Configuring the SSO Ticket Authentication

Prerequisites

Ensure the following two .dll libraries are located within the SAP Mobile Platform installation directory. If they were not copied to the SAP Mobile Platform installation directory during the SAP Mobile Platform installation through the installer, copy them now:

SAPSSOEXT.DLL
SAPSECU.DLL

These libraries are needed for SSO ticket verification.

Context

Use the following procedure to configure SSO ticket authentication. See the topic Configuring SSO and JAAS in the JavaBE.ini File for detailed descriptions on all the parameters.

Procedure

Open the JavaBE.ini file in your text editor of choice and navigate to the [LOGON_METHOD] section.
Set the LOGON_METHOD parameter to USER_AUTH_SSO, as shown in the step result.
Sample Code
```
[LOGON_METHOD]
LOGON_METHOD=USER_AUTH_SSO
```
Navigate to the [USER_AUTH_SSO] section for Steps 4–11.
Set the PORTAL_URL parameter to the http or https of your SAP NetWeaver gateway portal server. The portal URL is the URL that the module uses to log in and retrieve the SSO2 token.
Sample Code
```
PORTAL_URL=https://<server>:<port>/irj/portal
```
If you decide to verify tickets on the server, you can set the VERFICATION_USE parameter to true. Generate a verification PSE file from the SAP GUI on the SAP server (transaction code STRUST or STRUSTSSO2) and enter the file name in the VERIFICATION_FILENAME parameter. This is the file name relative to the installation directory of your server. If you choose to have the file password-protected, enter the password here as well. If you opt to have the password encoded, set the VERIFICATION_PASSWORD_ENCODED parameter to true.

If there is a chance the user name of the back-end server differs from the user name of the SAP server, set the verification file. Otherwise, this step is optional.
Sample Code
```
VERIFICATION_USE=false
VERIFICATION_FILENAME=verify.pse
VERIFICATION_PASSWORD=1234
VERIFICATION_PASSWORD_ENCODED=false
```
Note

If you do not want clear text passwords in your configuration files, use the QUICKPW.exe application provided with the installer.
To set up a keystore or truststore, set its respective _USE flag to true, supply the _TYPE parameter, and give the _FILENAME as a relative path to the server installation directory. Fill in the _PASSWORD parameter. Similarly to Step 5, if you do not want clear text passwords in the JavaBE.ini file, use the QUICKPW.exe tool to encode it. Be sure to set the _PASSWORD_ENCODED flag to true if you do encode the password.
Keystore and truststore contain the same options and are very similar. The keystore is used if your SAP server requires client authentication for its SSL implementation (i.e., if the SAP NetWeaver gateway portal server requires any https connections to provide credentials to the web server). The truststore is used by the SSL client to verify that the SAP NetWeaver gateway portal server connected to is the one intended to connect to (it operates identically to the list of trusted CA certificates loaded in your typical web browser). The truststore is required if your SAP NetWeaver gateway portal server is running over SSL (https), while the keystore is optional, depending on the setup of your SAP NetWeaver gateway portal server.

On Windows machines, there are default key/truststores, which you can choose to use with certain keywords as the _TYPE parameter. The system keystore of the user has a type of WINDOWS-MY and the default truststore of the system is WINDOWS-ROOT. If you have valid certificates installed on the SAP Mobile Platform server for viewing the SAP NetWeaver gateway portal server, it is possible that using the existing Windows key/truststores is sufficient.
Sample Code
```
KEY_STORE_USE=false
KEY_STORE_FILENAME=keystoreFileName
KEY_STORE_PASSWORD=1234
KEY_STORE_PASSWORD_ENCODED=false

TRUST_STORE_USE=true
TRUST_STORE_TYPE=WINDOWS-ROOT
TRUST_STORE_FILENAME=truststoreFileName
TRUST_STORE_PASSWORD=1234
TRUST_STORE_PASWORD_ENCODED=false
```
Note

More details on creating keystores/truststores can be found in the topic Configuring SSO and JAAS in the JavaBE.ini File.
The COOKIE parameter is the name of the cookie to examine for the SSO2 ticket in the response of the server. This parameter is MYSAPSSO2 by default.
Sample Code
```
COOKIE=MYSAPSS02
```
HTTPTYPE should reflect the PORTAL_URL (i.e., is it a secure connection or not: http or https).
Sample Code
```
HTTPTYPE=https
```
The SSL_VERSION parameter lets you customize the version of SSL/TLS for Java to use.
Sample Code
```
SSL_VERSION=SSLv3
```
The JAVA_SECURITY_DEBUG and JAVA_NET_DEBUG parameters set system flags that provide more details about the logon procedure within the Java code to the console window of the Agentry application. These options may help if there are connectivity issues, but should be left as false otherwise.

JAVA_SECURITY_DEBUG=falseJAVA_NET_DEBUG=false
If end users want to customize their own SSOClient and/or CallbackHandler classes, they can provide subclassed versions of the provided classes and denote them in the SSOCLIENT_CLASS and CALLBACK_HANDLER_CLASS parameters.
Note

While the supplied implementation works for most default installations, some end users may have more specific requirements or customizations to add, and can do so using these parameters.
Sample Code
```
SSOCLIENT_CLASS=com.mysap.sso.SSOClient
CALLBACK_HANDLER_CLASS=com.syclo.sap.auth.CallbackHandler
```

Results

The SSO ticket authentication configuration is complete.

Next Steps

If the server is running, restart the SAP Mobile Platform server so the changes to the JavaBE.ini file can take effect. Once the server is running with the changes in place, log in with a valid user. If that logon succeeds, the configuration and installation was successful. If an exception is thrown, troubleshoot the configuration and installation parameters.