Configuring the AS Java to Accept Logon Tickets

Use

The AS Java uses EvaluateTicketLoginModule to accept logon tickets for SSO. After receiving the logon ticket from the user's Web browser, the AS Java verifies the ticket signature based on the established trust relationship with the issuing system. Based on the ticket validity, the AS Java authenticates the user.

Prerequisites

To check the validity of a user's logon ticket, the AS Java must be able to verify the issuing server's digital signature.

If the AS Java is both the ticket-issuing server and the accepting server, it can automatically verify its own digital signature.
If the ticket-issuing server is a different server, that server's public-key certificate must be available in the keystore view that the AS Java uses for verifying logon tickets.

Procedure

The Start of the navigation path Trusted Systems Next navigation step SSO Wizard End of the navigation path configuration functions of the SAP NetWeaver Administrator enable you to use wizard-based management of trust relationships for SSO with logon and assertion tickets. The configuration changes made with the wizard have a global effect for ticket-based SSO to the AS Java.

Open the SSO Wizard.

Note the following:

If the ticket-accepting system is SAP NetWeaver 7.0 SP14 or higher, you can access the SSO Wizard by choosing Configuration Management Security Trusted Systems.
If the ticket-accepting system is SAP NetWeaver 7.0 SP 13 or lower, you must first deploy the SSO Wizard. For more information, see SAP Note 1083421.

The system which you configure is displayed in the Selected Accepting System section.

There are two ways to add a trusted system:
By connecting to the system and requesting its certificate.

Caution

If the ticket-issuing system is SAP NetWeaver 2004 SP20 or lower, or SAP NetWeaver 7.0 SP13 or lower, you must configure it so it can send a response to the certificate request. For more information, see SAP Note 1083421.
By manually uploading the certificate of the system.

Adding a Trusted System by Connecting to It

In the Trusted Systems section, choose Add Trusted System By Querying Trusted System.
The System Landscape Directory (SLD) opens automatically and lets you select the system you want to add. Select the system and choose OK . The connection details for the selected system are displayed automatically.
Note

If you cannot find the system you want to add, choose Cancel and provide the connection details:
1. Select the type of the system from the System Type dropdown list.
2. Enter the necessary connection details.
Note

If you want to add an AS ABAP system, the field System Number appears. You can get the system number of an ABAP system using its license key, which you received from SAP.
Enter your user name and password in the provided fields and choose Next .
The details about the selected system's certificate appear. To add the system, choose Finish . If you want to make changes, choose Back .

Adding a Trusted System by Manually Uploading its Certificate

Before you start the following procedure, you must export the trusted system's public-key certificate.

In the Trusted Systems section choose Add Trusted System By Uploading Certificate Manually.
Enter the System ID and Client in the relevant fields.
Browse to the location of the system's certificate. Select the certificate and choose Open .
Choose Next . The information about the system and the certificate is displayed. To add the system as trusted, choose Finish . If you want to make changes, choose Back .

Configuring the Login Module Stack

Add the login module EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule ) to the login module stacks for the AS Java policy configurations of the application components that accept login tickets for SSO.

In the SAP NetWeaver Administrator go to Configuration Management Security Authentication and Single Sign-On Authentication.
Select the policy configuration for the application component to accept logon tickets from the Policy Configuration Name table.
In the Details of policy configuration <name> section, choose the Edit pushbutton.
Choose the Add pushbutton with the quick info text Add login module to the policy configuration .
Choose the EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule ) from the Login Module Name list and choose the Add pushbutton. Choose the Save pushbutton.

Note

If you change the options of a login module in the user store, the changes are inherited by all policy configurations that use this login module.

If you change the options of a login module in a single policy configuration, the change applies only to that policy configuration. In this case, the login module will no longer inherit its options from the user store. To restore the inheritance, change the options in the policy configuration or in the user store so that they are identical.

Result

After you complete the wizard, the ticket-issuing system is shown in the Trusted Systems list. The AS Java accepts logon tickets that have been issued by the corresponding server.

More Information

Checking or Updating the Certificates of Trusted Systems

Testing the Use of Logon Tickets

Sample Login Module Stacks for Using Logon Tickets