Configuring UME Policies and Authentication Templates

Use

Before you can use Single Sign-On for the CAF repository manager, you must configure the policy configurations of the security provider in the Application Server Java (AS Java). These settings restrict and manage access to resources deployed on the AS Java.

Procedure

Configuring the CAF Authentication Templates

       1.      Launch the CAF AS Java Visual Administrator.

       2.      Choose Cluster → Server → Services → Security Provider → Runtime → Policy Configuration.

       3.      Select the evaluate_assertion_ticket template and add the following options to EvaluateAssertionTicketLoginModule:

          -  trustedsys: <the name of the KM AS Java system>,000 (for example: EP6,000)

          -  trustediss: <the distinguished name of the issuer from the ticket certificate of the KM system> (this is the value of the field issuerDN; for example: OU=J2EE,CN=EP6)

          -  trusteddn: <the distinguished name of the subject from the ticket certificate of the KM system> (this is the value of the field DN; for example: OU=J2EE,CN=EP6)

Note

If the trustedsys, trustediss and trusteddn options are already used for trusting another system, you may use trustedsys1, trustediss1 and trusteddn1, or trustedsys2, trustediss2 and trusteddn2, and so on.

       4.      Repeat the previous step for the ticket template and its EvaluateTicketLoginModule.

       5.      Select the sap.com/caf~runtime~ear*CAFDataService_config component and set Authentication → Authentication template to ticket.

       6.      Set Authentication → Authentication template to evaluate_assertion_ticket for the following components, if they exist:

       sap.com/caf~km.ep.kmnodesvc*KMBaseServiceStdrWS_Config1

       sap.com/caf~km.ep.kmnodesvc*KMNodeServiceSnrdWS_Config1

       sap.com/caf~km.ep.kmnodesvc*KMRelationSvcStdrWS_Config1

Configuring the KM Authentication Templates

       1.      Launch KM AS Java Visual Administrator.

       2.      Choose Cluster → Server → Services → Security Provider → Runtime → Policy Configuration.

       3.      Select the evaluate_assertion_ticket template and add the following options to EvaluateAssertionTicketLoginModule:

          -  trustedsys: <the name of the CAF AS Java system>,000 (for example: CAF,000)

          -  trustediss: <the distinguished name of the issuer from the ticket certificate of the CAF system> (this is the value of the field issuerDN; for example: OU=J2EE,CN=CAF)

          -  trusteddn: <the distinguished name of the subject from the ticket certificate of the CAF system> (this is the value of the field DN; for example: OU=J2EE,CN=CAF)

Note

If the trustedsys, trustediss and trusteddn options are already used for trusting another system, you may use trustedsys1, trustediss1 and trusteddn1, or trustedsys2, trustediss2 and trusteddn2, and so on.

       4.      Repeat the previous step for the ticket template and its EvaluateTicketLoginModule.

       5.      Select the sap.com/caf~runtime~ear*CAFDataService_config component and set Authentication → Authentication template to evaluate_assertion_ticket.

       6.      Set Authentication → Authentication template to evaluate_assertion_ticket for the following components:

       sap.com/caf~km.ep.kmcollaborationsvc*KMCollaborationSvcStrdWS_Config1

       sap.com/caf~km.ep.kmindexsearchsvc*KMIndexSvcStdrWS_Config1

       sap.com/caf~km.ep.kmnodesvc*KMNodeServiceStrdWS_Config1

       sap.com/caf~km.ep.kmnodesvc*KMBaseServiceStdrWS_Config1

       sap.com/caf~km.ep.kmnodesvc*KMNodeServiceSnrdWS_Config1

       sap.com/caf~km.ep.kmnodesvc*KMRelationSvcStdrWS_Config1

       sap.com/caf~km.ep.kmnotifsvc*KMNotificationSvcStrdWS_Config1

       sap.com/caf~km.ep.uploadsvc*CleanJobSnrdWS_Config1
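
The trust options entered in step 3 of both procedures only work as complete sets, so it helps to review them before testing Single Sign-On. The following check is an added example, not SAP code: it assumes the options of one login module were copied by hand into a dictionary, and the names check_trust_options and dn_ok are hypothetical.

```python
import re

# Assumption: the options are copied by hand from the login module's option
# table into a dict; Visual Administrator itself is not queried.
OPTION = re.compile(r"^(trustedsys|trustediss|trusteddn)(\d*)$")
# Assumption: three-character system ID plus three-digit client, e.g. "EP6,000".
SYS_FORMAT = re.compile(r"^[A-Z][A-Z0-9]{2},\d{3}$")


def dn_ok(dn):
    """True if every comma-separated part looks like ATTR=value (escaped commas not handled)."""
    parts = [p.strip() for p in dn.split(",")]
    return all(re.match(r"^[A-Za-z]+=.+$", p) for p in parts)


def check_trust_options(options):
    """Return a sorted list of problems found in one login module's trusted* options."""
    groups = {}  # suffix ("" or "1", "2", ...) -> {option kind: value}
    for name, value in options.items():
        m = OPTION.match(name)
        if m:
            groups.setdefault(m.group(2), {})[m.group(1)] = value.strip()
    problems = []
    if not groups:
        problems.append("no trusted system configured")
    for suffix, group in groups.items():
        label = "trusted*" + suffix
        for kind in ("trustedsys", "trustediss", "trusteddn"):
            if kind not in group:
                problems.append(f"{label}: {kind}{suffix} is missing")
        if "trustedsys" in group and not SYS_FORMAT.match(group["trustedsys"]):
            problems.append(f"{label}: trustedsys{suffix} is not <system>,<client>")
        for kind in ("trustediss", "trusteddn"):
            if kind in group and not dn_ok(group[kind]):
                problems.append(f"{label}: {kind}{suffix} is not a distinguished name")
    return sorted(problems)


# Constructed sample: the CAF side trusting KM system EP6, plus a second,
# incomplete entry with a malformed trustedsys1 (no client number).
sample = {
    "trustedsys": "EP6,000",
    "trustediss": "OU=J2EE,CN=EP6",
    "trusteddn": "OU=J2EE,CN=EP6",
    "trustedsys1": "BW1",
    "trustediss1": "OU=J2EE,CN=BW1",
}

if __name__ == "__main__":
    for problem in check_trust_options(sample):
        print(problem)
```

Run the check once per login module (EvaluateAssertionTicketLoginModule and EvaluateTicketLoginModule) on each system, since step 4 requires the same options in both templates.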

 
