Initialization and Configuration for ADS, LDAP, RADIUS, SAP ID, SAP Ticket, and Database Module

3.6 Initialization and Configuration for ADS, LDAP, RADIUS, SAP ID, SAP Ticket, and Database Module

Introduction: This section details the initialization and configuration of the Secure Login Server component using the Administration Console initialization wizard.

Contents:

- Section 3.6.1 "Step 1 - Initial Installation", on page 54
- Section 3.6.3 "Step 2 – Multiple Authentication Server Initialization – Expert Mode (Wizard)", on page 63
- Section 3.6.4 "Step 3 - Configure Authentication Server Communication", on page 84
- Section 3.6.5 "Step 4 - Test SECUDE Secure Login Server", on page 90

For reasons of security, the Secure Login Server component can only be initialized via the Administration Console, and only when the console is called from the same Server computer on which Secure Login resides. If you want to perform the initialization and configuration from a remote location, you must manually enable this feature by editing the Secure Login Web.xml file. For further details please refer to section 7.17 on page 229.

If you want to use Secure Login on an operating system that does not have a GUI (for example Unix without X-Win), you must use SSH or PuTTY to tunnel the Client Web browser connection to the Server (as long as an SSH daemon is running on the Server).

3.6.1 Step 1 - Initial Installation

Introduction: This section describes the installation procedure and initial configuration of Secure Login. This is necessary for all Authentication Server types.

1. If you have not already done so, enter the following URL in your Internet browser: http://<URL-Where-Your-Servlet-Resides>/securelogin

For example: http://localhost:8080/securelogin

2. If the deployment has been successful the SECUDE Secure Login Administration Console prerequisite check page should appear:

This page lists the prerequisites to run Secure Login successfully. Items with a green "dot" in front of them indicate correct availability and functionality. Items with a red light in front of them indicate an error. Items with a yellow light in front of them indicate an optional component that may be needed depending on Server and setup type (for example, the SAP Adapter is needed for the SAP ID-based logon).

For further information about the Administration Console refer to section 6.1 on page 114.

3. Click Continue.

4. The scenario selection page will appear:

Figure 3-20 Server initialization – authentication selection page

Use this page to choose between either an Authentication Server-specific, quick initialization, or a detailed multiple Authentication Server initialization.

- Click on the logo next to one of the Server-specific methods: Microsoft Windows Domain Username and Password, Username and Password Stored in LDAP Server, One-Time Password, or SAP Username and Password. For details about the next step, refer to the next section.

- If you click on the Multiple Authentication Methods (Expert Mode) logo, the next step is in section 3.6.3 on page 63.


3.6.2 Step 2 – Server-Specific Quick Initialization

1. After clicking the logo next to the desired authentication method (Microsoft Windows Domain, SUN Directory Server or other LDAP Server, RSA SecurID or other One-Time-Password solution, or SAP NetWeaver – see previous section), the Company Information page will appear:

Figure 3-21 Server Setup Wizard – company information page

Enter basic information about your company. The following options are available (options marked with * are mandatory):

Option / Details

Company Information
- Country: The abbreviation of your country. Click on the field to open the drop-down menu and select a country. Example: DE for Germany
- Locality: The region in which your company is located. Example: Darmstadt
- Company name: Enter the name of your company in this field. Example: SECUDE

Administrator Account
- Account name: The username for the account.

Password Information (NOTE: The password will be used as the password for Administration Console access!)
- Password: The password for this account.
- Confirm password: Confirm the password entered in the field above.

Click Next to continue.

2. Depending on the authentication method selected on page 55, one of the following pages will appear:

- For Microsoft Windows Domain authentication:

Figure 3-22 Server initialization – Microsoft Windows Domain authentication page

The following options are available (options marked with * are mandatory):

Option / Details

- Let SECUDE Secure Login…: Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter a password in the fields Certificate Password and Confirm Certificate Password to be used for all automated PKI operations (PSE file and TrustStore passwords).
- Enter the Active Directory Server…: The IP or URL of the Authentication Server. Click More to open the following options:
  - Use SSL: Check this option if you want to use secure communication with the Server.
  - Port: The port number the Active Directory Server uses for communication.
- The communication between…: Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and the Active Directory Server.

- For SUN Directory Server/LDAP authentication:

Figure 3-23 Server initialization – SUN Directory Server/LDAP authentication page

The following options are available (options marked with * are mandatory):

Option / Details

- Let SECUDE Secure Login…: Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter the certificate password in the fields Certificate Password and Confirm Certificate Password.
- Enter the LDAP Server…: The URL of the Authentication Server. Click More to open the following options:
  - Use SSL (LDAPS): Check this option if you want to use secure communication with the Server. NOTE: GetBaseDN will not work if SSL is enabled. If you want to use the GetBaseDN feature, it is recommended that you click it first and then enable SSL.
  - Port: The port number the SUN Directory Server/LDAP Server uses for communication.
- Enter or select the LDAP search base: Manually enter the base distinguished name (DN) or click GetBaseDN to try to retrieve it automatically from the LDAP Server.
- The communication between…: Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and SUN DS/LDAP Server.

- For RSA SecurID authentication:

Figure 3-24 Server initialization – RSA SecurID authentication page

The following options are available (options marked with * are mandatory):

Option / Details

- Let SECUDE Secure Login…: Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter the certificate password in the fields Certificate Password and Confirm Certificate Password.
- Enter the RSA Server…: The URL of the RSA Server. Enter the password into the Shared Secret field. Click More to open the following options:
  - AuthPort: The authentication port at which the RSA Server expects to be queried for authentication requests.
  - Authenticator: The authentication protocol for the RSA Server. The possible options are:
    - CHAP
    - MSCHAP
    - PAP
    NOTE: The RSA Authentication Manager only supports the PAP authentication protocol.
- The communication between…: Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and the RSA Server.
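To make the Authenticator choice above concrete, the following added example (written for this page, not SECUDE's own code) implements in Python the two transforms a RADIUS client and Server apply to the password: RFC 2865 User-Password hiding for PAP, keyed by the Shared Secret, and the RFC 1994 CHAP challenge/response. The shared secret and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (hypothetical, not from a real deployment): the
# shared secret from the Shared Secret field and a 16-byte Request Authenticator.
SHARED_SECRET = b"demo-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))

def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s.5.2: NUL-pad to 16-byte blocks, XOR each block with
    MD5(secret || previous block), seeded with the Request Authenticator.
    Anyone holding the shared secret can reverse this, so PAP protection
    rests entirely on that secret's strength and secrecy."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # next keystream block is chained on the ciphertext
    return hidden

def pap_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of RFC 2865 s.5.2: recover the cleartext password."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00")  # drop padding (passwords never end in NUL)

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 s.4.1: MD5(ident || secret || challenge). The verifier needs the
    cleartext password, so CHAP cannot be checked against a password hash."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_verify(ident: int, password: bytes, challenge: bytes, response: bytes) -> bool:
    """Constant-time check of a received CHAP-Password response."""
    return hmac.compare_digest(chap_response(ident, password, challenge), response)

def demo_exchange(password: bytes) -> dict:
    """One PAP hiding round trip and one CHAP challenge/response."""
    hidden = pap_hide_password(password, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    challenge = secrets.token_bytes(16)
    response = chap_response(1, password, challenge)
    return {
        "pap_hidden_len": len(hidden),
        "pap_roundtrip": pap_reveal_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR),
        "pap_wrong_secret": pap_reveal_password(hidden, b"other-secret", REQUEST_AUTHENTICATOR),
        "chap_ok": chap_verify(1, password, challenge, response),
        "chap_bad": chap_verify(1, b"wrong-password", challenge, response),
    }
```

The PAP path is reversible for anyone who knows the shared secret, which is why the Shared Secret field deserves a long random value and why the page's SSL option for the Client-Server-RSA path matters.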

- For SAP NetWeaver authentication:

Figure 3-25 Server initialization – SAP NetWeaver authentication page

The following options are available (options marked with * are mandatory):

Option / Details

- Let SECUDE Secure Login…: Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter the certificate password in the fields Certificate Password and Confirm Certificate Password.
- SAPID authentication…: If necessary, use the following options to install signon&secure and/or JCO for SAPID:

  Install signon&secure
  - Setup File: Click Browse… to locate the signon&secure package (*.zip file). The files can be located in the SSS+JCO sub-directory of the file SECUDE51SecureLoginNativeComponents.zip delivered with Secure Login.
  - License File: Click Browse… to locate the file ticket.snc (received from SECUDE).

  Install JCO for SAPID
  - sapco.jar: (applies to both Windows and Linux/Sun).
  - sapco library 1: Click Browse… to locate and open one of the following files (according to operating system):
    - For Windows: librfc32.dll
    - For Linux/Sun: librfccm.so
  - sapco library 2: Click Browse… to locate and open one of the following files (according to operating system):
    - For Windows: sapjcorfc.dll
    - For Linux/Sun: libsapjcorfc.so
- Enter the SAP Server…: Enter the IP or URL of the SAP Server into the first (unmarked) field. Enter the password into the Username field. Click More to open the following extra options:
  - Client: SAP System ID.
  - System Number: SAP System Number.
  - SNCServerName: The DN of the SAP Server, as stated in the Server certificate (the subject DN of the X.509 certificate). This option is not needed if you have selected the first option (let Secure Login use a custom PKI to establish trust between the user and Server). For example: p:CN=SAP NetWeaver 2004, O=secude.local, C=DE
- The communication between…: Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and SAP ID Server.

Due to legal restrictions, the SAP JCO libraries are not part of the Secure Login delivery package. For further information please contact SECUDE support.

Click Next to continue.


Figure 3-26 Server initialization – install process page

This page will display the status of the installation/initialization. Click Start. The status of the installation will be displayed for each step. As soon as the step is complete a green check-mark will appear next to the step:

Figure 3-27 Server initialization – status of initialization

4. Once the initialization is successful, the following information will appear:

Figure 3-28 Server initialization – procedure complete

5. Manually restart the application Server.

Next Steps: For information about how to log in to the console and start using it, refer to section 6.1 "Administration Console" on page 119.


3.6.3 Step 2 – Multiple Authentication Server Initialization – Expert Mode (Wizard)

This section will guide you through the steps necessary to perform a quick, Authentication Server-specific initialization.

1. The Welcome page of wizard appears:

Figure 3-29 Server Setup Wizard – welcome page

This page introduces the wizard and displays the logical steps, necessary to initialize the Server, on the left-hand side. Click Next to continue.

Some of the more complicated wizard pages have an information bubble icon next to the page header. Click on the icon to open a pop-up dialog containing information about the entries on the page.


2. The Create Administrator Account page will appear:

Figure 3-30 Server Setup Wizard – create administrator account

This page allows you to create an account username and password to be used to logon to the console.

The following options are available:

Option / Details

- Account name: The username of the account to be created.
- Password: The password for the account to be created. The password must fulfil the following criteria:
  - Be between 5 and 10 characters long (use a mix of letters, numbers and special characters).
  - Contain at least one uppercase letter.
- Confirm password: Enter the password a second time in this field to confirm the entry made in the field Password.

Click Next to continue.

3. The Setup Type page will appear:

Figure 3-31 Server Setup Wizard – select setup type

The next page to appear will vary according to the selection made here. You can choose between the following options:

Option / Details and next steps

- Create a new SECUDE Secure Login Server: Select this option to start configuring a new Server. Click Next to continue with section 3.6.3.1 on the next page.
- Migrate from an existing SECUDE Secure Login Server: Select this option to migrate the configuration from an existing Secure Login Server. Click Next to continue with section 3.6.3.2 "Migrate from an Existing SECUDE Secure Login Server", on page 82.
- Restore from an existing backup (*.zip) file: Select this option to restore the configuration from a backup file. Click Next to continue with section 3.6.3.3 "Restore from an Existing Secure Login Server Backup (*.zip) File", on page 83.

NOTE: Only backup files created using Secure Login 5.x and 4.3 are supported.


3.6.3.1 Create a New SECUDE Secure Login Server

Continue with this section if you selected Create a new SECUDE Secure Login Server in the previous section.

1. The Input root CA information page will appear:

Figure 3-32 Server Setup Wizard – Input root CA information

This page allows you to enter information about the root certificate authority for the Secure Login Server.

The following options are available (entries marked with * are mandatory):

Option / Details

Create a Root CA by certificate information
- Common name*: Enter the name of the root certificate authority in this field. Example: SECUDE CA
- Organization unit: Enter the division of the company in this field. Example: Research+Development
- Organization: Enter the company name in this field. Example: SECUDE
- Locality: Enter the regional information in this field. Example: Darmstadt
- Country: Enter the country abbreviation in this field. Example: DE for Germany
- Select the encryption key length for the Server (512, 1024, 1536, 2048, 3072, or 4096 bits).
- Valid from*: Enter the date from which this certificate authority information is valid in this field (YYYY-MM-DD). Example: 2007-7-11
- Validity period (months)*: Enter the number of months for which the certificate authority information is valid.
- Password*: Enter the password to be used for encryption in this field. Check Save Password to store the password for this certificate in a separate Secure Login password file. This means that you do not need to remember the password when editing this certificate at a later date.
- Confirm password*: Confirm the encryption password entered in the field above.

Import an existing KeyStore file
Checking this option will display the following options:

Figure 3-33 Initialization Wizard – import existing keystore

- KeyStore File: Click Browse… to locate and load an existing KeyStore (PSE) file (*.pse).
- Password: The password for the KeyStore (PSE) file.
- Save Password: Check this option to store the password for this certificate in a separate Secure Login password file. This means that you do not need to remember the password when re-loading the PSE file at a later date.

Skip this certificate
Check this option if you do not want, or do not need, to enter any information for this specific certificate at this time.

Skip all PKI certificates
Check this option if you do not want, or do not need, to enter information for any certificate at this time. This means you skip all the PKI certificates, including the Root CA, SSL CA, SSL Server and User CA certificates. You can create or add certificate information at a later time via the "Certificate Management" function of the Administration Console (see section 6.3.2 on page 181). If you select this option, continue with the setup from step 6 on page 70.

Click Next to continue.


Figure 3-34 Server Setup Wizard – SSL certificate generation type

This page allows you to configure the use of SSL certificates. To enable a higher level of security, SSL is used to encrypt the communication channels, which requires a special SSL certificate.

The following options are available:

Option / Details

- Generate SSL certificate using Secure Login Administration Console: If you select this option, the Secure Login Server will be configured as a Root CA and an SSL CA (the next two screens). This Root CA will then issue the SSL CA a valid certificate; the SSL CA will in turn issue a valid Server certificate to be installed on the Server. You will need to download this certificate and install it according to your Server's particular configuration. Proceed with the next step.
- Generate SSL certificate to be signed by an external CA: If you select this option, the Secure Login Server generates a valid certificate request. You may download this request, have it signed by an external CA, and import it back to the Server to enable SSL connectivity. Proceed with step 4 on page 69.
- Skip all SSL certificates: Check this option if you do not want, or do not need, to enter any SSL certificate information at this time. Proceed with step 5 on page 70.

3. The SSL CA Information page will appear:

Figure 3-35 Server Setup Wizard – input SSL CA information

This wizard page is for information about the certificate authority to be used for SSL. The options available on this page are the same as in step 1 on page 66. Options marked with a red * are mandatory. If you selected

Click Next to continue.

4. The SSL Server Information dialog appears:

Figure 3-36 Server Setup Wizard – input SSL Server information

This wizard page is for information about the Server to be used for SSL. For information about the options available on this page refer to step 1 on page 66. Options marked with * are mandatory.


5. The User CA Information page will appear:

Figure 3-37 Server Setup Wizard – input user CA information

This wizard page is for information about the user certificate authority to be used for SSL. For information about the options available on this page refer to step 1 on page 66. Options marked with * are mandatory.

Click Next to continue.


Figure 3-38 Server Setup Wizard – Server configuration

This wizard page helps you to set up basic Server parameters. The following options are available (options marked with * are mandatory):

Option / Details

- AuthConfigPath: The path to the JAAS configuration file on the Server's file system, for example: D:\SECUDE Secure Login\SLSJAAS.login
- PseName: The User CA keystore file path. If you created a User CA in the previous step, the file path will be shown here.
- DN.Country: Information for a temporary certificate: the country designation (for example: DE for Germany).
- DN.Locality: Information for a temporary certificate: the regional designation (for example: Darmstadt).
- DN.Organization: Information for a temporary certificate: the organization designation (for example: SECUDE).
- DN.Organizational Unit: Information for a temporary certificate: the department designation (for example: Research and development).
- ValidityMinutes*: Information for a temporary certificate: the period of time (in minutes) that the user certificate is valid.
- DailyLogDir: The path of the directory in which the daily log files are stored.
- MonthlyLogDir: The path of the directory in which the monthly log files are stored.
- doTrace: This option determines whether to record the Server's execution trace for problem analysis. true (yes) = enable trace messages; false (no) = disable trace messages.
- LockDir: The path to which the lock file is saved. A lock file is created when the Server encounters an internal error that requires manual intervention. Default value: the temporary directory of the Java VM, i.e. the directory denoted by the java.io.tmpdir property.
- Client Name/IP: The hostname or IP address used for all Client policy files within URLs connecting to SLS.

Click Next to continue.

7. The Authentication Server Configuration page will appear:

Figure 3-39 Server Setup Wizard – Authentication Server

If you want to add an Authentication Server click Add Server (if not click Next and go to the next step).

The specific settings for each of the supported Authentication Server types are covered in the following sections:

- For further details about the settings for a servlet engine-based Server (such as Apache Tomcat) refer to page 84.
- For further details about the settings for an RSA Server refer to page 86.
- For further details about the settings for a SAP NetWeaver-based Server for SAP ID-based logon refer to page 87.

8. The Add Authentication Server page will appear:

Figure 3-40 Server Setup Wizard – add Authentication Server

Depending on which Server Type is selected, other options will appear or disappear in the table. The following options are available (options marked with * are mandatory):

Options (general) / Details