5 Secure Login plus Web Client Installation, Usage, and Removal
6.3 Instance Management
This section details the Instance management page of the Administration Console. Instance management is the main hub that allows you to switch between Server instances to configure each one (i.e. to configure a specific Server instance you must first open this page and switch to it).
Follow these steps to configure Server instances:
1. If you have not already done so, click the Instance management node from the tree in the left-hand pane.
2. The following page will appear:
Figure 6-61 Administration Console – instance management
This page displays all of the Server instances in the Secure Login configuration. The red * next to the instance name depicts the current Server instance. This page has the following options:
Area: Instance information list
ServerName: The name of the instance. Click Edit to change the Server name.
ID: The ID of the instance. This is also the name of the folder in which this instance's configuration files are stored.
Server Root Path: The path to this instance's folder.
Status: The active status of this instance. An inactive instance is shown in gray.
Lock: The lock status of the Server instance (locked/unlocked).
Area: Buttons
Add: Add a new Server instance. This starts a wizard that guides you through the creation process. For further information about the creation process refer to section 3.6.3 on page 63.
Edit: Edit the name of the selected Server instance. To use this function, check the Server instance you wish to edit and click Edit. Enter the new name on the new page and click Save.
Active: Activate a selected Server instance. If a Server instance entry is grayed-out, it has been deactivated. Use the Active function to re-activate the Server instance.
Deactivation should only be used when a Server instance needs to be deactivated for maintenance or for a temporary task.
Unlock: Unlock a Server instance. A Server instance may be locked if, for example, log files can no longer be written.
Delete: Delete the selected Server instance. All the configuration files of this instance will also be deleted.
6.3.1 Instance Configuration
This section details the Instance Configuration page of the Administration Console. The node can be recognized as <Server name> Configuration or DefaultServer Configuration in the navigation tree.
This page displays the configuration of the current instance and allows you to view the Server configuration pre-selected in the Instance Management page and to edit that Server configuration.
Follow these steps to view and configure Server instances:
1. If you have not already done so, click the Instance management node from the tree in the left-hand pane to select the Server instance you wish to view/edit (see section 6.3).
2. The following page will appear:
Figure 6-62 Administration Console – Instance Configuration page (extract)
This page displays an overview of the Secure Login Server configuration properties.
Click Edit in the top right-hand corner to edit the following parameters:
Option: Authentication
Can be edited? No
Details/Value: SECUDE Secure Login UserCA KeyStore
PseType: Type of PSE used by the Server to sign the generated certificates.
PseName: The path to the PSE file.

Option: User Certificate Configuration
Can be edited? Yes
Details/Value: These values are used to generate Client certificates. As a result, all Client certificates have the same country, locality, organization, and organizational unit values. The certificates are distinguished by their common name, which is not set here.
DN.xxx: Information used to identify the Clients for the SECUDE Secure Login Server. Use a mix of letters, digits, and special characters.
ValidityMinutes: The amount of time, in minutes, for which a Client certificate is valid.
ValidityOffset: Time offset in minutes, relative to the Server system time, at which the certificates start being valid.
UseUPN: Use the User Principal Name.

Option: Certificate Template Configuration
Can be edited? No
Details/Value: The following options cannot be edited on this page. For details about how to set these options refer to section 6.1.7 on page 143: CertificateName, CertificateFormat, SerialNumberPolicy, StandardExtension, PrivateExtension, KeyUsage, ExtendedKeyUsage.

Option: Log Configuration
Can be edited? No
Details/Value: The following options cannot be edited on this page. For details about how to set these options refer to section 6.3.4.2 on page 195.
EnableLog: Whether logging is enabled.
DailyLogPrefix: The file prefix for daily logs.
DailyLogDir: The directory for daily log storage.
MonthlyLogPrefix: The file prefix for monthly logs.
MonthlyLogDir: The directory to which the monthly log files are saved.
LogMaxSize: The maximum size of the log file directory (all log files) in gigabytes.
LogRotationSize: The maximum size a log file may reach before it is archived.
LogCleanDays: The interval, in days, after which the next log cleanup starts.

Option: Other Server Configuration
Can be edited? All except LockDir are editable
Details/Value:
LockInstanceOnTransactionLogFailure: Lock the Server instance should the transaction log fail (for example when the log file can no longer be written due to lack of disk space). Yes = lock the Server; No = do not lock the Server.
LockDir: The directory in which the lock file is placed. This requires a path to a valid folder to which the Server has write access. If the value is a valid directory path but the folder does not exist, it will be created (if the path is not valid, or the Server has no write access, no lock file can be created and the Server cannot be locked). NOTE: Changing the lock directory value requires a Server restart.
maxSessionInactiveInterval: Specifies the time, in seconds, between Client requests before the servlet container invalidates the session. This is applicable only in challenge mode (PIN change etc.).
AdminServletHeader: The header text displayed on the status page (used by the StandardServlet status page, not by the Administration Console GUI).
AdminServletTrailer: The footer text displayed on the status page (used by the StandardServlet status page, not by the Administration Console GUI).

Option: User-defined properties
Can be edited? Yes
Details/Value: Any properties defined by the Server administrator are listed here. To add a new property click Edit, navigate to the bottom of the page, click Add, then enter the property name in the first field and a false/true parameter in the second field. Click Delete to remove an administrator-defined property from the configuration.
3. Once you have made changes to the Server instance click Save to apply them to the Server configuration.
6.3.2 Customizing With User-Defined Properties
This section details Secure Login features that assist an administrator by means of user-defined properties.
Contents:
Section 6.3.2.1 'Alternative User Name from LDAP Directory', page 181
Section 6.3.2.2 'Length of Username in Certificate', page 183
Section 6.3.2.3 'Username Configuration for SQL JAAS Module'
6.3.2.1 Alternative User Name from LDAP Directory
This section details how to configure an LDAP or Active Directory Server attribute value to be used instead of the user name given by the Client. This may be useful if the SAP SNC user names and the authenticated user names (e.g. from a Windows domain) are not the same.
Each instance may have its own configuration.
1. Open the Instance configuration in Edit mode as described on page 179.
2. Scroll down to the bottom and add a set of User-defined properties:
Figure 6-63 User-defined properties – sample LDAP attribute configuration
The following properties are available (properties marked with * are mandatory):
Property Details
(In the property names below, <n> is the position of the Server in the ordered list defined by LdapReadServers.)
LdapReadServers*: Number of LDAP Servers configured here. A numeric value of 1 or higher is expected. The given value is used as n to define an ordered list of Servers that are called in a fail-over manner. Leave empty to disable all configured Servers.
LdapReadAttribute<n>*: The LDAP attribute that is used instead of the given user name. A simple text value is expected.
LdapReadUrl<n>*: The LDAP Server that is used to retrieve that attribute.
LdapReadTimeout<n>: Connection timeout in seconds.
LdapReadDomain<n>*: For Active Directory: LDAP domain to be appended to the given user name if it is not a User Principal Name. If the name is already in UPN format, the property is ignored.
LdapReadUser<n>*: LDAP user used to open the LDAP session (bind user).
LdapReadPass<n>*: LDAP password of the bind user. Warning: This password is displayed and stored in clear text. It is recommended to use an LDAP user with read-only permissions.
LdapReadBaseDN<n>*: LDAP search base / subtree used to search for the given user name.
The user certificate's common name (CN) receives the value of LdapReadAttribute if there is an LDAP entry for the given user and the attribute LdapReadAttribute exists and contains a text value. Otherwise, the CN is generated as usual.
For protected communication with the directory Server, LDAP/SSL may be configured. In this case, the existing trust store of Secure Login Server is used.
6.3.2.2 Length of Username in Certificate
SAP user IDs have a maximum length of 12 characters, which must be taken into account for SNC X.509 certificates. The default behaviour of Secure Login Server 5.1 is to truncate any user name to this length in the CN field of issued certificates. This default length may be customized.
Property Details
MaxUserNameLength: Maximum number of characters a user name in the CN field may have. If the given user name is longer, it is cut off from the right. Default value: 12. Sample: SCHWARZENEGGER is cut off to SCHWARZENEGG with default settings.
UserNamePaddingLength: If user names in the CN field need a fixed or minimum length, padding can be turned on. The padding length sets the minimum length of user names. Default value: None.
UserNamePaddingChar: The padding character used to fill user names on the left side if they are shorter than the configured padding length. Default value: None. Sample: ARNOLD is extended to 00ARNOLD with UserNamePaddingLength="8" and UserNamePaddingChar="0".
6.3.2.3 Username Configuration for SQL JAAS Module
Depending on the username/Client ID schema used for database authentication, some special configuration properties may be needed to define which user name is put into the certificate. This is only to be considered if Secure Login Client sends compound username values.
Property Details
UseQualifiedName: If true, the full received username value is taken for the user certificate's CN field. If false, only the user ID part before the separator is taken; UserNameSeparator must be set to a non-blank value for this property to apply. Default value: true.
UserNameSeperator: String of one or more characters that separates the username and the Client identifier sent by the Secure Login Client. If configured, DBColumnClientID must also be configured in the SQL JAAS module. Default value: None. Sample: USER001#CLIENT999 is split to USER001 with UseQualifiedName="false" and UserNameSeperator="#".
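As an added illustration (not part of this manual or of the Secure Login code), the following Python function applies the user-name properties of sections 6.3.2.2 and 6.3.2.3 to a received user name and reproduces the samples from both tables. It assumes the separator split is applied before truncation, and truncation before padding; the manual does not state this order.

```python
from typing import Optional

# Added example, not SECUDE code: models how the documented user-name
# properties shape the CN of an issued certificate. Assumed order:
# separator split (6.3.2.3), then MaxUserNameLength truncation, then
# left padding with UserNamePaddingLength/UserNamePaddingChar (6.3.2.2).


def derive_cn(username: str,
              use_qualified_name: bool = True,
              separator: Optional[str] = None,
              max_user_name_length: int = 12,
              padding_length: Optional[int] = None,
              padding_char: Optional[str] = None) -> str:
    """Return the CN value for a user name received from the Client."""
    name = username
    # UseQualifiedName=false: keep only the user ID before the separator.
    if not use_qualified_name:
        if not separator:
            raise ValueError("UseQualifiedName=false requires a non-blank separator")
        name = name.split(separator, 1)[0]
    # MaxUserNameLength: cut off from the right (SAP user IDs are at most 12).
    if len(name) > max_user_name_length:
        name = name[:max_user_name_length]
    # UserNamePaddingLength/UserNamePaddingChar: fill on the left up to the minimum length.
    if padding_length is not None:
        if not padding_char or len(padding_char) != 1:
            raise ValueError("UserNamePaddingChar must be exactly one character")
        name = name.rjust(padding_length, padding_char)
    return name


def examples() -> dict:
    """The samples from the property tables plus one constructed combined case."""
    return {
        # 6.3.2.2 default settings: 14 characters cut to 12
        "truncate": derive_cn("SCHWARZENEGGER"),
        # 6.3.2.2 padding sample
        "pad": derive_cn("ARNOLD", padding_length=8, padding_char="0"),
        # 6.3.2.3 compound name split at '#'
        "split": derive_cn("USER001#CLIENT999", use_qualified_name=False, separator="#"),
        # Constructed case: with UseQualifiedName left at true, the compound
        # value itself is truncated to 12 characters and the Client ID is lost.
        "no_split": derive_cn("USER001#CLIENT999"),
    }


if __name__ == "__main__":
    for case, cn in examples().items():
        print(f"{case:>9}: {cn}")
```

The last case shows why UseQualifiedName and the separator need to be set together when the Client sends compound names: otherwise the truncation rule silently produces an ambiguous CN.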
6.3.3 Client Configuration
This section details the Client configuration page of the administration console. Follow these steps to open Client configuration:
1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.
2. The following page will appear:
Figure 6-64 Client configuration page
This page automatically opens on the Client Policy file management page. The following options are available (options marked with * are mandatory):
Option Details/Value
Client Policy: Opens the Client policy management page (the default page).
Applications: Opens the Applications management page. For further information see section 6.3.3.1 'Application Management' on page 184.
Profiles: Opens the Profiles management page. For further information see section 6.3.3.2 'Client Profile Management' on page 187.
Files download: Opens the Files download page. For further information see section 6.3.3.3 'Files Download' on page 190.
Global Client Policy: Opens the Global Client Policy page. For further information see section 6.3.3.4 'Global Client Policy' on page 191.
Policy URL*: Network resource URL from which the latest SECUDE Secure Login Client policy can be downloaded. Example: http://proxyurl.secude.com:3128
Policy TTL*: The time (in minutes) that a policy remains valid.
Network Timeout (s)*: The elapsed time (in seconds) before a connection is closed if the Server does not respond.
Disable update policy on startup: Turn off automatic policy download and registration when the system service is started. false = update policy enabled; true = update policy disabled.
3. If necessary, edit the parameters and click Save to set the changes.
6.3.3.1 Application Management
This section details how to administrate applications for the Client.
1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.
2. Click Applications. The following information will appear:
Figure 6-65 Client configuration – Application Management page
The following options are available (options marked with * are mandatory):
Option Details/Value
Client Policy: Opens the Client policy management page. For further information see section 6.3.3.1 'Application Management' on page 184.
Applications: Opens the Applications management page (this page).
Profiles: Opens the Profiles management page. For further information see section 6.3.3.2 'Client Profile Management' on page 187.
Files download: Opens the Files download page. For further information see section 6.3.3.3 'Files Download' on page 190.
Global Client Policy: Opens the Global Client Policy page. For further information see section 6.3.3.4 'Global Client Policy' on page 191.
Application action: The action of the selected application. There are 3 types of action: clean, replace, or keep. Click Save to set the application action.
Add Application: Add a new application (see Add/Edit an Application below).
Edit: Modify a selected application (only applicable if an application is available in the Applications list). See below.
Delete: Delete a selected application (only applicable if an application is available in the Applications list).
Add/Edit an Application
Follow these steps to add an application:
1. Click Add Application. The following information will appear:
Figure 6-66 Client configuration – add an application
The following options are available (options marked with * are mandatory):
Option Details/Value
Application name* The name of the application.
NOTE: this field only appears if you have created an SAP CA, plus certificate, in the Certificate Management page (see section 6.3.2.3 on page 183).
PSEURI*: Application-specific PSE URI that is matched when a fitting profile is searched. For example: SNC/cn=SAP, o=SECUDE, c=DE or SNC/CN=Server*, ou=Strong. The wildcards * and ? can be used.
Profile: The name of the security profile to be used for the application. The name must match the profile name in the profiles section. The profile name * is used for the default security profile that is configured by the user (for example, the smart card profile). For further information about profiles see section 6.3.3.2 'Client Profile Management' on page 187.
allowFavorite: Allow the user to select another profile as 'favorite' for this SNC application context. false (default) = always use the configured profile; true = do not use the configured profile.
2. Enter the application parameters and click Save. This will return you to the Applications page (see section 6.3.3.1 'Application Management' on page 184).
6.3.3.2 Client Profile Management
This section details how to administrate profiles for the Client.
1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.
2. Click Profiles. The following page will appear:
Figure 6-67 Client configuration – Client profiles page
The following options are available (options marked with * are mandatory):
Option Details/Value
Client Policy: Click to open the Client Policy Management page (the default page). For further information see section 6.3.3 'Client Configuration' on page 183.
Applications: Click to open the Applications Management page. For further information see section 6.3.3.1 'Application Management' on page 184.
Profiles: Click to open the Profiles Management page (this page).
Files download: Opens the Files Download page. For further information see section 6.3.3.3 'Files Download' on page 190.
Global Client Policy: Opens the Global Client Policy page. For further information see section 6.3.3.4 'Global Client Policy' on page 191.
Profile action: The action of the profile. There are 3 types of action: clean, replace, or keep. Click Save to set the profile action.
Add Profile: Add a new profile (see Add/Edit a Client Profile below).
Edit: Modify a selected profile (only applicable if a profile is available in the Profile list). See below.
Delete: Delete a selected profile (only applicable if a profile is available in the Profile list).
Add/Edit a Client Profile
Follow these steps to add/edit a profile:
1. Click Add Profile.
2. The following page will appear:
Figure 6-68 Client configuration – add/modify Client profile
The following options are available (options marked with * are mandatory):
Option Details/Value
Profile name*: The name of the profile.
PSEType: The type of profile. Possible values include: promptedlogin, windowslogin.
EnrollURL0*: Secure Login URL that is used for authentication and certificate enrolment. The URL locates the Server instance that is valid for the Secure Login Client. For example: http://myServer.local/securelogin/PseServer?id=0001
EnrollURL1: Fallback Secure Login URL if URL 0 fails. The URL locates the Server instance that is valid for the Secure Login Client. For example: http://myServer.local/securelogin/PseServer?id=0002
HttpProxyURL: HTTP proxy to be used with enrolment URLs. Only HTTP proxies without authentication and without SSL to the proxy are supported. Example: http://example.address.com:8888
GracePeriod: The number of seconds that elapse before a certificate is automatically re-enrolled. Default: 0
InactivityTimeout: The number of seconds until an automatic logout is performed (due to mouse and keyboard inactivity). Possible values: > 1 = the number of seconds of inactivity; -1 = no single sign-on (SSO), each SNC connection forces a new login.
AutoReenrollTries: The number of consecutive failed authentications after which automatic re-enrolment is stopped. User name and password caching can be turned on to provide automatic re-enrolment of certificates that are about to expire. Possible values:
0: Turn off (default): Do not re-enroll automatically; do not cache user name and password. A re-enrolment must always be performed manually by the user.
>0 (n): Turn on with n tries to succeed: Try to re-enroll a maximum of n times before either a new certificate is received or the user name and password cache is cleared. The error counter is reset on success. A manual re-enrolment is also possible. You can delete all cached credentials from memory (except those stored in the Secure Login Client system service) via the logout entry in the context menu of the SECUDE PSE service in the system tray. Deleting the cache of the windowslogin token has no effect as the credentials can be retrieved from the Secure Login Client system service.
KeySize: Key size of the newly generated RSA keys. Range: 512 – 16384. Default: 512. Note that 512-bit RSA keys are far below current minimum recommendations (2048 bits or more), so this default should be raised in practice.
ReUseKey: Defines whether the RSA key is kept for the profile. If true, the RSA key is kept unless a manual logout is performed or the user process psesvc.exe is shut down. Default: false
UniqueClientID: Customer-defined string. Default: NULL
Network timeout (seconds): Network timeout (in seconds) before the connection is closed if the Server does not respond. Default: 45
SSLHostCommonNameCheck: This applies to the SSL Server certificate; it checks whether the peer host name is given in its common name. Default: false
SSLHostAlternativeNameCheck: This applies to the SSL Server certificate; it checks the Server's SSL certificate for the correct DNS name in the Subject Alternative Name attribute. Default: false. With both host name checks left at false, the Client does not verify that the SSL Server certificate was issued for the host it is connecting to.
SSLHostExtensionCheck: This applies to the SSL Server certificate; it checks if the peer's certificate has the extended key usage