Setting Up Trust

Applicable to: remote role assignment, remote delta link, WSRP application sharing (between NetWeaver portals only)

Use

In a federated portal network, logon tickets are used to establish trust between the producer and consumer portals. A logon ticket is digitally signed by the issuing server; the accepting system needs the public key of the issuing server (contained in its certificate) to verify this signature, which is why the certificate must be exchanged before any ticket can be accepted.

To set up trust between each producer and consumer portal pairing, you need to exchange a portal server certificate file (verify.der) between the portals. This is a one-time procedure.

The content usage mode you plan to use determines whether you need to exchange the certificate file in one direction only (consumer to producer) or in both directions:

Exchange #1 (mandatory)

   Ticket-issuer portal: Consumer
   Ticket-accepting portal: Producer

   This certificate file exchange ensures that remote users on the consumer portal are recognized as authenticated users when they request content from the producer portal.

   A system administrator on the consumer portal exports a portal server certificate file and transfers it to a system administrator on the producer side. The system administrator on the producer side then imports the file using the SSO Wizard in the SAP NetWeaver Administrator tool.

Exchange #2 (optional)

   Ticket-issuer portal: Producer
   Ticket-accepting portal: Consumer

   This certificate file exchange is only needed if you want remote role assignments to be removed automatically on the relevant consumer portals when their respective roles are deleted on the producer portal. In this direction the producer calls the consumer, so the consumer must accept tickets issued by the producer.

   A system administrator on the producer portal exports a portal server certificate file and transfers it to a system administrator on the consumer side. The system administrator on the consumer side then imports the file using the SSO Wizard in the SAP NetWeaver Administrator tool.

Note

Since the authentication mechanisms of different portal vendors are not compatible with one another, this procedure is not relevant to an SAP NetWeaver Portal and non-SAP portal pairing.

This topic describes the trust configuration procedure from a federated portal network perspective. For detailed information about the use of logon tickets for Single Sign-On in an SAP system environment, refer to Using Logon Tickets for Single Sign-On.

Prerequisites

      To export a portal server certificate file, you have access to the keystore administration tool in the standard System Admin role on the ticket-issuer portal.

      You have access to the SAP NetWeaver Administrator tool on the ticket-accepting portal.

      The server clocks of the producer portal and consumer portal must be synchronized at all times.

To compensate for clocks that drift apart, the authentication mechanism of AS Java tolerates a maximum skew of 3 minutes in either direction; a ticket whose timestamp falls outside that window is rejected.

Note

The procedure (described below) for setting up trust does not fail if the clocks are not synchronized. Errors resulting from unsynchronized clocks only become evident at runtime during data flow when the producer (the ticket-accepting system) receives an invalid logon ticket from the consumer (the ticket-issuing system). For example, when the consumer requests the navigation structure and framework of a remote role from the producer portal.

      If you have problems accessing the SSO wizard as described in the procedure below, ensure that the following SDA files are deployed on the relevant portal. If you do not have the SDA files, they are attached to SAP Note 1083421.

       tc~sec~auth~jmx~ear.sda 

       tc~sec~auth~sso2~wizard.sda 

Procedure

The following procedure describes how to exchange portal server certificate files between the producer and the consumer portals. If you are setting up the mandatory one-way trust configuration, perform the procedure once only. If you are setting up the optional two-way trust configuration, perform the procedure twice by alternating the producer and consumer.

The table above specifies which portal is the ticket-issuer portal and which is the ticket-accepting portal in each exchange.

1. Activities on the Ticket-Issuer Portal

This section describes how to export the portal server certificate file (verify.der) from the keystore of your portal (the ticket-issuer portal). Only the certificate with the public key leaves the portal; the private key used to sign logon tickets stays in the keystore.


       1.      In the portal, navigate to System Administration System Configuration Keystore Administration.

       2.      In the Content tab, click Download verify.der File.

       3.      Browse to the folder in which you want to save the file, and save it. Assign the ZIP extension to the file name.

       4.      Open the compressed file and extract the verify.der file.

       5.      Manually transfer the verify.der file to a system administrator of the ticket-accepting portal. Because that portal will accept any logon ticket signed with the private key belonging to this certificate, use a transfer channel that lets the recipient confirm the certificate's fingerprint with you before importing it.

2. Activities on the Ticket-Accepting Portal

This section describes how to import the certificate file you received from another portal (the ticket-issuer portal).


    1.      Open the SSO wizard using the following URL: http://<host>:<port>/sso2 

Note

Alternatively, you can access the wizard by logging on to the SAP NetWeaver Administrator tool and navigating to the Trusted Systems area.

       2.      In the wizard, choose Add Trusted System By Uploading Certificate Manually.

       3.      Enter the system ID and client ID of the ticket-issuer portal:

       System ID: Specifies the 3-letter ID defined during the installation of the portal.

       Client: Specifies the client ID as specified in the login.ticket_client property of the UME Provider in the portal. For a Java stack, the default client ID is 000; however, in an Add-In installation, the client ID must be unique and therefore cannot be 000. For more information, see Specifying the J2EE Engine Client to Use for Logon Tickets.

       4.      In the Certificate File field, browse to the location where you stored the portal certificate file that you obtained from the ticket-issuer portal.

       5.      Click Next and then Finish.
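The steps above have the administrator of the ticket-accepting portal upload whatever verify.der arrived by manual transfer. After the import, every logon ticket signed with the private key that belongs to that certificate is accepted as authenticated, so the file deserves a check before it goes into the wizard. The following is an added example, not part of the SAP documentation or of any SAP tool: a POSIX shell script that confirms the received file is a DER-encoded X.509 certificate, that it has not expired, and that its SHA-256 fingerprint matches a value confirmed with the issuing portal's administrator over a second channel (phone call, signed mail). It assumes openssl and unzip are installed on the administrator's workstation; the archive name, fingerprint value and paths are placeholders.

```shell
#!/bin/sh
# Pre-import checks for a verify.der received from a ticket-issuer portal.
# Added example, not part of the SAP documentation. Assumes openssl (and
# unzip for the archive step) are available on the administrator's machine.
set -eu

# extract_verify_der ARCHIVE OUTDIR
# Step 4 of the issuer-side procedure: pull verify.der out of the downloaded ZIP.
extract_verify_der() {
    unzip -o -q "$1" verify.der -d "$2"
    [ -s "$2/verify.der" ]
}

# cert_fingerprint FILE
# SHA-256 fingerprint of the DER certificate as uppercase hex without colons;
# this is the value to confirm with the issuing portal's administrator.
cert_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 |
        sed 's/^.*=//; s/://g'
}

# cert_subject FILE : subject DN, i.e. which portal the certificate names
cert_subject() {
    openssl x509 -inform DER -in "$1" -noout -subject | sed 's/^subject= *//'
}

# cert_validity FILE : notBefore/notAfter lines, so the expiry can be tracked
cert_validity() {
    openssl x509 -inform DER -in "$1" -noout -dates
}

# check_verify_der FILE EXPECTED_FINGERPRINT
# Returns 0 only if FILE parses as a DER X.509 certificate, has not expired,
# and its SHA-256 fingerprint equals the value obtained out of band (colons
# and letter case in the expected value are ignored). Prints the reason on
# failure so the operator knows why the import was refused.
check_verify_der() {
    file=$1
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    openssl x509 -inform DER -in "$file" -noout >/dev/null 2>&1 ||
        { echo "REJECT: $file is not a DER-encoded X.509 certificate"; return 1; }
    # -checkend 0 exits non-zero once notAfter has passed
    openssl x509 -inform DER -in "$file" -noout -checkend 0 >/dev/null ||
        { echo "REJECT: certificate has expired"; return 1; }
    actual=$(cert_fingerprint "$file")
    [ "$actual" = "$expected" ] ||
        { echo "REJECT: fingerprint $actual does not match expected $expected"; return 1; }
    echo "OK: $(cert_subject "$file") fingerprint $actual"
    cert_validity "$file"
}

# Usage on the ticket-accepting portal's admin workstation (placeholders):
#   extract_verify_der ./verify.der.zip ./incoming
#   check_verify_der ./incoming/verify.der "$FINGERPRINT_CONFIRMED_WITH_ISSUER_ADMIN"
```

The fingerprint comparison is the part that matters: the wizard shows the certificate's details after upload, but it cannot know whether the file was swapped in transit. Comparing a fingerprint read to you by the issuing portal's administrator closes that gap. Later renewal of the certificate is covered by the topic Checking or Updating the Certificates of Trusted Systems below.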

More Information:

      Configuring the J2EE Engine to Accept Logon Tickets 

      Checking or Updating the Certificates of Trusted Systems 

 
