
Configuring RSA Authentication with RADIUS

In document Fiori Configuration (Page 158-161)

Prerequisites

An RSA Authentication Manager (with a RADIUS server) is installed and running. The versions currently supported are 6.1 and 7.1. It communicates with the Secure Login Server through its RADIUS protocol using its own RADIUS server. The Secure Login Server supports new SecurID PINs and the next token code of RSA SecurID tokens. For more information, see the corresponding RSA Authentication Manager documentation. For more information on the parameters for RADIUS, see 4.1 Configure Login Module.

5.5.1 Configuration of the securid.ini File

For communication with the RSA Authentication Manager, you need the securid.ini file, which is provided by the RADIUS server. The Secure Login Server installation package installs a sample securid.ini file (corresponding to RSA Authentication Manager 7.1) in the global directory. You need not edit the file for the configuration. The PIN policy and the minimum and maximum PIN length are parsed automatically from the RSA server messages and transferred to the Secure Login Client without any configuration effort on your side.

We recommend that you use the file provided by your RSA RADIUS server. To do this, proceed as follows:

1. On the RADIUS server, go to the directory that contains securid.ini. For more information on the file path, see the documentation of the RSA Authentication Server.

2. Copy the new file to the global directory of the Secure Login Server, and overwrite the old securid.ini file. The path to the global directory remains the same. By default, the relative path to the securid.ini file in the SAP NetWeaver Administrator is %GLOBAL_SLS_CONF_DIR%/Instances/securid.ini.

5 Configuration Examples

5.5.2 Customer-Specific Configuration of the securid.ini File

If you want to keep your customer-specific securid.ini file, you have to make sure that your file is located in the relevant directory, either in the global directory or a directory of your choice. In the latter case, adapt the path in the SAP NetWeaver Administrator of the RADIUS login module.

Take the following steps:

The checks and activities depend on the use case:

Use case: securid.ini located in the global directory

Checks and activities:

1. Rename your securid.ini file, for example, to securid.old.

2. Update the installation to Secure Login Server SP2.

3. Rename securid.old to securid.ini, thus overwriting the installed sample file.

4. Check whether the path entered in the SAP NetWeaver Administrator is %GLOBAL_SLS_CONF_DIR%/Instances/securid.ini.

5. Copy your securid.ini into the RADIUS server environment.

Use case: securid.ini located in another directory

Checks and activities:

1. Make sure that your custom directory path is entered in the SAP NetWeaver Administrator, either in the login module or in the login module stack.

2. Copy your securid.ini into the RADIUS server environment.

In either case, compare the securid.ini files on the Secure Login Server and on the RADIUS server to make sure that they are identical.

To change the path in the SAP NetWeaver Administrator, proceed as follows:

1. Go to SAP NetWeaver Administrator. Under Authentication and Single Sign-On, choose Login Modules.

2. Select the login module SecureLoginModuleRADIUS.

3. On the Login Module Options tab, find the parameter SecuridFile. Here you see the relative path to the global directory, %GLOBAL_SLS_CONF_DIR%/Instances/securid.ini.

4. Enter the path where you stored your securid.ini file.

5. Save your changes.

If you are using a login module stack, enter the path to the securid.ini file in the configuration of the login module stack.

For more information, see the Help Portal at http://help.sap.com/nw703/ and choose Application Help > SAP Library > SAP NetWeaver Library > SAP NetWeaver by Key Capability > Security > User Authentication and Single Sign-On > Authentication on the AS Java > Login Modules and Login Module Stacks.

5.5.3 Ensuring Encrypted Communication with Shared Secret

To make sure that the RSA Authentication Manager can communicate with the RSA server, you need to do the following:

1. Add the SAP NetWeaver IP address to the list of the RSA RADIUS clients in the RSA Authentication Manager.

2. Enter a shared secret for the RSA RADIUS client or use the shared secret that is delivered as default.

3. Configure the shared secret property SharedSecret in the configuration of the RADIUS login module accordingly.

Since the shared secret is entered in the SAP NetWeaver Administrator and visible to other users, encrypt the shared secret of the RADIUS server and insert the encrypted string into SAP NetWeaver Administrator. This means that only the Secure Login Server can read the shared secret.
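As an added illustration (not SAP's or RSA's code) of why the value configured in SharedSecret must match the RSA RADIUS client entry exactly: in standard RADIUS (RFC 2865, section 5.2) the shared secret is what hides the User-Password attribute, which here carries the SecurID PIN and token code, on the wire. The script assumes this standard User-Password hiding is in use and works only with constructed sample values; a mismatched secret leaves the server with unusable bytes instead of the passcode.

```python
import hashlib
import secrets

# Constructed sample values; in a real deployment the secret is the one entered for the
# RSA RADIUS client and the passcode is the user's SecurID PIN plus token code.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_PASSCODE = b"1234567890"


def _md5_stream(shared_secret: bytes, request_authenticator: bytes, data: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    out = b""
    prev = request_authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        digest = hashlib.md5(shared_secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, digest))
        out += result
        # The chain always uses the hidden block: the output when hiding, the input when revealing.
        prev = block if decrypt else result
    return out


def hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Value of the User-Password attribute the RADIUS client (the Secure Login Server) sends."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _md5_stream(shared_secret, request_authenticator, padded, decrypt=False)


def reveal_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Recovery on the RADIUS server side; the null padding is stripped."""
    return _md5_stream(shared_secret, request_authenticator, hidden, decrypt=True).rstrip(b"\x00")


def shared_secrets_consistent(client_secret: bytes, server_secret: bytes,
                              passcode: bytes = SAMPLE_PASSCODE) -> bool:
    """Simulate one Access-Request: True only when both sides hold the same shared secret."""
    request_authenticator = secrets.token_bytes(16)  # fresh random value per request, per RFC 2865
    hidden = hide_password(passcode, client_secret, request_authenticator)
    return reveal_password(hidden, server_secret, request_authenticator) == passcode


if __name__ == "__main__":
    print("same secret:", shared_secrets_consistent(SAMPLE_SECRET, SAMPLE_SECRET))
    print("different secret:", shared_secrets_consistent(SAMPLE_SECRET, b"wrong-secret"))
```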

Your system administrator must know the shared secret of the RADIUS server. To encrypt the shared secret, take the following steps:

1. Open the administration console of the Secure Login Server.

2. Choose Secret Encryption under Server Configuration.

3. Paste the shared secret into the input field Shared Secret.

4. To encrypt your input, choose the Encrypt button. The field Encrypted Secret, which is immediately below, displays the encrypted result.

5. Select the character string in this field and copy it to the clipboard.

6. In SAP NetWeaver Administrator (you can use the convenient link on the screen of the Secure Login Server), choose Authentication and Single Sign-On > Login Modules.

7. Select the login module SecureLoginModuleRADIUS.

8. On the Login Module Options tab, find the parameter SharedSecret. Paste the encrypted character string of the shared secret as the value for this parameter.

9. Save your changes.

If you are using a login module stack, enter the path to the securid.ini file in the configuration of the login module stack.

6 Troubleshooting


This section gives additional information about troubleshooting for Secure Login Server.
