Believe in a higher level of IT security SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
Copyright © 2010 SECUDE AG. All Rights Reserved. This SECUDE-branded software and its corresponding documentation is the exclusive property of SECUDE AG of Emmetten, Switzerland and is protected under the various copyright laws around the world and by various other intellectual property laws. Use of this software and/or its documentation and any copying thereof by end users is subject to the terms of a license agreement with SECUDE AG. The wrongful use or copying of this software and/or documentation subjects infringers to both criminal and civil liabilities. The SECUDE and FinallySecure trademarks are owned by SECUDE AG, protected internationally and used by SECUDE AG pursuant to an exclusive license. All other trademarks, service marks, and trade names referenced herein are the property of their respective owners. ANY USE, COPYING, REPRODUCTION, ALTERATION, TRANSMISSION, OR TRANSLATION OF THESE MATERIALS, IN WHOLE OR IN PART, IN ANY FORM OR BY ANY MEANS, IS STRICTLY PROHIBITED WITHOUT THE PRIOR WRITTEN PERMISSION OF SECUDE AG. IF THIS MATERIAL IS PROVIDED WITH SOFTWARE LICENSED BY SECUDE, THE INFORMATION HEREIN IS PROVIDED SUBJECT TO THE TERMS OF THE WARRANTY PROVIDED WITH THE PRODUCT LICENSE. IF THIS MATERIAL IS NOT PROVIDED WITH LICENSED SOFTWARE, THE INFORMATION HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN EITHER CASE, THERE ARE NO OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR QUALITY. IN NO EVENT SHALL SECUDE AG OR ANY OF ITS AFFILIATES BE LIABLE FOR ANY DIRECT OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE MATERIALS AND/OR INFORMATION CONTAINED HEREIN. Some jurisdictions do not allow the exclusion of implied warranties, so the above exclusion may not apply to you. 
SECUDE AG takes reasonable measures to ensure the quality of the data and other information produced herein. However, these materials may contain technical inaccuracies or typographical errors, and are not guaranteed to be error-free. Information may be changed or updated without notice. SECUDE AG has no obligation to update these materials based on changes to its products or services or those of third parties. SECUDE AG may also make improvements or changes to the products or services described in this information at any time without notice. SECUDE AG frequently releases new versions of its software and updates them. Therefore, images shown in this document may be slightly different from what you see on your screen. As with any security product, SECUDE AG highly recommends the back up of data as well as passwords on a regular basis. SECUDE AG is not responsible for the loss of passwords or data that cannot be retrieved based upon a user's failure to adhere to stringent backup and safe-keeping conventions.
SECUDE AG
Bergegg 1
6376 Emmetten, NW
Switzerland
P: +41 (0) 44 575 19-00
F: +41 (0) 44 575 19-75

SECUDE IT Security GmbH
Goebelstrasse 21
64293 Darmstadt
Germany
P: +49 (0)6151 82897-0
F: +49 (0)6151 82897-26

SECUDE IT Security, LLC
380 Sundown Drive
Dawsonville, GA 30524
USA
P: +1 (706) 216 8609
F: +1 (706) 216 4696

Sales Europe: [email protected]
Sales US: [email protected]
Support Europe: [email protected]
Support US: [email protected]
Documentation: [email protected]
www.secude.com
www.finallysecure.com
Table of Contents

1 What is SECUDE Secure Login? ... 11
2 System Overview ... 12
2.1 System Overview with PKI ... 13
2.1.1 Main System Components ... 13
2.1.2 Authentication Method ... 13
2.1.3 Workflow ... 14
2.1.4 Secured Communication for SAP ... 15
2.2 System Overview with SECUDE Secure Login Server ... 16
2.2.1 Main System Components ... 16
2.2.2 Authentication Method ... 17
2.2.3 Instances ... 18
2.2.4 PKI Structure ... 19
2.2.5 Workflow ... 20
2.2.6 Secure Communication ... 21
2.3 Methods of Authentication in SECUDE Secure Login ... 22
2.3.1 Active Directory Server (ADS) Authentication ... 23
2.3.2 RADIUS / RSA Authentication ... 24
2.3.3 SAP ID Authentication ... 25
2.3.4 SAP Logon Ticket Authentication ... 28
2.3.5 SQL Database Authentication ... 28
2.4 Policy Server Overview ... 30
2.5 Secure Login Web Client ... 31
3 Server Installation, Configuration, and Removal ... 32
3.1 Prerequisites ... 33
3.1.1 Hardware Requirements ... 33
3.1.2 Software Requirements ... 33
3.2 Preparing the Server for Installation ... 34
3.3 Installation Procedure for Apache Tomcat-based Server Installations ... 35
3.3.1 Option to Configure SSL in Tomcat ... 36
3.3.2 Test the SSL Connection for Tomcat ... 36
3.3.3 Single Sign-On for the Administration Console (Tomcat Only) ... 37
3.4 Installation Procedure for BEA Weblogic-based Server Installations ... 40
3.5 Installation Procedure for SAP NetWeaver-based Server Installations ... 42
3.5.1 Configure the System Environment (only for SAP ID-Based Logon) ... 43
3.5.2 Configure the Authentication Server in SAP NetWeaver ... 49
3.5.3 Test the SSL Connection ... 53
3.6 Initialization and Configuration for ADS, LDAP, RADIUS, SAP ID, SAP Ticket, and Database Module ... 54
3.6.1 Step 1 – Initial Installation ... 54
3.6.2 Step 2 – Server-Specific Quick Initialization ... 56
3.6.3 Step 2 – Multiple Authentication Server Initialization – Expert Mode (Wizard) ... 63
3.6.4 Step 3 – Configure Authentication Server Communication ... 84
3.6.5 Step 4 – Test SECUDE Secure Login Server ... 90
3.7 Remove SECUDE Secure Login Server ... 91
3.7.1 Remove SECUDE Secure Login Server – Tomcat ... 91
3.7.2 Remove SECUDE Login Server – BEA Weblogic ... 92
3.7.3 Remove SECUDE Secure Login Server – SAP NetWeaver ... 92
4 Client Installation, Configuration, and Removal ... 94
4.1 Prerequisites ... 95
4.1.1 Hardware Requirements for SECUDE Secure Login Client ... 95
4.1.2 Software Requirements for SECUDE Secure Login Client ... 95
4.2 SECUDE Secure Login Client Preparation ... 96
4.3 Client Rollout ... 97
4.3.1 Installation ... 98
4.3.2 Command Line Options to Influence the MSI Setup ... 103
4.4 Remove SECUDE Secure Login Client ... 106
5 Secure Login plus Web Client – Installation, Usage, and Removal ... 109
5.1 Prerequisites ... 110
5.2 Preparing the Server for Installation ... 111
5.3 Install and Configure the Web Client ... 112
5.3.1 Web Client Installation on Tomcat ... 112
5.3.2 Web Client Installation on NetWeaver ... 114
5.4 Use the Web Client ... 115
5.4.1 Configure SSL Trust for the Web Client Java Applet ... 116
5.5 Remove the Web Client ... 117
6 Administration ... 119
6.1 Administration Console ... 119
6.1.1 Open the Console ... 119
6.1.2 Change the Administrator/User Password ... 122
6.1.3 Server Configuration ... 124
6.1.4 Certificate Management ... 128
6.1.5 Authentication Management ... 131
6.1.6 TrustStore Management ... 141
6.1.7 Certificate Template ... 143
6.1.8 System Check ... 149
6.1.9 Backup/Restore ... 150
6.1.10 Change Language ... 155
6.1.11 Message Setting ... 156
6.1.12 SSS&JCO Installation ... 158
6.1.13 Server Status ... 162
6.1.14 Sign Certificate Requests ... 163
6.1.15 Console Log Viewer ... 165
6.1.16 Web Client Configuration ... 166
6.2 Email Report&Alert Configuration ... 177
6.3 Instance Management ... 178
6.3.1 Instance Configuration ... 179
6.3.2 Customizing With User-Defined Properties ... 181
6.3.3 Client Configuration ... 183
6.3.4 Instance Log Management ... 192
6.3.5 Instance Check ... 196
6.3.6 Instance Status ... 197
6.4 Console Users ... 198
6.4.1 User Management ... 199
6.4.2 Role Management ... 202
6.4.3 Locked Files Management ... 205
6.5 Other Administration Features ... 206
6.5.1 Status Query via an Internet Browser ... 206
6.5.2 Secure Login Web Service ... 207
6.5.3 Status Query XML Interface ... 209
7 Troubleshooting ... 211
7.1 How to use Unlimited Key Length Policies ... 212
7.2 Log Files ... 213
7.2.1 Daily Log File ... 213
7.2.2 Monthly Log File ... 215
7.3 Turning Tracing On/Off ... 215
7.4 SECUDE Secure Login Server Lock and Unlock ... 216
7.5 Setting the Correct Environment Variables for SAP ID-Based Logon ... 217
7.6 Problems with the Client URL ... 218
7.7 Implement an SSL.PSE-Based TrustStore for HTTPS ... 218
7.8 'Access Denied' Replies ... 219
7.9 Why the Secure Login Instance/Server is Locked ... 219
7.10 Password Expiry Warnings on Sun LDAP (1) ... 220
7.11 Password Expiry Warnings on Sun LDAP (2) ... 220
7.12 Secure Login Server Cannot Establish an SNC Connection to the SAP Server ... 221
7.13 Administration Console Pages Appear 'broken' ... 221
7.14 Problem Loading the GSS Library (SAP-ID Module) ... 222
7.15 Blank Page when Logging into the Secure Login Administration Console ... 223
7.16 Users Cannot be Successfully Authenticated to any JAAS Module ... 227
7.17 Enable Remote Access to Initialize and Configure Secure Login Server ... 229
7.18 Problems Accessing the Administration Console or the Web Client via Firefox ... 229
7.19 Error Message when viewing Certificate Details using Firefox 3 ... 230
8 Error and Return Codes ... 231
8.1 ADS Authentication Errors ... 232
8.2 RSA Authentication Errors ... 232
8.3 SAP ID Error Codes and Return Codes ... 232
8.3.1 Authentication-based Codes ... 232
8.3.2 Password Change Related Codes ... 233
8.3.3 Connectivity Related Codes ... 233
8.4 Stacktrace Error Codes ... 234
8.5 Common Errors ... 236
8.6 CERT Errors ... 237
8.7 PSE Errors ... 237
9 Appendix ... 238
9.1 Client Policy ... 239
9.1.1 ClientPolicy.xml File Registry Keys and Values ... 239
9.1.2 ClientPolicy.xml File Example ... 240
9.1.3 Wildcards in Distinguished Names for the PSEURI Attribute ... 244
9.1.4 Configuring Secure Login with Microsoft Group Policies ... 245
9.2 Configurable Properties ... 246
9.2.1 Files that Contain Configurable Properties ... 246
9.2.2 Web.xml File ... 247
9.2.3 Configuration.properties File ... 248
9.2.4 JAAS Module Configuration Files ... 253
9.2.5 Files for Server Message Configuration ... 262
9.3 Secure Login Client Registry Values ... 264
9.4 Key Usage Reference ... 266
10 List of Abbreviations ... 267
Preface

About this Manual
This manual describes the administration tasks necessary to install, configure, and run SECUDE Secure Login 5.1.1.

Target Audience
This manual is targeted at the system and security administrators responsible for the installation and maintenance of Secure Login. It is necessary to have the following knowledge to complete the tasks set in this manual:
- Security knowledge

For a list of hardware and software requirements for the Secure Login Client installation, refer to section 4.1 on page 95. For a list of hardware and software requirements for the Secure Login Server installation, refer to section 3.1 on page 33.

Related Documentation
The following documentation is available for SECUDE Secure Login:
- This manual
- The SECUDE signon&secure Server installation manual
- SECUDE Secure Login 5.1 Release notes
- Secure Network Communications, SNC User Manual, version 1.2; SAP AG; Walldorf
Contents
This manual contains the following chapters:
- Chapter 1 'What is SECUDE Secure Login?', on page 11: This chapter presents Secure Login.
- Chapter 2 'System Overview', on page 12: This chapter provides an overview of the overall system architecture and the principal workflow. It also details the specific system architecture and workflow for the authentication methods supported by Secure Login: ADS, RADIUS/RSA, and SAP ID-based logon.
- Chapter 3 'Server Installation, Configuration, and Removal', on page 32: This chapter describes the installation of the SECUDE Secure Login Server.
- Chapter 4 'Client Installation, Configuration, and Removal', on page 94: This chapter describes the configuration and installation of the SECUDE Secure Login Client.
- Chapter 5 'Secure Login plus Web Client – Installation, Usage, and Removal', on page 109: This chapter details the SECUDE Secure Login Web Client.
- Chapter 6 'Administration', on page 119: This chapter details how to monitor the SECUDE Secure Login Server.
- Chapter 7 'Troubleshooting', on page 211: This chapter describes the SECUDE Secure Login Server features for logging and error recovery.
- Chapter 8 'Error and Return Codes', on page 231: This chapter describes error and return codes, their meaning, and possible corrections.
- Chapter 9 'Appendix', on page 238: This chapter contains various advanced details an administrator may need to configure Secure Login.
- Chapter 10 'List of Abbreviations', on page 267: This chapter lists the abbreviations used in the manual.

A glossary and index are provided at the end of this manual.
Conventions used in this Manual

Style: Meaning
Bold: Emphasis; Defined terms
Italics: References – especially when referring to another manual's title; Application or company names – such as Windows or SECUDE; Important information appearing in notes, warnings, and hints
Monospace: Package names; Filenames and directory names; XML element names and attribute names; Method names; Variables; Parameters; Code examples
Monospace italics: Replaceable elements within user input
Monospace bold: Main element in a syntax description
Initial Capital Letters: Tool names; Product names; Code elements (i.e. XML)
[Square brackets]: Options within a syntax description
…|…: "or" within a syntax description
Blue text: Elements of the graphical user interface; Action sequences such as "Menu>Submenu" or "select Option X"; Internet links; Cross references such as "see section 2.1"
Icons and Step Indication in this Manual

Notes
Notes contain detailed information about a topic and are of direct importance to the subject at hand. Notes are displayed in italic text, with a pen/paper icon to the left of the text body.

Warnings
A warning will contain information about circumstances, parameters, and so on that MUST be fulfilled. Failure to comply will have consequences for the current operation. Warnings are displayed in italic text with a warning icon to the left of the text body.

Hints
Hints contain useful information about the operation of the application. Hints are displayed in italic text, with a light bulb icon to the left of the text body.

Steps/Procedures
Procedures indicate the steps necessary to perform a task. They are displayed in normal text, with a light grey background.
Contacting Technical Support
For technical assistance contact SECUDE Support:
Phone: +49 (0)6151 82897 33
Fax: +49 (0)6151 82897 26
E-mail: [email protected] (Europe and Asia), [email protected] (USA)
Web: http://www.secude.com/htm/338/en/Support.htm

When you want to open a support case, please provide as much of the following information as possible (error information needed by support will vary between products):
- Name (customer or partner) and contract number
- Name of SECUDE product plus version and service pack
- Involved and relevant third-party products plus versions
- The hardware on which the product is running plus Operating System + service pack
- Date, time, and description of the error
- Is the error reproducible? If yes, state the steps necessary to reproduce the error
- Corresponding log files generated during operation
- Any other information necessary to reproduce the error
- Error priority:

Priority: Description
Critical: Loss of data within SECUDE application, severe memory leak, application crashes.
Major: The SECUDE application has a major loss of functionality.
Normal: The SECUDE application loses some functionality without a severe impact on the overall stability or data integrity.
Minor: The SECUDE application suffers minor functionality loss, or other problems in which an easy workaround is present.
Trivial: 'Look and feel' problems such as misspelled words or misaligned text.
Enhancement: Request for an enhancement to the SECUDE application.
1 What is SECUDE Secure Login?

Introduction
SECUDE Secure Login is an innovative software solution created specifically to improve user and IT productivity and to protect business-critical data in SAP business solutions through secure single sign-on to the SAP environment. SECUDE Secure Login, together with SECUDE signon&secure, provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components, including but not limited to:
- SAPGUI and SAP NetWeaver platform via Secure Network Communications (SNC)
- Web browsers and SAP Portal (via Secure Socket Layer – SSL)
- Other SAP components such as SAP NetWeaver Java, SAP ITS, SAP Router, SAP LPD

Scope of secure communication
In a standard SAP setup, users enter their SAP user name and password into the SAPGUI logon screen. SAP user names and passwords are transferred through the network without encryption. To help secure networks, SAP provides a 'Secure Network Communications' module (SNC) that enables users to log in to SAP systems without entering a user name or password. The SNC module can also pass calls through a third-party crypto-library to encrypt all communication between the SAPGUI and SAP Server, thus providing secure single sign-on to SAP. SECUDE Secure Login is the third-party crypto-library of choice for SAP. It uses session keys to encrypt the communication, and digital user certificates (X.509) for user authentication.

Authentication mechanisms
SECUDE Secure Login allows you to benefit from the advantages of SNC without the need to set up a Public Key Infrastructure (PKI). SECUDE Secure Login allows users to authenticate via one of the following authentication mechanisms:
- Windows logon information
- RADIUS and RSA Token (one-time password)
- LDAP
- SAP user ID and password
- SAP Logon Ticket
- SQL Database
- Smart card and PIN

If a PKI has already been set up, then the digital user certificates of the PKI can also be used by SECUDE Secure Login. Further authentication mechanisms can be supported on request – please contact SECUDE support.

Access methods
SECUDE Secure Login also helps save time insofar that, through the use of the optional single sign-on, a user does not need to re-authenticate every time a new SAP application is opened or a different SAP Server is used. It also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) via SSL.
2 System Overview

Introduction
This chapter describes the SECUDE Secure Login architecture and concepts that are valid for all product variants.

The product
SECUDE Secure Login is a Client/Server software system integrated with SAP software to facilitate single sign-on, alternative user authentication, and enhanced security for distributed SAP environments. The SECUDE Secure Login Client is split into two variants:
- A stand-alone Client (Windows only). The SECUDE Secure Login Client can either be used with an existing public key infrastructure (PKI) or, together with the SECUDE Secure Login Server, it can be used for certificate-based authentication without having to set up a PKI. The stand-alone SECUDE Secure Login Client can use the following authentication methods:
  - Smart cards and USB tokens with an existing PKI certificate: SECUDE Secure Login Server and Authentication Server are not necessary.
  - Microsoft Crypto Store: SECUDE Secure Login Server and Authentication Server are not necessary.
  - Windows credentials (without user interaction): The user is authenticated via their Windows credentials (user name, domain, password), which the user entered during Windows login. No SECUDE Secure Login dialog box appears to ask for these values.
  - Username and password: The Client prompts for user name and password (e.g. with RSA SecurID) and authenticates with these credentials via the SECUDE Secure Login Server.
  All of these authentication methods can be used in parallel. A policy Server provides profiles that specify how to log in to the intended SAP system.
- A Web Client (via an Internet browser on almost any system). At the heart of the Web Client is a signed Java applet. This means that the Internet browser will display a Java warning prompting you to confirm the certificate with which the applet is signed. If you decide not to trust the certificate, the applet will still run but the warning will reappear when you next log on. If you decide to trust the certificate the warning will not reappear.

The SECUDE Secure Login Web Client has the same authentication methods as the stand-alone Client but with the following limited functionality:
- No single sign-on to SAP
- No policy configuration
- Only one instance can be used at any one time

Sections in this chapter
- Section 2.1 'System Overview with PKI' on page 13
- Section 2.2 'System Overview with SECUDE Secure Login Server' on page 16
- Section 2.3 'Methods of Authentication in SECUDE Secure Login' on page 22
- Section 2.4 'Policy Server Overview' on page 30
2.1 System Overview with PKI
The SECUDE Secure Login Client is integrated with SAP software to provide single sign-on capability and enhanced security. An existing PKI structure can be used to create certificates for user authentication.

2.1.1 Main System Components
The following figure shows the SECUDE Secure Login system environment with the main system components if an existing PKI structure is used:
Figure 2-1 SECUDE Secure Login system environment with existing PKI

Client
The SECUDE Secure Login Client is responsible for the certificate-based login to the SAP application Server and encryption of the SAP Client/Server communication.

Policy Server
The policy Server provides profiles that specify how to log in to the intended SAP system.

2.1.2 Authentication Method
In a system environment without SECUDE Secure Login Server, the SECUDE Secure Login Client supports the following authentication methods:
- Smart cards and USB tokens with an existing PKI certificate
- Microsoft Crypto Store
2.1.3 Workflow
The following figure shows the principal workflow and communication between the individual components:
Figure 2-2 Principal workflow between components

1. Upon connection start, the SECUDE Secure Login Client retrieves the SNC name from the SAP Server.
2. The SECUDE Secure Login Client uses the authentication profile for this SNC name.
3. The SECUDE Secure Login Client receives the authentication data from the user login token.
4. The user unlocks the login token by entering the PIN.
5. The SECUDE Secure Login Client provides the authentication data for SAP single sign-on and secure communication between SAP Client and Server.
6. SAP GUI and NetWeaver Platform use SNC for secure communication. SAP Web Client and SAP EP Server/SAP WAS use SSL for secure communication.
2.1.4 Secured Communication for SAP
Secure communication is established between all system components.
Figure 2-3 Secure communication for SAP

Secure communication between SAP GUI and SAP Server
Communication between the SAP GUI and the SAP NetWeaver Platform is protected using the SECUDE Secure Login Client. This product integrates itself into the network interface of any SAP process through the SAP SNC (Secure Network Communication) module. It enables certificate-based authentication among SAP components. For example, an SAP Client can authenticate itself using its certificate on the SAP application Server, and vice versa. Communication takes place over a secure channel.

Secure communication between Internet Explorer and Web Server
The communication between Microsoft Internet Explorer and a Web Server can be secured using SSL. The Web Server has to authenticate itself to the Web browser with its Server certificate (Server authentication). In addition, the Web browser has to authenticate itself to the Web Server with the user certificate (Client authentication). Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto engines. The SECUDE Crypto Service Provider (SECUDE CSP) is such a plug-in. It provides the user keys to all CAPI-enabled applications.
2.2 System Overview with SECUDE Secure Login Server

Introduction
The SECUDE Secure Login Client/Server system is combined with an Authentication Server and the SAP system to facilitate authentication and to enhance security. Using the SECUDE Secure Login Client/Server system, it is possible to use certificate-based authentication without having to set up a PKI.

Contents
- Section 2.2.1 'Main System Components', on page 16
- Section 2.2.2 'Authentication Method', on page 17
- Section 2.2.3 'Instances', on page 18
- Section 2.2.4 'PKI Structure', on page 19
- Section 2.2.5 'Workflow', on page 20
- Section 2.2.6 'Secure Communication', on page 21

2.2.1 Main System Components
The following figure shows the SECUDE Secure Login system environment with the main system components:
Figure 2-4 SECUDE Secure Login system environment

Client
The SECUDE Secure Login Client is the Client part of the Client/Server system. It is responsible for the certificate-based login to the SAP application Server and encryption of the SAP Client/Server communication.

Server
The SECUDE Secure Login Server is the central Server component that connects all parts of the system. It enables authentication against an Authentication Server and provides the SECUDE Secure Login Client with a temporary certificate. This certificate contains the user data and the public key to authenticate the user to the SAP application Server. The SECUDE Secure Login Server is a pure Java application. It consists of a servlet and a set of associated classes and shared libraries. It runs in a Server environment in combination with an application Server (such as SAP NetWeaver) or a Web Server with a servlet engine (such as Tomcat).

Policy Server
The policy Server provides profiles that specify how to log in to the intended SAP system.
2.2.2 Authentication Method

Introduction
SECUDE Secure Login supports several authentication methods. It uses the Java Authentication and Authorization Service (JAAS) as a generic interface for the different authentication methods. For each supported method, there is a corresponding configurable JAAS module.

Supported Authentication Methods
The following authentication methods are supported:
- Microsoft Active Directory Service (ADS)
- RSA SecurID Token
- RADIUS
- SAP ID-based logon
- SAP Logon Tickets
- SQL Database Tables
- Third-party JAAS module

For information on how to use a specific third-party JAAS module, refer to the proprietary documentation.
Figure 2-5 SECUDE Secure Login Server with JAAS interface
2.2.3 Instances
The SECUDE Secure Login instances feature allows multiple instances of Secure Login to run on the same Server. The main advantage of using instances is that the time spent on maintaining Secure Login is reduced to a minimum. If you want the single-Server functionality of Secure Login version 4.2 you need only use a single instance. SECUDE Secure Login Server instances can use a common PSE file for one or more instances, or you can set an individual PSE for each instance. The SECUDE Secure Login Client authentication profiles can be configured to use different SECUDE Secure Login Server instances for different authentication methods, or different user groups can be assigned to a Server instance according to access rights/type. For example:
Figure 2-6 Instances example

Failover
It is still possible to use several SECUDE Secure Login Servers and/or Authentication Servers for failover. SECUDE Secure Login Server can connect to more than one Authentication Server (all of which use the same authentication method).

Further Information
For details about how to configure instances via the Administration Console see section 6.2 on page 177.
2.2.4 PKI Structure

Introduction
SECUDE Secure Login creates standard X.509 certificates to authenticate users to the SAP application Server and to encrypt the Client/Server communication. These user certificates are generated on demand and have only a limited lifetime. Therefore, it is not necessary to set up and administrate a standard PKI. Nevertheless, SECUDE Secure Login needs two PKIs for the following two scenarios:
- Secure communication between the SECUDE Secure Login Server and Client: The Web Server needs a certificate for the SSL connection between the SECUDE Secure Login Client and Server. The SECUDE Secure Login Client must verify the certificate of the Web Server.
- Secure communication between the SAP Client and SAP Server: The SAP Server needs a certificate to communicate securely with the SAP GUI.

The recommended simple PKI can be set up via the Administration Console.

Simple PKI Structure
Many possible PKI hierarchies meet the SECUDE Secure Login demands. The following figure shows the simplest approach. It also complies with the convention that one CA should only issue one kind of certificate.
Figure 2-7 Simple PKI structure

Trust Hierarchy
Each application Server (such as Tomcat or SAP NetWeaver) with a running SECUDE Secure Login Server needs an SSL Server certificate ("SSL CA", as shown in the previous figure) and a corresponding key pair. With this SSL certificate, the Server can be authenticated by the SECUDE Secure Login Client and the communication between the SECUDE Secure Login Server and Client can be encrypted. The SECUDE Secure Login Client must have a copy of the SSL certificate in order to verify the SECUDE Secure Login Server certificate. Each SAP application Server needs a key pair and a certificate from the "SAP CA". This Server certificate is used to encrypt the SNC channel between the SAP application Server and the SAP GUI Client. The SAP GUI must have a copy of the root CA certificate in order to verify the Server CA certificate provided to it by the SAP application Server. The "User CA" (which generates each of the Client certificates: User 1, User 2, …, User n) is included as part of the SECUDE Secure Login Server. The user CA key pair and certificate, from which each Client certificate is derived, is stored in a personal security environment (PSE).
2.2.5 Workflow
The following figure shows the principal workflow and communication between the individual components:
Figure 2-8 Principal workflow

1. Upon connection start, the SECUDE Secure Login Client gets the SNC name from the SAP Server.
2. The SECUDE Secure Login Client uses the Client policy for this SNC name. The Client policy is either static (i.e. the Client policy information is set in the Windows registry), or the policy information is retrieved dynamically from the Secure Login Server. For further information about how to download the relevant files for a static or dynamic Client policy see section 6.3.3 'Client Configuration' on page 183.
3. The SECUDE Secure Login Client receives the user login as authentication data.
4. In addition, the SECUDE Secure Login Client generates an RSA key pair.
5. The SECUDE Secure Login Client sends the authentication data and the certification request for the public key of the RSA key pair to the SECUDE Secure Login Server. This connection is secured using SSL.
6. The SECUDE Secure Login Server forwards the authentication data to the Authentication Server using a secure connection. The Authentication Server informs the SECUDE Secure Login Server whether authentication has been successful.
7. If authentication is successful, the SECUDE Secure Login Server generates a temporary user certificate based on the user's public key and identification. The certification reply is transferred from the SECUDE Secure Login Server to the SECUDE Secure Login Client. The certification reply also contains necessary additional certificates from the certificate chain.
8. The SECUDE Secure Login Client provides the certificate for SAP single sign-on and secure communication between SAP Client and Server.
9. SAP GUI and NetWeaver Platform use SNC for secure communication. SAP Web Client and SAP EP Server/SAP WAS use SSL for secure communication.
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
2.2.6 Secure Communication
Secure communication is established between all system components:
Figure 2-9 Secure communication

Communication Between SECUDE Secure Login Client and Server
Security: The communication between the Client and the Server uses SSL. The administrator must configure the URL, including the port number of the Server, on the Clients. An SSL connection is necessary for secure communication. The SSL connection is established using the certificate of the SECUDE Secure Login Server (Server authentication). For an SSL connection, the SECUDE Secure Login Client must be configured to trust the Server certificate.
Reliability: A list of SECUDE Secure Login Servers can be configured. If the Client cannot reach a Server after a configurable time, it tries to connect to the next Server on the list.

Communication Between SECUDE Secure Login Server and Authentication Server
Security: The communication between SECUDE Secure Login Server and Authentication Server must be secured. This is important because the authentication data of the user is on the network.
Reliability: A list of Authentication Servers can be configured in the SECUDE Secure Login Server. If the SECUDE Secure Login Server cannot reach an Authentication Server after a configurable time, it tries to connect to the next Server on the list.

Communication Between SAP GUI and SAP Server
Security: Communication between SAP GUI and the SAP NetWeaver Platform is protected using the SECUDE Secure Login Client. This product integrates itself into the network interface of any SAP process through the SAP SNC (Secure Network Communication) module. It enables certificate-based authentication among SAP components. For example, an SAP Client can authenticate itself using its certificate on the SAP application Server, and vice versa. Communication takes place over a secure channel.

Communication Between Internet Explorer and Web Server
Security: The communication between Microsoft Internet Explorer and a Web Server can be secured using SSL. The Web Server authenticates itself to the Web browser with its Server certificate (Server authentication). In addition, the Web browser authenticates itself to the Web Server with the user's certificate (Client authentication). Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto engines. SECUDE Crypto Service Provider (SECUDE CSP) is such a plug-in. It provides the user keys to all CAPI-enabled applications.

2.3 Methods of Authentication in SECUDE Secure Login
Introduction
This chapter details each of the authentication methods supported by Secure Login.
Contents
Section 2.3.1 "Active Directory Server (ADS) Authentication", on page 23
Section 2.3.2 "RADIUS / RSA", on page 24
Section 2.3.3 "SAP ID", on page 25
Section 2.3.4 "SAP Logon Ticket Authentication", on page 28
Section 2.3.5 "SQL Database Authentication"
2.3.1 Active Directory Server (ADS) Authentication
This section describes the specific system architecture and workflow for the SECUDE Secure Login Active Directory Server (ADS) authentication method.
System Architecture for ADS
The following figure shows the SECUDE Secure Login system environment for ADS:
Figure 2-10 SECUDE Secure Login system environment for ADS
Client: The SECUDE Secure Login Client is integrated into the Windows logon process. It sends the domain, user ID, and password entered by a user to the SECUDE Secure Login Server to authenticate the user. The SECUDE Secure Login Client is represented by a small icon in the system tray that shows the status of the login.
Server: The SECUDE Secure Login Server receives the authentication data sent by the Client and forwards it to the Microsoft Active Directory Service (ADS). If the authentication on ADS is successful, the SECUDE Secure Login Server certifies the user's public key. The certification reply is generated and transferred to the Client. If ADS cannot authenticate the user, the SECUDE Secure Login Server informs the Client. The user can access neither the SNC-secured SAP NetWeaver Server nor the SSL-secured Web Server. The SECUDE Secure Login Server provides the service of an online certification authority (CA).
ADS: The Microsoft ADS verifies the authentication data sent by the Client (domain, user ID, password). It informs the SECUDE Secure Login Server about whether the user could be authenticated.
Secure Login Process
1. A user logs on to Microsoft Windows as usual.
2. The SECUDE Secure Login Server receives the authentication information of the user's Windows logon. It forwards the information via an SSL-secured connection to the Microsoft Active Directory Server and requests confirmation.
3. If the Microsoft Active Directory Server is able to authenticate the user successfully, a temporary certificate is created for the user. This certificate is sent to the Client workstation and made available to the SAP GUI for Windows. Thus, a certificate-based login to the SAP application Server is performed without a corporate PKI.
4. When users start the SAP GUI for Windows, they are automatically logged on to the SAP applications for which they have authorization. The connection to these SAP applications is secure.

2.3.2 RADIUS / RSA Authentication
This section describes the specific system architecture and workflow for the SECUDE Secure Login RADIUS/RSA authentication method.
System Architecture for RSA
The following figure shows the SECUDE Secure Login system environment for RADIUS/RSA:
Figure 2-11 SECUDE Secure Login system environment for RADIUS/RSA
Client: The SECUDE Secure Login Client is a stand-alone Windows application. The SECUDE Secure Login Client provides a user interface to enter a user name and a SecurID password. The SecurID password is composed of a PIN which the user has to provide and the one-time password generated by the RSA SecurID token.
Server: The SECUDE Secure Login Server receives the authentication data sent by the Client and forwards it to the RSA Authentication Manager or another RADIUS Server. If the authentication is successful, the SECUDE Secure Login Server certifies the user's public key. The certification reply is generated and transferred to the Client. If authentication fails, the SECUDE Secure Login Server informs the Client. The user can access neither the SNC-secured SAP NetWeaver Server nor the SSL-secured Web Server, but can repeat authentication.
RSA Authentication Manager: The RSA Authentication Manager verifies the authentication data sent by the Client. It informs the SECUDE Secure Login Server about whether the user could be authenticated.
Secure Login Process
1. A user enters his/her credentials using the SECUDE Secure Login Client user interface.
2. The SECUDE Secure Login Server receives the authentication information. It forwards the information to the RSA Authentication Manager or RADIUS Server and requests confirmation.
3. If the RSA Authentication Manager or RADIUS Server is able to authenticate the user successfully, a temporary certificate is created for the user. This certificate is sent to the Client workstation and made available to the SAP GUI for Windows. Thus, a certificate-based login to the SAP application Server is performed without a corporate PKI.

2.3.3 SAP ID Authentication
This section describes the specific system architecture and workflow for the SECUDE Secure Login SAP ID-based authentication method.
System Architecture for SAP ID-based Logon
The following figure shows the SECUDE Secure Login system environment for SAP ID-based logon:
Figure 2-12 SECUDE Secure Login system environment for SAP ID-based logon
JAAS Module: The SAP ID variant of the SECUDE Secure Login Server consists of the normal SECUDE Secure Login Server core components plus a special JAAS module to communicate with the SAP Server. The JAAS module uses two ABAP functions on the SAP Server via SNC-secured RFC. To use these RFC calls, the SAP Server version has to be at least 6.2. For this method of authentication to work, several libraries are needed for the SECUDE Secure Login Server to function correctly:
- The native RFC library
- An additional native library required for the JNI (Java Native Interface) access
- The Java JCO library
For details about how to install these libraries refer to chapter 3 "Server Installation", on page 32.
SAP System User: An "SAP system user" is an individual with access rights beyond those of a normal user. These rights can be used to check the logon details of a normal user. The SAP system user profile must contain the following entries for this method of authentication to work:
- S_A.SCON
- S_A.SYSTEM
- S_USER_ALL
- S_USER_RFC
- Z_TRANS_RFC
Mode of Operation: The SECUDE Secure Login Server acts on behalf of the SAP system user and obtains the normal SAP user logon data via the SECUDE Secure Login Client.
Password Policy: The SAP Server has a special password policy that can force the immediate change of the user password under the following circumstances:
- For newly created users during their initial logon to the SAP system
- Password expiration date
- SAP user administrator forced password changes
These changes are (and can only be) triggered by the SAP Server. The SECUDE Secure Login Server and Client cannot force a change. The confidentiality of the SAP user password is ensured by using SNC to protect the connection between the SAP Server and the SECUDE Secure Login Server.
Password Rejection: In the password change process the new password might be rejected by the SAP Server for the following reasons:
- Password does not comply with password policy (length, complexity)
- Password is already present in password history
- The wrong password has been entered too many times
As with the password policy, password rejection is controlled by the SAP Server.
Secure Login Process
The following figure shows the SECUDE Secure Login process for SAP ID-based logon:
Figure 2-13 SECUDE Secure Login process for SAP ID-based logon (message flow between secure login client, secure login server and SAP server: initialization request and reply, logon request and reply, new password request and reply, authentication reply)
1. In the first step, a process initialization request is sent from the SECUDE Secure Login Client to the SECUDE Secure Login Server.
2. The SECUDE Secure Login Server replies that initialization can start.
3. The SECUDE Secure Login Client sends a logon request (plus unsigned certificate) to the SAP Server via the SECUDE Secure Login Server.
4. The SAP Server will reply with one of the following:
- Reject the password (see previous section)
- Force a password change (initial logon, password expired etc.)
- Password OK > authentication successful
5. When logon is successful, the SECUDE Secure Login Server sends the Client a signed certificate, which is made available to the SAP GUI for Windows.
2.3.4 SAP Logon Ticket Authentication
This section describes the specific system architecture and workflow for the SECUDE Secure Login SAP Logon Ticket authentication method.
System Architecture for SAP Logon Ticket
The following figure shows the SECUDE Secure Login system environment for SAP Logon Ticket:
Figure 2-14 SECUDE Secure Login system environment for SAP Logon Ticket
Client: This authentication module only applies to the Secure Login Web Client. It sends the user ID and password entered by a user or a program to the SAP NetWeaver Portal URL to call its user login procedure. If successful, the portal returns an SAP Logon Ticket in the form of an HTTP cookie, which is handed over to the Web browser where the Secure Login Web Client is running. Alternatively, the SAP Logon Ticket could be handed over to the Secure Login Web Client by other means, e.g. a browser script. This allows the Web Client to run in unattended and invisible mode. The Secure Login Web Client then sends the SAP Logon Ticket to the SECUDE Secure Login Server to authenticate the user.
Server: The SECUDE Secure Login Server receives the SAP Logon Ticket sent by the Client and performs offline verification. If the authentication is successful, the SECUDE Secure Login Server certifies the user's public key. The certification reply is generated and transferred to the Client.
2.3.5 SQL Database Authentication
This section describes the specific system architecture and workflow for the SECUDE Secure Login SQL database-based authentication method.
System Architecture for SQL DB-based Logon
The following figure shows the SECUDE Secure Login system environment for SQL DB-based logon:
Figure 2-15 SECUDE Secure Login system environment for SQL DB-based logon
JAAS Module: The SQL DB variant of the SECUDE Secure Login Server consists of the normal SECUDE Secure Login Server core components plus a special JAAS module to communicate with the SQL database. For this method of authentication to work, additional third-party SQL driver libraries are needed for the SECUDE Secure Login Server to function correctly:
- For MySQL, this is e.g. mysql-connector-java-5.1.7-bin.jar.
SQL Database: The JAAS module uses standard SQL queries to find the given user ID and password in a table. This table and its column names can either be configured arbitrarily, or predefined names are used for higher performance. The simplest form is to have usernames and passwords stored in two columns. For a given username and password, a row is searched that fits:
If the Client side supports it, a third value can be given to qualify the Client identifier. This could be a Client machine identification value or some application-defined data:
This Client ID is transported in the username field of the protocol, and requires a separator string definition.
Positive False Authentication: Another configuration allows using the database as a combination of white and black list. In this scenario, all exact matches in the database return a positive result, as well as all username values that are not found in the table at all. It is recommended to implement this feature only if Client identifiers are used that are sufficient to protect against this kind of positive false authentication.
2.4 Policy Server Overview
Introduction
SECUDE Secure Login Client configuration is profile-based. To provide a mechanism for automatic application-based profile selection, application contexts can be configured. They are then searched for specific "personal security environment universal resource identifiers" (PSE URIs). If no matching PSE URI is found, a default application context can be defined that links to a default profile.
Figure 2-16 Default application context and profile
The application contexts and profiles are stored in the Windows registry of the Client (including other internal keys for the Client). These parameters are defined within the XML policy file (ClientPolicy.xml). You can also integrate the values for the SECUDE Secure Login Client in your company's group policies via an ADM file.
Further Information
For further information about how to download the relevant files for a static or dynamic Client policy see section 6.3.3 "Client Configuration" on page 183. For further information about how to integrate the policy values for the SECUDE Secure Login Client into your company's group policies (ADM file), refer to section 9.1.4 "Configuring Secure Login with Microsoft Group Policies" on page 245. Advanced details about the Client policy file XML syntax can be found in section 9.1.1 "ClientPolicy.xml File" on page 239 along with the use of wildcards in section 9.1.3 on page 244.
2.5 Secure Login Web Client
Introduction
A new feature of SECUDE Secure Login 5.1 is the Web Service and Web Client. The Web Client is an SNC provider developed mainly for SAP Logon GUI for Java, making the most of Windows as well as non-Windows platforms. It is a Web-based solution to authenticate users via Web browsers (i.e. in portal scenarios) on a variety of platforms and to launch the SAPGUI with SECUDE SNC security. This means that the Client is no longer exclusively for Windows, but also Mac OS X and a range of Linux-based systems (due to differences between the SAPGUI for Java and SAPGUI for Windows, the Web Client for Windows only has limited functionality). Moreover, in contrast to the SECUDE Secure Login stand-alone Client for Windows (SLC), the Web Client has no SSL Client authentication. The Web Client can be deployed to Apache Tomcat and SAP NetWeaver but, currently, not to BEA WebLogic.
Main Features
- Browser-based authentication against Secure Login Server (all back-ends are supported including RSA and challenge-mode functions such as password changes)
- Download and prepare the SECUDE SNC library (simple to update the native libraries when a new version is available)
- Soft-token provider via Secure Login Server
  - Create credentials for crypto-token
- Launch SAPGUI for Java/Windows with SNC parameters and crypto-token
  - Launch SAPGUI or directly login to SAP Server (AS ABAP)
  - Specify search path for SAPGUI binaries either centrally on the Server side, or by the user on the Client side (host-specific)
- Localization and customization of HTML pages and Applet messages
  - Stylesheet (CSS) support, preconfigured for NetWeaver Portal
- Optional clean-up of temporary files when browser is closed (such as soft-tokens and credentials)
Further Information
Chapter 5 "Secure Login plus Web Client - Installation, Usage, and Removal", on page 109
3 Server Installation, Configuration, and Removal
Introduction
This chapter describes the SECUDE Secure Login Server installation. It is necessary to install and configure Secure Login Server BEFORE installing Secure Login Client. This chapter details the installation and configuration procedure for various target systems, for example, Servers that use servlet engines such as Apache Tomcat or SAP NetWeaver. If you want to install Secure Login with the Web Client then refer directly to chapter 5. This is because the Web Client installation is not just the Web Client but rather the complete Secure Login Server plus Web Client. The installation routine is quite different for Tomcat and only slightly different for NetWeaver.
Sections in this Chapter
Section 3.1 "Prerequisites", on page 33
Section 3.2 "Preparing the Server for Installation", on page 34
Section 3.3 "Installation Procedure for Apache Tomcat-based Server Installations", on page 35
Section 3.4 "Installation Procedure for BEA Weblogic-based Server Installations", on page 40
Section 3.5 "Installation Procedure for SAP NetWeaver-based Server Installations", on page 42
Section 3.6 "Initialization and Configuration for ADS, LDAP, RADIUS, SAP ID, SAP Ticket, and Database Module", on page 54
Section 3.7 "Remove SECUDE Secure Login Server", on page 91
3.1 Prerequisites
This section lists the hardware and software requirements.

3.1.1 Hardware Requirements
Hard disk space: 20-50 MB plus space for log files
RAM: 1 GB

3.1.2 Software Requirements
For the… …you require the following software:
Operating System for Secure Login Server: One of the following: Windows 2003 Server R2 (x86); Windows XP Professional SP2 (x86); Suse Linux Enterprise Server 9 or 10 (x86); Solaris 8, 9, or 10 (SPARC); HP-UX 11.11 (PA-RISC); HP-UX 11.23 (Itanium)
Java (http://java.sun.com/): JDK 1.5 with the Java Cryptography Extension (JCE)
Supported Application Servers: BEA WebLogic 8.1, 9.0, 10.0; Apache Tomcat version 5.x/6.x with JDK 1.4-1.6 (make sure that the optional components "Service Setup" and "Native" are selected in the setup; in case RSA ACE 6.1.2 is installed on Solaris it is mandatory to have JDK maximum 1.5); SAP NetWeaver Java 6.4-7.0 with:
- SAP Java Connector 2.1.8 (necessary for SAP ID-based logon. Please contact SAP for these libraries.)
- SAP Java Cryptographic Toolkit
- A running and configured SSL service provider
Server supporting LDAP/ADS authentication: openLDAP; Sun ONE LDAP; Microsoft Active Directory Server (ADS) 2000 or 2003; Sun Java System Directory Server
Server supporting RADIUS/RSA authentication: freeRADIUS; RSA Authentication Manager 6.0 or higher
Server supporting SAP ID-based login: The following SAP application Server versions are supported: SAP Server 6.20; SAP NetWeaver ABAP 7.00
JCE Unlimited Strength Jurisdiction Policy files (usually part of the JDK or JRE).
Support for additional platforms or versions may be available on request. Please contact SECUDE for further information.
3.2 Preparing the Server for Installation
Introduction
The Server must be prepared for the installation of Secure Login. If you have already prepared the Server go to the next section below. If you have not prepared the Server, the following list indicates what must be installed and configured before starting with the installation of SECUDE Secure Login:
- Install the operating system (plus updates if necessary).
- Install Java (JCE will be automatically installed).
- Install the application Server.
This manual does not detail the installation and configuration of the above mentioned software. It is assumed that the knowledge and skills necessary to perform the Server preparation are already present and need not be documented.
Contents of Delivery Package
Secure Login is delivered as a series of ZIP files. The contents of each ZIP file are as follows:
SECUDE51SecureLoginNativeComponents.zip: This file contains the necessary native Secure Login components for each supported platform.
SECUDE51SecureLoginServer.zip:
- \doc: This directory contains the documentation, license agreements, and readme files.
- \SECUDE51SecureLoginServer.zip: Despite the fact that this ZIP file has the same name as the file containing it, this file contains the standard Secure Login applications as well as the Web Client variants:
  - \NetWeaver 70\securelogin.ear: Standard Secure Login application for SAP NetWeaver to work with the Secure Login Client.
  - \NetWeaver 70 WS\secureloginservice.ear: The Web Client version of Secure Login for SAP NetWeaver.
  - \Tomcat\securelogin.war: Standard Secure Login application for Apache Tomcat to work with the Secure Login Client.
  - \Tomcat WS\axis2.war, securelogin.war, secureloginservice.aar, shared.zip, SlsWebClient.war: The Web Client version of Secure Login for Apache Tomcat plus secondary files necessary for operation.
Prepare the Files
In preparation for installation, it is recommended to unpack the ZIP archive SECUDE51SecureLoginServer.zip to produce the four application sub-directories:
- \NetWeaver 70
- \NetWeaver 70 WS
- \Tomcat
- \Tomcat WS
…as well as SECUDE51SecureLoginNativeComponents.zip to produce the files for the native components.
This manual contains steps in which it is necessary to choose and confirm passwords. For reasons of security Secure Login will only allow you to choose passwords that are hard to guess (i.e. a mix of uppercase/lowercase letters, digits, and special characters).
3.3 Installation Procedure for Apache Tomcat-based Server Installations
Introduction
This section describes the installation procedure for an environment using Apache Tomcat. These steps assume that Tomcat and the necessary runtime components are already installed.
1. Locate the unzipped Tomcat deployment file (see section 3.2 on page 34): SECUDE51SecureLoginServer\Tomcat\securelogin.war
2. Deploy the securelogin.war file: This step describes how to deploy the files to the Server using Tomcat 6.0 as an example (you can also use the Tomcat Manager to deploy Secure Login). Make sure that file name and path notations used in this step are correct for the target operating system. These bulleted steps describe how to transfer the WAR file and configuration files to the target servlet engine:
- Stop the servlet engine (Tomcat) if it is running.
- If necessary, remove the existing SECUDE Secure Login Web application directory and securelogin.war file: \Webapps\securelogin\ and \Webapps\securelogin.war
- Copy the new securelogin.war file into the directory \Webapps\
- Start the servlet engine (Tomcat).
3. Now to test the deployment. In your Internet browser, enter the following URL: http:///securelogin For example: http://localhost:8080/securelogin
Make sure that file name and path notations used in this step are correct for the target operating system.
4. If the deployment has been successful, the SECUDE Secure Login Administration Console prerequisite check page should appear:
Figure 3-1 Administration Console – prerequisite check page
This page lists the prerequisites to run Secure Login successfully. Items with a green "dot" in front of them indicate the correct availability and functionality. Items with a red light in front of them indicate an error. Items with a yellow light in front of them indicate an optional component that may be needed according to Server and setup type (for example the SAP Adapter is needed for the SAP ID-based logon).
5. Use the Administration Console initialization wizard to create the Secure Login environment (see section 3.6 on page 54).

3.3.1 Option to Configure SSL in Tomcat
If you are remotely administrating Secure Login over a network it is recommended to use an SSL connection. This means that SSL must be activated in Tomcat. Follow these steps to activate SSL in Tomcat (this example details SSL for Tomcat v.6.0):
1. If Tomcat is running, stop and exit it.
2. Open the Server.xml file from the directory \conf.
3. Copy the following code behind the commented-out SSL configuration example in the Server.xml file (edit the information in the following example syntax accordingly):
The PKCS12 (*.p12) file should already have been generated via the Administration Console during the Server setup. If not, use the Certificate Management function of the Administration Console to generate one (see section 6.3.2 on page 181).
4. Save and close the Server.xml file.
5. Start Tomcat.
Despite using HTTPS for the URLs in policies and generating SSL Server certificates (both via the Administration Console), you still need to manually activate SSL in Tomcat.
3.3.2 Test the SSL Connection for Tomcat
1. To test the SSL connection enter the following URL in your browser: https://URL-Where-Your-Servlet-Resides/securelogin For example: https://localhost:8443/securelogin
2. This should open the Administration Console login page (see section 6.1 "Administration Console" on page 119).
3.3.3
Single Sign-On for the Administration Console (Tomcat Only) This section details how to setup Tomcat to: Use a login certificate generated via the Administration Console for SSL-based authentication (refer to the next section below). Trust only those certificates created via the Administration Console as well as using single sign-on authentication to the Administration Console (refer to section 3.3.3.2 below). Setup a single SSL port in Tomcat for both the Secure Login Administration Console and the Secure Login Client to share (refer to section 3.3.3.1 below).
3.3.3.1
Use a Login Certificate Generated via the Administration Console for SSL-based Authentication This section details how to setup Tomcat to use a SSL login certificates, generated using the Administration Console, for authentication (the Administration Console offers the option to login to the Secure Login Server using certificate-based SSL authentication). The following steps assume that you have already: Created a user via the User Management node (see section 6.4.1 on page 199) that uses the subject alternative name in the certificate for the option Certificate Login ID. Created a login certificate (under SAP CA) via the Certificate Management node. The subject alternative name provided in the certificate creation must match the entry in the option Certificate Login ID for the user created in User Management. The resulting certificate has been exported as a *.p12 file and imported into Internet Explorer or Firefox. By default, Tomcat uses the Java trust store to perform the authentication. This means, all CAs that are trusted by the Java VM could be used to create Administration Console login certificates – as long as the subject_alt_name in the certificate matches an Administration Console user account. If you decide to use the JVM truststore (jre\lib\security\cacerts), the Adminstration Console root certificate or SAP-CA certificate must be imported into it using Java's keytool. For further information refer to section 5.4.1 „Configure SSL Trust for the Web Client Java Applet‟ on page 116.
3.3.3.2 Setup Tomcat to Trust Only Administration Console-Generated Certificates

This section details how to set up Tomcat to trust only those certificates created via the Administration Console, and also how to create a truststore (and set ports) specifically for the purpose of single sign-on to the Administration Console. To accept only those certificates created via the Administration Console, you must configure the Tomcat SSL connector to use a truststore other than that of the Java VM. This can be achieved by either creating a new truststore or using the Secure Login Administration Console truststore. To set up single sign-on it is necessary to create and use a truststore specifically for the purpose of single sign-on (refer to the next page). The following example creates two ports: one for the Administration Console and one for the Secure Login Client.
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
Create a New Truststore

1. As a first step we must create a new truststore that contains only the Administration Console root certificate. Open a command box and enter the following (the command imports C:\root.crt as a trusted certificate entry under the alias my_root_ca and creates the keystore file C:\myTruststoreFile with the store password 123456):

keytool -import -v -trustcacerts -alias my_root_ca -file C:\root.crt -keypass 123456 -keystore C:\myTruststoreFile -storepass 123456

Press Return.
2. Now configure a Tomcat SSL connector to use this truststore only (for single sign-on):
- Open the server.xml file from the directory \conf.
- Enter the following example code behind the commented-out SSL configuration example in the server.xml file (edit the information marked in red in the example syntax accordingly).

In this example note that there are two connectors: one for the Secure Login Client (port 4443 in the example) and one to be used only for single sign-on to the Administration Console (port 8443 in the example). This is to avoid any possible access conflicts. As you can see by the parameters/values marked in blue, the connector to be used for single sign-on has the following specifics:
- A different port number.
- The parameter clientAuth is set to true.
- The truststore file (*.jks) is stated.
3.3.3.3 Setup Tomcat for Single SSL Port Usage for both the Administration Console and Secure Login Client

This section details how to set up a single SSL port in Tomcat for both the Secure Login Administration Console and the Secure Login Client to share. This means it is possible to perform both certificate-based single sign-on via the Secure Login Administration Console and standard login for the Secure Login Client using the same port.
Create a Single SSL Port

1. Open the server.xml file from the directory \conf.
2. Enter the following example code behind the commented-out SSL configuration example in the server.xml file (edit the information marked in red in the example syntax accordingly). As you can see by the parameter marked in blue (clientAuth="want"), client authentication is now optional.
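The connector definitions that sections 3.3.3.2 and 3.3.3.3 describe, written out as an added example (the manual shows its own server.xml excerpt only as a figure; this is not that excerpt). The port numbers, the truststore file and its password are those from the steps above; the keystore path, the keystore password placeholder and the protocol/scheme attributes are assumptions, and Tomcat's attribute names are case-sensitive, so the manual's "ClientAuth" appears here as clientAuth.

```xml
<!-- Added example, not the manual's own server.xml. Paths and CHANGE_ME are
     placeholders; the truststore is the one created with keytool in step 1
     (it holds only the Administration Console root CA). -->

<!-- Layout of 3.3.3.2: two connectors. -->

<!-- Connector for the Secure Login Client: server authentication only. -->
<Connector port="4443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="C:\tomcat\conf\server.jks" keystorePass="CHANGE_ME"
           clientAuth="false" />

<!-- Connector used only for single sign-on to the Administration Console:
     a different port, a client certificate is required, and trust is limited
     to the dedicated truststore instead of the JVM-wide cacerts file, so
     only certificates chaining to the Administration Console root CA are
     accepted. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="C:\tomcat\conf\server.jks" keystorePass="CHANGE_ME"
           clientAuth="true"
           truststoreFile="C:\myTruststoreFile" truststorePass="123456" />

<!-- Layout of 3.3.3.3: one shared connector (use instead of the two above).
     clientAuth="want" makes the client certificate optional, so the
     Administration Console can use certificate-based single sign-on while
     the Secure Login Client logs in without a certificate on the same port. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="C:\tomcat\conf\server.jks" keystorePass="CHANGE_ME"
           clientAuth="want"
           truststoreFile="C:\myTruststoreFile" truststorePass="123456" />
```

With clientAuth="want" Tomcat no longer rejects connections that present no certificate, so on the shared port it is the Administration Console's own check (certificate subject alternative name against the user's Certificate Login ID) that gates single sign-on.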
3.4 Installation Procedure for BEA WebLogic-based Server Installations

Introduction

This section describes the installation procedure for an environment using BEA WebLogic. These steps assume that BEA WebLogic and the necessary runtime components are already installed.

1. This first step applies to BEA WebLogic 8.1 only. If you are using BEA WebLogic 9 or 10, please start with step 5. Before deploying the application you must check the readiness of the Server for application deployment by setting the 'Staging Mode'. If you have already performed this task, go to step 5. Start the WebLogic Server and open the BEA WebLogic console: http:///console
2. Select Server>myServer from the navigation tree.
3. Select the tabs Configuration>Deployment:

Figure 3-2 BEA console – check staging mode

Make sure that the Staging Mode is set to stage. If not, select stage from the combo box and click Apply.
4. Close the console and restart the WebLogic Server.
5. Create a new directory: /Server/bin/myServer/stage/securelogin.war
6. Unzip the contents of the securelogin.war file to the directory stated in the previous step.
7. Now deploy the Secure Login application. Open the BEA WebLogic console: http:///console
8. The BEA WebLogic Server Home page will appear:

Figure 3-3 BEA console – WebLogic Server Home page

Click Web Application Modules.
9. The Web Applications page will appear:

Figure 3-4 BEA console – Web applications page

Click Deploy a new Web Application Module…
10. The Deploy a new Web Application Module page will appear:

Figure 3-5 BEA console – deploy Web application page

Use Location to navigate to the stage Server directory (do not use the upload your files link). For example: 10.49.13.169/opt/bea/Weblogic81/Server/bin/myServer/stage
11. Select the securelogin.war application and click Target Module.
12. Start the Secure Login application in BEA WebLogic.
13. After Secure Login has been successfully deployed, open your Internet browser and enter the Secure Login Administration Console URL: http:///securelogin
14. Use the Administration Console initialization wizard to create the Secure Login environment (refer to the next section).
3.5 Installation Procedure for SAP NetWeaver-based Server Installations

Introduction

This section describes the installation procedure for an environment with SAP NetWeaver. After unpacking the installation package, the installation of the SECUDE Secure Login Server comprises the following tasks:
- Create SSL certificates
- Configure the SECUDE Secure Login Server
- Deploy the files on SAP NetWeaver
- Configure the Authentication Server in SAP NetWeaver
- Test the SECUDE Secure Login Server
- Configure SSL
- Test the SSL connection
3.5.1 Configure the System Environment (only for SAP ID-Based Logon)

This section details the steps necessary to pre-configure the system for the respective environment.

1. Configure NetWeaver (prerequisite to run the Secure Login Administration Console): Change the password of the Guest user via NetWeaver user management. Select Server0 > services > Security provider from the tree in the left-hand pane. Select the Runtime tab and then the User Management tab. Open the Users tab and locate the entry Guest. Enter a new password in the field Change password, check No password change required, and click Change. A password confirmation dialog will appear:
Figure 3-6 Confirm password change

Re-enter the new password and click OK.
2. Now deploy the Secure Login enterprise archive to NetWeaver. The archive is located in the directory already unzipped in section 3.2 on page 34: SECUDE51SecureLoginServer\NetWeaver\securelogin.ear. The easiest method of deploying the archive is to use either the SAP Software Deployment Tool or SAP Visual Administrator. For further details please refer to the proprietary documentation. Make sure that file name and path notation is correct for the target operating system.
3. Open and log on to the Administration Console: In your browser, enter the following URL: http:///securelogin/ For example: http://SAPNetWeaverHost:50000/securelogin/
The SECUDE Secure Login Administration Console prerequisite check page should appear:

Figure 3-7 Administration Console – prerequisite check page

This page lists the prerequisites to run Secure Login successfully. Items with a green dot in front of them indicate correct availability and functionality. Items with a red light in front of them indicate an error. Items with a yellow light in front of them indicate an optional component that may be needed according to Server and setup type (for example, the SAP Adapter is needed for the SAP ID-based logon). Click Continue to go through the setup wizard as described in section 3.6.3 'Step 2 – Multiple Authentication Server Initialization – Expert Mode (Wizard)' on page 63.
4. After completing the initial setup, the Web.xml file in the WEB-INF directory must be updated (re-read). This is achieved via the SAP Visual Administrator: Open the SAP Visual Administrator. Select the Server(x)>Services>Deploy node from the tree in the left-hand pane. Select the deployed secude.com/SecureLogin component from the Runtime tab in the middle pane.
Click Single File Update on the right-hand side. The following dialog will appear:

Figure 3-8 Update Web.xml file

Click OK.
5. Open and log on to the Administration Console: In your browser, enter the following URL: http:///securelogin/ For example: http://SAPNetWeaverHost:50000/securelogin/ The login page should appear:

Figure 3-9 Administration Console – login page

Generate the SSL certificates as a *.p12 file as described in section 6.3.2.3 'Username Configuration for SQL JAAS Module' on page 183. Locate the SSL certificate and change the file extension to *.pfx. For further information about the Administration Console refer to section 6.1 on page 119.

Username Configuration for SQL JAAS Module: Depending on the username/Client ID schema used for database authentication, some configuration properties may be needed to define which user name is put into the certificate. This is only to be considered if the Secure Login Client sends compound username values.

Property            Details
UseQualifiedName    If true, the full received username value is taken for the certificate's CN field. If false, only the user ID part before the separator is taken, and UserNameSeparator must be set to a non-blank value to apply this property. Default value: true.
UserNameSeperator   String of one or more characters that separates username and Client identifier sent by the Secure Login Client. If configured, DBColumnClientID must also be configured in the SQL JAAS module. Default value: None. Sample: USER001#CLIENT999 is split to USER001 when UseQualifiedName="false" and UserNameSeperator is configured.

6. Now enable SSL in SAP NetWeaver. If there is more than one Server installed, this step has to be performed for each of the Servers.
Open the SAP Visual Administrator. Select the Server(x)>Services>ConfigurationAdapter node from the tree in the left-hand pane. Select the Runtime tab and then the Display configuration tab. Select the following node from the middle pane: Configurations>cluster_data>dispatcher>cfg>services>Propertysheet.ssl-runtime

Figure 3-10 enable SSL – select Propertysheet.ssl-runtime node

Click the pencil icon (middle icon under the tab heading) to display the Change Configuration dialog:

Figure 3-11 enable SSL – Change Configuration dialog

Select the property startup-mode and enter always into the field value (make sure that the custom checkbox is unchecked). Click OK.
The same set of properties must also be changed at another Server node. Select the following node from the middle pane: Configurations>cluster_data>Server>cfg>services>Propertysheet.ssl-runtime As above, select the property startup-mode and enter always into the field value (make sure that the custom checkbox is unchecked). Click OK.
7. Now that Secure Login has been deployed and SSL has been enabled, the Server must be restarted to make use of the new settings.
8. Now for certificate import and validation: To enable Server authentication, the Server has to have an SSL Server certificate. This certificate and the associated private key must be imported into SAP NetWeaver. This is achieved by using the *.pfx file generated in step 5. SAP NetWeaver only accepts PKCS#12 software token files with the extension *.pfx. Open the SAP Visual Administrator. Select the Server(x)>Services>KeyStorage node from the tree in the left-hand pane. Select the Runtime tab. The certificates are organized into sub-groups, so-called 'Views'. Each of the 'Views' groups is purpose-based and contains certificates that suit the purpose, for example the TrustedCAs and service_ssl Views, or Views defined by the administrator:

Figure 3-12 certificate import – key storage

Click the service_ssl entry in the Views list. Click Load. Locate and open the SSL certificate created by the Administration Console in step 5. Before the SSL certificate can be verified, all certificates up to the root have to be imported in the manner described above. Furthermore, the root certificate must be imported (loaded) into the TrustedCAs view; NetWeaver only accepts certificates contained in this view as trust anchors. Use the Load button to import a certificate. The certificate file has to be base64-encoded with the file name extension *.crt.
9. Now for SSL configuration: To enable Client authentication the SSL Provider must be configured to request the Client certificates. Open the SAP Visual Administrator. Select the Server(x)>Services>SSL Provider node from the tree in the left-hand pane. Select the Runtime tab and then the Client Authentication tab in the bottom right-hand pane. Select Do not request Client certificate:

Figure 3-13 set SSL configuration

Click the Server Identity tab. Click Add to browse for the credentials uploaded in step 9.
10. The configuration of SAP NetWeaver for Secure Login is now complete.

Next Steps

The next step is to configure the Authentication Servers for Secure Login. Please refer to the next section, 3.5.2 on page 49. When installing the signon&secure components for SAP ID-based logon (see section 6.1.12 'SSS&JCO Installation' on page 158), you can ignore the third step Install JCO because SAP NetWeaver already has these components installed and set.
3.5.2 Configure the Authentication Server in SAP NetWeaver

Introduction

The JAAS module used by the SECUDE Secure Login Server must be configured directly inside SAP NetWeaver. You have to create one JAAS module with a corresponding policy and add a configuration for each Authentication Server to the JAAS module. The configuration process consists of the following steps:
- Configure the LoginModuleClassLoader property.
- Create a JAAS module.
- Configure the first Authentication Server in the JAAS module.
- Create a JAAS policy.
- Configure an Authentication Server in the JAAS module.

Configuration is performed in SAP Visual Administrator. The relevant configuration node is the Security Provider node in the Services section. Follow these steps to configure LoginModuleClassLoader:

1. Open the SAP Visual Administrator.
2. Select the Security Provider node from the left-hand pane and the Properties tab from the right-hand pane.
3. Select the LoginModuleClassLoaders property from the list and enter the following value into the field Value at the bottom of the window: library:SECUDE-SecureLogin
Figure 3-14 SAP Visual Administrator – Configure the LoginModuleClassLoader property

4. Click Update at the bottom of the window.
5. Now create a JAAS module: Select the Security Provider node from the left-hand pane and the Runtime tab from the right-hand pane. This will open a second row of tabs. Select the User Management tab. Select the pencil icon above the top row to change to edit mode. Click Manage Security Stores. The area for the login module administration is displayed:
Figure 3-15 SAP Visual Administrator – Configure the JAAS module

Click Add Login Module on the right-hand side of the window. The following window appears:

Figure 3-16 SAP Visual Administrator – add login module

In the Class Name field enter the class name of the JAAS module:
- For ADS: com.secude.transfair.pepperbox.LdapJaasModule
- For RSA/RADIUS: com.secude.transfair.pepperbox.RsaRadiusJaasModule
- For SAP-ID: com.secude.transfair.pepperbox.SAPJaasModule
Enter descriptive strings in the fields Display Name and Description.
6. Now configure the first Authentication Server in the JAAS module: In the Add Login Module window, enter the names and values of the configurable module properties for the first Authentication Server in the Options table. For a description of the configurable properties for ADS, see section 9.2.4.1 'JAAS Module Configuration Files for LDAP/ADS' on page 253. For a description of the configurable properties for RSA/RADIUS, see section 9.2.4.2 'JAAS Module Configuration Files for RADIUS/RSA' on page 257. Click OK.
7. Now create a JAAS policy: Select the Security Provider node from the left-hand pane and the Runtime tab from the right-hand pane. This will open a second row of tabs. Select the Policy Configuration tab. Click Add under the component list. A new dialog will open. Under Name, enter SLSJaasModule. Click OK. The window now appears as follows:

Figure 3-17 SAP Visual Administrator – add JAAS module

8. Now configure an Authentication Server in the JAAS module: Select the newly created SLSJaasModule policy/login module configuration from the Components list. Click Add New from the bottom right-hand side of the window. The available login modules are displayed. Select the JAAS module you want to configure. Click OK. The Edit Login Module window opens:

Figure 3-18 SAP Visual Administrator – edit login module

Enter the names and values of the configurable module properties of the added Authentication Server (a list of property names and examples can be found in the section covering Authentication Server configuration via the Administration Console; see section 6.1.4 on page 128).
3.5.3 Test the SSL Connection

The following step describes how to test the Secure Login files deployed to the Server. Make sure that file name and path notations used in this step are correct for the target operating system.

1. In your browser, enter the following URL: https:///securelogin/PseServer?op=Serverstatus For example: https://SAPNetWeaverHost:50001/securelogin/PseServer?op=Serverstatus
2. If the deployment has been successful, the SECUDE Secure Login Administration Console login page should appear as in section 6.1.1.
3.6 Initialization and Configuration for ADS, LDAP, RADIUS, SAP ID, SAP Ticket, and Database Module

Introduction

This section details the initialization and configuration of the Secure Login Server component using the Administration Console initialization wizard.

Contents

- Section 3.6.1 'Step 1 - Initial Installation', on page 54
- Section 3.6.3 'Step 2 – Multiple Authentication Server Initialization – Expert Mode (Wizard)' on page 63
- Section 3.6.4 'Step 3 - Configure Authentication Server Communication' on page 84
- Section 3.6.5 'Step 4 - Test SECUDE Secure Login Server' on page 90

For reasons of security, the Secure Login Server component can only be initialized via the Administration Console, and only when the console is called from the same Server computer on which Secure Login resides. If, however, you want to perform the initialization and configuration from a remote location, you must manually enable this feature by editing the Secure Login Web.xml file. For further details please refer to section 7.17 on page 229. If you want to use Secure Login on an operating system that does not have a GUI (for example Unix without X-Win), you must use SSH or PuTTY to tunnel to the Client Web browser (as long as an SSH daemon is running on the Server).
3.6.1 Step 1 - Initial Installation

Introduction

This section describes the installation procedure and initial configuration of Secure Login. This is necessary for all Authentication Server types.

1. If you have not already done so, enter the following URL in your Internet browser: http:///securelogin For example: http://localhost:8080/securelogin
2. If the deployment has been successful, the SECUDE Secure Login Administration Console prerequisite check page should appear:

Figure 3-19 Administration Console – prerequisite check page
This page lists the prerequisites to run Secure Login successfully. Items with a green dot in front of them indicate correct availability and functionality. Items with a red light in front of them indicate an error. Items with a yellow light in front of them indicate an optional component that may be needed according to Server and setup type (for example, the SAP Adapter is needed for the SAP ID-based logon). For further information about the Administration Console refer to section 6.1 on page 114.
3. Click Continue.
4. The scenario selection page will appear:

Figure 3-20 Server initialization – authentication selection page

Use this page to choose between either an Authentication Server-specific quick initialization or a detailed multiple Authentication Server initialization. Click on the logo next to one of the Server-specific methods Microsoft Windows Domain Username and Password, Username and Password Stored in LDAP Server, One-Time Password, or SAP Username and Password. For details about the next step, refer to the next section. If you click on the Multiple Authentication Methods (Expert Mode) logo, the next step is in section 3.6.3 on page 63.
3.6.2 Step 2 – Server-Specific Quick Initialization

1. After clicking the logo next to the desired authentication method (Microsoft Windows Domain, SUN Directory Server or other LDAP Server, RSA SecurID or other One-Time Password solution, or SAP NetWeaver – see previous section), the Company Information page will appear:

Figure 3-21 Server Setup Wizard – company information page

Enter basic information about your company. The following options are available (options marked with * are mandatory):

Option                Details
Company Information
  Country             The abbreviation of your country. Click on the field to open and select a country from the drop-down menu. Example: DE for Germany
  Locality            The region in which your company is located. Example: Darmstadt
  Company name        Enter the name of your company in this field. Example: SECUDE
Administrator Account
  Account name        The username for the account.
Password Information
  NOTE: The password will be used as the password for Administration Console access!
  Password            The password for this account.
  Confirm password    Confirm the password entered in the field above.

Click Next to continue.
2. According to which authentication method you selected in section 3.6.1, step 4, on page 55, one of the following pages will appear:

For Microsoft Windows Domain authentication:
Figure 3-22 Server initialization – Microsoft Windows Domain authentication page

The following options are available (options marked with * are mandatory):

Option                              Details
Let SECUDE Secure Login…            Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter a password in the fields Certificate Password and Confirm Certificate Password to be used for all automated PKI operations (PSE file and TrustStore passwords).
Enter the Active Directory Server…  The IP or URL of the Authentication Server. Click More to open the following options:
                                    Use SSL: Check this option if you want to use secure communication with the Server.
                                    Port: The port number the Active Directory Server uses for communication.
The communication between…          Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and the Active Directory Server.
For SUN Directory Server/LDAP authentication:

Figure 3-23 Server initialization – SUN Directory Server/LDAP authentication page

The following options are available (options marked with * are mandatory):

Option                                  Details
Let SECUDE Secure Login…                Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter the certificate password in the fields Certificate Password and Confirm Certificate Password.
Enter the LDAP Server…                  The URL of the Authentication Server. Click More to open the following options:
                                        Use SSL (LDAPs): Check this option if you want to use secure communication with the Server. NOTE: GetBaseDN will not work if SSL is enabled. If you want to use the GetBaseDN feature, it is recommended that you click it first and then enable SSL.
                                        Port: The port number the SUN Directory Server/LDAP Server uses for communication.
Enter or select the LDAP search base    Manually enter the base distinguished name or click GetBaseDN to try to retrieve it automatically from the LDAP Server.
The communication between…              Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and SUN DS/LDAP Server.
For RSA SecurID authentication or other one-time password solutions:

Figure 3-24 Server initialization – RSA SecurID authentication page

The following options are available (options marked with * are mandatory):

Option                      Details
Let SECUDE Secure Login…    Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter the certificate password in the fields Certificate Password and Confirm Certificate Password.
Enter the RSA Server…       The URL of the RSA Server. Enter the password into the Shared Secret field. Click More to open the following options:
                            AuthPort: The authentication port at which the RSA Server expects to be queried for authentication requests.
                            Authenticator: The authentication protocol for the RSA Server. The possible options are CHAP, MSCHAP and PAP. NOTE: The RSA Authentication Manager only supports the PAP authentication protocol.
The communication between…  Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and the RSA Server.
For SAP NetWeaver authentication:

Figure 3-25 Server initialization – SAP NetWeaver authentication page

The following options are available (options marked with * are mandatory):

Option                      Details
Let SECUDE Secure Login…    Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter the certificate password in the fields Certificate Password and Confirm Certificate Password.
SAPID authentication…       If necessary, use the following options to install signon&secure and/or JCO for SAPID:
                            Install signon&secure
                            - Setup File: Click Browse… to locate the signon&secure package (*.zip file). The files can be located in the SSS+JCO sub-directory of the file SECUDE51SecureLoginNativeComponents.zip delivered with Secure Login.
                            - License File: Click Browse… to locate the file ticket.snc (received from SECUDE).
                            Install JCO for SAPID
                            - sapco.jar: Click Browse… to locate and open the sapjco.jar file (applies to both Windows and Linux/Sun).
                            - sapco library 1: Click Browse… to locate and open one of the following files (according to operating system): for Windows librfc32.dll; for Linux/Sun librfccm.so.
                            - sapco library 2: Click Browse… to locate and open one of the following files (according to operating system): for Windows sapjcorfc.dll; for Linux/Sun libsapjcorfc.so.
Enter the SAP Server…       Enter the IP or URL of the SAP Server into the first (unmarked) field. Enter the password into the Username field. Click More to open the following extra options:
                            Client: SAP System ID.
                            System Number: SAP System Number.
                            SNCServerName: The DN of the SAP Server, as stated in the Server certificate (the subject DN of the X.509 certificate). This option is not needed if you have selected the first option (let Secure Login use a custom PKI to establish trust between the user and Server). For example: p:CN=SAP NetWeaver 2004, O=secude.local, C=DE
The communication between…  Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and SAP ID Server.

Due to legal restrictions, the SAP JCO libraries are not part of the Secure Login delivery package. For further information please contact SECUDE support.

Click Next to continue.
3. The Install Process page will appear:

Figure 3-26 Server initialization – install process page

This page will display the status of the installation/initialization. Click Start. The status of the installation will be displayed for each step. As soon as a step is complete, a green check-mark will appear next to it:

Figure 3-27 Server initialization – status of initialization

4. Once the initialization is successful, the following information will appear:

Figure 3-28 Server initialization – procedure complete

5. Manually restart the application Server.

Next Steps

For information about how to log in to the console and start using it, refer to section 6.1 'Administration Console' on page 119.
3.6.3 Step 2 – Multiple Authentication Server Initialization – Expert Mode (Wizard)

This section will guide you through the steps necessary to perform a quick, Authentication Server-specific initialization.

1. The Welcome page of the wizard appears:

Figure 3-29 Server Setup Wizard – welcome page

This page introduces the wizard and displays, on the left-hand side, the logical steps necessary to initialize the Server. Click Next to continue. Some of the more complicated wizard pages will have an information bubble icon next to the page header. Click on the icon to open a pop-up dialog containing information about the entries on the page.
2. The Create Administrator Account page will appear:

Figure 3-30 Server Setup Wizard – create administrator account

This page allows you to create an account username and password to be used to log on to the console. The following options are available:

Option              Details
Account name        The username of the account to be created.
Password            The password for the account to be created. The password must fulfill the following criteria: be between 5 and 10 characters (use a mix of letters, numbers and special characters), and contain at least one uppercase letter.
Confirm password    Enter the password a second time in this field to confirm the entry made in the field Password.

Click Next to continue.
3. The Setup Type page will appear:

Figure 3-31 Server Setup Wizard – select setup type

The next page to appear will vary according to the selection made here. You can choose between the following options:

Option                                                Details and next steps
Create a new SECUDE Secure Login Server               Select this option to start configuring a new Server. Click Next to continue with section 3.6.3.1 on the next page.
Migrate from an existing SECUDE Secure Login Server   Select this option to migrate the configuration from an existing Secure Login Server. Click Next to continue with section 3.6.3.2 'Migrate from an Existing SECUDE Secure Login Server', on page 82.
Restore from an existing backup (*.zip) file          Select this option to restore the configuration from a backup file. Click Next to continue with section 3.6.3.3 'Restore from an Existing Secure Login Server Backup (*.zip) File', on page 83. NOTE: only backup files created using Secure Login 5.x and 4.3 are supported.
3.6.3.1 Create a New SECUDE Secure Login Server
Continue with this section if you selected Create a new SECUDE Secure Login Server in the previous section.
1. The Input root CA information page will appear:
Figure 3-32 Server Setup Wizard – Input root CA information
This page allows you to enter information about the root certificate authority for the Secure Login Server. The following options are available (entries marked with * are mandatory):
Option
Details
Create a Root CA by certificate information
Common name*
Enter the name of the root certificate authority in this field. Example: SECUDE CA
Organization unit
Enter the division of the company in this field. Example: Research+Development
Organization
Enter the company name in this field. Example: SECUDE
Locality
Enter the regional information in this field. Example: Darmstadt
Country
Enter the country abbreviation in this field. Example: DE for Germany
Encryption key length
Select the encryption key length for the Server (512, 1024, 1536, 2048, 3072, or 4096 bits).
Valid from*
Enter the date from which this certificate authority information is valid in this field (YYYY-MM-DD). Example: 2007-7-11
Validity period (months)*
Enter the number of months for which the certificate authority information is valid.
Password*
Enter the password to be used for encryption in this field. Check Save Password to store the password for this certificate in a separate Secure Login password file. This means that you do not need to remember the password when editing this certificate at a later date.
Confirm password*
Confirm the encryption password entered in the field above.
Import an existing KeyStore file
Checking this option will display the following options:
Figure 3-33 Initialization Wizard – import existing keystore
KeyStore File
Click Browse… to locate and load an existing KeyStore (PSE) file (*.pse).
Password
The password for the KeyStore (PSE) file.
Save Password
Check this option to store the password for this certificate in a separate Secure Login password file. This means that you do not need to remember the password when reloading the PSE file at a later date.
Skip this certificate
Check this option if you do not want, or do not need, to enter any information for this specific certificate at this time.
Skip all PKI certificates
Check this option if you do not want, or do not need, to enter information for any certificate at this time. This means you skip all the PKI certificates, including the Root CA, SSL CA, SSL Server and User CA certificates. You can create or add certificate information at a later time via the 'Certificate Management' function of the Administration Console (see section 6.3.2 on page 181). If you select this option, continue with the setup from step 6 on page 70.
Click Next to continue.
2. The SSL Certificate Generation Type page will appear:
Figure 3-34 Server Setup Wizard – SSL certificate generation type
This page allows you to configure the use of SSL certificates. To enable a higher level of security, SSL is used to encrypt the communication channels, which requires a special SSL certificate. The following options are available:
Option
Details
Generate SSL certificate using Secure Login Administration Console
If you select this option, the Secure Login Server will be configured as a root CA and an SSL CA (the next two screens). This Root CA will then issue the SSL CA a valid certificate; the SSL CA will in turn issue a valid Server certificate to be installed on the Server. You will need to download this certificate and install it according to your Server's particular configuration. Proceed with the next step.
Generate SSL certificate to be signed by an external CA
If you select this option, the Secure Login Server generates a valid certificate request. You may download this request, have it signed by an external CA, and import it back into the Server to enable SSL connectivity. Proceed with step 4 on page 69.
Skip all SSL certificates
Check this option if you do not want, or do not need, to enter any SSL certificate information at this time. Proceed with step 5 on page 70.
Click Next to continue.
3. The SSL CA Information page will appear:
Figure 3-35 Server Setup Wizard – input SSL CA information
This wizard page is for information about the certificate authority to be used for SSL. The options available on this page are the same as in step 1 on page 66. Options marked with a red * are mandatory. If you selected Click Next to continue.
4. The SSL Server Information dialog appears:
Figure 3-36 Server Setup Wizard – input SSL Server information
This wizard page is for information about the Server to be used for SSL. For information about the options available on this page refer to step 1 on page 66. Options marked with * are mandatory. Click Next to continue.
5. The User CA Information page will appear:
Figure 3-37 Server Setup Wizard – input user CA information
This wizard page is for information about the user certificate authority to be used for SSL. For information about the options available on this page refer to step 1 on page 66. Options marked with * are mandatory. Click Next to continue.
6. The Server Configuration page will appear:
Figure 3-38 Server Setup Wizard – Server configuration
This wizard page helps you to set up basic Server parameters. The following options are available (options marked with * are mandatory):
Option
Details
AuthConfigPath
The path to the JAAS configuration file on the Server's file system, for example: D:\SECUDE Secure Login\SLSJAAS.login
PseName
The User CA keystore file path. If you created a User CA in the previous step, the file path will be shown here.
DN.Country
Information for a temporary certificate: the country designation (for example: DE for Germany).
DN.Locality
Information for a temporary certificate: the regional designation (for example: Darmstadt).
DN.Organization
Information for a temporary certificate: the initializing designation (for example: SECUDE).
DN.Organizational Unit
Information for a temporary certificate: the department designation (for example: Research and development).
ValidityMinutes*
Information for a temporary certificate: the period of time (in minutes) that the user certificate is valid.
DailyLogDir
The path of the directory to which the daily log files are stored.
MonthlyLogDir
The path of the directory to which the monthly log files are stored.
doTrace
This option determines whether to record the Server's execution trace for problem analysis. true (yes) = enable trace messages; false (no) = disable trace messages.
LockDir
The path to which the lock file is saved. A lock file is created when the Server encounters an internal error that requires manual intervention. Default value: the temporary directory of the Java VM, i.e. the directory denoted by the java.io.tmpdir property.
Client Name/IP
The hostname or IP address used for all Client policy files within URLs connecting to SLS.
Click Next to continue.
7. The Authentication Server Configuration page will appear:
Figure 3-39 Server Setup Wizard – Authentication Server
If you want to add an Authentication Server click Add Server (if not, click Next and go to the next step). The specific settings for each of the supported Authentication Server types are covered in the following sections: For further details about the settings for a servlet engine-based Server (such as Apache Tomcat) refer to page 84. For further details about the settings for an RSA Server refer to page 86. For further details about the settings for a SAP NetWeaver-based Server for SAP ID-based logon refer to page 87.
8. The Add Authentication Server page will appear:
Figure 3-40 Server Setup Wizard – add Authentication Server
Depending on which Server Type is selected, other options will appear/disappear in the table. The following options are available (options marked with * are mandatory):
Options (general)
Details
Application Name*
An "application name" is the identifier of the group of authentication modules associated with one instance of the SECUDE Secure Login Server (SLS). There can be only one instance of a particular authentication module residing in a JVM. However, there may be multiple SLS instances running on the JVM. Therefore, the group of authentication modules used by an instance of SLS is assigned a unique application name for identification. Different SLS instances running on the same Server must have different application names. The default name is: SLSJaasModule
LoginModuleControlFlag
The flag controls the Server's behavior when it proceeds down the authentication stack. For a detailed explanation, refer to the documentation of javax.security.auth.login.Configuration on the Sun Website. NOTE: this option cannot be changed.
Server Type
Server type selection (LDAP, AD, RADIUS, or SAPID). Other options will appear/disappear in the table according to the selection made via this option.
TestUserName
Test user username. Use this option to set up a user to test the Server parameters.
TestUserPwd
Test user password. Use this option to set up a user to test the Server parameters.
TryAllServers
Determines when to try the next LDAP/ADS Server in the list. Possible values: FALSE (default): Try the next Server only if this Server cannot be reached. TRUE: Try the next Server if this Server cannot be reached, or access is denied.
Options (LDAP)
Details
LdapHost*
The address of the LDAP Server. This option is for the configuration of the LDAP Server (including the Windows Active Directory Server). For example: ldap://my.host.com:389 (if SSL is used for the communication, the protocol should be changed to ldaps:// and the port number should be changed to 636). NOTE: An SSL Server certificate must have been successfully imported into the TrustStore for SSL to work. It is not possible to import a certificate until after the initial Server setup.
LdapBaseDN
Information that identifies a user in the user management system, LDAP or Active Directory. Either enter the information manually or click Get baseDN list to browse the LDAP directory for the correct base distinguished name. The following pop-up window will appear:
Figure 3-41 add Authentication Server – get baseDN
The following options are available (options marked with a red * are mandatory):
Host name*
The host name of the LDAP Server.
Port*
The port of the LDAP Server.
Username*
The username used to communicate with the LDAP Server.
SSL
Check this option to use the SSL protocol when communicating with the LDAP Server. If you use SSL in the communication, the protocol should be ldaps:// and a valid certificate is required.
Anonymous bind
Use this function to query the LDAP Server without a username (managerDN) and password (provided that the LDAP Server is configured to allow this).
managerDN
Specific username.
password
The password used to communicate with the LDAP Server.
Base DN
Click Get baseDN list to query the LDAP Server for a list of base distinguished names to be displayed in the combobox.
Get baseDN list
After you have entered the above parameters, click Get baseDN list to obtain the base DNs from the LDAP Server.
LdapTimeout(ms)
Determines how long a Client should wait for a response from an LDAP/ADS Server before trying to connect to the next one.
LdapProviderLanguage
Character set for the encoding of the characters when the Server communicates with the LDAP/ADS Server. For example: in the case of ADS, a possible character set is ISO-8859-1.
PasswordExpirationAttribute
Password expiry date (from the LDAP Server). NOTE: If this option is used, the LdapBaseDN attribute must be given in complete DN form.
PasswordExpirationGracePeriod
Defines the interval in days, inside which the password expiration warning is sent to the Client prior to password expiry.
AuthServerID
The warning message to be sent to the Client in the event of password expiry.
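An added example (not SECUDE code) of the two rules described above for LdapHost and TryAllServers: the URL check applies the ldap://389 and ldaps://636 pairing given in this table, and the failover walk shows that with TryAllServers=TRUE a rejected credential is retried against every Server in the list. Server names, the probe and their outcomes are constructed.

```python
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Outcomes a connection attempt to one LDAP/ADS server can report (constructed).
OK, UNREACHABLE, DENIED = "ok", "unreachable", "denied"


def check_ldap_host(url: str) -> Tuple[bool, str]:
    """Check an LdapHost value against the rules in this section:
    ldap:// (port 389) for plain LDAP, ldaps:// with port 636 for SSL.
    Returns (accepted, explanation or normalized URL)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        return False, "scheme must be ldap:// or ldaps://"
    if not parts.hostname:
        return False, "host name is missing"
    try:
        port = parts.port
    except ValueError:
        return False, "port is not a number"
    if port is None:                       # fall back to the protocol default
        port = 636 if parts.scheme == "ldaps" else 389
    # Port 636 means LDAPS: the scheme and the port must agree.
    if port == 636 and parts.scheme != "ldaps":
        return False, "port 636 is LDAPS; change the protocol to ldaps://"
    if parts.scheme == "ldaps" and port != 636:
        return False, "ldaps:// expects port 636"
    return True, f"{parts.scheme}://{parts.hostname}:{port}"


def authenticate(servers: List[str], try_all_servers: bool,
                 probe: Callable[[str], str]) -> Tuple[str, List[str]]:
    """Walk the server list the way TryAllServers is described.
    FALSE (default): move to the next Server only if this one cannot be
    reached (for example after LdapTimeout(ms) expires).
    TRUE: also move to the next Server when this one denies access.
    Returns (final outcome, servers that were tried, in order)."""
    tried: List[str] = []
    outcome = UNREACHABLE                  # an empty list reaches nobody
    for url in servers:
        tried.append(url)
        outcome = probe(url)
        if outcome == OK:
            break
        if outcome == DENIED and not try_all_servers:
            break                          # a definite answer: stop here
        # UNREACHABLE, or DENIED with TryAllServers=TRUE: try the next one
    return outcome, tried


def make_probe(outcomes: Dict[str, str]) -> Callable[[str], str]:
    """Stand-in for a real bind: look up a constructed outcome per server."""
    return lambda url: outcomes.get(url, UNREACHABLE)


# Constructed server list: the first is down, the second rejects the user,
# the third accepts.
SAMPLE_SERVERS = ["ldaps://dc1.example.test:636",
                  "ldaps://dc2.example.test:636",
                  "ldaps://dc3.example.test:636"]
SAMPLE_OUTCOMES = {SAMPLE_SERVERS[0]: UNREACHABLE,
                   SAMPLE_SERVERS[1]: DENIED,
                   SAMPLE_SERVERS[2]: OK}

if __name__ == "__main__":
    for url in SAMPLE_SERVERS + ["ldap://dc4.example.test:636", "my.host.com:389"]:
        print(url, check_ldap_host(url))
    probe = make_probe(SAMPLE_OUTCOMES)
    for flag in (False, True):
        print("TryAllServers =", flag, authenticate(SAMPLE_SERVERS, flag, probe))
```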
Options (RADIUS)
Details
RadiusServerIP*
The IP address of the RADIUS Server.
AuthPort*
The authentication port at which the RSA/RADIUS Server expects to be queried for authentication requests.
SharedSecret*
A word/phrase used to encrypt the user password.
Timeout(ms)
Determines how long a request to a Server is to wait before being sent to the next Server.
Authenticator
Authentication protocol for the RSA/RADIUS Server. Possible options: CHAP, MSCHAP, PAP
PinMin
Minimum PIN length for users choosing a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 4
PinMax
Maximum PIN length for users choosing a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 8
PinAlphanumeric
PIN format. This parameter is only used with RSA SecurID tokens. Possible values: true: the user can choose, and use, a PIN which contains only alphanumeric characters (A-Z, a-z, 0-9). false (default): the user can choose, and use, a PIN which contains alphanumeric and special characters (such as !$%&). The default password policy for RSA allows only numeric PINs, which cannot be set up via the Secure Login Server/Client policy properties.
RSAServerIniFile
If the RSA Server version is 6.1, a copy of the RSA Server RADIUS message *.ini file (securid.ini) has to be present. Make sure you enter the full path and file name, for example: \Webapps\securelogin\WEB-INF\securid.ini
Options (SAPID)
Details
SAPServer
IP or URL of the SAP Server.
Client
SAP System ID.
SystemNo
SAP System Number.
SNCServerName
The DN of the SAP Server, as stated in the Server certificate. The subject DN of the X.509 certificate. For example: p:CN=SAP NetWeaver 2004, O=secude.local, C=DE
SAPaccount
The SAP user account name for the SECUDE Secure Login Server.
NativeLibraryPath
The folder of the native libraries and the SECUDE signon&secure package. NOTE: This configuration is a global Server Configuration property, which is also used by other JAAS modules.
PasswordMin
This parameter is part of the password policy for Client side policy consistency check, specifically the minimum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 1
PasswordMax
This parameter is part of the password policy for Client side policy consistency check, specifically the maximum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 30
PasswordAlphanumeric
This parameter is part of the password policy for Client side policy consistency check. Possible values: true (default): the password can contain only alphanumeric characters (A-Z, a-z, 0-9). false: the password can contain alphanumeric and special characters (such as !$%&). This parameter must be consistent with the SAP password policy.
Once you have selected the appropriate options click Test to check the validity of the Server information. If the parameters are correct a message will appear confirming a successful connection. If any parameter is incorrect an error message will appear. Click Save to be returned to the Authentication Server page.
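An added example (not SECUDE code) implementing the Client-side policy consistency check that the PinMin/PinMax/PinAlphanumeric and PasswordMin/PasswordMax/PasswordAlphanumeric options describe, with the defaults listed above, plus the administrator password rule from the Create Administrator Account page. The 'consistent_with' reading of "must be consistent with the SAP password policy" (the Client policy accepts nothing the SAP-side policy would reject) is an assumption.

```python
import string
from dataclasses import dataclass
from typing import List

ALPHANUMERIC = frozenset(string.ascii_letters + string.digits)


@dataclass(frozen=True)
class SecretPolicy:
    """Length bounds plus the alphanumeric flag with the meaning this
    section gives it: True = alphanumeric characters only (A-Z, a-z, 0-9),
    False = special characters such as !$%& are allowed as well."""
    min_len: int
    max_len: int
    alphanumeric: bool

    def check(self, secret: str) -> List[str]:
        """Return the policy violations for one PIN or password ([] = passes)."""
        problems: List[str] = []
        if len(secret) < self.min_len:
            problems.append(f"length below minimum of {self.min_len}")
        if len(secret) > self.max_len:
            problems.append(f"length above maximum of {self.max_len}")
        if self.alphanumeric:
            bad = sorted({c for c in secret if c not in ALPHANUMERIC})
            if bad:
                problems.append("non-alphanumeric characters: " + "".join(bad))
        return problems

    def consistent_with(self, server_policy: "SecretPolicy") -> bool:
        """Assumed reading of 'must be consistent with the SAP password policy':
        the Client-side policy must not accept a value the server would reject,
        so it may only be as strict as or stricter than the server policy."""
        return (self.min_len >= server_policy.min_len
                and self.max_len <= server_policy.max_len
                and (self.alphanumeric or not server_policy.alphanumeric))


# Defaults exactly as this section lists them.
RSA_PIN_DEFAULT = SecretPolicy(min_len=4, max_len=8, alphanumeric=False)
SAP_PASSWORD_DEFAULT = SecretPolicy(min_len=1, max_len=30, alphanumeric=True)


def check_admin_password(password: str) -> List[str]:
    """The administrator account rule from the Create Administrator Account
    page: 5 to 10 characters and at least one uppercase letter."""
    problems = SecretPolicy(min_len=5, max_len=10, alphanumeric=False).check(password)
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    return problems


if __name__ == "__main__":
    # Constructed sample values; none of these are real credentials.
    for pin in ("1234", "123", "ab$%12", "123456789"):
        print("RSA PIN", repr(pin), RSA_PIN_DEFAULT.check(pin))
    for pw in ("Abc123", "Abc$1"):
        print("SAP password", repr(pw), SAP_PASSWORD_DEFAULT.check(pw))
    for pw in ("Secur3!", "secure"):
        print("Admin password", repr(pw), check_admin_password(pw))
    client = SecretPolicy(min_len=8, max_len=30, alphanumeric=True)
    print("Client policy consistent with SAP default:",
          client.consistent_with(SAP_PASSWORD_DEFAULT))
```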
The Authentication Server page should now look something like this:
Figure 3-42 Server Setup Wizard – added Authentication Servers
As you can see, the page now contains an Authentication Server entry. You can now either click Edit to change any Authentication Server options, click Delete to remove an entry from the Authentication Server list, or click Add Server to add another Server to the configuration. If the Server entries are correct and complete, click Next to continue.
9. The Client Policy Configuration page will appear:
Figure 3-43 Server Setup Wizard – configure Client policy
This step will help you to enter Client policy information. A Client will need this information to communicate with the SECUDE Secure Login Server. At the end of the initial setup one Client policy file and two Windows registry files will be available for download (see step 10 on page 79) to be installed on each Client. The following options are available (all mandatory):
Option
Details
Policy URL*
The URL of the Clientpolicy.xml. It may be downloaded and installed to a Client system (see step 10 on page 79). For example: http:///SECUDE securelogin/ Clientpolicy.xml
Profile Name*
The name of Client profile.
Enroll URL*
The URL of the Secure Login Server to which the Client will connect. For example: https:///SECUDE securelogin/PseServer
Key Length*
The key length of the Client certificate.
Grace Period*
The grace period for the Client to connect to the Server.
Inactivity Period*
The maximum period of time the Client may be inactive.
Enter the Client policy details and click Next to continue.
10. The Setup Review page will appear:
Figure 3-44 Server Setup Wizard – Finish configuration
The configuration and initialization of Secure Login is now complete. If needed, click on each of the links and save the files to disk for further use:
PKI Certificate
- Root CA Keystore (RootCA.pse)
- Root CA Cert (RootCA.cer)
- SSL CA Keystore (SSLCA.pse)
- SSL Server Cert (SSLServer.cer)
- SSL Server KeyStore (PKCS#12) (ServerKeyStore.p12)
- SSL Server KeyStore (JKS) (SSLServer.jks). If you click this, the Privatekey Alias field will appear:
Figure 3-45 Server Setup Wizard – configure private key alias
Enter the private key alias and click OK to download the file.
Client Policy File (for import on each Client)
- ClientPolicy.xml
- customer.reg
- customerAll.reg
Click Finish to complete the initialization.
11. The completion page will appear:
Figure 3-46 Server Setup Wizard – completion
The wizard is now finished. Click Reload to reload the Secure Login application in the application Server (e.g. Tomcat). For information about how to open the Administration Console to perform further tasks refer to section 6.1 'Administration Console', on page 119. If the Administration Console login page does not appear, it may be necessary to restart the application Server manually.
3.6.3.2 Migrate from an Existing SECUDE Secure Login Server
Continue with this section if you selected Migrate from an existing SECUDE Secure Login Server in step 3 of section 3.6.3 on page 65.
1. The Enter the Web Root Path of the Existing Server page will appear:
Figure 3-47 Server Setup Wizard – migrate existing Server #1
Enter the root path of the Web application into the field Web Application Root Path and click Next to continue.
2. A success page will appear:
Figure 3-48 Server Setup Wizard – migrate existing Server #2
Click Reload to reload the Secure Login application in the application Server (e.g. Tomcat). For information about how to open the Administration Console to perform further tasks refer to section 6.1 'Administration Console', on page 119. If the Administration Console login page does not appear, it may be necessary to restart the application Server manually.
3.6.3.3 Restore from an Existing Secure Login Server Backup (*.zip) File
Continue with this section if you selected Restore from an existing backup (*.zip) file in step 2 of section 3.6.3.1 on page 67. Remember that this function only supports backup files created using Secure Login 5.x and 4.3.
1. The Select the backup file (*.zip) page will appear:
Figure 3-49 Server Setup Wizard – restore from backup file #1
Either:
- manually enter the path to the zipped backup file into the field Backup file, or…
- click Browse… to locate the zip file on the network or local drive.
Click Next to continue.
2. The Backup file information page will appear:
Figure 3-50 Server Setup Wizard – restore from backup file #2
Click Finish to restore the configuration.
3. If successful the following dialog will appear:
Figure 3-51 Server Setup Wizard – restore from backup file #3
Click Reload to reload the Secure Login application in the application Server (e.g. Tomcat). For information about how to open the Administration Console to perform further tasks refer to section 6.1 'Administration Console', on page 119. If the Administration Console login page does not appear, it may be necessary to restart the application Server manually.
3.6.4 Step 3 - Configure Authentication Server Communication
The next step is to configure the Server to communicate with the Authentication Server. There are several different authentication methods to configure, depending on which type of Authentication Server you want to use:
- If you are going to use a servlet engine-based Server (such as Apache Tomcat) then continue with the section below.
- If you are going to use a Radius/RSA Server continue with the Authentication Server description in section 3.6.4.2 on page 86.
- If you are going to use a SAP NetWeaver-based Server for SAP ID-based logon continue with the Authentication Server description in section 3.6.4.3 on page 87.
3.6.4.1 Configure the Secure Login Server for ADS/LDAP
The SECUDE Secure Login Server must now be configured for the respective Authentication Server, in this case for an Active Directory Server (ADS) or LDAP.
1. If you have not already done so, start the Administration Console and log on to Secure Login by entering the following in your Internet browser: http:///securelogin For example: http://localhost:8080/securelogin
2. If the LDAP connection between the SECUDE Secure Login Server and the Microsoft ADS has to be secure, you have to establish trust between the SECUDE Secure Login Server and ADS. The prerequisite for this is the certification authority (CA) certificate of the issuing instance (usually the root) of the ADS Server. To establish trust, the ADS Server CA certificate must be imported into the KeyStore via one of two methods:
- Either a signed certificate must be made available by the ADS administrator for import directly into Secure Login (via TrustStore management – see section 6.1.6 on page 141), or…
- …you can sign a certificate request for the Active Directory Server (SSL connection) via the Administration Console (via Sign ITS certificate – see section 6.1.14 on page 163) and generate a *.p7b file. Convert the *.p7b file into a certificate file (*.crt, *.cer). Now you must import the certificate into the TrustStore (via TrustStore management – see section 6.1.6 on page 141).
Ask your Microsoft ADS administrator to send you an export file containing this certificate. The public key infrastructure (PKI) on the ADS side is completely independent of the SECUDE Secure Login PKI. It is possible to convert the *.p7b file into a *.cer file via a number of tools. The usage of these tools is not part of this manual. Please refer to the third-party documentation.
3. The next step is to define the connection details between Secure Login and ADS. Click the Authentication Management node in the Administration Console.
4. Click Add Server and enter at least the following details into the appropriate fields:
Server Type: ADS or LDAP
LdapHost: ldaps://:636 For example: ldaps://testldap.secude.local:636
Test username: The username must include the domain name. For example: [email protected]
Once you have entered the Server details click Save. For further information about the Authentication Server parameters on this page refer to section 6.1.4 on page 128.
5. The Secure Login Server is now ready for ADS authentication.
6. Now configure the Secure Login Client. Click the Client configuration node in the Administration Console (see section 6.3.3 on page 183).
7. Click Applications and then Add application.
8. In the Add application page enter an Application name and PSEURI. A PSEURI may not be needed if a SAP certificate already exists – in which case you need only select the certificate from the SAP Server field and the PSEURI will automatically be entered. Once you have entered the application details click Save (this will take you back to the Client Policy management page). For further information about the Add application page refer to section 6.3.3.1 on page 184.
9. Click Profiles and then Add profile.
10. In the Add/Modify Client Profile page enter the profile details. Click Save. For further information about the Add/Modify Client Profile page refer to section 6.3.3.2 on page 187.
11. Click Files download and download the Client files according to your Client setup:
- Download the customerAll.reg file if you want to roll out a static policy to the Clients (the customerAll.reg file contains the information from the ClientPolicy.xml file).
- Download the customer.reg file if you want to roll out a dynamic policy to the Clients (the customer.reg file only contains information about where on a Server to obtain the entries of the ClientPolicy.xml file).
12. Roll out the customer.reg or customerAll.reg policy files to the Clients.
13. ADS can now be accessed using SSL. NOTE: SSL is used whenever an LDAP host address with port 636 is specified (LDAPS).
14. Multiple Authentication Server setup / instance management [optional]: If you use more than one Authentication Server and not all Servers have the same CA, you have to import the certificate of each CA into the Secure Login Server. For further information about instances refer to section 6.3.1 on page 179. You have to use a unique alias for each CA certificate!
3.6.4.2 Configure the Secure Login Server for RADIUS/RSA
The SECUDE Secure Login Server must now be configured for the respective Authentication Server, in this case for RADIUS/RSA.
1. If you have not already done so, start the Administration Console and log on to Secure Login by entering the following in your Internet browser: http:///securelogin For example: http://localhost:8080/securelogin
For advanced details about setting properties manually (not recommended), refer to section 9.2.3 'Configuration.properties', on page 248.
2. If you are using RSA Server v.6.1 (version 6.0 is not affected) copy the securid.ini file to the Secure Login WEB-INF directory. For example (Tomcat): \Webapps\securelogin\WEB-INF
Every time a message text entry in the securid.ini file is changed, the file must be re-copied to the Secure Login WEB-INF directory. The securid.ini file is not part of the Secure Login delivery package; it is part of the RSA Server 6.1 software. For further information please refer to the proprietary documentation. Secure Login depends on the following message text entries in the securid.ini file:
InputMustChoose_S_S = \r\nEnter a new PIN having from 4 to 8 digits:
InputNextCode = \r\nWait for token to change,\r\nthen enter the new tokencode:
InputReenterPin = \r\nPlease re-enter new PIN:
OutputChange = \r\nPIN Accepted.\r\nWait for the token code to change,\r\nthen enter the new passcode:
For passwords to be handled properly between SLS and RSA/RADIUS, the securid.ini file must be set up on both Servers. Follow these steps:
- For the RSA/Radius Server: copy/update the securid.ini file to: C:\Program Files\RSA Security\RSA Radius\Service\securid.ini and then restart the RSA/RADIUS services.
- For the Secure Login Server (Windows): copy the securid.ini file to the path set up in SLSJaasModule.login – RSAServerIniFile. For example: \Webapps\securelogin\WEB-INF
- For the Secure Login Server (Linux): copy the securid.ini file to the path set up in SLSJaasModule.login – RSAServerIniFile. For example: /var/lib/tomcat5.5/Webapps/securelogin/WEB-INF
By default the RSA/RADIUS services are not started automatically after a Server restart. To start them:
- Open the RSA Authentication Manager Control Panel > Start & Stop RSA Auth Mgr Services.
- Below Service Management, check Start and stop RADIUS Server together with authentication engine. [Edit…] Click Auto Start and check Automatically start services on system startup.
- Confirm and click Close.
3. The next step is to define the connection details between Secure Login and RADIUS/RSA. Click the Authentication Management node in the Administration Console (see section 6.1.4 on page 128).
4. Click Add Server and enter at least the following details into the appropriate fields:
Server Type: RADIUS
RadiusServerIP: Example: radius01.secudeTest.local
RSAServerIniFile: path to the securid.ini file (for example: \Webapps\securelogin\WEB-INF\securid.ini).
Once you have entered the Server details click Save. For further information about the Authentication Server parameters on this page refer to section 6.1.4 on page 128.
5. The Secure Login Server is now ready for RADIUS authentication.
6. Now configure the Secure Login Client. Click the Client configuration node in the Administration Console (see section 6.3.3 on page 183).
7. Click Applications and then Add application.
8. In the Add application page enter an Application name and PSEURI. A PSEURI may not be needed if a SAP certificate already exists – in which case you need only select the certificate from the SAP Server field and the PSEURI will automatically be entered. Once you have entered the application details click Save (this will take you back to the Client Policy management page).
9. For further information about the Add application page refer to section 6.3.3.1 on page 184.
3.6.4.3 Configure the Secure Login Server for SAP ID-Based Logon
The SECUDE Secure Login Server must now be configured for the respective Authentication Server, in this case SAP ID-based logon. Make sure that the following has been installed and configured on the SAP Server side before proceeding with this section:
- SECUDE signon&secure is installed and configured. Ensure that the SAP Server account is able to access the credentials and that the credentials are set for the correct user account.
- The user configured on the SAP Server for the SECUDE Secure Login Server access must be configured for the following:
  - SNC access: Note that the SNC Distinguished Name of the user must be the same as that used in the PSE files imported during the SSS&JCO installation.
  - A special set of privileges in their profile. These are: S_A.SCON, S_A.SYSTEM, S_USER_ALL, S_USER_RFC, Z_TRANS_RFC. For details about how to set a profile refer to the SAP administrator documentation.
- It is important to set the correct environment variables for SECUDE Signon&Secure. For details about the settings for both Unix and Windows-based Servers refer to section 7.5 on page 217.
1. If you have not already done so, start the Administration Console and log on to Secure Login by entering the following in your Internet browser: http:///securelogin For example: http://localhost:8080/securelogin For advanced details about the properties that can be configured, refer to section 9.2.3 'Configuration', on page 248.
2.
The next step is to install the SAP JCO libraries (one java library and two systemdependent native libraries) - SAP-Jco-2.1.8-platforms. The SAP JCO libraries are not part of the Secure Login delivery package. The libraries can be downloaded from http://service.sap.com/connectors (requires SAP account). For details about which library version is needed for Secure Login please contact SECUDE support. It has to be ensured that all referenced dynamic-linked libraries exist on the operating system. For example, on a Linux platform the referenced gcc libraries have to be present in the required version.
88
3.
Click the SSS&JCO installation node in the Administration Console (see section 6.1.12 on page 158).
4.
Install the SECUDE cryptolib package (in the delivery package ZIP file SECUDE51SecureLoginNativeComponents.zip), ticket, JCO, and JCO PSE.
5.
The next step is to define the connection details between Secure Login and SAP ID. Click the Authentication Management node in the Administration Console (see section 6.1.4 on page 128).
6.
Click Add Server and enter the Server details into the appropriate fields. Once you have finished click Save. For details about setting the Authentication Server parameters via the Administration Console refer to section 6.1.4 on page 128. For advanced details about each parameter, plus optional parameters, see section 9.2.4.3 „ JAAS Module Configuration Files for SAP ID‟, on page 260.
7.
The Secure Login Server is now ready for SAP ID-based logon.
8.
Now to configure the Secure Login Client. Click the Client configuration node in the Administration Console (see section 6.3.3 on page 183).
9.
Click Applications and then Add application.
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
10. In the Add application page enter an Application name and PSEURI. A PSEURI may not be needed if a SAP certificate already exists – in which case you need only select the certificate from the SAP Server field and the PSEURI will automatically be entered. Once you have entered the application details click Save (this will take you back to the Client Policy management page). 11. For further information about the Add application page refer to section 6.3.3.1 on page 184.
3.6.4.4 Configure the Secure Login Server for SAP Logon Ticket-Based Logon
The SECUDE Secure Login Server must now be configured for the respective Authentication Server, in this case SAP Logon Ticket-based logon.
1. If you have not already done so, start the Administration Console and logon to Secure Login by entering the following in your Internet browser: http:///securelogin For example: http://localhost:8080/securelogin For advanced details about the properties that can be configured, refer to section 9.2.3 „Configuration‟, on page 248.
2. The next step is to install the SAP Verification PSE and the SAP SSOEXT libraries (two system-dependent native libraries). The SAP Verification PSE can be exported from SAP NetWeaver Portal, or by the STRUST transaction in the ABAP Stack. The SAP SSOEXT libraries are not part of the Secure Login delivery package. The libraries can be downloaded from http://service.sap.com/connectors (requires SAP account). For details about which library version is needed for Secure Login please contact SECUDE support. It has to be ensured that all referenced dynamic-linked libraries exist on the operating system. For example, on a Linux platform the referenced gcc libraries have to be present in the required version.
3. Click the SSS&JCO installation node in the Administration Console (see section 6.1.12 on page 158).
4. Install the SAP Verification PSE, SAPSECU, and SAPSSOEXT.
5. The next step is to define the connection details between Secure Login and SAP Logon Ticket. Click the Authentication Management node in the Administration Console (see section 6.1.4 on page 128).
6. Click Add Server and enter the Server details into the appropriate fields. Once you have finished click Save. For details about setting the Authentication Server parameters via the Administration Console refer to section 6.1.4 on page 128. For advanced details about each parameter, plus optional parameters, see section 9.2.4.3 „JAAS Module Configuration Files for SAP ID‟, on page 260.
7. In the common Server configuration Native Library Path, the path to the SAPSECU and SAPSSOEXT libraries must be configured.
8. The Secure Login Server is now ready for SAP Logon Ticket-based login.
9. Now to configure the Secure Login Web Client. Click the Web Client configuration node in the Administration Console (see section 6.1.16 on page 183).

3.6.4.5 Configure the Secure Login Server for SQL Database-Based Logon
The SECUDE Secure Login Server must now be configured for the respective Authentication Server, in this case SQL Database-based logon.
1. If you have not already done so, start the Administration Console and logon to Secure Login by entering the following in your Internet browser: http:///securelogin For example: http://localhost:8080/securelogin For advanced details about the properties that can be configured, refer to section 9.2.3 „Configuration‟, on page 248.
2. The next step is to install the fitting Java database driver for your database. The Java database driver depends on the database system you have in use. Each database vendor provides such Java libraries (JAR), e.g. for MySQL, the JAR file mysql-connector-java-5.1.12 can be downloaded from http://dev.mysql.com/downloads/connector/j/ On Tomcat, the connector libraries need to be copied manually into a shared library folder. On SAP NetWeaver, connector libraries need to be deployed and configured with Visual Administrator.
3. The next step is to define the connection details between Secure Login and SAP Logon Ticket. Click the Authentication Management node in the Administration Console (see section 6.1.4 on page 128).
4. Click Add Server and enter the Server details into the appropriate fields. Once you have finished click Save. For details about setting the Authentication Server parameters via the Administration Console refer to section 6.1.4 on page 128. For advanced details about each parameter, plus optional parameters, see section 9.2.4.3 „JAAS Module Configuration Files for SAP ID‟, on page 260.
5. The Secure Login Server is now ready for SQL Database-based logon.
6. Now to configure the Secure Login Client. Click the Client configuration node in the Administration Console (see section 6.3.3 on page 183).
7. Click Applications and then Add application.
8. In the Add application page enter an Application name and PSEURI. A PSEURI may not be needed if a SAP certificate already exists – in which case you need only select the certificate from the SAP Server field and the PSEURI will automatically be entered. Once you have entered the application details click Save (this will take you back to the Client Policy management page).
9. For further information about the Add application page refer to section 6.3.3.1 on page 184.

3.6.5 Step 4 - Test SECUDE Secure Login Server
The following step describes how to test the Secure Login files deployed to the Server. Make sure that file name and path notations used in this step are correct for the target operating system.
1. In your browser, enter the following URL: http:///securelogin/admin/index.jsp For example: http://localhost:8080/securelogin/admin/index.jsp
2. If the deployment has been successful the SECUDE Secure Login Administration Console login page should appear:
Figure 3-52 Administration Console – login page
For further information about the Administration Console refer to section 6.1 on page 119. If the location of the SECUDE Secure Login Server configuration file is not specified correctly, the browser displays a red error message.
3.7 Remove SECUDE Secure Login Server
3.7.1 Remove SECUDE Secure Login Server - Tomcat
This section details the removal procedure for the Secure Login Server component from ADS, LDAP, RADIUS, and SAP ID Servers. It is recommended to backup the configuration and settings in case you want to use Secure Login again. For further information refer to section 6.1.9.1 on page 151.
1. Stop your Web application Server.
2. Delete the following directories/files:
/securelogin/
/securelogin.war
If you want to use Secure Login again follow the procedure as from section 3.2.
3.7.2 Remove SECUDE Secure Login Server – BEA WebLogic
1. Stop and delete securelogin.war in the BEA WebLogic console for BEA 9 and BEA 10.
2. Remove all files and directories under /Server/bin/myServer/stage/securelogin.war

3.7.3 Remove SECUDE Secure Login Server - SAP NetWeaver
This section details the removal procedure for the Secure Login Server component from SAP NetWeaver Servers. It is recommended to backup the configuration and settings in case you want to use Secure Login again. For further information refer to section 6.1.9.1 on page 151.
1. Logon to SAP Visual Administrator.
2. Select Server(x)>Services>Deploy, from the tree in the left-hand pane.
3. Select the deployed secude.com/SecureLogin component from the Runtime tab in the middle pane.
Figure 3-53 SAP Visual Administrator – locate Secure Login component
Click Remove on the right-hand side of the window.
4. A confirmation dialog will appear:
Figure 3-54 SAP Visual Administrator – removal confirmation dialog
Click OK.
4 Client Installation, Configuration, and Removal
Introduction
This chapter describes the configuration and installation of the SECUDE Secure Login Client. To save configuration time, install and rollout the Client AFTER you have fully installed and configured the Secure Login Server.
Sections in this Chapter
Section 4.1 „Prerequisites‟, on page 95
Section 4.2 „SECUDE Secure Login Client Preparation‟, on page 96
Section 4.3 „Client Rollout‟, on page 97
Section 4.4 „Remove SECUDE Secure Login Client‟, on page 106

4.1 Prerequisites
Introduction
This section lists the hardware and software requirements.
Contents
Section 4.1.1 „Hardware Requirements for SECUDE Secure Login Client‟, on page 95
Section 4.1.2 „Software Requirements for SECUDE Secure Login Client‟, on page 95
You will need administrator access rights to install the Secure Login package.
4.1.1 Hardware Requirements for SECUDE Secure Login Client
Hardware: Details
RAM: 256 MB minimal, 512 MB optimal.
Hard disk: 12 – 22 MB, depending on which SECUDE modules are installed.

4.1.2 Software Requirements for SECUDE Secure Login Client
For the…: …you require the following software
Operating System: Windows XP (SP3), Windows Vista, Windows 7, Citrix Terminal Server
Installation: Software for unpacking the zip installation package; MSI 3.1 installer
Customizing: MMC snap-in, if customizing with group policies is to be used (ADM templates are available)
System runtime environment: SAP NetWeaver ABAP 6.4 or higher. SECUDE Secure Login Server (unless existing PKI is used). Correctly installed smart card or Microsoft Crypto Store for respective authentication (see below).
Authentication with a Smart Card: As a precondition for authentication using smart cards, a smart card reader with a card driver (PKCS#11 middleware) must be installed. If smart cards other than TCOS are to be used, a card driver must also be available (TCOS cards are directly supported without an additional driver).
Authentication with Microsoft Crypto API: As a precondition for authentication using Microsoft Crypto API, a certificate in a CSP must be available by one of the following methods:
- Import of a PFX or P12 file into the personal Microsoft Crypto Store
- CSP on a smartcard
- Online certificate (for example, VeriSign, Web.de)
- Managed PKI software (for example, Entrust, Microsoft CA)
4.2 SECUDE Secure Login Client Preparation
The SECUDE Secure Login Client is delivered as a zip archive. This archive contains all of the files and data required to install the SECUDE Secure Login Client. Follow these steps to install the Secure Login Client:
1. Unpack the zip archive SECUDE42securelogin.zip to any directory.
2. Check the \customer\sample\ directory (this directory contains samples of the optional configuration files). The optional configuration files can be configured manually (see below) using the sample files. The configuration file secude.xml contains smart card-specific configuration settings, protocol settings, and the settings for the SECUDE crypto library. The secude.xml file is configured automatically. For information about the configuration of this file, please contact SECUDE technical support.
3. During installation, all of the files used to customize the product during installation must be located in the customer directory next to the MSI installer. The \customer\sample\ directory contains examples of all configurable files. The customer can adapt the sample files to fit the PKI and environment of the company. The MSI installer reads the following files in the customer folder during installation:
File: Used for…
bridge.p7c, bridge.p7s: A list of trusted trust-center certificates (root CAs). This is a digitally-signed set of DER-encoded certificates, which is used automatically for each PSE which has its own root CA stored in it. For further details about the extensions, refer to the file bridge.txt. For further details about the content, refer to the file certs.txt.
certs.p7c, certs.p7s: A list of certificates (CAs). This is a digitally-signed set of DER-encoded certificates, which is used automatically for each PSE where CA certificates are missing. For further details about the content, refer to the file certs.txt.
customer.reg: All Microsoft registry settings the customer can configure automatically (SECUDE tickets, group policies).
psesvc.xml: Overlay configuration for PSE Service smart card token, provided by SECUDE.
roots.p7b, root.cer: Root CA certificates of the SECUDE Secure Login Server‟s SSL peer that are trusted automatically for machine and users. For HTTPS trust, the SSL Server‟s Root CA certificate is added to the user‟s personal certificate store or the computer system certificate store, either „Trusted Root Certification Authorities‟ or „Enterprise Trust‟. Formats: A single certificate or PKCS#7 certificate list, DER or base64 encoded.
ticket.snc: Customer-specific SECUDE file ticket for SAP SNC/GSS.
ticket.ssf (optional): Customer-specific SECUDE file ticket for SAP SSF.
token_prompted.bmp: Custom bitmap picture for all SECUDE Secure Login profiles with password prompt in the login dialog box. It overwrites the default bitmap and must be 200x90 pixels and have a 24-bit color depth.
token_smartcard.bmp: Custom bitmap picture for all smart card or Microsoft CAPI profiles with PIN prompt in the login dialog box. It overwrites the default bitmap and must be 200x90 pixels and have a 24-bit color depth.
token_soft.bmp: Custom bitmap picture for all soft-token profiles with password prompt in the login dialog box. It overwrites the default bitmap and must be 200x90 pixels and have a 24-bit color depth.
token_windows.bmp: Custom bitmap picture for all SECUDE Secure Login profiles with Windows credentials in the login dialog box. It overwrites the default bitmap and must be 200x90 pixels and have a 24-bit color depth.
4. If necessary, you can now customize the Secure Login Client: The SECUDE Secure Login Client (SLC) system service is a standard component of the SECUDE Secure Login Client, which (among other things) is responsible for communication with the SECUDE Secure Login Server for logging in using Windows credentials. Another task of the SLC system service is to obtain the latest Client policy. This could be done, for example, by downloading a policy file from a given URL (the policy Server) during start up or regularly via a configurable time interval. The XML formatted policy file (see section 9.1.1 „ClientPolicy.xml File‟ on page 239) is translated into Windows registry database keys and values after a successful verification. If the policy download is not successful, the existing policy is kept. The policy download from the policy Server can be replaced by configuring the SECUDE Secure Login Client using Microsoft group policies (see section 9.1.4 „ClientPolicy.xml File‟ on page 245).
A combination of an XML file on the policy Server and MS group policies is not recommended. The properties for the SLC system service can be configured using the customer.reg file or can be integrated in the company‟s group policies. The property names are not case-sensitive. For further information about the registry entries refer to section 9.3 „Secure Login Client Registry Values‟ on page 264.
4.3 Client Rollout
Introduction
The SECUDE Secure Login Client is usually installed on a large number of systems. Therefore, the Client setup is usually performed as an unattended installation using Microsoft MSI. The Client setup is implemented as an MSI 3.1 package. During installation, all files used to customize the product during installation are stored in the customer subfolder, which must be located in the same directory as the MSI setup. The MSI setup reads and copies them during installation.
Contents
Section 4.3.1 „Installation‟, on page 98
Section 4.3.2 „Command Line Options to Influence the MSI Setup‟, on page 103
4.3.1 Installation
Before proceeding with this section make sure that it is the stand-alone Client you want to install and not the Web Client. For details about the Web Client installation refer to chapter 5 ‘Secure Login plus Web Client - Installation, Usage, and Removal’ on page 109. The installation wizard is usually used for a single installation of the Group Policies.
1. Double-click the MSI installer SECUDE Secure Login.msi.
2. The welcome dialog will appear:
Figure 4-1 installation – welcome dialog
Click Next.
3. The program information appears:
Figure 4-2 installation – program information dialog
Click Next.
4. The license agreement appears:
Figure 4-3 installation – license agreement dialog
Check I accept the terms of the license agreement and click Next.
5. The setup type dialog appears:
Figure 4-4 installation – setup type dialog
- Check Complete if you want to install all of the features (go to step 7).
- Check Custom if you want to install specific features (go to step 6).
The installer contains the following components (components marked with * are preselected by default):
Component: Details/Value
Business Client addins:
- SNC/GSS (primary)* - This installs the primary SAP Secure Network Communication support addin for SAP Clients.
- SNC/GSS (secondary) - This installs the secondary SAP Secure Network Communication support addin for SAP Clients. (Only required if another SNC library is already installed. SNC/GSS (primary) must be de-selected in this case.)
- SSF - This installs the SAP Secure Store and Forward support addin for SAP Clients.
SECUDE Secure Login:
- Secure Login system service:
  - Windows Network Provider addin* - Network provider addin for retrieving Windows credentials for authentication against Active Directory.
  - Windows Kerberos addin - Secure Login addin to use local Windows Kerberos authentication against a local Secure Login service for CITRIX.
Profile Management*:
- PSE Service* - Personal Security Environment user service.
- Security Tokens*:
  - Smartcard support* - PKCS#11 and TCOS-based smart card token plugins.
  - CAPI support* - Microsoft CryptoAPI token plugin.
SECUDE CSP*: SECUDE cryptographic service provider.
Group Policies: Microsoft group policy templates (ADM files).
Notification: Notification service and GUI for tracing purposes.
Once you have chosen a setup type click Next.
6. If you chose to install specific features in the previous dialog, the custom setup dialog appears:
Figure 4-5 installation – custom setup dialog
- Select the features you wish to install and click Next.
- If you want to prevent the installation of a component, click on the hard drive symbol next to the component and select The feature will not be available from the context menu:
Figure 4-6 installation – component selection
- To return to the default selection click Reset.
- Once you have made your selection click Next.
7. The ready to install dialog appears:
Figure 4-7 installation – ready to install dialog
Click Install.
8. The installation status dialog appears:
Figure 4-8 installation – installation status dialog
The installation may take a few minutes, so please be patient.
9. Once the installation is complete the following dialog appears:
Figure 4-9 installation – completion dialog
Click Finish. The installation is now complete.
10. It is necessary to restart the computer to start using Secure Login. Click Start>Shutdown>Restart to restart.
Further Information
Section 4.3.2 „Command Line Options to Influence the MSI Setup‟, on page 103

4.3.2 Command Line Options to Influence the MSI Setup
Introduction
This section details command line options that can influence the Microsoft installer (MSI) setup.
Contents
Section 4.3.2.1 „Standard MSI Options‟, on page 103
Section 4.3.2.2 „Secure Login MSI Options‟, on page 104

4.3.2.1 Standard MSI Options
To help you understand the MSI options, open a command shell and enter the following syntax:
msiexec /?
The following dialog will be displayed:
Figure 4-10 installation – restart dialog
4.3.2.2 Secure Login MSI Options
To view the options specific to the SECUDE Secure Login setup, open a command shell and enter the following syntax:
msiexec /i “\SECUDE Secure Login.msi” HELP=1
For example:
msiexec /i “C:\SECUDE Secure Login.msi” HELP=1
The following dialog will be displayed:
Figure 4-11 installation – restart dialog
The components that can be installed individually have the following syntax and meaning (features marked with * are installed by default if no specific components are selected):
Feature abbreviation for command line syntax (package name in custom setup): Description
ProfileManagement (Profile management): User components.
PSE Service (PSE Service): User GUI and SSO process.
Token (Security tokens): Persistent security tokens.
Capi (CAPI support*): Microsoft Crypto API token plug-in.
Smartcard (Smartcard support*): PKCS#11 and TCOS based smartcard token plug-ins.
CSP (SECUDE CSP*): Cryptographic service provider plug-in for the Microsoft Crypto API.
GroupPolicies (Group Policies): Group policies, ADM files.
Notification (Notification): Notification service and viewer for SECUDE applications.
secure_login (SECUDE Secure Login*): Credentials-based certificate enrollment.
secure_login_Pepperbox (n/a): Basic non-persistent tokens support.
secure_login_Kerberos (Windows Kerberos addin): Kerberos support.
secure_login_NetworkProvider (Windows network provider addin*): Network provider add-in for retrieving Windows credentials.
secure_login_Service (Secure login system service*): SECUDE Secure Login system service for policy download and Windows credentials management.
signon_secure (Business Client addins): SAPGUI security component.
signon_secure_SNC (SNC/GSS (primary)*): SAP Secure Network Communication support.
signon_secure_SSF (SSF): SAP Secure Store and Forward support.
For a full list of components installed by default (i.e. when no specific components are installed) refer to section 4.3.1, step 5, on page 99.

Example Installation Syntax 1
This example has been put together to achieve the following:
- Install SECUDE Secure Login without the user wizard but with the progress bar; do not install the Windows login component (option qb).
- Set the personal security environment (PSE) path to that of the subfolder SECUDE in the user profile (option CREDDIR=$USERPROFILE$\SECUDE).
- Install German language modules only (option LANG=1031).
- Install programs into the default folder; do not install ADM files for group policy support (option qb).
- Add massive logging (option l*v sl.log).
So, to achieve the above the syntax should be as follows:
msiexec.exe /i “C:\SECUDE Secure Login.msi” /qb /l*v sl.log ADDLOCAL=ALL REMOVE=secure_login_NetworkProvider,GroupPolicies CREDDIR=$USERPROFILE$\SECUDE LANG=1031
If you execute the above syntax then you will notice after the installation that both the German and the English GUI have been installed. This is because English language support cannot be de-selected as it is the fallback GUI. No reboot is required. The system tray icon is displayed, and enrolment profiles are provided immediately.
Example Installation Syntax 2
This example has been put together to demonstrate a simple installation and feature selection:
Msiexec /i "SECUDE Secure Login.msi" INSTALLDIR="C:\Program Files\SECUDE\SL" LAUNCH=1 LANG=0000 ADDLOCAL=ALL REMOVE=Notification,GroupPolicies,Smartcard,secure_login_Kerberos
In most cases, the easiest way is to install all but a few features, which is best configured by ADDLOCAL=ALL REMOVE=feat1,feat2,…
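An unattended rollout built from the feature table above, as an added PowerShell example that is not part of the SECUDE manual or product: it validates the REMOVE= list against the documented feature abbreviations before anything is installed, builds the msiexec argument list, and maps the msiexec exit code to the follow-up action. The MSI path, the log file name and the exit-code handling are assumptions; the feature names are taken verbatim from the table.

```powershell
# Added example, not SECUDE's code. Builds and (optionally) runs an unattended
# msiexec installation of the Secure Login Client. Assumptions: MSI path and
# log file name are illustrative; exit codes are the standard Windows Installer
# codes (0, 3010 = reboot required, 1641 = reboot initiated).

# Feature abbreviations exactly as the manual's table lists them.
$script:SecureLoginFeatures = @(
    'ProfileManagement', 'PSE Service', 'Token', 'Capi', 'Smartcard', 'CSP',
    'GroupPolicies', 'Notification', 'secure_login', 'secure_login_Pepperbox',
    'secure_login_Kerberos', 'secure_login_NetworkProvider', 'secure_login_Service',
    'signon_secure', 'signon_secure_SNC', 'signon_secure_SSF'
)

function New-SecureLoginMsiArguments {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [string[]] $Remove  = @(),                    # features to leave out via REMOVE=
        [string]   $CredDir = '$USERPROFILE$\SECUDE', # PSE folder, as in Example Syntax 1
        [int]      $Lang    = 1031,                   # 1031 = German; English stays as fallback
        [string]   $LogFile = 'sl.log',               # verbose MSI log (/l*v)
        [switch]   $NoUI                              # /qn (fully silent) instead of /qb
    )

    # Validate up front: a misspelled feature in REMOVE= is otherwise only
    # reported by the installer after it has started, and only in the log.
    $unknown = @($Remove | Where-Object { $script:SecureLoginFeatures -notcontains $_ })
    if ($unknown.Count -gt 0) {
        throw "Unknown Secure Login feature(s): $($unknown -join ', ')"
    }
    # Removing the network provider drops Windows-credentials logon on this Client.
    if ($Remove -contains 'secure_login_NetworkProvider') {
        Write-Warning 'Windows credentials logon will not be available on this Client.'
    }

    $argList = @(
        '/i', ('"{0}"' -f $MsiPath),
        $(if ($NoUI) { '/qn' } else { '/qb' }),
        '/l*v', ('"{0}"' -f $LogFile),
        'ADDLOCAL=ALL'
    )
    if ($Remove.Count -gt 0) {
        # Quote the value so a feature name containing a space survives parsing.
        $argList += ('REMOVE="{0}"' -f ($Remove -join ','))
    }
    $argList += ('CREDDIR="{0}"' -f $CredDir)
    $argList += ('LANG={0}' -f $Lang)
    return $argList
}

function Invoke-SecureLoginMsi {
    param([Parameter(Mandatory)] [string[]] $ArgumentList)
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $ArgumentList -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return 'Installed; no restart requested by the installer.' }
        3010    { return 'Installed; restart the computer before using Secure Login.' }
        1641    { return 'Installed; the installer has initiated a restart.' }
        default { throw "msiexec exited with $($proc.ExitCode); check the /l*v log." }
    }
}

# Reproduces the manual's Example Installation Syntax 1 as an argument list.
$argList = New-SecureLoginMsiArguments -MsiPath 'C:\SECUDE Secure Login.msi' `
               -Remove 'secure_login_NetworkProvider', 'GroupPolicies'
Write-Output ('msiexec.exe ' + ($argList -join ' '))
# Uncomment to run the installation (requires administrator rights):
# Invoke-SecureLoginMsi -ArgumentList $argList
```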
4.4 Remove SECUDE Secure Login Client
This section details the removal procedure for the Secure Login Client component. It is recommended to backup any certificates you may have imported into the PSE service before removing the Secure Login Client component.
1. Start the removal procedure via one of the following options:
- Open a command box and enter msiexec /i “SECUDE Secure Login.msi”
- Double-click the SECUDE Secure Login.msi installer
- Click Start>Control panel>Add and Remove Programs, select SECUDE Secure Login from the list and click Remove
2. The Welcome dialog will appear:
Figure 4-12 removal – welcome dialog
Click Next.
3. The Program Maintenance dialog appears:
Figure 4-13 removal – program maintenance dialog
Check Remove and click Next.
4. The Remove Program dialog appears:
Figure 4-14 removal – remove program dialog
Click Remove.
5. The status of the removal will be displayed:
Figure 4-15 removal – removal status dialog
6. If the removal is successful the following dialog will appear:
Figure 4-16 removal – welcome dialog
Click Finish.
5 Secure Login plus Web Client - Installation, Usage, and Removal
Introduction
This chapter details how to install, use, and remove the Secure Login Web Client. The Web Client installation is not just the Web Client but rather the complete Secure Login Server plus Web Client. Make sure that it is this version of Secure Login (i.e. with Web Client) you want to deploy before proceeding with this chapter. For details about the standard installation refer to chapter 3 ‘Server Installation, Configuration, and Removal’ on page 32. Currently, there is no version of the Web Client for BEA WebLogic. The installation routine also differs slightly from the standard installation:
- The Secure Login Web Client installation routine for Tomcat is similar to the standard Secure Login installation to Tomcat but there are several extra steps: deploy the Apache Axis2 Web service architecture within Tomcat, and deploy the Secure Login Web service within Axis2.
- The Secure Login Web Client installation routine for NetWeaver is the same as the standard Secure Login installation to NetWeaver with the exception that a different archive is deployed.
Contents of Web Client Delivery Package
Within the main delivery package (SECUDE51secureloginServer.zip) the Web Client directories for Tomcat and NetWeaver contain the following files:
For Apache Tomcat (Tomcat WS):
- axis2.war - AXIS2 Web application from Apache (version 1.4).
- shared.zip - All Secure Login JAR files (SECUDE + third party) as well as Server message files.
- iaik_jce_full.jar - Institute for Applied Information Processing and Communication (IAIK) provider for the Java Cryptography Extension (JCE).
- opencsv-1-7-1.jar - opencsv is a very simple csv (comma-separated values) parser library for Java.
- radClient3.jar – Radius Client application.
- SECUDE-JavaSDK.jar – SECUDE Java SDK.
- SECUDE-SecureLogin.jar – SECUDE Secure Login application.
- SECUDE-Transfair.jar – SECUDE Secure Login application framework.
- ServerMsg.properties – The file that contains the default Server messages (will be duplicated when creating a new Server messages file in an alternate language).
- ServerMsg_de.properties - Server messages file in English.
- ServerMsg_en.properties - Server messages file in German.
- SlsWebClient.war – The Secure Login Web Client.
- securelogin.war - The main Secure Login file including the Administration Console (but without JAR files and Server message files).
- secureloginservice.aar - Secure Login AXIS2 Web Service.
For SAP NetWeaver (NetWeaver WS):
- secureloginservice.ear – Enterprise archive containing all of the necessary components ready for deployment. This includes the Web Service and Web Client.
Sections in this Chapter
Section 5.1 „Prerequisites‟ on page 110
Section 5.2 „Preparing the Server for Installation‟ on page 111
Section 5.3 „Install and Configure the Web Client‟, on page 112
Section 5.4 „Use the Web Client‟, on page 115
Section 5.5 „Remove the Web Client‟, on page 117
5.1 Prerequisites
This section lists the hardware and software requirements for Secure Login and the Web Client.
Prerequisite for…: Details
Secure Login Server: The hardware/software requirements are the same as the standard Secure Login installation. For a complete list of requirements please refer to section 3.1 on page 33.
Secure Login Web Client:
Supported operating systems:
- Windows
- Linux
- Mac OS X
- Others (depending on the SECUDE C-SDK)
System requirements:
- Java 1.5 or higher browser plug-in
- SAPGUI for Java
- SAPGUI for Windows (limited)
Supported Internet browsers:
- Linux Konqueror
- Mozilla Firefox 2.x, 3.x or any other Mozilla-based Web browser
- Microsoft Internet Explorer 6/7
- Apple Safari 3.x
Supported Operating Systems for SAP-ID-based authentication (SunOS/Solaris/HP-UX have no Web Client support, Mac OSX has no Server support):
- Linux-i686-2.2-GLIBC2.1-mt-32
- Linux-i686-2.4-GLIBC2.2-mt-32
- Linux-i686-2.6-GLIBC2.3-mt-32
- Linux-i686-2.6-GLIBC2.7-mt-32
- MacOSX10.4-mt-32
- SunOS-sparc-5.10-mt-32
- SunOS-sparc-5.10-mt-64
- SunOS-sparc-5.8-mt-32
- SunOS-sparc-5.8-mt-64
- Windows-i686-VS7.1-mt-32
- HP-UX 11.11 (PA-RISC)
- HP-UX 11.23 (Itanium)
The native components for each OS are part of the delivery package.
5.2 Introduction
Preparing the Server for Installation The Server must be prepared for the installation of Secure Login plus the Web Client. If you have already prepared the Server go to the next section to start with the installation. If you have not prepared the Server, the following list indicates what must be installed and configured before starting with the installation of SECUDE Secure Login: Install the operating system (plus updates if necessary). Install Java (JCE will be automatically installed). Install the application Server. This manual does not detail the installation and configuration of the above mentioned software. It is assumed that the knowledge and skills necessary to perform the Server preparation is already present and must not be documented.
Contents of Delivery Package
Secure Login is delivered as a series of ZIP files. The contents of each ZIP file are as follows:

SECUDE51SecureLoginNativeComponents.zip
This file contains the necessary native Secure Login components for each supported platform:
- \extra: Example secude.xml file
- \SSS+JCO: Native components for the Signon&Secure and JCO installation
- \WebClient: Native components necessary to run the Web Client

SECUDE51SecureLoginServer.zip
- \doc: This directory contains the documentation, license agreements, and readme files.
- \SECUDE51SecureLoginServer.zip: Despite having the same name as the file containing it, this ZIP file contains the standard Secure Login applications as well as the Web Client variants:
  - \NetWeaver\securelogin.ear: Standard Secure Login application for SAP NetWeaver, to work with the Secure Login Client.
  - \NetWeaver WS\secureloginservice.ear: The Web Client version of Secure Login for SAP NetWeaver.
  - \Tomcat\securelogin.war: Standard Secure Login application for Apache Tomcat, to work with the Secure Login Client.
  - \Tomcat WS\axis2.war, securelogin.war, secureloginservice.aar, shared.zip, SlsWebClient.war: The Web Client version of Secure Login for Apache Tomcat plus the secondary files necessary for operation.
Prepare the Files
In preparation for installation, it is recommended to unpack the ZIP archive SECUDE51SecureLoginServer.zip to produce the four application sub-directories, as well as SECUDE51SecureLoginNativeComponents.zip to produce the files for the native components.
This manual contains steps in which it is necessary to choose and confirm passwords. For reasons of security, Secure Login will only allow you to choose passwords that are hard to guess (i.e. a mix of uppercase/lowercase letters, digits, and special characters).
5.3 Install and Configure the Web Client
The Web Client itself is delivered in two versions: one for Apache Tomcat and one for SAP NetWeaver. The next two sub-sections detail the installation steps for the Secure Login Web Client on both systems.

Sections
Section 5.3.1 'Web Client installation on Tomcat', on page 112
Section 5.3.2 'Web Client Installation on NetWeaver', on page 114

5.3.1 Web Client installation on Tomcat
1. If necessary, stop Tomcat.
2. Unpack the contents of the file shared.zip located in the directory SECUDE51SecureLoginServer/Tomcat WS/ (in the delivery package, see section 5.2 on page 111). This step differs according to the version of Tomcat you use:
   - Tomcat 6: Unzip the content directly to the directory \shared.
   - Tomcat 5:
     - Unzip the *.properties files to the directory \shared\classes
     - Unzip the *.jar files to the directory \shared\lib
   Apache Tomcat 6.x does not use a 'shared' directory as standard; it must therefore not only be created but also manually entered into the Tomcat configuration (failure to do so will result in errors such as 'SecudeJavaSDK not found' and 'JRE Policy not implemented' even though the components are in the correct directory):
   - Create the shared directory directly under the Tomcat home directory, for example: \shared
   - Open the Tomcat properties file catalina.properties in the directory \conf in a text editor. Locate the following section:

       # List of comma-separated paths defining the contents of the "shared"
       # classloader. Prefixes should be used to define what is the repository type.
       # Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
       # the "common" loader will be used as Catalina's "shared" loader.
       # Examples:
       #     "foo": Add this folder as a class repository
       #     "foo/*.jar": Add all the JARs of the specified folder as class
       #                  repositories
       #     "foo/bar.jar": Add bar.jar as a class repository
       # Please note that for single jars, e.g. bar.jar, you need the URL form
       # starting with file:.
       shared.loader=

   - Change the last line to read:

       shared.loader=${catalina.home}/shared,${catalina.home}/shared/*.jar

   - Save the changes and close the text editor.
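As an added example that is not part of the SECUDE manual or its tooling, the following POSIX shell helpers apply the shared.loader change above to catalina.properties and then check that the Web Client libraries the manual lists for the Tomcat 6 shared directory (the same files named in the removal list of section 5.5) are actually present, which is the usual cause of the 'SecudeJavaSDK not found' error. The properties file and the shared directory are passed in as arguments by the administrator.

```shell
#!/bin/sh
# Added example (not SECUDE tooling): wire the Tomcat 6 'shared' directory
# into catalina.properties and verify the Web Client components are in it.

# Desired value of the shared.loader key, exactly as given in the manual.
SHARED_LOADER_VALUE='${catalina.home}/shared,${catalina.home}/shared/*.jar'

# set_shared_loader <catalina.properties>
# Replaces the single "shared.loader=" line and leaves every other line
# untouched. Returns 1 if the key is absent (wrong file or wrong Tomcat).
set_shared_loader() {
    props="$1"
    if ! grep -q '^shared.loader=' "$props"; then
        echo "set_shared_loader: no shared.loader key in $props" >&2
        return 1
    fi
    # '|' is the sed delimiter because the value contains '/' characters.
    tmp="$props.tmp.$$"
    sed "s|^shared.loader=.*|shared.loader=$SHARED_LOADER_VALUE|" "$props" > "$tmp" &&
        mv "$tmp" "$props" || return 1
    # Confirm the exact line now exists (fixed-string, whole-line match).
    grep -qxF "shared.loader=$SHARED_LOADER_VALUE" "$props"
}

# check_shared_components <shared-dir>
# Checks for the files the manual expects under <tomcat-home>/shared on
# Tomcat 6 and reports any that are missing. Returns 0 only if all exist.
check_shared_components() {
    shared="$1"
    missing=0
    for f in iaik_jce_full.jar opencsv-1-7-1.jar radClient3.jar \
             SECUDE-JavaSDK.jar SECUDE-SecureLogin.jar SECUDE-Transfair.jar \
             ServerMsg.properties; do
        if [ ! -f "$shared/$f" ]; then
            echo "check_shared_components: missing $shared/$f" >&2
            missing=1
        fi
    done
    return $missing
}
```

Run both functions after unpacking shared.zip and before starting Tomcat; a non-zero exit from either means the classloader will not see the Web Client components.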
3. Copy the file securelogin.war from the delivery package to \Webapps.
4. Start Tomcat to deploy the securelogin.war file.
5. Start the Administration Console and create your basic configuration (see section 6.1 on page 119). Once completed, log out of the console.
6. Deploy the file axis2.war by copying it from the delivery package to the directory \Webapps. The deployment should be automatic but if not, restart Tomcat.
   When configuring an SAP-ID-based Authentication Server, the Administration Console will usually take care of the signon&secure/JCO installation. This includes copying the file sapjco.jar to the directory \Webapps\securelogin\WEB-INF\lib. This also applies to the AXIS Web Client scenario, where the file sapjco.jar is copied to the 'shared' directory:
   - For Tomcat 5.x: \shared\lib
   - For Tomcat 6.x: \shared
   However, for the AXIS Web Client scenario, if you have not set the option TomcatSharedPath on the Administration Console page Web Client Configuration, you will have to copy the sapjco.jar file manually to the respective Tomcat 5.x/6.x directory. For further details about the Web Client Configuration node refer to section 6.1.16 on page 166.
7. Deploy the file secureloginservice.aar by copying it from the delivery package to the directory \Webapps\axis2\WEB-INF\services. The deployment should be automatic but if not, restart Tomcat.
8. Open the file \Webapps\axis2\WEB-INF\Web.xml in a text editor. Locate and remove the line XXX. Save the file and close the editor.
9. Deploy the file SlsWebClient.war by copying it from the delivery package to the directory \Webapps.
   The Tomcat Security Manager
   Usually, after a fresh Tomcat installation, the Tomcat Security Manager is deactivated. However, if it is active then errors such as 'SecudeJavaSDK not found' and 'JRE Policy not implemented' may occur despite the fact that everything in the configuration appears to be as it should. The Tomcat Security Manager must be deactivated:
   - For Tomcat 5.5 under Linux: the following security manager option is located in the Tomcat start script in the directory init.d:

       #Use the Java security manager? (yes/no)
       #TOMCATS_SECURITY=yes

     Either comment it out or set it to no.
   - For Windows: the security manager is usually started using the runtime option -security. Do not use this option.
   Change default Apache Axis2 administration account
   Apache Axis2 also has an administration front-end. It is available via the URL http://localhost:8080/axis2/axis2-admin/ and allows the upload (and hence the change) of Web Service Archives and the activation/deactivation of deployed services. The front-end is shipped with a default account: user=admin, password=axis2. This of course presents a security issue, and it is therefore recommended that the Secure Login administrator change the password of the AXIS2 admin front-end. This can be accomplished as follows:
   - Open the axis2.xml file in the Server directory Webapps\axis2\WEB-INF\conf\.
   - Locate the following lines (the administration user name and password):

       admin
       axis2

   - Change both entries accordingly.
10. Start the Administration Console and log in. Click the Web Client Configuration node to start configuring the Web Client (see section 6.1.16 on page 166).
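As an added example that is not part of the manual or of Apache Axis2, the following POSIX shell functions check whether an axis2.xml still carries the shipped admin/axis2 account and replace the password. They assume the stock Axis2 layout in which the user name and password are the text of single-line <parameter name="userName"> and <parameter name="password"> elements; those element names are an assumption, since the manual shows only the two values.

```shell
#!/bin/sh
# Added example (not SECUDE or Apache Axis2 tooling): audit and change the
# Axis2 administration account in axis2.xml.
# Assumption: the account is stored as two single-line elements,
#   <parameter name="userName">admin</parameter>
#   <parameter name="password">axis2</parameter>

# axis2_param <axis2.xml> <name>
# Prints the text content of the first <parameter name="<name>"> element.
axis2_param() {
    sed -n 's|.*<parameter name="'"$2"'">\(.*\)</parameter>.*|\1|p' "$1" | head -n 1
}

# axis2_has_default_admin <axis2.xml>
# Returns 0 if the shipped default account (admin / axis2) is still active,
# 1 if it has been changed, 2 if the file does not carry both parameters.
axis2_has_default_admin() {
    user=$(axis2_param "$1" userName)
    pass=$(axis2_param "$1" password)
    if [ -z "$user" ] || [ -z "$pass" ]; then
        echo "axis2_has_default_admin: cannot read admin account from $1" >&2
        return 2
    fi
    if [ "$user" = "admin" ] && [ "$pass" = "axis2" ]; then
        echo "axis2_has_default_admin: $1 still uses the default Axis2 admin account" >&2
        return 0
    fi
    return 1
}

# axis2_set_admin_password <axis2.xml> <new-password>
# Rewrites the password element in place. The new password must not be empty
# and must not contain | & \ < or >, which would break the sed replacement
# or the XML text node.
axis2_set_admin_password() {
    file="$1"; newpass="$2"
    case "$newpass" in
        ""|*"|"*|*"&"*|*"\\"*|*"<"*|*">"*)
            echo "axis2_set_admin_password: empty password or unsupported character" >&2
            return 1 ;;
    esac
    tmp="$file.tmp.$$"
    sed 's|<parameter name="password">.*</parameter>|<parameter name="password">'"$newpass"'</parameter>|' "$file" > "$tmp" &&
        mv "$tmp" "$file" || return 1
    # Verify the change actually landed.
    [ "$(axis2_param "$file" password)" = "$newpass" ]
}
```

Run axis2_has_default_admin against every deployed axis2.xml after installation and again after each upgrade, since redeploying axis2.war restores the shipped file.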
Next Step
- Configure the Secure Login Server using the Administration Console, see section 6.1 'Administration Console' on page 119.
- Start and use the Web Client, see section 5.4 'Use the Web Client' on page 115.
5.3.2 Web Client Installation on NetWeaver
The Web Client installation for NetWeaver is exactly the same as the standard Secure Login installation detailed in section 3.7 on page 91. However, instead of deploying the standard Secure Login application (securelogin.ear) you deploy the Web Service application secureloginservice.ear (located in the NetWeaver WS directory in the delivery package).
Next Step
- Configure the Secure Login Server using the Administration Console, see section 6.1 'Administration Console' on page 119.
- Start and use the Web Client, see section 5.4 'Use the Web Client' on page 115.
5.4 Use the Web Client
This section describes how to open and use the Secure Login Web Client. Only use the Web Client once you have finished configuring not only the Secure Login Server but also the Web Client settings via the Administration Console (see sections 6.1 on page 119 and 6.1.16 on page 166 respectively).
1. Enter the following URL in your Internet browser: http:///SlsWebClient
   A security warning to confirm the digital signature of the Web Client Applet may appear. If so, confirm the signature to proceed with loading the Web Client. You can choose to confirm the signature either once or always; choosing 'always' will mean that the security warning will reappear the next time you want to log on to the Web Client.
2. The Web Client login page will appear:
   Figure 5-1 Web Client – login page
3. Enter your Username and Password, and select a Server to log on to from the Server combo-box. The next step will differ according to the Server you are about to authenticate to and log on to:
   - If you have configured the Web Client to start the SAP interface directly without calling the SAP logon dialog first (Web Client Configuration node > SAP GUI Management), the next screen you should see is the SAP interface. The procedure ends with this step.
   - If you have configured the Web Client to start the SAP logon dialog, the SAP Logon dialog will appear. Go to the next step.
4. On Windows Clients only: The new user certificate is propagated into the Windows Certificate Store in the background. Internet Explorer can use it for certificate-based authentication when an SSL-protected Web page is opened.
5. The SAP Logon dialog/GUI will appear (if the SAP Logon GUI for Java is correctly installed, it will take preference over the SAP Logon GUI for Windows):
   Figure 5-2 Web Client – SAP Logon GUI (left: Windows, right: Java)
Web Client Logging
When logging in via the SAP Logon dialog/GUI, user information is stored in the local user directory. For Windows this directory is C:\Documents and Settings\\secudesnc. The directory will contain some, or all, of the following files:
- ComSecudeUtil.dll: SECUDE library copied over from the Server
- cred_v2: Credentials file
- SapProfile.sap: SAP profile
- secude.dll: SECUDE library copied over from the Server
- SecudeSNCApplet.log: log file of Web Client activity
- SNC.pse: SNC personal security environment
- ticket.snc: license file copied over from the Server
- user.properties: user properties file containing the username, date+time, and SNC version
- version.txt: Native components version file copied over from the Server
It is possible to configure the Web Client to automatically delete the files in the secudesnc directory. Use the Administration Console option Client Logging under the node Web Client Configuration > Common Configuration. For further information see section 6.1.16.1 on page 168.
5.4.1 Configure SSL Trust for the Web Client Java Applet
This section details how to secure the communication between the Internet browser and the Web Client using SSL, thus helping to eliminate the security warnings when calling the Web Client (and any alarm this may cause, including extra hotline activity).
A normal call between the Browser and the Web Client is established via Java over HTTP, and therefore how the SSL trust is established is Browser-dependent:
- Linux Konqueror and Mozilla Firefox 3 do not use their own certificate store but rather the Java certificate store.
- Microsoft Internet Explorer 6/7 and Apple Safari use their own certificate store.
Trust may be established in two ways:
- No permanent certificate: the user computer is left untouched and the Web Client is called using an HTTPS URL. If SSL trust has not yet been established, a Java pop-up will appear asking the user whether they wish to trust the SSL Server.
- Permanent certificate: the user computer has an imported root certificate (via remote distribution) and the Web Client is called using an HTTPS URL. This can be configured so that no pop-ups appear.
These are the three points of security configuration relevant to the Web Client, or rather the three possible levels at which action may be taken, depending on how far you want to go (all of which are for a permanent certificate only!):
- SSL Trust between Browser and Application Server (for example, Tomcat)
  This simply involves importing the Administration Console root certificate into the Browser's certificate truststore.
- SSL Trust between Java Applet and Application Server
  This only applies to Linux Konqueror and Mozilla Firefox 3! This will import the Administration Console root certificate into the Java environment. This can be performed on two levels, per machine for all users or per user:
  - Per machine (all operating systems): Locate the Java truststore file cacerts under the path jre\lib\security. Use the Java Keytool to import the Administration Console root certificate into the Java truststore.
  - Per machine (alternative method): Use the Administration Console to export the root certificate in JKS format. Rename the resulting keystore file to jssecacerts (no extension!) and place the file under jre\lib\security.
  - Per user: Use the Administration Console to export the root certificate in JKS format. Rename the resulting keystore file to trusted.jssecacerts (no extension!) and place the file under:
    - Windows: %HOMEPATH%\Application Data\Sun\Java\Deployment\security
    - Linux/Mac: $HOME/.java/deployment/security
- Execution rights for signed applet (i.e. user warning prompts)
  This will import the Administration Console root certificate and suppress the user warning prompts. The applet in the SSL Server SlsWebClient directory will always be 'trusted'.
  This can be performed on two levels, per machine for all users or per user:
  - Per machine: Open the Java Security Policy file java.policy in the directory jre\lib\security. Add the following code:

        grant codeBase "https:///SlsWebClient/*" {
            permission java.security.AllPermission;
        };

    Save and close the file.
  - Per user: Open an editor and enter the following code:

        grant codeBase "https:///SlsWebClient/*" {
            permission java.security.AllPermission;
        };

    Save the file as .java.policy in the user home directory (all operating systems).
5.5 Remove the Web Client
This section describes how to remove the Web Client from both Tomcat and NetWeaver Servers.

Web Client removal from Tomcat
Before proceeding, if you have not already done so, stop the Tomcat Server.
Delete the following folders from the \Webapps directory:
- axis2
- securelogin
- SlsWebClient
Delete the following files from the \Webapps directory:
- axis2.war
- securelogin.war
- SlsWebClient.war
For Tomcat 6.x only: delete the following files from the directory:
- \shared\iaik_jce_full.jar
- \shared\opencsv-1-7-1.jar
- \shared\radClient3.jar
- \shared\SECUDE-JavaSDK.jar
- \shared\SECUDE-SecureLogin.jar
- \shared\SECUDE-Transfair.jar
- \shared\ServerMsg.properties
- \shared\ServerMsg_.properties
For Tomcat 5.x only: delete the following files from the directory:
- \shared\lib\iaik_jce_full.jar
- \shared\lib\opencsv-1-7-1.jar
- \shared\lib\radClient3.jar
- \shared\lib\SECUDE-JavaSDK.jar
- \shared\lib\SECUDE-SecureLogin.jar
- \shared\lib\SECUDE-Transfair.jar
- \shared\classes\ServerMsg.properties
- \shared\classes\ServerMsg_.properties

Web Client removal from NetWeaver
To remove a Secure Login Web Client installation from NetWeaver, follow the same steps as detailed in section 3.7.2 on page 92.
6 Administration

Introduction
This chapter describes how to administer the SECUDE Secure Login Server via either the Administration Console or the XML interface.

Sections in this Chapter
Section 6.1 'Administration Console', on page 119
Section 6.2 'Email Report&Alert Configuration', on page 177
Section 6.3 'Instance Management', on page 178
Section 6.4 'Console Users', on page 198
Section 6.5 'Other Administration Features', on page 206
6.1 Administration Console

Introduction
This section details the Administration Console for Secure Login. The console is based on Java Server Pages (JSP) technology and is controlled from within an Internet browser. It makes administration tasks for SECUDE Secure Login easy: every relevant administration and configuration task for both the Client and Server side can be performed via the console.

6.1.1 Open the Console
1. To open the console, enter the following URL in a Web browser: http:///securelogin/admin/index.jsp
   For example: http://localhost:8080/securelogin/admin/index.jsp
   or, for secure communication: https://localhost:8443/securelogin/admin/index.jsp
2. The login page will appear:
   Figure 6-1 Administration Console – login page
   Enter your SECUDE Secure Login administration username, password, and authentication type (detailed below). Click Login. If you make a mistake entering any details, just click Reset to clear the fields.

   Authentication type / Details

   Local login
     Standard username/password combination authenticated via the Administration Console database.
   External login
     Username/password combination authenticated via the Authentication Server database set in the JAAS module. If you use this option you must also select the appropriate JAAS module in the External Login Jaas Module combo-box. NOTE: an Authentication Server must already be configured for there to be any entries in the combo-box. For information about configuring an Authentication Server refer to section 6.1.5.
   SSL certificate login
     Username/password combination authenticated via a certificate imported into the Web browser.
3. If login is successful the Welcome page will appear:
   Figure 6-2 Administration Console – Home/welcome page
The Administration Console interface allows you to easily configure the Server to your needs. The main area is split into three panes:
- The top left-hand pane lists any tasks that have yet to be performed. For example, "Connection should be https" refers to the missing SSL connection between the console and the Secure Login Server, and "Server needs to be restarted" informs you that the Server configuration has been changed and you need to restart the Server for it to take effect.
- The bottom left-hand pane is the main navigation tree. For easy reference, each node represents tasks that can be performed within the Secure Login framework.
- The right-hand pane displays the details of any node selected in the left-hand pane.
In the top right-hand corner there are three entries that appear on every page in the console:
- Change password: allows you to change the password for the current administrator/user account. For further details refer to section 6.1.3 on page 122.
- Logout: use this link to log out of the console. The login page will reappear (see previous page).
- About: click this to view version information about the console.
Click one of the nodes in the bottom left-hand pane to perform one of the following tasks:

Node / Details

Home
  Use this node to return to the Administration Console start page (as seen above).
Server Configuration
  Use this node to view and change the configuration of the whole Server. For further information see section 6.1.3.
Server Configuration > Certificate Management
  Use this node to view details about the Secure Login Server certificate issuers and to add new issuers. For further information see section 6.1.4.
Server Configuration > Authentication Management
  Use this node to view details about the Secure Login Server JAAS module and to add a new Authentication Server. For further information see section 6.1.5.
Server Configuration > TrustStore Management
  Use this node to view certificates in the TrustStore and add certificates to the TrustStore. For further information see section 6.1.6.
Server Configuration > Certificate Template
  Use this node to view and change certificate templates. For further information see section 6.1.7.
Server Configuration > System Check
  Use this node to view the current status of Secure Login components. For further information see section 6.1.8.
Server Configuration > Backup/Restore
  Use this node to back up and/or restore the current Server configuration and PKI information of the administration system. For further information see section 6.1.9.
Server Configuration > Change Language
  Use this node to change the GUI language. For further information see section 6.1.10.
Server Configuration > Message Setting
  Use this node to change message content. For further information see section 6.1.11.
Server Configuration > SSS&JCO installation
  Use this node to install the SECUDE signon&secure (SSS) and JCO components necessary for the SAPID JAAS login module for Secure Login. For further information see section 6.1.12.
Server Configuration > System Status
  Use this node to view the status of the current Secure Login Server. For further information see section 6.1.13.
Server Configuration > Sign Certificate Requests
  Use this node to submit a certificate request to a certificate authority. For further information see section 6.1.14.
Server Configuration > Console log viewer
  Use this node to view log entries of actions performed via the Administration Console only. Log files can be viewed on a monthly basis. For further information see section 6.1.15.
Server Configuration > Locked Files Management
  Use this node to check if any files have been locked and, if necessary, unlock them. For further information see section 6.4.3 on page 205.
Server Configuration > Web Client Configuration
  Use this node to configure Web Client parameters. For further information see section 6.1.16. NOTE: this node only appears if the Web Client has been installed. For further details refer to section 5.3 on page 112.
Server Configuration > Email Report&Alert Configuration
  Use this node to configure email notification and email alert parameters. For further information see section 6.1.16.
Instance Management
  Use this node to administer the Secure Login instances. For further information see section 6.3.
Instance Management > Instance Configuration
  Use this node to display the configuration of the current Secure Login Server instance. For further information see section 6.3.1.
Instance Management > Client Configuration
  Use this node to view and change the Client configuration. For further information see section 6.3.3.
Instance Management > Instance Log Management
  Use this node to view log files on either a monthly or daily basis, and download the log files for archiving. For further information see section 6.3.4.
Instance Management > Instance Check
  Use this node to view the status of the components for Client policies and PKI management. For further information see section 6.3.5.
Instance Management > Instance Status
  Use this node to view the status of the current Secure Login Server. For further information see section 6.3.6.
Console Users
  Use this node to view when an administrator logged in to, or logged out of, the Administration Console. For further information see section 6.4.
Console Users > User Management
  Use this node to display a list of the users/administrators registered to the Administration Console as well as add a new user, edit/delete a current user, and assign a role to a user. For further information see section 6.4.1 on page 199.
Console Users > Role Management
  Use this node to configure the permissions for a new or existing administrator role. For further information see section 6.4.2 on page 202.
Console Users > Locked Files Management
  Use this node to unlock console files that are locked by dead operator sessions. For further information see section 6.4.2 on page 202.
You may be asked to re-enter your username and password if you leave the administration console for too long (console timeout). This page also appears when you click the Home node.
6.1.2 Change the Administrator/User Password
This section details how to change the account password for the Administration Console. The user 'Admin' is a permanent user that has the role 'super-user' and cannot be deleted (only its password can be changed) or altered in any way. As a consequence, the 'admin' user can log onto the system regardless of its state (i.e. when a serious system error occurs), guaranteeing that there is at least one user that can always access Secure Login to correct or configure the system.
1. Click Change Password in the title bar on any page.
2. The following page will appear:
   Figure 6-3 Administration Console – Change Administrator/User Password
3. Enter the current password into the Old Password field.
4. Enter and confirm the new password into the fields New Password and Confirm New Password respectively.
5. Click OK.
6.1.3 Server Configuration
This section details the Server Configuration page of the Administration Console. The Server Configuration page allows you to:
- View the Server configuration.
- Edit some of the Server parameters (see section 6.1.3.1 on page 126).
- Edit the type of authentication used to log in to the Administration Console (see section 6.1.3.2 on page 127).
1. Click the Server Configuration node in the left-hand pane of the Administration Console.
2. The following page will appear:
   Figure 6-4 Administration Console – Server Configuration
The following options can be viewed on this page:
Option / Details/Value

Edit
  Click Edit to change the Administration Console description, Trace Configuration, Server Lock Configuration, Client Configuration, and SNC Configuration (see section 6.1.3.1 on page 126).
Description
  The description of this Administration Console.
Console login type
  The current types of authentication available for login to the Administration Console. For further information see section 6.1.4.2.
External Login Jaas Module
  The current JAAS module used for "external login" authentication to the Administration Console. For further information see section 6.1.3.2 on page 127.
The Authentication file path
  The authentication file (*.login) used by this Server.
Trust Certificates storage file
  The TrustStore file (*.jks) used by this Server.
TrustStore password
  The password for the TrustStore file.
Console Log Directory
  The directory in which the console log file will be located.
Console Log Prefix
  The file prefix for the console log file.
Enable Server trace
  Display trace messages in the application Server console (i.e. the Tomcat command box).
Path to the Server lock file
  The fall-back of the LockDir property in the configuration.properties file. This property is stored in the Web.xml file.
Lock the Server when the logging function encounters fatal errors
  If set to No, the Server will not be locked if transaction logging fails. If set to Yes, the Server will be locked if transaction logging fails. If a full transaction log is important to you, set this option to Yes.
Server name or IP to be used
  The hostname or IP of the computer from which the console is being used for the Client configuration (i.e. for all Client policy URLs). NOTE: do not use localhost. If on a local machine, set the IP address or DNS/hostname.
CREDDIR
  The directory in which the credentials are stored by SECUDE signon&secure. NOTE: This option will overwrite any existing SAP ID-based Server CREDDIR value (automatically generated during the Authentication Server creation) with this value.
NativeLibraryPath
  The directory in which the platform-dependent native libraries are located.
6.1.3.1 Edit the Server Configuration
This section details the editable properties of the Server Configuration page of the Administration Console.
1. Click Edit to display the following information:
   Figure 6-5 Administration Console – Edit Server Configuration
   The following options can be set:

   Option / Details/Value

   Description
     Here you can personalize the description for the Administration Console.
   Enable Server trace
     Yes: write trace messages to the application Server trace file:
     - For Tomcat: folder logs, files catalina*.log / localhost*.log
     - For NetWeaver AS Java: defaultTrace_*.log
     No: do not display trace messages in the application Server console.
   Lock the Server when the logging function encounters fatal errors
     Yes: lock the Server if transaction logging fails.
     No: do not lock the Server if transaction logging fails.
   Server name or IP to be used
     The hostname or IP of the computer from which the console is being used. NOTE: do not use localhost. If on a local machine, set the IP address.
   CREDDIR
     Use this option to define the directory in which credentials will be written by SECUDE signon&secure. Enter the full path of the directory to be used, for example: C:\SSS. NOTE: This option will overwrite any existing SAP ID-based Server CREDDIR value (automatically generated during the Authentication Server creation) with this value.
   NativeLibraryPath
     Use this option to define the directory in which the native libraries used for verification of the SAP Ticket are located.
2. Once you have changed any options, click Save to return to the Server Configuration page.
6.1.3.2 Change Console Login Type
This section details how to modify the way you authenticate to the Administration Console.
1. Click the Server Configuration node in the left-hand pane of the Administration Console.
2. Click Edit next to the Console Login Type Configuration heading to view the following information:
   Figure 6-6 Administration Console – change login type
   This page allows you to configure, delete, or add the following login types:
   - Local Login: Standard username/password combination authenticated via the Administration Console database.
   - External Login: Username/password combination authenticated via the Authentication Server database set in the JAAS module. If you use this option you must also select the appropriate JAAS module in the External Login Jaas Module combo-box. NOTE: an Authentication Server must already be configured for there to be any entries in the combo-box. For information about configuring an Authentication Server refer to section 6.1.5.
   - SSL-Certificate Login: Username/password combination authenticated via a certificate imported into the Web browser.

Add a Login Type
1. To add a login option to the Administration Console login page, select a login type from the ALL Login Type field and click >>Add (it will appear in the Current Login Type field).
2. If necessary, use the Up and Down buttons to give a login option priority (the order of appearance in the Login Type combo-box on the login page).
3. Click Save to confirm any changes.

Delete a Login Type
1. To delete a login option from the Administration Console login page, select a login type from the Current Login Type field and click

Add to create a new Server entry, or select an existing Server from the Servers Management list and click Edit. The following page will appear:
   Figure 6-46 Web Client configuration – Servers management page
   The following options are available:

   Option/parameter / Details

   SAP GUI for Java
     - Label: Arbitrary text describing this Server.
     - Host: The SAP NetWeaver ABAP IP address or hostname.
     - Port: Port number used by the Server. Default for the ABAP stack is 3200.
     - SNCname: The SNC name. For example: p:CN=sapnw01,OU=QA,O=SECUDE,C=DE
   SAP GUI for Windows
     - shortcut.Name: The SAP Server identifier used in multi-instance configurations.
     - shortcut.Description: The name of the Server profile in the SAPGUI for Windows (in SAPGUI this is the "description" field). This is THE essential reference to the Server profile for Windows-SAPGUI.
   Instance ID this Server used
     The instance identifier to be used by this Server.
   Save
     Save any changes made via this page.
3. Enter the necessary values and click Save to confirm the entries.

6.1.16.2 Web Client - Platform Configuration
This section details the platform configuration page for the Secure Login Web Client. For information about how to install and use the Web Client refer to chapter 5 on page 109.
1. If you have not already done so, click the Web Client Configuration node in the tree in the left-hand pane. The Web Client Management page will appear.
2.
Select a platform from the Platform Configuration list and click Edit.
3.
The following page will appear:
Figure 6-47 Web Client configuration – platform configuration page The Platform Configuration page may appear in slightly different forms according to 169
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
whichever platform was chosen under the Platform Configuration option in the main Web Client Management page: Windows: The options to select the SAP GUI for the Java-based Client as well as the stand-alone Client are available. Mac OSX/Linux: Only the option to select the SAP GUI for the Java-based Client is available. The following options are available:
170
Option
Details
SAP GUI for Java (appears for all platforms)
Binary name of SAP GUI tool - SAP.start.binary The application name of the SAP GUI for Java. - Windows: guistart.bat - Mac OSX: SAPGUI - Linux: guistart - SAP.logon.binary The application name of the SAP logon frontend. - Windows: guilogon.bat - Mac OSX: SAPGUI - Linux: guilogon To enter a different binary name, simply enter a new name in the respective field and click Save. Search Path for SAP GUI The path used by the Web Client to locate the Java binaries. Click Add to open a secondary field and manually enter the path to the Java binaries for each one. Click Save to confirm the entry.
SAP GUI for Windows (appears for Windows only)
Binary name of SAP GUI tool - SAP.start.binary The application name of the SAP GUI for Windows. - Windows: sapgui.exe - SAP.logon.binary The application name of the SAP logon frontend. - Windows: saplogon.exe To enter a different binary name, simply enter a new name in the respective field and click Save. Search Path for SAP GUI The path used by the Web Client to locate the Java binaries. Click Add to open a secondary field and manually enter the path to the Java binaries for each one. Click Save to confirm the entry.
Supported OS
The platforms for which the properties on this page are applicable. The platform name will be listed along with the files required by each platform to function correctly. If you want to remove support for a specific platform (i.e. remove 64-bit support from Windows) click Delete.
6.1.16.3 Message Settings

This section details the message settings for the Secure Login Web Client. For information about how to install and use the Web Client refer to chapter 5 on page 109.

1. If you have not already done so, click the Web Client Configuration node from the tree in the left-hand pane. The Web Client Management page will appear.

2. Click the Message Settings tab:

Figure 6-48 Web Client configuration – message settings page

A list of language files for the messages will be displayed. You can now either:
- Click New… to create a message file in a specific language (see below), or
- Select an existing message file from the list and click Edit… to alter the messages for that language (see "Edit an existing Message File" below).

Create a new Message File

1. Click New… to create a message file in a specific language. A language selection bar will appear below the message list:

Figure 6-49 Web Client configuration – create new message file

2. Select the language in which you want to create the messages from the combo-box and click Create New file.

3. The message file will be created using proprietary messages (in English) and will appear in the list:

Figure 6-50 Web Client configuration – new message file in list

Select the message file from the list and click Edit…

4. The message properties page will appear:

Figure 6-51 Web Client configuration – edit message properties

Translate or alter each message to the given context and click Save.

Edit an existing Message File

1. Select a message file from the list and click Edit…

2. The message properties page will appear:

Figure 6-52 Web Client configuration – edit message properties

Translate or alter each message to the given context and click Save.
6.1.16.4 Package Management

This section details package management for the Secure Login Web Client. Use this page to consolidate the files necessary for Web Client operation. For information about how to install and use the Web Client refer to chapter 5 on page 109.

1. If you have not already done so, click the Web Client Configuration node from the tree in the left-hand pane. The Web Client Management page will appear.

2. Click the Package Management tab:

Figure 6-53 Web Client configuration – package management page

The following options are available:

Platform name: Select the platforms for which you want to consolidate files. This will display the appropriate processor-specific information for each platform.

Table columns:
Package name: The name of the package corresponding to the processor type.
Version: The Web Client version.
Filename in the package: A list of files currently in the package.
Missing files: A list of missing files needed for the package to run.

File path: Click Browse to locate and load each individual file for the package preselected in the list.

Upload: Load either the ZIP file containing the native components, or individual native component files (located and opened via Browse) into the platform-specific package.

Remove All: Remove all of the Web Client files from a pre-selected package.

Synchronize Ticket: Synchronize the license file (ticket.snc) used for the signon&secure/JCO installation to all the operating system packages. This applies even if you do not implement SAP ID authentication. For further information refer to section 6.1.12 on page 158.

3. Select a platform from the combo-box and click Browse… to locate either the complete Native Components ZIP file, or any missing Native Component files for each operating system/processor type necessary for the configuration. The SECUDE libraries (ComSecudeUtil, secude) and the version file can be located in the file SECUDE51SecureLoginNativeComponents.zip delivered with the Secure Login package (optionally, the license file (ticket.snc) can also be loaded in this manner – see step 5 below).

4. Click Upload to load each file individually into the package.

5. As an optional step, to save time loading the license file (ticket.snc) into each of the operating system packages, you can click Synchronize Ticket to automatically perform this task.

6.1.16.5 HTML Settings

This section details the HTML settings for the Secure Login Web Client. Use this page to customize the messages and/or look of the Web Client pages. For information about how to install and use the Web Client refer to chapter 5 on page 109.

1. If you have not already done so, click the Web Client Configuration node from the tree in the left-hand pane. The Web Client Management page will appear.

2. Click the HTML Settings tab:

Figure 6-54 Web Client configuration – HTML settings page

A list of language files for the GUI will be displayed. You can now either:
- Click New… to create a message file in a specific language (see below), or
- Select an existing message file from the list and click Edit… to alter the messages for that language (see "Edit an existing Language File" below).

Create a new Language File

1. Click New… to create HTML pages for the Web Client. A language selection bar will appear below the message list:

Figure 6-55 Web Client configuration – HTML settings > create new language file

2. Select the language in which you want to create the messages from the combo-box and click Create New file.

3. The new language file will be created using proprietary files (in English) and will appear in the list:

Figure 6-56 Web Client configuration – HTML settings > select language file to edit

Select the language file from the list and click Edit…

4. The HTML editor page will appear:

Figure 6-57 Web Client configuration – HTML settings > edit language files

The following options are available:

HTML pages:
InitApplet.html: This is the initial page to be called by the Web Client. This page performs a Java check as well as a communication timeout and user preferences check.
SNCAppletAuth.html: This is the main Web Client page containing the logon form and configurable Server-list. If you do not want to support direct login to SAP Servers but rather only the launching of SAP logon, you can change the HTML template of this main page.
SNCAppletNewpin.html: This is the page for new PIN entry applicable to RSA and SAP ID. If Secure Login Server JAAS authentication modules of the types RSA or SAP ID are configured, it may occur that users have to change their passwords. This page is for this purpose.
SNCAppletNexttoken.html: This is the page for a new token entry applicable to RSA Server requests. If the Secure Login Server RSA JAAS authentication module is configured, it may occur that the RSA Server will request a new token code. This page is for this purpose.
SNCAppletSaplogon.html, SNCAppletSapstart.html: One of these pages will appear if the SAP GUI binary tools configured on the Server-side cannot be found on the Client computer. The pages will prompt the user to specify which SAP GUI executable is to be used. Once specified, this parameter is stored, together with the Client computer hostname, in the configuration file user.properties in the user's home directory.

Save: Save any changes made in the HTML editor pane.
Reset: Reset any changes to those in the previously saved version of the template.
Preview: Preview the HTML code in your Web-browser.

5. Select the template you want to edit from the left-hand pane and edit the HTML code as necessary. Repeat for any further templates (remember to click Save after completing each template to save the changes for each one).

Edit an existing Language File

1. Select a language from the list and click Edit…

2. The HTML editor page will appear:

Figure 6-58 Web Client configuration – HTML settings > edit language files

See "Create a new Language File" above for a list of the options available on this page.

3. Select the template you want to edit from the left-hand pane and edit the HTML code as necessary. Repeat for any further templates (remember to click Save after completing each template to save the changes for each one).
6.2 Email Report&Alert Configuration

1. Define the settings of the E-Mail Server account:

Figure 6-59 Email Report&Alert configuration – Email Server Setting

Specify the name or IP of the SMTP Server. Specify the username and password of the SMTP user. Specify the E-Mail address of the sender. Specify the E-Mail address of the default receiver. Optionally, enter a text signature to be appended to mails.

2. Select System Alert Settings and/or Log Alert Settings:

Figure 6-60 Email Report&Alert configuration – System Alert Setting

Select the Check and Send Email check box. Define the desired check interval. Select the items to be monitored in order to provide a report, or check All. Click Send Email to Default if the receiver is to be the default one already defined, or specify it in the edit box.

6.3 Instance Management

This section details the Instance management page of the Administration Console. Instance management is the main hub that allows you to switch between Server instances to configure each one (i.e. to configure a specific Server instance you must first open this page and switch to it). Follow these steps to configure Server instances:

1. If you have not already done so, click the Instance management node from the tree in the left-hand pane.

2. The following page will appear:

Figure 6-61 Administration Console – instance management

This page displays all of the Server instances in the Secure Login configuration. The red * next to the instance name depicts the current Server instance. This page has the following options:

Instance information list
ServerName: The name of the instance. Click Edit to change the Server name.
ID: The ID of the instance. This is also the folder name where this instance's configuration files are stored.
Server Root Path: The path to this instance's folder.
Status: The active status of this instance. An inactive instance is shown in gray.
Lock: The status of the Server instance (locked/unlocked).

Buttons
Add: Add a new Server instance. This will start a wizard to help you through the creation process. For further information about the creation process refer to section 3.6.3 on page 63.
Edit: Edit the name of the selected Server instance. To use this function, check the Server instance you wish to edit and click Edit. Enter the new name in the new page and click Save.
Active: Activate a selected Server instance. If a Server instance entry is grayed-out this means that it has been deactivated. Use the Active function to re-activate the Server instance.
Inactive: Deactivate a selected Server instance. This function should only be used when a Server instance needs to be deactivated for maintenance or for a temporary task.
Unlock: Unlock a Server instance. A Server instance may be locked if, for example, log files can no longer be written.
Delete: Delete the selected Server instance. All the configuration files of this instance will also be deleted.

6.3.1 Instance Configuration

This section details the Instance Configuration page of the Administration Console. The node can be recognized as Configuration or DefaultServer Configuration in the navigation tree. This page displays the configuration of the current instance and allows you to:
- View a Server configuration pre-selected in the Instance Management page.
- Edit the Server configuration.

Follow these steps to view and configure Server instances:

1. If you have not already done so, click the Instance management node from the tree in the left-hand pane to select the Server instance you wish to view/edit (see section 6.3).

2. The following page will appear:

Figure 6-62 Administration Console – Instance Configuration page (extract)

This page displays an overview of the Secure Login Server configuration properties. Click Edit in the top right-hand corner to edit the following parameters:

Authentication Server configuration (cannot be edited)
JaasModule: The JAAS login module to be used with this Server instance.

SECUDE Secure Login UserCA KeyStore (cannot be edited)
PseType: Type of PSE used by the Server to sign the generated certificates.
PseName: The path to the PSE file.

User Certificate Configuration (can be edited)
These values will be used to generate Client certificates. As a result, all the Client certificates will have the same country, locality, organization, and organizational unit values. These certificates are distinguished by different common names, which are not set here.
DN.xxx: Information used to identify the Clients for the SECUDE Secure Login Server. Use a mix of letters, digits, and special characters.
ValidityMinutes: The amount of time, in minutes, for which a Client certificate is valid.
ValidityOffset: Time offset in minutes relative to the Server system time for the certificates to start being valid.
UseUPN: Use the User Principal Name.

Certificate Template Configuration (cannot be edited)
The following options cannot be edited in this page. For details about how to set these options refer to section 6.1.7 on page 143: CertificateName, CertificateFormat, SerialNumberPolicy, StandardExtension, PrivateExtension, KeyUsage, ExtendedKeyUsage.

Log Configuration (cannot be edited)
The following options cannot be edited in this page. For details about how to set these options refer to section 6.3.4.2 on page 195.
EnableLog: Is logging enabled?
DailyLogPrefix: The file prefix for daily logs.
DailyLogDir: The directory for daily log storage.
MonthlyLogPrefix: The file prefix for monthly logs.
MonthlyLogDir: The directory to which the monthly log files are saved.
LogMaxSize: The maximum size for the log file directory (all log files) in gigabytes.
LogRotationSize: The maximum size a log file may be before archiving.
LogCleanDays: The interval, in days, after which the next log cleanup starts.

Other Server Configuration (all except LockDir are editable)
LockInstanceOnTransactionLogFailure: Lock the Server instance should the transaction log fail (for example when the logfile can no longer be written due to lack of disk space). Yes = lock the Server; No = do not lock the Server.
LockDir: The directory in which the lock file will be placed. This requires a path to a valid folder to which the Server has write access. If the value is a valid directory path but the folder does not exist, then one will be created (if the path is not valid, or the Server has no write access, then no lock file can be created and the Server cannot be locked). NOTE: Changing the lock directory value requires a Server restart.
maxSessionInactiveInterval: Specifies the time, in seconds, between Client requests before the servlet container will invalidate this session. This is applicable only in challenge-mode (PIN change etc.).
AdminServletHeader: The header text to be displayed on the status page (used by the StandardServlet status page, not by the Administration Console GUI).
AdminServletTrailer: The footer text to be displayed on the status page (used by the StandardServlet status page, not by the Administration Console GUI).

User-defined properties (can be edited)
Any properties defined by the Server administrator will be listed here. To add a new property click Edit, navigate to the bottom of the page, click Add, then enter the property name in the first field and a false/true parameter in the second field. Click Delete to remove an administrator-defined property from the configuration.

3. Once you have made changes to the Server instance click Save to apply them to the Server configuration.

6.3.2 Customizing With User-Defined Properties

This section details Secure Login features to assist an administrator by means of user-defined properties.

Contents
Section 6.3.2.1 'Alternative User Name from LDAP Directory' page 181
Section 6.3.2.2 'Length of Username in Certificate' page 183
Section 6.3.2.3 'Username Configuration for SQL JAAS Module' page 183
6.3.2.1 Alternative User Name from LDAP Directory

This section details how to configure an LDAP or Active Directory Server attribute value to be used instead of the user name given by the Client. This may be useful if the SAP SNC user names and the authenticated user names (e.g. from a Windows domain) are not the same. Each instance may have its own configuration.

1. Open the Instance configuration in Edit mode as described on page 179.

2. Scroll down to the bottom and add a set of User-defined properties:

Figure 6-63 User-defined properties – sample LDAP attribute configuration

The following properties are available (properties marked with * are mandatory; n numbers the Server within the ordered list):

LdapReadServers*: Number of LDAP Servers that are configured here. A numeric value is expected that must be 1 or higher. The given value is used as n to define an ordered list of Servers that are called in a fail-over manner. Keep empty to disable all configured Servers.
LdapReadAttributen*: The LDAP attribute that shall be used instead of the given user name. A simple text value is expected.
LdapReadUrln*: The LDAP Server that shall be used to retrieve that attribute.
LdapReadTimeoutn: Connection timeout in seconds.
LdapReadDomainn*: For Active Directory: LDAP domain to be appended to the given user name if it is not a User Principal Name. If the name is already in UPN format, the property is ignored.
LdapReadUsern*: LDAP user to open the LDAP session (bind user).
LdapReadPassn*: LDAP password of the bind user. Warning: This password is displayed and stored in clear text. It is recommended to use an LDAP user with read-only permissions.
LdapReadBaseDNn*: LDAP search base / sub tree to be used to search for the given user name.

The user certificate's common name part (CN) gets the value of LdapReadAttribute if there is an LDAP entry for the given user, and the attribute LdapReadAttribute exists and contains a text value. Otherwise, the CN is generated as usual. For a protected communication to the directory Server, LDAP/SSL may be configured. In this case, the existing trust store of Secure Login Server is used.
6.3.2.2 Length of Username in Certificate

SAP user IDs have a maximum length of 12 characters, which needs to be considered by SNC X.509 certificates. The default behaviour of Secure Login Server 5.1 is to strip off any user name value to this length in the CN field of issued certificates. This default length may be customized.

MaxUserNameLength: Maximal number of characters a user name in the CN field may have. If the given user name is longer, it is cut from the right side. Default value: 12. Sample: SCHWARZENEGGER is cut off to SCHWARZENEGG with default settings.
UserNamePaddingLength: If user names in the CN field need a fixed or minimum length, padding can be turned on. The padding length sets the minimum length of user names. Default value: None.
UserNamePaddingChar: The padding character is used to fill user names on the left side if their size is smaller than the configured padding length. Default value: None. Sample: ARNOLD is extended to 00ARNOLD with UserNamePaddingLength="8" and UserNamePaddingChar="0".

6.3.2.3 Username Configuration for SQL JAAS Module

Depending on the username/Client ID schema used for database authentication, some special configuration properties may be needed to define which user name is put into the certificate. This is only to be considered if Secure Login Client sends compound username values.

UseQualifiedName: If true, the full received username value is taken for the user certificate's CN field. If false, only the user ID part before the separator is taken, and UserNameSeparator must be set to a non-blank value to apply this property. Default value: true.
UserNameSeperator: String of one or more characters that separates the username and the Client identifier sent by the Secure Login Client. If configured, DBColumnClientID must also be configured in the SQL JAAS module. Default value: None. Sample: USER001#CLIENT999 is split to USER001 with UseQualifiedName="false" and UserNameSeperator="#".
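The properties in sections 6.3.2.1 to 6.3.2.3 together decide which common name ends up in an issued user certificate: the compound name is split first, an LDAP attribute may replace the user ID, and the length rules are applied last. The script below is an added example, not SECUDE code, that models that pipeline so an administrator can predict the CN for a given configuration. It assumes the per-Server property suffix runs from 1 to LdapReadServers (LdapReadAttribute1, LdapReadDomain1, ...), that fail-over only moves to the next Server when the current one cannot be reached, that truncation to MaxUserNameLength happens before padding, and that the property key is spelled UserNameSeperator as in the sample above. The directory Servers and their entries are constructed in memory; no LDAP connection is made.

```python
"""Model of the CN derivation described in sections 6.3.2.1 to 6.3.2.3.

Added illustration, not SECUDE code.  LDAP Servers are simulated in memory;
the property suffix numbering, the fail-over rule and the truncate-then-pad
order are assumptions (see the lead-in).
"""
from typing import Callable, Dict, Optional, Sequence

# One simulated LDAP Server: (upn, attribute) -> attribute value or None.
Lookup = Callable[[str, str], Optional[str]]


class LdapServerDown(Exception):
    """Raised by a simulated Server that cannot be reached (triggers fail-over)."""


def make_directory(entries: Dict[str, Dict[str, str]], reachable: bool = True) -> Lookup:
    """Build a constructed in-memory directory keyed by lower-case UPN."""
    def lookup(upn: str, attribute: str) -> Optional[str]:
        if not reachable:
            raise LdapServerDown(upn)
        entry = entries.get(upn.lower())
        if entry is None:
            return None                      # no LDAP entry for the given user
        value = entry.get(attribute)
        return value if value else None      # attribute missing or empty text
    return lookup


def split_user_id(username: str, props: Dict[str, str]) -> str:
    """6.3.2.3: keep the full compound name (UseQualifiedName=true) or only
    the part before UserNameSeperator (key spelled as in the manual)."""
    use_qualified = props.get("UseQualifiedName", "true").lower() == "true"
    separator = props.get("UserNameSeperator", "")
    if use_qualified or not separator:
        return username
    return username.split(separator, 1)[0]


def alternative_name(username: str, props: Dict[str, str],
                     servers: Sequence[Lookup]) -> Optional[str]:
    """6.3.2.1: query the configured Servers in order, moving on only when one
    is unreachable.  None means 'generate the CN as usual'."""
    count = props.get("LdapReadServers", "").strip()
    if not count:                            # empty value disables all Servers
        return None
    for n in range(1, min(int(count), len(servers)) + 1):
        attribute = props[f"LdapReadAttribute{n}"]
        domain = props.get(f"LdapReadDomain{n}", "")
        # Append the Active Directory domain unless the name is already a UPN.
        upn = username if "@" in username else f"{username}@{domain}"
        try:
            return servers[n - 1](upn, attribute)
        except LdapServerDown:
            continue                         # fail over to Server n+1
    return None                              # every configured Server was down


def fit_length(name: str, props: Dict[str, str]) -> str:
    """6.3.2.2: cut from the right to MaxUserNameLength (default 12), then pad
    on the left up to UserNamePaddingLength with UserNamePaddingChar."""
    max_len = int(props.get("MaxUserNameLength", "12"))
    name = name[:max_len]
    pad_len = props.get("UserNamePaddingLength")
    pad_char = props.get("UserNamePaddingChar")
    if pad_len and pad_char:
        name = name.rjust(int(pad_len), pad_char[0])
    return name


def certificate_cn(username: str, props: Dict[str, str],
                   servers: Sequence[Lookup] = ()) -> str:
    """Full pipeline: split compound name, LDAP alternative, length rules."""
    user_id = split_user_id(username, props)
    alternative = alternative_name(user_id, props, servers)
    return fit_length(alternative or user_id, props)


# Constructed sample configuration; attribute name, URLs and domain are made up.
SAMPLE_PROPS = {
    "LdapReadServers": "2",
    "LdapReadAttribute1": "sapUserId", "LdapReadUrl1": "ldaps://dc1.corp.example",
    "LdapReadDomain1": "corp.example",
    "LdapReadAttribute2": "sapUserId", "LdapReadUrl2": "ldaps://dc2.corp.example",
    "LdapReadDomain2": "corp.example",
    "MaxUserNameLength": "12",
}
SAMPLE_SERVERS = [
    make_directory({}, reachable=False),                      # dc1 is down
    make_directory({"jdoe@corp.example": {"sapUserId": "JDOE01"},
                    "schwarzenegger@corp.example": {"sapUserId": "SCHWARZENEGGER"}}),
]

if __name__ == "__main__":
    for user in ("jdoe", "schwarzenegger", "nobody"):
        print(f"{user!r} -> CN={certificate_cn(user, SAMPLE_PROPS, SAMPLE_SERVERS)!r}")
```

In a real deployment the `make_directory` stand-in is where a bind with LdapReadUser/LdapReadPass against LdapReadUrl, scoped to LdapReadBaseDN and bounded by LdapReadTimeout, would go; because the manual notes that LdapReadPass is displayed and stored in clear text, that bind account should be read-only, as the manual recommends.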
6.3.3 Client Configuration

This section details the Client configuration page of the administration console. Follow these steps to open Client configuration:

1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.

2. The following page will appear:

Figure 6-64 Client configuration page

This page automatically opens on the Client Policy file management page. The following options are available (options marked with * are mandatory):

Client Policy: Opens the Client policy management page (the default page).
Applications: Opens the Applications management page. For further information see section 6.3.3.1 'Application Management' on page 184.
Profiles: Opens the Profiles management page. For further information see section 6.3.3.2 'Client Profile Management' on page 187.
Files download: Opens the Files download page. For further information see section 6.3.3.3 'Files Download' on page 190.
Global Client Policy: Opens the Global Client Policy page. For further information see section 6.3.3.4 'Global Client Policy' on page 191.
Policy URL*: Network resource URL from which the latest SECUDE Secure Login Client policy can be downloaded. Example: http://proxyurl.secude.com:3128
Policy TTL*: The time (in minutes) that a policy remains valid.
Network Timeout (s)*: The elapsed time (in seconds) before a connection is closed if the Server does not respond.
Disable update policy on startup: Turn off automatic policy download and registration when the system service is started. false = update policy enabled; true = update policy disabled.

3. If necessary, edit the parameters and click Save to set the changes.

6.3.3.1 Application Management

This section details how to administrate applications for the Client.

1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.
2. Click Applications. The following information will appear:

Figure 6-65 Client configuration – Application Management page

The following options are available (options marked with * are mandatory):

Client Policy: Opens the Client policy management page. For further information see section 6.3.3.1 'Application Management' on page 184.
Applications: Opens the Applications management page (this page).
Profiles: Opens the Profiles management page. For further information see section 6.3.3.2 'Client Profile Management' on page 187.
Files download: Opens the Files download page. For further information see section 6.3.3.3 'Files Download' on page 190.
Global Client Policy: Opens the Global Client Policy page. For further information see section 6.3.3.4 'Global Client Policy' on page 191.
Application action: The action of the selected application. There are 3 types of action: clean, replace, or keep. Click Save to set the application action.
Add Application: Add a new application (see below).
Edit: Modify a selected application (only applicable if an application is available in the Applications list). See below.
Delete: Delete a selected application (only applicable if an application is available in the Applications list).

Add/Edit an Application

Follow these steps to add an application:

1. Click Add Application. The following information will appear:

Figure 6-66 Client configuration – add an application

The following options are available (options marked with * are mandatory):

Application name*: The name of the application.
SAP Server: Select the SAP Server certificate for this policy. NOTE: this field only appears if you have created an SAP CA, plus certificate, in the Certificate Management page (see section 6.3.2.3 on page 183).
PSEURI*: Application specific PSE URI that is matched when a fitting profile is searched. For example: SNC/cn=SAP, o=SECUDE, c=DE or SNC/CN=Server*, ou=Strong. The wildcards * and ? can be used.
Profile: The name of the security profile to be used for the application. The name must match the profile name in the profiles section. The profile name * is used for the default security profile that is configured by the user (for example, the smart card profile). For further information about profiles see section 6.3.3.2 'Client Profile Management' on page 187.
allowFavorite: Allow the user to select another profile as 'favorite' for this SNC application context. false (default) = always use the configured profile; true = do not use the configured profile.

2. Enter the application parameters and click Save. This will return you to the Applications page (see section 6.3.3.1 'Application Management' on page 184).
6.3.3.2
Client Profile Management This section details how to administrate profiles for the Client. 1.
If you have not already done so, click the Client configuration node from the tree in the left-hand pane.
2.
Click Profiles. The following page will appear:
Figure 6-67 Client configuration – Client profiles page The following options are available (options marked with * are mandatory): Option
Details/Value
Client Policy
Click to open the Client Policy Management page (the default page). For further information see section 6.3.3 „Client Configuration‟ on page 183.
Applications
Click to open the Applications Management page For further information see section 6.3.3.1 „ Application Management‟ on page 184.
Profiles
Click to open the Profiles Management page (this page).
Files download
Opens the Files Download page. For further information see section 6.3.3.3 „Files Download‟ on page 190.
Global Client Policy
Opens the Global Client Policy page. For further information see section 6.3.3.4 „Global Client Policy‟ on page 191.
Profile action
The action of the profile. There are 3 types of action: clean, replace, or keep. Click Save to set the application action.
Add Profile
Add a new profile (see next page).
Edit
Modify an application (only applicable if a profile is available in the Profile list). See below.
Delete
Delete an application (only applicable if a profile is available in the Profile list).
187
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
Add/Edit a Client Profile
Follow these steps to add/edit a profile: 1.
Click Add Profile.
2.
The following page will appear:
Figure 6-68 Client configuration – add/modify Client profile The following options are available (options marked with * are mandatory): Option
Details/Value
Profile name* | The name of the profile.
PSEType | The type of profile. Possible values: promptedlogin, windowslogin.
EnrollURL0* | Secure Login URL that is used for authentication and certificate enrolment. The URL locates the Server instance that is valid for the Secure Login Client. For example: http://myServer.local/securelogin/PseServer?id=0001
EnrollURL1 | Fallback Secure Login URL if URL 0 fails. The URL locates the Server instance that is valid for the Secure Login Client. For example: http://myServer.local/securelogin/PseServer?id=0002
HttpProxyURL | HTTP proxy to be used with the enrolment URLs. Only HTTP proxies without authentication and without SSL to the proxy are supported. Example: http://example.address.com:8888
GracePeriod | The number of seconds that elapse before a certificate automatically re-enrolls. Default: 0
InactivityTimeout | The number of seconds until an automatic logout is performed (due to mouse and keyboard inactivity). Possible values: >1: the number of seconds of inactivity; -1: no single sign-on (SSO), each SNC connection forces a new login; 0 (default): no timeout, SSO without constraints.
AutoReenrollTries | The number of failed authentications in a row until automatic re-enrolment is stopped. User name and password caching can be turned on to provide the automatic re-enrolment of certificates that are about to expire. Possible values: 0 (default): turn off; do not re-enroll automatically and do not cache user name and password. A re-enrolment must always be performed manually by the user. >0 (n): turn on with n tries to succeed; try to re-enroll a maximum of n times before either a new certificate is received or the user name and password cache is cleared. The error counter is reset on success. A manual re-enrolment is also possible. You can delete all cached credentials from memory (except those stored in the Secure Login Client system service) via the logout entry in the context menu of the SECUDE PSE service in the system tray. Deleting the cache of the windowslogin token has no effect, as the credentials can be retrieved from the Secure Login Client system service.
KeySize | Key size of the newly generated RSA keys. Range: 512 – 16384. Default: 512
ReUseKey | Defines whether the RSA key is kept for the profile. If true, the RSA key is kept unless a manual logout is performed or the user process psesvc.exe is shut down. Default: false
UniqueClientID | Customer-defined string. Default: NULL
Network timeout (seconds) | Network timeout (in seconds) before the connection is closed if the Server does not respond. Default: 45
SSLHostCommonNameCheck | Applies to the SSL Server certificate: checks whether the peer host name is given in its common name. Default: false
SSLHostAlternativeNameCheck | Applies to the SSL Server certificate: checks the Server's SSL certificate for the correct DNS name in the Subject Alternative Names attribute. Default: false
SSLHostExtensionCheck | Applies to the SSL Server certificate: checks whether the peer's certificate has the extended key usage ServerAuthentication set. Default: false
UseSslPse | If set to true, this parameter turns on the former SSL.PSE-based TrustStore for HTTPS. If set to false (default), the Microsoft CAPI is used for HTTPS trust.
UserWarningPassword | Turn on/off a warning dialog box that appears before the user name and password are sent to the Secure Login Server. Default: false
UserWarningMSIE | Turn on/off a warning dialog box that appears after a new certificate has been propagated to the Microsoft Crypto Store. NOTE: Microsoft Internet Explorer must be restarted. Default: false
3. Enter the profile parameters and click Save. This will return you to the Profiles page (see section 6.3.3.2 "Client Profile Management" on page 187).
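As an added example (not SECUDE code), the following script audits a Client profile against the security-relevant defaults in the table above: plaintext enrolment URLs, the 512-bit default KeySize, the three SSLHost checks that default to false, and the unconstrained InactivityTimeout. The dict representation of a profile and the 2048-bit RSA floor are assumptions; the manual does not document the on-disk encoding.

```python
"""Added example, not SECUDE code: audit a Client profile against the
security-relevant defaults listed in the profile table above.  The profile is
modelled as a dict keyed by the option names from that table (the on-disk
encoding in ClientPolicy.xml / customerAll.reg is not documented here, so the
dict form is an assumption), and the 2048-bit RSA floor is an assumed policy."""
from urllib.parse import urlsplit

# Defaults exactly as the profile table states them.
PROFILE_DEFAULTS = {
    "KeySize": 512,
    "InactivityTimeout": 0,
    "AutoReenrollTries": 0,
    "SSLHostCommonNameCheck": False,
    "SSLHostAlternativeNameCheck": False,
    "SSLHostExtensionCheck": False,
    "UserWarningPassword": False,
}

MIN_RSA_BITS = 2048  # assumed floor; the product accepts anything from 512 up


def _is_https(url):
    return bool(url) and urlsplit(url).scheme.lower() == "https"


def audit_profile(profile):
    """Return a list of (severity, option, message) for one profile dict."""
    p = {**PROFILE_DEFAULTS, **profile}
    findings = []

    # The enrolment URLs carry the user name and password to the Server
    # (see UserWarningPassword), so they need TLS end to end.
    for key in ("EnrollURL0", "EnrollURL1"):
        url = p.get(key)
        if url and not _is_https(url):
            findings.append(("high", key, "enrolment URL is not https: " + url))

    # A plain-HTTP proxy in front of a plain-HTTP enrolment URL sees credentials.
    if p.get("HttpProxyURL") and not _is_https(p.get("EnrollURL0")):
        findings.append(("medium", "HttpProxyURL",
                         "credentials traverse the proxy unencrypted"))

    if int(p["KeySize"]) < MIN_RSA_BITS:
        findings.append(("high", "KeySize",
                         f"{p['KeySize']}-bit RSA is below the {MIN_RSA_BITS}-bit floor"))

    # With both host-name checks off, any certificate that chains to a trusted
    # root is accepted for any Server name, which defeats the TLS server check.
    if not (p["SSLHostCommonNameCheck"] or p["SSLHostAlternativeNameCheck"]):
        findings.append(("high", "SSLHost*NameCheck",
                         "Server certificate host name is not verified"))
    if not p["SSLHostExtensionCheck"]:
        findings.append(("medium", "SSLHostExtensionCheck",
                         "extended key usage ServerAuthentication is not required"))

    # InactivityTimeout 0 means SSO without constraints (no automatic logout).
    if int(p["InactivityTimeout"]) == 0:
        findings.append(("low", "InactivityTimeout",
                         "no inactivity logout; unattended sessions stay usable"))

    # AutoReenrollTries > 0 turns on in-memory caching of user name and password.
    if int(p["AutoReenrollTries"]) > 0:
        findings.append(("info", "AutoReenrollTries",
                         "user name and password are cached for re-enrolment"))

    return findings


def has_high_findings(profile):
    return any(sev == "high" for sev, _, _ in audit_profile(profile))


# Constructed sample profiles: one left at the documented defaults, one hardened.
WEAK_PROFILE = {
    "Profile name": "default",
    "PSEType": "promptedlogin",
    "EnrollURL0": "http://myServer.local/securelogin/PseServer?id=0001",
}

HARDENED_PROFILE = {
    "Profile name": "hardened",
    "PSEType": "promptedlogin",
    "EnrollURL0": "https://myServer.local/securelogin/PseServer?id=0001",
    "EnrollURL1": "https://myServer.local/securelogin/PseServer?id=0002",
    "KeySize": 2048,
    "InactivityTimeout": 900,
    "SSLHostCommonNameCheck": True,
    "SSLHostAlternativeNameCheck": True,
    "SSLHostExtensionCheck": True,
    "UserWarningPassword": True,
}

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_profile(prof))
```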
6.3.3.3 Files Download
This section details how to download the relevant Client policy files for the Secure Login Client. Use the files generated via this option (instead of the files generated via the Global Client Policy option, section 6.3.3.4 on page 191) if you want to export the Client policy files for the current (active) instance only.
1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.
2. Click Files download.
3. The following page will appear:
Figure 6-69 Files download page
The following options are available (options marked with * are mandatory):
Option | Details/Value
Client Policy | Click to open the Client Policy Management page (the default page). For further information see section 6.3.3 "Client Configuration" on page 183.
Applications | Click to open the Applications Management page. For further information see section 6.3.3.1 "Application Management" on page 184.
Profiles | Opens the Profiles management page. For further information see section 6.3.3.2 "Client Profile Management" on page 187.
Files download | Opens the Files Download page (this page).
Global Client Policy | Opens the Global Client Policy page. For further information see section 6.3.3.4 "Global Client Policy" on page 191.
Download | Download the selected policy file(s).
This dialog allows you to download the following files:
- The ClientPolicy.xml file and customer.zip (which contains the root certificate and a simple registry file). These are used for dynamic Client policy retrieval (via a policy Server).
- The customerAll.reg registry file. This is a static Client policy written as registry values to the Windows registry.
4. To download, check the appropriate policy file and click Download.
5. A download dialog will open. Click the download link at the bottom of the page, browse for a download location, and save the file.
6. Close the download dialog.
6.3.3.4 Global Client Policy
This section details how to download the relevant Client policy files (including instances) for the Secure Login Client. Use the files generated via this option (instead of the files generated via the Files Download option, section 6.3.3.3 on page 190) if you want to include the complete Secure Login Server configuration, including all instances, in the Client policy files for the Secure Login Client.
1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.
2. Click Global Client Policy.
3. The following page will appear:
Figure 6-70 Global Client policy page
The following options are available (options marked with * are mandatory):
Option | Details/Value
Client Policy | Click to open the Client Policy Management page (the default page). For further information see section 6.3.3 "Client Configuration" on page 183.
Applications | Click to open the Applications Management page. For further information see section 6.3.3.1 "Application Management" on page 184.
Profiles | Opens the Profiles management page. For further information see section 6.3.3.2 "Client Profile Management" on page 187.
Files download | Opens the Files Download page. For further information see section 6.3.3.3 "Files Download" on page 190.
Global Client Policy | Opens the Global Client Policy page (this page).
Generate | Generate Client policy files for the whole configuration.
4. Click Generate to generate (or re-generate) the global Client policy files. If the information in each of the Client policy instance files can be merged, a list of files will appear below the Generate button. The following files can be downloaded:
- The GlobalClientPolicy.xml and GlobalCustomer.reg files are used for dynamic Client policy retrieval (via a policy Server).
- The GlobalCustomerAll.reg registry file is a static Client policy written as registry values to the Windows registry.
To download, click the appropriate file(s), browse for a download location, and save the file. If the information in each of the Client policy instance files cannot be merged, a message will appear stating which parameters are conflicting. Locate and change the specific parameters via the Client Policy, Applications, and Profiles options.
5. Close the download dialog.
6.3.4 Instance Log Management
This section details the Server/instance logging functionality of the Administration Console. The log entries apply only to Server actions.
1. If you have not already done so, click the Instance log management node from the tree in the left-hand pane.
2. By default the Monthly log page will appear:
Figure 6-71 Instance log management - main page/monthly log page
This page displays all of the tasks performed via the Administration Console since logging began, as well as the Secure Login Server log. This page allows you to:
- Select a period of time to view via the Log Month or Log Day combo-box.
- Change log settings.
- Export log files to a *.csv file.
This page displays the following options:
Option | Details
Monthly log | View the monthly log (as in the figure above). For information about the log entries refer to the table below.
Daily log | Select this if the logging list is too long to view or if you just wish to view the logging data from a specific day in the current month. For further information see section 6.3.4.1 "Daily Log" on page 193.
Log analysis | Provides graphical visualization of authentication operations.
Log settings | Change the logging settings. For further information see section 6.3.4.2 "Log Settings" on page 195.
Archived Log | This option allows you to view archived log files. For further information see section 6.3.4.3 "Archived Log" on page 196.
Log month | View the log entries from a specific month via the combo-box.
Export logs | Click to export the current page of log entries to a file (*.csv). NOTE: This entry is only visible if log entries are present.
By default, the page will display the log entries from the current month in a table. The monthly table contains the following information about the administration tasks:
Table column | Details
Date | The date the task was performed.
Time | The time the task was performed.
Code | The internal code of the task performed.
Level | An abbreviated message level, e.g. INF for information or ERR for error.
Description | A description of the message/task.
6.3.4.1 Daily Log
This section details how to view and export the daily log file entries from the Daily log page of the Administration Console.
1. If you have not already done so, click the Instance log management node from the tree in the left-hand pane.
2. The following information will appear:
Figure 6-72 Instance log management - daily log page
This page displays the log entries from the current day (going back a total of one week) in a table. This page allows you to:
- Select a day to view via the Log date combo-box.
- Change log settings.
- Export log files to a *.csv file.
The following options are available:
Option | Details
Monthly Log | View the monthly log. For further information see section 6.3.4 "Instance Log Management" on page 192.
Daily Log | View the daily log (as in the figure above). For information about the log entries refer to the table on the next page.
Log settings | Change the logging settings. For further information see section 6.3.4.2 "Log Settings" on page 195.
Archived Log | This option allows you to view archived log files. For further information see section 6.3.4.3 "Archived Log" on page 196.
Log date | View the log entries from a specific day via the combo-box.
Export logs | Click to export the current page of log entries to a file (*.csv). NOTE: This entry is only visible if log entries are present.
By default, the page will display the log entries from the current day in a table. The table contains the following information about the administration tasks:
Table column | Details
Time | The time the administrative task occurred.
Client | The Client computer from which the administrative task was initiated.
DNS/IP | The DNS name and IP address of the Client computer from which the administrative task was initiated.
View As | NOTE: This field only appears if multiple sets of DNS/IP are configured on the admin computer; the IP values of one set are displayed.
User | The name of the user that initiated the administrative task.
Action | The administrative task performed by the user.
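As an added example (not SECUDE code), the following script reviews an exported daily log for administrative actions that came from a host outside an allow-list and for accounts used from more than one machine on the same day. The column names follow the table above; the CSV dialect, the "dns/ip" joining, the allow-list and the sample rows are constructed for the demonstration.

```python
"""Added example (not SECUDE code): review an exported daily log (*.csv) for
administrative actions from unexpected hosts and for admin accounts used from
several machines.  The column layout (Time, Client, DNS/IP, User, Action)
follows the table above; the exact CSV dialect the Administration Console
writes, and the "dns/ip" joining, are assumptions."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export: three sessions, one of them from a host that is
# not an approved admin workstation.
SAMPLE_DAILY_LOG = """\
Time,Client,DNS/IP,User,Action
08:01:12,ADMIN-WS01,admin-ws01.corp.example/10.0.5.11,Admin,Login
08:02:40,ADMIN-WS01,admin-ws01.corp.example/10.0.5.11,Admin,Edit role
09:15:03,ADMIN-WS02,admin-ws02.corp.example/10.0.5.12,jsmith,Login
09:15:30,ADMIN-WS02,admin-ws02.corp.example/10.0.5.12,jsmith,Sign certificate request
13:44:09,LAPTOP-X,laptop-x.guest.example/192.0.2.77,jsmith,Login
13:44:31,LAPTOP-X,laptop-x.guest.example/192.0.2.77,jsmith,Add user
13:45:02,LAPTOP-X,laptop-x.guest.example/192.0.2.77,jsmith,Assign role
"""

# Assumed allow-list of approved admin workstation addresses.
ALLOWED_ADMIN_IPS = {"10.0.5.11", "10.0.5.12"}


def parse_daily_log(text):
    """Parse the CSV export into row dicts and split DNS/IP into two fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        dns, _, ip = row["DNS/IP"].rpartition("/")
        row["dns"], row["ip"] = dns, ip
        rows.append(row)
    return rows


def actions_from_unexpected_hosts(rows, allowed_ips=ALLOWED_ADMIN_IPS):
    """Return the rows whose source IP is not an approved admin workstation."""
    return [r for r in rows if r["ip"] not in allowed_ips]


def users_on_multiple_hosts(rows):
    """Map each user to the sorted list of client hosts seen, keeping only
    users seen on more than one host; an admin account used from two machines
    on one day deserves a look."""
    hosts = defaultdict(set)
    for r in rows:
        hosts[r["User"]].add(r["Client"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) > 1}


def action_counts(rows):
    """Count configuration-changing actions per user (Login entries excluded)
    as a simple per-day baseline."""
    return Counter(r["User"] for r in rows if r["Action"] != "Login")


if __name__ == "__main__":
    parsed = parse_daily_log(SAMPLE_DAILY_LOG)
    for r in actions_from_unexpected_hosts(parsed):
        print(f"{r['Time']} {r['User']} on {r['Client']} ({r['ip']}): {r['Action']}")
    print(users_on_multiple_hosts(parsed))
    print(action_counts(parsed))
```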
6.3.4.2 Log Settings
This section details the log file settings for the Instance log management page of the Administration Console.
1. If you have not already done so, click the Instance log management node from the tree in the left-hand pane.
2. The following information will appear:
Figure 6-73 Instance log management – log settings
This page allows you to change the logging parameters via the following options (options marked with * are mandatory):
Option | Details
Maximum log file size* | The maximum size for the log file directory (all log files) in gigabytes.
Maximum individual file size* | The maximum size a log file may reach before it is archived.
Daily log file cleanup interval* | The interval, in days, after which the next log cleanup starts.
Monthly log cleanup interval* | The interval, in months, after which the next log cleanup starts.
Daily log prefix* (non-editable) | The file prefix for daily logs.
Directory for storing daily logs* (non-editable) | The directory for daily log storage.
Monthly log prefix* (non-editable) | The file prefix for monthly logs.
Directory for storing monthly logs* (non-editable) | The directory to which the monthly log files are saved.
Certificate and request archiving directory (also known as ArchivingDir in the configuration.properties file) | The directory for storing all Client and Server communication data (certificates and certificate requests). NOTE: Make sure that you enter a valid path. If the path is invalid, the error Internal Server Error may occur when the Secure Login Client tries to log on.
3. Enter the parameters for each option and click Save. You will be returned to the Instance log management main page.
6.3.4.3 Archived Log
This section details the Archived log file page of the Administration Console.
1. If you have not already done so, click the Instance Log Management node from the tree in the left-hand pane.
2. Click Archived log. The following information will appear:
Figure 6-74 Instance log management - archived log files
The following options are available:
Option | Details
Archived file name | The name under which the Server has saved the log file(s).
Selected | A radio button to indicate which file should be downloaded.
3. You now have the following options:
- To download a log file archive, select an archive from the Selected column and click Download. You will be prompted to choose a location. The log files are in ZIP format.
- To delete a log file archive, select an archive from the Selected column and click Delete.
6.3.5 Instance Check
This section details the Instance Check page of the Administration Console.
1. If you have not already done so, click the Instance Check node from the tree in the left-hand pane.
2. The following page will appear:
Figure 6-75 Instance Check page
This page displays the status of the Secure Login components, Client policy, and PKI structure. For information about how to fix problems with system components, either refer to chapter 7 "Troubleshooting" on page 211 or contact SECUDE support.
6.3.6 Instance Status
This section details the Instance Status page of the Administration Console.
1. If you have not already done so, click the Instance Check node from the tree in the left-hand pane.
2. The following page will appear:
Figure 6-76 Instance Check page
The Instance status is displayed as a table containing the following details:
Criteria | Details
Date | Current date and time.
Version | Version of the SECUDE Secure Login Server being used.
Uptime | The amount of time the Server has remained active and running.
Instance ID | The identity of the current Server instance.
Configuration URL | Location of the configuration.properties file.
Configuration status | configuration.properties file permission status (i.e. readable or not readable).
Server locked | Whether the Server instance is locked.
PSE Server status | Alive = working.
Server build | SECUDE Secure Login Server version.
6.4 Console Users
This section details the Console Users page of the Administration Console. Use this node to view when an administrator logged in to, or logged out of, the Administration Console.
1. If you have not already done so, click the Console Users node from the tree in the left-hand pane.
2. The following page will appear:
Figure 6-77 Console Users page
This page displays the current login/logoff status for each administrator in chronological order, with the latest entry at the top of the table. No further actions can be performed on this page.
Related Information
For detailed information about any action performed by an administrator refer to:
- the Console Log Viewer node (see section 6.1.15 on page 165)
- the Instance Log Management node (see section 6.3.4 on page 192)
- the Locked Files Management node (see section 6.4.3 on page 205)
6.4.1 User Management
This section details the User Management node of the Administration Console. This node displays a list of the users/administrators registered to the Administration Console and allows you to add a new user, edit/delete a current user, and assign a role to a user (for further information about roles refer to the next section).
1. If you have not already done so, click the User Management node from the tree in the left-hand pane.
2. The User management page will appear:
Figure 6-78 Administration Console - user management page
The current list of roles in the database will appear in a table. The following options are available:
Option | Details
Add | Add a new user/administrator to the Administration Console user database.
Edit | Edit any entry preselected from the list. This will open the Create User page.
Delete | Delete any entry preselected from the list.
Assign Role | Assign a role to any preselected user in the list. For further information refer to the next page.
It is only possible to delete users that have been added/configured by you. The user 'Admin' is a permanent user that has the role 'super-user' and cannot be deleted (only the password can be changed) or altered in any way. As a consequence, the 'admin' user can log onto the system regardless of state (i.e. when a serious system error occurs), guaranteeing that there is at least one user that can always access Secure Login to correct or configure the system.
Add/Edit a User
1. Click either Add or Edit to open the following page:
Figure 6-79 User management – add/edit a user
The following options are available (options marked with * are mandatory):
Option | Details
ID* | The unique identifier for the user inside the Administration Console.
Name* | The username to be used for login. NOTE: If you want to use either External login or SSL Certificate Login, make sure that this entry is consistent with the respective certificate/database.
Change Password | This option is only visible when editing a user entry in the list. Check this option to change the password.
Password* | The password to be used for local login. NOTE: The password must be at least 8 characters in length and contain a mix of uppercase/lowercase letters, special characters and numbers.
Confirm Password* | Confirm the password to be used for local login.
External login | Use JAAS module-based login. This feature uses user information stored in an Authentication Server database for identification. Clicking this option will display the extra option External Login ID. NOTE: an Authentication Server must be pre-configured for this feature to work correctly.
External Login ID | The unique identifier (password) for JAAS module-based authentication. NOTE: This option is only visible when the option External login is checked.
SSL Certificate Login | Use certificate-based authentication. Clicking this option will display the extra option Certificate Login ID.
Certificate Login ID | The unique identifier (password) for certificate-based login. This entry must be the same as the subject_alt_name used during login certificate creation. NOTE: This option is only visible when the option SSL Certificate Login is checked. For further information about login certificates refer to section 3.3.3.1 on page 37.
Disabled | If checked, the user cannot log on to the console. NOTE: This option is not available for the default user (Admin).
If the options External login and SSL Certificate Login are both left unchecked, the default method, local login, is used.
2. Enter information for each of the options and click Save.
Assign a Role to a User
1. Select the user from the user list to which the role is to be assigned.
2. Click Assign Role to open the following page:
Figure 6-80 User management – assign role to a user
Select one or more roles from the left-hand pane (All Roles) and click >>Add to transfer that role to the user (My Roles).
3. Click Save.
Delete a Role from a User
1. Select the user from the user list from which the role is to be removed.
2. Click Assign Role to open the following page:
Figure 6-81 User management – assign role to a user
Select the role(s) from the right-hand pane (My Roles) and click >>Delete to remove the role from the user.
3. Click Save.
6.4.2 Role Management
This section details the Role Management node of the Administration Console. Use this node to configure the permissions for each administrator role.
1. If you have not already done so, click the Role Management node from the tree in the left-hand pane.
2. The Role Management page will appear:
Figure 6-82 Role management - main page
This page displays a list of the roles available in the Administration Console and allows you to configure them. The following options are available:
Option | Details
Add | Add a new role to the Administration Console.
Copy | Copy any entry preselected in the list. This will open the Create Role page. For further details refer to the next page.
Edit | Edit any entry preselected from the list. This will open the Create Role page. For further details refer to the next page.
Delete | Delete any entry preselected from the list.
It is only possible to edit and delete roles that have been added or copied. The default roles (Super User, CA Administrator, User Administrator, Auditor, Operator) cannot be altered or deleted.
Add/Edit a Role
1. Either click Add to make a completely new role, or select the role on which you want to base a similar role and click Copy.
2. The Create Role page will appear:
Figure 6-83 Role management – add/copy a role
The following options are available (options marked with * are mandatory):
Option | Details
ID* | The unique identifier for the role.
Name* | The name used to describe the role.
Permission List | The permissions that make up the role:
- sssPermission: Perform signon&secure-related operations. If left unchecked, the SSS&JCO Installation node will not appear in the navigation tree.
- logROPermission: Permission to view the log file. If left unchecked, the Console Log Viewer and Instance Log Management nodes will not appear in the navigation tree (unless the option logRWPermission is checked).
- logRWPermission: Permission to change the logging configuration and export log files. If left unchecked, the Console Log Viewer and Instance Log Management nodes will not appear in the navigation tree (unless the option logROPermission is checked).
- statusPermission: Permission to view the status of the Server as well as each instance in the configuration. If left unchecked, the Server Status and Instance Status nodes will not appear in the navigation tree (unless the option statusUnlockPermission is checked).
- statusUnlockPermission: Permission to unlock a locked Server or instance.
- localizationPermission: Permission to perform GUI language-related operations. If left unchecked, the Change Language node will not appear in the navigation tree.
- lockFilePermission: Permission to unlock locked files. If left unchecked, the Locked Files Management node will not appear in the navigation tree.
- WebClientPermission: Permission to configure the Web-Clients. If left unchecked, the Web Client Configuration node will not appear in the navigation tree.
- confRWPermission: Permission to edit the Server configuration or instance configuration. If left unchecked, the Server Configuration and DefaultServer Configuration nodes will not appear in the navigation tree (unless the option confROPermission is checked).
- confROPermission: Permission only to view the Server configuration or instance configuration. If left unchecked, the Server Configuration and DefaultServer Configuration nodes will not appear in the navigation tree (unless the option confRWPermission is checked).
- multiRWPermission: Permission to add, edit, and delete instances. If left unchecked, the Instance Management node will not appear in the navigation tree (unless the option multiViewPermission is checked).
- sysAnalyzePermission: Permission to check the system for missing or faulty components. If left unchecked, the System Check and Instance Check nodes will not appear in the navigation tree.
- backRestorePermission: Permission to perform backup and restore operations. If left unchecked, the Backup/Restore node will not appear in the navigation tree.
- userPermission: Permission to perform user-related operations, such as creating a new user. If left unchecked, the User Management node will not appear in the navigation tree.
- rolePermission: Permission to perform role-related operations, such as creating a new role. If left unchecked, the Role Management node will not appear in the navigation tree.
- multiViewPermission: Permission only to view instance details. If left unchecked, the Instance Management node will not appear in the navigation tree (unless the option multiRWPermission is checked).
- caPermission: Permission to perform certificate authority-related tasks. If left unchecked, the Certificate Template, Sign Certificate Requests, and Certificate Management nodes will not appear in the navigation tree.
- authPermission: Permission to perform authentication and Truststore operations. If left unchecked, the Authentication Management and Truststore Management nodes will not appear in the navigation tree.
- ClientPermission: Permission to perform Client policy operations. If left unchecked, the Client Configuration node will not appear in the navigation tree.
3. Enter a unique identifier for the role into the field ID and enter a description of the role into the field Name.
4. Check each of the options appropriate for the intended role and click Save.
6.4.3 Locked Files Management
This section details how to check if any Secure Login-specific system files have been locked and, if necessary, unlock them (provided the necessary rights have been granted to the administrator role; see section 6.4.2 on page 202). Files are locked in the following scenarios:
- When multiple administrators try to configure Secure Login at the same time. When this happens, one administrator will receive a message informing them to contact the specific administrator to unlock the file. This message may appear under several nodes.
- When a user closes the Internet browser window without clicking Logout first.
1. If you have not already done so, click the Locked Files Management node from the tree in the left-hand pane.
2. The Locked Files Management page will appear:
Figure 6-84 Instance log management - main page/monthly log page
This page displays any files that have been locked. The following files may appear in the list:
- Web.xml
- Configuration.properties
- Clientpolicy.xml
- Cert_template.xml
- Keystore.xml
- Role.xml
- User.xml
- Serverlist.xml
- SLSJaasModule.login
3. Select the file(s) that you want to unlock and click Release.
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
6.5
Other Administration Features This section details Secure Login features to assist an administrator – without the need to use the Administration Console. The most useful function for an administrator is the ability to view the Server or Server instance status in a quick manner. To this end, Secure Login can be queried via HTTP POST (see next section) or HTTP GET (via a browser). The HTTP POST method returns an XML formatted back, HTTP GET can return both HTTP and XML formats. The status information returned via both methods is the same.
Contents
6.5.1
Section 6.5.1 „Status Query via an Internet Browser‟ on page 206 Section 6.5.2 „Secure Login Web Service Status Query‟ on page 209 Section 6.5.3 „ XML Interface‟ on page 209
Status Query via an Internet Browser This section details how to quickly retrieve the Server status via an Internet browser.
Parameters
The following parameters can be applied to obtain the Server status, or can be mixed to retrieve the status of a specific Server/Server instance: op = add an option Possible values: - status = retrieve the status of the default Server instance - Serverstatus = retrieve the status of the Server (all other parameters will be ignored) id = add a Server ID Possible values:
- = retrieve the status of a specific Server instance (use in combination with status) xml = retrieve status information in XML format Possible values:
- on : (only for HTTP GET) Example 1: Retrieve the Status of the Default Server Instance Example 2: Retrieve the Status of a Specific Server Instance Example 3: Retrieve the Status of the Server
Example 4: Retrieve Status informaTion 206
Use the following example to quickly retrieve the status of the default Server instance: http:///securelogin/ PseServer?op=status
For example: http://localhost:8080/securelogin/PseServer?op=status Use the following example to quickly retrieve the status of a specific Server instance: http:///securelogin/PseServer? op=status&id=0001
For example: http://localhost:8080/securelogin/PseServer?op=status&id=0001 Use the following example to quickly retrieve the status of the Server: http:///securelogin/ PseServer?op=Serverstatus
For example: http://localhost:8080/securelogin/PseServer?op=Serverstatus Use the following example to retrieve status information: http:///securelogin/ PseServer?&
For example, to retrieve the status of a specific Server instance:
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual http://localhost:8080/securelogin/PseServer?op=status&id=0001
Example Reply
Figure 6-85 Direct Server query – Server instance query
6.5.2 Introduction
Secure Login Web Service Status Query This section details, in brief, how to query the Secure Login Web Service for status and available operations. This section applies only to Servers to which Secure Login - with the Web service - have been deployed. For further information refer to chapter 5 on page 109. The Web Service query will vary according to application Server: On Tomcat, the Secure Login Web Service is deployed to Apache Axis2 Web-service provider and therefore it is Apache Axis2 that will be queried. On NetWeaver, the Secure Login Web Service can be queried directly. Before proceeding Make sure that you have deployed the Secure Login Web Client application to either Tomcat or NetWeaver and the application Server has been started.
Web Service Query using Tomcat

Enter the following URLs in your Internet browser (replace <host>:<port> with the host name and HTTP port of your Tomcat Server):

To view the Axis2 main page:
http://<host>:<port>/axis2/axis2-web/index.jsp
This page enables you to view any services deployed to Axis2 as well as to perform administration tasks and system checks.

To view the status of all running Web services:
http://<host>:<port>/axis2/services/listServices

To view the Web service directly:
http://<host>:<port>/axis2/services/secureloginservice?wsdl

Here is an example of the Axis2 Available services page:

Figure 6-86 Web Service – Axis2 available services

Click the secureloginservice link to view the status of the service in XML format.

Web Service Query using NetWeaver

Enter the following URL in your Internet browser to view the Web service status (replace <host>:<port> with the host name and HTTP port of your NetWeaver Server):
http://<host>:<port>/SecureLoginService/Config1?style=document

Axis2 Administration Front-End

Apache Axis2 also has an administration front-end. It is available via the URL:

http://localhost:8080/axis2/axis2-admin/

This front-end allows the upload (and hence the change) of Web Service Archives and the activation/deactivation of deployed services. It is shipped with a default account: user=admin, password=axis2. Anyone who can log in to this front-end can upload a service archive and thereby run code of their own choosing on the application Server, so it is strongly recommended that the Secure Login administrator change the password of the Axis2 admin front-end before the Server is reachable by anyone else. This can be accomplished as follows:

1. Open the file axis2.xml in the Server directory webapps\axis2\WEB-INF\conf\.
2. Locate the following lines:

<parameter name="userName">admin</parameter>
<parameter name="password">axis2</parameter>

3. Change the values admin and axis2 accordingly and restart the application Server (axis2.xml is read at startup).

Note that the password is stored in clear text in axis2.xml, so restrict read access to this file to the account under which the application Server runs. If the administration front-end is not needed in production, additionally block access to the path /axis2/axis2-admin/ at the network or Web Server level.
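The following Python script is an added example, not part of the SECUDE manual or of Apache Axis2: it audits an axis2.xml for the default admin front-end account described above. It assumes the Axis2 layout in which the credentials are the <parameter name="userName"> and <parameter name="password"> elements directly below <axisconfig>; the sample configuration fragments and the minimum password length are constructed for this example.

```python
"""Audit an Apache Axis2 axis2.xml for the default admin front-end account.

Added example; not part of SECUDE Secure Login or Apache Axis2. The sample
configuration fragments below are constructed for this example.
"""
import xml.etree.ElementTree as ET

DEFAULT_USER = "admin"          # defaults shipped with Axis2 (see the manual)
DEFAULT_PASSWORD = "axis2"
MIN_PASSWORD_LENGTH = 12        # assumption: a local policy, not an Axis2 rule

# Constructed fragment of an unchanged axis2.xml.
SAMPLE_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="hotupdate">false</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
</axisconfig>
"""

# The same fragment after the administrator changed both values.
HARDENED_AXIS2_XML = (SAMPLE_AXIS2_XML
                      .replace(">admin<", ">sls-operator<")
                      .replace(">axis2<", ">correct-horse-battery-staple<"))


def admin_credentials(xml_text):
    """Return (userName, password) from the top-level <parameter> elements;
    each value is None if the element is not present."""
    root = ET.fromstring(xml_text)
    values = {}
    for param in root.findall("parameter"):
        name = param.get("name")
        if name in ("userName", "password"):
            values[name] = (param.text or "").strip()
    return values.get("userName"), values.get("password")


def audit_axis2_config(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    user, password = admin_credentials(xml_text)
    findings = []
    if user is None or password is None:
        findings.append("userName/password parameters missing; cannot confirm "
                        "that the defaults were changed")
        return findings
    if user == DEFAULT_USER and password == DEFAULT_PASSWORD:
        findings.append("default credentials admin/axis2 are still in place")
    elif password == DEFAULT_PASSWORD:
        findings.append("default password axis2 is still in place")
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"admin password is shorter than {MIN_PASSWORD_LENGTH} characters")
    return findings


def audit_axis2_file(path):
    """Audit an axis2.xml on disk (e.g. webapps/axis2/WEB-INF/conf/axis2.xml)."""
    with open(path, encoding="utf-8") as fh:
        return audit_axis2_config(fh.read())


if __name__ == "__main__":
    for label, text in (("shipped", SAMPLE_AXIS2_XML), ("hardened", HARDENED_AXIS2_XML)):
        print(label, audit_axis2_config(text) or ["OK"])
```

Run it against the real file with audit_axis2_file("webapps/axis2/WEB-INF/conf/axis2.xml") from a deployment check; a non-empty result should block the Server from going into production.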
6.5.3 XML Interface

Introduction

In addition to the Administration Console, SECUDE Secure Login Server provides an XML interface to automate monitoring using your own or a third-party program, e.g. to incorporate monitoring into administrative tools. SECUDE Secure Login Server has to be called with a specific request in XML format. The Secure Login Server then returns an XML reply with the status information.

Contents

Section 6.5.3.1 "Status Request", on page 209
Section 6.5.3.2 "Status Reply", on page 209

6.5.3.1 Status Request

Request Format

Use HTTP POST to send a status request. The request is a Pepperbox 2.0.0 XML message whose action is STATUS_REQUEST_ACTION.

To post a status request, send the XML request to the address of the PseServer servlet:

http://<host>:<port>/securelogin/PseServer

For example:

http://localhost:8080/securelogin/PseServer

6.5.3.2 Status Reply

Reply Format

The Server answers with a Pepperbox 2.0.0 XML message of action STATUS_ACTION and content type application/xml. The example reply in the manual carries the following values:

- Server version: $Name: SLS_5-1-1-0 $ (SLS_5-1-1-0)
- Configuration file: file:C:/Program Files/Apache Software Foundation/Tomcat 6.0/webapps/securelogin/WEB-INF/Instances/Configuration.properties
- Server status: OK, Mon Jan 28 12:02:54 CET 2010
- Instance 00020: false, OK
- 0701
- Description: "The current Server status is enclosed with this transfairgram (only for diagnostic purpose)"
7 Troubleshooting

Introduction

This chapter describes the SECUDE Secure Login Server features for logging and error recovery.

Sections in this Chapter

Section 7.1 "How to use Unlimited Key Length Policies", on page 212
Section 7.2 "Log Files", on page 213
Section 7.3 "Turning Tracing On/Off", on page 215
Section 7.4 "SECUDE Secure Login Server Lock and Unlock", on page 216
Section 7.5 "Setting the Correct Environment Variables for SAP ID-Based Logon", on page 217
Section 7.6 "Problems with the Client URL", on page 218
Section 7.7 "Implement an SSL.PSE-Based TrustStore for HTTPS", on page 218
Section 7.8 "'Access Denied' Replies", on page 219
Section 7.9 "Why the Secure Login Instance/Server is Locked", on page 219
Section 7.10 "Password Expiry Warnings on Sun LDAP (1)", on page 220
Section 7.11 "Password Expiry Warnings on Sun LDAP (2)", on page 220
Section 7.12 "Secure Login Server Cannot Establish an SNC Connection to the SAP Server", on page 221
Section 7.13 "Administration Console Pages Appear 'broken'", on page 221
Section 7.14 "Problem Loading the GSS Library (SAP-ID Module)", on page 222
Section 7.15 "Blank Page when Logging into the Secure Login Administration Console", on page 223
Section 7.16 "Users Cannot be Successfully Authenticated to any JAAS Module", on page 227
7.1 How to use Unlimited Key Length Policies

This section details how to solve problems with key length restrictions for several algorithms.

Problem

The creation of PKCS#12 files using passwords longer than 7 characters is not possible in the Administration Console.

Solution

The standard JCE settings restrict the key length for several algorithms. Follow these steps to disable the restrictions:

1. Browse to the Java lib\security sub-directory (for example: \jdk1.5.0_08\jre\lib\security).
2. Locate the files local_policy.jar and US_export_policy.jar.
3. Make duplicates of both files and give them the file extension *.bak (this means that you can return to the original files if you need to).
4. Delete local_policy.jar.
5. Duplicate US_export_policy.jar and rename the copy to local_policy.jar.

To check that both files US_export_policy.jar and local_policy.jar are unrestricted, unzip them and open the contained policy file in a text editor (default_US_export.policy; an original, restricted local_policy.jar contains default_local.policy instead). If the following text is displayed the check is successful and the policies are unrestricted:

// Manufacturing policy file.
grant {
    // There is no restriction to any algorithms.
    permission javax.crypto.CryptoAllPermission;
};

If the JCE files local_policy.jar and US_export_policy.jar are not present in the directory jre\lib\security, download the 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files' from one of the following locations (depending on which Java version you use):

http://java.sun.com/javase/downloads/index_jdk5.jsp (for Java 5)
http://java.sun.com/javase/downloads/index.jsp (for Java 6)

(These will work for all JCE versions.) Extract the contents of the ZIP file to the Java lib\security directory (for example \jre\lib\security). These files already have the necessary permissions.

Note that the JCE framework accepts only policy JARs signed by the JDK vendor; this is why the unrestricted file has to be a copy of a shipped JAR or the vendor's download, and a hand-built JAR with the same policy text is rejected when the JCE framework initializes. Restart the application Server after changing the policy files, as they are read only once at JCE initialization.
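The check step above can be scripted. The following Python script is an added example, not part of the SECUDE manual or of the JDK: it opens both policy JARs in a lib/security directory and reports whether they grant javax.crypto.CryptoAllPermission, ignoring commented-out lines. The JARs built by demo() are constructed (and unsigned) stand-ins used only to exercise the check.

```python
"""Check whether the JCE jurisdiction policy JARs grant CryptoAllPermission.

Added example; not part of SECUDE Secure Login or of the JDK. The JARs built
by demo() are constructed for this example and are unsigned, so they only
exercise the check (a real JDK accepts only vendor-signed policy JARs).
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path

POLICY_JARS = ("local_policy.jar", "US_export_policy.jar")
_COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)
_GRANT_ALL_RE = re.compile(r"permission\s+javax\.crypto\.CryptoAllPermission\s*;")

# Policy text of the unlimited file, as quoted in section 7.1.
UNLIMITED_POLICY = """// Manufacturing policy file.
grant {
    // There is no restriction to any algorithms.
    permission javax.crypto.CryptoAllPermission;
};
"""

# Constructed stand-in for a restricted local policy: the CryptoAllPermission
# line is only a comment, so it must not count.
RESTRICTED_POLICY = """grant {
    // permission javax.crypto.CryptoAllPermission;
    permission javax.crypto.CryptoPermission *, 128;
};
"""


def policy_grants_all(policy_text):
    """True if the policy text contains an uncommented CryptoAllPermission grant."""
    return _GRANT_ALL_RE.search(_COMMENT_RE.sub("", policy_text)) is not None


def jar_is_unlimited(jar_path):
    """The JCE loader reads every *.policy entry in the JAR, whatever its
    name, so inspect all of them rather than only default_US_export.policy."""
    with zipfile.ZipFile(jar_path) as jar:
        entries = [n for n in jar.namelist() if n.endswith(".policy")]
        if not entries:
            raise ValueError(f"{jar_path}: no *.policy entry found")
        return any(policy_grants_all(jar.read(n).decode("utf-8", "replace"))
                   for n in entries)


def check_security_dir(security_dir):
    """Map each policy JAR in <java home>/lib/security to True (unlimited),
    False (restricted) or None (file missing)."""
    result = {}
    for name in POLICY_JARS:
        path = Path(security_dir) / name
        result[name] = jar_is_unlimited(path) if path.is_file() else None
    return result


def demo():
    """Build a lib/security look-alike in a temporary directory and check it:
    the stock layout has an unlimited US_export_policy.jar next to a
    restricted local_policy.jar, which is exactly what section 7.1 fixes."""
    security_dir = tempfile.mkdtemp(prefix="jce-")
    with zipfile.ZipFile(os.path.join(security_dir, "US_export_policy.jar"), "w") as jar:
        jar.writestr("default_US_export.policy", UNLIMITED_POLICY)
    with zipfile.ZipFile(os.path.join(security_dir, "local_policy.jar"), "w") as jar:
        jar.writestr("default_local.policy", RESTRICTED_POLICY)
    return check_security_dir(security_dir)


if __name__ == "__main__":
    print(demo())
```

After the procedure in section 7.1, check_security_dir on the real lib\security directory should return True for both JARs; a False for local_policy.jar means the copy step did not take effect, and a None means the file is missing. The script does not verify the JAR signature, so pair it with jarsigner -verify when the JARs did not come straight from the vendor download.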
7.2 Log Files

Introduction

For the SECUDE Secure Login Server, log files for daily and monthly logging are created. The location and log file names can be specified using one of these methods:

- Manually in the SECUDE Secure Login Server configuration properties (see section 9.2.3 "Configuration" on page 248).
- Via the Administration Console (see section 6.3.4 "Instance Log Management" on page 177).

Contents

Section 7.2.1 "Daily Log File", on page 213
Section 7.2.2 "Monthly Log File", on page 215

7.2.1 Daily Log File

Introduction

The daily log file has an entry for each transaction. An entry contains the following information (if available):

- Time and date of the transaction
- ID of the Client
- Instance ID
- IP address and DNS entry as sent by the Client
- Client IP address and DNS entry as seen by the Server
- Name of the user making the request
- Action code of the request
- Result of the transaction

Note that the IP address and DNS entry "as sent by the Client" are supplied by the Client itself. Do not rely on them for access decisions or investigations; compare them with the address "as seen by the Server", which is taken from the connection.

Result Codes

The following table describes the possible result codes in alphabetical order:

Result Code                                      Details
ACE_INVALID_ARG                                  Invalid PIN
ACE_UNDEFINED_NEXT_PASSCODE                      Empty or invalid token code
ACE_UNDEFINED_PASSCODE                           Empty or invalid password
ACE_UNDEFINED_USERNAME                           Empty or invalid user name
ACM_ACCESS_DENIED                                Authentication failed
ACM_NEW_PIN_ACCEPTED                             New PIN accepted
ACM_NEW_PIN_REJECTED                             New PIN not accepted
ACM_NEW_PIN_REQUIRED                             User needs a new PIN
ACM_NEXT_CODE_REQUIRED                           Next token code required to continue authentication
ACM_OK                                           User could be authenticated
INTERNAL_SERVER_ERROR (plus error description)   Server error
INVALID_MESSAGE_FORMAT (plus error description)  Invalid or incomplete Client message
OK                                               Transaction successful

Sample Daily Log File

08/15/2008, 11:47:34 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser1, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 11:47:42 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser2, action: AUTH_ACTION, result: ACM_OK, instance: -Default-
08/15/2008, 11:49:17 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser1, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 11:49:29 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser7, action: AUTH_ACTION, result: ACM_OK, instance: -Default-
08/15/2008, 11:50:43 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser2, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 11:50:51 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser5, action: AUTH_ACTION, result: ACM_OK, instance: -Default-
08/15/2008, 14:30:06 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser2, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 14:30:14 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser5, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:30:18 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser5, action: AUTH_ACTION, result: ACM_NEW_PIN_REQUIRED, instance: -Default-
08/15/2008, 14:30:32 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser5, action: NEW_PIN_ACTION, result: ACM_NEW_PIN_REJECTED, instance: -Default-
08/15/2008, 14:33:41 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser3, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 14:33:50 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser2, action: AUTH_ACTION, result: ACM_NEW_PIN_REQUIRED, instance: -Default-
08/15/2008, 14:33:56 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser2, action: NEW_PIN_ACTION, result: ACM_NEW_PIN_ACCEPTED, instance: -Default-
08/15/2008, 14:41:57 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser1, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 14:42:41 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:42:46 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:42:51 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
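The daily log is the place to look for password guessing against the Server, such as the three consecutive ACM_ACCESS_DENIED results for testuser6 above. The following Python script is an added example, not part of SECUDE Secure Login: it parses entries in the layout of the sample daily log, flags users with repeated denials inside a short window, and lists entries whose Client-supplied IP address differs from the one the Server saw. The entries in SAMPLE_DAILY_LOG are constructed for this example (the last one adds an address mismatch that the manual's sample does not contain); the threshold and window are assumptions.

```python
"""Parse SECUDE Secure Login daily log entries and flag suspicious patterns.

Added example; not part of SECUDE Secure Login. The entry layout follows the
sample daily log in section 7.2.1; the lines in SAMPLE_DAILY_LOG are
constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_DAILY_LOG = """\
08/15/2008, 14:30:06 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser2, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 14:30:14 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser5, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:30:18 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser5, action: AUTH_ACTION, result: ACM_NEW_PIN_REQUIRED, instance: -Default-
08/15/2008, 14:42:41 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:42:46 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:42:51 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:43:05 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 203.0.113.9/203.0.113.9, user: testuser1, action: AUTH_ACTION, result: ACM_OK, instance: -Default-
"""

# One daily log entry: the "Client: ..." host/IP pair is what the Client
# claimed, the "seen as:" pair is what the Server observed on the connection.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}), (?P<time>\d{2}:\d{2}:\d{2}) \((?P<tz>[^)]*)\), "
    r"Client: (?P<client>[^,]*), (?P<sent_host>[^/]*)/(?P<sent_ip>[^,]*), "
    r"seen as: (?P<seen_host>[^/]*)/(?P<seen_ip>[^,]*), "
    r"user: (?P<user>[^,]*), action: (?P<action>[^,]*), "
    r"result: (?P<result>[^,]*), instance: (?P<instance>.*)$"
)


def parse_entry(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # The zone abbreviation is kept as a field but not applied: all entries
    # of one file share it, which is all the window comparison needs.
    entry["timestamp"] = datetime.strptime(
        f"{entry['date']} {entry['time']}", "%m/%d/%Y %H:%M:%S")
    return entry


def parse_log(text):
    """Parse all lines, skipping blank or malformed ones."""
    return [e for e in map(parse_entry, text.splitlines()) if e]


def repeated_denials(entries, threshold=3, window=timedelta(minutes=5)):
    """Return {user: total ACM_ACCESS_DENIED count} for every user with at
    least `threshold` denials inside any span of `window` (a sliding window
    over the sorted timestamps): the shape of a password-guessing attempt."""
    denials = defaultdict(list)
    for e in entries:
        if e["result"] == "ACM_ACCESS_DENIED":
            denials[e["user"]].append(e["timestamp"])
    flagged = {}
    for user, stamps in denials.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[user] = len(stamps)
                break
    return flagged


def address_mismatches(entries):
    """Entries whose Client-supplied IP differs from the one the Server saw.
    The Client value is self-reported, so a mismatch (NAT aside) deserves a
    look before that value is used in any investigation."""
    return [e for e in entries if e["sent_ip"] != e["seen_ip"]]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_DAILY_LOG)
    print("repeated denials:", repeated_denials(entries))
    for e in address_mismatches(entries):
        print("address mismatch:", e["user"], e["sent_ip"], "seen as", e["seen_ip"])
```

For a real installation feed the daily log file's contents to parse_log and tune threshold and window to the lockout policy of the Authentication Server; keying the denial count by seen_ip instead of user catches guessing that rotates through user names from one source.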
7.2.2 Monthly Log File

Introduction

Monthly log files contain system events and errors. An entry contains the following information:

- Time and date of the event or error
- Event or error code (see section 8 "Error and Return Codes" on page 231)
- Error level
- Description of the event or error
- Instance ID

Result Codes

The following table describes the possible error levels in alphabetical order:

Error Level   Details
ERR           Fatal error
INF           Information
WAR           Warning

Sample Monthly Log File

08/15/2008, 13:15:40 (CEST), PSE_STARTUP, INF, "Standard servlet startup." -Default-
08/15/2008, 13:16:39 (CEST), INVALID_MESSAGE_FORMAT, ERR, "Received NEW_PIN_ACTION while not in challenge mode." -Default-
08/15/2008, 14:00:37 (CEST), INVALID_MESSAGE_FORMAT, ERR, "Received NEW_PIN_ACTION while not in challenge mode." -Default-
08/15/2008, 14:20:24 (CEST), PSE_SHUTDOWN, INF, "Standard servlet shutdown." -Unknown-
08/15/2008, 14:21:21 (CEST), PSE_STARTUP, INF, "Standard servlet startup." -Default-
08/15/2008, 14:22:25 (CEST), INVALID_MESSAGE_FORMAT, ERR, "Received NEW_PIN_ACTION while not in challenge mode." -Default-
08/15/2008, 14:23:05 (CEST), INVALID_MESSAGE_FORMAT, ERR, "Received NEW_PIN_ACTION while not in challenge mode." -Default-
08/15/2008, 14:56:40 (CEST), PSE_SHUTDOWN, INF, "Standard servlet shutdown." -Default-
08/15/2008, 16:12:46 (CEST), PSE_STARTUP, INF, "Standard servlet startup." -Default-
08/15/2008, 16:14:49 (CEST), PSE_STARTUP, INF, "Admin servlet startup." -Default-
08/15/2008, 16:14:50 (CEST), JAAS_LDAP_ERROR, ERR, "Could not reach the Authentication Servers." -Default-
08/15/2008, 16:14:51 (CEST), JAAS_LDAP_ERROR, ERR, "Could not reach the Authentication Servers." -Default-
08/16/2008, 16:14:51 (CEST), JAAS_LDAP_ERROR, ERR, "Could not reach the Authentication Servers." -Default-
08/16/2008, 16:24:16 (CEST), PSE_SHUTDOWN, INF, "Admin servlet shutdown." -Default-
08/16/2008, 16:24:16 (CEST), PSE_SHUTDOWN, INF, "Standard servlet shutdown." -Default-
08/17/2007, 17:47:09 (CEST), PSE_STARTUP, INF, "Standard servlet startup." -Default-
08/17/2007, 17:47:25 (CEST), CERT_CREATE_ERROR, WAR, "No certificate chain found in key store." -Default-
08/17/2007, 17:47:25 (CEST), CERT_CREATE_ERROR, WAR, "No root certificate found in key store." -Default-
08/18/2007, 14:32:36 (CEST), PSE_SHUTDOWN, INF, "Standard servlet shutdown." -Default-
08/18/2007, 15:14:54 (CEST), PSE_STARTUP, INF, "Standard servlet startup." -Default-

7.3 Turning Tracing On/Off

Introduction

This section details how to enable and disable trace messages. The trace options can be changed via the Administration Console (see section 6.1.3 "Server Configuration" on page 124).

Turn Tracing On

1. In the Server Configuration page of the Administration Console click Edit.
2. Under the option Show trace on the console select Yes.
3. Click Save.

Turn Tracing Off

1. In the Server Configuration page of the Administration Console click Edit.
2. Under the option Show trace on the console select No.
3. Click Save.

SECUDE Secure Login Server can generate a large amount of trace output. For test systems it is recommended to enable tracing. For production systems it is recommended to disable tracing, as it can produce unnecessarily large log files and impede performance.
7.4 SECUDE Secure Login Server Lock and Unlock

Introduction

The SECUDE Secure Login Server locks itself when it detects a serious problem, such as an Authentication Server failure, that affects all Clients.

Lock Files

SECUDE Secure Login uses the following files to lock the Server or a Server instance:

PseServer.lock
This file is used to lock the complete Server. The Server lock is applied only if the Configuration.properties file cannot be read. The LockDir property in the web.xml file determines where the Server lock file is written.

PseInstance<instance ID>.lock
If the Configuration.properties file can be read by Secure Login and a lock becomes necessary, Secure Login creates an instance-based lock. The directory for the instance-based lock is specified by the property LockDir in Configuration.properties; LockDir in web.xml works as a fallback. The file name of the instance lock file is built from the following parameters:

- LOCK_FILE_PREFIX = "PseInstance";
- LOCK_FILE_SUFFIX = ".lock";

Two lock files are created from these parameters: a 'normal' lock file that includes the instance ID and a fallback lock file, for example:

- PseInstance001.lock
- PseInstanceDefault.lock

What happens when the Server Locks?

If a SECUDE Secure Login Server lock occurs:

- The lock file PseServer.lock or PseInstance<instance ID>.lock is created; it also contains the time of its creation. The location of the lock file can be configured in the web.xml file via the LockDir parameter.
- The SECUDE Secure Login Server responds to SECUDE Secure Login Client requests with the HTTP status code 404. This indicates that the Server is not available, and the Client fails over to the next Server/instance in the Server list.
- The Administration Console Status page contains an entry that indicates that the Server is locked (see section 7.9 on page 219).

Unlock the Server

Use the unlock functionality of the Administration Console (see section 6.1 on page 119). It is not necessary to shut down the Server to perform this task. Resolve the cause of the lock (see section 7.9) before unlocking; the lock is only the symptom, and the Server locks again when it next detects the same problem.
7.5 Setting the Correct Environment Variables for SAP ID-Based Logon

Introduction

The information in this section applies to SAP ID-based logon only. The variables USER, HOME and CREDDIR have no relevance, in terms of environment variables, for SECUDE Secure Login Server 5.0. Furthermore, NetWeaver Application Server Java (regardless of platform) is excluded, because the environment variables described below are exclusively for SAP JCO, and with NetWeaver the JCO libraries are already available system-wide (for Windows this means that the JCO libraries sapjcorfc.dll and librfc32.dll are located in the directory windows\system32). If the JCO library path has been set manually as a system-wide variable (not via the Secure Login Administration Console), this also bypasses all Secure Login components and the environment variables are no longer needed (there is then no need to perform the steps in this section).

Variables

For SECUDE Signon&Secure to make a successful SNC connection for SAP ID-based authentication, the correct credentials/variables are needed. According to platform these are:

Linux+Solaris: LD_LIBRARY_PATH
Windows: PATH

Both should point to the SSS (Signon&Secure) directory within the Secure Login Web application. They should be set either system-wide or in the start script of the Application Server/Container Engine. Prefer the start script: a directory on the loader path is searched by every process that inherits the variable, so a system-wide setting widens the impact of a replaced or writable library. In either case make sure that the SSS directory and the libraries in it can be modified only by administrators, since they are loaded into the application Server process.

Follow these steps to set the correct environment variables for SECUDE Signon&Secure (according to platform):

Linux/Solaris

1. Enter the following command in a shell to extend the variable LD_LIBRARY_PATH:
   export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/lib/tomcat5/webapps/securelogin/WEB-INF/SSS
   If LD_LIBRARY_PATH was not set before, omit the leading $LD_LIBRARY_PATH: part; an empty element in LD_LIBRARY_PATH makes the dynamic loader search the current working directory as well.
2. To check that it was successful, open the Administration Console and navigate to the node Server Configuration > System Check. Under the SAP ID Check header the SECUDE SNC runtime entry should read OK.

Windows

Using Tomcat 5.x as an example, enter the following command in a command shell to extend the variable PATH (this affects only the shell session from which the application Server is then started):
set PATH=%PATH%;\webapps\securelogin\WEB-INF\SSS

As an alternative you can set the variable as follows:

1. Open Control Panel > System.
2. Click the Advanced tab.
3. Click Environment Variables.
4. Under the System Variables heading click New (if PATH already exists, select it and click Edit instead, and append the directory to the existing value).
5. Enter PATH into the Variable Name field and \securelogin\WEB-INF\SSS in the field Variable Value. For example: \webapps\securelogin\WEB-INF\SSS
6. Click OK.
7. If the application Server is running, restart it.
8. To check that it was successful, open the Administration Console and navigate to the node Server Configuration > System Check. Under the SAP ID Check header the SECUDE SNC runtime entry should read OK.
7.6 Problems with the Client URL

Problem

The URL entered by the Client returns the error Internal Server Error. This error is expected: it indicates an invalid Server instance (in a multiple instance environment) or another Server problem.

Solution

First check that the Secure Login URL points to the correct Server instance; it is likely that the instance referred to in the URL is invalid. For example:

http://myServer.local/securelogin/PseServer?id=0001

For details about how to alter the URL see section 6.3.3.2 on page 187.
7.7 Implement an SSL.PSE-Based TrustStore for HTTPS

Problem

You want to use an SSL.PSE-based TrustStore for HTTPS instead of the Microsoft CAPI TrustStore.

Prerequisites

Knowledge of the SECUDE shell (secude.exe). secude.exe is available only as part of the Signon&Secure package. For further information contact SECUDE support.

Make sure that you have already performed the following procedure on the certificate before starting the solution below:

1. Import the root certificate using the Administration Console as a *.crt file. The certificate will be stored in a PEM-encoded format.
2. Open the file in an editor and remove the first and last line of the file (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- respectively). Save the file.
3. Open a SECUDE shell and enter the following command to convert the base64-encoded contents of the file into a binary (DER) file:
   secude decode \ROOT_CA.crt root.der

Verify the fingerprint of the root certificate against a value obtained from the CA operator before you import it: whatever ends up in ssl.pse is what every Client will trust for HTTPS.

Solution

Follow these steps to enable an SSL.PSE-based TrustStore for HTTPS:

1. Create a PSE (Personal Security Environment) and name it ssl.pse. To do this, open a SECUDE shell and enter the following command:
   secude psecrt -p ssl.pse "CN=dummy"
   The DName (Distinguished Name) used for this is irrelevant; the example uses CN=dummy. Enter the PIN 1234 twice (this value is mandatory). After a short period of time the PSE file ssl.pse is generated and saved to your Signon&Secure directory.
2. The resulting PSE must be changed by importing the root certificate. Enter the following commands in the SECUDE shell (press Return after each line; xxx is an alias, replace it with a name of your choice):
   > secude psemaint -p ssl.pse
   > import xxx \root.der
   > cert2pkroot xxx PKRoot
   > yes (to overwrite the old PKRoot)
   > delete xxx
   > q
   The first command opens the SECUDE shell in which the other commands are entered. The command q closes the command prompt.
3. Copy the ssl.pse file to the Secure Login Client into the directory C:\Program Files\SECUDE\OfficeSecurity\. This file can be distributed with the Secure Login Client installation, via the customer folder. Because the PIN is fixed, the file's integrity rests on file system permissions alone: make sure that only administrators can replace ssl.pse on the Client, since anyone who can overwrite it can change which CA the Client trusts.
4. Open the Windows Registry Editor and create the following registry value (REG_DWORD):
   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\SecureLogin\System]
   "useSslPse"=dword:00000001
5. Restart the SECUDE securelogin COM Service (the Microsoft ADS profile will be missing) or reboot the computer.

7.8 'Access Denied' Replies

Problem

The Secure Login Server is returning a large number of "access denied" replies to the Secure Login Client during heavy load.

Target OS

Windows Server

Explanation

After a TCP/IP socket has been used for communication and the connection is closed, the OS keeps the socket reserved for some time (the TIME_WAIT state) before it releases it for its next use. Under heavy load this exhausts the ports available for new connections, which means that the parameter TcpTimedWaitDelay is set too high and must be changed. For further information refer to the following Microsoft page:
http://technet2.microsoft.com/windowsServer/en/library/38b8bf76-b7d3-473c-84e8-e657c0c619d11033.mspx

Solution

Open regedit and locate the parameter TcpTimedWaitDelay under:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the value of TcpTimedWaitDelay (a REG_DWORD holding a number of seconds; create it if it does not exist) to 30 seconds, the lowest value Windows accepts. The change takes effect after a reboot.

7.9 Why the Secure Login Instance/Server is Locked

Problem

The Secure Login instance/Server is locked.

Target OS

All

Explanation/Solution

The Server may be locked because:

- The Configuration.properties file cannot be read. Solution: Check the integrity and path of the Configuration.properties file.
- The parameter LockServerOnEventLogFailure is set to true and
  - the hard disk is full. Solution: Increase the hard disk capacity/delete unnecessary files.
  - the file permissions are incorrect. Solution: Check the file permissions of the user under which the Secure Login Server processes run.
  - the log folder does not exist. Solution: Re-define/check the log settings in the Administration Console (section 6.3.4.2 on page 195).

The Server instance may be locked because:

- The ArchivingDir property is set to a non-existent directory. Solution: Check the log settings in the Administration Console (section 6.3.4.2 on page 195).
- The User CA PSE cannot be opened by the Secure Login Server. Solution: Check the validity and integrity of the certificate authority PSE file.
- The Configuration.properties file cannot be read. Solution: Check the integrity and path of the Configuration.properties file.
- The parameter LockInstanceOnTransactionLogFailure is set to true and
  - the hard disk is full. Solution: Increase the hard disk capacity/delete unnecessary files.
  - the file permissions are incorrect. Solution: Check the file permissions of the user under which the Secure Login Server processes run.
  - the log folder does not exist. Solution: Re-define/check the log settings in the Administration Console (section 6.3.4.2 on page 195).

Under heavy load the Server may lock because the user has a limit on the maximum number of files they can have open at the same time. Solution: Check the Secure Login Server event log for a java.io.IOException stating "Too many open files". If present, Secure Login was not allowed to open log files for writing, which resulted in the lock state. Allow the user that starts/owns the Secure Login Server process to open more files than the default configured in the system limits (for example /etc/security/limits.conf on Linux).

Setting LockServerOnEventLogFailure or LockInstanceOnTransactionLogFailure to false avoids the lock, but it means the Server keeps authenticating users while it cannot write its logs. Keep both parameters at true in production and fix the underlying disk, permission or limit problem instead.
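The lock files of section 7.4 and the causes in section 7.9 can be checked from outside the Server. The following Python script is an added example, not part of SECUDE Secure Login: find_locks lists the lock files in a LockDir using the PseServer.lock / PseInstance<ID>.lock naming from section 7.4, and diagnose checks the file-system causes from section 7.9 (unreadable Configuration.properties, missing or unwritable log and ArchivingDir directories, low disk space) plus the POSIX open-file limit. The paths, thresholds and the lock file content in demo() are constructed assumptions to be adapted to the installation.

```python
"""Inspect Secure Login lock files and check the preconditions behind a lock.

Added example; not part of SECUDE Secure Login. Lock file names follow
section 7.4, the checks follow the causes listed in section 7.9. Paths,
thresholds and the layout built by demo() are constructed assumptions.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path

SERVER_LOCK_FILE = "PseServer.lock"
LOCK_FILE_PREFIX = "PseInstance"     # LOCK_FILE_PREFIX from section 7.4
LOCK_FILE_SUFFIX = ".lock"           # LOCK_FILE_SUFFIX from section 7.4
_INSTANCE_LOCK_RE = re.compile(
    re.escape(LOCK_FILE_PREFIX) + r"(?P<instance>.+)" + re.escape(LOCK_FILE_SUFFIX) + r"$")


def find_locks(lock_dir):
    """Return [(scope, instance, content)] for the lock files in LockDir.
    scope is "server" (whole Server) or "instance"; content is the text the
    Server wrote into the file (section 7.4: the time of its creation)."""
    locks = []
    for path in sorted(Path(lock_dir).iterdir()):
        if path.name == SERVER_LOCK_FILE:
            locks.append(("server", None, path.read_text(errors="replace").strip()))
            continue
        m = _INSTANCE_LOCK_RE.match(path.name)
        if m:
            locks.append(("instance", m.group("instance"),
                          path.read_text(errors="replace").strip()))
    return locks


def diagnose(config_path, log_dir, archiving_dir=None, min_free_mb=10):
    """Check the causes from section 7.9 that are visible in the file system
    and return a list of findings (an empty list means nothing was found)."""
    findings = []
    config = Path(config_path)
    if not config.is_file():
        findings.append(f"Configuration.properties missing: {config}")
    elif not os.access(config, os.R_OK):
        findings.append(f"Configuration.properties not readable by this user: {config}")
    for label, directory in (("log", log_dir), ("ArchivingDir", archiving_dir)):
        if directory is None:
            continue
        d = Path(directory)
        if not d.is_dir():
            findings.append(f"{label} directory does not exist: {d}")
            continue
        if not os.access(d, os.W_OK):
            findings.append(f"{label} directory not writable by this user: {d}")
        free_mb = shutil.disk_usage(d).free // (1024 * 1024)
        if free_mb < min_free_mb:
            findings.append(f"{label} directory has only {free_mb} MB free: {d}")
    return findings


def open_file_limit_finding(min_soft=4096):
    """POSIX only: report a soft open-file limit below min_soft (an assumed
    threshold), the "Too many open files" cause from section 7.9. Returns
    None on Windows or when the limit is adequate."""
    try:
        import resource
    except ImportError:
        return None
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if soft != resource.RLIM_INFINITY and soft < min_soft:
        return (f"soft open-file limit is {soft}; raise it to at least {min_soft} "
                f"for the Server user (e.g. in limits.conf)")
    return None


def demo():
    """Constructed layout: one locked instance, a missing configuration file
    and a missing ArchivingDir. Returns (locks, findings)."""
    base = Path(tempfile.mkdtemp(prefix="sls-"))
    (base / "logs").mkdir()
    (base / "PseInstance001.lock").write_text("Mon Jan 28 12:02:54 CET 2010\n")
    locks = find_locks(base)
    findings = diagnose(base / "Configuration.properties", base / "logs", base / "archive")
    return locks, findings


if __name__ == "__main__":
    locks, findings = demo()
    print("locks:", locks)
    print("findings:", findings)
    print("open-file limit:", open_file_limit_finding())
```

Run diagnose as the account that owns the Secure Login Server process; the permission checks are only meaningful for that user, and a clean result under an administrator account says nothing about the Server's own access.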
7.10 Password Expiry Warnings on Sun LDAP (1)

Problem

A password expiration warning is shown regardless of the password policy setting on Sun LDAP.

Affected Systems

Sun ONE Directory Server v5.2
Sun Java System Directory Server v5.2
Sun Java System Directory Server v6.0

Explanation

When the LDAP attribute passwordExpirationTime has been set (for example via a password policy that was later removed), the attribute still exists and causes useless expiry messages in the Secure Login Client, such as:
"Attention: Your password will expire on 12.07.2004" (expiry date in the past)

Solution

This is a problem caused by the directory Server and not by Secure Login Server. Please refer to the Sun Directory Server release notes for details.

7.11 Password Expiry Warnings on Sun LDAP (2)

Problem

A password expiry message is displayed on the Secure Login Client, even though Sun ONE LDAP is configured so that the password does not expire.

Affected Systems

Sun ONE Directory Server v5.2
Sun Java System Directory Server v5.2
Sun Java System Directory Server v6.0

Explanation/Solution

This is a Sun ONE password policy problem, due to an enabled password policy No5. Please refer to the Sun ONE Directory Server release notes for details.
7.12 Secure Login Server Cannot Establish an SNC Connection to the SAP Server

Problem

The Secure Login Server cannot establish an SNC connection to the SAP Server.

Affected Systems

-

Explanation/Solution

This may be due to the following:

- The Secure Login Server SNC PSE is not valid: there will be no working SNC connection (the JCO trace reads only "SNC connection cannot be established, empty answer").
- The credentials cannot be found: there will be no working SNC connection (the JCO trace says only "No credentials supplied").
- The Ticket.snc file cannot be found: if the ticket is not installed correctly or cannot be found by the SECUDE Signon&Secure/SECUDE library, there may be no error log output at all; connections to the backend simply stop. If Tomcat is used as the container engine, the Tomcat process may even be terminated when the ticket cannot be found but SAP-ID logon is used.
- The SNC name of the Server is incorrect: in the SAP Logon Client software the Server SNC name is equal to the SNCServerName parameter in the Secure Login Server SAP-ID module. This parameter value has to correspond with the DN of the PSE on the SAP Server.
- The SNC names of users are incorrect: the SNC name of SAP users (see SAP transaction SU01) must correspond with the DN of the user certificates coming from the Secure Login Server. The user for the SLS (e.g., SLSSNC) must also have an SNC name which corresponds with the DN in SLSSNC's PSE (this PSE can be generated in the Administration Console; it is called the JCO PSE and is used by the Secure Login Server for the SNC connection to the SAP Server).

In summary:

- A valid SNC Server connection requires a valid PSE from the Server PKI (e.g., the user certificate must be from the same root).
- A valid SNC user connection requires a valid certificate of the Server PKI and a registered user account at the SAP Server. The Secure Login Server SAP-ID module uses the user account credentials at the SAP Server for JAAS authentication; the SAP Server uses the DN of the user certificate as the SNC name of the corresponding SAP account to verify the user.
7.13 Administration Console Pages Appear 'broken'

Problem

The Administration Console pages have an odd appearance or appear to be 'broken'. This may include, but is not limited to:

- Missing icons
- Missing items in combo-boxes
- Buttons that do not work, for example the Start button of the initialization wizard batch creation page or the Upload button in the Web Client platform configuration.

Explanation/Solution

The most likely cause for Administration Console pages with an odd appearance (especially during the initialization wizard) is that a previous version of Secure Login Server has been removed from the same Tomcat Server but the Tomcat JSP cache has not been removed or has not been automatically updated. To solve this, stop Tomcat and delete all old securelogin folders from the webapps directory. Also delete the Tomcat cache directory (the work directory below the Tomcat installation directory). Restart Tomcat. The Administration Console pages should now be OK.
7.14 Problem Loading the GSS Library (SAP-ID Module)

Problem

Problems occur when configuring the SAP-ID module, so that no Server connection exists. The Application Server trace contains SNC errors such as the following examples:

[Thr 168] Fri Jul 18 09:34:33 2008
[Thr 168] *** ERROR => SncPDLInit(): DlLoadLib("\secude.dll")=DLEINVAL [sncxxdl.0340]
[Thr 168] *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) \secude.dll not loaded [sncxxdl.0604]
Exception in thread "main" com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to SAP gateway failed
Connect_PM GWHOST=000, GWSERV=sapgw00, SYSNR=00

LOCATION    CPIC (TCP/IP) on local host
ERROR       SNCERR_INIT
            Resource problem or gssapi library invalid/missing
            sec_avail="false"
TIME        Fri Jul 18 09:34:33 2008
RELEASE     710
COMPONENT   SNC (Secure Network Communication)
VERSION     5
RC          -1
MODULE      sncxx.c
DETAIL      SncInit
COUNTER     2

Or:

[Thr 5008] Fri Jul 18 09:42:10 2008
[Thr 5008] *** ERROR => SncPDLInit(): DlLoadLib("\secude.dll")=DLEINVAL [sncxxdl.0340]
[Thr 5008] *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) \secude.dll not loaded [sncxxdl.0604]
Exception in thread "main" com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to SAP gateway failed
Connect_PM GWHOST=000, GWSERV=sapgw00, SYSNR=00

LOCATION    CPIC (TCP/IP) on local host
ERROR       Unable to load the GSS-API DLL named "\secude.dll"
TIME        Fri Jul 18 09:42:10 2008
RELEASE     710
COMPONENT   SNC (Secure Network Communication)
VERSION     5
RC          -1
MODULE      sncxxdl.c

Explanation/Solution

Possible causes and solutions:

- The SECUDE SNC library does not exist at the given path. Solution: Locate the SECUDE SNC library and move it to the correct directory.
- The SECUDE SNC library is incorrect for this platform (32-bit vs. 64-bit, C runtime version, etc.). Solution: Delete the incorrect components, locate the SECUDE SNC library suitable for the Server environment and move it to the correct directory.
- If the above causes do not apply, the problem may be the length of the path (number of characters) to the SECUDE SNC library. This is a problem caused by JCO: JCO is not capable of loading the GSS library when the length of the path is more than 100 characters. Solution: Move the SSS package as well as the SECUDE library to a directory with a shorter path, and configure the SAP-ID module accordingly (NativeLibraryPath).
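All three causes can be checked before the SAP-ID module is configured. The following Python script is an added example, not part of SECUDE Secure Login or SAP JCO: it verifies that the library exists, reads the bitness from the PE (.dll) or ELF (.so) file header and compares it with the JVM's, and measures the path against the 100-character limit stated above. The JVM bitness is approximated by this Python interpreter's pointer size, which assumes the script runs with the same architecture as the application Server; the library images written by demo() are constructed, header-only stubs.

```python
"""Pre-flight checks for the SECUDE SNC library path used by the SAP-ID module.

Added example; not part of SECUDE Secure Login or SAP JCO. Checks the three
causes from section 7.14: missing file, wrong bitness for the loading JVM,
and a path longer than JCO's 100-character limit. The images built by
demo() are constructed header-only stubs.
"""
import os
import struct
import tempfile

JCO_MAX_PATH_LENGTH = 100   # limit stated in section 7.14

# PE IMAGE_FILE_HEADER.Machine values and ELF EI_CLASS values.
_PE_MACHINES = {0x014C: 32, 0x8664: 64, 0x0200: 64}   # i386, x86-64, IA-64
_ELF_CLASSES = {1: 32, 2: 64}


def library_bitness(path):
    """Return 32 or 64 from the header of a PE (.dll) or ELF (.so) image,
    or None if the format is not recognised."""
    with open(path, "rb") as fh:
        data = fh.read(4096)
    if data[:4] == b"\x7fELF" and len(data) > 4:
        return _ELF_CLASSES.get(data[4])
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_offset:pe_offset + 4] == b"PE\0\0" and len(data) >= pe_offset + 6:
            machine = struct.unpack_from("<H", data, pe_offset + 4)[0]
            return _PE_MACHINES.get(machine)
    return None


def check_native_library(path, jvm_bits=None, max_len=JCO_MAX_PATH_LENGTH):
    """Return a list of problems for the library at `path`; empty means OK.
    jvm_bits defaults to this interpreter's pointer size (assumption: same
    architecture as the application Server's JVM)."""
    if jvm_bits is None:
        jvm_bits = struct.calcsize("P") * 8
    if not os.path.isfile(path):
        return [f"library not found: {path}"]
    problems = []
    bits = library_bitness(path)
    if bits is None:
        problems.append("not a recognised PE or ELF image")
    elif bits != jvm_bits:
        problems.append(f"library is {bits}-bit but the JVM is {jvm_bits}-bit")
    if len(path) > max_len:
        problems.append(f"path is {len(path)} characters, longer than JCO's limit of "
                        f"{max_len}; move the SSS package to a shorter path and "
                        f"update NativeLibraryPath")
    return problems


def _fake_pe(machine):
    """Constructed minimal DOS header + PE signature + machine field."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE header
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)


def _fake_elf(elf_class):
    """Constructed ELF identification bytes with the given EI_CLASS."""
    return b"\x7fELF" + bytes([elf_class]) + bytes(59)


def demo():
    """Write constructed 32-bit PE, 64-bit ELF and over-long-path images and
    check each against a 64-bit JVM. Returns {file name: problems}."""
    base = tempfile.mkdtemp(prefix="sss-")
    long_dir = os.path.join(base, "x" * 90)
    os.makedirs(long_dir)
    images = {
        "secude32.dll": (base, _fake_pe(0x014C)),
        "libsecude64.so": (base, _fake_elf(2)),
        "libsecude_long.so": (long_dir, _fake_elf(2)),
    }
    results = {}
    for name, (directory, blob) in images.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(blob)
        results[name] = check_native_library(path, jvm_bits=64)
    results["missing.dll"] = check_native_library(os.path.join(base, "missing.dll"), jvm_bits=64)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or ["OK"])
```

Point check_native_library at the NativeLibraryPath value of the SAP-ID module on the real Server; the C runtime mismatch mentioned in the second cause is not detectable from the header and still needs the vendor's platform package list.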
7.15 Blank Page when Logging into the Secure Login Administration Console
Problem
When logging into the Secure Login Administration Console the GUI does not appear; only a blank page appears. The following example error appears in the defaulttrace of the NetWeaver Application Server:
#1.5#001AA00E3F65004E0000028E0000111C00045224BE3B94F3#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###java.lang.NullPointerException#
#1.5#001AA00E3F65004E0000028F0000111C00045224BE3B982E#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.Web.framework.login.impl.UserManager.getUserById(UserManager.java:52)#
#1.5#001AA00E3F65004E000002900000111C00045224BE3B98A5#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.util.AdminAccount.canLogin(AdminAccount.java:178)#
#1.5#001AA00E3F65004E000002910000111C00045224BE3B9916#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.adminui.AdminAccountHandler.tryLogin(AdminAccountHandler.java:162)#
#1.5#001AA00E3F65004E000002920000111C00045224BE3B9986#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.adminui.AdminAccountHandler.process(AdminAccountHandler.java:63)#
#1.5#001AA00E3F65004E000002930000111C00045224BE3B99F7#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.adminui.NavigationServlet.process(NavigationServlet.java:170)#
#1.5#001AA00E3F65004E000002940000111C00045224BE3B9A67#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.adminui.NavigationServlet.doPost(NavigationServlet.java:89)#
#1.5#001AA00E3F65004E000002950000111C00045224BE3B9AD8#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)#
#1.5#001AA00E3F65004E000002960000111C00045224BE3B9B45#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)#
#1.5#001AA00E3F65004E000002970000111C00045224BE3B9BB3#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.Server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)#
#1.5#001AA00E3F65004E000002980000111C00045224BE3B9C23#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.Server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)#
#1.5#001AA00E3F65004E000002990000111C00045224BE3B9C95#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.util.ConsoleFilter.doFilter(ConsoleFilter.java:29)#
#1.5#001AA00E3F65004E0000029A0000111C00045224BE3B9D04#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.Server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)#
#1.5#001AA00E3F65004E0000029B0000111C00045224BE3B9D75#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.Server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:373)#
#1.5#001AA00E3F65004E0000029C0000111C00045224BE3B9DF5#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.Server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)#
#1.5#001AA00E3F65004E0000029D0000111C00045224BE3B9E67#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpServer.Server.RequestAnalizer.startServlet(RequestAnalizer.java:347)#
#1.5#001AA00E3F65004E0000029E0000111C00045224BE3B9ED8#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpServer.Server.RequestAnalizer.startServlet(RequestAnalizer.java:325)#
#1.5#001AA00E3F65004E0000029F0000111C00045224BE3B9F49#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpServer.Server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)#
#1.5#001AA00E3F65004E000002A00000111C00045224BE3B9FBB#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpServer.Server.RequestAnalizer.handle(RequestAnalizer.java:241)#
#1.5#001AA00E3F65004E000002A10000111C00045224BE3BA02B#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpServer.Server.Client.handle(Client.java:92)#
#1.5#001AA00E3F65004E000002A20000111C00045224BE3BA09A#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpServer.Server.Processor.request(Processor.java:148)#
#1.5#001AA00E3F65004E000002A30000111C00045224BE3BA109#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)#
#1.5#001AA00E3F65004E000002A40000111C00045224BE3BA17F#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)#
#1.5#001AA00E3F65004E000002A50000111C00045224BE3BA1EE#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)#
#1.5#001AA00E3F65004E000002A60000111C00045224BE3BA262#1216217670562#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at java.security.AccessController.doPrivileged(Native Method)#
#1.5#001AA00E3F65004E000002A70000111C00045224BE3BA2D1#1216217670562#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)#
#1.5#001AA00E3F65004E000002A80000111C00045224BE3BA33F#1216217670562#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)#
#1.5#001AA00E3F65004E000002A90000111C00045224BE3BB6B7#1216217670562#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###com.sap.engine.services.servlets_jsp.Server.exceptions.WebServletException: Error in JSP.
at com.sap.engine.services.servlets_jsp.Server.jsp.PageContextImpl.handleErrorPage(PageContextImpl.java:707)
at com.sap.engine.services.servlets_jsp.Server.jsp.PageContextImpl.handlePageException(PageContextImpl.java:702)
at jsp_ErrorPage_11216120837756._jspService(jsp_ErrorPage_11216120837756.java:65535)
at com.sap.engine.services.servlets_jsp.Server.jsp.JspBase.service(JspBase.java:112)
at com.sap.engine.services.servlets_jsp.Server.servlet.JSPServlet.service(JSPServlet.java:544)
at com.sap.engine.services.servlets_jsp.Server.servlet.JSPServlet.service(JSPServlet.java:186)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.Server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.Server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.secude.transfair.pepperbox.adminui.ErrorHandler.process(ErrorHandler.java:27)
at com.secude.transfair.pepperbox.adminui.NavigationServlet.process(NavigationServlet.java:179)
at com.secude.transfair.pepperbox.adminui.NavigationServlet.doPost(NavigationServlet.java:89)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.Server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)
at com.sap.engine.services.servlets_jsp.Server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)
at com.secude.transfair.pepperbox.util.ConsoleFilter.doFilter(ConsoleFilter.java:29)
at com.sap.engine.services.servlets_jsp.Server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)
at com.sap.engine.services.servlets_jsp.Server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:373)
at com.sap.engine.services.servlets_jsp.Server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpServer.Server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpServer.Server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpServer.Server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpServer.Server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpServer.Server.Client.handle(Client.java:92)
at com.sap.engine.services.httpServer.Server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Caused by: com.sap.engine.services.servlets_jsp.Server.exceptions.WebServletException: Error in JSP.
at com.sap.engine.services.servlets_jsp.Server.jsp.PageContextImpl.handleErrorPage(PageContextImpl.java:744)
at com.sap.engine.services.servlets_jsp.Server.jsp.PageContextImpl.handlePageException(PageContextImpl.java:702)
at jsp_top1216110529928._jspService(jsp_top1216110529928.java:65535)
at com.sap.engine.services.servlets_jsp.Server.jsp.JspBase.service(JspBase.java:112)
at com.sap.engine.services.servlets_jsp.Server.servlet.JSPServlet.service(JSPServlet.java:544)
at com.sap.engine.services.servlets_jsp.Server.servlet.JSPServlet.service(JSPServlet.java:186)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.Server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.Server.runtime.RequestDispatcherImpl.include(RequestDispatcherImpl.java:473)
at com.sap.engine.services.servlets_jsp.Server.jsp.PageContextImpl.include(PageContextImpl.java:165)
at jsp_ErrorPage_11216120837756._jspService(jsp_ErrorPage_11216120837756.java:10)
... 29 more
Caused by: com.sap.engine.services.servlets_jsp.Server.exceptions.WebIllegalStateException: The stream has already been committed.
at com.sap.engine.services.servlets_jsp.Server.runtime.Client.HttpServletResponseFacade.sendRedirect(HttpServletResponseFacade.java:997)
at jsp_top1216110529928._jspService(jsp_top1216110529928.java:11)
... 37 more
Affected Systems
NetWeaver Application Server only.
Explanation/ Solution
There is no current workaround for this sporadic problem. To solve the problem, re-deploy Secure Login to NetWeaver.
7.16 Users Cannot be Successfully Authenticated to any JAAS Module
Problem
After Secure Login has been successfully deployed to NetWeaver, no user can authenticate successfully to any JAAS module. The following example error appears in the files security_*.log and default_*.trc of the NetWeaver AS Java:
#1.5#001AA02C2EA0002B000003A80000039800897B2BD532EEFC#1216364672406#System.err#secude.com/SecureLogin#System.err#Guest#2464####c59e8c80549711ddb8f5001aa02c2ea0#HTTP Worker [1]##0#0#Error##Plain###com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:177)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:216)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.secude.transfair.pepperbox.JaasRsaRadiusAuthenticationManager.authenticate(JaasRsaRadiusAuthenticationManager.java:186)
at com.secude.transfair.pepperbox.ServerMessageHandler.handleAuthAction(ServerMessageHandler.java:889)
at com.secude.transfair.pepperbox.ServerMessageHandler.handleInMessage(ServerMessageHandler.java:223)
at com.secude.transfair.framework.LocalTFManager.handleInMessage(LocalTFManager.java:211)
at com.secude.transfair.pepperbox.SlsKernel.doSls(SlsKernel.java:360)
at com.secude.transfair.pepperbox.StandardServlet.doPost(StandardServlet.java:155)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at com.sap.engine.services.servlets_jsp.Server.Invokable.invoke(Invokable.java:66)
at com.sap.engine.services.servlets_jsp.Server.Invokable.invoke(Invokable.java:32)
at com.sap.engine.services.servlets_jsp.Server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:431)
at com.sap.engine.services.servlets_jsp.Server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:289)
at com.sap.engine.services.httpServer.Server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
at com.sap.engine.services.httpServer.Server.RequestAnalizer.startServlet(RequestAnalizer.java:376)
at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:85)
at com.sap.engine.services.httpServer.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:160)
at com.sap.engine.services.httpServer.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.httpServer.filters.WebContainerInvoker.process(WebContainerInvoker.java:67)
at com.sap.engine.services.httpServer.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpServer.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.httpServer.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
at com.sap.engine.services.httpServer.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpServer.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.httpServer.filters.DefineHostFilter.process(DefineHostFilter.java:27)
at com.sap.engine.services.httpServer.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpServer.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.httpServer.filters.MonitoringFilter.process(MonitoringFilter.java:29)
at com.sap.engine.services.httpServer.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpServer.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.httpServer.Server.Processor.chainedRequest(Processor.java:309)
at com.sap.engine.services.httpServer.Server.Processor$FCAProcessorThread.run(Processor.java:222)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:152)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:247)
Caused by: javax.security.auth.login.LoginException: Error: Callback com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4 not supported.
at com.secude.transfair.pepperbox.LdapJaasModule.login(LdapJaasModule.java:208)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:220)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
Error: Callback com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4 not supported.null#
Affected Systems
NetWeaver
Explanation/ Solution
This problem occurs especially while updating the complete Secure Login Server EAR package when an existing Secure Login installation already uses the AS Java on the Server. The error entry marked in red in the example above (the "Callback ... not supported" LoginException) is the cause to look for; it usually appears as the last line of the stack trace. Unfortunately you must completely restart the Application Server Java. A restart of the Secure Login application alone will not help. There is currently no other workaround.
7.17 Enable Remote Access to Initialize and Configure Secure Login Server
Problem
After installing Secure Login Server, the initialization/configuration cannot be performed from a remote location (only directly on the Server).
Affected Systems
All.
Explanation/ Solution
For reasons of security, the Secure Login Server component can only be initialized via the Administration Console, and only when the console is called from the same Server computer on which Secure Login resides (see section 3.6 on page 54). If, however, you want to perform the initialization and configuration from a remote location, you must enable this manually by editing the Secure Login web.xml file directly on the application Server:
1. Locate the web.xml file in your application Server Web application directory: securelogin\WEB-INF\web.xml
2. Open the web.xml file in an editor.
3. Locate the following section (the declaration of the Navigation servlet):
<servlet>
  <servlet-name>Navigation</servlet-name>
  <servlet-class>com.secude.transfair.pepperbox.adminui.NavigationServlet</servlet-class>
  …
  <init-param>
    <param-name>remoteAccess</param-name>
    <param-value>false</param-value>
  </init-param>
</servlet>
4. Edit the remoteAccess parameter value (marked in red above) to true.
5. Save the web.xml file.
After you have completed the initialization and configuration of Secure Login Server, it is recommended to reinstate security by changing the remoteAccess parameter value back to false.
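As an added example (not SECUDE's code and not part of this manual), the following Python script audits a Secure Login web.xml for the remoteAccess setting described above and can reset it to false once the initialization is finished. It assumes the servlet is declared under the name Navigation with an init-param remoteAccess, as in the steps above; the sample descriptor and its J2EE namespace are constructed for the example.

```python
# Added example, not part of the SECUDE manual or product: audit and reset the
# remoteAccess init-param of the Navigation servlet in a Secure Login web.xml.
# Assumption: the descriptor declares the servlet as in section 7.17; the sample
# below is constructed for this example (the xmlns on <web-app> is assumed).
import xml.etree.ElementTree as ET

J2EE_NS = "http://java.sun.com/xml/ns/j2ee"

# Constructed sample descriptor: remote access was enabled for setup and never reset.
SAMPLE_WEB_XML = f"""<web-app xmlns="{J2EE_NS}" version="2.4">
  <servlet>
    <servlet-name>Navigation</servlet-name>
    <servlet-class>com.secude.transfair.pepperbox.adminui.NavigationServlet</servlet-class>
    <init-param>
      <param-name>remoteAccess</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _text(el):
    return (el.text or "").strip()


def init_param_elements(root, servlet_name):
    """Yield the <init-param> elements of the servlet with the given <servlet-name>."""
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        names = [_text(c) for c in servlet if _local(c.tag) == "servlet-name"]
        if servlet_name not in names:
            continue
        for child in servlet:
            if _local(child.tag) == "init-param":
                yield child


def find_init_param(web_xml_text, servlet_name, param_name):
    """Return the <param-value> text of one init-param, or None when absent."""
    root = ET.fromstring(web_xml_text)
    for ip in init_param_elements(root, servlet_name):
        fields = {_local(c.tag): c for c in ip}
        if "param-name" in fields and _text(fields["param-name"]) == param_name:
            return _text(fields["param-value"]) if "param-value" in fields else None
    return None


def remote_access_enabled(web_xml_text):
    """True when the Navigation servlet still accepts remote initialization."""
    value = find_init_param(web_xml_text, "Navigation", "remoteAccess")
    return value is not None and value.lower() == "true"


def set_remote_access(web_xml_text, enabled):
    """Return the descriptor with remoteAccess set to 'true' or 'false'.
    The default namespace is re-registered so the output keeps a bare xmlns=."""
    root = ET.fromstring(web_xml_text)
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    for ip in init_param_elements(root, "Navigation"):
        fields = {_local(c.tag): c for c in ip}
        if "param-name" in fields and "param-value" in fields \
                and _text(fields["param-name"]) == "remoteAccess":
            fields["param-value"].text = "true" if enabled else "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("remoteAccess enabled:", remote_access_enabled(SAMPLE_WEB_XML))
    print(set_remote_access(SAMPLE_WEB_XML, False))
```

Run against a real descriptor, read the file with open(...).read() in place of SAMPLE_WEB_XML; a remaining value of true after the initialization is the condition the last paragraph of this section asks you to reverse.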
7.18 Problems Accessing the Administration Console or the Web Client via Firefox
Problem
Errors are displayed when accessing the Administration Console or the Web Client using Mozilla Firefox (SSL connection).
Affected Systems
The error occurs when a combination of the following components is used:
Server: Tomcat 5 or 6 (Java 1.4 or above, all platforms) with an SSL connector
Client: Firefox 2 and 3 (all platforms)
Secure Login components: Secure Login Administration Console or Web Client
Explanation/ Solution
The best workaround is to configure the Tomcat SSL connector port accordingly: Tomcat's server.xml file has to be modified so that the SSL connector uses a fixed list of ciphers only. The following example applies to Tomcat 5 and 5.5: The solution for Tomcat 6 is the same as above, but the Tomcat 6 SSL connector additionally requires the attribute SSLEnabled to be set to true.
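As an added example (not SECUDE's or Tomcat's code, and not the manual's own connector example), the following Python block embeds two constructed server.xml fragments: an SSL connector that leaves cipher selection to the JVM default, and the corrected connector with an explicit ciphers attribute and the SSLEnabled="true" that Tomcat 6 requires. The checker reports which of the two conditions a connector fails. The cipher names are an illustrative JSSE list, not the list the manual intends; keystore path and password are placeholders.

```python
# Added example, not part of the SECUDE manual or of Tomcat: two constructed
# server.xml fragments for section 7.18 (default ciphers vs. a fixed cipher list
# plus SSLEnabled="true" for Tomcat 6) and a checker that flags the weak form.
# The cipher names are an illustrative JSSE list, not the manual's own list;
# keystore path and password are placeholders.
import xml.etree.ElementTree as ET

# Constructed: SSL connector as often shipped, cipher selection left to the JVM.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/keystore.jks" keystorePass="PLACEHOLDER"/>
  </Service>
</Server>
"""

# Constructed: the same connector restricted to an explicit cipher list; the
# SSLEnabled attribute is the extra requirement for Tomcat 6.
FIXED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/keystore.jks" keystorePass="PLACEHOLDER"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
  </Service>
</Server>
"""


def https_connectors(server_xml_text):
    """Return the attribute dicts of every <Connector> with scheme="https"."""
    root = ET.fromstring(server_xml_text)
    return [dict(c.attrib) for c in root.iter("Connector")
            if c.get("scheme", "").lower() == "https"]


def cipher_list(attrs):
    """Parse the comma-separated ciphers attribute into a list (empty = JVM default)."""
    return [c.strip() for c in attrs.get("ciphers", "").split(",") if c.strip()]


def audit_connector(attrs, tomcat_major):
    """Findings for one https connector; an empty list means it passes."""
    findings = []
    if not cipher_list(attrs):
        findings.append("ciphers: not set, the JVM default cipher suites will be offered")
    if tomcat_major >= 6 and attrs.get("SSLEnabled", "").lower() != "true":
        findings.append('SSLEnabled: Tomcat 6 needs SSLEnabled="true" on the SSL connector')
    if attrs.get("secure", "").lower() != "true":
        findings.append('secure: should be "true" on an SSL connector')
    return findings


def audit_server_xml(server_xml_text, tomcat_major):
    """Map connector port -> findings for every https connector in server.xml."""
    return {c.get("port", "?"): audit_connector(c, tomcat_major)
            for c in https_connectors(server_xml_text)}


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(label, audit_server_xml(text, tomcat_major=6))
```

Pass tomcat_major=5 for Tomcat 5 and 5.5, where only the missing cipher list is reported; with tomcat_major=6 the absent SSLEnabled attribute is reported as well.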
7.19 Error Message when viewing Certificate Details using Firefox 3
Problem
An error message appears when using the Administration Console in Firefox 3 to view certificate details.
Affected Systems
All systems using Firefox 3
The Secure Login Administration Console is installed and configured (Certificate)
Explanation
This error occurs when the Firefox password manager is used to store the Administration Console username/password. The error can be reproduced as follows:
1. Start the Administration Console in Firefox 3, enter the username and password, and click Login.
2. Firefox will now prompt you to store the username/password in the Firefox password manager (a prompt bar will appear at the top of the page). Click Remember.
3. The Administration Console will appear as normal.
4. From the main page, go to any Instance Configuration/Certificate Manager.
5. Under Certificate name, select a certificate and click View.
6. The error message Open password is incorrect will appear.
Solution
1. Open the Firefox menu Tools > Options.
2. The Options dialog will appear. Click the Security tab and then click Saved Passwords.
3. The Saved Passwords dialog will appear. Select the Secure Login Administration Console site or hostname from the list and click Remove. Close the Saved Passwords and Options dialogs.
4. Log in to the Administration Console again. The prompt bar will reappear. Click Never for this site. The Secure Login host will now appear in the list of exceptions (menu Tools > Options > Security tab > Exceptions…).
8 Error and Return Codes
Introduction
This chapter details the error codes and return codes, their meaning and possible corrections. In each section, the codes are listed in alphabetical order.
Sections
Section 8.1 „ADS Authentication Errors‟, on page 232
Section 8.2 „RSA Authentication Errors‟, on page 232
Section 8.3 „SAP ID Error Codes and Return Codes‟, on page 232
Section 8.4 „Stacktrace Error Codes‟, on page 234
Section 8.5 „Common Errors‟, on page 236
Section 8.6 „CERT Errors‟, on page 237
Section 8.7 „PSE Errors‟, on page 237
8.1 ADS Authentication Errors
Error code: JAAS_LDAP_ERROR
Description: Authentication fails due to configuration errors of the JAAS module for ADS or timing problems on the network.
Solution: Make sure that at least one Server is specified in the configuration (and is running) and that the Server names are specified correctly in the configuration file. If the Server is accessed via port 636 (LDAP over SSL), make sure that its CA certificate is imported into the keystore of SECUDE Secure Login.
8.2 RSA Authentication Errors
Error code: JAAS_RADIUS_ERROR
Description: Authentication fails due to configuration errors of the JAAS module for RSA/RADIUS or timing problems on the network.
Solution: Make sure that the ACE Server is running.
8.3 SAP ID Error Codes and Return Codes
This section details the return codes for SAP ID-based login, and the error codes raised by the JAAS module.
Contents
Section 8.3.1 „Authentication-based Codes‟, on page 232
Section 8.3.2 „Password Change Related Codes‟, on page 233
Section 8.3.3 „Connectivity Related Codes‟, on page 233
8.3.1 Authentication-based Codes
Return code: AUTH_RESULT_ACTION_OK_MSG
Description: Authentication successful. The AUTH_RESULT_ACTION_OK_MSG defined in the file ServerMsg.properties will be sent to the SECUDE Secure Login Client along with the created certificate.
Solution: -
Return code: AUTH_RESULT_ACTION_DENIED_MSG
Description: Authentication denied. The AUTH_RESULT_ACTION_DENIED_MSG variable defined in the file ServerMsg.properties will be sent to the SECUDE Secure Login Client. This message may be combined with the variable $SERVERMSG to present the user with a reason for the denial. The $SERVERMSG variable is an option to forward the raw Authentication Server message to the Secure Login Client. For example: Access denied because..$SERVERMSG
Solution: The $SERVERMSG variable should only be used with Sun directory Servers and SAP-ID. If used with RSA, no messages will be sent by default, and if used with ADS, a cryptic text message will be sent.
8.3.2 Password Change Related Codes
Return code: NEW_PIN_REPLY_ACCEPTED_MSG
Description: For a successful password change, the NEW_PIN_REPLY_ACCEPTED_MSG defined in the file ServerMsg.properties will be sent to the SECUDE Secure Login Client.
Solution: -
Return code: NEW_PIN_REPLY_REJECTED_MSG
Description: If the SAP Server denies the new password, a new-password-rejected state results and the NEW_PIN_REPLY_REJECTED_MSG defined in the file ServerMsg.properties will be sent to the SECUDE Secure Login Client. The corresponding trace and error log entry is “Password not conform to password rules” followed by the stacktrace information of the return code.
8.3.3 Connectivity Related Codes
Error code: AUTH_SERVER_TIMEOUT_MSG
Description: If the JAAS module cannot establish a connection to the SAP Server, a timeout error is set and the error AUTH_SERVER_TIMEOUT_MSG defined in the file ServerMsg.properties will be sent to the SECUDE Secure Login Client. The corresponding trace and error log entry is “No connection to SAP system can be established” followed by the stacktrace information for this code.
Solution: Possible reasons for this error are the following (no differentiation between the SECUDE Secure Login Server and the Client):
Unable to establish an SNC connection to the SAP Server:
- SECUDE Secure Login Server SAP user is not properly configured.
- SECUDE Secure Login Server SAP user does not have the required permissions.
- Faulty SNC configuration for the SECUDE Secure Login Server.
Timeout in the network connection.
SAP Server is down.
For a list of stacktrace codes refer to section 8.4 „Stacktrace Error Codes‟ on page 234. For a list of common error reasons refer to section 8.5 „Common Errors‟ on page 236.
8.4 Stacktrace Error Codes
This section lists the possible SAP exceptions that can be logged in the stacktrace. Each runtime error code is followed by its description.
CALL_BACK_ENTRY_NOT_FOUND
The called function module is not released for RFC.
CALL_FUNCTION_DEST_TYPE
The type of the destination is not allowed.
CALL_FUNCTION_NO_SENDER
Current function is not called remotely.
CALL_FUNCTION_DESTINATION_NO_T
Missing communication type (I for internal connection, 3 for ABAP) when executing an asynchronous RFC.
CALL_FUNCTION_NO_DEST
The specified destination does not exist.
CALL_FUNCTION_OPTION_OVERFLOW
Maximum length of options for the destination exceeded.
CALL_FUNCTION_NO_LB_DEST
The specified destination (in load distribution mode) does not exist.
CALL_FUNCTION_NO_RECEIVER
Data received for unknown CPI-C connection.
CALL_FUNCTION_NOT_REMOTE
The function module being called is not flagged as being “remotely” callable.
CALL_FUNCTION_REMOTE_ERROR
While executing an RFC, an error occurred that has been logged in the calling system.
CALL_FUNCTION_SIGNON_INCOMPL
Logon data for the user is incomplete.
CALL_FUNCTION_SIGNON_INTRUDER
Logon attempt in the form of an internal call in a target system not allowed.
CALL_FUNCTION_SIGNON_INVALID
RFC from external program without valid user ID.
CALL_FUNCTION_SIGNON_REJECTED
Logon attempt in target system without valid user ID. This error code may have any of the following meanings:
- Incorrect password or invalid user ID.
- User locked.
- Too many login attempts.
- Error in authorization buffer (internal error).
- No external user check.
- Invalid user type.
- Validity period of the user exceeded.
CALL_FUNCTION_SINGLE_LOGIN_REJ
No authorization to log on as Trusted System. The error code may have any of the following meanings:
- Incorrect logon data for valid security ID.
- Calling system is not a Trusted System or security ID is invalid.
- Either the user does not have RFC authorization (authorization object S_RFCACL), or a logon was performed using one of the protected users DDIC or SAP*.
- Time stamp of the logon data is invalid.
CALL_FUNCTION_SYSCALL_ONLY
RFC without valid user ID only allowed when calling a system function module. The meaning of the error codes is the same as for CALL_FUNCTION_SINGLE_LOGIN_REJ.
CALL_FUNCTION_TABINFO
Data error (info internal table) during an RFC.
CALL_FUNCTION_TABLE_NO_MEMORY
No memory available for table being imported.
CALL_FUNCTION_TASK_IN_USE
For asynchronous RFC only: task name is already being used.
CALL_FUNCTION_TASK_YET_OPEN
For asynchronous RFC only: the specified task is already open.
CALL_FUNCTION_NO_AUTH
No RFC authorization.
CALL_RPERF_SLOGIN_AUTH_ERROR
No trusted authorization for RFC caller and trusted system.
CALL_RPERF_SLOGIN_READ_ERROR
No valid trusted entry for the calling system.
RFC_NO_AUTHORITY
No RFC authorization for user.
CALL_FUNCTION_BACK_REJECTED
Destination “BACK” is not permitted in current program.
CALL_XMLRFC_BACK_REJECTED
Destination “BACK” is not permitted in current program.
CALL_FUNCTION_DEST_SCAN
Error while evaluating RFC destination.
CALL_FUNCTION_CONFLICT_TAB_TYP
Type conflict while transferring table.
CALL_FUNCTION_CREATE_TABLE
No memory available for creating a local internal table.
CALL_FUNCTION_UC_STRUCT
Type conflict while transferring structure.
CALL_FUNCTION_DEEP_MISMATCH
Type conflict while transferring structure.
CALL_FUNCTION_WRONG_VALUE_LENG
Invalid data type while transferring parameters.
CALL_FUNCTION_PARAMETER_TYPE
Invalid data type while transferring parameters.
CALL_FUNCTION_ILLEGAL_DATA_TYP
Invalid data type while transferring parameters.
CALL_FUNCTION_ILLEGAL_INT_LEN
Type conflict while transferring an integer.
CALL_FUNCTION_ILL_INT2_LENG
Type conflict while transferring an integer.
CALL_FUNCTION_ILL_FLOAT_FORMAT
Type conflict while transferring a floating point number.
CALL_FUNCTION_ILL_FLOAT_LENG
Type conflict while transferring a floating point number.
CALL_FUNCTION_ILLEGAL_LEAVE
Invalid LEAVE statement on RFC Server.
CALL_FUNCTION_OBJECT_SIZE
Type conflict while transferring a reference.
CALL_FUNCTION_ROT_REGISTER
Type conflict while transferring a reference.
8.5 Common Errors
Error: The credentials are not set for the user account the SECUDE Secure Login Server runs in.
Description: SNC is not properly configured on the SECUDE Secure Login Server side.
Error: The credentials are not set for the user account the SAP Server runs in.
Description: SNC is not properly configured on the SAP Server side.
Error: The user configured on the SAP Server for SECUDE Secure Login Server access is not properly configured (for example, not all required profiles are set).
Description: Check the user profile.
Error: The JVM on the SECUDE Secure Login Server cannot load the required libraries (both SECUDE and SAP).
Description: The directory in which the libraries reside is not included in the PATH or LD_LIBRARY_PATH environment variable of the operating system.
Error: The JVM on the SECUDE Secure Login Server cannot load the required SAP jar library.
Description: The directory in which the sapjco.jar file resides is not included in the CLASSPATH variable of the Java installation.
Error: The sapjco library displays link errors although the shipped libraries are installed in the correct places.
Description: On UNIX/Linux systems it must be ensured that all of the required libraries are built for the same architecture (all 32-bit or all 64-bit).
How to find out what the Problem is
Enabling trace messages for the SECUDE Secure Login Server in the web.xml file provides detailed information about possible errors. The SAP library error trace is enabled automatically. The SAP library trace file dev_rfc.trc is created in the directory from which the SECUDE Secure Login Server process is started. For example, if the SECUDE Secure Login Server is deployed on Apache Tomcat, the SAP trace files are created in the /tomcat-installation-path/bin/ directory in which the 236nitiali.bat/sh resides. For details about how to enable tracing refer to the following sections: for manual configuration see section 7.3 „Turning Tracing On/Off‟ on page 215; via the Administration Console see section 6.1.3 „Server Configuration‟ on page 124. Enabling the SECUDE SNC tracing provides information about the SNC certificate handshake and the key exchange. If the handshake fails, an additional error trace file is created. For details about how to enable SNC tracing refer to the SECUDE signon&secure documentation.
8.6 CERT Errors

CERT_CREATE_ERROR
Description: An error occurred while trying to create a new certificate.
Solution: -

CERT_INIT_ERROR
Description: An error occurred while accessing the resources needed for this process, i.e. the PSE used.
Solution: Make sure that the configuration file contains the correct name, password, and aliases for the specific PSE. If the SECUDE SDK is used to access the PSE, the libComSecude.so library must also be contained in the library path. For hardware PSEs, the PseType in the configuration.properties file has to be set to NativePSE.
8.7 PSE Errors

PSE_ADMIN_ERROR
Description: An error occurred inside the PSE admin Server.
Solution: -

PSE_ARCHIVE_ERROR
Description: This code may be due to insufficient disk space or missing write access when writing or creating the log file.
Solution: Make sure the application has the access rights to write to, or create, the specified log directory, and that there is enough disk space.

PSE_CREATE_ERROR
Description: This code can indicate a problem while creating an outgoing message. A possible cause is a missing motto-of-the-day or disclaimer message (ClientMotd, ClientDisc) in the configuration file.
Solution: Make sure that the configuration file contains all mandatory entries.

PSE_HANDLING_ERROR
Description: An error occurred while handling a Client request.
Solution: -

PSE_INIT_ERROR
Description: May be caused when initializing the servlets. This is usually the case when the SECUDE Secure Login configuration could not be read, either because the configuration URL is not set in the configuration file of the servlet engine or because the file could not be found under the specified URL.
Solution: Make sure the URL is set correctly to the configuration.properties file.

PSE_IO_ERROR
Description: Occurs when the servlet cannot send its response to the Client due to network problems.
Solution: Make sure the network is configured correctly and running.

PSE_SERVER_ERROR
Description: An error occurred with the PSE Server.
Solution: -

PSE_SERVER_TIMEOUT
Description: The Client session timed out.
Solution: Check in the servlet configuration that the timeout value is high enough.
9 Appendix

This chapter contains various advanced details an administrator may need to configure Secure Login.
Section 9.1 „Client Policy‟ on page 239
Section 9.2 „Configurable Properties‟ on page 246
Section 9.3 „Secure Login Client Registry Values‟ on page 264
Section 9.4 „Key Usage Reference‟ on page 266
Most of the information in this chapter is provided purely as extra information for debugging. It is not recommended to alter any Secure Login system file manually! Doing so may result in a corrupted configuration! Please use the Administration Console at all times!
9.1 Client Policy

This section contains detailed information about the Client policy for Secure Login.
Section 9.1.1 „ClientPolicy.xml File Registry Keys and Values‟, on page 239
Section 9.1.2 „ClientPolicy.xml File Example‟, on page 240
Section 9.1.3 „Wildcards in Distinguished Names for the PSEURI Attribute‟, on page 244
Section 9.1.4 „Configuring Secure Login with Microsoft Group Policies‟, on page 245

9.1.1 ClientPolicy.xml File Registry Keys and Values

When the Secure Login Client system service is started (on the Client side), the XML-formatted policy file is translated into the following Windows registry keys and values (provided that the ClientPolicy.xml file is dynamic!):
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\application\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\Profiles\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\SecureLogin\System]

9.1.2 ClientPolicy.xml File Example
ClientPolicy.xml File Elements and Attributes

The following list details each element and attribute of the ClientPolicy.xml file (A-Z), states whether it is mandatory or optional, and gives its description with examples.

Action (optional)
Existing registry keys are handled as configured by Action:
clean: Delete all existing profiles in the selected policy key before the given ones are written.
replace: Replace any existing profiles of the same name in the selected policy key by the given one.
keep: Keep any existing profiles of the same name in the selected policy key and do not write the given one (default).

AllowFavourite (mandatory)
Allow the user to select another profile as „favorite‟ for this SNC application context.
false (default): Always use the configured profile.
true: Do not use the configured profile.

Application (mandatory)
Start of an application element; the element is repeated for each application.

Applications (mandatory)
Start of the applications section, which contains the unsorted list of application contexts.

AutoReenrollTries (optional)
Number of consecutive failed authentications after which automatic re-enrollment is stopped. User name and password caching can be turned on to provide the automatic re-enrollment of certificates that are going to expire.
0: Turn off (default). Do not re-enroll automatically and do not cache user name and password. A re-enrollment must always be performed by the user interactively.
N: Turn on with N tries to succeed. Try to re-enroll at most N times before either a new certificate is received or the user name and password cache is cleared. The error counter is reset on success. A manual re-enrollment is also possible.
You can delete all cached credentials from memory (except those stored in the SLC system service) with the Logout context menu of the SECUDE PSE service in the system tray. Deleting the cache of the Windows login token has no effect, as the credentials can be retrieved from the SLC system service.

EnrollURL0 (mandatory)
Secure Login URL that is used for authentication and certificate enrolment. The URL locates the Server instance that is valid for the Secure Login Client. For example: http://myServer.local/securelogin/PseServer?id=0001

EnrollURLn (optional)
URL of a fallback SECUDE Secure Login Server, used if URL n-1 fails (with n>1). The counter n must be a positive integer without leading 0s. The sequence must be strictly increasing by one. A gap stops the sequence; all remaining URLs are ignored. Empty URLs are ignored and skipped.

GracePeriod (optional)
Seconds before expiration of this certificate to re-enroll automatically (default: 0).

HttpProxyURL (optional)
HTTP proxy to be used with enroll URLs. Only HTTP proxies without authentication and without SSL to the proxy are supported. Example: http://proxy.secude.com:3128

InactivityTimeout (optional)
Seconds until an automatic logout is performed. Mouse and keyboard events are checked for inactivity.
> 0: Seconds of inactivity.
-1: No single sign-on (SSO); each SNC connection forces a new login.
0: No timeout, SSO without limitation (default).

KeySize (optional)
Size in bits of the newly generated RSA keys. Range: 512 – 16384 (default: 512).

machine (mandatory)
Machine policy node. Subnodes inside this node are written to [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE]. User policies are not supported.

Name (mandatory)
Name of the application context, which also builds the registry key name. The special name “*” is used for the default application entry, for which no PSEURI has to be defined. It automatically comprises all SNC names which are not defined explicitly or with wildcards (see the PSEURI attribute).

NetworkTimeout (optional)
Network timeout in seconds before the connection is closed if the Server does not respond (default: 45).

Profile (mandatory)
Name of the security profile to be used for the application; the name must match the profile name in the Profiles section. The profile name “*” is used for the default security profile that is configured by the user (for example, the smart card profile).

Profiles (mandatory)
Start of the profiles section, which contains the unsorted list of security profiles.

PSEType (mandatory)
Type of profile:
promptedlogin: For authentication using an RSA Server.
windowslogin: For authentication using an ADS Server.

PSEURI (mandatory)
Application-specific PSE URI (fully qualified SNC name, a substring of the SNC name, or *) that is matched when a fitting profile is searched. The wildcards “*” and “?” can be used. Examples:
“SNC/cn=SAP, o=SECUDE, c=DE”
“SNC/CN=Server*, ou=Strong”
For further examples, see section 9.1.3 „Wildcards in Distinguished Names for the PSEURI Attribute‟ on page 244.

ReUseKey (optional)
If true, the RSA key is kept unless a manual logout is performed or the user process psesvc.exe is shut down (default: false).

secude (mandatory)
Root node.

securelogin (mandatory)
SECUDE Secure Login policy node.

SSLHostAlternativeNameCheck (optional)
SSL Server certificate: Check whether the peer host name is given in its subject alternative names (default: false).

SSLHostCommonNameCheck (optional)
SSL Server certificate: Check whether the peer host name is given in its subject common name (default: false).

SSLHostExtensionCheck (optional)
SSL Server certificate: Check whether the peer's certificate has the extended key usage ServerAuthentication set (default: false).

UniqueClientID (optional)
Customer-defined string (default: NULL).

useSslPse (optional)
If true, turns on the former SSL PSE based trust store for HTTPS. If false (default), the Microsoft CAPI is used for HTTPS trust.

UserWarningPassword (optional)
Warning dialog box before user name and password are sent to the SLS (default: false).

UserWarningMSIE (optional)
Display of a warning dialog box after a new certificate has been propagated to the Microsoft Crypto Store: MSIE must be restarted (default: false).
9.1.3 Wildcards in Distinguished Names for the PSEURI Attribute

Rules

The PSEURI attribute allows you to use wildcards to identify an SAP system by its SNC name. The SNC name is given as a printed X.500 distinguished name. The wildcards are as follows:
Use “*” for any sequence of characters.
Use “?” for exactly one character.
There are a few rules to follow for the use of wildcards:
Do not use wildcards if you want to select one distinguished Server.
Make the patterns as long as possible.
Should more than one pattern match a Server, then the longest pattern wins (and with equal length, the one with fewer wildcards).

Example

The following example assumes that the following Servers exist:
Server-A: “SNC/CN=Server-A, CN=Low-Security, C=DE”
Server-B: “SNC/CN=Server-B, CN=High-Security, C=DE”
Server-C: “SNC/CN=Server-C, CN=High-Security, C=DE”
Server-D: “SNC/CN=Server-D, CN=High-Security, C=DE”

Pattern for PSEURI                         Matching…
*                                          Any Server.
SNC/*                                      Any Server.
SNC/CN=Server-*,CN=*-Security,C=DE         Any Server.
SNC/*,CN=High-Security,*                   Only high security Servers (B, C, D).

Assuming you have used the last pattern for all high security Servers, but you need another treatment for Server D, you may use the following patterns:

Pattern for PSEURI                         Matching…
SNC/CN=Server-D,CN=High-Security,C=DE      Only Server D.
SNC/CN=Server-D,CN=High-Security,*         Only Server D.
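The precedence rules above (longest matching pattern wins, fewer wildcards on a tie) can be checked against a policy before it is rolled out. The following matcher is an added example written for this manual section; it is not SECUDE's code and the Client's real matching routine is not published here. It assumes that whitespace after the RDN separators is not significant and that attribute names and values are compared case-insensitively, as the mixed-case examples in this section suggest; the four Servers are the constructed sample above.

```python
import re

# Constructed sample: the four SAP systems from the example above, keyed by
# their printed SNC names.
SERVERS = {
    "Server-A": "SNC/CN=Server-A, CN=Low-Security, C=DE",
    "Server-B": "SNC/CN=Server-B, CN=High-Security, C=DE",
    "Server-C": "SNC/CN=Server-C, CN=High-Security, C=DE",
    "Server-D": "SNC/CN=Server-D, CN=High-Security, C=DE",
}


def normalize(name: str) -> str:
    """Drop whitespace after the RDN separators so that 'CN=a, C=DE' and
    'CN=a,C=DE' compare equal (assumption: that space is not significant)."""
    return re.sub(r",\s*", ",", name.strip())


def pattern_to_regex(pattern: str):
    """Translate a PSEURI pattern into an anchored regular expression:
    '*' matches any sequence of characters, '?' exactly one, everything else
    is literal. Case-insensitive comparison is an assumption."""
    parts = []
    for ch in normalize(pattern):
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def wildcard_count(pattern: str) -> int:
    return pattern.count("*") + pattern.count("?")


def matching_patterns(snc_name: str, patterns: list) -> list:
    """All PSEURI patterns that match the given SNC name, in input order."""
    name = normalize(snc_name)
    return [p for p in patterns if pattern_to_regex(p).match(name)]


def select_pattern(snc_name: str, patterns: list):
    """Apply the precedence rules: the longest matching pattern wins and,
    for equal length, the one with fewer wildcards. None if nothing matches."""
    matches = matching_patterns(snc_name, patterns)
    if not matches:
        return None
    return min(matches, key=lambda p: (-len(normalize(p)), wildcard_count(p)))


def resolve_all(patterns: list) -> dict:
    """Map every sample Server to the PSEURI pattern selected for it."""
    return {srv: select_pattern(name, patterns) for srv, name in SERVERS.items()}


if __name__ == "__main__":
    # The policy discussed above: one pattern for all high-security Servers,
    # a more specific one for Server D, and "*" as the catch-all entry.
    policy = ["*", "SNC/*,CN=High-Security,*", "SNC/CN=Server-D,CN=High-Security,*"]
    for srv, chosen in resolve_all(policy).items():
        print(f"{srv}: {chosen}")
```

Running the block with the three-pattern policy assigns Server-A to "*", Servers B and C to the high-security pattern and Server D to its dedicated pattern, which is the behaviour the rules above describe.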
9.1.4 Configuring Secure Login with Microsoft Group Policies

SECUDE Secure Login allows you to integrate the registry keys and values for the SECUDE Secure Login Client in your company's group policies.

1. If you have not already installed the Secure Login group policy file supplied with the installer package, double-click the package and follow the instructions until you get to the Custom Setup dialog.
Figure 9-1 installer – custom setup – group policies
2. Deselect all of the components except Group Policies. Click Next and continue until the installation is finished. The SECUDEsecurelogin.ADM file will be copied to the following directory: Windows\inf. When it is edited by the policy editor, it will be copied to the following directory: Windows\system32\GroupPolicies\adm. The SECUDEsecurelogin.ADM file contains the keys used to configure the SECUDE security profiles.

In addition to installing the ADM file, selecting Group Policies installs the full group policy documentation (HTML) to the directory C:\Program Files\Common Files\SECUDE\officesecurity\ADM-DOC, as well as a link in the start menu: Start > All Programs > SECUDE > officesecurity > ADM Documentation. For a description of the keys and values, refer to the explanations provided by the group policy editor.
9.2 Configurable Properties

This chapter describes the Secure Login properties that can be configured via a number of files.
Section 9.2.1 „Files‟, on page 246
Section 9.2.2 „Web.xml‟, on page 247
Section 9.2.3 „Configuration.properties‟, on page 248
Section 9.2.4 „JAAS Module Configuration‟, on page 253

9.2.1 Files that Contain Configurable Properties

This section details the configuration files needed by Secure Login. SECUDE Secure Login Server is configured in the following files (these files are included in the installation package):

Web.xml
This file contains deployment information for the SECUDE Secure Login servlet. For further information refer to section 9.2.2 „Web.xml‟, on page 247.

Configuration.properties
This is the main SECUDE Secure Login Server configuration file. For further information refer to section 9.2.3 „Configuration.properties‟ on page 248.

JAAS module configuration files
These files define specific properties for authentication. NOTE: for each authentication method used (LDAP/ADS, RADIUS/RSA/SAP-ID), there is a special JAAS module configuration file. For further information refer to section 9.2.4 „JAAS Module Configuration‟ on page 253.

Server message property files
These files contain localized messages for the Clients.
9.2.2 Web.xml File

The Web.xml file contains the deployment information for the SECUDE Secure Login servlet. This information is required by the servlet engine to map the URL to a specific servlet, and it also contains further information for the operation of SECUDE Secure Login Server. You can configure the following parameters in the Web.xml file:
The location of the SECUDE Secure Login Server configuration.properties file.
The location of the lock file.

Configure configuration.properties File Location

Locate the ConfigURL parameter in the Web.xml file to set the file path:
URL: Change the property URL to that of the configuration.properties file. For example: \Webapps\securelogin\WEB-INF\Instances\Configuration.properties

Configure Lock File Location

Locate the LockDir parameter in the Web.xml file to set the lock file path:
path: Path of the PseServer.lock file. By default the file is stored in the standard temporary directory of the Java VM. For example: \Webapps\securelogin\WEB-INF\Instances
9.2.3 Configuration.properties File

The SECUDE Secure Login Server is configured via a set of properties stored in a standard Java property file. The name of this file is configuration.properties. The configuration.properties file does not contain authentication-specific properties. It does contain the parameter AuthConfigPath, which specifies the location of the separate JAAS module configuration file. For further information refer to section 9.2.4 „JAAS Module Configuration‟ on page 253.

Multiple SECUDE Secure Login Server Instances

If several SECUDE Secure Login Server instances are to run on the same application Server, all SECUDE Secure Login Server instances have to use the same JAAS module configuration file. In other words, the AuthConfigPath parameter must contain the same value for all Server instances. If you want to use different authentication-specific properties for different SECUDE Secure Login Server instances, you have to use different JAAS module names via the JaasModule configuration property.
Configurable Properties

The following list details the SECUDE Secure Login Server configuration properties (in alphabetical order), each marked as mandatory or optional.

AdminServletHeader (Optional)
Header displayed above the results on the result page of the administrative servlet.

AdminServletTrailer (Optional)
Trailer displayed below the results on the result page of the administrative servlet.

ArchivingDir (Optional)
Name of the directory in which certificate requests and certificates are archived. If set, this enables the archiving of all certificate requests and all issued certificates. Certificate requests are archived as BASE64 encoded PKCS#10 files. Certificates are archived as BASE64 encoded PKCS#7 files. The file naming convention for both certificates and certificate requests is [date][user][ServerURL].ext, where:
date is in the form yyyymmddhhmmssmm.
user is the name of the authenticated user.
ServerURL is derived from the URL of the SECUDE Secure Login Server by replacing all sequences of characters other than A-Z, a-z, 0-9, and dots (.) with one underscore (_). The ServerURL is empty if the user logs in via the Web Client.
ext is p10 or p7c for PKCS#10 or PKCS#7 files, respectively.

AuthConfigPath (Mandatory)
URL of the JAAS module configuration file.

CertificateFormat (Optional)
Type of the generated certificate. Possible values:
V1 (default): a version 1 certificate. For version 1 certificates the following properties are ignored: PrivateExtension, PrivateExtension.name, StandardExtension, CertificatePolicies.OID.
V3: a version 3 certificate. For version 3 certificates the following standard extensions are always added to the certificate: BasicConstraints, KeyUsage.
Note: V3 has a negative performance impact because the V3 format is more complicated than the V1 format.

CertificateName (Optional)
The case of the characters of the user name included as the DN in the certificate. Possible values: Uppercase, Lowercase. Default value: the user name is entered as it is received from the Client.

CertificatePolicies.OID (Optional)
If CertificatePolicies is specified in the StandardExtension property, this entry is used to list the object identifiers (separated by spaces) to be contained in the extension. Default value: the CertificatePolicies extension is not included in the certificate.

DailyLogDir (Mandatory)
Directory in which the daily log files are stored.

DailyLogPrefix (Mandatory)
Prefix for the daily log files. The generated log file name is prefix_yyyy_mm_dd.log; y, m, and d are as specified in the Java SDK API class java.text.SimpleDateFormat.

DN.country (Mandatory)
Country part of the DN for the certificate.

DN.locality (Optional)
Locality part of the DN for the certificate.

DN.organization (Optional)
Organization part of the DN for the certificate.

DN.organizationalUnit (Optional)
Organizational unit part of the DN for the certificate.

JaasModule (Optional)
Name of the JAAS module. The default value is SLSJaasModule.

LockServerOnEventLogFailure (Optional)
Defines whether the Server should be locked if transaction logging fails. False = do not lock the Server; True = lock the Server.

LockInstanceOnTransactionLogFailure
Defines whether the Server instance should be locked if transaction logging fails. False = do not lock the Server; True = lock the Server.

MonthlyLogDir (Mandatory)
Directory in which the monthly log files are stored.

MonthlyLogPrefix (Mandatory)
Prefix for the monthly log files. The generated log file name is prefix_yyyy_mm.log; y and m are as specified in the Java SDK API class java.text.SimpleDateFormat.

PrivateExtension (Optional)
Contains a list of names (separated by spaces) of private extensions to be included in the certificate. For each name in the list, there has to be a property PrivateExtension.name.

PrivateExtension.name (Optional)
A Base64 encoded extension to be included in the certificate. name must be one of the extension names specified in PrivateExtension.

PseName (Mandatory)
Name or URL of the PSE to be used. If PseType is configured to NativePSE, PseName has to be entered in the following form (follow the punctuation exactly): p11sc:,pkcs11 interface (vendor interface name 'pkcs11 library name'):

PsePassword (Mandatory)
Password of the PSE. The PSE password is encrypted with a standard 256-bit AES key via the Administration Console and is decrypted by Secure Login before being read.

PsePasswordIsUnencrypted (Optional)
Manually set the User CA PSE password (the password is not encrypted). true: do not encrypt the password. false: encrypt the password. This feature is NOT recommended! It should only be used if you do not want to use the Administration Console.

PseType (Mandatory)
Type of PSE used by the Server to sign the generated certificates. Possible values: FilePSE for using a file PSE; NativePSE for using the native SECUDE core component for PSE access.

SerialNumberPolicy (Optional)
This parameter can be used to select the serial number generation algorithm. Possible value: Hash: the serial number is the hashed subject name (which is always the same for the same user but unique for different users). The property CertificateName=Uppercase must be entered as well. Default value: if empty or not entered, each newly issued certificate receives the current time stamp as the serial number (which is, in a way, unique).

StandardExtension (Optional)
List of additional standard extensions to be contained in the certificate. Possible values: AuthorityKeyIdentifier, SubjectKeyIdentifier, CertificatePolicies. In the case of CertificatePolicies, the policy OIDs have to be specified via the property CertificatePolicies.OID. Other values are ignored.

UseUPN (Optional)
Determines the UPN (User Principal Name) for the user certificate. Possible values: true (default): use the complete UPN; false: use the user name component of the UPN.

ValidityMinutes (Mandatory)
Time period in minutes for which the generated certificate is valid.

ValidityOffset (Mandatory)
Time offset in minutes relative to the Server system time at which the certificates start being valid.
Sample configuration.properties File

#This is the SecureLogin configuration file
#Last Modified:Wed Jan 16 18:05:38 CET 2008
# These properties are the global settings
AdminUser=SECUDEAdmin
AdminPassword=7ZUHN9miuh7nuhoO98HGZo\=\=
AuthConfigPath=file\:C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\SLSJaasModule.login
TrustStore=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\TrustStore.jks
TrustStorePassword=HJU7hg1tkjU/hj8U/onli8HJgZ7H\=\=
Localization=en
doTrace=true
ActiveInstances=00020
LastServerID=00020
# The default settings for the Server instance
PseType=FilePSE
PseName=file\:C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\SLS_USERCA_PSE.pse
PsePassword=7ZUHN9miuh7nuhoO98HGZo\=\=
DN.country=DE
DN.locality=Darmstadt
DN.organization=SECUDE
DN.organizationalUnit=
ValidityMinutes=480
ValidityOffset=-5
CertificateFormat=V3
CertificateName=Uppercase
UseUPN=true
StandardExtension=AuthorityKeyIdentifier SubjectKeyIdentifier
KeyUsage=DigitalSignature NonRepudiation KeyEncipherment DataEncipherment
ExtendedKeyUsage=
PrivateExtension=
SerialNumberPolicy=Hash
ClientDisc=This is a private computer facility. Access to it for any reason must be specifically authorized.\r\n\r\nAuthorized users must use company systems in accordance with company policies and guidelines. Unauthorized access to this computer facility will expose you to criminal and/or civil proceedings.\r\n\r\nAll information contained in this computer system, including messages, is the property of the company. Subject to applicable law, the company reserves the right to access and disclose all information sent through or stored in this computer system, for any purpose.
ClientMotd=System Administrative Broadcast\:\r\nWe have determined that a newer version of the Secude PSE Manager is available for your computer. If you have a high speed WAN link to the main installation point, installations can be executed from main Server download directory. Please update your system within 5 business days.
ClientInactivityTimeout=300
maxSessionInactiveInterval=640
DailyLogDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\log
DailyLogPrefix=Transaction
MonthlyLogDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\log
MonthlyLogPrefix=Event
LockDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\
AdminServletHeader=The status of the PSE Server in the Hybury facility is as follows\:
AdminServletTrailer=Should a problem arise, please contact the support desk: 0100 203040 or send an email to mailto\:[email protected]
EnableLog=false
DN.commonName=
# The settings of the instance 00020
00020.PseType=FilePSE
00020.PseName=file\:C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\00020\\SLS_USERCA_PSE.pse
00020.PsePassword=7ZUHN9miuh7nuhoO98HGZo\=\=
00020.DN.country=DE
00020.DN.locality=Darmstadt
00020.DN.organization=SECUDE
00020.DN.organizationalUnit=
00020.ValidityMinutes=480
00020.ValidityOffset=-5
00020.CertificateFormat=V3
00020.CertificateName=Uppercase
00020.UseUPN=true
00020.StandardExtension=AuthorityKeyIdentifier SubjectKeyIdentifier
00020.KeyUsage=DigitalSignature NonRepudiation KeyEncipherment DataEncipherment
00020.ExtendedKeyUsage=
00020.PrivateExtension=
00020.SerialNumberPolicy=Hash
00020.ClientDisc=This is a private computer facility. Access to it for any reason must be specifically authorized.\r\n\r\nAuthorized users must use company systems in accordance with company policies and guidelines. Unauthorized access to this computer facility will expose you to criminal and/or civil proceedings.\r\n\r\nAll information contained in this computer system, including messages, is the property of the company. Subject to applicable law, the company reserves the right to access and disclose all information sent through or stored in this computer system, for any purpose.
00020.ClientMotd=System Administrative Broadcast\:\r\nWe have determined that a newer version of the Secude PSE Manager is available for your computer. If you have a high speed WAN link to the main installation point, installations can be executed from main Server download directory. Please update your system within 5 business days.
00020.ClientInactivityTimeout=300
00020.maxSessionInactiveInterval=640
00020.DailyLogDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\00020\\Log
00020.DailyLogPrefix=Transaction
00020.MonthlyLogDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\00020\\Log
00020.MonthlyLogPrefix=Event
00020.LockDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\00020
00020.AdminServletHeader=The status of the PSE Server in the Hybury facility is as follows\:
00020.AdminServletTrailer=Should a problem arise, please contact the support desk: 0100 203040 or send an email to mailto\:[email protected]
00020.EnableLog=false
00020.DN.commonName=
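The sample file above mixes global defaults with keys prefixed by an instance ID, uses the Java property escapes (\:, \=, \\, \r\n), and the property table states several dependencies between keys (SerialNumberPolicy=Hash needs CertificateName=Uppercase, CertificatePolicies needs CertificatePolicies.OID, every PrivateExtension name needs its PrivateExtension.name entry, PsePasswordIsUnencrypted=true is discouraged). The following added example, written for this section and not part of SECUDE's product, parses a constructed excerpt in that layout, resolves the effective settings of one instance and lints those dependencies; it also builds the ArchivingDir file name from the convention given in the table. Assumptions: instance keys are recognised by a leading numeric prefix such as 00020., only = and : are treated as key/value separators, and the shortened paths are constructed.

```python
import re

# Constructed excerpt in the layout of the sample above: global defaults
# first, then keys for instance 00020 prefixed with the instance ID.
# The instance part deliberately contains mistakes for the linter to find.
SAMPLE_PROPERTIES = r"""
#This is the SecureLogin configuration file (constructed excerpt)
AdminUser=SECUDEAdmin
AuthConfigPath=file\:C\:\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\SLSJaasModule.login
ActiveInstances=00020
PseType=FilePSE
PseName=file\:C\:\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\SLS_USERCA_PSE.pse
PsePassword=7ZUHN9miuh7nuhoO98HGZo\=\=
DN.country=DE
DN.organizationalUnit=
ValidityMinutes=480
ValidityOffset=-5
CertificateFormat=V3
CertificateName=Uppercase
StandardExtension=AuthorityKeyIdentifier SubjectKeyIdentifier
PrivateExtension=
SerialNumberPolicy=Hash
ClientDisc=This is a private computer facility.\r\n\r\nAuthorized users only.
ClientMotd=System Administrative Broadcast\:\r\nPlease update your system.
DailyLogDir=C\:\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\log
DailyLogPrefix=Transaction
MonthlyLogDir=C\:\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\log
MonthlyLogPrefix=Event
# The settings of the instance 00020
00020.ValidityMinutes=60
00020.CertificateName=
00020.StandardExtension=AuthorityKeyIdentifier CertificatePolicies
00020.PrivateExtension=ext1
00020.PsePasswordIsUnencrypted=true
"""

_ESCAPES = {"r": "\r", "n": "\n", "t": "\t", "f": "\f"}
INSTANCE_KEY = re.compile(r"^(\d+)\.(.+)$")  # e.g. 00020.PseType (assumed form)
MANDATORY = ("AuthConfigPath", "DailyLogDir", "DailyLogPrefix", "DN.country",
             "MonthlyLogDir", "MonthlyLogPrefix", "PseName", "PsePassword",
             "PseType", "ValidityMinutes", "ValidityOffset")


def unescape(text: str) -> str:
    """Resolve the Java property escapes used in the file: \\: \\= \\\\ \\r \\n."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(_ESCAPES.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def split_key_value(line: str):
    """Split at the first unescaped '=' or ':' (assumption: whitespace-only
    separators and \\uXXXX escapes do not occur in the file)."""
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2
            continue
        if line[i] in "=:":
            return line[:i].strip(), line[i + 1:].strip()
        i += 1
    return line.strip(), ""


def parse_properties(text: str) -> dict:
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value = split_key_value(line)
        props[unescape(key)] = unescape(value)
    return props


def effective_settings(props: dict, instance_id: str) -> dict:
    """Global keys are the defaults; '<instance>.<key>' entries override them."""
    settings = {k: v for k, v in props.items() if not INSTANCE_KEY.match(k)}
    for key, value in props.items():
        m = INSTANCE_KEY.match(key)
        if m and m.group(1) == instance_id:
            settings[m.group(2)] = value
    return settings


def validate(settings: dict) -> list:
    """Check the dependencies stated in the property table; return findings."""
    findings = []
    for key in MANDATORY:
        if not settings.get(key):
            findings.append(f"mandatory property {key} is missing or empty")
    if settings.get("PseType") not in ("FilePSE", "NativePSE"):
        findings.append("PseType must be FilePSE or NativePSE")
    if settings.get("CertificateFormat", "V1") not in ("V1", "V3"):
        findings.append("CertificateFormat must be V1 or V3")
    if settings.get("SerialNumberPolicy") == "Hash" and settings.get("CertificateName") != "Uppercase":
        findings.append("SerialNumberPolicy=Hash requires CertificateName=Uppercase")
    if "CertificatePolicies" in settings.get("StandardExtension", "").split() and not settings.get("CertificatePolicies.OID"):
        findings.append("StandardExtension lists CertificatePolicies but CertificatePolicies.OID is empty")
    for name in settings.get("PrivateExtension", "").split():
        if not settings.get(f"PrivateExtension.{name}"):
            findings.append(f"PrivateExtension names {name} but PrivateExtension.{name} is missing")
    if settings.get("PsePasswordIsUnencrypted", "false").lower() == "true":
        findings.append("PsePasswordIsUnencrypted=true keeps the User CA PSE password in clear text (not recommended)")
    for key in ("ClientDisc", "ClientMotd"):
        if not settings.get(key):
            findings.append(f"{key} is empty; building the Client message fails (PSE_CREATE_ERROR)")
    return findings


def archive_file_name(date: str, user: str, server_url: str, kind: str) -> str:
    """File name under ArchivingDir: [date][user][ServerURL].ext, where every run
    of characters other than A-Z, a-z, 0-9 and '.' in the Server URL becomes
    one underscore and ext is p10 (request) or p7c (certificate)."""
    ext = {"request": "p10", "certificate": "p7c"}[kind]
    sanitized = re.sub(r"[^A-Za-z0-9.]+", "_", server_url)
    return f"{date}{user}{sanitized}.{ext}"


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for finding in validate(effective_settings(props, "00020")):
        print("instance 00020:", finding)
```

The global defaults in the excerpt pass the checks; instance 00020 overrides four of them in ways the table forbids, and each override produces one finding.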
9.2.4 JAAS Module Configuration Files

For each authentication method, a specific JAAS module has to be configured.
Section 9.2.4.1 „JAAS Module Configuration Files for LDAP/ADS‟, on page 253
Section 9.2.4.2 „JAAS Module Configuration Files for RADIUS/RSA‟, on page 257
Section 9.2.4.3 „JAAS Module Configuration Files for SAP ID‟, on page 260

9.2.4.1 JAAS Module Configuration Files for LDAP/ADS

The JAAS module configuration file for LDAP/ADS contains the authentication-specific properties for LDAP authentication. The JAAS module class name for the LDAP module is: com.secude.transfair.pepperbox.LdapJaasModule

Multiple Authentication Servers

Each LDAP Server has its own section in the JAAS module configuration file. If the first Server cannot be reached, the next Server in the list is used (provided that more than one Server is specified in the configuration file). The order in which the Servers are entered in the configuration file defines the priority the Servers have in the authentication process. By default, the first Server in the list that can be reached ends the authentication process, regardless of the type of response (OK or Access Denied). However, if the parameter TryAllServers is set to true, all of the Servers are queried until the first OK response is received.
Configurable Properties
The following table details the properties within the JAAS module configuration file for LDAP/ADS (in alphabetical order): Property
Mandatory /Optional
Details
LdapBaseDN
optional
Specifies the base domain name that is combined with the user name before sending it to the Active Directory Server. The following formats are valid: Domain part of UPN: The domain part is appended to the user name, using the @ separator. Example: If set to… my.domain.com …the user test is authenticated as…
[email protected] …with the respective Server. Complete DN: The variable $USERID is replaced with the user name. Example: If set to… cn=$USERID,cn=Users,dc=domain,dc=com, 253
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
Property
Mandatory /Optional
Details …the user test is authenticated as… cn=test,cn=Users,dc=domain,dc=com …with the respective Server. NOTE: If a password expiry warning message is configured, only the second form can be used. For further information refer to section 9.2.5.2 „Password Expiry Warning Message‟ on page 264.
LdapHost
mandatory
URL of the Active Directory Server used to authenticate the user. The LdapHost value is passed to JNDI, therefore the interpretation of the protocol to be used is performed entirely by the JVM. To use LDAP over SSL the protocol has to be ldaps. For example: ldaps://my.host.com:636
254
LdapProvide rLanguage
optional
Character set encoding for communication between the Secure Login Server and the LDAP/ADS Server. For example: ISO-8859-1 (for ADS)
LdapTimeout
optional
Period of time the Secure Login Server waits for a response before trying the next LDAP/ADS Server (in milliseconds).
PasswordExp irationAttribute
optional
The expiry date of the password. For the LDAP Authentication Server, the date must be in one of the following formats: UMT: - 0060727081914Z Or.. - 0060727081914+0700Z GMT in ADS format: - 0060727081914.0Z Or.. - 0060727081914.0+0700Z MS Gregorian calendar (the number of milliseconds since 01/01/1601). For example: 127984619236406250 If a password expiry warning message is configured, the LdapBaseDN property must be given in complete DN form. The PasswordExpirationAttribute value is used for the password expiry warning only. For further information refer to section 9.2.5.2 „Password Expiry Warning Message‟ on page 264.
PasswordExpirationGracePeriod
optional
The interval (in days) a password expiry warning is sent to the Client prior to password expiry. For further information refer to section 9.2.5.2 „Password Expiry Warning Message‟ on page 264.
ServerID
optional
Determines which password expiry warning is used. This value is used for the password expiry warning only. For further information refer to section 9.2.5.2 „Password Expiry Warning Message‟ on page 264.
TrustStore
optional
Path to the CA certificates keystore used for Server authentication when using LDAP over SSL. Used globally for all LDAP modules in a TrustStore. Use of the Java keystore (*.jks) is mandatory when using LDAP over SSL.
TryAllServers
optional
Determines when to try the next Server in the list. Values: false (default): Try the next Server only if this Server cannot be reached. true: Try the next Server if this Server cannot be reached or answers Access Denied. All Servers have to be configured to either false or true.
Sample JAAS Module Configuration File for LDAP/ADS
SLSJaasModule {
  com.secude.transfair.pepperbox.LdapJaasModule sufficient
    LdapHost="ldaps://10.49.0.150:636"
    LdapBaseDN="secude.com"
    LdapTimeout="100"
    LdapProviderLanguage="en-US"
    TryAllServers="true";
  com.secude.transfair.pepperbox.LdapJaasModule sufficient
    LdapHost="ldap://10.49.3.166:389"
    LdapBaseDN="uid=$USERID,ou=people,dc=neptun,dc=secude,dc=com"
    LdapTimeout="100"
    LdapProviderLanguage="en-US"
    ServerID="LDAP1"
    PasswordExpirationAttribute="passwordRenew"
    PasswordExpirationGracePeriod="20"
    TryAllServers="true";
  com.secude.transfair.pepperbox.LdapJaasModule sufficient
    LdapHost="ldaps://10.49.0.151:636"
    LdapBaseDN="secude.com"
    LdapTimeout="100"
    LdapProviderLanguage="en-US"
    TryAllServers="true";
};
Note that the second module uses plain ldap://; the user password sent to that Server is only protected on the network if the LdapHost URL uses ldaps:// (see the LdapHost property).
9.2.4.2 JAAS Module Configuration Files for RADIUS/RSA
Introduction
The JAAS module configuration file for RADIUS/RSA contains the authentication-specific properties for RADIUS authentication. The JAAS module class name for the RADIUS/RSA module is: com.secude.transfair.pepperbox.RsaRadiusJaasModule
Multiple Authentication Servers
Each RADIUS/RSA Server has its own section in the JAAS module configuration file. If the first Server cannot be reached, the next Server in the list is used (providing that more than one Server is specified in the configuration file). The order in which the Servers are entered in the configuration file defines the priority the Servers have in the authentication process. By default, the first Server in the list that can be reached ends the authentication process, regardless of the type of response (OK or Access Denied). However, if the parameter TryAllServers is set to true, all of the Servers are queried until the first OK response is received.
Configurable Properties
The following table details the properties within the JAAS module configuration file for RADIUS/RSA (in alphabetical order):
Property
Mandatory /Optional
Details
Authenticator
mandatory
Authentication method for the RADIUS/RSA Server. Possible values:
- CHAP
- MSCHAP
- PAP
NOTE: The RSA Authentication Manager only supports the PAP authentication protocol.
AuthPort
mandatory
The port number used by the RADIUS/RSA Server for authentication requests.
PinAlphanumeric
optional
PIN format. This parameter is only used with RSA SecurID tokens. Possible values:
- true: the user can choose, and use, a PIN which contains only alphanumeric characters (A-Z, a-z, 0-9).
- false (default): the user can choose, and use, a PIN which contains alphanumeric and special characters (such as !$%&).
The default password policy for RSA allows only numeric PINs, which cannot be set up via the Secure Login Server/Client policy properties.
PinMax
optional
Maximum PIN length for a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 8
PinMin
optional
Minimum PIN length for a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 4
RadiusServerIP
mandatory
Host address of the RADIUS/RSA Server (used for user authentication).
RSAServerIniFile
optional
For configuring RSA Server messages. If the RSA Server version is 6.1, a copy of the RSA Server RADIUS message *.ini file (securid.ini) has to be present. Make sure you enter the full path and file name, for example: \Webapps\securelogin\WEB-INF\securid.ini
SharedSecret
mandatory
Shared secret used by the RADIUS/RSA Server to encrypt the user password.
TimeOut
mandatory
Period of time the Secure Login Server waits for a response before trying the next RADIUS/RSA Server (in milliseconds).
TryAllServers
optional
Determines when to try the next Server in the list. Values: false (default): Try the next Server only if this Server cannot be reached. true: Try the next Server if this Server cannot be reached or answers Access Denied. All Servers have to be configured to either false or true.
Other attributes
optional
Any RADIUS attribute present in the Client's dictionary and which the Server expects to be included in the request. For example: NAS-IP-Address, NAS-Port
Sample JAAS Module Configuration File for RADIUS / RSA – Example 1
SLSJaasModule {
  com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
    RadiusServerIP="10.49.7.15"
    AuthPort="1812"
    SharedSecret="ActivPack"
    TimeOut="5000"
    Authenticator="pap"
    NAS-IP-Address="213.188.106.173"
    NAS-Port="235"
    TryAllServers="true";
  com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
    RadiusServerIP="10.49.2.5"
    AuthPort="1645"
    SharedSecret="secret"
    TimeOut="5000"
    Authenticator="pap"
    PinMin="6"
    PinMax="8"
    PinAlphanumeric="true"
    TryAllServers="true";
};
Example 2
The following configuration is for a scenario in which the Authentication Servers are configured for failover and share the same user database. To prevent the counter for failed logins from being incremented by 3, TryAllServers is set to false. When a user enters the wrong password, only the first reachable Server answers Access Denied and increments the counter for failed logins by 1:
SLSJaasModule {
  com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
    RadiusServerIP="10.49.7.15"
    AuthPort="1812"
    SharedSecret="ActivPack"
    TimeOut="5000"
    Authenticator="pap"
    NAS-IP-Address="213.188.106.173"
    NAS-Port="235"
    TryAllServers="false";
  com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
    RadiusServerIP="10.49.7.16"
    AuthPort="1812"
    SharedSecret="ActivPack"
    TimeOut="5000"
    Authenticator="pap"
    NAS-IP-Address="213.188.106.173"
    NAS-Port="235"
    TryAllServers="false";
  com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
    RadiusServerIP="10.49.7.17"
    AuthPort="1812"
    SharedSecret="ActivPack"
    TimeOut="5000"
    Authenticator="pap"
    NAS-IP-Address="213.188.106.173"
    NAS-Port="235"
    TryAllServers="false";
};
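The Server-selection behaviour described under "Multiple Authentication Servers" and the lockout consideration behind Example 2 can be simulated directly. The following Python is an added example (not part of the product): three Servers share one user database with a failed-login counter, and the chain is walked with the rules the manual gives (an unreachable Server is skipped; with TryAllServers=false the first reachable Server ends the process whatever it answers; with true, Access Denied answers are passed over until the first OK). Server names, the user "alice" and her credential are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Possible Server answers in this simulation (constructed for the example).
UNREACHABLE, DENIED, OK = "unreachable", "access denied", "ok"


class UserDatabase:
    """A user store with a failed-login counter, shared by failover Servers."""

    def __init__(self, passwords: Dict[str, str]) -> None:
        self.passwords = dict(passwords)
        self.failed_logins: Dict[str, int] = {}

    def check(self, user: str, password: str) -> bool:
        if self.passwords.get(user) == password:
            return True
        self.failed_logins[user] = self.failed_logins.get(user, 0) + 1
        return False


@dataclass
class AuthServer:
    name: str
    try_all_servers: bool
    db: UserDatabase
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return UNREACHABLE
        return OK if self.db.check(user, password) else DENIED


def authenticate_chain(servers: List[AuthServer], user: str,
                       password: str) -> Tuple[str, List[str]]:
    """Walk the Servers in configured order; return (result, Servers queried)."""
    flags = {s.try_all_servers for s in servers}
    if len(flags) > 1:
        raise ValueError("all Servers have to be configured to either false or true")
    try_all = flags.pop() if flags else False
    queried: List[str] = []
    answered = False
    for server in servers:
        queried.append(server.name)
        answer = server.authenticate(user, password)
        if answer == UNREACHABLE:
            continue  # always try the next Server
        answered = True
        if answer == OK or not try_all:
            return answer, queried  # OK, or Access Denied with TryAllServers=false
        # Access Denied with TryAllServers=true: keep going
    return (DENIED if answered else UNREACHABLE), queried


def failover_demo(try_all: bool, password: str, first_down: bool = False):
    """Three failover Servers sharing one user database, as in Example 2.
    Returns (result, number of Servers queried, failed-login count for alice)."""
    db = UserDatabase({"alice": "1234-567890"})  # constructed PIN + token code
    servers = [AuthServer(f"10.49.7.{n}", try_all, db) for n in (15, 16, 17)]
    servers[0].reachable = not first_down
    result, queried = authenticate_chain(servers, "alice", password)
    return result, len(queried), db.failed_logins.get("alice", 0)
```

With a wrong password, `failover_demo(True, "wrong")` queries all three Servers and the shared counter reaches 3, whereas `failover_demo(False, "wrong")` stops at the first reachable Server and the counter reaches 1; an unreachable first Server is skipped in both modes.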
9.2.4.3 JAAS Module Configuration Files for SAP ID
Introduction
The JAAS module configuration file SLSsap.login must be configured if you want to use SAP ID-based authentication.
Example Configuration File
Here is an example of a finished configuration file:
SLSJaasModule {
  com.secude.transfair.pepperbox.SAPJaasModule sufficient
    SAPServer="10.49.7.3"
    Client="000"
    SystemNo="00"
    SNCServerName="p:CN=SAP NetWeaver 2004, O=secude.local, C=DE"
    SAPaccount="SLSServer"
    NativeLibraryPath="C:\\SECUDE";
};
Configurable Properties
The following table details the properties within the JAAS module configuration file for SAP ID (in alphabetical order):
Property
Mandatory /Optional
Details
Client
Mandatory
SAP System ID
NativeLibraryPath
Mandatory
The fully qualified path to the native files (SECUDE SNC plus, if needed, SAP JCO)
PasswordAlphanumeric
Optional
This parameter is part of the password policy for Client side policy consistency check. Possible values: true (default): the password can contain only alphanumeric characters (A-Z, a-z, 0-9). false: the password can contain alphanumeric and special characters (such as !$%&). This parameter must be consistent with the SAP password policy.
PasswordMax
Optional
This parameter is part of the password policy for Client side policy consistency check, specifically the maximum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 30
PasswordMin
Optional
This parameter is part of the password policy for the Client side policy consistency check, specifically the minimum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 1
SAPaccount
Mandatory
The SAP user account name for the SECUDE Secure Login Server.
SAPServer
Mandatory
IP or URL of the SAP Server
SNCServerName
Mandatory
The DN of the SAP Server, as stated in the Server certificate (the subject DN of the X.509 certificate). For example: p:CN=SAP NetWeaver 2004, O=secude.local, C=DE
SystemNo
Mandatory
SAP System Number
TryAllServers
optional
Determines when to try the next Server in the list. Values: false (default): Try the next Server only if this Server cannot be reached. true: Try the next Server if this Server cannot be reached or answers Access Denied. All Servers have to be configured to either false or true.
Please contact the SAP Server administrator to make sure that the password policy information in the configuration file is correct.
Related Information
For information about SECUDE Secure Login Server error codes that may be produced by the JAAS module, refer to section 8.3 „SAP ID Error Codes and Return Codes‟ on page 232.
9.2.5 Files for Server Message Configuration
Introduction
The SECUDE Secure Login Server can provide localized messages for the Clients. This is done by creating property files for all required languages. It is recommended to use the Administration Console to edit any messages (see section 6.1.11 on page 156).
Location of the Message Property Files
The property files have to be provided in the classes subdirectory of the application Server‟s Webapps directory. For example (Tomcat): \Webapps\securelogin\WEB-INF\classes
Message Property File Names
The property files for the Server messages are as follows:
- ServerMsg.properties
- ServerMsg_language.properties
- ServerMsg_language_COUNTRY.properties
The naming convention for the ServerMsg_ files uses the following codes:
- ISO 639 language code, consisting of two lower case letters
- ISO 3166 country code, consisting of two upper case letters
The Server provides the messages in the language requested by the Client, if available, or else uses a more generic language. For example, if the Client requests language de_CH, the Server provides the messages configured for de_CH, if available. If de_CH is not available, the Server provides the messages configured for de, if available. If de is also not available, the Server provides the messages configured in the generic ServerMsg.properties file.
Message Format
The message format can be either plain text or rich text. Rich text messages are contained in a body element. You can use the following codes:
Code
Details
body start and end tags around the message
The whole rich text message has to be enclosed in body start and end tags.
\r\n
Inserts a line break.
bold tags around text
Uses bold formatting for text.
italics tags around text
Uses italics formatting for text.
red color tags around text
Uses the color red for text (red is the only color supported).
link tags around anchor
Inserts a link to the destination URL with the link text anchor.
9.2.5.1 Configurable Messages
A property file for Server messages contains pairs of message code and message values. Every property file must contain all message codes, but the message value part may be left empty. It is recommended to use the Administration Console to edit any messages (see section 6.1.11 on page 156). To split long messages in the property file over several lines, use backslash (\) escaped line endings. The configurable messages are as follows (the values shown are the messages as delivered with Secure Login):
Message
Entry
AUTH_EMPTY_CREDENTIAL_ERROR_MSG
No empty usernames or passwords are allowed.
AUTH_LDAP_NAMING_ERROR_MSG
The LDAP Server denied the retrieval of data with the entered username and password.
AUTH_RESULT_ACTION_DENIED_MSG
The authentication failed. This message can be combined with the variable $SERVERMSG to present the user with a reason for the denial. The $SERVERMSG variable is an option to forward the raw Authentication Server message to the Secure Login Client. For example: Access denied because..$SERVERMSG
The $SERVERMSG variable should only be used with Sun directory Servers and SAP-ID. If used with RSA no messages will be sent by default, and if used with ADS a cryptic text message will be sent.
AUTH_RESULT_ACTION_OK_MSG
The authentication process has finished successfully.
AUTH_SERVER_CANT_RESOLVE_MSG
The Authentication Server name cannot be resolved.
AUTH_SERVER_TIMEOUT_MSG
While trying to reach the Authentication Server, a timeout occurred.
CONFIG_ACTION_DISCLAIMER_MSG
The disclaimer message.
CONFIG_ACTION_MSG
The salutatory message.
ERROR_ACTION_FORMAT_MSG
An error occurred due to a message sent by the Client, which the Server can not interpret.
ERROR_ACTION_INTERNAL_MSG
A fatal error occurred due to Server problems.
ServerID_WARN_MSG
Attention! Your password will expire on $EXPDATE
NEW_PIN_REPLY_ACCEPTED_MSG
The newly selected PIN has been accepted by the Server.
NEW_PIN_REPLY_REJECTED_MSG
The newly selected PIN has been rejected by the Server.
NEW_PIN_REQUIRED_ACTION_MSG
The user has to enter a new PIN for a Server forced PIN change.
SEND_NEXT_TOKEN_CODE_ACTION_MSG
The user has to enter the next token code displayed on the RSA SecurID token.
STATUS_ACTION_MSG
The current Server status is enclosed with this transfairgram (only for diagnostic purposes).
In addition, optional password expiration messages for LDAP Authentication Servers can be included in this file. For further information refer to section 9.2.5.2 „Password Expiry Warning Message‟ on page 264.
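The locale fallback described under "Message Property File Names" and the property-file rules above (every file carries every code, values may be empty, long values are continued with a backslash-escaped line ending) can be checked with a small loader. The following Python is an added example, not code shipped with Secure Login; the three sample files and their German texts are constructed for it. One assumption is made that the manual does not state: an empty value is treated like a missing translation and falls back to the next more generic file.

```python
# Constructed sample files (not the files shipped with Secure Login): the
# generic file plus German and Swiss-German variants. Every file carries every
# message code; a value may be empty, as the manual allows.
SAMPLE_FILES = {
    "ServerMsg.properties": (
        "# generic fallback file\n"
        "AUTH_EMPTY_CREDENTIAL_ERROR_MSG = No empty usernames or passwords are allowed.\n"
        "AUTH_RESULT_ACTION_DENIED_MSG = Access denied because..$SERVERMSG\n"
        "AUTH_RESULT_ACTION_OK_MSG = The authentication process has \\\n"
        "    finished successfully.\n"
    ),
    "ServerMsg_de.properties": (
        "AUTH_EMPTY_CREDENTIAL_ERROR_MSG = Leere Benutzernamen oder Passwoerter sind nicht erlaubt.\n"
        "AUTH_RESULT_ACTION_DENIED_MSG = Zugriff verweigert: $SERVERMSG\n"
        "AUTH_RESULT_ACTION_OK_MSG =\n"
    ),
    "ServerMsg_de_CH.properties": (
        "AUTH_EMPTY_CREDENTIAL_ERROR_MSG = Leere Benutzernamen oder Passwoerter sind nicht erlaubt.\n"
        "AUTH_RESULT_ACTION_DENIED_MSG =\n"
        "AUTH_RESULT_ACTION_OK_MSG =\n"
    ),
}
REQUIRED_CODES = {
    "AUTH_EMPTY_CREDENTIAL_ERROR_MSG",
    "AUTH_RESULT_ACTION_DENIED_MSG",
    "AUTH_RESULT_ACTION_OK_MSG",
}


def parse_properties(text: str) -> dict:
    """Minimal key=value parser: '#' comment lines, and a trailing backslash
    joins the next line (leading whitespace of the continuation is dropped)."""
    entries, buf, pending = {}, "", False
    for raw in text.splitlines():
        line = raw.lstrip() if pending else raw
        pending = line.endswith("\\")
        buf += line[:-1] if pending else line
        if pending:
            continue
        if buf.strip() and not buf.lstrip().startswith("#"):
            key, _, value = buf.partition("=")
            entries[key.strip()] = value.strip()
        buf = ""
    return entries


def candidate_files(locale: str) -> list:
    """de_CH -> ServerMsg_de_CH, ServerMsg_de, ServerMsg: the fallback order."""
    parts = locale.split("_") if locale else []
    names = ["ServerMsg_" + "_".join(parts[:i]) + ".properties"
             for i in range(len(parts), 0, -1)]
    return names + ["ServerMsg.properties"]


def resolve_message(files: dict, locale: str, code: str) -> str:
    """Most specific file with a non-empty value for `code`, else ''.
    (Treating an empty value as 'fall back' is this example's assumption.)"""
    for name in candidate_files(locale):
        value = parse_properties(files.get(name, "")).get(code, "")
        if value:
            return value
    return ""


def missing_codes(files: dict, required: set) -> dict:
    """Files that lack a required code (keys are mandatory; values may be empty)."""
    report = {}
    for name, text in files.items():
        absent = sorted(required - set(parse_properties(text)))
        if absent:
            report[name] = absent
    return report


def render(template: str, **variables) -> str:
    """Substitute $NAME variables such as $SERVERMSG into a message."""
    for name, value in variables.items():
        template = template.replace("$" + name, value)
    return template
```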
9.2.5.2 Password Expiry Warning Message
Introduction
The property file for Server messages may optionally contain password expiry warning messages for any LDAP Authentication Server.
Examples
An entry for such a message has the following structure:
ServerID_WARN_MSG = Attention! Your password will expire on $EXPDATE.
The following list details the variables in the warning message:
Variable
Details
ServerID
Determines which password expiry warning is used for which Server. Corresponds to the ServerID property in the JAAS module configuration file (see section 9.2.4.1 „JAAS Module Configuration Files for LDAP/ADS‟ on page 253).
$EXPDATE
You can use the $EXPDATE variable in the password expiry warning to state the expiry date in the message. The date is retrieved from the LDAP/ADS Server using the PasswordExpirationAttribute property in the JAAS module configuration file. The date is formatted according to the local settings of the Client.
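As an added example (not the product's code), the following Python parses the PasswordExpirationAttribute formats listed in section 9.2.4.1, decides whether the PasswordExpirationGracePeriod has been entered, and renders the ServerID_WARN_MSG template. Two points are assumptions of this example rather than statements of the manual: the numeric form is decoded as a Windows FILETIME, that is 100-nanosecond intervals since 01/01/1601 UTC (under that reading the manual's sample value 127984619236406250 falls on 2006-07-27, the same day as its GeneralizedTime samples), and $EXPDATE is rendered in UTC here, whereas the Client formats the date according to its local settings.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# YYYYMMDDHHMMSS, optional fraction, then Z or +hhmm/-hhmm (optionally followed by Z,
# as in the manual's examples).
_GENERALIZED = re.compile(r"^(\d{14})(?:\.\d+)?(Z|[+-]\d{4})Z?$")


def parse_expiry(value: str) -> datetime:
    """Return the expiry as an aware UTC datetime for the attribute formats the manual lists."""
    value = value.strip()
    if value.isdigit():
        # Assumption: Windows FILETIME, 100-nanosecond intervals since 1601-01-01 UTC.
        return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)
    match = _GENERALIZED.match(value)
    if not match:
        raise ValueError(f"unrecognised expiry format: {value!r}")
    stamp, zone = match.groups()
    naive = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    if zone == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if zone[0] == "+" else -1
        offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5]))
    return naive.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def warning_key(server_id: str) -> str:
    """Message code of the warning for one Server, e.g. LDAP1 -> LDAP1_WARN_MSG."""
    return f"{server_id}_WARN_MSG"


def expiry_warning(expiry: datetime, now: datetime, grace_period_days: int,
                   template: str):
    """Rendered warning if the password expires within the grace period and
    has not expired yet; otherwise None. $EXPDATE is rendered in UTC here
    (assumption; the Client uses its local settings)."""
    remaining = expiry - now
    if timedelta(0) < remaining <= timedelta(days=grace_period_days):
        return template.replace("$EXPDATE", expiry.strftime("%Y-%m-%d %H:%M UTC"))
    return None
```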
9.3 Secure Login Client Registry Values
Introduction
The properties for the Secure Login Client system service can be configured using the customer.reg file or can be integrated in the company‟s group policies. The property names are not case-sensitive.
Location
The following properties:
- HttpProxyUrl
- SSLHostCommonNameCheck
- SSLHostAlternativeNameCheck
- SSLHostExtensionCheck
- UseSslPse
…can be located under the registry entry: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\Profiles\]
The other properties can be located under the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\SecureLogin\System
The following properties can be created/edited:
Property
Data Type
Description, Example
DisableUpdatePolicyOnStartup
BOOLEAN
This sets whether the Client policy file is automatically downloaded and registered from an XML file when the system service is started. true = disable automatic policy download. false (default) = enable automatic policy download.
HttpProxyURL
STRING
HTTP proxy to be used with PolicyURL. Only HTTP proxies without authentication and without SSL to proxy are supported. Example: http://proxy.secude.com:3128
NetworkTimeout
DWORD
Network timeout in seconds before connection is closed if the Server does not respond (default: 45).
PolicyRetries
DWORD
The number of times the Client tries to retrieve the Clientpolicy.xml file from the policy Server before giving up.
PolicyTTL
DWORD
„Policy time-to-live‟. The lifetime, in minutes, of the SECUDE Secure Login Client policy before retrieving the Clientpolicy.xml file from the policy Server.
PolicyURL
STRING
Network resource where the latest SECUDE Secure Login Client policy can be downloaded from. Mandatory if an XML file is used for the policy Server, see section 9.1.1 „ClientPolicy.xml File‟ on page 239. Example: https://securelogin.secude.com:8443/securelogin/ClientPolicy.xml
SSLHostCommonNameCheck
BOOLEAN
SSL Server certificate: Check if peer host name is given in its subject common name (default: false).
SSLHostAlternativeNameCheck
BOOLEAN
SSL Server certificate: Check if peer host name is given in its subject alternative names (default: false).
SSLHostExtensionCheck
BOOLEAN
SSL Server certificate: Check if the peer‟s certificate has extended key usage ServerAuthentication set (default: false).
useSslPse
BOOLEAN
If true, turns on the former SSL PSE based trust store for HTTPS. If false (default), the Microsoft CAPI is used for HTTPS trust.
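The three SSLHost*Check values default to false, so a customer.reg that leaves them untouched does not tie the HTTPS Server certificate to the host name the Client connects to. The following Python is an added example (not the product's code) that reads the subset of .reg syntax such a file uses, reports the weak settings, and produces the corrected file with all three checks enabled. The registry excerpt is constructed for the example; the key paths and property names are those the manual documents, and property names are compared case-insensitively because the manual says they are not case-sensitive.

```python
import re

# Constructed customer.reg excerpt (not the product's own file). The three
# certificate checks are at their documented defaults (false); the policy
# URL itself is HTTPS. NetworkTimeout 0x2d is the documented default of 45.
WEAK_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\Profiles\]
"SSLHostCommonNameCheck"=dword:00000000
"sslhostalternativenamecheck"=dword:00000000
"SSLHostExtensionCheck"=dword:00000000
"UseSslPse"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\SecureLogin\System]
"PolicyURL"="https://securelogin.secude.com:8443/securelogin/ClientPolicy.xml"
"NetworkTimeout"=dword:0000002d
"""

PROFILES_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\SECUDE\\Profiles"
SYSTEM_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\SECUDE\\SecureLogin\\System"
HOST_NAME_CHECKS = ("SSLHostCommonNameCheck", "SSLHostAlternativeNameCheck")

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text: str) -> dict:
    """Parse the .reg subset used above into {key path: {name: value}}.
    Names are lower-cased (not case-sensitive per the manual); dword values
    become ints, string values stay strings."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            current = section.group(1).rstrip("\\")
            tree.setdefault(current, {})
            continue
        value = _VALUE.match(line)
        if value and current is not None:
            name, dword, string = value.groups()
            tree[current][name.lower()] = int(dword, 16) if dword is not None else string
    return tree


def audit(tree: dict) -> list:
    """Findings a reviewer of a Client registry policy would raise."""
    findings = []
    profile = tree.get(PROFILES_KEY, {})
    if not any(profile.get(name.lower()) == 1 for name in HOST_NAME_CHECKS):
        findings.append("no host name check enabled: the Server certificate is "
                        "not tied to the host the Client connects to")
    if profile.get("sslhostextensioncheck") != 1:
        findings.append("SSLHostExtensionCheck disabled: extended key usage "
                        "ServerAuthentication is not required")
    url = tree.get(SYSTEM_KEY, {}).get("policyurl", "")
    if url and not url.lower().startswith("https://"):
        findings.append("PolicyURL is not HTTPS: the Client policy is fetched "
                        "without transport protection")
    return findings


def harden(reg_text: str) -> str:
    """Return the .reg text with all three certificate checks set to true."""
    out = reg_text
    for name in HOST_NAME_CHECKS + ("SSLHostExtensionCheck",):
        out = re.sub(rf'(?im)^"{name}"=dword:[0-9a-f]{{8}}$',
                     f'"{name}"=dword:00000001', out)
    return out
```

`audit(parse_reg(WEAK_REG))` reports the two disabled checks; `harden(WEAK_REG)` is the corrected file, for which the audit returns no findings.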
9.4 Key Usage Reference
Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For example, if you have a key used only for signing, enable the digital signature and/or nonrepudiation extensions. Alternatively, if a key is used only for key management, enable key encipherment. The following table describes the key usage extensions available for keys created using the CA process.
Key Usage Extension
Details
Digital signature
Use when the public key is used with a digital signature mechanism to support security services other than nonrepudiation, certificate signing, or CRL signing. A digital signature is often used for entity authentication and data origin authentication with integrity.
Non-repudiation
Use when the public key is used to verify digital signatures used to provide a non-repudiation service. Non-repudiation protects against the signing entity falsely denying some action (excluding certificate or CRL signing).
Key encipherment
Use when a certificate will be used with a protocol that encrypts keys. An example is S/MIME enveloping, where a fast (symmetric) key is encrypted with the public key from the certificate. SSL protocol also performs key encipherment.
Data encipherment
Use when the public key is used for encrypting user data, other than cryptographic keys.
Key agreement
Use when the sender and receiver of the public key need to derive the key without using encryption. This key can then be used to encrypt messages between the sender and receiver. Key agreement is typically used with Diffie-Hellman ciphers.
Encipher only
Use only when key agreement is also enabled. This enables the public key to be used only for enciphering data while performing key agreement.
Decipher only
Use only when „key agreement‟ is also enabled. This enables the public key to be used only for deciphering data while performing key agreement.
Client authentication
Enable only for „Digital signature‟ and/or „Key agreement‟
E-mail protection
Enable only for „Digital signature‟, „Non-repudiation‟, and/or „Key encipherment‟ or „Key agreement‟.
Encrypted filesystem
This key usage is defined by Microsoft. The certificate can be used to encrypt files by using the Encrypting File Systems. For further information refer to: http://msdn2.microsoft.com/en-gb/library/aa378132.aspx
Smart card login
This key usage is defined by Microsoft. The certificate enables an individual to log on to a computer via a smart card.
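The key usage bits in the table are stored in a certificate as an X.509 KeyUsage BIT STRING. The following Python is an added example (not part of the manual or the product) that decodes that DER value, applies the two consistency rules the table states (encipher only and decipher only require key agreement), and checks whether the key usage bits permit the client authentication and e-mail protection usages the table pairs them with. The three DER samples are constructed; reading the table's "and/or" as "at least one of" is this example's interpretation.

```python
# Bit positions of the X.509 KeyUsage BIT STRING (RFC 5280, section 4.2.1.3);
# the first nine rows of the manual's table, in the order the standard defines.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Extended key usages from the table, keyed by their OIDs (RFC 5280 / Microsoft).
EXTENDED_KEY_USAGE_OIDS = {
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.4.1.311.10.3.4": "encryptedFileSystem",
    "1.3.6.1.4.1.311.20.2.2": "smartCardLogon",
}

# Key usage bits the table pairs with each extended key usage; this example
# reads "and/or" in the table as "at least one of" (an interpretation).
EKU_REQUIRES = {
    "clientAuth": {"digitalSignature", "keyAgreement"},
    "emailProtection": {"digitalSignature", "nonRepudiation",
                        "keyEncipherment", "keyAgreement"},
}


def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03, short-form length) into the set of
    key usage names whose bit is set. Bit 0 is the most significant bit of
    the first content octet; the octet before the content gives the number
    of unused trailing bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits octet")
    total_bits = len(body) * 8 - unused
    return {
        name for i, name in enumerate(KEY_USAGE_BITS)
        if i < total_bits and body[i // 8] & (0x80 >> (i % 8))
    }


def check_key_usage(flags: set) -> list:
    """Consistency rules from the table: the encipher-only and decipher-only
    bits are meaningful only when key agreement is also enabled."""
    issues = []
    for bit in ("encipherOnly", "decipherOnly"):
        if bit in flags and "keyAgreement" not in flags:
            issues.append(f"{bit} requires keyAgreement")
    return issues


def eku_allowed(flags: set, eku: str) -> bool:
    """True if the key usage bits permit the extended key usage according to
    the table; usages the table gives no key-usage rule for are accepted."""
    required = EKU_REQUIRES.get(eku)
    return True if required is None else bool(flags & required)
```

The sample `b"\x03\x02\x05\xa0"` is the common signing-plus-key-transport profile (digital signature and key encipherment, five unused bits); `b"\x03\x03\x07\x08\x80"` sets key agreement and decipher only, which needs a second content octet because decipher only is bit 8.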
10 List of Abbreviations
Abbreviation
Meaning
ADS
Active Directory Service
CA
Certification Authority
CAPI
Microsoft Crypto API
CSP
Cryptographic Service Provider
DN
Distinguished Name
EAR
Enterprise Application Archive
HTTP
Hyper Text Transport Protocol
HTTPS
Hyper Text Transport Protocol with Secure Socket Layer (SSL)
JAAS
Java Authentication and Authorization Service
LDAP
Lightweight Directory Access Protocol
PIN
Personal Identification Number
PKCS
Public Key Cryptography Standards
PKCS#11
Cryptographic Token Interface Standard
PKCS#12
Personal Information Exchange Syntax Standard
PKI
Public Key Infrastructure
PSE
Personal Security Environment
RFC
Remote function call (SAP NetWeaver term)
RSA
Rivest, Shamir and Adleman
SLAC
Secure Login Administration Console
SLC
SECUDE Secure Login Client
SLS
SECUDE Secure Login Server
SNC
Secure Network Communication
SSL
Secure Socket Layer
UPN
User Principal Name
WAR
Web Archive
WAS
Web Application Server
Glossary
A
Authentication A process that checks whether a person is really who they are. In a multi-user or network system, authentication means the validation of a user‟s logon information. A user‟s name and password are compared against an authorized list.
B
Base64 encoding
The Base64 encoding is a three-byte to four-character encoding based on an alphabet of 64 characters. This encoding was introduced in PEM (RFC 1421) and MIME. Other uses include HTTP Basic Authentication headers and general binary-to-text encoding applications. Note: Base64 encoding expands binary data by 33%, which is quite efficient.
C
CAPI
See „Cryptographic Application Programming Interface‟
Certificate
A digital identity card. A certificate typically includes:
- The public key being signed.
- A name, which can refer to a person, a computer or an organization.
- A validity period.
- The location (URL) of a revocation center.
- The digital signature of the certificate produced by the CA‟s private key.
The most common certificate standard is the ITU-T X.509.
Certification Authority (CA)
An entity which issues and verifies digital certificates for use by other parties.
Certificate Store
Sets of security certificates belonging to user tokens or certification authorities.
CREDDIR
A directory on the Server in which information is placed that goes beyond the PSE (personal security environment).
Credentials
Used to establish the identity of a party in communication. Usually they take the form of machine-readable cryptographic keys and/or passwords. Cryptographic credentials may be self-issued, or issued by a trusted third party; in many cases the only criterion for issuance is unambiguous association of the credential with a specific, real individual or other entity. Cryptographic credentials are often designed to expire after a certain period, although this is not mandatory. Credentials have a defined time to live (TTL) that is configured by a policy and managed by a Client service process.
Cryptographic Application Programming Interface (CAPI)
The Cryptographic Application Programming Interface (also known variously as CryptoAPI, Microsoft Cryptography API, or simply CAPI) is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography. It is a set of dynamically-linked libraries that provides an abstraction layer which isolates programmers from the code used to encrypt the data.
Cryptographic Token Interface Standard
A standardized crypto-interface for devices that contain cryptographic information or that perform cryptographic functions.
D
Directory Service
Provides information in a structured format. Within a PKI: Contains information about the public key of the user of the security infrastructure, similar to a telephone book (e.g. an X.500 or LDAP directory).
Distinguished Name (DN)
A name pattern that is used to create a globally unique identifier for a person. This name ensures that a certificate is never created for different people with the same name. The uniqueness of the certificate is additionally ensured by the name of the issuer of the certificate (that is, the certification authority) and the serial number. All PKI users require a unique name. Distinguished Names are defined in the ISO/ITU X.500 standard.
K
Key Usage
Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For example, if you have a key used only for signing, enable the digital signature and/or nonrepudiation extensions. Alternatively, if a key is used only for key management, enable key encipherment.
Key Usage (extended)
Extended key usage further refines key usage extensions. An extended key is either critical or non-critical. If the extension is critical, the certificate must be used only for the indicated purpose or purposes. If the certificate is used for another purpose, it is in violation of the CA's policy. If the extension is non-critical, it indicates the intended purpose or purposes of the key and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. The extension is then only an informational field and does not imply that the CA restricts use of the key to the purpose indicated. Nevertheless, applications that use certificates may require that a particular purpose be indicated in order for the certificate to be acceptable.
L
Lightweight Directory Access Protocol (LDAP)
A network protocol designed to extract information such as names and e-mail addresses from a hierarchical directory such as X.500.
P
PKCS#11
“PKCS” refers to a group of Public Key Cryptography Standards devised and published by RSA Security. “PKCS#11” is an API defining a generic interface to cryptographic tokens.
PEM
See Privacy-Enhanced Mail.
Personal Identification Number (PIN)
A unique code number assigned to the authorized user.
Personal Information Exchange Syntax Standard
Specifies a portable format for saving or transporting a user‟s private keys, certificates, and other secret information.
Personal Security Environment
The PSE is a personal security area that every user requires to work with SECUDE. A PSE contains security-related information. This includes the certificate and its secret private key. The PSE can be either an encrypted file or a smart card and is protected with a password.
PIN
See Personal Identification Number.
Privacy-Enhanced Mail (PEM)
The first known use of Base 64 encoding for electronic data transfer was the Privacy-enhanced Electronic Mail (PEM) protocol, proposed by RFC 989 in 1987. PEM defines a "printable encoding" scheme that uses Base 64 encoding to transform an arbitrary sequence of octets to a format that can be expressed in short lines of 7-bit characters, as required by transfer protocols such as SMTP. The current version of PEM (specified in RFC 1421) uses a 64-character alphabet consisting of upper- and lower-case Roman alphabet characters (A–Z, a–z), the numerals (0–9), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code. The original specification additionally used the "*" symbol to delimit encoded but unencrypted data within the output stream.
Public FSD
Public file system device. An external storage device that uses the same file system as the operating system.
Public Key Cryptography Standards
A collection of standards published by RSA Security Inc. for the secure exchange of information over the Internet.
Public Key Infrastructure
Comprises the hardware, software, people, guidelines, and methods that are involved in creating, administering, saving, distributing, and revoking certificates based on asymmetric cryptography. Is often structured hierarchically. In X.509 PKI systems, the hierarchy of certificates is always a top-down tree, with a root certificate at the top, representing a CA that does not need to be authenticated by a trusted third party.
R
Root certification authority
The highest certification authority in a PKI. All users of the PKI must trust it. Its certificate is signed with a private key. There can be any number of CAs between a user certificate and the root certification authority. To check foreign certificates, a user requires the certificate path as well as the root certificate.
Root certificate
The certificate of the root CA.
RSA
An asymmetric cryptographic procedure, developed by Rivest, Shamir, and Adleman in 1977. It is the most widely-used algorithm for encryption and authentication. It is used in many common browsers and mail tools. Security depends on the length of the key: key lengths of 1024 bits or higher are regarded as secure.
S
Secure Network Communications
A module in the SAP NetWeaver system that deals with the communication with external cryptographic libraries. The library is addressed using GSS API functions and provides NetWeaver components with access to the security functionality of SECUDE.
Secure Sockets Layer
A protocol developed by Netscape Communications for setting up secure connections over insecure channels. Ensures the authorization of communication partners and the confidentiality, integrity, and authenticity of transferred data.
Single sign-on
A system that administrates authentication information, allowing a user to log on to systems and open programs without the need to enter authentication every time (automatic authentication).
T
Token A security token (or sometimes a hardware token, authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens. Smart-card-based USB tokens (which contain a smart card chip inside) provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device (smart card reader). From the computer operating system‟s point of view such a token is a USB-connected smart card reader with one non-removable smart card present. Tokens provide access to a private key that allows performing cryptographic operations. The private key may be persistent (like a PSE file, smart card, and CAPI container) or nonpersistent (like temporary SECUDE Secure Login keys).
W
Windows Credentials A unique set of information authorizing the user to access the Windows operating system on a computer. The credentials usually comprise a user name, a password, and a domain name (optional).
X
X.500
A standardized format for a tree-structured directory service.
X.509
A standardized format for certificates and revocation lists.
Index

A
About this manual ... 7
Active Directory Server (ADS) authentication ... 23
administration ... 119
administration console ... 119
administration console - application management ... 184
administration console - authentication management ... 131
administration console - certificate management ... 128
administration console - certificate template ... 143
administration console - change language ... 155
administration console - change the administrator password ... 122
administration console - client configuration ... 183
administration console - client profile management ... 187
administration console - console log viewer ... 165
administration console - files download ... 190
administration console - instance check ... 196
administration console - instance configuration ... 179
administration console - instance log management ... 192
administration console - instance management ... 178
administration console - message settings ... 156
administration console - open ... 119
administration console - server configuration ... 124
administration console - server instance status ... 197
administration console - server status ... 162
administration console - signed certificate requests ... 163
administration console - SSS&JCO installation ... 158
administration console - system backup ... 151
administration console - system check ... 149
administration console - system restore ... 152
administration console - TrustStore management ... 141
ADS/LDAP - configure ... 85
application management ... 184
archived log ... 196
authentication management ... 131
authentication method (PKI) ... 13

C
certificate management ... 128
certificate template ... 143
certificate template - create new ... 144
certificate template - export ... 147
certificate template - import ... 148
certificate template - mapping ... 146
change language ... 155
client authentication ... 266
client configuration ... 183
client policy ... 239
client profile management ... 187
client URL - troubleshooting ... 218
ClientPolicy.xml - registry keys ... 239
configurable messages ... 263
configurable properties ... 246
configuration.properties ... 248
Configure Authentication Server Communication ... 84
Configure SSL in Tomcat ... 36
console log viewer ... 165
Contacting Technical Support ... 10
Conventions used in this manual ... 9

D
daily log ... 193
daily log file ... 213
data encipherment ... 266
decipher only ... 266
digital signature ... 266
download files - secure login client ... 190

E
e-mail protection ... 266
encipher only ... 266
encrypted filesystem ... 266
environment variables - SAP ID-based logon ... 217
error and return codes ... 231

F
files download ... 190
files download - global client policy ... 191

G
global client policy ... 191

I
Icons used in this manual ... 10
instance check ... 196
instance configuration ... 179
instance log management ... 192
instance management ... 178
instance status ... 197
Instances - global client policy ... 191
instances - overview ... 18

J
JAAS module - configuration files ... 253
JAAS module - LDAP/ADS ... 253
JAAS module - RADIUS/RSA ... 257
JAAS module - SAP ID ... 260
JCO - installation ... 158

K
key agreement ... 266
key encipherment ... 266
Key Length Policies ... 212
key usage - reference ... 238, 266

L
LD_LIBRARY_PATH ... 217
log files ... 213
log settings ... 195
logging - archived log files ... 196
logging - daily log ... 193
logging - daily log file ... 213
logging - instance log management ... 192
logging - log settings ... 195
logging - monthly log file ... 215
logging - view console logs ... 165

M
message settings ... 156
messages - configure ... 263
Microsoft crypto store ... 12
Microsoft group policies ... 245
Migrate from an Existing SECUDE secure login Server ... 82
monthly log file ... 215

N
non-repudiation ... 266

O
other administration features ... 206

P
password expiry - warning message ... 264
password expiry warnings ... 220
PKI certificate ... 12
policy server overview ... 30
PseServer.lock ... 216

R
RADIUS / RSA authentication ... 24
RADIUS/RSA - configure ... 86
registry values - secure login client ... 264
Related documentation ... 7
Restore from an Existing secure login Server Backup (*.zip) File ... 83
return codes ... 231

S
SAP ID authentication ... 25
SAP ID-based logon - configure ... 87
SAP Logon Ticket authentication ... 28
SAP Logon Ticket-based logon - configure ... 89
SAP NetWeaver ... 49
SAP NetWeaver - installation ... 40, 42
SECUDE50secureloginServer.zip ... 109
secure login - authentication method (PKI) ... 13
secure login - authentication methods ... 22
secure login - instance/server lock ... 219
secure login - server lock and unlock ... 216
secure login - system overview ... 16
secure login - what is it? ... 11
secure login client - registry values ... 264
secure login client - remove ... 106
secure login client installation ... 94, 98
secure login client installation - MSI options ... 103
secure login client rollout ... 97
secure login components ... 13
secure login server - remove (ADS, LDAP, Radius, SAP ID) ... 91
secure login server - remove (SAP NetWeaver) ... 92
server configuration ... 124
server installation ... 32
server lock and unlock ... 216
server message configuration files ... 262
Server Setup Wizard ... 43, 54, 63
server status ... 162
signed certificate requests ... 163
signon&secure - installation ... 158
smart card login ... 266
SNC connection - troubleshooting ... 221
SQL Database Table authentication ... 22, 28
SQL Database-based logon - configure ... 89
SSL.PSE ... 218
SSL.PSE-based TrustStore for HTTPS ... 218
SSS&JCO installation ... 158
status query - internet browser ... 206
Support ... 10
system backup ... 151
system check ... 149
system overview ... 12, 16
system overview - PKI ... 13
system restore ... 152

T
Target audience ... 7
Technical Support, contacting ... 10
Tomcat - configure SSL ... 36
trace messages - enable/disable ... 215
tracing ... 215
Troubleshooting ... 211
TrustStore management ... 141

W
warnings - password expiry ... 220
Web Client ... 109
web.xml ... 247
what is SECUDE secure login? ... 11

X
XML Interface ... 209