
Background documentation: Configuring a Trust Relationship for SAP Assertion Tickets

Principal propagation is implemented by authenticating with SAP assertion tickets between the messaging components involved. Each communication step along the way from the sender to the receiver requires a separate authentication at each messaging component before the message is executed there. As a result, the message is executed under the same user in all participating messaging components. Since an SAP assertion ticket is consumed during authentication, a new ticket is generated each time a message is forwarded to the next messaging component.

Wherever you want to use an SAP assertion ticket for authentication between a sending and a receiving messaging component, you have to configure a trust relationship between the underlying application servers first.

Since the configuration for AS ABAP and AS Java is different and since a distinction is made between the sender (client) and the receiver (server) side, four configuration variants apply:

      AS Java client configuration

      AS Java server configuration

      AS ABAP client configuration

      AS ABAP server configuration

All four configuration variants are described in the following sections.

Note

If an Adapter Engine (SOAP adapter or RFC adapter) is involved, a trust relationship must also be established between this Adapter Engine and the Integration Server.

Therefore, the Adapter Engine (based on AS Java) and the Integration Server (based on AS ABAP) each act as both server [S] and client [C], as shown in the following diagram:

-> [S] Adapter Engine [C] -> [S] IS [C] -> [S] Adapter Engine [C] ->

AS Java: Client Side

The following steps are required to enable the client side of an AS Java to issue SAP assertion tickets. This is necessary, for example, for inbound messages propagated to the Integration Server and for outbound messages sent to an external receiver system. (More information: Single Sign-On Configuration for the Runtime Workbench.)


       1.      Set an SAP client in the AS Java.

As the SAP assertion ticket requires an SAP system client, the AS Java must also have configured a system client.

Note

For the central Adapter Engine, this client must be different from all ABAP clients of the Integration Server, because the central Adapter Engine shares the Integration Server's system ID and the receiving side identifies the ticket issuer by system ID and client (see the ACL entries in the server-side sections). Therefore, the default client 000 must be changed in any case.

For the non-central Adapter Engine, you can use the default client 000, provided that there are no conflicts due to a double-stack installation.

Proceed as follows:


                            a.      Use the SAP NetWeaver Administrator and choose Configuration Management -> Security Management -> Authentication (alias: /nwa/auth).

                            b.      Select the login module CreateAssertionTicketLoginModule.

                            c.      Add the option ume.configuration.active with value true.

                            d.      Start the AS Java configuration tool.

                            e.      Expand the nodes Configurations -> cluster_config -> globals -> clusternode_config -> workernode -> services.

                              f.      Expand the service com.sap.security.core.ume.service and choose the Propertysheet properties.

                            g.      Change to edit mode and set the following properties:

       login.ticket_client = <client>

Caution

For the central Adapter Engine, this client must be different from any defined ABAP client.

       login.ticket_portalid = auto

More information: Specifying the Client to Use for Logon Tickets in the SAP NetWeaver Security Guide.

       2.      Install the AS Java server certificate

To issue SAP assertion tickets, the AS Java must sign them with a digital signature. For this purpose, a private key must be created together with a certificate containing the public key and imported into the AS Java keystore.

Proceed as follows:


                            a.      Start the AS Java configuration tool.

                            b.      Expand the nodes Configurations -> cluster_config -> globals -> clusternode_config -> workernode -> services.

                            c.      Expand the service com.sap.security.core.ume.service and choose the Propertysheet properties.

                            d.      Change to edit mode and set the following properties:

       login.ticket_keyalias = SAPLogonTicketKeypair

       login.ticket_keystore = TicketKeystore

                            e.      Use the SAP NetWeaver Administrator and choose Configuration Management -> Security Management -> Key Storage (alias: /nwa/key-storage).

                              f.      Select the TicketKeystore view and then the SAPLogonTicketKeypair certificate.

                            g.      Check whether the CN fields are set to the AS Java system ID.

More information: Replacing the Key Pair to Use for Logon Tickets in the SAP NetWeaver Security Guide.

AS Java: Server Side

The following steps are required to enable the server side of an AS Java to accept SAP assertion tickets. This is necessary, for example, for inbound messages authenticated with an SAP assertion ticket and for messages sent from the Integration Server to an Adapter Engine.

More information: Configuring AS Java to Accept Logon Tickets in the SAP NetWeaver Security Guide.


       1.      Import the server certificate of each client.

For each client system authenticating with an SAP assertion ticket, the corresponding server certificate must be imported into the AS Java keystore under the TicketKeystore view.

For the trust relationship between the Integration Server and an Adapter Engine, the Integration Server’s certificate must be imported into the Adapter Engine.

To export the Integration Server's certificate, proceed as follows:


                            a.      On the Integration Server, call transaction STRUST to export the SAP assertion ticket certificate (see the AS ABAP: Client Side section below).

                            b.      Double-click System PSE in the navigation area.

                            c.      Double-click the displayed own certificate in the upper group box.

                            d.      Choose Export certificate in the lower group box and use file format Binary and file extension .crt for the export.

To import a client certificate into the AS Java, proceed as follows:


                            a.      Use the SAP NetWeaver Administrator and choose Configuration Management -> Security Management -> Key Storage (alias: /nwa/key-storage).

                            b.      Select the TicketKeystore view.

                            c.      Import the client’s server certificate (that is, at least the certificate of the Integration Server).

       2.      Maintain the ACL for the EvaluateAssertionTicketLoginModule.

Proceed as follows:

                            a.      Use the SAP NetWeaver Administrator and choose Configuration Management -> Security Management -> Trusted Systems (alias: /nwa/trusted-systems).

                            b.      To define the AS Java ACL, add a trusted system with the following properties for each client:

       SID: SAP system ID of the client’s system.

       Client: SAP client of the client’s system.

       Subject DN: distinguished name of the system as specified in the client’s server certificate.

       Issuer DN: distinguished name of the issuer as specified in the client’s server certificate.

                            c.      In addition, choose Configuration Management -> Security Management -> Authentication (alias: /nwa/auth).

                            d.      Select the login module EvaluateAssertionTicketLoginModule.

                            e.      Set the option ume.configuration.active to true.

Note

Since the RFC adapter does not use a dedicated login module stack, the ACL must be globally configured as described above.

       3.      Check the EvaluateAssertionTicketLoginModule.

The central configuration of the previous step can be overridden in the individual login module stacks, where the EvaluateAssertionTicketLoginModule can be configured explicitly. Therefore, check that the login module stacks for the SOAP and XI adapters are correct. Proceed as follows:

                            a.      Use the SAP NetWeaver Administrator and choose Configuration Management -> Security Management -> Authentication (alias: /nwa/auth).

                            b.      Select the following components and check whether the EvaluateAssertionTicketLoginModule is the first module in the list and is flagged SUFFICIENT:

SOAP Adapter:

       sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter

XI Adapter:

       sap.com/com.sap.aii.af.ms.app*MessagingSystem

                            c.      Check whether the ACL properties of the previous step are correctly set for the EvaluateAssertionTicketLoginModule.

Note

For the RFC adapter, this step is not required, since it does not use a dedicated login module stack.

AS ABAP: Client Side

To issue SAP assertion tickets for principal propagation, the AS ABAP client must be configured. This can be the case for ABAP outbound proxies (more information: Configuring the Sender) or for the Integration Server (more information: Configuring Principal Propagation in the Integration Directory).

The necessary steps to enable the AS ABAP client side to issue SAP assertion tickets are as follows:


       1.      Call transaction STRUST to check whether a system PSE is maintained.

By default, a self-signed system PSE should exist, which is sufficient. If a certificate signed by the SAP CA is needed, you can import and configure it with transaction STRUST.

       2.      Call transaction RZ11 to check whether the login/create_sso2_ticket parameter has the value 1 or 2.

       Value 1 means that the AS ABAP certificate is included in the SAP assertion ticket.

       Value 2 means that the AS ABAP certificate is not included in the SAP assertion ticket.

Use value 2 if the certificate is self-signed; otherwise, use value 1. In both cases the receiving system must hold the issuing certificate and an ACL entry for the issuer (see AS ABAP: Server Side and AS Java: Server Side); the parameter only controls whether the certificate is additionally transported inside the ticket.

More information: Configuring the AS ABAP for Issuing Logon Tickets in the SAP NetWeaver Security Guide.

AS ABAP: Server Side

To accept SAP assertion tickets for principal propagation, the AS ABAP server must be configured. This can be the case for ABAP inbound proxies or for the Integration Server (receiving messages from ABAP outbound proxies and from Adapter Engines).

The necessary steps to enable the AS ABAP server side to accept SAP assertion tickets are as follows:


       1.      Call transaction RZ11 to check whether the login/accept_sso2_ticket parameter has the value 1.

       2.      For each message-sending client, import the client certificate as follows:

                            a.      Call transaction STRUST and open the System PSE folder.

                            b.      In the certificate list, import the public certificate with which the sending system signs its SAP assertion tickets (for an AS ABAP client, the certificate of its system PSE; for an AS Java client, the SAPLogonTicketKeypair certificate from its TicketKeystore view).

       3.      For each message-sending client, maintain the access control list (ACL):

                            a.      Call transaction STRUSTSSO2.

                            b.      Add the system ID, client, and distinguished name of the client's certificate.

More information: Accepting Logon Tickets Issued by the AS Java in the SAP NetWeaver Security Guide.
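The ACL entries above (NWA Trusted Systems for an AS Java receiver, STRUSTSSO2 for an AS ABAP receiver) need the Subject DN and Issuer DN exactly as they appear in the sender's certificate, and the AS Java client-side check (step 2g) requires the certificate's CN to equal the issuing system's SAP system ID. The following script is an added example, not part of the SAP Library page, for reading those values from a certificate exported in the binary .crt form STRUST produces (PEM is accepted too). It assumes the openssl command-line tool is available; the system ID PI1, client 100 and the self-signed sample certificate it generates are constructed values standing in for a real Integration Server's system PSE.

```shell
#!/bin/sh
# Added example (not from the SAP Library page): derive the fields of a
# trusted-systems ACL entry from an exported SAP assertion ticket certificate.
# Assumes the openssl CLI. SID "PI1" and client "100" below are constructed.

# Print one X.509 name field (subject or issuer) in RFC 2253 form. Tries the
# binary (DER) format that STRUST exports with extension .crt first, then PEM.
x509_name() {  # x509_name <subject|issuer> <cert-file>
    field="$1"; cert="$2"; out=""
    for fmt in DER PEM; do
        out=$(openssl x509 -inform "$fmt" -in "$cert" -noout "-$field" \
              -nameopt RFC2253 2>/dev/null) && break
    done
    [ -n "$out" ] || return 1
    # openssl prefixes the value with "subject=" / "issuer=" (older builds add a space)
    printf '%s\n' "$out" | sed "s/^$field= *//"
}

cert_subject() { x509_name subject "$1"; }
cert_issuer()  { x509_name issuer  "$1"; }

# Common name of the subject: the value that must equal the issuing system's
# SAP system ID. (Assumes no escaped commas inside the CN value.)
cert_cn() {
    cert_subject "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds only if the certificate's CN equals the expected SID.
check_ticket_cn() {  # check_ticket_cn <cert-file> <SID>
    cn=$(cert_cn "$1")
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# Print the four values of an ACL entry as entered in NWA Trusted Systems or
# STRUSTSSO2. Refuses a certificate whose CN does not match the SID, since the
# receiving side keys its ACL on SID and client as well as on the DNs.
acl_entry() {  # acl_entry <cert-file> <SID> <client>
    if ! check_ticket_cn "$1" "$2"; then
        echo "CN of $1 does not match SID $2" >&2
        return 1
    fi
    printf 'SID: %s\nClient: %s\nSubject DN: %s\nIssuer DN: %s\n' \
        "$2" "$3" "$(cert_subject "$1")" "$(cert_issuer "$1")"
}

# Constructed sample: a self-signed key pair standing in for a system PSE,
# exported in binary form (<SID>.crt) the way STRUST does it.
make_sample_cert() {  # make_sample_cert <dir> <SID>  -> prints path of the .crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$1/$2.pem" -outform DER -out "$1/$2.crt" &&
    printf '%s\n' "$1/$2.crt"
}

# Usage: sh acl_entry.sh <cert-file> <SID> <client>
if [ "$#" -eq 3 ]; then
    acl_entry "$1" "$2" "$3"
fi
```

Compare the printed DNs with what STRUST or the Key Storage view displays before typing them into an ACL entry: the ACL is matched against the name in the certificate, so an entry whose DN differs in any attribute is treated as a different issuer, and importing the certificate into the keystore or PSE alone does not establish trust.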

 
