PUBLIC
Document Version: 1.1 October 2011
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com
Typographic Conventions
Type Style: Example Text. Description: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Further type styles used in this guide: Example text, EXAMPLE TEXT, Example text, Example text, <Example text>, EXAMPLE TEXT.
Icons
Icon meanings: Caution, Example, Note, Recommendation, Syntax.
Contents
1 What is Secure Login? ....................................................................... 9
1.1 System Overview .................................................................................. 10
1.2 System Overview with Security Token ............................................... 11
1.3 System Overview with Secure Login Server ...................................... 14
1.4 Instances ............................................................................................... 16
1.5 PKI Structure ........................................................................................ 17
1.6 Secure Communication ....................................................................... 18
1.7 Policy Server Overview ........................................................................ 19
1.8 Secure Login Web Client ..................................................................... 20
3 Administration ................................................................................... 49
3.1 Logon to Administration Console....................................................... 49
3.2 Welcome Page ...................................................................................... 50
3.2.1 Change Password....................................................................................................... 51
06/2011
If a PKI has already been set up, the digital user certificates of the PKI can also be used by
Secure Login.
Secure Login also provides single sign-on for Web browser access to the SAP Portal (and
other HTTPS-enabled Web applications) with SSL.
It is not necessary to install all components. This depends on the use case. For further
information about Secure Login Client and Secure Login Library see the corresponding
Installation, Configuration and Administration Guide.
Figure: Secure Login System Environment with Existing PKI and Kerberos (shows the PKI infrastructure with a security token, the Kerberos infrastructure with a Kerberos token, SAP GUI and Web GUI, and the authentication and secure communication between them).
The Secure Login Client is responsible for the certificate-based and Kerberos-based authentication to the SAP application server.
Authentication Methods
In a system environment without Secure Login Server, the Secure Login Client supports the
following authentication methods:
Figure (labels only): PKI Infrastructure; Security Token; 1 Start connection and get SNC name; 2 Client maps SNC name to authentication profile; 4 Security Token; 5 Client provides certificate to SAP GUI application; 6 Authentication and secure communication.
1. Upon connection start, the Secure Login Client retrieves the SNC name from the desired SAP server system.
2. The Secure Login Client uses the authentication profile for this SNC name.
3. The user unlocks the security token by entering the PIN or password.
4. The Secure Login Client receives the X.509 certificate from the user security token.
5. The Secure Login Client provides the X.509 certificate for SAP single sign-on and secure communication between SAP Client and SAP Server.
6. Authentication and secure communication.
Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic
operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto
engines. The Crypto Service Provider (CSP) from SAP is such a plug-in. It provides the
user keys to all CAPI-enabled applications.
1. Upon connection start, the Secure Login Client retrieves the SNC name (Service Principal Name) from the respective SAP server system.
2. The Secure Login Client starts at the Ticket Granting Service a request for a Kerberos Service token.
3.
4. The Secure Login Client provides the Kerberos Service token for SAP single sign-on and secure communication between SAP client and SAP server.
5.
Authentication Methods
Secure Login supports several authentication methods. It uses the Java Authentication and
Authorization Service (JAAS) as a generic interface for the different authentication methods.
For each supported method, there is a corresponding configurable JAAS module.
The following authentication methods are supported:
1. Upon connection start, the Secure Login Client gets the SNC name from the desired SAP server system.
2. The Secure Login Client uses the client policy for this SNC name.
3.
4.
5. The Secure Login Client sends the user credentials and the authentication request to the Secure Login Server.
6. The Secure Login Server forwards the user credentials to the authentication server and receives a response indicating whether the user credentials are valid or not.
7. If the user credentials are valid, the Secure Login Server generates a user certificate (certificate response) and provides it to the Secure Login Client.
8.
9. The user certificate is used to perform an authentication, single sign-on, and secure communication between SAP client and server.
1.4 Instances
The Secure Login instances feature allows multiple instances to run on the same server.
The main advantage of using instances is that the time spent on maintaining Secure Login is
reduced to a minimum.
Secure Login Server instances can use a common user CA certificate for one or more
instances, or you can set an individual user CA certificate (PKI) for each instance.
The Secure Login Client authentication profiles can be configured to use different Secure
Login Server instances for different authentication methods.
It is still possible to use several Secure Login Servers and/or authentication servers for
failover. The Secure Login Server can connect to more than one authentication server.
PKI Integration
Because the Secure Login Server is based on the industry standard X.509v3, it can be integrated
into an existing PKI. The required minimum is to provide a user CA certificate to the
Secure Login Server.
From: SAP GUI; To: SAP NetWeaver; Protocol: DIAG/RFC (SNC)
From: Web GUI; To: SAP NetWeaver; Protocol: HTTPS (SSL)
Protocol: HTTPS (SSL)
To: LDAP Server; Protocol: LDAPS (SSL)
To: SAP NetWeaver; Protocol: RFC (SNC)
To: RADIUS Server
Differences between Secure Login Client and Secure Login Web Client:
2.1 Prerequisites
This chapter describes the prerequisites and requirements for the installation of Secure Login
Server. The SAP NetWeaver Application Server must be up and running.
Hardware Requirements (Secure Login Server)
Random-access memory: 1 GB RAM at minimum
Software Requirements (Secure Login Server)
Application server
Optional: Secure Login Library
Secure Login Library
Operating systems
Java
Details: freeRADIUS; Microsoft Network Policy and Access Services (NPA); Microsoft Internet Authentication Service (IAS)
<ASJava_installation>\exe\snc.exe
Example
D:\usr\sap\ABC\J00\exe\snc.exe
As a result, you get further information about the Secure Login Library.
The test is successful if the version is displayed.
<ASJava_installation>/exe/snc
Example
/usr/sap/ABC/J00/exe/snc
As a result, further information about the Secure Login Library should be displayed.
The test is successful if the version is displayed.
Command
Deploy Application: deploy SECURE_LOGIN_SERVER00_0.sca
Undeploy Application
List Application
Stop Application: stop_app sap.com/SecureLoginServer
Start Application: start_app sap.com/SecureLoginServer
2.) Start the JSPM application (SAP Software Delivery Tool) on SAP NetWeaver Application
Server.
Microsoft Windows
<ASJava_Installation>\j2ee\JSPM\go.bat
Linux
<ASJava_Installation>/j2ee/JSPM/go
3.) Log on to SAP NetWeaver AS Java with a user with administration privileges.
Welcome Page
On the welcome page a prerequisite check is performed. Verify all prerequisites.
If everything is OK, choose Continue.
Figure: Initial Configuration Wizard Key file for server credentials encryption
Keep in mind that, in case the key file is changed or not available, it is not possible to log
on to the Secure Login Administration Console. The Secure Login Server does not work
anymore and is locked.
Administrator Account
Define the password for the administration user Admin.
Passwords used in Secure Login Server are restricted by the password policy definition.
Passwords cannot be empty
Passwords must have a length between 8 and 20 characters
Passwords must contain at least one uppercase letter
Passwords must contain at least one lowercase letter
Passwords must contain at least one digit
Passwords must contain at least one special character
Option
Details
Create a Root CA by
providing certificate
information
Common Name*
Enter the common name of the certificate (CN).
Example: Root CA SAP Security
Organization Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512,
1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Enter the date from when the validity of this certificate
starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of this certificate ends
(format: YYYY-MM-DD).
Password*
In this field you enter the password for this certificate.
The password length is limited to 20 characters.
Save Password
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.
Confirm Password*
Confirm the encryption password entered in the field
above.
Import an Existing KeyStore File
KeyStore File*
Click Browse to locate and load an existing
KeyStore file (File Format is: *.pse).
Password*
The password for the KeyStore (PSE) file.
Save Password
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.
Skip this certificate
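As an added check that is not part of the SAP guide: a small Python validator for the Root CA form above. It applies the constraints the wizard states (required Common Name, two-letter Country, key length from the offered set, YYYY-MM-DD validity dates, 20-character password limit) and, as the editor's own recommendation rather than the guide's, flags the 512- and 1024-bit options as too weak for a CA key. The field names and the sample form values are assumptions.

```python
import re
from datetime import date

# Key lengths the wizard offers for the CA certificate (from the guide).
OFFERED_KEY_LENGTHS = (512, 1024, 1536, 2048, 3072, 4096)
# Editor's threshold, not from the guide: RSA below 2048 bits is no longer
# considered adequate for a CA key, and 512-bit keys are factorable cheaply.
MIN_RECOMMENDED_KEY_LENGTH = 2048
MAX_PASSWORD_LENGTH = 20                         # stated limit of the Password field
DATE_FORMAT = re.compile(r"\d{4}-\d{2}-\d{2}")   # YYYY-MM-DD as the wizard requires


def _parse_wizard_date(value):
    """Return a date for a YYYY-MM-DD string, or None if it is malformed."""
    if not isinstance(value, str) or not DATE_FORMAT.fullmatch(value):
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:          # calendar-invalid, e.g. 2011-02-30
        return None


def check_ca_wizard_input(fields):
    """Validate one 'Create a ... CA by providing certificate information' form.

    `fields` maps assumed keys (wizard labels, lower-cased with underscores)
    to the values typed in. Returns a list of problems; empty means OK.
    """
    problems = []

    if not str(fields.get("common_name", "")).strip():
        problems.append("Common Name is required")

    country = str(fields.get("country", ""))
    # X.509 countryName is a two-letter code (RFC 5280 limits it to 2 characters).
    if country and not (len(country) == 2 and country.isascii()
                        and country.isalpha() and country.isupper()):
        problems.append(f"Country must be a two-letter code such as DE, not {country!r}")

    try:
        key_len = int(fields.get("key_length"))
    except (TypeError, ValueError):
        key_len = None
    if key_len not in OFFERED_KEY_LENGTHS:
        problems.append(f"Key length {key_len!r} is not one of {OFFERED_KEY_LENGTHS}")
    elif key_len < MIN_RECOMMENDED_KEY_LENGTH:
        problems.append(f"{key_len}-bit RSA is offered by the wizard but is weak; "
                        f"choose at least {MIN_RECOMMENDED_KEY_LENGTH} bits for a CA key")

    valid_from = _parse_wizard_date(fields.get("valid_from"))
    valid_to = _parse_wizard_date(fields.get("valid_to"))
    if valid_from is None or valid_to is None:
        problems.append("Valid From and Valid To must be dates in YYYY-MM-DD format")
    elif valid_to <= valid_from:
        problems.append("Valid To must be later than Valid From")

    password = str(fields.get("password", ""))
    if not password:
        problems.append("Password is required")
    elif len(password) > MAX_PASSWORD_LENGTH:
        problems.append(f"Password is limited to {MAX_PASSWORD_LENGTH} characters")
    if password != str(fields.get("confirm_password", "")):
        problems.append("Confirm Password does not match Password")

    return problems


# Constructed sample form, using the example values printed in the guide's table.
EXAMPLE_ROOT_CA = {
    "common_name": "Root CA SAP Security",
    "organization_unit": "SAP Security Department",
    "organization": "Company xyz",
    "locality": "Walldorf",
    "country": "DE",
    "key_length": 2048,
    "valid_from": "2011-10-01",
    "valid_to": "2021-10-01",
    "password": "Pse-Passw0rd!",
    "confirm_password": "Pse-Passw0rd!",
}

if __name__ == "__main__":
    for name, form in [("ok", EXAMPLE_ROOT_CA), ("weak", dict(EXAMPLE_ROOT_CA, key_length=512))]:
        print(name, check_ca_wizard_input(form) or "no problems")
```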
Figure: Initial Configuration Wizard Select the SSL Certificate Generation Type
It is possible to install or import SSL certificates later on using the administration console
Certificate Management. For more information, see section 3.3.3 Certificate
Management.
Option / Details
Generate an SSL certificate using the Secure Login Administration Console
Option
Details
Create a SSL CA by
providing certificate
information
Common Name*
Enter the common name of the certificate (CN).
Example: SSL CA SAP Security
Organization Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512,
1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Enter the date when the validity of the certificate
starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of the certificate ends
(format: YYYY-MM-DD).
Password*
Enter the password for this certificate in this field. The
password length is limited to 20 characters.
Save Password
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.
Confirm password*
Confirm the encryption password entered in the field
above.
Import an Existing KeyStore File
KeyStore File*
Click Browse to locate and load an existing Key
Store File (file format: *.pse).
Password*
The password for the KeyStore (PSE) file.
Save Password
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.
Skip this certificate
Option
Details
Common Name*
Enter the common name of the certificate (CN).
Example: Alias Server Name
Organization Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Subject Alternative Names (DNS)
Enter the alternative name in this field. Typically this
is the Fully Qualified Domain Name (FQDN).
Example: ServerName@FQDN.local
Encryption Key Length
Select the encryption key length for the server (512,
1024, 1536, 2048, 3072, or 4096 bits).
KeyStore File*
Click Browse to locate and load an existing
KeyStore file (file format: *.p12).
Password*
The password for the KeyStore file.
Save Password
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.
Skip this certificate
Option
Details
Create a user CA by
providing certificate
information
Common Name*
Enter the common name of the certificate (CN).
Example: User CA SAP Security
Organization Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512,
1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Enter the date when the validity of the certificate
starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of the certificate ends
(format: YYYY-MM-DD).
Password*
In this field you enter the password for this certificate.
The password length is limited to 20 characters.
Save Password
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.
Confirm Password*
Confirm the encryption password entered in the field
above.
Import an Existing KeyStore File
KeyStore File*
Click Browse to locate and load an existing
KeyStore file (file format: *.pse).
Password*
The password for the KeyStore (PSE) file.
Save Password
If this checkbox is activated, this password will be
stored. This means that you do not need to remember
the password when editing this certificate at a later
date.
Skip this certificate
Option
Details
User Certificate
Configuration
DN.country
Enter the country abbreviation in this field (C).
Example: DE
DN.locality
Enter the regional information in this field (L).
Example: Walldorf
DN.organization
Enter the company name in this field (O).
Example: Company xyz
DN.organizationalUnit
Enter the division of the company in this field (OU).
Example: SAP Security Department
ValidityMinutes*
Information for a temporary certificate: The period of
time (in minutes) that the user certificate is valid.
Application Information
ServerHostName
FQDN name or IP address of this server.
This parameter is used for the client policy definition
and can be used for centrally changing the server
host name and the server port in the instance
configuration of the Secure Login Server.
ServerPort
Port of this server.
This parameter is used for the client policy definition
and can be used for central change.
Authentication Server
Configuration
(read-only)
AuthConfigPath
Authentication server configurations file for the
Secure Login Server.
PseName
The user CA key store file path. If you created a user
CA in the previous step, the file path is shown here.
Log Configuration
(read-only)
DailyLogDir
In this log path the user authentication information for
the default instance is logged.
(for example, the user authentication was successful)
MonthlyLogDir
In this log path the instance information for the default
instance is logged.
(for example, the default instance was started
successfully)
AdminConsoleLogDir
In this log path the admin console information for the
Secure Login Administration Console is logged.
(for example, the default instance configuration was
changed)
LockDir
The path to which the lock file is saved. A lock file is
created when the server encounters an internal error
that requires manual intervention.
Setup Review
Verify the action points and choose the Finish pushbutton to complete the initial wizard
configuration.
Finish Setup
After successful setup configuration this page appears. Restart the Secure Login Server
application.
In the configuration file web.xml, change the value to true for the parameter remoteAccess.
web.xml
<init-param>
<param-name>remoteAccess</param-name>
<param-value>true</param-value>
</init-param>
Value
Source Port: 5<instance_number>00 (Example: 50000)
Destination: localhost:5<instance_number>00 (Example: localhost:50000)
After the SSH tunnel configuration, log on to this connection and perform the initial
configuration. For more information, see section 2.6 Initial Configuration Wizard.
3 Administration
This chapter describes the configuration parameters in Secure Login Server.
URL
Unsecured: http://<IP/FQDN>:5<instance_number>00/securelogin
Secured: https://<IP/FQDN>:5<instance_number><https_port>/securelogin
You can find the HTTPS port in the SSL setting of the SAP NetWeaver configuration. The port
number is usually 50001 (corresponds to 01 in the table above).
The logon page appears.
Details: Local Login; External Login
Authentication type: Edit Login Type Setting.
The top left-hand pane lists any tasks that have yet to be performed.
For example, Connection must be HTTPS refers to the missing SSL connection between
the console and the Secure Login Server, or Server needs to be restarted informs you
that the configuration has been changed, and you need to restart the Secure Login
Server application for it to take effect.
The bottom left-hand pane is the main navigation tree. For easy reference, each node
represents tasks that can be performed within the Secure Login Server framework.
The right-hand pane displays the details of any node selected in the left-hand pane.
In the top right-hand corner there are three entries that appear on every page in the
console:
Change Password
This allows you to change the password for the current administrator/user account.
Logout
Use this link to log out of the console. The login page reappears (see previous page).
About
Click this to view version information about the console.
You may be asked to re-enter your user name and password if you leave the
administration console for a long time. The default console timeout is 10 minutes.
The user admin is a permanent user that has the role super user and cannot be deleted.
As a consequence, the admin user can log on to the system regardless of state (when a
serious system error occurs), making sure that there is at least one user who can always
access Secure Login to correct or configure the system.
Choose the Server Configuration node in the left-hand pane of the administration console.
The following page appears:
Option / Details/Value / Edit / Description
Trust Certificates
Storage File (read-only): Path where the lock files are written. A lock file is generated if something went wrong with the Secure Login Server. In this case the Secure Login Server is locked.
Port
CREDDIR (read-only)
NativeLibraryPath (read-only): The directory where native libraries are stored for the Secure Login Library.
Details/Value / Description
true: Write trace messages to the application server trace file (defaultTrace_*.log).
false: Do not write trace messages to the application server trace file.
Port
Once you have changed any option, click Save to return to the Server Configuration page.
Remarks: SPNegoLoginModule; SecureLoginModuleLDAP; SecureLoginModuleRADIUS; SecureLoginModuleSAP
Create certificates
View certificates
Export certificates
Import certificates
Option / Details
PKI Tree: Define a display name for the new PKI and create a top-level Certification Authority (Root CA).
Certificate Information
Common Name
Common name of the selected certificate.
Path
File path of the selected certificate file.
Save Password
Password protection status of the selected certificate file.
Mapping to Instance
List of all instances and selections that are supposed to use
this user CA. This option is available for user CAs only.
More Details
[PKI Information]
[CA Operations]
[Export Certificate]
[Selection List]
The selection list allows you to associate the type of CA of
the certificate. Each type can be associated only once.
Browse
Opens a file browser to select the certificate file.
Open Password
Password that protects the certificate file
Save Password
Allows you to save the password in the configuration file.
Define the certificate parameters for the new root CA certificate and choose Create.
Option
Details
Common Name*
Enter the common name of the certificate (CN).
Example: SAP CA SAP Security
Organization Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Option
Details
Common Name*
Enter the common name of the certificate (CN).
Example: SAP SID
Organizational Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512,
1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Enter the date when the validity of this certificate
starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of this certificate ends
(format: YYYY-MM-DD).
Password*
Enter the password for this certificate in this field. The
password length is limited to 20 characters.
Confirm Password*
Confirm the encryption password entered in the field
above.
Save password to file
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.
Option
Details
Create SNC_CERT
Subject Information
Common Name*
Enter the common name of the certificate (CN).
Example: SLSSNC
Organizational Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512,
1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Enter the date when the validity of this certificate
starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of this certificate ends
(format: YYYY-MM-DD).
Password*
In this field, you enter the password for this certificate.
The password length is limited to 20 characters.
Confirm Password*
Confirm the encryption password entered in the field
above.
Save password to file
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.
Option
Details
Create LOGIN_CERT
Subject Information
Common Name*
Enter the common name of the certificate (CN).
Example: Username
Organizational Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
This login certificate needs to be imported into a browser application. Therefore, export
this certificate in *.p12 format and import it into your browser application.
In addition, it is required to assign this login certificate to a user (user mapping). For more
information, see section 4.6 Configure SSL Certificate Logon.
Export Certificate
Use this function to export any kind of certificate in the PKI list.
1. Choose the desired certificate in the PKI tree list, for example Root CA SAP
Security.
2. Select the Export Type, for example .pse.
3. Define the password of the exported certificate file.
4. Choose the Export pushbutton to save the file to the desired location.
Option
Details
Export Type
.pse
Exports the certificate in PSE format.
This file includes all keys and all certificates of the
complete certificate chain.
.crt
Exports the public certificate information.
.p12
Exports the certificate in P12 format.
This file includes all keys and all certificates of the
complete certificate chain used.
.jks
Exports the certificate in Java Key Store format.
Import Certificate
If a certificate entry in the list is grayed out, it means this certificate is not present. Use the
import function to load a new certificate.
1. Choose the desired certificate in the PKI tree list, for example SAP_CA.
2. Choose Browse to open a file browser. Locate and open the PSE file.
3. Enter the password for the PSE file in the field Open Password.
4. As an option, you can choose to save the password.
5. Choose the Import pushbutton to complete your import.
Imported certificates need to be part of the PKI structure. A trust relation to an existing
root CA certificate, when available, is required.
In case the desired certificate has no trust relation to the root CA certificate, the error
message Trust connection cannot be established with ROOT CA appears.
Option
Details
Certificate Alias*
Certificate Location
Delete
Export
Changes in Trust Store require a restart of the SAP NetWeaver Application Server.
The default template cannot be deleted, changed, or exported. The Mapping option is only
available if an additional certificate template is available.
Option
Details
Template Name
Add
Copy
Edit
Delete
Mapping
Export
Import
Option
Details
Template Name*
SubjectKeyIdentifier
AuthorityKeyIdentifier
CertificatePolicies
KeyUsage
BasicConstraints
Is critical?
If you select this option, the basic constraints parameter is
required in the certificate for communication to be
successful.
Is CA?
This option defines whether the subject of the certificate is a
Certification Authority. When you select this option, the Path
Length field opens. Enter the number of levels for which the
constraints are valid.
Private Extensions
Extension Name*
The unique name for this extension
Base64/DER Encoded Data*
The content of the private extension in Base64 or DER
format
Add
Adds the information from the fields above to the certificate
template (this will also take you back to the Create
Certificate Template page).
Cancel
Cancels the Create Private Extension configuration step.
Reset
Cancel
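To show what the Is CA? and Path Length settings of a template, and the Base64/DER Encoded Data field of a private extension, actually carry in a certificate, here is an added example that is not from the SAP guide: a standard-library-only DER encoder and decoder for the BasicConstraints extension value (RFC 5280, section 4.2.1.9), with its Base64 form. The sample value at the end is constructed.

```python
import base64

# ASN.1 structure being encoded (RFC 5280, section 4.2.1.9):
#   BasicConstraints ::= SEQUENCE {
#       cA                 BOOLEAN DEFAULT FALSE,
#       pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
TAG_BOOLEAN, TAG_INTEGER, TAG_SEQUENCE = 0x01, 0x02, 0x30


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, value):
    return bytes([tag]) + _der_length(len(value)) + value


def encode_basic_constraints(is_ca, path_len=None):
    """DER-encode the BasicConstraints value the template settings describe.

    is_ca mirrors 'Is CA?'; path_len mirrors the 'Path Length' field, i.e. how
    many further CA levels may follow (0 = only end-entity certificates).
    """
    if path_len is not None and not is_ca:
        raise ValueError("pathLenConstraint is only meaningful when cA is TRUE")
    if path_len is not None and path_len < 0:
        raise ValueError("pathLenConstraint must be >= 0")
    content = b""
    if is_ca:
        # DER omits values equal to the DEFAULT, so cA=FALSE is never written.
        content += _der_tlv(TAG_BOOLEAN, b"\xff")
        if path_len is not None:
            # Minimal big-endian two's complement; the extra byte keeps it positive.
            content += _der_tlv(TAG_INTEGER,
                                path_len.to_bytes(path_len.bit_length() // 8 + 1, "big"))
    return _der_tlv(TAG_SEQUENCE, content)


def _read_tlv(data, pos):
    """Read one DER TLV at data[pos:]; return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(data):      # indefinite length is not DER
            raise ValueError("bad DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER value")
    return tag, data[pos:pos + length], pos + length


def decode_basic_constraints(der):
    """Parse a DER BasicConstraints value; return (is_ca, path_len_or_None)."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("BasicConstraints must be a single SEQUENCE")
    is_ca, path_len, pos = False, None, 0
    if pos < len(seq) and seq[pos] == TAG_BOOLEAN:
        _, val, pos = _read_tlv(seq, pos)
        if len(val) != 1:
            raise ValueError("BOOLEAN must be one octet")
        is_ca = val != b"\x00"
    if pos < len(seq) and seq[pos] == TAG_INTEGER:
        _, val, pos = _read_tlv(seq, pos)
        path_len = int.from_bytes(val, "big", signed=True)
        if path_len < 0:
            raise ValueError("negative pathLenConstraint")
    if pos != len(seq):
        raise ValueError("unexpected trailing data in BasicConstraints")
    if path_len is not None and not is_ca:
        raise ValueError("pathLenConstraint present although cA is FALSE")
    return is_ca, path_len


def basic_constraints_to_base64(is_ca, path_len=None):
    """The Base64 text form, as used in a 'Base64/DER Encoded Data' field."""
    return base64.b64encode(encode_basic_constraints(is_ca, path_len)).decode("ascii")


def basic_constraints_from_base64(text):
    """Decode the Base64 text form back into (is_ca, path_len)."""
    return decode_basic_constraints(base64.b64decode(text, validate=True))


# Constructed sample: a CA that may issue one further level of sub-CAs.
SAMPLE_CA_PATHLEN_1_B64 = basic_constraints_to_base64(True, 1)

if __name__ == "__main__":
    print(SAMPLE_CA_PATHLEN_1_B64, basic_constraints_from_base64(SAMPLE_CA_PATHLEN_1_B64))
```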
The default template cannot be deleted, changed, or exported. The Mapping option is only
available for the default template if another certificate template is available.
Details
User Certificate
Details
[List Box]
Selected Template
Exports the selected certificate template.
All Templates
Exports all certificate templates.
Export
Cancel
Details
Browse
Import
Cancel
Details
Authentication
Configuration
PKI Structure
SAP ID Check
Server List
Trust Store
TrustStore
Check the Java Trust Store used by Secure Login Server.
The fallback message file is serverMsg.properties. This message file is used if the
required language is not available. The language for the fallback scenario is English.
The predefined language for the new message file is English and needs to be translated
to the required language.
The file format is defined as: ServerMsg_<country abbreviation>.properties
Details
<body>message</body>
\r\n
<b>text</b>
<any color=red>text</any>
Uses the color red for text (red is the only color
supported).
<a href=URL>anchor</a>
The installation of the Secure Login Library (described in the Installation, Configuration,
and Administration Guide of the Secure Login Library) is a prerequisite.
Criteria
Details
Date
Version
Uptime
Instance ID
Configuration URL
Configuration Status
Lock Status
Lock Status = No
The Secure Login Server is not locked. Everything is OK and
the server is up and running.
Lock Status = Yes
The Secure Login Server is locked, meaning that it has
encountered a problem. In this case, check the server
information pane in the top left of the screen for tasks that
still need to be performed as well as the log files for possible
problems.
An Unlock button appears next to the table entry (provided
that the administrator role has the necessary permissions).
Once you have resolved any problems, choose the Unlock
button to reset the Lock Status.
Server Build
If the error message "Cannot connect to the server using the SSL connection. Import the
server's certificate into the Trust Store" is displayed, add the SSL CA certificate (public
certificates) to the Trust Store of the Secure Login Server.
For more information, see section 3.3.4 Trust Store Management.
Option
Details
Base-64 Encoded
Certificate Request (PKCS
#10)
Validity Period of
Certificate*
Certificate Template
Issuer
Sign Certificate
This page displays all of the tasks performed using the Administration Console since logging
began. This page allows you to do the following:
Select a period of time to view with the Log Month combo box.
Export log files to a *.csv file format with the Export Logs function.
This entry is only visible if log entries are present.
The monthly table contains the following information about the administration tasks:
Option
Details
Date
Time
Code
Level
User
Action
OTHER.
Server
Description
Properties Configuration
In this section, you can configure the Secure Login Web Client profiles.
Message Settings
In this section, you can configure the server messages provided to the Secure Login Web
Client.
Package Management
In this section, you can configure the SNC library for the respective Secure Login Web
Client. By default, three packages are available, for Microsoft Windows, Linux and Mac
OS X.
Note that there are server messages available for Secure Login Client (described in
section 3.3.7 Message Settings) and Secure Login Web Client.
Option
Details
PORTALURL
AUTHENTICATIONSCHEME
ACTION
performed.
Open Portal
After successful user authentication the URL defined
in PORTALURL is used.
Launch SAP GUI
After successful user authentication the SAP GUI
application is started.
Both SAP Portal and SAP GUI
After successful user authentication the URL defined
in PORTALURL is used, and the SAP GUI application
is started.
PackURL
SAPLogon.slsinstance
ClientLogging
The location of the Secure Login Web Client files depends on the operating system:
Microsoft Windows XP
C:\Documents and Settings\<user>\sapsnc\
Microsoft Windows Vista / Microsoft Windows 7
C:\Users\<user>\sapsnc\
Mac OS
/Users/<user>/sapsnc/
Linux
/home/<user>/sapsnc/
You can customize the file location of the Secure Login Web Client. For more information,
see section 4.5 Customize Secure Login Web Client.
Option
Details
label
Profile name.
host
IP address or FQDN name of the desired SAP server
system.
port
Port of the desired SAP server system
sncname
SNC name of the desired SAP server system
SAP GUI for Microsoft
Windows
shortcut.Name
Identifier used in multi-instance configurations.
shortcut.Description
The name of the server profile in SAP GUI for
Microsoft Windows (in SAPGUI this is the Description
field). This is the essential reference to the profile.
Option
Details
SAP.start.binary
GUI application name for SAP GUI for Java.
SAP.logon.binary
SAP Logon application name for SAP GUI for Java.
SAP.start
Path used to locate the SAP applications. Use the
Add button to add an additional search path. Use the
Delete button to remove an existing search path.
SAP.start.win.binary
GUI application name for SAP GUI for Microsoft
Windows.
SAP.logon.win.binary
SAP Logon application name for SAP GUI for
Microsoft Windows.
SAP.start.win
Path used to locate the SAP applications. Use the
button Add to create an additional search path. Use
the button Delete to remove an existing search path.
Supported Operating
Systems
Message Settings
In this section, you can configure the server messages provided to the Secure Login Web
Client.
Package Management
In this section, you can configure the SNC library for the desired Secure Login Web Client. By
default, several packages are available, for Microsoft Windows, Linux and Mac OS X.
To update or add new files, choose the Upload button.
Option
Details
Authentication Server
Configuration
JaasModule
Select the desired user authentication mechanism.
The following authentication mechanisms are
available:
SPNegoLoginModule
SecureLoginModuleLDAP
SecureLoginModuleRADIUS
SecureLoginModuleSAP
With the installation of Secure Login Server, Login
Modules are installed in SAP NetWeaver. The names
of the Login Modules correspond to the names of the
JaasModule.
For more information about the configuration of the
Login Modules, see section 4.1 Configure Login
Module.
PseType
This parameter is read-only. The key store format is
FilePSE.
PseName
Select the desired User CA for this instance.
User Certificate
Configuration
Log Configuration
LockDir
The path to which the lock file is saved. A lock file is
created when the server encounters an internal error
that requires manual intervention.
maxSessionInactiveInterval
Specifies the time, in seconds, between client
requests before the servlet container invalidates
this session. This applies only in challenge mode (for example, password change).
AdminServletHeader
Header text to be displayed on the status page.
Header text is used in Server Status and Instance
Status.
AdminServletTrailer
Footer text to be displayed on the status page. Footer
Remember to configure the desired Login Module in SAP NetWeaver Administrator. For
more information about the configuration of the Login Modules, see section 4.1 Configure
Login Module.
User-Defined Properties
User-Defined Properties define additional, instance-specific configuration settings. You can
configure the following:
If the SAP user name is stored in the Microsoft Active Directory, for example, in the
attribute employeeID, the Secure Login Server can read this attribute and create a user
certificate with the Distinguished Name CN=UserSAP.
This is configured in the Certificate User Mapping Service.
The advantage of having the SAP user name in Distinguished Name is easier
configuration in the SAP NetWeaver ABAP/JAVA Server environment (user mapping
configuration).
The prerequisite is that the SAP user name is stored in the LDAP or Microsoft Active
Directory system. The Certificate User Mapping Service depends on the Secure Login Server
user credential check against the authentication server.
Parameter
Details
LdapReadServers*
LdapReadTimeoutn
LdapReadUrln*
LdapReadBaseDNn*
LdapReadDomainn*
LdapReadUsern*
Server.
Example: employeeID
LdapReadPassn*
LdapReadAttributen*
The value n in the parameter is a counter and is defined depending on the parameter
LdapReadServers.
The Secure Login Server is able to verify user credentials and perform Certificate User
Mapping on a different server. The prerequisite is that the user name is available on both
servers.
SAP user IDs have a maximum length of 12 characters (SAP NetWeaver ABAP
environment), which needs to be considered by SNC X.509 certificates. The password
length or value can be customized.
If user names in the common name (CN) field need a fixed or minimum length, padding
can be turned on. Typically this configuration is used if personnel numbers are used.
Details
MaxUserNameLength
Default value: 12
Example:
LongUsernameSAP is cut off to LongUsername with
the default settings.
UserNamePaddingLength
UserNamePaddingChar
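As an added example that is not part of the SAP guide, the CN derivation described above (truncation to MaxUserNameLength, then optional padding to UserNamePaddingLength with UserNamePaddingChar), plus a collision check a practitioner would run before enabling it on a populated directory. The guide does not state on which side padding is applied; left padding is an assumption here, chosen because personnel numbers are the stated use case, and all function names are hypothetical.

```python
from collections import defaultdict

# RFC 4514 special characters that must be escaped inside an RDN value
_RDN_SPECIAL = set('\\,+"<>;=')


def escape_rdn_value(value):
    """Escape a CN attribute value so the resulting Distinguished Name stays well-formed."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in "# "
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in _RDN_SPECIAL or leading or trailing else ch)
    return "".join(out)


def map_user_name_to_cn(user_name, max_user_name_length=12,
                        user_name_padding_length=None, user_name_padding_char="0"):
    """Return 'CN=<value>' for one SAP user name read from the authentication server.

    Truncation to MaxUserNameLength comes first (LongUsernameSAP -> LongUsername
    with the default of 12), then optional left padding (assumption) to
    UserNamePaddingLength, e.g. personnel number 4711 -> 00004711.
    """
    if not user_name:
        raise ValueError("empty user name cannot be mapped to a CN")
    if len(user_name_padding_char) != 1:
        raise ValueError("UserNamePaddingChar must be a single character")
    if user_name_padding_length is not None and user_name_padding_length > max_user_name_length:
        raise ValueError("UserNamePaddingLength must not exceed MaxUserNameLength")
    name = user_name[:max_user_name_length]
    if user_name_padding_length is not None:
        name = name.rjust(user_name_padding_length, user_name_padding_char)
    return "CN=" + escape_rdn_value(name)


def find_cn_collisions(user_names, **settings):
    """Report distinct user names that map to the same CN after truncation/padding.

    Two different users ending up with one CN would share one certificate identity
    on the SAP side, so a non-empty result means the length settings need review.
    """
    by_cn = defaultdict(set)
    for user_name in user_names:
        by_cn[map_user_name_to_cn(user_name, **settings)].add(user_name)
    return {cn: sorted(names) for cn, names in by_cn.items() if len(names) > 1}
```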
Parameter
Details
Policy URL*
PolicyTTL*
Network Timeout
(seconds)*
Save
Cancel
Applications
Defines which client profile is used for which SAP server application.
Parameter
Details
Add Application
Edit
Delete
To define the application parameter, choose the Add Application or Edit button.
Parameter
Details
Application Name*
Profile
allowFavorite
Save
Clear
Back
Profiles
This section describes the configuration of the client profile.
Details
Add Profile
Edit
Delete
To define the profile parameter, choose the Add Profile or Edit button.
Parameter
Details
Profile Name*
PSE Type
Authentication type.
promptedlogin
Using this profile, the user is prompted to enter the
user credentials.
windowslogin
Using this profile, the user credentials are provided
automatically (only available for Microsoft Windows
authentication)
The default value is windowslogin
Enroll URL*
HttpProxyURL
Grace Period
InactivityTimeout
Auto-Reenroll Attempts
NewPinType
Unique Client ID
Network Timeout
(seconds)
Reauthentication
Name Check
Auto-Enroll
Save
Clear
Clears fields.
Cancel
Download Files
This section describes how to download the relevant Client policy files for the Secure Login
Client. Use the files generated with this option, if you want to export the client policy file for
the current (active) instance.
Details
ClientPolicy.xml
Instance profile configuration (Enroll URL) and client
policy (Policy URL) in XML format.
Customer.zip
Registry key that includes the configuration of the
client profile (Policy URL).
You can use this registry file for the Secure Login
Client installation to define where the client profiles
can be retrieved.
To download the desired file, click it.
customerAll.reg
Download
Parameter
Details
Generate
GlobalCustomer.reg
GlobalCustomerAll.reg
GlobalClientPolicy.xml
If using the Global Client Policy, note that you need to define unique application template
names in each instance.
Remember to use the Generate button after making changes in instances.
Monthly Log
Information about the instance.
Daily Log
Information about the user authentication.
Log Analysis
Summary of statistical information for the instance.
Log Setting
Configuration of the log settings.
Archive Log
Archived logs are shown here.
Monthly Log
Details
Log Month
Date
Time
Code
Level
Description
Daily Log
Details
Log Date
Time
Client
DNS/IP
View As
User
Action
Result
ACM_NEW_PIN_REQUIRED
Password/PIN change was requested.
ACM_NEW_PIN_REJECTED
New password/PIN not accepted.
ACM_NEW_PIN_ACCEPTED
New password/PIN change was accepted.
OK
Initial action was successful
INTERNAL_SERVER_ERROR
Server error.
INVALID_MESSAGE_FORMAT
Invalid or incomplete client communication.
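As an added example that is not part of the SAP guide, a first-pass analysis over Daily Log rows using the result codes listed above: it flags users with repeated ACM_NEW_PIN_REJECTED results, clients that repeatedly produce INVALID_MESSAGE_FORMAT, and the number of INTERNAL_SERVER_ERROR rows. The rows are constructed for this example in the Daily Log column order (Time, Client DNS/IP, User, Action, Result); the real CSV export layout and the action names are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample rows (not a real export); host names and addresses are made up.
SAMPLE_DAILY_LOG = """time,client,user,action,result
08:01:12,ws-0105.corp.example,alice,AUTHENTICATE,OK
08:02:40,10.0.0.7,bob,AUTHENTICATE,ACM_NEW_PIN_REQUIRED
08:02:55,10.0.0.7,bob,NEW_PIN,ACM_NEW_PIN_REJECTED
08:03:10,10.0.0.7,bob,NEW_PIN,ACM_NEW_PIN_REJECTED
08:03:30,10.0.0.7,bob,NEW_PIN,ACM_NEW_PIN_REJECTED
08:03:51,10.0.0.7,bob,NEW_PIN,ACM_NEW_PIN_ACCEPTED
08:05:00,10.0.0.9,,AUTHENTICATE,INVALID_MESSAGE_FORMAT
08:05:02,10.0.0.9,,AUTHENTICATE,INVALID_MESSAGE_FORMAT
08:06:15,ws-0105.corp.example,carol,AUTHENTICATE,INTERNAL_SERVER_ERROR
"""

# Result codes documented for the Daily Log; anything else is reported separately.
KNOWN_RESULTS = {
    "OK", "ACM_NEW_PIN_REQUIRED", "ACM_NEW_PIN_REJECTED", "ACM_NEW_PIN_ACCEPTED",
    "INTERNAL_SERVER_ERROR", "INVALID_MESSAGE_FORMAT",
}


def analyze_daily_log(text, pin_reject_threshold=3, malformed_threshold=2):
    """Summarise one day's rows and flag patterns worth a closer look.

    - pin_reject_users: users whose new PIN/password was rejected at least
      pin_reject_threshold times (policy confusion or guessing);
    - malformed_clients: clients with at least malformed_threshold
      INVALID_MESSAGE_FORMAT rows, i.e. something other than a working Secure
      Login Client is talking to the enroll URL;
    - server_errors: INTERNAL_SERVER_ERROR rows, which point at the server itself.
    """
    rows = list(csv.DictReader(io.StringIO(text)))
    results = Counter(row["result"] for row in rows)
    rejects = Counter(row["user"] for row in rows if row["result"] == "ACM_NEW_PIN_REJECTED")
    malformed = Counter(row["client"] for row in rows if row["result"] == "INVALID_MESSAGE_FORMAT")
    return {
        "rows": len(rows),
        "results": dict(results),
        "unknown_results": sorted(set(results) - KNOWN_RESULTS),
        "pin_reject_users": sorted(u for u, n in rejects.items() if n >= pin_reject_threshold),
        "malformed_clients": sorted(c for c, n in malformed.items() if n >= malformed_threshold),
        "server_errors": results["INTERNAL_SERVER_ERROR"],
    }
```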
Log Analysis
You can use the Log Analysis to analyze statistical information about user authentication.
To display the statistical information, define the desired start and end date and choose the
Analysis button.
Option
Details
The interval (in days) after which the next log cleanup
starts.
The default value is 30 days.
Save
Cancel
Archived Log
This section describes the Archive Log page.
Archived log files are stored in the log file directory defined in Log Setting.
Option
Details
The name under which the server has saved the log file(s).
Selected
To download a log file archive, select an archive from the Selected column and choose
Download. You are prompted to choose a location. The log files are in ZIP format.
To delete a log file archive, select an archive from the Selected column and choose Delete.
Option
Details
Client Policy
PKI Structure
Criteria
Details
Date
Version
Uptime
Instance ID
Configuration URL
Configuration Status
Lock Status
Lock Status = No
Chosen Instance is not locked. Everything is OK and the
Instance is up and running.
Lock Status = Yes
Chosen Instance is locked, which means it has encountered
a problem. In this case, check the server information pane in
the top left of the screen for tasks yet to be performed as
well as the log files for possible problems.
Server Build
For example if you want to define a different user authentication mechanism for this
instance, deactivate the option User Default in JaasModule and define a new value.
After you have performed the configuration, choose the OK button to continue.
Option
Details
Add
Edit
Delete
Assign Role
Add a User
To create a new user, choose the Add button.
Details
ID
Name
Password
Confirm Password
Disabled
Change Password
External Login
Save
Cancel
Passwords used in the Secure Login Server are restricted by the password policy.
Password cannot be empty
Length of the password must be between 8 and 20 characters
Password must contain at least one uppercase letter
Password must contain at least one lowercase letter
Password must contain at least one digit
Password must contain at least one of the special characters
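As an added example that is not part of the SAP guide, a checker that applies the six password policy rules listed above and reports every rule a candidate violates. The guide does not enumerate "the special characters"; string.punctuation is assumed here, and the function names are hypothetical.

```python
import string

# Assumption: the guide's "special characters" are taken to be ASCII punctuation.
SPECIAL_CHARACTERS = frozenset(string.punctuation)


def check_sls_password(password):
    """Return the list of policy rules the password violates; an empty list means compliant."""
    if not password:
        return ["Password cannot be empty"]
    violations = []
    if not 8 <= len(password) <= 20:
        violations.append("Length of the password must be between 8 and 20 characters")
    if not any(c in string.ascii_uppercase for c in password):
        violations.append("Password must contain at least one uppercase letter")
    if not any(c in string.ascii_lowercase for c in password):
        violations.append("Password must contain at least one lowercase letter")
    if not any(c in string.digits for c in password):
        violations.append("Password must contain at least one digit")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        violations.append("Password must contain at least one of the special characters")
    return violations


def is_sls_password_compliant(password):
    """True when the password satisfies every rule of the policy."""
    return not check_sls_password(password)
```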
Assign a Role
Choose the desired user and choose the Assign Role button.
Option
Details
ID*
Name*
Permission List
Instance List
4 Other Configurations
This section describes some additional configuration steps.
http://<host_name>:<port>/nwa
Choose Configuration Management and Authentication and Single Sign-On.
Choose the tab Authentication and the configuration option Login Modules.
The following Secure Login Server Login Modules are available:
SPNegoLoginModule
This login module is used to verify user credentials against a Microsoft Windows domain.
SecureLoginModuleLDAP
This login module is used to verify user credentials against an LDAP Server or Microsoft
Active Directory System.
SecureLoginModuleRADIUS
This login module is used to verify user credentials against a RADIUS Server.
SecureLoginModuleSAP
This login module is used to verify user credentials against an SAP ABAP server.
The names of the Secure Login Server Login Modules are used in Instance configuration.
Refer to section 3.4 Instance Management.
SPNegoLoginModule
To configure SPNego, use the appropriate configuration wizard. For more information, see
the SAP NetWeaver Library 7.3 under SAP NetWeaver Library: Function-Oriented View >
Security> User Authentication and Single Sign-On > Integration in Single Sign-On (SSO)
Environments > Single Sign-On for Web-Based Access > Using Kerberos Authentication.
SPNegoLoginModule works in close conjunction with the user management engine (UME).
Remember that you may need to configure the mapping mode of the Kerberos Principal
Name to the UME or to change Customizing settings of the UME data source configuration.
For more information, see the SAP NetWeaver Library 7.3 under SAP NetWeaver Library:
Function-Oriented View > Security> User Authentication and Single Sign-On > Integration in
Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using
Kerberos Authentication > Configuring the UME for Kerberos Mapping.
SecureLoginModuleLDAP
Choose the login module SecureLoginModuleLDAP and choose the Edit button to configure
its parameters.
Option
Details
LdapBaseDN
LdapHost*
LdapProviderLanguage
LdapTimeout
Period of time the Secure Login Server waits for a response before
PasswordExpirationGracePeriod
The interval (in days) for a password expiry warning message to be sent
to the client prior to a password expiring.
ServerID
TrustStore
Path to the Java certificate key store used by Secure Login Server. The
certificate key store is used to enable LDAP over SSL (LDAPS).
Use of the Java key store (*.jks) is mandatory when using LDAP over
SSL (LDAPS).
By default, no value is defined.
LDAPS is required. Configure the following value:
Microsoft Windows
<INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\Instances\TrustStore.jks
Linux
/usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances/TrustStore.jks
SecureLoginModuleRADIUS
Choose the login module SecureLoginModuleRADIUS and choose the Edit button to
configure its parameters.
Option
Details
Authenticator*
AuthPort*
PinAlphanumeric
PinMax
PinMin
RADIUSServerIP*
ServerIniFile
SharedSecret*
TimeOut*
SecureLoginModuleSAP
Choose the Login Module SecureLoginModuleSAP and choose the Edit button to configure
its parameters.
Option
Details
Client*
CREDDIR
Example: D:\usr\sap\ABC\J00\sec
Linux
<ASJava_Installation>/sec
Example: /usr/sap/ABC/J00/sec
PasswordAlphanummeric
PasswordMax
PasswordMin
SAPaccount*
SAPServer*
SNCServerName*
SystemNo*
[Figure: four Secure Login Server instances, each bound to one Login Module and its authentication server: Instance 1 SecureLoginModuleLDAP (LDAP Server), Instance 2 SecureLoginModuleSAP (ABAP Server), Instance 3 SecureLoginModuleRADIUS (RADIUS Server), Instance 4 SPNegoLoginModule (Java Server/ADS)]
If your Mozilla Firefox browser does not open an extension installation dialog, but only allows
you to save this file, you have the following choices:
Choose the option Open with and choose the Mozilla Firefox application.
Save the file to your Desktop, then drag and drop it into any Firefox window.
Ask your Web portal administrator to add a new MIME type application/x-xpinstall for XPI
files.
Note that some configuration files are still stored in the default folder (sapsnc).
In the navigation tree, choose the node Certificate Management, and use the SAP CA to
create a LOGIN_CERT certificate.
In the certificate attribute Subject Alternative Names (E-mail), define the name that will be
mapped with the attribute Certificate Login ID in User Management (for example:
LoginCert_Admin). Save the settings, export this certificate in P12 format and import it in
the desired Administrator User environment (for example, import in Internet Explorer
browser).
In the navigation tree, choose the node User Management and edit the desired user.
Choose the option SSL Certificate Login and define the parameter Certificate Login ID
(for example: LoginCert_Admin).
Save the configuration and restart the Secure Login Server application server.
Start the Secure Login Administration Console by calling its URL using HTTPS (which is
enabled for certificate based login) and the user should be authenticated automatically.
A message box might appear, prompting you to choose the desired certificate. In this
case, choose the certificate to be used for logon.
Access to the operating system, where the Secure Login Server application is installed.
Access to the key file for server credentials encryption. The key file is a file on the
Secure Login Server with random content and is used to secure password information in
configuration files. This key file was generated in the Initial Wizard (section 2.6.1 Initial
Configuration).
Step 1
Log on to the operating system, where the Secure Login Server is installed.
Edit the file SLSRecoverPassword.bat (Microsoft Windows) or SLSRecoverPassword.sh
(Linux) and change the path to the file iaik_jce.jar.
Microsoft Windows
<ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\servlet_jsp\securelogin\root\WEB-INF\lib\SLSRecoverPassword.bat
SLSRecoverPassword.bat
@echo off
SET IAIK_JARS_PATH=D:\usr\sap\ABC\J00\j2ee\cluster\bootstrap\iaik_jce.jar
IF NOT EXIST "%IAIK_JARS_PATH%" GOTO ErrorLib
java -cp "SLSRecoverPassword.jar;%IAIK_JARS_PATH%" com.secude.util.misc.SecudeUtilities %*
GOTO End
:ErrorLib
ECHO IAIK Library not found, please correct the path to the library in this script!
:End
Linux
<ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/servlet_jsp/securelogin/root/WEB-INF/lib/SLSRecoverPassword.sh
SLSRecoverPassword.sh
#!/bin/sh
# please check if this path points to the correct location of
# the iaik library
IAIK_JARS_PATH=/usr/sap/ABC/J00/j2ee/cluster/bootstrap/iaik_jce.jar
if [ -f "$IAIK_JARS_PATH" ]; then
    java -cp "SLSRecoverPassword.jar:$IAIK_JARS_PATH" com.secude.util.misc.SecudeUtilities "$@"
else
    echo "IAIK Library not found, please correct the path to the library in this script!"
fi
Step 2
Obtain the encrypted password string for the desired user. The encrypted password string is
later used in the command line tool. The user information is available in the configuration file
user.xml, which is located in the directory specified below:
Microsoft Windows
<INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\Instances\user.xml
Linux
/usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances/user.xml
user.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Users>
  <User disable="false" id="Admin" lanCode="en_US" name="Administrator" predefined="true" roles="Super User">
    <Password>encrypted_password_string</Password>
  </User>
</Users>
Step 3
Open a command line shell and change to the folder where the file SLSRecoverPassword.bat
(Microsoft Windows) or SLSRecoverPassword.sh (Linux) is located.
Microsoft Windows
<ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\servlet_jsp\securelogin\root\WEB-INF\lib\SLSRecoverPassword.bat
Linux
<ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/servlet_jsp/securelogin/root/WEB-INF/lib/SLSRecoverPassword.sh
Start the following command to decrypt and display the password for the desired user.
SLSRecoverPassword decrypt encrypted_password_string <file_location_of_the_key_file>
Example
SLSRecoverPassword decrypt Encrypted Password String D:\usr\sap\ServerKeyFile\KeyFile.txt
The password is displayed.
Output of SLSRecoverPassword Command
Encode password=Encrypted Password String with key file=D:\usr\sap\ServerKeyFile\KeyFile.txt
Out is <Password>
4.9 Monitoring
This section describes how to retrieve the Secure Login Server status; for example,
integration in Network Monitoring Tools. Several interfaces are available.
Type
Description
PolicyURL
STRING
PolicyTTL
DWORD
NetworkTimeout
DWORD
DisableUpdatePolicyOnStartup
DWORD
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\applications\<Application Name>]
Parameter
Type
Description
GssTargetName
STRING
profile
STRING
allowFavorite
DWORD
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<Profile Name>]
Parameter
Type
Description
profileName
STRING
pseType
STRING
Authentication type.
promptedlogin
Using this profile, the user will be requested
to enter the user credentials.
windowslogin
Using this profile, the user credentials will
be provided automatically (only available for
Microsoft Windows authentication)
Default value is windowslogin
enrollURL0
STRING
httpProxyURL
STRING
reAuthentication
DWORD
gracePeriod
DWORD
inactivityTimeout
DWORD
Value 0
No timeout. SSO without constraints.
The default value is 0.
autoReenrollTries
DWORD
autoEnroll
DWORD
keySize
DWORD
UniqueClientID
STRING
networkTimeout
DWORD
sslHostCommonNameCheck
DWORD
DWORD
sslHostExtensionCheck
DWORD
userWarningMSIE
DWORD
newPinType
STRING
Details
Version
V3
Asymmetric Algorithm
RSA Algorithm
Key Usage
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Certificate Signing
Off-line CRL Signing
CRL Signing
Basic Constraints
Subject Type=CA
Path Length Constraint=None
The RSA Key Length depends on the customer requirements. We recommend that you
use 2048 Bit RSA keys or higher.
The user CA certificate should include the complete certificate chain. This means all
public certificate information of the chain should be provided.
Typically the file is provided in P12 format. The Secure Login Server requires the PSE format for
import via the Secure Login Administration Console.
Use the SAP tool SAPGENPSE to convert the P12 format to PSE format.
sapgenpse import_p12 -x <PSE_password> -z <P12_password> -p <PSE_file_name>.pse <P12_file_name>.p12
Log on to the Secure Login Administration Console and import the PSE file in Certificate
Management. Choose USER_CA and the option Import Certificate.
Restart the Secure Login Server Application.
Concept
Install and run several Secure Login Servers on different AS Java servers that act as failover
servers. The URLs of the available Secure Login Servers are listed in the Enroll URL
parameter of the client policy; this is the list the Secure Login Client consults to decide which
path to use. If the first Secure Login Server is down, it moves on to the next Secure Login
Server specified in the list.
Configuration
1. Log on to the administration console.
2. Choose Instance Management > DefaultServer Configuration > Client Configuration
and go to the Profiles tab.
3. Choose the Add Profile button to get to the Add/Modify Client Profile screen.
4. Behind the URL of the Enroll URL parameter, choose the Add button. A new row with
the previous URL as default value appears.
5. Enter the URL to the failover Secure Login Server. To configure more Secure Login
Servers as failover servers, add new rows and enter the relevant URLs.
6. Save your entries.
We recommend that you maintain this failover configuration in all Secure Login Servers you
use. For more information about the parameter Enroll URL, see 4.10.2 Applications and
Profiles.
5 Configuration Examples
This section describes some configuration examples for Secure Login Server.
This user certificate is displayed in the Secure Login Client Console and is
available in the Microsoft Certificate Store (User Certificate Store).
12. Create a technical user (for Secure Login Server) in SAP User Management (for
example, SLSSNC), define authorizations and configure the SNC Name (for
example, CN=SLSSNC).
For more information, see section 4.3 Create Technical User in SAP Server.
13. Install the Secure Login Client application on the client PC (for more information, see
the Installation, Configuration and Administration Guide for the Secure Login Client).
Import the customer.reg files into the client registry.
Verify whether the certificate chain (trust relation) of the SSL server certificate is in
the Microsoft Certificate Store (Computer Certificate Store). Import missing
certificates.
14. Restart your client PC.
15. In Secure Login Client the profile defined in Instance Management is displayed in
Secure Login Client Console.
Double-click this profile and enter the SAP user name and password.
After successful authentication, an X.509 user certificate is provided.
This user certificate is displayed in the Secure Login Client Console and is available
in the Microsoft Certificate Store (User Certificate Store).
6 Troubleshooting
This section gives additional information about troubleshooting for Secure Login Server.
Log on to the Secure Login Administration Console and check the log information in
Instance Log Management. Check if the user authentication is displayed. If this is not the
case, there may be a problem on the Secure Login Client or Secure Login Web Client.
Verify the following parameter in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<profile_name>]
enrollURL0 = <URL>
Check whether the enrollURL is configured for the desired instance. Check in Secure
Login Administration Console Instance Management.
Copy this URL to the browser application and check if a response is displayed (ignore the
responses ERROR_ACTION or INTERNAL_SERVER_ERROR).
Change the URL of the parameter enrollURL to HTTP and check if this works.
If this works, there is a problem with the HTTPS connection.
If you are using HTTPS, the problem may relate to the certificate trust relationship.
If this is the case, import the root certificate, on which the SSL server certificate depends
and move it to the Microsoft Certificate Store (Computer Certificate Store).
Choose the node Certificate Management and verify whether the parameter Mapping to
Instance (USER_CA) is enabled (checkbox) for this instance.
Start SAP NetWeaver Administrator and verify the connection configuration parameter in
Login Module SecureLoginModule<respective_authentication_server_type>.
Restart the Secure Login Server Application. For some configuration issues in Secure
Login Administration Console a restart of the Secure Login Server Application is required.
Enable the Server Trace in the Secure Login Administration Console (section 6.3 Enable
Secure Login Server Trace) and start the diagnostic trace tool in SAP NetWeaver
Administrator.
Log on to SAP NetWeaver Administrator and choose Problem Management. Choose
Logs and Traces and Security Troubleshooting Wizard.
Choose the diagnostic type Authentication and start the trace by choosing Start
Diagnostics.
Repeat the user authentication in Secure Login Client or Secure Login Web Client.
Stop the trace by choosing the Stop Diagnostics button, and analyze the results.
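The registry check in the steps above (enrollURL0 under the profiles key) and the client policy value tables in section 4 lend themselves to a scripted audit of an exported customer.reg. As an added example that is not part of the SAP guide, a small .reg parser plus an audit that flags enroll URLs not using HTTPS (the steps above switch to HTTP only as a diagnostic), disabled SSL host name checks, and an inactivityTimeout of 0. The sample .reg text is constructed; the reading of the DWORD values (1 = check enabled) is an assumption, since the guide lists the value names but not their meanings.

```python
import re

# Constructed customer.reg-style fragment (not a real export); the key paths follow
# the guide, the host name and values are made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\SAP Logon]
"profileName"="SAP Logon"
"pseType"="windowslogin"
"enrollURL0"="http://sls.example.test:50000/securelogin/enroll"
"httpProxyURL"=""
"inactivityTimeout"=dword:00000000
"sslHostCommonNameCheck"=dword:00000000
"sslHostExtensionCheck"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\applications\SAP GUI]
"profile"="SAP Logon"
"allowFavorite"=dword:00000001
'''

PROFILES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles" + "\\"
_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)+)"=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: value}}; dword values as int, strings unescaped."""
    keys, current = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = _VALUE_RE.match(line)
        if match is None or current is None:
            continue  # comments and hex(...) continuation lines are ignored here
        name, data = match.groups()
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def audit_profiles(reg):
    """Return {profile_name: [issue, ...]} for every profile key in the parsed registry."""
    findings = {}
    for path, values in reg.items():
        if not path.startswith(PROFILES_KEY):
            continue
        issues = []
        # enrollURL0, enrollURL1, ...: a deployed policy should point at HTTPS endpoints.
        for name in sorted(n for n in values if n.startswith("enrollURL")):
            url = values[name]
            if not isinstance(url, str) or not url.lower().startswith("https://"):
                issues.append(f"{name} does not use HTTPS")
        for name in ("sslHostCommonNameCheck", "sslHostExtensionCheck"):
            if values.get(name) != 1:  # assumption: DWORD 1 = check enabled
                issues.append(f"{name} is not enabled")
        if values.get("inactivityTimeout", 0) == 0:  # 0 = no timeout (guide default)
            issues.append("inactivityTimeout is 0 (SSO without constraints)")
        findings[path[len(PROFILES_KEY):]] = issues
    return findings
```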
Log on to Secure Login Administration Console and verify the log information in Instance
Log Management. Check if the user authentication is displayed. If this is not the case,
there may be a problem in the Secure Login Client or Secure Login Web Client.
Start SAP NetWeaver Administrator and verify the connection configuration parameter in
Login Module SecureLoginModuleSAP.
Verify whether an SNC certificate was provided to Secure Login Library PSE
environment.
Verify whether the file pse.zip is available in folder <ASJava_Installation>\sec
Start the command line shell and change to the folder <ASJava_Installation>/exe.
Set the environment SECUDIR=<ASJava_Installation>/sec
Use the command: snc O <SAP Service User> status v
Microsoft Windows Example: snc O SAPServiceABC status v
Linux Example: snc O abcadm status v
Verify whether a technical user was created on the SAP ABAP server.
Verify SAP user access rights (authorization profiles).
Verify whether the SNC name is configured correctly.
Enable Secure Login Library trace and analyze the problem. For more information, see
section 6.4 Enable Secure Login Library Trace.
Unix/Linux Example
sec_log_file_filename.txt
/etc/sec/log-%.PID.%.txt
Details
No trace
Errors
PseInstance<instance_number>.lock
If the Configuration.properties file can be read by Secure Login Server and a lock becomes
necessary, Secure Login Server creates an instance-based lock. The directory for the
instance-based lock is specified by the property LockDir in Configuration.properties.
The PseInstance<instance_number>.lock file is written to the folder:
Microsoft Windows
<INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\
Instances\<instance_number>\
Linux
/usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances/<i
nstance_number>/
Analyze and solve the problem before deleting the lock file or changing the status in
Secure Login Administration Console (use the Unlock button).
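As an added example (example code, not part of SAP's product or this guide), the script below reads LockDir from Configuration.properties and lists which Instances/<instance_number>/ folders currently hold a PseInstance<instance_number>.lock file, so an administrator can see what is locked before analyzing the cause and using Unlock. It assumes a Java-style key=value properties file and that LockDir points at the securelogin folder containing Instances/; the sample tree it builds is constructed data, and the function names are the example's own.

```python
import os
import re
import tempfile

# lock file name documented above; the instance number is the capture group
LOCK_NAME = re.compile(r"^PseInstance(\d+)\.lock$")


def read_lock_dir(properties_path: str) -> str:
    """Return the LockDir value from Configuration.properties (assumed key=value format)."""
    with open(properties_path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(("#", "!")):
                continue  # blank line or comment
            key, sep, value = line.partition("=")
            if sep and key.strip() == "LockDir":
                return value.strip()
    raise KeyError("LockDir not set in " + properties_path)


def locked_instances(lock_dir: str) -> dict:
    """Map instance number -> lock file path for every Instances/<n>/ folder under
    lock_dir (assumed to be the securelogin folder) that holds a PseInstance<n>.lock."""
    found = {}
    instances = os.path.join(lock_dir, "Instances")
    for inst in sorted(os.listdir(instances)):
        inst_dir = os.path.join(instances, inst)
        if not os.path.isdir(inst_dir):
            continue
        for name in os.listdir(inst_dir):
            m = LOCK_NAME.match(name)
            if m:
                found[m.group(1)] = os.path.join(inst_dir, name)
    return found


def make_sample_tree() -> str:
    """Build a constructed, throw-away layout (two instances, only 01 locked) and
    return the path of its Configuration.properties; sample data, not SAP's real tree."""
    base = tempfile.mkdtemp(prefix="sls-")
    for inst in ("00", "01"):
        os.makedirs(os.path.join(base, "Instances", inst))
    open(os.path.join(base, "Instances", "01", "PseInstance01.lock"), "w").close()
    props = os.path.join(base, "Configuration.properties")
    with open(props, "w", encoding="utf-8") as fh:
        fh.write("# constructed sample\nLockDir=" + base + "\n")
    return props


def report(properties_path: str) -> list:
    """Instance numbers that are currently locked, sorted."""
    return sorted(locked_instances(read_lock_dir(properties_path)))
```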
Solution
Open regedit and locate the parameter TcpTimedWaitDelay under:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the value for TcpTimedWaitDelay to 30 seconds.
Description
Solution
JAAS_LDAP_ERROR
JAAS_RADIUS_ERROR
AUTH_RESULT_ACTION_OK_MSG
Authentication successful.
AUTH_RESULT_ACTION_DENIED_MSG
Authentication denied.
NEW_PIN_REPLY_ACCEPTED_MSG
NEW_PIN_REPLY_REJECTED_MSG
A new PIN/password is required.
AUTH_SERVER_TIMEOUT_MSG
CERT_CREATE_ERROR
Instance Management.
CERT_INIT_ERROR
PSE_ADMIN_ERROR
PSE_ARCHIVE_ERROR
PSE_CREATE_ERROR
PSE_HANDLING_ERROR
PSE_INIT_ERROR
PSE_IO_ERROR
PSE_SERVER_ERROR
PSE_SERVER_TIMEOUT
Description
CALL_BACK_ENTRY_NOT_FOUND
CALL_FUNCTION_DEST_TYPE
CALL_FUNCTION_NO_SENDER
CALL_FUNCTION_DESTINATION_NO_T
CALL_FUNCTION_NO_DEST
CALL_FUNCTION_OPTION_OVERFLOW
CALL_FUNCTION_NO_LB_DEST
CALL_FUNCTION_NO_RECEIVER
CALL_FUNCTION_NOT_REMOTE
CALL_FUNCTION_REMOTE_ERROR
CALL_FUNCTION_SIGNON_INCOMPL
CALL_FUNCTION_SIGNON_INTRUDER
CALL_FUNCTION_SIGNON_INVALID
CALL_FUNCTION_SIGNON_REJECTED
CALL_FUNCTION_SINGLE_LOGIN_REJ
CALL_FUNCTION_SYSCALL_ONLY
CALL_FUNCTION_TABINFO
CALL_FUNCTION_TABLE_NO_MEMORY
CALL_FUNCTION_TASK_IN_USE
CALL_FUNCTION_TASK_YET_OPEN
CALL_FUNCTION_NO_AUTH
No RFC authorization.
CALL_RPERF_SLOGIN_AUTH_ERROR
CALL_RPERF_SLOGIN_READ_ERROR
RFC_NO_AUTHORITY
CALL_FUNCTION_BACK_REJECTED
CALL_XMLRFC_BACK_REJECTED
CALL_FUNCTION_DEST_SCAN
CALL_FUNCTION_DEST_SCAN
CALL_FUNCTION_CONFLICT_TAB_TYP
CALL_FUNCTION_CREATE_TABLE
CALL_FUNCTION_UC_STRUCT
CALL_FUNCTION_DEEP_MISMATCH
CALL_FUNCTION_WRONG_VALUE_LENG
CALL_FUNCTION_PARAMETER_TYPE
CALL_FUNCTION_ILLEGAL_DATA_TYP
CALL_FUNCTION_ILLEGAL_INT_LEN
CALL_FUNCTION_ILL_INT2_LENG
CALL_FUNCTION_ILL_FLOAT_FORMAT
point number.
CALL_FUNCTION_ILL_FLOAT_LENG
CALL_FUNCTION_ILLEGAL_LEAVE
CALL_FUNCTION_OBJECT_SIZE
CALL_FUNCTION_ROT_REGISTER
7 List of Abbreviations
Abbreviation
Meaning
ADS
CA
Certification Authority
CAPI
CSP
DN
Distinguished Name
EAR
HTTP
HTTPS
IAS
JAAS
JSPM
LDAP
NPA
PIN
PKCS
PKCS#10
PKCS#11
PKCS#12
PKI
PSE
RADIUS
RFC
RSA
SAR
SAP Archive
SCA
SLAC
SLC
SLL
SLS
SLWC
SNC
SSL
UPN
WAR
Web Archive
WAS
8 Glossary
Authentication
A process that checks whether a person is really who they claim to be. In a multi-user or
network system, authentication means the validation of a user's logon information. A user's
name and password are compared against an authorized list.
Base64 encoding
The Base64 encoding is a three-byte to four-characters encoding based on an alphabet of
64 characters. This encoding has been introduced in PEM (RFC1421) and MIME. Other
uses include HTTP Basic Authentication Headers and general binary-to-text encoding
applications.
Note: Base64 encoding expands binary data by 33%, which is quite efficient.
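As an added illustration of the three-byte to four-character mapping described above (example code, not part of this SAP document), the encoder below builds Base64 by hand from the 64-character alphabet, checks the expansion ratio, and forms the HTTP Basic Authentication header value the glossary mentions; the function names are the example's own.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64_encode(data: bytes) -> str:
    """Encode bytes as Base64 by hand: each group of 3 input bytes (24 bits) becomes
    4 output characters of 6 bits each; a short final group is zero-padded and the
    missing positions are marked with '='."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        # pack up to 3 bytes into a 24-bit integer, zero-filling any missing bytes
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        # slice the 24 bits into four 6-bit indexes into the alphabet, MSB first
        chars = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # 1 input byte -> 2 real characters + "==", 2 bytes -> 3 characters + "="
        out.append("".join(chars[:n + 1]) + "=" * (3 - n))
    return "".join(out)


def expansion_ratio(n_bytes: int) -> float:
    """Encoded length divided by raw length; for whole 3-byte groups this is exactly
    4/3, the 33% growth the glossary quotes (padding makes short inputs a bit worse)."""
    return len(b64_encode(bytes(n_bytes))) / n_bytes


def basic_auth_header(user: str, password: str) -> str:
    """Build the HTTP Basic Authentication header value mentioned in the glossary.
    Base64 only encodes; it does not hide the password, which is why Basic
    authentication must travel over HTTPS."""
    return "Basic " + b64_encode(f"{user}:{password}".encode("utf-8"))
```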
CAPI
See Cryptographic Application Programming Interface
Certificate
A digital identity card. A certificate typically includes:
Certificate Store
Sets of security certificates belonging to user tokens or certification authorities.
CREDDIR
A directory on the Server in which information is placed that goes beyond the PSE
(personal security environment).
Credentials
Used to establish the identity of a party in communication. Usually they take the form of
machine-readable cryptographic keys and/or passwords. Cryptographic credentials may
be self-issued, or issued by a trusted third party; in many cases the only criterion for
issuance is unambiguous association of the credential with a specific, real individual or
other entity. Cryptographic credentials are often designed to expire after a certain period,
Directory Service
Provides information in a structured format. Within a PKI: contains information about the
public key of the user of the security infrastructure, similar to a telephone book (e.g. an
X.500 or LDAP directory).
Key Usage
Key usage extensions define the purpose of the public key contained in a certificate. You can
use them to restrict the public key to as few or as many operations as needed. For example,
if you have a key used only for signing, enable the digital signature and/or non-repudiation
extensions. Alternatively, if a key is used only for key management, enable key
encipherment.
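As an added example (not from the SAP document) of the key usage extension just described, the code below decodes and encodes the RFC 5280 KeyUsage BIT STRING and labels a certificate as signing-only or key-management-only in the glossary's terms; the byte values are the standard DER encodings, while the function and label names are the example's own.

```python
# RFC 5280 KeyUsage bit names in BIT STRING order (bit 0 = digitalSignature)
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
)
SIGNING_ONLY = {"digitalSignature", "nonRepudiation"}
KEY_MANAGEMENT_ONLY = {"keyEncipherment", "keyAgreement"}


def decode_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage BIT STRING (tag 0x03) into the set of usage names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] > 0x7F or len(der) != 2 + der[1]:
        raise ValueError("not a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS[:total_bits]):
        # bit 0 is the most significant bit of the first content byte
        if body[i // 8] & (0x80 >> (i % 8)):
            usages.add(name)
    return usages


def encode_key_usage(usages) -> bytes:
    """Inverse of decode_key_usage, in DER minimal form (trailing zero bits dropped)."""
    field, highest = 0, -1
    for i, name in enumerate(KEY_USAGE_BITS):
        if name in usages:
            field |= 1 << (15 - i)  # 16-bit field with bit 0 at the MSB
            highest = i
    if highest < 0:
        return bytes([0x03, 0x01, 0x00])  # empty BIT STRING: no usage asserted
    nbytes = highest // 8 + 1
    unused = nbytes * 8 - (highest + 1)
    body = (field >> (16 - nbytes * 8)).to_bytes(nbytes, "big")
    return bytes([0x03, 1 + nbytes, unused]) + body


def classify(usages: set) -> str:
    """Label a usage set in the glossary's terms: signing-only (digitalSignature and/or
    nonRepudiation), key-management-only (keyEncipherment/keyAgreement), mixed, or
    unrestricted when the extension asserts nothing at all."""
    if not usages:
        return "unrestricted"
    if usages <= SIGNING_ONLY:
        return "signing-only"
    if usages <= KEY_MANAGEMENT_ONLY:
        return "key-management-only"
    return "mixed"
```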
PKCS#11
PKCS refers to a group of Public Key Cryptography Standards devised and published by
RSA Security. PKCS#11 is an API defining a generic interface to cryptographic tokens.
PEM
See Privacy Enhanced Mail.
PIN
See Personal Identification Number.
Public FSD
Public file system device. An external storage device that uses the same file system as
the operating system.
Root certification
The certificate of the root CA.
RSA
An asymmetric cryptographic procedure, developed by Rivest, Shamir, and Adleman in
1977. It is the most widely used algorithm for encryption and authentication, and is used in
many common browsers and mail tools. Security depends on the length of the key: key
lengths of 1024 bits or higher are regarded as secure.
Single Sign-On
A system that administers authentication information, allowing a user to log on to
systems and open programs without the need to enter authentication every time
(automatic authentication).
Token
A security token (or sometimes a hardware token, authentication token or cryptographic
token) may be a physical device that an authorized user of computer services is given to
aid in authentication. The term may also refer to software tokens.
Smart-card-based USB tokens (which contain a Smart Card chip inside) provide the
functionality of both USB tokens and Smart Cards. They enable a broad range of security
solutions and provide the abilities and security of a traditional Smart Card without
requiring a unique input device (Smart Card reader). From the computer operating
system's point of view, such a token is a USB-connected Smart Card reader with one
non-removable Smart Card present.
Tokens provide access to a private key that allows performing cryptographic operations.
The private key may be persistent (like a PSE file, Smart Card, and CAPI container) or
non-persistent (like temporary keys provided by Secure Login).
X.500
A standardized format for a tree-structured directory service.
X.509
A standardized format for certificates and certificate revocation lists (blocking lists).