Manual AS Java Configuration for Accepting Logon Tickets
You can use the following configuration steps in cases where the configuration wizard does not meet your configuration requirements. For example, you can use this configuration option in cases where the AS Java must use configurations for accepting logon tickets that are different from the configuration for accepting assertion tickets.
To check the validity of a user’s logon ticket, the AS Java must be able to verify the issuing server’s digital signature.
● If the AS Java is both the ticket-issuing server as well as the accepting server, then it can automatically verify its own digital signature.
● If the ticket-issuing server is a different one, then this server’s public-key certificate must be made available in the keystore view that the AS Java uses for verifying logon tickets.

In the case where you use authentication assertion tickets for SSO between the AS ABAP and the AS Java, the corresponding module is EvaluateAssertionTicketLoginModule.
1. Export the ticket-issuing server’s public-key certificate. Note the following:
○ If the ticket-issuing server is an AS Java or an SAP NetWeaver Enterprise Portal 6.0 SP3 and higher:
i. Using the Keystore Management functions in the NWA for the ticket-issuing AS Java, select the TicketKeystore view and the SAPLogonTicketKeypair-cert entry.
ii. Choose Export.
iii. Specify a file name. Use the file type X.509 Certificate with the extension .crt and choose OK.
○ If the ticket-issuing server is an SAP NetWeaver Enterprise Portal 6.0 SP2 or lower, then use the Keystore Manager on the portal to export the public-key certificate. Rename the file to use the extension .crt.
○ For an SAP NetWeaver Enterprise Portal 5.0, the certificate is the verify.der file in the file system. Change the extension of this file to .crt. For more information, see the Administration Guide for the Enterprise Portal 5.0 under Security → User Management and Security Files.
○ If the ticket-issuing server is AS ABAP, then use the trust manager to export the server’s public-key certificate:
...
i. Log on to the AS ABAP server.
ii. Start the transaction STRUST.
iii. Select the Personal Security Environment (PSE) that is used for logon tickets (by default, this is the system PSE).
iv. The server’s public-key certificate appears in the upper section of the screen. The Distinguished Name appears in the Own. cert. field.
v. Select the Distinguished Name with a double-click.
vi. The certificate appears in the lower section of the screen.
vii. Choose Certificate → Export.
viii. The Export Certificate dialog appears.
ix. Save the certificate to a file. Use DER encoding and the extension .crt.
2. Import the logon ticket-issuing system’s certificate into the TicketKeystore view on the logon ticket-accepting AS Java:
a. Using the Keystore Management functions in the NWA on the accepting server, select the TicketKeystore view.
b. Choose Load.
c. Select the file from the file system and choose OK.
The certificate is stored in the selected view as a CERTIFICATE entry.
3. Note the server’s Distinguished Name ([DN]) and the issuer’s Distinguished Name ([IssuerDN]). You need these two Distinguished Names for the access control list (ACL) entries in the next step.
4. Maintain the logon ticket access control list in the options for the login module EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule):
a. Using the authentication configuration functions of the NWA, open the configuration options for the EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule).
b. Make the following entries in the login module configuration options for each ticket-issuing server from which the AS Java should accept logon tickets:
Name | Value
trustedsys<x> | <SID>, <Client>. For more information, see Specifying the AS Java Client to Use for Logon Tickets.
trustediss<x> | <Issuer’s_Distinguished_Name>: Distinguished Name of the issuer of the ticket-issuing system’s public-key certificate.
trusteddn<x> | <System’s_Distinguished_Name>: Distinguished Name of the ticket-issuing system. If the ticket-issuing system uses a self-signed certificate, then these two Distinguished Names are identical.
ume.configuration.active | true
The AS Java can accept logon or assertion tickets from the corresponding server.
The following example shows an access control list for an AS Java that should accept logon tickets issued either by the SAP system ABC, client 100, or by the AS Java with the system ID J2E.
Sample Access Control List Entries
Name | Value
trustedsys1 | ABC, 100
trustediss1 | CN=ABC, O=MyCompany, C=US
trusteddn1 | CN=ABC, O=MyCompany, C=US
trustedsys2 | J2E, 000
trustediss2 | CN=J2E, O=MyCompany, C=US
trusteddn2 | CN=J2E, O=MyCompany, C=US
ume.configuration.active | true
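The following added example (not SAP code, and not how the AS Java itself implements the login module) illustrates the check that the ACL above expresses: a ticket is accepted only when one and the same index <x> matches the issuing system ID and client (trustedsys<x>), the Distinguished Name of the signing certificate (trusteddn<x>) and its issuer (trustediss<x>). The DN normalization and the option names used as a plain dictionary are assumptions of the example; the sample values are the ones from the table above.

```python
import re

# Constructed sample: login module options as maintained in the NWA,
# using the values of the sample ACL above (not a real system's configuration).
LOGIN_MODULE_OPTIONS = {
    "trustedsys1": "ABC, 100",
    "trustediss1": "CN=ABC, O=MyCompany, C=US",
    "trusteddn1": "CN=ABC, O=MyCompany, C=US",
    "trustedsys2": "J2E, 000",
    "trustediss2": "CN=J2E, O=MyCompany, C=US",
    "trusteddn2": "CN=J2E, O=MyCompany, C=US",
    "ume.configuration.active": "true",
}

def normalize_dn(dn):
    """Compare DNs component-wise: ignore spacing around commas and the case of attribute types."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(f"{k.strip().upper()}={v.strip()}" for k, v in (p.split("=", 1) for p in parts))

def parse_acl(options):
    """Group trustedsys<x>/trustediss<x>/trusteddn<x> into complete entries keyed by <x>.

    Entries missing one of the three options are dropped: a SID without a
    certificate DN to pin it to would accept any signer claiming that SID.
    """
    grouped = {}
    for name, value in options.items():
        m = re.fullmatch(r"trusted(sys|iss|dn)(\d+)", name)
        if not m:
            continue  # e.g. ume.configuration.active is not an ACL entry
        grouped.setdefault(m.group(2), {})[m.group(1)] = value.strip()
    complete = {}
    for idx, e in grouped.items():
        if {"sys", "iss", "dn"} <= e.keys():
            sid, client = (s.strip() for s in e["sys"].split(","))
            complete[idx] = (sid, client, normalize_dn(e["iss"]), normalize_dn(e["dn"]))
    return complete

def is_trusted_issuer(options, sid, client, signer_dn, signer_issuer_dn):
    """Accept only if a single ACL index matches SID, client, signer DN and signer issuer DN."""
    for s, c, iss, dn in parse_acl(options).values():
        if (s, c) == (sid, client) \
                and normalize_dn(signer_dn) == dn \
                and normalize_dn(signer_issuer_dn) == iss:
            return True
    return False
```

Mixing the SID of one entry with the certificate of another is rejected, which is why the three options of one issuing system must share the same index.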