Installation Configuration and Administration Guide SAP NetWeaver Single Sign On SP4 Secure Login Library

Installation, Configuration, and Administration Guide
SAP NetWeaver Single Sign-On SP4

Secure Login Library
PUBLIC
Document Version: 1.4 September 2012
2012 SAP AG. All rights reserved.
Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, MultiTouch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or
No part of this publication may be reproduced or transmitted in any
registered trademarks of Apple Inc.
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
IOS is a registered trademark of Cisco Systems Inc.
notice.
RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold,
Some software products marketed by SAP AG and its distributors
BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry
contain proprietary software components of other software vendors.
Storm2, BlackBerry PlayBook, and BlackBerry App World are

trademarks or registered trademarks of Research in Motion Limited.
Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and

Visual Studio are registered trademarks of Microsoft Corporation.
Google App Engine, Google Apps, Google Checkout, Google Data

API, Google Maps, Google Mobile Ads, Google Mobile Updater,
IBM, DB2, DB2 Universal Database, System i, System i5, System p,
Google Mobile, Google Store, Google Sync, Google Updater, Google
System p5, System x, System z, System z10, z10, z/VM, z/OS,
Voice, Google Mail, Gmail, YouTube, Dalvik and Android are
OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems,
trademarks or registered trademarks of Google Inc.
POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale,

PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS,
INTERMEC is a registered trademark of Intermec Technologies
HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX,
Corporation.
Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet

are trademarks or registered trademarks of IBM Corporation.
Wi-Fi is a registered trademark of Wi-Fi Alliance.
Linux is the registered trademark of Linus Torvalds in the United
Bluetooth is a registered trademark of Bluetooth SIG Inc.
States and other countries.

Motorola is a registered trademark of Motorola Trademark Holdings
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are
LLC.
trademarks or registered trademarks of Adobe Systems Incorporated in

the United States and other countries.
Computop is a registered trademark of Computop

Wirtschaftsinformatik GmbH.
Oracle and Java are registered trademarks of Oracle and its affiliates.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the
BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP
Open Group.
products and services mentioned herein as well as their respective

logos are trademarks or registered trademarks of SAP AG in Germany
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,
and other countries.
VideoFrame, and MultiWin are trademarks or registered trademarks of

Citrix Systems Inc.
Business Objects and the Business Objects logo, BusinessObjects,

Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and
HTML, XML, XHTML, and W3C are trademarks or registered
other Business Objects products and services mentioned herein as well
trademarks of W3C, World Wide Web Consortium, Massachusetts
as their respective logos are trademarks or registered trademarks of
Institute of Technology.
Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere,
Open LDAP http://www.openldap.org/
and other Sybase products and services mentioned herein as well as

their respective logos are trademarks or registered trademarks of
Sybase Inc. Sybase is an SAP company.
The OpenLDAP Public License

Version 2.8, 17 August 2003
Crossgate, m@gic EDDY, B2B 360, and B2B 360 Services are
Redistribution and use of this software and associated documentation
registered trademarks of Crossgate AG in Germany and other
("Software"), with or without modification, are permitted provided
countries. Crossgate is an SAP company.
that the following conditions are met:
All other product and service names mentioned are the trademarks of
1. Redistributions in source form must retain copyright statements
their respective companies. Data contained in this document serves
and notices,
informational purposes only. National product specifications may

vary.
2. Redistributions in binary form must reproduce applicable copyright

statements and notices, this list of conditions, and the following
These materials are subject to change without notice. These materials
disclaimer in the documentation and/or other materials provided
are provided by SAP AG and its affiliated companies ("SAP Group")
with the distribution, and
for informational purposes only, without representation or warranty of

any kind, and SAP Group shall not be liable for errors or omissions
3. Redistributions must contain a verbatim copy of this document.
with respect to the materials. The only warranties for SAP Group
products and services are those that are set forth in the express
The OpenLDAP Foundation may revise this license from time to time.
warranty statements accompanying such products and services, if any.
Each revision is distinguished by a version number. You may use
Nothing herein should be construed as constituting an additional
this Software under terms of this license revision or under the
warranty.
terms of any subsequent revision of the license.
Disclaimer
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP
Some components of this product are based on Java. Any
FOUNDATION AND ITS
code change in these components may cause unpredictable
CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED
and severe malfunctions and is therefore expressively
WARRANTIES,
prohibited, as is any decompilation of these components.
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

WARRANTIES OF MERCHANTABILITY
Any Java Source Code delivered with this product is
AND FITNESS FOR A PARTICULAR PURPOSE ARE
only to be used by SAPs Support Services and may not be
DISCLAIMED. IN NO EVENT
modified or altered in any way.
SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS,

OR THE AUTHOR(S)
Terms for Included Open

Source Software
OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY

DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
This SAP software contains also the third party open source software
DAMAGES (INCLUDING,
products listed below. Please note that for these third party products
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
the following special terms and conditions shall apply.
GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

CONTRACT, STRICT
University of Cambridge Computing Service,
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
Cambridge, England.
OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
Copyright (c) 1997-2010 University of Cambridge
ADVISED OF THE
All rights reserved.
POSSIBILITY OF SUCH DAMAGE.

The names of the authors and copyright holders must not be used in
THE C++ WRAPPER FUNCTIONS
advertising or otherwise to promote the sale, use or other dealing

in this Software without specific, written prior permission. Title
Contributed by: Google Inc.
to copyright in this Software shall at all times remain with copyright

holders.
Copyright (c) 2007-2010, Google Inc.

OpenLDAP is a registered trademark of the OpenLDAP Foundation.

Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
THE "BSD" LICENCE
California, USA. All Rights Reserved. Permission to copy and

distribute verbatim copies of this document is granted.
Redistribution and use in source and binary forms, with or without

modification, are permitted provided that the following conditions are
PCRE http://www.pcre.org/
met:
PCRE LICENCE
* Redistributions of source code must retain the above copyright

notice, this list of conditions and the following disclaimer.
PCRE is a library of functions to support regular expressions whose

syntax and semantics are as close as possible to those of the Perl 5
* Redistributions in binary form must reproduce the above copyright
language.
notice, this list of conditions and the following disclaimer in the

documentation and/or other materials provided with the distribution.
Release 8 of PCRE is distributed under the terms of the "BSD"

licence, as specified below. The documentation for PCRE, supplied in
* Neither the name of the University of Cambridge nor the name of
the "doc" directory, is distributed under the same terms as the software
Google Inc. nor the names of their contributors may be used to endorse
itself.
or promote products derived from this software without specific prior

written permission.
The basic library functions are written in C and are freestanding. Also
included in the distribution is a set of C++ wrapper functions.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT

HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
THE BASIC LIBRARY FUNCTIONS
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

AND FITNESS FOR A PARTICULAR PURPOSE ARE
Written by:
Philip Hazel
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
Email local part: ph10
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
Email domain:
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
cam.ac.uk
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
3. All advertising materials mentioning features or use of this software
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
must display the following acknowledgement:
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
"This product includes cryptographic software written by Eric Young
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
(eay@cryptsoft.com)"
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
The word 'cryptographic' can be left out if the rouines from the library
ARISING IN ANY WAY OUT OF THE USE OF THIS
being used are not cryptographic related :-).
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
4. If you include any Windows specific code (or a derivative thereof)
SUCH DAMAGE.
from the apps directory (application code) you must include an

acknowledgement:
SSLeay http://www2.psy.uq.edu.au/~ftp/Crypto/ssleay/
"This product includes software written by Tim Hudson

(tjh@cryptsoft.com)"
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
This package is an SSL implementation written by Eric Young
NOT LIMITED TO, THE IMPLIED WARRANTIES OF
(eay@cryptsoft.com). The implementation was written so as to
MERCHANTABILITY AND FITNESS FOR A PARTICULAR
conform with Netscapes SSL.
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE

AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
This library is free for commercial and non-commercial use as long as
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
the following conditions are aheared to. The following conditions
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
apply to all code found in this distribution, be it the RC4, RSA, lhash,
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
DES, etc., code; not just the SSL code. The SSL documentation
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
included with this distribution is covered by the same copyright terms
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
except that the holder is Tim Hudson (tjh@cryptsoft.com).
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,

OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
Copyright remains Eric Young's, and as such any Copyright notices in
RISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
the code are not to be removed.
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
If this package is used in a product, Eric Young should be given

attribution as the author of the parts of the library used.
The licence and distribution terms for any publically available version
This can be in the form of a textual message at program startup or in
or derivative of this code cannot be changed. I.e. this code cannot
documentation (online or textual) provided with the package.
simply be copied and put under another distribution licence [including

the GNU Public Licence.]
Redistribution and use in source and binary forms, with or without

modification, are permitted provided that the following conditions are
met:
1. Redistributions of source code must retain the copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
Typographic Conventions
Type Style
Example Text
Description
Words or characters quoted from
the screen. These include field
names, screen titles,
pushbuttons labels, menu
names, menu paths, and menu
options.
Cross-references to other
documentation
Example text
Emphasized words or phrases in

body text, graphic titles, and
table titles
EXAMPLE TEXT
Technical names of system

objects. These include report
names, program names,
transaction codes, table names,
and key concepts of a
programming language when
they are surrounded by body
text, for example, SELECT and
INCLUDE.
Example text
Output on the screen. This

includes file and directory names
and their paths, messages,
names of variables and
parameters, source text, and
names of installation, upgrade
and database tools.
Example text
Exact user entry. These are

words or characters that you
enter in the system exactly as
they appear in the
documentation.
<Example text>
Variable user entry. Angle

brackets indicate that you
replace these words and
characters with appropriate
entries to make entries in the
system.
EXAMPLE TEXT
Keys on the keyboard, for

example, F2 or ENTER.
Icons
Icon
Meaning
Caution
Example
Note
Recommendation
Syntax
Additional icons are used in SAP Library

documentation to help you identify different
types of information at a glance. For more
information, see Help on Help General
Information Classes and Information Classes
for Business Information Warehouse on the
first page of any version of SAP Library.
Contents
1 What is Secure Login? ....................................................................... 9
1.1 System Overview ..................................................................................... 10
1.2 Main System Components ..................................................................... 10
2 Secure Login Library Installation .................................................... 12

2.1 Prerequisites ............................................................................................ 12
2.2 Installation on a Microsoft Windows Operation System .................... 13
2.3 Installation on a UNIX/Linux Operating System .................................. 15
2.4 Updating the Secure Login Library ....................................................... 17
2.5 Uninstallation ........................................................................................... 17
3 Secure Login Library Configuration................................................ 18

3.1 SNC X.509 Configuration ........................................................................ 18
3.2 SNC Kerberos Configuration ................................................................. 22
3.3 Using Kerberos for SNC with Users in Different Domains ................ 28
3.4 Authentication with X.509 Certificates and Kerberos ........................ 29
4 Configuration Options ...................................................................... 30

4.1 Enable Trace ............................................................................................. 30
4.2 Command Line Tool SNC ....................................................................... 31
4.2.1 Display Software Version Numbers ............................................................................ 32
4.2.2 Display Security Token Information ............................................................................ 32
4.2.3 Test SNC Function...................................................................................................... 33
4.2.4 Create PSE Environment ............................................................................................ 33
4.2.5 Distributing PSEs in a Cluster Environment ............................................................... 34
4.2.6 Register PKCS#12 to PSE ......................................................................................... 34
4.2.7 Unregister Security Token from PSE .......................................................................... 35
4.2.8 Create Kerberos Keytab ............................................................................................. 35
4.2.9 Import Trusted Certificate to PSE ............................................................................... 36
4.2.10 Remove Trusted Certificate from PSE...................................................................... 36
4.2.11 Create Root CA Token ............................................................................................. 36
4.2.12 Create SNC Server Token ........................................................................................ 37
4.3 Communication Protocol Parameters .................................................. 37

4.3.1 Reference of the Communication Protocol Parameters (Server) ............................... 38
4.3.2 Reference of the Communication Protocol Parameters (Client) ................................ 40
4.4 Use Cases of the Communication Protocol Parameters .................... 42

4.4.1 Configuring Certificate Lifetime in sigsession and ParallelSessions Mode ................ 42
4.4.2 Configuring sigsession Mode ...................................................................................... 42
4.4.3 Configuring ParallelSessions Mode ............................................................................ 44
4.4.4 Define Symmetric Algorithm ....................................................................................... 45
4.4.5 Uppercase Distinguished Name ................................................................................. 46
4.4.6 Alternative Name DN Feature ..................................................................................... 47
4.4.7 Shorten Long Distinguished Names ........................................................................... 49
4.4.8 User Schemas for SNC Names .................................................................................. 50
4.5 User Mapping ........................................................................................... 51
5 Using Certificate Revocation Lists .................................................. 54

5.1 Downloading CRLs with the CRL Tool ................................................. 54
5.2 Configuring the CRL Tool ....................................................................... 56
6 Use Cases .......................................................................................... 60
09/2012
Installation Guide: Secure Login Library
6.1 Support for Authentication with Kerberos and X.509 on AS ABAP . 60

6.1.1 Prerequisites ............................................................................................................... 60
6.1.2 Installation and Configuration Steps ........................................................................... 61
7 Troubleshooting ................................................................................ 63
7.1 SNC Library Not Found ........................................................................... 63
7.2 Credentials Not Found ............................................................................ 63
7.3 No User Exists with SNC Name ............................................................. 64
8 List of Abbreviations ........................................................................ 65

9 Glossary ............................................................................................. 67
09/2012
1 What is Secure Login?

Secure Login is an innovative software solution created specifically to improve user and IT
productivity and to protect business-critical data in SAP business solutions through secure
single sign-on to the SAP environment.
Secure Login provides strong encryption, secure communication, and single sign-on between
a wide variety of SAP components.
Examples:
SAP GUI and SAP NetWeaver platform with Secure Network Communications (SNC)
Web GUI and SAP NetWeaver platform with Secure Socket Layer SSL (HTTPS)
Third party application server, supporting X.509 certificates
In a default SAP setup, users enter their SAP user name and password on the SAP GUI
logon screen. SAP user names and passwords are transferred through the network without
encryption.
To secure networks, SAP provides a Secure Network Communications interface (SNC) that
enables users to log on to SAP systems without entering a user name or password. The SNC
interface can also pass calls through the Secure Login Library to encrypt all communication
between the SAP GUI and a SAP server, thus providing secure single sign-on to SAP.
Secure Login allows you to benefit from the advantages of SNC without the need to set up a
Public Key Infrastructure (PKI). Secure Login allows users to authenticate via one of the
following authentication mechanisms:
Windows Domain (Active Directory Server)

RADIUS server
LDAP server
SAP NetWeaver server
Smart card authentication
If a PKI has already been set up, the digital user certificates of the PKI can also be used by
Secure Login.
Secure Login also provides single sign-on for Web browser access to the SAP Portal (and
other HTTPS-enabled Web applications) with SSL.
09/2012
1.1 System Overview

Secure Login is a client/server software system integrated with SAP software to facilitate
single sign-on, alternative user authentication, and enhanced security for distributed SAP
environments.
The Secure Login solution includes three components:
Secure Login Server

Central service that provides X.509v3 certificates (out of the box PKI) to users and
application server. The Secure Login Web Client is also provided.
Cryptographic Library for the SAP NetWeaver ABAP system. The Secure Login Library
supports X.509 and Kerberos technology in parallel.
Secure Login Client
Client application that provides security tokens (Kerberos and X.509 technology) for a
variety of applications.
The Secure Login Library is integrated with SAP software to provide single sign-on capability
and enhanced security. An existing PKI structure or the Kerberos technology can be used for
user authentication.
You do not need to install all of the components. This depends on your use case scenario.
For more information about Secure Login Server and Secure Login Client see their
Installation, Configuration and Administration Guides.
1.2 Main System Components

The following figure shows the Secure Login system environment with the main system
components:
Figure: Secure Login System Environment with existing PKI and Kerberos
10
09/2012
The Secure Login Client is responsible for the certificate-based authentication and Kerberosbased authentication to the SAP Application Server and for secure communication.
For more information about Secure Login Server and Secure Login Client see the
Installation, Configuration and Administration Guide.
09/2012
11
2 Secure Login Library Installation

This section explains how to install Secure Login Library.
2.1 Prerequisites
This section deals with the prerequisites and requirements for the installation of Secure Login
Library.
You can download the SAP NetWeaver Single Sign-On software from the SAP Service
Marketplace. Go to https://service.sap.com/swdc and choose Support Package and Patches
> Browse our Download Catalog > SAP NetWeaver and complementary products > SAP
NetWeaver Single Sign-On > SAP NetWeaver Single Sign-On 1 > Comprised Software
Component Versions > Secure Login Library 1.0. The Secure Login Library is available for
the following operating systems:
AIX 32-bit
AIX 64-bit
HP-UX on IA-64 64-bit
HP-UX on PA-RISC 32-bit
HP-UX on PA-RISC 64-bit
Linux on IA32 32-bit
Linux on IA-64 64-bit
Linux on Power 64-bit
Linux on x86_64 64-bit
Linux on zSeries 64-bit
MacOS X 64-bit
Solaris on SPARC 32-bit
Solaris on SPARC 64-bit
Solaris on x64_64 64-bit
TRU64 64-bit
Microsoft Windows Server on IA32 32-bit
Microsoft Windows on IA-64 64-bit
Microsoft Windows on x64 64-bit
Hardware Requirements
Details
Hard Disk Space
10 MB Hard Disk Space
Random Access Memory
Min. 1 GB RAM
Software Requirements
Details
Operating Systems
Microsoft Windows Server 2003 x64 64-bit

Microsoft Windows Server 2003 on IA-64 64-bit
Microsoft Windows Server 2008 x64 64-bit
Microsoft Windows Server 2008 on IA-64 64-bit
12
09/2012
Microsoft Windows Server 2008 R2 x64 64-bit

Microsoft Windows Server 2008 R2 on IA-64 64-bit
AIX 5.2, 5.3, 6.1, 7.1 Power 64-bit
HP-UX 11.11, 11.23, 11.31 PA-RISC 64-bit
HP-UX 11.23, 11.31 IA-64 64-bit
Solaris 9, 10 SPARC 64-bit
Solaris 10 x64 64-bit
Linux SLES 9, 10, 11 IA-64 64-bit
Linux SLES 9, 10, 11 x86_64-bit
Linux SLES 9, 10, 11 Power 64-bit
Linux RHEL 4, 5, 6 IA-64 64-bit
Linux RHEL 4, 5, 6 x86_64-bit
Linux RHEL 4, 5, 6 Power 64-bit
OSF1 5.1 Alpha 64-bit
Mac OS X 10.5 Universal 96 (32-bit / 64-bit)
SAP Application Server
SAP R/3 Release 4.6C

SAP R/3 Enterprise Release 4.70
SAP Web Application Server 6.10
SAP NetWeaver 2004
SAP NetWeaver 7.0
SAP NetWeaver 7.0 EHP1
SAP NetWeaver 7.0 EHP2
SAP NetWeaver 7.3
SAPCRYPTOLIB
The SAPCRYPTOLIB is required to use the

transaction STRUST (PSE Management).
For more information, see the Product Availability Map of SAP NetWeaver Single Sign-On
1.0.
2.2 Installation on a Microsoft Windows

Operation System
Before starting the installation process, the Secure Login Library software
SECURELOGINLIB.SAR must be available. Copy the file to the target SAP NetWeaver
Application Server.
Secure Login Library must be installed in a directory to which the Application Server has
access at runtime. We recommend that you create this directory below the SAP NetWeaver
Application Server.
09/2012
13
Step 1 - Create Folder SLL

Create a new folder named SLL in:
<INSTDIR>\<SID>\DVEBMGS<instance_number>\SLL
Microsoft Windows Example:
D:\usr\sap\ABC\DVEBMGS00\SLL
Step 2 - Extract SECURELOGINLIB.SAR

Extract the file SECURELOGINLIB.SAR to the new folder with the SAPCAR command line
tool.
sapcar xvf <SourcePath>\SECURELOGINLIB.SAR R
<INSTDIR>\<SID>\DVEBMGS<instance_number>\SLL
Example:
sapcar xvf D:\SECURELOGINLIB.SAR R D:\usr\sap\ABC\DVEBMGS00\SLL
Step 3 - Test Secure Login Library

To verify Secure Login Library, use the following snc command:
<INSTDIR>\<SID>\DVEBMGS<instance_number>\SLL\snc.exe
Microsoft Windows Example
D:\usr\sap\ABC\DVEBMGS00\SLL\snc.exe
The system displays further information about the Secure Login Library.
The test is successful if the product version is displayed.
Figure: Verify Secure Login Library with the command snc
14
09/2012
2.3 Installation on a UNIX/Linux Operating

System
Before starting the installation process, the Secure Login Library software
SECURELOGINLIB.SAR must be available. Copy the file to the target SAP NetWeaver
Application Server.
Secure Login Library must be installed in a directory to which the Application Server has
access to at runtime. We recommend that you create this directory below the SAP
NetWeaver Application Server.
Perform the configuration steps for the Secure Login Library with the user account that
will start the SAP application (for example, <SID>adm). Once configuration is complete,
the <SID>adm user needs to have access rights to the Secure Login Library.
Step 1 - Create Folder SLL

Create a new folder named SLL in:
<INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL
Example:
/usr/sap/ABC/DVEBMGS00/SLL
Step 2 - Extract SECURELOGINLIB.SAR

Extract the file SECURELOGINLIB.SAR to the new folder with the SAPCAR command line
tool.
sapcar xvf <SourcePath>/SECURELOGINLIB.SAR R
<INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/
Example:
sapcar xvf /tmp/SECURELOGINLIB.SAR R
/usr/sap/ABC/DVEBMGS00/SLL/
Step 3 - Define File Attributes in UNIX/Linux

To use shared libraries in shell (operating system UNIX/Linux), you need to set the file
permission attributes with the following command:
chmod +rx <INSTDIR>/<SID>/DVEBMS<instance_number>/SLL/snc lib*
Example
chmod +rx /usr/sap/ABC/DVEBMS00/SLL/snc lib*
09/2012
15
To use the shell under the operating system HP-UX with the shared libraries, you need to
set an attribute with the following command:
chatr +s enable <INSTDIR>/<SID>/DVEBMS<instance_number>/SLL/snc
Step 4 - Define File Owner in UNIX/Linux

Apply access rights to the user account that will start the SAP application (for example,
<SID>adm).
Change to the folder <INSTDIR>/<SID>/DVEBMS<instance_number>/SLL/ and use the
following command:
chown [OWNER]:[GROUP] *
Example
chown abcadm:sapsys
Step 5 - Test Secure Login Library

To verify Secure Login Library, use the snc command (in UNIX/Linux environment test with
user <SID>adm):
<INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/snc
Example:
/usr/sap/ABC/DVEBMGS00/SLL/snc
The system displays further information about the Secure Login Library.
The test is successful if the product version is displayed.
Figure: Verify Secure Login Library with the command snc
16
09/2012
2.4 Updating the Secure Login Library

You can download the Support Package software from the SAP Service Marketplace. Go to
https://service.sap.com/swdc and choose Support Package and Patches > Browse our
Download Catalog > SAP NetWeaver and complementary products > SAP NetWeaver Single
Sign-On > SAP NetWeaver Single Sign-On 1.0. ADAPT_LINK
Simply copy the new version to the relevant folder and replace the old library files.
2.5 Uninstallation
This section explains how to uninstall Secure Login Library.
Remove Folder SLL

Remove the folder and the files in it:
Microsoft Windows
<INSTDIR>\<SID>\DVEBMGS<instance_number>\SLL\
UNIX/Linux
Deactivate SNC Library Configuration

This step is optional and required only if the Secure Login Library is configured in an SAP
NetWeaver instance profile parameter.
If you want deactivate SNC, define the following instance profile parameter and restart the
SAP NetWeaver ABAP Application Sever:
snc/enable = 0
For more information about the instance profile parameters see section 3 Secure Login
Library Configuration.
09/2012
17
3 Secure Login Library Configuration

You perform the SNC configuration for the SAP NetWeaver server system using the instance
profile. Use the transaction RZ10 to maintain the SNC profile parameters.
The Secure Login Library can be configured to accept user authentications based on
Kerberos tokens and X.509 certificates. Both authentication mechanisms can be used in
parallel.
You can create or import X.509 certificates in the Trust Manager using the transaction
STRUST. To configure the Secure Login Library for Kerberos, you can use a command line
tool.
For the complete description of the SNC interface and parameters, see the SAP SNC manual
(http://help.sap.com).
If you want to manage your PSEs in the Trust Manager, you must use SAPCRYPTOLIB.
SAPCRYPTOLIB comes with the SAP NetWeaver AS ABAP. If you do not run an SAP
NetWeaver AS ABAP, download SAPCRYPTOLIB from the SAP Service Marketplace.
Go to https://service.sap.com/swdc, choose Search for Software Downloads, and look for
the relevant download package.
You must set the environment variable secudir if you use SAP NetWeaver AS ABAP 7.0.
Otherwise SAP NetWeaver AS ABAP 7.0 does not start.
3.1 SNC X.509 Configuration

This section describes the SNC X.509 certificate configuration.
Prerequisites
The Secure Login Library uses X.509 client or server certificates for SNC connections. It
supports either no key usage in X.509 certificates or one or more supported key usages. The
supported key usages depend on whether the X.509 certificate is used for client-server or
server-server communication. Make sure the X.509 certificates are configured with supported
values.
For a list of the key usages the Secure Login Library supports for SNC, see the following
tables.
Key Usage for X.509 Client Certificates for Client-Server Communication
Certificate Fields
Values
Mode
[No key usage field]
[No values]
[No mode]
Key Usage
Digital Signature
sigsession, ParallelSessions
mode
Key Usage
Data Encipherment
Encryption
Key Usage
Key Encipherment
Encryption
18
09/2012
Key Usage for X.509 Server Certificates for Client-Server and Server-Server Communication
Certificate Fields
Values
Mode
[No key usage field]
[No values]
[No mode]
Key Usage
Digital Signature
sigsession, ParallelSessions
mode (client-server only)
Encryption
SNC Parameters
Log on to the SAP NetWeaver Application Server using SAP GUI. Start the transaction RZ10
and define the following SNC parameters in Instance Profile.
Parameter
Value
snc/enable
1
0
snc/gssapi_lib
Define the SNC library.

Microsoft Windows
<Path>\SLL\secgss.dll
HP-UX
<Path>/SLL/libsecgss.sl
Solaris / Linux / AIX
<Path>/SLL/libsecgss.so
snc/identity/as
Define the SNC name of the SAP servers security token.

X.509 Certificate Token
p:<X.509_Distinguished_Name>
Activate SNC
Deactivate SNC
Example:
p:CN=ABC, OU=SAP Security

Hint: If X.509 certificate token and Kerberos tokens are
used in parallel, define the X.509 certificate distinguished
name. This value is case sensitive.
snc/data_protection/max
snc/data_protection/min
snc/data_protection/use
snc/r3int_rfc_secure
snc/r3int_rfc_qop
snc/accept_insecure_cpic
snc/accept_insecure_gui
1 Accept insecure communication

Use this value if both insecure and secure
communication is to be allowed for SAP GUI.
0 Disallow insecure communication
Use this value only if secure communication is to be
allowed only (no insecure communication) for SAP GUI.
09/2012
19
U User-defined (User Management SU01)

Use this value if insecure or secure communication for
SAP GUI application is to be configured in the user
management tool (SU01).
We recommend that you set this value to 1. If you want to
enforce higher security, change this value to 0 (for all) or
U (user dependent).
snc/accept_insecure_rfc
snc/permit_insecure_start
snc/force_login_screen
Import X.509 Certificate

Start transaction STRUST and import the SAP server certificate. The SAP server certificate
must be available in a PSE format.
For a client/server communication, the certificates must be provided by a Public Key
Infrastructure (PKI). If no PKI is available the Secure Login Server (out of the box PKI)
can be used to provide certificates.
From the PSE menu, choose Import.
Figure: Transaction STRUST Import X.509 Certificate

Load the PSE file by entering the password, navigate back to the PSE menu, choose Save
as, and select SNC SAPCryptolib.
20
09/2012
Figure: Save PSE as SNC SAPCryptolib

If the certificate distinguished name of the PSE file does not match the SNC name
configuration set in the instance profile parameter (snc/identity/as), an error message
appears. This verification check is performed only if SNC is activated.
You can see trusted certificates that have been imported with the transaction STRUST if you
enter the following command:
Microsoft Windows:
<INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/snc O <SAPServiceSID>
Linux:
<INSTDIR>/<SID>adm/DVEBMGS<instance_number>/SLL/snc O <SIDadm>
Example
Microsoft Windows:
/usr/sap/ABC/DVEBMGS00/SLL/snc O SAPServiceABC
UNIX/Linux:
/usr/sap/ABCadm/DVEBMGS00/SLL/snc O absadm
Restart SAP NetWeaver Application Server

Verify the following checklist and restart the SAP NetWeaver Application Server.
Secure Login Library is installed and if required in shell, the environment variable
SECUDIR is defined.
File access rights are defined for Secure Login Library.
SNC parameters are defined in the instance profile.
Correct path and filename configuration for the SNC library.
Correct definition of the SNC name (case sensitive).
X.509 certificate for the SAP System has been imported using STRUST.
09/2012
21
3.2 SNC Kerberos Configuration

This section describes the SNC Kerberos configuration.
SNC Parameter
Log on to the SAP NetWeaver Server using SAP GUI. Start transaction RZ10 and define the
following SNC parameters In the instance profile.
Parameter
Value
snc/enable
1
0
snc/gssapi_lib
Define the SNC library.

Microsoft Windows
<Path>\SLL\secgss.dll
HP-UX
<Path>/SLL/libsecgss.sl
Solaris / Linux / AIX
<Path>/SLL/libsecgss.so
snc/identity/as
Define the SNC name of the SAP servers security token.

Kerberos Token
p:CN=<ServicePrincipalName>
Activate SNC
Deactivate SNC
Example:
p:CN=SAP/KerberosABC@DEMO.LOCAL
Hint: If X.509 certificate token and Kerberos tokens are
used in parallel, define the X.509 certificate distinguished
name. This value is case-sensitive.
snc/data_protection/max
snc/data_protection/min
snc/data_protection/use
snc/r3int_rfc_secure
snc/r3int_rfc_qop
snc/accept_insecure_cpic
snc/accept_insecure_gui
1 Accept insecure communication

Use this value if insecure and secure communication
should be allowed for SAP GUI.
0 Disallow insecure communication
Use this value only if secure communication is to be
allowed (no insecure communication) for SAP GUI.
U User-defined (User Management SU01)
Use this value if insecure or secure communication for
SAP GUI is to be configured in the user management tool
22
09/2012
(SU01).
We recommend that you set this value to 1. If you want to
enforce higher security, change this value to 0 (for all) or
U (user-dependent).
snc/accept_insecure_rfc
snc/permit_insecure_start
snc/force_login_screen
Microsoft Windows Account for SAP Server

In order to verify user Kerberos authentication, the Secure Login Library requires a Kerberos
keytab which you can create using the command line tool, provided by Secure Login Library.
The Kerberos keytab contains Kerberos principals and encrypted keys that are derived from
the Microsoft Windows user password. Therefore a Microsoft Windows account in Microsoft
Active Directory is required.
Create a Microsoft Windows Account

Create a new Microsoft Windows Account. We recommend the format Kerberos<SID>.
Figure: Create a Microsoft Windows Account

Define a password and choose the option User cannot change password and Password
never expires.
09/2012
23
Figure: Create a Microsoft Windows Account

Make sure the password is as complex as possible.
Define Service Principal Name

The Service Principal Name will be used to provide Kerberos service tokens to the requested
users. This Service Principal Name is also required for the SNC name configuration.
Start the Microsoft Windows tool ADSIEDIT; choose the Microsoft Windows user (in our
example: KerberosABC) and define the field servicePrincipalName.
Figure: Define Service Principal Name

The mandatory format is SAP/Kerberos<SID>.
24
09/2012
Figure: Define Service Principal Name
Check for Multiple Service Principal Names

If the Secure Login Client does not get a service ticket from the domain server, this may be
due to the fact that the Service Principal Name used has been assigned several times in the
Active Directory system. Use the following command to check this:
Example:
setspn T * -T foo -X
Create Kerberos Keytab

You create the Kerberos keytab using a command line tool provided by Secure Login Library.
This Kerberos keytab is stored in the Personal Security Environment (pse.zip), which is a
container for security tokens.
Perform the configuration steps with the user account that will start the SAP application (for
example, <SID>adm). This does not apply for the Microsoft Windows operating system.
Create PSE Environment

Log on to the operating system where the Secure Login Library is installed. Open a command
line window and change to the Secure Login Library folder.
Microsoft Windows
<INSTDIR>\<SID>\DVEBMGS<instance_number>\SLL\
UNIX/Linux
Temporarily define the environment variable SECUDIR to perform the subsequent
configuration steps.
09/2012
25
Microsoft Windows
set SECUDIR=<INSTDIR>\<SID>\DVEBMGS<instance_number>\sec
UNIX/Linux (depends on shell)
setenv SECUDIR <INSTDIR>/<SID>/DVEBMGS<instance_number>/sec
export SECUDIR=<INSTDIR>/<SID>/DVEBMGS<instance_number>/sec
If no Personal Security Environment (PSE) is available; enter the following command to

create a PSE:
snc crtpse x <PSE_management_password>

The PSE management password is used if the PSE environment (pse.zip) is copied to
another host system. By default, a PSE can be used by the host system (if correct
hostname), or using this management password.
For more information, see section 4.2 Command Line Tool SNC.
Use the command snc to verify the location in which the PSE (pse.zip) was created. The PSE
is created in the path in which the environment variable SECUDIR is defined.
Figure: Verify PSE Location

PSE directory must point to the <INSTDIR>/<SID>/DVEBMS<instance_number>/sec
folder. The environment variable SECUDIR is defined automatically by the SAP server
process.
Define this environment variable manually (shell) if you need to access the PSE (for
example, using the snc command line application).
Generate Kerberos Keytab in PSE Environment

To create a Kerberos keytab in the PSE, enter the following command. The Service Principal
Name and the password of the Microsoft Windows account are required.
snc crtkeytab s SAP/Kerberos<SID>@<DOMAIN> -p <password>

Example
26
09/2012
snc crtkeytab s SAP/KerberosABC@DEMO.LOCAL -p **********
The domain name needs to be defined in uppercase.

Use the command snc to verify if the Kerberos keytab was generated.
Figure: Verify Kerberos keytab
Restart SAP NetWeaver Application Server

Verify the following checklist and restart the SAP NetWeaver Application Server.
Secure Login Library is installed and if required in shell; the environment variable
SECUDIR is defined.
File access rights are defined for Secure Login Library.
SNC parameters are defined in the instance profile.
Correct path and filename configuration for the SNC library.
Correct definition of the SNC name (case sensitive).
PSE Environment was created and the Kerberos keytab has been imported using the
Secure Login Library command line tool.
Verify SAP Server SNC Status

After you have restarted the SAP NetWeaver Application Server; verify the SNC status in the
log file dev_w0.
The result should be SNC (Secure Network Communication) enabled.
Example:
<INSTDIR>\<SID>\DVEBMGS<instance_number>\work\dev_w0
N SncInit(): Initializing Secure Network Communication (SNC)
N
PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=D:\usr\sap\ABC\DVEBMGS00\SLL\secgss.dll
09/2012
27
N File "D:\usr\sap\ABC\DVEBMGS00\SLL\secgss.dll" dynamically loaded as

GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
N SncInit(): found snc/identity/as=p:CN=ABC, OU=SAP Security
N
N Thu May 05 16:42:15 2011
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=Indefinite
M ***LOG R1Q=> p:CN= ABC, OU=SAP Security [thxxsnc.c 265]
M SNC (Secure Network Communication) enabled
Another possibility is to use transaction ST11 and open dev_w0.
If there are problems with the SNC configuration, the SAP server system will no longer
start. A quick solution is to disable SNC.
Open the instance profile configuration file and configure the parameter snc/enable = 0.
Restart the SAP NetWeaver Application Server and verify the SNC installation and
configuration.
3.3 Using Kerberos for SNC with Users in

Different Domains
Use Case
You use Kerberos for SNC and you have users in several Active Directory domains. In such
an environment, it would be the best to have a trust relationship between the different
domains. Every user would then be able to receive an authentication ticket from the Domain
Controller for this users domain. As a consequence, the user would be able to use this ticket
for the server, which might be in a different domain.
Since it is not so easy to configure trust relationship for different domains, the Secure Login
Library also supports another option.
Configuring Kerberos Users for Different Domains (ABAP

Server)
You have different Active Directory domains that are managed by different Domain
Controllers. Proceed as follows:
1. Create users with service principal name in each domain. The user names are
identical whereas the domain names differ. This user name is supposed to be used
for an ABAP server.
Example
You have created the user name KerberosNW1 in the Active Directory domain
DOMAIN1.COM with the service principal name
28
09/2012
SPN=SAP/KerberosNW1@DOMAIN1.COM. In the second domain called DOMAIN2.COM,

you have created a user with the same user name (KerberosNW1). Its service principal
name is SPN=SAP/KerberosNW1@DOMAIN2.COM.
2. Create keytabs for both service principal names.

3. To configure snc/identity/as, enter the value p:CN=SAP/Kerberos<SID>.
Now the ABAP server accepts Kerberos authentication tickets from this user because
keytabs for both domains are available.
There is a keytab for each domain. It is also possible to set the SNC name of the server
automatically to p:CN=SAP/Kerberos<SID>. The user logs on, and the client receives a
Kerberos authentication ticket for SAP/KerberosNW1 from the respective domain controller.
The user name SAP/Kerberos<SID> is known in each domain. The server authenticates
the ticket because the keytabs of all domains are registered in the server.
See also SAP Note 1763075.
3.4 Authentication with X.509 Certificates and

Kerberos
Use Case
You already have an authentication method in place that is based on SNC server certificates.
All users use the message server to authenticate at the application server. During the
authentication process, the message server always sends the same SNC name since it is
only able to use one single name. This means that the SNC name in the Network tab is a
fixed entry entered by the CA for certificate-based authentication.
To add users who are able to log on with Kerberos, you need to have a name in the CN part
(of the SNC name) that enables users to perform a Kerberos authentication as well.
Depending on the authentication method of the client, the Secure Login Client uses the
existing CN part for certificate-based authentication or tries to map the CN part to a Service
Principal Name that can be used for Kerberos authentication.
If this is not possible, the Secure Login Client converts the CN part as described in SAP Note
1696905.
09/2012
29
4 Configuration Options
This section describes some useful configuration and troubleshooting issues.
4.1 Enable Trace

To enable trace, you need to create the files sec_log_file_filename.txt and
sec_log_file_level.txt in the following folder:
Microsoft Windows
%HOMEDRIVE%%HOMEPATH%\sec or C:\sec
UNIX/Linux
$HOME/sec or /etc/sec
Both files must exist (for example, with level = 0) when the application server is started, if you
want to be able to activate traces later (by changing the trace level). The file
sec_log_file_filename.txt contains the name of the trace file. The name may contain %.PID.%
which is replaced by the process ID.
A typical SAP WebAS creates multiple work processes, so use this feature to avoid parallel
access to the same file by all processes.
Microsoft Windows Example
sec_log_file_filename.txt
C:\sec\log-%.PID.%.txt
UNIX/Linux Example
sec_log_file_filename.txt
/etc/sec/log-%.PID.%.txt
The file sec_log_file_level.txt contains the trace level as a single digit.

Example
sec_log_file_level.txt
4
Value
Details
No trace
Errors
Errors and warnings
Errors, warnings, and logs
Errors, warnings, logs, and information messages
30
09/2012
4.2 Command Line Tool SNC

We recommend that you use the trust manager (ABAP transaction STRUST) for all actions
related to the Personal Security Environment (PSE). For more information on the trust
manager, see the SAP Help Portal at Trust Manager. Use the SNC command line tool only
for functions that are not covered by the trust manager, for example Kerberos keytab
functions. The SNC command line tool enables you to perform the following tasks:
Display security token Information

Create a Personal Security Environment (pse.zip).
Import X.509 certificates
Certificate management
Create and import a Kerberos keytab
Create a root CA token and an SNC server token
You get detailed help when you enter snc H in the command line.
SNC Tool Commands

Command
Description
snc status
Shows the current status of the security tokens

(Kerberos keytab and X.509 certificates)
snc test
Tests the SNC function. Using the registered key for

client and server authentication, this command
performs a certificate-based login for testing
snc register
Registers a security token to the PSE. This command

uses either the absolute path to the certificate file
(PKCS#12 format) or the token URI.
snc unregister
Removes a security token which is registered in the

Personal Security Environment (PSE)
snc trust
Displays the list of trusted certificates. You can add

trusted certificates to the PSE or remove them.
snc crtpse
Creates a PSE (pse.zip file) with system credentials

in the path specified in the variable SECUDIR.Using
the system credentials enables you to access the
PSE without knowing the PSE password. You can
also use a key file for enhanced protection of the
PSE.
snc cred
Adds or removes system credentials for a specific

host or a user in a PSE. You can also use a key file
for enhanced protection of the PSE.
snc keytab
Manages a keytab object in the PSE
snc crtkeytab
Creates a Kerberos keytab file. You need to know the

Service Principal Name and the password of the
Microsoft Windows Kerberos service user.
snc createroot
Creates a root CA token with private key and X.509

certificate. This command saves the token as
PKCS#12 and PSE file in the current path.
09/2012
31
snc createserver
Creates an SNC server token with private key and

X.509 certificate including the root certificate. This
command saves the token as PKCS#12 and PSE file
in the current path.
If not defined, set the environment variable SECUDIR to:
<INSTDIR>/<SID>/DVEBMGS<instance_number>/sec
before using the snc command.
To call the snc command, add the <INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL
directory to the PATH variable or call snc together with the following path:
Microsoft Windows
<INSTDIR>\<SID>\DVEBMGS<instance_number>\SLL\snc.exe
UNIX
<INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/snc
4.2.1 Display Software Version Numbers

Go to the installation directory and use the command snc or snc status to display the
version numbers of the installed software. You get the following output:
Example:
Product version
: Secure Login Library 1.0. SP 4 PL xx

: CryptoLib
8.3.7.2
: windows-x86-64
CryptoLib Version
Support Package
8.3.2
SP0/ATS
8.3.3
SP1
8.3.4.
SP2
8.3.5
SP3
8.3.7
SP4
4.2.2 Display Security Token Information

Use the snc status command to display the security tokens (Kerberos keytab and X.509
certificates). The level of details increases with the qualifiers v,V, -w, and W, from very
basic to very detailed.
snc status V
32
09/2012
Use the following command to save the status in a zip file with many details.
snc status W f snc_status.zip
To display the status for a specific user, use the following command:
snc O <user_name>
status -v
Example:
snc O abcadm status v
snc O SAPServiceABC status -v
4.2.3 Test SNC Function

Use the following command to test the SNC function with a certificate-based login.
snc test n <certificate_name>
Example:
snc test n CN=server, O=SAP AG, C=DE
4.2.4 Create PSE Environment

Use the following command to create a Personal Security Environment (PSE).
snc crtpse P <PSE_master_password>
The PSE (pse.zip) is created in the path specified by the environment variable SECUDIR.
By default, only the host system, where this PSE is created, and all users have access to the
PSE.
It is not possible to use this PSE (pse.zip) with another host system, without creating new
credentials.
Add new credentials for a new host name
snc cred P <PSE_master_password> -n <credential_name> s
<new_host_name>
Add new credentials for a new user

snc cred P <PSE_master_password> u <new_user>
Add new credentials and encrypt content
snc cred P <PSE_master_password> -n <credential_name> f
<server_key_file>
09/2012
33
The server key file is a file on the server with random content which is used to encrypt
credentials in the PSE. You can use any kind of file type which is larger than 32 Byte. Do not
change the path and content of the credentials because, if you do so, you cannot access the
credentials any longer.
4.2.5 Distributing PSEs in a Cluster Environment

To distribute PSEs in a cluster environment with the servers SERVA, SERVB, and SERVC,
you must add your credentials to the PSE for every server. After that the PSE is valid for all
these servers and is ready for distribution. Use the following steps.
1. Generate a PSE on SERVA with the following command:
snc crtpse P <PSE_master_password>
2. Register your PKCS#12 file to the PSE for the SERVA server. The passwordprotected PKCS#12 file is only valid for SERVA.
To do so, use the following command:
snc register f <full_file_path><file_name>.p12 -x
<token_password> n
Always specify the full path name of the P12 file. The service is unable to work with
relative path names.
The respective credentials are saved automatically.
3. Now you need to add your credentials to the PSE and make it valid for SERVB as
well. For this purpose, proceed with the following command for SERVB.
snc cred P MyPassword n ForEntireCluster s SERVB u
<SERVB_SID>adm
4. Proceed with the corresponding command and add the credentials for SERVC to the
PSE.
snc cred P MyPassword n ForEntireCluster s SERVC u
<SERVC_SID>adm
5. Copy the file pse.zip from SERVA to the servers SERVB and SERVC. Now you have
successfully distributed your PSE with your credentials to the entire cluster.
4.2.6 Register PKCS#12 to PSE

Use this command to register a key/certificate pair in PKCS#12 format in the Personal
Security Environment:
snc register f <full_file_path><file_name>.p12
34
09/2012
Example
snc register f C:\Certificate\cert.p12
Use the command snc status V to verify the import.
If you do not want to worry about the location of the PKCS#12 file, copy it into pse.zip, and
register it. To do so, use the following command:
Example:
snc register f cert.p12 n
4.2.7 Unregister Security Token from PSE

Use this command to remove a security token which is registered in the Personal Security
Environment.
You can unregister the security token by specifying the file with the absolute path.
Example
snc unregister P <PSE_master_password> f C:\Certificate\cert.p12
Use the command snc status V to display the value for toksw:
If the registered token was copied into the pse.zip file, get the token URI with the status
command.
snc status V
Use the information you receive from the status command to unregister the token URI.
snc unregister u <URI_from_status>
4.2.8 Create Kerberos Keytab

When you want to create a Kerberos keytab in the PSE, you need the Service Principal
Name and the password of the Microsoft Windows Kerberos service user. To create a
Kerberos keytab in the PSE, enter the following command:
snc crtkeytab s SAP/Kerberos<SID>@<DOMAIN>
-p <Kerberos_service_user_password>
Example
09/2012
35
4.2.9 Import Trusted Certificate to PSE

Use this command to import a certificate (for example, a trusted Root CA certificate) into the
Personal Security Environment:
snc trust a <certificate_file>
Example
snc trust a C:\Certificate\RootCA.cer
4.2.10 Remove Trusted Certificate from PSE

Use this command to remove a certificate (for example, a trusted Root CA certificate) from
the Personal Security Environment.
snc trust d <Distinguished_Name>
Example
snc trust d CN=Certificate, OU=SAP Security
Use the command snc status v to display the certificate Distinguished Name.
4.2.11 Create Root CA Token

If no PKI (public-key infrastructure) for SNC connections is available in your company, you
can create it with snc createroot and snc createserver. Use the command snc
createroot to create a root CA token with private key and X.509 certificate.
snc createroot r <root_CA_file_name> -P <CA_password> -N
<root_SNC_name>
Example
snc createroot r sncrootcatoken P ******** -N CN=SAP SNC
RootCA, O=Company, C=DE
Result:
sncrootcatoken.p12
sncrootcatoken.pse
sncrootcatoken.crt
After the creation, the root CA token is stored as PKCS#12, PSE, and CRT file (certificate
only) in the current path.
36
09/2012
4.2.12 Create SNC Server Token

Use the command snc createserver to create an SNC server token with private key and
X.509 certificate and root certificate.
snc createserver r <root_file_name> -P <CA_password> -p
<P12_password>
In the following example, you use the root CA token created in 4.2.11 Create Root CA Token
to issue a server token.
Example
snc createserver r sncrootcatoken -s server n CN=server, O=SAP
AG, C=DE P <CA_password> -p <P12_password>
Result:
server.p12
server.pse
server.crt
After the creation, the server token is stored in the current path as PKCS#12, PSE, and CRT
file (certificate only).
Use the trust manager (see Trust Manager) to import the PSE file as SNC SAPCryptolib
PSE.
4.3 Communication Protocol Parameters

In the file gss.xml, you can configure the SNC communication protocol for server-to-server
and client-to-server communication. You can, for example, configure formats for the
Distinguished Name. You can shorten long and complicated names, integrate elements such
as e-mail addresses, define the communication protocols to use, configure algorithms for the
protection of application data, keys, and algorithms for encryption and digital signatures.
Example
Include one value in the parameters. List several values in a list separated by blanks. Use
the following syntax:
<namecharset>latin1</namecharset>
<protocol_2010>
<ciphers>aes256 aes128 rc4</ciphers>
</protocol_2010>
09/2012
37
4.3.1 Reference of the Communication Protocol

Parameters (Server)
The following table contains the parameters that are valid for SNC on the server:
Configuration Parameters of gss.xml (Server Functions Only)
Parameter
Values
Description
namecharset
utf8
latin1
Character set used to

exchange names with
the application.
Default: latin1
nameconversions (with
parameter options)
Replaces excessively
long name
components with
shorter ones. Useful
when a server
application stores the
client name in a
database field with an
insufficient maximum
size.
searchstr
<long_client_name>
Enter the complete

client name for name
conversion.
replstr
<short_client_name>
Enter the abbreviated

client name to save
storage space in the
database.
UpperCaseClientName
true
false
During SNC
communication, the
client sends the
Distinguished Name
(DN) of the client
certificate in mixed
case by default. Set to
true to send the DN
in uppercase.
ClientNameSource
AltNameEMail
AltNameEMailWithoutDomain
AltNameDNS
AltNameDName
AltNameIP
AltNameUPN
AltNameUPNWithoutDomain
Subject
Subject alternative
name from the user
certificate to be sent
as the SAP SNC
name. Enter the
options separated by
a space. The server
tries the subject
alternative names in
order. It takes the first
option it can used.
protocol_1993 (with
<SNC_CRYPTOLIB_protocol>
Specifies whether to
use the 1993
38
09/2012
parameter options)
communication
protocol, which is
compatible to
SAPCRYPTOLIB 5.5.
use
true
false
Specifies whether or
not the 1993
communication
protocol is used.
Default: true
algs_encr
aes256t aes192 aes128

des3
List of encryption
algorithms available.
The system uses the
first one that is
possible. Default: all
algs_hash
sha512 sha 384 sha256

sha1 ripemd160
List of available hash

algorithms: The
system uses the first
algorithm that is
acceptsigmode
true
false
Specifies whether the

client key used for
digital signatures is
accepted as an
authentication
method. Default: true
acceptencrmode
true
false
Specifies whether the

client key used for
encryption is accepted
as an authentication
method. Default: true
acceptedttl
<temporary_key_lifetime>
Accepted lifetime of
temporary keys
(digital signature to
keep the session
alive) in seconds.
Default: 86400 (24
hours)
Defines whether the

server accepts the
2010 communication
protocol
use
true
false
Enables/disables the
use of the 2010
protocol. This protocol
supports
authentication with
X.509 and Kerberos
certificates.
acceptedttl
<temporary_key_lifetime>
Accepted lifetime of
temporary keys
(digital signature to
keep the session
protocol_2010 (with
parameter options)
09/2012
39
alive) in seconds.
Default: 86400 (24
hours)
ciphers
aes256 aes128 rc4
Algorithms used for

handshake and
application data
protection. Default: all
data_macs
HMAC-SHA256 HMAC-SHA1
HMAC-SHA512 HMACRIPEMD160
Algorithms used for

handshake and
application data
protection. Default:
HMAC-SHA256
HMAC-SHA1
4.3.2 Reference of the Communication Protocol

Parameters (Client)
A gss.xml file also exists in the client. You must specify the same communication protocol on
both sides (client and server). Depending on your SNC CRYPTOLIB, use either
protocol_1993 or protocol_2010.
The following table contains the parameters that are valid for SNC on the client:
Configuration Parameters of gss.xml (Client Functions Oonly)
Parameter
Values
Description
protocol_1993 (with
parameter options)
Specifies whether to
use the 1993
communication
protocol, which is
compatible to
SAPCRYPTOLIB
5.5.
use
true
false
Specifies whether or
not to use the 1993
communication
protocol. Default:
true
algs_encr
aes256 aes192 aes128

des3
List of encryption
algorithms available.
The system uses the
first one that is
algs_hash
sha512 sha 384 sha256

sha1 ripemd160
List of available hash

algorithms: The
system uses the first
algorithm that is
40
09/2012
authop
enc (encryption certificate)

sig (signature certificate)
sigsession (signature
certificates for key cached for
further sessions)
auto (automatic)
Specifies the
authentication mode
in the client. Default:
auto
age
<period_in_seconds>
Specifies a period of
the key validity
before the signing (in
seconds). This
period acts as a
tolerance period if
system times vary by
a couple of minutes.
Default: 600
ttl
<period_in_seconds>
Validity of temporary
key in seconds.
Default: None
Defines whether the

server accepts the
2010 communication
protocol
use
true
false
Enables/disables the
use of the 2010
protocol. This
protocol support
authentication with
X.509 and Kerberos
certificates.
ciphers
aes256 aes128 rc4
Algorithms used for

handshake and
application data
all
data_macs
HMAC-SHA256 HMAC-SHA1
HMAC-SHA512 HMACRIPEMD160
Algorithms used for

handshake and
application data
HMAC-SHA256
HMAC-SHA1
ParallelSessions
true/false
Enable use of
signature certificate
with a temporary key.
Default: false
ParallelSessionsTTL
<period_in_seconds>
Validity of temporary
key in seconds.
Default: 86400 (one
day)
protocol_2010 (with
parameter options)
09/2012
41
4.4 Use Cases of the Communication Protocol

Parameters
4.4.1 Configuring Certificate Lifetime in sigsession
and ParallelSessions Mode
Every time you use a token (smart card or soft token) to authenticate, you enter a PIN.If you
do not want to be forced to enter this PIN every time you open a session, you have the
following options:
In sigsession mode, the client creates a temporary key, which has a period of validity
specified in age and ttl. (age is the server system time offset relative to the client
system time.) During this period, the session remains valid. ttl is the validity of the
certificate in seconds. It is the time the key cache remains valid. The default is 180 s
starting 60 s earlier.
In ParallelSessions mode, the parameter ParallelSessionsTTL specifies the

validity period of the temporary key. This period of time is identical with the maximum
session length.
Whenever you reauthenticate, the temporary key and the associated session length are
reused for a new session.
4.4.2 Configuring sigsession Mode

If you use the 1993 protocol on the client and server, you must choose from the following
authentication modes:
enc: encryption certificate

sig: signature certificates and sign a temporary RSA key with it
sigsession: signature certificate and sign a temporary RSA key with it. This temporary
key is cached for further sessions until you close the last session.
Example
If you use a token (smart card or soft token) to authenticate, you enter a PIN. In sigsession
mode, the client creates a temporary key, which gets a period of validity specified in age and
ttl. age is the server system time offset relative to the client system time. During this period,
the session remains valid. ttl is the validity of the certificate in seconds. The default is 180 s
starting 60 s earlier.
If the value in ttl in the client exceeds the server value of acceptedttl, the SNC
42
09/2012
connection produces an error message.

Use the following syntax for the configuration:
Configuration example
Client configuration of gss.xml:
<protocol_1993>
<authop>sigsession</authop>
<age>300</age>
<ttl>1899</ttl>
</protocol_1993>
Server configuration of gss.xml:
<protocol_1993>
<acceptsigmode>true</acceptsigmode>
<acceptedttl>2000</acceptedttl>
</protocol_1993>
To specify the lifetime of a certificate in sigsession, proceed as follows:

1. Set a value for the system time tolerance in the parameter age in the gss.xml file of
the client, for example, 300.
2. Set a value in parameter ttl in the same file, for example, 3900.
3. Save the file.
4. Set the same value for acceptedttl as in ttl (3900) in the gss.xml file of the
server.
5. Save the file.
6. Restart the server.
To calculate the desired lifetime of the certificate, subtract the period specified in age from
the period specified in ttl. This results in a desired lifetime of 3600 s.
Example
3900 s 300 s = 3600 s
To illustrate the behavior of the client and server parameters in the gss.xml files, see the
following figure.
09/2012
43
Ensure that the configuration of acceptedttl (server gss.xml) and ttl (client gss.xml) are
identical.
The vertical dotted lines indicate the time when the certificate is issued or when it is verified.
If you verify the validity of the certificate within the period specified by ttl, the verification is
successful. Outside the period specified in the ttl parameter, the verification fails.
4.4.3 Configuring ParallelSessions Mode

Use parallel session mode for the 2010 protocol.
Example
If you use a token (smart card or soft token) to authenticate, you must enter a PIN. In parallel
session mode, the client creates a temporary RSA key, which is cached for re-authentication
in further sessions until you close the last session.
1. Enter true in ParallelSessions.
2. Enter a period of time (in seconds) in ParallelSessionsTTL to specify the period
of time during which reauthentication can occur.
3. Restart the server.
If the value in ParallelSessionsTTL in the client exceeds the server value of
acceptedttl, the SNC connection produces an error message.
Configuration example
Client configuration of gss.xml:
<protocol_2010>
44
09/2012
<ParallelSessions>true</ParallelSessions>
<ParallelSessionsTTL>1800</ParallelSessionsTTL>
</protocol_2010>
Server configuration of gss.xml:
<protocol_2010>
<acceptedttl>2000</acceptedttl>
</protocol_2010>
4.4.4 Define Symmetric Algorithm

This section explains how to define the symmetric algorithm, which is used to secure
communication. By default, the Secure Login Library provides the following symmetric
algorithm (priority in this order).
AES256
AES192 (old protocol 1993 only)
AES128
3DES (old protocol 1993 only)
RC4 (new protocol 2010 only)
Secure Login Library has implemented two protocols named protocol_1993 (old) and
protocol_2010 (new). The old protocol is compatible with SAP Crypto Library
(SAPCryptoLib). The new protocol supports X.509 certificates and Kerberos tokens in
parallel.
If SAP GUI establishes a secure communication to the SAP NetWeaver Application Server,
the symmetric algorithm is agreed between both partners. It is possible to force the use of, for
example, the AES256 symmetric algorithm.
You can define this in the Secure Login Library configuration file gss.xml.
Parameter
Details
<algs_encr>XXX</algs_encr>
Use this parameter to define the symmetric algorithm

for the old protocol, which is defined in section
<protocol_1993>. This protocol is compatible with
SAP Crypto Library (SAPCryptoLib).
By default, the strongest symmetric algorithm that is
available on both sides is agreed.
It is possible in the Secure Login Library to allow the
acceptance of only aes256, for example.
You can define the following algorithms:
aes256
09/2012
45
aes192
aes128
des3
Default is <empty>. The symmetric algorithm is
arranged during the authentication process.
<ciphers>XXX</ciphers>
Use this parameter to define the symmetric algorithm

for the new protocol, which is defined in section
<protocol_2010>. This protocol supports the
Kerberos solution.
By default, the strongest symmetric algorithm that is
available on both sides is agreed.
It is possible in the Secure Login Library to allow only
the acceptance of only AES256, for example.
You can define the following algorithms:
AES256
AES128
RC4
Default is <empty>. The symmetric algorithm is
arranged during the authentication process.
gss.xml
<gss>
<server>
<protocol_1993>
<algs_encr>xxx</algs_encr>
</protocol_1993>
<protocol_2010>
<ciphers>xxx</ciphers>
</protocol_2010>
</server>
</gss>
4.4.5 Uppercase Distinguished Name

To support case insensitivity for user certificate names used by SNC, the GSS Distinguished
Names presented to SAP SNC may be converted to uppercase.
This can be defined in the Secure Login Library configuration file gss.xml.
Parameter
Details
<UpperCaseClientName>XXX
</UpperCaseClientName>
Define the configuration in parameter

<UpperCaseClientName>.
true
The distinguished name is provided in uppercase.
46
09/2012
false
The distinguished name is provided in mixed case.
Default is false.
gss.xml
<gss>
<server>
<UpperCaseClientName>xxx</UpperCaseClientName>
</server>
</gss>
4.4.6 Alternative Name DN Feature

It is possible to use the Subject Alternative Name from the user certificate that is presented to
the SAP SNC interface.
You can define this in the Secure Login Library configuration file gss.xml.
Parameter
Details
<ClientNameSource>XXX
</ClientNameSource>
Defines the configuration in parameter

<ClientNameSource>.
AltNameEMAIL
RFC 822 name.
AltNameDNS
DNS name
AltNameDNAME
Directory name
AltNameURI
URI
AltNameIP
IP address
AltNameUPN
otherName with object identifier. Here the Microsoft
User Principal Name is used (otherName type with
OID 1.3.6.1.4.1.311.20.2.3).
AltNameEMAILWithoutDomain
RFC 822 name without domain. Here you can use the
local part of an E-mail address without the domain
part (j.smith instead of j.smith@company.com).
AltNameUPNWithout Domain
otherName with object identifier and without domain.
Here the Microsoft User Principal Name is used
(otherName type with OID 1.3.6.1.4.1.311.20.2.3)
without the domain part of the e-mail address.
09/2012
47
Subject
Distinguished Name
Default is <empty>. In this case, the Subject
(Distinguished Name) is used.
gss.xml
<gss>
<server>
<ClientNameSource>xxx</ClientNameSource>
</server>
</gss>
You can enter several values separated by commas or spaces. The system uses the first
value. If this is not possible, it proceeds to the second value etc. An error occurs when no
value can be used.
Example 1
The Secure Login Library uses the URI. If the URI is not available, it uses the subject
(Distinguished Name).
<ClientNameSource>AltNameURI Subject</ClientNameSource>
Example 2
The Secure Login Library uses the E-mail address and, as first alternative, the Microsoft
User Principal Name. If the second alternative value is not available, an error occurs.
<ClientNameSource>AltNameEMAIL AltNameUPN</ClientNameSource>
If users change their own attributes (for example, through a self-service), and these
attributes are used by the user certificate (issued by the Secure Login Server), a situation
may occur in which these users are able to assign additional rights to themselves. Thus
these users might get rights they are not supposed to have.
For this case, we recommend that you implement access restrictions for the change of
user attributes.
An AS ABAP uses, for example, certificate-based logon with the users e-mail addresses
in the Distinguished Names. The string in the certificate has the following format:
CN=employee@company.com
This means that the users e-mail address is used for the user mapping in SNC. If an
administrator enables the user to change his or her own data, for example, e-mail
address, first name, last name etc. through a self-service, this user now has the possibility
to enter, for example, his or her managers e-mail address (manager@company.com) as
48
09/2012
attribute. Since this data is usually maintained centrally, this change would also affect the
Secure Login Server. If the certification user mapping feature of the Secure Login Server
is configured with the e-mail address as an attribute of the certificate, the user receives a
certificate with the Distinguished Name CN=manager@company.com. This user is now
able to log on to the AS ABAP as his or her manager.
4.4.7 Shorten Long Distinguished Names

It is possible to shorten parts of the distinguished name (SNC Name) from the user
certificates that are presented to the SAP SNC interface. The character limit for SAP server
systems is 255 characters (in older systems 80 characters).
For example, you can remove entire parts such as a company name which are identical for
all users. You can define this in the Secure Login Library configuration file gss.xml.
Parameter
Details
<searchstr>XXX</searchstr>
In the <nameconversions> section, use the

<searchstr> parameter to define the part of the
distinguished name to be shortened.
Example:
OU=Very Long Organization Unit Name
<replstr>XXX</replstr>
In the <nameconversions> section, the <replstr>

parameter is used to define the part of the
distinguished name to be replaced.
Example:
OU=Short Name
gss.xml
<gss>
<nameconversions>
<searchstr>VeryLongNameComponent</searchstr>
<replstr>ShorterNameComponent</replstr>
</nameconversions>
<nameconversions>
<searchstr>AnotherVeryLongNameComponent</searchstr>
<replstr>AnotherShorterNameComponent</replstr>
</nameconversions>
</gss>
09/2012
49
4.4.8 User Schemas for SNC Names

The SNC names for a certificate-based logon consist of user schema attributes for example,
CN (common name), O (organization), OU (organizationalUnit), or C (country). These
attributes comply with the RFC2256 default for user schemas. For more information, see the
Summary of the X.500(96) User Schema for Use with LDAPv3.
Previous releases of SAPCRYPTOLIB and old SECUDE releases still use a user schema
with obsolete attributes. The table below shows RFC2256-compliant attributes and the
corresponding obsolete SAPCRYPTOLIB or SECUDE attributes, and the related keywords.
Keyword
RFC2256-Compliant
Attribute (Default)
Obsolete SAPCRYPTOLIB
or SECUDE Attribute
surname
SN
street
STREET
ST
title
TITLE
serialNumber
SERIALNUMBER
SN
businessCategory
BUSINESSCATEGORY
BC
description
DESCRIPTION
stateOrProvinceName
ST
SP
Default Settings
The default user schema of the Secure Login Library is RFC2256. The configuration is
located in the file base.xml. For more information about base.xml, see 5.2 Configuring the
CRL Tool.
By default, the configuration of the user schema in the file base.xml is empty (meaning
RFC2256). If you prefer, you can also enter RFC2256 for clarity.
Example 1
<name>
<encoding>UTF8</encoding>
<schema></schema> <!secude/'sapcryptolib' of 'rfc2256'
(default) specifies the schema for order and keywords of name
components -->
</name>
Example 2
<name>
<schema>rfc2256</schema> <!secude/'sapcryptolib' of
'rfc2256' (default) specifies the schema for order and keywords
of name components -->
</name>
50
09/2012
Setting for SAPCRYPTOLIB or SECUDE Release

If customers want to keep their old user schema attributes, overwrite the user schema
setting. To switch the Secure Login Library to use the attributes for obsolete SAPCRYTOLIB
or SECUDE releases, open the base.xml file and enter the schema sapcryptolib or
secude.
Example 1
<name>
<schema>sapcryptolib</schema> <!secude/'sapcryptolib' of
</name>
Example 2
<name>
<schema>secude</schema> <!secude/'sapcryptolib' of
</name>
4.5 User Mapping

This section details how to define the user mapping in SAP user management. For user
authentication using security tokens (X.509 certificate or Kerberos token), this mapping is
required to define which security token belongs to which SAP user.
For smooth and straightforward integration, we recommend that you use the SAP
NetWeaver Identity Management solution to manage user mapping.
Manual Configuration
Start the user management tool by calling transaction SU01. Choose the SNC tab.
If you are using Kerberos authentication, enter the Kerberos user name in the SNC name
field.
If you are using X.509 certificate based authentication, enter the X.509 Certificate
Distinguished Name in the SNC name field.
Note that the definition of the SNC name is case sensitive.
09/2012
51
Kerberos Example
In this example the SNC Name p:CN=MICROSOFTUSER@DEMO.LOCAL belongs to the
user SAPUSER.
X.509 Certificate Example

In this example, the SNC name p:CN=SAPUSER, OU=SAP Security belongs to the user
SAPUSER.
For more information about how to perform user mapping, see the Secure Login Library
Installation, Configuration, and Administration Guide.
52
09/2012
Set External Security Name for All Users

You can use transaction SNC1 (report RSUSR300) to configure the SNC name in batch
mode.
Note that the definition of the string is case sensitive.
With this tool you can choose all SAP Users *, a list of SAP users or SAP user groups.
You can use the option Users without SNC names only to overwrite SNC names.
This batch tool will takes an SAP user and uses the components
<previous_character_string><SAP_user_name><following_character_string>
to build the SNC Name.
Kerberos Example
In this example, SNC names are generated with the following string for all users without an
SNC name.
p:CN=user_name@DEMO.LOCAL
X.509 Certificate Example

In this example, SNC names are generated with the following string for all users without an
SNC name:
p:CN=user_name, OU= SAP Security
09/2012
53
5 Using Certificate Revocation Lists

The Secure Login Library supports certificate revocation lists (CRLs). This enables you to
make sure that revoked certificates are not accepted. The CRL issued by the Certificate
Authority (CA) contains the revoked certificates. The CA issues CRLs at regular intervals.
They contain a list of certificates that have been declared as invalid. CAs regularly update
certificate revocation lists. They must be replaced regularly by a new CRL or by a CRL that
has not yet expired.
CAs place certificate revocation lists at CRL distribution points. The Secure Login Library
provides a tool that enables you to regularly download new CRLs from CRL distribution
points (LDAP or HTTP) to the local cache. Storing CRLs in the local cache ensures fast
accessing of the CRLs. You can schedule the download using a cron job. Storing CRLs in
the cache improves system performance. Otherwise performance suffers when the Secure
Login Library has to download CRLs from an external CRL distribution point.
To use the CRL functions, make the appropriate settings in the configuration files. For more
information, see 5.2 Configuring the CRL Tool.
The local cache for the CRLs is \SECUDIR\dbcrl.
Limitations
The Secure Login Library covers only basic functions on the server side, such as checking
client certificates with CRLs, getting CRLs from a distribution point, and storing it in a local
cache. The Secure Login Library has the following limitations:
Customers cannot use the extension IssuingDistributionPoint in CRLs with the

Secure Login Library.
No use of delta CRLs
At present the Secure Login Library assumes that, in a given environment, all CAs
provide CRLs. This means that multiple PKIs using different revocation checking
policies and one PKI with CAs using different revocation checking policies are not
supported.
Usually UNIX does not come with an LDAP client. To use the CRL tool to get CRLs
from LDAP, you must provide an OpenLDAP client (liboldap.*).
The Secure Login Client does not check CRLs.
5.1 Downloading CRLs with the CRL Tool

The main function of the CRL tool is to enable you to download CRLs from the CRL
distribution point and to make them available in the local cache \SECUDIR\dbcrls. When
the application server checks certificates, it uses the downloaded CRL. Run the CRL tool at
regular intervals to ensure that the most recent CRL is located in the local cache. We
recommend using a cron job to schedule the regular download.
Make sure the server process has read authorization for the CRL (files) in the cache
directory. We recommend using the same user or, in a UNIX environment, granting read
authorization with the umask command.
54
09/2012
To display detailed help, use crtl H.
CRL Tool Commands

Command
Description
crl get
Downloads a CRL from a given CRL distribution point

using a given URL (Web server or LDAP server). For
an Active Directory server, the user must be a domain
user, and ADS has to be configured in ldap.xml.
crl status
Shows the current status of the configuration and of

the module
crl list
Shows the CRLs currently located in the local cache
crl remove
Removes the CRL from the local cache
crl show
Shows the content of a CRL file
crl store
Stores a CRL in the local cache. If the certificates

contain a CRL distribution point, specify its location
with -u so that the CRL can be found during certificate
verification.
Examples of Getting a CRL from a CRL Distribution Point

In the following examples you see the commands for getting a CRL from a CRL distribution
point.
Use the following command to get a CRL and store it in a file:
crl get u <LDAP_server> -f <CRL_file>
Example
crl get u ldap:///sap.example.com -f file.crl
Use the following command to get a CRL and store it in a cache without a distribution point:
crl get -u <LDAP_server> store
Example
crl get u ldap:///sap.example.com store
Use the following command to get a CRL and store it in a cache using the same distribution
point (the URL in the store command must be the path of the CRL distribution list).
crl get -u <LDAP_server> store -u <LDAP_server>
Example
crl get u ldap:///sap.example.com u ldap:///sap.example.com
09/2012
55
Use the following command to get a CRL and store it in a cache using a different distribution
point (the URL in the store command must point to the CRL distribution point specified in the
certificate).
crl get u <HTTP_server> store -u <LDAP_server>
Example
crl get u http://server/ store -u ldap:///sap.example.com
5.2 Configuring the CRL Tool

The following configuration files are available in the \SLL folder:
pkix.xml
base.xml
ldap.xml
The parameters are similar to tags surrounding the values. You may use uppercase or
lowercase for entering values.
pkix.xml
In the configuration file pkix.xml, you can configure whether a CRL check is used at all. CRL
checking is active if the parameter revCheck is set to the value CRL. The default setting of
this parameter is no (no use of CRLs).
After you have entered changes in the configuration files, restart your ABAP server so
that the newly-set parameters take effect.
Example
<pkix>
<profile>
<acceptNoBCwithKeyUsage>true</acceptNoBCwithKeyUsage>
<revCheck>CRL</revCheck>
<certificatePolicies>noCheck</certificatePolicies>
</profile>
</pkix>
The following table contains all parameters and parameter options that are available in
pkix.xml.
Configuration parameters of pkix.xml
Parameter
Values
Description
profile (with parameter

options)
<CRL_checking_profile>
CRL checking profile
56
09/2012
accceptNoBCwithK
eyUsage
true/false
pkix.xml defines that CA

certificates must have
the BasicConstraint
extension. Default: true
revCheck
NO/CRL
Enables/disables
revocation checking.
Default: NO
certificatePolic
ies
noCheck/<trusted_certificate_p
olicy_object_identifiers>
List of trusted certificate

policy object identifiers
separated by a
semicolon (;). Default:
noCheck
If the parameter acceptNoBCwithKeyUsage has the value true, the system checks
whether certificates without the BasicContraints extension have the keyCertSign key
usage. In this case, they are accepted as CA certificates.
If the parameter acceptNoBCwithKeyUsage has the value false, the certificates are not
accepted.
base.xml
You can configure the cache and the verification of the CRL download in the file base.xml. If
you use CRLs that are located in the cache, performance will improve considerably.
By default, the parameter verificationonlineaccess is set to false to disable the function that
verifies the CRLs online, for example on an LDAP server or HTTP server.
If you want to activate CRL verification with the cache, set the parameter usepkicache to true
(default setting is false).
Example 1
If you want to define a different location for the cache directory, you may optionally use the
parameter pkicachedir and enter the location there (for multiple servers accessing the cache,
you could use an NFS cache).
<base>
<verificationonlineaccess>false</verificationonlineaccess>
<usepkicache>true</usepkicache>
<pkicachedir>\usr\sap\T2D\DVEBMGS00\sec</pkicachedir>
</base>
Example 2
Set the parameter verificationonlineaccess to false. If you do not want to define a different
location for the cache directory, set the parameter usepkicache to true. In this case, you need
not enter any value in pkicachedir.
09/2012
57
<base>
<verificationonlineaccess>true</verificationonlineaccess>
<usepkicache>false</usepkicache>
<pkicachedir></pkicachedir>
</base>
Example 3
If you want to carry out a CRL check from a remote LDAP directory, set the parameter
verificationonlineaccess to true and set the parameter usepkicache to false. In this case, you
need not enter any value in pkicachedir.
<base>
<verificationonlineaccess>true</verificationonlineaccess>
<usepkicache>false</usepkicache>
<pkicachedir></pkicachedir>
</base>
Example 4
If you want to make a CRL request from a proxy server, you must enter the host name and
the port number of the proxy server.
<base>
<proxy>
<url>host.example.com:8003</url>
</proxy>
The following table contains all parameters and parameter options that are available in
base.xml.
Configuration parameters of base.xml
Parameter
Values
Description
verification
onlineaccess
true/false
If set to true, missing CRLs and certificates are being

searched online. Default: false
usepkicache
true/false
Specifies whether a CRL check uses a cache directory

or a remote LDAP directory. Default: false
pkicachedir
<directory_pat
h>
Location of dbcert and dbcris directories. Default:

<PSE_directory>
proxy (with
parameter
options)
<proxy>
Defines the proxy if you use a proxy server for the CRL
request.
<host_name:p
ort>
Host name and port number ot the proxy
url
58
This parameter does not support proxy URLs.
09/2012
name (with
parameter
options)
<Distinguished
_Name>
Distinguished Name
escape
delimi
ter
doublequote
/backslash
Delimiters of the values. Default: doublequote
encodi
ng
UTF8/T.61
Character set used for encoding Distinguished Names

in ASN.1. Default: UTF8
schema
sapcryptoli
b/rfc2256
Schema for the sequence and keywords of the name

elements. Default: rfc2256
ldap.xml
You only need to modify this file in an Active Directory environment. If an LDAP URL that
does not contain the server name is used as a CRL distribution point (in the default setting,
the relevant section is commented out), define the name of the LDAP server in the
configuration file ldap.xml.
If you are in a Microsoft Windows domain and Active Directory is used as LDAP server, you
must enter the value ADS in the parameter name.
Example
<ldap>
<server>
<name>ADS</name>
</server>
</ldap>
Configuration parameters of ldap.xml

Parameter
Values
Description
timeout
<milliseconds>
Timeout of the LDAP

server in milliseconds.
Default: 40000
nettimeout
<milliseconds>
Network timeout in
milliseconds. Default:
800
server (with parameter options)
<Active_Directory>
Definition of LDAP
server used for CRL
ADS
Enter ADS if Active

Directory is used as an
LDAP server. Default:
no value
name
09/2012
59
6 Use Cases
6 Use Cases
This section gives an instruction for the most frequently used use cases of NetWeaver Single
Sign-On. It provides a rough overview of the steps you take if you want to set up such a
solution, and you find multiple helpful references and links.
6.1 Support for Authentication with Kerberos

and X.509 on AS ABAP
You want to use Kerberos authentication technology for the client-to-server communication
and thus enable single sign-on and secure server-to-server communication using SNC. We
assume that there is a Microsoft domain user who requests to authenticate at a Secure Login
Client. The Secure Login Client issues a Kerberos service token and authenticates at AS
ABAP system 1 with SNC. The server-to.server communication uses X.509 certificates.
6.1.1 Prerequisites
You have installed Secure Login Client on the client workstations in a Microsoft
domain.
Secure Login Library is installed in the AS ABAP systems 1 and 2. This makes an
SNC communication with X.509 certificates possible.
This setup is also possible if SAPCRYPTOLIB is installed in the AS ABAP system 2.
60
09/2012
6 Use Cases
The following SAP NetWeaver Single Sign-On components must be installed in the following
environment:
Systems
Software Components
Microsoft Windows client
Secure Login Client
AS ABAP system 1
Secure Login Library (SNC library)
AS ABAP system 2
Secure Login Library or SAPCRYPTOLIB (SNC

library)
6.1.2 Installation and Configuration Steps

Procedure
1. In Microsoft Active Directory, create a technical user that can be used in an AS
ABAP. Specify a Service Principal Name for this user (see options 1 and 2).
2. Install the Secure Login Library as SNC security library on AS ABAP system 1. For
more information, see the Secure Login Library Installation section in the Installation,
Configuration, and Administration Guide of SAP NetWeaver Single Sign-On, Secure
Login Library available on http://help.sap.com/nwsso10.
3. Install the Secure Login Library or SAPCRYPTOLIB as SNC security library on AS
ABAP system 2. For the installation procedure of SAPCRYPTOLIB on an AS ABAP,
see Installing the SAP Cryptographic Library on the AS ABAP
(http://help.sap.com/saphelp_nw73ehp1/helpdata/en/49/236897bf5a1902e10000000
a42189c/frameset.htm) on the SAP Help Portal.
4. Configure the SNC parameters on both AS ABAP systems (1 and 2) in the Instance
Profile. Use the transaction RZ10 (see Maintaining Profiles
(http://help.sap.com/saphelp_nw73ehp1/helpdata/en/c4/3a616a505211d189550000e
829fbbd/frameset.htm) on the SAP Help Portal).
5. On AS ABAP system 1, use the Service Principal Name of the Microsoft Active
Directory technical user, create a Kerberos keytab file in the Secure Login Library
environment, and save it in the security token container pse.zip (see Installation,
Configuration, and Administration Guide for SAP NetWeaver Single Sign-On 1.0,
Secure Login Library, SNC Kerberos Configuration, Create Kerberos Keytab).
Generate X.509 certificates in transaction STRUST (for more information on the trust
manager, see
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bdb17f85640f1e10000000a
42189c/frameset.htm). If you use self-signed certificates, import them from the AS
ABAP system 2.
Option 1
a) Create an X.509 certificate for the AS ABAP, for example
CN=KerberosABC, OU=SAP Security, C=DE.
Create a Microsoft Service Principal Name for the technical user of the AS
ABAP system, for example SAP/KerberosABC@DOMAIN.LOCAL.
b) Start the transaction RZ10 in the AS ABAP.
c) Choose your instance profile.
09/2012
61
6 Use Cases
d)
e)
f)
g)
Choose Extended Maintenance and Change.

Go to the parameter name snc/identities/as.
Enter p:CN=KerberosABC, OU=SAP Security, C=DE
The Secure Login Client (1.0 SP02, patch 03 and higher) converts the SNC
name for Kerberos use. If SAP GUI receives the SNC name
p:CN=KerberosABC, OU=SAP Security, C=DE, the Secure Login
Client rebuilds the Service Principal Name, for example, to
CN=SAP/KerberosABC@DOMAIN.LOCAL.
This happens if the Secure Login Client uses a Kerberos profile, and SAP GUI has
no Kerberos name.
For more information, see SAP Note 1696905.
Option 2
Create an X.509 certificate for the AS ABAP system
Example:
CN=SAP/KerberosABC@DOMAIN.LOCAL
Unlike some PKI vendors, Secure Login Server can generate a certificate with
special characters, for example @.
For more information, see the Installation, Configuration, and Administration Guide
for SAP NetWeaver Single Sign-On 1.0, Secure Login Library, Authentication with
X.509 Certificates and Kerberos.
6. On AS ABAP system 2, generate X.509 certificate in transaction STRUST (for more
information on the trust manager, see
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bdb17f85640f1e10000000a
42189c/frameset.htm). If you use self-signed certificates, import them from the AS
ABAP system 1.
7. Restart the AS ABAP systems 1 and 2.
8. Install the Secure Login Client on your Windows client(s) (see Installation,
Configuration, and Administration Guide for SAP NetWeaver Single Sign-On 1.0,
Secure Login Client, Secure Login Client Installation), and enable SNC in SAP GUI
(see Installation, Configuration, and Administration Guide for SAP NetWeaver Single
Sign-On 1.0, Secure Login Client, Enable SNC in SAP GUI).
9. To configure the SNC user mapping, start transaction SU01 on the AS ABAP system
1 (see Installation, Configuration, and Administration Guide for SAP NetWeaver
Single Sign-On 1.0, Secure Login Client, User Mapping). Depending on the
communication direction, configure secure network communication (SNC) in
transaction SM59 (see
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/7e/6ca46b1ee4468a98280ff00d
b4d97d/frameset.htm).
10. Depending on the communication direction, configure secure network communication
(SNC) in transaction SM59 (see
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/7e/6ca46b1ee4468a98280ff00d
b4d97d/frameset.htm) for AS ABAP system 2.
62
09/2012
7 Troubleshooting
7 Troubleshooting
This section provides further information about how to perform troubleshooting for Secure
Login Library.
7.1 SNC Library Not Found

The SNC library and configuration are verified when the SAP ABAP server starts.
Problem
SNC library cannot be found.
Checklist Possible Issues
Verify SAP trace file dev_w0.

Verify if Secure Login Library is installed correctly.
Verify the installation described in section 2 Secure Login Library Installation.
Verify the SNC configuration.
Log on to SAP ABAP server using SAP GUI and start transaction RZ10.
Choose the instance profile and verify the value of the parameter snc/gssapi_lib.
For more information, see section 3 Secure Login Library Configuration.
Verify SNC library file access rights for the user starting the SAP server.
Verify the SNC library status with the command snc status v or snc O <user_name>
status v.
Enable Secure Login Library trace and analyze the problem. For more information, see
section 4.1 Enable Trace.
7.2 Credentials Not Found

The SNC library and configuration are verified when the SAP ABAP server starts.
Problem
Could not get credentials.
Checklist Possible Issues
Verify SAP trace file dev_w0.

Verify if Secure Login Library is installed correctly.
Verify the installation described in section 2 Secure Login Library Installation.
Verify the SNC configuration.
Log on to SAP ABAP server using SAP GUI and start transaction RZ10.
Choose the instance profile and verify the SNC configuration.
For more information, see section 3 Secure Login Library Configuration.
09/2012
63
7 Troubleshooting
Verify SNC library file access rights for the user starting the SAP server.
Verify if the SNC certificate was provided to the Secure Login Library PSE environment.
Start a command line shell and change to the Secure Login Library folder
<INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL.
Set the environment
SECUDIR=<INSTDIR>/<SID>/DVEBMGS<instance_number>/sec
Use the command: snc O <SAP_service_user> status v
Microsoft Windows Example: snc O SAPServiceABC status v
Linux Example: snc O abcadm status v
Enable the Secure Login Library trace and analyze the problem. For more information,
see section 4.1 Enable Trace.
7.3 No User Exists with SNC Name

Problem
If the error message No user exists with SNC name occurs and your login fails, a
server with a default Secure Login Library configuration cannot find the SNC name in the
database. For further information, see the SAP Note 1635019.
64
09/2012
8 List of Abbreviations
Abbreviation
Meaning
ADS
Active Directory Service
CA
Certification Authority
CAPI
Microsoft Crypto API
CRL
Certification Revocation List
CSP
Cryptographic Service Provider
DN
Distinguished Name
EAR
Enterprise Application Archive
HTTP
Hyper Text Transport Protocol
HTTPS
Hyper Text Transport Protocol with Secure Socket Layer (SSL)
IAS
Internet Authentication Service (Microsoft Windows Server 2003)
JAAS
Java Authentication and Authorization Service
JSPM
Java Support Package Manager
LDAP
Lightweight Directory Access Protocol
NPA
Network Policy and Access Services (Microsoft Windows Server

2008)
PIN
Personal Identification Number
PKCS
Public Key Cryptography Standards
PKCS#10
Certification Request Standard
PKCS#11
Cryptographic Token Interface Standard
PKCS#12
Personal Information Exchange Syntax Standard
PKI
Public Key Infrastructure
PSE
Personal Security Environment
RADIUS
Remote Authentication Dial-In User Service
RFC
Remote function call (SAP NetWeaver term)
RSA
Rivest, Shamir and Adleman
SAR
SAP Archive
SCA
Software Component Archive
SLAC
Secure Login Administration Console
SLC
Secure Login Client
SLL
SLS
Secure Login Server
SLWC
Secure Login Web Client
SNC
Secure Network Communication (SAP term)
09/2012
65
SSL
Secure Socket Layer
UPN
User Principal Name
WAR
Web Archive
WAS
Web Application Server
66
09/2012
9 Glossary
9 Glossary
Authentication
A process that checks whether a person is really who they claim to be. In a multi-user or
network system, authentication means the validation of a users logon information. A
users name and password are compared against an authorized list.
Base64 encoding
Base64 encoding is a three-byte to four-characters encoding based on an alphabet of 64
characters. This encoding has been introduced in PEM (RFC1421) and MIME. Other uses
include HTTP Basic Authentication headers and general binary-to-text encoding
applications.
Note: Base64 encoding expands binary data by 33%, which is quite efficient
CAPI
See Cryptographic Application Programming Interface
Certificate
A digital identity card. A certificate typically includes:
The public key being signed.

A name, which can refer to a person, a computer or an organization.
A validity period.
The location (URL) of a revocation center.
The digital signature of the certificate produced by the CAs private key.
The most common certificate standard is the ITU-T X.509.
Certification Authority (CA)

An entity which issues and verifies digital certificates for use by other parties.
Certificate Revocation List (CRL)

A group of certificates that have been declared to be invalid. The certificate revocation list
is maintained and publically released by the issuing Certification Authority (CA) and
typically contains the following information:
The certificate's serial number

The issuing CA's Distinguished Name
The date of revocation.
Certificate Store
Sets of security certificates belonging to user tokens or certification authorities.
CREDDIR
A directory on the server in which information is placed that goes beyond the PSE
09/2012
67
9 Glossary
(personal security environment).
Credentials
Used to establish the identity of a party in communication. Usually they take the form of
machine-readable cryptographic keys and/or passwords. Cryptographic credentials may
be self-issued, or issued by a trusted third party; in many cases the only criterion for
issuance is unambiguous association of the credential with a specific, real individual or
other entity. Cryptographic credentials are often designed to expire after a certain period,
although this is not mandatory.
Credentials have a defined time to live (TTL) that is configured by a policy and managed
by a client service process.
CRL Distribution Point

Publicly available location where a Certification Authority (CA) hosts its certificate
revocation list (CRL).
Cryptographic Application Programming Interface (CAPI)

The Cryptographic Application Programming Interface (also known variously as
CryptoAPI, Microsoft Cryptography API, or simply CAPI) is an application programming
interface included with Microsoft Windows operating systems that provides services to
enable developers to secure Microsoft Windows-based applications using cryptography. It
is a set of dynamically-linked libraries that provides an abstraction layer that isolates
programmers from the code used to encrypt the data.
Cryptographic Token Interface Standard
A standardized crypto-interface for devices that contain cryptographic information or that
perform cryptographic functions.
Directory Service
Provides information in a structured format. Within a PKI: Contains information about the
public key of the user of the security infrastructure, similar to a telephone book (for example,
an X.500 or LDAP directory).
Distinguished Name (DN)

A name pattern that is used to create a globally unique identifier for a person. This name
ensures that identical certificates are never created for different people with the same name.
The uniqueness of the certificate is additionally ensured by the name of the issuer of the
certificate (that is, the certification authority) and the serial number. All PKI users require a
unique name. Distinguished Names are defined in the ISO/ITU X.500 standard.
Key Usage
Key usage extensions define the purpose of the public key contained in a certificate. You can
use them to restrict the public key to as few or as many operations as needed. For example,
if you have a key used only for signing, enable the digital signature and/or non-repudiation
extensions. Alternatively, if a key is used only for key management, enable key enciphering.
68
09/2012
9 Glossary
Key Usage (extended)

Extended key usage further refines key usage extensions. An extended key is either critical
or non-critical. If the extension is critical, the certificate must be used only for the indicated
purpose or purposes. If the certificate is used for another purpose, it is in violation of the CA's
policy.
If the extension is non-critical, it indicates the intended purpose or purposes of the key and
may be used in finding the correct key/certificate of an entity that has multiple
keys/certificates. The extension is then only an informational field and does not imply that the
CA restricts use of the key to the purpose indicated. Nevertheless, applications that use
certificates may require that a particular purpose be indicated in order for the certificate to be
acceptable.
Lightweight Directory Access Protocol (LDAP)

A network protocol designed to extract information such as names and e-mail addresses
from a hierarchical directory such as X.500.
PKCS#11
PKCS refers to a group of Public Key Cryptography Standards devised and published by
RSA Security. PKCS#11 is an API defining a generic interface to cryptographic tokens.
PEM
See Privacy Enhanced Mail.
Personal Identification Number (PIN)

A unique code number assigned to the authorized user.
Personal Information Exchange Syntax Standard

Specifies a portable format for saving or transporting a users private keys, certificates,
and other secret information.
Personal Security Environment

The PSE is a personal security area that every user requires to work with. A PSE is a
security token container with security-related information. This includes the certificate and
its secret private key. The PSE can be either an encrypted file or a smart card and is
protected with a password.
PIN
See Personal Identification Number.
Privacy-Enhanced Mail (PEM)

The first known use of Base 64 encoding for electronic data transfer was the Privacyenhanced Electronic Mail (PEM) protocol, proposed by RFC 989 in 1987. PEM defines a
"printable encoding" scheme that uses Base 64 encoding to transform an arbitrary
sequence of octets to a format that can be expressed in short lines of 7-bit characters, as
required by transfer protocols such as SMTP.
09/2012
69
9 Glossary
The current version of PEM (specified in RFC 1421) uses a 64-character alphabet
consisting of upper- and lower-case Roman alphabet characters (AZ, az), the numerals
(09), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code.
The original specification additionally used the "*" symbol to delimit encoded but
unencrypted data within the output stream.
Public FSD
Public file system device. An external storage device that uses the same file system as
the operating system.
Public Key Cryptography Standards

A collection of standards published by RSA Security Inc. for the secure exchange of
information over the Internet.
Public Key Infrastructure

Comprises the hardware, software, people, guidelines, and methods that are involved in
creating, administering, saving, distributing, and revoking certificates based on
asymmetric cryptography. Is often structured hierarchically.
In X.509 PKI systems, the hierarchy of certificates is always a top-down tree, with a root
certificate at the top, representing a CA that does not need to be authenticated by a
trusted third party.
Root certification authority

The highest certification authority in a PKI. All users of the PKI must trust it. Its certificate
is signed with a private key. There can be any number of CAs between a user certificate
and the root certification authority. To check foreign certificates, a user requires the
certificate path as well as the root certificate.
Root certification
The certificate of the root CA.
RSA
An asymmetric, cryptographically procedure, developed by Rivest, Shamir, and Adleman
in 1977. It is the most widely-used algorithm for encryption and authentication. Is used in
many common browsers and mail tools. Security depends on the length of the key: key
lengths of 1024 bits or higher are regarded as secure.
Secure Network Communications

A module in the SAP NetWeaver system that deals with the communication with external,
cryptographic libraries. The library is addressed using GSS API functions and provides
SAP NetWeaver components with access to security functions.
Secure Sockets Layer

A protocol developed by Netscape Communications for setting up secure connections
over insecure channels. Ensures the authorization of communication partners and the
confidentiality, integrity, and authenticity of transferred data.
70
09/2012
9 Glossary
Single Sign-On
A system that administrates authentication information allowing a user to logon to
systems and open programs without the need to enter authentication every time
(automatic authentication).
Token
A security token (or sometimes a hardware token, authentication token or cryptographic
token) may be a physical device that an authorized user of computer services is given to
aid in authentication. The term may also refer to software tokens.
Smart-card-based USB tokens (which contain a smart card chip inside) provide the
functionality of both USB tokens and smart cards. They enable a broad range of security
solutions and provide the abilities and security of a traditional Smart Card without
requiring a unique input device (smart card reader). From the computer operating
systems point of view a token is a USB-connected smart card reader with one nonremovable smart card present.
Tokens provide access to a private key that allows the user to perform cryptographic
operations. The private key can be persistent (like a PSE file, smart card, or CAPI
container) or non-persistent (like temporary keys provided by Secure Login).
Windows Credentials
A unique set of information authorizing the user to access the Microsoft Windows
operating system on a computer. The credentials usually comprise a user name, a
password, and a domain name (optional).
X.500
A standardized format for a tree-structured directory service.
X.509
A standardized format for certificates and blocking list.
09/2012
71

Installation Configuration and Administration Guide SAP NetWeaver Single Sign On SP4 Secure Login Library

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Installation Configuration and Administration Guide SAP NetWeaver Single Sign On SP4 Secure Login Library

Uploaded by

Copyright:

Available Formats

Installation, Configuration, and Administration Guide

SAP NetWeaver Single Sign-On SP4

2012 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any

registered trademarks of Apple Inc.

IOS is a registered trademark of Cisco Systems Inc.

BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry

contain proprietary software components of other software vendors.

Storm2, BlackBerry PlayBook, and BlackBerry App World are

Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and

Google App Engine, Google Apps, Google Checkout, Google Data

IBM, DB2, DB2 Universal Database, System i, System i5, System p,

Google Mobile, Google Store, Google Sync, Google Updater, Google

System p5, System x, System z, System z10, z10, z/VM, z/OS,

Voice, Google Mail, Gmail, YouTube, Dalvik and Android are

OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems,

trademarks or registered trademarks of Google Inc.

POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale,

INTERMEC is a registered trademark of Intermec Technologies

HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX,

Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet

Wi-Fi is a registered trademark of Wi-Fi Alliance.

Linux is the registered trademark of Linus Torvalds in the United

Bluetooth is a registered trademark of Bluetooth SIG Inc.

States and other countries.

trademarks or registered trademarks of Adobe Systems Incorporated in

Computop is a registered trademark of Computop

BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP

products and services mentioned herein as well as their respective

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,

and other countries.

VideoFrame, and MultiWin are trademarks or registered trademarks of

Business Objects and the Business Objects logo, BusinessObjects,

HTML, XML, XHTML, and W3C are trademarks or registered

other Business Objects products and services mentioned herein as well

trademarks of W3C, World Wide Web Consortium, Massachusetts

as their respective logos are trademarks or registered trademarks of

Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere,

Open LDAP http://www.openldap.org/

and other Sybase products and services mentioned herein as well as

The OpenLDAP Public License

Redistribution and use of this software and associated documentation

registered trademarks of Crossgate AG in Germany and other

("Software"), with or without modification, are permitted provided

countries. Crossgate is an SAP company.

that the following conditions are met:

1. Redistributions in source form must retain copyright statements

their respective companies. Data contained in this document serves

informational purposes only. National product specifications may

2. Redistributions in binary form must reproduce applicable copyright

These materials are subject to change without notice. These materials

disclaimer in the documentation and/or other materials provided

are provided by SAP AG and its affiliated companies ("SAP Group")

with the distribution, and

for informational purposes only, without representation or warranty of

3. Redistributions must contain a verbatim copy of this document.

warranty statements accompanying such products and services, if any.

Each revision is distinguished by a version number. You may use

Nothing herein should be construed as constituting an additional

this Software under terms of this license revision or under the

terms of any subsequent revision of the license.

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP