
JCO connection to SAP ECC 6.0 using X.509 based certificate

Former Member
0 Kudos

I need to create a connection from a non-SAP (Java) application to an SAP ECC 6.0 system to make RFC/BAPI calls to fetch data. I want to use the JCO API methods which provide SSO logon tickets and X.509 certificate based communication, using the following API method:

"addClientPool(java.lang.String key, int max_connections, java.lang.String client, java.lang.String user, java.lang.String passwd, java.lang.String lang, java.lang.String mshost, java.lang.String r3name, java.lang.String group)

Creates an instance of a client pool to a remote SAP system (with load balancing).

Note: Depending on the SAP system release, logins using Single-Sign-On (SSO) or X509 certificates are being supported.

For SSO specify the user to be $MYSAPSSO2$ and pass the base64 encoded ticket as the passwd parameter.

For X509 specify the user to be $X509CERT$ and pass the base64 encoded certificate as the passwd parameter."

Has anybody used this method or way to get the secured RFC connection? Please help me on the same.

15 REPLIES 15

sdipanjan
Active Contributor
0 Kudos

Please check the following SAP Notes and let us know if you have any questions on this:

743470 Certificate Logon Through JCo with SNC and X.509 in EP 6.0

698181 IPC security: Maintaining parameters for SNC-RFC connections

720523 IPC security: Maintaining params for SSL secured connections

817854 RFC using SNC secure connection

942093 HTTPS secure connection configuration for CMS

842930 Secure RFC destination for KPI determination

658464 Security check of IPC

Regards,

Dipanjan

mvoros
Active Contributor
0 Kudos

Hi,

Don't forget that both methods can only be used with SNC, so you need to set this up first. The text pasted by you describes what you need to do. In case you want to use SSO, pass the string "$MYSAPSSO2$" to variable user of method addClientPool and set variable password to the SSO ticket encoded using base64. For more info check [Java documentation for class JCO|http://help.sap.com/javadocs/NW04S/SPS09/jc/com/sap/mw/jco/JCO.html]. You will get an SSO ticket when you authenticate against the SAP application server.

Have you been thinking about using different technology such as web services or RESTful interface? Both methods can use SSL to protect transfer data, it's pretty easy to call them from Java and usually the system needs SSL for other services so there is no extra configuration needed.

Cheers

Former Member
0 Kudos

I checked the JCO Java doc but it does not give any information in terms of how to get the base64 encoded ticket or certificate to pass into the JCO API.

Edited by: Sandeep Kumar Agarwal on Sep 28, 2010 4:34 PM

mvoros
Active Contributor
0 Kudos

Hi,

If you connect to any web based service on an application server with SSO enabled, then you get a cookie with name MYSAPSSO2 which contains binary data. This is an SSO ticket which you need to pass to the JCO API. So your application needs to get this cookie first. The easiest solution is to make an HTTP request over SSL to a dummy service which will just return an SSO ticket. Then you will reuse it for other connections. Don't forget that each SSO ticket has an expiry time (by default it should be 12 hours), so you will have to get a new one after the old one expires.

In case of a certificate it's simpler. You just need to issue a valid certificate and then load it from disk into your application and encode it into base64. Check [SAP documentation|http://help.sap.com/saphelp_nw04s/helpdata/en/b1/07dd3aeedb7445e10000000a114084/frameset.htm] for more info about using X.509 certificates for authentication.

Cheers
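
The certificate step from the reply above, as an added example that is not part of the original thread or of SAP's code. The class and helper names are hypothetical, the certificate path is supplied by the reader, and it is an assumption that JCo expects the Base64 of the DER encoding on one line without PEM markers; the `addClientPool` call is left as a comment because the JCo library and an SNC setup are required to run it.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;

public class JcoX509Passwd {
    // Hypothetical helper: builds the value for addClientPool's passwd parameter.
    static String encodeForJco(byte[] fileBytes) throws Exception {
        // Refuse files that also carry key material; only the certificate is sent.
        String text = new String(fileBytes, StandardCharsets.ISO_8859_1);
        if (text.contains("PRIVATE KEY-----")) {
            throw new IllegalArgumentException("file contains a private key");
        }
        // The JDK's X.509 factory accepts both DER and PEM input.
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(fileBytes));
        cert.checkValidity(); // throws if expired or not yet valid
        Duration left = Duration.between(Instant.now(), cert.getNotAfter().toInstant());
        if (left.toDays() < 30) {
            System.err.println("warning: certificate expires in " + left.toDays() + " days");
        }
        System.err.println("subject: " + cert.getSubjectX500Principal().getName());
        // Assumption: Base64 of the DER bytes, single line, no BEGIN/END markers.
        return Base64.getEncoder().encodeToString(cert.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the user's certificate (PEM or DER), supplied by the reader.
        String passwd = encodeForJco(Files.readAllBytes(Paths.get(args[0])));
        System.out.println(passwd.length() + " Base64 characters ready for passwd");
        // With the JCo library on the classpath and SNC configured, the method quoted
        // in the question would be called like this (other values are placeholders):
        // JCO.addClientPool("POOL", 5, "<client>", "$X509CERT$", passwd, "EN",
        //                   "<mshost>", "<r3name>", "<group>");
    }
}
```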

Former Member
0 Kudos

Hi Martin,

Thanks for response.

Let me specify here that my landscape is having Java-JSP application deployed on tomcat 7.x which needs to communicate with ECC6.0 using the JCO api via secured call i.e. either using logon tickets or x509 certificates.

I have following question:

Whether it is feasible in the above mentioned landscape, where we do not have the application deployed on an application server (SAP WAS).

If yes, where and how should I generate the tickets or certificate to use in Tomcat, and in turn in the JCO API?

Edited by: Sandeep Kumar Agarwal on Sep 29, 2010 11:10 AM

Edited by: Sandeep Kumar Agarwal on Sep 29, 2010 11:12 AM

mvoros
Active Contributor
0 Kudos

Hi,

To generate certificates for your users you need to set up KPI. Obviously, you have no idea what it is, and setting up KPI is a complicated task. Basically, you need to set up a certification authority which will issue an X.509 certificate to each user, and configure SAP AS to accept users with certificates issued by your certification authority. It does not look like the way to go for you. SAP offers [Trust Center Service|http://help.sap.com/saphelp_nw04s/helpdata/en/7c/1d0101f63d4410b5c80df326f412dd/frameset.htm] which might help.

To use SSO, you need to configure your SAP AS to issue SSO tickets. Check [SAP documentation|http://help.sap.com/saphelp_nw04s/helpdata/en/f8/18da3a82f9cc38e10000000a114084/frameset.htm] for how to do it. After that you still need to get a valid SSO ticket from SAP AS. As I said, this ticket will be valid for a restricted time (by default 12 hours), therefore you will have to get a new ticket every two hours. The easiest way to get a valid ticket is to call some SAP service and pass user name and password in form fields of an HTTP request. The reply will contain a cookie with name MYSAPSSO2 which is an SSO ticket in binary form. So you can reuse it for additional RFC calls.

As I said, and as it was confirmed by Tim, you also need to use SNC for this case. Therefore I repeat my question: wouldn't it be easier to replace JCo with web services or a REST based interface over SSL?

Cheers

Former Member
0 Kudos

Hi,

I don't understand why it would be necessary to use SNC for the JCO connection to the ABAP system.

I have setup the JCO destinations for the ESS application and I just had to configure the "Ticket" method for user Authentication.

My understanding is that the RFC protocol is able to transmit the MYSAPSSO2 ticket (not as a cookie obviously).

Of course the portal certificate must have been previously imported in the STRUSTSSO2 transaction of the abap system to establish the trust relationship.

Regards,

Olivier

Former Member
0 Kudos

Hi Oliver,

My question is how and where you generated the ticket to use in the ESS application. If I am not wrong, you must have a portal in your landscape.

Former Member
0 Kudos

Hi Martin,

Thanks for replying.

Couple of questions.

How will the secured authentication take place using web services?

Can you give some understanding of how to use web services to access the data in my scenario, because our data can only be fetched via BAPI/RFCs?

Is there any other way to generate the SSO tickets from any third party tool or SAP tool (must be freeware) to pass in to the SAP system for authentication via Tomcat using the JCO API?

Edited by: Sandeep Kumar Agarwal on Sep 30, 2010 3:31 PM

Former Member
0 Kudos

Hi again,

Of course I have a SAP portal: ESS runs inside a SAP portal!

You wrote about JCO, so I assumed that your java system is a SAP J2EE system.

If your java system needing to make calls in an abap system is not a SAP one, don't use JCO (RFC) but use web services it will be much easier and you will be able to use X.509 authentication if you want.

Regards,

Olivier

mvoros
Active Contributor
0 Kudos

Hi,

I've never tested it but here is a quote from Java documentation

The logon with SSO or X.509 is based on SNC-encryption and can only be used in combination with a secure network connection.

My guess is that JCo API does not know how to work with X.509 certificate and it needs some additional library (SNC). I don't understand why it's needed for SSO. In your case you get a SSO ticket from portal and pass it to ABAP stack which trusts cookies signed by portal (trust relationship). Obviously, you don't need SNC for regular RFC call.

Cheers

mvoros
Active Contributor
0 Kudos

Hi,

web service call is usually over HTTP or HTTPS. So if you want to have it secure then obviously you need to use HTTPS. Therefore you need to set up SSL on your AS (search for documentation, it's pretty easy).

Any RFC enabled FM can be exported as web service. So you just need to identify all FMs and export them as web services. Each web service has WSDL which can be used to generate proxy Java classes. How to do it depends on your tools and libraries.

Theoretically, it is possible. An SSO ticket is just a bunch of data in some format and signed by a certificate. You might be able to find a format description and re-implement this part in Java. You can generate a special certificate for your Java stack and configure the ABAP stack to accept cookies signed by that certificate. Basically, the same scenario as was described by Oliver (portal generates SSO tickets and ABAP stack accepts cookies signed by portal).

Cheers

tim_alsop
Active Contributor
0 Kudos

Hi,

If your JCO application is using SAP RFC to communicate with an SAP ABAP system, then SNC has to be used, and so you need an SNC library on the server where JCO is used. You will also need an SNC library on the ABAP stack. Then you would need to specify the correct SNC parameters in the JCO connection string and the authentication will work. This is common, but I have more experience of using Kerberos instead of X.509 - both are possible if you have the correct SNC libraries.

Thanks,

Tim

Former Member
0 Kudos

hi

This could be helpful for you...

first check "HTTPS" service is active or not using "smicm".

In ECC system using "STRUSTSSO2" create certificate for SSLserver standard.

Send it to Verisign. and they will provide one url link & certificate

download this certificate & rename this certificate with pk7b to pk7b.cer

Next using URL link download in the format pkcs#7 , save it in notepad without spaces with extension .p7b

Then double click on that <ex>.p7b , select certificates >> <hostname.domainname> >> certification path >> view certificate >>

Details >> Copy the file to desktop by selecting [ Base64 ] & this is an intermediate certificate save with extension ".cer".

In the same way copy Root certificate from .p7b extension file.

path:

Verisign class3 >> view certificate >> Details >> Copy file >> Base64 >> save it as <root.cer>.

Merged certificate:

copy the contents of Intermediate certificate and append it at the end of Root certificate save it as <merge.cer>

Regards

santhoshn

0 Kudos

Hi,

>Send it to Verisign. and they will provide one url link & certificate

Are you a Verisign share holder ?

Regards,

Olivier