Handling of Kerberos keytabs
4.3 Updating Secure Login Library from 2.0 SP01 to the Current Support Package
4.3.4 Configuring Secure Login Library During an Update to the Current Support Package
When updating Secure Login Library 2.0 to the current support package, you can use your already existing Secure Login Library configuration or you can define a new configuration.
Context
You can change, for example, the SNC communication parameters or the use of certificate revocation lists. For more information, see related link.
Secure Login Library uses only the configuration files that are located in your installation folder. The installation folder is usually the /SLL folder.
Note
After having extracted the SAR file, you find the configuration files in the /defaults subfolder.
Procedure
● If you want to use your previous configuration files (for example, from version 2.0 SP01), proceed as follows:
a) Copy the configuration files to the installation folder, for example /SLL.
b) If you want to use Secure Login Library trace, copy sectrace.ini with your preferred trace configuration (from version 2.0 SP01) to the installation folder. For more information, see related link.
c) Save your changes.
● If you want to enter a new configuration, take the following steps:
a) Copy the relevant configuration files from the /defaults subfolder to the installation folder.
b) Open the files in the installation folder and modify the parameters.
c) Save your changes.
If you want to enter a new configuration, you also have the following option:
a) Create a new configuration file in the installation folder.
b) Add the required parameters.
c) Save your changes.
Start the SAP NetWeaver Application Server.
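Because only files in the installation folder are used, it is worth checking after an update which shipped configuration files were actually copied there and which of them differ from the defaults. The following check is an added example, not part of the SAP documentation; apart from sectrace.ini, the file names in the sample tree are constructed.

```python
import hashlib
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file's content, used only to compare two copies."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def audit_config(install_dir):
    """Classify every file shipped in <install_dir>/defaults.

    'not-active'      : exists only in /defaults, so the library does not use it
    'shipped-default' : copied to the installation folder unchanged
    'customized'      : present in the installation folder with different content
    """
    install = Path(install_dir)
    report = {}
    for shipped in sorted((install / "defaults").iterdir()):
        if not shipped.is_file():
            continue
        active = install / shipped.name
        if not active.is_file():
            report[shipped.name] = "not-active"
        elif file_digest(active) == file_digest(shipped):
            report[shipped.name] = "shipped-default"
        else:
            report[shipped.name] = "customized"
    return report


def build_sample(root):
    """Constructed sample tree; only sectrace.ini is a file name from the page."""
    root = Path(root)
    (root / "defaults").mkdir(parents=True)
    for name in ("sectrace.ini", "example_a.xml", "example_b.xml"):
        (root / "defaults" / name).write_text("shipped content of " + name)
    (root / "example_a.xml").write_text("shipped content of example_a.xml")
    (root / "sectrace.ini").write_text("trace settings carried over from 2.0 SP01")
    return root


if __name__ == "__main__":
    import tempfile
    for name, state in audit_config(build_sample(tempfile.mkdtemp())).items():
        print(f"{state:16} {name}")
```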
Related Information
Configuration of the Cryptographic Library [page 108]
You perform the secure network communication (SNC) configuration for the SAP NetWeaver server system using the instance profile. Use transaction RZ10 to maintain the SNC profile parameters.
Configuring Tracing for the Cryptographic Library [page 148]
In the case of an error, you can activate tracing for the SAP Cryptographic Library, the Secure Login Library, or any other cryptographic library you are using.
4.4 Migrating Secure Login Library to SAP NetWeaver Single Sign-On 2.0 from 1.0
This topic describes how you migrate the cryptographic library from SAP NetWeaver Single Sign-On 1.0 to 2.0.
Context
Note
If you migrate to SAP NetWeaver Single Sign-On 2.0 SP03 or higher, you need not migrate the cryptographic library. By default, Secure Login uses the SAP Cryptographic Library, which comes with the SAP NetWeaver Application Server. For more information, see SAP Note 1848999.
Prerequisites:
● You have already installed Secure Login Library of SAP NetWeaver Single Sign-On 1.0.
Migrating Secure Login Library basically means replacing the library of SAP NetWeaver Single Sign-On 1.0 with the library of SAP NetWeaver Single Sign-On 2.0. If you are using SNC, you must make sure that an SNC SAPCryptolib PSE (called SAPSNCS.pse in the file system) is available in the trust manager of the Application Server ABAP. In the next step, you stop the AS ABAP. This is the time to replace the libraries, because the AS ABAP does not access them while it is stopped. After having started the AS ABAP, you enable the Application Server ABAP to use the library of SAP NetWeaver Single Sign-On 2.0.
Procedure
1. Create a directory called SLLnew.
2. Unpack SECURELOGINLIB.SAR in SLLnew.
Example
sapcar -xvf D:\SECURELOGINLIB.SAR -R D:\usr\sap\ABC\DVEBMGS00\SLLnew
3. (Optional) Check the SNC status to see which certificate and keytab you are using in SAP NetWeaver Single Sign-On 1.0. Use the following command:
D:\usr\sap\ABC\DVEBMGS00\SLL\snc status
4. If you use SNC with certificates, you must make sure that an SNC PSE called SAPSNCS.pse is available. If you already managed your PSEs in the trust manager of the Application Server ABAP, proceed with the next main step. If you used, for example, pse.zip for SNC with PKCS#12 files, you must convert these files to SAPSNCS.pse in the correct format. The subsequent substeps guide you through the procedure.
a) If the PKCS#12 file is included in pse.zip, extract it.
b) Convert the PKCS#12 file to a PSE file.
c) Go to D:\usr\sap\ABC\DVEBMGS00\SLLnew.
d) Use the following command:
sapgenpse import_p12 -x <New_PSE_password> -z <PKCS#12_password> -p <PSE_file_to_create> <PKCS#12_file>
e) If you maintain your PSEs in the trust manager, start the trust manager (transaction STRUST) in SAP GUI or SAP GUI for HTML.
f) Choose PSE > Import.
g) Select the newly converted PSE.
h) To import the file, choose Open.
i) (If required) Enter a password if your PSE is password-protected.
j) Choose
k) To save the content, choose PSE > Save as... .
l) Choose SNC SAPCryptolib in the popup.
m) Choose .
The content of your PSE is in the database of the SAP NetWeaver Application Server ABAP. The trust manager distributes the PSE throughout your system environment.
n) If you need additional trusted certificates, add them using the trust manager.
5. (If required) If you use SNC with Kerberos authentication, create a Kerberos keytab file. Use the sapgenpse command in the SLLnew folder. For more information, see related link.
6. Change the value of the profile parameter snc/gssapi_lib to $(DIR_INSTANCE)$(DIR_SEP)SLL$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL) in the Application Server ABAP. For more information, see related link.
7. Stop the SAP NetWeaver Application Server ABAP.
8. Remove the SLL directory.
9. Rename the SLLnew directory to SLL.
10. Start the Application Server ABAP.
This enables the Secure Login Library to access the content on the level of the file system.
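Steps 7 to 10 remove the old library while the server is down, so steps 1 to 6 should be verified before the AS ABAP is stopped. The following pre-flight check is an added example, not part of the SAP documentation. It assumes that the library placeholders expand to sapcrypto.dll or libsapcrypto.so, that the caller supplies the profile text and (optionally) the location of SAPSNCS.pse, and the old library name in the sample profile is constructed.

```python
from pathlib import Path

# Value that step 6 sets for snc/gssapi_lib.
EXPECTED_LIB = "$(DIR_INSTANCE)$(DIR_SEP)SLL$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)"
# Assumption: file names the placeholders expand to on Windows and on Unix-like hosts.
LIB_FILES = ("sapcrypto.dll", "libsapcrypto.so")


def profile_values(profile_text, name):
    """Return every uncommented value assigned to `name` in an instance profile."""
    values = []
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == name:
            values.append(value.strip())
    return values


def preflight(instance_dir, profile_text, snc_pse=None):
    """List what is still missing before the AS ABAP is stopped (step 7)."""
    new_dir = Path(instance_dir) / "SLLnew"
    problems = []
    if not new_dir.is_dir():
        problems.append("SLLnew does not exist (steps 1-2)")
    elif not any((new_dir / f).is_file() for f in LIB_FILES):
        problems.append("SLLnew contains no sapcrypto library (step 2)")
    if snc_pse is not None and not Path(snc_pse).is_file():
        problems.append("SAPSNCS.pse not found (step 4)")
    values = profile_values(profile_text, "snc/gssapi_lib")
    if len(values) != 1:
        problems.append(f"snc/gssapi_lib set {len(values)} times, expected once (step 6)")
    elif values[0] != EXPECTED_LIB:
        problems.append(f"snc/gssapi_lib is {values[0]!r} (step 6)")
    return problems


if __name__ == "__main__":
    import tempfile
    # Constructed sample: SLLnew is unpacked, but the profile still names
    # a hypothetical old library, so step 6 is reported as open.
    inst = Path(tempfile.mkdtemp())
    (inst / "SLLnew").mkdir()
    (inst / "SLLnew" / "sapcrypto.dll").write_bytes(b"")
    old = "# constructed profile\nsnc/gssapi_lib = $(DIR_INSTANCE)$(DIR_SEP)SLL$(DIR_SEP)oldlib$(FT_DLL)\n"
    for problem in preflight(inst, old):
        print("NOT READY:", problem)
```

An empty result means the directory swap in steps 8 and 9 will leave snc/gssapi_lib pointing at a library that exists.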
Related Information
Creating Keytab for Kerberos [page 116]
You need a keytab file to use SNC with Kerberos authentication.
SNC X.509 Configuration [page 110]
This section describes the SNC X.509 certificate configuration.