SAP NetWeaver How-To Guide
SOA Security Scenarios: WebAS Java, Message Level Security with
no Transport Guarantee
Applicable Releases:
SAP NetWeaver 7.0 EhP1
SAP NetWeaver CE 7.1 and 7.1 EhP1
Topic Area: Security & Identity Management
Capability: Identity & Access Management
Version 1.0
May 2009
© Copyright 2009 SAP AG. All rights reserved.
No part of this publication may be reproduced or
transmitted in any form or for any purpose without the
express permission of SAP AG. The information contained
herein may be changed without prior notice.
Some software products marketed by SAP AG and its
distributors contain proprietary software components of
other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are
registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel
Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390,
OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP,
Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix,
i5/OS, POWER, POWER5, OpenPower and PowerPC are
trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader
are either trademarks or registered trademarks of Adobe
Systems Incorporated in the United States and/or other
countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered
trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame,
WinFrame, VideoFrame, and MultiWin are trademarks or
registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or
registered trademarks of W3C®, World Wide Web
Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems,
Inc., used under license for technology invented and
implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP
NetWeaver, and other SAP products and services
mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in
Germany and in several other countries all over the world.
All other product and service names mentioned are the
trademarks of their respective companies. Data contained
in this document serves informational purposes only.
National product specifications may vary.
These materials are subject to change without notice.
These materials are provided by SAP AG and its affiliated
companies ("SAP Group") for informational purposes only,
without representation or warranty of any kind, and SAP
Group shall not be liable for errors or omissions with
respect to the materials. The only warranties for SAP
Group products and services are those that are set forth in
the express warranty statements accompanying such
products and services, if any. Nothing herein should be
construed as constituting an additional warranty.
These materials are provided “as is” without a warranty of
any kind, either express or implied, including but not
limited to, the implied warranties of merchantability,
fitness for a particular purpose, or non-infringement.
SAP shall not be liable for damages of any kind including
without limitation direct, special, indirect, or
consequential
damages that may result from the use of these materials.
SAP does not warrant the accuracy or completeness of the
information, text, graphics, links or other items contained
within these materials. SAP has no control over the
information that you may access through the use of hot
links contained in these materials and does not endorse
your use of third party web pages nor provide any warranty
whatsoever relating to third party web pages.
SAP NetWeaver “How-to” Guides are intended to simplify
the product implementation. While specific product
features and procedures typically are explained in a
practical business context, it is not implied that those
features and procedures are the only approach in solving a
specific business problem using SAP NetWeaver. Should
you wish to receive additional information, clarification or
support, please refer to SAP Consulting.
Any software coding and/or code lines / strings (“Code”)
included in this documentation are only examples and are
not intended to be used in a productive system
environment. The Code is only intended to better explain and
visualize the syntax and phrasing rules of certain coding.
SAP does not warrant the correctness and completeness of
the Code given herein, and SAP shall not be liable for
errors or damages caused by the usage of the Code, except
if such damages were caused by SAP intentionally or
grossly negligent.
Disclaimer
Some components of this product are based on Java™. Any
code change in these components may cause unpredictable
and severe malfunctions and is therefore expressively
prohibited, as is any decompilation of these components.
Any Java™ Source Code delivered with this product is only
to be used by SAP’s Support Services and may not be
modified or altered in any way.
Document History

Document Version   Description
1.00               First official release of this guide
Typographic Conventions

Type Style      Description
Example Text    Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text    Emphasized words or phrases in body text, graphic titles, and table titles.
Example text    File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text    User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
                Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT    Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon   Description
       Caution
       Note or Important
       Example
       Recommendation or Tip
Table of Contents

1. Business Scenario ........................................................ 1
2. Background Information ................................................... 1
3. Prerequisites ............................................................ 1
4. Step-by-Step Procedure ................................................... 2
   4.1 Create web service endpoints in service provider system ............. 2
   4.2 Disable Requirement for SAML SSL .................................... 6
   4.3 Enable Automatic Startup of SAML Service ............................ 7
   4.4 Configure SAP SSO Java Export ....................................... 9
   4.5 Configure SAP SSO Java Import ....................................... 12
   4.6 Adjust Login Module Stack for Unsecured Transport ................... 14
   4.7 Configure SAML Attester ............................................. 17
   4.8 Configure Trusted SAML Issuer ....................................... 19
   4.9 User Mapping for SAML ............................................... 21
   4.10 Enable Java-Web Service destinations ............................... 21
SOA Security Scenarios: WebAS Java, Message Level Security with
no Transport Guarantee
1. Business Scenario

You are implementing an SOA interoperability scenario with message level security (SAML). The consumer and the provider are both running on SAP NetWeaver AS Java. This scenario does not require transport level security. It is suitable for an internal landscape behind a firewall where additional security (SSL) is not needed.

2. Background Information

Web Services security will be performed in a scenario without SSL. The SAML Attester will be configured for the Sender Vouches scenario.

3. Prerequisites

You have an Enterprise Service (Web Service) developed and deployed on SAP WebAS Java.
You have a Web Service Client Application (WS proxies) developed and deployed on the same or a different SAP WebAS Java server in your landscape.
May 2009 1
4. Step-by-Step Procedure

4.1 Create web service endpoints in service provider system

In this step we will create a new WS endpoint and a new service.

Note
We assume that an Enterprise Service is already available and deployed on the provider’s server.

Note
A new endpoint may also be created in an already existing service. From a WS governance perspective, a call to any endpoint that is part of one service is considered a call to that service.

1. Open a web browser to the NetWeaver Administrator home page, http://:50000/nwa.
2. Log in with Administrator credentials.
3. Select the “SOA Management” tab and then the “Application and Scenario Communication” sub-tab.
4. Select the link for “Single Service Administration”.
Tip
Short link to Service Destinations: http://host:port/nwa/ssadmin

5. Under “Service Definitions” find the service you want to configure. You can search by WSDL Porttype Name, Internal WS name, or do any text search. An Internal Name search is shown in the example below.
6. Press the “Go” button to search for all available “Service Definitions”.
7. Select the entry in the table; several information and configuration tabs will appear below the table.
8. Select the Configuration tab. Make sure the “Runtime Configuration” radio button is selected and click New.
9. The service definition wizard opens. Enter a “Service Endpoint Name” and select the New radio button next to “Add to service”. Enter a name for the new service. In this case, enter the same name for both the service and the endpoint (e.g., PosSess-SSL-MSG-SAML in the example shown below). Then select the Next button.

Note
This step creates a new service and a new endpoint. If you want to create a new endpoint only, select the Existing service radio button and choose the desired service.

10. Enter the appropriate security settings for the endpoint as shown in the “Configuration Table” below and then select the Next button.
Note
See the Appendix for more configuration scenarios.

11. In the next wizard step, select the Finish button.
12. Under the WSDLs tab you can find the WSDL of the newly created service and endpoint.
13. In the list, find and click on the link to the WSDL for the given endpoint.
14. From this view you can copy the WSDL for further use, such as developing a WS client or creating a destination proxy.
CAUTION
For SSL endpoints:
The Destination service on the consumer (client) side uses the URL entered in the URL field of the Destination Template to connect to the endpoint, instead of the URL provided in the WSDL. Therefore, for SSL endpoints, before using the WSDL URL modify it to use the correct SSL connection access point and port. For example, modify the URL you save in the file as follows:

URL of WSDL:
http://host:50000/webservice_wsdl...

Modify URL to use SSL connection:
httpS://host:SSLPORT/webservice_wsdlsapws/demo.sap.com.....&mode=sap_wsdl

4.2 Disable Requirement for SAML SSL

By default, SAML requires the use of SSL. In this particular scenario SSL is not a requirement. To toggle this requirement on and off, perform the following steps:

1. Open the SAP NetWeaver Administrator, http://host:port/nwa, and log in with Administrator credentials.
2. Select the “Configuration Management” tab and then the “Trusted Systems” link.
3. Select the “SAML Browser/Artifact Profile” tab, then select the Edit button and the Setting tab.
4. Select the “Disable SSL Requirement” check box to disable the SSL requirement for SAML. Select the Save button when finished.

4.3 Enable Automatic Startup of SAML Service

In some versions the SAML service is not enabled by default. To enable the SAML service for automatic startup, you must configure this from the J2EE Engine Configuration Tool.

Note
Perform this step for both the consumer system and the provider system if they reside on separate WAS Java engines.

1. Go to the directory C:\usr\sap\\J\j2ee\configtool and double-click on the “configtool.bat” file.
2. Switch to Expert Mode by selecting “View->Expert Mode” from the menu bar of the Config Tool.
3. Open the cluster-data node and click on “template – CE_...” as shown below.
4. Select the Filters tab.
5. Under “Custom rules” in the lower section of the window, set Action to start, “Vendor Mask” to sap.com, Component to service, and “Component Name Mask” to tc~sec~saml~service.
6. Select the “Apply changes” icon to save the new configuration. Now each time the server is restarted, the SAML service will start automatically.
7. Make sure the SAML service is running. Open the SAP NetWeaver Administrator, http://host:port/nwa, and select the “Operation Management->Systems” tabs and the “Start & Stop” link.
8. Select the “Java EE Services” tab and scroll in the table to find the SAML service. Verify that the status is Started.

4.4 Configure SAP SSO Java Export

To establish trust between the receiver and provider systems you have to exchange the trust certificate. Identify the certificate that will be used for each scenario and proceed as follows.

1. Open the NetWeaver Administrator, http://:/nwa, and log in with Administrator credentials.
2. Select the “Configuration Management” tab and then the Security sub-tab. Then select the “Certificate and Keys” link.
3. Select the keystore where the key pair is stored, in this example TicketKeystore under “Keystore Views”, and select the Edit button.

Note
Later versions of the interface have done away with the Edit button.
4. Select the certificate, here the SAPLogonTicketKeypair-cert entry (be sure to export the CERTIFICATE and not the PRIVATE KEY). Under the heading “Entries in Keystore View”, select the “Export Entry” button.
5. Select “Base64 X.509” for the “export format”.
6. Select the Download button and select a folder to save the file. Use “.cert” as the file extension. Select the Close button when done.

4.5 Configure SAP SSO Java Import

1. Open a web browser to the NetWeaver Administrator of the web service producer’s J2EE engine (e.g., http://:/nwa). Log in with Administrator credentials.
2. Select the “Configuration Management” tab and then the Security sub-tab. Then select the “Certificate and Keys” link.
3. Select TicketKeystore under “Keystore Views” and select the Edit button.

Note
Later versions of the interface have done away with the Edit button.

4. Under “Entries in Keystore View”, select the “Import Entry” button.
5. Select X.509 Certificate for the entry type and enter the path to the file you exported from the consumer’s TicketKeystore.
4.6 Adjust Login Module Stack for Unsecured Transport

1. Open the NetWeaver Administrator of the web service consumer, http://:/nwa. Log in with Administrator credentials.
2. Select the “Configuration Management” tab and the Security sub-tab. Then select the Authentication link.
3. Web Dynpro and Visual Composer use the ticket Policy Configuration for authentication. We need to adjust the ticket Login Module stack so that it creates a Login Ticket for SAML authentication. Enter ticket in the first line of the Name column and select the filter icon.
4. Still on the Authentication page (“Configuration Management” tab, Security sub-tab, Authentication link), select the ticket Policy Configuration and then the Edit button under “Policy Configuration Details”.
5. Select the Add button under Login Modules to add “Login Modules”.
6. Select the Login Module to add from the dropdown list.
7. Select the appropriate evaluation Flag from the dropdown list.
8. To add Options for the Login Module, select the Login Module and then select the Add button. Enter the name of the option and its value.
9. To change the order of the Login Module stack, select the Login Module and then the “Move Up” or “Move Down” button.
10. Adjust the Login Module stack as follows:

Login Module               Flag        Option Name               Option Value
EvaluateTicketLoginModule  SUFFICIENT  ume.configuration.active  true
CreateTicketLoginModule    SUFFICIENT  ume.configuration.active  true
BasicPasswordLoginModule   REQUISITE
4.7 Configure SAML Attester

1. Open a web browser to the NetWeaver Administrator home page of the web service consumer, http://:/nwa. Log in with Administrator credentials.
2. Select the Configuration Management tab, the Security sub-tab and the Trusted Systems link.
3. Select the Web Service Security SAML tab and the Local SAML Attesters tab under that. Then select the Edit button.
4. Select the saml_default_attester from the “Local Attester List”.
5. Under the “Keystore View” column, select TicketKeystore from the dropdown list if not already selected.
6. From the dropdown in the “Private Key” column, select the SAPLogonTicketKeypair entry if not already selected. Under the “Issuer Name” column, enter the SID of the consumer system (in this example CE1).
7. Select the Save button to save the changes.
8. Use this saml_default_attester when you assign an “Attester Name” to a web service that uses SAML Assertions.
4.8 Configure Trusted SAML Issuer

1. Open a web browser to the NetWeaver Administrator home page of the web service provider, http://:/nwa. Log in with Administrator credentials.
2. Select the Configuration Management tab, the Security sub-tab and the Trusted Systems link.
3. Select the “Web Service Security SAML” tab.
4. Select the Trusted Partners tab. The Issuer Name of every SAML Attester configured for web service Destinations on the consumer must be referenced in the Trusted SAML Issuers list.

Note
In the step Configure SAML Attester, we configured the saml_default_attester for use by web service destinations. We chose to use the SID of the consumer system for the Issuer Name. This Issuer Name must be added to the “Trusted SAML Issuers” list if it is not already present.
5. To add an entry to the “Trusted SAML Issuers” list, select the Edit button and type the name in the list. If there are other “Issuer Names” already in the list, separate the new entry from the other names with a comma. In the example below, the “Issuer Name” of the SAML Attester used to configure web service Destinations on the consumer is the SID, CE1. When you are finished editing the list, select the Save button to save the changes.

[Figure: Attester Used by Consumer Web Service Destinations for SAML Assertions]
4.9 User Mapping for SAML

Note
To enable trust between a web service consumer and web service producer based on SAML assertions, the username of the caller of the web service must be identical to a user on the producer system. If the SAML assertion is signed with the private key belonging to a certificate whose distinguished name matches a certificate in the producer’s keystore, the assertion is considered authenticated for that user.

1. Create a user on the producer and on the consumer with identical usernames. The passwords do not have to match.
2. To access a web service secured by SAML assertions, you will be required to enter a valid username and password each time you access the web service in a new browser session, unless you are accessing the web service over SSL. In this case, the client certificate will be mapped to a user the first time you log on. Subsequently a logon ticket stored in the browser will eliminate the need for the user to log in each time the web service is accessed via a Web Dynpro or Visual Composer application.

Note
You must be certain to log on with a username that also exists on the producer system, or the username associated with the certificate will not be authorized to access the web service via SAML assertion.
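The three trust conditions that sections 4.7 to 4.9 configure (issuer listed under “Trusted SAML Issuers”, signing certificate imported into the provider's TicketKeystore, subject name identical to a provider user) can be modelled as a policy check over a sender-vouches assertion. The following is an added example and not code from the guide or from SAP; the assertion, the user name WSUSER and the certificate DN are constructed, and the XML signature itself is assumed to have already been verified by the runtime, so the KeyInfo subject name stands in for the verified signer.

```python
# Added example (not from the SAP guide): a model of the provider-side trust
# checks for a SAML 1.1 sender-vouches assertion, following sections 4.7-4.9.
# Assumption: XML-DSig verification was already done by the runtime; the
# assertion's KeyInfo/X509SubjectName stands in for the verified signer.
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed sample assertion, as a consumer with SID CE1 (the Issuer Name
# chosen in 4.7) would issue it for the caller WSUSER. The DN is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    MajorVersion="1" MinorVersion="1" Issuer="CE1">
  <saml:AuthenticationStatement>
    <saml:Subject>
      <saml:NameIdentifier>WSUSER</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509SubjectName>CN=CE1,OU=J2EE,O=SAP Trust Community,C=DE</ds:X509SubjectName>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</saml:Assertion>"""


def parse_trusted_issuers(field):
    """The NWA "Trusted SAML Issuers" field holds comma-separated names (4.8)."""
    return {name.strip() for name in field.split(",") if name.strip()}


def check_assertion(xml_text, trusted_issuers_field, keystore_subjects, provider_users):
    """Return (accepted, reason).

    keystore_subjects: subject DNs of the certificates imported into the
    provider's TicketKeystore (4.5); provider_users: local user names (4.9).
    """
    root = ET.fromstring(xml_text)
    issuer = root.get("Issuer", "")
    if issuer not in parse_trusted_issuers(trusted_issuers_field):
        return False, "issuer %r is not a Trusted SAML Issuer" % issuer
    method = root.findtext(".//saml:SubjectConfirmation/saml:ConfirmationMethod", "", NS)
    if method != SENDER_VOUCHES:
        return False, "unexpected confirmation method %r" % method
    signer = root.findtext(".//ds:KeyInfo/ds:X509Data/ds:X509SubjectName", "", NS)
    if signer not in keystore_subjects:
        return False, "signing certificate %r is not in TicketKeystore" % signer
    user = root.findtext(".//saml:Subject/saml:NameIdentifier", "", NS)
    if user not in provider_users:
        return False, "no provider user named %r" % user
    return True, "accepted as provider user %r" % user


if __name__ == "__main__":
    consumer_cert = "CN=CE1,OU=J2EE,O=SAP Trust Community,C=DE"
    # Issuer CE1 trusted, certificate imported, WSUSER exists: accepted.
    print(check_assertion(SAMPLE_ASSERTION, "CE1, CE2", {consumer_cert}, {"WSUSER"}))
    # Issuer missing from the Trusted SAML Issuers list: rejected.
    print(check_assertion(SAMPLE_ASSERTION, "CE2", {consumer_cert}, {"WSUSER"}))
    # No identically named user on the provider (the 4.9 note): rejected.
    print(check_assertion(SAMPLE_ASSERTION, "CE1", {consumer_cert}, {"OTHER"}))
```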
4.10 Enable Java-Web Service destinations

1. Open a web browser to the NetWeaver Administrator home page, http://:/nwa, and log in with Administrator credentials.
2. Select the SOA Management tab, the Technical Configuration sub-tab and the Destination Template Management link.
3. Select the “Destination Templates” tab and the New button.
4. Select WSDL for the “Destination Type”.
5. Enter the Destination Name and copy in the URL of the WSDL for the web service endpoint. For a Java web service destination, enter the System Name (SID, e.g., CE1) and the fully qualified Host Name. Installation Number and Client number are not mandatory for a Java-Java scenario. Select the Next button when done.
6. In the next screen enter the security settings that correspond to those of the web service endpoint (see the Configuration Table below). Click on the Finish button to save the configuration when finished.