Configuring the Authentication Assertion Ticket with HTTPS (AS ABAP)

This procedure provides a detailed process of all necessary steps to secure Web Services with SSL and to set up the authentication of the users using authentication assertion tickets. This example uses two AS ABAP systems and individual SOA Manager configuration.

Prerequisites

SSL is set up on the AS ABAP systems (more information: Configuring AS ABAP for SSL Support).
The same general prerequisites apply as for Provider Configuration.

Procedure

Set up the trust relationship between the systems so that the WS consumer trusts the WS provider.
1. Export the server certicate of the WS provider.
  - For self-signed certificates:
    In the Trust Manager (transaction STRUST) of the WS provider, open the SSL server standard PSE by double-clicking the SSL Server Standard node. Double-click the entry in the Owner field. In the Certificate group box, choose the Export Certificate button. Save the certificate as a file in the file system (file format: binary).
  - For certificates signed by a Certification Authority (CA):
    Export the CA root certificate from your browser. For more information, refer to the documentation for your browser.
2. Import the WS provider's server certificate into the WS consumer. To do this, in the Trust Manager (transaction STRUST) of the WS consumer, open the PSE SSL Client (Anonymous) by double-clicking it. In the Certificate group box, choose the Import Certificate button. Specify the certificate file expoerted from the WS provider, and choose ENTER. Choose the Add to certificate list button. Save your entries.
In the SOA Manager of the WS provider, on the Service Administration tab page, choose the link Configuration of Individual Services.
1. Find the service that is to be accessed using the authentication assertion ticket and for which you now want to define an end point.
2. Select the service in the list of search results and choose Apply Selection.
3. On the Configurations tab page, choose the Create End Point button.
4. In the dialog box, specify the name of the new service, its description, and the name of the end point (binding name, such as SSL_AuthTic), and choose Copy Settings.
5. Scroll down, to specify the options for security at transport and message levels on the Provider Security tab page.
6. Under Transport Guarantee, select the SSL (HTTPS, Transport Channel Security) radio button, and under Authentication Method, under Authentication at Transport Level, select SSO Using Authentication Assertion Ticket.
7. Save your entries.
8. On the Overview tab page, use the input help to select the endpoint defined above (for example, SSL_AuthTic). Choose the link Open WSDL Document for Selected Binding.
9. Enter the name and password of the user that has access authorization for the WSDL document.
In the SOA Manager of the WS consumer, on the Service Administration tab page, choose the link Configuration of Individual Services.
1. Find the consumer proxy that is to be used to access the service end point, and for which you want to define a logical port.
2. Select the consumer proxy in the list of search results and choose Apply Selection.
3. On the Configurations tab page, choose the Create Log. Port button.
4. Specify the following in the dialog box:
  - The name of the new service
  - The name of the logical port and its description
  - For configuration type, select the WSDL-Based Configuration button
  - Under WSDL access settings, select the Using HTTP Access radio button
  - Under WSDL location, copy the URL that you called for the WSDL document in the WS provider to the field URL for WSDL Access:.
  - WSDL Access User: Any user
  - WSDL Access user Password: User's password
  - Choose the Copy settings button.
5. Save your entries.