Welcome to Scribd. Sign in or start your free trial to enjoy unlimited e-books, audiobooks & documents.Find out more
Download
Standard view
Full view
of .
Look up keyword
Like this
27Activity
0 of .
Results for:
No results containing your search query
P. 1
EP-SSO-How to Implement Security Using

EP-SSO-How to Implement Security Using

Ratings: (0)|Views: 2,144|Likes:
Published by abhisona76

More info:

Published by: abhisona76 on Jan 29, 2010
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as DOC, PDF, TXT or read online from Scribd
See more
See less

05/20/2013

pdf

text

original

 
How to implement Security Using:
SAP WebDispatcher and SSL
Authentication into J2EE application (like EP) using X.509 client certificates
Swap an expired SSL certificate to a new oneBackground and Requirement:
The following document will describe how the NCC portal security was implemented.This documented should be used for SAP Consulting knowledge sharing purposesonly. Do not distribute this to non-SAP parties as it contains sensitive information likethe hostnames of our architecture.
The NCC portal infrastructure consisted of 3 servers:Tsphl834.phl.sap.corp – DatabaseTsphl845.phl.sap.corp – CI + SCS + 1 J2EE Dispatcher + 2 Server NodesTsphl884.phl.sap.corp - 1 J2EE Dispatcher + 2 Server NodesAn instance of SAP Web Dispatcher was created to run on tsphl834.phl.sap.corp to provide a single point of entry to the portal infrastructure and also load balance the trafficto the J2EE cluster evenly.There was also a need to provide SSL communications to the end user along with ClientCertificate authentication. Each end user would have a unique client X.509 certificatewhich would be forwarded by the browser. The following is an example.
 
 
Design:
The SAP WebDispatcher would have to accept and decrypt incoming SSL requests whichhave the X.509 client certificate as well. Once it receives this, the SAP WebDispatcher would have to:1.Extract the X.509 certificate information and add them to the HTTP header request to be forwarded to the backend application.2.Re-encrypt the outgoing request with another SSL certificate and forward it to the backend application. This is would be a self-signed certificate.3.The backend J2EE engine is configured to receive the request, decrypt it, use theX.509 certificate information from the HTTP header variables, trust the enduser’sidentity from the client certificate’s information and authenticate them into theapplication.
The SAP WebDispatcher profile file:
---------- BEGIN OF PROFILE FILE -------------------------------# Profile generated by sapwebdisp bootstrap## unique instance number SAPSYSTEMNAME = WDDSAPSYSTEM = 01## Accesssability of Message Serversrdisp/mshost = tsphl845.phl.sap.corpms/http_port = 8101# ms/https_port=8104# ms/server_port_0=3601## SAP Web Dispatcher Parameter wdisp/auto_refresh = 120wdisp/max_servers = 100# SAP Web Dispatcher Web Administrationicm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin# SAP Web Dispatcher Portsicm/server_port_0 = PROT=HTTP,PORT=80, TIMEOUT=900
 
icm/server_port_1 = PROT=HTTPS, PORT=443, TIMEOUT=900# SAP Web Dispacher Security Info# Location of SAP Crypto Lib and PSE
 
 
DIR_INSTANCE = D:\sapwebdispatcher ssl/ssl_lib = D:\sapwebdispatcher\sapcrypto.dllssl/server_pse = D:\sapwebdispatcher\sec\SAPSSLS.psessl/client_pse = D:\sapwebdispatcher\sec\SAPSSLC.pse# Re-Encryption of outgoing request to Backend Applicationwdisp/ssl_encrypt = 1wdisp/ssl_auth = 2wdisp/ssl_cred = D:\sapwebdispatcher\sec\SAPSSLC.psewdisp/ssl_certhost = nccportal.phl.sap.corp## Description of the Resourcesicm/min_threads = 20icm/max_threads = 40icm/max_conn = 500# Communication Buffer mpi/total_size_MB = 100mpi/buffer_size = 65536# Forwarding X.509 Digital Certificate to the backend applicationicm/HTTPS/forward_ccert_as_header = true
 
icm/HTTPS/trust_client_with_issuer = CN=SSO_CA,O=SAP-AG,C=DEicm/HTTPS/trust_client_with_subject = CN=SSO_CA,O=SAP-AG,C=DEicm/HTTPS/verify_client = 1---------- END OF PROFILE FILE -------------------------------The text highlighted in Yellow is to accept incoming SSL requests from end-users.The text highlighted in Green is to re-encrypt and forward the SSL request to the backendapplication.The text highlighted in Dark Yellow is read the X.509 client certificate from theincoming request and forward it to the backend application in the request header.
The SSL Setup for SAP WebDispatcher:
Most of the SSL set up is documented on the SAP Online Help Portal. Please follow thefollowing link to find out more.http://help.sap.com/saphelp_erp2005/helpdata/en/39/09a63d7af20450e10000000a114084/frameset.htm
 

Activity (27)

You've already reviewed this. Edit your review.
1 hundred reads
1 thousand reads
rukyke liked this
Honglim Yang liked this
newcity_20 liked this
panarayana69 liked this
panarayana69 liked this
23.devesh liked this
Dharam Vir liked this
Ramesh Napa liked this

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->