
Setting Up Trust

Applicable to: remote role assignment, remote delta link, WSRP application sharing (between NetWeaver portals only)

Use

Logon tickets are used to establish trust between the producer and consumer portals in a federated portal network. Logon tickets are digitally signed by the issuing server; the accepting system needs the public key of the issuing server to verify this digital signature.

This topic describes the trust configuration procedure from a federated portal network perspective. For detailed information about the use of logon tickets for Single Sign-On in an SAP system environment, refer to Using Logon Tickets for Single Sign-On.

To set up trust between each producer and consumer portal pairing, you need to exchange a portal server certificate file (verify.der) between the portals. This is a one-time procedure.

The content usage mode determines if you need to exchange the certificate file in one direction only (consumer to producer) or in both directions (consumer to producer, and producer to consumer):

Exchange #1 (ticket-issuer system: Consumer; ticket-accepting system: Producer)

This certificate file exchange ensures that remote users on the portal consumer are recognized as authenticated users when they request content from the producer portal.

A system administrator on the consumer exports a server certificate file and transfers it to a system administrator on the producer. The system administrator on the producer then imports the file using the SSO Wizard in the SAP NetWeaver Administrator tool.

Exchange #2 (ticket-issuer system: Producer; ticket-accepting system: Consumer)

You need to perform this certificate file exchange only if you want remote role assignments to be automatically removed on the relevant consumer portals when their respective roles are deleted on the producer portal.

A system administrator on the producer exports a server certificate file and transfers it to a system administrator on the consumer. The system administrator on the consumer then imports the file using the SSO Wizard in the SAP NetWeaver Administrator tool.

Note

Since the authentication mechanisms of different portal vendors are not compatible with one another, this procedure is not relevant to an SAP NetWeaver Portal and non-SAP portal pairing.

Prerequisites

      On the ticket-issuer portal, you have access to the keystore administration tool in the standard System Admin role.

      On the ticket-accepting portal, you have access to the SAP NetWeaver Administrator tool.

      The server clocks of the producer portal and consumer portal must be synchronized at all times.

To compensate for clocks running at different speeds, the authentication mechanism of AS Java provides a maximum deviation of 3 minutes in either direction.

Note

The procedure (described below) for setting up trust does not fail if the clocks are not synchronized. Errors resulting from unsynchronized clocks only become evident at runtime during data flow when the producer (the ticket-accepting system) receives an invalid logon ticket from the consumer (the ticket-issuing system); for example, when the consumer requests the navigation structure and framework of a remote role from the producer portal.

      If you have problems accessing the SSO wizard as described in the procedure below, ensure that the following SDA files are deployed on the relevant portal. If you do not have the SDA files, they are attached to SAP Note 1083421.

       tc~sec~auth~jmx~ear.sda 

       tc~sec~auth~sso2~wizard.sda 

Procedure

The following procedure describes how to exchange portal server certificate files between the producer and the consumer portals. If you are setting up the one-way trust configuration (Exchange #1 only), perform the procedure once only. If you are setting up the two-way trust configuration (Exchange #1 and Exchange #2), perform the procedure twice by alternating the producer and consumer.

1. Activities on the Ticket-Issuer System

This section describes how to export a keystore file from the portal on the ticket-issuer system.


       1.      In the portal, navigate to System Administration → System Configuration → Keystore Administration.

       2.      In the Content tab, click Download verify.der File.

       3.      Browse to the folder in which you want to save the file, and save it. Assign the ZIP extension to the file name.

       4.      Open the compressed file and extract the verify.der file.

       5.      Manually transfer the verify.der file to a system administrator of the ticket-accepting system.

2. Activities on the Ticket-Accepting System

This section describes how to manually import the certificate file you received from the ticket-issuer system.


       1.      Open the SSO wizard using the following URL: http://<host>:<port>/sso2

Note

Alternatively, you can access the wizard by logging on to the SAP NetWeaver Administrator tool and navigating to the Trusted Systems area.

       2.      In the wizard, choose Add Trusted System → By Uploading Certificate Manually.

       3.      Enter the system ID and client ID of the ticket-issuer system:

       System ID: Indicates the 3-letter ID defined during the installation of the portal.

       Client: Indicates the client ID as specified in the login.ticket_client property of the UME Provider in the portal. For a Java stack, the default client ID is 000; however, in an Add-In installation, the client ID must be unique and therefore cannot be 000. For more information, see Specifying the J2EE Engine Client to Use for Logon Tickets.

       4.      In the Certificate File field, browse to the location where you stored the certificate file obtained from the ticket-issuer system.

       5.      Click Next and then Finish.
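As an added example (not part of the SAP documentation), a stdlib-only Python script that an administrator on the ticket-accepting side can run on the received verify.der before importing it: it reads the certificate's notBefore/notAfter with a minimal DER walker and checks the clock-synchronization prerequisite against the 3-minute AS Java allowance. SAMPLE is a constructed certificate-shaped byte string, not a real verify.der, and the function names are this example's own.

```python
"""Pre-import checks on a received verify.der: certificate validity window (minimal DER
walker, not a general X.509 parser) and the 3-minute clock-synchronization prerequisite."""
from datetime import datetime, timedelta, timezone
MAX_SKEW = timedelta(minutes=3)  # AS Java tolerates +/- 3 minutes of clock deviation


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:  # long form: low 7 bits give the number of length octets
        n, ln = ln & 0x7F, 0
        for b in buf[pos:pos + n]:
            ln = (ln << 8) | b
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def children(body):  # (tag, value) of each TLV directly inside a SEQUENCE/SET body
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val


def parse_time(tag, val):  # 0x17 UTCTime (YYMMDD...) or 0x18 GeneralizedTime (YYYYMMDD...)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def validity_window(der):
    """Return (notBefore, notAfter) of an X.509 DER certificate as UTC datetimes."""
    _, cert, _ = read_tlv(der)  # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = read_tlv(cert)  # tbsCertificate is the first element
    for tag, val in children(tbs):
        if tag == 0x30 and val[0] in (0x17, 0x18):  # Validity: SEQUENCE of two times
            return tuple(parse_time(t, v) for t, v in children(val))
    raise ValueError("no Validity field found")


def certificate_valid_at(der, now):  # pass datetime.now(timezone.utc) for a live check
    nb, na = validity_window(der)
    return nb <= now <= na


def clocks_synchronized(issuer_now, acceptor_now):
    """Prerequisite check: the two server clocks differ by no more than MAX_SKEW."""
    return abs(issuer_now - acceptor_now) <= MAX_SKEW


def enc(tag, body):  # short-form DER encoder, used only to build the constructed sample
    return bytes([tag, len(body)]) + body
# Constructed sample: certificate-shaped DER carrying only the fields the walker needs.
SAMPLE = enc(0x30, enc(0x30,
    enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01")                     # version, serial
    + enc(0x30, enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))         # signature alg
    + enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03") + enc(0x0c, b"EP1"))))  # issuer
    + enc(0x30, enc(0x17, b"240101000000Z") + enc(0x17, b"340101000000Z"))))  # validity
```

For a real file, read it with `open("verify.der", "rb").read()` in place of SAMPLE; a certificate whose window does not contain the accepting portal's current time, or clocks that differ by more than three minutes, will only surface as runtime logon-ticket errors after the import.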

More Information:

      Configuring the J2EE Engine to Accept Logon Tickets 

      Checking or Updating the Certificates of Trusted Systems 
