SAP How-to Guide
Sybase Unwired Platform

How To... SSO with SAP token for MBO-based apps

Applicable Releases: Sybase Unwired Platform 2.1
Version 1.0
March 2012

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected.
SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

© Copyright 2012 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

SAP "How-to" Guides are intended to simplify the product implementation. While specific product features and procedures typically are explained in a practical business context, it is not implied that those features and procedures are the only approach in solving a specific business problem using SAP NetWeaver. Should you wish to receive additional information, clarification or support, please refer to SAP Consulting.

Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding.
SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Document History

Document Version   Description
1.00               First official release of this guide

Typographic Conventions

Type Style       Description
Example Text     Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text     Emphasized words or phrases in body text, graphic titles, and table titles.
Example text     File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text     User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>   Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT     Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon   Description
       Caution
       Note or Important
       Example
       Recommendation or Tip

Table of Contents

1. Business Scenario ..... 1
2. Background Information ..... 1
3. Prerequisites ..... 1
4. Step-by-Step Procedure ..... 1
4.1 Obtain/Install SAP Cryptographic Libraries ..... 1
4.2 Generating a PSE file for SUP Server ..... 3
4.3 Import the SUP PSE certificate into the SAP EIS ..... 4
4.4 Import the SAP EIS certificate into SUP PSE ..... 7
4.5 Create a "Connections" profile for SUP ..... 9
4.6 Token provider URL ..... 12
4.7 Steps for Token provider URL with SSL/HTTPS ..... 14
4.8 Simple Connection Test for the SSO Landscape ..... 15
4.9 Create a SUP Security Profile ..... 17
4.10 Assigning the Security Profile to a Domain/Package ..... 19
4.11 SUP Workspace ..... 21
5. Appendix ..... 23

1. Business Scenario

In a modern enterprise landscape, it makes sense to implement Single Sign-On (SSO) to help reduce complexity and TCO and to increase user productivity. In a mobile environment, it is especially important to reduce the number of times a user has to enter his or her credentials: small keyboards slow users down and can lead to an increase in the number of attempts at entering usernames and passwords. The Sybase Unwired Platform (SUP) provides you with various options to help enable an SSO solution. This document will help you to understand the sequence of steps needed to set up Single Sign-On (SSO) for SUP 2.1 using the SAP SSO2 token.

2. Background Information

For this scenario, we will be using the following landscape.

TRUST SYSTEM (SSO):
• ABAP System (dual stack): usphlrig1. This system holds the business data.
• Java System: usphrlig18. This system is the authenticating system and the SAP SSO2 token issuing server.
• SUP Server: usphrlig12

Note
We could have just used the Java stack on the ABAP system as the SAP SSO2 issuing server here as well.

3. Prerequisites

For this guide, we will assume the following:
• A working landscape (SUP and EIS)
• EIS (backend) system is fully configured for SSO and SNC
• OS access to the SUP server with administrative privileges to install security modules
• Access to the SCC for SUP with administrative privileges to configure the landscape for SSO
• Access to SAP Service Marketplace (SMP) to obtain the SAP cryptographic libraries
• Access to obtain the certificate of the SAP EIS

4. Step-by-Step Procedure

Below is the sequence of steps that one would need to follow to implement SSO with the SAP token/ticket. Some of the initial steps can be skipped if SUP has already been configured for the SAP EIS.

4.1 Obtain/Install SAP Cryptographic Libraries
• If you don't have the SAPCAR executable already, then perform these tasks: Login to SAP Service Marketplace (SMP) (http://service.sap.com/swdc)
• Navigate to "Support Packages and Patches" → "Additional Components" → "SAPCAR", select any version, select your OS and download the executable.
• Navigate to "Installations and Upgrades" → "Browse our Download Catalog" → "SAP Cryptographic Software" → "SAP Cryptographic Software".
• Select and download the platform specific file for your SUP OS.
• Create a directory in which you can unpack the cryptographic file. For example: D:\sapcryptolib
• Extract the SAP Cryptographic SAR file. For example:
  SAPCAR.EXE -xvf <SAP Cryptographic SAR file> -R d:\sapcryptolib
• Open "D:\sapcryptolib" in Windows Explorer.
• Copy the content of the sub directory for the SUP OS to "D:\sapcryptolib". For this example the SUP OS is x86 architecture.
• Add the SECUDIR environment variable to the user environment batch file: <UnwiredPlatform_InstallDir>\UnwiredPlatform\Servers\UnwiredServer\bin\usersetenv.bat.
• Set the system environment variable SECUDIR to the SAP Cryptographic installation path. For example: (screen shot)
• If you have installed Unwired WorkSpace, you must add the SECUDIR variable to the WorkSpace batch file: <UnwiredPlatform_InstallDir>\UnwiredPlatform\Eclipse\UnwiredWorkspace.bat.

4.2 Generating a PSE file for SUP Server

This section only applies if your organization does not have a method to create your own X.509 certificate for the SUP server.
If your organization already has a PKI environment, then you can ask the administrator of that system to create an X.509 certificate for your SUP server; the steps to convert that file into a PSE file might be different. We will be using what we installed in the previous section for the tasks below.

• Open a DOS console.
• Change to the directory where you extracted the SAP cryptographic file. For example: d:\sapcryptolib
• Generate the certificate with the command below:
  Syntax: sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>
  Example: sapgenpse get_pse -p SNCTEST.pse -r abc.req -x abcpin "CN=host123.mycompany.com, OU=I1234567890-MyCompany, OU=SAP Web AS, O=SAP Trust Community, C=DE"

Note
For the Distinguished Name, please use the fully qualified domain name (FQDN). Remember the PIN/password for later usage.

• Generate a credential file to initialize a new keystore for usage:
  Syntax: sapgenpse seclogin -p <PSE file> -O DOMAIN\your_name_here -x <password>
  Example: sapgenpse seclogin -p SNCTEST.pse -O SYSTEM -x abcd1234

Note
The user generating the certificate must have the same user name as the process (mlserv##.dll or eclipse.exe) under which the Unwired Platform service runs.

• If the command is successful, then you should see a folder and a file similar to the screen shot below.

4.3 Import the SUP PSE certificate into the SAP EIS

• On the SUP system, export the certificate from the PSE that was just created. Example:
  sapgenpse.exe export_own_cert -v -p SNCTEST.pse -x abcd1234 -o SUP.crt
• Login to the SAP EIS via the SAP GUI.
• Start the transaction "STRUST".
• Click on the "SNC SAPCryptolib" node or a similar node that holds the SNC certificate.
You will need to provide the password that was created with it.
• Now we can import the SUP PSE certificate into this system to set up a trust: click on "Import certificate" while in the SNC node.
• On the "Import Certificate" screen, switch the file format to "Base64", navigate to the exported certificate of the SUP server that was created earlier, then hit "Enter".
• Click on "Add to Certificate List" on the next screen.
• If everything is successful, then the screen will look something like the one below.

4.4 Import the SAP EIS certificate into SUP PSE

• You should still be in the SAP GUI (transaction STRUST) with the SAP EIS SNC certificate.
• Double click on the "Owner" certificate so that the certificate is displayed.
• Click on "Export certificate", choose "Base64" for the file format and give it a path to export the certificate to.
• Now we need to go back to the SUP server for the following tasks.
• Start a DOS console and import the SAP EIS certificate into the SUP PSE. Example:
  sapgenpse.exe maintain_pk -v -p SNCTEST.pse -x abcd1234 -a SAP_EIS.crt
• A SUP application restart will be needed here.

4.5 Create a "Connections" profile for SUP

• Login into SUP SCC with an administrative account. Example: https://<SUP host>:8283/scc/#
• Navigate to the "Connections" node.
• Create a new connection by clicking on "New…".
• Input the necessary values for the variables.
• The default template does not have all the fields that you would need to set up the connection, so we will need to add them by clicking on the "ADD NEW PROPERTY" field.
• Update the connection template so that it contains the following fields:
  Language (jco.client.lang) = EN
  Host name (jco.client.ashost) = <SAP EIS host>
  System number (jco.client.sysnr) = <SAP EIS system number>
  SNC mode (jco.client.snc_mode) = 1
  SNC name (jco.snc_myname) = p:<SUP DN for the PSE file>
  SNC service library path (jco.client.snc_lib) = <path>/sapcrypto.dll (the location of the cryptographic library)
  Client number (jco.client.client) = <SAP EIS client number>
  SNC partner (jco.client.snc_partnername) = p:<SAP EIS DN>
  SNC level (jco.client.snc_qop) = 1

Note
For normal operation, you should not use the userID/password fields in the connection profile.

• For testing the connection profile, we will need to temporarily update the profile to include the userID/password.
• Once the userID/password fields have been set up, click on "Test Connection" to see if the certificate exchange between the two systems is properly set up.
• If the test is successful, then you can remove the "Logon User" and "Password" fields from the profile and save it.

4.6 Token provider URL

In order to use the SSO token for the MBO-based app, you need to set up the security profile in SUP to use the "HttpAuthenticationLoginModule"; with this module the SAP SSO2 token can be obtained. There are a couple of methods of obtaining the token, covered below, but the key requirement for this module is that the endpoint URL must issue a "401 Unauthorized" response when not presented with credentials and must accept basic authentication. Because basic authentication sends the user's password to this URL only base64-encoded, use the HTTPS variant of the URL (section 4.7) in anything other than a test landscape.

For this scenario, we will be assuming the issuing/authentication system is an SAP Java system of some sort.
One method is to use an existing application in the Java system, but this requires some minor modification of the "basic" login stack to force the app to issue an SAP SSO2 token, since the default does not. Another method is to create/deploy a simple portal app that can issue a token for the system.

1. Using an existing app within the Java system. Example (the URL below is just one example within the Java system):
   http://<host>:<port>/sec_basic/basicprotected/index.jsp
   o With this method, the issuing system's login stack needs to be updated to achieve what we want here. You can do this either at the app level or for the entire stack; the screen shot below is for the entire stack.
   o Login to your "Visual Administrator" on the Java system and update the "basic" stack so that it contains the following:
     EvaluateTicketLoginModule   SUFFICIENT
     ClientCertLoginModule       OPTIONAL
     CreateTicketLoginModule     SUFFICIENT
     BasicPasswordLoginModule    REQUISITE
     CreateTicketLoginModule     OPTIONAL
   o Once the login stack has been updated, an application restart will be needed.
2. Create a simple app for the portal. Example:
   http://<host>:<port>/irj/servlet/prt/portal/prtroot/HelloWorld.HelloWorld
   o We won't be covering how to create the HelloWorld servlet here, but you can find various guides on the SCN to help with this.

4.7 Steps for Token provider URL with SSL/HTTPS

This section of the guide covers the basics of what you need to do if the token provider URL is using SSL/HTTPS. You can skip this step if the URL from the previous section is using plain HTTP.
Based on our findings from the previous section, we will be using the following URL:
https://<host>:<SSL_port>/irj/servlet/prt/portal/prtroot/HelloWorld.HelloWorld

• Get the certificate from the SAP EIS that is being used for the encrypted communication, or the certificate that was used to sign the SSL certificate. Example:
  o This authentication server has the following SSL certificate, which is signed by "SSL CA SAP Security".
  o The "SSL CA SAP Security" certificate is signed by "Root CA SAP Security".
  o "Root CA SAP Security" is the last certificate in the chain.
  o We need only one of the certificates from the certificate chain to satisfy the requirement.

Note
Any of the chain certificates in this scenario would do, but we recommend adding the lowest level of the certificate chain, the "ROOT CA" in this scenario, to the truststore. The benefit is that if you ever decide to add another backend system to the landscape and that server's certificate was signed by this ROOT CA, you don't have to do anything else to the SUP truststore.

• Import the certificate into the SUP truststore:
  o Syntax: keytool -import -alias <alias> -keystore <drive>:\Sybase\UnwiredPlatform\Servers\UnwiredServer\Repository\Security\truststore.jks -storepass <store password, default=changeit> -file <cert file>
  o Example: ROOT CA certificate import (screen shot)
  o Answer "yes" or "y" to the question ("Trust this certificate?").

4.8 Simple Connection Test for the SSO Landscape

Now that we have found a "401 HTTP Basic authentication" URL to use for the SUP security profile, we can do a simple test to ensure that the landscape is working before updating the profile in the SUP server. For this test we will only use a web browser on any machine. For this example, we will be using the "HelloWorld" URL method.
• Start a web browser.
• Input the "HelloWorld" URL; the system should force a 401 authentication challenge by requesting a userID/password.
• Input the requested information and a simple Hello message should appear for the app.
• Now that we have an SAP SSO2 token, we should be able to navigate to the ABAP system without any issue and should not have to provide any information such as userID/password. Within the same browser/tab, navigate to an ABAP URL to test the SSO. For example:
  http://<ABAP host>:<port>/sap/bc/ping?sap-client=<client #>
• If everything is working correctly, then you should see something like the screen below.

Note
During this last test (ABAP URL), you should not have to enter the userID/password to get the success message. If the system is asking for the userID/password, then SSO is not set up correctly.

4.9 Create a SUP Security Profile

• Login into SUP SCC with an administrative account. Example: https://<SUP host>:8283/scc/#
• Navigate to the "Security" node, click on the "General" tab and click "+ New…".
• Give the profile a name and click "OK". For this example: SAPEIS
• Select the newly created profile in the navigation pane, click on the "Authentication" tab and click on "New…".
• On the "Authentication provider:" option, select "HttpAuthenticationLoginModule".
• Add another property field ("SSO Cookie Name") to the template.
• Input the required value for the property and click "OK".

Note
For the "SSO Cookie Name", the value must be "MYSAPSSO2" so that the SUP framework can propagate it correctly.

• You can delete the "NoSecLoginModule" from the profile once the new provider has been added.
• Switch to the "General" tab and click "Validate" to ensure the input URL is valid (the "401 HTTP Basic authentication" URL).
• If everything is successful, then click "Apply".

4.10 Assigning the Security Profile to a Domain/Package

• Within the SCC, navigate to the "Security" node for your working domain and click on the "Security Configurations" tab. Example: for this scenario, we are working under the default domain.
• Click on "+ Assign…", select the new profile that was just created and click "OK".
• The result is that the profile can now be used for this domain.

Note
Assign the security profile to the correct domain for your application, or the device client will authenticate in the default domain with the admin security configuration and won't pick up the SSO2 token it needs for SSO later.

• After the security profile has been added, you can assign the profile to a package by navigating to the application, selecting it and clicking on the "Settings…" tab. Example: (screen shot)

4.11 SUP Workspace

• In the SUP Workspace, make sure the Runtime Data Source Credential and Connection Properties settings have been made. They need to be set to "username" and "password" for the respective fields. Example: (screen shot)
• That should be all you need to do from the development side to set up SSO.

5. Appendix

Appendix A – Further resources @ SyBooks Online and SAP Library

• SUP Single Sign-On: http://infocenter.sybase.com → Sybase Unwired Platform 2.x → System Administration → Security Administration → Security Layers → User Security Setup → Single Sign-on for SAP
• Configuring the AS ABAP for Supporting SSL: http://help.sap.com/saphelp_aii710/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htm
• Configure SAP EIS for SSO: http://help.sap.com/saphelp_nw70/helpdata/en/61/42897de269cf44b35f9395978cc9cb/frameset.htm
• Reference for the login stack: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/c3/d4bbdcbbff4f8f9b2c4fe07fe105ae/content.htm

Appendix B – Browser tools for tracing HTTP traffic

You can use one of the following tools to help with the initial phase of the SSO setup, to see if the URL traffic is issuing an SAP SSO2 token or forcing a "401 HTTP Basic authentication".
• HttpWatch
• HTTPLook
• Wireshark
• Fiddler 2

Appendix C – Debug

• Change the log levels in SCC and restart the SUP server. To do this, go into SCC, go down into "Servers" → <servername> → "Server Configuration" → "General" tab, and then pick "Performance Configuration". Click on "Show optional properties" and add something like "-Djco.trace_level=1 -Djco.trace_path=D:\temp" to the existing "User Options". This will result in traces being written by the JCo layer to the location you specify.
• In SCC, go to "Servers" → <servername> → "Log", then go to the "Settings" tab. Change the entries for "Security" and "DataServices" to DEBUG. This will result in extra info in the SERVERNAME-server.log file, located under X:\sybase\UnwiredPlatform\Servers\UnwiredServer\logs.

www.sap.com/contactsap
www.sdn.sap.com/irj/sdn/howtoguides
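The browser test in section 4.8 and the tracing tools in Appendix B verify the same two facts by hand: the token provider URL from section 4.6 must answer 401 with a Basic challenge when no credentials are sent, and must set the MYSAPSSO2 cookie once valid credentials are sent. The Python script below is an added example, not part of this guide or of the SUP product, that checks those two facts programmatically; all sample responses in it are constructed, and the function names (check_challenge, check_ticket_issued, probe_url) are this example's own.

```python
"""Offline-testable checks for a candidate SAP SSO2 token-provider URL.

The SUP HttpAuthenticationLoginModule needs two things from the URL:
  1. without credentials it answers 401 with a "WWW-Authenticate: Basic" challenge;
  2. with valid Basic credentials it answers 2xx and sets the MYSAPSSO2 cookie.
check_challenge() and check_ticket_issued() work on plain (status, headers)
pairs, so they run offline; probe_url() performs the live GETs with urllib.
"""
import base64
import urllib.error
import urllib.request

SSO_COOKIE = "MYSAPSSO2"   # cookie name the SUP security profile must propagate


def header(headers, name):
    """Return the first header value with this name (case-insensitive) or None."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None


def issued_cookie_names(headers):
    """Names of all cookies set by the response, in Set-Cookie order."""
    return [value.split(";", 1)[0].split("=", 1)[0].strip()
            for key, value in headers if key.lower() == "set-cookie"]


def check_challenge(status, headers):
    """Unauthenticated request: expect 401 plus a Basic challenge."""
    problems = []
    if status != 401:
        problems.append(f"expected 401 without credentials, got {status}")
    challenge = header(headers, "WWW-Authenticate")
    if challenge is None:
        problems.append("no WWW-Authenticate header; not a Basic-auth endpoint")
    elif not challenge.lower().startswith("basic"):
        problems.append(f"challenge is not Basic: {challenge!r}")
    return problems


def check_ticket_issued(status, headers):
    """Authenticated request: expect 2xx and a Set-Cookie for MYSAPSSO2."""
    problems = []
    if not 200 <= status < 300:
        problems.append(f"expected 2xx with credentials, got {status}")
    names = issued_cookie_names(headers)
    if SSO_COOKIE not in names:
        problems.append(f"no {SSO_COOKIE} cookie issued (cookies set: {names})")
    return problems


def fetch(url, user=None, password=None):
    """One GET; returns (status, [(name, value), ...]) and does not raise on 4xx/5xx."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, list(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, list(err.headers.items())


def probe_url(url, user, password):
    """Run both checks against a live endpoint; an empty list means it qualifies."""
    problems = check_challenge(*fetch(url))
    problems += check_ticket_issued(*fetch(url, user, password))
    return problems


# Constructed sample responses (not captured from a real system).
GOOD_401 = (401, [("WWW-Authenticate", 'Basic realm="SAP J2EE Engine"')])
GOOD_200 = (200, [("Content-Type", "text/html"),
                  ("Set-Cookie", "MYSAPSSO2=CONSTRUCTED_SAMPLE_TICKET; Path=/; HttpOnly"),
                  ("Set-Cookie", "JSESSIONID=constructed1234; Path=/")])
NO_TICKET_200 = (200, [("Set-Cookie", "JSESSIONID=constructed1234; Path=/")])   # login stack not updated
FORM_LOGIN_200 = (200, [("Content-Type", "text/html")])   # served a logon form instead of a 401

if __name__ == "__main__":
    print("good endpoint:", check_challenge(*GOOD_401) + check_ticket_issued(*GOOD_200))
    print("stack not updated:", check_ticket_issued(*NO_TICKET_200))
    print("form-based logon:", check_challenge(*FORM_LOGIN_200))
    # live use: probe_url("https://<host>:<SSL_port>/irj/servlet/prt/portal/prtroot/HelloWorld.HelloWorld", "<user>", "<password>")
```

For an HTTPS token provider URL, run this from a machine that trusts the same CA you imported in section 4.7, otherwise urllib will reject the certificate before any of the checks run.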