
SAP NetWeaver 7.3
Secured by RSA Implementation Guide for Portal Servers and Web-Based Applications
Last Modified January 8, 2013

Partner Information
Partner Name: SAP
Web Site: www.sap.com

Product Information
Product Name: SAP NetWeaver
Version & Platform: 7.3
Product Description: A comprehensive integration and application platform, SAP NetWeaver
works with your existing IT infrastructure to enable and manage change. With SAP NetWeaver,
you can flexibly and rapidly design, build, implement, and execute new business strategies and
processes. You can also drive innovation throughout your organization by combining existing
systems while maintaining a sustainable cost structure. SAP NetWeaver embraces Internet
standards such as HTTP, XML, and Web services, ensuring openness and interoperability with
Microsoft .NET and Java 2 Platform Enterprise Edition (J2EE) environments.

Solution Summary
SAP NetWeaver supports third-party Java Authentication and Authorization Service (JAAS) login
modules to enhance the capabilities of its authentication process. RSA offers a custom, pluggable JAAS
module for SAP NetWeaver that can be deployed to enable RSA Access Manager authentication and
Web Single Sign-On (SSO) for SAP users.
SAP's security framework allows administrators to combine predefined and custom login modules in what
are known as login stacks. This guide details how the RSA login module can be placed in a login stack
that also includes modules for issuing and validating SAP SSO login tickets [1]. Once this stack is
configured to protect an SAP application, authenticated users will have access to applications both
internal and external to SAP without needing to re-authenticate.
Note: The SAP Web Application Server also provides a login module called
HeaderVariableLoginModule, which reads an authenticated user's ID from an HTTP header variable
and uses it to create an SAP SSO login ticket. This login module can also be used in conjunction with
RSA Access Manager to read the ct-remote-user header variable. Consult the SAP Help Portal for more
information on how to do this.

To enable the integration, an RSA Access Manager Web Agent must be installed on a Web server acting
as a reverse proxy to the SAP Java Application Server (AS) and configured to protect SAP resources. The
RSA login module, RSAAccessManagerLoginModuleNW73EAR, is deployed on the SAP AS, configured to
retrieve details about the current user's authentication status and identity, and combined with SAP login
modules on a login stack.
When a user [2] tries to access a protected NetWeaver resource via the proxy server, the RSA Web Server
Agent intercepts the request and redirects the user to an Access Manager login page. After a successful
authentication, the agent creates an RSA Access Manager SSO token cookie and redirects the user to
NetWeaver.
The NetWeaver server loads the ticket template and calls the first module in its login module stack,
EvaluateTicketLoginModule. This module determines whether an SAP SSO login ticket has already been
created. If it finds a ticket, the server creates a NetWeaver session and redirects the user to the
requested resource. If not, the server calls RSAAccessManagerLoginModuleNW73EAR. This module
retrieves the authenticated user name and passes it to RSA Access Manager for validation. Once the
user has been validated, SAP calls CreateTicketLoginModule, which creates an SAP SSO login ticket
and a NetWeaver session, and redirects the user to the requested resource.
Partner Integration Overview
Use UserID for SSO: Yes (via RuntimeAPI)
Use UserID for Personalization: Yes
Recognize Authentication Type: N/A
API-level Authorization Support (RuntimeAPI): No
User Management (AdminAPI): Via Shared User Repository (LDAP)

[1] For more information about SAP Login Modules, Login Stacks and SSO Login Tickets, see the Login Modules section in the SAP
NetWeaver Application Server Security Guide.
[2] Note that the user must exist (with the same username) in both SAP and RSA Access Manager. In addition, the user must be
authenticating against the SAP Login Ticket Template.


Product Requirements
SAP Product Requirements
The following SAP products are required to complete this integration:

- SAP NetWeaver 7.3
- SAP NetWeaver Administrator 7.3
- SAP NetWeaver Developer Studio 7.3

Consult the latest release notes and installation guides for up-to-date hardware and software
requirements for each of these products.

RSA Access Manager Requirements

The integration requires a Web server that is supported by RSA Access Manager. See the RSA Access
Manager 6.1 technical specifications at http://www.rsa.com/node.aspx?id=1190 for a list of supported
servers. This server will be configured as a reverse proxy to the SAP NetWeaver Application Server.

Integration Modules

The integration requires a copy of the RSAAccessManagerLoginModuleNW73EAR login module. The
module can be downloaded from the following link:
https://sftp.rsa.com/human.aspx?Username=partner&password=rsasecured&arg01=868072044&arg12=downloaddirect&transaction=signon&quiet=true
Important: If you experience a problem downloading the module when you click the link, copy and
paste the URL into your browser's address field.

Integration Modules
File Name: RSAAccessManagerLoginModuleNW73EAR.ear
Destination: The local temporary directory


Product Configuration
Before You Begin
This section provides instructions for integrating SAP NetWeaver with RSA Access Manager. This
document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has sufficient knowledge of each product to perform the tasks outlined in
this section, as well as access to the appropriate documentation for installing and administering the
required software components.
All products/components must be installed and working prior to this integration. Perform the necessary
tests to confirm that this is true before proceeding.

Prerequisites
Ensure that you have satisfied the following prerequisites before beginning the integration:

- Install SAP NetWeaver Administrator 7.3 and SAP NetWeaver Developer Studio 7.3. You must
have administrative access to these applications to complete the instructions in this guide.
- Install an RSA Access Manager-supported Web server as a reverse proxy to NetWeaver.
- Install the appropriate RSA Access Manager agent on the proxy server.
- Ensure that there is a one-to-one relationship between the SAP and RSA usernames of the users who
will be authenticating against the RSA Login Module. Note that if the usernames don't match, they can
be mapped to one another using the module's user_property parameter, provided that the RSA
users contain an attribute that matches the SAP username. See the RSA Login Module
Parameters section for a full list of parameter options.

Installation
This section contains instructions for installing the RSA Access Manager Login Module. It is divided into
the following subsections:

- Download the RSA Login Module EAR File
- Deploy the RSA Login Module
- Configure RSA Login Module Options
- Configure the SAP Ticket Authentication Template

Download the RSA Login Module EAR File

The login module is contained in an Enterprise Archive (EAR) file named
RSAAccessManagerLoginModuleNW73EAR.ear. Download this file from the link mentioned above
and save it to a local directory.


Deploy the RSA Login Module

Follow the steps below to deploy RSAAccessManagerLoginModuleNW73EAR.ear with SAP NetWeaver
Developer Studio (NWDS):
1. Start NWDS, log in as an administrator and select the Window > Show View > Other menu option.

2. Select the Deployment View > Deploy View menu item and click the OK button.


3. Click the Deploy View tab, select External Deployable Archives from the list on the left and click
the Add Element (plus sign) button in the upper left corner of the tab page.

4. Browse to the directory in which you saved the RSAAccessManagerLoginModuleNW73EAR.ear file,
select the file and click the Open button.


5. Expand External Deployable Archives on the Deploy View tab, right-click on
RSAAccessManagerLoginModuleNW73EAR.ear and select Deploy from the menu. NWDS will
display a message indicating whether the deployment was successful. If the deployment
is successful, the module will automatically be registered with the SAP J2EE Engine.


Configure RSA Login Module Options

Once the EAR file has been successfully deployed, the module should be available for configuration in
the J2EE Engine environment. Follow the steps below to verify that the RSA Access Manager Login
Module has been added to the User Management configuration and to set its options:
1. Log in to SAP NetWeaver Administrator as an administrative user.
2. Select the Configuration tab and click on the Security menu item on the tab's toolbar.
3. Click the Views menu to the right of the Authentication and Single Sign-On link and select
Authentication.


4. Click the Login Modules menu item on the Authentication tab's toolbar.
5. Find the RSAAccessManagerLoginModuleNW73 login module in the first table and select it.
6. Scroll down the page, click the Login Module Options tab, click the Edit button and then click the
Add button.

7. Enter dispatcher_list in the Name field and your RSA Access Manager hostname and port (separated
by a colon) in the Value field and click the Add button. If you have multiple dispatcher servers,
separate each one with a comma.


8. Enter connection_type in the Name field and the type of security the module will use to connect to the
RSA Access Manager servers in the Value field, and click the Add button. See the RSA Login Module
Parameters section in the Appendix for a list of security type parameter values.

9. Enter the appropriate module parameter names and values for a specific configuration in the Options
list. See the RSA Login Module Parameters section in the Appendix for a complete list of
parameters, requirements and interdependencies.

10. Click the Save button.


Configure the SAP Ticket Authentication Template

The SAP Java Application Server provides predefined authentication templates, each of which contains
one or more login modules that are combined in a login module stack [3]. SAP's Login Ticket
authentication template can be used to enable SAP SSO by creating an SAP login ticket after each
successful authentication and validating this ticket each subsequent time an authenticated user requests
another protected SAP resource.
The instructions in this section describe how to modify the ticket authentication template to include the
RSA Login Module. Once the template has been updated, RSA Access Manager will be responsible for
handling user authentication. This will enable SSO between SAP and other applications that are
protected by RSA Access Manager [4].
To configure the ticket authentication template to use the RSA Login Module, perform the following steps
using SAP Visual Administrator:
1. Click the Components menu item on the Authentication tab's toolbar and select the policy
configuration named ticket.

2. Scroll down the page and click the Edit button on the Authentication Stack tab's toolbar. The ticket
component's login stack will appear in the Login Modules table, and it will most likely contain the
following three modules in order:

- EvaluateTicketLoginModule, which looks for a valid SAP Login Ticket
- BasicPasswordLoginModule, which prompts a user to authenticate
- CreateTicketLoginModule, which creates an SAP Login Ticket

[3] See the SAP NetWeaver Administration Guide for more information about authentication templates and login module stacks.
[4] Note that SAP login tickets allow internal SSO among SAP applications, whereas RSA Access Manager tokens extend SSO to
include applications that are external to SAP.


3. Click the down arrow to the right of the BasicPasswordLoginModule module's name to expand a list
of all available modules. You will replace this module with the RSA Access Manager Login Module.

4. Select the module named RSAAccessManagerLoginModuleNW73.

5. Click the down arrow in the Flag column and select REQUISITE from the dropdown list. The Login
Module table should contain 3 rows with the following values in order from top to bottom:

- EvaluateTicketLoginModule: SUFFICIENT
- BasicPasswordLoginModule: REQUISITE
- CreateTicketLoginModule: OPTIONAL

6. Verify that the ticket login stack contains the three modules as listed above, in the same order and
with the same conditional flags. Modify the flags and positions of the other two modules if necessary
and click the Save button.
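The request flow from the Solution Summary and the control flags assigned in steps 5 and 6 can be traced with the following simulation. It is an added example, not code from RSA or SAP: the three modules are constructed stand-ins for EvaluateTicketLoginModule, RSAAccessManagerLoginModuleNW73 (in the REQUISITE slot that BasicPasswordLoginModule occupied before step 3) and CreateTicketLoginModule, acting on an in-memory request; the flag rules (SUFFICIENT, REQUISITE, OPTIONAL, REQUIRED) follow the JAAS javax.security.auth.login.Configuration contract. The session table, the "sap-ticket:" value format and the MYSAPSSO2 cookie name are assumptions. The simulation also exercises the user_property option from the Appendix, where the username is read from a header instead of being resolved from the CTSESSION cookie.

```python
"""Trace of the SAP 'ticket' login stack with the RSA module in place.

Added example, not RSA's or SAP's code. Flag handling follows the JAAS
javax.security.auth.login.Configuration contract; the modules are constructed
stand-ins that act on an in-memory request.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

AM_SSO_COOKIE = "CTSESSION"      # default cookie_name from the Optional Parameters table
SAP_TICKET_COOKIE = "MYSAPSSO2"  # assumed: SAP's logon-ticket cookie name, not stated on this page
# Constructed Access Manager session table: SSO token value -> authenticated username.
AM_SESSIONS = {"am-token-alice": "alice", "am-token-bob": "bob"}


@dataclass
class Request:
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class LoginContext:
    request: Request
    user_property: Optional[str] = None  # module option: header that carries the SAP username
    user: Optional[str] = None
    ticket_issued: bool = False
    ok: bool = False
    trace: List[str] = field(default_factory=list)


def evaluate_ticket_login_module(ctx: LoginContext) -> bool:
    """Succeeds only if the request already carries an SAP logon ticket (constructed format)."""
    ticket = ctx.request.cookies.get(SAP_TICKET_COOKIE, "")
    if ticket.startswith("sap-ticket:"):
        ctx.user = ticket.split(":", 1)[1]
        return True
    return False


def rsa_access_manager_login_module(ctx: LoginContext) -> bool:
    """Retrieves the RSA-authenticated username and validates it against Access Manager."""
    if ctx.user_property:
        # user_property set: read the username the agent exported into that header
        name = ctx.request.headers.get(ctx.user_property)
    else:
        # default: resolve the SSO token carried in the CTSESSION cookie
        name = AM_SESSIONS.get(ctx.request.cookies.get(AM_SSO_COOKIE, ""))
    if name in AM_SESSIONS.values():  # validation against Access Manager (constructed)
        ctx.user = name
        return True
    return False


def create_ticket_login_module(ctx: LoginContext) -> bool:
    """Issues an SAP logon ticket for the user an earlier module established."""
    if ctx.user is None:
        return False
    ctx.ticket_issued = True
    return True


# The ticket stack after steps 3-5: the RSA module sits in the REQUISITE slot.
TICKET_STACK: List[Tuple[Callable[[LoginContext], bool], str]] = [
    (evaluate_ticket_login_module, SUFFICIENT),
    (rsa_access_manager_login_module, REQUISITE),
    (create_ticket_login_module, OPTIONAL),
]


def run_login_stack(stack, ctx: LoginContext) -> bool:
    """Applies the JAAS control-flag rules to the modules in order."""
    required_failed = False
    any_success = False
    has_required = any(flag in (REQUIRED, REQUISITE) for _, flag in stack)
    for module, flag in stack:
        success = module(ctx)
        ctx.trace.append(f"{module.__name__} [{flag}] -> {'success' if success else 'failure'}")
        if success:
            any_success = True
            if flag == SUFFICIENT and not required_failed:
                ctx.trace.append("SUFFICIENT success: remaining modules skipped")
                return True
        elif flag == REQUISITE:
            ctx.trace.append("REQUISITE failure: stack aborted")
            return False
        elif flag == REQUIRED:
            required_failed = True
    return (not required_failed) if has_required else any_success


def login(cookies=None, headers=None, user_property=None) -> LoginContext:
    ctx = LoginContext(Request(cookies or {}, headers or {}), user_property)
    ctx.ok = run_login_stack(TICKET_STACK, ctx)
    return ctx


if __name__ == "__main__":
    for label, ctx in [
        ("valid SAP ticket", login(cookies={SAP_TICKET_COOKIE: "sap-ticket:alice"})),
        ("RSA session, no ticket", login(cookies={AM_SSO_COOKIE: "am-token-alice"})),
        ("header mapping", login(headers={"ct-remote-user": "bob"}, user_property="ct-remote-user")),
        ("unauthenticated", login()),
    ]:
        print(f"{label}: ok={ctx.ok} user={ctx.user} ticket_issued={ctx.ticket_issued}")
        print("  " + " | ".join(ctx.trace))
```

The three outcomes worth checking in the trace: a request that already carries a ticket stops after EvaluateTicketLoginModule because SUFFICIENT returns control immediately, so no new ticket is issued; a request with only the Access Manager cookie fails the first module, passes the RSA module and receives a ticket from CreateTicketLoginModule; a request with neither is aborted at the RSA module because a REQUISITE failure stops the stack, which is why CreateTicketLoginModule never runs for an unauthenticated user even though it is flagged OPTIONAL.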


End User Experience


Once the module has been installed, configured and assigned, users will be prompted by RSA Access
Manager to authenticate when they attempt to access a protected SAP URL.

Following a successful authentication, the user is redirected to the requested resource.


Certification Checklist: Portal Servers and Web-Based Apps

Date Tested: November 1, 2012

Certification Environment
Product Name                      Version Information   Operating System
RSA Access Manager                6.1 SP4               Windows Server 2008
SAP NetWeaver                     7.3                   Windows Server 2008
SAP NetWeaver Administrator       7.3                   Windows Server 2008
SAP NetWeaver Developer Studio    7.3 SP08              Windows Server 2008

Test Case                                                                                  Result

Product Characteristics for SSO Support
Application/Portal is web-based, and supports access by a standard HTTP-based browser
Application/Portal runs on Web Server Platform supported by RSA Access Manager
Application/Portal login interface can be modified or replaced
Application/Portal can extract user information from RSA Access Manager session cookie
Application/Portal can extract user information from HTTP Headers
Application/Portal can extract authentication type from RSA Access Manager session cookie
Application/Portal can extract authentication type from HTTP Headers
Application/Portal can perform SSO with other RSA Access Manager-supported Web Server

Login - General
HTTP basic authentication
Forms based
Forms based w/ URI retention                                                               N/A

Login - Basic Authentication
Access Denied for unauthorized user
Successful login for authorized user
Successful recognition of identity/personalization in 3rd Party Product
Successful recognition of identity/personalization after SSO with other RSA Access Manager-supported Web Server

JGS

✓ = Pass   ✗ = Fail   N/A = Non-Available Function


Appendix
RSA Login Module Parameters
There are multiple configurations available for the RSA Login Module, allowing administrators to control
such things as the method in which the RSA Access Manager authenticated username is retrieved, the
security setting for the module's runtime connection to the RSA Access Manager dispatcher, and whether
to enable debugging. The tables below contain the complete list of mandatory and optional parameters,
as well as their value requirements and interdependencies.

Mandatory Parameters for All Configurations

Name: connection_type
Value: The type of security the module will use to connect to the RSA Access Manager dispatcher. The
value must be one of the following types:
- CLEAR for clear-text (unencrypted) Access Manager connections (not recommended)
- ANON for anonymous SSL connections
- AUTH [5] for mutually authenticated SSL connections

Name: dispatcher_list
Value: A list of RSA Access Manager dispatchers that the module will use. A dispatcher should contain a
hostname and port separated by a colon. Each dispatcher in the list should be separated by a comma. See
the format below:
server1:5608,server2:5608

Mandatory Parameters for Mutually-Authenticated SSL [6]

Name: keystore
Value: The keystore (including its absolute path) that will be used for the connection's private key.

Name: keystore_password
Value: The SSL keystore password.

Name: key_alias
Value: The private key alias that is stored in the keystore.

Name: key_password
Value: The password for the private key stored in the keystore.

[5] Mutually-authenticated connections require additional parameters. See the Mandatory Parameters for Mutually-Authenticated
SSL table for details.
[6] These instructions are exclusively for mutually-authenticated SSL connection configuration.


Optional Parameters

Name: cookie_name
Value: The name of the RSA Access Manager SSO cookie. This variable should only need to be set if the
cookie name has been changed in the RSA Agent's webagent.conf file. If this variable isn't set, the module
uses the default cookie name: "CTSESSION".

Name: debug
Value: A Boolean flag that enables/disables debugging. The variable must be set to one of the following
values:
- true to enable debugging
- false to disable debugging. This is the default value.

Name: retry_count
Value: The number of times the module will attempt to establish a Runtime API connection before
returning. The default value is 3.

Name: timeout
Value: The number of milliseconds the dispatcher and auth server will remain connected. The default
value is 10000.

Name: user_property
Value: An optional HTTP header variable name that will contain the Access Manager username after a
successful authentication. This variable is especially useful if the RSA Access Manager login name and
the SAP username are different. As long as the SAP username is stored in the RSA user under another
attribute, UID for example, it can be exported to an HTTP header variable. If this variable contains the
name of that header variable, the module will read the value and use it to create an SAP session. By
default, the module retrieves the authenticated username from the RSA SSO token contained in the
CTSESSION cookie.
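The value requirements and interdependencies in the three tables above can be checked before the options are typed into the Login Module Options tab. The following validator is an added example and is not part of RSA's module: it encodes the two mandatory options, the CLEAR/ANON/AUTH values, the host:port,host:port form of dispatcher_list, the four keystore options that only connection_type=AUTH requires, and the documented defaults for the optional parameters. The port range, the hostname character set, the absolute-path test and the treatment of keystore options under ANON or CLEAR as warnings are this example's own choices; the sample option sets are constructed.

```python
"""Validator for RSAAccessManagerLoginModuleNW73 option sets (added example, not RSA's code)."""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CONNECTION_TYPES = {"CLEAR", "ANON", "AUTH"}
MANDATORY = ("connection_type", "dispatcher_list")
MUTUAL_SSL_ONLY = ("keystore", "keystore_password", "key_alias", "key_password")
# Documented defaults; user_property has none (cookie-based retrieval is the default).
OPTIONAL_DEFAULTS = {"cookie_name": "CTSESSION", "debug": "false",
                     "retry_count": "3", "timeout": "10000", "user_property": None}
# host:port entry; hostname charset and port check are this example's assumptions
DISPATCHER_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9.-]*):(\d{1,5})$")


@dataclass
class ValidationResult:
    effective: Dict[str, object] = field(default_factory=dict)
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def parse_dispatcher_list(value: str) -> List[Tuple[str, int]]:
    """'server1:5608,server2:5608' -> [('server1', 5608), ('server2', 5608)]; ValueError on bad entries."""
    dispatchers = []
    for entry in value.split(","):
        m = DISPATCHER_RE.match(entry.strip())
        if not m or not 1 <= int(m.group(2)) <= 65535:
            raise ValueError(f"bad dispatcher '{entry.strip()}', expected host:port")
        dispatchers.append((m.group(1), int(m.group(2))))
    return dispatchers


def validate_options(options: Dict[str, str]) -> ValidationResult:
    """Checks an option set as it would be entered in the Login Module Options tab."""
    r = ValidationResult()
    known = set(MANDATORY) | set(MUTUAL_SSL_ONLY) | set(OPTIONAL_DEFAULTS)
    r.errors += [f"unknown option '{n}'" for n in options if n not in known]
    r.errors += [f"missing mandatory option '{n}'" for n in MANDATORY if n not in options]

    ctype = options.get("connection_type")
    if ctype is not None and ctype not in CONNECTION_TYPES:
        r.errors.append(f"connection_type must be CLEAR, ANON or AUTH, got '{ctype}'")
    elif ctype is not None:
        r.effective["connection_type"] = ctype
        if ctype == "CLEAR":
            r.warnings.append("connection_type=CLEAR: dispatcher traffic is unencrypted (not recommended)")
        for n in MUTUAL_SSL_ONLY:  # interdependency: AUTH needs all four keystore options
            if ctype == "AUTH" and n not in options:
                r.errors.append(f"connection_type=AUTH requires '{n}'")
            elif ctype != "AUTH" and n in options:
                r.warnings.append(f"'{n}' is only used when connection_type=AUTH")
            elif n in options:
                r.effective[n] = options[n]
        ks = options.get("keystore")
        if ctype == "AUTH" and ks and not (os.path.isabs(ks) or re.match(r"^[A-Za-z]:[\\/]", ks)):
            r.errors.append("keystore must be given with its absolute path")

    if "dispatcher_list" in options:
        try:
            r.effective["dispatcher_list"] = parse_dispatcher_list(options["dispatcher_list"])
        except ValueError as exc:
            r.errors.append(str(exc))

    for n, default in OPTIONAL_DEFAULTS.items():  # apply defaults and type-check the optional values
        v = options.get(n, default)
        if n == "debug":
            if v not in ("true", "false"):
                r.errors.append("debug must be 'true' or 'false'")
                continue
            v = (v == "true")
        elif n in ("retry_count", "timeout"):
            if not str(v).isdigit():
                r.errors.append(f"{n} must be a non-negative integer")
                continue
            v = int(v)
        r.effective[n] = v
    return r


if __name__ == "__main__":
    # Constructed option sets: a complete AUTH configuration and one missing its keystore options.
    for opts in (
        {"connection_type": "AUTH", "dispatcher_list": "server1:5608,server2:5608",
         "keystore": "/opt/rsa/module.jks", "keystore_password": "changeit",
         "key_alias": "sapmodule", "key_password": "changeit"},
        {"connection_type": "AUTH", "dispatcher_list": "server1:5608"},
    ):
        res = validate_options(opts)
        print("errors:", res.errors, "warnings:", res.warnings)
        print("effective:", res.effective)
```

Running the validator on the second option set reports the four missing keystore options that the Mandatory Parameters for Mutually-Authenticated SSL table requires, while the first set passes and shows the effective values with the defaults from the Optional Parameters table filled in.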
