Configure Principal Propagation using Logon Tickets in NetWeaver Process Integration 7.1


SAP NetWeaver Demo
Configure Principal Propagation using Logon Tickets in NetWeaver Process Integration 7.1
Applied To: SAP NetWeaver Process Integration 7.1x and higher
Topic Area: SOA Middleware
Capability: Security
Version 1.0, March 2009

Applied To: SAP NetWeaver Process Integration 7.1; SAP Application Server ABAP 7.1; SAP Application Server ABAP 7.0 SP14
Summary: Single Sign-On is one of the most popular security mechanisms wherever transport-level security is required. This document describes how Principal Propagation can be set up for PI 7.1 systems.
Author: Neha Khasgiwale
Company: SAP GDC, Gurgaon
Created On: 17 Feb 2009
Author Bio: Neha Khasgiwale has been working at SAP GD in SAP PI from 2007 to 2009. Prior to that she worked at IBM from 2005 to 2006.

Table of Contents
1. Business Scenario ... 1
1.1 Introduction ... 1
1.2 Scenario Description ... 2
2. Background Information ... 3
2.1 Software ... 3
2.1.1 Supported Releases ... 3
3. Configuration Steps in Detail ... 4
3.1 Enabling Principal Propagation ... 4
3.2 Enabling the Sender ... 4
3.3 Issue Logon Tickets from the Sender System ... 5
3.4 Configure the System to Accept Logon Tickets ... 6
3.5 Install Certificates in Client and Server System ... 7
3.6 Directory Configurations ... 15

1. Business Scenario

1.1 Introduction

Principal propagation means the ability to forward the user context of a message unchanged from the sender to the receiver. This implies that the receiver interface runs under the same identity as the sender.

SAP Logon Tickets act as a flexible central authentication token in the SAP world and can be used for SSO to all SAP products in the back end. SAP Logon Tickets provide authentication for various client and server components of the AS ABAP system: the user is authenticated using the Logon Ticket as the authentication token. The user only needs to be authenticated once (for example, with a valid user ID and password) and the system then issues the Logon Ticket to the user. The SAP Logon Ticket is stored as a session cookie in the client browser. Its authenticity and integrity are protected by a digital signature, whereas the confidentiality of the token in transit is protected by the SSL protocol. As a third measure, the SAP Logon Ticket contains a validity period that can be configured in the security settings of the SAP Application Server.

This mechanism is highly beneficial in a complex landscape with many different types of SAP systems: with the Logon Ticket, the user can enter subsequent systems without having to re-enter user ID or password.

For SAP Logon Ticket authentication with client components (for example, SAP GUI for Windows), users must have the same user ID in all of the systems they need to access, and their web browsers must accept cookies. For authentication between server components, both the accepting systems and the issuing server must have synchronized system clocks. The issuing server must possess a public and private key pair so that it can digitally sign the Logon Ticket, and the accepting systems must be in the same DNS domain as the issuing server and must have the public-key certificate to verify the digital signature of the Logon Ticket. It is recommended that you identify one system in your landscape as the ticket-issuing system before you configure other systems to accept tickets from it. By default, the Personal Security Environment (PSE) is used to store the certificates.

You can configure the AS ABAP system to issue logon tickets by setting the profile parameter login/create_sso2_ticket to 2. If the AS ABAP system needs to accept Logon Tickets from a J2EE Engine, you need to install the SAP Cryptographic Library and set the same profile parameter on the AS ABAP system. In addition, you also need to manually import the J2EE Engine's public-key certificate into the PSE using transaction STRUST or STRUSTSSO2 (Trust Manager). Use transaction STRUSTSSO2 to add the J2EE Engine's system ID and its Distinguished Name to the access control list.

You would like to use this feature in your SAP NetWeaver PI 7.1 system.

Note: The SAP NetWeaver PI 7.1 system is referred to as the PI system, the WS provider system as the Provider and the WS consumer system as the Consumer in the remainder of this document.

April 2009 1

1.2 Scenario Description

Now let us configure a test case to understand it better.

Principal propagation means the ability to forward the user context of a message unchanged from the sender to the receiver. It enables the authentication of a message in the receiver system with the same user that issued the message in the corresponding sender system. Thus, the receiver application is virtually part of the sender application, and the permissions and audit functions of the receiver application can be applied to the original user of the sender application.

Principal Propagation is implemented using authentication via SAP assertion tickets between the involved messaging components. Each communication step along the way from the sender to the receiver requires a separate authentication for each messaging component before the message is executed. Wherever you want to use an SAP assertion ticket for authentication between a sending and a receiving messaging component, you first have to configure a trust relationship between the underlying application servers.

In the following, we describe the processes when the issuing or accepting server is the SAP J2EE Engine. Note, however, that depending on the scenario you use, other server components may act as the issuer or acceptor. The entire scenario can be expressed as a two-step scenario:

1. Receiving a Logon Ticket from the SAP J2EE Engine
   a. AS Java client configuration
   b. AS ABAP client configuration
2. Using the Logon Ticket to Access the SAP J2EE Engine as an Accepting System
   a. AS ABAP server configuration
   b. AS Java server configuration

If an Adapter Engine (SOAP adapter or RFC adapter) is involved, a trust relationship must also be established between this Adapter Engine and the Integration Server. Therefore, the Adapter Engine (based on AS Java) and the Integration Server (based on AS ABAP) both act as server [S] and client [C], as shown in the following diagram:

Figure 1: Overview of the process: [S] Adapter Engine [C] -> [S] IS [C] -> [S] Adapter Engine [C]

The user that is executing the message equals the user that is to be propagated.

2. Background Information

This security guide explains the security features included in SAP NetWeaver PI and recommends how to apply these features to protect data through Principal Propagation using SAP Logon Tickets.

2.1 Software

This section provides the details of the supported releases for the applications (Consumer, Integration Server and Provider) and the version details of the ABAP service pack, ABAP kernel and Crypto library. The technology stack of the back end can be AS ABAP, AS Java or an external system. This guide assumes that an ABAP back end is used at the consumer and that SAP NetWeaver PI 7.1 is installed.

2.1.1 Supported Releases

Consumer: AS ABAP 7.0 >= SP14
Integration Server: AS ABAP 7.1 and higher
Provider: AS ABAP 7.0 >= SP14

3. Configuration Steps in Detail

This chapter covers the configuration steps required in the back-end systems and the PI system for message processing with Integration Server communication.

3.1 Enabling Principal Propagation

Go to sxmb_adm -> Configure Principal Propagation, then activate Principal Propagation. This needs to be done on all the systems involved in Principal Propagation: the issuing system (Sender), the intermediary system (PI system) and the receiver system. This executes the report RSXMB_CONFIG_PP. The report creates the type 3 RFC destination SAPXIPP<clnt>, where <clnt> represents the three-digit client of the respective messaging component. In addition, it generates the system user PIPPUSER with a random password and the role SAP_XI_APPL_SERV_USER.

Figure 1: Enable Principal Propagation

3.2 Enabling the Sender

In the sender system (EC6), maintain a dialog user with the role SAP_XI_APPL_SERV_USER. This user will be propagated from one application to the other.

Enable the RFC destination to send Logon Tickets: in transaction SM59, enable the RFC destination to send SAP Logon Tickets.
1. Go to transaction SM59.
2. Go to connection type TCP/IP connections.
3. Enter a short description and go to the tab Logon and Security.
4. Select the check box Send SAP Logon Ticket.

Figure 2: RFC connection maintained to send SAP Logon Ticket

This RFC destination is used when you trigger the sender RFC. Whenever the RFC is triggered, a Logon Ticket is issued.

3.3 Issue Logon Tickets from the Sender System

1. Go to transaction RZ11.
2. Enter the profile parameter login/create_sso2_ticket; the value 1 is used in case of CA-signed certificates and the value 2 in case of self-signed certificates.
3. Enter the profile value 2.

You need to create the logon ticket configuration once on the ticket-issuing side, and then on the PI system as well.

Figure 3: Profile parameter to create logon ticket

Note: The parameter changes back to its default when the server is restarted.

3.4 Configure the System to Accept Logon Tickets

Go to transaction RZ11, enter the parameter login/accept_sso2_ticket, set it to 1 and click Change Value.

Figure 4: Maintain profile parameter to accept the ticket

3.5 Install Certificates in Client and Server System

Export the sender system certificate in the AS ABAP client:
1. On the ABAP Client [C], call transaction STRUST and export the certificate as shown below:

Figure 5: Export WS Consumer system certificate

2. Choose the binary file format as shown below:

Figure 6: Export dialog

You have now made the certificate available as a file, which you can later import into the ABAP Server [S] system.

3. On the ABAP Server [S], call transaction STRUSTSSO2 and import the certificate as shown below:

Figure 7: Import certificate into ABAP Server [S]

4. Select the binary file format and import the client certificate that was saved as a file in step 2.
5. Click the Add to Certificate List button to add this certificate to the certificate list.
6. Click the Add to ACL button to add the client system to the Access Control List of the server as shown below:

Figure 8: Add to ACL

Save the data now. As a result, you will see the ABAP Client [C] system added as an entry in the Access Control List window, as shown below:

Figure 9: Access Control List window

You need to perform the above steps for every client-server combination, as explained above, to establish the SSO trust between all systems.

Install the AS Java Server Certificate

To issue SAP assertion tickets, the AS Java must sign them with a digital signature. For this purpose, a private key must be created together with a certificate containing the public key and imported into the AS Java keystore.
1. Start the AS Java Config Tool.
2. Expand the nodes Configurations -> cluster_config -> globals -> clusternode_config -> workernode -> services.
3. Expand the service com.sap.security.core.ume.service and choose the Propertysheet properties. Change to edit mode and set the following properties:
   i. login.ticket_keyalias = SAPLogonTicketKeypair
   ii. login.ticket_keystore = TicketKeystore
   iii. login.ticket_client = <unique client>

Figure 9: Property adjustment in SAP Login Module

Note: The system ID and client combination must be unique when tickets are accepted by an AS ABAP system. Therefore, in a combined ABAP and Java installation, where the system IDs are the same, you must change the default client of the AS Java (000) to a client that does not exist on the AS ABAP system. In this case the client has been changed to 007.

4. Open the SAP NetWeaver Administrator and choose Configuration Management -> Security Management -> Key Storage.
5. Select the TicketKeystore view and then the SAPLogonTicketKeypair certificate.
6. In a dual-stack system where the SIDs of the AS ABAP and the AS Java are the same, you must replace one of the key pairs so that the Distinguished Names are unique.
7. Select the TicketKeystore view.
8. Delete the SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert entries.
9. Create a key pair and a public-key certificate with the following properties. For more information about creating key pairs in a key store view
   a. Enter SAPLogonTicketKeypair as the key pair Entry Name.
   b. Choose DSA as the algorithm to use.
   c. Select the option to store the public-key certificate and enter the Subject Properties in the corresponding fields. The entries in these fields build a Distinguished Name in the form: CN=<Common Name>, OU=<Organizational Unit Name>, O=<Organization Name>, L=<Locality Name>, ST=<State/Province>, C=DE

The AS Java uses this public-key certificate to digitally sign logon tickets.

Figure 10: Property adjustment in SAP Login Module

   d. Go to Import from File and import this certificate into all the ticket-accepting systems.

Figure 11: Import certificate from the TicketKeystore

Configuring the AS Java to Accept Logon Tickets

The AS Java uses the EvaluateTicketLoginModule to accept logon tickets for SSO. After receiving the logon ticket from the user's web browser, the AS Java verifies the ticket signature based on the established trust relationship with the issuing system. Based on the ticket validity, the AS Java authenticates the user.

1. Go to NWA -> Trusted Systems SSO Wizard. There are two ways to add a trusted system: (1) by connecting to the system and requesting its certificate, or (2) by manually uploading the certificate of the system.
2. In the Trusted Systems section, choose Add Trusted System -> By Querying Trusted System. The System Landscape Directory (SLD) opens automatically and lets you select the system you want to add. Select the system and choose OK. The connection details for the selected system are displayed automatically.
3. Enter your user name and password in the provided fields and choose Next.
4. The details of the selected system's certificate appear. To add the system, choose Finish. If you want to make changes, choose Back.
5. After you complete the wizard, the ticket-issuing system is shown in the trusted systems list. The AS Java now accepts logon tickets that have been issued by that server.

Figure 12: Add the trusted system

Figure 13: Final screen of the accepted trusted system

Manual AS Java Configuration for Accepting Logon Tickets

1. Export the ticket-issuing server's public-key certificate. Note the following: if the ticket-issuing server is an AS Java or an SAP NetWeaver Enterprise Portal 6.0 SP3 or higher:
   i. Using the Keystore Management functions in the NWA of the ticket-issuing AS Java, select the TicketKeystore view and the SAPLogonTicketKeypair-cert entry.
   ii. Choose Export.
   iii. Specify a file name. Use the file type X.509 Certificate with the extension .crt and choose OK.
2. Maintain the logon ticket access control list in the options of the login module EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule):
   a. Using the authentication configuration functions of the NWA, open the configuration options of the EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule).
   b. Make the following entries in the login module configuration options for each ticket-issuing server from which the AS Java should accept logon tickets:

   Name                       Value
   trustedsys<x>              <SID>, <Client>
   trustediss<x>              <Issuer's_distinguished_name>
   trusteddn<x>               <System's_distinguished_name> (Distinguished Name of the ticket-issuing system)
   ume.configuration.active   True

3.6 Directory Configurations

In the PI system you need to maintain the configurations on both the sender and the receiver side. After doing all the directory configurations, maintain the sender RFC configuration in the sender communication channel, then go to the sender agreement and enable Principal Propagation.
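The trust checks that sections 1.1 and 3.3 to 3.5 configure (the issuing system signs the ticket with its key pair; the accepting side looks the issuer up by SID and client in its ACL, compares the Distinguished Name, verifies the signature with the imported certificate and checks the validity period against its own clock) are modelled below in Python as an added example. This is constructed illustration code, not SAP's ticket format or any SAP code: the toy RSA keys, the system ID PI1, the DNs and the clock values are made up, and the dual-stack client 007 case follows the note in section 3.5.

```python
import hashlib
import math

FIELDS = ("user", "sid", "client", "issuer_dn", "issued_at", "validity_s")

def _next_prime(n: int) -> int:
    while any(n % k == 0 for k in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def make_keypair(seed: int) -> tuple:
    # Constructed textbook RSA (insecure by design) standing in for SAPLogonTicketKeypair;
    # returns (modulus, public exponent, private exponent).
    p = _next_prime(seed)
    q = _next_prime(p + 1)
    phi, e = (p - 1) * (q - 1), 3
    while math.gcd(e, phi) != 1:
        e += 2
    return p * q, e, pow(e, -1, phi)

def _digest(payload: str) -> int:
    return int.from_bytes(hashlib.sha256(payload.encode()).digest()[:4], "big")  # < toy modulus

def _payload(t: dict) -> str:
    return "|".join(str(t[k]) for k in FIELDS)

def issue_ticket(user, sid, client, issuer_dn, key, now, validity_s=8 * 3600) -> dict:
    # Issuing side (login/create_sso2_ticket): sign the ticket fields with the private key.
    # sid/client identify the issuing system, issuer_dn is the subject DN of its certificate.
    n, _, d = key
    t = dict(zip(FIELDS, (user, sid, client, issuer_dn, now, validity_s)))
    t["signature"] = pow(_digest(_payload(t)), d, n)
    return t

class AcceptingSystem:
    # Accepting side: profile parameter, ACL lookup by (SID, client), DN match, signature, validity.
    def __init__(self, accept_sso2_ticket: int, max_clock_skew_s: int = 300):
        self.accept = accept_sso2_ticket   # profile parameter login/accept_sso2_ticket
        self.skew = max_clock_skew_s       # tolerated drift between the two system clocks
        self.acl = {}                      # (SID, client) -> (DN, n, e): trustedsys/trusteddn + imported cert
    def add_to_acl(self, sid, client, dn, key) -> None:
        self.acl[(sid, client)] = (dn, key[0], key[1])
    def check(self, t: dict, now: int) -> str:
        if self.accept != 1:
            return "rejected: login/accept_sso2_ticket is not 1"
        entry = self.acl.get((t["sid"], t["client"]))
        if entry is None:
            return "rejected: issuing system not in ACL"
        dn, n, e = entry
        if dn != t["issuer_dn"]:
            return "rejected: issuer DN differs from ACL entry"
        if pow(t["signature"], e, n) != _digest(_payload(t)):
            return "rejected: signature does not verify with the imported certificate"
        if t["issued_at"] > now + self.skew:
            return "rejected: issued in the future (check clock synchronisation)"
        if now > t["issued_at"] + t["validity_s"]:
            return "rejected: validity period expired"
        return "accepted: " + t["user"]

def demo() -> dict:
    # Constructed values: keys, DNs, SIDs and the clock are all made up for the example.
    abap_key, java_key = make_keypair(1_000_000), make_keypair(2_000_000)
    abap_dn = "CN=PI1, OU=I0020000000, O=SAP Trust Community, C=DE"
    java_dn = "CN=PI1 Java, OU=Integration, O=Example, L=Bonn, ST=NRW, C=DE"
    now, r = 1_700_000_000, {}
    # Dual-stack pitfall (section 3.5): ABAP and Java share SID PI1 and both use client 000, so
    # the second ACL entry overwrites the first and the ABAP-issued ticket is no longer trusted.
    bad = AcceptingSystem(1)
    bad.add_to_acl("PI1", "000", abap_dn, abap_key)
    bad.add_to_acl("PI1", "000", java_dn, java_key)
    r["collision"] = bad.check(issue_ticket("PPUSER", "PI1", "000", abap_dn, abap_key, now), now)
    # Fix: give the AS Java a client that does not exist on the AS ABAP (007 in the guide).
    ok = AcceptingSystem(1)
    ok.add_to_acl("PI1", "000", abap_dn, abap_key)
    ok.add_to_acl("PI1", "007", java_dn, java_key)
    r["abap"] = ok.check(issue_ticket("PPUSER", "PI1", "000", abap_dn, abap_key, now), now)
    r["java"] = ok.check(issue_ticket("PPUSER", "PI1", "007", java_dn, java_key, now), now)
    r["expired"] = ok.check(issue_ticket("PPUSER", "PI1", "000", abap_dn, abap_key, now - 9 * 3600), now)
    return r
```

Any change to a signed field after issuance (for example the user name) makes the signature check fail, which is the integrity property the digital signature on the ticket provides.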

Sender Communication Channel

Sender Agreement

Receiver Agreement


Receiver Communication Channel
1. Enter the Adapter Type SOAP.
2. Enter the URL that is taken from the WSDL provided in SOAMANAGER of the receiving system.
3. Enter the Keystore Entry and the Keystore View.

In SOAMANAGER of the EC6 system:

When configuring the endpoint, select the Logon Ticket option under Authentication Mechanism, with no Transport Guarantee.

Results:
1. The user PPUSER is maintained in all systems for Principal Propagation. Trigger the RFC. The result ID is obtained under ID.

3. Go to the Runtime Workbench -> Adapter Monitor. The sender RFC shows a green signal, i.e. the sender is successfully authenticated.
4. Go to the PI system and open transaction sxmb_moni:
5. Also, as you activated Principal Propagation in the sender and receiver communication channels, you find that the ppactivated option equals true.
6. As the sales order has been created and the user name has been propagated from the sender to the receiver, you will be able to see that the user has been propagated in the table