Application Development Discussions
User mapping certificate in UME (J2EE) with ABAP system as Backend (SNC)

Former Member
0 Kudos

I hope someone can help me with the user mapping concept (X.509 V3 certificates) for both "worlds" (ABAP and JAVA Stack).

I know how to install and configure certificate based (X.509) login to SAP ABAP and SAP JAVA (J2EE) Stack (--> enable encryption for communication and Single Sign On).

Situation:

We have a ready installed and configured X.509 certificate authentication environment for the ABAP world (between SAP GUI and SAP Server System)

and the user mapping was configured in the ABAP System (SU01). As the users are using certificates, the passwords are deactivated on the ABAP System.

Now if you want to integrate a JAVA (J2EE) System and you want to configure the UME to the ABAP System (as Backend), you have an administrative effort problem with the user mapping (X.509) in the UME configuration.

1.) It is possible to assign the user public key manually to every user --> But too much effort

2.) As the user does not have a password (deactivated in the ABAP system), the way to combine the automatic mapping with a user login does not work.

3.) In the distinguished name of the user certificate there is no information about the SAP username itself

--> you are not able to use any information of the DN to bind a user in the Login Module configuration.

Now my question:

Is it possible to use the sncname information from the ABAP System (still configured and available) for the UME configuration?

As I know, it is possible to write an own Login Module. Does anybody have a customized Login Module for this issue?

At the end the best solution would be to enable the same user mapping mechanism on the JAVA world as on the ABAP world. --> Mapping the Distinguished Name to the SAP User

10 REPLIES

tim_alsop
Active Contributor
0 Kudos

We have developed a login module which is working with Kerberos auth, not x.509 auth, but still solves a very similar problem to the problem you are describing. As you know, when SNC is used to logon to ABAP stack, the SNC name of the user is mapped onto a SAP user via entries in the USRACL table. Our mapping login module takes the authenticated user principal name from the shared state and uses this to lookup the entry in USRACL table on ABAP stack, and from this it will know which SAP user to use, and can update shared state with this info so that CreateTicketLoginModule will create an SSO2 ticket for the mapped SAP user id.

This means that mapping of a user's externally authenticated identity onto SAP user/client can be managed in one place, e.g. in ABAP stack using USRACL table entries and su01 t-code etc.

I know it is not exactly what you wanted, since you are looking to use x.509 certificates instead of Kerberos authentication, but I thought it was worth sharing so that you know the concept has already been implemented many times. Many of our customers use this login module when they have our product, for the same reasons that you have stated.

Thanks,

Tim
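As an added example (not code from Tim's product or from anyone on this thread), a plain JAAS login module showing the shared-state hand-off Tim describes: read the authenticated SNC name, resolve it to exactly one ABAP user, publish the result for the ticket-issuing module. The shared-state key names and the UsraclLookup interface are assumptions; a real implementation would back the lookup with an RFC read of USRACL (PNAME to BNAME) on the ABAP stack.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Mapping module that sits between the authenticating module (SNC/X.509) and
 * the ticket-issuing module. It resolves the authenticated SNC name to exactly
 * one ABAP user via USRACL-style rows and fails closed otherwise.
 */
public class SncMappingLoginModule implements LoginModule {
    // Shared-state keys: the first is the common JAAS convention, the second is a
    // placeholder for whatever key the downstream ticket module actually reads.
    static final String KEY_AUTH_NAME = "javax.security.auth.login.name";
    static final String KEY_MAPPED_USER = "mapped.sap.user"; // placeholder

    /** Hypothetical lookup; production code would query USRACL (PNAME -> BNAME) over RFC. */
    public interface UsraclLookup { List<String> usersForSncName(String normalizedPname); }

    private Map<String, Object> sharedState; private UsraclLookup lookup; private String mappedUser;

    public SncMappingLoginModule() { }                           // no-arg constructor required by JAAS
    public SncMappingLoginModule(UsraclLookup l) { lookup = l; } // convenience for tests / explicit wiring

    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        sharedState = (Map<String, Object>) shared;
    }

    /** Canonical form "p:<dn>" with RDNs trimmed and lower-cased (assumes no escaped commas). */
    static String normalize(String sncName) {
        String dn = sncName.trim();
        if (dn.regionMatches(true, 0, "p:", 0, 2)) dn = dn.substring(2);
        StringBuilder sb = new StringBuilder("p:");
        for (String rdn : dn.split(",")) {
            if (sb.length() > 2) sb.append(',');
            sb.append(rdn.trim().toLowerCase(Locale.ROOT));
        }
        return sb.toString();
    }

    @Override public boolean login() throws LoginException {
        Object name = sharedState == null ? null : sharedState.get(KEY_AUTH_NAME);
        if (name == null || lookup == null) throw new LoginException("no authenticated principal or no lookup");
        List<String> users = lookup.usersForSncName(normalize(name.toString()));
        if (users.size() != 1) throw new LoginException("no unique USRACL mapping for " + name);
        mappedUser = users.get(0);   // held until commit(); another module may still veto the login
        return true;
    }
    @Override public boolean commit() { if (mappedUser == null) return false; sharedState.put(KEY_MAPPED_USER, mappedUser); return true; }
    @Override public boolean abort() { mappedUser = null; return true; }
    @Override public boolean logout() { sharedState.remove(KEY_MAPPED_USER); return true; }
}
```

Rejecting zero or multiple matches is the part worth keeping: a module that silently took the first USRACL row would let one SNC name land on the wrong SAP user when the table holds duplicate or stale entries.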

Former Member
0 Kudos

Hi Tim,

Your approach is quite interesting, would you like to share more on this? I want to use your solution to solve my problem:

I use read-only LDAP as UME data source, however, for a number of users, I have to map them to a different login ID in the backend system, e.g.: NT ID = A needs to be mapped to B in the SAP system. While our corporate LDAP is read-only for me, I have to find another way to do the user mapping. I am thinking to develop a Java class that inherits from com.sap.security.core.server.jaas.CreateTicketLoginModule, ....but so far no idea where to start, so your help is much appreciated.

regards,

Shawn

tim_alsop
Active Contributor
0 Kudos

Shawn,

I cannot share details concerning commercial products on SDN. From what you have described concerning your mapping requirement, it looks like our existing mapping login module would do what you want. All of your mapping rules would be stored in a table in an ABAP system, either on the same host as the Java stack or on a different server in the network.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

thank you for the valuable and fast response

It seems that an own login module (mapping module) would be the best solution.

I am not able to estimate the effort for such a login module.

Thanx,

Frane

0 Kudos

If you are using SNC for SAP GUI logon/SSO then this implies that you must be using a product from a SAP partner. Maybe you can ask that partner to help you with coding a login module so that your J2EE authentication can also use the same mapping rules? Of course, you can always consider moving away from using x.509 and use Kerberos instead, and you can get all you need off-the-shelf, SAP certified and fully supported.

Thanks,

Tim

WolfgangJanzen
Product and Topic Expert
0 Kudos

Sorry, Tim - but I think you got it wrong.

If I have understood Frane correctly, then it's about using X.509 client certificates (PKI already exists, mapping to ABAP user accounts already exists) to authenticate at both stacks, NWAS ABAP and NWAS Java. Now it's only about creating the missing certificate mapping for the NWAS Java.

@Frane: if you operate your own PKI you should be able to assign certificates to users and most likely you store them in an LDAP directory. So you could use that information to set up the missing certificate mapping (UME) - maybe it requires some coding effort, but in principle that should be possible. Or you could consider purchasing some Identity Management (IdM) solution.

Regards, Wolfgang

0 Kudos

Hi Wolfgang,

thank you for your answer. In our case we are using temporary user certificates (valid for e.g. 10 hours). This user certificate will be created automatically every day.

I know the possibility to assign the User Public Key to an SAP User in the User Administration (or linking via LDAP ).

My current status is to search for an SAP Login Module which is able to establish an SAP User Mapping depending on the Distinguished Name of the User Certificate, stored in the SAP ABAP Server System.

Thank you Wolfgang,

Frane

Former Member
0 Kudos

I want to update my status and how I set up a solution.

I have a solution using a custom Login Module. With this customized Login Module it is possible to use an existing SNC user mapping configuration in a SAP ABAP System for the X.509 User Authentication to the SAP JAVA System (e.g. SAP Enterprise Portal).

Cheers,

Frane Milicevic

0 Kudos

Hello Frane,

Could you let us know how you built this custom Login Module? We have the same situation.

I would appreciate if you could give me step-by-step instructions.

Lorven.

0 Kudos

Hi Frane

I too am faced with a similar problem to yours.

Could you help me out with how to create a custom login module?

Thanks

Anton