Installation, Configuration, and Administration Guide
SAP NetWeaver Single Sign-On SP4
Secure Login Library
PUBLIC
Document Version: 1.4 – September 2012

© 2012 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Terms for Included Open Source Software
This SAP software also contains the following third-party open source software products, each of which is subject to the license terms of its copyright holders:
OpenLDAP (http://www.openldap.org/): The OpenLDAP Public License Version 2.8, 17 August 2003. Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. OpenLDAP is a registered trademark of the OpenLDAP Foundation.
PCRE (http://www.pcre.org/): Release 8 of PCRE is distributed under the terms of the "BSD" licence. Basic library functions written by Philip Hazel, Copyright (c) 1997-2010 University of Cambridge, Cambridge, England. C++ wrapper functions contributed by Google Inc., Copyright (c) 2007-2010 Google Inc.
SSLeay (http://www2.psy.uq.edu.au/~ftp/Crypto/ssleay/): Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. Products including this software must display the acknowledgement "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" and, where Windows-specific application code is included, "This product includes software written by Tim Hudson (tjh@cryptsoft.com)".
Typographic Conventions

Type Style        Description
Example text      Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text      Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT      Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text      Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text      Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>    Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT      Keys on the keyboard, for example, F2 or ENTER.

Icons

The icons used in this guide mark the following kinds of information: Caution, Example, Note, Recommendation, Syntax.
Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help > General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Contents

1 What is Secure Login?
2 Secure Login Library Installation
3 Secure Login Library Configuration
4 Configuration Options
5 Using Certificate Revocation Lists
6 Use Cases
7 Troubleshooting
8 List of Abbreviations
9 Glossary
1 What is Secure Login?

Secure Login is an innovative software solution created specifically to improve user and IT productivity and to protect business-critical data in SAP business solutions through secure single sign-on to the SAP environment. Secure Login provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components. Examples:
- SAP GUI and SAP NetWeaver platform with Secure Network Communications (SNC)
- Web GUI and SAP NetWeaver platform with Secure Socket Layer – SSL (HTTPS)
- Third party application server supporting X.509 certificates

In a default SAP setup, users enter their SAP user name and password on the SAP GUI logon screen. SAP user names and passwords are transferred through the network without encryption. To secure networks, SAP provides a Secure Network Communications interface (SNC) that enables users to log on to SAP systems without entering a user name or password, thus providing secure single sign-on to SAP. Secure Login allows you to benefit from the advantages of SNC without the need to set up a Public Key Infrastructure (PKI). If a PKI has already been set up, the digital user certificates of the PKI can also be used by Secure Login. Secure Login also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) with SSL.
The SNC interface can also pass calls through the Secure Login Library to encrypt all communication between the SAP GUI and a SAP server.

Secure Login allows users to authenticate via one of the following authentication mechanisms:
- Windows Domain (Active Directory Server)
- RADIUS server
- LDAP server
- SAP NetWeaver server
- Smart card authentication

An existing PKI structure or the Kerberos technology can be used for user authentication. The Secure Login Web Client is also provided.

1.1 System Overview

Secure Login is a client/server software system integrated with SAP software to facilitate single sign-on, alternative user authentication, and enhanced security for distributed SAP environments. The Secure Login solution includes three components:
- Secure Login Server: Central service that provides X.509v3 certificates (out of the box PKI) to users and application servers.
- Secure Login Client: Client application that provides security tokens (Kerberos and X.509 technology) for a variety of applications.
- Secure Login Library: Cryptographic library for the SAP NetWeaver ABAP system. The Secure Login Library supports X.509 and Kerberos technology in parallel.

You do not need to install all of the components. This depends on your use case scenario. The Secure Login Library is integrated with SAP software to provide single sign-on capability and enhanced security. For more information about Secure Login Server and Secure Login Client, see their Installation, Configuration and Administration Guides.

1.2 Main System Components

The following figure shows the Secure Login system environment with the main system components:
Figure: Secure Login System Environment with existing PKI and Kerberos
The Secure Login Client is responsible for the certificate-based authentication and Kerberos-based authentication to the SAP Application Server and for secure communication. For more information about Secure Login Server and Secure Login Client, see the Installation, Configuration and Administration Guide.

2 Secure Login Library Installation

This section explains how to install Secure Login Library. You can download the SAP NetWeaver Single Sign-On software from the SAP Service Marketplace. Go to https://service.sap.com/swdc and choose Support Package and Patches > Browse our Download Catalog > SAP NetWeaver and complementary products > SAP NetWeaver Single Sign-On > SAP NetWeaver Single Sign-On 1.0 > Comprised Software Component Versions > Secure Login Library 1.0.

2.1 Prerequisites

This section deals with the prerequisites and requirements for the installation of Secure Login Library. The Secure Login Library is available for the following operating systems:
AIX 32-bit; AIX 64-bit; HP-UX on IA-64 64-bit; HP-UX on PA-RISC 32-bit; HP-UX on PA-RISC 64-bit; Linux on IA32 32-bit; Linux on IA-64 64-bit; Linux on Power 64-bit; Linux on x86_64 64-bit; Linux on zSeries 64-bit; MacOS X 64-bit; Solaris on SPARC 32-bit; Solaris on SPARC 64-bit; Solaris on x64_64 64-bit; TRU64 64-bit; Microsoft Windows Server on IA32 32-bit; Microsoft Windows on IA-64 64-bit; Microsoft Windows on x64 64-bit

Hardware Requirements
Hard Disk Space: 10 MB
Random Access Memory: min. 1 GB

Software Requirements

Operating Systems:
Microsoft Windows Server 2003 x64 64-bit
Microsoft Windows Server 2003 on IA-64 64-bit
Microsoft Windows Server 2008 x64 64-bit
Microsoft Windows Server 2008 on IA-64 64-bit
Microsoft Windows Server 2008 R2 x64 64-bit
Microsoft Windows Server 2008 R2 on IA-64 64-bit
AIX 5.3 Power 64-bit
HP-UX 11.23, 11.31 PA-RISC 64-bit
HP-UX 11.23, 11.31 IA-64 64-bit
Solaris 9, 10 SPARC 64-bit
Solaris 10 x64 64-bit
Linux SLES 9, 10, 11 x86_64 64-bit
Linux SLES 9, 10, 11 IA-64 64-bit
Linux SLES 9, 10, 11 Power 64-bit
Linux RHEL 4, 5, 6 x86_64 64-bit
Linux RHEL 4, 5, 6 IA-64 64-bit
Linux RHEL 4, 5, 6 Power 64-bit
OSF1 5.1 Alpha 64-bit
Mac OS X 10.5 Universal (32-bit / 64-bit)

SAP Application Server:
SAP R/3 Release 4.6C
SAP R/3 Enterprise Release 4.70
SAP Web Application Server 6.10
SAP Web Application Server 6.20
SAP NetWeaver 2004
SAP NetWeaver 7.0
SAP NetWeaver 7.0 EHP1
SAP NetWeaver 7.0 EHP2
SAP NetWeaver 7.10
SAP NetWeaver 7.30

SAPCRYPTOLIB: The SAPCRYPTOLIB is required to use the transaction STRUST (PSE Management).

For more information, see the Product Availability Map of SAP NetWeaver Single Sign-On 1.0.

2.2 Installation on a Microsoft Windows Operating System

Before starting the installation process, the Secure Login Library software SECURELOGINLIB.SAR must be available. Copy the file to the target SAP NetWeaver Application Server. Secure Login Library must be installed in a directory to which the Application Server has access at runtime. We recommend that you create this directory below the SAP NetWeaver Application Server.

Step 1 - Create Folder SLL
Create a new folder named SLL in:
<INSTDIR>\<SID>\DVEBMGS<instance_number>\SLL
Microsoft Windows Example: D:\usr\sap\ABC\DVEBMGS00\SLL

Step 2 - Extract SECURELOGINLIB.SAR
Extract the file SECURELOGINLIB.SAR to the new folder with the SAPCAR command line tool:
sapcar -xvf <SourcePath>\SECURELOGINLIB.SAR -R <INSTDIR>\<SID>\DVEBMGS<instance_number>\SLL
Example: sapcar -xvf D:\SECURELOGINLIB.SAR -R D:\usr\sap\ABC\DVEBMGS00\SLL

Step 3 - Test Secure Login Library
To verify Secure Login Library, use the following snc command:
<INSTDIR>\<SID>\DVEBMGS<instance_number>\SLL\snc.exe
Microsoft Windows Example: D:\usr\sap\ABC\DVEBMGS00\SLL\snc.exe
The system displays further information about the Secure Login Library. The test is successful if the product version is displayed.
Figure: Verify Secure Login Library with the command snc
2.3 Installation on a UNIX/Linux Operating System

Before starting the installation process, the Secure Login Library software SECURELOGINLIB.SAR must be available. Copy the file to the target SAP NetWeaver Application Server. Secure Login Library must be installed in a directory to which the Application Server has access at runtime. We recommend that you create this directory below the SAP NetWeaver Application Server.

Perform the configuration steps for the Secure Login Library with the user account that will start the SAP application (for example, <SID>adm). Once configuration is complete, the <SID>adm user needs to have access rights to the Secure Login Library.

Step 1 - Create Folder SLL
Create a new folder named SLL in:
<INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL
Example: /usr/sap/ABC/DVEBMGS00/SLL

Step 2 - Extract SECURELOGINLIB.SAR
Extract the file SECURELOGINLIB.SAR to the new folder with the SAPCAR command line tool:
sapcar -xvf <SourcePath>/SECURELOGINLIB.SAR -R <INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/
Example: sapcar -xvf /tmp/SECURELOGINLIB.SAR -R /usr/sap/ABC/DVEBMGS00/SLL/

Step 3 - Define File Attributes in UNIX/Linux
To use shared libraries in shell (operating system UNIX/Linux), you need to set the file permission attributes with the following command:
chmod +rx <INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/snc <INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/lib*
Example: chmod +rx /usr/sap/ABC/DVEBMGS00/SLL/snc /usr/sap/ABC/DVEBMGS00/SLL/lib*

To use the shell under the operating system HP-UX with the shared libraries, you need to set an attribute with the following command:
chatr +s enable <INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/snc

Step 4 - Define File Owner in UNIX/Linux
Apply access rights to the user account that will start the SAP application (for example, <SID>adm). Change to the folder <INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/ and use the following command:
chown [OWNER]:[GROUP] *
Example: chown abcadm:sapsys *

Step 5 - Test Secure Login Library
To verify Secure Login Library, use the snc command (in a UNIX/Linux environment, test with user <SID>adm):
<INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/snc
Example: /usr/sap/ABC/DVEBMGS00/SLL/snc
The system displays further information about the Secure Login Library. The test is successful if the product version is displayed.
Figure: Verify Secure Login Library with the command snc

2.4 Updating the Secure Login Library

You can download the Support Package software from the SAP Service Marketplace. Go to https://service.sap.com/swdc and choose Support Package and Patches > Browse our Download Catalog > SAP NetWeaver and complementary products > SAP NetWeaver Single Sign-On > SAP NetWeaver Single Sign-On 1.0. Simply copy the new version to the relevant folder and replace the old library files.

2.5 Uninstallation

This section explains how to uninstall Secure Login Library.

Remove Folder SLL
Remove the folder and the files in it:
Microsoft Windows: <INSTDIR>\<SID>\DVEBMGS<instance_number>\SLL\
UNIX/Linux: <INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/

Deactivate SNC Library Configuration
This step is optional and required only if the Secure Login Library is configured in an SAP NetWeaver instance profile parameter. If you want to deactivate SNC, define the following instance profile parameter and restart the SAP NetWeaver ABAP Application Server:
snc/enable = 0
For more information about the instance profile parameters, see section 3 Secure Login Library Configuration.
3 Secure Login Library Configuration

You perform the SNC configuration for the SAP NetWeaver server system using the instance profile. Use the transaction RZ10 to maintain the SNC profile parameters. For the complete description of the SNC interface and parameters, see the SAP SNC manual (http://help.sap.com).

The Secure Login Library can be configured to accept user authentications based on Kerberos tokens and X.509 certificates. Both authentication mechanisms can be used in parallel. To configure the Secure Login Library for Kerberos, you can use a command line tool.

Prerequisites

The Secure Login Library uses X.509 client or server certificates for SNC connections. If you want to manage your PSEs in the Trust Manager, you must use SAPCRYPTOLIB. SAPCRYPTOLIB comes with the SAP NetWeaver AS ABAP. If you do not run an SAP NetWeaver AS ABAP, download SAPCRYPTOLIB from the SAP Service Marketplace: go to https://service.sap.com/swdc, choose Search for Software Downloads, and look for the relevant download package. You can create or import X.509 certificates in the Trust Manager using the transaction STRUST.

You must set the environment variable secudir if you use SAP NetWeaver AS ABAP 7.0. Otherwise SAP NetWeaver AS ABAP 7.0 does not start.

3.1 SNC X.509 Configuration

This section describes the SNC X.509 certificate configuration. Make sure the X.509 certificates are configured with supported values. The Secure Login Library supports either no key usage in X.509 certificates or one or more supported key usages. The supported key usages depend on whether the X.509 certificate is used for client-server or server-server communication. For a list of the key usages the Secure Login Library supports for SNC, see the following tables.

Key Usage for X.509 Client Certificates for Client-Server Communication

Certificate Fields      Values               Mode
[No key usage field]    [No values]          [No mode]
Key Usage               Digital Signature    sigsession, ParallelSessions mode
Key Usage               Data Encipherment    Encryption
Key Usage               Key Encipherment     Encryption
Key Usage for X.509 Server Certificates for Client-Server and Server-Server Communication

Certificate Field       Key Usage Value       Mode
[No key usage field]    [No values]           [No mode]
Key Usage               Digital Signature     sigsession, ParallelSessions mode (client-server only); Encryption

For client/server communication, the certificates must be provided by a Public Key Infrastructure (PKI). If no PKI is available, the Secure Login Server (out of the box PKI) can be used to provide certificates.

SNC Parameters

Log on to the SAP NetWeaver Application Server using SAP GUI. Start the transaction RZ10 and define the following SNC parameters in the instance profile.

snc/enable
  1  Activate SNC
  0  Deactivate SNC

snc/gssapi_lib
  Define the SNC library:
  Microsoft Windows        <Path>\SLL\secgss.dll
  HP-UX                    <Path>/SLL/libsecgss.sl
  Solaris / Linux / AIX    <Path>/SLL/libsecgss.so

snc/identity/as
  Define the SNC name of the SAP server's security token. This value is case sensitive.
  X.509 Certificate Token: p:<X.509_Distinguished_Name>
  Example: snc/identity/as = p:CN=ABC, OU=SAP Security
  Hint: If an X.509 certificate token and Kerberos tokens are used in parallel, define the X.509 certificate distinguished name here.

snc/data_protection/max     3
snc/data_protection/min     2
snc/data_protection/use     3
snc/r3int_rfc_secure        0
snc/r3int_rfc_qop           8
snc/accept_insecure_cpic    1

snc/accept_insecure_gui
  1  Accept insecure communication. Use this value if both insecure and secure communication is to be allowed for SAP GUI.
  0  Disallow insecure communication. Use this value only if secure communication alone is to be allowed (no insecure communication) for SAP GUI.
  U  User-defined (User Management SU01). Use this value if insecure or secure communication for the SAP GUI application is to be configured per user in the user management tool (SU01).
  We recommend that you set this value to 1. If you want to enforce higher security, change this value to 0 (for all users) or U (user dependent).
snc/accept_insecure_rfc     1
snc/permit_insecure_start   1
snc/force_login_screen      0

Import X.509 Certificate

Start transaction STRUST and import the SAP server certificate. The SAP server certificate must be available in PSE format. From the PSE menu, choose Import and load the PSE file by entering its password.

Figure: Transaction STRUST – Import X.509 Certificate

Navigate back to the PSE menu, choose Save as, and select SNC SAPCryptolib.

Figure: Save PSE as SNC SAPCryptolib

If the certificate distinguished name of the PSE file does not match the SNC name set in the instance profile parameter snc/identity/as, an error message appears. This verification check is performed only if SNC is activated.

You can see the trusted certificates that have been imported with transaction STRUST if you enter the following command:

Microsoft Windows:  <INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/snc -O <SAPServiceSID>
Linux:              <INSTDIR>/<SID>adm/DVEBMGS<instance_number>/SLL/snc -O <SIDadm>

Example
Microsoft Windows:  /usr/sap/ABC/DVEBMGS00/SLL/snc -O SAPServiceABC
UNIX/Linux:         /usr/sap/ABCadm/DVEBMGS00/SLL/snc -O abcadm

Restart SAP NetWeaver Application Server

Verify the following checklist and restart the SAP NetWeaver Application Server:
- Secure Login Library is installed and, if required in the shell, the environment variable SECUDIR is defined.
- SNC parameters are defined in the instance profile.
- Path and filename of the SNC library are configured correctly.
- The SNC name is defined correctly (case sensitive).
- The X.509 certificate for the SAP system has been imported using STRUST.
- File access rights are defined for the Secure Login Library.

3.2 SNC Kerberos Configuration

This section describes the SNC Kerberos configuration.

SNC Parameters

Log on to the SAP NetWeaver Application Server using SAP GUI. Start transaction RZ10 and define the following SNC parameters in the instance profile.

snc/enable
  1  Activate SNC
  0  Deactivate SNC

snc/gssapi_lib
  Define the SNC library:
  Microsoft Windows        <Path>\SLL\secgss.dll
  HP-UX                    <Path>/SLL/libsecgss.sl
  Solaris / Linux / AIX    <Path>/SLL/libsecgss.so

snc/identity/as
  Define the SNC name of the SAP server's security token. This value is case-sensitive.
  Kerberos Token: p:CN=<ServicePrincipalName>
  Example: snc/identity/as = p:CN=SAP/KerberosABC@DEMO.LOCAL
  Hint: If an X.509 certificate token and Kerberos tokens are used in parallel, define the X.509 certificate distinguished name here.

snc/data_protection/max     3
snc/data_protection/min     2
snc/data_protection/use     3
snc/r3int_rfc_secure        0
snc/r3int_rfc_qop           8
snc/accept_insecure_cpic    1

snc/accept_insecure_gui
  1  Accept insecure communication. Use this value if insecure and secure communication should both be allowed for SAP GUI.
  0  Disallow insecure communication. Use this value only if secure communication alone is to be allowed (no insecure communication) for SAP GUI.
  U  User-defined (User Management SU01). Use this value if insecure or secure communication for SAP GUI is to be configured per user in the user management tool (SU01).
  We recommend that you set this value to 1. If you want to enforce higher security, change this value to 0 (for all users) or U (user-dependent).

snc/accept_insecure_rfc     1
snc/permit_insecure_start   1
snc/force_login_screen      0

Microsoft Windows Account for SAP Server

In order to verify user Kerberos authentication, the Secure Login Library requires a Kerberos keytab, which you create using the command line tool provided by the Secure Login Library. The Kerberos keytab contains Kerberos principals and encrypted keys that are derived from the Microsoft Windows user password. Therefore a Microsoft Windows account in Microsoft Active Directory is required. Because the keys are derived from the account password, changing that password invalidates the keytab, which must then be regenerated.

Create a Microsoft Windows Account

Create a new Microsoft Windows account. We recommend the format Kerberos<SID>.

Figure: Create a Microsoft Windows Account

Define a password and choose the options User cannot change password and Password never expires. Make sure the password is as complex as possible.

Figure: Create a Microsoft Windows Account

Define Service Principal Name

The Service Principal Name (SPN) is used to provide Kerberos service tickets to the requesting users. This Service Principal Name is also required for the SNC name configuration. Start the Microsoft Windows tool ADSIEDIT, choose the Microsoft Windows user (in our example: KerberosABC) and define the field servicePrincipalName. The mandatory format is SAP/Kerberos<SID>.

Figure: Define Service Principal Name

Check for Multiple Service Principal Names

If the Secure Login Client does not get a service ticket from the domain controller, this may be because the Service Principal Name used has been assigned several times in the Active Directory system (the KDC cannot issue a ticket for an ambiguous SPN). Use the following command to check this; the -X option of setspn reports duplicate SPNs:

Example: setspn -T * -T foo -X

Create Kerberos Keytab

You create the Kerberos keytab using the command line tool provided by the Secure Login Library. This Kerberos keytab is stored in the Personal Security Environment (pse.zip), which is a container for security tokens.

Create PSE Environment

Log on to the operating system where the Secure Login Library is installed. Perform the configuration steps with the user account that will start the SAP application (for example, <SID>adm). This does not apply to the Microsoft Windows operating system. Open a command line window and change to the Secure Login Library folder.
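The SNC parameter tables in sections 3.1 and 3.2 are the same apart from the token named in snc/identity/as, and two of the checklist items before the restart (correct SNC name, case-sensitive match with the PSE certificate name) are easy to get wrong by hand. The following added example, which is not SAP code and not part of this guide, parses the name = value lines of an instance profile and audits the snc/* parameters against the values given above. The profile excerpt inside it is constructed for illustration; the DN and library path are not from a real system.

```python
"""Audit the snc/* parameters of an SAP instance profile.

Added example (not SAP code). It reads the 'name = value' profile format and
checks the values against sections 3.1 and 3.2 of this guide. The sample
profile below is constructed for illustration.
"""

# Parameter values this guide lists for a Secure Login Library setup.
GUIDE_VALUES = {
    "snc/enable": "1",
    "snc/data_protection/max": "3",
    "snc/data_protection/min": "2",
    "snc/data_protection/use": "3",
    "snc/r3int_rfc_secure": "0",
    "snc/r3int_rfc_qop": "8",
    "snc/accept_insecure_cpic": "1",
    "snc/accept_insecure_gui": "1",
    "snc/accept_insecure_rfc": "1",
    "snc/permit_insecure_start": "1",
    "snc/force_login_screen": "0",
}
# At value 1 the server still accepts connections without SNC on that channel.
ACCEPT_INSECURE = ("snc/accept_insecure_cpic", "snc/accept_insecure_gui",
                   "snc/accept_insecure_rfc")
# Library file names from the snc/gssapi_lib row (Windows, HP-UX, Solaris/Linux/AIX).
GSSAPI_LIB_NAMES = ("secgss.dll", "libsecgss.sl", "libsecgss.so")

SAMPLE_PROFILE = r"""
# constructed instance profile excerpt (not a real system)
snc/enable = 1
snc/gssapi_lib = D:\usr\sap\ABC\DVEBMGS00\SLL\secgss.dll
snc/identity/as = p:CN=ABC, OU=SAP Security
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 8
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/force_login_screen = 0
"""


def parse_profile(text):
    """Return {parameter: value} for 'name = value' lines; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)  # a DN value may itself contain '='
        params[name.strip()] = value.strip()
    return params


def audit_snc(params, pse_dn=None):
    """Return (severity, message) findings; pse_dn is the DN of the imported server certificate."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append(("error", "snc/enable is not 1: SNC is deactivated"))
    lib = params.get("snc/gssapi_lib", "").replace("\\", "/")
    if not lib.endswith(GSSAPI_LIB_NAMES):
        findings.append(("error", "snc/gssapi_lib does not name the Secure Login Library "
                         "(secgss.dll, libsecgss.sl or libsecgss.so)"))
    identity = params.get("snc/identity/as", "")
    if not identity.startswith("p:"):
        findings.append(("error", "snc/identity/as must be 'p:' followed by the token name"))
    elif pse_dn is not None and identity != "p:" + pse_dn:
        # STRUST makes exactly this comparison when SNC is active; it is case-sensitive.
        findings.append(("error", f"snc/identity/as {identity!r} does not match the PSE "
                         f"certificate name {pse_dn!r} (comparison is case-sensitive)"))
    levels = {}
    for name in ("max", "min", "use"):
        key = "snc/data_protection/" + name
        value = params.get(key)
        if value not in ("1", "2", "3"):
            findings.append(("error", f"{key} must be 1 (authentication), 2 (integrity) or 3 (privacy)"))
        else:
            levels[name] = int(value)
    if len(levels) == 3 and not levels["min"] <= levels["use"] <= levels["max"]:
        findings.append(("error", "snc/data_protection levels must satisfy min <= use <= max"))
    for name, expected in GUIDE_VALUES.items():
        if name not in params:
            findings.append(("error", f"{name} is not set (value in this guide: {expected})"))
    for name in ACCEPT_INSECURE:
        if params.get(name) == "1":
            findings.append(("warning", f"{name}=1: logons without SNC are still accepted on this "
                             "channel; set 0 (or U for SAP GUI, per user in SU01) to enforce SNC"))
    return findings


def audit_profile_text(text, pse_dn=None):
    """Convenience wrapper: audit a profile given as text."""
    return audit_snc(parse_profile(text), pse_dn)


if __name__ == "__main__":
    for severity, message in audit_profile_text(SAMPLE_PROFILE, pse_dn="CN=ABC, OU=SAP Security"):
        print(f"{severity.upper():8} {message}")
```

Run against the constructed profile with the matching PSE name, the audit reports no errors and three warnings, one per snc/accept_insecure_* channel still set to 1; a PSE name that differs only in case is reported as an error, which is the same mismatch STRUST refuses at import time.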
Microsoft Windows    <INSTDIR>\<SID>\DVEBMGS<instance_number>\SLL\
UNIX/Linux           <INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/

Temporarily define the environment variable SECUDIR to perform the subsequent configuration steps. The environment variable SECUDIR is defined automatically by the SAP server process. Define this environment variable manually (in the shell) if you need to access the PSE, for example using the snc command line application.

Microsoft Windows
  set SECUDIR=<INSTDIR>\<SID>\DVEBMGS<instance_number>\sec
UNIX/Linux (depends on shell)
  setenv SECUDIR <INSTDIR>/<SID>/DVEBMGS<instance_number>/sec
  export SECUDIR=<INSTDIR>/<SID>/DVEBMGS<instance_number>/sec

If no Personal Security Environment (PSE) is available, enter the following command to create a PSE:

snc crtpse -x <PSE_management_password>

The PSE is created in the path in which the environment variable SECUDIR is defined. By default, a PSE can be used by the host system (if the hostname is correct) or by using this management password. The PSE management password is used if the PSE environment (pse.zip) is copied to another host system. For more information, see section 4.2 Command Line Tool SNC.

Use the command snc to verify the location in which the PSE (pse.zip) was created.

Figure: Verify PSE Location

The PSE directory must point to the <INSTDIR>/<SID>/DVEBMGS<instance_number>/sec folder.

Generate Kerberos Keytab in PSE Environment

To create a Kerberos keytab in the PSE, enter the following command. The Service Principal Name and the password of the Microsoft Windows account are required. The domain name needs to be defined in uppercase.

snc crtkeytab -s SAP/Kerberos<SID>@<DOMAIN> -p <password>

Example
snc crtkeytab -s SAP/KerberosABC@DEMO.LOCAL -p **********

Use the command snc to verify that the Kerberos keytab was generated.

Figure: Verify Kerberos keytab

Restart SAP NetWeaver Application Server

Verify the following checklist and restart the SAP NetWeaver Application Server:
- Secure Login Library is installed and, if required in the shell, the environment variable SECUDIR is defined.
- SNC parameters are defined in the instance profile.
- Path and filename of the SNC library are configured correctly.
- The SNC name is defined correctly (case sensitive).
- The PSE environment was created and the Kerberos keytab has been imported using the Secure Login Library command line tool.
- File access rights are defined for the Secure Login Library.

Verify SAP Server SNC Status

After you have restarted the SAP NetWeaver Application Server, verify the SNC status in the log file dev_w0. The result should be SNC (Secure Network Communication) enabled.

Example: <INSTDIR>\<SID>\DVEBMGS<instance_number>\work\dev_w0

N  SncInit(): Initializing Secure Network Communication (SNC)
N    PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N  SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N  SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found snc/gssapi_lib=D:\usr\sap\ABC\DVEBMGS00\SLL\secgss.dll
N    File "D:\usr\sap\ABC\DVEBMGS00\SLL\secgss.dll" dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
N  SncInit(): found snc/identity/as=p:CN=ABC, OU=SAP Security
N
N  Thu May 05 16:42:15 2011
N  SncInit(): Accepting Credentials available, lifetime=Indefinite
N  SncInit(): Initiating Credentials available, lifetime=Indefinite
M  ***LOG R1Q=> p:CN=ABC, OU=SAP Security [thxxsnc.c 265]
M  SNC (Secure Network Communication) enabled

Another possibility is to use transaction ST11 and open dev_w0.

If there are problems with the SNC configuration, the SAP server system will no longer start. A quick solution is to disable SNC: open the instance profile configuration file and set the parameter snc/enable = 0. Restart the SAP NetWeaver Application Server and then verify the SNC installation and configuration.

3.3 Using Kerberos for SNC with Users in Different Domains

Use Case

You use Kerberos for SNC and you have users in several Active Directory domains. In such an environment, it would be best to have a trust relationship between the different domains. Every user would then be able to receive an authentication ticket from the Domain Controller of this user's domain. As a consequence, the user would be able to use this ticket for the server, which might be in a different domain. Since it is not so easy to configure a trust relationship between different domains, the Secure Login Library also supports another option.

Configuring Kerberos Users for Different Domains (ABAP Server)

You have different Active Directory domains that are managed by different Domain Controllers. Proceed as follows:

1. Create users with a service principal name in each domain. The user names are identical whereas the domain names differ. The user name SAP/Kerberos<SID> is thus known in each domain.
2. Create keytabs for both service principal names. There is a keytab for each domain.
3. The user logs on, and the client receives a Kerberos authentication ticket for SAP/Kerberos<SID> from the domain controller of the user's domain. The server authenticates the ticket because the keytabs of all domains are registered in the server.

Example

You have created the user name KerberosNW1 in the Active Directory domain DOMAIN1.COM with the service principal name SPN=SAP/KerberosNW1@DOMAIN1.COM. This user name is supposed to be used for an ABAP server. In the second domain, called DOMAIN2.COM, you have created a user with the same user name (KerberosNW1). Its service principal name is SPN=SAP/KerberosNW1@DOMAIN2.COM. Now the ABAP server accepts Kerberos authentication tickets from users of both domains because keytabs for both domains are available.

3.4 Authentication with X.509 Certificates and Kerberos

Use Case

You already have an authentication method in place that is based on SNC server certificates. To add users who are able to log on with Kerberos, you need a name in the CN part (of the SNC name) that enables users to perform a Kerberos authentication as well. All users use the message server to authenticate at the application server. During the authentication process, the message server always sends the same SNC name since it is only able to use one single name. This means that the SNC name in the Network tab is a fixed entry entered by the CA for certificate-based authentication. Depending on the authentication method of the client, the Secure Login Client uses the existing CN part for certificate-based authentication or tries to map the CN part to a Service Principal Name that can be used for Kerberos authentication. If this is not possible, the Secure Login Client converts the CN part as described in SAP Note 1696905.

To configure snc/identity/as, enter the value p:CN=SAP/Kerberos<SID>. It is also possible to set the SNC name of the server automatically to p:CN=SAP/Kerberos<SID>. See also SAP Note 1763075.

4 Configuration Options

This section describes some useful configuration and troubleshooting options.

4.1 Enable Trace

To enable trace, you need to create the files sec_log_file_filename.txt and sec_log_file_level.txt in the following folder:

Microsoft Windows    %HOMEDRIVE%%HOMEPATH%\sec or C:\sec
UNIX/Linux           $HOME/sec or /etc/sec

Both files must exist when the application server is started (for example, with level = 0) if you want to be able to activate traces later by changing the trace level.

The file sec_log_file_filename.txt contains the name of the trace file. The name may contain %, which is replaced by the process ID. A typical SAP WebAS creates multiple work processes, so use this feature to avoid parallel access to the same file by all processes.

Example sec_log_file_filename.txt
Microsoft Windows    C:\sec\log-%.txt
UNIX/Linux           /etc/sec/log-%.txt

The file sec_log_file_level.txt contains the trace level as a single digit.

Example sec_log_file_level.txt
4

Value   Details
0       No trace
1       Errors
2       Errors and warnings
3       Errors, warnings, logs
4       Errors, warnings, logs, and information messages
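The check described under Verify SAP Server SNC Status in section 3.2 (look for the SNC (Secure Network Communication) enabled line in dev_w0 and confirm the identity and protection levels) can be automated. The following added example, which is not SAP code and not part of this guide, parses the SncInit() lines of a work process trace. The trace excerpt inside it is constructed after the lines shown in section 3.2; the paths and the DN are not from a real system, and the meaning of the three protection levels (1 authentication, 2 integrity, 3 privacy) is taken from the "Integrity Level" and "Privacy Level" annotations in the trace.

```python
"""Check the SNC status lines of an SAP work process trace (dev_w0).

Added example (not SAP code). It reads the SncInit() lines written at server
start and reports whether SNC came up with the expected identity and levels.
The trace below is a constructed excerpt modelled on section 3.2.
"""
import re

SAMPLE_DEV_W0 = r"""
N  SncInit(): Initializing Secure Network Communication (SNC)
N    PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N  SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N  SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found snc/gssapi_lib=D:\usr\sap\ABC\DVEBMGS00\SLL\secgss.dll
N    File "D:\usr\sap\ABC\DVEBMGS00\SLL\secgss.dll" dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
N  SncInit(): found snc/identity/as=p:CN=ABC, OU=SAP Security
N  SncInit(): Accepting Credentials available, lifetime=Indefinite
N  SncInit(): Initiating Credentials available, lifetime=Indefinite
M  ***LOG R1Q=> p:CN=ABC, OU=SAP Security [thxxsnc.c 265]
M  SNC (Secure Network Communication) enabled
"""

LEVEL_RE = re.compile(r"found snc/data_protection/(max|min|use)=(\d), using (\d)")
SETTING_RE = re.compile(r"found (snc/identity/as|snc/gssapi_lib)=(.*)$")
LOG_IDENTITY_RE = re.compile(r"\*\*\*LOG R1Q=> (.*?) \[")
ENABLED_LINE = "SNC (Secure Network Communication) enabled"


def parse_snc_status(trace):
    """Collect what SncInit() reported: levels, identity, library, credentials, final status."""
    status = {"enabled": False, "accepting": False, "initiating": False,
              "levels": {}, "identity": None, "gssapi_lib": None, "log_identity": None}
    for raw in trace.splitlines():
        line = raw.strip()
        m = LEVEL_RE.search(line)
        if m:
            status["levels"][m.group(1)] = int(m.group(3))  # the level actually in use
            continue
        m = SETTING_RE.search(line)
        if m:
            key = "identity" if m.group(1) == "snc/identity/as" else "gssapi_lib"
            status[key] = m.group(2).strip()
            continue
        m = LOG_IDENTITY_RE.search(line)
        if m:
            status["log_identity"] = m.group(1).strip()
            continue
        if "Accepting Credentials available" in line:
            status["accepting"] = True      # server can verify client tokens
        elif "Initiating Credentials available" in line:
            status["initiating"] = True     # server can authenticate to peers (RFC)
        elif line.endswith(ENABLED_LINE):
            status["enabled"] = True


    return status


def check_snc_status(trace, expected_identity):
    """Return (status, problems); an empty problem list means SNC is up as configured."""
    status = parse_snc_status(trace)
    problems = []
    if not status["enabled"]:
        problems.append("dev_w0 does not report '%s'" % ENABLED_LINE)
    if status["identity"] != expected_identity:
        problems.append("snc/identity/as in dev_w0 is %r, expected %r (case-sensitive)"
                        % (status["identity"], expected_identity))
    if not status["accepting"]:
        problems.append("no accepting credentials: check the PSE/keytab in SECUDIR")
    if not status["initiating"]:
        problems.append("no initiating credentials: the server cannot open SNC connections itself")
    if status["levels"].get("use", 0) < 3:
        problems.append("snc/data_protection/use below 3: application data is not encrypted")
    return status, problems


if __name__ == "__main__":
    st, probs = check_snc_status(SAMPLE_DEV_W0, "p:CN=ABC, OU=SAP Security")
    print("SNC enabled:", st["enabled"], "levels:", st["levels"])
    for p in probs:
        print("PROBLEM:", p)
```

On the constructed trace the check reports no problems; removing the final enabled line, or passing an identity that differs only in case, produces one problem each, which mirrors the two most common causes of a server that will not start with SNC active.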
4.2 Command Line Tool SNC

We recommend that you use the trust manager (ABAP transaction STRUST) for all actions related to the Personal Security Environment (PSE). Use the SNC command line tool only for functions that are not covered by the trust manager, for example Kerberos keytab functions. For more information on the trust manager, see the SAP Help Portal at Trust Manager.

The SNC command line tool enables you to perform the following tasks:
- Display security token information
- Create a Personal Security Environment (pse.zip)
- Import X.509 certificates
- Certificate management
- Create and import a Kerberos keytab
- Create a root CA token and an SNC server token

You get detailed help when you enter snc -H in the command line.

SNC Tool Commands

Command           Description
snc status        Shows the current status of the security tokens (Kerberos keytab and X.509 certificates).
snc test          Tests the SNC function. Using the registered key for client and server authentication, this command performs a certificate-based login for testing.
snc register      Registers a security token in the PSE. This command uses either the absolute path to the certificate file (PKCS#12 format) or the token URI.
snc unregister    Removes a security token which is registered in the Personal Security Environment (PSE).
snc trust         Displays the list of trusted certificates. You can add trusted certificates to the PSE or remove them.
snc crtpse        Creates a PSE (pse.zip file) with system credentials in the path specified in the variable SECUDIR. Using the system credentials enables you to access the PSE without knowing the PSE password. You can also use a key file for enhanced protection of the PSE.
snc cred          Adds or removes system credentials for a specific host or a user in a PSE. You can also use a key file for enhanced protection of the PSE.
snc keytab        Manages a keytab object in the PSE.
snc crtkeytab     Creates a Kerberos keytab file. You need to know the Service Principal Name and the password of the Microsoft Windows Kerberos service user.
snc createroot    Creates a root CA token with private key and X.509 certificate. This command saves the token as PKCS#12 and PSE file in the current path.
snc createserver  Creates an SNC server token with private key and X.509 certificate including the root certificate. This command saves the token as PKCS#12 and PSE file in the current path.

If the environment variable SECUDIR is not defined, set it before using the snc command to:

<INSTDIR>/<SID>/DVEBMGS<instance_number>/sec

To call the snc command, add the <INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL directory to the PATH variable or call snc together with the following path:

Microsoft Windows    <INSTDIR>\<SID>\DVEBMGS<instance_number>\SLL\snc.exe
UNIX                 <INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/snc

4.2.1 Display Software Version Numbers

Go to the installation directory and use the command snc or snc status to display the version numbers of the installed software. You get the following output:

Example:
Product version : Secure Login Library 1.0 SP 4 PL xx : CryptoLib 8.3.2 : windows-x86-64

The CryptoLib versions delivered with the support packages SP0/ATS, SP1, SP2, SP3 and SP4 are in the 8.3 series (8.3.2, 8.3.3, 8.3.5, 8.3.7).

4.2.2 Display Security Token Information

Use the snc status command to display the security tokens (Kerberos keytab and X.509 certificates), from very basic to very detailed. The level of detail increases with the qualifiers -v, -V, -w, and -W.

snc status -V
Use the following command to save the status in a zip file with many details:

snc status -W -f snc_status.zip

To display the status for a specific user, use the following command:

snc -O <user_name> status -v

Example:
snc -O abcadm status -v
snc -O SAPServiceABC status -v

4.2.3 Test SNC Function

Use the following command to test the SNC function with a certificate-based login:

snc test -n <certificate_name>

Example:
snc test -n "CN=server, O=SAP AG, C=DE"

4.2.4 Create PSE Environment

Use the following command to create a Personal Security Environment (PSE):

snc crtpse -P <PSE_master_password>

The PSE (pse.zip) is created in the path specified by the environment variable SECUDIR. By default, only the host system where this PSE is created, and all users on it, have access to the PSE. It is not possible to use this PSE (pse.zip) on another host system without creating new credentials. Use the following commands:

Add new credentials for a new host name
snc cred -P <PSE_master_password> -n <credential_name> -s <new_host_name>

Add new credentials for a new user
snc cred -P <PSE_master_password> -u <new_user>

Add new credentials and encrypt content
snc cred -P <PSE_master_password> -n <credential_name> -f <server_key_file>

The server key file is a file on the server with random content which is used to encrypt the credentials in the PSE. You can use any kind of file which is larger than 32 bytes. Do not change the path or content of the credentials because, if you do so, you cannot access the credentials any longer.

4.2.5 Distributing PSEs in a Cluster Environment

To distribute PSEs in a cluster environment with the servers SERVA, SERVB, and SERVC, you must add your credentials to the PSE for every server. Use the following steps:

1. Generate a PSE on SERVA with the following command:
   snc crtpse -P <PSE_master_password>
2. Register your PKCS#12 file in the PSE for the SERVA server. The password-protected PKCS#12 file is only valid for SERVA. To do so, use the following command:
   snc register -f <full_file_path><file_name>.p12 -x <token_password> -n ""
   Always specify the full path name of the P12 file. The service is unable to work with relative path names.
3. Now you need to add your credentials to the PSE and make it valid for SERVB as well. For this purpose, proceed with the following command for SERVB:
   snc cred -P MyPassword -n ForEntireCluster -s SERVB -u <SERVB_SID>adm
4. Proceed with the corresponding command and add the credentials for SERVC to the PSE:
   snc cred -P MyPassword -n ForEntireCluster -s SERVC -u <SERVC_SID>adm
   After that the PSE is valid for all these servers and is ready for distribution.
5. Copy the file pse.zip from SERVA to the servers SERVB and SERVC. The respective credentials are saved automatically.

Now you have successfully distributed your PSE with your credentials to the entire cluster.

4.2.6 Register PKCS#12 to PSE

Use this command to register a key/certificate pair in PKCS#12 format in the Personal Security Environment:

snc register -f <full_file_path><file_name>.p12 -n ""

Example
snc register -f C:\Certificate\cert.p12 -n ""

Use the command snc status -V to verify the import and to display the value for toksw. If you do not want to worry about the location of the PKCS#12 file, copy it into pse.zip and register it with the following command:

Example:
snc register -f cert.p12 -n ""

If the registered token was copied into the pse.zip file, snc status -V shows this in the toksw value.

4.2.7 Unregister Security Token from PSE

Use this command to remove a security token which is registered in the Personal Security Environment. You can unregister the security token by specifying the file with its absolute path:

Example
snc unregister -P <PSE_master_password> -f C:\Certificate\cert.p12

Alternatively, get the token URI with the status command and use that information to unregister the token URI:

snc status -V
snc unregister -u <URI_from_status>

4.2.8 Create Kerberos Keytab

When you want to create a Kerberos keytab in the PSE, you need the Service Principal Name and the password of the Microsoft Windows Kerberos service user. To create a Kerberos keytab in the PSE, enter the following command:

snc crtkeytab -s SAP/Kerberos<SID>@<DOMAIN> -p <Kerberos_service_user_password>

Example
snc crtkeytab -s SAP/KerberosABC@DEMO.LOCAL -p **********

4.2.9 Import Trusted Certificate to PSE

Use this command to import a certificate (for example, a trusted Root CA certificate) into the Personal Security Environment:

snc trust -a <certificate_file>

Example
snc trust -a C:\Certificate\RootCA.cer

4.2.10 Remove Trusted Certificate from PSE

Use this command to remove a certificate (for example, a trusted Root CA certificate) from the Personal Security Environment:

snc trust -d <Distinguished_Name>

Example
snc trust -d "CN=Certificate, OU=SAP Security"

Use the command snc status -v to display the certificate Distinguished Name.

4.2.11 Create Root CA Token

If no PKI (public-key infrastructure) for SNC connections is available in your company, you can create one with snc createroot and snc createserver. Use the command snc createroot to create a root CA token with private key and X.509 certificate:

snc createroot -r <root_CA_file_name> -P <CA_password> -N <root_SNC_name>

Example
snc createroot -r sncrootcatoken -P ******** -N "CN=SAP SNC RootCA, O=Company, C=DE"

Result:
sncrootcatoken.pse
sncrootcatoken.p12
sncrootcatoken.crt

After the creation, the root CA token is stored as PKCS#12, PSE, and CRT file (certificate only) in the current path.

4.2.12 Create SNC Server Token

Use the command snc createserver to create an SNC server token with private key and X.509 certificate and root certificate:

snc createserver -r <root_file_name> -P <CA_password> -p <P12_password>

In the following example, you use the root CA token created in 4.2.11 Create Root CA Token to issue a server token.

Example
snc createserver -r sncrootcatoken -s server -n "CN=server, O=SAP AG, C=DE" -P <CA_password> -p <P12_password>

Result:
server.pse
server.p12
server.crt

After the creation, the server token is stored in the current path as PKCS#12, PSE, and CRT file (certificate only). Use the trust manager (see Trust Manager) to import the PSE file as SNC SAPCryptolib PSE.

4.3 Communication Protocol Parameters

In the file gss.xml, you can configure the SNC communication protocol for server-to-server and client-to-server communication. You can, for example, define the communication protocols to use, configure the algorithms for the protection of application data, keys, and algorithms for encryption and digital signatures. You can also configure formats for the Distinguished Name, integrate elements such as e-mail addresses, and shorten long and complicated names.

Use the following syntax: include one value in a parameter, or list several values separated by blanks.

Example
<namecharset>latin1</namecharset>
<protocol_2010>
  <ciphers>aes256 aes128 rc4</ciphers>
</protocol_2010>
4.3.1 Reference of the Communication Protocol Parameters (Server)

The following table contains the parameters that are valid for SNC on the server.

Configuration Parameters of gss.xml (Server Functions Only)

Parameter                 Values                                   Description
namecharset               utf8 | latin1                            Character set used to exchange names with the application. Default: latin1
nameconversions           (with parameter options)                 Replaces excessively long name components with shorter ones. Useful when a server application stores the client name in a database field with an insufficient maximum size.
  searchstr               <long_client_name>                       Enter the complete client name for name conversion.
  replstr                 <short_client_name>                      Enter the abbreviated client name to save storage space in the database.
UpperCaseClientName       true | false                             During SNC communication, the client sends the Distinguished Name (DN) of the client certificate in mixed case by default. Set to true to send the DN in uppercase.
ClientNameSource          AltNameEMail AltNameEMailWithoutDomain AltNameDNS AltNameDName AltNameIP AltNameUPN AltNameUPNWithoutDomain Subject
                                                                   Subject alternative name from the user certificate to be sent as the SAP SNC name. Enter the options separated by a space. The server tries the subject alternative names in order and takes the first option it can use.
protocol_1993             <SNC_CRYPTOLIB_protocol>                 Specifies whether to use the 1993 communication protocol, which is compatible with SAPCRYPTOLIB 5.5 (with parameter options).
  use                     true | false                             Specifies whether or not the 1993 communication protocol is used. Default: true
  algs_encr               aes256 aes192 aes128 des3                List of encryption algorithms available. The system uses the first one that is possible. Default: all
  algs_hash               sha512 sha384 sha256 sha1 ripemd160      List of available hash algorithms. The system uses the first algorithm that is possible. Default: all
  acceptsigmode           true | false                             Specifies whether the client key used for digital signatures is accepted as an authentication method. Default: true
  acceptencrmode          true | false                             Specifies whether the client key used for encryption is accepted as an authentication method. Default: true
  acceptedttl             <temporary_key_lifetime>                 Accepted lifetime of temporary keys (digital signature to keep the session alive) in seconds. Default: 86400 (24 hours)
protocol_2010             <SNC_CRYPTOLIB_protocol>                 Defines whether the server accepts the 2010 communication protocol (with parameter options). This protocol supports authentication with X.509 certificates and Kerberos.
  use                     true | false                             Enables/disables the use of the 2010 protocol. Default: true
  acceptedttl             <temporary_key_lifetime>                 Accepted lifetime of temporary keys (digital signature to keep the session alive) in seconds. Default: 86400 (24 hours)
  ciphers                 aes256 aes128 rc4                        Algorithms used for handshake and application data protection. Default: all
  data_macs               HMAC-SHA256 HMAC-SHA1 HMAC-SHA512 HMAC-RIPEMD160
                                                                   MAC algorithms used for handshake and application data protection. Default: HMAC-SHA256 HMAC-SHA1

4.3.2 Reference of the Communication Protocol Parameters (Client)

A gss.xml file also exists on the client. Depending on your SNC CRYPTOLIB, use either protocol_1993 or protocol_2010. You must specify the same communication protocol on both sides (client and server). The following table contains the parameters that are valid for SNC on the client.

Configuration Parameters of gss.xml (Client Functions Only)

Parameter                 Values                                   Description
protocol_1993             <SNC_CRYPTOLIB_protocol>                 Specifies whether to use the 1993 communication protocol, which is compatible with SAPCRYPTOLIB 5.5 (with parameter options).
  use                     true | false                             Specifies whether or not to use the 1993 communication protocol. Default: true
  algs_encr               aes256 aes192 aes128 des3                List of encryption algorithms available. The system uses the first one that is possible. Default: all
  algs_hash               sha512 sha384 sha256 sha1 ripemd160      List of available hash algorithms. The system uses the first algorithm that is possible. Default: all
  authop                  enc | sig | sigsession | auto            Specifies the authentication mode in the client: enc (encryption certificate), sig (signature certificate), sigsession (signature certificate with the key cached for further sessions), auto (automatic). Default: auto
  age                     <period_in_seconds>                      Specifies a period of key validity before the signing (in seconds). This period acts as a tolerance period if system times vary by a couple of minutes. Default: 600
  ttl                     <period_in_seconds>                      Validity of the temporary key in seconds. Default: 86400 (one day)
protocol_2010             <SNC_CRYPTOLIB_protocol>                 Specifies whether the client uses the 2010 communication protocol (with parameter options). This protocol supports authentication with X.509 certificates and Kerberos.
  use                     true | false                             Enables/disables the use of the 2010 protocol. Default: true
  ciphers                 aes256 aes128 rc4                        Algorithms used for handshake and application data protection. Default: all
  data_macs               HMAC-SHA256 HMAC-SHA1 HMAC-SHA512 HMAC-RIPEMD160
                                                                   MAC algorithms used for handshake and application data protection. Default: HMAC-SHA256 HMAC-SHA1
  ParallelSessions        true | false                             Enables use of the signature certificate with a temporary key. Default: false
  ParallelSessionsTTL     <period_in_seconds>                      Validity of the temporary key in seconds. Default: None

4.4 Use Cases of the Communication Protocol Parameters

4.4.1 Configuring Certificate Lifetime in sigsession and ParallelSessions Mode

Every time you use a token (smart card or soft token) to authenticate, you enter a PIN. If you do not want to be forced to enter this PIN every time you open a session, you have the following options:

In sigsession mode, the client creates a temporary key,
which has a period of validity specified in age and ttl. you enter a PIN. If the value in ttl in the client exceeds the server value of acceptedttl. ttl is the validity of the certificate in seconds. the SNC 42 09/2012 . 4. the session remains valid. It is the time the key cache remains valid.1 Configuring Certificate Lifetime in sigsession and ParallelSessions Mode Every time you use a token (smart card or soft token) to authenticate.) During this period. you have the following options: In sigsession mode. In sigsession mode.4 Use Cases of the Communication Protocol Parameters 4.If you do not want to be forced to enter this PIN every time you open a session. the parameter ParallelSessionsTTL specifies the validity period of the temporary key. you enter a PIN. Whenever you reauthenticate.4. age is the server system time offset relative to the client system time. This period of time is identical with the maximum session length. the client creates a temporary key.4. Example If you use a token (smart card or soft token) to authenticate. Set a value for the system time tolerance in the parameter age in the gss. Restart the server.xml files. 300. To calculate the desired lifetime of the certificate. 3900.xml file of the server. This results in a desired lifetime of 3600 s. Save the file. for example. subtract the period specified in age from the period specified in ttl. proceed as follows: 1. for example. Save the file. Example 3900 s – 300 s = 3600 s To illustrate the behavior of the client and server parameters in the gss. see the following figure. Set the same value for acceptedttl as in ttl (3900) in the gss. 6. 3. 09/2012 43 .xml: <protocol_1993> <acceptsigmode>true</acceptsigmode> <acceptedttl>2000</acceptedttl> </protocol_1993> To specify the lifetime of a certificate in sigsession. Set a value in parameter ttl in the same file. 5. 2.xml file of the client. 4. 
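The rules above (same protocol on both sides, client ttl not exceeding the server acceptedttl, desired lifetime ttl minus age, and the ParallelSessionsTTL check of the next section) can be applied to a pair of configuration files before the server is restarted. The following is an added example written for this guide, not Secure Login Library code: it reads only the <protocol_1993> and <protocol_2010> sections, so the enclosing <gss> and <server> elements of the constructed sample files are assumptions, and the defaults it fills in are the documented ones (age 600, ttl 86400, acceptedttl 86400; the acceptedttl default is reused for protocol_2010 as an assumption).

```python
"""Consistency check of the client and server protocol sections of gss.xml.

Added example for the rules of sections 4.4.1 to 4.4.3; it is not Secure Login Library code.
"""
import xml.etree.ElementTree as ET

DEFAULT_AGE = 600            # documented client default
DEFAULT_TTL = 86400          # documented client default (one day)
DEFAULT_ACCEPTEDTTL = 86400  # documented server default for protocol_1993; assumed for protocol_2010 too


def parse_gss(xml_text):
    """Return {"protocol_1993": {...}, "protocol_2010": {...}} with each section's child texts."""
    root = ET.fromstring(xml_text)
    sections = {}
    for name in ("protocol_1993", "protocol_2010"):
        node = next(root.iter(name), None)
        sections[name] = {} if node is None else {c.tag: (c.text or "").strip() for c in node}
    return sections


def _flag(section, key, default):
    return section.get(key, default).lower() == "true"


def _num(section, key, default):
    return int(section.get(key, default))


def effective_lifetime(client_xml):
    """Desired certificate lifetime in seconds: ttl minus age of the client protocol_1993 section."""
    p = parse_gss(client_xml)["protocol_1993"]
    return _num(p, "ttl", DEFAULT_TTL) - _num(p, "age", DEFAULT_AGE)


def check_pair(client_xml, server_xml):
    """Return a list of findings; an empty list means the two files are consistent."""
    client, server = parse_gss(client_xml), parse_gss(server_xml)
    findings = []

    # 1. The same protocol must be enabled on both sides. An absent <use> is read as the
    #    documented default for protocol_1993 (true); for protocol_2010 we assume false.
    for name, default in (("protocol_1993", "true"), ("protocol_2010", "false")):
        if _flag(client[name], "use", default) and not _flag(server[name], "use", default):
            findings.append(f"client uses {name} but the server does not accept it")

    # 2. sigsession: age must leave a positive lifetime and ttl must not exceed acceptedttl.
    c93, s93 = client["protocol_1993"], server["protocol_1993"]
    if _flag(c93, "use", "true") and c93.get("authop") == "sigsession":
        age, ttl = _num(c93, "age", DEFAULT_AGE), _num(c93, "ttl", DEFAULT_TTL)
        accepted = _num(s93, "acceptedttl", DEFAULT_ACCEPTEDTTL)
        if age >= ttl:
            findings.append(f"age {age} is not smaller than ttl {ttl}: no usable lifetime")
        if ttl > accepted:
            findings.append(f"client ttl {ttl} exceeds server acceptedttl {accepted}: the SNC connection would fail")

    # 3. ParallelSessions: the TTL must be set and must not exceed the server acceptedttl.
    c10, s10 = client["protocol_2010"], server["protocol_2010"]
    if _flag(c10, "use", "false") and _flag(c10, "ParallelSessions", "false"):
        if "ParallelSessionsTTL" not in c10:
            findings.append("ParallelSessions is true but ParallelSessionsTTL is not set")
        elif _num(c10, "ParallelSessionsTTL", 0) > _num(s10, "acceptedttl", DEFAULT_ACCEPTEDTTL):
            findings.append("client ParallelSessionsTTL exceeds server acceptedttl: the SNC connection would fail")
    return findings


# Constructed sample files using the values from this section.
CLIENT_SIGSESSION = """<gss>
  <protocol_1993>
    <use>true</use>
    <authop>sigsession</authop>
    <age>300</age>
    <ttl>3900</ttl>
  </protocol_1993>
</gss>"""
SERVER_MATCHING = """<gss><server>
  <protocol_1993>
    <acceptsigmode>true</acceptsigmode>
    <acceptedttl>3900</acceptedttl>
  </protocol_1993>
</server></gss>"""
SERVER_TOO_SHORT = SERVER_MATCHING.replace("3900", "2000")
CLIENT_PARALLEL = """<gss>
  <protocol_1993><use>false</use></protocol_1993>
  <protocol_2010>
    <use>true</use>
    <ParallelSessions>true</ParallelSessions>
    <ParallelSessionsTTL>1800</ParallelSessionsTTL>
  </protocol_2010>
</gss>"""
SERVER_PARALLEL = """<gss><server>
  <protocol_1993><use>false</use></protocol_1993>
  <protocol_2010><use>true</use><acceptedttl>2000</acceptedttl></protocol_2010>
</server></gss>"""

if __name__ == "__main__":
    print("desired lifetime:", effective_lifetime(CLIENT_SIGSESSION), "s")
    for label, pair in (("sigsession ok", (CLIENT_SIGSESSION, SERVER_MATCHING)),
                        ("sigsession ttl too long", (CLIENT_SIGSESSION, SERVER_TOO_SHORT)),
                        ("ParallelSessions ok", (CLIENT_PARALLEL, SERVER_PARALLEL))):
        print(label + ":", check_pair(*pair) or "consistent")
```

Run it with the real client and server files in place of the constructed strings; a non-empty result is the misconfiguration that would otherwise only show up as an SNC error message after the restart.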
The vertical dotted lines in the figure indicate the time when the certificate is issued or when it is verified. If you verify the validity of the certificate within the period specified by ttl, the verification is successful. Outside the period specified in the ttl parameter, the verification fails.
Use the following syntax for the configuration:
Configuration example
Client configuration of gss.xml:
<protocol_1993>
  <authop>sigsession</authop>
  <age>300</age>
  <ttl>1899</ttl>
</protocol_1993>
Server configuration of gss.xml: see the <protocol_1993> server example above (acceptsigmode true, acceptedttl 2000).

4.4.3 Configuring ParallelSessions Mode
Use parallel session mode for the 2010 protocol.
Example
If you use a token (smart card or soft token) to authenticate, you must enter a PIN. In parallel session mode, the client creates a temporary RSA key, which is cached for re-authentication in further sessions until you close the last session.
1. Enter true in ParallelSessions.
2. Enter a period of time (in seconds) in ParallelSessionsTTL to specify the period of time during which reauthentication can occur.
3. Restart the server.
Ensure that the configuration of acceptedttl (server gss.xml) and ttl (client gss.xml) are identical. If the value in ParallelSessionsTTL in the client exceeds the server value of acceptedttl, the SNC connection produces an error message.
Configuration example
Client configuration of gss.xml:
<protocol_2010>
  <ParallelSessions>true</ParallelSessions>
  <ParallelSessionsTTL>1800</ParallelSessionsTTL>
</protocol_2010>
Server configuration of gss.xml:
<protocol_2010>
  <acceptedttl>2000</acceptedttl>
</protocol_2010>

4.4.4 Define Symmetric Algorithm
This section explains how to define the symmetric algorithm, which is used to secure communication. If SAP GUI establishes a secure communication to the SAP NetWeaver Application Server, the symmetric algorithm is agreed between both partners. By default, the strongest symmetric algorithm that is available on both sides is agreed. It is possible to force the use of, for example, the AES256 symmetric algorithm. You can define this in the Secure Login Library configuration file gss.xml.
The Secure Login Library provides the following symmetric algorithms (priority in this order):
- AES256
- AES192 ("old" protocol 1993 only)
- AES128
- 3DES ("old" protocol 1993 only)
- RC4 ("new" protocol 2010 only)
Secure Login Library has implemented two protocols named protocol_1993 ("old") and protocol_2010 ("new"). The "old" protocol is compatible with SAP Crypto Library (SAPCryptoLib). The "new" protocol supports X.509 certificates and Kerberos tokens in parallel.
Parameter <algs_encr>XXX</algs_encr> (defined in section <protocol_1993>)
Details: Use this parameter to define the symmetric algorithm for the "old" protocol. This protocol is compatible with SAP Crypto Library (SAPCryptoLib). The symmetric algorithm is arranged during the authentication process. By default, the strongest symmetric algorithm that is available on both sides is agreed. It is possible in the Secure Login Library to allow the acceptance of only AES256. You can define the following algorithms: aes256, aes192, aes128, des3. Default is <empty>.
Parameter <ciphers>XXX</ciphers> (defined in section <protocol_2010>)
Details: Use this parameter to define the symmetric algorithm for the "new" protocol. This protocol supports the Kerberos solution. The symmetric algorithm is arranged during the authentication process. By default, the strongest symmetric algorithm that is available on both sides is agreed. It is possible in the Secure Login Library to allow the acceptance of only AES256. You can define the following algorithms: AES256, AES128, RC4. Default is <empty>.
gss.xml
<gss>
  <server>
    <protocol_1993>
      <algs_encr>xxx</algs_encr>
    </protocol_1993>
    <protocol_2010>
      <ciphers>xxx</ciphers>
    </protocol_2010>
  </server>
</gss>

4.4.5 Uppercase Distinguished Name
To support case insensitivity for user certificate names used by SNC, the GSS Distinguished Names presented to SAP SNC may be converted to uppercase. This can be defined in the Secure Login Library configuration file gss.xml.
Parameter <UpperCaseClientName>XXX</UpperCaseClientName>
Details: Define the configuration in parameter <UpperCaseClientName>.
- true: The distinguished name is provided in uppercase.
- false: The distinguished name is provided in mixed case.
Default is false.
gss.xml
<gss>
  <server>
    <UpperCaseClientName>xxx</UpperCaseClientName>
  </server>
</gss>

4.4.6 Alternative Name DN Feature
It is possible to use the Subject Alternative Name from the user certificate that is presented to the SAP SNC interface. You can define this in the Secure Login Library configuration file gss.xml.
Parameter <ClientNameSource>XXX</ClientNameSource>
Details: Defines the configuration in parameter <ClientNameSource>.
- AltNameDNS: DNS name
- AltNameDNAME: Directory name
- AltNameURI: URI
- AltNameIP: IP address
- AltNameUPN: otherName with object identifier. Here the Microsoft User Principal Name is used (otherName type with OID 1.3.6.1.4.1.311.20.2.3).
- AltNameUPNWithoutDomain: otherName with object identifier and without domain. Here the Microsoft User Principal Name is used (otherName type with OID 1.3.6.1.4.1.311.20.2.3) without the domain part of the e-mail address.
- AltNameEMAIL: RFC 822 name.
- AltNameEMAILWithoutDomain: RFC 822 name without domain. Here you can use the local part of an e-mail address without the domain part (j.smith instead of j.smith@company.com).
- Subject: Distinguished Name
Default is <empty>. In this case, the Subject (Distinguished Name) is used.
gss.xml
<gss>
  <server>
    <ClientNameSource>xxx</ClientNameSource>
  </server>
</gss>
You can enter several values separated by commas or spaces. The system uses the first value. If this is not possible, it proceeds to the second value, and so on. An error occurs when no value can be used.
Example 1
The Secure Login Library uses the URI. If the URI is not available, it uses the Subject (Distinguished Name).
<ClientNameSource>AltNameURI Subject</ClientNameSource>
Example 2
The Secure Login Library uses the e-mail address and, as first alternative, the Microsoft User Principal Name. If the second alternative value is not available, an error occurs.
<ClientNameSource>AltNameEMAIL AltNameUPN</ClientNameSource>
If users change their own attributes (for example, e-mail address, first name, last name, etc., through a self-service), and these attributes are used by the user certificate (issued by the Secure Login Server), a situation may occur in which these users are able to assign additional rights to themselves. Thus these users might get rights they are not supposed to have. For this case, we recommend that you implement access restrictions for the change of user attributes.
Example
An AS ABAP uses, for example, certificate-based logon with the users' e-mail addresses in the Distinguished Names. The string in the certificate has the following format: CN=employee@company.com. This means that the user's e-mail address is used for the user mapping in SNC. If an administrator enables the user to change his or her own data, through a self-service, this user now has the possibility to enter, for example, his or her manager's e-mail address (manager@company.com) as attribute. Since this data is usually maintained centrally, this change would also affect the Secure Login Server. If the certification user mapping feature of the Secure Login Server is configured with the e-mail address as an attribute of the certificate, the user receives a certificate with the Distinguished Name CN=manager@company.com. This user is now able to log on to the AS ABAP as his or her manager.

4.4.7 Shorten Long Distinguished Names
It is possible to shorten parts of the distinguished name (SNC Name) from the user certificates that are presented to the SAP SNC interface. The character limit for SAP server systems is 255 characters (in older systems 80 characters). For example, you can remove entire parts such as a company name which are identical for all users. You can define this in the Secure Login Library configuration file gss.xml.
Parameter <searchstr>XXX</searchstr>
Details: In the <nameconversions> section, use the <searchstr> parameter to define the part of the distinguished name to be shortened. Example: OU=Very Long Organization Unit Name
Parameter <replstr>XXX</replstr>
Details: In the <nameconversions> section, the <replstr> parameter is used to define the part of the distinguished name to be replaced. Example: OU=Short Name
gss.xml
<gss>
  <nameconversions>
    <searchstr>VeryLongNameComponent</searchstr>
    <replstr>ShorterNameComponent</replstr>
  </nameconversions>
  <nameconversions>
    <searchstr>AnotherVeryLongNameComponent</searchstr>
    <replstr>AnotherShorterNameComponent</replstr>
  </nameconversions>
</gss>

4.4.8 User Schemas for SNC Names
The SNC names for a certificate-based logon consist of user schema attributes, for example, CN (common name), O (organization), OU (organizationalUnit), or C (country). These attributes comply with the RFC2256 default for user schemas. For more information, see the Summary of the X.500(96) User Schema for Use with LDAPv3. Previous releases of SAPCRYPTOLIB and old SECUDE releases still use a user schema with obsolete attributes. The table below shows RFC2256-compliant attributes and the corresponding obsolete SAPCRYPTOLIB or SECUDE attributes, and the related keywords.
Keyword | RFC2256-Compliant Attribute (Default) | Obsolete SAPCRYPTOLIB or SECUDE Attribute
surname | SN | S
street | STREET | ST
title | TITLE | T
serialNumber | SERIALNUMBER | SN
businessCategory | BUSINESSCATEGORY | BC
description | DESCRIPTION | D
stateOrProvinceName | ST | SP
Default Settings
The default user schema of the Secure Login Library is RFC2256. The configuration is located in the file base.xml. For more information about base.xml, see 5.2 Configuring the CRL Tool. By default, the configuration of the user schema in the file base.xml is empty (meaning RFC2256). If you prefer, you can also enter RFC2256 for clarity.
Example 1
<name>
  <encoding>UTF8</encoding>
  <schema></schema>
  <!-- 'secude'/'sapcryptolib' or 'rfc2256' (default) specifies the schema for order and keywords of name components -->
</name>
Example 2
<name>
  <encoding>UTF8</encoding>
  <schema>rfc2256</schema>
  <!-- 'secude'/'sapcryptolib' or 'rfc2256' (default) specifies the schema for order and keywords of name components -->
</name>
Setting for SAPCRYPTOLIB or SECUDE Release
If customers want to keep their old user schema attributes, overwrite the user schema setting. To switch the Secure Login Library to use the attributes for obsolete SAPCRYPTOLIB or SECUDE releases, open the base.xml file and enter the schema sapcryptolib or secude.
Example 1
<name>
  <encoding>UTF8</encoding>
  <schema>sapcryptolib</schema>
  <!-- 'secude'/'sapcryptolib' or 'rfc2256' (default) specifies the schema for order and keywords of name components -->
</name>
Example 2
<name>
  <encoding>UTF8</encoding>
  <schema>secude</schema>
  <!-- 'secude'/'sapcryptolib' or 'rfc2256' (default) specifies the schema for order and keywords of name components -->
</name>

4.5 User Mapping
This section details how to define the user mapping in SAP user management. For user authentication using security tokens (X.509 certificate or Kerberos token), this mapping is required to define which security token belongs to which SAP user.
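Sections 4.4.5 to 4.4.8 together determine the string that SNC compares against the SU01 mapping: which certificate field supplies the name (ClientNameSource, first usable value wins), which keywords the Subject DN is rendered with (the schema in base.xml; note from the table that SN and ST mean different attributes in the two schemas, so a wrong schema setting silently changes the name), which parts are shortened (<nameconversions>), and whether the result is uppercased. The following added example models that pipeline; it is not Secure Login Library code. The certificate is a constructed dict rather than a parsed X.509 structure, the component order of the rendered DN simply follows the input order, and the "p:" prefix follows the SNC names shown in the user mapping section.

```python
"""Model of SNC name derivation from a user certificate (sections 4.4.5 to 4.4.8).

Added example; not Secure Login Library code.
"""

SNC_NAME_LIMIT = 255  # documented limit for SAP server systems (80 characters on older systems)

# Section 4.4.8 table: RFC2256 keyword (default) -> obsolete SAPCRYPTOLIB/SECUDE keyword.
# Collisions: "SN" is surname in RFC2256 but serialNumber in the old schema, and
# "ST" is stateOrProvinceName in RFC2256 but street in the old schema.
RFC2256_TO_OBSOLETE = {
    "SN": "S",              # surname
    "STREET": "ST",         # street
    "TITLE": "T",           # title
    "SERIALNUMBER": "SN",   # serialNumber
    "BUSINESSCATEGORY": "BC",
    "DESCRIPTION": "D",
    "ST": "SP",             # stateOrProvinceName
}

# ClientNameSource keywords (section 4.4.6) and the constructed certificate field each reads.
SOURCE_FIELDS = {
    "AltNameDNS": "dns", "AltNameDNAME": "dirname", "AltNameURI": "uri", "AltNameIP": "ip",
    "AltNameUPN": "upn", "AltNameUPNWithoutDomain": "upn",
    "AltNameEMAIL": "email", "AltNameEMAILWithoutDomain": "email",
    "Subject": "subject",
}


def render_subject(components, schema=""):
    """Render (rfc2256_keyword, value) pairs as a DN string using the schema's keywords.

    An empty schema means rfc2256, as in base.xml; the obsolete keywords are substituted
    for sapcryptolib and secude.
    """
    schema = (schema or "rfc2256").lower()
    if schema not in ("rfc2256", "sapcryptolib", "secude"):
        raise ValueError(f"unknown schema {schema!r}")
    parts = []
    for keyword, value in components:
        keyword = keyword.upper()
        if schema != "rfc2256":
            keyword = RFC2256_TO_OBSOLETE.get(keyword, keyword)
        parts.append(f"{keyword}={value}")
    return ", ".join(parts)


def select_client_name(cert, client_name_source="", schema=""):
    """Return the first usable value in ClientNameSource order (empty setting: Subject)."""
    sources = client_name_source.replace(",", " ").split() or ["Subject"]
    for source in sources:
        if source not in SOURCE_FIELDS:
            raise ValueError(f"unknown ClientNameSource value {source!r}")
        value = cert.get(SOURCE_FIELDS[source])
        if not value:
            continue  # not present in this certificate: proceed to the next value
        if source == "Subject":
            return render_subject(value, schema)
        if source.endswith("WithoutDomain"):
            return value.split("@", 1)[0]  # local part only
        return value
    raise LookupError(f"no usable name for ClientNameSource {client_name_source!r}")


def apply_name_conversions(name, conversions):
    """Apply each (<searchstr>, <replstr>) pair from the <nameconversions> sections in order."""
    for searchstr, replstr in conversions:
        name = name.replace(searchstr, replstr)
    return name


def snc_name(cert, client_name_source="", conversions=(), uppercase=False, schema=""):
    """Full pipeline; raises ValueError if the result is longer than SNC_NAME_LIMIT."""
    name = apply_name_conversions(select_client_name(cert, client_name_source, schema), conversions)
    if uppercase:  # UpperCaseClientName=true
        name = name.upper()
    if len(name) > SNC_NAME_LIMIT:
        raise ValueError(f"SNC name longer than {SNC_NAME_LIMIT} characters; shorten it with <nameconversions>")
    return "p:" + name


# Constructed sample certificate contents (not a real certificate).
USER_CERT = {
    "subject": [("CN", "j.smith"), ("OU", "Very Long Organization Unit Name"), ("O", "Company"), ("C", "DE")],
    "email": "j.smith@company.com",
    "upn": "jsmith@company.local",
    "uri": None,  # this certificate carries no URI alternative name
}
CONVERSIONS = [("OU=Very Long Organization Unit Name", "OU=Short Name")]

if __name__ == "__main__":
    print(snc_name(USER_CERT, "AltNameURI Subject", CONVERSIONS))
    print(snc_name(USER_CERT, "AltNameEMAIL AltNameUPN"))
    print(render_subject([("SN", "Smith"), ("SERIALNUMBER", "42"), ("ST", "Bavaria")], "secude"))
```

The last call shows why the schema setting matters for the user mapping: the same three components render as "SN=Smith, SERIALNUMBER=42, ST=Bavaria" under rfc2256 and as "S=Smith, SN=42, SP=Bavaria" under secude, and only one of the two strings matches an SNC name maintained in SU01.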
For smooth and straightforward integration, we recommend that you use the SAP NetWeaver Identity Management solution to manage user mapping.
Manual Configuration
Start the user management tool by calling transaction SU01. Choose the SNC tab. If you are using Kerberos authentication, enter the Kerberos user name in the SNC name field. If you are using X.509 certificate based authentication, enter the X.509 Certificate Distinguished Name in the SNC name field. Note that the definition of the SNC name is case sensitive.
Kerberos Example
In this example, the SNC name p:[email protected] (a Kerberos principal ending in .LOCAL; the e-mail address is obfuscated in this copy) belongs to the user SAPUSER.
X.509 Certificate Example
In this example, the SNC name p:CN=SAPUSER, OU=SAP Security belongs to the user SAPUSER.
For more information about how to perform user mapping, see the Secure Login Library Installation, Configuration, and Administration Guide.
Set External Security Name for All Users
You can use transaction SNC1 (report RSUSR300) to configure the SNC name in batch mode. With this tool you can choose all SAP users (*), a list of SAP users or SAP user groups. This batch tool takes an SAP user and uses the components <previous_character_string><SAP_user_name><following_character_string> to build the SNC name. You can use the option Users without SNC names only to overwrite SNC names. Note that the definition of the string is case sensitive.
Kerberos Example
In this example, SNC names are generated with the following string for all users without an SNC name: p:CN=user_name@DEMO.LOCAL
X.509 Certificate Example
In this example, SNC names are generated with the following string for all users without an SNC name: p:CN=user_name, OU=SAP Security

5 Using Certificate Revocation Lists
The Secure Login Library supports certificate revocation lists (CRLs). CAs regularly update certificate revocation lists. They contain a list of certificates that have been declared as invalid. The CRL issued by the Certificate Authority (CA) contains the revoked certificates. CAs place certificate revocation lists at CRL distribution points. The CA issues CRLs at regular intervals. They must be replaced regularly by a new CRL or by a CRL that has not yet expired.
The Secure Login Library provides a tool that enables you to regularly download new CRLs from CRL distribution points (LDAP or HTTP) to the local cache. You can schedule the download using a cron job. When the application server checks certificates, it uses the downloaded CRL. This enables you to make sure that revoked certificates are not accepted.
Storing CRLs in the cache improves system performance. Storing CRLs in the local cache ensures fast accessing of the CRLs. Otherwise performance suffers when the Secure Login Library has to download CRLs from an external CRL distribution point. The local cache for the CRLs is \SECUDIR\dbcrl. Make sure the server process has read authorization for the CRL (files) in the cache directory. We recommend using the same user or, in a UNIX environment, granting read authorization with the umask command. To use the CRL functions, make the appropriate settings in the configuration files. For more information, see 5.2 Configuring the CRL Tool.
Limitations
The Secure Login Library covers only basic functions on the server side, such as checking client certificates with CRLs. The Secure Login Client does not check CRLs. The Secure Login Library has the following limitations:
- Customers cannot use the extension IssuingDistributionPoint in CRLs with the Secure Login Library.
- No use of delta CRLs.
- At present the Secure Login Library assumes that, in a given environment, all CAs provide CRLs. This means that multiple PKIs using different revocation checking policies and one PKI with CAs using different revocation checking policies are not supported.

5.1 Downloading CRLs with the CRL Tool
The main function of the CRL tool is to enable you to download CRLs from the CRL distribution point and to make them available in the local cache \SECUDIR\dbcrls. Run the CRL tool at regular intervals to ensure that the most recent CRL is located in the local cache. We recommend using a cron job to schedule the regular download. To use the CRL tool to get CRLs from LDAP, you must provide an OpenLDAP client (liboldap.*). Usually UNIX does not come with an LDAP client. For an Active Directory server, the user must be a domain user, and ADS has to be configured in ldap.xml.
To display detailed help, use crl -H.
CRL Tool Commands
- crl get: Downloads a CRL from a given CRL distribution point using a given URL (Web server or LDAP server).
- crl status: Shows the current status of the configuration and of the module.
- crl list: Shows the CRLs currently located in the local cache.
- crl remove: Removes the CRL from the local cache.
- crl show: Shows the content of a CRL file.
- crl store: Stores a CRL in the local cache. If the certificates contain a CRL distribution point, specify its location with -u so that the CRL can be found during certificate verification.
Examples of Getting a CRL from a CRL Distribution Point
In the following examples you see the commands for getting a CRL from a CRL distribution point.
Use the following command to get a CRL and store it in a file:
crl get -u <LDAP_server> -f <CRL_file>
Example
crl get -u ldap:///sap.example.com -f file.crl
Use the following command to get a CRL and store it in a cache without a distribution point:
crl get -u <LDAP_server> store
Example
crl get -u ldap:///sap.example.com store
Use the following command to get a CRL and store it in a cache using the same distribution point (the URL in the store command must be the path of the CRL distribution list):
crl get -u <LDAP_server> store -u <LDAP_server>
Example
crl get -u ldap:///sap.example.com store -u ldap:///sap.example.com
Use the following command to get a CRL and store it in a cache using a different distribution point (the URL in the store command must point to the CRL distribution point specified in the certificate):
crl get -u <HTTP_server> store -u <LDAP_server>
Example
crl get -u http://server/ store -u ldap:///sap.example.com

5.2 Configuring the CRL Tool
The following configuration files are available in the \SLL folder: pkix.xml, base.xml, ldap.xml. After you have entered changes in the configuration files, restart your ABAP server so that the newly-set parameters take effect. The parameters are similar to tags surrounding the values. You may use uppercase or lowercase for entering values.
pkix.xml
In the configuration file pkix.xml, you can configure whether a CRL check is used at all. CRL checking is active if the parameter revCheck is set to the value CRL. The default setting of this parameter is NO (no use of CRLs).
Example
<pkix>
  <profile>
    <acceptNoBCwithKeyUsage>true</acceptNoBCwithKeyUsage>
    <revCheck>CRL</revCheck>
    <certificatePolicies>noCheck</certificatePolicies>
  </profile>
</pkix>
The following table contains all parameters and parameter options that are available in pkix.xml.
Configuration parameters of pkix.xml
Parameter profile (with parameter options) <CRL_checking_profile>: CRL checking profile
- acceptNoBCwithKeyUsage (true/false): pkix.xml defines that CA certificates must have the BasicConstraints extension. If the parameter acceptNoBCwithKeyUsage has the value true, the system checks whether certificates without the BasicConstraints extension have the keyCertSign key usage. In this case, they are accepted as CA certificates. If the parameter acceptNoBCwithKeyUsage has the value false, the certificates are not accepted. Default: true
- revCheck (NO/CRL): Enables/disables revocation checking. Default: NO
- certificatePolicies (noCheck/<trusted_certificate_policy_object_identifiers>): List of trusted certificate policy object identifiers separated by a semicolon (;). Default: noCheck
base.xml
You can configure the cache and the verification of the CRL download (for example, from an LDAP server or HTTP server) in the file base.xml. If you use CRLs that are located in the cache, performance will improve considerably. By default, the parameter verificationonlineaccess is set to false to disable the function that verifies the CRLs online. If you want to activate CRL verification with the cache, set the parameter usepkicache to true (default setting is false).
Example 1
If you want to define a different location for the cache directory, you may optionally use the parameter pkicachedir and enter the location there (for multiple servers accessing the cache, you could use an NFS cache). If you want to activate CRL verification with the cache, set the parameter usepkicache to true.
<base>
  <verificationonlineaccess>false</verificationonlineaccess>
  <usepkicache>true</usepkicache>
  <pkicachedir>\usr\sap\T2D\DVEBMGS00\sec</pkicachedir>
</base>
Example 2
If you do not want to define a different location for the cache directory, you need not enter any value in pkicachedir. Set the parameter verificationonlineaccess to false and the parameter usepkicache to true.
<base>
  <verificationonlineaccess>false</verificationonlineaccess>
  <usepkicache>true</usepkicache>
  <pkicachedir></pkicachedir>
</base>
Example 3
If you want to carry out a CRL check from a remote LDAP directory, set the parameter verificationonlineaccess to true and set the parameter usepkicache to false. In this case, you need not enter any value in pkicachedir.
<base>
  <verificationonlineaccess>true</verificationonlineaccess>
  <usepkicache>false</usepkicache>
  <pkicachedir></pkicachedir>
</base>
Example 4
If you want to make a CRL request from a proxy server, you must enter the host name and the port number of the proxy server.
<base>
  <proxy>
    <url>host.example.com:8003</url>
  </proxy>
</base>
The following table contains all parameters and parameter options that are available in base.xml.
Configuration parameters of base.xml
- verificationonlineaccess (true/false): Default: false
- usepkicache (true/false): Specifies whether a CRL check uses a cache directory or a remote LDAP directory. Default: false
- pkicachedir (<directory_path>): Location of the dbcert and dbcrls directories.
- proxy (with parameter options): url (<host_name:port>)
Configuration parameters of base.xml (continued)
- verificationonlineaccess (true/false): If set to true, missing CRLs and certificates are being searched online.
- pkicachedir (<directory_path>): Default: <PSE_directory>
- proxy (with parameter options): Defines the proxy if you use a proxy server for the CRL request.
- url (<host_name:port>): Host name and port number of the proxy. This parameter does not support proxy URLs.
- name (with parameter options) <Distinguished_Name>: Distinguished Name
- escapedelimiter (doublequote/backslash): Delimiters of the values. Default: doublequote
- encoding (UTF8/T.61): Character set used for encoding Distinguished Names in ASN.1. Default: UTF8
- schema (sapcryptolib/rfc2256): Schema for the sequence and keywords of the name elements. Default: rfc2256
ldap.xml
You only need to modify this file in an Active Directory environment. If an LDAP URL that does not contain the server name is used as a CRL distribution point (in the default setting, the relevant section is commented out), define the name of the LDAP server in the configuration file ldap.xml. If you are in a Microsoft Windows domain and Active Directory is used as LDAP server, you must enter the value ADS in the parameter name.
Example
<ldap>
  <server>
    <name>ADS</name>
  </server>
</ldap>
Configuration parameters of ldap.xml
- timeout (<milliseconds>): Timeout of the LDAP server in milliseconds. Default: 40000
- nettimeout (<milliseconds>): Network timeout in milliseconds. Default: 800
- server (with parameter options): name (<Active_Directory>, ADS): Definition of LDAP server used for CRL. Enter ADS if Active Directory is used as an LDAP server. Default: no value

6 Use Cases
This section gives an instruction for the most frequently used use cases of NetWeaver Single Sign-On. It provides a rough overview of the steps you take if you want to set up such a solution, and you find multiple helpful references and links.

6.1 Support for Authentication with Kerberos and X.509 on AS ABAP
You want to use Kerberos authentication technology for the client-to-server communication and thus enable single sign-on and secure server-to-server communication using SNC. We assume that there is a Microsoft domain user who requests to authenticate at a Secure Login Client. The Secure Login Client issues a Kerberos service token and authenticates at AS ABAP system 1 with SNC. Secure Login Library is installed in the AS ABAP systems 1 and 2. This makes an SNC communication with X.509 certificates possible. The server-to-server communication uses X.509 certificates. This setup is also possible if SAPCRYPTOLIB is installed in the AS ABAP system 2.

6.1.1 Prerequisites
You have installed Secure Login Client on the client workstations in a Microsoft domain. The following SAP NetWeaver Single Sign-On components must be installed in the following environment:
Systems | Software Components
Microsoft Windows client | Secure Login Client
AS ABAP system 1 | Secure Login Library (SNC library)
AS ABAP system 2 | Secure Login Library or SAPCRYPTOLIB (SNC library)

6.1.2 Installation and Configuration Steps
Procedure
1. Install the Secure Login Library as SNC security library on AS ABAP system 1. For more information, see the Secure Login Library Installation section in the Installation, Configuration, and Administration Guide for SAP NetWeaver Single Sign-On 1.0, Secure Login Library, available on http://help.sap.com/nwsso10.
2. Install the Secure Login Library or SAPCRYPTOLIB as SNC security library on AS ABAP system 2. For the installation procedure of SAPCRYPTOLIB on an AS ABAP, see Installing the SAP Cryptographic Library on the AS ABAP (http://help.sap.com/saphelp_nw73ehp1/helpdata/en/c4/3a616a505211d189550000e829fbbd/frameset.htm) on the SAP Help Portal.
3. In Microsoft Active Directory, create a technical user that can be used in an AS ABAP. Specify a Service Principal Name for this user (see options 1 and 2). Create a Microsoft Service Principal Name for the technical user of the AS ABAP system, for example SAP/KerberosABC@DOMAIN.LOCAL.
4. On AS ABAP system 1, create a Kerberos keytab file in the Secure Login Library environment. For more information, see the Installation, Configuration, and Administration Guide for SAP NetWeaver Single Sign-On 1.0, Secure Login Library, SNC Kerberos Configuration, Create Kerberos Keytab (http://help.sap.com/nwsso10).
5. Generate X.509 certificates in transaction STRUST (for more information on the trust manager, see http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bdb17f85640f1e10000000a42189c/frameset.htm). If you use self-signed certificates, import them from the AS ABAP system 2.
Option 1
a) Create an X.509 certificate for the AS ABAP, for example CN=KerberosABC, OU=SAP Security, C=DE, and save it in the security token container pse.zip (see Installation, Configuration, and Administration Guide for SAP NetWeaver Single Sign-On 1.0, Secure Login Library).
b) Start the transaction RZ10 in the AS ABAP.
c) Choose your instance profile.
d) Choose Extended Maintenance and Change.
e) Go to the parameter name snc/identities/as.
f) Enter p:CN=KerberosABC, OU=SAP Security, C=DE.
The Secure Login Client (1.0 patch 03 and higher) converts the SNC name for Kerberos use. If SAP GUI receives the SNC name p:CN=KerberosABC, OU=SAP Security, C=DE, and SAP GUI has no Kerberos name, the Secure Login Client rebuilds the Service Principal Name to CN=SAP/KerberosABC@DOMAIN.LOCAL. This happens if the Secure Login Client uses a Kerberos profile.
Option 2
Create an X.509 certificate for the AS ABAP system and use the Service Principal Name of the Microsoft Active Directory technical user. Example: CN=SAP/KerberosABC@DOMAIN.LOCAL. Unlike some PKI vendors, Secure Login Server can generate a certificate with special characters, for example @. For more information, see SAP Note 1696905.
6. Configure the SNC parameters on both AS ABAP systems (1 and 2) in the Instance Profile. Use the transaction RZ10 (see Maintaining Profiles (http://help.sap.com/saphelp_nw73ehp1/helpdata/en/49/236897bf5a1902e10000000a42189c/frameset.htm) on the SAP Help Portal).
7. Restart the AS ABAP systems 1 and 2.
8. Depending on the communication direction, configure secure network communication (SNC) in transaction SM59 (see http://help.sap.com/saphelp_nw73ehp1/helpdata/en/7e/6ca46b1ee4468a98280ff00db4d97d/frameset.htm) for AS ABAP system 2. On AS ABAP system 2, generate the X.509 certificate in transaction STRUST (for more information on the trust manager, see http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bdb17f85640f1e10000000a42189c/frameset.htm); if you use self-signed certificates, import them from the AS ABAP system 1. Depending on the communication direction, configure secure network communication (SNC) in transaction SM59 on AS ABAP system 2 as well.
9. To configure the SNC user mapping, start transaction SU01 on the AS ABAP system 1 (see Installation, Configuration, and Administration Guide for SAP NetWeaver Single Sign-On 1.0, Secure Login Library, User Mapping).
10. Install the Secure Login Client on your Windows client(s) (see Installation, Configuration, and Administration Guide for SAP NetWeaver Single Sign-On 1.0, Secure Login Client, Secure Login Client Installation), and enable SNC in SAP GUI (see Installation, Configuration, and Administration Guide for SAP NetWeaver Single Sign-On 1.0, Secure Login Client, Enable SNC in SAP GUI). For more information, see the Installation, Configuration, and Administration Guide for SAP NetWeaver Single Sign-On 1.0 SP02, Secure Login Client, Authentication with X.509 Certificates and Kerberos.

7 Troubleshooting
This section provides further information about how to perform troubleshooting for Secure Login Library.

7.1 SNC Library Not Found
The SNC library and configuration are verified when the SAP ABAP server starts.
Problem: SNC library cannot be found.
Checklist / Possible Issues
- Verify SAP trace file dev_w0.
- Log on to SAP ABAP server using SAP GUI and start transaction RZ10. Choose the instance profile and verify the value of the parameter snc/gssapi_lib. For more information, see section 3 Secure Login Library Configuration.
- Verify SNC library file access rights for the user starting the SAP server.
- Verify if Secure Login Library is installed correctly. Verify the installation described in section 2 Secure Login Library Installation.
- Enable Secure Login Library trace and analyze the problem. For more information, see section 4.1 Enable Trace.

7.2 Credentials Not Found
The SNC library and configuration are verified when the SAP ABAP server starts.
Problem: Could not get credentials.
Checklist / Possible Issues
- Verify SAP trace file dev_w0.
- Verify the SNC configuration. Log on to SAP ABAP server using SAP GUI and start transaction RZ10. Choose the instance profile and verify the SNC configuration. For more information, see section 3 Secure Login Library Configuration.
- Verify SNC library file access rights for the user starting the SAP server.
- Verify if Secure Login Library is installed correctly. Verify the installation described in section 2 Secure Login Library Installation.
- Verify the SNC library status with the command snc status -v or snc -O <user_name> status -v. Start a command line shell and change to the Secure Login Library folder <INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL. Set the environment variable SECUDIR=<INSTDIR>/<SID>/DVEBMGS<instance_number>/sec. Use the command: snc -O <SAP_service_user> status -v
  Microsoft Windows example: snc -O SAPServiceABC status -v
  Linux example: snc -O abcadm status -v
- Verify if the SNC certificate was provided to the Secure Login Library PSE environment.
- Enable the Secure Login Library trace and analyze the problem. For more information, see section 4.1 Enable Trace.

7.3 No User Exists with SNC Name
Problem: If the error message No user exists with SNC name … occurs and your login fails, a server with a default Secure Login Library configuration cannot find the SNC name in the database. For further information, see SAP Note 1635019.

8 List of Abbreviations
Abbreviation | Meaning
ADS | Active Directory Service
CA | Certification Authority
CAPI | Microsoft Crypto API
CRL | Certification Revocation List
CSP | Cryptographic Service Provider
DN | Distinguished Name
EAR | Enterprise Application Archive
HTTP | Hyper Text Transport Protocol
HTTPS | Hyper Text Transport Protocol with Secure Socket Layer (SSL)
IAS | Internet Authentication Service (Microsoft Windows Server 2003)
JAAS | Java Authentication and Authorization Service
JSPM | Java Support Package Manager
LDAP | Lightweight Directory Access Protocol
NPA | Network Policy and Access Services (Microsoft Windows Server 2008)
PIN | Personal Identification Number
PKCS | Public Key Cryptography Standards
PKCS#10 | Certification Request Standard
PKCS#11 | Cryptographic Token Interface Standard
PKCS#12 | Personal Information Exchange Syntax Standard
PKI | Public Key Infrastructure
PSE | Personal Security Environment
RADIUS | Remote Authentication Dial-In User Service
RFC | Remote function call (SAP NetWeaver term)
RSA | Rivest, Shamir and Adleman
SAR | SAP Archive
SCA | Software Component Archive
SLAC | Secure Login Administration Console
SLC | Secure Login Client
SLL | Secure Login Library
SLS | Secure Login Server
SLWC | Secure Login Web Client
SNC | Secure Network Communication (SAP term)
SSL | Secure Socket Layer
UPN | User Principal Name
WAR | Web Archive
WAS | Web Application Server

9 Glossary
Authentication
A process that checks whether a person is really who they claim to be. In a multi-user or network system, authentication means the validation of a user's logon information. A user's name and password are compared against an authorized list.
Base64 encoding
Base64 encoding is a three-byte to four-characters encoding based on an alphabet of 64 characters. This encoding has been introduced in PEM (RFC1421) and MIME. Other uses include HTTP Basic Authentication headers and general binary-to-text encoding applications. Note: Base64 encoding expands binary data by 33%, which is quite efficient.
CAPI
See 'Cryptographic Application Programming Interface'.
Certificate
A digital identity card of a real individual or other entity. The most common certificate standard is the ITU-T X.509. A certificate typically includes:
- The public key being signed.
- A name, which can refer to a person, a computer or an organization.
- A validity period.
- The location (URL) of a revocation center.
- The digital signature of the certificate produced by the CA's private key.
Certificate Revocation List (CRL)
A group of certificates that have been declared to be invalid. The certificate revocation list is maintained and publicly released by the issuing Certification Authority (CA) and typically contains the following information:
- The certificate's serial number
- The issuing CA's Distinguished Name
- The date of revocation
Certificate Store
Sets of security certificates belonging to user tokens or certification authorities.
Certification Authority (CA)
An entity which issues and verifies digital certificates for use by other parties.
CREDDIR
A directory on the server in which information is placed that goes beyond the PSE (personal security environment).
Cryptographic Application Programming Interface (CAPI)
The Cryptographic Application Programming Interface (also known variously as CryptoAPI,
Distinguished Names are defined in the ISO/ITU X.
You can use them to restrict the public key to as few or as many operations as needed.
This name ensures that identical certificates are never created for different people with the same name. if you have a key used only for signing.500 standard. Key Usage Key usage extensions define the purpose of the public key contained in a certificate. Alternatively. Cryptographic credentials may be self-issued. Usually they take the form of machine-readable cryptographic keys and/or passwords. Cryptographic Token Interface Standard A standardized crypto-interface for devices that contain cryptographic information or that perform cryptographic functions. The uniqueness of the certificate is additionally ensured by the name of the issuer of the certificate (that is. similar to a telephone book (for example. CRL Distribution Point Publicly available location where a Certification Authority (CA) hosts its certificate revocation list (CRL). 68 09/2012 . an X. For example.500 or LDAP directory). Cryptographic credentials are often designed to expire after a certain period. It is a set of dynamically-linked libraries that provides an abstraction layer that isolates programmers from the code used to encrypt the data. enable key enciphering. Directory Service Provides information in a structured format. if a key is used only for key management. the certification authority) and the serial number. or simply CAPI) is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Microsoft Windows-based applications using cryptography. Within a PKI: Contains information about the public key of the user of the security infrastructure. Credentials have a defined time to live (TTL) that is configured by a policy and managed by a client service process. enable the digital signature and/or non-repudiation extensions. Microsoft Cryptography API. or issued by a trusted third party. Distinguished Name (DN) A name pattern that is used to create a globally unique identifier for a person. 
Credentials Used to establish the identity of a party in communication. although this is not mandatory. in many cases the only criterion for issuance is unambiguous association of the credential with a specific. All PKI users require a unique name. Personal Information Exchange Syntax Standard Specifies a portable format for saving or transporting a user‟s private keys. it indicates the intended purpose or purposes of the key and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. If the extension is non-critical. PIN See Personal Identification Number.500. Personal Security Environment The PSE is a personal security area that every user requires to work with. “PKCS#11” is an API defining a generic interface to cryptographic tokens. 09/2012 69 . If the certificate is used for another purpose. A PSE is a security token container with security-related information. proposed by RFC 989 in 1987. the certificate must be used only for the indicated purpose or purposes. If the extension is critical. applications that use certificates may require that a particular purpose be indicated in order for the certificate to be acceptable. The extension is then only an informational field and does not imply that the CA restricts use of the key to the purpose indicated. it is in violation of the CA's policy. and other secret information. PKCS#11 “PKCS” refers to a group of Public Key Cryptography Standards devised and published by RSA Security.9 Glossary Key Usage (extended) Extended key usage further refines key usage extensions. Nevertheless. Lightweight Directory Access Protocol (LDAP) A network protocol designed to extract information such as names and e-mail addresses from a hierarchical directory such as X. Privacy-Enhanced Mail (PEM) The first known use of Base 64 encoding for electronic data transfer was the Privacyenhanced Electronic Mail (PEM) protocol. PEM See Privacy Enhanced Mail. 
This includes the certificate and its secret private key. An extended key is either critical or non-critical. Personal Identification Number (PIN) A unique code number assigned to the authorized user. PEM defines a "printable encoding" scheme that uses Base 64 encoding to transform an arbitrary sequence of octets to a format that can be expressed in short lines of 7-bit characters. as required by transfer protocols such as SMTP. The PSE can be either an encrypted file or a smart card and is protected with a password. certificates. Ensures the authorization of communication partners and the confidentiality. distributing. Public Key Infrastructure Comprises the hardware. Shamir. The original specification additionally used the "*" symbol to delimit encoded but unencrypted data within the output stream. Is often structured hierarchically. Security depends on the length of the key: key lengths of 1024 bits or higher are regarded as secure. for the secure exchange of information over the Internet. Secure Network Communications A module in the SAP NetWeaver system that deals with the communication with external. Secure Sockets Layer A protocol developed by Netscape Communications for setting up secure connections over insecure channels. To check foreign certificates. cryptographic libraries. software. administering. guidelines. and revoking certificates based on asymmetric cryptography. integrity. cryptographically procedure. with a root certificate at the top.and lower-case Roman alphabet characters (A –Z. An external storage device that uses the same file system as the operating system. and Adleman in 1977. representing a CA that does not need to be authenticated by a trusted third party. and methods that are involved in creating.509 PKI systems. and authenticity of transferred data. RSA An asymmetric.9 Glossary The current version of PEM (specified in RFC 1421) uses a 64-character alphabet consisting of upper. 
The library is addressed using GSS API functions and provides SAP NetWeaver components with access to security functions. The "=" symbol is also used as a special suffix code. Is used in many common browsers and mail tools. a–z). people. the numerals (0–9). Public FSD Public file system device. It is the most widely-used algorithm for encryption and authentication. Root certification authority The highest certification authority in a PKI. Public Key Cryptography Standards A collection of standards published by RSA Security Inc. a user requires the certificate path as well as the root certificate. developed by Rivest. and the "+" and "/" symbols. Its certificate is signed with a private key. In X. saving. There can be any number of CAs between a user certificate and the root certification authority. All users of the PKI must trust it. 70 09/2012 . Root certification The certificate of the root CA. the hierarchy of certificates is always a top-down tree. smart card. Smart-card-based USB tokens (which contain a smart card chip inside) provide the functionality of both USB tokens and smart cards. and a domain name (optional).509 A standardized format for certificates and blocking list. The private key can be persistent (like a PSE file. Token A security token (or sometimes a hardware token. Tokens provide access to a private key that allows the user to perform cryptographic operations. They enable a broad range of security solutions and provide the abilities and security of a traditional Smart Card without requiring a unique input device (smart card reader). a password.9 Glossary Single Sign-On A system that administrates authentication information allowing a user to logon to systems and open programs without the need to enter authentication every time (automatic authentication). X. The credentials usually comprise a user name. From the computer operating system‟s point of view a token is a USB -connected smart card reader with one nonremovable smart card present. X. 
Windows Credentials A unique set of information authorizing the user to access the Microsoft Windows operating system on a computer. The term may also refer to software tokens. or CAPI container) or non-persistent (like temporary keys provided by Secure Login). 09/2012 71 .500 A standardized format for a tree-structured directory service. authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication.
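The manual checks from sections 7.1 and 7.2 (the parameter snc/gssapi_lib in the instance profile, file access rights for the user starting the SAP server, and a SECUDIR that actually holds the PSE) as an added POSIX shell script; this is example code, not part of this guide or of SAP's tools. It assumes profile lines of the form "name = value" and a PSE file with the extension .pse, neither of which the guide states.

```sh
#!/bin/sh
# Added example, not SAP's own tooling: pre-flight checks for the SNC settings
# that sections 7.1 and 7.2 ask you to verify by hand. Run it as the user that
# starts the SAP server so the readability check reflects that user's rights.
# Assumptions (not from the guide): profile lines have the form "name = value",
# and the PSE in SECUDIR is a file with the extension .pse.

# Print the value of one instance profile parameter (last definition wins),
# or nothing if the parameter is not set.
profile_value() {   # $1 = instance profile file, $2 = parameter name
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# Section 7.1 (SNC library cannot be found): snc/gssapi_lib must point at a
# file that the SAP server's user can read. Returns 0 on success, 1 on failure.
check_snc_lib() {   # $1 = instance profile file
    lib=$(profile_value "$1" "snc/gssapi_lib")
    if [ -z "$lib" ]; then
        echo "FAIL: snc/gssapi_lib is not set in $1"
        return 1
    fi
    if [ ! -r "$lib" ]; then
        echo "FAIL: snc/gssapi_lib=$lib is missing or not readable by $(id -un)"
        return 1
    fi
    echo "OK: snc/gssapi_lib=$lib is readable"
}

# Section 7.2 (could not get credentials): SECUDIR must exist and contain the
# PSE that holds the server's SNC certificate. Returns 0 on success, 1 on failure.
check_secudir() {   # $1 = directory to be used as SECUDIR
    if [ ! -d "$1" ]; then
        echo "FAIL: SECUDIR=$1 does not exist"
        return 1
    fi
    if ! ls "$1"/*.pse >/dev/null 2>&1; then
        echo "FAIL: SECUDIR=$1 contains no .pse file; was the SNC certificate provided?"
        return 1
    fi
    echo "OK: SECUDIR=$1 contains a PSE"
}

# Run both checks for one instance; the sec directory follows the layout
# <INSTDIR>/<SID>/DVEBMGS<instance_number>/sec given in section 7.2.
check_instance() {   # $1 = instance profile file, $2 = <INSTDIR>/<SID>/DVEBMGS<instance_number>
    check_snc_lib "$1" && check_secudir "$2/sec"
}
```

If both checks pass and the server still reports "Could not get credentials", continue with snc -O <SAP_service_user> status -v from the SLL folder and the library trace, as section 7.2 describes.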