Integrating SAP EP and WebSEAL
December 27th, 2007
Integrating third-party products into Tivoli Access Manager WebSEAL is never easy and usually depends heavily on the actual application and on how the application server it runs on propagates credentials.
To protect SAP EP behind WebSEAL, a few requirements must be met for SAP EP to correctly generate URLs in the Web UI:
- SAP EP must not be used behind a junction, but at /,
- the HTTP Host header needs to match,
- and an HTTP ClientProtocol header must be set.
To run SAP EP at the root (/) and send an appropriate HTTP Host header the easiest thing to do with Tivoli Access Manager V6.0 or later is to configure SAP EP on a virtualhost junction:
pdadmin sec_master> server task default-webseald-webseal01 virtualhost create -t ssl -h sapephost01.example.com -v sapep01.example.com -c all vhost-sapep01-https
The ClientProtocol header is a little more complicated to set. SAP EP uses it to determine which protocol to put into the absolute URLs (protocol plus hostname) it sends back to the user. To inject this header we first need to compile a plug-in for WebSEAL and afterwards configure the header to be set.
To compile the plug-in you first need to download the IBM Tivoli Access Manager SAP Netweaver AS Java Integration Adapter. Then you use the WebSEAL AuthADK to compile the shared object library for your platform and copy the shared lib to /opt/pdweb/bin.
To load the shared object library as a plug-in when loading WebSEAL you need to add the following directives to the WebSEAL configuration file of the instance where the virtualhost has been created:
[aznapi-configuration]
cred-attribute-entitlement-services = ClientProtocol
[aznapi-entitlement-services]
ClientProtocol = /opt/pdweb/bin/libazn_ent_svc_ClientProtocol.so
Finally, to make the plug-in actually do something on your virtualhost junction, configure it to set the ClientProtocol header by setting the HTTP-Tag-Value attribute on the virtualhost object you created earlier:
pdadmin sec_master> object modify /WebSEAL/webseal01-default/@vhost-sapep01-https set attribute HTTP-Tag-Value ClientProtocol=ClientProtocol
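As an added consistency check (example code written for this post, not part of IBM's adapter or of WebSEAL), the following Python script verifies that the two configuration stanzas and the HTTP-Tag-Value string agree with each other; the stanza text is constructed from the values above, and the cred-attr=header-name form of HTTP-Tag-Value is assumed from the command shown.

```python
import configparser

# Constructed sample of the two stanzas from the post; a real
# webseald-<instance>.conf has many more stanzas, which are ignored here.
SAMPLE_CONF = """\
[aznapi-configuration]
cred-attribute-entitlement-services = ClientProtocol

[aznapi-entitlement-services]
ClientProtocol = /opt/pdweb/bin/libazn_ent_svc_ClientProtocol.so
"""

# Value of the HTTP-Tag-Value attribute set on the virtualhost object
SAMPLE_TAG_VALUE = "ClientProtocol=ClientProtocol"


def parse_webseal_conf(text):
    """Parse stanza-style WebSEAL config text; keys keep their case."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_client_protocol(conf_text, tag_value):
    """Return the list of wiring problems found (empty list == consistent)."""
    conf = parse_webseal_conf(conf_text)
    problems = []
    listed = conf.get("aznapi-configuration",
                      "cred-attribute-entitlement-services", fallback="")
    names = [n.strip() for n in listed.split(",") if n.strip()]
    if "ClientProtocol" not in names:
        problems.append("ClientProtocol is not listed in "
                        "cred-attribute-entitlement-services")
    lib = conf.get("aznapi-entitlement-services", "ClientProtocol", fallback="")
    if not lib:
        problems.append("no [aznapi-entitlement-services] entry for ClientProtocol")
    # HTTP-Tag-Value maps a credential attribute to an HTTP header name
    cred_attr, sep, header = tag_value.partition("=")
    if not sep or not cred_attr.strip() or not header.strip():
        problems.append("HTTP-Tag-Value must look like cred-attr=header-name")
    elif cred_attr.strip() not in names:
        problems.append("HTTP-Tag-Value refers to credential attribute %r "
                        "that no configured entitlement service provides" % cred_attr)
    return problems


if __name__ == "__main__":
    for line in check_client_protocol(SAMPLE_CONF, SAMPLE_TAG_VALUE) or ["ok"]:
        print(line)
```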