Agent Guide for SAP Web AS r5.6 SP4

CA SiteMinder® ERP Agents


This documentation and any related computer software help programs (hereinafter referred to as the “Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties.

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the Documentation for their own internal use, and may make one copy of the related software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the product are permitted to have access to such copies.

The right to print copies of the Documentation and to make a copy of the related software is limited to the period during which the applicable license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE.

The use of any product referenced in the Documentation is governed by the end user’s applicable license agreement.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Copyright © 2007 CA. All rights reserved.


CA Product References

This document references the following CA products:

CA™ SiteMinder®

Contact Technical Support

For online technical assistance and a complete list of locations, primary service hours, and telephone numbers, contact Technical Support at http://ca.com/support.


Contents

Chapter 1: Overview and Architecture
  SAP Web Application Server Background
  SiteMinder Agent for SAP Web AS Overview
  Architecture
    Components
    Interaction of Components

Chapter 2: Installation and Configuration
  System Requirements
  Prerequisite Instructions
    Configure the Front-End Web Server
    Verify the Configuration of MYSAPSSO2 Tickets
  Installing the SiteMinder Agent for SAP Web AS
    Run a GUI Mode Installation on Windows
    Run a GUI Mode Installation on UNIX
    Run a Console Mode Installation on UNIX
  SiteMinder Policy Server and Web Server Configuration
    SessionLinker Configuration
    Map a SiteMinder User as a Web AS User
    Configure SiteMinder Web Agent
    Enabling the 4.x Agent
    Configure SiteMinder Policies
    Installing and Verifying with the Test Page
  Configure the SAP Web Application Server
    How to Update the SiteMinder Policies
    Configure the SiteMinder Agent
    Deploy and View SiteMinderLoginModule.sda
    Configure SiteMinderLoginModule
    Create an Authentication Template
    Select Applications to Use the Authentication Template
    Configure the Enterprise Portal Authentication Scheme
  Test the Installation and Configuration of SiteMinder Agent for SAP Web AS
  Configure the SiteMinderLoginModule Log Level
  View the SiteMinderLoginModule Log Messages
  Enable Single Signon for WebDynpro-Based Applications
  Configure the LogOff URL of the Enterprise Portal


Chapter 3: Troubleshooting
  Solve Configuration Problems
    Verify the SiteMinder Policies
    Check the Web Agent Log
    Temporarily Disable the Session Linker
    Examine Web AS Log Files and Traces
    Examine SiteMinder Agent for SAP Web AS Log File
  Interpret Log File Messages
    The smwebas.home Property is Not Set
    Class Not Found
    No JDecrypt File
    Java Agent Initialization Errors
    Invalid License
    Timed-Out Evaluation of SmWebAsAgent
    Invalid Entries in the Configuration File
    Return Code from doManagement Error
    Invalid IP Address or Ports
    Agent Name or Shared Secret
    WASUSERNAME HTTP Header Not Found or Empty
    SiteMinder Session ID Header Not Found or Empty
    SiteMinder Session Spec Header Not Found or Empty
    Resource Not Protected By SiteMinder
    WAS Usernames Do Not Match
    WAS Username Is Not Present or Is Mismatched
    SiteMinder Session Is Invalid
    Login Module Authentication Failure
    Login Stack Authentication Failure

Appendix A: Front-End Web Server Configuration
  Apache Web Server
    Verify an Apache Web Server Configuration - Example
  Sun ONE Web Server
    Verify a Sun ONE Web Server Configuration Using RPP - Example

Appendix B: NPSEncrypt and NPSVersion Tools
  NPSEncrypt Tool
  NPSVersion Tool


Chapter 1: Overview and Architecture

This section contains the following topics:

SAP Web Application Server Background

SiteMinder Agent for SAP Web AS Overview

Architecture

SAP Web Application Server Background

For releases prior to Version 4.7, SAP provided web-based access to many of its application offerings through a web server component in SAP’s architecture known as the Internet Transaction Server (ITS). Typically, a user attempting to execute an SAP transaction had to log into the SAP system over the Web via ITS, which prompted the user for the username, password, and language. The architecture was based on the SAP R/3 Basis application server, which was primarily based on the SAP proprietary ABAP engine.

For releases 4.7 and later, SAP developed a new architecture, more commonly known as SAP NetWeaver architecture. It is based on SAP’s web application server (SAP Web AS). Depending on the type of installation, the SAP Web AS has an ABAP engine, a J2EE engine, or both.

SAP Web AS now provides the dual capability of deploying the ABAP-based Business Server Pages and web applications compliant with J2EE Version 1.3.

SiteMinder Agent for SAP Web AS Overview

Traditionally, eTrust SiteMinder Agent for SAP provides a single signon (SSO) solution, which is supported with SAP’s Internet Transaction Server (ITS) architecture. However, because many of the joint customers of SAP and CA are considering moving to SAP Web AS and Enterprise Portal, an SSO solution had to be developed, allowing seamless SSO integration among non-SAP, non-Web AS, SAP, Web AS J2EE, and Enterprise Portal applications.

The Web AS J2EE engine allows for the integration of a third-party authentication product by means of the standard Pluggable Authentication Module (PAM) framework. As part of this framework, applications deployed on the Web AS J2EE engine can be protected by means of a Login Stack or Authentication template, which might constitute a standard or custom Java Authentication and Authorization Service (JAAS) login module.

Sun’s JAAS implements a Java technology version of the standard PAM framework, and supports user-based authorization.


Based on the security needs, the Login Stack or the Authentication template can be customized to use a set of JAAS-based login modules arranged in a particular order in the login stack. A custom login module based on the JAAS framework can be developed and registered with the Security Provider service offered with the Web AS J2EE engine. This provides a pluggable mode of developing and deploying the login modules independently of the application, which might use it as a part of a login stack protecting the application.

SAP’s Enterprise Portal also allows usage of the custom login module, as part of the login stack, to act as an authentication mechanism for access to Enterprise Portal. It is possible to modify the authentication scheme used by the Enterprise Portal for user authentication. This authentication scheme references an authentication template or login stack inside SAP Web AS.

The SiteMinder Agent for SAP Web AS is the CA SSO solution for integration with SAP Web AS, aimed specifically at SSO with J2EE-based applications deployed on the SAP Web AS J2EE engine, including the Enterprise Portal application. The current solution also allows these SSO capabilities to be extended to applications deployed outside of SAP Web AS.

The SiteMinder Agent for SAP Web AS solution provides increased security using a Tier 2 session validation whereby the point of trust is moved from the web server to the SAP Web AS J2EE engine.

Many web-based applications employ an independent session management scheme, frequently through the use of a session cookie or session ticket. Therefore, SiteMinder’s replay prevention and session management logic can be bypassed. The possibility that the SiteMinder session and the application session fall out of synchronization with each other is one of the main security problems when integrating applications that maintain their own sessions. The SiteMinder Agent for SAP Web AS solution includes the SessionLinker component to prevent session synchronization issues. The SessionLinker web server plug-in monitors the SiteMinder Session ID header against the Web AS session ticket. When the two sessions diverge, action is taken to prevent the application from operating until a new session within SAP Web AS is established.

In addition to providing enhanced security, SiteMinder Agent for SAP Web AS allows leveraging the increased number of authentication mechanisms available with SiteMinder.

Note: The SiteMinder Agent for SAP Web AS only controls the authentication for the applications deployed on the Web AS and for the Enterprise Portal. All authorizations and roles are administered and controlled by the Web AS J2EE engine itself.


Architecture

Components

The components of SiteMinder Agent for SAP Web AS include the following:

User or client

Front-end web server

eTrust SiteMinder Policy server

SAP Web AS J2EE engine.

User or Client

User is the user browser, while client is the HTTP-based web client, which is used to access the Web AS J2EE engine.

Front-End Web Server

This is the SiteMinder Web Agent-supported web server, front-ending the Web AS J2EE engine. The applications deployed on the J2EE engine are available for access via the SiteMinder supported front-end web server.

The SiteMinder Web Agent is configured on the web server, which protects the application on this web server as well as the J2EE server accessed via the web server.

The web server also hosts the SessionLinker web server plug-in, which intercepts the requests and tracks the Web AS J2EE session, identified by the MYSAPSSO2 ticket and the JSESSIONID cookie, against the SiteMinder Session ID.
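The session-linking check described above, modelled in Python as an added example (it is not CA's SessionLinker code). The cookie names are the ones this guide gives; the in-memory table, the digesting of cookie values, the verdict names and the sample session values are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Cookie names the guide says the SessionLinker tracks.
LINKED_COOKIES = ("MYSAPSSO2", "JSESSIONID")


def _digest(value):
    """Keep a digest rather than the ticket, so the table never holds usable tickets."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def _empty_linked(cookies):
    """Return a copy of the cookies with every tracked cookie emptied."""
    cleaned = dict(cookies)
    for name in LINKED_COOKIES:
        if name in cleaned:
            cleaned[name] = ""
    return cleaned


@dataclass
class SessionLinkTable:
    """Assumed store: (cookie name, cookie digest) -> SiteMinder session ID."""
    owner: dict = field(default_factory=dict)

    def check(self, sm_session_id, cookies):
        """Return (verdict, cookies_to_forward) for one request.

        "linked"   - every tracked cookie was first seen under this SiteMinder session
        "diverged" - a tracked cookie belongs to a different SiteMinder session;
                     the tracked cookies are emptied so Web AS must start a new session
        "no-siteminder-session" - the request carries no SiteMinder session ID
        """
        if not sm_session_id:
            return "no-siteminder-session", _empty_linked(cookies)
        diverged = False
        for name in LINKED_COOKIES:
            value = cookies.get(name)
            if not value:
                continue  # nothing to track yet; Web AS has not issued the cookie
            # First sighting binds the cookie to the current SiteMinder session.
            bound_to = self.owner.setdefault((name, _digest(value)), sm_session_id)
            if bound_to != sm_session_id:
                diverged = True
        if diverged:
            return "diverged", _empty_linked(cookies)
        return "linked", dict(cookies)


def demo():
    """Constructed scenario: a second SiteMinder login reuses a browser that still
    holds the first user's Web AS cookies."""
    table = SessionLinkTable()
    browser = {"MYSAPSSO2": "ticket-alice", "JSESSIONID": "js-1", "lang": "en"}
    first = table.check("sm-session-A", browser)    # original owner
    second = table.check("sm-session-B", browser)   # new SiteMinder session, old cookies
    third = table.check("sm-session-B",
                        {"MYSAPSSO2": "ticket-bob", "JSESSIONID": "js-2"})
    return first, second, third


if __name__ == "__main__":
    for verdict, forwarded in demo():
        print(verdict, forwarded)
```
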

SiteMinder Policy Server

The SiteMinder Policy server governs the access to applications deployed on the web server and the Web AS J2EE engine.

Web AS J2EE Engine

The Web AS J2EE engine is a J2EE-compliant platform for running J2EE applications. It is part of the SAP Web Application Server (Web AS). Applications deployed on the Web AS J2EE engine are protected using the login stacks or authentication templates. The login stacks or authentication templates consist of JAAS-compliant login modules, which are also deployed on the J2EE engine.


The login modules that are deployed as part of the login stack and are of interest to the integration are the following:

SiteMinderLoginModule

Custom JAAS-compliant login module that validates the user’s SiteMinder session by using SiteMinder’s Java Agent API.

CreateTicketLoginModule

Web AS J2EE engine login module, which is needed to create the MYSAPSSO2 ticket for the authenticated user. The J2EE engine supports the use of logon tickets for SSO in an SAP system environment. The logon ticket is stored as a non-persistent cookie, named MYSAPSSO2, in the user’s web browser.

Interaction of Components

Interaction of the components is shown in the following illustration.

The following data flow describes the preceding illustration:

1. User (HTTP-based web client) accesses the Web AS J2EE engine application or Enterprise Portal via the front end web server.

2. SiteMinder Web Agent, hosted on the web server, intercepts the request and determines whether the accessed application or resource is protected by the Policy server. If the resource is protected, the user is challenged for authentication.


3. SiteMinder authenticates the user and checks for the user’s access permissions to the protected application. If the user has access to the application, the Policy server returns the Web AS username in the form of an HTTP header response along with the SessionLinker header response. The SessionLinker response contains the cookie names (MYSAPSSO2 and JSESSIONID) against which the SiteMinder session is tracked.

4. Once SiteMinder allows access to the protected application or resource, the web server forwards the request to the J2EE engine. The J2EE engine invokes the SiteMinder login module, protecting the Web AS deployed application or the Enterprise Portal application.

5. The SiteMinder login module validates the SiteMinder session information against the Policy server.

6. The Policy server returns success if the session is valid, and returns the Web AS username. The SiteMinder login module confirms that the session does indeed belong to the requesting Web AS user. If the session is not valid, the authentication attempt fails and access to the requested resource is prohibited.

7. If the SiteMinder login module successfully validates the user session, the module sets the user Principal to the Web AS username. The Web AS J2EE engine invokes the CreateTicketLoginModule, which creates the MYSAPSSO2 ticket for the authenticated Web AS user. The J2EE engine services the request for the application if both login modules succeed.

8. The SessionLinker on the web server tracks the SiteMinder session against the Web AS session identified by the MYSAPSSO2 and JSESSIONID cookies. If access is illegal, the cookies are emptied. If access is legal, the requested application or resource is presented to the user.
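The Tier 2 check of steps 5 to 7, modelled in Python as an added example (it is not the SiteMinderLoginModule source, which uses SiteMinder's Java Agent API). WASUSERNAME and the failure texts follow this guide; the two session header names, the stub Policy server and all sample values are assumptions made for the example.

```python
# WASUSERNAME is named in the guide; the two session header names are assumed here.
H_USER = "WASUSERNAME"
H_SESSION_ID = "SM_SERVERSESSIONID"
H_SESSION_SPEC = "SM_SERVERSESSIONSPEC"


class LoginFailed(Exception):
    """The login stack stops here, so CreateTicketLoginModule never issues MYSAPSSO2."""


class StubPolicyServer:
    """Stand-in for the Policy server session validation (constructed data only)."""

    def __init__(self, sessions):
        self._sessions = sessions  # {(session_id, session_spec): web_as_username}

    def validate(self, session_id, session_spec):
        """Return the Web AS username that owns the session, or None if it is invalid."""
        return self._sessions.get((session_id, session_spec))


def tier2_login(headers, policy_server):
    """Return the Web AS principal for a request, or raise LoginFailed.

    The username header alone is never trusted: it must be backed by a session
    the Policy server confirms and that belongs to the same Web AS user.
    """
    claimed = headers.get(H_USER, "").strip()
    if not claimed:
        raise LoginFailed("WASUSERNAME HTTP header not found or empty")
    session_id = headers.get(H_SESSION_ID, "").strip()
    if not session_id:
        raise LoginFailed("SiteMinder Session ID header not found or empty")
    session_spec = headers.get(H_SESSION_SPEC, "").strip()
    if not session_spec:
        raise LoginFailed("SiteMinder Session Spec header not found or empty")

    owner = policy_server.validate(session_id, session_spec)   # step 5
    if owner is None:                                          # step 6, invalid session
        raise LoginFailed("SiteMinder session is invalid")
    if owner != claimed:                                       # step 6, ownership check
        raise LoginFailed("WAS usernames do not match")
    return owner                                               # step 7, user Principal


def run_scenarios():
    """Run four constructed requests through the check and collect the outcomes."""
    policy_server = StubPolicyServer({
        ("sid-1", "spec-1"): "alice",
        ("sid-2", "spec-2"): "bob",
    })
    requests = {
        # Request that passed the Web Agent on the front-end web server.
        "via_front_end": {H_USER: "alice", H_SESSION_ID: "sid-1", H_SESSION_SPEC: "spec-1"},
        # Request sent straight to the J2EE engine with only a username header.
        "direct_no_session": {H_USER: "alice"},
        # Session the Policy server no longer knows.
        "expired_session": {H_USER: "alice", H_SESSION_ID: "sid-9", H_SESSION_SPEC: "spec-9"},
        # Valid session, but it belongs to a different Web AS user.
        "other_users_session": {H_USER: "alice", H_SESSION_ID: "sid-2", H_SESSION_SPEC: "spec-2"},
    }
    results = {}
    for name, headers in requests.items():
        try:
            results[name] = "principal=" + tier2_login(headers, policy_server)
        except LoginFailed as exc:
            results[name] = "denied: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22} {outcome}")
```
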


Chapter 2: Installation and Configuration

This section contains the following topics:

System Requirements

Prerequisite Instructions

Installing the SiteMinder Agent for SAP Web AS

SiteMinder Policy Server and Web Server Configuration

Configure the SAP Web Application Server

Test the Installation and Configuration of SiteMinder Agent for SAP Web AS

Configure the SiteMinderLoginModule Log Level

View the SiteMinderLoginModule Log Messages

Enable Single Signon for WebDynpro-Based Applications

Configure the LogOff URL of the Enterprise Portal

System Requirements

The following software is required:

SiteMinder
  SiteMinder Policy server r5.5 or later
  SiteMinder Web Agent 5QMRX or later

Front-end Web Servers: One or more of the following:
  IIS 5.0, IIS 6.0
  Apache 2.0.x
  IBM Http Server 2.0.x
  Sun ONE 6.1

SAP
  SAP Web AS (J2EE engine) 6.40 SP12 or later or 7.0
  SAP Enterprise Portal 6.0 SP12 or later

For updated information about platform and web server support, search for Platform Support Matrix on http://ca.com/support.


Prerequisite Instructions

Configure the Front-End Web Server

The web server, which is supported by SiteMinder Web Agent, acts as a front end for the SAP Web Application Server (Web AS) J2EE engine.

The following are guidelines for configuring the front-end web server:

The SiteMinder Web Agent should be hosted on the front-end web server to provide the first tier of authentication for the SiteMinder Agent for SAP Web AS. See eTrust SiteMinder Web Agent Installation Guide.

The web server should be further configured to proxy the requests for the applications deployed on the Web AS J2EE engine. For WebDynpro-based applications, the web server should be configured to proxy the requests for resources starting with /webdynpro/. Similarly, for Enterprise Portal, configure the web server to proxy the requests for resources starting with /irj.

Access to the Web AS applications directly through the Web AS J2EE engine should not be permitted. The SiteMinder Agent for SAP Web AS does not authenticate users for any direct access, so such access is not allowed. All requests to Web AS applications, including the Enterprise Portal and WebDynpro-based applications, should go through the front-end web server only.

Note: For WebDynpro-based applications, in order for all requests to be routed through the front-end web server, you will also need to modify the system definition that the WebDynpro application is using. The WAS Host Name property of the system definition should be modified to contain the complete DNS name, including the HTTP/HTTPS port, of the front-end web server, instead of containing the DNS name of the back-end web application server.

The order of priority of the web server plug-ins should be Web Agent followed by session linker followed by the Web AS proxy plug-in.

For specific configuration steps, refer to the SAP documentation.

More information:

Enable Single Signon for WebDynpro-Based Applications


Verify the Configuration of MYSAPSSO2 Tickets

The SAP Web AS J2EE engine must be configured to issue and accept MYSAPSSO2 tickets. The logon ticket is stored as a non-persistent cookie, named MYSAPSSO2, in the user’s web browser.

Note: Please refer to the SAP documentation for details on configuring the generation and usage of MYSAPSSO2 tickets.

Installing the SiteMinder Agent for SAP Web AS

Installation is performed using the InstallAnywhere software developed by the Macrovision Corporation.

The installer can be run in the following modes:

GUI mode for Windows or UNIX platforms

Console mode for UNIX platforms

Run a GUI Mode Installation on Windows

Perform the following procedure to run the SiteMinder Agent installer in GUI mode.

To run a GUI mode installation on Windows

1. Navigate to the Win32 folder in the installation media, then double-click the executable file:

ca-erpconn-5.6-sp4-win32.exe

The installation program prepares the files.

2. Review the information in the Introduction dialog box, then click Next.

3. Read the License Agreement then select the radio button to accept the agreement. Click Next.

If you do not accept the agreement, the installation terminates.

4. Read the notes in the Important Information dialog box, then click Next.

5. In the Select an ERP Agent to Install window, select SAP Web Application Server Agent, and click Next.


6. In the Finding Installed Software window, select the software packages installed on the local machine then click Next. (Elements of the SAP Web Application Server agent must be installed on the SAP Web Application Server, the Web server where the SiteMinder Web Agent has been installed, and the SiteMinder Policy server.)

Note: If these server packages are located on different machines, you will need to run the installer on each of these systems.

7. In the Choose Install Folder dialog box, accept the default location (C:\Program Files\CA\erpconn) or use the Choose button to select a different location. Click Next.

If you select a non-default location then want to revert to the default directory, click Restore Default Folder.

8. Review the information in the Pre-Installation Summary dialog box, then click Install.

Note: The installation program may detect that newer versions of certain system DLLs are installed on your system. It asks if you want to overwrite these newer files with older files. Select No To All if you see this message.

The SiteMinder Agent files are copied to the specified location. Afterward, the ERP Agent Configuration dialog is displayed.

9. Choose one of the following options:

Yes. I would like to configure the Agent now.

No. I will configure the Agent later.

If the installation program detects that there are locked Agent files, it will prompt you to restart your system instead of reconfiguring it. Select whether to restart the system automatically or later on your own.

10. If you choose not to configure the Agent, the Install Complete dialog box displays.

11. Click Done.

If you selected the option to configure the Agent automatically, the installation program prepares the SiteMinder Agent Configuration Wizard and begins the configuration process described in Run the Agent Configuration Wizard on Windows.

Note: After installation, you can review the installation log files in ERP_agent_home\install_config_info.

More information:

Run the Agent Configuration Wizard on Windows


Run a GUI Mode Installation on UNIX

Perform the following procedure to run the SiteMinder Agent installer in GUI mode on UNIX platforms.

Notes:

Running a SiteMinder Agent GUI-mode installation or running the Configuration Wizard using the Exceed application may cause text in the dialog boxes to be truncated because of unavailable fonts. This limitation has no effect on SiteMinder Agent installation and configuration.

If you are installing the SiteMinder Agent via telnet or other terminal emulation software, you must have an X-Windows session running in the background to run the GUI mode installation. Additionally, you need to set the DISPLAY variable to your terminal, as follows:

DISPLAY=111.11.1.12:0.0
export DISPLAY

If you try to run in GUI mode through a telnet window without an X-Windows session, the installer throws a Java exception and exits.

You can also run a command-line installation from a console window.

To run a GUI mode installation on UNIX

1. Navigate to the directory for your operating system (aix, hpux, linux, solaris) in the installation media.

2. Copy the appropriate binary file to a local directory then navigate to that directory:

Solaris: ca-erpconn-5.6-sp4-sol.bin

AIX: ca-erpconn-5.6-sp4-aix.bin

Linux: ca-erpconn-5.6-sp4-linux.bin

HP-UX: ca-erpconn-5.6-sp4-hp.bin

HP-UX Itanium: ca-erpconn-5.6-sp4-hp-itan.bin

3. Open a console window and check the permissions on the binary file. You may need to add execute permissions to the install file. For example:

chmod +x ca-erpconn-5.6-sp4-sol.bin

4. In the console window, navigate to the local installation directory then enter:

./ca-erpconn-5.6-sp4-operating_system.bin

where operating_system is sol, aix, linux, hp, or hp-itan

The installation program prepares the files.

5. Review the information in the Introduction dialog box, then click Next.


6. Read the License Agreement then select the radio button to accept the agreement. Click Next.

If you do not accept the agreement, the installation terminates.

7. Read the notes in the Important Information dialog box, then click Next.

8. In the Select an ERP Agent to Install window, select SAP Web Application Server Agent, and click Next.

9. In the Finding Installed Software window, select the server software packages installed on the local machine then click Next. (Elements of the SAP Web Application Server agent must be installed on the SAP Web Application Server, the Web server where the SiteMinder Web Agent has been installed, and the SiteMinder Policy server.)

Note: If these server packages are located on different machines, you will need to run the installer on each of these systems.

10. In the Choose Install Folder dialog box, accept the default location (~/CA/erpconn) or use the Choose button to select a different location. Click Next.

If you select a non-default location then want to revert to the default directory, click Restore Default Folder.

11. Review the information in the Pre-Installation Summary dialog box, then click Install.

Note: The installation program may detect that newer versions of certain system libraries are installed on your system. It asks if you want to overwrite these newer files with older files. Select No To All if you see this message.

12. The SiteMinder Agent files are copied to the specified location.

13. In the Install Complete dialog box, click Done.

Note: After installation, you can review the installation log files in ERP_agent_home/install_config_info.


Run a Console Mode Installation on UNIX

Perform the following procedure to run the SiteMinder Agent installer in console mode on UNIX platforms.

To run a console mode installation

1. Navigate to the directory for your operating system (aix, hpux, linux, solaris) in the installation media.

2. Copy the appropriate binary file to a local directory then navigate to that directory:

Solaris: ca-erpconn-5.6-sp4-sol.bin

AIX: ca-erpconn-5.6-sp4-aix.bin

Linux: ca-erpconn-5.6-sp4-linux.bin

HP-UX: ca-erpconn-5.6-sp4-hp.bin

HP-UX Itanium: ca-erpconn-5.6-sp4-hp-itan.bin

3. Open a console window and check the permissions on the binary file. You may need to add execute permissions to the install file. For example:

chmod +x ca-erpconn-5.6-sp4-sol.bin

4. In the console window, navigate to the local installation directory then enter:

./ca-erpconn-5.6-sp4-operating_system.bin -i console

where operating_system is sol, aix, linux, hp, or hp-itan

The installation program prepares the files.

Note: At any time during the installation procedure, you can enter Quit in order to exit the procedure.

5. Review the Introduction and press Enter to continue.

The installation prepares the License Agreement.

6. Read the License Agreement, pressing Enter to read through the entire agreement.

7. Enter Y to accept the agreement and continue with the installation.

8. Review the Important Information section for information about the installation and documentation.

Press Enter to page through the notes and continue through the installation.

9. On the Select an ERP Agent to Install page, enter the number that corresponds to SAP Web Application Server Agent, and press the Enter key.


10. On the Finding Installed Software page, enter a comma-separated list of numbers representing server software packages installed on the local machine or press Enter to accept the default. (Elements of the SAP Web Application Server agent must be installed on the SAP Web Application Server, the Web server where the SiteMinder Web Agent has been installed, and the SiteMinder Policy server.)

Note: If these server packages are located on different machines, you will need to run the installer on each of these systems.

11. On the Choose Install Folder page, specify the location where you want the SAP Web AS agent to be installed. Press Enter to accept the default folder (~/CA/erpconn) or enter the full path to the required folder and then press Enter.

12. Review the information in the Pre-Installation Summary, then press ENTER to continue. The program begins installing files.

13. Press the Enter key to exit the installer.

Note: After installation, you can review the installation log files in ERP_agent_home/install_config_info.

SiteMinder Policy Server and Web Server Configuration

SessionLinker Configuration

SessionLinker maintains the linkage between the SiteMinder session and the application session. Once associated, the SessionLinker makes sure that a particular application session or foreign session is available for use only with the associated SiteMinder sessions. Attempts by any other SiteMinder sessions to use the same foreign session or the application session will be prevented by the SessionLinker.

SessionLinker monitors and tracks the SiteMinder session against the application session cookies, as identified by the SessionLinker active response. When the two sessions diverge, SessionLinker attempts to destroy the application session cookies, which forces the application to recreate its session cookies based upon the current SiteMinder session information.

SessionLinker is installed as part of the installation of the SiteMinder Agent for SAP Web AS on the SiteMinder Policy server and web server machines.

The SessionLinker must monitor two application session cookies, MYSAPSSO2 and JSESSIONID, which should be mentioned in the SessionLinker active response. Refer to the eTrust SiteMinder Agent - SessionLinker Guide for details on specifying multiple application cookies.


Map a SiteMinder User as a Web AS User

Mapping allows the SiteMinder User ID to be different from the Web AS username.

To map a SiteMinder user to a Web AS user

Select a User attribute from the SiteMinder User directory to identify the Web AS username. The value of this User attribute should exactly match the Web AS username in the Web AS User Store.

Note: This User attribute value will be used to create the MYSAPSSO2 ticket and to provide access to the Web AS application.

Configure SiteMinder Web Agent

Perform the following procedure to configure the SiteMinder Web Agent.

To configure the SiteMinder Web Agent

1. Install and configure the SiteMinder Web Agent on the front-end web server. See eTrust SiteMinder Web Agent Installation Guide.

2. Set the following parameters of the Agent Configuration Object:

FCCCompatMode = No

DisableSessionVars = No

3. If you have an Enterprise Portal integration, modify the following parameters of the Agent Configuration Object for certain Enterprise Portal links to function properly:

Remove // and ~ from the list in the BadUrlChars parameter.

Remove < and > from the list in the BadCSSChars parameter.

4. Restart the web server to reflect the changed values.

More information:

SiteMinder Session ID Header Not Found or Empty (see page 52)

SiteMinder Session Spec Header Not Found or Empty (see page 52)


Enabling the 4.x Agent

Although the Web AS Agent supports SiteMinder Web Agent versions 5.x and 6.x, the SiteMinder login module (which provides the second tier of authentication) uses the Agent Name and Shared Secret model.

Make sure that the agent object, used by the Web AS Agent, has the Support 4.x agents check box enabled. You will also need to provide a shared secret.

Configure SiteMinder Policies

Perform the following procedure to configure SiteMinder policies.

To configure SiteMinder Policies

1. Create a validation realm for protecting the resource /smwebasagent/ by using a SiteMinder authentication scheme and the agent object used by the Web Agent, configured in Configuring SiteMinder Web Agent (see page 21).

2. Create a rule protecting Get and Post on the realm.

3. Create a response that contains the following two Web Agent HTTP Header response attributes:

A User attribute, set to a Variable Name WASUSERNAME (an Attribute Name set to the attribute that should be presented to the Web AS for SSO2 ticket generation). See Mapping SiteMinder and Web AS Users (see page 21).

An Active Response for NPSSessionLinker, set as follows:

Leave the Variable Name blank.

Set the Library Name to npssessionlinker.

Set the Function Name to Config.

Set the Parameters to COOKIE1=MYSAPSSO2;COOKIE2=JSESSIONID.

In the Advanced tab, remove the leading equal sign (=).

The result should appear as:

<@lib="npssessionlinker" func="Config" param="COOKIE1=MYSAPSSO2;COOKIE2=JSESSIONID"@>

4. Create a policy that includes the above rule with an appropriate set of users. Associate the responses with the rule created in Step 2.
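The following check for the active response string from Step 3 is an added example, not part of the product or of this guide. It assumes the response text has been copied out of the Advanced tab, and that the library and function names must match the guide's values exactly.

```python
import re

# Values taken from Step 3 of the guide; comparing them exactly is an assumption.
EXPECTED_LIB = "npssessionlinker"
EXPECTED_FUNC = "Config"
REQUIRED_COOKIES = ("MYSAPSSO2", "JSESSIONID")

RESPONSE_RE = re.compile(
    r'^<@\s*lib="(?P<lib>[^"]*)"\s+func="(?P<func>[^"]*)"'
    r'\s+param="(?P<param>[^"]*)"\s*@>$'
)
COOKIE_KEY_RE = re.compile(r"COOKIE\d+")


def check_sessionlinker_response(value):
    """Return a list of problems found in a SessionLinker active response."""
    problems = []
    text = value.strip()

    # Step 3 says to remove the leading equal sign in the Advanced tab.
    if text.startswith("="):
        problems.append("leading '=' has not been removed")
        text = text[1:].lstrip()

    match = RESPONSE_RE.match(text)
    if match is None:
        problems.append('expected <@lib="..." func="..." param="..."@>')
        return problems

    if match["lib"] != EXPECTED_LIB:
        problems.append(f"lib is {match['lib']!r}, expected {EXPECTED_LIB!r}")
    if match["func"] != EXPECTED_FUNC:
        problems.append(f"func is {match['func']!r}, expected {EXPECTED_FUNC!r}")

    # Collect the cookie names from COOKIEn=<name> items; other items are ignored.
    monitored = set()
    for item in match["param"].split(";"):
        key, sep, cookie = item.partition("=")
        if sep and COOKIE_KEY_RE.fullmatch(key.strip()):
            monitored.add(cookie.strip())

    # Both application session cookies must be linked to the SiteMinder session.
    for cookie in REQUIRED_COOKIES:
        if cookie not in monitored:
            problems.append(f"cookie {cookie} is not listed in param")
    return problems


if __name__ == "__main__":
    sample = ('<@lib="npssessionlinker" func="Config" '
              'param="COOKIE1=MYSAPSSO2;COOKIE2=JSESSIONID"@>')
    print(check_sessionlinker_response(sample) or "active response looks correct")
```
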


Installing and Verifying with the Test Page

A test page, webastest, is installed in the \sapwebas\samples subfolder of the folder which you selected for installing the SiteMinder Agent for SAP Web AS.

Use this test page to verify the configuration for SiteMinder Agent for SAP Web AS.

Installing the Test Page

To install the test page, copy one of the following files to the /smwebasagent/ virtual folder on the web server:

webastest.asp (ASP for IIS)

webastest.pl (Perl for Apache, IBM Http Server)

webastest.jsp (JSP for Sun ONE)

Verify the SiteMinder Agent Configuration for Web AS

Perform the following procedure to verify that the SiteMinder Agent configuration for Web AS is correct.

To verify the configuration for SiteMinder Agent for SAP Web AS

1. Use the browser to access the appropriate webastest test page for your web server (.asp, .pl, or .jsp file).

If configuration is done correctly, the user is challenged and on entering valid user credentials, the test page is displayed. The page displays a set of headers, which are required for this integration.

2. Verify that the following headers are displayed correctly:

WASUSERNAME

SM_SERVERSESSIONID or SMSERVERSESSIONID

SM_SERVERSESSIONSPEC or SMSERVERSESSIONSPEC

NPS_SESSION_LINKER

Note: The WASUSERNAME header value should match the actual Web AS username.

3. If the headers display incorrectly or if the header values are missing, the test page indicates that a problem exists. Review the steps in SiteMinder Policy Server and Web Server Configuration (see page 20) to determine the cause of the problem.

4. If no problem exists, proceed to SAP Web Application Server Configuration (see page 24).
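The header checks from Steps 2 and 3 can also be scripted; the following is an added example, not the webastest page shipped with the product. It assumes the headers are available as a name/value mapping (for example a CGI environment, where names carry an HTTP_ prefix), and the sample values are constructed.

```python
# Headers the guide lists in Step 2; each tuple holds accepted alternatives.
REQUIRED_HEADERS = [
    ("WASUSERNAME",),
    ("SM_SERVERSESSIONID", "SMSERVERSESSIONID"),
    ("SM_SERVERSESSIONSPEC", "SMSERVERSESSIONSPEC"),
    ("NPS_SESSION_LINKER",),
]


def normalise(name):
    """Map a header name as a script sees it to the spelling used in the guide.

    Assumption: names may arrive in mixed case, with '-' instead of '_',
    or with the CGI 'HTTP_' prefix.
    """
    name = name.upper().replace("-", "_")
    return name[5:] if name.startswith("HTTP_") else name


def check_agent_headers(headers, webas_username=None):
    """Return a list of problems; an empty list means the headers look correct."""
    seen = {normalise(k): (v or "").strip() for k, v in headers.items()}
    problems = []

    for alternatives in REQUIRED_HEADERS:
        label = " or ".join(alternatives)
        present = [name for name in alternatives if name in seen]
        if not present:
            problems.append(f"{label}: header not found")
        elif not any(seen[name] for name in present):
            problems.append(f"{label}: header is empty")

    # The guide requires WASUSERNAME to match the actual Web AS username.
    user = seen.get("WASUSERNAME", "")
    if webas_username is not None and user and user != webas_username:
        problems.append(
            f"WASUSERNAME: value {user!r} does not match "
            f"Web AS username {webas_username!r}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample: headers as a Perl/CGI test page would see them.
    sample = {
        "HTTP_WASUSERNAME": "jsmith",
        "HTTP_SMSERVERSESSIONID": "constructed-session-id",
        "HTTP_SMSERVERSESSIONSPEC": "",
        "HTTP_USER_AGENT": "example",
    }
    for problem in check_agent_headers(sample, webas_username="jsmith"):
        print(problem)
```
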


Configure the SAP Web Application Server

How to Update the SiteMinder Policies

The following are guidelines for updating the SiteMinder Policies:

Do not modify the SiteMinder policies configured in Configure SiteMinder Policies (see page 22). These policies will be re-used by the SiteMinder login module for Tier 2 authentication.

Create additional policies for protecting each of the Web AS applications as well as the Enterprise Portal. The procedure for creating additional policies is the same as in the SP2 version. Refer to Configure SiteMinder Policies (see page 22).

The resource to be protected for Web AS applications depends on the particular Web AS application. For Enterprise Portal, /irj/ is typically the resource to be protected. For webdynpro applications, protect the /web-dynpro/ resource.

Make sure that all users who will access the Web AS or Enterprise Portal applications are included in the policies created for the /smwebasagent/ validation realm.

More information:

Configure SiteMinder Policies (see page 22)

Configure the SiteMinder Agent

You configure the SiteMinder Agent for SAP Web AS using a configuration wizard.


Run the Agent Configuration Wizard on Windows

Perform the following procedure to run the SiteMinder ERP Agent Configuration Wizard.

To run the ERP Agent Configuration Wizard

1. If necessary, start the ERP Agent Configuration Wizard (it may have been invoked by the installer):

a. Navigate to Agent_Install_Dir

b. Double-click ca-erp-config.cmd.

Note: If you chose to configure the Web Agent immediately after the installation, the ERP Agent installer starts the wizard automatically.

The configuration wizard starts.

2. Proceed through the wizard as prompted, providing the following information when it is requested:

ERP Agent to configure

Name of the ERP SAP Web Application Server Agent.

Location for the SAP Web Application Server

SAP Web Application Server instance root directory.

Load balancing mode to be used if the ERP Agent is configured to work with multiple Policy Servers

One of:

Fail Over (default)

Load Balancing

IP addresses of Policy Servers with which the SiteMinder ERP Agent communicates when validating sessions

One or more Policy server IP addresses.

Example: 127.0.0.1

If you specify multiple Policy server IP addresses, use a space as separator.

If the Policy server uses ports other than the default port values, specify the ports for the particular Policy server after the Policy server IP and use a comma (,) as separator. The order is Acct port, Auth port, and Az port (Accounting, Authentication, and Authorization). If you do not specify the ports, the default port values of 44441, 44442 and 44443 are assumed for the Acct, Auth, and Az servers.


Name of the Agent object to use for the SiteMinder Agent for SAP Web AS login module

Agent name.

Example: webasagent

The value of this parameter must:

Match the agent name used in the policies described in Updating the SiteMinder Policies (see page 24).

Be enabled for supporting a 4.x agent as described in Enabling the 4.x Agent (see page 22).

Shared secret for the Agent name (and confirmation of that value)

Shared secret.

Example: secret

This value may be encrypted by using the NPSEncrypt utility (NPSEncrypt.exe), which is installed in the ERP Agent Installation Folder\sapwebas\tools folder.

Note: You cannot copy and paste a value encrypted with the Web Agent’s encryption tools.

URI of the protected resource used by the SiteMinder Agent for SAP Web AS

URI string.

This value will be used as a tier 2 validation realm by the SiteMinder Agent for SAP Web AS.

Example: /smwebasagent/

This URI must match the protected resource used in the policies described in How to Update the SiteMinder Policies (see page 24).

(Optional) SiteMinder Agent for SAP Web AS License String

Valid License String.

If no string is specified, the software assumes you are using an evaluation version, which allows the agent to be used for a maximum period of 2 hours after which a restart of the Web AS J2EE engine will be required.


(Optional) URL of the Error page

Absolute URL of the Error page which will be displayed if the SiteMinder login module fails.

If the ErrorURL is not specified and if the SiteMinder login module fails, an error message is displayed in the browser (see page 54).

3. Confirm your configuration selections and press Configure to proceed. (If you are not happy with your selections, click Previous to return to earlier screens to change them.)

The Configuring CA SiteMinder ERP Agent v5.6 SP4 screen opens and a progress indicator appears.

4. On the Configuration Complete screen, review the results of the configuration process and click Done.

Run the Agent Configuration Wizard in GUI Mode on UNIX

Perform the following procedure to run the SiteMinder Agent installer in GUI mode on UNIX platforms.

Notes:

Running the Configuration Wizard using the Exceed application may cause text in the dialog boxes to be truncated because of unavailable fonts. This limitation has no effect on SiteMinder Agent configuration.

If you are configuring the SiteMinder Agent via telnet or other terminal emulation software, you must have an X-Windows session running in the background. Additionally, you need to set the DISPLAY variable to your terminal, as follows:

DISPLAY=111.11.1.12:0.0
export DISPLAY

If you try to run in GUI mode through a telnet window without an X-Windows session, the installer throws a Java exception and exits.

You can also run a command-line configuration from a console window.


To run the SiteMinder ERP Agent Configuration Wizard in GUI mode on UNIX

1. Start the ERP Agent Configuration Wizard:

a. Open a console window and navigate to Agent_Install_Dir

b. Check the permissions on the ca-erp-config.sh file. You may need to add execute permissions. For example:

chmod +x ca-erp-config.sh

c. Enter:

./ca-erp-config.sh

The configuration wizard starts.

2. Proceed through the Wizard as prompted, providing the following information when it is requested:

ERP Agent to configure

Name of the ERP SAP Web Application Server Agent.

Location for the SAP Web Application Server

SAP Web Application Server instance root directory.

Load balancing mode to be used if the ERP Agent is configured to work with multiple Policy Servers

One of:

Fail Over (default)

Load Balancing

IP addresses of Policy Servers with which the SiteMinder ERP Agent communicates when validating sessions

One or more Policy server IP addresses.

Example: 127.0.0.1

If you specify multiple Policy server IP addresses, use a space as separator.

If the Policy server uses ports other than the default port values, specify the ports for the particular Policy server after the Policy server IP and use a comma (,) as separator. The order is Acct port, Auth port, and Az port (Accounting, Authentication, and Authorization). If you do not specify the ports, the default port values of 44441, 44442 and 44443 are assumed for the Acct, Auth, and Az servers.


Name of the Agent object to use for the SiteMinder Agent for SAP Web AS login module

Agent name.

Example: webasagent

The value of this parameter must:

Match the agent name used in the policies described in Updating the SiteMinder Policies (see page 24).

Be enabled for supporting a 4.x agent as described in Enabling the 4.x Agent (see page 22).

Shared secret for the Agent name (and confirmation of that value)

Shared secret.

Example: secret

This value may be encrypted by using the NPSEncrypt utility (NPSEncrypt.exe), which is installed in the ERP Agent Installation Folder\sapwebas\tools folder.

Note: You cannot copy and paste a value encrypted with the Web Agent’s encryption tools.

URI of the protected resource used by the SiteMinder Agent for SAP Web AS

URI string.

This value will be used as a tier 2 validation realm by the SiteMinder Agent for SAP Web AS.

Example: /smwebasagent/

This URI must match the protected resource used in the policies described in How to Update the SiteMinder Policies (see page 24).

(Optional) SiteMinder Agent for SAP Web AS License String

Valid License String.

If no string is specified, the software assumes you are using an evaluation version, which allows the agent to be used for a maximum period of 2 hours after which a restart of the Web AS J2EE engine will be required.


(Optional) URL of the Error page

Absolute URL of the Error page which will be displayed if the SiteMinder login module fails.

If the ErrorURL is not specified and if the SiteMinder login module fails, an error message is displayed in the browser (see page 54).

3. Confirm your configuration selections and press Configure to proceed. (If you are not happy with your selections, click Previous to return to earlier screens to change them.)

The Configuring CA SiteMinder ERP Agent v5.6 SP4 screen opens and a progress indicator appears.

4. On the Configuration Complete screen, review the results of the configuration process and click Done.

Run the Agent Configuration Wizard in Console Mode on UNIX

Perform the following procedure to run the SiteMinder Agent Configuration Wizard in console mode on UNIX platforms.

Note: You can also run the configuration wizard in GUI mode.

To run the SiteMinder ERP Agent Configuration Wizard in console mode on UNIX

1. Start the ERP Agent Configuration Wizard:

a. Open a console window and navigate to Agent_Install_Dir/install_config_info

b. Check the permissions on the ca-erp-config.bin file. You may need to add execute permissions. For example:

chmod +x ca-erp-config.bin

c. Enter:

./ca-erp-config.bin -i console

The configuration wizard starts.

2. Proceed through the Wizard as prompted, providing the following information when it is requested:

ERP Agent to configure

Name of the ERP SAP Web Application Server Agent.

Location for the SAP Web Application Server

SAP Web Application Server instance root directory.


Load balancing mode to be used if the ERP Agent is configured to work with multiple Policy Servers

One of:

Fail Over (default)

Load Balancing

IP addresses of Policy Servers with which the SiteMinder ERP Agent communicates when validating sessions

One or more Policy server IP addresses.

Example: 127.0.0.1

If you specify multiple Policy server IP addresses, use a space as separator.

If the Policy server uses ports other than the default port values, specify the ports for the particular Policy server after the Policy server IP and use a comma (,) as separator. The order is Acct port, Auth port, and Az port (Accounting, Authentication, and Authorization). If you do not specify the ports, the default port values of 44441, 44442 and 44443 are assumed for the Acct, Auth, and Az servers.

Name of the Agent object to use for the SiteMinder Agent for SAP Web AS login module

Agent name.

Example: webasagent

The value of this parameter must:

Match the agent name used in the policies described in Updating the SiteMinder Policies (see page 24).

Be enabled for supporting a 4.x agent as described in Enabling the 4.x Agent (see page 22).

Shared secret for the Agent name (and confirmation of that value)

Shared secret.

Example: secret

This value may be encrypted by using the NPSEncrypt utility (NPSEncrypt.exe), which is installed in the ERP Agent Installation Folder\sapwebas\tools folder.

Note: You cannot copy and paste a value encrypted with the Web Agent’s encryption tools.


URI of the protected resource used by the SiteMinder Agent for SAP Web AS

URI string.

This value will be used as a tier 2 validation realm by the SiteMinder Agent for SAP Web AS.

Example: /smwebasagent/

This URI must match the protected resource used in the policies described in How to Update the SiteMinder Policies (see page 24).

(Optional) SiteMinder Agent for SAP Web AS License String

Valid License String.

If no string is specified, the software assumes you are using an evaluation version, which allows the agent to be used for a maximum period of 2 hours after which a restart of the Web AS J2EE engine will be required.

(Optional) URL of the Error page

Absolute URL of the Error page which will be displayed if the SiteMinder login module fails.

If the ErrorURL is not specified and if the SiteMinder login module fails, an error message is displayed in the browser (see page 54).

3. Review the information in the Pre-Configuration Summary, then press the Enter key to continue. The program begins the configuration process.

4. Press the Enter key to exit the installer.

Note: After installation, you can review the installation log files in ERP_agent_home/install_config_info.
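The Policy Server address value requested by the configuration wizard (Windows, GUI and console modes alike) can be checked before it is typed in; the following is an added example, not part of the product. It assumes the format reads as IP[,Acct,Auth,Az] with entries separated by spaces, and that an entry gives either all three ports or none.

```python
import ipaddress

# Default Acct, Auth and Az ports stated in the guide.
DEFAULT_PORTS = (44441, 44442, 44443)
PORT_LABELS = ("Acct", "Auth", "Az")


def parse_policy_servers(value):
    """Parse the wizard's Policy Server list.

    Returns (servers, problems): servers is a list of (ip, acct, auth, az)
    tuples, problems is a list of messages for entries that were rejected.
    """
    servers, problems = [], []
    for entry in value.split():          # entries are separated by spaces
        ip_text, *port_texts = entry.split(",")
        try:
            ip = str(ipaddress.ip_address(ip_text))
        except ValueError:
            problems.append(f"{entry}: {ip_text!r} is not an IP address")
            continue

        if not port_texts:               # no ports given: defaults apply
            servers.append((ip, *DEFAULT_PORTS))
            continue
        if len(port_texts) != 3:         # assumption: all three ports or none
            problems.append(f"{entry}: expected three ports (Acct,Auth,Az) or none")
            continue

        bad = [
            f"{label} port {text!r}"
            for label, text in zip(PORT_LABELS, port_texts)
            if not (text.isascii() and text.isdigit() and 1 <= int(text) <= 65535)
        ]
        if bad:
            problems.append(f"{entry}: invalid " + ", ".join(bad))
            continue
        servers.append((ip, *(int(text) for text in port_texts)))

    if not servers and not problems:
        problems.append("no Policy Server address given")
    return servers, problems


if __name__ == "__main__":
    # Constructed sample: one server on non-default ports, one on defaults.
    servers, problems = parse_policy_servers("10.0.0.5,45441,45442,45443 10.0.0.6")
    for ip, acct, auth, az in servers:
        print(f"{ip}: Acct={acct} Auth={auth} Az={az}")
    for problem in problems:
        print("rejected:", problem)
```
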

Deploy and View SiteMinderLoginModule.sda

SDA is a Software Delivery Archive used by SAP as the mechanism for deploying components with NW2004. See the http://help.sap.com/saphelp_erp2005/helpdata/en/4f/eae1401b52b533e10000000a155106/frameset.htm site for more information about an SDA.

Deploy SiteMinderLoginModule.sda and use the J2EE Engine Visual Administrator to view it.


Prerequisites

The prerequisites to the deployment of SiteMinderLoginModule.sda are the following:

SiteMinderLoginModule.sda must be available.

The SDM server must be installed and started on the host to be accessed.

Deploy SiteMinderLoginModule.sda

Perform the following procedure to deploy SiteMinderLoginModule.sda.

To deploy SiteMinderLoginModule.sda

1. Start the SDM GUI, by executing one of the following script files in the usr/sap/SID/instance_name/SDM/Program directory.

RemoteGui.bat for Windows hosts

RemoteGui.sh for UNIX hosts

2. Log in to the SDM server:

a. Select SDM GUI, Login.

b. Enter the SDM server password. If the SDM password was not explicitly specified during the SDM installation, the default is sdm.

c. Optionally, enter a description of the user who is logging in, in the User Description field.

d. Enter the SDM server hostname and port.

e. Select Login. The SDM Repository in the SAP - Software Deployment Manager GUI appears.

3. Select the Deployment tab. The Step 1 of 4: Choose SCAs/SDAs to be deployed screen appears.

4. Click the Add SDA button, which is the first button to the left. The Choose window appears.

5. Browse to the location of SiteMinderLoginModule.sda, and select it. Click Next. The required module is displayed on the window.

6. Click Next. The Repository Preview pane appears.

7. Click Next. The message Step 3 of 4 SDM is Ready to Deploy - Start Deployment appears.

8. Click Start. Deployment starts, and a progress bar indicates the progress of the operation.


9. When the Overall Deployment Progress is 100%, click Confirm.

10. Disconnect and Exit from SDM GUI by either clicking the Disconnect button or selecting the appropriate choice in the menu. SiteMinderLoginModule is successfully deployed.

View the Deployed SiteMinderLoginModule.sda

Perform the following procedure to view SiteMinderLoginModule deployed as an SDA.

To view the deployed SiteMinderLoginModule.sda

1. In the Visual Administrator GUI of J2EE Engine, select in turn Global Configuration, cluster, SID, server 0_0..., Libraries. The Global Configuration pane appears.

2. Select the SiteMinderLoginModule node. A window pane appears displaying the SiteMinder jars contained in the JARs Contained field, and a reference to the security interface in the Library Reference field.

Configure SiteMinderLoginModule

Perform the following procedure to configure SiteMinderLoginModule.

To configure SiteMinderLoginModule

1. Open the J2EE Engine Visual Administrator console and, on the Cluster tab, navigate to Server, Services, Security Provider.

2. Select the Runtime tab and the User Management tab.

3. Click the Manage Security Stores button.

4. Select the UME User Store for the User Store in use in the current Web AS environment.

5. Click the Add Login Module button.

6. When the dialog box is displayed, click OK (no need to specify anything in this dialog box).

7. In the Add Login Module dialog box, specify the class name as:

com.netegrity.siteminder.sap.webas.jaas.SiteMinderLoginModule

8. Specify the display name, for example SiteMinderLoginModule, and a description for the login module, and click OK.

9. Make sure Security Provider is still selected on the Cluster tab, and click the Properties tab.

10. For the LoginModuleClassLoaders property, enter the Value: library:ca.com~SiteMinderLoginModule


11. Click the Update button.

12. Click the Save icon in the toolbar above the Properties tab.

13. When you are prompted, restart the server.

14. Restart the J2EE engine.

Create an Authentication Template

Perform the following procedure to create an authentication template.

To create an authentication template

1. Open the J2EE Engine Visual Administrator console.

2. On the Cluster tab, navigate to and select Server, Services, Security Provider.

3. Click the Runtime tab and click the Policy Configurations tab.

4. At the bottom of the Components panel, click the Add button.

5. In the dialog box, enter the name for the new authentication template (new policy configuration), for example, siteminder. Click OK.

6. In the Components panel, select the siteminder authentication template you just created.

7. Click the Authentication tab for the template and click the Add New button.


8. Add the following information to the template:

Login Module: SiteMinderLoginModule

Flag: REQUISITE if SiteMinderLoginModule is configured as the only Login Module. Typically OPTIONAL if other Login Modules are also configured. However, other settings may be used based on the specific requirements of your deployment.

Options: (Optional) redirectOnError

If set to True (the default), SiteMinderLoginModule redirects users to the Error page or sends a 403 error response on authentication failure.

If set to False, SiteMinderLoginModule does not redirect users to the Error page or send a 403 error response on authentication failure.

Note: You must set redirectOnError to False if multiple Login Modules are configured and the OPTIONAL flag is set.

Login Module: com.sap.security.core.server.jaas.CreateTicketLoginModule

Flag: REQUIRED

Options: ume.configuration.active

Note: Set this option to True.

Select Applications to Use the Authentication Template

Applications deployed on the Web AS J2EE engine can use the SiteMinder Authentication template, which you created in Creating an Authentication Template.

To select applications to use the authentication template

1. Make sure that the application to be protected (by the SiteMinder Agent for SAP Web AS product) is deployed on the Web AS J2EE engine.

2. In the Visual Administrator console, select the Security Provider service from the Cluster list.

3. Click the Runtime tab and the Policy Configurations tab.

4. From the Components list, select your application.

5. In the Authentication tab, click the drop-down list to select the SiteMinder authentication template.

Configure the Enterprise Portal Authentication Scheme

In order to integrate the SiteMinder Login module with the Enterprise Portal, you must create a SiteMinder AuthScheme.

To create a SiteMinder AuthScheme

1. Make sure the SiteMinder Agent for SAP Web AS solution is deployed on the Web AS J2EE Engine, as described in the following sections of this guide:

How to Update the SiteMinder Policies (see page 24)

Deploy and View SiteMinderLoginModule (see page 32)

Configure SiteMinderLoginModule

2. Create a backup of the existing authschemes.xml file, as follows:

a. In the Web AS J2EE Engine Visual Administrator console, select the Configuration Adapter service under the Server node.

b. In the Display Configuration tab, scroll to the following:

cluster_data, server, persistent, com.sap.security.core.ume.service, authschemes.xml

c. Double-click authschemes.xml, and click the Download button to keep a copy of the file.

3. Edit the authschemes.xml file:

a. Click the Edit button to switch to the edit mode. At the prompt, click Yes.

b. Click the Write button (pencil icon) to open authschemes.xml.

c. Create a new authscheme by copying the elements of the existing uidpwdlogon authscheme. Rename the new authscheme to SiteMinder.

See the following example:

d. Modify frontendtarget of the SiteMinder authscheme to point to a URL iView, which should refer to an error page. This page will be presented to the user if authentication is unsuccessful or if the authentication stack fails. For details on creating a URL iView, see the SAP documentation.

Note: The value of frontendtarget given here is just for reference, and needs to be changed as per the user environment. Also if the frontendtarget value given here is an iView, the Everyone group should be given Read access to it.

e. Modify the default authscheme-ref so that it points to the SiteMinder authscheme.

f. Click OK to save changes to the authschemes.xml file.

4. Navigate to Server, Services, and select Security Provider.

5. Click the Runtime tab and the Select Policy Configurations tab.

6. Optionally, remove other Login Modules (BasicPasswordLoginModule, EvaluateTicketLoginModule) from the ticket authentication template stack.

7. Add the following modules to the ticket authentication template stack, in the order shown and after the EvaluateTicketLoginModule, if present:

SiteMinderLoginModule

CreateTicketLoginModule

8. Do one of the following:

If there are no other Login Modules in the stack, ensure that the following flags are set:

– SiteMinderLoginModule with flag REQUISITE

– CreateTicketLoginModule with flag REQUIRED

If there are other Login Modules in the stack, you may need to change the Login Module flags as shown below or based upon deployment-specific requirements:

– SiteMinderLoginModule with flag OPTIONAL

– CreateTicketLoginModule with flag OPTIONAL

Note: You must set the redirectOnError option to False if the OPTIONAL flag is set for SiteMinderLoginModule.

9. Restart the Web AS J2EE engine for the changes to take effect.
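
The flag choices in steps 7 and 8, and in the authentication template table earlier, follow standard JAAS control-flag semantics. The following Python model is an added example, not code from this guide, CA or SAP: it evaluates a login stack under those semantics (including SUFFICIENT, which this guide does not use) and checks a stack against the ordering, flag and redirectOnError rules stated above. The SUFFICIENT flag on EvaluateTicketLoginModule in the mixed stack is an assumption.

```python
"""Added example: JAAS control-flag evaluation for the login stacks in this guide."""
from dataclasses import dataclass, field

SM = "SiteMinderLoginModule"
CREATE_TICKET = "CreateTicketLoginModule"
EVAL_TICKET = "EvaluateTicketLoginModule"


@dataclass
class Entry:
    module: str
    flag: str  # REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL
    options: dict = field(default_factory=dict)


def evaluate(stack, outcomes):
    """Apply standard JAAS flag semantics to a stack.

    outcomes maps module name -> True/False (whether that module's login succeeds).
    Returns (overall_success, names_of_modules_that_ran).
    """
    mandatory_seen = False  # a REQUIRED or REQUISITE entry has run
    mandatory_ok = True     # every REQUIRED/REQUISITE entry run so far succeeded
    any_ok = False
    ran = []
    for entry in stack:
        ok = outcomes[entry.module]
        ran.append(entry.module)
        any_ok = any_ok or ok
        if entry.flag in ("REQUIRED", "REQUISITE"):
            mandatory_seen = True
            if not ok:
                mandatory_ok = False
                if entry.flag == "REQUISITE":
                    break  # a REQUISITE failure returns control immediately
        elif entry.flag == "SUFFICIENT" and ok and mandatory_ok:
            return True, ran  # a SUFFICIENT success ends the stack early
    # With no REQUIRED/REQUISITE entries, at least one module must succeed.
    return (mandatory_ok if mandatory_seen else any_ok), ran


def lint(stack):
    """Return the rules from this guide that the given stack violates."""
    names = [e.module for e in stack]
    by_name = {e.module: e for e in stack}
    if SM not in by_name or CREATE_TICKET not in by_name:
        return ["stack must contain %s and %s" % (SM, CREATE_TICKET)]
    problems = []
    if names.index(SM) > names.index(CREATE_TICKET):
        problems.append("%s must come before %s" % (SM, CREATE_TICKET))
    if EVAL_TICKET in by_name and names.index(EVAL_TICKET) > names.index(SM):
        problems.append("%s must come after %s" % (SM, EVAL_TICKET))
    sm = by_name[SM]
    if len(stack) == 2:  # no other login modules in the stack
        if sm.flag != "REQUISITE":
            problems.append("%s should be REQUISITE when it is the only login module" % SM)
        if by_name[CREATE_TICKET].flag != "REQUIRED":
            problems.append("%s should be REQUIRED" % CREATE_TICKET)
    redirect = str(sm.options.get("redirectOnError", "True")).lower()  # default is True
    if sm.flag == "OPTIONAL" and redirect != "false":
        problems.append("redirectOnError must be False when %s is OPTIONAL" % SM)
    return problems


# Stack from step 8, first case: no other login modules.
SOLE = [
    Entry(SM, "REQUISITE"),
    Entry(CREATE_TICKET, "REQUIRED", {"ume.configuration.active": "True"}),
]

# Constructed mixed stack. The SUFFICIENT flag is an assumption, and
# redirectOnError is deliberately left at its default to trigger the lint rule.
MIXED = [
    Entry(EVAL_TICKET, "SUFFICIENT"),
    Entry(SM, "OPTIONAL"),
    Entry(CREATE_TICKET, "OPTIONAL"),
]

if __name__ == "__main__":
    print("SOLE lint:", lint(SOLE))
    print("SOLE, SiteMinder fails:", evaluate(SOLE, {SM: False, CREATE_TICKET: True}))
    print("SOLE, ticket creation fails:", evaluate(SOLE, {SM: True, CREATE_TICKET: False}))
    print("MIXED lint:", lint(MIXED))
    print("MIXED, SiteMinder fails only:",
          evaluate(MIXED, {EVAL_TICKET: False, SM: False, CREATE_TICKET: True}))
```

The second SOLE case is the situation behind the "Overall login stack authentication failed" log message: SiteMinderLoginModule succeeds, but a REQUIRED module later in the stack fails.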

Test the Installation and Configuration of SiteMinder Agent for SAP Web AS

It is important to test the installation and configuration.

To test installation and configuration of SiteMinder Agent for SAP Web AS

1. Deploy the test application testapp.ear, which is installed in the SiteMinder Agent for SAP Web AS installation folder\sapwebas\samples\ subfolder. If you are unfamiliar with the application deployment procedure on the Web AS J2EE Engine, refer to the SAP documentation for details.

Once deployed, you will need to add users to the TestAppSecurityRole configured for the test application, as described in the following steps.

2. Open the J2EE Engine Visual Admin console, and navigate to Server, Services, Security Provider.

3. Select the Policy Configurations tab under the Runtime tab.

4. Select the testapp application displayed in the Components list.

5. Select the Security Roles tab on the right panel and select the TestAppSecurityRole.

6. From within the Mappings group-box, click the Add button and select appropriate users from the user tree. Click OK.

Note: Make sure the WASUSERNAME response attribute returns this username (see Configuring SiteMinder Policies (see page 22)).

The user added should be visible in the Users list box.

7. The deployed test application now needs to be protected by the SiteMinder login module. Click the Authentication tab and select the siteminder authentication template (see Selecting Applications to Use the Authentication Template (see page 36)).

8. Create a realm for the application in the Policy server with the resource /testapp/. Create the rules and responses and bind them to a policy as mentioned in Configuring SiteMinder Policies (see page 22).

9. Configure the front-end web server to forward this URL (/testapp/) to the Web AS J2EE Engine. For proxy configuration details for the respective web server, see Front-End Web Server Configuration (see page 55).

10. Access the web page: http://webserver:port/testapp/testconfig.jsp

11. On being challenged, enter valid SiteMinder credentials for authentication.

12. On successful authentication, the test page displays the following HTTP headers:

WASUSERNAME

SM_SERVERSESSIONID or SMSERVERSESSIONID

SM_SERVERSESSIONSPEC or SMSERVERSESSIONSPEC

NPS_SESSION_LINKER

The cookies SMSESSION, JSESSIONID, and MYSAPSSO2 should also be visible (you might need to refresh the page to view them). The user principal displayed should be the same as the WASUSERNAME.

13. If the test is successful, proceed to test the Enterprise Portal configuration settings for the SiteMinder Agent for SAP Web AS. The configuration settings are described in Create a SiteMinder AuthScheme.

14. Make sure you have created a realm for the resource /irj/ in the Policy server with the associated rules and responses (for details, see Configuring SiteMinder Policies (see page 22) and Updating the SiteMinder Policies (see page 24)).

15. Make sure that the WASUSERNAME response attribute configured in this policy is defined to return a valid Enterprise Portal user ID for the corresponding SiteMinder user.

16. Access the URL: http://webserver:port/irj/portal

17. When challenged, enter SiteMinder credentials for authentication. On successful authentication, the portal page is displayed.

Configure the SiteMinderLoginModule Log Level

The SiteMinderLoginModule log messages are added to the Web AS defaulttrace.trc file.

The SiteMinderLoginModule log levels can be configured using the Log Configurator service of the Visual Administrator tool.

To configure the SiteMinderLoginModule Log Level

1. Open the J2EE Engine Visual Administrator console, and select the Cluster tab.

2. Select Server, Services, Log Configurator.

3. Select the Locations tab.

4. Navigate to ROOT LOCATION, com, netegrity, siteminder, sap, webas, util, and select the Severity level as required.

5. Click the save button to save the setting.

View the SiteMinderLoginModule Log Messages

The SiteMinderLoginModule log messages can be viewed using the Log Viewer service of the Visual Administrator tool.

To view the SiteMinderLoginModule log messages

1. Open the J2EE Engine Visual Administrator console, and select the Cluster tab.

2. Select Server, Services, Log Viewer.

3. Select the Runtime tab.

4. Navigate to Cluster, Server, Sap_Install_Folder, System_ID/JC00, j2ee/cluster/server0, log.

5. Double-click defaulttrace.trc. You can now view the messages.

Enable Single Signon for WebDynpro-Based Applications

In order to enable the system to use single signon with WebDynpro applications, you must perform the following procedure.

To enable single signon with WebDynpro applications

1. Make sure that the /webdynpro/ resource is protected by SiteMinder policies.

2. Make sure that the front-end web server is configured to proxy the WebDynpro resources.

3. Log in to Enterprise Portal.

4. Navigate to the System Administration window on Enterprise Portal, and select System Configuration.

5. Select System Landscape, and locate the system that is being used by your WebDynpro-based application.

6. From the system’s context menu, select Open, Object.

7. Select the Web Application Server (WAS) property category.

8. Enter the complete DNS name, including the HTTP/HTTPS port, of the front-end web server as the value of the WAS Host Name property.

9. Click the Save button, and click Close.

10. Restart the SAP Web AS J2EE engine for the changes to take effect.

More information:

How to Update the SiteMinder Policies (see page 24)

Configure the LogOff URL of the Enterprise Portal

Configure the LogOff URL of the Enterprise Portal to the LogOff URI of the SiteMinder Web Agent.

Note: To configure the LogOff URI of the Web Agent refer to the eTrust SiteMinder Web Agent guide.

To configure the LogOff URL for the Enterprise Portal

1. Log in to the portal.

2. Click System Administration, System Configuration, UM Configuration, Direct Editing.

3. Set the parameter ume.logoff.redirect.url to the SiteMinder LogOff URI.

4. Restart Web AS J2EE engine.

Chapter 3: Troubleshooting

This section contains the following topics:

Solve Configuration Problems (see page 45)

Interpret Log File Messages (see page 47)

Solve Configuration Problems

Verify the SiteMinder Policies

You can use the SiteMinder Test tool to verify the SiteMinder policies.

To verify the SiteMinder Policies by using the SiteMinder Test tool

1. Access the SiteMinder Test Tool from the Start, Programs menu.

2. Specify the correct Agent name, Shared Secret, and IP address. Click Connect.

3. Enter the correct validation realm resource (for example, /smwebasagent/), action GET. Click IsProtected.

4. Enter a valid SiteMinder username and password. Click IsAuthenticated, and IsAuthorized.

5. If at any time a red indicator appears or if the responses WASUSERNAME and NPS_SESSION_LINKER do not appear in the Attributes box, examine the SiteMinder Policy server configuration and logs. These are mandatory for proper configuration.

6. Change the resource to the Web AS application. Click IsProtected, IsAuthenticated, and IsAuthorized. Verify that no red indicators appear and that responses appear for WASUSERNAME and NPS_SESSION_LINKER.

7. Change the resource to the Enterprise Portal application resource and click IsProtected, IsAuthenticated, and IsAuthorized. Verify that no red indicators appear and that responses appear for both WASUSERNAME and NPS_SESSION_LINKER.

8. Make sure that the users configured for accessing Web AS and Enterprise portal also have access to the validation realm resource, /smwebasagent/.

Check the Web Agent Log

If the web browser shows a 500 Server Error page, or if the web browser continuously returns to the login page, check the Web Agent log file. The solutions to these problems are found in the eTrust SiteMinder Agent Guide.

Temporarily Disable the Session Linker

Try simplifying the environment by temporarily eliminating the possibility of a problem in Session Linker.

Important: Do not perform this procedure in production—it could expose the system to attacks.

Examine Web AS Log Files and Traces

Check the Web AS log files and traces for any problem.

Examine SiteMinder Agent for SAP Web AS Log File

To interpret SiteMinder Agent for SAP Web AS log messages, see Interpreting Log File Messages (see page 47).

Interpret Log File Messages

The following is a list of common log file messages:

The smwebas.home Property is Not Set (see page 48)

Class Not Found (see page 48)

No JDecrypt File (see page 48)

Java Agent Initialization Errors (see page 49)

Invalid License (see page 49)

Timed-Out Evaluation of SmWebAsAgent (see page 49)

Invalid Entries in the Configuration File (see page 50)

Return Code from doManagement Error (see page 50)

Agent Name or Shared Secret (see page 51)

SiteMinder Session ID Header Not Found or Empty (see page 52)

Resource Not Protected By SiteMinder (see page 52)

WAS Usernames Do Not Match (see page 53)

WAS Username Is Not Present or Is Mismatched (see page 53)

SiteMinder Session Is Invalid (see page 53)

Login Module Authentication Failure

Login Stack Authentication Failure (see page 54)

The smwebas.home Property is Not Set

The Web AS default trace issues the message:

“smwebas.home property not set”

Make sure the smwebas.home property is set—use the Web AS Configuration Tool.

More information:

Install the SmWebAsSSO.conf File

Class Not Found

The Web AS default trace issues the message:

“java.lang.ClassNotFoundException: com.netegrity.siteminder.sap.webas.jaas.SiteMinderLoginModule”

The SiteMinderLoginModule.sda library might not have been deployed, might have been deployed incorrectly, or might not be referenced in the ClassLoaders property of the Security Provider service.

More information:

Deploy and View SiteMinderLoginModule.sda (see page 32)

No JDecrypt File

The Web AS default trace issues:

“no JDecrypt in java.library.path”

The file JDecrypt.dll might not be present in the system path.

More information:

Configuring the SiteMinder Login Module

Java Agent Initialization Errors

Two messages can be issued if the SiteMinder Java Agent API file is not present in the system path:

The SiteMinder Agent for SAP Web AS log file issues: “javaagent_api_init”

The Web AS default trace issues: “Exception from System.loadLibrary(smjavaagentapi) java.lang.UnsatisfiedLinkError: no smjavaagentapi in java.library.path”

If you receive either of these messages, see Configuring the SiteMinder Login Module.

Invalid License

The log file issues the following message:

“Invalid license for product SmWebAsAgent”

The license given for the SiteMinder Agent for SAP Web AS in the Agent configuration might be invalid or the license string might be corrupted. Rerun the Agent Configuration Wizard and ensure that you specify the correct license for the SiteMinder Agent for SAP Web AS.

More information:

Configure the SiteMinder Agent (see page 24)

Timed-Out Evaluation of SmWebAsAgent

The log file issues the following message:

“Evaluation of SmWebAsAgent has timed out”

The evaluation license for the SiteMinder Agent for SAP Web AS (valid for 2 hours by default) may have expired. Contact your CA Sales Representative.

Invalid Entries in the Configuration File

The log file issues the following message:

“Invalid entries in Config file”

Agent configuration details are missing or are incorrect. Rerun the Agent Configuration Wizard.

More information:

Configure the SiteMinder Agent (see page 24)

Return Code from doManagement Error

The log file issues the following message:

“Return code from doManagement(): -1”

This message can occur due to one of the following reasons:

The Agent configuration might contain an incorrect Policy server IP address.

The Policy server might not be running.

A communication problem might exist between the Policy server and the SiteMinder Login Module.

More information:

Configure the SiteMinder Agent (see page 24)

Invalid IP Address or Ports

The log file issues the following message:

“Policy server IP address or ports are invalid”

The Agent configuration might contain the following invalid information for the Policy server:

Invalid IP address

Invalid accounting, authentication or authorization ports

Rerun the Agent Configuration Wizard and ensure that you specify the Policy Server IP address and ports correctly.

More information:

Run the Agent Configuration Wizard on Windows (see page 25)

Agent Name or Shared Secret

The log file issues the following message:

“Agent initialization failed...Check agent name and shared secret”

The agent name, shared secret, or both may be incorrectly configured. Rerun the Agent Configuration Wizard and ensure that you specify the agent name and shared secret correctly.

More information:

Configure the SiteMinder Agent (see page 24)

WASUSERNAME HTTP Header Not Found or Empty

The log file issues the following message:

"WASUSERNAME header not found or empty - Aborting..."

The Web Agent HTTP header response attribute, WASUSERNAME, might not be available to the SiteMinder login module. Check the SiteMinder Web Agent configuration on the front-end web server and Policy server responses. See Configuring SiteMinder Policies (see page 22).

SiteMinder Session ID Header Not Found or Empty

The log file issues the following message:

"SiteMinderSessionID header not found or empty - Aborting..."

The SMSERVERSESSIONID or SM_SERVERSESSIONID HTTP header might not be available to the SiteMinder login module. Check the following items:

The SiteMinder Web Agent configuration on the proxy Web Server

The parameter DisableSessionVars in the Agent Configuration Object, which should be set to NO (but could have incorrectly been set to YES).

SiteMinder Session Spec Header Not Found or Empty

The log file issues the following message:

"SiteMinderSessionSpec header not found or empty - Aborting..."

The SMSERVERSESSIONSPEC or SM_SERVERSESSIONSPEC HTTP header might not be available to the SiteMinder Login Module. Check the following items:

The SiteMinder Web Agent configuration on the proxy Web Server

The parameter DisableSessionVars in the Agent Configuration Object, which should be set to NO (but could have incorrectly been set to YES).

Resource Not Protected By SiteMinder

The log file issues the following message:

"Resource not protected by SiteMinder"

The resource listed in the Agent configuration has not been protected in the Policy server. Create a realm and associated rules and responses for the resource. For information, see Configuring SiteMinder Policies (see page 22).

WAS Usernames Do Not Match

The log file issues the following message:

"WAS usernames do not match"

The possible reasons for this message are:

A WASUSERNAME header could have been manually sent to the browser; this could be a result of session hijack.

The User attribute passed in the WASUSERNAME Policy server response for the resource mentioned in the Agent configuration does not match that given for the resource currently being accessed.

Check the WASUSERNAME response for both the validation and the application realms—the user attribute passed should be the same in both the cases.

For information about the WASUSERNAME parameter, see Configuring SiteMinder Policies (see page 22).

WAS Username Is Not Present or Is Mismatched

The log file issues the following message:

"WASUSERNAME not present or mismatch in authorize() call"

The WASUSERNAME Policy server response attribute may not have been configured properly for the validation resource mentioned in the Agent configuration.

SiteMinder Session Is Invalid

The log file issues the following message:

"SiteMinder session invalid"

The Tier 2 SiteMinder session validation can fail if the session times out or has invalid access.

Login Module Authentication Failure

The log file issues the following message:

"SiteMinder login module authentication failed. Redirecting to the error page..."

If authentication by the SiteMinder login module fails, the user is redirected to the absolute URL of the Error page, which is the ErrorURL parameter specified during Agent configuration (see page 24).

If the URL of the Error page is not displayed and the “Page cannot be displayed” message appears in the browser, check the ErrorURL parameter set during Agent configuration (see page 24).

The SiteMinder Agent for SAP Web AS log file might issue an additional message if the ErrorURL parameter is not specified during configuration:

"SiteMinder login module authentication failed. No Error URL configured, sending error message..."

Login Stack Authentication Failure

The log file issues the following message:

"Overall login stack authentication failed. Sending error message..."

Though the SiteMinder login module has succeeded, some other login module or modules in the stack (with REQUISITE or REQUIRED flags) might have failed.

Appendix A: Front-End Web Server Configuration

This section contains the following topics:

Apache Web Server (see page 55)

Sun ONE Web Server (see page 56)

Apache Web Server

This configuration requires two Apache modules: mod_proxy (used for transforming the Apache web server into an intermediary server); and mod_rewrite (performs modifications to the URL based upon a set of rules and configurations).

Refer to the SAP documentation to configure the Apache web server as a front-end Web server to the Web AS.

Verify an Apache Web Server Configuration - Example

The following steps summarize how to verify the configuration. Use the steps only for reference.

To verify an Apache Web server configuration

1. Open the Apache web server configuration file (httpd.conf).

2. Make sure the file contains the following entries:

   LoadModule rewrite_module modules/mod_rewrite.so
   LoadModule proxy_module modules/libproxy.so
   LoadModule proxy_connect_module modules/mod_proxy_connect.so
   LoadModule proxy_http_module modules/mod_proxy_http.so
   AddModule mod_rewrite.c
   AddModule mod_proxy.c
   RewriteLog "/etc/httpd/logs/rewrite_log"
   RewriteLogLevel 9

3. Between the Location tags, specify the rules and conditions to use for the redirection. Use a separate Location section for each application that is to be redirected by the Apache web server, for example:

   <Location /application_root_dir>
   RewriteEngine On
   RewriteCond %{THE_REQUEST} \.jsp
   RewriteRule ^(.+) http://somehost.com:90%{REQUEST_URI} [P]
   RewriteCond %{THE_REQUEST} Example
   RewriteRule ^(.+) http://somehost.com:90%{REQUEST_URI} [P]
   </Location>

Sun ONE Web Server

Refer to the SAP documentation to configure the Sun ONE web server as a front-end web server to the Web AS.

Verify a Sun ONE Web Server Configuration Using RPP - Example

The following steps summarize how to verify the configuration of a Sun ONE Web server. Use the steps only for reference.

A reverse proxy plug-in (RPP) is required to perform this task. The RPP is provided as a shared object called libpassthrough.so, and can be downloaded from the Sun site.

To perform basic RPP configuration

1. Modify the magnus.conf file:

   Init fn=load-modules shlib="<S1ASInstallation>/lib/libpassthrough.so" funcs="init-passthrough,auth-passthrough,check-passthrough,service-passthrough" NativeThread="no"
   Init fn="init-passthrough"

2. Modify the obj.conf file:

   <Object name="default">
   NameTrans fn="assign-name" from="/*" name="passthrough"
   ....
   </Object>
   <Object name="passthrough">
   ObjectType fn="force-type" type="magnus-internal/passthrough"
   PathCheck fn="deny-existence" path="*/WEB-INF/*"
   Service type="magnus-internal/passthrough" fn="service-passthrough" servers="http://<Myserver>:<MyHTTPPort>"
   Error reason="Bad Gateway" fn="send-error" uri="/badgateway.html"
   </Object>

Appendix B: NPSEncrypt and NPSVersion Tools

This section contains the following topics:

NPSEncrypt Tool (see page 59)

NPSVersion Tool (see page 60)

NPSEncrypt Tool

Sometimes, secret values must be stored in a configuration file. For security purposes, you might want to encrypt and store the encrypted form of these secret values. To do this, use the NPSEncrypt tool. When a setting allows encrypted values to be used, this product will decrypt it before use. If the setting is not encrypted, the value entered will be used as is.

The NPSEncrypt utility takes plain text entered on the command line, encrypts it, and prints the result on the screen. The resulting encrypted text can be cut and pasted wherever it is needed.

A product that allows an encrypted value automatically decrypts it when needed.

To encrypt a value, use the command prompt and type the NPSEncrypt command followed by a space and followed by the text to be encrypted:

   C:\>npsencrypt secret
   [NPSEncrypt Version 1.1 - NPSEncrypt Revision 1]
   [NDSEnc-B]CKtyevyWkrF24Aj9Ly+xEQ==

In this case the encrypted form of secret is:

[NDSEnc-B]CKtyevyWkrF24Aj9Ly+xEQ==

When you copy and paste, grab the entire line, including [NDSEnc-].

NPSEncrypt encrypts the same text to many different cipher text values. Use any of the values, for example:

   C:\>npsencrypt secret
   [NPSEncrypt Version 1.1 - NPSEncrypt Revision 1]
   [NDSEnc-C]iQO2KVyRN2fB4tMwjtgRYQ==

   C:\>npsencrypt secret
   [NPSEncrypt Version 1.1 - NPSEncrypt Revision 1]
   [NDSEnc-C]FWhVC+MiA7aNnA87szw76g==

   C:\>npsencrypt secret
   [NPSEncrypt Version 1.1 - NPSEncrypt Revision 1]
   [NDSEnc-B]PD24A2Iz6H+KeDh7j4zUIg==
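
Because a value without its marker is used as is, a paste that drops or truncates the [NDSEnc-] part silently changes the secret. The following Python check is an added example, not part of this guide or the product: it classifies configuration values and reports secret settings that are not stored in encrypted form. The marker pattern and the 16-byte payload heuristic are inferred from the sample values on this page, and the key=value file and its key names are constructed for illustration.

```python
"""Added example: check values pasted from NPSEncrypt output into a config file."""
import base64
import binascii
import re

# Assumption: shape inferred from the sample values in this guide, that is
# "[NDSEnc-<letter>]" followed by base64 text. Not a documented format.
MARKER_RE = re.compile(r"^\[NDSEnc-([A-Z])\](.*)$")
SAMPLE_PAYLOAD_LEN = 16  # every sample value in this guide decodes to 16 bytes


def decode_b64(text):
    """Strict base64 decode; return bytes, or None if text is not valid base64."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(value):
    """Return (status, variant, payload_length) for one configuration value.

    status is "encrypted" (marker plus decodable payload), "damaged" (marker
    present but the payload does not decode), or "plaintext" (no marker, so
    the value would be used as is).
    """
    match = MARKER_RE.match(value.strip())
    if not match:
        return ("plaintext", None, None)
    variant, payload = match.groups()
    raw = decode_b64(payload)
    if not raw:  # undecodable or empty payload
        return ("damaged", variant, None)
    return ("encrypted", variant, len(raw))


def audit(config_text, secret_keys):
    """Return {key: finding} for secret settings that are not stored encrypted."""
    findings = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        # Split on the first "=" only: base64 padding also uses "=".
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in secret_keys:
            continue
        status, _variant, _length = classify(value)
        if status == "damaged":
            findings[key] = "damaged"  # marker present, payload cut short
        elif status == "plaintext":
            raw = decode_b64(value)
            bare = raw is not None and len(raw) == SAMPLE_PAYLOAD_LEN
            # A bare payload would be used as the literal secret, not decrypted.
            findings[key] = "missing-marker" if bare else "cleartext"
    return findings


# Constructed sample file; the key names are hypothetical.
SAMPLE_CONFIG = """\
# demo settings
demo_shared_secret=[NDSEnc-B]CKtyevyWkrF24Aj9Ly+xEQ==
demo_ldap_password=CKtyevyWkrF24Aj9Ly+xEQ==
demo_proxy_password=[NDSEnc-C]iQO2KVyRN2fB4tMwjtg
demo_admin_password=secret
demo_log_level=3
"""
SECRET_KEYS = {
    "demo_shared_secret",
    "demo_ldap_password",
    "demo_proxy_password",
    "demo_admin_password",
}

if __name__ == "__main__":
    for key, finding in audit(SAMPLE_CONFIG, SECRET_KEYS).items():
        print(key, "->", finding)
```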

NPSVersion Tool

Use the NPSVersion tool to extract version information from many CA products. To use this tool, type NPSVersion on a command line followed by a space and the name of the executable whose version information you want, for example:

   C:\> NPSVersion sessionlinkd
   [NPSVersion Version 1.0 - NPSVersion Revision 1]
   sessionlinkd - Package: NPSSessionLinker V1.3
   sessionlinkd - Component: SessionLinker daemon V1.3.2 (Jul 14 2003 20:26:16)
   sessionlinkd - Platform: Windows

C:\>

You may use the NPSVersion tool on one platform to extract information for a product built for any other platform. The actual information displayed might differ in format and content from that shown above, but the relevant lines when discussing any issues with Support are Package and Component. Each line has a version number.

Package refers to the version of the Product, in this case the SessionLinker version 1.3 product.

Component refers to the actual part of the product that is enclosed within this specific file. It is not uncommon for this version number to be larger than the Package version. This is usually due to Component having one or more bugs repaired or minor enhancements added that did not require the entire Package to be rebuilt or renumbered.