Configuring the System for Accepting Logon Tickets
Use
Accepting systems need to be able to verify the logon tickets and the issuing server’s digital signature. The following information is necessary for the verification:
- The system should only accept logon tickets issued from a trusted server. Therefore, the identity of the trusted server needs to be entered in the accepting system’s SSO access control list.
- The system must be able to verify the issuing server’s digital signature. If the issuing server possesses a public-key certificate that is signed by the SAP CA, the accepting system can verify the issuing server’s digital signature without needing any additional information. However, if the certificate is a self-signed certificate, then the accepting system needs access to the issuing server’s public-key information, which needs to be entered in the system’s certificate list.
- The system needs to know where the information is stored that it uses to verify the issuing server’s digital signature. The file name and location where this information is stored (the server’s designated SSO PSE) is release-dependent. See SSO Personal Security Environment (SSO PSE) for the file name and location of the SSO PSE according to release.
The SSO administration wizard accomplishes these configuration tasks automatically. The rest of the configuration tasks and the steps you need to take to use the SSO administration wizard are described below.
Prerequisites
The issuing server must possess a public and private key pair and a public-key certificate. This information needs to be available in the issuing server’s SSO PSE.
If the accepting system is an SAP System with Release <= 4.6D, then the system must have the Workplace PlugIn installed and must meet the following release requirements:
- Release 4.6x: 4.6D kernel as of Support Package level 74
- Release 4.5x: 4.5B kernel as of Support Package level 459
- Release 4.0x: 4.0B kernel as of Support Package level 758
The SAP Security Library (or the SAP Cryptographic Library) must be installed on all of the accepting system's application servers.
You can obtain the most recent version of the SAP Security Library from the sapserv<x> under /general/misc/security/SAPSECU/<platform>.
The SAP Cryptographic Library is available on the SAP Service Marketplace at http://service.sap.com/swcenter. Note, however, that the delivery of this library is subject to German export regulations and it is not available to all customers. For more information, see Using the Secure Sockets Layer Protocol.
Procedure
On all of the accepting system's application servers
Set the profile parameter login/accept_sso2_ticket = 1. Set login/create_sso2_ticket = 0 unless the server should also be able to issue tickets. (Set both parameters in DEFAULT.PFL.)
For Releases 4.0 and 4.5, also set the profile parameter SAPSECULIB to the location (path and file name) of the SAP Security Library (or SAP Cryptographic Library).
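The two steps above have to hold on every application server, so a quick consistency check of each server's profile is useful before running the wizard. The following script is an added example for this page and is not SAP code; it assumes the usual instance-profile syntax of one "parameter = value" per line with "#" comments (an assumption about the file format) and uses constructed DEFAULT.PFL fragments as input. It flags a missing login/accept_sso2_ticket = 1, a server that can still issue tickets although it is meant only to accept them, and a missing SAPSECULIB on Releases 4.0 and 4.5.

```python
"""Pre-flight check of the logon-ticket profile parameters on an accepting system.

Added example for this page, not SAP code. It assumes the common instance
profile syntax of one "parameter = value" per line with "#" comments (an
assumption about the file format, not something the page states).
"""
from typing import Dict, List

# Constructed sample DEFAULT.PFL fragment for a system that should only
# accept tickets: it still issues tickets and SAPSECULIB is commented out.
WEAK_PROFILE = """
# DEFAULT.PFL (constructed sample, Release 4.5B accepting system)
SAPSYSTEMNAME = ACC
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 1
# SAPSECULIB = /usr/sap/ACC/SYS/exe/run/libsapsecu.so
"""

# Constructed corrected fragment with the settings the procedure asks for
# (the library path is a placeholder, not a path taken from the page).
HARDENED_PROFILE = """
SAPSYSTEMNAME = ACC
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 0
SAPSECULIB = /usr/sap/ACC/SYS/exe/run/libsapsecu.so
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Return the parameters of a profile as a dict, ignoring comments and blank lines."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_sso_profile(params: Dict[str, str], release: str,
                      issues_tickets: bool = False) -> List[str]:
    """Compare one server's parameters against the settings for an accepting system.

    release is the kernel release string, e.g. "4.5B" or "4.6D"; issues_tickets
    marks a server that is deliberately also a ticket issuer.
    """
    findings: List[str] = []

    if params.get("login/accept_sso2_ticket") != "1":
        findings.append("login/accept_sso2_ticket must be 1 to accept logon tickets")

    # A pure accepting system should not be able to mint tickets for other systems.
    if not issues_tickets and params.get("login/create_sso2_ticket") != "0":
        findings.append("login/create_sso2_ticket should be 0 on a server that does not issue tickets")

    # Releases 4.0 and 4.5 need the security library location in the profile.
    if release.startswith(("4.0", "4.5")) and not params.get("SAPSECULIB"):
        findings.append("SAPSECULIB must point to the SAP Security/Cryptographic Library on Release " + release)

    return findings


def check_servers(profiles: Dict[str, str], release: str,
                  issues_tickets: bool = False) -> Dict[str, List[str]]:
    """Run the check for every application server; only servers with findings are returned."""
    result: Dict[str, List[str]] = {}
    for server, text in profiles.items():
        findings = check_sso_profile(parse_profile(text), release, issues_tickets)
        if findings:
            result[server] = findings
    return result


if __name__ == "__main__":
    report = check_servers({"app01": WEAK_PROFILE, "app02": HARDENED_PROFILE}, "4.5B")
    for server, findings in report.items():
        print(server)
        for finding in findings:
            print("  -", finding)
```

Run it once per accepting system with the profile text of each application server; any server listed in the report needs its DEFAULT.PFL corrected before the SSO administration wizard is expected to show green traffic lights for the profile parameters.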
On one of the accepting system's application servers
Execute the SSO administration wizard (transaction SSO2).
The SSO2 Administration screen appears.
Enter the RFC destination or the <host name> and <system number> for the issuing server in the appropriate fields.
Note the following:
- You must specify the destination host for the issuing server's logical system, namely, the system ID and client.
- If you do not enter a destination host in the SSO2 Administration screen, then the status for the local system is displayed.
- If you enter the <host name> and <system number>, the system automatically creates a corresponding RFC destination to use for the connection.
The SSO administration report for the designated server is displayed.
The following information is shown in the report:
- Profile parameter values on both the issuing server and on the accepting system’s application server.
- The accepting system’s SSO access control list.
- The accepting system’s certificate list.
Red traffic lights in any of these areas indicate configurations that are not operational for using logon tickets.
- If the report indicates errors on the issuing server (for example, profile parameters are not set correctly), correct these errors on the issuing server and re-execute the SSO administration wizard on the accepting system.
- To initiate the configuration steps on the accepting system, choose Edit → Activate Workplace.
The following occurs:
- The SSO administration wizard enters the issuing server’s system ID and client in the accepting system’s access control list.
- If the issuing server’s public-key certificate is a self-signed certificate, then the SSO administration wizard enters the public-key information contained in the certificate in the accepting system’s certificate list.
- The SSO administration wizard makes the SSO PSE available to the accepting system’s application servers:
- In Releases >= 4.6C, the SSO administration wizard distributes the SSO PSE to all of the system’s application servers.
- In Releases < 4.6C, it stores the SSO PSE in the directory specified by the profile parameter DIR_PROFILE.
If the DIR_PROFILE directory is not globally accessible to all of the application servers in the accepting system, then you have to manually copy the SSO PSE to each application server’s DIR_PROFILE directory.
All changes take place immediately and you do not have to explicitly save any data.
If any of the areas indicate errors, correct these errors and re-execute the SSO administration wizard.
You can also add or delete entries from the access control list or certificate list by placing the cursor on the appropriate line and choosing Edit → <function>.
For example:
- To add the issuing server's system ID and client to the SSO access control list, place the cursor on the line SAP System <Workplace_Server_SID> Client <client> and choose Edit → Enter ACL.
- To delete an entry from the certificate list, place the cursor on the system ID and choose Edit → Delete from certificate list.
- To add the SAP CA certificate to the certificate list, choose Edit → Add SAP CA.
You can also manually change the access control list (table TWPSSO2ACL) using the table maintenance transactions (for example, SM30).
You can also manually change the certificate list using the PSE maintenance transaction (PSEMAINT) or the trust manager (transaction STRUST).
The PSE maintenance transaction PSEMAINT is available in SAP Systems with Release <= 4.6D; the trust manager (transaction STRUST) is available with the SAP Web Application Server.
Result
The accepting systems are able to accept logon tickets and verify the issuing server’s digital signature when they receive a logon ticket from a user.
You may execute the SSO administration wizard at any time and as often as you wish.