
SSO Configuration between ABAP and JAVA AS (Logon Tickets) Step-by-step procedure

Posted on April 13, 2012

Benefits

To provide Single Sign-On to multiple systems, a user can be issued a logon ticket after being authenticated on an SAP system. This ticket can then be presented to other systems (SAP or non-SAP) as an authentication token. Instead of having to provide a user ID and password, the user is granted access after the receiving system has verified the logon ticket.

Pre-requisites

a. Maintain the following instance profile parameters on the systems involved:

   login/create_sso2_ticket = 2
   login/accept_sso2_ticket = 1

   Value 2 for login/create_sso2_ticket issues tickets without embedding the issuer's certificate, which is why the issuing system's certificate has to be imported into every accepting system in the steps below. login/accept_sso2_ticket = 1 is what makes a system accept incoming tickets at all; without it the ACL entries below have no effect.

b. Users need to have the same user ID in all of the systems they access using the logon ticket. Passwords do not have to be the same in all systems.

c. End users need to configure their Web browsers to accept cookies, because the logon ticket is transported in the MYSAPSSO2 cookie.

d. Any Web servers or SAP Web AS servers that are to accept the logon ticket as the authentication mechanism must be placed in the same DNS domain as the issuing server, since the browser only sends the cookie to hosts in the domain it was set for. The logon ticket cannot be used for authentication to servers outside of this domain.

e. The issuing server must possess a public and private key pair and a public-key certificate so that it can digitally sign the logon ticket. SAP system application servers (including the SAP Web AS) receive a key pair and a self-signed public-key certificate during installation. By default the system uses the system Personal Security Environment (system PSE) for storing these keys; however, a different PSE is used in the following cases:
   - If the system has been upgraded from a release <= 4.6B, the PSE used for logon tickets is the SAPSSO2 PSE.
   - If an explicit PSE has been defined for logon tickets (in table SSFARGS), that PSE is used.
   Anyone holding this private key can mint a valid ticket for any user ID, so the PSE (or, on the Java side, the TicketKeystore) must be protected like any other credential store.

f. Systems that accept logon tickets must have access to the issuing server's public-key certificate so that they can verify the digital signature on the ticket. Depending on the type of certificate used, the server's certificate is either sent with the logon ticket to the accepting system or entered in the accepting system's certificate list. SAP provides a configuration tool, the SSO administration wizard (transaction SSO2), that automatically establishes the appropriate configuration for an accepting ABAP system; the steps below perform the equivalent configuration by hand for an ABAP/Java pair.

Installation

I. Export the certificate from the Java AS

1. Open Visual Administrator and go to Server > Services > Key Storage > TicketKeystore.
2. Select SAPLogonTicketKeypair-cert and press Export (the Export button in the Entry area).

Note: Choose either X.509 (binary DER) or Base64 Encoded format; STRUSTSSO2 can import both. Export only the certificate entry SAPLogonTicketKeypair-cert, never the key-pair entry SAPLogonTicketKeypair itself, since the private key must stay on the Java AS.

II. Import the Java AS certificate into the backend ABAP AS

1. Execute transaction STRUSTSSO2 in client 000.
2. Choose Certificate > Import from the menu.
3. Enter the path of the Java AS certificate saved in step I and continue.
4. Once the Java AS certificate details are displayed in the Certificate area, click Add to Certificate List.
5. Click Add to ACL to enter the Java certificate in the access control list. Specify the Java SID in System ID and 000 in Client.
   Note: 000 is the default client that the Java AS writes into the tickets it issues.
6. Save.

Note: The certificate list belongs to the PSE and is client-independent, but the ACL is client-dependent. The Add to ACL step therefore has to be repeated in every client that should accept tickets from the Java AS, otherwise SSO will not work there: first in client 000, then in the productive client (for example 100), each time with System ID = <Java SID> and Client = 000. Only the ACL entry authorises an issuer; a certificate that is merely in the certificate list lets the system verify the signature but does not grant logon.

III. Export the ABAP certificate and import it into the Java AS

1. Execute transaction STRUSTSSO2, double-click the own certificate (Owner Certificate) so that it is shown in the Certificate area, and choose Export to save it with the .crt extension.
2. Log on to Visual Administrator, choose Server > Services > Key Storage > TicketKeystore, press Load and choose the exported certificate.
3. Maintain the backend ABAP system details in the Java ACL as follows:
   a. Choose Server > Services > Security Provider > Ticket.
   b. Switch to change mode, select com.sap.security.core.server.jaas.EvaluateTicketLoginModule, click Modify and add the following options:

      ume.configuration.active = true
      trustedsys<n> = <ABAP SID>, <Prod. Client>
      trustediss<n> = CN=<ABAP SID>
      trusteddn<n> = CN=<ABAP SID>

   Note: Two sets of these entries are needed, each with its own index <n>: one for client 000 and one for the productive client. trustediss<n> and trusteddn<n> must match the issuer and subject DN of the ABAP certificate exactly as shown in STRUSTSSO2; for the self-signed default certificate both are CN=<ABAP SID>, but if the PSE was created with a longer DN, enter that DN in full. Use a free index <n>, because overwriting an existing trustedsys<n> entry silently removes a system that was already trusted.
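The two trust lists maintained in sections II and III, as an added Python example that is not from the original post and not SAP code: it models the Java-side EvaluateTicketLoginModule options and the ABAP-side ACL so that you can see why a missing ACL row in the productive client, an incomplete trustedsys/trustediss/trusteddn triple or a DN mismatch makes a ticket fail. It assumes that trustedsys<n>, trustediss<n> and trusteddn<n> sharing one index form a single entry that is matched as a whole, that the ABAP ACL (table TWPSSO2ACL, filled by Add to ACL) is keyed by the accepting client, and it simplifies an ABAP row to (accepting client, issuing system, issuing client). The Ticket fields, the DN normalisation and all sample data are the example's own constructions.

```python
"""Trust-list model for the ABAP/Java logon-ticket configuration.

Added example, not SAP code. Assumptions: Java options sharing an index
form one ACL entry; the ABAP ACL is keyed per accepting client and reduced
here to (client, issuing sysid, issuing client). All data is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    """The parts of a logon ticket that the ACL checks look at (simplified)."""
    sysid: str       # issuing system ID
    client: str      # issuing client
    issuer_dn: str   # issuer DN of the signing certificate
    subject_dn: str  # subject DN of the signing certificate


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison in this model: trim spaces around
    commas and equals signs, upper-case attribute types, keep value case."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(rdns)


_JAVA_OPT = re.compile(r"^\s*(trustedsys|trustediss|trusteddn)(\d+)\s*=\s*(.*?)\s*$")


def parse_java_acl(options: str):
    """Parse login-module options into (sysid, client, issuer_dn, subject_dn) tuples.

    Raises ValueError if an index lacks one of its three parts, which is an
    easy mistake when the entries are typed into Visual Administrator by hand.
    """
    groups = {}
    for line in options.splitlines():
        m = _JAVA_OPT.match(line)
        if m:
            key, idx, value = m.groups()
            groups.setdefault(int(idx), {})[key] = value
    acl = []
    for idx in sorted(groups):
        entry = groups[idx]
        missing = {"trustedsys", "trustediss", "trusteddn"} - set(entry)
        if missing:
            raise ValueError(f"ACL entry {idx} is incomplete: missing {sorted(missing)}")
        sysid, _, client = entry["trustedsys"].partition(",")
        acl.append((sysid.strip(), client.strip(),
                    normalize_dn(entry["trustediss"]), normalize_dn(entry["trusteddn"])))
    return acl


def java_accepts(acl, ticket: Ticket) -> bool:
    """Java side: one entry must match system, client, issuer DN and subject DN."""
    return any(
        sysid == ticket.sysid and client == ticket.client
        and issuer == normalize_dn(ticket.issuer_dn)
        and subject == normalize_dn(ticket.subject_dn)
        for sysid, client, issuer, subject in acl
    )


def abap_accepts(acl_rows, accepting_client: str, ticket: Ticket) -> bool:
    """ABAP side: the row must exist in the client that receives the ticket."""
    return (accepting_client, ticket.sysid, ticket.client) in acl_rows


# Constructed sample: ABAP system ABC (productive client 100), Java system J2E.
JAVA_OPTIONS = """
ume.configuration.active = true
trustedsys1 = ABC, 000
trustediss1 = CN=ABC
trusteddn1  = CN=ABC
trustedsys2 = ABC, 100
trustediss2 = CN=ABC
trusteddn2  = CN=ABC
"""

# ABAP ACL after "Add to ACL" was done in client 000 only, and after both clients.
ABAP_ACL_CLIENT_000_ONLY = {("000", "J2E", "000")}
ABAP_ACL_BOTH_CLIENTS = {("000", "J2E", "000"), ("100", "J2E", "000")}


def demo():
    """Evaluate the scenarios from sections II and III and return the outcomes."""
    java_acl = parse_java_acl(JAVA_OPTIONS)
    abap_ticket = Ticket("ABC", "100", "CN=ABC", "CN=ABC")
    wrong_subject = Ticket("ABC", "100", "CN=ABC", "CN=ABC, OU=Other")
    java_ticket = Ticket("J2E", "000", "CN=J2E", "CN=J2E")
    return {
        "java_accepts_abap_client_100": java_accepts(java_acl, abap_ticket),
        "java_rejects_wrong_subject": not java_accepts(java_acl, wrong_subject),
        "abap_client_100_before_acl": abap_accepts(ABAP_ACL_CLIENT_000_ONLY, "100", java_ticket),
        "abap_client_100_after_acl": abap_accepts(ABAP_ACL_BOTH_CLIENTS, "100", java_ticket),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run it with python3 and compare the four outcomes with the notes in sections II and III: the Java ticket is rejected in client 100 until the ACL row exists there, and a ticket whose signing certificate carries a different subject DN is rejected even though system ID and client match. The DN normalisation is the example's own convenience; when maintaining the real entries, copy the DN exactly as STRUSTSSO2 displays it.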
