SAP NetWeaver How-To Guide

SOA Security Scenarios: WebAS Java, Message Level Security with no Transport Guarantee

Applicable Releases:
SAP NetWeaver 7.0 EhP1
SAP NetWeaver CE 7.1 and 7.1 EhP1

Topic Area: Security & Identity Management
Capability: Identity & Access Management

Version 1.0
May 2009



  • © Copyright 2009 SAP AG. All rights reserved.

    No part of this publication may be reproduced or

    transmitted in any form or for any purpose without the

    express permission of SAP AG. The information contained

    herein may be changed without prior notice.

    Some software products marketed by SAP AG and its

    distributors contain proprietary software components of

    other software vendors.

    Microsoft, Windows, Outlook, and PowerPoint are

    registered trademarks of Microsoft Corporation.

    IBM, DB2, DB2 Universal Database, OS/2, Parallel

    Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390,

    OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP,

    Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix,

    i5/OS, POWER, POWER5, OpenPower and PowerPC are

    trademarks or registered trademarks of IBM Corporation.

    Adobe, the Adobe logo, Acrobat, PostScript, and Reader

    are either trademarks or registered trademarks of Adobe

    Systems Incorporated in the United States and/or other

    countries.

    Oracle is a registered trademark of Oracle Corporation.

    UNIX, X/Open, OSF/1, and Motif are registered

    trademarks of the Open Group.

    Citrix, ICA, Program Neighborhood, MetaFrame,

    WinFrame, VideoFrame, and MultiWin are trademarks or

    registered trademarks of Citrix Systems, Inc.

    HTML, XML, XHTML and W3C are trademarks or

    registered trademarks of W3C®, World Wide Web

    Consortium, Massachusetts Institute of Technology.

    Java is a registered trademark of Sun Microsystems, Inc.

    JavaScript is a registered trademark of Sun Microsystems,

    Inc., used under license for technology invented and

    implemented by Netscape.

    MaxDB is a trademark of MySQL AB, Sweden.

    SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP

    NetWeaver, and other SAP products and services

    mentioned herein as well as their respective logos are

    trademarks or registered trademarks of SAP AG in

    Germany and in several other countries all over the world.

    All other product and service names mentioned are the

    trademarks of their respective companies. Data contained

    in this document serves informational purposes only.

    National product specifications may vary.

    These materials are subject to change without notice.

    These materials are provided by SAP AG and its affiliated

    companies ("SAP Group") for informational purposes only,

    without representation or warranty of any kind, and SAP

    Group shall not be liable for errors or omissions with

    respect to the materials. The only warranties for SAP

    Group products and services are those that are set forth in

    the express warranty statements accompanying such

    products and services, if any. Nothing herein should be

    construed as constituting an additional warranty.

    These materials are provided “as is” without a warranty of

    any kind, either express or implied, including but not

    limited to, the implied warranties of merchantability,

    fitness for a particular purpose, or non-infringement.

    SAP shall not be liable for damages of any kind including

    without limitation direct, special, indirect, or consequential

    damages that may result from the use of these materials.

    SAP does not warrant the accuracy or completeness of the

    information, text, graphics, links or other items contained

    within these materials. SAP has no control over the

    information that you may access through the use of hot

    links contained in these materials and does not endorse

    your use of third party web pages nor provide any warranty

    whatsoever relating to third party web pages.

    SAP NetWeaver “How-to” Guides are intended to simplify

    the product implementation. While specific product

    features and procedures typically are explained in a

    practical business context, it is not implied that those

    features and procedures are the only approach in solving a

    specific business problem using SAP NetWeaver. Should

    you wish to receive additional information, clarification or

    support, please refer to SAP Consulting.

    Any software coding and/or code lines / strings (“Code”)

    included in this documentation are only examples and are

    not intended to be used in a productive system

    environment. The Code is only intended to better explain and

    visualize the syntax and phrasing rules of certain coding.

    SAP does not warrant the correctness and completeness of

    the Code given herein, and SAP shall not be liable for

    errors or damages caused by the usage of the Code, except

    if such damages were caused by SAP intentionally or

    grossly negligent.

    Disclaimer

    Some components of this product are based on Java™. Any

    code change in these components may cause unpredictable

    and severe malfunctions and is therefore expressly

    prohibited, as is any decompilation of these components.

    Any Java™ Source Code delivered with this product is only

    to be used by SAP’s Support Services and may not be

    modified or altered in any way.

  • Document History

    Document Version 1.00: First official release of this guide

  • Typographic Conventions

    Type Style: Description

    Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.

    Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

    Example text: File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

    Example text: User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.

    <Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

    EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

    Icons

    Icon: Description

    Caution

    Note or Important

    Example

    Recommendation or Tip

  • Table of Contents

    1. Business Scenario
    2. Background Information
    3. Prerequisites
    4. Step-by-Step Procedure
       4.1 Create web service endpoints in service provider system
       4.2 Disable Requirement for SAML SSL
       4.3 Enable Automatic Startup of SAML Service
       4.4 Configure SAP SSO Java Export
       4.5 Configure SAP SSO Java Import
       4.6 Adjust Login Module Stack for Unsecured Transport
       4.7 Configure SAML Attester
       4.8 Configure Trusted SAML Issuer
       4.9 User Mapping for SAML
       4.10 Enable Java-Web Service destinations

  • SOA Security Scenarios: WebAS Java, Message Level Security with no Transport Guarantee

    1. Business Scenario

    You are implementing an SOA interoperability scenario with message-level security based on SAML. The consumer and the provider both run on SAP NetWeaver AS Java. This scenario does not require transport-level security. It is suitable for an internal landscape behind a firewall where additional transport security (SSL) is not needed.

    2. Background Information

    Web service security is performed in a scenario without SSL.

    The SAML Attester is configured for the Sender Vouches scenario.

    3. Prerequisites

    You have an Enterprise Service (web service) developed and deployed on SAP WebAS Java.

    You have a web service client application (WS proxies) developed and deployed on the same or a different SAP WebAS Java server in your landscape.

    May 2009 1


    4. Step-by-Step Procedure

    4.1 Create web service endpoints in service provider system

    In this step we will create a new WS endpoint and a new service.

    Note We assume that an Enterprise Service is already available and deployed on the provider’s server.

    Note A new endpoint may also be created in an already existing service. From a WS governance perspective, a call to any endpoint that is part of a service is considered a call to that service.

    1. Open a web browser to the NetWeaver Administrator home page, http://<host>:50000/nwa.

    2. Log in with Administrator credentials.

    3. Select the “SOA Management” tab and then the “Application and Scenario Communication” sub-tab:

    4. Select the link for “Single Service Administration”:


    Tip Short link to Service Destinations: http://host:port/nwa/ssadmin 

    5. Under “Service Definitions” find the service you want to configure. You can search by WSDL Porttype Name or Internal WS Name, or do any text search.

    An Internal Name search is shown in the example below.

    6. Press the “Go” button to search for all available “Service Definitions”:

    7. Select the entry in the table and several information and configuration tabs will appear below the table:

    8. Select the Configuration tab.

    Make sure the “Runtime Configuration” radio button is selected and select the New button.


    9. The service definition wizard appears.

    Enter a “Service Endpoint Name” and select the New radio button next to “Add to service”.

    Enter a name for the new service. In this case, enter the same name for both the service and the endpoint (e.g., PosSess-SSL-MSG-SAML in the example shown below). Then select the Next button.

    Note This step creates a new service and a new endpoint. If you only want to create a new endpoint, select the Existing service radio button and choose the desired service.

    10. Enter the appropriate security settings for the endpoint as shown in the “Configuration Table” below and then select the Next button:


    Note See Appendix for more configuration scenarios.

    11. In the next Wizard step, select the Finish button

    12. Under the WSDLs tab you can find the WSDL of the newly created service and endpoint.

    13. In the list, find and click the link to the WSDL for the given endpoint:

    14. From this view you can copy the WSDL for further usage, such as developing a WS client or creating a destination proxy.


    CAUTION For SSL endpoints:

    The Destination service on the consumer (client) side uses the URL entered in the URL field of the Destination Template to connect to the endpoint, not the URL provided in the WSDL.

    Therefore, for SSL endpoints, modify the WSDL URL to use the correct SSL access point and port before using it. For example, modify the URL you save in the file as follows:

    URL of WSDL:

    http://host:50000/webservice_wsdl...

    URL modified to use the SSL connection:

    https://host:SSLPORT/webservice_wsdl... (in the example: https://host:SSLPORT/sapws/demo.sap.com.....&mode=sap_wsdl)

    4.2 Disable Requirement for SAML SSL

    By default, SAML requires the use of SSL. In this particular scenario SSL is not a requirement. To toggle this requirement on and off, perform the following steps:

    1. Open the SAP NetWeaver Administrator http://host:port/nwa and log in with Administrator credentials.

    2. Select the “Configuration Management” tab and then the “Trusted Systems” link:


    3. Select the ”SAML Browser/Artifact Profile” tab and then select the Edit button and the Setting tab:

    4. Select the box to “Disable SSL Requirement” to disable the SAML security requirement. Select the Save button when finished:

    4.3 Enable Automatic Startup of SAML Service

    In some versions the SAML service is not enabled by default. To enable the SAML service for automatic startup, you must configure this in the J2EE Engine Config Tool.

    Note Perform this step on both the consumer system and the provider system if they reside on separate AS Java engines.

    1. Go to the directory C:\usr\sap\<SID>\J<instance>\j2ee\configtool and double-click the “configtool.bat” file.

    2. Switch to Expert Mode by selecting “View->Expert Mode” from the menu bar of the Config Tool.


    3. Open the cluster-data node and click on ”template – CE_...” as shown below:

    4. Select the Filters tab.

    5. Under “Custom rules” in the lower section of the window, set the Action to start, “Vendor Mask” to sap.com, Component to service and “Component Name Mask” to tc~sec~saml~service.

    6. Select the “Apply changes” icon to save the new configuration. Now each time the server is restarted, the SAML service will start automatically.


    7. Make sure the SAML service is running. Open the SAP NetWeaver Administrator. http://host:port/nwa

    Select the “Operation Management->Systems” tabs and the “Start & Stop” link.

    8. Select “Java EE Services” tab and scroll in the table to find the SAML service. Verify the status is Started.

    4.4 Configure SAP SSO Java Export

    To establish trust between the consumer and provider systems you have to exchange the trust certificate. Identify the certificate that will be used for each scenario and proceed as follows.

    1. Open the NetWeaver Administrator http://<host>:<port>/nwa and log in with Administrator credentials.


    2. Select the “Configuration Management” tab and then the Security sub-tab. Then select the “Certificate and Keys” link:

    3. Select the keystore where the key-pair is stored. In this example TicketKeystore under “Keystore Views” and select the Edit button.

    Note

    Later versions of the interface have done away with the Edit button.


    4. Select the certificate, here: SAPLogonTicketKeypair-cert certificate (be sure to export the CERTIFICATE and not the PRIVATE KEY). Under the heading, “Entries in Keystore View”, select the “Export Entry” button:

    5. Select “Base64 X.509” for the “export format”:


    6. Select the Download button and select a folder to save the file. Use “.cert” as the file extension. Select the Close button when done:

    4.5 Configure SAP SSO Java Import

    1. Open a web browser to the NetWeaver Administrator of the web service producer’s J2EE engine (e.g., http://<host>:<port>/nwa). Log in with Administrator credentials.

    2. Select the “Configuration Management” tab and then the Security sub-tab. Then select the “Certificate and Keys” link:


    3. Select TicketKeystore under “Keystore Views” and select the Edit button

    Note

    Later versions of the interface have done away with the Edit button.

    4. Under “Entries in Keystore View”, select the “Import Entry” button:

    5. Select X.509 Certificate for the entry type and enter the path to the file you exported from the consumer’s TicketKeystore.


    4.6 Adjust Login Module Stack for Unsecured Transport

    1. Open the NetWeaver Administrator of the web service consumer, http://<host>:<port>/nwa. Log in with Administrator credentials.

    2. Select the “Configuration Management” tab and the Security sub-tab. Then select the Authentication link:

    3. Web Dynpro and Visual Composer use the ticket Policy Configuration for authentication. We need to adjust the ticket Login Module stack so that it creates a Login Ticket for SAML authentication. Enter ticket in the first line of the Name column and select the filter icon.

    4. Select the ticket Policy Configuration and the Edit button under “Policy Configuration Details”:


    5. Select the Add button under Login Modules to add “Login Modules”:

    6. Select the Login Module to add from the dropdown list:

    7. Select the appropriate evaluation Flag from the dropdown list:


    8. To add Options for the Login Module, select the Login Module and then select the Add button. Enter the name of the option and its value:

    9. To change the order of the Login Module stack, select the Login Module and then the “Move Up” or “Move Down” button:

    10. Adjust the Login Module stack as follows:

    Login Module               Flag        Option Name               Option Value
    EvaluateTicketLoginModule  SUFFICIENT  ume.configuration.active  true
    CreateTicketLoginModule    SUFFICIENT  ume.configuration.active  true
    BasicPasswordLoginModule   REQUISITE


    4.7 Configure SAML Attester

    1. Open a web browser to the NetWeaver Administrator home page of the web service consumer, http://<host>:<port>/nwa. Log in with Administrator credentials.

    2. Select the Configuration Management tab, the Security sub-tab and the Trusted Systems link:

    3. Select the Web Service Security SAML tab and the Local SAML Attesters tab under that.

    Then select the Edit button:

    4. Select the saml_default_attester from the “Local Attester List”:


    5. Under the “Keystore View” column, select TicketKeystore from the dropdown list if not already selected:

    6. From the dropdown in the “Private Key” column, select the SAPLogonTicketKeypair entry if not already selected. Under the “Issuer Name” column, enter the SID of the consumer system (in this example CE1):

    7. Select the Save button to save the changes:

    8. Use this saml_default_attester when you assign an “Attester Name” to a web service that uses SAML Assertions:


    4.8 Configure Trusted SAML Issuer

    1. Open a web browser to the NetWeaver Administrator home page of the web service provider, http://<host>:<port>/nwa. Log in with Administrator credentials:

    2. Select the Configuration Management tab, the Security sub-tab and the Trusted Systems link:

    3. Select the “Web Service Security SAML” tab:

    4. Select the Trusted Partners tab. The Issuer Name of all SAML Attesters configured for web service Destinations on the consumer must be referenced in the Trusted SAML Issuers list.

    Note

    In the step Configure SAML Attester, we configured the saml_default_attester for use by web service destinations. We chose to use the SID of the consumer system as the Issuer Name. This Issuer Name must be added to the “Trusted SAML Issuers” list if it is not already present.


    5. To add an entry to the “Trusted SAML Issuers” list, select the Edit button and type the name in the list. If there are other “Issuer Names” already in the list, separate the new entry with a comma from the other names. In the example below, the “Issuer Name” of the SAML Attester used to configure web service Destinations on the consumer is the SID, CE1. When you are finished editing the list, select the Save button to save the changes:

    Attester Used by Consumer Web Service Destinations for SAML Assertions


    4.9 User Mapping for SAML

    Note

    To enable trust between a web service consumer and a web service producer based on SAML assertions, the username of the caller of the web service must be identical to a user on the producer system. If the SAML assertion is signed with the private key of a certificate whose distinguished name matches a certificate in the producer’s keystore, the assertion is considered authenticated for that user.

    1. Create a user on the producer and on the consumer with identical usernames. The passwords do not have to match.

    2. To access a web service secured by SAML assertions, you will be required to enter a valid username and password each time you access the web service in a new browser session… unless you are accessing the web service over SSL. In this case, the client certificate will be mapped to a user the first time you logon. Subsequently a logon ticket stored in the browser will eliminate the need for the user to login each time the web service is accessed via a WebDynpro or Visual Composer application.

    Note You must be certain to logon with a username that also exists on the producer system or the username associated with the certificate will not be authorized to access the web service via SAML assertion.
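As an added illustration (not code from this guide or from SAP), the following Python models the two trust decisions that sections 4.8 and 4.9 configure on the provider side for an incoming sender-vouches assertion: the assertion’s Issuer must appear in the comma-separated “Trusted SAML Issuers” list, and the subject named in the assertion must be an identical user on the provider. The sample assertion, the issuer list and the user set are constructed; the function names, the validity-window check and the signature_verified flag (which stands in for the WS-Security signature check over the assertion, not modelled here) are assumptions of this example and not part of the NetWeaver configuration.

```python
"""Provider-side acceptance checks for a sender-vouches SAML assertion.

Added illustration, not SAP code. It models the checks behind sections 4.8
and 4.9: the Issuer must be in the Trusted SAML Issuers list and the subject
must be an identical user on the provider. The WS-Security signature that binds
the assertion to the consumer's SAPLogonTicketKeypair is not verified here;
the caller reports that result through the signature_verified flag (assumption).
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed sample assertion: Issuer is the consumer SID (CE1, as in the
# guide's example) and the subject is the calling user. All values are made up.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-0001"
    Issuer="CE1" IssueInstant="2009-05-01T10:00:00Z">
  <saml:Conditions NotBefore="2009-05-01T09:55:00Z"
                   NotOnOrAfter="2009-05-01T10:05:00Z"/>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2009-05-01T10:00:00Z">
    <saml:Subject>
      <saml:NameIdentifier>jsmith</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{SENDER_VOUCHES}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_trusted_issuers(list_text):
    """Split the comma-separated Trusted SAML Issuers list (section 4.8, step 5)."""
    return {name.strip() for name in list_text.split(",") if name.strip()}


def parse_timestamp(ts):
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_assertion(xml_text):
    """Pull the fields the trust decision needs out of a SAML 1.x assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1_NS}}}Assertion":
        raise ValueError("not a SAML 1.x assertion")

    def text(el):
        return el.text.strip() if el is not None and el.text else None

    cond = root.find(f"{{{SAML1_NS}}}Conditions")
    not_before = cond.get("NotBefore") if cond is not None else None
    not_on_or_after = cond.get("NotOnOrAfter") if cond is not None else None
    return {
        "issuer": root.get("Issuer"),
        "subject": text(root.find(f".//{{{SAML1_NS}}}NameIdentifier")),
        "confirmation": text(root.find(f".//{{{SAML1_NS}}}ConfirmationMethod")),
        "not_before": parse_timestamp(not_before) if not_before else None,
        "not_on_or_after": parse_timestamp(not_on_or_after) if not_on_or_after else None,
    }


def evaluate_assertion(xml_text, trusted_issuers_text, local_users, now_ts, signature_verified):
    """Return (accepted, reason) for an assertion received by the provider.

    Order: signature, trusted issuer (4.8), confirmation method, validity
    window, then identical local user (4.9). The first failing check wins.
    """
    a = extract_assertion(xml_text)
    now = parse_timestamp(now_ts)
    if not signature_verified:
        return False, "signature over the assertion not verified"
    if a["issuer"] not in parse_trusted_issuers(trusted_issuers_text):
        return False, f"issuer {a['issuer']!r} is not in the Trusted SAML Issuers list"
    if a["confirmation"] != SENDER_VOUCHES:
        return False, f"unexpected confirmation method {a['confirmation']!r}"
    if a["not_before"] is not None and now < a["not_before"]:
        return False, "assertion not yet valid"
    if a["not_on_or_after"] is not None and now >= a["not_on_or_after"]:
        return False, "assertion expired"
    if a["subject"] not in local_users:
        return False, f"subject {a['subject']!r} has no identical user on the provider"
    return True, f"accepted: {a['subject']} vouched for by issuer {a['issuer']}"


if __name__ == "__main__":
    users = {"jsmith", "Administrator"}  # constructed provider user store
    for issuers, now in (("CE1, CE2", "2009-05-01T10:00:00Z"),
                         ("CE2", "2009-05-01T10:00:00Z"),
                         ("CE1", "2009-05-01T10:05:00Z")):
        print(issuers, now, evaluate_assertion(SAMPLE_ASSERTION, issuers, users, now, True))
    print("unknown user", evaluate_assertion(SAMPLE_ASSERTION, "CE1", {"other"},
                                             "2009-05-01T10:00:00Z", True))
```

Run as a script it prints one line per case: the accepted call, the rejection when the consumer’s SID is missing from the issuer list (the comma-separated list edited in section 4.8, step 5), the rejection of an expired assertion, and the rejection of a caller whose username exists only on the consumer (section 4.9, step 1). Each rejection happens before any business logic of the web service runs.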

    4.10 Enable Java-Web Service destinations

    1. Open a web browser to the NetWeaver Administrator home page, http://<host>:<port>/nwa, and log in with Administrator credentials.

    2. Select the SOA Management tab, the Technical Configuration sub-tab and the Destination Template Management link:


    3. Select the “Destination Templates” tab and the New button:

    4. Select WSDL for the “Destination Type”:

    5. Enter the Destination Name and paste in the URL of the WSDL for the web service endpoint. For a Java web service destination, enter the System Name (SID, e.g., CE1) and the fully qualified Host Name. Installation Number and Client number are not mandatory for a Java-Java scenario. Select the Next button when done.


    6. In the next screen enter the security settings that correspond to that of the web service endpoint (see Configuration Table below). Click on the Finish button to save the configuration when finished:


  • www.sdn.sap.com/irj/sdn/howtoguides
