SAP NetWeaver 7.3
Partner Information
Partner Name: SAP
Web Site: www.sap.com

Product Information
Product Name: SAP NetWeaver
Version & Platform: 7.3
Product Description: A comprehensive integration and application platform, SAP NetWeaver works with your existing IT infrastructure to enable and manage change. With SAP NetWeaver, you can flexibly and rapidly design, build, implement, and execute new business strategies and processes. You can also drive innovation throughout your organization by combining existing systems while maintaining a sustainable cost structure. SAP NetWeaver embraces Internet standards such as HTTP, XML, and Web services, ensuring openness and interoperability with Microsoft .NET and Java 2 Platform Enterprise Edition (J2EE) environments.
Solution Summary
SAP NetWeaver supports third-party Java Authentication and Authorization Service (JAAS) login modules to enhance the capabilities of its authentication process. RSA offers a custom, pluggable JAAS module for SAP NetWeaver that can be deployed to enable RSA Access Manager authentication and Web Single Sign-On (SSO) for SAP users.
SAP's security framework allows administrators to combine predefined and custom login modules in what are known as login stacks. This guide details how the RSA login module can be placed in a login stack that also includes modules for issuing and validating SAP SSO login tickets [1]. Once this stack is configured to protect an SAP application, authenticated users will have access to their resources, both internal and external to SAP, without needing to re-authenticate.
Note: The SAP Web Application Server also provides a login module called HeaderVariableLoginModule, which reads an authenticated user's ID from an HTTP header variable and uses it to create an SAP SSO login ticket. This login module can also be used in conjunction with RSA Access Manager to read the ct-remote-user header variable. Consult the SAP Help Portal for more information on how to do this.
To enable the integration, an RSA Access Manager Web Agent must be installed on a web server that acts as a reverse proxy in front of the SAP Java Application Server (AS) and configured to protect SAP resources. The RSA login module, RSAAccessManagerLoginModuleNW73EAR, is deployed on the SAP AS, configured to retrieve details about the current user's authentication status and identity, and combined with SAP login modules on a login stack.
When a user [2] tries to access a protected NetWeaver resource via the proxy server, the RSA Web Server Agent intercepts the request and redirects the user to an Access Manager login page. After a successful authentication, the agent creates an RSA Access Manager SSO token cookie and redirects the user to NetWeaver.
The NetWeaver server loads the ticket template and calls the first module in its login module stack, EvaluateTicketLoginModule. This module determines whether an SAP SSO login ticket has already been created. If it finds a ticket, the server creates a NetWeaver session and redirects the user to the requested resource. If not, the server calls RSAAccessManagerLoginModuleNW73EAR. This module retrieves the authenticated user name and passes it to RSA Access Manager for validation. Once the user has been validated, SAP calls CreateTicketLoginModule, which creates an SAP SSO login ticket and a NetWeaver session, and redirects the user to the requested resource.
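The login-stack flow above, as an added example that is not part of the original guide: a Python simulation of standard JAAS control-flag semantics (SUFFICIENT, REQUISITE, OPTIONAL) applied to the three-module ticket stack. The login functions are constructed stand-ins for the real SAP and RSA modules, and the example assumes the RSA module takes the REQUISITE slot that BasicPasswordLoginModule occupied.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# JAAS control flags (javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag).
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

@dataclass
class Module:
    name: str
    flag: str
    login: Callable[[Dict], bool]  # True = login succeeded, False = login failed

def run_stack(stack: List[Module], request: Dict) -> Tuple[bool, List[str]]:
    """Evaluate a login stack with standard JAAS control-flag semantics.
    Returns (overall result, names of the modules that were actually invoked)."""
    invoked, required_seen, required_failed, other_ok = [], False, False, False
    for m in stack:
        invoked.append(m.name)
        ok = m.login(request)
        if m.flag in (REQUIRED, REQUISITE):
            required_seen = True
            if not ok:
                required_failed = True
                if m.flag == REQUISITE:
                    break  # REQUISITE failure: stop at once, later modules never run
        elif ok:
            other_ok = True
            if m.flag == SUFFICIENT and not required_failed:
                break  # SUFFICIENT success: stop early, later modules never run
    # Overall success needs every REQUIRED/REQUISITE module to pass; if none is
    # configured, at least one SUFFICIENT/OPTIONAL module must have passed.
    return (not required_failed if required_seen else other_ok), invoked

# Constructed stand-ins for the modules in the guide's ticket stack.
def evaluate_ticket(req: Dict) -> bool:  # SAP SSO login ticket already present?
    return "sap_ticket" in req

def rsa_access_manager(req: Dict) -> bool:  # user name validated via the RSA token?
    return bool(req.get("rsa_user")) and bool(req.get("rsa_token_valid", False))

def create_ticket(req: Dict) -> bool:  # issue the SAP SSO login ticket
    req["sap_ticket"] = "constructed-ticket-for-" + req["rsa_user"]
    return True

TICKET_STACK = [
    Module("EvaluateTicketLoginModule", SUFFICIENT, evaluate_ticket),
    Module("RSAAccessManagerLoginModuleNW73EAR", REQUISITE, rsa_access_manager),
    Module("CreateTicketLoginModule", OPTIONAL, create_ticket),
]
```

A first request with a valid RSA token runs all three modules and leaves a ticket behind; a repeat request with that ticket stops after EvaluateTicketLoginModule, and a request without a valid token is rejected before CreateTicketLoginModule is ever reached.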
Partner Integration Overview
Use UserID for SSO: Yes

[1] For more information about SAP Login Modules, Login Stacks and SSO Login Tickets see the Login Modules section in the SAP NetWeaver Application Server Security Guide.
[2] Note that the user must exist (with the same username) in both SAP and RSA Access Manager. In addition, the user must be authenticating against the SAP Login Ticket Template.
Product Requirements
SAP Product Requirements
The following SAP products are required to complete this integration:
Consult the latest release notes and installation guides for up-to-date hardware and software requirements for each of these products.
Integration Modules
File Name: RSAAccessManagerLoginModuleNW73EAR.ear
Destination: The local temporary directory
Product Configuration
Before You Begin
This section provides instructions for integrating SAP NetWeaver with RSA Access Manager. This document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has sufficient knowledge of each product to perform the tasks outlined in this section, as well as access to the appropriate documentation for installing and administering the required software components.
All products/components must be installed and working prior to this integration. Perform the necessary tests to confirm that this is true before proceeding.
Prerequisites
Ensure that you have satisfied the following prerequisites before beginning the integration:
Install SAP NetWeaver Administrator 7.3 and SAP NetWeaver Developer Studio 7.3. You must have administrative access to these applications to complete the instructions in this guide.
Install the appropriate RSA Access Manager agent on the proxy server.
Ensure that there is a one-to-one relationship between the SAP and RSA usernames of the users who will be authenticating against the RSA Login Module. Note that if the usernames don't match, they can be mapped to one another using the module's user_property parameter, provided that the RSA users have an attribute that matches the SAP username. See the RSA Login Module Parameters section for a full list of parameter options.
Installation
This section contains instructions for installing the RSA Access Manager Login Module. It is divided into the following subsections:
2. Select the Deploy View menu item and click the OK button.
3. Click the Deploy View tab, select External Deployable Archives from the list on the left and click
the Add Element (plus sign) button in the upper left corner of the tab page.
4. Click the Login Modules menu item on the Authentication tab's toolbar.
5. Find the RSAAccessManagerLoginModuleNW73 login module in the first table and select it.
6. Scroll down the page, click the Login Module Options tab, click the Edit button and then click the Add button.
7. Enter dispatcher_list in the Name field and your RSA Access Manager hostname and port (separated by a colon) in the Value field, then click the Add button. If you have multiple dispatcher servers, separate each one with a comma.
8. Enter connection_type in the Name field and the type of security the module will use to connect to the RSA Access Manager servers in the Value field, then click the Add button. See the RSA Login Module Parameters section in the Appendix for a list of security type parameter values.
9. Enter the appropriate module parameter names and values for your specific configuration in the Options list. See the RSA Login Module Parameters section in the Appendix for a complete list of parameters, requirements and interdependencies.
2. Scroll down the page and click the Edit button on the Authentication Stack tab's toolbar. The ticket component's login stack will appear in the Login Modules table, and it will most likely contain the following three modules in order:
EvaluateTicketLoginModule SUFFICIENT
BasicPasswordLoginModule REQUISITE
CreateTicketLoginModule OPTIONAL
3. Click the down arrow to the right of the BasicPasswordLoginModule module's name to expand a list of all available modules. You will replace this module with the RSA Access Manager Login module.
6. Verify that the ticket login stack contains the three modules as listed below, in the same order and with the same conditional flags. Modify the flags and positions of the other two modules if necessary and click the Save button.

[3] See the SAP NetWeaver Administration Guide for more information about authentication templates and login module stacks.
[4] Note that SAP login tickets allow internal SSO among SAP applications, whereas RSA Access Manager tokens extend SSO to include applications that are external to SAP.
Certification Environment
Version Information: 6.1 SP4; 7.3; 7.3; 7.3 SP08
Operating System / Test Case / Result: N/A (legend: = Pass)
Appendix
RSA Login Module Parameters
There are multiple configuration options for the RSA Login Module, allowing administrators to control such things as the method by which the RSA Access Manager authenticated username is retrieved, the security setting for the module's runtime connection to the RSA Access Manager dispatcher, and whether to enable debugging. The tables below contain the complete list of mandatory and optional parameters, as well as their value requirements and interdependencies.

Mandatory Parameters
Name: connection_type
Value: The type of security the module will use to connect to the RSA Access Manager dispatcher. The value must be one of the following types:
CLEAR for Access Manager connections (not recommended)
ANON for anonymous SSL connections
AUTH for mutually authenticated SSL connections [5]

Name: dispatcher_list
Value: A list of RSA Access Manager dispatchers that the module will use. A dispatcher should contain a hostname and port separated by a colon. Each dispatcher in the list should be separated by a comma. See the format below:
server1:5608,server2:5608

Mandatory Parameters for Mutually-Authenticated SSL [6]
Name: keystore
Value: The keystore (including its absolute path) that will be used for the connection's private key
Name: keystore_password
Name: key_alias
Name: key_password

[5] Mutually-authenticated connections require additional parameters. See the Mandatory Parameters for Mutually-Authenticated SSL table for details.
[6] These instructions are exclusively for mutually-authenticated SSL connection configuration.
Optional Parameters
Name: cookie_name
Value: The name of the RSA Access Manager SSO cookie. This variable should only need to be set if the cookie name has been changed in the RSA Agent's webagent.conf file. If this variable isn't set, the module uses the default cookie name: "CTSESSION".

Name: debug
Value: A Boolean flag that enables/disables debugging. The variable must be set to one of the following values:
true to enable debugging
false to disable debugging. This is the default value.

Name: retry_count
Value: The number of times the module will attempt to establish a Runtime API connection before returning. The default value is 3.

Name: timeout
Name: user_property
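A check of the parameter rules and interdependencies listed in this Appendix (the allowed connection_type values, the extra keystore parameters that AUTH requires, the host:port format of dispatcher_list, and the documented defaults), as an added example that is not part of the original guide; the Options map is a constructed stand-in for the values entered under Login Module Options in NetWeaver Administrator, and the hostnames in it are made up.

```python
import re
from typing import Dict, List

VALID_CONNECTION_TYPES = {"CLEAR", "ANON", "AUTH"}
# Extra mandatory parameters when connection_type=AUTH (mutually authenticated SSL).
MUTUAL_AUTH_PARAMS = ("keystore", "keystore_password", "key_alias", "key_password")
# Defaults stated in the Optional Parameters table.
DEFAULTS = {"cookie_name": "CTSESSION", "debug": "false", "retry_count": "3"}
# One dispatcher entry: hostname, colon, port (e.g. server1:5608).
DISPATCHER_RE = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")

def validate_options(opts: Dict[str, str]) -> List[str]:
    """Return the problems found in a login-module Options map (empty list = OK)."""
    problems = []
    ct = opts.get("connection_type")
    if ct not in VALID_CONNECTION_TYPES:
        problems.append(f"connection_type must be one of {sorted(VALID_CONNECTION_TYPES)}, got {ct!r}")
    elif ct == "CLEAR":
        problems.append("connection_type=CLEAR is not recommended; use ANON or AUTH")
    elif ct == "AUTH":
        for p in MUTUAL_AUTH_PARAMS:
            if not opts.get(p):
                problems.append(f"{p} is mandatory when connection_type=AUTH")
    dl = opts.get("dispatcher_list", "")
    entries = [e.strip() for e in dl.split(",")] if dl else []
    if not entries:
        problems.append("dispatcher_list is mandatory")
    for e in entries:
        # The regex guarantees a numeric port before int() is reached.
        if not DISPATCHER_RE.match(e) or not 0 < int(e.rsplit(":", 1)[1]) < 65536:
            problems.append(f"dispatcher_list entry {e!r} is not hostname:port")
    if opts.get("debug", DEFAULTS["debug"]) not in ("true", "false"):
        problems.append("debug must be 'true' or 'false'")
    if not opts.get("retry_count", DEFAULTS["retry_count"]).isdigit():
        problems.append("retry_count must be a non-negative integer")
    return problems

def effective_options(opts: Dict[str, str]) -> Dict[str, str]:
    """Merge the documented defaults with the explicitly configured values."""
    return {**DEFAULTS, **opts}

# Constructed sample: a mutually authenticated configuration with two dispatchers.
SAMPLE_AUTH = {
    "connection_type": "AUTH",
    "dispatcher_list": "server1:5608, server2:5608",
    "keystore": "/opt/rsa/keystore.jks", "keystore_password": "example",
    "key_alias": "rsa-client", "key_password": "example",
}
```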