Guia NW SSO Version 1.0

Installation, Configuration and Administration Guide SAP NetWeaver Single-Sign-On SP4 Secure Login Server
PUBLIC Document Version: 1.6 September 2012
2012 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, MultiTouch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc. IOS is a registered trademark of Cisco Systems Inc. RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold,
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the United States and other countries.
BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App World are trademarks or registered trademarks of Research in Motion Limited. Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are trademarks or registered trademarks of Google Inc. INTERMEC is a registered trademark of Intermec Technologies Corporation. Wi-Fi is a registered trademark of Wi-Fi Alliance. Bluetooth is a registered trademark of Bluetooth SIG Inc. Motorola is a registered trademark of Motorola Trademark Holdings
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and other countries. Oracle and Java are registered trademarks of Oracle and its affiliates.
LLC. Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems Inc. HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.
BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.
Prototype JavaScript Framework http://www.prototypejs.org/ Copyright (c) 2005-2010 Sam Stephenson Permission is hereby granted, free of charge, to any person obtaining a
Crossgate, m@gic EDDY, B2B 360, and B2B 360 Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. Disclaimer Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.
copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
stringutils http://sourceforge.net/projects/stringutils/ Any Java Source Code delivered with this product is only to be used by SAPs Support Services and may not be modified or altered in any way. Copyright (c) 2006 Andrea S. Gozzi, Valerio Romeo Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
Terms for Included Open Source Software

This SAP software contains also the third party open source software products listed below. Please note that for these third party products the following special terms and conditions shall apply.
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
opencsv 1.7.1 http://opencsv.sourceforge.net/ "Derivative Works" shall mean any work, whether in Source or Object Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and
(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or
(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT,
MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or
losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.
Typographic Conventions
Type Style Example Text Description Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Cross-references to other documentation Emphasized words or phrases in body text, graphic titles, and table titles Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE. Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools. Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation. Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system. Keys on the keyboard, for example, F2 or ENTER.
Icons
Icon Meaning Caution Example Note Recommendation Syntax Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Example text
EXAMPLE TEXT
Example text
Example text
<Example text>
EXAMPLE TEXT
Contents
1 What is Secure Login? ..................................................................... 11
1.1 System Overview .................................................................................. 12 1.2 System Overview with Security Token ............................................... 13 1.3 System Overview with Secure Login Server ...................................... 16 1.4 Instances ............................................................................................... 18 1.5 PKI Structure ........................................................................................ 19 1.6 Secure Communication ....................................................................... 20 1.7 Policy Server Overview ........................................................................ 21 1.8 Secure Login Web Client ..................................................................... 22 1.8.1 Export Restrictions ........................................................................... 22
1.8.2 Setting User Environment Variables ........................................................................... 23 1.8.3 Web Client Security Features ..................................................................................... 23
2 Secure Login Server Installation ..................................................... 25

2.1 Prerequisites ........................................................................................ 25
2.1.1 Secure Login Library ................................................................................................... 26
2.2 Secure Login Server Installation with Telnet ..................................... 29 2.3 Secure Login Server Installation with JSPM ...................................... 30 2.4 Secure Login Server Uninstallation .................................................... 33 2.5 Updating the Secure Login Server to SP4 ......................................... 33 2.6 Initial Configuration Wizard ................................................................. 34
2.6.1 Initial Configuration ..................................................................................................... 34 2.6.2 Enable Remote Access for Initial Wizard.................................................................... 49 2.6.3 Configure SSH Tunnel ................................................................................................ 50
3 Administration ................................................................................... 51
3.1 Logon to Administration Console....................................................... 51 3.2 Welcome Page ...................................................................................... 52
3.2.1 Change Password....................................................................................................... 53
3.3 Server Configuration............................................................................ 54

3.3.1 Edit Server Configuration ............................................................................................ 56 3.3.2 Edit Login Type Setting ............................................................................................... 57 3.3.3 Certificate Management .............................................................................................. 58 3.3.4 Trust Store Management ............................................................................................ 70 3.3.5 Certificate Template .................................................................................................... 71 3.3.6 SNC Configuration ...................................................................................................... 78 3.3.7 Message Settings ....................................................................................................... 79 3.3.8 System Check ............................................................................................................. 82 3.3.9 Server Status .............................................................................................................. 83 3.3.10 Sign Certificate Requests ......................................................................................... 84 3.3.11 Console Log Viewer .................................................................................................. 85 3.3.12 Web Client Configuration .......................................................................................... 87
3.4 Instance Management .......................................................................... 92

3.4.1 DefaultServer Configuration ....................................................................................... 92 3.4.2 User-Defined Properties ............................................................................................. 96 3.4.3 Secure Login Web Client Certificate Format .............................................................. 96 3.4.4 Certificate User Mapping Service ............................................................................... 96 3.4.5 Certificate User Name Service ................................................................................... 99
09/2021
3.4.6 Archiving Certificate Requests and Issued Certificates ............................................ 100 3.4.7 Configuring a Distinguished Name with SPNego Login Module .............................. 102 3.4.8 Instance Configuration Client Configuration .......................................................... 103 3.4.9 Instance Configuration Instance Log Configuration ............................................... 113 3.4.10 Instance Configuration Instance Check ............................................................... 118 3.4.11 Instance Configuration Instance Status ............................................................... 119 3.4.12 Create a New Instance ........................................................................................... 120
3.5 Console Users .................................................................................... 124

3.5.1 User Management .................................................................................................... 124 3.5.2 Role Management..................................................................................................... 127 3.5.3 Locked Files Management ........................................................................................ 128
4 Other Configurations ...................................................................... 129

4.1 Configure Login Module .................................................................... 129 4.2 Verify Authentication Server Configuration ..................................... 135 4.3 Create Technical User in SAP Server ............................................... 136 4.4 Mozilla Firefox Support ...................................................................... 136
4.4.1 Install Firefox Extension ............................................................................................ 136 4.4.2 Uninstall Mozilla Firefox Extension ........................................................................... 137
4.5 Customize Secure Login Web Client ................................................ 138 4.6 Configure SSL Certificate Logon ...................................................... 139 4.7 Configure External Login ID .............................................................. 139 4.8 Emergency Recovery Tool ................................................................ 139 4.9 Monitoring ........................................................................................... 143
4.9.1 Web Service Status .................................................................................................. 143 4.9.2 XML Interface ............................................................................................................ 143
4.10 Secure Login Client Policy and Profiles ......................................... 145

4.10.1 Client Policy ............................................................................................................ 145 4.10.2 Applications and Profiles ........................................................................................ 146
4.11 Integrate into Existing PKI ............................................................... 150 4.12 Configuring Secure Login Servers as Failover Servers for High Availability ................................................................................................ 151 4.13 Configuring Login Module Stacks as Failover Servers in SAP NetWeaver ................................................................................................. 153
4.13.1 Configuration of SAP NetWeaver AS Java ............................................................. 154 4.13.2 Configuration of the Secure Login Server .............................................................. 155
4.14 Setting Failover Timeouts of the Login Modules ........................... 156 4.15 Custom Use of Login Module with Login Module Stacks ............. 156
5 Configuration Examples ................................................................. 158

5.1 Kerberos Authentication with SPNego ............................................. 158 5.2 LDAP User Authentication ................................................................ 159 5.3 SAP User Authentication ................................................................... 160 5.4 RADIUS User Authentication............................................................. 161 5.5 Configuring RSA Authentication with RADIUS................................ 162
5.5.1 Configuration of the securid.ini File .......................................................................... 162 5.5.2 Customer-Specific Configuration of the securid.ini File ............................................ 163 5.5.3 Ensuring Encrypted Communication with Shared Secret ......................................... 164
6 Troubleshooting .............................................................................. 165

6.1 Checklist User Authentication Problem ........................................... 165
09/2012
6.2 Secure Login Server SNC Problem ................................................... 166 6.3 Enable Secure Login Server Trace ................................................... 167 6.4 Enable Secure Login Library Trace .................................................. 167 6.5 Secure Login Server Lock and Unlock ............................................. 168 6.6 Access Denied Replies ...................................................................... 169 6.7 Internal Server Message .................................................................... 169 6.8 Error Codes ........................................................................................ 170
6.8.1 Secure Login Server Error Codes ............................................................................. 170 6.8.2 Secure Login Web Client Error Codes...................................................................... 172 6.8.3 SAP Stacktrace Error Codes .................................................................................... 173
7 List of Abbreviations ...................................................................... 176 8 Glossary ........................................................................................... 178
10
09/2021
1 What is Secure Login?

Secure Login is an innovative software solution created specifically to improve user and IT productivity and to protect business-critical data in SAP business solutions through secure Single Sign-On to the SAP environment. Secure Login provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components: Examples: SAP GUI and SAP NetWeaver platform with Secure Network Communications (SNC) Web GUI and SAP NetWeaver platform with Secure Socket Layer SSL (HTTPS) Third party application server supporting X.509 certificates In a default SAP setup, users enter their SAP user name and password into the SAP GUI logon screen. SAP user names and passwords are transferred through the network without encryption. To secure networks, SAP provides a Secure Network Communications interface (SNC) that enables users to log on to SAP systems without entering a user name or password. The SNC interface can also direct calls through the Secure Login Library to encrypt all communication between the SAP GUI and SAP server, thus providing secure single sign-on to SAP. Secure Login allows you to benefit from the advantages of SNC without being forced to set up a Public Key Infrastructure (PKI). Secure Login allows users to authenticate with one of the following authentication mechanisms:

Microsoft Windows domain (Active Directory Server) RADIUS server LDAP server RSA SecurID token SAP NetWeaver server Smart Card authentication
If a PKI has already been set up, the digital user certificates of the PKI can also be used by Secure Login. Secure Login also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) with SSL.
09/2012
11
1.1 System Overview

Secure Login is a client/server software system integrated with SAP software to make single sign-on, alternative user authentication, and enhanced security easy for distributed SAP environments. The Secure Login solution includes the following components:
Secure Login Server Central service that provides X.509v3 certificates (out-of-the-box PKI) to users and application servers. The Secure Login Web Client is also provided. Secure Login Library Crypto library for the SAP NetWeaver ABAP system. Secure Login Library supports both X.509 and Kerberos technology. Secure Login Client Client application that provides security tokens (Kerberos and X.509 technology) for a variety of applications. You do not necessarily need to install all components. This depends on the use case. For further information about Secure Login Client and Secure Login Library see the corresponding Installation, Configuration and Administration Guide.
The Secure Login Client is split into the following variants: Secure Login Client Secure Login Client can either be used with an existing public key infrastructure (PKI) or together with the Secure Login Server. You can use it for certificate-based authentication without being obliged to set up a PKI. The stand-alone Secure Login Client can use the following authentication methods: - Smart Cards and USB tokens with an existing PKI certificate Secure Login Server and Authentication Server are not necessary. - Microsoft Crypto Store with an existing PKI certificate Secure Login Server and Authentication Server are not necessary. - Microsoft Windows credentials The Microsoft Windows domain credentials (Kerberos token) can be used for authentication. The Microsoft Windows credentials can also be used to receive a user X.509 certificate with Secure Login Server. - User name and password (several authentication mechanisms) The Secure Login Client prompts the user for a user name and a password and uses these credentials for authentication at the Secure Login Server to receive an X.509 certificate for the user. All of these authentication methods can be used in parallel. A policy server provides authentication profiles that specify how to log on to the desired SAP system. Secure Login Web Client This client is based on a Web browser (Web GUI) and is part of the Secure Login Server. The Secure Login Web Client has the same authentication methods as the standalone Secure Login Client, but with the following limited functions: - Limited integration with the client environment (interaction required) - Limited client policy configuration
12
09/2021
1.2 System Overview with Security Token

The Secure Login Client is integrated with SAP software to provide a single sign-on capability and enhanced security. An existing PKI structure or Kerberos infrastructure can be used for user authentication.
Main System Components

The following figure shows the Secure Login system environment with the main system components if an existing PKI or Kerberos infrastructure is used.
PKI Infrastructure Smart Card, USB Token Microsoft Crypto Store
Secure Login Client
Security Token
SAP GUI Web GUI
Kerberos Infrastructure Kerberos Token
SAP NetWeaver Platform Secure Login Library
Authentication and secure communication

Kerberos
Figure: Secure Login System Environment with Existing PKI and Kerberos The Secure Login Client is responsible for the certificate-based authentication and Kerberosbased authentication to the SAP application server.
Authentication Methods
In a system environment without Secure Login Server, the Secure Login Client supports the following authentication methods:

Smart Card and USB tokens with an existing PKI certificate Microsoft Crypto Store (Certificate Store) Kerberos token
09/2012
13
Workflow for X.509 Certificates

The following figure shows the principal workflow and communication between the individual components.
PKI Infrastructure Smart Card, USB Token Microsoft Crypto Store 4 Security Token
Secure Login Client
2
Client maps SNC name to authentication profile
1 Start connection and get SNC name SAP NetWeaver Platform Secure Login Library
3 Unlock Security Token
5
Client provides certificate to SAP GUI application 6 Authentication and secure communication
Figure: Principal Workflow 1. 2. 3. 4. 5. 6. Upon connection start, the Secure Login Client retrieves the SNC name from the desired SAP server system. The Secure Login Client uses the authentication profile for this SNC name. The user unlocks the security token by entering the PIN or password. The Secure Login Client receives the X.509 certificate from the user security token. The Secure Login Client provides the X.509 certificate for SAP single sign-on and secure communication between SAP Client and SAP Server. The user is authenticated and the communication is secured. Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto engines. The Crypto Service Provider (CSP) from SAP is such a plug-in. It provides the user keys to all CAPI-enabled applications.
14
09/2021
Workflow for Kerberos Token

Figure: Principal Workflow Kerberos Authentication 1. 2. 3. 4. 5. Upon connection start, the Secure Login Client retrieves the SNC name (Service Principal Name) from the respective SAP server system. The Secure Login Client starts at the Ticket Granting Service a request for a Kerberos Service token. The Secure Login Client receives the Kerberos Service token. The Secure Login Client provides the Kerberos Service token for SAP single sign-on and secure communication between SAP Client and SAP server. The user is authenticated and the communication is secured.
09/2012
15
1.3 System Overview with Secure Login Server

The main feature of the Secure Login Server is to provide an out-of-the-box PKI for users and application server systems (for example, SAP NetWeaver). Users receive short term X.509 certificates. For the application server, long term X.509 certificates are issued. Based on the industry standard X.509v3, the certificates can be used for non-SAP systems as well. In order to provide user certificates, the user needs to be authenticated (verified by the Secure Login Server). Therefore the Secure Login Server supports several authentication server systems.
Main System Components

The following figure shows the Secure Login system environment with the main system components.
Figure: Secure Login System Environment The Secure Login Client is responsible for the certificate-based logon to the SAP application server and encryption of the SAP client/server communication. The Secure Login Server is the central server component that connects all parts of the system. It enables authentication against an authentication server and provides the Secure Login Client with a short term certificate. The Secure Login Server is a pure Java application. It consists of a servlet and a set of associated classes and shared libraries. It is installed on an SAP NetWeaver application server. The Secure Login Server provides client authentication profiles to the Secure Login Client, which allows flexible user authentication configurations (for example, which authentication type should be used for which SAP application server).
16
09/2021
Authentication Methods
Secure Login supports several authentication methods. It uses the Java Authentication and Authorization Service (JAAS) as a generic interface for the different authentication methods. For each supported method, there is a corresponding configurable JAAS module. The following authentication methods are supported:

Microsoft Active Directory Service (ADS) RADIUS RSA SecurID token LDAP SAP ID-based logon SAP NetWeaver AS Java User Management Engine SAP NetWeaver AS Java SPNego
Workflow with X.509 Certificate Request

Figure: Principal Workflow 1. 2. 3. Upon connection start, the Secure Login Client gets the SNC name from the desired SAP server system. The Secure Login Client uses the client policy for this SNC name. The Secure Login Client receives the user login credentials.
09/2012
17
4. 5. 6. 7. 8. 9.
The Secure Login Client generates a certificate request. The Secure Login Client sends the user credentials and the authentication request to the Secure Login Server. The Secure Login Server forwards the user credentials to the authentication server and receives a response indicating whether the user credentials are valid or not. If the user credentials are valid, the Secure Login Server generates a user certificate (certificate response) and provides it to the Secure Login Client. Secure Login Client provides the certificate to SAP GUI. The user certificate is used to perform an authentication, single sign-on, and secure communication between SAP client and server.
1.4 Instances
The Secure Login instances feature allows multiple instances running on the same server. The main advantage of using instances is that the time spent on maintaining Secure Login is reduced to a minimum. Secure Login Server instances can use a common user CA certificate for one or more instances, or you can set an individual user CA certificate (PKI) for each instance. The Secure Login Client authentication profiles can be configured to use different Secure Login Server instances for different authentication methods.
Figure: Instances Examples
It is still possible to use several Secure Login Servers and/or authentication servers for failover. The Secure Login Server can connect to more than one authentication server.
18
09/2021
1.5 PKI Structure

There are different integration scenarios available for Secure Login Server.
Out-of-the-Box PKI Secure Login Server

Secure Login Server provides standard X.509 certificates for users (short term) and application server (long term). The following out of the box PKI structure can be delivered with the Secure Login Server.
Figure: Secure Login Server PKI Structure
PKI Integration
As the Secure Login Server is based on industry standard X.509v3, it is possible to integrate the Secure Login Server to an existing PKI. The required minimum is to provide a user CA certificate to the Secure Login Server.
Figure: Secure Login Server Integration with an Existing PKI
09/2012
19
1.6 Secure Communication

The goal of the Secure Login solution is to establish secure communication between all required components:
Figure: Secure Communication
Technology Used for Secure Communication

Technology used for secure communication From SAP GUI Business Explorer Business Client Web GUI Secure Login Client Secure Login Server Secure Login Server Secure Login Server To SAP NetWeaver SAP NetWeaver SAP NetWeaver SAP NetWeaver Secure Login Server LDAP Server SAP NetWeaver RADIUS Server Security Protocol / Interface DIAG/RFC (SNC) DIAG/RFC (SNC) DIAG/RFC (SNC), HTTPS HTTPS (SSL) HTTPS (SSL) LDAPS (SSL) RFC (SNC) RADIUS (shared secret)
20
09/2021
1.7 Policy Server Overview

Secure Login Client configuration is profile-based. You can configure the application contexts to provide a mechanism for automatic application-based profile selection. The system then searches the application contexts for specific personal security environment universal resource identifiers (PSE URIs). If no matching PSE URI is found, a default application context that links to a default profile can be defined. The application contexts and profiles are stored in the Microsoft Windows Registry of the client. You define these parameters in the XML policy file.
Figure: Default Application Context and Profile
09/2012
21
1.8 Secure Login Web Client

Secure Login Web Client is a feature of the Secure Login Server. It is a Web-based solution for the authentication of users in Web browsers (in portal scenarios) on a variety of platforms and for launching SAP GUI with SNC security. You also use it for authentication against SAP NetWeaver Web Application Server. This means that the client is no longer limited to Microsoft Windows, but Mac OS X, and Linux-based client systems can be used as well. Another use case is providing short term certificates to external employees (for example, to external consultants). The following main features are available:

Browser-based authentication (including all authentication server support) Support for SAP GUI for Microsoft Windows and SAP GUI for Java Certificate store support for Microsoft Internet Explorer and Mozilla Firefox browser URL redirect X.509 authentication support to SAP Web application server Localization and customization of HTML pages and applet messages
Differences between Secure Login Client and Secure Login Web Client:
With Secure Login Client the required security library is available. With Secure Login Web Client the security library needs to be downloaded in a Web browser application. With Secure Login Client, the authentication process and secure communication can be triggered on demand (for example, in SAP GUI). The Secure Login Web Client triggers an authentication process and secure communication. After the authentication process, the Secure Login Web Client starts the SAP GUI.
1.8.1 Export Restrictions

At the start of the Secure Login Web Client, it transfers components that are required for authentication and for a secure network connection from the server to the client. The Secure Login Web Client contains components with cryptographic features for authentication and for a secure server/client network connection. Under German export control regulations, these components are classified with ECCN 4D003. If server and client are not located in the same country a transfer takes place that requires compliance with applicable export and import control regulations. If the Secure Login Server and the Secure Login Web Client are installed in different countries, you are obliged to make sure that you abide by the export and import regulations of the countries involved.
22
09/2021
1.8.2 Setting User Environment Variables

You want to enable the Secure Login Web Client to perform authentication and create local credentials that are used by SAP GUI on Microsoft Windows platforms. To enable SAP GUI to use the credentials you need to set user environment variables. The Secure Login Web Client normally sets the following user environment variables for the process when it starts SAP GUI directly after an authentication: CREDDIR = %USERPROFILE%\sapsnc\ SNC_LIB = %USERPROFILE%\sapsnc\secgss.dll SSF_LIBRARY_PATH = %USERPROFILE%\sapsnc\secssf.dll
Use Case
The Secure Login Web Client is configured to perform authentication and create local credentials without starting an SAP GUI, for example, if the login process is embedded in a silent Web client. SAP GUI is started later, for example, with an SAP shortcut from the SAP Enterprise Portal. In this case the user environment variables SSF_LIBRARY_PATH, SNC_LIB, and CREDDIR must be set globally.
Solution
To enable the Secure Login Web Client to set the environment variables globally, an administrator has to make sure that the file userenv.registry exists in the following directory: \SecureLoginServer\servlet_jsp\SlsWebClient\root\DownloadPacks\WIN32 After that, SAP GUI is able to read the environment variable because SAP GUI starts later. If userenv.registry is available, the user environment variables CREDDIR, SNC_LIB, and SSF_LIBRARY_PATH are globally set by the Secure Login Web Client.
1.8.3 Web Client Security Features

The following features are designed to improve security of the Secure Login Web Client: Forced use of HTTPS at the initialization of the Secure Login Web Client SAP-signed Secure Login Web Client JAR package to protect SNC libraries PKI check before storing in Microsoft Certificate store (for Microsoft Windows only)
Forced Use of HTTPS

At the initialization the Secure Login Web Client applet and the Secure Login Server are forced to connect with HTTPS. With HTTPS passwords are transported in a secured way during authentication. The trust relationship is established in the trust store of the browser. If someone tries to bypass HTTPS, the connection is terminated, and an error occurs.
09/2012
23
SAP-Signed Secure Login Web Client JAR Package to Protect SNC Libraries
To make sure that the files on the server and on the client are not manipulated, an SHA-256 checksum is in place. It prevents a manipulation of the SNC libraries on the side of the client and of the server. The SAP signature in the JAR file of the Secure Login Web Client applet protects the SHA256 checksums against manipulation attempts. This makes sure that the SNC libraries are identical with those delivered in the Secure Login Server package. During a download of a Secure Login Web Client package there is a check of the local files that verifies whether the native SNC libraries have already been downloaded even before the package is written to the hard disk. If the verification of the checksum fails, the files are deleted, and new files are downloaded from the server.
PKI Check before Storing in Microsoft Certificate Store

This section only refers to Microsoft Windows operating systems. To avoid that already valid enrolled keys and certificates are being overwritten with invalid ones from an untrustworthy Secure Login Server, the system performs a PKI check before keys and/or certificates are stored or overwritten in the Microsoft certificate store and in the local PSE file. To enable a PKI check, you must set a trust anchor by importing the root CA from the user CA of the Secure Login Server in the Microsoft Trusted Root Certification Authorities before you can use the Secure Login Web Client.
24
09/2021
2 Secure Login Server Installation

This chapter describes how to install Secure Login Server. The installation can be done using the Telnet application or with the Software Delivery Tool.
2.1 Prerequisites
This chapter describes the prerequisites and requirements for the installation of Secure Login Server. The SAP NetWeaver Application Server must be up and running.
Hardware Requirements
Secure Login Server Hard disk space Random-access memory Details 50 MB of hard disk space HDD space for log files 1 GB RAM at minimum
Software Requirements
Secure Login Server Application server Details SAP NetWeaver CE 7.2 SAP NetWeaver 7.3 Enhancement package 1 for SAP NetWeaver 7.3 The Secure Login Library installation is optional and required for SAP user authentication only. The Secure Login Library will be used to establish secure communication to SAP NetWeaver Application Server ABAP to verify SAP credentials. For operating system support see the Installation, Configuration and Administration Guide of the Secure Login Library.
Optional: Secure Login Library
Secure Login Web Client Operating systems
Details Microsoft Windows 7, Vista, XP (32-bit) SUSE Linux Enterprise Desktop 11 Mac OS X 10.5, 10.6 SUN Java 1.6 or higher browser plug-in
Java
For more information, see the Product Availability Map of SAP NetWeaver Single Sign-On 1.0.
09/2012
25
Supported Authentication Servers

Secure Login Server LDAP server system SAP server system RADIUS server system Details Microsoft Active Directory System 2003, 2008 openLDAP SAP NetWeaver Application Server ABAP 6.20 or higher version RSA Authentication Manager 6.1 and 7.1 freeRADIUS Microsoft Network Policy and Access Services (NPA) Microsoft Internet Authentication Service (IAS) BasicPasswordLoginModule
SAPNetWeaver AS Java User Man agement Engine (UME)
2.1.1 Secure Login Library

The Secure Login Library installation is optional and is required for SAP NetWeaver Application Server user authentication only. The Secure Login Library is used to establish secure communication to SAP ABAP server and to verify SAP credentials. Keep in mind that there are different Secure Login Library software packages available depending on the desired operating system. This document describes the installation for Microsoft Windows and Linux operating system.
Secure Login Library for Microsoft Windows Operating System

Step 1 Copy Library Files
Copy the Secure Login Library software for Microsoft Windows to the target SAP NetWeaver Application Server and extract the file SECURELOGINLIB.SAR with the SAPCAR command line tool to the following folder. sapcar xvf <source_path>\SECURELOGINLIB.SAR R <ASJava_installation>\exe\ Example sapcar xvf D:\InstallSLS\SECURELOGINLIB.SAR R D:\usr\sap\ABC\J00\exe\
26
09/2021
Check if the folder <ASJava_installation>\exe, which is used by Secure Login Library, is included in the Java library path. Verify the Java Library Path (libpath) in the trace file <ASJava_installation>\work\dev_jstart.
Step 2 Environment Variable SECUDIR

Set the system environment variable SECUDIR to the following directory: SECUDIR=<ASJava_installation>\sec Example SECUDIR=D:\usr\sap\ABC\J00\sec
Step 3 Verify Secure Login Library

To verify the Secure Login Library, use the snc command:
<ASJava_installation>\exe\snc.exe
Example D:\usr\sap\ABC\J00\exe\snc.exe
As a result, you get further information about the Secure Login Library. The test is successful if the version is displayed.
Figure: Verify Secure Login Library with the Command snc
Step 4 Restart SAP NetWeaver Application Server

In an installation under Microsoft Windows, restart the SAP NetWeaver Application Server because the environment variable SECUDIR does not takes effect unless you perform a restart.
09/2012
27
Secure Login Library for Linux Operating System

Step 1 Copy Library Files
Copy the Secure Login Library software for Linux to the target SAP NetWeaver Application Server and extract the file SECURELOGINLIB.SAR with the SAPCAR command line tool to the following folder. sapcar xvf <source_path>/SECURELOGINLIB.SAR R <ASJava_installation>/exe/ Example sapcar xvf /InstallSLS/SECURELOGINLIB.SAR R /usr/sap/ABC/J00/exe
Check if the folder <ASJava_installation>/exe, which is used by Secure Login Library, is included in the Java library path. Verify the Java library path (libpath) in the trace file <ASJava_installation>/work/dev_jstart.
Step 2 Define File Attributes

To use shared libraries in a shell, it is necessary to set the file permission attributes with the following command: chmod +rx <ASJava_installation>/exe/snc lib* Example chmod +rx /usr/sap/ABC/J00/exe/snc lib*
Step 3 Define File Owner

Grant access rights to the user account that is used to start the SAP application (for example, <SID>adm). Change to the folder <ASJava_installation>/exe/ and use the following command: chown [OWNER]:[GROUP] * Example chown abcadm:sapsys *
Step 4 Verify Secure Login Library

To verify the Secure Login Library use the snc command (with user <SID>adm):
<ASJava_installation>/exe/snc
Example /usr/sap/ABC/J00/exe/snc
28
09/2021
As a result; further information about the Secure Login Library should be displayed. The test is successful if the version is displayed.
Figure: Verify Secure Login Library with the snc Command
2.2 Secure Login Server Installation with Telnet

1.) Copy the file SECURE_LOGIN_SERVER00_0.sca to the target SAP NetWeaver Application Server. 2.) Start a Telnet session. telnet localhost 5<instance_number>08 Example telnet localhost 50008
3.) Deploy the Secure Login Server package. deploy <source>\SECURE_LOGIN_SERVER0SP_0.sca Microsoft Windows Example deploy D:\InstallSLS\SECURE_LOGIN_SERVER0SP_0.sca The Secure Login Server application will be started automatically. Start the initial configuration described in section 2.6 Initial Configuration Wizard.
List of Useful Telnet Commands

List of useful telnet commands Action Deploy Application Undeploy Application List Application Command deploy SECURE_LOGIN_SERVER0SP_0.sca undeploy name=SecureLoginServer vendor=sap.com list_app | grep SecureLoginServer
09/2012
29
Stop Application Start Application
stop_app sap.com/SecureLoginServer start_app sap.com/SecureLoginServer
2.3 Secure Login Server Installation with JSPM

1.) Copy the file SECURE_LOGIN_SERVER0SP_0.sca to the target SAP NetWeaver Application Server. The target folder location is \\localhost\sapmnt\trans\EPS\in Microsoft Windows <drive>\usr\sap\trans\EPS\in Linux /usr/sap/trans/EPS/in
2.) Start the JSPM application (SAP Software Delivery Tool) on SAP NetWeaver Application Server. Microsoft Windows <ASJava_Installation>\j2ee\JSPM\go.bat Linux <ASJava_Installation>/j2ee/JSPM/go 3.) Log on to SAP NetWeaver AS Java with a user with administration privileges.
30
09/2021
4.) Choose the New Software Components option.
5.) Select sap.com/SECURE_LOGIN_SERVER.
09/2012
31
6.) Start the deployment process.
7.) After the deployment finishes, exit the JSPM application.
32
09/2021
2.4 Secure Login Server Uninstallation

This chapter describes how to uninstall Secure Login Server. Uninstall the Secure Login Server in Telnet. 1.) Start a Telnet session. telnet localhost 5<instance_number>08 Example telnet localhost 50008 2.) Stop the Secure Login Server application. stop_app sap.com/SecureLoginServer 3.) Undeploy the Secure Login Server package. undeploy name=SecureLoginServer vendor=sap.com To keep the configuration files after an uninstallation, the system leaves the following folder remains on your hard disk: Microsoft Windows <INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\ Linux /usr/sap/<SID>/SYS/global/SecureLoginServer/
2.5 Updating the Secure Login Server to SP4

In SAP Note 1660519 you find a description that tells you how to update the Secure Login Server to a higher SP. You see the current version number of the Secure Login Server in the parameter Server Build. For example, 1.0.4.x.x stands for SP4 (see 3.3.9 Server Status). After the installation, restart the system. During the installation, the following files are deleted: config.properties file userenv.registry Make a backup of these files before you execute an installation. After the installation, copy the files to the relevant directories. For more information about userenv.registry, see 1.8.2 Setting User Environment Variables.
09/2012
33
2.6 Initial Configuration Wizard

After the deployment of Secure Login Server an initial configuration is required. For security reasons, the initial configuration of the Secure Login Server can be performed on local host only (same server computer on which the Secure Login resides). If, however, you want to perform the initialization and configuration from a remote location, you must manually enable this feature by editing the Secure Login web.xml file. For more information, see section 2.6.2 Enable Remote Access for Initial Wizard. If a GUI (for example, Linux without X-Win) is not available, use an SSH localhost tunnel configuration for accessing the wizard. For re information, see section 2.6.3 Configure SSH Tunnel.
2.6.1 Initial Configuration

This section describes the initial configuration of the Secure Login Server. Before starting the Initial Configuration Wizard, verify that the Secure Login Server application is running. Start the initial configuration using the browser URL: http://localhost:5<instance_number>00/securelogin
Welcome Page
In the welcome page a prerequisite check is performed. Verify all prerequisites. If everything is OK, choose Continue.
Figure: Initial Configuration Wizard Welcome Page
34
09/2021
Key File for Encryption of Server Credentials

The key file is a file on the server with random content and is used to secure password information in configuration files. You can use any kind of file type which is larger than 32 bytes. You must create or copy the file to the desired location on the server and define it in this configuration step. There is a check whether the key file is available. Define the location of the key file. Example: D:\usr\sap\ServerKeyFile\KeyFile.txt
Figure: Initial Configuration Wizard Key file for server credentials encryption Keep in mind that, in case the key file is changed or not available, it is not possible to log on to the Secure Login Administration Console. The Secure Login Server does not work anymore and is locked. After the configuration, choose Next to continue.
09/2012
35
Administrator Account
Define the password for the administration user Admin.
Figure: Initial Configuration Wizard Administrator Account Entries marked with * are mandatory.
Passwords used in Secure Login Server are restricted by the password policy definition. Passwords cannot be empty Passwords must have a length between 8 to 20 characters Passwords must contain at least one uppercase letter Passwords must contain at least one lowercase letter Passwords must contain at least one digit Passwords must contain at least one special character After the configuration, choose Next to continue.
36
09/2021
Create Root CA Certificate

Define the parameter for the root CA certificate.
Figure: Initial Configuration Wizard Create Root CA Entries marked with * are mandatory.
Option Create a Root CA by providing certificate information
Details Common Name* Enter the common name of the certificate (CN). Example: Root CA SAP Security Organization Unit Enter the division of the company in this field (OU). Example: SAP Security Department Organization Enter the company name in this field (O). Example: Company xyz Locality Enter the regional information in this field (L). Example: Walldorf Country Enter the country abbreviation in this field (C). Example: DE Subject Alternative Names (DNS)
09/2012
37
Enter the subject alternative names in this field. Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local Encryption Key Length Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits). Valid From* Enter the date from when the validity of this certificate starts (format: YYYY-MM-DD). Valid To* Enter the date when the validity of this certificate ends (format: YYYY-MM-DD). Password* In this field you enter the password for this certificate. The password length is limited to 20 characters. Save Password If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date. Confirm Password* Confirm the encryption password entered in the field above. Import an Existing Key Store File This option only appears if the parent certificate is imported. Checking this option displays the following options:
KeyStore File* Click Browse to locate and load an existing KeyStore file (File Format is: *.pse). Password* The password for the KeyStore (PSE) file. Save Password If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date. Skip this certificate Check this option if you do not want to or do not need to enter any information for this specific certificate at this time. Check this option if you do not want to or do not need to enter information for any certificate at this time. This means you skip all the PKI certificates including the Root CA, SSL CA, SSL Server, and User CA certificates. You can create or add certificate information at a later time in the Certificate Management function of the Administration Console.
Skip all PKI certificates
38
09/2021
After the configuration, choose Next to continue.
Select the SSL Certificate Generation Type

Choose an option for the SSL certificate.
Figure: Initial Configuration Wizard Select the SSL Certificate Generation Type It is possible to install or import SSL certificates later on using the administration console Certificate Management. For more information, see section 3.3.3 Certificate Management.
Option Generate an SSL certificate using the Secure Login Administration Console Skip all SSL certificates
Details The SSL certificates for the SAP NetWeaver Application Server (or other Web application server) are created using the Secure Login Administration Console. Check this option if you do not want to or do not need to enter information for SSL certificates at this time.
After having chosen an option configuration, choose Next to continue.
09/2012
39
Create SSL CA Certificate

This step is optional and is only available if the option Generate an SSL certificate using the Secure Login administration console was chosen.
Figure: Initial Configuration Wizard Create SSL CA Information Entries marked with * are mandatory.
Option Create a SSL CA by providing certificate information
Details Common Name* Enter the common name of the certificate (CN). Example: SSL CA SAP Security Organization Unit Enter the division of the company in this field (OU). Example: SAP Security Department Organization Enter the company name in this field (O). Example: Company xyz Locality Enter the regional information in this field (L). Example: Walldorf Country Enter the country abbreviation in this field (C). Example: DE Subject Alternative Names (DNS)
40
09/2021
Enter the subject alternative names in this field. Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local Encryption Key Length Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits). Valid From* Enter the date when the validity of the certificate starts (format: YYYY-MM-DD). Valid To* Enter the date when the validity of the certificate ends (format: YYYY-MM-DD). Password* Enter the password for this certificate in this field. The password length is limited to 20 characters. Save Password If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date. Confirm password* Confirm the encryption password entered in the field above. Import an Existing Key Store File The system displays this parameter if the SSL CA and the root CA have been imported. If you create them anew, this parameter is not visible. Checking this option displays the following options:
KeyStore File* Click Browse to locate and load an existing Key Store File (file format: *.pse). Password* The password for the KeyStore (PSE) file. Save Password If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date. Skip this certificate Check this option if you do not want to or do not need to enter any information for this specific certificate at this time.
09/2012
41
Create SSL Server Certificate

This step is optional and is only available if you chose the option Generate an SSL certificate using the Secure Login administration console.
Figure: Initial Configuration Wizard SSL Server Information Entries marked with * are mandatory.
Option Create an SSL server by providing certificate information
Details Common Name* Enter the common name of the certificate (CN). Example: Alias Server Name Organization Unit Enter the division of the company in this field (OU). Example: SAP Security Department Organization Enter the company name in this field (O). Example: Company xyz Locality Enter the regional information in this field (L). Example: Walldorf Country Enter the country abbreviation in this field (C). Example: DE Subject Alternative Names (DNS) Enter the alternative name in this field. Typically this
42
09/2021
is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local Encryption Key Length Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits). Valid From* Enter the date when the validity of the certificate starts (format: YYYY-MM-DD). Valid To* Enter the date when the validity of the certificate ends (format: YYYY-MM-DD). Password* In this field, you enter the password for this certificate. The password length is limited to 20 characters. Save Password If this checkbox is activated, this password will be stored. This means that you do not need to remember the password when editing this certificate at a later date. Confirm Password* Confirm the encryption password entered in the field above. Import an Existing Key Store File The system displays this parameter if the SSL CA and the root CA have been imported. If you create them anew, this parameter is not visible. Checking this option displays the following options:
KeyStore File* Click Browse to locate and load an existing KeyStore file (file format: *.p12). Password* The password for the KeyStore file. Save Password If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date. Skip this certificate Check this option if you do not want or do not need to enter any information for this specific certificate at this time.
09/2012
43
Create User CA Certificate

Define the parameter for the user CA certificate.
Figure: Initial Configuration Wizard User CA Information Entries marked with * are mandatory.
Option Create a user CA by providing certificate information
Details Common Name* Enter the common name of the certificate (CN). Example: User CA SAP Security Organization Unit Enter the division of the company in this field (OU). Example: SAP Security Department Organization Enter the company name in this field (O). Example: Company xyz Locality Enter the regional information in this field (L). Example: Walldorf Country Enter the country abbreviation in this field (C). Example: DE Subject Alternative Names (DNS)
44
09/2021
Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local Encryption Key Length Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits). Valid From* Enter the date when the validity of the certificate starts (format: YYYY-MM-DD). Valid To* Enter the date when the validity of the certificate ends (format: YYYY-MM-DD). Password* In this field you enter the password for this certificate. The password length is limited to 20 characters. Save Password If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date. Confirm Password* Confirm the encryption password entered in the field above. Import an Existing Key Store File The system displays this parameter if the SSL CA and the root CA have been imported. If you create them anew, this parameter is not visible. Checking this option displays the following options:
KeyStore File* Click Browse to locate and load an existing KeyStore file (file format: *.pse). Password* The password for the KeyStore (PSE) file. Save Password If this checkbox is activated, this password will be stored. This means that you do not need to remember the password when editing this certificate at a later date. Skip this certificate Check this option if you do not want or do not need to enter any information for this specific certificate at this time.
09/2012
45
Define Server Configuration

Define the parameters for the User Certificate Configuration and Application Information. The other configuration parameters are read-only (for verification reasons).
Figure: Initial Configuration Wizard Server Configuration Entries marked with * are mandatory.
Option User Certificate Configuration
Details DN.country Enter the country abbreviation in this field (C). Example: DE DN.locality Enter the regional information in this field (L). Example: Walldorf DN.organization Enter the company name in this field (O). Example: Company xyz DN.organizationalUnit Enter the division of the company in this field (OU). Example: SAP Security Department ValidityMinutes* Information for a temporary certificate: The period of time (in minutes) that the user certificate is valid.
46
09/2021
Application Information
ServerHostName FQDN name or IP address of this server. This parameter is used for the client policy definition and can be used for centrally changing the server host name and the server port in the instance configuration of the Secure Login Server. ServerPort Port of this server. This parameter is used for the client policy definition and can be used for central change. AuthConfigPath Authentication server configurations file for the Secure Login Server. PseName The user CA key store file path. If you created a user CA in the previous step, the file path is shown here. DailyLogDir In this log path the user authentication information for the default instance is logged. (for example, the user authentication was successful) MonthlyLogDir In this log path the instance information for the default instance is logged. (for example, the default instance was started successful) AdminConsoleLogDir In this log path the admin console information for the Secure Login Administration Console is logged. (for example, the default instance configuration was changed) LockDir The path to which the lock file is saved. A lock file is created when the server encounters an internal error that requires manual intervention.
Authentication Server Configuration (read-only) Secure Login User CA Key Store (read-only) Log Configuration (read-only)
Setup Review
Verify the action points and choose the Finish pushbutton to complete the initial wizard configuration.
09/2012
47
Figure: Initial Configuration Wizard Setup Review
Finish Setup
After successful setup configuration this page appears. Restart the Secure Login Server application.
Figure: Initial Configuration Wizard Congratulations Use the Telnet application to stop and start the Secure Login Server application (for more information, see section 2.2 Secure Login Server Installation with Telnet). Another possibility in the Microsoft Windows environment is to use the SAP Management Console (sapmmc) application. Under AS Java Components, choose the application sap.com/SecureLoginServer and restart the application.
48
09/2021
Microsoft Windows SAP Management Console

In Microsoft Windows environment the SAP Management Console (sapmmc) can be used to restart the Secure Login Server application. Mark the application sap.com/SecureLoginServer and choose the option Restart (right-click option).
Figure: SAP Management Console (sapmmc)
2.6.2 Enable Remote Access for Initial Wizard

This configuration step is optional and is only required if you want to perform the initial configuration from a remote computer. For security reasons we recommend performing the initial configuration on the local host (same server computer on which the Secure Login Server resides). In the configuration file web.xml, change the value to true for the parameter remoteAccess.
web.xml <init-param> <param-name>remoteAccess</param-name> <param-value>true</param-value> </init-param>
The configuration file web.xml is available in the following place: Microsoft Windows <ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\se rvlet_jsp\securelogin\root\WEB-INF\web.xml Linux <ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/se rvlet_jsp/securelogin/root/WEB-INF/web.xml It is required to restart the Secure Login Server application.
09/2012
49
2.6.3 Configure SSH Tunnel

This configuration step is optional and belongs to the Linux environment if no GUI is available. The localhost configuration can be performed using for example, PuTTY Configure the following parameter and choose Add. Example: SSH tunnel configuration in PuTTY Parameter Source Port Destination Value 5<instance_number>00 localhost:5<instance_number>00 Example: 50000 Example: localhost:50000
After the SSH tunnel configuration, log on to this connection and perform the initial configuration. For more information, see section 2.6 Initial Configuration Wizard.
50
09/2021
3 Administration
3 Administration
This chapter describes the configuration parameters in Secure Login Server.
3.1 Logon to Administration Console

To open the administration console, enter the following URL in a Web browser: Communication Unsecured Secured URL http://<IP/FQDN>:5<instance_number>00/securelogin https://<IP/FQDN>:5<instance_number><https_port>/securelogin
You find the https port in the SSL setting of the SAP NetWeaver configuration. The port number is usually 50001 (corresponds to 01 in the table above). The logon page appears.
Figure: Administration Console Logon Page Enter your administration user name (for example, Admin) and your password. Authentication type Local Login External Login Details Default user name/password combination authenticated in the administration console database. User name/password combination authenticated in the authentication server database set in the JAAS module. Example: You can use the Microsoft Active Directory user database for logging on to the Secure Login Server administration console. For more information about the configuration, see section 3.3.2
09/2012
51
3 Administration
Authentication type
Details Edit Login Type Setting.
3.2 Welcome Page

After successful logon, the welcome page appears. This page also appears when you click on Home.
Figure: Administration Console Welcome Page The administration console interface allows you to easily configure the server to your needs. The main area is split into three panes:
The top left-hand pane lists any tasks that have yet to be performed. For example, Connection must be HTTPS refers to the missing SSL connection between the console and the Secure Login Server, or Server needs to be restarted informs you that the configuration has been changed, and you need to restart the Secure Login Server application for it to take effect. The bottom left-hand pane is the main navigation tree. For easy reference, each node represents tasks that can be performed within the Secure Login Server framework. The right-hand pane displays the details of any node selected in the left-hand pane. In the top right-hand corner there are three entries that appear on every page in the console: Change Password This allows you to change the password for the current administrator/user account. Logout Use this link to logout of the console. The login page will reappear (see previous page).
52
09/2021
3 Administration
About Click this to view version information about the console. You may be asked to re-enter your user name and password if you leave the administration console for a long time. The default console timeout is 10 minutes.
3.2.1 Change Password

This section describes how to change the account password for the administration console. 1. Choose Change Password in the title bar on any page. 2. The following dialog box appears:
Figure: Change Password 3. Enter the current password into the Old Password field. 4. Enter and confirm the new password into the fields New Password and Confirm New Password respectively. 5. Click OK
The user admin is a permanent user that has the role super user and cannot be deleted. As a consequence, the admin user can log on to the system regardless of state (when a serious system error occurs), making sure that there is at least one user who can always access Secure Login to correct or configure the system.
09/2012
53
3 Administration
3.3 Server Configuration

This section describes the server configuration page of the administration console. The Server Configuration page allows you to do the following:

View the server configuration. Edit some of the server parameters.
Choose the Server Configuration node in the left-hand pane of the administration console. The following page appears:
Figure: Administration Console - Server Configuration
The following options can be viewed on this page:
54
09/2021
3 Administration Option Edit Details/Value Click Edit to change the Administration Console Description, Trace Configuration, and Client Configuration. For more information, see section 3.3.1 Edit Server Configuration. The description of this administration console. The current types of authentication available for log on to the administration console. The configuration can be changed using the button Edit Login Type. For more information, see section 3.3.2 Edit Login Type Setting. The current JAAS module used for External Login authentication to the Administration Console. For further information see section 3.3.2 Edit Login Type Setting. The authentication configuration file used by this server. This configuration is for information purposes only. The Trust Store file (TrustStore.jks) used by this server.
Description Console Login Type
External Login JAAS Module
The Authentication File Path (read-only) Trust Certificates Storage File (read-only) Console Log Directory (read-only) Console Log Prefix (read-only) Enable Server Trace
The directory in which the console log file is located. The file prefix for the console log file. Enable Secure Login Server trace to provide extended traces. true Trace enabled false Trace enabled Default value is false. Path where the lock files are written. A lock file is generated if something went wrong with the Secure Login Server. In this case the Secure Login Server is locked. The host name or IP of the computer from which the console is being used for the Secure Login Client policy configuration (for all client policy URLs). The port of this computer from which the console is being used for the Secure Login Client policy configuration (for all client policy URLs). We recommend that you use an HTTPS (SSL) port. The directory in which the credentials are stored for the Secure Login Library. The directory where native libraries are stored for the Secure Login Library.
Path to the Server Lock File (read-only) Host Server Domain Name Port
CREDDIR (read-only) NativeLibraryPath (read-only)
09/2012
55
3 Administration
3.3.1 Edit Server Configuration

Use the Edit button and the following page appears.
Figure: Administration Console Edit Server Configuration The following options can be set: Option Description Enable Server Trace Details/Value Here you can personalize the description for the administration console. true Write trace messages to the application server trace file (defaultTrace_*.log). false Do not write trace messages to the application server trace file. The host name or IP of the computer from which the console is being used. The port of the computer from which the console is being used. We recommend that you use an HTTPS (SSL) port.
Host Server Domain Name Port
Once you have changed any option, click Save to return to the Server Configuration page.
56
09/2021
3 Administration
3.3.2 Edit Login Type Setting

Use the Edit Login Type button, and you get to the page that allows you to configure, delete, or add the following login types: Local Login Default user name/password combination authenticated with the administration console database. External Login User name/password combination authenticated in the authentication server database set in the JAAS module. If this option is used, select the appropriate JAAS module in the External Login Jaas Module combo box. 1. To add a login option to the administration console login page, proceed as follows: 2. Select a login type from the All Login Type field and choose >>Add. As a consequence, it appears in the Current Login Type field. 3. Use the Up and Down buttons to move a login option up or down and thus define its priority. 4. To delete a login option from the administration console login page, select a login type from the Current Login Type field and choose <<Delete. 5. Choose Save to confirm any changes. Several login modules are available. Available Login JAAS Module Login Module SPNegoLoginModule SecureLoginModuleLDAP SecureLoginModuleRADIUS SecureLoginModuleSAP BasicPasswordLoginModule Remarks Uses Kerberos/SPNego. This is the default setting of the Secure Login Server. Uses LDAP server or MS-ADS server system. Uses RADIUS server. Uses SAP NetWeaver Application Server. Uses for direct authentication with user name and password. It is configured in the SAP NetWeaver Administrator and UME provides users.
Due to technical restrictions, only the following login modules can be used in the field External Login JAAS Module: SecureLoginModuleLDAP SecureLoginModuleRADIUS SecureLoginModuleSAP
Choose Save to confirm any changes.
09/2012
57
3 Administration
3.3.3 Certificate Management

This section describes the Certificate Management page of the administration console. The Certificate Management page allows you to do the following:

Create certificates View certificates Export certificates Import certificates
What I have to do first is making a decision: Do I want the Secure Login Server to create and manage one or more public key infrastructures, or is there an existing company PKI that is supposed to be used on top. Both is possible, even a mixture of it. You may want to have one Secure Login Server PKI below your enterprise PKI and two others independently created by Secure Login Server. However, due to the high flexibility of Secure Login Server, it is no problem to add, replace, or delete PKIs at any time. Choose the Certificate Management node from the tree in the left-hand pane. The following page appears:
Figure: Administration Console Certificate Management
Option PKI Tree
Details One or more tree views of independent PKIs. One DefaultPKITree named Root CA SAP Security is available here. Define a display name for the new PKI and create a top-level Certification Authority (Root CA).
Create New Root CA
58
09/2021
3 Administration
Certificate Information
Common Name Common name of the selected certificate. Path File path of the selected certificate file. Save Password Password protection status of the selected certificate file. Mapping to Instance List of all instances and selections that are supposed to use this user CA. This option is available for user CAs only.
More Details [PKI Information] [CA Operations]
Further details of the X.509 certificate Displays the name of the PKI structure Selects the Certification Authority of a PKI for further management operations. Issue Creates a new Certification Authority of this type (USER_CA, SAP_CA or SSL_CA). Change Password Changes password of selected CA Remove Password Removes password of selected CA. A password must be given for each following management operation of this CA. Exports the selected certificate. Export Type Chooses the export type for the certificate. Possible export types: .crt, .p12, .pse or *.jks. New Password Defines the password of the exported certificate file. This option is not available if you choose the export type .crt. Imports the key store into the certificate list. Note: Only PSE files can be imported. PKI Name Displays the name of the new PKI the certificate belongs to. The following special characters are not supported:
~`!@#$%^&*()_-+= }{:"?><,./;'[]\|
[Export Certificate]
[Import New PKI]
[Selection List] The selection list allows you to associate the type of CA of the certificate. Each type can be associated only once.
09/2012
59
3 Administration
Browse Opens a file browser to select the certificate file. Open Password Password that protects the certificate file Save Password Allows you to save the password in the configuration file.
Create New PKI

Use this function to create a new internal PKI that has its own root CA certificate. Enter a display name for the new PKI, for example NEW PKI and choose Create New Root CA.
Define the certificate parameters for the new root CA certificate and choose Create.
Entries marked with an asterisk(*) are mandatory. The new PKI should be available in the PKI tree.
60
09/2021
3 Administration
Import New PKI

Use this function to create a new PKI that uses external CA certificates. This way it is also possible to create a PKI without having the issuing root CA stored inside the Secure Login Server. 1. Enter a display name for the new PKI, for example, ImportPKI. 2. Select the type of CA that shall be imported, for example, ROOT_CA. 3. Choose Browse to open a file browser. Locate and open the PSE file. 4. Enter the password for the PSE file in the field Open Password. 5. As an option, you can choose to save the password. 6. Choose the Import pushbutton to complete.
The imported PKI should be available in the PKI tree.
09/2012
61
3 Administration
Create SAP CA Certificate

Use this function to create an SAP CA certificate. 1. Choose on the Root CA certificate in the PKI tree list. 2. Select the certificate type SAP_CA in [CA Operations]. 3. Choose on the Issue pushbutton and define the certificate parameters.
Figure: Administration Console Create SAP CA Certificate
Entries marked with an asterisk(*) are mandatory.
Option Create SAP_CA Subject Information
Details Common Name* Enter the common name of the certificate (CN). Example: SAP CA SAP Security Organization Unit Enter the division of the company in this field (OU). Example: SAP Security Department Organization Enter the company name in this field (O). Example: Company xyz Locality Enter the regional information in this field (L).
62
09/2021
3 Administration
Example: Walldorf Country Enter the country abbreviation in this field (C). Example: DE Subject Alternative Names (DNS) Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local Encryption Key Length Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits). Valid From* Enter the date when the validity of the certificate starts (format: YYYY-MM-DD). Valid To* Enter the date when the validity of the certificate ends (format: YYYY-MM-DD). Password* In this field you enter the password for this certificate. The password length is limited to 20 characters. Save Password If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date. Confirm Password* Confirm the encryption password entered in the field above.
Create SAP Server Certificate

Use this function to create a certificate for the SAP NetWeaver Application Server (AS). 1. Choose on the SAP_CA certificate in the PKI tree list. 2. Select in [CA Operations] the certificate type SAP_Server. 3. Choose the Issue pushbutton and define the certificate parameters.
Entries marked with an asterisk (*) are mandatory.
Option Specify the parameters of the SAP Server Certificate
Details Common Name* Enter the common name of the certificate (CN). Example: SAP SID Organizational Unit
09/2012
63
3 Administration
Enter the division of the company in this field (OU). Example: SAP Security Department Organization Enter the company name in this field (O). Example: Company xyz Locality Enter the regional information in this field (L). Example: Walldorf Country Enter the country abbreviation in this field (C). Example: DE Subject Alternative Names (DNS) Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local Encryption Key Length Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits). Valid From* Enter the date when the validity of this certificate starts (format: YYYY-MM-DD). Valid To* Enter the date when the validity of this certificate ends (format: YYYY-MM-DD). Password* Enter the password for this certificate in this field. The password length is limited to 20 characters. Confirm Password* Confirm the encryption password entered in the field above. Save password to file If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
64
09/2021
3 Administration
Create SNC Certificate

Use this function to create a certificate for the SNC connection to SAP NetWeaver Application Server (AS). Using this certificate the Secure Login Server establishes a secure communication with the SAP NetWeaver AS to verify SAP user credentials. 1. Choose on the SAP_CA certificate in the PKI tree list. 2. Select the certificate type SNC_CERT in [CA Operations]. 3. Choose the Issue pushbutton and define the certificate parameters.
Figure: Administration Console Create SNS Certificate
Option Create SNC_CERT Subject Information
Details Common Name* Enter the common name of the certificate (CN). Example: SLSSNC Organizational Unit Enter the division of the company in this field (OU). Example: SAP Security Department Organization Enter the company name in this field (O). Example: Company xyz Locality
09/2012
65
3 Administration
Enter the regional information in this field (L). Example: Walldorf Country Enter the country abbreviation in this field (C). Example: DE Subject Alternative Names (DNS) Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local Encryption Key Length Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits). Valid From* Enter the date when the validity of this certificate starts (format: YYYY-MM-DD). Valid To* Enter the date when the validity of this certificate ends (format: YYYY-MM-DD). Password* In this field, you enter the password for this certificate. The password length is limited to 20 characters. Confirm Password* Confirm the encryption password entered in the field above. Save password to file If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
66
09/2021
3 Administration
Create Login Certificate

Use this function to create a login certificate for the Secure Login administration console. The Secure Login Administrator establishes a certificate based login to the Administration Console. 1. Choose on the SAP_CA certificate in the PKI tree list. 2. Select the certificate type LOGIN_CERT in [CA Operations]. 3. Choose the Issue pushbutton and define the certificate parameters.
Option Create LOGIN_CERT Subject Information
Details Common Name* Enter the common name of the certificate (CN). Example: Username Organizational Unit Enter the division of the company in this field (OU). Example: SAP Security Department Organization Enter the company name in this field (O). Example: Company xyz Locality Enter the regional information in this field (L). Example: Walldorf Country Enter the country abbreviation in this field (C). Example: DE (for Germany) Subject Alternative Names (DNS) Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local Encryption Key Length Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits). Valid From* Enter the date when the validity of this certificate starts (format: YYYY-MM-DD). Valid To* Enter the date when the validity of this certificate ends (format: YYYY-MM-DD). Password* In this field you enter the password for this certificate. The password length is limited to 20 characters.
09/2012
67
3 Administration
Confirm Password* Confirm the encryption password entered in the field above. Save password to file If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date. Subject Alternative Names (E-mail)* To map a certificate to a user, use this field. For more information, see section 4.6 Configure SSL Certificate Logon. Example: LoginCert_Admin
This login certificate needs to be imported into a browser application. Therefore export this certificate in *p12 format and import it to your browser application. In addition, it is required to assign this login certificate to a user (user mapping). For more information, see section 4.6 Configure SSL Certificate Logon.
Export Certificate
Use this function to export any kind of certificate in the PKI list. 1. Choose on a desired certificate in the PKI tree list, for example Root CA SAP Security. 2. Select the Export Type, for example .pse. 3. Define the password of the exported certificate file. 4. Choose the Export pushbutton to save the file to the desired location.
Option Export Type
Details .pse Exports the certificate in PSE format. This file includes all keys and all certificates of the complete certificate chain. .crt Exports the public certificate information. .p12 Exports the certificate in P12 format. This file includes all keys and all certificates of the complete certificate chain used. .jks Exports the certificate in Java Key Store format.
68
09/2021
3 Administration
Import Certificate
If a certificate entry in the list is grayed out, it means this certificate is not present. Use the import function to load a new certificate. 1. 2. 3. 4. 5. Choose on a desired certificate in the PKI tree list, for example SAP_CA. Choose Browse to open a file browser. Locate and open the PSE file. Enter the password for the PSE file in the field Open Password. As an option, you can choose to save the password. Choose the Import pushbutton to complete your import.
Imported certificates need to be part of the PKI structure. A trust relation to an existing root CA certificate, when available, is required. In case the desired certificate has no trust relation to the root CA certificate, the error message Trust connection cannot be established with ROOT CA appears.
09/2012
69
3 Administration
3.3.4 Trust Store Management

The Trust Store is used to declare a certificate as coming from a trusted source and can be used with Secure Login Server. You can use this page to view the Trust Store file content, export a certificate, delete a certificate, and add new certificates. Typically the following certificates are installed in the Secure Login Server Trust Store:

SSL CA Certificate (public certificate). This certificate is used to verify the SSL connection in the option Server Status. LDAPS CA Certificate (public certificate). This certificate is used to establish secure communication to the LDAP server. Depending on the PKI structure, it may be necessary to import the certificate chain.
Figure: Administration Console Trust Store Management
Option Certificate Alias* Certificate Location
Details Alias for the imported certificates. The certificate location. Select one of the following locations (this causes the third option to change accordingly): Local Host* The path to a certificate in the local file system PublicURL* Certificate available via a public URL Adds the certificate information to the Trust Store.
Add to Trust Store
70
09/2021
3 Administration
Delete
Use this button to remove the selected certificate from the Trust Store (only visible if a certificate has been added to the Trust Store). Use this button to export the selected certificate from the Trust Store (only visible if a certificate has been added to the Trust Store).
Export
Changes in Trust Store require a restart of the SAP NetWeaver Application Server.
3.3.5 Certificate Template

This section describes the Certificate Template page of the administration console. Use the functionality on this page to perform any certificate template-related task. Choose the Certificate Template node in the left-hand pane of the administration console. The following page appears:
Figure: Administration Console Certificate Template Management
The default template cannot be deleted, changed, or exported. The Mapping option is only available if an additional certificate template is available.
Option Template Name Add Copy Edit Delete Mapping
Details Templates created by the user and available for use are listed here. Per default the default template is available. Adds a new certificate template. This takes you to the template creation page. Duplicates the selected template. This takes you to the template creation page Edits a selected template. This takes you to the template creation page. Deletes a template selected in the list. Maps any template to another.
09/2012
71
3 Administration
Export
Exports a template as an XML file. If you select more than one template for export, all of the templates are incorporated into a single XML file. Imports templates found on the local machine/network to the list.
Import
Add a New Certificate Template

This section describes how you create a new certificate template. Click the Add button and the following information appears:
Figure: Administration Console New Certificate Template
Entries marked with * are mandatory.
Option Template Name* SubjectKeyIdentifier AuthorityKeyIdentifier CertificatePolicies
Details The unique template identifier Use this option to identify the specific public key used in an application. Use this option to identify the public key corresponding to the private key that is used to sign a certificate. This option indicates the policy under which the certificate has been issued and the purposes for which the certificate may be used.
72
09/2021
3 Administration
Checking this option will open a mandatory field for the CertificatePolicies.OID (enter the ID and choose Add).
KeyUsage
The key usage extension defines the purpose of the key contained in the certificate. DigitalSignature Use when the public key is used with a digital signature mechanism to support security services other than nonrepudiation, certificate signing, or CRL signing. Digital signatures are often used for entity authentication and data origin authentication with integrity. NonRepudiation Use when the public key is used to verify digital signatures used to provide a non-repudiation service. Non-repudiation protects against the signing entity falsely denying some action (excluding certificate or CRL signing). KeyEncipherment Use when a certificate is used with a protocol that encrypts keys. An example is S/MIME enveloping where a fast (symmetric) key is encrypted with the public key from the certificate. SSL protocol also performs key enciphering. DataEncipherment Use when the public key is used for encrypting user data, other than cryptographic keys. KeyAgreement Use when the sender and receiver of the public key need to derive the key without using encryption. This key can be used to encrypt messages between the sender and receiver. Key agreement is typically used with Diffie-Hellman ciphers. KeyCertSign Use when the subjects public key is used for verifying a signature on public key certificates. If the keyCertSign is asserted, the CA bit in the basic constraints extension must also be asserted. CrlSign Use when the subject public key is used for verifying a signature on certificate revocation list. CrlSign must be asserted in certificates that are used to verify signatures on CRLs. EncipherOnly Use only when key agreement is also enabled. This enables the public key to be used only for enciphering data while performing key agreement. DecipherOnly Use only when key agreement is also enabled. This enables the public key to be used only for deciphering data while performing key agreement.
09/2012
73
3 Administration
For more information about standard certificate extensions, see http://www.ietf.org/rfc/rfc3280.txt ExtendedKeyUsage This option defines the extended purpose of the key contained in the certificate. Example SNC/SSF Client Certificate: KeyUsage DigitalSignature NonRepudiation KeyEncipherment DataEncipherment ExtendedKeyUsage ClientAuthentication Example SNC Server Certificate: KeyUsage DigitalSignature NonRepudiation KeyEncipherment DataEncipherment For more information about standard certificate extensions, see http://www.ietf.org/rfc/rfc3280.txt BasicConstraints This option defines whether the subject of the certificate is a Certification Authority and how deep a certification path may exist through that Certification Authority. Checking this option will open the following sub-options:
Is critical? If you select this option, the basic constraints parameter is required in the certificate for communication to be successful. Is CA? This option defines whether the subject of the certificate is a Certification Authority. When you select this option, the Path Length field opens. Enter the number of levels for which the constraints are valid.
Private Extensions
Add a user-specific extension to the template. Choose Add and open the Create Private Extension input page:
74
09/2021
3 Administration
Extension Name* The unique name for this extension Base64/DER Encoded Data* The content of the private extension in Base64 or DER format Add Adds the information from the fields above to the certificate template (this will also take you back to the Create Certificate Template page). Cancel Cancels the Create Private Extension configuration step. Reset Cancel Clears the fields of any entries. Cancels the Create Certificate Template configuration step.
For more information about standard certificate extensions, see http://www.ietf.org/rfc/rfc3280.txt
09/2012
75
3 Administration
Mapping Certificate Template

This section describes how you can map certificate templates to server instances (user certificates) or SAP server certificates. Choose the desired template name and choose the Mapping button.
Figure: Administration Console Certificate Template
The default template cannot be deleted, changed, or exported. The Mapping option is only available for the default template if another certificate template is available.
Figure: Administration Console Certificate Template Mapping Option SAP Server Certificate User Certificate Details Assigns the certificate template that is used to create SAP server certificates. Assigns the certificate template to an instance used for creating user certificates.
To confirm any changes, choose Save.
Export Certificate Template

This section describes how to export certificate templates as an XML file.
76
09/2021
3 Administration
Choose the desired template and choose the Export button.
Figure: Administration Console Export Certificate Template Option [List Box] Details Selected Template Exports the selected certificate template. All Templates Exports all certificate templates. Executes the export procedure. Cancels the export procedure.
Export Cancel
Import Certificate Template

This section describes how to import certificate templates into the Certificate Template Management page. Choose the Import button.
Figure: Administration Console Import Certificate Template Option Browse Import Cancel Details Opens a file browser to locate a certificate template XML file. Executes the import procedure. Cancels the import procedure.
09/2012
77
3 Administration
3.3.6 SNC Configuration

This section describes the preparation required for Secure Login Server to run with SAP ID authentication. This configuration step is optional and is only required if you want to integrate SAP ID authentication. The SNC certificate is used to establish a secure communication to the desired SAP NetWeaver ABAP system. This secure communication is used to verify SAP User Authentication.
The installation of the Secure Login Library (described in the Installation, Configuration, and Administration Guide of the Secure Login Library) is a prerequisite. Two options are available to define the SNC certificate: Import P12 File Import from Console (Certificate Management)
Import P12 File

If you use the setup type From Local, choose the Browse button and select the desired P12 file. Define the password and choose the Upload button to install the SNC certificate.
Figure: Administration Console SNC Configuration Option From Local
Import from Console

The prerequisite for this option is that a SNC certificate (certificate type SNC_CERT) has been created in Certificate Management. For more information, see section 3.3.3 Certificate Management. Select the desired SNC certificate and choose the Upload button to install the SNC certificate.
78
09/2021
3 Administration
Figure: Administration Console SNC Configuration Option: From Console
3.3.7 Message Settings

This section describes the Message Settings page of the Administration Console. The message settings are used to relate to specific server messages to the Secure Login Client. The Message Settings page allows you to do the following:

View currently available message language files Create a new message language file Edit a message language file
The following table contains the names of the message language files: Message File Name serverMsg.properties serverMsg_de.Properties serverMsg._en.Properties serverMsg_fr.Properties serverMsg_ja.Properties serverMsg_pt.Properties serverMsg_ru.Properties serverMsg_zh_CN.Properties Language Template for translation German English French Japanese Portuguese Russian Chinese
The fallback message file is serverMsg_en.properties. This message file is used if the required language is not available. The language for the fallback scenario is English.
Create a Message File

Choose the Add button to create a new message language file.
09/2012
79
3 Administration
Figure: Administration Console Create Message File Choose the desired language and choose the Create New File button. In this example the newly chosen language is Afrikaans. In this case, the name of the message file is serverMsg_af.properties. The predefined language for the new message file is English and needs to be translated to the required language. The file format is defined as: ServerMsg_<language_abbreviation>.properties
Edit a Message File

Choose the relevant message file and choose the Edit button.
Figure: Administration Console Edit Message File
80
09/2021
3 Administration
To confirm any changes, choose Save. To disable a server message, delete the message text. Example: If the message Authentication process completed should be disabled, delete the message text for the parameter AUTH_RESULT_ACTION_OK_MSG.
Message Format Configuration Option

The message format can either be plain text or rich text. Rich text messages are contained in a body element. You can use the following codes: Code <body>message</body> \r\n <b>text</b> <any color=red>text<any> <a href=URL>anchor</a> Details The whole rich text message has to be enclosed in body start and end tags. Inserts a line break. Uses bold formatting for text. Uses the color red for text (red is the only color supported). Inserts a link to the destination URL with the link text anchor.
File Location of the Message Files

The server messages file are available in the following locations: Microsoft Windows <INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\classes Linux /usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/classes
09/2012
81
3 Administration
3.3.8 System Check

This section describes the System Check page of the Administration Console. This feature displays the status of the system configuration (whether the components necessary for Secure Login functionality are currently available). This function is similar to the initial wizard page (prerequisite check).
Figure: Administration Console System Check Option Authentication Configuration General System Checks Details Configuration of the authentication Files and Folder Are read/write permissions to file system available? SAP Cryptolib Checks the JavaSDK of the Secure Login Server. IAIK SDK Checks for the location of the IAIK SDK and displays the version number. Create PKCS#12 File Checks if a P12 certificate format can be created. Create PSE File Checks if a PSE certificate format can be created. JRE Crypto Policy Checks if Java JCE is enabled. Checks if there are any missing or invalid certificates
PKI Structure
82
09/2021
3 Administration
SAP ID Check
SAP SNC Runtime Checks if Secure Login Library is installed and configured. SAP JCO Runtime Checks whether the SAP JCO can be found. Server Name Check Checks Instance Names and Instance IDs. TrustStore Check the Java Trust Store used by Secure Login Server.
Server List Trust Store
3.3.9 Server Status

The option Server Status provides server status information.
Figure: Administration Console Server Status
Criteria Date Version Uptime
Details Current date and time information Version of the Secure Login Server Kernel The amount of time the Server has remained active and running
09/2012
83
3 Administration
Instance ID Configuration URL Configuration Status Lock Status
Info: Server Instance File location of the Secure Login Server configuration file Configuration.properties. Integrity Check of the Secure Login Server Status Lock Status = No The Secure Login Server is not locked. Everything is OK and the server is up and running. Lock Status = Yes The Secure Login Server is locked meaning that it has encountered a problem. In this case, check the server information pane in the top left of the screen for tasks that still need to be performed as well as the log files for possible problems. An Unlock button appears next to the table entry (provided that the administrator role has the necessary permissions). Once you have resolved any problems, choose the Unlock button to reset the Lock Status. Verifies the status of the Secure Login Server Java Servlet. Secure Login Server Version
Secure Login Servlet Status Server Build
If the error message Cannot connect to the server using the SSL connection. Import the server's certificate into the Trust Store is displayed, add the SSL CA certificate (public certificates) to Trust Store of the Secure Login Server. For more information, see section 3.3.4 Trust Store Management.
3.3.10 Sign Certificate Requests

This section describes how to submit a certificate request to the Secure Login Server Certification Authority in the administration console. As an example scenario, a PSE or P12 could be generated on the SAP server side. On the SAP server, a certificate request is created and sent to the Secure Login Server. The Secure Login Server signs the certificate request and sends back a certificate response which is recorded in the SAP server.
84
09/2021
3 Administration
Figure: Administration Console Sign Certificate Requests
Option Base-64 Encoded Certificate Request (PKCS #10)
Details The content of the certificate request in Base64 encoding format. Use the option Browse for a file to insert to import a certificate request file. Use the button Read to import. Another option is to copy and paste the content of the certificate request to the Saved Request field. Define the period of time for which the certificate is valid. Select DER or PEM encoding type, a certificate response should be generated. If needed, select the desired certificate template. The default certificate template is used for the SAP environment. Choose the desired CA certificate; the certificate request should be signed. The certificate reply is generated, and you are asked to store the certificate reply file.
Validity Period of Certificate* Certificate Encoding Type Certificate Template
Issuer Sign Certificate
3.3.11 Console Log Viewer

This section describes the Administration Console logging functionality. The log entries apply only to the administration actions performed in the Administration Console.
09/2012
85
3 Administration
Figure: Administration Console Console Log Viewer
This page displays all of the tasks performed using the Administration Console since logging began. This page allows you to do the following:

Select a period of time to view with the Log Month combo box. Export log files to a *.csv file format with the Export Logs function. This entry is only visible if log entries are present.
The monthly table contains the following information about the administration tasks: Option Date Time Code Level Details The date the task was performed. The time the task was performed. The internal message code of the task performed. An abbreviated description of the message level. Possible message levels: INF Information ERR Error WAR Warning The name of the user/administrator that performed the action. A quick description of the action, for example EDIT or OTHER. The server instances to which the action was directed A description of the message/task
User Action Server Description
86
09/2021
3 Administration
3.3.12 Web Client Configuration

This section describes the configuration settings for the Secure Login Web Client. The Web Client Configuration is separated in three tabs:

Properties Configuration In this section, you can configure the Secure Login Web Client profiles is performed. Message Settings In this section, you can configure the server messages provided to the Secure Login Web Client. Package Management In this section, you can configure the SNC library for the respective Secure Login Web Client. By default, three packages are available, for Microsoft Windows, Linux and Mac OS X. Note that there are server messages available for Secure Login Client (described in section 3.3.7 Message Settings) and Secure Login Web Client.
Properties Configuration Web Client Application Path

The parameter WebClientConfigPath is read-only and used for verification purposes. This configuration links the Secure Login Server to the Secure Login Web Client application.
Properties Configuration Common Configuration

The Common Configuration section defines the parameters for Secure Login Web Client profile for launching the SAP Logon screen. To configure this profile, choose the Edit button. The following options are available in Common Configuration:
Option PORTALURL
Details URL address for certificate-based login to be called after successful user authentication This option depends on the parameter ACTION. The action to be performed by the Secure Login Web Client after successful user authentication. The following options are available: No action after authentication After successful user authentication, no action is performed. Open Portal After successful user authentication the URL defined in PORTALURL is used. Launch SAP GUI After successful user authentication the SAP GUI
ACTION
09/2012
87
3 Administration
application is started. Both SAP Portal and SAP GUI After successful user authentication the URL defined in PORTALURL is used, and the SAP GUI application is started. SAPLogon.slsinstance ClientLogging Secure Login Server Instance (user authentication method) to be used for Secure Login Web Client. This option determines the logging options: No No Client log file is created and no logging is performed. Temp Client creates a log file for each login session. The log file is deleted when the Secure Login Web Client is closed. Full The client log file is never deleted.
Save your changes. The location of the Secure Login Web Client files depends on the operating system: Microsoft Windows XP C:\Documents and Settings\<user>\sapsnc\ Microsoft Windows Vista / Microsoft Windows 7 C:\Users\<user>\sapsnc\ Mac OS /Users/<user>/sapsnc/ Linux /home/<user>/sapsnc/ You can customize the file location of the Secure Login Web Client. For more information, see section 4.5 Customize Secure Login Web Client.
Properties Configuration SAP Server Management

In SAP Server Management you define the parameters for additional profiles in Secure Login Web Client. This type of profiles is used to log on directly to the desired SAP server system after successful user authentication. Use this section of the page to Add new SAP server configuration, view, and Edit current SAP server configuration and Delete SAP server configuration. To import SAP server configurations from saplogon.ini files, choose the button Upload SAP Server List from File.
88
09/2021
3 Administration
Figure: Administration Console SAP Server Management To create a new SAP server configuration, choose the Add button. The following screen contains the sections and parameters described below. Option SAP GUI for Java Details It is mandatory to fill these four fields. label Profile name. host IP address or FQDN name of the desired SAP server system. port Port of the desired SAP server system sncname SNC name of the desired SAP server system shortcut.Name Identifier used in multi-instance configurations. shortcut.Description The name of the server profile in SAP GUI for Microsoft Windows (in SAPGUI this is the Description field). This is the essential reference to the profile. Secure Login Server instance (user authentication method) to be used for Secure Login Web Client
SAP GUI for Microsoft Windows
The Instance ID this server used
Properties Configuration Platform Configuration

In Platform Configuration you can define the parameter for SAP GUI for Microsoft Windows and SAP GUI for Java is defined. This configuration depends on the operating system. For the operating system Mac OS and Linux, only SAP GUI for Java can be configured. For the operating system Microsoft Windows, SAP GUI for Microsoft Windows and SAP GUI for Java can be configured.
09/2012
89
3 Administration
Figure: Administration Console Platform Configuration Select a platform and choose the Edit button. In this example, the Microsoft Windows platform is shown.
Figure: Administration Console Platform Configuration - Microsoft Windows
Option SAP GUI for Java
Details SAP.start.binary GUI application name for SAP GUI for Java. SAP.logon.binary SAP Logon application name for SAP GUI for Java. SAP.start Path used to locate the SAP applications. Use the Add button to add an additional search path. Use the
90
09/2021
3 Administration
Delete button to remove an existing search path. SAP GUI for Microsoft Windows (This option is only available for Microsoft Windows platforms) SAP.start.win.binary GUI application name for SAP GUI for Microsoft Windows. SAP.logon.win.binary SAP Logon application name for SAP GUI for Microsoft Windows. SAP.start.win Path used to locate the SAP applications. Use the button Add to create an additional search path. Use the button Delete to remove an existing search path. The platforms for which the properties on this page are applicable. The platform name is listed along with the files required by each platform to function correctly.
Supported Operating System
Message Settings
In this section, you can configure the server messages provided to the Secure Login Web Client.
Figure: Administration Console Message Settings
The fallback message file is SNCAppletMessages.properties. This message file is used if the required language is not available. The language for the fallback scenario is English. To disable a server message, delete the message text. To create a new message language file, choose the Add button. To configure an existing message language file, choose the Edit button.
09/2012
91
3 Administration
Package Management
In this section, you can configure the SNC library for the desired Secure Login Web Client. By default, several packages are available, for Microsoft Windows, Linux and Mac OS X. To update or add new files, choose the Upload button.
3.4 Instance Management

In Instance Management, you can define the user authentication mechanism and client policy. The DefaultServer Instance is installed by default with the Secure Login Server and cannot be changed.
3.4.1 DefaultServer Configuration

In the navigation tree, click the folder DefaultServer Configuration. The following screen appears.
92
09/2021
3 Administration
09/2012
93
3 Administration
Figure: Administration Console Instance Management To define the parameters which are described below, use the Edit button. Entries marked with * are mandatory.
Option Authentication Server Configuration
Details Login Module Select the desired user authentication mechanism. The following authentication mechanisms are available: SPNegoLoginModule SecureLoginModuleLDAP SecureLoginModuleRADIUS SecureLoginModuleSAP BasicPasswordLoginModule With the installation of Secure Login Server; Login Modules are installed in SAP NetWeaver. The name of the Login Modules is synchronized with the name of the JaasModule. The default is SPNegoLoginModule. For more information about the configuration of the Login Modules, see section 4.1 Configure Login Module. Policy Configuration Name This is the name of the configured login module stack.
Secure Login User CA Keystore
PseType This parameter is read-only. The key store format is FilePSE. PseName Select the desired User CA for this instance. In this section, you define the Distinguished Name of
User Certificate
94
09/2021
3 Administration
Configuration
the user certificate will be defined. The common name (CN) is calculated by the Secure Login Server using the user credentials. DN.country Enter the country abbreviation in this field (C). Example: DE DN.locality Enter the regional information in this field (L). Example: Walldorf DN.organization Enter the company name in this field (O). Example: Company xyz DN.organizationUnit Enter the division of the company in this field (OU). Example: SAP Security Department ValidityMinutes* Time (in minutes) for which a user certificate is valid. ValidityOffset* Time offset in minutes relative to the server system time for the certificates to start being valid. This parameter is helpful if the client and server time are not in sync. These parameters are read-only and display-only parameters used for generating user certificates. For more information, see section 3.3.5 Certificate Template These parameters are read-only. For more information, see Instance Log Management. LockDir The path to which the lock file is saved. A lock file is created when the server encounters an internal error that requires manual intervention. maxSessionInactiveInterval Specifies the time, in seconds, between client requests before the servlet container will invalidate this session. This is applicable only in challengemode (for example, password change) AdminServletHeader Header text to be displayed on the status page. Header text is used in Server Status and Instance Status. AdminServletTrailer Footer text to be displayed on the status page. Footer text is used in Server Status and Instance Status. Any properties defined by the administrator are configured here. WebClientKeyStoreType Defines the certificate export format for the Secure Login Web Client. The default value is PKCS12.
Certificate Template Configuration
Log Configuration Other Server Configuration
User-Defined Properties
09/2012
95
3 Administration
For more information about possible parameters, see User-Defined Properties section.
Remember to configure the desired Login Module in SAP NetWeaver Administrator. For more information about the configuration of the Login Modules, see section 4.1 Configure Login Module.
3.4.2 User-Defined Properties

User-Defined Properties are used to define additional configuration issues depending on the instance. You can configure the following:
Secure Login Web Client Certificate Format Certificate format used for Secure Login Web Client (see Secure Login Web Client Certificate Format). Certificate User Mapping Service Change the value of the Common Name (CN) field of the user certificate Distinguished Name, based on the user mapping service (see Certificate User Mapping Service). Certificate User Name Service Change the value format of the Common Name (CN) field of the user certificate Distinguished Name, based on the user name service (see Certificate User Name Service). Archiving Directory Create a directory for archiving all certificate requests and issued certificates as files (see Archiving Certificate Request and Issued Certificates). Distinguished Name Change the value of the Distinguished Name by adding domain components to the subject names (see Configuring a Distinguished Name with SPNego Login Module).
3.4.3 Secure Login Web Client Certificate Format

Define the certificate export format for the Secure Login Web Client. In the default instance, the default value is PKCS12. If you create a new instance, you need to define this parameter.
3.4.4 Certificate User Mapping Service

This section describes how to configure the use of an attribute from an LDAP or Microsoft Active Directory Server instead of the user name given by the client. This may be useful if the SAP user names and the authenticated user names (for example, from a Microsoft Windows domain) are not the same. Do not use certificate user mapping together with a configured Distinguished Name with
96
09/2021
3 Administration
SPNego (see 3.4.7 Configuring a Distinguished Name with SPNego Login Module).
Example The Microsoft user name is UserADS and the SAP user name is UserSAP. Without the Certificate User Mapping Service the Secure Login Server would create a user certificate with the Distinguished Name CN=UserADS. If the SAP user name is stored in the Microsoft Active Directory, for example, in the attribute employeeID, the Secure Login Server can read this attribute and create a user certificate with the Distinguished Name CN=UserSAP. This issue will be configured in the Certificate User Mapping Service. The advantage of having the SAP user name in Distinguished Name is easier configuration in the SAP NetWeaver ABAP/JAVA Server environment (user mapping configuration).
If users change their own attributes (for example, through a self-service), and these attributes are used by the user certificate (issued by the Secure Login Server), a situation may occur in which these users are able to assign additional rights to themselves. Thus these users might get rights they are not supposed to have. For this case, we recommend that you implement access restrictions for the change of user attributes.
An AS ABAP uses, for example, certificate-based logon with the users e-mail addresses in the Distinguished Names. The string in the certificate has the following format: CN=employee@company.com This means that the users e-mail address is used for the user mapping in SNC. If an administrator enables the user to change his or her own data, for example, e-mail address, first name, last name etc. through a self-service, this user now has the possibility to enter, for example, his or her managers e-mail address (manager@company.com) as attribute. Since this data is usually maintained centrally, this change would also affect the Secure Login Server. If the certification user mapping feature of the Secure Login Server is configured with the e-mail address as an attribute of the certificate, the user receives a certificate with the Distinguished Name CN=manager@company.com. This user is now able to log on to the AS ABAP as his or her manager.
The prerequisite is that the SAP user name is stored in the LDAP or Microsoft Active Directory system. The Certificate User Mapping Service depends on the Secure Login Server user credential check against the authentication server.
09/2012
97
3 Administration
Figure: Administration Console User-Defined Properties
Parameter LdapReadServers*
Details Number of LDAP servers that are configured here. A numerical value is expected and must be 1 or higher. The given value is used as n to define an ordered list of servers that are called in a fail-over manner. To disable all configured servers, leave this field empty. Connection timeout in seconds LDAP server to be used for retrieving that attribute Example: ldaps://ldapserver.demo.local:636 Define the Base DN of the desired LDAP server Example Microsoft Active Directory: DC=DEMO,DC=LOCAL For Microsoft Active Directory: Full domain name of the LDAP server. The domain name to be appended to the given user name if it is not a User Principle Name. If the name is already in UPN format, the property is ignored. Example: DEMO.LOCAL Define the technical user used to read the LDAP attribute from LDAP or Microsoft Active Directory Server. Example Microsoft Active Directory: SecureLoginLDAP@DEMO.LOCAL Define the password of the technical user used to read the LDAP attribute from LDAP or Microsoft Active Directory Server. Define the LDAP attribute which is used for the common name (CN) of the user certificate Distinguished Name. Example: employeeID
LdapReadTimeoutn LdapReadUrln* LdapReadBaseDNn*
LdapReadDomainn*
LdapReadUsern*
LdapReadPassn*
LdapReadAttributen*
98
09/2021
3 Administration
The value n in the parameter is a counter and is defined depending on the parameter LdapReadServers.
The Secure Login Server is able to verify user credentials and perform Certificate User Mapping on a different server. The prerequisite is that the user name is available on both servers.
3.4.5 Certificate User Name Service

There are two use cases available for configuring the Certificate User Name Service.
SAP user IDs have a maximum length of 12 characters (SAP NetWeaver ABAP environment), which needs to be considered by SNC X.509 certificates. The password length or value can be customized. If user names in the common name (CN) field need a fixed or minimum length, padding can be turned on. Typically this configuration is used if personnel numbers are used.
SAP user IDs have a maximum length of 12 characters (SAP NetWeaver ABAP environment) which needs to be considered by SNC X.509 certificates. The password length or value can be customized.
Figure: Administration Console User-Defined Properties Parameter MaxUserNameLength Details Maximum number of characters that a user name in the common name (CN) field can have. If the given user name is longer, it is cut from the right side. Default value: 12 Example: LongUsernameSAP is cut off to LongUsername with the default settings. If user names in the common name (CN) field need a fixed or minimum length, padding can be turned on. The padding length sets the minimum length of user names. Default value: None The padding character is used to fill user names on the left side if their size is smaller than the configured
UserNamePaddingLength
UserNamePaddingChar
09/2012
99
3 Administration
padding length (UserNamePaddingLength). Default value: None Example: UserNamePaddingLength = 11 and UserNamePaddingChar = 0. The result is ShortName is extended to 00ShortName Typically this configuration is used if personnel numbers are used.
3.4.6 Archiving Certificate Requests and Issued Certificates

If you set the user-defined property ArchivingDir, you can log all certificate requests and the issued certificates as files on a file system, for example for later auditing. The Secure Login Server stores certificate requests (for successful and unsuccessful authentication) and the respective certificates (for successful authentication only) in the archiving directory as Base64-encoded files. The certificate requests are stored as PKCS#10 files, whereas the responses are stored as PKCS#7 files. After having decided to use archiving of certificate requests and responses you must provide a file system with ample space. Exceptions If you use the SPNego login module, the Secure Login Server does not create archive files for invalid or failed authentication attempts because the client does not receive a valid Kerberos ticket. In this case the client does not create a certificate request either. Prerequisites The file system has the required space. For example, in an organization with 1000 employees at minimum 1000 certificate requests occur per day. This amounts to 2000 files (for requests and issued certificates) that are stored every day. A certificate request (about 0.5 KB) and the certificate (about 2.5 KB) have an overall size of about 3 KB. Employees log on and off several times during the day, so the number of files is usually considerably higher (the employees go to meetings, have breaks, or go to other buildings). Procedure To enable the Secure Login Server to store certificate requests and responses in the archiving directory, use the user-defined properties. 1. Go to Instance Management. 2. Choose an instance. The user-defined properties are in the configuration of this instance.
100
09/2021
3 Administration
If you enter ArchivingDir in the default server instance configuration, it is valid for all instances except those where you entered a different archiving directory path. 1. 2. 3. 4. 5. 6. Choose the Edit button. To add a new user-defined property, choose Add. Enter ArchivingDir. Enter a directory path in the input field. Save your entries. Restart the Secure Login Server.
Make sure that you enter a valid path. If the path is invalid, or if there are no write permissions for the Secure Login Server, an Internal server error message occurs when a user logs on, and the instance is locked to prevent a loss of data. Structure of the File Names The file names of the PKCS#10 (for certificate requests) and PKCS#7 files (for certificates) stored in the archiving are generated by the system. Among other things, they identify the SAP system, the user, the time, and the instance of the SAP system. Syntax [<timestamp>][<user_name>][<instance_url>][<SID>_<SAP_instance_numbe r>].ext This is an example of an archived file for a certificate request (PKCS#10 format): Example [20120719153732151][armstrongj][https_10.11.12.13_50001_securelogin_ PseServer_00010][ABC_00].p10 The file names consist of the following elements: File Name Element timestamp Description Timestamp with year, month, day, hours, minutes, seconds, and milliseconds Format: yyyymmddhhmmssmm User name of the user who authenticated or tried to authenticate The instance URL is derived from the URL of the Secure Login Server. An underscore replaces all characters except A to Z, a to z, and 0 to 9. SAP system ID of the Secure Login Server Instance of the SAP system where the Secure Login Server is installed.
user_name
instance_url
SID SAP_instance_number
09/2012
101
3 Administration
ext
File extension: p10 Extension for PKCS#10 files for archived certificate requests. p7c Extension for PKCS#7 files for archived certificates.
For technical reasons, it is not possible to get the user name from an SPNego Kerberos authentication. In this case, the user name of the certificate request (in the PKCS#10 file) is always kerberos_. However, the file name of the respective certificate (PKCS#7 file) contains the correct user name.
3.4.7 Configuring a Distinguished Name with SPNego Login Module

You want to use Secure Login Client, Secure Login Server, and the SPNego login module for certificate enrollment. The users are located in different trusted Microsoft Active Directory domains. Since the user IDs may be identical in the subdomains, the Secure Login Server must ensure that non-ambiguous certificates are issued. Thus it adds the domain components to the subject names. You can use the user-defined property DN for this. It allows you to customize the Distinguished Name of a certificate. Use one of the three following variables for the Distinguished Name: Variable $USERID $UPN $DC Prerequisites You use the SPNego login module in the Secure Login Server. You have a Microsoft Active Directory environment. Description User name only User principal name All domain components
Do not use a configured Distinguished Name together with the certificate user mapping service (see 3.4.2 User-Defined Properties). Procedure 7. Go to Instance Management. 8. Choose the instance for which you want to customize the Distinguished Name. You find the user-defined properties in the configuration of this instance. 9. Choose the Edit button.
102
09/2021
3 Administration
10. To add a new user-defined property, choose Add. 11. Enter DN. Enter the data as required. For example, enter data for common name, organization, and country. See the following examples: Examples Values for DN Result If a user smith@example.com logs on, the following Distinguished Name is used: CN=smith, O=SAP, C=DE CN=smith@example.com, O=SAP, C=DE CN=smith, DC=example, DC=com
CN=$USERID, O=SAP, C=DE CN=$UPN, O=SAP, C=DE CN=$USERID, $DC
Values for DN
Result If there are different users called Smith in two subdomains (one in sub1.example.com and one in sub2.example.com), the following Distinguished Names are used: CN=smith@sub1.example.com CN=smith@sub2.example.com CN=smith, DC=sub1, DC=example, DC=com CN=smith, DC=sub2, DC=example, DC=com
CN=$UPN CN=$USERID, $DC
In addition to this, you can set any valid Distinguished Name attribute as static part of the DN. Values for DN Result With different users called Smith in two subdomains (sub1.example.com and sub2.example.com) CN=smith@sub1.example.com, OU=HR, O=SAP, C=DE CN=smith@sub2.example.com, OU=HR, O=SAP, C=DE
CN=$UPN OU=HR, O=SAP, C=DE
12. Save your entries. 13. Restart the Secure Login Server.
3.4.8 Instance Configuration Client Configuration

This section describes how you can define the client policy and how it is used by the Secure Login Client.
09/2012
103
3 Administration
Client Policy Define the URL of the Secure Login Server; used by the Secure Login Client to retrieve the client policy.
Figure: Administration Console Instance Management - Client Policy
Parameter Policy URL*
Details Network resource (Secure Login Server) from which the latest Secure Login Client policy can be downloaded. Policy URL depends on the instance configuration: ClientPolicy.xml Client Policy defined in the default instance of the Secure Login Server. ClientPolicy.xml&path=000xx Client Policy defined in instance xx (instance number) of the Secure Login Server. Lifetime in minutes for verifying (update) a new client policy. Default is 0 minutes. By default, the Secure Login Client verifies a new client policy during the system startup of the client PC. Network timeout in seconds before the connection is closed if the server does not respond. The default value is 45 seconds. By default the Secure Login Client verifies during a new client policy during the system startup of the client PC. You can use this parameter, to disable this feature. No Secure Login Client updates the client policy at startup.
PolicyTTL*
Network Timeout (seconds)* Disable update policy on startup
104
09/2021
3 Administration
Yes Secure Login Client does not update the client policy at startup. Default value is No. Save Cancel Saves the configuration. Cancels the configuration.
Applications Defines which client profile is used for which SAP server application.
Figure: Administration Console Instance Management - Applications
Parameter Specify the applications action
Details Existing application profiles are handled as configured by action. Clean Deletes all existing profiles in the selected policy key before the given ones are written. Replace Replaces any existing profiles of the same name in the selected policy key with a given one. Keep Keeps any existing profiles of the same name in the selected policy does not write the given one (default). The default value is Clean
Add Application Edit Delete
Adds new application Edits the chosen application. Deletes the chosen application.
09/2012
105
3 Administration
To define the application parameter, choose the Add Application or Edit button.
Figure: Administration Console Instance Management Edit Application
Parameter Application Name* GSS Target Name*
Details Defines a name for this application template. Application specific PSE URI (SAP Server SNC Name) that is matched when a suitable profile is searched. You can use the wildcards * and ?. Examples: SNC/CN=SAP, OU=SAP Security, C=DE SNC/CN=Server*, O=Company xyz Using the value * means that the client profile is used for all SAP servers.
Profile allowFavorite
The name of the client profile to be used for the desired application. Allows the user to select the authentication profile manually in Secure Login Client. No A user cannot select the authentication profile manually in Secure Login Client. Yes A user can select the authentication profile manually in Secure Login Client. The default value is Yes.
Save Clear Back
Saves the configuration. Clears fields (Application Name and GSS Target Name). Goes back to the Client Configuration page.
106
09/2021
3 Administration
Profiles This section describes the configuration of the client profile.
Figure: Administration Console Instance Management - Profiles Parameter You can also specify the profiles action Details Existing profiles are handled as configured by action. Clean Deletes all existing profiles in the selected policy key before the given ones are written. Replace Replaces any existing profiles of the same name in the selected policy key with a given one. Keep Keeps any existing profiles of the same name in the selected policy, does not write the given one (default). The default value is Clean Add Profile Edit Delete Adds a new profile Edits the chosen profile. Deletes the chosen profile.
To define the profile parameter, choose the Add Profile or Edit button. When you add a profile, you get the profile configuration screen that is filled with all the default values. Among them is PSE Type with the value windowslogin and Auto-Enroll set to True. Make sure that you set the values of these parameters according to the login module that is set in the Instance Configuration. For detailed information, see the table below with the parameters.
09/2012
107
3 Administration
Figure: Administration Console Instance Management Edit Profile
Parameter Profile Name* PSE Type
Details Defines a name for this profile template. Authentication type. promptedlogin Using this profile, the user is prompted to enter the user credentials. This applies for the login modules SecureLoginModuleLDAP, SecureLoginModuleSAP, SecureLoginModuleRADIUS, and BasicPasswordLoginModule. windowslogin Using this profile, the user credentials are provided automatically (only available for Microsoft Windows authentication with SPNegoLoginModule). The default value is windowslogin Secure Login Server URL that is used for user authentication and certificate request. Enroll URL depends on the instance configuration. <Server>/securelogin/PseServer Enroll URL defined in the default instance of the Secure Login Server. <Server>/securelogin/PseServer&id=000xx
Enroll URL*
108
09/2021
3 Administration
Enroll URL defined in instance xx (instance number) of the Secure Login Server. To configure further Enroll URLs, use the Add button. This is the failover configuration for the Secure Login Client. If the Secure Login Client establishes a connection to the first Enroll URL, it tries the next Enroll URL, defined here. HttpProxyURL HTTP proxy to be used with enrollment URLs. Only HTTP proxies without authentication and without SSL to proxy are supported. Example: http://example.address.com:8888 Value in seconds for the time in which an enrollment is to be carried out before the certificate expires The default value is 0 Value in seconds until an automatic logout is performed (due to mouse and keyboard inactivity). Possible values: Value -1 No Single Sign-On (SSO). Each SNC connection forces a new login. Value 0 No timeout. SSO without constraints. The default value is 0. Value n Seconds until an automatic logout takes place. The number of successive failed authentications after which automatic re-enrollment is stopped. You can activate the user name and password caching to ensure the automatic re-enrollment of certificates that are going to expire. Possible values: 0: Turn off: Does not re-enroll automatically, does not cache user name and password. A re-enrollment must always be performed manually by the user. >0 (n): Turn on with n tries to succeed: Tries to re-enroll a maximum of n times before either a new certificate is received or the user name and password cache are cleared. The error counter is reset on success. The default value is 0. Key Size NewPinType RSA Key Length. The default value is 1024. Message text value used for messages (change PIN/password) to the Secure Login Client and Secure Login Web Client.
Grace Period
InactivityTimeout
Auto-Reenroll Attempts
09/2012
109
3 Administration
Available values are pin and password. Unique Client ID Network Timeout (seconds) Reauthentication Custom-defined string is displayed in the instance log or can be used for network filtering issues. Network timeout (in seconds) before the connection is closed if the server does not respond The default value is 45 This parameter defines how many logon attempts are permitted with the Secure Login Client logon form before it is closed again. Example with the value 4: The Secure Login Client offers the logon form 4 times (the logons fail, for example, due to wrong credential information) before the logon form is closed. The default value is 0. With this value, the logon form is never closed. The user needs to use the Cancel button to close the logon form. This applies to the SSL Server certificate this checks if the peer host name is given in the Common Name (CN) field of the SSL Server certificate. True Verifies the SSL server host name with the Common Name (CN) field of the SSL Server certificate. False Does not verify the SSL server host name with the Common Name (CN) field of the SSL Server certificate. The default value is False This applies to the SSL server certificate this checks if the peer host name is given in the Subject Alternative Name attribute of the certificate. True Verifies the SSL server host name with the Subject Alternative Name attribute of the SSL Server certificate. False Does not verify the SSL server host name with the Subject Alternative Name attribute of the SSL Server certificate. The default value is False This applies to the SSL server certificate this specifies whether the system checks if the extended key usage ServerAuthentication is defined. True Verify if the extended key usage ServerAuthentication is defined in the SSL server certificate. False Does not verify if the extended key usage ServerAuthentication is defined in the SSL Server certificate.
SSL Host Common Name Check
SSL Host Alternative Name Check
SSL Host Extension Check
110
09/2021
3 Administration
The default value is False User Warning MSIE Turns on/off a warning dialog box that appears after a new certificate has been propagated to the Microsoft Crypto Store. True Turns on a warning dialog box. False Turns off a warning dialog box. Note: Microsoft Internet Explorer must be restarted. The default value is False A user automatically gets an X.509 certificate when the Secure Login Client starts. False: Turn off True: Automatic provisioning of user certificates If pseType is set to windowslogin, user credentials are provided automatically (only applies for Microsoft Windows authentication with SPNegoLoginModule AA). If pseType is set to promptedlogin, the system prompts the users to enter their credentials. This applies for the following login modules: SecureLoginModuleLDAP, SecureLoginModuleSAP, SecureLoginModuleRADIUS, and BasicPasswordLoginModule. If these login modules are initially set, the default is promptedlogin. If, in SP3 or higher, you change the login module type in an existing instance, for example, from SPNegoLoginModule to SecureLoginModuleLDAP, you must manually set the values of the parameters PSE Type and Auto-Enroll to promptedlogin and False. This also applies if you clone an instance or migrate from an old version. Save Clear Cancel Saves the configuration. Clears fields. Cancels the configuration.
Auto-Enroll
Download Files This section describes how to download the relevant Client policy files for the Secure Login Client. Use the files generated with this option, if you want to export the client policy file for the current (active) instance.
09/2012
111
3 Administration
Figure: Administration Console Instance Management Download Files Parameter Client Policy and customer.zip Details If you choose this option, the system asks you which file you want to download.
ClientPolicy.xml Instance profile configuration (Enroll URL) and client policy (Policy URL) in XML format. Customer.zip Registry key that includes the configuration of the client profile (Policy URL). You can use this registry file for the Secure Login Client installation to define where the client profiles can be retrieved. To download the desired file, click it. customerAll.reg Registry Key which includes the configuration of the Client Profile (Policy URL) and the Instance Profiles (Enroll URL). This registry files can be used for the Secure Login Client installation; defining where the client profiles can be retrieved. In addition the instance profiles will be installed. Click on the desired file for download. Downloads the desired file.
Download
Global Client Policy This section describes how to download the relevant client policy files (including all instances) for the Secure Login Client. Use this option if you want to include the complete Secure Login Server configuration including all instances - in the client policy files for the Secure Login Client.
112
09/2021
3 Administration
Figure: Administration Console Instance Management Global Client Policy Parameter Generate Details Use this button to generate the global client policy. All instance client policy configurations are stored in a global client policy file. Registry key that includes the configuration of the client profile (Policy URL). You can use this registry files for the Secure Login Client installation to define where the client profiles of all instances can be retrieved. To download the desired file, click it. Registry key that includes the configuration of the client profile (Policy URL) and the Instance Profiles (Enroll URL). You can use this registry files for the Secure Login Client installation to define where the client profiles of all instances can be retrieved. The instance profiles of all instances are also installed. To download the desired file, click it. Profile configuration (Enroll URL) and client policy (Policy URL) for all instances in XML format.
GlobalCustomer.reg
GlobalCustomerAll.reg
GlobalClientPolicy.xml
If using the Global Client Policy, note that you need to define unique application template names in each instance. Remember to use the Generate button after making changes in instances.
3.4.9 Instance Configuration Instance Log Configuration

This section describes the instance logging functionality. The Instance Log Management provides the following functions:
09/2012
113
3 Administration
Monthly Log Information about the instance. Daily Log Information about the user authentication. Log Analysis Summary of statistical information for the instance. Log Setting Configuration of the log settings. Archive Log Archived logs are shown here.
Monthly Log
Figure: Administration Console Instance Log Monthly Log The Monthly Log table contains the following information: Option Log Month Details To display the log entries from a specific month, select it from the dropdown box. Use the button Export Logs to export the log file in *.CSV format.
Date Time Code Level
The date the task was performed. The time the task was performed. The internal message code of the task performed. An abbreviated description of the message level. Possible message levels are: INF Information ERR Error WAR Warning
114
09/2021
3 Administration
Description
A description of the message/task.
Daily Log
Figure: Administration Console Instance Log Daily Log The Daily Log table contains the following information: Option Log Date Details To display the log entries from a specific date, select it from the dropdown box. Use the button Export Logs to export the log file in *.CSV format.
Time Client DNS/IP View As
Time the user authentication was performed. Custom information defined in the client profile (Unique Client ID) DNS and IP of the client computer from which a user authentication was performed. NOTE: This field only appears if multiple sets of DNS/IP are configured on the admin computer the IP values of one set are displayed. The name of the user that performed the user authentication. A quick description of the action, for example INIT_ACTION or AUTH_ACTION. Description of the user authentication result. Possible results are: ACM_OK User authentication was successful. ACM_ACCESS_DENIED User authentication failed.
User Action Result
09/2012
115
3 Administration
ACM_NEW_PIN_REQUIRED Password/PIN change was requested. ACM_NEW_PIN_REJECTED New password/PIN not accepted. ACM_NEW_PIN_ACCEPTED New password/PIN change was accepted. ACM_NEW_PIN_ACCEPTED New password/PIN change was accepted. OK Initial action was successful INTERNAL_SERVER_ERROR Server error. INVALID_MESSAGE_FORMAT Invalid or incomplete client communication.
Log Analysis You can use the Log Analysis to analyze statistical information about user authentication. To display the statistical information, define the desired start and end date and choose the Analysis button.
Figure: Administration Console Instance Log Log Analysis Log Setting This section describes the log file settings for the instance log management.
116
09/2021
3 Administration
Figure: Administration Console Instance Log Log Setting
Option Maximum Log File Size*
Details The maximum size in gigabytes for the log file directory (all log files). The default value is 1 gigabyte. The maximum size of a log file in megabytes before it is archived. The default value is 10 megabytes. The interval (in days) after which the next log cleanup starts. The default value is 30 days. The interval (in months) after which the next log cleanup starts. The default value is 1 month. Define the period length to be used in Log Analysis. It defines the length of the period from Start Date until End Date. The default value is 30 days. The file prefix for daily logs. This information is read-only. The directory for daily log storage. This information is read-only. The file prefix for monthly logs. This information is read-only. The directory for monthly log storage. This information is read-only.
Maximum Individual File Size* Daily Log Cleanup Interval* Monthly Log Cleanup Interval* Daily Log Analysis Period*
Daily Log Prefix* Directory for Storing Daily Log Files* Monthly Log Prefix* Directory for Storing Monthly Log Files*
09/2012
117
3 Administration
Save Cancel
Save the configuration. Cancel the configuration.
Archived Log This section describes the Archive Log page.
Figure: Administration Console Instance Log Archived Log
Archived Log files are stored in log file directory, defined in Log Setting.
Option Archived File Name Selected
Details The name under which the server has saved the log file(s). A radio button to indicate which file is downloaded.
To download a log file archive, select an archive from the Selected column and choose Download. You are prompted to choose a location. The log files are in ZIP format. To delete a log file archive, select an archive from the Selected column and choose Delete.
3.4.10 Instance Configuration Instance Check

In Instance Check, you can check the Client Policy and PKI Structure for the chosen instance.
Figure: Administration Console Instance Check
118
09/2021
3 Administration
Option Client Policy PKI Structure
Details Checks the correct configuration of client policies and client profiles Checks if there are missing or invalid certificates
3.4.11 Instance Configuration Instance Status

Use this option to display the status of the desired instance.
Criteria Date Version Uptime Instance ID Configuration URL Configuration Status Lock Status
Details Current date and time information. Version of the Secure Login Server Kernel. The amount of time the instance has remained active and running. Chosen instance name File location of the Secure Login Server configuration file Configuration.properties. Integrity check of the Secure Login Server status. Lock Status = No Chosen Instance is not locked. Everything is OK and the Instance is up and running. Lock Status = Yes Chosen Instance is locked, which means it has encountered a problem. In this case, check the server information pane in
09/2012
119
3 Administration
the top left of the screen for tasks yet to be performed as well as the log files for possible problems. An Unlock button appears next to the table entry (providing the administrator role has the necessary permissions). Once you have resolved any problems, choose the Unlock button to reset the Lock Status. Secure Login Servlet Status Server Build Verifies the status of the Instance Java Servlet. Secure Login Server Version
3.4.12 Create a New Instance

This section describes how to create a new instance.
Figure: Administration Console Instance Management To create a new instance, choose the Add button.
Figure: Administration Console Instance Management New Instance Define a name for the new instance and choose the OK button to continue.
120
09/2021
3 Administration
Figure: Administration Console Instance Management New Instance Select the option Create a New Server Instance and choose the OK button to continue.
Figure: Administration Console Instance Management Add New Instance Define the respective parameters (for more information, see section 3.4.1 DefaultServer Configuration). By default, the configuration for Authentication Server Configuration, Secure Login User CA Keystore and User Certificate Configuration, defined in DefaultServer Instance will be reused. If you do not want to re-use this configuration information, deactivate the option Use Default and define your own configuration. For example if you want to define a different user authentication mechanism for this instance, deactivate the option User Default in JaasModule and define a new value.
09/2012
121
3 Administration
After you have performed the configuration, choose the OK button to continue.
Figure: Administration Console Instance Management New Client Policy Define the parameter for the client policy and choose the OK button to continue.
Figure: Administration Console Instance Management New Instance Created The new instance was created and is displayed in the navigation tree. Remember to activate this new instance in Certificate Management (Mapping to Instance). Create New Instance Option (Clone from an existing server instance using this Administration Console) You can use the option Clone from an existing server instance using this Administration Console, to clone an existing instance configuration.
122
09/2021
3 Administration
Figure: Choose Existing Instance Create New Instance Option Migrate from an External Secure Login Server You can use the option Migrate from an External Secure Login Server to choose an existing instance configuration that is available in the file system (for example, a backup file copy of another Secure Login Server).
Figure: Choose Existing Instance from File Backup
09/2012
123
3 Administration
3.5 Console Users

This section describes the Console Users page of the administration console. Use this node to view when an administrator logged on to, or logged off from the administration console.
Figure: Administration Console Console Users
3.5.1 User Management

This section describes the User Management node of the administration console. This node displays a list of the users/administrators registered with the administration console and allows you to add a new user, edit or delete a current user, and assign a role to a user.
Figure: Administration Console User Management
The Admin user cannot be deleted.
Option Add Edit Delete Assign Role
Details Adds a new user. Changes the settings for a selected user in the list. Deletes a selected user from the list. Assigns a role to a selected user in the list.
Add a User To create a new user, choose the Add button.
124
09/2021
3 Administration
Figure: Administration Console Create User Option ID Name Password Confirm Password Disabled Change Password Details User logon name. User display name Defines user password. Confirms user password. If this option is enabled, this user cannot log on to the administration console. This option is only visible when editing a user entry in the list!. Check this option to change the password. This feature uses user information stored in an Authentication Server database for authentication to Secure Login Administration Console. Selecting this option displays the extra option External Login ID. External Login ID Define the user name for the desired Authentication Server database. For more information, see section 4.7 Configure External Login ID. This feature enables certificate-based logon to the Secure Login Administration Console. Selecting this option displays the extra option External Login ID. Certificate Login ID For user mapping, the Subject Alternative Name (RFC822 name) attribute of the logon certificate is used. The value of the Subject Alternative Name is verified with the value defined in Certificate Login ID. For more information, see section 4.6 Configure SSL Certificate Logon. Saves the configuration. Cancels the configuration.
External Login
SSL Certificate Login
Save Cancel
09/2012
125
3 Administration
Passwords used in the Secure Login Server are restricted by the password policy. Password cannot be empty Length of the password must be between 8 and 20 characters Password must contain at least one uppercase letter Password must contain at least one lowercase letter Password must contain at least one digit Password must contain at least one of the special characters
Assign a Role Choose the desired user and choose the Assign Role button.
Figure: Assign Role to User To transfer one or more roles to the user, select one or more roles from the left-hand pane All Role and choose >>Add to transfer the roles to My Role. To remove one or more roles from the user, select the role(s) in the My Role column on the right and choose >>Delete to remove the role(s). To save the configuration, choose the Save button.
126
09/2021
3 Administration
3.5.2 Role Management

This section describes the Role Management node of the Administration Console. Use this node to configure the permissions for each administrator role.
Figure: Administration Console Role Management
Predefined roles cannot be deleted or changed. To create a new role, use the Add button.
Figure: Administration Console Role Management
09/2012
127
3 Administration
Option ID* Name* Permission List
Details The unique identifier for the role. The name used to describe the role. Define the permissions; assigned to this role. The permissions are described in the Permission Description. Define the permissions for the respective instances.
Instance List
To save the configuration, use the Save button.
3.5.3 Locked Files Management

This section describes how to check whether any Secure Login Server-specific system files have been locked and how to unlock them, if necessary. Files are locked in the following scenarios. Different administrators are configuring the Secure Login Server at the same time. When this happens one administrator will receive a message informing them to contact the specific administrator to unlock the file. Example Message File ClientPolicy.xml has been locked, ask the administrator to remove the lock.
Figure: Administration Console Locked File Management Select the locked file to be unlocked and choose the Release button.
128
09/2021
4 Other Configurations
This section describes some additional configuration steps.
4.1 Configure Login Module

You configure the Login Modules in the SAP NetWeaver Administrator. Log on to the SAP NetWeaver Administrator.
http://<host_name>:<port>/nwa
Choose Configuration Management and Authentication and Single Sign-On. Choose the tab Authentication and the configuration option Login Modules. The following Secure Login Server Login Modules are available:
SPNegoLoginModule This login module is used to verify user credentials against a Microsoft Windows domain. By default, this login module is set in the Secure Login Server. SecureLoginModuleLDAP This login module is used to verify user credentials against an LDAP Server or Microsoft Active Directory System. SecureLoginModuleRADIUS This login module is used to verify user credentials against a RADIUS Server. SecureLoginModuleSAP This login module is used to verify user credentials against an SAP ABAP server. The names of the Secure Login Server Login Modules are used in Instance configuration. Refer to section 3.4 Instance Management.
SPNegoLoginModule SPNegoLoginModule is the default login module of the Secure Login Server. To configure SPNego, use the appropriate configuration wizard. For more information, see the SAP NetWeaver Library 7.3 under SAP NetWeaver Library: Function-Oriented View > Security> User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using Kerberos Authentication. SPNegoLoginModule works in close conjunction with the user management engine (UME). Remember that you may need to configure the mapping mode of the Kerberos Principal Name to the UME or to change Customizing settings of the UME data source configuration. For more information, see the SAP NetWeaver Library 7.3 under SAP NetWeaver Library: Function-Oriented View > Security> User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using Kerberos Authentication > Configuring the UME for Kerberos Mapping . If you have an Active Directory environment with parent and child domains, you should configure the keytab file for the parent and child domain when you set up SPNego in SAP NetWeaver Java. .
09/2012
129
SecureLoginModuleLDAP Choose the login module SecureLoginModuleLDAP and choose the Edit button to configure its parameters.
Figure: SAP NetWeaver Administrator SecureLoginModuleLDAP
Option LdapBaseDN
Details Base DN of the LDAP Server (Start Search Path). There are several configuration options. The variable $USERID is replaced by Secure Login Server with the user name for user verification against the authentication server. LDAP Server Define the search path where the user is located. Example: uid=$USERID,ou=Users,dc=yourdomain,dc=com Microsoft Active Directory System Define the search path where the user is located. Example: $USERID@<Windows_domain> cn=$USERID,cn=Users,dc=domain,dc=com If the parameter is not configured (empty), the Microsoft Windows UPN name is required for user authentication (to be entered in Secure Login Client).
LdapHost*
URL of the LDAP server or Active Directory server system used to authenticate the user. We recommend that you configure secure communication using LDAPS. ldaps://<FQDN or IP>:636 ldap://<FQDN or IP>:389 Character set encoding for communication between the Secure Login
LdapProviderLang
130
09/2021
uage LdapTimeout
Server and the LDAP/ADS server. The default value is en-US. Period of time the Secure Login Server waits for a response before trying the next LDAP/ADS server (in milliseconds). The default value is 100 milliseconds. LDAP attribute that contains the expiration date of the user password for the Secure Login Client. Secure Login Server can process one of the following formats: Generalized time formats: 20120630181530Z = 30. June 2012 18:15:30 (UTC) 20120630191530+0100Z = 30. June 2012 20:15:30 (CET) 20120630181530.0Z = 30. June 2012 18:15:30 (UTC) 20120630191530.0+0100Z = 30. June 2012 20:15:30 (CET) MS Gregorian calendar time format (100-nanosecond intervals since 1. January 1601 (UTC)) 129855537300000000 = 30. June 2012 18:15:30 (UTC) Netscape Password Expiring time format (seconds until password expires) 864000 = 10 days from current date until password expires If a password expiration warning message is configured, the LdapBaseDN property must be given in complete DN form (UPN on Microsoft Active Directory). The PasswordExpirationAttribute value is used for the password expiration warning message only. By default no value is defined.
PasswordExpiratio nAttribute
PasswordExpiratio nGracePeriod ServerID
The interval (in days) for a password expiration warning message to be sent to the Secure Login Client prior to a password expiring. Determines which password expiration warning message is used. This value is used for the password expiration warning only. It is only valid for the Secure Login Client. The default value is LDAP1. Do not change this value. Path to the Java certificate key store used by Secure Login Server. The certificate key store is used to enable LDAP over SSL (LDAPS). Use of the Java key store (*.jks) is mandatory when using LDAP over SSL (LDAPS). By default, no value is defined. LDAPS is required. Configure the following value: Microsoft Windows <INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServ er\securelogin\Instances\TrustStore.jks Linux /usr/sap/<SID>/SYS/global/SecureLoginServer/securelog
TrustStore
09/2012
131
in/Instances/TrustStore.jks To save the configuration, choose the Save button. SecureLoginModuleRADIUS Choose the login module SecureLoginModuleRADIUS and choose the Edit button to configure its parameters. Entries marked with * are mandatory.
Option Authenticator*
Details Authentication method for the RADIUS server. Possible values are: CHAP MSCHAP PAP The default value is PAP. The port number used by the RADIUS server for authentication requests. Typically values are 1645 or 1812. The default value is 1645. PIN format. This parameter is only used with OTP tokens. Possible values: true The user can choose, and use, a PIN that contains only alphanumeric characters (A-Z, a-z, 0-9). false The user can choose, and use, a PIN that contains alphanumeric and special characters (such as !$%&). The default value is false. Host address of the RADIUS server (used for user authentication). For configuring specific RADIUS server messages. You need to define the full path and file name. By default no configuration file is required. Shared Secret is used to encrypt the user password. This Shared Secret also needs to be defined in the RADIUS Server. Save the shared secret as encrypted. For more information, see 5.5.3 Ensuring Encrypted Communication with Shared Secret. Period of time the Secure Login Server waits for a response before trying the next RADIUS Server (in milliseconds). The default value is 5000 milliseconds.
AuthPort*
PinAlphanumeric
RADIUSServerIP* ServerIniFile
SharedSecret*
TimeOut*
132
09/2021
SecureLoginModuleSAP Choose the Login Module SecureLoginModuleSAP and choose the Edit button to configure its parameters.
Figure: SAP NetWeaver Administrator SecureLoginModuleSAP
Option Client* CREDDIR
Details Define the SAP client number in which the SAP user is to be verified. Path where the SNC certificate used by Secure Login Server is located. This configuration is not required if the environment variable SECUDIR was configured (see Installation, Configuration, and Administration Guide of the Secure Login Library). Configure the appropriate value for your operating system: Microsoft Windows <ASJava_Installation>\sec Example: D:\usr\sap\ABC\J00\sec Linux
<ASJava_Installation>/sec
Example: /usr/sap/ABC/J00/sec PasswordAlphanummeric This parameter is part of the password policy for the client-side policy consistency check. Possible values: true The password can contain only alphanumeric characters (A-Z, a-z, 0-9). false The password can contain alphanumeric and special
09/2012
133
characters (such as !$%&). This parameter must be consistent with the SAP password policy. The default value is true. PasswordMax This parameter is part of the password policy for the client-side policy consistency check, specifically the maximum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. The default value is 30. This parameter is part of the password policy for the client-side policy consistency check, specifically the minimum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. The default value is 1. The technical SAP user account name used by Secure Login Server. This technical user will be created on the desired SAP ABAP server and you need to configure the SNC name. Example: SLSSNC IP address or host name of the SAP ABAP server. SNC name of the desired SAP ABAP server. Example: p:CN=ABC, OU=SAP Security, C=DE SAP system number Maximum number of connections Timeout for login Maximum number of connections until authentication is blocked
PasswordMin
SAPaccount*
SAPServer* SNCServerName*
SystemNo* maxNbrConnections SAPTimeout
134
09/2021
4.2 Verify Authentication Server Configuration

After successful configuration of Certificate Management, Instance Management and Login Module, the Secure Login Client or Secure Login Web Client can be used to verify communication to the authentication server.
LDAP Server
SAP NetWeaver - Secure Login Server Secure Login Admin Console Secure Login Client Secure Login Web Client SAP NetWeaver Administrator ABAP Server
Instance 1
Instance 2 Instance 3 Instance 4
SecureLoginModuleLDAP
SecureLoginModuleSAP
RADIUS Server SecureLoginModuleRADIUS
SPNegoLoginModule
Java Server/ADS
Figure: User Authentication Work Process The authentication work process takes place as follows: 1. Start Secure Login Client or Secure Login Web Client. 2. Choose the desired client profile and enter your user name and password. 3. The responsible instance for the chosen client profile is used. You can configure the link to the login module (for example, SecureLoginModuleLDAP) within the Instance configuration (Secure Login Administration Console Instance Management). 4. The instance triggers the login module. The login module establishes a connection to the authentication server. Login modules are configured in SAP NetWeaver Administrator. 5. The Secure Login Server sends the user credentials to the authentication server. If the response is successful, the Secure Login Server provides a user certificate to the Secure Login Client or Secure Login Web Client.
09/2012
135
4.3 Create Technical User in SAP Server

The technical user is used to verify SAP user credentials on the SAP ABAP server. Logon to the SAP ABAP server using SAP GUI and start the transaction SU01 (User Management). Create a new user (for example, SLSSNC):

User type is System. Deactivate the password. Define the SNC name, which must match the SNC certificate created in Certificate Management (certificate type: SNC_CERT). Choose the tab Profiles and define the following authorization profiles: S_A.SCON S_A.SYSTEM S_USER_ALL S_USER_RFC Z_TRANS_RFC
Save the settings.
4.4 Mozilla Firefox Support

After successful user authentication, the Secure Login Web Client stores, the certificate in the Microsoft Certificate Store. The same function is provided for the Mozilla Firefox Browser.
4.4.1 Install Firefox Extension

It is a prerequisite that the Firefox Extension XPI is installed. The Firefox Extension is provided by the Secure Login Server and can be downloaded using the following URL: http://<host_name>:<port>/SlsWebClient/Firefox/index.html Browser and operating system are recognized automatically.
Figure: Mozilla Firefox Extension for Secure Login Web Client Use the link here to install the Firefox extension.
136
09/2021
If your Mozilla Firefox browser does not open an extension installation dialog, but only allows you to save this file, you have the following choices:

Choose the option Open with and choose the Mozilla Firefox application. Save the file to your Desktop, then drag and drop it into any Firefox window. Ask your Web portal administrator to add a new MIME type application/x-xpinstall for XPI files.
Figure: Install Mozilla Firefox Extension Install the Firefox Extension by choosing Install Now, and restart Mozilla Firefox.
4.4.2 Uninstall Mozilla Firefox Extension

Start the Mozilla Firefox application and, from the menu, choose Add-ons Manager and Extensions.
Figure: Uninstall Mozilla Firefox Extension Secure Login Security Module To uninstall, select the Firefox Extension Secure Login Security Module and choose the Remove button.
09/2012
137
4.5 Customize Secure Login Web Client

By default, the location of the Secure Login Web Client files is the user environment of the client. This depends on the operating system: Microsoft Windows XP C:\Documents and Settings\<user>\sapsnc\ Microsoft Windows Vista / Microsoft Windows 7 C:\Users\<user>\sapsnc\ Mac OS /Users/<user>/sapsnc/ Linux /home/<user>/sapsnc/ To define a different location for the libraries, use the configuration file config.properties. 1. Enter a location in the following format: Example (for Microsoft Windows operating systems)
Config.properties USER_FOLDER=C:\\WebClient
Example (for MAC OS and Linux)

Config.properties USER_FOLDER=/home/WebClient/
2. Upload the configuration file using the Secure Login Administration Console (section 3.3.12 Web Client Configuration). 3. We recommend that you save config.properties in the following directory: Microsoft Windows \SecureLoginServer\servlet_jsp\SlsWebClient\root\DownloadPacks \WIN32 Mac OS \SecureLoginServer\servlet_jsp\SlsWebClient\root\DownloadPacks \MAC_UNI Linux \SecureLoginServer\servlet_jsp\SlsWebClient\root\DownloadPacks \LIN26_I686 During an installation, the config.properties file is deleted. Make a backup of this file before you execute an installation. After the installation, you copy the file to the relevant directory.
Note that some configuration files are still stored in the default folder (sapsnc).
138
09/2021
4.6 Configure SSL Certificate Logon

Use an X.509 certificate to log on to the Secure Login Administration Console. The prerequisites are that SSL is enabled on SAP NetWeaver server, and the X.509 certificate has a trust relationship with the SSL server certificate of the SAP NetWeaver server. The SAP NetWeaver HTTPS port also needs to be configured to accept certificate-based login (Request Certificate).
In the navigation tree, choose the node Certificate Management, and use the SAP CA to create a LOGIN_CERT certificate. In the certificate attribute Subject Alternative Names (E-mail), define the name that will be mapped with the attribute Certificate Login ID in User Management (for example: LoginCert_Admin). Save the settings, export this certificate in P12 format and import it in the desired Administrator User environment (for example, import in Internet Explorer browser). In the navigation tree, choose the node User Management and edit the desired user. Choose the option SSL Certificate Login and define the parameter Certificate Login ID (for example: LoginCert_Admin). Save the configuration and restart the Secure Login Server application server. Start the Secure Login Administration Console by calling its URL using HTTPS (which is enabled for certificate based login) and the user should be authenticated automatically. A message box might appear, prompting you to choose the desired certificate. In this case, choose the certificate to be used for logon.
4.7 Configure External Login ID

Define an authentication mechanism to use to log on to the Secure Login Administration Console. The prerequisite is that the desired authentication mechanism is configured in the instance (parameter JaasModule). In the navigation tree, choose the node Server Configuration and choose the Edit Login Type button. Define the desired authentication mechanism using the parameter External Login JAAS Module and Save the configuration. In the navigation tree, choose the node User Management and edit the desired user. Choose the option External Login and define the parameter External Login ID. The External Login ID is the user name of the desired authentication server database. Save the configuration and restart the Secure Login Server application server. Start the Secure Login Administration Console URL, choose the option External Login and log on with the user name and password of the authentication server.
4.8 Emergency Recovery Tool

The Emergency Recovery tool is used when the Secure Login Server administrator has forgotten his or her password and no longer has access to the Secure Login Administration Console. The prerequisites for the Emergency Recovery Tool:

Access to the operating system, where the Secure Login Server application is installed. Access to the Key file for server credentials encryption. The key file is a file on the Secure Login Server with random content and is used to secure password information in
09/2012
139
configuration files. This key file was generated in the Initial Wizard (section 2.6.1 Initial Configuration) Step 1 Log on to the operating system, where the Secure Login Server is installed. Edit the file SLSRecoverPassword.bat (Microsoft Windows) or SLSRecoverPassword.sh (Linux) and change the path to the file iaik_jce.jar. Microsoft Windows
<ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\
servlet_jsp\securelogin\root\WEB-INF\lib\SLSRecoverPassword.bat
SLSRecoverPassword.bat @echo off SET IAIK_JARS_PATH=D:\usr\sap\ABC\J00\j2ee\cluster\bootstrap\iaik_jce.jar IF NOT EXIST %IAIK_JARS_PATH% GOTO ErrorLib java -cp SLSRecoverPassword.jar;%IAIK_JARS_PATH% com.secude.util.misc.SecudeUtilities %* goto End :ErrorLib ECHO IAIK Library not found, please correct the path to the library in this script! :End
Linux
<ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/
servlet_jsp/securelogin/root/WEB-INF/lib/SLSRecoverPassword.sh
SLSRecoverPassword.sh #!/bin/sh # please check if this path points to the correct location of # the iaik library IAIK_JARS_PATH=/usr/sap/ABC/J00/j2ee/cluster/bootstrap/iaik_jce.jar if [ -f $IAIK_JARS_PATH ]; then java -cp SLSRecoverPassword.jar:$IAIK_JARS_PATH com.secude.util.misc.SecudeUtilities $@ else echo "IAIK Library not found, please correct the path to the library in this script!" fi
Other possible locations of the file iaik_jce.jar: <drive>:\usr\sap\ABC\J00\j2ee\JSPM\lib\ <drive>:\usr\sap\ABC\SYS\global\security\lib\engine\ <drive>:\usr\sap\ABC\SYS\global\security\lib\tools\ Save the script file SLSRecoverPassword.
140
09/2021
Step 2 Obtain the encrypted password string for the desired user. The encrypted password string is later used in the command line tool. The user information is available in the configuration file user.xml, which is located in the directory specified below: Microsoft Windows <INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\ Instances\user.xml Linux /usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances/us er.xml
user.xml <?xml version="1.0" encoding="UTF-8" standalone="no"?> <Users> <User disable="false" id="Admin" lanCode="en_US" name="Administrator" predefined="true" roles="Super User"> <Password>encrypted_password_string</Password> </User> </Users>
Step 3 Open a command line shell and change to the folder where the file SLSRecoverPassword.bat (Microsoft Windows) and SLSRecoverPassword.sh is located. Microsoft Windows
<ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\
servlet_jsp\securelogin\root\WEB-INF\lib\SLSRecoverPassword.bat Linux
<ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/
servlet_jsp/securelogin/root/WEB-INF/lib/SLSRecoverPassword.sh
Start the following command to decrypt and display the password for the desired user. SLSRecoverPassword --decrypt encrypted_password_string
<file_location_of_the_key_file>
Example SLSRecoverPassword --decrypt encrypted password string D:\usr\sap\ServerKeyFile\KeyFile.txt The password is displayed.
Output of SLSRecoverPassword Command Encode password=encrypted password string with key
09/2012
141
file=D:\usr\sap\ServerKeyFile\KeyFile.txt Out is <password>
You can use the following command to encrypt a password. SLSRecoverPassword --encrypt password <File Location of the key
file>
The encrypted password string is displayed. To display help on the SLSRecoverPassword command, use the following command: SLSRecoverPassword --help
142
09/2021
4.9 Monitoring
This section describes how to retrieve the Secure Login Server status; for example, integration in Network Monitoring Tools. Several interfaces are available.
4.9.1 Web Service Status

Some examples are given below how to retrieve the Secure Login Server status by URL. Server Status http://<host_name>:<port>/securelogin/PseServer?op=serverstatus Default Server Instance Status http://<host_name>:<port>/securelogin/PseServer?op=status
Server Instance Number # Status http://<host_name>:<port>/securelogin/PseServer?op=status &id=00010 To retrieve the Server Instance Number, click the node Instance Management and check the ID of the desired instance.
4.9.2 XML Interface

Secure Login Server provides an XML interface to automate monitoring using your own or a third-party program, for example, to incorporate monitoring into administrative tools. Secure Login Server has to be called with a specific request in XML format. The Secure Login Server then returns an XML reply with the status information. Send the following Status Request to the URL: http://<host_name>:<port>/securelogin/PseServer
Status Request <TransFairGram> <Control> <Version>Pepperbox 2.0.0</Version> <ActionRequest> STATUS_REQUEST_ACTION </ActionRequest> </Control> </TransFairGram>
09/2012
143
The Status Reply is similar to the following example.

Status Reply <TransFairGram> <Control> <ActionRequest>STATUS_ACTION</ActionRequest> <Version>Pepperbox 2.0.0</Version> <ServerBuild>$Name: REL_1_0_0_17 $</ServerBuild> </Control> <Content> <Data> <Status> <ConfigURL> file:<Path To Secure Login Server>\Configuration.properties </ConfigURL> <ConfigurationStatus>OK</ConfigurationStatus> <Date>Mon May 18 12:02:54 CET 2011</Date> <ID>Instance 00010</ID> <LockFile/> <LockStatus>false</LockStatus> <PseServerStatus>OK</PseServerStatus> <ServerBuild>SLS_5-1-1-0</ServerBuild> </Status> <Message> The current Server status is enclosed with this transfairgram (only for diagnostic purpose) </Message> <MessageCode>0701</MessageCode> </Data> <DataType>application/xml</DataType> </Content> </TransFairGram>
144
09/2021
4.10 Secure Login Client Policy and Profiles

This section contains detailed information about the client policy and client profiles for Secure Login Client. The client policy is installed together with Secure Login Client on the client computer. Using the client policy configuration the client profiles can be downloaded from Secure Login Server.
4.10.1 Client Policy

These parameters are defined in the files customer.reg and GlobalCustomer.reg. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\System] Parameter PolicyURL Type STRING Description Network resource from which the latest Secure Login Client profiles can be downloaded. Three types of client policy are available: ClientPolicy.xml Client policy defined in the default instance of the Secure Login Server. ClientPolicy.xml&path=000xx Client policy defined in instance xx (instance number) of the Secure Login Server. GlobalClientPolicy.xml Global client policy includes all available instances of the Secure Login Server. The lifetime in minutes for verifying (updating) a new client policy on the Secure Login Server. The default is 0 minutes (hexadecimal value: 0). By default, the Secure Login Client verifies during system startup of the client PC. Network timeout in seconds before the connection is closed if the Secure Login Server does not respond. The default is 45 seconds (hexadecimal value: 2d). By default, the Secure Login Client verifies a new client policy during system startup of the client PC. You can use this parameter to disable this feature. 1 Disable automatic policy download. 0 Enable automatically policy download. Default value is 0.
PolicyTTL
DWORD
NetworkTimeout
DWORD
DisableUpdatePolicyOnStartup
DWORD
09/2012
145
4.10.2 Applications and Profiles

The Secure Login Server provides the Applications and Profiles configuration to the Secure Login Client using ClientPolicy.xml and GlobalClientPolicy.xml. In addition, it is possible to download the configuration using the customerAll.reg and GlobalCustomerAll.reg files.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\ applications\<Application Name>] Parameter GssTargetName Type STRING Description Application specific PSE URI (SAP server SNC name) that is matched when a suitable profile is searched. You can use the wildcards * and ?. Example: CN=SAP, OU=SAP Security, C=DE CN=Server*, O=Company xyz Using the value * means that the client profile is used for all SAP servers. profile allowFavorite STRING DWORD The name of the client profile to be used for the desired application. Allow the user to select the authentication profile manually in Secure Login Client. 0 User cannot select the authentication profile manually in Secure Login Client. 1 User can select authentication profile manually in Secure Login Client. The default value is 1.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\ profiles\<Profile Name>] Parameter profileName pseType Type STRING STRING Description The name of the client profile to be used for the desired application. Authentication type. promptedlogin Using this profile, the user will be requested to enter the user credentials. windowslogin Using this profile, the user credentials will be provided automatically (only available for
146
09/2021
Microsoft Windows authentication) Default value is windowslogin enrollURL0 STRING Secure Login Server URL that is used for user authentication and certificate request. Enroll URL depends on the instance configuration. <server>/securelogin/PseServer Enroll URL defined in the default instance of the Secure Login Server. <server>/securelogin/PseServer&id=000xx Enroll URL defined in Instance xx (instance number) of the Secure Login Server. Use the Add button to configure further Enroll URLs. This is the failover configuration for the Secure Login Client. If the first Enroll URL cannot be established, the Secure Login Client tries the next Enroll URL, defined here. httpProxyURL STRING HTTP proxy to be used with enrollment URLs. Only HTTP proxies without authentication and without SSL to proxy are supported. Example: http://example.address.com:8888 This parameter defines how many login attempts to the Secure Login Client login form is closed again. Example with value 4: The Secure Login Client offers the login form 4 times (e.g. wrong credential information), before the login form will be closed. Default value is 0. The login form will never be closed. User needs to use the button Cancel to close the login form. Value in seconds when an enrollment is to be carried out before the certificate expires Default value is 0 Value in seconds until an automatic logout is performed (due to mouse and keyboard inactivity). Possible values: Value -1 No Single Sign-On (SSO). Each SNC connection forces a new login. Value 0 No timeout. SSO without constraints. The default value is 0.
reAuthentication
DWORD
gracePeriod
DWORD
inactivityTimeout
DWORD
09/2012
147
Value > 0 Seconds until until an automatic logout is executed. autoReenrollTries DWORD The number of failed authentications in a row after which automatic re-enrollment is stopped. User name and password caching can be turned on to provide the automatic reenrollment of certificates that are going to expire. Possible values: 0: Turn off: Do not re-enroll automatically; do not cache user name and password. A re-enrollment must always be performed manually by the user. >0 (n): Turn on with n tries to succeed: Try to re-enroll a maximum of n times before either a new certificate is received or the user name and password cache are cleared. The error counter is reset on success. The default value is 0. autoEnroll DWORD A user automatically gets an X.509 certificate when the Secure Login Client starts. 0: Turn off 1: Automatic provisioning of user certificates If pseType is set to windowslogin, user credentials are provided automatically (only applies for Microsoft Windows authentication). If pseType is set to promptedlogin, the system prompts the users to enter their credentials. RSA Key Length. The default value is 1024 (hexadecimal value: 400). Custom-defined string; will be displayed in the instance log or can be used for network filtering issues. Network timeout (in seconds) before the connection is closed if the server does not respond The default value is 45 (hexadecimal value: 2d). This applies to the SSL server certificate this checks if the peer host name is given in
keySize
DWORD
UniqueClientID
STRING
networkTimeout
DWORD
sslHostCommonNameCheck
DWORD
148
09/2021
the Common Name (CN) field of the SSL Server certificate. 1 Verify the SSL server host name with the Common Name (CN) field of the SSL server certificate. 0 Do not verify SSL server host name with the Common Name (CN) field of the SSL Server certificate. The default value is 0 sslHostAlternativeNameCheck DWORD This applies to the SSL server certificate this checks whether the peer host name is given in its Subject Alternative Name attribute of the certificate. 1 Verify the SSL server host name with the Subject Alternative Name attribute of the SSL Server certificate. 0 Do not verify the SSL server host name with the Subject Alternative Name attribute of the SSL server certificate. Default value is 0 This applies to the SSL server certificate this checks if the extended key usage ServerAuthentication is defined. 1 Verify whether the extended key usage ServerAuthentication is defined in the SSL Server certificate. 0 Do not verify whether the extended key usage ServerAuthentication is defined in the SSL Server certificate. The default value is 0 Turn on/off a warning dialog box that appears after a new certificate has been propagated to Microsoft Crypto Store. 1 Turn on a warning dialog box. 0 Turn off a warning dialog box. NOTE: Microsoft Internet Explorer must be restarted. The default value is 0 Message text value is used for messages (change PIN/password) to the Secure Login Client and Secure Login Web Client. Available values are pin and password.
sslHostExtensionCheck
DWORD
userWarningMSIE
DWORD
newPinType
STRING
09/2012
149
4.11 Integrate into Existing PKI

If a Public Key Infrastructure (PKI) is available, the Secure Login Server can be integrated. You can use the existing PKI to create the certificates for the SSL server and the SAP server. To provide X.509 user certificates, the Secure Login Server requires a User CA certificate which needs to be provided by the PKI. The following certificate attributes are required for the user CA certificate. Certificate Attribute Version Asymmetric Algorithm Key Usage Details V3 RSA Algorithm Digital Signature Non-Repudiation Key Encipherment Data Encipherment Certificate Signing Off-line CRL Signing CRL Signing Subject Type=CA Path Length Constraint=None
Basic Constraints
The RSA Key Length depends on the customer requirements. We recommend that you use 2048 Bit RSA keys or higher.
The user CA certificate should include the complete certificate chain. This means all public certificate information of the chain should be provided.
Typically the file is provided in P12 format. The Secure Login Server requires a PSE format to import using Secure Login Administration Console. Use the SAP tool SAPGENPSE to convert the P12 format to PSE format. sapgenpse import_p12 -x <PSE_password> -z <P12_password> -p <PSE_file_name>.pse <P12_file_name>.p12
Log on to the Secure Login Administration Console and import the PSE file in Certificate Management. Choose USER_CA and the option Import Certificate. Restart the Secure Login Server Application.
150
09/2021
4.12 Configuring Secure Login Servers as Failover Servers for High Availability
Use Case
You want to ensure high availability of the Secure Login Server. For example, you want to prevent that the Secure Login Client sends a certificate request and does not get a response.
Concept
Install and run several Secure Login Servers on different AS Java servers acting as failover servers. The URLs of the Secure Login Servers that are available are listed in the Enroll URL parameter of the client policy. This is where the Secure Login Client checks which path to use. If the first Secure Login Server is down, it goes to the next Secure Login Server that is specified in the list
Configuration
1. Log on to the administration console. 2. Choose Instance Management > DefaultServer Configuration > Client Configuration und go to the Profiles tab.
3. Choose the Add Profile button to get to the Add/Modify Client Profile screen.
09/2012
151
4. Behind the URL of the Enroll URL parameter, choose the Add button. A new row with the previous URL as default value appears.
5. Enter the URL to the failover Secure Login Server. To configure more Secure Login Servers as failover servers, add new rows and enter the relevant URLs. 6. Save your entries.
152
09/2021
We recommend that you maintain this failover configuration in all Secure Login Servers you use. For more information about the parameter Enroll URL, see 4.10.2 Applications and Profiles.
4.13 Configuring Login Module Stacks as Failover Servers in SAP NetWeaver

Use Case
You want to ensure high availability of the Secure Login Server. For example, you want to make sure that users are able to authenticate even if an authentication server for a configured authentication method is not available.
Concept
Install and run authentication servers of the same type, for example two LDAP servers, in different networks acting as an authentication failover solution. The authentication logic of the Secure Login Server is handled by login modules. Several login modules of the same kind are put into login module stacks (authentication stacks). These login modules are configured to run with different authentication servers and have, for example, different IPs. When an authentication request comes in, the Secure Login Server tries to use all configured login modules until it gets to an authentication server that is online and returns an authentication result. If, for any reason, the login module on top of the stack does not respond, the Secure Login Server sends its authentication request to the next login module in the stack and expects it to process the authentication request. For more information, see the Help Portal at http://help.sap.com/nw703/ and choose Application Help > SAP Library > SAP NetWeaver Library > SAP NetWeaver by Key Capability > Security > User Authentication and Single Sign-On > Authentication on the AS Java > Login Modules and Login Module Stacks. If you simply try to insert and list login modules, and do not organize them in a stack, you cannot change the configuration of the login module. SAP NetWeaver only accepts the default configuration of a login module. However, for the authentication failover solution, you need to adapt values, for example, the destination paths and the timeout.
09/2012
153
So you create a login module stack (with a dedicated name) that contains a number of login modules for authentication failover. Copy the login modules, list them in a logon module stack, change their names, and adapt the configuration. Authentication with the Secure Login Server only works with the following login modules.
Login Modules Used by the Secure Login Server Name SecureLoginModuleLDAP SecureLoginModuleRADIUS SecureLoginModuleSAP Usage Direct usage or in login module stack Direct usage or in login module stack Direct usage or in login module stack Note Does not depend on UME Does not depend on UME Does not depend on UME
BasicPasswordLoginModule SPNegoLoginModule
Direct usage only Direct usage only
Not for login module stack, with UME Not for login module stack, with UME
Limitations
Put only login modules of the same kind into the login module stack. We do not support the use of different login modules (mixed authentication types).
4.13.1 Configuration of SAP NetWeaver AS Java

To configure an SAP NetWeaver AS Java to act as an identity provider, proceed as follows: 7. Open the SAP NetWeaver Administrator and go to the Authentication and Single Sign-On service. 8. On the Authentication tab, there is a table under Component. Log on to the administration console. 9. To create a new login module stack for authentication custom configuration, choose the Create button. This custom configuration serves as your new login module stack. 10. Enter a configuration name and choose the type Custom. These entries appear in the Policy Configuration Name table. 11. In the section below under the Authentication Stack tab, add the login modules by choosing the Edit and Add buttons. 12. If you double-click the cell for the login module name, a dropdown list with the login modules that are available appears. 13. Select the login modules you need. Note that we only support login module stacks with the same type of login modules, for example, with different IPs or destination paths.
154
09/2021
14. Set the flag to SUFFICIENT to make sure that the authentication proceeds down the list to the next login module if the authentication is not successful. 15. Set the authentication-relevant parameters and save your changes. In these entries, you can change the names and the configuration. For more information, see the Application Help in http://help.sap.com/nw731/ under SAP Library > SAP NetWeaver Library: Function-Oriented View > Security > User Authentication and Single Sign-On > Authentication Infrastructure > Login Modules > Policy Configurations and Authentication Stacks.
4.13.2 Configuration of the Secure Login Server

The administration console of the Secure Login Server uses this newly created login module stack directly. Keep in mind that you cannot adapt the parameters of the login module stack in the administration console. 1. In the Secure Login Administration Console, enter the name of the login module stack. 2. Choose the Edit button. 3. In the Instance Configuration > Authentication Server Configuration, choose the authentication type Policy Configuration Name and enter the name of the relevant login module stack.
4. Save your changes. You have now implemented a failover solution using SAP NetWeaver login module stacks.
09/2012
155
4.14 Setting Failover Timeouts of the Login Modules

When an authentication attempt arrives, and the authentication request is passed on and proceeds down the list in the login module stack, the ICM timeout for a connection with an external system may be exceeded. This leads to the error message internal server error. Usually the default ICM timeout is 5000 ms. You need to make sure that the timeouts belonging to the single login modules do not exceed the ICM timeout. To avoid this, set the timeouts of the login module in your login module stacks so that the total of all timeouts does not exceed the default ICM timeout. If the bandwidth is very limited, consider changing the ICM timeout for the entire system. For more information, see Internet Communication Manager (ICM) in the SAP Library under Administration of the Internet Communication Manager > Additional Profile Parameters > icm/conn_timeout.
Name of Login Module SecureLoginModuleLDAP SecureLoginModuleSAP
Parameter Name LdapTimeout SAPTimeout maxNbrConnections
Description Timeout for login Timeout for login Maximum number of connections until authentication is blocked Timeout for login
SecureLoginModuleRADIUS
TimeOut
You can set the timeout of the login modules in the login module stack as follows: 1. Select the login module for which you want to change the timeout. The table below the module name contains its parameters and their values. 2. Go down to the section for the login module options and choose the Add button. 3. In the New Login Module Option dialog box, enter the name of the parameter you want to add and provide a value. 4. Save your changes.
4.15 Custom Use of Login Module with Login Module Stacks

Use Case
You want to use several Secure Login Server instances with authentication types of the same kind. Since it is only possible to have one configuration per login module, you can overwrite the login module configuration if you use it in a login module stack. Working with a login module stack enables you to use the default configuration of the login module, change authentication-relevant parameters in the SAP NetWeaver Administrator and store them in a login module stack with only one login module. Use this option if, for example, you want to create one LDAP login module for a dedicated group of users and another one for another group of users. Create a login module stack for
156
09/2021
the first group of users and one for the second group of users, with each login module stack containing only one login module.
Configuration
1. Configure a login module stack in the policy configuration of the SAP NetWeaver JAAS as described above (see 4.13.1 Configuration of SAP NetWeaver AS Java). Use the REQUISITE flag for your login module stack. Set the authentication-relevant parameters as desired. 2. In the Secure Login Administration Console, enter the name of the login module stack. Proceed with the configuration as described above (see 4.13.2 Configuration of the Secure Login Server).
09/2012
157
5 Configuration Examples
This section describes some configuration examples for Secure Login Server.
5.1 Kerberos Authentication with SPNego

In this configuration example, the user authentication is verified against a Microsoft Windows domain. Prerequisites Secure Login Server is installed and the initial wizard has been completed. In Certificate Management at least the User CA is available. If you want to use HTTPS, you need to enable SSL on the SAP NetWeaver server. You have configured and enabled SPNego on the SAP NetWeaver Administrator . Configuration Steps 1. Log on to the Secure Login Administration Console and choose the node Instance Management. 2. Verify whether the authentication mechanism in Instance is configured correctly. JaasModule = SPNegoLoginModule 3. Choose the node Certificate Management and verify if the parameter Mapping to Instance (USER_CA) is enabled (checkbox) for this instance. 4. Choose the node Client Configuration and configure Client Policy, Applications and Profiles (section 3.4 Instance Management). Make sure that pseType is set to windowslogin. Export the client policy (customer.reg) which is used for Secure Login Client Installation. 5. Restart the Secure Login Server. 6. Install the Secure Login Client application on the client PC (for more information, see the Installation, Configuration and Administration Guide for Secure Login Client). Import the customer.reg files to the client registry. Verify whether the certificate chain (trust relation) of the SSL server certificate is in the Microsoft Certificate Store (Computer Certificate Store). Import missing certificates. 7. Restart the client PC. 8. In the Secure Login Client the profile defined in Instance Management is displayed in the Secure Login Client Console. Double-click this profile, and an X.509 certificate is provided without further user interaction. After a successful authentication an X.509 user certificate is provided. This user certificate is displayed in the Secure Login Client Console and is available in the Microsoft Certificate Store (User Certificate Store).
158
09/2021
5.2 LDAP User Authentication

In this configuration example, the user authentication is verified against a Microsoft Active Directory System or LDAP server. Prerequisites Secure Login Server is installed and the initial wizard has been completed. In Certificate Management at least the User CA is available. If you want to use HTTPS, you need to enable SSL on the SAP NetWeaver server. Configuration Steps 1. Log on to the Secure Login Administration Console and choose the node Instance Management. 2. Verify whether the authentication mechanism in the instance is configured correctly. JaasModule = SecureLoginModuleLDAP 3. Choose the node Certificate Management and check if the parameter Mapping to Instance (USER_CA) is enabled (checkbox) for this Instance. 4. Choose the node Client Configuration and configure Client Policy, Applications and Profiles (section 3.4 Instance Management). Export the Client Policy (customer.reg), which will be used for the Secure Login Client Installation. 5. Logon to SAP NetWeaver Administrator and define the connection parameters for the Login Module SecureLoginModuleLDAP (section 4.1 Configure Login Module). 6. If you are using LDAPS, import the LDAPS certificate into the Secure Login Server Trust Store. For further information, see section 3.3.4 Trust Store Management. 7. Restart the Secure Login Server Application. If you are using LDAPS, restart the SAP NetWeaver JAVA application server. 8. Install the Secure Login Client application on the client PC (For more information, see the Installation, Configuration and Administration Guide for the Secure Login Client). Import the customer.reg files to the Client registry. Verify whether the certificate chain (trust relation) of the SSL server certificate is in the Microsoft Certificate Store (Computer Certificate Store). Import missing certificates. 9. Restart your client PC. 10. In the Secure Login Client, the profile defined in Instance Management is displayed in Secure Login Client Console. Double-click this profile and enter the user name and password (Active Directory System or LDAP server). After successful authentication an X.509 user certificate is provided.
09/2012
159
This user certificate is displayed in the Secure Login Client Console and is available in the Microsoft Certificate Store (User Certificate Store).
5.3 SAP User Authentication

In this example, you configure that users automatically get X.509 certificates when they are logged on to a Microsoft Windows domain. The Microsoft Windows domain authentication is double-checked against the SAP ABAP server. Prerequisites Secure Login Server is installed and the initial wizard has been completed. In Certificate Management at least the user CA is available. If you want to use HTTPS, you need to enable SSL in the SAP NetWeaver server. Secure Login Library is installed (described in 2.1.1 Secure Login Library). Configuration Steps 1. Log on to the Secure Login Administration Console, and choose the node Certificate Management. 2. Create a new certificate for the technical user (for Secure Login Server) choosing certificate type SNC_CERT (for example, CN=SLSSNC). 3. Create a new SAP ABAP server certificate choosing certificate type SAP_SERVER (for example, CN=ABC, OU=SAP Security). 4. Perform SNC Configuration (section 5. .) and import the certificate of the technical user (Option: From Console). 6. Verify whether the authentication mechanism in the instance is configured correctly. JaasModule = SecureLoginModuleSAP 7. Choose the node Certificate Management and check if the parameter Mapping to Instance (USER_CA) is enabled (checkbox) for this instance. 8. Choose the node Client Configuration and configure Client Policy, Applications and Profiles (section 3.4 Instance Management). Export the Client Policy (customer.reg) to be used for Secure Login Client Installation. 9. Logon to SAP NetWeaver Administrator and define the connection parameters for the Login Module SecureLoginModuleSAP (section 4.1 Configure Login Module). 10. Restart the Secure Login Server application. 11. Install Secure Login Library on the target SAP ABAP server. Enable SNC configuration. Import SAP ABAP Server certificate in transaction STRUST. Restart SAP ABAP Server. For further information see the Installation, Configuration and Administration Guide for Secure Login Library. 12. Create a technical user (for Secure Login Server) in SAP User Management (for example, SLSSNC), define authorizations and configure the SNC Name (for example, CN=SLSSNC).
160
09/2021
For more information, see section 4.3 Create Technical User in SAP Server. 13. Install the Secure Login Client application on the client PC (for more information, see the Installation, Configuration and Administration Guide for the Secure Login Client). Import the customer.reg files into the client registry. Verify whether the certificate chain (trust relation) of the SSL server certificate is in the Microsoft Certificate Store (Computer Certificate Store). Import missing certificates. 14. Restart your client PC. 15. In Secure Login Client the profile defined in Instance Management is displayed in Secure Login Client Console. Double-click this profile and enter the SAP user name and password. After successful authentication, an X.509 user certificate is provided. This user certificate is displayed in the Secure Login Client Console and is available in the Microsoft Certificate Store (User Certificate Store).
5.4 RADIUS User Authentication

In this configuration example, the user authentication is verified against a RADIUS server. Prerequisites Secure Login Server is installed and the initial wizard was completed. In Certificate Management at least the User CA is available. If you want to use HTTPS, you need to enable SSL in the SAP NetWeaver server. Configuration Steps 1. Log on to the Secure Login Administration Console and choose the node Instance Management. 2. Verify whether the authentication mechanism in the instance is configured correctly. JaasModule = SecureLoginModuleRADIUS 3. Choose the node Certificate Management and check if the parameter Mapping to Instance (USER_CA) is enabled (checkbox) for this instance. 4. Choose the node Client Configuration and configure Client Policy, Applications and Profiles (section 3.4 Instance Management). Export the Client Policy (customer.reg) to be used for Secure Login Client installation. 5. In the RADIUS Server, configure Radius Client for Secure Login Server. This means that the Secure Login Server can establish communication to the RADIUS Server. Define the Shared Secret for this connection. 6. Logon to SAP NetWeaver Administrator and define the connection parameters for the Login Module SecureLoginModuleRADIUS (section 4.1 Configure Login Module). 7. Restart the Secure Login Server Application. 8. Install the Secure Login Client application on the client PC (for more information, see the Installation, Configuration and Administration Guide for Secure Login Client).
09/2012
161
Import the customer.reg files into the client registry. Verify whether the certificate chain (trust relation) of the SSL server certificate is in the Microsoft Certificate Store (Computer Certificate Store). Import missing certificates. 9. Restart your client PC. 10. In Secure Login Client the profile defined in Instance Management is displayed in Secure Login Client Console. Double-click this profile and enter the user name and password (RADIUS user database). After successful authentication, an X.509 user certificate is provided. This user certificate is displayed in the Secure Login Client Console and is available in the Microsoft Certificate Store (User Certificate Store).
5.5 Configuring RSA Authentication with RADIUS

Prerequisites
An RSA Authentication Manager (with a RADIUS server) is installed and running. The versions currently supported are 6.1 and 7.1. It communicates with the Secure Login Server through its RADIUS protocol using its own RADIUS server. The Secure Login Server supports new SecurID PINs and the next token code of RSA SecurID tokens. For more information, see the corresponding RSA Authentication Manager documentation. For more information on the parameters for RADIUS, see 4.1 Configure Login Module.
5.5.1 Configuration of the securid.ini File

For communication with the RSA Authentication Manager, you need the securid.ini file, which is provided by the RADIUS server. The Secure Login Server installation package installs a sample securid.ini file (corresponding to RSA Authentication Manager 7.1) in the global directory. You need not edit the file for the configuration. RSA server messages automatically parse the PIN policy and the minimum and maximum PIN length and transfer the values to the Secure Login Client without any configuration effort on your side. We recommend that you use the file provided by your RSA RADIUS server. To do this, proceed as follows: 1. On the RADIUS server, go to the directory that contains securid.ini. For more information on the file path, see the documentation of the RSA Authentication Server. 2. Copy the new file to the global directory of the Secure Login Server, and overwrite the old securid.ini file. The path to the global directory remains the same. By default, the relative path to the securid.ini file in the SAP NetWeaver Administrator is %GLOBAL_SLS_CONF_DIR%/Instances/securid.ini.
162
09/2021
5.5.2 Customer-Specific Configuration of the securid.ini File

If you want to keep your customer-specific securid.ini file, you have to make sure that your file is located in the relevant directory, either in the global directory or a directory of your choice. In the latter case, adapt the path in the SAP NetWeaver Administrator of the RADIUS login module. Take the following steps:
Use Case securid.ini located in the global directory
Checks and Activities 1. Rename your securid.ini file, for example, to securid.old. 2. Update the installation to Secure Login Server SP2. 3. Rename securid.old to securid.ini, thus overwriting the installed sample file. 4. Check whether the path entered in the SAP NetWeaver Administrator is %GLOBAL_SLS_CONF_DIR%/Instances/securid.ini. 5. Copy your securid.ini into the RADIUS server environment. 1. Make sure that your custom directory path is entered in the SAP NetWeaver Administrator, either in the login module or in the login module stack. 2. Copy your securid.ini into the RADIUS server environment.
securid.ini located in another directory
In either case, compare the securid.ini files on the Secure Login Server and on the RADIUS server to make sure that they are identical. To change the path in the SAP NetWeaver Administrator, proceed as follows: 1. Go to SAP NetWeaver Administrator. Under Authentication and Single Sign-On, choose Login Modules. 2. Select the login module SecureLoginModuleRADIUS. 3. On the Login Module Options tab, find the parameter SecuridFile. Here you see the relative path to the global directory %GLOBAL_SLS_CONF_DIR%/Instances/securid.ini. 4. Enter the path where you stored your securid.ini file. 5. Save your changes
If you are using a login module stack, enter the path to the securid.ini file in the configuration of the login module stack.
For more information, see the Help Portal at http://help.sap.com/nw703/ and choose Application Help > SAP Library > SAP NetWeaver Library > SAP NetWeaver by Key Capability > Security > User Authentication and Single Sign-On > Authentication on the AS Java > Login Modules and Login Module Stacks.
09/2012
163
5.5.3 Ensuring Encrypted Communication with Shared Secret

To make sure that the RSA Authentication Manager can communicate with the RSA server, you need to do the following: 1. Add the SAP NetWeaver IP address to the list of the RSA RADIUS clients in the RSA Authentication Manager. 2. Enter a shared secret for the RSA RADIUS client or use the shared secret that is delivered as default. 3. Configure the shared secret property SharedSecret in the configuration of the RADIUS login module accordingly. Since the shared secret is entered in the SAP NetWeaver Administrator and visible to other users, encrypt the shared secret of the RADIUS server and insert the encrypted string into SAP NetWeaver Administrator. This means that only the Secure Login Server can read the shared secret. Your system administrator must know the shared secret of the RADIUS server. To encrypt the shared secret, take the following steps: 1. 2. 3. 4. Open the administration console of the Secure Login Server. Choose Secret Encryption under Server Configuration. Paste the shared secret into the input field Shared Secret. To encrypt your input, choose the Encrypt button. The field Encrypted Secret, which is immediately below, displays the encrypted result.
5. Select the character string in this field and copy it to the clipboard. 6. In SAP NetWeaver Administrator (you can use the convenient link on the screen of the Secure Login Server), choose Authentication and Single Sign-On > Login Modules. 7. Select the login module SecureLoginModuleRADIUS. 8. On the Login Module Options tab, find the parameter SharedSecret. Paste the encrypted character string of the shared secret as the value for this parameter. 9. Save your changes.
If you are using a login module stack, enter the path to the securid.ini file in the configuration of the login module stack.
164
09/2021
6 Troubleshooting
6 Troubleshooting
This section gives additional information about troubleshooting for Secure Login Server.
6.1 Checklist User Authentication Problem

This section describes the configuration issues to check if a user authentication is not successful. Checklist Possible Issues

Is verification using different user credentials? Log on to the Secure Login Administration Console and check the log information in Instance Log Management. Check if the user authentication is displayed. If this is not the case, there may be a problem on the Secure Login Client or Secure Login Web Client. Verify the following parameter in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<profile_name>] enrollURL0 = <URL>
Check whether the enrollURL is configured for the desired instance. Check in Secure Login Administration Console Instance Management. Copy this URL to the browser application and check if a response is displayed (ignore the responses ERROR_ACTION or INTERNAL_SERVER_ERROR). Change the URL of the parameter enrollURL to HTTP and check if this works. If this works, there is a problem with the HTTPS connection. If you are using HTTPS, the problem may relate to the certificate trust relationship. If this is the case, import the root certificate, on which the SSL server certificate depends and move it to the Microsoft Certificate Store (Computer Certificate Store).
Verify whether the authentication mechanism in the instance is correctly configured. JaasModule = SecureLoginModule<respective_authentication_server_type> Choose the node Certificate Management and verify whether the parameter Mapping to Instance (USER_CA) is enabled (checkbox) for this instance. Start SAP NetWeaver Administrator and verify the connection configuration parameter in Login Module SecureLoginModule<respective_authentication_server_type>. Restart the Secure Login Server Application. For some configuration issues in Secure Login Administration Console a restart of the Secure Login Server Application is required. Enable the Server Trace in the Secure Login Administration Console (section 6.3 Enable Secure Login Server Trace) and start the diagnostic trace tool in SAP NetWeaver Administrator. Log on to SAP NetWeaver Administrator and choose Problem Management. Choose Logs and Traces and Security Troubleshooting Wizard. Choose the diagnostic type Authentication and start the trace by choosing Start Diagnostics. Repeat the user authentication in Secure Login Client or Secure Login Web Client. Stop the trace by choosing the Stop Diagnostics button, and analyze the results.
09/2012
165
6 Troubleshooting
6.2 Secure Login Server SNC Problem

For the Secure Login Server to verify SAP user credentials, secure communication to the SAP ABAP server needs to be established. The communication is secured using SNC. Problem The Secure Login Server cannot establish an SNC connection to the SAP Server. Checklist Possible Issues
Log on to Secure Login Administration Console and verify the log information in Instance Log Management. Check if the user authentication is displayed. If this is not the case, there may be a problem in the Secure Login Client or Secure Login Web Client. Verify whether the authentication mechanism in Instance is configured correctly. JaasModule = SecureLoginModuleSAP Verify whether the Instance Mapping in Certificate Management is enabled (checkbox) for this instance. Start SAP NetWeaver Administrator and verify the connection configuration parameter in Login Module SecureLoginModuleSAP. Verify whether Secure Login Library is installed correctly. Verify the installation described in section 2.1.1 Secure Login Library. Verify whether the folder <ASJava_Installation>\exe, which is used by Secure Login Library is included in JAVA Library Path. Verify the JAVA Library Path (libpath) in the trace file <ASJava_Installation>\work\dev_jstart.
Verify whether an SNC certificate was provided to Secure Login Library PSE environment. Verify whether the security token containter file pse.zip is available in folder <ASJava_Installation>\sec Start the command line shell and change to the folder <ASJava_Installation>/exe. Set the environment SECUDIR=<ASJava_Installation>/sec Use the command: snc O <SAP Service User> status v Microsoft Windows Example: snc O SAPServiceABC status v Linux Example: snc O abcadm status v
Verify whether a technical user was created on the SAP ABAP server. Verify SAP user access rights (authorization profiles). Verify whether the SNC name is configured correctly. Enable Secure Login Library trace and analyze the problem. For more information, see section 6.4 Enable Secure Login Library Trace. If the error messages Couldnt acquire DEFAULT INITIATING credentials is displayed,
166
09/2021
6 Troubleshooting
verify whether the environment variable SECUDIR is configured correctly for the user who is starting the SAP server. Verify the installation of Secure Login Library in section 2.1.1 Secure Login Library.
6.3 Enable Secure Login Server Trace

Choose the Server Configuration node in the left-hand pane of the Administration Console and enable the trace option. Define the value true for the parameter Enable Server Trace and restart the Secure Login Server application. The trace file is written to the Default Trace of SAP NetWeaver. Logon to SAP NetWeaver Administrator and choose Problem Management, Log and Traces and Log Viewer. Choose the option Show View, General and Default Trace (Java). Secure Login Server can generate a large amount of trace output. For test systems, we recommend that you enable tracing. For production systems, we recommend that you disable tracing since this might result in unnecessary log files and impact performance. Deactivate the Secure Login Server Trace after you have analyzed the problem.
6.4 Enable Secure Login Library Trace

To enable the trace option, the files sec_log_file_filename.txt and sec_log_file_level.txt need to be created in the folder: Microsoft Windows %HOMEDRIVE%%HOMEPATH%\sec or C:\sec Unix/Linux $HOME/sec or /etc/sec
The file sec_log_file_filename.txt contains the name of the trace file. The name can contain %.PID.%, which is replaced by the process ID. A typical SAP Web AS creates multiple work processes, so use this feature to avoid parallel access to the same file by all processes. Microsoft Windows Example sec_log_file_filename.txt C:\sec\log-%.PID.%.txt
09/2012
167
6 Troubleshooting
Unix/Linux Example sec_log_file_filename.txt /etc/sec/log-%.PID.%.txt
The file sec_log_file_level.txt contains the trace level as a single digit. Example sec_log_file_level.txt 4 Value 0 1 2 3 4 Details No trace Errors Errors and warnings Errors, warnings and logs Errors, warnings, logs and information
6.5 Secure Login Server Lock and Unlock

Secure Login Server locks itself when it detects a serious problem such as authentication server failure that affects all clients. To unlock the server or server instance, use the Unlock button in the Secure Login Administration Console or delete the lock file. Secure Login Server uses the following files to lock the server or server instance: PseServer.lock This file is used to lock the entire server. The server lock is only applied if the Configuration.properties file cannot be read. The LockDir property in the web.xml file is used to apply the server lock. The PseServer.lock file is written to the following folder: Microsoft Windows <INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\ Instances Linux /usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances PseInstance<instance_number>.lock If the Configuration.properties file can be read by Secure Login Server and a lock becomes necessary, Secure Login Server creates an instance-based lock. The directory for the instance-based lock is specified by the property LockDir in Configuration.properties.
168
09/2021
6 Troubleshooting
The PseInstance<instance_number>.lock file is written to the folder: Microsoft Windows <INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\ Instances\<instance_number>\ Linux /usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances/<i nstance_number>/ Analyze and solve the problem, before deleting the lock file or changing the status in Secure Login Administration Console (use the Unlock button).
6.6 Access Denied Replies

This problem applies only to Microsoft Windows operating systems. Problem The Secure Login Server is returning a large amount of Access Denied replies to the Secure Login Client during heavy load. Explanation The reason for this behavior is that after a TCP/IP socket has been used for communication, and this connection is closed down after the communication has taken place, the OS keeps this socket for some time until it releases it again for its next use. This means that the parameter TcpTimedWaitDelay is set too high and must be changed. For more information, see the following Microsoft page:
http://technet2.microsoft.com/windowsServer/en/library/38b8bf76-b7d3-473c84e8-e657c0c619d11033.mspx):
Solution Open regedit and locate the parameter TcpTimedWaitDelay under: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters Set the value for TcpTimedWaitDelay to 30 seconds
6.7 Internal Server Message

Use Case
You tried to authenticate to an AS Java using a login module stack, but did not succeed. After a number of unsuccessful authentication attempts, an Internal server message is displayed. A reason for this error could be an ICM timeout error. For more information, see 4.14 Setting Failover Timeouts of the Login Modules and Internet Communication Manager (ICM) in the SAP Library under Administration of the Internet Communication Manager > Additional Profile Parameters > icm/conn_timeout.
09/2012
169
6 Troubleshooting
6.8 Error Codes

This chapter describes the error codes and return codes, their meaning and possible corrections.
6.8.1 Secure Login Server Error Codes

Error Code JAAS_LDAP_ ERROR Description Authentication fails due to configuration errors of the login module for LDAP or timing problems on the network. Authentication fails due to configuration errors of the login module for RADIUS or timing problems on the network. Authentication successful. Authentication denied. Solution Verify configuration of Login Module for LDAP. If using LDAPS, make sure that its CA certificate is imported into Trust store of Secure Login Server. Verify configuration of Login Module for LDAP. Check if the RADIUS server is up and running. N/A (result only) N/A (result only)
JAAS_RADIUS_ ERROR
AUTH_RESULT_ ACTION_OK_MSG AUTH_RESULT_ ACTION_DENIED_ MSG NEW_PIN_REPLY_ ACCEPTED_MSG NEW_PIN_REPLY_ REJECTED_MSG AUTH_SERVER_ TIMEOUT_MSG
The new PIN/password was accepted. A new PIN/password is required If the login module cannot establish a connection to the authentication server a timeout error will be set.
N/A (result only) N/A (result only) Possible reasons for this error may be one of the following: Unable to establish an SNC connection to the SAP server: Secure Login Server SAP user is not properly configured. Secure Login Server SAP user does not have required permissions. Faulty SNC configuration for the Secure Login Server. Timeout in the network connection. Authentication server is down.
CERT_CREATE_ ERROR
An error occurred while trying to create a new
Verify certificate in Certificate Management.
170
09/2021
6 Troubleshooting
certificate. CERT_INIT_ ERROR An error occurred while accessing the resources needed for this process, that is, the PSE used. An error occurred inside the PSE admin Server.
Verify parameter PseName in Instance Management. Make sure that the configuration file Configuration.properties contains the correct name, password, and aliases for the specific PSE. Verify certificate in Certificate Management. Verify parameter PseName in Instance Management. Make sure the application has the access rights to write to, or create the specified log directory, and that there is enough disk space.
PSE_ADMIN_ ERROR
PSE_ARCHIVE_ ERROR
This code may be due to insufficient disk space when writing/creating the log file due to insufficient disk space, or no write access and so on. This code can indicate a problem while creating an outgoing message. An error occurred while handling a client request.
PSE_CREATE_ ERROR
Make sure that the configuration Configuration.properties file contains all mandatory entries. Verify certificate in Certificate Management. Verify parameter PseName in Instance Management. Make sure the URL is set correctly to the Configuration.properties file.
PSE_HANDLING_ ERROR
PSE_INIT_ ERROR
May be caused when initializing the servlets. This is usually the case when the Secure Login Server configuration could not be read, either because the configuration URL is not set in the configuration file of the servlet engine or the file could not be found under the specified URL. Occurs when the servlet cannot send its response to the client due to network problems. An error occurred with the PSE Server.
PSE_IO_ ERROR
Make sure the network is configured correctly and running.
PSE_SERVER_ ERROR
Verify certificate in Certificate Management. Verify parameter PseName in Instance Management. Check in the login module configuration that the timeout value is high enough.
PSE_SERVER_ TIMEOUT
The client session timed out.
09/2012
171
6 Troubleshooting
6.8.2 Secure Login Web Client Error Codes

Error Code Client Error 0x02 Error Message Insecure HTTP connection to Secure Login Server is rejected. Checksum error in local or remote Secure Login Web Client libraries. Description Attempted buildup of an HTTP connection instead of a (secured) HTTPS connection. This error occurs when a user is working online during an update from SAP NetWeaver Single Sign-On 1.0 SP1 or SP2 to a higher support package. During an update, the native libraries must be updated. The user might lock a directory, and thus block the update process from replacing the files. To remedy the error, restart your browser, log off from SAP GUI, and log on again. This removes the locking mechanism. If the error persists, we recommend that you switch on logging and have a look at the log file to get more information about the cause of the error. If this error persists, the native libraries on your server system might be manipulated. In the log file on client side, you can see which file is corrupted. Check the Secure Login Server installation for consistency. Client Error 0x04 Unknown or untrustworthy Secure Login Server user certificate issuer is rejected. PKI checking error. A root CA from the user CA of the Secure Login Server must be available in the Microsoft Trusted Root Certification Authorities This error only occurs in Microsoft Windows operating systems.
Client Error 0x03
Client Error 0x01
Please retry or contact your IT administrator.
In most cases this is a configuration error. We recommend that you switch
172
09/2021
6 Troubleshooting
on logging and have a look at the log file to get more information about the cause of the error. To remedy the error, it is generally sufficient to restart SAP GUI and your browser. Thus the configuration is newly read in.
6.8.3 SAP Stacktrace Error Codes

Runtime Error Code CALL_BACK_ENTRY_NOT_FOUND CALL_FUNCTION_DEST_TYPE CALL_FUNCTION_NO_SENDER CALL_FUNCTION_DESTINATION_NO_T Description The called function module is not released for RFC. The type of the destination is not allowed. Current function is not called remotely. Missing communication type (I for internal connection, 3 for ABAP) when executing an asynchronous RFC. The specified destination does not exist. Maximum length of options for the destination exceeded. The specified destination (in load distribution mode) does not exist. Data received for unknown CPI-C connection. The function module being called is not flagged as being remotely callable. While executing an RFC, an error occurred that has been logged in the calling system. Logon data for the user is incomplete. Logon attempt in the form of an internal call in a target system not allowed. RFC from external program without valid user ID. Logon attempt in target system without valid user ID. This error code may have any of the following meanings: - Incorrect password or invalid user ID. - User locked. - Too many logon attempts. - Error in authorization buffer (internal
CALL_FUNCTION_NO_DEST CALL_FUNCTION_OPTION_OVERFLOW CALL_FUNCTION_NO_LB_DEST CALL_FUNCTION_NO_RECEIVER CALL_FUNCTION_NOT_REMOTE CALL_FUNCTION_REMOTE_ERROR CALL_FUNCTION_SIGNON_INCOMPL CALL_FUNCTION_SIGNON_INTRUDER CALL_FUNCTION_SIGNON_INVALID CALL_FUNCTION_SIGNON_REJECTED
09/2012
173
6 Troubleshooting
CALL_FUNCTION_SINGLE_LOGIN_REJ
error). No external user check. Invalid user type. Validity period of the user exceeded.
No authorization to log on as a trusted system. The error code may have any of the following meanings: - Incorrect logon data for valid security ID. - Calling system is not a trusted system or security ID is invalid. - Either the user does not have RFC authorization (authorization object S_RFCACL), or a logon was performed using one of the protected users DDIC or SAP*. - Time stamp of the logon data is invalid. RFC without valid user ID only allowed when calling a system function module. The meaning of the error codes is the same as for CALL_FUNCTION_SINGLE_LOGIN_REJ. Data error (info internal table) during a RFC. No memory available for table being imported. For asynchronous RFC only: task name is already being used. For asynchronous RFC only: the specified task is already open. No RFC authorization. No trusted authorization for RFC caller and trusted system. No valid trusted entry for the calling system. No RFC authorization for user. Destination BACK is not permitted in current program. Destination BACK is not permitted in current program. Error while evaluating RFC destination. Error while evaluating RFC destination. Type conflict while transferring table. No memory available for creating a local internal table. Type conflict while transferring structure.
CALL_FUNCTION_SYSCALL_ONLY
CALL_FUNCTION_TABINFO CALL_FUNCTION_TABLE_NO_MEMORY CALL_FUNCTION_TASK_IN_USE CALL_FUNCTION_TASK_YET_OPEN CALL_FUNCTION_NO_AUTH CALL_RPERF_SLOGIN_AUTH_ERROR CALL_RPERF_SLOGIN_READ_ERROR RFC_NO_AUTHORITY CALL_FUNCTION_BACK_REJECTED CALL_XMLRFC_BACK_REJECTED CALL_FUNCTION_DEST_SCAN CALL_FUNCTION_DEST_SCAN CALL_FUNCTION_CONFLICT_TAB_TYP CALL_FUNCTION_CREATE_TABLE CALL_FUNCTION_UC_STRUCT
174
09/2021
6 Troubleshooting
CALL_FUNCTION_DEEP_MISMATCH CALL_FUNCTION_WRONG_VALUE_LENG CALL_FUNCTION_PARAMETER_TYPE CALL_FUNCTION_ILLEGAL_DATA_TYP CALL_FUNCTION_ILLEGAL_INT_LEN CALL_FUNCTION_ILL_INT2_LENG CALL_FUNCTION_ILL_FLOAT_FORMAT CALL_FUNCTION_ILL_FLOAT_LENG CALL_FUNCTION_ILLEGAL_LEAVE CALL_FUNCTION_OBJECT_SIZE CALL_FUNCTION_ROT_REGISTER
Type conflict while transferring structure. Invalid data type while transferring parameters. Invalid data type while transferring parameters. Invalid data type while transferring parameters. Type conflict while transferring an integer. Type conflict while transferring an integer. Type conflict while transferring a floating point number. Type conflict while transferring a floating point number. Invalid LEAVE statement on RFC Server. Type conflict while transferring a reference. Type conflict while transferring a reference.
09/2012
175
7 List of Abbreviations
Abbreviation ADS CA CAPI CSP DN EAR HTTP HTTPS IAS JAAS JSPM LDAP NPA PIN PKCS PKCS#10 PKCS#11 PKCS#12 PKI PSE RADIUS RFC RSA SAR SCA SLAC SLC SLL SLS SLWC SNC SSL Meaning Active Directory Service Certification Authority Microsoft Crypto API Cryptographic Service Provider Distinguished Name Enterprise Application Archive Hyper Text Transport Protocol Hyper Text Transport Protocol with Secure Socket Layer (SSL) Internet Authentication Service (Microsoft Windows Server 2003) Java Authentication and Authorization Service Java Support Package Manager Lightweight Directory Access Protocol Network Policy and Access Services (Microsoft Windows Server 2008) Personal Identification Number Public Key Cryptography Standards Certification Request Standard Cryptographic Token Interface Standard Personal Information Exchange Syntax Standard Public Key Infrastructure Personal Security Environment Remote Authentication Dial-In User Service Remote function call (SAP NetWeaver term) Rivest, Shamir and Adleman SAP Archive Software Component Archive Secure Login Administration Console Secure Login Client Secure Login Library Secure Login Server Secure Login Web Client Secure Network Communication (SAP term) Secure Socket Layer
176
09/2021
UPN WAR WAS
User Principal Name Web Archive Web Application Server
09/2012
177
8 Glossary
8 Glossary
Authentication
A process that checks whether a person is really who they are. In a multi-user or network system, authentication means the validation of a users logon information. A users name and password are compared against an authorized list.
Base64 encoding
The Base64 encoding is a three-byte to four-characters encoding based on an alphabet of 64 characters. This encoding has been introduced in PEM (RFC1421) and MIME. Other uses include HTTP Basic Authentication Headers and general binary-to-text encoding applications. Note: Base64 encoding expands binary data by 33%, which is quite efficient
CAPI
See Cryptographic Application Programming Interface
Certificate
A digital identity card. A certificate typically includes:

The public key being signed. A name which can refer to a person, a computer, or an organization. A validity period. The location (URL) of a revocation center. The digital signature of the certificate produced by the private key of the CA.
The most common certificate standard is the ITU-T X.509.
Certification Authority (CA)

An entity which issues and verifies digital certificates for use by other parties.
Certificate Store
Sets of security certificates belonging to user tokens or certification authorities.
CREDDIR
A directory on the Server in which information is placed that goes beyond the PSE (personal security environment).
Credentials
Used to establish the identity of a party in communication. Usually they take the form of machine-readable cryptographic keys and/or passwords. Cryptographic credentials may be self-issued, or issued by a trusted third party; in many cases the only criterion for issuance is unambiguous association of the credential with a specific, real individual or other entity. Cryptographic credentials are often designed to expire after a certain period,
178
09/2021
8 Glossary
although this is not mandatory. Credentials have a defined time to live (TTL) that is configured by a policy and managed by a Client service process.
Cryptographic Application Programming Interface (CAPI)

The Cryptographic Application Programming Interface (also known variously as CryptoAPI, Microsoft Cryptography API, or simply CAPI) is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography. It is a set of dynamically-linked libraries that provides an abstraction layer which isolates programmers from the code used to encrypt the data. Cryptographic Token Interface Standard A standardized crypto-interface for devices that contain cryptographic information or that perform cryptographic functions.
Directory Service
Provides information in a structured format. Within a PKI: Contains information about the public key of the user of the security infrastructure, similar to a telephone book (e.g. a X.500 or LDAP directory).
Distinguished Name (DN)

A name pattern that is used to create a globally unique identifier for a person. This name ensures that a certificate is never created for different people with the same name. The uniqueness of the certificate is additionally ensured by the name of the issuer of the certificate (that is, the Certification Authority) and the serial number. All PKI users require a unique name. Distinguished Names are defined in the ISO/ITU X.500 standard.
Key Usage
Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For example, if you have a key used only for signing, enable the digital signature and/or non-repudiation extensions. Alternatively, if a key is used only for key management, enable key encipherment.
Key Usage (extended)

Extended key usage further refines key usage extensions. An extended key is either critical or non-critical. If the extension is critical, the certificate must be used only for the indicated purpose or purposes. If the certificate is used for another purpose, it is in violation of the CA's policy. If the extension is non-critical, it indicates the intended purpose or purposes of the key and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. The extension is then only an informational field and does not imply that the CA restricts use of the key to the purpose indicated. Nevertheless, applications that use certificates may require that a particular purpose be indicated in order for the certificate to be acceptable.
Lightweight Directory Access Protocol (LDAP)

A network protocol designed to extract information such as names and e-mail addresses
09/2012
179
8 Glossary
from a hierarchical directory such as X.500.
Login Module Stack (Authentication Stack)

List of login modules containing authentication logic that is assigned to a component. When a user is authenticated on the J2EE Engine, the server sequentially processes the login module stack that applies to the component that the user accesses. It is possible to assign different login module stacks to different components, thus enabling pluggable authentication.
PKCS#11
PKCS refers to a group of Public Key Cryptography Standards devised and published by RSA Security. PKCS#11 is an API defining a generic interface to cryptographic tokens.
PEM
See Privacy Enhanced Mail.
Personal Identification Number (PIN)

A unique code number assigned to the authorized user.
Personal Information Exchange Syntax Standard

Specifies a portable format for saving or transporting a users private keys, certificates, and other secret information.
Personal Security Environment

The PSE is a personal security area that every user requires to work with. A PSE is a security token container with security-related information. This includes the certificate and its secret private key. The PSE can be either an encrypted file or a Smart Card and is protected with a password.
PIN
See Personal Identification Number.
Privacy-Enhanced Mail (PEM)

The first known use of Base64 encoding for electronic data transfer was the Privacyenhanced Electronic Mail (PEM) protocol, proposed by RFC 989 in 1987. PEM defines a "printable encoding" scheme that uses Base64 encoding to transform an arbitrary sequence of octets to a format that can be expressed in short lines of 7-bit characters, as required by transfer protocols such as SMTP. The current version of PEM (specified in RFC 1421) uses a 64-character alphabet consisting of upper- and lower-case Roman alphabet characters (AZ, az), the numerals (09), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code. The original specification additionally used the "*" symbol to delimit encoded but unencrypted data within the output stream.
Public FSD
180
09/2021
8 Glossary
Public file system device. An external storage device that uses the same file system as the operating system.
Public Key Cryptography Standards

A collection of standards published by RSA Security Inc. for the secure exchange of information over the Internet.
Public Key Infrastructure

Comprises the hardware, software, people, guidelines, and methods that are involved in creating, administering, saving, distributing, and revoking certificates based on asymmetric cryptography. Is often structured hierarchically. In X.509 PKI systems, the hierarchy of certificates is always a top-down tree, with a root certificate at the top, representing a CA that does not need to be authenticated by a trusted third party.
Root Certification Authority

The highest Certification Authority in a PKI. All users of the PKI must trust it. Its certificate is signed with a private key. There can be any amount of CAs between a user certificate and the root Certification Authority. To check foreign certificates, a user requires the certificate path as well as the root certificate.
Root certification
The certificate of the root CA.
RSA
An asymmetric, cryptographically procedure, developed by Rivest, Shamir, and Adleman in 1977. It is the most widely-used algorithm for encryption and authentication. Is used in many common browsers and mail tools. Security depends on the length of the key: key lengths of 1024 bits or higher are regarded as secure.
Secure Network Communications

A module in the SAP NetWeaver system that deals with the communication with external, cryptographically libraries. The library is addressed using GSS API functions and provides NetWeaver components with access to the security functions.
Secure Sockets Layer

A protocol developed by Netscape Communications for setting up secure connections over insecure channels. Ensures the authorization of communication partners and the confidentiality, integrity, and authenticity of transferred data.
Single Sign-On
A system that administrates authentication information allowing a user to logon to systems and open programs without the need to enter authentication every time (automatic authentication).
09/2012
181
8 Glossary
Token
A security token (or sometimes a hardware token, authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens. Smart-card-based USB tokens (which contain a Smart Card chip inside) provide the functionality of both USB tokens and Smart Cards. They enable a broad range of security solutions and provide the abilities and security of a traditional Smart Card without requiring a unique input device (Smart Card reader). From the computer operating systems point of view such a token is a USB-connected Smart Card reader with one non-removable Smart Card present. Tokens provide access to a private key that allows performing cryptographic operations. The private key may be persistent (like a PSE file, Smart Card, and CAPI container) or non-persistent (like temporary keys provided by Secure Login).
Microsoft Windows Credentials

A unique set of information authorizing the user to access the Microsoft Windows operating system on a computer. The credentials usually comprise a user name, a password, and a domain name (optional).
X.500
A standardized format for a tree-structured directory service.
X.509
A standardized format for certificates and blocking list.
182
09/2021

Guia NW SSO Version 1.0

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Guia NW SSO Version 1.0

Diunggah oleh

Hak Cipta:

Format Tersedia

Installation, Configuration and Administration Guide SAP NetWeaver Single-Sign-On SP4 Secure Login Server

PUBLIC Document Version: 1.6 September 2012

Terms for Included Open Source Software

2 Secure Login Server Installation ..................................................... 25

3.3 Server Configuration............................................................................ 54

3.4 Instance Management .......................................................................... 92

3.5 Console Users .................................................................................... 124

4 Other Configurations ...................................................................... 129

4.10 Secure Login Client Policy and Profiles ......................................... 145

5 Configuration Examples ................................................................. 158

6 Troubleshooting .............................................................................. 165

7 List of Abbreviations ...................................................................... 176 8 Glossary ........................................................................................... 178

1 What is Secure Login?

1 What is Secure Login?

1 What is Secure Login?

1.1 System Overview

1 What is Secure Login?

1.2 System Overview with Security Token

Main System Components

PKI Infrastructure Smart Card, USB Token Microsoft Crypto Store

Secure Login Client

Kerberos Infrastructure Kerberos Token

SAP NetWeaver Platform Secure Login Library

Authentication and secure communication

1 What is Secure Login?

Workflow for X.509 Certificates

Secure Login Client

3 Unlock Security Token

1 What is Secure Login?

Workflow for Kerberos Token

1 What is Secure Login?

1.3 System Overview with Secure Login Server

Main System Components

1 What is Secure Login?

Workflow with X.509 Certificate Request

1 What is Secure Login?

Figure: Instances Examples

1 What is Secure Login?

1.5 PKI Structure

Out-of-the-Box PKI Secure Login Server

Figure: Secure Login Server PKI Structure

Figure: Secure Login Server Integration with an Existing PKI

1 What is Secure Login?

1.6 Secure Communication

Figure: Secure Communication

Technology Used for Secure Communication

1 What is Secure Login?

1.7 Policy Server Overview

Figure: Default Application Context and Profile

1 What is Secure Login?

1.8 Secure Login Web Client

1.8.1 Export Restrictions

1 What is Secure Login?

1.8.2 Setting User Environment Variables

1.8.3 Web Client Security Features

Forced Use of HTTPS

1 What is Secure Login?

PKI Check before Storing in Microsoft Certificate Store

2 Secure Login Server Installation

2 Secure Login Server Installation

Optional: Secure Login Library

Secure Login Web Client Operating systems

2 Secure Login Server Installation