Understand the role of user credentials and X.509 certificates in single sign-on authentication.
During mutual certificate authentication, the client presents a certificate to Unwired Server. For authentication to succeed, the client’s certificate, or more typically the CA certificate that signed the client certificate, must be present in the Unwired Server truststore. The Unwired Server truststore also contains a server certificate (CN=host.domain), which is issued by the server (SAP, for example) and which other SAP servers are configured to trust. Once this server certificate is authenticated during HTTPS mutual certificate authentication, the SAP server further trusts that the credentials (SSO2 or X.509 values) given to identify the end user are correct, and it executes its EIS operations as that asserted end user.
There is a separate notion of a “technical user” (CN=someTechUserName), which is different from the server certificate (CN=host.domain) used for SSO. In a “normal” pooled JCo connection, the username is a technical user, and all RFCs are executed in the SAP EIS as that user. The technical user is granted all rights and roles within SAP that allow it to execute the range of RFCs behind the MBOs, which is the opposite of SSO.