
5 Secure Login plus Web Client Installation, Usage, and Removal

6.1 Administration Console

Introduction

This section details the Administration Console for Secure Login. The console is based on JavaServer Pages (JSP) technology and is controlled from within an Internet browser. It makes administration tasks for SECUDE Secure Login easy. Every relevant administration and configuration task for both the Client and Server side can be performed via the console.

6.1.1 Open the Console

1. To open the console enter the following URL in a Web browser:

http://<Server IP address>/securelogin/admin/index.jsp

For example: http://localhost:8080/securelogin/admin/index.jsp

or for secure communication: https://localhost:8443/securelogin/admin/index.jsp

2. The login page will appear:

Figure 6-1 Administration Console – login page

Enter your SECUDE Secure Login administration username, password, and authentication type (detailed below). Click Login. If you make a mistake entering any details, just click Reset to clear the fields.

Authentication type – Details

Local login – Standard username/password combination authenticated via the Administration Console database.

External login – Username/password combination authenticated via the Authentication Server database set in the JAAS module. If you use this option you must also select the appropriate JAAS module in the External Login Jaas Module combo-box.

NOTE: an Authentication Server must already be configured for there to be any entries in the combo-box. For information about configuring an Authentication Server refer to section 6.1.5.

SSL certificate login – Username/password combination authenticated via a certificate imported into the Web-browser.

3. If login is successful the Welcome page will appear:

Figure 6-2 Administration Console – Home/welcome page

The Administration Console interface allows you to easily configure the Server to your needs. The main area is split into three panes:

• The top left-hand pane lists any tasks that have yet to be performed. For example, “Connection should be https” refers to the missing SSL connection between the console and the Secure Login Server, or “Server needs to be restarted” informs you that the Server configuration has been changed and you need to restart the Server for it to take effect.

• The bottom left-hand pane is the main navigation tree. For easy reference, each node represents tasks that can be performed within the Secure Login framework.

• The right-hand pane displays the details of any node selected in the left-hand pane.

In the top right-hand corner there are three entries that appear on every page in the console:

• Change password – This allows you to change the password for the current administrator/user account. For further details refer to section 6.1.3 on page 122.

• Logout – Use this link to logout of the console. The login page will reappear (see previous page).

• About – Click this to view version information about the console.

Click one of the nodes in the bottom left-hand pane to perform one of the following tasks:

Node – Details

Home – Use this node to return to the administration console start page (as seen above).

Server Configuration – Use this node to view and change the configuration of the whole Server. For further information see section 6.1.3.

Server Configuration > Certificate Management – Use this node to view details about the Secure Login Server certificate issuers and to add new issuers. For further information see section 6.1.4.

Server Configuration > Authentication Management – Use this node to view details about the Secure Login Server JAAS module and to add a new Authentication Server. For further information see section 6.1.5.

Server Configuration > TrustStore Management – Use this node to view certificates in the TrustStore and add certificates to the TrustStore. For further information see section 6.1.6.

Server Configuration > Certificate Template – Use this node to view and change certificate templates. For further information see section 6.1.7.

Server Configuration > System Check – Use this node to view the current status of Secure Login components. For further information see section 6.1.8.

Server Configuration > Backup/Restore – Use this node to backup and/or restore the current Server configuration and PKI information of the administration system. For further information see section 6.1.9.

Server Configuration > Change Language – Use this node to change the GUI language. For further information see section 6.1.10.

Server Configuration > Message Setting – Use this node to change message content. For further information see section 6.1.11.

Server Configuration > SSS&JCO installation – Use this node to install the SECUDE signon&secure (SSS) and JCO components necessary for the SAPID JAAS login module for Secure Login. For further information see section 6.1.12.

Server Configuration > System Status – Use this node to view the status of the current Secure Login Server. For further information see section 6.1.13.

Server Configuration > Sign Certificate Requests – Use this node to submit a certificate request to a certificate authority. For further information see section 6.1.14.

Server Configuration > Console log viewer – Use this node to view log entries of actions performed via the Administration Console only. Log files can be viewed on a monthly basis. For further information see section 6.1.15.

Server Configuration > Locked Files Management – Use this node to check if any files have been locked and, if necessary, unlock them. For further information see section 6.4.3 on page 205.

Server Configuration > Web Client Configuration – Use this node to configure Web-Client parameters. For further information see section 6.1.16.

NOTE: this node only appears if the Web Client has been installed. For further details refer to section 5.3 on page 112.

Server Configuration > Email Report&Alert Configuration – Use this node to configure email notification and email alert parameters. For further information see section 6.1.16.

Instance Management – Use this node to administrate the Secure Login instances. For further information see section 6.3.

Instance Management > Instance Configuration – Use this node to display the configuration of the current Secure Login Server instance. For further information see section 6.3.1.

Instance Management > Client Configuration – Use this node to view and change the Client configuration. For further information see section 6.3.3.

Instance Management > Instance Log Management – Use this node to view log files on either a monthly or daily basis, and download the log files for archiving. For further information see section 6.3.4.

Instance Management > Instance Check – Use this node to view the status of the components for Client policies and PKI management. For further information see section 6.3.5.

Instance Management > Instance Status – Use this node to view the status of the current Secure Login Server. For further information see section 6.3.6.

Console Users – Use this node to view when an administrator logged in to, or logged out of, the Administration Console. For further information see section 6.4.

Console Users > User Management – Use this node to display a list of the users/administrators registered to the Administration Console as well as add a new user, edit/delete a current user, and assign a role to a user. For further information see section 6.4.1 on page 199.

Console Users > Role Management – Use this node to configure the permissions for a new or existing administrator role. For further information see section 6.4.2 on page 202.

Console Users > Locked Files Management – Use this node to unlock console files that are locked by dead operator sessions. For further information see section 6.4.2 on page 202.

You may be asked to re-enter your username and password if you leave the administration console for too long (console timeout).

This page also appears when you click the Home node.

6.1.2 Change the Administrator/User Password

This section details how to change the account password for the Administration Console. The user ‘Admin’ is a permanent user that has the role ‘super-user’ and cannot be deleted (only the password changed) or altered in any way.

As a consequence, the ‘admin’ user can log onto the system regardless of state (i.e. when a serious system error occurs), guaranteeing that there is at least one user that can always access Secure Login to correct or configure the system.

1. Click Change Password in the title bar on any page.

2. The following page will appear:

Figure 6-3 Administration Console – Change Administrator/User Password

3. Enter the current password into the Old Password field.

4. Enter and confirm the new password into the fields New Password and Confirm New Password respectively.

5. Click OK.

6.1.3 Server Configuration

This section details the Server Configuration page of the Administration Console. The Server Configuration page allows you to:

• View the Server configuration.

• Edit some of the Server parameters (see section 6.1.3.1 on page 126).

• Edit the type of authentication used to login to the Administration Console (see section 6.1.3.2 on page 127).

1. Click the Server Configuration node in the left-hand pane of the Administration Console.

2. The following page will appear:

Figure 6-4 Administration Console – Server Configuration


Option – Details/Value

Edit – Click Edit to change the Administration Console description, Trace Configuration, Server Lock Configuration, Client Configuration, and SNC Configuration (see section 6.1.3.1 on page 126).

Description – The description of this Administration Console.

Console login type – The current types of authentication available for login to the Administration Console. For further information see section 6.1.4.2 on page

External Login Jaas Module – The current JAAS module used for “external login” authentication to the Administration Console. For further information see section 6.1.3.2 on page 127.

The Authentication file path – The authentication file (*.login) used by this Server.

Trust Certificates storage file – The TrustStore file (*.jks) used by this Server.

TrustStore password – The password for the TrustStore file.

Console Log Directory – The directory in which the console log file will be located.

Console Log Prefix – The file prefix for the console log file.

Enable Server trace – Display trace messages in the application Server console (i.e. the Tomcat command box).

Path to the Server lock file – The fall-back of the LockDir property in the configuration.properties file. This property is stored in the Web.xml file.

Lock the Server when the logging function encounters fatal errors – If set to No, the Server will not be locked if transaction logging fails. If set to Yes, the Server will be locked if transaction logging fails. If a full transaction log is important to you, set this option to Yes.

Server name or IP to be used – The hostname or IP of the computer from which the console is being used for the Client configuration (i.e. for all Client policy URLs).

NOTE: do not use localhost. If on a local machine set the IP address or DNS/hostname.

CREDDIR – The directory in which the credentials are stored by SECUDE signon&secure.

NOTE: This option will overwrite any existing SAP ID-based Server CREDDIR value (automatically generated during the Authentication Server creation) with this value.

NativeLibraryPath – The directory in which the platform-dependent native libraries are located.


6.1.3.1 Edit the Server Configuration

This section details the editable properties of the Server Configuration page of the Administration Console.

1. Click Edit to display the following information:

Figure 6-5 Administration Console – Edit Server Configuration

The following options can be set:

Option – Details/Value

Description – Here you can personalize the description for the Administration Console.

Enable Server trace – Yes: write trace messages to the application Server trace file:

- For Tomcat: folder logs, files catalina*.log / localhost*.log

- For NetWeaver AS Java: defaultTrace_*.log

No: do not display trace messages in the application Server console.

Lock the Server when the logging function encounters fatal errors – Yes: lock the Server if transaction logging fails. No: do not lock the Server if transaction logging fails.

Server name or IP to be used – The hostname or IP of the computer from which the console is being used.

NOTE: do not use localhost. If on a local machine set the IP address.

CREDDIR – Use this option to define in which directory credentials will be written by SECUDE signon&secure. Enter the full path of the directory to be used, for example: C:\SSS

NOTE: This option will overwrite any existing SAP ID-based Server CREDDIR value (automatically generated during the Authentication Server creation) with this value.

NativeLibraryPath – Use this option to define the directory in which the native libraries used for verification of the SAP Ticket are located.

2. Once you have changed any options, click Save to return to the Server Configuration page.


6.1.3.2 Change Console Login Type

This section details how to modify the way you authenticate to the Administration Console.

1. Click the Server Configuration node in the left-hand pane of the Administration Console.

2. Click Edit next to the Console Login Type Configuration heading to view the following information:

Figure 6-6 Administration Console – change login type

This page allows you to configure, delete, or add the following login types:

• Local Login – Standard username/password combination authenticated via the Administration Console database.

• External Login – Username/password combination authenticated via the Authentication Server database set in the JAAS module. If you use this option you must also select the appropriate JAAS module in the External Login Jaas Module combo-box.

NOTE: an Authentication Server must already be configured for there to be any entries in the combo-box. For information about configuring an Authentication Server refer to section 6.1.5.

• SSL-Certificate Login – Username/password combination authenticated via a certificate imported into the Web-browser.

Add a Login Type

1. To add a login option to the administration console login page, select a login type from the ALL Login Type field and click >>Add (it will appear in the Current Login Type field).

2. If necessary, use the Up and Down buttons to give a login option priority (the order of appearance in the Login Type combo-box on the login page).

3. Click Save to confirm any changes.

Delete a Login Type

1. To delete a login option from the administration console login page, select a login type from the Current Login Type field and click <<Delete (it will appear in the ALL Login Type field).
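The constraints stated for the console in sections 6.1.1, 6.1.3 and 6.1.3.2 (HTTPS to the console, no localhost as Server name, External login only with a JAAS module, lock on logging failure, protected TrustStore, restart after changes) can be checked offline before an administrator touches the GUI. The following Python script is an added example and not SECUDE's own code: the configuration keys, host names and sample values are constructed for illustration and are not the product's property names.

```python
from urllib.parse import urlparse

# Login types offered by the console login page (section 6.1.1).
KNOWN_LOGIN_TYPES = {"Local login", "External login", "SSL certificate login"}


def pending_tasks(cfg):
    """Return the open tasks for a console configuration snapshot (dict with constructed keys)."""
    tasks = []
    # 6.1.1: the task pane reports a missing SSL connection to the console.
    if urlparse(cfg.get("console_url", "")).scheme != "https":
        tasks.append("Connection should be https")
    # 6.1.1: a changed Server configuration takes effect only after a restart.
    if cfg.get("config_changed_since_restart"):
        tasks.append("Server needs to be restarted")
    # 6.1.3: the name is embedded in every Client policy URL, so localhost is forbidden.
    if cfg.get("server_name", "").strip().lower() in ("", "localhost"):
        tasks.append("Server name or IP to be used must not be empty or localhost")
    # 6.1.1 / 6.1.3.2: External login is unusable without a JAAS module, and
    # the module list is empty until an Authentication Server exists.
    types = set(cfg.get("console_login_types", []))
    if not types:
        tasks.append("No console login type configured")
    if "External login" in types and not cfg.get("external_login_jaas_module"):
        tasks.append("External login selected but no JAAS module chosen")
    # 6.1.3: with this option set to No, transactions may run unlogged.
    if cfg.get("lock_server_on_log_failure", "No") != "Yes":
        tasks.append("Server will not lock if transaction logging fails")
    # 6.1.3: the TrustStore (*.jks) should be password protected.
    if cfg.get("truststore_file", "").endswith(".jks") and not cfg.get("truststore_password"):
        tasks.append("TrustStore file has no password")
    return tasks


# Constructed sample snapshots: one mirroring the manual's localhost example
# over plain HTTP, one hardened. Host names and the password are placeholders.
SAMPLE_UNSAFE = {
    "console_url": "http://localhost:8080/securelogin/admin/index.jsp",
    "server_name": "localhost",
    "console_login_types": ["Local login", "External login"],
    "external_login_jaas_module": "",
    "lock_server_on_log_failure": "No",
    "truststore_file": "conf/truststore.jks",
    "truststore_password": "",
    "config_changed_since_restart": True,
}
SAMPLE_OK = {
    "console_url": "https://sls.example.test:8443/securelogin/admin/index.jsp",
    "server_name": "sls.example.test",
    "console_login_types": ["Local login", "SSL certificate login"],
    "lock_server_on_log_failure": "Yes",
    "truststore_file": "conf/truststore.jks",
    "truststore_password": "<truststore-password-placeholder>",
    "config_changed_since_restart": False,
}
```

Running pending_tasks(SAMPLE_UNSAFE) yields six findings in the order of the checks, while SAMPLE_OK yields none.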


6.1.4 Certificate Management

This section details the Certificate Management page of the Administration Console. These features allow you to view, edit, export, import, and create certificates.

The first thing to do is to make a decision: shall Secure Login Server create and manage one or more Public Key Infrastructures, or shall an existing company PKI be used on top? Both are possible, and even a mixture of the two: you may want to have one Secure Login Server PKI under your enterprise PKI, and two others created independently by Secure Login Server.

Because of the high flexibility of Secure Login Server, it is no problem to add, replace, or delete PKIs at any time.

Follow these steps to open Certificate management:

1. If you have not already done so, click the Certificate management node from the tree in the left-hand pane.

2. The following page will appear:

Figure 6-7 Administration Console – Certificate Management page

This page allows you to perform the following certificate tasks:

• Create or import new PKIs or PKI sub trees.

• View certificates (see below).

• Export certificates (refer to the next page).

• Import certificates (refer to the next page).

• Create SSL, SNC, login, and SAP certificates (refer to the page after next).

This page has the following details:

Option – Details

PKI Structure – One or more tree views of independent PKIs.

Create New Root CA – Give a display name for the new PKI and create the top level Certification Authority (Root CA).

Certificate Information – The name, file path, and password protection of the selected certificate.

Mapping to Instance – List of all Secure Login Server instances, and selection of all instances that shall use this User CA. Only available for User CAs.

More Details – More X.509 name details and the certificate validity time frame.

PKI Info – Display name of the PKI structure.

CA Operations – Select a specific Certification Authority of a PKI for further management operations.

Issue – Create a new Certification Authority of this type.

Change Password – Change the password of the selected CA.

Remove Password – Remove the password of the selected CA. The password must then be given for each following management operation of this CA.

Export Certificate – Export the selected certificate. Possible export types are: *.crt, *.p12, *.pse, *.jks.

New Password – Password of the exported certificate file store.

Import New PKI – Import the keystore into the certificate list.

NOTE: Only PSE files can be imported.

PKI Name – Display name of the new PKI of which the certificate shall be part. The selection list allows associating the type of CA of the certificate. Each type can be associated only once.

Browse – Opens a file browser to select the certificate store file.

Open Password – Password that protects the certificate store file.

Save Password – Allows saving the password in the configuration.

View Certificate Details

1. Click on a certificate name in the list, for example SecureLogin Root CA.

2. If the selected CA has not saved its password, enter the password for the certificate in the field Password and click View.

3. The following information will appear:

Figure 6-8 Administration Console – Certificate Management page

Create a new PKI

Use this function to create a new internal PKI that has its own Root CA certificate.

1. Enter a display name for the new PKI, for example SECUDE.

2. Click the right-hand Create New Root CA button and continue to read at Create a certificate.

3. A success message should appear and the new PKI will be shown in the list.

Import a new PKI

Use this function to create a new PKI that uses external CA certificates. This way it is also possible to create a PKI without having the issuing Root CA stored inside Secure Login Server.

1. Enter a display name for the new PKI, for example SECUDE.

2. Select the type of CA that shall be imported.

3. Click Browse… to open a file browser. Locate and open the PSE file.

4. Enter the password for the PSE file in the field Open password. As an option, you can choose to save the password in the Secure Login system file by clicking Save password? so you do not have to re-enter the password every time.

5. Click the right-hand Import button to complete the import.

6. A success message should appear and the new PKI will be shown in the list.

Export a Certificate

1. Click on a certificate name in the list, for example SECUDE Root CA.

2. Select the format of the certificate from the Export type combo-box.

3. Enter a new certificate password into the field New password.

4. Click the right-hand Export button to open a save dialog. Save the certificate file to a safe and secure location.

Import a Certificate

If a certificate entry in the list is grayed-out it means this certificate is not present. Use the Import function to load a new certificate.

1. Select the certificate entry from the list.

2. Click Browse… to open a file browser. Locate and open the PSE file.

3. Enter the password for the PSE file in the field Open password. As an option, you can