Preparing the Server for Installation

3 Server Installation, Configuration, and Removal

3.2 Preparing the Server for Installation

Introduction

The Server must be prepared for the installation of Secure Login. If you have already prepared the Server, go to the next section below. If you have not, the following list indicates what must be installed and configured before starting the installation of SECUDE Secure Login:

- Install the operating system (plus updates if necessary).
- Install Java (JCE will be installed automatically).
- Install the application Server.

This manual does not detail the installation and configuration of the software mentioned above. It is assumed that the knowledge and skills necessary to prepare the Server are already present and need not be documented here.

Contents of Delivery Package

Secure Login is delivered as a series of ZIP files. The contents of each ZIP file are as follows:

SECUDE51SecureLoginNativeComponents.zip

This file contains the necessary native Secure Login components for each supported platform.

SECUDE51SecureLoginServer.zip

- \doc

  This directory contains the documentation, license agreements, and readme files.

- \SECUDE51SecureLoginServer.zip

  Although this inner ZIP file has the same name as the archive that contains it, it holds the standard Secure Login applications as well as the Web Client variants:

  - \NetWeaver 70\securelogin.ear
    Standard Secure Login application for SAP NetWeaver, to work with the Secure Login Client.

  - \NetWeaver 70 WS\secureloginservice.ear
    The Web Client version of Secure Login for SAP NetWeaver.

  - \Tomcat\securelogin.war
    Standard Secure Login application for Apache Tomcat, to work with the Secure Login Client.

  - \Tomcat WS\axis2.war, securelogin.war, secureloginservice.aar, shared.zip, SlsWebClient.war
    The Web Client version of Secure Login for Apache Tomcat plus the secondary files necessary for operation.

Prepare the Files

In preparation for installation, it is recommended to unpack the ZIP archive SECUDE51SecureLoginServer.zip to produce the four application sub-directories:

- \NetWeaver 70
- \NetWeaver 70 WS
- \Tomcat
- \Tomcat WS

and to unpack SECUDE51SecureLoginNativeComponents.zip to produce the files for the native components.

This manual contains steps in which it is necessary to choose and confirm passwords. For security reasons, Secure Login only allows passwords that are hard to guess (i.e. a mix of uppercase and lowercase letters, digits, and special characters).


3.3 Installation Procedure for Apache Tomcat-based Server Installations

Introduction

This section describes the installation procedure for an environment using Apache Tomcat. These steps assume that Tomcat and the necessary runtime components are already installed.

1. Locate the unzipped Tomcat deployment file (see section 3.2 on page 34): SECUDE51SecureLoginServer\Tomcat\securelogin.war

2. Deploy the securelogin.war file:

This step describes how to deploy the files to the Server using Tomcat 6.0 as an example (you can also use the Tomcat Manager to deploy Secure Login).

Make sure that file name and path notations used in this step are correct for the target operating system.

These bulleted steps describe how to transfer the WAR file and configuration files to the target servlet engine:

- Stop the servlet engine (Tomcat) if it is running.

- If necessary, remove the existing SECUDE Secure Login Web application directories and securelogin.war file:

  - <Tomcat home>\Webapps\securelogin\
  - <Tomcat home>\Webapps\securelogin.war

- Copy the new securelogin.war file into the directory <Tomcat home>\Webapps\

- Start the servlet engine (Tomcat).

3. Now test the deployment. In your Internet browser, enter the following URL:

   http://<URL-Where-Your-Servlet-Resides>/securelogin

   For example: http://localhost:8080/securelogin

4. If the deployment has been successful, the SECUDE Secure Login Administration Console prerequisite check page should appear:

Figure 3-1 Administration Console – prerequisite check page


Items with a green dot in front of them indicate correct availability and functionality. Items with a red light in front of them indicate an error. Items with a yellow light in front of them indicate an optional component that may be needed depending on the Server and setup type (for example, the SAP Adapter is needed for SAP ID-based logon).

5. Use the Administration Console initialization wizard to create the Secure Login environment (see section 3.6 on page 54).

3.3.1 Option to Configure SSL in Tomcat

If you are administering Secure Login remotely over a network, it is recommended to use an SSL connection. This means that SSL must be activated in Tomcat.

Follow these steps to activate SSL in Tomcat (this example details SSL for Tomcat v.6.0):

1. If Tomcat is running, stop and exit it.

2. Open the Server.xml file from the directory <Tomcat home>\conf.

3. Copy the following code behind the commented-out SSL configuration example in the Server.xml file (edit the values in the following example, such as the port, keystore path and keystore password, to match your installation):

   <Connector port="8443" maxHttpHeaderSize="8192"
              maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" scheme="https" SSLEnabled="true" secure="true"
              clientAuth="false" sslProtocol="TLS"
              keystorePass="123456"
              keystoreFile="<Tomcat home>\Webapps\securelogin\WEB-INF\Instances\<optional instance directory>\<SSLServer_*>.p12"
              keystoreType="PKCS12"/>

The PKCS12 (*.p12) file should already have been generated via the Administration Console during the Server setup. If not use the Certificate management function of the Administration Console to generate one (see section 6.3.2 on page 181).

4. Save and close the Server.xml file.

5. Start Tomcat.

Even though the URLs in policies use HTTPS and SSL Server certificates are generated (both via the Administration Console), SSL must still be activated manually in Tomcat as described above.

3.3.2 Test the SSL Connection for Tomcat

1. To test the SSL connection, enter the following URL in your browser:

   https://<URL-Where-Your-Servlet-Resides>/securelogin

   For example: https://localhost:8443/securelogin

2. This should open the Administration Console login page (see section 6.1 "Administration Console" on page 119).


3.3.3 Single Sign-On for the Administration Console (Tomcat Only)

This section details how to set up Tomcat to:

- Use a login certificate generated via the Administration Console for SSL-based authentication (refer to section 3.3.3.1 below).
- Trust only those certificates created via the Administration Console, and use single sign-on authentication to the Administration Console (refer to section 3.3.3.2 below).
- Set up a single SSL port in Tomcat for both the Secure Login Administration Console and the Secure Login Client to share (refer to section 3.3.3.3 below).

3.3.3.1 Use a Login Certificate Generated via the Administration Console for SSL-based Authentication

This section details how to set up Tomcat to use SSL login certificates, generated using the Administration Console, for authentication (the Administration Console offers the option to log in to the Secure Login Server using certificate-based SSL authentication). The following steps assume that you have already:

- Created a user via the User Management node (see section 6.4.1 on page 199) whose option Certificate Login ID is set to the subject alternative name used in the certificate.
- Created a login certificate (under SAP CA) via the Certificate Management node. The subject alternative name provided during certificate creation must match the entry in the option Certificate Login ID for the user created in User Management.
- Exported the resulting certificate as a *.p12 file and imported it into Internet Explorer or Firefox.

By default, Tomcat uses the Java trust store to perform the authentication. This means that every CA trusted by the Java VM could be used to create Administration Console login certificates, as long as the subject_alt_name in the certificate matches an Administration Console user account.

If you decide to use the JVM truststore (jre\lib\security\cacerts), the Administration Console root certificate or SAP-CA certificate must be imported into it using Java's keytool. For further information refer to section 5.4.1 "Configure SSL Trust for the Web Client Java Applet" on page 116.

3.3.3.2 Setup Tomcat to Trust Only Administration Console-Generated Certificates

This section details how to setup Tomcat to trust only those certificates created via the Administration Console and also how to create a truststore (and set ports) specifically for the purpose of single sign-on to the Administration Console.

To use only those certificates created via the Administration Console, you must configure the Tomcat SSL connector to use a truststore other than that of the Java VM. This can be achieved either by creating a new truststore or by using the Secure Login Administration Console truststore.

To set up single sign-on it is necessary to create and use a truststore specifically for that purpose (refer to the next page).

The following example creates two ports – one for the Administration Console and one for the Secure Login Client.


Create a New Truststore

1. As a first step we must create a new truststore that contains only the Administration Console root certificate:

   - Open a command box and enter the following (as one line):

     keytool -import -v -trustcacerts -alias my_root_ca -file C:\root.crt -keypass 123456 -keystore C:\myTruststoreFile.jks -storepass 123456

   - Press Return.

2. Now configure a Tomcat SSL connector to use this truststore only (for single sign-on):

- Open the Server.xml file from the directory <Tomcat home>\conf.

- Enter the following example code behind the commented-out SSL configuration example in the Server.xml file (edit the environment-specific values, i.e. ports, file paths and passwords, accordingly; SSLEnabled="true" is required on Tomcat 6 for a connector to use SSL at all, as in section 3.3.1):

    <Connector port="4443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" SSLEnabled="true" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreType="pkcs12"
               keystoreFile="C:\SSL_SERVER.p12" keystorePass="123456"
    />

    <Connector port="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" SSLEnabled="true" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreType="pkcs12" keystoreFile="C:\SSL_SERVER.p12" keystorePass="123456"
               truststoreFile="C:\myTruststoreFile.jks" truststoreType="jks" truststorePass="123456" />

In this example there are two connectors: one for the Secure Login Client (port 4443 in the example) and one to be used only for single sign-on to the Administration Console (port 8443 in the example). This separation avoids possible access conflicts.

The connector used for single sign-on differs from the client connector in the following points:

- It uses a different port number.

- The parameter clientAuth is set to true, and the connector references the truststore created in step 1 (truststoreFile, truststoreType, truststorePass) instead of the Java VM truststore.
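The connector settings in sections 3.3.1 and 3.3.3.2 are easy to get subtly wrong when copied from this manual, and the mistakes do not produce an error at start-up. As an added example (it is neither SECUDE's nor Tomcat's code), the following Python script reads a Tomcat conf/server.xml and reports the points an administrator would want to review before the Server goes into production: the example password 123456 left in place, a clientAuth="true" connector with no truststoreFile of its own (Tomcat then falls back to the JVM cacerts, so any CA trusted by the JVM could issue Administration Console login certificates), scheme="https" without SSLEnabled="true", mis-cased attribute names such as ClientAuth that Tomcat silently ignores, and typographic quotes that survive a copy from the PDF. The sample server.xml embedded in the script, with its ports, paths and passwords, is constructed for the example.

```python
"""Audit the SSL <Connector> elements of a Tomcat server.xml.

Added example for this manual; it is neither SECUDE's nor Tomcat's code.
The sample server.xml below is constructed: its ports, paths and
passwords are illustrative only.
"""
import sys
import xml.etree.ElementTree as ET

# Placeholder passwords from the manual's examples, plus Tomcat's truststore
# default; none of them should survive into a production server.xml.
PLACEHOLDER_PASSWORDS = {"123456", "changeit"}

# Connector attribute names are case-sensitive; Tomcat silently ignores an
# unknown spelling such as "ClientAuth", so the setting is never applied.
SSL_ATTRIBUTES = {"clientAuth", "SSLEnabled", "sslProtocol",
                  "keystoreFile", "keystorePass", "keystoreType",
                  "truststoreFile", "truststorePass", "truststoreType"}
SSL_ATTRIBUTES_BY_LOWER = {name.lower(): name for name in SSL_ATTRIBUTES}

# Quotes that a copy from the PDF leaves behind; the XML parser rejects them.
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"

# Constructed sample: one plain HTTP connector and three SSL connectors
# carrying the mistakes the checks below are meant to catch.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- client connector: SSLEnabled missing, password left at the manual's value -->
    <Connector port="4443" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreType="pkcs12" keystoreFile="C:\\SSL_SERVER.p12"
               keystorePass="123456"/>
    <!-- single sign-on connector: client auth on, but no dedicated truststore -->
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreType="pkcs12" keystoreFile="C:\\SSL_SERVER.p12"
               keystorePass="vault-ref-1"/>
    <!-- attribute copied with a capital C, so client auth is actually off -->
    <Connector port="9443" scheme="https" secure="true" SSLEnabled="true"
               ClientAuth="true" sslProtocol="TLS"
               keystoreType="pkcs12" keystoreFile="C:\\SSL_SERVER.p12"
               keystorePass="vault-ref-1"
               truststoreFile="C:\\myTruststoreFile.jks" truststoreType="jks"
               truststorePass="vault-ref-2"/>
  </Service>
</Server>
"""


def audit_connector(conn):
    """Return a list of (port, message) findings for one <Connector> element."""
    attrs = conn.attrib
    port = attrs.get("port", "?")
    findings = []

    for name in attrs:
        expected = SSL_ATTRIBUTES_BY_LOWER.get(name.lower())
        if expected and name != expected:
            findings.append((port, f"attribute '{name}' should be '{expected}'; "
                                   "Tomcat ignores it as written"))

    is_ssl = attrs.get("scheme") == "https" or attrs.get("SSLEnabled") == "true"
    if not is_ssl:
        return findings  # plain HTTP connector: nothing SSL-specific to check

    if attrs.get("SSLEnabled") != "true":
        findings.append((port, 'scheme="https" but SSLEnabled is not "true": '
                               "the connector will speak plain HTTP"))

    for key in ("keystorePass", "truststorePass"):
        if attrs.get(key) in PLACEHOLDER_PASSWORDS:
            findings.append((port, f"{key} is a placeholder value from the manual"))

    # Without its own truststore a client-auth connector trusts the JVM
    # cacerts, i.e. every CA the JVM trusts could issue console login certs.
    if attrs.get("clientAuth") == "true" and "truststoreFile" not in attrs:
        findings.append((port, 'clientAuth="true" without truststoreFile: '
                               "falls back to the JVM cacerts"))
    return findings


def audit_server_xml(xml_text):
    """Parse a server.xml document and return the findings for all connectors."""
    bad = [q for q in TYPOGRAPHIC_QUOTES if q in xml_text]
    if bad:
        raise ValueError(f"typographic quotes {bad!r} found; use ASCII double quotes")
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        findings.extend(audit_connector(conn))
    return findings


if __name__ == "__main__":
    # Usage: python audit_connectors.py [path/to/server.xml]; without an
    # argument the constructed sample above is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SERVER_XML
    for port, message in audit_server_xml(text):
        print(f"port {port}: {message}")
```

Run against the constructed sample, the script reports two findings for port 4443 (missing SSLEnabled, placeholder keystorePass), one for port 8443 (no truststore for a client-auth connector) and one for port 9443 (ClientAuth mis-cased); a connector with its own truststore, correctly spelt attributes and non-placeholder passwords produces no findings. The checks are deliberately limited to what is visible in server.xml; whether the PKCS12 and JKS files exist and hold the expected certificates still has to be verified with keytool on the Server itself.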


3.3.3.3 Setup Tomcat for Single SSL Port Usage for both the Administration Console and Secure