
2.6 Configuration Options

2.6.6 Browser-Based Enrollment of Secure Login Client Using a Secure Login Server Profile

You want to start SAP GUI using a browser shortcut, but you do not have a suitable certificate. For this reason, you need a browser-supported enrollment of the Secure Login Client.

Restriction

● This function is only available for Microsoft Windows clients running Microsoft Internet Explorer.

● Only web sites from trusted hosts can use the front-end control.

A user who uses the Secure Login Client wants to get an SNC connection to an Application Server ABAP with a specific SNC name, but no suitable certificate is available. The user wants to use the user certificate configuration of a dedicated Secure Login Server profile. Using a front-end control in the browser, the Secure Login Client initiates an enrollment with a Secure Login Server profile. The enrolled certificate is meant to be used for connections to an AS ABAP with a given SNC name. The front-end control determines that this Secure Login Server profile is used for connections with a specific AS ABAP, which is identified by the SNC name.

When you log off from the current Secure Login Client session, or when the certificate lifetime has expired, you remove the certificate that is tied to the specified Secure Login Server profile.

This temporary setting overrides the current application policies in the client's registry.

Prerequisites

You need to fulfill the following requirements on the side of your clients:

● You have installed the Secure Login Client 2.0 with the Secure Login Server Support option. The front-end control slsax.dll comes with the Secure Login Client. After the installation, the front-end control is located in the installation folder of the Secure Login Client. For more information, see the related link.

● Your client uses Microsoft Internet Explorer.

● You have installed SAP GUI.

● You are using Secure Login Server profiles.

Observe the following server-side prerequisites:

● You are running SAP NetWeaver Application Server ABAP and Java.

● You have installed Secure Login Server 2.0 on an AS Java.

● You are using SAP Cryptographic Library, or you have installed Secure Login Library 2.0 on an AS ABAP.

● You have configured Secure Login Server profiles.

Related Information

Secure Login Client Installation [page 26]

This section explains the installation and the installation options of the Secure Login Client.

2.6.6.1 API Methods for Profile Enrollment

The front-end control slsax.dll implements a number of methods for enrolling Secure Login Server profiles at the Secure Login Client.

ProfileIsEnrolled

This method indicates whether a profile exists and is enrolled.

Syntax

bool ProfileIsEnrolled(BSTR szProfile)

Return Values    Description
true             The relevant profile exists and is enrolled.
false            All other situations

ProfileEnroll

This method executes an enrollment for an authentication with user name and password or for an authentication where credentials are provided by Microsoft Windows. The method throws an exception if szProfile is too long or contains invalid characters.

Syntax

bool ProfileEnroll (BSTR szProfile)

ProfileEnrollSNC

This method binds the SNC name to the relevant profile. This binding overrides the registry settings provided by the application policies. The method throws an exception if the profile is too long or contains invalid characters.

For more information, see the related link.

Syntax

bool ProfileEnrollSNC(BSTR szProfile, BSTR SNCname)

Return Values    Description
true             The relevant profile exists and is enrolled.
false            All other situations

ProfileLogout

This method triggers a logout of the relevant Secure Login Server profile without any return values. As a consequence, any call of ProfileIsEnrolled returns false.

Syntax

void ProfileLogout(BSTR szProfile)

ClearSSLCache

This method throws an exception if the relevant profile is too long or contains invalid characters.

Syntax

void ClearSSLCache()

Related Information

HTML Code Example with Secure Login Server Profile and SNC Name [page 57]

If you want to use this function, integrate the front-end control, for example, into your portal page.

2.6.6.2 HTML Code Example with Secure Login Server Profile and SNC Name

If you want to use this function, integrate the front-end control, for example, into your portal page.

The front-end control slsax.dll enables you to force the Secure Login Client to initiate an enrollment with a dedicated Secure Login Server profile at an AS ABAP having a specific SNC name. For this reason, you define at least the following things in your front-end control:

● Secure Login Server profile you want to use

● SNC name of the AS ABAP for which the certificate is meant to be used

Example

The following simple HTML code example shows how to tie a dedicated Secure Login Server profile to the SNC name of the AS ABAP you want to connect to. The user interface displays a pushbutton that triggers the enrollment with the Secure Login Server profile called MyProfile, which is tied to the SNC name CN=my_snc_server of the AS ABAP.

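<html>
<head>
  <title>SlcAx Test Page</title>
  <script type="text/javascript">
    // Bind the profile MyProfile to the SNC name of the AS ABAP and start the enrollment.
    // ProfileEnrollSNC returns true if the profile exists and is enrolled.
    function doEnroll() {
      var retval = slsax.ProfileEnrollSNC("MyProfile", "CN=my_snc_server");
      return retval;
    }
  </script>
</head>
<body>
  <form name="form">
    <input type="button" name="cmdEnroll" value="Enroll" onclick="doEnroll()"/>
  </form>
  <!-- Front-end control slsax.dll of the Secure Login Client, embedded invisibly -->
  <object id="slsax" classid="CLSID:E3D89180-3104-414B-9807-6E778E0103E3"
          width="0" height="0"></object>
</body>
</html>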

The result is a web site with an Enroll pushbutton.

When you choose Enroll, the Secure Login Client enrolls the Secure Login Server profile, prompts you for your credentials, and issues a certificate.

After entering the user credentials, the user receives the certificate of the Secure Login Server profile (MyProfile) and can log on to the AS ABAP with the SNC name CN=my_snc_server.
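The following added example (not part of the SAP documentation or the product's own code) shows one way a portal page could guard its calls to the methods from section 2.6.6.1: it only requests profile and SNC name pairs from a fixed list, handles the documented exception and false return of ProfileEnrollSNC, and confirms a logout with ProfileIsEnrolled. The names ALLOWED_BINDINGS, enrollForServer, logoutAndVerify, and FakeSlsax are assumptions, and FakeSlsax is a constructed stand-in for the control so that the logic can run outside the browser.

```javascript
// Added example: guarded calls into the slsax front-end control (ES5 syntax for Internet Explorer).
// ALLOWED_BINDINGS, enrollForServer, logoutAndVerify and FakeSlsax are hypothetical names.

// Fixed profile -> SNC name pairs this portal page may request (constructed values).
var ALLOWED_BINDINGS = { "MyProfile": "CN=my_snc_server" };

// Bind an allowlisted profile to its SNC name and report the outcome.
function enrollForServer(control, profile) {
  // Do not pass page input (query string, form field) straight to the control:
  // the binding overrides the application policies in the client's registry.
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_BINDINGS, profile)) {
    return { ok: false, reason: "profile-not-allowed" };
  }
  try {
    var enrolled = control.ProfileEnrollSNC(profile, ALLOWED_BINDINGS[profile]);
    // false covers every case other than "exists and is enrolled".
    return enrolled ? { ok: true, reason: "enrolled" }
                    : { ok: false, reason: "enrollment-failed" };
  } catch (e) {
    // Thrown when the profile name is too long or contains invalid characters.
    return { ok: false, reason: "control-exception" };
  }
}

// Log the profile out and confirm that ProfileIsEnrolled now returns false.
function logoutAndVerify(control, profile) {
  control.ProfileLogout(profile);
  return control.ProfileIsEnrolled(profile) === false;
}

// Constructed in-memory stand-in for the control, so the logic runs outside the browser.
function FakeSlsax() { this.enrolled = {}; }
FakeSlsax.prototype.ProfileIsEnrolled = function (p) { return this.enrolled[p] === true; };
FakeSlsax.prototype.ProfileEnrollSNC = function (p, snc) {
  this.enrolled[p] = true;
  this.lastSnc = snc;
  return true;
};
FakeSlsax.prototype.ProfileLogout = function (p) { delete this.enrolled[p]; };

// Demo run against the stand-in.
var demo = new FakeSlsax();
var result = enrollForServer(demo, "MyProfile");
console.log(result.reason, demo.lastSnc, logoutAndVerify(demo, "MyProfile"));
```

On the portal page, pass the embedded control object (slsax in the HTML example) as the first argument instead of the stand-in.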