Problem solve Get help with specific problems with your technologies, process and projects.

Implementing single sign-on in the J2EE server engine

As of SAP Web AS 6.20, SAP has implemented a J2EE Engine that allows Java code to be executed directly in the application server.

As of SAP Web AS 6.20, SAP has implemented a J2EE Engine that allows Java code (servlets, EJBs, etc.) to be executed directly in the application server. This Java engine provides some powerful utilities to enhance almost any Java/SAP development, such as SSO (single sign-on, user management, etc.). However, the J2EE Engine can also be run as a standalone Java application server, with most of this functionality intact.

When building Java applications, user management is a key issue for successful deployment. Although the J2EE Engine does provide its own tools, you can also enable user management directly through SAP. This tip demonstrates how to enable single sign-on through the J2EE Server Engine, whether it's running standalone or as part of an embedded Web AS installation.

Note: it is possible to install and run the J2EE Server Engine from a remote server or your local workstation. Ask your BASIS administrator to order the Web AS 6.20 J2EE Server Engine, Standalone CD or check to see if the media is already in-house. Using this standalone server is a great way to prototype new applications or learn some of the newest features in Java/SAP integration.

The remainder of this tip assumes that the J2EE Server Engine has been deployed locally or on a standalone server that allows you access to the server command console. This tip also assumes that you have installed the J2EE Server Engine Adminstration tool on a local workstation.

Stage 1: Updating the JAAS login module
Step 1: Start up the J2EE Server Engine and Adminstration tool. Log in as 'Administrator' with no password (this is the default installation).

Step 2: Navigate to the Server One - Services - Security dialog window and select the JAAS tab.

Step 3: Select the 'InQMyLoginSystem' from the Available Applications side bar and select the entry labeled ''.

Step 4: At the bottom of this screen, enter a new Login Module called ''. Set the Flag to 'sufficient' and the options to 'userfactory="null" createticket="0" acceptticket="0"'. Click the 'Add' button to apply this entry to the JAAS tab.

Stage 2: Configuring SAP Integration
Step 1: Select the SAP Integration tab in the Security window.

Step 2: Click the 'Configure' button and follow the wizard for creating a new SAP configuration. Be sure to enter a valid system user in the Authentication step. This user will be authenticated against the SAP through JCo. Finally, select 'Auto-detect' from the Single Sign-On step and finish the configuration.

Step 3: Click the 'Start' to activate the SAP integration.

Stage 3: Enabling Enhanced SSO (optional)
Be sure to check with a BASIS administrator before following these steps
Step 1: In SAP, use the transaction STRUST to ensure that a valid system PSE exists. This is indicated by a green light next to the PSE ID. If not, select Replace from the context menu and create a new system PSE. (Check with BASIS before doing this)

Step 2: From transaction RZ10/11 modify the following parameters:
login/accept_sso2_ticket 1
login/create_sso2_ticket 1
login/ticket_expiration_time 60

Step 3: Save the parameters. If RZ11 no restart is needed. Otherwise, SAP should be restarted for the new profile changes to take effect.

You can now test the single sign-on from the J2EE Server Engine command console. Without needing to create users in the J2EE User Management, you can seamlessly log on from the Java server using a pre-existing SAP username and password.

From the server command console enter 'add login'. You will not see a response, other than a new command prompt. Enter 'login (your SAP username)'. You will be prompted to enter a password. If the password and configuration are correct you should be rewarded with a successful logon message.

Now, re-login via the J2EE Administrator using your SAP username and password (instead of Administrator). If the SAP PSE was deployed correctly, you should have access to the J2EE admin GUI. This access will be limited by the privileges of that user in the SAP system.

As you build Java applications, you can allow users to logon through Java objects, without creating duplicate user management in the server engine. For more information, check out the How to... Security Series 4: Authentication Methods. It contains a more detailed overview and screenshots of the procedure described above.

Author Austin Sincock is a freelance Java/SAP consultant who contributes regularly to Web and print journals. He can be reached at [email protected]. Check out his upcoming book Enterprise Java for SAP

Dig Deeper on SAP development and programming languages