Show TOC

 Security ConfigurationLocate this document in the navigation structure

Use

Web service clients use the HTTP protocol for sending SOAP requests to the server. The J2EE Engine supports the following authentication options:

  • User name and password (HTTP Basic Authentication) using plain HTTP (no SSL)
  • User name and password (HTTP Basic Authentication) using HTTP secured through SSL
  • X.509 Client Certificates using HTTP secured through SSL
  • SAP Logon Tickets using HTTP
  • SAP Logon Tickets using HTTP secured through SSL (SSL)
Features

For standalone proxies, authentication must be configured through the security protocol. For deployable proxies, a destination in the Destinations Service is created for each logical port. Each Web service destination can be configured using the Destinations Service in the Visual Administrator. For dynamic proxies, you can create a destination in the Web Services Security Service.

Activities

Configuring Security on a Standalone Proxy

The authentication data is set using the security protocol, accessed through the virtual interface.

Note 
StockWSImpl ws = new StockWSImpl();
Remote remote = ws.getLogicalPort(StockWS2ViRpc.class);
StockWS2ViRpc stocksWS = (StockWS2ViRpc) remote;
BaseGeneratedStub stub = (BaseGeneratedStub) remote;
SecurityProtocol securityProtocol = (SecurityProtocol) stub._getGlobalProtocols().getProtocol("SecurityProtocol");
AuthenticationContext = securityProtocol.getAuthenticationContext();
  • Using user name and password for authentication

    These are set with the AuthenticationContext methods:

    • public void setPassword(String password)
    • public void setUsername(String password)
  • Using X.509 Client Certificates

    The AuthenticationContext provides the following method for passing client certificates for authentication:

    • public void addClientCertificate(X509Certificate[] certificates, PrivateKey privateKey) throws KeyStoreException
  • Other SSL options

    By default, any certificate of the server that provides the Web service is accepted. If an application needs to check for SSL server certificates, then use the following method of the AuthenticationContext:

    • public void setIgnoreSSLServerCertificate(boolean ignoreSSLServerCertificate)

    To set java.util.List of java.security.cert.X509Certificate , use:

    • public void setServerCertificateList(List serverCertificateList)
  • Setting HTTP headers

    To set additional HTTP headers use the following method of the Client Security protocol:

    • public void addHeader(String key, String value)
      Note

      When using the client security protocol from an application or library running in the engine (i.e. from a Web Dynpro application), you need to set a class loader reference to service tc~sec~wssec~service.

Configuring Security on a Deployable Proxy

For each logical port of a deployable proxy, a destination is created in Destination Service. You can edit the destination in the Visual Administrator. All data in the destinations is stored in the Secure Storage Service . If you want to configure the destinations for your logical port, then start the J2EE Engine Visual Administrator and select the Destinations Service.

  • Using user name and password for authentication

    Select the destination from the left-hand frame and choose BASIC from the Authentication drop-down menu. The Basic Authentication section is enabled and you can enter a user name and password. If the SAP Cryptographic Toolkit has been installed, the data is encrypted by Secure Storage.

  • Using X.509 client certificates

    Select a desination and select X.509 Client Certification from the Authentication drop-down menu. The X.509 client certificates are stored in Keystore Service. The Client Certificates Authentication is enabled and you can select the keystore view and certificate from the corresponding drop-down menus.

  • Using SAP Logon Ticket

    If the server calls a Web service in another SAP system on behalf of a user, the Web service proxy can provide the user identity in an SAP Logon Ticket.

    To enable this feature, perform the following steps:

    • Select SAP Logon Ticket from the Authentication drop-down menu
    • Ensure that the JAAS Login Stack of the application (to which the user connects initially) contains CreateTicketLoginModule . A ticket is created for the user.
  • Other SSL options

    By default, any certificate of the server that provides the Web service is accepted. If an application needs to check for server certificates, the server certificates accepted by the Web service proxy can be limited to certificates that are stored in the Keystore Service.

    To limit the accepted server certificates, choose Accept Certificates in Keystore View and select a keystore view.

Configuring Security on a Dynamic Proxy

If you are using a dynamic Web service proxy and you want to configure the authentication method, you have to create a destination for the logical port of the proxy. All data in the destination is stored in the Secure Storage Service.

In the J2EE Engine Visual Administrator, select the Web Services Security Service and choose Runtime → Security Administration → Security Configuration → Web Service Clients → sap.com → DynamicWSProxies → Create. Enter a name for the security configuration that you will create and choose OK. Enter connection information for the destination such as custom target URL and, for an ABAP-based destination, the system ID, client and language. If this destination is used for metadata retrieval only, then in URL specify the path to the inspection.wsil file. For AS Java this is: http://host:port/inspection.wsil , and for AS ABAP: http://host:port/

Select the authentication method to use for the connection and if applicable, enter the authentication parameters in the corresponding fields.

If the connection uses HTTPS in the URL, then select the corresponding option under Server Certificates. Select the keystore view that contains the CA root certificates that you accept or select to ignore server certificates.