Setting Up Trust
Applicable to: remote role assignment, remote delta link, WSRP application sharing (between NetWeaver portals only)
Logon tickets are used to establish trust between the producer and consumer portal in a federated portal network. Logon tickets are digitally signed by the issuing server; the accepting systems need the public key of the issuing server to verify this digital signature.
This topic describes the trust configuration procedure from a federated portal network perspective. For detailed information about the use of logon tickets for Single Sign-On in an SAP system environment, refer to Using Logon Tickets with AS Java.
To set up trust between each producer and consumer portal pairing, you need to exchange a server certificate file between the systems. This is a one-time procedure.
The content usage mode determines if you need to exchange the certificate file in one direction only (consumer to producer) or in both directions (consumer to producer, and producer to consumer):
| Ticket Exchange | Description | Ticket-Issuer System | Ticket-Accepting System |
|---|---|---|---|
| Exchange #1 | This certificate file exchange ensures that remote users on the portal consumer are recognized as authenticated users when they request content from the producer portal. A system administrator on the consumer portal exports the certificate file and transfers it to a system administrator on the producer side. The system administrator on the producer side then imports the file using the SSO Wizard in the SAP NetWeaver Administrator tool. | Consumer | Producer |
| Exchange #2 | You only need to perform this certificate file exchange if you want remote role assignments to be automatically removed on the relevant consumer portals when their respective roles are deleted on the producer portal. A system administrator on the producer exports the server certificate file and transfers it to a system administrator on the consumer. The system administrator on the consumer then imports the file using the SSO Wizard in the SAP NetWeaver Administrator tool. | Producer | Consumer |

Since the authentication mechanisms of different portal vendors are not compatible with one another, this procedure is not relevant to an SAP NetWeaver Portal and non-SAP portal pairing.
● On the ticket-issuer system, you have access to the Key Storage application in SAP NetWeaver Administrator tool.
● On the ticket-accepting system, you have access to the SAP NetWeaver Administrator tool.
● The server clocks of the producer portal and consumer portal must be synchronized at all times.
To compensate for clocks running at different speeds, the authentication mechanism of AS Java provides a maximum deviation of 3 minutes in either direction.

The procedure (described below) for setting up trust does not fail if the clocks are not synchronized. Errors resulting from unsynchronized clocks only become evident at runtime during data flow when the producer (the ticket-accepting system) receives an invalid logon ticket from the consumer (the ticket-issuing system); for example, when the consumer requests the navigation structure and framework of a remote role from the producer portal.
● If you have problems accessing the SSO wizard on the ticket-accepting system, as described in the procedure below, ensure that the following SDA files are deployed. If you do not have the SDA files, they are attached to SAP Note 1083421.
○ tc~sec~auth~jmx~ear.sda
○ tc~sec~auth~sso2~wizard.sda
The following procedure describes how to manually exchange certificate files between the producer and the consumer systems. If you are setting up the mandatory one-way trust configuration (Exchange #1 only), perform the procedure once only. If you are also setting up the two-way trust configuration (Exchange #1 and #2), perform the procedure twice by alternating the producer and consumer.
This section describes how to export a certificate key file from your ticket-issuer system.
1. Open the local SAP NetWeaver Administrator on the ticket-issuer system, or use a central SAP NetWeaver Administrator to connect to the local instance.

To access the SAP NetWeaver Administrator directly, add /nwa to the AS Java URL (for example: http://<hostname>:<port>/nwa).
2. In the SAP NetWeaver Administrator, open the Key Storage application.

To navigate quickly to the Key Storage application, you can add the quick-link /nwa/key-storage to the AS Java URL (for example: http://<hostname>:<port>/nwa/key-storage).
3. In the Content tab, select TicketKeystore from the available keystore views.
4. Click Edit.
5. Select SAPLogonTicketKeypair-cert from the available view entries.
6. Click Export Entry.
7. Select Binary X.509 Certificate File as the export format.

This file format is equivalent to the verify.der/crt file used in previous releases of SAP NetWeaver, such as 7.0. It can be uploaded to a ticket-accepting AS ABAP or AS Java server.
8. Click Download to export the file.
9. Manually transfer the file to a system administrator working on the ticket-accepting system.
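The file is handed over manually, so the receiving administrator has no in-band way to tell whether the bytes that arrived are the ones that were exported. The following check is an added example, not SAP code or part of the documented procedure: it assumes the ticket-issuer administrator also communicates the certificate's fingerprint over a separate channel, and it recomputes that fingerprint from the received file before the file is imported with the SSO wizard. The file name SAPLogonTicketKeypair-cert.der and the sample certificate bytes are constructed for illustration; a PEM-encoded file is accepted as well and normalised to DER, because fingerprints are defined over the DER encoding.

```python
"""Out-of-band fingerprint check for a received logon-ticket certificate file.

Added example, not SAP code. Assumes the expected fingerprint was received from
the ticket-issuer administrator over a separate channel (hypothetical process).
"""
import hashlib
import hmac
import ssl
import sys
from pathlib import Path

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

# Constructed sample: a short ASN.1 SEQUENCE, not a real X.509 certificate.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")


def load_cert_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate supplied as DER or PEM.

    A "Binary X.509 Certificate File" starts with the ASN.1 SEQUENCE tag 0x30;
    a PEM file starts with the BEGIN CERTIFICATE header and is base64-decoded.
    """
    if data.lstrip().startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    if data[:1] == b"\x30":
        return data
    raise ValueError("not a DER or PEM X.509 certificate")


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER encoding."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise(fp: str) -> str:
    # Accept "AB:CD", "ab cd" or "abcd" spellings of the same fingerprint.
    return fp.replace(":", "").replace(" ", "").upper()


def verify_fingerprint(data: bytes, expected: str, algorithm: str = "sha256") -> bool:
    """True when the file's fingerprint matches the value received out of band."""
    actual = fingerprint(load_cert_der(data), algorithm)
    return hmac.compare_digest(_normalise(actual), _normalise(expected))


def check_file(path: str, expected: str) -> bool:
    """Verify a certificate file on disk before importing it with the SSO wizard."""
    return verify_fingerprint(Path(path).read_bytes(), expected)


if __name__ == "__main__":
    # Usage: python check_cert.py SAPLogonTicketKeypair-cert.der <expected-sha256>
    if len(sys.argv) != 3:
        sys.exit("usage: check_cert.py <certificate-file> <expected-fingerprint>")
    ok = check_file(sys.argv[1], sys.argv[2])
    print("fingerprint matches, safe to import" if ok else "MISMATCH: do not import")
    sys.exit(0 if ok else 1)
```

Only import the file when the script reports a match; a mismatch means the file was altered or replaced in transit, and the SSO wizard itself would not detect that.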
This section describes how to manually import the certificate file you received from the ticket-issuer system.
1. Open the SSO wizard using the following URL: http://<host>:<port>/sso2

Alternatively, you can access the wizard by logging on to the SAP NetWeaver Administrator tool and navigating to the Trusted Systems area.
2. In the wizard, choose Add Trusted System → By Uploading Certificate Manually.
3. Enter the system ID and client ID of the ticket-issuer system:
○ System ID: Indicates the 3-letter ID defined during the installation of the system.
○ Client: Indicates the client ID as specified in the login.ticket_client property of the UME Provider in the portal. For a Java stack, the default client ID is 000; however, in an Add-In installation, the client ID must be unique and therefore cannot be 000. For more information, see Specifying the Client to Use for Logon Tickets.
4. In the Certificate File field, browse to the location where you stored the portal certificate file obtained from the ticket-issuer system.
5. Click Next and then Finish.
More Information:
● Configuring the AS Java to Accept Logon Tickets
● Checking or Updating the Certificates of Trusted Systems