Configuring a Trust Relationship for SAP Assertion Tickets (SAP Library - Configura...


Configuring a Trust Relationship for SAP Assertion Tickets
Principal propagation is implemented using authentication via SAP assertion tickets between the involved
messaging components. Each communication step along the way from the sender to the receiver requires a
separate authentication for each messaging component before the message is executed. This implies that the
message is executed under the same user in all participating messaging components. Since an SAP
assertion ticket is consumed during authentication, a new ticket is generated each time a message is
forwarded to the next messaging component.
Wherever you want to use an SAP assertion ticket for authentication between a sending and a receiving
messaging component, you have to configure a trust relationship between the underlying application servers
first.
Since the configuration for AS ABAP and AS Java is different and since a distinction is made between the
sender (client) and the receiver (server) side, four configuration variants apply:
● AS ABAP client configuration
● AS ABAP server configuration
● AS Java client configuration
● AS Java server configuration
All four configuration variants are described in the following sections.

If an Adapter Engine (SOAP adapter or RFC adapter) is involved, a trust relationship must also
be established between this Adapter Engine and the Integration Server.
Therefore, the Adapter Engine (based on AS Java) and the Integration Server (based on AS
ABAP) both act as server [S] and client [C], as shown in the following diagram:
[S]Adapter Engine[C] → [S]IS[C] → [S]Adapter Engine[C]

AS Java: Client Side


The following steps are required to enable the client side of an AS Java to issue SAP assertion tickets. This is
necessary, for example, for inbound messages propagated to the Integration Server and for outbound
messages sent to an external receiver system. (See also Single Sign-On Configuration for the Runtime
Workbench.)

1. Set an SAP client in the AS Java.


As the SAP assertion ticket requires an SAP system client, the AS Java must also have configured a
system client.

For the central Adapter Engine, this client must be different from other ABAP clients of the
Integration Server. Therefore, default client 000 must be changed anyway.
For the non-central Adapter Engine, you can use the default client 000, provided that there are
no conflicts due to a double-stack installation.
Proceed as follows:

a. Call the Visual Administrator and choose the Security Provider service.
b. Choose User Management Tab → Manage Security Stores →
CreateAssertionTicketLoginModule → View/Change Properties.
c. Set the property ume.configuration.active = true.
d. Choose the Configuration Adapter service to specify the corresponding client and ticket
keystore.
e. Choose cluster_data → server → cfg → services and switch to edit mode.
f. Choose the property sheet com.sap.security.core.ume.services and set the following
properties:
■ login.ticket_client = <client>

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/45/341a2176b74002e10000000a1... 10/13/2010

For the central Adapter Engine, this client must be different from any defined ABAP client.
■ login.ticket_portalid = auto
See also Specifying the J2EE Engine Client to Use for Logon Tickets in the SAP NetWeaver Security
Guide.
2. Install the J2EE server certificate
To issue SAP assertion tickets, the AS Java must sign them with a digital signature. For this purpose, a
private key must be created together with a certificate containing the public key and imported into the
J2EE keystore.
Proceed as follows:

a. Choose the Configuration Adapter service to specify the corresponding client and ticket
keystore.
b. Choose cluster_data → server → cfg → services and switch to edit mode.
c. Choose the property sheet com.sap.security.core.ume.services and set the following
properties:
■ login.ticket_keyalias = SAPLogonTicketKeypair
■ login.ticket_keystore = TicketKeystore
d. Choose the Key Storage service.
e. Create a self-signed private/public key pair under the corresponding keystore view/alias as
follows:
TicketKeyStore/SAPLogonTicketKeypair with the CN field set to the system ID of the
J2EE Engine.
See also Replacing the Public-Key Certificate to Use for Logon Tickets in the SAP NetWeaver
Security Guide.

AS Java: Server Side


The following steps are required to enable the server side of an AS Java to accept SAP assertion tickets. This is
necessary, for example, for inbound messages authenticated with an SAP assertion ticket and for outbound
messages from the Integration Server to an Adapter Engine.
See also Configuring the J2EE Engine to Accept Logon Tickets in the SAP NetWeaver Security Guide.

1. Import the server certificate of each client.


For each client system authenticating with an SAP assertion ticket, the corresponding server certificate
must be imported into the keystore of the J2EE Engine under the TicketKeystore view.
For the trust relationship between the Integration Server and an Adapter Engine, the Integration
Server’s certificate must be imported into the Adapter Engine.
To export the Integration Server's certificate, proceed as follows:

a. On the Integration Server, call transaction STRUST to export the SAP assertion ticket
certificate (see the AS ABAP: Client Side section below).
b. Double-click System PSE in the navigation area.
c. Double-click the displayed own certificate in the upper group box.
d. Choose Export certificate in the lower group box and use file format Binary and file
extension .crt for the export.
To import a client certificate into the AS Java, proceed as follows:

a. In the Visual Administrator, choose the Key Storage service.


b. Choose the TicketKeystore view.
c. Choose the load function to import the client’s server certificate (that is, at least the certificate
of the Integration Server).
2. Maintain the ACL for the EvaluateAssertionTicketLoginModule.
Proceed as follows:
a. In the Visual Administrator, choose the Security Provider service.
b. Choose User Management → Manage User Stores → EvaluateAssertionTicketLoginModule
→View/Change Properties.
c. To define the ACL of the J2EE Engine, set the following properties for each client <n>:


■ trustedsys<n>= system ID and client of the client’s system, for example:


trustedsys1 = XIB, 001
■ trustediss<n>= distinguished name of the issuer as specified in the client’s server
certificate, for example:
trustediss1 = CN=XIB,OU=SAP,O=SAP,C=SG
■ trusteddn<n>= distinguished name of the system as specified in the client’s server
certificate, for example:
trusteddn1 = CN=XIB,OU=SAP,O=SAP,C=SG
In addition, set the following property:
■ ume.configuration.active = true

Since the RFC adapter does not use a dedicated login module stack, the ACL must be globally
configured as described above.
3. Check the EvaluateAssertionTicketLoginModule.
The central user store configuration of the previous step can be overwritten in the individual module
stacks where the EvaluateAssertionTicketLoginModule can be configured explicitly. Therefore, you
should check that the login module stacks for the SOAP and XI adapters are correct. The login modules
are installed in the security provider service.
Proceed as follows:
a. In the Visual Administrator, choose the Security Provider service.
b. Choose the tab pages Runtime → Policy Configurations.
c. Check in the following policy configurations whether the EvaluateAssertionTicketLoginModule is the first
one in the list and is marked as SUFFICIENT:
SOAP Adapter:
■ sap.com/com.sap.aii.af.soapadapter*XISOAPAdapter
XI Adapter:
■ sap.com/com.sap.aii.af.ms.app*MessagingSystem
d. Check whether the ACL properties of the previous step are correctly set for the
EvaluateAssertionTicketLoginModule in each of these configurations.

For the RFC adapter, this step is not required, since it does not use a dedicated login module
stack.
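To see why step 3 insists on the EvaluateAssertionTicketLoginModule being first in the stack and flagged SUFFICIENT, the following Python models how a JAAS-style login module stack combines its modules' results. It is an added illustration, not SAP code: it assumes the standard JAAS control-flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL), and the module outcomes and the name of the second module are constructed (a ticket-authenticated XI message carries no password, so a password module fails for it).

```python
from dataclasses import dataclass


@dataclass
class LoginModule:
    name: str
    flag: str       # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL
    succeeds: bool  # outcome of this module's login() for the request modelled


VALID_FLAGS = ("REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")


def evaluate_stack(stack):
    """Combine module outcomes with the standard JAAS control-flag rules.

    REQUIRED   must succeed; the stack continues either way
    REQUISITE  must succeed; on failure control returns at once
    SUFFICIENT success ends the stack unless a required module already failed
    OPTIONAL   outcome recorded, stack continues

    Returns (authenticated, names_of_modules_consulted).
    """
    required_failed = False
    any_success = False
    consulted = []
    for m in stack:
        if m.flag not in VALID_FLAGS:
            raise ValueError(f"unknown control flag {m.flag!r} on {m.name}")
        consulted.append(m.name)
        if m.succeeds:
            any_success = True
            if m.flag == "SUFFICIENT" and not required_failed:
                return True, consulted
        elif m.flag in ("REQUIRED", "REQUISITE"):
            required_failed = True
            if m.flag == "REQUISITE":
                return False, consulted
    return any_success and not required_failed, consulted


# Constructed request: an XI message arriving with a valid SAP assertion
# ticket and no user name/password. "BasicPasswordLoginModule" stands for
# whatever password-based module follows in the stack (assumed name).
CORRECT_STACK = [
    LoginModule("EvaluateAssertionTicketLoginModule", "SUFFICIENT", True),
    LoginModule("BasicPasswordLoginModule", "REQUIRED", False),
]

# Same modules, wrong order: the password module runs first and fails, and
# its REQUIRED flag vetoes the logon even though the ticket is valid.
MISORDERED_STACK = [
    LoginModule("BasicPasswordLoginModule", "REQUIRED", False),
    LoginModule("EvaluateAssertionTicketLoginModule", "SUFFICIENT", True),
]

# Ticket module first but flagged OPTIONAL: its success does not end the
# stack, so the failing REQUIRED module still rejects the message.
WRONG_FLAG_STACK = [
    LoginModule("EvaluateAssertionTicketLoginModule", "OPTIONAL", True),
    LoginModule("BasicPasswordLoginModule", "REQUIRED", False),
]


if __name__ == "__main__":
    for label, stack in (("correct", CORRECT_STACK),
                         ("misordered", MISORDERED_STACK),
                         ("wrong flag", WRONG_FLAG_STACK)):
        ok, consulted = evaluate_stack(stack)
        print(f"{label:11s} authenticated={ok} consulted={consulted}")
```

Within this model, a SUFFICIENT ticket module whose login() fails (for example because the ACL does not list the issuer) simply hands the request on to the next module, so an ACL mistake surfaces as a failure of the following module rather than as an explicit ticket error; that is why step 3 asks you to check the ACL properties per policy configuration and not only the module order.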

AS ABAP: Client Side


To issue SAP assertion tickets for principal propagation, the AS ABAP client must be configured. This can be
the case for ABAP outbound proxies (see Configuring the Sender) or for the Integration Server (see
Configuring Principal Propagation in the Integration Directory).
The necessary steps to enable the AS ABAP client side to issue SAP assertion tickets are as follows:

1. Call transaction STRUST to check whether a system PSE is maintained.


By default, a self-signed system PSE should exist, which is sufficient. If a certificate signed by the SAP
CA is needed, you can import and configure it with transaction STRUST.
2. Call transaction RZ11 to check whether the login/create_sso2_ticket parameter has the value
1 or 2.
○ Value 1 means that the AS ABAP certificate is included in the SAP assertion ticket.
○ Value 2 means that the AS ABAP certificate is not included in the SAP assertion ticket.
Use value 2 if the certificate is self-signed; otherwise, use value 1.
For more information, see Configuring the System for Issuing Logon Tickets in the SAP NetWeaver
Security Guide.

AS ABAP: Server Side


To accept SAP assertion tickets for principal propagation, the AS ABAP server must be configured. This can
be the case for ABAP inbound proxies or for the Integration Server (receiving messages from ABAP outbound
proxies and from Adapter Engines).


The necessary steps to enable the AS ABAP server side to accept SAP assertion tickets are as follows:

1. Call transaction RZ11 to check whether the login/accept_sso2_ticket parameter has the value
1.
2. For each message-sending client, import the client certificate as follows:
a. Call transaction STRUST and open the System PSE folder.
b. In the certificate list, import the public certificate of the J2EE Engine required for the creation of
SAP assertion tickets.
3. For each message-sending client, maintain the access control list (ACL):
a. Call transaction STRUSTSSO2.
b. Add the system ID, client, and distinguished name of the client's certificate.
For more information, see Configuring SAP Web AS ABAP to Accept Logon Tickets from the J2EE Engine
in the SAP NetWeaver Security Guide.
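The STRUSTSSO2 ACL maintained in step 3 above and the trustedsys/trustediss/trusteddn properties of the EvaluateAssertionTicketLoginModule in the AS Java server-side section record the same kind of entry: system ID, client and the distinguished name(s) from the sending system's certificate, and a ticket is trusted only when one entry matches all of them. The following Python is an added illustration of that check, not SAP code: it parses the property format shown in the AS Java server-side section and evaluates constructed tickets against it. The DN normalisation (whitespace around RDNs trimmed, attribute types compared case-insensitively, values compared exactly) and the padding of the client to three digits are assumptions of this model; whether the real login module is that lenient is not stated on this page, so enter the DN exactly as the certificate displays it.

```python
import re
from collections import defaultdict

# Constructed sample of an EvaluateAssertionTicketLoginModule property sheet
# with two ACL entries: a self-signed Integration Server certificate (issuer
# equals subject) and a CA-signed one (issuer differs from subject).
SAMPLE_ACL_PROPERTIES = """
ume.configuration.active = true
trustedsys1 = XIB, 001
trustediss1 = CN=XIB,OU=SAP,O=SAP,C=SG
trusteddn1 = CN=XIB,OU=SAP,O=SAP,C=SG
trustedsys2 = ERP, 100
trustediss2 = CN=CorpCA, O=Example, C=DE
trusteddn2 = CN=ERP, O=Example, C=DE
"""

REQUIRED_KEYS = {"trustedsys", "trustediss", "trusteddn"}


def parse_dn(dn):
    """Split a DN string into a tuple of (TYPE, value) RDN pairs.

    Backslash-escaped commas inside values are not separators. Attribute
    types are upper-cased and whitespace around each RDN is dropped; values
    are kept as written. This normalisation is an assumption of the model.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        typ, val = part.split("=", 1)
        rdns.append((typ.strip().upper(), val.strip()))
    return tuple(rdns)


def parse_acl(text):
    """Collect trustedsys<n>/trustediss<n>/trusteddn<n> into ACL entries.

    An entry with any of the three properties missing is rejected rather
    than silently matched on the fields that are present.
    """
    grouped = defaultdict(dict)
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = re.fullmatch(r"(trustedsys|trustediss|trusteddn)(\d+)", key)
        if m:
            grouped[int(m.group(2))][m.group(1)] = value
    acl = []
    for idx in sorted(grouped):
        entry = grouped[idx]
        missing = REQUIRED_KEYS - entry.keys()
        if missing:
            raise ValueError(f"ACL entry {idx} lacks {sorted(missing)}")
        if "," not in entry["trustedsys"]:
            raise ValueError(f"trustedsys{idx} must be '<SID>, <client>'")
        sid, client = (s.strip() for s in entry["trustedsys"].split(",", 1))
        acl.append({
            "sid": sid.upper(),
            "client": client.zfill(3),
            "issuer": parse_dn(entry["trustediss"]),
            "subject": parse_dn(entry["trusteddn"]),
        })
    return acl


def ticket_trusted(acl, sid, client, issuer_dn, subject_dn):
    """True only if one ACL entry matches system ID, client, issuer DN and
    subject DN together. Matching the certificate alone is not enough: the
    same certificate presented from an unlisted client is rejected, which is
    why each Adapter Engine needs its own client distinct from the ABAP
    clients of the Integration Server."""
    issuer, subject = parse_dn(issuer_dn), parse_dn(subject_dn)
    return any(
        e["sid"] == sid.upper() and e["client"] == client.zfill(3)
        and e["issuer"] == issuer and e["subject"] == subject
        for e in acl
    )


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL_PROPERTIES)
    xib = "CN=XIB,OU=SAP,O=SAP,C=SG"
    print(ticket_trusted(acl, "XIB", "001", xib, xib))  # True
    print(ticket_trusted(acl, "XIB", "000", xib, xib))  # False: client not listed
```

The self-signed entry (trustediss1 equal to trusteddn1) is what the default STRUST system PSE produces; a CA-signed certificate gives the second shape, where trustediss names the CA and trusteddn the system. In either case the entry is only as strong as the certificate import behind it: an attacker who can get a certificate with the listed DN into the TicketKeystore can mint tickets for any user, so restrict Key Storage administration accordingly.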
