enter the registration password that you chose and the values from the following table:

Name           Description                                                Value
Consumer name  Name of the consumer as it should show up in the producer  EPD CON Central Devel
Host name      FQDN of the consumer                                       sap-portal-t.realtech.com
Port           HTTP port of the consumer                                  50100

P4 communication
Connection     Direct or via message server                               Message Server
Security       With or without SSL                                        None - not good
P4 hostname    FQDN of the consumer                                       sap-portal-t.realtech.com
Port           P4 port of the consumer                                    50604

The result of these steps: the consumer is now registered on the producer and can consume content provided.

Set a sharing folder on the producer

When a producer is available on the consumer and the consumer is allowed to consume its content (remember the registration password), by default the consumer can see the producer's content all the way from the root Portal Content folder. If you are like me, you probably don't really like this. So here is how to set a root folder on the producer from which content is to be shared:

  1. In the producer portal navigate to System Administration -> System Configuration -> Service Configuration
  2. Unfold the Portal Catalog and find the application com.sap.portal.ivs.wsrpservice
  3. Open AutoGenProducer1_0
  4. Enter the PCD-path to the content folder
  5. Save and close the service

You find this PCD path when you click on the folder from which you want to share your content and look at its details.

Restart the wsrpservice application.

After the start folder is set, you now need to set up some user rights.

Setting User Rights

Set a content admin on producer and consumer

You need a dedicated content admin on both the producer and the consumer portal to share the content and make it available. This account needs administration and content administration (surprise) rights to be able to provide roles from the producer to users on the consumer. Assign it the following:

Name                Type
Everyone            Group
super_admin_role    Role
content_admin_role  Role
Administrator       Role

Set permissions for the content on the producer
On the producer navigate to
-> Content Administration
-> Portal Content
-> Open the permissions of the folder you share

Set the following permissions (Administrator is the administration permission level; End User and Role Assigner are the two check boxes of the permission editor):

Name                Type   Administrator  End User  Role Assigner
everyone            Group  Read           Yes       No
super_admin_role    Role   Owner          Yes       Yes
content_admin_role  Role   Read           Yes       Yes
Administrator       Role   Read/Write     Yes       Yes

Set permissions on the consumer
In the consumer portal navigate to
-> System Administration
-> Permissions
-> NetWeaver Content Producer
-> Open the producer and choose Permissions

On object level set the following permissions:

Name                Type   Administrator  End User
everyone            Group  Read           Yes
super_admin_role    Role   Owner          Yes
content_admin_role  Role   Read           Yes
Administrator       Role   Read/Write     Yes

Content Sharing with Remote Role Assignment

We are done now. The only thing left is actually to assign users to the roles provided by the producer. So open up your consumer portal, go to User Administration and look for the roles provided by your producer; you do remember its name, don't you?

Hope this is helpful to at least some of you,

Christian Guenther

2 Comments

  1. Unfortunately the "Set a sharing folder on the producer" works only for non-SAP WSRP consumers.

  2. Guest

    Hi Christian,

    What is the impact if the producer portal is not available on the consumer portal? Would it still be accessible, or is some configuration needed to ensure the same?