Authentication Using Logon Tickets


  • 8/9/2019 Authentication Using Logon Tickets

    1/27

SAP NetWeaver

Demo

Configure Principal Propagation using Logon Tickets in NetWeaver Process Integration 7.1

Applied To: SAP NetWeaver Process Integration 7.1x and higher
Topic Area: SOA Middleware
Capability: Security
Version 1.0
March 2009


Applied To:

SAP NetWeaver Process Integration 7.1
SAP Application Server ABAP 7.1
SAP Application Server ABAP 7.0 SP14

Summary:

Single Sign-On has been one of the most popular security mechanisms wherever transport-level security is required. This document describes how principal propagation can be done for PI 7.1 systems.

Author: Neha Khasgiwale
Company: SAP GDC, Gurgaon
Created On: 17 Feb 2009

Author Bio

Neha Khasgiwale has been working in SAP GDC in SAP PI from 2007-2009. Prior to that she worked at IBM from 2005-2006.


Table of Contents

1. Business Scenario ................................. 1
1.1 Introduction ..................................... 1
1.2 Scenario Description ............................. 2
2. Background Information ............................ 3
2.1 Software ......................................... 3
2.1.1 Supported releases ............................. 3
3. Configuration Steps in Detail ..................... 4
3.1 Enabling Principal Propagation ................... 4
3.2 Enabling the Sender .............................. 4
3.3 Issue Logon tickets from the sender system ....... 5
3.4 Configure the System to accept login tickets ..... 6
3.5 Install Certificates in Client and Server system . 7
3.6 Directory Configurations ........................ 15


    How To Configure SAML Authentication Using PI 7.1 systems

    April 2009 1

1. Business Scenario

1.1 Introduction

Principal propagation means the ability to forward the user context of a message unchanged from the sender to the receiver. This implies that the receiver interface runs under the same identity as the sender. SAP logon tickets act as a flexible central authentication token in the SAP world and can be used for SSO to all SAP products in the back end.

SAP logon tickets provide authentication for various client and server components of the AS ABAP system. The user is authenticated using the logon ticket as the authentication token. The user only needs to be authenticated once (for example, using a valid user and password) and the system can then issue the logon ticket to the user. The SAP logon ticket is stored as a session cookie in the client browser. Authenticity and integrity are protected by a digital signature, whereas the confidentiality of the token in transport is protected through the use of the SSL protocol. As a third measure, the SAP logon ticket contains a validity period that can be configured in the security settings of the SAP application server.

This mechanism is highly beneficial in a complex system environment where there are many different types of SAP systems in the landscape. With the logon ticket the user can enter subsequent systems without the need to re-enter the user or password.

For SAP logon ticket authentication with client components (for example, SAP GUI for Windows), users must have the same user ID in all of the systems they need to access, and their web browsers must accept cookies.

For server authentication between server components, both the accepting systems and the issuing server must have synchronized system clocks. The issuing server must possess a public and private key pair so that it can digitally sign the logon ticket. The accepting systems must be in the same Domain Name Server (DNS) domain as the issuing server, and they must have the public-key certificate to verify the digital signature of the logon ticket.

It is recommended that you identify one system in your landscape as the ticket-issuing system before you configure other systems to accept tickets from it. By default, the Personal Security Environment (PSE) is used to store the certificates. You can configure the AS ABAP system to issue logon tickets by setting profile parameter login/create_sso2_ticket to 2.

If the AS ABAP system needs to accept logon tickets from a J2EE Engine, you need to install the SAP Cryptographic Library and set the same profile parameter on the AS ABAP system. In addition, you also need to manually import the J2EE Engine's public-key certificate into the PSE using transaction STRUST or STRUSTSSO2 (Trust Manager). Use transaction STRUSTSSO2 to add the J2EE Engine's system ID and its Distinguished Name to the access control list.

You would like to use this feature in your SAP NetWeaver PI 7.1 system.

Note

The SAP NetWeaver PI 7.1 system is referred to as the PI system, the WS provider system as Provider and the WS consumer system as Consumer in the remainder of this document.


2. Background Information

This security guide explains the security features included in SAP NetWeaver PI and recommends how to apply these features to protect data through principal propagation with SAP logon tickets.

2.1 Software

This section provides the details of the supported releases for the applications (Consumer, Integration Server and Provider) and the version details of the ABAP support package, ABAP kernel and crypto library. The technology stack of the back end can be AS ABAP, AS Java, or an external system.

This guide makes the following assumptions:

An ABAP back end is used at the consumer.
SAP NetWeaver PI 7.1 is installed.

2.1.1 Supported releases

Consumer: AS ABAP 7.0 >= SP14
Integration Server: AS ABAP 7.1 and higher
Provider: AS ABAP 7.0 >= SP14


3. Configuration Steps in Detail

This chapter covers the configuration steps required in the back-end systems and the PI system for message processing with Integration Server communication.

3.1 Enabling Principal Propagation

Go to sxmb_adm -> Configure Principal Propagation, then choose Activate Principal Propagation. This needs to be done on all the systems involved in principal propagation: the issuing system (Sender), the intermediary system (PI system) and the receiver system.

This executes the report RSXMB_CONFIG_PP. This report creates the type 3 RFC destination SAPXIPP, where represents the three-digit client of the respective messaging component. In addition, it generates the system user PIPPUSER with a random password and the role SAP_XI_APPL_SERV_USER.

Figure 1: Enable Principal Propagation

3.2 Enabling the Sender

In the sender system, maintain a dialog user on the EC6 system with role SAP_XI_APPL_SERV_USER. This user will be propagated from one application to the other.

Enable RFC to Send Logon Tickets:

In transaction SM59, enable the RFC destination to send SAP logon tickets.

1. Go to transaction sm59.
2. Go to connection type TCP/IP connections.
3. Enter a short description and go to the tab Logon and Security.
4. Select the check box Send SAP Logon Ticket.


Figure 3: Profile parameter to create logon ticket

Note: The parameters revert to their default values when the server is restarted.

3.4 Configure the System to accept login tickets

Go to RZ11, add the parameter login/accept_sso2_ticket = 1 and click on Change Value.


Figure 4: Maintain Profile parameter to accept the ticket

3.5 Install Certificates in Client and Server system

Export the Sender system certificate in the AS ABAP client

1. On ABAP Client [C], call transaction STRUST and export the certificate as shown below:


Figure 5: Export WS Consumer system certificate

2. Choose Binary file format as shown below:

Figure 6: Export dialog

You have made the certificate available as a file, which you can later import into the ABAP Server [S] system.


3. On ABAP Server [S], call transaction STRUSTSSO2 and import the certificate as shown below:

Figure 7: Import certificate into ABAP Server [S]

4. Select Binary file format and import the client certificate which was saved as a file in step 2.

5. Click on the Add to Certificate List button to add this certificate to the list.

6. Click on the Add to ACL button to add the client system to the Access Control List of the server, as shown below:


Figure 8: Add to ACL

Save the data now. As a result, you will see the ABAP Client [C] system added as an entry in the Access Control List window, as given below:

Figure 9: Access Control List window

You need to perform the above steps for every client-server combination, as explained in the important note above, to establish the SSO trust between all systems.

Install the AS Java server certificate

To issue SAP assertion tickets, the AS Java must sign them with a digital signature. For this purpose, a private key must be created together with a certificate containing the public key and imported into the AS Java keystore.

1. Start the AS Java configuration tool.

2. Expand the nodes Configurations > cluster_config > globals > clusternode_config > workernode > services.

3. Expand the service com.sap.security.core.ume.service and choose the Propertysheet properties. Change to edit mode and set the following properties:

   i. login.ticket_keyalias = SAPLogonTicketKeypair
   ii. login.ticket_keystore = TicketKeystore
   iii. login.ticket_client = .


Figure 10: Property adjustment in SAP Login Module

d. Go to Import from File and import this certificate into all the ticket-accepting systems.

Figure 11: Import certificate from the TicketKeystore

Configuring the AS Java to Accept Logon Tickets

The AS Java uses EvaluateTicketLoginModule to accept logon tickets for SSO. After receiving the logon ticket from the user's web browser, the AS Java verifies the ticket signature based on the


Figure 13: Final screen of the accepted trusted system

Manual AS Java Configuration for Accepting Logon Tickets

1. Export the ticket-issuing server's public-key certificate. Note the following:

   If the ticket-issuing server is an AS Java or a SAP NetWeaver Enterprise Portal 6.0 SP3 or higher:

   i. Using the Keystore Management functions in the NWA of the ticket-issuing AS Java, select the TicketKeystore view and the SAPLogonTicketKeypair-cert entry.
   ii. Choose Export.
   iii. Specify a file name. Use the file type X.509 Certificate with the extension .crt and choose OK.

2. Maintain the logon ticket access control list in the options for the login module EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule):

   a. Using the authentication configuration functions of the NWA, open the configuration options for the EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule).
   b. Make the following entries in the login module configuration options for each ticket-issuing server from which the AS Java should accept logon tickets:

   Name        Value
   trustedsys  ,
   trustediss
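As an added illustration (not code from this guide or from SAP), the Go model below ties together the acceptance checks described in the introduction and in the ACL configuration above: the issuing system must match a trusted entry (system ID, client and certificate DN, as in STRUSTSSO2 or the trustedsys/trustediss options), the signature must verify under that entry's public key, and the ticket must lie inside its validity period on a synchronized clock. The ticket layout, the field separator and the use of Ed25519 in place of the X.509/PSE machinery are assumptions; the real ticket encoding is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// Ticket is a constructed, simplified stand-in for an SAP logon ticket (assumption: only
// the fields the acceptance checks use; the real ticket encoding is not modelled).
type Ticket struct {
	User, SysID, Client, IssuerDN string
	IssuedAt                      time.Time
	Validity                      time.Duration
	Sig                           []byte
}

// payload is the byte string the issuing system signs and the accepting system verifies.
func (t Ticket) payload() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%s|%d|%d", t.User, t.SysID, t.Client,
		t.IssuerDN, t.IssuedAt.Unix(), int64(t.Validity.Seconds())))
}

// Issue signs the ticket with the issuing system's private key.
func Issue(priv ed25519.PrivateKey, t Ticket) Ticket {
	t.Sig = ed25519.Sign(priv, t.payload())
	return t
}

// ACLEntry models one trusted issuer: system ID, client, certificate DN and its public key.
type ACLEntry struct {
	SysID, Client, IssuerDN string
	PubKey                  ed25519.PublicKey
}

// Accept runs the accepting system's checks in order: issuer on the ACL, signature valid
// under that issuer's key, and ticket inside its validity period (allowing some clock skew).
func Accept(t Ticket, acl []ACLEntry, now time.Time, skew time.Duration) error {
	for _, e := range acl {
		if e.SysID != t.SysID || e.Client != t.Client || e.IssuerDN != t.IssuerDN {
			continue
		}
		if !ed25519.Verify(e.PubKey, t.payload(), t.Sig) {
			return errors.New("signature does not verify against the trusted certificate")
		}
		if now.Before(t.IssuedAt.Add(-skew)) || now.After(t.IssuedAt.Add(t.Validity+skew)) {
			return errors.New("ticket outside validity period (check system clocks)")
		}
		return nil
	}
	return errors.New("issuing system not in access control list")
}
```

A ticket whose issuer is absent from the ACL is rejected before any signature check, which mirrors why the ACL entry must be added in STRUSTSSO2 or the login module options even when the certificate itself has been imported.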


    Sender Communication Channel

    Sender Agreement


    Receiver Agreement:


Receiver Communication Channel

1. Enter the Adapter Type as SOAP.
2. Enter the URL that is picked up from the WSDL provided in SOAMANAGER of the receiving system.
3. Give the Keystore Entry and the Keystore View.

In SOAMANAGER of the EC6 system:


3. Go to the Runtime Workbench Adapter Monitor. The sender RFC shows a green signal, i.e. the sender is successfully authenticated.

4. Go to the PI system, transaction sxmb_moni:

5. Also, as you had activated principal propagation in the sender and receiver communication channels, you will find that the ppActivated option equals true.

6. As the sales order has been created and the user name has been propagated from the sender to the receiver, you will be able to see that the user has been propagated in the table
