Authentication of a WS Client Using a SAP Logon Ticket

HE

LP

.BC

WE

BS

ER

VIC

ES

_T

UT

OR

IAL

S

Re lease 650

SAP Online Help 04.04.2005

Copyright © Copyright 2004 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Authentication of a WS Client Using a SAP Logon Ticket 650 2

SAP Online Help 04.04.2005

Icons in Body Text

Icon Meaning

Caution

Example

Note

Recommendation

Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Typographic Conventions

Type Style Description

Example text Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options.

Cross-references to other documentation. Example text Emphasized words or phrases in body text, graphic titles, and table

titles.

EXAMPLE TEXT Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text> Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER.

Authentication of a WS Client Using a SAP Logon Ticket 650 3

SAP Online Help 04.04.2005

Authentication of a WS Client Using a SAP Logon Ticket .............................................................. 5 Importing Projects ........................................................................................................................ 6 Configuring the Logical Port for Use of Logon Tickets ................................................................ 7 Configuring the Client – Generating a SAP Logon Ticket ......................................................... 10 Exporting the Certificate Used for Generating the Ticket .......................................................... 12

Authentication of a WS Client Using a SAP Logon Ticket 650 4

SAP Online Help 04.04.2005

Authentication of a WS Client Using a SAP Logon Ticket

Task In this tutorial, you will learn – based on a predefined project – all the development steps required to configure an existing Web service in such a way that it authenticates itself to the Web service provider via a SAP logon ticket. The predefined Web service CreditCheck is to be used.

The Web service CreditCheck offers the simple function of checking the credit-worthiness of a customer on the basis of the customer number. If a customer number between 1001 and 1005 is passed, the credit limit of the customer is returned. Otherwise a message informs you that no corresponding customer exists.

The client uses a jsp application to simulate a simple sales portal. If a customer makes an order, the system uses the corresponding customer number to check whether the sum of the order is within the credit limit of that customer. This check is carried out using the Web service CreditCheck.

Since an SAP logon ticket is always issued for one specific user, the client application is configured in such a way that an authentication via user name and password is required. To learn how to configure servlets and jsp applications, refer to Integrating Security Functions.

Objectives By the end of this tutorial, you will be able to: ! Authenticate an existing Web service client to the Web service provider using a SAP logon

ticket.

Prerequisites You can call the Web service CreditCheck if you have worked through the tutorial Creating

a User Authentication Using Logon Tickets or deployed the solution EAR file on a J2EE Engine.

You can access the SAP J2EE Engine using the Visual Administrator.

Systems, Installations, and Authorizations You have installed the SAP NetWeaver Developer Studio and configured it for use of the

SAP J2EE Engine.

Knowledge You understand the functioning of a JSP Web service client, for example, by reading the topic

Creating a Client JavaServer Page.

Next Step: Importing Projects [Seite 6]

Authentication of a WS Client Using a SAP Logon Ticket 650 5

SAP Online Help 04.04.2005

Importing Projects The following projects are available for this tutorial:

• Deployable proxy project CreditLimitCheckProxy (the proxy used for the Web service CreditLimitCheck)

• WEB project CreditLimitCheckWeb (the Web service consumer)

• EAR project CreditLimitCheckWebEAR (for deploying the Web project)

The projects are available in the form of a ZIP file and can be downloaded here.

Procedure Importing Projects into the SAP NetWeaver Developer Studio ...

1. Download the ZIP file and save it to any directory on your local hard disk or directly in the work area of the SAP NetWeaver Developer Studio.

2. Unpack the ZIP file.

3. Start the SAP NetWeaver Developer Studio.

4. Import the projects CreditLimitCheckProxy, CreditLimitCheckWeb, and CreditLimitCheckEAR and open the J2EE Explorer in the J2EE deployment perspective.

Result Once you have imported the project into the Developer Studio, the following structure is displayed in the J2EE Explorer.

Authentication of a WS Client Using a SAP Logon Ticket 650 6

SAP Online Help 04.04.2005

Next Step: Configuring the Logical Port for Use of Logon Tickets [Page 7]

Configuring the Logical Port for Use of Logon Tickets A logical port contains the configuration of the client-side SOAP runtime environment, such as the URL or the security settings of a Web service. If you want to access a Web service using a proxy, this is done via a logical port. Every logical port corresponds to a configuration of the Web service as offered by the Web service provider.

To be able to create a logical port, you first require a Web service definition. The latter can be obtained using the overview page of a Web service, for example. However, it can also be imported from the local file system or a UDDI registry.

This section explains – based on an existing proxy - how to create a logical port and access it from within the application.

When using SAP logon tickets, you do not have to provide detailed information for the authentication - for example, the entry of user name and password or the selection of a specific certificate. The Ticket is always issued for the user who is logged on. This means, this authentification type allows the configuration at design time. Additional settings - for example, for the Visual Administrator - are not necessary,

Authentication of a WS Client Using a SAP Logon Ticket 650 7

SAP Online Help 04.04.2005

Prerequisites You have ensured that your Workbench proxy settings are the same as those in your Intranet.

Check these settings in the Developer Studio by choosing Window Preferences Workbench Proxy Settings.

The structure of your projects CreditLimitCheckProxy, CreditLimitCheckWeb, and CreditLimitCheckWebEar is currently displayed in the J2EE Explorer.

Procedure Creating and Using Logical Ports ...

1. Call the Web service homepage of the Web service CreditCheck. The link to the Web service definition can be found under the heading WSDL. Copy this link to your clipboard and return to the SAP NetWeaver Developer Studio.

2. Choose New – Logical Ports from the context menu for the node CreditLimitCheckProxy – com.sap.demo.proxy.CreditCheckLocalProxy – Logical Ports.

3. In the dialog box WSDL URL, insert the link from the clipboard and confirm by choosing OK. The logical port TICKETPort_Document appears in your project hierarchy.

If the specified logical port should not appear, check whether you are using the Web service definition of the correct Web service. Also, note the prerequisites for this tutorial.

4. Open the file CreditLimitCheck.jsp by double-clicking the node CreditLimitCheckWeb – web.xml – CreditLimitCheck.jsp. Select the Source tab (bottom left in your preview pane) to display the source text.

5. Search for the following statement in the source code: CreditCheckViDocument port = (CreditCheckViDocument) obj.getLogicalPort("NONEPort_Document", CreditCheckViDocument.class);

6. Replace the statement with:

CreditCheckViDocument port = (CreditCheckViDocument) obj.getLogicalPort("TICKETPort_Document", CreditCheckViDocument.class);

The Web service consumer now uses the logical port TICKETPort_Document, which accesses a configuration of the Web service that requires authentication via a SAP logon ticket.

Authentication of a WS Client Using a SAP Logon Ticket 650 8

SAP Online Help 04.04.2005

7. Save your changes.

Configuring the Logical Port for Use of SAP Logon Tickets ... ...

1. Open the new logical port by double-clicking the node CreditLimitCheckProxy – com.sap.demo.proxy.CreditLimitCheckProxy – Logical Ports – TICKETPort_Document. A window containing the properties of the logical port appears.

2. Select the Security tab. The security settings are displayed.

3. Select HTTP Authentication as the Authentication and activate the option Use SAP Logon Ticket. Leave the remaining settings unchanged and save your changes.

Deploying the Changed Web Service and Proxy ...

1. Choose Build EAR from the context menu for the project CreditLimitCheckProxy and deploy the file CreditLimitCheckProxy – CreditLimitCheckProxy.ear on the J2EE Engine.

2. Regenerate the files CreditLimitCheckWeb.war and CreditLimitCheckWebEar.ear by choosing Build WEB Archive or Build Application Archive from the context menus for the projects CreditLimitCheckWeb and CreditLimitCheckWebEar and deploy the file CreditLimitCheckWebEAR.ear on your J2EE Engine.

Result You have created a new logical port called TICKETPort_Document and have made it accessible by deploying the proxy on the J2EE Engine. The Web service client is now configured in such a way that it uses the port TICKETPort_Document and uses a SAP logon ticket to logon to the Web service provider.

Next Step: Creating, Signing, and Exporting the Client Certificate [Extern]

Authentication of a WS Client Using a SAP Logon Ticket 650 9

SAP Online Help 04.04.2005

Configuring the Client – Generating a SAP Logon Ticket The Web service proxy tries to logon to the Web service provider using the SAP logon ticket but does not generate the ticket itself. The proxy can only transfer an existing ticket. You must configure the client application so that it issues a logon ticket for the user at the user’s logon.

Prerequisites The structure of your projects CreditLimitCheckWeb and CreditLimitCheckWebEar is currently

displayed in the J2EE Explorer.

Procedure Adjusting the Logon Configuration of the Client Application ...

1. Double-click the node CreditLimitCheckWeb – web-j2ee-engine to display the various settings of the WEB project.

2. Activate the Security tab in the dialog box which opens on the right. The security settings of the project are displayed.

3. In the tree structure Security roles, select the entry login configuration. Enter CreditLimitCheck in the field Security policy domain (on the right). Leave the other fields unchanged.

4. Choose Add below the tree structure. A new entry <new login module> is displayed. Change the name by entering BasicPasswordLoginModule in the field Name (on the right). Select optional as the Priority.

5. Select the entry login configuration again and choose Add again.

6. Enter the name CreateTicketLoginModule for the new login module and enter sufficient under Priority.

Authentication of a WS Client Using a SAP Logon Ticket 650 10

SAP Online Help 04.04.2005

7. Save your changes.

8. Regenerate the files CreditLimitCheckWeb.war and CreditLimitCheckWebEar.ear by choosing Build WEB Archive or Build Application Archive from the context menus for the projects CreditLimitCheckWeb and CreditLimitCheckWebEar and deploy the file CreditLimitCheckWebEAR.ear on your J2EE Engine.

Result If you call the client application CreditLimitCheck, you need to logon using the user name and password – in case you have not done it before. After a successful logon, an SAP logon ticket is generated for this user.

Next Step: Configuring the Web Service Client for Securing the Server Identity [Extern]

Authentication of a WS Client Using a SAP Logon Ticket 650 11

SAP Online Help 04.04.2005

Exporting the Certificate Used for Generating the Ticket An SAP logon ticket is generated using an X 509 certificate. Before the certificate can be checked by the Web service provider for its actual origin and its trustworthiness, it must be exported from the client’s system to be made available for the providing system.

If the Web service and its client are located on the same SAP J2EE Engine, this step is not necessary. The SAP J2EE Engine automatically accepts SAP logon tickets it has issued itself.

Procedure Exporting the Certificate ...

1. Start the Visual Administrator and log on to the SAP J2EE Engine that contains your Web service.

2. Select the node <SID> - Server … - Services – Key Storage and activate the tabs Runtime (top) and Data (bottom) in the right window.

3. Select the entry TicketKeystore in the Views area and the entry SAPLogonTicketKeypair-cert under Entries.

4. Choose Export in the area Entry (bottom right) and, in the dialog box that appears, save the certificate as a crt file in your file system.

Result The certificate used for generating the SAP logon ticket can now be made available for the Web service provider. This allows the provider to check the ticket for authentity and trustworthiness.

If the system of the Web service provider is already configured appropriately, you can now test the client application. The tutorial Creating a User Authentication Using Logon Tickets shows you how to configure the Web service for user authentication using a SAP logon ticket. Note that after a successful logon to the Web service provider, you act as the user for which the SAP logon ticket was issued.

You can test the client application by calling the URL in your browser. A simple screen for creating orders is displayed. After choosing the Order button, you are requested to enter the Customer Identity Card Number. If you press the Check button, the Web service CreditLimitPrivateLocal is called and the value you entered in the text field is passed. The result is then evaluated and displayed. Note that only data for the customer numbers 1001 to 1005 is displayed. For all other values, a message is displayed stating that no customer was found for that number.

Authentication of a WS Client Using a SAP Logon Ticket 650 12