Show TOC Start of Content Area

Procedure documentation Adjusting the Login Module Stacks for Using Logon Tickets  Locate the document in its SAP Library structure

Use

When a user is authenticated on the J2EE Engine, the server processes the stack of login modules that apply to the application that the user accesses. If the user is to receive a logon ticket after authentication, then you must adjust the login module stack for such applications to include the login module for creating tickets.

We deliver the login modules for creating and verifying logon tickets with the UME or DBMS user stores. The modules are named CreateTicketLoginModule and EvaluateTicketLoginModule for creating and verifying logon tickets respectively. We also deliver the authentication template ticket, which contains these modules in the correct order for using logon tickets and which you can use as a template for your other applications.

Note

When using the authentication assertion ticket for system connections between the SAP Web AS ABAP and a J2EE Engine, the corresponding login module and template are EvaluateAssertionTicketLoginModule and evaluate_assertion_ticket respectively.

Using Templates

You can either adjust individual login module stacks, or you can adjust any of the corresponding policy configuration templates (basic, form, client_cert, digest, ticket,evaluate_assertion_ticket). If you change any of these templates, then any applications that use these templates for their login modules are then also automatically configured accordingly. For more information, see Managing Authentication Modules and Using Authentication Templates.

Example

Examples

·         If most or all of your applications use the basic template for authentication, then adjust the basic template to contain the ticket-relevant login modules.

·         If the J2EE Engine should not create logon tickets, but only verify those created by a different server, then assign the module EvaluateTicketLoginModule to the corresponding applications or templates.

·         If only certain applications should use logon tickets, but for both creating and accepting them, then assign the authentication template ticket to these applications.

For additional examples, see Sample Login Module Stacks for Using Logon Tickets.

Prerequisites

The login modules CreateTicketLoginModule,  EvaluateTicketLoginModule, and EvaluateAssertionTicketLoginModule exist in the active user store. These modules are delivered with the UME user store and the DBMS user store. For the UME user store, they are prefixed with com.sap.security.core.server.jaas.

Procedure

Adjusting the Login Module Stacks Manually

If you want to adjust any of the templates, for example, basic, or if you want to adjust the login module stacks for individual applications, then adjust them according to the procedure below.

Using the Security Provider service:

...

       1.      Choose the Policy Configuration tab page.

       2.      For each template or application that is to be able to create logon tickets, select the template or application and choose the Authentication tab page. Adjust the login module stack accordingly:

                            a.      Add the login module CreateTicketLoginModule to the login module stack.

                            b.      Move the CreateTicketLoginModule in the stack so that it takes place after the login module that actually authenticates the user, for example, BasicPasswordLoginModule. (Choose Modify and adjust the position.)

                            c.      Assign it the flag SUFFICIENT.

                            d.      Also assign the authenticating module (for example, BasicPasswordLoginModule) the flag OPTIONAL.

       3.      For each template or application that is to accept logon tickets, select the template or application and choose the Authentication tab page. Adjust the login module stack accordingly:

                            a.      Add the login module EvaluateTicketLoginModule to the login module stack.

                            b.      Move this login module to occur at the beginning of the login stack, for example, before an alternative login module such as BasicPasswordLoginModule. If the user does not present a valid logon ticket or the ticket cannot be accepted, then the server processes this login module.

                            c.      Assign it the flag SUFFICIENT.

       4.      To make sure the login modules take effect when the application is accessed, use the Application Tracing service to restart the affected applications.

Adjusting the Login Module Stacks Using the ticket Template

To adjust the login module stacks using the ticket template, use the procedure below.

Using the Security Provider service,

...

       1.      Choose the Policy Configuration tab page.

       2.      For each application that is to be able to create logon tickets, select the template or application and choose the Authentication tab page.

       3.      In the Authentication template field, select the component ticket from the list of templates and applications.

       4.      The login module stack specified by the ticket component appears. It is specified with the following modules and flags:

Ticket Login Module Stack

Login Modules

Flag

EvaluateTicketLoginModule

SUFFICIENT

BasicPasswordLoginModule

REQUISITE

CreateTicketLoginModule

OPTIONAL

Note

When using this login module stack, the J2EE Engine first checks to see if the user presents a valid logon ticket. If this is the case, the J2EE Engine accepts the logon ticket and stops further processing.

If no logon ticket exists for the user, then the J2EE Engine authenticates the user using Basic Authentication. If successful, then the user is issued a logon ticket.

       5.      To make sure the login modules take effect when the application is accessed, use the Application Tracing service to restart the affected applications.

Adjusting the Login Module Stacks for Using Authentication Assertion Tickets

For applications that are to accept authentication assertion tickets:

...

       1.      Select the application and choose the Authentication tab page.

       2.      Either specify that the application is to use the evaluate_assertion_ticket template or add the login module EvaluateAssertionTicketLoginModule to the application’s login module stack.

If the login module stack only contains this module, then its flag should be set to REQUIRED. This is the default in the template.

       3.      If you want to include additional login modules (for example, to check for Basic Authentication if no authentication assertion ticket is provided, then modify the login module stack accordingly. Move the login module EvaluateAssertionTicketLoginModule so that it occurs at the beginning of the login stack and assign it the flag SUFFICIENT.

Result

When the user accesses the application, it processes the login module stack as specified. If it processes the module CreateTicketLoginModule after successfully authenticating the user, then it creates a logon ticket for the user. If it processes either of the evaluate modules, then it verifies the an incoming logon or authentication assertion ticket.

As part of this verification process, the issuing server’s digital signature is checked. Therefore, before the J2EE Engine can accept logon tickets from other servers, you must import the other server’s public-key certificate into the J2EE Engine’s keystore and maintain the access control list for logon tickets. See Configuring the J2EE Engine to Accept Logon Tickets.

 

End of Content Area