Configuring the J2EE Engine to Accept Logon Tickets

Use

To check the validity of a user’s logon ticket, the J2EE Engine must be able to verify the issuing server’s digital signature. If the J2EE Engine is both the ticket-issuing server as well as the accepting server, then it can automatically verify its own digital signature. However, if the ticket-issuing server is a different one, then you must import this server’s public-key certificate (or its issuing CA’s root certificate) into the keystore view that the J2EE Engine uses for verifying logon tickets.

In addition, the J2EE Engine should only accept logon tickets issued by a trusted server. To specify another server as a trusted ticket-issuing server, you must enter its identity in the login module options on the J2EE Engine.

Note

Per default, the J2EE Engine automatically accepts its own logon tickets. Therefore, if the J2EE Engine is both the ticket-issuing system as well as the accepting system, then you can omit this procedure.

Prerequisites

The login module stacks for applications that will accept logon tickets contain the login module EvaluateTicketLoginModule as described in Adjusting the Login Module Stacks for Using Logon Tickets.

Note

For system connections between the SAP Web AS ABAP and the J2EE Engine that use the authentication assertion ticket, the corresponding module is EvaluateAssertionTicketLoginModule.

Procedure

If the ticket-issuing server is a different J2EE Engine, then:

1. Export the ticket-issuing server’s public-key certificate. Note the following:

   - If the ticket-issuing server is a different J2EE Engine, then use the Key Storage service to export the certificate from the TicketKeystore view:

     i.   Using the Key Storage service on the ticket-issuing server, select the TicketKeystore view and the SAPLogonTicketKeypair-cert entry.

     ii.  Choose Export.

     iii. Specify a filename. Use the file type X.509 Certificate with the extension .crt and choose OK.

   - If the ticket-issuing server is an Enterprise Portal 6.0 SP2 or lower, then use the Keystore Manager on the portal to export the public-key certificate. Rename the file to use the extension .crt.

   - For an Enterprise Portal 5.0, the certificate is the verify.der file in the file system. Change the extension of this file to .crt. For more information, see the Administration Guide for the Enterprise Portal 5.0 under Security → User Management and Security Files.

   - If the ticket-issuing server is a SAP Web AS ABAP, then use the trust manager to export the server’s public-key certificate:

     i.    Log on to the SAP Web AS ABAP server.

     ii.   Start the transaction STRUST.

     iii.  Select the Personal Security Environment (PSE) that is used for logon tickets (per default, this is the System PSE).

     iv.   The server’s public-key certificate appears in the upper section of the screen. The Distinguished Name appears in the Own. cert. field.

     v.    Select the Distinguished Name with a double-click.

     vi.   The certificate appears in the lower section of the screen.

     vii.  Choose Certificate → Export.

     viii. The Export Certificate dialog appears.

     ix.   Save the certificate to a file. Use DER encoding and the extension .crt.

2. Import this certificate into the TicketKeystore view on the accepting J2EE Engine:

   a. Using the Key Storage service on the accepting server, select the TicketKeystore view.

   b. Choose Load.

   c. Select the file from the file system and choose OK.

The certificate is stored in the selected view as a CERTIFICATE entry.

3. Note the server’s Distinguished Name ([DN]) and the issuer’s Distinguished Name ([IssuerDN]). You need these two Distinguished Names for the access control list (ACL) entries in the next step.

4. Maintain the logon ticket access control list in the options for the login module EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule):

   a. Using the Security Provider service, choose User Management.

   b. Choose Manage Security Stores.

   c. Make sure the UME User Store is selected as the user store.

   d. Select the EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) entry and choose View / Change Properties.

   e. Under Options, make the following entries for each ticket-issuing server from which the J2EE Engine should accept logon tickets:

Login Module Options

Name                      Value
------------------------  ------------------------------------------------------------
trustedsys<x>             <SID>, <Client>
                          Note: See Specifying the J2EE Engine Client to Use for Logon Tickets.
trustediss<x>             <Issuer’s_Distinguished_Name>
                          Distinguished Name of the issuer of the ticket-issuing system’s public-key certificate.
trusteddn<x>              <System’s_Distinguished_Name>
                          Distinguished Name of the ticket-issuing system.
                          Note: If the ticket-issuing system uses a self-signed certificate, then these two Distinguished Names are identical. Also, the corresponding public-key certificate must exist in the SAPLogonTicket keystore view entry.
tenant<x>                 Multitenant portal only: <Tenant name>
                          Note: This entry is necessary if the accepting J2EE Engine is part of a multitenant portal environment, but the ticket issuer is not. In this case, you need to specify the tenant name as defined in the multitenant portal. For more information, see Setting Up Trust Between SAP Systems.
ume.configuration.active  true

5. Check the login module stack for the ticket template (or any other applications that use the EvaluateTicketLoginModule).

   In the Security Provider service, choose Policy Configurations.

   If the fully qualified name for the login module is displayed, for example, com.sap.security.core.server.jaas.EvaluateTicketLoginModule, then remove the login module and re-insert it. Position it at the top of the stack. Specify the flag SUFFICIENT.

Caution

Changes to login module options in the user store are inherited by the login module stacks where the login module is used.

Alternatively, you can change the options in the login module stacks in the policy configurations. However, if you do make changes in the policy configurations, then changes to the login module in the user store are no longer inherited by the policy configurations for the applications. In this case, the fully qualified name of the login module is displayed in the login module stack.

Example

The following example shows an access control list for the J2EE Engine that should accept logon tickets that have either been issued by the SAP System ABC, client 100 or from the J2EE Engine with the system ID J2E.

Sample Access Control List Entries

Name                      Value
------------------------  ---------------------------
trustedsys1               ABC, 100
trustediss1               CN=ABC, O=MyCompany, C=US
trusteddn1                CN=ABC, O=MyCompany, C=US
trustedsys2               J2E, 000
trustediss2               CN=J2E, O=MyCompany, C=US
trusteddn2                CN=J2E, O=MyCompany, C=US
ume.configuration.active  true

Sample Access Control List Entries for Multitenant System

Name                      Value
------------------------  ---------------------------
trustedsys1               ABC, 100
trustediss1               CN=ABC, O=MyCompany, C=US
trusteddn1                CN=ABC, O=MyCompany, C=US
tenant1                   TenantA
trustedsys2               J2E, 000
trustediss2               CN=J2E, O=MyCompany, C=US
trusteddn2                CN=J2E, O=MyCompany, C=US
tenant2                   TenantB
ume.configuration.active  true

Note

Users with logon tickets that are issued from system ABC, client 000, are associated with the tenant TenantA, while users with logon tickets issued from system J2E, client 000, are associated with the tenant TenantB.
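The following Python program is an added illustrative model of how the indexed options from step 4 (trustedsys<x>, trustediss<x>, trusteddn<x>, tenant<x>) form ACL entries and how a ticket's issuer is matched against them, using the sample entries above as its configuration. It is example code written for this page, not SAP's EvaluateTicketLoginModule: the names TicketIssuer, AclEntry, parse_acl and evaluate are this example's own, and the Distinguished Name normalization it applies (case-insensitive attribute types, whitespace around components ignored) is an assumption about sensible comparison behaviour, not a statement of the module's actual rules. The option ume.configuration.active is carried in the sample dictionaries but not interpreted.

```python
"""Illustrative model of the logon ticket ACL options (added example, not SAP code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Option values copied from the page's "Sample Access Control List Entries".
SAMPLE_OPTIONS = {
    "trustedsys1": "ABC, 100",
    "trustediss1": "CN=ABC, O=MyCompany, C=US",
    "trusteddn1": "CN=ABC, O=MyCompany, C=US",
    "trustedsys2": "J2E, 000",
    "trustediss2": "CN=J2E, O=MyCompany, C=US",
    "trusteddn2": "CN=J2E, O=MyCompany, C=US",
    "ume.configuration.active": "true",
}

# The page's multitenant variant: the same entries plus one tenant<x> per entry.
MULTITENANT_OPTIONS = dict(SAMPLE_OPTIONS, tenant1="TenantA", tenant2="TenantB")

DN = Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class AclEntry:
    index: int
    sid: str
    client: str
    issuer_dn: DN
    subject_dn: DN
    tenant: Optional[str] = None


@dataclass(frozen=True)
class TicketIssuer:
    """What the accepting engine learns from a ticket and the certificate that verified it
    (hypothetical structure for this example)."""
    sid: str
    client: str
    subject_dn: str
    issuer_dn: str


def parse_dn(dn: str) -> DN:
    """Split a string DN into (TYPE, value) pairs. Splits only on unescaped commas and
    ignores whitespace around components and the case of the attribute type, so
    'CN=ABC, O=MyCompany, C=US' and 'cn=ABC,o=MyCompany,c=US' compare equal
    (normalization rule assumed for this example)."""
    components = []
    for part in re.split(r"(?<!\\),", dn):
        attr_type, sep, value = part.strip().partition("=")
        if not sep or not attr_type.strip():
            raise ValueError(f"malformed DN component: {part!r}")
        components.append((attr_type.strip().upper(), value.strip()))
    return tuple(components)


def parse_acl(options: Dict[str, str]) -> List[AclEntry]:
    """Group trustedsys<x>, trustediss<x>, trusteddn<x> and tenant<x> by <x>.
    An entry missing any of the three mandatory options is a configuration error and is
    rejected outright rather than being allowed to match on a subset of the identity."""
    grouped: Dict[int, Dict[str, str]] = {}
    for name, value in options.items():
        m = re.fullmatch(r"(trustedsys|trustediss|trusteddn|tenant)(\d+)", name)
        if m:
            grouped.setdefault(int(m.group(2)), {})[m.group(1)] = value
    acl = []
    for idx in sorted(grouped):
        opts = grouped[idx]
        missing = {"trustedsys", "trustediss", "trusteddn"} - opts.keys()
        if missing:
            raise ValueError(f"ACL entry {idx} incomplete, missing {sorted(missing)}")
        sid, _, client = opts["trustedsys"].partition(",")
        acl.append(AclEntry(idx, sid.strip(), client.strip(),
                            parse_dn(opts["trustediss"]), parse_dn(opts["trusteddn"]),
                            opts.get("tenant")))
    return acl


def evaluate(ticket: TicketIssuer, acl: List[AclEntry]) -> Tuple[bool, Optional[str]]:
    """Accept only when a single entry matches system ID, client, issuer DN and subject DN
    together; returns (accepted, tenant). A known SID whose certificate DNs differ (for
    example an issuer that was re-keyed without importing the new certificate) is rejected."""
    subject, issuer = parse_dn(ticket.subject_dn), parse_dn(ticket.issuer_dn)
    for entry in acl:
        if (entry.sid, entry.client, entry.issuer_dn, entry.subject_dn) == (
                ticket.sid, ticket.client, issuer, subject):
            return True, entry.tenant
    return False, None


if __name__ == "__main__":
    acl = parse_acl(MULTITENANT_OPTIONS)
    # Self-signed issuer from the sample entries: issuer DN and subject DN are identical.
    accepted = TicketIssuer("ABC", "100", "CN=ABC,O=MyCompany,C=US", "CN=ABC,O=MyCompany,C=US")
    wrong_client = TicketIssuer("ABC", "200", "CN=ABC,O=MyCompany,C=US", "CN=ABC,O=MyCompany,C=US")
    print(evaluate(accepted, acl))      # (True, 'TenantA')
    print(evaluate(wrong_client, acl))  # (False, None)
```

The check compares all four identity components as a unit. A ticket from the configured system ID but a different client, or one whose verifying certificate chains to an issuer other than the configured trustediss<x>, is not accepted, which is the behaviour the ACL is meant to enforce when a trusted peer is re-keyed or a neighbouring client is not meant to be trusted.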

Result

The J2EE Engine accepts logon tickets that have been issued by the corresponding server.

Continue with Testing the Use of Logon Tickets.

 
