Portal Websphere to SAP BW using x509 Certificate issues

Former Member
0 Kudos
263

Hello,

We are trying to setup Single Sign on between the WebSphere Portal and SAP BW (WAS 640).

As per our requirements, our end users log in to the WebSphere Portal and access the EJB source code, which in turn retrieves the data from the SAP BW system via SAP JCO. This setup works perfectly when the user passes his user ID and password manually every time.

We would like to automate this process using a Single Sign-On mechanism based on X.509 certificates (user to be $X509CERT$ and the Base64-encoded certificate passed as the passwd parameter).

As a part of this setup, we implemented the following steps on SAP BW system

1. Installed the SAP CryptoLib

2. Adapted the following parameters

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 2

3. Imported a WebSphere Portal-issued public certificate (CN=POCUSER2, OU=IBM, C=US) into the SAP BW trust manager via STRUSTSSO2 and added the certificate and ACL entry

4. Completed the "Assignment of External ID to users" using the SM30 view VUSREXTID with the following entry:

External ID type: DN (DN of Certificate (X.500))
External ID: CN=POCUSER2, OU=IBM, C=US
Seq. No.: 000
User: POCUSER2

Now when the user from the WebSphere Portal passes user=$X509CERT$ and his certificate, which is imported into the SAP BW system, he gets an error saying "SNC Setup required" on the WebSphere Portal side.

Do I need to set up a similar SNC on the SAP BW side, or is it just the WebSphere Portal side?

Has anyone implemented SSO between WebSphere Portal (NON SAP EP) and an SAP BW system?

Do you think this process is going to work, or do I need to configure the SAP BW system for SSL instead of SNC, as the user is coming via browser and not SAP GUI?

Thanks for your time.

-Sreeni

11 REPLIES

yonko_yonchev
Advisor
0 Kudos
152

Hi Sreeni,

you'd definitely need to go with SSL not SNC. SNC works for connections over RFC (that is between SAP ABAP systems) or between the SAP GUI and the ABAP backend.

The cause for the error you got is that the client (in your case the Websphere portal) needs to be SNC enabled as well, and this wasn't the case.

Regards,

Yonko

WolfgangJanzen
Product and Topic Expert
0 Kudos
152

SSL can only authenticate the communication peers, which in this scenario are two servers (the IBM WebSphere server and the SAP BW server). SSL cannot be used for user authentication (SSO) in that scenario.

When using a web browser, the case is different: in that case the SSL client is a "user agent" (web browser) which is used exclusively by one single user (at that given point in time). Therefore it is legal to assign that SSL client certificate to a user account (on the server side).

For such system-to-system calls (where the user is authenticated at the first system and where the second system is supposed to launch a user session assigned to the same user) you need (authentication) assertions.

Such assertions could be:

- SAP Authentication Assertion Ticket (proprietary)

- SAML Assertions (in future, currently not accepted by ABAP backends, therefore not of use in this scenario)

Well, another option would be to let the first system perform the SSL verification and forward the verified X.509 client certificate (Base64 encoded) to the second system (that technique was used by the external ITS, at a time when ABAP systems were not yet called "Web Application Server"). In that case the second system needs to trust the first one; this trust is established via SNC (which is mandatory). If you want to go that way, kindly have a look at SAP Note 645876 (http://service.sap.com/iron/fm/011000358700000431401997E/0645876; notice that there are attached documents) for SNC configuration. In addition you need to set up your ABAP backend similar to the description in SAP Note 358469 (http://service.sap.com/iron/fm/011000358700000431401997E/0358469) (=> transaction SNC0: enter the SNC name of the JCO and tick option "X.509" instead of "ext.ID").

Cheers, Wolfgang

0 Kudos
152

Thanks Wolfgang for your detailed explanation. So based on your response, I now feel I am heading in the right direction by opting for SNC configuration instead of SSL, as it is a communication between two servers (WebSphere and SAP BW).

Before I started this message, I followed this great weblog closely:

weblog:/people/gregor.wolf3/blog/2006/09/29/setup-data-encryption-between-rfc-client-and-web-as-abap-with-snc

Here is what we did on our SAP BW server:

1. Installed the SAP Crypto Library

2. The following parameters have been changed in the instance profile file:

login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2
snc/enable = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/permit_insecure_start = 1
snc/data_protection/min = 1
snc/extid_login_diag = 1
snc/extid_login_rfc = 1
sec/rsakeylengthdefault = 1024
snc/data_protection/max = 3
snc/data_protection/min = 1
snc/data_protection/use = 3
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 3
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_start = 1
snc/force_logon_screen = 0
snc/identity/as = "p:CN=SBC, OU=IT, O=COMP1, C=US"
snc/gssapi_lib = /usr/sap/SBC/SYS/exe/run/libsapcrypto.o
ssf/name = SAPSECULIB
ssf/ssfapi_lib = /usr/sap/SBC/SYS/exe/run/libsapcrypto.o

3. Completed the "Assignment of External ID to users" using the SM30 view VUSREXTID with the following entry:

External ID type: DN (DN of Certificate (X.500))
External ID: CN=POCUSER2, OU=IBM, C=US
Seq. No.: 000
User: POCUSER2

Now, I have the public certificate from WebSphere and I want to import it into my SAP BW system under the SNC PSE node in the trust manager. I am unable to do this, as I do not see my SNC PSE node in the trust manager, even though I installed the SAP Crypto Library and made the parameter changes correctly as stated above. Do you see any conflict between the parameters for SNC and the other types of PSEs?

Should I deactivate the System PSE if I am working on the SNC PSE?

Thanks again for your time and great response,

Regards

Sreeni.

0 Kudos
152

Hi Sreeni,

you need to differentiate between three entirely different certificates, or rather PSEs (which might all be visible in transaction STRUST):

1. SSL certificates / PSEs (server, client)
   not relevant in this context

2. System PSE / dedicated PSE for "SAP logon ticket"
   not relevant in this context

3. SNC certificate / PSE
   only displayed in STRUST if SAPCRYPTOLIB is also used as SSF library (which should be the case according to the profile parameters you have quoted).

If worst comes to worst, you have to use the command line tool sapgenpse, again.

Well, did you restart your ABAP application server instance after changing the profile parameters? What (current) values are displayed by program RSPARAM? Are you using an older ABAP release?

Once you've managed to configure SNC and still experience logon problems, follow the trace analysis approach described in SAP Note 495911 (http://service.sap.com/~iron/fm/011000358700000431401997E/0495911).

Good luck,

Wolfgang

0 Kudos
152

Hi Wolfgang,

I am using the following versions:

SAP_ABA 640 0018 Cross-Application Component

SAP_BASIS 640 0018 SAP Basis Component

PI_BASIS 2005_1_640 0009 Basis Plug-In (PI_BASIS)

SAP_BW 350 0018 Business Information Warehouse

BI_CONT 353 0011 Business Intelligence Content

Surprisingly, the current instance profile parameter values do not show in RSPARAM even though we restarted the server a couple of times. I think I need to go back to the Basis team on this, as to why RSPARAM does not show the latest parameter values.

As stated, I will try using the SAPGENPSE tool to import the certificate as a last resort, even after the Basis correction of RSPARAM.

Wolfgang, I have one more question: we are going to have at least 5000 users logging into the WebSphere Portal client.

Do I need to import the public key certificate of each user issued by WebSphere Portal into SAP BW under the SNC PSE node and do a user mapping for each user in VUSREXTID (SM30), or with the SNC setup is a one-time certificate import sufficient for all users?

Thanks again

Sreeni

0 Kudos
152

Well, NetWeaver 2004 (SAP_BASIS 6.40) is definitely "recent enough".

But, if RSPARAM does not list those parameter values, then they are not considered "effective".

Regarding your last question:

yes, for each user you require an entry in the certificate mapping table. But if that mapping is rule-based (i.e. ABAP userID is contained somewhere in the subject name, with a static prefix and a static suffix) you can generate those mapping entries using the ABAP program RSUSREXTID.

Important:

Please notice that the mapping entries need to contain the printable notation of the certificate's subject name as displayed in transaction STRUST (when displaying the content of an uploaded certificate). Regarding the visualization of certain OIDs (e.g. "e-mail address") there might be differences between the SAP libraries (SAPSECULIB / SAPCRYPTOLIB) and other keystores (e.g. Microsoft keystore).
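As an added illustration (not code from this thread, from SAP or from RSUSREXTID itself), the following Python sketch shows the two points above: generating rule-based VUSREXTID-style entries when the ABAP user ID sits in the subject's CN between a static prefix and suffix, and looking a presented certificate up by exact match on its printable subject notation, so that a differently formatted or reordered DN does not resolve. The canonical "CN=..., OU=..., C=..." form, the user-ID character rule and the sample subjects are assumptions constructed for the example.

```python
import re

# Assumed canonical notation: "TYPE=value" pairs joined by ", ", as the thread
# writes "CN=POCUSER2, OU=IBM, C=US" in VUSREXTID. This is not SAP's specification.
_USER_ID_RE = re.compile(r'^[A-Z0-9_]{1,12}$')   # assumption: upper-case IDs, max 12 chars

def parse_dn(dn):
    """Split an RFC 2253-style DN into (type, value) pairs; escaped commas stay in values."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        key, sep, value = part.strip().partition('=')
        if not sep or not key.strip():
            raise ValueError(f'malformed RDN: {part!r}')
        rdns.append((key.strip().upper(), value.strip()))
    return rdns

def canonical_dn(dn):
    """Printable form used as the External ID key (assumed 'CN=x, OU=y, C=z')."""
    return ', '.join(f'{k}={v}' for k, v in parse_dn(dn))

def derive_user(dn, prefix='', suffix=''):
    """Return the ABAP user ID embedded in the CN as <prefix><id><suffix>, else None."""
    cn = next((v for k, v in parse_dn(dn) if k == 'CN'), None)
    if cn is None or not (cn.startswith(prefix) and cn.endswith(suffix)):
        return None
    user = cn[len(prefix):len(cn) - len(suffix)].upper()
    return user if _USER_ID_RE.match(user) else None

def generate_mapping(dns, prefix='', suffix=''):
    """Build VUSREXTID-style rows (External ID type, External ID, Seq. No., User)."""
    rows = []
    for dn in dns:
        user = derive_user(dn, prefix, suffix)
        if user:
            rows.append(('DN', canonical_dn(dn), '000', user))
    return rows

def lookup_user(mapping, presented_dn):
    """Resolve a presented subject to a user by exact match on the canonical DN."""
    key = canonical_dn(presented_dn)
    return next((u for typ, ext, _, u in mapping if typ == 'DN' and ext == key), None)

# Constructed sample subjects, modelled on the thread's "CN=POCUSER2, OU=IBM, C=US".
SAMPLE_DNS = [
    'CN=POCUSER2, OU=IBM, C=US',
    'CN=POCUSER7,OU=IBM,C=US',            # same notation family, different spacing
    'CN=Service Account, OU=IBM, C=US',   # no valid user ID in the CN: skipped
]
```

Because the lookup is a plain string comparison, a subject rendered with a different attribute order or a differently visualised OID (the SAPSECULIB/SAPCRYPTOLIB versus Microsoft keystore case mentioned above) simply does not match, which is the failure the note warns about.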

0 Kudos
152

Sure, I will check with my Basis team to get the parameters effective, and thanks for the program RSUSREXTID.

I will post my updates and points to this message as soon as I proceed further.

Thanks a lot for your time and quick response.

-Sreeni

0 Kudos
152

Hi Wolfgang,

We have configured the SNC parameters and restarted the server, and Basis made some changes, after which the trust manager now shows the SNC PSE. But when I try creating the PSE by right-clicking on SNC PSE and accepting a small popup window which shows the CN, O, OU, C parameters (as stated in snc/identity/as), I get an error saying "Error while creating PSE".

Should I delete the System PSE or move it to another directory? Are there any other parameters I should look into?

Thanks for your time and great support.

-Sreeni

0 Kudos
152

Please leave the System PSE untouched!

That PSE is not related to SNC at all - but used for digital signatures (e.g. for SAP logon tickets, unless using a dedicated PSE for them, which I personally would recommend).

Well, to analyse your problem it would be best to take a look at it (via remote connection). That's why I'd recommend submitting a support request to SAP (component: BC-SEC-SSF / BC-SEC-SNC). You might refer to this SDN conversation in your support ticket.

Best regards,

Wolfgang

Former Member
0 Kudos
152

Wolfgang and Srini,

Your postings provided good information to me. I am working on an Event Management (part of SCM 5.0) project, where we installed a proxy server and a WebSphere web server to authenticate external users using the SiteMinder product on the firewall. Event Management has a software component called Web Communication Layer, which runs on the Java stack. Its function is to call the Event Management server (ABAP stack) using JCO RFC. The Web Communication Layer software can be configured to use SAP Logon Tickets or X.509 certificates as per SAP documentation.

My questions are -

1. Since the WebSphere web server and SiteMinder are going to authenticate external users, we need to implement SSO to avoid authenticating again when users log in to the Web Communication Layer. In this scenario, do we need to use SAP Logon Tickets or X.509? Could you elaborate on the situations where we need to use one or the other?

Your help is appreciated.

Thanks,

PV

WolfgangJanzen
Product and Topic Expert
0 Kudos
152

Hi "PV",

your case / scenario is different from the one described by Sreeni: you are not using X.509 client certificates but Siteminder for authentication.

Good news: you access the ABAP backend systems through an NWAS Java (via JCO). In that case you can use own JAAS login modules (on NWAS Java) to evaluate the Siteminder credentials. Once you have a J2EE session (with assigned "principal", i.e. "authenticated user") you can configure the system to use "SAP Authentication Assertion Tickets" for the JCO communication. In contrast to "SAP Logon Tickets" (which will simply be forwarded and therefore have to be received by the NWAS Java), "SAP Authentication Assertion Tickets" will be created on demand, exclusively for the outbound JCO connection. Notice: you require an NWAS Java 6.40 (with some SPs) in order to be able to use the "Destination Service".

Cheers, Wolfgang