These instructions will explain how to configure the deployment of an SDA and the access to the deployed SDA using SSO certificates.
The profile parameter service/sso_admin_user_XX is NOT necessary in the cases described below.
Create Configuration File
Create the settings file in the location:
- Windows: "C:\Program Files\SAP\hostctrl\exe\config.d\http.server.settings"
- Unix: /usr/sap/hostctrl/exe/config.d/http.server.settings
On Unix, the owner of file "http.server.settings" must be root or sapadm and the file must not be writable for group/others. Otherwise the settings file is ignored.
Configure SSO deployment
This configuration allows the SSO-distinguished name "CN=xyz.sap.corp, O=SAP AG, C=DE" to deploy the SDA via the URL "/SMDAgent/deploy".
Multiple SSO-distinguished names can be specified as a comma separated list. Also multiple "DN : " entries are allowed.
For example the following configuration are equivalent:
Configure SSO Access to SDA
This configuration allows the SSO-distinguished name "CN=xyz.sap.corp, O=SAP AG, C=DE" to access the SDA.
Like the SSO deployment configuration multiple SSO-distinguished names can be specified as a comma-separated list and multiple "DN : " entries can be specified.
An example settings file may looks like this:
The SSO configuration is now finished.
The settings can be activated without the need to restart SAP HostAgent with the Webservice "ReloadConfiguration".
- <sha-dir>/saphostctrl -function ReloadConfiguration
Alternatively, an "include" settings can be specified:
This configuration includes the authentication setting from URL "/SMDAgent/deploy".
Additionally to SSO-distinguished names also usernames and groups can be specified.
In this configuration the SSO DN "CN=abc.sap.corp, O=SAP AG, C=DE", the user "abcadm" and "myuser" and all members of the groups "sapsys" and "mygroup" have access to the URL /lmsl/sda
Different Deployment and Access DN´s
It is also possible to specify different SSO-distinguished names for the deployment and access to the SDA.
When doing so it is recommended to disable the automatic start of the SDA after the deployment because this may cause deployment errors.
A possible configuration may look like this:
The SSO DN "CN=abc.sap.corp, O=SAP AG, C=DE" is able to deploy the SDA and it will not be started after deployment.
The SSO DN "CN=xyz.sap.corp, O=SAP AG, C=DE" is able to access the SDA.
The SDA will be started automatically on access if it is not running.
SSO configuration for SDA operations
The SDA is shipping its own Host Agent operations which are so far
The authorization for each operation is configured in the operation configuration file in the Host Agent "operations.d" directory. The operation configuration files can be customized to change the authorization for each operation individually. However, changing the configuration will be undone with the next SDA upgrade or redeployment. Since Host Agent 7.22 PL 56 there is another way to customize the authorization for each operation which will also persist an SDA upgrade or redeployment. This can be configured in the Host Agent configuration file "http.server.settings".
Example how to add an authorization configuration to a single operation
1. line: The word "operation" is a keyword similar to "URL" which means that the following configuration is for an operation. After the colon follows the operation name.
2. line: In the context of an operation only "authentication" can be configured.
3. line: The keyword "DN" stands for distinguished name. The colon follows the distinguished name for which the operation should be allowed to be executed.
With this example the operation "configureDS" can now be executed also with an SSO DN "CN=company.sap.corp, O=SAP AG, C=DE".
Configuration done in "http.server.settings" for an operation is in addition to what is already configured in its operation configuration file. Configuration from both sources are considered. One configuration does not overwrite the other.
In order to make the changes done in "http.server.settings" effective the webservice "ReloadConfiguration" has to be executed or the Host Agent has to be restarted.
The authentication configuration for an operation is similar to above described configuration for URLs. Besides the "DN" keyword also "username", "group", and "include" is available to operation configurations.
In case to change the authentication configuation for more than one operation in the same way it can be done conviniently like this
Instead of a single operation name a list of operation names can be given which needs to be enclosed in double quotes and comma separated.
In case there is already a configuration for URL "/lmsl/sda" and operations should be allowed to be executed the same as the URL is allowd to be accessed it can be achieved with the "include" keyword
Since there is a cross reference between "operation" and "URL" configuration there needs to be the prefix "URL/" before the actual URL which is different to the example above with URLs only.
The "include" configuration can also be used in the same context "operation" as follows