
SAP NetWeaver 7.3

Secured by RSA Implementation Guide for Portal Servers and Web-Based Applications

Last Modified January 8, 2013

Partner Information

Partner Name: SAP
Web Site: www.sap.com

Product Information

Product Name: SAP NetWeaver
Version & Platform: 7.3
Product Description: A comprehensive integration and application platform, SAP NetWeaver works with your existing IT infrastructure to enable and manage change. With SAP NetWeaver, you can flexibly and rapidly design, build, implement, and execute new business strategies and processes. You can also drive innovation throughout your organization by combining existing systems while maintaining a sustainable cost structure. SAP NetWeaver embraces Internet standards such as HTTP, XML, and Web services, ensuring openness and interoperability with Microsoft .NET and Java 2 Platform Enterprise Edition (J2EE) environments.


    Solution Summary

SAP NetWeaver supports third-party Java Authentication and Authorization Service (JAAS) login modules to extend the capabilities of its authentication process. RSA offers a custom, pluggable JAAS module for SAP NetWeaver that can be deployed to enable RSA Access Manager authentication and Web Single Sign-On (SSO) for SAP users.

SAP's security framework allows administrators to combine predefined and custom login modules in what are known as login stacks. This guide details how the RSA login module can be placed in a login stack that also includes modules for issuing and validating SAP SSO login tickets [1]. Once this stack is configured to protect an SAP application, authenticated users will have access to their applications, both internal and external to SAP, without needing to re-authenticate.

Note: The SAP Web Application Server also provides a login module called HeaderVariableLoginModule, which reads an authenticated user's ID from an HTTP header variable and uses it to create an SAP SSO login ticket. This login module can also be used in conjunction with RSA Access Manager to read the ct-remote-user header variable. Consult the SAP Help Portal for more information on how to do this.

To enable the integration, an RSA Access Manager Web Agent must be installed on a web server acting as a reverse proxy to the SAP Java Application Server (AS) and configured to protect SAP resources. The RSA login module, RSAAccessManagerLoginModuleNW73EAR, is deployed on the SAP AS, configured to retrieve details about the current user's authentication status and identity, and combined with SAP login modules on a login stack.

When a user [2] tries to access a protected NetWeaver resource via the proxy server, the RSA Web Server Agent intercepts the request and redirects the user to an Access Manager login page. After a successful authentication, the agent creates an RSA Access Manager SSO token cookie and redirects the user to NetWeaver.

The NetWeaver server loads the ticket template and calls the first module in its login module stack, EvaluateTicketLoginModule. This module determines whether an SAP SSO login ticket has already been created. If it finds a ticket, the server creates a NetWeaver session and redirects the user to the requested resource. If not, the server calls RSAAccessManagerLoginModuleNW73EAR. This module retrieves the authenticated user name and passes it to RSA Access Manager for validation. Once the user has been validated, SAP calls CreateTicketLoginModule, which creates an SAP SSO login ticket and a NetWeaver session, and redirects the user to the requested resource.

Partner Integration Overview

Use UserID for SSO: Yes (via RuntimeAPI)
Use UserID for Personalization: Yes
Recognize Authentication Type: N/A
API-level Authorization Support (RuntimeAPI): No
User Management (AdminAPI): Via Shared User Repository (LDAP)

[1] For more information about SAP Login Modules, Login Stacks and SSO Login Tickets, see the Login Modules section in the SAP NetWeaver Application Server Security Guide.
[2] Note that the user must exist (with the same username) in both SAP and RSA Access Manager. In addition, the user must be authenticating against the SAP Login Ticket Template.


    Product Requirements

SAP Product Requirements

The following SAP products are required to complete this integration:

SAP NetWeaver 7.3
SAP NetWeaver Administrator 7.3
SAP NetWeaver Developer Studio 7.3

Consult the latest release notes and installation guides for up-to-date hardware and software requirements for each of these products.

RSA Access Manager Requirements

The integration requires a Web server that is supported by RSA Access Manager. See the RSA Access Manager 6.1 technical specifications at http://www.rsa.com/node.aspx?id=1190 for a list of supported servers. This server will be configured as a reverse proxy to the SAP NetWeaver Application Server.

Integration Modules

The integration requires a copy of the RSAAccessManagerLoginModuleNW73EAR login module. The module can be downloaded from the following link: https://sftp.rsa.com/human.aspx?Username=partner&password=rsasecured&arg01=868072044&arg12=downloaddirect&transaction=signon&quiet=true

Important: If you experience a problem downloading the module when you click the link, copy and paste the URL into your browser's address field.

Integration Modules

File Name: RSAAccessManagerLoginModuleNW73EAR.ear
Destination: The local temporary directory


    Product Configuration

Before You Begin

This section provides instructions for integrating SAP NetWeaver with RSA Access Manager. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has sufficient knowledge of each product to perform the tasks outlined in this section, as well as access to the appropriate documentation for installing and administering the required software components.

All products/components must be installed and working prior to this integration. Perform the necessary tests to confirm that this is true before proceeding.

Prerequisites

Ensure that you have satisfied the following prerequisites before beginning the integration:

Install SAP NetWeaver Administrator 7.3 and SAP NetWeaver Developer Studio 7.3. You must have administrative access to these applications to complete the instructions in this guide.

Install an RSA Access Manager-supported Web server as a reverse proxy to NetWeaver. Install the appropriate RSA Access Manager agent on the proxy server.

Ensure that there is a one-to-one relationship between the SAP and RSA usernames of the users who will be authenticating against the RSA Login Module. Note that if the usernames don't match, they can be mapped to one another using the module's user_property parameter, provided that the RSA users contain an attribute that matches the SAP username. See the RSA Login Module Parameters section for a full list of parameter options.

Installation

This section contains instructions for installing the RSA Access Manager Login Module. It is divided into the following subsections:

Download the RSA Login Module EAR File
Deploy the RSA Login Module
Configure RSA Login Module Options
Configure the SAP Ticket Authentication Template

Download the RSA Login Module EAR File

The login module is contained in an Enterprise Archive (EAR) file named RSAAccessManagerLoginModuleNW73EAR.ear. Download this file from the link mentioned above and save it to a local directory.

Deploy the RSA Login Module

Follow the steps below to deploy RSAAccessManagerLoginModuleNW73EAR.ear with SAP NetWeaver Developer Studio (NWDS):

1. Start NWDS, log in as an administrator and select the Window > Show View > Other menu option.

2. Select the Deployment View > Deploy View menu item and click the OK button.


    3. Click the Deploy View tab, select External Deployable Archives from the list on the left and click the Add Element (plus sign) button in the upper left corner of the tab page.

    4. Browse to the directory in which you saved the RSAAccessManagerLoginModuleNW73EAR.ear file, select the file and click the Open button.

5. Expand External Deployable Archives on the Deploy View tab, right-click RSAAccessManagerLoginModuleNW73EAR.ear and select Deploy from the menu. NWDS will display a message indicating whether the deployment was successful. If the deployment is successful, the module will automatically be registered with the SAP J2EE Engine.

Configure RSA Login Module Options

Once the EAR file has been successfully deployed, the module should be available for configuration in the J2EE Engine environment. Follow the steps below to configure the RSA Access Manager Login Module options in the User Management configuration:

1. Log in to SAP NetWeaver Administrator as an administrative user.

2. Select the Configuration tab and click the Security menu item on the tab's toolbar.

    3. Click the Views menu to the right of the Authentication and Single Sign-On link and select Authentication.

4. Click the Login Modules menu item on the Authentication tab's toolbar.

5. Find the RSAAccessManagerLoginModuleNW73 login module in the first table and select it.

6. Scroll down the page, click the Login Module Options tab, click the Edit button and then click the Add button.

7. Enter dispatcher_list in the Name field and your RSA Access Manager hostname and port (separated by a colon) in the Value field, then click the Add button. If you have multiple dispatcher servers, separate each one with a comma.

8. Enter connection_type in the Name field and the type of security the module will use to connect to the RSA Access Manager servers in the Value field, then click the Add button. See the RSA Login Module Parameters section in the Appendix for a list of security type parameter values.

    9. Enter the appropriate module parameter names and values for a specific configuration in the Options list. See the RSA Login Module Parameters section in the Appendix for a complete list of parameters, requirements and interdependencies.

    10. Click the Save button.


Configure the SAP Ticket Authentication Template

The SAP Java Application Server provides predefined authentication templates, each of which contains one or more login modules that are combined in a login module stack [3]. SAP's Login Ticket authentication template can be used to enable SAP SSO by creating an SAP login ticket after each successful authentication and validating this ticket each subsequent time an authenticated user requests another protected SAP resource.

The instructions in this section describe how to modify the ticket authentication template to include the RSA Login Module. Once the template has been updated, RSA Access Manager will be responsible for handling user authentication. This will enable SSO between SAP and other applications that are protected by RSA Access Manager [4].

To configure the ticket authentication template to use the RSA Login Module, perform the following steps using SAP Visual Administrator:

1. Click the Components menu item on the Authentication tab's toolbar and select the policy configuration named ticket.

2. Scroll down the page and click the Edit button on the Authentication Stack tab's toolbar. The ticket component's login stack will appear in the Login Modules table, and it will most likely contain the following three modules in order:

EvaluateTicketLoginModule, which looks for a valid SAP Login Ticket
BasicPasswordLoginModule, which prompts a user to authenticate
CreateTicketLoginModule, which creates an SAP Login Ticket

[3] See the SAP NetWeaver Administration Guide for more information about authentication templates and login module stacks.
[4] Note that SAP login tickets allow internal SSO among SAP applications, whereas RSA Access Manager tokens extend SSO to include applications that are external to SAP.

3. Click the down arrow to the right of the BasicPasswordLoginModule module's name to expand a list of all available modules. You will replace this module with the RSA Access Manager Login Module.

4. Select the module named RSAAccessManagerLoginModuleNW73.

5. Click the down arrow in the Flag column and select REQUISITE from the dropdown list. The Login Module table should contain 3 rows with the following values, in order from top to bottom:

EvaluateTicketLoginModule: SUFFICIENT
BasicPasswordLoginModule: REQUISITE
CreateTicketLoginModule: OPTIONAL

6. Verify that the ticket login stack contains the three modules as listed above, in the same order and with the same conditional flags. Modify the flags and positions of the other two modules if necessary and click the Save button.
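The following Python model is an added example, not code from this guide or from SAP/RSA. It applies the JAAS control-flag rules (SUFFICIENT, REQUISITE, OPTIONAL) to the three-module ticket stack described in the Solution Summary and configured above, so that the three possible outcomes can be traced: an existing SAP login ticket, a fresh RSA Access Manager session, and a request whose CTSESSION cookie does not validate. The ticket and session stores are constructed sample data; the real RSA module validates the token against the Access Manager dispatcher instead.

```python
# Constructed sample data standing in for the SAP ticket store and the
# RSA Access Manager session store (not real tokens).
VALID_SAP_TICKETS = {"sap-ticket-abc": "jdoe"}   # SAP login ticket -> user
VALID_RSA_SESSIONS = {"rsa-token-1": "jdoe"}     # CTSESSION value -> user


def evaluate_ticket(req):
    """EvaluateTicketLoginModule: succeed only if a valid SAP login ticket is present."""
    user = VALID_SAP_TICKETS.get(req.get("sap_ticket"))
    if user:
        req["user"] = user
    return user is not None


def rsa_access_manager(req):
    """RSAAccessManagerLoginModuleNW73 (simulated): read the CTSESSION cookie
    and validate it. The real module's user_property header mode is not modelled."""
    token = req.get("cookies", {}).get("CTSESSION")
    user = VALID_RSA_SESSIONS.get(token)
    if user:
        req["user"] = user
    return user is not None


def create_ticket(req):
    """CreateTicketLoginModule: issue an SAP login ticket for the authenticated user."""
    if "user" not in req:
        return False
    req["sap_ticket"] = f"sap-ticket-for-{req['user']}"
    return True


# The stack exactly as the guide configures it: name, JAAS flag, module.
TICKET_STACK = [
    ("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
    ("RSAAccessManagerLoginModuleNW73", "REQUISITE", rsa_access_manager),
    ("CreateTicketLoginModule", "OPTIONAL", create_ticket),
]


def run_stack(stack, req):
    """Apply JAAS control-flag rules (login phase only; commit/abort omitted).
    Returns (authenticated, trace), trace being one entry per module that ran."""
    trace, required_failed, soft_success = [], False, False
    for name, flag, module in stack:
        ok = module(req)
        trace.append(f"{name}[{flag}]={'ok' if ok else 'fail'}")
        if flag in ("REQUIRED", "REQUISITE"):
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break          # REQUISITE failure stops the stack immediately
        elif ok:
            soft_success = True
            if flag == "SUFFICIENT" and not required_failed:
                break              # SUFFICIENT success ends the stack early
    if required_failed:
        return False, trace
    has_required = any(f in ("REQUIRED", "REQUISITE") for _, f, _ in stack)
    return (True if has_required else soft_success), trace
```

Because the RSA module is REQUISITE, a request without a valid RSA session never reaches CreateTicketLoginModule, so no SAP ticket is minted for an unauthenticated user.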

End User Experience

Once the module has been installed, configured and assigned, users will be prompted by RSA Access Manager to authenticate when they attempt to access a protected SAP URL.

    Following a successful authentication, the user is redirected to the requested resource.

Certification Checklist: Portal Servers and Web-Based Apps

Date Tested: November 1, 2012

Certification Environment

Product Name / Version Information / Operating System
RSA Access Manager / 6.1 SP4 / Windows Server 2008
SAP NetWeaver / 7.3 / Windows Server 2008
SAP NetWeaver Administrator / 7.3 / Windows Server 2008
SAP NetWeaver Developer Studio / 7.3 SP08 / Windows Server 2008

Test Case / Result

Product Characteristics for SSO Support
Application/Portal is web-based, and supports access by a standard HTTP-based browser
Application/Portal runs on a Web Server Platform supported by RSA Access Manager
Application/Portal login interface can be modified or replaced
Application/Portal can extract user information from the RSA Access Manager session cookie
Application/Portal can extract user information from HTTP Headers
Application/Portal can extract authentication type from the RSA Access Manager session cookie
Application/Portal can extract authentication type from HTTP Headers
Application/Portal can perform SSO with another RSA Access Manager-supported Web Server

Login - General
HTTP basic authentication: N/A
Forms based
Forms based w/ URI retention

Login
Basic Authentication
Access Denied for unauthorized user
Successful login for authorized user
Successful recognition of identity/personalization in 3rd Party Product
Successful recognition of identity/personalization after SSO with another RSA Access Manager-supported Web Server

Legend: ✓ = Pass, ✗ = Fail, N/A = Non-Available Function


    Appendix

RSA Login Module Parameters

There are multiple configurations available for the RSA Login Module, allowing administrators to control such things as the method by which the RSA Access Manager authenticated username is retrieved, the security setting for the module's runtime connection to the RSA Access Manager dispatcher, and whether to enable debugging. The tables below contain the complete list of mandatory and optional parameters, as well as their value requirements and interdependencies.

Mandatory Parameters for All Configurations

Name / Value

connection_type
The type of security the module will use to connect to the RSA Access Manager dispatcher. The value must be one of the following types:
CLEAR for clear-text Access Manager connections (not recommended)
ANON for anonymous SSL connections
AUTH for mutually authenticated SSL connections [5]

dispatcher_list
A list of RSA Access Manager dispatchers that the module will use. Each dispatcher should consist of a hostname and port separated by a colon, and the dispatchers in the list should be separated by commas, in the format below:

server1:5608,server2:5608

Mandatory Parameters for Mutually-Authenticated SSL [6]

Name / Value

keystore: The keystore (including its absolute path) that will be used for the connection's private key.
keystore_password: The SSL keystore password.
key_alias: The alias of the private key stored in the keystore.
key_password: The password for the private key stored in the keystore.

[5] Mutually-authenticated connections require additional parameters. See the Mandatory Parameters for Mutually-Authenticated SSL table for details.
[6] These parameters apply exclusively to the mutually-authenticated SSL connection configuration.

Optional Parameters

Name / Value

cookie_name
The name of the RSA Access Manager SSO cookie. This variable only needs to be set if the cookie name has been changed in the RSA Agent's webagent.conf file. If this variable isn't set, the module uses the default cookie name: "CTSESSION".

debug
A Boolean flag that enables/disables debugging. The variable must be set to one of the following values:
true to enable debugging
false to disable debugging. This is the default value.

retry_count
The number of times the module will attempt to establish a Runtime API connection before returning. The default value is 3.

timeout
The number of milliseconds the dispatcher and auth server will remain connected. The default value is 10000.

user_property
An optional HTTP header variable name that will contain the Access Manager username after a successful authentication. This variable is especially useful if the RSA Access Manager login name and the SAP username are different. As long as the SAP username is stored in the RSA user under another attribute, UID for example, it can be exported to an HTTP header variable. If this variable contains the name of that header variable, the module will read the value and use it to create an SAP session. By default, the module retrieves the authenticated username from the RSA SSO token contained in the CTSESSION cookie.
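As an added example (not code from the RSA or SAP documentation), the following Python checker encodes the parameter rules of this Appendix: connection_type and dispatcher_list are mandatory, the four keystore parameters are mandatory only for AUTH, CLEAR is accepted but flagged, and the optional parameters receive their documented defaults. The function and file names are assumptions for illustration; it is meant to be run over an option set before it is saved in NetWeaver Administrator.

```python
import re

CONNECTION_TYPES = {"CLEAR", "ANON", "AUTH"}
# Mandatory only for mutually authenticated SSL (connection_type=AUTH).
AUTH_ONLY = ("keystore", "keystore_password", "key_alias", "key_password")
# Optional parameters with the defaults documented in the Appendix.
OPTIONAL_DEFAULTS = {"cookie_name": "CTSESSION", "debug": "false",
                     "retry_count": "3", "timeout": "10000"}
KNOWN = {"connection_type", "dispatcher_list", "user_property",
         *AUTH_ONLY, *OPTIONAL_DEFAULTS}
HOST_PORT = re.compile(r"^([A-Za-z0-9][A-Za-z0-9.-]*):(\d{1,5})$")


def parse_dispatcher_list(value):
    """Split 'host:port,host:port' into (host, port) tuples; raise on a bad entry."""
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        m = HOST_PORT.match(item)
        if not m or not 1 <= int(m.group(2)) <= 65535:
            raise ValueError(f"bad dispatcher entry {item!r}, expected host:port")
        entries.append((m.group(1), int(m.group(2))))
    return entries


def validate_options(options):
    """Check a name->value option set against the Appendix rules.

    Returns (effective, errors, warnings): effective has the defaults filled in,
    errors lists violations that make the module unusable, warnings lists
    accepted but discouraged settings (a CLEAR connection)."""
    opts = {k.strip(): v.strip() for k, v in options.items()}
    errors, warnings = [], []
    for name in sorted(set(opts) - KNOWN):
        errors.append(f"unknown parameter {name!r}")
    ctype = opts.get("connection_type")
    if ctype not in CONNECTION_TYPES:
        errors.append("connection_type must be CLEAR, ANON or AUTH")
    elif ctype == "CLEAR":
        warnings.append("CLEAR: Runtime API traffic to the dispatcher is unencrypted")
    elif ctype == "AUTH":
        for name in AUTH_ONLY:
            if not opts.get(name):
                errors.append(f"{name} is mandatory when connection_type=AUTH")
    if "dispatcher_list" not in opts:
        errors.append("dispatcher_list is mandatory")
    else:
        try:
            parse_dispatcher_list(opts["dispatcher_list"])
        except ValueError as exc:
            errors.append(str(exc))
    effective = {**OPTIONAL_DEFAULTS, **opts}
    if effective["debug"] not in ("true", "false"):
        errors.append("debug must be true or false")
    for name in ("retry_count", "timeout"):
        if not effective[name].isdigit() or int(effective[name]) <= 0:
            errors.append(f"{name} must be a positive integer")
    return effective, errors, warnings
```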
