How to Implement the X.509 Certificate Based Single Sign-On
How to implement the X.509 certificate based Single Sign-On solution from SAP Page 7 of 34
Preparations: Copy Installation Files
2 Minutes
1. Logon with the user name SCI266 and password welcome to domain FAIR
The user name and password are specific to this demo.
2. Copy the files from the folder Session (TechEd File Server)
\\Fairfile.fair.sap.corp\session\SCI266\
to the folder Session (Local Folder)
D:\Files\Session\SCI266\
Exercise 1: Install and Configure Secure Login Server
25 Minutes
3. Logon with the user name SCI266 and password welcome to domain FAIR
4. Start cmd.exe and enter the command
telnet localhost 50008
6. Start the command
deploy D:\Files\Session\SCI266\SLS\SECURE_LOGIN_SERVER00_0.sca
7. After deployment, close the windows or enter the command exit twice
8. Start Microsoft Internet Explorer and enter the URL
http://localhost:50000/securelogin
9. On the Welcome screen press the button
10. Define the value
D:\usr\sap\TDI\ServerKeyFile\KeyFile.txt
for the parameter Server File and press the button: Next
11. For the account name Admin define the password 1qay!QAY
Please confirm the password and press the button Next
(Watch out for upper/lower case)
12. Choose the option
Import an Existing Key Store File
Browse for the file
D:\Files\Session\SCI266\Certificates_SCI266\ROOT_CA.pse
Define the password 1qay!QAY
Please use another password!
Check the option Save Password and press the button: Next
13. Choose the option
Skip all SSL certificates
and press the button: Next
14. Choose the option
Import an Existing Key Store File
Browse for the file
D:\Files\Session\SCI266\Certificates_SCI266\USER_CA.pse
15. On the Server Configuration page press the button: Next
16. On the Setup Review page press the button: Finish
17. Start the SAP Management Console (Desktop Icon)
Navigate to AS Java Components
Search for the application
Right-click on the application sap.com/SecureLoginServer and choose the option Restart
If user credentials are requested, log on with the user name FAIR\SCI266 and password welcome
18. Verify that the logon to the Secure Login Administration Console is successful: start Microsoft Internet Explorer and enter the URL
http://localhost:50000/securelogin
or use the Reload button of the initial configuration wizard
Logon with user Admin and password
19. In Microsoft Internet Explorer enter the URL http://localhost:50000/nwa
Logon with user Admin and password abc123
20. Choose the Configuration tab, then Security, then Authentication and Single Sign-On
Choose the option Login Modules
Choose the Login Module SecureLoginModuleLDAP
For the parameter LdapBaseDN define the value:
For the parameter LdapHost define the value:
ldap://dc1emea:389
Save the configuration and log off the
Exercise 2: Install Secure Login Client
5 Minutes
1. Start Windows Explorer and change to the folder D:\Files\Session\SCI266\SLC\
Start the unattended Secure Login Client installation by double-clicking on UnattendedSetup_SLC_SCI266.cmd
Install the software based on the documentation at help.sap.com -> SAP NetWeaver Single Sign-On -> Secure Login Client
After installation the blue icon should be available in the taskbar
2. Log off user SCI266
If the message box Save console settings to sapmmc.msc appears, press the button No
Logon with the user name SCI266 and password welcome to domain FAIR
4. The Secure Login Client Console should be displayed
Double-click on the default profile
Press the OK button
Enter username SCI266 and password welcome, then press the OK button
5. Press the OK button
If authentication fails, verify the user credentials (SCI266 / welcome) or check the Login Module configuration (SAP NetWeaver Administrator) for typing errors
As a result, the X.509 user certificate (CN=SCI266, O=SAP, L=Walldorf, C=DE) will be provided
Exercise 3: Configure SNC for SAP ABAP Server
30 Minutes
1. Start the SAP Logon application
Choose the TDI system Local SAP ABAP Server
Logon with username admin and password abc123
2. Start transaction RZ10
Import the profiles of the active servers by selecting Utilities, then Import profiles of active servers
Press the exit (yellow) button
Select the instance profile (double-click) TDI_DVEBMGS00_MADR9EL187NW
Choose the option Extended maintenance and press the Change button
3. Change the following SNC parameters: snc/gssapi_lib and snc/identity/as, and verify the other SNC parameters. Configuration details are described in the following table.
Parameter                   Value                                      Remarks
snc/force_login_screen      0                                          Predefined
snc/permit_insecure_start   1                                          Predefined
snc/accept_insecure_rfc     1                                          Predefined
snc/accept_insecure_gui     1                                          Predefined
snc/accept_insecure_cpic    1                                          Predefined
snc/r3int_rfc_qop           8                                          Predefined
snc/r3int_rfc_secure        0                                          Predefined
snc/data_protection/use     3                                          Predefined
snc/data_protection/min     2                                          Predefined
snc/data_protection/max     3                                          Predefined
snc/enable                  0                                          Predefined
snc/gssapi_lib              D:\usr\sap\TDI\ASCS01\exe\sapcrypto.dll    To Be Changed
snc/identity/as             p:CN=TDI, OU=TechEd 2011, O=SAP AG         To Be Changed

Parameter         Description
snc/enable        Set this parameter to activate SNC on the AS ABAP.
                  1: SNC is activated
                  0: SNC is not activated
snc/gssapi_lib    Specify the path and file name of the GSS-API V2 shared library.
                  D:\usr\sap\TDI\ASCS01\exe\sapcrypto.dll
snc/identity/as   Specify the SNC name of the AS ABAP with this parameter.
                  Format: <name type>:<external name> or
                  <name type>/<product>:<external name>
                  p:CN=TDI, OU=TechEd 2011, O=SAP AG
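To verify the SNC settings from the table above against an instance profile before restarting the server, here is an added Python example (not part of the SAP exercise). The sample profile text, the check functions and the single-letter name-type assumption in the SNC name pattern are my own.

```python
import re

# Constructed sample instance profile, modelled on the parameter table above
# (TDI system values from this exercise; not a real profile file).
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = TDI
snc/enable = 0
snc/gssapi_lib = D:\\usr\\sap\\TDI\\ASCS01\\exe\\sapcrypto.dll
snc/identity/as = p:CN=TDI, OU=TechEd 2011, O=SAP AG
snc/data_protection/use = 3
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
"""
# Values the table marks as predefined; a missing key is accepted as the default.
PREDEFINED = {"snc/data_protection/use": "3", "snc/data_protection/min": "2",
              "snc/data_protection/max": "3", "snc/r3int_rfc_qop": "8"}
# SNC name format from the table: <name type>:<external name> or
# <name type>/<product>:<external name> (single-letter name type assumed here)
SNC_NAME_RE = re.compile(r"^[A-Za-z](?:/[^:]+)?:.+$")

def parse_profile(text):
    """Parse 'key = value' lines of an SAP instance profile; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def check_snc(params):
    """Return findings that would stop the X.509/SNC logon (empty list = OK)."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is not activated")
    if not params.get("snc/gssapi_lib", "").lower().endswith("sapcrypto.dll"):
        findings.append("snc/gssapi_lib does not point to sapcrypto.dll")
    if not SNC_NAME_RE.match(params.get("snc/identity/as", "")):
        findings.append("snc/identity/as is not <name type>:<external name>")
    for key, default in PREDEFINED.items():
        if params.get(key, default) != default:
            findings.append(f"{key} is {params[key]}, expected {default}")
    return findings

def insecure_fallbacks(params):
    """List snc/accept_insecure_* switches set to 1: non-SNC logons are still accepted."""
    return sorted(k for k, v in params.items()
                  if k.startswith("snc/accept_insecure_") and v == "1")
```

Run against the sample, the only finding is the still-inactive snc/enable, which is exactly the value the exercise switches to 1 after the PSE import; insecure_fallbacks shows which non-SNC logon paths remain open with the predefined values.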
4. After the configuration, save the profile configuration (Button Yes) and press the Exit button (yellow)
Press the Save button
On the next screen (Incorrect parameter values detected. Display values?) select the No button
On the next screen select Yes to activate the profile
The next version of the instance profile is saved and activated
Confirm this message box (green tick)
Confirm this message box (green tick)
Log off the SAP Logon application
5. Restart the SAP NetWeaver Application Server
Start the SAP Management Console (Desktop Icon)
If user credentials are requested, log on with the user name FAIR\SCI266 and password welcome
HINT: The SAP ABAP Stack will be available in about 2-3 minutes
6. Start the SAP Logon application
Choose the TDI system Local SAP ABAP Server
Logon with username admin and password abc123
Start transaction STRUST
Choose in the menu PSE, then Import
Open the file:
D:\Files\Session\SCI266\Certificates_SCI266\SAP_SERVER_TDI.pse
Choose the option Allow this one time and press the OK button
Enter the password 1qay!QAY and confirm the message box (green tick)
Choose in the menu PSE, then Save as…
Choose the option SNC SAPCryptolib and confirm the message box (green tick)
At the bottom of the screen, the message Data saved successfully should be displayed and an entry for SNC SAPCryptolib should be available
Start the transaction /nRZ10
Select the instance profile (double-click) TDI_DVEBMGS00_MADR9EL187NW
Choose the option Extended maintenance and press the Change button
Define the value 1 for the parameter snc/enable (activate SNC)
After the configuration, save the profile configuration (Button Yes) and press the Exit button (yellow)
On the next screen (Incorrect parameter values detected. Display values?) select the No button
Select Yes to activate the profile
The next version of the instance profile is saved and activated
Confirm this message box (green tick)
7. Restart the SAP NetWeaver Application Server
Start the SAP Management Console (Desktop Icon)
Right-click on the SAP System TDI and choose the option Restart
If user credentials are requested, log on with the user name FAIR\SCI266 and password welcome
Exercise 4: Enable SNC in SAP GUI Application
5 Minutes
1. Click on the SAP Logon Icon on the Desktop
and press the New Button
2. Press the Next button
3. Define the following parameters:
Description: Local SAP Server (SNC)
Application Server: localhost
Instance Number: 00
System ID: TDI
and press the button Next
4. Activate Secure Network Communication (checkmark) and define the value
p:CN=TDI, OU=TechEd 2011, O=SAP AG
Exercise 5: Configure SNC User Mapping in SAP User Management
5 Minutes
1. Start the SAP GUI application and logon to the Local SAP ABAP Server with username admin and password abc123
2. Start transaction SU01 and enter SCI266 for the User
Press the Change button
3. Choose the tab SNC
For the parameter SNC name define the value
p:CN=SCI266, O=SAP, L=Walldorf, C=DE
and save the configuration
4. Log off the user Admin
5. Start the SAP GUI application and use the SNC enabled connection Local SAP Server
6. If there are no configuration errors, you are directly logged on as the user SCI266 without using a password
An SAP license message may appear; in this case press the OK button
HINT: If no certificate is available, the Windows user credentials are requested. In this case enter username SCI266 and password welcome
Exercise 6: Additional Single Sign-On Scenarios
15 Minutes (Optional)
1. SSO to SAP Enterprise Portal
Start Microsoft Internet Explorer and enter the URL:
https://localhost:50001/irj/portal
or use the shortcut link in:
D:\Files\Session\SCI266\Shortcuts\
X.509 Based Login SAP Enterprise Portal
As a result the user SCI266 is authenticated automatically to the SAP Enterprise Portal
How was it configured?
In this configuration the SSL Server Certificate was issued by the Secure Login Server and imported via transaction STRUST
In order to verify the certificate, start the SAP Logon application and logon with username Admin and password abc123
Start the transaction STRUST and choose the SSL server Standard certificate
The password for the certificate is
In addition, the user mapping for the SAP Enterprise Portal was configured in the ClientCertLoginModule
Logon to SAP NetWeaver Administrator
http://localhost:50000/nwa
Choose Configuration, then Security, then Authentication and Single Sign-On
Choose Components, then ticket
In this login module stack (ticket) the login module ClientCertLoginModule is configured to use the CN field of the certificate distinguished name to map the SAP user
2. SAP GUI for HTML (ABAP Stack)
Start Microsoft Internet Explorer and enter the URL:
https://localhost:50001/sap/bc/gui/
or use the shortcut link in:
D:\Files\Session\SCI266\Shortcuts\
X.509 Based Login SAP ABAP Web GUI
As a result the user SCI266 is authenticated automatically to the SAP ABAP Web Application Server
How was it configured?
In this configuration the SSL Server Certificate was issued by the Secure Login Server and imported via transaction STRUST (as described before)
In addition, the user mapping (External User ID) needs to be configured
In order to verify the user mapping, start the SAP Logon application and logon with username Admin and password abc123
Start the transaction SM30. Enter the value VUSREXTID and press the button Maintain. Define DN for the work area
In this table the External ID
CN=SCI266, O=SAP, L=Walldorf, C=DE
3. SSO for Business Explorer
Select Start, Programs, SAP, SAP Business Explorer, Query Designer
Choose Local SAP Server (SNC) and press the OK button
Define the following parameters:
Client 001
User SCI266
Language EN
and press the OK button
HINT: It takes some time until the Business Explorer client (Query Designer) is started
How was it configured?
4. Secure Login Web Client
In the taskbar click on the blue icon and log out the user certificate (right-click on the default profile).
Close the SAP GUI and Microsoft Internet Explorer applications.
Start Microsoft Internet Explorer and enter the URL:
http://localhost:50000/SlsWebClient
SAP Logon application will be started automatically.
Choose SNC enabled connection
Local SAP Server (SNC)
If there are no configuration errors, you are directly logged on with the user SCI266 without using a password
How was it configured?
With the Secure Login Server deployment, the Secure Login Web Client is configured for LDAP authentication by default. As the SecureLoginModuleLDAP is configured for the Microsoft Active Directory system (configured in SAP NetWeaver Administrator), this configuration is also used by the Secure Login Web Client. Additional client profiles can be configured in the Secure Login Administration Console.
© 2012 by SAP AG. All rights reserved.