Configure Sso
If an Adapter Engine (SOAP adapter or RFC adapter) is involved, a trust relationship must also
be established between this Adapter Engine and the Integration Server.
Therefore, the Adapter Engine (based on AS Java) and the Integration Server (based on AS
ABAP) both act as server [S] and client [C], as shown in the following diagram:
[S]Adapter Engine[C] [S]IS[C] [S]Adapter Engine[C]
For the central Adapter Engine, this client (the J2EE Engine client used for logon tickets, set as login.ticket_client below) must be different from every ABAP client of the Integration Server. Since client 000 exists on every AS ABAP system, the default value 000 must be changed in any case.
For the non-central Adapter Engine, you can use the default client 000, provided that there are
no conflicts due to a double-stack installation.
Proceed as follows:
...
a. Call the Visual Administrator and choose the Security Provider service.
b. Choose User Management Tab → Manage Security Stores →
CreateAssertionTicketLoginModule → View/Change Properties.
c. Set the property ume.configuration.active = true.
d. Choose the Configuration Adapter service to specify the corresponding client and ticket
keystore.
e. Choose cluster_data → server → cfg → services and switch to edit mode.
f. Choose the property sheet com.sap.security.core.ume.services and set the following
properties:
■ login.ticket_client = <client>
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/45/341a2176b74002e10000000a1... 10/13/2010
Configuring a Trust Relationship for SAP Assertion Tickets (SAP Library - Configura... Page 2 of 4
For the central Adapter Engine, this client must be different from any defined ABAP client.
■ login.ticket_portalid = auto
See also Specifying the J2EE Engine Client to Use for Logon Tickets in the SAP NetWeaver Security
Guide.
2. Install the J2EE server certificate
To issue SAP assertion tickets, the AS Java must sign them with a digital signature. For this purpose, a
private key must be created together with a certificate containing the public key and imported into the
J2EE keystore.
Proceed as follows:
...
a. Choose the Configuration Adapter service to specify the corresponding client and ticket
keystore.
b. Choose cluster_data → server → cfg → services and switch to edit mode.
c. Choose the property sheet com.sap.security.core.ume.services and set the following
properties:
■ login.ticket_keyalias = SAPLogonTicketKeypair
■ login.ticket_keystore = TicketKeystore
d. Choose the Key Storage service.
e. Create a self-signed private/public key pair under the corresponding keystore view/alias as
follows:
TicketKeystore/SAPLogonTicketKeypair with the CN field set to the system ID of the
J2EE Engine.
See also Replacing the Public-Key Certificate to Use for Logon Tickets in the SAP NetWeaver
Security Guide.
a. On the Integration Server, call transaction STRUST to export the SAP assertion ticket
certificate (see the AS ABAP: Client Side section below).
b. Double-click System PSE in the navigation area.
c. Double-click the displayed own certificate in the upper group box.
d. Choose Export certificate in the lower group box and use file format Binary and file
extension .crt for the export.
To import a client certificate into the AS Java, proceed as follows:
...
Since the RFC adapter does not use a dedicated login module stack, the ACL must be globally
configured as described above.
3. Check the EvaluateAssertionTicketLoginModule.
The central user store configuration of the previous step can be overwritten in the individual module
stacks where the EvaluateAssertionTicketLoginModule can be configured explicitly. Therefore, you
should check that the login module stacks for the SOAP and XI adapters are correct. The login modules
are installed in the security provider service.
Proceed as follows:
a. In the Visual Administrator, choose the Security Provider service.
b. Choose the tab pages Runtime → Policy Configurations.
c. Check in the following policy configurations whether the EvaluateAssertionTicketLoginModule is the
first module in the list and is marked as SUFFICIENT:
SOAP Adapter:
■ sap.com/com.sap.aii.af.soapadapter*XISOAPAdapter
XI Adapter:
■ sap.com/com.sap.aii.af.ms.app*MessagingSystem
d. Check whether the ACL properties of the previous step are correctly set for the
EvaluateAssertionTicketLoginModule.
For the RFC adapter, this step is not required, since it does not use a dedicated login module
stack.
The necessary steps to enable the AS ABAP server side to accept SAP assertion tickets are as follows:
...
1. Call transaction RZ11 to check whether the login/accept_sso2_ticket parameter has the value
1.
2. For each message-sending client, import the client certificate as follows:
a. Call transaction STRUST and open the System PSE folder.
b. In the certificate list, import the public-key certificate of the J2EE Engine that signs the SAP
assertion tickets (the certificate of the key pair created in step 2 on the AS Java).
3. For each message-sending client, maintain the access control list (ACL):
a. Call transaction STRUSTSSO2.
b. Add the system ID, client, and distinguished name of the client's certificate.
For more information, see Configuring SAP Web AS ABAP to Accept Logon Tickets from the J2EE Engine
in the SAP NetWeaver Security Guide.
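The following shell script is an added example, not part of the SAP Library page, that ties step 2e on the AS Java (self-signed key pair with CN = system ID, exported in Binary/DER format) to steps 2 and 3 on the AS ABAP side (import of that certificate and the STRUSTSSO2 ACL entry). It uses openssl to stand in for the Key Storage service and STRUST; the J2EE system ID XJ1, the ticket client 001, the file names and the tab-separated ACL file are all constructed for illustration and are not SAP's own formats.

```shell
#!/bin/sh
# Added example (not from the SAP Library page): model the trust set-up with openssl.
# Assumptions: J2EE system ID "XJ1", ticket client "001" and the ACL file layout
# are illustrative; STRUSTSSO2 keeps its ACL in a database table, not in a file.
set -e

WORK="${TMPDIR:-/tmp}/sso2-trust-demo"
mkdir -p "$WORK"

# Step 2e: self-signed key pair whose CN is the system ID of the J2EE Engine.
# Prints the path of the DER file, which is what STRUST calls "Binary" format.
make_ticket_keypair() {   # $1 = system ID
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
  openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.crt"
  printf '%s\n' "$WORK/$1.crt"
}

# Subject DN of a DER certificate, in the "CN=..." form the STRUSTSSO2 entry needs.
cert_dn() {   # $1 = DER .crt file
  openssl x509 -inform DER -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}

# Constructed ACL: one line per trusted issuer, fields SID<TAB>client<TAB>DN.
ACL="$WORK/acl.txt"
printf 'XJ1\t001\tCN=XJ1\n' > "$ACL"

# Model of the AS ABAP check: login/accept_sso2_ticket must be 1 and the
# (issuer SID, issuer client, signer DN) triple of the ticket must be in the ACL.
acl_accepts() {   # $1 = login/accept_sso2_ticket, $2 = SID, $3 = client, $4 = DN
  [ "$1" = "1" ] || return 1
  grep -qxF "$(printf '%s\t%s\t%s' "$2" "$3" "$4")" "$ACL"
}

# Stand-alone run: create the key pair, show the DN for the ACL entry, try the checks.
CRT=$(make_ticket_keypair XJ1)
DN=$(cert_dn "$CRT")
echo "ACL entry for STRUSTSSO2: SID=XJ1 client=001 DN=$DN"
for c in 001 000; do
  if acl_accepts 1 XJ1 "$c" "$DN"; then
    echo "ticket from XJ1 client $c: accepted"
  else
    echo "ticket from XJ1 client $c: rejected"
  fi
done
```

The DN printed by cert_dn is the value to enter in STRUSTSSO2 together with the system ID and client; the loop shows that a ticket issued from a client not listed in the ACL (here 000, the default that step 1 says must be changed for the central Adapter Engine) is rejected even though the certificate is trusted, and acl_accepts with a first argument of 0 models an AS ABAP where login/accept_sso2_ticket is not set.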