This tutorial demonstrates how to integrate IBM Access Manager for e-business
with SAP NetWeaver Application Server ABAP using WebSEAL, a reverse proxy that controls access
to protected resources on a back-end web server.
NetWeaver Application Server ABAP is a complex, multi-tier application server for creating
and deploying highly scalable ABAP applications.
In particular, this guide describes how to achieve both single sign-on
and single sign-off capabilities.
It is assumed that an environment already exists where both Access Manager
and NetWeaver Application Server are installed, configured and operating.
It is outside the scope of this tutorial to describe the installation and administration
of these products except where necessary to achieve integration.
This diagram illustrates the steps performed for single sign-on.
A WebSEAL junction to the NetWeaver server is created beforehand.
A browser request for a NetWeaver application is intercepted by WebSEAL,
which responds by prompting the user to authenticate to WebSEAL.
Once the user is authenticated, WebSEAL retrieves the user's global sign-on credentials and forwards them
in an HTTP Basic Authentication header, along with the original request,
through the junction to the NetWeaver server.
NetWeaver will authenticate the credentials against its user registry, and if successful,
will return the requested content back to WebSEAL, which in turn sends the content
to the browser, filtering URLs as appropriate.
The integration uses the global sign-on (GSO) feature of Access Manager.
A GSO resource, a GSO-enabled user and a resource credential need to be defined for the integration.
I will demonstrate the commands you need to execute in pdadmin.
For more information and definitions of commands used,
refer to the Access Manager Information Center documentation.
First, create a GSO resource.
Next, create a user account and enable it for GSO with the gsouser option.
Alternatively, existing users can be modified to gain GSO capabilities.
Now a resource credential needs to be created.
Note that the resource name and Access Manager user name in the credential must match
the resource and user we created previously.
The resource user and resource password values specified are what WebSEAL sends
to the back-end ABAP web application.
Once the GSO entities have been created with pdadmin, we can create a WebSEAL junction
that will pass the GSO credentials on to the web application.
Either a virtual host junction or a standard junction can be created,
but transparent path junctions are not supported for this integration.
In this example I create a virtual host junction, which means
that WebSEAL must listen on the same port as the NetWeaver Application Server,
and DNS must be set up so that clients resolve the NetWeaver server's host name
to the address of the WebSEAL server (WebSEAL itself still reaches the real NetWeaver address through the junction).
Again, for more details, refer to the Access Manager Information Center and look
within the WebSEAL Administration Guide.
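The pdadmin steps above, from the GSO resource through to the virtual host junction, collected into one script. This is an added example and not the tutorial's own commands: it generates the pdadmin command sequence from one set of variables, so the resource name and user name used in the credential cannot drift from the ones used when the resource and user were created, and feeds the result to pdadmin when that tool is on the PATH. All host names, the LDAP DN, the instance name and the passwords are placeholders (assumptions), as is the sec_master administrator id and the SEC_MASTER_PW variable. The junction is created with `-t ssl` because the GSO credentials travel in a Basic Authentication header; WebSEAL must then trust the NetWeaver server's certificate.

```shell
#!/bin/sh
# Added example (not from the tutorial). Builds the pdadmin script for the GSO
# integration and runs it through pdadmin if available. Names are placeholders.

# Print the pdadmin commands for one SAP back end.
#   $1 GSO resource name        $2 Access Manager user      $3 that user's LDAP DN
#   $4 Access Manager password  $5 SAP (back-end) user      $6 SAP password
#   $7 WebSEAL instance name    $8 NetWeaver host name      $9 NetWeaver HTTPS port
gso_commands() {
  rsrc=$1 user=$2 dn=$3 pw=$4 sapuser=$5 sappw=$6 inst=$7 host=$8 port=$9
  if [ -z "$rsrc" ] || [ -z "$user" ] || [ -z "$host" ]; then
    echo "gso_commands: resource, user and host names are required" >&2
    return 1
  fi
  # rsrccred must name the same resource and the same GSO-enabled user that the
  # first two commands create; both come from the same variables here.
  # The junction uses -b gso -T <resource> so WebSEAL looks up the credential for
  # this resource and sends it in the Basic Authentication header; -t ssl keeps
  # that header off the wire in clear text (WebSEAL must trust the SAP certificate).
  cat <<EOF
rsrc create $rsrc
user create -gsouser $user "$dn" $user $user $pw
user modify $user account-valid yes
rsrccred create $rsrc rsrcuser $sapuser rsrcpwd $sappw rsrctype web user $user
server task $inst virtualhost create -t ssl -h $host -p $port -b gso -T $rsrc -v $host $host
EOF
}

# Feed the generated script to pdadmin as sec_master (password assumed in
# SEC_MASTER_PW). Without pdadmin on the PATH, just print the script for review.
apply_gso() {
  if command -v pdadmin >/dev/null 2>&1; then
    gso_commands "$@" | pdadmin -a sec_master -p "$SEC_MASTER_PW"
  else
    gso_commands "$@"
  fi
}
```

Usage: `apply_gso sap-gso sapuser "cn=sapuser,o=example,c=us" 'Passw0rd!' SAPUSER s3cret default-webseald-webseal sap.example.com 443` prints the five pdadmin commands (or runs them). The `user modify ... account-valid yes` line is there because a freshly created Access Manager account is not valid for login until it is marked valid; without it the WebSEAL login in the test at the end of the tutorial would fail.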
An option should be added to the WebSEAL configuration file so that cookies can be used independently
by different ABAP applications at different URLs.
So, let's edit the configuration file and look within the [preserve-cookie-names] stanza.
And add this entry.
If you are interested in a technical explanation, this option includes the path
in the cookie name instead of setting it separately, and it is necessary
because the cookie's path attribute is set to the root path so that the back-end application's cookies
still work when they pass through the WebSEAL junction.
WebSEAL should now be configured properly, so let's restart it to update its configuration.
To configure NetWeaver Application Server to work with the integration,
all that is required is to change the logoff page setting to interact with WebSEAL.
Start by logging into your SAP system.
Run the SICF transaction.
Click the Execute button.
Double click the node in the tree that represents the service you wish to configure.
For this demo, I will select the Web GUI node.
Click the Change button.
Select the Error Pages tab, and then the Logoff Page tab.
Select the Redirect to URL radio button, then enter the URL
of the pkmslogout page provided by WebSEAL (the /pkmslogout path on the WebSEAL host).
Because I am using a virtual host junction, this host name must resolve to the WebSEAL server.
Click the Store button to apply the changes.
We've finished configuring WebSEAL and the NetWeaver application server,
so we are now in a position to test the integration.
I will demonstrate by logging into and out of the SAP GUI for HTML.
This application must be activated beforehand for the integration to be tested with it.
You will see the standard WebSEAL authentication web pages for these processes,
but these can be customized for your purposes.
Let's log in using the TAM account we created earlier.
We can see that the back-end web application is satisfied
with the GSO credentials that WebSEAL supplied to it.
Now, let's log out.
This is the standard pkmslogout page provided by WebSEAL, and it indicates that we have logged
out of both our SAP system and WebSEAL.
So, we have successfully tested the integration.
Boo-ya!