
3.5 Installation Procedure for SAP NetWeaver-based Server Installations

This section describes the installation procedure for an environment with SAP NetWeaver. After unpacking the installation package, the installation of the SECUDE Secure Login Server comprises the following tasks:

- Create SSL certificates
- Configure the SECUDE Secure Login Server
- Deploy the files on SAP NetWeaver
- Configure the Authentication Server in SAP NetWeaver
- Test the SECUDE Secure Login Server
- Configure SSL


3.5.1 Configure the System Environment (only for SAP ID-Based Logon)

This section details the steps necessary to pre-configure the system for the respective environment.

1. Configure NetWeaver (prerequisite to run the Secure Login Administration Console):

- Change the password of the Guest user via NetWeaver user management. Select Server0 > services > Security provider from the tree in the left-hand pane.
- Select the Runtime tab and then the User Management tab.
- Open the Users tab and locate the entry Guest.
- Enter a new password in the field Change password, check No password change required, and click Change. A password confirmation dialog will appear:

Figure 3-6 Confirm password change

- Re-enter the new password and click OK.

2. Now deploy the Secure Login enterprise archive to NetWeaver. The archive is located in the directory already unzipped in section 3.2 on page 34:

SECUDE51SecureLoginServer\NetWeaver\securelogin.ear

The easiest way to deploy the archive is to use either the SAP Software Deployment Tool or the SAP Visual Administrator. For further details please refer to the respective SAP documentation.

Make sure that file name and path notation are correct for the target operating system.

3. Open and log on to the Administration Console:

- In your browser, enter the following URL:

http://<URL-Where-Your-Servlet-Resides>/securelogin/
For example: http://SAPNetWeaverHost:50000/securelogin/

Note that SSL is not enabled on NetWeaver until steps 6 and 7, so this initial setup session runs over plain HTTP. Perform it from a trusted network (or from the NetWeaver host itself) and do not reuse credentials entered here elsewhere.


The SECUDE Secure Login Administration Console prerequisite check page should appear:

Figure 3-7 Administration Console – prerequisite check page

This page lists the prerequisites for running Secure Login successfully. Items with a green indicator are available and working. Items with a red indicator are in error. Items with a yellow indicator are optional components that may be needed depending on the Server and setup type (for example, the SAP Adapter is needed for SAP ID-based logon).

- Click Continue to go through the setup wizard as described in section 3.6.3 'Step 2 – Multiple Authentication Server Initialization – Expert Mode (Wizard)' on page 63.

4. After completing the initial setup, the Web.xml file in the WEB-INF directory must be updated (re-read). This is achieved via the SAP Visual Administrator:

- Open the SAP Visual Administrator.
- Select the Server(x)>Services>Deploy node from the tree in the left-hand pane.
- Select the deployed secude.com/SecureLogin component from the Runtime tab in the middle pane.

- Click Single File Update on the right-hand side. The following dialog will appear:

Figure 3-8 Update Web.xml file

- Click OK.

5. Open and log on to the Administration Console:

- In your browser, enter the following URL:

http://<URL-Where-Your-Servlet-Resides>/securelogin/
For example: http://SAPNetWeaverHost:50000/securelogin/

The login page should appear:

Figure 3-9 Administration Console – login page

- Generate the SSL certificates as a *.p12 file as described in section 6.3.2.3 on page 183. Locate the SSL certificate file and change its extension from *.p12 to *.pfx (the content is unchanged; SAP NetWeaver only recognises PKCS#12 files by the *.pfx extension, see step 8). For further information about the Administration Console refer to section 6.1 on page 119.

Username Configuration for SQL JAAS Module

Depending on the username/Client ID schema used for database authentication, additional configuration properties may be needed to define which user name is written into the certificate. This only applies if the Secure Login Client sends compound username values.

Property: UseQualifiedName
Details: If true, the full received username value is used for the user certificate's CN field. If false, only the user ID part before the separator is used; UserNameSeperator must then be set to a non-blank value, otherwise this property has no effect.
Default value: true

Property: UserNameSeperator
Details: String of one or more characters that separates the username from the Client identifier sent by the Secure Login Client. If configured, DBColumnClientID must also be configured in the SQL JAAS module.
Default value: none

Sample: with UseQualifiedName="false" and UserNameSeperator="#", the received value USER001#CLIENT999 is split and USER001 becomes the CN.

6. Now to enable SSL in SAP NetWeaver:

If there is more than one Server installed, this step has to be performed for each of the Servers.

- Open the SAP Visual Administrator.
- Select the Server(x)>Services>ConfigurationAdapter node from the tree in the left-hand pane.
- Select the Runtime tab and then the Display configuration tab.
- Select the following node from the middle pane:

Configurations>cluster_data>dispatcher>cfg>services>Propertysheet.ssl-runtime

Figure 3-10 enable SSL – select Propertysheet.ssl-runtime node

- Click the pencil icon (middle icon under the tab heading) to display the Change Configuration dialog:

Figure 3-11 enable SSL – Change Configuration dialog

- Select the property startup-mode and enter always into the field value (make sure that the custom checkbox is unchecked).
- The same property must also be changed at the Server node. Select the following node from the middle pane:

Configurations>cluster_data>Server>cfg>services>Propertysheet.ssl-runtime

- As above, select the property startup-mode and enter always into the field value (make sure that the custom checkbox is unchecked).
- Click OK.

7. Now that Secure Login has been deployed and SSL has been enabled the Server must be restarted to make use of the new settings.

8. Now for certificate import and validation:

To enable Server authentication, the Server has to have an SSL Server certificate. This certificate and the associated private key must be imported into SAP NetWeaver. This is achieved by using the *.pfx file generated in step 5.

SAP NetWeaver only accepts PKCS#12 software token files with the extension *.pfx. Because this file also contains the Server's private key, keep it readable only by the administrator, transfer it over a protected channel, and remove working copies once the import has succeeded.

- Open the SAP Visual Administrator.
- Select the Server(x)>Services>KeyStorage node from the tree in the left-hand pane.
- Select the Runtime tab. The certificates are organized into sub-groups, so-called 'Views'. Each View is purpose-based and contains the certificates that suit that purpose, for example the TrustedCAs and service_ssl Views, or Views defined by the administrator:

Figure 3-12 certificate import – key storage

- Click the service_ssl entry in the Views list.
- Click Load.
- Locate and open the SSL certificate created by the Administration Console in step 5.

Before the SSL certificate can be verified, all certificates up to the root have to be imported in the manner described above. Furthermore, the root certificate must be imported (loaded) into the TrustedCAs view: NetWeaver only accepts certificates contained in this view as a trust anchor. Use the Load button to import a certificate. The certificate file has to be base64-encoded with the file name extension *.crt.

9. Now for SSL configuration:

To enable Client authentication the SSL Provider must be configured to request the Client certificates.

- Open the SAP Visual Administrator.
- Select the Server(x)>Services>SSL Provider node from the tree in the left-hand pane.
- Select the Runtime tab and then the Client Authentication tab in the bottom right-hand pane.
- Select Do not request Client certificate:

Figure 3-13 set SSL configuration

- Click the Server Identity tab.
- Click Add to browse for the credentials uploaded to the service_ssl view in step 8.

10. The configuration of SAP NetWeaver for Secure Login is now complete.

Next steps: configure the Authentication Servers for Secure Login. Please refer to the next section, 3.5.2 on page 49.

When installing the signon&secure components for SAP ID-based logon (see section 6.1.12 'SSS&JCO Installation' on page 158), you can skip the third step, Install JCO, because SAP NetWeaver already has these components installed and configured.

3.5.2 Configure the Authentication Servers in SAP NetWeaver

The JAAS module used by the SECUDE Secure Login Server must be configured directly inside SAP NetWeaver. You have to create one JAAS module with a corresponding policy and add a configuration for each Authentication Server to the JAAS module.

The configuration process consists of the following steps:

- Configure the LoginModuleClassLoader property.
- Create a JAAS module.
- Configure the first Authentication Server in the JAAS module.
- Create a JAAS policy.
- Configure an Authentication Server in the JAAS module.

Configuration is performed in SAP Visual Administrator. The relevant configuration node is the Security Provider node in the Services section.

Follow these steps to configure LoginModuleClassLoader:

1. Open the SAP Visual Administrator.

2. Select the Security Provider node from the left-hand pane and the Properties tab from the right-hand pane.

3. Select the LoginModuleClassLoaders property from the list and enter the following value into the field Value at the bottom of the window:

library:SECUDE-SecureLogin

Figure 3-14 SAP Visual Administrator – Configure the LoginModuleClassLoader property

4. Click Update at the bottom of the window.

5. Now to create a JAAS module:

- Select the Security Provider node from the left-hand pane and the Runtime tab from the right-hand pane.
- This will open a second row of tabs. Select the User Management tab.
- Select the pencil icon above the top row to change to edit mode.
- Click Manage Security Stores. The area for the login module administration is displayed:

Figure 3-15 SAP Visual Administrator – Configure the JAAS module

- Click Add Login Module on the right-hand side of the window. The following window appears:

Figure 3-16 SAP Visual Administrator – add login module

- In the Class Name field enter the class name of the JAAS module:

  - For ADS: com.secude.transfair.pepperbox.LdapJaasModule
  - For RSA/RADIUS: com.secude.transfair.pepperbox.RsaRadiusJaasModule
  - For SAP-ID: com.secude.transfair.pepperbox.SAPJaasModule

- Enter descriptive strings in the fields Display Name and Description.

6. Now to configure the first Authentication Server in the JAAS module:

- Enter the names and values of the configurable module properties for the first Authentication Server in the Options table.

For a description of the configurable properties for ADS, see section 9.2.4.1 'JAAS Module Configuration Files for LDAP/ADS' on page 253.

For a description of the configurable properties for RSA/RADIUS, see section 9.2.4.2 'JAAS Module Configuration Files for RADIUS/RSA' on page 257.

- Click OK.

7. Now to create a JAAS policy:

- Select the Security Provider node from the left-hand pane and the Runtime tab from the right-hand pane.
- This will open a second row of tabs. Select the Policy Configuration tab.
- Click Add under the component list.
- A new dialog will open. Under Name, enter SLSJaasModule.
- Click OK. The window now appears as follows:

Figure 3-17 SAP Visual Administrator – add JAAS module

8. Now to configure an Authentication Server in the JAAS module:

- Select the newly created SLSJaasModule policy/login module configuration from the Components list.
- Click Add New at the bottom right-hand side of the window. The available login modules are displayed.
- Select the JAAS module you want to configure.
- Click OK.


Figure 3-18 SAP Visual Administrator – edit login module

Enter the names and values of the configurable module properties of the added Authentication Server (a list of property names and examples can be found in the section covering Authentication Server configuration via the Administration Console, see section 6.1.4 on page 128).

3.5.3 Test the SSL Connection

The following step describes how to test the Secure Login files deployed to the Server. Make sure that file name and path notations used in this step are correct for the target operating system.

1. In your browser, enter the following URL:

https://<URL-Where-Your-Servlet-Resides>/securelogin/PseServer?op=Serverstatus

For example: https://SAPNetWeaverHost:50001/securelogin/PseServer?op=Serverstatus

2. If the deployment has been successful, the SECUDE Secure Login Administration Console login page should appear as in section 6.1.1. The browser must show the page without a certificate warning; a warning at this point means that the chain loaded in step 8 of section 3.5.1 is incomplete or that the certificate's host name does not match the host name in the URL.


3.6 Initialization and Configuration for ADS, LDAP, RADIUS, SAP ID, SAP Ticket, and