
Configuring the UsernameToken Profile with HTTPS (AS Java)

SAP NetWeaver enables you to configure the use of UsernameToken profiles to authenticate access to Web services at the message level based on a user ID and a password.

Username token profile authentication for WS access uses the SOAP message headers to transport the user ID and password information to the WS provider. You can transfer the password for the authentication either in plaintext or in hash format. To increase the security of the password during the transfer, WS-Security also allows the use of a random value or a nonce. You can also add a timestamp to the password hash.
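As an added example (not SAP code), the hash format described above is defined by the WS-Security UsernameToken Profile as Base64(SHA-1(nonce + created + password)). The Python below computes that digest and shows how a provider can use the timestamp and nonce to reject stale and replayed tokens; `TokenVerifier`, `MAX_AGE`, the timestamp format and the sample user, password and nonce are assumptions made for the illustration.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

# Assumptions: 5-minute freshness window; Created is UTC with second precision.
MAX_AGE = timedelta(minutes=5)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), nonce as raw (decoded) bytes."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

class TokenVerifier:
    """Provider-side check: freshness, digest match, then nonce replay."""
    def __init__(self, passwords):
        self.passwords = passwords  # user -> plaintext password, needed to recompute
        self.seen = {}              # (user, nonce) -> Created time of accepted tokens

    def verify(self, user, nonce_b64, created, digest_b64, now):
        password = self.passwords.get(user)
        if password is None:
            return "unknown-user"
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return "malformed"
        if abs(now - created_at) > MAX_AGE:
            return "stale"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected.encode(), digest_b64.encode()):
            return "bad-digest"
        # Nonces only need remembering while their timestamp is still acceptable.
        self.seen = {k: t for k, t in self.seen.items() if abs(now - t) <= MAX_AGE}
        if (user, nonce) in self.seen:
            return "replay"
        self.seen[(user, nonce)] = created_at
        return "ok"

def demo():
    # Constructed sample values: user, password and nonce are made up.
    verifier = TokenVerifier({"WS_USER": "S3cret!"})
    now = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
    nonce, created = b"\x01" * 16, "2024-01-01T12:00:00Z"
    n64 = base64.b64encode(nonce).decode("ascii")
    good = password_digest(nonce, created, "S3cret!")
    wrong = password_digest(nonce, created, "guess")
    return [verifier.verify("WS_USER", n64, created, good, now),
            verifier.verify("WS_USER", n64, created, good, now),
            verifier.verify("WS_USER", n64, created, good, now + timedelta(minutes=10)),
            verifier.verify("WS_USER", n64, created, wrong, now)]
```

The same token is accepted once, rejected as a replay on resubmission, and rejected as stale once the timestamp falls outside the window.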

Caution

Although using a digest password can protect WS access against directly reading plain-text passwords, it does not offer significantly increased security protection. Therefore, for increased security protection and message confidentiality, we recommend that you configure the use of SSL or XML encryption in addition to username token authentication.

Prerequisites

Procedure

1. Setting Up an SSL Trust Relationship

Set up the trust relationship between the systems so that the consumer system trusts the provider system.

  1. Export the server certificate of the provider system. To do this, in SAP NetWeaver Administrator, under Configuration Management > Security > Certificates and Keys, select the standard SSL server keystore view ICM_SSL_<instance ID>.

    1. Under Details of Keystore Views, on the View Entries tab page, select the ssl-credentials-cert entry.

    2. Choose Export to File, and use the download link to save the certificate as a file in the file system (file format: Base64 X.509).

  2. Import the server certificate of the provider system into the consumer system. To do this, in SAP NetWeaver Administrator, under Configuration Management > Security > Certificates and Keys, select the client SSL keystore view Client_ICM_SSL_<instance ID>.

    1. Under Details of Keystore Views, on the View Entries tab page, choose the Import from File button.

    2. In the Import Entry dialog box, specify the entry type X.509 certificate and the path in the file system, and choose Import.

2. Preparing for the Use of Signatures

  1. Prepare the signature for the consumer system query. Create the trust relationship through which the provider system trusts the consumer system.

    1. In the consumer system, export the system-cert certificate from the keystore view WebServiceSecurity to a file.

      1. In the consumer system, in SAP NetWeaver Administrator, choose Configuration Management > Certificates and Keys.

      2. Select the keystore view WebServiceSecurity.

      3. Under Details of the Keystore View, select the encryption certificate System-cert.

      4. Choose Export to a File.

      5. Enter Base64 X.509 as the export format.

      6. Choose Download.

      7. Choose Save, and enter a name for the file (such as System_cert_<SID>).

    2. In the provider system, import the consumer certificate System_cert_<SID> in the keystore view WebServiceSecurity.

      1. In SAP NetWeaver Administrator, choose Configuration Management > Certificates and Keys.

      2. Select the keystore view WebServiceSecurity.

      3. Choose Import from File.

      4. Choose the import type X.509 certificate.

      5. Specify the path to the certificate file System_cert_<SID>, and choose Import.

  2. Prepare the signature for the provider system response. Create the trust relationship through which the consumer system trusts the provider system.

    1. In the provider system, export the system-cert certificate from the keystore view WebServiceSecurity to a file:

      1. In the provider system, in SAP NetWeaver Administrator, choose Configuration Management > Certificates and Keys.

      2. Select the keystore view WebServiceSecurity.

      3. Under Details of the Keystore View, select the encryption certificate System-cert.

      4. Choose Export to a File.

      5. Enter Base64 X.509 as the export format.

      6. Choose Download.

      7. Choose Save, and enter a name for the file (such as System_cert_<SID>).

    2. In the consumer system, import the provider certificate System_cert_<SID> in the keystore view WebServiceSecurity.

      1. In SAP NetWeaver Administrator, choose Configuration Management > Certificates and Keys.

      2. Select the keystore view WebServiceSecurity.

      3. Choose Import from File.

      4. Choose the import type X.509 certificate.

      5. Specify the path to the certificate file System_cert_<SID>, and choose Import.

3. Preparing Encryption

Import the certificate for the provider system (by default, System-cert) into the keystore view WebServiceSecurity_Certs in the consumer system:

  1. In SAP NetWeaver Administrator, choose Configuration Management > Certificates and Keys.

  2. Select the keystore view WebServiceSecurity_Certs.

  3. Choose Import from File.

  4. Choose the import type X.509 certificate.

  5. Specify the path to the certificate file System_cert_<SID>, and choose Import.

4. Configure a WS Service Endpoint for Providing a Web Service (Provider System)

  1. In NetWeaver Administrator, choose SOA Management > Application and Scenario Communication > Single Service Administration > Service Definitions.

  2. Find the service for the service endpoint that you want to configure, and select it.

  3. On the Configuration tab page, select the service endpoint to be configured, or create a new endpoint by choosing the New button.

  4. In change mode on the Security tab page, select the HTTPS or HTTP option under Transport Protocol.

  5. Under Message Authentication, check the User ID/Password checkbox to permit the use of authentication from Web service consumers with logon tickets.

  6. Under Message Security, select the Require Signature, Add Signature, Require Encryption, and Add Encryption options.

  7. Choose Details and enter the following:

    • Signing Key: Keystore view WebServiceSecurity and private key System-key

    • Certificate for Encryption: Use the signature from the inbound request

  8. Save your entries, or choose Finish in the Assistant.

5. Configure a WS port for Consuming a Web Service (Consumer System)

  1. In NetWeaver Administrator, choose SOA Management > Application and Scenario Communication > Single Service Administration > Consumer Proxies.

  2. Find the service for the service endpoint for which you want to configure a logical port, and select it.

  3. On the Configuration tab page, select the logical port to be configured, or create a new logical port by choosing the New button.

  4. On the Security tab page, under Authentication, choose the Message Authentication option, and check the User ID/Password (Basic) checkbox. Use the Details button to enter a user ID and password for the authentication.

  5. Under Message Security, choose the Details button, and enter the following:

    • Signing Key: Keystore view WebServiceSecurity and private key System-key

    • Certificate for Encryption: Keystore view WebServiceSecurity_Certs and the signature certificate of the provider system imported into the consumer system (such as System-cert_<SID>)