Sun Java System Access Manager Policy Agent 2.2 Guide for SAP Enterprise Portal 7.0 and Web Application Server 7.0

Post-Installation of Agent for SAP Enterprise Portal 7.0/Web Application Server 7.0: SAP Enterprise Portal 7.0

Perform the tasks in this section if you are configuring Agent for SAP Enterprise Portal 7.0/Web Application Server 7.0 on SAP Enterprise Portal 7.0. This section includes a variety of short configuration tasks that are required for the agent to work on this specific deployment container. Complete all the tasks described in this section before performing the applicable tasks described in Conditional Post-Installation Steps for J2EE Agents in Policy Agent 2.2.

Procedure: To Add a Reference From sap.com/irj to the New AmSAPAgent2.2 Library for SAP Enterprise Portal 7.0

This is one of the post-installation tasks required when Agent for SAP Enterprise Portal 7.0/Web Application Server 7.0 has been installed on SAP Enterprise Portal 7.0.

This task description explains how to add a library reference from the sap.com/irj application to the newly deployed AmSAPAgent2.2 library.

Use the command line for this task.

  1. Telnet to the J2EE telnet port by issuing a command such as the following:

    $ telnet j2ee-engine-host instance-telnet-port

    j2ee-engine-host represents the machine that hosts the SAP Enterprise Portal 7.0 instance.

    instance-telnet-port represents the port number of the telnet administration service of the SAP Enterprise Portal 7.0 instance.

    The following example demonstrates the format of the telnet command to issue:


    telnet saphost.example.com 50008

    For a graphical representation of telnet administration as described in the steps that follow in this task, see the following figure.

    Figure 4–8 SAP J2EE Telnet Administration: Adding the Agent Library reference to SAP Enterprise Portal 7.0


  2. Log in using Administrator as the user and the corresponding Administrator password.

  3. Issue the following command:

    $ jump 0

    A message such as the following appears:

    You jumped on node 4503950

  4. Issue the following command:

    $ add deploy

  5. Issue the following command:

    $ CHANGE_REF -m sap.com/irj library:AmSAPAgent2.2

    The following message appears:

    The reference between application sap.com/irj and 
    library:AmSAPAgent2.2 was made!

  6. Stop and start the SAP Enterprise Portal 7.0 instance.

Procedure: To Provide Access to the New Login Module for SAP Enterprise Portal 7.0

This is one of the post-installation tasks required when Agent for SAP Enterprise Portal 7.0/Web Application Server 7.0 has been installed on SAP Enterprise Portal 7.0.

This task description explains how to add the new login module to the J2EE engine list of login modules.

  1. (Conditional) If the SAP Enterprise Portal 7.0 is not running, start it now.

  2. Start the Visual Administration tool.

    The following example provides the path to the Visual Administration tool on UNIX systems:

    /usr/sap/SID/instanceName/j2ee/admin/go

    SID represents the SAP system ID.

    instanceName represents the SAP Enterprise Portal 7.0 instance.

  3. Log in to the Visual Administration tool.

    For a graphical representation of the Visual Administration tool as described in the steps that follow in this task, see Figure 4–9.

  4. Select the Security Provider service.

  5. Select the User Management tab.

  6. Switch to the edit mode by clicking the pencil icon in the far left corner of the right panel.

  7. Click Manage Security Stores.

  8. Click Add Login Module.

    A dialog box appears.

  9. Click OK.

  10. In the Class Name text field, enter the following:

    com.sun.identity.agents.sap.v70.AmSAPEP70LoginModule

  11. In the Display Name text field, enter the following:

    AmSAPEP70LoginModule

  12. Click OK.

    Figure 4–9 SAP Visual Administrator: Adding a New Login Module


Procedure: To Modify the Ticket Template to Use the New Login Module for SAP Enterprise Portal 7.0

This is one of the post-installation tasks required when Agent for SAP Enterprise Portal 7.0/Web Application Server 7.0 has been installed on SAP Enterprise Portal 7.0.

This task description explains how to modify the ticket template in order to list the new login module that you just added to the J2EE engine list of login modules.

Before You Begin

If necessary, start and log in to the Visual Administration tool as detailed in the preceding task description.

For a graphical representation of the Visual Administration tool as described in the steps in this task, see Figure 4–10.

  1. Select the Security Provider service.

  2. Select the Policy Configurations tab.

  3. Switch to the edit mode by clicking the pencil icon in the far left corner of the right panel.

  4. In the Components list, select the ticket authentication template.

  5. Delete all login modules, except for the following:

    com.sap.security.core.server.jaas.EvaluateTicketLoginModule
    com.sap.security.core.server.jaas.CreateTicketLoginModule

  6. Click Add New.

  7. From the list of modules, select AmSAPEP70LoginModule.

  8. Click Modify.

  9. Move AmSAPEP70LoginModule between the following two remaining login modules:

    com.sap.security.core.server.jaas.EvaluateTicketLoginModule
    com.sap.security.core.server.jaas.CreateTicketLoginModule

    The new ticket authentication template appears as follows:

    Login Module                 Flag
    EvaluateTicketLoginModule    SUFFICIENT
    AmSAPEP70LoginModule         REQUISITE
    CreateTicketLoginModule      OPTIONAL

    Caution –

    Ensure that the ticket authentication template resembles the preceding list in that it follows the same sequence (EvaluateTicketLoginModule, AmSAPEP70LoginModule, and CreateTicketLoginModule) with the same values (SUFFICIENT, REQUISITE, and OPTIONAL).


    Figure 4–10 SAP Visual Administrator: Modifying the Ticket Template


Next Steps

Save the ticket authentication template configuration.
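The effect of the sequence and flags named in the Caution can be worked through with a short model. This is an added example, not code from this guide or from SAP: it assumes the standard JAAS meaning of the SUFFICIENT, REQUISITE, REQUIRED, and OPTIONAL flags for the login phase, and the module outcomes and the drifted template are constructed inputs.

```python
# Added example. Models standard JAAS control-flag handling for the login
# phase only; module outcomes are constructed inputs, not SAP behaviour.
EXPECTED = [  # sequence and flags from the ticket template above
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("AmSAPEP70LoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]

def run_stack(stack, results):
    """Return (authenticated, modules_invoked) for one login attempt.

    stack   -- ordered (module, flag) pairs
    results -- module name -> True if that module's login would succeed
    """
    invoked, succeeded, mandatory_failed = [], False, False
    for module, flag in stack:
        invoked.append(module)
        if results[module]:
            if flag == "SUFFICIENT" and not mandatory_failed:
                return True, invoked      # stop here, later modules are skipped
            succeeded = True
        elif flag == "REQUISITE":
            return False, invoked         # fail at once, nothing after it runs
        elif flag == "REQUIRED":
            mandatory_failed = True       # will fail, but keeps going
    return succeeded and not mandatory_failed, invoked

def template_drift(stack):
    """Describe every position where a template differs from EXPECTED."""
    issues = []
    if len(stack) != len(EXPECTED):
        issues.append(f"expected {len(EXPECTED)} modules, found {len(stack)}")
    for pos, (want, got) in enumerate(zip(EXPECTED, stack), start=1):
        if want != got:
            issues.append(f"position {pos}: expected {want}, found {got}")
    return issues

# Constructed outcomes: no SAP logon ticket and no Access Manager session.
NO_SESSION = {"EvaluateTicketLoginModule": False,
              "AmSAPEP70LoginModule": False,
              "CreateTicketLoginModule": True}
# Constructed drift: the agent module has been downgraded to OPTIONAL.
DRIFTED = [EXPECTED[0], ("AmSAPEP70LoginModule", "OPTIONAL"), EXPECTED[2]]

if __name__ == "__main__":
    print(run_stack(EXPECTED, NO_SESSION))  # stops at the agent module
    print(run_stack(DRIFTED, NO_SESSION))   # CreateTicketLoginModule is reached
    print(template_drift(DRIFTED))
```

With the documented template, a failed agent login ends the attempt before CreateTicketLoginModule is invoked; with the drifted template the stack continues past the agent module.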

Procedure: To Configure the ume.logoff.redirect.url Parameter for SAP Enterprise Portal 7.0

This is one of the post-installation tasks required when Agent for SAP Enterprise Portal 7.0/Web Application Server 7.0 has been installed on SAP Enterprise Portal 7.0.

  1. Start the J2EE Engine configuration tool.

    The following example provides the path to the configuration tool on UNIX systems:

    /usr/sap/SID/instanceName/j2ee/configtool/configtool.sh

    SID represents the SAP system ID.

    instanceName represents the SAP Enterprise Portal 7.0 instance.

    For a graphical representation of the configuration tool as described in the steps that follow in this task, see Figure 4–11.

  2. Click the pencil icon to switch to the configuration editor mode.

  3. Click the pencil and glasses icon.

  4. Select cluster_data -> server -> cfg -> services.

    The UME service property sheet appears.

  5. Double-click the following property sheet: com.sap.security.core.ume.service

  6. Add the following custom value to the property named ume.logoff.redirect.url:

    http://AMServices-host:AMServices-port/amserver/UI/Login?arg=newsession

    AMServices-host represents the fully qualified host name of the server where Access Manager Services are installed.

    AMServices-port represents the port number of the server where Access Manager Services are installed.

    Figure 4–11 SAP Config Tool: Configuring the ume.logoff.redirect.url Parameter


Procedure: To Enable Cookie Reset for SAP Enterprise Portal 7.0

This task enables single logout between the Access Manager instance and the SAP Enterprise Portal 7.0 instance. If cookie reset is not enabled, single logout might fail, potentially creating a security risk.

  1. Access the J2EE agent AMAgent.properties configuration file.

  2. Change the following properties as shown:

    • com.sun.identity.agents.config.cookie.reset.enable = true

    • com.sun.identity.agents.config.cookie.reset.name[0] = MYSAPSSO2

    • com.sun.identity.agents.config.cookie.reset.domain[MYSAPSSO2] = EP-DomainName

    where EP-DomainName represents the name of the domain of the machine where the SAP Enterprise Portal 7.0 instance is installed, such as .example.com.
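One way to verify the three cookie reset settings after editing AMAgent.properties, including that the configured domain actually covers the portal host. This is an added example, not part of the agent or of this guide: the function names, the simplified key = value parsing, and the sample file contents are assumptions made for illustration.

```python
import re

PREFIX = "com.sun.identity.agents.config.cookie.reset."

def parse_properties(text):
    """Parse simple 'key = value' lines; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_cookie_reset(text, portal_host, cookie="MYSAPSSO2"):
    """Return a list of findings; an empty list means the settings match."""
    props = parse_properties(text)
    findings = []
    if props.get(PREFIX + "enable", "").lower() != "true":
        findings.append("cookie.reset.enable is not true")
    name_key = re.compile(re.escape(PREFIX) + r"name\[\d+\]")
    if cookie not in [v for k, v in props.items() if name_key.fullmatch(k)]:
        findings.append(f"{cookie} is not listed under cookie.reset.name[n]")
    domain = props.get(f"{PREFIX}domain[{cookie}]", "")
    if not domain:
        findings.append(f"cookie.reset.domain[{cookie}] is not set")
    elif not ("." + portal_host.lower()).endswith("." + domain.lower().lstrip(".")):
        # A reset issued for a different domain does not clear the portal's cookie.
        findings.append(f"domain {domain} does not cover {portal_host}")
    return findings

# Constructed sample files (hypothetical hosts and domains).
GOOD = """
com.sun.identity.agents.config.cookie.reset.enable = true
com.sun.identity.agents.config.cookie.reset.name[0] = MYSAPSSO2
com.sun.identity.agents.config.cookie.reset.domain[MYSAPSSO2] = .example.com
"""
BAD = """
com.sun.identity.agents.config.cookie.reset.enable = false
com.sun.identity.agents.config.cookie.reset.name[0] = MYSAPSSO2
com.sun.identity.agents.config.cookie.reset.domain[MYSAPSSO2] = .example.org
"""

if __name__ == "__main__":
    print(check_cookie_reset(GOOD, "saphost.example.com"))
    print(check_cookie_reset(BAD, "saphost.example.com"))
```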