Distributing Single Sign-on Related Files in an SAP Mobile Server Cluster

Place required files in the appropriate primary SAP Mobile Server subdirectory so they are distributed to all SAP Mobile Servers within the cluster during cluster synchronization.

Any changes to a named security configuration affect the cluster and trigger a cluster synchronization, which automatically zips the files in the primary SAP Mobile Server CSI subdirectory and distributes them to the other servers in the cluster. Copy all certificate and other security-related files to the CSI subdirectory.

The provider configuration information, which includes the server certificate file name and location, must be the same on all cluster nodes. The same is true for the cryptographic DLLs and certificate files for SSO using X509.

  1. On the primary server in the cluster, put any SAP certificate files or truststores into the SMP_HOME\Servers\UnwiredServer\Repository\CSI\conf directory.

    Use system properties to specify the full path and location of the file in the configuration so that it can be accessed from other servers within the cluster even if their installation directories differ from that of the primary server. For example:

    ${djc.home}/Repository/CSI/conf/SNCTEST.pse
    
    For the X.509 CertificateAuthenticationLoginModule, if ValidateCertificatePath is set to true (the default), the CA certificate (or one of its parents) must be installed in the truststore for each server.
    Note: SAP Mobile Server truststore and keystore files:
    • SMP_HOME\Servers\UnwiredServer\Repository\Security\truststore.jks – is the SAP Mobile Server trust store that contains CA (or parent) certificates. SAP Mobile Server trusts all CA or parent certificates in truststore.jks.
    • SMP_HOME\Servers\UnwiredServer\Repository\Security\keystore.jks – contains client certificates only.

    The CertificateAuthenticationLoginModule also has Trusted Certificate Store* and Store Password properties which you can use to keep the module out of the default SAP Mobile Server trust store. You must first:

    1. Use keytool to put the CA certificate into a new keystore.
    2. Put the keystore into the Repository\CSI\conf subdirectory.
    3. Include the path in the Trusted Certificate Store property.
  2. From SAP Control Center, add the login module.
  3. Restart all SAP Mobile Servers within the cluster.
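
Because the certificate and keystore files must be the same on every cluster node, it is worth confirming after synchronization that each node's CSI\conf directory matches the primary. The following is an added example, not SAP tooling or code from the original page. It assumes each node's CSI\conf directory is reachable as a file path (for example through an administrative share), and the node names and the sso-trust.jks file name are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def digest_tree(conf_dir):
    """Map each file path (relative to conf_dir) to its SHA-256 hex digest."""
    root = Path(conf_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_primary(primary_dir, node_dirs):
    """Return {node: {"missing": [...], "different": [...]}} for out-of-sync nodes.

    Only files present on the primary are checked; nodes that match are omitted.
    """
    expected = digest_tree(primary_dir)
    drift = {}
    for node, conf_dir in node_dirs.items():
        actual = digest_tree(conf_dir)
        missing = sorted(f for f in expected if f not in actual)
        different = sorted(
            f for f in expected if f in actual and actual[f] != expected[f]
        )
        if missing or different:
            drift[node] = {"missing": missing, "different": different}
    return drift


def demo():
    """Constructed sample: three fake CSI/conf directories, two of them out of sync."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        # Constructed file contents; sso-trust.jks is a hypothetical keystore name.
        files = {"SNCTEST.pse": b"constructed-pse", "sso-trust.jks": b"constructed-jks"}
        for node in ("primary", "node2", "node3"):
            (base / node).mkdir()
            for name, data in files.items():
                (base / node / name).write_bytes(data)
        (base / "node2" / "sso-trust.jks").write_bytes(b"stale-jks")  # stale copy
        (base / "node3" / "SNCTEST.pse").unlink()                     # never distributed
        nodes = {"node2": base / "node2", "node3": base / "node3"}
        return compare_to_primary(base / "primary", nodes)


if __name__ == "__main__":
    for node, problems in demo().items():
        print(node, problems)
```

An empty result means every file in the primary's directory is present and byte-identical on all checked nodes.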