Application Development Discussions
SSO Between the NW04s Portal and a JSP Application

Former Member
0 Kudos

I am trying to determine how I go about providing single sign-on between the NW04s portal and a custom developed JSP application using the SAP Portal generated SAPLogonTicket.

I have downloaded the SAPSSOEXT files and read through the documentation. The programming required to perform the interrogation and consumption of the SAPLogonTicket seems pretty straightforward, but I am confused with a couple of things.

First, all this document covers is the programmatic changes required to interrogate and consume the SAPLogonTicket. It mentions briefly the standard SAP SECULIB library but it is not clear how this is used or deployed. I assume it depends on the application server where it is being deployed but I am not certain. Also, what is the use of the sapssoext.dll included in the download?

Second, the document really seems to only cover one half of the authentication mechanism as I understand it. What allows us to logon a user without a password is an existing trusted relationship between the application and the SAPPortal environment creating the SAPLogonTicket. I am familiar with creating this trusted relationship using the SAPGENPSE tool. I do not see any mention of SAPGENPSE in the documentation included in the download. How do we create this trusted relationship between the SAPPortal and the application?

Thanks for your help ahead of time.

Michael

1 ACCEPTED SOLUTION

yonko_yonchev
Active Participant
0 Kudos

Hi Michael,

The SAPGENPSE is used for establishing trust when PSEs are used. The portal, however, uses the AS Java Keystore service to maintain certificates and key pairs and thereby has no (or rather limited) notion of PSEs. When the Portal is the ticket issuing system it signs the issued ticket with the private key of the key pair in keystore view TicketKeystore. So, you want to export the public key certificate for the keypair in this keystore view and make it available to the ticket accepting systems so that it can verify the signature of the ticket.

You can make this certificate available in a PSE but then you'll have to have something that allows your application to read it so that it can verify the signature. If your application is deployed on a SAP NetWeaver Java system this will be done for your application by the EvaluateTicketLoginModule, the security provider service and the keystore service among others. Here's the SAP NetWeaver documentation on this subject:

http://help.sap.com/saphelp_nw04s/helpdata/en/89/6eb8e1af2f11d5993700508b6b8b11/frameset.htm

For the other question(s) take a look at this document:

http://help.sap.com/saphelp_nw04s/helpdata/en/12/9f244183bb8639e10000000a1550b0/frameset.htm

as is mentioned there the "SAPSSOEXT library provides functions that enable non-SAP applications to verify SAP logon tickets and extract the user ID from the logon ticket. The library is coded in C and has a JNI Java interface and a COM (Windows) interface. The library comes with Java, C, and C# sample files that demonstrate how you can implement the library in the source code of a high level programming language such as Visual Basic, C, Java, or .NET."

AFAIK the seculib library is used to access the verify.pse as a key storage environment, given your ticket accepting server uses a PSE. This is used for stand-alone applications.

Hope this helps you. Take a look at the docu links in any case to familiarize yourself with the logon ticket key management in the Portal. Where are you going to deploy your JSP at? A SAP NetWeaver system or another Java server?

Best Regards,

Yonko

9 REPLIES

Former Member
0 Kudos

Yonko ,

Thanks for the information.

To answer your question, the jsp application is running on WebLogic. Since I am not using a PSE I am still not clear how to make the public key certificate from the SAP J2EE AS available to the JSP application for verification...

Any thoughts?

Michael

WolfgangJanzen
Product and Topic Expert
0 Kudos

Well, in that case (application running on WebLogic, not running on SAP NetWeaver AS Java) you need to use "SAPSSOEXT".

SAPSSOEXT itself requires SAPSECULIB to be able to verify the digital signature of those SAP Logon Tickets. SAPSECULIB is using PSE files as "key store". In your case that PSE only needs to contain the certificate (in the "certificate list" section of the PSE, aka "Private Address Book") of the NWAS Java server which has created the SAP Logon Ticket (-> digital signature).

You have two ways to perform such operations (here: add certificate to certificate list) on PSE files:

(a) using SAPGENPSE (command line executable, shipped with SAPCRYPTOLIB)

(b) using ABAP transaction STRUST

Regards, Wolfgang

PS: see also http://help.sap.com/saphelp_nw2004s/helpdata/en/12/9f244183bb8639e10000000a1550b0/frameset.htm

WolfgangJanzen
Product and Topic Expert
0 Kudos

Update: the NWAS Java might also create a "verify.pse" file.

That PSE file contains the correct certificate and can be used to verify SAP logon tickets (using SAPSECULIB and SAPSSOEXT).
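The trust relationship described in the accepted answer (the Portal signs the ticket with the private key from the TicketKeystore view; the accepting system needs only the exported public key certificate) and the verify.pse approach in Wolfgang's replies, as an added example that is not part of this thread and is not SAPSSOEXT or SAPSECULIB code: a small Go model of both sides. The ticket layout `user|sysid|expiry|signature`, RSA with SHA-256, and keying the certificate list by the issuing system ID are assumptions made for the demo, not the MYSAPSSO2 format; on the real stack SAPSSOEXT and SAPSECULIB perform this verification against the certificate list in the PSE. The issuer's key pair and certificate are generated in memory, so the block runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// Issuer models the ticket-issuing Portal: it owns the private key and the
// matching certificate (what the TicketKeystore view holds). Self-signed here.
type Issuer struct {
	key  *rsa.PrivateKey
	cert *x509.Certificate
}

func NewIssuer(sysID string) (*Issuer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sysID}, // CN doubles as the issuing system ID (demo assumption)
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &Issuer{key: key, cert: cert}, err
}

// IssueTicket signs "user|sysid|expiry" (an assumed layout, not the real
// MYSAPSSO2 encoding) with the private key and appends the base64 signature.
func (i *Issuer) IssueTicket(user string, ttl time.Duration) (string, error) {
	exp := strconv.FormatInt(time.Now().Add(ttl).Unix(), 10)
	payload := user + "|" + i.cert.Subject.CommonName + "|" + exp
	h := sha256.Sum256([]byte(payload))
	sig, err := rsa.SignPKCS1v15(rand.Reader, i.key, crypto.SHA256, h[:])
	return payload + "|" + base64.StdEncoding.EncodeToString(sig), err
}

// ExportCertPEM is the "export the public key certificate" step: this PEM,
// and no private material, is all the accepting side's certificate list needs.
func (i *Issuer) ExportCertPEM() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: i.cert.Raw})
}

// Acceptor models the ticket-accepting application (SAPSSOEXT over verify.pse):
// trusted issuer certificates keyed by issuing system ID, and no private key.
type Acceptor map[string]*x509.Certificate

// Trust adds one PEM certificate to the certificate list (the sapgenpse step on a real PSE).
func (a Acceptor) Trust(certPEM []byte) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" { return errors.New("no CERTIFICATE block in input") }
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil { return err }
	if _, ok := cert.PublicKey.(*rsa.PublicKey); !ok { return errors.New("issuer certificate must carry an RSA key") }
	a[cert.Subject.CommonName] = cert
	return nil
}

// Verify returns the user ID only if the ticket names a trusted issuer, the
// signature verifies under that issuer's certificate, and it has not expired.
func (a Acceptor) Verify(ticket string, now time.Time) (string, error) {
	f := strings.Split(ticket, "|") // base64 never contains '|', so the split is unambiguous
	if len(f) != 4 { return "", errors.New("malformed ticket") }
	cert, ok := a[f[1]]
	if !ok { return "", fmt.Errorf("issuer %q is not in the certificate list", f[1]) }
	sig, err := base64.StdEncoding.DecodeString(f[3])
	if err != nil { return "", err }
	h := sha256.Sum256([]byte(strings.Join(f[:3], "|")))
	if err := rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, h[:], sig); err != nil {
		return "", errors.New("signature does not verify against the trusted certificate")
	}
	if exp, err := strconv.ParseInt(f[2], 10, 64); err != nil || now.Unix() > exp {
		return "", errors.New("ticket expired or has a bad expiry")
	}
	return f[0], nil
}

func main() {
	portal, _ := NewIssuer("EP1")
	app := Acceptor{}
	_ = app.Trust(portal.ExportCertPEM()) // the only artifact that moves from the Portal to the app
	ticket, _ := portal.IssueTicket("MICHAEL", time.Hour)
	fmt.Println(app.Verify(ticket, time.Now()))
}
```

The point the model makes is the one Michael was missing: no shared secret and no SAPGENPSE-generated key pair is needed on the WebLogic side. The accepting application holds nothing but the Portal's certificate, so a ticket signed with any other key pair, even one whose certificate carries the same system ID, is rejected, as is a ticket whose user field was edited after signing. On the real stack the exported certificate is placed into the PSE's certificate list (SAPGENPSE's maintain_pk subcommand does this; check the SAPGENPSE documentation for your release for the exact options) and SAPSSOEXT reads it through SAPSECULIB.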

Former Member
0 Kudos

Wolfgang,

Thanks for the information.

According to this I need to use the SAPGENPSE to create the certificate entry for the SAP J2EE AS private key in the WebLogic environment. Is this correct?

I am assuming a WebLogic savvy person will know where to put the SAPSSOEXT and SAPSECULIB libraries. Is this correct?

Thanks.

Michael

0 Kudos

Hi Michael,

I think these 2 document will be helpful to you:

How to Set Up SSO Between SAP NetWeaver Portal and IBM WebSphere Portal Using TAI.pdf

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/404e655d-0401-0010-2388-cb588a3e...

and

How to Interoperate SAP Enterprise Portal and IBM WebSphere Portal Server

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4a3addc4-0501-0010-bfbb-9cdd2958...

There are also other forum posts and blogs on WebSphere integration with the portal - take a look at those as well. What Wolfgang is suggesting may work as well.

Regards,

Yonko

WolfgangJanzen
Product and Topic Expert
Product and Topic Expert
0 Kudos

BEA WebLogic (http://www.weblogic.com) <> IBM WebSphere (http://www.ibm.com/software/websphere/)

0 Kudos

Sorry... my mistake - not an expert in IBM or BEA products myself. @Michael: Search the forums and the blogs on the SDN, though - there's lots of info on the subject. Another piece of advice would be to check the WebLogic documentation to see if there's information on the subject there.

Former Member
0 Kudos

People,

Any news regarding this? Has any of you been able to enable the SSO between WebLogic and SAP-EP? How?

Also, how can we accomplish the opposite: from WebLogic to SAP-EP?

Thanks and Regards.