Agent For SAP Web AS Guide - Broadcom Inc.


CA SiteMinder Agent for SAP Web AS Guide r12.0, Second Edition

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA.

Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright 2012 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

SiteMinder Agent for SAP Web AS Product References

This document references the following CA Technologies products:
- CA Technologies SiteMinder
- CA Technologies SiteMinder SessionLinker
- CA Technologies Federation Manager

Contact CA Technologies

Contact CA Support

For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:
- Online and telephone contact information for technical assistance and customer services
- Information about user communities and forums
- Product and documentation downloads
- CA Support policies and guidelines
- Other helpful resources appropriate for your product

Providing Feedback About Product Documentation

If you have comments or questions about CA Technologies product documentation, you can send a message to techpubs@ca.com.

To provide feedback about CA Technologies product documentation, complete our short customer survey, which is available on the CA Support website at http://ca.com/docs.

Contents

Chapter 1: Overview and Architecture ... 9
  SiteMinder SSO Options for SAP Web Application Server ... 9
  SiteMinder Agent for SAP Web AS Integration ... 10
  SiteMinder Agent for SAP Web AS Authentication Modes ... 11
  Components in a SiteMinder Agent for SAP Web Application Server Environment ... 12
  User or Client ... 12
  Front-End Web Server ... 12
  SiteMinder Policy Server ... 13
  Web AS J2EE Engine ... 13
  Federation Manager ... 14

Chapter 2: SiteMinder Agent for SAP Web AS Deployment Examples ... 15
  Case 1: SiteMinder Agent for SAP Web AS SSO Mode ... 15
  How Use Case 1 Works ... 16
  Case 2: Federation Manager with the SiteMinder Agent for SAP Web AS ... 18
  How Use Case 2 Works ... 19
  Case 3: Agent for SAP Web AS and Federation Manager with the SiteMinder Connector ... 19
  How Use Case 3 Works ... 21

Chapter 3: Install and Configure the SiteMinder Agent ... 23
  Gather Installation Information ... 23
  Run the SiteMinder Agent for SAP Web AS Installation Wizard on Windows ... 24
  Run the SiteMinder Agent for SAP Web AS Installation Wizard on UNIX or Linux ... 25
  Gather Information for the Configuration Wizard ... 26
  Gather Configuration Information for your Authentication Mode ... 26
  Gather Information to Configure Your SSO Mode ... 26
  Gather Information to Configure Your Federation Mode ... 29
  Run the SiteMinder Agent for SAP Web AS Configuration Wizard ... 30

Chapter 4: Configuration for SSO Mode with SiteMinder ... 33
  How to Prepare for a SiteMinder Agent for SAP Web AS Installation ... 33
  Configure the Front-End Web Server ... 33
  Verify the Configuration of MYSAPSSO2 Tickets ... 34
  Map a SiteMinder User as a Web AS User ... 35
  Enable the SiteMinder Agent ... 35
  Configure an Active Response for the SessionLinker ... 36
  Configure SiteMinder Web Agent ... 37
  Configure SiteMinder Policies ... 37
  Installing and Verifying with the Test Page ... 38
  Install the Test Page ... 38
  Verify the SiteMinder Agent Configuration for Web AS ... 39

Chapter 5: Configuration for Federation Mode with Federation Manager ... 41
  Intended Audience ... 41
  Federation Partnership Overview ... 41
  Considerations for the Asserting Party Configuration ... 42
  How To Configure the Relying Party in a Federation Partnership ... 43
  User Identification Based on an Assertion Attribute ... 45
  SAP Web AS User Identification ... 46
  SSO Configuration for Federation Mode ... 46
  Single Logout Configuration for Federation Mode ... 47
  Identity Cookie Settings for Federation Mode ... 48
  Assertion Attribute Use by the Target SAP Application ... 49

Chapter 6: Configure SAP Web Application Server 7.0 and the Agent for SAP Web AS to Work Together ... 51
  Guidelines for Updating SiteMinder Policies ... 51
  Change the Configuration of the SAP J2EE Engine ... 52
  Deploy and View SiteMinderLoginModule.sda ... 52
  Prerequisites ... 52
  Deploy SiteMinderLoginModule.sda ... 53
  View the Deployed SiteMinderLoginModule.sda ... 54
  Configure SiteMinderLoginModule ... 54
  Create an Authentication Template ... 55
  Select Applications to Use the Authentication Template ... 56
  How to Confirm your SiteMinder Protection ... 56
  Deploy the Test Application ... 56
  Configure the Test Application ... 57
  Configure the Enterprise Portal Authentication Scheme ... 59
  How to Configure the SiteMinder Settings ... 61
  Configure the LogOff URL of the Enterprise Portal (7.0) ... 62

Chapter 7: Configure SAP Web Application Server 7.1-7.3 and the Agent for SAP Web AS to Work Together ... 63
  Guidelines for Updating SiteMinder Policies ... 63
  Change the Configuration of the SAP J2EE Engine ... 64
  Deploy the SiteMinderLoginModule.sda ... 64
  Add a Property for the SiteMinder Login Module Using the AS Java Config Tool ... 65
  Configure the SiteMinder Login Module Using SAP NetWeaver Administrator ... 65
  Create an Authentication Template Using SAP NetWeaver Administrator ... 66
  Configure the LogOff URL of the Enterprise Portal ... 66
  Configure a SiteMinder Authentication Scheme for the Enterprise Portal ... 67
  Configure SiteMinder to Protect the Enterprise Portal ... 70

Chapter 8: Upgrade the SiteMinder Agent for SAP Web AS ... 71
  How to Prepare for a SiteMinder Agent for SAP Web AS Upgrade ... 71
  Gather the Information for your SiteMinder Agent for SAP Web AS Upgrade ... 71
  Run the Installation Wizard to Upgrade your SiteMinder Agent for SAP Web AS on Windows ... 72
  Run the Installation Wizard to Upgrade your SiteMinder Agent for SAP Web AS on UNIX/Linux ... 73

Chapter 9: Remove the SiteMinder Agent for SAP Web AS ... 75
  Remove the SiteMinder Agent for SAP Web AS from Windows ... 75
  Remove the SiteMinder Agent for SAP Web AS from UNIX/Linux ... 75

Chapter 10: Troubleshooting the SiteMinder Agent for SAP Web AS ... 77
  Verify the SiteMinder Policies ... 77
  Check the Web Agent Log ... 78
  Temporarily Disable the Session Linker ... 78
  Examine Web AS Log Files and Traces ... 78

Chapter 11: SiteMinder Agent for SAP Web AS Log Messages ... 79

Appendix A: Front-End Web Server Configuration ... 91
  Apache Web Server ... 91
  Verify an Apache Web Server Configuration - Example ... 91
  Sun Java Systems Web Server ... 92
  Verify a Sun Java Systems Web Server Configuration Using RPP - Example ... 92

Appendix B: NPSEncrypt and NPSVersion Tools ... 95
  NPSEncrypt Tool ... 95
  NPSVersion Tool ... 97

Appendix C: Platform Support ... 99
  Locate the SiteMinder Platform Support Matrix ... 99

Appendix D: Worksheets ... 101
  SiteMinder Agent for SAP Web AS Installation Worksheet ... 101
  SiteMinder Agent for SAP Web AS SSO Mode Configuration Worksheet ... 101
  SiteMinder Agent for SAP Web AS Federation Mode Configuration Worksheet ... 102

Index ... 105

Chapter 1: Overview and Architecture

This section contains the following topics:
- SiteMinder SSO Options for SAP Web Application Server (see page 9)
- SiteMinder Agent for SAP Web AS Integration (see page 10)
- SiteMinder Agent for SAP Web AS Authentication Modes (see page 11)
- Components in a SiteMinder Agent for SAP Web Application Server Environment (see page 12)

SiteMinder SSO Options for SAP Web Application Server

SiteMinder supports the following SSO deployment options for the SAP Web Application Server (SAP Web AS):

Tier-1
A SiteMinder Web Agent hosted on a front-end web server provides authentication. The web server acts as a proxy for requests to the SAP Web Application Server.

A Tier-1 solution is the minimum requirement for SSO. However, Tier-1 solutions have the following limitations:
- The ERP solution trusts information sent from the security solution and does no verification.
- The point of trust is the web server, which can reside in the DMZ.

Two security options apply:

Option 1
User credentials are stored in the ERP database/directory. The database/directory may not be encrypted, and may be located on the web server, leaving user information vulnerable to attack.

Option 2
Users log on to the ERP solution as a super user, masking the identity of the true user.

Tier-2
A SiteMinder ERP Connector hosted on the ERP system provides authentication. SiteMinder and ERP session linkages are maintained using the SessionLinker.

The SiteMinder Agent for SAP Web AS is a Tier-2 solution that enables the ERP solution to verify that information that is passed by SiteMinder was in fact sent by SiteMinder. This critical capability ensures that even internal users cannot compromise the SAP system by presenting unverified identity information.

Using the SiteMinder Agent for SAP Web AS has the following benefits:
- The points of trust are the ERP Connector and the SiteMinder Policy Server.
- Users can be authenticated at the main application site when they first log in and then move seamlessly to any ERP application without being prompted for credentials.
  - SiteMinder assumes responsibility for authentication.
  - SiteMinder integrates with the user directory and/or database, so there is no need to store user credentials in multiple locations.

SiteMinder Agent for SAP Web AS Integration

The SiteMinder Agent for SAP Web AS provides seamless single sign-on (SSO) integration among the following types of applications:
- SAP applications
- Web Application Server J2EE applications
- Enterprise Portal applications
- Non-SAP applications
- Non-Web AS applications

The Web AS J2EE engine lets you integrate a third-party authentication product with the standard Pluggable Authentication Module (PAM) framework. You can protect applications that are deployed on the Web AS J2EE engine with a Login Stack or Authentication template. Create the template from a standard or custom Java Authentication and Authorization Service (JAAS) login module.

The Java Authentication and Authorization Service (JAAS), from Sun Microsystems, implements a Java technology version of the standard PAM framework, and supports user-based authorization.

You can customize the Login Stack or the Authentication template to use a set of JAAS-based login modules arranged in a particular order in the login stack. A custom login module that is based on the JAAS framework can be developed and registered with the Security Provider service offered with the Web AS J2EE engine. This engine provides a pluggable mode of developing and deploying the login modules independently of the application, which uses the module as a part of the login stack protecting the application.

The Enterprise Portal from SAP also allows usage of the custom login module, as part of the login stack, to act as an authentication mechanism for access to the Enterprise Portal. You can modify the Enterprise Portal authentication scheme. The authentication scheme references an authentication template or login stack inside the SAP Web AS.

The SiteMinder Agent for SAP Web AS is the SSO solution for integration with SAP Web AS. The agent specifically addresses SSO with J2EE-based applications deployed on the SAP Web AS J2EE engine, including the Enterprise Portal application. The current solution also allows these SSO capabilities to be extended to applications deployed outside of SAP Web AS.

The SiteMinder Agent for SAP Web AS solution provides increased security using a Tier-2 session validation, whereby the point of trust is moved from the web server to the SAP Web AS J2EE engine.

Many web-based applications use an independent session management scheme, such as a session cookie or session ticket. Therefore, these applications can bypass the SiteMinder replay prevention and session management logic. The possibility that the SiteMinder and application sessions can become asynchronous to each other is one of the main security problems when integrating applications that maintain their own sessions. The SiteMinder Agent for SAP Web AS solution includes the SessionLinker component to prevent session synchronization issues. The SessionLinker web server plug-in monitors the SiteMinder Session ID header against the Web AS session ticket. When the two sessions diverge, the SessionLinker acts: it prevents the application from operating until a new session within the SAP Web AS is established.

In addition to providing enhanced security, the SiteMinder Agent for SAP Web AS lets you leverage the increased number of authentication mechanisms available with SiteMinder.

Note: The SiteMinder Agent for SAP Web AS only controls the authentication for the applications that are deployed on the SAP Web AS and for the Enterprise Portal. The SAP Web AS J2EE engine itself controls and administers all authorizations and roles.

SiteMinder Agent for SAP Web AS Authentication Modes

The SiteMinder Agent for SAP Web AS uses either one or both of the following modes to authenticate users:

SSO Mode
Validates user sessions against the SiteMinder Policy Server, which confirms that the SMSESSION cookie the user presents is legitimate. The SiteMinder Policy Server returns the ID of the SAP Web AS user in a SiteMinder active response to the SiteMinder Agent for SAP Web AS, which asserts that ID to the SAP Web Application Server. The SAP Web Application Server authorizes the user.

Federation Mode
Receives Federation Profile cookies from CA Technologies Federation Manager. The SiteMinder Agent for SAP Web AS extracts the contents of the cookie, and then asserts the SP-side user ID and the user attributes (from the cookie) to the SAP Web Application Server. The SAP Web Application Server authorizes the user.

Both modes can be used together. For example, you can use the SSO mode to authenticate the users inside your organization, and you can use the Federation mode to authenticate users outside of your organization. However, only one mode can be used in a web browser session.

If both modes are used together and the user is authenticated by both SiteMinder and Federation Manager, then the SiteMinder authentication takes priority. For example, if Federation Manager operates with the SiteMinder Connector enabled, then the SiteMinder authentications take priority over the Federation Manager authentications.

More information:
Case 3: Agent for SAP Web AS and Federation Manager with the SiteMinder Connector (see page 19)

Components in a SiteMinder Agent for SAP Web Application Server Environment

The components used by a SiteMinder Agent for SAP Web Application Server include the following items:

User or Client

A user refers to a web browser of an end user. A client is the HTTP-based web client, which accesses the J2EE engine of the SAP Web Application Server.

Front-End Web Server

When the SiteMinder Agent for SAP Web AS operates in SSO mode, the agent-supported web server runs as a front-end to the SAP Web Application Server J2EE engine. The applications that are deployed on the J2EE engine are accessible through the SiteMinder-supported front-end web server.

The SiteMinder Web Agent is configured on the web server, which protects the application on this web server and the J2EE engine that is accessed through the web server.

The web server also hosts the SiteMinder SessionLinker web server plug-in. The SessionLinker intercepts the requests and tracks the Web AS J2EE session against the SiteMinder Session ID using the following items:
- The MYSAPSSO2 ticket
- The JSESSIONID cookie

The SiteMinder SessionLinker synchronizes the SiteMinder session with the third-party application session for better security. For example, if a user logs out of the third-party application, the SiteMinder SessionLinker logs the user out of SiteMinder. Conversely, if a user logs out of SiteMinder, the SessionLinker invalidates the related session of the third-party application.

Note: The SiteMinder SessionLinker only supports a SiteMinder Agent for SAP Web AS that is running in SSO Mode. The SiteMinder SessionLinker is not used when a SiteMinder Agent for SAP Web AS operates in Federation Mode.

SiteMinder Policy Server

When the SiteMinder Agent for SAP Web AS operates in SSO mode, the SiteMinder Policy Server governs access to the applications deployed on the web server and the SAP Web Application Server J2EE engine.

The Policy Server also hosts the SessionLinker Policy Server plug-in.

Note: The SessionLinker only supports a SiteMinder Agent for SAP Web AS that is running in SSO Mode. The SessionLinker is not used when a SiteMinder Agent for SAP Web AS operates in Federation Mode.

Web AS J2EE Engine

The SAP Web Application Server J2EE engine is a J2EE-compliant operating environment for running J2EE applications. Login stacks or authentication templates protect the applications that are deployed on the J2EE engine. The login stacks or authentication templates consist of JAAS-compliant login modules, which are also deployed on the J2EE engine.
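The session-linking behaviour described in the Authentication Modes section and in the Front-End Web Server component description above (bind the SiteMinder session to the Web AS JSESSIONID cookie and MYSAPSSO2 ticket, act when they diverge, and propagate a logout on either side to the other) is easier to reason about as code. The following Python model is an added example, not the SessionLinker plug-in's own implementation: the decision names ("deny", "allow", "link", "invalidate"), the two lookup tables, and the rule that any divergence drops the pairing so the application cannot continue until a new Web AS session is established are assumptions made for illustration.

```python
"""Constructed model of SiteMinder-to-Web AS session linking (added example)."""
from typing import Dict, List, Optional, Tuple

# A Web AS session is identified by the pair (JSESSIONID cookie, MYSAPSSO2 ticket).
AppSession = Tuple[Optional[str], Optional[str]]


class SessionLinker:
    """Tracks which SiteMinder session each Web AS session belongs to."""

    def __init__(self) -> None:
        self._app_by_sm: Dict[str, AppSession] = {}  # SiteMinder session -> app session
        self._sm_by_app: Dict[AppSession, str] = {}  # app session -> SiteMinder session

    def check(self, sm_session_id: Optional[str],
              jsessionid: Optional[str], mysapsso2: Optional[str]) -> str:
        """Decide one request: "deny", "allow", "link" or "invalidate"."""
        if not sm_session_id:
            # No SiteMinder Session ID header: the Web Agent should have challenged.
            return "deny"
        if jsessionid is None and mysapsso2 is None:
            # First request for this user: the login stack has not created
            # a Web AS session yet, so there is nothing to compare.
            return "allow"
        app = (jsessionid, mysapsso2)
        linked_app = self._app_by_sm.get(sm_session_id)
        owner_sm = self._sm_by_app.get(app)
        if linked_app is None and owner_sm is None:
            # New pairing: remember it so later requests are compared against it.
            self._app_by_sm[sm_session_id] = app
            self._sm_by_app[app] = sm_session_id
            return "link"
        if linked_app == app and owner_sm == sm_session_id:
            return "allow"  # both sides still agree
        # Divergence: the SiteMinder session and the Web AS session no longer
        # match (either side changed). Drop the stale links on both sides so
        # the application cannot proceed until a new Web AS session is made.
        self._unlink(sm_session_id)
        if owner_sm is not None:
            self._unlink(owner_sm)
        return "invalidate"

    def _unlink(self, sm_session_id: str) -> Optional[AppSession]:
        app = self._app_by_sm.pop(sm_session_id, None)
        if app is not None:
            self._sm_by_app.pop(app, None)
        return app

    def siteminder_logout(self, sm_session_id: str) -> Optional[AppSession]:
        """SiteMinder session ended: return the Web AS session to invalidate."""
        return self._unlink(sm_session_id)

    def application_logout(self, jsessionid: Optional[str],
                           mysapsso2: Optional[str]) -> Optional[str]:
        """Web AS session ended: return the SiteMinder session to log out."""
        owner_sm = self._sm_by_app.get((jsessionid, mysapsso2))
        if owner_sm is not None:
            self._unlink(owner_sm)
        return owner_sm


def run_linker_demo() -> List[str]:
    """Replay a constructed request sequence; returns the decisions in order."""
    linker = SessionLinker()
    return [
        linker.check("SM-A", None, None),       # allow: no Web AS session yet
        linker.check("SM-A", "JS-1", "TKT-1"),  # link: first pairing
        linker.check("SM-A", "JS-1", "TKT-1"),  # allow: still in step
        linker.check("SM-B", "JS-1", "TKT-1"),  # invalidate: other SM session, same app session
        linker.check("SM-A", "JS-2", "TKT-2"),  # link: fresh pairing after re-establishment
        linker.check("SM-A", "JS-9", "TKT-9"),  # invalidate: same SM session, different app session
        linker.check(None, "JS-2", "TKT-2"),    # deny: no SiteMinder session at all
    ]


if __name__ == "__main__":
    print(run_linker_demo())
```

The two-way lookup is the point: a check keyed only on the SiteMinder session would miss the case where an existing Web AS session turns up under a different SiteMinder session, and the logout helpers need the reverse direction so that either side ending can terminate the other, as the component description requires.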

The following login modules are deployed as part of the login stack:

SiteMinderLoginModule
Custom JAAS-compliant login module that validates the SiteMinder session of the user with the SiteMinder Java Agent API.

CreateTicketLoginModule
Web AS J2EE engine login module, which creates the MYSAPSSO2 ticket for the authenticated user. The J2EE engine supports the use of logon tickets for SSO in an SAP system environment. The logon ticket is stored as a session cookie, named MYSAPSSO2, in the web browser of the user.

Federation Manager

CA Federation Manager enables customers to establish federated partnerships in a flexible way, together with or independent of a web access management system. Federation Manager supports standards-based federation. Organizations act as the asserting party, providing user authentication and assertion of identity, or as the relying party, consuming the identity to allow access to web resources and services.
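The Tier-1 limitation named in the SSO options section (the ERP solution trusts what the front-end sends and does no verification) and the Tier-2 check that SSO mode and the SiteMinderLoginModule perform (validate the SMSESSION with the Policy Server and take the SAP user ID from its active response) are contrasted in the following Python example. This is added illustration code, not the agent's login module or the Java Agent API: the PolicyServerStub, the ActiveResponse shape, and the SM_USER header name used for the forwarded user name are assumptions; the session values and user IDs are constructed.

```python
"""Constructed contrast of Tier-1 (trust the proxy) and Tier-2 (validate with
the Policy Server) identity handling. Added example, not product code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ActiveResponse:
    """Stand-in for the active response that carries the SAP Web AS user ID."""
    sap_user: str


class PolicyServerStub:
    """Stand-in for the SiteMinder Policy Server: it knows which SMSESSION
    values it issued and which SAP Web AS user each maps to (constructed)."""

    def __init__(self, issued_sessions: Dict[str, str]) -> None:
        self._sessions = dict(issued_sessions)

    def validate(self, smsession: Optional[str]) -> Optional[ActiveResponse]:
        # Absent or unknown session: no identity is asserted at all.
        if not smsession or smsession not in self._sessions:
            return None
        return ActiveResponse(sap_user=self._sessions[smsession])


def parse_cookies(cookie_header: str) -> Dict[str, str]:
    """Split a Cookie request header into a name -> value dict."""
    cookies: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def tier1_identify(headers: Dict[str, str]) -> Optional[str]:
    """Tier-1 pattern the guide warns about: the application takes the user
    name the front-end web server forwarded and performs no verification."""
    return headers.get("SM_USER")


def tier2_identify(headers: Dict[str, str],
                   policy_server: PolicyServerStub) -> Optional[str]:
    """Tier-2 pattern: the SAP user ID is whatever the Policy Server returns
    for the presented SMSESSION cookie; a forwarded user name is ignored."""
    smsession = parse_cookies(headers.get("Cookie", "")).get("SMSESSION")
    response = policy_server.validate(smsession)
    return response.sap_user if response else None


def run_validation_demo() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Run both patterns over constructed requests: {label: (tier1, tier2)}."""
    policy_server = PolicyServerStub({"sess-7f3a": "JSMITH"})
    requests = {
        # A session the Policy Server actually issued.
        "valid": {"SM_USER": "JSMITH", "Cookie": "JSESSIONID=abc; SMSESSION=sess-7f3a"},
        # A session value the Policy Server never issued, with a user name attached.
        "unknown_session": {"SM_USER": "ADMIN", "Cookie": "SMSESSION=sess-0000"},
        # No SiteMinder session at all.
        "no_session": {"SM_USER": "ADMIN"},
    }
    return {label: (tier1_identify(h), tier2_identify(h, policy_server))
            for label, h in requests.items()}


if __name__ == "__main__":
    for label, result in run_validation_demo().items():
        print(f"{label}: tier1={result[0]!r} tier2={result[1]!r}")
```

Only the "valid" request yields a user under the Tier-2 pattern; the other two yield no identity, which is what moving the point of trust to the Policy Server buys: the J2EE engine never acts on a name it could not verify.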

Chapter 2: SiteMinder Agent for SAP Web AS Deployment Examples

This section contains the following topics:
- Case 1: SiteMinder Agent for SAP Web AS SSO Mode (see page 15)
- Case 2: Federation Manager with the SiteMinder Agent for SAP Web AS (see page 18)
- Case 3: Agent for SAP Web AS and Federation Manager with the SiteMinder Connector (see page 19)

Case 1: SiteMinder Agent for SAP Web AS SSO Mode

Use case 1 is a deployment in which the SiteMinder Agent for SAP Web AS protects the resources on the SAP Web AS in SSO mode. A deployed SiteMinder system integrates with the SiteMinder Agent for SAP Web AS, and authenticates users to the SAP Web AS.

The following illustration shows this deployment with the SiteMinder Web Agent, and the SiteMinder Agent for SAP Web
