SAP NetWeaver How-To Guide
SOA Security Scenarios: WebAS Java, Message Level Security with no Transport Guarantee
Applicable Releases:
SAP NetWeaver 7.0 EhP1
SAP NetWeaver CE 7.1 and 7.1 EhP1
Topic Area: Security & Identity Management
Capability: Identity & Access Management
Version 1.0
May 2009
© Copyright 2009 SAP AG. All rights reserved.
No part of this publication may be reproduced or
transmitted in any form or for any purpose without the
express permission of SAP AG. The information contained
herein may be changed without prior notice.
Some software products marketed by SAP AG and its
distributors contain proprietary software components of
other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are
registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel
Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390,
OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP,
Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix,
i5/OS, POWER, POWER5, OpenPower and PowerPC are
trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader
are either trademarks or registered trademarks of Adobe
Systems Incorporated in the United States and/or other
countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered
trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame,
WinFrame, VideoFrame, and MultiWin are trademarks or
registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or
registered trademarks of W3C®, World Wide Web
Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems,
Inc., used under license for technology invented and
implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP
NetWeaver, and other SAP products and services
mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in
Germany and in several other countries all over the world.
All other product and service names mentioned are the
trademarks of their respective companies. Data contained
in this document serves informational purposes only.
National product specifications may vary.
These materials are subject to change without notice.
These materials are provided by SAP AG and its affiliated
companies ("SAP Group") for informational purposes only,
without representation or warranty of any kind, and SAP
Group shall not be liable for errors or omissions with
respect to the materials. The only warranties for SAP
Group products and services are those that are set forth in
the express warranty statements accompanying such
products and services, if any. Nothing herein should be
construed as constituting an additional warranty.
These materials are provided “as is” without a warranty of
any kind, either express or implied, including but not
limited to, the implied warranties of merchantability,
fitness for a particular purpose, or non-infringement.
SAP shall not be liable for damages of any kind including
without limitation direct, special, indirect, or consequential
damages that may result from the use of these materials.
SAP does not warrant the accuracy or completeness of the
information, text, graphics, links or other items contained
within these materials. SAP has no control over the
information that you may access through the use of hot
links contained in these materials and does not endorse
your use of third party web pages nor provide any warranty
whatsoever relating to third party web pages.
SAP NetWeaver “How-to” Guides are intended to simplify
the product implementation. While specific product
features and procedures typically are explained in a
practical business context, it is not implied that those
features and procedures are the only approach in solving a
specific business problem using SAP NetWeaver. Should
you wish to receive additional information, clarification or
support, please refer to SAP Consulting.
Any software coding and/or code lines / strings (“Code”)
included in this documentation are only examples and are
not intended to be used in a productive system
environment. The Code is only intended to better explain and
visualize the syntax and phrasing rules of certain coding.
SAP does not warrant the correctness and completeness of
the Code given herein, and SAP shall not be liable for
errors or damages caused by the usage of the Code, except
if such damages were caused by SAP intentionally or
grossly negligent.
Disclaimer
Some components of this product are based on Java™. Any
code change in these components may cause unpredictable
and severe malfunctions and is therefore expressively
prohibited, as is any decompilation of these components.
Any Java™ Source Code delivered with this product is only
to be used by SAP’s Support Services and may not be
modified or altered in any way.
Document History
Document Version   Description
1.00               First official release of this guide
Typographic Conventions
Type Style       Description
Example Text     Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.
Example text     Emphasized words or phrases in body text, graphic titles, and table titles.
Example text     File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text     User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>   Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT     Keys on the keyboard, for example, F2 or ENTER.
Icons
Icon   Description
Caution
Note or Important
Example
Recommendation or Tip
Table of Contents
1. Business Scenario ... 1
2. Background Information ... 1
3. Prerequisites ... 1
4. Step-by-Step Procedure ... 2
4.1 Create web service endpoints in service provider system ... 2
4.2 Disable Requirement for SAML SSL ... 6
4.3 Enable Automatic Startup of SAML Service ... 7
4.4 Configure SAP SSO Java Export ... 9
4.5 Configure SAP SSO Java Import ... 12
4.6 Adjust Login Module Stack for Unsecured Transport ... 14
4.7 Configure SAML Attester ... 17
4.8 Configure Trusted SAML Issuer ... 19
4.9 User Mapping for SAML ... 21
4.10 Enable Java-Web Service destinations ... 21
1. Business Scenario
You are implementing an SOA interoperability scenario with message-level security (SAML). The consumer and the provider both run on SAP NetWeaver AS Java. This scenario does not require transport-level security. It is suitable for an internal landscape behind a firewall, where additional security (SSL) is not needed.
2. Background Information
Web Services security is performed in a scenario without SSL.
The SAML Attester is configured for the Sender Vouches scenario.
3. Prerequisites
You have an Enterprise Service (Web Service) developed and deployed on SAP WebAS Java.
You have a Web Service client application (WS proxies) developed and deployed on the same or a different SAP WebAS Java server in your landscape.
May 2009 1
4. Step-by-Step Procedure
4.1 Create web service endpoints in service provider system
In this step we create a new WS endpoint and a new service.
Note
We assume that an Enterprise Service is already available and deployed on the provider's server.
Note
A new endpoint may also be created in an already existing service. From a WS governance perspective, a call to any endpoint that belongs to a service is considered a call to that service.
1. Open a web browser to the NetWeaver Administrator home page, http://<host>:50000/nwa.
2. Log in with Administrator credentials.
3. Select the “SOA Management” tab and then the “Application and Scenario Communication” sub-tab:
4. Select the link for “Single Service Administration”:
Tip Short link to Service Destinations: http://host:port/nwa/ssadmin
5. Under “Service Definitions”, find the service you want to configure. You can search by WSDL Porttype Name or Internal WS Name, or do a free text search.
An Internal Name search is shown in the example below.
6. Press the “Go” button to search for all available “Service Definitions”:
7. Select the entry in the table and several information and configuration tabs will appear below the table:
8. Select the Configuration tab.
Make sure the “Runtime Configuration” radio button is selected and click New
9. The service definition wizard opens.
Enter a “Service Endpoint Name” and select the New radio button next to “Add to service”.
Enter a name for the new service. In this case, enter the same name for both the service and the endpoint (e.g., PosSess-SSL-MSG-SAML in the example shown below). Then select the Next button.
Note This step creates a new service and new endpoint. If you want to create a new endpoint only you can select the Existing service radio box and choose the desired service.
10. Enter the appropriate security settings for the endpoint as shown in the “Configuration Table” below and then select the Next button:
Note See Appendix for more configuration scenarios.
11. In the next Wizard step, select the Finish button
12. Under the WSDLs tab you can find the WSDL of the newly created service and endpoint.
13. In the list, find and click on the link to the WSDL for the given endpoint:
14. From this view you can copy the WSDL for further use, such as developing a WS client or creating a destination proxy.
CAUTION For SSL endpoints:
The Destination service on the consumer (client) side uses the URL entered in the URL field of the Destination Template to connect to the endpoint, not the URL provided in the WSDL.
Therefore, for SSL endpoints, modify the WSDL URL before using it so that it points at the correct SSL access point and port. For example, modify the URL you save in the file as follows:
URL of WSDL:
http://host:50000/webservice_wsdl...
Modified URL using the SSL connection:
https://host:SSLPORT/webservice_wsdl...
(in the example system: https://host:SSLPORT/sapws/demo.sap.com.....&mode=sap_wsdl)
4.2 Disable Requirement for SAML SSL
By default, SAML requires the use of SSL. In this particular scenario SSL is not a requirement. To toggle this requirement on and off, perform the following steps:
1. Open the SAP NetWeaver Administrator http://host:port/nwa and log in with Administrator credentials.
2. Select the “Configuration Management” tab and then the “Trusted Systems” link:
3. Select the “SAML Browser/Artifact Profile” tab, then select the Edit button and the Setting tab:
4. Select the box to “Disable SSL Requirement” to disable the SAML security requirement. Select the Save button when finished:
4.3 Enable Automatic Startup of SAML Service
In some versions the SAML service is not enabled by default. To enable the SAML service for automatic startup, you must configure this in the J2EE Engine Config Tool.
Note
Perform this step on both the consumer system and the provider system if they reside on separate WAS Java engines.
1. Go to the directory C:\usr\sap\<SID>\J<instance number>\j2ee\configtool and double-click the “configtool.bat” file.
2. Switch to Expert Mode by selecting “View->Expert Mode” from the menu bar of the Config Tool.
3. Open the cluster-data node and click on “template – CE_...” as shown below:
4. Select the Filters tab.
5. Under “Custom rules” in the lower section of the window, set the Action to start, “Vendor Mask” to sap.com, Component to service and “Component Name Mask” to tc~sec~saml~service.
6. Select the “Apply changes” icon to save the new configuration. Now each time the server is restarted, the SAML service will start automatically.
7. Make sure the SAML service is running. Open the SAP NetWeaver Administrator (http://host:port/nwa).
Select the “Operation Management->Systems” tabs and the “Start & Stop” link.
8. Select “Java EE Services” tab and scroll in the table to find the SAML service. Verify the status is Started.
4.4 Configure SAP SSO Java Export
To establish trust between the consumer and provider systems, you have to exchange the trust certificate. Identify the certificate that will be used for each scenario and proceed as follows.
1. Open the NetWeaver Administrator http://<host>:<port>/nwa and log in with Administrator credentials.
2. Select the “Configuration Management” tab and then the Security sub-tab. Then select the “Certificate and Keys” link:
3. Select the keystore where the key pair is stored (in this example, TicketKeystore under “Keystore Views”) and select the Edit button.
Note
Later versions of the interface have done away with the Edit button.
4. Select the certificate, here: SAPLogonTicketKeypair-cert certificate (be sure to export the CERTIFICATE and not the PRIVATE KEY). Under the heading, “Entries in Keystore View”, select the “Export Entry” button:
5. Select “Base64 X.509” for the “export format”:
6. Select the Download button and select a folder to save the file. Use “.cert” as the file extension. Select the Close button when done:
4.5 Configure SAP SSO Java Import
1. Open a web browser to the NetWeaver Administrator of the web service producer's J2EE engine (e.g., http://<host>:<port>/nwa). Log in with Administrator credentials.
2. Select the “Configuration Management” tab and then the Security sub-tab. Then select the “Certificate and Keys” link:
3. Select TicketKeystore under “Keystore Views” and select the Edit button.
Note
Later versions of the interface have done away with the Edit button.
4. Under “Entries in Keystore View”, select the “Import Entry” button:
5. Select X.509 Certificate for the entry type and enter the path to the file you exported from the consumer’s TicketKeystore.
4.6 Adjust Login Module Stack for Unsecured Transport
1. Open the NetWeaver Administrator of the web service consumer, http://<host>:<port>/nwa. Log in with Administrator credentials.
2. Select the “Configuration Management” tab and the Security sub-tab. Then select the Authentication link:
3. Web Dynpro and Visual Composer use the ticket Policy Configuration for authentication. We need to adjust the ticket Login Module stack to create a Logon Ticket for SAML authentication. Enter ticket in the first line of the Name column and select the filter icon.
4. Select the “Configuration Management” tab and the Security sub-tab, then select the Authentication link. Select the ticket Policy Configuration and the Edit button under “Policy Configuration Details”:
5. Select the Add button under Login Modules to add “Login Modules”:
6. Select the Login Module to add from the dropdown list:
7. Select the appropriate evaluation Flag from the dropdown list:
8. To add Options for the Login Module, select the Login Module and then select the Add button. Enter the name of the option and its value:
9. To change the order of the Login Module stack, select the Login Module and then the “Move Up” or “Move Down” button:
10. Adjust the Login Module stack as follows:
Login Module               Flag         Option Name               Option Value
EvaluateTicketLoginModule  SUFFICIENT   ume.configuration.active  true
CreateTicketLoginModule    SUFFICIENT   ume.configuration.active  true
BasicPasswordLoginModule   REQUISITE
4.7 Configure SAML Attester
1. Open a web browser to the NetWeaver Administrator home page of the web service consumer, http://<host>:<port>/nwa. Log in with Administrator credentials.
2. Select the Configuration Management tab, the Security sub-tab and the Trusted Systems link:
3. Select the Web Service Security SAML tab and the Local SAML Attesters tab under that.
Then select the Edit button:
4. Select the saml_default_attester from the “Local Attester List”:
5. Under the “Keystore View” column, select TicketKeystore from the dropdown list if not already selected:
6. From the dropdown in the “Private Key” column, select the SAPLogonTicketKeypair entry if not already selected. Under the “Issuer Name” column, enter the SID of the consumer system (in this example CE1):
7. Select the Save button to save the changes:
8. Use this saml_default_attester when you assign an “Attester Name” to a web service that uses SAML Assertions:
4.8 Configure Trusted SAML Issuer
1. Open a web browser to the NetWeaver Administrator home page of the web service provider, http://<host>:<port>/nwa. Log in with Administrator credentials:
2. Select the Configuration Management tab, the Security sub-tab and the Trusted Systems link:
3. Select the “Web Service Security SAML” tab:
4. Select the Trusted Partners tab. The Issuer Name of all SAML Attesters configured for web service Destinations on the consumer must be referenced in the Trusted SAML Issuers list.
Note
In the step Configure SAML Attester, we configured the saml_default_attester for use by web service destinations. We chose to use the SID of the consumer system as the Issuer Name. This Issuer Name must be added to the “Trusted SAML Issuers” list if it is not already present.
5. To add an entry to the “Trusted SAML Issuers” list, select the Edit button and type the name in the list. If there are other “Issuer Names” already in the list, separate the new entry with a comma from the other names. In the example below, the “Issuer Name” of the SAML Attester used to configure web service Destinations on the consumer is the SID, CE1. When you are finished editing the list, select the Save button to save the changes:
Attester Used by Consumer Web Service Destinations for SAML Assertions
4.9 User Mapping for SAML
Note
To enable trust between a web service consumer and a web service producer based on SAML assertions, the username of the caller of the web service must be identical to a user on the producer system. If the SAML assertion is signed with the private key of a certificate whose distinguished name matches one in the producer's keystore, the assertion is considered authenticated for that user.
1. Create a user on the producer and on the consumer with identical usernames. The passwords do not have to match.
2. To access a web service secured by SAML assertions, you will be required to enter a valid username and password each time you access the web service in a new browser session… unless you are accessing the web service over SSL. In this case, the client certificate will be mapped to a user the first time you logon. Subsequently a logon ticket stored in the browser will eliminate the need for the user to login each time the web service is accessed via a WebDynpro or Visual Composer application.
Note
You must be certain to logon with a username that also exists on the producer system, or the username associated with the certificate will not be authorized to access the web service via SAML assertion.
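The following is an added example, not SAP code: a small model of the provider-side checks that the settings from sections 4.2, 4.5, 4.8 and 4.9 feed into when a sender-vouches SAML 1.1 assertion arrives. It assumes that the WS-Security layer has already verified the XML signature and hands over the fingerprint of the signing certificate; the issuer list, users and fingerprint values are constructed placeholders.

```python
# Added example (not SAP code): a model of the provider-side checks this
# guide configures for a SAML 1.1 sender-vouches assertion. Assumptions:
# the WS-Security layer has already verified the XML signature and hands
# over the SHA-256 fingerprint of the signing certificate.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML1 = "{urn:oasis:names:tc:SAML:1.0:assertion}"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"


@dataclass
class ProviderConfig:
    trusted_issuers: str        # "Trusted SAML Issuers" list as typed in NWA (4.8)
    keystore_fingerprints: set  # certs imported into TicketKeystore (4.5)
    provider_users: set         # user IDs that exist on the provider (4.9)
    require_ssl: bool = True    # SAML SSL requirement; disabled in 4.2

    def issuers(self):
        # NWA stores the list comma-separated, e.g. "CE1, QA1"
        return {i.strip() for i in self.trusted_issuers.split(",") if i.strip()}


def evaluate_assertion(xml_text, signer_fingerprint, over_ssl, cfg):
    """Return (accepted, reason) for one assertion under the given config."""
    if cfg.require_ssl and not over_ssl:
        return False, "SSL required by SAML configuration"
    if signer_fingerprint not in cfg.keystore_fingerprints:
        return False, "signing certificate not in TicketKeystore"
    root = ET.fromstring(xml_text)
    if root.tag != SAML1 + "Assertion":
        return False, "not a SAML 1.x assertion"
    issuer = root.get("Issuer", "")
    if issuer not in cfg.issuers():
        return False, f"issuer {issuer!r} not in Trusted SAML Issuers"
    subject = root.find(f".//{SAML1}Subject")
    if subject is None:
        return False, "assertion has no Subject"
    method = subject.findtext(f".//{SAML1}ConfirmationMethod", "")
    if method != SENDER_VOUCHES:
        return False, f"unexpected confirmation method {method!r}"
    user = (subject.findtext(f"{SAML1}NameIdentifier") or "").strip()
    if user not in cfg.provider_users:
        return False, f"user {user!r} does not exist on provider"
    return True, f"accepted as {user}"


# Constructed sample values (placeholders, not from the guide).
CONSUMER_CERT_FP = "sha256:placeholder-fingerprint-of-SAPLogonTicketKeypair-cert"
CONFIG = ProviderConfig(trusted_issuers="CE1, QA1",
                        keystore_fingerprints={CONSUMER_CERT_FP},
                        provider_users={"jdoe", "wsuser"},
                        require_ssl=False)  # this scenario runs without SSL


def sample_assertion(issuer="CE1", user="jdoe"):
    """Constructed minimal SAML 1.1 assertion as the consumer would vouch for."""
    return f"""<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="a1" Issuer="{issuer}"
  IssueInstant="2009-05-01T10:00:00Z">
  <AuthenticationStatement AuthenticationInstant="2009-05-01T10:00:00Z"
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <Subject>
      <NameIdentifier>{user}</NameIdentifier>
      <SubjectConfirmation>
        <ConfirmationMethod>{SENDER_VOUCHES}</ConfirmationMethod>
      </SubjectConfirmation>
    </Subject>
  </AuthenticationStatement>
</Assertion>"""


if __name__ == "__main__":
    print(evaluate_assertion(sample_assertion(), CONSUMER_CERT_FP, False, CONFIG))
```

Each rejection reason maps to one configuration step in this guide, which makes the model useful for narrowing down why a provider refuses a call.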
4.10 Enable Java-Web Service destinations
1. Open a web browser to the NetWeaver Administrator home page, http://<host>:<port>/nwa, and log in with Administrator credentials.
2. Select the SOA Management tab, the Technical Configuration sub-tab and the Destination Template Management link:
3. Select the “Destination Templates” tab and the New button:
4. Select WSDL for the “Destination Type”:
5. Enter the Destination Name and paste in the URL of the WSDL for the web service endpoint. For a Java web service destination, enter the System Name (SID, e.g., CE1) and the fully qualified Host Name. Installation Number and Client number are not mandatory for a Java-Java scenario. Select the Next button when done.
6. In the next screen enter the security settings that correspond to that of the web service endpoint (see Configuration Table below). Click on the Finish button to save the configuration when finished:
www.sdn.sap.com/irj/sdn/howtoguides