Outline the steps required to configure the AS Java to accept logon tickets from a ticket issuing system.
There are two main aspects to the configuration required for the AS Java to accept logon tickets from other systems:
Import public key certificate of issuing system
The ticket issuing server’s public key certificate must be imported into the TicketKeystore view of the AS Java’s key storage service in order to verify the digital signature of the received logon tickets.
Configure EvaluateTicketLoginmodule/EvaluateAssertionTicketLoginmodule ACL options
Any applications where the received logon tickets are to be used for authentication must use an appropriately configured login module stack containing the EvaluateTicketLoginmodule/EvaluateAssertionTicketLoginmodule and the login module's Access Control List must be configured accordingly for each ticket issuing system:
The following EvaluateTicketLoginmodule/EvaluateAssertionTicketLoginmodule options form the Access Control List (the three options with the same index <n> describe one ticket issuing system):
- trustedsys<n> = <System ID of the ticket issuing system>,<client of the ticket issuing system>
- trustediss<n> = <Distinguished Name of Issuer (issuerDN) in public key certificate>
- trusteddn<n> = <Distinguished Name(DN) in public key certificate>
The above two configuration steps are carried out using the SSO2 Wizard which is accessed at http://<host>:<port>/sso2.
When a public key certificate of a ticket issuing system is imported into the AS Java using the SSO2 wizard, the wizard places the certificate in the TicketKeystore view in the AS Java’s key storage service and configures the Access Control List options specific to that ticket issuing system in the EvaluateTicketLoginModule and EvaluateAssertionTicketLoginModule in the AS Java user store. All existing policy configurations that already include either of these login modules in their login module stack inherit the ACL options introduced by the SSO2 wizard, which allows authentication to take place using logon tickets issued by that ticket issuing system.
There are two ways to import the public key certificate of the ticket issuing system: ‘by uploading certificate manually’ and ‘by querying trusted system’.
Manually uploading the certificate requires the manual export of the public key certificate from the key storage of the respective ticket issuing system: from transaction STRUSTSSO2 if it is an AS ABAP, or from the key storage service if it is an AS Java. Then, by selecting Add Trusted System -> by uploading certificate manually in the SSO2 wizard UI, you can browse to the location of the public key certificate exported from the ticket issuing system and import it into the AS Java.
Importing the certificate by ‘Querying trusted system’ can be done in two ways, by choosing the ticket issuing system from the SLD or by manually entering the connection details of the ticket issuing system. In both cases the SSO2 wizard connects to the ticket issuing system, retrieves the public key certificate and imports it into the AS Java.
As mentioned above, the SSO2 wizard automatically configures the EvaluateTicketLoginModule and EvaluateAssertionTicketLoginModule in the AS Java user store with the required ACL options. If an application deployed on the AS Java uses a policy configuration that does not currently include either of these login modules, the login modules will inherit the ACL options as soon as they are added to that policy configuration. If it is not intended that logon tickets from a specific trusted ticket issuing system are used for authentication when accessing an application, you must manually remove the ACL options specific to that ticket issuing system from the EvaluateTicketLoginModule/EvaluateAssertionTicketLoginModule in the application's policy configuration. The management of policy configurations and login modules is done in Configuration Management -> Security -> Authentication and Single Sign-On -> Authentication.
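The following is an added example, not SAP code, modelling how the trustedsys<n>/trustediss<n>/trusteddn<n> triples listed above act as an ACL and why removing a system's triple (as described in the previous paragraph) stops its tickets from being accepted. It assumes the ticket's signature has already been verified with the certificate from the TicketKeystore view and that the ticket's system ID and client and the signer certificate's issuer and subject DNs have already been extracted; all system IDs and DNs are constructed sample values.

```python
import re
from dataclasses import dataclass

# Constructed sample of login module options, as the SSO2 wizard would write
# them after registering an ABAP system (ABC, client 100) and a Java system
# (J2E, client 000). System IDs and DNs are made up for illustration.
LOGIN_MODULE_OPTIONS = {
    "trustedsys1": "ABC,100",
    "trustediss1": "CN=ABC,OU=SSO,O=Example",
    "trusteddn1": "CN=ABC,OU=SSO,O=Example",
    "trustedsys2": "J2E,000",
    "trustediss2": "CN=J2E,OU=SSO,O=Example",
    "trusteddn2": "CN=J2E,OU=SSO,O=Example",
}

_OPTION = re.compile(r"^(trustedsys|trustediss|trusteddn)(\d+)$")


@dataclass(frozen=True)
class AclEntry:
    system_id: str
    client: str
    issuer_dn: str
    subject_dn: str


def parse_acl(options):
    """Group the three trusted*<n> options with the same index into one entry.
    An index missing any of the three options is ignored: an incomplete triple
    never grants trust."""
    groups = {}
    for key, value in options.items():
        match = _OPTION.match(key)
        if match:
            groups.setdefault(int(match.group(2)), {})[match.group(1)] = value.strip()
    acl = {}
    for index, group in groups.items():
        if {"trustedsys", "trustediss", "trusteddn"} <= group.keys():
            system_id, _, client = group["trustedsys"].partition(",")
            acl[index] = AclEntry(system_id.strip(), client.strip(),
                                  group["trustediss"], group["trusteddn"])
    return acl


def ticket_accepted(acl, ticket_system_id, ticket_client, cert_issuer_dn, cert_subject_dn):
    """Accept only if a single ACL entry matches system ID, client, issuer DN and
    subject DN together; a mismatch in any one of the four rejects the ticket."""
    return any(entry.system_id == ticket_system_id and entry.client == ticket_client
               and entry.issuer_dn == cert_issuer_dn and entry.subject_dn == cert_subject_dn
               for entry in acl.values())


def remove_trust(options, system_id, client):
    """Return a copy of the options with every triple for the given system removed,
    i.e. the manual clean-up step for an application that must not accept its tickets."""
    drop = {n for n, e in parse_acl(options).items() if (e.system_id, e.client) == (system_id, client)}
    return {k: v for k, v in options.items()
            if not (_OPTION.match(k) and int(_OPTION.match(k).group(2)) in drop)}
```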
Screenshot captions from the SSO2 wizard walkthrough:
- Configuring trust by querying the ticket issuing system or by manually uploading the public key certificate of the ticket issuing system
- No system available in the SLD, so the system connection details can be entered after choosing either the ABAP or the Java system type
- Entering the connection details for a Java system
- Details of the Java ticket issuing system's public key certificate that will be imported
- Public key certificate of the Java ticket issuing system imported into the ticket accepting Java system via the SSO2 wizard
- The wizard updates the EvaluateTicketLoginModule and EvaluateAssertionTicketLoginModule in the user store, and any policy configurations containing these login modules show the resulting ACL entries
- Querying trusted system: entering the connection details for an ABAP system
- Details of the ABAP system's public key certificate that will be imported
- ABAP system's public key certificate imported
- Again the policy configurations show the changes made by the SSO2 wizard
- The TicketKeystore view showing the two public key certificates imported by the SSO2 wizard
Related SAP Notes/KBAs
1083421 SSO2 Wizard