Using SSO to access ABAP Search Help in Process Orchestration
In ABAP, you may find search helps defined to make it easy for the end user to select values from a list. This is highly useful in avoiding typographical errors, and it also spares the user from having to remember specific values. Another advantage is the speed of filling in the form; these time savings compound when the form has a significant number of fields.
You will often encounter the same need when filling in fields of NetWeaver BPM task UI forms. If these values can be supplied from a backend, BPM Value Help, available in SAP Process Orchestration as of SAP NetWeaver 7.3 EhP1 SP10, is a very handy feature that significantly simplifies the entry of these form fields.
Using the search help defined in the backend
Before you can use a search help defined within the ABAP backend (thereby promoting re-use and hence reducing the TCO), you need to configure the NW BPM Value Help in NetWeaver Administrator. The steps involved in this configuration are:
- Creation of a new ABAP Alias
- Assignment of role(s) allowed to access the Alias
- (Optional) Filter definition for the Alias
A Value Help Alias is an indirection that allows you to decouple the development of the BPM Task UI from the configuration of the Value Help. It also gives you fine-grained access control over the help values.
The Alias needs to be bound to the ABAP Search Help by providing the details that resolve the Search Help at runtime. One of the parameters that must be provided during alias creation is an NWA Destination of type RFC. I will refrain from going into too many details of creating an alias as you can refer to those on a related blog or the help documentation. The focus of this blog is using SSO as the authentication mechanism.
1 Connect to the backend
In order to connect to the backend, you need to create a destination of type RFC in NWA.
Navigate to the Destinations application in NWA as follows:
- Log in to NWA and select the Configuration tab
- Select the Connectivity sub-menu
- Click on Destination
Now you are ready to create a destination.
1.1 Create a Destination
- Click the Create button and fill in the details
- Destination Name: Provide a name for the Destination
- Destination Type: Select RFC as the Destination type
1.2 Provide connection details
- Load Balancing: select No (For simplicity, we will not be using Load Balancing here).
- Fill in the rest of the details corresponding to the screenshots below
1.3 Configure user details
- To use SSO, choose Current User (Assertion Ticket) for the Authentication field (refer to the image below)
- Provide additional details and save the Destination
- If you have already imported the J2EE server certificate into the ABAP server, you should be able to ping the destination (a user with the same name as the logged-on user must exist in the ABAP system)
- If you have not yet imported the certificates from the J2EE server, follow the steps in the next section for the SSO set-up.
2 Preparing the ABAP system to accept SSO communication from J2EE server
SSO communication is based on a trust relationship between two systems. To establish it, the two systems exchange certificates before communication can be initiated using SSO. In the case of NW BPM Value Help the request flows only one way, from the J2EE to the ABAP system, so only the ABAP system needs to import the certificate of the J2EE server. Here is the procedure to do that.
2.1 Prerequisites on the ABAP system
- The same username should exist on both the ABAP and J2EE systems
- Use Transaction RZ11 and make sure these values are set (refer to images below)
- Profile Parameter login/accept_sso2_ticket = 1
- Profile Parameter login/create_sso2_ticket = 0
2.2 Export the J2EE certificate
Now we export the SAPLogonTicketKeypair-cert entry from the J2EE key storage:
- Navigate to Configuration > Certificates and Keys
- Select the Key Storage Tab
- Filter for name TicketKeystore
- Select the row SAPLogonTicketKeypair-cert
- Click on Export Entry button
- Choose the export format as Base64 X.509
- Click on the download link and Save the file
2.3 Import the certificate to the ABAP System
- Run the Transaction STRUSTSSO2
- On the Certificate Menu, click Import
- Select the certificate from the filesystem that you had exported in the previous step
- Click Add to Certificate List
- Next, click Add to ACL. Provide the J2EE engine System ID, for example 001.
- Click Save
Once the ABAP system has been configured to accept the certificate of the J2EE server, you will be able to configure the NWA destination using SSO as described above. With this destination in place, you can look up the values of the Search Help.
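The procedure in sections 1.3 and 2 leaves a few things to verify by hand before the STRUSTSSO2 import and the destination ping: that the exported file really is a Base64 X.509 certificate, that it is currently within its validity period, that the two RZ11 parameters have the required values, and that the logged-on user also exists in ABAP. The following Python script is an added example, not code from this blog or from SAP, that performs those checks offline. It contains a minimal DER walker (just enough to reach the validity field of a certificate) and builds a constructed, unsigned certificate skeleton so it can run without a real export. The profile parameter values and the ABAP user list are passed in as plain Python data, which is an assumption, since those live on the ABAP side; `preflight`, `build_sample_pem` and the other function names are mine.

```python
import base64
import datetime as dt
import re

UTC = dt.timezone.utc
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# RZ11 values the blog requires on the ABAP side
REQUIRED_PARAMS = {"login/accept_sso2_ticket": "1", "login/create_sso2_ticket": "0"}

def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a constructed DER value into its child TLVs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def der_encode(tag, content):              # inverse of der_tlv; only used for the sample
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def parse_time(tag, val):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYY...)."""
    s = val.decode("ascii")
    if tag == 0x17:                        # RFC 5280 pivot: YY >= 50 -> 19YY, else 20YY
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def cert_validity(der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    tag, cert, end = der_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE, so not an X.509 certificate")
    kids = der_children(cert)
    if not kids or kids[0][0] != 0x30:
        raise ValueError("tbsCertificate missing")
    fields = der_children(kids[0][1])
    if fields and fields[0][0] == 0xA0:    # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    if len(fields) < 4 or fields[3][0] != 0x30:   # serial, signature, issuer, validity
        raise ValueError("tbsCertificate has no validity field")
    not_before, not_after = der_children(fields[3][1])
    return parse_time(*not_before), parse_time(*not_after)

def pem_to_der(text):
    """Strip the Base64 X.509 (PEM) framing produced by the NWA export."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE lines; export as Base64 X.509")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def preflight(pem_text, profile_params, abap_users, logon_user, now=None):
    """Return a list of findings; an empty list means the set-up can proceed."""
    now = now or dt.datetime.now(UTC)
    findings = []
    try:
        nb, na = cert_validity(pem_to_der(pem_text))
        if not nb <= now <= na:
            findings.append(f"certificate not valid on {now.date()} "
                            f"(valid {nb.date()} to {na.date()})")
    except (ValueError, IndexError) as e:
        findings.append(f"certificate: {e}")
    for name, want in REQUIRED_PARAMS.items():
        got = profile_params.get(name)
        if got != want:
            findings.append(f"RZ11 {name} is {got!r}, expected {want!r}")
    # ABAP user names are stored upper-case, so compare case-insensitively
    if logon_user.upper() not in {u.upper() for u in abap_users}:
        findings.append(f"user {logon_user} does not exist in the ABAP system")
    return findings

def build_sample_pem(not_before="240101000000Z", not_after="340101000000Z"):
    """Constructed, unsigned certificate skeleton with just enough structure to parse."""
    name = der_encode(0x30, der_encode(0x31, der_encode(0x30,
           der_encode(0x06, b"\x55\x04\x03") +                 # OID 2.5.4.3 commonName
           der_encode(0x0C, b"SAPLogonTicketKeypair-cert (constructed)"))))
    tbs = der_encode(0x30,
        der_encode(0xA0, der_encode(0x02, b"\x02")) +          # version v3
        der_encode(0x02, b"\x01") +                            # serialNumber
        der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
                   + der_encode(0x05, b"")) +                  # sha256WithRSAEncryption
        name +                                                 # issuer
        der_encode(0x30, der_encode(0x17, not_before.encode()) +
                   der_encode(0x17, not_after.encode())) +     # validity
        name)                                                  # subject; key and signature omitted
    b64 = base64.b64encode(der_encode(0x30, tbs)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

With a real export, call `preflight(open(path).read(), params, users, "JSMITH")` where `path` is the file saved in step 2.2; a non-empty list names what to fix before running STRUSTSSO2. The PEM check is deliberate: the blog asks for the Base64 X.509 export format, and a binary DER export would fail at the BEGIN/END CERTIFICATE framing rather than silently being imported as something else.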
3 Technical User vs SSO
Both approaches give you control over who can access the backend data, but the SSO option is more flexible. In the case of a technical user, the user accessing the Value Help utilizes the technical user's authorizations in the ABAP backend to access the values. This means that, in terms of connecting to and accessing the backend, all users accessing the Value Help (beyond the alias-level authorization) have the same level of authorization. This is good enough when the level of complexity is not too high.
In case you want more sophisticated control over the specific Value Helps in the ABAP backend, then SSO should be your choice. You can define different levels of authorization within the backend for the different users (the login user must also exist in ABAP) accessing the Value Helps.