SSO Configuration between ABAP and JAVA AS (Logon Tickets) – Step-by-step procedure
SAP 4.0B, 4.5B, 4.6D, 6.40 and 7x kernel release systems.
This document will guide you through setting up Single Sign-On between ABAP and Java Application Servers. In this document the Portal is the Java system and BI is the ABAP system.
Author(s): Siva Kumar Arivinti
Company: Deloitte Consulting India Pvt Ltd.
Created on: 30 March 2012
Siva Kumar Arivinti is currently working with Deloitte Consulting India Pvt Ltd. as a Consultant in the AMS service line.
He is an SAP NetWeaver Consultant with 6+ years of experience in SAP NW Basis and DB2 DBA administration.
His expertise covers production support, installations and Software Life Cycle Management, including EHP/release upgrades.
To provide for Single Sign-On to multiple systems, a user can be issued a logon ticket after being authenticated on the SAP System. This ticket can then be presented to other systems (SAP or non-SAP) as an authentication token. Instead of having to provide a user ID and password for authentication, the user is allowed access to the system after the system has verified the logon ticket.
a. Maintain the following instance profile parameters.
b. Users need to have the same user ID in all of the systems they access using the logon ticket. Passwords do not have to be the same in all systems.
c. End users need to configure their Web browsers to accept cookies.
d. Any Web servers or SAP Web AS servers that are to accept the logon ticket as the authentication mechanism must be placed in the same DNS domain as the issuing server. The logon ticket cannot be used for authentication to servers outside of this domain.
e. The issuing server must possess a public and private key pair and public-key certificate so that it can digitally sign the logon ticket.
SAP System application servers (including the SAP Web AS) receive a key pair and a self-signed public-key certificate during the installation process. By default, the system uses the system Personal Security Environment (system PSE) to store these keys; however, you may need to use a different PSE in the following cases:
– If the system has been upgraded from a Release <= 4.6B, then the PSE used for logon tickets is the SAPSSO2 PSE.
– If you have defined an explicit PSE to use for logon tickets, then this PSE (as specified in the table SSFARGS) is used.
f. Systems that accept logon tickets must have access to the issuing server’s public-key certificate so that they can verify the digital signature provided with the ticket.
Depending on the type of certificate you use, the server’s certificate is either sent with the logon ticket to the accepting system or the information is entered in the accepting system’s certificate list. We provide a configuration tool, the SSO administration wizard (transaction SSO2), that automatically establishes the appropriate configuration for the accepting system.
I. Export Certificate from JAVA AS
1. Open the Visual Administrator and go to Server -> Services -> KeyStorage -> TicketKeystore.
2. Choose SAPLogonTicketKeypair-cert and press Export (the Export button in the Entry area).
Note: Choose either X.509 or Base64 Encoded Format.
II. Import JAVA AS certificate into backend ABAP AS.
1. Execute transaction code STRUSTSSO2 in client 000.
2. Choose Certificate -> Import from the menu.
3. Browse to the path where the JAVA AS certificate was saved in step I and continue.
4. Once JAVA AS certificate details are displayed under Certificate area, click on Add to Certificate List button as shown below.
5. Click the button Add to ACL to maintain Java certificate in Access Control List.
Specify your Java SID in the System ID field and 000 in the Client field.
Note: 000 is the default client for JAVA AS.
6. Click on SAVE.
Note: The certificate also has to be added to the ACL while logged on to the production client, otherwise SSO won't work. In other words, first add it from client 000 and then repeat the step from the production client (e.g. 100). In both cases the ACL entry uses SID = JAVA SID and client = 000.
III. Export ABAP certificate and Import into JAVA AS
1. Execute transaction STRUSTSSO2, double-click the Owner Certificate and choose Export to save the certificate with the .crt extension.
2. Log in to the Visual Administrator, choose Server -> Services -> KeyStorage -> TicketKeystore, press Load and choose the certificate.
3. Maintain backend ABAP system details in Java ACL as follows.
a. Choose Server -> Services -> Security Provider -> Ticket
b. Go to Change Mode, select com.sap.security.core.server.jaas.EvaluateTicketLoginModule, click on Modify button and add the entries as follows.
ume.configuration.active = true
trustedsys<n>= <ABAP SID>, <Prod. Client>
trustediss<n>= CN=<ABAP SID>
trusteddn<n>= CN=<ABAP SID>
Note: Two sets of the above entries are needed, each with its own index <n>: one for client 000 and one for the production client.
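The following script is an added example, not part of the original document or of any SAP tool: it checks an exported set of EvaluateTicketLoginModule options against the rules above (two trustedsys sets per ABAP system, one for client 000 and one for the production client, with trustediss/trusteddn equal to CN=<ABAP SID>). The SID BIP, the production client 100 and the sample option values are constructed assumptions.

```python
import re

# Constructed sample of the EvaluateTicketLoginModule options (assumed values,
# not taken from a real system): SID "BIP", production client "100".
SAMPLE_OPTIONS = {
    "ume.configuration.active": "true",
    "trustedsys1": "BIP, 000",
    "trustediss1": "CN=BIP",
    "trusteddn1": "CN=BIP",
    "trustedsys2": "BIP, 100",
    "trustediss2": "CN=BIP",
    "trusteddn2": "CN=BIP",
}

_KEY = re.compile(r"^trusted(sys|iss|dn)(\d+)$")


def parse_trusted_entries(options):
    """Group trustedsys<n>, trustediss<n> and trusteddn<n> by their index n."""
    entries = {}
    for key, value in options.items():
        m = _KEY.match(key)
        if m:
            entries.setdefault(int(m.group(2)), {})[m.group(1)] = value.strip()
    return entries


def check_ticket_acl(options, abap_sid, prod_client):
    """Return a list of findings; an empty list means the ACL matches the documented setup."""
    findings = []
    if options.get("ume.configuration.active", "").strip().lower() != "true":
        findings.append("ume.configuration.active is not true")
    clients_seen = set()
    for n, e in sorted(parse_trusted_entries(options).items()):
        if "sys" not in e:
            findings.append(f"set {n}: trustedsys{n} missing")
            continue
        parts = [p.strip() for p in e["sys"].split(",")]
        if len(parts) != 2:
            findings.append(f"set {n}: trustedsys{n} must be '<SID>, <client>'")
            continue
        sid, client = parts
        if sid != abap_sid:
            continue  # entry for some other trusted system; not checked here
        clients_seen.add(client)
        for field in ("iss", "dn"):  # both must name the ABAP system's certificate DN
            if e.get(field) != f"CN={abap_sid}":
                findings.append(f"set {n}: trusted{field}{n} should be CN={abap_sid}, got {e.get(field)!r}")
    for client in ("000", prod_client):  # the note above: one set per client
        if client not in clients_seen:
            findings.append(f"no trustedsys entry for {abap_sid} client {client}")
    return findings
```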