Show TOC

Configuring the AS Java to Issue Logon TicketsLocate this document in the navigation structure


When a user requests access to an AS Java application, the AS Java processes the stack of login modules that apply to the application. Therefore, to configure the AS Java as a logon ticket-issuing system, you adjust the login module stacks for the policy configurations of AS Java applications.


The AS Java has to possesses a public and private key pair and public-key certificate that it can use to digitally sign the logon ticket. By default, the AS Java is delivered with a key pair and a public-key certificate to use for issuing logon tickets that are stored in the AS Java's TicketKeystore .

In addition, the systems that accept logon tickets from the AS Java must have an established trust relationship with the AS Java and access to the AS Java's public-key certificate to verify the digital signature provided with the ticket.


Configuring the Login Module Stacks to Issue Logon Tickets

Use the authentication configuration functions of the SAP NetWeaver Administrator to configure the login module stacks. For more information, see Managing Login Modules and Managing Authentication Policy .

  1. Choose Start of the navigation path Configuration Management Next navigation step Authentication and Single Sign-On Next navigation step Authentication End of the navigation path and the Components tab.

  2. From the list of policy configurations, select the policy configuration for the component name that corresponds to the application for which the AS Java issues a logon ticket upon user logon.

Using the Ticket Template to Configure the Login Module Stacks for Issuing Logon Tickets

  1. On the Authentication Stack tab for the selected component policy configuration, choose ticket from the dropdown list for Used Template .

  2. The login module stack specified by the ticket template appears in the table Login Modules . The login modules appear as shown in the table below:

    Login Modules









    For this login module stack, the AS Java is both a ticket-accepting and ticket-issuing system. The AS Java first checks to see if the user presents a valid logon ticket with the EvaluateTicketLoginModule . If this is the case, the AS Java accepts the logon ticket and authenticates the user with the valid logon ticket.

    If no logon ticket exists for the user, the AS Java authenticates the user using Basic Authentication. If successful, then the user is issued a logon ticket.

  3. Save your changes and restart the application for the changes to take effect.

Configuring the Login Module Stacks for Issuing Logon Tickets Manually

To adapt another template or to manually adjust the login module stacks to issue logon tickets for access to individual applications, follow the steps below:

  1. On the Authentication Stack tab for the selected component's policy configuration, add the login module that authenticates the user before issuing a ticket and choose its flag.

  2. For example, to authenticate users with user names and passwords, you can add the BasicPasswordLoginModule with a REQUISITE flag.

  3. Add the login module CreateTicketLoginModule to the login module stack so that it takes place after the login module that actually authenticates the user.

  4. Assign the flag SUFFICIENT to the CreateTicketLoginModule .

  5. Save your changes and restart the application for the changes to take effect.

Configuring Logon Ticket Options

To change logon ticket options, edit the following UME properties accordingly:

  • login.ticket_lifetime


    The time tolerance when verifying the creation and the expiration date of login tickets is set to 3 minutes.

  • login.ticket_client


    In a combined ABAP and Java system, where both servers have the same system ID, you must specify a unique client ID to use for logon tickets on the AS Java. For more information, see Specifying the Client to Use for Logon Tickets .

For more information about changing UME properties, see Editing UME Properties .


When the user accesses the application, it processes the login module stack as specified. After successfully authenticating the user, the JAAS login module CreateTicketLoginModule creates a logon ticket for the user.


You can see the key that the AS Java uses to sign issued logon tickets on the Show SSO Certificate tab in the Start of the navigation path Trusted Systems Next navigation step Single Sign-On with SAP Logon Tickets  End of the navigation path configuration functions of the SAP NetWeaver Administrator. To change the key, use the TicketKeystore keystore view that is accessible from the Key Storage management functions of the SAP NetWeaver Administrator. For more information, see Replacing the Key Pair to Use for Logon Tickets and Using the AS Java Key Storage .