Fiori Configuration

(1)

Installation, Configuration and Administration Guide

SAP NetWeaver Single-Sign-On SP2

Secure Login Server

PUBLIC

(2)

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner,

WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively

Germany

T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com

(3)

Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.

Terms for Included Open

Source Software

This SAP software contains also the third party open source software products listed below. Please note that for these third party products the following special terms and conditions shall apply.

Prototype JavaScript Framework http://www.prototypejs.org/

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the

"Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

stringutils http://sourceforge.net/projects/stringutils/

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the

"Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

opencsv 1.7.1 http://opencsv.sourceforge.net/

Apache License

Version 2.0, January 2004 http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

(4)

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual,

worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

(5)

(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT,

MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any

(6)

Typographic Conventions

Type Style Description

Example Text Words or characters quoted from the screen. These include field names, screen titles,

pushbuttons labels, menu names, menu paths, and menu options.

Cross-references to other documentation

Example text Emphasized words or phrases in body text, graphic titles, and table titles

EXAMPLE TEXT Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a

programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text Exact user entry. These are words or characters that you enter in the system exactly as they appear in the

documentation.

<Example text> Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon Meaning Caution Example Note Recommendation Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help  General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

(7)

1 What is Secure Login? ... 9

1.1 System Overview ... 10

1.2 System Overview with Security Token ... 11

1.3 System Overview with Secure Login Server ... 14

1.4 Instances ... 16

1.5 PKI Structure ... 17

1.6 Secure Communication ... 18

1.7 Policy Server Overview ... 19

1.8 Secure Login Web Client ... 20

1.8.1 Export Restrictions ... 20

2 Secure Login Server Installation ... 21

2.1 Prerequisites ... 21

2.1.1 Secure Login Library ... 22

2.2 Secure Login Server Installation with Telnet ... 26

2.3 Secure Login Server Installation with JSPM ... 27

2.4 Secure Login Server Uninstallation ... 30

2.5 Updating the Secure Login Server to SP2 ... 30

2.6 Initial Configuration Wizard ... 31

2.6.1 Initial Configuration ... 31

2.6.2 Enable Remote Access for Initial Wizard... 47

2.6.3 Configure SSH Tunnel ... 48

3 Administration ... 49

3.1 Logon to Administration Console ... 49

3.2 Welcome Page ... 50

3.2.1 Change Password... 51

3.3 Server Configuration ... 52

3.3.1 Edit Server Configuration ... 54

3.3.2 Edit Login Type Setting ... 55

3.3.3 Certificate Management ... 56

3.3.4 Trust Store Management ... 68

3.3.5 Certificate Template ... 69

3.3.6 System Check ... 76

3.3.7 Message Settings ... 77

3.3.8 SNC Configuration ... 81

3.3.9 Server Status ... 82

3.3.10 Sign Certificate Requests ... 83

3.3.11 Console Log Viewer ... 85

3.3.12 Web Client Configuration ... 87

3.4 Instance Management ... 92

3.4.1 DefaultServer Configuration ... 92

3.4.2 Create a New Instance ... 115

3.5 Console Users ... 120

3.5.1 User Management ... 120

3.5.2 Role Management... 123

3.5.3 Locked Files Management ... 124

(8)

4.1 Configure Login Module ... 125

4.2 Verify Authentication Server Configuration ... 131

4.3 Create Technical User in SAP Server ... 133

4.4 Mozilla Firefox Support ... 133

4.4.1 Install Firefox Extension ... 133

4.4.2 Uninstall Mozilla Firefox Extension ... 134

4.5 Customize Secure Login Web Client ... 135

4.6 Configure SSL Certificate Logon ... 135

4.7 Configure External Login ID ... 136

4.8 Emergency Recovery Tool ... 136

4.9 Monitoring ... 139

4.9.1 Web Service Status ... 139

4.9.2 XML Interface ... 139

4.10 Secure Login Client Policy and Profiles ... 141

4.10.1 Client Policy ... 141

4.10.2 Applications and Profiles ... 142

4.11 Integrate into Existing PKI ... 146

4.12 Configuring Secure Login Servers as Failover Servers for High

Availability ... 147

4.13 Configuring Login Module Stacks as Failover Servers in SAP

NetWeaver ... 149

4.13.1 Configuration of SAP NetWeaver AS Java ... 150

4.13.2 Configuration of the Secure Login Server ... 151

4.14 Setting Failover Timeouts of the Login Modules ... 152

4.15 Custom Use of Login Module with Login Module Stacks ... 152

5 Configuration Examples ... 154

5.1 Kerberos Authentication with SPNego ... 154

5.2 LDAP User Authentication ... 155

5.3 SAP User Authentication ... 156

5.4 RADIUS User Authentication... 157

5.5 Configuring RSA Authentication with RADIUS ... 158

5.5.1 Configuration of the securid.ini File ... 158

5.5.2 Customer-Specific Configuration of the securid.ini File ... 159

5.5.3 Ensuring Encrypted Communication with Shared Secret ... 160

6 Troubleshooting ... 161

6.1 Checklist User Authentication Problem ... 161

6.2 Secure Login Server SNC Problem ... 162

6.3 Enable Secure Login Server Trace ... 163

6.4 Enable Secure Login Library Trace ... 163

6.5 Secure Login Server Lock and Unlock ... 164

6.6 Access Denied Replies ... 165

6.7 Internal Server Message ... 165

6.8 Error Codes ... 166

6.8.1 Secure Login Server Error Codes ... 166

6.8.2 SAP Stacktrace Error Codes ... 168

7 List of Abbreviations ... 171

(9)

1 What is Secure Login?

1 What is Secure Login?

Secure Login is an innovative software solution created specifically to improve user and IT productivity and to protect business-critical data in SAP business solutions through secure Single Sign-On to the SAP environment.

Secure Login provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components:

Examples:

 SAP GUI and SAP NetWeaver platform with Secure Network Communications (SNC)  Web GUI and SAP NetWeaver platform with Secure Socket Layer – SSL (HTTPS)  Third party application server supporting X.509 certificates

In a default SAP setup, users enter their SAP user name and password into the SAP GUI logon screen. SAP user names and passwords are transferred through the network without encryption.

To secure networks, SAP provides a Secure Network Communications interface (SNC) that enables users to log on to SAP systems without entering a user name or password. The SNC interface can also direct calls through the Secure Login Library to encrypt all

communication between the SAP GUI and SAP server, thus providing secure single sign-on to SAP.

Secure Login allows you to benefit from the advantages of SNC without being forced to set up a Public Key Infrastructure (PKI). Secure Login allows users to authenticate with one of the following authentication mechanisms:

 Microsoft Windows domain (Active Directory Server)  RADIUS server

 LDAP server  RSA SecurID token  SAP NetWeaver server  Smart Card authentication

If a PKI has already been set up, the digital user certificates of the PKI can also be used by Secure Login.

Secure Login also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) with SSL.

(10)

1.1 System Overview

Secure Login is a client/server software system integrated with SAP software to make single sign-on, alternative user authentication, and enhanced security easy for distributed SAP environments.

The Secure Login solution includes the following components:  Secure Login Server

Central service which provides X.509v3 certificates (out-of-the-box PKI) to users and application server. The Secure Login Web Client is provided as well.

 Secure Login Library

Crypto library for the SAP NetWeaver ABAP system. The Secure Login Library supports both X.509 and Kerberos technology.

 Secure Login Client

Client application which provides security tokens (Kerberos and X.509 technology) for a variety of applications.

It is not necessary to install all components. This depends on the use case. For further information about Secure Login Client and Secure Login Library see the corresponding Installation, Configuration and Administration Guide.

The Secure Login Client is split into the following variants: Secure Login Client

Secure Login Client can either be used with an existing public key infrastructure (PKI) or together with the Secure Login Server. You can use it for certificate-based authentication without being obliged to set up a PKI.

The stand-alone Secure Login Client can use the following authentication methods: - Smart Cards and USB tokens with an existing PKI certificate

Secure Login Server and Authentication Server are not necessary. - Microsoft Crypto Store with an existing PKI certificate

Secure Login Server and Authentication Server are not necessary. - Microsoft Windows credentials

The Microsoft Windows domain credentials (Kerberos token) can be used for

authentication. In addition, the Microsoft Windows credentials can be used to receive a user X.509 certificate with Secure Login Server.

- User name and Password (Several Authentication Mechanism)

The Secure Login Client prompts you for a user name and a password and uses these credentials for authentication at the Secure Login Server to receive a user X.509 certificate.

All of these authentication methods can be used in parallel. A policy server provides authentication profiles that specify how to log on to the desired SAP system.

Secure Login Web Client

This client is based on a Web browser (Web GUI) and is part of the Secure Login Server. The Secure Login Web Client has the same authentication methods as the standalone Secure Login Client, but with the following limited functions:

- Limited integration with the client environment (interaction required) - Limited client policy configuration

(11)

1.2 System Overview with Security Token

The Secure Login Client is integrated with SAP software to provide a single sign-on capability and enhanced security. An existing PKI structure or Kerberos infrastructure can be used for user authentication.

Main System Components

The following figure shows the Secure Login system environment with the main system components if an existing PKI or Kerberos infrastructure is used.

Secure Login Client PKI Infrastructure

• Smart Card, USB Token • Microsoft Crypto Store

• Secure Login Library

Authentication and secure communication • SAP GUI

• Web GUI

SAP NetWeaver Platform Security Token

Kerberos Infrastructure • Kerberos Token

Kerberos

Figure: Secure Login System Environment with Existing PKI and Kerberos

The Secure Login Client is responsible for the certificate-based authentication and Kerberos-based authentication to the SAP application server.

Authentication Methods

In a system environment without Secure Login Server, the Secure Login Client supports the following authentication methods:

 Smart Card and USB tokens with an existing PKI certificate  Microsoft Crypto Store (Certificate Store)

(12)

Workflow for X.509 Certificates

The following figure shows the principal workflow and communication between the individual components.

1

Start connection and get SNC name Client maps

SNC name to authentication

profile Secure Login Client

Security Token ₂ 4

PKI Infrastructure

6

SAP NetWeaver Platform

Client provides certificate to SAP GUI application

Authentication and secure communication • Smart Card, USB Token

• Microsoft Crypto Store

• Secure Login Library 5

Unlock Security Token 3

Figure: Principal Workflow

1. Upon connection start, the Secure Login Client retrieves the SNC name from the desired SAP server system.

2. The Secure Login Client uses the authentication profile for this SNC name. 3. The user unlocks the security token by entering the PIN or password.

4. The Secure Login Client receives the X.509 certificate from the user security token. 5. The Secure Login Client provides the X.509 certificate for SAP single sign-on and

secure communication between SAP Client and SAP Server. 6. The user is authenticated and the communication is secured.

Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto engines. The Crypto Service Provider (CSP) from SAP is such a plug-in. It provides the user keys to all CAPI-enabled applications.

(13)

Workflow for Kerberos Token

Figure: Principal Workflow Kerberos Authentication

1. Upon connection start, the Secure Login Client retrieves the SNC name (Service Principal Name) from the respective SAP server system.

2. The Secure Login Client starts at the Ticket Granting Service a request for a Kerberos Service token.

3. The Secure Login Client receives the Kerberos Service token.

4. The Secure Login Client provides the Kerberos Service token for SAP single sign-on and secure communication between SAP Client and SAP server.

(14)

1.3 System Overview with Secure Login Server

The main feature of the Secure Login Server is to provide an out-of-the-box PKI for users and application server systems (for example, SAP NetWeaver).

Users receive short term X.509 certificates. For the application server, long term X.509 certificates are issued. Based on the industry standard X.509v3, the certificates can be used for non-SAP systems as well.

In order to provide user certificates, the user needs to be authenticated (verified by the Secure Login Server). Therefore the Secure Login Server supports several authentication server systems.

Main System Components

The following figure shows the Secure Login system environment with the main system components.

Figure: Secure Login System Environment

The Secure Login Client is responsible for the certificate-based logon to the SAP application server and encryption of the SAP client/server communication.

The Secure Login Server is the central server component that connects all parts of the system. It enables authentication against an authentication Server and provides the Secure Login Client with a short term certificate. The Secure Login Server is a pure Java application. It consists of a servlet and a set of associated classes and shared libraries. It is installed on an SAP NetWeaver application server.

The Secure Login Server provides client authentication profiles to the Secure Login Client, which allows flexible user authentication configurations (for example, which authentication type should be used for which SAP application server).

(15)

Authentication Methods

Secure Login supports several authentication methods. It uses the Java Authentication and Authorization Service (JAAS) as a generic interface for the different authentication methods. For each supported method, there is a corresponding configurable JAAS module.

The following authentication methods are supported:  Microsoft Active Directory Service (ADS)

 RADIUS

 RSA SecurID token  LDAP

 SAP ID-based logon

 SAP NetWeaver AS Java User Management Engine  SAP NetWeaver AS Java SPNego

Workflow with X.509 Certificate Request

Figure: Principal Workflow

1. Upon connection start, the Secure Login Client gets the SNC name from the desired SAP server system.

2. The Secure Login Client uses the client policy for this SNC name. 3. The Secure Login Client receives the user login credentials.

(16)

4. The Secure Login Client generates a certificate request.

5. The Secure Login Client sends the user credentials and the authentication request to the Secure Login Server.

6. The Secure Login Server forwards the user credentials to the authentication server and receives a response indicating whether the user credentials are valid or not.

7. If the user credentials are valid, the Secure Login Server generates a user certificate (certificate response) and provides it to the Secure Login Client.

8. Secure Login Client provides the certificate to SAP GUI.

9. The user certificate is used to perform an authentication, single sign-on, and secure communication between SAP client and server.

1.4 Instances

The Secure Login instances feature allows multiple instances running on the same server. The main advantage of using instances is that the time spent on maintaining Secure Login is reduced to a minimum.

Secure Login Server instances can use a common user CA certificate for one or more instances, or you can set an individual user CA certificate (PKI) for each instance. The Secure Login Client authentication profiles can be configured to use different Secure Login Server instances for different authentication methods.

Figure: Instances Examples

It is still possible to use several Secure Login Servers and/or authentication servers for failover. The Secure Login Server can connect to more than one authentication server.

(17)

1.5 PKI Structure

There are different integration scenarios available for Secure Login Server.

Out-of-the-Box PKI Secure Login Server

Secure Login Server provides standard X.509 certificates for users (short term) and application server (long term). The following out of the box PKI structure can be delivered with the Secure Login Server.

Figure: Secure Login Server PKI Structure

PKI Integration

As the Secure Login Server is based on industry standard X.509v3, it is possible to integrate the Secure Login Server to an existing PKI. The required minimum is to provide a user CA certificate to the Secure Login Server.

(18)

1.6 Secure Communication

The goal of the Secure Login solution is to establish secure communication between all required components:

Figure: Secure Communication

Technology Used for Secure Communication

Technology used for secure communication

From To Security Protocol / Interface

SAP GUI SAP NetWeaver DIAG/RFC (SNC)

Business Explorer SAP NetWeaver DIAG/RFC (SNC)

Business Client SAP NetWeaver DIAG/RFC (SNC), HTTPS

Web GUI SAP NetWeaver HTTPS (SSL)

Secure Login Client Secure Login Server HTTPS (SSL) Secure Login Server LDAP Server LDAPS (SSL) Secure Login Server SAP NetWeaver RFC (SNC)

(19)

1.7 Policy Server Overview

Secure Login Client configuration is profile-based. You can configure the application contexts to provide a mechanism for automatic application-based profile selection. The system then searches the application contexts for specific personal security environment universal resource identifiers (PSE URIs).

If no matching PSE URI is found, a default application context that links to a default profile can be defined.

The application contexts and profiles are stored in the Microsoft Windows Registry of the client. You define these parameters in the XML policy file.

(20)

1.8 Secure Login Web Client

Secure Login Web Client is a feature of the Secure Login Server. It is a Web-based solution for the authentication of users in Web browsers (in portal scenarios) on a variety of platforms and for launching SAP GUI with SNC security. You also use it for authentication against SAP NetWeaver Web Application Server.

This means that the client is no longer limited to Microsoft Windows, but Mac OS X, and Linux-based client systems can be used as well. Another use case is providing short term certificates to external employees (for example, to external consultants).

The following main features are available:

 Browser-based authentication (including all authentication server support)  Support for SAP GUI for Microsoft Windows and SAP GUI for Java

 Certificate store support for Microsoft Internet Explorer and Mozilla Firefox browser  URL redirect X.509 authentication support to SAP Web application server

 Localization and customization of HTML pages and applet messages

Differences between Secure Login Client and Secure Login Web Client:  With Secure Login Client the required security library is available.

With Secure Login Web Client the security library needs to be downloaded in a Web browser application.

 With Secure Login Client, the authentication process and secure communication can be triggered on demand (for example, in SAP GUI).

The Secure Login Web Client triggers an authentication process and secure

communication. After the authentication process, the Secure Login Web Client starts the SAP GUI.

1.8.1 Export Restrictions

At the start of the Secure Login Web Client, it transfers components that are required for authentication and for a secure network connection from the server to the client. The Secure Login Web Client contains components with cryptographic features for authentication and for a secure server/client network connection. Under German export control regulations, these components are classified with ECCN 4D003. If server and client are not located in the same country a transfer takes place that requires compliance with applicable export and import control regulations.

If the Secure Login Server and the Secure Login Web Client are installed in different countries, you are obliged to make sure that you abide by the export and import regulations of the countries involved.

(21)

2 Secure Login Server Installation

2 Secure Login Server Installation

This chapter describes how to install Secure Login Server.

The installation can be done using the Telnet application or with the Software Delivery Tool.

2.1 Prerequisites

This chapter describes the prerequisites and requirements for the installation of Secure Login Server. The SAP NetWeaver Application Server must be up and running.

Hardware Requirements

Secure Login Server Details

Hard disk space 50 MB of hard disk space HDD space for log files Random-access memory 1 GB RAM at minimum

Software Requirements

Application server SAP NetWeaver CE 7.2 SAP NetWeaver 7.3 Optional:

Secure Login Library

The Secure Login Library installation is optional and required for SAP user authentication only.

The Secure Login Library will be used to establish secure communication to SAP NetWeaver Application Server ABAP to verify SAP credentials.

For operating system support see the Installation, Configuration and Administration Guide of the Secure Login Library.

Secure Login Web Client Details

Operating systems Microsoft Windows 7, Vista, XP (32-bit) SUSE Linux Enterprise Desktop 11 Mac OS X 10.5, 10.6

Java SUN Java 1.5 or higher browser plug-in Internet browser (32-bit) Microsoft Internet Explorer 7, 8, 9

(22)

Supported Authentication Servers

LDAP server system Microsoft Active Directory System 2003, 2008 openLDAP

SAP server system SAP NetWeaver Application Server ABAP 6.20 or higher version

RADIUS server system RSA Authentication Manager 6.1 and 7.1 freeRADIUS

Microsoft Network Policy and Access Services(NPA) Microsoft Internet Authentication Service (IAS) SAPNetWeaver AS Java

User Man agement Engine (UME)

BasicPasswordLoginModule

2.1.1 Secure Login Library

The Secure Login Library installation is optional and is required for SAP NetWeaver Application Server user authentication only. The Secure Login Library is used to establish secure communication to SAP ABAP server and to verify SAP credentials.

Keep in mind that there are different Secure Login Library software packages available depending on the desired operating system. This document describes the installation for Microsoft Windows and Linux operating system.

Secure Login Library for Microsoft Windows Operating

System

Step 1 – Copy Library Files

Copy the Secure Login Library software for Microsoft Windows to the target SAP NetWeaver Application Server and extract the file SECURELOGINLIB.SAR with the SAPCAR command line tool to the following folder.

sapcar –xvf <source_path>\SECURELOGINLIB.SAR –R <ASJava_installation>\exe\

Example

sapcar –xvf D:\InstallSLS\SECURELOGINLIB.SAR –R D:\usr\sap\ABC\J00\exe\

Check if the folder <ASJava_installation>\exe, which is used by Secure Login Library, is included in the Java library path. Verify the Java Library Path (libpath) in the trace file <ASJava_installation>\work\dev_jstart.

(23)

Step 2

–

Environment Variable SECUDIR

Set the system environment variable SECUDIR to the following directory: SECUDIR=<ASJava_installation>\sec

Example

SECUDIR=D:\usr\sap\ABC\J00\sec

Step 3 – Verify Secure Login Library

To verify the Secure Login Library, use the snc command: <ASJava_installation>\exe\snc.exe

Example

D:\usr\sap\ABC\J00\exe\snc.exe

As a result, you get further information about the Secure Login Library. The test is successful if the version is displayed.

Figure: Verify Secure Login Library with the Command snc

Step 4 – Restart SAP NetWeaver Application Server

In an installation under Microsoft Windows, restart the SAP NetWeaver Application Server because the environment variable SECUDIR does not takes effect unless you perform a restart.

(24)

Secure Login Library for Linux Operating System

Step 1 – Copy Library Files

Copy the Secure Login Library software for Linux to the target SAP NetWeaver Application Server and extract the file SECURELOGINLIB.SAR with the SAPCAR command line tool to the following folder.

sapcar –xvf <source_path>/SECURELOGINLIB.SAR –R <ASJava_installation>/exe/

Example

sapcar –xvf /InstallSLS/SECURELOGINLIB.SAR –R /usr/sap/ABC/J00/exe

Check if the folder <ASJava_installation>/exe, which is used by Secure Login Library, is included in the Java library path. Verify the Java library path (libpath) in the trace file <ASJava_installation>/work/dev_jstart.

Step 2

–

Define File Attributes

To use shared libraries in a shell, it is necessary to set the file permission attributes with the following command:

chmod +rx <ASJava_installation>/exe/snc lib* Example

chmod +rx /usr/sap/ABC/J00/exe/snc lib*

Step 3

–

Define File Owner

Grant access rights to the user account that is used to start the SAP application (for example,

<SID>adm).

Change to the folder <ASJava_installation>/exe/ and use the following command: chown [OWNER]:[GROUP] *

Example

chown abcadm:sapsys *

Step 4 – Verify Secure Login Library

To verify the Secure Login Library use the snc command (with user <SID>adm): <ASJava_installation>/exe/snc

(25)

/usr/sap/ABC/J00/exe/snc

As a result; further information about the Secure Login Library should be displayed. The test is successful if the version is displayed.

(26)

2.2 Secure Login Server Installation with Telnet

1.) Copy the file SECURE_LOGIN_SERVER00_0.sca to the target SAP NetWeaver

Application Server. 2.) Start a Telnet session.

telnet localhost 5<instance_number>08 Example

telnet localhost 50008

3.) Deploy the Secure Login Server package.

deploy <source>\SECURE_LOGIN_SERVER0SP_0.sca Microsoft Windows Example

deploy D:\InstallSLS\SECURE_LOGIN_SERVER0SP_0.sca The Secure Login Server application will be started automatically.

Start the initial configuration described in section 2.6 Initial Configuration Wizard.

List of Useful Telnet Commands

List of useful telnet commands

Action Command

Deploy Application deploy SECURE_LOGIN_SERVER0SP_0.sca

Undeploy Application undeploy name=SecureLoginServer vendor=sap.com List Application list_app | grep SecureLoginServer

Stop Application stop_app sap.com/SecureLoginServer Start Application start_app sap.com/SecureLoginServer

(27)

2.3 Secure Login Server Installation with JSPM

1.) Copy the file SECURE_LOGIN_SERVER0SP_0.sca to the target SAP NetWeaver

Application Server.

The target folder location is \\localhost\sapmnt\trans\EPS\in Microsoft Windows

<drive>\usr\sap\trans\EPS\in Linux

/usr/sap/trans/EPS/in

2.) Start the JSPM application (SAP Software Delivery Tool) on SAP NetWeaver Application Server.

Microsoft Windows

<ASJava_Installation>\j2ee\JSPM\go.bat Linux

<ASJava_Installation>/j2ee/JSPM/go

(28)

4.) Choose the New Software Components option.

(29)

6.) Start the deployment process.

(30)

2.4 Secure Login Server Uninstallation

This chapter describes how to uninstall Secure Login Server. Uninstall the Secure Login Server in Telnet.

1.) Start a Telnet session.

telnet localhost 5<instance_number>08 Example

telnet localhost 50008

2.) Stop the Secure Login Server application. stop_app sap.com/SecureLoginServer 3.) Undeploy the Secure Login Server package.

undeploy name=SecureLoginServer vendor=sap.com

2.5 Updating the Secure Login Server to SP2

In SAP Note 1660519 you find a description that tells you how to update the Secure Login Server to SP1. You see the current version number of the Secure Login Server in the parameter Server Build. The entry REL_1_0_2_20 stands for SP2 (see 3.3.9 Server Status). After the installation, restart the system.

During the installation, the following files are deleted:

 config.properties file

 userenv.registry

Make a backup of these files before you execute an installation. After the installation, copy the files to the relevant directories.

(31)

2.6 Initial Configuration Wizard

After the deployment of Secure Login Server an initial configuration is required.

For security reasons, the initial configuration of the Secure Login Server can be performed on local host only (same server computer on which the Secure Login resides).

If, however, you want to perform the initialization and configuration from a remote location, you must manually enable this feature by editing the Secure Login web.xml file. For more information, see section 2.6.2 Enable Remote Access for Initial Wizard. If a GUI (for example, Linux without X-Win) is not available, use an SSH localhost tunnel configuration for accessing the wizard. For re information, see section 2.6.3 Configure SSH Tunnel.

2.6.1 Initial Configuration

This section describes the initial configuration of the Secure Login Server.

Before starting the Initial Configuration Wizard, verify that the Secure Login Server application is running.

Start the initial configuration using the browser URL: http://localhost:5<instance_number>00/securelogin

Welcome Page

In the welcome page a prerequisite check is performed. Verify all prerequisites. If everything is OK, choose Continue.

(32)

Key File for Encryption of Server Credentials

The key file is a file on the server with random content and is used to secure password information in configuration files. You can use any kind of file type which is larger than 32 bytes. You must create or copy the file to the desired location on the server and define it in this configuration step. There is a check whether the key file is available.

Define the location of the key file.

Example:

D:\usr\sap\ServerKeyFile\KeyFile.txt

Figure: Initial Configuration Wizard – Key file for server credentials encryption

Keep in mind that, in case the key file is changed or not available, it is not possible to log on to the Secure Login Administration Console. The Secure Login Server does not work anymore and is locked.

(33)

Administrator Account

Define the password for the administration user Admin.

Figure: Initial Configuration Wizard – Administrator Account Entries marked with * are mandatory.

Passwords used in Secure Login Server are restricted by the password policy definition.  Passwords cannot be empty

 Passwords must have a length between 8 to 20 characters  Passwords must contain at least one uppercase letter  Passwords must contain at least one lowercase letter  Passwords must contain at least one digit

 Passwords must contain at least one special character

(34)

Create Root CA Certificate

Define the parameter for the root CA certificate.

Figure: Initial Configuration Wizard – Create Root CA Entries marked with * are mandatory.

Option Details

Create a Root CA by providing certificate information

Common Name*

Enter the common name of the certificate (CN). Example: Root CA SAP Security

Organization Unit

Enter the division of the company in this field (OU). Example: SAP Security Department

Organization

Enter the company name in this field (O). Example: Company xyz

Locality

Enter the regional information in this field (L). Example: Walldorf

Country

Enter the country abbreviation in this field (C). Example: DE

Encryption Key Length

Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).

(35)

Valid From*

Enter the date from when the validity of this certificate starts (format: YYYY-MM-DD).

Valid To*

Enter the date when the validity of this certificate ends (format: YYYY-MM-DD).

Password*

In this field you enter the password for this certificate. The password length is limited to 20 characters.

Save Password

If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.

Confirm Password*

Confirm the encryption password entered in the field above.

Import an Existing Key Store File

Checking this option displays the following options:

KeyStore File*

Click Browse… to locate and load an existing KeyStore file (File Format is: *.pse).

Password*

The password for the KeyStore (PSE) file.

Save Password

Skip this certificate Check this option if you do not want to or do not need to enter any information for this specific certificate at this time.

Skip all PKI certificates Check this option if you do not want to or do not need to enter information for any certificate at this time. This means you skip all the PKI certificates including the Root CA, SSL CA, SSL Server, and User CA certificates.

You can create or add certificate information at a later time in the CertificateManagement function of the Administration Console.

(36)

Select the SSL Certificate Generation Type

Choose an option for the SSL certificate.

Figure: Initial Configuration Wizard – Select the SSL Certificate Generation Type

It is possible to install or import SSL certificates later on using the administration console  Certificate Management. For more information, see section 3.3.3 Certificate

Management.

Generate an SSL certificate using the Secure Login

Administration Console

The SSL certificates for the SAP NetWeaver Application Server (or other Web application server) are created using the Secure Login Administration Console.

Skip all SSL certificates Check this option if you do not want to or do not need to enter information for SSL certificates at this time.

(37)

Create SSL CA Certificate

This step is optional and is only available if the option Generate an SSL certificate using the Secure Login administration console was chosen.

Figure: Initial Configuration Wizard – Create SSL CA Information Entries marked with * are mandatory.

Create a SSL CA by providing certificate information

Common Name*

Enter the common name of the certificate (CN). Example: SSL CA SAP Security

Organization

Locality

Country

(38)

Valid From*

Enter the date when the validity of the certificate starts (format: YYYY-MM-DD).

Valid To*

Enter the date when the validity of the certificate ends (format: YYYY-MM-DD).

Password*

Enter the password for this certificate in this field. The password length is limited to 20 characters.

Save Password

Confirm password*

KeyStore File*

Click Browse… to locate and load an existing Key Store File (file format: *.pse).

Password*

Save Password

Skip this certificate Check this option if you do not want to or do not need to enter any information for this specific certificate at this time.

After the configuration, choose Next to continue.

Create SSL Server Certificate

This step is optional and is only available if you chose the option Generate an SSL certificate using the Secure Login administration console.

(39)

Figure: Initial Configuration Wizard –SSL Server Information Entries marked with * are mandatory.

Create an SSL server by providing certificate information

Common Name*

Enter the common name of the certificate (CN). Example: Alias Server Name

Organization

Locality

Country

Subject Alternative Names (DNS)

Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name (FQDN). Example: [email protected]

(40)

1024, 1536, 2048, 3072, or 4096 bits).

Valid From*

Valid To*

Password*

In this field, you enter the password for this certificate. The password length is limited to 20 characters.

Save Password

If this checkbox is activated, this password will be stored. This means that you do not need to remember the password when editing this certificate at a later date.

Confirm Password*

KeyStore File*

Click Browse… to locate and load an existing KeyStore file (file format: *.p12).

Password*

The password for the KeyStore file.

Save Password

Skip this certificate Check this option if you do not want or do not need to enter any information for this specific certificate at this time.

(41)

Create User CA Certificate

Define the parameter for the user CA certificate.

Figure: Initial Configuration Wizard –User CA Information Entries marked with * are mandatory.

Create a user CA by providing certificate information

Common Name*

Enter the common name of the certificate (CN). Example: User CA SAP Security

Organization

Locality

Country

(42)

Valid From*

Valid To*

Password*

In this field you enter the password for this certificate. The password length is limited to 20 characters.

Save Password

Confirm Password*

KeyStore File*

Click Browse… to locate and load an existing KeyStore file (file format: *.pse).

Password*

Save Password

If this checkbox is activated, this password will be stored. This means that you do not need to remember the password when editing this certificate at a later date.

Skip this certificate Check this option if you do not want or do not need to enter any information for this specific certificate at this time.

(43)

Define Server Configuration

Define the parameters for the User Certificate Configuration and Application Information. The other configuration parameters are read-only (for verification reasons).

Figure: Initial Configuration Wizard – Server Configuration Entries marked with * are mandatory.

User Certificate Configuration

DN.country

DN.locality

DN.organization

DN.organizationalUnit

ValidityMinutes*

Information for a temporary certificate: The period of time (in minutes) that the user certificate is valid.

(44)

Application Information ServerHostName

FQDN name or IP address of this server.

This parameter is used for the client policy definition and can be used for centrally changing the server host name and the server port in the instance configuration of the Secure Login Server.

ServerPort

Port of this server.

This parameter is used for the client policy definition and can be used for central change.

Authentication Server Configuration

(read-only)

AuthConfigPath

Authentication server configurations file for the Secure Login Server.

Secure Login User CA Key Store

(read-only)

PseName

The user CA key store file path. If you created a user CA in the previous step, the file path is shown here.

Log Configuration

(read-only)

DailyLogDir

In this log path the user authentication information for the default instance is logged.

(for example, the user authentication was successful)

MonthlyLogDir

In this log path the instance information for the default instance is logged.

(for example, the default instance was started successful)

AdminConsoleLogDir

In this log path the admin console information for the Secure Login Administration Console is logged. (for example, the default instance configuration was changed)

LockDir

The path to which the lock file is saved. A lock file is created when the server encounters an internal error that requires manual intervention.

(45)

Setup Review

Verify the action points and choose the Finish pushbutton to complete the initial wizard configuration.

Figure: Initial Configuration Wizard –Setup Review

Finish Setup

After successful setup configuration this page appears. Restart the Secure Login Server application.

Figure: Initial Configuration Wizard – Congratulations

Use the Telnet application to stop and start the Secure Login Server application (for more information, see section2.2 Secure Login Server Installation with Telnet).

Another possibility in the Microsoft Windows environment is to use the SAP Management Console (sapmmc) application. Under AS Java Components, choose the application sap.com/SecureLoginServer and restart the application.

(46)

Microsoft Windows SAP Management Console

In Microsoft Windows environment the SAP Management Console (sapmmc) can be used to restart the Secure Login Server application. Mark the application sap.com/SecureLoginServer

and choose the option Restart (right-click option).

(47)

2.6.2 Enable Remote Access for Initial Wizard

This configuration step is optional and is only required if you want to perform the initial configuration from a remote computer.

For security reasons we recommend performing the initial configuration on the local host (same server computer on which the Secure Login Server resides).

In the configuration file web.xml, change the value to true for the parameter remoteAccess.

web.xml

<init-param>

<param-name>remoteAccess</param-name> <param-value>true</param-value> </init-param>

The configuration file web.xml is available in the following place:

Microsoft Windows <ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\se rvlet_jsp\securelogin\root\WEB-INF\web.xml Linux <ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/se rvlet_jsp/securelogin/root/WEB-INF/web.xml

(48)

2.6.3 Configure SSH Tunnel

This configuration step is optional and belongs to the Linux environment if no GUI is available. The localhost configuration can be performed using for example, PuTTY Configure the following parameter and choose Add.

Example: SSH tunnel configuration in PuTTY

Parameter Value

Source Port 5<instance_number>00 Example: 50000

Destination localhost:5<instance_number>00 Example: localhost:50000

After the SSH tunnel configuration, log on to this connection and perform the initial configuration. For more information, see section 2.6 Initial Configuration Wizard.

(49)

3 Administration

3 Administration

This chapter describes the configuration parameters in Secure Login Server.

3.1 Logon to Administration Console

To open the administration console, enter the following URL in a Web browser:

Communication URL

Unsecured http://<IP/FQDN>:5<instance_number>00/securelogin

Secured https://<IP/FQDN>:5<instance_number><https_port>/securelogin

You find the https port in the SSL setting of the SAP NetWeaver configuration. The port number is usually 50001 (corresponds to 01 in the table above).

The logon page appears.

Figure: Administration Console – Logon Page

Enter your administration user name (for example, Admin) and your password.

Authentication type Details

Local Login Default user name/password combination authenticated in the administration console database.

External Login User name/password combination authenticated in the authentication server database set in the JAAS module. Example: You can use the Microsoft Active Directory user database for logging on to the Secure Login Server administration console.

(50)

Authentication type Details

Edit Login Type Setting.

3.2 Welcome Page

After successful logon, the welcome page appears. This page also appears when you click on Home.

Figure: Administration Console – Welcome Page

The administration console interface allows you to easily configure the server to your needs. The main area is split into three panes:

 The top left-hand pane lists any tasks that have yet to be performed.

For example, Connection must be HTTPS refers to the missing SSL connection between the console and the Secure Login Server, or Server needs to be restarted informs you that the configuration has been changed, and you need to restart the Secure Login Server application for it to take effect.

 The bottom left-hand pane is the main navigation tree. For easy reference, each node represents tasks that can be performed within the Secure Login Server framework.  The right-hand pane displays the details of any node selected in the left-hand pane.  In the top right-hand corner there are three entries that appear on every page in the

console:

Change Password

This allows you to change the password for the current administrator/user account.

Logout

Fiori Configuration

Installation, Configuration and Administration Guide

SAP NetWeaver Single-Sign-On SP2

Secure Login Server

PUBLIC

Terms for Included Open

Source Software

Typographic Conventions

Icons

Contents

1 What is Secure Login? ... 9

1.1 System Overview ... 10

1.2 System Overview with Security Token ... 11

1.3 System Overview with Secure Login Server ... 14

1.4 Instances ... 16

1.5 PKI Structure ... 17

1.6 Secure Communication ... 18

1.7 Policy Server Overview ... 19

1.8 Secure Login Web Client ... 20

1.8.1 Export Restrictions ... 20

2 Secure Login Server Installation ... 21

2.1 Prerequisites ... 21

2.2 Secure Login Server Installation with Telnet ... 26

2.3 Secure Login Server Installation with JSPM ... 27

2.4 Secure Login Server Uninstallation ... 30

2.5 Updating the Secure Login Server to SP2 ... 30

2.6 Initial Configuration Wizard ... 31

3 Administration ... 49

3.1 Logon to Administration Console ... 49

3.2 Welcome Page ... 50

3.3 Server Configuration ... 52

3.4 Instance Management ... 92

3.5 Console Users ... 120

4.1 Configure Login Module ... 125

4.2 Verify Authentication Server Configuration ... 131

4.3 Create Technical User in SAP Server ... 133

4.4 Mozilla Firefox Support ... 133

4.5 Customize Secure Login Web Client ... 135

4.6 Configure SSL Certificate Logon ... 135

4.7 Configure External Login ID ... 136

4.8 Emergency Recovery Tool ... 136

4.9 Monitoring ... 139

4.10 Secure Login Client Policy and Profiles ... 141

4.11 Integrate into Existing PKI ... 146

4.12 Configuring Secure Login Servers as Failover Servers for High

Availability ... 147

4.13 Configuring Login Module Stacks as Failover Servers in SAP

NetWeaver ... 149

4.14 Setting Failover Timeouts of the Login Modules ... 152

4.15 Custom Use of Login Module with Login Module Stacks ... 152

5 Configuration Examples ... 154

5.1 Kerberos Authentication with SPNego ... 154

5.2 LDAP User Authentication ... 155

5.3 SAP User Authentication ... 156

5.4 RADIUS User Authentication... 157

5.5 Configuring RSA Authentication with RADIUS ... 158

6 Troubleshooting ... 161

6.1 Checklist User Authentication Problem ... 161

6.2 Secure Login Server SNC Problem ... 162

6.3 Enable Secure Login Server Trace ... 163

6.4 Enable Secure Login Library Trace ... 163

6.5 Secure Login Server Lock and Unlock ... 164

6.6 Access Denied Replies ... 165

6.7 Internal Server Message ... 165

6.8 Error Codes ... 166

7 List of Abbreviations ... 171

1 What is Secure Login?

1.1 System Overview

1.2 System Overview with Security Token

Main System Components

Authentication Methods

Workflow for X.509 Certificates

Workflow for Kerberos Token

1.3 System Overview with Secure Login Server

Main System Components

Authentication Methods

Workflow with X.509 Certificate Request

1.4 Instances

1.5 PKI Structure

Out-of-the-Box PKI Secure Login Server