SAP NetWeaver Single-Sign-On SP1

Installation, Configuration and Administration Guide
SAP NetWeaver Single-Sign-On SP1

Secure Login Server
PUBLIC
Document Version: 1.1 October 2011
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com
Copyright 2011 SAP AG. All rights reserved.

JavaScript is a registered trademark of Sun Microsystems, Inc., used
No part of this publication may be reproduced or transmitted in any
under license for technology invented and implemented by Netscape.
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP
notice.
BusinessObjects Explorer, and other SAP products and services
Some software products marketed by SAP AG and its distributors
mentioned herein as well as their respective logos are trademarks or
contain proprietary software components of other software vendors.
registered trademarks of SAP AG in Germany and other countries.
Microsoft, Windows, Outlook, and PowerPoint are registered
Business Objects and the Business Objects logo, BusinessObjects,
trademarks of Microsoft Corporation.
Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and

other Business Objects products and services mentioned herein as well
IBM, DB2, DB2 Universal Database, System i, System i5, System p,
as their respective logos are trademarks or registered trademarks of
System p5, System x, System z, System z10, System z9, z10, z9,
Business Objects Software Ltd. in the United States and in other
iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390,
countries.
OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM,

Power Architecture, POWER6+, POWER6, POWER5+, POWER5,
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere,
POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System
and other Sybase products and services mentioned herein as well as
Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks,
their respective logos are trademarks or registered trademarks of
OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner,
Sybase, Inc. Sybase is an SAP company.
WebSphere, Netfinity, Tivoli and Informix are trademarks or

registered trademarks of IBM Corporation.
All other product and service names mentioned are the trademarks of
their respective companies. Data contained in this document serves
Linux is the registered trademark of Linus Torvalds in the U.S. and
informational purposes only. National product specifications may
other countries.
vary.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either
These materials are subject to change without notice. These materials
trademarks or registered trademarks of Adobe Systems Incorporated in
are provided by SAP AG and its affiliated companies ("SAP Group")
the United States and/or other countries.
for informational purposes only, without representation or warranty of

any kind, and SAP Group shall not be liable for errors or omissions
Oracle is a registered trademark of Oracle Corporation.
with respect to the materials. The only warranties for SAP Group
products and services are those that are set forth in the express
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the
warranty statements accompanying such products and services, if any.
Open Group.
Nothing herein should be construed as constituting an additional
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,
warranty.
VideoFrame, and MultiWin are trademarks or registered trademarks of

Citrix Systems, Inc.
Disclaimer
Some components of this product are based on Java. Any
HTML, XML, XHTML and W3C are trademarks or registered
code change in these components may cause unpredictable
trademarks of W3C, World Wide Web Consortium, Massachusetts
and severe malfunctions and is therefore expressively
Institute of Technology.
prohibited, as is any decompilation of these components.
Java is a registered trademark of Sun Microsystems, Inc.
Any Java Source Code delivered with this product is

only to be used by SAPs Support Services and may not be
stringutils http://sourceforge.net/projects/stringutils/
modified or altered in any way.

Copyright (c) 2006 Andrea S. Gozzi, Valerio Romeo
Permission is hereby granted, free of charge, to any person obtaining a
Terms for Included Open

Source Software
copy of this software and associated documentation files (the

"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
This SAP software contains also the third party open source software
distribute, sublicense, and/or sell copies of the Software, and to permit
products listed below. Please note that for these third party products
persons to whom the Software is furnished to do so, subject to the
the following special terms and conditions shall apply.
following conditions:
Prototype JavaScript Framework http://www.prototypejs.org/
The above copyright notice and this permission notice shall be

included in all copies or substantial portions of the Software.
Copyright (c) 2005-2010 Sam Stephenson

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to permit
persons to whom the Software is furnished to do so, subject to the
following conditions:
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,

INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT
OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,

INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT. IN NO EVENT SHALL THE
opencsv 1.7.1 http://opencsv.sourceforge.net/
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY

CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
Apache License
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
Version 2.0, January 2004
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
http://www.apache.org/licenses/
OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND
DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
Licensor for inclusion in the Work by the copyright owner or by an
and distribution as defined by Sections 1 through 9 of this document.
individual or Legal Entity authorized to submit on behalf of the

copyright owner. For the purposes of this definition, "submitted"
"Licensor" shall mean the copyright owner or entity authorized by the
means any form of electronic, verbal, or written communication sent
copyright owner that is granting the License.
to the Licensor or its representatives, including but not limited to

communication on electronic mailing lists, source code control
"Legal Entity" shall mean the union of the acting entity and all other
systems, and issue tracking systems that are managed by, or on behalf
entities that control, are controlled by, or are under common control
of, the Licensor for the purpose of discussing and improving the Work,
with that entity. For the purposes of this definition, "control" means (i)
but excluding communication that is conspicuously marked or
the power, direct or indirect, to cause the direction or management of
otherwise designated in writing by the copyright owner as "Not a
such entity, whether by contract or otherwise, or (ii) ownership of fifty
Contribution."
percent (50%) or more of the outstanding shares, or (iii) beneficial

ownership of such entity.
"Contributor" shall mean Licensor and any individual or Legal Entity

on behalf of whom a Contribution has been received by Licensor and
"You" (or "Your") shall mean an individual or Legal Entity exercising
subsequently incorporated within the Work.
permissions granted by this License.

2. Grant of Copyright License. Subject to the terms and conditions of
"Source" form shall mean the preferred form for making
this License, each Contributor hereby grants to You a perpetual,
modifications, including but not limited to software source code,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
documentation source, and configuration files.
copyright license to reproduce, prepare Derivative Works of, publicly

display, publicly perform, sublicense, and distribute the Work and
"Object" form shall mean any form resulting from mechanical
such Derivative Works in Source or Object form.
transformation or translation of a Source form, including but not

limited to compiled object code, generated documentation, and
3. Grant of Patent License. Subject to the terms and conditions of this
conversions to other media types.
License, each Contributor hereby grants to You a perpetual,

worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except
"Work" shall mean the work of authorship, whether in Source or
as stated in this section) patent license to make, have made, use, offer
Object form, made available under the License, as indicated by a
to sell, sell, import, and otherwise transfer the Work, where such
copyright notice that is included in or attached to the work (an
license applies only to those patent claims licensable by such
example is provided in the Appendix below).
Contributor that are necessarily infringed by their Contribution(s)

alone or by combination of their Contribution(s) with the Work to
"Derivative Works" shall mean any work, whether in Source or Object
which such Contribution(s) was submitted. If You institute patent
form, that is based on (or derived from) the Work and for which the
litigation against any entity (including a cross-claim or counterclaim in
editorial revisions, annotations, elaborations, or other modifications
a lawsuit) alleging that the Work or a Contribution incorporated within
represent, as a whole, an original work of authorship. For the purposes
the Work constitutes direct or contributory patent infringement, then
of this License, Derivative Works shall not include works that remain
any patent licenses granted to You under this License for that Work
separable from, or merely link (or bind by name) to the interfaces of,
shall terminate as of the date such litigation is filed.
the Work and Derivative Works thereof.

4. Redistribution. You may reproduce and distribute copies of the
"Contribution" shall mean any work of authorship, including the
Work or Derivative Works thereof in any medium, with or without
original version of the Work and any modifications or additions to that
modifications, and in Source or Object form, provided that You meet
Work or Derivative Works thereof, that is intentionally submitted to
the following conditions:
(a) You must give any other recipients of the Work or Derivative
6. Trademarks. This License does not grant permission to use the trade
Works a copy of this License; and
names, trademarks, service marks, or product names of the Licensor,

except as required for reasonable and customary use in describing the
(b) You must cause any modified files to carry prominent notices
origin of the Work and reproducing the content of the NOTICE file.
stating that You changed the files; and

7. Disclaimer of Warranty. Unless required by applicable law or
(c) You must retain, in the Source form of any Derivative Works that
agreed to in writing, Licensor provides the Work (and each
You distribute, all copyright, patent, trademark, and attribution notices
Contributor provides its Contributions) on an "AS IS" BASIS,
from the Source form of the Work, excluding those notices that do not
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
pertain to any part of the Derivative Works; and
either express or implied, including, without limitation, any warranties

or conditions of TITLE, NON-INFRINGEMENT,
(d) If the Work includes a "NOTICE" text file as part of its
MERCHANTABILITY, or FITNESS FOR A PARTICULAR
distribution, then any Derivative Works that You distribute must
PURPOSE. You are solely responsible for determining the
include a readable copy of the attribution notices contained within
appropriateness of using or redistributing the Work and assume any
such NOTICE file, excluding those notices that do not pertain to any
risks associated with Your exercise of permissions under this License.
part of the Derivative Works, in at least one of the following places:

within a NOTICE text file distributed as part of the Derivative Works;
8. Limitation of Liability. In no event and under no legal theory,
within the Source form or documentation, if provided along with the
whether in tort (including negligence), contract, or otherwise, unless
Derivative Works; or, within a display generated by the Derivative
required by applicable law (such as deliberate and grossly negligent
Works, if and wherever such third-party notices normally appear. The
acts) or agreed to in writing, shall any Contributor be liable to You for
contents of the NOTICE file are for informational purposes only and
damages, including any direct, indirect, special, incidental, or
do not modify the License. You may add Your own attribution notices
consequential damages of any character arising as a result of this
within Derivative Works that You distribute, alongside or as an
License or out of the use or inability to use the Work (including but
addendum to the NOTICE text from the Work, provided that such
not limited to damages for loss of goodwill, work stoppage, computer
additional attribution notices cannot be construed as modifying the
failure or malfunction, or any and all other commercial damages or
License.
losses), even if such Contributor has been advised of the possibility of

such damages.
You may add Your own copyright statement to Your modifications

and may provide additional or different license terms and conditions
9. Accepting Warranty or Additional Liability. While redistributing
for use, reproduction, or distribution of Your modifications, or for any
the Work or Derivative Works thereof, You may choose to offer, and
such Derivative Works as a whole, provided Your use, reproduction,
charge a fee for, acceptance of support, warranty, indemnity, or other
and distribution of the Work otherwise complies with the conditions
liability obligations and/or rights consistent with this License.
stated in this License.
However, in accepting such obligations, You may act only on Your

own behalf and on Your sole responsibility, not on behalf of any other
5. Submission of Contributions. Unless You explicitly state otherwise,
Contributor, and only if You agree to indemnify, defend, and hold
any Contribution intentionally submitted for inclusion in the Work by
each Contributor harmless for any liability incurred by, or claims
You to the Licensor shall be under the terms and conditions of this
asserted against, such Contributor by reason of your accepting any
License, without any additional terms or conditions. Notwithstanding
such warranty or additional liability.
the above, nothing herein shall supersede or modify the terms of any
separate license agreement you may have executed with Licensor
regarding such Contributions.
Typographic Conventions
Type Style
Example Text
Description
Words or characters quoted from
the screen. These include field
names, screen titles,
pushbuttons labels, menu
names, menu paths, and menu
options.
Cross-references to other
documentation
Example text
Emphasized words or phrases in

body text, graphic titles, and
table titles
EXAMPLE TEXT
Technical names of system

objects. These include report
names, program names,
transaction codes, table names,
and key concepts of a
programming language when
they are surrounded by body
text, for example, SELECT and
INCLUDE.
Example text
Output on the screen. This

includes file and directory names
and their paths, messages,
names of variables and
parameters, source text, and
names of installation, upgrade
and database tools.
Example text
Exact user entry. These are

words or characters that you
enter in the system exactly as
they appear in the
documentation.
<Example text>
Variable user entry. Angle

brackets indicate that you
replace these words and
characters with appropriate
entries to make entries in the
system.
EXAMPLE TEXT
Keys on the keyboard, for

example, F2 or ENTER.
Icons
Icon
Meaning
Caution
Example
Note
Recommendation
Syntax
Additional icons are used in SAP Library

documentation to help you identify different
types of information at a glance. For more
information, see Help on Help General
Information Classes and Information Classes
for Business Information Warehouse on the
first page of any version of SAP Library.
Contents
1 What is Secure Login? ....................................................................... 9
1.1 System Overview .................................................................................. 10
1.2 System Overview with Security Token ............................................... 11
1.3 System Overview with Secure Login Server ...................................... 14
1.4 Instances ............................................................................................... 16
1.5 PKI Structure ........................................................................................ 17
1.6 Secure Communication ....................................................................... 18
1.7 Policy Server Overview ........................................................................ 19
1.8 Secure Login Web Client ..................................................................... 20
2 Secure Login Server Installation ..................................................... 21

2.1 Prerequisites ........................................................................................ 21
2.1.1 Secure Login Library ................................................................................................... 22
2.2 Secure Login Server Installation with Telnet ..................................... 26

2.3 Secure Login Server Installation with JSPM ...................................... 27
2.4 Secure Login Server Uninstallation .................................................... 30
2.5 Updating the Secure Login Server to SP1 ......................................... 30
2.6 Initial Configuration Wizard ................................................................. 31
2.6.1 Initial Configuration ..................................................................................................... 31
2.6.2 Enable Remote Access for Initial Wizard.................................................................... 47
2.6.3 Configure SSH Tunnel ................................................................................................ 48
3 Administration ................................................................................... 49
3.1 Logon to Administration Console....................................................... 49
3.2 Welcome Page ...................................................................................... 50
3.2.1 Change Password....................................................................................................... 51
3.3 Server Configuration............................................................................ 52

3.3.1 Edit Server Configuration ............................................................................................ 54
3.3.2 Edit Login Type Setting ............................................................................................... 55
3.3.3 Certificate Management .............................................................................................. 57
3.3.4 Trust Store Management ............................................................................................ 69
3.3.5 Certificate Template .................................................................................................... 70
3.3.6 System Check ............................................................................................................. 77
3.3.7 Message Settings ....................................................................................................... 78
3.3.8 SNC Configuration ...................................................................................................... 82
3.3.9 Server Status .............................................................................................................. 83
3.3.10 Sign Certificate Requests ......................................................................................... 84
3.3.11 Console Log Viewer .................................................................................................. 86
3.3.12 Web Client Configuration .......................................................................................... 88
3.4 Instance Management .......................................................................... 95

3.4.1 DefaultServer Configuration ....................................................................................... 95
3.4.2 Create a New Instance ............................................................................................. 117
3.5 Console Users .................................................................................... 121

3.5.1 User Management .................................................................................................... 121
3.5.2 Role Management..................................................................................................... 124
3.5.3 Locked Files Management ........................................................................................ 125
4 Other Configurations ...................................................................... 126

4.1 Configure Login Module .................................................................... 126
06/2011
4.2 Verify Authentication Server Configuration ..................................... 132

4.3 Create Technical User in SAP Server ............................................... 133
4.4 Mozilla Firefox Support ...................................................................... 133
4.4.1 Install Firefox Extension ............................................................................................ 133
4.4.2 Uninstall Mozilla Firefox Extension ........................................................................... 134
4.5 Customize Secure Login Web Client ................................................ 135

4.6 Configure SSL Certificate Logon ...................................................... 135
4.7 Configure External Login ID .............................................................. 136
4.8 Emergency Recovery Tool ................................................................ 136
4.9 Monitoring ........................................................................................... 139
4.9.1 Web Service Status .................................................................................................. 139
4.9.2 XML Interface ............................................................................................................ 139
4.10 Secure Login Client Policy and Profiles ......................................... 141

4.10.1 Client Policy ............................................................................................................ 141
4.10.2 Applications and Profiles ........................................................................................ 142
4.11 Integrate into Existing PKI ............................................................... 146

4.12 Configuring Secure Login Servers as Failover Servers for High
Availability ................................................................................................ 147
5 Configuration Examples ................................................................. 150

5.1 Kerberos Authentication with SPNego ............................................. 150
5.2 LDAP User Authentication ................................................................ 151
5.3 SAP User Authentication ................................................................... 152
5.4 RADIUS User Authentication............................................................. 153
6 Troubleshooting .............................................................................. 155

6.1 Checklist User Authentication Problem ........................................... 155
6.2 Secure Login Server SNC Problem ................................................... 156
6.3 Enable Secure Login Server Trace ................................................... 157
6.4 Enable Secure Login Library Trace .................................................. 157
6.5 Secure Login Server Lock and Unlock ............................................. 158
6.6 Access Denied Replies ...................................................................... 159
6.7 Error Codes ........................................................................................ 160
6.7.1 Secure Login Server Error Codes ............................................................................. 160
6.7.2 SAP Stacktrace Error Codes .................................................................................... 162
7 List of Abbreviations ...................................................................... 165

8 Glossary ........................................................................................... 167
06/2011
1 What is Secure Login?

Secure Login is an innovative software solution created specifically to improve user and IT
productivity and to protect business-critical data in SAP business solutions through secure
Single Sign-On to the SAP environment.
Secure Login provides strong encryption, secure communication, and single sign-on between
a wide variety of SAP components:
Examples:
SAP GUI and SAP NetWeaver platform with Secure Network Communications (SNC)
Web GUI and SAP NetWeaver platform with Secure Socket Layer SSL (HTTPS)
Third party application server supporting X.509 certificates
In a default SAP setup, users enter their SAP user name and password into the SAP GUI
logon screen. SAP user names and passwords are transferred through the network without
encryption.
To secure networks, SAP provides a Secure Network Communications interface (SNC) that
enables users to log on to SAP systems without entering a user name or password. The
SNC interface can also direct calls through the Secure Login Library to encrypt all
communication between the SAP GUI and SAP server, thus providing secure single sign-on
to SAP.
Secure Login allows you to benefit from the advantages of SNC without being forced to set
up a Public Key Infrastructure (PKI). Secure Login allows users to authenticate with one of
the following authentication mechanisms:
Microsoft Windows domain (Active Directory Server)

RADIUS server
LDAP server
SAP NetWeaver server
Smart Card authentication
If a PKI has already been set up, the digital user certificates of the PKI can also be used by
Secure Login.
Secure Login also provides single sign-on for Web browser access to the SAP Portal (and
other HTTPS-enabled Web applications) with SSL.
06/2011
1.1 System Overview

Secure Login is a client/server software system integrated with SAP software to make single
sign-on, alternative user authentication, and enhanced security easy for distributed SAP
environments.
The Secure Login solution includes the following components:
Secure Login Server

Central service which provides X.509v3 certificates (out-of-the-box PKI) to users and
application server. The Secure Login Web Client is provided as well.
Secure Login Library
Crypto library for the SAP NetWeaver ABAP system. The Secure Login Library supports
both X.509 and Kerberos technology.
Secure Login Client
Client application which provides security tokens (Kerberos and X.509 technology) for a
variety of applications.
It is not necessary to install all components. This depends on the use case. For further
information about Secure Login Client and Secure Login Library see the corresponding
Installation, Configuration and Administration Guide.
The Secure Login Client is split into the following variants:

Secure Login Client
Secure Login Client can either be used with an existing public key infrastructure (PKI) or
together with the Secure Login Server. You can use it for certificate-based authentication
without being obliged to set up a PKI.
The stand-alone Secure Login Client can use the following authentication methods:
- Smart Cards and USB tokens with an existing PKI certificate
Secure Login Server and Authentication Server are not necessary.
- Microsoft Crypto Store with an existing PKI certificate
Secure Login Server and Authentication Server are not necessary.
- Microsoft Windows credentials
The Microsoft Windows domain credentials (Kerberos token) can be used for
authentication. In addition, the Microsoft Windows credentials can be used to receive
a user X.509 certificate with Secure Login Server.
- User name and Password (Several Authentication Mechanism)
The Secure Login Client prompts you for a user name and a password and uses
these credentials for authentication at the Secure Login Server to receive a user
X.509 certificate.
All of these authentication methods can be used in parallel. A policy server provides
authentication profiles that specify how to log on to the desired SAP system.
Secure Login Web Client
This client is based on a Web browser (Web GUI) and is part of the Secure Login Server.
The Secure Login Web Client has the same authentication methods as the standalone
Secure Login Client, but with the following limited functions:
- Limited integration with the client environment (interaction required)
- Limited client policy configuration
10
06/2011
1.2 System Overview with Security Token

The Secure Login Client is integrated with SAP software to provide a single sign-on capability
and enhanced security. An existing PKI structure or Kerberos infrastructure can be used for
user authentication.
Main System Components

The following figure shows the Secure Login system environment with the main system
components if an existing PKI or Kerberos infrastructure is used.
PKI Infrastructure
Secure Login Client
Smart Card, USB Token

Microsoft Crypto Store
Security Token
SAP GUI
Web GUI
SAP NetWeaver Platform
Kerberos Infrastructure
Kerberos Token
Authentication and
secure communication
Kerberos
Figure: Secure Login System Environment with Existing PKI and Kerberos
The Secure Login Client is responsible for the certificate-based authentication and Kerberosbased authentication to the SAP application server.
Authentication Methods
In a system environment without Secure Login Server, the Secure Login Client supports the
following authentication methods:
Smart Card and USB tokens with an existing PKI certificate

Microsoft Crypto Store (Certificate Store)
Kerberos token
06/2011
11
Workflow for X.509 Certificates

The following figure shows the principal workflow and communication between the individual
components.
PKI Infrastructure
Secure Login Client
Smart Card, USB Token

Microsoft Crypto Store
4
Security Token
2
Client maps
SNC name to
authentication
profile
1
Start connection and
get SNC name
SAP NetWeaver Platform

Unlock Security Token
5
Client provides certificate
to SAP GUI application
6
Authentication and
secure communication
Figure: Principal Workflow

1.
Upon connection start, the Secure Login Client retrieves the SNC name from the
desired SAP server system.
2.
The Secure Login Client uses the authentication profile for this SNC name.
3.
The user unlocks the security token by entering the PIN or password.
4.
The Secure Login Client receives the X.509 certificate from the user security token.
5.
The Secure Login Client provides the X.509 certificate for SAP single sign-on and
secure communication between SAP Client and SAP Server.
6.
The user is authenticated and the communication is secured.
Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic
operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto
engines. The Crypto Service Provider (CSP) from SAP is such a plug-in. It provides the
user keys to all CAPI-enabled applications.
12
06/2011
Workflow for Kerberos Token

components.
Figure: Principal Workflow Kerberos Authentication

1.
Upon connection start, the Secure Login Client retrieves the SNC name (Service
Principal Name) from the respective SAP server system.
2.
The Secure Login Client starts at the Ticket Granting Service a request for a Kerberos
Service token.
3.
The Secure Login Client receives the Kerberos Service token.
4.
The Secure Login Client provides the Kerberos Service token for SAP single sign-on
and secure communication between SAP Client and SAP server.
5.
The user is authenticated and the communication is secured.
06/2011
13
1.3 System Overview with Secure Login Server

The main feature of the Secure Login Server is to provide an out-of-the-box PKI for users and
application server systems (for example, SAP NetWeaver).
Users receive short term X.509 certificates. For the application server, long term X.509
certificates are issued. Based on the industry standard X.509v3, the certificates can be used
for non-SAP systems as well.
In order to provide user certificates, the user needs to be authenticated (verified by the
Secure Login Server). Therefore the Secure Login Server supports several authentication
server systems.
Main System Components

The following figure shows the Secure Login system environment with the main system
components.
Figure: Secure Login System Environment

The Secure Login Client is responsible for the certificate-based logon to the SAP application
server and encryption of the SAP client/server communication.
The Secure Login Server is the central server component that connects all parts of the
system. It enables authentication against an authentication Server and provides the Secure
Login Client with a short term certificate. The Secure Login Server is a pure Java application.
It consists of a servlet and a set of associated classes and shared libraries. It is installed on
an SAP NetWeaver application server.
The Secure Login Server provides client authentication profiles to the Secure Login Client,
which allows flexible user authentication configurations (for example, which authentication
type should be used for which SAP application server).
14
06/2011
Authentication Methods
Secure Login supports several authentication methods. It uses the Java Authentication and
Authorization Service (JAAS) as a generic interface for the different authentication methods.
For each supported method, there is a corresponding configurable JAAS module.
The following authentication methods are supported:
Microsoft Active Directory Service (ADS)

RADIUS
LDAP
SAP ID-based logon
Workflow with X.509 Certificate Request

components.
Figure: Principal Workflow

1.
Upon connection start, the Secure Login Client gets the SNC name from the desired
SAP server system.
2.
The Secure Login Client uses the client policy for this SNC name.
3.
The Secure Login Client receives the user login credentials.
4.
The Secure Login Client generates a certificate request.
5.
The Secure Login Client sends the user credentials and the authentication request to
the Secure Login Server.
06/2011
15
6.
The Secure Login Server forwards the user credentials to the authentication server and
receives a response indicating whether the user credentials are valid or not.
7.
If the user credentials are valid, the Secure Login Server generates a user certificate
(certificate response) and provides it to the Secure Login Client.
8.
Secure Login Client provides the certificate to SAP GUI.
9.
The user certificate is used to perform an authentication, single sign-on, and secure
communication between SAP client and server.
1.4 Instances
The Secure Login instances feature allows multiple instances running on the same server.
The main advantage of using instances is that the time spent on maintaining Secure Login is
reduced to a minimum.
Secure Login Server instances can use a common user CA certificate for one or more
instances, or you can set an individual user CA certificate (PKI) for each instance.
The Secure Login Client authentication profiles can be configured to use different Secure
Login Server instances for different authentication methods.
Figure: Instances Examples
It is still possible to use several Secure Login Servers and/or authentication servers for
failover. The Secure Login Server can connect to more than one authentication server.
16
06/2011
1.5 PKI Structure

There are different integration scenarios available for Secure Login Server.
Out-of-the-Box PKI Secure Login Server

Secure Login Server provides standard X.509 certificates for users (short term) and
application server (long term). The following out of the box PKI structure can be delivered
with the Secure Login Server.
Figure: Secure Login Server PKI Structure
PKI Integration
As the Secure Login Server is based on industry standard X.509v3, it is possible to integrate
the Secure Login Server to an existing PKI. The required minimum is to provide a user CA
certificate to the Secure Login Server.
Figure: Secure Login Server Integration with an Existing PKI
06/2011
17
1.6 Secure Communication

The goal of the Secure Login solution is to establish secure communication between all
required components:
Figure: Secure Communication
Technology Used for Secure Communication

Technology used for secure communication
18
From
To
Security Protocol / Interface
SAP GUI
SAP NetWeaver
DIAG/RFC (SNC)
Web GUI
SAP NetWeaver
HTTPS (SSL)
Secure Login Client
Secure Login Server
HTTPS (SSL)
Secure Login Server
LDAP Server
LDAPS (SSL)
Secure Login Server
SAP NetWeaver
RFC (SNC)
Secure Login Server
RADIUS Server
RADIUS (shared secret)
06/2011
1.7 Policy Server Overview

Secure Login Client configuration is profile-based. You can configure the application contexts
to provide a mechanism for automatic application-based profile selection. The system then
searches the application contexts for specific personal security environment universal
resource identifiers (PSE URIs).
If no matching PSE URI is found, a default application context that links to a default profile
can be defined.
The application contexts and profiles are stored in the Microsoft Windows Registry of the
client. You define these parameters in the XML policy file.
Figure: Default Application Context and Profile
06/2011
19
1.8 Secure Login Web Client

Secure Login Web Client is a feature of the Secure Login Server. It is a Web-based solution
for the authentication of users in Web browsers (in portal scenarios) on a variety of platforms
and for launching SAP GUI with SNC security. You also use it for authentication against SAP
NetWeaver Web Application Server.
This means that the client is no longer limited to Microsoft Windows, but Mac OS X, and
Linux-based client systems can be used as well. Another use case is providing short term
certificates to external employees (for example, to external consultants).
The following main features are available:
Browser-based authentication (including all authentication server support)

Support for SAP GUI for Microsoft Windows and SAP GUI for Java
Certificate store support for Microsoft Internet Explorer and Mozilla Firefox browser
URL redirect X.509 authentication support to SAP Web application server
Localization and customization of HTML pages and applet messages
Differences between Secure Login Client and Secure Login Web Client:
20
With Secure Login Client the required security library is available.

With Secure Login Web Client the security library needs to be downloaded in a Web
browser application.
With Secure Login Client, the authentication process and secure communication can be
triggered on demand (for example, in SAP GUI).
The Secure Login Web Client triggers an authentication process and secure
communication. After the authentication process, the Secure Login Web Client starts the
SAP GUI.
06/2011
2 Secure Login Server Installation

This chapter describes how to install Secure Login Server.
The installation can be done using the Telnet application or with the Software Delivery Tool.
2.1 Prerequisites
This chapter describes the prerequisites and requirements for the installation of Secure Login
Server. The SAP NetWeaver Application Server must be up and running.
Hardware Requirements
Secure Login Server
Details
Hard disk space
50 MB of hard disk space

HDD space for log files
Random-access memory
1 GB RAM at minimum
Software Requirements
Secure Login Server
Details
Application server
SAP NetWeaver CE 7.2

SAP NetWeaver 7.3
Optional:
The Secure Login Library installation is optional and

required for SAP user authentication only.
The Secure Login Library will be used to establish
secure communication to SAP NetWeaver Application
Server ABAP to verify SAP credentials.
For operating system support see the Installation,
Configuration and Administration Guide of the Secure
Login Library.
Details
Operating systems
Microsoft Windows 7, Vista, XP (32-bit)

SUSE Linux Enterprise Desktop 11
Mac OS X 10.5, 10.6
Java
SUN Java 1.5 or higher browser plug-in
Internet browser (32-bit)
Microsoft Internet Explorer 7, 8

Mozilla Firefox 3.6, 4.0
06/2011
21
Supported Authentication Server

Secure Login Server
Details
LDAP server system
Microsoft Active Directory System 2003, 2008

openLDAP
SAP server system
SAP NetWeaver Application Server ABAP 6.20 or

higher version
RADIUS server system
freeRADIUS
Microsoft Network Policy and Access Services (NPA)
Microsoft Internet Authentication Service (IAS)
2.1.1 Secure Login Library

The Secure Login Library installation is optional and is required for SAP NetWeaver
Application Server user authentication only. The Secure Login Library is used to establish
secure communication to SAP ABAP server and to verify SAP credentials.
Keep in mind that there are different Secure Login Library software packages available
depending on the desired operating system. This document describes the installation for
Microsoft Windows and Linux operating system.
Secure Login Library for Microsoft Windows Operating

System
Step 1 Copy Library Files
Copy the Secure Login Library software for Microsoft Windows to the target SAP NetWeaver
Application Server and extract the file SECURELOGINLIB.SAR with the SAPCAR command
line tool to the following folder.
sapcar xvf <source_path>\SECURELOGINLIB.SAR R
<ASJava_installation>\exe\
Example
sapcar xvf D:\InstallSLS\SECURELOGINLIB.SAR R
D:\usr\sap\ABC\J00\exe\
Check if the folder <ASJava_installation>\exe, which is used by Secure Login Library, is

included in the Java library path. Verify the Java Library Path (libpath) in the trace file
<ASJava_installation>\work\dev_jstart.
22
06/2011
Step 2 Environment Variable SECUDIR

Set the system environment variable SECUDIR to the following directory:
SECUDIR=<ASJava_installation>\sec
Example
SECUDIR=D:\usr\sap\ABC\J00\sec
Step 3 Verify Secure Login Library

To verify the Secure Login Library, use the snc command:
<ASJava_installation>\exe\snc.exe
Example
D:\usr\sap\ABC\J00\exe\snc.exe
As a result, you get further information about the Secure Login Library.
The test is successful if the version is displayed.
Figure: Verify Secure Login Library with the Command snc
Step 4 Restart SAP NetWeaver Application Server

In an installation under Microsoft Windows, restart the SAP NetWeaver Application Server
because the environment variable SECUDIR does not takes effect unless you perform a
restart.
06/2011
23
Secure Login Library for Linux Operating System

Step 1 Copy Library Files
Copy the Secure Login Library software for Linux to the target SAP NetWeaver Application
Server and extract the file SECURELOGINLIB.SAR with the SAPCAR command line tool to
the following folder.
sapcar xvf <source_path>/SECURELOGINLIB.SAR R
<ASJava_installation>/exe/
Example
sapcar xvf /InstallSLS/SECURELOGINLIB.SAR R /usr/sap/ABC/J00/exe
Check if the folder <ASJava_installation>/exe, which is used by Secure Login Library, is

included in the Java library path. Verify the Java library path (libpath) in the trace file
<ASJava_installation>/work/dev_jstart.
Step 2 Define File Attributes

To use shared libraries in a shell, it is necessary to set the file permission attributes with the
following command:
chmod +rx <ASJava_installation>/exe/snc lib*
Example
chmod +rx /usr/sap/ABC/J00/exe/snc lib*
Step 3 Define File Owner

Grant access rights to the user account that is used to start the SAP application (for example,
<SID>adm).
Change to the folder <ASJava_installation>/exe/ and use the following command:
chown [OWNER]:[GROUP] *
Example
chown abcadm:sapsys *
Step 4 Verify Secure Login Library

To verify the Secure Login Library use the snc command (with user <SID>adm):
<ASJava_installation>/exe/snc
Example
24
06/2011
/usr/sap/ABC/J00/exe/snc
As a result; further information about the Secure Login Library should be displayed.
The test is successful if the version is displayed.
Figure: Verify Secure Login Library with the snc Command
06/2011
25
2.2 Secure Login Server Installation with Telnet

1.) Copy the file SECURE_LOGIN_SERVER00_0.sca to the target SAP NetWeaver
Application Server.
2.) Start a Telnet session.
telnet localhost 5<instance_number>08
Example
telnet localhost 50008
3.) Deploy the Secure Login Server package.

deploy <source>\SECURE_LOGIN_SERVER00_0.sca
Microsoft Windows Example
deploy D:\InstallSLS\SECURE_LOGIN_SERVER00_0.sca
The Secure Login Server application will be started automatically.
Start the initial configuration described in section 2.6 Initial Configuration Wizard.
List of Useful Telnet Commands

List of useful telnet commands
Action
Command
Deploy Application
deploy SECURE_LOGIN_SERVER00_0.sca
Undeploy Application
undeploy name=SecureLoginServer vendor=sap.com
List Application
list_app | grep SecureLoginServer
Stop Application
stop_app sap.com/SecureLoginServer
Start Application
start_app sap.com/SecureLoginServer
26
06/2011
2.3 Secure Login Server Installation with JSPM

1.) Copy the file SECURE_LOGIN_SERVER00_0.sca to the target SAP NetWeaver
Application Server.
The target folder location is \\localhost\sapmnt\trans\EPS\in
Microsoft Windows
<drive>\usr\sap\trans\EPS\in
Linux
/usr/sap/trans/EPS/in
2.) Start the JSPM application (SAP Software Delivery Tool) on SAP NetWeaver Application
Server.
Microsoft Windows
<ASJava_Installation>\j2ee\JSPM\go.bat
Linux
<ASJava_Installation>/j2ee/JSPM/go
3.) Log on to SAP NetWeaver AS Java with a user with administration privileges.
06/2011
27
4.) Choose the New Software Components option.
5.) Select sap.com/SECURE_LOGIN_SERVER.
28
06/2011
6.) Start the deployment process.
7.) After the deployment finishes, exit the JSPM application.
06/2011
29
2.4 Secure Login Server Uninstallation

This chapter describes how to uninstall Secure Login Server. Uninstall the Secure Login
Server in Telnet.
1.) Start a Telnet session.
telnet localhost 5<instance_number>08
Example
telnet localhost 50008
2.) Stop the Secure Login Server application.
stop_app sap.com/SecureLoginServer
3.) Undeploy the Secure Login Server package.
undeploy name=SecureLoginServer vendor=sap.com
2.5 Updating the Secure Login Server to SP1

In SAP Note 1617206 you find a description that tells you how to update the Secure Login
Server to SP1. You see the current version number of the Secure Login Server in the
parameter Server Build. The entry REL_1_0_1_10 stands for SP1 (see 3.3.9 Server
Status). After the installation, restart the system.
30
06/2011
2.6 Initial Configuration Wizard

After the deployment of Secure Login Server an initial configuration is required.
For security reasons, the initial configuration of the Secure Login Server can be
performed on local host only (same server computer on which the Secure Login
resides).
If, however, you want to perform the initialization and configuration from a remote
location, you must manually enable this feature by editing the Secure Login web.xml
file. For more information, see section 2.6.2 Enable Remote Access for Initial Wizard.
If a GUI (for example, Linux without X-Win) is not available, use an SSH localhost
tunnel configuration for accessing the wizard. For re information, see section 2.6.3
Configure SSH Tunnel.
2.6.1 Initial Configuration

This section describes the initial configuration of the Secure Login Server.
Before starting the Initial Configuration Wizard, verify that the Secure Login Server
application is running.
Start the initial configuration using the browser URL:
http://localhost:5<instance_number>00/securelogin
Welcome Page
In the welcome page a prerequisite check is performed. Verify all prerequisites.
If everything is OK, choose Continue.
Figure: Initial Configuration Wizard Welcome Page
06/2011
31
Key File for Encryption of Server Credentials

The key file is a file on the server with random content and is used to secure password
information in configuration files. You can use any kind of file type which is larger than 32
bytes. You must create or copy the file to the desired location on the server and define it in
this configuration step. There is a check whether the key file is available.
Define the location of the key file.
Example:
D:\usr\sap\ServerKeyFile\KeyFile.txt
Figure: Initial Configuration Wizard Key file for server credentials encryption
Keep in mind that, in case the key file is changed or not available, it is not possible to log
on to the Secure Login Administration Console. The Secure Login Server does not work
anymore and is locked.
After the configuration, choose Next to continue.
32
06/2011
Administrator Account
Define the password for the administration user Admin.
Figure: Initial Configuration Wizard Administrator Account

Entries marked with * are mandatory.
Passwords used in Secure Login Server are restricted by the password policy definition.
Passwords cannot be empty
Passwords must have a length between 8 to 20 characters
Passwords must contain at least one uppercase letter
Passwords must contain at least one lowercase letter
Passwords must contain at least one digit
Passwords must contain at least one special character
06/2011
33
Create Root CA Certificate

Define the parameter for the root CA certificate.
Figure: Initial Configuration Wizard Create Root CA

Option
Details
Create a Root CA by
providing certificate
information
Common Name*
Enter the common name of the certificate (CN).
Example: Root CA SAP Security
Organization Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512,
1024, 1536, 2048, 3072, or 4096 bits).
34
06/2011
Valid From*
Enter the date from when the validity of this certificate
starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of this certificate ends
(format: YYYY-MM-DD).
Password*
In this field you enter the password for this certificate.
The password length is limited to 20 characters.
Save Password
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.
Confirm Password*
Confirm the encryption password entered in the field
above.
Import an Existing Key
Store File
Checking this option displays the following options:
KeyStore File*
Click Browse to locate and load an existing
KeyStore file (File Format is: *.pse).
Password*
The password for the KeyStore (PSE) file.
Save Password
Skip this certificate
Check this option if you do not want to or do not need

to enter any information for this specific certificate at
this time.
Skip all PKI certificates

to enter information for any certificate at this time.
This means you skip all the PKI certificates including
the Root CA, SSL CA, SSL Server, and User CA
certificates.
You can create or add certificate information at a later
time in the Certificate Management function of the
Administration Console.
06/2011
35
Select the SSL Certificate Generation Type

Choose an option for the SSL certificate.
Figure: Initial Configuration Wizard Select the SSL Certificate Generation Type
It is possible to install or import SSL certificates later on using the administration console
Certificate Management. For more information, see section 3.3.3 Certificate
Management.
Option
Details
Generate an SSL
certificate using the
Secure Login
Administration Console
The SSL certificates for the SAP NetWeaver

Application Server (or other Web application server)
are created using the Secure Login Administration
Console.
Skip all SSL certificates

to enter information for SSL certificates at this time.
After having chosen an option configuration, choose Next to continue.
36
06/2011
Create SSL CA Certificate

This step is optional and is only available if the option Generate an SSL certificate using the
Secure Login administration console was chosen.
Figure: Initial Configuration Wizard Create SSL CA Information

Option
Details
Create a SSL CA by
information
Common Name*
Example: SSL CA SAP Security
Organization Unit
Organization
Locality
Example: Walldorf
Country
Example: DE
1024, 1536, 2048, 3072, or 4096 bits).
06/2011
37
Valid From*
Enter the date when the validity of the certificate
Valid To*
Enter the date when the validity of the certificate ends
Password*
Enter the password for this certificate in this field. The
password length is limited to 20 characters.
Save Password
Confirm password*
above.
Store File
KeyStore File*
Click Browse to locate and load an existing Key
Store File (file format: *.pse).
Password*
Save Password

to enter any information for this specific certificate at
this time.
Create SSL Server Certificate

This step is optional and is only available if you chose the option Generate an SSL certificate
using the Secure Login administration console.
38
06/2011
Figure: Initial Configuration Wizard SSL Server Information

Option
Details
Create an SSL server by

information
Common Name*
Example: Alias Server Name
Organization Unit
Organization
Locality
Example: Walldorf
Country
Example: DE
Subject Alternative Names (DNS)
Enter the alternative name in this field. Typically this
is the Fully Qualified Domain Name (FQDN).
Example: ServerName@FQDN.local
06/2011
39
1024, 1536, 2048, 3072, or 4096 bits).

Valid From*
Valid To*
Password*
In this field, you enter the password for this certificate.
Save Password
If this checkbox is activated, this password will be
stored. This means that you do not need to remember
the password when editing this certificate at a later
date.
Confirm Password*
above.
Store File
KeyStore File*
KeyStore file (file format: *.p12).
Password*
The password for the KeyStore file.
Save Password
Check this option if you do not want or do not need to

enter any information for this specific certificate at this
time.
40
06/2011
Create User CA Certificate

Define the parameter for the user CA certificate.
Figure: Initial Configuration Wizard User CA Information

Option
Details
Create a user CA by
information
Common Name*
Example: User CA SAP Security
Organization Unit
Organization
Locality
Example: Walldorf
Country
Example: DE
1024, 1536, 2048, 3072, or 4096 bits).
06/2011
41
Valid From*
Valid To*
Password*
Save Password
Confirm Password*
above.
Store File
KeyStore File*
KeyStore file (file format: *.pse).
Password*
Save Password
If this checkbox is activated, this password will be
stored. This means that you do not need to remember
the password when editing this certificate at a later
date.
Check this option if you do not want or do not need to

enter any information for this specific certificate at this
time.
42
06/2011
Define Server Configuration

Define the parameters for the User Certificate Configuration and Application Information.
The other configuration parameters are read-only (for verification reasons).
Figure: Initial Configuration Wizard Server Configuration

Option
Details
User Certificate
Configuration
DN.country
Example: DE
DN.locality
Example: Walldorf
DN.organization
DN.organizationalUnit
ValidityMinutes*
Information for a temporary certificate: The period of
time (in minutes) that the user certificate is valid.
06/2011
43
Application Information
ServerHostName
FQDN name or IP address of this server.
This parameter is used for the client policy definition
and can be used for centrally changing the server
host name and the server port in the instance
configuration of the Secure Login Server.
ServerPort
Port of this server.
This parameter is used for the client policy definition
and can be used for central change.
Authentication Server
Configuration
(read-only)
AuthConfigPath
Authentication server configurations file for the
Secure Login Server.
Secure Login User CA Key

Store
(read-only)
PseName
The user CA key store file path. If you created a user
CA in the previous step, the file path is shown here.
Log Configuration
(read-only)
DailyLogDir
In this log path the user authentication information for
the default instance is logged.
(for example, the user authentication was successful)
MonthlyLogDir
In this log path the instance information for the default
instance is logged.
(for example, the default instance was started
successful)
AdminConsoleLogDir
In this log path the admin console information for the
Secure Login Administration Console is logged.
(for example, the default instance configuration was
changed)
LockDir
The path to which the lock file is saved. A lock file is
created when the server encounters an internal error
that requires manual intervention.
44
06/2011
Setup Review
Verify the action points and choose the Finish pushbutton to complete the initial wizard
configuration.
Figure: Initial Configuration Wizard Setup Review
Finish Setup
After successful setup configuration this page appears. Restart the Secure Login Server
application.
Figure: Initial Configuration Wizard Congratulations

Use the Telnet application to stop and start the Secure Login Server application (for more
information, see section 2.2 Secure Login Server Installation with Telnet).
Another possibility in the Microsoft Windows environment is to use the SAP Management
Console (sapmmc) application. Under AS Java Components, choose the application
sap.com/SecureLoginServer and restart the application.
06/2011
45
Microsoft Windows SAP Management Console

In Microsoft Windows environment the SAP Management Console (sapmmc) can be used to
restart the Secure Login Server application. Mark the application sap.com/SecureLoginServer
and choose the option Restart (right-click option).
Figure: SAP Management Console (sapmmc)
46
06/2011
2.6.2 Enable Remote Access for Initial Wizard

This configuration step is optional and is only required if you want to perform the initial
configuration from a remote computer.
For security reasons we recommend performing the initial configuration on the local host
(same server computer on which the Secure Login Server resides).
In the configuration file web.xml, change the value to true for the parameter remoteAccess.
web.xml
<init-param>
<param-name>remoteAccess</param-name>
<param-value>true</param-value>
</init-param>
The configuration file web.xml is available in the following place:

Microsoft Windows
<ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\se
rvlet_jsp\securelogin\root\WEB-INF\web.xml
Linux
<ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/se
rvlet_jsp/securelogin/root/WEB-INF/web.xml
It is required to restart the Secure Login Server application.
06/2011
47
2.6.3 Configure SSH Tunnel

This configuration step is optional and belongs to the Linux environment if no GUI is
available. The localhost configuration can be performed using for example, PuTTY
Configure the following parameter and choose Add.
Example: SSH tunnel configuration in PuTTY
Parameter
Value
Source Port
5<instance_number>00
Example: 50000
Destination
localhost:5<instance_number>00
Example: localhost:50000
After the SSH tunnel configuration, log on to this connection and perform the initial
configuration. For more information, see section 2.6 Initial Configuration Wizard.
48
06/2011
3 Administration
3 Administration
This chapter describes the configuration parameters in Secure Login Server.
3.1 Logon to Administration Console

To open the administration console, enter the following URL in a Web browser:
Communication
URL
Unsecured
http://<IP/FQDN>:5<instance_number>00/securelogin
Secured
https://<IP/FQDN>:5<instance_number><https_port>/securelogin
You find the https port in the SSL setting of the SAP NetWeaver configuration. The port
number is usually 50001 (corresponds to 01 in the table above).
The logon page appears.
Figure: Administration Console Logon Page

Enter your administration user name (for example, Admin) and your password.
Authentication type
Details
Local Login
Default user name/password combination authenticated in the

administration console database.
External Login
User name/password combination authenticated in the

authentication server database set in the JAAS module.
Example: You can use the Microsoft Active Directory user
database for logging on to the Secure Login Server
administration console.
For more information about the configuration, see section 3.3.2
06/2011
49
3 Administration
Authentication type
Details
Edit Login Type Setting.
3.2 Welcome Page

After successful logon, the welcome page appears. This page also appears when you click
on Home.
Figure: Administration Console Welcome Page

The administration console interface allows you to easily configure the server to your needs.
The main area is split into three panes:
The top left-hand pane lists any tasks that have yet to be performed.
For example, Connection must be HTTPS refers to the missing SSL connection between
the console and the Secure Login Server, or Server needs to be restarted informs you
that the configuration has been changed, and you need to restart the Secure Login
Server application for it to take effect.
The bottom left-hand pane is the main navigation tree. For easy reference, each node
represents tasks that can be performed within the Secure Login Server framework.
The right-hand pane displays the details of any node selected in the left-hand pane.
In the top right-hand corner there are three entries that appear on every page in the
console:
Change Password
This allows you to change the password for the current administrator/user account.
Logout
Use this link to logout of the console. The login page will reappear (see previous page).
50
06/2011
3 Administration
About
Click this to view version information about the console.
You may be asked to re-enter your user name and password if you leave the
administration console for a long time. The default console timeout is 10 minutes.
3.2.1 Change Password

This section describes how to change the account password for the administration console.
1. Choose Change Password in the title bar on any page.
2. The following dialog box appears:
Figure: Change Password

3. Enter the current password into the Old Password field.
4. Enter and confirm the new password into the fields New Password and Confirm New
Password respectively.
5. Click OK
The user admin is a permanent user that has the role super user and cannot be deleted.
As a consequence, the admin user can log on to the system regardless of state (when a
serious system error occurs), making sure that there is at least one user who can always
access Secure Login to correct or configure the system.
06/2011
51
3 Administration
3.3 Server Configuration

This section describes the server configuration page of the administration console.
The Server Configuration page allows you to do the following:
View the server configuration.

Edit some of the server parameters.
Choose the Server Configuration node in the left-hand pane of the administration console.
The following page appears:
Figure: Administration Console - Server Configuration
The following options can be viewed on this page:
52
06/2011
3 Administration
Option
Details/Value
Edit
Click Edit to change the Administration Console Description,

Trace Configuration, and Client Configuration.
For more information, see section 3.3.1 Edit Server
Configuration.
Description
The description of this administration console.
Console Login Type
The current types of authentication available for log on to the

administration console. The configuration can be changed
using the button Edit Login Type.
For more information, see section 3.3.2 Edit Login Type
Setting.
External Login JAAS

Module
The current JAAS module used for External Login

authentication to the Administration Console.
For further information see section 3.3.2 Edit Login Type
Setting.
The Authentication File

Path
(read-only)
The authentication configuration file used by this server. This

configuration is for information purposes only.
Trust Certificates
Storage File
(read-only)
The Trust Store file (TrustStore.jks) used by this server.
Console Log Directory

(read-only)
The directory in which the console log file is located.
Console Log Prefix

(read-only)
The file prefix for the console log file.
Enable Server Trace
Enable Secure Login Server trace to provide extended

traces.
true
Trace enabled
false
Trace enabled
Default value is false.
Path to the Server Lock

File
(read-only)
Path where the lock files are written. A lock file is generated if
something went wrong with the Secure Login Server. In this
case the Secure Login Server is locked.
Host Server Domain

Name
The host name or IP of the computer from which the console

is being used for the Secure Login Client policy configuration
(for all client policy URLs).
Port
The port of this computer from which the console is being

used for the Secure Login Client policy configuration (for all
client policy URLs).
We recommend that you use an HTTPS (SSL) port.
CREDDIR
(read-only)
The directory in which the credentials are stored for the

Secure Login Library.
NativeLibraryPath
(read-only)
The directory where native libraries are stored for the Secure
Login Library.
06/2011
53
3 Administration
3.3.1 Edit Server Configuration

Use the Edit button and the following page appears.
Figure: Administration Console Edit Server Configuration

The following options can be set:
Option
Details/Value
Description
Here you can personalize the description for the

Enable Server Trace
true
Write trace messages to the application server trace file
(defaultTrace_*.log).
false
Do not write trace messages to the application server trace
file.
Host Server Domain

Name
The host name or IP of the computer from which the console

is being used.
Port
The port of the computer from which the console is being

used. We recommend that you use an HTTPS (SSL) port.
Once you have changed any option, click Save to return to the Server Configuration page.
54
06/2011
3 Administration
3.3.2 Edit Login Type Setting

Use the Edit Login Type button, and the following page appears.
Figure: Administration Console Login Type Setting

This page allows you to configure, delete, or add the following login types:
Local Login
Default user name/password combination authenticated via the administration console
database.
External Login
User name/password combination authenticated in the authentication server database set in
the JAAS module. If this option is used, select the appropriate JAAS module in the External
Login Jaas Module combo box as well.
SSL-Certificate Login
User name/password combination authenticated with a certificate imported into the Web
browser. The user logon certificate can be created using the Certificate Management.
For more information, see section 3.3.3 Certificate Management.
To add a login option to the administration console login page, select a login type from the
ALL Login Type field and choose >>Add (it appears in the Current Login Type field).
If necessary, use the Up and Down buttons to give a login option priority (the sequence they
appear in the Login Type combo box on the login page).
Choose Save to confirm any changes.
To delete a login option from the administration console login page, select a login type from
the Current Login Type field and choose <<Delete (it appears in the ALL Login Type field).
06/2011
55
3 Administration
External Login JAAS Module

Several login modules are available. They can be used for the External Login option.
Available Login JAAS Module
Login Module
Remarks
SPNegoLoginModule
Use Kerberos/SPNego to link the External Login

option.
SecureLoginModuleLDAP
Use LDAP server or MS-ADS server system to

link the External Login option.
SecureLoginModuleRADIUS
Use RADIUS server to link the External Login

option.
SecureLoginModuleSAP
Use SAP NetWeaver Application Server to link the

External Login option.
Choose Save to confirm any changes.
56
06/2011
3 Administration
3.3.3 Certificate Management

This section describes the Certificate Management page of the administration console.
The Certificate Management page allows you to do the following:
Create certificates
View certificates
Export certificates
Import certificates
What I have to do first is making a decision:

Do I want the Secure Login Server to create and manage one or more public key
infrastructures, or is there an existing company PKI that is supposed to be used on top.
Both is possible, even a mixture of it. You may want to have one Secure Login Server PKI
below your enterprise PKI and two others independently created by Secure Login Server.
However, due to the high flexibility of Secure Login Server, it is no problem to add, replace, or
delete PKIs at any time.
Choose the Certificate Management node from the tree in the left-hand pane.
Figure: Administration Console Certificate Management
Option
Details
PKI Tree
One or more tree views of independent PKIs.

One DefaultPKITree named Root CA SAP Security is
available here.
Create New Root CA
Define a display name for the new PKI and create a top-level
Certification Authority (Root CA).
06/2011
57
3 Administration
Certificate Information
Common Name
Common name of the selected certificate.
Path
File path of the selected certificate file.
Save Password
Password protection status of the selected certificate file.
Mapping to Instance
List of all instances and selections that are supposed to use
this user CA. This option is available for user CAs only.
More Details
Further details of the X.509 certificate
[PKI Information]
Displays the name of the PKI structure
[CA Operations]
Selects the Certification Authority of a PKI for further

management operations.
Issue
Creates a new Certification Authority of this type (USER_CA,
SAP_CA or SSL_CA).
Change Password
Changes password of selected CA
Remove Password
Removes password of selected CA. A password must be
given for each following management operation of this CA.
[Export Certificate]
Exports the selected certificate.

Export Type
Chooses the export type for the certificate.
Possible export types: .crt, .p12, .pse or *.jks.
New Password
Defines the password of the exported certificate file. This
option is not available if you choose the export type .crt.
[Import New PKI]
Imports the key store into the certificate list.

Note: Only PSE files can be imported.
PKI Name
Displays the name of the new PKI the certificate belongs to.
The following special characters are not supported:
~`!@#$%^&*()_-+= }{:"?><,./;'[]\|
[Selection List]
The selection list allows you to associate the type of CA of
the certificate. Each type can be associated only once.
Browse
Opens a file browser to select the certificate file.
58
06/2011
3 Administration
Open Password
Password that protects the certificate file
Save Password
Allows you to save the password in the configuration file.
Create New PKI

Use this function to create a new internal PKI that has its own root CA certificate.
Enter a display name for the new PKI, for example NEW PKI and choose Create New Root
CA.
Define the certificate parameters for the new root CA certificate and choose Create.
Entries marked with an asterisk(*) are mandatory.

The new PKI should be available in the PKI tree.
06/2011
59
3 Administration
Import New PKI

Use this function to create a new PKI that uses external CA certificates. This way it is also
possible to create a PKI without having the issuing root CA stored inside the Secure Login
Server.
1. Enter a display name for the new PKI, for example, ImportPKI.
2. Select the type of CA that shall be imported, for example, ROOT_CA.
3. Choose Browse to open a file browser. Locate and open the PSE file.
4. Enter the password for the PSE file in the field Open Password.
5. As an option, you can choose to save the password.
6. Choose the Import pushbutton to complete.
The imported PKI should be available in the PKI tree.
60
06/2011
3 Administration
Create SAP CA Certificate

Use this function to create an SAP CA certificate.
1. Choose on the Root CA certificate in the PKI tree list.
2. Select the certificate type SAP_CA in [CA Operations].
3. Choose on the Issue pushbutton and define the certificate parameters.
Figure: Administration Console Create SAP CA Certificate
Entries marked with an asterisk(*) are mandatory.
Option
Details
Create SAP_CA Subject

Information
Common Name*
Example: SAP CA SAP Security
Organization Unit
Organization
Locality
Example: Walldorf
Country
Example: DE
06/2011
61
3 Administration

1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Valid To*
Password*
Save Password
Confirm Password*
above.
Create SAP Server Certificate

Use this function to create a certificate for the SAP NetWeaver Application Server (AS).
1. Choose on the SAP_CA certificate in the PKI tree list.
2. Select in [CA Operations] the certificate type SAP_Server.
3. Choose the Issue pushbutton and define the certificate parameters.
Figure: Administration Console Create SAP Server Certificate
62
06/2011
3 Administration
Entries marked with an asterisk (*) are mandatory.
Option
Details
Specify the parameters of

the SAP Server Certificate
Common Name*
Example: SAP SID
Organizational Unit
Organization
Locality
Example: Walldorf
Country
Example: DE
1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Enter the date when the validity of this certificate
Valid To*
Password*
Enter the password for this certificate in this field. The
password length is limited to 20 characters.
Confirm Password*
above.
Save password to file
06/2011
63
3 Administration
Create SNC Certificate

Use this function to create a certificate for the SNC connection to SAP NetWeaver
Application Server (AS).
Using this certificate the Secure Login Server establishes a secure communication with the
SAP NetWeaver AS to verify SAP user credentials.
2. Select the certificate type SNC_CERT in [CA Operations].
Figure: Administration Console Create SNS Certificate
Option
Details
Create SNC_CERT
Subject Information
Common Name*
Example: SLSSNC
Organizational Unit
Organization
Locality
Example: Walldorf
Country
64
06/2011
3 Administration
Example: DE
1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Valid To*
Password*
In this field, you enter the password for this certificate.
Confirm Password*
above.
06/2011
65
3 Administration
Create Login Certificate

Use this function to create a login certificate for the Secure Login administration console. The
Secure Login Administrator establishes a certificate based login to the Administration
Console.
2. Select the certificate type LOGIN_CERT in [CA Operations].
Figure: Administration Console Create Login Certificate
Option
Details
Create LOGIN_CERT
Subject Information
Common Name*
Example: Username
Organizational Unit
Organization
Locality
Example: Walldorf
Country
66
06/2011
3 Administration
Example: DE (for Germany)

1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Valid To*
Password*
Confirm Password*
above.
Subject Alternative Names (E-mail)*
In order to map a certificate to a user, this field is
used. For more information, see section 4.6 Configure
SSL Certificate Logon.
Example: LoginCert_Admin
This login certificate needs to be imported into a browser application. Therefore export
this certificate in *p12 format and import it to your browser application.
In addition, it is required to assign this login certificate to a user (user mapping). For more
information, see section 4.6 Configure SSL Certificate Logon.
06/2011
67
3 Administration
Export Certificate
Use this function to export any kind of certificate in the PKI list.
1. Choose on a desired certificate in the PKI tree list, for example Root CA SAP
Security.
2. Select the Export Type, for example .pse.
3. Define the password of the exported certificate file.
4. Choose the Export pushbutton to save the file to the desired location.
Option
Details
Export Type
.pse
Exports the certificate in PSE format.
This file includes all keys and all certificates of the
complete certificate chain.
.crt
Exports the public certificate information.
.p12
Exports the certificate in P12 format.
This file includes all keys and all certificates of the
complete certificate chain used.
.jks
Exports the certificate in Java Key Store format.
Import Certificate
If a certificate entry in the list is grayed out, it means this certificate is not present. Use the
import function to load a new certificate.
1.
2.
3.
4.
5.
Choose on a desired certificate in the PKI tree list, for example SAP_CA.
Choose Browse to open a file browser. Locate and open the PSE file.
Enter the password for the PSE file in the field Open Password.
As an option, you can choose to save the password.
Choose the Import pushbutton to complete your import.
Imported certificates need to be part of the PKI structure. A trust relation to an existing
root CA certificate, when available, is required.
In case the desired certificate has no trust relation to the root CA certificate, the error
message Trust connection cannot be established with ROOT CA appears.
68
06/2011
3 Administration
3.3.4 Trust Store Management

The Trust Store is used to declare a certificate as coming from a trusted source and can be
used with Secure Login Server. You can use this page to view the Trust Store file content,
export a certificate, delete a certificate, and add new certificates.
Typically the following certificates are installed in the Secure Login Server Trust Store:
SSL CA Certificate (public certificate).

This certificate is used to verify the SSL connection in the option Server Status.
LDAPS CA Certificate (public certificate).
This certificate is used to establish secure communication to the LDAP server.
Depending on the PKI structure, it may be necessary to import the certificate chain.
Figure: Administration Console Trust Store Management
Option
Details
Certificate Alias*
Alias for the imported certificates.
Certificate Location
The certificate location. Select one of the following

locations (this causes the third option to change
accordingly):
Local Host*
The path to a certificate in the local file system
PublicURL*
Certificate available via a public URL
06/2011
69
3 Administration
Add to Trust Store
Adds the certificate information to the Trust Store.
Delete
Use this button to remove the selected certificate from

the Trust Store (only visible if a certificate has been
added to the Trust Store).
Export
Use this button to export the selected certificate from

the Trust Store (only visible if a certificate has been
added to the Trust Store).
Changes in Trust Store require a restart of the SAP NetWeaver Application Server.
3.3.5 Certificate Template

This section describes the Certificate Template page of the administration console. Use the
functionality on this page to perform any certificate template-related task.
Choose the Certificate Template node in the left-hand pane of the administration console.
Figure: Administration Console Certificate Template Management
The default template cannot be deleted, changed, or exported. The Mapping option is only
available if an additional certificate template is available.
Option
Details
Template Name
Templates created by the user and available for use are

listed here. Per default the default template is available.
Add
Adds a new certificate template. This takes you to the

template creation page.
Copy
Duplicates the selected template. This takes you to the

template creation page
Edit
Edits a selected template. This takes you to the template

creation page.
Delete
Deletes a template selected in the list.
70
06/2011
3 Administration
Mapping
Maps any template to another.
Export
Exports a template as an XML file. If you select more than

one template for export, all of the templates are incorporated
into a single XML file.
Import
Imports templates found on the local machine/network to the

list.
Add a New Certificate Template

This section describes how you create a new certificate template.
Click the Add button and the following information appears:
Figure: Administration Console New Certificate Template
Option
Details
Template Name*
The unique template identifier
SubjectKeyIdentifier
Use this option to identify the specific public key used in an

application.
AuthorityKeyIdentifier
Use this option to identify the public key corresponding to the

private key that is used to sign a certificate.
06/2011
71
3 Administration
CertificatePolicies
This option indicates the policy under which the certificate

has been issued and the purposes for which the certificate
may be used.
Checking this option will open a mandatory field for the
CertificatePolicies.OID (enter the ID and choose Add).
KeyUsage
The key usage extension defines the purpose of the key

contained in the certificate.
DigitalSignature
Use when the public key is used with a digital signature
mechanism to support security services other than nonrepudiation, certificate signing, or CRL signing. Digital
signatures are often used for entity authentication and data
origin authentication with integrity.
NonRepudiation
Use when the public key is used to verify digital signatures
used to provide a non-repudiation service. Non-repudiation
protects against the signing entity falsely denying some
action (excluding certificate or CRL signing).
KeyEncipherment
Use when a certificate is used with a protocol that encrypts
keys. An example is S/MIME enveloping where a fast
(symmetric) key is encrypted with the public key from the
certificate. SSL protocol also performs key enciphering.
DataEncipherment
Use when the public key is used for encrypting user data,
other than cryptographic keys.
KeyAgreement
Use when the sender and receiver of the public key need to
derive the key without using encryption. This key can be
used to encrypt messages between the sender and receiver.
Key agreement is typically used with Diffie-Hellman ciphers.
KeyCertSign
Use when the subjects public key is used for verifying a
signature on public key certificates. If the keyCertSign is
asserted, the CA bit in the basic constraints extension must
also be asserted.
CrlSign
Use when the subject public key is used for verifying a
signature on certificate revocation list. CrlSign must be
asserted in certificates that are used to verify signatures on
CRLs.
EncipherOnly
Use only when key agreement is also enabled. This enables
the public key to be used only for enciphering data while
performing key agreement.
DecipherOnly
72
06/2011
3 Administration
Use only when key agreement is also enabled. This

enables the public key to be used only for deciphering data
while performing key agreement.
For more information about standard certificate extensions,
see http://www.ietf.org/rfc/rfc3280.txt
ExtendedKeyUsage
This option defines the extended purpose of the key

contained in the certificate.
Example SNC/SSF Client Certificate:
KeyUsage
DigitalSignature
NonRepudiation
KeyEncipherment
DataEncipherment
ExtendedKeyUsage
ClientAuthentication
Example SNC Server Certificate:
KeyUsage
DigitalSignature
NonRepudiation
KeyEncipherment
DataEncipherment
For more information about standard certificate extensions,
see http://www.ietf.org/rfc/rfc3280.txt
BasicConstraints
This option defines whether the subject of the certificate is a

Certification Authority and how deep a certification path may
exist through that Certification Authority.
Checking this option will open the following sub-options:
Is critical?
If you select this option, the basic constraints parameter is
required in the certificate for communication to be
successful.
Is CA?
This option defines whether the subject of the certificate is a
Certification Authority. When you select this option, the Path
Length field opens. Enter the number of levels for which the
constraints are valid.
Private Extensions
06/2011
Add a user-specific extension to the template.

Choose Add and open the Create Private Extension input
page:
73
3 Administration
Extension Name*
The unique name for this extension
Base64/DER Encoded Data*
The content of the private extension in Base64 or DER
format
Add
Adds the information from the fields above to the certificate
template (this will also take you back to the Create
Certificate Template page).
Cancel
Cancels the Create Private Extension configuration step.
Reset
Clears the fields of any entries.
Cancel
Cancels the Create Certificate Template configuration step.
For more information about standard certificate extensions, see

http://www.ietf.org/rfc/rfc3280.txt
74
06/2011
3 Administration
Mapping Certificate Template

This section describes how you can map certificate templates to server instances (user
certificates) or SAP server certificates.
Choose the desired template name and choose the Mapping button.
Figure: Administration Console Certificate Template
The default template cannot be deleted, changed, or exported. The Mapping option is only
available for the default template if another certificate template is available.
Figure: Administration Console Certificate Template Mapping

Option
Details
SAP Server Certificate
Assigns the certificate template that is used to create SAP

server certificates.
User Certificate
Assigns the certificate template to an instance used for

creating user certificates.
To confirm any changes, choose Save.
06/2011
75
3 Administration
Export Certificate Template

This section describes how to export certificate templates as an XML file.
Choose the desired template and choose the Export button.
Figure: Administration Console Export Certificate Template

Option
Details
[List Box]
Selected Template
Exports the selected certificate template.
All Templates
Exports all certificate templates.
Export
Executes the export procedure.
Cancel
Cancels the export procedure.
Import Certificate Template

This section describes how to import certificate templates into the Certificate Template
Management page.
Choose the Import button.
Figure: Administration Console Import Certificate Template

Option
Details
Browse
Opens a file browser to locate a certificate template XML file.
Import
Executes the import procedure.
Cancel
Cancels the import procedure.
76
06/2011
3 Administration
3.3.6 System Check

This section describes the System Check page of the Administration Console. This feature
displays the status of the system configuration (whether the components necessary for
Secure Login functionality are currently available).
This function is similar to the initial wizard page (prerequisite check).
Figure: Administration Console System Check

Option
Details
Authentication
Configuration
Configuration of the authentication
General System Checks
Files and Folder

Are read/write permissions to file system available?
SAP Cryptolib
Checks the JavaSDK of the Secure Login Server.
IAIK SDK
Checks for the location of the IAIK SDK and displays the
version number.
Create PKCS#12 File
Checks if a P12 certificate format can be created.
Create PSE File
Checks if a PSE certificate format can be created.
JRE Crypto Policy
Checks if Java JCE is enabled.
06/2011
77
3 Administration
PKI Structure
Checks if there are any missing or invalid certificates
SAP ID Check
SAP SNC Runtime

Checks if Secure Login Library is installed and configured.
SAP JCO Runtime
Checks whether the SAP JCO can be found.
Server List
Server Name Check

Checks Instance Names and Instance IDs.
Trust Store
TrustStore
Check the Java Trust Store used by Secure Login Server.
3.3.7 Message Settings

This section describes the Message Settings page of the Administration Console. The
message settings are used to relay specific server messages to the Secure Login Client.
The Message Settings page allows you to do the following:
View currently available message language files

Create a new message language file
Edit a message language file
Figure: Administration Console Message Settings
The fallback message file is serverMsg.properties. This message file is used if the
required language is not available. The language for the fallback scenario is English.
78
06/2011
3 Administration
Create a Message File

Choose the Add button to create a new message language file.
Figure: Administration Console Create Message File

Choose the desired language and choose the Create New File button.
In this example the newly chosen language is Afrikaans.
Figure: Administration Console Create Message File
The predefined language for the new message file is English and needs to be translated
to the required language.
The file format is defined as: ServerMsg_<country abbreviation>.properties
06/2011
79
3 Administration
Edit a Message File

Choose the relevant message file and choose the Edit button.
Figure: Administration Console Edit Message File

To confirm any changes, choose Save.
To disable a server message, delete the message text.

Example: If the message Authentication process completed should be disabled, delete the
message text for the parameter AUTH_RESULT_ACTION_OK_MSG.
80
06/2011
3 Administration
Message Format Configuration Option

The message format can either be plain text or rich text. Rich text messages are contained in
a body element. You can use the following codes:
Code
Details
<body>message</body>
The whole rich text message has to be enclosed in

body start and end tags.
\r\n
Inserts a line break.
<b>text</b>
Uses bold formatting for text.
<any color=red>text<any>
Uses the color red for text (red is the only color
supported).
<a href=URL>anchor</a>
Inserts a link to the destination URL with the link

text anchor.
File Location of the Message Files

The server messages file are available in the following locations:
Microsoft Windows
<INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\classes
Linux
/usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/classes
06/2011
81
3 Administration
3.3.8 SNC Configuration

This section describes the preparation required for Secure Login Server to run with SAP ID
authentication. This configuration step is optional and is only required if you want to integrate
SAP ID authentication.
The SNC certificate is used to establish a secure communication to the desired SAP
NetWeaver ABAP system. This secure communication is used to verify SAP User
Authentication.
The installation of the Secure Login Library (described in the Installation, Configuration,
and Administration Guide of the Secure Login Library) is a prerequisite.
Two options are available to define the SNC certificate:

Import P12 File
Import from Console (Certificate Management)
Import P12 File

If using the setup type From Local, choose the Browse button and select the desired P12
file. Define the password and choose the Upload button to install the SNC certificate.
Figure: Administration Console SNC Configuration Option From Local
82
06/2011
3 Administration
Import from Console

The prerequisite for this option is that a SNC certificate (certificate type SNC_CERT) has
been created in Certificate Management. For more information, see section 3.3.3 Certificate
Management.
Select the desired SNC certificate and choose the Upload button to install the SNC
certificate.
Figure: Administration Console SNC Configuration Option: From Console
3.3.9 Server Status

The option Server Status provides server status information.
Figure: Administration Console Server Status
06/2011
83
3 Administration
Criteria
Details
Date
Current date and time information
Version
Version of the Secure Login Server Kernel
Uptime
The amount of time the Server has remained active and

running
Instance ID
Info: Server Instance
Configuration URL
File location of the Secure Login Server configuration file

Configuration.properties.
Configuration Status
Integrity Check of the Secure Login Server Status
Lock Status
Lock Status = No
The Secure Login Server is not locked. Everything is OK and
the server is up and running.
Lock Status = Yes
The Secure Login Server is locked meaning that it has
encountered a problem. In this case, check the server
information pane in the top left of the screen for tasks that
still need to be performed as well as the log files for possible
problems.
An Unlock button appears next to the table entry (provided
that the administrator role has the necessary permissions).
Once you have resolved any problems, choose the Unlock
button to reset the Lock Status.
Secure Login Servlet

Status
Verifies the status of the Secure Login Server Java Servlet.
Server Build
Secure Login Server Version
If the error message Cannot connect to the server using the SSL connection. Import the
server's certificate into the Trust Store is displayed, add the SSL CA certificate (public
certificates) to Trust Store of the Secure Login Server.
For more information, see section 3.3.4 Trust Store Management.
3.3.10 Sign Certificate Requests

This section describes how to submit a certificate request to the Secure Login Server
Certification Authority in the administration console.
As an example scenario, a PSE or P12 could be generated on the SAP server side. On
the SAP server, a certificate request is created and sent to the Secure Login Server.
The Secure Login Server signs the certificate request and sends back a certificate
response which is recorded in the SAP server.
84
06/2011
3 Administration
Figure: Administration Console Sign Certificate Requests
Option
Details
Base-64 Encoded
Certificate Request (PKCS
#10)
The content of the certificate request in Base64

encoding format.
Use the option Browse for a file to insert to import a
certificate request file. Use the button Read to import.
Another option is to copy and paste the content of the
certificate request to the Saved Request field.
Validity Period of
Certificate*
Define the period of time for which the certificate is

valid.
Certificate Encoding Type
Select DER or PEM encoding type, a certificate

response should be generated.
Certificate Template
If needed, select the desired certificate template. The

default certificate template is used for the SAP
environment.
Issuer
Choose the desired CA certificate; the certificate

request should be signed.
Sign Certificate
The certificate reply is generated, and you are asked

to store the certificate reply file.
06/2011
85
3 Administration
3.3.11 Console Log Viewer

This section describes the Administration Console logging functionality. The log entries apply
only to the administration actions performed in the Administration Console.
Figure: Administration Console Console Log Viewer
This page displays all of the tasks performed using the Administration Console since logging
began. This page allows you to do the following:
Select a period of time to view with the Log Month combo box.
Export log files to a *.csv file format with the Export Logs function.
This entry is only visible if log entries are present.
The monthly table contains the following information about the administration tasks:
Option
Details
Date
The date the task was performed.
Time
The time the task was performed.
Code
The internal message code of the task performed.
Level
An abbreviated description of the message level.

Possible message levels:
INF
Information
ERR
Error
WAR
Warning
User
The name of the user/administrator that performed

the action.
Action
A quick description of the action, for example EDIT or
86
06/2011
3 Administration
OTHER.
Server
The server instances to which the action was directed
Description
A description of the message/task
06/2011
87
3 Administration
3.3.12 Web Client Configuration

This section describes the configuration settings for the Secure Login Web Client.
The Web Client Configuration is separated in three tabs:
Properties Configuration
In this section, you can configure the Secure Login Web Client profiles is performed.
Message Settings
In this section, you can configure the server messages provided to the Secure Login Web
Client.
Package Management
In this section, you can configure the SNC library for the respective Secure Login Web
Client. By default, three packages are available, for Microsoft Windows, Linux and Mac
OS X.
Note that there are server messages available for Secure Login Client (described in
section 3.3.7 Message Settings) and Secure Login Web Client.
Figure: Administration Console Web Client Configuration
Properties Configuration Web Client Application Path

The parameter WebClientConfigPath is read-only and used for verification purposes. This
configuration links the Secure Login Server to the Secure Login Web Client application.
88
06/2011
3 Administration
Properties Configuration Common Configuration

The Common Configuration defines the parameter for Secure Login Web Client profile
Launch SAP Logon.
Figure: Secure Login Web Client profile Launch SAP Logon

To configure this profile, choose the Edit button.
Figure: Administration Console Common Configuration
Option
Details
PORTALURL
URL address for certificate-based login to be called

after successful user authentication
This option depends on the parameter ACTION.
AUTHENTICATIONSCHEME
The SAP Portal Scheme to be used for

authentication. This option is not usually required.
ACTION
The action to be performed by the Secure Login Web

Client after successful user authentication. The
following options are available:
No action after authentication
After successful user authentication, no action is
06/2011
89
3 Administration
performed.
Open Portal
After successful user authentication the URL defined
in PORTALURL is used.
Launch SAP GUI
After successful user authentication the SAP GUI
application is started.
Both SAP Portal and SAP GUI
After successful user authentication the URL defined
in PORTALURL is used, and the SAP GUI application
is started.
PackURL
The name of the folder where the SNC libraries for

the Secure Login Web Client are stored.
By default, three SNC libraries are available in the
folder DownloadPacks, for Linux, Microsoft Windows
and Mac OS X.
SAPLogon.slsinstance
Secure Login Server Instance (user authentication

method) to be used for Secure Login Web Client.
ClientLogging
This option determines the logging options:

No
No Client log file is created and no logging is
performed.
Temp
Client creates a log file for each login session. The
log file is deleted when the Secure Login Web Client
is closed.
Full
The client log file is never deleted.
The location of the Secure Login Web Client files depends on the operating system:
Microsoft Windows XP
C:\Documents and Settings\<user>\sapsnc\
Microsoft Windows Vista / Microsoft Windows 7
C:\Users\<user>\sapsnc\
Mac OS
/Users/<user>/sapsnc/
Linux
/home/<user>/sapsnc/
You can customize the file location of the Secure Login Web Client. For more information,
see section 4.5 Customize Secure Login Web Client.
90
06/2011
3 Administration
Properties Configuration SAP Server Management

In SAP Server Management you define the parameters for additional profiles in Secure Login
Web Client. This type of profiles is used to log on directly to the desired SAP server system
after successful user authentication.
Use this section of the page to Add new SAP server configuration, view, and Edit current
SAP server configuration and Delete SAP server configuration.
To import SAP server configurations from saplogon.ini files, choose the button Upload SAP
Server List from File.
Figure: Administration Console SAP Server Management

To create a new SAP server configuration, choose the Add button.
Figure: Administration Console Add SAP Server Configuration
Option
Details
SAP GUI for Java
label
Profile name.
host
IP address or FQDN name of the desired SAP server
system.
06/2011
91
3 Administration
port
Port of the desired SAP server system
sncname
SNC name of the desired SAP server system
SAP GUI for Microsoft
Windows
shortcut.Name
Identifier used in multi-instance configurations.
shortcut.Description
The name of the server profile in SAP GUI for
Microsoft Windows (in SAPGUI this is the Description
field). This is the essential reference to the profile.
The Instance ID this server

used
Secure Login Server instance (user authentication

method) to be used for Secure Login Web Client
Properties Configuration Platform Configuration

In Platform Configuration you can define the parameter for SAP GUI for Microsoft Windows
and SAP GUI for Java is defined. This configuration depends on the operating system.
For the operating system Mac OS and Linux, only SAP GUI for Java can be configured.
For the operating system Microsoft Windows, SAP GUI for Microsoft Windows and SAP GUI
for Java can be configured.
Figure: Administration Console Platform Configuration

Select a platform and choose the Edit button. In this example, the Microsoft Windows
platform is shown.
92
06/2011
3 Administration
Figure: Administration Console Platform Configuration - Microsoft Windows
Option
Details
SAP GUI for Java
SAP.start.binary
GUI application name for SAP GUI for Java.
SAP.logon.binary
SAP Logon application name for SAP GUI for Java.
SAP.start
Path used to locate the SAP applications. Use the
Add button to add an additional search path. Use the
Delete button to remove an existing search path.
SAP GUI for Microsoft

Windows
(This option is only
available for Microsoft
Windows platforms)
SAP.start.win.binary
GUI application name for SAP GUI for Microsoft
Windows.
SAP.logon.win.binary
SAP Logon application name for SAP GUI for
Microsoft Windows.
SAP.start.win
Path used to locate the SAP applications. Use the
button Add to create an additional search path. Use
the button Delete to remove an existing search path.
Supported Operating
Systems
The platforms for which the properties on this page

are applicable. The platform name is listed along with
the files required by each platform to function
correctly.
06/2011
93
3 Administration
Message Settings
In this section, you can configure the server messages provided to the Secure Login Web
Client.
Figure: Administration Console Message Settings
The fallback message file is SNCAppletMessages.properties. This message file is used if

the required language is not available. The language for the fallback scenario is English.
To disable a server message, delete the message text.
To create a new message language file, choose the Add button. To configure an existing
message language file, choose the Edit button.
Package Management
In this section, you can configure the SNC library for the desired Secure Login Web Client. By
default, several packages are available, for Microsoft Windows, Linux and Mac OS X.
To update or add new files, choose the Upload button.
Figure: Administration Console Package Management
94
06/2011
3 Administration
3.4 Instance Management

In Instance Management, you can define the user authentication mechanism and client
policy. The DefaultServer Instance is installed by default with the Secure Login Server and
cannot be changed.
3.4.1 DefaultServer Configuration

In the navigation tree, click the folder DefaultServer Configuration. The following screen
appears.
06/2011
95
3 Administration
Figure: Administration Console Instance Management

To define the parameters which are described below, use the Edit button.
Option
Details
Authentication Server
Configuration
JaasModule
Select the desired user authentication mechanism.
The following authentication mechanisms are
available:
SPNegoLoginModule
With the installation of Secure Login Server; Login
Modules are installed in SAP NetWeaver. The name
of the Login Modules is synchronized with the name
of the JaasModule.
For more information about the configuration of the
Login Modules, see section 4.1 Configure Login
Module.
Secure Login User CA

Keystore
PseType
This parameter is read-only. The key store format is
FilePSE.
PseName
Select the desired User CA for this instance.
User Certificate
Configuration
In this section, you define the Distinguished Name of

the user certificate will be defined. The common
name (CN) is calculated by the Secure Login Server
using the user credentials.
DN.country
96
06/2011
3 Administration

Example: DE
DN.locality
Example: Walldorf
DN.organization
DN.organizationUnit
ValidityMinutes*
Time (in minutes) for which a user certificate is valid.
ValidityOffset*
Time offset in minutes relative to the server system
time for the certificates to start being valid. This
parameter is helpful if the client and server time are
not in sync.
UseUPN
If the Microsoft user credentials are used and the
User principal Name (UPN) is available, you can use
this parameter to define whether the UPN is used in
the CN field of the Distinguished Name of the user
certificate.
Example:
If this parameter is configured with true, the CN field
value is CN=Username@Domain.local
If this parameter is configured with false, the CN field
value is CN=Username
Certificate Template
Configuration
These parameters are read-only and display-only

parameters used for generating user certificates. For
more information, see section 3.3.5 Certificate
Template
Log Configuration
These parameters are read-only. For more

information, see Instance Log Management.
Other Server Configuration
LockDir
The path to which the lock file is saved. A lock file is
created when the server encounters an internal error
that requires manual intervention.
maxSessionInactiveInterval
Specifies the time, in seconds, between client
requests before the servlet container will invalidate
this session. This is applicable only in challengemode (for example, password change)
AdminServletHeader
Header text to be displayed on the status page.
Header text is used in Server Status and Instance
Status.
AdminServletTrailer
Footer text to be displayed on the status page. Footer
06/2011
97
3 Administration
text is used in Server Status and Instance Status.

User-Defined Properties
Any properties defined by the administrator are

configured here.
WebClientKeyStoreType
Defines the certificate export format for the Secure
Login Web Client. The default value is PKCS12.
For more information about possible parameters, see
User-Defined Properties section.
Remember to configure the desired Login Module in SAP NetWeaver Administrator. For
more information about the configuration of the Login Modules, see section 4.1 Configure
Login Module.
User-Defined Properties
User-Defined Properties are used to define additional configuration issues depending on the
instance. You can configure the following:
Secure Login Web Client Certificate Format

Certificate format used for Secure Login Web Client.
Certificate User Mapping Service
Change the value of the Common Name (CN) field of the user certificate Distinguished
Name, based on the user mapping service.
Certificate User Name Service
Change the value format of the Common Name (CN) field of the user certificate
Distinguished Name, based on the user name service.
Secure Login Web Client Certificate Format

Define the certificate export format for the Secure Login Web Client.
In default instance the default value is PKCS12. If you create a new instance is created, you
need to define this parameter.
Certificate User Mapping Service

This section describes how to configure the use of an attribute from an LDAP or Microsoft
Active Directory Server instead of the user name given by the client. This may be useful if the
SAP user names and the authenticated user names (for example, from a Microsoft Windows
domain) are not the same.
Example
The Microsoft user name is UserADS and the SAP user name is UserSAP. Without the
Certificate User Mapping Service the Secure Login Server would create a user certificate
with the Distinguished Name CN=UserADS.
98
06/2011
3 Administration
If the SAP user name is stored in the Microsoft Active Directory, for example, in the
attribute employeeID, the Secure Login Server can read this attribute and create a user
certificate with the Distinguished Name CN=UserSAP.
This issue will be configured in the Certificate User Mapping Service.
The advantage of having the SAP user name in Distinguished Name is easier
configuration in the SAP NetWeaver ABAP/JAVA Server environment (user mapping
configuration).
The prerequisite is that the SAP user name is stored in the LDAP or Microsoft Active
Directory system. The Certificate User Mapping Service depends on the Secure Login Server
user credential check against the authentication server.
Figure: Administration Console User-Defined Properties
Parameter
Details
LdapReadServers*
Number of LDAP servers that are configured here.

A numerical value is expected and must be 1 or
higher. The given value is used as n to define an
ordered list of servers that are called in a fail-over
manner.
To disable all configured servers, leave this field
empty.
LdapReadTimeoutn
Connection timeout in seconds.
LdapReadUrln*
The LDAP server to be used to retrieve that attribute
LdapReadBaseDNn*
Define the Base DN of the desired LDAP server

Example Microsoft Active Directory:
DC=DEMO,DC=LOCAL
LdapReadDomainn*
For Microsoft Active Directory:

LDAP domain to be appended to the given user name
if it is not a User Principle Name. If the name is
already in UPN format, the property is ignored.
LdapReadUsern*
Define the technical user used to read the LDAP

attribute from LDAP or Microsoft Active Directory
06/2011
99
3 Administration
Server.
Example: employeeID
LdapReadPassn*
Define the password of the technical user used to

read the LDAP attribute from LDAP or Microsoft
Active Directory Server.
LdapReadAttributen*
Define the LDAP attribute which is used for the

common name (CN) of the user certificate
Distinguished Name.
Example Microsoft Active Directory:
SecureLoginLDAP@DEMO.LOCAL
The value n in the parameter is a counter and is defined depending on the parameter
LdapReadServers.
The Secure Login Server is able to verify user credentials and perform Certificate User
Mapping on a different server. The prerequisite is that the user name is available on both
servers.
Certificate User Name Service

There are two use cases available for configuring the Certificate User Name Service.
SAP user IDs have a maximum length of 12 characters (SAP NetWeaver ABAP
environment), which needs to be considered by SNC X.509 certificates. The password
length or value can be customized.
If user names in the common name (CN) field need a fixed or minimum length, padding
can be turned on. Typically this configuration is used if personnel numbers are used.
SAP user IDs have a maximum length of 12 characters (SAP NetWeaver ABAP environment)
which needs to be considered by SNC X.509 certificates. The password length or value can
be customized.
Figure: Administration Console User-Defined Properties

Parameter
Details
MaxUserNameLength
Maximum number of characters that a user name in

the common name (CN) field can have. If the given
user name is longer, it is cut from the right side.
100
06/2011
3 Administration
Default value: 12
Example:
LongUsernameSAP is cut off to LongUsername with
the default settings.
UserNamePaddingLength
If user names in the common name (CN) field need a

fixed or minimum length, padding can be turned on.
The padding length sets the minimum length of user
names.
Default value: None
UserNamePaddingChar
The padding character is used to fill user names on

the left side if their size is smaller than the configured
padding length (UserNamePaddingLength).
Default value: None
Example:
UserNamePaddingLength = 11 and
UserNamePaddingChar = 0.
The result is ShortName is extended to
00ShortName
Typically this configuration is used if personnel
numbers are used.
Instance Configuration - Client Configuration

This section describes how you can define the client policy and how it is used by the Secure
Login Client.
Client Policy
Define the URL of the Secure Login Server; used by the Secure Login Client to retrieve the
client policy.
Figure: Administration Console Instance Management - Client Policy
Parameter
06/2011
Details
101
3 Administration
Policy URL*
Network resource (Secure Login Server) from which

the latest Secure Login Client policy can be
downloaded.
Policy URL depends on the instance configuration:
ClientPolicy.xml
Client Policy defined in the default instance of the
ClientPolicy.xml&path=000xx
Client Policy defined in instance xx (instance number)
of the Secure Login Server.
PolicyTTL*
Lifetime in minutes for verifying (update) a new client

policy.
Default is 0 minutes.
By default, the Secure Login Client verifies a new
client policy during the system startup of the client
PC.
Network Timeout
(seconds)*
Network timeout in seconds before the connection is

closed if the server does not respond.
The default value is 45 seconds.
Disable update policy on

startup
By default the Secure Login Client verifies during a

new client policy during the system startup of the
client PC.
You can use this parameter, to disable this feature.
No
Secure Login Client updates the client policy at
startup.
Yes
Secure Login Client does not update the client policy
at startup.
Default value is No.
Save
Saves the configuration.
Cancel
Cancels the configuration.
Applications
Defines which client profile is used for which SAP server application.
102
06/2011
3 Administration
Figure: Administration Console Instance Management - Applications
Parameter
Details
Specify the applications

action
Existing application profiles are handled as configured

by action.
Clean
Deletes all existing profiles in the selected policy key
before the given ones are written.
Replace
Replaces any existing profiles of the same name in
the selected policy key with a given one.
Keep
Keeps any existing profiles of the same name in the
selected policy does not write the given one (default).
The default value is Clean
Add Application
Adds new application
Edit
Edits the chosen application.
Delete
Deletes the chosen application.
To define the application parameter, choose the Add Application or Edit button.
Figure: Administration Console Instance Management Edit Application
06/2011
103
3 Administration
Parameter
Details
Application Name*
Defines a name for this application template.
GSS Target Name*
Application specific PSE URI (SAP Server SNC

Name) that is matched when a suitable profile is
searched. You can use the wildcards * and ?.
Examples:
SNC/CN=SAP, OU=SAP Security, C=DE
SNC/CN=Server*, O=Company xyz
Using the value * means that the client profile is used
for all SAP servers.
Profile
The name of the client profile to be used for the

desired application.
allowFavorite
Allows the user to select the authentication profile

manually in Secure Login Client.
No
A user cannot select the authentication profile
Yes
A user can select the authentication profile manually
in Secure Login Client.
The default value is Yes.
Save
Clear
Clears fields (Application Name and GSS Target

Name).
Back
Goes back to the Client Configuration page.
Profiles
This section describes the configuration of the client profile.
104
06/2011
3 Administration
Figure: Administration Console Instance Management - Profiles

Parameter
Details
You can also specify the

profiles action
Existing profiles are handled as configured by action.

Clean
Deletes all existing profiles in the selected policy key
before the given ones are written.
Replace
Replaces any existing profiles of the same name in
the selected policy key with a given one.
Keep
Keeps any existing profiles of the same name in the
selected policy, does not write the given one (default).
The default value is Clean
Add Profile
Adds a new profile
Edit
Edits the chosen profile.
Delete
Deletes the chosen profile.
To define the profile parameter, choose the Add Profile or Edit button.
Figure: Administration Console Instance Management Edit Profile
06/2011
105
3 Administration
Parameter
Details
Profile Name*
Defines a name for this profile template.
PSE Type
Authentication type.
promptedlogin
Using this profile, the user is prompted to enter the
user credentials.
windowslogin
Using this profile, the user credentials are provided
automatically (only available for Microsoft Windows
authentication)
The default value is windowslogin
Enroll URL*
Secure Login Server URL that is used for user

authentication and certificate request.
Enroll URL depends on the instance configuration.
<Server>/securelogin/PseServer
Enroll URL defined in the default instance of the
<Server>/securelogin/PseServer&id=000xx
Enroll URL defined in instance xx (instance number)
To configure further Enroll URLs, use the Add button.
This is the failover configuration for the Secure Login
Client. If the Secure Login Client establishes a
connection to the first Enroll URL, it tries the next
Enroll URL, defined here.
HttpProxyURL
HTTP proxy to be used with enrollment URLs. Only

HTTP proxies without authentication and without SSL
to proxy are supported.
Example: http://example.address.com:8888
Grace Period
Value in seconds for the time in which an enrollment

is to be carried out before the certificate expires
The default value is 0
InactivityTimeout
Value in seconds until an automatic logout is

performed (due to mouse and keyboard inactivity).
Possible values:
Value -1
No Single Sign-On (SSO). Each SNC connection
forces a new login.
Value 0
No timeout. SSO without constraints.
The default value is 0.
Auto-Reenroll Attempts
The number of successive failed authentications after

which automatic re-enrollment is stopped.
106
06/2011
3 Administration
You can activate the user name and password

caching to ensure the automatic re-enrollment of
certificates that are going to expire. Possible values:
0: Turn off:
Does not re-enroll automatically, does not cache user
name and password. A re-enrollment must always be
performed manually by the user.
>0 (n): Turn on with n tries to succeed:
Tries to re-enroll a maximum of n times before either
a new certificate is received or the user name and
password cache are cleared. The error counter is
reset on success.
Key Size
RSA Key Length.

NewPinType
Message text value used for messages (change

PIN/password) to the Secure Login Client and Secure
Login Web Client.
Available values are pin and password.
Unique Client ID
Custom-defined string is displayed in the instance log

or can be used for network filtering issues.
Network Timeout
(seconds)
Network timeout (in seconds) before the connection is

closed if the server does not respond
Reauthentication
This parameter defines how many logon attempts are

permitted with the Secure Login Client logon form
before it is closed again.
Example with the value 4:
The Secure Login Client offers the logon form 4 times
(the logons fail, for example, due to wrong credential
information) before the logon form is closed.
With this value, the logon form is never closed. The
user needs to use the Cancel button to close the
logon form.
SSL Host Common Name

Check
This applies to the SSL Server certificate this

checks if the peer host name is given in the Common
Name (CN) field of the SSL Server certificate.
True
Verifies the SSL server host name with the Common
Name (CN) field of the SSL Server certificate.
False
Does not verify the SSL server host name with the
Common Name (CN) field of the SSL Server
certificate.
The default value is False
SSL Host Alternative
This applies to the SSL server certificate this
06/2011
107
3 Administration
Name Check
checks if the peer host name is given in the Subject

Alternative Name attribute of the certificate.
True
Verifies the SSL server host name with the Subject
Alternative Name attribute of the SSL Server
certificate.
False
Does not verify the SSL server host name with the
Subject Alternative Name attribute of the SSL Server
certificate.
SSL Host Extension Check
This applies to the SSL server certificate this

specifies whether the system checks if the extended
key usage ServerAuthentication is defined.
True
Verify if the extended key usage ServerAuthentication
is defined in the SSL server certificate.
False
Does not verify if the extended key usage
ServerAuthentication is defined in the SSL Server
certificate.
User Warning MSIE
Turns on/off a warning dialog box that appears after a

new certificate has been propagated to the Microsoft
Crypto Store.
True
Turns on a warning dialog box.
False
Turns off a warning dialog box.
Note: Microsoft Internet Explorer must be restarted.
Auto-Enroll
A user automatically gets an X.509 certificate when

the Secure Login Client starts.
False: Turn off
True: Automatic provisioning of user certificates
If pseType is set to windowslogin, user credentials
are provided automatically (only applies for Microsoft
Windows authentication).
If pseType is set to promptedlogin, the system
prompts the users to enter their credentials.
Save
Clear
Clears fields.
Cancel
Download Files
This section describes how to download the relevant Client policy files for the Secure Login
Client. Use the files generated with this option, if you want to export the client policy file for
the current (active) instance.
108
06/2011
3 Administration
Figure: Administration Console Instance Management Download Files

Parameter
Details
Client Policy and

customer.zip
If you choose this option, the system asks you which

file you want to download.
ClientPolicy.xml
Instance profile configuration (Enroll URL) and client
policy (Policy URL) in XML format.
Customer.zip
Registry key that includes the configuration of the
client profile (Policy URL).
You can use this registry file for the Secure Login
Client installation to define where the client profiles
can be retrieved.
To download the desired file, click it.
customerAll.reg
Registry Key which includes the configuration of the

Client Profile (Policy URL) and the Instance Profiles
(Enroll URL).
This registry files can be used for the Secure Login
Client installation; defining where the client profiles
can be retrieved. In addition the instance profiles will
be installed.
Click on the desired file for download.
Download
Downloads the desired file.
Global Client Policy

This section describes how to download the relevant client policy files (including all instances)
for the Secure Login Client. Use this option if you want to include the complete Secure Login
Server configuration including all instances - in the client policy files for the Secure Login
Client.
06/2011
109
3 Administration
Figure: Administration Console Instance Management Global Client Policy
Parameter
Details
Generate
Use this button to generate the global client policy. All

instance client policy configurations are stored in a
global client policy file.
GlobalCustomer.reg

client profile (Policy URL).
You can use this registry files for the Secure Login
Client installation to define where the client profiles of
all instances can be retrieved.
GlobalCustomerAll.reg

client profile (Policy URL) and the Instance Profiles
(Enroll URL).
You can use this registry files for the Secure Login
Client installation to define where the client profiles of
all instances can be retrieved. The instance profiles of
all instances are also installed.
GlobalClientPolicy.xml
Profile configuration (Enroll URL) and client policy

(Policy URL) for all instances in XML format.
If using the Global Client Policy, note that you need to define unique application template
names in each instance.
Remember to use the Generate button after making changes in instances.
Instance Configuration - Instance Log Management

This section describes the instance logging functionality. The Instance Log Management
provides the following functions:
110
06/2011
3 Administration
Monthly Log
Information about the instance.
Daily Log
Information about the user authentication.
Log Analysis
Summary of statistical information for the instance.
Log Setting
Configuration of the log settings.
Archive Log
Archived logs are shown here.
Monthly Log
Figure: Administration Console Instance Log Monthly Log

The Monthly Log table contains the following information:
Option
Details
Log Month
To display the log entries from a specific month,

select it from the dropdown box.
Use the button Export Logs to export the log file in
*.CSV format.
Date
The date the task was performed.
Time
The time the task was performed.
Code
The internal message code of the task performed.
Level
An abbreviated description of the message level.

Possible message levels are:
INF
Information
ERR
Error
WAR
Warning
06/2011
111
3 Administration
Description
A description of the message/task.
Daily Log
Figure: Administration Console Instance Log Daily Log

The Daily Log table contains the following information:
Option
Details
Log Date
To display the log entries from a specific date, select

it from the dropdown box.
Use the button Export Logs to export the log file in
*.CSV format.
Time
Time the user authentication was performed.
Client
Custom information defined in the client profile

(Unique Client ID)
DNS/IP
DNS and IP of the client computer from which a user

authentication was performed.
View As
NOTE: This field only appears if multiple sets of

DNS/IP are configured on the admin computer the
IP values of one set are displayed.
User
The name of the user that performed the user

authentication.
Action
A quick description of the action, for example

INIT_ACTION or AUTH_ACTION.
Result
Description of the user authentication result.

Possible results are:
ACM_OK
User authentication was successful.
ACM_ACCESS_DENIED
User authentication failed.
112
06/2011
3 Administration
ACM_NEW_PIN_REQUIRED
Password/PIN change was requested.
ACM_NEW_PIN_REJECTED
New password/PIN not accepted.
ACM_NEW_PIN_ACCEPTED
New password/PIN change was accepted.
ACM_NEW_PIN_ACCEPTED
New password/PIN change was accepted.
OK
Initial action was successful
INTERNAL_SERVER_ERROR
Server error.
INVALID_MESSAGE_FORMAT
Invalid or incomplete client communication.
Log Analysis
You can use the Log Analysis to analyze statistical information about user authentication.
To display the statistical information, define the desired start and end date and choose the
Analysis button.
Figure: Administration Console Instance Log Log Analysis

Log Setting
This section describes the log file settings for the instance log management.
06/2011
113
3 Administration
Figure: Administration Console Instance Log Log Setting
Option
Details
Maximum Log File Size*
The maximum size in gigabytes for the log file

directory (all log files).
The default value is 1 gigabyte.
Maximum Individual File

Size*
The maximum size of a log file in megabytes before it

is archived.
The default value is 10 megabytes.
Daily Log Cleanup

Interval*
The interval (in days) after which the next log cleanup
starts.
The default value is 30 days.
Monthly Log Cleanup

Interval*
The interval (in months) after which the next log

cleanup starts.
The default value is 1 month.
Daily Log Analysis Period*
Define the period length to be used in Log Analysis. It

defines the length of the period from Start Date until
End Date.
The default value is 30 days.
Daily Log Prefix*
The file prefix for daily logs.

This information is read-only.
Directory for Storing Daily

Log Files*
The directory for daily log storage.

Monthly Log Prefix*
The file prefix for monthly logs.

Directory for Storing

Monthly Log Files*
The directory for monthly log storage.

114
06/2011
3 Administration
Save
Save the configuration.
Cancel
Cancel the configuration.
Archived Log
This section describes the Archive Log page.
Figure: Administration Console Instance Log Archived Log
Archived Log files are stored in log file directory, defined in Log Setting.
Option
Details
Archived File Name
The name under which the server has saved the log file(s).
Selected
A radio button to indicate which file is downloaded.
To download a log file archive, select an archive from the Selected column and choose
Download. You are prompted to choose a location. The log files are in ZIP format.
To delete a log file archive, select an archive from the Selected column and choose Delete.
Instance Configuration - Instance Check

In Instance Check, you can check the Client Policy and PKI Structure for the chosen
instance.
Figure: Administration Console Instance Check
06/2011
115
3 Administration
Option
Details
Client Policy
Checks the correct configuration of client policies and client

profiles
PKI Structure
Checks if there are missing or invalid certificates
Instance Configuration - Instance Status

Use this option to display the status of the desired instance.
Criteria
Details
Date
Current date and time information.
Version
Version of the Secure Login Server Kernel.
Uptime
The amount of time the instance has remained active and

running.
Instance ID
Chosen instance name
Configuration URL
File location of the Secure Login Server configuration file

Configuration.properties.
Configuration Status
Integrity check of the Secure Login Server status.
Lock Status
Lock Status = No
Chosen Instance is not locked. Everything is OK and the
Instance is up and running.
Lock Status = Yes
Chosen Instance is locked, which means it has encountered
a problem. In this case, check the server information pane in
the top left of the screen for tasks yet to be performed as
well as the log files for possible problems.
116
06/2011
3 Administration
An Unlock button appears next to the table entry (providing

the administrator role has the necessary permissions). Once
you have resolved any problems, choose the Unlock button
to reset the Lock Status.
Secure Login Servlet
Status
Verifies the status of the Instance Java Servlet.
Server Build
Secure Login Server Version
3.4.2 Create a New Instance

This section describes how to create a new instance.
Figure: Administration Console Instance Management

To create a new instance, choose the Add button.
Figure: Administration Console Instance Management New Instance

Define a name for the new instance and choose the OK button to continue.
06/2011
117
3 Administration

Select the option Create a New Server Instance and choose the OK button to continue.

Define the respective parameters (for more information, see section 3.4.1 DefaultServer
Configuration).
By default, the configuration for Authentication Server Configuration, Secure Login User CA
Keystore and User Certificate Configuration, defined in DefaultServer Instance will be reused.
If you do not want to re-use this configuration information, deactivate the option Use Default
and define your own configuration.
118
06/2011
3 Administration
For example if you want to define a different user authentication mechanism for this
instance, deactivate the option User Default in JaasModule and define a new value.
After you have performed the configuration, choose the OK button to continue.
Figure: Administration Console Instance Management New Client Policy

Define the parameter for the client policy and choose the OK button to continue.
Figure: Administration Console Instance Management New Instance Created

The new instance was created and is displayed in the navigation tree.
Remember to activate this new instance in Certificate Management (Mapping to

Instance).
06/2011
119
3 Administration
Create New Instance Option

(Clone from an existing server instance using this Administration Console)
You can use the option Clone from an existing server instance using this Administration
Console, to clone an existing instance configuration.
Figure: Choose Existing Instance
Create New Instance Option

Migrate from an External Secure Login Server
You can use the option Migrate from an External Secure Login Server to choose an existing
instance configuration that is available in the file system (for example, a backup file copy of
another Secure Login Server).
Figure: Choose Existing Instance from File Backup
120
06/2011
3 Administration
3.5 Console Users

This section describes the Console Users page of the administration console. Use this node
to view when an administrator logged on to, or logged off from the administration console.
Figure: Administration Console Console Users
3.5.1 User Management

This section describes the User Management node of the administration console.
This node displays a list of the users/administrators registered with the administration console
and allows you to add a new user, edit or delete a current user, and assign a role to a user.
Figure: Administration Console User Management
The Admin user cannot be deleted.
Option
Details
Add
Adds a new user.
Edit
Changes the settings for a selected user in the list.
Delete
Deletes a selected user from the list.
Assign Role
Assigns a role to a selected user in the list.
06/2011
121
3 Administration
Add a User
To create a new user, choose the Add button.
Figure: Administration Console Create User

Option
Details
ID
User logon name.
Name
User display name
Password
Defines user password.
Confirm Password
Confirms user password.
Disabled
If this option is enabled, this user cannot log on to the

Change Password
This option is only visible when editing a user entry in the

list!.
Check this option to change the password.
External Login
This feature uses user information stored in an

Authentication Server database for authentication to Secure
Login Administration Console. Selecting this option displays
the extra option External Login ID.
External Login ID
Define the user name for the desired Authentication Server
database.
For more information, see section 4.7 Configure External
Login ID.
SSL Certificate Login
This feature enables certificate-based logon to the Secure

Login Administration Console. Selecting this option displays
the extra option External Login ID.
Certificate Login ID
For user mapping, the Subject Alternative Name (RFC822
name) attribute of the logon certificate is used. The value of
the Subject Alternative Name is verified with the value
defined in Certificate Login ID.
For more information, see section 4.6 Configure SSL
Certificate Logon.
Save
122
06/2011
3 Administration
Cancel
Passwords used in the Secure Login Server are restricted by the password policy.
Password cannot be empty
Length of the password must be between 8 and 20 characters
Password must contain at least one uppercase letter
Password must contain at least one lowercase letter
Password must contain at least one digit
Password must contain at least one of the special characters
Assign a Role
Choose the desired user and choose the Assign Role button.
Figure: Assign Role to User

To transfer one or more roles to the user, select one or more roles from the left-hand pane All
Role and choose >>Add to transfer the roles to My Role.
To remove one or more roles from the user, select the role(s) in the My Role column on the
right and choose >>Delete to remove the role(s).
To save the configuration, choose the Save button.
06/2011
123
3 Administration
3.5.2 Role Management

This section describes the Role Management node of the Administration Console. Use this
node to configure the permissions for each administrator role.
Figure: Administration Console Role Management
Predefined roles cannot be deleted or changed.

To create a new role, use the Add button.
Figure: Administration Console Role Management
124
06/2011
3 Administration
Option
Details
ID*
The unique identifier for the role.
Name*
The name used to describe the role.
Permission List
Define the permissions; assigned to this role.

The permissions are described in the Permission
Description.
Instance List
Define the permissions for the respective instances.
To save the configuration, use the Save button.
3.5.3 Locked Files Management

This section describes how to check whether any Secure Login Server-specific system files
have been locked and how to unlock them, if necessary.
Files are locked in the following scenarios.
Different administrators are configuring the Secure Login Server at the same time.
When this happens one administrator will receive a message informing them to contact the
specific administrator to unlock the file.
Example Message
File ClientPolicy.xml has been locked, ask the administrator to remove the lock.
Figure: Administration Console Locked File Management

Select the locked file to be unlocked and choose the Release button.
06/2011
125
4 Other Configurations
This section describes some additional configuration steps.
4.1 Configure Login Module

You configure the Login Modules in the SAP NetWeaver Administrator. Log on to the SAP
NetWeaver Administrator.
http://<host_name>:<port>/nwa
Choose Configuration Management and Authentication and Single Sign-On.
Choose the tab Authentication and the configuration option Login Modules.
The following Secure Login Server Login Modules are available:
SPNegoLoginModule
This login module is used to verify user credentials against a Microsoft Windows domain.
This login module is used to verify user credentials against an LDAP Server or Microsoft
Active Directory System.
This login module is used to verify user credentials against a RADIUS Server.
This login module is used to verify user credentials against an SAP ABAP server.
The names of the Secure Login Server Login Modules are used in Instance configuration.
Refer to section 3.4 Instance Management.
SPNegoLoginModule
To configure SPNego, use the appropriate configuration wizard. For more information, see
the SAP NetWeaver Library 7.3 under SAP NetWeaver Library: Function-Oriented View >
Security> User Authentication and Single Sign-On > Integration in Single Sign-On (SSO)
Environments > Single Sign-On for Web-Based Access > Using Kerberos Authentication.
SPNegoLoginModule works in close conjunction with the user management engine (UME).
Remember that you may need to configure the mapping mode of the Kerberos Principal
Name to the UME or to change Customizing settings of the UME data source configuration.
For more information, see the SAP NetWeaver Library 7.3 under SAP NetWeaver Library:
Function-Oriented View > Security> User Authentication and Single Sign-On > Integration in
Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using
Kerberos Authentication > Configuring the UME for Kerberos Mapping.
Choose the login module SecureLoginModuleLDAP and choose the Edit button to configure
its parameters.
126
06/2011
Figure: SAP NetWeaver Administrator SecureLoginModuleLDAP
Option
Details
LdapBaseDN
Base DN of the LDAP Server (Start Search Path).

There are several configuration options. The variable $USERID is
replaced by Secure Login Server with the user name for user
verification against the authentication server.
LDAP Server
Define the search path where the user is located.
Example:
uid=$USERID,ou=Users,dc=yourdomain,dc=com
Microsoft Active Directory System
Define the search path where the user is located.
Example:
$USERID@<Windows_domain>
cn=$USERID,cn=Users,dc=domain,dc=com
If the parameter is not configured (empty), the Microsoft Windows UPN
name is required for user authentication (to be entered in Secure Login
Client).
LdapHost*
URL of the LDAP server or Active Directory server system used to

authenticate the user.
We recommend that you configure secure communication using
LDAPS.
ldaps://<FQDN or IP>:636
ldap://<FQDN or IP>:389
LdapProviderLang
uage
Character set encoding for communication between the Secure Login

Server and the LDAP/ADS server.
The default value is en-US.
LdapTimeout
Period of time the Secure Login Server waits for a response before
06/2011
127
trying the next LDAP/ADS server (in milliseconds).

The default value is 100 milliseconds.
PasswordExpiratio
nAttribute
The expiration date format of the password. For the LDAP

authentication server, the date must be in one of the following formats:
UMT:
0060727081914Z
Or
0060727081914+0700Z
GMT (Greenwich Mean Time) in ADS format:
0060727081914.0Z
Or
0060727081914.0+0700Z
MS Gregorian calendar (the number of milliseconds since 01/01/1601).
For example:
127984619236406250
If a password expiration warning message is configured, the
LdapBaseDN property must be given in complete DN form.
The PasswordExpirationAttribute value is used for the password expiry
warning message only.
By default no value is defined.
PasswordExpiratio
nGracePeriod
The interval (in days) for a password expiry warning message to be sent
to the client prior to a password expiring.
ServerID
Determines which password expiry warning is used. This value is used

for the password expiry warning only.
By default no value is defined.
TrustStore
Path to the Java certificate key store used by Secure Login Server. The
certificate key store is used to enable LDAP over SSL (LDAPS).
Use of the Java key store (*.jks) is mandatory when using LDAP over
SSL (LDAPS).
By default, no value is defined.
LDAPS is required. Configure the following value:
Microsoft Windows
<INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServ
er\securelogin\Instances\TrustStore.jks
Linux
/usr/sap/<SID>/SYS/global/SecureLoginServer/securelog
in/Instances/TrustStore.jks
To save the configuration, choose the Save button.
128
06/2011
Choose the login module SecureLoginModuleRADIUS and choose the Edit button to
configure its parameters.
Figure: SAP NetWeaver Administrator SecureLoginModuleRADIUS
Option
Details
Authenticator*
Authentication method for the RADIUS server.

Possible values are:
CHAP
MSCHAP
PAP
The default value is PAP.
AuthPort*
The port number used by the RADIUS server for

authentication requests.
Typically values are 1645 or 1812.
PinAlphanumeric
PIN format. This parameter is only used with OTP

tokens. Possible values:
true
The user can choose, and use, a PIN that contains
only alphanumeric characters (A-Z, a-z, 0-9).
false
The user can choose, and use, a PIN that contains
alphanumeric and special characters (such as !$%&).
The default value is false.
PinMax
Maximum PIN length for a new PIN. This parameter is

only used with OTP tokens.
PinMin
Minimum PIN length for a new PIN. This parameter is

only used with OTP tokens.
06/2011
129
RADIUSServerIP*
Host address of the RADIUS server (used for user

authentication).
ServerIniFile
For configuring specific RADIUS server messages.

You need to define the full path and file name.
By default no configuration file is required.
SharedSecret*
Shared Secret is used to encrypt the user password.

This Shared Secret also needs to be defined in the
RADIUS Server.
TimeOut*
Period of time the Secure Login Server waits for a

response before trying the next RADIUS Server (in
milliseconds).
The default value is 5000 milliseconds.
Choose the Login Module SecureLoginModuleSAP and choose the Edit button to configure
its parameters.
Figure: SAP NetWeaver Administrator SecureLoginModuleSAP
Option
Details
Client*
Define the SAP client number in which the SAP user

is to be verified.
CREDDIR
Path where the SNC certificate used by Secure Login

Server is located.
This configuration is not required if the environment
variable SECUDIR was configured (see Installation,
Configuration, and Administration Guide of the
Secure Login Library).
Configure the appropriate value for your operating
system:
Microsoft Windows
<ASJava_Installation>\sec
130
06/2011
Example: D:\usr\sap\ABC\J00\sec
Linux
<ASJava_Installation>/sec
Example: /usr/sap/ABC/J00/sec
PasswordAlphanummeric
This parameter is part of the password policy for the

client-side policy consistency check. Possible values:
true
The password can contain only alphanumeric
characters (A-Z, a-z, 0-9).
false
The password can contain alphanumeric and special
characters (such as !$%&).
This parameter must be consistent with the SAP
password policy.
The default value is true.
PasswordMax

client-side policy consistency check, specifically the
maximum number of characters in the password to be
used.
password policy.
PasswordMin

client-side policy consistency check, specifically the
minimum number of characters in the password to be
used.
password policy.
SAPaccount*
The technical SAP user account name used by

Secure Login Server. This technical user will be
created on the desired SAP ABAP server and you
need to configure the SNC name.
Example: SLSSNC
SAPServer*
IP address or host name of the SAP ABAP server.
SNCServerName*
SNC name of the desired SAP ABAP server.

Example:
p:CN=ABC, OU=SAP Security, C=DE
SystemNo*
SAP system number
06/2011
131
4.2 Verify Authentication Server Configuration

After successful configuration of Certificate Management, Instance Management and Login
Module, the Secure Login Client or Secure Login Web Client can be used to verify
communication to the authentication server.
LDAP Server
SAP NetWeaver - Secure Login Server

Secure Login
Admin Console
SAP NetWeaver Administrator
ABAP Server
Secure Login Client

Instance 1
Instance 2
Instance 3
Instance 4
SPNegoLoginModule
RADIUS Server
Java Server/ADS
Figure: User Authentication Work Process

The authentication work process takes place as follows:
1. Start Secure Login Client or Secure Login Web Client.
2. Choose the desired client profile and enter your user name and password.
3. The responsible instance for the chosen client profile is used.
You can configure the link to the login module (for example,
SecureLoginModuleLDAP) within the Instance configuration (Secure Login
Administration Console Instance Management).
4. The instance triggers the login module. The login module establishes a connection to
the authentication server. Login modules are configured in SAP NetWeaver
Administrator.
5. The Secure Login Server sends the user credentials to the authentication server.
If the response is successful, the Secure Login Server provides a user certificate to
the Secure Login Client or Secure Login Web Client.
132
06/2011
4.3 Create Technical User in SAP Server

The technical user is used to verify SAP user credentials on the SAP ABAP server.
Logon to the SAP ABAP server using SAP GUI and start the transaction SU01 (User
Management).
Create a new user (for example, SLSSNC):
User type is System.

Deactivate the password.
Define the SNC name, which must match the SNC certificate created in Certificate
Management (certificate type: SNC_CERT).
Choose the tab Profiles and define the following authorization profiles:
S_A.SCON
S_A.SYSTEM
S_USER_ALL
S_USER_RFC
Z_TRANS_RFC
Save the settings.
4.4 Mozilla Firefox Support

After successful user authentication, the Secure Login Web Client stores, the certificate in the
Microsoft Certificate Store. The same function is provided for the Mozilla Firefox Browser.
4.4.1 Install Firefox Extension

It is a prerequisite that the Firefox Extension XPI is installed. The Firefox Extension is
provided by the Secure Login Server and can be downloaded using the following URL:
http://<host_name>:<port>/SlsWebClient/Firefox/index.html
Browser and operating system are recognized automatically.
Figure: Mozilla Firefox Extension for Secure Login Web Client

Use the link here to install the Firefox extension.
06/2011
133
If your Mozilla Firefox browser does not open an extension installation dialog, but only allows
you to save this file, you have the following choices:
Choose the option Open with and choose the Mozilla Firefox application.
Save the file to your Desktop, then drag and drop it into any Firefox window.
Ask your Web portal administrator to add a new MIME type application/x-xpinstall for XPI
files.
Figure: Install Mozilla Firefox Extension

Install the Firefox Extension by choosing Install Now, and restart Mozilla Firefox.
4.4.2 Uninstall Mozilla Firefox Extension

Start the Mozilla Firefox application and, from the menu, choose Add-ons Manager and
Extensions.
Figure: Uninstall Mozilla Firefox Extension Secure Login Security Module

To uninstall, select the Firefox Extension Secure Login Security Module and choose the
Remove button.
134
06/2011
4.5 Customize Secure Login Web Client

By default, the location of the Secure Login Web Client files is stored in the user environment
of the client. This depends on the operating system:
Microsoft Windows XP
C:\Documents and Settings\<user>\sapsnc\
Microsoft Windows Vista / Microsoft Windows 7
C:\Users\<user>\sapsnc\
Mac OS
/Users/<user>/sapsnc/
Linux
/home/<user>/sapsnc/
You can use the configuration file config.properties to define a different location for the
libraries. You can upload the configuration file using the Secure Login Administration Console
(section 3.3.12 Web Client Configuration).
Config.properties
USER_FOLDER=<Path to be used>
Note that some configuration files are still stored in the default folder (sapsnc).
4.6 Configure SSL Certificate Logon

Use an X.509 certificate to log on to the Secure Login Administration Console.
The prerequisites are that SSL is enabled on SAP NetWeaver server, and the X.509
certificate has a trust relationship with the SSL server certificate of the SAP NetWeaver
server.
The SAP NetWeaver HTTPS port also needs to be configured to accept certificate-based
login (Request Certificate).
In the navigation tree, choose the node Certificate Management, and use the SAP CA to
create a LOGIN_CERT certificate.
In the certificate attribute Subject Alternative Names (E-mail), define the name that will be
mapped with the attribute Certificate Login ID in User Management (for example:
LoginCert_Admin). Save the settings, export this certificate in P12 format and import it in
the desired Administrator User environment (for example, import in Internet Explorer
browser).
In the navigation tree, choose the node User Management and edit the desired user.
Choose the option SSL Certificate Login and define the parameter Certificate Login ID
(for example: LoginCert_Admin).
Save the configuration and restart the Secure Login Server application server.
Start the Secure Login Administration Console by calling its URL using HTTPS (which is
enabled for certificate based login) and the user should be authenticated automatically.
A message box might appear, prompting you to choose the desired certificate. In this
case, choose the certificate to be used for logon.
06/2011
135
4.7 Configure External Login ID

Define an authentication mechanism to use to log on to the Secure Login Administration
Console. The prerequisite is that the desired authentication mechanism is configured in the
instance (parameter JaasModule).
In the navigation tree, choose the node Server Configuration and choose the Edit Login
Type button. Define the desired authentication mechanism using the parameter External
Login JAAS Module and Save the configuration.
In the navigation tree, choose the node User Management and edit the desired user.
Choose the option External Login and define the parameter External Login ID. The
External Login ID is the user name of the desired authentication server database.
Save the configuration and restart the Secure Login Server application server.
Start the Secure Login Administration Console URL, choose the option External Login
and log on with the user name and password of the authentication server.
4.8 Emergency Recovery Tool

The Emergency Recovery tool is used when the Secure Login Server administrator has
forgotten his or her password and no longer has access to the Secure Login Administration
Console.
The prerequisites for the Emergency Recovery Tool:
Access to the operating system, where the Secure Login Server application is installed.
Access to the Key file for server credentials encryption. The key file is a file on the
Secure Login Server with random content and is used to secure password information in
configuration files. This key file was generated in the Initial Wizard (section 2.6.1 Initial
Configuration)
Step 1
Log on to the operating system, where the Secure Login Server is installed.
Edit the file SLSRecoverPassword.bat (Microsoft Windows) or SLSRecoverPassword.sh
(Linux) and change the path to the file iaik_jce.jar.
Microsoft Windows
<ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\
servlet_jsp\securelogin\root\WEB-INF\lib\SLSRecoverPassword.bat
SLSRecoverPassword.bat
@echo off
SET IAIK_JARS_PATH=D:\usr\sap\ABC\J00\j2ee\cluster\bootstrap\iaik_jce.jar
IF NOT EXIST %IAIK_JARS_PATH% GOTO ErrorLib
java -cp SLSRecoverPassword.jar;%IAIK_JARS_PATH%
com.secude.util.misc.SecudeUtilities %*
goto End
:ErrorLib
ECHO IAIK Library not found, please correct the path to the library in this
script!
:End
136
06/2011
Linux
<ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/
servlet_jsp/securelogin/root/WEB-INF/lib/SLSRecoverPassword.sh
SLSRecoverPassword.sh
#!/bin/sh
# please check if this path points to the correct location of
# the iaik library
IAIK_JARS_PATH=/usr/sap/ABC/J00/j2ee/cluster/bootstrap/iaik_jce.jar
if [ -f $IAIK_JARS_PATH ];
then
java -cp SLSRecoverPassword.jar:$IAIK_JARS_PATH
com.secude.util.misc.SecudeUtilities $@
else
echo "IAIK Library not found, please correct the path to the library in this
script!"
fi
Other possible locations of the file iaik_jce.jar:

<drive>:\usr\sap\ABC\J00\j2ee\JSPM\lib\
<drive>:\usr\sap\ABC\SYS\global\security\lib\engine\
<drive>:\usr\sap\ABC\SYS\global\security\lib\tools\
Save the script file SLSRecoverPassword.
Step 2
Obtain the encrypted password string for the desired user. The encrypted password string is
later used in the command line tool. The user information is available in the configuration file
user.xml, which is located in the directory specified below:
Microsoft Windows
<INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\
Instances\user.xml
Linux
/usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances/us
er.xml
user.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Users>
<User disable="false" id="Admin" lanCode="en_US" name="Administrator"
predefined="true" roles="Super User">
<Password>encrypted_password_string</Password>
</User>
</Users>
06/2011
137
Step 3
Open a command line shell and change to the folder where the file SLSRecoverPassword.bat
(Microsoft Windows) and SLSRecoverPassword.sh is located.
Microsoft Windows
<ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\
servlet_jsp\securelogin\root\WEB-INF\lib\SLSRecoverPassword.bat
Linux
<ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/
servlet_jsp/securelogin/root/WEB-INF/lib/SLSRecoverPassword.sh
Start the following command to decrypt and display the password for the desired user.
SLSRecoverPassword decrypt encrypted_password_string
<file_location_of_the_key_file>
Example
SLSRecoverPassword decrypt Encrypted Password String
D:\usr\sap\ServerKeyFile\KeyFile.txt
The password is displayed.
Output of SLSRecoverPassword Command
Encode password=Encrypted Password String with key
file=D:\usr\sap\ServerKeyFile\KeyFile.txt
Out is <Password>
You can use the following command to encrypt a password.

SLSRecoverPassword encrypt Password <File Location of the key
file>
The encrypted password string is displayed.
138
06/2011
4.9 Monitoring
This section describes how to retrieve the Secure Login Server status; for example,
integration in Network Monitoring Tools. Several interfaces are available.
4.9.1 Web Service Status

Some examples are given below how to retrieve the Secure Login Server status by URL.
Server Status
http://<host_name>:<port>/securelogin/PseServer?op=serverstatus
Default Server Instance Status
http://<host_name>:<port>/securelogin/PseServer?op=status
Server Instance Number # Status

http://<host_name>:<port>/securelogin/PseServer?op=status &id=00010
To retrieve the Server Instance Number, click the node Instance Management and check
the ID of the desired instance.
4.9.2 XML Interface

Secure Login Server provides an XML interface to automate monitoring using your own or a
third-party program, for example, to incorporate monitoring into administrative tools.
Secure Login Server has to be called with a specific request in XML format. The Secure
Login Server then returns an XML reply with the status information.
Send the following Status Request to the URL:
http://<host_name>:<port>/securelogin/PseServer
Status Request
<TransFairGram>
<Control>
<Version>Pepperbox 2.0.0</Version>
<ActionRequest>
STATUS_REQUEST_ACTION
</ActionRequest>
</Control>
</TransFairGram>
06/2011
139
The Status Reply is similar to the following example.

Status Reply
<TransFairGram>
<Control>
<ActionRequest>STATUS_ACTION</ActionRequest>
<Version>Pepperbox 2.0.0</Version>
<ServerBuild>$Name: REL_1_0_0_17 $</ServerBuild>
</Control>
<Content>
<Data>
<Status>
<ConfigURL>
file:<Path To Secure Login Server>\Configuration.properties
</ConfigURL>
<ConfigurationStatus>OK</ConfigurationStatus>
<Date>Mon May 18 12:02:54 CET 2011</Date>
<ID>Instance 00010</ID>
<LockFile/>
<LockStatus>false</LockStatus>
<PseServerStatus>OK</PseServerStatus>
<ServerBuild>SLS_5-1-1-0</ServerBuild>
</Status>
<Message>
The current Server status is enclosed with this transfairgram (only for
diagnostic purpose)
</Message>
<MessageCode>0701</MessageCode>
</Data>
<DataType>application/xml</DataType>
</Content>
</TransFairGram>
140
06/2011
4.10 Secure Login Client Policy and Profiles

This section contains detailed information about the client policy and client profiles for Secure
Login Client. The client policy is installed together with Secure Login Client on the client
computer. Using the client policy configuration the client profiles can be downloaded from
4.10.1 Client Policy

These parameters are defined in the files customer.reg and GlobalCustomer.reg.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\System]
Parameter
Type
Description
PolicyURL
STRING
Network resource from which the latest

Secure Login Client profiles can be
downloaded.
Three types of client policy are available:
ClientPolicy.xml
Client policy defined in the default instance
ClientPolicy.xml&path=000xx
Client policy defined in instance xx
(instance number) of the Secure Login
Server.
GlobalClientPolicy.xml
Global client policy includes all available
instances of the Secure Login Server.
PolicyTTL
DWORD
The lifetime in minutes for verifying

(updating) a new client policy on the
The default is 0 minutes (hexadecimal
value: 0).
By default, the Secure Login Client verifies
during system startup of the client PC.
NetworkTimeout
DWORD
Network timeout in seconds before the

connection is closed if the Secure Login
Server does not respond.
The default is 45 seconds (hexadecimal
value: 2d).
DisableUpdatePolicyOnStartup
DWORD
By default, the Secure Login Client verifies

a new client policy during system startup of
the client PC.
You can use this parameter to disable this
feature.
1
Disable automatic policy download.
0
Enable automatically policy download.
Default value is 0.
06/2011
141
4.10.2 Applications and Profiles

The Secure Login Server provides the Applications and Profiles configuration to the Secure
Login Client using ClientPolicy.xml and GlobalClientPolicy.xml.
In addition it is possible to download the configuration using the customerAll.reg and
GlobalCustomerAll.reg files.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\
applications\<Application Name>]
Parameter
Type
Description
GssTargetName
STRING
Application specific PSE URI (SAP server

SNC name) that is matched when a
suitable profile is searched. You can use
the wildcards * and ?.
Example:
SNC/CN=SAP, OU=SAP Security,
C=DE
SNC/CN=Server*, O=Company xyz
Using the value * means that the client
profile is used for all SAP servers.
profile
STRING
The name of the client profile to be used for

the desired application.
allowFavorite
DWORD
Allow the user to select the authentication

profile manually in Secure Login Client.
0
User cannot select the authentication profile
1
User can select authentication profile
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\
profiles\<Profile Name>]
Parameter
Type
Description
profileName
STRING
The name of the client profile to be used for

the desired application.
pseType
STRING
Authentication type.
promptedlogin
Using this profile, the user will be requested
to enter the user credentials.
142
06/2011
windowslogin
Using this profile, the user credentials will
be provided automatically (only available for
Microsoft Windows authentication)
Default value is windowslogin
enrollURL0
STRING
Secure Login Server URL that is used for

user authentication and certificate request.
Enroll URL depends on the instance
configuration.
<server>/securelogin/PseServer
Enroll URL defined in the default instance
<server>/securelogin/PseServer&id=000xx
Enroll URL defined in Instance xx (instance
number) of the Secure Login Server.
Use the Add button to configure further
Enroll URLs. This is the failover
configuration for the Secure Login Client. If
the first Enroll URL cannot be established,
the Secure Login Client tries the next Enroll
URL, defined here.
httpProxyURL
STRING
HTTP proxy to be used with enrollment

URLs. Only HTTP proxies without
authentication and without SSL to proxy are
supported.
Example:
http://example.address.com:8888
reAuthentication
DWORD
This parameter defines how many login

attempts to the Secure Login Client login
form is closed again.
Example with value 4:
The Secure Login Client offers the login
form 4 times (e.g. wrong credential
information), before the login form will be
closed.
Default value is 0.
The login form will never be closed. User
needs to use the button Cancel to close the
login form.
gracePeriod
DWORD
Value in seconds when an enrollment is to

be carried out before the certificate expires
Default value is 0
inactivityTimeout
DWORD
Value in seconds until an automatic logout

is performed (due to mouse and keyboard
inactivity). Possible values:
Value -1
No Single Sign-On (SSO). Each SNC
connection forces a new login.
06/2011
143
Value 0
No timeout. SSO without constraints.
autoReenrollTries
DWORD
The number of failed authentications in a

row after which automatic re-enrollment is
stopped.
User name and password caching can be
turned on to provide the automatic reenrollment of certificates that are going to
expire. Possible values:
0: Turn off:
Do not re-enroll automatically; do not cache
user name and password. A re-enrollment
must always be performed manually by the
user.
>0 (n): Turn on with n tries to succeed:
Try to re-enroll a maximum of n times
before either a new certificate is received or
the user name and password cache are
cleared. The error counter is reset on
success.
autoEnroll
DWORD
A user automatically gets an X.509

certificate when the Secure Login Client
starts.
0: Turn off
1: Automatic provisioning of user
certificates
If pseType is set to windowslogin, user
credentials are provided automatically (only
applies for Microsoft Windows
authentication).
If pseType is set to promptedlogin, the
system prompts the users to enter their
credentials.
keySize
DWORD
RSA Key Length.

The default value is 1024 (hexadecimal
value: 400).
UniqueClientID
STRING
Custom-defined string; will be displayed in

the instance log or can be used for network
filtering issues.
networkTimeout
DWORD
Network timeout (in seconds) before the

connection is closed if the server does not
respond
The default value is 45 (hexadecimal value:
2d).
sslHostCommonNameCheck
DWORD
This applies to the SSL server certificate
144
06/2011
this checks if the peer host name is given in

the Common Name (CN) field of the SSL
Server certificate.
1
Verify the SSL server host name with the
Common Name (CN) field of the SSL
server certificate.
0
Do not verify SSL server host name with
the Common Name (CN) field of the SSL
Server certificate.
sslHostAlternativeNameCheck
DWORD

this checks whether the peer host name is
given in its Subject Alternative Name
attribute of the certificate.
1
Verify the SSL server host name with the
Subject Alternative Name attribute of the
SSL Server certificate.
0
Do not verify the SSL server host name
with the Subject Alternative Name attribute
of the SSL server certificate.
Default value is 0
sslHostExtensionCheck
DWORD

this checks if the extended key usage
ServerAuthentication is defined.
1
Verify whether the extended key usage
ServerAuthentication is defined in the SSL
Server certificate.
0
Do not verify whether the extended key
usage ServerAuthentication is defined in
the SSL Server certificate.
userWarningMSIE
DWORD
Turn on/off a warning dialog box that

appears after a new certificate has been
propagated to Microsoft Crypto Store.
1
Turn on a warning dialog box.
0
Turn off a warning dialog box.
NOTE: Microsoft Internet Explorer must be
restarted.
newPinType
STRING
Message text value is used for messages

(change PIN/password) to the Secure Login
Client and Secure Login Web Client.
Available values are pin and password.
06/2011
145
4.11 Integrate into Existing PKI

If a Public Key Infrastructure (PKI) is available, the Secure Login Server can be integrated.
You can use the existing PKI to create the certificates for the SSL server and the SAP server.
To provide X.509 user certificates, the Secure Login Server requires a User CA certificate
which needs to be provided by the PKI.
The following certificate attributes are required for the user CA certificate.
Certificate Attribute
Details
Version
V3
Asymmetric Algorithm
RSA Algorithm
Key Usage
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Certificate Signing
Off-line CRL Signing
CRL Signing
Basic Constraints
Subject Type=CA
Path Length Constraint=None
The RSA Key Length depends on the customer requirements. We recommend that you
use 2048 Bit RSA keys or higher.
The user CA certificate should include the complete certificate chain. This means all
public certificate information of the chain should be provided.
Typically the file is provided in P12 format. The Secure Login Server requires a PSE format to
import using Secure Login Administration Console.
Use the SAP tool SAPGENPSE to convert the P12 format to PSE format.
sapgenpse import_p12 -x <PSE_password> -z <P12_password> -p
<PSE_file_name>.pse <P12_file_name>.p12
Log on to the Secure Login Administration Console and import the PSE file in Certificate
Management. Choose USER_CA and the option Import Certificate.
Restart the Secure Login Server Application.
146
06/2011
4.12 Configuring Secure Login Servers as

Failover Servers for High Availability
Use Case
You want to ensure high availability of the Secure Login Server. For example, you want to
prevent that the Secure Login Client sends a certificate request and does not get a response.
Concept
Install and run several Secure Login Servers on different AS Java servers acting as failover
servers. The URLs of the Secure Login Servers that are available are listed in the Enroll URL
parameter of the client policy. This is where the Secure Login Client checks which path to
use. If the first Secure Login Server is down, it goes to the next Secure Login Server that is
specified in the list
Configuration
1. Log on to the administration console.
2. Choose Instance Management > DefaultServer Configuration > Client Configuration
und go to the Profiles tab.
3. Choose the Add Profile button to get to the Add/Modify Client Profile screen.
06/2011
147
4. Behind the URL of the Enroll URL parameter, choose the Add button. A new row with
the previous URL as default value appears.
5. Enter the URL to the failover Secure Login Server. To configure more Secure Login
Servers as failover servers, add new rows and enter the relevant URLs.
6. Save your entries.
148
06/2011
We recommend that you maintain this failover configuration in all Secure Login Servers you
use. For more information about the parameter Enroll URL, see 4.10.2 Applications and
Profiles.
06/2011
149
5 Configuration Examples
This section describes some configuration examples for Secure Login Server.
5.1 Kerberos Authentication with SPNego

In this configuration example, the user authentication is verified against a Microsoft Windows
domain.
Prerequisites
Secure Login Server is installed and the initial wizard has been completed.
In Certificate Management at least the User CA is available.
If you want to use HTTPS, you need to enable SSL on the SAP NetWeaver server.
You have configured and enabled SPNego on the SAP NetWeaver Administrator.
Configuration Steps
1. Log on to the Secure Login Administration Console and choose the node Instance
Management.
2. Verify whether the authentication mechanism in Instance is configured correctly.
JaasModule = SPNegoLoginModule
3. Choose the node Certificate Management and verify if the parameter Mapping to
Instance (USER_CA) is enabled (checkbox) for this instance.
4. Choose the node Client Configuration and configure Client Policy, Applications and
Profiles (section 3.4 Instance Management). Make sure that pseType is set to
windowslogin.
Export the client policy (customer.reg) which is used for Secure Login Client
Installation.
5. Restart the Secure Login Server.
6. Install the Secure Login Client application on the client PC (for more information, see
the Installation, Configuration and Administration Guide for Secure Login Client).
Import the customer.reg files to the client registry.
Verify whether the certificate chain (trust relation) of the SSL server certificate is in
the Microsoft Certificate Store (Computer Certificate Store). Import missing
certificates.
7. Restart the client PC.
8. In the Secure Login Client the profile defined in Instance Management is displayed in
the Secure Login Client Console.
Double-click this profile, and an X.509 certificate is provided without further user
interaction.
After a successful authentication an X.509 user certificate is provided.
This user certificate is displayed in the Secure Login Client Console and is available
in the Microsoft Certificate Store (User Certificate Store).
150
06/2011
5.2 LDAP User Authentication

In this configuration example, the user authentication is verified against a Microsoft Active
Directory System or LDAP server.
Prerequisites
If you want to use HTTPS, you need to enable SSL on the SAP NetWeaver server.
Configuration Steps
1. Log on to the Secure Login Administration Console and choose the node
Instance Management.
2. Verify whether the authentication mechanism in the instance is configured
correctly.
JaasModule = SecureLoginModuleLDAP
3. Choose the node Certificate Management and check if the parameter Mapping to
Instance (USER_CA) is enabled (checkbox) for this Instance.
4. Choose the node Client Configuration and configure Client Policy, Applications
and Profiles (section 3.4 Instance Management).
Export the Client Policy (customer.reg), which will be used for the Secure Login
Client Installation.
5. Logon to SAP NetWeaver Administrator and define the connection parameters
for the Login Module SecureLoginModuleLDAP (section 4.1 Configure Login
Module).
6. If you are using LDAPS, import the LDAPS certificate into the Secure Login
Server Trust Store. For further information, see section 3.3.4 Trust Store
Management.
7. Restart the Secure Login Server Application.
If you are using LDAPS, restart the SAP NetWeaver JAVA application server.
8. Install the Secure Login Client application on the client PC (For more information,
see the Installation, Configuration and Administration Guide for the Secure Login
Client).
Import the customer.reg files to the Client registry.
Verify whether the certificate chain (trust relation) of the SSL server certificate is
in the Microsoft Certificate Store (Computer Certificate Store). Import missing
certificates.
9. Restart your client PC.
10. In the Secure Login Client, the profile defined in Instance Management is
displayed in Secure Login Client Console.
Double-click this profile and enter the user name and password (Active Directory
System or LDAP server).
After successful authentication an X.509 user certificate is provided.
06/2011
151
This user certificate is displayed in the Secure Login Client Console and is
available in the Microsoft Certificate Store (User Certificate Store).
5.3 SAP User Authentication

In this example, you configure that users automatically get X.509 certificates when they are
logged on to a Microsoft Windows domain. The Microsoft Windows domain authentication is
double-checked against the SAP ABAP server.
Prerequisites
In Certificate Management at least the user CA is available.
If you want to use HTTPS, you need to enable SSL in the SAP NetWeaver server.
Secure Login Library is installed (described in the Installation, Configuration, and
Administration Guide of the Secure Login Library).
Configuration Steps
1. Log on to the Secure Login Administration Console, and choose the node Certificate
Management.
2. Create a new certificate for the technical user (for Secure Login Server) choosing
certificate type SNC_CERT (for example, CN=SLSSNC).
3. Create a new SAP ABAP server certificate choosing certificate type SAP_SERVER
(for example, CN=ABC, OU=SAP Security).
4. Perform SNC Configuration (section
5. 3.3.8 SNC Configuration.) and import the certificate of the technical user (Option:
From Console).
6. Verify whether the authentication mechanism in the instance is configured correctly.
JaasModule = SecureLoginModuleSAP
Profiles (section 3.4 Instance Management).
Export the Client Policy (customer.reg) to be used for Secure Login Client
Installation.
9. Logon to SAP NetWeaver Administrator and define the connection parameters for
the Login Module SecureLoginModuleSAP (section 4.1 Configure Login Module).
10. Restart the Secure Login Server application.
11. Install Secure Login Library on the target SAP ABAP server.
Enable SNC configuration.
Import SAP ABAP Server certificate in transaction STRUST.
Restart SAP ABAP Server.
For further information see the Installation, Configuration and Administration Guide
for Secure Login Library.
152
06/2011
12. Create a technical user (for Secure Login Server) in SAP User Management (for
example, SLSSNC), define authorizations and configure the SNC Name (for
example, CN=SLSSNC).
For more information, see section 4.3 Create Technical User in SAP Server.
the Installation, Configuration and Administration Guide for the Secure Login Client).
Import the customer.reg files into the client registry.
certificates.
15. In Secure Login Client the profile defined in Instance Management is displayed in
Secure Login Client Console.
Double-click this profile and enter the SAP user name and password.
After successful authentication, an X.509 user certificate is provided.
5.4 RADIUS User Authentication

In this configuration example the user authentication is verified against a RADIUS server.
Prerequisites
Secure Login Server is installed and the initial wizard was completed.
If you want to use HTTPS, you need to enable SSL in the SAP NetWeaver server.
Configuration Steps
1. Log on to the Secure Login Administration Console and choose the node Instance
Management.
2. Verify whether the authentication mechanism in the instance is configured correctly.
JaasModule = SecureLoginModuleRADIUS
Profiles (section 3.4 Instance Management).
Export the Client Policy (customer.reg) to be used for Secure Login Client
installation.
5. In the RADIUS Server, configure Radius Client for Secure Login Server. This means
that the Secure Login Server can establish communication to the RADIUS Server.
Define the Shared Secret for this connection.
6. Logon to SAP NetWeaver Administrator and define the connection parameters for
the Login Module SecureLoginModuleRADIUS (section 4.1 Configure Login Module).
06/2011
153
7. Restart the Secure Login Server Application.

the Installation, Configuration and Administration Guide for Secure Login Client).
Import the customer.reg files into the client registry.
certificates.
10. In Secure Login Client the profile defined in Instance Management is displayed in
Secure Login Client Console.
Double-click this profile and enter the user name and password (RADIUS user
database).
After successful authentication, an X.509 user certificate is provided.
154
06/2011
6 Troubleshooting
6 Troubleshooting
This section gives additional information about troubleshooting for Secure Login Server.
6.1 Checklist User Authentication Problem

This section describes the configuration issues to check if a user authentication is not
successful.
Checklist Possible Issues
Is verification using different user credentials?
Log on to the Secure Login Administration Console and check the log information in
Instance Log Management. Check if the user authentication is displayed. If this is not the
case, there may be a problem on the Secure Login Client or Secure Login Web Client.
Verify the following parameter in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<profile_name>]
enrollURL0 = <URL>
Check whether the enrollURL is configured for the desired instance. Check in Secure
Login Administration Console Instance Management.
Copy this URL to the browser application and check if a response is displayed (ignore the
responses ERROR_ACTION or INTERNAL_SERVER_ERROR).
Change the URL of the parameter enrollURL to HTTP and check if this works.
If this works, there is a problem with the HTTPS connection.
If you are using HTTPS, the problem may relate to the certificate trust relationship.
If this is the case, import the root certificate, on which the SSL server certificate depends
and move it to the Microsoft Certificate Store (Computer Certificate Store).
Verify whether the authentication mechanism in the instance is correctly configured.

JaasModule = SecureLoginModule<respective_authentication_server_type>
Choose the node Certificate Management and verify whether the parameter Mapping to
Start SAP NetWeaver Administrator and verify the connection configuration parameter in
Login Module SecureLoginModule<respective_authentication_server_type>.
Restart the Secure Login Server Application. For some configuration issues in Secure
Login Administration Console a restart of the Secure Login Server Application is required.
Enable the Server Trace in the Secure Login Administration Console (section 6.3 Enable
Secure Login Server Trace) and start the diagnostic trace tool in SAP NetWeaver
Administrator.
Log on to SAP NetWeaver Administrator and choose Problem Management. Choose
Logs and Traces and Security Troubleshooting Wizard.
Choose the diagnostic type Authentication and start the trace by choosing Start
Diagnostics.
Repeat the user authentication in Secure Login Client or Secure Login Web Client.
Stop the trace by choosing the Stop Diagnostics button, and analyze the results.
06/2011
155
6 Troubleshooting
6.2 Secure Login Server SNC Problem

For the Secure Login Server to verify SAP user credentials, secure communication to the
SAP ABAP server needs to be established. The communication is secured using SNC.
Problem
The Secure Login Server cannot establish an SNC connection to the SAP Server.
Checklist Possible Issues
Log on to Secure Login Administration Console and verify the log information in Instance
Log Management. Check if the user authentication is displayed. If this is not the case,
there may be a problem in the Secure Login Client or Secure Login Web Client.
Verify whether the authentication mechanism in Instance is configured correctly.

JaasModule = SecureLoginModuleSAP
Verify whether the Instance Mapping in Certificate Management is enabled (checkbox)

for this instance.
Start SAP NetWeaver Administrator and verify the connection configuration parameter in
Login Module SecureLoginModuleSAP.
Verify whether Secure Login Library is installed correctly.

Verify the installation described in section 2.1.1 Secure Login Library.
Verify whether the folder <ASJava_Installation>\exe, which is used by Secure Login
Library is included in JAVA Library Path. Verify the JAVA Library Path (libpath) in the
trace file <ASJava_Installation>\work\dev_jstart.
Verify whether an SNC certificate was provided to Secure Login Library PSE
environment.
Verify whether the file pse.zip is available in folder <ASJava_Installation>\sec
Start the command line shell and change to the folder <ASJava_Installation>/exe.
Set the environment SECUDIR=<ASJava_Installation>/sec
Use the command: snc O <SAP Service User> status v
Microsoft Windows Example: snc O SAPServiceABC status v
Linux Example: snc O abcadm status v
Verify whether a technical user was created on the SAP ABAP server.
Verify SAP user access rights (authorization profiles).
Verify whether the SNC name is configured correctly.
Enable Secure Login Library trace and analyze the problem. For more information, see
section 6.4 Enable Secure Login Library Trace.
156
06/2011
6 Troubleshooting
If the error messages Couldnt acquire DEFAULT INITIATING credentials is displayed,

verify whether the environment variable SECUDIR is configured correctly for the user
who is starting the SAP server. Verify the installation of Secure Login Library in section
2.1.1 Secure Login Library.
6.3 Enable Secure Login Server Trace

Choose the Server Configuration node in the left-hand pane of the Administration Console
and enable the trace option. Define the value true for the parameter Enable Server Trace and
restart the Secure Login Server application.
The trace file is written to the Default Trace of SAP NetWeaver. Logon to SAP NetWeaver
Administrator and choose Problem Management, Log and Traces and Log Viewer.
Choose the option Show View, General and Default Trace (Java).
Secure Login Server can generate a large amount of trace output. For test systems, we
recommend that you enable tracing. For production systems, we recommend that you
disable tracing since this might result in unnecessary log files and impact performance.
Deactivate the Secure Login Server Trace after you have analyzed the problem.
6.4 Enable Secure Login Library Trace

To enable the trace option, the files sec_log_file_filename.txt and sec_log_file_level.txt need
to be created in the folder:
Microsoft Windows
%HOMEDRIVE%%HOMEPATH%\sec or C:\sec
Unix/Linux
$HOME/sec or /etc/sec
The file sec_log_file_filename.txt contains the name of the trace file.

The name can contain %.PID.%, which is replaced by the process ID.
A typical SAP Web AS creates multiple work processes, so use this feature to avoid parallel
access to the same file by all processes.
Microsoft Windows Example
sec_log_file_filename.txt
C:\sec\log-%.PID.%.txt
06/2011
157
6 Troubleshooting
Unix/Linux Example
sec_log_file_filename.txt
/etc/sec/log-%.PID.%.txt
The file sec_log_file_level.txt contains the trace level as a single digit.

Example
sec_log_file_level.txt
4
Value
Details
No trace
Errors
Errors and warnings
Errors, warnings and logs
Errors, warnings, logs and information
6.5 Secure Login Server Lock and Unlock

Secure Login Server locks itself when it detects a serious problem such as authentication
server failure that affects all clients. To unlock the server or server instance, use the Unlock
button in the Secure Login Administration Console or delete the lock file.
Secure Login Server uses the following files to lock the server or server instance:
PseServer.lock
This file is used to lock the entire server. The server lock is only applied if the
Configuration.properties file cannot be read. The LockDir property in the web.xml file is used
to apply the server lock.
The PseServer.lock file is written to the following folder:
Microsoft Windows
Instances
Linux
/usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances
158
06/2011
6 Troubleshooting
PseInstance<instance_number>.lock
If the Configuration.properties file can be read by Secure Login Server and a lock becomes
necessary, Secure Login Server creates an instance-based lock. The directory for the
instance-based lock is specified by the property LockDir in Configuration.properties.
The PseInstance<instance_number>.lock file is written to the folder:
Microsoft Windows
Instances\<instance_number>\
Linux
/usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances/<i
nstance_number>/
Analyze and solve the problem, before deleting the lock file or changing the status in
Secure Login Administration Console (use the Unlock button).
6.6 Access Denied Replies

This problem applies only to Microsoft Windows operating systems.
Problem
The Secure Login Server is returning a large amount of Access Denied replies to the Secure
Login Client during heavy load.
Explanation
The reason for this behavior is that after a TCP/IP socket has been used for communication,
and this connection is closed down after the communication has taken place, the OS keeps
this socket for some time until it releases it again for its next use.
This means that the parameter TcpTimedWaitDelay is set too high and must be changed. For
more information, see the following Microsoft page:
http://technet2.microsoft.com/windowsServer/en/library/38b8bf76-b7d3-473c84e8-e657c0c619d11033.mspx):
Solution
Open regedit and locate the parameter TcpTimedWaitDelay under:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the value for TcpTimedWaitDelay to 30 seconds
06/2011
159
6 Troubleshooting
6.7 Error Codes

This chapter describes the error codes and return codes, their meaning and possible
corrections.
6.7.1 Secure Login Server Error Codes

Error Code
Description
Solution
JAAS_LDAP_
ERROR
Authentication fails due to

configuration errors of the
login module for LDAP or
timing problems on the
network.
Verify configuration of Login

Module for LDAP.
If using LDAPS, make sure that its
CA certificate is imported into Trust
store of Secure Login Server.
JAAS_RADIUS_
ERROR
Authentication fails due to

configuration errors of the
login module for RADIUS or
timing problems on the
network.
Verify configuration of Login

Module for LDAP.
Check if the RADIUS server is up
and running.
AUTH_RESULT_
ACTION_OK_MSG
Authentication successful.
N/A (result only)
AUTH_RESULT_
ACTION_DENIED_
MSG
Authentication denied.
N/A (result only)
NEW_PIN_REPLY_
ACCEPTED_MSG
The new PIN/password

was accepted.
N/A (result only)
NEW_PIN_REPLY_
REJECTED_MSG
A new PIN/password is
required
N/A (result only)
AUTH_SERVER_
TIMEOUT_MSG
If the login module cannot

establish a connection to
the authentication server a
timeout error will be set.
Possible reasons for this error may

be one of the following:
Unable to establish an SNC
connection to the SAP server:
Secure Login Server SAP user is
not properly configured.
Secure Login Server SAP user
does not have required
permissions.
Faulty SNC configuration for the
Timeout in the network connection.
Authentication server is down.
CERT_CREATE_
ERROR
160
An error occurred while

trying to create a new
certificate.
Verify certificate in Certificate

Management.
Verify parameter PseName in
06/2011
6 Troubleshooting
CERT_INIT_
ERROR

accessing the resources
needed for this process,
that is, the PSE used.
Make sure that the configuration file

Configuration.properties contains
the correct name, password, and
aliases for the specific PSE.
PSE_ADMIN_
ERROR
An error occurred inside the

PSE admin Server.

Management.
PSE_ARCHIVE_
ERROR
This code may be due to

insufficient disk space
when writing/creating the
log file due to insufficient
disk space, or no write
access and so on.
Make sure the application has the

access rights to write to, or create
the specified log directory, and that
there is enough disk space.
PSE_CREATE_
ERROR
This code can indicate a

problem while creating an
outgoing message.
Make sure that the configuration

Configuration.properties file
contains all mandatory entries.
PSE_HANDLING_
ERROR

handling a client request.

Management.
PSE_INIT_
ERROR
May be caused when

initializing the servlets. This
is usually the case when
the Secure Login Server
configuration could not be
read, either because the
configuration URL is not set
in the configuration file of
the servlet engine or the file
could not be found under
the specified URL.
Make sure the URL is set correctly

to the Configuration.properties file.
PSE_IO_
ERROR
Occurs when the servlet

cannot send its response to
the client due to network
problems.
Make sure the network is

configured correctly and running.
PSE_SERVER_
ERROR
An error occurred with the

PSE Server.

Management.
PSE_SERVER_
TIMEOUT
The client session timed

out.
Check in the login module

configuration that the timeout value
is high enough.
06/2011
161
6 Troubleshooting
6.7.2 SAP Stacktrace Error Codes

Runtime Error Code
Description
CALL_BACK_ENTRY_NOT_FOUND
The called function module is not released

for RFC.
CALL_FUNCTION_DEST_TYPE
The type of the destination is not allowed.
CALL_FUNCTION_NO_SENDER
Current function is not called remotely.
CALL_FUNCTION_DESTINATION_NO_T
Missing communication type (I for internal

connection, 3 for ABAP) when executing an
asynchronous RFC.
CALL_FUNCTION_NO_DEST
The specified destination does not exist.
CALL_FUNCTION_OPTION_OVERFLOW
Maximum length of options for the

destination exceeded.
CALL_FUNCTION_NO_LB_DEST
The specified destination (in load

distribution mode) does not exist.
CALL_FUNCTION_NO_RECEIVER
Data received for unknown CPI-C

connection.
CALL_FUNCTION_NOT_REMOTE
The function module being called is not

flagged as being remotely callable.
CALL_FUNCTION_REMOTE_ERROR
While executing an RFC, an error occurred

that has been logged in the calling system.
CALL_FUNCTION_SIGNON_INCOMPL
Logon data for the user is incomplete.
CALL_FUNCTION_SIGNON_INTRUDER
Logon attempt in the form of an internal call

in a target system not allowed.
CALL_FUNCTION_SIGNON_INVALID
RFC from external program without valid

user ID.
CALL_FUNCTION_SIGNON_REJECTED
Logon attempt in target system without valid

user ID. This error code may have any of
the following meanings:
- Incorrect password or invalid user
ID.
- User locked.
- Too many logon attempts.
- Error in authorization buffer (internal
error).
- No external user check.
- Invalid user type.
- Validity period of the user
exceeded.
CALL_FUNCTION_SINGLE_LOGIN_REJ
No authorization to log on as a trusted

system. The error code may have any of the
following meanings:
- Incorrect logon data for valid
security ID.
- Calling system is not a trusted
system or security ID is invalid.
162
06/2011
6 Troubleshooting
Either the user does not have RFC

authorization (authorization object
S_RFCACL), or a logon was
performed using one of the
protected users DDIC or SAP*.
Time stamp of the logon data is
invalid.
CALL_FUNCTION_SYSCALL_ONLY
RFC without valid user ID only allowed

when calling a system function module. The
meaning of the error codes is the same as
for
CALL_FUNCTION_SINGLE_LOGIN_REJ.
CALL_FUNCTION_TABINFO
Data error (info internal table) during a RFC.
CALL_FUNCTION_TABLE_NO_MEMORY
No memory available for table being

imported.
CALL_FUNCTION_TASK_IN_USE
For asynchronous RFC only: task name is

already being used.
CALL_FUNCTION_TASK_YET_OPEN
For asynchronous RFC only: the specified

task is already open.
CALL_FUNCTION_NO_AUTH
No RFC authorization.
CALL_RPERF_SLOGIN_AUTH_ERROR
No trusted authorization for RFC caller and

trusted system.
CALL_RPERF_SLOGIN_READ_ERROR
No valid trusted entry for the calling system.
RFC_NO_AUTHORITY
No RFC authorization for user.
CALL_FUNCTION_BACK_REJECTED
Destination BACK is not permitted in

current program.
CALL_XMLRFC_BACK_REJECTED
Destination BACK is not permitted in

current program.
CALL_FUNCTION_DEST_SCAN
Error while evaluating RFC destination.
CALL_FUNCTION_DEST_SCAN
Error while evaluating RFC destination.
CALL_FUNCTION_CONFLICT_TAB_TYP
Type conflict while transferring table.
CALL_FUNCTION_CREATE_TABLE
No memory available for creating a local

internal table.
CALL_FUNCTION_UC_STRUCT
Type conflict while transferring structure.
CALL_FUNCTION_DEEP_MISMATCH
Type conflict while transferring structure.
CALL_FUNCTION_WRONG_VALUE_LENG
Invalid data type while transferring

parameters.
CALL_FUNCTION_PARAMETER_TYPE

parameters.
CALL_FUNCTION_ILLEGAL_DATA_TYP

parameters.
CALL_FUNCTION_ILLEGAL_INT_LEN
Type conflict while transferring an integer.
CALL_FUNCTION_ILL_INT2_LENG
Type conflict while transferring an integer.
CALL_FUNCTION_ILL_FLOAT_FORMAT
Type conflict while transferring a floating
06/2011
163
6 Troubleshooting
point number.
CALL_FUNCTION_ILL_FLOAT_LENG
Type conflict while transferring a floating

point number.
CALL_FUNCTION_ILLEGAL_LEAVE
Invalid LEAVE statement on RFC Server.
CALL_FUNCTION_OBJECT_SIZE
Type conflict while transferring a reference.
CALL_FUNCTION_ROT_REGISTER
Type conflict while transferring a reference.
164
06/2011
7 List of Abbreviations
Abbreviation
Meaning
ADS
Active Directory Service
CA
Certification Authority
CAPI
Microsoft Crypto API
CSP
Cryptographic Service Provider
DN
Distinguished Name
EAR
Enterprise Application Archive
HTTP
Hyper Text Transport Protocol
HTTPS
Hyper Text Transport Protocol with Secure Socket Layer (SSL)
IAS
Internet Authentication Service (Microsoft Windows Server 2003)
JAAS
Java Authentication and Authorization Service
JSPM
Java Support Package Manager
LDAP
Lightweight Directory Access Protocol
NPA
Network Policy and Access Services (Microsoft Windows Server

2008)
PIN
Personal Identification Number
PKCS
Public Key Cryptography Standards
PKCS#10
Certification Request Standard
PKCS#11
Cryptographic Token Interface Standard
PKCS#12
Personal Information Exchange Syntax Standard
PKI
Public Key Infrastructure
PSE
Personal Security Environment
RADIUS
Remote Authentication Dial-In User Service
RFC
Remote function call (SAP NetWeaver term)
RSA
Rivest, Shamir and Adleman
SAR
SAP Archive
SCA
Software Component Archive
SLAC
Secure Login Administration Console
SLC
Secure Login Client
SLL
SLS
Secure Login Server
SLWC
SNC
Secure Network Communication (SAP term)
SSL
Secure Socket Layer
06/2011
165
UPN
User Principal Name
WAR
Web Archive
WAS
Web Application Server
166
06/2011
8 Glossary
8 Glossary
Authentication
A process that checks whether a person is really who they are. In a multi-user or network
system, authentication means the validation of a users logon information. A users name
and password are compared against an authorized list.
Base64 encoding
The Base64 encoding is a three-byte to four-characters encoding based on an alphabet of
64 characters. This encoding has been introduced in PEM (RFC1421) and MIME. Other
uses include HTTP Basic Authentication Headers and general binary-to-text encoding
applications.
Note: Base64 encoding expands binary data by 33%, which is quite efficient
CAPI
See Cryptographic Application Programming Interface
Certificate
A digital identity card. A certificate typically includes:
The public key being signed.

A name which can refer to a person, a computer, or an organization.
A validity period.
The location (URL) of a revocation center.
The digital signature of the certificate produced by the private key of the CA.
The most common certificate standard is the ITU-T X.509.
Certification Authority (CA)

An entity which issues and verifies digital certificates for use by other parties.
Certificate Store
Sets of security certificates belonging to user tokens or certification authorities.
CREDDIR
A directory on the Server in which information is placed that goes beyond the PSE
(personal security environment).
Credentials
Used to establish the identity of a party in communication. Usually they take the form of
machine-readable cryptographic keys and/or passwords. Cryptographic credentials may
be self-issued, or issued by a trusted third party; in many cases the only criterion for
issuance is unambiguous association of the credential with a specific, real individual or
other entity. Cryptographic credentials are often designed to expire after a certain period,
06/2011
167
8 Glossary
although this is not mandatory.

Credentials have a defined time to live (TTL) that is configured by a policy and managed
by a Client service process.
Cryptographic Application Programming Interface (CAPI)

The Cryptographic Application Programming Interface (also known variously as
CryptoAPI, Microsoft Cryptography API, or simply CAPI) is an application programming
interface included with Microsoft Windows operating systems that provides services to
enable developers to secure Windows-based applications using cryptography. It is a set
of dynamically-linked libraries that provides an abstraction layer which isolates
programmers from the code used to encrypt the data.
Cryptographic Token Interface Standard
A standardized crypto-interface for devices that contain cryptographic information or that
perform cryptographic functions.
Directory Service
Provides information in a structured format. Within a PKI: Contains information about the
public key of the user of the security infrastructure, similar to a telephone book (e.g. a X.500
or LDAP directory).
Distinguished Name (DN)

A name pattern that is used to create a globally unique identifier for a person. This name
ensures that a certificate is never created for different people with the same name. The
uniqueness of the certificate is additionally ensured by the name of the issuer of the
certificate (that is, the Certification Authority) and the serial number. All PKI users require a
unique name. Distinguished Names are defined in the ISO/ITU X.500 standard.
Key Usage
Key usage extensions define the purpose of the public key contained in a certificate. You can
use them to restrict the public key to as few or as many operations as needed. For example,
if you have a key used only for signing, enable the digital signature and/or non-repudiation
extensions. Alternatively, if a key is used only for key management, enable key
encipherment.
Key Usage (extended)

Extended key usage further refines key usage extensions. An extended key is either critical
or non-critical. If the extension is critical, the certificate must be used only for the indicated
purpose or purposes. If the certificate is used for another purpose, it is in violation of the CA's
policy.
If the extension is non-critical, it indicates the intended purpose or purposes of the key and
may be used in finding the correct key/certificate of an entity that has multiple
keys/certificates. The extension is then only an informational field and does not imply that the
CA restricts use of the key to the purpose indicated. Nevertheless, applications that use
certificates may require that a particular purpose be indicated in order for the certificate to be
acceptable.
168
06/2011
8 Glossary
Lightweight Directory Access Protocol (LDAP)

A network protocol designed to extract information such as names and e-mail addresses
from a hierarchical directory such as X.500.
PKCS#11
PKCS refers to a group of Public Key Cryptography Standards devised and published by
RSA Security. PKCS#11 is an API defining a generic interface to cryptographic tokens.
PEM
See Privacy Enhanced Mail.
Personal Identification Number (PIN)

A unique code number assigned to the authorized user.
Personal Information Exchange Syntax Standard

Specifies a portable format for saving or transporting a users private keys, certificates,
and other secret information.
Personal Security Environment

The PSE is a personal security area that every user requires to work with. A PSE contains
security-related information. This includes the certificate and its secret private key. The
PSE can be either an encrypted file or a Smart Card and is protected with a password.
PIN
See Personal Identification Number.
Privacy-Enhanced Mail (PEM)

The first known use of Base64 encoding for electronic data transfer was the Privacyenhanced Electronic Mail (PEM) protocol, proposed by RFC 989 in 1987. PEM defines a
"printable encoding" scheme that uses Base64 encoding to transform an arbitrary
sequence of octets to a format that can be expressed in short lines of 7-bit characters, as
required by transfer protocols such as SMTP.
The current version of PEM (specified in RFC 1421) uses a 64-character alphabet
consisting of upper- and lower-case Roman alphabet characters (AZ, az), the numerals
(09), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code.
The original specification additionally used the "*" symbol to delimit encoded but
unencrypted data within the output stream.
Public FSD
Public file system device. An external storage device that uses the same file system as
the operating system.
06/2011
169
8 Glossary
Public Key Cryptography Standards

A collection of standards published by RSA Security Inc. for the secure exchange of
information over the Internet.
Public Key Infrastructure

Comprises the hardware, software, people, guidelines, and methods that are involved in
creating, administering, saving, distributing, and revoking certificates based on
asymmetric cryptography. Is often structured hierarchically.
In X.509 PKI systems, the hierarchy of certificates is always a top-down tree, with a root
certificate at the top, representing a CA that does not need to be authenticated by a
trusted third party.
Root Certification Authority

The highest Certification Authority in a PKI. All users of the PKI must trust it. Its certificate
is signed with a private key. There can be any amount of CAs between a user certificate
and the root Certification Authority. To check foreign certificates, a user requires the
certificate path as well as the root certificate.
Root certification
The certificate of the root CA.
RSA
An asymmetric, cryptographically procedure, developed by Rivest, Shamir, and Adleman
in 1977. It is the most widely-used algorithm for encryption and authentication. Is used in
many common browsers and mail tools. Security depends on the length of the key: key
lengths of 1024 bits or higher are regarded as secure.
Secure Network Communications

A module in the SAP NetWeaver system that deals with the communication with external,
cryptographically libraries. The library is addressed using GSS API functions and
provides NetWeaver components with access to the security functions.
Secure Sockets Layer

A protocol developed by Netscape Communications for setting up secure connections
over insecure channels. Ensures the authorization of communication partners and the
confidentiality, integrity, and authenticity of transferred data.
Single Sign-On
A system that administrates authentication information allowing a user to logon to
systems and open programs without the need to enter authentication every time
(automatic authentication).
170
06/2011
8 Glossary
Token
A security token (or sometimes a hardware token, authentication token or cryptographic
token) may be a physical device that an authorized user of computer services is given to
aid in authentication. The term may also refer to software tokens.
Smart-card-based USB tokens (which contain a Smart Card chip inside) provide the
functionality of both USB tokens and Smart Cards. They enable a broad range of security
solutions and provide the abilities and security of a traditional Smart Card without
requiring a unique input device (Smart Card reader). From the computer operating
systems point of view such a token is a USB-connected Smart Card reader with one
non-removable Smart Card present.
Tokens provide access to a private key that allows performing cryptographic operations.
The private key may be persistent (like a PSE file, Smart Card, and CAPI container) or
non-persistent (like temporary keys provided by Secure Login).
Microsoft Windows Credentials

A unique set of information authorizing the user to access the Microsoft Windows
operating system on a computer. The credentials usually comprise a user name, a
password, and a domain name (optional).
X.500
A standardized format for a tree-structured directory service.
X.509
A standardized format for certificates and blocking list.
06/2011
171

SAP NetWeaver Single-Sign-On SP1

Caricato da

Informazioni sul documento

Descrizione originale:

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

SAP NetWeaver Single-Sign-On SP1

Caricato da

Copyright:

Formati disponibili

Installation, Configuration and Administration Guide

SAP NetWeaver Single-Sign-On SP1

Copyright 2011 SAP AG. All rights reserved.

under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP

BusinessObjects Explorer, and other SAP products and services

Some software products marketed by SAP AG and its distributors

mentioned herein as well as their respective logos are trademarks or

contain proprietary software components of other software vendors.

registered trademarks of SAP AG in Germany and other countries.

Microsoft, Windows, Outlook, and PowerPoint are registered

Business Objects and the Business Objects logo, BusinessObjects,

trademarks of Microsoft Corporation.

Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and

IBM, DB2, DB2 Universal Database, System i, System i5, System p,

as their respective logos are trademarks or registered trademarks of

Business Objects Software Ltd. in the United States and in other

iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390,

OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM,

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere,

POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System

and other Sybase products and services mentioned herein as well as

Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks,

their respective logos are trademarks or registered trademarks of

OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner,

Sybase, Inc. Sybase is an SAP company.

WebSphere, Netfinity, Tivoli and Informix are trademarks or

Linux is the registered trademark of Linus Torvalds in the U.S. and

informational purposes only. National product specifications may

These materials are subject to change without notice. These materials

trademarks or registered trademarks of Adobe Systems Incorporated in

are provided by SAP AG and its affiliated companies ("SAP Group")

the United States and/or other countries.

for informational purposes only, without representation or warranty of

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the

warranty statements accompanying such products and services, if any.

Nothing herein should be construed as constituting an additional

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,

VideoFrame, and MultiWin are trademarks or registered trademarks of

HTML, XML, XHTML and W3C are trademarks or registered

code change in these components may cause unpredictable

trademarks of W3C, World Wide Web Consortium, Massachusetts

and severe malfunctions and is therefore expressively

prohibited, as is any decompilation of these components.

Java is a registered trademark of Sun Microsystems, Inc.

Any Java Source Code delivered with this product is

modified or altered in any way.

Terms for Included Open

copy of this software and associated documentation files (the

distribute, sublicense, and/or sell copies of the Software, and to permit

persons to whom the Software is furnished to do so, subject to the

the following special terms and conditions shall apply.

Prototype JavaScript Framework http://www.prototypejs.org/

The above copyright notice and this permission notice shall be

Copyright (c) 2005-2010 Sam Stephenson

WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT

OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,

opencsv 1.7.1 http://opencsv.sourceforge.net/

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY

ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING