The connector and the SAP ABAP application server communicate
through SOAP web services. The communication requests are authenticated
and authorized by using the industry-standard SAML protocol. The authentication
process requires that both the connector and the application server store
the ABAP SAML trust certificate.
About this task
You export certificates from one application server and import
them into the other.
Procedure
Avoid the SAML time restriction on the servers. The system clocks
of the Solution Manager/Service Desk server and the Rational® Connector server must be within
90 seconds of one another in Coordinated Universal Time (UTC),
or the communication can fail. The requirement for synchronized clocks protects
against replay attacks, because SAML headers carry embedded time stamps.
Use any of the following solutions to meet this restriction.
- Manually set the clocks on the two systems to within
90 seconds of one another, adjusting for the time zone.
- On AIX®, UNIX, and Linux systems,
the TZ environment variable determines the difference between local time and
UTC. It is generally set to the local time zone with an offset
value; for example, EST+5 means Eastern Standard Time, 5 hours
behind UTC.
- Use Network Time Protocol (NTP) servers to synchronize
the times of the two servers.
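To show why the 90-second limit matters, here is an added example (not code from the connector or from SAP) of how a receiver validates the time stamps in a SAML 1.1 assertion with a 90-second clock-skew tolerance and keeps a cache of accepted assertion IDs so that a re-sent assertion is rejected as a replay. The assertion, issuer name and ID are constructed placeholders, and the reported skew value is the receiver's clock minus the assertion's IssueInstant, which is what an operator would compare against the 90-second budget.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# The documentation states that the two clocks must be within 90 seconds of
# each other; that value is used here as the tolerance on the validity window.
MAX_CLOCK_SKEW = timedelta(seconds=90)

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample SAML 1.1 assertion (not captured from a real system);
# the issuer name and the assertion ID are placeholders.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                MajorVersion="1" MinorVersion="1"
                AssertionID="_constructed-assertion-0001"
                Issuer="rational-connector-01"
                IssueInstant="2024-05-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z"
                   NotOnOrAfter="2024-05-01T12:01:00Z"/>
</saml:Assertion>
"""


def parse_saml_time(value):
    """Parse an xs:dateTime in UTC ('Z' suffix), as SAML requires.
    Fractional seconds are accepted and truncated."""
    value = value.strip()
    if not value.endswith("Z"):
        raise ValueError("SAML time stamps must be expressed in UTC: %r" % value)
    base = value[:-1].split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, seen_ids, max_skew=MAX_CLOCK_SKEW):
    """Validate the time stamps of one assertion against the receiver's clock.

    Returns a dict with 'ok', 'reason' and 'skew_seconds' (receiver clock minus
    IssueInstant, so an operator can see how far the two clocks differ).
    'seen_ids' is the receiver's cache of accepted assertion IDs; an ID that is
    presented a second time is treated as a replay.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML1_NS:
        return {"ok": False, "reason": "not a SAML 1.x assertion", "skew_seconds": None}

    assertion_id = root.get("AssertionID")
    issued = parse_saml_time(root.get("IssueInstant"))
    conditions = root.find("{%s}Conditions" % SAML1_NS)
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    skew = (now - issued).total_seconds()

    if assertion_id in seen_ids:
        return {"ok": False, "reason": "replayed assertion ID", "skew_seconds": skew}
    # The validity window is widened by the tolerance on both sides; beyond
    # that the clocks are too far apart and the request is refused.
    if now < not_before - max_skew:
        return {"ok": False,
                "reason": "not yet valid: receiver clock is behind the issuer",
                "skew_seconds": skew}
    if now >= not_on_or_after + max_skew:
        return {"ok": False,
                "reason": "expired: assertion is stale or receiver clock is ahead",
                "skew_seconds": skew}

    seen_ids.add(assertion_id)
    return {"ok": True, "reason": "accepted", "skew_seconds": skew}


def utc(text):
    """Build a receiver-clock value for the demonstration below."""
    return parse_saml_time(text)


if __name__ == "__main__":
    cache = set()
    for clock in ("2024-05-01T12:00:30Z",   # accepted, 30 s skew
                  "2024-05-01T12:00:45Z",   # same ID again: replay
                  "2024-05-01T11:58:00Z",   # receiver clock 120 s behind
                  "2024-05-01T12:02:45Z"):  # past NotOnOrAfter + 90 s
        print(clock, check_assertion(SAMPLE_ASSERTION, utc(clock), cache))
```

The ID cache only needs to hold IDs until their NotOnOrAfter plus the tolerance has passed, since anything older is rejected by the window check anyway.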
Export the certificate from the connector
- Update the SAML Issuer Name to a value that is unique
to the connector you are configuring and that you can identify later when you
import the certificate.
A Solution Manager instance
can have multiple Rational Connectors
attached to it, so the issuer name must identify a particular connector.
- Export the Connector Trust Certificate.
- Click the Generate Self Signed Certificate tab,
enter values for each of the fields, and click Submit.
- Write down the location of the downloaded file because
you need this information when you import the certificate to Solution
Manager.
Tip: Consider using the Generate Certificate
Signing Request and Import CSR Response Certificate tabs
to get a certificate authority signed SAML certificate instead of
generating a self-signed certificate.
Import the certificate to Solution Manager
- Import the certificate from the connector:
- Enter the transaction code SAML2. Log in to the browser
window that opens.
- Go to the Trusted Providers tab and change the view
to show Security Token Services.
- Click .
- Enter the Provider Name, and
click Next.
- Upload the Signing Certificate,
and click Next.
- In Step 3, Endpoints, click Finish.
- Select the provider that you just added, and click Edit.
- Ensure that Supported SAML Versions has
SAML 1.1 selected.
- On the Identity Federation Tab,
click Supported NameID Formats, and click Add.
- Click Unspecified and click OK.
- Click Save; then click Enable.
- Export the certificate to the connector:
- Use the transaction code STRUST.
- Select SSF SAML2 Service Provider -S.
- From Own Certificate, double-click
the self-signed certificate.
- From Certificate, click Export Certificate.
- Ensure that the file format is Binary and select a file
path. Write down this location because you need it when you import
the certificate to the connector.
- Select the check box.
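Because the export step above requires the Binary (DER) format, here is an added check (not part of the product or of SAP) that an administrator can run on the downloaded file before uploading it to the connector. It reads the outer ASN.1 SEQUENCE header, confirms that the encoded length matches the file size (which catches a truncated download), and recognises a Base64/PEM text export so that it can be converted to DER. The sample files are constructed byte strings, not real certificates.

```python
import base64
import re

# PEM armour as written by most tools; re.S lets the body span lines.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_outer_length(data):
    """Return the total length of the outermost DER SEQUENCE (tag 0x30)
    including its header, or None if the bytes do not start with one.
    Handles the short form (one length byte) and the long form (0x8N followed
    by N length bytes) that X.509 certificates use."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + length


def classify_certificate_file(data):
    """Return ('DER', der_bytes) for a complete binary export,
    ('PEM', der_bytes) for a Base64 text export (converted to DER),
    or ('unknown', None) for anything else, including a truncated file."""
    total = der_outer_length(data)
    if total is not None and total == len(data):
        return "DER", data
    match = PEM_RE.search(data)
    if match:
        der = base64.b64decode(b"".join(match.group(1).split()))
        if der_outer_length(der) == len(der):
            return "PEM", der
    return "unknown", None


# Constructed sample: a 300-byte SEQUENCE body behind a long-form header.
# This is not a real certificate, only the framing that the check inspects.
SAMPLE_DER = b"\x30\x82\x01\x2c" + b"\x00" * 300
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def check_export(path):
    """Read a downloaded certificate file and report its format."""
    with open(path, "rb") as handle:
        kind, der = classify_certificate_file(handle.read())
    if kind == "unknown":
        return "%s: not a complete DER or PEM certificate; export it again" % path
    return "%s: %s format, %d bytes of DER" % (path, kind, len(der))


if __name__ == "__main__":
    for label, blob in (("binary", SAMPLE_DER), ("base64", SAMPLE_PEM),
                        ("truncated", SAMPLE_DER[:-10])):
        print(label, classify_certificate_file(blob)[0])
```

Run `check_export` on the path you wrote down during the export; a result of `unknown` means the file should be exported again rather than uploaded.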
Import the certificate from SAP to the connector.
- Go to .
- Locate the file that you saved when exporting the certificate
to the connector.
- Click Upload.
- Restart the connector.