Configuring the AS Java to Issue Logon Tickets
When a user requests access to an AS Java application, the AS Java processes the stack of login modules that apply to the application. Therefore, to configure the AS Java as a logon ticket-issuing system, you adjust the login module stacks for the policy configurations of AS Java applications.
The AS Java must possess a public and private key pair and a public-key certificate that it can use to digitally sign the logon ticket. By default, the AS Java is delivered with a key pair and a public-key certificate for issuing logon tickets; these are stored in the AS Java’s TicketKeystore.
In addition, the systems that accept logon tickets from the AS Java must have an established trust relationship with the AS Java and access to the AS Java’s public-key certificate to verify the digital signature provided with the ticket.
Use the authentication configuration functions of the SAP NetWeaver Administrator (NWA) to configure the login module stacks. For more information, see Managing Login Modules and Managing Authentication Policy.
...
1. Choose the Components tab and use the provided buttons to switch to Edit mode.
2. From the list in the Component Policy Configurations table, select the policy configuration for the component name that corresponds to the application for which the AS Java issues a logon ticket upon user logon.
a. From the Authentication Stack tab for the selected component policy configuration, choose ticket from the dropdown list for Referenced Authentication Template.
b. The login module stack specified by the ticket template appears in the table Login Modules. The login modules appear as shown in the table below:
| Login Modules | Flag |
| --- | --- |
| EvaluateTicketLoginModule | SUFFICIENT |
| BasicPasswordLoginModule | REQUISITE |
| CreateTicketLoginModule | OPTIONAL |

For this login module stack, the AS Java is both a ticket-accepting and ticket-issuing system. The AS Java first checks to see if the user presents a valid logon ticket with the EvaluateTicketLoginModule. If this is the case, the AS Java accepts the logon ticket and authenticates the user with the valid logon ticket.
If no logon ticket exists for the user, then the AS Java authenticates the user using Basic Authentication. If successful, then the user is issued a logon ticket.
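The control flow described above, modeled as an added example (not SAP code and not part of the original page). It assumes the stack follows standard JAAS control-flag semantics and covers only the login phase; the `outcomes` values are constructed inputs.

```python
# Model of the JAAS login phase for a login module stack (added example, not SAP code).
# Module names and flags are the page's "ticket" template; outcomes are constructed.

TICKET_TEMPLATE = [
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]

def run_stack(stack, outcomes):
    """Return (authenticated, modules_run) for one logon attempt.

    outcomes maps a module name to True/False: whether that module's
    login() would succeed. Modules missing from the map are treated as failing.
    """
    ran = []
    mandatory_ok = True   # no REQUIRED/REQUISITE module has failed so far
    any_success = False   # at least one module succeeded
    for name, flag in stack:
        ok = outcomes.get(name, False)
        ran.append(name)
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE"):
            mandatory_ok = mandatory_ok and ok
            if flag == "REQUISITE" and not ok:
                return False, ran      # REQUISITE failure stops the stack at once
        elif flag == "SUFFICIENT" and ok and mandatory_ok:
            return True, ran           # SUFFICIENT success skips the remaining modules
    return mandatory_ok and any_success, ran

def ticket_issued(stack, outcomes):
    """True only if the logon succeeded and CreateTicketLoginModule was reached."""
    ok, ran = run_stack(stack, outcomes)
    return ok and "CreateTicketLoginModule" in ran

# Constructed scenarios for the ticket template.
VALID_TICKET = {"EvaluateTicketLoginModule": True}
GOOD_PASSWORD = {"BasicPasswordLoginModule": True, "CreateTicketLoginModule": True}
BAD_PASSWORD = {"BasicPasswordLoginModule": False, "CreateTicketLoginModule": True}

if __name__ == "__main__":
    for label, outcomes in [("valid ticket", VALID_TICKET),
                            ("no ticket, good password", GOOD_PASSWORD),
                            ("no ticket, bad password", BAD_PASSWORD)]:
        print(label, run_stack(TICKET_TEMPLATE, outcomes),
              "ticket issued:", ticket_issued(TICKET_TEMPLATE, outcomes))
```

In the bad-password scenario the REQUISITE failure ends processing before CreateTicketLoginModule is reached, which is why the ticket-creating module belongs after the module that authenticates the user.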
To adapt another template or to manually adjust the login module stacks to issue logon tickets for access to individual applications, follow the steps below:
...
...
a. From the Authentication Stack tab for the selected component’s policy configuration, add the login module that authenticates the user before issuing a ticket and choose its flag.
For example, to authenticate users with user names and passwords, you can add the BasicPasswordLoginModule with a REQUISITE flag.
b. Add the login module CreateTicketLoginModule to the login module stack so that it is processed after the login module that actually authenticates the user.
c. Assign the flag SUFFICIENT to the CreateTicketLoginModule.
3. Save your changes and restart the application for the changes to take effect.
To change logon ticket options, edit the following UME properties accordingly:
● login.ticket_lifetime

The time tolerance when verifying the creation and the expiration date of login tickets is set to 3 minutes.
● login.ticket_client

In a combined ABAP and Java system, where both servers have the same system ID, you must specify a unique client ID to use for logon tickets on the AS Java. For more information, see Specifying the Client to Use for Logon Tickets.
For more information about changing UME properties, see Editing UME Properties.
When the user accesses the application, it processes the login module stack as specified. After successfully authenticating the user, the JAAS login module CreateTicketLoginModule creates a logon ticket for the user.

From the Own Ticket tab in the Trusted Systems → Single Sign-On with SAP Logon Tickets configuration functions of the NWA, you can see the key that the AS Java uses to sign issued logon tickets. To change the key, use the TicketKeystore keystore view that is accessible from the Key Storage management functions of the NWA. For more information, see Replacing the Key Pair to Use for Logon Tickets and Using the AS Java Key Storage.