IBM Tivoli Access Manager SAP Q&A


  • Date:09 Sep 2020
  • Views:4
  • Downloads:0
  • Pages:24
  • Size:529.13 KB

Transcription:

IBM Tivoli Access Manager Single Sign-On for SAP NetWeaver

Contents
1 Preface ... 3
1.1 Constraints ... 3
1.2 Definition ... 3
1.3 Intended Audience ... 3
1.4 Additional Documentation ... 3
2 Overview ... 5
3 TAM-based SSO to SAP ITS ... 6
3.1 Overview ... 6
3.2 Configuring SAP R/3 for SSO ... 7
3.3 Configuring SAP ITS for SSO ... 9
3.4 Configuring WebSEAL for SSO to SAP ITS ... 13
3.5 Testing the configuration ... 15
4 TAM-based SSO to SAP EP ... 16
4.1 Overview ... 16
4.2 Configuring SAP EP for TAM-based SSO ... 16
4.3 Configuring WebSEAL for SSO to SAP EP ... 21
4.4 Testing the configuration ... 22
5 Summary ... 23

September 2005

1 Preface

1.1 Constraints

The texts, references and graphics contained in this manual have been compiled with utmost care; nevertheless, it is impossible to guarantee that they are fully without error. IBM and SAP cannot assume any responsibility for the correctness or completeness of the following documentation; the user alone is responsible for verifying the information contained therein. IBM and SAP will only assume liability for damage arising from the use of this documentation, irrespective of the pertinent legal basis, in the case of intentional or active negligence; under no other circumstances will a warranty be made.

1.2 Definition

This paper describes the configuration of using IBM Tivoli Access Manager (TAM) Version 5.1 for Single Sign-On (SSO) to the SAP backend systems SAP Internet Transaction Server (ITS) Version 6.20 and SAP Enterprise Portal (EP) Version 6 SP 10. The configurations described herein should be reproducible, given that the reader follows the operational model of our lab environment. If more information is needed, please refer to the appropriate guides of the products in Table 1.

1.3 Intended Audience

This guide is intended to be used by administrators or technical consultants who have to build interoperability scenarios. The users should be familiar with the above-mentioned products. They should know how to use and configure the products.

1.4 Additional Documentation

Table 1: List of references
[1] Using SAP Cryptographic Library for SNC, Release 6.20, Document Version 2.0. http://service.sap.com/instguides (search for the title of the document).
[2] Pluggable Authentication Services for External Authentication Mechanisms, Release 6.20, Document Version 2.2, 12/27/2002. http://service.sap.com/instguides (search for the title of the document).
[3] WebSphere IBM HTTP Server Version 6 User's Guide, December 2004. http://www.ibm.com/software/webservers/httpservers/library
[4] IBM Tivoli Access Manager SAP ITS Integration Guide, Version 1.1.01, Infrastructure 2.0. http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliAccessManagerforebusiness.html (search for "SAP ITS").
[5] IBM Tivoli Access Manager for e-business WebSEAL Administration Guide, Version 5.1. http://www.ibm.com/software/tivoli/products/access-mgr-e-bus
[6] IBM Tivoli Access Manager SAP Enterprise Portal Integration Guide. http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliAccessManagerforebusiness.html (search for "SAP Enterprise Portal").
[7] Configuring the Use of SSL on the SAP J2EE Engine. http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm

Note: Compared to the existing integration guides [4] and [6], this document describes the configuration of SAP ITS and SAP EP in more detail (e.g. configuration of SNC at the SAP transaction level) and at the most recent software version. In addition, it covers the use of SSL between WebSEAL and the SAP backend systems.

2 Overview

Figure 1: Overview of configuration scenario

Figure 1 gives an architecture overview diagram of the scenario whose configuration is introduced in this document. In this scenario, the IBM Tivoli Access Manager (TAM) is used as a central authentication and authorization engine for web access, with Single Sign-On (SSO) to the SAP backend systems SAP ITS and SAP EP.

The components of IBM Tivoli Access Manager which are important for this scenario are:
- an LDAP server (Tivoli Directory Server V5.2) that contains a registry of users,
- the policy server, which manages the authorization information in terms of access control lists (ACLs), and
- the WebSEAL server, which is an authenticating reverse proxy.

WebSEAL acts as a security guard, ensuring that only authenticated and authorized users are given access to downstream systems, as long as access to the backend systems is configured via WebSEAL. As a reverse proxy, users do not directly access the backend systems but only via WebSEAL. This means that WebSEAL accesses downstream backend systems on behalf of an authenticated user.

Thereby SSO can be achieved, meaning that once a user is authenticated to WebSEAL, it does not need to authenticate against any downstream backend system again, given that:
- WebSEAL presents to a backend system the identity of an authenticated user (various mechanisms are possible),
- the backend systems trust WebSEAL to present the identity of authenticated users,
- the backend systems provide themselves a mechanism to use the trusted user information as a base for their own authentication, and
- the user information is known to WebSEAL and the SAP backend system and is configured at both systems with appropriate authorization and access rights (e.g. by using a central user management system like Tivoli Identity Manager).

Thus SSO is based on a trust relationship between the reverse proxy and the downstream backend systems. The configuration of this trust relationship between WebSEAL and SAP ITS is covered in chapter 3, whereas chapter 4 covers that between WebSEAL and SAP EP. Thereby we describe the configuration of an actual lab environment end to end, but only as far as SSO is concerned, in the way it is depicted in Figure 1. Thus we assume that the products involved are already installed and up and running. In particular, we do not make any assumption about the configuration of the authentication between the browser and WebSEAL.

3 TAM-based SSO to SAP ITS

In this chapter we will first give an overview of the runtime and configuration steps for TAM-based SSO to SAP ITS. Then a detailed description of how to configure the involved systems is provided.

3.1 Overview

Figure 2: Operational model of TAM-based SSO to SAP ITS

Figure 2 shows the operational model of our lab environment, which consists of:
- the node tamImage.ctsc.com, where WebSEAL Version 5.1 is installed;
- the node sap2tivoli.ctsc.com with an installation of SAP ITS Version 6.20, consisting of the components WGate and AGate. Since SAP ITS requires an external Web Server, the IBM HTTP Server Version 6.0 is installed on this node as well;
- the node r3.ctsc.com, where SAP R/3 Enterprise Release 4.7 resides.

On all these nodes Windows 2000 Server is installed.

In addition, Figure 2 shows the actual flows that happen between the different nodes within an SSO scenario:
1. Using a Web browser, a user accesses SAP ITS through WebSEAL as a reverse proxy in between. Thereby WebSEAL ensures that the user is authenticated (using forms-based authentication in our scenario, which, as has been said before, is not of relevance for the discussion within this paper).
2. Once the authentication has succeeded, WebSEAL passes the request to SAP ITS using a junction configured with mutually authenticated SSL. Thereby the authenticated user ID is passed as an HTTP header variable (iv-user). Using SSL ensures the integrity of the user ID when it is transported as an HTTP header. SSL with mutual authentication enables SAP ITS to authenticate WebSEAL and therefore establishes and ensures the trust between the two parties.
3. SAP ITS forwards the user ID to the SAP R/3 backend using Secure Network Communication (SNC), an SAP proprietary technology with functionality similar to SSL, enabling a trust relationship between SAP ITS and SAP R/3.
4. The SAP R/3 system is configured to authenticate the user based on the received trusted user ID. As a result, it sends back an SAP Logon Ticket representing the user session for repeated access. SAP R/3 is set up as the ticket-issuing system.
5. SAP ITS forwards the SAP Logon Ticket to WebSEAL, which finally passes it to the browser as a session cookie. (Note: we will talk about the Logon Ticket here because it is simpler for us to use this term than "mysapsso2 cookie", even though this is a synonym.)

A prerequisite for the scenario above is that the user logs on to TAM with the same ID with which he is registered at SAP R/3. If the user IDs are different, you have to establish a mapping of user IDs either within TAM or SAP R/3, as described in [4]. Note in addition that password change is disabled at R/3 for users with SSO.

The order of description in this document follows the operational model from behind, starting with the configuration within SAP R/3, followed by the configuration of SAP ITS and WebSEAL.

3.2 Configuring SAP R/3 for SSO

This chapter describes the configuration steps to be performed within SAP R/3 for the SNC connection and the issuing of the SAP Logon Ticket. SNC is based on keys that are maintained in a key database called Personal Security Environment (PSE). For the setup of SNC a single PSE is used, which is generated on the R/3 backend and exported to SAP ITS. Assuming that you have an SAP user ID with the appropriate authorizations, perform the following steps:
1. Install the SAP Cryptographic Library on the SAP R/3 system (p. 16 of [1]).
2. Set the Trust Manager profile parameters as shown in Table 2 (p. 23 of [1]).
3. Restart the SAP system.
4. Create the SNC PSE using the transaction STRUST in the SAPGUI (p. 17 of [1]). Choose an SNC name like p:CN=IT1, OU=CTSC, O=CTSC, C=DE. Assign a password for the new PSE. Note: We observed that the SNC certificate may not contain a verification certificate.
5. Export the SNC PSE (p. 19 of [1]). After this step you may copy the PSE file to the host sap2tivoli.ctsc.com, where the SAP ITS resides.
6. Maintain the SNC System Access Control List: call transaction SM30 (p. 22 of [1]), select the table VSNCSYSACL, type E, and enter the SNC name with activation of RFC, CPIC, external ID and DIAG (Figure 3).
7. Maintain the extended user access control list (p. 22 of [1]): call transaction SM30, select the table USRACLEXT and enter the SNC name p:CN=IT1, OU=CTSC, O=IBMSAP, C=DE and user. Leave the sequence number empty (Figure 4).
8. Set the profile parameters for activating SNC (p. 22 of [1]). Within our scenario we used the values as specified in Table 3.
9. Activate issuing of logon tickets (p. 24 of [2]) by setting the profile parameters as depicted in Table 4.
10. Restart the SAP system.

Table 2: Trust Manager Profile Parameters
Profile parameter    Value
ssf/name             SAPSECULIB
ssf/ssfapi_lib       D:\usr\sap\KSC\SYS\exe\run\sapcrypto.dll
sec/libsapsecu       D:\usr\sap\KSC\SYS\exe\run\sapcrypto.dll

Figure 3: Entry within VSNCSYSACL

Figure 4: Entry within USRACLEXT

Table 3: SNC Profile Parameters
Profile parameter               Value
snc/enable                      1
snc/gssapi_lib                  D:\usr\sap\KSC\SYS\exe\run\sapcrypto.dll
snc/identity/as                 p:CN=IT1, OU=CTSC, O=CTSC, C=DE
snc/data_protection/max         3
snc/data_protection/min         1
snc/data_protection/use         1
snc/accept_insecure_cpic        1
snc/accept_insecure_rfc         1
snc/accept_insecure_gui         1
snc/accept_insecure_r3int_rfc   1

Table 4: Ticket Issuing Profile Parameters
Profile parameter               Value
login/create_sso2_ticket        2
login/accept_sso2_ticket        1
login/ticket_expiration_time    60
login/password_change_for_SSO   0

3.3 Configuring SAP ITS for SSO

Given an installation of SAP ITS as depicted in Figure 2, this section first describes the configuration of SNC between SAP ITS and SAP R/3. After that, the configuration of the underlying Web Server for enabling SSL communication with WebSEAL is introduced. Finally, the configuration of the PAS module is described.

Note: We do not configure SNC between WGate and AGate because both components reside on the

Configuration of SNC between SAP ITS and SAP R/3
1. Install the SAP Cryptographic Library on the AGate (p. 24 of [1]).
2. Load the SAP Cryptographic Library on the AGate (p. 25 of [1]).
3. Copy the PSE from the SAP system (p. 7) and install it on the AGate (p. 27 of [1]).
4. Create credentials for the AGate (p. 29 of [1]).
5. Set the AGate's service file parameters (p. 34 of [1]). We selected the value sncQoPR3 = 1.
6. Test the SNC connection between the AGate and the SAP system using the ITS Administration tool (p. 41 of [2]).

Note: ensure that in the etc/hosts file there is no entry like "127.0.0.1 localhost".

Configuration of SSL

SSL with client authentication enables SAP ITS to trust the user ID that is provided as the value of an HTTP header variable by WebSEAL. To set up the HTTP Server accordingly, perform the steps described below.

Note: we do not care in this paper about simultaneous access to the HTTP Server with mutual SSL authentication and without. This could be achieved through the definition of an
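The profile parameters of Tables 2 to 4 are what makes the R/3 side of the trust chain work, so an administrator will want to verify them after the restarts in steps 3 and 10. The following checker is an added example, not code from the paper or from IBM/SAP: it assumes an SAP instance profile in "name = value" line form and compares it against the documented values, additionally reporting the snc/accept_insecure_* flags because a value of 1 keeps accepting that connection type without SNC.

```python
# Added example (not from the paper): audit an SAP instance profile against the
# SNC and Logon Ticket parameters documented in Tables 2-4 and report deviations.
import re

CRYPTOLIB = r"D:\usr\sap\KSC\SYS\exe\run\sapcrypto.dll"  # lab path from Table 2
EXPECTED = {  # values the paper documents in Tables 2-4
    "ssf/name": "SAPSECULIB", "ssf/ssfapi_lib": CRYPTOLIB, "sec/libsapsecu": CRYPTOLIB,
    "snc/enable": "1", "snc/gssapi_lib": CRYPTOLIB,
    "snc/identity/as": "p:CN=IT1, OU=CTSC, O=CTSC, C=DE",
    "snc/data_protection/max": "3", "snc/data_protection/min": "1",
    "snc/data_protection/use": "1",
    "login/create_sso2_ticket": "2", "login/accept_sso2_ticket": "1",
    "login/ticket_expiration_time": "60", "login/password_change_for_SSO": "0",
}
# Table 3 sets these to 1, which keeps accepting that connection type without
# SNC; the audit reports them so the trust boundary is visible, not enforced.
ACCEPT_INSECURE = ("snc/accept_insecure_cpic", "snc/accept_insecure_rfc",
                   "snc/accept_insecure_gui", "snc/accept_insecure_r3int_rfc")

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"([\w/.\-]+)\s*=\s*(.*)$", line.split("#", 1)[0].strip())
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def audit(params):
    """Return sorted (severity, parameter, message) findings for a parsed profile."""
    findings = []
    for name, want in EXPECTED.items():
        got = params.get(name)
        if got is None:
            findings.append(("error", name, "missing; paper sets " + want))
        elif got != want:
            findings.append(("warn", name, "is %s; paper sets %s" % (got, want)))
    for name in ACCEPT_INSECURE:
        if params.get(name, "0") == "1":
            findings.append(("info", name, "non-SNC connections still accepted"))
    return sorted(findings)

# Constructed sample: the documented profile with one value changed, one
# parameter dropped and one accept_insecure flag set.
SAMPLE_PROFILE = "\n".join("%s = %s" % kv for kv in EXPECTED.items()) \
    .replace("snc/data_protection/min = 1", "snc/data_protection/min = 2") \
    .replace("login/password_change_for_SSO = 0", "snc/accept_insecure_gui = 1")
```

Running audit(parse_profile(SAMPLE_PROFILE)) yields one error (the missing login/password_change_for_SSO), one info entry for snc/accept_insecure_gui and one warning for the changed snc/data_protection/min.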