Configuring the J2EE Engine to Accept Logon Tickets

The J2EE Engine uses EvaluateTicketLoginModule to accept logon tickets for SSO. After receiving the logon ticket from the user’s Web browser, the J2EE Engine verifies the ticket signature based on the established trust relationship with the issuing system. Based on the ticket validity, the J2EE Engine authenticates the user. For the case when you use authentication assertion tickets for SSO between the AS ABAP and the J2EE Engine, the corresponding module is EvaluateAssertionTicketLoginModule.

To check the validity of a user’s logon ticket, the J2EE Engine must be able to verify the issuing server’s digital signature. ● If the J2EE Engine is both the ticket-issuing server as well as the accepting server, then it can automatically verify its own digital signature. ● If the ticket-issuing server is a different one, then this server’s public-key certificate must be available in the keystore view that the J2EE Engine uses for verifying logon tickets.

Open the SSO wizard by following the path System Management -> Configuration ->Trusted Systems. There are two ways to add a trusted system. 1) Add a Trusted System by connecting to it.

• In the Trusted Systems section, choose Add Trusted System -> By Querying Trusted System.
• The System Landscape Directory (SLD) opens automatically and lets you select the system you want to add. Select the system and choose OK. The connection details for the selected system are displayed automatically.
• Enter your user name and password in the provided fields and choose Next.
• The details about the selected system’s certificate appear. To add the system, choose Finish. If you want to make changes, choose Back.

2) Adding a Trusted System by Manually Uploading its Certificate.

• Export the ticket issuing Trusted System certificate.
• In the Trusted Systems section choose Add Trusted System ® By Uploading Certificate Manually.
• Enter the System ID and Client in the provided fields.
• Browse to the location of the system’s certificate. Select the certificate and choose Open.
• Choose Next. The information about the system and the certificate is displayed. To add the system as trusted, choose Finish. If you want to make changes, choose Back.

Add the login module EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) to the login module stacks for the J2EE Engine policy configurations of the application components that accept login tickets for SSO. To do this, use the Security Provider Service of the Visual Administrator.

• In the Security Provider Service choose Runtime -> Policy Configurations -> Authentication tab.
• Select the policy configuration for the application component to accept logon tickets from the Components list.
• Choose the Switch to edit mode button.
• Choose Add New. The list of available login modules for the component appears.
• Choose the EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) from the list and choose OK.

After you complete the wizard, the ticket-issuing system is shown in the Trusted Systems list. The J2EE Engine accepts logon tickets that have been issued by the corresponding server.