2012 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Third-party components:

- Prototype JavaScript Framework, http://www.prototypejs.org/, Copyright (c) 2005-2010 Sam Stephenson, distributed under an MIT-style permission notice.
- stringutils, http://sourceforge.net/projects/stringutils/, Copyright (c) 2006 Andrea S. Gozzi, Valerio Romeo, distributed under an MIT-style permission notice.
- opencsv 1.7.1, http://opencsv.sourceforge.net/, distributed under the Apache License Version 2.0, January 2004, http://www.apache.org/licenses/.

Any Java source code delivered with this product is only to be used by SAP Support Services and may not be modified or altered in any way.
Typographic Conventions

- Example text (bold): Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.
- Example text (italic): Emphasized words or phrases in body text, graphic titles, and table titles.
- EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
- Example text (monospace): Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
- Example text (bold monospace): Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
- <Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
- EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

The following icons are used: Caution, Example, Note, Recommendation, Syntax. Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help, General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Contents

1 What is Secure Login? ... 11
1.1 System Overview ... 12
1.2 System Overview with Security Token ... 13
1.3 System Overview with Secure Login Server ... 16
1.4 Instances ... 18
1.5 PKI Structure ... 19
1.6 Secure Communication ... 20
1.7 Policy Server Overview ... 21
1.8 Secure Login Web Client ... 22
1.8.1 Export Restrictions ... 22
1.8.2 Setting User Environment Variables ... 23
1.8.3 Web Client Security Features ... 23
2.2 Secure Login Server Installation with Telnet ... 29
2.3 Secure Login Server Installation with JSPM ... 30
2.4 Secure Login Server Uninstallation ... 33
2.5 Updating the Secure Login Server to SP4 ... 33
2.6 Initial Configuration Wizard ... 34
2.6.1 Initial Configuration ... 34
2.6.2 Enable Remote Access for Initial Wizard ... 49
2.6.3 Configure SSH Tunnel ... 50
3 Administration ... 51
3.1 Logon to Administration Console ... 51
3.2 Welcome Page ... 52
3.2.1 Change Password ... 53
09/2021
3.4.6 Archiving Certificate Requests and Issued Certificates ... 100
3.4.7 Configuring a Distinguished Name with SPNego Login Module ... 102
3.4.8 Instance Configuration: Client Configuration ... 103
3.4.9 Instance Configuration: Instance Log Configuration ... 113
3.4.10 Instance Configuration: Instance Check ... 118
3.4.11 Instance Configuration: Instance Status ... 119
3.4.12 Create a New Instance ... 120
4.5 Customize Secure Login Web Client ... 138
4.6 Configure SSL Certificate Logon ... 139
4.7 Configure External Login ID ... 139
4.8 Emergency Recovery Tool ... 139
4.9 Monitoring ... 143
4.9.1 Web Service Status ... 143
4.9.2 XML Interface ... 143
4.11 Integrate into Existing PKI ... 150
4.12 Configuring Secure Login Servers as Failover Servers for High Availability ... 151
4.13 Configuring Login Module Stacks as Failover Servers in SAP NetWeaver ... 153
4.13.1 Configuration of SAP NetWeaver AS Java ... 154
4.13.2 Configuration of the Secure Login Server ... 155
4.14 Setting Failover Timeouts of the Login Modules ... 156
4.15 Custom Use of Login Module with Login Module Stacks ... 156
6.2 Secure Login Server SNC Problem ... 166
6.3 Enable Secure Login Server Trace ... 167
6.4 Enable Secure Login Library Trace ... 167
6.5 Secure Login Server Lock and Unlock ... 168
6.6 Access Denied Replies ... 169
6.7 Internal Server Message ... 169
6.8 Error Codes ... 170
6.8.1 Secure Login Server Error Codes ... 170
6.8.2 Secure Login Web Client Error Codes ... 172
6.8.3 SAP Stacktrace Error Codes ... 173
- Microsoft Windows domain (Active Directory Server)
- RADIUS server
- LDAP server
- RSA SecurID token
- SAP NetWeaver server
- Smart Card authentication
If a PKI has already been set up, the digital user certificates of the PKI can also be used by Secure Login. Secure Login also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) with SSL.
Secure Login Server: Central service that provides X.509v3 certificates (out-of-the-box PKI) to users and application servers. The Secure Login Web Client is also provided.

Secure Login Library: Crypto library for the SAP NetWeaver ABAP system. Secure Login Library supports both X.509 and Kerberos technology.

Secure Login Client: Client application that provides security tokens (Kerberos and X.509 technology) for a variety of applications.

You do not necessarily need to install all components. This depends on the use case. For further information about Secure Login Client and Secure Login Library see the corresponding Installation, Configuration and Administration Guide.
The Secure Login Client is split into the following variants:

Secure Login Client

Secure Login Client can either be used with an existing public key infrastructure (PKI) or together with the Secure Login Server. You can use it for certificate-based authentication without being obliged to set up a PKI. The stand-alone Secure Login Client can use the following authentication methods:

- Smart cards and USB tokens with an existing PKI certificate: Secure Login Server and Authentication Server are not necessary.
- Microsoft Crypto Store with an existing PKI certificate: Secure Login Server and Authentication Server are not necessary.
- Microsoft Windows credentials: The Microsoft Windows domain credentials (Kerberos token) can be used for authentication. The Microsoft Windows credentials can also be used to receive a user X.509 certificate from the Secure Login Server.
- User name and password (several authentication mechanisms): The Secure Login Client prompts the user for a user name and a password and uses these credentials for authentication at the Secure Login Server to receive an X.509 certificate for the user.

All of these authentication methods can be used in parallel. A policy server provides authentication profiles that specify how to log on to the desired SAP system.

Secure Login Web Client

This client is based on a Web browser (Web GUI) and is part of the Secure Login Server. The Secure Login Web Client has the same authentication methods as the stand-alone Secure Login Client, but with the following limitations:

- Limited integration with the client environment (interaction required)
- Limited client policy configuration
Figure: Secure Login System Environment with Existing PKI and Kerberos (security token, SAP GUI, Web GUI)

The Secure Login Client is responsible for the certificate-based authentication and the Kerberos-based authentication to the SAP application server.
Authentication Methods
In a system environment without Secure Login Server, the Secure Login Client supports the following authentication methods:
- Smart Card and USB tokens with an existing PKI certificate
- Microsoft Crypto Store (Certificate Store)
- Kerberos token
Figure: Principal Workflow (PKI infrastructure; security token: smart card, USB token, Microsoft Crypto Store; SAP NetWeaver Platform with Secure Login Library)

1. Upon connection start, the Secure Login Client retrieves the SNC name from the desired SAP server system.
2. The Secure Login Client uses the authentication profile for this SNC name.
3. The user unlocks the security token by entering the PIN or password.
4. The Secure Login Client receives the X.509 certificate from the user security token.
5. The Secure Login Client provides the X.509 certificate for SAP single sign-on and secure communication between SAP client and SAP server.
6. The user is authenticated and the communication is secured.

Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto engines. The Crypto Service Provider (CSP) from SAP is such a plug-in. It provides the user keys to all CAPI-enabled applications.
Figure: Principal Workflow, Kerberos Authentication

1. Upon connection start, the Secure Login Client retrieves the SNC name (Service Principal Name) from the respective SAP server system.
2. The Secure Login Client requests a Kerberos service token for this service principal from the Ticket Granting Service.
3. The Secure Login Client receives the Kerberos service token.
4. The Secure Login Client provides the Kerberos service token for SAP single sign-on and secure communication between SAP client and SAP server.
5. The user is authenticated and the communication is secured.
Figure: Secure Login System Environment

The Secure Login Client is responsible for the certificate-based logon to the SAP application server and for the encryption of the SAP client/server communication. The Secure Login Server is the central server component that connects all parts of the system. It authenticates the user against an authentication server and provides the Secure Login Client with a short-term certificate. The Secure Login Server is a pure Java application. It consists of a servlet and a set of associated classes and shared libraries, and it is installed on an SAP NetWeaver application server. The Secure Login Server also provides client authentication profiles to the Secure Login Client, which allows flexible user authentication configurations (for example, which authentication type is used for which SAP application server).
Authentication Methods
Secure Login supports several authentication methods. It uses the Java Authentication and Authorization Service (JAAS) as a generic interface for the different authentication methods. For each supported method, there is a corresponding configurable JAAS module. The following authentication methods are supported:
- Microsoft Active Directory Service (ADS)
- RADIUS
- RSA SecurID token
- LDAP
- SAP ID-based logon
- SAP NetWeaver AS Java User Management Engine
- SAP NetWeaver AS Java SPNego
Figure: Principal Workflow

1. Upon connection start, the Secure Login Client gets the SNC name from the desired SAP server system.
2. The Secure Login Client uses the client policy for this SNC name.
3. The Secure Login Client receives the user login credentials.
4. The Secure Login Client generates a certificate request.
5. The Secure Login Client sends the user credentials and the authentication request to the Secure Login Server.
6. The Secure Login Server forwards the user credentials to the authentication server and receives a response indicating whether the user credentials are valid or not.
7. If the user credentials are valid, the Secure Login Server generates a user certificate (certificate response) and provides it to the Secure Login Client.
8. The Secure Login Client provides the certificate to SAP GUI.
9. The user certificate is used to perform authentication, single sign-on, and secure communication between SAP client and server.
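Step 2 of this workflow, and step 2 of the security-token workflow in 1.2, map the SNC name of the target server to an authentication profile. The following Python is an added example of that mapping and is not SAP code: it classifies an SNC printable name as either a Kerberos service principal or an X.509 distinguished name, then selects the first profile whose pattern matches and whose method fits that kind, refusing names without the "p:" prefix and returning None where no suitable profile exists. The profile table, its field names, the wildcard pattern syntax and the realm and DN values are assumptions made for illustration.

```python
"""Map an SNC name to a Secure Login authentication profile.

Added example, not SAP code. Assumptions: SNC printable names carry the
"p:" prefix; a Kerberos target looks like "p:CN=SAPServiceSID@REALM" and
an X.509 target is a distinguished name such as "p:CN=sapsrv, O=Example,
C=DE". The profile table and its field names are hypothetical.
"""
import fnmatch
import re

# Hypothetical authentication profiles keyed by an SNC-name pattern.
# Order matters: the first matching pattern wins, so the most specific
# patterns come first and the catch-all last.
PROFILES = [
    {"pattern": "p:CN=SAPService*@CORP.EXAMPLE", "method": "kerberos",
     "token_source": "windows_credentials"},
    {"pattern": "p:CN=*, O=Example, C=DE", "method": "x509",
     "token_source": "smart_card"},
    {"pattern": "p:CN=*", "method": "x509",
     "token_source": "secure_login_server", "sls_instance": "default"},
]

# service@REALM with no commas or further attributes: a Kerberos SPN.
_SPN_RE = re.compile(r"^CN=(?P<service>[^@,=]+)@(?P<realm>[A-Za-z0-9.-]+)$")


def parse_snc_name(snc_name):
    """Classify an SNC name as a Kerberos SPN or an X.509 DN.

    Returns a dict with 'kind' ('kerberos' or 'x509') plus the parsed
    fields; raises ValueError for names without the 'p:' prefix or with a
    malformed DN. DN parsing splits on commas only, which is enough for the
    names used here but not for DNs with escaped commas.
    """
    if not snc_name.startswith("p:"):
        raise ValueError(f"SNC name must start with 'p:': {snc_name!r}")
    body = snc_name[2:].strip()
    m = _SPN_RE.match(body)
    if m:
        return {"kind": "kerberos", "service": m.group("service"),
                "realm": m.group("realm")}
    rdns = {}
    for part in body.split(","):
        if "=" not in part:
            raise ValueError(f"malformed DN component {part!r} in {snc_name!r}")
        key, value = part.split("=", 1)
        rdns[key.strip().upper()] = value.strip()
    if "CN" not in rdns:
        raise ValueError(f"X.509 SNC name without CN: {snc_name!r}")
    return {"kind": "x509", "dn": rdns}


def select_profile(snc_name, profiles=PROFILES):
    """Pick the authentication profile for the server's SNC name.

    A profile whose method does not fit the name's kind (for example an
    X.509 profile for a Kerberos SPN) is skipped even if its pattern
    matches. None means: no profile, do not attempt a logon.
    """
    parsed = parse_snc_name(snc_name)
    for profile in profiles:
        if not fnmatch.fnmatchcase(snc_name, profile["pattern"]):
            continue
        if profile["method"] != parsed["kind"]:
            continue
        return profile
    return None


if __name__ == "__main__":
    for name in ("p:CN=SAPServiceABC@CORP.EXAMPLE",
                 "p:CN=sapsrv, O=Example, C=DE",
                 "p:CN=SAPServiceABC@OTHER.REALM"):
        print(name, "->", select_profile(name))
```

The method check is the part worth keeping when adapting this: a catch-all X.509 pattern such as "p:CN=*" would otherwise also match a Kerberos SPN, and a client that then tried certificate logon against a Kerberos-only server would fail late and confusingly instead of refusing up front.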
1.4 Instances
The Secure Login instances feature allows multiple instances to run on the same server. The main advantage of using instances is that the effort for maintaining Secure Login is reduced to a minimum. Secure Login Server instances can share a common user CA certificate, or you can set an individual user CA certificate (PKI) for each instance. The Secure Login Client authentication profiles can be configured to use different Secure Login Server instances for different authentication methods.
It is still possible to use several Secure Login Servers and/or authentication servers for failover. The Secure Login Server can connect to more than one authentication server.
PKI Integration
As the Secure Login Server is based on the industry standard X.509v3, it is possible to integrate the Secure Login Server into an existing PKI. The minimum requirement is to provide a user CA certificate to the Secure Login Server.
Browser-based authentication (including all authentication server support)
Support for SAP GUI for Microsoft Windows and SAP GUI for Java
Certificate store support for Microsoft Internet Explorer and Mozilla Firefox browser
URL redirect
X.509 authentication support to SAP Web application server
Localization and customization of HTML pages and applet messages
Differences between Secure Login Client and Secure Login Web Client:
With Secure Login Client the required security library is available. With Secure Login Web Client the security library needs to be downloaded in a Web browser application.
With Secure Login Client, the authentication process and secure communication can be triggered on demand (for example, in SAP GUI). The Secure Login Web Client triggers an authentication process and secure communication. After the authentication process, the Secure Login Web Client starts the SAP GUI.
Use Case
The Secure Login Web Client is configured to perform authentication and create local credentials without starting an SAP GUI, for example, if the login process is embedded in a silent Web client. SAP GUI is started later, for example, with an SAP shortcut from the SAP Enterprise Portal. In this case the user environment variables SSF_LIBRARY_PATH, SNC_LIB, and CREDDIR must be set globally.
Solution
To enable the Secure Login Web Client to set the environment variables globally, an administrator has to make sure that the file userenv.registry exists in the following directory: \SecureLoginServer\servlet_jsp\SlsWebClient\root\DownloadPacks\WIN32 After that, SAP GUI is able to read the environment variables because SAP GUI starts later. If userenv.registry is available, the user environment variables CREDDIR, SNC_LIB, and SSF_LIBRARY_PATH are set globally by the Secure Login Web Client.
SAP-Signed Secure Login Web Client JAR Package to Protect SNC Libraries
To make sure that the files on the server and on the client are not manipulated, an SHA-256 checksum is in place. It prevents manipulation of the SNC libraries on the client side and on the server side. The SAP signature in the JAR file of the Secure Login Web Client applet protects the SHA-256 checksums against manipulation attempts. This makes sure that the SNC libraries are identical with those delivered in the Secure Login Server package. During a download of a Secure Login Web Client package, a check of the local files verifies whether the native SNC libraries have already been downloaded, even before the package is written to the hard disk. If the verification of the checksum fails, the files are deleted, and new files are downloaded from the server.
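The following Python example is added here and is not code from the SAP guide; it illustrates the integrity check described above: local library files are compared against expected SHA-256 checksums, files that are absent or fail the check are deleted, and their names are reported for re-download. The file names, the manifest format and all function names are assumptions made for this example.

```python
"""Added example, not code from the SAP guide: an integrity check of native SNC
library files against expected SHA-256 checksums, mirroring the download check
described above. File names, the manifest format and all function names are
assumptions made for this example."""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, List, Union

# A manifest maps a library file name to its expected SHA-256 hex digest.
# In the product the checksums are protected by the SAP signature on the
# applet JAR; here they are a plain dictionary built from a trusted copy.
Manifest = Dict[str, str]


def sha256_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large libraries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(trusted_dir: Path, names: List[str]) -> Manifest:
    """Compute expected checksums from a trusted copy (the server package)."""
    return {name: sha256_of_file(trusted_dir / name) for name in names}


def verify_libraries(lib_dir: Union[str, Path], manifest: Manifest) -> Dict[str, str]:
    """Return a status per manifest entry: 'ok', 'missing' or 'mismatch'."""
    lib_dir = Path(lib_dir)
    result: Dict[str, str] = {}
    for name, expected in manifest.items():
        target = lib_dir / name
        if not target.is_file():
            result[name] = "missing"
        elif hmac.compare_digest(sha256_of_file(target), expected.lower()):
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result


def reconcile(lib_dir: Union[str, Path], manifest: Manifest) -> List[str]:
    """Delete every library that is absent or fails its checksum and return the
    names that have to be downloaded again from the server."""
    lib_dir = Path(lib_dir)
    to_download: List[str] = []
    for name, status in verify_libraries(lib_dir, manifest).items():
        if status == "ok":
            continue
        target = lib_dir / name
        if target.exists():
            target.unlink()  # never keep a file whose checksum does not match
        to_download.append(name)
    return to_download


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a trusted server package and a client copy in which
    one library was modified and one is missing."""
    with tempfile.TemporaryDirectory() as tmp:
        server, client = Path(tmp) / "server", Path(tmp) / "client"
        server.mkdir()
        client.mkdir()
        contents = {  # constructed file names and contents
            "example_snc.dll": b"snc-library-bytes",
            "example_crypto.dll": b"crypto-library-bytes",
            "example_ssf.dll": b"ssf-library-bytes",
        }
        for name, data in contents.items():
            (server / name).write_bytes(data)
        manifest = build_manifest(server, list(contents))
        (client / "example_snc.dll").write_bytes(contents["example_snc.dll"])  # intact
        (client / "example_crypto.dll").write_bytes(b"modified bytes")         # tampered
        # example_ssf.dll is deliberately absent on the client
        before = verify_libraries(client, manifest)
        to_download = reconcile(client, manifest)
        still_present = sorted(p.name for p in client.iterdir())
        return {
            "before": [before[n] for n in contents],
            "to_download": to_download,
            "still_present": still_present,
        }


if __name__ == "__main__":
    print(demo())
```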
2.1 Prerequisites
This chapter describes the prerequisites and requirements for the installation of Secure Login Server. The SAP NetWeaver Application Server must be up and running.
Hardware Requirements
Secure Login Server: Details
Hard disk space: 50 MB of hard disk space, plus HDD space for log files
Random-access memory: 1 GB RAM at minimum
Software Requirements
Secure Login Server: Details
Application server: SAP NetWeaver CE 7.2; SAP NetWeaver 7.3; Enhancement package 1 for SAP NetWeaver 7.3
The Secure Login Library installation is optional and required for SAP user authentication only. The Secure Login Library will be used to establish secure communication to SAP NetWeaver Application Server ABAP to verify SAP credentials. For operating system support, see the Installation, Configuration and Administration Guide of the Secure Login Library.
Details
Operating system: Microsoft Windows 7, Vista, XP (32-bit); SUSE Linux Enterprise Desktop 11; Mac OS X 10.5, 10.6
Java: SUN Java 1.6 or higher browser plug-in
For more information, see the Product Availability Map of SAP NetWeaver Single Sign-On 1.0.
Check if the folder <ASJava_installation>\exe, which is used by Secure Login Library, is included in the Java library path. Verify the Java Library Path (libpath) in the trace file <ASJava_installation>\work\dev_jstart.
<ASJava_installation>\exe\snc.exe
Example: D:\usr\sap\ABC\J00\exe\snc.exe
As a result, you get further information about the Secure Login Library. The test is successful if the version is displayed.
Check if the folder <ASJava_installation>/exe, which is used by Secure Login Library, is included in the Java library path. Verify the Java library path (libpath) in the trace file <ASJava_installation>/work/dev_jstart.
<ASJava_installation>/exe/snc
Example: /usr/sap/ABC/J00/exe/snc
As a result, further information about the Secure Login Library should be displayed. The test is successful if the version is displayed.
3.) Deploy the Secure Login Server package:
deploy <source>\SECURE_LOGIN_SERVER0SP_0.sca
Microsoft Windows example: deploy D:\InstallSLS\SECURE_LOGIN_SERVER0SP_0.sca
The Secure Login Server application will be started automatically. Start the initial configuration described in section 2.6 Initial Configuration Wizard.
2.) Start the JSPM application (SAP Software Delivery Tool) on SAP NetWeaver Application Server.
Microsoft Windows: <ASJava_Installation>\j2ee\JSPM\go.bat
Linux: <ASJava_Installation>/j2ee/JSPM/go
3.) Log on to SAP NetWeaver AS Java with a user with administration privileges.
Welcome Page
In the welcome page a prerequisite check is performed. Verify all prerequisites. If everything is OK, choose Continue.
Figure: Initial Configuration Wizard Key file for server credentials encryption
Keep in mind that, in case the key file is changed or not available, it is not possible to log on to the Secure Login Administration Console. The Secure Login Server does not work anymore and is locked. After the configuration, choose Next to continue.
Administrator Account
Define the password for the administration user Admin.
Figure: Initial Configuration Wizard Administrator Account
Entries marked with * are mandatory.
Passwords used in Secure Login Server are restricted by the password policy definition:
Passwords cannot be empty.
Passwords must have a length between 8 and 20 characters.
Passwords must contain at least one uppercase letter.
Passwords must contain at least one lowercase letter.
Passwords must contain at least one digit.
Passwords must contain at least one special character.
After the configuration, choose Next to continue.
Figure: Initial Configuration Wizard Create Root CA
Entries marked with * are mandatory.
Details
Common Name*: Enter the common name of the certificate (CN). Example: Root CA SAP Security
Organization Unit: Enter the division of the company in this field (OU). Example: SAP Security Department
Organization: Enter the company name in this field (O). Example: Company xyz
Locality: Enter the regional information in this field (L). Example: Walldorf
Country: Enter the country abbreviation in this field (C). Example: DE
Subject Alternative Names (DNS): Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local
Encryption Key Length: Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
Valid From*: Enter the date from when the validity of this certificate starts (format: YYYY-MM-DD).
Valid To*: Enter the date when the validity of this certificate ends (format: YYYY-MM-DD).
Password*: In this field you enter the password for this certificate. The password length is limited to 20 characters.
Save Password: If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Confirm Password*: Confirm the encryption password entered in the field above.
Import an Existing Key Store File: This option only appears if the parent certificate is imported. Checking this option displays the following options:
KeyStore File*: Click Browse to locate and load an existing KeyStore file (file format: *.pse).
Password*: The password for the KeyStore (PSE) file.
Save Password: If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Skip this certificate: Check this option if you do not want to or do not need to enter any information for this specific certificate at this time.
A further option skips all certificates: check it if you do not want to or do not need to enter information for any certificate at this time. This means you skip all the PKI certificates, including the Root CA, SSL CA, SSL Server, and User CA certificates. You can create or add certificate information at a later time in the Certificate Management function of the Administration Console.
Figure: Initial Configuration Wizard Select the SSL Certificate Generation Type
It is possible to install or import SSL certificates later on using the administration console Certificate Management. For more information, see section 3.3.3 Certificate Management.
Option: Details
Generate an SSL certificate using the Secure Login Administration Console: The SSL certificates for the SAP NetWeaver Application Server (or other Web application server) are created using the Secure Login Administration Console.
Skip all SSL certificates: Check this option if you do not want to or do not need to enter information for SSL certificates at this time.
Figure: Initial Configuration Wizard Create SSL CA Information
Entries marked with * are mandatory.
Details
Common Name*: Enter the common name of the certificate (CN). Example: SSL CA SAP Security
Organization Unit: Enter the division of the company in this field (OU). Example: SAP Security Department
Organization: Enter the company name in this field (O). Example: Company xyz
Locality: Enter the regional information in this field (L). Example: Walldorf
Country: Enter the country abbreviation in this field (C). Example: DE
Subject Alternative Names (DNS): Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local
Encryption Key Length: Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
Valid From*: Enter the date when the validity of the certificate starts (format: YYYY-MM-DD).
Valid To*: Enter the date when the validity of the certificate ends (format: YYYY-MM-DD).
Password*: Enter the password for this certificate in this field. The password length is limited to 20 characters.
Save Password: If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Confirm Password*: Confirm the encryption password entered in the field above.
Import an Existing Key Store File: The system displays this parameter if the SSL CA and the root CA have been imported. If you create them anew, this parameter is not visible. Checking this option displays the following options:
KeyStore File*: Click Browse to locate and load an existing Key Store File (file format: *.pse).
Password*: The password for the KeyStore (PSE) file.
Save Password: If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Skip this certificate: Check this option if you do not want to or do not need to enter any information for this specific certificate at this time.
Figure: Initial Configuration Wizard SSL Server Information
Entries marked with * are mandatory.
Details
Common Name*: Enter the common name of the certificate (CN). Example: Alias Server Name
Organization Unit: Enter the division of the company in this field (OU). Example: SAP Security Department
Organization: Enter the company name in this field (O). Example: Company xyz
Locality: Enter the regional information in this field (L). Example: Walldorf
Country: Enter the country abbreviation in this field (C). Example: DE
Subject Alternative Names (DNS): Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local
Encryption Key Length: Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
Valid From*: Enter the date when the validity of the certificate starts (format: YYYY-MM-DD).
Valid To*: Enter the date when the validity of the certificate ends (format: YYYY-MM-DD).
Password*: In this field, you enter the password for this certificate. The password length is limited to 20 characters.
Save Password: If this checkbox is activated, this password will be stored. This means that you do not need to remember the password when editing this certificate at a later date.
Confirm Password*: Confirm the encryption password entered in the field above.
Import an Existing Key Store File: The system displays this parameter if the SSL CA and the root CA have been imported. If you create them anew, this parameter is not visible. Checking this option displays the following options:
KeyStore File*: Click Browse to locate and load an existing KeyStore file (file format: *.p12).
Password*: The password for the KeyStore file.
Save Password: If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Skip this certificate: Check this option if you do not want or do not need to enter any information for this specific certificate at this time.
Figure: Initial Configuration Wizard User CA Information
Entries marked with * are mandatory.
Details
Common Name*: Enter the common name of the certificate (CN). Example: User CA SAP Security
Organization Unit: Enter the division of the company in this field (OU). Example: SAP Security Department
Organization: Enter the company name in this field (O). Example: Company xyz
Locality: Enter the regional information in this field (L). Example: Walldorf
Country: Enter the country abbreviation in this field (C). Example: DE
Subject Alternative Names (DNS): Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local
Encryption Key Length: Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
Valid From*: Enter the date when the validity of the certificate starts (format: YYYY-MM-DD).
Valid To*: Enter the date when the validity of the certificate ends (format: YYYY-MM-DD).
Password*: In this field you enter the password for this certificate. The password length is limited to 20 characters.
Save Password: If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Confirm Password*: Confirm the encryption password entered in the field above.
Import an Existing Key Store File: The system displays this parameter if the SSL CA and the root CA have been imported. If you create them anew, this parameter is not visible. Checking this option displays the following options:
KeyStore File*: Click Browse to locate and load an existing KeyStore file (file format: *.pse).
Password*: The password for the KeyStore (PSE) file.
Save Password: If this checkbox is activated, this password will be stored. This means that you do not need to remember the password when editing this certificate at a later date.
Skip this certificate: Check this option if you do not want or do not need to enter any information for this specific certificate at this time.
Figure: Initial Configuration Wizard Server Configuration
Entries marked with * are mandatory.
Details
DN.country: Enter the country abbreviation in this field (C). Example: DE
DN.locality: Enter the regional information in this field (L). Example: Walldorf
DN.organization: Enter the company name in this field (O). Example: Company xyz
DN.organizationalUnit: Enter the division of the company in this field (OU). Example: SAP Security Department
ValidityMinutes*: Information for a temporary certificate: the period of time (in minutes) that the user certificate is valid.
Application Information
ServerHostName: FQDN name or IP address of this server. This parameter is used for the client policy definition and can be used for centrally changing the server host name and the server port in the instance configuration of the Secure Login Server.
ServerPort: Port of this server. This parameter is used for the client policy definition and can be used for central change.
Authentication Server Configuration (read-only)
AuthConfigPath: Authentication server configuration file for the Secure Login Server.
Secure Login User CA Key Store (read-only)
PseName: The user CA key store file path. If you created a user CA in the previous step, the file path is shown here.
Log Configuration (read-only)
DailyLogDir: In this log path the user authentication information for the default instance is logged (for example, that a user authentication was successful).
MonthlyLogDir: In this log path the instance information for the default instance is logged (for example, that the default instance was started successfully).
AdminConsoleLogDir: In this log path the admin console information for the Secure Login Administration Console is logged (for example, that the default instance configuration was changed).
LockDir: The path to which the lock file is saved. A lock file is created when the server encounters an internal error that requires manual intervention.
Setup Review
Verify the action points and choose the Finish pushbutton to complete the initial wizard configuration.
Finish Setup
After successful setup configuration this page appears. Restart the Secure Login Server application.
Figure: Initial Configuration Wizard Congratulations
Use the Telnet application to stop and start the Secure Login Server application (for more information, see section 2.2 Secure Login Server Installation with Telnet). Another possibility in the Microsoft Windows environment is to use the SAP Management Console (sapmmc) application. Under AS Java Components, choose the application sap.com/SecureLoginServer and restart the application.
The configuration file web.xml is available in the following place:
Microsoft Windows: <ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\servlet_jsp\securelogin\root\WEB-INF\web.xml
Linux: <ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/servlet_jsp/securelogin/root/WEB-INF/web.xml
It is required to restart the Secure Login Server application.
After the SSH tunnel configuration, log on to this connection and perform the initial configuration. For more information, see section 2.6 Initial Configuration Wizard.
3 Administration
This chapter describes the configuration parameters in Secure Login Server.
You find the https port in the SSL setting of the SAP NetWeaver configuration. The port number is usually 50001 (corresponds to 01 in the table above). The logon page appears.
Figure: Administration Console Logon Page
Enter your administration user name (for example, Admin) and your password.
Authentication type: Details
Local Login: Default user name/password combination authenticated in the administration console database.
External Login: User name/password combination authenticated in the authentication server database set in the JAAS module. Example: You can use the Microsoft Active Directory user database for logging on to the Secure Login Server administration console. For more information about the configuration, see section 3.3.2.
Figure: Administration Console Welcome Page
The administration console interface allows you to easily configure the server to your needs. The main area is split into three panes:
The top left-hand pane lists any tasks that have yet to be performed. For example, Connection must be HTTPS refers to the missing SSL connection between the console and the Secure Login Server, and Server needs to be restarted informs you that the configuration has been changed and you need to restart the Secure Login Server application for it to take effect.
The bottom left-hand pane is the main navigation tree. For easy reference, each node represents tasks that can be performed within the Secure Login Server framework.
The right-hand pane displays the details of any node selected in the left-hand pane.
In the top right-hand corner there are three entries that appear on every page in the console:
Change Password: This allows you to change the password for the current administrator/user account.
Logout: Use this link to log out of the console. The login page will reappear (see previous page).
About: Click this to view version information about the console.
You may be asked to re-enter your user name and password if you leave the administration console for a long time. The default console timeout is 10 minutes.
Figure: Change Password
3. Enter the current password into the Old Password field.
4. Enter and confirm the new password into the fields New Password and Confirm New Password respectively.
5. Click OK.
The user admin is a permanent user that has the role super user and cannot be deleted. As a consequence, the admin user can log on to the system regardless of state (when a serious system error occurs), making sure that there is at least one user who can always access Secure Login to correct or configure the system.
Choose the Server Configuration node in the left-hand pane of the administration console. The following page appears:
Option: Details/Value
Edit: Click Edit to change the Administration Console Description, Trace Configuration, and Client Configuration. For more information, see section 3.3.1 Edit Server Configuration.
Description: The description of this administration console.
Login Type: The current types of authentication available for logging on to the administration console. The configuration can be changed using the button Edit Login Type. For more information, see section 3.3.2 Edit Login Type Setting.
External Login JAAS Module: The current JAAS module used for External Login authentication to the Administration Console. For more information, see section 3.3.2 Edit Login Type Setting.
The Authentication File Path (read-only): The authentication configuration file used by this server. This configuration is for information purposes only.
Trust Certificates Storage File (read-only): The Trust Store file (TrustStore.jks) used by this server.
Console Log Directory (read-only): The directory in which the console log file is located.
Console Log Prefix (read-only): The file prefix for the console log file.
Enable Server Trace: Enable Secure Login Server trace to provide extended traces. true: trace enabled; false: trace disabled. Default value is false.
Path to the Server Lock File (read-only): Path where the lock files are written. A lock file is generated if something went wrong with the Secure Login Server. In this case the Secure Login Server is locked.
Host Server Domain Name: The host name or IP of the computer from which the console is being used, for the Secure Login Client policy configuration (for all client policy URLs).
Port: The port of this computer from which the console is being used, for the Secure Login Client policy configuration (for all client policy URLs). We recommend that you use an HTTPS (SSL) port.
Two further entries show the directory in which the credentials are stored for the Secure Login Library and the directory where native libraries are stored for the Secure Login Library.
Figure: Administration Console Edit Server Configuration
The following options can be set:
Option: Details/Value
Description: Here you can personalize the description for the administration console.
Enable Server Trace: true: Write trace messages to the application server trace file (defaultTrace_*.log). false: Do not write trace messages to the application server trace file.
Host Server Domain Name: The host name or IP of the computer from which the console is being used.
Port: The port of the computer from which the console is being used. We recommend that you use an HTTPS (SSL) port.
Once you have changed any option, click Save to return to the Server Configuration page.
Due to technical restrictions, only the following login modules can be used in the field External Login JAAS Module:
SecureLoginModuleLDAP
SecureLoginModuleRADIUS
SecureLoginModuleSAP
The first decision to make is whether the Secure Login Server should create and manage one or more public key infrastructures itself, or whether an existing company PKI is to be used on top. Both are possible, and even a mixture of the two: for example, one Secure Login Server PKI below your enterprise PKI and two others created independently by the Secure Login Server. Because of the high flexibility of the Secure Login Server, PKIs can be added, replaced, or deleted at any time. Choose the Certificate Management node from the tree in the left-hand pane. The following page appears:
Details
One or more tree views of independent PKIs. One DefaultPKITree named Root CA SAP Security is available here.
Define a display name for the new PKI and create a top-level Certification Authority (Root CA).
Certificate Information
Common Name: Common name of the selected certificate.
Path: File path of the selected certificate file.
Save Password: Password protection status of the selected certificate file.
Mapping to Instance: List of all instances and selections that are supposed to use this user CA. This option is available for user CAs only.
Further details of the X.509 certificate are displayed.
The PKI tree displays the name of the PKI structure and selects the Certification Authority of a PKI for further management operations.
Issue: Creates a new Certification Authority of this type (USER_CA, SAP_CA or SSL_CA).
Change Password: Changes the password of the selected CA.
Remove Password: Removes the password of the selected CA. A password must be given for each following management operation of this CA.
[Export Certificate]: Exports the selected certificate.
Export Type: Chooses the export type for the certificate. Possible export types: .crt, .p12, .pse or .jks.
New Password: Defines the password of the exported certificate file. This option is not available if you choose the export type .crt.
Import: Imports the key store into the certificate list. Note: Only PSE files can be imported.
PKI Name: Displays the name of the new PKI the certificate belongs to. The following special characters are not supported:
~`!@#$%^&*()_-+= }{:"?><,./;'[]\|
[Selection List]: The selection list allows you to associate the type of CA of the certificate. Each type can be associated only once.
Browse: Opens a file browser to select the certificate file.
Open Password: Password that protects the certificate file.
Save Password: Allows you to save the password in the configuration file.
Define the certificate parameters for the new root CA certificate and choose Create.
Entries marked with an asterisk (*) are mandatory. The new PKI should now be available in the PKI tree.
Details
Common Name*: Enter the common name of the certificate (CN). Example: SAP CA SAP Security
Organization Unit: Enter the division of the company in this field (OU). Example: SAP Security Department
Organization: Enter the company name in this field (O). Example: Company xyz
Locality: Enter the regional information in this field (L). Example: Walldorf
Country: Enter the country abbreviation in this field (C). Example: DE
Subject Alternative Names (DNS): Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local
Encryption Key Length: Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
Valid From*: Enter the date when the validity of the certificate starts (format: YYYY-MM-DD).
Valid To*: Enter the date when the validity of the certificate ends (format: YYYY-MM-DD).
Password*: In this field you enter the password for this certificate. The password length is limited to 20 characters.
Save Password: If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Confirm Password*: Confirm the encryption password entered in the field above.
Details
Common Name*: Enter the common name of the certificate (CN). Example: SAP SID
Organizational Unit: Enter the division of the company in this field (OU). Example: SAP Security Department
Organization: Enter the company name in this field (O). Example: Company xyz
Locality: Enter the regional information in this field (L). Example: Walldorf
Country: Enter the country abbreviation in this field (C). Example: DE
Subject Alternative Names (DNS): Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local
Encryption Key Length: Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
Valid From*: Enter the date when the validity of this certificate starts (format: YYYY-MM-DD).
Valid To*: Enter the date when the validity of this certificate ends (format: YYYY-MM-DD).
Password*: Enter the password for this certificate in this field. The password length is limited to 20 characters.
Confirm Password*: Confirm the encryption password entered in the field above.
Save password to file: If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Details
Common Name*: Enter the common name of the certificate (CN). Example: SLSSNC
Organizational Unit: Enter the division of the company in this field (OU). Example: SAP Security Department
Organization: Enter the company name in this field (O). Example: Company xyz
Locality: Enter the regional information in this field (L). Example: Walldorf
Country: Enter the country abbreviation in this field (C). Example: DE
Subject Alternative Names (DNS): Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local
Encryption Key Length: Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
Valid From*: Enter the date when the validity of this certificate starts (format: YYYY-MM-DD).
Valid To*: Enter the date when the validity of this certificate ends (format: YYYY-MM-DD).
Password*: In this field, you enter the password for this certificate. The password length is limited to 20 characters.
Confirm Password*: Confirm the encryption password entered in the field above.
Save password to file: If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Details
Common Name*: Enter the common name of the certificate (CN). Example: Username
Organizational Unit: Enter the division of the company in this field (OU). Example: SAP Security Department
Organization: Enter the company name in this field (O). Example: Company xyz
Locality: Enter the regional information in this field (L). Example: Walldorf
Country: Enter the country abbreviation in this field (C). Example: DE (for Germany)
Subject Alternative Names (DNS): Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local
Encryption Key Length: Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
Valid From*: Enter the date when the validity of this certificate starts (format: YYYY-MM-DD).
Valid To*: Enter the date when the validity of this certificate ends (format: YYYY-MM-DD).
Password*: In this field you enter the password for this certificate. The password length is limited to 20 characters.
Confirm Password*: Confirm the encryption password entered in the field above.
Save password to file: If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Subject Alternative Names (E-mail)*: To map a certificate to a user, use this field. For more information, see section 4.6 Configure SSL Certificate Logon. Example: LoginCert_Admin
This login certificate needs to be imported into a browser application. Therefore, export this certificate in .p12 format and import it into your browser. In addition, this login certificate must be assigned to a user (user mapping). For more information, see section 4.6 Configure SSL Certificate Logon.
Export Certificate
Use this function to export any kind of certificate in the PKI list.
1. Choose the desired certificate in the PKI tree list, for example Root CA SAP Security.
2. Select the Export Type, for example .pse.
3. Define the password of the exported certificate file.
4. Choose the Export pushbutton to save the file to the desired location.
Details
.pse: Exports the certificate in PSE format. This file includes all keys and all certificates of the complete certificate chain.
.crt: Exports the public certificate information.
.p12: Exports the certificate in P12 format. This file includes all keys and all certificates of the complete certificate chain used.
.jks: Exports the certificate in Java Key Store format.
Import Certificate
If a certificate entry in the list is grayed out, this certificate is not present. Use the import function to load a new certificate.
1. Choose the desired certificate in the PKI tree list, for example SAP_CA.
2. Choose Browse to open a file browser.
3. Locate and open the PSE file.
4. Enter the password for the PSE file in the field Open Password. As an option, you can choose to save the password.
5. Choose the Import pushbutton to complete your import.
Imported certificates need to be part of the PKI structure. A trust relation to an existing root CA certificate, when available, is required. In case the desired certificate has no trust relation to the root CA certificate, the error message Trust connection cannot be established with ROOT CA appears.
SSL CA Certificate (public certificate): This certificate is used to verify the SSL connection in the option Server Status.
LDAPS CA Certificate (public certificate): This certificate is used to establish secure communication to the LDAP server. Depending on the PKI structure, it may be necessary to import the certificate chain.
Details
Alias for the imported certificates.
The certificate location. Select one of the following locations (this causes the third option to change accordingly):
Local Host*: The path to a certificate in the local file system
PublicURL*: Certificate available via a public URL
Adds the certificate information to the Trust Store.
Delete: Use this button to remove the selected certificate from the Trust Store (only visible if a certificate has been added to the Trust Store).
Export: Use this button to export the selected certificate from the Trust Store (only visible if a certificate has been added to the Trust Store).
Changes in Trust Store require a restart of the SAP NetWeaver Application Server.
The default template cannot be deleted, changed, or exported. The Mapping option is only available if an additional certificate template is available.
Details
Templates created by the user and available for use are listed here. By default, the default template is available.
Adds a new certificate template. This takes you to the template creation page.
Duplicates the selected template. This takes you to the template creation page.
Edits a selected template. This takes you to the template creation page.
Deletes a template selected in the list.
Maps any template to another.
Export: Exports a template as an XML file. If you select more than one template for export, all of the templates are incorporated into a single XML file.
Import: Imports templates found on the local machine/network to the list.
Details
The unique template identifier
Use this option to identify the specific public key used in an application.
Use this option to identify the public key corresponding to the private key that is used to sign a certificate.
This option indicates the policy under which the certificate has been issued and the purposes for which the certificate may be used. Checking this option will open a mandatory field for the CertificatePolicies.OID (enter the ID and choose Add).
KeyUsage
The key usage extension defines the purpose of the key contained in the certificate.
DigitalSignature: Use when the public key is used with a digital signature mechanism to support security services other than non-repudiation, certificate signing, or CRL signing. Digital signatures are often used for entity authentication and data origin authentication with integrity.
NonRepudiation: Use when the public key is used to verify digital signatures used to provide a non-repudiation service. Non-repudiation protects against the signing entity falsely denying some action (excluding certificate or CRL signing).
KeyEncipherment: Use when a certificate is used with a protocol that encrypts keys. An example is S/MIME enveloping, where a fast (symmetric) key is encrypted with the public key from the certificate. The SSL protocol also performs key enciphering.
DataEncipherment: Use when the public key is used for encrypting user data, other than cryptographic keys.
KeyAgreement: Use when the sender and receiver of the public key need to derive the key without using encryption. This key can be used to encrypt messages between the sender and receiver. Key agreement is typically used with Diffie-Hellman ciphers.
KeyCertSign: Use when the subject's public key is used for verifying a signature on public key certificates. If keyCertSign is asserted, the CA bit in the basic constraints extension must also be asserted.
CrlSign: Use when the subject's public key is used for verifying a signature on a certificate revocation list. CrlSign must be asserted in certificates that are used to verify signatures on CRLs.
EncipherOnly: Use only when key agreement is also enabled. This enables the public key to be used only for enciphering data while performing key agreement.
DecipherOnly: Use only when key agreement is also enabled. This enables the public key to be used only for deciphering data while performing key agreement.
For more information about standard certificate extensions, see http://www.ietf.org/rfc/rfc3280.txt
ExtendedKeyUsage
This option defines the extended purpose of the key contained in the certificate.
Example SNC/SSF Client Certificate:
KeyUsage: DigitalSignature, NonRepudiation, KeyEncipherment, DataEncipherment
ExtendedKeyUsage: ClientAuthentication
Example SNC Server Certificate:
KeyUsage: DigitalSignature, NonRepudiation, KeyEncipherment, DataEncipherment
BasicConstraints
This option defines whether the subject of the certificate is a Certification Authority and how deep a certification path may exist through that Certification Authority. Checking this option will open the following sub-options:
Is critical?: If you select this option, the basic constraints parameter is required in the certificate for communication to be successful.
Is CA?: This option defines whether the subject of the certificate is a Certification Authority. When you select this option, the Path Length field opens. Enter the number of levels for which the constraints are valid.
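The following Python code is an added example, not part of the SAP guide or its software. It shows what the KeyUsage check boxes above become in the issued certificate (the DER BIT STRING of RFC 3280 section 4.2.1.3, bit 0 = digitalSignature through bit 8 = decipherOnly) and checks a template for the two rules the text calls out: KeyCertSign requires the CA bit of BasicConstraints, and EncipherOnly/DecipherOnly are only meaningful with KeyAgreement. The flag names are the console labels; the function names and the two template constants are this example's own.

```python
# Added example: DER encoding of the KeyUsage extension value and a
# consistency check for a certificate template (not SAP code).

# Bit positions from RFC 3280 section 4.2.1.3, keyed by the console labels.
KEY_USAGE_BITS = {
    "DigitalSignature": 0, "NonRepudiation": 1, "KeyEncipherment": 2,
    "DataEncipherment": 3, "KeyAgreement": 4, "KeyCertSign": 5,
    "CrlSign": 6, "EncipherOnly": 7, "DecipherOnly": 8,
}
BIT_NAMES = {bit: name for name, bit in KEY_USAGE_BITS.items()}


def encode_key_usage(flags):
    """Return the DER BIT STRING (tag 0x03) for the given KeyUsage flag names.

    Bit 0 is the most significant bit of the first content byte. DER drops
    trailing zero bits, so the leading 'unused bits' octet depends on the
    highest bit that is set (e.g. bits 0-3 set -> 03 02 04 F0).
    """
    bits = sorted(KEY_USAGE_BITS[name] for name in flags)
    if not bits:
        return bytes([0x03, 0x01, 0x00])          # empty BIT STRING
    highest = bits[-1]
    value = bytearray(highest // 8 + 1)
    for bit in bits:
        value[bit // 8] |= 0x80 >> (bit % 8)
    unused = len(value) * 8 - (highest + 1)
    content = bytes([unused]) + bytes(value)
    return bytes([0x03, len(content)]) + content


def decode_key_usage(der):
    """Inverse of encode_key_usage: DER BIT STRING -> set of flag names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-form BIT STRING")
    unused, value = der[2], der[3:]
    names = set()
    for bit in range(len(value) * 8 - unused):
        if value[bit // 8] & (0x80 >> (bit % 8)):
            names.add(BIT_NAMES[bit])   # KeyError for reserved bits > 8
    return names


def validate_template(key_usage, is_ca=False, path_length=None):
    """Return a list of problems with the KeyUsage/BasicConstraints choice
    of a template; an empty list means the template is consistent."""
    flags = set(key_usage)
    problems = []
    unknown = flags - set(KEY_USAGE_BITS)
    if unknown:
        problems.append("unknown KeyUsage flags: " + ", ".join(sorted(unknown)))
    if "KeyCertSign" in flags and not is_ca:
        problems.append("KeyCertSign requires the CA bit in BasicConstraints (Is CA?)")
    for only in ("EncipherOnly", "DecipherOnly"):
        if only in flags and "KeyAgreement" not in flags:
            problems.append(only + " is only meaningful together with KeyAgreement")
    if path_length is not None and not is_ca:
        problems.append("Path Length only applies when Is CA? is selected")
    return problems


# The two example templates from the guide (SNC/SSF client and SNC server).
SNC_CLIENT_KEY_USAGE = ["DigitalSignature", "NonRepudiation",
                        "KeyEncipherment", "DataEncipherment"]
SNC_SERVER_KEY_USAGE = list(SNC_CLIENT_KEY_USAGE)

if __name__ == "__main__":
    der = encode_key_usage(SNC_CLIENT_KEY_USAGE)
    print(der.hex(), sorted(decode_key_usage(der)))
    print(validate_template(["DigitalSignature", "KeyCertSign"], is_ca=False))
```

The decoder is useful for the opposite direction: dump the KeyUsage extension of an issued certificate and confirm it carries exactly the bits the template was meant to set.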
Private Extensions
Add a user-specific extension to the template. Choose Add and open the Create Private Extension input page:
Extension Name*: The unique name for this extension
Base64/DER Encoded Data*: The content of the private extension in Base64 or DER format
Add: Adds the information from the fields above to the certificate template (this will also take you back to the Create Certificate Template page).
Cancel: Cancels the Create Private Extension configuration step.
Reset: Clears the fields of any entries.
Cancel: Cancels the Create Certificate Template configuration step.
The default template cannot be deleted, changed, or exported. The Mapping option is only available for the default template if another certificate template is available.
Figure: Administration Console Certificate Template Mapping Option
Details
SAP Server Certificate: Assigns the certificate template that is used to create SAP server certificates.
User Certificate: Assigns the certificate template to an instance used for creating user certificates.
Figure: Administration Console Export Certificate Template Option
Details
[List Box] Selected Template: Exports the selected certificate template. All Templates: Exports all certificate templates.
Export: Executes the export procedure.
Cancel: Cancels the export procedure.
Figure: Administration Console Import Certificate Template Option
Details
Browse: Opens a file browser to locate a certificate template XML file.
Import: Executes the import procedure.
Cancel: Cancels the import procedure.
The installation of the Secure Login Library (described in the Installation, Configuration, and Administration Guide of the Secure Login Library) is a prerequisite. Two options are available to define the SNC certificate:
Import P12 File
Import from Console (Certificate Management)
View currently available message language files
Create a new message language file
Edit a message language file
The following table contains the names of the message language files:
Message File Name: Language
serverMsg.properties: Template for translation
serverMsg_de.properties: German
serverMsg_en.properties: English
serverMsg_fr.properties: French
serverMsg_ja.properties: Japanese
serverMsg_pt.properties: Portuguese
serverMsg_ru.properties: Russian
serverMsg_zh_CN.properties: Chinese
The fallback message file is serverMsg_en.properties. This message file is used if the required language is not available. The language for the fallback scenario is English.
Figure: Administration Console Create Message File
Choose the desired language and choose the Create New File button. In this example the newly chosen language is Afrikaans. In this case, the name of the message file is serverMsg_af.properties. The predefined language for the new message file is English and needs to be translated to the required language. The file name format is defined as: serverMsg_<language_abbreviation>.properties
To confirm any changes, choose Save. To disable a server message, delete the message text. Example: If the message Authentication process completed should be disabled, delete the message text for the parameter AUTH_RESULT_ACTION_OK_MSG.
Figure: Administration Console System Check Option
Option: Details
Authentication Configuration: Configuration of the authentication
General System Checks
Files and Folder: Are read/write permissions to the file system available?
SAP Cryptolib: Checks the JavaSDK of the Secure Login Server.
IAIK SDK: Checks for the location of the IAIK SDK and displays the version number.
Create PKCS#12 File: Checks if a P12 certificate format can be created.
Create PSE File: Checks if a PSE certificate format can be created.
JRE Crypto Policy: Checks if Java JCE is enabled.
PKI Structure: Checks if there are any missing or invalid certificates.
SAP ID Check
SAP SNC Runtime: Checks if the Secure Login Library is installed and configured.
SAP JCO Runtime: Checks whether the SAP JCO can be found.
Server Name Check: Checks Instance Names and Instance IDs.
TrustStore: Checks the Java Trust Store used by the Secure Login Server.
Details
Current date and time information
Version of the Secure Login Server Kernel
The amount of time the Server has remained active and running
Info: Server Instance: File location of the Secure Login Server configuration file Configuration.properties.
Integrity Check of the Secure Login Server Status:
Lock Status = No: The Secure Login Server is not locked. Everything is OK and the server is up and running.
Lock Status = Yes: The Secure Login Server is locked, meaning that it has encountered a problem. In this case, check the server information pane in the top left of the screen for tasks that still need to be performed as well as the log files for possible problems. An Unlock button appears next to the table entry (provided that the administrator role has the necessary permissions). Once you have resolved any problems, choose the Unlock button to reset the Lock Status.
Verifies the status of the Secure Login Server Java Servlet.
Secure Login Server Version
If the error message Cannot connect to the server using the SSL connection. Import the server's certificate into the Trust Store is displayed, add the SSL CA certificate (public certificate) to the Trust Store of the Secure Login Server. For more information, see section 3.3.4 Trust Store Management.
Details
The content of the certificate request in Base64 encoding format. Use the option Browse for a file to insert to import a certificate request file, then use the Read button to import it. Another option is to copy and paste the content of the certificate request into the Saved Request field.
Define the period of time for which the certificate is valid.
Select the encoding type (DER or PEM) in which the certificate response should be generated.
If needed, select the desired certificate template. The default certificate template is used for the SAP environment.
Choose the CA certificate with which the certificate request should be signed.
The certificate reply is generated, and you are asked to store the certificate reply file.
This page displays all of the tasks performed using the Administration Console since logging began. This page allows you to do the following:
Select a period of time to view with the Log Month combo box.
Export log files to *.csv file format with the Export Logs function. This entry is only visible if log entries are present.
The monthly table contains the following information about the administration tasks:
Option: Details
Date: The date the task was performed.
Time: The time the task was performed.
Code: The internal message code of the task performed.
Level: An abbreviated description of the message level. Possible message levels: INF Information, ERR Error, WAR Warning
The name of the user/administrator that performed the action.
A quick description of the action, for example EDIT or OTHER.
The server instances to which the action was directed.
A description of the message/task.
Properties Configuration: In this section, you configure the Secure Login Web Client profiles.
Message Settings: In this section, you configure the server messages provided to the Secure Login Web Client.
Package Management: In this section, you configure the SNC library for the respective Secure Login Web Client. By default, three packages are available, for Microsoft Windows, Linux and Mac OS X.
Note that there are server messages available for the Secure Login Client (described in section 3.3.7 Message Settings) and the Secure Login Web Client.
Option: Details
PORTALURL: URL address for certificate-based login to be called after successful user authentication. This option depends on the parameter ACTION.
ACTION: The action to be performed by the Secure Login Web Client after successful user authentication. The following options are available:
No action after authentication: After successful user authentication, no action is performed.
Open Portal: After successful user authentication the URL defined in PORTALURL is used.
Launch SAP GUI: After successful user authentication the SAP GUI application is started.
Both SAP Portal and SAP GUI: After successful user authentication the URL defined in PORTALURL is used, and the SAP GUI application is started.
SAPLogon.slsinstance: Secure Login Server Instance (user authentication method) to be used for Secure Login Web Client.
ClientLogging: This option determines the logging options:
No: No client log file is created and no logging is performed.
Temp: The client creates a log file for each login session. The log file is deleted when the Secure Login Web Client is closed.
Full: The client log file is never deleted.
Save your changes.
The location of the Secure Login Web Client files depends on the operating system:
Microsoft Windows XP: C:\Documents and Settings\<user>\sapsnc\
Microsoft Windows Vista / Microsoft Windows 7: C:\Users\<user>\sapsnc\
Mac OS: /Users/<user>/sapsnc/
Linux: /home/<user>/sapsnc/
You can customize the file location of the Secure Login Web Client. For more information, see section 4.5 Customize Secure Login Web Client.
Figure: Administration Console SAP Server Management
To create a new SAP server configuration, choose the Add button. The following screen contains the sections and parameters described below.
Option: Details
SAP GUI for Java: It is mandatory to fill these four fields.
label: Profile name.
host: IP address or FQDN name of the desired SAP server system.
port: Port of the desired SAP server system.
sncname: SNC name of the desired SAP server system.
shortcut.Name: Identifier used in multi-instance configurations.
shortcut.Description: The name of the server profile in SAP GUI for Microsoft Windows (in SAPGUI this is the Description field). This is the essential reference to the profile.
Secure Login Server instance (user authentication method) to be used for Secure Login Web Client.
Figure: Administration Console Platform Configuration
Select a platform and choose the Edit button. In this example, the Microsoft Windows platform is shown.
Details
SAP.start.binary: GUI application name for SAP GUI for Java.
SAP.logon.binary: SAP Logon application name for SAP GUI for Java.
SAP.start: Path used to locate the SAP applications. Use the Add button to add an additional search path. Use the Delete button to remove an existing search path.
SAP GUI for Microsoft Windows (this option is only available for Microsoft Windows platforms)
SAP.start.win.binary: GUI application name for SAP GUI for Microsoft Windows.
SAP.logon.win.binary: SAP Logon application name for SAP GUI for Microsoft Windows.
SAP.start.win: Path used to locate the SAP applications. Use the Add button to create an additional search path. Use the Delete button to remove an existing search path.
The platforms for which the properties on this page are applicable. The platform name is listed along with the files required by each platform to function correctly.
Message Settings
In this section, you can configure the server messages provided to the Secure Login Web Client.
The fallback message file is SNCAppletMessages.properties. This message file is used if the required language is not available. The language for the fallback scenario is English. To disable a server message, delete the message text. To create a new message language file, choose the Add button. To configure an existing message language file, choose the Edit button.
Package Management
In this section, you can configure the SNC library for the desired Secure Login Web Client. By default, several packages are available, for Microsoft Windows, Linux and Mac OS X. To update or add new files, choose the Upload button.
Figure: Administration Console Instance Management
To define the parameters which are described below, use the Edit button. Entries marked with * are mandatory.
Details
Login Module: Select the desired user authentication mechanism. The following authentication mechanisms are available: SPNegoLoginModule, SecureLoginModuleLDAP, SecureLoginModuleRADIUS, SecureLoginModuleSAP, BasicPasswordLoginModule. With the installation of the Secure Login Server, Login Modules are installed in SAP NetWeaver. The name of the Login Modules is synchronized with the name of the JaasModule. The default is SPNegoLoginModule. For more information about the configuration of the Login Modules, see section 4.1 Configure Login Module.
Policy Configuration Name: This is the name of the configured login module stack.
PseType: This parameter is read-only. The key store format is FilePSE.
PseName: Select the desired User CA for this instance.
User Certificate Configuration: In this section, you define the Distinguished Name of the user certificate. The common name (CN) is calculated by the Secure Login Server using the user credentials.
DN.country: Enter the country abbreviation in this field (C). Example: DE
DN.locality: Enter the regional information in this field (L). Example: Walldorf
DN.organization: Enter the company name in this field (O). Example: Company xyz
DN.organizationUnit: Enter the division of the company in this field (OU). Example: SAP Security Department
ValidityMinutes*: Time (in minutes) for which a user certificate is valid.
ValidityOffset*: Time offset in minutes relative to the server system time for the certificates to start being valid. This parameter is helpful if the client and server time are not in sync.
These parameters are read-only and display-only parameters used for generating user certificates. For more information, see section 3.3.5 Certificate Template.
These parameters are read-only. For more information, see Instance Log Management.
LockDir: The path to which the lock file is saved. A lock file is created when the server encounters an internal error that requires manual intervention.
maxSessionInactiveInterval: Specifies the time, in seconds, between client requests before the servlet container invalidates this session. This is applicable only in challenge mode (for example, password change).
AdminServletHeader: Header text to be displayed on the status page. Header text is used in Server Status and Instance Status.
AdminServletTrailer: Footer text to be displayed on the status page. Footer text is used in Server Status and Instance Status.
WebClientKeyStoreType: Defines the certificate export format for the Secure Login Web Client. The default value is PKCS12.
User-Defined Properties: Any properties defined by the administrator are configured here.
For more information about possible parameters, see User-Defined Properties section.
Remember to configure the desired Login Module in SAP NetWeaver Administrator. For more information about the configuration of the Login Modules, see section 4.1 Configure Login Module.
Secure Login Web Client Certificate Format: Certificate format used for Secure Login Web Client (see Secure Login Web Client Certificate Format).
Certificate User Mapping Service: Change the value of the Common Name (CN) field of the user certificate Distinguished Name, based on the user mapping service (see Certificate User Mapping Service).
Certificate User Name Service: Change the value format of the Common Name (CN) field of the user certificate Distinguished Name, based on the user name service (see Certificate User Name Service).
Archiving Directory: Create a directory for archiving all certificate requests and issued certificates as files (see Archiving Certificate Request and Issued Certificates).
Distinguished Name: Change the value of the Distinguished Name by adding domain components to the subject names with SPNego (see 3.4.7 Configuring a Distinguished Name with SPNego Login Module).
Example: The Microsoft user name is UserADS and the SAP user name is UserSAP. Without the Certificate User Mapping Service, the Secure Login Server would create a user certificate with the Distinguished Name CN=UserADS. If the SAP user name is stored in Microsoft Active Directory, for example in the attribute employeeID, the Secure Login Server can read this attribute and create a user certificate with the Distinguished Name CN=UserSAP. This is configured in the Certificate User Mapping Service. The advantage of having the SAP user name in the Distinguished Name is easier configuration in the SAP NetWeaver ABAP/JAVA Server environment (user mapping configuration).
If users change their own attributes (for example, through a self-service), and these attributes are used by the user certificate (issued by the Secure Login Server), a situation may occur in which these users are able to assign additional rights to themselves. Thus these users might get rights they are not supposed to have. For this case, we recommend that you implement access restrictions for the change of user attributes.
An AS ABAP uses, for example, certificate-based logon with the users' e-mail addresses in the Distinguished Names. The string in the certificate has the following format: CN=employee@company.com. This means that the user's e-mail address is used for the user mapping in SNC. If an administrator enables users to change their own data (for example, e-mail address, first name, last name) through a self-service, a user can enter, for example, his or her manager's e-mail address (manager@company.com) as an attribute. Since this data is usually maintained centrally, this change also affects the Secure Login Server. If the certificate user mapping feature of the Secure Login Server is configured with the e-mail address as an attribute of the certificate, the user receives a certificate with the Distinguished Name CN=manager@company.com. This user is now able to log on to the AS ABAP as his or her manager.
The prerequisite is that the SAP user name is stored in the LDAP or Microsoft Active Directory system. The Certificate User Mapping Service depends on the Secure Login Server user credential check against the authentication server.
Parameter: Details
LdapReadServers*: Number of LDAP servers that are configured here. A numerical value is expected and must be 1 or higher. The given value is used as n to define an ordered list of servers that are called in a fail-over manner. To disable all configured servers, leave this field empty.
Connection timeout in seconds
LDAP server to be used for retrieving that attribute. Example: ldaps://ldapserver.demo.local:636
Define the Base DN of the desired LDAP server. Example Microsoft Active Directory: DC=DEMO,DC=LOCAL
LdapReadDomainn*: For Microsoft Active Directory: Full domain name of the LDAP server. The domain name to be appended to the given user name if it is not a User Principal Name. If the name is already in UPN format, the property is ignored. Example: DEMO.LOCAL
LdapReadUsern*: Define the technical user used to read the LDAP attribute from the LDAP or Microsoft Active Directory server. Example Microsoft Active Directory: SecureLoginLDAP@DEMO.LOCAL
LdapReadPassn*: Define the password of the technical user used to read the LDAP attribute from the LDAP or Microsoft Active Directory server.
LdapReadAttributen*: Define the LDAP attribute which is used for the common name (CN) of the user certificate Distinguished Name. Example: employeeID
The value n in the parameter is a counter and is defined depending on the parameter LdapReadServers.
The Secure Login Server is able to verify user credentials and perform Certificate User Mapping on a different server. The prerequisite is that the user name is available on both servers.
SAP user IDs have a maximum length of 12 characters (SAP NetWeaver ABAP environment), which needs to be considered by SNC X.509 certificates. The password length or value can be customized. If user names in the common name (CN) field need a fixed or minimum length, padding can be turned on. Typically this configuration is used if personnel numbers are used.
Figure: Administration Console User-Defined Properties
Parameter: Details
MaxUserNameLength: Maximum number of characters that a user name in the common name (CN) field can have. If the given user name is longer, it is cut from the right side. Default value: 12. Example: LongUsernameSAP is cut off to LongUsername with the default settings.
UserNamePaddingLength: If user names in the common name (CN) field need a fixed or minimum length, padding can be turned on. The padding length sets the minimum length of user names. Default value: None
UserNamePaddingChar: The padding character is used to fill user names on the left side if their size is smaller than the configured padding length (UserNamePaddingLength). Default value: None. Example: UserNamePaddingLength = 11 and UserNamePaddingChar = 0. The result is that ShortName is extended to 00ShortName. Typically this configuration is used if personnel numbers are used.
If you enter ArchivingDir in the default server instance configuration, it is valid for all instances except those where you entered a different archiving directory path.
1. Choose the Edit button.
2. To add a new user-defined property, choose Add.
3. Enter ArchivingDir.
4. Enter a directory path in the input field.
5. Save your entries.
6. Restart the Secure Login Server.
Make sure that you enter a valid path. If the path is invalid, or if there are no write permissions for the Secure Login Server, an Internal server error message occurs when a user logs on, and the instance is locked to prevent a loss of data.
Structure of the File Names
The file names of the PKCS#10 (for certificate requests) and PKCS#7 files (for certificates) stored in the archive are generated by the system. Among other things, they identify the SAP system, the user, the time, and the instance of the SAP system.
Syntax
[<timestamp>][<user_name>][<instance_url>][<SID>_<SAP_instance_number>].ext
This is an example of an archived file for a certificate request (PKCS#10 format):
Example
[20120719153732151][armstrongj][https_10.11.12.13_50001_securelogin_PseServer_00010][ABC_00].p10
The file names consist of the following elements:
File Name Element: Description
timestamp: Timestamp with year, month, day, hours, minutes, seconds, and milliseconds. Format: yyyymmddhhmmssmm
user_name: User name of the user who authenticated or tried to authenticate
instance_url: The instance URL is derived from the URL of the Secure Login Server. An underscore replaces all characters except A to Z, a to z, and 0 to 9.
SID: SAP system ID of the Secure Login Server
SAP_instance_number: Instance of the SAP system where the Secure Login Server is installed.
ext: File extension. p10: Extension for PKCS#10 files for archived certificate requests. p7c: Extension for PKCS#7 files for archived certificates.
For technical reasons, it is not possible to get the user name from an SPNego Kerberos authentication. In this case, the user name of the certificate request (in the PKCS#10 file) is always kerberos_. However, the file name of the respective certificate (PKCS#7 file) contains the correct user name.
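The following Python code is an added example, not part of the SAP guide or the product, for anyone who needs to sift through an archiving directory (for instance to correlate a certificate request with its issued certificate, or to find every certificate issued to one user in a time window). It builds file names of the documented form and parses them back, treating the kerberos_ placeholder described above as an unknown user. Two assumptions of this example: the 17-digit timestamp layout is taken from the guide's example (three-digit milliseconds), and sanitize_instance_url applies the rule exactly as the text states it, although the guide's own example keeps the dots of the host address, so the server's real rule may differ in that detail.

```python
# Added example: build and parse Secure Login Server archive file names
# ([timestamp][user_name][instance_url][SID_instance].ext). Not SAP code.
import re
from datetime import datetime

_NAME_RE = re.compile(
    r"^\[(?P<timestamp>\d{17})\]"
    r"\[(?P<user_name>[^\]]*)\]"
    r"\[(?P<instance_url>[^\]]*)\]"
    r"\[(?P<sid>[A-Z0-9]{3})_(?P<instance_number>\d{2})\]"
    r"\.(?P<ext>p10|p7c)$"
)
EXTENSIONS = {"request": "p10", "certificate": "p7c"}
# User name the server writes into PKCS#10 file names for SPNego logons.
KERBEROS_PLACEHOLDER = "kerberos_"


def sanitize_instance_url(url):
    """Replace every character outside A-Z, a-z, 0-9 with an underscore
    (the rule as the guide states it)."""
    return re.sub(r"[^A-Za-z0-9]", "_", url)


def format_timestamp(when):
    """yyyymmddhhmmss followed by three millisecond digits (assumed layout)."""
    return when.strftime("%Y%m%d%H%M%S") + "%03d" % (when.microsecond // 1000)


def archive_file_name(when, user_name, instance_url, sid, instance_number, kind):
    """Compose the archive file name; kind is 'request' or 'certificate'."""
    if "]" in user_name or not re.fullmatch(r"[A-Z0-9]{3}", sid):
        raise ValueError("user name must not contain ']' and SID must be 3 characters")
    return "[%s][%s][%s][%s_%02d].%s" % (
        format_timestamp(when), user_name, sanitize_instance_url(instance_url),
        sid, int(instance_number), EXTENSIONS[kind])


def parse_archive_file_name(name):
    """Split an archive file name into its documented elements."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError("not an archive file name: %r" % name)
    ts = m.group("timestamp")
    when = datetime.strptime(ts[:14], "%Y%m%d%H%M%S").replace(
        microsecond=int(ts[14:]) * 1000)
    user = m.group("user_name")
    return {
        "timestamp": when,
        "user_name": user,
        # For SPNego the request file carries only the placeholder; the
        # matching .p7c file name holds the real user name.
        "user_known": user != KERBEROS_PLACEHOLDER,
        "instance_url": m.group("instance_url"),
        "sid": m.group("sid"),
        "instance_number": m.group("instance_number"),
        "kind": "request" if m.group("ext") == "p10" else "certificate",
    }


if __name__ == "__main__":
    # The guide's own example file name.
    print(parse_archive_file_name(
        "[20120719153732151][armstrongj]"
        "[https_10.11.12.13_50001_securelogin_PseServer_00010][ABC_00].p10"))
```

Because the timestamp comes first, a plain lexical sort of the directory listing is already chronological, and the parsed dictionary makes it easy to filter by SID, instance or user.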
Do not use a configured Distinguished Name together with the certificate user mapping service (see 3.4.2 User-Defined Properties).

Procedure
7. Go to Instance Management.
8. Choose the instance for which you want to customize the Distinguished Name. The user-defined properties are part of the configuration of this instance.
9. Choose the Edit button.
10. To add a new user-defined property, choose Add.
11. Enter DN as the property and enter the data as required, for example values for common name, organization, and country. See the following examples.

Examples (resulting Distinguished Names)

If a user smith@example.com logs on, the following Distinguished Names are used (one per configured value):
CN=smith, O=SAP, C=DE
CN=smith@example.com, O=SAP, C=DE
CN=smith, DC=example, DC=com

If there are different users called Smith in two subdomains (one in sub1.example.com and one in sub2.example.com), the following Distinguished Names are used:
CN=smith@sub1.example.com
CN=smith@sub2.example.com
CN=smith, DC=sub1, DC=example, DC=com
CN=smith, DC=sub2, DC=example, DC=com

Choose a form that stays unique across all users who can log on: if the domain is not part of the DN, these two users would receive certificates with the identical subject CN=smith.

In addition, you can set any valid Distinguished Name attribute as a static part of the DN.

With different users called Smith in two subdomains (sub1.example.com and sub2.example.com):
CN=smith@sub1.example.com, OU=HR, O=SAP, C=DE
CN=smith@sub2.example.com, OU=HR, O=SAP, C=DE

12. Save your entries.
13. Restart the Secure Login Server.
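The DN shapes shown above, as an added example that is not part of this guide or of the Secure Login Server (the product's own placeholder syntax is not described on this page, so the helper names and options below are assumptions). It builds the three documented forms from a logon name such as smith@sub1.example.com, escapes the user-controlled part according to RFC 4514 so that a logon name cannot inject additional RDNs, and reports which configured form makes two users collide.

```python
def escape_rdn_value(value):
    """Escape an attribute value per RFC 4514: comma, plus, double quote,
    backslash, angle brackets, semicolon and equals sign anywhere, a leading
    hash sign, and a leading or trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(logon_name, cn_style="user", domain_components=False, static=()):
    """Return the DN string for one logon name (assumed helper, see lead-in).

    cn_style: "user" puts the part before '@' into CN, "upn" the full logon name.
    domain_components: append one DC= RDN per label of the domain part.
    static: extra (attribute, value) pairs appended unchanged,
            e.g. (("OU", "HR"), ("O", "SAP"), ("C", "DE")).
    """
    if "@" in logon_name:
        user, domain = logon_name.split("@", 1)
    else:
        user, domain = logon_name, ""
    cn = logon_name if cn_style == "upn" else user
    rdns = ["CN=" + escape_rdn_value(cn)]
    if domain_components and domain:
        rdns += ["DC=" + escape_rdn_value(label) for label in domain.split(".")]
    rdns += [attr + "=" + escape_rdn_value(val) for attr, val in static]
    return ", ".join(rdns)


def find_collisions(logon_names, **dn_options):
    """Map each resulting DN to the logon names that produce it and keep only
    DNs shared by more than one user: two users with the same certificate
    subject cannot be told apart by anything that maps on the subject."""
    by_dn = {}
    for name in logon_names:
        by_dn.setdefault(build_dn(name, **dn_options), []).append(name)
    return {dn: names for dn, names in by_dn.items() if len(names) > 1}


# Constructed logon names: the two Smiths from the examples above.
SAMPLE_USERS = ["smith@sub1.example.com", "smith@sub2.example.com"]
```

With the static-only form (O and C, no domain) find_collisions reports both Smiths under CN=smith, O=SAP, C=DE; with cn_style="upn" or domain_components=True it reports nothing, which is the property the second example above relies on.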
Client Policy
Defines the URL of the Secure Login Server that the Secure Login Client uses to retrieve the client policy.

Parameter / Details
Policy URL: Network resource (Secure Login Server) from which the latest Secure Login Client policy can be downloaded. The policy URL depends on the instance configuration:
  ClientPolicy.xml: Client policy defined in the default instance of the Secure Login Server.
  ClientPolicy.xml&path=000xx: Client policy defined in instance xx (instance number) of the Secure Login Server.
PolicyTTL*: Lifetime in minutes after which the Secure Login Client checks for (and updates to) a new client policy. The default value is 0 minutes. By default, the Secure Login Client checks for a new client policy during the system startup of the client PC.
Network Timeout: Network timeout in seconds before the connection is closed if the server does not respond. The default value is 45 seconds.
A further Yes/No parameter controls the check at startup. By default, the Secure Login Client checks for a new client policy during the system startup of the client PC; use this parameter to disable that check.
  No: Secure Login Client updates the client policy at startup.
  Yes: Secure Login Client does not update the client policy at startup.
  The default value is No.
Save: Saves the configuration.
Cancel: Cancels the configuration.
Applications
Defines which client profile is used for which SAP server application.

Parameter / Details
action: Existing application profiles are handled as configured by action.
  Clean: Deletes all existing profiles in the selected policy key before the given ones are written.
  Replace: Replaces any existing profiles of the same name in the selected policy key with a given one.
  Keep: Keeps any existing profiles of the same name in the selected policy key and does not write the given one (default).
  The default value is Clean.
Add Application: Adds a new application.
Edit: Edits the chosen application.
Delete: Deletes the chosen application.
To define the application parameters, choose the Add Application or Edit button.

Parameter / Details
Application Name: Defines a name for this application template.
GSS Target Name: Application-specific PSE URI (SAP server SNC name) that is matched when a suitable profile is searched for. You can use the wildcards * and ?. Examples:
  SNC/CN=SAP, OU=SAP Security, C=DE
  SNC/CN=Server*, O=Company xyz
  The value * means that the client profile is used for all SAP servers.
Profile: The name of the client profile to be used for the desired application.
allowFavorite: Allows the user to select the authentication profile manually in Secure Login Client.
  No: A user cannot select the authentication profile manually in Secure Login Client.
  Yes: A user can select the authentication profile manually in Secure Login Client.
  The default value is Yes.
Save: Saves the configuration.
Clear: Clears the fields (Application Name and GSS Target Name).
Cancel: Goes back to the Client Configuration page.
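How the GSS Target Name wildcards select a profile, as an added example; this is not the product's matching code and the guide does not state the precedence between overlapping entries, so "first configured entry wins" is an assumption made here. The application entries are constructed from the two patterns above plus a catch-all, and the last function finds entries that a catch-all placed before them would make unreachable.

```python
import re

# Constructed application entries, in configured order (assumed precedence).
APPLICATIONS = [
    {"name": "HR-Prod", "gss_target": "SNC/CN=SAP, OU=SAP Security, C=DE", "profile": "hr-smartcard"},
    {"name": "Company-Servers", "gss_target": "SNC/CN=Server*, O=Company xyz", "profile": "company-login"},
    {"name": "Everything-Else", "gss_target": "*", "profile": "default-login"},
]


def pattern_to_regex(pattern):
    """Translate a GSS Target Name pattern (wildcards * and ?) into an anchored
    regular expression; every other character matches literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def select_profile(snc_name, applications=APPLICATIONS):
    """Return the client profile for the SAP server with this SNC name, or None
    when no entry matches (first configured match wins, see lead-in)."""
    for app in applications:
        if pattern_to_regex(app["gss_target"]).match(snc_name):
            return app["profile"]
    return None


def shadowed_applications(applications=APPLICATIONS):
    """Entries that can never be selected because an earlier entry already
    matches everything they match: a bare '*' before them, or an earlier
    pattern that matches their wildcard-free target literally."""
    shadowed = []
    for i, later in enumerate(applications):
        literal = not any(c in later["gss_target"] for c in "*?")
        for earlier in applications[:i]:
            if earlier["gss_target"] == "*" or (
                    literal and pattern_to_regex(earlier["gss_target"]).match(later["gss_target"])):
                shadowed.append(later["name"])
                break
    return shadowed
```

The translation escapes every non-wildcard character, so commas, slashes and equals signs in SNC names never acquire regular-expression meaning.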
Figure: Administration Console Instance Management - Profiles

You can also specify the profiles action.

Parameter / Details
action: Existing profiles are handled as configured by action.
  Clean: Deletes all existing profiles in the selected policy key before the given ones are written.
  Replace: Replaces any existing profiles of the same name in the selected policy key with a given one.
  Keep: Keeps any existing profiles of the same name in the selected policy key and does not write the given one (default).
  The default value is Clean.
Add Profile: Adds a new profile.
Edit: Edits the chosen profile.
Delete: Deletes the chosen profile.

To define the profile parameters, choose the Add Profile or Edit button. When you add a profile, the profile configuration screen opens filled with all the default values; among them are PSE Type with the value windowslogin and Auto-Enroll set to True. Make sure that you set the values of these parameters according to the login module that is set in the Instance Configuration. For detailed information, see the parameter table below.
Parameter / Details
Profile Name: Defines a name for this profile template.
PSE Type: Authentication type.
  promptedlogin: Using this profile, the user is prompted to enter the user credentials. This applies to the login modules SecureLoginModuleLDAP, SecureLoginModuleSAP, SecureLoginModuleRADIUS, and BasicPasswordLoginModule.
  windowslogin: Using this profile, the user credentials are provided automatically (only available for Microsoft Windows authentication with SPNegoLoginModule).
  The default value is windowslogin.
Enroll URL*: Secure Login Server URL that is used for user authentication and certificate request. The Enroll URL depends on the instance configuration:
  <Server>/securelogin/PseServer: Enroll URL of the default instance of the Secure Login Server.
  <Server>/securelogin/PseServer&id=000xx: Enroll URL of instance xx (instance number) of the Secure Login Server.
  To configure further Enroll URLs, use the Add button. This is the failover configuration for the Secure Login Client: if the Secure Login Client cannot establish a connection to the first Enroll URL, it tries the next Enroll URL defined here.
HttpProxyURL: HTTP proxy to be used with the enrollment URLs. Only HTTP proxies without authentication and without SSL to the proxy are supported. Example: http://example.address.com:8888
Grace Period: Number of seconds before the certificate expires at which a re-enrollment is carried out. The default value is 0.
InactivityTimeout: Value in seconds until an automatic logout is performed (due to mouse and keyboard inactivity). Possible values:
  -1: No Single Sign-On (SSO). Each SNC connection forces a new login.
  0: No timeout. SSO without constraints. The default value is 0.
  n: Seconds until an automatic logout takes place.
Auto-Reenroll Attempts: The number of successive failed authentications after which automatic re-enrollment is stopped. You can activate user name and password caching to ensure the automatic re-enrollment of certificates that are about to expire. Possible values:
  0: Turned off. Does not re-enroll automatically and does not cache user name and password; a re-enrollment must always be performed manually by the user.
  n (greater than 0): Turned on with n tries to succeed. Tries to re-enroll a maximum of n times before either a new certificate is received or the cached user name and password are cleared. The error counter is reset on success.
  The default value is 0.
Key Size: RSA key length. The default value is 1024. Note that 1024-bit RSA keys are below the minimum accepted today; use 2048 bits or more where the issuing CA and the SNC peers support it.
NewPinType: Message text value used for messages (change PIN/password) to the Secure Login Client and Secure Login Web Client. Available values are pin and password.
Unique Client ID: Custom-defined string that is displayed in the instance log or can be used for network filtering.
Network Timeout (seconds): Network timeout in seconds before the connection is closed if the server does not respond. The default value is 45.
Reauthentication: Defines how many logon attempts are permitted with the Secure Login Client logon form before it is closed. Example with the value 4: the Secure Login Client offers the logon form 4 times (the logons fail, for example, due to wrong credentials) before the logon form is closed. The default value is 0; with this value, the logon form is never closed and the user needs to use the Cancel button to close it.
Verification of the SSL server host name against the Common Name (CN): Applies to the SSL server certificate; checks whether the peer host name is given in the Common Name (CN) field of the SSL server certificate.
  True: Verifies the SSL server host name against the Common Name (CN) field of the SSL server certificate.
  False: Does not verify the SSL server host name against the Common Name (CN) field of the SSL server certificate.
  The default value is False.
Verification of the SSL server host name against the Subject Alternative Name: Applies to the SSL server certificate; checks whether the peer host name is given in the Subject Alternative Name attribute of the certificate.
  True: Verifies the SSL server host name against the Subject Alternative Name attribute of the SSL server certificate.
  False: Does not verify the SSL server host name against the Subject Alternative Name attribute of the SSL server certificate.
  The default value is False.
Verification of the extended key usage: Applies to the SSL server certificate; specifies whether the system checks that the extended key usage ServerAuthentication is defined.
  True: Verifies that the extended key usage ServerAuthentication is defined in the SSL server certificate.
  False: Does not verify that the extended key usage ServerAuthentication is defined in the SSL server certificate.
  The default value is False.
  With all three checks left at False, the Secure Login Client does not verify that the SSL server certificate belongs to the host named in the Enroll URL; enable at least the Subject Alternative Name check for productive Enroll URLs.
User Warning MSIE: Turns on or off a warning dialog box that appears after a new certificate has been propagated to the Microsoft Crypto Store.
  True: Turns on the warning dialog box.
  False: Turns off the warning dialog box.
  Note: Microsoft Internet Explorer must be restarted. The default value is False.
Auto-Enroll: A user automatically gets an X.509 certificate when the Secure Login Client starts.
  False: Turned off.
  True: Automatic provisioning of user certificates.
  If PSE Type is set to windowslogin, the user credentials are provided automatically (only applies to Microsoft Windows authentication with SPNegoLoginModule). If PSE Type is set to promptedlogin, the system prompts the users to enter their credentials; this applies to the login modules SecureLoginModuleLDAP, SecureLoginModuleSAP, SecureLoginModuleRADIUS, and BasicPasswordLoginModule. If one of these login modules is set when the instance is created, the default is promptedlogin. If, in SP3 or higher, you change the login module type of an existing instance, for example from SPNegoLoginModule to SecureLoginModuleLDAP, you must manually set PSE Type to promptedlogin and Auto-Enroll to False. This also applies if you clone an instance or migrate from an old version.
Save: Saves the configuration.
Clear: Clears the fields.
Cancel: Cancels the configuration.
Download Files
This section describes how to download the relevant client policy files for the Secure Login Client. Use the files generated with this option if you want to export the client policy file for the current (active) instance.

Figure: Administration Console Instance Management Download Files

Parameter / Details
Client Policy and customer.zip: If you choose this option, the system asks you which file you want to download.
  ClientPolicy.xml: Instance profile configuration (Enroll URL) and client policy (Policy URL) in XML format.
  Customer.zip: Registry key that includes the configuration of the client profile (Policy URL). You can use this registry file for the Secure Login Client installation to define where the client profiles can be retrieved.
  customerAll.reg: Registry key that includes the configuration of the client profile (Policy URL) and the instance profiles (Enroll URL). This registry file can be used for the Secure Login Client installation to define where the client profiles can be retrieved; in addition, the instance profiles are installed.
  To download the desired file, click it.
Download: Downloads the desired file.

Global Client Policy
This section describes how to download the relevant client policy files (including all instances) for the Secure Login Client. Use this option if you want to include the complete Secure Login Server configuration, including all instances, in the client policy files for the Secure Login Client.
Figure: Administration Console Instance Management Global Client Policy

Parameter / Details
Generate: Use this button to generate the global client policy. All instance client policy configurations are stored in a global client policy file.
GlobalCustomer.reg: Registry key that includes the configuration of the client profile (Policy URL). You can use this registry file for the Secure Login Client installation to define where the client profiles of all instances can be retrieved. To download the desired file, click it.
GlobalCustomerAll.reg: Registry key that includes the configuration of the client profile (Policy URL) and the instance profiles (Enroll URL). You can use this registry file for the Secure Login Client installation to define where the client profiles of all instances can be retrieved. The instance profiles of all instances are also installed. To download the desired file, click it.
GlobalClientPolicy.xml: Profile configuration (Enroll URL) and client policy (Policy URL) for all instances in XML format.

If you use the Global Client Policy, note that you need to define unique application template names in each instance. Remember to use the Generate button after making changes in instances.
Instance Log
Monthly Log: Information about the instance.
Daily Log: Information about the user authentication.
Log Analysis: Summary of statistical information for the instance.
Log Setting: Configuration of the log settings.
Archive Log: Archived logs are shown here.

Monthly Log

Figure: Administration Console Instance Log Monthly Log

The Monthly Log table contains the following information:

Option / Details
Log Month: To display the log entries from a specific month, select it from the dropdown box. Use the Export Logs button to export the log file in *.CSV format.

Columns:
- The date the task was performed.
- The time the task was performed.
- The internal message code of the task performed.
- An abbreviated description of the message level. Possible message levels are:
  INF: Information
  ERR: Error
  WAR: Warning
- Description: the message text.

Daily Log

Figure: Administration Console Instance Log Daily Log

The Daily Log table contains the following information:

Option / Details
Log Date: To display the log entries from a specific date, select it from the dropdown box. Use the Export Logs button to export the log file in *.CSV format.

Columns:
- Time the user authentication was performed.
- Custom information defined in the client profile (Unique Client ID).
- DNS name and IP address of the client computer from which the user authentication was performed. Note: if multiple sets of DNS/IP are configured on the client computer, only the values of one set are displayed.
- The name of the user that performed the user authentication.
- A short description of the action, for example INIT_ACTION or AUTH_ACTION.
- Description of the user authentication result. Possible results are:
  ACM_OK: User authentication was successful.
  ACM_ACCESS_DENIED: User authentication failed.
  ACM_NEW_PIN_REQUIRED: Password/PIN change was requested.
  ACM_NEW_PIN_REJECTED: New password/PIN was not accepted.
  ACM_NEW_PIN_ACCEPTED: New password/PIN change was accepted.
  OK: Initial action was successful.
  INTERNAL_SERVER_ERROR: Server error.
  INVALID_MESSAGE_FORMAT: Invalid or incomplete client communication.
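The Daily Log export is the one artifact on this page that an incident responder will actually query, so here is an added example (not part of this guide, not product code) that runs two detections over a constructed CSV export laid out in the column order described above; the header names and the CSV layout are assumptions. The first detection is the per-account burst of ACM_ACCESS_DENIED results, the second is the password-spraying pattern (many different users denied from one client computer) that a per-account threshold alone does not catch.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed export (Time, Unique Client ID, Client DNS/IP, User, Action, Result).
SAMPLE_CSV = """Time,Unique Client ID,Client,User,Action,Result
08:00:01,HQ-PC,ws17.example.com/10.0.0.17,armstrongj,INIT_ACTION,OK
08:00:02,HQ-PC,ws17.example.com/10.0.0.17,armstrongj,AUTH_ACTION,ACM_OK
08:05:10,KIOSK,kiosk1.example.com/10.0.0.99,smith,AUTH_ACTION,ACM_ACCESS_DENIED
08:05:20,KIOSK,kiosk1.example.com/10.0.0.99,smith,AUTH_ACTION,ACM_ACCESS_DENIED
08:05:31,KIOSK,kiosk1.example.com/10.0.0.99,smith,AUTH_ACTION,ACM_ACCESS_DENIED
08:05:45,KIOSK,kiosk1.example.com/10.0.0.99,smith,AUTH_ACTION,ACM_ACCESS_DENIED
08:06:02,KIOSK,kiosk1.example.com/10.0.0.99,jones,AUTH_ACTION,ACM_ACCESS_DENIED
08:06:15,KIOSK,kiosk1.example.com/10.0.0.99,miller,AUTH_ACTION,ACM_ACCESS_DENIED
08:06:30,KIOSK,kiosk1.example.com/10.0.0.99,lee,AUTH_ACTION,ACM_ACCESS_DENIED
09:10:00,HQ-PC,ws17.example.com/10.0.0.17,armstrongj,AUTH_ACTION,ACM_NEW_PIN_REQUIRED
09:10:40,HQ-PC,ws17.example.com/10.0.0.17,armstrongj,AUTH_ACTION,ACM_NEW_PIN_ACCEPTED
"""


def load_daily_log(text):
    """Parse the export; the Time column becomes a datetime so that windows can be compared."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["Time"] = datetime.strptime(r["Time"], "%H:%M:%S")
    return rows


def result_summary(rows):
    """Count of each result code, the same figures Log Analysis summarises."""
    return dict(Counter(r["Result"] for r in rows))


def _max_in_window(times, window):
    """Largest number of events that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def denied_bursts(rows, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` ACM_ACCESS_DENIED authentications inside
    any `window`: a password-guessing or lockout signal for one account."""
    per_user = defaultdict(list)
    for r in rows:
        if r["Action"] == "AUTH_ACTION" and r["Result"] == "ACM_ACCESS_DENIED":
            per_user[r["User"]].append(r["Time"])
    hits = {}
    for user, times in per_user.items():
        count = _max_in_window(times, window)
        if count >= threshold:
            hits[user] = count
    return hits


def spray_sources(rows, min_users=3):
    """Client computers from which at least `min_users` different users were
    denied: the spraying pattern that stays under every per-user threshold."""
    users_per_client = defaultdict(set)
    for r in rows:
        if r["Result"] == "ACM_ACCESS_DENIED":
            users_per_client[r["Client"]].add(r["User"])
    return {c: len(u) for c, u in users_per_client.items() if len(u) >= min_users}
```

On the sample, denied_bursts flags only smith (four failures in 35 seconds) while spray_sources flags the kiosk, from which four different accounts were denied although none of jones, miller or lee failed more than once.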
Log Analysis You can use the Log Analysis to analyze statistical information about user authentication. To display the statistical information, define the desired start and end date and choose the Analysis button.
Figure: Administration Console Instance Log Log Analysis

Log Setting
This section describes the log file settings for the instance log management.
Parameter / Details
The maximum size in gigabytes for the log file directory (all log files). The default value is 1 gigabyte.
Maximum Individual File Size*: The maximum size of a log file in megabytes before it is archived. The default value is 10 megabytes.
Daily Log Cleanup Interval*: The interval (in days) after which the next cleanup of the daily logs starts. The default value is 30 days.
Monthly Log Cleanup Interval*: The interval (in months) after which the next cleanup of the monthly logs starts. The default value is 1 month.
Daily Log Analysis Period*: Defines the period length to be used in Log Analysis, that is, the length of the period from Start Date until End Date. The default value is 30 days.
Daily Log Prefix*: The file prefix for daily logs. This information is read-only.
Directory for Storing Daily Log Files*: The directory for daily log storage. This information is read-only.
Monthly Log Prefix*: The file prefix for monthly logs. This information is read-only.
Directory for Storing Monthly Log Files*: The directory for monthly log storage. This information is read-only.
Save: Saves the configuration.
Cancel: Cancels the configuration.

Archive Log
Archived log files are stored in the log file directory defined in Log Setting.

Column / Details
Name: The name under which the server has saved the log file(s).
Selected: A radio button to indicate which file is downloaded.

To download a log file archive, select an archive in the Selected column and choose Download. You are prompted to choose a location. The log files are in ZIP format. To delete a log file archive, select an archive in the Selected column and choose Delete.
Details
Checks the correct configuration of client policies and client profiles.
Checks if there are missing or invalid certificates.

Criteria / Details
Date: Current date and time information.
Version: Version of the Secure Login Server kernel.
Uptime: The amount of time the instance has remained active and running.
Instance ID: Chosen instance name.
Configuration URL: File location of the Secure Login Server configuration file Configuration.properties.
Configuration Status: Integrity check of the Secure Login Server status.
Lock Status:
  Lock Status = No: The chosen instance is not locked. Everything is OK and the instance is up and running.
  Lock Status = Yes: The chosen instance is locked, which means it has encountered a problem. In this case, check the server information pane in the top left of the screen for tasks yet to be performed, as well as the log files for possible problems. An Unlock button appears next to the table entry (provided the administrator role has the necessary permissions). Once you have resolved any problems, choose the Unlock button to reset the Lock Status.
Secure Login Servlet Status: Verifies the status of the instance Java servlet.
Server Build: Secure Login Server version.
Figure: Administration Console Instance Management To create a new instance, choose the Add button.
Figure: Administration Console Instance Management New Instance Define a name for the new instance and choose the OK button to continue.
Figure: Administration Console Instance Management New Instance Select the option Create a New Server Instance and choose the OK button to continue.
Figure: Administration Console Instance Management Add New Instance
Define the respective parameters (for more information, see section 3.4.1 DefaultServer Configuration). By default, the configuration for Authentication Server Configuration, Secure Login User CA Keystore, and User Certificate Configuration defined in the DefaultServer instance is reused. If you do not want to reuse this configuration, deactivate the option Use Default and define your own configuration. For example, if you want to define a different user authentication mechanism for this instance, deactivate the option Use Default in JaasModule and define a new value.
After you have performed the configuration, choose the OK button to continue.
Figure: Administration Console Instance Management New Client Policy Define the parameter for the client policy and choose the OK button to continue.
Figure: Administration Console Instance Management New Instance Created
The new instance was created and is displayed in the navigation tree. Remember to activate this new instance in Certificate Management (Mapping to Instance).

Create New Instance Option (Clone from an existing server instance using this Administration Console)
You can use the option Clone from an existing server instance using this Administration Console to clone an existing instance configuration.
Figure: Choose Existing Instance

Create New Instance Option (Migrate from an External Secure Login Server)
You can use the option Migrate from an External Secure Login Server to choose an existing instance configuration that is available in the file system (for example, a backup file copy of another Secure Login Server).
Option / Details
Add: Adds a new user.
Edit: Changes the settings for a selected user in the list.
Delete: Deletes a selected user from the list.
Assign Role: Assigns a role to a selected user in the list.
Figure: Administration Console Create User

Option / Details
ID: User logon name.
Name: User display name.
Password: Defines the user password.
Confirm Password: Confirms the user password.
Disabled: If this option is enabled, this user cannot log on to the administration console. This option is only visible when editing a user entry in the list.
Change Password: Check this option to change the password.
External Login: This feature uses user information stored in an Authentication Server database for authentication to the Secure Login Administration Console. Selecting this option displays the extra option External Login ID.
External Login ID: Define the user name for the desired Authentication Server database. For more information, see section 4.7 Configure External Login ID.
Certificate Login: This feature enables certificate-based logon to the Secure Login Administration Console. Selecting this option displays the extra option Certificate Login ID.
Certificate Login ID: For user mapping, the Subject Alternative Name (RFC822 name) attribute of the logon certificate is used. The value of the Subject Alternative Name is verified against the value defined in Certificate Login ID. For more information, see section 4.6 Configure SSL Certificate Logon.
Save: Saves the configuration.
Cancel: Cancels the configuration.
Passwords used in the Secure Login Server are restricted by the password policy:
- The password cannot be empty.
- The length of the password must be between 8 and 20 characters.
- The password must contain at least one uppercase letter.
- The password must contain at least one lowercase letter.
- The password must contain at least one digit.
- The password must contain at least one of the special characters.
Assign a Role Choose the desired user and choose the Assign Role button.
Figure: Assign Role to User To transfer one or more roles to the user, select one or more roles from the left-hand pane All Role and choose >>Add to transfer the roles to My Role. To remove one or more roles from the user, select the role(s) in the My Role column on the right and choose >>Delete to remove the role(s). To save the configuration, choose the Save button.
Predefined roles cannot be deleted or changed. To create a new role, use the Add button.
Option / Details
ID: The unique identifier for the role.
Name: The name used to describe the role.
Permission: Defines the permissions assigned to this role. The permissions are described in the Permission Description.
Instance List: Defines the permissions for the respective instances.
Figure: Administration Console Locked File Management Select the locked file to be unlocked and choose the Release button.
4 Other Configurations
This section describes some additional configuration steps.
Start SAP NetWeaver Administrator at the following URL:
http://<host_name>:<port>/nwa
Choose Configuration Management, then Authentication and Single Sign-On. Choose the tab Authentication and the configuration option Login Modules. The following Secure Login Server login modules are available:

SPNegoLoginModule: This login module is used to verify user credentials against a Microsoft Windows domain. By default, this login module is set in the Secure Login Server.
SecureLoginModuleLDAP: This login module is used to verify user credentials against an LDAP server or a Microsoft Active Directory system.
SecureLoginModuleRADIUS: This login module is used to verify user credentials against a RADIUS server.
SecureLoginModuleSAP: This login module is used to verify user credentials against an SAP ABAP server.

The names of the Secure Login Server login modules are used in the instance configuration. Refer to section 3.4 Instance Management.
SPNegoLoginModule
SPNegoLoginModule is the default login module of the Secure Login Server. To configure SPNego, use the appropriate configuration wizard. For more information, see the SAP NetWeaver Library 7.3 under SAP NetWeaver Library: Function-Oriented View > Security > User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using Kerberos Authentication. SPNegoLoginModule works in close conjunction with the user management engine (UME). Remember that you may need to configure the mapping mode of the Kerberos principal name to the UME or to change Customizing settings of the UME data source configuration. For more information, see the SAP NetWeaver Library 7.3 under SAP NetWeaver Library: Function-Oriented View > Security > User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using Kerberos Authentication > Configuring the UME for Kerberos Mapping. If you have an Active Directory environment with parent and child domains, configure the keytab file for both the parent and the child domain when you set up SPNego in SAP NetWeaver Java.
SecureLoginModuleLDAP
Choose the login module SecureLoginModuleLDAP and choose the Edit button to configure its parameters.

Option / Details
LdapBaseDN: Base DN of the LDAP server (start search path). There are several configuration options. The variable $USERID is replaced by the Secure Login Server with the user name for user verification against the authentication server.
  LDAP server: Define the search path where the user is located. Example: uid=$USERID,ou=Users,dc=yourdomain,dc=com
  Microsoft Active Directory: Define the search path where the user is located. Examples: $USERID@<Windows_domain> or cn=$USERID,cn=Users,dc=domain,dc=com
  If the parameter is not configured (empty), the Microsoft Windows UPN name is required for user authentication (to be entered in Secure Login Client).
LdapHost*: URL of the LDAP server or Active Directory server used to authenticate the user. We recommend that you configure secure communication using LDAPS; with plain ldap://, the bind sends the user's password to the directory unencrypted.
  ldaps://<FQDN or IP>:636
  ldap://<FQDN or IP>:389
LdapProviderLanguage: Character set encoding for communication between the Secure Login Server and the LDAP/ADS server. The default value is en-US.
LdapTimeout: Period of time the Secure Login Server waits for a response before trying the next LDAP/ADS server (in milliseconds). The default value is 100 milliseconds.
PasswordExpirationAttribute: LDAP attribute that contains the expiration date of the user password for the Secure Login Client. The Secure Login Server can process one of the following formats:
  Generalized time formats:
    20120630181530Z = 30 June 2012 18:15:30 (UTC)
    20120630191530+0100Z = 30 June 2012 19:15:30 local time at UTC+01:00, that is 18:15:30 UTC
    20120630181530.0Z = 30 June 2012 18:15:30 (UTC)
    20120630191530.0+0100Z = 30 June 2012 19:15:30 local time at UTC+01:00, that is 18:15:30 UTC
  Microsoft time format (100-nanosecond intervals since 1 January 1601 (UTC)):
    129855537300000000 = 30 June 2012 18:15:30 (UTC)
  Netscape password expiring time format (seconds until the password expires):
    864000 = 10 days from the current date until the password expires
  If a password expiration warning message is configured, the LdapBaseDN property must be given in complete DN form (UPN on Microsoft Active Directory). The PasswordExpirationAttribute value is used for the password expiration warning message only. By default, no value is defined.
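The three PasswordExpirationAttribute formats, as an added example that is not part of this guide and not Secure Login Server code. It converts each format to a UTC instant, using the table's own values as test data, and decides whether a warning is due for a given warning interval in days. The Netscape format is relative, so a constructed reference time NOW is fixed here; detecting the format from the shape of the value is an assumption, the product's own detection is not described on this page.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed reference "now" so that the relative Netscape format is reproducible.
NOW = datetime(2012, 6, 20, 12, 0, 0, tzinfo=timezone.utc)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

_GENERALIZED = re.compile(r"^(\d{14})(?:\.\d+)?(Z|[+-]\d{4})?Z?$")


def parse_generalized_time(value):
    """YYYYMMDDHHMMSS with an optional fraction and either 'Z' or a +hhmm/-hhmm
    offset. The offset-plus-'Z' spelling used in the table above is accepted by
    ignoring the trailing 'Z' (assumption). The result is normalised to UTC."""
    m = _GENERALIZED.match(value)
    if not m:
        raise ValueError("unsupported generalized time: " + value)
    local = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    zone = m.group(2)
    if zone in (None, "Z"):
        return local.replace(tzinfo=timezone.utc)
    sign = 1 if zone[0] == "+" else -1
    offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5]))
    return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def parse_filetime(value):
    """Microsoft format: 100-nanosecond intervals since 1 January 1601 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def parse_expiration(value, now=NOW):
    """Return the expiration instant (UTC) for any of the three attribute formats."""
    s = value.strip()
    if s.isdigit() and len(s) >= 17:       # FILETIME values for current dates have 18 digits
        return parse_filetime(s)
    if s.isdigit() and len(s) < 14:        # Netscape: seconds until the password expires
        return now + timedelta(seconds=int(s))
    return parse_generalized_time(s)       # 14 digits, optionally with fraction and zone


def days_until_expiry(value, now=NOW):
    return (parse_expiration(value, now) - now).total_seconds() / 86400


def warning_due(value, warn_days, now=NOW):
    """True when the password expires within the warning interval (or has
    already expired), which is when the client should show the warning."""
    return days_until_expiry(value, now) <= warn_days
```

Getting the offset sign wrong shifts every expiry by an hour in the wrong direction, which is why the UTC+01:00 rows above are tested against the same UTC instant as the plain Z rows.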
The interval (in days) for a password expiration warning message to be sent to the Secure Login Client prior to a password expiring.
Determines which password expiration warning message is used. This value is used for the password expiration warning only and is only valid for the Secure Login Client. The default value is LDAP1. Do not change this value.
TrustStore: Path to the Java certificate key store used by the Secure Login Server. The key store is used to enable LDAP over SSL (LDAPS); use of a Java key store (*.jks) is mandatory when using LDAPS. By default, no value is defined. If LDAPS is used, configure the following value:
  Microsoft Windows: <INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\Instances\TrustStore.jks
  Linux: /usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances/TrustStore.jks

To save the configuration, choose the Save button.

SecureLoginModuleRADIUS
Choose the login module SecureLoginModuleRADIUS and choose the Edit button to configure its parameters. Entries marked with * are mandatory.
Option / Details
Authenticator*: Authentication method for the RADIUS server. Possible values are CHAP, MSCHAP, and PAP. The default value is PAP.
AuthPort*: The port number used by the RADIUS server for authentication requests. Typical values are 1645 or 1812 (1812 is the IANA-assigned RADIUS authentication port, 1645 the legacy one). The default value is 1645.
PinAlphanumeric: PIN format. This parameter is only used with OTP tokens. Possible values:
  true: The user can choose, and use, a PIN that contains only alphanumeric characters (A-Z, a-z, 0-9).
  false: The user can choose, and use, a PIN that contains alphanumeric and special characters (such as !$%&).
  The default value is false.
RADIUSServerIP*: Host address of the RADIUS server (used for user authentication).
ServerIniFile: For configuring specific RADIUS server messages. You need to define the full path and file name. By default, no configuration file is required.
SharedSecret*: The shared secret is used to encrypt the user password. This shared secret also needs to be defined in the RADIUS server. Save the shared secret in encrypted form. For more information, see 5.5.3 Ensuring Encrypted Communication with Shared Secret.
TimeOut*: Period of time the Secure Login Server waits for a response before trying the next RADIUS server (in milliseconds). The default value is 5000 milliseconds.
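What "the shared secret is used to encrypt the user password" means for the PAP authenticator, as an added example that is not part of this guide and not Secure Login Server or RADIUS-server code: the User-Password hiding of RFC 2865 section 5.2 (MD5 of the secret and the Request Authenticator, XORed with the password in 16-byte chained blocks). The sample secret and values are constructed. The last function shows the offline attack that a short or guessable shared secret allows from a single captured Access-Request, which is the reason the guide's advice to store it encrypted and to pick a strong one matters.

```python
import hashlib
import os

SHARED_SECRET = b"example-shared-secret"   # constructed; use a long random value in practice


def new_request_authenticator():
    """16 random bytes; must be unpredictable and never reused with the same secret."""
    return os.urandom(16)


def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: pad to 16-byte blocks, then
    c_1 = p_1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_(i-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded or len(padded) > 128:
        raise ValueError("password must be 1..128 bytes")   # RFC 2865 limit
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk                                          # chain on the hidden block
    return bytes(out)


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")   # strip NUL padding; passwords cannot contain NUL


def guess_secret(hidden, authenticator, known_password, candidates):
    """Offline attack from one captured Access-Request whose password is known
    (for example the attacker's own account): the candidate that un-hides to
    the known password is the shared secret for every other user as well."""
    for candidate in candidates:
        if unhide_password(hidden, candidate, authenticator) == known_password:
            return candidate
    return None
```

Note what the construction does not give: the hidden password is only as secret as the shared secret and the MD5 keystream, and nothing in an Access-Request authenticates the client to the server beyond that, so the link between the Secure Login Server and the RADIUS server still needs network-level protection.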
SecureLoginModuleSAP
Choose the login module SecureLoginModuleSAP and choose the Edit button to configure its parameters.

Option / Details
Define the SAP client number in which the SAP user is to be verified.
Path where the SNC certificate used by the Secure Login Server is located. This configuration is not required if the environment variable SECUDIR was configured (see the Installation, Configuration, and Administration Guide of the Secure Login Library). Configure the appropriate value for your operating system:
  Microsoft Windows: <ASJava_Installation>\sec, for example D:\usr\sap\ABC\J00\sec
  Linux: <ASJava_Installation>/sec, for example /usr/sap/ABC/J00/sec
PasswordAlphanummeric: This parameter is part of the password policy for the client-side policy consistency check. Possible values:
  true: The password can contain only alphanumeric characters (A-Z, a-z, 0-9).
  false: The password can contain alphanumeric and special characters (such as !$%&).
  This parameter must be consistent with the SAP password policy. The default value is true.
PasswordMax: This parameter is part of the password policy for the client-side policy consistency check, specifically the maximum number of characters in the password. This parameter must be consistent with the SAP password policy. The default value is 30.
PasswordMin: This parameter is part of the password policy for the client-side policy consistency check, specifically the minimum number of characters in the password. This parameter must be consistent with the SAP password policy. The default value is 1.
SAPaccount*: The technical SAP user account name used by the Secure Login Server. This technical user is created on the desired SAP ABAP server, and you need to configure its SNC name. Example: SLSSNC
SAPServer*: IP address or host name of the SAP ABAP server.
SNCServerName*: SNC name of the desired SAP ABAP server. Example: p:CN=ABC, OU=SAP Security, C=DE
Further parameters: SAP system number; maximum number of connections; timeout for login; maximum number of connections until authentication is blocked.
Figure: User Authentication Work Process (diagram). Components shown: Secure Login Client and Secure Login Web Client; SAP NetWeaver Secure Login Server with Instance 1 to Instance 4 and the login modules SecureLoginModuleLDAP, SecureLoginModuleSAP and SPNegoLoginModule; the authentication servers LDAP Server, ABAP Server and Java Server/ADS; Secure Login Admin Console and SAP NetWeaver Administrator for administration.

The authentication work process takes place as follows:
1. Start Secure Login Client or Secure Login Web Client.
2. Choose the desired client profile and enter your user name and password.
3. The instance responsible for the chosen client profile is used. You configure the link to the login module (for example, SecureLoginModuleLDAP) within the instance configuration (Secure Login Administration Console, Instance Management).
4. The instance triggers the login module. The login module establishes a connection to the authentication server. Login modules are configured in SAP NetWeaver Administrator.
5. The Secure Login Server sends the user credentials to the authentication server. If the response is successful, the Secure Login Server provides a user certificate to the Secure Login Client or Secure Login Web Client.
- User type is System.
- Deactivate the password.
- Define the SNC name, which must match the SNC certificate created in Certificate Management (certificate type: SNC_CERT).
- Choose the tab Profiles and define the following authorization profiles: S_A.SCON, S_A.SYSTEM, S_USER_ALL, S_USER_RFC, Z_TRANS_RFC.
S_A.SYSTEM and S_USER_ALL are broad administrative profiles; since this user logs on only through SNC with the Secure Login Server's certificate, the PSE that holds that certificate must be protected accordingly.
Figure: Mozilla Firefox Extension for Secure Login Web Client
Use the link shown there to install the Firefox extension.
If your Mozilla Firefox browser does not open an extension installation dialog but only allows you to save the file, you have the following choices:
- Choose the option Open with and choose the Mozilla Firefox application.
- Save the file to your desktop, then drag and drop it into any Firefox window.
- Ask your Web portal administrator to add a new MIME type application/x-xpinstall for XPI files.
Figure: Install Mozilla Firefox Extension
Install the Firefox extension by choosing Install Now, and restart Mozilla Firefox.
Figure: Uninstall Mozilla Firefox Extension Secure Login Security Module
To uninstall, select the Firefox extension Secure Login Security Module and choose the Remove button.
2. Upload the configuration file using the Secure Login Administration Console (section 3.3.12 Web Client Configuration).
3. We recommend that you save config.properties in the following directory:
Microsoft Windows: \SecureLoginServer\servlet_jsp\SlsWebClient\root\DownloadPacks\WIN32
Mac OS: \SecureLoginServer\servlet_jsp\SlsWebClient\root\DownloadPacks\MAC_UNI
Linux: \SecureLoginServer\servlet_jsp\SlsWebClient\root\DownloadPacks\LIN26_I686
During an installation, the config.properties file is deleted. Make a backup of this file before you execute an installation, and copy it back to the relevant directory afterwards.
Note that some configuration files are still stored in the default folder (sapsnc).
1. In the navigation tree, choose the node Certificate Management and use the SAP CA to create a LOGIN_CERT certificate. In the certificate attribute Subject Alternative Names (E-mail), define the name that will be mapped to the attribute Certificate Login ID in User Management (for example, LoginCert_Admin).
2. Save the settings, export this certificate in P12 format, and import it into the administrator's user environment (for example, into the Internet Explorer browser). The P12 file contains the private key of the login certificate; protect it during transfer and delete it after the import.
3. In the navigation tree, choose the node User Management and edit the desired user. Choose the option SSL Certificate Login and define the parameter Certificate Login ID (for example, LoginCert_Admin).
4. Save the configuration and restart the Secure Login Server application server.
5. Start the Secure Login Administration Console by calling its URL using HTTPS (which is enabled for certificate-based login); the user is authenticated automatically. A message box might appear, prompting you to choose the desired certificate. In this case, choose the certificate to be used for logon.
- Access to the operating system where the Secure Login Server application is installed.
- Access to the key file for server credentials encryption. The key file is a file on the Secure Login Server with random content and is used to secure password information in configuration files. This key file was generated in the Initial Wizard (section 2.6.1 Initial Configuration).

Step 1
Log on to the operating system where the Secure Login Server is installed. Edit the file SLSRecoverPassword.bat (Microsoft Windows) or SLSRecoverPassword.sh (Linux) and change the path to the file iaik_jce.jar.
Microsoft Windows
<ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\servlet_jsp\securelogin\root\WEB-INF\lib\SLSRecoverPassword.bat

SLSRecoverPassword.bat
    @echo off
    REM Adjust this path to the location of the IAIK library on your system
    SET IAIK_JARS_PATH=D:\usr\sap\ABC\J00\j2ee\cluster\bootstrap\iaik_jce.jar
    IF NOT EXIST "%IAIK_JARS_PATH%" GOTO ErrorLib
    java -cp "SLSRecoverPassword.jar;%IAIK_JARS_PATH%" com.secude.util.misc.SecudeUtilities %*
    GOTO End
    :ErrorLib
    ECHO IAIK Library not found, please correct the path to the library in this script!
    :End
Linux
<ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/servlet_jsp/securelogin/root/WEB-INF/lib/SLSRecoverPassword.sh

SLSRecoverPassword.sh
    #!/bin/sh
    # Please check that this path points to the correct location of the IAIK library
    IAIK_JARS_PATH=/usr/sap/ABC/J00/j2ee/cluster/bootstrap/iaik_jce.jar
    if [ -f "$IAIK_JARS_PATH" ]; then
        java -cp "SLSRecoverPassword.jar:$IAIK_JARS_PATH" com.secude.util.misc.SecudeUtilities "$@"
    else
        echo "IAIK Library not found, please correct the path to the library in this script!" >&2
        exit 1
    fi
Other possible locations of the file iaik_jce.jar:
- <drive>:\usr\sap\ABC\J00\j2ee\JSPM\lib\
- <drive>:\usr\sap\ABC\SYS\global\security\lib\engine\
- <drive>:\usr\sap\ABC\SYS\global\security\lib\tools\
Save the script file SLSRecoverPassword.
Step 2
Obtain the encrypted password string for the desired user. The encrypted password string is later used in the command line tool. The user information is available in the configuration file user.xml, which is located in the following directory:
Microsoft Windows: <INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\Instances\user.xml
Linux: /usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances/user.xml

user.xml
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <Users>
      <User disable="false" id="Admin" lanCode="en_US" name="Administrator" predefined="true" roles="Super User">
        <Password>encrypted_password_string</Password>
      </User>
    </Users>
Step 3
Open a command line shell and change to the folder where SLSRecoverPassword.bat (Microsoft Windows) or SLSRecoverPassword.sh (Linux) is located:
Microsoft Windows: <ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\servlet_jsp\securelogin\root\WEB-INF\lib\SLSRecoverPassword.bat
Linux: <ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/servlet_jsp/securelogin/root/WEB-INF/lib/SLSRecoverPassword.sh

Run the following command to decrypt and display the password for the desired user:
    SLSRecoverPassword --decrypt <encrypted_password_string> <file_location_of_the_key_file>

Example:
    SLSRecoverPassword --decrypt encrypted_password_string D:\usr\sap\ServerKeyFile\KeyFile.txt

The password is displayed. Output of the SLSRecoverPassword command:
    Encode password=encrypted_password_string with key
You can use the following command to encrypt a password:
    SLSRecoverPassword --encrypt <password> <file_location_of_the_key_file>

The encrypted password string is displayed. To display help on the SLSRecoverPassword command, use:
    SLSRecoverPassword --help

Anyone with read access to both user.xml and the key file can recover every stored password with this tool, so restrict operating system access to these two files to the administrators who need it. Passwords passed on the command line also end up in the shell history; clear it after use.
4.9 Monitoring
This section describes how to retrieve the Secure Login Server status; for example, integration in Network Monitoring Tools. Several interfaces are available.
Status of a server instance (the example uses instance number 00010):
    http://<host_name>:<port>/securelogin/PseServer?op=status&id=00010
To retrieve the server instance number, click the node Instance Management and check the ID of the desired instance. Use the HTTPS port of the application server for this request where it is available.
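The Python script below is an added example, not SAP's code, of the kind of monitoring check that would call this status interface from a network monitoring tool. It builds the status URL for a given instance number (zero-padded to five digits as in the guide's id=00010), fetches it with a timeout and maps the answer to an exit code. Assumptions: the guide does not show the body of a healthy reply, so HTTP 200 without the tokens ERROR_ACTION or INTERNAL_SERVER_ERROR (named in the troubleshooting chapter of this guide) is treated as healthy; HTTPS is the default scheme; exit codes follow the Nagios plugin convention (0 OK, 2 CRITICAL, 3 UNKNOWN). Host, port and instance values are whatever you pass in; none are taken from a real installation.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Error tokens named in this guide's troubleshooting chapter. The guide does not show the body
# of a healthy status reply, so (assumption) HTTP 200 without one of these tokens counts as healthy.
ERROR_TOKENS = ("ERROR_ACTION", "INTERNAL_SERVER_ERROR")

# Nagios plugin exit codes (convention, not from the guide).
OK, CRITICAL, UNKNOWN = 0, 2, 3


def status_url(host: str, port, instance_number, scheme: str = "https") -> str:
    """Build the status URL for one server instance; the guide shows the id zero-padded
    to five digits (id=00010 for instance 10)."""
    query = urlencode({"op": "status", "id": f"{int(instance_number):05d}"})
    return f"{scheme}://{host}:{port}/securelogin/PseServer?{query}"


def classify(http_status, body: str):
    """Map a reply (status code, body) to an exit code and a one-line message."""
    if http_status is None:
        return CRITICAL, "CRITICAL - no response from Secure Login Server"
    if http_status != 200:
        return CRITICAL, f"CRITICAL - HTTP {http_status} from status interface"
    for token in ERROR_TOKENS:
        if token in body:
            return CRITICAL, f"CRITICAL - server reported {token}"
    return OK, "OK - instance status retrieved"


def fetch(url: str, timeout: float = 10.0):
    """GET the URL; return (status, body), or (None, "") if no HTTP reply arrived."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def check_instance(host, port, instance_number, fetcher=fetch):
    """Full check; the fetcher is injectable so the decision logic can be tested offline."""
    return classify(*fetcher(status_url(host, port, instance_number)))


if __name__ == "__main__":
    # Usage: check_sls.py <host> <port> <instance_number>
    if len(sys.argv) != 4:
        print("usage: check_sls.py <host> <port> <instance_number>", file=sys.stderr)
        sys.exit(UNKNOWN)
    code, message = check_instance(sys.argv[1], sys.argv[2], sys.argv[3])
    print(message)
    sys.exit(code)
```

Once you have seen what a healthy instance actually returns on your system, tighten classify() to require that body rather than merely the absence of the error tokens; a monitoring check that accepts any 200 is easy to satisfy with a misrouted request.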
Parameter / Type (descriptions of these parameters are not on this page):
PolicyTTL: DWORD
NetworkTimeout: DWORD
DisableUpdatePolicyOnStartup: DWORD
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\applications\<Application Name>]

GssTargetName (STRING): Application-specific PSE URI (SAP server SNC name) that is matched when a suitable profile is searched. You can use the wildcards * and ?. Examples: CN=SAP, OU=SAP Security, C=DE or CN=Server*, O=Company xyz. The value * means that the client profile is used for all SAP servers.

profile (STRING): The name of the client profile to be used for the desired application.

allowFavorite (DWORD): Allow the user to select the authentication profile manually in Secure Login Client. 0: the user cannot select the authentication profile manually in Secure Login Client. 1: the user can select the authentication profile manually in Secure Login Client. The default value is 1.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<Profile Name>]

profileName (STRING): The name of the client profile to be used for the desired application.

pseType (STRING): Authentication type. promptedlogin: using this profile, the user is requested to enter the user credentials. windowslogin: using this profile, the user credentials are provided automatically (only available for Microsoft Windows authentication). The default value is windowslogin.

enrollURL0 (STRING): Secure Login Server URL that is used for user authentication and certificate request. The Enroll URL depends on the instance configuration: <server>/securelogin/PseServer is the Enroll URL of the default instance of the Secure Login Server; <server>/securelogin/PseServer?id=000xx is the Enroll URL of instance xx (instance number). Use the Add button to configure further Enroll URLs. This is the failover configuration of the Secure Login Client: if the connection to the first Enroll URL cannot be established, the Secure Login Client tries the next Enroll URL defined here.

httpProxyURL (STRING): HTTP proxy to be used with the enrollment URLs. Only HTTP proxies without authentication and without SSL to the proxy are supported. Example: http://example.address.com:8888

reAuthentication (DWORD): Number of login attempts after which the Secure Login Client login form is closed. Example with value 4: the Secure Login Client offers the login form 4 times (for example, after wrong credentials) before the login form is closed. The default value is 0: the login form is never closed, and the user has to use the Cancel button to close it.

gracePeriod (DWORD): Time in seconds before the certificate expires at which a re-enrollment is carried out. The default value is 0.

inactivityTimeout (DWORD): Time in seconds of mouse and keyboard inactivity after which an automatic logout is performed. Possible values: -1: No Single Sign-On (SSO); each SNC connection forces a new login. 0: No timeout; SSO without constraints. > 0: Seconds until an automatic logout is executed. The default value is 0.

autoReenrollTries (DWORD): The number of failed authentications in a row after which automatic re-enrollment is stopped. User name and password caching can be turned on to provide the automatic re-enrollment of certificates that are going to expire. Possible values: 0: Turned off; do not re-enroll automatically and do not cache user name and password; a re-enrollment must always be performed manually by the user. > 0 (n): Turned on with n tries; try to re-enroll a maximum of n times before either a new certificate is received or the user name and password cache is cleared. The error counter is reset on success. The default value is 0.

autoEnroll (DWORD): A user automatically gets an X.509 certificate when the Secure Login Client starts. 0: Turned off. 1: Automatic provisioning of user certificates. If pseType is set to windowslogin, the user credentials are provided automatically (only applies to Microsoft Windows authentication). If pseType is set to promptedlogin, the system prompts the users to enter their credentials.

keySize (DWORD): RSA key length. The default value is 1024 (hexadecimal value: 400). See the recommendation under Basic Constraints below to use 2048 bit RSA keys or higher (2048 is hexadecimal 800).

UniqueClientID (STRING): Custom-defined string; it is displayed in the instance log and can be used for network filtering.

networkTimeout (DWORD): Network timeout (in seconds) before the connection is closed if the server does not respond. The default value is 45 (hexadecimal value: 2d).

sslHostCommonNameCheck (DWORD): Applies to the SSL server certificate; checks whether the peer host name is given in the Common Name (CN) field of the SSL server certificate. 1: Verify the SSL server host name against the Common Name (CN) field of the SSL server certificate. 0: Do not verify the SSL server host name against the Common Name (CN) field. The default value is 0.

sslHostAlternativeNameCheck (DWORD): Applies to the SSL server certificate; checks whether the peer host name is given in the Subject Alternative Name attribute of the certificate. 1: Verify the SSL server host name against the Subject Alternative Name attribute of the SSL server certificate. 0: Do not verify the SSL server host name against the Subject Alternative Name attribute. The default value is 0.

sslHostExtensionCheck (DWORD): Applies to the SSL server certificate; checks whether the extended key usage ServerAuthentication is defined. 1: Verify whether the extended key usage ServerAuthentication is defined in the SSL server certificate. 0: Do not verify whether the extended key usage ServerAuthentication is defined. The default value is 0.

With all three SSL checks at their default of 0, the client does not verify that the SSL server certificate was issued for the host name of the enroll URL it connects to, so any certificate it otherwise trusts is accepted for that URL. In production, set sslHostAlternativeNameCheck (or sslHostCommonNameCheck) and sslHostExtensionCheck to 1 and use HTTPS enroll URLs only.

userWarningMSIE (DWORD): Turn on/off a warning dialog box that appears after a new certificate has been propagated to the Microsoft Crypto Store. 1: Turn on the warning dialog box. 0: Turn off the warning dialog box. NOTE: Microsoft Internet Explorer must be restarted. The default value is 0.

newPinType (STRING): Message text value used for messages (change PIN/password) to the Secure Login Client and Secure Login Web Client. Available values are pin and password.
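The Python script below is an added example, not SAP's code, of an audit over the client policy described in the table above: it parses a customer.reg export of the kind the configuration examples in chapter 5 tell you to import on each client PC and flags the weak settings discussed above (an enroll URL that is not HTTPS, no SSL host name check, no ServerAuthentication extended key usage check, an RSA key below the 2048 bit this guide recommends, and inactivityTimeout 0, which is reported for review because it means SSO without any inactivity logout). Assumptions: the additional failover enroll URLs are stored as enrollURL1, enrollURL2, ... (the table only names enrollURL0); .reg values are "name"="string" or "name"=dword:hex; the finding codes are this script's own; the sample .reg content is constructed. A file exported by regedit is UTF-16, so read it with encoding="utf-16" before passing it to audit_reg().

```python
import re
from typing import Dict, List, Tuple

# Policy root from the guide; profile keys sit directly below it.
PROFILES_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles"

# Constructed sample of a customer.reg with one weak profile (not a real deployment).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\SAP_Prod]
"profileName"="SAP_Prod"
"pseType"="promptedlogin"
"enrollURL0"="http://sls.example.com:50000/securelogin/PseServer?id=00010"
"enrollURL1"="https://sls2.example.com:50001/securelogin/PseServer?id=00010"
"keySize"=dword:00000400
"inactivityTimeout"=dword:00000000
"sslHostCommonNameCheck"=dword:00000000
"networkTimeout"=dword:0000002d
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Defaults from the guide's parameter table, applied when a value is absent from the .reg file.
DEFAULTS = {"keySize": 1024, "inactivityTimeout": 0, "sslHostCommonNameCheck": 0,
            "sslHostAlternativeNameCheck": 0, "sslHostExtensionCheck": 0}


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the .reg subset used by the client policy: [key] lines, "name"="string"
    and "name"=dword:hex. Other value types (hex:, @=) are ignored."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, rhs = m.group(1), m.group(2).strip()
            if rhs.lower().startswith("dword:"):
                keys[current][name] = int(rhs[6:], 16)
            elif len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
                keys[current][name] = rhs[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
    return keys


def audit_profile(values: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for one profile key."""
    v = {**DEFAULTS, **values}
    findings: List[Tuple[str, str]] = []
    # Every enroll URL in the failover list must be HTTPS; one plaintext entry is enough to downgrade.
    for name in sorted(n for n in v if re.fullmatch(r"enrollURL\d+", n)):
        if not str(v[name]).lower().startswith("https://"):
            findings.append(("ENROLL_URL_PLAINTEXT", f"{name}={v[name]}"))
    # With both host name checks at 0 the client never ties the server certificate to the host.
    if not (v["sslHostCommonNameCheck"] or v["sslHostAlternativeNameCheck"]):
        findings.append(("NO_SSL_HOSTNAME_CHECK", "sslHostCommonNameCheck and sslHostAlternativeNameCheck are 0"))
    if not v["sslHostExtensionCheck"]:
        findings.append(("NO_SERVER_AUTH_EKU_CHECK", "sslHostExtensionCheck is 0"))
    if int(v["keySize"]) < 2048:  # the guide recommends 2048 bit or higher
        findings.append(("WEAK_RSA_KEY", f"keySize={v['keySize']}"))
    if int(v["inactivityTimeout"]) == 0:  # 0 means SSO without any inactivity logout
        findings.append(("NO_INACTIVITY_TIMEOUT", "inactivityTimeout=0"))
    return findings


def audit_reg(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Audit every profile key under the Secure Login policy root in a .reg export."""
    prefix = PROFILES_ROOT.lower() + "\\"
    return {key.rsplit("\\", 1)[1]: audit_profile(values)
            for key, values in parse_reg(text).items() if key.lower().startswith(prefix)}


if __name__ == "__main__":
    for profile, findings in audit_reg(SAMPLE_REG).items():
        print(f"[{profile}] {len(findings)} finding(s)")
        for code, detail in findings:
            print(f"  {code}: {detail}")
```

Run it against the customer.reg you distribute before rolling it out, and again against a reg export from a client (reg export "HKLM\SOFTWARE\Policies\SAP\SecureLogin" policy.reg) to catch machines where the policy was edited after deployment.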
Basic Constraints
The RSA Key Length depends on the customer requirements. We recommend that you use 2048 Bit RSA keys or higher.
The user CA certificate should include the complete certificate chain. This means all public certificate information of the chain should be provided.
Typically the file is provided in P12 format. The Secure Login Server requires the PSE format to import it using the Secure Login Administration Console. Use the SAP tool SAPGENPSE to convert the P12 file to PSE format:
    sapgenpse import_p12 -x <PSE_password> -z <P12_password> -p <PSE_file_name>.pse <P12_file_name>.p12
Both passwords appear on the command line and therefore in the shell history and the process list; clear the history afterwards (or enter them interactively if your sapgenpse version prompts for them), and delete or securely store the P12 file once the import has succeeded, since it contains the CA private key.
Log on to the Secure Login Administration Console and import the PSE file in Certificate Management. Choose USER_CA and the option Import Certificate. Restart the Secure Login Server Application.
4.12 Configuring Secure Login Servers as Failover Servers for High Availability
Use Case
You want to ensure high availability of the Secure Login Server. For example, you want to prevent a situation in which the Secure Login Client sends a certificate request and gets no response.
Concept
Install and run several Secure Login Servers on different AS Java servers acting as failover servers. The URLs of the available Secure Login Servers are listed in the Enroll URL parameter of the client policy; this is where the Secure Login Client checks which path to use. If the first Secure Login Server is down, it goes to the next Secure Login Server specified in the list.
Configuration
1. Log on to the administration console.
2. Choose Instance Management > DefaultServer Configuration > Client Configuration and go to the Profiles tab.
3. Choose the Add Profile button to get to the Add/Modify Client Profile screen.
4. Next to the URL of the Enroll URL parameter, choose the Add button. A new row with the previous URL as default value appears.
5. Enter the URL of the failover Secure Login Server. To configure more Secure Login Servers as failover servers, add new rows and enter the relevant URLs.
6. Save your entries.
We recommend that you maintain this failover configuration in all Secure Login Servers you use. For more information about the parameter Enroll URL, see 4.10.2 Applications and Profiles.
Concept
Install and run authentication servers of the same type, for example two LDAP servers, in different networks as an authentication failover solution. The authentication logic of the Secure Login Server is handled by login modules. Several login modules of the same kind are put into login module stacks (authentication stacks). These login modules are configured to run against different authentication servers and therefore have, for example, different IP addresses. When an authentication request comes in, the Secure Login Server tries the configured login modules in order until it reaches an authentication server that is online and returns an authentication result. If, for any reason, the login module at the top of the stack does not respond, the Secure Login Server sends its authentication request to the next login module in the stack and expects it to process the request.

For more information, see the Help Portal at http://help.sap.com/nw703/ and choose Application Help > SAP Library > SAP NetWeaver Library > SAP NetWeaver by Key Capability > Security > User Authentication and Single Sign-On > Authentication on the AS Java > Login Modules and Login Module Stacks.

If you simply insert and list login modules without organizing them in a stack, you cannot change the configuration of a login module: SAP NetWeaver only accepts the default configuration of a login module. For the authentication failover solution, however, you need to adapt values such as the destination paths and the timeout.
You therefore create a login module stack (with a dedicated name) that contains a number of login modules for authentication failover. Copy the login modules, list them in a login module stack, change their names, and adapt the configuration. Authentication with the Secure Login Server only works with the following login modules.
Login Modules Used by the Secure Login Server

Name                      Usage                                     Note
SecureLoginModuleLDAP     Direct usage or in login module stack    Does not depend on UME
SecureLoginModuleRADIUS   Direct usage or in login module stack    Does not depend on UME
SecureLoginModuleSAP      Direct usage or in login module stack    Does not depend on UME
BasicPasswordLoginModule  Not for login module stack               With UME
SPNegoLoginModule         Not for login module stack               With UME
Limitations
Put only login modules of the same kind into the login module stack. We do not support the use of different login modules (mixed authentication types).
14. Set the flag to SUFFICIENT to make sure that the authentication proceeds down the list to the next login module if the authentication is not successful (with SUFFICIENT, a successful login module ends the evaluation of the stack immediately, a failed one passes control to the next module).
15. Set the authentication-relevant parameters and save your changes. In these entries, you can change the names and the configuration. For more information, see the Application Help at http://help.sap.com/nw731/ under SAP Library > SAP NetWeaver Library: Function-Oriented View > Security > User Authentication and Single Sign-On > Authentication Infrastructure > Login Modules > Policy Configurations and Authentication Stacks.
4. Save your changes. You have now implemented a failover solution using SAP NetWeaver login module stacks.
Login module: SecureLoginModuleRADIUS
Parameter: TimeOut
Description: Timeout for login
(The other rows of this table, whose module and parameter names are not on this page, describe: Timeout for login; Maximum number of connections until authentication is blocked; Timeout for login.)
You can set the timeout of the login modules in the login module stack as follows: 1. Select the login module for which you want to change the timeout. The table below the module name contains its parameters and their values. 2. Go down to the section for the login module options and choose the Add button. 3. In the New Login Module Option dialog box, enter the name of the parameter you want to add and provide a value. 4. Save your changes.
the first group of users and one for the second group of users, with each login module stack containing only one login module.
Configuration
1. Configure a login module stack in the policy configuration of the SAP NetWeaver JAAS as described above (see 4.13.1 Configuration of SAP NetWeaver AS Java). Use the REQUISITE flag for your login module stack (with REQUISITE, a failed login module stops the evaluation of the stack immediately; a successful one passes control to the next module). Set the authentication-relevant parameters as desired.
2. In the Secure Login Administration Console, enter the name of the login module stack. Proceed with the configuration as described above (see 4.13.2 Configuration of the Secure Login Server).
5 Configuration Examples
This section describes some configuration examples for Secure Login Server.
This user certificate is displayed in the Secure Login Client Console and is available in the Microsoft Certificate Store (User Certificate Store).
For more information, see section 4.3 Create Technical User in SAP Server.
13. Install the Secure Login Client application on the client PC (for more information, see the Installation, Configuration and Administration Guide for the Secure Login Client). Import the customer.reg files into the client registry. Verify whether the certificate chain (trust relation) of the SSL server certificate is in the Microsoft Certificate Store (Computer Certificate Store); import missing certificates.
14. Restart your client PC.
15. In Secure Login Client, the profile defined in Instance Management is displayed in the Secure Login Client Console. Double-click this profile and enter the SAP user name and password. After successful authentication, an X.509 user certificate is provided. This user certificate is displayed in the Secure Login Client Console and is available in the Microsoft Certificate Store (User Certificate Store).
Import the customer.reg files into the client registry. Verify whether the certificate chain (trust relation) of the SSL server certificate is in the Microsoft Certificate Store (Computer Certificate Store); import missing certificates.
9. Restart your client PC.
10. In Secure Login Client, the profile defined in Instance Management is displayed in the Secure Login Client Console. Double-click this profile and enter the user name and password (RADIUS user database). After successful authentication, an X.509 user certificate is provided. This user certificate is displayed in the Secure Login Client Console and is available in the Microsoft Certificate Store (User Certificate Store).
Checks and Activities

If you use the default path:
1. Rename your securid.ini file, for example, to securid.old.
2. Update the installation to Secure Login Server SP2.
3. Rename securid.old to securid.ini, thus overwriting the installed sample file.
4. Check whether the path entered in SAP NetWeaver Administrator is %GLOBAL_SLS_CONF_DIR%/Instances/securid.ini.
5. Copy your securid.ini into the RADIUS server environment.

If you use a custom directory path:
1. Make sure that your custom directory path is entered in SAP NetWeaver Administrator, either in the login module or in the login module stack.
2. Copy your securid.ini into the RADIUS server environment.

In either case, compare the securid.ini files on the Secure Login Server and on the RADIUS server to make sure that they are identical.

To change the path in SAP NetWeaver Administrator, proceed as follows:
1. Go to SAP NetWeaver Administrator. Under Authentication and Single Sign-On, choose Login Modules.
2. Select the login module SecureLoginModuleRADIUS.
3. On the Login Module Options tab, find the parameter SecuridFile. Here you see the relative path to the global directory, %GLOBAL_SLS_CONF_DIR%/Instances/securid.ini.
4. Enter the path where you stored your securid.ini file.
5. Save your changes.

If you are using a login module stack, enter the path to the securid.ini file in the configuration of the login module stack.
For more information, see the Help Portal at http://help.sap.com/nw703/ and choose Application Help > SAP Library > SAP NetWeaver Library > SAP NetWeaver by Key Capability > Security > User Authentication and Single Sign-On > Authentication on the AS Java > Login Modules and Login Module Stacks.
5. Select the character string in this field and copy it to the clipboard.
6. In SAP NetWeaver Administrator (you can use the link on the Secure Login Server screen), choose Authentication and Single Sign-On > Login Modules.
7. Select the login module SecureLoginModuleRADIUS.
8. On the Login Module Options tab, find the parameter SharedSecret. Paste the encrypted character string of the shared secret as the value of this parameter.
9. Save your changes.

If you are using a login module stack, enter the encrypted shared secret in the configuration of the login module stack instead.
6 Troubleshooting
This section gives additional information about troubleshooting for Secure Login Server.
Is verification using different user credentials?
Log on to the Secure Login Administration Console and check the log information in Instance Log Management. Check whether the user authentication is displayed. If not, there may be a problem on the Secure Login Client or Secure Login Web Client. Verify the following parameter in the registry:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<profile_name>]
    enrollURL0 = <URL>
- Check whether the enrollURL is configured for the desired instance (Secure Login Administration Console, Instance Management).
- Copy this URL into a browser and check whether a response is displayed (ignore the responses ERROR_ACTION or INTERNAL_SERVER_ERROR).
- Change the URL of the parameter enrollURL to HTTP and check whether this works. If it does, the problem is with the HTTPS connection; if you are using HTTPS, it probably relates to the certificate trust relationship. In this case, import the root certificate on which the SSL server certificate depends into the Microsoft Certificate Store (Computer Certificate Store). Switch the enroll URL back to HTTPS once the trust problem is fixed; do not leave plaintext enrollment configured, since the user credentials are sent over this connection.
- Verify whether the authentication mechanism in the instance is correctly configured: JaasModule = SecureLoginModule<respective_authentication_server_type>
- Choose the node Certificate Management and verify whether the parameter Mapping to Instance (USER_CA) is enabled (checkbox) for this instance.
- Start SAP NetWeaver Administrator and verify the connection configuration parameters in the login module SecureLoginModule<respective_authentication_server_type>.
- Restart the Secure Login Server application. For some configuration changes in the Secure Login Administration Console a restart of the Secure Login Server application is required.
- Enable the server trace in the Secure Login Administration Console (section 6.3 Enable Secure Login Server Trace) and start the diagnostic trace tool in SAP NetWeaver Administrator: choose Problem Management > Logs and Traces > Security Troubleshooting Wizard, choose the diagnostic type Authentication and choose Start Diagnostics. Repeat the user authentication in Secure Login Client or Secure Login Web Client, stop the trace by choosing Stop Diagnostics, and analyze the results.
Log on to the Secure Login Administration Console and verify the log information in Instance Log Management. Check whether the user authentication is displayed. If not, there may be a problem in the Secure Login Client or Secure Login Web Client.
- Verify whether the authentication mechanism in the instance is configured correctly: JaasModule = SecureLoginModuleSAP
- Verify whether the Instance Mapping in Certificate Management is enabled (checkbox) for this instance.
- Start SAP NetWeaver Administrator and verify the connection configuration parameters in the login module SecureLoginModuleSAP.
- Verify whether the Secure Login Library is installed correctly; see the installation described in section 2.1.1 Secure Login Library.
- Verify whether the folder <ASJava_Installation>\exe, which is used by the Secure Login Library, is included in the Java library path. Check the Java library path (libpath) in the trace file <ASJava_Installation>\work\dev_jstart.
- Verify whether an SNC certificate was provided to the Secure Login Library PSE environment: the security token container file pse.zip must be available in the folder <ASJava_Installation>\sec. Start a command line shell, change to the folder <ASJava_Installation>/exe, set the environment variable SECUDIR=<ASJava_Installation>/sec and run:
    snc -O <SAP Service User> status -v
  Microsoft Windows example: snc -O SAPServiceABC status -v
  Linux example: snc -O abcadm status -v
- Verify whether a technical user was created on the SAP ABAP server, with the required authorization profiles and the correct SNC name.
- Enable the Secure Login Library trace and analyze the problem. For more information, see section 6.4 Enable Secure Login Library Trace. If the error message "Couldn't acquire DEFAULT INITIATING credentials" is displayed, verify whether the environment variable SECUDIR is configured correctly for the user who starts the SAP server, and verify the installation of the Secure Login Library in section 2.1.1 Secure Login Library.
The file sec_log_file_filename.txt contains the name of the trace file. The name can contain %.PID.%, which is replaced by the process ID. A typical SAP Web AS creates multiple work processes, so use this placeholder to avoid parallel access to the same file by all processes.
Microsoft Windows example (content of sec_log_file_filename.txt):
    C:\sec\log-%.PID.%.txt
The file sec_log_file_level.txt contains the trace level as a single digit. Example (content of sec_log_file_level.txt): 4

Value   Details
0       No trace
1       Errors
2       Errors and warnings
3       Errors, warnings and logs
4       Errors, warnings, logs and information
The PseInstance<instance_number>.lock file is written to the folder:

Microsoft Windows:
<INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\Instances\<instance_number>\

Linux:
/usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances/<instance_number>/

Analyze and solve the problem before deleting the lock file or changing the status in Secure Login Administration Console (use the Unlock button).
Solution

Open regedit and locate the parameter TcpTimedWaitDelay under:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Set the value for TcpTimedWaitDelay to 30 seconds.
JAAS_RADIUS_ERROR

AUTH_RESULT_ACTION_OK_MSG
AUTH_RESULT_ACTION_DENIED_MSG
NEW_PIN_REPLY_ACCEPTED_MSG: The new PIN/password was accepted.
NEW_PIN_REPLY_REJECTED_MSG: A new PIN/password is required.
AUTH_SERVER_TIMEOUT_MSG: If the login module cannot establish a connection to the authentication server, a timeout error is set.

Solution for the result messages: N/A (result only).

Possible reasons for this error may be one of the following:
- Unable to establish an SNC connection to the SAP server:
  - Secure Login Server SAP user is not properly configured.
  - Secure Login Server SAP user does not have the required permissions.
  - Faulty SNC configuration for the Secure Login Server.
- Timeout in the network connection.
- Authentication server is down.

CERT_CREATE_ERROR: ... certificate.
CERT_INIT_ERROR: An error occurred while accessing the resources needed for this process, that is, the PSE used.
PSE_ADMIN_ERROR: An error occurred inside the PSE admin Server.
PSE_ARCHIVE_ERROR: This code may be due to insufficient disk space or no write access when writing/creating the log file, and so on. Solution: Make sure the application has the access rights to write to, or create, the specified log directory, and that there is enough disk space.
PSE_CREATE_ERROR: This code can indicate a problem while creating an outgoing message.
PSE_HANDLING_ERROR: An error occurred while handling a client request.
PSE_INIT_ERROR: May be caused when initializing the servlets. This is usually the case when the Secure Login Server configuration could not be read, either because the configuration URL is not set in the configuration file of the servlet engine or the file could not be found under the specified URL. Solution: Make sure the URL to the Configuration.properties file is set correctly.
PSE_IO_ERROR: Occurs when the servlet cannot send its response to the client due to network problems.
PSE_SERVER_ERROR: An error occurred with the PSE Server.
PSE_SERVER_TIMEOUT: Solution: Check in the login module configuration that the timeout value is high enough.

Further solutions listed for the errors in this table:
- Verify parameter PseName in Instance Management. Make sure that the configuration file Configuration.properties contains the correct name, password, and aliases for the specific PSE.
- Verify the certificate in Certificate Management. Verify parameter PseName in Instance Management.
- Make sure that the configuration file Configuration.properties contains all mandatory entries.
on logging and have a look at the log file to get more information about the cause of the error. To remedy the error, it is generally sufficient to restart SAP GUI and your browser, so that the configuration is read in again.
CALL_FUNCTION_NO_DEST
CALL_FUNCTION_OPTION_OVERFLOW
CALL_FUNCTION_NO_LB_DEST
CALL_FUNCTION_NO_RECEIVER
CALL_FUNCTION_NOT_REMOTE
CALL_FUNCTION_REMOTE_ERROR
CALL_FUNCTION_SIGNON_INCOMPL
CALL_FUNCTION_SIGNON_INTRUDER
CALL_FUNCTION_SIGNON_INVALID
CALL_FUNCTION_SIGNON_REJECTED: ... error). No external user check. Invalid user type. Validity period of the user exceeded. No authorization to log on as a trusted system.

CALL_FUNCTION_SINGLE_LOGIN_REJ: The error code may have any of the following meanings:
- Incorrect logon data for valid security ID.
- Calling system is not a trusted system or security ID is invalid.
- Either the user does not have RFC authorization (authorization object S_RFCACL), or a logon was performed using one of the protected users DDIC or SAP*.
- Time stamp of the logon data is invalid.

CALL_FUNCTION_SYSCALL_ONLY: RFC without valid user ID only allowed when calling a system function module.

The meaning of the error codes is the same as for CALL_FUNCTION_SINGLE_LOGIN_REJ.

CALL_FUNCTION_TABINFO: Data error (info internal table) during an RFC.
CALL_FUNCTION_TABLE_NO_MEMORY: No memory available for the table being imported.
CALL_FUNCTION_TASK_IN_USE: For asynchronous RFC only: task name is already being used.
CALL_FUNCTION_TASK_YET_OPEN: For asynchronous RFC only: the specified task is already open.
CALL_FUNCTION_NO_AUTH: No RFC authorization.
CALL_RPERF_SLOGIN_AUTH_ERROR: No trusted authorization for RFC caller and trusted system.
CALL_RPERF_SLOGIN_READ_ERROR: No valid trusted entry for the calling system.
RFC_NO_AUTHORITY: No RFC authorization for user.
CALL_FUNCTION_BACK_REJECTED: Destination BACK is not permitted in current program.
CALL_XMLRFC_BACK_REJECTED: Destination BACK is not permitted in current program.
CALL_FUNCTION_DEST_SCAN: Error while evaluating RFC destination.
CALL_FUNCTION_CONFLICT_TAB_TYP: Type conflict while transferring table.
CALL_FUNCTION_CREATE_TABLE: No memory available for creating a local internal table.
CALL_FUNCTION_UC_STRUCT: Type conflict while transferring structure.
CALL_FUNCTION_DEEP_MISMATCH: Type conflict while transferring structure.
CALL_FUNCTION_WRONG_VALUE_LENG: Invalid data type while transferring parameters.
CALL_FUNCTION_PARAMETER_TYPE: Invalid data type while transferring parameters.
CALL_FUNCTION_ILLEGAL_DATA_TYP: Invalid data type while transferring parameters.
CALL_FUNCTION_ILLEGAL_INT_LEN: Type conflict while transferring an integer.
CALL_FUNCTION_ILL_INT2_LENG: Type conflict while transferring an integer.
CALL_FUNCTION_ILL_FLOAT_FORMAT: Type conflict while transferring a floating point number.
CALL_FUNCTION_ILL_FLOAT_LENG: Type conflict while transferring a floating point number.
CALL_FUNCTION_ILLEGAL_LEAVE: Invalid LEAVE statement on RFC Server.
CALL_FUNCTION_OBJECT_SIZE: Type conflict while transferring a reference.
CALL_FUNCTION_ROT_REGISTER: Type conflict while transferring a reference.
7 List of Abbreviations
Abbreviation  Meaning
ADS           Active Directory Service
CA            Certification Authority
CAPI          Microsoft Crypto API
CSP           Cryptographic Service Provider
DN            Distinguished Name
EAR           Enterprise Application Archive
HTTP          Hyper Text Transport Protocol
HTTPS         Hyper Text Transport Protocol with Secure Socket Layer (SSL)
IAS           Internet Authentication Service (Microsoft Windows Server 2003)
JAAS          Java Authentication and Authorization Service
JSPM          Java Support Package Manager
LDAP          Lightweight Directory Access Protocol
NPA           Network Policy and Access Services (Microsoft Windows Server 2008)
PIN           Personal Identification Number
PKCS          Public Key Cryptography Standards
PKCS#10       Certification Request Standard
PKCS#11       Cryptographic Token Interface Standard
PKCS#12       Personal Information Exchange Syntax Standard
PKI           Public Key Infrastructure
PSE           Personal Security Environment
RADIUS        Remote Authentication Dial-In User Service
RFC           Remote function call (SAP NetWeaver term)
RSA           Rivest, Shamir and Adleman
SAR           SAP Archive
SCA           Software Component Archive
SLAC          Secure Login Administration Console
SLC           Secure Login Client
SLL           Secure Login Library
SLS           Secure Login Server
SLWC          Secure Login Web Client
SNC           Secure Network Communication (SAP term)
SSL           Secure Socket Layer
8 Glossary
Authentication
A process that checks whether a person is really who they claim to be. In a multi-user or network system, authentication means the validation of a user's logon information. A user's name and password are compared against an authorized list.
Base64 encoding
The Base64 encoding is a three-byte-to-four-character encoding based on an alphabet of 64 characters. This encoding was introduced in PEM (RFC 1421) and MIME. Other uses include HTTP Basic Authentication headers and general binary-to-text encoding applications. Note: Base64 encoding expands binary data by 33%, which is quite efficient.
CAPI
See Cryptographic Application Programming Interface
Certificate
A digital identity card. A certificate typically includes:
- The public key being signed.
- A name which can refer to a person, a computer, or an organization.
- A validity period.
- The location (URL) of a revocation center.
- The digital signature of the certificate produced by the private key of the CA.
Certificate Store
Sets of security certificates belonging to user tokens or certification authorities.
CREDDIR
A directory on the Server in which information is placed that goes beyond the PSE (personal security environment).
Credentials
Used to establish the identity of a party in communication. Usually they take the form of machine-readable cryptographic keys and/or passwords. Cryptographic credentials may be self-issued, or issued by a trusted third party; in many cases the only criterion for issuance is unambiguous association of the credential with a specific, real individual or other entity. Cryptographic credentials are often designed to expire after a certain period, although this is not mandatory. Credentials have a defined time to live (TTL) that is configured by a policy and managed by a Client service process.
Directory Service
Provides information in a structured format. Within a PKI: contains information about the public key of the user of the security infrastructure, similar to a telephone book (e.g. an X.500 or LDAP directory).
Key Usage
Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For example, if you have a key used only for signing, enable the digital signature and/or non-repudiation extensions. Alternatively, if a key is used only for key management, enable key encipherment.
PKCS#11
PKCS refers to a group of Public Key Cryptography Standards devised and published by RSA Security. PKCS#11 is an API defining a generic interface to cryptographic tokens.
PEM
See Privacy Enhanced Mail.
PIN
See Personal Identification Number.
Public FSD
Public file system device. An external storage device that uses the same file system as the operating system.
Root certificate
The certificate of the root CA.
RSA
An asymmetric cryptographic procedure, developed by Rivest, Shamir, and Adleman in 1977. It is the most widely used algorithm for encryption and authentication and is used in many common browsers and mail tools. Security depends on the length of the key: key lengths of 1024 bits or higher are regarded as secure.
Single Sign-On
A system that administers authentication information, allowing a user to log on to systems and open programs without the need to enter authentication information every time (automatic authentication).
Token
A security token (or sometimes a hardware token, authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens. Smart-card-based USB tokens (which contain a Smart Card chip inside) provide the functionality of both USB tokens and Smart Cards. They enable a broad range of security solutions and provide the abilities and security of a traditional Smart Card without requiring a unique input device (Smart Card reader). From the computer operating system's point of view, such a token is a USB-connected Smart Card reader with one non-removable Smart Card present. Tokens provide access to a private key that allows performing cryptographic operations. The private key may be persistent (like a PSE file, Smart Card, or CAPI container) or non-persistent (like temporary keys provided by Secure Login).
X.500
A standardized format for a tree-structured directory service.
X.509
A standardized format for certificates and revocation (blocking) lists.