Single Sign-On for Java Remote Method Invocation

Use

Java Remote Method Invocation (RMI) enables the AS Java to support communication between applications running on remote Java Virtual Machines (JVMs). An example of the use of RMI is the communication between external Java applications and the AS Java. You can use RMI either with the P4 protocol, which is an SAP proprietary protocol, or with the Internet Inter-ORB Protocol (IIOP).

Both RMI over P4 and RMI over IIOP enable you to use client authentication with a user name and password. In addition, for communication in insecure environments and for SSO, the AS Java enables you to configure the use of SSL with client certificate authentication and transport layer security.

Integration

The authentication and security aspects of RMI communication are configured on the server during application development. This means that application developers configure the security requirements for the server-side application using the deployment descriptors (in the case of EJB applications), or using programmatic authentication in the remote objects' code. The client, on the other hand, uses the configured security methods to authenticate itself to the server-side application and to get access to its business methods.

The security aspects for RMI-IIOP applications are defined by the Common Secure Interoperability V2 Specification. The AS Java's Object Request Broker (ORB) implementation fully supports conformance level 0 of this specification. The client-side ORB must also implement this specification so that the client can use the various security functions for executing methods on the remote objects.

Features

Authentication aspects for RMI-P4

RMI-P4 clients authenticate themselves to the naming system on the AS Java when they obtain an InitialContext to access server-side EJBs and Java classes that implement remote interfaces. The authentication is performed using a user name and password. The user name and password of the RMI-P4 client are provided as environment properties in the source code of RMI-P4 client applications.

For more information, see Authentication for RMI-P4 Clients.
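The following Java client is an added example, not code from the SAP documentation. It shows the user name and password being passed as JNDI environment properties when the InitialContext is obtained, with the password read at run time rather than stored in the source. The factory class name, the provider URL format and the JNDI name are assumptions about the installation, and the AS Java client library is assumed to be on the classpath.

```java
import java.io.Console;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class P4ClientLogin {
    // Assumption: JNDI factory class shipped with the AS Java client library.
    static final String FACTORY = "com.sap.engine.services.jndi.InitialContextFactoryImpl";

    // Builds the environment properties the naming system uses to authenticate the client.
    static Hashtable<String, Object> buildEnv(String providerUrl, String user, char[] password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        env.put(Context.PROVIDER_URL, providerUrl);          // assumed form: host:p4port
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        return env;
    }

    public static void main(String[] args) {
        Console console = System.console();
        if (args.length != 3 || console == null) {
            System.err.println("usage (interactive terminal): P4ClientLogin <host:port> <user> <jndiName>");
            System.exit(2);
        }
        // Prompt for the password so that it never appears in source code or arguments.
        char[] password = console.readPassword("Password for %s: ", args[1]);
        Context ctx = null;
        try {
            ctx = new InitialContext(buildEnv(args[0], args[1], password));
            Object remote = ctx.lookup(args[2]);             // hypothetical JNDI name of a remote object
            System.out.println("Authenticated; looked up " + remote.getClass().getName());
        } catch (AuthenticationException e) {
            // Raised if the provider reports rejected credentials with this exception type.
            System.err.println("Credentials rejected for user " + args[1]);
        } catch (NamingException e) {
            System.err.println("JNDI error: " + e);
        } finally {
            Arrays.fill(password, '\0');                     // clear the local copy of the password
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```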

In addition, you can configure the use of SSL for the RMI-P4 communication. In this case, the authentication is performed using the underlying SSL security protocol.

For more information about configuring the use of SSL, see Using P4 Protocol Over a Secure Connection.

Authentication aspects for RMI-IIOP

For RMI-IIOP applications, you can specify the authentication mechanisms to be used for user authentication and the realm that the client credentials are valid for. The AS Java's ORB supports authentication by user name and password only.

For more information, see Security for RMI-IIOP Applications.

In addition, you can require that the message transport is conducted over an SSL layer to ensure data integrity and confidentiality. You can also specify the handshake procedure to be used: one-directional or bi-directional. In this case, client and server authentication is handled by the underlying SSL security protocol.

For more information, see Configuring the AS Java for IIOP Security.

See also:

Using AS Java in SAP NetWeaver Developer Manual