Configuring Logon with X.509 Certificates with Asymmetric Encryption and Signature (AS Java)


This procedure describes all the steps needed to secure Web services with asymmetric encryption and signature and to authenticate users with an X.509 client certificate. The example uses two AS Java systems and individual SOA Management configuration. With this procedure, you set up the trust relationship between the systems so that the provider system trusts the consumer system. To do this, you prepare the use of both signatures and encryption as described below.

Note

To prepare the use of signatures and encryption, the certificate System-cert is always exported by default. In the partner system, this certificate is then imported into the keystore view WebServiceSecurity for signatures and into the keystore view WebServiceSecurity_Certs for encryption.

End of the note.

Prerequisites

Procedure

1. Preparing for the Use of Signatures and User Authentication in the Consumer System

Prepare the signature for the consumer system query. Create the trust relationship through which the provider system trusts the consumer system.

  1. In the consumer system, export the system-cert certificate from the keystore view WebServiceSecurity to a file.

    1. In the consumer system, in SAP NetWeaver Administrator, choose Configuration Management > Certificates and Keys.

    2. Select the keystore view WebServiceSecurity.

    3. Under Details of the Keystore View, select the encryption certificate System-cert.

    4. Choose Export to a File.

    5. Enter Base64 X.509 as the export format.

    6. Choose Download.

    7. Choose Save, and enter a name for the file (such as System_cert_<SID>).

  2. In the provider system, import the consumer certificate System_cert_<SID> in the keystore view WebServiceSecurity.

    1. In SAP NetWeaver Administrator, choose Configuration Management > Certificates and Keys.

    2. Select the keystore view WebServiceSecurity.

    3. Choose Import from File.

    4. Choose the import type X.509 certificate.

    5. Specify the path to the certificate file System_cert_<SID>, and choose Import.

2. Assigning an X.509 Certificate to a Service User

Once the certificate has been checked successfully, the user to which the certificate is assigned is logged on.

  1. In the provider system, in SAP NetWeaver Administrator, choose Operation Management > Users and Access > Identity Management.

  2. Find the service user under which the Web service is to be executed, and select it in the results list.

  3. Switch to edit mode, and upload the consumer system certificate on the Certificates tab page (such as System_cert_<consumer system SID>).

    Note

    If the Certificates tab page is not displayed, check the UME parameter ume.logon.allow.cert.

    End of the note.
  4. To assign the certificate, save the user.

3. Preparing for the Use of Signatures in the Provider System

Prepare the signature for the provider system response. Create the trust relationship through which the consumer system trusts the provider system.

  1. In the provider system, export the system-cert certificate from the keystore view WebServiceSecurity to a file:

    1. In the provider system, in SAP NetWeaver Administrator, choose Configuration Management > Certificates and Keys.

    2. Select the keystore view WebServiceSecurity.

    3. Under Details of the Keystore View, select the encryption certificate System-cert.

    4. Choose Export to a File.

    5. Enter Base64 X.509 as the export format.

    6. Choose Download.

    7. Choose Save, and enter a name for the file (such as System_cert_<SID>).

  2. In the consumer system, import the provider certificate System_cert_<SID> in the keystore view WebServiceSecurity.

    1. In SAP NetWeaver Administrator, choose Configuration Management > Certificates and Keys.

    2. Select the keystore view WebServiceSecurity.

    3. Choose Import from File.

    4. Choose the import type X.509 certificate.

    5. Specify the path to the certificate file System_cert_<SID>, and choose Import.

4. Preparing Encryption

Import the certificate for the provider system (by default, System-cert) into the keystore view WebServiceSecurity_Certs in the consumer system:

  1. In SAP NetWeaver Administrator, choose Configuration Management > Certificates and Keys.

  2. Select the keystore view WebServiceSecurity_Certs.

  3. Choose Import from File.

  4. Choose the import type X.509 certificate.

  5. Specify the path to the certificate file System_cert_<SID>, and choose Import.

5. Creating an Endpoint in the Provider System

  1. In the SAP NetWeaver Administrator of the provider system, choose SOA Management > Application and Scenario Communication > Single Service Administration, and then the Service Definitions tab page.

  2. Find the service that is to be accessed using an X.509 client certificate and for which you now want an endpoint, and select it in the list of search results.

  3. On the Configuration tab page, select the Runtime Configuration radio button.

  4. Start the configuration assistant by choosing the New button, and enter the following information in the relevant steps:

    1. In step 1, specify the name of the new endpoint (such as ASYM_X509), and choose whether you want to add this to an existing service or to a new service to be created.

    2. In step 2, set the options for security at transport and at message level:

      • For Transport Protocol, choose the HTTP radio button

      • For Authentication Message Authentication, check the X.509 Client Certificate checkbox

      • Under Message Security, check the Require Signature, Add Signature, Require Encryption, and Add Encryption checkboxes

        Choose Details.

        • Under Outbound Signature, specify the keystore view (by default, WebServiceSecurity) and the signature certificate (by default, System-key) of your own system, which you have imported into the consumer system as the basis of the trust relationship.

        • Under Outbound Encryption, select the option Use the Signature Certificate of the Inbound Request.

          Since the consumer system includes the signature certificate with the signature, the provider system can use this certificate to encrypt the response.

      Note

      The additional Assistant steps are not absolutely necessary for this example configuration.

      End of the note.
    3. Choose Finish.

  5. On the WSDLs tab page, select the endpoint that you created above (for example, ASYM_X509), and call up its WSDL document.

6. Creating a Logical Port in the Consumer System

  1. In the SAP NetWeaver Administrator of the consumer system, choose SOA Management > Application and Scenario Communication > Single Service Administration, and then the Service Definitions tab page.

  2. Find the consumer proxy through which the service endpoint is to be accessed and for which you want to create a logical endpoint, and select the proxy in the list of search results.

  3. On the Configuration tab page, select the Runtime Configuration radio button.

  4. Start the configuration assistant by choosing the New button, and enter the following information in the relevant steps:

    1. In step 1, choose Import from WSDL-URL to import the logical endpoint from the WSDL document that you called in the provider system.

    2. In step 2, in the provider system, copy the WSDL of the endpoint that you created above (for example, ASYM_X509) from the WSDLs tab page, and insert this in the consumer system in the WSDL URL field.

    3. In step 3, specify the endpoint created in the provider system.

    4. In step 4, specify a name for the logical port.

    5. In step 5, customize the security settings. To do this, under Message Security, choose the Details button.

      • Under Outbound Signature, specify the keystore view (by default, WebServiceSecurity) and the signature certificate (by default, System-key) of your own system, which you have imported into the provider system as the basis of the trust relationship.

      • Under Outbound Encryption, specify the keystore view (by default, WebServiceSecurity_Certs) and the certificate (as imported above, System_cert_<SID>) of the provider system.

    Note

    The sequence of Assistant steps depends on your entries. For this example configuration, we have made only the necessary settings, and not the optional settings.

    End of the note.
  5. Choose Finish.
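The procedure above places the same exported file name, System_cert_<SID>, into four different places across the two systems, so a mix-up at import time is easy and goes unnoticed until signature or decryption fails at runtime. The following added example (not part of SAP's documentation) models the two AS Java systems and checks by certificate fingerprint, not file name, that each keystore view and the service user hold the certificate the procedure requires; the SIDs CON and PRV, the user WS_SERVICE_USER, and the PEM contents are constructed stand-ins.

```python
import base64
import hashlib
from dataclasses import dataclass, field

def pem_to_der(pem: str) -> bytes:
    """Decode a Base64 X.509 export (the format chosen under Export to a File)."""
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes, compared instead of the file name."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

@dataclass
class AsJavaSystem:
    sid: str
    system_cert_pem: str                            # own System-cert, exported
    views: dict = field(default_factory=dict)       # keystore view -> {alias: DER}
    user_certs: dict = field(default_factory=dict)  # UME user -> [DER, ...]

def has_cert(system: AsJavaSystem, view: str, fp: str) -> bool:
    return any(fingerprint(d) == fp for d in system.views.get(view, {}).values())

def check_trust_setup(consumer, provider, service_user):
    """Return what is still missing; an empty list means steps 1 to 4 are complete."""
    c_fp = fingerprint(pem_to_der(consumer.system_cert_pem))
    p_fp = fingerprint(pem_to_der(provider.system_cert_pem))
    problems = []
    if not has_cert(provider, "WebServiceSecurity", c_fp):
        problems.append(f"{provider.sid}: consumer cert missing in WebServiceSecurity (request signature)")
    if c_fp not in [fingerprint(d) for d in provider.user_certs.get(service_user, [])]:
        problems.append(f"{provider.sid}: consumer cert not assigned to {service_user} (X.509 logon)")
    if not has_cert(consumer, "WebServiceSecurity", p_fp):
        problems.append(f"{consumer.sid}: provider cert missing in WebServiceSecurity (response signature)")
    if not has_cert(consumer, "WebServiceSecurity_Certs", p_fp):
        problems.append(f"{consumer.sid}: provider cert missing in WebServiceSecurity_Certs (request encryption)")
    return problems

def fake_pem(label: str) -> str:
    """Constructed stand-in for an exported file; not a real X.509 structure."""
    b64 = base64.b64encode(f"constructed-DER-{label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def example(mix_up: bool):
    con, prov = AsJavaSystem("CON", fake_pem("consumer")), AsJavaSystem("PRV", fake_pem("provider"))
    con_der, prov_der = pem_to_der(con.system_cert_pem), pem_to_der(prov.system_cert_pem)
    prov.views["WebServiceSecurity"] = {"System_cert_CON": con_der}   # step 1
    prov.user_certs["WS_SERVICE_USER"] = [con_der]                     # step 2
    con.views["WebServiceSecurity"] = {"System_cert_PRV": prov_der}    # step 3
    # Step 4: with mix_up the consumer's own export was imported under the provider's alias.
    con.views["WebServiceSecurity_Certs"] = {"System_cert_PRV": con_der if mix_up else prov_der}
    return check_trust_setup(con, prov, "WS_SERVICE_USER")
```

Against a real landscape, replace fake_pem with the contents of the exported files and compare the fingerprints shown under Details of the Keystore View.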