Setting Up Trust
Applicable to: remote role assignment, remote delta link, WSRP application sharing (between NetWeaver portals only)
Logon tickets are used to establish trust between the producer and consumer portals in a federated portal network. A logon ticket is digitally signed by the issuing server; the accepting system needs the public key of the issuing server, which it obtains from the issuer's certificate, to verify this digital signature.
To set up trust between each producer and consumer portal pairing, you need to exchange a server certificate file between the systems of each portal. This is a one-time procedure.
The content usage mode you plan to use determines whether you need to exchange the certificate file in one direction only (consumer to producer) or in both directions (consumer to producer, and producer to consumer):
● A system administrator on the producer portal must manually import the certificate key file obtained from a system administrator on the consumer portal, and then configure certain authorization settings.
This certificate file exchange is mandatory so that remote users on the consumer portal are recognized as authenticated users when they request content from the producer portal.

Since the authentication mechanisms of different portal vendors are not compatible with one another, this procedure is not relevant to an SAP NetWeaver Portal and non-SAP portal pairing.
● A system administrator on the consumer portal must import the certificate key file obtained from a system administrator on the producer portal, and then configure certain authorization settings.
This certificate key file exchange is optional. It is needed only if you want remote role assignments to be removed automatically on the relevant consumer portals when their respective roles are deleted on the producer portal.
● On both the ticket-issuer server and the ticket-accepting server, you have access either to a central SAP NetWeaver Administrator tool or to the local SAP NetWeaver Administrator tool of that server.
You must be assigned the System Administration role in the SAP NetWeaver Administrator tool to use the keystore and authentication administration functions.
● The server clocks of the producer portal and consumer portal must be synchronized at all times.
To compensate for clocks running at different speeds, the authentication mechanism of AS Java provides a maximum skew time of 3 minutes in either direction.

The procedure described below for setting up trust does not fail if the clocks are not synchronized. Errors resulting from unsynchronized clocks become evident only at runtime, when the ticket-accepting system rejects a logon ticket from the ticket-issuing system as invalid, for example when the consumer requests the navigation structure and framework of a remote role from the producer portal. Synchronize both servers against the same time source (for example, NTP) before you begin, so that such failures do not surface later as intermittent authentication errors.
The following procedure describes how to exchange certificate key files between the producer and the consumer. If you are setting up the mandatory one-way trust configuration, perform the procedure once only. If you are setting up the optional two-way trust configuration, perform the procedure twice, swapping the roles of producer and consumer as shown in the following table.
| | Ticket-Issuer System | Ticket-Accepting System |
| Exchange 1 (mandatory) | Consumer | Producer |
| Exchange 2 (optional) | Producer | Consumer |

If you are configuring trust with an earlier release of SAP NetWeaver, such as SAP NetWeaver 7.0, you can use a verify.der file as the certificate key file.
This section describes how to export a certificate key file from your ticket-issuer system.
...
1. Open the local SAP NetWeaver Administrator on the ticket-issuer system, or use a central SAP NetWeaver Administrator to connect to the local instance.

To access the SAP NetWeaver Administrator directly, add /nwa to the AS Java URL (for example: http://<hostname>:<port>/nwa).
2. In the SAP NetWeaver Administrator, open the Key Storage application.

To quickly navigate to the Key Storage application, you can add the quick-link /nwa/key-storage to the AS Java URL (for example: http://<hostname>:<port>/nwa/key-storage).
3. In the Content tab, select TicketKeystore from the available keystore views.
4. Click Edit.
5. Select SAPLogonTicketKeypair-cert from the available view entries.
6. Click Export Entry.
7. Select Binary X.509 Certificate File as the export format.

This file format is equivalent to the verify.der/crt file used in previous releases of SAP NetWeaver, such as 7.0. It can be uploaded to a ticket-accepting AS ABAP or AS Java. The exported file contains only the certificate, that is, the public key of SAPLogonTicketKeypair; the private key used to sign logon tickets stays in the TicketKeystore of the ticket-issuer system and must never be copied to the accepting system.
8. Click Download to export the file.
9. Manually transfer the file to a system administrator of the ticket-accepting system. Use a channel you trust, and have the receiving administrator confirm the certificate's subject name and fingerprint with you over a second channel before importing it, since whoever controls the imported certificate can issue logon tickets that the accepting system will trust.
This section describes how to manually import the certificate key file you received from the ticket-issuer system and to configure the necessary authorization settings.
...
1. Open the local SAP NetWeaver Administrator on the ticket-accepting system, or use a central SAP NetWeaver Administrator to connect to the local instance.

To access the SAP NetWeaver Administrator directly, add /nwa to the AS Java URL (for example: http://<hostname>:<port>/nwa).
2. In the SAP NetWeaver Administrator, open the Key Storage application.

To quickly navigate to the Key Storage application, you can add the quick-link /nwa/key-storage to the AS Java URL (for example: http://<hostname>:<port>/nwa/key-storage).
3. In the Content tab, select TicketKeystore from the available keystore views.
4. Click Edit.
5. Click Import Entry.
6. Select X.509 Certificate as the entry type.
7. Browse to the location where you saved the certificate key file that you obtained from the ticket-issuer system.
8. Click Import.
...
1. Open the local SAP NetWeaver Administrator on the ticket-accepting system, or use a central SAP NetWeaver Administrator to connect to the local instance.
2. In the SAP NetWeaver Administrator, open the Authentication application.

To quickly navigate to the Authentication application, you can add the quick-link /nwa/auth to the AS Java URL (for example: http://<hostname>:<port>/nwa/auth).
3. In the Login Modules tab, select EvaluateTicketLogonModule from the available login module views.
4. Click Edit.
5. In the login module details view, add the following parameters:
| Parameter Name | Value |
| trusteddn1 | The distinguished name of the certificate owner. To obtain this value: 1. In the SAP NetWeaver Administrator, navigate to the Key Storage administration function. 2. In the TicketKeystore keystore view, display the details of the certificate you imported earlier. 3. Copy the value of the Subject name. For example: OU=J2EE, CN=PS2 |
| trustediss1 | The distinguished name of the certificate issuer. To obtain this value: 1. In the SAP NetWeaver Administrator, navigate to the Key Storage administration function. 2. In the TicketKeystore keystore view, display the details of the certificate you imported earlier. 3. Copy the value of the Issuer name. For example: OU=J2EE, CN=PS2 (for a self-signed certificate the issuer name equals the subject name) |
| trustedsys1 | The system ID and client ID of the ticket-issuer portal, in the format <System_ID>,<client_ID> with the two values separated by a comma (,). For example: GP1,000. System ID: the 3-letter ID defined during installation. Client ID: the client ID specified in the login.ticket_client property of the UME provider. For a Java stack, the default client ID is 000; in an Add-In installation, however, the client ID must be unique and therefore cannot be 000. For more information, see |

Define a new set of parameters in the login module for each ticket-issuer system, incrementing the suffix in the parameter names for each set (for example: trusteddn2, trustediss2, trustedsys2, and so on). The three parameters that share a suffix describe one issuer, so do not mix the owner DN, issuer DN or system/client values of different issuers under the same suffix.
8. Restart the server.
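The export in the first procedure and the parameter table above both depend on reading the subject name, issuer name and identity out of the transferred certificate file. The following Python script is an added example, not SAP code: it parses a binary X.509 file of the kind exported from TicketKeystore, prints the SHA-256 fingerprint that the two administrators should compare over a second channel, and derives the trusteddnN/trustedissN/trustedsysN set for one issuer. It assumes (as stated in the code) that the distinguished name is rendered in DER order as "OU=J2EE, CN=PS2"; always match the exact string shown in the Key Storage details. The embedded SAMPLE_DER is a constructed, unsigned certificate-shaped structure for offline demonstration; a real verify.der carries an RSA public key and a signature, which this script neither needs nor verifies.

```python
"""Inspect a binary X.509 file (verify.der style) from the ticket-issuer's
TicketKeystore and derive EvaluateTicketLogonModule parameters.

Added example, not SAP code. Assumption: DNs are rendered in DER order as
'OU=J2EE, CN=PS2'; compare against what the NWA Key Storage actually shows.
Uses only hashlib, so it runs on any Python 3 without extra packages.
"""
import hashlib

# DER-encoded attribute-type OIDs that typically appear in SAPLogonTicketKeypair DNs.
_ATTR = {
    b"\x55\x04\x03": "CN", b"\x55\x04\x0b": "OU", b"\x55\x04\x0a": "O",
    b"\x55\x04\x06": "C", b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST",
}


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def decode_name(name_der):
    """Render an X.501 Name as 'OU=J2EE, CN=PS2' (RDNs in DER order; assumption)."""
    parts = []
    for _, rdn in _children(name_der):      # SEQUENCE OF RelativeDistinguishedName
        for _, atv in _children(rdn):       # SET OF AttributeTypeAndValue
            (_, oid), (_, val) = _children(atv)
            parts.append(f"{_ATTR.get(oid, 'OID')}={val.decode('utf-8')}")
    return ", ".join(parts)


def inspect_certificate(der):
    """Return subject DN, issuer DN and SHA-256 fingerprint of a DER certificate."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE: is this really a binary X.509 file?")
    tbs = _children(_children(cert)[0][1])  # TBSCertificate fields
    skip = 1 if tbs[0][0] == 0xA0 else 0    # the explicit [0] version field is optional
    return {
        "issuer": decode_name(tbs[skip + 2][1]),
        "subject": decode_name(tbs[skip + 4][1]),
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),  # confirm out-of-band
    }


def login_module_parameters(der, system_id, client, suffix=1):
    """Build the trusteddnN/trustedissN/trustedsysN set for one ticket issuer."""
    if len(system_id) != 3 or not system_id.isalnum():
        raise ValueError("system ID must be the 3-character SID chosen at installation")
    if len(client) != 3 or not client.isdigit():
        raise ValueError("client ID must be 3 digits, e.g. 000")
    info = inspect_certificate(der)
    return {
        f"trusteddn{suffix}": info["subject"],
        f"trustediss{suffix}": info["issuer"],
        f"trustedsys{suffix}": f"{system_id},{client}",
    }


# --- constructed fixture: minimal, unsigned certificate-shaped DER (not a real export) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(*rdns):
    return _der(0x30, b"".join(
        _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, text.encode())))
        for oid, text in rdns))


_SHA256_RSA = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
_DN = ((b"\x55\x04\x0b", "J2EE"), (b"\x55\x04\x03", "PS2"))  # self-signed: issuer == subject
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _SHA256_RSA
            + _name(*_DN)
            + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
            + _name(*_DN) + _der(0x30, b""))  # empty placeholder instead of a real SPKI
SAMPLE_DER = _der(0x30, _TBS + _SHA256_RSA + _der(0x03, b"\x00"))

if __name__ == "__main__":
    print("fingerprint:", inspect_certificate(SAMPLE_DER)["sha256_fingerprint"])
    for key, value in login_module_parameters(SAMPLE_DER, "GP1", "000").items():
        print(f"{key} = {value}")
```

Run it against the downloaded file by replacing SAMPLE_DER with `open("verify.der", "rb").read()`; the administrator of the ticket-issuer system runs the same command on the file before sending it, and the two fingerprints must agree before the import in the second procedure goes ahead.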