Installation, Configuration and Administration Guide SAP NetWeaver Single-Sign-On SP2 Secure Login Server
PUBLIC Document Version: 1.2 – December 2011
SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com
© Copyright 2011 SAP AG. All rights reserved. JavaScript is a registered trademark of Sun Microsystems, Inc., used No part of this publication may be reproduced or transmitted in any
under license for technology invented and implemented by Netscape.
form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP
notice.
BusinessObjects Explorer, and other SAP products and services
Some software products marketed by SAP AG and its distributors
mentioned herein as well as their respective logos are trademarks or
contain proprietary software components of other software vendors.
registered trademarks of SAP AG in Germany and other countries.
Microsoft, Windows, Outlook, and PowerPoint are registered
Business Objects and the Business Objects logo, BusinessObjects,
trademarks of Microsoft Corporation.
Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well
IBM, DB2, DB2 Universal Database, System i, System i5, System p,
as their respective logos are trademarks or registered trademarks of
System p5, System x, System z, System z10, System z9, z10, z9,
Business Objects Software Ltd. in the United States and in other
iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390,
countries.
OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5,
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere,
POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System
and other Sybase products and services mentioned herein as well as
Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks,
their respective logos are trademarks or registered trademarks of
OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner,
Sybase, Inc. Sybase is an SAP company.
WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves
Linux is the registered trademark of Linus Torvalds in the U.S. and
informational purposes only. National product specifications may
other countries.
vary.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either
These materials are subject to change without notice. These materials
trademarks or registered trademarks of Adobe Systems Incorporated in
are provided by SAP AG and its affiliated companies ("SAP Group")
the United States and/or other countries.
for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions
Oracle is a registered trademark of Oracle Corporation.
with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the
warranty statements accompanying such products and services, if any.
Open Group.
Nothing herein should be construed as constituting an additional
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,
warranty.
VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
Disclaimer Some components of this product are based on Java™. Any
HTML, XML, XHTML and W3C are trademarks or registered
code change in these components may cause unpredictable
trademarks of W3C®, World Wide Web Consortium, Massachusetts
and severe malfunctions and is therefore expressively
Institute of Technology.
prohibited, as is any decompilation of these components.
Java is a registered trademark of Sun Microsystems, Inc.
Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be
stringutils http://sourceforge.net/projects/stringutils/
modified or altered in any way. Copyright (c) 2006 Andrea S. Gozzi, Valerio Romeo Permission is hereby granted, free of charge, to any person obtaining a
Terms for Included Open Source Software
copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish,
This SAP software contains also the third party open source software
distribute, sublicense, and/or sell copies of the Software, and to permit
products listed below. Please note that for these third party products
persons to whom the Software is furnished to do so, subject to the
the following special terms and conditions shall apply.
following conditions:
Prototype JavaScript Framework http://www.prototypejs.org/
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
Copyright (c) 2005-2010 Sam Stephenson THE SOFTWARE IS PROVIDED "AS IS", WITHOUT Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT
OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
opencsv 1.7.1 http://opencsv.sourceforge.net/
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
Apache License
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
Version 2.0, January 2004
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
http://www.apache.org/licenses/
OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
Licensor for inclusion in the Work by the copyright owner or by an
and distribution as defined by Sections 1 through 9 of this document.
individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted"
"Licensor" shall mean the copyright owner or entity authorized by the
means any form of electronic, verbal, or written communication sent
copyright owner that is granting the License.
to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control
"Legal Entity" shall mean the union of the acting entity and all other
systems, and issue tracking systems that are managed by, or on behalf
entities that control, are controlled by, or are under common control
of, the Licensor for the purpose of discussing and improving the Work,
with that entity. For the purposes of this definition, "control" means (i)
but excluding communication that is conspicuously marked or
the power, direct or indirect, to cause the direction or management of
otherwise designated in writing by the copyright owner as "Not a
such entity, whether by contract or otherwise, or (ii) ownership of fifty
Contribution."
percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and
"You" (or "Your") shall mean an individual or Legal Entity exercising
subsequently incorporated within the Work.
permissions granted by this License. 2. Grant of Copyright License. Subject to the terms and conditions of "Source" form shall mean the preferred form for making
this License, each Contributor hereby grants to You a perpetual,
modifications, including but not limited to software source code,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
documentation source, and configuration files.
copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and
"Object" form shall mean any form resulting from mechanical
such Derivative Works in Source or Object form.
transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and
3. Grant of Patent License. Subject to the terms and conditions of this
conversions to other media types.
License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except
"Work" shall mean the work of authorship, whether in Source or
as stated in this section) patent license to make, have made, use, offer
Object form, made available under the License, as indicated by a
to sell, sell, import, and otherwise transfer the Work, where such
copyright notice that is included in or attached to the work (an
license applies only to those patent claims licensable by such
example is provided in the Appendix below).
Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to
"Derivative Works" shall mean any work, whether in Source or Object
which such Contribution(s) was submitted. If You institute patent
form, that is based on (or derived from) the Work and for which the
litigation against any entity (including a cross-claim or counterclaim in
editorial revisions, annotations, elaborations, or other modifications
a lawsuit) alleging that the Work or a Contribution incorporated within
represent, as a whole, an original work of authorship. For the purposes
the Work constitutes direct or contributory patent infringement, then
of this License, Derivative Works shall not include works that remain
any patent licenses granted to You under this License for that Work
separable from, or merely link (or bind by name) to the interfaces of,
shall terminate as of the date such litigation is filed.
the Work and Derivative Works thereof. 4. Redistribution. You may reproduce and distribute copies of the "Contribution" shall mean any work of authorship, including the
Work or Derivative Works thereof in any medium, with or without
original version of the Work and any modifications or additions to that
modifications, and in Source or Object form, provided that You meet
Work or Derivative Works thereof, that is intentionally submitted to
the following conditions:
(a) You must give any other recipients of the Work or Derivative
6. Trademarks. This License does not grant permission to use the trade
Works a copy of this License; and
names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the
(b) You must cause any modified files to carry prominent notices
origin of the Work and reproducing the content of the NOTICE file.
stating that You changed the files; and 7. Disclaimer of Warranty. Unless required by applicable law or (c) You must retain, in the Source form of any Derivative Works that
agreed to in writing, Licensor provides the Work (and each
You distribute, all copyright, patent, trademark, and attribution notices
Contributor provides its Contributions) on an "AS IS" BASIS,
from the Source form of the Work, excluding those notices that do not
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
pertain to any part of the Derivative Works; and
either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT,
(d) If the Work includes a "NOTICE" text file as part of its
MERCHANTABILITY, or FITNESS FOR A PARTICULAR
distribution, then any Derivative Works that You distribute must
PURPOSE. You are solely responsible for determining the
include a readable copy of the attribution notices contained within
appropriateness of using or redistributing the Work and assume any
such NOTICE file, excluding those notices that do not pertain to any
risks associated with Your exercise of permissions under this License.
part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works;
8. Limitation of Liability. In no event and under no legal theory,
within the Source form or documentation, if provided along with the
whether in tort (including negligence), contract, or otherwise, unless
Derivative Works; or, within a display generated by the Derivative
required by applicable law (such as deliberate and grossly negligent
Works, if and wherever such third-party notices normally appear. The
acts) or agreed to in writing, shall any Contributor be liable to You for
contents of the NOTICE file are for informational purposes only and
damages, including any direct, indirect, special, incidental, or
do not modify the License. You may add Your own attribution notices
consequential damages of any character arising as a result of this
within Derivative Works that You distribute, alongside or as an
License or out of the use or inability to use the Work (including but
addendum to the NOTICE text from the Work, provided that such
not limited to damages for loss of goodwill, work stoppage, computer
additional attribution notices cannot be construed as modifying the
failure or malfunction, or any and all other commercial damages or
License.
losses), even if such Contributor has been advised of the possibility of such damages.
You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions
9. Accepting Warranty or Additional Liability. While redistributing
for use, reproduction, or distribution of Your modifications, or for any
the Work or Derivative Works thereof, You may choose to offer, and
such Derivative Works as a whole, provided Your use, reproduction,
charge a fee for, acceptance of support, warranty, indemnity, or other
and distribution of the Work otherwise complies with the conditions
liability obligations and/or rights consistent with this License.
stated in this License.
However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other
5. Submission of Contributions. Unless You explicitly state otherwise,
Contributor, and only if You agree to indemnify, defend, and hold
any Contribution intentionally submitted for inclusion in the Work by
each Contributor harmless for any liability incurred by, or claims
You to the Licensor shall be under the terms and conditions of this
asserted against, such Contributor by reason of your accepting any
License, without any additional terms or conditions. Notwithstanding
such warranty or additional liability.
the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
Typographic Conventions Type Style Example Text
Description Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Cross-references to other documentation
Example text
Emphasized words or phrases in body text, graphic titles, and table titles
EXAMPLE TEXT
Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text
Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text
Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT
Keys on the keyboard, for example, F2 or ENTER.
Icons Icon
Meaning Caution Example Note Recommendation Syntax
Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Contents 1 What is Secure Login? ....................................................................... 9 1.1 System Overview .................................................................................. 10 1.2 System Overview with Security Token ............................................... 11 1.3 System Overview with Secure Login Server ...................................... 14 1.4 Instances ............................................................................................... 16 1.5 PKI Structure ........................................................................................ 17 1.6 Secure Communication ....................................................................... 18 1.7 Policy Server Overview ........................................................................ 19 1.8 Secure Login Web Client ..................................................................... 20 1.8.1 Export Restrictions ........................................................................... 20
2 Secure Login Server Installation ..................................................... 21 2.1 Prerequisites ........................................................................................ 21 2.1.1 Secure Login Library ................................................................................................... 22
2.2 Secure Login Server Installation with Telnet ..................................... 26 2.3 Secure Login Server Installation with JSPM ...................................... 27 2.4 Secure Login Server Uninstallation .................................................... 30 2.5 Updating the Secure Login Server to SP2 ......................................... 30 2.6 Initial Configuration Wizard ................................................................. 31 2.6.1 Initial Configuration ..................................................................................................... 31 2.6.2 Enable Remote Access for Initial Wizard.................................................................... 47 2.6.3 Configure SSH Tunnel ................................................................................................ 48
3 Administration ................................................................................... 49 3.1 Logon to Administration Console....................................................... 49 3.2 Welcome Page ...................................................................................... 50 3.2.1 Change Password....................................................................................................... 51
3.3 Server Configuration............................................................................ 52 3.3.1 Edit Server Configuration ............................................................................................ 54 3.3.2 Edit Login Type Setting ............................................................................................... 55 3.3.3 Certificate Management .............................................................................................. 56 3.3.4 Trust Store Management ............................................................................................ 68 3.3.5 Certificate Template .................................................................................................... 69 3.3.6 System Check ............................................................................................................. 76 3.3.7 Message Settings ....................................................................................................... 77 3.3.8 SNC Configuration ...................................................................................................... 81 3.3.9 Server Status .............................................................................................................. 82 3.3.10 Sign Certificate Requests ......................................................................................... 83 3.3.11 Console Log Viewer .................................................................................................. 85 3.3.12 Web Client Configuration .......................................................................................... 87
3.4 Instance Management .......................................................................... 92 3.4.1 DefaultServer Configuration ....................................................................................... 92 3.4.2 Create a New Instance ............................................................................................. 115
3.5 Console Users .................................................................................... 120 3.5.1 User Management .................................................................................................... 120 3.5.2 Role Management..................................................................................................... 123 3.5.3 Locked Files Management ........................................................................................ 124
4 Other Configurations ...................................................................... 125
06/2011
7
4.1 Configure Login Module .................................................................... 125 4.2 Verify Authentication Server Configuration ..................................... 131 4.3 Create Technical User in SAP Server ............................................... 133 4.4 Mozilla Firefox Support ...................................................................... 133 4.4.1 Install Firefox Extension ............................................................................................ 133 4.4.2 Uninstall Mozilla Firefox Extension ........................................................................... 134
4.5 Customize Secure Login Web Client ................................................ 135 4.6 Configure SSL Certificate Logon ...................................................... 135 4.7 Configure External Login ID .............................................................. 136 4.8 Emergency Recovery Tool ................................................................ 136 4.9 Monitoring ........................................................................................... 139 4.9.1 Web Service Status .................................................................................................. 139 4.9.2 XML Interface ............................................................................................................ 139
4.10 Secure Login Client Policy and Profiles ......................................... 141 4.10.1 Client Policy ............................................................................................................ 141 4.10.2 Applications and Profiles ........................................................................................ 142
4.11 Integrate into Existing PKI ............................................................... 146 4.12 Configuring Secure Login Servers as Failover Servers for High Availability ................................................................................................ 147 4.13 Configuring Login Module Stacks as Failover Servers in SAP NetWeaver ................................................................................................. 149 4.13.1 Configuration of SAP NetWeaver AS Java ............................................................. 150 4.13.2 Configuration of the Secure Login Server .............................................................. 151
4.14 Setting Failover Timeouts of the Login Modules ........................... 152 4.15 Custom Use of Login Module with Login Module Stacks ............. 152
5 Configuration Examples ................................................................. 154 5.1 Kerberos Authentication with SPNego ............................................. 154 5.2 LDAP User Authentication ................................................................ 155 5.3 SAP User Authentication ................................................................... 156 5.4 RADIUS User Authentication............................................................. 157 5.5 Configuring RSA Authentication with RADIUS................................ 158 5.5.1 Configuration of the securid.ini File .......................................................................... 158 5.5.2 Customer-Specific Configuration of the securid.ini File ............................................ 159 5.5.3 Ensuring Encrypted Communication with Shared Secret ......................................... 160
6 Troubleshooting .............................................................................. 161 6.1 Checklist User Authentication Problem ........................................... 161 6.2 Secure Login Server SNC Problem ................................................... 162 6.3 Enable Secure Login Server Trace ................................................... 163 6.4 Enable Secure Login Library Trace .................................................. 163 6.5 Secure Login Server Lock and Unlock ............................................. 164 6.6 Access Denied Replies ...................................................................... 165 6.7 Internal Server Message .................................................................... 165 6.8 Error Codes ........................................................................................ 166 6.8.1 Secure Login Server Error Codes ............................................................................. 166 6.8.2 SAP Stacktrace Error Codes .................................................................................... 168
7 List of Abbreviations ...................................................................... 171 8 Glossary ........................................................................................... 173
8
06/2011
1 What is Secure Login?
1 What is Secure Login? Secure Login is an innovative software solution created specifically to improve user and IT productivity and to protect business-critical data in SAP business solutions through secure Single Sign-On to the SAP environment. Secure Login provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components: Examples: SAP GUI and SAP NetWeaver platform with Secure Network Communications (SNC) Web GUI and SAP NetWeaver platform with Secure Socket Layer – SSL (HTTPS) Third party application server supporting X.509 certificates In a default SAP setup, users enter their SAP user name and password into the SAP GUI logon screen. SAP user names and passwords are transferred through the network without encryption. To secure networks, SAP provides a Secure Network Communications interface (SNC) that enables users to log on to SAP systems without entering a user name or password. The SNC interface can also direct calls through the Secure Login Library to encrypt all communication between the SAP GUI and SAP server, thus providing secure single sign-on to SAP. Secure Login allows you to benefit from the advantages of SNC without being forced to set up a Public Key Infrastructure (PKI). Secure Login allows users to authenticate with one of the following authentication mechanisms:
Microsoft Windows domain (Active Directory Server) RADIUS server LDAP server RSA SecurID token SAP NetWeaver server Smart Card authentication
If a PKI has already been set up, the digital user certificates of the PKI can also be used by Secure Login. Secure Login also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) with SSL.
06/2011
9
1 What is Secure Login?
1.1 System Overview Secure Login is a client/server software system integrated with SAP software to make single sign-on, alternative user authentication, and enhanced security easy for distributed SAP environments. The Secure Login solution includes the following components:
Secure Login Server Central service which provides X.509v3 certificates (out-of-the-box PKI) to users and application server. The Secure Login Web Client is provided as well. Secure Login Library Crypto library for the SAP NetWeaver ABAP system. The Secure Login Library supports both X.509 and Kerberos technology. Secure Login Client Client application which provides security tokens (Kerberos and X.509 technology) for a variety of applications.
It is not necessary to install all components. This depends on the use case. For further information about Secure Login Client and Secure Login Library see the corresponding Installation, Configuration and Administration Guide.
The Secure Login Client is split into the following variants: Secure Login Client Secure Login Client can either be used with an existing public key infrastructure (PKI) or together with the Secure Login Server. You can use it for certificate-based authentication without being obliged to set up a PKI. The stand-alone Secure Login Client can use the following authentication methods: - Smart Cards and USB tokens with an existing PKI certificate Secure Login Server and Authentication Server are not necessary. - Microsoft Crypto Store with an existing PKI certificate Secure Login Server and Authentication Server are not necessary. - Microsoft Windows credentials The Microsoft Windows domain credentials (Kerberos token) can be used for authentication. In addition, the Microsoft Windows credentials can be used to receive a user X.509 certificate with Secure Login Server. - User name and Password (Several Authentication Mechanism) The Secure Login Client prompts you for a user name and a password and uses these credentials for authentication at the Secure Login Server to receive a user X.509 certificate. All of these authentication methods can be used in parallel. A policy server provides authentication profiles that specify how to log on to the desired SAP system. Secure Login Web Client This client is based on a Web browser (Web GUI) and is part of the Secure Login Server. The Secure Login Web Client has the same authentication methods as the standalone Secure Login Client, but with the following limited functions: - Limited integration with the client environment (interaction required) - Limited client policy configuration
10
06/2011
1 What is Secure Login?
1.2 System Overview with Security Token The Secure Login Client is integrated with SAP software to provide a single sign-on capability and enhanced security. An existing PKI structure or Kerberos infrastructure can be used for user authentication.
Main System Components The following figure shows the Secure Login system environment with the main system components if an existing PKI or Kerberos infrastructure is used.
PKI Infrastructure
Secure Login Client
• Smart Card, USB Token • Microsoft Crypto Store
Security Token • SAP GUI • Web GUI
SAP NetWeaver Platform
Kerberos Infrastructure
• Secure Login Library
• Kerberos Token
Authentication and secure communication Kerberos
Figure: Secure Login System Environment with Existing PKI and Kerberos The Secure Login Client is responsible for the certificate-based authentication and Kerberosbased authentication to the SAP application server.
Authentication Methods In a system environment without Secure Login Server, the Secure Login Client supports the following authentication methods:
Smart Card and USB tokens with an existing PKI certificate Microsoft Crypto Store (Certificate Store) Kerberos token
06/2011
11
1 What is Secure Login?
Workflow for X.509 Certificates The following figure shows the principal workflow and communication between the individual components.
PKI Infrastructure
Secure Login Client
• Smart Card, USB Token • Microsoft Crypto Store
4 Security Token
2 Client maps SNC name to authentication profile
1 Start connection and get SNC name
3
SAP NetWeaver Platform • Secure Login Library
Unlock Security Token
5 Client provides certificate to SAP GUI application
6 Authentication and secure communication
Figure: Principal Workflow 1.
Upon connection start, the Secure Login Client retrieves the SNC name from the desired SAP server system.
2.
The Secure Login Client uses the authentication profile for this SNC name.
3.
The user unlocks the security token by entering the PIN or password.
4.
The Secure Login Client receives the X.509 certificate from the user security token.
5.
The Secure Login Client provides the X.509 certificate for SAP single sign-on and secure communication between SAP Client and SAP Server.
6.
The user is authenticated and the communication is secured.
Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto engines. The Crypto Service Provider (CSP) from SAP is such a plug-in. It provides the user keys to all CAPI-enabled applications.
12
06/2011
1 What is Secure Login?
Workflow for Kerberos Token The following figure shows the principal workflow and communication between the individual components.
Figure: Principal Workflow Kerberos Authentication 1.
Upon connection start, the Secure Login Client retrieves the SNC name (Service Principal Name) from the respective SAP server system.
2.
The Secure Login Client starts at the Ticket Granting Service a request for a Kerberos Service token.
3.
The Secure Login Client receives the Kerberos Service token.
4.
The Secure Login Client provides the Kerberos Service token for SAP single sign-on and secure communication between SAP Client and SAP server.
5.
The user is authenticated and the communication is secured.
06/2011
13
1 What is Secure Login?
1.3 System Overview with Secure Login Server The main feature of the Secure Login Server is to provide an out-of-the-box PKI for users and application server systems (for example, SAP NetWeaver). Users receive short term X.509 certificates. For the application server, long term X.509 certificates are issued. Based on the industry standard X.509v3, the certificates can be used for non-SAP systems as well. In order to provide user certificates, the user needs to be authenticated (verified by the Secure Login Server). Therefore the Secure Login Server supports several authentication server systems.
Main System Components The following figure shows the Secure Login system environment with the main system components.
Figure: Secure Login System Environment The Secure Login Client is responsible for the certificate-based logon to the SAP application server and encryption of the SAP client/server communication. The Secure Login Server is the central server component that connects all parts of the system. It enables authentication against an authentication Server and provides the Secure Login Client with a short term certificate. The Secure Login Server is a pure Java application. It consists of a servlet and a set of associated classes and shared libraries. It is installed on an SAP NetWeaver application server. The Secure Login Server provides client authentication profiles to the Secure Login Client, which allows flexible user authentication configurations (for example, which authentication type should be used for which SAP application server).
14
06/2011
1 What is Secure Login?
Authentication Methods Secure Login supports several authentication methods. It uses the Java Authentication and Authorization Service (JAAS) as a generic interface for the different authentication methods. For each supported method, there is a corresponding configurable JAAS module. The following authentication methods are supported:
Microsoft Active Directory Service (ADS) RADIUS RSA SecurID token LDAP SAP ID-based logon SAP NetWeaver AS Java User Management Engine SAP NetWeaver AS Java SPNego
Workflow with X.509 Certificate Request The following figure shows the principal workflow and communication between the individual components.
Figure: Principal Workflow 1.
Upon connection start, the Secure Login Client gets the SNC name from the desired SAP server system.
2.
The Secure Login Client uses the client policy for this SNC name.
3.
The Secure Login Client receives the user login credentials.
06/2011
15
1 What is Secure Login?
4.
The Secure Login Client generates a certificate request.
5.
The Secure Login Client sends the user credentials and the authentication request to the Secure Login Server.
6.
The Secure Login Server forwards the user credentials to the authentication server and receives a response indicating whether the user credentials are valid or not.
7.
If the user credentials are valid, the Secure Login Server generates a user certificate (certificate response) and provides it to the Secure Login Client.
8.
Secure Login Client provides the certificate to SAP GUI.
9.
The user certificate is used to perform an authentication, single sign-on, and secure communication between SAP client and server.
1.4 Instances The Secure Login instances feature allows multiple instances running on the same server. The main advantage of using instances is that the time spent on maintaining Secure Login is reduced to a minimum. Secure Login Server instances can use a common user CA certificate for one or more instances, or you can set an individual user CA certificate (PKI) for each instance. The Secure Login Client authentication profiles can be configured to use different Secure Login Server instances for different authentication methods.
Figure: Instances Examples
It is still possible to use several Secure Login Servers and/or authentication servers for failover. The Secure Login Server can connect to more than one authentication server.
16
06/2011
1 What is Secure Login?
1.5 PKI Structure There are different integration scenarios available for Secure Login Server.
Out-of-the-Box PKI Secure Login Server Secure Login Server provides standard X.509 certificates for users (short term) and application server (long term). The following out of the box PKI structure can be delivered with the Secure Login Server.
Figure: Secure Login Server PKI Structure
PKI Integration As the Secure Login Server is based on industry standard X.509v3, it is possible to integrate the Secure Login Server to an existing PKI. The required minimum is to provide a user CA certificate to the Secure Login Server.
Figure: Secure Login Server Integration with an Existing PKI
06/2011
17
1 What is Secure Login?
1.6 Secure Communication The goal of the Secure Login solution is to establish secure communication between all required components:
Figure: Secure Communication
Technology Used for Secure Communication Technology used for secure communication
18
From
To
Security Protocol / Interface
SAP GUI
SAP NetWeaver
DIAG/RFC (SNC)
Business Explorer
SAP NetWeaver
DIAG/RFC (SNC)
Business Client
SAP NetWeaver
DIAG/RFC (SNC), HTTPS
Web GUI
SAP NetWeaver
HTTPS (SSL)
Secure Login Client
Secure Login Server
HTTPS (SSL)
Secure Login Server
LDAP Server
LDAPS (SSL)
Secure Login Server
SAP NetWeaver
RFC (SNC)
Secure Login Server
RADIUS Server
RADIUS (shared secret)
06/2011
1 What is Secure Login?
1.7 Policy Server Overview Secure Login Client configuration is profile-based. You can configure the application contexts to provide a mechanism for automatic application-based profile selection. The system then searches the application contexts for specific personal security environment universal resource identifiers (PSE URIs). If no matching PSE URI is found, a default application context that links to a default profile can be defined. The application contexts and profiles are stored in the Microsoft Windows Registry of the client. You define these parameters in the XML policy file.
Figure: Default Application Context and Profile
06/2011
19
1 What is Secure Login?
1.8 Secure Login Web Client Secure Login Web Client is a feature of the Secure Login Server. It is a Web-based solution for the authentication of users in Web browsers (in portal scenarios) on a variety of platforms and for launching SAP GUI with SNC security. You also use it for authentication against SAP NetWeaver Web Application Server. This means that the client is no longer limited to Microsoft Windows, but Mac OS X, and Linux-based client systems can be used as well. Another use case is providing short term certificates to external employees (for example, to external consultants). The following main features are available:
Browser-based authentication (including all authentication server support) Support for SAP GUI for Microsoft Windows and SAP GUI for Java Certificate store support for Microsoft Internet Explorer and Mozilla Firefox browser URL redirect X.509 authentication support to SAP Web application server Localization and customization of HTML pages and applet messages
Differences between Secure Login Client and Secure Login Web Client:
With Secure Login Client the required security library is available. With Secure Login Web Client the security library needs to be downloaded in a Web browser application. With Secure Login Client, the authentication process and secure communication can be triggered on demand (for example, in SAP GUI). The Secure Login Web Client triggers an authentication process and secure communication. After the authentication process, the Secure Login Web Client starts the SAP GUI.
1.8.1 Export Restrictions At the start of the Secure Login Web Client, it transfers components that are required for authentication and for a secure network connection from the server to the client. The Secure Login Web Client contains components with cryptographic features for authentication and for a secure server/client network connection. Under German export control regulations, these components are classified with ECCN 4D003. If server and client are not located in the same country a transfer takes place that requires compliance with applicable export and import control regulations. If the Secure Login Server and the Secure Login Web Client are installed in different countries, you are obliged to make sure that you abide by the export and import regulations of the countries involved.
20
06/2011
2 Secure Login Server Installation
2 Secure Login Server Installation This chapter describes how to install Secure Login Server. The installation can be done using the Telnet application or with the Software Delivery Tool.
2.1 Prerequisites This chapter describes the prerequisites and requirements for the installation of Secure Login Server. The SAP NetWeaver Application Server must be up and running.
Hardware Requirements Secure Login Server
Details
Hard disk space
50 MB of hard disk space HDD space for log files
Random-access memory
1 GB RAM at minimum
Software Requirements Secure Login Server
Details
Application server
SAP NetWeaver CE 7.2 SAP NetWeaver 7.3
Optional: Secure Login Library
The Secure Login Library installation is optional and required for SAP user authentication only. The Secure Login Library will be used to establish secure communication to SAP NetWeaver Application Server ABAP to verify SAP credentials. For operating system support see the Installation, Configuration and Administration Guide of the Secure Login Library.
Secure Login Web Client
Details
Operating systems
Microsoft Windows 7, Vista, XP (32-bit) SUSE Linux Enterprise Desktop 11 Mac OS X 10.5, 10.6
Java
SUN Java 1.5 or higher browser plug-in
Internet browser (32-bit)
Microsoft Internet Explorer 7, 8, 9 Mozilla Firefox 3.6 and higher
06/2011
21
2 Secure Login Server Installation
Supported Authentication Servers Secure Login Server
Details
LDAP server system
Microsoft Active Directory System 2003, 2008 openLDAP
SAP server system
SAP NetWeaver Application Server ABAP 6.20 or higher version
RADIUS server system
RSA Authentication Manager 6.1 and 7.1 freeRADIUS Microsoft Network Policy and Access Services (NPA) Microsoft Internet Authentication Service (IAS)
SAPNetWeaver AS Java User Man agement Engine (UME)
BasicPasswordLoginModule
2.1.1 Secure Login Library The Secure Login Library installation is optional and is required for SAP NetWeaver Application Server user authentication only. The Secure Login Library is used to establish secure communication to SAP ABAP server and to verify SAP credentials. Keep in mind that there are different Secure Login Library software packages available depending on the desired operating system. This document describes the installation for Microsoft Windows and Linux operating system.
Secure Login Library for Microsoft Windows Operating System Step 1 – Copy Library Files Copy the Secure Login Library software for Microsoft Windows to the target SAP NetWeaver Application Server and extract the file SECURELOGINLIB.SAR with the SAPCAR command line tool to the following folder. sapcar –xvf \SECURELOGINLIB.SAR –R \exe\ Example sapcar –xvf D:\InstallSLS\SECURELOGINLIB.SAR –R D:\usr\sap\ABC\J00\exe\
Check if the folder \exe, which is used by Secure Login Library, is included in the Java library path. Verify the Java Library Path (libpath) in the trace file \work\dev_jstart.
22
06/2011
2 Secure Login Server Installation
Step 2 – Environment Variable SECUDIR Set the system environment variable SECUDIR to the following directory: SECUDIR=\sec Example SECUDIR=D:\usr\sap\ABC\J00\sec
Step 3 – Verify Secure Login Library To verify the Secure Login Library, use the snc command:
\exe\snc.exe Example D:\usr\sap\ABC\J00\exe\snc.exe
As a result, you get further information about the Secure Login Library. The test is successful if the version is displayed.
Figure: Verify Secure Login Library with the Command snc
Step 4 – Restart SAP NetWeaver Application Server In an installation under Microsoft Windows, restart the SAP NetWeaver Application Server because the environment variable SECUDIR does not takes effect unless you perform a restart.
06/2011
23
2 Secure Login Server Installation
Secure Login Library for Linux Operating System Step 1 – Copy Library Files Copy the Secure Login Library software for Linux to the target SAP NetWeaver Application Server and extract the file SECURELOGINLIB.SAR with the SAPCAR command line tool to the following folder. sapcar –xvf /SECURELOGINLIB.SAR –R /exe/ Example sapcar –xvf /InstallSLS/SECURELOGINLIB.SAR –R /usr/sap/ABC/J00/exe
Check if the folder /exe, which is used by Secure Login Library, is included in the Java library path. Verify the Java library path (libpath) in the trace file /work/dev_jstart.
Step 2 – Define File Attributes To use shared libraries in a shell, it is necessary to set the file permission attributes with the following command: chmod +rx /exe/snc lib* Example chmod +rx /usr/sap/ABC/J00/exe/snc lib*
Step 3 – Define File Owner Grant access rights to the user account that is used to start the SAP application (for example, adm). Change to the folder /exe/ and use the following command: chown [OWNER]:[GROUP] * Example chown abcadm:sapsys *
Step 4 – Verify Secure Login Library To verify the Secure Login Library use the snc command (with user adm):
/exe/snc Example
24
06/2011
2 Secure Login Server Installation
/usr/sap/ABC/J00/exe/snc
As a result; further information about the Secure Login Library should be displayed. The test is successful if the version is displayed.
Figure: Verify Secure Login Library with the snc Command
06/2011
25
2 Secure Login Server Installation
2.2 Secure Login Server Installation with Telnet 1.) Copy the file SECURE_LOGIN_SERVER00_0.sca to the target SAP NetWeaver Application Server. 2.) Start a Telnet session. telnet localhost 508 Example telnet localhost 50008
3.) Deploy the Secure Login Server package. deploy \SECURE_LOGIN_SERVER0SP_0.sca Microsoft Windows Example deploy D:\InstallSLS\SECURE_LOGIN_SERVER0SP_0.sca The Secure Login Server application will be started automatically. Start the initial configuration described in section 2.6 Initial Configuration Wizard.
List of Useful Telnet Commands List of useful telnet commands Action
Command
Deploy Application
deploy SECURE_LOGIN_SERVER0SP_0.sca
Undeploy Application
undeploy name=SecureLoginServer vendor=sap.com
List Application
list_app | grep SecureLoginServer
Stop Application
stop_app sap.com/SecureLoginServer
Start Application
start_app sap.com/SecureLoginServer
26
06/2011
2 Secure Login Server Installation
2.3 Secure Login Server Installation with JSPM 1.) Copy the file SECURE_LOGIN_SERVER0SP_0.sca to the target SAP NetWeaver Application Server. The target folder location is \\localhost\sapmnt\trans\EPS\in Microsoft Windows \usr\sap\trans\EPS\in Linux /usr/sap/trans/EPS/in
2.) Start the JSPM application (SAP Software Delivery Tool) on SAP NetWeaver Application Server. Microsoft Windows \j2ee\JSPM\go.bat Linux /j2ee/JSPM/go 3.) Log on to SAP NetWeaver AS Java with a user with administration privileges.
06/2011
27
2 Secure Login Server Installation
4.) Choose the New Software Components option.
5.) Select sap.com/SECURE_LOGIN_SERVER.
28
06/2011
2 Secure Login Server Installation
6.) Start the deployment process.
7.) After the deployment finishes, exit the JSPM application.
06/2011
29
2 Secure Login Server Installation
2.4 Secure Login Server Uninstallation This chapter describes how to uninstall Secure Login Server. Uninstall the Secure Login Server in Telnet. 1.) Start a Telnet session. telnet localhost 508 Example telnet localhost 50008 2.) Stop the Secure Login Server application. stop_app sap.com/SecureLoginServer 3.) Undeploy the Secure Login Server package. undeploy name=SecureLoginServer vendor=sap.com
2.5 Updating the Secure Login Server to SP2 In SAP Note 1660519 you find a description that tells you how to update the Secure Login Server to SP1. You see the current version number of the Secure Login Server in the parameter Server Build. The entry REL_1_0_2_20 stands for SP2 (see 3.3.9 Server Status). After the installation, restart the system. During the installation, the following files are deleted: config.properties file userenv.registry Make a backup of these files before you execute an installation. After the installation, copy the files to the relevant directories.
30
06/2011
2 Secure Login Server Installation
2.6 Initial Configuration Wizard After the deployment of Secure Login Server an initial configuration is required. For security reasons, the initial configuration of the Secure Login Server can be performed on local host only (same server computer on which the Secure Login resides). If, however, you want to perform the initialization and configuration from a remote location, you must manually enable this feature by editing the Secure Login web.xml file. For more information, see section 2.6.2 Enable Remote Access for Initial Wizard. If a GUI (for example, Linux without X-Win) is not available, use an SSH localhost tunnel configuration for accessing the wizard. For re information, see section 2.6.3 Configure SSH Tunnel.
2.6.1 Initial Configuration This section describes the initial configuration of the Secure Login Server. Before starting the Initial Configuration Wizard, verify that the Secure Login Server application is running. Start the initial configuration using the browser URL: http://localhost:500/securelogin
Welcome Page In the welcome page a prerequisite check is performed. Verify all prerequisites. If everything is OK, choose Continue.
Figure: Initial Configuration Wizard – Welcome Page
06/2011
31
2 Secure Login Server Installation
Key File for Encryption of Server Credentials The key file is a file on the server with random content and is used to secure password information in configuration files. You can use any kind of file type which is larger than 32 bytes. You must create or copy the file to the desired location on the server and define it in this configuration step. There is a check whether the key file is available. Define the location of the key file. Example: D:\usr\sap\ServerKeyFile\KeyFile.txt
Figure: Initial Configuration Wizard – Key file for server credentials encryption
Keep in mind that, in case the key file is changed or not available, it is not possible to log on to the Secure Login Administration Console. The Secure Login Server does not work anymore and is locked.
After the configuration, choose Next to continue.
32
06/2011
2 Secure Login Server Installation
Administrator Account Define the password for the administration user Admin.
Figure: Initial Configuration Wizard – Administrator Account Entries marked with * are mandatory.
Passwords used in Secure Login Server are restricted by the password policy definition. Passwords cannot be empty Passwords must have a length between 8 to 20 characters Passwords must contain at least one uppercase letter Passwords must contain at least one lowercase letter Passwords must contain at least one digit Passwords must contain at least one special character
After the configuration, choose Next to continue.
06/2011
33
2 Secure Login Server Installation
Create Root CA Certificate Define the parameter for the root CA certificate.
Figure: Initial Configuration Wizard – Create Root CA Entries marked with * are mandatory.
Option
Details
Create a Root CA by providing certificate information
Common Name* Enter the common name of the certificate (CN). Example: Root CA SAP Security Organization Unit Enter the division of the company in this field (OU). Example: SAP Security Department Organization Enter the company name in this field (O). Example: Company xyz Locality Enter the regional information in this field (L). Example: Walldorf Country Enter the country abbreviation in this field (C). Example: DE Encryption Key Length Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
34
06/2011
2 Secure Login Server Installation
Valid From* Enter the date from when the validity of this certificate starts (format: YYYY-MM-DD). Valid To* Enter the date when the validity of this certificate ends (format: YYYY-MM-DD). Password* In this field you enter the password for this certificate. The password length is limited to 20 characters. Save Password If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date. Confirm Password* Confirm the encryption password entered in the field above. Import an Existing Key Store File
Checking this option displays the following options:
KeyStore File* Click Browse… to locate and load an existing KeyStore file (File Format is: *.pse). Password* The password for the KeyStore (PSE) file. Save Password If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date. Skip this certificate
Check this option if you do not want to or do not need to enter any information for this specific certificate at this time.
Skip all PKI certificates
Check this option if you do not want to or do not need to enter information for any certificate at this time. This means you skip all the PKI certificates including the Root CA, SSL CA, SSL Server, and User CA certificates. You can create or add certificate information at a later time in the Certificate Management function of the Administration Console.
After the configuration, choose Next to continue.
06/2011
35
2 Secure Login Server Installation
Select the SSL Certificate Generation Type Choose an option for the SSL certificate.
Figure: Initial Configuration Wizard – Select the SSL Certificate Generation Type It is possible to install or import SSL certificates later on using the administration console Certificate Management. For more information, see section 3.3.3 Certificate Management.
Option
Details
Generate an SSL certificate using the Secure Login Administration Console
The SSL certificates for the SAP NetWeaver Application Server (or other Web application server) are created using the Secure Login Administration Console.
Skip all SSL certificates
Check this option if you do not want to or do not need to enter information for SSL certificates at this time.
After having chosen an option configuration, choose Next to continue.
36
06/2011
2 Secure Login Server Installation
Create SSL CA Certificate This step is optional and is only available if the option Generate an SSL certificate using the Secure Login administration console was chosen.
Figure: Initial Configuration Wizard – Create SSL CA Information Entries marked with * are mandatory.
Option
Details
Create a SSL CA by providing certificate information
Common Name* Enter the common name of the certificate (CN). Example: SSL CA SAP Security Organization Unit Enter the division of the company in this field (OU). Example: SAP Security Department Organization Enter the company name in this field (O). Example: Company xyz Locality Enter the regional information in this field (L). Example: Walldorf Country Enter the country abbreviation in this field (C). Example: DE Encryption Key Length Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
06/2011
37
2 Secure Login Server Installation
Valid From* Enter the date when the validity of the certificate starts (format: YYYY-MM-DD). Valid To* Enter the date when the validity of the certificate ends (format: YYYY-MM-DD). Password* Enter the password for this certificate in this field. The password length is limited to 20 characters. Save Password If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date. Confirm password* Confirm the encryption password entered in the field above. Import an Existing Key Store File
Checking this option displays the following options:
KeyStore File* Click Browse… to locate and load an existing Key Store File (file format: *.pse). Password* The password for the KeyStore (PSE) file. Save Password If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date. Skip this certificate
Check this option if you do not want to or do not need to enter any information for this specific certificate at this time.
After the configuration, choose Next to continue.
Create SSL Server Certificate This step is optional and is only available if you chose the option Generate an SSL certificate using the Secure Login administration console.
38
06/2011
2 Secure Login Server Installation
Figure: Initial Configuration Wizard –SSL Server Information Entries marked with * are mandatory.
Option
Details
Create an SSL server by providing certificate information
Common Name* Enter the common name of the certificate (CN). Example: Alias Server Name Organization Unit Enter the division of the company in this field (OU). Example: SAP Security Department Organization Enter the company name in this field (O). Example: Company xyz Locality Enter the regional information in this field (L). Example: Walldorf Country Enter the country abbreviation in this field (C). Example: DE Subject Alternative Names (DNS) Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example:
[email protected] Encryption Key Length Select the encryption key length for the server (512,
06/2011
39
2 Secure Login Server Installation
1024, 1536, 2048, 3072, or 4096 bits). Valid From* Enter the date when the validity of the certificate starts (format: YYYY-MM-DD). Valid To* Enter the date when the validity of the certificate ends (format: YYYY-MM-DD). Password* In this field, you enter the password for this certificate. The password length is limited to 20 characters. Save Password If this checkbox is activated, this password will be stored. This means that you do not need to remember the password when editing this certificate at a later date. Confirm Password* Confirm the encryption password entered in the field above. Import an Existing Key Store File
Checking this option displays the following options:
KeyStore File* Click Browse… to locate and load an existing KeyStore file (file format: *.p12). Password* The password for the KeyStore file. Save Password If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date. Skip this certificate
Check this option if you do not want or do not need to enter any information for this specific certificate at this time.
After the configuration, choose Next to continue.
40
06/2011
2 Secure Login Server Installation
Create User CA Certificate Define the parameter for the user CA certificate.
Figure: Initial Configuration Wizard –User CA Information Entries marked with * are mandatory.
Option
Details
Create a user CA by providing certificate information
Common Name* Enter the common name of the certificate (CN). Example: User CA SAP Security Organization Unit Enter the division of the company in this field (OU). Example: SAP Security Department Organization Enter the company name in this field (O). Example: Company xyz Locality Enter the regional information in this field (L). Example: Walldorf Country Enter the country abbreviation in this field (C). Example: DE Encryption Key Length Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
06/2011
41
2 Secure Login Server Installation
Valid From* Enter the date when the validity of the certificate starts (format: YYYY-MM-DD). Valid To* Enter the date when the validity of the certificate ends (format: YYYY-MM-DD). Password* In this field you enter the password for this certificate. The password length is limited to 20 characters. Save Password If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date. Confirm Password* Confirm the encryption password entered in the field above. Import an Existing Key Store File
Checking this option displays the following options:
KeyStore File* Click Browse… to locate and load an existing KeyStore file (file format: *.pse). Password* The password for the KeyStore (PSE) file. Save Password If this checkbox is activated, this password will be stored. This means that you do not need to remember the password when editing this certificate at a later date. Skip this certificate
Check this option if you do not want or do not need to enter any information for this specific certificate at this time.
After the configuration, choose Next to continue.
42
06/2011
2 Secure Login Server Installation
Define Server Configuration Define the parameters for the User Certificate Configuration and Application Information. The other configuration parameters are read-only (for verification reasons).
Figure: Initial Configuration Wizard – Server Configuration Entries marked with * are mandatory.
Option
Details
User Certificate Configuration
DN.country Enter the country abbreviation in this field (C). Example: DE DN.locality Enter the regional information in this field (L). Example: Walldorf DN.organization Enter the company name in this field (O). Example: Company xyz DN.organizationalUnit Enter the division of the company in this field (OU). Example: SAP Security Department ValidityMinutes* Information for a temporary certificate: The period of time (in minutes) that the user certificate is valid.
06/2011
43
2 Secure Login Server Installation
Application Information
ServerHostName FQDN name or IP address of this server. This parameter is used for the client policy definition and can be used for centrally changing the server host name and the server port in the instance configuration of the Secure Login Server. ServerPort Port of this server. This parameter is used for the client policy definition and can be used for central change.
Authentication Server Configuration (read-only)
AuthConfigPath Authentication server configurations file for the Secure Login Server.
Secure Login User CA Key Store (read-only)
PseName The user CA key store file path. If you created a user CA in the previous step, the file path is shown here.
Log Configuration (read-only)
DailyLogDir In this log path the user authentication information for the default instance is logged. (for example, the user authentication was successful) MonthlyLogDir In this log path the instance information for the default instance is logged. (for example, the default instance was started successful) AdminConsoleLogDir In this log path the admin console information for the Secure Login Administration Console is logged. (for example, the default instance configuration was changed) LockDir The path to which the lock file is saved. A lock file is created when the server encounters an internal error that requires manual intervention.
After the configuration, choose Next to continue.
44
06/2011
2 Secure Login Server Installation
Setup Review Verify the action points and choose the Finish pushbutton to complete the initial wizard configuration.
Figure: Initial Configuration Wizard –Setup Review
Finish Setup After successful setup configuration this page appears. Restart the Secure Login Server application.
Figure: Initial Configuration Wizard – Congratulations Use the Telnet application to stop and start the Secure Login Server application (for more information, see section 2.2 Secure Login Server Installation with Telnet). Another possibility in the Microsoft Windows environment is to use the SAP Management Console (sapmmc) application. Under AS Java Components, choose the application sap.com/SecureLoginServer and restart the application.
06/2011
45
2 Secure Login Server Installation
Microsoft Windows SAP Management Console In Microsoft Windows environment the SAP Management Console (sapmmc) can be used to restart the Secure Login Server application. Mark the application sap.com/SecureLoginServer and choose the option Restart (right-click option).
Figure: SAP Management Console (sapmmc)
46
06/2011
2 Secure Login Server Installation
2.6.2 Enable Remote Access for Initial Wizard This configuration step is optional and is only required if you want to perform the initial configuration from a remote computer. For security reasons we recommend performing the initial configuration on the local host (same server computer on which the Secure Login Server resides).
In the configuration file web.xml, change the value to true for the parameter remoteAccess. web.xml remoteAccess true
The configuration file web.xml is available in the following place: Microsoft Windows \j2ee\cluster\apps\sap.com\SecureLoginServer\se rvlet_jsp\securelogin\root\WEB-INF\web.xml Linux /j2ee/cluster/apps/sap.com/SecureLoginServer/se rvlet_jsp/securelogin/root/WEB-INF/web.xml It is required to restart the Secure Login Server application.
06/2011
47
2 Secure Login Server Installation
2.6.3 Configure SSH Tunnel This configuration step is optional and belongs to the Linux environment if no GUI is available. The localhost configuration can be performed using for example, PuTTY Configure the following parameter and choose Add. Example: SSH tunnel configuration in PuTTY Parameter
Value
Source Port
500
Example: 50000
Destination
localhost:500
Example: localhost:50000
After the SSH tunnel configuration, log on to this connection and perform the initial configuration. For more information, see section 2.6 Initial Configuration Wizard.
48
06/2011
3 Administration
3 Administration This chapter describes the configuration parameters in Secure Login Server.
3.1 Logon to Administration Console To open the administration console, enter the following URL in a Web browser: Communication
URL
Unsecured
http://:500/securelogin
Secured
https://:5/securelogin
You find the https port in the SSL setting of the SAP NetWeaver configuration. The port number is usually 50001 (corresponds to 01 in the table above). The logon page appears.
Figure: Administration Console – Logon Page Enter your administration user name (for example, Admin) and your password. Authentication type
Details
Local Login
Default user name/password combination authenticated in the administration console database.
External Login
User name/password combination authenticated in the authentication server database set in the JAAS module. Example: You can use the Microsoft Active Directory user database for logging on to the Secure Login Server administration console. For more information about the configuration, see section 3.3.2
06/2011
49
3 Administration
Authentication type
Details Edit Login Type Setting.
3.2 Welcome Page After successful logon, the welcome page appears. This page also appears when you click on Home.
Figure: Administration Console – Welcome Page The administration console interface allows you to easily configure the server to your needs. The main area is split into three panes:
The top left-hand pane lists any tasks that have yet to be performed. For example, Connection must be HTTPS refers to the missing SSL connection between the console and the Secure Login Server, or Server needs to be restarted informs you that the configuration has been changed, and you need to restart the Secure Login Server application for it to take effect. The bottom left-hand pane is the main navigation tree. For easy reference, each node represents tasks that can be performed within the Secure Login Server framework. The right-hand pane displays the details of any node selected in the left-hand pane. In the top right-hand corner there are three entries that appear on every page in the console: Change Password This allows you to change the password for the current administrator/user account. Logout Use this link to logout of the console. The login page will reappear (see previous page).
50
06/2011
3 Administration
About Click this to view version information about the console.
You may be asked to re-enter your user name and password if you leave the administration console for a long time. The default console timeout is 10 minutes.
3.2.1 Change Password This section describes how to change the account password for the administration console. 1. Choose Change Password in the title bar on any page. 2. The following dialog box appears:
Figure: Change Password 3. Enter the current password into the Old Password field. 4. Enter and confirm the new password into the fields New Password and Confirm New Password respectively. 5. Click OK
The user admin is a permanent user that has the role super user and cannot be deleted. As a consequence, the admin user can log on to the system regardless of state (when a serious system error occurs), making sure that there is at least one user who can always access Secure Login to correct or configure the system.
06/2011
51
3 Administration
3.3 Server Configuration This section describes the server configuration page of the administration console. The Server Configuration page allows you to do the following:
View the server configuration. Edit some of the server parameters.
Choose the Server Configuration node in the left-hand pane of the administration console. The following page appears:
Figure: Administration Console - Server Configuration
The following options can be viewed on this page:
52
06/2011
3 Administration Option
Details/Value
Edit
Click Edit to change the Administration Console Description, Trace Configuration, and Client Configuration. For more information, see section 3.3.1 Edit Server Configuration.
Description
The description of this administration console.
Console Login Type
The current types of authentication available for log on to the administration console. The configuration can be changed using the button Edit Login Type. For more information, see section 3.3.2 Edit Login Type Setting.
External Login JAAS Module
The current JAAS module used for External Login authentication to the Administration Console. For further information see section 3.3.2 Edit Login Type Setting.
The Authentication File Path (read-only)
The authentication configuration file used by this server. This configuration is for information purposes only.
Trust Certificates Storage File (read-only)
The Trust Store file (TrustStore.jks) used by this server.
Console Log Directory (read-only)
The directory in which the console log file is located.
Console Log Prefix (read-only)
The file prefix for the console log file.
Enable Server Trace
Enable Secure Login Server trace to provide extended traces. true Trace enabled false Trace enabled Default value is false.
Path to the Server Lock File (read-only)
Path where the lock files are written. A lock file is generated if something went wrong with the Secure Login Server. In this case the Secure Login Server is locked.
Host Server Domain Name
The host name or IP of the computer from which the console is being used for the Secure Login Client policy configuration (for all client policy URLs).
Port
The port of this computer from which the console is being used for the Secure Login Client policy configuration (for all client policy URLs). We recommend that you use an HTTPS (SSL) port.
CREDDIR (read-only)
The directory in which the credentials are stored for the Secure Login Library.
NativeLibraryPath (read-only)
The directory where native libraries are stored for the Secure Login Library.
06/2011
53
3 Administration
3.3.1 Edit Server Configuration Use the Edit button and the following page appears.
Figure: Administration Console – Edit Server Configuration The following options can be set: Option
Details/Value
Description
Here you can personalize the description for the administration console.
Enable Server Trace
true Write trace messages to the application server trace file (defaultTrace_*.log). false Do not write trace messages to the application server trace file.
Host Server Domain Name
The host name or IP of the computer from which the console is being used.
Port
The port of the computer from which the console is being used. We recommend that you use an HTTPS (SSL) port.
Once you have changed any option, click Save to return to the Server Configuration page.
54
06/2011
3 Administration
3.3.2 Edit Login Type Setting Use the Edit Login Type button, and you get to the page that allows you to configure, delete, or add the following login types: Local Login Default user name/password combination authenticated with the administration console database. External Login User name/password combination authenticated in the authentication server database set in the JAAS module. If this option is used, select the appropriate JAAS module in the External Login Jaas Module combo box. 1. To add a login option to the administration console login page, proceed as follows: 2. Select a login type from the All Login Type field and choose >>Add. As a consequence, it appears in the Current Login Type field. 3. Use the Up and Down buttons to move a login option up or down and thus define its priority. 4. To delete a login option from the administration console login page, select a login type from the Current Login Type field and choose
