Thursday, October 15, 2009

Specifying the J2EE Engine Client to Use for Logon Tickets


When issuing logon tickets, it is necessary to make sure that the user's ID for which the logon ticket has been issued is unique. For SAP Web AS, this includes determining the system ID and the client where the user exists. These attributes are necessary when maintaining the access control list in accepting systems and are therefore included in the user's logon ticket.

When the J2EE Engine is the ticket-issuing system, its system ID is used as specified in the installation. Although the J2EE Engine does not have a client, it still needs to provide a client value to use for logon tickets so that the tickets can be accepted by other systems, for example, by an SAP Web AS ABAP. The default client for the J2EE Engine is 000; however, you can explicitly set a different value to use.


The system ID and client combination must be unique when tickets are to be accepted by an SAP Web AS ABAP system. Therefore, in an Add-In installation, where the system IDs are the same, you must change the default client for the J2EE Engine (000) to a client that does not exist on the SAP Web AS ABAP system.


You can specify the configuration for logon tickets either in the UME properties or in the options for the login module CreateTicketLoginModule. The configuration to use depends on the value of the property ume.configuration.active.

If you use the UME configuration, then to specify the J2EE Engine's client set the property login.ticket_client in the UME property sheet. Otherwise, set the property client in the options for the login module CreateTicketLoginModule. (The reason for these two configuration options is to provide for downward compatibility.)

See the procedures below for information about checking the ume.configuration.active property and where to set the logon ticket client property.


Checking the Property ume.configuration.active

To check the value of the property ume.configuration.active for the login module CreateTicketLoginModule, use the Security Provider service. Check for this parameter in both the policy configurations as well as in the user store configuration.


Checking the Property in the Policy Configurations

1. In the Security Provider service, choose Policy Configurations.

2. Select each template or application that uses the login module CreateTicketLoginModule, for example, the template ticket.

The login module stack for this component appears.

If you do not know which components use the login module, then check the login module stacks for all of the components.


The table below shows the login module stack for the ticket template as it is delivered with the J2EE Engine. In this case, the option ume.configuration.active=true is set in the policy configuration for the ticket template.

Ticket Template Login Module Stack

Login Modules                                          Flag        Options
com.sap.security.core.jaas.EvaluateTicketLoginModule   SUFFICIENT  {ume.configuration.active=true}
BasicPasswordLoginModule                               REQUISITE   {}
com.sap.security.core.jaas.CreateTicketLoginModule     OPTIONAL    {ume.configuration.active=true}

Checking the Property in the User Store Configuration

1. In the Security Provider service, choose the User Management tab page.

2. Choose Manage security stores.

3. Select the login module CreateTicketLoginModule and choose View / Change Properties.

Recommendation

If the ume.configuration.active property (or any other property) is set in the policy configurations and not in the login module options in the user store, then we recommend moving the setting(s) to the user store.


Reason


If properties are set in the login module options in the user store, then these properties are inherited by the policy configurations that use the corresponding login module.

However, if a property is set in the policy configurations, then no inheritance takes effect at all, not even for additional properties that are set only in the user store. Therefore, we recommend setting options only in the user store and not in the policy configurations.
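The following is an added example, not SAP code, that models the two rules this page describes: which setting supplies the ticket client depending on ume.configuration.active, and the inheritance rule between the user store and the policy configurations. It assumes ume.configuration.active is false when unset, that both client settings default to 000, and that the function and variable names are hypothetical (the real engine reads these values from its configuration).

```python
# Added example (not SAP's code): a small model of the rules this page describes,
# used to work out which client value ends up in a logon ticket and whether it
# clashes with an ABAP client in an Add-In installation. All names below are
# hypothetical; the real engine reads these settings from its configuration.
DEFAULT_CLIENT = "000"  # default client of the J2EE Engine (from the text)

def effective_options(user_store_options, policy_config_options):
    """Return the options the login module actually sees.

    Options set in the user store are inherited by the policy configuration,
    but as soon as the policy configuration sets any option itself, no
    inheritance takes place at all (the page's "Reason" section).
    """
    if policy_config_options:
        return dict(policy_config_options)
    return dict(user_store_options)

def ticket_client(ume_properties, user_store_options, policy_config_options):
    """Resolve the client written into logon tickets by CreateTicketLoginModule."""
    opts = effective_options(user_store_options, policy_config_options)
    ume_active = opts.get("ume.configuration.active", "false").lower() == "true"
    if ume_active:
        # UME configuration is active: the UME property sheet wins.
        return ume_properties.get("login.ticket_client", DEFAULT_CLIENT)
    # Otherwise the login module option 'client' is used.
    return opts.get("client", DEFAULT_CLIENT)

def check_add_in_client(j2ee_sid, abap_sid, client, abap_clients):
    """In an Add-In installation (same SID) the J2EE client must not exist in ABAP.

    Returns a list of findings; empty means the SID/client pair is unique.
    """
    findings = []
    if j2ee_sid == abap_sid and client in abap_clients:
        findings.append(
            f"client {client} of J2EE Engine {j2ee_sid} also exists on ABAP "
            f"system {abap_sid}; tickets would not be uniquely identifiable")
    return findings

if __name__ == "__main__":
    # Constructed sample: Add-In installation, defaults left untouched.
    user_store = {"ume.configuration.active": "true"}
    policy = {}  # nothing set in the policy configuration, so it inherits
    client = ticket_client({}, user_store, policy)
    for f in check_add_in_client("NW1", "NW1", client, {"000", "001", "100"}):
        print("FINDING:", f)
    # Corrected: login.ticket_client set to a client absent from ABAP.
    client = ticket_client({"login.ticket_client": "999"}, user_store, policy)
    print(check_add_in_client("NW1", "NW1", client, {"000", "001", "100"}))
```

The first run reports the default client 000 colliding with ABAP client 000 of the same SID; after setting login.ticket_client to an unused client the check returns no findings.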
