
Security related question - RFC destination of type G

Former Member
0 Kudos

Hello,

we would like to call an external webservice through a Client Proxy (ABAP).

For that matter it is necessary to create an RFC destination of type 'G' and maintain certain attributes.

I am interested in the 'Logon & Security' tab. Here I see a checkbox 'Send SAP Logon Ticket'. The SAP help explains that an SAP logon ticket is sent to the external server on the first connection.

So, if the first call is a webservice call, can the external server somehow get the SSO2 ticket information?

If there is a coding example available (possibly Java) it would be very helpful.

In a bigger context I am searching for the right configuration here, since the external server will also serve as a client which calls ABAP webservices in turn. Is it sufficient to send the SAP logon ticket (the one which the SAP Web AS sent on the first call) in turn to authenticate or how can the authentication be done in this direction?

Any ideas or example welcome.

Thanks,

Michael

13 REPLIES 13

WolfgangJanzen
Product and Topic Expert
0 Kudos


> Hello,

> we would like to call an external webservice through a Client Proxy (ABAP).

In that case I propose to use the tools provided for webservice configuration - rather than dealing with SM59 destinations directly.

> I am interested in the 'Logon & Security' tab. Here I see a checkbox 'Send SAP Logon Ticket'. The SAP help explains that an SAP logon ticket is sent to the external server on the first connection.

Well, actually the SM59 wording is incorrect: it's not an SAP Logon Ticket but an SAP Assertion Ticket which is created and sent along with the http request.

> So, if the first call is a webservice call, can the external server somehow get the SSO2 ticket information?

> If there is a coding example available (possibly Java) it would be very helpful.

Well, actually this mechanism (transmitting SAP Assertion Ticket via http) was designed to be used for NetWeaver systems, only. So, if "Java" refers to "NWAS Java" then all you need to do is to configure the JAAS login module stack accordingly (so that it contains the EvaluateAssertionTicketLoginModule).

As the name "SAP Assertion Ticket" might indicate, this is a proprietary token format. Using web services in conjunction with external servers, that might not be the best choice. Unfortunately, NWAS ABAP does not offer SAML (1.1) with release 7.0.

> In a bigger context I am searching for the right configuration here, since the external server will also serve as a client which calls ABAP webservices in turn. Is it sufficient to send the SAP logon ticket (the one which the SAP Web AS sent on the first call) in turn to authenticate or how can the authentication be done in this direction?

No, that would be the totally wrong approach: you should never "bounce back" any Assertion Tickets (which are, in contrast to SAP Logon Tickets, designed to be accepted only by one single "intended recipient system"; if that information is contained in the ticket, the recipient system will determine whether it was indeed the intended recipient).
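The recipient check described in the reply above, as an added toy model that is not part of the original thread and is not SAP's ticket format or API: a ticket that names its intended recipient is accepted there and rejected when bounced back to its issuer. The system names `ABC` and `EXT`, the user, the 120-second lifetime and the HMAC demo key (standing in for the ticket's real signature) are all constructed assumptions.

```python
import hashlib
import hmac
import json
import time

DEMO_KEY = b"constructed-demo-key"  # assumption: stands in for the issuer's signing key


def issue_ticket(issuer, user, recipient=None, ttl=120, now=None):
    """Issue a signed toy ticket; recipient=None models a ticket without recipient info."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "usr": user, "rcp": recipient, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + mac


def verify_ticket(ticket, my_system, trusted_issuers, now=None):
    """Return (accepted, reason) from the point of view of system `my_system`."""
    now = time.time() if now is None else now
    try:
        body_hex, mac = ticket.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()
    # Constant-time comparison of the integrity tag before trusting any claim.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad signature"
    claims = json.loads(body)
    if claims["iss"] not in trusted_issuers:
        return False, "untrusted issuer"
    if now > claims["exp"]:
        return False, "expired"
    # Recipient binding: only enforced when the ticket carries that information.
    if claims["rcp"] is not None and claims["rcp"] != my_system:
        return False, "not the intended recipient"
    return True, "ok"


if __name__ == "__main__":
    t = issue_ticket("ABC", "MICHAEL", recipient="EXT")
    print("at EXT:", verify_ticket(t, "EXT", {"ABC"}))
    print("bounced back to ABC:", verify_ticket(t, "ABC", {"ABC"}))
```
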

0 Kudos

Hello Wolfgang,

thanks, that's interesting.

I was wondering how the ticket could be evaluated but if the SAP J2EE has a dedicated function for this, it is clear.

All I have read so far of how to call external webservices from WebAS ABAP is to create a client proxy from a given WSDL and configure a logical port. For the configuration of a logical port I do need an RFC destination of type 'G'.

So, I didn't find any other recommendations.

Did you mean something else by 'tools provided for webservice configurations'? Do you mean the authentication tab in the client proxy configuration?

I'm also not quite clear at which point in time a SSO2 ticket would be sent.

0 Kudos


> I'm also not quite clear at which point in time a SSO2 ticket would be sent.

At no point of time ... (SSO2 ticket = SAP Logon Ticket).

But if referring to SAP Assertion Tickets: they are created in the course of an outbound communication (on request of the communication framework) and "consumed" immediately on the receiver side.

Regarding your other questions I've contacted a colleague for clarification. As soon as I've new information, I'll post it.

IMHO it is unlikely that an external web service provider specifies the requirement to authenticate using SAP Assertion Tickets in the WSDL. The WSDL however should clearly state whether message-based or transport security is requested (and the type of authentication scheme / token format).

PS: I smile each time I read about an "RFC destination of type 'G' (http connection to external server)" ...

Edited by: Wolfgang Janzen on Feb 21, 2008 10:39 AM

0 Kudos

What's so funny about RFC destination of type 'G' ?

0 Kudos

"RFC destination of type 'HTTP Connection ...'" sounds like "Car of type motorcycle" or "Apple of type pear" or "Rectangle of type triangle" ...

0 Kudos


> Regarding your other questions I've contacted a colleague for clarification. As soon as I've new information, I'll post it.

Meanwhile I got a reply:

As of SP 14 (SAP_BASIS 7.00) the SOAP runtime provides enhanced features (including SAML 1.1 support). You should use transaction SOAMANAGER to generate the SM59 destination based on what is defined in the WSDL (via a so-called logical port).

If you are currently not on SP 14, I'd strongly recommend to apply that ABAP Support Package.

Best regards,

Wolfgang

0 Kudos

Hello Wolfgang,

actually we have now a system with SP14. When I try to call transaction SOAMANAGER I notice that this is actually a WebDynpro transaction. Unfortunately I'm not quite sure how to configure the WebAS to make this run. Currently I only see an empty page ('Page cannot be displayed') in the browser.

Thanks,

Michael

0 Kudos

Hello Michael,

I also recently had to get SOAMANAGER running, because WSADMIN is now apparently deprecated. The first time I brought it up I got a blank page as you did, but after performing a reload of the page, it gave useful information about which services needed to be enabled. I had to go through several iterations to get everything. But, basically, you need to go into transaction SICF and activate some things. This may not be a complete list, but the ones I remember are:

/sap/public/bc

/sap/public/myssocntl

/sap/bc/webdynpro/sap/APPL_SOAP_MANAGEMENT

Maybe there is documentation out there somewhere....

Hope this helps,

Eric

0 Kudos

Hello Wolfgang,

here is a follow-up on this question, since SOAMANAGER is running now.

I managed to create a service and endpoints. But I didn't find a possibility to create an RFC destination in this transaction.

Also I would like to find the documentation for this transaction.

Any hints?

Thanks,

Michael

0 Kudos

Hi Michael,

When you create a new ws consumer configuration (logical port), the soamanager will automatically create an SM59 destination for you. All changes to the destination are done over soamanager. So there is no need to jump into SM59 to create/change this destination manually.

You also raised the question about evaluating the authentication assertion ticket in non-SAP Java. You may want to look into the book of Martin Räpple "Programmierhandbuch SAP NetWeaver Sicherheit" (English title: "The Developer's Guide to SAP NetWeaver Security"). Martin describes integrating a C library for ticket evaluation into a Tomcat servlet filter.

What is your ws provider system?

Regards,

Martijn

0 Kudos

Hi Martin,

ok, that's good. Currently we have some problems generating a consumer proxy, so I cannot really test this.

The external application uses JAXB and Jakarta Struts.

Thanks,

Michael

0 Kudos

Hi Eric/Michael,

I'm having trouble running my SOAMANAGER. Can you share what all needs to be done to configure SOAMANAGER? We have recently moved to SP14.

Thanks,

0 Kudos

I do not expect this to be conclusive, but this is what worked for me so far:

Go to T-code SICF and activate the following services

• /default_host/sap/bc/webdynpro/sap/APPL_SOAP_MANAGEMENT
• /default_host/sap/public/bc/icons_rtl
• /sap/public/bc/pictograms
• /sap/public/bc/webdynpro/

this made the SOAMANAGER start for me and allowed me to create a binding as well...