Configuring the Authentication Assertion Ticket with HTTPS (AS Java)

This procedure describes all steps required to secure Web services with SSL and to authenticate users with authentication assertion tickets. The example uses two AS Java systems, each with its own SOA Management configuration.

Prerequisites

Procedure

1. Setting Up an SSL Trust Relationship

Set up the trust relationship between the systems so that the consumer system trusts the provider system.

  1. Export the server certificate of the provider system. To do this, in SAP NetWeaver Administrator, under Configuration Management > Security > Certificates and Keys, select the standard SSL server keystore view ICM_SSL_<instance ID>.

    1. Under Details of Keystore Views, on the View Entries tab page, select the ssl-credentials-cert entry.

    2. Choose Export to File, and use the download link to save the certificate as a file in the file system (file format: Base64 X.509).

  2. Import the server certificate of the provider system into the consumer system. To do this, in SAP NetWeaver Administrator, under Configuration Management > Security > Certificates and Keys, select the client SSL keystore view Client_ICM_SSL_<instance ID>.

    1. Under Details of Keystore Views, on the View Entries tab page, choose the Import from File button.

    2. In the Import Entry dialog box, specify the entry type X.509 certificate and the path in the file system, and choose Import.

2. Setting Up a Ticket Trust Relationship

Set up the ticket trust relationship in the provider system with the SSO2 Assistant. This imports the consumer system's certificate (the SAPLogonTicketKeypair-cert entry of its keystore view) into the provider's TicketKeystore keystore view.

  1. In the SAP NetWeaver Administrator of the provider system, under Configuration Management > Trusted Systems, choose the tab page Single Sign-On with SAP Logon Tickets.

  2. Under Trusted Systems, start the Assistant by choosing Add Trusted System > By Querying the Trusted System.

  3. Specify the system type Java.

    The following required entry fields are then displayed, which you also need to fill out:

    Field         Value
    ------------  ------------------------------------------------------------
    Schema        HTTP: without server authentication
                  HTTPS: with server authentication
                  Server authentication ensures that the certificate that is
                  to be trusted actually comes from the system.
    Host Name
    Port number
    User name     Name of the user to be used to access the consumer system.
    Password      Password of that user in the consumer system.

    Choose Next and then Finish.
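The two trust relationships set up in steps 1 and 2 are separate checks made by different systems: the consumer verifies the provider's server certificate against its client truststore when it opens the HTTPS connection, and the provider verifies the signature on each authentication assertion ticket against the certificates it trusts as ticket issuers. The following Go program is an added example that models both checks; it is not SAP code and does not reproduce the SAP logon ticket format. It assumes ECDSA P-256 self-signed certificates, a constructed ticket payload, the host names provider.example and consumer.example, and uses one key pair per system to stand in for both the SSL credentials and SAPLogonTicketKeypair.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// System is a constructed model of one AS Java system: its own key pair and
// self-signed certificate, its client truststore (Client_ICM_SSL_<instance ID>)
// and its trusted ticket issuers (TicketKeystore).
type System struct {
	Name          string
	Key           *ecdsa.PrivateKey
	Cert          *x509.Certificate
	TrustStore    *x509.CertPool
	TicketIssuers []*x509.Certificate
}

// NewSystem generates a key pair and a self-signed server certificate for host.
func NewSystem(host string) (*System, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &System{Name: host, Key: key, Cert: cert, TrustStore: x509.NewCertPool()}, nil
}

// ImportServerCert is step 1: the consumer imports the provider's exported
// server certificate into its client keystore view.
func (s *System) ImportServerCert(cert *x509.Certificate) { s.TrustStore.AddCert(cert) }

// TrustsServer is the check the consumer makes when opening an HTTPS connection:
// the presented certificate must chain to its truststore and match the host name
// it connected to. A nil result means the server is trusted.
func (s *System) TrustsServer(host string, presented *x509.Certificate) error {
	_, err := presented.Verify(x509.VerifyOptions{Roots: s.TrustStore, DNSName: host})
	return err
}

// TrustTicketIssuer is step 2: the provider imports the consumer's certificate
// as a trusted ticket issuer.
func (s *System) TrustTicketIssuer(cert *x509.Certificate) {
	s.TicketIssuers = append(s.TicketIssuers, cert)
}

// SignTicket models the consumer issuing a ticket for user, signed with its own
// private key. The payload is a constructed string, not the SAP ticket format.
func (s *System) SignTicket(user string) (string, []byte, error) {
	payload := fmt.Sprintf("user=%s;issuer=%s", user, s.Name)
	digest := sha256.Sum256([]byte(payload))
	sig, err := ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
	return payload, sig, err
}

// VerifyTicket is what the provider does on each request: the signature must
// validate under one trusted issuer certificate, or the ticket is rejected.
func (s *System) VerifyTicket(payload string, sig []byte) bool {
	digest := sha256.Sum256([]byte(payload))
	for _, issuer := range s.TicketIssuers {
		if pub, ok := issuer.PublicKey.(*ecdsa.PublicKey); ok && ecdsa.VerifyASN1(pub, digest[:], sig) {
			return true
		}
	}
	return false
}

func main() {
	provider, _ := NewSystem("provider.example")
	consumer, _ := NewSystem("consumer.example")
	fmt.Println("consumer trusts provider before step 1:", consumer.TrustsServer("provider.example", provider.Cert) == nil)
	consumer.ImportServerCert(provider.Cert)
	fmt.Println("consumer trusts provider after step 1: ", consumer.TrustsServer("provider.example", provider.Cert) == nil)
	payload, sig, _ := consumer.SignTicket("alice")
	fmt.Println("provider accepts ticket before step 2: ", provider.VerifyTicket(payload, sig))
	provider.TrustTicketIssuer(consumer.Cert)
	fmt.Println("provider accepts ticket after step 2:  ", provider.VerifyTicket(payload, sig))
}
```

The host-name check in TrustsServer is what the HTTPS "with server authentication" schema buys over plain HTTP: a certificate for a different host, or a certificate with the right name that was never imported, is rejected even though it is syntactically valid. Likewise, a ticket whose payload has been altered after signing fails VerifyTicket regardless of which issuers are trusted.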

3. Creating an Endpoint in the Provider System

In the SAP NetWeaver Administrator of the provider system, choose SOA Management > Application and Scenario Communication > Single Service Administration, and then the tab page Service Definitions.

  1. Find the service that is to be accessed using an authentication assertion ticket, and for which you now want to create an endpoint, and select it in the list of search results.

  2. On the Configuration tab page, check the Runtime Configuration checkbox and choose New.

  3. Start the configuration assistant by choosing the New button, and enter the following information in the relevant steps:

    1. In step 1, specify the name of the new endpoint (such as SSL_AuthTic), and choose whether you want to add this to an existing service or to a new service to be created.

    2. In step 2, set the options for security at transport and at message level:

      • For Transport Protocol, choose the HTTPS (Security at transport level) radio button

      • For Authentication, under HTTP Authentication, check the Logon Ticket checkbox

    3. Choose Finish.

    Note: The additional Assistant steps are not absolutely necessary for this example configuration.

  4. On the WSDLs tab page, select the endpoint that you created above (for example, SSL_AuthTic), and call up its WSDL document.

4. Creating a Logical Port in the Consumer System

In the SAP NetWeaver Administrator of the consumer system, choose SOA Management > Application and Scenario Communication > Single Service Administration, and then the Consumer Proxies tab page.

  1. On the Consumer Proxies tab page, search for the consumer proxy that is to access the service endpoint and for which you want to create a logical port, and select it in the list of search results.

  2. On the Configuration tab page, select Runtime Configuration.

  3. Start the configuration assistant by choosing the New button, and enter the following information in the relevant steps:

    1. In step 1, choose Import from WSDL-URL to import the logical endpoint from the WSDL document that you called in the provider system.

    2. In step 2, copy the URL of the WSDL document that you opened in the provider system for the endpoint you created (such as SSL_AuthTic), and enter it in the WSDL URL field.

    3. In step 3, specify the endpoint created in the provider system.

    4. In step 4, specify a name for the logical port.

    5. Choose Finish.