fiori configuration
DESCRIPTION
Fiori ConfigurationTRANSCRIPT
-
Installation, Configuration and Administration Guide
SAP NetWeaver Single-Sign-On SP2
Secure Login Server
PUBLIC
Document Version: 1.2 December 2011
-
Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
notice.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered
trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p,
System p5, System x, System z, System z10, System z9, z10, z9,
iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390,
OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM,
Power Architecture, POWER6+, POWER6, POWER5+, POWER5,
POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System
Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks,
OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner,
WebSphere, Netfinity, Tivoli and Informix are trademarks or
registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and
other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either
trademarks or registered trademarks of Adobe Systems Incorporated in
the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the
Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,
VideoFrame, and MultiWin are trademarks or registered trademarks of
Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered
trademarks of W3C, World Wide Web Consortium, Massachusetts
Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used
under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP
BusinessObjects Explorer, and other SAP products and services
mentioned herein as well as their respective logos are trademarks or
registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects,
Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and
other Business Objects products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of
Business Objects Software Ltd. in the United States and in other
countries.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere,
and other Sybase products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of
Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of
their respective companies. Data contained in this document serves
informational purposes only. National product specifications may
vary.
These materials are subject to change without notice. These materials
are provided by SAP AG and its affiliated companies ("SAP Group")
for informational purposes only, without representation or warranty of
any kind, and SAP Group shall not be liable for errors or omissions
with respect to the materials. The only warranties for SAP Group
products and services are those that are set forth in the express
warranty statements accompanying such products and services, if any.
Nothing herein should be construed as constituting an additional
warranty.
Disclaimer
Some components of this product are based on Java. Any
code change in these components may cause unpredictable
and severe malfunctions and is therefore expressively
prohibited, as is any decompilation of these components.
SAP AG
Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com
-
Any Java Source Code delivered with this product is
only to be used by SAPs Support Services and may not be
modified or altered in any way.
Terms for Included Open
Source Software
This SAP software contains also the third party open source software
products listed below. Please note that for these third party products
the following special terms and conditions shall apply.
Prototype JavaScript Framework http://www.prototypejs.org/
Copyright (c) 2005-2010 Sam Stephenson
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to permit
persons to whom the Software is furnished to do so, subject to the
following conditions:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
stringutils http://sourceforge.net/projects/stringutils/
Copyright (c) 2006 Andrea S. Gozzi, Valerio Romeo
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to permit
persons to whom the Software is furnished to do so, subject to the
following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
opencsv 1.7.1 http://opencsv.sourceforge.net/
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND
DISTRIBUTION
1. Definitions.
-
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by the
copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all other
entities that control, are controlled by, or are under common control
with that entity. For the purposes of this definition, "control" means (i)
the power, direct or indirect, to cause the direction or management of
such entity, whether by contract or otherwise, or (ii) ownership of fifty
percent (50%) or more of the outstanding shares, or (iii) beneficial
ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity exercising
permissions granted by this License.
"Source" form shall mean the preferred form for making
modifications, including but not limited to software source code,
documentation source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but not
limited to compiled object code, generated documentation, and
conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work (an
example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including the
original version of the Work and any modifications or additions to that
Work or Derivative Works thereof, that is intentionally submitted to
Licensor for inclusion in the Work by the copyright owner or by an
individual or Legal Entity authorized to submit on behalf of the
copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control
systems, and issue tracking systems that are managed by, or on behalf
of, the Licensor for the purpose of discussing and improving the Work,
but excluding communication that is conspicuously marked or
otherwise designated in writing by the copyright owner as "Not a
Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of, publicly
display, publicly perform, sublicense, and distribute the Work and
such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this
License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except
as stated in this section) patent license to make, have made, use, offer
to sell, sell, import, and otherwise transfer the Work, where such
license applies only to those patent claims licensable by such
Contributor that are necessarily infringed by their Contribution(s)
alone or by combination of their Contribution(s) with the Work to
which such Contribution(s) was submitted. If You institute patent
litigation against any entity (including a cross-claim or counterclaim in
a lawsuit) alleging that the Work or a Contribution incorporated within
the Work constitutes direct or contributory patent infringement, then
any patent licenses granted to You under this License for that Work
shall terminate as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You meet
the following conditions:
-
(a) You must give any other recipients of the Work or Derivative
Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works that
You distribute, all copyright, patent, trademark, and attribution notices
from the Source form of the Work, excluding those notices that do not
pertain to any part of the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained within
such NOTICE file, excluding those notices that do not pertain to any
part of the Derivative Works, in at least one of the following places:
within a NOTICE text file distributed as part of the Derivative Works;
within the Source form or documentation, if provided along with the
Derivative Works; or, within a display generated by the Derivative
Works, if and wherever such third-party notices normally appear. The
contents of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution notices
within Derivative Works that You distribute, alongside or as an
addendum to the NOTICE text from the Work, provided that such
additional attribution notices cannot be construed as modifying the
License.
You may add Your own copyright statement to Your modifications
and may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or for any
such Derivative Works as a whole, provided Your use, reproduction,
and distribution of the Work otherwise complies with the conditions
stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work by
You to the Licensor shall be under the terms and conditions of this
License, without any additional terms or conditions. Notwithstanding
the above, nothing herein shall supersede or modify the terms of any
separate license agreement you may have executed with Licensor
regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
either express or implied, including, without limitation, any warranties
or conditions of TITLE, NON-INFRINGEMENT,
MERCHANTABILITY, or FITNESS FOR A PARTICULAR
PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise, unless
required by applicable law (such as deliberate and grossly negligent
acts) or agreed to in writing, shall any Contributor be liable to You for
damages, including any direct, indirect, special, incidental, or
consequential damages of any character arising as a result of this
License or out of the use or inability to use the Work (including but
not limited to damages for loss of goodwill, work stoppage, computer
failure or malfunction, or any and all other commercial damages or
losses), even if such Contributor has been advised of the possibility of
such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer, and
charge a fee for, acceptance of support, warranty, indemnity, or other
liability obligations and/or rights consistent with this License.
However, in accepting such obligations, You may act only on Your
own behalf and on Your sole responsibility, not on behalf of any other
Contributor, and only if You agree to indemnify, defend, and hold
each Contributor harmless for any liability incurred by, or claims
asserted against, such Contributor by reason of your accepting any
such warranty or additional liability.
-
Typographic Conventions
Type Style Description
Example Text Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options.
Cross-references to other documentation
Example text Emphasized words or phrases in body text, graphic titles, and table titles
EXAMPLE TEXT Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT Keys on the keyboard, for
example, F2 or ENTER.
Icons
Icon Meaning
Caution
Example
Note
Recommendation
Syntax
Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more
information, see Help on Help General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
-
06/2011 7
Contents
1 What is Secure Login? ....................................................................... 9
1.1 System Overview .................................................................................. 10
1.2 System Overview with Security Token ............................................... 11
1.3 System Overview with Secure Login Server ...................................... 14
1.4 Instances ............................................................................................... 16
1.5 PKI Structure ........................................................................................ 17
1.6 Secure Communication ....................................................................... 18
1.7 Policy Server Overview ........................................................................ 19
1.8 Secure Login Web Client ..................................................................... 20
1.8.1 Export Restrictions ........................................................................... 20
2 Secure Login Server Installation ..................................................... 21 2.1 Prerequisites ........................................................................................ 21
2.1.1 Secure Login Library ................................................................................................... 22
2.2 Secure Login Server Installation with Telnet ..................................... 26
2.3 Secure Login Server Installation with JSPM ...................................... 27
2.4 Secure Login Server Uninstallation .................................................... 30
2.5 Updating the Secure Login Server to SP2 ......................................... 30
2.6 Initial Configuration Wizard ................................................................. 31 2.6.1 Initial Configuration ..................................................................................................... 31 2.6.2 Enable Remote Access for Initial Wizard.................................................................... 47 2.6.3 Configure SSH Tunnel ................................................................................................ 48
3 Administration ................................................................................... 49 3.1 Logon to Administration Console ....................................................... 49
3.2 Welcome Page ...................................................................................... 50 3.2.1 Change Password....................................................................................................... 51
3.3 Server Configuration ............................................................................ 52 3.3.1 Edit Server Configuration ............................................................................................ 54 3.3.2 Edit Login Type Setting ............................................................................................... 55 3.3.3 Certificate Management .............................................................................................. 56 3.3.4 Trust Store Management ............................................................................................ 68 3.3.5 Certificate Template .................................................................................................... 69 3.3.6 System Check ............................................................................................................. 76 3.3.7 Message Settings ....................................................................................................... 77 3.3.8 SNC Configuration ...................................................................................................... 81 3.3.9 Server Status .............................................................................................................. 82 3.3.10 Sign Certificate Requests ......................................................................................... 83 3.3.11 Console Log Viewer .................................................................................................. 85 3.3.12 Web Client Configuration .......................................................................................... 87
3.4 Instance Management .......................................................................... 92 3.4.1 DefaultServer Configuration ....................................................................................... 92 3.4.2 Create a New Instance ............................................................................................. 115
3.5 Console Users .................................................................................... 120 3.5.1 User Management .................................................................................................... 120 3.5.2 Role Management..................................................................................................... 123 3.5.3 Locked Files Management ........................................................................................ 124
4 Other Configurations ...................................................................... 125
-
8 06/2011
4.1 Configure Login Module .................................................................... 125
4.2 Verify Authentication Server Configuration ..................................... 131
4.3 Create Technical User in SAP Server ............................................... 133
4.4 Mozilla Firefox Support ...................................................................... 133 4.4.1 Install Firefox Extension ............................................................................................ 133 4.4.2 Uninstall Mozilla Firefox Extension ........................................................................... 134
4.5 Customize Secure Login Web Client ................................................ 135
4.6 Configure SSL Certificate Logon ...................................................... 135
4.7 Configure External Login ID .............................................................. 136
4.8 Emergency Recovery Tool ................................................................ 136
4.9 Monitoring ........................................................................................... 139 4.9.1 Web Service Status .................................................................................................. 139 4.9.2 XML Interface ............................................................................................................ 139
4.10 Secure Login Client Policy and Profiles ......................................... 141 4.10.1 Client Policy ............................................................................................................ 141 4.10.2 Applications and Profiles ........................................................................................ 142
4.11 Integrate into Existing PKI ............................................................... 146
4.12 Configuring Secure Login Servers as Failover Servers for High Availability ................................................................................................ 147
4.13 Configuring Login Module Stacks as Failover Servers in SAP NetWeaver ................................................................................................. 149
4.13.1 Configuration of SAP NetWeaver AS Java ............................................................. 150 4.13.2 Configuration of the Secure Login Server .............................................................. 151
4.14 Setting Failover Timeouts of the Login Modules ........................... 152
4.15 Custom Use of Login Module with Login Module Stacks ............. 152
5 Configuration Examples ................................................................. 154 5.1 Kerberos Authentication with SPNego ............................................. 154
5.2 LDAP User Authentication ................................................................ 155
5.3 SAP User Authentication ................................................................... 156
5.4 RADIUS User Authentication............................................................. 157
5.5 Configuring RSA Authentication with RADIUS ................................ 158 5.5.1 Configuration of the securid.ini File .......................................................................... 158 5.5.2 Customer-Specific Configuration of the securid.ini File ............................................ 159 5.5.3 Ensuring Encrypted Communication with Shared Secret ......................................... 160
6 Troubleshooting .............................................................................. 161 6.1 Checklist User Authentication Problem ........................................... 161
6.2 Secure Login Server SNC Problem ................................................... 162
6.3 Enable Secure Login Server Trace ................................................... 163
6.4 Enable Secure Login Library Trace .................................................. 163
6.5 Secure Login Server Lock and Unlock ............................................. 164
6.6 Access Denied Replies ...................................................................... 165
6.7 Internal Server Message .................................................................... 165
6.8 Error Codes ........................................................................................ 166 6.8.1 Secure Login Server Error Codes ............................................................................. 166 6.8.2 SAP Stacktrace Error Codes .................................................................................... 168
7 List of Abbreviations ...................................................................... 171
8 Glossary ........................................................................................... 173
-
1 What is Secure Login?
06/2011 9
1 What is Secure Login? Secure Login is an innovative software solution created specifically to improve user and IT productivity and to protect business-critical data in SAP business solutions through secure Single Sign-On to the SAP environment.
Secure Login provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components:
Examples:
SAP GUI and SAP NetWeaver platform with Secure Network Communications (SNC)
Web GUI and SAP NetWeaver platform with Secure Socket Layer SSL (HTTPS)
Third party application server supporting X.509 certificates
In a default SAP setup, users enter their SAP user name and password into the SAP GUI logon screen. SAP user names and passwords are transferred through the network without encryption.
To secure networks, SAP provides a Secure Network Communications interface (SNC) that enables users to log on to SAP systems without entering a user name or password. The SNC interface can also direct calls through the Secure Login Library to encrypt all communication between the SAP GUI and SAP server, thus providing secure single sign-on to SAP.
Secure Login allows you to benefit from the advantages of SNC without being forced to set up a Public Key Infrastructure (PKI). Secure Login allows users to authenticate with one of the following authentication mechanisms:
Microsoft Windows domain (Active Directory Server)
RADIUS server
LDAP server
RSA SecurID token
SAP NetWeaver server
Smart Card authentication
If a PKI has already been set up, the digital user certificates of the PKI can also be used by Secure Login.
Secure Login also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) with SSL.
-
1 What is Secure Login?
10 06/2011
1.1 System Overview Secure Login is a client/server software system integrated with SAP software to make single sign-on, alternative user authentication, and enhanced security easy for distributed SAP environments.
The Secure Login solution includes the following components:
Secure Login Server Central service which provides X.509v3 certificates (out-of-the-box PKI) to users and application server. The Secure Login Web Client is provided as well.
Secure Login Library Crypto library for the SAP NetWeaver ABAP system. The Secure Login Library supports both X.509 and Kerberos technology.
Secure Login Client Client application which provides security tokens (Kerberos and X.509 technology) for a variety of applications.
It is not necessary to install all components. This depends on the use case. For further information about Secure Login Client and Secure Login Library see the corresponding Installation, Configuration and Administration Guide.
The Secure Login Client is split into the following variants: Secure Login Client Secure Login Client can either be used with an existing public key infrastructure (PKI) or together with the Secure Login Server. You can use it for certificate-based authentication without being obliged to set up a PKI. The stand-alone Secure Login Client can use the following authentication methods:
- Smart Cards and USB tokens with an existing PKI certificate
Secure Login Server and Authentication Server are not necessary.
- Microsoft Crypto Store with an existing PKI certificate
Secure Login Server and Authentication Server are not necessary.
- Microsoft Windows credentials
The Microsoft Windows domain credentials (Kerberos token) can be used for authentication. In addition, the Microsoft Windows credentials can be used to receive a user X.509 certificate with Secure Login Server.
- User name and Password (Several Authentication Mechanism)
The Secure Login Client prompts you for a user name and a password and uses these credentials for authentication at the Secure Login Server to receive a user X.509 certificate.
All of these authentication methods can be used in parallel. A policy server provides authentication profiles that specify how to log on to the desired SAP system.
Secure Login Web Client This client is based on a Web browser (Web GUI) and is part of the Secure Login Server. The Secure Login Web Client has the same authentication methods as the standalone Secure Login Client, but with the following limited functions:
- Limited integration with the client environment (interaction required)
- Limited client policy configuration
-
1 What is Secure Login?
06/2011 11
1.2 System Overview with Security Token The Secure Login Client is integrated with SAP software to provide a single sign-on capability and enhanced security. An existing PKI structure or Kerberos infrastructure can be used for user authentication.
Main System Components The following figure shows the Secure Login system environment with the main system components if an existing PKI or Kerberos infrastructure is used.
Secure Login ClientPKI Infrastructure
Smart Card, USB Token
Microsoft Crypto Store
Secure Login Library
Authentication and
secure communication
SAP GUI
Web GUI
SAP NetWeaver Platform
Security Token
Kerberos Infrastructure
Kerberos Token
Kerberos
Figure: Secure Login System Environment with Existing PKI and Kerberos
The Secure Login Client is responsible for the certificate-based authentication and Kerberos-based authentication to the SAP application server.
Authentication Methods In a system environment without Secure Login Server, the Secure Login Client supports the following authentication methods:
Smart Card and USB tokens with an existing PKI certificate
Microsoft Crypto Store (Certificate Store)
Kerberos token
-
1 What is Secure Login?
12 06/2011
Workflow for X.509 Certificates The following figure shows the principal workflow and communication between the individual components.
1
Start connection and
get SNC name
Client maps
SNC name to
authentication
profile
Secure Login Client
Security Token2
4
PKI Infrastructure
6
SAP NetWeaver Platform
Client provides certificate
to SAP GUI application
Authentication and
secure communication
Smart Card, USB Token
Microsoft Crypto Store
Secure Login Library
5
Unlock Security Token
3
Figure: Principal Workflow
1. Upon connection start, the Secure Login Client retrieves the SNC name from the desired SAP server system.
2. The Secure Login Client uses the authentication profile for this SNC name.
3. The user unlocks the security token by entering the PIN or password.
4. The Secure Login Client receives the X.509 certificate from the user security token.
5. The Secure Login Client provides the X.509 certificate for SAP single sign-on and secure communication between SAP Client and SAP Server.
6. The user is authenticated and the communication is secured.
Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto engines. The Crypto Service Provider (CSP) from SAP is such a plug-in. It provides the user keys to all CAPI-enabled applications.
-
1 What is Secure Login?
06/2011 13
Workflow for Kerberos Token The following figure shows the principal workflow and communication between the individual components.
Figure: Principal Workflow Kerberos Authentication
1. Upon connection start, the Secure Login Client retrieves the SNC name (Service Principal Name) from the respective SAP server system.
2. The Secure Login Client starts at the Ticket Granting Service a request for a Kerberos Service token.
3. The Secure Login Client receives the Kerberos Service token.
4. The Secure Login Client provides the Kerberos Service token for SAP single sign-on and secure communication between SAP Client and SAP server.
5. The user is authenticated and the communication is secured.
-
1 What is Secure Login?
14 06/2011
1.3 System Overview with Secure Login Server The main feature of the Secure Login Server is to provide an out-of-the-box PKI for users and application server systems (for example, SAP NetWeaver).
Users receive short term X.509 certificates. For the application server, long term X.509 certificates are issued. Based on the industry standard X.509v3, the certificates can be used for non-SAP systems as well.
In order to provide user certificates, the user needs to be authenticated (verified by the Secure Login Server). Therefore the Secure Login Server supports several authentication server systems.
Main System Components The following figure shows the Secure Login system environment with the main system components.
Figure: Secure Login System Environment
The Secure Login Client is responsible for the certificate-based logon to the SAP application server and encryption of the SAP client/server communication.
The Secure Login Server is the central server component that connects all parts of the system. It enables authentication against an authentication Server and provides the Secure Login Client with a short term certificate. The Secure Login Server is a pure Java application. It consists of a servlet and a set of associated classes and shared libraries. It is installed on an SAP NetWeaver application server.
The Secure Login Server provides client authentication profiles to the Secure Login Client, which allows flexible user authentication configurations (for example, which authentication type should be used for which SAP application server).
-
1 What is Secure Login?
06/2011 15
Authentication Methods Secure Login supports several authentication methods. It uses the Java Authentication and Authorization Service (JAAS) as a generic interface for the different authentication methods.
For each supported method, there is a corresponding configurable JAAS module.
The following authentication methods are supported:
Microsoft Active Directory Service (ADS)
RADIUS
RSA SecurID token
LDAP
SAP ID-based logon
SAP NetWeaver AS Java User Management Engine
SAP NetWeaver AS Java SPNego
Workflow with X.509 Certificate Request The following figure shows the principal workflow and communication between the individual components.
Figure: Principal Workflow
1. Upon connection start, the Secure Login Client gets the SNC name from the desired SAP server system.
2. The Secure Login Client uses the client policy for this SNC name.
3. The Secure Login Client receives the user login credentials.
-
1 What is Secure Login?
16 06/2011
4. The Secure Login Client generates a certificate request.
5. The Secure Login Client sends the user credentials and the authentication request to the Secure Login Server.
6. The Secure Login Server forwards the user credentials to the authentication server and receives a response indicating whether the user credentials are valid or not.
7. If the user credentials are valid, the Secure Login Server generates a user certificate (certificate response) and provides it to the Secure Login Client.
8. Secure Login Client provides the certificate to SAP GUI.
9. The user certificate is used to perform an authentication, single sign-on, and secure communication between SAP client and server.
1.4 Instances The Secure Login instances feature allows multiple instances running on the same server. The main advantage of using instances is that the time spent on maintaining Secure Login is reduced to a minimum.
Secure Login Server instances can use a common user CA certificate for one or more instances, or you can set an individual user CA certificate (PKI) for each instance.
The Secure Login Client authentication profiles can be configured to use different Secure Login Server instances for different authentication methods.
Figure: Instances Examples
It is still possible to use several Secure Login Servers and/or authentication servers for failover. The Secure Login Server can connect to more than one authentication server.
-
1 What is Secure Login?
06/2011 17
1.5 PKI Structure There are different integration scenarios available for Secure Login Server.
Out-of-the-Box PKI Secure Login Server Secure Login Server provides standard X.509 certificates for users (short term) and application server (long term). The following out of the box PKI structure can be delivered with the Secure Login Server.
Figure: Secure Login Server PKI Structure
PKI Integration As the Secure Login Server is based on industry standard X.509v3, it is possible to integrate the Secure Login Server to an existing PKI. The required minimum is to provide a user CA certificate to the Secure Login Server.
Figure: Secure Login Server Integration with an Existing PKI
-
1 What is Secure Login?
18 06/2011
1.6 Secure Communication The goal of the Secure Login solution is to establish secure communication between all required components:
Figure: Secure Communication
Technology Used for Secure Communication
Technology used for secure communication
From To Security Protocol / Interface
SAP GUI SAP NetWeaver DIAG/RFC (SNC)
Business Explorer SAP NetWeaver DIAG/RFC (SNC)
Business Client SAP NetWeaver DIAG/RFC (SNC), HTTPS
Web GUI SAP NetWeaver HTTPS (SSL)
Secure Login Client Secure Login Server HTTPS (SSL)
Secure Login Server LDAP Server LDAPS (SSL)
Secure Login Server SAP NetWeaver RFC (SNC)
Secure Login Server RADIUS Server RADIUS (shared secret)
-
1 What is Secure Login?
06/2011 19
1.7 Policy Server Overview Secure Login Client configuration is profile-based. You can configure the application contexts to provide a mechanism for automatic application-based profile selection. The system then searches the application contexts for specific personal security environment universal resource identifiers (PSE URIs).
If no matching PSE URI is found, a default application context that links to a default profile can be defined.
The application contexts and profiles are stored in the Microsoft Windows Registry of the client. You define these parameters in the XML policy file.
Figure: Default Application Context and Profile
-
1 What is Secure Login?
20 06/2011
1.8 Secure Login Web Client Secure Login Web Client is a feature of the Secure Login Server. It is a Web-based solution for the authentication of users in Web browsers (in portal scenarios) on a variety of platforms and for launching SAP GUI with SNC security. You also use it for authentication against SAP NetWeaver Web Application Server.
This means that the client is no longer limited to Microsoft Windows, but Mac OS X, and Linux-based client systems can be used as well. Another use case is providing short term certificates to external employees (for example, to external consultants).
The following main features are available:
Browser-based authentication (including all authentication server support)
Support for SAP GUI for Microsoft Windows and SAP GUI for Java
Certificate store support for Microsoft Internet Explorer and Mozilla Firefox browser
URL redirect X.509 authentication support to SAP Web application server
Localization and customization of HTML pages and applet messages
Differences between Secure Login Client and Secure Login Web Client:
With Secure Login Client the required security library is available. With Secure Login Web Client the security library needs to be downloaded in a Web browser application.
With Secure Login Client, the authentication process and secure communication can be triggered on demand (for example, in SAP GUI). The Secure Login Web Client triggers an authentication process and secure communication. After the authentication process, the Secure Login Web Client starts the SAP GUI.
1.8.1 Export Restrictions
At the start of the Secure Login Web Client, it transfers components that are required for authentication and for a secure network connection from the server to the client.
The Secure Login Web Client contains components with cryptographic features for authentication and for a secure server/client network connection. Under German export control regulations, these components are classified with ECCN 4D003. If server and client are not located in the same country a transfer takes place that requires compliance with applicable export and import control regulations.
If the Secure Login Server and the Secure Login Web Client are installed in different countries, you are obliged to make sure that you abide by the export and import regulations of the countries involved.
-
2 Secure Login Server Installation
06/2011 21
2 Secure Login Server Installation This chapter describes how to install Secure Login Server. The installation can be done using the Telnet application or with the Software Delivery Tool.
2.1 Prerequisites This chapter describes the prerequisites and requirements for the installation of Secure Login Server. The SAP NetWeaver Application Server must be up and running.
Hardware Requirements
Secure Login Server Details
Hard disk space 50 MB of hard disk space
HDD space for log files
Random-access memory 1 GB RAM at minimum
Software Requirements
Secure Login Server Details
Application server SAP NetWeaver CE 7.2
SAP NetWeaver 7.3
Optional: Secure Login Library
The Secure Login Library installation is optional and required for SAP user authentication only.
The Secure Login Library will be used to establish secure communication to SAP NetWeaver Application Server ABAP to verify SAP credentials.
For operating system support see the Installation, Configuration and Administration Guide of the Secure Login Library.
Secure Login Web Client Details
Operating systems Microsoft Windows 7, Vista, XP (32-bit)
SUSE Linux Enterprise Desktop 11
Mac OS X 10.5, 10.6
Java SUN Java 1.5 or higher browser plug-in
Internet browser (32-bit) Microsoft Internet Explorer 7, 8, 9
Mozilla Firefox 3.6 and higher
-
2 Secure Login Server Installation
22 06/2011
Supported Authentication Servers
Secure Login Server Details
LDAP server system Microsoft Active Directory System 2003, 2008
openLDAP
SAP server system SAP NetWeaver Application Server ABAP 6.20 or higher version
RADIUS server system RSA Authentication Manager 6.1 and 7.1
freeRADIUS
Microsoft Network Policy and Access Services (NPA)
Microsoft Internet Authentication Service (IAS)
SAPNetWeaver AS Java User Man agement Engine (UME)
BasicPasswordLoginModule
2.1.1 Secure Login Library The Secure Login Library installation is optional and is required for SAP NetWeaver Application Server user authentication only. The Secure Login Library is used to establish secure communication to SAP ABAP server and to verify SAP credentials.
Keep in mind that there are different Secure Login Library software packages available depending on the desired operating system. This document describes the installation for Microsoft Windows and Linux operating system.
Secure Login Library for Microsoft Windows Operating System
Step 1 Copy Library Files
Copy the Secure Login Library software for Microsoft Windows to the target SAP NetWeaver Application Server and extract the file SECURELOGINLIB.SAR with the SAPCAR command line tool to the following folder. sapcar xvf \SECURELOGINLIB.SAR R \exe\
Example
sapcar xvf D:\InstallSLS\SECURELOGINLIB.SAR R D:\usr\sap\ABC\J00\exe\
Check if the folder \exe, which is used by Secure Login Library, is included in the Java library path. Verify the Java Library Path (libpath) in the trace file \work\dev_jstart.
-
2 Secure Login Server Installation
06/2011 23
Step 2 Environment Variable SECUDIR
Set the system environment variable SECUDIR to the following directory:
SECUDIR=\sec
Example
SECUDIR=D:\usr\sap\ABC\J00\sec
Step 3 Verify Secure Login Library
To verify the Secure Login Library, use the snc command:
\exe\snc.exe
Example D:\usr\sap\ABC\J00\exe\snc.exe
As a result, you get further information about the Secure Login Library.
The test is successful if the version is displayed.
Figure: Verify Secure Login Library with the Command snc
Step 4 Restart SAP NetWeaver Application Server
In an installation under Microsoft Windows, restart the SAP NetWeaver Application Server because the environment variable SECUDIR does not takes effect unless you perform a restart.
-
2 Secure Login Server Installation
24 06/2011
Secure Login Library for Linux Operating System
Step 1 Copy Library Files
Copy the Secure Login Library software for Linux to the target SAP NetWeaver Application Server and extract the file SECURELOGINLIB.SAR with the SAPCAR command line tool to the following folder. sapcar xvf /SECURELOGINLIB.SAR R /exe/
Example sapcar xvf /InstallSLS/SECURELOGINLIB.SAR R /usr/sap/ABC/J00/exe
Check if the folder /exe, which is used by Secure Login Library, is included in the Java library path. Verify the Java library path (libpath) in the trace file /work/dev_jstart.
Step 2 Define File Attributes
To use shared libraries in a shell, it is necessary to set the file permission attributes with the following command:
chmod +rx /exe/snc lib*
Example
chmod +rx /usr/sap/ABC/J00/exe/snc lib*
Step 3 Define File Owner
Grant access rights to the user account that is used to start the SAP application (for example, adm).
Change to the folder /exe/ and use the following command:
chown [OWNER]:[GROUP] *
Example chown abcadm:sapsys *
Step 4 Verify Secure Login Library
To verify the Secure Login Library use the snc command (with user adm):
/exe/snc
Example
-
2 Secure Login Server Installation
06/2011 25
/usr/sap/ABC/J00/exe/snc
As a result; further information about the Secure Login Library should be displayed.
The test is successful if the version is displayed.
Figure: Verify Secure Login Library with the snc Command
-
2 Secure Login Server Installation
26 06/2011
2.2 Secure Login Server Installation with Telnet
1.) Copy the file SECURE_LOGIN_SERVER00_0.sca to the target SAP NetWeaver Application Server.
2.) Start a Telnet session. telnet localhost 508
Example
telnet localhost 50008
3.) Deploy the Secure Login Server package.
deploy \SECURE_LOGIN_SERVER0SP_0.sca
Microsoft Windows Example
deploy D:\InstallSLS\SECURE_LOGIN_SERVER0SP_0.sca
The Secure Login Server application will be started automatically. Start the initial configuration described in section 2.6 Initial Configuration Wizard.
List of Useful Telnet Commands
List of useful telnet commands
Action Command
Deploy Application deploy SECURE_LOGIN_SERVER0SP_0.sca
Undeploy Application undeploy name=SecureLoginServer vendor=sap.com
List Application list_app | grep SecureLoginServer
Stop Application stop_app sap.com/SecureLoginServer
Start Application start_app sap.com/SecureLoginServer
-
2 Secure Login Server Installation
06/2011 27
2.3 Secure Login Server Installation with JSPM
1.) Copy the file SECURE_LOGIN_SERVER0SP_0.sca to the target SAP NetWeaver Application Server. The target folder location is \\localhost\sapmnt\trans\EPS\in Microsoft Windows \usr\sap\trans\EPS\in Linux /usr/sap/trans/EPS/in
2.) Start the JSPM application (SAP Software Delivery Tool) on SAP NetWeaver Application Server. Microsoft Windows \j2ee\JSPM\go.bat Linux /j2ee/JSPM/go
3.) Log on to SAP NetWeaver AS Java with a user with administration privileges.
-
2 Secure Login Server Installation
28 06/2011
4.) Choose the New Software Components option.
5.) Select sap.com/SECURE_LOGIN_SERVER.
-
2 Secure Login Server Installation
06/2011 29
6.) Start the deployment process.
7.) After the deployment finishes, exit the JSPM application.
-
2 Secure Login Server Installation
30 06/2011
2.4 Secure Login Server Uninstallation This chapter describes how to uninstall Secure Login Server. Uninstall the Secure Login Server in Telnet.
1.) Start a Telnet session. telnet localhost 508
Example
telnet localhost 50008
2.) Stop the Secure Login Server application. stop_app sap.com/SecureLoginServer
3.) Undeploy the Secure Login Server package. undeploy name=SecureLoginServer vendor=sap.com
2.5 Updating the Secure Login Server to SP2 In SAP Note 1660519 you find a description that tells you how to update the Secure Login Server to SP1. You see the current version number of the Secure Login Server in the
parameter Server Build. The entry REL_1_0_2_20 stands for SP2 (see 3.3.9 Server
Status). After the installation, restart the system.
During the installation, the following files are deleted:
config.properties file
userenv.registry
Make a backup of these files before you execute an installation. After the installation, copy the files to the relevant directories.
-
2 Secure Login Server Installation
06/2011 31
2.6 Initial Configuration Wizard After the deployment of Secure Login Server an initial configuration is required.
For security reasons, the initial configuration of the Secure Login Server can be performed on local host only (same server computer on which the Secure Login resides).
If, however, you want to perform the initialization and configuration from a remote location, you must manually enable this feature by editing the Secure Login web.xml file. For more information, see section 2.6.2 Enable Remote Access for Initial Wizard.
If a GUI (for example, Linux without X-Win) is not available, use an SSH localhost tunnel configuration for accessing the wizard. For re information, see section 2.6.3 Configure SSH Tunnel.
2.6.1 Initial Configuration This section describes the initial configuration of the Secure Login Server.
Before starting the Initial Configuration Wizard, verify that the Secure Login Server application is running.
Start the initial configuration using the browser URL: http://localhost:500/securelogin
Welcome Page
In the welcome page a prerequisite check is performed. Verify all prerequisites.
If everything is OK, choose Continue.
Figure: Initial Configuration Wizard Welcome Page
-
2 Secure Login Server Installation
32 06/2011
Key File for Encryption of Server Credentials
The key file is a file on the server with random content and is used to secure password information in configuration files. You can use any kind of file type which is larger than 32 bytes. You must create or copy the file to the desired location on the server and define it in this configuration step. There is a check whether the key file is available.
Define the location of the key file.
Example:
D:\usr\sap\ServerKeyFile\KeyFile.txt
Figure: Initial Configuration Wizard Key file for server credentials encryption
Keep in mind that, in case the key file is changed or not available, it is not possible to log on to the Secure Login Administration Console. The Secure Login Server does not work anymore and is locked.
After the configuration, choose Next to continue.
-
2 Secure Login Server Installation
06/2011 33
Administrator Account
Define the password for the administration user Admin.
Figure: Initial Configuration Wizard Administrator Account
Entries marked with * are mandatory.
Passwords used in Secure Login Server are restricted by the password policy definition.
Passwords cannot be empty
Passwords must have a length between 8 to 20 characters
Passwords must contain at least one uppercase letter
Passwords must contain at least one lowercase letter
Passwords must contain at least one digit
Passwords must contain at least one special character
After the configuration, choose Next to continue.
-
2 Secure Login Server Installation
34 06/2011
Create Root CA Certificate
Define the parameter for the root CA certificate.
Figure: Initial Configuration Wizard Create Root CA
Entries marked with * are mandatory.
Option Details
Create a Root CA by providing certificate information
Common Name*
Enter the common name of the certificate (CN).
Example: Root CA SAP Security
Organization Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
-
2 Secure Login Server Installation
06/2011 35
Valid From*
Enter the date from when the validity of this certificate starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of this certificate ends (format: YYYY-MM-DD).
Password*
In this field you enter the password for this certificate. The password length is limited to 20 characters.
Save Password If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Confirm Password*
Confirm the encryption password entered in the field above.
Import an Existing Key Store File
Checking this option displays the following options:
KeyStore File*
Click Browse to locate and load an existing KeyStore file (File Format is: *.pse).
Password*
The password for the KeyStore (PSE) file.
Save Password
If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Skip this certificate Check this option if you do not want to or do not need to enter any information for this specific certificate at this time.
Skip all PKI certificates Check this option if you do not want to or do not need to enter information for any certificate at this time. This means you skip all the PKI certificates including the Root CA, SSL CA, SSL Server, and User CA certificates.
You can create or add certificate information at a later time in the Certificate Management function of the Administration Console.
After the configuration, choose Next to continue.
-
2 Secure Login Server Installation
36 06/2011
Select the SSL Certificate Generation Type
Choose an option for the SSL certificate.
Figure: Initial Configuration Wizard Select the SSL Certificate Generation Type
It is possible to install or import SSL certificates later on using the administration console Certificate Management. For more information, see section 3.3.3 Certificate Management.
Option Details
Generate an SSL certificate using the Secure Login Administration Console
The SSL certificates for the SAP NetWeaver Application Server (or other Web application server) are created using the Secure Login Administration Console.
Skip all SSL certificates Check this option if you do not want to or do not need to enter information for SSL certificates at this time.
After having chosen an option configuration, choose Next to continue.
-
2 Secure Login Server Installation
06/2011 37
Create SSL CA Certificate
This step is optional and is only available if the option Generate an SSL certificate using the Secure Login administration console was chosen.
Figure: Initial Configuration Wizard Create SSL CA Information
Entries marked with * are mandatory.
Option Details
Create a SSL CA by providing certificate information
Common Name*
Enter the common name of the certificate (CN).
Example: SSL CA SAP Security
Organization Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
-
2 Secure Login Server Installation
38 06/2011
Valid From*
Enter the date when the validity of the certificate starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of the certificate ends (format: YYYY-MM-DD).
Password*
Enter the password for this certificate in this field. The password length is limited to 20 characters.
Save Password If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Confirm password*
Confirm the encryption password entered in the field above.
Import an Existing Key Store File
Checking this option displays the following options:
KeyStore File*
Click Browse to locate and load an existing Key Store File (file format: *.pse).
Password*
The password for the KeyStore (PSE) file.
Save Password
If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Skip this certificate Check this option if you do not want to or do not need to enter any information for this specific certificate at this time.
After the configuration, choose Next to continue.
Create SSL Server Certificate
This step is optional and is only available if you chose the option Generate an SSL certificate using the Secure Login administration console.
-
2 Secure Login Server Installation
06/2011 39
Figure: Initial Configuration Wizard SSL Server Information
Entries marked with * are mandatory.
Option Details
Create an SSL server by providing certificate information
Common Name*
Enter the common name of the certificate (CN).
Example: Alias Server Name
Organization Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Subject Alternative Names (DNS)
Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN).
Example: [email protected]
Encryption Key Length
Select the encryption key length for the server (512,
-
2 Secure Login Server Installation
40 06/2011
1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Enter the date when the validity of the certificate starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of the certificate ends (format: YYYY-MM-DD).
Password*
In this field, you enter the password for this certificate. The password length is limited to 20 characters.
Save Password If this checkbox is activated, this password will be stored. This means that you do not need to remember the password when editing this certificate at a later date.
Confirm Password*
Confirm the encryption password entered in the field above.
Import an Existing Key Store File
Checking this option displays the following options:
KeyStore File*
Click Browse to locate and load an existing KeyStore file (file format: *.p12).
Password*
The password for the KeyStore file.
Save Password
If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Skip this certificate Check this option if you do not want or do not need to enter any information for this specific certificate at this time.
After the configuration, choose Next to continue.
-
2 Secure Login Server Installation
06/2011 41
Create User CA Certificate
Define the parameter for the user CA certificate.
Figure: Initial Configuration Wizard User CA Information
Entries marked with * are mandatory.
Option Details
Create a user CA by providing certificate information
Common Name*
Enter the common name of the certificate (CN).
Example: User CA SAP Security
Organization Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
-
2 Secure Login Server Installation
42 06/2011
Valid From*
Enter the date when the validity of the certificate starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of the certificate ends (format: YYYY-MM-DD).
Password*
In this field you enter the password for this certificate. The password length is limited to 20 characters.
Save Password If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Confirm Password*
Confirm the encryption password entered in the field above.
Import an Existing Key Store File
Checking this option displays the following options:
KeyStore File*
Click Browse to locate and load an existing KeyStore file (file format: *.pse).
Password*
The password for the KeyStore (PSE) file.
Save Password
If this checkbox is activated, this password will be stored. This means that you do not need to remember the password when editing this certificate at a later date.
Skip this certificate Check this option if you do not want or do not need to enter any information for this specific certificate at this time.
After the configuration, choose Next to continue.
-
2 Secure Login Server Installation
06/2011 43
Define Server Configuration
Define the parameters for the User Certificate Configuration and Application Information.
The other configuration parameters are read-only (for verification reasons).
Figure: Initial Configuration Wizard Server Configuration
Entries marked with * are mandatory.
Option Details
User Certificate Configuration
DN.country
Enter the country abbreviation in this field (C).
Example: DE
DN.locality
Enter the regional information in this field (L).
Example: Walldorf
DN.organization
Enter the company name in this field (O).
Example: Company xyz
DN.organizationalUnit
Enter the division of the company in this field (OU).
Example: SAP Security Department
ValidityMinutes*
Information for a temporary certificate: The period of time (in minutes) that the user certificate is valid.
-
2 Secure Login Server Installation
44 06/2011
Application Information ServerHostName
FQDN name or IP address of this server.
This parameter is used for the client policy definition and can be used for centrally changing the server host name and the server port in the instance configuration of the Secure Login Server.
ServerPort
Port of this server.
This parameter is used for the client policy definition and can be used for central change.
Authentication Server Configuration (read-only)
AuthConfigPath
Authentication server configurations file for the Secure Login Server.
Secure Login User CA Key Store (read-only)
PseName
The user CA key store file path. If you created a user CA in the previous step, the file path is shown here.
Log Configuration (read-only)
DailyLogDir
In this log path the user authentication information for the default instance is logged. (for example, the user authentication was successful)
MonthlyLogDir
In this log path the instance information for the default instance is logged. (for example, the default instance was started successful)
AdminConsoleLogDir
In this log path the admin console information for the Secure Login Administration Console is logged. (for example, the default instance configuration was changed)
LockDir
The path to which the lock file is saved. A lock file is created when the server encounters an internal error that requires manual intervention.
After the configuration, choose Next to continue.
-
2 Secure Login Server Installation
06/2011 45
Setup Review
Verify the action points and choose the Finish pushbutton to complete the initial wizard configuration.
Figure: Initial Configuration Wizard Setup Review
Finish Setup
After successful setup configuration this page appears. Restart the Secure Login Server application.
Figure: Initial Configuration Wizard Congratulations
Use the Telnet application to stop and start the Secure Login Server application (for more information, see section 2.2 Secure Login Server Installation with Telnet).
Another possibility in the Microsoft Windows environment is to use the SAP Management Console (sapmmc) application. Under AS Java Components, choose the application sap.com/SecureLoginServer and restart the application.
-
2 Secure Login Server Installation
46 06/2011
Microsoft Windows SAP Management Console
In Microsoft Windows environment the SAP Management Console (sapmmc) can be used to restart the Secure Login Server application. Mark the application sap.com/SecureLoginServer and choose the option Restart (right-click option).
Figure: SAP Management Console (sapmmc)
-
2 Secure Login Server Installation
06/2011 47
2.6.2 Enable Remote Access for Initial Wizard This configuration step is optional and is only required if you want to perform the initial configuration from a remote computer.
For security reasons we recommend performing the initial configuration on the local host (same server computer on which the Secure Login Server resides).
In the configuration file web.xml, change the value to true for the parameter remoteAccess.
web.xml
remoteAccess
true
The configuration file web.xml is available in the following place:
Microsoft Windows \j2ee\cluster\apps\sap.com\SecureLoginServer\servlet_jsp\securelogin\root\WEB-INF\web.xml Linux /j2ee/cluster/apps/sap.com/SecureLoginServer/servlet_jsp/securelogin/root/WEB-INF/web.xml
It is required to restart the Secure Login Server application.
-
2 Secure Login Server Installation
48 06/2011
2.6.3 Configure SSH Tunnel This configuration step is optional and belongs to the Linux environment if no GUI is available. The localhost configuration can be performed using for example, PuTTY
Configure the following parameter and choose Add.
Example: SSH tunnel configuration in PuTTY
Parameter Value
Source Port 500 Example: 50000
Destination localhost:500 Example: localhost:50000
After the SSH tunnel configuration, log on to this connection and perform the initial configuration. For more information, see section 2.6 Initial Configuration Wizard.
-
3 Administration
06/2011 49
3 Administration This chapter describes the configuration parameters in Secure Login Server.
3.1 Logon to Administration Console To open the administration console, enter the following URL in a Web browser:
Communication URL
Unsecured http://:500/securelogin
Secured https://:5/securelogin
You find the https port in the SSL setting of the SAP NetWeaver configuration. The port number is usually 50001 (corresponds to 01 in the table above).
The logon page appears.
Figure: Administration Console Logon Page
Enter your administration user name (for example, Admin) and your password.
Authentication type Details
Local Login Default user name/password combination authenticated in the administration console database.
External Login User name/password combination authenticated in the authentication server database set in the JAAS module. Example: You can use the Microsoft Active Directory user database for logging on to the Secure Login Server administration console.
For more information about the configuration, see section 3.3.2
-
3 Administration
50 06/2011
Authentication type Details
Edit Login Type Setting.
3.2 Welcome Page After successful logon, the welcome page appears. This page also appears when you click on Home.
Figure: Administration Console Welcome Page
The administration console interface allows you to easily configure the server to your needs. The main area is split into three panes:
The top left-hand pane lists any tasks that have yet to be performed. For example, Connection must be HTTPS refers to the missing SSL connection between the console and the Secure Login Server, or Server needs to be restarted informs you that the configuration has been changed, and you need to restart the Secure Login Server application for it to take effect.
The bottom left-hand pane is the main navigation tree. For easy reference, each node represents tasks that can be performed within the Secure Login Server framework.
The right-hand pane displays the details of any node selected in the left-hand pane.
In the top right-hand corner there are three entries that appear on every page in the console: Change Password This allows you to change the password for the current administrator/user account. Logout Use this link to logout of the console. The login page will reappear (see previous page).
-
3 Administration
06/2011 51
About Click this to view version information about the console.
You may be asked to re-enter your user name and password if you leave the administration console for a long time. The default console timeout is 10 minutes.
3.2.1 Change Password This section describes how to change the account password for the administration console.
1. Choose Change Password in the title bar on any page.
2. The following dialog box appears:
Figure: Change Password
3. Enter the current password into the Old Password field.
4. Enter and confirm the new password into the fields New Password and Confirm New Password respectively.
5. Click OK
The user admin is a permanent user that has the role super user and cannot be deleted.
As a consequence, the admin user can log on to the system regardless of state (when a serious system error occurs), making sure that there is at least one user who can always access Secure Login to correct or configure the system.
-
3 Administration
52 06/2011
3.3 Server Configuration This section describes the server configuration page of the administration console.
The Server Configuration page allows you to do the following:
View the server configuration.
Edit some of the server parameters.
Choose the Server Configuration node in the left-hand pane of the administration console.
The following page appears:
Figure: Administration Console - Server Configuration
The following options can be viewed on this page:
-
3 Administration
06/2011 53
Option Details/Value
Edit Click Edit to change the Administration Console Description, Trace Configuration, and Client Configuration. For more information, see section 3.3.1 Edit Server Configuration.
Description The description of this administration console.
Console Login Type The current types of authentication available for log on to the administration console. The configuration can be changed using the button Edit Login Type. For more information, see section 3.3.2 Edit Login Type Setting.
External Login JAAS Module
The current JAAS module used for External Login authentication to the Administration Console. For further information see section 3.3.2 Edit Login Type Setting.
The Authentication File Path (read-only)
The authentication configuration file used by this server. This configuration is for information purposes only.
Trust Certificates Storage File (read-only)
The Trust Store file (TrustStore.jks) used by this server.
Console Log Directory (read-only)
The directory in which the console log file is located.
Console Log Prefix (read-only)
The file prefix for the console log file.
Enable Server Trace Enable Secure Login Server trace to provide extended traces.
true Trace enabled
false Trace enabled
Default value is false.
Path to the Server Lock File (read-only)
Path where the lock files are written. A lock file is generated if something went wrong with the Secure Login Server. In this case the Secure Login Server is locked.
Host Server Domain Name
The host name or IP of the computer from which the console is being used for the Secure Login Client policy configuration (for all client policy URLs).
Port The port of this computer from which the console is being used for the Secure Login Client policy configuration (for all client policy URLs).
We recommend that you use an HTTPS (SSL) port.
CREDDIR (read-only)
The directory in which the credentials are stored for the Secure Login Library.
NativeLibraryPath (read-only)
The directory where native libraries are stored for the Secure Login Library.
-
3 Administration
54 06/2011
3.3.1 Edit Server Configuration Use the Edit button and the following page appears.
Figure: Administration Console Edit Server Configuration
The following options can be set:
Option Details/Value
Description Here you can personalize the description for the administration console.
Enable Server Trace true
Write trace messages to the application server trace file (defaultTrace_*.log).
false
Do not write trace messages to the application server trace file.
Host Server Domain Name
The host name or IP of the computer from which the console is being used.
Port The port of the computer from which the console is being used. We recommend that you use an HTTPS (SSL) port.
Once you have changed any option, click Save to return to the Server Configuration page.
-
3 Administration
06/2011 55
3.3.2 Edit Login Type Setting Use the Edit Login Type button, and you get to the page that allows you to configure, delete, or add the following login types:
Local Login
Default user name/password combination authenticated with the administration console database.
External Login
User name/password combination authenticated in the authentication server database set in the JAAS module. If this option is used, select the appropriate JAAS module in the External Login Jaas Module combo box.
1. To add a login option to the administration console login page, proceed as follows: 2. Select a login type from the All Login Type field and choose >>Add. As a
consequence, it appears in the Current Login Type field. 3. Use the Up and Down buttons to move a login option up or down and thus define its
priority. 4. To delete a login option from the administration console login page, select a login
type from the Current Login Type field and choose
-
3 Administration
56 06/2011
3.3.3 Certificate Management This section describes the Certificate Management page of the administration console.
The Certificate Management page allows you to do the following:
Create certificates
View certificates
Export certificates
Import certificates
What I have to do first is making a decision: Do I want the Secure Login Server to create and manage one or more public key infrastructures, or is there an existing company PKI that is supposed to be used on top. Both is possible, even a mixture of it. You may want to have one Secure Login Server PKI below your enterprise PKI and two others independently created by Secure Login Server.
However, due to the high flexibility of Secure Login Server, it is no problem to add, replace, or delete PKIs at any time.
Choose the Certificate Management node from the tree in the left-hand pane. The following page appears:
Figure: Administration Console Certificate Management
Option Details
PKI Tree One or more tree views of independent PKIs. One DefaultPKITree named Root CA SAP Security is available here.
Create New Root CA Define a display name for the new PKI and create a top-level Certification Authority (Root CA).
-
3 Administration
06/2011 57
Certificate Information Common Name
Common name of the selected certificate.
Path
File path of the selected certificate file.
Save Password
Password protection status of the selected certificate file.
Mapping to Instance
List of all instances and selections that are supposed to use this user CA. This option is available for user CAs only.
More Details Further details of the X.509 certificate
[PKI Information] Displays the name of the PKI structure
[CA Operations] Selects the Certification Authority of a PKI for further management operations.
Issue
Creates a new Certification Authority of this type (USER_CA, SAP_CA or SSL_CA).
Change Password
Changes password of selected CA
Remove Password
Removes password of selected CA. A password must be given for each following management operation of this CA.
[Export Certificate] Exports the selected certificate.
Export Type
Chooses the export type for the certificate. Possible export types: .crt, .p12, .pse or *.jks.
New Password
Defines the password of the exported certificate file. This option is not available if you choose the export type .crt.
[Import New PKI] Imports the key store into the certificate list.
Note: Only PSE files can be imported.
PKI Name
Displays the name of the new PKI the certificate belongs to. The following special characters are not supported: ~`!@#$%^&*()_-+= }{:"?>
-
3 Administration
58 06/2011
Open Password
Password that protects the certificate file
Save Password
Allows you to save the password in the configuration file.
Create New PKI
Use this function to create a new internal PKI that has its own root CA certificate.
Enter a display name for the new PKI, for example NEW PKI and choose Create New Root CA.
Define the certificate parameters for the new root CA certificate and choose Create.
Entries marked with an asterisk(*) are mandatory.
The new PKI should be available in the PKI tree.
-
3 Administration
06/2011 59
Import New PKI
Use this function to create a new PKI that uses external CA certificates. This way it is also possible to create a PKI without having the issuing root CA stored inside the Secure Login Server.
1. Enter a display name for the new PKI, for example, ImportPKI. 2. Select the type of CA that shall be imported, for example, ROOT_CA. 3. Choose Browse to open a file browser. Locate and open the PSE file. 4. Enter the password for the PSE file in the field Open Password. 5. As an option, you can choose to save the password. 6. Choose the Import pushbutton to complete.
The imported PKI should be available in the PKI tree.
-
3 Administration
60 06/2011
Create SAP CA Certificate
Use this function to create an SAP CA certificate.
1. Choose on the Root CA certificate in the PKI tree list. 2. Select the certificate type SAP_CA in [CA Operations]. 3. Choose on the Issue pushbutton and define the certificate parameters.
Figure: Administration Console Create SAP CA Certificate
Entries marked with an asterisk(*) are mandatory.