Former Member
Nov 22, 2006 at 08:27 PM

Logon tickets from WAS(ABAP) to J2EE


I'm going to pick this up from the end of thread:

Mapping X.509 Cert. info to J2EE user

because our prototype is going to try a different approach.

Initially, we wanted to implement an X509 single sign on infrastructure for our J2EE. We already have an existing PKI that is based on users' unique employee ID, which is not their SAP login. For an existing WAS (BSP) application, we have been using the corporate PKI to provide X509 SSO by mapping the unique IDs in table USREXTID to the SAP login ID. This is an automated process already in place. But that specific methodology is not possible out of the box with J2EE, so rather than rely on users to automatically map their own certs or manually map each of the 10,000 users, we have decided to investigate the possibility of having the users log into a BSP on the WAS and then immediately pass them into the J2EE with a logon ticket. Presumably this would be accomplished in the same browser session using the MYSAPSSO2 cookie as the login ticket to J2EE. This will also allow us to administer the X509s in one place - the ABAP side. In many ways, this is no different than relying on any other external authentication mechanism like LDAP, VPN, SAML authority, etc.

So our goal is to pass a logged in user to a BSP on a NW04 ABAP system over to a J2EE application via tickets.

We have met the prerequisites in:

http://help.sap.com/saphelp_nw2004s/helpdata/en/62/c0503e1dac5b46e10000000a114084/frameset.htm

On the ABAP side, I have exported the cert and imported it into the keystore of the J2EE engine.

I have adjusted the EvaluateAssertionTicketLoginModule as follows:

trustedsys2 = SID, 200

trustediss2 = <cert Issuer>

trustedddn2 = <cert DN> (same as issuer)

ume.configuration.active = true

(I used index #2 because we have the EvaluateTicketLoginModule configured to read other tickets from another J2EE issuing system.)

I have added that module to the top of the ticket authentication template with the SUFFICIENT option.

I can log into the issuing WAS system and verify that a MYSAPSSO2 cookie is issued by accessing the URL 'javascript:document.cookie'.

While in the same IE session, I then link to a URL on the J2EE (receiving system) and still get presented with a logon screen. I see no evidence in the traces or even security log that a MYSAPSSO2 cookie is received.

The modules are configured for the ticket template as follows:

EvaluateAssertionTicket (SUFFICIENT)

EvaluateTicketLoginModule (SUFFICIENT)

ClientCertLoginModule (OPTIONAL)

CreateTicketLoginModule (SUFFICIENT)

BasicPasswordLoginModule (REQUISITE)

CertPersistorLoginModule (OPTIONAL)

CreateTicketLoginModule (OPTIONAL)

The above module works fine for:

a.) accepting X509s

b.) accepting login tickets from another J2EE system

All I did was add the EvaluateAssertion module so that it would look for a cookie/ticket from a WAS session.

I did all this according to:

http://help.sap.com/saphelp_nw2004s/helpdata/en/62/c0503e1dac5b46e10000000a114084/frameset.htm

What else might I be missing?
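As an added illustration (not code from the post or from SAP), the Python snippet below simulates the JAAS control-flag rules (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) that the J2EE engine applies to the login-module stack listed above, using the module names and flags from the post and constructed per-module outcomes. It shows why a request with no accepted MYSAPSSO2 cookie ends at the REQUISITE BasicPasswordLoginModule, i.e. the logon screen, and why a ticket that the EvaluateAssertionTicketLoginModule accepts short-circuits everything below it.

```python
# Added example: stand-alone simulation of JAAS control-flag semantics applied
# to the poster's "ticket" template. Per-module outcomes are constructed inputs;
# nothing here talks to a NetWeaver system.

# The poster's stack, top to bottom, with its control flags.
TICKET_TEMPLATE = [
    ("EvaluateAssertionTicketLoginModule", "SUFFICIENT"),
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("ClientCertLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CertPersistorLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]


def evaluate_stack(stack, outcomes):
    """Walk the stack with JAAS control-flag rules.

    outcomes[i] is True if module i's login() would succeed for this request.
    Returns (authenticated, names of the modules actually consulted).
    """
    required_state = None   # None: no REQUIRED/REQUISITE module seen yet
    optional_success = False
    consulted = []
    for (name, flag), ok in zip(stack, outcomes):
        consulted.append(name)
        if flag in ("REQUIRED", "REQUISITE"):
            if required_state is None:
                required_state = True
            if not ok:
                required_state = False
                if flag == "REQUISITE":
                    break           # REQUISITE failure aborts the walk
        elif flag == "SUFFICIENT":
            if ok and required_state is not False:
                return True, consulted  # SUFFICIENT success ends the walk
        elif flag == "OPTIONAL":
            optional_success = optional_success or ok
        else:
            raise ValueError("unknown control flag: %r" % flag)
    if required_state is not None:
        return required_state, consulted
    return optional_success, consulted  # no REQUIRED/REQUISITE configured


if __name__ == "__main__":
    # Constructed scenarios: no usable cookie, accepted assertion ticket,
    # and a password logon after the ticket modules fail.
    for label, outcomes in [("no cookie", [False] * 7),
                            ("assertion ticket", [True] + [False] * 6),
                            ("password", [False] * 4 + [True] * 3)]:
        print(label, evaluate_stack(TICKET_TEMPLATE, outcomes))
```

In the "no cookie" case the walk stops after BasicPasswordLoginModule with no success, which is exactly the point at which the engine renders the logon screen.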