Use Case
2.8 Secure Login Client for OS X
You can run Secure Login Client on Mac client computers with the OS X operating system. These Mac clients can use Secure Login Client to authenticate against an SAP GUI using SNC.
SAP Single Sign-On 2.0 SP03 has a software component which allows you to use SAP GUI with SNC on a Mac client with OS X 10.7 or higher. The clients can use either Kerberos-based authentication or, after you have made the respective configuration, X.509 certificates for single sign-on with SNC.
Restriction
A Mac client cannot use both authentication methods, Kerberos and X.509 certificates, at the same time.
If you want to authenticate to several SAP GUIs and some have SAP GUI connections with X.509 certificates and others support the Kerberos authentication method, you must switch your certificates in your Mac client depending on the authentication method used by the respective SAP GUI connection.
Secure Login Client for OS X does not support Secure Login Server profiles.
The Mac clients must belong to a Microsoft Active Directory domain. By default, the Secure Login Client for OS X uses Kerberos for authenticating against an SAP GUI connection.
Table 8: Prerequisites
Application Server ABAP (server): You have installed Secure Login Library or the SAP Cryptographic Library.
OS X client:
● OS X 10.7 or higher
● SAP GUI for Java
(If applicable) For Kerberos as authentication mode for SNC: The Mac client is running OS X 10.7 or higher. The user and the computer must belong to a Microsoft Active Directory domain.
2.8.1 Installing Secure Login Client on a Mac Client
The installation of Secure Login Client on an OS X client uses the default OS X installation procedure.
Procedure
1. Download the PKG file of the Secure Login Client from the SAP Service Marketplace.
2. Start the default installation wizard on your Mac client. For more information, see the relevant documentation of Apple Inc.
You have completed the installation of the Secure Login Client. By default, Secure Login Client can use Kerberos to authenticate against an SAP GUI using an SNC connection. You do not need to reboot your Mac client to run single sign-on with SAP GUI.
2.8.2 Uninstalling Secure Login Client from a Mac Client
We recommend that you uninstall Secure Login Client from your Mac client by using a dedicated uninstall script.
Context
The uninstall script uninstall.sh uninstalls Secure Login Client completely.
Procedure
1. Open the Terminal application in Applications > Utilities.
2. Go to the Secure Login Client folder where the uninstall script is located. Use the following command:
cd /Applications/SecureLoginClient.app
3. Run the uninstall script.
sudo ./uninstall.sh
You have completely uninstalled Secure Login Client, and no remains are left on your Mac client.
2.8.2.1 Cleaning Up after Removal of Secure Login Client on OS X
You have removed Secure Login Client from a Mac client without having used the recommended method (see the related link). As a consequence, you must manually clean up all remains of Secure Login Client.
Context
You have removed Secure Login Client, for example, by moving the application into the trash. The following items remain and must be removed:
● The file launchd.conf in the /etc folder still has some rows referring to the already uninstalled cryptographic library of Secure Login Library.
setenv SNC_LIB /Applications/SecureLoginClient.app/Contents/MacOS/lib/libsapcrypto.dylib
setenv SNC_LIB_64 /Applications/SecureLoginClient.app/Contents/MacOS/lib/libsapcrypto.dylib
setenv SSF_LIBRARY_PATH /Applications/SecureLoginClient.app/Contents/MacOS/lib/libsapcrypto.dylib
setenv SSF_LIBRARY_PATH_64 /Applications/SecureLoginClient.app/Contents/MacOS/lib/libsapcrypto.dylib
● The SAP Secure Login Client preference pane
Procedure
1. Open the file launchd.conf and remove the respective rows.
2. Open the system preferences and remove the SAP Secure Login Client preference pane.
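Step 1 of this cleanup, as an added shell example (not part of SAP's documentation or tooling): it lists the leftover setenv rows, keeps a backup, and removes only rows that point into the removed application bundle. The variable names and library path are those listed above; the function names, the .slc-backup suffix, and the refusal to clean while the bundle still exists are assumptions of this example.

```shell
#!/bin/sh
# Added example, not SAP's script. Variable names and the library path are the
# ones listed above; function names and the ".slc-backup" suffix are assumptions.
SLC_PATTERN='^[[:space:]]*setenv[[:space:]]+(SNC_LIB|SNC_LIB_64|SSF_LIBRARY_PATH|SSF_LIBRARY_PATH_64)[[:space:]]+/Applications/SecureLoginClient\.app/'

# List (with line numbers) the rows that still point into the removed app bundle.
slc_find_leftovers() {
    grep -nE "$SLC_PATTERN" "$1" || true
}

# Remove those rows from file $1 and print how many were removed.
# $2 (optional) is the app bundle path; cleanup is refused while it still exists.
slc_clean() {
    conf=$1
    app=${2:-/Applications/SecureLoginClient.app}
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    if [ -e "$app" ]; then
        echo "$app still exists; use its uninstall.sh instead" >&2
        return 3
    fi
    count=$(grep -cE "$SLC_PATTERN" "$conf" || true)
    [ "$count" -gt 0 ] || { echo 0; return 0; }
    cp -p "$conf" "$conf.slc-backup" || return 1
    tmp=$(mktemp) || return 1
    # grep -v exits 1 when nothing is left to print; only status 2 is an error.
    grep -vE "$SLC_PATTERN" "$conf" > "$tmp" || [ $? -eq 1 ] || return 1
    cat "$tmp" > "$conf"   # rewrite in place to keep owner and mode of the file
    rm -f "$tmp"
    echo "$count"
}

# Constructed sample of a launchd.conf left behind after moving the app to the trash.
slc_write_sample() {
    lib=/Applications/SecureLoginClient.app/Contents/MacOS/lib/libsapcrypto.dylib
    cat > "$1" <<EOF
setenv SNC_LIB $lib
setenv SNC_LIB_64 $lib
setenv SSF_LIBRARY_PATH $lib
setenv SSF_LIBRARY_PATH_64 $lib
setenv EXAMPLE_UNRELATED /usr/local/lib/example.dylib
EOF
}
```

Source the file, review the output of slc_find_leftovers /etc/launchd.conf, then run slc_clean /etc/launchd.conf with root privileges. Unrelated setenv rows are left untouched.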
Related Information
Uninstalling Secure Login Client from a Mac Client
2.8.3 Configuring Secure Login Client on a Mac Client
By default, Secure Login Client uses Kerberos to authenticate against an SAP GUI with an SNC connection.
Nevertheless, you can also configure your Mac client to use X.509 certificates.
Context
● Kerberos is the default authentication mode of your Mac client for logging on to an SAP GUI. You need not do anything because Kerberos is already available after the installation. Since your Mac client belongs to Microsoft Active Directory, Kerberos-based authentication mode is supported (see the related link).
● If you want to use X.509 certificates as authentication mode for the SAP GUI with SNC, you must configure it in the OS X System Preference Pane.
Procedure
1. Open the Secure Login Client in your Applications folder or in the System Preferences window.
2. In the parameter Select your SSO method of the Single Sign-On section, switch to Use your selected certificate.
3. Go to the parameter Select your certificate and choose the certificate you want to use for certificate-based authentication to SAP GUI with an SNC connection.
Note
Another option is to configure authentication with X.509 certificates in the Keychain view of OS X. You can find the preferred certificate as a Secure Login identity preference.
Caution
Do not switch certificates in the Secure Login preference pane while changing the settings in the Secure Login Identity Preference of the OS X Keychain. You risk getting an inconsistent configuration.
Related Information
Secure Login Client for OS X