Application Development Discussions
Configure SAP ABAP as service provider using SAML holder-of-key

tombo_larsen
Active Participant
0 Kudos

Hi

We are trying to configure "SAML Holder of key" between Microsoft (as a service consumer) and SAP ABAP (as service provider).

The service provider/SAP ABAP is release 7.11 and we need to configure this component.

We have found SAP note 1254821 and are trying to follow the instructions for the "SAML Holder of key" scenario:

However, there is one step that we do not understand: step 5 "The private key to decrypt the encrypted....at the provider system must be a WS Security Identity in transaction STRUST"

Anyone who can elaborate on the meaning of this step and describe a procedure for what exactly to do?

BR

Tom Bo

5 REPLIES

Former Member
0 Kudos

This message was moderated.

mvoros
Active Contributor
0 Kudos

Hi,

a service provider needs to check two things when processing a message. The first is that the SAML assertion was issued by the STS, by checking the signature of the SAML assertion. The SAML assertion is signed by the STS (step 4 in the OSS note). The second is to verify that the sender knows the key from the SubjectConfirmation element (that's why it is called holder of key). One way is to encrypt and sign the SOAP message using a symmetric key. There is also an option to use an asymmetric key. The key is encrypted by the STS using the public key of the service provider. Therefore the private key must be imported into the service provider system (step 5 from the OSS note). More info can be found here: http://help.sap.com/saphelp_nw73/helpdata/en/e5/9f9913fc9c418db98c8693b2bbdb7c/frameset.htm

Cheers
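To make the two provider-side checks concrete, here is an added model of the exchange in Go (example code written for this thread, not SAP's implementation and not real SAML XML): the STS wraps the proof key for the provider and signs the assertion, the consumer MACs the SOAP body with that key, and the provider verifies both before trusting the caller. RSA-OAEP key wrapping and an HMAC proof are assumptions standing in for the WS-Security profile's actual key transport and message signature.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Assertion is a simplified holder-of-key assertion: WrappedKey is the SubjectConfirmation
// proof key encrypted with the provider's public key, STSSignature the STS signature over it.
type Assertion struct{ WrappedKey, STSSignature []byte }

func assertionDigest(a Assertion) []byte {
	h := sha256.Sum256(a.WrappedKey)
	return h[:]
}

// IssueAssertion is the STS side: wrap the proof key for the provider, then sign the assertion (step 4).
func IssueAssertion(sts *rsa.PrivateKey, provider *rsa.PublicKey, proofKey []byte) (a Assertion, err error) {
	a.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, provider, proofKey, nil)
	if err == nil {
		a.STSSignature, err = rsa.SignPKCS1v15(rand.Reader, sts, crypto.SHA256, assertionDigest(a))
	}
	return a, err
}

// SignMessage is the consumer side: prove possession of the proof key by MACing the SOAP body.
func SignMessage(body, proofKey []byte) []byte {
	mac := hmac.New(sha256.New, proofKey)
	mac.Write(body)
	return mac.Sum(nil)
}

// Verify is the provider side. Check 1: the trusted STS signed the assertion. Check 2: the proof
// key unwraps with the provider's own private key (step 5) and the sender actually used it.
func Verify(stsPub *rsa.PublicKey, providerPriv *rsa.PrivateKey, a Assertion, body, mac []byte) error {
	if rsa.VerifyPKCS1v15(stsPub, crypto.SHA256, assertionDigest(a), a.STSSignature) != nil {
		return errors.New("assertion was not issued by the trusted STS")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, providerPriv, a.WrappedKey, nil)
	if err != nil {
		return errors.New("cannot unwrap proof key: provider private key does not match")
	}
	if !hmac.Equal(SignMessage(body, key), mac) {
		return errors.New("sender does not hold the SubjectConfirmation key")
	}
	return nil
}
```

A stolen assertion replayed without the proof key, a body altered in transit, or a provider holding the wrong private key (the situation step 5 guards against) all fail the check.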

tombo_larsen
Active Participant
0 Kudos

Hi

Ok, thanks for the insight and link for further documentation.

We now understand the concept, but is there any concrete configuration to be done regarding step 5:

5) The private key to decrypt the encrypted symmetric key at the provider system must be a WS Security Identity in transaction STRUST.

What is meant with "...must be a WS Security Identity in transaction STRUST"? The provider system holds its keypair in the system PSE, is this enough or must further configuration be done regarding this step?

BR

Tom Bo

mvoros
Active Contributor
0 Kudos

Hi,

the system PSE is not the right one. It uses two different key stores: WSSKEY and WSSCRT. You can see them defined in table STRUSTWSSE. The filename of this PSE is SAPWSSE.pse. You should see this PSE in STRUST. I am not sure where and I can't check it right now.

Cheers

0 Kudos

Hi Tom Bo,

The various PSEs shown in the tree of transaction STRUST have use cases. As there are PSEs for SSL Client or the System PSE there are also PSEs for the use case "Web Service Security". So the SAP note references PSEs in the STRUST tree starting with "Web Service Security".

The note stated that basically every "Web Service Security" PSE can be used to decrypt messages. Typically you export the certificate of the "Web Service Security Keys" (WSSKEY) PSE and let the WS Consumer encrypt the SOAP message with it.

By adding your own Web Service Security PSEs to table STRUSTWSSE you could define another decryption key. This is what Martin explained.

Regards,

Mathias