How-To Set Up SUP With SiteMinder

How-To: Set up SUP with SiteMinder
Sybase Unwired Platform 2.1 ESD #3

Document ID: Last Revised: June 2012 Copyright © 2012 by Sybase, Inc. All rights reserved. This publication pertains to Sybase software and to any subsequent release until otherwise indicated in new editions or technical notes. Information in this document is subject to change without notice. The software described herein is furnished under a license agreement, and it may be used or copied only in accordance with the terms of that agreement. Upgrades are provided only at regularly scheduled software release dates. No part of this publication may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical, or otherwise, without the prior written permission of Sybase, Inc. Sybase trademarks can be viewed at the Sybase trademarks page at http://www.sybase.com/detail?id=1011207. Sybase and the marks listed are trademarks of Sybase, Inc. ® indicates registration in the United States of America. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Java and all Java-based marks are trademarks or registered trademarks of Oracle and/or its affiliates in the U.S. and other countries. Unicode and the Unicode Logo are registered trademarks of Unicode, Inc. IBM and Tivoli are registered trademarks of International Business Machines Corporation in the United States, other countries, or both. All other company and product names mentioned may be trademarks of the respective companies with which they are associated. Use, duplication, or disclosure by the government is subject to the restrictions set forth in subparagraph (c)(1)(ii) of DFARS 52.227-7013 for the DOD and as set forth in FAR 52.227-19(a)-(d) for civilian agencies. Sybase, Inc., One Sybase Drive, Dublin, CA 94568.


Contents

1. How to Set Up Sybase Unwired Platform with SiteMinder
   Client Authentication Patterns
      1.1 Network Edge
      1.2 Non Network Edge
      1.3 External Token
      1.4 SAP SSO2 Integration
   Sybase Unwired Platform Single Sign-on to EIS patterns
      1.5 Access of SiteMinder Protected Web Service
      1.6 Access of SSO2 Protected JCo RFC or SAP Web Service
      1.7 Web Service Hosted on NetWeaver Requiring both SSO2 and SMSESSION
   Impersonation Checking Considerations
      1.8 Basic Username as Principal
      1.9 From the Token Issuer
      1.10 From a SiteMinder Protected Web Application
      1.11 From the Sybase Unwired Platform Username Sent by the Client
   Authentication Cache Timeout and Token Authentication
   Authentication Errors and Reporting
      1.12 Account Problems
2. Configuration and Examples
      2.1 Configuring Security for SiteMinder Token or Basic Authentication
      2.2 Network Edge Authentication with SiteMinder Protected Web Service
      2.3 Non Network Edge Authentication with SiteMinder Protected Web Service
      2.4 Network Edge SiteMinder Authentication with SAP SSO2 Protected SAP JCO
      2.5 Network Edge SiteMinder Authentication with SSO2 Protected SAP NetWeaver
      2.6 External SiteMinder Token Authentication with SSO2 Protected SAP NetWeaver
      2.7 Hybrid Web Container Applications and Network Edge Authentication with SiteMinder
      2.8 Hybrid Web Container Applications and External SiteMinder Token Authentication

1. How to Set Up Sybase Unwired Platform with SiteMinder
This document assumes familiarity with CA SiteMinder® (including installation, user directory integrations, policy server, policy configuration, and agent configuration) and NetWeaver (including installation, application deployment, and LoginModule configuration). This guide focuses solely on configuring Sybase® Unwired Platform for integration with your SiteMinder environment. For details on installing and configuring SiteMinder or NetWeaver, please refer to the corresponding product documentation.

Client Authentication Patterns
1.1 Network Edge

The Reverse Proxy or Relay Server in the DMZ is protected by SiteMinder. The Sybase Unwired Platform client is challenged for basic authentication credentials. If the credentials are valid an SMSESSION cookie is issued and the client is allowed through to the Sybase Unwired Platform server.

Figure 1 Process Flow: Network edge authentication

The client begins a session (RBS, MBS, or OData) by sending an HTTP(S) request to the Reverse Proxy. The Reverse Proxy detects the un-authenticated request and challenges (using basic authentication as pictured). After the 401 challenge, the client may already have network credentials configured, or perhaps there is a callback to prompt for credentials.

1.2 Non Network Edge

The Network Edge (Reverse Proxy or Relay Server) is not protected. The client’s request is allowed to flow to Sybase Unwired Platform where a LoginModule presents the basic credentials to a SiteMinder protected Web server on behalf of the client. Sybase Unwired Platform server retains the SMSESSION cookie/credentials for the client.


Figure 2 Process Flow: Non network-edge authentication

1.3 External Token

The Sybase Unwired Platform client application obtains an SMSESSION cookie external to the Sybase Unwired Platform libraries via custom application processing. This SMSESSION token is passed into the Sybase Unwired Platform libraries as a cookie. Sybase Unwired Platform libraries add the cookie to subsequent HTTP requests to Sybase Unwired Platform server. The cookie may or may not be checked at the Network Edge.


Figure 3 Process Flow: Authentication with externally obtained token

In any of these authentication patterns the SMSESSION token can be added as a credential to the authenticated Sybase Unwired Platform subject for use in single sign-on (SSO) to SiteMinder protected EIS systems.

1.4 SAP SSO2 Integration

In this pattern, the Sybase Unwired Platform user is initially authenticated by SiteMinder, resulting in an SMSESSION for the user. This SMSESSION is then forwarded along with the SAP user ID to a SiteMinder SAP agent running inside of NetWeaver as a LoginModule. The SMSESSION is re-validated, and then the TokenIssuingLoginModule is allowed to issue an SSO2 ticket for the specified SAP user ID. This ticket is returned to Sybase Unwired Platform as a MYSAPSSO2 cookie and Sybase Unwired Platform now has both an SMSESSION and an SSO2 ticket to use for SSO purposes with various EIS depending on which SSO mechanism the EIS requires.


Figure 4 Process Flow: Non network-edge authentication and single sign-on with SAP SSO2 token

Add a SiteMinder policy Response, like the one below, for the rule protecting the Reverse Proxy in front of NetWeaver. This is how the WASUSERNAME header gets added and provides NetWeaver with the SAP user ID for which it should generate the SSO2 ticket.


In a variation of this pattern, there is a SiteMinder protected Reverse Proxy in the DMZ.

Figure 5 Process Flow: Network edge authentication and single sign-on with SAP SSO2 token

Here the client request comes with an existing SMSESSION which the internal Reverse Proxy simply validates. This sequence diagram also illustrates one of the end-to-end scenarios discussed later in this guide.

Sybase Unwired Platform Single Sign-on to EIS patterns
1.5 Access of SiteMinder Protected Web Service

An EIS Web service is protected by SiteMinder. Sybase Unwired Platform sends the current Sybase Unwired Platform user’s SMSESSION cookie when executing the Web service.

1.6 Access of SSO2 Protected JCo RFC or SAP Web Service

The SAP server is configured to use SSO2 tickets for single sign-on. Sybase Unwired Platform will send the user’s current MYSAPSSO2 ticket along with the request. SAP will validate that the SSO2 ticket is valid and was issued by a trusted peer and execute the request as that user.

1.7 Web Service Hosted on NetWeaver Requiring both SSO2 and SMSESSION

Sybase Unwired Platform will send both SSO credentials when executing this Web service call.

Impersonation Checking Considerations
With token based authentication, Sybase Unwired Platform trusts that somebody else has at some point authenticated the user and therefore uses that somebody else to validate the token. Sybase Unwired Platform does not get any user identity (formally a Subject Principal) directly from the token. Yet Sybase Unwired Platform does need to know who the user is for various purposes (logging, auditing, retrieving server-side personalization values, and counted users license enforcement), so the question becomes: how should you establish that principal?

1.8 Basic Username as Principal

If you are using Non Network Edge authentication, Sybase Unwired Platform will automatically use the username as a Principal. It is known that this is the username used to produce the SMSESSION token because Sybase Unwired Platform provided it to SiteMinder.

1.9 From the Token Issuer

This is the best choice if available. When SiteMinder is providing Network Edge authentication, it adds an HTTP header named sm_user with the username. Sybase Unwired Platform can use the ClientValuePropagatingLoginModule to pick up that header value and set it as a Principal.

1.10 From a SiteMinder Protected Web Application

If you are using External Token authentication without Network Edge SiteMinder, that header will not be there, and any username provided is not used for authentication and should not be trusted. In this case there is a possibility to use the UsernameHttpHeader option in the HttpAuthenticationLoginModule, but only if the SiteMinder protected URL used can return an HTTP header with the username. You probably need to custom-develop a Web application that would do this, perhaps by using the SiteMinder native APIs (sm_agent.jar).

1.11 From the Sybase Unwired Platform Username Sent by the Client

This is the worst option as it allows for easy impersonation. You would still use the HttpAuthenticationLoginModule to validate the SMSESSION token, but with no UsernameHttpHeader returned you have no reliable indication of the user associated with that token. The client application can set a username in the Sybase Unwired Platform request, and Sybase Unwired Platform can use that if you de-select the Check impersonation checkbox in the Settings tab for your security configuration in Sybase Control Center.

This is dangerous as your users will be able to impersonate any Sybase Unwired Platform user, access their data, workflows, personalization values, etc. In a custom application you may be able to prevent users from entering an impostor username, but this really should be considered a last resort configuration.

Authentication Cache Timeout and Token Authentication
To reduce the load Sybase Unwired Platform puts on your backend identity management and security systems, there is an authentication cache (you can see settings for it on the Sybase Control Center screen shot above). By default the authentication cache will hold on to a user’s Subject/Principals/Credentials for 3600 seconds (1 hour). As long as the username/password contained inside subsequent Sybase Unwired Platform requests are unchanged, the request is considered authenticated and uses the cached security information for access control and SSO to EIS operations.

But of course, tokens can expire. If you cache an SMSESSION for a user here and the token expires before the cache entry, you will get authentication failures during the SSO EIS operations. This leads to either synchronization errors or operation replay errors. It is important to configure the authentication cache so this does not occur. In the worst case, you can disable the authentication cache entirely by setting the cache timeout to 0. Every Sybase Unwired Platform request will be re-authenticated.

For Non Network Edge basic authentication, you can set the cache interval to slightly less than the Idle Timeout for your SiteMinder session policy. In the SiteMinder Admin navigate to Policies -> Domain -> Realms and view the Realm that is creating the SMSESSION:

Because the authentication cache may be idle for some time, choose the Idle Timeout rather than Maximum Timeout. Because Sybase Unwired Platform is initiating the session, the session will be valid for at least the duration of Idle Timeout and can cache the SMSESSION for up to that long.

In the SiteMinder protected Network Edge pattern, there is no safe setting for the authentication cache timeout besides 0. If the URL configured to validate the SMSESSION token also returns an HTTP header with the expiration time for the token expressed in milliseconds since epoch (1/1/1970), then the HttpAuthenticationLoginModule can use that value to adjust the authentication cache expiration for this Subject’s entry so it expires at an appropriate time. Use the TokenExpirationTimeHttpHeader to specify the name of the header containing this expiration value. Additionally, you can use the TokenExpirationInterval property to trim a little time from the expiration so it does not expire while Sybase Unwired Platform is processing a request.


For the External Token scenario, Sybase Unwired Platform relies on the custom application (that retrieves the token) for help. A recommended best practice here is to change the Sybase Unwired Platform password each time this external token value changes. A simple way to achieve this is to always set the password to the hashcode of the token value (using the native programming language hashcode functions for String, NSChar, and so on) before synchronizing. That way, if the token has not changed (the client is responsible for refreshing expired tokens), then Sybase Unwired Platform can use the authentication cache value. If the token has changed, the hashcode will be different, hence the password will be different, and Sybase Unwired Platform will flush the old authentication cache entry for this user because the password has changed.
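The cache behaviour described in this section can be seen in a small model. This is an added illustration, not Sybase Unwired Platform code: the class, its method names and the token strings are hypothetical, and the cache rules are simplified from the text above (an entry is reused while it is fresh and the password is unchanged).

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration (not Sybase Unwired Platform code): a simplified model of
 * the authentication cache described above. All names here are hypothetical.
 */
public class AuthCacheModel {

    /** What the server keeps per user: the password it saw and the token it validated. */
    private static final class Entry {
        final String password;
        final String smsession;
        final long cachedAtSec;

        Entry(String password, String smsession, long cachedAtSec) {
            this.password = password;
            this.smsession = smsession;
            this.cachedAtSec = cachedAtSec;
        }
    }

    private final Map<String, Entry> cache = new HashMap<String, Entry>();
    private final long timeoutSec;   // 3600 by default in the text; 0 disables caching
    int backendValidations = 0;      // how often SiteMinder would be asked to validate

    AuthCacheModel(long timeoutSec) {
        this.timeoutSec = timeoutSec;
    }

    /**
     * Returns the SMSESSION the server would use for SSO to the EIS.
     * A cached entry is reused only while it is fresh and the password is unchanged.
     */
    String authenticate(String user, String password, String tokenInRequest, long nowSec) {
        Entry e = cache.get(user);
        boolean fresh = e != null && timeoutSec > 0 && nowSec - e.cachedAtSec < timeoutSec;
        if (fresh && e.password.equals(password)) {
            return e.smsession;           // cache hit: the token in the request is not examined
        }
        backendValidations++;             // miss, expiry or changed password: re-authenticate
        cache.put(user, new Entry(password, tokenInRequest, nowSec));
        return tokenInRequest;
    }

    /** Client side of the recommendation: derive the password from the current token. */
    static String passwordFor(String token) {
        // String.hashCode() is a 32-bit non-cryptographic hash. Two different tokens can
        // collide, in which case the old cache entry survives until its timeout.
        return Integer.toString(token.hashCode());
    }

    public static void main(String[] args) {
        // Constructed token values, not real SMSESSION cookies.
        String t1 = "constructed-token-1";
        String t2 = "constructed-token-2";

        // Fixed password: after the client refreshes its token, the server keeps using t1.
        AuthCacheModel fixed = new AuthCacheModel(3600);
        fixed.authenticate("mikel", "static-password", t1, 0);
        String used = fixed.authenticate("mikel", "static-password", t2, 600);
        System.out.println("fixed password:  server uses " + used
                + ", validations=" + fixed.backendValidations);

        // Password derived from the token: the refresh changes the password,
        // so the stale entry is replaced and t2 is validated and used.
        AuthCacheModel hashed = new AuthCacheModel(3600);
        hashed.authenticate("mikel", passwordFor(t1), t1, 0);
        hashed.authenticate("mikel", passwordFor(t1), t1, 300);   // unchanged token: cache hit
        used = hashed.authenticate("mikel", passwordFor(t2), t2, 600);
        System.out.println("hashed password: server uses " + used
                + ", validations=" + hashed.backendValidations);

        // Timeout 0: every request is re-authenticated.
        AuthCacheModel off = new AuthCacheModel(0);
        off.authenticate("mikel", "static-password", t1, 0);
        off.authenticate("mikel", "static-password", t1, 1);
        System.out.println("timeout 0:       validations=" + off.backendValidations);
    }
}
```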

Authentication Errors and Reporting
If Sybase Unwired Platform tries to do token based authentication and it fails, it will report back to the client that synchronization has failed because of an expired token. Callback handlers in the client will return a specific error code that applications can attempt to handle (check the on-line documents for sample code and the specific code values).

If authentication against the SiteMinder protected Network Edge fails, in some cases the Agent will return a 302 redirect HTTP response. The Sybase Unwired Platform client is not a browser type application and will not automatically follow that redirect. Instead it will invoke the new OnHttpCommunicationError callback method. This method will receive the HTTP status (302) as well as all HTTP headers from the response. In the case of 302 there will normally be a “Location” HTTP header with the URL the agent wants a browser to go to. For SiteMinder agents, this URL will include an SMAUTHREASON query parameter with a numeric value. SiteMinder documentation covers the various possible values. Here is one location:

https://support.ca.com/cadocs/0/CA%20SiteMinder%20r12%20SP3-ENU/Bookshelf_Files/HTML/programmingreference/javadoc-sm/com/netegrity/sdk/apiutil/SmApiSession.html?fromKBResultsScreen=T

Take an example where a user’s account is disabled. If a Sybase Unwired Platform client tries to log in with that account, you see a 302 response and SMAUTHREASON=7 as a query parameter in the Location URL. A custom application could retrieve and parse the Location header in the OnHttpCommunicationError callback and perhaps take corrective action (notify the user that their account is disabled). Some customers may find this technique useful to reduce the number of help desk calls when mobile applications stop working in the field.


1.12 Account Problems

SiteMinder is able to report certain problems related to a user’s account back to the client.

Figure 6 Process Flow: Authentication failure

For normal browser-based applications, this redirect would take you to a Web page with a textual description of what is wrong with your account (for example locked, password must be changed, or expired). Sybase Unwired Platform client applications are not browser applications and do not handle redirects like this. Instead the application can include custom code that utilizes the HTTP communication error callback to handle the authentication error.

    void IApplicationCallback.OnHttpCommunicationError(int errorCode, string Message,
            Sybase.Collections.StringProperties httpHeaders)
    {
        ...
        else if (errorCode == 302)
        {
            String value = httpHeaders.Item("Location");
            // parse the value to find the SMAUTHREASON=<N> value in query parameters within the URL
        }
    }

SiteMinder documents the reason codes it returns, and a smart client application might be able to indicate why the user cannot connect so they can fix the problem themselves rather than making a costly call to some help desk.
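The parsing step left as a comment in the callback above could look like the following. This is an added example, not code from the Sybase documentation: the class and method names are hypothetical, a plain Map stands in for the platform's header collection, and the URLs are constructed samples. Only reason code 7 (disabled account) is taken from this guide; other values must be looked up in the SiteMinder reference.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Map;

/** Added example: extract SMAUTHREASON from the Location header of a 302 response. */
public class SmAuthReasonParser {

    static final int NOT_PRESENT = -1;
    static final int USER_DISABLED = 7;   // the one value this guide describes

    /** Returns the SMAUTHREASON value, or NOT_PRESENT if it cannot be determined. */
    static int fromResponse(int status, Map<String, String> headers) {
        if (status != 302 || headers == null) return NOT_PRESENT;
        for (Map.Entry<String, String> h : headers.entrySet()) {
            // HTTP header names are case-insensitive.
            if ("Location".equalsIgnoreCase(h.getKey()) && h.getValue() != null) {
                return fromLocation(h.getValue());
            }
        }
        return NOT_PRESENT;
    }

    static int fromLocation(String location) {
        int q = location.indexOf('?');
        if (q < 0) return NOT_PRESENT;
        String query = location.substring(q + 1);
        int frag = query.indexOf('#');
        if (frag >= 0) query = query.substring(0, frag);
        // Split on '&' before decoding, so an encoded "SMAUTHREASON=" carried inside
        // another parameter (such as the original target URL) is not mistaken for the real one.
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq <= 0) continue;
            if (!"SMAUTHREASON".equalsIgnoreCase(decode(pair.substring(0, eq)))) continue;
            String value = decode(pair.substring(eq + 1)).trim();
            // The header is untrusted network input: accept a short run of digits only.
            return value.matches("[0-9]{1,4}") ? Integer.parseInt(value) : NOT_PRESENT;
        }
        return NOT_PRESENT;
    }

    private static String decode(String s) {
        try {
            return URLDecoder.decode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            return s;   // cannot happen for UTF-8; keep the raw text
        } catch (IllegalArgumentException e) {
            return s;   // malformed percent escape; keep the raw text
        }
    }

    /** Text for the user only; never base an access decision on this value. */
    static String userMessage(int reason) {
        if (reason == NOT_PRESENT) return "Sign-in was redirected without a reason code.";
        if (reason == USER_DISABLED) return "Your account is disabled.";
        return "Sign-in was rejected (SiteMinder reason " + reason + ").";
    }

    public static void main(String[] args) {
        // Constructed sample responses; hosts and paths are placeholders.
        Map<String, String> disabled = new HashMap<String, String>();
        disabled.put("location", "http://login.example.com/login?TARGET="
                + "http%3A%2F%2Fapp.example.com%2F%3FSMAUTHREASON%3D0&SMAUTHREASON=7");

        Map<String, String> tampered = new HashMap<String, String>();
        tampered.put("Location", "http://login.example.com/login?SMAUTHREASON=7%0d%0aX");

        Map<String, String> noLocation = new HashMap<String, String>();
        noLocation.put("Content-Length", "0");

        System.out.println(userMessage(fromResponse(302, disabled)));    // reason 7
        System.out.println(userMessage(fromResponse(302, tampered)));    // rejected as non-numeric
        System.out.println(userMessage(fromResponse(302, noLocation)));  // header missing
        System.out.println(userMessage(fromResponse(401, disabled)));    // not a redirect
    }
}
```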


2. Configuration and Examples
These are some example use cases that illustrate the patterns of SiteMinder authentication with Sybase Unwired Platform. SiteMinder authentication is used in Network Edge and non Network Edge configurations to authenticate the client of a Web service, SAP JCO, and finally a NetWeaver service. The NetWeaver scenario is also used to illustrate the use of an externally obtained SiteMinder token.

The configuration information, screenshots, and steps below are taken from the actual setup of our test lab. Here is a brief description of the systems involved so that when you see various URLs below you will know what is being configured and referenced.

Computer: ucperflab01.sybase.com (Windows Server 2008 64-bit VM)
Component: Internet Information Services (IIS) server with SiteMinder Agent, Relay Server, and Application Request Routing IIS plug-in
Notes: This server serves dual purposes in our testing landscape. First it hosts the optional Relay Server component that mobile applications connect through when synchronizing. All the Network Edge tests use this (http://ucperflab01.sybase.com:80/rs/client/rsclient.dll). Second the ARR provides the reverse-proxy function in front of NetWeaver. All the SSO2 related tests use this (http://ucperflab01.sybase.com:80/testapp/testconfig.jsp).

Computer: supw2003c3.sybase.com (also a Windows 2008 Server 64-bit system, not VM)
Component: SiteMinder protected IIS hosting a Web service
Notes: SiteMinder protected EIS tests use this service (http://supw2008c3.sybase.com/TemperatureWS_deploy/Convert.asmx?WSDL).

Computer: supqastress11.sybase.com
Component: Sybase Unwired Platform server
Notes: Messaging listener on port 5001, Replication listener on port 2480. This is a simple, single node Sybase Unwired Platform installation.

Computer: jc70.sybase.com
Component: NetWeaver 7.0 and SiteMinder Web AS Agent
Notes: Installed the “testapp” Web application that comes with the SiteMinder Agent for SAP on this server. It serves as the protected URL you access to obtain SSO2 tickets (http://jc70.sybase.com:54500/testapp/testconfig.jsp).

Computer: http://sap-doevm1.sybase.com:8000
Component: NetWeaver server exposing Web services for the GetFlightList sample BAPI, requiring SSO2 for login
Notes: This server is configured to “trust” SSO2 tickets signed by the server certificate of jc70.sybase.com.


2.1 Configuring Security for SiteMinder Token or Basic Authentication

Use Sybase Control Center to create a security configuration for your SSO applications.

Click New and give your configuration a name.

Then open the Security folder and click on your configuration. In the Authentication tab, you will find the NoSecLoginModule by default. You want to remove that as it allows anybody to login without any credentials, but Sybase Control Center will not let you remove it until there is at least one other LoginModule defined. Click Add.


Choose the ClientValuePropagatingLoginModule in the drop down and add the properties as shown. ClientHttpValuesAsNamedCredentials will ensure that if the client application picked up an SMSESSION cookie either via Network Edge authentication or external token, it is saved as a credential named “SMSESSION2” on the Subject so it can be used for SSO to SiteMinder protected EIS. (It is called SMSESSION2 to avoid a name conflict with other login modules created later.) ClientHttpValuesAsPrincipals will pick up the sm_user HTTP header if the client has come in through Network Edge authentication and enables you to perform impersonation checking. Click OK to save it. Now you can remove the NoSecLoginModule.

Select it and click Delete. The ClientValuePropagatingLoginModule does not ever authenticate a user; its sole purpose is to set HTTP headers or cookies as principals or credentials on the JAAS Subject. You want it to be first in the LoginModule list with its Control Flag set to optional (so that when its login() method returns false, as it always will, you will not cause the overall authentication to fail). Next add an HttpAuthenticationLoginModule.


The URL points to any SiteMinder protected Web-Server URL. SSO Cookie Name tells the LoginModule what cookie to look for in the response, to check the credentials were valid, and the user should be considered authenticated. The ClientHttpValuesToSend and SendClientHttpValuesAs pair tell the LoginModule to look for a SMSESSION cookie in the client request (in case of Network Edge or external token) and send it as a cookie named SMSESSION in the URL GET request. The TryBasicAuthIfTokenAuthFails allows the LoginModule to send the username/password from the user’s request in case there is no SMSESSION cookie available or it is rejected by the SiteMinder agent. These settings allow this one LoginModule to serve both token based authentication (Network Edge or external token) or basic authentication in case of non Network Edge.

Notice that in the case of non Network Edge authentication, the above URL will actually return two cookies: the MYSAPSSO2 you are looking for here and SMSESSION which you are ignoring in the response. Unfortunately, there is currently no way to configure this LoginModule to pick up both cookies and save them as credentials on the subject for SSO purposes later.

If you are using non Network Edge and expect to be using both SMSESSION and MYSAPSSO2 for SSO access to EIS, then you need another LoginModule:


Here the SSO Cookie Name is SMSESSION and that is what this LoginModule adds as a credential. Also you do not have the properties for propagating the SMSESSION cookie as this is a non Network Edge scenario. When you try to save this third login module, you see the following dialog.

Click Yes. Your Authentication tab will now look like:

If you are not supporting non Network Edge or do not need SMSESSION for EIS SSO, you only have two login modules. Generally the order of login modules matters for a JAAS login configuration – that is why there are up and down arrows. In this case, since they all have Control Flag as “optional,” the order does not matter as they all will be called. Next remove the NoSecAuthorizor from the Authorization tab. Select its checkbox and click Delete.


Move to the Settings tab.

Adjust the Authentication cache timeout and Check impersonation settings as discussed in the sections Impersonation Checking Considerations and Authentication Cache Timeout and Token Authentication above. Finally from the General tab, click Validate to check your configuration (Sybase Unwired Platform will ping the various URLs you have provided to make sure they are protected by Basic authentication and validate the rest of your property settings). When you see the Validation passed green light, you can click Apply to save the changes.


2.2 Network Edge Authentication with SiteMinder Protected Web Service

The Web service connection is defined in Sybase Unwired WorkSpace with a WSDL URL, for example, http://supw2008c3.sybase.com/TemperatureWS_deploy/Convert.asmx?WSDL. The Web service is enabled with HTTP basic authentication, and a username and password are specified.

When mobile business objects (MBO) based on this Web service connection are created, single sign-on needs to be enabled by setting the username and password personalization keys in the HTTP Basic Authentication fields. Note: This step is what triggers SSO.


The Web service endpoint is changed in Sybase Control Center to use the SMSESSION cookie for SSO. This is done by editing the Web service connection pool (created during the deployment of the MBO) and adding two new properties called “credential.a.mapping” with a value “Cookie:SMSESSION” and “credential.a.name” with a value “SMSESSION”.


The connection template for the application is set up appropriately with the server name set to the Network Edge server with the SiteMinder agent installed.


Sample Code for Network Edge with SiteMinder Protected Web Service

iOS:

    {
        NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
        SUPApplication *app = [SUPApplication getInstance];
        app.applicationIdentifier = @"yourApplicationIDHere";
        app.applicationCallback = self;

        // Connect through the SiteMinder protected Relay Server (Network Edge).
        // The lab uses plain HTTP on port 80, so the basic credentials and the
        // SMSESSION cookie are not encrypted in transit in this setup.
        SUPConnectionProperties* props = app.connectionProperties;
        [props setNetworkProtocol:@"http"];
        [props setServerName:@"ucperflab01.sybase.com"];
        [props setPortNumber:80];
        [props setFarmId:@"<yourmbsfarmid>"];
        [props setUrlSuffix:@"/rs/client/rs_client.dll"];

        // The same credentials answer the 401 challenge at the edge (HTTP credentials)
        // and are sent to Sybase Unwired Platform (login credentials).
        SUPLoginCredentials *login = [[SUPLoginCredentials alloc] initWithUsername:@"Mikel" andPassword:@"siteminder"];
        [props setHttpCredentials:login];
        props.loginCredentials = login;
        props.activationCode = nil;

        while ([SUPApplication registrationStatus] != SUPRegistrationStatus_REGISTERED)
        {
            @try
            {
                [app registerApplication:30];
            }
            @catch (NSException *exception)
            {
                NSLog(@"Exception thrown in registration: %@",[exception description]);
                NSLog(@"******************");
                NSLog(@"Exception thrown in registration: %@,%@", [exception name], [exception reason]);
                NSLog(@"******************");
            }
        }
        NSLog(@"Registration succeeded");

        @try
        {
            [app startConnection:30];
            NSLog(@"Connection succeeded");
        }
        @catch (NSException *exception)
        {
            NSLog(@"Exception thrown in connection: %@",[exception description]);
        }

        // Start from a clean client database, then synchronize as the same user.
        if ([smjcoSmjcoDB databaseExists])
            [smjcoSmjcoDB deleteDatabase];
        [smjcoSmjcoDB createDatabase];
        SUPConnectionProfile *cp = [smjcoSmjcoDB getConnectionProfile];
        [smjcoSmjcoDB setApplication:app];
        [cp.syncProfile setUser:@"Mikel"];
        [cp.syncProfile setPassword:@"siteminder"];
        [cp.syncProfile setAsyncReplay:NO];
        [smjcoSmjcoDB synchronize];
        SUPObjectList *hlist = [smjcocompanylist findAll];
        NSLog(@"Number of strings = %d",[hlist size]);
        [smjcoSmjcoDB unsubscribe];
        [pool drain];
    }

C#:

    {
        utils.APP = Sybase.Mobile.Application.GetInstance();
        utils.TestCallback = new AppCallbackHandler();
        utils.APP.ApplicationCallback = utils.TestCallback;
        Application app = Application.GetInstance();
        app.ApplicationCallback = new AppCallbackHandler();

        if (app.ApplicationIdentifier == null)
        {
            app.ApplicationIdentifier = "<yourAPPIdHere>";
        }

        // Connect through the SiteMinder protected Relay Server (Network Edge).
        ConnectionProperties props = utils.APP.ConnectionProperties;
        props.ServerName = "ucperflab01.sybase.com";
        props.PortNumber = 80;
        props.FarmId = "<yourMBSFarmID>";
        props.UrlSuffix = "/rs/client/rs_client.dll";
        if (!utils.MCActivationCode.Equals(""))
            props.ActivationCode = utils.MCActivationCode;
        props.SecurityConfiguration = "<yourSecurityConfiguration>";
        props.NetworkProtocol = utils.MCNetworkProtocol;

        // Same credentials for the edge challenge and for Sybase Unwired Platform.
        LoginCredentials login = new LoginCredentials("Mikel", "siteminder");
        props.LoginCredentials = login;
        props.HTTPCredentials = login;
        SsosapDB.SetApplication(app);

        if (utils.APP.RegistrationStatus != RegistrationStatus.REGISTERED)
        {
            try
            {
                utils.APP.RegisterApplication(utils.TCTIMEOUT);
            }
            catch (Exception e)
            {
                Console.WriteLine(e.ToString());
            }
        }
        SsosapDB.SetApplication(utils.APP);
        if (utils.APP.ConnectionStatus != ConnectionStatus.CONNECTED)
        {
            utils.APP.StartConnection(utils.TCTIMEOUT);
        }

        _ch = new RBSCallbackHandler();
        if (SsosapDB.DatabaseExists())
        {
            SsosapDB.DeleteDatabase();
        }
        SsosapDB.RegisterCallbackHandler(_ch);
        SsosapDB.GetSynchronizationProfile().AsyncReplay = false;
        SsosapDB.GetConnectionProfile().EnableTrace(false);

        int icount = 0;
        try
        {
            SsosapDB.Synchronize();
            icount = Flight.FindAll().Size();
            utils.log("recorder size = " + icount);
        }
        catch (Exception e)
        {
            utils.log("Exception: " + e);
        }
        finally
        {
            Assert.IsTrue(icount > 0);
        }
    }

Android:

    {
        APP = com.sybase.mobile.Application.getInstance();
        APP.setApplicationContext(getActivity());
        String aid = APP.getApplicationIdentifier();
        if (aid == null)
        {
            aid = "<yourApplicaionIDHere>";
            try
            {
                APP.setApplicationIdentifier(aid);
            }
            catch (Exception e)
            {
                System.out.println(e.getMessage());
            }
        }
        else
        {
            System.out.println("Application ID is already set, it is: " + aid);
        }

        // Connect through the SiteMinder protected Relay Server (Network Edge).
        ConnectionProperties props = APP.getConnectionProperties();
        props.setNetworkProtocol(ConnectionProperties.NETWORK_PROTOCOL_HTTP);
        props.setServerName("ucperflab01.sybase.com");
        props.setPortNumber(80);
        props.setFarmId("<yourMBSFarmID>");
        props.setUrlSuffix("/rs/client/rs_client.dll/%cid%/tm");
        props.setSecurityConfiguration("<yourSecurityConfiguration>");

        // Same credentials for the edge challenge and for Sybase Unwired Platform.
        LoginCredentials login = new LoginCredentials("Mikel", "siteminder");
        props.setLoginCredentials(login);
        props.setHttpCredentials(login);
        SsosapDB.setApplication(APP);

        if (APP.getRegistrationStatus() != RegistrationStatus.REGISTERED)
        {
            try
            {
                APP.registerApplication(utils.TCTimeout);
            }
            catch (Exception e)
            {
                utils.printLog("Exception: " + e);
            }
        }
        if (APP.getConnectionStatus() != ConnectionStatus.CONNECTED)
            APP.startConnection(utils.TCTimeout);

        SsosapDB.getConnectionProfile().enableTrace(false);
        _ch = new RBSCallbackHandler();
        if (SsosapDB.databaseExists())
            SsosapDB.deleteDatabase();
        SsosapDB.registerCallbackHandler(_ch);
        SsosapDB.getSynchronizationProfile().setAsyncReplay(false);

        int icount = 0;
        try
        {
            SsosapDB.synchronize();
            icount = Flight.findAll().size();
            utils.printLog("recorder size = " + icount);
        }
        catch (Exception e)
        {
            utils.printLog("Exception: " + e);
        }
        finally
        {
            Assert.assertTrue(icount > 0);
        }
    }

BlackBerry:

    {
        utils.APP = Application.getInstance();
        String aid = utils.APP.getApplicationIdentifier();
        if (aid == null)
        {
            aid = "<yourAPPIdHere>";
            utils.APP.setApplicationIdentifier(aid);
            printLog("Application ID now set to: " + aid);
        }
        else
        {
            printLog("Application ID is already set, it is: " + aid);
        }

        printLog("Initialize App ConnectionProperties...");
        // Connect through the SiteMinder protected Relay Server (Network Edge).
        ConnectionProperties props = utils.APP.getConnectionProperties();
        props.setServerName("ucperflab01.sybase.com");
        props.setPortNumber(80);
        props.setFarmId("<yourMBSFarmId>");
        props.setUrlSuffix("/rs/client/rs_client.dll/%cid%/tm");
        props.setSecurityConfiguration("<yourSecurityConfiguration>");

        // Same credentials for the edge challenge and for Sybase Unwired Platform.
        LoginCredentials login = new LoginCredentials("Mikel", "siteminder");
        props.setLoginCredentials(login);
        props.setHttpCredentials(login);
        SsosapDB.setApplication(utils.APP);

        if (utils.APP.getRegistrationStatus() == RegistrationStatus.UNREGISTERED)
        {
            printLog("utils.APP.registerApplication");
            utils.APP.registerApplication(utils.TCTimeout);
            printLog("utils.APP.registerApplication done.");
        }

        int icount = 0;
        try
        {
            SsosapDB.synchronize();
            icount = Flight.findAll().size();
            printLog("recorder size = " + icount);
        }
        catch (Exception e)
        {
            printLog("Exception: " + e);
        }
        finally
        {
            assertTrue(icount > 0);
        }
    }

2.3 Non Network Edge Authentication with SiteMinder Protected Web Service

Similar to the Network Edge example, the Web service endpoint is changed in Sybase Control Center to use the SMSESSION cookie for SSO. This is done by editing the Web service connection pool (created during the deployment of the MBO) and adding two new properties called “credential.a.mapping” with a value “Cookie:SMSESSION” and “credential.a.name” with a value “SMSESSION”. Unlike the Network Edge example, the application connection template is configured with the server name set to the Sybase Unwired Platform server or Reverse Proxy (for example Relay Server).


Like the Network Edge example, the HTTPAuthenticationLoginModule is used as the authentication provider for this application, and it is configured with the TryBasicAuthIfTokenAuthFails property defined and set to true. This ensures that the basic authentication credentials obtained from the client are used by the LoginModule to authenticate with SiteMinder in the absence of a Network Edge server with a SiteMinder Web agent.

Sample Code for non Network Edge SiteMinder Protected Web Service

iOS:
{
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    SUPApplication* app = [SUPApplication getInstance];
    @try {
        app.applicationIdentifier = @"yourApplicationIDHere";
        [app setApplicationCallback:self];
        // Server name is the Sybase Unwired Platform server (or reverse proxy)
        SUPConnectionProperties* props = app.connectionProperties;
        [props setServerName:@"<yoursupserver>"];
        [props setPortNumber:5001];
        [props setFarmId:@"0"];

        SUPLoginCredentials* login = [SUPLoginCredentials getInstance];
        login.username = @"Emmam";
        login.password = @"siteminder";
        props.loginCredentials = login;
        props.activationCode = nil;
        props.securityConfiguration = @"<yourSecurityConfiguration>";
    }
    @catch (NSException* pe) {
        NSLog(@"%@, %@", [pe name], [pe reason]);
    }

    // Retry registration until the application is registered
    while ([SUPApplication registrationStatus] != SUPRegistrationStatus_REGISTERED) {
        @try {
            [app registerApplication:30];
        }
        @catch (NSException *exception) {
            NSLog(@"Exception thrown in registration: %@", [exception description]);
            NSLog(@"******************");
            NSLog(@"Exception thrown in registration: %@,%@", [exception name], [exception reason]);
            NSLog(@"******************");
        }
    }
    NSLog(@"Registration succeeded");

    @try {
        [app startConnection:30];
        NSLog(@"Connection succeeded");
    }
    @catch (NSException *exception) {
        NSLog(@"Exception thrown in connection: %@", [exception description]);
    }
    if ([e2eSSOE2eSSODB databaseExists])
        [e2eSSOE2eSSODB deleteDatabase];
    [e2eSSOE2eSSODB createDatabase];

    SUPConnectionProfile *cp = [e2eSSOE2eSSODB getSynchronizationProfile];
    [e2eSSOE2eSSODB setApplication:app];

    [cp setUser:@"Emmam"];
    [cp setPassword:@"siteminder"];
    [cp setAsyncReplay:NO];

    [e2eSSOE2eSSODB synchronize];
    [cp enableTrace:NO];
    SUPObjectList *hlist = [e2eSSOHelloWorld findAll];
    NSLog(@"Number of strings = %d", [hlist size]);
    [e2eSSOE2eSSODB unsubscribe];

    [pool drain];
}

C#:
{
    utils.APP = Sybase.Mobile.Application.GetInstance();
    utils.TestCallback = new AppCallbackHandler();
    utils.APP.ApplicationCallback = utils.TestCallback;
    Application app = Application.GetInstance();
    app.ApplicationCallback = new AppCallbackHandler();
    if (app.ApplicationIdentifier == null) {
        app.ApplicationIdentifier = "<yourAppIDHere>";
    }
    ConnectionProperties props = utils.APP.ConnectionProperties;
    props.ServerName = "<yourSUPServerNameHere>";
    props.PortNumber = 5001;
    props.FarmId = "0";
    if (!utils.MCActivationCode.Equals(""))
        props.ActivationCode = utils.MCActivationCode;
    props.SecurityConfiguration = "<yourSecurityConfiguration>";
    props.NetworkProtocol = utils.MCNetworkProtocol;
    LoginCredentials login = new LoginCredentials("Mikel", "siteminder");
    props.LoginCredentials = login;

    if (utils.APP.RegistrationStatus != RegistrationStatus.REGISTERED) {
        try {
            utils.APP.RegisterApplication(utils.TCTIMEOUT);
        } catch (Exception e) {
            Console.WriteLine(e.ToString());
        }
    }
    SSOWSDB.SetApplication(app);
    if (utils.APP.RegistrationStatus == RegistrationStatus.UNREGISTERED)
        utils.APP.RegisterApplication(utils.TCTIMEOUT);
    SSOWSDB.SetApplication(utils.APP);
    if (utils.APP.ConnectionStatus != ConnectionStatus.CONNECTED) {
        utils.APP.StartConnection(utils.TCTIMEOUT);
    }
    _ch = new RBSCallbackHandler();
    if (SSOWSDB.DatabaseExists()) {
        SSOWSDB.DeleteDatabase();
    }
    SSOWSDB.RegisterCallbackHandler(_ch);
    SSOWSDB.GetSynchronizationProfile().AsyncReplay = true;
    SSOWSDB.GetConnectionProfile().EnableTrace(false);
    int icount = 0;
    // Basic authentication credentials for the synchronization profile
    NNESSOWSDB.GetSynchronizationProfile().UserName = "Mikel";
    NNESSOWSDB.GetSynchronizationProfile().Password = "siteminder";
    try {
        SSOWSDB.Synchronize();
        icount = HelloWorld.FindAll().Size();
        utils.log("recorder size = " + icount);
    } catch (Exception e) {
        utils.log("Exception: " + e);
    } finally {
        Assert.IsTrue(icount > 0);
    }
}

Android:
{
    app = com.sybase.mobile.Application.getInstance();
    app.setApplicationContext(getActivity());
    String aid = app.getApplicationIdentifier();
    if (aid == null) {
        aid = "<yourAPPIdHere>";
        try {
            app.setApplicationIdentifier(aid);
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    } else {
        System.out.println("Application ID is already set, it is: " + aid);
    }
    ConnectionProperties props = app.getConnectionProperties();
    props.setNetworkProtocol(ConnectionProperties.NETWORK_PROTOCOL_HTTP);
    props.setServerName("<yourSUPServerNameHere>");
    props.setPortNumber(utils.MCServerPort);
    props.setSecurityConfiguration("<yourSecurityConfiguration>");
    LoginCredentials login = new LoginCredentials(utils.MCUser, uMCPassword);
    props.setLoginCredentials(login);
    NNESSOWSDB.setApplication(app);
    if (app.getRegistrationStatus() == RegistrationStatus.UNREGISTERED)
        app.registerApplication(utils.TCTimeout);
    if (app.getConnectionStatus() != ConnectionStatus.CONNECTED)
        app.startConnection(utils.TCTimeout);
    _ch = new RBSCallbackHandler();
    if (NNESSOWSDB.databaseExists()) {
        NNESSOWSDB.deleteDatabase();
    }
    NNESSOWSDB.registerCallbackHandler(_ch);
    NNESSOWSDB.getSynchronizationProfile().setAsyncReplay(false);

    int icount = 0;
    // Basic authentication credentials for the synchronization profile
    NNESSOWSDB.getSynchronizationProfile().setUserName("Mikel");
    NNESSOWSDB.getSynchronizationProfile().setPassword("siteminder");
    try {
        NNESSOWSDB.synchronize();
        icount = HelloWorld.findAll().size();
        utils.printLog("recorder size = " + icount);
    } catch (Exception e) {
        utils.printLog("Exception: " + e);
    } finally {
        Assert.assertTrue(icount > 0);
    }
}

BlackBerry:
{
    utils.APP = Application.getInstance();
    String aid = utils.APP.getApplicationIdentifier();
    if (aid == null) {
        aid = "<yourAPPIdHere>";
        utils.APP.setApplicationIdentifier(aid);
        printLog("Application ID now set to: " + aid);
    } else {
        printLog("Application ID is already set, it is: " + aid);
    }
    ConnectionProperties props = utils.APP.getConnectionProperties();
    props.setServerName("<yourSUPServerNameHere>");
    props.setPortNumber(utils.MCServerPort);
    props.setSecurityConfiguration("<yourSecurityConfiguration>");
    LoginCredentials login = new LoginCredentials("Mikel", "siteminder");
    props.setLoginCredentials(login);
    NNESSOWSDB.setApplication(utils.APP);
    if (utils.APP.getRegistrationStatus() == RegistrationStatus.UNREGISTERED) {
        printLog("utils.APP.registerApplication");
        utils.APP.registerApplication(utils.TCTimeout);
        printLog("utils.APP.registerApplication done.");
    }
    if (utils.APP.getConnectionStatus() != ConnectionStatus.CONNECTED) {
        utils.APP.startConnection(utils.TCTimeout);
    }
    int icount = 0;
    // Basic authentication credentials for the synchronization profile
    NNESSOWSDB.getSynchronizationProfile().setUserName("Mikel");
    NNESSOWSDB.getSynchronizationProfile().setPassword("siteminder");
    try {
        NNESSOWSDB.synchronize();
        icount = HelloWorld.findAll().size();
        printLog("recorder size = " + icount);
    } catch (Exception e) {
        printLog("Exception: " + e);
    } finally {
        assertTrue(icount > 0);
    }
}

2.4 Network Edge SiteMinder Authentication with SAP SSO2 Protected SAP JCO

The connection template for the application is set up appropriately with the server name set to the Network Edge server with the SiteMinder agent installed.

The HTTPAuthenticationLoginModule is utilized as the authentication provider for this application and it is configured to propagate the SiteMinder session cookie.


Sample Code for Network Edge and SSO2 Protected SAP JCO

iOS:
{
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    SUPApplication *app = [SUPApplication getInstance];
    app.applicationIdentifier = @"yourApplicationIDHere";
    app.applicationCallback = self;
    // Server name is the Network Edge server with the SiteMinder agent installed
    SUPConnectionProperties* props = app.connectionProperties;
    [props setNetworkProtocol:@"http"];
    [props setServerName:@"ucperflab01.sybase.com"];
    [props setPortNumber:80];
    [props setFarmId:@"<yourmbsfarmid>"];
    [props setUrlSuffix:@"/rs/client/rs_client.dll"];
    SUPLoginCredentials *login = [[SUPLoginCredentials alloc] initWithUsername:@"sybase101" andPassword:@"sybase123"];
    [props setHttpCredentials:login];

    props.loginCredentials = login;
    props.activationCode = nil;

    // Retry registration until the application is registered
    while ([SUPApplication registrationStatus] != SUPRegistrationStatus_REGISTERED) {
        @try {
            [app registerApplication:30];
        }
        @catch (NSException *exception) {
            NSLog(@"Exception thrown in registration: %@", [exception description]);
            NSLog(@"******************");
            NSLog(@"Exception thrown in registration: %@,%@", [exception name], [exception reason]);
            NSLog(@"******************");
        }
    }
    NSLog(@"Registration succeeded");

    @try {
        [app startConnection:30];
        NSLog(@"Connection succeeded");
    }
    @catch (NSException *exception) {
        NSLog(@"Exception thrown in connection: %@", [exception description]);
    }
    if ([smjcoSmjcoDB databaseExists])
        [smjcoSmjcoDB deleteDatabase];
    [smjcoSmjcoDB createDatabase];

    SUPConnectionProfile *cp = [smjcoSmjcoDB getConnectionProfile];
    [cp enableTrace:NO];
    [cp.syncProfile enableTrace:NO];
    [smjcoSmjcoDB setApplication:app];

    [cp.syncProfile setUser:@"sybase101"];
    [cp.syncProfile setPassword:@"sybase123"];
    [cp.syncProfile setAsyncReplay:NO];

    [smjcoSmjcoDB synchronize];

    SUPObjectList *hlist = [smjcocompanylist findAll];
    NSLog(@"Number of strings = %d", [hlist size]);
    [smjcoSmjcoDB unsubscribe];

    [pool drain];
}

C#:
{
    utils.APP = Sybase.Mobile.Application.GetInstance();
    utils.TestCallback = new AppCallbackHandler();
    utils.APP.ApplicationCallback = utils.TestCallback;
    Application app = Application.GetInstance();
    app.ApplicationCallback = new AppCallbackHandler();

    if (app.ApplicationIdentifier == null) {
        app.ApplicationIdentifier = "<yourAPPIdHere>";
    }
    ConnectionProperties props = utils.APP.ConnectionProperties;
    props.ServerName = "ucperflab01.sybase.com";
    props.PortNumber = 80;
    props.FarmId = "<yourMBSFarmID>";
    props.UrlSuffix = "/rs/client/rs_client.dll";
    if (!utils.MCActivationCode.Equals(""))
        props.ActivationCode = utils.MCActivationCode;
    props.SecurityConfiguration = "<yourSecurityConfiguration>";
    props.NetworkProtocol = utils.MCNetworkProtocol;
    // The same credentials object is set as both login and HTTP credentials
    LoginCredentials login = new LoginCredentials("SYBASE101", "sybase123");
    props.LoginCredentials = login;
    props.HTTPCredentials = login;
    SsosapDB.SetApplication(app);
    if (utils.APP.RegistrationStatus != RegistrationStatus.REGISTERED) {
        try {
            utils.APP.RegisterApplication(utils.TCTIMEOUT);
        } catch (Exception e) {
            Console.WriteLine(e.ToString());
        }
    }
    SsosapDB.SetApplication(utils.APP);
    if (utils.APP.ConnectionStatus != ConnectionStatus.CONNECTED) {
        utils.APP.StartConnection(utils.TCTIMEOUT);
    }
    _ch = new RBSCallbackHandler();
    if (SsosapDB.DatabaseExists()) {
        SsosapDB.DeleteDatabase();
    }
    SsosapDB.RegisterCallbackHandler(_ch);
    SsosapDB.GetSynchronizationProfile().AsyncReplay = false;
    SsosapDB.GetConnectionProfile().EnableTrace(false);
    int icount = 0;
    try {
        SsosapDB.Synchronize();
        icount = Flight.FindAll().Size();
        utils.log("recorder size = " + icount);
    } catch (Exception e) {
        utils.log("Exception: " + e);
    } finally {
        Assert.IsTrue(icount > 0);
    }
}

Android:
{
    APP = com.sybase.mobile.Application.getInstance();
    APP.setApplicationContext(getActivity());
    String aid = APP.getApplicationIdentifier();
    if (aid == null) {
        aid = "<yourApplicationIDHere>";
        try {
            APP.setApplicationIdentifier(aid);
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    } else {
        System.out.println("Application ID is already set, it is: " + aid);
    }
    ConnectionProperties props = APP.getConnectionProperties();
    props.setNetworkProtocol(ConnectionProperties.NETWORK_PROTOCOL_HTTP);
    props.setServerName("ucperflab01.sybase.com");
    props.setPortNumber(80);
    props.setFarmId("<yourMBSFarmID>");
    props.setUrlSuffix("/rs/client/rs_client.dll/%cid%/tm");
    props.setSecurityConfiguration("<yourSecurityConfiguration>");
    // The same credentials object is set as both login and HTTP credentials
    LoginCredentials login = new LoginCredentials("SYBASE101", "sybase123");
    props.setLoginCredentials(login);
    props.setHttpCredentials(login);
    SsosapDB.setApplication(APP);
    if (APP.getRegistrationStatus() != RegistrationStatus.REGISTERED) {
        try {
            APP.registerApplication(utils.TCTimeout);
        } catch (Exception e) {
            utils.printLog("Exception: " + e);
        }
    }
    if (APP.getConnectionStatus() != ConnectionStatus.CONNECTED)
        APP.startConnection(utils.TCTimeout);
    SsosapDB.getConnectionProfile().enableTrace(false);
    _ch = new RBSCallbackHandler();
    if (SsosapDB.databaseExists())
        SsosapDB.deleteDatabase();
    SsosapDB.registerCallbackHandler(_ch);
    SsosapDB.getSynchronizationProfile().setAsyncReplay(false);
    int icount = 0;
    try {
        SsosapDB.synchronize();
        icount = Flight.findAll().size();
        utils.printLog("recorder size = " + icount);
    } catch (Exception e) {
        utils.printLog("Exception: " + e);
    } finally {
        Assert.assertTrue(icount > 0);
    }
}

BlackBerry:
{
    utils.APP = Application.getInstance();
    String aid = utils.APP.getApplicationIdentifier();
    if (aid == null) {
        aid = "<yourAPPIdHere>";
        utils.APP.setApplicationIdentifier(aid);
        printLog("Application ID now set to: " + aid);
    } else {
        printLog("Application ID is already set, it is: " + aid);
    }
    printLog("Initialize App ConnectionProperties...");
    ConnectionProperties props = utils.APP.getConnectionProperties();
    props.setServerName("ucperflab01.sybase.com");
    props.setPortNumber(80);
    props.setFarmId("<yourMBSFarmId>");
    props.setUrlSuffix("/rs/client/rs_client.dll/%cid%/tm");
    props.setSecurityConfiguration("<yourSecurityConfiguration>");
    // The same credentials object is set as both login and HTTP credentials
    LoginCredentials login = new LoginCredentials("SYBASE101", "sybase123");
    props.setLoginCredentials(login);
    props.setHttpCredentials(login);
    SsosapDB.setApplication(utils.APP);
    if (utils.APP.getRegistrationStatus() == RegistrationStatus.UNREGISTERED) {
        printLog("utils.APP.registerApplication");
        utils.APP.registerApplication(utils.TCTimeout);
        printLog("utils.APP.registerApplication done.");
    }

    int icount = 0;
    try {
        SsosapDB.synchronize();
        icount = Flight.findAll().size();
        printLog("recorder size = " + icount);
    } catch (Exception e) {
        printLog("Exception: " + e);
    } finally {
        assertTrue(icount > 0);
    }
}

2.5 Network Edge SiteMinder Authentication with SSO2 Protected SAP NetWeaver

The Web service connection is defined in Sybase Unwired WorkSpace with a NetWeaver WSDL URL, for example:

http://sap-doevm1.sybase.com:8000/sap/bc/srt/wsdl/bndg_005056917C611ED0839513C12F013E5F/wsdl11/allinone/standard/document?sap-client=100

The Web service is enabled with HTTP Basic Authentication, and the username and password personalization keys are utilized to enable single sign-on. This is equivalent to the step done for the Web service connection example.

Note: This step is what triggers SSO.


The connection template for the application is set up appropriately with the server name set to the Network Edge server with the SiteMinder agent installed.


Sample Code for Network Edge with SAP NetWeaver Web Service

iOS:
{
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    SUPApplication *app = [SUPApplication getInstance];
    app.applicationIdentifier = @"yourApplicationIDHere";
    app.applicationCallback = self;
    // Server name is the Network Edge server with the SiteMinder agent installed
    SUPConnectionProperties* props = app.connectionProperties;
    [props setNetworkProtocol:@"http"];
    [props setServerName:@"ucperflab01.sybase.com"];
    [props setPortNumber:80];
    [props setFarmId:@"<yourmbsfarmid>"];
    [props setUrlSuffix:@"/rs/client/rs_client.dll"];
    SUPLoginCredentials *login = [[SUPLoginCredentials alloc] initWithUsername:@"sybase101" andPassword:@"sybase123"];
    [props setHttpCredentials:login];
    props.loginCredentials = login;
    props.activationCode = nil;

    // Retry registration until the application is registered
    while ([SUPApplication registrationStatus] != SUPRegistrationStatus_REGISTERED) {
        @try {
            [app registerApplication:30];
        }
        @catch (NSException *exception) {
            NSLog(@"Exception thrown in registration: %@", [exception description]);
            NSLog(@"******************");
            NSLog(@"Exception thrown in registration: %@,%@", [exception name], [exception reason]);
            NSLog(@"******************");
        }
    }
    NSLog(@"Registration succeeded");
    @try {
        [app startConnection:30];
        NSLog(@"Connection succeeded");
    }
    @catch (NSException *exception) {
        NSLog(@"Exception thrown in connection: %@", [exception description]);
    }
    if ([smNWSSOSmNWSSODB databaseExists])
        [smNWSSOSmNWSSODB deleteDatabase];
    [smNWSSOSmNWSSODB createDatabase];
    SUPConnectionProfile *cp = [smNWSSOSmNWSSODB getConnectionProfile];

    [smNWSSOSmNWSSODB setApplication:app];

    [cp.syncProfile setAsyncReplay:NO];

    [smNWSSOSmNWSSODB synchronize];

    SUPObjectList *hlist = [smNWSSOFlightGetlist findAll];
    NSLog(@"Number of strings = %d", [hlist size]);
    [smNWSSOSmNWSSODB unsubscribe];

    [pool drain];
}

C#:
{
    utils.APP = Sybase.Mobile.Application.GetInstance();
    utils.TestCallback = new AppCallbackHandler();
    utils.APP.ApplicationCallback = utils.TestCallback;
    Application app = Application.GetInstance();
    app.ApplicationCallback = new AppCallbackHandler();

    if (app.ApplicationIdentifier == null) {
        app.ApplicationIdentifier = "<yourAPPIdHere>";
    }
    ConnectionProperties props = utils.APP.ConnectionProperties;
    props.ServerName = "ucperflab01.sybase.com";
    props.PortNumber = 80;
    props.FarmId = "<yourMBSFarmID>";
    props.UrlSuffix = "/rs/client/rs_client.dll";
    if (!utils.MCActivationCode.Equals(""))
        props.ActivationCode = utils.MCActivationCode;
    props.SecurityConfiguration = "<yourSecurityConfiguration>";
    props.NetworkProtocol = utils.MCNetworkProtocol;
    // The same credentials object is set as both login and HTTP credentials
    LoginCredentials login = new LoginCredentials("SYBASE101", "sybase123");
    props.LoginCredentials = login;
    props.HTTPCredentials = login;
    SSO2SAPWSDB.SetApplication(app);
    if (utils.APP.RegistrationStatus != RegistrationStatus.REGISTERED) {
        try {
            utils.APP.RegisterApplication(utils.TCTIMEOUT);
        } catch (Exception e) {
            Console.WriteLine(e.ToString());
        }
    }
    SSO2SAPWSDB.SetApplication(utils.APP);
    if (utils.APP.ConnectionStatus != ConnectionStatus.CONNECTED) {
        utils.APP.StartConnection(utils.TCTIMEOUT);
    }
    _ch = new RBSCallbackHandler();
    if (SSO2SAPWSDB.DatabaseExists()) {
        SSO2SAPWSDB.DeleteDatabase();
    }
    SSO2SAPWSDB.RegisterCallbackHandler(_ch);
    SSO2SAPWSDB.GetSynchronizationProfile().AsyncReplay = false;
    SSO2SAPWSDB.GetConnectionProfile().EnableTrace(false);
    int icount = 0;
    try {
        SSO2SAPWSDB.Synchronize();
        icount = FlightGetlist.FindAll().Size();
        utils.log("recorder size = " + icount);
    } catch (Exception e) {
        utils.log("Exception: " + e);
    } finally {
        Assert.IsTrue(icount > 0);
    }
}

Android:
{
    APP = com.sybase.mobile.Application.getInstance();
    APP.setApplicationContext(getActivity());
    String aid = APP.getApplicationIdentifier();
    if (aid == null) {
        aid = "<yourAPPIdHere>";
        try {
            APP.setApplicationIdentifier(aid);
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    } else {
        System.out.println("Application ID is already set, it is: " + aid);
    }
    ConnectionProperties props = APP.getConnectionProperties();
    props.setNetworkProtocol(ConnectionProperties.NETWORK_PROTOCOL_HTTP);
    props.setServerName("ucperflab01.sybase.com");
    props.setPortNumber(80);
    props.setFarmId("<yourMBSFarmId>");
    props.setUrlSuffix("/rs/client/rs_client.dll/%cid%/tm");
    props.setSecurityConfiguration("<yourSecurityConfiguration>");

    // The same credentials object is set as both login and HTTP credentials
    LoginCredentials login = new LoginCredentials("SYBASE101", "sybase123");
    props.setLoginCredentials(login);
    props.setHttpCredentials(login);
    SSO2SAPWSDB.setApplication(APP);
    if (APP.getRegistrationStatus() != RegistrationStatus.REGISTERED) {
        try {
            APP.registerApplication(utils.TCTimeout);
        } catch (Exception e) {
            utils.printLog("Exception: " + e);
        }
    }
    if (APP.getConnectionStatus() != ConnectionStatus.CONNECTED)
        APP.startConnection(utils.TCTimeout);
    SSO2SAPWSDB.getConnectionProfile().enableTrace(false);
    _ch = new RBSCallbackHandler();
    if (SSO2SAPWSDB.databaseExists())
        SSO2SAPWSDB.deleteDatabase();
    SSO2SAPWSDB.registerCallbackHandler(_ch);
    SSO2SAPWSDB.getSynchronizationProfile().setAsyncReplay(false);
    int icount = 0;
    try {
        SSO2SAPWSDB.synchronize();
        icount = FlightGetlist.findAll().size();
        utils.printLog("recorder size = " + icount);
    } catch (Exception e) {
        utils.printLog("Exception: " + e);
    } finally {
        Assert.assertTrue(icount > 0);
    }
}

BlackBerry:
{
    utils.APP = Application.getInstance();
    printLog("get com.sybase.mobile.Application.getApplicationIdentifier()");
    String aid = utils.APP.getApplicationIdentifier();
    if (aid == null) {
        aid = utils.ApplicationID;
        utils.APP.setApplicationIdentifier(aid);
        printLog("Application ID now set to: " + aid);
    } else {
        printLog("Application ID is already set, it is: " + aid);
    }
    printLog("Initialize App ConnectionProperties...");
    ConnectionProperties props = utils.APP.getConnectionProperties();
    props.setServerName("ucperflab01.sybase.com");
    props.setPortNumber(80);
    props.setFarmId("<yourMBSFarmID>");
    props.setUrlSuffix("/rs/client/rs_client.dll/%cid%/tm");
    props.setSecurityConfiguration("<yourSecurityConfiguration>");
    // The same credentials object is set as both login and HTTP credentials
    LoginCredentials login = new LoginCredentials("SYBASE101", "sybase123");
    props.setLoginCredentials(login);
    props.setHttpCredentials(login);
    SSO2SAPWSDB.setApplication(utils.APP);
    if (utils.APP.getRegistrationStatus() == RegistrationStatus.UNREGISTERED) {
        printLog("utils.APP.registerApplication");
        utils.APP.registerApplication(utils.TCTimeout);
        printLog("utils.APP.registerApplication done.");
    }
    int icount = 0;
    try {
        SSO2SAPWSDB.synchronize();
        icount = FlightGetlist.findAll().size();
        printLog("recorder size = " + icount);
    } catch (Exception e) {
        printLog("Exception: " + e);
    } finally {
        assertTrue(icount > 0);
    }
}


2.6 External SiteMinder Token Authentication with SSO2 Protected SAP NetWeaver

The application connection template is configured with the server name set to the Sybase Unwired Platform server or Reverse Proxy (for example Relay Server).

The HTTPAuthenticationLoginModule is utilized as the authentication provider for this application, and it is configured to propagate the SiteMinder session cookie and obtain the SAP SSO2 token used to authenticate with the NetWeaver service.

Sample Code for SSO2 Protected SAP NetWeaver with External SiteMinder Token

iOS:
{
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    SUPApplication *app = [SUPApplication getInstance];
    app.applicationIdentifier = @"yourApplicationIDHere";
    app.applicationCallback = self;
    SUPConnectionProperties* props = app.connectionProperties;
    [props setServerName:@"<yourSUPServer>"];
    [props setPortNumber:5001];
    [props setFarmId:@"0"];
    [props setUrlSuffix:@""];

    // Pass the externally obtained SiteMinder cookies with the connection
    SUPStringProperties *cookies = [smnwTests externalCookies];
    SUPStringProperties *headers = [SUPStringProperties getInstance];
    for (NSString *key in [cookies keys]) {
        NSLog(@"Cookie found: name = %@, value = %@", key, [cookies item:key]);
        [headers add:@"Set-Cookie" withValue:[NSString stringWithFormat:@"%@=%@=", key, [cookies item:key]]];
    }
    [props setHttpCookies:cookies];
    SUPLoginCredentials* login = [SUPLoginCredentials getInstance];
    login.username = @"sybase101";
    login.password = @"sybase123";

    props.loginCredentials = login;
    props.activationCode = nil;

    // Retry registration until the application is registered
    while ([SUPApplication registrationStatus] != SUPRegistrationStatus_REGISTERED) {
        @try {
            [app registerApplication:30];
        }
        @catch (NSException *exception) {
            NSLog(@"Exception thrown in registration: %@", [exception description]);
            NSLog(@"******************");
            NSLog(@"Exception thrown in registration: %@,%@", [exception name], [exception reason]);
            NSLog(@"******************");
        }
    }
    NSLog(@"Registration succeeded");
    @try {
        [app startConnection:30];
        NSLog(@"Connection succeeded");
    }
    @catch (NSException *exception) {
        NSLog(@"Exception thrown in connection: %@", [exception description]);
    }
    if ([smNWSSOSmNWSSODB databaseExists])
        [smNWSSOSmNWSSODB deleteDatabase];
    [smNWSSOSmNWSSODB createDatabase];
    SUPConnectionProfile *cp = [smNWSSOSmNWSSODB getSynchronizationProfile];
    [cp enableTrace:NO];
    [cp.syncProfile enableTrace:NO];
    [smNWSSOSmNWSSODB setApplication:app];

    [cp setAsyncReplay:NO];
    [smNWSSOSmNWSSODB synchronize];
    SUPObjectList *hlist = [smNWSSOFlightGetlist findAll];
    NSLog(@"Number of strings = %d", [hlist size]);
    [smNWSSOSmNWSSODB unsubscribe];

    [pool drain];
}

C#:
{
    utils.APP = Sybase.Mobile.Application.GetInstance();
    utils.TestCallback = new AppCallbackHandler();
    utils.APP.ApplicationCallback = utils.TestCallback;
    utils.log("get Application.ApplicationIdentifier");
    string aid = utils.APP.ApplicationIdentifier;
    if (aid == null) {
        aid = "<yourAPPIdHere>";
        utils.APP.ApplicationIdentifier = aid;
        utils.log("Application ID now set to: " + aid);
    } else {
        utils.log("Application ID is already set, it is: " + aid);
    }
    utils.log("Initialize App ConnectionProperties...");
    ConnectionProperties props = utils.APP.ConnectionProperties;
    props.ServerName = "<yourSUPServerName>";
    props.PortNumber = 5001;
    props.FarmId = "0";
    props.UrlSuffix = "";
    if (!utils.MCActivationCode.Equals(""))
        props.ActivationCode = utils.MCActivationCode;
    props.SecurityConfiguration = "<yourSecurityConfiguration>";
    props.NetworkProtocol = utils.MCNetworkProtocol;
    utils.log("ApplicationID=" + utils.ApplicationID);
    // Pass the externally obtained SiteMinder cookie with the connection
    props.HttpCookies = "<setExternalCookieHere>";
    LoginCredentials login = new LoginCredentials("SYBASE101", "sybase123");
    props.LoginCredentials = login;

    if (utils.APP.RegistrationStatus == RegistrationStatus.UNREGISTERED)
        utils.APP.RegisterApplication(utils.TCTIMEOUT);

    if (Environment.OSVersion.Platform != PlatformID.WinCE)
        MSSO2SAPWSDB.GetSynchronizationProfile().ServerName = utils.MCServerName;
    MSSO2SAPWSDB.SetApplication(utils.APP);
    if (utils.APP.ConnectionStatus != ConnectionStatus.CONNECTED) {
        utils.APP.StartConnection(utils.TCTIMEOUT);
    }
    _ch = new RBSCallbackHandler();
    if (MSSO2SAPWSDB.DatabaseExists()) {
        MSSO2SAPWSDB.DeleteDatabase();
    }
    MSSO2SAPWSDB.RegisterCallbackHandler(_ch);
    MSSO2SAPWSDB.GetSynchronizationProfile().AsyncReplay = false;
    MSSO2SAPWSDB.GetConnectionProfile().EnableTrace(false);
    int icount = 0;
    try {
        MSSO2SAPWSDB.Synchronize();
        icount = FlightGetlist.FindAll().Size();
        utils.log("recorder size = " + icount);
    } catch (Exception e) {
        utils.log("Exception: " + e);
        Assert.Fail();
    } finally {
        Assert.True(icount > 0);
    }
}

Android:
{
    app = com.sybase.mobile.Application.getInstance();
    app.setApplicationContext(getActivity());
    String aid = app.getApplicationIdentifier();
    if (aid == null) {
        aid = "<yourAPPIdHere>";
        try {
            app.setApplicationIdentifier(aid);
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    } else {
        System.out.println("Application ID is already set, it is: " + aid);
    }
    ConnectionProperties props = app.getConnectionProperties();
    props.setNetworkProtocol(ConnectionProperties.NETWORK_PROTOCOL_HTTP);
    props.setServerName("<yourSUPServerName>");
    props.setPortNumber(5001);
    props.setSecurityConfiguration("<yourSecurityConfiguration>");
    // Pass the externally obtained SiteMinder cookie with the connection
    props.setHttpCookies("<yourExternalCookie>");
    LoginCredentials login = new LoginCredentials("SYBASE101", "sybase123");
    MSSO2SAPWSDB.setApplication(app);
    if (app.getRegistrationStatus() == RegistrationStatus.UNREGISTERED)
        app.registerApplication(utils.TCTimeout);
    if (app.getConnectionStatus() != ConnectionStatus.CONNECTED)
        app.startConnection(utils.TCTimeout);
    _ch = new RBSCallbackHandler();
    if (MSSO2SAPWSDB.databaseExists()) {
        MSSO2SAPWSDB.deleteDatabase();
    }
    MSSO2SAPWSDB.registerCallbackHandler(_ch);
    MSSO2SAPWSDB.getSynchronizationProfile().setAsyncReplay(false);
    MSSO2SAPWSDB.getSynchronizationProfile().setServerName(utils.MCServerName);

    int icount = 0;
    try {
        MSSO2SAPWSDB.synchronize();
        icount = FlightGetlist.findAll().size();
        utils.printLog("recorder size = " + icount);
    } catch (Exception e) {
        utils.printLog("Exception: " + e);
    } finally {
        Assert.assertTrue(icount > 0);
    }
}

BlackBerry:
{
    utils.APP = Application.getInstance();
    String aid = utils.APP.getApplicationIdentifier();
    if (aid == null) {
        aid = "<yourAPPIdHere>";
        utils.APP.setApplicationIdentifier(aid);
        printLog("Application ID now set to: " + aid);
    } else {
        printLog("Application ID is already set, it is: " + aid);
    }
    printLog("Initialize App ConnectionProperties...");
    ConnectionProperties props = utils.APP.getConnectionProperties();
    props.setServerName("<yourSUPServerName>");
    props.setPortNumber(5001);
    props.setSecurityConfiguration("<yourSecurityConfiguration>");
    // Pass the externally obtained SiteMinder cookie with the connection
    props.setHttpCookies(<externalCookieHere>);
    LoginCredentials login = new LoginCredentials("SYBASE101", "sybase123");
    props.setLoginCredentials(login);
    MSSO2SAPWSDB.setApplication(utils.APP);
    if (utils.APP.getRegistrationStatus() == RegistrationStatus.UNREGISTERED) {
        utils.APP.registerApplication(utils.TCTimeout);
    }
    if (utils.APP.getConnectionStatus() != ConnectionStatus.CONNECTED) {
        utils.APP.startConnection(utils.TCTimeout);
    }
    int icount = 0;
    try {
        MSSO2SAPWSDB.synchronize();
        icount = FlightGetlist.findAll().size();
        printLog("recorder size = " + icount);
    } catch (Exception e) {
        printLog("Exception: " + e);
    } finally {
        assertTrue(icount > 0);
    }
}

2.7 Hybrid Web Container Applications and Network Edge Authentication with SiteMinder

The Hybrid Web Container has built-in support for the Network Edge client authentication pattern as described in Section 1.1 of this document. If the Reverse Proxy or Relay Server is protected by SiteMinder, the Hybrid Web Container will prompt the user for their basic authentication credentials, and the resulting SMSESSION cookie is automatically sent along with each subsequent request to the Sybase Unwired Platform server. This can be used in conjunction with all supported EIS data sources.

2.8 Hybrid Web Container Applications and External SiteMinder Token Authentication

The Hybrid Web Container supports the External Token client authentication pattern as described in Section 1.3 of this document by allowing the application developer to customize the Hybrid Web Container and set any additional HTTP headers and/or cookies in subsequent requests to the Sybase Unwired Platform server. In the case of SiteMinder, the externally retrieved SMSESSION cookie can be set in this method. Refer to the customization topic “Setting HTTP Headers” in the Sybase Unwired Platform product documentation:

Developer Guide: Mobile Workflow Packages » Mobile Workflow Development » Hybrid Web Container Customization » iOS Hybrid Web Container Customization » iOS Customization Touch Points » Default Behavior Customization for the iOS Hybrid Web Container at http://infocenter.sybase.com/help/topic/com.sybase.infocenter.dc01218.0213/doc/html/vhu1335457100473.html

or

Developer Guide: Mobile Workflow Packages » Mobile Workflow Development » Hybrid Web Container Customization » Android Hybrid Web Container Customization » Android Customization Touch Points » Default Behavior Customization for the Android Hybrid Web Container at http://infocenter.sybase.com/help/topic/com.sybase.infocenter.dc01218.0213/doc/html/vhu1335457098144.html
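The External Token pattern in Sections 2.6 and 2.8 leaves it to the application to obtain the SMSESSION cookie and hand it to the client library. The following added example (not part of the Sybase document or the product's code) picks that cookie out of Set-Cookie headers, rejects an empty or logged-off value, and logs only a fingerprint of it. The class name, the sample headers and the LOGGEDOFF marker are assumptions of the example.

```java
import java.net.HttpCookie;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;

/** Added example: select and sanity-check an externally obtained SMSESSION cookie. */
public class SmSessionCookie {

    static final String COOKIE_NAME = "SMSESSION";
    // Assumption: a SiteMinder agent overwrites the cookie with this value on logout.
    static final String LOGGED_OFF = "LOGGEDOFF";

    /**
     * Returns the SMSESSION value from the given Set-Cookie header lines, or
     * null when no usable value is present. Later headers override earlier
     * ones, so a trailing logoff cookie cancels an earlier session.
     */
    static String extract(List<String> setCookieHeaders) {
        String session = null;
        for (String header : setCookieHeaders) {
            List<HttpCookie> cookies;
            try {
                cookies = HttpCookie.parse(header);
            } catch (IllegalArgumentException malformed) {
                continue; // ignore headers that are not valid cookies
            }
            for (HttpCookie cookie : cookies) {
                if (!COOKIE_NAME.equals(cookie.getName())) {
                    continue;
                }
                String value = cookie.getValue();
                boolean unusable = value == null || value.isEmpty()
                        || LOGGED_OFF.equalsIgnoreCase(value);
                session = unusable ? null : value;
            }
        }
        return session;
    }

    /** Fingerprint for log lines: correlates sessions without exposing the token. */
    static String fingerprint(String value) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(value.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder("sha256:");
            for (int i = 0; i < 6; i++) {
                hex.append(String.format("%02x", digest[i]));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every JVM
        }
    }

    public static void main(String[] args) {
        // Constructed sample headers, as an external login helper might collect them.
        List<String> headers = Arrays.asList(
                "Set-Cookie: SMSESSION=LOGGEDOFF; path=/; domain=.example.test",
                "Set-Cookie: JSESSIONID=constructed123; path=/",
                "Set-Cookie: SMSESSION=Q09OU1RSVUNURUQ=; path=/; domain=.example.test; HttpOnly");

        String session = extract(headers);
        if (session == null) {
            System.out.println("No usable SMSESSION cookie; authenticate again before registering.");
            return;
        }
        // Log the fingerprint, never the cookie value itself.
        System.out.println("SMSESSION accepted, " + fingerprint(session));
        // The name/value pair is what the samples in Section 2.6 hand to setHttpCookies.
    }
}
```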
