Installation, Configuration and Administration Guide SAP NetWeaver Single-Sign-On SP2 Secure Login Server PUBLIC Document Version: 1.2 December 2011
Post on 13-Apr-2016
Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer

Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.

Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

SAP AG
Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com

Terms for Included Open Source Software

This SAP software also contains the third-party open source software products listed below. Please note that for these third-party products the following special terms and conditions shall apply.

Prototype JavaScript Framework http://www.prototypejs.org/

Copyright (c) 2005-2010 Sam Stephenson

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

stringutils http://sourceforge.net/projects/stringutils/

Copyright (c) 2006 Andrea S. Gozzi, Valerio Romeo

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

opencsv 1.7.1 http://opencsv.sourceforge.net/

Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

Typographic Conventions

Type Style: Description

Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also used for cross-references to other documentation.

Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon: Meaning (the icon images themselves are not reproduced in this transcript)

- Caution
- Example
- Note
- Recommendation
- Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help > General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Contents

1 What is Secure Login? ..... 9
1.1 System Overview ..... 10
1.2 System Overview with Security Token ..... 11
1.3 System Overview with Secure Login Server ..... 14
1.4 Instances ..... 16
1.5 PKI Structure ..... 17
1.6 Secure Communication ..... 18
1.7 Policy Server Overview ..... 19
1.8 Secure Login Web Client ..... 20
1.8.1 Export Restrictions ..... 20

2 Secure Login Server Installation ..... 21
2.1 Prerequisites ..... 21
2.1.1 Secure Login Library ..... 22
2.2 Secure Login Server Installation with Telnet ..... 26
2.3 Secure Login Server Installation with JSPM ..... 27
2.4 Secure Login Server Uninstallation ..... 30
2.5 Updating the Secure Login Server to SP2 ..... 30
2.6 Initial Configuration Wizard ..... 31
2.6.1 Initial Configuration ..... 31
2.6.2 Enable Remote Access for Initial Wizard ..... 47
2.6.3 Configure SSH Tunnel ..... 48

3 Administration ..... 49
3.1 Logon to Administration Console ..... 49
3.2 Welcome Page ..... 50
3.2.1 Change Password ..... 51
3.3 Server Configuration ..... 52
3.3.1 Edit Server Configuration ..... 54
3.3.2 Edit Login Type Setting ..... 55
3.3.3 Certificate Management ..... 56
3.3.4 Trust Store Management ..... 68
3.3.5 Certificate Template ..... 69
3.3.6 System Check ..... 76
3.3.7 Message Settings ..... 77
3.3.8 SNC Configuration ..... 81
3.3.9 Server Status ..... 82
3.3.10 Sign Certificate Requests ..... 83
3.3.11 Console Log Viewer ..... 85
3.3.12 Web Client Configuration ..... 87
3.4 Instance Management ..... 92
3.4.1 DefaultServer Configuration ..... 92
3.4.2 Create a New Instance ..... 115
3.5 Console Users ..... 120
3.5.1 User Management ..... 120
3.5.2 Role Management ..... 123
3.5.3 Locked Files Management ..... 124

4 Other Configurations ..... 125
4.1 Configure Login Module ..... 125
4.2 Verify Authentication Server Configuration ..... 131
4.3 Create Technical User in SAP Server ..... 133
4.4 Mozilla Firefox Support ..... 133
4.4.1 Install Firefox Extension ..... 133
4.4.2 Uninstall Mozilla Firefox Extension ..... 134
4.5 Customize Secure Login Web Client ..... 135
4.6 Configure SSL Certificate Logon ..... 135
4.7 Configure External Login ID ..... 136
4.8 Emergency Recovery Tool ..... 136
4.9 Monitoring ..... 139
4.9.1 Web Service Status ..... 139
4.9.2 XML Interface ..... 139
4.10 Secure Login Client Policy and Profiles ..... 141
4.10.1 Client Policy ..... 141
4.10.2 Applications and Profiles ..... 142
4.11 Integrate into Existing PKI ..... 146
4.12 Configuring Secure Login Servers as Failover Servers for High Availability ..... 147
4.13 Configuring Login Module Stacks as Failover Servers in SAP NetWeaver ..... 149
4.13.1 Configuration of SAP NetWeaver AS Java ..... 150
4.13.2 Configuration of the Secure Login Server ..... 151
4.14 Setting Failover Timeouts of the Login Modules ..... 152
4.15 Custom Use of Login Module with Login Module Stacks ..... 152

5 Configuration Examples ..... 154
5.1 Kerberos Authentication with SPNego ..... 154
5.2 LDAP User Authentication ..... 155
5.3 SAP User Authentication ..... 156
5.4 RADIUS User Authentication ..... 157
5.5 Configuring RSA Authentication with RADIUS ..... 158
5.5.1 Configuration of the securid.ini File ..... 158
5.5.2 Customer-Specific Configuration of the securid.ini File ..... 159
5.5.3 Ensuring Encrypted Communication with Shared Secret ..... 160

6 Troubleshooting ..... 161
6.1 Checklist User Authentication Problem ..... 161
6.2 Secure Login Server SNC Problem ..... 162
6.3 Enable Secure Login Server Trace ..... 163
6.4 Enable Secure Login Library Trace ..... 163
6.5 Secure Login Server Lock and Unlock ..... 164
6.6 Access Denied Replies ..... 165
6.7 Internal Server Message ..... 165
6.8 Error Codes ..... 166
6.8.1 Secure Login Server Error Codes ..... 166
6.8.2 SAP Stacktrace Error Codes ..... 168

7 List of Abbreviations ..... 171

8 Glossary ..... 173


1 What is Secure Login?

Secure Login is an innovative software solution created specifically to improve user and IT productivity and to protect business-critical data in SAP business solutions through secure single sign-on to the SAP environment.

Secure Login provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components. Examples:

- SAP GUI and SAP NetWeaver platform with Secure Network Communications (SNC)
- Web GUI and SAP NetWeaver platform with Secure Sockets Layer (SSL, HTTPS)
- Third-party application servers supporting X.509 certificates

In a default SAP setup, users enter their SAP user name and password into the SAP GUI logon screen. SAP user names and passwords are transferred through the network without encryption.

To secure networks, SAP provides the Secure Network Communications (SNC) interface, which enables users to log on to SAP systems without entering a user name or password. The SNC interface can also direct calls through the Secure Login Library to encrypt all communication between the SAP GUI and the SAP server, thus providing secure single sign-on to SAP.

Secure Login lets you benefit from the advantages of SNC without being forced to set up a Public Key Infrastructure (PKI). Secure Login allows users to authenticate with one of the following authentication mechanisms:

- Microsoft Windows domain (Active Directory server)
- RADIUS server
- LDAP server
- RSA SecurID token
- SAP NetWeaver server
- Smart card authentication

If a PKI has already been set up, the digital user certificates of that PKI can also be used by Secure Login.

Secure Login also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) with SSL.


    1.1 System Overview Secure Login is a client/server software system integrated with SAP software to make single sign-on, alternative user authentication, and enhanced security easy for distributed SAP environments.

    The Secure Login solution includes the following components:

    Secure Login Server Central service which provides X.509v3 certificates (out-of-the-box PKI) to users and application server. The Secure Login Web Client is provided as well.

    Secure Login Library Crypto library for the SAP NetWeaver ABAP system. The Secure Login Library supports both X.509 and Kerberos technology.

    Secure Login Client Client application which provides security tokens (Kerberos and X.509 technology) for a variety of applications.

    It is not necessary to install all components. This depends on the use case. For further information about Secure Login Client and Secure Login Library see the corresponding Installation, Configuration and Administration Guide.

The Secure Login Client is split into the following variants:

Secure Login Client

Secure Login Client can either be used with an existing public key infrastructure (PKI) or together with the Secure Login Server. You can use it for certificate-based authentication without being obliged to set up a PKI. The stand-alone Secure Login Client can use the following authentication methods:

    - Smart Cards and USB tokens with an existing PKI certificate

    Secure Login Server and Authentication Server are not necessary.

    - Microsoft Crypto Store with an existing PKI certificate

    Secure Login Server and Authentication Server are not necessary.

    - Microsoft Windows credentials

    The Microsoft Windows domain credentials (Kerberos token) can be used for authentication. In addition, the Microsoft Windows credentials can be used to receive a user X.509 certificate with Secure Login Server.

- User name and password (several authentication mechanisms)

    The Secure Login Client prompts you for a user name and a password and uses these credentials for authentication at the Secure Login Server to receive a user X.509 certificate.

    All of these authentication methods can be used in parallel. A policy server provides authentication profiles that specify how to log on to the desired SAP system.

Secure Login Web Client

This client is based on a Web browser (Web GUI) and is part of the Secure Login Server. The Secure Login Web Client supports the same authentication methods as the stand-alone Secure Login Client, but with the following limitations:

- Limited integration with the client environment (user interaction required)

- Limited client policy configuration


1.2 System Overview with Security Token

The Secure Login Client is integrated with SAP software to provide a single sign-on capability and enhanced security. An existing PKI structure or Kerberos infrastructure can be used for user authentication.

Main System Components

The following figure shows the Secure Login system environment with the main system components if an existing PKI or Kerberos infrastructure is used.

Figure: Secure Login System Environment with Existing PKI and Kerberos (the figure shows the Secure Login Client holding a security token from a smart card or USB token, from the Microsoft Crypto Store, or a Kerberos token; the PKI infrastructure and the Kerberos infrastructure that issue those tokens; and the Secure Login Library on the SAP NetWeaver platform, which handles authentication and secure communication for SAP GUI and Web GUI)

    The Secure Login Client is responsible for the certificate-based authentication and Kerberos-based authentication to the SAP application server.

Authentication Methods

In a system environment without Secure Login Server, the Secure Login Client supports the following authentication methods:

    Smart Card and USB tokens with an existing PKI certificate

    Microsoft Crypto Store (Certificate Store)

    Kerberos token


Workflow for X.509 Certificates

The following figure shows the principal workflow and communication between the individual components.

Figure: Principal Workflow (steps 1 to 6 as described below: the Secure Login Client starts the connection and gets the SNC name, maps the SNC name to an authentication profile, the user unlocks the security token (smart card, USB token or Microsoft Crypto Store), the client provides the certificate to the SAP GUI application, and the Secure Login Library on the SAP NetWeaver platform performs the authentication and secures the communication)

    1. Upon connection start, the Secure Login Client retrieves the SNC name from the desired SAP server system.

    2. The Secure Login Client uses the authentication profile for this SNC name.

    3. The user unlocks the security token by entering the PIN or password.

    4. The Secure Login Client receives the X.509 certificate from the user security token.

    5. The Secure Login Client provides the X.509 certificate for SAP single sign-on and secure communication between SAP Client and SAP Server.

    6. The user is authenticated and the communication is secured.

    Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto engines. The Crypto Service Provider (CSP) from SAP is such a plug-in. It provides the user keys to all CAPI-enabled applications.


Workflow for Kerberos Token

The following figure shows the principal workflow and communication between the individual components.

    Figure: Principal Workflow Kerberos Authentication

    1. Upon connection start, the Secure Login Client retrieves the SNC name (Service Principal Name) from the respective SAP server system.

2. The Secure Login Client requests a Kerberos service ticket for this Service Principal Name from the Ticket Granting Service (TGS) of the Kerberos infrastructure.

    3. The Secure Login Client receives the Kerberos Service token.

    4. The Secure Login Client provides the Kerberos Service token for SAP single sign-on and secure communication between SAP Client and SAP server.

    5. The user is authenticated and the communication is secured.


1.3 System Overview with Secure Login Server

The main feature of the Secure Login Server is to provide an out-of-the-box PKI for users and application server systems (for example, SAP NetWeaver).

Users receive short-term X.509 certificates; application servers receive long-term X.509 certificates. Because the certificates follow the industry standard X.509v3, they can be used with non-SAP systems as well.

    In order to provide user certificates, the user needs to be authenticated (verified by the Secure Login Server). Therefore the Secure Login Server supports several authentication server systems.

Main System Components

The following figure shows the Secure Login system environment with the main system components.

    Figure: Secure Login System Environment

    The Secure Login Client is responsible for the certificate-based logon to the SAP application server and encryption of the SAP client/server communication.

The Secure Login Server is the central server component that connects all parts of the system. It authenticates users against an authentication server and provides the Secure Login Client with a short-term certificate. The Secure Login Server is a pure Java application: it consists of a servlet and a set of associated classes and shared libraries, and it is installed on an SAP NetWeaver application server.

    The Secure Login Server provides client authentication profiles to the Secure Login Client, which allows flexible user authentication configurations (for example, which authentication type should be used for which SAP application server).


Authentication Methods

Secure Login supports several authentication methods. It uses the Java Authentication and Authorization Service (JAAS) as a generic interface for the different authentication methods.

    For each supported method, there is a corresponding configurable JAAS module.

    The following authentication methods are supported:

    Microsoft Active Directory Service (ADS)

    RADIUS

    RSA SecurID token

    LDAP

    SAP ID-based logon

    SAP NetWeaver AS Java User Management Engine

    SAP NetWeaver AS Java SPNego

Workflow with X.509 Certificate Request

The following figure shows the principal workflow and communication between the individual components.

    Figure: Principal Workflow

    1. Upon connection start, the Secure Login Client gets the SNC name from the desired SAP server system.

    2. The Secure Login Client uses the client policy for this SNC name.

    3. The Secure Login Client receives the user login credentials.


    4. The Secure Login Client generates a certificate request.

    5. The Secure Login Client sends the user credentials and the authentication request to the Secure Login Server.

    6. The Secure Login Server forwards the user credentials to the authentication server and receives a response indicating whether the user credentials are valid or not.

    7. If the user credentials are valid, the Secure Login Server generates a user certificate (certificate response) and provides it to the Secure Login Client.

    8. Secure Login Client provides the certificate to SAP GUI.

    9. The user certificate is used to perform an authentication, single sign-on, and secure communication between SAP client and server.

1.4 Instances

The Secure Login instances feature allows multiple instances to run on the same server. The main advantage of using instances is that the effort for maintaining Secure Login is kept to a minimum.

    Secure Login Server instances can use a common user CA certificate for one or more instances, or you can set an individual user CA certificate (PKI) for each instance.

    The Secure Login Client authentication profiles can be configured to use different Secure Login Server instances for different authentication methods.

    Figure: Instances Examples

    It is still possible to use several Secure Login Servers and/or authentication servers for failover. The Secure Login Server can connect to more than one authentication server.


1.5 PKI Structure

There are different integration scenarios available for Secure Login Server.

Out-of-the-Box PKI

Secure Login Server provides standard X.509 certificates for users (short-term) and application servers (long-term). The following out-of-the-box PKI structure can be delivered with the Secure Login Server.

    Figure: Secure Login Server PKI Structure

PKI Integration

As the Secure Login Server is based on the industry standard X.509v3, it can be integrated into an existing PKI. The required minimum is to provide a user CA certificate to the Secure Login Server.

    Figure: Secure Login Server Integration with an Existing PKI
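The certificate request workflow of section 1.3 and the two-tier PKI structure of this section can be reproduced with openssl. The following script is an added example and is not SAP code; it does not use the Secure Login Server, but builds the same shape of hierarchy: a Root CA, a User CA that issues a short-lived user certificate from a client-generated certificate request, and an SSL CA that issues a longer-lived server certificate, and then verifies both chains. The subject names, the validity periods (one day for the user, two years for the server), the file layout under a temporary directory and the host name sls.example.com are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not SAP code): an openssl model of the Secure Login Server PKI
# structure. Root CA -> User CA -> short-term user certificate (from a CSR),
# Root CA -> SSL CA -> long-term server certificate. All names, lifetimes and
# paths are assumptions made for this demonstration.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

# Writes a minimal openssl config: an empty DN section (subjects are passed with
# -subj) and the extension sets for CA, user and server certificates.
write_config() {
  cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_user]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:sls.example.com
EOF
}

# issue DIR NAME SUBJECT EXTENSIONS DAYS [ISSUER]
# Generates a 2048-bit RSA key and a certificate request for NAME (the client
# side of the workflow), then signs the request: self-signed when no ISSUER is
# given (the Root CA), otherwise with ISSUER's key (the CA side).
issue() {
  dir="$1"; name="$2"; subj="$3"; ext="$4"; days="$5"; issuer="$6"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/$name.key" 2>/dev/null
  openssl req -new -key "$dir/$name.key" -subj "$subj" -config "$dir/ext.cnf" -out "$dir/$name.csr"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" -days "$days" \
      -extfile "$dir/ext.cnf" -extensions "$ext" -out "$dir/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.crt" -CAkey "$dir/$issuer.key" \
      -CAcreateserial -days "$days" -extfile "$dir/ext.cnf" -extensions "$ext" \
      -out "$dir/$name.crt" 2>/dev/null
  fi
}

# build_pki DIR: creates the whole hierarchy in DIR.
build_pki() {
  write_config "$1"
  issue "$1" root   "/CN=Root CA SAP Security/O=Company xyz/C=DE" v3_ca     3650
  issue "$1" userca "/CN=User CA SAP Security/O=Company xyz/C=DE" v3_ca     1825 root
  issue "$1" sslca  "/CN=SSL CA SAP Security/O=Company xyz/C=DE"  v3_ca     1825 root
  issue "$1" user   "/CN=jdoe/O=Company xyz/C=DE"                 v3_user   1    userca
  issue "$1" server "/CN=sls.example.com/O=Company xyz/C=DE"      v3_server 730  sslca
}

# verify_chain DIR LEAF INTERMEDIATE: succeeds only when LEAF chains to the Root
# CA through INTERMEDIATE. A relying party (Secure Login Library, browser) needs
# the intermediate CA certificate as well as the trusted root.
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/$3.crt" "$1/$2.crt" >/dev/null 2>&1
}

# expires_within DIR NAME SECONDS: succeeds when the certificate expires within SECONDS.
expires_within() {
  ! openssl x509 -in "$1/$2.crt" -noout -checkend "$3" >/dev/null
}

pki=$(mktemp -d)
build_pki "$pki"
two_days=172800
if verify_chain "$pki" user userca; then echo "user certificate chains to the Root CA via the User CA"; fi
if verify_chain "$pki" server sslca; then echo "server certificate chains to the Root CA via the SSL CA"; fi
if ! verify_chain "$pki" user sslca; then echo "user certificate does not chain via the SSL CA (expected)"; fi
if expires_within "$pki" user "$two_days"; then echo "user certificate is short-term"; fi
if ! expires_within "$pki" server "$two_days"; then echo "server certificate is long-term"; fi
```

The third check is the one worth remembering when integrating with an existing PKI: a user certificate only verifies when the relying party has the User CA certificate in addition to the trusted root, so the CA chain delivered to the Secure Login Library and to browsers must include the intermediate CA.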


1.6 Secure Communication

The goal of the Secure Login solution is to establish secure communication between all required components:

    Figure: Secure Communication

Technology Used for Secure Communication

From -> To: Security Protocol / Interface

SAP GUI -> SAP NetWeaver: DIAG/RFC (SNC)

Business Explorer -> SAP NetWeaver: DIAG/RFC (SNC)

Business Client -> SAP NetWeaver: DIAG/RFC (SNC), HTTPS

Web GUI -> SAP NetWeaver: HTTPS (SSL)

Secure Login Client -> Secure Login Server: HTTPS (SSL)

Secure Login Server -> LDAP Server: LDAPS (SSL)

Secure Login Server -> SAP NetWeaver: RFC (SNC)

Secure Login Server -> RADIUS Server: RADIUS (shared secret)

Note that the RADIUS shared secret protects only the password attribute of the RADIUS exchange; the remaining attributes are sent in clear text. Keep the connection between Secure Login Server and RADIUS server on a trusted network segment.


1.7 Policy Server Overview

Secure Login Client configuration is profile-based. You can configure application contexts to provide a mechanism for automatic, application-based profile selection. The system then searches the application contexts for specific personal security environment uniform resource identifiers (PSE URIs).

    If no matching PSE URI is found, a default application context that links to a default profile can be defined.

    The application contexts and profiles are stored in the Microsoft Windows Registry of the client. You define these parameters in the XML policy file.

    Figure: Default Application Context and Profile


1.8 Secure Login Web Client

Secure Login Web Client is a feature of the Secure Login Server. It is a Web-based solution for the authentication of users in Web browsers (in portal scenarios) on a variety of platforms and for launching SAP GUI with SNC security. You also use it for authentication against SAP NetWeaver Web Application Server.

    This means that the client is no longer limited to Microsoft Windows, but Mac OS X, and Linux-based client systems can be used as well. Another use case is providing short term certificates to external employees (for example, to external consultants).

    The following main features are available:

    Browser-based authentication (including all authentication server support)

    Support for SAP GUI for Microsoft Windows and SAP GUI for Java

    Certificate store support for Microsoft Internet Explorer and Mozilla Firefox browser

    URL redirect X.509 authentication support to SAP Web application server

    Localization and customization of HTML pages and applet messages

    Differences between Secure Login Client and Secure Login Web Client:

With Secure Login Client, the required security library is installed on the client. With Secure Login Web Client, the security library is downloaded into the Web browser when the Web client starts.

With Secure Login Client, the authentication process and secure communication can be triggered on demand (for example, from SAP GUI). The Secure Login Web Client triggers the authentication process and secure communication itself and, after successful authentication, starts the SAP GUI.

    1.8.1 Export Restrictions

    At the start of the Secure Login Web Client, it transfers components that are required for authentication and for a secure network connection from the server to the client.

    The Secure Login Web Client contains components with cryptographic features for authentication and for a secure server/client network connection. Under German export control regulations, these components are classified with ECCN 4D003. If server and client are not located in the same country a transfer takes place that requires compliance with applicable export and import control regulations.

    If the Secure Login Server and the Secure Login Web Client are installed in different countries, you are obliged to make sure that you abide by the export and import regulations of the countries involved.

  • 2 Secure Login Server Installation

    06/2011 21

2 Secure Login Server Installation

This chapter describes how to install Secure Login Server. The installation can be done with the Telnet administration interface of the AS Java or with the Java Support Package Manager (JSPM, the SAP Software Delivery Tool).

2.1 Prerequisites

This section describes the prerequisites and requirements for the installation of Secure Login Server. The SAP NetWeaver Application Server must be up and running.

Hardware Requirements

Secure Login Server:

- Hard disk space: 50 MB, plus space for log files

- Random-access memory: 1 GB RAM at minimum

Software Requirements

Secure Login Server:

- Application server: SAP NetWeaver CE 7.2 or SAP NetWeaver 7.3

- Optional: Secure Login Library. The Secure Login Library installation is optional and required for SAP user authentication only. It is used to establish secure communication to SAP NetWeaver Application Server ABAP in order to verify SAP credentials. For operating system support, see the Installation, Configuration and Administration Guide of the Secure Login Library.

Secure Login Web Client:

- Operating systems: Microsoft Windows 7, Vista, XP (32-bit); SUSE Linux Enterprise Desktop 11; Mac OS X 10.5, 10.6

- Java: Sun Java 1.5 or higher browser plug-in

- Internet browser (32-bit): Microsoft Internet Explorer 7, 8, 9; Mozilla Firefox 3.6 and higher


Supported Authentication Servers

Secure Login Server:

- LDAP server system: Microsoft Active Directory 2003, 2008; OpenLDAP

- SAP server system: SAP NetWeaver Application Server ABAP 6.20 or higher

- RADIUS server system: RSA Authentication Manager 6.1 and 7.1; FreeRADIUS; Microsoft Network Policy and Access Services (NPA); Microsoft Internet Authentication Service (IAS)

- SAP NetWeaver AS Java User Management Engine (UME): BasicPasswordLoginModule

2.1.1 Secure Login Library

The Secure Login Library installation is optional and is required for SAP NetWeaver Application Server user authentication only. The Secure Login Library is used to establish secure communication to the SAP ABAP server and to verify SAP credentials.

    Keep in mind that there are different Secure Login Library software packages available depending on the desired operating system. This document describes the installation for Microsoft Windows and Linux operating system.

    Secure Login Library for Microsoft Windows Operating System

    Step 1 Copy Library Files

Copy the Secure Login Library software for Microsoft Windows to the target SAP NetWeaver Application Server and extract the file SECURELOGINLIB.SAR with the SAPCAR command line tool into the exe folder of the Java instance:

sapcar -xvf <path>\SECURELOGINLIB.SAR -R <drive>:\usr\sap\<SID>\<instance>\exe\

Example

sapcar -xvf D:\InstallSLS\SECURELOGINLIB.SAR -R D:\usr\sap\ABC\J00\exe\

Check that the instance's exe folder, which is used by the Secure Login Library, is included in the Java library path. Verify the Java library path (libpath) in the trace file <drive>:\usr\sap\<SID>\<instance>\work\dev_jstart.


    Step 2 Environment Variable SECUDIR

Set the system environment variable SECUDIR to the sec folder of the Java instance:

SECUDIR=<drive>:\usr\sap\<SID>\<instance>\sec

    Example

    SECUDIR=D:\usr\sap\ABC\J00\sec

    Step 3 Verify Secure Login Library

To verify the Secure Login Library, run the snc command from the instance's exe folder:

<drive>:\usr\sap\<SID>\<instance>\exe\snc.exe

Example

D:\usr\sap\ABC\J00\exe\snc.exe

As a result, you get further information about the Secure Login Library. The test is successful if the version is displayed.

    Figure: Verify Secure Login Library with the Command snc

    Step 4 Restart SAP NetWeaver Application Server

In an installation under Microsoft Windows, restart the SAP NetWeaver Application Server, because the environment variable SECUDIR does not take effect until you perform a restart.


    Secure Login Library for Linux Operating System

    Step 1 Copy Library Files

Copy the Secure Login Library software for Linux to the target SAP NetWeaver Application Server and extract the file SECURELOGINLIB.SAR with the SAPCAR command line tool into the exe folder of the Java instance:

sapcar -xvf <path>/SECURELOGINLIB.SAR -R /usr/sap/<SID>/<instance>/exe

Example

sapcar -xvf /InstallSLS/SECURELOGINLIB.SAR -R /usr/sap/ABC/J00/exe

Check that the instance's exe folder, which is used by the Secure Login Library, is included in the Java library path. Verify the Java library path (libpath) in the trace file /usr/sap/<SID>/<instance>/work/dev_jstart.

    Step 2 Define File Attributes

To use the shared libraries, set the file permission attributes of the snc tool and of the lib* files in the exe folder with the following command:

chmod +rx /usr/sap/<SID>/<instance>/exe/snc /usr/sap/<SID>/<instance>/exe/lib*

Example

chmod +rx /usr/sap/ABC/J00/exe/snc /usr/sap/ABC/J00/exe/lib*

    Step 3 Define File Owner

Grant ownership to the user account that is used to start the SAP application (<sid>adm).

Change to the folder /usr/sap/<SID>/<instance>/exe/ and use the following command:

    chown [OWNER]:[GROUP] *

    Example chown abcadm:sapsys *

    Step 4 Verify Secure Login Library

To verify the Secure Login Library, run the snc command as user <sid>adm:

/usr/sap/<SID>/<instance>/exe/snc

Example

/usr/sap/ABC/J00/exe/snc

As a result, further information about the Secure Login Library should be displayed. The test is successful if the version is displayed.

    Figure: Verify Secure Login Library with the snc Command
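The four Linux steps above can be verified from a shell. The following script is an added example and is not part of the SAP guide: it checks that the extracted snc tool and lib* files are readable and executable and owned by the expected user (steps 2 and 3), that SECUDIR is set to an existing directory, and that the instance's exe folder appears on the libpath recorded in dev_jstart (step 1). The format of the libpath line ("libpath = dir1:dir2:...") and the fixture it builds under a temporary directory (a stand-in snc script, a stand-in library file, a constructed dev_jstart excerpt) are assumptions; point the functions at a real instance directory to use them there.

```shell
#!/bin/sh
# Added example (not from the SAP guide): post-installation checks for the
# Secure Login Library on Linux. The dev_jstart line format "libpath = a:b:c"
# is an assumption; the instance layout below is a constructed fixture.
set -e

# check_libpath TRACEFILE EXEDIR: succeeds when EXEDIR is one of the
# colon-separated directories on the libpath line of the jstart trace.
check_libpath() {
  grep -i 'libpath' "$1" | sed 's/^[^=]*=[[:space:]]*//' | tr ':' '\n' | grep -qxF "$2"
}

# check_exe_files EXEDIR UID: succeeds when the snc tool and every lib* file in
# EXEDIR are readable and executable (chmod +rx step) and owned by UID (chown step).
check_exe_files() {
  for f in "$1"/snc "$1"/lib*; do
    [ -r "$f" ] && [ -x "$f" ] || return 1
    [ "$(ls -ln "$f" | awk '{print $3}')" = "$2" ] || return 1
  done
}

# check_secudir: succeeds when SECUDIR is set and names an existing directory.
check_secudir() {
  [ -n "$SECUDIR" ] && [ -d "$SECUDIR" ]
}

# --- constructed fixture standing in for /usr/sap/ABC/J00 ---
demo_root=$(mktemp -d)
inst="$demo_root/usr/sap/ABC/J00"
exe="$inst/exe"; work="$inst/work"; sec="$inst/sec"
mkdir -p "$exe" "$work" "$sec"
printf '#!/bin/sh\necho "Secure Login Library stand-in"\n' > "$exe/snc"   # stand-in for the real snc tool
: > "$exe/libslc_demo.so"                                                  # stand-in for an extracted library
chmod +rx "$exe"/snc "$exe"/lib*
printf 'libpath = /usr/lib:%s\n' "$exe" > "$work/dev_jstart"               # constructed trace excerpt
SECUDIR="$sec"; export SECUDIR

if check_libpath "$work/dev_jstart" "$exe"; then echo "libpath contains $exe"; else echo "exe folder missing from libpath"; fi
if check_exe_files "$exe" "$(id -u)"; then echo "snc and lib* files: permissions and owner OK"; else echo "snc/lib* permissions or owner wrong"; fi
if check_secudir; then echo "SECUDIR=$SECUDIR"; else echo "SECUDIR not set or not a directory"; fi
```

On a real instance, run the checks as <sid>adm with the instance's exe and work folders; a missing exe folder on the libpath is the usual reason the AS Java cannot load the library even though the snc command works from the shell.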


    2.2 Secure Login Server Installation with Telnet

1.) Copy the file SECURE_LOGIN_SERVER0SP_0.sca to the target SAP NetWeaver Application Server.

2.) Start a Telnet session to the AS Java administration port (5<NN>08, where NN is the instance number): telnet localhost 5<NN>08

Example

telnet localhost 50008

The Telnet session transmits the administrator logon in clear text, so use it on the server itself (localhost) as shown and not across the network.

3.) Deploy the Secure Login Server package.

deploy <path>\SECURE_LOGIN_SERVER0SP_0.sca

Microsoft Windows Example

deploy D:\InstallSLS\SECURE_LOGIN_SERVER0SP_0.sca

The Secure Login Server application is started automatically. Continue with the initial configuration described in section 2.6 Initial Configuration Wizard.

List of Useful Telnet Commands

- Deploy application: deploy SECURE_LOGIN_SERVER0SP_0.sca

- Undeploy application: undeploy name=SecureLoginServer vendor=sap.com

- List application: list_app | grep SecureLoginServer

- Stop application: stop_app sap.com/SecureLoginServer

- Start application: start_app sap.com/SecureLoginServer


    2.3 Secure Login Server Installation with JSPM

1.) Copy the file SECURE_LOGIN_SERVER0SP_0.sca to the target SAP NetWeaver Application Server. The target folder is the EPS inbox of the transport directory:

- Microsoft Windows: \\localhost\sapmnt\trans\EPS\in (on the server itself: <drive>:\usr\sap\trans\EPS\in)

- Linux: /usr/sap/trans/EPS/in

2.) Start the JSPM application (SAP Software Delivery Tool) on the SAP NetWeaver Application Server:

- Microsoft Windows: <drive>:\usr\sap\<SID>\<instance>\j2ee\JSPM\go.bat

- Linux: /usr/sap/<SID>/<instance>/j2ee/JSPM/go

3.) Log on to SAP NetWeaver AS Java with a user with administration privileges.


    4.) Choose the New Software Components option.

    5.) Select sap.com/SECURE_LOGIN_SERVER.


    6.) Start the deployment process.

    7.) After the deployment finishes, exit the JSPM application.


2.4 Secure Login Server Uninstallation

This section describes how to uninstall Secure Login Server using Telnet.

1.) Start a Telnet session to the AS Java administration port (5<NN>08, where NN is the instance number): telnet localhost 5<NN>08

    Example

    telnet localhost 50008

    2.) Stop the Secure Login Server application. stop_app sap.com/SecureLoginServer

    3.) Undeploy the Secure Login Server package. undeploy name=SecureLoginServer vendor=sap.com

2.5 Updating the Secure Login Server to SP2

In SAP Note 1660519 you find a description of how to update the Secure Login Server to SP1. You see the current version number of the Secure Login Server in the parameter Server Build; the entry REL_1_0_2_20 stands for SP2 (see 3.3.9 Server Status). After the installation, restart the system.

    During the installation, the following files are deleted:

    config.properties file

    userenv.registry

    Make a backup of these files before you execute an installation. After the installation, copy the files to the relevant directories.


2.6 Initial Configuration Wizard

After the deployment of Secure Login Server, an initial configuration is required.

For security reasons, the initial configuration of the Secure Login Server can be performed on the local host only (the same server computer on which the Secure Login Server resides).

If, however, you want to perform the initialization and configuration from a remote location, you must manually enable this feature by editing the Secure Login web.xml file. For more information, see section 2.6.2 Enable Remote Access for Initial Wizard.

If a GUI is not available (for example, Linux without an X Window System), use an SSH tunnel to localhost to access the wizard. For more information, see section 2.6.3 Configure SSH Tunnel.

2.6.1 Initial Configuration

This section describes the initial configuration of the Secure Login Server.

    Before starting the Initial Configuration Wizard, verify that the Secure Login Server application is running.

Start the initial configuration using the browser URL http://localhost:5<NN>00/securelogin (NN is the instance number of the AS Java).

    Welcome Page

    In the welcome page a prerequisite check is performed. Verify all prerequisites.

    If everything is OK, choose Continue.

    Figure: Initial Configuration Wizard Welcome Page


    Key File for Encryption of Server Credentials

    The key file is a file on the server with random content and is used to secure password information in configuration files. You can use any kind of file type which is larger than 32 bytes. You must create or copy the file to the desired location on the server and define it in this configuration step. There is a check whether the key file is available.

    Define the location of the key file.

    Example:

    D:\usr\sap\ServerKeyFile\KeyFile.txt

    Figure: Initial Configuration Wizard Key file for server credentials encryption

Keep in mind that if the key file is changed or not available, it is no longer possible to log on to the Secure Login Administration Console; the Secure Login Server stops working and is locked. Protect the file with restrictive file system permissions and keep a backup of it outside the server.
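Because every stored server password depends on this file, its creation and protection deserve a check. The following script is an added example and not part of the SAP guide: it creates a key file from 64 random bytes with owner-only permissions and checks that a given file meets the size requirement above and is not readable by group or other users. The 64-byte size, the location under a temporary directory and the permission rule are this script's assumptions; the guide only requires a file larger than 32 bytes.

```shell
#!/bin/sh
# Added example (not from the SAP guide): create and check the key file used to
# encrypt server credentials. Size (64 bytes), location and the owner-only
# permission rule are assumptions; the guide requires only a file > 32 bytes.
set -e

# create_keyfile PATH: writes 64 random bytes; the subshell umask makes the
# file owner-only from the moment it is created.
create_keyfile() {
  ( umask 077; head -c 64 /dev/urandom > "$1" )
}

# check_keyfile PATH: succeeds when PATH is a regular file larger than 32 bytes
# whose group and other permission bits are all clear.
check_keyfile() {
  [ -f "$1" ] || return 1
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -gt 32 ] || return 1
  others=$(ls -ln "$1" | cut -c5-10)   # group and other bits, e.g. "------"
  [ "$others" = "------" ]
}

demo_dir=$(mktemp -d)
keyfile="$demo_dir/KeyFile.bin"
create_keyfile "$keyfile"
if check_keyfile "$keyfile"; then
  echo "key file OK: $keyfile ($(wc -c < "$keyfile" | tr -d ' ') bytes, owner-only)"
else
  echo "key file rejected: $keyfile"
fi
```

Run create_keyfile as the user that starts the AS Java so that the server process can read the file, and copy the result to the backup location before entering its path in the wizard.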

    After the configuration, choose Next to continue.


    Administrator Account

    Define the password for the administration user Admin.

    Figure: Initial Configuration Wizard Administrator Account

    Entries marked with * are mandatory.

    Passwords used in Secure Login Server are restricted by the password policy definition.

    Passwords cannot be empty

    Passwords must have a length between 8 to 20 characters

    Passwords must contain at least one uppercase letter

    Passwords must contain at least one lowercase letter

    Passwords must contain at least one digit

    Passwords must contain at least one special character

    After the configuration, choose Next to continue.


    Create Root CA Certificate

    Define the parameter for the root CA certificate.

    Figure: Initial Configuration Wizard Create Root CA

    Entries marked with * are mandatory.

    Option Details

    Create a Root CA by providing certificate information

    Common Name*

    Enter the common name of the certificate (CN).

    Example: Root CA SAP Security

    Organization Unit

    Enter the division of the company in this field (OU).

    Example: SAP Security Department

    Organization

    Enter the company name in this field (O).

    Example: Company xyz

    Locality

    Enter the regional information in this field (L).

    Example: Walldorf

    Country

    Enter the country abbreviation in this field (C).

    Example: DE

    Encryption Key Length

Select the key length for the certificate key (512, 1024, 1536, 2048, 3072, or 4096 bits). Use at least 2048 bits: 512-bit and 1024-bit keys are no longer considered secure for a CA.


    Valid From*

    Enter the date from when the validity of this certificate starts (format: YYYY-MM-DD).

    Valid To*

    Enter the date when the validity of this certificate ends (format: YYYY-MM-DD).

    Password*

    In this field you enter the password for this certificate. The password length is limited to 20 characters.

Save Password

If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.

    Confirm Password*

    Confirm the encryption password entered in the field above.

    Import an Existing Key Store File

    Checking this option displays the following options:

    KeyStore File*

    Click Browse to locate and load an existing KeyStore file (File Format is: *.pse).

    Password*

    The password for the KeyStore (PSE) file.

    Save Password

    If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.

Skip this certificate

Check this option if you do not want to or do not need to enter any information for this specific certificate at this time.

Skip all PKI certificates

Check this option if you do not want to or do not need to enter information for any certificate at this time. This means you skip all the PKI certificates including the Root CA, SSL CA, SSL Server, and User CA certificates.

    You can create or add certificate information at a later time in the Certificate Management function of the Administration Console.

    After the configuration, choose Next to continue.


    Select the SSL Certificate Generation Type

    Choose an option for the SSL certificate.

    Figure: Initial Configuration Wizard Select the SSL Certificate Generation Type

    It is possible to install or import SSL certificates later on using the administration console Certificate Management. For more information, see section 3.3.3 Certificate Management.

    Option Details

    Generate an SSL certificate using the Secure Login Administration Console

    The SSL certificates for the SAP NetWeaver Application Server (or other Web application server) are created using the Secure Login Administration Console.

Skip all SSL certificates

Check this option if you do not want to or do not need to enter information for SSL certificates at this time.

    After having chosen an option configuration, choose Next to continue.


    Create SSL CA Certificate

    This step is optional and is only available if the option Generate an SSL certificate using the Secure Login administration console was chosen.

    Figure: Initial Configuration Wizard Create SSL CA Information

    Entries marked with * are mandatory.

    Option Details

    Create a SSL CA by providing certificate information

    Common Name*

    Enter the common name of the certificate (CN).

    Example: SSL CA SAP Security

    Organization Unit

    Enter the division of the company in this field (OU).

    Example: SAP Security Department

    Organization

    Enter the company name in this field (O).

    Example: Company xyz

    Locality

    Enter the regional information in this field (L).

    Example: Walldorf

    Country

    Enter the country abbreviation in this field (C).

    Example: DE

    Encryption Key Length

Select the key length for the certificate key (512, 1024, 1536, 2048, 3072, or 4096 bits). Use at least 2048 bits: 512-bit and 1024-bit keys are no longer considered secure for a CA.


    Valid From*

    Enter the date when the validity of the certificate starts (format: YYYY-MM-DD).

    Valid To*

    Enter the date when the validity of the certificate ends (format: YYYY-MM-DD).

    Password*

    Enter the password for this certificate in this field. The password length is limited to 20 characters.

Save Password

If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.

    Confirm password*

    Confirm the encryption password entered in the field above.

    Import an Existing Key Store File

    Checking this option displays the following options:

    KeyStore File*

    Click Browse to locate and load an existing Key Store File (file format: *.pse).

    Password*

    The password for the KeyStore (PSE) file.

    Save Password

    If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.

Skip this certificate

Check this option if you do not want to or do not need to enter any information for this specific certificate at this time.

    After the configuration, choose Next to continue.

    Create SSL Server Certificate

    This step is optional and is only available if you chose the option Generate an SSL certificate using the Secure Login administration console.


    Figure: Initial Configuration Wizard SSL Server Information

    Entries marked with * are mandatory.

    Option Details

    Create an SSL server by providing certificate information

    Common Name*

    Enter the common name of the certificate (CN).

    Example: Alias Server Name

    Organization Unit

    Enter the division of the company in this field (OU).

    Example: SAP Security Department

    Organization

    Enter the company name in this field (O).

    Example: Company xyz

    Locality

    Enter the regional information in this field (L).

    Example: Walldorf

    Country

    Enter the country abbreviation in this field (C).

    Example: DE

    Subject Alternative Names (DNS)

    Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN).

    Example: [email protected]

    Encryption Key Length

    Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).

    Valid From*

    Enter the date when the validity of the certificate starts (format: YYYY-MM-DD).

    Valid To*

    Enter the date when the validity of the certificate ends (format: YYYY-MM-DD).

    Password*

    In this field, you enter the password for this certificate. The password length is limited to 20 characters.

    Save Password

    If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.

    Confirm Password*

    Confirm the encryption password entered in the field above.

    Import an Existing Key Store File

    Checking this option displays the following options:

    KeyStore File*

    Click Browse to locate and load an existing KeyStore file (file format: *.p12).

    Password*

    The password for the KeyStore file.

    Save Password

    If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.

    Skip this certificate

    Check this option if you do not want to or do not need to enter any information for this specific certificate at this time.

    After the configuration, choose Next to continue.


    Create User CA Certificate

    Define the parameter for the user CA certificate.

    Figure: Initial Configuration Wizard User CA Information

    Entries marked with * are mandatory.

    Option Details

    Create a user CA by providing certificate information

    Common Name*

    Enter the common name of the certificate (CN).

    Example: User CA SAP Security

    Organization Unit

    Enter the division of the company in this field (OU).

    Example: SAP Security Department

    Organization

    Enter the company name in this field (O).

    Example: Company xyz

    Locality

    Enter the regional information in this field (L).

    Example: Walldorf

    Country

    Enter the country abbreviation in this field (C).

    Example: DE

    Encryption Key Length

    Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).


    Valid From*

    Enter the date when the validity of the certificate starts (format: YYYY-MM-DD).

    Valid To*

    Enter the date when the validity of the certificate ends (format: YYYY-MM-DD).

    Password*

    In this field you enter the password for this certificate. The password length is limited to 20 characters.

    Save Password

    If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.

    Confirm Password*

    Confirm the encryption password entered in the field above.

    Import an Existing Key Store File

    Checking this option displays the following options:

    KeyStore File*

    Click Browse to locate and load an existing KeyStore file (file format: *.pse).

    Password*

    The password for the KeyStore (PSE) file.

    Save Password

    If this checkbox is activated, this password will be stored. This means that you do not need to remember the password when editing this certificate at a later date.

    Skip this certificate

    Check this option if you do not want to or do not need to enter any information for this specific certificate at this time.

    After the configuration, choose Next to continue.
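    The three certificate forms above (Root CA, SSL server, User CA) share the same input rules: dates as YYYY-MM-DD, a password of at most 20 characters, a key length from the offered list, and a DNS subject alternative name that is a fully qualified domain name. The following Python script is an added example, not part of the SAP guide or product; it checks a set of wizard inputs against those rules before they are submitted. The field names, the sample forms and the 2048-bit minimum key length are assumptions made here, not product settings.

```python
"""Pre-submission checks for the certificate forms of the Secure Login Server
initial configuration wizard (Root CA, SSL server and User CA).
Added example, not from the SAP guide: field names, the 2048-bit policy
minimum and the sample forms are assumptions made here."""
import re
from datetime import date

OFFERED_KEY_LENGTHS = (512, 1024, 1536, 2048, 3072, 4096)  # as offered by the wizard
POLICY_MIN_KEY_LENGTH = 2048  # assumption: local hardening policy, not a product setting
MAX_PASSWORD_LENGTH = 20      # limit stated by the guide
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # guide's date format YYYY-MM-DD
# A DNS subject alternative name has to be a fully qualified host name.
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def _parse_date(text, field, problems):
    """Parse one date field; an empty field is already reported as missing."""
    if not text:
        return None
    if not DATE_RE.match(text):
        problems.append(f"{field}: expected format YYYY-MM-DD, got {text!r}")
        return None
    try:
        return date.fromisoformat(text)
    except ValueError:
        problems.append(f"{field}: not a real calendar date: {text!r}")
        return None


def validate_certificate_form(form):
    """Return the list of problems found in one form; an empty list means it passes."""
    problems = []
    # Fields the wizard marks with * are mandatory.
    for field in ("common_name", "valid_from", "valid_to", "password", "confirm_password"):
        if not form.get(field):
            problems.append(f"{field}: mandatory field is empty")
    country = form.get("country")
    if country and not re.fullmatch(r"[A-Z]{2}", country):
        problems.append(f"country: expected a two-letter abbreviation such as DE, got {country!r}")
    key_len = form.get("key_length")
    if key_len not in OFFERED_KEY_LENGTHS:
        problems.append(f"key_length: {key_len!r} is not one of {OFFERED_KEY_LENGTHS}")
    elif key_len < POLICY_MIN_KEY_LENGTH:
        problems.append(f"key_length: {key_len} bits is below the policy minimum of {POLICY_MIN_KEY_LENGTH}")
    start = _parse_date(form.get("valid_from"), "valid_from", problems)
    end = _parse_date(form.get("valid_to"), "valid_to", problems)
    if start and end and end <= start:
        problems.append("valid_to: must be later than valid_from")
    password = form.get("password") or ""
    if len(password) > MAX_PASSWORD_LENGTH:
        problems.append(f"password: {len(password)} characters exceeds the limit of {MAX_PASSWORD_LENGTH}")
    if password != (form.get("confirm_password") or ""):
        problems.append("confirm_password: does not match password")
    san = form.get("san_dns")
    if san and not FQDN_RE.match(san):
        problems.append(f"san_dns: {san!r} is not a fully qualified DNS name")
    return problems


# Constructed sample forms built from the guide's example values.
GOOD_FORM = {"common_name": "User CA SAP Security", "organizational_unit": "SAP Security Department",
             "organization": "Company xyz", "locality": "Walldorf", "country": "DE",
             "key_length": 2048, "valid_from": "2011-12-01", "valid_to": "2021-12-01",
             "password": "s3cret-pse-pw", "confirm_password": "s3cret-pse-pw"}
WEAK_FORM = {"common_name": "Alias Server Name", "country": "Germany", "key_length": 1024,
             "valid_from": "2011-13-01", "valid_to": "2011-12-01",
             "password": "this-password-is-far-too-long",
             "confirm_password": "this-password-is-far-too-long", "san_dns": "admin@company.example"}

if __name__ == "__main__":
    for name, form in (("good", GOOD_FORM), ("weak", WEAK_FORM)):
        print(name, "->", validate_certificate_form(form) or "no problems")
```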


    Define Server Configuration

    Define the parameters for the User Certificate Configuration and Application Information.

    The other configuration parameters are read-only (for verification reasons).

    Figure: Initial Configuration Wizard Server Configuration

    Entries marked with * are mandatory.

    Option Details

    User Certificate Configuration

    DN.country

    Enter the country abbreviation in this field (C).

    Example: DE

    DN.locality

    Enter the regional information in this field (L).

    Example: Walldorf

    DN.organization

    Enter the company name in this field (O).

    Example: Company xyz

    DN.organizationalUnit

    Enter the division of the company in this field (OU).

    Example: SAP Security Department

    ValidityMinutes*

    Information for a temporary certificate: The period of time (in minutes) that the user certificate is valid.

    Application Information

    ServerHostName

    FQDN name or IP address of this server.

    This parameter is used for the client policy definition and can be used for centrally changing the server host name and the server port in the instance configuration of the Secure Login Server.

    ServerPort

    Port of this server.

    This parameter is used for the client policy definition and can be used for central change.

    Authentication Server Configuration (read-only)

    AuthConfigPath

    Authentication server configurations file for the Secure Login Server.

    Secure Login User CA Key Store (read-only)

    PseName

    The user CA key store file path. If you created a user CA in the previous step, the file path is shown here.

    Log Configuration (read-only)

    DailyLogDir

    In this log path, the user authentication information for the default instance is logged (for example, that a user authentication was successful).

    MonthlyLogDir

    In this log path, the instance information for the default instance is logged (for example, that the default instance was started successfully).

    AdminConsoleLogDir

    In this log path, the admin console information for the Secure Login Administration Console is logged (for example, that the default instance configuration was changed).

    LockDir

    The path to which the lock file is saved. A lock file is created when the server encounters an internal error that requires manual intervention.

    After the configuration, choose Next to continue.


    Setup Review

    Verify the action points and choose the Finish pushbutton to complete the initial wizard configuration.

    Figure: Initial Configuration Wizard Setup Review

    Finish Setup

    After successful setup configuration this page appears. Restart the Secure Login Server application.

    Figure: Initial Configuration Wizard Congratulations

    Use the Telnet application to stop and start the Secure Login Server application (for more information, see section 2.2 Secure Login Server Installation with Telnet).

    Another possibility in the Microsoft Windows environment is to use the SAP Management Console (sapmmc) application. Under AS Java Components, choose the application sap.com/SecureLoginServer and restart the application.


    Microsoft Windows SAP Management Console

    In a Microsoft Windows environment, the SAP Management Console (sapmmc) can be used to restart the Secure Login Server application. Mark the application sap.com/SecureLoginServer and choose the option Restart (right-click option).

    Figure: SAP Management Console (sapmmc)

    2.6.2 Enable Remote Access for Initial Wizard

    This configuration step is optional and is only required if you want to perform the initial configuration from a remote computer.

    For security reasons we recommend performing the initial configuration on the local host (same server computer on which the Secure Login Server resides).

    In the configuration file web.xml, change the value to true for the parameter remoteAccess.

    web.xml

    remoteAccess

    true

    The configuration file web.xml is available in the following place:

    Microsoft Windows: \j2ee\cluster\apps\sap.com\SecureLoginServer\servlet_jsp\securelogin\root\WEB-INF\web.xml

    Linux: /j2ee/cluster/apps/sap.com/SecureLoginServer/servlet_jsp/securelogin/root/WEB-INF/web.xml

    The Secure Login Server application must then be restarted.
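    Because the guide recommends performing the initial configuration on the local host, the value of remoteAccess is worth auditing after the wizard has been completed. The following Python helper is an added example, not part of the SAP guide or product: it reads the parameter out of web.xml and reports whether remote access is still switched on. It assumes remoteAccess is stored as a standard servlet param-name/param-value pair (inside context-param or init-param), which the guide does not spell out, and the embedded web.xml is constructed sample input.

```python
"""Audit helper for the remoteAccess parameter in the Secure Login Server web.xml.
Added example, not from the SAP guide or product. Assumption: remoteAccess is a
standard servlet param-name/param-value pair (context-param or init-param)."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def find_param(web_xml_text, name):
    """Return the value of the named param-name/param-value pair, or None if absent."""
    root = ET.fromstring(web_xml_text)
    for elem in root.iter():
        if _local(elem.tag) not in ("context-param", "init-param"):
            continue
        pname = pvalue = None
        for child in elem:
            if _local(child.tag) == "param-name":
                pname = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                pvalue = (child.text or "").strip()
        if pname == name:
            return pvalue
    return None


def remote_access_enabled(web_xml_text):
    """True only when remoteAccess is explicitly 'true' (case-insensitive).
    A missing parameter is reported as not enabled by this check."""
    value = find_param(web_xml_text, "remoteAccess")
    return value is not None and value.lower() == "true"


# Constructed sample: the state the guide describes for remote initial configuration.
SAMPLE_REMOTE_ENABLED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>remoteAccess</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>
"""
# Constructed sample: the hardened state after the wizard has been completed.
SAMPLE_LOCAL_ONLY = SAMPLE_REMOTE_ENABLED.replace("<param-value>true", "<param-value>false")

if __name__ == "__main__":
    for label, text in (("remote", SAMPLE_REMOTE_ENABLED), ("local", SAMPLE_LOCAL_ONLY)):
        if remote_access_enabled(text):
            print(f"{label}: remoteAccess is ENABLED - set it back to false and restart")
        else:
            print(f"{label}: remoteAccess is disabled")
```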

    2.6.3 Configure SSH Tunnel

    This configuration step is optional and applies to a Linux environment where no GUI is available. The localhost configuration can then be performed through an SSH tunnel, for example using PuTTY.

    Configure the following parameter and choose Add.

    Example: SSH tunnel configuration in PuTTY

    Parameter Value

    Source Port: 5<NN>00 (NN = instance number). Example: 50000

    Destination: localhost:5<NN>00. Example: localhost:50000

    After the SSH tunnel configuration, log on to this connection and perform the initial configuration. For more information, see section 2.6 Initial Configuration Wizard.

  • 3 Administration

    06/2011 49

    3 Administration

    This chapter describes the configuration parameters in Secure Login Server.

    3.1 Logon to Administration Console

    To open the administration console, enter the following URL in a Web browser:

    Communication URL

    Unsecured: http://<host>:5<NN>00/securelogin

    Secured: https://<host>:5<NN>01/securelogin

    (<host> = host name of the Secure Login Server, NN = instance number)

    You find the https port in the SSL setting of the SAP NetWeaver configuration. The port number is usually 50001 (corresponds to 01 in the table above).

    The logon page appears.

    Figure: Administration Console Logon Page

    Enter your administration user name (for example, Admin) and your password.

    Authentication type Details

    Local Login Default user name/password combination authenticated in the administration console database.

    External Login User name/password combination authenticated in the authentication server database set in the JAAS module. Example: You can use the Microsoft Active Directory user database for logging on to the Secure Login Server administration console.

    For more information about the configuration, see section 3.3.2 Edit Login Type Setting.

    3.2 Welcome Page

    After successful logon, the welcome page appears. This page also appears when you click Home.

    Figure: Administration Console Welcome Page

    The administration console interface allows you to easily configure the server to your needs. The main area is split into three panes:

    The top left-hand pane lists any tasks that have yet to be performed. For example, Connection must be HTTPS refers to the missing SSL connection between the console and the Secure Login Server, or Server needs to be restarted informs you that the configuration has been changed, and you need to restart the Secure Login Server application for it to take effect.

    The bottom left-hand pane is the main navigation tree. For easy reference, each node represents tasks that can be performed within the Secure Login Server framework.

    The right-hand pane displays the details of any node selected in the left-hand pane.

    In the top right-hand corner there are three entries that appear on every page in the console:

    Change Password: This allows you to change the password for the current administrator/user account.

    Logout: Use this link to log out of the console. The logon page reappears (see previous page).

    About: Click this to view version information about the console.

    You may be asked to re-enter your user name and password if you leave the administration console for a long time. The default console timeout is 10 minutes.

    3.2.1 Change Password

    This section describes how to change the account password for the administration console.

    1. Choose Change Password in the title bar on any page.

    2. The following dialog box appears:

    Figure: Change Password

    3. Enter the current password into the Old Password field.

    4. Enter and confirm the new password into the fields New Password and Confirm New Password respectively.

    5. Click OK.

    The user admin is a permanent user that has the role super user and cannot be deleted.

    As a consequence, the admin user can log on to the system regardless of state (when a serious system error occurs), making sure that there is at least one user who can always access Secure Login to correct or configure the system.

    3.3 Server Configuration

    This section describes the server configuration page of the administration console.

    The Server Configuration page allows you to do the following:

    View the server configuration.

    Edit some of the server parameters.

    Choose the Server Configuration node in the left-hand pane of the administration console.

    The following page appears:

    Figure: Administration Console - Server Configuration

    The following options can be viewed on this page:


    Option Details/Value

    Edit Click Edit to change the Administration Console Description, Trace Configuration, and Client Configuration. For more information, see section 3.3.1 Edit Server Configuration.

    Description The description of this administration console.

    Console Login Type The current types of authentication available for log on to the administration console. The configuration can be changed using the button Edit Login Type. For more information, see section 3.3.2 Edit Login Type Setting.

    External Login JAAS Module

    The current JAAS module used for External Login authentication to the Administration Console. For further information see section 3.3.2 Edit Login Type Setting.

    The Authentication File Path (read-only)

    The authentication configuration file used by this server. This configuration is for information purposes only.

    Trust Certificates Storage File (read-only)

    The Trust Store file (TrustStore.jks) used by this server.

    Console Log Directory (read-only)

    The directory in which the console log file is located.

    Console Log Prefix (read-only)

    The file prefix for the console log file.

    Enable Server Trace Enable Secure Login Server trace to provide extended traces.

    true: Trace enabled

    false: Trace disabled

    Default value is false.

    Path to the Server Lock File (read-only)

    Path where the lock files are written. A lock file is generated if something went wrong with the Secure Login Server. In this case the Secure Login Server is locked.

    Host Server Domain Name

    The host name or IP of the computer from which the console is being used for the Secure Login Client policy configuration (for all client policy URLs).

    Port The port of this computer from which the console is being used for the Secure Login Client policy configuration (for all client policy URLs).

    We recommend that you use an HTTPS (SSL) port.

    CREDDIR (read-only)

    The directory in which the credentials are stored for the Secure Login Library.

    NativeLibraryPath (read-only)

    The directory where native libraries are stored for the Secure Login Library.

    3.3.1 Edit Server Configuration

    Choose the Edit button; the following page appears.

    Figure: Administration Console Edit Server Configuration

    The following options can be set:

    Option Details/Value

    Description Here you can personalize the description for the administration console.

    Enable Server Trace true

    Write trace messages to the application server trace file (defaultTrace_*.log).

    false

    Do not write trace messages to the application server trace file.

    Host Server Domain Name

    The host name or IP of the computer from which the console is being used.

    Port The port of the computer from which the console is being used. We recommend that you use an HTTPS (SSL) port.

    Once you have changed any option, click Save to return to the Server Configuration page.

    3.3.2 Edit Login Type Setting

    Choose the Edit Login Type button to get to the page that allows you to configure, delete, or add the following login types:

    Local Login

    Default user name/password combination authenticated with the administration console database.

    External Login

    User name/password combination authenticated in the authentication server database set in the JAAS module. If this option is used, select the appropriate JAAS module in the External Login Jaas Module combo box.

    To add a login option to the administration console login page, proceed as follows:

    1. Select a login type from the All Login Type field and choose >>Add. As a consequence, it appears in the Current Login Type field.

    2. Use the Up and Down buttons to move a login option up or down and thus define its priority.

    To delete a login option from the administration console login page, select a login type from the Current Login Type field and choose

    3.3.3 Certificate Management

    This section describes the Certificate Management page of the administration console.

    The Certificate Management page allows you to do the following:

    Create certificates

    View certificates

    Export certificates

    Import certificates

    The first decision to make is whether the Secure Login Server should create and manage one or more public key infrastructures itself, or whether an existing company PKI is to be used on top. Both are possible, and so is a mixture: for example, one Secure Login Server PKI below your enterprise PKI and two others created independently by the Secure Login Server.

    However, due to the high flexibility of Secure Login Server, it is no problem to add, replace, or delete PKIs at any time.

    Choose the Certificate Management node from the tree in the left-hand pane. The following page appears:

    Figure: Administration Console Certificate Management

    Option Details

    PKI Tree One or more tree views of independent PKIs. One DefaultPKITree named Root CA SAP Security is available here.

    Create New Root CA Define a display name for the new PKI and create a top-level Certification Authority (Root CA).


    Certificate Information Common Name

    Common name of the selected certificate.

    Path

    File path of the selected certificate file.

    Save Password

    Password protection status of the selected certificate file.

    Mapping to Instance

    List of all instances and selections that are supposed to use this user CA. This option is available for user CAs only.

    More Details Further details of the X.509 certificate

    [PKI Information] Displays the name of the PKI structure

    [CA Operations] Selects the Certification Authority of a PKI for further management operations.

    Issue

    Creates a new Certification Authority of this type (USER_CA, SAP_CA or SSL_CA).

    Change Password

    Changes the password of the selected CA.

    Remove Password

    Removes the stored password of the selected CA. A password must then be given for each subsequent management operation on this CA.

    [Export Certificate] Exports the selected certificate.

    Export Type

    Chooses the export type for the certificate. Possible export types: .crt, .p12, .pse, or .jks.

    New Password

    Defines the password of the exported certificate file. This option is not available if you choose the export type .crt.

    [Import New PKI] Imports the key store into the certificate list.

    Note: Only PSE files can be imported.

    PKI Name

    Displays the name of the new PKI the certificate belongs to. The following special characters are not supported: ~`!@#$%^&*()_-+= }{:"?>


    Open Password

    Password that protects the certificate file

    Save Password

    Allows you to save the password in the configuration file.

    Create New PKI

    Use this function to create a new internal PKI that has its own root CA certificate.

    Enter a display name for the new PKI, for example NEW PKI and choose Create New Root CA.

    Define the certificate parameters for the new root CA certificate and choose Create.

    Entries marked with an asterisk(*) are mandatory.

    The new PKI should be available in the PKI tree.


    Import New PKI

    Use this function to create a new PKI that uses external CA certificates. This way it is also possible to create a PKI without having the issuing root CA stored inside the Secure Login Server.

    1. Enter a display name for the new PKI, for example, ImportPKI.

    2. Select the type of CA that shall be imported, for example, ROOT_CA.

    3. Choose Browse to open a file browser. Locate and open the PSE file.

    4. Enter the password for the PSE file in the field Open Password.

    5. As an option, you can choose to save the password.

    6. Choose the Import pushbutton to complete.

    The imported PKI should be available in the PKI tree.


    Create SAP CA Certificate

    Use this function to create an SAP CA certificate.

    1. Choose the Root CA certificate in the PKI tree list.

    2. Select the certificate type SAP_CA in [CA Operations].

    3. Choose the Issue pushbutton and define the certificate parameters.

    Figure: Administration Console Create SAP CA Certificate

    Entries marked with an asterisk(*) are mandatory.