Secure Login for SAP NetWeaver Single Sign-On Implementation Guide

March 25, 2018 | Author: Julio Montenegro | Category: Transport Layer Security, Public Key Certificate, Radius, Active Directory, Authentication
Share
Report this link


Comments



Description

PUBLICSAP NetWeaver Single Sign-On 2.0 SP1 Document Version: 1.5 - 2013-09-19 Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Table of Contents 1 1.1 What Is Secure Login?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 System Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 1.1.1 1.1.2 1.1.3 1.2 1.3 1.4 Clients for Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 Main System Components with Secure Login Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Main System Components without Secure Login Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . .11 System Overview with Secure Login Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Client Authentication Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 PKI Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15 1.4.1 1.4.2 Out-of-the-Box PKI Login Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 PKI Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16 1.5 1.6 1.7 2 2.1 Secure Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Policy Server Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Migrating to SAP NetWeaver Single Sign-On 2.0 from 1.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Secure Login Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Secure Login Client Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 2.1.1 2.1.2 Unattended Installation with SAPSetup Installation Server. . . . . . . . . . . . . . . . . . . . . . . . . . 23 Uninstalling Secure Login Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.2 2.3 Updating the Secure Login Client to SP1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Adding Root Certificates during Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 2.3.1 2.3.2 Option 1: Installing Root CA Certificate on a Windows Client. . . . . . . . . . . . . . . . . . . . . . . . . .27 Option 2: Distributing Root CA Certificates on Microsoft Domain Server. . . . . . . . . . . . . . . . . 27 2.3.3 Option 3: Distribute Secure Login Server Root CA Certificates Using Microsoft Group Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 2.4 Migrating Secure Login Client to SAP NetWeaver Single Sign-On 2.0 from 1.0. . . . . . . . . . . . . . . . . . . . 29 2.4.1 2.4.2 2.4.3 2.4.4 2.5 2.5.1 2.5.2 2.5.3 2.5.4 2.5.5 2.5.6 2.5.7 2.6 2.6.1 Downloading Policies to Secure Login Client Using Profile Groups. . . . . . . . . . . . . . . . . . . . . 30 Downloading Policies to Secure Login Client Using the Policy Download Agent. . . . . . . . . . . . 30 Creating a Profile Group of Client Authentication Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . .31 Configuring a Secure Login Client 2.0 to Run with Secure Login Server 1.0. . . . . . . . . . . . . . . 32 Enable SNC in SAP GUI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 User Mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Overview of Registry Configuration Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Smart Card Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Digital Signature (SSF). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39 Configuring Client Tracing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 SAP NetWeaver Business Client with Secure Login Client. . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Secure Login Client with a Published Desktop. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Configuration Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Secure Login Client for Citrix XenApp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 2 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Table of Contents 2.6.2 2.6.3 3 3.1 Secure Login Client with a Published SAP Logon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Other Features of Secure Login Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Secure Login Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Secure Login Library Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 3.1.1 3.1.2 3.1.3 3.1.4 Prerequisites for Installing Secure Login Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Installing Secure Login Library on a Microsoft Windows Operating System. . . . . . . . . . . . . . . 47 Installation on a UNIX/Linux Operating System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Uninstallation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Downloading the Secure Login Library Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50 Updating Secure Login Library to SP1 on a Microsoft Windows Operating System. . . . . . . . . . 51 Updating Secure Login Library to SP1 on a UNIX/Linux Operating System. . . . . . . . . . . . . . . 52 Configuring Secure Login Library During an Update to SP1. . . . . . . . . . . . . . . . . . . . . . . . . . 53 3.2 Updating Secure Login Library from SP0 to SP1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 3.2.1 3.2.2 3.2.3 3.2.4 3.3 3.4 3.5 Migrating Secure Login Library to SAP NetWeaver Single Sign-On 2.0 from 1.0. . . . . . . . . . . . . . . . . . . 53 Standard and FIPS 140-2 Certified Secure Login Library Crypto Kernel. . . . . . . . . . . . . . . . . . . . . . . . .55 3.4.1 3.5.1 3.5.2 3.5.3 Using the FIPS 140-2 Certified Secure Login Crypto Kernel. . . . . . . . . . . . . . . . . . . . . . . . . . 56 SNC X.509 Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 SNC Kerberos Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 X.509 and Kerberos Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Secure Login Library Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 3.5.4 Kerberos Authentication for HTML-Based User Interfaces Using SAP NetWeaver AS ABAP with SPNego. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 3.5.5 3.5.6 3.5.7 3.5.8 3.6 3.6.1 4 4.1 SNC Communication Protocol Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Use Case for Defining a Symmetric Algorithm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 User SNC Name Mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Using Certificate Revocation Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 Configuring Tracing for Secure Login Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Configuration Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Secure Login Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 Installation and Installation File Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 4.1.1 4.1.2 4.1.3 4.1.4 Prerequisites for Installing Secure Login Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 Secure Login Server Installation with Software Update Manager. . . . . . . . . . . . . . . . . . . . . . 92 Secure Login Server Installation with Telnet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Secure Login Server Uninstallation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Prerequisites for Running the Initial Configuration Wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Initial Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Starting the Secure Login Administration Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Changing Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 4.2 Initial Configuration Wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 4.2.1 4.2.2 4.3 Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 4.3.1 4.3.2 Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Table of Contents PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. 3 4.3.3 4.3.4 4.4 4.4.1 4.4.2 4.4.3 4.4.4 4.4.5 4.4.6 4.5 4.5.1 4.5.2 4.5.3 4.5.4 4.5.5 4.5.6 4.5.7 4.6 4.6.1 4.6.2 4.6.3 4.6.4 4.7 4.7.1 4.7.2 4.7.3 4.7.4 4.7.5 4.7.6 4.7.7 5 5.1 Stopping and Starting Secure Login Server with Telnet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Stopping and Starting Secure Login Server Using SAP Management Console. . . . . . . . . . . . 100 Export Restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 Using Secure Login Client in Web Adapter Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 Enabling SAP GUI to Use Credentials with Secure Login Web Client. . . . . . . . . . . . . . . . . . . 102 Security Features of Secure Login Web Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103 Mozilla Firefox Plug-In for Storing Secure Login User Certificates . . . . . . . . . . . . . . . . . . . . 105 Rebranding Secure Login Web Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Overview of Login Modules Supported by SAP NetWeaver Single Sign-On 2.0. . . . . . . . . . . . 109 Adding a Policy Configuration for SAP NetWeaver Single Sign-On 2.0. . . . . . . . . . . . . . . . . . 109 Creating an Authentication Profile Pointing to a Policy Configuration. . . . . . . . . . . . . . . . . . . 111 Creating Destinations in Secure Login Administration Console. . . . . . . . . . . . . . . . . . . . . . . 113 Setting the Enrollment URL for Secure Login Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Configuring Actions at Policy Download. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Migration of Certificate User Mapping in the Secure Login Server. . . . . . . . . . . . . . . . . . . . . 115 User Mapping in Secure Login Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Configuring a Destination in Secure Login Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Archiving Certificate Requests, Issued Certificates, and User Certificates. . . . . . . . . . . . . . . 130 Checking the Availability of Secure Login Server Configuration. . . . . . . . . . . . . . . . . . . . . . .132 Verify Authentication Server Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133 Integrate into Existing PKI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 High Availability and Failover for Secure Login Server and Secure Login Client. . . . . . . . . . . .134 Kerberos Authentication with SPNego. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 LDAP User Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 SAP User Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 RADIUS User Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Secure Login Web Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100 Migrating Secure Login Server 2.0 from 1.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Configuration Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 Parameter Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143 Parameter Overview for Secure Login Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 5.1.1 5.1.2 Registry Configuration Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 SSF Parameters for Digital Signatures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Parameters for Certificate Revocation Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 SNC Parameters for Secure Login Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Communication and Protocol Parameters (Server and Client). . . . . . . . . . . . . . . . . . . . . . . 159 Parameters for Initial Configuration (PKI Certificates). . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Parameters for Signing Certificate Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165 5.2 Parameter Overview for Secure Login Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 5.2.1 5.2.2 5.2.3 5.3 Parameter Overview for Secure Login Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 5.3.1 5.3.2 4 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Table of Contents 5.3.3 5.3.4 5.3.5 5.3.6 Secure Login Client Policy and Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166 Parameters for the Policy Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 Parameters for User Certificate Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Parameters for Destination Management Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . 189 5.3.7 Mapping of Parameters for a Migration of SAP NetWeaver Single Sign-On 2.0 from 1.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 6 6.1 Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Troubleshooting Secure Login Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 6.1.1 6.1.2 6.1.3 6.1.4 6.1.5 6.1.6 6.2 6.2.1 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 6.3 6.3.1 6.3.2 6.3.3 6.3.4 6.3.5 6.3.6 6.3.7 6.3.8 6.3.9 6.3.10 6.3.11 Error in SNC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 User Name Not Found. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Invalid Security Token. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 Wrong SNC Library Configured. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 Monitoring Secure Login Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 SNC Error Codes in the Secure Login Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 SNC Library Not Found. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 Credentials Not Found. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 No User Exists with SNC Name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Monitoring Secure Login Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Error Occurred with sapgenpse. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205 SNC Error Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Secure Login Web Client Authentication Failed. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206 Trust Warnings in Secure Login Web Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Error Codes of SAP Stacktrace Errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Checklist User Authentication Problem. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 Enable Fully Qualified Distinguished Name in Enrollment URL. . . . . . . . . . . . . . . . . . . . . . . 209 Locking and Unlocking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 Secure Login Server SNC Problem. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212 Secure Login Authentication Profile Lock and Unlock. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 Internal Server Message. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 Error Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 Monitoring Secure Login Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215 Troubleshooting Secure Login Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 Troubleshooting Secure Login Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 6.3.12 Logging and Tracing Secure Login Server with the Log Viewer of SAP NetWeaver Administrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 7 8 9 9.1 List of Abbreviations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 Secure Login Security Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 Before You Start. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Table of Contents PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. 5 . . . . . . . . . . . . . . . . . . . . . . . . . .4 10. . . . . . .5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 Secure Login Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 Java Access Bridge. . . . . . .9 10. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 AES-NI Sample Library. . . . . . . . . . . . . . . . . . . . . .3 Component Overview. . . . . . . . .11 11 Microsoft Windows Server Domain Controller. . . . . . . . . . . . . . . . . . . . . . . 250 Code Project . . . . . . . .5. . . . . . . . . . .5 10. . . . . . . . . . . . . . Flex. . . . . . . . . . . . . . . . . . .3. . . . . . Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 Google GSON. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 SSLeay. . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 9. . . . . . . . . . . . . . .7 10. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240 Runtime Security Considerations for Secure Login Server. . . . . . . . . . . . . . . . . . . . . . Code Project . 234 9.2 9. . . . . . . . . . . . . . . . . . . . . . . . .6 10. . . . . . . . . . . . . . . . . . . . 243 Secure Login Web Client. . . . . . . . . . . . . . . . . . . . . . . . . .6 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3. . . . . . 229 Initialization Procedures for Secure Login Library. . . . . . . . . . . . . .4 Installation Procedures and Settings for Secure Login Client.4. . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 10. . . .1 9. . . . . . . . . . . . . . . . . . . . . . . . .8 9. . . . . . . . . . . . . . . . . . . . . . . . . . .265 Disclaimer. . . . . . . . . . . . . 256 libxml2. . . . . . 234 9. . . . . . . . . . . . . . .3. . . . . . . . . . . . . . .Pretty IE Toolbar in C#. . . . . . . . . . .5. . . . . . . . . . . . . . . . . . . 255 zlib. . . . . . . . . . .3 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 Configuration Procedures and Settings for Secure Login Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 9. . . . . . . .228 Secure Login Library. . . . . . . . . . 257 SHA. . . . . 237 Configuration Procedures and Settings for Secure Login Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 9.3 10. . . 266 6 PUBLIC © 2013 SAP AG or an SAP affiliate company. . .5 Installation Procedures and Settings for Secure Login Server. . . . . . . . . . . .9. . . . . . . . . . . . . . . . . . 234 Initialization Procedures for Secure Login Client. . . .Adding Icons to System Tray. . . . . . . All rights reserved. . . . . . . . . . . . . .4 Installation Procedures and Settings for Secure Login Library. . . . . . . .5 Secure Login Server.2 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 9. .10 10. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 9. . . . . . . . . . . . . . . . .4 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9 10 10. 229 9. . . . . .2 9.3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 Initialization Procedures and Settings for Secure Login Server. . . 251 RSA Cryptoki: Cryptographic Token Interface Standard API (PKCS #11). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 Open Source Licenses. . . . . . . . . . 246 Sun Java Platform Standard Edition SDK (J2SDK) (JDK). . . . . . . . . . . . . . . . . . .4. . . . . . . . . . . . . .4. .246 Windows Template Library. . . . . . . . . . . . 244 LDAP Directory Server. . . . .236 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 Runtime Security Considerations for Secure Login Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244 Microsoft Windows Server Active Directory. . . . . . . . 244 RSA Authentication Server. . 235 Configuration Procedures and Settings for Secure Login Client. . . . . . . . . . . . . . . . .2 9. . . . . . 233 Runtime Security Considerations for Secure Login Library. . . . . . . . . . . . . . . .5. . . . . . . .7 9. . . . . . . . . . JQuery. .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 10. . . . . . . . .3 9. . . . . . . . . . . . . . . . . . . . .1 10. . . . . . . . . .5. . . SAP user names and passwords are transferred through the network without encryption.1 What Is Secure Login? Secure Login is an innovative software solution specifically created for improving user and IT productivity and for protecting business-critical data in SAP business solutions by means of secure single sign-on to the SAP environment. Secure Login allows users to authenticate with one of the following authentication mechanisms: ● ● ● ● ● Windows Domain (Active Directory Server) RADIUS server LDAP server SAP NetWeaver Application Server Smart card authentication If a PKI has already been set up. alternative user authentication. the digital user certificates of the PKI can also be used by Secure Login.509 certificates In a default SAP setup. and enhanced security for distributed SAP environments. Secure Login provides strong encryption. 7 . and single sign-on between a wide variety of SAP components. Secure Login is a client/server software system integrated with SAP software to facilitate single sign-on. The Secure Login solution includes several components: ● Secure Login Server Central service that provides X. Secure Login Library. secure communication. Secure Login Library ● Secure Login for SAP NetWeaver Single Sign-On Implementation Guide What Is Secure Login? PUBLIC © 2013 SAP AG or an SAP affiliate company. and Secure Login Client). The Secure Login Web Client is an additional function. The SNC interface can also direct calls through the Secure Login Library to encrypt all communication between SAP GUI and the SAP server. SAP provides a “Secure Network Communications” interface (SNC) that enables users to log on to SAP systems without entering a user name or password. 1. thus providing secure single sign-on to SAP. ● ● ● SAP GUI and SAP NetWeaver platform with Secure Network Communications (SNC) HTML-based user interfaces and SAP NetWeaver platform with Secure Socket Layer – SSL (HTTPS) Third-party application servers supporting Kerberos and X.1 System Overview Secure Login consists of several components (Secure Login Server. Secure Login also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) with SSL. All rights reserved. Secure Login allows you to benefit from the advantages of SNC without being obliged to set up a public-key infrastructure (PKI).509v3 certificates (out-of-the-box PKI) to users and application servers. see the central SAP Note SAP Note 1912175. users enter their SAP user name and password on the SAP GUI logon screen. For more information. To secure networks. 1. For more information about Secure Login Server. ● Secure Login Client Client application that provides security tokens (Kerberos and X. Microsoft Windows Credentials The Microsoft Windows Domain credentials (Kerberos token) can be used for authentication.1 Authentication Methods of Secure Login Client The Secure Login Client is integrated with SAP software to provide single sign-on capability and enhanced security. Secure Login Client can be used with Kerberos technology. and Secure Login Client. A policy server provides authentication profiles that specify how to log on to the desired SAP system. User name and password (several authentication mechanisms) The Secure Login Client prompts you for your user name and password and authenticates with these credentials using the Secure Login Server in order to receive a user X. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide What Is Secure Login? . or together with the Secure Login Server for certificate-based authentication without having to set up a PKI.1. Note You do not need to install all of the components. an existing public key infrastructure (PKI). All rights reserved. see there.509 certificate with the Secure Login Server.509 technology) for a variety of applications. This depends on your use case scenario. Secure Login Library. Microsoft Crypto Store with an existing PKI certificate Secure Login Server and Authentication Server are not necessary. The Secure Login Library supports both X. 8 PUBLIC © 2013 SAP AG or an SAP affiliate company.The Microsoft Windows credentials can also be used to receive a user X. ● All of these authentication methods can be used in parallel.1 Clients for Authentication Secure Login runs with the following clients for authentication: Related Information Authentication Methods of Secure Login Client [page 8] Authentication Methods of Secure Login Web Client [page 9] 1.509 and Kerberos technology.509 certificate.1. 1.Cryptographic library for an SAP NetWeaver ABAP system. The Secure Login Client can use the following authentication methods: ● ● ● Smart cards and USB tokens with an existing PKI certificate Secure Login Server and authentication server are not necessary. Secure Login Client.1. 9 . and Secure Login Library.1.1.2 Main System Components with Secure Login Server Overview of the main system components in an environment with Secure Login Server. The following figure shows the Secure Login system environment with the main system components if an existing PKI or Kerberos infrastructure is used. 1.1.2 Authentication Methods of Secure Login Web Client This client is based on a Web browser (Web GUI) and is part of the Secure Login Server. The Secure Login Web Client has the same authentication methods as the standalone Secure Login Client. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide What Is Secure Login? PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. but with the following limited functions: ● ● Limited integration with the client environment (interaction required) Limited client policy configuration Related Information Secure Login Web Client [page 100] Secure Login Web Client is a feature of the Secure Login Server that is a Web-based solution for the authentication of users in Web browsers (in portal scenarios) on a variety of platforms and for launching SAP GUI with SNC. For each supported method. It consists of a servlet and a set of associated classes and shared libraries. It enables authentication against an authentication server and provides the Secure Login Client with a short term certificate.1. It uses the Java Authentication and Authorization Service (JAAS) as a generic interface for the different authentication methods.2 Workflow with X. You can set the initial configuration and administration in the Secure Login Administration Console. The Secure Login Server is a pure Java application. there is a corresponding configurable JAAS module. The configuration data is stored in the database and can be displayed using the J2EE Engine GUI Config Tool in the path SecureLoginServer.2. All rights reserved.1. The Secure Login Server is the central server component that connects all parts of the system. It is installed on an SAP NetWeaver Application Server. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide What Is Secure Login? . The Secure Login Server provides client authentication profiles to the Secure Login Client or Secure Login Web Client.509 Certificate Request Using Secure Login Server The following figure shows the principal workflow and communication between the individual components.The Secure Login Client is responsible for the certificate-based authentication and Kerberos-based authentication to the SAP application server.1 Authentication Methods with Secure Login Server Secure Login supports several authentication methods.2. It allows flexible user authentication configurations (for example. 10 PUBLIC © 2013 SAP AG or an SAP affiliate company. which authentication type should be used for which SAP application server). 1. The following authentication methods are supported ● ● ● ● ● ● ● Microsoft Active Directory Service (ADS) RADIUS RSE SecurID token LDAP ABAP-based logon SAP NetWeaver AS Java User Management Engine SAP NetWeaver AS Java SPNego 1. 6. 1. Secure Login Client provides the user certificate to SAP GUI. The Secure Login Server forwards the user credentials to the authentication server (for example. 8. the Secure Login Client retrieves the SNC name from the SAP NetWeaver Application Server ABAP (AS ABAP). 2. The Secure Login Client generates a certificate request. To generate this SNC name.1.1. 4. an LDAP or RSA server) and receives a response indicating whether the user credentials are valid or not. 5. This user certificate is used to perform single sign-on and secure communication (SNC) between the SAP GUI or web GUI client and the AS ABAP. Upon connection start. The Secure Login Client sends the user credentials and the certificate request to the Secure Login Server.3 Main System Components without Secure Login Server The following figure shows the Secure Login system environment with the main system components: Secure Login for SAP NetWeaver Single Sign-On Implementation Guide What Is Secure Login? PUBLIC © 2013 SAP AG or an SAP affiliate company. the Secure Login Client uses the client policy of the Secure Login Server. 3. 9. the Secure Login Server generates a certificate response and provides it to the Secure Login Client. 7. If the user credentials are valid. 11 . The Secure Login Client provides the user credentials. All rights reserved. All rights reserved. 1.1 Authentication Methods without Secure Login Server In a system environment without Secure Login Server.509 certificates through secure network communication (SNC).509 certificates: ● ● Smart card and USB tokens with an existing PKI certificate Microsoft Crypto Store (Certificate Store) 12 PUBLIC © 2013 SAP AG or an SAP affiliate company. the Secure Login Client supports the following authentication methods: Table 1: Authentication Methods without Secure Login Server Authentication Method Authentication with X.509 certificates Details The certificate provider sends the X. The following certificate providers work with X. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide What Is Secure Login? .1.3.The Secure Login Client is responsible for the certificate-based and Kerberos-based authentication to the SAP application server. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide What Is Secure Login? PUBLIC © 2013 SAP AG or an SAP affiliate company. 1. 3.509 certificate from the user security token. 13 . see LINK 1.2 Workflow with X. 2. 6.509 Certificate without Secure Login Server The following figure shows the principal workflow and communication between the individual components. The user is authenticated and the communication is secured.1. Authentication with Kerberos tokens For more information about the authentication with a Kerberos token.Authentication Method Details In SNC the Secure Login Client can perform authentication with encryption and digital signing certificates. The Secure Login Client uses the authentication profile for this SNC name. by entering the PIN or password. the Secure Login Client retrieves the SNC name from the SAP NetWeaver AS ABAP.5 Workflow with Kerberos Token.509 certificate for single sign-on and secure communication between SAP GUI or Web GUI and the AS ABAP. 4. for example. All rights reserved.3. The Secure Login Client provides the X. 5. Upon connection start. 1. The user unlocks the security token. The Secure Login Client receives the X. The Secure Login Client supports RSA and DSA keys. 1. 2. All rights reserved.3. 5. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide What Is Secure Login? . 3. The Secure Login Client receives the Kerberos Service token The Secure Login Client provides the Kerberos Service token for SAP single sign-on and secure communication between SAP Client and SAP server. Upon connection start. 1. 14 PUBLIC © 2013 SAP AG or an SAP affiliate company. The Crypto Service Provider (CSP) from SAP is such a plug-in. The user is authenticated and the communication is secured. The Secure Login Client starts at the Ticket Granting Service a request for a Kerberos Service token.1. It provides the user keys to all CAPI-enabled applications. 4. The Microsoft Crypto API has a plug-in mechanism for third-party crypto engines.3 Server Workflow with Kerberos Token without Secure Login The following figure shows the principal workflow and communication between the individual components.Note Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. the Secure Login Client retrieves the SNC name (User Principal Name of the service user) of the respective SAP server system. long term X. 1. Based on the industry standard X.509 certificates. or user login ID padding and archive certificate requests. You can define the user certificates. the user needs to be authenticated (verified by the Secure Login Server). An authentication profile uses a user CA and an authentication method against a certain client type. The enrollment URL. 15 .509v3. Using authentication stacks makes sure that Secure Login is a failover solution. SAP NetWeaver). All rights reserved. and the client behavior is downloaded to each client. Users receive short term X. PKI. Therefore the Secure Login Server supports several authentication servers. In order to provide user certificates. the certificates can be used for non-SAP systems as well. There are different integration scenarios available for Secure Login Server.4 PKI Structure You can integrate the PKI in different ways. You can select either the type Secure Login Client or Secure Login Web Client. For the application server. The main feature of the Secure Login Server is to provide an out-of-the-box PKI for users and application server systems (for example.509 certificates are issued. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide What Is Secure Login? PUBLIC © 2013 SAP AG or an SAP affiliate company. The following out of the box PKI structure can be delivered with the Secure Login Server.2 System Overview with Secure Login Server This topic gives you an overview of an environment using Secure Login Server. SAP NetWeaver Administrator organizes the client authentication profiles in authentication stacks with login modules.509 certificates for users (short term) and application server (long term).4. 1. for example. with LDAP user mapping using attributes from LDAP or Active Directory.1. You are free to change the Distinguished Name in many ways. 1.3 Client Authentication Profiles The client authentication profile feature of Secure Login allows you to determine a certain user authentication method.1 Out-of-the-Box PKI Login Server Secure Login Server provides standard X. 509v3.1. All rights reserved. The required minimum is to provide a user CA certificate to the Secure Login Server. 16 PUBLIC © 2013 SAP AG or an SAP affiliate company. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide What Is Secure Login? . it is possible to integrate the Secure Login Server to an existing PKI.4.2 PKI Integration As the Secure Login Server is based on industry standard X. 5 Secure Communication The goal of the Secure Login solution is to establish secure communication between all required components: Secure Login for SAP NetWeaver Single Sign-On Implementation Guide What Is Secure Login? PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. 17 .1. All rights reserved.The following table displays the security protocol or interface that is used for secure communication between various components. Table 2: Technology Used for Secure Communication From SAP GUI Business Explorer Business Client Web GUI Secure Login Client Secure Login Server Secure Login Server Secure Login Server To SAP NetWeaver SAP NetWeaver SAP NetWeaver SAP NetWeaver Secure Login Server LDAP server SAP NetWeaver RADIUS server Security Protocol / Interface DIAG/RFC (SNC) DIAG/RFC (SNC) DIAG/RFC (SNC) DIAG/RFC (SNC). HTTPS HTTPS (SSL) HTTPS (SSL) RFC (SNC) RADIUS (shared secret) 18 PUBLIC © 2013 SAP AG or an SAP affiliate company. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide What Is Secure Login? . We assume that you run SAP NetWeaver Single Sign-On 1. You want to migrate to SAP NetWeaver Single SignOn 2.2 Application A. a default PSE URI is used. a default application context that links to a default profile can be defined.4 PSE URI(A.3) Default PSE URI Profile P.0.1) PSE URI (A. You define these parameters in the XML policy file. Table 4: Profiles and Related Settings Profiles and Related Settings Profile P.0 on a separate SAP NetWeaver Application Server in addition to your Secure Login Server 1. All rights reserved.1 Application A.z Application A.2) PSE URI (A.0.1.3 Application A.0 from 1.6 Policy Server Overview Secure Login Client configuration is profile-based.0.4 does not have a PSE URI that is specifically assigned to application A.7 Migrating to SAP NetWeaver Single Sign-On 2. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide What Is Secure Login? PUBLIC © 2013 SAP AG or an SAP affiliate company.y Settings for Default Profile P.x Settings P. Example The following tables shows an example for dependencies of application contexts and profiles: Table 3: Dependencies of Application Contexts and Profiles Application Contexts Application A.0 from 1.0. The application contexts and profiles are stored in the Microsoft Windows Registry of the client.x Profile P.y Profile P. If no matching PSE URI is found. For this reason. Run both Secure Login Servers in parallel. Install Secure Login Server 2. The system then searches the application contexts for specific personal security environment universal resource identifiers (PSE URIs). The following scenarios are possible: 1.0 This topic describes the scenarios for migrating to SAP NetWeaver Single Sign-On 2.0 from 1.x Profile P. 19 .z Settings P.z 1.y Default Profile P.x Default Profile P.4. It links to a default profile with settings are configurable in the XML policy file. You can configure the application contexts to provide a mechanism for automatic application-based profile selection. follow the instruction in the related link. Update Secure Login Server from 1. b. Update Secure Login Server from 1. Set the protocol for SAP NetWeaver Single Sign-On 1. All rights reserved.0 [page 32] This use case describes the settings if you run Secure Login Client of SAP NetWeaver Single Sign-On 2. In the configuration of the Secure Login Server. Related Information Configuring a Secure Login Client 2.0 in the enrollment URL. you proceed with the migration of Secure Login Library.0 with Secure Login Server 1. see the related link. which describes how you migrate Secure Login Client to version 2.0.0. you must use the protocol for SAP NetWeaver Single Sign-On 1.0 to 2. The Secure Login Client 2. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide What Is Secure Login? . 2.0 by distributing the Secure Login Server 2.0 and keep Secure Login Client with version 1. You must change the configuration. For more information.0. Update Secure Login Client 1. For more information.0 using the protocol type for SAP NetWeaver Single Sign-On 1.0 to match with Secure Login Server 2.0 using profile groups in the Secure Login Server.0 in the enrollment URL. b. Update the policy URL on the Secure Login Clients 1. In this case.0 to 2. Configure the authentication profiles on Secure Login Server 2. Caution The Secure Login Client configuration is not valid anymore.Tip We recommend that you use this scenario for migration. a.0 overwrites Secure Login Server 1. You need not make any further changes in the configuration. see related link. 4.0 on an SAP NetWeaver Application Server means that Secure Login Server 2. c. Caution The Secure Login Client configuration is not valid anymore.0.0 you change the protocol type of the enrollment URL on the Secure Login Server to 2. After having migrated Secure Login Client and Secure Login Server. The client receives the configuration automatically with the policy download agent. Update Secure Login Client 1.0 and keep Secure Login Server 1.0 in the enrollment URL for every single client authentication profile in the Secure Login Client Settings tab of the Secure Login Administration Console. This protocol is compatible with the clients running on version Secure Login Client 1.0 to 2. 20 PUBLIC © 2013 SAP AG or an SAP affiliate company. see the related link.0. Configure the authentication profiles and the profile groups of the Secure Login Server as described in the related link. Update the configuration of the Secure Login Client as described in the related link. Caution Updating Secure Login Server from 1.0 to Run with Secure Login Server 1. You must change the configuration.0.0. a. The configuration for the clients in the Secure Login Server remain the same. 3. d.0 to 2. For more information.0 configuration among the clients.0.0 does not work with Secure Login Server 2.0. After having updated all Secure Login Clients to version 2. The migration depends on the client and on the login modules you use. 21 . Creating a Profile Group of Client Authentication Profiles [page 31] You can use profile groups filled with the client authentication profiles of the Secure Login Server 2.Migrating Secure Login Server 2.0 from 1.0. you must adapt the protocol of the enrollment URL in Secure Login Server. All rights reserved.0.0 to 2. Migrating Secure Login Library to SAP NetWeaver Single Sign-On 2.0.0 from 1. Setting the Enrollment URL for Secure Login Client [page 114] During a migration.0 [page 53] This topic describes how you migrate the cryptographic library from SAP NetWeaver Single Sign-On 1.0 from 1. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide What Is Secure Login? PUBLIC © 2013 SAP AG or an SAP affiliate company. Downloading Policies to Secure Login Client Using Profile Groups [page 30] During the migration.0 [page 107] The following section describes how you migrate Secure Login Server 2.0 when you migrate Securer Login Client. the Secure Login Client needs the client authentication policies of the Secure Login Server 2. exe.0 installation procedure uninstalls the old MSI-based Secure Login Client 1. To download the SAP NetWeaver Single Sign-On software from the SAP Service Marketplace.exe to install Secure Login Client. If you choose Secure Login Server Support. uninstall it manually before you start the installation of Secure Login Client 2. you want to use the policy download agent for getting the client policy configuration from Secure Login Server to Secure Login Client. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client . go to https:// service. 2.1 Secure Login Client Secure Login Client Installation This section explains the installation and the installation options of the Secure Login Client. 3. SAP NetWeaver Single Sign-On SAP NetWeaver Single Sign-On 2. (Optional) If. Start SAPSetupSLC. The Secure Login Client installation package of the Secure Login Client component contains the following options Table 5: Installation Components of Secure Login Client Option SAP Secure Login Client Description This option installs the basic components of Secure Login Client. the Secure Login Server provides user certificates to the Secure Login Client.0 SP1 or higher. deploy the new policy URL (located in the policy group settings) before you execute Sap Setup. All rights reserved. Based on the provided user credentials. 4. If you run Secure Login Client 1. This feature is mandatory.0 SP0. in the case of a new installation. 1. Option for an installation under Citrix XenApp. it comes together with the options Crypto & Certificate Store Providers and Policy Download Agent. Sap Setup restarts the policy download service and pulls the client configuration from Secure Login Server.sap. This option installs authentication support with Secure Login Server.2 2.0. An installation of the Secure Login Client in a Citrix XenApp environment does not require any special steps or settings. This is only true for Secure Login Client 1.0 Download the installation package SAPSetupSLC.com/swdc. see related link. Note The Secure Login Client 2. Start during Microsoft Windows login Secure Login Server Support 22 PUBLIC © 2013 SAP AG or an SAP affiliate company.0. Choose products Installations and Upgrades Browse our Download Catalog SAP NetWeaver and complementary Installation . Web Adapter Enable logging 5. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client PUBLIC © 2013 SAP AG or an SAP affiliate company. do not install this feature. choose Next. To continue.0. To hide the Kerberos profile. We recommend that you install this option only for problem analysis. You can create your own installation package or deploy Secure Login Client on multiple clients.1 Unattended Installation with SAPSetup Installation Server This topic describes how you run an unattended installation of Secure Login Client with the SAPSetup Installation Server. Related Information Secure Login Client for Citrix XenApp [page 44] This section describes how to use the Secure Login Client in a Citrix XenApp environment.0. 23 . As an example. Caution When you install Secure Login 2. Use Secure Login Client to create and store private keys for the Secure Login Web Client. Choose Install.Option Kerberos Single Sign-On Description This feature installs the Kerberos authentication support. Restriction An unattended installation with SAPSetupSLC package delivered by SAP only includes the preselected (default) installation options. The Secure Login Client starts automatically when a user logs on. Deploy Secure Login Client on multiple clients using SAPSetup Installation Server. 7. An administrator cannot select or unselect options. An administrator has several possibilities to distribute Secure Login Client to various clients. All rights reserved. This feature installs the trace and logging option. you uninstall an old MSI-based Secure Login Client 1.1. Close the window of the installation package. an administrator can create a dedicated installation package on a central installation server and then distribute it among the clients. ● ● Create a dedicated installation package for distribution among multiple clients using SAPSetup Installation Server. You use the SAPSetup Installation Server to distribute SAP front-end software on multiple workstations across the network. 6. 2. (If applicable) Distribute the installation with SAP Setup means. 2. 1. Follow the instruction of the wizard. 2. The wizard guides you through the uninstallation.2. 1. Start Control Panel in your Microsoft Windows operating system. All rights reserved. Use the method that suits you best to distribute Secure Login Client to the client workstations.1.2. see related link.com/sltoolset 2. Using Control Panel in your Microsoft Windows operating system Using SAP Setup Using a command line tool 2. You have now uninstalled your Secure Login Client. For more information on SAPSetup. Note SAPSetupSLC is a default SAPSetup.1. It support all default parameters and arguments. you can use SAPSetup. 4.1. Related Information http://service.exe.1.sap. 3. 2. Related Information 24 PUBLIC © 2013 SAP AG or an SAP affiliate company. Start SAPSetup as described in the related link. 3. Unselect all options. Choose the button for uninstallation. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client .1 Uninstalling Secure Login Client with Microsoft Windows Control Panel You can uninstall Secure Login Client using Control Panel of Microsoft Windows. If you want to uninstall Secure Login Client. 5.2 ● ● ● Uninstalling Secure Login Client There are multiple ways to uninstall Secure Login Client.2 Uninstalling Secure Login Client with SAPSetup Here you find a description how you uninstall Secure Login Client using SAPSetup. 2. Start SAPSetupSLC. Choose the option for uninstalling a program Select the row for Secure Login Client. com/swdc.exe /product:"SLC" /repair For an uninstallation. 2. 1. 2. Start a command prompt.sap.1.3 Uninstalling Secure Login Client with a Command Line Tool Here you find a description how you uninstall Secure Login Client using a command line tool. You can download the Support Package software from the SAP Service Marketplace. You can uninstall Secure Login Client with the command NwSapSetup. http://service. Microsoft Windows 32 bit: %ProgramFiles%\SAP\SapSetup\setup Microsoft Windows 64 bit: %ProgramFiles(x86)%\SAP\SapSetup\setup Note NwSapSetup. You simply run the installation software and overwrite your existing Secure Login Client. Go to https://service. proceed as follows: 1.exe /product:"SLC" /uninstall /nodlg You have uninstalled Secure Login Client.com/sltoolset 2. 2. Enter the uninstallation command.2. Use the following command: NwSapSetup.sap.exe also offers a repair function. 25 .0 . Choose Support Package and Patches Browse our Download Catalog SAP NetWeaver and complementary products SAP NetWeaver Single Sign-On SAP NetWeaver Single Sign-On 2.Secure Login Client Installation [page 22] This section explains the installation and the installation options of the Secure Login Client. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client PUBLIC © 2013 SAP AG or an SAP affiliate company. It is located in the installation directory. You do not need to uninstall the existing version of the Secure Login Client.2 Updating the Secure Login Client to SP1 To update the Secure Login Client 2.0 SP0 to SP1. Example NwSapSetup. take the following steps.exe. 5. https://<host_name>:<port>/webdynpro/resources/sap.509 Certificate. size. The version number 2. and a temporary download ID is appended. 4. 3. 7.com:50001/webdynpro/resources/sap. Go to the Certificate Management tab. Related Information Secure Login Client Installation [page 22] This section explains the installation and the installation options of the Secure Login Client.. All rights reserved. and the patch level are displayed.0 Support Package 1. 6.3 Adding Root Certificates during Installation This section describes how to integrate the installation of the Secure Login Server root CA certificate (Microsoft Certificate Store) for the Secure Login Client into software distribution tools. type. 5..ui/Main Example https://example.com/securelogin. Open the Secure Login Administration Console. To export a root CA certificate from the Secure Logon Server. Save it in a location of your choice. Select the root CA you want to export.Note The file name of the installation kit indicates the support package.com/securelogin. 4. the patch level number. right-click the blue diamond of the Secure Login Client in the Microsoft Windows notification area. Choose the Export Entry button..ui/Main 2. Note You might be prompted to enter and confirm a password to encode the entry file. To display the version number of your software. and the download link. 8. Note The customized aspects of this installation are associated only with the integration with Secure Login Server. Start the installation as decribed in the related link. (Optional) Rename the file so that it indicates the origin of the root CA certificate. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client . proceed as follows: 1. The dialog box displays the file name.crt. Choose About Secure Login. 26 PUBLIC © 2013 SAP AG or an SAP affiliate company. Choose Download button. This means that the exported certificate file has the file extension . 3. 2. Choose the export format X. Start the command prompt in Microsoft Windows. To do so.3 Option 3: Distribute Secure Login Server Root CA Certificates Using Microsoft Group Policies This topic shows you how to distribute Secure Login Server root CA certificates using Microsoft Group Policies Use the corresponding procedure in the related link. Log on to the Microsoft Domain Server as administrator. Related Information Distributing Root CA Certificates Using Microsoft Group Policies with Microsoft Windows Server 2008/2008 R2 [page 28] These steps describe how to distribute root CA certificates using Microsoft Group Policies. 27 . Use the following command:certutil –dsPublish –f <root_CA_file> RootCA Restart your client.2.exe /add /all /c SLS_RootCA. Example certmgr.2 Option 2: Distributing Root CA Certificates on Microsoft Domain Server To distribute Secure Login Server root CA certificates to all clients in Active Directory. This pushes the certificates to the client.) to import certificates. which is part of the Microsoft Windows Software Development Kit (SDK. 3. 2. 2. All rights reserved.3.exe /add /all /c <root_CA_file> /s ROOT /r localMachine The Root CA certificate is provided by the Secure Login Server.crt /s ROOT /r localMachine 2.3.1 Option 1: Installing Root CA Certificate on a Windows Client You need to install the root CA certificate from Secure Login Server in the client environment.3. use the following command to import a certificate: Syntax certmgr. After a restart the group policies are updated. you can also use the command gpupdate /force. The root CA certificate is used to establish secure communication to the Secure Login Server. Use the Microsoft CertMgr tool. 4. proceed as follows: 1. Distributing Root CA Certificates Using Microsoft Group Policies with Microsoft Windows Server 2003/2003 R2 [page 28] Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client PUBLIC © 2013 SAP AG or an SAP affiliate company. In a system with a Secure Login Client installation. To edit the default domain policy. To distribute Secure Login Server root CA certificates using Microsoft Group Policies. take the following steps: Microsoft Windows Server 2008/2008 R2 1. Restart your client. 4. Import the root CA certificate of the Secure Login Server. Restart your client. 3. you can also use the command gpupdate /force. take the following steps: Microsoft Windows Server 2003/2003 R2 1. 6. 28 PUBLIC © 2013 SAP AG or an SAP affiliate company. 5. To distribute Secure Login Server root CA certificates using Microsoft Group Policies. 2. Import the root CA certificate of the Secure Login Server. After a restart the public key and group policies are updated.1 Distributing Root CA Certificates Using Microsoft Group Policies with Microsoft Windows Server 2008/2008 R2 These steps describe how to distribute root CA certificates using Microsoft Group Policies. you can also use the command gpupdate /force. Open Domain Security Policy. 2. Go to the administrative tools. 3. Open the Control Panel in Microsoft Windows. Open the Control Panel in Microsoft Windows Go to Administrative Tools.2 Distributing Root CA Certificates Using Microsoft Group Policies with Microsoft Windows Server 2003/2003 R2 These steps describe how to distribute root CA certificates using Microsoft Group Policies. Open the Group Policy Management Editor. 2. 2. Choose the domain name. This pushes the certificates to the client. To do so. To do so.These steps describe how to distribute root CA certificates using Microsoft Group Policies. After a restart the public key and group policies are updated. 5. 6.. Go to Security Settings Public Key Policies Trusted Root Certification Authorities .3. Navigate to Edit.3. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client .. 7.3. Go to Forest Domain . All rights reserved.3. right-click Policies Windows Settings Security Settings Public Key Policies Computer Configuration Trusted Root Certification Authorities . 4. This pushes the certificates to the client. 0. Configuring Client Tracing [page 41] Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client PUBLIC © 2013 SAP AG or an SAP affiliate company. Tip We recommend that you perform the exchange of the enrollment URL and the policy download to get the full range of settings from Secure Login Server 2. If you installed Secure Login Client 2. You can run either Secure Login Server 2.0. For more information.0.0 from 1. It does not matter whether you run all or only some clients with Secure Login Client 2. Prerequisites The following prerequisites must be fulfilled when you want to start migrating Secure Login Client: ● ● If you keep the Secure Login Server of SAP NetWeaver Single Sign-On 1.0 or update some or all clients to Secure Login Client 2. you determine the trace parameters in a special configuration file that is located on the client.0 in the registry of your clients one by one whenever you think that it makes sense for a specific client. This configuration is not valid anymore.0 with Secure Login Server 1.0 or update all or some of the clients to Secure Login Client 2. 29 .0.0. You may also run Secure Login Server 2.2.0.0 and keep the Secure Login Client 1.0 and 1. Related Information Migrating Secure Login Server 2. Configuring a Secure Login Client 2. For more information.0. see the related link. All rights reserved. you must adapt the clients.4 Migrating Secure Login Client to SAP NetWeaver Single Sign-On 2.0.0 and 1. There are multiple migration scenarios for the Secure Login Client. each client had a registry entry that determined the trace conditions of this client.0. see related link.0 to Run with Secure Login Server 1.0. Client Tracing of Secure Login Client In SAP NetWeaver Single Sign-On 1.0 [page 32] This use case describes the settings if you run Secure Login Client of SAP NetWeaver Single Sign-On 2. you can exchange the enrollment URL to Secure Login Server 2.0. For more information. you can update the clients without a policy change. see related link.0 in parallel and keep the Secure Login Client 1. If you have already migrated the Secure Login Server from 1.0 from 1. In SAP NetWeaver Single Sign-On 2.0 The following section describes how you migrate Secure Login Client to SAP NetWeaver Single Sign-On 2.0 [page 107] The following section describes how you migrate Secure Login Server 2.0 from 1.0 to 2. The migration depends on the client and on the login modules you use.0 from 1.0 or 1.0. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client . Enable Fully Qualified Distinguished Name in Enrollment URL [page 209] The following topics describes how to enable a fully qualified distinguished name in an enrollment URL.1 Downloading Policies to Secure Login Client Using Profile Groups During the migration. The Secure Login Client uses the new policies after a restart.0 from 1.0.0.If you want to switch on tracing of Secure Login Client.0 from 1.2 Downloading Policies to Secure Login Client Using the Policy Download Agent Secure Login Client gets the client authentication policies from the Secure Login Server 2.4. you need to get the policies of the client authentication profile from Secure Login Server 2. 2. you must configure a file for client tracing in each client. Distribute the registry file with the distribution mechanisms you usually use. For more information. see related link. A profile group contains one or several client authentication profiles.0. 2. Migrating to SAP NetWeaver Single Sign-On 2. two per profile group.0 [page 19] This topic describes the scenarios for migrating to SAP NetWeaver Single Sign-On 2. Import these registry files into the clients you want to migrate to the policies of SAP NetWeaver Single Sign-On 2. For more information.0. 2. Each client authentication profile defines a number of policies that determine the behavior of the client.0.0 or 1. Download the file ProfileDownloadPolicy_<profile_group>. the Secure Login Administration provides registry files (*.0. the Secure Login Client needs the client authentication policies of the Secure Login Server 2. If you download the policies to the Secure Login Client.0 when you migrate Securer Login Client. 3. Prerequisites: You have checked the Policy Download Agent option during the Secure Login Client installation.reg to import the policy URL and the settings into the clients. see related link. Proceed as follows: Create a profile group with the client authentication profiles of Secure Login Server 2. After the distribution.0.0 in regular intervals using the policy download agent. 1.reg). It does not matter whether you use Secure Login Client 2. the registry file imports all the client authentication parameters into the registry of the respective clients. All rights reserved. This is possible if you use profile groups.4. Create a profile group with the client authentication profiles of Secure Login Server 2. 30 PUBLIC © 2013 SAP AG or an SAP affiliate company. Related Information Creating a Profile Group of Client Authentication Profiles [page 31] You can use profile groups filled with the client authentication profiles of the Secure Login Server 2. If you unselect the installation option Start during Windows login.2 Using Certificates for CAPI Applications You only need this feature if you want to use certificates issued for CAPI applications by the Secure Login Server. such as for a client authentication with Internet Explorer.4. Download the client authentication policies of the Secure Login Server 2.com/securelogin. The CSP/CAPI service is registered during the installation. the Secure Login Client does not start automatically.0. Enable Fully Qualified Distinguished Name in Enrollment URL [page 209] The following topics describes how to enable a fully qualified distinguished name in an enrollment URL. Related Information Creating a Profile Group of Client Authentication Profiles [page 31] You can use profile groups filled with the client authentication profiles of the Secure Login Server 2.0 when you migrate Securer Login Client.0 when you migrate Securer Login Client. 2. Open the Secure Login Administration Console of NetWeaver Single Sign-On 2.1 Start during Windows login The Secure Login Client starts automatically when a user logs on to a Microsoft Windows operating system. To create a profile group and to download the profiles to clients.4.2.4.0 to the Secure Login Client in a profile group. install the Policy Download Agent feature.2. One client can only belong to one profile group. proceed as follows: 1.3 Downloading Policies from the Secure Login Server To automatically download client policies from the Secure Login Server.3 Creating a Profile Group of Client Authentication Profiles You can use profile groups filled with the client authentication profiles of the Secure Login Server 2.2. Restart the client systems or restart the Secure Login service to get the configuration into the clients. All rights reserved. 2. 31 . https://<host_name>:<port>/webdynpro/resources/sap. 2.4.ui/Main Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client PUBLIC © 2013 SAP AG or an SAP affiliate company. Remember that this automatic startup increases memory and CPU consumption. 2.4. and actions after policy download.0.0 to Run with Secure Login Server 1. 7. and the setting when the policy is updated. the Secure Login Client retrieves the policies of respective profile group from the Secure Login Server. you must take care that the enrollment URL and the policy URL are correct in Secure Login Server 1. You find an overview of the client authentication parameters in the related link. see related link.0 with Secure Login Server 1. Among other things. 2. add more client authentication profiles. If required. the registry file imports all the client authentication parameters into the registry of the respective clients. 3. ○ ProfileDownloadPolicy_<profile_group_name>. 5.Example https://example. For more information. 10. Distribute the registry files with the distribution mechanisms you usually use. 6. Choose the Create button.0. they contain the protocol. If there are any changes in the profiles. Start the Secure Login Server.4. Select Profile Groups in the toolbar below the tabs. such as protocol.com/securelogin. Related Information Parameters for Client Configuration [page 173] This topic contains the client configuration parameters. Start Secure Login Administration Console of SAP NetWeaver Single Sign-On 1. you can specify some properties. 9.0. Go the Client Authentication Profiles tab. Enter the parameters for the download mode of the profile groups and policies.reg This file includes the policy URL that specifies the resource file that includes the latest configuration of all client authentication profiles in the profile group. Parameters for Downloading Policies Using Profile Groups [page 182] When you create a profile group from the client authentication profiles. After the distribution. download the most recent registry file and re-install the Secure Login Client for the changes to take effect. 8. All rights reserved. 4.0 together with Secure Login Server 1. If there are any changes in the profiles.ui/Main 2.0 This use case describes the settings if you run Secure Login Client of SAP NetWeaver Single Sign-On 2. policy update interval. the port. host name. In intervals defined in the profile group parameters. 32 PUBLIC © 2013 SAP AG or an SAP affiliate company.reg This file includes the configuration of all client authentication profiles in the profile group.4 Configuring a Secure Login Client 2. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client . The subsequent popup displays the following registry files: ○ ProfileGroup_<profile_group_name>. Choose Download Policy. Enter a name and a description for the profile group. the interval after which the policy is updated.com:50001/webdynpro/resources/sap. timeout. the network timeout. Take the following steps to check or configure the enrollment URL: 1.0. the most recent configuration is automatically updated in the Secure Login Client after a defined time (policy update interval). If you want to run clients with Secure Login Client 2. 0. 2. 33 . how to define the user mapping in SAP user management. 4. 8. Among other things. you need to enable the SNC option. enable the SNC option.1 Kerberos SNC Name Choose the option Activate Secure Network Communication and define the SNC Name.1. 6. Go to the Enroll URL field and change the URL if required. Example SNC Name: Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client PUBLIC © 2013 SAP AG or an SAP affiliate company. Choose Client Configuration. 2.5 Configuration Options This topic deals with several configuration options of the Secure Login Client. 9.5. Choose the Profiles tab. Go to the Client Policy tab. Start the SAP GUI application. 2. Save your changes. Go to the instance you want to use. 5.1 Enable SNC in SAP GUI Using SNC in SAP GUI To establish secure communication between SAP GUI and SAP NetWeaver application server. 7. User the field Policy URL to enter the policy URL for Secure Login Server 1. Choose the Edit button. this section describes how to enable SNC in SAP GUI. All rights reserved. create or open a system entry. Save your changes.5. 3. and define the SNC name of the SAP NetWeaver Application Server ABAP. and how to support smart cards. Example <Server host:port>/securelogin/admin/Navigation? 10.Syntax: http://<IP/FQDN>:5<instance_number>00/securelogin https://<IP/FQDN>:5<instance_number><https_port>/securelogin (secured) 2. Note that the definition of the SNC name is case-sensitive.LOCAL The SNC name is provided by your SAP NetWeaver Administrator.1.5.509 Certificate SNC Name Choose the option Activate Secure Network Communication and define the SNC name. 2. Configuration. For more information. All rights reserved. about how to install the SNC library on the SAP NetWeaver application server. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client .2 X. and Administration Guides.p:CN=SAPServicesABC/@DEMO. see the Secure Login Library Installation. 34 PUBLIC © 2013 SAP AG or an SAP affiliate company. 1 1.2. 35 .Example SNC Name: p:CN=ABC. For more information about how to install the SNC library on the SAP NetWeaver application server. Note that the definition of the SNC Name is case-sensitive. 2.5.509 certificate or Kerberos token). 2. OU=SAP Security The SNC name is provided by your SAP NetWeaver administrator. and Administration Guides. Manual Configuration Start the user management tool by calling transaction SU01. we recommend that you use the SAP NetWeaver Identity Management solution to manage user mapping. this mapping is required to define which security token belongs to which SAP user. For the user authentication using security tokens (X.5. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client PUBLIC © 2013 SAP AG or an SAP affiliate company.2 User Mapping This section describes how to define the user mapping in SAP user management. Choose the SNC tab. All rights reserved. Configuration. see the Secure Login Library Installation. Tip For smooth and straightforward integration. 509 certificate Distinguished Name in the SNC name field. If you are using Kerberos authentication.2.2.LOCAL belongs to the user "SAPUSER".509 Certificate Example In this example the SNC name p:CN=SAPUSER.1 Kerberos Example In this example. enter the Kerberos user name in the SNC name field.5.5. 2. Note Note that the definition of the SNC name is case-sensitive. If you are using X.2 X.509 certificate based authentication. All rights reserved. 3. the SNC name p:[email protected]. 36 PUBLIC © 2013 SAP AG or an SAP affiliate company. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client . 2.1.2. OU=SAP Security belongs to the user "SAPUSER". enter the X. You receive a list of SAP users or SAP user groups.1 Kerberos Example In this example.2. see the Secure Login Library Installation.Note For more information about how to perform user mapping. This batch tool takes an SAP user and uses the components <previous_character_string><SAP_user_name><next_character_string> to build the SNC name. 37 . With this tool you can choose all SAP Users by specifying *. 2.5. Configuration and Administration Guide.LOCAL Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client PUBLIC © 2013 SAP AG or an SAP affiliate company. Note Note that the definition of the SNC name is case-sensitive.2. SNC names are generated with the following string for all users without an SNC name: p:CN=<user_name>@DEMO. All rights reserved.2.2 Set External Security Name for All Users You can use transaction SNC1 (report RSUSR300) to configure the SNC name in batch mode. You can use the option Users without SNC names only to overwrite SNC names. 2.5. You can make the following settings: ● ● ● ● ● Common settings PCSC settings CAPI settings Kerberos settings for Kerberos profile Kerberos settings for SPNego profile For more information.509 Certificate Example In this example SNC names are generated with the following string for all users without an SNC name: p:CN=<user_name>. 38 PUBLIC © 2013 SAP AG or an SAP affiliate company. see the related links.2.2. OU= SAP Security 2.3 Overview of Registry Configuration Options This section describes further configuration options in registry for the Secure Login Client. All rights reserved.5.2. This section describes further configuration options in registry for the Secure Login Client.2 X. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client .5. Checklist for smart card support: ● ● If required install smart card reader hardware and PC/SC driver. CAPI Settings [page 145] This table refers to the CAPI setting from third-party Cryptographic Service Providers. The mini drivers automatically publish the certificates. This middleware software should support the desired smart card.509 certificates stored in smart cards and supports 64-bit CSP. Secure Login Client supports smart cards through the Microsoft Crypto API (CSP) or middleware that is based on mini drivers. 2. which might close the smart card after the logon to Microsoft Windows. 2.5.509 certificates for digital signatures in an SAP environment. contact your smart card middleware vendor. For smart card support.5. Whether the user is able to do this depends on the smart card middleware. PIN management is handled by the middleware software. Some smart card vendors provide their own middleware software. The supported interface is Secure Store and Forward (SSF). and there are some middleware software vendors available who support different kinds of smart cards. 39 . Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client PUBLIC © 2013 SAP AG or an SAP affiliate company. The prerequisite for using SSF is that SSF is configured in the SAP instance profile. This option is part of the default installation. PCSC Settings [page 145] PCSC settings refer to the use of smart card readers.5 Digital Signature (SSF) The Secure Login Client can use X. for example.Related Information Common Settings [page 143] This table contains the common settings in the registry for the Secure Login Client. Typically the smart card reader is usually automatically recognized by the operating system. you need to install the relevant smart card middleware. All rights reserved.5. For more information. in the Microsoft Certificate Store. Install smart card middleware software.1 How to Test SSF Client Signature Procedure for testing the SSF client signature in a SAP GUI.4 Smart Card Integration The Secure Login Client can use X. This user needs to re-enter the PIN in the browser or in SAP GUI. A typical situation is a user logging on to a Microsoft operating system using the smart card.5. These interfaces are typically also supported by the smart card middleware software. Kerberos Setting for Kerberos Profile [page 149] Kerberos Setting for SPNego Profile [page 150] 2. For the parameter RFC destination.txt 8. The file should be signed.1. 2. Signing. enter the Distinguished Name of the smart card certificate in the ID field. Example: CN=Username.txt Example c:\temp\IsSigned. In this example the profile name is SSF. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client . Example c:\temp\ToBeSigned. Example: toksw:mem://securelogin/<profile_name> <profile_name> is the profile name defined in Secure Login Server. In parameter Input data. In the parameter Output data. OU=SAP Security In the SSF Profile field. enter the value SAP_SSFATGUI. You have the following configuration options: ○ If you use smart card. The system prompts you for a password. Enter the program name SSF01 and execute this program. Choose the green OK button. enter the value PKCS7. enter the file to be signed. All rights reserved. which is not required. Choose a desired function you want test. enter the Secure Login Client profile configuration. 4. . For the parameter SSF format. 3. enter the path and file name for the signed file. enter the Distinguished Name of the user certificate in the ID field. Execute the program and choose the Sign button. Example: CN=Smartcard User. OU=SAP Security ○ If you use Secure Login Client Profile provided by Secure Login Server. 7. Log on to the SAP system using SAP GUI and start transaction SE38. You get the following output: 40 PUBLIC © 2013 SAP AG or an SAP affiliate company. for example. 6. 5. choose the Other Communication button. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client PUBLIC © 2013 SAP AG or an SAP affiliate company. For details about the parameters. you must configure a file for client tracing in each client. 1. Choose the SSF option and define the desired parameters. Log on to the SAP system using SAP GUI and start transaction SU01.2 SSF User Configuration in SAP GUI This topic tells you how you configure a user for the SSF in SAP GUI. All rights reserved.2. Prerequisites: During the installation of the Secure Login Client. 3. 2.5.6 Configuring Client Tracing If you want to switch on tracing of Secure Login Client. Related Information SSF Parameters for Digital Signatures [page 151] SSF user configuration parameters for digital signatures 2. Use this configuration step to define which Secure Login Client profile is used for the SSF interface.5. This is defined for each SAP user. on the Address tab. 41 . you have chosen the Enable logging installation option.5. see the related link. Edit the desired user and. its content is moved to a backup file named sec-*. .trc becomes much bigger than this size. You can configure the following options for client tracing: ● ● ● ● Trace directory Trace level Maximum size of all rotation files Number of the rotation files Configure client tracing in the file sectrace. When the maximum number of trace files is reached. Open the file sectrace. If the trace file sec-*. 2: + Warnings . All rights reserved. .trc and <number> is incremented . Directory where trace files are written . Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client . Directory = %LOCALAPPDATA%\SAP\SecureLogin\Traces . 1: Errors . Trace configuration for Secure Login Library [trace] .% will be replaced by the directory of the Secure Login Library installation . . Specify a file size (in bytes).ini.Use Case An activated client trace function writes the trace into rotation files. 4: + Developer Trace Level= 0 . so the oldest backup file will be overwritten. RotateFileSize = 10000000 .ini using a text editor and enter your configuration. %. Number of trace backup files . Log Rotation . Trace level . If this configured number of backup files has been reached then <number> is set to 0 again . The value 0 turns log rotation off. There will be one trace file for each process. RotateFileNumber = 10 42 PUBLIC © 2013 SAP AG or an SAP affiliate company. You can use environment variables (%VARNAME%) in the specified path.<number>. then the second file and so on. 3: + Info . 0: Deactivated .BINDIR. Proceed as follows: 1. client trace continues and overwrites the first file. Example This is an example of the default content of the configuration file. Go to the following directory: For Windows 32-bit operating systems: %ProgramFiles(x86)%\SAP\FrontEnd\SecureLogin\etc\ For Windows 64-bit operating systems: %ProgramFiles%\SAP\FrontEnd\SecureLogin\etc\ 2. Make sure that you provide enough disk space for the client trace function. 3. Deactivate the trace after the error was remedied.0. 43 . Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client PUBLIC © 2013 SAP AG or an SAP affiliate company.The default trace configuration has the following default settings: ○ ○ ○ ○ The trace directory is %LOCALAPPDATA%\SAP\SecureLogin\Traces. Application Help SAP NetWeaver Library: Function-Oriented View SAP NetWeaver Business Client Application Server ABAP UI Technologies in ABAP 2.5. The size for all trace files per process ID is 100 Mbyte. You can integrate Secure Login Client in SAP NetWeaver Business Client. 2. Save your changes.0. Recommendation Only use Secure Login Client trace if an error occurred and you are investigating the cause of the error. You are using SAP NetWeaver Single Sign-On 2. The maximum number of trace files per process ID is 10. All rights reserved.0 Patch Level 5 as User Interface Add-On for SAP NetWeaver. Trace level is 0 (no trace).5. when it starts up in the morning. for example. you may get a large quantity of trace files every day.7 SAP NetWeaver Business Client with Secure Login Client Integration of Secure Login Client in SAP NetWeaver Business Client Prerequisites You have installed SAP NetWeaver Business Client 4.1 Integrating Secure Login Client into SAP NetWeaver Business Client Use the configuration file to configure that SAP NetWeaver Business uses Client Secure Login Client for authentication. Caution The maximum size of all trace files per process is 110 Mbytes (10 backup files and 1 trace file).7. This means that you can log on to SAP NetWeaver Business Client using the secure login features of SAP NetWeaver Single Sign-On. For more information about the configuration of SAP NetWeaver Business Client. 2. You are using on-demand short-term certificates from Secure Login Server. Since each Secure Login Client and each SAP GUI gets a new process ID. see the relevant SAP NetWeaver release in the SAP Help Portal under Application Server Installation and Client Configuration . add the following option to your admin options file: Example <SingleOptions> <ShowSecureLoginClientAttribute>True</ShowSecureLoginClientAttribute> </SingleOptions> The user sees the attribute Use Secure Login Client on the user interface. Note This step is optional. See the related link to the Product Availability Matrix for an overview of the supported platforms. 3.6 Secure Login Client for Citrix XenApp This section describes how to use the Secure Login Client in a Citrix XenApp environment. 44 PUBLIC © 2013 SAP AG or an SAP affiliate company. Modify your runtime connections with the attribute <UseSecureLoginClient>. RSA). To add attributes to the admin options file. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client .xml file under %PROGRAMDATA%\SAP\NWBC\. When the user tries to connect against a system where the Use Secure Login Client attribute is set.509 Certificate. It allows the user to activate or deactivate the usage of the feature for each connection using the user interface. SAP NetWeaver Business Client continues the logon process and takes over this certificate. this setting is immediately valid. Access the NwbcOptions. Example <RuntimeConnection> <Name>Test</Name> <Url></Url> <Type>R3</Type> <Client>111</Client> <Comment</Comment> <User> </User> <UseSecureLoginClient>True</UseSecureLoginClient> </RuntimeConnection> If Secure Login Client is installed on your workstation. proceed as follows: 1. To activate the appearance of the Secure Login Client attribute in the users systems dialog. SAP NetWeaver Business Client triggers Secure Login Client to create an X. It may occur that Secure Login Client opens a popup where users can enter credentials to identify themselves (secure token. 2. All rights reserved. The Secure Login Client supports only 64-bit Microsoft Windows operating systems.As an administrator you can configure a Secure Login integration by adding attributes to the admin options file. After finishing the Secure Login Client process. 2. exe /s "%ProgramFiles%\SAP\FrontEnd\SecureLogin\lib\sbussto.dll" Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client PUBLIC © 2013 SAP AG or an SAP affiliate company.2.2 Secure Login Client with a Published SAP Logon The Secure Login Client does not start automatically when a user logs on to a published SAP Logon in a Citrix XenApp environment.sap. Create the file usrlogon_slc. You can install the Secure Login Client in the same way as on a local Microsoft Windows operating system.6.1 Secure Login Client with a Published Desktop Secure Login client runs with a published desktop.exe /s "%ProgramFiles(x86)%\SAP\FrontEnd\SecureLogin\lib\sbussto. 2. A published desktop behaves similarly to a standard Microsoft Windows desktop. which similarly to a standard Microsoft Windows desktop. we recommend that you unselect the feature Start during Windows login. remove the next line if you do not want the SLC to start automatically start "Launch SLC" "%ProgramFiles(x86)%\SAP\FrontEnd\SecureLogin\bin\sbus. 45 .exe" rem register CSP.com/pam 2. All rights reserved. remove the next two lines if no CSP/CAPI support is required regsvr32.cmd: @ECHO OFF rem starting Secure Login Client. Related Information http://service.cmd in the Microsoft Windows directory and insert it into the Microsoft Windows Registry. Install the Secure Login Client. To minimize memory and CPU consumption. create a user login script called usrlogon_slc.dll" regsvr32. 2. 1.6. Insert the following content into the file usrlogon_slc. 3. To automatically start the Secure Login Client. When installing. you may unselect the features Start during Windows login. 2.6.Use Case The customer wants to run Secure Login Client in a Citrix XenApp environment.1 How to Enable Automatic Startup with a Published SAP Logon This topic describes how you automatically start up Secure Login Client with a published SAP logon.cmd in the Microsoft Windows directory. All rights reserved. Open the Microsoft Windows Registry and go to the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Open the key AppSetup and append the reference to the file usrlogon_slc. 2.cmd to the value with a simple comma as a separator (without any space). and automatic download of client policies.cmd You must keep the sequence as shown in the example above because.3 Other Features of Secure Login Client Secure Login Client supports a number of additional features. such as automatic startup when a user logs on to Microsoft Windows.cmstart.4.cmd. Example Registry value name: AppSetup Registry value: ctxhide. the system proceeds from one file to the next. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Client . 46 PUBLIC © 2013 SAP AG or an SAP affiliate company. 5. certificate issued for CAPI applications.exe usrlogon.6.exe.usrlogon_slc. Add the script to the Microsoft Windows Registry to make sure that the Secure Login Client starts automatically at startup. when starting up. Copy the file to the target SAP NetWeaver Application Server. Related Information https://service.3 3.1.1 Prerequisites for Installing Secure Login Library This section deals with the prerequisites and requirements for the installation of Secure Login Library. All rights reserved. the Secure Login Library software SECURELOGINLIB. 47 .SAR must be available.2 Installing Secure Login Library on a Microsoft Windows Operating System This topic describes the installation of Secure Login Library on a Microsoft Windows Operating System. sapcar –xvf <SourcePath>\SECURELOGINLIB.sap.SAR –R D:\usr\sap\ABC\DVEBMGS00\SLL Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company.SAR –R $(DIR_INSTANCE)\SLL Example sapcar –xvf D:\SECURELOGINLIB.1. 1.SAR to the new folder with the SAPCAR command line tool.1 Secure Login Library Secure Login Library Installation This topic explains how to install Secure Login Library. Go to SAP Service Marketplace and choose Support Package and Patches Browse our Download Catalog SAP NetWeaver and complementary products Comprised Software Component Versions the several operating systems. 3. We recommend that you create this directory below the SAP NetWeaver Application Server.0 Secure Login Library 2.0 . You can download the SAP NetWeaver Single Sign-On software from the SAP Service Marketplace.com/swdc http://service.sap. Before starting the installation process. Create a new folder named SLL in: $(DIR_INSTANCE)\SLL Example D:\usr\sap\ABC\DVEBMGS00\SLL 2. Extract the file SECURELOGINLIB. The Secure Login Library is available for 3.com/pam SAP NetWeaver Single Sign-On SAP NetWeaver Single Sign-On 2. Secure Login Library must be installed in a directory to which the Application Server has access at runtime. 3 Installation on a UNIX/Linux Operating System Before starting the installation process.1. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library . sapcar –xvf <SourcePath>/SECURELOGINLIB. <SID>adm). 3. To use shared libraries in shell (operating system UNIX/Linux) and the crl command.SAR to the new folder with the SAPCAR command line tool. Extract the file SECURELOGINLIB. Once configuration is complete.Note Take care that your adminstrator has write permission for the extracted files. Create a new folder named SLL in: $(DIR_INSTANCE)/SLL Example /usr/sap/ABC/DVEBMGS00/SLL 2.SAR –R /usr/sap/ABC/DVEBMGS00/SLL/ 3. 1. the Secure Login Library software SECURELOGINLIB. the <SID>adm user needs to have access rights to the Secure Login Library. Secure Login Library must be installed in a directory to which the Application Server has access to at runtime. All rights reserved. Copy the file to the target SAP NetWeaver Application Server. 3. use the following command: D:\usr\sap\ABC\DVEBMGS00\SLL\sapgenpse This command displays status and version information of Secure Login Library. To verify Secure Login Library.SAR –R $(DIR_INSTANCE)/SLL/ Example sapcar –xvf /tmp/SECURELOGINLIB. We recommend that you create this directory below the SAP NetWeaver Application Server. Define File Attributes in UNIX/Linux.SAR must be available. you need to set the file permission attributes with the following command: chmod +rx $(DIR_INSTANCE)/SLL/lib* chmod +rx $(DIR_INSTANCE)/SLL/sll/crl Example chmod +rx /usr/sap/ABC/DVEBMS00/SLL/lib* 48 PUBLIC © 2013 SAP AG or an SAP affiliate company. Note Perform the configuration steps for the Secure Login Library with the user account that will start the SAP application (for example. Test Secure Login Library.1. file.. 49 . Please note that for single sign-on you require a license for SAP NetWeaver Single Sign-On.. Remove the folder and its contents: Microsoft Windows $(DIR_INSTANCE)\SLL\ UNIX/Linux $(DIR_INSTANCE)/SLL/ Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company. ############################################################################# License Disclaimer SAP NetWeaver Single Sign-On You are about to configure trust for single sign-on or SNC Client Encryption. <command> [sub-options] .29 SAPCRYPTOLIB 5.0 Patch 1 (Jan 24 2013) FILE-Version 8.. Remove folder SLL. Using default SAPCRYPTOLIB library name "sapcrypto" Platform: Versions: <platform_name> SAPGENPSE 2.5.4.To use the shell under the operating system HP-UX with the shared libraries. Define File Owner in UNIX/Linux.1. chown [OWNER]:[GROUP] * Example chown abcadm:sapsys 5. Apply access rights to the user account that will start the SAP application (for example.To verify Secure Login Library. <SID>adm). use the sapgenpse command (in UNIX/Linux environment test with user <SID>adm): /usr/sap/ABC/DVEBMS00/SLL/sapgenpse The sapgenpse command produces the following output with library name.5C pl35 (Jan 28 2013) MT-safe Environment variable $SECUDIR is defined: "c:\sll20\env_var" 3. 1. platform sapgenpse version. All rights reserved. the usage of SNC Client Encryption only without SSO is free as described in SAP Note 1643878. ############################################################################# Usage: sapgenpse [-h] <command> [-h] [sub-options] .4 Uninstallation This section explains how to uninstall Secure Login Library. you need to set an attribute with the following command: chatr +s enable <INSTDIR>/<SID>/DVEBMS<instance_number>/SLL/crl 4.. and environment variable. As exception. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library .509 and Kerberos certificates in SAP NetWeaver Application Server ABAP 3.0 .0 SP1. Download SLLIBRARY01_0-xxx. define the following instance profile parameter and restart the SAP NetWeaver ABAP Application Sever: Example snc/enable = 0 For more information about the instance profile parameters see related link. Deactivate SNC Library Configuration. Go to SAP Service Marketplace and choose Support Package and Patches Browse our Download Catalog SAP NetWeaver and complementary products Comprised Software Component Versions the several operating systems. Download the SECURELOGINLIB. use the software from the SAP Service Marketplace.0 SP1 must be available.SAR for Secure Login of SAP NetWeaver Single Sign-On 2.2.SAR from the SAP Service Marketplace. This step is optional and required only if the Secure Login Library is configured in an SAP NetWeaver instance profile parameter. If you want deactivate SNC. Related Information https://service. The Secure Login Library is available for 3. the Secure Login Library software SECURELOGINLIB.2.0 SP0 to 2. Note xxx in the file name is a temporary download ID.1 Downloading the Secure Login Library Software Before you start the update process. To get the relevant Secure Login Library installation kit.2 Updating Secure Login Library from SP0 to SP1 If you want to update Secure Login Library from version 2. proceed as follows: 1.com/pam SAP NetWeaver Single Sign-On SAP NetWeaver Single Sign-On 2. All rights reserved.0 Secure Login Library 2. This archive file contains a directory structure that lists the different platforms.sap. You can download the SAP NetWeaver Single Sign-On software from the SAP Service Marketplace. 2.SAR file that is suitable for your platform. Related Information SNC Parameters for Secure Login Library [page 155] SNC parameters for X.com/swdc http://service. Choose the directory for relevant platform. 3.sap. 50 PUBLIC © 2013 SAP AG or an SAP affiliate company. exe a) (If required) Change the configuration by editing the relevant XML configuration files. 2. Before you start the update process. We recommend that this directory is located below the SAP NetWeaver Application Server. which are usually files. 3. Configuring the CRL Tool [page 83] This topic describes the CRL configuration files.2 Updating Secure Login Library to SP1 on a Microsoft Windows Operating System You can update Secure Login Library from version 2. Create a new folder named SLL.SAR –R $(DIR_INSTANCE)\SLL Example sapcar –xvf D:\SECURELOGINLIB.lst sapgenpse.0 SP0 to 2. 5.0 SP1 must be available.xml.0 SP0 remain in the renamed directory. keep the configuration files. Rename the SLL directory. Related Information SNC Communication Protocol Parameters [page 72] In the file gss. For more information. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company. in a separate place. You copy the file to the target SAP NetWeaver Application Server. sapcar –xvf <SourcePath>\SECURELOGINLIB. 51 .2.0 SP1 on a Microsoft Windows Operating System.SAR –R D:\usr\sap\ABC\DVEBMGS00\SLL Note Take care that your administrator has write permission for the extracted files.SAR for Secure Login of SAP NetWeaver Single Sign-On 2. see the related links. Start the SAP NetWeaver Application Server. you can configure the SNC communication protocol for server-to-server and client-to-server communication.SAR to the new folder with the SAPCAR command line tool. a) If you changed the configuration in the past.dll sapcrypto. Secure Login Library must be installed in a directory to which the Application Server has access at runtime. 1. to SLL_OLD. the Secure Login Library software SECURELOGINLIB. $(DIR_INSTANCE)\SLL Example D:\usr\sap\ABC\DVEBMGS00\SLL 4.3. Extract the file SECURELOGINLIB. Stop the SAP NetWeaver Application Server. for example. All the files from version 2. The SLL folder contains several subfolders and the following files: ○ ○ ○ sapcrypto. All rights reserved. Secure Login Library must be installed in a folder to which the Application Server has access at runtime. 5.SAR –R $(DIR_INSTANCE)/SLL/ Example sapcar –xvf /tmp/SECURELOGINLIB. Stop the SAP NetWeaver Application Server. to SLL_OLD. All rights reserved. Create a new folder named SLL. We recommend that this folder is located below the SAP NetWeaver Application Server. 3. Start the SAP NetWeaver Application Server. $(DIR_INSTANCE)/SLL Example /usr/sap/ABC/DVEBMGS00/SLL 4.0 SP0 to 2.SAR for Secure Login of SAP NetWeaver Single Sign-On 2. for example.lst sapgenpse a) (If required) Change the configuration by editing the relevant XML configuration files. All the files from version 2. the Secure Login Library software SECURELOGINLIB.3. 52 PUBLIC © 2013 SAP AG or an SAP affiliate company. see related link.0 SP1 on a UNIX/Linux Operating System. Extract the file SECURELOGINLIB. You copy the file to the target SAP NetWeaver Application Server.so libsapcrypto.xml.0 SP0 remain in the renamed folder.2.SAR to the new folder with the SAPCAR command line tool. Before you start the update process. keep the configuration files. The SLL folder contains several subfolders and the following files: ○ ○ ○ ○ libsapcrypto. which are usually files. in a separate place. you can configure the SNC communication protocol for server-to-server and client-to-server communication. a) If you changed the configuration in the past.sl (HP-UX only) sapcrypto. see the related links.SAR –R /usr/sap/ABC/DVEBMGS00/SLL/ Note Take care that your administrator has write permission for the extracted files. Rename the SLL folder.0 SP1 must be available. 1. 2. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library . For more information. For more information. Related Information Installation on a UNIX/Linux Operating System [page 48] SNC Communication Protocol Parameters [page 72] In the file gss.3 Updating Secure Login Library to SP1 on a UNIX/Linux Operating System You can update Secure Login Library from version 2. sapcar –xvf <SourcePath>/SECURELOGINLIB. 3.0 SP1 you can use your already existing Secure Login Library configuration or you can define a new configuration. you can activate tracing for Secure Login Library. 3.Configuring the CRL Tool [page 83] This topic describes the CRL configuration files. you find the configuration files in the sll/defaults subfolder. copy sectrace. see related link.3 Migrating Secure Login Library to SAP NetWeaver Single Sign-On 2. 53 . c) Save your changes.4 SP1 Configuring Secure Login Library During an Update to When updating Secure Login Library from 2.0 to 2. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company.0 This topic describes how you migrate the cryptographic library from SAP NetWeaver Single Sign-On 1. If you want to enter a new configuration. c) Save your changes. the SNC communication parameters or the use of certificate revocation lists.0. For more information.0 SP0). b) If you want to use Secure Login Library trace.0 SP0 to 2. c) Save your changes.ini with your preferred trace configuration (from version 2. take the following steps: a) Copy the relevant configuration files from the sll/defaults subfolder to the sll folder. ● If you want to enter a new configuration. ● If you want to use your previous configuration files (from version 2. proceed as follows: a) Copy the configuration files to the sll folder. Related Information Secure Login Library Configuration [page 57] Configuring Tracing for Secure Login Library [page 86] In the case of an error. for example.0 SP0) to the sll folder. You can change. see related link.2. b) Add the required parameters. For more information. Note After having extracted the SAR file.0 from 1. you also have the following option: a) Create a new configuration file in the sll folder. Secure Login Library uses only the configuration files that are located in the sll folder. Start the SAP NetWeaver Application Server. b) Open it in the sll folder and modify the parameters. This is the time when you replace the libraries because the AS ABAP does not access them. extract it.pse is available. The subsequent substeps guide you through the procedure.SAR in SLLnew. If you are using SNC. choose m) Choose The content of your PSE is in the database of the SAP NetWeaver Application Server ABAP. a) If the PKCS#12 file in included in pse. choose Open. 54 PUBLIC © 2013 SAP AG or an SAP affiliate company. PSE Save as. 2. you must convert these files to SAPSNCS. Use the following command: D:\usr\sap\ABC\DVEBMGS00\SLL\snc status 4. you stop the AS ABAP. All rights reserved. d) Use the following command: sapgenpse import_p12 -x <New_PSE_password> -z <PKCS#12_password> -p <PSE_file_to_create> <PKCS#12_file> e) Start the trust manager (transaction STRUST) in the Application Server ABAP. b) Convert the PKCS#12 file to a PSE file. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library . for example. Choose SNC SAPCryptolib in the popup. In the next step.0..0.zip.. you must make sure that an SNC SAPCryptolib PSE (called SAPSNCS. Choose . proceed with the next main step. If you used. (Optional) Check the SNC status to see which certificate and keytab you are using in SAP NetWeaver Single Sign-On 1. h) To import the file.SAR –R D:\usr\sap\ABC\DVEBMGS00\SLLnew 3. Use the sapgenpse command in the SSLnew folder. f) Choose PSE Import .Prerequisites: ● You have already installed Secure Login Library of SAP NetWeaver Single Sign-On 1.0 by the library SAP NetWeaver Single Sign-On 2. After having started the AS ABAP.0. If you use SNC with certificates. 1.pse in the file system) is available in the trust manager of the Application Server ABAP. you enable the Application Server ABAP to use the library of SAP NetWeaver Single Sign-On 2. add them using the trust manager. Example sapcar –xvf D:\SECURELOGINLIB. For more information. k) To save the content. If you already managed your PSEs in the trust manager of the Application Server ABAP. . pse. . create a Kerberos keytab file. you must make sure that an SNC PSE called SAPSNCS.zip for SNC with PKCS#12 files.0. i) j) l) (If required) Enter a password if your PSE is password-protected. g) Select your PSE. see related link. Unpack SECURELOGINLIB. Create a directory called SLLnew. n) If you need additional trusted certificates. Migrating Secure Login Library basically means replacing the library of SAP NetWeaver Single Sign-On 1. The trust manager distributes the PSE throughout your system environment.pse in the correct format. 5. c) Go to D:\usr\sap\ABC\DVEBMGS00\SLLnew. (If required) If you use SNC with Kerberos authentication. Related Information Creating Keytab for Kerberos [page 62] You need a keytab file to use SNC with Kerberos authentication. 8. Change the name of the profile parameter snc/gssapi_lib to $(DIR_INSTANCE)$(DIR_SEP)SLL$ (DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL) in the Application Server ABAP. for example. 7. Note Status: The FIPS cryptographic kernel is currently in the process of certification. this software needs to be tested and validated against the FIPS security standard. Implementation The Secure Login Library of SAP NetWeaver Single Sign-On 2.4 Standard and FIPS 140-2 Certified Secure Login Library Crypto Kernel Secure Login Library supports the FIPS 140-2 security standard. The crypto kernel is a library with different cryptographic algorithms. The crypto kernel is included in the SAR file of the installation package. 10. see related link. Remove the SLL directory. Stop the SAP NetWeaver Application Server ABAP. SNC X. This enables the Secure Login Library to access the content on the level of the file system. to comply with legal (regulations) standards and guidelines. Purpose When in the United States or Canada a government department wants to use crypto software in their computer systems. you use the Secure Login Library with the certified crypto kernel. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company. It is installed in the regular installation procedure. Start the Application Server ABAP. Rename the SLLnew directory to SLL. 55 . For more information. Secure Login supports the FIPS 140-2 standard in the Secure Login Library.6.509 certificate configuration. 3. If you are obliged to use a FIPS-certified crypto kernel.0 comes with a standard Secure Login Library crypto kernel and with a Secure Login Library crypto kernel that is certified according to the FIPS 140-2 standard. All rights reserved. 9. This standard contains special security requirements regarding the design and implementation of cryptographic modules.509 Configuration [page 58] This section describes the SNC X. Note Patches and extensions of the Secure Login Library. you find the standard crypto kernel files in the standard SLL directory.so. the crypto kernel is located in the SLL directory (see SLL Installation) and consists of the following files: For Windows operating systems ● ● slcryptokernel. are only implemented in the library with the standard Secure Login Library crypto kernel . Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library .dll. All rights reserved. The library with the FIPScertified crypto kernel remain unchanged for the time being. use the following command: sapgenpse cryptinfo Result: The command displays the following details of the crypto kernel: ○ ○ ○ Version Cryptographic algorithms Certification status (FIPS) 56 PUBLIC © 2013 SAP AG or an SAP affiliate company. After the installation.dll slcryptokernel.so libslcryptokernel. Keep in mind that you might have to wait some time for the release of the FIPS-certified library that include the patches and extensions you want to use.1 Using the FIPS 140-2 Certified Secure Login Crypto Kernel This topic shows whether you use the FIPS 140-2 security standard. 2. After the installation.sha256 (for HP-UX) 3. This overwrites and replaces the standard crypto kernel files. copy them from the fips subdirectory to the SLL directory. Procedure 1.4. for example. The installation procedure creates a special subdirectory for the FIPS-certified files called fips. The fips subdirectory is the place where you find the certified crypto kernel files mentioned above. adding a new encryption algorithm.sha256 libslcryptokernel. To display details of the crypto kernel files that used by the Secure Login Library. To use the certified crypto kernel files. 3.sha256 For UNIX platforms ● ● ● ● libslcryptokernel.sl. Patches and extension of the library with the FIPScertified crypto kernel are only available after the completion of an elaborate FIPS certification process.sl (for HP-UX) libslcryptokernel. Install the Secure Login Library as described in the related link. 0.0>sapgenpse cryptinfo ############################################################################# License Disclaimer SAP NetWeaver Single Sign-On You are about to configure trust for single sign-on or SNC Client Encryption. To configure the Secure Login Library for Kerberos.ELGAMAL.29 CPU-FEATURES-SUPPORTED = AES-NI CPU-FEATURES-ACTIVE = AES-NI HASH-ALGORITHMS = MD2.RC4. If you are not running an SAP NetWeaver AS ABAP.CTSCBC.29 FILE-VERSION = 8.SHA1.X.MD5.Example C:\_work\src\2.RC2. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company.com/swdc.TDES2KEY. 57 .SHA512.DES.SHA384.XML. You can create or import X. SAPCRYPTOLIB is delivered with SAP NetWeaver AS ABAP.509 certificates.CTSECB. Go to https://service.DSA KEYEXCHANGE-ALGORITHMS = DH RANDOM-ALGORITHMS = CTR_DRBG 3. see the SAP SNC manual http://help. All rights reserved.RIPEMD128.PKCS1BT02.sap. you can use a command line tool.RC5_32 ENCRYPTION-MODES = ECB.AES256.MD4. choose Search for Software Downloads.5 Secure Login Library Configuration You perform the SNC configuration for the SAP NetWeaver server system using the instance profile.PEM.CFB*8. and look for the relevant download package.OFB*8.PKCS1PSS.CRC32 ENCRYPTION-ALGORITHMS = RSA. The Secure Login Library can be configured to accept user authentications based on Kerberos tokens and X.sap.CTR.SHA256.CBC. For a complete description of the SNC interface and parameters.IDEA. you must use SAPCRYPTOLIB.1. Use transaction RZ10 to maintain the SNC profile parameters.PKCS1OAEP. download SAPCRYPTOLIB from the SAP Service Marketplace. As exception.com Note If you want to manage your PSEs in the Trust Manager.509 certificates in the Trust Manager using transaction STRUST.1.B1.RIPEMD160. the usage of SNC Client Encryption only without SSO is free as described in SAP Note 1643878. ############################################################################# Properties of Secure Login Crypto Kernel: FIPS 140-2 = YES API-VERSION = 1 VERSION = 2. You can use both authentication mechanisms in parallel.TDES2KEY.SSL KEYEDHASH-ALGORITHMS = HMAC SIG-ALGORITHMS = RSA. Please note that for single sign-on you require a license for SAP NetWeaver Single Sign-On.AES192.0.SHA224.GCM PADDING-MODES = PKCS1BT01.4. 923.AES128. Caution If you are using SAP NetWeaver AS ABAP 7.0, you need to set the environment variable <SECUDIR> to $ (DIR_INSTANCE)/sec. Otherwise SAP NetWeaver AS ABAP 7.0 does not start. 3.5.1 SNC X.509 Configuration This section describes the SNC X.509 certificate configuration. Prerequisites The Secure Login Library uses X.509 client or server certificates for SNC connections. It supports either no key usage in X.509 certificates or one or more supported key usages. The supported key usages depend on whether the X.509 certificate is used for client-server or server-server communication. Make sure the X.509 certificates are configured with supported values. For a list of the key usages the Secure Login Library supports for SNC, see the following tables. Table 6: Key Usage for X.509 Client Certificates for Client-Server Communication Certificate Fields [No key usage field] Key Usage Key Usage Key Usage Values [No values] Digital Signature Data Encipherment Key Encipherment Mode [No mode] sigsession, ParallelSessions mode Encryption Encryption Table 7: Key Usage for X.509 Server Certificates for Client-Server and Server-Server Communication Certificate Fields [No key usage field] Key Usage Values [No values] Digital Signature Mode [No values] sigsession, ParallelSessions mode (client-server only) Encryption 3.5.1.1 Configuring SNC Parameters for X.509 Certificates Configuration of SNC parameters for X.509 certificates 58 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library 1. 2. Log on to the SAP NetWeaver Application Server using SAP GUI. Start the transaction RZ10 and define the following SNC parameters in Instance Profile. For more information, see related link. Related Information SNC Parameters for X.509 Configuration [page 156] Use these parametes to configure SNC in the SAP NetWeaver Application Server ABAP. 3.5.1.2 1. Import X.509 Certificate Set the environment variable <SECUDIR>. Microsoft Windows: set SECUDIR=$(DIR_INSTANCE)\sec UNIX/Linux (depends on shell): setenv SECUDIR $(DIR_INSTANCE)/sec export SECUDIR=$(DIR_INSTANCE)/sec 2. Start transaction STRUST and import the SAP server certificate. The SAP server certificate must be available in a PSE format. If this is not the case, create a PSE with the trust manager (transaction STRUST). The new certificate must be signed by a Certification Authority. For a client/server communication, the certificates must be provided by a Public Key Infrastructure (PKI). If no PKI is available the Secure Login Server (out of the box PKI) can be used to provide certificates. 3. From the PSE menu, choose Import. 4. 5. Load the PSE file. (If required) Enter the PSE password. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. 59 6. 7. Choose the PSE Save as... . . Select SNC SAPCryptolib and choose If the certificate distinguished name of the PSE file does not match the SNC name configuration set in the instance profile parameter (snc/identity/as), an error message appears. This verification check is performed only if SNC is activated. 3.5.2 SNC Kerberos Configuration Configuration for SNC Kerberos. This topic describes how you configure the SNC parameters for Kerberos in an AS ABAP. 1. 2. Log on to the SAP NetWeaver Server using SAP GUI. Start transaction RZ10 and define the following SNC parameters in the instance profile. For more information, see related link. Related Information SNC Parameters for Kerberos Configuration [page 157] SNC parameters for AS ABAP 3.5.2.1 Microsoft Windows Account for SAP Server In order to verify user Kerberos authentication, the Secure Login Library requires a Kerberos keytab which you can create using the command line tool, provided by Secure Login Library. The Kerberos keytab contains Kerberos principals and encrypted keys that are derived from the Microsoft Windows user password. Therefore a Microsoft Windows account in Microsoft Active Directory is required. 60 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library 3.5.2.1.1 1. Create a Microsoft Windows Account Create a new Microsoft Windows Account. We recommend the format SAPService<SID>. 2. Define a password and choose the option User cannot change password and Password never expires. Note Make sure the password is as complex as possible. 3.5.2.1.2 Define Service Principal Name The Service Principal Name will be used to provide Kerberos service tokens to the requested users. This Service Principal Name is also required for the SNC name configuration. 1. 2. 3. Start the Microsoft Windows tool ADSIEDIT. Choose the Microsoft Windows user (in our example: SAPServiceABC). Define the field servicePrincipalName. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. 61 Note The mandatory format is SAP/SAPService<SID>. 3.5.2.1.3 Check for Multiple Service Principal Names If the Secure Login Client does not get a service ticket from the domain server, this may be due to the fact that the Service Principal Name used has been assigned several times in the Active Directory system. Use the following command to check this: Example setspn –T * -T foo -X 3.5.2.1.4 Creating Keytab for Kerberos You need a keytab file to use SNC with Kerberos authentication. If you want to use SNC with Kerberos authentication, you need to create a keytab file. 1. 2. Go to the SLL directory. Set the variable <SECUDIR>. Microsoft Windows: set SECUDIR=$(DIR_INSTANCE)\sec UNIX/Linux (depends on shell): setenv SECUDIR $(DIR_INSTANCE)/sec export SECUDIR=$(DIR_INSTANCE)/sec 3. Use the following command: Microsoft Windows: \usr\sap\ABC\DVEBMGS00\SLL\sapgenpse keytab -p SAPSNCSKERB.pse -x <password> -X <service_user_password> -a <service_user_name>@<domain> UNIX/Linux: /usr/sap/ABCadm/DVEBMGS00/SLL/sapgenpse keytab -p SAPSNCSKERB.pse -x ****** -X ********* -a [email protected] You have created the keytab file SAPSNCSKERB.pse for Kerberos authentication. Caution The Secure Login Library always uses a PSE file called SAPSNCSKERB.pse file for the keytab. The server does not start if the file has a different name. 62 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library 1.5 Domains Using Kerberos for SNC with Users in Different Solution for users in different Active Directory domains using Kerberos for SNC You use Kerberos for SNC and you have users in several Active Directory domains. you have created a user with the same user name (SAPServiceNW1). Proceed as follows: 1. Create users with service principal name in each domain.4.pse -x <password> -nopsegen -X <keytab_password> -a SAPServiceNW1@EXAMPLE1. All rights reserved. the user would be able to use this ticket for the server. Example You have created the user name SAPServiceNW1 in the Active Directory domain DOMAIN1.COM. The user names are identical whereas the domain names differ. In the second domain called DOMAIN2.pse -x <PIN> -O <system_user> Example sapgenpse seclogin -p /usr/sap/abc/dvebmgS00/sec/SAPSNCSKERB. Set the credentials using the following command: sapgenpse seclogin -p <path>\SAPSNCSKERB.COM.COM with the service principal name SPN=SAP/SAPServiceNW1@DOMAIN1. Configuring Kerberos Users for Different Domains (AS ABAP) Configuration of users in different Active Directory domains (AS ABAP) You have different Active Directory domains that are managed by different Domain Controllers. Every user would then be able to receive an authentication ticket from the Domain Controller for this user’s domain.pse O abcadm 5.COM. 63 . In such an environment. use the following command: sapgenpse -h 3. -x <password> - (Optional) Add a new keytab file if required and do not forget to set the credentials. the Secure Login Library also supports another option. Use the following command: sapgenpse keytab -p <path>\SAPSNCSKERB. Its service principal name is SPN=SAP/[email protected]. it would be the best to have a trust relationship between the different domains. Since it is not so easy to configure trust relationship for different domains.COM Note For more information. This user name is supposed to be used for an ABAP server. As a consequence. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company.5. which might be in a different domain. To configure snc/identity/as.1 Authentication with X. enter the value p:CN=SAPService<SID>. 64 PUBLIC © 2013 SAP AG or an SAP affiliate company. the Secure Login Client converts the CN part as described in the related link. The user logs on.sap.509 and Kerberos Authentication This topic describes how you can combine X.3. Related Information https://service.509 and Kerberos authentication. All rights reserved.com/sap/support/notes/1763075 3. Related Information https://service. you need to have a name in the CN part (of the SNC name) that enables users to perform a Kerberos authentication as well.5.com/sap/support/notes/1696905 3.3.5.509 Certificates and Kerberos Authenticating with X.2. 3. Create keytabs for both service principal names.2 Supporting Authentication with Kerberos and X. This means that the SNC name in the Network tab is a fixed entry entered by the CA for certificate-based authentication. There is a keytab for each domain. the message server always sends the same SNC name since it is only able to use one single name. During the authentication process. All users use the message server to authenticate at the application server. 3. The server authenticates the ticket because the keytabs of all domains are registered in the server. the Secure Login Client uses the existing CN part for certificate-based authentication or tries to map the CN part to a Service Principal Name that can be used for Kerberos authentication. and the client receives a Kerberos authentication ticket for SAP/ SAPService<SID> from the respective domain controller.509 on SAP NetWeaver AS ABAP You want to use Kerberos authentication technology for the client-to-server communication and thus enable single sign-on and secure server-to-server communication using SNC.5. Depending on the authentication method of the client.3 X. Now the ABAP server accepts Kerberos authentication tickets from this user because keytabs for both domains are available. See also related link. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library . It is also possible to set the SNC name of the server automatically to p:CN=SAPService<SID>. If this is not possible. To add users who are able to log on with Kerberos. The service principal name SAP/SAPService<SID> is known in each domain.509 Certificates and Kerberos You already have an authentication method in place that is based on SNC server certificates.sap. Note This setup is also possible if SAPCRYPTOLIB is installed on SAP NetWeaver AS ABAP system TWO.server communication uses X. 2.509 certificates possible. 1. Systems Microsoft Windows client SAP NetWeaver AS ABAP system ONE SAP NetWeaver AS ABAP system TWO Software Components Secure Login Client Secure Login Library (SNC library) Secure Login Library or SAPCRYPTOLIB (SNC library) We assume that there is a Microsoft domain user who requests authentication at a Secure Login Client. This makes an SNC communication with X. Secure Login Library is installed on SAP NetWeaver AS ABAP systems ONE and TWO. On SAP NetWeaver AS ABAP system ONE. In Microsoft Active Directory. 65 . (See options 1 and 2). create a technical user that can be used by SAP NetWeaver AS ABAP. create a Kerberos keytab file in the Secure Login Library as described in SNC Kerberos Configuration [page 60].509 certificates. Specify a Service Principal Name for this user. Use Edit Profiles (transaction RZ10 on SAP NetWeaver AS ABAP systems (ONE and TWO) to configure the SNC parameters in the instance profile. 3.● ● You have installed Secure Login Client on the client workstations in a Microsoft domain and have enabled SNC in SAP GUI . The server-to. use the service user of the Microsoft Active Directory. ● The following SAP NetWeaver Single Sign-On components are installed in the environment shown in the following table. All rights reserved. The Secure Login Client issues a Kerberos service token and authenticates at SAP NetWeaver AS ABAP system ONE with SNC. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company. sap. Related Information Secure Login Library Installation [page 47] This topic explains how to install Secure Login Library.509 certificate in Trust Manager (transaction STRUST).509 certificates in the Trust Manager (transaction STRUST). http://help. 7. 5. http://help. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library . OU=SAP Security.sap.LOCAL Unlike some PKI vendors. http://help.com/saphelp_nw73ehp1/helpdata/en/7e/6ca46b1ee4468a98280ff00db4d97d/ frameset.4.com/saphelp_nw73ehp1/helpdata/en/49/236897bf5a1902e10000000a42189c/ frameset. Secure Login Client converts the SNC name for use by Kerberos. ○ Option 2 a) Create an X. import them from SAP NetWeaver AS ABAP system ONE. C=DE b) Start Edit Profiles (transaction RZ10). OU=SAP Security.3. for example.LOCAL. OU=SAP Security. Example CN=SAPServiceABC@DOMAIN. Secure Login Server can generate a certificate with special characters. c) Choose an instance profile.3. Example CN=SAPServiceABC. 6.com/saphelp_nw73ehp1/helpdata/en/c4/3a616a505211d189550000e829fbbd/ frameset. configure secure network communication (SNC) in Configuration of RFC Connections (transaction SM59) on SAP NetWeaver AS ABAP systems ONE and TWO. for example (@) at sign.htmSAP Help Portal for Enhancement Package 1 for SAP NetWeaver 7. Configure SNC user mapping in User Maintenance (transaction SU01) on SAP NetWeaver AS ABAP system ONE. e) Under snc/identities/as. C=DE. to [email protected]. All rights reserved. On SAP NetWeaver AS ABAP system TWO. If you use self-signed certificates. On SAP NetWeaver AS ABAP system ONE. 66 PUBLIC © 2013 SAP AG or an SAP affiliate company. enter CN=SAPServiceABC. ○ Option 1 a) Create an X. d) Choose Extended Maintenance and then the Change pushbutton. Depending on the communication direction.3.htmSAP Help Portal for Enhancement Package 1 for SAP NetWeaver 7.3. the Secure Login Client rebuilds the service user.com/saphelp_nw73ehp1/helpdata/en/4c/5bdb17f85640f1e10000000a42189c/ frameset.509 certificate for SAP NetWeaver AS ABAP. If SAP GUI receives the SNC name p:CN=SAPServiceABC. Restart SAP NetWeaver AS ABAP systems ONE and TWO. 8. This happens if the Secure Login Client uses a Kerberos profile. generate X. and SAP GUI has no Kerberos name.htmSAP Help Portal for Enhancement Package 1 for SAP NetWeaver 7. http://help.htmSAP Help Portal for Enhancement Package 1 for SAP NetWeaver 7.509 certificate for SAP NetWeaver AS ABAP.sap. C=DE. generate X. The Kerberos key distribution center in the domain controller of Active Directory grants a Kerberos service ticket for the AS ABAP and the user can log on using his or her browser. Caution SPNego does not provide transport layer security. integrated.5. which is integrated in the Microsoft environment. for example from the domain controller of Active Directory. They log on.1 System Landscape for Kerberos Authentication on SAP NetWeaver AS ABAP Kerberos authentication requires several systems in your landscape.4. We recommend that you use transport layer security mechanisms.5. 3. The web client of the user must support SPNego. When a user tries to access the AS ABAP with a web browser (using HTTPS). Related Information Workflow with Kerberos Token without Secure Login Server [page 14] For Kerberos authentication with SAP GUI.4 Kerberos Authentication for HTML-Based User Interfaces Using SAP NetWeaver AS ABAP with SPNego Kerberos authentication on SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP with a web client requires Simple and Protected GSS API Negotiation Mechanism (SPNego) for SAP NetWeaver AS ABAP. Kerberos is the authentication method used.3. for example to a Microsoft Windows operating system. for example. grants a Kerberos ticket to the users who log on. Table 8: Component Required for SPNego on SAP NetWeaver AS ABAP Component Web client Description The web client requests a service or a resource from SAP NetWeaver AS ABAP and authenticates against the Kerberos Key Distribution Center. The Kerberos Key Distribution Center (KDC) Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. which negotiate the outcome transparently for the user. For example. 67 . into Microsoft Windows 2003 and higher. The employees use PCs in a Microsoft Windows environment. use Secure Login Client. SAP NetWeaver AS ABAP uses the single sign-on authentication mechanism. which gets the respective Windows users. to ensure confidentiality and integrity of the communication with SAP NetWeaver AS ABAP. such as Secure Sockets Layer (SSL) / Transport Layer Security (TLS). The Kerberos key distribution center. the AS ABAP requests a Kerberos service ticket from the browser. The browser forwards this request to Active Directory. users use a web browser as a web client to access web applications running on SAP NetWeaver AS ABAP. Many company employees who use Microsoft Windows operating systems and SAP business applications for their daily work want to have Single Sign-On for their employees. com/pam Secure Login Library Installation [page 47] This topic explains how to install Secure Login Library. 3. 3. Set to the path to the Kerberos library (Secure Login Library of SAP NetWeaver Single Sign-On 2. Secure Login Library You must have installed release 2. among others. 68 PUBLIC © 2013 SAP AG or an SAP affiliate company.0 or higher). Start Edit Profiles (transaction RZ10). Choose default or instance profile. enabling Microsoft Windows integrated authentication in a Microsoft Windows domain. It authenticates the user and grants a token that is used for the communication between the user’s web client and SAP NetWeaver AS ABAP. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library . Set the following profile parameters as required.5.SPNego: Collective Corrections Check the Product Availability Matrix for the most current releases. All rights reserved.Component Description Microsoft Windows Domain Controller (DC) acts as a KDC.4. Table 9: Profile Parameters for SPNego Parameter spnego/enable spnego/krbspnego_lib Setting Set to 1. 1.0 or higher on the host SAP NetWeaver AS ABAP and have licenses for SAP NetWeaver Single Sign-On 2. which includes.sap.3 SPS 7 and higher SAP Note 1819808 .2 Setting the AS ABAP Profile Parameters To enable authentication with SPNego for ABAP you must set profile parameters. 2.0. Related Information https://service. support for Simple and Protected GSSAPI Negotiation Mechanism (SPNego). SAP NetWeaver AS ABAP Enhancement Package 1 for release 7. use this parameter to determine the format for the translation of Kerberos user name to SNC name.3 Configuring the Domain Controller The SPNego configuration enables you to maintain and derive new symmetric keys with a Kerberos service name and password.dll libsapcrypto. Restart SAP NetWeaver AS ABAP. 5. Find the exact steps in the Microsoft documentation. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company. see SAP Note 1819808 SPNego: Collective Corrections. Create a service user on the Windows domain controller. 6.Parameter Setting Note Use the following files of SAP NetWeaver Single Sign-On: Table 10: Kerberos Library File Names File Name sapcrypto. 69 . Save your entries. For more information.4. Note Changing this dynamic profile parameter does not require a restart. Default value is 111. If the transaction starts without error message. Start SPNego Configuration (transaction SPNEGO). 1. 4. You can use the same service user as for SNC.5. Tip We recommend the format Kerberos<SID>. then you have set up the SPNego library correctly and you know the kernel supports SPNego. 3.sl Operating System Microsoft Windows UNIX platforms HP-UX only spnego/construct_SNC_name If you use a Kerberos-based SNC product that is not SAP NetWeaver Single Sign-On.so libsapcrypto. 4. Confirm the license disclaimer.4 Adding User Principal Names Add the user principal name of the KDC to configure trust for SAP NetWeaver AS ABAP.customer. Register the service principal names (SPNs) for the service user for the host name of the SAP NetWeaver AS ABAP and all aliases. 1. All rights reserved. Example KerberosAB1. Add the user principal name manually or from a keytab file.You can also use another service user.customer. We recommend that you do not use SAPService<SID> because the Password Never Expires option is not set for this user by default.DE\KerberosAB1 setspn -A HTTP/su3x24. ○ To enter the user principal name manually.de -f out. 3.de IT. Wait two minutes for all instances to synchronize. 2. Enable the Password Never Expires option for this user. which points to the previously created service user (KerberosAB1). ldifde -r serviceprincipalname=HTTP/hades.de and su3x24.0 or higher.de IT. SAP NetWeaver AS ABAP only supports SPNego with a valid license for SAP NetWeaver Single Sign-On 2.DE\KerberosAB1 This registers both aliases hades. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library . 3. you do not need to restart the application server if the keytab was updated or configured for the first time.customer. 2. 4. To check the result of the configuration. Start SPNego Configuration (transaction SPNEGO).customer.CUSTOMER. Enter the user principal name manually if you know the password of the service user otherwise import the keytab file. choose service user. (Add) and enter the name and password of the 70 PUBLIC © 2013 SAP AG or an SAP affiliate company.customer. single sign-on fails.CUSTOMER. enter the following command at the command line for each SPN you registered.ldf) is one entry. If the password for this user expires. Note After performing this procedure.5. 3. Switch to Edit mode.ldf The output of this command (out. Example setspn -A HTTP/hades. Ensure that all SPNs are unique.de as SPNs and associates them with the AS ABAP service user on the Microsoft Windows Domain Controller. If this is not the case. 71 . the token received from the KDC is transferred by the way of the user’s web client to the AS ABAP.○ 5.CUSTOMER. The token contains the Kerberos User Principal Name (UPN). your users can log on to Microsoft Windows and authenticate at the AS ABAP if SAP NetWeaver Single Sign-On is already used for SNCbased authentication. Save your entries. Unfortunately. you must maintain SNC mapping. which consists of two parts: a user name part and a domain part.DE /pass mypass /out c:/keytab / mapUser KerberosAB1@IT. To import a keytab file. the UPN must be mapped to an existing ABAP user.) Perform a user mapping on the SNC tab of User Maintenance (transaction SU01). You can use arbitrary Kerberos-based SNC products in combination with SPNego. choose (Import keytab file). The UPN from the Active Directory has the following format: Format: <AD_user_name>@<domain> Example: Smith@IT. Related Information Creating Kerberos Keytab Files [page 71] The Kerberos keytab file establishes trust between the KDC and SAP NetWeaver AS ABAP.DE During SPNego authentication. This requires a configuration option to control prefixing and uppercase or lowercase conversion of the user name and domain parts. To authenticate the user with such a token. Format: ktpass /princ <Active_Directory_logon_name>@<domain> /pass <password> /out <path_to_keytab_file> /mapUser <Active_Directory_logon_name>@<domain> /crypto All /ptype KRB5_NT_PRINCIPAL Example: ktpass /princ KerberosAB1@IT. All rights reserved. which does not match the ABAP user name. Create a Kerberos keytab file on your Microsoft Windows Domain Controller.1 Creating Kerberos Keytab Files The Kerberos keytab file establishes trust between the KDC and SAP NetWeaver AS ABAP.4. SPNego re-uses the existing SNC mapping string that can be configured in transaction SU01.CUSTOMER.5. The following is an example of creating a keytab file with the tool ktpass.SPNego: Collective Corrections. separated by the at-sign (@) (for example [email protected]. After you have configured the Key Distribution Center and the trust configuration. This is controlled by profile parameter spnego/construct_SNC_name. (See SAP Note 1819808 .DE). Find the exact steps in the Microsoft documentation. 3.CUSTOMER. the various SNC products differ in how they construct an SNC name for a given Kerberos User Name.DE /crypto All /ptype KRB5_NT_PRINCIPAL Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company. This token contains the Kerberos UPN. Example In Active Directory use the ktpass command. 5 Troubleshooting SPNego on AS ABAP To analyze SPNego authentication failures. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library . you enter a PIN.3. 1. (age is the server system time offset relative to the client system time.xml. define the communication protocols to use. use the SPNego tracing function.sap. Example (section of gss. keys. You can.5.sap. 2.4. You can shorten long and complicated names. see the related links. the client creates a temporary key.5 SNC Communication Protocol Parameters In the file gss. Related Information Reference of the Communication Protocol Parameters (Server) [page 159] Reference of the Communication Protocol Parameters (Client) [page 162] The following table contains the parameters that are valid for SNC on the client: 3.5. you can configure the SNC communication protocol for server-to-server and client-to-server communication.1 Configuring Certificate Lifetime in sigsession and ParallelSessions Mode Every time you use a token (smart card or soft token) to authenticate. the session 72 PUBLIC © 2013 SAP AG or an SAP affiliate company.5.com/sap/support/notes/1819808 3. configure algorithms for the protection of application data.com/sap/support/notes/1732610 https://service. List several values in a list separated by blanks. All rights reserved.xml) Include one value in the parameters. you have the following options: ● In sigsession mode.If you do not want to be forced to enter this PIN every time you open a session. for example.5. Start SPNego Configuration (transaction SPNEGO). configure formats for the Distinguished Name.) During this period. which has a period of validity specified in age and ttl. Related Information https://service. Choose Goto SPNego Tracing . and algorithms for encryption and digital signatures. integrate elements such as e-mail addresses. Use the following syntax: <namecharset>latin1</namecharset> <protocol_2010> <ciphers>aes256 aes128 rc4</ciphers> </protocol_2010> Note For more information. Set a value for the system time tolerance in the parameter age in the gss. During this period. 73 . you must choose from the following authentication modes: ● ● ● enc: encryption certificate sig: signature certificates and sign a temporary RSA key with it sigsession: signature certificate and sign a temporary RSA key with it. age is the server system time offset relative to the client system time. which gets a period of validity specified in age and ttl.1. for example. Whenever you reauthenticate. All rights reserved.xml file of the client.1 Configuring sigsession Mode If you use the 1993 protocol on the client and server. ttl is the validity of the certificate in seconds. 300. the parameter ParallelSessionsTTL specifies the validity period of the temporary key. ● In ParallelSessions mode.xml: <protocol_1993> <acceptsigmode>true</acceptsigmode> <acceptedttl>2000</acceptedttl> </protocol_1993> To specify the lifetime of a certificate in sigsession. This period of time is identical with the maximum session length. This temporary key is cached for further sessions until you close the last session. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company. In sigsession mode. It is the time the key cache remains valid. the temporary key and the associated session length are reused for a new session. Note If the value in ttl in the client exceeds the server value of acceptedttl. the session remains valid. Use the following syntax for the configuration: Configuration example Client configuration of gss. The default is 180 s starting 60 s earlier. the SNC connection produces an error message.remains valid. The default is 180 s starting 60 s earlier.5. Example If you use a token (smart card or soft token) to authenticate. proceed as follows: 1. the client creates a temporary key.5.xml: <protocol_1993> <authop>sigsession</authop> <age>300</age> <ttl>1899</ttl> </protocol_1993> Server configuration of gss. ttl is the validity of the certificate in seconds. 3. you enter a PIN. The vertical dotted lines indicate the time when the certificate is issued or when it is verified.xml) and ttl (client gss. If you verify the validity of the certificate within the period specified by ttl. Save the file. Restart the server. To calculate the desired lifetime of the certificate. 3900. This results in a desired lifetime of 3600 s. 6. the verification fails. 5. Set a value in parameter ttl in the same file.xml file of the server. 4. for example. the verification is successful.2. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library .xml files. Example 3900 s – 300 s = 3600 s To illustrate the behavior of the client and server parameters in the gss. Set the same value for acceptedttl as in ttl (3900) in the gss. Ensure that the configuration of acceptedttl (server gss. subtract the period specified in age from the period specified in ttl.xml) are identical. Outside the period specified in the ttl parameter. All rights reserved. see the following figure. Save the file. 3. 74 PUBLIC © 2013 SAP AG or an SAP affiliate company. xml: <protocol_2010> <ParallelSessions>true</ParallelSessions> <ParallelSessionsTTL>1800</ParallelSessionsTTL> </protocol_2010> Server configuration of gss. If SAP GUI establishes a secure communication to the SAP NetWeaver Application Server. The “old” protocol is compatible with SAP Crypto Library (SAPCryptoLib). which is used to secure communication. the client creates a temporary RSA key. the SNC connection produces an error message. the AES256 symmetric algorithm. The “new” protocol supports X. Restart the server. In parallel session mode. 75 . 1. you must enter a PIN. Example If you use a token (smart card or soft token) to authenticate.5.3.5. which is cached for re-authentication in further sessions until you close the last session. the Secure Login Library provides the following symmetric algorithm (priority in this order).5.xml: <protocol_2010> <acceptedttl>2000</acceptedttl> </protocol_2010> 3. Enter true in ParallelSessions. You can define this in the Secure Login Library configuration file gss. 2.6 Use Case for Defining a Symmetric Algorithm This section explains how to define the symmetric algorithm. By default. the symmetric algorithm is agreed between both partners. 3. ● ● ● ● ● AES256 AES192 (“old” protocol 1993 only) AES128 3DES (“old” protocol 1993 only) RC4 (“new” protocol 2010 only) Secure Login Library has implemented two protocols named protocol_1993 (“old”) and protocol_2010 (“new”). Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company. It is possible to force the use of. If the value in ParallelSessionsTTL in the client exceeds the server value of acceptedttl.1. for example. Enter a period of time (in seconds) in ParallelSessionsTTL to specify the period of time during which reauthentication can occur.2 Configuring ParallelSessions Mode Use parallel session mode for the 2010 protocol.509 certificates and Kerberos tokens in parallel. Configuration example Client configuration of gss. All rights reserved.xml. It is possible in the Secure Login Library to allow only the acceptance of only AES256. for example. the strongest symmetric algorithm that is available on both sides is agreed. The symmetric algorithm is arranged during the authentication process. for example. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library . Section of gss. You can define the following algorithms: AES256 AES128 RC4 Default is <empty>. This protocol supports the Kerberos solution. By default. The symmetric algorithm is arranged during the authentication process. the strongest symmetric algorithm that is available on both sides is agreed. By default. You can define the following algorithms: aes256 aes192 aes128 des3 Default is <empty>. All rights reserved. which is defined in section <protocol_1993>. This protocol is compatible with SAP Crypto Library (SAPCryptoLib). It is possible in the Secure Login Library to allow the acceptance of only aes256.xml <gss> <server> <protocol_1993> <algs_encr>xxx</algs_encr> </protocol_1993> <protocol_2010> 76 PUBLIC © 2013 SAP AG or an SAP affiliate company. <ciphers>XXX</ciphers> Use this parameter to define the symmetric algorithm for the “new” protocol.Table 11: Parameter <algs_encr>XXX</algs_encr> Details Use this parameter to define the symmetric algorithm for the “old” protocol. which is defined in section <protocol_2010>. 1 Uppercase Distinguished Name To support case insensitivity for user certificate names used by SNC. true The distinguished name is provided in uppercase.7. false The distinguished name is provided in mixed case. the GSS Distinguished Names presented to SAP SNC may be converted to uppercase. Table 12: Parameter <UpperCaseClientName>XXX </ UpperCaseClientName> Details Define the configuration in parameter <UpperCaseClientName>. Default is false.<ciphers>xxx</ciphers> </protocol_2010> </server> </gss> 3. 3. Section of gss. This can be defined in the Secure Login Library configuration file gss. All rights reserved.7 User SNC Name Mapping The following section describes how you configure the user SNC name the Secure Login Library. 77 .5.xml.xml <gss> <server> <UpperCaseClientName>xxx</UpperCaseClientName> </server> </gss> Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company.5. e-mail address.xml. You can define this in the Secure Login Library configuration file gss. through a self-service). Thus these users might get rights they are not supposed to have. If the URI is not available. certificate-based logon with the users’ e-mail addresses in the Distinguished Names. The system uses the first value.2 Alternative Name DN Feature It is possible to use the Subject Alternative Name from the user certificate that is presented to the SAP SNC interface. last name etc. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library . through a self-service. For this case.xml <gss> <server> <ClientNameSource>xxx</ClientNameSource> </server> </gss> You can enter several values separated by commas or spaces.3. An error occurs when no value can be used. Example 1 The Secure Login Library uses the URI. for example. An AS ABAP uses. If the second alternative value is not available. for example. we recommend that you implement access restrictions for the change of user attributes. <ClientNameSource>AltNameEMAIL AltNameUPN</ClientNameSource> Caution If users change their own attributes (for example. this change would also 78 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. If this is not possible. first name. The string in the certificate has the following format: CN=employee@company. and these attributes are used by the user certificate (issued by the Secure Login Server). this user now has the possibility to enter. it uses the subject (Distinguished Name). a situation may occur in which these users are able to assign additional rights to themselves. for example. <ClientNameSource>AltNameURI Subject</ClientNameSource> Example 2 The Secure Login Library uses the E-mail address and. his or her manager’s e-mail address (manager@company. it proceeds to the second value etc.5. the Microsoft User Principal Name.com This means that the user’s e-mail address is used for the user mapping in SNC.com) as attribute.7. Section of gss. Since this data is usually maintained centrally. an error occurs. If an administrator enables the user to change his or her own data. as first alternative. 0 SP1 or higher might be forced to edit the name schema in Secure Login Library 2. By default. 3. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company. Example <gss> <nameencoding>UTF8</nameencoding> <nameschema></nameschema> <!—‘secude’/'sapcryptolib' of 'rfc2256' (default) specifies the schema for order and keywords of name components --> </gss> Example <gss> <nameencoding>UTF8</nameencoding> <nameschema>rfc2256</nameschema> <!—‘secude’/'sapcryptolib' of 'rfc2256' (default) specifies the schema for order and keywords of name components --> </gss> Related Information SNC Communication Protocol Parameters [page 72] In the file gss. the user receives a certificate with the Distinguished Name [email protected]. 79 .0 SP0 or SP1 and want to use patch 1 of Secure Login Library 2.xml is empty (meaning RFC2256).xml. Note Customers who run Secure Login Library 2.7. see SAP Note SAP Note 1864123 and related links.affect the Secure Login Server. you can configure the SNC communication protocol for server-to-server and client-to-server communication. If you prefer.0 SP1 Patch 1 and enter their own name schema they used in the original release.3 Default User Schema Settings The default user schema of the Secure Login Library is RFC2256. All rights reserved. you can also enter RFC2256 for clarity. the configuration of the user schema in the file gss. The configuration is located in the file gss. This user is now able to log on to the AS ABAP as his or her manager. For more information.com. you can configure the SNC communication protocol for server-to-server and client-to-server communication.xml. If the certification user mapping feature of the Secure Login Server is configured with the e-mail address as an attribute of the certificate. Communication and Protocol Parameters (Server and Client) [page 159] In the file gss.xml. or C (country). To switch the Secure Login Library to use the attributes for obsolete SAPCRYTOLIB or SECUDE releases. overwrite the user schema setting.5.7.xml file and enter the schema sapcryptolib or secude. Example <gss> <nameencoding>UTF8</nameencoding> <nameschema>sapcryptolib</nameschema> <!—‘secude’/'sapcryptolib' of 'rfc2256' (default) specifies the schema for order and keywords of name components --> </gss> Example <gss> <nameencoding>UTF8</nameencoding> <nameschema>secude</nameschema> <!—‘secude’/'sapcryptolib' of 'rfc2256' (default) specifies the schema for order and keywords of name components --> </gss> 80 PUBLIC © 2013 SAP AG or an SAP affiliate company. O (organization). see the Summary of the X.3. These attributes comply with the RFC2256 default for user schemas.3. Previous releases of SAPCRYPTOLIB and old SECUDE releases still use a user schema with obsolete attributes. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library . CN (common name). OU (organizationalUnit). The table below shows RFC2256-compliant attributes and the corresponding obsolete SAPCRYPTOLIB or SECUDE attributes.3. Keyword surname street title serialNumber businessCategory description stateOrProvinceName RFC2256-Compliant Attribute (Default) SN STREET TITLE SERIALNUMBER BUSINESSCATEGORY DESCRIPTION ST Obsolete SAPCRYPTOLIB or SECUDE Attribute S ST T SN BC D SP 3. open the gss.7.5.2 Setting for SAPCRYPTOLIB or SECUDE Release If customers want to keep their old user schema attributes. All rights reserved.500(96) User Schema for Use with LDAPv3. For more information.1 SNC Name Compatibility with a SECUDE SAPCRYPTOLIB Release User schemas for SNC names The SNC names for a certificate-based logon consist of user schema attributes for example. and the related keywords. The CA issues CRLs at regular intervals. The CRL issued by the Certification Authority (CA) contains the revoked certificates. CAs place certificate revocation lists at CRL distribution points. They must be replaced regularly by a new CRL or by a CRL that has not yet expired. CAs regularly update certificate revocation lists. which enable you to revoke certificates that have been declared invalid.4 Shorten Long Distinguished Names It is possible to shorten parts of the distinguished name (SNC Name) from the user certificates that are presented to the SAP SNC interface. The Secure Login Library provides a tool that enables you to regularly download new CRLs from CRL distribution points (LDAP or HTTP) to the local cache. The character limit for SAP server systems is 255 characters (in older systems 80 characters). Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company.5. This enables you to make sure that revoked certificates are not accepted.3. All rights reserved. you can remove entire parts such as a company name which are identical for all users.7. Example OU=Very Long Organization Unit Name <replstr>XXX</replstr> In the <nameconversions> section. the <replstr> parameter is used to define the part of the distinguished name to be replaced. You can define this in the Secure Login Library configuration file gss. Parameter <searchstr>XXX</searchstr> Details In the <nameconversions> section.xml file: <gss> <nameconversions> <searchstr>VeryLongNameComponent</searchstr> <replstr>ShorterNameComponent</replstr> </nameconversions> <nameconversions> <searchstr>AnotherVeryLongNameComponent</searchstr> <replstr>AnotherShorterNameComponent</replstr> </nameconversions> </gss> 3. 81 . For example. use the <searchstr> parameter to define the part of the distinguished name to be shortened. They contain a list of certificates that have been declared as invalid.8 Using Certificate Revocation Lists The Secure Login Library supports certificate revocation lists.5. Example OU=Short Name The following source code represents a section of the code of the gss.xml. For more information. We recommend using a cron job to schedule the regular download. and storing it in a local cache. Limitations The Secure Login Library covers only basic functions on the server side. For more information. such as checking client certificates with CRLs. Otherwise performance suffers when the Secure Login Library has to download CRLs from an external CRL distribution point. This means that multiple PKIs using different revocation checking policies and one PKI with CAs using different revocation checking policies are not supported.*). No use of delta CRLs At present the Secure Login Library assumes that. You can schedule the download using a cron job. Related Information CRL Tool Commands [page 153] This is an overview of the CRL tool commands. The main function of the CRL tool is to enable you to download CRLs. you must provide an OpenLDAP client (liboldap. We recommend using the same user or.5. Usually UNIX does not come with an LDAP client. it uses the downloaded CRL. Run the CRL tool at regular intervals to ensure that the most recent CRL is located in the local cache. granting read authorization with the umask command. When the application server checks certificates.8. The Secure Login Library has the following limitations: ● ● ● Customers cannot use the extension IssuingDistributionPoint in CRLs with the Secure Login Library. 3. To use the CRL tool to get CRLs from LDAP.1 Downloading CRLs with the CRL Tool The main function of the CRL tool is to enable you to download CRLs from the CRL distribution point and to make them available in the local cache \SECUDIR\dbcrls. To use the CRL functions. see related link. 82 PUBLIC © 2013 SAP AG or an SAP affiliate company. ● ● Related Information Configuring the CRL Tool [page 83] This topic describes the CRL configuration files. make the appropriate settings in the configuration files. To display detailed help.Storing CRLs in the local cache ensures fast accessing of the CRLs. all CAs provide CRLs. use crtl –H. All rights reserved. Storing CRLs in the cache improves system performance. in a UNIX environment. getting CRLs from a distribution point. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library . The local cache for the CRLs is \SECUDIR\dbcrl. see the related link. Note Make sure the server process has read authorization for the CRL (files) in the cache directory. The Secure Login Client does not check CRLs. in a given environment. Use the following command to get a CRL and store it in a file: To get a CRL from a CRL distribution point.5.xml ldap.3 Configuring the CRL Tool This topic describes the CRL configuration files. use one of the following commands: ○ Use the following command to get a CRL and store it in a file: crl get –u <LDAP_server> -f <CRL_file> Example crl get –u ldap:///sap.example.com Related Information CRL Tool Commands [page 153] This is an overview of the CRL tool commands.com ○ Use the following command to get a CRL and store it in a cache using a different distribution point (the URL in the store command must point to the CRL distribution point specified in the certificate).example. 3. 83 .2 Getting a CRL from a CRL Distribution Point This topic contains a variety of examples that show you how you can get a CRL from a distribution point.example. You may use uppercase or lowercase for entering values. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company.example.5.xml base.3.xml The parameters are similar to tags surrounding the values. In the following examples you see the commands for getting a CRL from a CRL distribution point.example. The following configuration files are available in the \SLL folder: ● ● ● pkix.com -f file. see the related link.com store ○ Use the following command to get a CRL and store it in a cache using the same distribution point (the URL in the store command must be the path of the CRL distribution list).8. crl get –u <HTTP_server> store -u <LDAP_server> Example crl get –u http://server/ store -u ldap:///sap.com –u ldap:///sap.8.crl ○ Use the following command to get a CRL and store it in a cache without a distribution point: crl get -u <LDAP_server> store Example crl get –u ldap:///sap. For an overview of all commands. The main function of the CRL tool is to enable you to download CRLs. crl get -u <LDAP_server> store -u <LDAP_server> Example crl get –u ldap:///sap. 3. set the parameter usepkicache to true (default setting is false).2 base. for example on an LDAP server or HTTP server. Example <pkix> <profile> <acceptNoBCwithKeyUsage>true</acceptNoBCwithKeyUsage> <revCheck>CRL</revCheck> <certificatePolicies>noCheck</certificatePolicies> </profile> </pkix> The following table contains all parameters and parameter options that are available in pkix. If you use CRLs that are located in the cache. CRL checking is active if the parameter revCheck is set to the value CRL.xml. 3.xml In the configuration file pkix. restart your ABAP server so that the newly-set parameters take effect. you may optionally use the parameter pkicachedir and enter the location there (for multiple servers accessing the cache. Note After you have entered changes in the configuration files.3. you could use an NFS cache).xml [page 153] The following table contains all parameters and parameter options that are available in pkix.xml.xml.3.5.8. performance will improve considerably.xml You can configure the cache and the verification of the CRL download in the file base. All rights reserved. If you want to activate CRL verification with the cache.8. the parameter verificationonlineaccess is set to false to disable the function that verifies the CRLs online. Example If you want to define a different location for the cache directory.1 pkix. By default.xml. The default setting of this parameter is no (no use of CRLs).5. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library . you can configure whether a CRL check is used at all. <base> <verificationonlineaccess>false</verificationonlineaccess> <usepkicache>true</usepkicache> <pkicachedir>\usr\sap\T2D\DVEBMGS00\sec</pkicachedir> </base> 84 PUBLIC © 2013 SAP AG or an SAP affiliate company. Related Information Configuration Parameters of pkix. Example <base> <verificationonlineaccess>true</verificationonlineaccess> <usepkicache>false</usepkicache> <pkicachedir></pkicachedir> </base> Example If you want to carry out a CRL check from a remote LDAP directory. 3. If an LDAP URL that does not contain the server name is used as a CRL distribution point (in the default setting. In this case. you must enter the value ADS in the parameter name. <base> <verificationonlineaccess>true</verificationonlineaccess> <usepkicache>false</usepkicache> <pkicachedir></pkicachedir> </base> Example If you want to make a CRL request from a proxy server.3.xml [page 154] The following table contains all parameters and parameter options that are available in base. 85 .xml This configuration file is only relevant if you have an Active Directory environment.xml. you must enter the host name and the port number of the proxy server. If you are in a Microsoft Windows domain and Active Directory is used as LDAP server. All rights reserved. define the name of the LDAP server in the configuration file ldap. You only need to modify this file in an Active Directory environment.5.3 ldap.8.xml. you need not enter any value in pkicachedir. set the parameter verificationonlineaccess to true and set the parameter usepkicache to false.xml. Example <ldap> <server> Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company. Related Information Configuration Parameters of base. the relevant section is commented out). <base> <proxy> <url>host.com:8003</url> </proxy> The following table contains all parameters and parameter options that are available in base.example. 3. The name of the trace file has the following format: sec-<process_ID>.6 Configuration Options This section describes useful configuration and troubleshooting issues of Secure Login Library.trc exceeds the defined file size. you have activated tracing twice.%>. If sectrace. Copy sectrace. Use separate trace directories in this case.6.xml [page 155] The following table contains all parameters and parameter options that are available in ldap. and <number> increases.<name>ADS</name> </server> </ldap> The following table contains all parameters and parameter options that are available in ldap. The trace directory must be a subdirectory of DVEBMG. the configuration file sectrace. proceed as follows: 1. The sectrace. If tracing is activated. You can also use environment variables (encapsulated by %). Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library .ini can be located in the following directory.BINDIR.ini is available in the installation directory and in the following directory.trc Note If the process is already known. Each process ID get its own trace file. 3. To configure tracing for the Secure Login Library.ini configuration file defines the location of the trace directory.trc. Related Information Configuration Parameters of ldap.xml. Go to the following directory of the Secure Login Library $(DIR_INSTANCE)\SLL 2. 86 PUBLIC © 2013 SAP AG or an SAP affiliate company. the file name includes the process name.<number>.xml. you can activate tracing for Secure Login Library.1 Configuring Tracing for Secure Login Library In the case of an error. All rights reserved. Example: sec-dev_w0.trc (trace file for work process 0) If a trace file sec-*. several trace files are available in the trace directory.ini from the sll/defaults subfolder to the sll folder Note Alternatively. its content moves to a backup file called sec*. Thus it is possible to specify the SLL installation directory by using < %. The maximum number of trace files per process ID is 10. For more information. see related link. Open the file sectrace.%/. Trace level is 0 (no trace). Save your changes. you may get a large quantity of trace files every day. All rights reserved. Caution The maximum size of all trace files per process ID is 110 Mbytes (10 backup files and 1 trace file). Related Information Configuring Client Tracing [page 41] If you want to switch on tracing of Secure Login Client. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Library PUBLIC © 2013 SAP AG or an SAP affiliate company. when it starts up in the morning.ini using a text editor and enter your configuration. The size for all trace files per process ID is 110 Mbyte. 87 .For Windows operating systems: %HOMEDRIVE%%HOMEPATH%\sec If %HOMEDRIVE% and the variable %HOMEPATH% do not exist./SLLTrace. 3.. you must configure a file for client tracing in each client. for example. the fallback is /etc. Make sure that you provide enough disk space for the trace function.BINDIR. We recommend that you only use Secure Login Library trace if an error occurred and you are investigating the cause of the error. Since Secure Login Library and each SAP GUI gets a new process ID. The default trace configuration has the following default settings: ○ ○ ○ ○ The trace directory is %. the fallback is \ on the C:\ drive. 4. Deactivate the trace after the error was remedied. For Unix operating systems: $HOME/sec If $HOME does not exist. Note You need not restart the Application Sever ABAP. 0 SPx is integrated in SAP Solution Manager.0 SP1 Installation File Name SECURELOGINSERVER00_0.0.1.sca The installation files have the following format: SLSERVER<support_package_number_<patch_level><ID>.4 4.0 to higher support packages and patches using Maintenance Optimizer. The Secure Login Library installation is optional and required for SAP user authentication only. You can update Secure Login Server 2. During the installation of Secure Login Server. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server . The installation can be done using the Telnet application or with the Software Delivery Tool.sca The ID attached to the file name is a temporary download ID.0 SP0 Secure Login Server 2.1 Prerequisites for Installing Secure Login Server This topic describes the prerequisites for an installation of the Secure Login Server.1 Secure Login Server Installation and Installation File Names This chapter describes how to install Secure Login Server for different support packages of SAP NetWeaver Single Sign-On 2. Note The names of the installation files vary according to the version and support package of SAP NetWeaver Single Sign-On. All rights reserved. see the SAP Help Portal under SAP Solution Manager Maintenance Optimizer .sca SLSERVER01_2-<ID>. the SAP NetWeaver Application Server must be up and running. Table 13: File Name for Installing Secure Login Server Version and Support Package Secure Login Server 2. The Secure Login Library will be used to establish secure communication to SAP NetWeaver Application Server ABAP to verify SAP credentials. For more information. 4.sca Example SLSERVER01_2-10012314. Secure Login Server 2. Hardware and software requirements are described in the following documents: 88 PUBLIC © 2013 SAP AG or an SAP affiliate company. sap.2 Installing Secure Login Library (Optional) The Secure Login Library installation is optional and can be used as an alternative for SAPCRYPTOLIB 5. Related Information http://service. For more information. SAP server system SAP NetWeaver Application Server ABAP 6.20 or higher version RSA Authentication Manager 6. All rights reserved.1. The Secure Login Library is used to establish secure communication to an AS ABAP and to verify SAP credentials.5 for SAP NetWeaver Application Server ABAP user authentication only. The Sizing Guide contains the hardware requirements.sap.com/pam BasicPasswordLoginModule RADIUS server system 4. 89 . Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. 2008. 2012 openLDAP. For more information.1.1.sap.1. see related link.1 Server Authentication Servers Supported by Secure Login The Secure Login Server supports the following authentication servers: Table 14: Supported Authentication Servers Supported by Secure Login Server LDAP server system Details Microsoft Active Directory System 2003.com/pam Authentication Servers Supported by Secure Login Server [page 89] The Secure Login Server supports the following authentication servers: https://service.1 and 7.5. Check the Product Availability Matrix for the most current releases.● ● The Product Availability Matrix lists the software requirements for all components.1 freeRADIUS Microsoft Network Policy and Access Services (NPA) Microsoft Internet Authentication Service (IAS) SAP NetWeaver AS Java User Management Engine (UME) Related Information http://service.com/%7Esapidb/011000358700000178192012E 4. see related link. SAR with the SAPCAR command line tool to a separate folder. Set the environment variable <SECUDIR>. which is a subfolder of exe. 90 PUBLIC © 2013 SAP AG or an SAP affiliate company. Verify Secure Login Library. Copy library files. Copy the Secure Login Library software for Microsoft Windows to the target SAP NetWeaver Application Server and extract the file SECURELOGINLIB.SAR –R D:\usr\sap\ABC\J00\exe\sll 2. All rights reserved.1 Installing Secure Login Library for Microsoft Windows Operating Systems 1. The test is successful if the version is displayed. sapcar –xvf <source_path>\SECURELOGINLIB. 4.1. Set the system environment variable <SECUDIR> to the following directory: SECUDIR=<DIR_INSTANCE>\sec Example SECUDIR=D:\usr\sap\ABC\J00\sec 3.Note Keep in mind that there are different Secure Login Library software packages available depending on the desired operating system.SAR –R <DIR_INSTANCE>\exe\sll Example sapcar –xvf D:\InstallSLS\SECURELOGINLIB.exe As a result. This document describes the installation for Microsoft Windows and Linux operating systems. you get further information about the Secure Login Library.2. use the sapgenpse command: <DIR_INSTANCE>\exe\sll\sapgenpse. To verify the Secure Login Library. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server .exe Example D:\usr\sap\ABC\J00\exe\sll\sapgenpse.1. The test is successful if the version is displayed. Define file owner.1. 91 . further information about the Secure Login Library should be displayed. To verify the Secure Login Library use the sapgenpse command (with user <<SID>adm>): <DIR_INSTANCE>/exe/sll/sapgenpse Example /usr/sap/ABC/J00/exe/sll/sapgenpse As a result.1.2 Systems 1.SAR with the SAPCAR command line tool to the following folder.SAR –R <ASJava_installation>/exe/sll Example sapcar –xvf /InstallSLS/SECURELOGINLIB. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. Grant access rights to the user account that is used to start the SAP application (for example. Installing Secure Login Library for Linux Operating Copy library files Copy the Secure Login Library software for Linux to the target SAP NetWeaver Application Server and extract the file SECURELOGINLIB. it is necessary to set the file permission attributes with the following command: chmod +rx <DIR_INSTANCE>/exe/sll/sapgenpse lib* Example chmod +rx /usr/sap/ABC/J00/exe/sll/sapgenpse lib* 3. All rights reserved.4. <<SID>adm>). sapcar –xvf <source_path>/SECURELOGINLIB. Define file attributes To use shared libraries in a shell.SAR –R /usr/sap/ABC/J00/exe/sll 2.2. Verify Secure Login Library. Change to the folder <DIR_INSTANCE> /exe/sll and use the following command: chown [OWNER]:[GROUP] * Example chown abcadm:sapsys * 4. You have downloaded the relevant installation file for Secure Login Server. 2. Choose the relevant components. Tip We recommend that you use this procedure to install Secure Login Server. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server . You have now installed the Secure Login Server. but insecure option for installing Secure Login Server.sap. telnet localhost 5<instance_number>08 Example telnet localhost 50008 92 PUBLIC © 2013 SAP AG or an SAP affiliate company.sap. All rights reserved. Install the installation file for Secure Login Server according to the steps in the wizard. You have met the requirements for the update. 4. Prerequisites: ● ● ● ● Your service user has administrator authorizations.1.3 Secure Login Server Installation with Telnet A Telnet installation is a fast. see related link. For more information.com/sltoolset https://service. For more information. 1.com/sap/support/notes/1563579 https://service. You have downloaded the latest Software Update Manager for your operating system. Copy the relevant installation file to the target SAP NetWeaver Application Server. Start the Software Update Manager. see related link.4. see related link. 3. Start a Telnet session.sap. Caution We recommend that you use the installation using the Software Update Manager. Related Information http://service.com/sap/support/notes/1707161 Installation and Installation File Names [page 88] This chapter describes how to install Secure Login Server for different support packages of SAP NetWeaver Single Sign-On 2.2 Secure Login Server Installation with Software Update Manager This topic describes how you install Secure Login Server with the Software Update Manager.1. 2. For more information. 1.0. For Secure Login Server 2.3.3.sca The Secure Login Server application starts automatically when you open the login page of the Secure Login Administration Console for the first time.sca Example deploy D:\InstallSLS\SECURELOGINSERVER00_0.sca For Secure Login Server 2.ui. you have created the following components: ○ ○ ○ ○ SecureLoginServer.1 List of Useful Telnet Commands This topic contains a table with Telnet commands that are useful if you install Secure Login Server with Telnet. Deploy the Secure Login Server package.ear securelogin.ear Related Information Initial Configuration Wizard [page 95] After the deployment of Secure Login Server an initial configuration is required List of Useful Telnet Commands [page 93] This topic contains a table with Telnet commands that are useful if you install Secure Login Server with Telnet.0 SP0: deploy <source>\SECURELOGINSERVER00_0.ui. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. You find a list of useful Telnet commands in the related link. 93 . 4. All rights reserved. Start the initial configuration as described in the related link.alias.ear securelogin.0 SP1: deploy <source>\SLSERVER<support_package_number>_<patch_level>-<ID>. After the deployment of Secure Login Server.1.sca Example deploy D:\InstallSLS\SLSERVER01_2-10012314.umep. Secure Login Server Installation with Software Update Manager [page 92] This topic describes how you install Secure Login Server with the Software Update Manager.sda securelogin.sca <<sp_pl>> stands for the support package number with two digits and the patch level number with one digit. Table 15: List of Useful Telnet Commands Action Deploy Secure Login Server Command deploy SECURELOGINSERVER00<<sp_pl>>. undeploy name=<ear_file> vendor=sap.alias vendor=sap. you undeploy the components individually.umep vendor=sap.com undeploy name=securelogin.umep vendor=sap. execute these commands.com undeploy name=SecureLoginServer vendor=sap.ui vendor=sap. 4.ui. List application Related Information list_app | grep securelogin Secure Login Server Installation with Telnet [page 92] A Telnet installation is a fast.alias vendor=sap.ui vendor=sap. Secure Login Server Uninstallation [page 94] This chapter describes how you uninstall Secure Login Server.Action Undeploy Secure Login Server Command undeploy name=securelogin.com Note If you want to undeploy the Secure Login Server. All rights reserved. To do so.com 94 PUBLIC © 2013 SAP AG or an SAP affiliate company. Undeploy Secure Login Server. but insecure option for installing Secure Login Server.ui.1. telnet localhost 5<instance_number>08 Example telnet localhost 50008 2. 1.com Example undeploy name=securelogin.com undeploy name=securelogin.4 Secure Login Server Uninstallation This chapter describes how you uninstall Secure Login Server. Uninstall the Secure Login Server in Telnet.com Example undeploy name=securelogin.com Example undeploy name=securelogin. Start a Telnet session. We recommend that you use the sequence displayed in this table. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server . and Roles . For more information about users and roles in AS Java. Groups. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. see the related link and SAP Help Portal under NetWeaver Library: Function-Oriented View Application Server Java Security Identity Management Administration of Users and Roles SAP User Management of the Managing Users. Related Information Authorizations and Roles [page 238] Secure Login Server deploys user management engine roles for SAP NetWeaver AS Java that enable you to securely initialize Secure Login Server.2 Initial Configuration Wizard After the deployment of Secure Login Server an initial configuration is required Caution The initial configuration of the Secure Login Server can be performed on local host or on a remote host (with HTTPS only).Example undeploy name=SecureLoginServer vendor=sap. you have assigned the role SLAC_SUPERADMIN to your user.com You have now uninstalled the Secure Login Server. In the SAP NetWeaver AS Java. we recommend that you use SSL during the initial configuration process. 4. Related Information List of Useful Telnet Commands [page 93] This topic contains a table with Telnet commands that are useful if you install Secure Login Server with Telnet. Tip For security reason. All rights reserved.1 Prerequisites for Running the Initial Configuration Wizard Prerequisites for running the initial configuration wizard of the Secure Login Server ● ● Verify that the Secure Login Server application is running. 4. The system keeps the configuration data in the database of the SAP NetWeaver Application Server. 95 .2. 1 Initial Configuration (Automatic) Before you can work with the Secure Login Server. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server .2.2 Initial Configuration This section describes the modes that are possible for the initial configuration wizard.2. The initialization wizard accesses the Secure Login Server global directory. All rights reserved. a wizard leads you through the initial configuration of the Secure Login Server. 96 PUBLIC © 2013 SAP AG or an SAP affiliate company. Start the initial configuration using the browser URL: http://localhost:<port>/slac or https://<host_name>:<SSL_port>/slac Example https://localhost:50001/slac Note If you want to start the initial configuration wizard from a remote computer. In the Migrate mode. Manual In this option. 2. Skip All If you choose this option.4. You can also import a CA certificate in a key-pair file and use the parameter and values from this file. choose Edit. which contains the all the PKI information you need. The initialization wizard sets the values for the PKI certificates and for the user certificates. You do not want to enter individual values. you have to use https.2. the initial configuration wizard allows you to import the PKI as a file from the previous version. 3. Mandatory parameters are marked by an asterisk (*). Nevertheless you can change individual parameter values. Thus you can migrate the configuration from your the previous version of the Secure Login Server. This section describes the initial configuration of the Secure Login Server. This section describes the initial configuration of the Secure Login Server. The following configuration options are available: ● Automatic The initialization wizard generates the configuration of the PKI certificates and user certificates automatically. 1. you can configure the PKI certificates and user certificates manually. Migrate You see this option if you have an older version of Secure Login Server. You can change the configuration in each configuration step. see the related link below. For more information about the parameters. the initialization wizard skips the PKI creation and generates the user certificate configuration with the default values. ● ● ● 4. To change a parameter. The details section displays the parameters. It generates the PKI certificates and user certificates with the respective values automatically. Enter the related value or choose from a list. Related Information Parameters for Initial Configuration (PKI Certificates) [page 164] This topic contains the parameters for the configuration of the PKI certificates. 5. SSL CA. Choose Finish to complete the initial configuration of the PKI certificates and user certificates. If you want to undo your changes. For more information about the parameters.2. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. you can skip the generation of each CA by marking the respective Skip field.2.0 from1. If you want to enter the values for the PKI and user certificates yourself.4. see the related link. To get to User Certificate Configuration. choose Finish. Save your changes. user CA. For more information. 97 . To get to User Certificate Configuration. All rights reserved.1 Server Transferring PKI Information to Secure Login For migration purposes.0. 1. choose Next. For more information. You can also generate an entry by importing a file. 4. Enter the respective values.2 Initial Configuration (Manual) Before you can work with the Secure Login Server. 6. 3. Enter the related parameters. a wizard leads you through manual steps for the initial configuration of the Secure Login Server.2. choose the Manual radio button. To complete the initial configuration. Importing Certificate Entries from a File [page 98] You can import entries for the root CA and/or the user CA during certificate management. In each wizard step (except in the user CA step). Parameters for User Certificate Configuration [page 185] This table contains the parameters for user certificate configuration for the client authentication profile. and the user certificate configuration. see the related link below. 4. choose Reset. SAP CA. which you can configure in the Secure Login Administratration Console. see the related link. 7. (Optional) If you do not want to generate a root CA. choose Next. This command restores the original configuration. 2. you must make sure that the PKI information of Secure Login Server 1.2. 7. Related Information Parameters for Initial Configuration (PKI Certificates) [page 164] This topic contains the parameters for the configuration of the PKI certificates. 6.2. you must make sure that the PKI information of Secure Login Server 1. mark the Skip Root CA checkbox. (Optional) Import an entry in a key-pair file.0. The manual configuration mode allows you to change values for the root CA.0 is available for use.0 is available for your migrated Secure Login Server 2. If you want to use the automatic initial configuration of Secure Login Server during the migration of Secure Login Server 2. Enter the related parameter. 5. 4. 0 is located. For more information. This is the reason why you must transfer the PKI information.0 to the current version.. You want to import entries and parameters for the root CA or the user CA from a key-pair file using the initialization wizard for the generation of PKI and user certificates. Since this file is encrypted. enter the password to decrypt the file. 1. see related link. 3. Select the file type in the Entry Type field. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server .0 is located. import the PSE file with the respective PKI. All rights reserved.2. (If applicable) If the entry is decrypted and protected by a password. 3. It generates the PKI certificates and user certificates with the respective values automatically. The initial configuration wizard is now able to access your PKI information automatically. All fields are marked as mandatory. Start the initial configuration. 98 PUBLIC © 2013 SAP AG or an SAP affiliate company. which contains the all the PKI information you need.0. Proceed as follows: You must copy the entire directory and its content from the AS Java environment of your Secure Login Server 1.3 Importing Certificate Entries from a File You can import entries for the root CA and/or the user CA during certificate management. choose Save. Enter the path of the entry file in the next field or browse to the file with Browse.2. In the Application Server Java. Note If you are migrating the Secure Login Server. The options PSE Key Pair and PKCS#12 Key Pair are available. You can only import files with the file extensions pse or p12. 2. we recommend that you migrate the PKI.. you are prompted to enter a password. Simply copy it and insert it accordingly into the environment where your AS Java with Secure Login Server 2. 4. Related Information Initial Configuration Wizard [page 95] After the deployment of Secure Login Server an initial configuration is required 4. Copy the whole directory to a directory with the corresponding name in the AS Java where your Secure Login Server 2. go to the following directory: /usr/sap/<SID>/SYS/global/SecureLoginServer 2. 1. Choose Import The dialog box Import Certificate appears. 5.The initialization wizard of the initial configuration accesses the global directory. Note If you want to migrate from Secure Login Server 1. To complete the import. com/securelogin. 4. Note You find the https port in the SSL setting of the SAP NetWeaver configuration.3 Administration This topic contains administration tasks such as starting Secure Login Administration Console.com:50001/webdynpro/resources/sap. c:\telnet localhost 5$(DIR_INSTANCE)08 Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. 4. password management.3.0. The Secure Login Administration Console opens.4. and stopping and starting Secure Login Server.com/securelogin.1 Starting the Secure Login Administration Console This section describes how you start the Secure Login Administration Console. 4. https://<host_name>:<port>/webdynpro/resources/sap. 1. The port number is usually 50001.3 Stopping and Starting Secure Login Server with Telnet You can start and stop Secure Login Server with Telnet means. you must change the administration password in SAP NetWeaver. use a web browser. Since Secure Administration Console runs within SAP NetWeaver. 99 .3. 1.3.2 Changing Password This section describes how to change the administration password of the Secure Login Administration Console.ui/Main Shortcut: https://<host>:<port>/slac Example https://example. Enter your administration user name and the password. Open the Secure Login Administration Console of NetWeaver Single Sign-On 2. Start a Telnet session. To open the administration console.ui/Main 2. For example.alias sap.com/securelogin.Example c:\telnet localhost 50008 2. The Secure Login Web Client provides short-term certificates to employees. The following main features are available: ● ● ● Browser-based authentication (including support of all authentication servers) Support for SAP GUI for Microsoft Windows and SAP GUI for Java Certificate store support for Microsoft Internet Explorer and Mozilla Firefox browser on Microsoft Windows 100 PUBLIC © 2013 SAP AG or an SAP affiliate company.com/securelogin.com/securelogin.com/SecureLoginServer sap. but Mac OS X based client systems can be used as well. start_app sap. 4. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server .umep Start the SAP Management Console. All rights reserved.3. Choose Action Stop or Action Start for stopping and starting. You also use it for authentication against SAP NetWeaver Web Application Server.com/securelogin.ui 4. Filter the applications for Secure Login Server by entering the names of the components.4 Stopping and Starting Secure Login Server Using SAP Management Console You can also monitor Secure Login Server using SAP Management Console Secure Login Server has the following AS Java components in the SAP Management Console: ● ● ● ● 1. 4. This means that the client is no longer limited to Microsoft Windows.ui Start Secure Login Server.com/*ecure* This displays the AS Java components of Secure Login Server. stop_app sap.ui sap.com/securelogin. 3. Stop Secure Login Server.ui. enter the following in the Name column: sap. sap.4 Secure Login Web Client Secure Login Web Client is a feature of the Secure Login Server that is a Web-based solution for the authentication of users in Web browsers (in portal scenarios) on a variety of platforms and for launching SAP GUI with SNC. Choose AS Java Components. 3. 2. the client system does not store the keys persistently. it transfers components that are required for authentication and for a secure network connection from the server to the client. for example. If server and client are not located in the same country a transfer takes place that requires compliance with applicable export and import control regulations. but they are Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company.1 Export Restrictions Export restriction according to ECCN 5D002 At the start of the Secure Login Web Client. As postauthentication action. these components are classified with ECCN 5D002. 4.509 certificates or start SAP GUI without any user interaction. the authentication process and secure communication can be triggered on demand (for example.corp:50201/SecureLoginServer/webclient/ webclient. the Secure Login Web Client starts the SAP GUI. https://<host_name>:<ssl_port>/SecureLoginServer/webclient/webclient. However. Web Adapter mode ensures a high security level because it enables the Secure Login Client to manage private keys for Secure Login Web Client. With Secure Login Client. After the authentication process.abc. you are obliged to make sure that you abide by the export and import regulations of the countries involved.dhcp. the Secure Login Web Client can reuse existing security browser sessions. To start the Secure Login Web Client. SAP NetWeaver Portal. Caution If the Secure Login Server and the Secure Login Web Client are installed in different countries.wdf.● ● ● Support for MAC OS X Keychain. With Secure Login Web Client the security library needs to be downloaded in a Web browser application. for example. The Secure Login Web Client contains components with cryptographic features for authentication and for a secure server/client network connection. convert already existing browser sessions for using SSL client authentication with X.4. Your profile (GUID) is appended to the URL. URL redirect X. Moreover.html?profile=cd468f6c-ff00-f479-8021-9d811040556e Differences between Secure Login Client and Secure Login Web Client: ● ● With Secure Login Client the required security library is available.2 Using Secure Login Client in Web Adapter Mode The key management of Secure Login Client in Web Adapter mode is highly secure. 101 .4. you can redirect to another web page which needs SLL authentication.html? profile=<GUID> Example: https://nwssoexample.509 authentication support to SAP Web application server Localization and customization of HTML pages and applet messages The start of the Secure Login Web Client is profile-dependent. Under German export control regulations. The Secure Login Web Client triggers an authentication process and secure communication. use the following URL. All rights reserved. in SAP GUI). 4. The SNC and key management libraries are not downloaded. Expand the Client Behavior section. which you can use for SNC in the Secure Login Client. Configuring Web Adapter Mode for Secure Login Open the Secure Login Administration Console. 4.2.4. 3. ● Secure Login Client is not installed on your Microsoft Windows client. 4. ● Secure Login Client is installed on your Microsoft Windows client with the Web Adapter option. All rights reserved.3 Enabling SAP GUI to Use Credentials with Secure Login Web Client You want to enable the Secure Login Web Client to perform authentication and create local credentials that are used by SAP GUI on Microsoft Windows platforms. Web Adapter mode also enables you to use a logout function in the Secure Login Client. 2. Related Information Secure Login Client Installation [page 22] This section explains the installation and the installation options of the Secure Login Client. Activate Web Adapter Mode (requires Secure Login Client installation). Secure Login Web Client uses the following path for downloading the SNC libraries from Secure Login Server: %LOCALAPPDATA%\sapsnc\ (can be changed in Platform Binaries Download Path in client authorization profile with Secure Login Web Client Settings. you can. 5. Choose the relevant client authentication profile.4. you can use multiple connection modes. 6. after the enrollment. Go to Secure Login Web Client Settings. Secure Login Web Client uses the following path for downloading the SNC libraries from Secure Login Server: 102 PUBLIC © 2013 SAP AG or an SAP affiliate company. Web Adapter mode is immediately active after changing the configuration for the next web client enrollment on this profile.temporarily stored in a secure way in the memory of the clients. If you configured a Secure Login Web Client profile in the Secure Login Administration Console. Choose Edit. Prerequisites ● You have installed Secure Login Client with Web Adapter mode. This profile is not persistent. 4. choose a Secure Login Web Client profile. It is only available after an enrollment and for the client session.1 Client 1. When the Secure Login Client user has restarted or logged out. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server . To enable Secure Login Web Client to make an SNC connection to SAP GUI. the Secure Login Client removes all Single Sign-On keys. data and passwords are transported in a secured way. You have activated Web Adapter Mode in the Client Behavior section.4.4. To avoid trust warnings on the clients' browsers. enable SSL on the clients. you must export the SSL CA root in the SAP NetWeaver Administrator. 4. use utilities of the domain controller to distribute the SSL CAs to your clients. All rights reserved. they get an SSL-related warning in the browser.4 Security Features of Secure Login Web Client The following features are designed to improve security of the Secure Login Web Client: ● ● ● Forced use of HTTPS SAP-signed Secure Login Web Client JAR package to protect SNC libraries PKI check before storing in Microsoft Certificate store (for Microsoft Windows only) Related Information Forced Use of HTTPS [page 103] SAP-Signed Secure Login Web Client JAR Package to Protect SNC Libraries [page 104] PKI Check before Storing in a Client Certificate Store [page 104] You must have established a trust relationship for the Secure Login Web Client. the connection is terminated.4. When communicating with the Secure Login Server. If SSL is not enabled in the clients.● ● Secure Login Web Client uses the Secure Login Client installation path for the SNC connection. In this case. Secure Login Web Client uses the following path for downloading the SNC libraries from Secure Login Server: %LOCALAPPDATA%\sapsnc\ ● 4. it must use server authentication without client authentication. and an error occurs. Note The Secure Login Web Client needs an SSL connection with the Secure Login Server. The trust relationship is established between the trust store of the browser and the SAP NetWeaver Key Storage. 103 . In a Microsoft Windows environment.1 Forced Use of HTTPS It is mandatory to use the HTTPS protocol. You can disable client authentication in the Client Authentication Mode SAP NetWeaver Administrator Configuration SSL SLL Access Points column by setting the value Do Not Request. You have not activated Web Adapter Mode in the Client Behavior section. With HTTPS. Secure Login Web Client uses the Secure Login Client installation path for the SNC connection. Related Information Importing CAs or Certificates into the SAP NetWeaver Key Storage [page 104] Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. the Secure Login Web Client uses the following path for downloading the SNC libraries from Secure Login Server: %LOCALAPPDATA%\sapsnc\ Secure Login Client is installed on your Microsoft Windows client without the Web Adapter option. If someone tries to bypass HTTPS. 5.4. an SHA-256 checksum is in place. and new files are downloaded from the server.2 SAP-Signed Secure Login Web Client JAR Package to Protect SNC Libraries To make sure that the files on the server and on the client are not manipulated. You display the details of the TrustedCAs view in the View Entries tab.4. The SAP signature in the JAR file of the Secure Login Web Client applet protects the SHA-256 checksums against manipulation attempts.3 PKI Check before Storing in a Client Certificate Store You must have established a trust relationship for the Secure Login Web Client. Select the Key Storage view TrustedCAs. Go to the Configuration tab. Select the file format of your CA certificate. 3. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server . 2. Choose Views in Certificates and Keys. To import your file. 8.4. Select Key Storage. the files are deleted. 7. Browse to your file.1 Importing CAs or Certificates into the SAP NetWeaver Key Storage To establish a trust relationship with the SAP NetWeaver Application Server.4. System Security for AS Java Only 4.4. Take the following steps: 1. see the SAP Help Portal under Security Security System Security SAP NetWeaver Library: Function-Oriented View Using the AS Java Key Storage . All rights reserved. 9. Start SAP NetWeaver Administrator. 4. This makes sure that the SNC libraries are identical with those delivered in the Secure Login Server package. Choose Import Entry. For more information. 104 PUBLIC © 2013 SAP AG or an SAP affiliate company. During a download of a Secure Login Web Client package there is a check of the local files that verifies whether the native SNC libraries have already been downloaded even before the package is written to the hard disk. choose Import.4. It prevents a manipulation of the SNC libraries on the side of the client and of the server.4.1. If the verification of the checksum fails. you import your CA certificate of the LDAP server into the Key Storage of SAP NetWeaver Application Server. 4. 6. You have now established a trust relationship by having imported CAs or certificates files. 4. 105 . If your Mozilla Firefox browser does not open an extension installation dialog. you have the following choices: Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. 2. 4. the certificate in the Microsoft Certificate Store. Import the root CAs from the user CA of the Secure Login Server in the trusted root Certification Authorities. Install the Firefox extension. The Firefox Extension is provided by the Secure Login Server and can be downloaded using the following URL: http://<host_name>:<port>/SecureLoginServer/webclient/firefox Browser and operating system are recognized automatically. Use Microsoft or Mac OS utilities to import the trusted root CAs into the clients' certificate stores or login/system Keychain and to set a trust relationship. the system performs a PKI check before keys and certificates are stored or overwritten in the Microsoft certificate store and in the local PSE file. All rights reserved. To avoid that already valid enrolled keys and certificates are being overwritten with invalid ones from an untrustworthy Secure Login Server. To enable a PKI check. the Secure Login Web Client stores.1 Install Firefox Extension Firefox Extension for Secure Login Web Client Prerequisite You have installed Firefox Extension XPI.4.5.5 Mozilla Firefox Plug-In for Storing Secure Login User Certificates Mozilla Firefox stores the certificate in the browser's certificate store using the plug-in of Secure Login Web Client. The same function is provided for the Mozilla Firefox browser.Note This section only refers to Microsoft Windows and Mac OS operating systems. you must set a trust anchor in the clients. After successful user authentication. Distribute the trust anchors that are used by your client authentication profiles. but only allows you to save this file. 4. 1. which are responsible for your clients. 1. 106 PUBLIC © 2013 SAP AG or an SAP affiliate company. Install the Firefox Extension by choosing Install Now. Choose Add-ons Manager and Extensions from the menu. 2. then drag and drop it into any Firefox window. 2. 4. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server . To uninstall. Start the Mozilla Firefox application. 3.4.4.2 Uninstall Mozilla Firefox Extension This topic describes how you uninstall the Firefox extension for Secure Login Web Client. 4.○ ○ ○ Choose the option Open with and choose the Mozilla Firefox application. All rights reserved. 3. Restart Mozilla Firefox. Ask your Web portal administrator to add a new MIME type application/x-xpinstall for XPI files. Save the file to your Desktop. 1. select the Firefox Extension Secure Login Security Module and choose the Remove button.6 Rebranding Secure Login Web Client You may want to rebrand the logon user interface of Secure Login Web Client according to the needs of your company.5. The migration depends on the client and on the login modules you use. All rights reserved. For this reason. for example in a way that it reflects the corporate identity of your company.0 from 1.html. Save your changes.4. You need not restart the Secure Login Server. 4.0 from 1.0 accepts the PKI of the previous version. The file webclient.1 Configuring Secure Login Web Client for Rebranding You configure rebranding options in a script file of SAP NetWeaver AS Java. It makes sense to change the value in the sections surrounded by <LABEL> and </LABEL>.com\SecureLoginServer \servlet_jsp\SecureLoginServer\webclient\root Example D:\usr\sap\NJ4\J00\j2ee\cluster\apps\sap.0 The following section describes how you migrate Secure Login Server 2. which contains all the PKI information you need. The initialization wizard accesses the Secure Login Server global directory. 3.Many users of your company or external users use the Secure Login Web Client to log on to your company's systems. you want to rebrand the Secure Login Web Client and modify its logon user interface.com\SecureLoginServer\servlet_jsp \SecureLoginServer\webclient\root 2. Go to the following directory: \usr\sap\<host_name>\<instance_name>\j2ee\cluster\apps\sap. take the following steps: 1.0.0. Open webclient. After the installation of the Secure Login Server 2. 4.0.5 Migrating Secure Login Server 2. 4. the initial configuration wizard migrates the PKI of SAP NetWeaver Single Sign-On 1.6. It generates the PKI certificates and user certificates with the respective values automatically. You must simply confirm the relevant password of the PKI. and the Secure Login Administration Console of SAP NetWeaver Single Sign-On 2. You want to change the appearance of the Secure Login Web Client so that all users immediately recognize that they are about to log on to your company's systems. 107 . If you want to rebrand Secure Login Web Client. Make the appropriate changes in the HTML file.html contains all options for rebranding your logon user interface. Restriction Do not change the values in the parameters id and name. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server .0 have destinations.0 and 2.0 is available for your migrated Secure Login Server 2. Security AS Java Authentication Infrastructure SAP Library SAP User Authentication and Single Sign-On Authentication Policy Configurations and Authentication Stacks .0. For more information. You set the parameters for the destinations in the Secure Login Administration Console or in SAP NetWeaver Administrator.Prerequisites ● ● ● SAP NetWeaver Single Sign-On 1. The related link contains an overview of the login modules and the places where the configuration is executed.0.0 to 2. see the Application Help in http://help. Each login module of SAP NetWeaver Single Sign-On 1. All rights reserved.0.0. The following topics describe a migration of Secure Login Server.com/nw731/ under NetWeaver Library: Function-Oriented View Infrastructure Related Information Initial Configuration [page 96] This section describes the modes that are possible for the initial configuration wizard. in some cases.0 to 2. you must make sure that the PKI information of Secure Login Server 1.0 and 1. the login module names. and the location where the destinations are configured.0.0 for the initial configuration wizard.0 [page 109] This table contains the login modules. You have provided the respective PKI information of Secure Login Server 1. Copy the values of the parameters over wherever possible or enter the value in the respective format. see related link. You must migrate the policy configuration of the login modules for SAP NetWeaver Single Sign-On 1. Overview of Login Modules Supported by SAP NetWeaver Single Sign-On 2. This table is useful when you migrate from SAP NetWeaver Single Sign-On 1.0) for the policy configuration according to the login module(s) you use. we recommend that you map the parameters for your previous version (SAP NetWeaver Single Sign-On 1.0 to Secure Login 2. So you must decide which value you want to use for SAP NetWeaver Single Sign-On 2. Importing Certificate Entries from a File [page 98] You can import entries for the root CA and/or the user CA during certificate management.0 was configured in the SAP NetWeaver Administrator. the value ranges for the configuration vary. migrate either Secure Login Server with Secure Login Client or Secure Login Server with Secure Login Web Client. 108 PUBLIC © 2013 SAP AG or an SAP affiliate company. Transferring PKI Information to Secure Login Server [page 97] For migration purposes. You have executed the PKI migration during the initial configuration. Tip For a migration. Mapping of Parameters by Login Module [page 192] Table that maps policy configuration and login module parameters of SAP NetWeaver Single Sign-On 2. Depending on which client (Secure Login Client or Secure Login Web Client) you use. For more information.sap.0. You can migrate from SAP NetWeaver Single-Sign-On 1. see related link. For more information. whereas some login modules for SAP NetWeaver Single Sign-On 2. The parameters and.0 are installed on separate servers. The migration comprises the Secure Login components Secure Login Server and Secure Login Client. All rights reserved.0. The policy configuration contains several login module stacks.0 to 2.0 This table contains the login modules.0 Login Module SPNego login module LDAP login module Login Module Name SPNegoLoginModule SecureLoginModule20LDAP Destination Configured in (No destination required) Secure Login Administration Console Secure Login Administration Console SAP NetWeaver Administrator (No destination required) RADIUS login module SecureLoginModule20RADIUS ABAP login module SAP NetWeaver AS Java User Management Engine (UME). For some of them. migrate the policy configuration of the Secure Login Server. The following table contains an overview of the login modules that are available in SAP NetWeaver Single Sign-On 2.0 If you want to migrate from SAP NetWeaver Single Sign-On 1.0 to 2.0. you must configure destinations (in the Secure Login Administration Console or in the SAP NetWeaver Administrator). see SAP Help Portal for SAP NetWeaver . For more information on basic authentication. the login module names. SAP Library: Function-Oriented View Security User Authentication and Single SignOn Integration in Single Sign-On Using User (SSO) Environments SecureLoginModule20ABAP BasicPasswordLoginModule ID and Password Authentication 4. 1.2 Adding a Policy Configuration for SAP NetWeaver Single Sign-On 2.0. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company.5.4. If you want to migrate from SAP NetWeaver Single Sign-On 1. which contains login modules. Table 16: Overview of Login Modules for SAP NetWeaver Single Sign-On 2. 109 . and the location where the destinations are configured. Start the SAP NetWeaver Administrator.1 Overview of Login Modules Supported by SAP NetWeaver Single Sign-On 2.5. you must first add a policy configuration. To add a policy configuration for a login module stack (for example. Go to the section Option of login module. 5. To specify all the details of the policy configuration. 10. 17. 4. go to the section Details of policy configuration below. You find an overview of the login modules for SAP NetWeaver Single Sign-On 2. 7. Choose the Add button. Copy the respective values from the previous login module and paste them into the parameters of the login module for SAP NetWeaver Single Sign-On 2. for LDAP) for SAP NetWeaver Single Sign-On 2. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server . Go to Authentication and Single Sign-On. choose Add in the Authentication tab. Enter the name of the destination. All rights reserved. 14. Select the respective login module for SAP NetWeaver Single Sign-On 2. 11. select SecureLoginModule20LDAP. This overrides the configuration of the User Management Engine. For example in the case of an LDAP and RADIUS login module. Example For LDAP.0. Choose the Configuration tab.0 in the related link. Example You may find the parameters PasswordExpirationAttribute and PasswordExpirationGracePeriod in the options section. Choose the Properties tab. You have now configured the policy configuration with login modules for SAP NetWeaver Single Sign-On 2. 13. 8. the login module names. This section contains all the parameters that are relevant for the configuration.0. Enter the name of the policy configuration.0. you have to configure the destination in the Secure Login Administration Console. and the location where the destinations are configured. Parameters for the Policy Configuration [page 172] 110 PUBLIC © 2013 SAP AG or an SAP affiliate company. Set a flag to make sure that the authentication proceeds down the list to the next login module if authentication is not successful. For more information. The related link explains the meaning of the parameters. 15. 3. Choose the Create button. Open the dropdown list in the Login Module Name column. 9. see related link that offers an overview of the login modules. 12. 6. Enter UserMappingMode and type in the value VirtualUser. Related Information Overview of Login Modules Supported by SAP NetWeaver Single Sign-On 2. For choosing the relevant login module.Example https://<host_name>:<port>/nwa 2. choose Edit.0. 16. What is still missing in this stage is the creation of an authentication profile pointing to the policy configuration and the destination configuration.0 [page 109] This table contains the login modules. Open the Secure Login Administration Console of NetWeaver Single Sign-On 2. This name appears in the navigation tree of the Secure Login Administration Console of SAP NetWeaver Single Sign-On 1. 5. 111 . 4. it is easy to identify which instance in SAP NetWeaver Single Sign-On 1. To create a client authentication profile. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company.com/securelogin. The following clients are possible: ○ ○ Secure Login Client Profile Secure Login Web Client Profile Note If you use a Secure Login Web Client profile. All rights reserved. you find the client parameters in the related link.0.com/securelogin.0. choose Create.com:50001/webdynpro/resources/sap.ui/Main 2. Select the client you use.3 Creating an Authentication Profile Pointing to a Policy Configuration An authentication profile in the Secure Login Administration Console serves as a pointer to the configuration of the login module.5. Go to Authentication Profile Type.The policy configuration allows you to set parameters for the login modules. To create and configure an authentication profile pointing to a policy configuration. create an authentication profile that points to the relevant policy configuration in the NetWeaver Administrator where the configuration of the login module is located (in the Authentication tab of the SAP NetWeaver Administrator).0. 6. The wizard for configuring the new client authentication profile opens. https://<host_name>:<port>/webdynpro/resources/sap. select the name of the policy configuration you created for SAP NetWeaver Single Sign-On 2.0. In the parameter User Authentication. proceed as follows: 1. 4.ui/Main You can also use the following short command: https://<host_name>:<port>/slac Example https://example. 3.0 was migrated to which client authentication profile in SAP NetWeaver Single Sign-On 2.0 (under Instance Management <instance_configuration_name> . Enter the authentication profile and a description Tip We recommend that you use the name of the respective instance configuration of Secure Login Administration Console of SAP NetWeaver Single Sign-On 1. If you enter an identical name. At this point. Choose next to continue. For more information. All rights reserved. see the related link. 11.0. You generated the value when you imported the PKI during initial configuration. 12. Choose Next to continue. see the related link to the user certificate parameters for Secure Login Server. For more information. 10. 9.7.0. Parameters for Secure Login Web Client Configuration [page 176] This topic contains the Secure Login Web Client configuration parameters. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server . which contains login modules. The Enrollment URL of SAP NetWeaver Single Sign-On 1.0 in the dropdown list. Caution Take care that the column Secure Login Client Version contains the value 1. Note The field User CA for Issuing User Certificates already contains a value for the user CA. Select the name of your policy configuration for SAP NetWeaver Single Sign-On 2. see the related link. In SAP NetWeaver Single Sign-On 1. see the related link about the client configuration. Parameters for Client Configuration [page 173] This topic contains the client configuration parameters. It is displayed split up in several columns. Initial Configuration [page 96] This section describes the modes that are possible for the initial configuration wizard.0 is already available. For more information. you must first add a policy configuration. Go to the User Authentication section. (Optional) If you use a proxy URL.0 to 2. copy the proxy URL over from SAP NetWeaver Single Sign-On 1.0 for backward compatibility for Secure Login Client 1. It comprises a number of user certificate parameters.0. Choose Use Policy Configuration. Note You can access the policy configuration in the SAP NetWeaver Administrator if you choose the link Authentication and Single Sign-On. it is located in Instance Management <instance_profile> Client Configuration in the Profiles tab. 8. Related Information Adding a Policy Configuration for SAP NetWeaver Single Sign-On 2.0. The next step is the user certificate configuration. 112 PUBLIC © 2013 SAP AG or an SAP affiliate company.0 [page 109] If you want to migrate from SAP NetWeaver Single Sign-On 1. For more information. Choose Edit to see the entire range of parameters. 6.0 and 1. 7. fills all the parameters with values you used in the previous version. Provide a description of the destination.5. for LDAP login modules) You can set optional server authentication parameters in the section LDAP Server Authentication (Optional).0 in the options of the LDAP login module. see the related link dealing with policy configuration. proceed as follows: 1. Do not enter ldap://. ○ (Optional.0 to 2. All rights reserved. https://<host_name>:<port>/webdynpro/resources/sap. The imported file.0.0. 4.ui/Main Example https://example. you need to have imported an LDAP server certificate to the trusted certificates into the Key Storage of SAP NetWeaver Single Sign-On. This table lists the parameter names for SAP NetWeaver Single Signon 2.0 [page 109] If you want to migrate from SAP NetWeaver Single Sign-On 1. To create a destination. ○ (Optional for RADIUS login modules) You can import a server message file delivered by RSA in the Advanced Configuration for RSA Authentication section. For more information. They vary depending on the destination type. 5. You have configured a destination in Secure Login Administration Console. Related Information Adding a Policy Configuration for SAP NetWeaver Single Sign-On 2. you must first add a policy configuration. Select the Destination Management tab.0 (SAP NetWeaver Administrator) in the field IP Address / Host Name.com:50001/webdynpro/resources/sap. Select the destination type from the list.com/securelogin.4. Open the Secure Login Administration Console. Enter the relevant parameters. Choose Next to continue. Note Enter only the host name of the LDAP login module of SAP NetWeaver Single Sign-On 1.com/securelogin.4 Creating Destinations in Secure Login Administration Console LDAP and RADIUS login modules require destinations in the Secure Login Administration Console. 113 . You find the host name in the login module of SAP NetWeaver Single Sign. Mapping of Parameters by Login Module [page 192] Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. Enter the same destination name you specified in policy configuration.ui/Main 2. a) You can set optional authentication parameters in the section below. Enter the port separately. 3. which you used for SAP NetWeaver Single Sign-On 1. A related link contains a mapping table sorted by login module. Enter the name of the destination in the policy configuration. Choose the Create button.On 1. The system prompts you to enter a destination name. which contains login modules. 8. LDAP Destination and RADIUS Destination are available.0. Choose Finish to complete the destination configuration. When using ldap or ldaps. 6. To configure the protocol in the enrollment URL.0 and. 7. 5.0.6 Configuring Actions at Policy Download This topic describes the actions that are possible after a policy download to Secure Login Client. for example you want to run Secure Login Client 1. you must adapt the protocol of the enrollment URL in Secure Login Server. Secure Login Server downloads the client policies to the clients at regular intervals.0 and slc1 for 1. proceed as follows: 1. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server . 3. Go to the Enrollment URL section. If you use different clients.0 has the following syntax: <Server host:port>/SecureLoginServer/slc2/doLogin?profile=<profile uuid> <Server host:port>/SecureLoginServer/slc1/doLogin?profile=<profile uuid> slc2 stands for the protocol for SAP NetWeaver Single Sign-On 2.com:50001/webdynpro/resources/sap.0 and Secure Login Client 1. This table is useful when you migrate from SAP NetWeaver Single Sign-On 1.0.5. If. you must use the correct communication protocol.0 does not overwrite and thus wipe out the settings in the Secure Login Client. This means that both profile group configuration settings coexist (the profile group configuration of Secure Login Server 2.0 to the clients. Host Name. Save your changes. for example 1.ui/Main 2. at the same time. you must provide several enrollment URLs having different protocol versions. The enrollment URL for SAP NetWeaver Single Sign-On 2. it might make sense to keep the profile group configuration settings of Secure Login Server 1. 4.com/securelogin.0.0 to 2. 4. 114 PUBLIC © 2013 SAP AG or an SAP affiliate company. You find the current enrollment URL split up into several parts. and Secure Login Client Version columns. In this setup. Start the Secure Login Administration Console of SAP NetWeaver Single Sign-On 2. 4.com/securelogin.0 and 1.0 for fallback purposes.0. Go to the Secure Login Client Settings tab.0 clients with Secure Login Server 2. https://<host_name>:<port>/webdynpro/resources/sap. You determine certain actions that are launched after the policy download to Secure Login Client. Port.0. All rights reserved. for example Secure Login Client 2. Choose the respective client authentication profile. In a migration context. Choose the Secure Login Client versions you want to use for your clients.5 Setting the Enrollment URL for Secure Login Client During a migration.5. download the profile group settings for Secure Login Server 2. Choose Edit. you keep the old configuration of Secure Login Server 1. It consists of the Protocol. Each client authentication profile has its own enrollment URLs for communicating with the clients.0.0.ui/Main Example https://example.0 and 1.Table that maps policy configuration and login module parameters of SAP NetWeaver Single Sign-On 2. https://<host_name>:<port>/webdynpro/resources/sap. Select Keep to preserve the profile group configuration of SAP NetWeaver Single Sign-On 1. This parameter refers to the profile group configuration in the Secure Login Server.0 and is supposed to be migrated to SAP NetWeaver Single Sign-On 2. Start the Secure Login Administration Console of SAP NetWeaver Single Sign-On 2. and actions after policy download. Choose the Edit button. policy update interval. Choose the field Action on SAP AS ABAP Application Settings. 9. All rights reserved.com/securelogin. Go to Client Management Profile Groups Select the profile group for which you want to download the policies to Secure Login Client. This parameter refers to the profile group configuration in the Secure Login Client.0. you can specify some properties. Select Keep to preserve the profile group configuration of SPO NetWeaver Single Sign-On 1.5.7 Migration of Certificate User Mapping in the Secure Login Server This topic describes how you migrate certificate user mapping to SAP NetWeaver Single Sign-On 2. timeout. host name.0.ui/Main 2. 6. Related Information Parameters for Downloading Policies Using Profile Groups [page 182] When you create a profile group from the client authentication profiles. Prerequisites Certificate user mapping is available in SAP NetWeaver Single Sign-On 1. 3. Use Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company.0. For configuring the actions at policy download.com:50001/webdynpro/resources/sap.com/securelogin. 10. Save your changes. 4. 5. Choose the field Action on Client Settings. see related link. use the parameters in the Actions at Policy Download section.1. such as protocol.ui/Main Example https://example.0 in Secure Login Server. Go to the section Information for Client Authentication Profile Windows Authentication (SPNEGO) to see the parameters and the values. 4. For more information about the parameters.0 in Secure Login Client. User mapping is only possible with LDAP or Active Directory server. 115 . 8. Note You find the parameters you download to the Secure Login Client in the Profile Group tab under the respective client authentication profile (including the assignment of SAP AS ABAP SNC names the client authentication is valid for). 7. Go to the General tab. Open the Secure Login Administration Console. Save your changes. Go to the LDAP Server Authentication (Optional) section.com/securelogin.The aim of the Secure Login Server user mapping is to adapt logon between Windows operation systems and an SAP environment. Enter values for the parameters. It conveys only user information.com/securelogin. You must define an LDAP destination. This is implemented by the fact that the Secure Logon Server issues a certificate with user information that is used by other applications. https://<host_name>:<port>/webdynpro/resources/sap.0. Related links: “Configuring User Login ID Padding (Optional)” (REFERENCE) Related Information 9. Proceed as follows: 1.0 in parallel with a Secure Login Administration Console of SAP NetWeaver Single Sign-On 1. For more information. see (REFERENCE) Configuring the Certificate Attributes for User Mapping when Migrating Secure Login Server and the related link. 5. not necessarily a user name. For more information on the parameters. 4. 116 PUBLIC © 2013 SAP AG or an SAP affiliate company. enter the required values from SAP NetWeaver Single Sign-On 1. Go through user login ID mapping in the user certificate configuration of the client authentication profile and enter the parameters you need. see related link. Enter the optional parameters in the section LDAP Server Authentication (Optional) of the Destination Management. All rights reserved.ui/Main https://example. This means that you do not need a user-to-user mapping. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server . see related link.ui/Main 2. see related link. (Optional) If you want to use user logon ID padding. For more information. The application recognizes the information and uses it to map to a certain user. 8. You find a mapping of parameters for destination management in the related link. For more information. Choose the Edit button. Select the Destination Management tab.0. 3. but the information in the certificate makes sure that the authentication request of a certain user are accepted. User mapping is possible in the following applications: ● ● ● ● ● ● ● ● LDAP OpenLDAP User Management Engine Microsoft Active Directory ABAP login module SPNego login module RSA RADIUS We recommend that you run SAP NetWeaver Single Sign-On 2. Go to the Settings tab. 6. 7. You need to specify the LDAP search base DN and the service user name. Entering a password is optional.com:50001/webdynpro/resources/sap. see Transport Layer Security SAP NetWeaver Library: Function-Oriented View Transport Layer Security on the AS ABAP User Maintenance on AS ABAP Security Network and Secure Network Communication Configuring SNC on AS ABAP in the SAP Help Portal.5. 4.1 Example for Implementing Migrating User Mapping with Secure Login Server This is an example for user mapping migration with Secure Login Server using an LDAP user with an UME. The user authenticates with Secure Login Server at an User Management Engine of an Application Server ABAP. In Instance Management.7. 117 . or AUTH:DCS. 4. for example. Using the User Maintenance (SU01 transaction) in the Application Server ABAP.5. SAP NetWeaver Single Sign-On 1. you map the certificate Distinguished Name as SNC name.0. All rights reserved. for example the e-mail address. Parameters for Destination Management Configuration [page 189] Configure destinations if you use LDAP or RADIUS login modules or user logon ID mapping. A user logs on to Secure Login Server with user name and password. The Secure Login Server connects to LDAP to get further attributes from the LDAP search base.7. this table enables you to map the user certificate attributes from SAP NetWeaver Single SignOn 2. which could be used for static entry of a Distinguished Name for LDAP and Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. SAP GUI reads the user information (the e-mail address) that is sent with the certificate and identifies the appropriate SAP user. The Certificate Attribute Configuration contains all the attributes that are transferred from the Secure Login Server to the Secure Login Client. You have an LDAP user and want to use it in the User Management Engine (UME) of an Application Server ABAP as well.0 only offered a user-defined property called DN. Now the user authenticates with Secure Login Client or Secure Login Web Client at the SAP GUI. These attributes are maintained in the Distinguished Name of the user certificate. AUTH:UPN.2 Configuring the Certificate Attributes for User Mapping when Migrating Secure Login Server This topic describes the certificate attribute configuration during a migration of Secure Login Server. The Secure Login Server receives the user name and password in the authentication request and identifies the user. Note For more information.Mapping of Parameters for Destination Management [page 197] Creating Destinations in Secure Login Administration Console [page 113] Mapping of Parameters for User Certificate Attribute Configuration [page 197] During a migration. The Secure Login Server issues a certificate that contains information about the user.0 with the user-defined property in SAP NetWeaver Single Sign-On 1. You want to add further attributes to the certificate Distinguished Name. e-mail address. 5. padding length. 2. For migration purposes. 5. The user certificate attribute configuration of SAP NetWeaver Single Sign-On 2.0 and memorize the values of the respective user-defined properties.0 into the parameters wherever possible using the appropriate format.7. Activate the checkbox Enable User Logon ID Padding. Choose the corresponding instance in Secure Login Administration Console of SAP NetWeaver Single SignOn 1. In Instance Management. 1.0. This displays the user logon ID padding parameters. Go to Certificate Attribute Configuration.3 Configuring User Logon ID Padding (Optional) in Secure Login Server The optional user logon ID padding is also transferred from the Secure Login Server to the Secure Login Client. Related Information Parameters for Certificate Attribute Configuration [page 186] These are the parameters for the certificate attributes for user mapping the Secure Login Server passes on to the Secure Login Client. Mapping of Parameters for User Certificate Attribute Configuration [page 197] During a migration. Go to User Logon ID Padding (Optional). 4.0 correspond to those in 1.SPNego profiles.0 into the parameters wherever possible using the appropriate format. see Parameters for User Logon Padding. Enter the values from SAP NetWeaver Single Sign-On 1. Enter the values from SAP NetWeaver Single Sign-On 1. see the related link. 2.0 only offered user-defined properties for padding character. 3. This section contains the padding parameters that are passed on in the certificate when a client or a Secure Login Client authenticates. see also Mapping of Parameters for User Logon ID Padding. For more information about which parameters of SAP NetWeaver Single Sign-On 2. This section contains the certificate attributes that are passed on in the certificate when a client or a Secure Login Client authenticates.5. All rights reserved. and maximum length. 118 PUBLIC © 2013 SAP AG or an SAP affiliate company. SAP NetWeaver Single Sign-On 1. Activate the checkbox Enable User Logon ID Padding. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server . 1.0 and memorize the values of the user-defined property. 3. 4. Save your changes.0 is much more flexible than the user-defined property DN. For more information about the user logon ID padding parameters. Prerequisite You have set the common name to PADDEDNAME in the certificate attribute configuration. Save your changes. this table enables you to map the user certificate attributes from SAP NetWeaver Single SignOn 2.0. This displays the user logon ID padding parameters. Choose the corresponding instance in Secure Login Administration Console of SAP NetWeaver Single SignOn 1.0 with the user-defined property in SAP NetWeaver Single Sign-On 1. 1. 4. 1 User Mapping in Secure Login Server This topic and the following topics deal with user mapping. Some systems require a certain length. because you want to have a different name in the user certificate or because your server has special requirements for the user name. the generation of user certificate Distinguished Names. Parameters for Certificate Attribute Configuration [page 186] These are the parameters for the certificate attributes for user mapping the Secure Login Server passes on to the Secure Login Client. which you can configure in the Secure Login Administratration Console. You want to change the common name or the Distinguished Name that is used in a user certificate. If user names in the common name (CN) field need a fixed or minimum length.6. All rights reserved. Certificate user logon ID mapping and user logon ID padding enable you to use multiple attributes for the generation of the Distinguished Name.509 certificates.6 Configuration In the following. you find information about how you can configure Secure Login Server. The password length or value can be customized.6.1 Names Configuration of User Certificate Distinguished This topic describes how you change the common name or Distinguished Name that is used in a user certificate.4. 4.1. and user logon ID padding. padding can be turned on. 4. SAP user IDs have a maximum length of 12 characters (SAP NetWeaver AS ABAP environment) which needs to be considered by SNC X. The following changes of the Distinguished Name are possible: ● ● ● ● ● Expanding the length of the Distinguished Name Shortening the Distinguished Name Using a completely different Distinguished Name Adding additional characters to the Distinguished Name Enriching the Distinguished Name by adding additional attributes Note You can configure all those options if you use certificate user mapping and/or user login ID padding. Parameters of User Mapping Destinations and Attributes [page 187] Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. others special trailing or leading characters. Related Information Parameters for User Certificate Configuration [page 185] This table contains the parameters for user certificate configuration for the client authentication profile. Typically this configuration is used if personnel numbers are used. 119 . You have entered the optional parameters in the section LDAP Server Authentication (Optional) of the Destination Management. Destination Management Settings For more information. it lists the user mapping attributes. use the following parameters. Prerequisites You have a service user in Microsoft Active Directory or LDAP. The system displays the Mapping Destinations and Mapping Attributes sections. 2. An LDAP server or a Microsoft Active Directory Server is installed in LDAP Server Authentication (Optional) . 120 PUBLIC © 2013 SAP AG or an SAP affiliate company. Expand the User Logon ID Mapping (Optional) tray. 4. This enables you to configure the use of an LDAP or Microsoft Active Directory Server attributes instead of the user name passed by the client. Procedure To configure the basic and optional functions for the user mapping certificate. 4.6. Activate the checkbox Enable User Logon ID Mapping. 5. Go to Client Management. All rights reserved. Choose the User Certificate Configuration tab.2 (Optional) Configuring the User Logon ID Mapping with Added Attributes Here you learn how you use LDAP or Microsoft Active Directory Server attributes instead of the user name passed on by the client.This table contains an overview of the parameters for user mapping.1.1 Configuring User Mapping for Secure Login Server in a Client Authentication Profile User mapping for Secure Login Server only runs if you use Microsoft Active Directory or LDAP.6. see the related link. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server . Choose the Edit button. You have defined client authentication profiles for the authentication stack you use. Creating Destinations in Secure Login Administration Console [page 113] 4.1. take the following steps: 1. 3. Moreover.1. Related Information Parameters for LDAP Login Modules [page 178] This table contains an overview of the parameters you can set for LDAP login modules. Parameters for User Logon ID Padding [page 188] If you want to use user logon ID padding.1. It is possible to select multiple destinations. Enter a search attribute and search values for the LDAP or Active Directory database in the mandatory parameters LDAP Search Attribute and Search Value. The following values are available for Search Value: AUTH:USERID AUTH:UPN AUTH:DCS This search method finds an entire row in an LDAP or Active Directory database. All rights reserved. 121 . The following attributes are available as default values. the field Common Name contains the values AUTH:USERID. Use the LDAP search attribute AMAccountName with search value (AUTH:USERID). You can also add new attributes. displayName givenName mail name (last name) sAMAccountName sn (first name) userPrincipalName(user principal name) The attributes you enter here add values to all the fields in the Certificate Attribute Configuration section below. and userPrincipalName in this sequence. from LDAP. Caution If any one of the attribute values is not valid. If you want to use further values. go to the section Mapping Attributes. the whole client authentication profile is locked.6. you can enrich the Common Name field with the following values (in the following sequence): AUTH:USERID Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. for example. you must enter them explicitly. and AUTH:DCS. if you misspelled it. Select the respective destination names in the Mapping Destinations table. If you add the mapping attributes displayName. The following destinations are available: ○ ○ LDAP destination Windows Active Directory 7. mail. AUTH:UPN. To search in a specific column in the LDAP or Active Directory database. 8. Example Use the LDAP search attribute userPrincipalName with search value (AUTH:UPN). You may find several attributes. Example In the default setting. for example. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server .1. 5. 122 PUBLIC © 2013 SAP AG or an SAP affiliate company. If you have defined mapping attributes from an LDAP or Active Directory. This topic explains the configuration. you can also use these attributes. such as AUTH:USERID or directly type in what you want to include in the user certificate. 1.6. for example. Enter the mandatory common name or choose an input value. The Certificate Attribute Configuration contains all the attributes that are transferred from the Secure Login Server to the Secure Login Client. Go to Certificate Attribute Configuration. see the related link. This topic explains the configuration. 4. This section contains the certificate attributes that are passed on in the certificate when a client or a Secure Login Client authenticates or when the Secure Login Server uploads the user certificate profile. all those attributes are immediately transferred by the certificate. Related Information Configuring the Certificate Attributes for User Mapping in the Secure Login Server [page 122] The Secure Login Server passes the certificate attributes for user mapping on to the Secure Login Client. LDAP:mail for an e-mail address. 2.0 correspond to those in 1. Related Information Parameters for Certificate Attribute Configuration [page 186] These are the parameters for the certificate attributes for user mapping the Secure Login Server passes on to the Secure Login Client. When an attribute is found. Step through the fields and determine the elements you want to include in the user certificate. for example AUTH:USERID. You can use the input values. see the related link. For more information. Fill the fields you need.AUTH:UPN AUTH:DCS (for Appendix Subject Name only) LDAP:displayName LDAP:mail LDAP:userPrincipalName It is clear that you can also use all other configured LDAP attributes.3 Configuring the Certificate Attributes for User Mapping in the Secure Login Server The Secure Login Server passes the certificate attributes for user mapping on to the Secure Login Client. 3. All rights reserved. user information contains the e-mail address. When a user logs on to a Secure Login Client. 4. Save your changes.0.1. for example “mail”. For more information about which parameters of SAP NetWeaver Single Sign-On 2. Save your changes. in the user certificate itself. The padding length sets the minimum length of user names. Enter the appropriate parameters. 1. All rights reserved. Now the user login ID padding parameters appear. 3.1. Example You want to enrich the Distinguished Name by adding a number of new attributes from the LDAP server. 2. Assumption You have service user called Denise Smith who works in the organization BI ADM. which. you must the LDAP search attributes you want to add. Activate the Enable User Logon ID Padding checkbox. generates the output [email protected] (Optional) Configuring User Logon ID Padding User logon ID padding enables you to set the lengths of user names. for example AUTH:UPN. The LDAP search uses the LDAP:name with the search result Denise Smith (in the fourth column of the table). userNameMappingLDAPSearchAttributeValue=(AUTH:USERID) . you can fix the length of the Distinguished Name in the Padding Length and Maximum Length fields. the Secure Login Server uses a certain policy configuration that determines the result variables. Prerequisites You have set the common name in the certificate attribute configuration to the value PADDEDNAME. see related link. The last row contains an example of options for a complete output in a user certificate. you can turn on padding.1. For this purpose. 123 .6. use the following parameters.4. You want to use user name mapping from an LDAP server with user name padding. In these cases.5 Example for Configuring a User Distinguished Name in Secure Login Server This section contains an example for user name mapping in the Secure Login Server. When a user authenticates. User names in the common name (CN) field may need a fixed or minimum length. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company.6. User IDs need a maximum length of 12 characters in the SAP NetWeaver ABAP environment.org. However. Related Information Parameters for User Logon ID Padding [page 188] If you want to use user logon ID padding. You can only use user name padding if you have set PADDEDNAME in the Common Name field of the certificate attribute configuration.1. For more information. 4.1. and add padding characters. for example. All rights reserved.d omain.org" 124 PUBLIC © 2013 SAP AG or an SAP affiliate company. DC=org denisesmith@domain. OU=BI ADM.email" User Name Padding (optional) Padding For="(AUTH:USERID)" Padding Character="0" Padding Length=12 Maximum Length=14 Certificate creation Common Name="(PADDEDNAME)" Organizational Unit Name ="BI ADM" Organizational Name="" Locality="" Country Name="" Appendix Subject Name="(AUTH:DCS)" Certificate Distinguished Name Subject Alternative Name (RFC822 Name)="(LDAP:email)" ( PADDEDNAME) [email protected] main. DC=org" "denisesmith@mail. DC=domain.org 0denisesmith "0denisesmith" "BI ADM" "DC=domain. org PolicyConfigurationsNam (AUTH:USERID) e="<client_authentication (AUTH:UPN) _profile>" (AUTH:DCS) LDAP User Name Mapping (optional) userNameMappingLDAP SearchAttributeName="s AMAccountName" userNameMappingLDAP SearchAttributeValue="( AUTH:USERID)" (LDAP:userPrincipal) (LDAP:name) Denise Smith userNameMappingLDAP (LDAP:email) Attributes="userPrincipal . Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server . DC=org" "CN=0denisesmith.Table 17: Overview of User Distinguished Name Configuration Action Authentication Configuration Result Variable(s) Result Values denisesmith denisesmith @domain.name.org DC=domain. DC=org" Moreover.org" "[email protected]" Result The certificate you created with this configuration has the following Distinguished Name: "CN=0denisesmith. You can use the field Appendix Subject Name in the Certificate Attribute Configuration section of Management certificate. User Certificate Configuration Client for this. The users are located in different trusted Microsoft Active Directory domains. DC=domain. 125 . Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. Caution Since the user IDs may be identical in the subdomains.domain. Secure Login Server.6.Action Configuration Subject Alternative Name (Principal Name)="(LDAP:userPrinc ipal)" Result Variable(s) Result Values "denisesmith@domain . the Secure Login Server must ensure that nonambiguous certificates are issued. All rights reserved.1. OU=BI ADM. the certificate contains the following subject alternative names (RFC822 and principal name): "denisesmith@mail. You want to use Secure Login Client. It allows you to customize the Distinguished Name of a Use one of the following variables for the Common Name field: Variable (AUTH:USERID) (AUTH:UPN) (AUTH:DCS) Prerequisites Description User name only User principal name All domain components are displayed.6 Configuring a Distinguished Name with Active Directory Server and SPNego Login Module This topic describes the configuration of Distinguished Names for users in different trusted domains. and the SPNego login module for certificate enrollment.org" 4.1. Thus it adds the domain components to the subject names. example. Choose Edit. Choose the User Certificate Configuration tab.example.com CN=smith.DC=example.com). You have a Microsoft Active Directory environment.DC=sub2. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server . Go to Client Management. 2.com and one in sub2.DC=sub1. 4.DC=com" Display of the domain components Example Variables with Output of Domain Components Result If there are different users called Smith in two subdomains (one in sub1.example. the following Distinguished Name is used: (AUTH:USERID) (AUTH:UPN) (AUTH:DCS) CN=smith CN=smith@example. the following Distinguished Names are used: Common Name with(AUTH:UPN) CN=smith@sub1. enter data for common name.example.DC=com CN=smith. you can set any valid Distinguished Name attribute as static part of the Distinguished Name.com Common Name with (AUTH:USERID) Appendix Subject Name with (AUTH:DCS) CN=smith. If there are two users in different domains.DC=example. 3. Enter the values with the data as required. 5. Procedure 1. 126 PUBLIC © 2013 SAP AG or an SAP affiliate company.com [email protected] logs on. Select the relevant client authentication profile.DC=example.DC=com Example In addition to this. Expand the Certificate Attribute Configuration tray. See the following examples: Example Values for Appendix Subject Name Result If a user smith@example. organization. and country. All rights reserved. For example. you must output the domain components in the Distinguished Name. 6.● ● You use the SPNego login module in the Secure Login Server. OU=HR. 3. OU=HR.example. O=SAP.7 Testing Your User Certificate Configuration After having configured the user certificate. OU=HR. Start the Secure Administration Console.Values for Appendix Subject Name Result With different users called Smith in two subdomains (sub1. 2. C=DE 7.com) CN=AUTH:UPN.example. 127 .com and sub2. C=DE CN=smith@sub1. C=DE CN=smith@sub2. Note Use Appendix Subject Name to configure a Relative Distinguished Name. Go to the Client Management tab.example. we recommend that you test the configuration. O=SAP.com. O=SAP. 1.com. Go to the Certificate Attribute Configuration section. Enter the relevant values. Choose the client authentication profile of which you want to test the certificate attribute configuration.6. Save your entries.example. 4. Choose Edit. 6. All rights reserved. Example Table 18: Certificate Attribute Configuration Parameter for Certificate Attribute Configuration Value for Certificate Attribute Configuration n Common Name Country Name Organizational Name (AUTH:UPN) DE ARAdev Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. you must enter the User Principal Name for testing. Note If the current client authentication profile runs with SPNego or Active Directory. 4.1.1. 5. Example User Principal Name: dsmith@domain. If the SAP user name is stored in the Microsoft Active Directory. for example. from a Microsoft Windows domain) are not the same. Enter your user name in the User Name field. Without certificate user mapping the Secure Login Server would create a user certificate with the Distinguished Name CN=UserADS. 8. in the attribute AUTH:USERID. a situation may occur in which these users are able to 128 PUBLIC © 2013 SAP AG or an SAP affiliate company. Caution Do not use certificate user mapping together with a configured Distinguished Name with SPNego.org. The advantage of having the SAP user name in Distinguished Name is easier configuration in the SAP NetWeaver ABAP/Java Server environment (user mapping configuration).OU=BI ADM. enter only the user ID. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server .org User ID: dsmith 9.6.2 Restrictions of Certificate User Mapping This section describes how to configure the use of an attribute from an LDAP or Microsoft Active Directory Server instead of the user name given by the client. the Secure Login Server can read this attribute and create a user certificate with the Distinguished Name CN=UserSAP. enter the User Principal Name to test. Choose Test. 4. through a self-service). For more information.C=DE The test output displays the common name as it appears in the certificate. This may be useful if the SAP user names and the authenticated user names (for example. Go to the Configuration Check section. Otherwise.O=ARAdev. see related link. All rights reserved. Caution If users change their own attributes (for example.Parameter for Certificate Attribute Configuration Value for Certificate Attribute Configuration n Organizational Unit Name BI ADM 7. You get the following test output: CN=dsmith@domain. Example The Microsoft user name is "UserADS" and the SAP user name is "UserSAP". If the current profile is SPNego or Active Directory.1. and these attributes are used by the user certificate (issued by the Secure Login Server). the generation of user certificate Distinguished Names. If you use use mapping (for LDAP and Microsoft Activce Directory servers). his or her manager’s e-mail address (manager@company. the user certificate configuration refers to this destination name. If the certification user mapping feature of the Secure Login Server is configured with the e-mail address as an attribute of the certificate.com. and user logon ID padding. first name. Example An AS ABAP uses.6. provider language etc. Since this data is usually maintained centrally. The string in the certificate has the following format: [email protected] additional rights to themselves. see related link. for example. 4. you must fill these parameters. For more information on the destination management parameters. for example.com This means that the user’s e-mail address is used for the user mapping in SNC. The following types are available: ○ ○ 2. and the ID of the destination. For more information. this change would also affect the Secure Login Server. see related link. This user is now able to log on to the AS ABAP as his or her manager. (Optional) If you use user logon ID mapping. If an administrator enables the user to change his or her own data. last name etc. certificate-based logon with the users’ e-mail addresses in the Distinguished Names. e-mail address. the type. Related Information Parameters for Destination Management Configuration [page 189] Configure destinations if you use LDAP or RADIUS login modules or user logon ID mapping.com) as attribute. For this case. Enter the details of the destinations. through a selfservice. User Mapping in Secure Login Server [page 119] This topic and the following topics deal with user mapping. Thus these users might get rights they are not supposed to have. They only apply to LDAP or Microsoft Active Directory servers. This tab contains the name of the name. 129 . 1. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company.2 Configuring a Destination in Secure Login Server This topic explains how you configure destination for LDAP or RADIUS login modules. this user now has the possibility to enter. All rights reserved. port number. for example. LDAP destination RADIUS destination Go to the Settings tab. The prerequisite is that the SAP user name is stored in the LDAP or Microsoft Active Directory system. we recommend that you implement access restrictions for the change of user attributes. 3. such as IP address and host name. Certificate user mapping depends on the Secure Login Server user credential check against the authentication server. Go to the General tab. Related Information Configuring a Distinguished Name with Active Directory Server and SPNego Login Module [page 125] This topic describes the configuration of Distinguished Names for users in different trusted domains. the user receives a certificate with the Distinguished Name CN=manager@company. 4. You can also store user certificates in the user's User Management Enging (UME) after successful authentication. The certificate requests are stored as PKCS#10 files. take the following steps: 130 PUBLIC © 2013 SAP AG or an SAP affiliate company. for example for later auditing. Moreover you can also store user certificates in the user's User Management Engine (UME) entry after successful authentication. If you activate the checkbox Archiving Folder Path. the Secure Login Server does not create archive files for invalid or failed authentication attempts because the client does not receive a valid Kerberos ticket. Exceptions If you use the SPNego login module. If you want to use archiving. Prerequisites The file system has the required space.5 KB) have an overall size of about 3 KB. activate the UME Propagation checkbox. Both options are available as well. Issued Certificates. To do so. The Secure Login Server stores certificate requests (for successful and unsuccessful authentication) and the respective certificates (for successful authentication only) in the archiving directory as Base64-encoded files. 4. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server . In this case the client does not create a certificate request either. and user certificates in a separate folder or in the UME. and User Certificates This topic deals with settings for archiving certificate requests.6.1 Configuring Archiving Certificate Requests and Issued Certificates This configuration allows the user to specify where to store archived certificate requests and issued certificates as well as writing the user certificate to the user's UME entry after successful authentication. All rights reserved. you can log all certificate requests and the issued certificates as files on a file system. issued certificates. or go to other buildings). Example: In an organization with 1000 employees at minimum 1000 certificate requests occur per day. Employees log on and off several times during the day. After having decided to use archiving of certificate requests and responses you must provide a file system with ample space. A certificate request (about 0. have breaks.3 Archiving Certificate Requests. so the number of files is usually considerably higher (the employees go to meetings.6. You can store archived certificate requests and issued certificates either in a special directory configured by you.5 KB) and the certificate (about 2. whereas the responses are stored as PKCS#7 files. This amounts to 2000 files (for requests and issued certificates) that are stored every day.3.4. com/securelogin. Syntax [<timestamp>][<profile_ID>][<user_name>][<client_ID>_<port>] [<SAP_NetWeaver_instance_number>]. 5.com:50001/webdynpro/resources/sap.3.com/securelogin.p10 Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. a) Enter the path of the archiving directory according to the syntax that conforms with your operating system: Example c:\cert_archive 7.ext This is an example of an archived file for a certificate request (PKCS#10 format): Example for a certificate request [20130731152533534][b56b62e6-10b5-9176-9b79-5a1faab4448d][jarmstrong] [10. Go to the User Certificate Configuration tab.69.ui/Main 2. see the SAP Help Portal under Help 8.298. The URL for the UME propagation is https://<host_name>:<port>/sbs/docs/DOC-66034.176_49633][ABC_00]. Among other things.6. they identify the client authentication profile. The file names of the PKCS#10 (for certificate requests) and PKCS#7 files (for certificates) stored in the archiving are generated by the system. https://<host_name>:<port>/webdynpro/resources/sap. (Optional) Activate UME Propagation to write the user certificate to the user's UME entry after successful authentication. It is mandatory to specify an archiving directory in the next field. 4. Open the Secure Login Administration Console.1. 3. 4. 131 . the time. Go to Client Management Select a client authentication profile from the list.ui/Main or https://<host>:<port>/slac Example https://example. (Optional) Activate Enable storing of archiving certificate. the user. Function-Oriented View Security Identity Management Server Java User Management Engine Application User Management of the Application Save your changes. For more information on the User Management Engine (UME).2 Structure of the Archive Files This topic explains the structure of the archive file names. All rights reserved. and the instance of the SAP NetWeaver system. Expand the User Certificate Storage tray. 6. 4. It displays whether the components that are necessary for Secure Login are currently available.p7c The file names consist of the following elements: File Name Element timestamp Description Timestamp with year. the user name of the certificate request (in the PKCS#10 file) is always kerberos_. hours. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server .176_49633][ABC_00]. However. it is not possible to get the user name from an SPNego Kerberos authentication.298. month.69. All rights reserved. p7c Extension for PKCS#7 files for archived certificates. seconds. minutes. File extension: ● ● p10 Extension for PKCS#10 files for archived certificate requests. The following sections are available: ● User Authentication The Secure Administration Console checks whether the policy configuration names of all client authentication profiles are available in Authentication and Single Sign-On of SAP NetWeaver Administrator. This feature displays the status of the system configuration. day. the file name of the respective certificate (PKCS#7 file) contains the correct user name.6. In this case. Port of the client Instance of the SAP NetWeaver where the Secure Login Server is installed.Example for a certificate file [20130731152533534][b56b62e6-10b5-9176-9b79-5a1faab4448d][jarmstrong] [10. IP of the client that sends the certificate request. Format: yyyymmddhhmmssmm profile_ID user_name Client authentication profile ID User name of the user who authenticated or tried to authenticate. and milliseconds. The green 132 PUBLIC © 2013 SAP AG or an SAP affiliate company.4 Checking the Availability of Secure Login Server Configuration This section describes the System Management tab of the Secure Login Administration Console. client_IP port SAP_NetWeaver_instance_number ext Note For technical reasons. 5. The responsible client authentication profile for the chosen client profile is used.509 user certificates. If a Public Key Infrastructure (PKI) is available. the Secure Login Server provides a user certificate to the Secure Login Client or Secure Login Web Client. If the indicator is red. Start Secure Login Client or Secure Login Web Client. If you choose this link. and destinations. The client authentication profile are assigned to policy configurations in an authentication stack. which contains login modules. After successful configuration of client authentication profiles. the Secure Login Server can be integrated. If the indicator is red. To provide X.indicator means that the configuration is correct. the Secure Login Server requires a User CA certificate which needs to be provided by the PKI. The authentication work process takes place as follows: 1. 2. 4. 4. If you choose this link. check whether the user CA which is selected in client authentication profile is available. Login modules are configured in SAP NetWeaver Administrator. Green means that the PKI structure is available and correct. 4. You can use the existing PKI to create the certificates for the SSL server and the SAP NetWeaver Application Server. PKI Structure If the indicator of PKI Structure is yellow. The Secure Login Server sends the user credentials to the authentication server. ● 4. make sure that your PKI has a user CA. certificate management. A login module establishes a connection to the authentication server.7. you access the SAP NetWeaver Administrator where you can check the configuration. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. Choose the desired client profile and enter your user name and password. 3. ● Security Check This section checks whether SSL is configured correctly. All rights reserved. 133 .7.7 Configuration Examples This section describes some configuration examples for Secure Login Server. the Secure Login Client or Secure Login Web Client can be used to verify communication to the authentication server.2 Integrate into Existing PKI You can use the existing PKI to create the certificates for the SSL server and the SAP NetWeaver AS. you access the SSL configuration in SAP NetWeaver Administrator. If the response is successful. you must change your configuration.1 Verify Authentication Server Configuration This topic shows you how to verify the communication to the authentication server. 1. choose Import. 4. 3. To import the certificate file. 6. fill the relevant mandatory fields. and the option Import Certificate. Typically the file is provided in P12 or PSE format. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server . Go to Certificate Management. All rights reserved. To import your certificate. Restart the Secure Login Server application. 7. 5.3 High Availability and Failover for Secure Login Server and Secure Login Client You want to ensure high availability of the Secure Login Server. This means all public certificate information of the chain should be provided. Select USER_CA. Choose the Import Certificate button. Certificate Attribute Version Asymmetric Algorithm Key Usage Details V3 RSA Algorithm Digital Signature Non-Repudiation Key Encipherment Data Encipherment Certificate Signing Off-line CRL Signing CRL Signing Basic Constraints Subject Type=CA Path Length Constraint=None Note The user CA certificate should include the complete certificate chain. 8. 4. Choose User CA as CA type. 134 PUBLIC © 2013 SAP AG or an SAP affiliate company.7. 2.The following certificate attributes are required for the user CA certificate. Import the user CA certificate using Secure Login Administration Console. Log on to the Secure Login Administration Console and import the PSE or P12 file in Certificate Management. Go to the Enrollment URL section. see related link. The Secure Login Client or Secure Login Web Client goes through the enrollment URLs and checks which one it can use to authenticate.7. You can also ensure failover for the Secure Login Client by using Secure Login Server(s) with multiple enrollment URLs. Concept Install and run several Secure Login Servers on different AS Java servers acting as failover servers. Configure the enrollment URL for Secure Login Client. You can also use one Secure Login Server and add multiple enrollment URLs. Choose the Add button to add other enrollment URLs to a failover Secure Login Server. For example. Thus you provide high availability. Use Case You want to ensure high availability of the Secure Login Server. Configuration 1. 3. Install a Secure Login Server per Application Servers Java. This is where the Secure Login Client checks which path to use. 4. For more information. Log on to the Secure Login Administration Console. Client Management Client Authentication Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company.1 Configuring Secure Login Servers as Failover Servers for High Availability It makes sense to configure failover connections for high availability to avoid that a client cannot authenticate. see related link. 135 .For example. For more information. For more information. see related link. Application Server Application Server Java AS Java Cluster Technical System Landscape Architecture or AS Java 4. see SAP Help Portal in the SAP NetWeaver Library: Function-Oriented View under Administering Application Server Java Architecture .3. another AS Java with a Secure Login Sever is still running. 2. If an AS Java with a Secure Login Sever fails. Related Information Configuring Secure Login Servers as Failover Servers for High Availability [page 135] It makes sense to configure failover connections for high availability to avoid that a client cannot authenticate. Choose the relevant client authentication management in Profile Secure Login Client Settings . For more information about the parameter Enrollment URL. Using SAP NetWeaver AS Java instances running in the AS Java cluster architecture you make sure that (at least some of) your Secure Login Servers are running and provide high availability for Secure Login Client. you want to make sure that users are able to authenticate even if an authentication server for a configured authentication method is not available. 6. We recommend that you maintain this failover configuration in all Secure Login Servers you use. Save your entries. it goes to the next Secure Login Server that is specified in the list. The URLs of the Secure Login Servers that are available are listed in the Enrollment URL parameter of the client policy. If the first Secure Login Server is down. All rights reserved. 5. you want to prevent that the Secure Login Client sends a certificate request and does not get a response. You must make sure that the Secure Login Severs your clients are connected to continue to run. Related Information Setting the Enrollment URL for Secure Login Client [page 114] During a migration, you must adapt the protocol of the enrollment URL in Secure Login Server. 4.7.3.2 Configuring Login Module Stacks as Failover Servers in SAP NetWeaver Failover servers ensure high availability of the login modules. Use Case For example, you want to make sure that users are able to authenticate even if an authentication server for a configured authentication method is not available. Concept Install and run authentication servers of the same type, for example two LDAP servers, in different networks acting as an authentication failover solution. The authentication logic of the Secure Login Server is handled by login modules. Several login modules of the same kind are put into authentication stacks. These login modules are configured to run with different authentication servers and have, for example, different IPs. When an authentication request comes in, the Secure Login Server tries to use all configured login modules until it gets to an authentication server that is online and returns an authentication result. If, for any reason, the login module on top of the stack does not respond, the Secure Login Server sends its authentication request to the next login module in the stack and expects it to process the authentication request. This behavior does not depend on the flag (SUFFICIENT, REQUISITE, OPTIONAL, or REQUIRED) set for the login module (in the policy configuration of SAP NetWeaver Administrator). For more information, see the SAP Help Portal and choose Library Function-Oriented View Security Infrastructure Authentication on the AS Java Application Help SAP Library SAP NetWeaver User Authentication and Single Sign-On Login Modules . Authentication Limitations SAP NetWeaver Single Sign-On 2.0 only supports failover if you configure the authentication stacks in SAP NetWeaver Administrator using the following login modules: ● ● ● LDAP login module RADIUS login module ABAP login module 136 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server Note Put only login modules of the same kind into the authentication stack. We do not support the use of different login modules (mixed authentication types). 4.7.4 ● ● ● ● 1. 2. 3. 4. 5. 6. 7. Kerberos Authentication with SPNego In this configuration example, the user authentication is verified against a Microsoft Windows domain. Secure Login Server is installed and the initial wizard has been completed. In Certificate Management at least the User CA is available. To use HTTPS, you must enable SSL on the SAP NetWeaver server. You have configured and enabled SPNego on SAP NetWeaver Administrator. Log on to the Secure Login Administration Console and choose Client Management. Go to User Certificate Configuration and check whether a user CA is available in this User Certificate Issuer section. Configure your Secure Login Client Settings. For more information, see related links. For Secure Login Web Client Settings, see Creating a Profile Group of Client Authentication Profiles [page 31]. Go to Profile Groups. To add the default SPNego client authentication profile, choose Add. If you use the Secure Login Client, distribute the policy URL to the clients, for example by downloading the policies using the Download Policy button. For more information, see related link. Choose this profile in the Secure Login Client, and an X.509 certificate is provided without further user interaction. After a successful authentication, an X.509 user certificate is provided. This user certificate is available in the Microsoft Certificate Store (User Certificate Store). 8. If you use the Secure Login Web Client, log on with the corresponding profile URL. Related Information Applications and Profiles [page 167] The policy downloader and/or the profile groups provide the Applications and Profiles configuration to the Secure Login Client using ProfileGroup_<profile_group_name>.reg and ProfileDownloadPolicy_<profile_group_name>.reg. Parameters for Client Configuration [page 173] This topic contains the client configuration parameters. Downloading Policies from the Secure Login Server [page 31] 4.7.4.1 Enabling Kerberos Authentication with SPNego for Secure Login Web Client Kerberos authentication is also possible for Secure Login Web Client. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. 137 You use the default SPNego client authentication profile as a template to create your own SPNego client authentication profile, but you must change the client type to Secure Login Web Client profile. 1. 2. 3. 4. 5. 6. 7. Log on to the Secure Login Administration Console and choose the node Client Management. Verify whether the authentication mechanism in Client Authentication Profile is configured correctly. Select the default SPNego client authentication profile. Choose Copy to New Profile. Enter a name for your new client authentication profile. Set the type of the new authentication profile to Secure Login Web Client Profile. For more information, see related link. Related Information Kerberos Authentication with SPNego [page 137] In this configuration example, the user authentication is verified against a Microsoft Windows domain. 4.7.5 LDAP User Authentication In this configuration example, the user authentication is verified against a Microsoft Active Directory System or LDAP server. ● ● ● 1. 2. 3. 4. 5. 6. 7. 8. 9. Secure Login Server is installed and the initial wizard has been completed. In Certificate Management at least the User CA is available. To use HTTPS, you must enable SSL on the SAP NetWeaver AS Java. Log on to the Secure Login Administration Console and choose the Client Authentication Profile tab. Choose User Certificate Management and check whether a user CA is available. Choose a user CA. If you use Secure Login Client, choose Client Management and configure the client policy. For Secure Login Web Client Settings, see Creating a Profile Group of Client Authentication Profiles [page 31]. Go to Profile Groups. Choose the profile group that contains the relevant client authentication profile. Choose the Download Policy button. This export the files ProfileGroup<profilegroup>.reg and ProfileDownloadPolicy<profilegroup>.reg. Export the client policy which is used for the Secure Login Client installation. Create an LDAP destination. For more information, see related link. This LDAP destination must exist in the SAP NetWeaver Administrator. 10. Define the connection parameters for the login module SecureLoginModuleLDAP. For more information, see related link 11. Install the Secure Login Client application on the client PC. Import the files ProfileGroup<profilegroup>.reg and ProfileDownloadPolicy<profilegroup>.reg to the client registry. Verify whether the certificate chain (trust relation) of the SSL server certificate is in the Microsoft Certificate Store (Computer Certificate Store). Import missing certificates. 12. Restart your client PC. 13. In the Secure Login Client, the profile defined in Client Authentication Profile is displayed in Secure Login Client Console. Choose this profile and enter the user name and password (Active Directory System or LDAP server). 138 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server After successful authentication, an X.509 user certificate is provided. This user certificate is displayed in the Secure Login Client Console and is available in the Microsoft Certificate Store (User Certificate Store). 14. If you use the Secure Login Web Client, log on with the corresponding profile URL. Related Information Importing LDAP Server CAs or Certificates into the SAP NetWeaver Key Storage [page 139] You establish a trust relationship with your SAP NetWeaver Application Server by importing CAs or certificates into the Key Storage. Creating Destinations in Secure Login Administration Console [page 113] Parameters for LDAP Login Modules [page 178] This table contains an overview of the parameters you can set for LDAP login modules. 4.7.5.1 Importing LDAP Server CAs or Certificates into the SAP NetWeaver Key Storage You establish a trust relationship with your SAP NetWeaver Application Server by importing CAs or certificates into the Key Storage. To establish a trust relationship with the SAP NetWeaver Application Server, you import your CA certificate of the LDAP server into the Key Storage of SAP NetWeaver Application Server. Take the following steps: 1. 2. 3. 4. 5. Start SAP NetWeaver Administrator. Go to the Configuration tab. Choose Views in Certificates and Keys. Select Key Storage. Select the Key Storage view TrustedCAs. You display the details of the TrustedCAs view in the View Entries tab. 6. 7. 8. 9. Choose Import Entry. Select the file format of your CA or certificate. Browse to your file. To import your file, choose Import. You have now established a trust relationship by having imported CAs or certificates files. For more information, see the SAP Help Portal under Security Security System Security SAP NetWeaver Library: Function-Oriented View Using the AS Java Key Storage . System Security for AS Java Only 4.7.6 SAP User Authentication In this example, you configure that users automatically get X.509 certificates when they are logged on to a Microsoft Windows domain. ● Secure Login Server is installed and the initial wizard has been completed. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. 139 ● ● ● In Certificate Management, at least the user CA is available. To use HTTPS, enable SSL on SAP NetWeaver Application Server. An SNC library is installed. For more information, see related link. Take the following steps: 1. 2. 3. 4. 5. 6. 7. 8. 9. Verify whether the authentication mechanism in the client authentication profile is configured correctly. SecureLoginDefaultPolicyConfigurationABAP. Create a destination with an RFC destination value in the SAP NetWeaver Administrator. For more information, see related link. Choose Certificate Management and check if a user CA is available for this client authentication profile. Choose a user CA. Choose Client Management and configure the client policy. Go to User Certificate Configuration. Configure your Secure Login Client Settings. For more information, see related links. For Secure Login Web Client Settings, see Creating a Profile Group of Client Authentication Profiles [page 31]. Go to Profile Groups. Choose the profile group that contains the relevant client authentication profile. ProfileDownloadPolicy<profilegroup>.reg. 11. Export the client policy which is used for the Secure Login Client installation. 12. Create an LDAP destination. For more information, see related link. This LDAP destination must exist in the SAP NetWeaver Administrator. 13. Define the connection parameters for the login module SecureLoginModuleABAP. For more information, see related link 14. Install the Secure Login Client application on the client PC. Import the files ProfileGroup<profilegroup>.reg and ProfileDownloadPolicy<profilegroup>.reg to the client registry. Verify whether the certificate chain (trust relation) of the SSL server certificate is in the Microsoft Certificate Store (Computer Certificate Store). Import missing certificates. You can also use Secure Login Web Client. 15. Restart your client PC. 16. In the Secure Login Client, the profile defined in Client Authentication Profile is displayed in Secure Login Client Console. Choose this profile and enter the user name and password (AS ABAP). After successful authentication, an X.509 user certificate is provided. This user certificate is displayed in the Secure Login Client Console and is available in the Microsoft Certificate Store (User Certificate Store). 17. If you use the Secure Login Web Client, log on with the corresponding profile URL. Related Information Secure Login Library Installation [page 47] This topic explains how to install Secure Login Library. Secure Login Client Installation [page 22] This section explains the installation and the installation options of the Secure Login Client. Creating a Destination with an RFC Destination Type [page 141] 10. Choose the Download Policy button. This exports the files ProfileGroup<profilegroup>.reg and 140 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server 7. An RSA Authentication Manager (with a RADIUS server) is installed and running. see Parameters for RADIUS Login Modules [page 180]. Go to Destinations. For more information. Verify whether the RADIUS destination of the client authentication profile is configured correctly.. 4. In the RADIUS Server.7 ● RADIUS User Authentication In this configuration example. It communicates with the Secure Login Server through its RADIUS protocol using its own RADIUS server. You must enter this name in the Login Module options in Secure Login Administration Console.. configure Radius Client for Secure Login Server. Enter a destination name. The Secure Login Server supports new SecurID PINs and the next token code of RSA SecurID tokens. ● ● 1. 3. 6. Choose User Certificate Configuration and check if the a user CA is available in this User Certificate Issuer section. Choose this profile and enter the user name and password (RADIUS user database). For more information. If you use the Secure Login Client and you have downloaded the policy for he relevant client authentication profile. For Secure Login Web Client Settings. Secure Login Server is installed and the initial wizard was completed.1. see the corresponding RSA Authentication Manager documentation. see related links. 6. Continue with Next and follow the steps of the destination wizard SAP NetWeaver Administrator. the user authentication is verified against a RADIUS server.6. the defined profile appears in Secure Login Client Console. For more information about the parameters for RADIUS. 4. Install the Secure Login Client application on the client PC (see Secure Login Client Installation [page 22]) or use Secure Login Web Client. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server PUBLIC © 2013 SAP AG or an SAP affiliate company. 5. 4. Creating a Destination with an RFC Destination Type Start the SAP NetWeaver Administrator. 8.7. Configure your Secure Login Client Settings.4. 5. The versions currently supported are 6..7.1 and 7. This means that the Secure Login Server can establish communication to the RADIUS Server. Verify in SAP NetWeaver Administrator whether the policy configuration for RADIUS authentication was set up correctly. 7. Log on to the Secure Login Administration Console and choose a client authentication profile. In Certificate Management at least the User CA is available. Choose Create. 3.1 1. 2. Choose the destination type RFC Destination. All rights reserved. see Creating a Profile Group of Client Authentication Profiles [page 31]. 2. Use the Shared Secret for this connection. 141 . Open the Secure Login Administration Console.ini server message file manually.1 Using a Customer-Specific securid. 3. b) Import the securid. Related Information Parameters for Client Configuration [page 173] This topic contains the client configuration parameters. proceed as follows: a) Enter the required values in the parameters of the Advanced Configuration for RSA Authentication section. 7. Choose the Edit button. an X. log on with the corresponding profile URL. 8. All rights reserved. 5. You can import or configure the customer-specific securid.ini server message file in the RADIUS destination of the Secure Login Administration Console. Save your changes. If you use the Secure Login Web Client. Select a destination with the type RADIUS Destination. 2.7. 6.ini Server Message File This topic describes how you provide a server message file for RSA authentication to a RADIUS destination.ini server message file that has already been customized. 1. This user certificate is displayed in the Secure Login Client Console and is available in the Microsoft Certificate Store (User Certificate Store). Related Information SAP Help Portal for Enhancement Package 3 for SAP NetWeaver Application Server release 7. Parameters for Secure Login Web Client Configuration [page 176] This topic contains the Secure Login Web Client configuration parameters.0 Choose Security Application Help SAP Library SAP NetWeaver Library SAP NetWeaver by Key Capability Login Modules and Login User Authentication and Single Sign-On Authentication on the AS Java Module Stacks 142 PUBLIC © 2013 SAP AG or an SAP affiliate company. Expand the Advanced Configuration for RSA Authentication section in the Settings tab below the list of destinations. If you want to use your own securid.509 user certificate is provided. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Server .ini file.After successful authentication. If you want to enter the parameters for the securid. 4. proceed as follows: a) Use Import Server Message File to browse to your file. Go to the Destination Management tab. 4.7. 9. 1. Kerberos Setting for Kerberos Profile [page 149] Kerberos Setting for SPNego Profile [page 150] 5. see the related links. PCSC Settings [page 145] PCSC settings refer to the use of smart card readers.1. Related Information Common Settings [page 143] This table contains the common settings in the registry for the Secure Login Client.1 Common Settings This table contains the common settings in the registry for the Secure Login Client. CAPI Settings [page 145] This table refers to the CAPI setting from third-party Cryptographic Service Providers.)..1 Parameter Overview for Secure Login Client 5.5 Parameter Reference 5...) or in the client workstation (HKEY_LOCAL_MACHINE\SOFTWARE\. All rights reserved. The configuration is either located in the user (HKEY_CURRENT_USER\SOFTWARE\.1.. 143 .1 Registry Configuration Options This section describes further configuration options in registry for the Secure Login Client. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. ● ● ● ● ● Common settings PCSC settings CAPI settings Kerberos settings for Kerberos profile Kerberos settings for SPNego profile For more information. set the value 0. All rights reserved. Possible values are: ar_SA Arabic (Saudi-Arabia) de_DE German. To display the tray icon. set the value1. To hide the tray icon.Table 19: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common] [HKEY_CURRENT_USER\SOFTWARE\Policies\SAP\SecureLogin\common] Parameter Locale Type STRING Description Language setting for Secure Login Client. Use this parameter for customizing. TrustDB STRING Use this option to define where Secure Login Client searches for trusted root certificates. The default setting is that the tray icon is displayed. (Germany) en_US English (USA) es_ES Spanish (Spain) fr_FR French (France) hi_IN Hindi (India) it_IT Italian (Italy) ja_JP Japanese (Japan) pt_BR Portuguese (Brazil) ru_RU Russian (Russia) tr_TR Turkish (Turkey) zh_CN Simplified Chinese (China) HideTrayIcon DWORD Use this option to remove the Secure Login Client tray icon. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference . The following values are possible: capi(default) Get trust from Microsoft Certificate Store token 144 PUBLIC © 2013 SAP AG or an SAP affiliate company. The language is usually automatically recognized. Default value is <install_path>/ etc.Parameter Type Description Use root certificates on tokens Get trust from files (. The default value is <empty> (do not disable any PCSC smart card reader). This option is evaluated after IgnoredReadersPattern. AllowedReadersPattern STRING Use this option to use only some specified PCSC smart card readers.p7c.Wildcards (* and ?) are allowed.crt.1. Table 20: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\pcsc] [HKEY_CURRENT_USER\SOFTWARE\Policies\SAP\SecureLogin\common\pcsc] Parameter IgnoredReadersPattern Type STRING Description Use this option to disable some PCSC smart card readers.1.3 CAPI Settings This table refers to the CAPI setting from third-party Cryptographic Service Providers.res). 5. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company.…) in a single directory ResourcePath STRING Use this option to specify an alternate location for the language files (. 145 .1. You can specify multiple patterns by separating the patterns with.1. or. The options in this section allow you to select which PCSC smart card readers are used or ignored. 5. All rights reserved. all readers are used (same as *). The default value is * (use every PCSC smart card reader) Important: If you use an empty string ‘’.2 PCSC Settings PCSC settings refer to the use of smart card readers.. Example: O=My Org Unit CAPIFilterExcludeIssuerDN STRING Use this option to disable certificates that have an issuer’s Distinguished Name that contains CAPIFilterExcludeSubjectDN. All rights reserved.The options in these sections allow you to select which certificates from third party Cryptographic Service Providers may be used. CAPIFilterIssuerDN STRING 146 PUBLIC © 2013 SAP AG or an SAP affiliate company. Example: (Microsoft) Use only certificates provided by CSPs from Microsoft CAPIFilterValidOnly DWORD Use this option to use only certificates that are valid (issued in the past and not expired). Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference . Use this option to use only certificates that have an issuer’s Distinguished Name that contains CAPIFilterIssuerDN. Table 21: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\capi] [HKEY_CURRENT_USER\SOFTWARE\Policies\SAP\SecureLogin\common\capi] Parameter CAPIProviderFilter Type STRING Description Use this option to use only certificates provided by specific CSPs (the CSP name must begin with this string). Example: CN=Test CA CAPIFilterExcludeSubjectDN STRING STRING Use this option to disable certificates that have a subject Distinguished Name that contains CAPIFilterExcludeSubjectDN. Example: CN=My Companies CA CAPIFilterSubjectDN STRING Use this option to use only certificates that have a subject Distinguished Name that contains CAPIFilterSubjectDN. Parameter Type Description Example: O=Testing only CAPIFilterKeyUsage STRING Use this option to use only certificates that have a specific key usage. The CAPIFilterKeyUsage may contain the following strings (you can specify multiple strings) +KEYUSAGE Use only certificates that have the specified key usage. Where KEYUSAGE can be one of the following: dataEncipherment Data encipherment key usage digitalSignature Digital-Signature Key-Usage keyAgreement Key agreement key usage keyEncipherment Key encipherment key usage nonRepudiation Non-repudiation key usage cRLSign CRL signature key usage CAPIFilterExtendedKeyUsage STRING Use this option to use only certificates that have a specific key usage. The CAPIFilterExtendedKeyUsage may contain the following strings: Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. The syntax of this option is similar to CAPIFilterKeyUsage. 147 . -KEYUSAGE Do not use certificates that have the specified key usage. All rights reserved. 3.11) MicrosoftDocumentSigning (1.7) TimestampSigning (1.7.6.1.5.6.7.6.1.3.3.5.5) IpsecTunnel (1.1.3.311.5.7.6.Parameter Type Description +EXTKEYUSAGE Use only certificates that have the specified extended key usage -EXTKEYUSAGE Do not use certificates that have the specified extended key usage Where EXTKEYUSAGE can be one of the following: ServerAuthentication (1.6.3.3.5.4) MicrosoftEfsRecovery (1.5.5. If you have a CAPI token. for example 148 PUBLIC © 2013 SAP AG or an SAP affiliate company.1.311.5.5.3.1.1.1.3.3.6.6.20.1.7.3.1.5.10.5.2) inactivityTimeout DWORD Use this option if you want to configure that users are forced to log on for each SNC connection.3.4.1.3.5.1.311.6.311.3.3.311.1. All rights reserved.2) CodeSigning (1.4.6.3.3.10. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference .6.5.5.3.6.5.3.8) OcspSigning (1.3.1.3.7.3.7.3) EmailProtection (1.1) MicrosoftKeyRecovery (1.3.5.2.4.5.6.9) MicrosoftEfs (1.7.10.1.3.7.10.6) IpsecUser (1.1.3.4) IpsecEndSystem (1.1.3.4.12) MicrosoftSmartcardLogon (1.1.3.1.5.6.1.7.1) ClientAuthentication (1.4.5.4.3.6. 0 (default) Single sign-on 5.1.4 Kerberos Setting for Kerberos Profile You want to use Kerberos authentication that forces users to authenticate interactively. Since the Kerberos profile always enforces a logon. 149 . the token is logged out after a complete buildup of the SNC connection (with one or several private key operations). some always prompt the user for a password. All rights reserved. interactive authentication is required even if the users have already logged on to a Microsoft Windows domain. Possible values: Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. Users must always enter their Microsoft Windows credentials before a Kerberos-based SNC session starts.1. Note It depends on the third-party cryptographic service provider you use whether the inactive timeout is available. Table 22: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\Kerberos] [HKEY_CURRENT_USER\SOFTWARE\Policies\SAP\SecureLogin\common\Kerberos] Parameter SSOMode Type DWORD Description Use this option to configure the setting of the Kerberos profile of the Secure Login Client for SNC connection. Each SNC connection forces a new login.Parameter Type Description a smart card or a soft token. The following values are possible: ffffffff (equivalent to -1) No single sign-on. Some cryptographic service providers do not allow logout. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference . There is an automatic logon to the Secure Login Client Kerberos profile. Possible values: 0 The SNC connection uses the existing Microsoft Windows credentials. Table 23: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\Kerberos] [HKEY_CURRENT_USER\SOFTWARE\Policies\SAP\SecureLogin\common\Kerberos] Parameter SSOMode Type DWORD Description Use this option to configure the setting of the SPNego profile of the Secure Login Client for SNC connection. 1 Users are prompted for user name and password once to log on to an SNC session. All rights reserved. There is no automatic logon in the Secure Login Client profile. the Kerberos profile is grayed out. There is no automatic logon in the Secure Login Client profile. you must make the following settings in the Microsoft Windows Registry. the Kerberos profile is grayed out. 5.Parameter Type Description 0 The SNC connection uses the existing Microsoft Windows credentials.5 Kerberos Setting for SPNego Profile If you use the SPNego login module for Kerberos authentication. There is an automatic logon to the Secure Login Client Kerberos profile. After the Microsoft Windows logon.1. After logon to Microsoft Windows. 150 PUBLIC © 2013 SAP AG or an SAP affiliate company. 2 Users are always prompted for user name and password for every logon to an SNC session (no single sign-on).1. Parameter Type Description 1 Users are prompted for user name and password once to log on to an SNC session. 151 . the Kerberos profile is grayed out. 5. 5. The connection remains until the certificate expires. SSF profile Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. After the Microsoft Windows logon. After logon to Microsoft Windows. All rights reserved. 2 Users are prompted for user name and password once to log on to an SNC session (no single signon). The SNC connection remains until users logs off from their profiles.1. There is no autoenrollment with the certificate. Table 24: SSF User Configuration Parameter SSF-ID Description Define the Distinguished Name of the user certificate.1.2. the Kerberos profile is grayed out. Define the Secure Login Client profile. There is no automatic logon in the Secure Login Client profile. There is no automatic logon in the Secure Login Client profile.2 SSF Parameters for Digital Signatures SSF user configuration parameters for digital signatures The following table contains parameter for the SSF user configuration in SAP GUI. Example: CN=Username.1 SSF User Configuration The following table contains parameter for the SSF user configuration in SAP GUI. OU=SAP Security SSF-ID Part 2 Define an additional Distinguished Name of the user certificate. There are three options available. before a certificate is provided. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference .Parameter Description ● Use Secure Login Client Profile The desired certificate is used for SSF. ● Destination The RFC destination (logical destination) where the SSF RFC server program has been defined. Example: [reauth]toksw:mem://securelogin/ <profile_name> ● <empty> If no SSF profile is defined.2 Parameter Overview for Secure Login Library 5. see the SAP Help Portal. based on the Secure Login Client profile name.1 Parameters for Certificate Revocation Lists Parameter overview for the CRL tool The following parameter overview tables enable you to configure a tool for certification revocation lists. Note For more information.2. Example: toksw:mem://securelogin/<profile_name> Use Secure Login Client Profile and Reauthentication Adding the [reauth] option means that the user needs to authenticate again to the Secure Login Client profile. Enter the value SAP_SSFATGUI (SSF for digital signatures on the front ends). the SSF-ID can be used to search the certificate in Secure Login Client. 5. 152 PUBLIC © 2013 SAP AG or an SAP affiliate company. crl status crl list crl remove crl show crl store If you want to know how you can use the CRL command.xml.xml. For an Active Directory server. and ADS has to be configured in ldap. see the related link.2. If you want to know how to configure the CRL tool with pkix. 5.xml defines that CA certificates must have the BasicConstraint extension.5. the user must be a domain user. 153 . Related Information Downloading CRLs with the CRL Tool [page 82] The main function of the CRL tool is to enable you to download CRLs from the CRL distribution point and to make them available in the local cache \SECUDIR\dbcrls. Default: true Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company.1.1 CRL Tool Commands This is an overview of the CRL tool commands. specify its location with -u so that the CRL can be found during certificate verification. Shows the current status of the configuration and of the module Shows the CRLs currently located in the local cache Removes the CRL from the local cache Shows the content of a CRL file Stores a CRL in the local cache. If the certificates contain a CRL distribution point.xml. see the related link.2.xml The following table contains all parameters and parameter options that are available in pkix. Table 25: CRL Tool Commands Command crl get Description Downloads a CRL from a given CRL distribution point using a given URL (Web server or LDAP server). All rights reserved. The main function of the CRL tool is to enable you to download CRLs.2 Configuration Parameters of pkix.xml Parameter profile(with parameter options) accceptNoBCwithKeyUsage true/false Values Description CRL checking profile pkix. Table 26: Configuration parameters of pkix.1. for example to download CRLs. missing CRLs and certificates are being searched online. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference .). If the parameter acceptNoBCwithKeyUsage has the value false.xml. In this case. Default: false Location of dbcert and dbcris directories. the system checks whether certificates without the BasicContraints extension have the keyCertSign key usage.xml. they are accepted as CA certificates. 5.2. Default: NO certificatePolicies List of trusted certificate policy <trusted_certificate_policy_object_i object identifiers separated by a dentifiers> semicolon (.xml Parameter verification onlineaccess Values true/false Description If set to true. Default: false Specifies whether a CRL check uses a cache directory or a remote LDAP directory. Default: <PSE_directory> Defines the proxy if you use a proxy server for the CRL request. Related Information pkix.xml The following table contains all parameters and parameter options that are available in base.Parameter revCheck Values NO/CRL Description Enables/disables revocation checking. If you want to know how to configure the CRL tool with base. <host_name:port> Host name and port number of the proxy usepkicache true/false pkicachedir <directory_path> proxy(with parameter options) url 154 PUBLIC © 2013 SAP AG or an SAP affiliate company. the certificates are not accepted.3 Configuration Parameters of base.xml [page 84] In the configuration file pkix.1. Table 27: Configuration parameters of base. Default: noCheck noCheck/ Note If the parameter acceptNoBCwithKeyUsage has the value true. see the related link. you can configure whether a CRL check is used at all.xml. All rights reserved. 2. Table 28: Configuration parameters of ldap. name(with parameter options) escapedelimiter doublequote/backslash Distinguished Name Delimiters of the values.Parameter Values Description Note This parameter does not support proxy URLs.xml The following table contains all parameters and parameter options that are available in ldap. If you want to know how to configure the CRL tool with ldap.xml.xml. Default: doublequote Related Information base. see the related link. nettimeout <milliseconds> server(with parameter options) name 5. Default: no value Related Information ldap. Default: 40000 Network timeout in milliseconds. 155 . 5.xml [page 84] You can configure the cache and the verification of the CRL download in the file base.4 Configuration Parameters of ldap. All rights reserved. Default: 800 Definition of LDAP server used for CRL ADS Enter ADS if Active Directory is used as an LDAP server.xml [page 85] This configuration file is only relevant if you have an Active Directory environment.2 SNC Parameters for Secure Login Library SNC parameters for X.xml Parameter timeout Values <milliseconds> Description Timeout of the LDAP server in milliseconds.2.509 and Kerberos certificates in SAP NetWeaver Application Server ABAP Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company.xml.1. snc/data_protection/max snc/data_protection/min snc/data_protection/use snc/r3int_rfc_secure snc/r3int_rfc_qop 3 2 3 0 8 156 PUBLIC © 2013 SAP AG or an SAP affiliate company.509 certificate distinguished name. Microsoft Windows <Path>\SLL\sapcrypto. (transaction RZ10).509 Configuration Use these parametes to configure SNC in the SAP NetWeaver Application Server ABAP. In the following.509 Certificate Token p:<X.In the following tables. Table 29: SNC Parameters for Secure Login Library Parameter snc/enable Value 1 Activate SNC 0 Deactivate SNC snc/gssapi_lib Define the SNC library. you find an overview of the profile parameters you can use to configure the SNC parameters in SAP NetWeaver Application Server ABAP. OU=SAP Security Hint: If X.sl Solaris / Linux / AIX <Path>/SLL/libsapcrypto. All rights reserved.509_Distinguished_Name> Example: p:CN=ABC. This value is case sensitive.2.2. you find an overview of the profile parameters you can use to configure the SNC parameters in SAP NetWeaver Application Server ABAP.so snc/identity/as Define the SNC name of the SAP server’s security token. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference .509 certificate token and Kerberos tokens are used in parallel.dll HP-UX <Path>/SLL/libsapcrypto. X.1 SNC Parameters for X. define the X. (transaction RZ10) 5. dll HP-UX <Path>/SLL/libsapcrypto. 157 .2 SNC Parameters for Kerberos Configuration SNC parameters for AS ABAP Table 30: SNC Parameters for Secure Login Library Parameter snc/enable Value 1 Activate SNC 0 Deactivate SNC snc/gssapi_lib Define the SNC library.2. 0 Disallow insecure communication Use this value only if secure communication is to be allowed only (no insecure communication) for SAP GUI. All rights reserved. If you want to enforce higher security.sl Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company.Parameter snc/accept_insecure_cpic snc/accept_insecure_gui Value 1 1 Accept insecure communication Use this value if both insecure and secure communication is to be allowed for SAP GUI. We recommend that you set this value to 1.2. change this value to 0 (for all) or U (user dependent). Microsoft Windows <Path>\SLL\sapcrypto. U User-defined (User Management SU01) Use this value if insecure or secure communication for SAP GUI application is to be configured in the user management tool (SU01). snc/accept_insecure_rfc snc/permit_insecure_start snc/force_login_screen 1 1 0 5. change this value to 0 (for all) or U (user dependent).so snc/identity/as Define the SNC name of the SAP server’s security token. This value is case-sensitive. snc/accept_insecure_rfc 1 158 PUBLIC © 2013 SAP AG or an SAP affiliate company. 0 Disallow insecure communication Use this value only if secure communication is to be allowed only (no insecure communication) for SAP GUI.LOCAL Hint: If X. All rights reserved.509 certificate token and Kerberos tokens are used in parallel.509 certificate distinguished name. U User-defined (User Management SU01) Use this value if insecure or secure communication for SAP GUI application is to be configured in the user management tool (SU01). define the X. snc/data_protection/max snc/data_protection/min snc/data_protection/use snc/r3int_rfc_secure snc/r3int_rfc_qop snc/accept_insecure_cpic snc/accept_insecure_gui 3 2 3 0 8 1 1 Accept insecure communication Use this value if both insecure and secure communication is to be allowed for SAP GUI. Kerberos Token p:CN=<service_User_Principal_Name> Example: p:CN=KerberosABC@DEMO. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference . We recommend that you set this value to 1.Parameter Value Solaris / Linux / AIX <Path>/SLL/libsapcrypto. If you want to enforce higher security. 1. 5.Parameter snc/permit_insecure_start snc/force_login_screen Value 1 0 5.3.2.xml (Server Functions Only) Parameter namecharset Values utf8/latin1 Description Character set used to exchange names with the application.3 Communication and Protocol Parameters (Server and Client) In the file gss.61 Character set used for encoding Distinguished Names in ASN. you can configure the SNC communication protocol for server-to-server and client-to-server communication. Default: UTF8 Schema for the sequence and keywords of the name elements.xml.1 Reference of the Communication Protocol Parameters (Server) The following table contains the parameters that are valid for SNC on the server: Table 31: Configuration Parameters of gss. Default: rfc2256 nameencoding nameschema sapcryptolib/rfc2256 Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company.2. The configuration file gss. All rights reserved.xml enables you to configure the SNC communication protocol for server-to-server and client-to-server communication. Default: latin1 nameconversions(with parameter options) Replaces excessively long name components with shorter ones. UTF8/T. 159 . Useful when a server application stores the client name in a database field with an insufficient maximum size. replstr <short_client_name> UpperCaseClientName true/false ClientNameSource AltNameEMail RFC 822 name.3).20. It takes the first option it can use.3. The server tries the subject alternative names in this order. AltNameEMAILWithoutDomain RFC 822 name without domain. Subject alternative name from the user certificate to be sent as the SAP SNC name. Set to true to send the DN in uppercase.311. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference . During SNC communication. Enter the options separated by a space.smith instead of j.6. AltNameEMailWithoutDomain AltNameDNS DNS name AltNameDName AltNameURI URI Directory name AltNameIP IP address AltNameUPN otherName with object identifier. Enter the abbreviated client name to save storage space in the database.2.4. Here the Microsoft User Principal Name is used (otherName type with OID 160 PUBLIC © 2013 SAP AG or an SAP affiliate company.com). AltNameUPNWithoutDomain otherName with object identifier and without domain. Here the Microsoft User Principal Name is used (otherName type with OID 1.1.1. Here you can use the local part of an E-mail address without the domain part (j.Parameter searchstr Values <long_client_name> Description Enter the complete client name for name conversion. the client sends the Distinguished Name (DN) of the client certificate in mixed case by default. All rights reserved.smith@company. 3) without the domain part of the e-mail address.4.509 and Kerberos certificates.5. Default: 86400 (24 hours) Defines whether the server accepts the 2010 communication protocol Enables/disables the use of the 2010 protocol.2. use true/false algs_encr aes256t aes192 aes128 des3 algs_hash sha512 sha 384 sha256 sha1 ripemd160 acceptsigmode true/false acceptencrmode true/false acceptedttl <temporary_key_lifetime> protocol_2010 (with parameter options) use <SNC_CRYPTOLIB_protocol> true/false Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. Default: all Specifies whether the client key used for digital signatures is accepted as an authentication method.1. This protocol supports authentication with X. Default: all List of available hash algorithms: The system uses the first algorithm that is possible. All rights reserved. Default: true Accepted lifetime of temporary keys (digital signature to keep the session alive) in seconds. the Subject (Distinguished Name) is used. 161 .6.3. Default: true Specifies whether the client key used for encryption is accepted as an authentication method. Specifies whether or not the 1993 communication protocol is used. Subject Distinguished Name Default is <empty>. The system uses the first one that is possible.1. In this case.311.20. Default: true List of encryption algorithms available. Description protocol_1993 (with parameter options) <SNC_CRYPTOLIB_protocol> Specifies whether to use the 1993 communication protocol.Parameter Values 1. which is compatible to SAPCRYPTOLIB 5. xml file also exists in the client.61 Description Character set used for encoding Distinguished Names in ASN. Default: all Algorithms used for handshake and application data protection.Parameter acceptedttl Values <temporary_key_lifetime> Description Accepted lifetime of temporary keys (digital signature to keep the session alive) in seconds. Default: 86400 (24 hours) Algorithms used for handshake and application data protection. Default: true List of encryption algorithms available. Default: rfc2256 Specifies whether to use the 1993 communication protocol. Table 32: Configuration Parameters of gss. Default: HMAC-SHA256 HMAC-SHA1 ciphers aes256 aes128 rc4 data_macs HMAC-SHA256 HMAC-SHA1 HMAC-SHA512 HMAC-RIPEMD160 5. use either protocol_1993 or protocol_2010. All rights reserved. Specifies whether or not to use the 1993 communication protocol. Depending on your SNC CRYPTOLIB.2 Reference of the Communication Protocol Parameters (Client) The following table contains the parameters that are valid for SNC on the client: A gss. You must specify the same communication protocol on both sides (client and server). which is compatible to SAPCRYPTOLIB 5. Default: all nameschema sapcryptolib/rfc2256 protocol_1993 (with parameter options) <SNC_CRYPTOLIB_protocol> use truefalse algs_encr aes256 aes192 aes128 des3 162 PUBLIC © 2013 SAP AG or an SAP affiliate company.5.2.xml (Client Functions Only) Parameter nameencoding Values UTF8/T.3. Default: UTF8 Schema for the sequence and keywords of the name elements. The system uses the first one that is possible. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference .1. Algorithms used for handshake and application data protection. Default: None Defines whether the server accepts the 2010 communication protocol Enables/disables the use of the 2010 protocol. 163 . This protocol support authentication with X. Default: false Validity of temporary key in seconds.3 Parameter Overview for Secure Login Server Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. Default: auto authop enc (encryption certificate) sig (signature certificate) sigsession (signature certificates for key cached for further sessions) auto (automatic) age <period_in_seconds> Specifies a period of the key validity before the signing (in seconds). Default: 600 Validity of temporary key in seconds. This period acts as a tolerance period if system times vary by a couple of minutes. Default: HMAC-SHA256 HMAC-SHA1 Enable use of signature certificate with a temporary key.509 and Kerberos certificates. Default: all Algorithms used for handshake and application data protection. All rights reserved.Parameter algs_hash Values sha512 sha 384 sha256 sha1 ripemd160 Description List of available hash algorithms: The system uses the first algorithm that is possible. Default: 86400 (one day) ttl <period_in_seconds> protocol_2010 (with parameter options) use <SNC_CRYPTOLIB_protocol> truefalse ciphers aes256 aes128 rc4 data_macs HMAC-SHA256 HMAC-SHA1 HMACSHA512 HMAC-RIPEMD160 ParallelSessions true/false ParallelSessionsTTL <period_in_seconds> 5. Default: all Specifies the authentication mode in the client. Typically this is the Fully Qualified Domain Name (FQDN). Enter the subject alternative names in this field. You can also set these parameters manually if you choose Manual in the initialization wizard. During the initial configuration. or 4096 bits). Table 33: Parameters for PKI Certificate Management Parameter Entry Name (mandatory) Description Enter the name of the Certification Authority Select the encryption key length for the server (1024. 2048.1 Parameters for Initial Configuration (PKI Certificates) This topic contains the parameters for the configuration of the PKI certificates. Enter the end date for the validity of this certificate. a wizard leads you through the initial configuration of the Secure Login Server. Enter the start date for the validity of this certificate.3. Enter the country abbreviation in this field (C Enter the company name in this field (O) Enter the regional information in this field (L). Example Root CA Key Length (mandatory) 2048 Valid From (mandatory) 11/29/2013 Valid To (mandatory) 04/25/2014 Country Name DE Organization Name Company xyz Locality Name Walldorf Organization Unit Name SAP Security Department Common Name (mandatory) Root CA SAP Security Subject Alternative Name (DNS) ServerName@FQDN. Enter the alternative name in this field.local 164 PUBLIC © 2013 SAP AG or an SAP affiliate company. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference . Enter the company name in this field (OU) Enter the common name of the certificate (CN). Related Information Initial Configuration (Automatic) [page 96] Before you can work with the Secure Login Server. 1536.5. 3072. the initialization wizard steps through these parameters. This section contains an overview of the parameters and values of the PKI certificate management. All rights reserved. On the SAP server. Select DER or PEM encoding type. Note Entries marked with * are mandatory. Validity Period of Certificate (months)* Define the period of time for which the certificate is valid. Choose the desired CA certificate. a certificate response should be generated. All rights reserved. Table 34: Parameters for Signing Certificate Requests Option Base64 Encoded Certificate Request (PKCS #10) * Details The content of the certificate request in base64 encoding format.3. Another option is to copy and paste the content of the certificate request to the Base64-Encoded Certificate Request (PKCS#10) field. The Secure Login Server signs the certificate request and sends back a certificate response which is recorded in the SAP server.5. The default certificate template is used for the SAP environment. a PSE or P12 could be generated on the SAP server side. The certificate request should be signed. Use the button Read Content to import. Path in the Secure Login Administration Console: Certificate Management Sign Certificate Requests Note As an example scenario. Use the option Browse a File to Insert to import a certificate request file. Certificate Encoding Type Certificate Template Issuer* Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company.2 Parameters for Signing Certificate Requests This section describes the parameters located in the Secure Login Administration Console for submitting a certificate request to the Secure Login Server Certification Authority. 165 . a certificate request is created and sent to the Secure Login Server. select the desired certificate template. If needed. it contains the client policy name. the profile names.3 Secure Login Client Policy and Profiles This section contains detailed information about the client policy and client profiles for Secure Login Client. Table 35: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\System] Parameter PolicyURL Type STRING Description Network resource from which the latest Secure Login Client profiles can be downloaded. Using the client policy configuration the client profiles can be downloaded from Secure Login Server.1 Client Policy Information about client policy parameters for the Secure Login Client. The default is 45 seconds (hexadecimal value: 2d).3. Among other things. All rights reserved.reg. and the relevant enrollment URLs. 5. Default value is 0.3. the Secure Login Client verifies a new client policy during system startup of the client PC. DisableUpdatePolicyOnStartup DWORD 166 PUBLIC © 2013 SAP AG or an SAP affiliate company. These parameters are defined in the file ProfileDownloadPolicy<profile_group_name>.3. By default. 1 Disable automatic policy download.5. The default is 0 minutes (hexadecimal value: 0). You can use this parameter to disable this feature. 0 Enable automatically policy download. The client policy is included in the file GroupClientPolicy. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference . By default. The client policy is installed together with Secure Login Client on the client computer. the Secure Login Client verifies during system startup of the client PC. NetworkTimeout DWORD Network timeout in seconds before the connection is closed if the Secure Login Server does not respond.xml. PolicyTTL DWORD The lifetime in minutes for verifying (updating) a new client policy on the Secure Login Server. 0 User cannot select the authentication profile manually in Secure Login Client. profile STRING The name of the client profile to be used for the desired application.3.reg and ProfileDownloadPolicy_<profile_group_name>. Example: CN=SAP.reg file. You can use the wildcards * and ?. 167 . OU=SAP Security. Table 36: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\ applications\<Application Name>] Parameter GssTargetName Type STRING Description Application-specific PSE URI (SAP server SNC name) that is matched when a suitable profile is searched.reg.2 Applications and Profiles The policy downloader and/or the profile groups provide the Applications and Profiles configuration to the Secure Login Client using ProfileGroup_<profile_group_name>.3. The default value is 1. All rights reserved. O=Company xyz Using the value * means that the client profile is used for all SAP servers.5. allowFavorite DWORD Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. 1 User can select authentication profile manually in Secure Login Client. C=DE CN=Server*. Allow the user to select the authentication profile manually in Secure Login Client. it is possible to download the configuration using the ProfileGroup<profile_group_name>. In addition. All rights reserved.comd:50201/ SecureLoginServer/slc2/ doLogin? profile=6506265a-3c5f-4fd188fd-5e962f92fe6c Use the Add button to configure further Enroll URLs. Default value is windowslogin. windowslogin Using this profile.0 or for a Secure Login Client 2.0.Table 37: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<Profile Name>] Parameter profileName Type STRING Description The name of the client profile to be used for the desired application. Example for Secure Login Client 2. This is the failover configuration for the Secure Login Client. Use slc1 for Secure Login Client 1.address. The enrollment URL depends on the configuration of the client authentication profile. enrollURL0 STRING Secure Login Server URL that is used for user authentication and certificate request of the Secure Login Client. the user will be requested to enter the user credentials.0. Authentication type. https://<server>:port/ SecureLoginServer/slc(x)/ doLogin? profile=<profile_ID> You can configure a path for a Secure Login Client 1. If the first Enroll URL pseType STRING 168 PUBLIC © 2013 SAP AG or an SAP affiliate company. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference .0 https:// example. promptedlogin Using this profile. the user credentials will be provided automatically (only available for Microsoft Windows authentication).0 and slc2 for Secure Login Client 2. Default value is 0. 169 .. SSO without constraints.Parameter Type Description cannot be established. gracePeriod DWORD Value in seconds when an enrollment is to be carried out before the certificate expires.address. Value: -1 No Single Sign-On (SSO). defined here. Value in seconds until an automatic logout is performed (due to mouse and keyboard inactivity). wrong credential information). Example with value 4: The Secure Login Client offers the login form 4 times (for example. inactivityTimeout DWORD Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. Enter a value > 0. All rights reserved. before the login form will be closed. Each SNC connection forces a new login. Example: http://example. Default value is 0. The default value is 0.com: 8888 reAuthentication DWORD This parameter defines how many login attempts to the Secure Login Client login form is closed again. Only HTTP proxies without authentication and without SSL to proxy are supported. httpProxyURL STRING HTTP proxy to be used with enrollment URLs. User needs to use the button Cancel to close the login form. Value: 0 No timeout. The login form will never be closed. the Secure Login Client tries the next Enroll URL. autoEnroll DWORD A user automatically gets an X. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference . The default value is 0. 170 PUBLIC © 2013 SAP AG or an SAP affiliate company. User name and password caching can be turned on to provide the automatic re-enrollment of certificates that are going to expire. keySize DWORD RSA Key Length. The default value is 1024 (hexadecimal value: 400). user credentials are provided automatically (only applies for Microsoft Windows authentication). If pseType is set to promptedlogin. Possible values: 0: Turn off Do not re-enroll automatically. The error counter is reset on success.509 certificate when the Secure Login Client starts. do not cache user name and password. 0: Turn off 1: Automatic provisioning of user certificates If pseType is set to windowslogin. autoReenrollTries DWORD The number of failed authentications in a row after which automatic re-enrollment is stopped. Value >0 (n): Turn on with n tries to succeed: Try to re-enroll a maximum of n times before either a new certificate is received or the user name and password cache are cleared. A re-enrollment must always be performed manually by the user. the system prompts the users to enter their credentials.Parameter Type Description Seconds until an automatic logout is executed. All rights reserved. 0 Do not verify SSL server host name with the Common Name(CN) field of the SSL Server certificate. 171 .Parameter UniqueClientID Type STRING Description Custom-defined string. sslHostAlternativeNameCheck DWORD This applies to the SSL server certificate – this checks whether the peer host name is given in its Subject Alternative Name attribute of the certificate. The default value is 0. 1 Verify the SSL server host name with the Common Name (CN) field of the SSL server certificate. will be displayed in the instance log or can be used for network filtering issues. Network timeout (in seconds) before the connection is closed if the server does not respond The default value is 45 (hexadecimal value: 2d). networkTimeout DWORD sslHostCommonNameCheck DWORD This applies to the SSL server certificate – this checks if the peer host name is given in the Common Name (CN) field of the SSL Server certificate. sslHostExtensionCheck DWORD This applies to the SSL server certificate – this checks if the Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. 1 Verify the SSL server host name with the Subject Alternative Name attribute of the SSL Server certificate. All rights reserved. 0 Do not verify the SSL server host name with the Subject Alternative Name attribute of the SSL server certificate. Default value is 0. The default value is 0. 172 PUBLIC © 2013 SAP AG or an SAP affiliate company. 0 Do not verify whether the extended key usage ServerAuthentication is defined in the SSL Server certificate. 5. Parameters for RADIUS Login Modules [page 180] This table contains an overview of the parameters you can set for RADIUS login modules Parameters for ABAP Login Modules [page 181] This table contains an overview of the parameters you can set for ABAP login modules. The following topics contain an overview of the policy configuration parameter. Available values are pin and password. You can set them in the SAP NetWeaver Administrator under Authentication and Single Sign-On.3. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference . You can set parameters for the following login module parameters: ● ● ● ● SPNego login module LDAP login module RADIUS login module ABAP login module Related Information Parameters for LDAP Login Modules [page 178] This table contains an overview of the parameters you can set for LDAP login modules. All rights reserved.4 Parameters for the Policy Configuration The policy configuration allows you to set parameters for the login modules. newPinType STRING Message text value is used for messages (change PIN/password) to the Secure Login Client and Secure Login Web Client.Parameter Type Description extended key usage ServerAuthentication is defined. 1 Verify whether the extended key usage ServerAuthentication is defined in the SSL Server certificate. All rights reserved. A re-enrollment must always be performed manually by the user.1 Parameters for Client Configuration This topic contains the client configuration parameters. the system prompts the users to enter their credentials. Possible values: 0: Turn off: Does not re-enroll automatically. The error counter is reset on success. Table 38: Parameters for Client Authentication Profiles Parameters Auto-enroll Details A user automatically gets an X.4. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company.509 certificate when the Secure Login Client starts. This applies for the following login modules: SecureLoginModuleLDAP.3. >0(n):Turn on with n tries to succeed: Tries to re-enroll a maximum of n times before either a new certificate is received or the user name and password cache are cleared. During the configuration of the client authentication profile. does not cache user name and password.5. Automatic Re-enroll Attempts The number of successive failed authentications after which automatic re-enrollment is stopped. If pseType is set to promptedlogin. you come to a step where you configure the client configuration. SecureLoginModuleRADIUS. SecureLoginModuleSAP. the default is promptedlogin. You can activate the user name and password caching to ensure the automatic re-enrollment of certificates that are going to expire. 173 . False:Turn off True:Automatic provisioning of user certificates If pseType is set to windowslogin. user credentials are provided automatically (only applies for Microsoft Windows authentication with SPNegoLoginModule AA). If these login modules are initially set. Note The fields with the asterisk (*) are mandatory fields. and BasicPasswordLoginModule. Example: http://example. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference . Enroll URL depends on the configuration of the client authentication profile. it tries the next enrollment URL.Parameters Details The default value is 0. The default value is 0 HTTP Proxy URL HTTP proxy to be used with enrollment URLs. Enrollment URL Secure Login Server URL that is used for user authentication and certificate request. defined here. Value 0 No timeout. Network Timeout (Seconds) Network timeout (in seconds) before the connection is closed if the server does not respond The default value is 45 174 PUBLIC © 2013 SAP AG or an SAP affiliate company. Possible values: Value -1 No Single Sign-On (SSO).com:8888 Inactivity Timeout (Seconds) Value in seconds until an automatic logout is performed (due to mouse and keyboard inactivity).address. https://<host_name>:<port>/ SecureLoginServer/<protocol_version>/ doLogin?profile=<profile_ID> Enrollment URL defined in a client authentication profile <profile_ID> of the Secure Login Server. This is the failover configuration for the Secure Login Client. Grace Period (Seconds) Value in seconds for the time in which an enrollment is to be carried out before the certificate expires. Each SNC connection forces a new login. To configure further enrollment URLs. Only HTTP proxies without authentication and without SSL to proxy are supported. All rights reserved. use the Add button. The default value is 0. If the Secure Login Client establishes a connection to the first enrollment URL. SSO without constraints. Value n Seconds until an automatic logout takes place. Show Error Message . Policy Configuration Name Re-authentication This parameter defines how many logon attempts are permitted with the Secure Login Client logon form before it is closed again. True Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. The default value is true. The default value is False SSL Host Common Name Check This applies to the SSL Server certificate – this checks if the peer host name is given in the Common Name (CN) field of the SSL Server certificate. With this value. for example. True Verifies the SSL server host name with the Subject Alternative Name attribute of the SSL Server certificate. Show Success Message The default value is true. Example with the value 4: The Secure Login Client offers the logon form 4 times (the logons fail. 175 . Available values are pin and password. due to wrong credential information) before the logon form is closed. All rights reserved. SSL Host Alternative Name Check This applies to the SSL server certificate – this checks if the peer host name is given in the Subject Alternative Name attribute of the certificate. the logon form is never closed. Success messages are displayed. The default value is 0.Parameters New PIN/Password Response Text Details Message text value used for messages (change PIN/ password) to the Secure Login Client and Secure Login Web Client. The user needs to use the Cancel button to close the logon form. Error messages are displayed in the client. False Does not verify the SSL server host name with the Subject Alternative Name attribute of the SSL Server certificate. During the configuration of the client authentication profile.4. Table 39: Secure Login Web Client Configuration Parameters Post Authentication Actions Description 176 PUBLIC © 2013 SAP AG or an SAP affiliate company. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference . All rights reserved. The default value is False User CA 5. False Does not verify the SSL server host name with the Common Name (CN) field of the SSL Server certificate.Parameters Details Verifies the SSL server host name with the Common Name (CN) field of the SSL Server certificate.2 Parameters for Secure Login Web Client Configuration This topic contains the Secure Login Web Client configuration parameters.3. you come to a step where you configure the Secure Login Web Client configuration. Note The fields with the asterisk (*) are mandatory fields. The default value is False SSL Host Extension Name Check This applies to the SSL server certificate – this specifies whether the system checks if the extended key usage ServerAuthentication is defined. False Does not verify if the extended key usage ServerAuthentication is defined in the SSL Server certificate. True Verify if the extended key usage ServerAuthentication is defined in the SSL server certificate. ini file with the respective entry. This means that you need the saplogon. for example. 177 .509 certificate is required. The following options are available: ● ● No Action After successful user authentication. IP Address/Host Name * Port * IP address or fully qualified host name of the ABAP system. Port of SAP NetWeaver Default: 3200 SNC Name * SNC name of SAP NetWeaver Example p:CN=ABAP System Web Client URL IP Address/Host Name IP address or host name of Secure Login Server which is used to generate to Web Client URL. in the SAP NetWeaver Portal. All rights reserved.Parameters Actions Description The action to be performed by the Secure Login Web Client after successful user authentication. Port of Secure Login Server for the Web Client URL. Redirect to URL Enter an URL for certificate-based login. you need to enter the SAP GUI description to enable direct logon to an ABAP system. Restriction This parameter is only supported on Microsoft Windows with SAP GUI for Windows. Log On to ABAP System After successful authentication. Redirect to URL and Log On to ABAP System Redirect to URL and Launch SAP Logon Pad ● ● ● ● SAP GUI Description * Name of the server profile in SAP GUI for Microsoft Windows (Description field in SAP GUI). After successful user authentication. You can use this URL to configure a location where SSL client based authentication with the enrolled X. If you are using SAP GUI for Microsoft Windows. Port Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. the user logs on to an ABAP system. Launch SAP Logon Pad After successful authentication. no action is performed. this URL is called. the SAP Logon pad is started automatically. 3 Parameters for LDAP Login Modules This table contains an overview of the parameters you can set for LDAP login modules. 178 PUBLIC © 2013 SAP AG or an SAP affiliate company.3. Note You have installed a Secure Login Client installation and activated Web Adapter during the installation procedure. the location of the Secure Login Web Client files depends on the operating system. If Web adapter mode is active. This feature is only available on Microsoft Windows. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference . By default.Parameters URL Client Behavior Web Adapter Mode (requires Secure Login Client installation) Description This URL is made up of the IP address/host name and of the port Activate this checkbox to reuse an already existing installation of the Secure Login Client at the start of a Secure Login Web Client. the Secure Login Server download only slwc.sap_webclient/sapsnc 5. Default: For Microsoft Windows XP: %APPDATA% For Microsoft Windows Vista/7 or higher: %LOCALAPPDATA% Example for Microsoft Windows XP: %USERPROFILE%\%APPDATA%\sapsnc Example for Microsoft Windows Vista/7: %USERPROFILE%\%LOCALAPPDATA%\sapsnc OS X Default: $HOME/sapsnc Example: $HOME/. Platform Binaries Download Path Microsoft Windows Enter the download location for the security libraries.4. All rights reserved.exe. January 1601 (UTC)) 129855537300000000= 30. June 2012 20:15:30 (CET) MS Gregorian calendar time format (100-nanosecond intervals since 1. Secure Login Server can process one of the following formats: Generalized time formats: 20120630181530Z= 30. By default no value is defined. Table 40: Parameters for LDAP Login Modules Parameters Details In Options of login module of the SAP NetWeaver Administrator ldapDestination PasswordExpirationAttribute Enter the exact name of the LDAP destination.0Z= 30. June 2012 20:15:30 (CET) 20120630181530. The PasswordExpirationAttribute value is used for the password expiration warning message only.0+0100Z= 30. PasswordExpirationGracePeriod The interval (in days) for a password expiration warning message to be sent to the Secure Login Client prior to a password expiring.You set these parameters when you create a destination for an LDAP login module. June 2012 18:15:30 (UTC) Netscape Password Expiring time format (seconds until password expires) 864000= 10 days from current date until password expires If a password expiration warning message is configured. Related Information Creating Destinations in Secure Login Administration Console [page 113] Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. For more information on destination management. June 2012 18:15:30 (UTC) 20120630191530+0100Z= 30. All rights reserved. June 2012 18:15:30 (UTC) 20120630191530. the LdapBaseDN property must be given in complete DN form (UPN on Microsoft Active Directory). LDAP attribute that contains the expiration date of the user password for the Secure Login Client. 179 . see related link. The port number used by the RADIUS server for authentication requests. A Shared Secret is used to encrypt the user password. see related link. Paste your Shared Secret again for confirmation. Typical values are 1645 or 1812.4 Parameters for RADIUS Login Modules This table contains an overview of the parameters you can set for RADIUS login modules You set these parameter when you create a destination for a RADIUS login module. Table 42: Parameters in the Secure Login Administration Console Parameters Authentication Method* Details Authentication method for the RADIUS server. The default value is 5000 milliseconds. IP Address/Host Name* Host address of the RADIUS server (used for user authentication). Paste your Shared Secret into this field. Timeout (Milliseconds)* Period of time the Secure Login Server waits for a response before trying the next RADIUS Server (in milliseconds). This Shared Secret also needs to be defined in the RADIUS Server. The default value is 1645. Table 41: Parameters in SAP NetWeaver Administrator Parameters RadiusDestination Details Enter the exact name of your RADIUS destination.4.5. Possible values are: PAP CHAP MSCHAP The default value is PAP.3. Port* Shared Secret* Confirm Shared Secret* Advanced Configuration for RSA Authentication 180 PUBLIC © 2013 SAP AG or an SAP affiliate company. For more information. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference . You can set the following parameters when you configure the destination for an ABAP login module. Possible values: true maxNbrConnections PasswordAlphanummeric Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. Wait for token code to change. the following parameters are filled automatically. Table 43: Options of login module Parameters Destination Details The destination is already available in the SAP NetWeaver Administrator.Parameters Import Server Message File: Details Note If you import a RADIUS Server message file. Please try again. Maximum number of connections. 181 .5 Parameters for ABAP Login Modules This table contains an overview of the parameters you can set for ABAP login modules. In this case the destination is already available in the SAP NetWeaver Administrator. then enter the new tokencode: Please re-enter new PIN: PIN Accepted.3. ExtInputMustChoose_D: ExtInputMustChoose_D_D: ExtInputNextCode: ExtInputReenterPin: ExtOutputChange: ExtOutputReject: Related Information Ensuring Communication with the RSA Server Using a Shared Secret 5.4. All rights reserved. then enter the new passcode: PIN rejected. ExtInputMustChoose_C: ExtInputMustChoose_C_C: Enter a new PIN having n alphanumeric characters: Enter a new PIN having from n to n alphanumeric characters: Enter a new PIN having n digits: Enter a new PIN having from n to n digits: Wait for token to change. This parameter is part of the password policy for the client-side policy consistency check. The default value is 30. such as protocol.Parameters Details The password can contain only alphanumeric characters (A-Z. PasswordMin This parameter is part of the password policy for the client-side policy consistency check.3. 0-9). This parameter must be consistent with the SAP password policy. The default value is 1. This parameter must be consistent with the SAP password policy. You can determine the parameters used by a policy update from the Secure Login Server to the Secure Login Client. The default value is true. 182 PUBLIC © 2013 SAP AG or an SAP affiliate company. host name. All rights reserved.4.6 Groups Parameters for Downloading Policies Using Profile When you create a profile group from the client authentication profiles. and actions after policy download.reg and ProfileDownloadPolicy_<profile_group_name>. false The password can contain alphanumeric and special characters (such as !$%&). specifically the minimum number of characters in the password to be used. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference . SAPTimeout Timeout for login Maximum number of connections until authentication is blocked 5. a-z. policy update interval. The parameters define the download mode of the registry files ProfileGroup_<profile_group_name>. specifically the maximum number of characters in the password to be used. PasswordMax This parameter is part of the password policy for the client-side policy consistency check.reg. you can specify some properties. This parameter must be consistent with the SAP password policy. timeout. All rights reserved. Lifetime in minutes for verifying (update) a new client policy. Default is <host_name>. If you use http. For security reasons. IP Adress/Host Name:* Policy Update Interval (Minutes):* Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. we recommend to use https. No Secure Login Client updates the client policy at startup. You can use this parameter.001.Note The fields with the asterisk (*) are mandatory fields. Table 44: Parameters for Downloading Policies Using Profile Groups Parameters Group Name:* Description: Protocol:* Default is https. 183 . The default value is 45 seconds. Example: vmx6032 Port:* Default is 50. the Secure Login Client verifies a new client policy during the system startup of the client PC.000. Default is 0 minutes. choose 50. Yes Details The profile group name appears here. to disable this feature. You can also use the IP address or the computer name. The port that is currently configured in the SAP NetWeaver Administrator appears automatically. Network Timeout (Seconds):* Network timeout in seconds before the connection is closed if the server does not respond. The current host name appears. By default. Update Policy on Startup (Default:Yes): By default the Secure Login Client verifies during a new client policy during the system startup of the client PC. Parameters Details Secure Login Client does not update the client policy at startup. Note In a migration setup from SAP NetWeaver Single Sign-On 1. The default value is Clean. Actions at Policy Download Actions on SAP AS ABAP Application Settings: Existing profiles are handled as configured by action. Keep Keeps any existing profiles of the same name in the selected policy. Replace Replaces any existing profiles of the same name in the selected policy key with a given one. Clean Deletes all existing profiles in the selected policy key before the given ones are written. The Secure Login Server keeps the profile group configuration of the Secure Login Server 1. Default value is No. All rights reserved. The default value is Clean. Clean Deletes all existing profiles in the selected policy key before the given ones are written. Replace Replaces any existing profiles of the same name in the selected policy key with a given one. Action on Client Settings: Existing profiles are handled as configured by action. Keep Keeps any existing profiles of the same name in the selected policy. 184 PUBLIC © 2013 SAP AG or an SAP affiliate company. Does not overwrite the given one (default).0 to 2. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference .0. Does not overwrite the given one (default).0 for fallback purposes. it makes sense to use Keep. Note The fields with the asterisk (*) are mandatory fields. which you can configure in the Secure Login Administratration Console. for user user login ID mapping with attribute configuration. see the related links.0 for fallback purposes.1 Parameters for User Certificate Configuration This table contains the parameters for user certificate configuration for the client authentication profile. which you can configure in the Secure Login Administration Console. For a detailed overview of the parameters. Related Information Parameters for User Certificate Configuration [page 185] This table contains the parameters for user certificate configuration for the client authentication profile. etc.0. Table 45: Parameters for User Certificate Configuration Parameter Country Name Description Enter the country abbreviation in this field (C Example DE Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company.3. for example. This table contains the parameters for the client authentication profile.5. 5.3.Parameters Details Note In a migration setup from SAP NetWeaver Single Sign-On 1. archving. 185 . All rights reserved. The Secure Login Server keeps the profile group configuration of the Secure Login Server 1.5 Parameters for User Certificate Configuration This section contains the parameters for user certificates. 5.0 to 2. which you can configure in the Secure Login Administratration Console. Parameters for Certificate Attribute Configuration [page 186] These are the parameters for the certificate attributes for user mapping the Secure Login Server passes on to the Secure Login Client. it makes sense to use Keep. Parameter Organizational Name Description Enter the company name in this field (O) Enter the regional information in this field (L). Enter the company name in this field (OU) Enter the period of validity of the certificate (CN). Default value is 600. Example Company xyz Locality Name Walldorf Organization Unit Name SAP Security Department Validity Period (Minutes) (mandatory) 600 Validity Offset (mandatory) -5 Time offset in minutes relative to the server system time for the certificates to start being valid. This parameter is helpful if the client and server time are not in sync. Default value is -5. Key Length (mandatory) Select the encryption key length for the server (1024, 1536, 2048, 3072, or 4096 bits). 2048 5.3.5.2 Parameters for Certificate Attribute Configuration These are the parameters for the certificate attributes for user mapping the Secure Login Server passes on to the Secure Login Client. Note The fields with the asterisk (*) are mandatory fields. Table 46: Parameters for Certificate Attribute Configuration Parameter Common Name * Description Here you enter the common name. You can also use the following values from the destination: AUTH:USERID AUTH:UPN AUTH:DCS 186 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference Parameter Description PADDEDNAME Use this value to enable padding of the common name or any additionally defined certificate attributes. Note You define the attributes for the certificate in the destination. Country Name Enter the two-character country code or use the above-mentioned values. Enter the organizational name or use the abovementioned values. Enter the organizational unit name or use the abovementioned values. Enter the locality or use the above-mentioned values. Values: AUTH:DCS variable or a complete Relative Distinguished Name (RDN) Example: OU=SAP, CN=Demo Organizational Name Organizational Unit Name Locality Appendix Subject Name Subject Alternative Name (RFC822 Name) In this certificate attribute, the RFC822 name appears in a sequence. The principal name appears in a sequence. Subject Alternative Name (Principal Name) 5.3.5.3 Parameters of User Mapping Destinations and Attributes This table contains an overview of the parameters for user mapping. Moreover, it lists the user mapping attributes. Note Entries marked with * are mandatory. Table 47: Parameters for User Mapping Destinations and Attributes Parameter Mapping Destinations Description Here you select the LDAP or Active Directory destination. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. 187 Parameter Enable User Logon ID Mapping Description Activate this checkbox to enable user logon ID mapping. The default is not active. Here you enter the LDAP search attribute with search values. Default is userPrincipalName. The default LDAP search value is AUTH:UPN. Select one or several of the following mapping attributes values: displayName givenName mail name sAMAccountName sn(first name) userPrincipalName Example: If you add the attribute name userPrincipal, name, mail, the following resulting values are displayed in dropdown list for the Certificate Attribute Configuration section: (LDAP:userPrincipal), (LDAP:name), (LDAP:mail). LDAP Search Attribute * Search Value * Mapping Attributes 5.3.5.4 Parameters for User Logon ID Padding If you want to use user logon ID padding, use the following parameters. Note The fields with the asterisk (*) are mandatory fields. Table 48: Parameters for User Logon ID Padding Parameter Padding for * Details Here you enter for which user name the padding is applied. Default: AUTH:USERID 188 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference Parameter Maximum Length * Details Maximum number of characters that a user name in the common name (CN) field can have. If the given use name is longer, it is cut from the right side. Default value: 12 Example: "LongUsernameSAP" is cut off to"LongUsername" with the default settings. Padding Length * If user names in the common name (CN) field need a fixed or minimum length, padding can be turned on. The padding length sets the minimum length of user names. Default value: None Padding Character * The padding character is used to fill user names on the left side if their size is smaller than the configured padding length (Padding Length). Default value: None Example: Padding Length= 11 and Padding Character = 0. The result is "ShortName" is extended to 00ShortName Typically this configuration is used if personnel numbers are used. 5.3.6 Parameters for Destination Management Configuration Configure destinations if you use LDAP or RADIUS login modules or user logon ID mapping. Here you find the parameters for the destination management. You need to configure destinations if you use LDAP or RADIUS servers. Use the optional settings in LDAP Server Authentication (Optional) if you use user logon ID mapping mode, for example in connection with LDAP or Microsoft Active Directory databases. For more information, see the detailed parameter overview in the related link. Related Information Parameters for Destination Management [page 190] Here you find the mandatory and optional parameters for the destination management. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. 189 5.3.6.1 Parameters for Destination Management Here you find the mandatory and optional parameters for the destination management. You need to configure destinations if you use LDAP or RADIUS servers. Use the optional settings in LDAP Server Authentication (Optional) if you use user logon ID mapping mode, for example in connection with LDAP or Microsoft Active Directory databases. Note Entries marked with * are mandatory. Table 49: Parameters for Destination Management Parameters IP Address/Host Name * Details Host name or IP address of the LDAP server or Active Directory server system used to authenticate the user. Use the fully qualified distinguished name or the IP. Example: ldaps://ldapserver.demo.local Tip We recommend that you configure secure communication Port * Enter a three-digit port for the LDAP or Microsoft Active Directory server. Example: 389 Use SSL for LDAP Access If you want to use an encrypted SSL connection for secure communication, activate this parameter. This means that ldaps is used in the URL to the LDAP server. The default is empty (no use of ldaps). Note You have imported server certificates into trusted certificates in the SAP NetWeaver Key Storage. Connection Timeout (Milliseconds) * The connection timeout in milliseconds: 500 is the period of time the Secure Login Server waits for a response before trying the next LDAP/ADS server (in milliseconds). The default value is 500 milliseconds. Provider Language * Language of the LDAP or Microsoft Active Directory Server. Default is en-US 190 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference There are several configuration options. The parameters in the LDAP Server Authentication (optional) section are only relevant if you use the user mapping service. This parameter is only relevant for user mapping with an LDAP or Microsoft Active Directory Server. Technical user of the backend that executes the user mapping. The domain name to be appended to the given user name if it is not a User Principle Name.cn=Users.Parameters Login Base DN Details For Microsoft Active Directory: Full domain name of the LDAP server that runs the authentication. LDAP Server Define the search path where the user is located. Service User Name Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. Example: $USERID@DOMAIN. Search Base DN This parameter is only relevant for user mapping with an LDAP or Microsoft Active Directory Server. It is possible to run authentication with the server entered in Login Base DN and user logon ID mapping with Microsoft Active Directory. the Microsoft Windows UPN name is required for user authentication (to be entered in Secure Login Client).LOCAL For LDAP servers other than Microsoft Active Directory: Base DN of the LDAP Server (Start Search Path).dc=com If the parameter is not configured (empty).dc=domain.dc=yourdomain. The variable $USERID is replaced by Secure Login Server with the user name for user verification against the authentication server. Example: $USERID@<Windows_domain> cn= $USERID. 191 . All rights reserved. Example: uid=$USERID. the property is ignored.ou=Users. If the name is already in UPN format.dc=SSO Microsoft Active Directory System Define the search path where the user is located. All rights reserved.0 and 1.Parameters Password Details This parameter is only relevant for user mapping with an LDAP or Microsoft Active Directory Server.0 and 1.0 from 1.0. During the migration phase.0.7. This parameter is only relevant for user mapping with an LDAP or Microsoft Active Directory Server. This table is useful when you migrate from SAP NetWeaver Single Sign-On 1.0 and 1. Mapping of Client Configuration Parameters [page 196] Table that maps client configuration parameters of SAP NetWeaver Single Sign-On 2.0 to 2.0 to 2.0. you find tables that contain parameters you need when you migrate Secure Login Server from SAP NetWeaver Single Sign-On 1. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference . see the related link.0.3.0 and check whether they are still available (maybe with a different name) and which values they can have.0.0 to 2.7 Mapping of Parameters for a Migration of SAP NetWeaver Single Sign-On 2.0 to 2. and some of the parameters (of SAP NetWeaver Single Sign-On 1.0 and 1.0. For more information on a migration. You find the parameters either in the SAP NetWeaver Administrator or in the Secure Login Administration Console. This table is useful when you migrate from SAP NetWeaver Single Sign-On 1. Confirm Password 5.0. The following mapping tables are available: Related Information Mapping of Parameters by Login Module [page 192] Table that maps policy configuration and login module parameters of SAP NetWeaver Single Sign-On 2. In the following.3.0 to 2.0. Have a look at the parameters and values of SAP NetWeaver Single Sign-On 1. The following table contains the parameters you set in the policy configuration when you determine the options for the login modules. Mapping of User Certificate Configuration Parameters [page 194] Table that maps user certificate configuration parameters of SAP NetWeaver Single Sign-On 2.0. we recommend that you compare these parameters and their values step by step. You only need this table if you migrate from SAP NetWeaver Single Sign-On 1. 5. 192 PUBLIC © 2013 SAP AG or an SAP affiliate company.0 to 2.0. The number and the names of the parameters vary.0) do not exist anymore. This table is useful when you migrate from SAP NetWeaver Single Sign-On 1.1 Mapping of Parameters by Login Module Table that maps policy configuration and login module parameters of SAP NetWeaver Single Sign-On 2.0 This topic contains tables that enable you to map parameters and values when migrating from SAP NetWeaver Single Sign-On 1.0 to 2.0. This table is useful when you migrate from SAP NetWeaver Single Sign-On 1. All rights reserved.0 LDAP login module ldapDestination Connection Timeout (Milliseconds) * Provider Language * IP Address/ Host Name * Login Base DN Port * Use SSL for LDAP Access PasswordExpirationAttribute PasswordExpirationGracePeriod PasswordExpirationAttribute PasswordExpirationGracePeriod ServerID TrustStore Search Base DN Service User Name Password Confirm Password RADIUS login module RadiusDestination IP Address / Host Name * RADIUSServerIP ServerIniFile Shared Secret * Timeout (Milliseconds) * Destination Authentication Method * Port * Authenticator AuthPort SharedSecret Timeout LdapTimeout LdapProviderLanguage LdapHost LdapBaseDN Parameters for SAPNetWeaver Single Sign-On 1.Table 50: Mapping of Policy Configuration Parameters Parameters for SAP NetWeaver Single Sign-On 2.0 Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company. 193 . You only need this table if you migrate from SAP NetWeaver Single Sign-On 1.0 to 2.0.0.0 PinAlphanumeric ABAP login module Destination maxNbrConnections PasswordAlphanumeric PasswordMax PasswordMin SAPTimeout maxNbrConnections PasswordAlphanumeric PasswordMax PasswordMin SAPTimeout SAPaccount SAPServer SNCServerName SystemNo Client CREDDIR Related Information Migrating Secure Login Server 2. The following table contains the parameters you set in the user certificate configuration.0. the client authentication profile.2 Mapping of User Certificate Configuration Parameters Table that maps user certificate configuration parameters of SAP NetWeaver Single Sign-On 2. All rights reserved. The migration depends on the client and on the login modules you use.0 from 1.0 from 1. You use them when you configure. 194 PUBLIC © 2013 SAP AG or an SAP affiliate company. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference .0 [page 107] The following section describes how you migrate Secure Login Server 2.7.0. This table is useful when you migrate from SAP NetWeaver Single Sign-On 1.0 Parameters for SAPNetWeaver Single Sign-On 1.0 to 2. see the related link.0 and 1.Parameters for SAP NetWeaver Single Sign-On 2. 5.3. For more information on a migration. You find the parameters either in the SAP NetWeaver Administrator or in the Secure Login Administration Console. for example. Note The fields with the asterisk (*) are mandatory fields. All rights reserved.7.0 [page 107] The following section describes how you migrate Secure Login Server 2.country DN. The migration depends on the client and on the login modules you use.organization DN.3. Table 52: Mapping Table for User Logon ID Padding Parameter in SAP NetWeaver Single Sign-On 2.0.0 DN. 195 .0 User-Defined Property in SAP NetWeaver Single Sign-On 1.0 Country Name Organizational Name Locality Name Organization Unit Name Validity Period (Minutes) * Validity Offset * Key Length * Related Information Migrating Secure Login Server 2.0.0 from 1.organizationalUnit ValidityMinutes ValidityOffset Key Size (in Client Configuration -> Profiles ->Edit) 5.0 Enable Logon ID Padding Padding For * Padding Character * Padding Length Maximum Length * UserNamePaddingChar UserNamePaddingLength MaxUserNameLength Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company.3 Mapping of Parameters for User Logon ID Padding This table enables you to map user login ID parameters when migrating to SAP NetWeaver Single Sign-On 2.0 from 1.Table 51: Mapping of User Certificate Configuration Parameters Parameters for SAP NetWeaver Single Sign-On 2. Parameters for SAPNetWeaver Single Sign-On 1.locality DN. The following table contains the parameters you set in the client configuration.0 from 1. For more information on a migration.0 from 1.3. the client authentication profile.0 HTTP Proxy URL Auto-Enroll Automatic Number of Re-Enroll Retries Grace Period (Seconds) * Inactivity Timeout (Seconds) Network Timeout (Seconds) * Re-Authentication * New PIN/Password Response Text Check Common Name of SSL Host Check Alternative Name of SSL Host Check Extension of SSL Host Parameters for SAPNetWeaver Single Sign-On 1. You find the parameters either in the SAP NetWeaver Administrator or in the Secure Login Administration Console. This table is useful when you migrate from SAP NetWeaver Single Sign-On 1.0.0 HttpProxyURL Auto-Enroll Auto-Reenroll Attempts Grace Period InactivityTimeout Network Timeout (seconds) Reauthentication NewPinType SSL Host Common Name Check SSL Host Alternative Name Check SSL Host Extension Check Profile Name PSE Type Unique Client ID User Warning MSIE Related Information Migrating Secure Login Server 2.0 to 2. for example. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference .0.0 and 1. see the related link.5. The migration depends on the client and on the login modules you use. All rights reserved.0.0 to 2.0 [page 107] The following section describes how you migrate Secure Login Server 2. Table 53: Mapping of Client Configuration Parameters Parameters for SAP NetWeaver Single Sign-On 2.0. You use them when you configure. You only need this table if you migrate from SAP NetWeaver Single Sign-On 1.4 Mapping of Client Configuration Parameters Table that maps client configuration parameters of SAP NetWeaver Single Sign-On 2.7. 196 PUBLIC © 2013 SAP AG or an SAP affiliate company. 0.0. Table 54: Mapping of Parameters for User Certificate Attribute Configuration Parameter in SAP NetWeaver Single Sign-On 2. All rights reserved. use the values from SAP NetWeaver Single Sign-On 1.5 Mapping of Parameters for User Certificate Attribute Configuration During a migration. this table enables you to map the user certificate attributes from SAP NetWeaver Single SignOn 2.0 5.3. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference PUBLIC © 2013 SAP AG or an SAP affiliate company.3. you specify the Distinguished Name in a fixed character string. 197 .0 with the user-defined property in SAP NetWeaver Single Sign-On 1. Note The fields with the asterisk (*) are mandatory fields.0 to 2.7.6 Mapping of Parameters for Destination Management For a migration of the user mapping from SAP NetWeaver Single Sign-On 1. Subject Alternative Name (RFC822 Name) Subject Alternative Name (Principal Name) User-Defined Property in SAP NetWeaver Single Sign-On 1.7.5.0 and enter them in the appropriate format into the parameters for SAP NetWeaver Single Sign-On 2.0. Note Entries marked with * are mandatory.0 Common Name * Country Name Organizational Name Organizational Unit Name Locality Appendix Subject Name DN In this option. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Parameter Reference . LDAP Search Attribute * LdapReadAttribute<n> 198 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved.0 Destination Management tab IP Address/Host Name * Port * Use SSL for LDAP Access Connection Timeout (Milliseconds) * Provider Language * Login Base DN LDAP Server Authentication (Optional) tab Search Base DN Service User Name Enter or change password Password LdapReadPass LdapReadServers LdapReadBaseDNn LdapReadUsern LdapReadDomain LdapReadTimeoutn LdapreadUrl Note There is no parameter in SAP NetWeaver Single Sign-On 2.0 because the configuration of the Secure Login Administration Console contains several destinations.0 User-Defined Properties in SAP NetWeaver Single Sign-On 1.Table 55: Mapping of Parameters for Destination Management SAP NetWeaver Single Sign-On 2. com/sap/support/notes/1673155 6. Error Message Miscellaneous failure. 6. Related Information http://service.1 Error in SNC Secure Login Client SNC error Use Case SAP GUI user wants to authenticate to SAP Applications Servers using Kerberos token or X. we recommend that you check the SAP Notes for the component BC-IAM-SL regularly. 199 . They contain information on program corrections and provide additional documentation. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting PUBLIC © 2013 SAP AG or an SAP affiliate company. Related Information Configuring Client Tracing [page 41] If you want to switch on tracing of Secure Login Client. Refer to the SAP Note in the related link. Note If you need to contact SAP support.sap.1 Troubleshooting Secure Login Client This section describes some troubleshooting issues of Secure Login Client and how to solve them.1. All rights reserved.509 user certificate. you must configure a file for client tracing in each client. create a CSN Message in the component BC-IAM-SL. provide the Secure Login Client trace information as described in the related link.6 Troubleshooting This section provides information on troubleshooting related activities In case of problems. Tip In addition. Error in SNC. 2.509 certificate. Verify if the user is authenticated in the Microsoft domain.dll 6. Is the name correct? (Kerberos name / X. take the following steps: a.2 User Name Not Found No user exists with SNC name. All rights reserved. Verify if SNC is enabled in SAP GUI for the desired SAP server.Checklist 1. O=SAP. If you are using an X.509 user certificate. Verify if the security token (Kerberos or certificate) is used. b. proceed as follows: 1. If you are using a Kerberos token. C=DE" 200 PUBLIC © 2013 SAP AG or an SAP affiliate company. 4. Try with the option Use Profile for SAP Applications if the desired profile is used.ini). Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting . Verify if the SNC name of the desired SAP server is configured in SAP GUI (saplogon. L=Walldorf. 3. Verify if the environment variable SNC_LIB is configured to use sapcrypto. Use Case SAP GUI user wants to authenticate to SAP server using Kerberos token or X.509 certificate is displayed in Secure Login Client Console. Example: C:\Program Files\SAP\FrontEnd\SecureLogin\lib\sapcrypto. Verify if Kerberos token is displayed in Secure Login Client Console. 5. Error Message No user exists with SNC name "p:CN=WRONGSNCNAME.1.dll. Check the certificate you are using. Verify if X.509 certificate name) Note that the SNC name is case-sensitive. Configuration and Administration Guide for Secure Login Library. the user mapping is not available or not configured correctly. Error Message The system displays the following error message: Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting PUBLIC © 2013 SAP AG or an SAP affiliate company.1. enable the trace and verify the results. Compare the user certificate distinguished name with the SNC name in SAP User Management (SU01). There may also be another reason for this error. For more information see the Installation. Note that SNC name is case-sensitive. Error Message SAP System Message S. If the Secure Login Library is installed on the SAP ABAP server and used for SNC. Checklist ● ● Verify if SNC is configured in the SAP ABAP server.com/sap/support/notes/1635019 6.3 Invalid Security Token Use Case 1 SAP GUI wants to authenticate to SAP server using a Kerberos token or X. Use Case 2 The Secure Login Client requests a service ticket from the domain server.509 user certificate. For more information. see the related SAP Note Related Information https://service.sap.Checklist ● If this message appears. 201 . All rights reserved. you find the error code A2600202.dll) is assigned to SAP GUI. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting . To check this. you have to check whether the Service Principal Name used was assigned several times in the Active Directory system.dll is used.dll”. Error Message Unable to load GSS-API DLL named “sncgss32.4 Wrong SNC Library Configured Wrong library configured in Secure Login Client Use Case An SAP GUI user wants to authenticate to a SAP server using Kerberos token or X. Verify the environment variable SNC_LIB. you enter the following command: setspn –T * -T foo -X 6. In the trace log of the Secure Login Client.Supplied credentials not accepted by the server.1. Checklist The wrong SNC library (in this example sncgss32. Example: C:\Program Files\SAP\FrontEnd\SecureLogin\lib\sapcrypto. For Secure Login Client the SNC library sapcrypto. Checklist ● If the Secure Login Client does not get a service ticket from the domain server.dll 202 PUBLIC © 2013 SAP AG or an SAP affiliate company.509 user certificate. All rights reserved. All rights reserved. 203 . Verify if Secure Login Library is installed correctly. a) Log on to SAP ABAP server using SAP GUI and start transaction RZ10.6. If a client experiences operational problems. For more information. consult the list of internal errors of the Secure Login Library's GSS module.2. 6. Verify the SNC configuration. The third-party error detection tool AppSight provides monitoring reports of the Secure Login Client.bmc. Verify the installation described in section Secure Login Library Installation [page 47].6 SNC Error Codes in the Secure Login Client In case of an SNC error in the client. If you want to use AppSight to monitor Secure Login Client. 3. This is a third party solution management software application that allows remote troubleshooting of client machines. Distribute the file among your clients so that they can use AppSight for monitoring.1. 6. 4.5 Monitoring Secure Login Client Secure Login Client provides an interface for the monitoring tool AppSight. Verify SNC library file access rights for the user starting the SAP server. 2. request the interface file from the SAP monitoring team. 1. one of the functions of the software is to record information about running software programs. Verify SAP trace file dev_w0. 6. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting PUBLIC © 2013 SAP AG or an SAP affiliate company. Related Information SNC Error Codes [page 205] In case of an error from a calling application with the Secure Login Library.2 Troubleshooting Secure Login Library This section provides further information about how to perform troubleshooting for Secure Login Library. Problem: SNC library cannot be found.1. see the AppSight documentation on http://www. You find the complete list of the SNC error codes in the related link.in the AppSight Console.1 SNC Library Not Found The SNC library and configuration are verified when the SAP ABAP server starts. consult this list of internal errors of the GSS module. b) Choose the instance profile and verify the value of the parameter snc/gssapi_lib.com. Related Information Secure Login Library Configuration [page 57] Configuring Tracing for Secure Login Library [page 86] In the case of an error. b) Choose the instance profile and verify the SNC configuration. a) Start a command line shell and change to the Secure Login Library folder $(DIR_INSTANCE)/SLL.5.2 Credentials Not Found The SNC library and configuration are verified when the SAP ABAP server starts. Example Microsoft Windows: sapgenpse seclogin –O -l SAPServiceABC Linux: sapgenpse seclogin –O -l abcadm 6. 2. Verify the installation described in section Secure Login Library Installation [page 47]. 204 PUBLIC © 2013 SAP AG or an SAP affiliate company. Verify whether the Secure Login Library has the same architecture as the ABAP System (32-bit or 64-bit ). 5. Verify the SNC library status with the command sapgenpse. To determine the architecture. 3. Verify if Secure Login Library is installed correctly.2. Enable the Secure Login Library trace and analyze the problem. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting . the file command enables you to check whether you have a 32-bit or 64 bit Secure Login Library. you can activate tracing for Secure Login Library. a) Log on to SAP ABAP server using SAP GUI and start transaction RZ10. you can activate tracing for Secure Login Library. 4. c) Use the command: sapgenpse seclogin –O -l <SAP_service_user>. 6. On UNIX. 6. 1. use the following command: file sapgenpse Related Information Secure Login Library Configuration [page 57] Configuring Tracing for Secure Login Library [page 86] In the case of an error. Verify SNC library file access rights for the user starting the SAP server. Verify SAP trace file dev_w0. Verify the SNC configuration. Problem: Could not get credentials. b) Set the environment SECUDIR=$(DIR_INSTANCE)/sec. Verify if the SNC certificate was provided to the Secure Login Library PSE environment. a server with a default Secure Login Library configuration cannot find the SNC name in the database. error messages with description in SAP Note SAP Note 1867829. For more information. see SAP Help Portal under Solution Monitoring . Function-Oriented View Solution Lifecycle Management 6. For further information.2.2. consult this list of internal errors of the GSS module. see the following SAP Note. You find the complete list of error codes.2.sap. They may occur in the client or be reported by the client as server errors.com/sap/support/notes/1834979 6. Note To analyze the problem in more detail. For more information.5 Error Occurred with sapgenpse If errors occur with sapgenpse. Related Information http://service. It might help you to find a solution for your issue. activate the trace function of Secure Login Library and analyze traces. Related Information Configuring Tracing for Secure Login Library [page 86] In the case of an error.4 Monitoring Secure Login Library This topic provides information about Application Server monitoring utilities you can use. we recommend that you use monitoring utilities provided by SAP NetWeaver AS ABAP. see the related SAP Note.sap. If you suspect that there might be an issue with Secure Login Server. These error codes and the corresponding error messages are sent if internal errors occur in the GSS module or if invalid input data come in from a calling application. you can activate tracing for Secure Login Library. The list of SNC error codes can also be helpful when you analyze server trace or log files.2.6.com/sap/support/notes/1635019 6. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting PUBLIC © 2013 SAP AG or an SAP affiliate company.6 SNC Error Codes In case of an error from a calling application with the Secure Login Library. 205 . All rights reserved.3 No User Exists with SNC Name Problem: If the error message No user exists with SNC name … occurs and your login fails. http://service. see the related link. To make sure that your Secure Login Web Client does not authenticate several times. The Secure Login Web Client does not use SSL on its port. All rights reserved. your browser sends trust warnings and denies access. Distribute the SSL CAs into the trusted certificate stores of your clients. The cause for this error is that you are authenticated several times if you use Secure Login Web Client in one browser window with several tabs. and uses it in the additional tabs. You must check the web client URL in the client authentication profile.3 Troubleshooting Secure Login Server This section gives additional information about troubleshooting for Secure Login Server.3. 6. You have authenticated with a Secure Login Web Client. their meaning and possible corrections.3. Runtime Error Codes CALL_BACK_ENTRY_NOT_FOUND Description The called function module is not released for RFC. 6.3. 206 PUBLIC © 2013 SAP AG or an SAP affiliate company.2 Trust Warnings in Secure Login Web Client Before you can authenticate with Secure Login Web Client. Use the utilities of your operating system (Microsoft Windows and Keychain for Mac OS X are supported). The following error message occurs: Authentication failed. for example. cookies and URL of the SAP NetWeaver Application Server. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting .3.6. The browser shares the authentication information.1 Secure Login Web Client Authentication Failed Secure Login Web Client authentication failed due to multiple tabs in your browser. 6. Client is already authenticated as a different user.3. 6.3 Error Codes of SAP Stacktrace Errors This chapter describes the error codes and return codes.1 SAP Stacktrace Error Codes This table contains the SAP stacktrack error codes. proceed as follows: Make sure that you close the additional tabs of your browser. 3 for ABAP) when executing an asynchronous RFC. Data received for unknown CPI-C connection. Error in authorization buffer (internal error). Current function is not called remotely. Maximum length of options for the destination exceeded. CALL_FUNCTION_NO_DEST CALL_FUNCTION_OPTION_OVERFLOW CALL_FUNCTION_NO_LB_DEST CALL_FUNCTION_NO_RECEIVER CALL_FUNCTION_NOT_REMOTE CALL_FUNCTION_REMOTE_ERROR CALL_FUNCTION_SIGNON_INCOMPL CALL_FUNCTION_SIGNON_INTRUDER CALL_FUNCTION_SIGNON_INVALID CALL_FUNCTION_SIGNON_REJECTED CALL_FUNCTION_SINGLE_LOGIN_REJ No authorization to log on as a trusted system. While executing an RFC. User locked. Too many logon attempts. Calling system is not a trusted system or security ID is invalid. RFC from external program without valid user ID. The specified destination (in load distribution mode) does not exist. ● Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting PUBLIC © 2013 SAP AG or an SAP affiliate company. Logon attempt in the form of an internal call in a target system not allowed. or a logon was performed using one of the protected users DDIC or SAP*. Time stamp of the logon data is invalid. Either the user does not have RFC authorization (authorization object S_RFCACL). The error code may have any of the following meanings: ● ● ● Incorrect logon data for valid security ID.Runtime Error Codes CALL_FUNCTION_DEST_TYPE CALL_FUNCTION_NO_SENDER CALL_FUNCTION_DESTINATION_NO_T Description The type of the destination is not allowed. The function module being called is not flagged as being “remotely” callable. 207 . Missing communication type (I for internal connection. No external user check. This error code may have any of the following meanings: ● ● ● ● ● ● ● Incorrect password or invalid user ID. Invalid user type. Logon attempt in target system without valid user ID. The specified destination does not exist. Validity period of the user exceeded. All rights reserved. Logon data for the user is incomplete. an error occurred that has been logged in the calling system. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting .Runtime Error Codes CALL_FUNCTION_SYSCALL_ONLY Description RFC without valid user ID only allowed when calling a system function module. No valid trusted entry for the calling system. For asynchronous RFC only: the specified task is already open. Invalid data type while transferring parameters. CALL_FUNCTION_TABINFO CALL_FUNCTION_TABLE_NO_MEMORY CALL_FUNCTION_TASK_IN_USE CALL_FUNCTION_TASK_YET_OPEN CALL_FUNCTION_NO_AUTH CALL_RPERF_SLOGIN_AUTH_ERROR CALL_RPERF_SLOGIN_READ_ERROR RFC_NO_AUTHORITY CALL_FUNCTION_BACK_REJECTED CALL_XMLRFC_BACK_REJECTED CALL_FUNCTION_DEST_SCAN CALL_FUNCTION_DEST_SCAN CALL_FUNCTION_CONFLICT_TAB_TYP CALL_FUNCTION_CREATE_TABLE CALL_FUNCTION_UC_STRUCT CALL_FUNCTION_DEEP_MISMATCH CALL_FUNCTION_WRONG_VALUE_LENG CALL_FUNCTION_PARAMETER_TYPE CALL_FUNCTION_ILLEGAL_DATA_TYP CALL_FUNCTION_ILLEGAL_INT_LEN CALL_FUNCTION_ILL_INT2_LENG CALL_FUNCTION_ILL_FLOAT_FORMAT CALL_FUNCTION_ILL_FLOAT_LENG CALL_FUNCTION_ILLEGAL_LEAVE 208 PUBLIC © 2013 SAP AG or an SAP affiliate company. Data error (info internal table) during a RFC. Invalid data type while transferring parameters. Type conflict while transferring an integer. Type conflict while transferring structure. Type conflict while transferring table. No memory available for creating a local internal table. Error while evaluating RFC destination. Invalid data type while transferring parameters. Destination “BACK” is not permitted in current program. Type conflict while transferring a floating point number. Type conflict while transferring a floating point number. Destination “BACK” is not permitted in current program. No RFC authorization for user. No memory available for table being imported. Error while evaluating RFC destination. For asynchronous RFC only: task name is already being used. Type conflict while transferring an integer. Invalid LEAVE statement on RFC Server. No RFC authorization. The meaning of the error codes is the same as for CALL_FUNCTION_SINGLE_LOGIN_REJ. No trusted authorization for RFC caller and trusted system. All rights reserved. Type conflict while transferring structure. 1.0 or Higher on Microsoft Windows How to enable fully qualified distinguished name for SAP NetWeaver 7. 6. the problem may relate to the certificate trust relationship. Check Secure Login Client Settings or Secure Login Web Client Settings in Secure Login Administration Console. 2. c) If you are using HTTPS. In the default configuration of the SAP NetWeaver Application Server. 6. 3. on which the SSL server certificate depends and move it to the Microsoft Certificate Store (Computer Certificate Store).4 Checklist User Authentication Problem This section describes the configuration issues to check if a user authentication is not successful. If this is the case. All rights reserved.5 Enable Fully Qualified Distinguished Name in Enrollment URL The following topics describes how to enable a fully qualified distinguished name in an enrollment URL. you need to execute the following steps. 209 .3. Is verification using different user credentials? Log on to Secure Login Administration Console and check the log information in Client Authentication Profiles.0 or higher Engine.3. If this is not the case. It may occur that some installations of SAP NetWeaver Application Server Java do not automatically generate fully qualified distinguished names.5. To enable the fully qualified distinguished name. when you download a policy configuration to the Secure Login Client or Secure Login Web Client because the policy download does not provide a fully qualified distinguished name in the enrollment URL. Verify the following parameter: a) Check whether the Enrollment URL parameter is configured for the desired instance. 6. there may be a problem on the Secure Login Client or Secure Login Web Client. import the root certificate.1 Enable Fully Qualified Distinguished Name for SAP Net Weaver 7. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting PUBLIC © 2013 SAP AG or an SAP affiliate company.0 or higher on Microsoft Windows.3. This may cause an error. The steps below are only relevant for SAP NetWeaver 7. for example. Type conflict while transferring a reference. the fully qualified domain is not used and cannot be changed.Runtime Error Codes CALL_FUNCTION_OBJECT_SIZE CALL_FUNCTION_ROT_REGISTER Description Type conflict while transferring a reference. b) Copy this URL to the browser application and check if a response is displayed (ignore the responses ERROR_ACTION or INTERNAL_SERVER_ERROR). Check if the user authentication is displayed. Choose the tab Certificate Management and verify whether USER_CA is active. wdf.wdf. 1.dhcp. Open the file DEFAULT. j2ee/dbhost.PFL in the profile directory.1.$(SAPFQDN) j2ee/dbhost = $(SAPLOCALHOST). Add the entries SAPLOCALHOSTFULL and SAPFQDN.$(SAPFQDN) j2ee/scs/host = $(SAPLOCALHOST). The entries SAPFQDN and SAPLOCALHOSTFULL have to be the first two entries.wdf.0 or higher on Linux. SAPLOCALHOSTFULL = <current_fully_qualified_distinguished_name> SAPFQDN = <current_domain> Example SAPLOCALHOSTFULL = veisa730vmmst. Stop the J2EE engine. 2.sap. All rights reserved.corp Modify the value of the entries SAPDBHOST.dhcp.sap. Start the J2EE engine.0 or Higher on Linux How to enable fully qualified distinguished name for SAP NetWeaver AS Java 7. 210 PUBLIC © 2013 SAP AG or an SAP affiliate company. and j2ee/scs/host: Example SAPDBHOST = $(SAPLOCALHOST). Go to the profile directory: usr/sap/<SID>/SYS/profile. 6.corp SAPFQDN = dhcp.sap.corp icm/host_name_full = $(SAPLOCALHOSTFULL) 3. open the profiles (java instance profile <SID>_J00_your_current_host_nameand SCS profile <SID>_SCS01_your_current_host_name) and add the lines below: SAPLOCALHOST = <current_host_name> SAPLOCALHOSTFULL = <current_fully_qualified_distinguishied_name> icm/host_name_full = $(SAPLOCALHOSTFULL) Example SAPLOCALHOST = veisa730vmmst SAPLOCALHOSTFULL = veisa730vmmst.$(SAPFQDN) 4. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting . Stop the J2EE engine.2 Enable Fully Qualified Distinguished Name for SAP NetWeaver 7.3.5. Go to the profile directory /usr/sap/SL3/SYS/profile. Go to the profile directory /usr/sap/SL3/SYS/profile.PFL profile.slac185. the ennrollment URL will includes the fully qualified distinguished name. Go to the profile directory at usr/sap/<SID>/SYS/profile. Go to the profile directory /usr/sap/SL3/profile.$(SAPFQDN) 7.slac185.2. $(SAPFQDN) j2ee/dbhost = $(SAPLOCALHOST). All rights reserved.168. 211 . Example 10. add the domain to /etc/hosts. Open the file DEFAULT. open the profiles (java instance profile <SID>_J00_your_current_hostname and SCS profile <SID>_SCS01_your_current_hostname) and add the lines below: SAPLOCALHOST = <current_host_name> SAPLOCALHOSTFULL = <current_fully_qualified_distinguished_name> icm/host_name_full = $(SAPLOCALHOSTFULL) 3. The entries SAPFQDN and SAPLOCALHOSTFULL must be the first entries. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting PUBLIC © 2013 SAP AG or an SAP affiliate company. $(SAPFQDN) j2ee/scs/host = $(SAPLOCALHOST).local icm/host_name_full = $(SAPLOCALHOSTFULL) 4. open the SL3_SCS01_java67 profile.slac185. open the SL3_SCS01_java67 profile.local Modify the values as described in the following example: Example SAPDBHOST = $(SAPLOCALHOST) .67 java67. and add the lines below to the java instance profile.slac185. and add the lines below to the SCS profile: SAPLOCALHOST = java67 SAPLOCALHOSTFULL = java67.local SAPFQDN = slac185. open the DEFAULT. Now when a client authentication profile of Secure Login Client is created.35. SAPLOCALHOST = java67 SAPLOCALHOSTFULL = java67.PFL profile and add the lines below to the DEFAULT.local a) If the system cannot find a fully qualified distinguished name. Make sure that the system can find the fully qualified distinguished name.local icm/host_name_full = $(SAPLOCALHOSTFULL) 5. SAPLOCALHOST = java67 SAPLOCALHOSTFULL = java67.PFL in the profile directory: Add the entries SAPLOCALHOSTFULL and SAPFQDN. b) Restart the SAP NetWeaver Application Server Java. SAPLOCALHOSTFULL = <YOUR_CURRENT_FQDN> SAPFQDN = <YOUR_CURRENT_DOMAIN> 6. For more information. 2. secure communication to the AS ABAP needs to be established. Proceed as follows: 1. 5. 2. If the test is successful. Start SAP NetWeaver Administrator and verify the configuration in the Configuration tab and Destinations. the status line displays the following message: Successfully connected to system <SID> as user <user_name>.3. (If the Ping operation was successful) Proceed with step for enabling Secure Login Library Trace.6 Locking and Unlocking You want to change data in the Secure Login Administration Console and you get a message saying that this data is locked by another user. Application Server Administration Tools Application Server SAP NetWeaver Administering Application Server Java 6. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting . if someone forgets to log out during a change operation or if their browser crashes. This can occur. Use the standard unlock function of SAP NetWeaver Administrator to remove the lock. for example. If you believe that this lock is not part of a normal change operation. 4.6. The communication is secured using SNC. you can unlock the data. Log in as an administrator to SAP NetWeaver Administrator. Problem: The Secure Login Server cannot establish an SNC connection to the AS ABAP. 212 PUBLIC © 2013 SAP AG or an SAP affiliate company. 3. (If Ping Destination failed) Verify whether Secure Login Library is installed correctly. 1. see the SAP NetWeaver Library under Java Administrator Problem Management Function-Oriented View Administration Managing Locks .3. Go to the Destination Detail section and choose Ping Destination. Verify the installation described in section Secure Login Library Installation [page 47]. For the Secure Login Server to verify SAP user credentials. Select the destination with the destination type RFC Destination.7 Secure Login Server SNC Problem The Secure Login Server cannot establish an SNC connection to the SAP Server. Verify the installation of Secure Login Library in Secure Login Library section. see related link. you can activate tracing for Secure Login Library. 7. their meaning and possible corrections. c) Use the command sapgenpse get_my_name -p SAPSNCS. 8. Verify whether the SNC name is configured correctly. An ‘Internal server message’ is displayed. Verify whether the security token file SAPSNCS. All rights reserved. To unlock the authentication profile. Verify whether an SNC certificate was provided to Secure Login Library PSE environment.3. verify whether the environment variable SECUDIR is configured correctly for the user who is starting the SAP server. 6. Administration of the Internet Communication Manager Additional Profile icm/conn_timeout .9 Internal Server Message You tried to authenticate to an AS Java using a login module stack. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting PUBLIC © 2013 SAP AG or an SAP affiliate company. Enable Secure Login Library Trace and analyze the problem. use the Unlock button in the Secure Login Administration Console. http://service. For more information. Related Information Configuring Tracing for Secure Login Library [page 86] In the case of an error. but did not succeed.3. For more information.com/sap/support/notes/1834979 6. 213 . a) Start the command line shell and change to the folder <DIR_INSTANCE>/exe/sll.8 Secure Login Authentication Profile Lock and Unlock A Secure Login authentication profile locks itself when it detects a serious problem such as authentication server failure that affects all clients. b) Set the environment SECUDIR = <DIR_INSTANCE>/sec.3.sap. If the error messages Couldn’t acquire DEFAULT INITIATING credentials is displayed. see Internet Communication Manager (ICM) in the SAP Library under Parameters Related Information Parameters for Destination Management Configuration [page 189] Configure destinations if you use LDAP or RADIUS login modules or user logon ID mapping.6.pse -x <password> -O <SAP_service_user>.10 Error Codes Error codes and return codes for Secure Login Server This chapter describes the error codes and return codes.pse is available in folder <DIR_INSTANCE>\sec. A reason for this error could be an ICM timeout error. 6. In the log file on client side. The user might lock a directory.10. see Forced Use of HTTPS [page 103]. During an update. and thus block the update process from replacing the files. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting . and log on again. we recommend that you switch on logging and have a look at the log file to get more information about the cause of the error.3. restart your browser. the native libraries on your server system might be manipulated. For more information.1 Secure Login Web Client Error Codes The following table provides you with an overview of the Secure Login Server error codes. All rights reserved. Thus the configuration is newly read in. the native libraries must be updated. Caution If this error persists. Error Code Client Error 0x01 Error Message Problem during download or saving the native components. To remedy the error. Check the Secure Login Server installation for consistency. 214 PUBLIC © 2013 SAP AG or an SAP affiliate company. Client Error 0x02 Insecure HTTP connection to Secure Login Server is rejected. Client Error 0x03 Checksum error in local or remote Secure Login Web Client libraries. this is a connection error that prevented that the native libraries were downloaded to the Secure Login Web Client or saved in the user's directory. it is generally sufficient to restart SAP GUI and your browser. you can see which file is corrupted. This removes the locking mechanism. Description In most cases. If the error persists. This error occurs when a user is working online during an update from SAP NetWeaver Single Sign-On 1.0 SP1 or SP2 to a higher support package. To remedy the error. log off from SAP GUI. Attempted buildup of an HTTP connection instead of a (secured) HTTPS connection.6. We recommend that you switch on logging and have a look at the log file to get more information about the cause of the error. otherwise you get this error. Client Error 0x06 Communication Error with the native SLWC agent. Client Error 0x08 Web Client is running in Web Adapter Mode.Error Code Client Error 0x04 Error Message Unknown or untrustworthy Secure Login Server user certificate issuer is rejected. Client Error 0x09 Cannot load configuration for web client. If this error occurs. but no Web Adapter installation is found.3. Contact the administrator to see what is wrong with the profile. 215 . Install Secure Login Client with Web Adapter option. abort. abort. The administrator configured the Secure Login Web Client to run in Web Adapter mode. The Secure Login Web Client can only run in Mac OS X or Microsoft Windows. Description PKI checking error. proceed as described in PKI Check before Storing in a Client Certificate Store [page 104] Client Error 0x05 This Platform is not supported by the web client. A root CA from the user CA of the Secure Login Server must be available in the Microsoft Trusted Root Certification Authorities. Note This error only occurs in Microsoft Windows and Mac OS operating systems. The Secure Login Web Client could not load the configuration. Users must install the SAP GUI on their systems. All rights reserved. Usually this happens if the profile was configured to use the Windows Secure Login Client. Client Error 0x07 Please install SAP Gui This happens when the SAP GUI is not installed on the users’ client. This can happen when the key size is greater than 1024. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting PUBLIC © 2013 SAP AG or an SAP affiliate company.11 Monitoring Secure Login Server This topic provides information about Application Server monitoring utilities you can use. 6. and a Secure Login Web Client accessed this profile. but the Web Adapter option was not activated during the installation. abort. 3.2 Configuring Logging Using Log Configuration you can configure the severities of log controllers online in the whole system or in certain system instances. we recommend that you use monitoring utilities provided by SAP NetWeaver AS Java. In SAP NetWeaver Administrator. All rights reserved.com/saphelp_nw73ehp1/helpdata/en/47/af4560fa711503e10000000a42189c/content. Alternatively. start Log Viewer by choosing Troubleshooting Logs and Traces Log Viewer . Related Information http://help.3.12.12. the logs are managed in AS Java’s logging framework.1 Viewing Logs With Log Viewer.3. It might help you to find a solution for your issue. When deploying a configuration on SAP NetWeaver AS Java. For more information.If you suspect that there might be an issue with Secure Login Server. These log records assist you to monitor and diagnose problems. Function-Oriented View Solution Lifecycle Management 6.sap. start it in the browser at https://<host>:<port>/nwa/logs. 6. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting . Secure Login Server writes log messages and debug traces to the following log controllers: Table 56: Category Category Applications/Common/Security/SecureLoginServer/ Authentication Applications/Common/Security/SecureLoginServer/ Certificates Applications/SecureLoginServer/Server Default Severity INFO INFO INFO 216 PUBLIC © 2013 SAP AG or an SAP affiliate company. you can view all log and trace messages generated in the whole SAP NetWeaver system landscape.12 Logging and Tracing Secure Login Server with the Log Viewer of SAP NetWeaver Administrator You can use the Log Viewer tool of SAP NetWeaver Administrator to log Secure Login Server.htm 6. see SAP Help Portal under Solution Monitoring . severities INFO. WARNING.com/saphelp_erp60_sp/helpdata/en/47/af5645fa711503e10000000a42189c/frameset.com/securelogin. Alternatively.htm Troubleshooting Logs and Log Configuration . start it in the browser at https://<host>:<port>/nwa/log- Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Troubleshooting PUBLIC © 2013 SAP AG or an SAP affiliate company.Category Applications/Common/Security/NetweaverSSO/ Certificates Applications/Common/Security/NetweaverSSO/ KeyStore Applications/ NetweaverSSO/Server Applications/SecureLoginServer/SLAC System/Security/SecureLoginServer/SLAC Table 57: Location Location com. All rights reserved. The changes are effective immediately.sap. see Log Configuration with SAP NetWeaver Administrator. Related Information http://help. ERROR. To start log configuration.ui Default Severity INFO INFO INFO INFO INFO Default Location INFO To view log and debug entries with a lower severity. open SAP NetWeaver Administrator and choose Traces config. FATAL etc. For more information. There are no log objects and sub-objects.securelogin.com/SecureLoginServer sap. change the log configuration in the log configurator.sap.). 217 . The log messages of Secure Login Server are compliant with the logging and tracing concept of SAP NetWeaver AS Java (for example.* (and subnodes) Table 58: Location Application sap. Shamir and Adleman 218 PUBLIC © 2013 SAP AG or an SAP affiliate company. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide List of Abbreviations .7 List of Abbreviations Meaning Abbreviatio ns ADS CA CAPI CSP DN EAR HTTP HTTPS IAS JAAS LDAP NPA PEM PIN PKCS PKCS#10 PKCS#11 PKCS#12 PKI PSE RADIUS RFC RSA Active Directory Service Certification Authority Microsoft Crypto API Cryptographic Service Provider Distinguished Name Enterprise Application Archive Hyper Text Transport Protocol Hyper Text Transport Protocol with Secure Socket Layer (SSL) Internet Authentication Service (Microsoft Windows Server 2003) Java Authentication and Authorization Service Lightweight Directory Access Protocol Network Policy and Access Services (Microsoft Windows Server 2008) Privacy Enhanced Mail Personal Identification Number Public Key Cryptography Standards Certification Request Standard Cryptographic Token Interface Standard Personal Information Exchange Syntax Standard Public Key Infrastructure Personal Security Environment Remote Authentication Dial-In User Service Remote function call (SAP NetWeaver term) Rivest. All rights reserved. Abbreviatio ns SAR SCA SLAC SLC SLL SLS SLWC SNC SSL UPN WAR WAS Meaning SAP Archive Software Component Archive Secure Login Administration Console Secure Login Client Secure Login Library Secure Login Server Secure Login Web Client Secure Network Communication (SAP term) Secure Socket Layer User Principal Name Web Archive Web Application Server Secure Login for SAP NetWeaver Single Sign-On Implementation Guide List of Abbreviations PUBLIC © 2013 SAP AG or an SAP affiliate company. 219 . All rights reserved. A certificate typically includes: ● ● ● ● ● The public key being signed. which is quite efficient Certificate A digital identity card. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Glossary . A user’s name and password are compared against an authorized list. All rights reserved. The most common certificate standard is the ITU-T X. or an organization. Certification Authority (CA) An entity which issues and verifies digital certificates for use by other parties. This encoding has been introduced in PEM (RFC1421) and MIME.509. 220 PUBLIC © 2013 SAP AG or an SAP affiliate company. Note Base64 encoding expands binary data by 33%. A validity period. In a multi-user or network system. A name which can refer to a person. The digital signature of the certificate produced by the private key of the CA. Other uses include HTTP Basic Authentication Headers and general binary-to-text encoding applications. a computer. The location (URL) of a revocation center. authentication means the validation of a user’s logon information. Base64 Encoding The Base64 encoding is a three-byte to four-characters encoding based on an alphabet of 64 characters.8 Glossary Glossary for Secure Login Authentication A process that checks whether a person is really who they are. or issued by a trusted third party. CRL Distribution Point Publicly available location where a Certification Authority (CA) hosts its certificate revocation list (CRL). Cryptographic credentials are often designed to expire after a certain period. although this is not mandatory. 221 . Cryptographic Application Programming Interface (CAPI) The Cryptographic Application Programming Interface (also known variously as CryptoAPI. Microsoft Cryptography API. in many cases the only criterion for issuance is unambiguous association of the credential with a specific. or simply CAPI) is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography. All rights reserved.Certificate Revocation List (CRL) A group of certificates that have been declared to be invalid. Cryptographic credentials may be self-issued. It is a set of dynamically-linked libraries that provides an abstraction layer which isolates Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Glossary PUBLIC © 2013 SAP AG or an SAP affiliate company. Usually they take the form of machine-readable cryptographic keys and/or passwords. Credentials Used to establish the identity of a party in communication. CREDDIR A directory on the server in which information is placed that goes beyond the PSE (personal security environment). The certificate revocation list is maintained and publically released by the issuing Certification Authority (CA) and typically contains the following information: ● ● ● The certificate's serial number The issuing CA's Distinguished Name The date of revocation Certificate Store Sets of security certificates belonging to user tokens or certification authorities. real individual or other entity. Credentials have a defined time to live (TTL) that is configured by a policy and managed by a Client service process. programmers from the code used to encrypt the data. 222 PUBLIC © 2013 SAP AG or an SAP affiliate company. You can use them to restrict the public key to as few or as many operations as needed. similar to a telephone book (e. An extended key is either critical or non-critical. it indicates the intended purpose or purposes of the key and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates.g. All PKI users require a unique name. If the extension is critical. a X. For example.500. Nevertheless. if you have a key used only for signing. if a key is used only for key management. Alternatively. If the certificate is used for another purpose. If the extension is non-critical. All rights reserved. The uniqueness of the certificate is additionally ensured by the name of the issuer of the certificate (that is. applications that use certificates may require that a particular purpose be indicated in order for the certificate to be acceptable. Key Usage (extended) Extended key usage further refines key usage extensions. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Glossary . The extension is then only an informational field and does not imply that the CA restricts use of the key to the purpose indicated. Cryptographic Token Interface Standard A standardized crypto-interface for devices that contain cryptographic information or that perform cryptographic functions. Distinguished Name (DN) A name pattern that is used to create a globally unique identifier for a person. This name ensures that a certificate is never created for different people with the same name. Distinguished Names are defined in the ISO/ITU X. Within a PKI: Contains information about the public key of the user of the security infrastructure. the Certification Authority) and the serial number. the certificate must be used only for the indicated purpose or purposes.500 or LDAP directory). enable the digital signature and/or non-repudiation extensions. enable key encipherment. it is in violation of the CA's policy. Lightweight Directory Access Protocol (LDAP) A network protocol designed to extract information such as names and e-mail addresses from a hierarchical directory such as X. Directory Service Provides information in a structured format. Key Usage Key usage extensions define the purpose of the public key contained in a certificate.500 standard. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Glossary PUBLIC © 2013 SAP AG or an SAP affiliate company. PKCS#11 PKCS refers to a group of Public Key Cryptography Standards devised and published by RSA Security. PEM defines a “printable encoding” scheme that uses Base64 encoding to transform an arbitrary sequence of octets to a format that can be expressed in short lines of 7-bit characters. and the + and / symbols. as required by transfer protocols such as SMTP.and lowercase Roman alphabet characters (A–Z. the server sequentially processes the login module stack that applies to the component that the user accesses. All rights reserved. a–z). A PSE is a security token container with security-related information. the numerals (0–9). The current version of PEM (specified in RFC 1421) uses a 64-character alphabet consisting of upper. and other secret information. The "=" symbol is also used as a special suffix code. Personal Identification Number (PIN) A unique code number assigned to the authorized user. Privacy-Enhanced Mail (PEM) The first known use of Base64 encoding for electronic data transfer was the Privacy-enhanced Electronic Mail (PEM) protocol. certificates. This includes the certificate and its secret private key. When a user is authenticated on the J2EE Engine. PKCS#11 is an API defining a generic interface to cryptographic tokens. Personal Security Environment The PSE is a personal security area that every user requires to work with. Personal Information Exchange Syntax Standard Specifies a portable format for saving or transporting a user’s private keys. The original specification additionally used the * symbol to delimit encoded but unencrypted data within the output stream. 223 . The PSE can be either an encrypted file or a Smart Card and is protected with a password. proposed by RFC 989 in 1987. It is possible to assign different login module stacks to different components.Login Module Stack (Authentication Stack) List of login modules containing authentication logic that is assigned to a component. thus enabling pluggable authentication. and Adleman in 1977. All users of the PKI must trust it. a user requires the certificate path as well as the root certificate. Shamir.509 PKI systems. Security depends on the length of the key: key lengths of 1024 bits or higher are regarded as secure. people. To check foreign certificates. with a root certificate at the top. Its certificate is signed with a private key.Public FSD Public file system device. representing a CA that does not need to be authenticated by a trusted third party. and methods that are involved in creating. It is the most widely-used algorithm for encryption and authentication. An external storage device that uses the same file system as the operating system. guidelines. for the secure exchange of information over the Internet. developed by Rivest. RSA An asymmetric. the hierarchy of certificates is always a top-down tree. In X. Public Key Infrastructure Comprises the hardware. Is used in many common browsers and mail tools. Is often structured hierarchically. Root Certification Authority The highest Certification Authority in a PKI. software. There can be any amount of CAs between a user certificate and the root Certification Authority. Public Key Cryptography Standards A collection of standards published by RSA Security Inc. saving. administering. cryptographically procedure. distributing. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Glossary . and revoking certificates based on asymmetric cryptography. Root Certification The certificate of the root CA. 224 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. Smart Card. The term may also refer to software tokens. 225 . Tokens provide access to a private key that allows performing cryptographic operations. Smart-card-based USB tokens (which contain a Smart Card chip inside) provide the functionality of both USB tokens and Smart Cards. Token A security token (or sometimes a hardware token. Ensures the authorization of communication partners and the confidentiality. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Glossary PUBLIC © 2013 SAP AG or an SAP affiliate company. integrity. All rights reserved. cryptographically libraries. and a domain name (optional). Secure Sockets Layer A protocol developed by Netscape Communications for setting up secure connections over insecure channels. Microsoft Windows Credentials A unique set of information authorizing the user to access the Microsoft Windows operating system on a computer. They enable a broad range of security solutions and provide the abilities and security of a traditional Smart Card without requiring a unique input device (Smart Card reader). and authenticity of transferred data. The credentials usually comprise a user name. and CAPI container) or non-persistent (like temporary keys provided by Secure Login). The private key may be persistent (like a PSE file. Single Sign-On A system that administrates authentication information allowing a user to logon to systems and open programs without the need to enter authentication every time (automatic authentication). authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication. The library is addressed using GSS API functions and provides NetWeaver components with access to the security functions. From the computer operating system’s point of view such a token is a USB-connected Smart Card reader with one non-removable Smart Card present. a password.Secure Network Communications A module in the SAP NetWeaver system that deals with the communication with external. 226 PUBLIC © 2013 SAP AG or an SAP affiliate company. X.500 A standardized format for a tree-structured directory service.X. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Glossary .509 A standardized format for certificates and blocking list. or Upgrade Guides. the demands on security are also on the rise. either SAP NetWeaver AS Java or SAP NetWeaver AS ABAP according to the component. Technical Operation Manuals. Therefore. negligence. All rights reserved. or attempted manipulation of your system should not result in loss of information or processing time. Why is Security Necessary? With the increasing use of distributed systems and the Internet for managing business data. Target Audience ● ● ● Technology consultants Security consultants System administrators This document is not included as part of the Installation Guides. To assist you in securing Secure Login. whereas the Security Guides provide information that is relevant for all life cycle phases. This guide does not replace the administration or operation guides that are available for productive operations. 227 . Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide PUBLIC © 2013 SAP AG or an SAP affiliate company.1 Before You Start Review the information provided here before you begin your security configuration. see the SAP NetWeaver Security Guide for your release. Such guides are only relevant for a certain phase of the software life cycle. 9. For more information. User errors.9 Secure Login Security Guide Caution The security guide provides an overview of the security-relevant information that applies to Secure Login. we provide this Security Guide. you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. When using a distributed system. Configuration Guides. These demands on security apply likewise to Secure Login. the corresponding security guides also apply to Secure Login. Fundamental Security Guides You install components of Secure Login on host SAP NetWeaver Application Servers. sap. Table 59: Important SAP Notes Title Release Note SAP NetWeaver Single Sign-On 2.509 and Kerberos security tokens.com/solutionmanagerOn SAP Service Market Place 9.0 SAP Note SAP Note 1808526 Comment The release note for SAP NetWeaver Single Sign-On 2.com/community/securityOn SAP Community Network http://service. but also requires or uses third-party and operating system components. You must consider all these components for a complete and integrated secure system.htmFor Enhancement Package 1 for SAP NetWeaver 7. which is the basis for reliable security services for the consuming of business applications and end-user systems. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide . Table 60: Entities of an SAP NetWeaver SSO System Landscape Entity Secure Login Library Description Security protocol provider for SAP NetWeaver Application Server ABAP (SNC). All rights reserved. and SAP NetWeaver Application Server Java (SSL).sap. Supports X. SAP RFC (SNC).Important SAP Notes The most important SAP Notes that apply to the security of the Secure Login component appear in the following table. Supports X.sap.0 describes the components and features of this release.0 Related Information SAP Note 1912175 http://help. Security client for end users.com/securitynotesOn SAP Service Market Place http://scn.2 Component Overview SAP NetWeaver Single Sign-On consists of its product components. Provides security protocols and credentials to run secure sessions with SAP GUI or web applications.3 on SAP Help Portal https://service.sap. The central note provides productspecific information. Secure Login Client 228 PUBLIC © 2013 SAP AG or an SAP affiliate company.509 and Kerberos security tokens.com/saphelp_nw73ehp1/helpdata/en/f3/780118b9cd48c7a668c60c3f8c4030/frameset. Central note for SAP NetWeaver Single Sign-On 2. For more information. For RADIUS-based end-user authentication. and Secure Login Server. RSA SecurID tokens can be used. Secure Login Web Client Microsoft Windows server (domain controller) Microsoft Windows server (Active Directory) LDAP directory server RSA authentication server 9. All rights reserved. For LDAP-based end-user authentication. To avoid conflicts with an existing installation of SAPCRYPTOLIB version 5. Only add those files you need to change. Windows domain users and their passwords are managed here.509 certificate provider running on SAP NetWeaver Application Server Java.3 Secure Login Library 9.3. Browser-embedded and zero-footprint end-user client. For LDAP-based end-user authentication. Secure Login Client. see the product guide. which comes as an integrated component of Secure Login Server. 229 . The minimal configuration runs with built-in defaults. as both security libraries use the same library and utility file names (libsapcrypto.1 Installation Procedures and Settings for Secure Login Library Secure Login Library is shipped as platform SAP CAR archives without an installation program.5. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide PUBLIC © 2013 SAP AG or an SAP affiliate company. library and command line utility files. as well as of configuration XML files to the minimum set that is required by the application server processes. service users from the respective Windows domains are required. Limit file permissions of installation folders.Entity Secure Login Server Description X. No XML files are required. classical LDAP directories can also be used. a different installation folder is required. Supports end user authentication to several SAP and third-party services. The installation depends on respective platform and operating system. sapgenpse). For Kerberos and SPNego based authentication in Secure Login Library. Status: The FIPS cryptographic kernel is currently in the process of certification.2 INTEL AES-NI Support Secure Login Library is shipped with AES Native Interface support for several INTEL CPUs (Windows and Linux OS only). To make sure they are not used.2.1.1 FIPS 140-2 Crypto Kernel Secure Login Library is shipped with a FIPS 140-2 compliant cryptographic kernel module. delete the original files from the library folder beforehand. who must be able to read and write. 9. All rights reserved.3. To run Secure Login Library in an FIPS compliant cryptography mode. you must copy the files from subfolder / fips/ to the library folder manually. The utility displays the AES-NI status and other crypto relevant information. To check if Secure Login Library is running in FIPS mode.1.2 Initialization Procedures for Secure Login Library Secure Login Library requires a Personal Security Environment file (PSE). run the command line utility cryptinfo. which prints out the FIPS compliance status and other crypto relevant information. Both types allow local generation by a command line utility or import from existing key stores. Only allow privileged administrators.3. as well as with an extended cryptographic kernel module. or one or more Kerberos keytab identities. 9. Use the file permissions of the respective operating systems to grant minimum access only. but increases the speed of encryption operations.3. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide .Table 61: Example Alternate Installation Folders Operating System Windows Unix/Linux Alternate Installation Path D:\usr\sap\SE1\SCS02\exe\sll\ /usr/sap/NW1/DVEBMGS00/exe/sll/ 9. 9. 230 PUBLIC © 2013 SAP AG or an SAP affiliate company. and application processes that must be able to read such key files to do so.3. which contains either an X.509 certificate identity with PKI trust anchors. or both. To find out if a respective host supports AES-NI. This hardware accelerated AES encryption does not affect the level of security. run the command line utility cryptinfo.1 File Permissions of Key Files Store any kind of key files (PSE or PKCS#12) with limited file permissions. 509 Certificates You can generate a new PSE file and an X. 231 . sapgenpse implements a built-in medium-strength password policy to avoid weak passwords: ● ● ● ● ● 8 character minimum length 1 or more lowercase letters 1 or more uppercase letters 1 or more digits 1 or more special characters Tip We recommended that you choose a stronger password than this policy enforces.509 certificate has a shorter key size than recommended for the desired PKI role.The command line utilities shipped with Secure Login Library set such minimum file permissions if possible. depending on the planned key life time and the PKI role of the identity. We recommended that you check these automatically generated permissions after write operations.3. In this case. The number of bits should be high enough to avoid brute force attacks against the public key. It does not replace the password of the PSE.509 certificate key from a PSE requires you to enter a new password.509 certificate identity with the command line utility sapgenpse. A new X. Table 62: Recommended Key Size According to Role and Lifetime PKI Role Root certification authority Intermediate server CA Intermediate user CA SSL or SNC server End user End user short-lived Key Lifetime 10 years 10 years 5 years 10 years < 1 year < 1 day RSA Key Size 4096 bits 4096 bits 2048 bits 2048 bits 2048 bits 2048 bits An X.509 certificate identity may also be imported from a PKCS#12 key file. 9. for example.2 X.2. If the imported X. the PKCS#12 transport password is only used to read from the file.509 certificate requires an RSA key size of a specific number of bits. Generating a new PSE and exporting an X. All rights reserved. The table below lists the recommended key size. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide PUBLIC © 2013 SAP AG or an SAP affiliate company. consider contacting the originator of the key and ask for a larger one. more characters. If a PKCS#12 transport password seems to be weaker than the password of the PSE. which protects the key file against unauthorized access. we recommended that you delete the PKCS#12 file or move it to a protected folder after the import operation succeeded. more characters.2. and consists of the service principal name and the service account password. However. Generating a new PSE for Kerberos keytab identities requires you to enter a new password. If you do. also in a secure place that can be locked or encrypted. The second option to get a Kerberos keytab identity into a PSE file is to import it from a keytab file.3. for example. This includes that the primary instance where to enter a new service account password is the Windows domain controller.3 STRUST Managed PSEs and X.5.4 Kerberos Keytabs You can generate a new PSE file and one or more Kerberos keytab identities with the command line utility sapgenpse. As Secure Login Library works in a so-called offline Kerberos verification mode. 9. which should have its own password policy configuration in place. 9. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide . If such password is weaker than recommended.509 certificate identity can also come from SAP NetWeaver AS ABAP and its STRUST transaction. A single keytab identity represents the service account created on a Windows domain controller. The configuration is also done manually and offline. All rights reserved. It should only be considered if the service account passwords must not be shared 232 PUBLIC © 2013 SAP AG or an SAP affiliate company. We do not recommended this option. In this case. keyfile and password are generated and managed by STRUST.3. Do not copy and distribute PSE or PKCS#12 files unless you really need to.509 Certificates A PSE file with X. because the Windows domain controller does not provide a secure way to store and transport keytab files. which protects the key file against unauthorized access. there is no technical communication between SAP NetWeaver AS ABAP and Windows DC. sapgenpse implements a built-in medium-strength password policy to avoid weak passwords: ● ● ● ● ● 8 character minimum length 1 or more lowercase letters 1 or more uppercase letters 1 or more digits 1 or more special characters Tip We recommended that you choose a stronger password than this policy enforces.Do not write on paper or print out any password unless you really need to.2. consider contacting the administrator of the account and ask for a better password. This requires you to export the keytab on the Windows domain controller side. we recommended that you have a secure backup of such files. keep such paper or file copy in a secure place that can be locked or encrypted. which uses the underlying SAPCRYPTOLIB version 5. Both must be exactly the same on Windows domain controller side and in the respective command line of sapgenpse. there are several properties that can be used to fine-tune the security protocols and the cryptographic algorithms they use. For more information. All rights reserved. or SNC is turned on too early which may lead to a lock-out of all users including administrators. It is important to understand how to configure SNC for SAP NetWeaver AS ABAP server and its users and services.htm? frameset=/en/e6/56f466e99a11d1a5b00000e835363f/frameset. In this case.sap. PSE and cred_v2 files cannot be used on any other system. only local OS level access to the instance profile and command line allow you to repair and restart the server again. 233 . and minimal file permissions of the folder containing PSE and cred_v2 files. SSO credentials generated by sapgenpse. The respective configuration is done in the ABAP instance profile.com/saphelp_nw73ehp1/helpdata/en/e6/56f466e99a11d1a5b00000e835363f/content. which is a text property file that is either edited manually or by ABAP transaction RZ10.2. recommended application server and OS patches.3. 9.htmas part of SAP Help Portal documentation for Enhancement Package 1 for SAP NetWeaver Application Server 7.3.3 Configuration Procedures and Settings for Secure Login Library Secure Login Library comes with a strong default configuration. and store it in the credentials file (cred_v2) of the PSE. However. In the latter case.2.between two administrators. Secure Login Library enables you to enter the PSE password once on a server. SNC is not enforced and insecure and password-based logon is still possible. Any changes in XML configuration files should be cross-checked and tested before applied to a production system.3. no need for entering PSE passwords at restart). This minimizes the risk of stolen PSE and cred_v2 files. and requires a protected operating system by standard means like firewalls. see the documentation for SNC. On Windows platforms. through a protected file system. 9. Otherwise. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide PUBLIC © 2013 SAP AG or an SAP affiliate company. and if there is a secure way to exchange such unprotected keytab files in a secure way. for example. Related Information http://help. This SSO credentials mechanism is not highly secure on most platforms. See the administration guide for details.5 Single Sign-On Credentials To allow unattended server restart (for example.6 SAP NetWeaver AS ABAP Instance Profile (SNC) Secure Login Library is used by SAP NetWeaver AS ABAP to act as a protocol provider for SNC.exe are protected with the data protection key of the host (Windows Data Protection API).3 9. you can activate tracing for Secure Login Library. but your decision also depends on the security policies and conditions of your infrastructure and landscape. you can achieve multiple security levels and use them in parallel or role-based.4 Runtime Security Considerations for Secure Login Library Turn off massive and raw data traces in productive systems. for example.509 certificate or Kerberos keytab based operations are similar to the initialization. for example. The installation can only be performed by a local or Windows domain user with sufficient permissions to install software and system components.1 Installation Procedures and Settings for Secure Login Client Secure Login Client is shipped with an SAP Setup installation program. The following table provides help on selecting the right mechanisms. easy to roll out.4.3. Secure Login Server. Related Information Configuring Tracing for Secure Login Library [page 86] In the case of an error. no SSL or SSF Windows authentication (SPNego to Medium X. Secure Login Client. You can.All X. and Secure Login Library are designed to support you in increasing the security level in your organization. infrastructure given existing 234 PUBLIC © 2013 SAP AG or an SAP affiliate company. start with Kerberos and move groups of users to RSA SecurID or Smartcard later on. All rights reserved. 9. see the respective recommendations. 9.SNC authentication only.4 Secure Login Client 9. during testing and trouble shooting. infrastructure given existing Microsoft Domain . As Secure Login Client supports several end-user credentials or tokens. Use logging and tracing only if required.509) + Very high usability. very easy to roll out. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide . Security Token Windows authentication (Kerberos) Security Level Medium Assessment + Very high usability. RSA Server and SecurID token life cycle management required Smartcard (X. there is already a selfsigned X.Enterprise PKI or public trust center services and smartcard life cycle management required 9.509 certificates from the Windows certificate store.509) Medium + High usability. which only requires you to register the respective group URL. A more flexible way is to use Secure Login Server as a client policy server. The client profiles may be imported into a client machine by means of Microsoft group policy objects or registry file imports into the Policies section of the host. 235 .509 on the fly .Security Token Security Level Assessment Microsoft Domain. and should not offer plain HTTP ports if possible.509) Very high + Supports SNC/SSL/SSF .509) High + Supports SNC/SSL/SSF + Secure Login Server allows to generate X.4. supports SNC/SSL/SSF . but with the following Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide PUBLIC © 2013 SAP AG or an SAP affiliate company. In any case. or gets Secure Login Server client profiles from the Windows registry. To enforce HTTPS communication with Secure Login Server. supports SNC/SSL/SSF + Secure Login Server allows to generate X. supports SNC/SSL/SSF + Secure Login Server allows to generate X.2 Initialization Procedures for Secure Login Client Secure Login Client makes use of existing X. SAP NetWeaver AS Java must provide SSL ports with server authentication. Secure Login Client uses the registered security settings from the profiles. which is used by the download agent component to retrieve the profiles of the group. the Kerberos tickets of the current user.509 Password (LDAP or ABAP Basic Authentication to X.Enterprise PKI or public trust center services required to roll-out X.509 certificate available for SSL connections. After a default installation of SAP NetWeaver Application Server (SAP NetWeaver AS) Java.509 on the fly RSA SecurID (One Time Passcodes to X.509) Medium + High usability. All rights reserved.509 on the fly Software Certificate (X. It is the responsibility of Secure Login Server and its administration console to generate client profiles with the recommended and secure default protocols. You can use this certificate. sap. during testing and troubleshooting.htmSAP Help Portal documentation for Enhancement Package 1 for SAP NetWeaver 7.com/saphelp_nw73ehp1/helpdata/en/48/7f28a10fa44cdbe10000000a42189d/content. 9. for example.com/saphelp_nw73ehp1/helpdata/en/bc/2ee9a2d023d64eac961745ea2cb503/content. you must configure a file for client tracing in each client.3 Configuration Procedures and Settings for Secure Login Client Secure Login Client gets its security configuration from Secure Login Server. replace the self-signed certificate as soon as possible and before any end user is allowed to connect to Secure Login Server.4 Runtime Security Considerations for Secure Login Client Turn off massive and raw data traces in productive systems.4. There are no further security related configuration properties. In this case it is crucial that the administrator compares certificate name and fingerprint on web browser side with the certificate in SAP NetWeaver AS Java.htmSAP Help Portal documentation for Enhancement Package 1 for SAP NetWeaver 7. A technically educated administrator can ignore this. Use logging and tracing only if required. A valid and trusted SSL server certificate can be issued by an existing in-house or external trust center or simply by Secure Login Server.sap. 9. you find information about how you can configure Secure Login Server. Related Information http://help. 9. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide .3 http://help.htm? frameset=/en/22/757da81d90447696213e5863e8fdf8/frameset.htm? frameset=/en/cd/a3937849b043509786c5b42171e5d3/frameset.restriction: Because it is only self-signed. However. All rights reserved.4. Related Information Configuring Client Tracing [page 41] If you want to switch on tracing of Secure Login Client. it is not recognized by web browsers as a trusted certificate from a known public-key infrastructure. This way it is possible to administrate SAP NetWeaver AS Java over an SSL encrypted channel. as long as the web browser offers to ignore the warning and continue with opening the connection.5 Secure Login Server 236 PUBLIC © 2013 SAP AG or an SAP affiliate company.3 Configuration [page 119] In the following. A new X. Table 63: Recommended Key Size According to Role and Lifetime PKI Role Root certification authority Intermediate server CA Intermediate user CA SSL or SNC server Key Lifetime 10 years 10 years 5 years 10 years RSA Key Size 4096 bits 4096 bits 2048 bits 2048 bits Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide PUBLIC © 2013 SAP AG or an SAP affiliate company. If you use telnet.509 certificate requires you to select the RSA key size in number of bits. All rights reserved. 9.2. The number of bits should be high enough to avoid brute force attacks against the public key. depending on the planned key life time and the PKI role of the identity. A telnet deployment on a remote host is highly insecure.1 Installation Procedures and Settings for Secure Login Server Secure Login Server is shipped as an application deployment package for SAP NetWeaver Application Server Java . 9.509 Certificate Identities and PKI The initialization wizard enables you to create and configure a default set of PKI and client profile objects with recommended secure defaults.5. 237 .5. Caution We do not recommend using the command line-based installation tool using telnet.5. Related Information Secure Login Server Installation with Software Update Manager [page 92] This topic describes how you install Secure Login Server with the Software Update Manager. The recommended installation tool is Software Update Manager. as plain telnet sessions are not encrypted.2 Initialization Procedures and Settings for Secure Login Server You initialize the Secure Login Server automatically when you start the Secure Login Administration Console page the first time after a fresh deployment.1 X.9. you must run it on the local host. The table below lists the recommended key size. Only administrator and operator users that work with Secure Login Server Administration Console shall get SLAC roles. Only use the role SLAC_SUPERADMIN for initialization and emergency operations.2. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide . We recommended that you do not assign SLAC roles to business users.2 Authorizations and Roles Secure Login Server deploys user management engine roles for SAP NetWeaver AS Java that enable you to securely initialize Secure Login Server.5. Action Pages s Client Authentication Destination Management Destinations Certificate Management System Management System Check Client Authentication Profile Write SLAC_ Yes Client Mngt_ All SLAC_ No Client Mngt_ ReadO nly SLAC_ No CertM ngt_All SLAC_ No CertM ngt_Re adOnly Read Yes Profile Groups PKI Structure Sign Certificate Requests Write Yes Read Yes Write Yes Read Yes Write No Read No Write No Read No Write Read No No Yes No Yes No Yes No No No No No No No No No No No Yes Yes No No No No No No No No No No Yes No No No No 238 PUBLIC © 2013 SAP AG or an SAP affiliate company. use the other dedicated SLAC roles. For other administrative operations. All rights reserved. Normal business users do not require SLAC roles.PKI Role End user End user short-lived Key Lifetime < 1 year < 1 day RSA Key Size 2048 bits 2048 bits 9. All rights reserved. 239 .Action Pages s Client Authentication Destination Management Destinations Certificate Management System Management System Check Client Authentication Profile Write SLAC_ No SignCe rtReq_ All SLAC_ No SignCe rtReq_ ReadO nly SLAC_ No Syste mChec k_All SLAC_ No Syste mChec k_Rea dOnly Read No Profile Groups PKI Structure Sign Certificate Requests Write No Read No Write No Read No Write No Read No Write Yes Read Yes Write Read No No No No No No No No No No Yes No No No No No No No No No No No Yes Yes No No No No No No No No No No Yes Actions Roles SLAC_CERT_ ADMIN SLAC_CERT_ READONLY SLAC_OPERA TOR SLAC_OPERA SLAC_SUPER TOR_READON ADMIN LY No Yes SLAC_SUPPO RTER SLAC_ClientM Yes ngt_All SLAC_ClientM No ngt_ReadOnly SLAC_CertMn Yes gt_All SLAC_CertMn No gt_ReadOnly No Yes No No No Yes No Yes No No No Yes No Yes No No No Yes Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide PUBLIC © 2013 SAP AG or an SAP affiliate company. Actions Roles SLAC_CERT_ ADMIN SLAC_CERT_ READONLY SLAC_OPERA TOR SLAC_OPERA SLAC_SUPER TOR_READON ADMIN LY No Yes SLAC_SUPPO RTER SLAC_SignCer Yes tReq_All SLAC_SignCer No tReq_ReadOnl y SLAC_System No Check_All SLAC_System No Check_ReadO nly No No No Yes No No No Yes No Yes No Yes No No No Yes No Yes 9.5.3 Configuration Procedures and Settings for Secure Login Server Use the Secure Login Administration Console to change the security configuration of the Secure Login Server. 9.5.3.1 Secure Connections For new or changed Client Authentication Profiles, we strongly recommend the default protocol HTTPS. Otherwise, you send user passwords in clear text over the network. Also configure external authentication back-end systems connected to Secure Login Server as destinations (ABAP/RFC, Active Directory/LDAP, RADIUS/RSA) to allow a secure communication. How to do configure secure communication depends on the respective protocol and back-end product. Protect RFC connections to SAP NetWeaver AS ABAP servers with SNC, LDAP with SSL, and RADIUS with Challenge-Handshake Authentication Protocol (CHAP) and a shared secret for session key agreement. 9.5.3.2 X.509 Certificate Identity Export Exporting an X.509 certificate identity in Certificate Management to a PSE or PKCS#12 file requires you to enter a new password, which protects the key file against unauthorized access. Secure Login Server implements a built-in medium-strength password policy to avoid weak passwords: 240 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide ● ● ● ● ● 12 character minimum length 2 or more lowercase letters 2 or more uppercase letters or Unicode letters 2 or more digits 2 or more special characters Tip We recommended that you choose a stronger password than this policy enforces, for example, more characters. You can also manage and export the same X.509 certificate identities in SAP NetWeaver Administrator, but without the recommended password policy. We strongly recommended that you only use Secure Login Administration Console for such operations. A new X.509 certificate requires you to select the RSA key size in number of bits. The number of bits should be high enough to avoid brute force attacks against the public key. The table below lists the recommended key size, depending on the planned key life time and the PKI role of the identity. Table 64: Recommended Key Size According to Role and Lifetime PKI Role Root certification authority Intermediate server CA Intermediate user CA SSL or SNC server End user End user short-lived Key Lifetime 10 years 10 years 5 years 10 years < 1 year < 1 day RSA Key Size 4096 bits 4096 bits 2048 bits 2048 bits 2048 bits 2048 bits This is to be considered for new PKI instances and issued server certificates in Certificate Management, as well as for Client Authentication Profiles. An X.509 certificate identity may also be imported from a PSE or PKCS#12 key file. If a PSE or PKCS#12 transport password seems to be weaker than the built-in policy, we recommended that you delete the PSE or PKCS#12 file or move it to a protected folder after the import operation succeeded. If the imported X.509 certificate has a shorter key size than recommended for the desired PKI role, consider contacting the originator of the key and ask for a larger one. Do not write on paper or print out any password unless you really need to. If you do, keep such paper or file copy in a secure place that can be locked or encrypted. Do not copy and distribute PSE or PKCS#12 files unless you really need to. However, we recommended that you have a secure backup of such files, also in a secure place that can be locked or encrypted. Related Information Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. 241 https://www.bundesnetzagentur.de/DE/Sachgebiete/QES/Veroeffentlichungen/Algorithmen/ algorithmen_node.html(German language only) The Algorithm Catalog of the German Federal Network Agency provides background information on determining key sizes 9.5.3.3 X.509 Root Certificate Life Cycle The X.509 certificates of the one-and-only or all existing root Certification Authorities must be present and trusted in all participating components, in other words. all servers and clients with Secure Login or other X.509 enabled applications. While all other X.509 certificates like intermediate CAs and user or server certificates can be replaced without manual re-distribution to other systems, the replacement of root CA certificates is quite complex and expensive in terms of administrative efforts. On the other hand, such replacement is needed whenever a root CA certificate expires. To make sure that your X.509 enabled landscape does not stop working because of an expired root CA, make sure to follow these recommendations: ● ● ● Issue root CA certificates with a feasible life time. Choose the longest validity associated to the recommended RSA key size. Monitor all root CA certificates regularly, for example, once a month, to make sure you notice an upcoming expiration. Define and plan overlapping root CA validities: Create a new root CA long enough before the old ones expire, create all respective intermediate CAs and server certificates, create all client authentication profiles. Roll out the new root CA certificate in time to make sure it is available and trusted everywhere before the old one expires. Once this is done, migrate server certificates first, then all client authentication profiles. Do not delete any root or intermediate or server certificate, or client authentication profile, before you can make sure the new PKI is running in the whole landscape. ● 9.5.3.4 Storing the Private Key of the Root CA Although SAP NetWeaver AS Java and Secure Login Server can store the private RSA key of the root CA, it is a best practice to move away the Root CA key unless another Intermediate CA is issued. 1. 2. 3. 4. 5. Export the key with a very strong password. Store this key file (PKCS#12) on two separate CDs or USB drives. Put the keys in a safe and separate places with physical locks. Delete the private RSA key (not the X.509 certificate!) in the Key Storage of SAP NetWeaver AS Java. Import the key file into the Key Storage of SAP NetWeaver AS Java if needed, but do not forget to repeat the previous step when finished. 242 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide 9.5.4 Runtime Security Considerations for Secure Login Server Logging and Tracing Turn off massive and raw data traces in productive systems. Use logging and tracing only if required, for example, during testing and troubleshooting. Secure Login Server uses the standard APIs of SAP NetWeaver AS Java for logging and tracing. Filter for the application com.sap/securelogin.ui. For more information, see SAP NetWeaver AS Java Security Guide for your respective release: http:// help.sap.com/nw_platform. For more information about HTTP raw data traces, see SAP Note 724719 - How to enable HTTP tracing in the SAP J2ee Engine 6.40/7.0. Backup and Recovery Secure Login Server relies on the backup and recovery mechanisms of SAP NetWeaver AS Java and its database. For more information, see the security guides relevant for your release: http://help.sap.com/nw_platform. Virus Protection We recommend you protect the host SAP NetWeaver Application Server Java with the virus scan interface. If the virus scan profile webdynpro_FileUpload is active, you make sure that uploaded files are scanned for viruses. For more information, see the virus scan interface documentation for your SAP NetWeaver release. 9.5.5 Secure Login Web Client Secure Login Web Client is integrated into Secure Login Server, and does not require its own installation, initialization, or configuration. The Java Applet of Secure Login Web Client is digitally signed by SAP AG and automatically verified by the web browser. All security relevant profiles and configuration properties come from Secure Login Server and the Secure Login Administration Console. Additionally, Secure Login Web Client enforces HTTPS communication and refuses any plain HTTP URL to servers. The X.509 end user certificate it receives must also come from a locally trusted PKI: On Windows and Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. 243 Mac OS X, the Root Certification Authority of the PKI must be available and trusted in the respective system stores, for example, Windows Certificate Store or Apple Keychain. Turn off massive and raw data traces in productive systems. Use logging and tracing only if required, for example, during testing and troubleshooting. 9.6 Microsoft Windows Server Domain Controller In addition to the security guidelines provided by Microsoft, we have a few additional recommendation for the secure operation of this product. We recommended that you use a strong password policy for all accounts, especially for business users and service accounts used for Kerberos-based authentication. Grant minimum account privileges to service accounts that you created for Secure Login Library and Kerberos keytab identities. The only required privilege is membership in the Windows Domain. No other permissions or memberships should be assigned unless there is an urgent need for it. We recommend a regular password change policy for business user and service accounts used for Kerberosbased authentication. Before you change the password of your Kerberos service account, add another keytab entry for its SPN in the PSE of your SAP NetWeaver AS ABAP or SAP NetWeaver AS Java SPNego configuration to make sure there is no interruption in your Kerberos authentication. 9.7 Microsoft Windows Server Active Directory In addition to the security guidelines provided by Microsoft, we have a few additional recommendation for the secure operation of this product. Provide SSL protected LDAP communication for clients that send passwords for authentication. We recommend a regular password change policy for business user and service accounts used for LDAP-based authentication. 9.8 LDAP Directory Server In addition to the security guidelines provided by the LDAP vendor, we have a few additional recommendation for the secure operation of this product. Provide SSL protected LDAP communication for clients that send passwords for authentication. We recommend a regular password change policy for business user accounts used for LDAP-based authentication. 244 PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Secure Login Security Guide PUBLIC © 2013 SAP AG or an SAP affiliate company. 245 . consider contacting the administrator of the account and ask for a better one. Secure Login Server and RSA Authentication Server communicate over the RADIUS protocol.9.9 RSA Authentication Server In addition to the security guidelines provided by the RSA. we have a few additional recommendation for the secure operation of this product. The protocol makes use of a shared secret that is required during session key agreement. All rights reserved. Use the recommended RSA SecurID token maintenance options from the vendor guides. Such shared secrets should meet the same password strength recommendations as for key files: ● ● ● ● ● 8 characters minimum length 1 or more lowercase letters 1 or more uppercase letters 1 or more digits 1 or more special characters If such a password is weaker than recommended. RESTRICTIONS. service mark. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses . any other machine readable materials (including. general purpose Internet browsing. logo or trade name of Sun or its licensors is granted under this Agreement. BY USING THE SOFTWARE YOU ACKNOWLEDGE THAT YOU HAVE READ THE TERMS AND AGREE TO THEM. used for general computing functions under end user control (such as but not specifically limited to email. THEN YOU MUST NOT USE THE SOFTWARE ON THIS SITE OR ANY OTHER MEDIA ON WHICH THE SOFTWARE IS CONTAINED. printers and storage management systems. "General Purpose Desktop Computers and Servers" means computers. Sun grants you a non-exclusive. limited license without license fees to reproduce and use internally Software complete and unmodified for the sole purpose of running Programs. IF YOU DO NOT HAVE SUCH AUTHORITY. including. including desktop and laptop computers. Inc. title or interest in or to any trademark. programming guides and other documentation provided to you by Sun under this Agreement. LICENSE TO USE. VERSION 6 SUN MICROSYSTEMS. Inc. but not limited to the Java Technology Restrictions of the Supplemental License Terms. wireless handheld devices. Sun Microsystems. 1. The use of Software in systems and solutions that provide dedicated functionality (other than as mentioned above) or designed for use in embedded or function-specific software applications. but not limited to. any updates or error corrections provided by Sun. construction. 2. operation or maintenance of any nuclear facility. TV/STB. You acknowledge that Licensed Software is not designed or intended for use in the design. disclaims any express or implied warranty of fitness for such uses. 3. you may not modify. and any user manuals. or reverse engineer Software. DEFINITIONS. ("SUN") IS WILLING TO LICENSE THE SOFTWARE IDENTIFIED BELOW TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS BINARY CODE LICENSE AGREEMENT AND SUPPLEMENTAL LICENSE TERMS (COLLECTIVELY "AGREEMENT"). source files. and office suite productivity tools). OR IF YOU DO NOT WISH TO BE BOUND BY THE TERMS. netbooks. Unless enforcement is prohibited by applicable law. "Programs" means Java technology applets and applications intended to run on the Java Platform Standard Edition (Java SE) platform on Javaenabled General Purpose Desktop Computers and Servers. libraries. kiosks. nontransferable. 246 PUBLIC © 2013 SAP AG or an SAP affiliate company. for example but not limited to: Software embedded in or bundled with industrial control systems. telematics and network control switching equipment.10 Open Source Licenses 10. and other related systems are excluded from this definition and not licensed under this Agreement. PLEASE READ THE AGREEMENT CAREFULLY. decompile. and data files). Subject to the terms and conditions of this Agreement. header files. Title to Software and all associated intellectual property rights is retained by Sun and/or its licensors. wireless mobile telephones. Blu-ray Disc devices. "Software" means the identified above in binary form. IF YOU ARE AGREEING TO THESE TERMS ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY. or servers. Binary Code License Agreement for the JAVA SE DEVELOPMENT KIT (JDK). No right. YOU REPRESENT THAT YOU HAVE THE LEGAL AUTHORITY TO BIND THE LEGAL ENTITY TO THESE TERMS. Additional licenses for developers and/or publishers are granted in the Supplemental License Terms.1 Sun Java Platform Standard Edition SDK (J2SDK) (JDK) Sun Java Platform Standard Edition SDK (J2SDK) (JDK) Sun Microsystems. Additional restrictions for developers and/or publishers licenses are set forth in the Supplemental License Terms. Software is confidential and copyrighted. All rights reserved. INC. which vary from state to state.212 (for non-DOD acquisitions). or in either party's opinion be likely to become. FORTE. ARISING OUT OF OR RELATED TO THE USE OF OR INABILITY TO USE SOFTWARE. You acknowledge and agree as between you and Sun that Sun owns the SUN. SOLARIS. DISCLAIMER OF WARRANTY. representations and warranties and prevails over any conflicting or additional terms of any quote. 5. TO THE EXTENT NOT PROHIBITED BY LAW. EXPORT REGULATIONS. Some states do not allow the exclusion of incidental or consequential damages. You may have others. LIMITED WARRANTY. SEVERABILITY.S. All Software and technical data delivered under this Agreement are subject to US export control laws and may be subject to export or import regulations in other countries. INDIRECT. TRADEMARKS AND LOGOS. If any provision of this Agreement is held to be unenforceable. then the Government's rights in Software and accompanying documentation will be only as set forth in this Agreement. CONSEQUENTIAL. This Agreement will terminate immediately without notice from Sun if you fail to comply with any provision of this Agreement. order. Sun warrants to you that for a period of ninety (90) days from the date of purchase. 9. You may terminate this Agreement at any time by destroying all copies of Software. so the above may not apply to you. FORTE. or other communication between the parties relating to its subject matter during the term of this Agreement. 13.7202-4 (for Department of Defense (DOD) acquisitions) and with 48 CFR 2. TERMINATION. Software is provided "AS IS".S. Upon Termination. 8. GOVERNING LAW. REPRESENTATIONS AND WARRANTIES. 10. In no event will Sun's liability to you. whether in contract. service marks. 7. Your exclusive remedy and Sun's entire liability under this limited warranty will be at Sun's option to replace Software media or refund the fee paid for Software. exceed the amount paid by you for Software under this Agreement. INCIDENTAL OR PUNITIVE DAMAGES. 11. this is in accordance with 48 CFR 227.S. in which case this Agreement will immediately terminate. tort (including negligence). INTEGRATION. This Agreement is effective until terminated. and you agree to comply with the Sun Trademark and Logo Usage Requirements currently located at http:// www. OR FOR SPECIAL. this Agreement will remain in effect with the provision omitted. HOWEVER CAUSED REGARDLESS OF THE THEORY OF LIABILITY. Except for the foregoing. U. UNLESS SPECIFIED IN THIS AGREEMENT. JINI. EXCEPT TO THE EXTENT THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Government prime contractor or subcontractor (at any tier). the subject of a claim of infringement of any intellectual property right. proposals. so some of the terms above may not be applicable to you. and iPLANET-related trademarks. Any implied warranties on the Software are limited to 90 days. INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY. You agree to comply strictly with all such laws and regulations and acknowledge that you have the responsibility to obtain such licenses to export. JINI. 6. Either party may terminate this Agreement immediately should any Software become. unless omission would frustrate the intent of the parties. and iPLANET trademarks and all SUN. or import as may be required after delivery to you. re-export. the media on which Software is furnished (if any) will be free of defects in materials and workmanship under normal use. SOLARIS. ALL EXPRESS OR IMPLIED CONDITIONS.com/policies/trademarks. Some states do not allow limitations on duration of an implied warranty. as evidenced by a copy of the receipt. FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED.101 and 12. federal law. JAVA. or otherwise.4. LIMITATION OF LIABILITY.S. Any use you make of the Sun Marks inures to Sun's benefit. All rights reserved. This Agreement is the entire agreement between you and Sun relating to its subject matter. If Software is being acquired by or on behalf of the U. PROFIT OR DATA. No choice of law rules of any jurisdiction will apply. Any action related to this Agreement will be governed by California law and controlling U. No Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses PUBLIC © 2013 SAP AG or an SAP affiliate company. 12. EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. This limited warranty gives you specific legal rights.sun. It supersedes all prior or contemporaneous oral or written communications. acknowledgment. you must destroy all copies of Software.7201 through 227. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE. The foregoing limitations will apply even if the above stated warranty fails of its essential purpose. logos and other brand designations ("Sun Marks"). GOVERNMENT RESTRICTED RIGHTS. Government or by a U. JAVA. 247 . you agree to defend and indemnify Sun and its licensors from and against any damages. including. the Programs add significant and primary functionality to the Redistributables. you do not remove or alter any proprietary legends or notices contained in the Software. and vi. v. iv. iv. iii. or in any license contained within the Software. unless in writing and signed by an authorized representative of each party. limited license without fees to reproduce and distribute the Software. limited license without fees to reproduce and distribute those files specifically identified as redistributable in the Software "README" file ("Redistributables") provided that: i. provided that i. liabilities. B. Software Internal Use and Development License Grant. non-transferable. you only distribute the Redistributables pursuant to a license agreement that protects Sun's interests consistent with the terms contained in the Agreement. including but not limited to the Java Technology Restrictions of these Supplemental Terms. Subject to the terms and conditions of this Agreement and restrictions and exceptions set forth in the Software README file. and for the sole purpose of running. you only distribute the Software subject to a license agreement that protects Sun's interests consistent with the terms contained in this Agreement. and only bundled as part of Programs. the Programs add significant and primary functionality to the Software. v. License to Distribute Software. you do not remove or alter any proprietary legends or notices contained in or on the Redistributables. ii. Subject to the terms and conditions of this Agreement and restrictions and exceptions set forth in the Software "README" file incorporated herein by reference. you distribute the Redistributables complete and unmodified. 248 PUBLIC © 2013 SAP AG or an SAP affiliate company. you do not distribute additional software intended to replace any component(s) of the Software. limited license without fees to reproduce internally and use internally the Software complete and unmodified for the purpose of designing. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses . ii. you distribute the Software complete and unmodified and only bundled as part of. SUPPLEMENTAL LICENSE TERMS These Supplemental License Terms add to or modify the terms of the Binary Code License Agreement. Sun grants you a non-exclusive. C. and testing your Programs. including. Subject to the terms and conditions of this Agreement and restrictions and exceptions set forth in the Software README file. These Supplemental Terms shall supersede any inconsistent or conflicting terms in the Binary Code License Agreement. non-transferable. you do not distribute additional software intended to supersede any component(s) of the Redistributables (unless otherwise specified in the applicable README file). Sun grants you a non-exclusive. developing. Sun grants you a non-exclusive. All rights reserved. Capitalized terms not defined in these Supplemental Terms shall have the same meanings ascribed to them in the Binary Code License Agreement .modification of this Agreement will be binding. but not limited to the Java Technology Restrictions of these Supplemental Terms. costs. settlement amounts and/or expenses (including attorneys' fees) incurred in connection with any claim. your Programs. lawsuit or action by any third party that arises or results from the use or distribution of any and all Programs and/or Software. but not limited to the Java Technology Restrictions of these Supplemental Terms. iii. License to Distribute Redistributables. non-transferable. A. Sun hereby grants to you a non-exclusive. and shall pay all damages awarded by a court of competent jurisdiction. Sun Microsystems. c. Subject to and conditioned upon your compliance with the restrictions and obligations contained in the Agreement. such notice shall include the following information: 1. "sun" or similar convention as specified by Sun in any naming convention designation. title of Publication. classes. Use is subject to license terms. provides you. The Software must be reproduced in its entirety and without any modification whatsoever (including. You shall indemnify Sun for all damages arising from your failure to comply with the requirements of this Agreement. D. and other countries. All rights reserved. assistance and authority to defend. vi. iv. or change the behavior of. and ix. 249 . You may not create. at your expense. lawsuit or action by any third party that arises or results from the use or distribution of any and all Programs and/or Software. or authorize your licensees to create. vii. "javax". or change the behavior of. modify. ii. You may not include any third party software on the Media which is intended to be a replacement or substitute for the Software. without limitation. Sun Microsystems. All rights reserved. Inc. In addition. Sun. and d. viii. The Media label shall include the following information: Copyright 2006. costs. Your obligation to provide indemnification under this section shall arise provided that Sun: a. or such settlement amount negotiated by you. Java. author(s). Distribution by Publishers. v. This information must be placed on the Media label in such a manner as to only apply to the Sun Software. This section pertains to your distribution of the Software with your printed book or magazine (as those terms are commonly used in the industry) relating to Java technology ("Publication"). interfaces. Java Technology Restrictions. in addition to the license granted in Paragraph 1 above. You must clearly identify the Software as Sun's product on the Media holder or Media label. at your expense. it must be distributed with your Publication(s). gives you sole control of the defense and settlement of the claim.vi. settlement amounts and/or expenses (including attorneys' fees) incurred in connection with any claim. b. any and all claims brought against Sun by third parties. and you may not state or imply that Sun is responsible for any third-party software contained on the Media. You must refer to the Software as JavaTM SE Development Kit 6. iii. subject to the following terms: i. Inc. or subpackages that are in any way identified as "java". You may not distribute the Software on a stand-alone basis. You shall provide Sun with a written notice for each Publication. the Sun logo. you agree to defend and indemnify Sun and its licensors from and against any damages. J2SE. provides you prompt notice of the claim. arising out of or in connection with your use.S. the Java Coffee Cup logo. modify. You are responsible for downloading the Software from the applicable Sun web site. with all available information. E. liabilities. nontransferable limited right to reproduce complete and unmodified copies of the Software on electronic media (the "Media") for the sole purpose of inclusion and distribution with your Publication(s). in the U. the Binary Code License and Supplemental License Terms accompanying the Software and proprietary rights notices contained in the Software). Solaris. you shall defend. and all trademarks and logos based on Java are trademarks or registered trademarks of Sun Microsystems. reproduction or distribution of the Software and/or the Publication. has not compromised or settled such claim without your prior written consent. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses PUBLIC © 2013 SAP AG or an SAP affiliate company. 2. 3. Software may contain source code that.S. Termination for Infringement. 250 PUBLIC © 2013 SAP AG or an SAP affiliate company.S. I. royalty-free copyright license to reproduce its contribution.Subject to the terms of this license.. 1. California 95054. prepare derivative works of its contribution. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses . California 95054. copyright law. A "contribution" is the original software. each contributor grants you a non-exclusive. If you do not accept the license. Sun does not associate the data with personally identifiable information. Santa Clara. The Software's installation and auto-update processes transmit a limited amount of data to Sun (or its service provider) about those specific processes to help Sun understand and optimize them. worldwide. U.A.S. 4. including the license conditions and limitations in section 3. M/S USCA12-110. the subject of a claim of infringement of any intellectual property right. G." "derivative works. Inc. All rights reserved. Additional copyright notices and license terms applicable to portions of the Software are set forth in the THIRDPARTYLICENSEREADME. Third Party Code.A . 10.Subject to the terms of this license. is provided solely for reference purposes pursuant to the terms of this Agreement. A "contributor" is any person that distributes its contribution under this license.com/data/. the disclaimer of warranty and limitation of liability provisions in paragraphs 5 and 6 of the Binary Code License Agreement shall apply to all Software in this distribution.txt file. Either party may terminate this Agreement immediately should any Software become. Source Code. Source code may not be redistributed unless expressly provided for in this Agreement. (B) Patent Grant. Such notice shall be sent to Sun Microsystems. you accept this license. In addition to any terms and conditions of any third party opensource/freeware license identified in the THIRDPARTYLICENSEREADME. Definitions The terms "reproduce. You can find more information about the data Sun collects at http://java.2 Windows Template Library Windows Template Library Microsoft Public License (Ms-PL) This license governs use of the accompanying software. each contributor grants you a non-exclusive. Installation and Auto-Update. ISBN or ISSN numbers. or any additions or changes to the software. royalty-free license under its licensed 2. If you use the software. F. and distribute its contribution or any derivative works that you create.txt file.. U. H. 4150 Network Circle. Attention: Contracts Administration. For inquiries please contact: Sun Microsystems. or in either party's opinion be likely to become." "reproduction. including the license conditions and limitations in section 3." and "distribution" have the same meaning here as under U. Inc. 4150 Network Circle. Grant of Rights (A) Copyright Grant. unless expressly licensed for other purposes. Santa Clara. worldwide. and 4. do not use the software. date of Publication. "Licensed patents" are a contributor's patent claims that read directly on its contribution. the contributors exclude the implied warranties of merchantability.This license does not grant you rights to use any contributors' name. (B) If you bring a patent claim against any contributor over patents that you claim are infringed by the software. the individual or other entity reading or otherwise making use of the Work licensed pursuant to this License and the individual or other entity which offers the Work under the terms of this License ("Author"). 3. and/or otherwise dispose of its contribution in the software or derivative works of the contribution in the software. guarantee.Adding Icons to System Tray The Code Project Open License (CPOL) 1. The software is provided "as-is". Conditions and Limitations (A) No Trademark License. import. (C) If you distribute any portion of the software.02 Preamble This License governs Your use of the Work.3 Code Project . you may only do so under a license that complies with this license. 251 . patent. The contributors give no express warranties. Source Code and Executable Files can be redistributed. The main points subject to the terms of the License are: ● ● ● ● ● Source Code and Executable Files can be used in commercial applications. and Source Code can be modified to create derivative works. You may have additional consumer rights under your local laws which this license cannot change. If you distribute any portion of the software in compiled or object code form. use. guarantees. you must retain all copyright. fitness for a particular purpose and non-infringement. All rights reserved. and attribution notices that are present in the software. logo. Code Project Adding Icons to System Tray Code Project . have made. This License is intended to allow developers to use the Source Code and Executable Files provided as part of the Work in any application in any form.Pretty IE Toolbar in C#. (E) The software is licensed "as-is. offer for sale. To the extent permitted under your local laws.Pretty IE Toolbar in C#. or trademarks. or conditions. you may do so only under this license by including a complete copy of this license with your distribution.patents to make. Code Project . trademark. your patent license from such contributor to the software ends automatically." You bear the risk of using it. or any warranty whatsoever is provided. (D) If you distribute any portion of the software in source code form. No claim of suitability. sell. 10. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses PUBLIC © 2013 SAP AG or an SAP affiliate company. The Article accompanying the Work may not be distributed or republished without the Author's consent This License is entered between You. when and where You changed that file. License Grant. configuration and any required data files included in the Work. 252 PUBLIC © 2013 SAP AG or an SAP affiliate company. e. 3. data files. limit. documentation. "Executable Files" refer to the executables. g. "Standard Version" refers to such a Work if it has not been modified. non-exclusive. You may apply bug fixes. portability fixes and other modifications obtained from the Public Domain or from the Author. or has been modified in accordance with the consent of the Author. an individual or entity wishing to use the Work and exercise your rights under this License. d. All rights reserved. YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. first sale or other limitations on the exclusive rights of the copyright owner under copyright law or other applicable laws. c. "Source Code" refers to the collection of source code and configuration files used to create the Executable Files. Nothing in this License is intended to reduce. 2. i. royalty-free. h. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. THE AUTHOR GRANTS YOU THE RIGHTS CONTAINED HEREIN IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS. Subject to the terms and conditions of this License. You may use the standard version of the Source Code or Executable Files in Your own applications. "Articles" means. whitepapers and the Articles. You may distribute the standard version of the Executable Files and Source Code or Derivative Work in aggregate with other (possibly commercial) programs as part of a larger (possibly commercial) software distribution. all articles written by Author which describes how the Source Code and Executable Files for the Work may be used by a user. or restrict any rights arising from fair use. "Derivative Work" means a work based upon the Work or upon the Work and other pre-existing works. including the Source Code. the Author hereby grants You a worldwide. "Work" refers to the collection of files distributed by the Publisher. c. magazine. BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HEREIN. binary files. YOU CANNOT MAKE ANY USE OF THE WORK. IF YOU DO NOT AGREE TO ACCEPT AND BE BOUND BY THE TERMS OF THIS LICENSE. Definitions a. Any subroutines or modules supplied by You and linked into the Source Code or Executable Files this Work shall not be considered part of this Work and will not be subject to the terms of this License. The Articles discussing the Work published in any form by the author may not be distributed or republished without the Author's consent. Executable Files. collectively. provided that You insert a prominent notice in each changed file stating how. A Work modified in such a way shall still be considered the standard version and will be subject to this License. e. without the prior written consent of the Author. b. Fair Use/Fair Use Rights. b. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses . DVD or other medium from or by which the Work is obtained by You. 1. such consent being in the full discretion of the Author. binaries. perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below: a. "You" is you. The author retains copyright to any such Articles. d. You may use the Executable Files and Source Code pursuant to this License but you may not repost or republish or otherwise distribute or make available the Articles. You may otherwise modify Your copy of this Work (excluding the Articles) in any way to create a Derivative Work. CD-ROM.License THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CODE PROJECT OPEN LICENSE ("LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. "Publisher" means the provider of the website. f. "Author" means the individual or entity that offers the Work under the terms of this License. fair dealing. All rights reserved. Patent License. indemnify and hold harmless the Author and the Publisher from and against any claims. THE USER. or rent any part of the Work. suits. BUGFREE OR FREE OF VIRUSES. or the Uniform Resource Identifier for. 7. 5. Termination. You agree not to remove any of the original copyright. liabilities. c. worldwide. though. Indemnity. d. THIS WORK IS PROVIDED "AS IS". 6. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW. ETC. a. immoral or improper purposes. You agree to defend. b. this License with every copy of the Executable Files or Source Code You distribute and ensure that anyone receiving such Executable Files and Source Code agrees that the terms of this License apply to such Executable Files and/or Source Code. 253 . You may distribute the Executable Files and Source Code only under the terms of this License. You agree not to sell. EVEN IF THE AUTHOR OR THE PUBLISHER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IMPLIED OR STATUTORY WARRANTIES OR CONDITIONS. CONSEQUENTIAL. e. This License and the rights granted hereunder will terminate automatically upon any breach by You of any term of this License. Restrictions. You agree to comply with all such laws and regulations that may apply to the Work after Your receipt of the Work. irrevocable (except as stated in this section) patent license to make. INCLUDING WITHOUT LIMITATION. cannot be sold. have made. MERCHANTABLE QUALITY OR FITNESS FOR A PARTICULAR PURPOSE. costs. and You must include a copy of. import. 8. Representations. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses PUBLIC © 2013 SAP AG or an SAP affiliate company. each Author hereby grants to You a perpetual. lease. Limitation on Liability. 9.4. Subject to the terms and conditions of this License. You may not sublicense the Work. Individuals or entities who have received Derivative Works from You under this License. OR ANY WARRANTY OF TITLE OR NON-INFRINGEMENT. patent. WARRANTIES OR CONDITIONS OF MERCHANTABILITY. ASSUME ALL RISK IN ITS USE. Warranties and Disclaimer. SUITABILITY. You may not distribute the Executable Files or Source Code with any technological measures that control access or use of the Work in a manner inconsistent with the terms of this License. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions: a. immoral or improper material. non-exclusive. The Work is subject to applicable export laws. trademark. You may not offer or impose any terms on the Work that alter or restrict the terms of this License or the recipients' exercise of the rights granted hereunder. The Work by itself. The name of the Author may not be used to endorse or promote products derived from the Work without the prior written consent of the Author. no-charge. royalty-free. INCIDENTAL. and expenses (including reasonable legal or attorneys? fees) resulting from or relating to any use of the Work by You. IN NO EVENT WILL THE AUTHOR OR THE PUBLISHER BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL. You must keep intact all notices that refer to this License and to the disclaimer of warranties. "WHERE IS" AND "AS AVAILABLE". PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK OR OTHERWISE. You agree not to advertise or in any way imply that this Work is a product of Your own. losses. YOU MUST PASS THIS DISCLAIMER ON WHENEVER YOU DISTRIBUTE THE WORK OR DERIVATIVE WORKS. use. f. AUTHOR EXPRESSLY DISCLAIMS ALL EXPRESS. and attribution notices and associated disclaimers that may appear in the Source Code or Executable Files. or on pages containing illegal. YOU. INCLUDING COPYRIGHT INFRINGEMENT. PATENT INFRINGEMENT. This does not restrict you from including the Work or any part of the Work inside a larger software distribution that itself is being sold. OR THAT THE WORK (OR ANY PORTION THEREOF) IS CORRECT. and otherwise transfer the Work. USEFUL. damages. WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS OR GUARANTEES. You agree not to use the Work for illegal. leased or rented. b. agreements or representations with respect to the Work not specified herein. Subject to the above terms and conditions. be responsible for and shall not have any liability in respect of the subject matter of this License. and without further action by the parties to this License. The Publisher reserves the right to cease making the Work available to You at any time without notice 11. There are no understandings.4 RSA Cryptoki: Cryptographic Token Interface Standard API (PKCS #11) RSA Cryptoki: Cryptographic Token Interface Standard API (PKCS #11) RSA Security Cryptoki License License to copy and use this software is granted provided that it is identified as "RSA Security Inc. c. this License is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above. 6. your License from such contributor to the Work ends automatically. 10 and 11 will survive any termination of this License. it shall not affect the validity or enforceability of the remainder of the terms of this License. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses . or is required to be. under any circumstances. granted under the terms of this License). however that any such election will not serve to withdraw this License (or any other license that has been. The Author shall not be bound by any additional provisions that may appear in any communication from You. This License constitutes the entire agreement between the parties with respect to the Work licensed herein. 7. If any provision of this License is invalid or unenforceable under applicable law. will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. 8. b. including without limitation any general. The parties hereby confirm that the Publisher shall not. such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable. patent or any other infringement claim against any contributor over infringements You claim are made by the Work. 10. the laws of location of the principal place of residence of the Author. and this License will continue in full force and effect unless terminated as stated above. incidental or consequential damages arising in connection to this license. the Author reserves the right to release the Work under different license terms or to stop distributing the Work at any time. d. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent. If You bring a copyright. The Publisher makes no warranty whatsoever in connection with the Work and shall not be liable to You or any party on any legal theory for any damages whatsoever. PKCS #11 Cryptographic Token Interface (Cryptoki)" in all material mentioning or referencing this software. c. All rights reserved. This License may not be modified without the mutual written agreement of the Author and You. Miscellaneous a. 9. trademark. Sections 1. 2. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Security Inc. 254 PUBLIC © 2013 SAP AG or an SAP affiliate company.however. PKCS #11 Cryptographic Token Interface (Cryptoki)" in all material mentioning or referencing the derived work. special. Publisher. This License shall be governed by the laws of the location of the head office of the Author or if the Author is an individual. 10. provided. INCIDENTAL. LOSS OF USE. etc. SPECIAL. 3. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. DATA.com)". The implementation was written so as to conform with Netscapes SSL. not just the SSL code. Redistributions of source code must retain the copyright notice. OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY. Copyright remains Eric Young's. WHETHER IN CONTRACT. If this package is used in a product.RSA Security Inc. Eric Young should be given attribution as the author of the parts of the library used. this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. are permitted provided that the following conditions are met: 1. OR CONSEQUENTIAL DAMAGES (INCLUDING. PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES.com) All rights reserved. EXEMPLARY. this list of conditions and the following disclaimer. code. lhash. It is provided "as is" without express or implied warranty of any kind.5 SSLeay SSLeay SSLeay License Copyright (C) 1995-1998 Eric Young (eay@cryptsoft. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft. 2. OR PROFITS.The licence and distribution terms for any publically available version or derivative of this code cannot Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses PUBLIC © 2013 SAP AG or an SAP affiliate company. INDIRECT. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES. The word 'cryptographic' can be left out if the rouines from the library being used are not cryptographic related :-). THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. BUT NOT LIMITED TO. RSA. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. INCLUDING. STRICT LIABILITY.com)" 4. The following conditions apply to all code found in this distribution. All rights reserved. be it the RC4. BUT NOT LIMITED TO. and as such any Copyright notices in the code are not to be removed.com). This package is an SSL implementation written by Eric Young (eay@cryptsoft. OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE.com). If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft. 255 . Redistribution and use in source and binary forms. EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.. DES. 10. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. Redistributions in binary form must reproduce the above copyright notice. with or without modification. JQuery The MIT License Copyright (c) 1998-2003 Daniel Veillard. Permission is granted to anyone to use this software for any purpose.be changed. including without limitation the rights to use. to any person obtaining a copy of this software and associated documentation files (the "Software"). sublicense. The origin of this software must not be misrepresented.6 zlib zlib The zlib/libpng License Copyright (c) 1995-2012 Jean-loup Gailly and Mark Adler This software is provided 'as-is'. publish. free of charge. 3. and/or sell copies of the Software. All Rights Reserved Permission is hereby granted. and to alter it and redistribute it freely. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses . subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. JQuery libxml2. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence. Altered source versions must be plainly marked as such. All rights reserved. i. 10. If you use this software in a product. modify. and to permit persons to whom the Software is furnished to do so. 2. copy.e. THE SOFTWARE IS PROVIDED "AS IS". without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY. including commercial applications. WITHOUT WARRANTY OF ANY KIND. and must not be misrepresented as being the original software. This notice may not be removed or altered from any source distribution.7 libxml2. subject to the following restrictions: 1. merge. EXPRESS OR IMPLIED. you must not claim that you wrote the original software. distribute. 10. an acknowledgment in the product documentation would be appreciated but is not required. FITNESS FOR A PARTICULAR PURPOSE AND 256 PUBLIC © 2013 SAP AG or an SAP affiliate company. to deal in the Software without restriction. IS WILLING TO LICENSE THE SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS BINARY CODE LICENSE AGREEMENT AND SUPPLEMENTAL LICENSE TERMS (COLLECTIVELY "AGREEMENT"). Unless enforcement is prohibited by applicable law. any updates or error corrections provided by Oracle. 257 . Oracle grants you a non-exclusive. Title to Software and all associated intellectual property rights is retained by Oracle and/or its licensors. ("ORACLE").NONINFRINGEMENT.html. source files.oracle. WHETHER IN AN ACTION OF CONTRACT. PLEASE READ THE AGREEMENT CAREFULLY. limited license without license fees to reproduce and use internally the Software complete and unmodified for the sole purpose of running Programs. THE LICENSE SET FORTH IN THIS SECTION 2 DOES NOT EXTEND TO THE COMMERCIAL FEATURES. and any user manuals. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses PUBLIC © 2013 SAP AG or an SAP affiliate company. INC. IF YOU DO NOT HAVE SUCH AUTHORITY.Subject to the terms and conditions of this Agreement including. RESTRICTIONS. "Software" means the Java SE Platform Products in binary form that you selected for download. 3.html. THEN SELECT THE "DECLINE LICENSE AGREEMENT" (OR THE EQUIVALENT) BUTTON AND YOU MUST NOT USE THE SOFTWARE ON THIS SITE OR ANY OTHER MEDIA ON WHICH THE SOFTWARE IS CONTAINED. LICENSE TO USE. Standard Edition platform on Java-enabled General Purpose Desktop Computers and Servers. FOR AND ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES UNDER COMMON CONTROL. IF YOU ARE AGREEING TO THESE TERMS ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY. the Java Technology Restrictions of the Supplemental License Terms. OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.8 Java Access Bridge Java Access Bridge Oracle Binary Code License Agreement for the Java SE Platform Products ORACLE AMERICA. OR IF YOU DO NOT WISH TO BE BOUND BY THE TERMS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM. "Programs" means Java technology applets and applications intended to run on the Java Platform. but not limited to. YOU REPRESENT THAT YOU HAVE THE LEGAL AUTHORITY TO BIND THE LEGAL ENTITY TO THESE TERMS. “Commercial Features” means those features identified in Table 1-1 (Commercial Features In Java SE Product Editions) of the Software documentation accessible at http://www. and data files). any other machine readable materials (including. 10.com/technetwork/java/javase/ documentation/index. All rights reserved. “README File” means the README file for the Software accessible at http://www. Software is copyrighted.oracle. DEFINITIONS. DAMAGES OR OTHER LIABILITY. you may not 2.com/technetwork/ java/javase/terms/readme/index. install or use from Oracle or its authorized licensees. ARISING FROM. BY SELECTING THE "ACCEPT LICENSE AGREEMENT" (OR THE EQUIVALENT) BUTTON AND/OR BY USING THE SOFTWARE YOU ACKNOWLEDGE THAT YOU HAVE READ THE TERMS AND AGREE TO THEM. YOUR RIGHTS AND OBLIGATIONS RELATED TO THE COMMERCIAL FEATURES ARE AS SET FORTH IN THE SUPPLEMENTAL TERMS ALONG WITH ADDITIONAL LICENSES FOR DEVELOPERS AND PUBLISHERS. libraries. nontransferable. header files. programming guides and other documentation provided to you by Oracle under this Agreement. TORT OR OTHERWISE. 1. but not limited to. This agreement is governed by the substantive and procedural laws of California. unless omission would frustrate the intent of the parties. in violation of these laws. SEVERABILITY. export control laws and other applicable export and import laws govern your use of the Software. You and Oracle agree to submit to the exclusive jurisdiction of. TRADEMARKS AND LOGOS. REVENUE. and other measures to ensure its safe use. title or interest in or to any trademark. 11. 258 PUBLIC © 2013 SAP AG or an SAP affiliate company. Oracle disclaims any express or implied warranty of fitness for such uses. service mark. unless omission would frustrate the intent of the parties. it is not developed or intended for use in any inherently dangerous applications. If any provision of this Agreement is held to be unenforceable.S.oracle. ORACLE FURTHER DISCLAIMS ALL WARRANTIES.com/us/legal/third-party-trademarks/index. Either party may terminate this Agreement immediately should any Software become. chemical. directly. WHETHER IN AN ACTION IN CONTRACT OR TORT. including applications that may create a risk of personal injury. 10. 5. or reverse engineer Software. then the Government's rights in Software and accompanying documentation shall be only those set forth in this Agreement. redundancy. logo or trade name of Oracle or its licensors is granted under this Agreement. You acknowledge and agree as between you and Oracle that Oracle owns the ORACLE and JAVA trademarks and all ORACLE. Any use you make of the Oracle Marks inures to Oracle's benefit. If Software is being acquired by or on behalf of the U.modify. PUNITIVE OR CONSEQUENTIAL DAMAGES. TERMINATION. nuclear. 6. EXPORT REGULATIONS. You agree that U. including technical data. Additional restrictions for developers and/or publishers licenses are set forth in the Supplemental License Terms. or indirectly. DATA OR DATA USE. and you agree to comply with the Third Party Usage Guidelines for Oracle Trademarks currently located at http://www. or Santa Clara counties in California in any dispute arising out of or relating to this agreement. 8. additional information can be found on Oracle's Global Trade Compliance web site (http://www. and venue in. INCURRED BY YOU OR ANY THIRD PARTY. ORACLE'S ENTIRE LIABILITY FOR DAMAGES HEREUNDER SHALL IN NO EVENT EXCEED ONE THOUSAND DOLLARS (U. 9. backup. You agree that neither the Software nor any direct product thereof will be exported. 12. the subject of a claim of infringement of any intellectual property right. This Agreement is effective until terminated. No right. logos and other brand designations ("Oracle Marks"). LIMITATION OF LIABILITY. Upon termination. in which case this Agreement will immediately terminate. then you shall be responsible to take all appropriate fail-safe. SPECIAL.000). SEVERABILITY. or in either party's opinion be likely to become. you must destroy all copies of Software. THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. Government or by a U. or will be used for any purpose prohibited by these laws including. service marks. GOVERNMENT LICENSE RIGHTS.S.html. This Agreement will terminate immediately without notice from Oracle if you fail to comply with any provision of this Agreement.oracle.S. You may terminate this Agreement at any time by destroying all copies of Software. this Agreement will remain in effect with the provision omitted. ANY IMPLIED WARRANTIES OF MERCHANTABILITY. INCIDENTAL. the courts of San Francisco. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses . All rights reserved.S. this Agreement will remain in effect with the provision omitted.S. FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. $1. 4.com/products/export). Government prime contractor or subcontractor (at any tier). in which case this Agreement will immediately terminate. EXPRESS AND IMPLIED. If you use the Software in dangerous applications. DISCLAIMER OF WARRANTY. without limitation. decompile.and JAVA-related trademarks. INCLUDING WITHOUT LIMITATION. U. EVEN IF ORACLE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 7. GOVERNING LAW. IN NO EVENT SHALL ORACLE BE LIABLE FOR ANY INDIRECT. or biological weapons proliferation. OR DAMAGES FOR LOSS OF PROFITS. You acknowledge that the Software is developed for general use in a variety of information management applications. If any provision of this Agreement is held to be unenforceable. but not limited to the Java Technology Restrictions of these Supplemental Terms. LICENSE TO DISTRIBUTE SOFTWARE. Oracle grants you a non-exclusive. Subject to the terms and conditions of this Agreement and restrictions and exceptions set forth in the README File incorporated herein by reference. v. Subject to the terms and conditions of this Agreement and restrictions and exceptions set forth in the README File. you distribute the Redistributables complete and unmodified. and for the sole purpose of running. C. is a complete. liabilities. you do not distribute additional software intended to replace any component(s) of the Software. or b. lawsuit or action by any third party that arises or results from the use or distribution of any and all Programs and/or Software. iii. non-transferable. and vi. You may not use the Commercial Features for running Programs. or in any license contained within the Software. or for any purpose other than as set forth in Sections B. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses PUBLIC © 2013 SAP AG or an SAP affiliate company. SOFTWARE INTERNAL USE FOR DEVELOPMENT LICENSE GRANT. costs. but not limited to the Java Technology Restrictions of these Supplemental Terms. COMMERCIAL FEATURES. iv. you do not remove or alter any proprietary legends or notices contained in the Software. the Programs add significant and primary functionality to the Software. and testing your Programs. you only distribute the Software subject to a license agreement that: a. including. D and E of these Supplemental Terms. protects Oracle's interests consistent with the terms contained in this Agreement and that includes the notice set forth in Section G. limited license without fees to reproduce and distribute those files specifically identified as redistributable in the README File ("Redistributables") provided that: i.SUPPLEMENTAL LICENSE TERMS These Supplemental License Terms add to or modify the terms of the Binary Code License Agreement. You must obtain a separate license from Oracle. including but not limited to the Java Technology Restrictions of these Supplemental Terms. non-transferable. you distribute the Software complete and unmodified and only bundled as part of. provided that i. you do not distribute additional software intended to supersede any component(s) of the Redistributables (unless otherwise specified in the applicable README File). the Programs add significant and primary functionality to the Redistributables. Capitalized terms not defined in these Supplemental Terms shall have the same meanings ascribed to them in the Binary Code License Agreement. settlement amounts and/or expenses (including attorneys' fees) incurred in connection with any claim. B. Oracle grants you a non-exclusive. All rights reserved. These Supplemental Terms shall supersede any inconsistent or conflicting terms in the Binary Code License Agreement. you agree to defend and indemnify Oracle and its licensors from and against any damages. ii. unmodified reproduction of this Agreement. non-transferable. A. LICENSE TO DISTRIBUTE REDISTRIBUTABLES. and only bundled as part of Programs. your Programs. limited license without fees to reproduce and distribute the Software. C. ii. limited license without fees to reproduce internally and use internally the Software complete and unmodified for the purpose of designing. including. D. Subject to the terms and conditions of this Agreement and restrictions and exceptions set forth in the README File. iii. developing. 259 . Oracle grants you a non-exclusive. Java applets or applications in your internal business operations or for any commercial or production purpose. If You want to use the Commercial Features for any purpose other than as permitted in this Agreement. settlement amounts and/or expenses (including attorneys' fees) incurred in connection with any claim. "sun". E. You are responsible for downloading the Software from the applicable Oracle web site. “oracle” or similar convention as specified by Oracle in any naming convention designation. v. vii. (2) author(s).S. Subject to and conditioned upon your compliance with the restrictions and obligations contained in the Agreement. You may not distribute the Software on a stand-alone basis. "javax". The Software must be reproduced in its entirety and without any modification whatsoever (including with respect to all proprietary notices) and distributed with your Publication subject to a license agreement that is a complete. nontransferable limited right to reproduce complete and unmodified copies of the Software on electronic media (the "Media") for the sole purpose of inclusion and distribution with your Publication(s). This information must be placed on the Media label in such a manner as to only apply to the Oracle Software. iii. or b. DISTRIBUTION BY PUBLISHERS. ORACLE and JAVA trademarks and all ORACLE. lawsuit or action by any third party that arises or results from the use or distribution of any and all Programs and/or Software. liabilities. 260 PUBLIC © 2013 SAP AG or an SAP affiliate company. viii. Such notice shall be sent to Oracle America. or authorize your licensees to create. (3) date of Publication. subject to the following terms: i.and JAVA-related trademarks. unmodified reproduction of this Agreement. modify. you do not remove or alter any proprietary legends or notices contained in or on the Redistributables. is a complete. vi. service marks.A . you agree to defend and indemnify Oracle and its licensors from and against any damages. iv. settlement amounts and/or expenses (including attorneys' fees) incurred in connection with any claim. it must be distributed with your Publication(s). Inc. v. such notice shall include the following information: (1) title of Publication. Use is subject to license terms. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses .S. JAVA TECHNOLOGY RESTRICTIONS. All rights reserved. unmodified reproduction of this Agreement. You must refer to the Software as JavaTM SE Development Kit. The Media label shall include the following information: Copyright 2011. interfaces. liabilities. lawsuit or action by any third party that arises or results from the use or distribution of the Software and/or the Publication. Attention: General Counsel.iv. Oracle America. costs. This section pertains to your distribution of the JavaTM SE Development Kit Software with your printed book or magazine (as those terms are commonly used in the industry) relating to Java technology ("Publication"). you only distribute the Redistributables pursuant to a license agreement that: a. and (4) ISBN or ISSN numbers. All rights reserved. or subpackages that are in any way identified as "java". costs.. or change the behavior of. vi. 500 Oracle Parkway. and other countries. You may not include any third party software on the Media which is intended to be a replacement or substitute for the Software. You must clearly identify the Software as Oracle's product on the Media holder or Media label. logos and other brand designations are trademarks or registered trademarks of Oracle in the U. California 94065 U. protects Oracle's interests consistent with the terms contained in the Agreement and includes the notice set forth in Section G. modify. ii. You may not create. classes. or change the behavior of. and ix. Inc. Oracle hereby grants to you a non-exclusive. . F. Redwood Shores. You shall provide Oracle with a written notice for each Publication. and you may not state or imply that Oracle is responsible for any third-party software contained on the Media. You agree to defend and indemnify Oracle and its licensors from and against any damages. SOURCE CODE. Oracle does not associate the data with personally identifiable information.oracle. Either party may terminate this Agreement immediately should any Software become.G. (v)(b).(v)(b) and D. THIRD PARTY CODE. the subject of a claim of infringement of any intellectual property right.All Rights Reserved All rights reserved.oracle.. Redistribution and use in source and binary forms. are permitted provided that the following conditions are met: ● Redistributions of source code must retain the above copyright notice. 2011 10.0 Copyright (c) 1993-2012 . I.html. Source code may not be redistributed unless expressly provided for in this Agreement. The Software's installation and auto-update processes transmit a limited amount of data to Oracle (or its service provider) about those specific processes to help Oracle understand and optimize them. where the notice is displayed in a manner that anyone using the Software will see the notice: Use of the Commercial Features for any commercial or production purpose requires a separate license from Oracle. “Commercial Features” means those features identified Table 1-1 (Commercial Features In Java SE Product Editions) of the Software documentation accessible at http://www. Redwood Shores.com/technetwork/java/ javase/documentation/index. COMMERCIAL FEATURES NOTICE.Aaron D. Last updated May 17. For purpose of complying with Supplemental Term Section C. All rights reserved. J.com/technetwork/java/ javase/documentation/index. Inc. your license agreement shall include the following notice. California 94065. 500 Oracle Parkway.com/ technetwork/java/javase/documentation/index. this list of conditions and the following disclaimer. Additional copyright notices and license terms applicable to portions of the Software are set forth in the THIRDPARTYLICENSEREADME file accessible at http://www. K. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses PUBLIC © 2013 SAP AG or an SAP affiliate company.html. TERMINATION FOR INFRINGEMENT. In addition to any terms and conditions of any third party opensource/ freeware license identified in the THIRDPARTYLICENSEREADME file. INSTALLATION AND AUTO-UPDATE. the disclaimer of warranty and limitation of liability provisions in paragraphs 4 and 5 of the Binary Code License Agreement shall apply to all Software in this distribution. or in either party's opinion be likely to become. with or without modification.9 SHA. 261 . Software may contain source code that.oracle.html H. Gifford . unless expressly licensed for other purposes. Flex BSD 2. You can find more information about the data Oracle collects as a result of your Software download at http://www. is provided solely for reference purposes pursuant to the terms of this Agreement. For inquiries please contact: Oracle America. USA. Flex SHA. that is based on (or derived from) the Work and for which the editorial revisions. and conversions to other media types. 10. For the purposes of this definition. "License" shall mean the terms and conditions for use. whether in Source or Object form. and distribution as defined by Sections 1 through 9 of this document. as 262 PUBLIC © 2013 SAP AG or an SAP affiliate company. DATA. whether by contract or otherwise. WHETHER IN CONTRACT. "Legal Entity" shall mean the union of the acting entity and all other entities that control. INCLUDING. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. AND DISTRIBUTION 1.0. LOSS OF USE. INCIDENTAL. EXEMPLARY. STRICT LIABILITY. to cause the direction or management of such entity. "Derivative Works" shall mean any work. or are under common control with that entity. or other modifications represent. OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY. All rights reserved. "control" means (i) the power. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form.10 Google GSON Google GSON Apache License Version 2. this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. BUT NOT LIMITED TO. or (ii) ownership of fifty percent (50%) or more of the outstanding shares. OR PROFITS. including but not limited to compiled object code.● ● Redistributions in binary form must reproduce the above copyright notice. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT.apache. Definitions. are controlled by. whether in Source or Object form. INDIRECT. Neither the name of the <ORGANIZATION> nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. made available under the License. OR CONSEQUENTIAL DAMAGES (INCLUDING. January 2004 http://www. EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. REPRODUCTION. reproduction. generated documentation. elaborations. OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE. "Work" shall mean the work of authorship. and configuration files. annotations. as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). SPECIAL. or (iii) beneficial ownership of such entity. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses . including but not limited to software source code. direct or indirect. "Source" form shall mean the preferred form for making modifications. BUT NOT LIMITED TO. PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES. documentation source.org/licenses/ TERMS AND CONDITIONS FOR USE. import. then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. irrevocable (except as stated in this section) patent license to make. "submitted" means any form of electronic. You must give any other recipients of the Work or Derivative Works a copy of this License. within a display generated by the Derivative Works. and issue tracking systems that are managed by. For the purposes of this definition. and attribution notices from the Source form of the Work. and distribute the Work and such Derivative Works in Source or Object form. no-charge. If the Work includes a "NOTICE" text file as part of its distribution. and distribution of the Work otherwise complies with the conditions stated in this License.a whole. no-charge. Subject to the terms and conditions of this License. excluding those notices that do not pertain to any part of the Derivative Works. royalty-free. 263 . Derivative Works shall not include works that remain separable from. "Contribution" shall mean any work of authorship. You must cause any modified files to carry prominent notices stating that You changed the files. non-exclusive. Grant of Copyright License. then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file. including but not limited to communication on electronic mailing lists. or. or merely link (or bind by name) to the interfaces of. and d. prepare Derivative Works of. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses PUBLIC © 2013 SAP AG or an SAP affiliate company. each Contributor hereby grants to You a perpetual. or distribution of Your modifications. sell. including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof. For the purposes of this License. or for any such Derivative Works as a whole. verbal. Grant of Patent License. All rights reserved. each Contributor hereby grants to You a perpetual. or written communication sent to the Licensor or its representatives. use. within the Source form or documentation. reproduction. You must retain. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium. 2. the Work and Derivative Works thereof. if provided along with the Derivative Works. with or without modifications. sublicense. in the Source form of any Derivative Works that You distribute. 4. but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution. excluding those notices that do not pertain to any part of the Derivative Works. reproduction. and b. if and wherever such third-party notices normally appear. If You institute patent litigation against any entity (including a crossclaim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement. non-exclusive. and c. worldwide. alongside or as an addendum to the NOTICE text from the Work. and otherwise transfer the Work. that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. trademark. irrevocable copyright license to reproduce. You may add Your own attribution notices within Derivative Works that You distribute. all copyright. publicly display. have made. patent. provided that such additional attribution notices cannot be construed as modifying the License. publicly perform. Subject to the terms and conditions of this License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use. or on behalf of. where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. Redistribution. 3. worldwide. provided Your use. an original work of authorship. offer to sell. The contents of the NOTICE file are for informational purposes only and do not modify the License. source code control systems. the Licensor for the purpose of discussing and improving the Work. provided that You meet the following conditions: a. in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works. and in Source or Object form. royalty-free. Unless You explicitly state otherwise. You may choose to offer. nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. Submission of Contributions. NON-INFRINGEMENT. any warranties or conditions of TITLE. even if such Contributor has been advised of the possibility of such damages. See the License for the specific language governing permissions and limitations under the License. Notwithstanding the above. or product names of the Licensor. such Contributor by reason of your accepting any such warranty or additional liability. Trademarks. including. and only if You agree to indemnify. either express or implied. indirect. While redistributing the Work or Derivative Works thereof. unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing. attach the following boilerplate notice. with the fields enclosed by brackets "[]" replaced with your own identifying information. Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS. However. 264 PUBLIC © 2013 SAP AG or an SAP affiliate company. contract. and hold each Contributor harmless for any liability incurred by. shall any Contributor be liable to You for damages. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License. Accepting Warranty or Additional Liability. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND. defend. not on behalf of any other Contributor. work stoppage. software distributed under the License is distributed on an "AS IS" BASIS. Limitation of Liability. without any additional terms or conditions. 7. any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License. trademarks. Version 2. indemnity. In no event and under no legal theory. either express or implied.org/licenses/LICENSE-2. You may obtain a copy of the License at http:// www. or FITNESS FOR A PARTICULAR PURPOSE. This License does not grant permission to use the trade names. 8. MERCHANTABILITY. or claims asserted against. or otherwise.0 (the "License"). or other liability obligations and/or rights consistent with this License. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. without limitation. you may not use this file except in compliance with the License. Unless required by applicable law or agreed to in writing. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work To apply the Apache License to your work. Disclaimer of Warranty.0 Unless required by applicable law or agreed to in writing. in accepting such obligations. service marks. acceptance of support. All rights reserved. and charge a fee for. 9. 6. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. warranty.apache. incidental. except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. special. or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill. You may act only on Your own behalf and on Your sole responsibility. whether in tort (including negligence). including any direct. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. or any and all other commercial damages or losses). Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses .5. computer failure or malfunction. EXEMPLARY. STRICT LIABILITY. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. SPECIAL. EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY. WHETHER IN CONTRACT. Redistributions of source code must retain the above copyright notice. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT. this list of conditions and the following disclaimer. BUT NOT LIMITED TO. with or without modification. 265 . OR PROFITS. INCLUDING. BUT NOT LIMITED TO.11 AES-NI Sample Library AES-NI Sample Library BSD Two Clause License Redistribution and use in source and binary forms. OR CONSEQUENTIAL DAMAGES (INCLUDING. INDIRECT. 2. OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Open Source Licenses PUBLIC © 2013 SAP AG or an SAP affiliate company. All rights reserved. PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES. are permitted provided that the following conditions are met: 1. DATA. Redistributions in binary form must reproduce the above copyright notice. INCIDENTAL. this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.10. THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES. LOSS OF USE. the third person singular cannot be avoided or a gender-neutral noun does not exist. If when referring to members of both sexes. The Code is only intended better explain and visualize the syntax and phrasing rules of certain coding.11 Disclaimer SAP Library document classification: PUBLIC. Accessibility The information contained in the SAP Library documentation represents SAP's current view of accessibility criteria as of the date of publication. SAP documentation is gender neutral. OR FITNESS FOR A PARTICULAR PURPOSE. Its content is subject to change without notice. SAP specifically disclaims any liability with respect to this document and no contractual obligations or commitments are formed either directly or indirectly by this document. 266 PUBLIC © 2013 SAP AG or an SAP affiliate company. SAP does not warrant the correctness and completeness of the Code given herein. EXPRESS OR IMPLIED. OR OF MERCHANTABILITY. SAP MAKES NO WARRANTIES. it is in no way intended to be a binding guideline on how to ensure accessibility of software products. Coding Samples Any software coding and/or code lines/strings (“Code”) included in this documentation are only examples and are not intended to be used in a productive system environment. except if such damages were caused by SAP intentionally or grossly negligent. SAP reserves the right to use the masculine form of the noun and pronoun. All rights reserved. or a gender-neutral noun (such as “sales person” or “working days”) is used. and SAP shall not be liable for errors or damages caused by the usage of the Code. This document is for informational purposes only. Depending on the context. Gender-Neutral Language As far as possible. and SAP does not warrant that it is error-free. This is to ensure that the documentation remains comprehensible. the reader is addressed directly with “you. Secure Login for SAP NetWeaver Single Sign-On Implementation Guide Disclaimer . however. com/corporate-en/legal/copyright/ index. The information contained herein may be changed without prior notice. Nothing herein should be construed as constituting an additional warranty. without representation or warranty of any kind. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. if any.www.com/contactsap © 2013 SAP AG or an SAP affiliate company. Please see http://www.epx for additional trademark information and notices. National product specifications may vary. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. All rights reserved. and SAP Group shall not be liable for errors or omissions with respect to the materials.sap. . The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services.sap.
Copyright © 2024 DOKUMEN.SITE Inc.