Scribd
Upload
179 views

SSO - Configuration - Step by Step Procedure

This document outlines the step-by-step process for configuring single sign-on (SSO) between ABAP and Java systems using logon tickets. Key steps include exporting and importing certificates between the systems, adding the certificates to the appropriate access control lists, and configuring trusted systems and issuers in the Java security provider. This allows a user authenticated on one system to access other linked systems without re-authenticating via logon tickets.

Uploaded by

irfanyell
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
179 views

SSO - Configuration - Step by Step Procedure

This document outlines the step-by-step process for configuring single sign-on (SSO) between ABAP and Java systems using logon tickets. Key steps include exporting and importing certificates between the systems, adding the certificates to the appropriate access control lists, and configuring trusted systems and issuers in the Java security provider. This allows a user authenticated on one system to access other linked systems without re-authenticating via logon tickets.

Uploaded by

irfanyell
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

SSO Configuration between ABAP and JAVA AS (Logon Tickets) Step-by-step pro...

Page 1 of 4

SAPERRORS.COM
[email protected]

SSO Configuration between ABAP and JAVA AS (Logon


Tickets) Step-by-step procedure
Posted on April 13, 2012
Benefits
To provide for Single Sign-On to multiple systems, a user can be issued a logon ticket after being authenticated on the SAP System. This ticket
can then be presented to other systems (SAP or non-SAP) as an authentication token. Instead of having to provide a user ID and password for
authentication, the user is allowed access to the system after the system has verified the logon ticket.

Pre-requisites
a. Maintain the following the instance profile parameters.

login/create_sso2_ticket

login/accept_sso2_ticket

b. Users need to have the same user ID in all of the systems they access using the logon ticket. Passwords do not have to be the same in all
systems.
c. End users need to configure their Web browsers to accept cookies.
d. Any Web servers or SAP Web AS servers that are to accept the logon ticket as the authentication mechanism must be placed in the same DNS
domain as the issuing server. The logon ticket cannot be used for authentication to servers outside of this domain.
e. The issuing server must possess a public and private key pair and public-key certificate so that it can digitally sign the logon ticket.
SAP System application servers (to include the SAP Web AS) receive a key pair and a self-signed public-key certificate during the installation
process. By default, the system uses the system Personal Security Environment (system PSE) for storing these keys, however, you may need to
use a different PSE in the following cases:
- If the system has been upgraded from a Release <= 4.6B, then the PSE used for logon tickets is the SAPSSO2 PSE.
- If you have defined an explicit PSE to use for logon tickets, then this PSE (as specified in the table SSFARGS) is used.
f. Systems that accept logon tickets must have access to the issuing servers public-key certificate so that they can verify the digital signature
provided with the ticket.
Depending on the type of certificate you use, the servers certificate is either sent with the logon ticket to the accepting system or the
information is entered in the accepting systems certificate list. We provide a configuration tool, the SSO administration wizard (transaction
SSO2), that automatically establishes the appropriate configuration for the accepting system.
Installation

I. Export Certificate from JAVA AS


1. Open Visual Administrator and go to Server Services KeyStorage TicketKeystore
2. Choose SAPLogonTicketKeypair-cert and press Export (Export button in the Entry field)

http://saperrors.com/2012/04/13/sso-configuration-between-abap-and-java-as-logon-tic... 4/18/2012

SSO Configuration between ABAP and JAVA AS (Logon Tickets) Step-by-step pro... Page 2 of 4

Note: Choose either X.509 or Base64 Encoded Format.

II.

Import JAVA AS certificate into backend ABAP AS.

1. Execute transaction code STRUSTSSO2 in client 000.


2. Click on Certificate Import from the menu.

3. Choose the path of JAVA AS certificate where we saved in step I and continue.

4. Once JAVA AS certificate details are displayed under Certificate area, click on Add to Certificate List button as shown below.

http://saperrors.com/2012/04/13/sso-configuration-between-abap-and-java-as-logon-tic... 4/18/2012

SSO Configuration between ABAP and JAVA AS (Logon Tickets) Step-by-step pro... Page 3 of 4

5. Click the button Add to ACL to maintain Java certificate in Access Control List.

Specify your Java SID in System ID and 000 in Client fields.


Note: 000 is the default client for JAVA AS.
6. Click on SAVE.
Note: We have to add the certificate to ACL by logging into production client, otherwise SSO wont work. It means first add from client 000 and
then from Production client (ex: 100). SID= JAVA SID and client = 000.

III. Export ABAP certificate and Import into JAVA AS


1. Execute transaction STRUSTSSO2 and double click the Owner Certificate and choose Export to save the certificate with .crt extension.

2. Login Visual Administrator and choose Server Services KeyStorage TicketKeystore and press Load and choose the Certificate.
3. Maintain backend ABAP system details in Java ACL as follows.
a. Choose Server > Services > Security Provider > Ticket
b. Go to Change Mode, select com.sap.security.core.server.jaas.EvaluateTicketLoginModule, click on Modify button and add the entries as follows.
ume.configuration.active = true
trustedsys<n>= <ABAP SID>, <Prod. Client>
trustediss<n>= CN=<ABAP SID>
trusteddn<n>= CN=<ABAP SID>

http://saperrors.com/2012/04/13/sso-configuration-between-abap-and-java-as-logon-tic... 4/18/2012

SSO Configuration between ABAP and JAVA AS (Logon Tickets) Step-by-step pro... Page 4 of 4

Note: We need add two sets of above said entries. One for client 000 and other one for Production client.

Source: http://scn.sap.com/docs/DOC-26142

This entry was posted in Documentatation, J2EE Engine by SAPerrors. Bookmark the permalink.

http://saperrors.com/2012/04/13/sso-configuration-between-abap-and-java-as-logon-tic... 4/18/2012

You might also like