
Configuring the J2EE Engine to Accept Logon Tickets

Use

The J2EE Engine uses the EvaluateTicketLoginModule to accept logon tickets for SSO. After receiving the logon ticket from the user’s Web browser, the J2EE Engine verifies the ticket’s digital signature with the public-key certificate of the issuing system, that is, on the basis of the trust relationship established with that system. Only if the signature verifies and the ticket is valid does the J2EE Engine authenticate the user named in the ticket, without requesting a password.

Note

If you use authentication assertion tickets for SSO between the AS ABAP and the J2EE Engine, the corresponding module is EvaluateAssertionTicketLoginModule.

Prerequisites

To check the validity of a user’s logon ticket, the J2EE Engine must be able to verify the issuing server’s digital signature.

      If the J2EE Engine is both the ticket-issuing and the ticket-accepting server, it can verify its own digital signature automatically.

      If the ticket-issuing server is a different system, that system’s public-key certificate must be available in the keystore view that the J2EE Engine uses for verifying logon tickets. A ticket whose issuer is not in that view, or whose signature does not verify with the stored certificate, is rejected.
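The check described by these prerequisites, verifying a ticket’s signature with the trusted system’s certificate and refusing anything else, as an added example in Go. This is not SAP code: the ticket layout (system ID, client, user, expiry, signature), the names Ticket, TrustStore, Issuer, NewIssuer, Issue and Evaluate, and the use of ECDSA P-256 keys with self-signed certificates are assumptions made for illustration; real SAP logon tickets use a different encoding. The trusted system and ticket in main are constructed inside the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Ticket is a simplified stand-in for a logon ticket. Its layout (system ID,
// client, user, expiry, signature) is an assumption here, not SAP's encoding.
type Ticket struct {
	SysID, Client, User string
	Expires             time.Time
	Signature           []byte // DER-encoded ECDSA signature over payload()
}

// payload is the byte string the issuer signs and the acceptor verifies.
func (t Ticket) payload() []byte {
	return []byte(t.SysID + "\x00" + t.Client + "\x00" + t.User + "\x00" + t.Expires.UTC().Format(time.RFC3339))
}

// TrustStore models the keystore view of trusted systems: each issuing
// system, identified by system ID and client, maps to its certificate.
type TrustStore map[string]*x509.Certificate

func trustKey(sysID, client string) string { return sysID + "/" + client }

// Evaluate applies the checks the accepting engine must make: the ticket names a
// trusted system, that system's certificate is valid now, the signature verifies
// with its public key, and the ticket has not expired. It returns the user.
func Evaluate(ts TrustStore, t Ticket, now time.Time) (string, error) {
	cert, ok := ts[trustKey(t.SysID, t.Client)]
	if !ok {
		return "", fmt.Errorf("system %s client %s is not trusted", t.SysID, t.Client)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", fmt.Errorf("certificate of %s is not valid at %s", t.SysID, now)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("certificate of %s does not hold an ECDSA key", t.SysID)
	}
	digest := sha256.Sum256(t.payload())
	if !ecdsa.VerifyASN1(pub, digest[:], t.Signature) {
		return "", fmt.Errorf("ticket signature does not verify")
	}
	if now.After(t.Expires) {
		return "", fmt.Errorf("ticket expired at %s", t.Expires)
	}
	return t.User, nil
}

type Issuer struct {
	SysID, Client string
	Key           *ecdsa.PrivateKey
	Cert          *x509.Certificate
}

// NewIssuer creates a P-256 key pair and a one-year self-signed certificate.
func NewIssuer(sysID, client string, notBefore time.Time) (*Issuer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: sysID},
		NotBefore: notBefore, NotAfter: notBefore.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{SysID: sysID, Client: client, Key: priv, Cert: cert}, nil
}

// Issue signs a ticket for user that is valid until expires.
func (is *Issuer) Issue(user string, expires time.Time) (Ticket, error) {
	t := Ticket{SysID: is.SysID, Client: is.Client, User: user, Expires: expires}
	digest := sha256.Sum256(t.payload())
	sig, err := ecdsa.SignASN1(rand.Reader, is.Key, digest[:])
	t.Signature = sig
	return t, err
}

func main() {
	now := time.Now()
	abap, _ := NewIssuer("AB1", "000", now.Add(-time.Hour)) // constructed trusted system
	tkt, _ := abap.Issue("jdoe", now.Add(8*time.Hour))
	fmt.Println(Evaluate(TrustStore{trustKey("AB1", "000"): abap.Cert}, tkt, now))
}
```

The trust store is keyed by system ID and client, exactly the two values the wizard asks for, and a ticket from a system with the same name but a different key fails the signature check. That is why the certificate details shown by the wizard deserve a look before you choose Finish: whatever certificate ends up in the store decides which signer is believed.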

Procedure

The Trusted Systems functions of the SSO Wizard in the SAP NetWeaver Administrator let you manage the trust relationships for SSO with logon and assertion tickets in a wizard-based way. The configuration changes made with the wizard have a global effect on ticket-based SSO to the J2EE Engine: a ticket-issuing system added here is trusted for the whole engine, not for a single application.

       1.      Open the SSO Wizard.

Note the following:

       If the ticket-accepting system is SAP NetWeaver 7.0 SP14 or higher, you can access the SSO Wizard by following the path System Management Configuration Trusted Systems.

       If the ticket-accepting system is SAP NetWeaver 7.0 SP13 or lower, you must first deploy the SSO Wizard. More information: SAP note 1083421.

The system which you configure is displayed in the Selected Accepting System section.

There are two ways to add a trusted system:

       By connecting to the system and requesting its certificate.

Caution

If the ticket-issuing system is SAP NetWeaver 2004 SP20 or lower, or SAP NetWeaver 7.0 SP13 or lower, you must configure it so it can send a response to the certificate request. More information: SAP note 1083421.

       By manually uploading the certificate of the system.

Adding a Trusted System by Connecting to It

                            a.      In the Trusted Systems section, choose Add Trusted System By Querying Trusted System.

                            b.      The System Landscape Directory (SLD) opens automatically and lets you select the system you want to add. Select the system and choose OK. The connection details for the selected system are displayed automatically.

Note

If you cannot find the system you want to add, choose Cancel and provide the connection details:

                                                  i.       Select the type of the system from the System Type dropdown list.

                                                ii.       Enter the necessary connection details.

Note

If you add an AS ABAP system, the System Number field appears. You can take the system number of an ABAP system from its license key, which you received from SAP.

                            c.      Enter your user name and password in the provided fields and choose Next.

                            d.      The details of the selected system’s certificate appear. Before you choose Finish, check that the subject, issuer, serial number and validity period belong to the system you intend to trust: once the system is added, every logon ticket signed with the key of this certificate is accepted. To add the system, choose Finish. If you want to make changes, choose Back.

Adding a Trusted System by Manually Uploading its Certificate

Before you start the following procedure, you must export the trusted system’s certificate. More information: Exporting the Ticket-Issuing Server's Public-key Certificate.

...

                            a.      In the Trusted Systems section choose Add Trusted System By Uploading Certificate Manually.

                            b.      Enter the System ID and Client in the provided fields.

                            c.      Browse to the location of the system’s certificate. Select the certificate and choose Open.

                            d.      Choose Next. The information about the system and the certificate is displayed. Check that the certificate is the one you exported from the issuing system and that the System ID and Client match the system that signs the tickets; a mismatch means its tickets will be rejected, and a wrong certificate means a different signer is trusted. To add the system as trusted, choose Finish. If you want to make changes, choose Back.

       2.      Add the login module EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) to the login module stacks of the J2EE Engine policy configurations for the application components that are to accept logon tickets for SSO. To do this, use the Security Provider Service of the Visual Administrator.

                            a.      In the Security Provider Service choose Runtime Policy Configurations Authentication tab.

                            b.      Select the policy configuration for the application component to accept logon tickets from the Components list.

                            c.      Choose the Switch to edit mode button.

                            d.      Choose Add New. The list of available login modules for the component appears.

                            e.      Choose the EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) from the list and choose OK.

Note

If you change the options of a login module in the user store, all policy configurations that use this login module inherit the changes.

If you change the options of a login module in a single policy configuration, the change applies only to that policy configuration, which then no longer inherits its options from the user store. To restore the inheritance, change the options in the policy configuration or in the user store so that they are identical again.

Result

After you complete the wizard, the ticket-issuing system is shown in the Trusted Systems list. The J2EE Engine accepts logon tickets that have been issued by the corresponding server.

More Information

Checking or Updating the Certificates of Trusted Systems

Testing the Use of Logon Tickets

Sample Login Module Stacks for Using Logon Tickets
