
SAP logon ticket SSO between J2EE applications

Former Member
0 Kudos

Hi,

I'm sorry to cross post this message. I've posted this question under "SAP CRM Web Channel" but didn't get a response yet. Though I'm working on SAP E-Commerce, this issue is related to general J2EE Server, J2EE application and Logon ticket etc.

http://scn.sap.com/thread/3231961

I appreciate any pointers to resolve the issue described in the above thread.

Thanks

Mahesh

Accepted Solutions (1)


Former Member
0 Kudos

Hello Mahesh,

Instead of your proposed architecture, I would have gone for a web dispatcher in the DMZ which would route the requests to the web application, which is a less complex and effective solution.

Regards,

Vishal

Former Member
0 Kudos

Vishal,

We already have SAP web dispatcher in DMZ for reverse proxy and load balancing. Looks like Web Dispatcher cannot handle authentication. Is there a way to configure web dispatcher to do authentication and present login page etc.? We do not want to route the request to the web application without authentication. Considering this, is it possible to achieve the authentication with stand-alone SAP J2EE server in DMZ?

Thanks

Mahesh

Former Member
0 Kudos

Hi Mahesh,

The Web Dispatcher is a reverse proxy so it does not do authentication or show a logon page by itself.

It should be possible to do authentication on a stand-alone SAP J2EE server if you create trust between the different systems but I don't see why you would want to do this.

kind regards,

Ted

Former Member
0 Kudos

Thanks Ted for the response. This is my issue in detail. We need to perform authentication in the DMZ before allowing the user into the intranet. Ideally we should use Web Access Management tools like IBM Tivoli Access Manager for this purpose, but it will take a longer time and it will be a big project. For the time being we want to take this approach. Is there any other way to achieve this without using a stand-alone SAP J2EE server?

Once we complete the authentication using a J2EE application in stand-alone J2EE server in DMZ, how can we forward the request to the actual application which is running on the J2EE server inside the intranet? In case of portal, we can do remote delta links or remote role assignment etc. but how can we integrate two J2EE applications without portal?

We've implemented SAP E-commerce for ERP, which is a J2EE application. The SAP J2EE server and ECC backend are in the intranet. The SAP J2EE engine's UME is pointed to the ABAP UME. In XCM of the B2B application, we've used user type "R3_SU01UserContactPerson". With this setting the login page is served by the application (user/logon/login.jsp) and the authentication is performed directly against the ABAP backend using RFC SUSR_LOGIN_CHECK_RFC.

In the above scenario the authentication is happening in the intranet. Due to security concerns we need to do the authentication in the DMZ. For this we are planning to install a stand-alone SAP J2EE server in the DMZ and point its UME to an LDAP. This LDAP will have the same user IDs as in the ABAP UME. We want to deploy a J2EE application on this application server to serve login pages and authenticate against LDAP, then configure this DMZ J2EE server to issue a SAP logon ticket and the J2EE server in the intranet to accept the logon ticket. We don't have a portal. Is it possible to achieve this without a portal? How can we configure J2EE applications on two different J2EE servers for SSO using logon tickets?

Thanks

Mahesh.

Former Member
0 Kudos

Hi Mahesh,

After authenticating against the J2EE engine in your DMZ you can redirect to the J2EE engine in your intranet.

What you need to do is:

- Set up a trust between the two J2EE engines

  - Configuring the intranet J2EE Engine to Accept Logon Tickets

- After authentication make the DMZ J2EE engine redirect to the internal J2EE.

See http://help.sap.com/saphelp_nw04s/helpdata/en/94/f2503ede925441e10000000a114084/content.htm for more information.

kind regards,

Ted
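
The trust step in the answer above, as an added example that is not part of the original thread and not SAP's own code: a Python check over the `EvaluateTicketLoginModule` options on the accepting (intranet) engine. The option names `trustedsys<n>`, `trustediss<n>` and `trusteddn<n>` come from SAP's documentation for that login module rather than from the thread, and every SID, client and DN below is a constructed placeholder.

```python
import re

# Constructed sample of EvaluateTicketLoginModule options on the intranet engine.
# SIDs, clients and DNs are placeholders, not values from the thread.
SAMPLE_OPTIONS = {
    "ume.configuration.active": "true",
    "trustedsys1": "DMZ, 000",
    "trustediss1": "CN=DMZ, OU=J2EE, O=Example",
    "trusteddn1": "CN=DMZ, OU=J2EE, O=Example",
    "trustedsys2": "OLD, 000",
    "trustediss2": "CN=OLD, OU=J2EE, O=Example",
    # trusteddn2 is deliberately missing
}

_TRUST_OPT = re.compile(r"^(trustedsys|trustediss|trusteddn)(\d+)$")
_PARTS = ("trustedsys", "trustediss", "trusteddn")


def trust_entries(options):
    """Group trustedsys<n> / trustediss<n> / trusteddn<n> by their index n."""
    entries = {}
    for key, value in options.items():
        m = _TRUST_OPT.match(key)
        if m:
            entries.setdefault(int(m.group(2)), {})[m.group(1)] = value.strip()
    return entries


def audit_trust(options, issuer, acceptor):
    """issuer/acceptor are (SID, client) tuples; returns a list of findings."""
    findings = []
    if issuer == acceptor:
        findings.append("issuer and acceptor share the same SID and client")
    matched = False
    for n, entry in sorted(trust_entries(options).items()):
        missing = [f"{p}{n}" for p in _PARTS if not entry.get(p)]
        if missing:
            findings.append(f"entry {n}: missing " + ", ".join(missing))
            continue
        sid, _, client = (s.strip() for s in entry["trustedsys"].partition(","))
        if (sid, client) == issuer:
            matched = True
    if not matched:
        findings.append(f"no complete trust entry for issuer {issuer[0]}/{issuer[1]}")
    return findings


if __name__ == "__main__":
    for finding in audit_trust(SAMPLE_OPTIONS, ("DMZ", "000"), ("INT", "000")):
        print(finding)
```

An empty result only shows that the option trios are complete; the issuing engine's certificate still has to be present in the accepting engine's ticket keystore for the ticket signature to verify.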

Answers (0)