Enabling the UWL Push Mechanism with X.509 Client Certificates

The universal worklist (UWL) push mechanism enables Business Process Management (BPM) to push complete events for tasks into the UWL. As a result, completed tasks are removed from the actual owner's task list automatically and manual refresh is not needed. This procedure describes how you enable the push mechanism to work with X.509 client certificates for authentication.

Procedure

1. Prepare a Key Pair Entry for the UWL Push Mechanism
  1. On the BPM side, log on to SAP NetWeaver Administrator through http://<host>:<port>/nwa and navigate to Configuration Management > Security > Certificates and Keys.

  2. On the Key Storage Content tab, create a key store view with a name that corresponds to the UWL push target, for example BPMUWLPushKeyStore.

    For more information about creating a key store view, see Managing Key Storage Views.

  3. In this key store view, create a new entry with an arbitrary name, for example BPMUWLPushEntry, and with a common name equal to the fully qualified domain name of the provider system as it is displayed in the consumer system.

    For more information, see Creating a Key Pair and Public-Key Certificate.

  4. Generate a CSR request for this entry. Select the Base64 PKCS#10 format and have it signed by a trusted certification authority (CA) that is among the trusted CAs of both the consumer and provider systems. Choose Download.

  5. Choose the Import CSR Response pushbutton and from the file system choose the file that contains the signed CSR request.

  6. Export the entry's own certificate. To do that, choose the Export To File pushbutton, select PKCS#8 Key Pair format, select the first X.509 Certificate file entry with file name containing “cert1” and choose Download to store it in the file system.

  7. On the UWL side, log in as an administrator to the user management engine (UME) through http://<host>:<port>/useradmin.

  8. Choose the Identity Management pushbutton and search for user uwl_service.

  9. Select the uwl_service user and on the Certificates tab page choose Modify > Browse to upload the certificate that you have exported.

    Note: If the Certificates tab page is not displayed, check the UME parameter ume.logon.allow_cert and set it to true if it is false.

2. Configure the UWL Push Web Service to Accept X.509 Certificate Authentications
  1. On the UWL side, log on to SAP NetWeaver Administrator and navigate to SOA Management > Application and Scenario Communication > Single Service Administration > Service Definitions.

  2. On the Search tab page, enter TaskEventListener and choose the Go pushbutton.

  3. Select the TaskEventListener service definition and on the Configuration tab page select the TaskEventListenerPort endpoint.

  4. On the Security tab page, choose the Edit pushbutton and under Transport Protocol, select the HTTPS radio button.

  5. Under HTTP Authentication, check the X.509 Client Certificate checkbox to permit Single Sign-On with X.509 client certificates.

    If you want to enable only X.509 certificates, deselect the other options and choose the Save pushbutton.

3. Configure the UWL Push Web Service Client on the BPM Side to Initiate Calls with X.509 Certificate
  1. On the BPM side, log on to SAP NetWeaver Administrator and navigate to SOA Management > Application and Scenario Communication > Single Service Administration > Consumer Proxies.

  2. On the Search tab page, enter TaskEventListener and choose the Go pushbutton.

  3. Select the TaskEventListener service definition and on the Configuration tab page select the TaskEventListenerPort endpoint.

  4. On the Security tab page, choose the Edit pushbutton and under Authentication, select the X.509 Client Certificate radio button.

  5. Under Details, specify the keystore view and the entry you have created in section 1 above. Choose the Save pushbutton.

4. Configure the UWL Push General Settings on the BPM Side

For more information, see Enabling the UWL Push Mechanism, Remote section.
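
Section 1 leaves three kinds of file on disk: the PKCS#10 request from step 4, and the PKCS#8 key and the "cert1" certificate from step 6. The following check is an added example, not SAP code: it classifies a Base64 or binary export by its ASN.1 shape so that only the certificate is uploaded to the uwl_service user. The sample bytes are constructed skeletons rather than real keys or certificates, and an X.509 v1 certificate is reported as unknown.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):
    """List (tag, value_start, value_end) for each element in buf[start:end]."""
    out = []
    while start < end:
        tag, vstart, start = read_tlv(buf, start)
        out.append((tag, vstart, start))
    return out

def classify_der(der):
    """Name the object by its ASN.1 shape alone; file names and PEM labels are ignored."""
    try:
        tag, start, end = read_tlv(der, 0)
        top = children(der, start, end) if tag == 0x30 else []
        tags = [t for t, _, _ in top]
        if tags == [0x30, 0x30, 0x03]:  # signed object: body, algorithm, signature
            body = [t for t, _, _ in children(der, top[0][1], top[0][2])]
            if body[:1] == [0xA0]:  # tbsCertificate opening with [0] version
                return "certificate"
            if body[:1] == [0x02] and body[-1:] == [0xA0]:  # PKCS#10 request info
                return "csr"
        if tags[:3] == [0x02, 0x30, 0x04] or tags == [0x30, 0x04]:  # PKCS#8 plain / encrypted
            return "private-key"
    except (ValueError, IndexError):
        pass
    return "unknown"

def classify_file(data):
    """Classify every object in a Base64 (PEM) or binary (DER) export."""
    blocks = [base64.b64decode(b) for _, b in PEM_RE.findall(data)] or [data]
    return [classify_der(d) for d in blocks]

# Constructed skeletons with the right ASN.1 shape; not real keys or certificates.
CERT = bytes.fromhex("30 0c 30 05 a0 03 02 01 02 30 00 03 01 00")
CSR = bytes.fromhex("30 10 30 09 02 01 00 30 00 30 00 a0 00 30 00 03 01 00")
PKCS8 = bytes.fromhex("30 08 02 01 00 30 00 04 01 00")
```

Upload a file in step 9 only when classify_file() on its bytes returns exactly ["certificate"]; any result that contains "private-key" means the key pair itself was selected.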