Using the Security Protocol 
Web service clients use the HTTP protocol for sending SOAP requests to the server. SAP J2EE Engine supports the following authentication options:
· User name and password (HTTP Basic Authentication) using plain HTTP (no SSL)
· User name and password (HTTP Basic Authentication) using HTTP secured through SSL
· X.509 Client Certificates using HTTP secured through SSL
· SAP Logon Tickets using HTTP
· SAP Logon Tickets using HTTP secured through SSL
For standalone proxies, authentication must be configured through the Client Security Protocol. For deployable proxies, a destination in the destination service is created for each logical port. Each Web service destination can be configured using the destination service in the Visual Administrator.
The authentication data is set using the Client Security Protocol, accessed through the Virtual Interface.

```java
// Obtain the logical port of the generated standalone proxy.
StockWSImpl ws = new StockWSImpl();
Remote remote = ws.getLogicalPort(StockWS2ViRpc.class);
StockWS2ViRpc stocksWS = (StockWS2ViRpc) remote;

// The same object is the generated stub, which exposes the Security Protocol.
BaseGeneratedStub stub = (BaseGeneratedStub) remote;
SecurityProtocol securityProtocol =
    (SecurityProtocol) stub._getGlobalProtocols().getProtocol("SecurityProtocol");
AuthenticationContext authenticationContext = securityProtocol.getAuthenticationContext();
```
· Using user name and password for authentication
These are set with the AuthenticationContext methods:
  ◦ public void setPassword(String password)
  ◦ public void setUsername(String username)
· Using X.509 Client Certificates
The AuthenticationContext provides the following method for passing client certificates for authentication:
  ◦ public void addClientCertificate(X509Certificate[] certificates, PrivateKey privateKey) throws KeyStoreException
· Other SSL options
By default, the proxy accepts any certificate presented by the server that provides the Web service, so the server certificate is not checked. If an application needs to check SSL server certificates, use the following method of the AuthenticationContext:
  ◦ public void setIgnoreSSLServerCertificate(boolean ignoreSSLServerCertificate)
To pass the server certificates as a java.util.List of java.security.cert.X509Certificate objects, use:
  ◦ public void setServerCertificateList(List serverCertificateList)
· Setting HTTP headers
To set additional HTTP headers, use the following method of the Client Security Protocol:
  ◦ public void addHeader(String key, String value)

When using the Client Security Protocol from an application or library running in the engine (i.e. from a Web Dynpro application), you need to set a classloader reference to the service tc~sec~wssec~service.
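The server certificate options for standalone proxies described above take a List of X509Certificate objects. The following is an added example, not SAP's code: it uses only the JDK (Java 7 or later assumed) to load the expected server certificates from a PEM or DER file and refuses expired entries or an empty result. The class name, the file argument, the variable ctx and the meaning of false in the commented hand-off are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added example (not SAP code): builds the List for setServerCertificateList(List).
public final class TrustedServerCertificates {

    // Reads one or more PEM or DER certificates from certFile.
    // Throws if any certificate is expired or not yet valid, or if none is found.
    public static List<X509Certificate> load(Path certFile)
            throws IOException, CertificateException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        List<X509Certificate> trusted = new ArrayList<>();
        try (InputStream in = Files.newInputStream(certFile)) {
            for (Certificate c : factory.generateCertificates(in)) {
                X509Certificate cert = (X509Certificate) c;
                cert.checkValidity(); // CertificateExpiredException / CertificateNotYetValidException
                trusted.add(cert);
            }
        }
        // Fail closed: an empty list must never reach the proxy configuration.
        if (trusted.isEmpty()) {
            throw new CertificateException("no certificates found in " + certFile);
        }
        return trusted;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the expected server certificate file (supplied by the caller).
        List<X509Certificate> trusted = load(Paths.get(args[0]));
        for (X509Certificate cert : trusted) {
            System.out.println(cert.getSubjectX500Principal() + " valid until " + cert.getNotAfter());
        }
        // Hand-off to the proxy; ctx is the AuthenticationContext from the SecurityProtocol.
        // Assumption: false switches the default accept-any behaviour off.
        //   ctx.setIgnoreSSLServerCertificate(false);
        //   ctx.setServerCertificateList(trusted);
    }
}
```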
For each logical port of a deployable proxy, a destination is created in the Destination Service. You can edit the destination in the Visual Administrator. All data in the destinations is stored in the Secure Storage Service. To configure the destinations for your logical port, start the SAP J2EE Engine Visual Administrator and select the Destination Service.
· Using user name and password for authentication
Select the destination from the left-hand frame and choose BASIC from the Authentication drop-down menu. The Basic Authentication section is enabled and you can enter a user name and password. If the SAP Crypto Toolkit has been installed, the data is encrypted by Secure Storage.

· Using X.509 Client Certificates
Select a destination and select X.509 Client Certification from the Authentication drop-down menu. The X.509 client certificates are stored in the Keystore Service. The Client Certificates Authentication section is enabled and you can select the keystore view and certificate from the corresponding drop-down menus.
· Using SAP Logon Ticket
If the server calls a Web service in another SAP system on behalf of a user, the Web service proxy can provide the user identity in an SAP Logon Ticket.
To enable this feature, perform the following steps:
  ◦ Select SAP Logon Ticket from the Authentication drop-down menu.
  ◦ Ensure that the JAAS Login Stack of the application (to which the user connects initially) contains CreateTicketLoginModule. A ticket is created for the user.
· Other SSL options
By default, any certificate of the server that provides the Web service is accepted. If an application needs to check for server certificates, the server certificates accepted by the Web service proxy can be limited to certificates that are stored in the Keystore Service.
To limit the accepted server certificates, choose Accept Certificates in Keystore View and select a keystore view.
