
This procedure describes in detail all the steps needed to secure Web services with SSL and to set up user authentication with authentication assertion tickets. The example uses two AS Java systems, each with its own SOA Management configuration.
SSL itself is set up on the AS Java systems (more information: Configuring the Use of SSL on the AS Java ).
The use of authentication assertion tickets is likewise set up on the AS Java systems (more information: Using Logon Tickets ).
1. Setting Up an SSL Trust Relationship
Set up the trust relationship between the systems so that the consumer trusts the provider.
Export the server certificate of the provider. To do this, in SAP NetWeaver Administrator, under , select the standard SSL server keystore view ICM_SSL_<instance ID>.
Under Details of Keystore Views , on the View Entries tab page, select the ssl-credentials-cert entry.
Choose Export to File , and use the download link to save the certificate as a file in the file system (file format: Base64 X.509).
Import the provider's server certificate into the consumer. To do this, in SAP NetWeaver Administrator, under , select the client SSL keystore view Client_ICM_SSL_<instance ID>.
Under Details of Keystore Views , on the View Entries tab page, choose the Import from File button.
In the Import Entry dialog box, specify the entry type X.509 certificate and the path in the file system, and choose Import .
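Before handing the exported file to the consumer, it is worth confirming that it is what step 1 expects: a single Base64 X.509 (PEM) certificate, and nothing more. In particular, the export must come from the ssl-credentials-cert entry (certificate only), never from the entry that carries the provider's private key. The following script is an added example and is not part of the SAP documentation or the AS Java tooling; it uses only the Python standard library, and the sample inputs are constructed stand-ins (a minimal DER SEQUENCE wrapped in PEM armour), not real certificates.

```python
"""Sanity-check a certificate file exported from the provider's ICM_SSL
keystore before it is imported into the consumer's Client_ICM_SSL view.

Added example, not SAP code. It verifies that the file
  * contains exactly one CERTIFICATE block in Base64 X.509 (PEM) form whose
    body decodes to a well-formed DER SEQUENCE of the declared length, and
  * contains no PRIVATE KEY block, which would mean the wrong keystore entry
    was exported and the provider's key is about to leave the system.
"""
import base64
import re

# One PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in text.
    Raises ValueError (binascii.Error) if a body is not valid base64."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def der_sequence_header(der):
    """Parse the outer DER SEQUENCE header.
    Returns (content_length, header_size) or None if the bytes do not start
    with a well-formed SEQUENCE tag and length."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        return first, 2
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return int.from_bytes(der[2:2 + n], "big"), 2 + n


def check_exported_certificate(text):
    """Classify an export file. Returns one of:
    'ok'             one CERTIFICATE block whose DER body is self-consistent
    'contains-key'   a PRIVATE KEY block is present: wrong keystore entry
    'no-certificate' no single CERTIFICATE block (binary export, wrong file)
    'bad-base64'     PEM armour present but the body is not valid base64
    'bad-der'        body decodes but is not a DER SEQUENCE of the right size
    """
    try:
        blocks = pem_blocks(text)
    except ValueError:
        return "bad-base64"
    if any("PRIVATE KEY" in label for label, _ in blocks):
        return "contains-key"
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        return "no-certificate"
    header = der_sequence_header(certs[0])
    if header is None:
        return "bad-der"
    length, hdr = header
    if hdr + length != len(certs[0]):     # truncated or padded export
        return "bad-der"
    return "ok"


# Constructed sample inputs (not real certificates): the DER body is the
# stand-in "SEQUENCE { INTEGER 1 }" (30 03 02 01 01).
_FAKE_DER = bytes.fromhex("3003020101")
_FAKE_B64 = base64.b64encode(_FAKE_DER).decode()
SAMPLE_CERT_ONLY = (
    f"-----BEGIN CERTIFICATE-----\n{_FAKE_B64}\n-----END CERTIFICATE-----\n")
SAMPLE_WITH_KEY = SAMPLE_CERT_ONLY + (
    f"-----BEGIN PRIVATE KEY-----\n{_FAKE_B64}\n-----END PRIVATE KEY-----\n")
# Same body with the last byte missing: length header no longer matches.
SAMPLE_TRUNCATED = (
    "-----BEGIN CERTIFICATE-----\nMAMCAQ==\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, sample in [("cert only", SAMPLE_CERT_ONLY),
                         ("with key", SAMPLE_WITH_KEY),
                         ("truncated", SAMPLE_TRUNCATED)]:
        print(f"{name:10s} -> {check_exported_certificate(sample)}")
```

Only a result of 'ok' means the file is ready for the Import from File step on the consumer; 'contains-key' means the export must be repeated from the ssl-credentials-cert entry and the file discarded.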
2. Setting Up a Ticket Trust Relationship
Set up the ticket trust relationship in the provider with the SSO2 Assistant. This imports the consumer's certificate into the keystore TicketKeystore from the view SAPLogonTicketKeypair-cert.
In the SAP NetWeaver Administrator of the provider, under , choose the tab page Single Sign-On with SAP Logon Tickets .
Under Trusted Systems , start the Assistant by choosing .
Specify the system type Java .
The following required entry fields are then displayed, which you also need to fill out:
| Field | Value |
|---|---|
| Schema | HTTP: without server authentication. HTTPS: with server authentication. Server authentication ensures that the certificate that is to be trusted actually comes from the system. |
| Host Name | Not applicable |
| Port number | Not applicable |
| User name | Name of the user to be used to access the consumer. |
| Password | Password of the user in the consumer. |
Choose Next and then Finish .
3. Creating an Endpoint in the Provider
In the SAP NetWeaver Administrator of the provider, choose , and then the tab page Service Definitions .
Find the service that is to be accessed using an authentication assertion ticket, and for which you now want to create an endpoint, and select it in the list of search results.
On the Configuration tab page, check the Runtime Configuration checkbox and choose New .
Start the configuration assistant by choosing the New button, and enter the following information in the relevant steps:
In step 1, specify the name of the new endpoint (such as SSL_AuthTic), and choose whether you want to add this to an existing service or to a new service to be created.
In step 2, set the options for security at transport and at message level:
For Transport Protocol , choose the HTTPS (Security at transport level) radio button.
For Authentication , under HTTP Authentication , check the Logon Ticket checkbox.
Choose Finish .
The additional Assistant steps are not absolutely necessary for this example configuration.
On the WSDLs tab page, select the endpoint that you created above (for example, SSL_AuthTic), and call up its WSDL document.
4. Creating a Logical Port in the Consumer
In the SAP NetWeaver Administrator of the WS consumer, choose , and then the Consumer Proxies tab page.
On the Consumer Proxies tab page, search for the consumer proxy with which the service endpoint is to be accessed and for which you want to create a logical port, and select it in the list of search results.
On the Configuration tab page, select Runtime Configuration .
Start the configuration assistant by choosing the New button, and enter the following information in the relevant steps:
In step 1, choose Import from WSDL-URL to import the logical endpoint from the WSDL document that you called in the provider.
In step 2, copy the URL of the WSDL document called above in the provider for the endpoint you created above (such as SSL_AuthTic), and enter this in the field WSDL URL .
In step 3, specify the endpoint created in the provider.
In step 4, specify a name for the logical port.
Choose Finish .