
Installation, Configuration and Administration Guide

SAP NetWeaver Single-Sign-On SP2
Secure Login Server

PUBLIC
Document Version: 1.2 – December 2011

SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com

© Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Terms for Included Open Source Software

This SAP software also contains the third party open source software products listed below. Please note that for these third party products the following special terms and conditions shall apply.

Prototype JavaScript Framework http://www.prototypejs.org/
Copyright (c) 2005-2010 Sam Stephenson

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

stringutils http://sourceforge.net/projects/stringutils/
Copyright (c) 2006 Andrea S. Gozzi, Valerio Romeo

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

opencsv 1.7.1 http://opencsv.sourceforge.net/

Apache License, Version 2.0, January 2004, http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION: sections 1 (Definitions), 2 (Grant of Copyright License), 3 (Grant of Patent License), 4 (Redistribution), 5 (Submission of Contributions), 6 (Trademarks), 7 (Disclaimer of Warranty), 8 (Limitation of Liability) and 9 (Accepting Warranty or Additional Liability) of the Apache License, Version 2.0 apply. The complete license text is available at http://www.apache.org/licenses/LICENSE-2.0.

Typographic Conventions

Type Style                     Description
Example text (bold)            Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.
Example text (italic)          Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT                   Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text (monospace)       Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text (bold monospace)  Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>                 Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT (keys)            Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon    Meaning
        Caution
        Example
        Note
        Recommendation
        Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help -> General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Contents

1 What is Secure Login?
  System Overview
  System Overview with Security Token
  System Overview with Secure Login Server
  Instances
  PKI Structure
  Secure Communication
    Secure Login Library
  Policy Server Overview
  Secure Login Web Client
  Export Restrictions

2 Secure Login Server Installation
  Prerequisites
  Secure Login Server Installation with Telnet
  Secure Login Server Installation with JSPM
  Secure Login Server Uninstallation
  Updating the Secure Login Server to SP2

3 Administration
  Logon to Administration Console
  Initial Configuration Wizard
    Initial Configuration
    Enable Remote Access for Initial Wizard
    Configure SSH Tunnel
  Server Configuration
    Edit Server Configuration
    DefaultServer Configuration
    Edit Login Type Setting
  Instance Management
    Create a New Instance
    Locked Files Management
  Certificate Management
  Trust Store Management
  Certificate Template
  Change Password
  Welcome Page
  Console Users
    User Management
    Role Management
  System Check
  Message Settings
  SNC Configuration
  Server Status
  Sign Certificate Requests
  Console Log Viewer
  Web Client Configuration

4 Other Configurations
  Kerberos Authentication with SPNego
  LDAP User Authentication
  SAP User Authentication
    Create Technical User in SAP Server
    Configure Login Module
    Verify Authentication Server Configuration
  RADIUS User Authentication
    Ensuring Encrypted Communication with Shared Secret
  Configuring RSA Authentication with RADIUS
    Configuration of the securid.ini File
    Customer-Specific Configuration of the securid.ini File
  Configure SSL Certificate Logon
  Configure External Login ID
  Emergency Recovery Tool
  Monitoring
    Web Service Status
    XML Interface
  Secure Login Client Policy and Profiles
    Client Policy
    Applications and Profiles
  Integrate into Existing PKI
  Configuring Secure Login Servers as Failover Servers for High Availability
  Configuring Login Module Stacks as Failover Servers in SAP NetWeaver
    Configuration of SAP NetWeaver AS Java
    Configuration of the Secure Login Server
  Setting Failover Timeouts of the Login Modules
  Custom Use of Login Module with Login Module Stacks

5 Configuration Examples
  Mozilla Firefox Support
    Install Firefox Extension
    Uninstall Mozilla Firefox Extension
  Customize Secure Login Web Client

6 Troubleshooting
  Checklist User Authentication Problem
  Secure Login Server SNC Problem
  Enable Secure Login Server Trace
  Enable Secure Login Library Trace
  Secure Login Server Lock and Unlock
  Access Denied Replies
  Internal Server Message
  Error Codes
    Secure Login Server Error Codes
    SAP Stacktrace Error Codes

7 List of Abbreviations

8 Glossary

1 What is Secure Login?

Secure Login is a software solution designed to improve user and IT productivity and to protect business-critical data in SAP business solutions through secure single sign-on to the SAP environment.

In a default SAP setup, users enter their SAP user name and password in the SAP GUI logon screen, and these credentials are transferred over the network without encryption (the SAP GUI protocol compresses the data stream but does not encrypt it). To secure networks, SAP provides the Secure Network Communications interface (SNC), which enables users to log on to SAP systems without entering a user name or password. The SNC interface can also direct calls through the Secure Login Library to encrypt all communication between SAP GUI and the SAP server.

Secure Login allows you to benefit from the advantages of SNC without being forced to set up your own Public Key Infrastructure (PKI). Users can authenticate with one of the following mechanisms:

- Microsoft Windows domain (Active Directory Server)
- RADIUS server
- LDAP server
- RSA SecurID token
- SAP NetWeaver server
- Smart Card authentication

If a PKI has already been set up, the digital user certificates of that PKI can also be used by Secure Login.

Secure Login also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) with SSL, thus providing secure single sign-on to SAP.

Secure Login provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components, for example:

- SAP GUI and SAP NetWeaver platform with Secure Network Communications (SNC)
- Web GUI and SAP NetWeaver platform with Secure Socket Layer (SSL, HTTPS)
- Third party application server supporting X.509 certificates

In addition. The Secure Login Web Client has the same authentication methods as the standalone Secure Login Client.Limited client policy configuration 10 06/2011 . alternative user authentication. You can use it for certificate-based authentication without being obliged to set up a PKI. All of these authentication methods can be used in parallel. Secure Login Library Crypto library for the SAP NetWeaver ABAP system. but with the following limited functions: .509v3 certificates (out-of-the-box PKI) to users and application server.User name and Password (Several Authentication Mechanism) The Secure Login Client prompts you for a user name and a password and uses these credentials for authentication at the Secure Login Server to receive a user X. Secure Login Web Client This client is based on a Web browser (Web GUI) and is part of the Secure Login Server. Configuration and Administration Guide. A policy server provides authentication profiles that specify how to log on to the desired SAP system. Secure Login Client Client application which provides security tokens (Kerberos and X. The Secure Login solution includes the following components:  Secure Login Server Central service which provides X. . and enhanced security easy for distributed SAP environments.1 What is Secure Login? 1.Microsoft Windows credentials The Microsoft Windows domain credentials (Kerberos token) can be used for authentication. the Microsoft Windows credentials can be used to receive a user X.   It is not necessary to install all components. The Secure Login Client is split into the following variants: Secure Login Client Secure Login Client can either be used with an existing public key infrastructure (PKI) or together with the Secure Login Server.509 and Kerberos technology. . The Secure Login Library supports both X. The stand-alone Secure Login Client can use the following authentication methods: . . 
For further information about Secure Login Client and Secure Login Library see the corresponding Installation.Limited integration with the client environment (interaction required) .Microsoft Crypto Store with an existing PKI certificate Secure Login Server and Authentication Server are not necessary. The Secure Login Web Client is provided as well.Smart Cards and USB tokens with an existing PKI certificate Secure Login Server and Authentication Server are not necessary.509 certificate with Secure Login Server. This depends on the use case.1 System Overview Secure Login is a client/server software system integrated with SAP software to make single sign-on.509 technology) for a variety of applications.509 certificate.

1.2 System Overview with Security Token

The Secure Login Client is integrated with SAP software to provide single sign-on and enhanced security. An existing PKI or Kerberos infrastructure can be used for user authentication.

Main System Components

The following figure shows the Secure Login system environment with the main system components when an existing PKI or Kerberos infrastructure is used.

Figure: Secure Login System Environment with Existing PKI and Kerberos
(Components shown: PKI Infrastructure; Secure Login Client with Smart Card, USB Token and Microsoft Crypto Store as security tokens; SAP GUI and Web GUI; SAP NetWeaver Platform with the Secure Login Library; Kerberos Infrastructure providing the Kerberos token; authentication and secure communication between client and platform.)

The Secure Login Client is responsible for certificate-based and Kerberos-based authentication to the SAP application server.

Authentication Methods

In a system environment without Secure Login Server, the Secure Login Client supports the following authentication methods:

- Smart Card and USB tokens with an existing PKI certificate
- Microsoft Crypto Store (Certificate Store)
- Kerberos token

Workflow for X.509 Certificates
The following figure shows the principal workflow and communication between the individual components.

Figure: Principal Workflow (PKI Infrastructure; Secure Login Client with Smart Card, USB Token, Microsoft Crypto Store; Security Token; SAP NetWeaver Platform with Secure Login Library; steps: 1 Start connection and get SNC name, 2 Client maps SNC name to authentication profile, 3 Unlock Security Token, 4 Security Token, 5 Client provides certificate to SAP GUI application, 6 Authentication and secure communication)

1. Upon connection start, the Secure Login Client retrieves the SNC name from the desired SAP server system.
2. The Secure Login Client uses the authentication profile for this SNC name.
3. The user unlocks the security token by entering the PIN or password.
4. The Secure Login Client receives the X.509 certificate from the user security token.
5. The Secure Login Client provides the X.509 certificate for SAP single sign-on and secure communication between SAP Client and SAP Server.
6. The user is authenticated and the communication is secured.

Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto engines. The Crypto Service Provider (CSP) from SAP is such a plug-in. It provides the user keys to all CAPI-enabled applications.

Workflow for Kerberos Token
The following figure shows the principal workflow and communication between the individual components.

Figure: Principal Workflow Kerberos Authentication

1. Upon connection start, the Secure Login Client retrieves the SNC name (Service Principal Name) from the respective SAP server system.
2. The Secure Login Client starts at the Ticket Granting Service a request for a Kerberos Service token.
3. The Secure Login Client receives the Kerberos Service token.
4. The Secure Login Client provides the Kerberos Service token for SAP single sign-on and secure communication between SAP Client and SAP server.
5. The user is authenticated and the communication is secured.

1.3 System Overview with Secure Login Server
The main feature of the Secure Login Server is to provide an out-of-the-box PKI for users and application server systems (for example, SAP NetWeaver). Based on the industry standard X.509v3, the certificates can be used for non-SAP systems as well. Users receive short term X.509 certificates. For the application server, long term X.509 certificates are issued. In order to provide user certificates, the user needs to be authenticated (verified by the Secure Login Server). Therefore the Secure Login Server supports several authentication server systems. The Secure Login Server provides client authentication profiles to the Secure Login Client, which allows flexible user authentication configurations (for example, which authentication type should be used for which SAP application server).

The Secure Login Server is a pure Java application. It consists of a servlet and a set of associated classes and shared libraries. It is installed on an SAP NetWeaver application server.

Main System Components
The following figure shows the Secure Login system environment with the main system components.

Figure: Secure Login System Environment

The Secure Login Client is responsible for the certificate-based logon to the SAP application server and encryption of the SAP client/server communication. The Secure Login Server is the central server component that connects all parts of the system. It enables authentication against an authentication Server and provides the Secure Login Client with a short term certificate.

Authentication Methods
Secure Login supports several authentication methods. It uses the Java Authentication and Authorization Service (JAAS) as a generic interface for the different authentication methods. For each supported method, there is a corresponding configurable JAAS module. The following authentication methods are supported:
- Microsoft Active Directory Service (ADS)
- RADIUS
- RSA SecurID token
- LDAP
- SAP ID-based logon
- SAP NetWeaver AS Java User Management Engine
- SAP NetWeaver AS Java SPNego

Workflow with X.509 Certificate Request
The following figure shows the principal workflow and communication between the individual components.

Figure: Principal Workflow

1. Upon connection start, the Secure Login Client gets the SNC name from the desired SAP server system.
2. The Secure Login Client uses the client policy for this SNC name.
3. The Secure Login Client receives the user login credentials.

4. The Secure Login Client generates a certificate request.
5. The Secure Login Client sends the user credentials and the authentication request to the Secure Login Server.
6. The Secure Login Server forwards the user credentials to the authentication server and receives a response indicating whether the user credentials are valid or not.
7. If the user credentials are valid, the Secure Login Server generates a user certificate (certificate response) and provides it to the Secure Login Client.
8. Secure Login Client provides the certificate to SAP GUI.
9. The user certificate is used to perform an authentication, single sign-on, and secure communication between SAP client and server.

The Secure Login Server can connect to more than one authentication server.

1.4 Instances
The Secure Login instances feature allows multiple instances running on the same server. The Secure Login Client authentication profiles can be configured to use different Secure Login Server instances for different authentication methods. Secure Login Server instances can use a common user CA certificate for one or more instances, or you can set an individual user CA certificate (PKI) for each instance.

Figure: Instances Examples

It is still possible to use several Secure Login Servers and/or authentication servers for failover. The main advantage of using instances is that the time spent on maintaining Secure Login is reduced to a minimum.

1.5 PKI Structure
There are different integration scenarios available for Secure Login Server.

Out-of-the-Box PKI
Secure Login Server provides standard X.509 certificates for users (short term) and application server (long term). The following out of the box PKI structure can be delivered with the Secure Login Server.

Figure: Secure Login Server PKI Structure

PKI Integration
As the Secure Login Server is based on industry standard X.509v3, it is possible to integrate the Secure Login Server to an existing PKI. The required minimum is to provide a user CA certificate to the Secure Login Server.

Figure: Secure Login Server Integration with an Existing PKI

1.6 Secure Communication
The goal of the Secure Login solution is to establish secure communication between all required components:

Figure: Secure Communication

Technology Used for Secure Communication
From | To | Security Protocol / Interface
SAP GUI | SAP NetWeaver | DIAG/RFC (SNC)
Business Explorer | SAP NetWeaver | DIAG/RFC (SNC)
Business Client | SAP NetWeaver | DIAG/RFC (SNC), HTTPS
Web GUI | SAP NetWeaver | HTTPS (SSL)
Secure Login Client | Secure Login Server | HTTPS (SSL)
Secure Login Server | LDAP Server | LDAPS (SSL)
Secure Login Server | SAP NetWeaver | RFC (SNC)
Secure Login Server | RADIUS Server | RADIUS (shared secret)

1.7 Policy Server Overview
Secure Login Client configuration is profile-based. The application contexts and profiles are stored in the Microsoft Windows Registry of the client. You define these parameters in the XML policy file. You can configure the application contexts to provide a mechanism for automatic application-based profile selection. The system then searches the application contexts for specific personal security environment universal resource identifiers (PSE URIs). If no matching PSE URI is found, a default application context that links to a default profile can be defined.

Figure: Default Application Context and Profile

1.8 Secure Login Web Client
Secure Login Web Client is a feature of the Secure Login Server. It is a Web-based solution for the authentication of users in Web browsers (in portal scenarios) on a variety of platforms and for launching SAP GUI with SNC security. You also use it for authentication against SAP NetWeaver Web Application Server. After the authentication process, the Secure Login Web Client starts the SAP GUI. This means that the client is no longer limited to Microsoft Windows, but Mac OS X and Linux-based client systems can be used as well. Another use case is providing short term certificates to external employees (for example, to external consultants).

The following main features are available:
- Browser-based authentication (including all authentication server support)
- Support for SAP GUI for Microsoft Windows and SAP GUI for Java
- Certificate store support for Microsoft Internet Explorer and Mozilla Firefox browser
- URL redirect
- X.509 authentication support to SAP Web application server
- Localization and customization of HTML pages and applet messages

Differences between Secure Login Client and Secure Login Web Client:
- With Secure Login Client the required security library is available. With Secure Login Web Client the security library needs to be downloaded in a Web browser application.
- With Secure Login Client, the authentication process and secure communication can be triggered on demand (for example, in SAP GUI). The Secure Login Web Client triggers an authentication process and secure communication.

1.8.1 Export Restrictions
At the start of the Secure Login Web Client, it transfers components that are required for authentication and for a secure network connection from the server to the client. The Secure Login Web Client contains components with cryptographic features for authentication and for a secure server/client network connection. Under German export control regulations, these components are classified with ECCN 4D003. If the Secure Login Server and the Secure Login Web Client are installed in different countries, you are obliged to make sure that you abide by the export and import regulations of the countries involved. If server and client are not located in the same country a transfer takes place that requires compliance with applicable export and import control regulations.

2 Secure Login Server Installation
This chapter describes how to install Secure Login Server. The installation can be done using the Telnet application or with the Software Delivery Tool.

2.1 Prerequisites
This chapter describes the prerequisites and requirements for the installation of Secure Login Server. The SAP NetWeaver Application Server must be up and running.

Hardware Requirements
Secure Login Server | Details
Hard disk space | 50 MB of hard disk space; HDD space for log files
Random-access memory | 1 GB RAM at minimum

Software Requirements
Secure Login Server | Details
Application server | SAP NetWeaver CE 7.2, SAP NetWeaver 7.3

Optional: Secure Login Library
The Secure Login Library installation is optional and required for SAP user authentication only. The Secure Login Library will be used to establish secure communication to SAP NetWeaver Application Server ABAP to verify SAP credentials. For operating system support see the Installation, Configuration and Administration Guide of the Secure Login Library.

Secure Login Web Client | Details
Operating systems | Microsoft Windows 7, Vista, XP (32-bit); SUSE Linux Enterprise Desktop 11; Mac OS X 10.5, 10.6
Java | SUN Java 1.5 or higher browser plug-in
Internet browser (32-bit) | Microsoft Internet Explorer 7, 8, 9; Mozilla Firefox 3.6 and higher

Supported Authentication Servers
Secure Login Server | Details
LDAP server system | Microsoft Active Directory System 2003, 2008; openLDAP
SAP server system | SAP NetWeaver Application Server ABAP 6.20 or higher version
RADIUS server system | RSA Authentication Manager 6.1 and 7.1; freeRADIUS; Microsoft Network Policy and Access Services (NPA); Microsoft Internet Authentication Service (IAS)
SAP NetWeaver AS Java User Management Engine (UME) | BasicPasswordLoginModule

2.1.1 Secure Login Library
The Secure Login Library installation is optional and is required for SAP NetWeaver Application Server user authentication only. The Secure Login Library is used to establish secure communication to SAP ABAP server and to verify SAP credentials. This document describes the installation for Microsoft Windows and Linux operating system. Keep in mind that there are different Secure Login Library software packages available depending on the desired operating system.

Secure Login Library for Microsoft Windows Operating System

Step 1 – Copy Library Files
Copy the Secure Login Library software for Microsoft Windows to the target SAP NetWeaver Application Server and extract the file SECURELOGINLIB.SAR with the SAPCAR command line tool to the following folder.
sapcar -xvf <source_path>\SECURELOGINLIB.SAR -R <ASJava_installation>\exe\
Example
sapcar -xvf D:\InstallSLS\SECURELOGINLIB.SAR -R D:\usr\sap\ABC\J00\exe\
Check if the folder <ASJava_installation>\exe, which is used by Secure Login Library, is included in the Java library path. Verify the Java Library Path (libpath) in the trace file <ASJava_installation>\work\dev_jstart.

Step 2 – Environment Variable SECUDIR
Set the system environment variable SECUDIR to the following directory:
SECUDIR=<ASJava_installation>\sec
Example
SECUDIR=D:\usr\sap\ABC\J00\sec

Step 3 – Verify Secure Login Library
To verify the Secure Login Library, use the snc command:
<ASJava_installation>\exe\snc.exe
Example
D:\usr\sap\ABC\J00\exe\snc.exe
As a result, you get further information about the Secure Login Library. The test is successful if the version is displayed.

Figure: Verify Secure Login Library with the Command snc

Step 4 – Restart SAP NetWeaver Application Server
In an installation under Microsoft Windows, restart the SAP NetWeaver Application Server because the environment variable SECUDIR does not take effect unless you perform a restart.

Secure Login Library for Linux Operating System

Step 1 – Copy Library Files
Copy the Secure Login Library software for Linux to the target SAP NetWeaver Application Server and extract the file SECURELOGINLIB.SAR with the SAPCAR command line tool to the following folder.
sapcar -xvf <source_path>/SECURELOGINLIB.SAR -R <ASJava_installation>/exe/
Example
sapcar -xvf /InstallSLS/SECURELOGINLIB.SAR -R /usr/sap/ABC/J00/exe
Check if the folder <ASJava_installation>/exe, which is used by Secure Login Library, is included in the Java library path. Verify the Java library path (libpath) in the trace file <ASJava_installation>/work/dev_jstart.

Step 2 – Define File Attributes
To use shared libraries in a shell, it is necessary to set the file permission attributes with the following command:
chmod +rx <ASJava_installation>/exe/snc lib*
Example
chmod +rx /usr/sap/ABC/J00/exe/snc lib*

Step 3 – Define File Owner
Grant access rights to the user account that is used to start the SAP application (for example, <SID>adm). Change to the folder <ASJava_installation>/exe/ and use the following command:
chown [OWNER]:[GROUP] *
Example
chown abcadm:sapsys *

Step 4 – Verify Secure Login Library
To verify the Secure Login Library use the snc command (with user <SID>adm):
<ASJava_installation>/exe/snc
Example

/usr/sap/ABC/J00/exe/snc

As a result, further information about the Secure Login Library should be displayed.
The test is successful if the version is displayed.

Figure: Verify Secure Login Library with the snc Command
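The following script is an added example (not SAP's own tooling) that checks the outcome of steps 1 to 3 above on a Linux host: the exe folder appears in the Java library path recorded in dev_jstart, snc and lib* carry read and execute permissions, and the files belong to the account that starts the SAP application. The trace excerpt, file names and directory layout in run_demo() are constructed, and the "libpath = a:b" line format is an assumption about the dev_jstart trace.

```python
"""Post-installation check for the Secure Login Library on Linux.

Added example, not SAP's own tooling. The dev_jstart excerpt, the file
names and the directory layout built in run_demo() are constructed; the
'libpath = a:b' line format is an assumption about the trace file.
"""
import os
import shutil
import stat
import tempfile

# read + execute for owner, group and others: what 'chmod +rx' grants
# with the usual umask of 022
NEEDED_BITS = (stat.S_IRUSR | stat.S_IXUSR | stat.S_IRGRP | stat.S_IXGRP
               | stat.S_IROTH | stat.S_IXOTH)


def libpath_contains(trace_text, exe_dir):
    """True if a 'libpath = ...' line of the trace lists exe_dir."""
    wanted = exe_dir.rstrip("/")
    for line in trace_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "libpath":
            continue
        entries = [e.strip().rstrip("/") for e in value.split(":")]
        if wanted in entries:
            return True
    return False


def is_library_file(name):
    """Files that step 2 and step 3 address: the snc tool and lib*."""
    return name == "snc" or name.startswith("lib")


def check_permissions(exe_dir):
    """Names of snc/lib* files in exe_dir that are not readable and
    executable for everyone."""
    bad = []
    for name in sorted(os.listdir(exe_dir)):
        if not is_library_file(name):
            continue
        mode = os.stat(os.path.join(exe_dir, name)).st_mode
        if mode & NEEDED_BITS != NEEDED_BITS:
            bad.append(name)
    return bad


def check_owner(exe_dir, uid, gid):
    """Names of snc/lib* files in exe_dir that are not owned by uid:gid."""
    wrong = []
    for name in sorted(os.listdir(exe_dir)):
        if not is_library_file(name):
            continue
        st = os.stat(os.path.join(exe_dir, name))
        if st.st_uid != uid or st.st_gid != gid:
            wrong.append(name)
    return wrong


def run_demo():
    """Build a constructed <ASJava_installation> layout in a temporary
    directory, run the three checks and return the findings."""
    root = tempfile.mkdtemp(prefix="sls_demo_")
    try:
        exe_dir = os.path.join(root, "exe")
        work_dir = os.path.join(root, "work")
        os.makedirs(exe_dir)
        os.makedirs(work_dir)
        # constructed files: snc and one library are fine, one library is
        # missing the execute bit, README is not covered by the checks
        for name, mode in (("snc", 0o755), ("libdemo_ok.so", 0o755),
                           ("libdemo_noexec.so", 0o644), ("README", 0o644)):
            path = os.path.join(exe_dir, name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder\n")
            os.chmod(path, mode)
        # constructed dev_jstart excerpt listing the exe folder in libpath
        trace_path = os.path.join(work_dir, "dev_jstart")
        with open(trace_path, "w") as fh:
            fh.write("trc file: dev_jstart (constructed excerpt)\n")
            fh.write("libpath = /usr/lib:" + exe_dir + "\n")
        with open(trace_path) as fh:
            trace_text = fh.read()
        dir_stat = os.stat(exe_dir)  # the ids the files were created with
        return {
            "libpath_ok": libpath_contains(trace_text, exe_dir),
            "bad_permissions": check_permissions(exe_dir),
            "wrong_owner": check_owner(exe_dir, dir_stat.st_uid,
                                       dir_stat.st_gid),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

On a real system, point the checks at <ASJava_installation>/exe and <ASJava_installation>/work/dev_jstart and pass the uid and gid of <SID>adm to check_owner.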


2.2 Secure Login Server Installation with Telnet
1.) Copy the file SECURE_LOGIN_SERVER00_0.sca to the target SAP NetWeaver
Application Server.
2.) Start a Telnet session.
telnet localhost 5<instance_number>08
Example
telnet localhost 50008

3.) Deploy the Secure Login Server package.
deploy <source>\SECURE_LOGIN_SERVER0SP_0.sca
Microsoft Windows Example
deploy D:\InstallSLS\SECURE_LOGIN_SERVER0SP_0.sca
The Secure Login Server application will be started automatically.
Start the initial configuration described in section 2.6 Initial Configuration Wizard.

List of Useful Telnet Commands
Action | Command
Deploy Application | deploy SECURE_LOGIN_SERVER0SP_0.sca
Undeploy Application | undeploy name=SecureLoginServer vendor=sap.com
List Application | list_app | grep SecureLoginServer
Stop Application | stop_app sap.com/SecureLoginServer
Start Application | start_app sap.com/SecureLoginServer


2.3 Secure Login Server Installation with JSPM
1.) Copy the file SECURE_LOGIN_SERVER0SP_0.sca to the target SAP NetWeaver
Application Server.
The target folder location is \\localhost\sapmnt\trans\EPS\in
Microsoft Windows
<drive>\usr\sap\trans\EPS\in
Linux
/usr/sap/trans/EPS/in

2.) Start the JSPM application (SAP Software Delivery Tool) on SAP NetWeaver Application
Server.
Microsoft Windows
<ASJava_Installation>\j2ee\JSPM\go.bat
Linux
<ASJava_Installation>/j2ee/JSPM/go
3.) Log on to SAP NetWeaver AS Java with a user with administration privileges.


4.) Choose the New Software Components option.
5.) Select sap.com/SECURE_LOGIN_SERVER.

6.) Start the deployment process.
7.) After the deployment finishes, exit the JSPM application.

2.4 Secure Login Server Uninstallation
This chapter describes how to uninstall Secure Login Server.
1.) Start a Telnet session.
telnet localhost 5<instance_number>08
Example
telnet localhost 50008
2.) Stop the Secure Login Server application.
stop_app sap.com/SecureLoginServer
3.) Undeploy the Secure Login Server package.
undeploy name=SecureLoginServer vendor=sap.com

2.5 Updating the Secure Login Server to SP2
In SAP Note 1660519 you find a description that tells you how to update the Secure Login Server to SP1. During the installation, the following files are deleted:
- config.properties file
- userenv.registry
Make a backup of these files before you execute an installation. Uninstall the Secure Login Server in Telnet. After the installation, copy the files to the relevant directories. After the installation, restart the system. You see the current version number of the Secure Login Server in the parameter Server Build. The entry REL_1_0_2_20 stands for SP2 (see 3.3.9 Server Status).

2.6 Initial Configuration Wizard
After the deployment of Secure Login Server an initial configuration is required.

2.6.1 Initial Configuration
This section describes the initial configuration of the Secure Login Server. Before starting the Initial Configuration Wizard, verify that the Secure Login Server application is running. For security reasons, the initial configuration of the Secure Login Server can be performed on local host only (same server computer on which the Secure Login resides). If a GUI (for example, Linux without X-Win) is not available, use an SSH localhost tunnel configuration for accessing the wizard. For more information, see section 2.6.3 Configure SSH Tunnel. If, however, you want to perform the initialization and configuration from a remote location, you must manually enable this feature by editing the Secure Login web.xml file. For more information, see section 2.6.2 Enable Remote Access for Initial Wizard.

Start the initial configuration using the browser URL:
http://localhost:5<instance_number>00/securelogin

Welcome Page
In the welcome page a prerequisite check is performed. Verify all prerequisites. If everything is OK, choose Continue.

Figure: Initial Configuration Wizard – Welcome Page

Key File for Encryption of Server Credentials
The key file is a file on the server with random content and is used to secure password information in configuration files. You can use any kind of file type which is larger than 32 bytes. You must create or copy the file to the desired location on the server and define it in this configuration step. Define the location of the key file.
Example: D:\usr\sap\ServerKeyFile\KeyFile.txt

Figure: Initial Configuration Wizard – Key file for server credentials encryption

There is a check whether the key file is available. Keep in mind that, in case the key file is changed or not available, it is not possible to log on to the Secure Login Administration Console. The Secure Login Server does not work anymore and is locked. After the configuration, choose Next to continue.

Administrator Account
Define the password for the administration user Admin.

Figure: Initial Configuration Wizard – Administrator Account

Entries marked with * are mandatory. Passwords used in Secure Login Server are restricted by the password policy definition.
- Passwords cannot be empty
- Passwords must have a length between 8 to 20 characters
- Passwords must contain at least one uppercase letter
- Passwords must contain at least one lowercase letter
- Passwords must contain at least one digit
- Passwords must contain at least one special character
After the configuration, choose Next to continue.
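The checker below is an added example (not SAP's code) that applies the six policy rules above to a candidate password and reports every rule it violates, so an administrator can see all problems of a password at once. The page does not define which characters count as special; the example treats any character that is neither a letter, a digit nor whitespace as special, which is an assumption.

```python
"""Checker for the Secure Login Server password policy (added example,
not SAP's code). The set of 'special' characters is an assumption:
anything that is not a letter, digit or whitespace."""


def check_password_policy(password):
    """Return the list of policy rules the password violates
    (an empty list means the password is acceptable)."""
    if password == "":
        # an empty password breaks every other rule too; report only this one
        return ["password cannot be empty"]
    violations = []
    if not 8 <= len(password) <= 20:
        violations.append("length must be between 8 and 20 characters")
    if not any(c.isupper() for c in password):
        violations.append("at least one uppercase letter required")
    if not any(c.islower() for c in password):
        violations.append("at least one lowercase letter required")
    if not any(c.isdigit() for c in password):
        violations.append("at least one digit required")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        violations.append("at least one special character required")
    return violations


def is_policy_compliant(password):
    """True if the password satisfies every rule of the policy."""
    return not check_password_policy(password)


if __name__ == "__main__":
    # constructed sample passwords, not real credentials
    for sample in ("", "short1!", "Admin-Pass-2011", "alllowercase1!",
                   "A" * 19 + "a1!"):
        print(repr(sample), check_password_policy(sample))
```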

Create Root CA Certificate
Define the parameter for the root CA certificate.

Figure: Initial Configuration Wizard – Create Root CA

Entries marked with * are mandatory.

Option | Details
Create a Root CA by providing certificate information
Common Name* | Enter the common name of the certificate (CN). Example: Root CA SAP Security
Organization Unit | Enter the division of the company in this field (OU). Example: SAP Security Department
Organization | Enter the company name in this field (O). Example: Company xyz
Locality | Enter the regional information in this field (L). Example: Walldorf
Country | Enter the country abbreviation in this field (C). Example: DE
Encryption Key Length | Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).

Valid From* | Enter the date from when the validity of this certificate starts (format: YYYY-MM-DD).
Valid To* | Enter the date when the validity of this certificate ends (format: YYYY-MM-DD).
Password* | In this field you enter the password for this certificate. The password length is limited to 20 characters.
Save Password | If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Confirm Password* | Confirm the encryption password entered in the field above.
Import an Existing Key Store File | Checking this option displays the following options:
KeyStore File* | Click Browse… to locate and load an existing KeyStore file (File Format is: *.pse).
Password* | The password for the KeyStore (PSE) file.
Save Password | If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Skip this certificate | Check this option if you do not want to or do not need to enter any information for this specific certificate at this time. You can create or add certificate information at a later time in the Certificate Management function of the Administration Console.
Skip all PKI certificates | Check this option if you do not want to or do not need to enter information for any certificate at this time. This means you skip all the PKI certificates including the Root CA, SSL CA, SSL Server, and User CA certificates.

After the configuration, choose Next to continue.

Select the SSL Certificate Generation Type
Choose an option for the SSL certificate.

Figure: Initial Configuration Wizard – Select the SSL Certificate Generation Type

Option | Details
Generate an SSL certificate using the Secure Login Administration Console | The SSL certificates for the SAP NetWeaver Application Server (or other Web application server) are created using the Secure Login Administration Console.
Skip all SSL certificates | Check this option if you do not want to or do not need to enter information for SSL certificates at this time. It is possible to install or import SSL certificates later on using the administration console, Certificate Management. For more information, see section 3.3.3 Certificate Management.

After having chosen an option configuration, choose Next to continue.

Create SSL CA Certificate
This step is optional and is only available if the option Generate an SSL certificate using the Secure Login administration console was chosen.

Figure: Initial Configuration Wizard – Create SSL CA Information

Entries marked with * are mandatory.

Option | Details
Create a SSL CA by providing certificate information
Common Name* | Enter the common name of the certificate (CN). Example: SSL CA SAP Security
Organization Unit | Enter the division of the company in this field (OU). Example: SAP Security Department
Organization | Enter the company name in this field (O). Example: Company xyz
Locality | Enter the regional information in this field (L). Example: Walldorf
Country | Enter the country abbreviation in this field (C). Example: DE
Encryption Key Length | Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).

Valid From* | Enter the date when the validity of the certificate starts (format: YYYY-MM-DD).
Valid To* | Enter the date when the validity of the certificate ends (format: YYYY-MM-DD).
Password* | Enter the password for this certificate in this field. The password length is limited to 20 characters.
Save Password | If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Confirm password* | Confirm the encryption password entered in the field above.
Import an Existing Key Store File | Checking this option displays the following options:
KeyStore File* | Click Browse… to locate and load an existing Key Store File (file format: *.pse).
Password* | The password for the KeyStore (PSE) file.
Save Password | If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.
Skip this certificate | Check this option if you do not want to or do not need to enter any information for this specific certificate at this time.

After the configuration, choose Next to continue.

Create SSL Server Certificate
This step is optional and is only available if you chose the option Generate an SSL certificate using the Secure Login administration console.

Figure: Initial Configuration Wizard – SSL Server Information

Entries marked with * are mandatory.

Option | Details
Create an SSL server by providing certificate information
Common Name* | Enter the common name of the certificate (CN). Typically this is the Fully Qualified Domain Name (FQDN). Example: ServerName@FQDN.local
Subject Alternative Names (DNS) | Enter the alternative name in this field. Example: Alias Server Name
Organization Unit | Enter the division of the company in this field (OU). Example: SAP Security Department
Organization | Enter the company name in this field (O). Example: Company xyz
Locality | Enter the regional information in this field (L). Example: Walldorf
Country | Enter the country abbreviation in this field (C). Example: DE
Encryption Key Length | Select the encryption key length for the server (512,

1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Enter the date when the validity of the certificate
starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of the certificate ends
(format: YYYY-MM-DD).
Password*
In this field, you enter the password for this certificate.
The password length is limited to 20 characters.
Save Password
If this checkbox is activated, this password will be
stored. This means that you do not need to remember
the password when editing this certificate at a later
date.
Confirm Password*
Confirm the encryption password entered in the field
above.
Import an Existing Key
Store File

Checking this option displays the following options:

KeyStore File*
Click Browse… to locate and load an existing
KeyStore file (file format: *.p12).
Password*
The password for the KeyStore file.
Save Password
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.
Skip this certificate

Check this option if you do not want or do not need to
enter any information for this specific certificate at this
time.

After the configuration, choose Next to continue.


Create User CA Certificate
Define the parameter for the user CA certificate.

Figure: Initial Configuration Wizard – User CA Information
Entries marked with * are mandatory.

Option

Details

Create a user CA by
providing certificate
information

Common Name*
Enter the common name of the certificate (CN).
Example: User CA SAP Security
Organization Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512,
1024, 1536, 2048, 3072, or 4096 bits).


Valid From*
Enter the date when the validity of the certificate
starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of the certificate ends
(format: YYYY-MM-DD).
Password*
In this field you enter the password for this certificate.
The password length is limited to 20 characters.
Save Password
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.
Confirm Password*
Confirm the encryption password entered in the field
above.
Import an Existing Key
Store File

Checking this option displays the following options:

KeyStore File*
Click Browse… to locate and load an existing
KeyStore file (file format: *.pse).
Password*
The password for the KeyStore (PSE) file.
Save Password
If this checkbox is activated, this password will be
stored. This means that you do not need to remember
the password when editing this certificate at a later
date.
Skip this certificate

Check this option if you do not want or do not need to
enter any information for this specific certificate at this
time.

After the configuration, choose Next to continue.


Define Server Configuration
Define the parameters for the User Certificate Configuration and Application Information. The other configuration parameters are read-only (for verification reasons).

Figure: Initial Configuration Wizard – Server Configuration

Entries marked with * are mandatory.

Option | Details
User Certificate Configuration
DN.organizationalUnit | Enter the division of the company in this field (OU). Example: SAP Security Department
DN.organization | Enter the company name in this field (O). Example: Company xyz
DN.locality | Enter the regional information in this field (L). Example: Walldorf
DN.country | Enter the country abbreviation in this field (C). Example: DE
ValidityMinutes* | Information for a temporary certificate: The period of time (in minutes) that the user certificate is valid.

Application Information

ServerHostName
FQDN name or IP address of this server. This parameter is used for the client policy definition and can be used for centrally changing the server host name in the instance configuration of the Secure Login Server.

ServerPort
Port of this server. This parameter is used for the client policy definition and can be used for centrally changing the server port in the instance configuration of the Secure Login Server.

Secure Login User CA Key Store (read-only)

PseName
The user CA key store file path. If you created a user CA in the previous step, the file path is shown here.

Authentication Server Configuration (read-only)

AuthConfigPath
Authentication server configuration file for the Secure Login Server.

Log Configuration (read-only)

DailyLogDir
In this log path the user authentication information for the default instance is logged (for example, the user authentication was successful).

MonthlyLogDir
In this log path the instance information for the default instance is logged (for example, the default instance was started successfully).

AdminConsoleLogDir
In this log path the admin console information for the Secure Login Administration Console is logged (for example, the default instance configuration was changed).

LockDir
The path to which the lock file is saved. A lock file is created when the server encounters an internal error that requires manual intervention.

After the configuration, choose Next to continue.

Setup Review

Verify the action points and choose the Finish pushbutton to complete the initial wizard configuration.

Figure: Initial Configuration Wizard – Setup Review

Finish Setup

After successful setup configuration this page appears.

Figure: Initial Configuration Wizard – Congratulations

Restart the Secure Login Server application. Use the Telnet application to stop and start the Secure Login Server application (for more information, see section 2.2 Secure Login Server Installation with Telnet). Another possibility in the Microsoft Windows environment is to use the SAP Management Console (sapmmc) application: under AS Java Components, choose the application sap.com/SecureLoginServer and restart the application.

Microsoft Windows SAP Management Console

In the Microsoft Windows environment the SAP Management Console (sapmmc) can be used to restart the Secure Login Server application. Mark the application sap.com/SecureLoginServer and choose the option Restart (right-click option).

Figure: SAP Management Console (sapmmc)

2.6.2 Enable Remote Access for Initial Wizard

This configuration step is optional and is only required if you want to perform the initial configuration from a remote computer. For security reasons we recommend performing the initial configuration on the local host (the same server computer on which the Secure Login Server resides).

In the configuration file web.xml, change the value of the parameter remoteAccess to true:

<init-param>
  <param-name>remoteAccess</param-name>
  <param-value>true</param-value>
</init-param>

The configuration file web.xml is available in the following place:

Microsoft Windows
<ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\servlet_jsp\securelogin\root\WEB-INF\web.xml

Linux
<ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/servlet_jsp/securelogin/root/WEB-INF/web.xml

It is required to restart the Secure Login Server application for the change to take effect. Once the initial configuration is complete, set remoteAccess back to false and restart the application again, so that the wizard is no longer reachable from the network.
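As an added example (not part of this guide and not code shipped with the Secure Login Server), the following Python script audits a web.xml for the remoteAccess init-param and resets it to false after the initial configuration. The embedded web.xml is constructed for the example; the servlet name and class in it are assumptions, only the init-param matters.

```python
# Added example, not part of the SAP guide: audit and reset the remoteAccess
# init-param of the Secure Login Server web.xml. SAMPLE_WEB_XML is constructed
# for this example; the servlet name and class in it are assumptions.
import xml.etree.ElementTree as ET

J2EE_NS = "http://java.sun.com/xml/ns/j2ee"
# Keep the default namespace on output instead of an ns0: prefix.
ET.register_namespace("", J2EE_NS)

SAMPLE_WEB_XML = f"""<web-app xmlns="{J2EE_NS}" version="2.4">
  <servlet>
    <servlet-name>securelogin</servlet-name>
    <servlet-class>com.example.SecureLoginWizard</servlet-class>
    <init-param>
      <param-name>remoteAccess</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _local(tag):
    """Return the local part of a possibly namespaced tag ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def _find_init_param(root, name):
    """Return the <init-param> element whose <param-name> equals name, or None."""
    for elem in root.iter():
        if _local(elem.tag) != "init-param":
            continue
        for child in elem:
            if _local(child.tag) == "param-name" and (child.text or "").strip() == name:
                return elem
    return None


def _param_value(param):
    """Return the <param-value> child of an <init-param>, or None."""
    for child in param:
        if _local(child.tag) == "param-value":
            return child
    return None


def remote_access_enabled(web_xml_text):
    """True if remoteAccess is 'true', False if set to anything else, None if absent."""
    param = _find_init_param(ET.fromstring(web_xml_text), "remoteAccess")
    if param is None:
        return None
    value = _param_value(param)
    if value is None:
        return None
    return (value.text or "").strip().lower() == "true"


def set_remote_access(web_xml_text, enabled):
    """Return web.xml text with remoteAccess set to 'true' or 'false'."""
    root = ET.fromstring(web_xml_text)
    param = _find_init_param(root, "remoteAccess")
    if param is None:
        raise ValueError("remoteAccess init-param not found")
    value = _param_value(param)
    if value is None:
        raise ValueError("remoteAccess init-param has no param-value")
    value.text = "true" if enabled else "false"
    return ET.tostring(root, encoding="unicode")


def audit(web_xml_text):
    """Return a one-line finding; 'ok' when the wizard is reachable locally only."""
    state = remote_access_enabled(web_xml_text)
    if state is None:
        return "remoteAccess not set (product default: local access only)"
    return "FINDING: initial wizard reachable from the network" if state else "ok"


if __name__ == "__main__":
    print(audit(SAMPLE_WEB_XML))
    hardened = set_remote_access(SAMPLE_WEB_XML, False)
    print(audit(hardened))
```

Run the audit against the real file after the initial configuration is finished; any result starting with FINDING means the wizard is still exposed and the file should be rewritten with set_remote_access(..., False) and the application restarted.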

2.6.3 Configure SSH Tunnel

This configuration step is optional and belongs to the Linux environment if no GUI is available. Because the wizard is then reached via localhost, this avoids enabling remoteAccess (see section 2.6.2). The localhost configuration can be performed using, for example, PuTTY. Configure the following parameters and choose Add.

Example: SSH tunnel configuration in PuTTY

Parameter
Value

Source Port
5<instance_number>00
Example: 50000

Destination
localhost:5<instance_number>00
Example: localhost:50000

After the SSH tunnel configuration, log on to this connection and perform the initial configuration. For more information, see section 2.6 Initial Configuration Wizard.

3 Administration

This chapter describes the configuration parameters in Secure Login Server.

3.1 Logon to Administration Console

To open the administration console, enter the following URL in a Web browser:

Communication
URL

Unsecured
http://<IP/FQDN>:5<instance_number>00/securelogin

Secured
https://<IP/FQDN>:5<instance_number><https_port>/securelogin

You find the https port in the SSL setting of the SAP NetWeaver configuration. The port number is usually 50001 (the https_port part corresponds to 01 in the table above). Use the secured URL for administration: over the unsecured URL the administrator credentials travel in clear text.

The logon page appears.

Figure: Administration Console – Logon Page

Enter your administration user name (for example, Admin) and your password.

Authentication type
Details

Local Login
Default user name/password combination authenticated in the administration console database.

External Login
User name/password combination authenticated in the authentication server database set in the JAAS module. Example: You can use the Microsoft Active Directory user database for logging on to the Secure Login Server administration console. For more information about the configuration, see section 3.3.2 Edit Login Type Setting.

3.2 Welcome Page

After successful logon, the welcome page appears. This page also appears when you click on Home.

Figure: Administration Console – Welcome Page

The administration console interface allows you to easily configure the server to your needs. The main area is split into three panes:

The top left-hand pane lists any tasks that have yet to be performed. For example, Connection must be HTTPS refers to the missing SSL connection between the console and the Secure Login Server, and Server needs to be restarted informs you that the configuration has been changed and you need to restart the Secure Login Server application for it to take effect.

The bottom left-hand pane is the main navigation tree. For easy reference, each node represents tasks that can be performed within the Secure Login Server framework.

The right-hand pane displays the details of any node selected in the left-hand pane.

In the top right-hand corner there are three entries that appear on every page in the console:

Change Password
This allows you to change the password for the current administrator/user account.

Logout
Use this link to log out of the console. The login page will reappear (see previous page).

About
Click this to view version information about the console.

The default console timeout is 10 minutes. You may be asked to re-enter your user name and password if you leave the administration console for a long time.

3.2.1 Change Password

This section describes how to change the account password for the administration console.

1. Choose Change Password in the title bar on any page.
2. The following dialog box appears:

Figure: Change Password

3. Enter the current password into the Old Password field.
4. Enter and confirm the new password into the fields New Password and Confirm New Password respectively.
5. Click OK.

The user admin is a permanent user that has the role super user and cannot be deleted. As a consequence, the admin user can log on to the system regardless of state (when a serious system error occurs), making sure that there is at least one user who can always access Secure Login to correct or configure the system. Because this account cannot be removed, protect its password with particular care.

3.3 Server Configuration

This section describes the server configuration page of the administration console. The Server Configuration page allows you to do the following:

View the server configuration.
Edit some of the server parameters.

Choose the Server Configuration node in the left-hand pane of the administration console. The following page appears:

Figure: Administration Console – Server Configuration

The following options can be viewed on this page:

Option

Details/Value

Edit

Click Edit to change the Administration Console Description,
Trace Configuration, and Client Configuration.
For more information, see section 3.3.1 Edit Server
Configuration.

Description

The description of this administration console.

Console Login Type

The current types of authentication available for log on to the
administration console. The configuration can be changed
using the button Edit Login Type.
For more information, see section 3.3.2 Edit Login Type
Setting.

External Login JAAS
Module

The current JAAS module used for External Login
authentication to the Administration Console.
For further information see section 3.3.2 Edit Login Type
Setting.

The Authentication File
Path
(read-only)

The authentication configuration file used by this server. This
configuration is for information purposes only.

Trust Certificates
Storage File
(read-only)

The Trust Store file (TrustStore.jks) used by this server.

Console Log Directory
(read-only)

The directory in which the console log file is located.

Console Log Prefix
(read-only)

The file prefix for the console log file.

Enable Server Trace

Enable Secure Login Server trace to provide extended
traces.
true
Trace enabled
false
Trace disabled
Default value is false.

Path to the Server Lock
File
(read-only)

Path where the lock files are written. A lock file is generated if
something went wrong with the Secure Login Server. In this
case the Secure Login Server is locked.

Host Server Domain
Name

The host name or IP of the computer from which the console
is being used for the Secure Login Client policy configuration
(for all client policy URLs).

Port

The port of this computer from which the console is being
used for the Secure Login Client policy configuration (for all
client policy URLs).
We recommend that you use an HTTPS (SSL) port.

CREDDIR
(read-only)

The directory in which the credentials are stored for the
Secure Login Library.

NativeLibraryPath
(read-only)

The directory where native libraries are stored for the Secure
Login Library.


3.3.1 Edit Server Configuration
Use the Edit button and the following page appears.

Figure: Administration Console – Edit Server Configuration
The following options can be set:
Option

Details/Value

Description

Here you can personalize the description for the
administration console.

Enable Server Trace

true
Write trace messages to the application server trace file
(defaultTrace_*.log).
false
Do not write trace messages to the application server trace
file.

Host Server Domain
Name

The host name or IP of the computer from which the console
is being used.

Port

The port of the computer from which the console is being
used. We recommend that you use an HTTPS (SSL) port.

Once you have changed any option, click Save to return to the Server Configuration page.


3.3.2 Edit Login Type Setting
Use the Edit Login Type button, and you get to the page that allows you to configure, delete,
or add the following login types:
Local Login
Default user name/password combination authenticated with the administration console
database.
External Login
User name/password combination authenticated in the authentication server database set in
the JAAS module. If this option is used, select the appropriate JAAS module in the External
Login Jaas Module combo box.
To add a login option to the administration console login page, proceed as follows:
1. Select a login type from the All Login Type field and choose >>Add. As a
consequence, it appears in the Current Login Type field.
2. Use the Up and Down buttons to move a login option up or down and thus define its
priority.
3. To delete a login option from the administration console login page, select a login
type from the Current Login Type field and choose <<Delete.
4. Choose Save to confirm any changes.

External Login JAAS Module
Several login modules are available. They can be used for the External Login option.
Available Login JAAS Module
Login Module

Remarks

SPNegoLoginModule

Uses Kerberos/SPNego. This is the default setting
of the Secure Login Server.

SecureLoginModuleLDAP

Uses LDAP server or MS-ADS server system.

SecureLoginModuleRADIUS

Uses RADIUS server.

SecureLoginModuleSAP

Uses SAP NetWeaver Application Server.

BasicPasswordLoginModule

Used for direct authentication with user name and
password. It is configured in the SAP NetWeaver
Administrator, and the UME provides the users.

Choose Save to confirm any changes.


3.3.3 Certificate Management

This section describes the Certificate Management page of the administration console. The Certificate Management page allows you to do the following:

Create certificates
View certificates
Export certificates
Import certificates

First decide whether the Secure Login Server should create and manage one or more public key infrastructures itself, whether an existing company PKI should be used on top, or whether you want a mixture of both. All of this is possible. You may want to have one Secure Login Server PKI below your enterprise PKI and two others independently created by Secure Login Server. Due to the flexibility of Secure Login Server, it is no problem to add, replace, or delete PKIs at any time.

Choose the Certificate Management node from the tree in the left-hand pane. The following page appears:

Figure: Administration Console – Certificate Management

Option
Details

PKI Tree
One or more tree views of independent PKIs. One DefaultPKITree named Root CA SAP Security is available here.

Create New Root CA
Define a display name for the new PKI and create a top-level Certification Authority (Root CA).

Certificate Information

Common Name
Common name of the selected certificate.

More Details
Further details of the X.509 certificate.

[PKI Information]

PKI Name
Displays the name of the PKI structure.

[CA Operations]
Selects the Certification Authority of a PKI for further management operations.

[Selection List]
The selection list allows you to associate the type of CA of the certificate. Each type can be associated only once.

Issue
Creates a new Certification Authority of this type (USER_CA, SAP_CA or SSL_CA).

Mapping to Instance
List of all instances and selections that are supposed to use this user CA. This option is available for user CAs only.

Change Password
Changes the password of the selected CA. A password must be given for each following management operation of this CA. The following special characters are not supported: ~`!@#$%^&*()_-+= }{:"?><.'[]\|

Remove Password
Removes the password of the selected CA.

[Export Certificate]
Exports the selected certificate.

Export Type
Chooses the export type for the certificate. Possible export types: .crt, .pse, .p12, .jks.

New Password
Defines the password of the exported certificate file. This option is not available if you choose the export type .crt.

[Import New PKI]
Imports the key store into the certificate list. Note: Only PSE files can be imported.

PKI Name
Displays the name of the new PKI the certificate belongs to.

Path
File path of the selected certificate file.

Browse
Opens a file browser to select the certificate file.

Save Password
Password protection status of the selected certificate file.

Open Password
Password that protects the certificate file.

Save Password
Allows you to save the password in the configuration file.

Create New PKI

Use this function to create a new internal PKI that has its own root CA certificate.

Enter a display name for the new PKI, for example NEW PKI, and choose Create New Root CA. Define the certificate parameters for the new root CA certificate and choose Create. Entries marked with an asterisk (*) are mandatory. The new PKI should then be available in the PKI tree.

Import New PKI

Use this function to create a new PKI that uses external CA certificates. This way it is also possible to create a PKI without having the issuing root CA stored inside the Secure Login Server.

1. Enter a display name for the new PKI, for example, ImportPKI.
2. Select the type of CA that shall be imported, for example, ROOT_CA.
3. Choose Browse… to open a file browser.
4. Locate and open the PSE file.
5. Enter the password for the PSE file in the field Open Password. As an option, you can choose to save the password.
6. Choose the Import pushbutton to complete.

The imported PKI should be available in the PKI tree.

Create SAP CA Certificate

Use this function to create an SAP CA certificate.

1. Choose the Root CA certificate in the PKI tree list.
2. Select the certificate type SAP_CA in [CA Operations].
3. Choose the Issue pushbutton and define the certificate parameters.

Figure: Administration Console – Create SAP CA Certificate

Entries marked with an asterisk (*) are mandatory.

Option
Details

Create SAP_CA – Subject Information

Common Name*
Enter the common name of the certificate (CN).
Example: SAP CA SAP Security

Organization Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department

Organization
Enter the company name in this field (O).
Example: Company xyz

Locality
Enter the regional information in this field (L).
Example: Walldorf

Country
Enter the country abbreviation in this field (C).
Example: DE

Encryption Key Length

Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits). Note that 512-bit and 1024-bit RSA keys are no longer considered secure; use at least 2048 bits, especially for a CA key.

Valid From*
Enter the date when the validity of the certificate starts (format: YYYY-MM-DD).

Valid To*
Enter the date when the validity of the certificate ends (format: YYYY-MM-DD).

Password*
In this field you enter the password for this certificate. The password length is limited to 20 characters.

Save Password
If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.

Confirm Password*
Confirm the encryption password entered in the field above.

Create SAP Server Certificate

Use this function to create a certificate for the SAP NetWeaver Application Server (AS).

1. Choose the SAP_CA certificate in the PKI tree list.
2. Select the certificate type SAP_Server in [CA Operations].
3. Choose the Issue pushbutton and define the certificate parameters.

Figure: Administration Console – Create SAP Server Certificate

Entries marked with an asterisk (*) are mandatory.

Option
Details

Specify the parameters of the SAP Server Certificate

Common Name*
Enter the common name of the certificate (CN).
Example: SAP SID

Organizational Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department

Organization
Enter the company name in this field (O).
Example: Company xyz

Locality
Enter the regional information in this field (L).
Example: Walldorf

Country
Enter the country abbreviation in this field (C).
Example: DE

Encryption Key Length
Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).

Valid From*
Enter the date when the validity of this certificate starts (format: YYYY-MM-DD).

Valid To*
Enter the date when the validity of this certificate ends (format: YYYY-MM-DD).

Password*
Enter the password for this certificate in this field. The password length is limited to 20 characters.

Save password to file
If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.

Confirm Password*
Confirm the encryption password entered in the field above.

Create SNC Certificate

Use this function to create a certificate for the SNC connection to the SAP NetWeaver Application Server (AS). Using this certificate the Secure Login Server establishes a secure communication with the SAP NetWeaver AS to verify SAP user credentials.

1. Choose the SAP_CA certificate in the PKI tree list.
2. Select the certificate type SNC_CERT in [CA Operations].
3. Choose the Issue pushbutton and define the certificate parameters.

Figure: Administration Console – Create SNC Certificate

Entries marked with an asterisk (*) are mandatory.

Option
Details

Create SNC_CERT – Subject Information

Common Name*
Enter the common name of the certificate (CN).
Example: SLSSNC

Organizational Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department

Organization
Enter the company name in this field (O).
Example: Company xyz

Locality
Enter the regional information in this field (L).
Example: Walldorf

Country
Enter the country abbreviation in this field (C).

Example: DE

Encryption Key Length
Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).

Valid From*
Enter the date when the validity of this certificate starts (format: YYYY-MM-DD).

Valid To*
Enter the date when the validity of this certificate ends (format: YYYY-MM-DD).

Password*
In this field, you enter the password for this certificate. The password length is limited to 20 characters.

Save password to file
If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.

Confirm Password*
Confirm the encryption password entered in the field above.

Create Login Certificate

Use this function to create a login certificate for the Secure Login administration console. With it, the Secure Login Administrator establishes a certificate-based login to the Administration Console.

1. Choose the SAP_CA certificate in the PKI tree list.
2. Select the certificate type LOGIN_CERT in [CA Operations].
3. Choose the Issue pushbutton and define the certificate parameters.

Figure: Administration Console – Create Login Certificate

Entries marked with an asterisk (*) are mandatory.

Option
Details

Create LOGIN_CERT – Subject Information

Common Name*
Enter the common name of the certificate (CN).
Example: Username

Organizational Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department

Organization
Enter the company name in this field (O).
Example: Company xyz

Locality
Enter the regional information in this field (L).
Example: Walldorf

Country
Enter the country abbreviation in this field (C).

Example: DE (for Germany)

Encryption Key Length
Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).

Valid From*
Enter the date when the validity of this certificate starts (format: YYYY-MM-DD).

Valid To*
Enter the date when the validity of this certificate ends (format: YYYY-MM-DD).

Password*
In this field you enter the password for this certificate. The password length is limited to 20 characters.

Save password to file
If this checkbox is activated, this password is stored. This means that you do not need to remember the password when editing this certificate at a later date.

Confirm Password*
Confirm the encryption password entered in the field above.

Subject Alternative Names (E-mail)*
This field is used to map the certificate to a user.
Example: LoginCert_Admin
For more information, see section 4.6 Configure SSL Certificate Logon.

This login certificate needs to be imported into a browser application. Therefore export this certificate in *.p12 format and import it into your browser application. In addition, it is required to assign this login certificate to a user (user mapping). For more information, see section 4.6 Configure SSL Certificate Logon.

Export Certificate

Use this function to export any kind of certificate in the PKI list.

1. Choose the desired certificate in the PKI tree list, for example SAP_CA.
2. Select the Export Type, for example .pse.
3. Define the password of the exported certificate file.
4. Choose the Export pushbutton to save the file to the desired location.

Option
Details

Export Type

.crt
Exports the public certificate information.

.pse
Exports the certificate in PSE format. This file includes all keys and all certificates of the complete certificate chain used.

.p12
Exports the certificate in P12 format. This file includes all keys and all certificates of the complete certificate chain.

.jks
Exports the certificate in Java Key Store format.

The .pse and .p12 exports contain private keys, so always set an export password, transfer the file only over a protected channel, and delete the exported copy once it has been imported at its destination.

Import Certificate

If a certificate entry in the list is grayed out, it means this certificate is not present. Use the import function to load a new certificate when one is available. Imported certificates need to be part of the PKI structure: a trust relation to an existing root CA certificate, for example Root CA SAP Security, is required. In case the desired certificate has no trust relation to the root CA certificate, the error message Trust connection cannot be established with ROOT CA appears.

1. Choose the desired certificate in the PKI tree list.
2. Choose Browse… to open a file browser.
3. Locate and open the PSE file.
4. Enter the password for the PSE file in the field Open Password. As an option, you can choose to save the password.
5. Choose the Import pushbutton to complete your import.

3.3.4 Trust Store Management

The Trust Store is used to declare a certificate as coming from a trusted source so that it can be used with Secure Login Server. Typically the following certificates are installed in the Secure Login Server Trust Store:

SSL CA Certificate (public certificate). This certificate is used to verify the SSL connection in the option Server Status.
LDAPS CA Certificate (public certificate). This certificate is used to establish secure communication to the LDAP server.

Depending on the PKI structure, it may be necessary to import the certificate chain.

You can use this page to view the Trust Store file content, export a certificate, delete a certificate, and add new certificates.

Figure: Administration Console – Trust Store Management

Entries marked with an asterisk (*) are mandatory.

Option
Details

Certificate Alias*
Alias for the imported certificate.

Certificate Location
The certificate location. Select one of the following locations (this causes the third option to change accordingly):

Local Host*
The path to a certificate in the local file system.

PublicURL*
Certificate available via a public URL. Since every certificate added here becomes a trust anchor, verify the fingerprint of a certificate obtained from a URL against a value received out of band before adding it.

Add to Trust Store
Adds the certificate information to the Trust Store.

Export
Use this button to export the selected certificate from the Trust Store (only visible if a certificate has been added to the Trust Store).

Delete
Use this button to remove the selected certificate from the Trust Store (only visible if a certificate has been added to the Trust Store).

Changes in the Trust Store require a restart of the SAP NetWeaver Application Server.

3.3.5 Certificate Template

This section describes the Certificate Template page of the administration console. Use the functionality on this page to perform any certificate template-related task.

Choose the Certificate Template node in the left-hand pane of the administration console. The following page appears:

Figure: Administration Console – Certificate Template Management

The default template cannot be deleted, changed, or exported. The Mapping option is only available if an additional certificate template is available.

Option
Details

Template Name
Templates created by the user and available for use are listed here. By default the default template is available.

Add
Adds a new certificate template. This takes you to the template creation page.

Edit
Edits a selected template. This takes you to the template creation page.

Copy
Duplicates the selected template. This takes you to the template creation page.

Delete
Deletes a template selected in the list.

Mapping
Maps a template to a server instance (user certificates) or to the SAP server certificates. For more information, see Mapping Certificate Template below.

Export
Exports a template as an XML file. If you select more than one template for export, all of the templates are incorporated into a single XML file.

Import
Imports templates found on the local machine/network to the list.

Add a New Certificate Template

This section describes how you create a new certificate template. Click the Add button and the following information appears:

Figure: Administration Console – New Certificate Template

Entries marked with * are mandatory.

Option
Details

Template Name*
The unique template identifier.

SubjectKeyIdentifier
Use this option to identify the specific public key used in an application.

AuthorityKeyIdentifier
Use this option to identify the public key corresponding to the private key that is used to sign a certificate.

CertificatePolicies
This option indicates the policy under which the certificate has been issued and the purposes for which the certificate may be used. Checking this option opens a mandatory field for the CertificatePolicies.OID (enter the ID and choose Add).

KeyUsage
The key usage extension defines the purpose of the key contained in the certificate.

DigitalSignature
Use when the public key is used with a digital signature mechanism to support security services other than non-repudiation, certificate signing, or CRL signing. Digital signatures are often used for entity authentication and data origin authentication with integrity.

NonRepudiation
Use when the public key is used to verify digital signatures used to provide a non-repudiation service. Non-repudiation protects against the signing entity falsely denying some action (excluding certificate or CRL signing).

KeyEncipherment
Use when a certificate is used with a protocol that encrypts keys. An example is S/MIME enveloping, where a fast (symmetric) key is encrypted with the public key from the certificate. The SSL protocol also performs key enciphering.

DataEncipherment
Use when the public key is used for encrypting user data, other than cryptographic keys.

KeyAgreement
Use when the sender and receiver of the public key need to derive the key without using encryption. This key can be used to encrypt messages between the sender and receiver. Key agreement is typically used with Diffie-Hellman ciphers.

KeyCertSign
Use when the subject's public key is used for verifying a signature on public key certificates. If KeyCertSign is asserted, the CA bit in the basic constraints extension must also be asserted.

CrlSign
Use when the subject public key is used for verifying a signature on a certificate revocation list. CrlSign must be asserted in certificates that are used to verify signatures on CRLs.

EncipherOnly
Use only when KeyAgreement is also enabled. This enables the public key to be used only for enciphering data while performing key agreement.

DecipherOnly
Use only when KeyAgreement is also enabled. This enables the public key to be used only for deciphering data while performing key agreement.

Example SNC/SSF Client Certificate:
KeyUsage: DigitalSignature, NonRepudiation, KeyEncipherment, DataEncipherment
ExtendedKeyUsage: ClientAuthentication

Example SNC Server Certificate:
KeyUsage: DigitalSignature, NonRepudiation, KeyEncipherment, DataEncipherment

For more information about standard certificate extensions, see http://www.ietf.org/rfc/rfc3280.txt (RFC 3280 has since been superseded by RFC 5280, which keeps the same extension definitions).

ExtendedKeyUsage
This option defines the extended purpose of the key contained in the certificate. For more information about standard certificate extensions, see http://www.ietf.org/rfc/rfc3280.txt.

BasicConstraints
This option defines whether the subject of the certificate is a Certification Authority and how deep a certification path may exist through that Certification Authority. Checking this option opens the following sub-options:

Is critical?
If you select this option, the extension is marked critical: a relying party that does not understand the basic constraints extension must reject the certificate, so the parameter is required in the certificate for communication to be successful.

Is CA?
This option defines whether the subject of the certificate is a Certification Authority. When you select this option, the Path Length field opens. Enter the maximum number of CA certificates that may follow this certificate in a certification path.

Private Extensions
Add a user-specific extension to the template. Choose Add and open the Create Private Extension input page:

For more information about standard certificate extensions. Reset Clears the fields of any entries. Cancel Cancels the Create Certificate Template configuration step.ietf.txt 06/2011 73 .3 Administration Extension Name* The unique name for this extension Base64/DER Encoded Data* The content of the private extension in Base64 or DER format Add Adds the information from the fields above to the certificate template (this will also take you back to the Create Certificate Template page). Cancel Cancels the Create Private Extension configuration step.org/rfc/rfc3280. see http://www.
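The KeyUsage options above end up in the certificate as a single DER BIT STRING. The following Python example (added here, not part of the guide or of Secure Login Server) encodes a template's KeyUsage selection the way it appears in the certificate, decodes it back, and checks the two consistency rules stated above (KeyCertSign needs the CA bit, EncipherOnly/DecipherOnly need KeyAgreement); the two example templates from the text are used as input, and only the standard library is needed.

```python
"""Added example (not Secure Login Server code): encode a certificate
template's KeyUsage selection as the DER BIT STRING that ends up in the
certificate, decode it back, and check the consistency rules stated above."""
from typing import Dict, Iterable, List

# Bit positions from RFC 3280 section 4.2.1.3, named as on the template page.
KEY_USAGE_BITS: Dict[str, int] = {
    "DigitalSignature": 0, "NonRepudiation": 1, "KeyEncipherment": 2,
    "DataEncipherment": 3, "KeyAgreement": 4, "KeyCertSign": 5,
    "CrlSign": 6, "EncipherOnly": 7, "DecipherOnly": 8,
}
BIT_NAMES = {pos: name for name, pos in KEY_USAGE_BITS.items()}

# The two example templates given in the guide.
SNC_SSF_CLIENT_KEY_USAGE = ["DigitalSignature", "NonRepudiation",
                            "KeyEncipherment", "DataEncipherment"]
SNC_SERVER_KEY_USAGE = list(SNC_SSF_CLIENT_KEY_USAGE)


def encode_key_usage(names: Iterable[str]) -> bytes:
    """DER-encode the selected usages as a BIT STRING (tag 0x03).

    Bit 0 is the most significant bit of the first content byte. DER drops
    trailing zero bits and records their count in the 'unused bits' byte,
    which is why the four client-certificate usages encode as 03 02 04 F0.
    """
    positions = sorted({KEY_USAGE_BITS[n] for n in names})
    if not positions:
        return b"\x03\x01\x00"          # empty BIT STRING
    nbytes = positions[-1] // 8 + 1
    value = 0
    for pos in positions:
        value |= 1 << (8 * nbytes - 1 - pos)
    unused = 8 * nbytes - (positions[-1] + 1)
    return bytes([0x03, nbytes + 1, unused]) + value.to_bytes(nbytes, "big")


def decode_key_usage(der: bytes) -> List[str]:
    """Inverse of encode_key_usage; rejects anything that is not a short
    BIT STRING so a truncated or mis-tagged extension is not silently read."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("invalid unused-bits count")
    total_bits = 8 * len(body) - unused
    names = []
    for pos in range(min(total_bits, len(BIT_NAMES))):
        byte, offset = divmod(pos, 8)
        if (body[byte] >> (7 - offset)) & 1:
            names.append(BIT_NAMES[pos])
    return names


def check_template(key_usage: Iterable[str], is_ca: bool) -> List[str]:
    """Return the violations of the rules stated for the template options:
    KeyCertSign needs 'Is CA?' in BasicConstraints, and EncipherOnly or
    DecipherOnly only make sense together with KeyAgreement."""
    selected = set(key_usage)
    problems = [f"unknown usage {n!r}"
                for n in sorted(selected - set(KEY_USAGE_BITS))]
    if "KeyCertSign" in selected and not is_ca:
        problems.append("KeyCertSign requires Is CA? in BasicConstraints")
    for only in ("EncipherOnly", "DecipherOnly"):
        if only in selected and "KeyAgreement" not in selected:
            problems.append(f"{only} requires KeyAgreement")
    return problems


if __name__ == "__main__":
    der = encode_key_usage(SNC_SSF_CLIENT_KEY_USAGE)
    print(der.hex(), decode_key_usage(der))
    print(check_template(["KeyCertSign", "CrlSign"], is_ca=False))
```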

Mapping Certificate Template
This section describes how you can map certificate templates to server instances (user certificates) or SAP server certificates.

Figure: Administration Console – Certificate Template

The default template cannot be deleted, changed, or exported. The Mapping option is only available for the default template if another certificate template is available. Choose the desired template name and choose the Mapping button.

Figure: Administration Console – Certificate Template Mapping

Option – Details
SAP Server Certificate – Assigns the certificate template that is used to create SAP server certificates.
User Certificate – Assigns the certificate template to an instance used for creating user certificates.

To confirm any changes, choose Save.

Export Certificate Template
This section describes how to export certificate templates as an XML file. Choose the desired template and choose the Export button.

Figure: Administration Console – Export Certificate Template

Option – Details
[List Box] Selected Template – Exports the selected certificate template.
All Templates – Exports all certificate templates.
Export – Executes the export procedure.
Cancel – Cancels the export procedure.

Import Certificate Template
This section describes how to import certificate templates into the Certificate Template Management page. Choose the Import button.

Figure: Administration Console – Import Certificate Template

Option – Details
Browse – Opens a file browser to locate a certificate template XML file.
Import – Executes the import procedure.
Cancel – Cancels the import procedure.

3.3.6 System Check
This section describes the System Check page of the Administration Console. This feature displays the status of the system configuration (whether the components necessary for Secure Login functionality are currently available). This function is similar to the initial wizard page (prerequisite check).

Figure: Administration Console – System Check

Option – Details
Authentication Configuration – Configuration of the authentication
General System Checks
Files and Folder – Are read/write permissions to the file system available?
SAP Cryptolib – Checks the JavaSDK of the Secure Login Server.
IAIK SDK – Checks for the location of the IAIK SDK and displays the version number.
JRE Crypto Policy – Checks if Java JCE is enabled.
Create PSE File – Checks if a PSE certificate format can be created.
Create PKCS#12 File – Checks if a P12 certificate format can be created.
PKI Structure – Checks if there are any missing or invalid certificates
SAP ID Check
SAP SNC Runtime – Checks if Secure Login Library is installed and configured.
SAP JCO Runtime – Checks whether the SAP JCO can be found.
Server List
Server Name Check – Checks Instance Names and Instance IDs.
Trust Store
TrustStore – Checks the Java Trust Store used by Secure Login Server.

3.3.7 Message Settings
This section describes the Message Settings page of the Administration Console. The message settings are used to relate specific server messages to the Secure Login Client. The Message Settings page allows you to do the following:
View currently available message language files
Create a new message language file
Edit a message language file

The following table contains the names of the message language files:
Message File Name – Language
serverMsg.properties – Template for translation
serverMsg_de.properties – German
serverMsg_en.properties – English
serverMsg_fr.properties – French
serverMsg_ja.properties – Japanese
serverMsg_pt.properties – Portuguese
serverMsg_ru.properties – Russian
serverMsg_zh_CN.properties – Chinese

The fallback message file is serverMsg_en.properties. This message file is used if the required language is not available. The language for the fallback scenario is English.

Create a Message File
Choose the Add button to create a new message language file.

Figure: Administration Console – Create Message File

Choose the desired language and choose the Create New File button. The file format is defined as: ServerMsg_<language_abbreviation>.properties. In this example the newly chosen language is Afrikaans. In this case, the name of the message file is serverMsg_af.properties. The predefined language for the new message file is English and needs to be translated to the required language.

Edit a Message File
Choose the relevant message file and choose the Edit button.

Figure: Administration Console – Edit Message File

To confirm any changes, choose Save. To disable a server message, delete the message text.
Example: If the message Authentication process completed should be disabled, delete the message text for the parameter AUTH_RESULT_ACTION_OK_MSG.

Message Format Configuration Option
The message format can either be plain text or rich text. Rich text messages are contained in a body element. You can use the following codes:
Code – Details
<body>message</body> – The whole rich text message has to be enclosed in body start and end tags.
<b>text</b> – Uses bold formatting for text.
<a href="URL">anchor</a> – Inserts a link to the destination URL with the link text anchor.
<any color="red">text</any> – Uses the color red for text (red is the only color supported).
\r\n – Inserts a line break.

File Location of the Message Files
The server message files are available in the following locations:
Microsoft Windows – <INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\classes
Linux – /usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/classes
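The naming rule, the English fallback and the "empty text disables the message" convention described above can be exercised with the following Python example (added here, not Secure Login Server code). The message files are constructed in-memory stand-ins for the files in the classes folder; only the key AUTH_RESULT_ACTION_OK_MSG is taken from the guide, the other key and all texts are invented.

```python
"""Added example (not Secure Login Server code): resolve the
serverMsg_<language_abbreviation>.properties file for a client language,
fall back to English when it is missing, treat an empty message text as a
disabled message, and wrap rich-text messages in the body element."""
from typing import Dict, Optional

FALLBACK_FILE = "serverMsg_en.properties"

# Constructed stand-in for the classes folder: file name -> file content.
# Only AUTH_RESULT_ACTION_OK_MSG is a key named in the guide.
MESSAGE_FILES: Dict[str, str] = {
    "serverMsg_en.properties": (
        "# English messages (constructed sample)\n"
        "AUTH_RESULT_ACTION_OK_MSG=Authentication process completed\n"
        "AUTH_RESULT_ACTION_FAILED_MSG=<b>Authentication failed</b>"
        "\\r\\nContact your administrator\n"
    ),
    "serverMsg_de.properties": (
        "AUTH_RESULT_ACTION_OK_MSG=\n"          # empty text: message disabled
        "AUTH_RESULT_ACTION_FAILED_MSG=Anmeldung fehlgeschlagen\n"
    ),
}


def message_file_name(language_abbreviation: str) -> str:
    """File naming rule from the guide, e.g. 'af' -> serverMsg_af.properties."""
    return f"serverMsg_{language_abbreviation}.properties"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: KEY=value per line, '#'/'!' comments.
    Escapes such as \\r\\n are kept verbatim; the client interprets them."""
    messages: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        messages[key.strip()] = value.strip()
    return messages


def load_messages(language_abbreviation: str,
                  files: Dict[str, str] = MESSAGE_FILES) -> Dict[str, str]:
    """Use the language's file when present, otherwise the English fallback."""
    text = files.get(message_file_name(language_abbreviation))
    if text is None:
        text = files[FALLBACK_FILE]
    return parse_properties(text)


def render_message(messages: Dict[str, str], key: str,
                   rich_text: bool = False) -> Optional[str]:
    """None means the message is disabled (text deleted, or key absent, which
    this example treats the same way; that equivalence is an assumption).
    Rich-text messages must be enclosed in <body>...</body>."""
    text = messages.get(key, "")
    if not text:
        return None
    return f"<body>{text}</body>" if rich_text else text


if __name__ == "__main__":
    for lang in ("en", "de", "af"):
        print(lang, render_message(load_messages(lang), "AUTH_RESULT_ACTION_OK_MSG"))
```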

3.3.8 SNC Configuration
This section describes the preparation required for Secure Login Server to run with SAP ID authentication. This configuration step is optional and is only required if you want to integrate SAP ID authentication. The installation of the Secure Login Library (described in the Installation, Configuration, and Administration Guide of the Secure Login Library) is a prerequisite.

The SNC certificate is used to establish a secure communication to the desired SAP NetWeaver ABAP system. This secure communication is used to verify SAP User Authentication. Two options are available to define the SNC certificate:
Import P12 File
Import from Console (Certificate Management)

Import P12 File
If using the setup type From Local, choose the Browse button and select the desired P12 file. Define the password and choose the Upload button to install the SNC certificate.

Figure: Administration Console – SNC Configuration – Option From Local

Import from Console
The prerequisite for this option is that an SNC certificate (certificate type SNC_CERT) has been created in Certificate Management. For more information, see section 3.3.3 Certificate Management. Select the desired SNC certificate and choose the Upload button to install the SNC certificate.

Figure: Administration Console – SNC Configuration – Option: From Console

3.3.9 Server Status
The option Server Status provides server status information.

Figure: Administration Console – Server Status

Criteria – Details
Date – Current date and time information
Version – Version of the Secure Login Server Kernel
Uptime – The amount of time the Server has remained active and running
Instance ID – Info: Server Instance
Configuration URL – File location of the Secure Login Server configuration file Configuration.properties
Server Build – Secure Login Server Version
Configuration Status – Integrity Check of the Secure Login Server
Status – Lock Status
Lock Status = No – The Secure Login Server is not locked. Everything is OK and the server is up and running.
Lock Status = Yes – The Secure Login Server is locked, meaning that it has encountered a problem. In this case, check the server information pane in the top left of the screen for tasks that still need to be performed as well as the log files for possible problems. An Unlock button appears next to the table entry (provided that the administrator role has the necessary permissions). Once you have resolved any problems, choose the Unlock button to reset the Lock Status.
Secure Login Servlet Status – Verifies the status of the Secure Login Server Java Servlet.

If the error message Cannot connect to the server using the SSL connection. Import the server's certificate into the Trust Store is displayed, add the SSL CA certificate (public certificates) to the Trust Store of the Secure Login Server. For more information, see section 3.3.4 Trust Store Management.

3.3.10 Sign Certificate Requests
This section describes how to submit a certificate request to the Secure Login Server Certification Authority in the administration console. As an example scenario, a PSE or P12 could be generated on the SAP server side. On the SAP server, a certificate request is created and sent to the Secure Login Server. The Secure Login Server signs the certificate request and sends back a certificate response, which is recorded in the SAP server.

Figure: Administration Console – Sign Certificate Requests

Entries marked with * are mandatory.

Option – Details
Base-64 Encoded Certificate Request (PKCS #10) – The content of the certificate request in Base64 encoding format. Use the option Browse for a file to insert to import a certificate request file. Use the button Read to import. Another option is to copy and paste the content of the certificate request to the Saved Request field.
Certificate Encoding Type – Select DER or PEM encoding type.
Issuer – Choose the desired CA certificate with which the certificate request should be signed.
Certificate Template – If needed, select the desired certificate template with which a certificate response should be generated. The default certificate template is used for the SAP environment.
Validity Period of Certificate* – Define the period of time for which the certificate is valid.
Sign Certificate – The certificate reply is generated, and you are asked to store the certificate reply file.

3.3.11 Console Log Viewer
This section describes the Administration Console logging functionality. The log entries apply
only to the administration actions performed in the Administration Console.

Figure: Administration Console – Console Log Viewer

This page displays all of the tasks performed using the Administration Console since logging
began. This page allows you to do the following:

Select a period of time to view with the Log Month combo box.
Export log files to a *.csv file format with the Export Logs function.
This entry is only visible if log entries are present.

The monthly table contains the following information about the administration tasks:
Option – Details
Date – The date the task was performed.
Time – The time the task was performed.
Code – The internal message code of the task performed.
Level – An abbreviated description of the message level. Possible message levels: INF (Information), ERR (Error), WAR (Warning)
User – The name of the user/administrator that performed the action.
Action – A quick description of the action, for example EDIT or OTHER.
Server – The server instances to which the action was directed
Description – A description of the message/task
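An exported log with the columns listed above is the natural input for a periodic review of administration activity. The following Python example (added here, not Secure Login Server code) parses such an export and groups the entries a reviewer looks at first; the rows, the semicolon delimiter and the message codes are constructed sample data, because the exact export layout is not documented on this page.

```python
"""Added example (not Secure Login Server code): triage of an exported
Console Log Viewer CSV. The columns follow the table above; the rows, the
';' delimiter and the message codes are constructed sample data."""
import csv
import io
from collections import Counter
from typing import Dict, List, Set

SAMPLE_EXPORT = """Date;Time;Code;Level;User;Action;Server;Description
2011-06-01;08:15:02;ADM-101;INF;admin;EDIT;DefaultServer;Certificate template changed
2011-06-01;08:16:40;ADM-102;INF;admin;EDIT;DefaultServer;Client policy saved
2011-06-01;23:41:07;ADM-205;WAR;svc_deploy;OTHER;DefaultServer;Lock status reset
2011-06-02;02:03:55;ADM-310;ERR;svc_deploy;EDIT;Instance01;Trust store import failed
2011-06-02;09:10:11;ADM-101;INF;admin;EDIT;Instance01;Message file edited
"""

LEVELS = {"INF", "ERR", "WAR"}          # the three levels listed above
COLUMNS = ["Date", "Time", "Code", "Level", "User", "Action", "Server",
           "Description"]


def parse_export(text: str) -> List[Dict[str, str]]:
    """Parse the export and reject unexpected columns or levels, so a
    malformed or edited file does not pass through the review silently."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    if reader.fieldnames != COLUMNS:
        raise ValueError(f"unexpected columns: {reader.fieldnames}")
    rows = list(reader)
    for row in rows:
        if row["Level"] not in LEVELS:
            raise ValueError(f"unexpected level {row['Level']!r} in {row['Code']}")
    return rows


def triage(rows: List[Dict[str, str]], expected_admins: Set[str],
           business_hours=(7, 19)) -> Dict[str, object]:
    """Group what a reviewer of the administration log looks at first:
    ERR/WAR entries, actions by accounts outside the expected admin set,
    actions outside business hours, and the action count per user."""
    start, end = business_hours
    findings: Dict[str, object] = {
        "errors": [], "unexpected_users": [], "off_hours": [],
        "actions_per_user": Counter(),
    }
    for row in rows:
        findings["actions_per_user"][row["User"]] += 1
        if row["Level"] in ("ERR", "WAR"):
            findings["errors"].append(row["Code"])
        if row["User"] not in expected_admins:
            findings["unexpected_users"].append(row["User"])
        hour = int(row["Time"].split(":")[0])
        if not start <= hour < end:
            findings["off_hours"].append(
                (row["Date"], row["Time"], row["User"], row["Action"]))
    return findings


if __name__ == "__main__":
    result = triage(parse_export(SAMPLE_EXPORT), expected_admins={"admin"})
    for key, value in result.items():
        print(f"{key}: {value}")
```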

3.3.12 Web Client Configuration
This section describes the configuration settings for the Secure Login Web Client.
The Web Client Configuration is separated into three tabs:
Properties Configuration – In this section, you can configure the Secure Login Web Client profiles.
Message Settings – In this section, you can configure the server messages provided to the Secure Login Web Client.
Package Management – In this section, you can configure the SNC library for the respective Secure Login Web Client. By default, three packages are available, for Microsoft Windows, Linux and Mac OS X.

Note that there are server messages available for Secure Login Client (described in section 3.3.7 Message Settings) and Secure Login Web Client.

Properties Configuration – Web Client Application Path
The parameter WebClientConfigPath is read-only and used for verification purposes. This
configuration links the Secure Login Server to the Secure Login Web Client application.

Properties Configuration – Common Configuration
The Common Configuration defines the parameter for Secure Login Web Client profile
Launch SAP Logon.

Figure: Secure Login Web Client profile Launch SAP Logon
To configure this profile, choose the Edit button. The following options are available in
Common Configuration:

Option – Details
PORTALURL – URL address for certificate-based login to be called after successful user authentication. This option depends on the parameter ACTION.
ACTION – The action to be performed by the Secure Login Web Client after successful user authentication. The following options are available:
No action after authentication – After successful user authentication, no action is performed.
Open Portal – After successful user authentication the URL defined in PORTALURL is used.
Launch SAP GUI – After successful user authentication the SAP GUI application is started.
Both SAP Portal and SAP GUI – After successful user authentication the URL defined in PORTALURL is used, and the SAP GUI application is started.
ClientLogging – This option determines the logging options:
No – No client log file is created and no logging is performed.
Temp – The client creates a log file for each login session. The log file is deleted when the Secure Login Web Client is closed.
Full – The client log file is never deleted.
PackURL – The name of the folder where the SNC libraries for the Secure Login Web Client are stored. By default, three SNC libraries are available in the folder DownloadPacks, for Linux, Microsoft Windows and Mac OS X.
SAPLogon.slsinstance – Secure Login Server Instance (user authentication method) to be used for Secure Login Web Client.

Save your changes.

The location of the Secure Login Web Client files depends on the operating system:
Microsoft Windows XP – C:\Documents and Settings\<user>\sapsnc\
Microsoft Windows Vista / Microsoft Windows 7 – C:\Users\<user>\sapsnc\
Mac OS – /Users/<user>/sapsnc/
Linux – /home/<user>/sapsnc/

You can customize the file location of the Secure Login Web Client. For more information, see section 4.5 Customize Secure Login Web Client.

Properties Configuration – SAP Server Management
In SAP Server Management you define the parameters for additional profiles in Secure Login Web Client. This type of profile is used to log on directly to the desired SAP server system after successful user authentication. Use this section of the page to add a new SAP server configuration, view and edit the current SAP server configuration, and delete an SAP server configuration.

Figure: Administration Console – SAP Server Management

To create a new SAP server configuration, choose the Add button. To import SAP server configurations from saplogon.ini files, choose the button Upload SAP Server List from File. The following screen contains the sections and parameters described below.

Option – Details
SAP GUI for Java – It is mandatory to fill these four fields.
label – Profile name.
host – IP address or FQDN name of the desired SAP server system.
port – Port of the desired SAP server system
sncname – SNC name of the desired SAP server system
SAP GUI for Microsoft Windows
shortcut.Name – Identifier used in multi-instance configurations. This is the essential reference to the profile.
shortcut.Description – The name of the server profile in SAP GUI for Microsoft Windows (in SAPGUI this is the Description field).
Instance ID – The instance ID this server uses: the Secure Login Server instance (user authentication method) to be used for Secure Login Web Client.

Properties Configuration – Platform Configuration
In Platform Configuration you define the parameters for SAP GUI for Microsoft Windows and SAP GUI for Java. This configuration depends on the operating system. For the operating system Microsoft Windows, SAP GUI for Microsoft Windows and SAP GUI for Java can be configured. For the operating systems Mac OS and Linux, only SAP GUI for Java can be configured.

Figure: Administration Console – Platform Configuration

Select a platform and choose the Edit button. In this example, the Microsoft Windows platform is shown.

Figure: Administration Console – Platform Configuration - Microsoft Windows

Option – Details
Supported Operating System – The platforms for which the properties on this page are applicable. The platform name is listed along with the files required by each platform to function correctly.
SAP GUI for Java
SAP.start – Path used to locate the SAP applications. Use the button Add to create an additional search path. Use the button Delete to remove an existing search path.
SAP.binary – GUI application name for SAP GUI for Java.
SAP.logon.binary – SAP Logon application name for SAP GUI for Java.
SAP GUI for Microsoft Windows (This option is only available for Microsoft Windows platforms)
SAP.win.start – Path used to locate the SAP applications. Use the Add button to add an additional search path. Use the Delete button to remove an existing search path.
SAP.win.binary – GUI application name for SAP GUI for Microsoft Windows.
SAP.win.logon.binary – SAP Logon application name for SAP GUI for Microsoft Windows.

Message Settings
In this section, you can configure the server messages provided to the Secure Login Web Client.

Figure: Administration Console – Message Settings

The fallback message file is SNCAppletMessages.properties. This message file is used if the required language is not available. The language for the fallback scenario is English. To create a new message language file, choose the Add button. To configure an existing message language file, choose the Edit button. To disable a server message, delete the message text.

Package Management
In this section, you can configure the SNC library for the desired Secure Login Web Client. By default, several packages are available, for Microsoft Windows, Linux and Mac OS X. To update or add new files, choose the Upload button.

3.4 Instance Management
In Instance Management, you can define the user authentication mechanism and client policy. The DefaultServer Instance is installed by default with the Secure Login Server and cannot be changed.

3.4.1 DefaultServer Configuration
In the navigation tree, click the folder DefaultServer Configuration. The following screen appears.


Figure: Administration Console – Instance Management

To define the parameters which are described below, use the Edit button. Entries marked with * are mandatory.

Option – Details
Authentication Server Configuration
Login Module – Select the desired user authentication mechanism. The following authentication mechanisms are available:
SPNegoLoginModule
SecureLoginModuleLDAP
SecureLoginModuleRADIUS
SecureLoginModuleSAP
BasicPasswordLoginModule
With the installation of Secure Login Server, Login Modules are installed in SAP NetWeaver. The default is SPNegoLoginModule. For more information about the configuration of the Login Modules, see section 4.1 Configure Login Module.
Policy Configuration
Name – This is the name of the configured login module stack. The name of the Login Modules is synchronized with the name of the JaasModule.
Secure Login User CA Keystore
PseType – This parameter is read-only. The key store format is FilePSE.
PseName – Select the desired User CA for this instance.
User Certificate Configuration – In this section, you define the Distinguished Name of the user certificate. The common name (CN) is calculated by the Secure Login Server using the user credentials.
UseUPN – If the Microsoft user credentials are used and the User Principal Name (UPN) is available, you can use this parameter to define whether the UPN is used in the CN field of the Distinguished Name of the user certificate. Example: If this parameter is configured with true, the CN field value is CN=Username@Domain.local. If this parameter is configured with false, the CN field value is CN=Username.
DN.country – Enter the country abbreviation in this field (C). Example: DE
DN.locality – Enter the regional information in this field (L). Example: Walldorf
DN.organization – Enter the company name in this field (O). Example: Company xyz
DN.organizationUnit – Enter the division of the company in this field (OU). Example: SAP Security Department
ValidityMinutes* – Time (in minutes) for which a user certificate is valid.
ValidityOffset* – Time offset in minutes relative to the server system time for the certificates to start being valid. This parameter is helpful if the client and server time are not in sync.
Certificate Template Configuration – These parameters are read-only and display-only parameters used for generating user certificates. For more information, see section 3.3.5 Certificate Template.
Log Configuration – These parameters are read-only. For more information, see Instance Log Management.
Other Server Configuration
LockDir – The path to which the lock file is saved. A lock file is created when the server encounters an internal error that requires manual intervention.
maxSessionInactiveInterval – Specifies the time, in seconds, between client requests before the servlet container will invalidate this session. This is applicable only in challenge mode (for example, password change).
AdminServletHeader – Header text to be displayed on the status page. Header text is used in Server Status and Instance Status.
AdminServletTrailer – Footer text to be displayed on the status page. Footer text is used in Server Status and Instance Status.
Secure Login Web Client Certificate Format – Define the certificate export format for the Secure Login Web Client.
WebClientKeyStoreType – Defines the certificate export format for the Secure Login Web Client. In the default instance the default value is PKCS12. If you create a new instance, you need to define this parameter. The default value is PKCS12.
User-Defined Properties – Any properties defined by the administrator are configured here. For more information about possible parameters, see the User-Defined Properties section.

Remember to configure the desired Login Module in SAP NetWeaver Administrator. For more information about the configuration of the Login Modules, see section 4.1 Configure Login Module.

User-Defined Properties
User-Defined Properties are used to define additional configuration issues depending on the instance. You can configure the following:
Secure Login Web Client Certificate Format – Certificate format used for Secure Login Web Client.
Certificate User Mapping Service – Change the value of the Common Name (CN) field of the user certificate Distinguished Name, based on the user mapping service.
Certificate User Name Service – Change the value format of the Common Name (CN) field of the user certificate Distinguished Name, based on the user name service.

Certificate User Mapping Service
This section describes how to configure the use of an attribute from an LDAP or Microsoft Active Directory Server instead of the user name given by the client. This may be useful if the SAP user names and the authenticated user names (for example, from a Microsoft Windows domain) are not the same.

Example
The Microsoft user name is UserADS and the SAP user name is UserSAP. Without the Certificate User Mapping Service the Secure Login Server would create a user certificate with the Distinguished Name CN=UserADS. If the SAP user name is stored in the Microsoft Active Directory, for example, in the attribute employeeID, the Secure Login Server can read this attribute and create a user certificate with the Distinguished Name CN=UserSAP. This issue will be configured in the Certificate User Mapping Service. The advantage of having the SAP user name in the Distinguished Name is easier configuration in the SAP NetWeaver ABAP/JAVA Server environment (user mapping configuration).

The prerequisite is that the SAP user name is stored in the LDAP or Microsoft Active Directory system. The Certificate User Mapping Service depends on the Secure Login Server user credential check against the authentication server.

If users change their own attributes (for example, e-mail address, first name, last name etc.) and these attributes are used by the user certificate (issued by the Secure Login Server), a situation may occur in which these users are able to assign additional rights to themselves. An AS ABAP uses, for example, certificate-based logon with the users' e-mail addresses in the Distinguished Names. The string in the certificate has the following format: CN=employee@company.com. This means that the user's e-mail address is used for the user mapping in SNC. If an administrator enables the user to change his or her own data (for example, through a self-service), this user now has the possibility to enter, for example, his or her manager's e-mail address (manager@company.com) as attribute. Since this data is usually maintained centrally, this change would also affect the Secure Login Server. If the certification user mapping feature of the Secure Login Server is configured with the e-mail address as an attribute of the certificate, the user receives a certificate with the Distinguished Name CN=manager@company.com. This user is now able to log on to the AS ABAP as his or her manager. Thus these users might get rights they are not supposed to have. For this case, we recommend that you implement access restrictions for the change of user attributes.

Figure: Administration Console – User-Defined Properties

Entries marked with * are mandatory. The value n in the parameter is a counter and is defined depending on the parameter LdapReadServers.

Parameter – Details
LdapReadServers* – Number of LDAP servers that are configured here. A numerical value is expected and must be 1 or higher. The given value is used as n to define an ordered list of servers that are called in a fail-over manner. To disable all configured servers, leave this field empty. The Secure Login Server is able to verify user credentials and perform Certificate User Mapping on a different server. The prerequisite is that the user name is available on both servers.
LdapReadUrln* – The LDAP server to be used to retrieve that attribute
LdapReadBaseDNn* – Define the Base DN of the desired LDAP server. Example Microsoft Active Directory: DC=DEMO,DC=LOCAL
LdapReadDomainn* – For Microsoft Active Directory: LDAP domain to be appended to the given user name if it is not a User Principal Name. If the name is already in UPN format, the property is ignored.
LdapReadUsern* – Define the technical user used to read the LDAP attribute from LDAP or Microsoft Active Directory Server. Example Microsoft Active Directory: SecureLoginLDAP@DEMO.LOCAL
LdapReadPassn* – Define the password of the technical user used to read the LDAP attribute from LDAP or Microsoft Active Directory Server.
LdapReadAttributen* – Define the LDAP attribute which is used for the common name (CN) of the user certificate Distinguished Name. Example: employeeID
LdapReadTimeoutn – Connection timeout in seconds.

Certificate User Name Service
There are two use cases available for configuring the Certificate User Name Service:
SAP user IDs have a maximum length of 12 characters (SAP NetWeaver ABAP environment), which needs to be considered by SNC X.509 certificates.
If user names in the common name (CN) field need a fixed or minimum length, padding can be turned on. Typically this configuration is used if personnel numbers are used.
The password length or value can be customized.

Figure: Administration Console – User-Defined Properties

Parameter – Details
MaxUserNameLength – Maximum number of characters that a user name in the common name (CN) field can have. If the given user name is longer, it is cut from the right side. Default value: 12. Example: LongUsernameSAP is cut off to LongUsername with the default settings.
UserNamePaddingLength – If user names in the common name (CN) field need a fixed or minimum length, padding can be turned on. The padding length sets the minimum length of user names. Default value: None
UserNamePaddingChar – The padding character is used to fill user names on the left side if their size is smaller than the configured padding length (UserNamePaddingLength). Default value: None. Example: UserNamePaddingLength = 11 and UserNamePaddingChar = 0. The result is that ShortName is extended to 00ShortName.

Instance Configuration - Client Configuration
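The three mechanisms that shape the CN of the user certificate (UseUPN in the instance configuration, the Certificate User Mapping Service, and the Certificate User Name Service just described) can be followed end to end in the following Python example (added here, not Secure Login Server code). The directory is a constructed in-memory stand-in for the LDAP/Active Directory lookup, the user names are the ones used in the guide's examples, and the precedence "the mapped attribute replaces the client's name before the name service runs" is an assumption of this example; the uniqueness check in map_user is added as a guard against the shared-attribute scenario described above.

```python
"""Added example (not Secure Login Server code): derive the CN of the user
certificate from the authenticated user name under the options described
above: UseUPN, the Certificate User Mapping Service (directory attribute
replaces the client's user name) and the Certificate User Name Service
(MaxUserNameLength, UserNamePaddingLength, UserNamePaddingChar).
The directory is a constructed stand-in for an LDAP/AD lookup; the
precedence 'mapping result replaces the name before the name service runs'
is an assumption of this example."""
from typing import Dict, Optional

# Constructed directory: authenticated (Windows) name -> attributes.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "UserADS": {"employeeID": "UserSAP", "mail": "employee@company.com"},
    "LongUser": {"employeeID": "LongUsernameSAP", "mail": "long@company.com"},
    "Short": {"employeeID": "ShortName", "mail": "short@company.com"},
}


def apply_upn(username: str, domain: str, use_upn: bool) -> str:
    """UseUPN=true gives CN=Username@Domain, false gives CN=Username."""
    if not use_upn:
        return username.split("@", 1)[0]
    return username if "@" in username else f"{username}@{domain}"


def map_user(username: str, attribute: str,
             directory: Dict[str, Dict[str, str]]) -> str:
    """Certificate User Mapping Service: return the directory attribute
    (for example employeeID) that becomes the CN. The mapping is refused
    when the attribute value is not unique, because an attribute shared by
    two accounts (or self-assigned through a self-service, as in the
    manager@company.com scenario above) would let one user log on as the
    other."""
    value = directory[username][attribute]
    owners = sorted(u for u, attrs in directory.items()
                    if attrs.get(attribute) == value)
    if owners != [username]:
        raise ValueError(f"{attribute}={value!r} is not unique: {owners}")
    return value


def apply_name_service(name: str, max_len: int = 12,
                       pad_len: Optional[int] = None,
                       pad_char: Optional[str] = None) -> str:
    """Certificate User Name Service: cut from the right to MaxUserNameLength,
    then pad on the left to UserNamePaddingLength with UserNamePaddingChar."""
    name = name[:max_len]
    if pad_len is not None and pad_char:
        name = name.rjust(pad_len, pad_char)
    return name


def derive_cn(username: str, *, domain: str = "Domain.local",
              use_upn: bool = False, mapping_attribute: Optional[str] = None,
              name_service: Optional[Dict[str, object]] = None,
              directory: Dict[str, Dict[str, str]] = DIRECTORY) -> str:
    """Return the CN= component of the user certificate's Distinguished Name.
    name_service takes the User-Defined Property names from the guide, e.g.
    {"MaxUserNameLength": 12, "UserNamePaddingLength": 11,
     "UserNamePaddingChar": "0"}; None means the service is not configured."""
    base = username.split("@", 1)[0]
    if mapping_attribute is not None:
        name = map_user(base, mapping_attribute, directory)
    else:
        name = apply_upn(username, domain, use_upn)
    if name_service is not None:
        name = apply_name_service(
            name,
            max_len=int(name_service.get("MaxUserNameLength", 12)),
            pad_len=name_service.get("UserNamePaddingLength"),
            pad_char=name_service.get("UserNamePaddingChar"))
    return "CN=" + name


if __name__ == "__main__":
    print(derive_cn("UserADS", use_upn=True))
    print(derive_cn("UserADS", mapping_attribute="employeeID"))
    print(derive_cn("LongUser", mapping_attribute="employeeID",
                    name_service={"MaxUserNameLength": 12}))
```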

Client Policy Entries marked with * are mandatory. the Secure Login Client verifies a new client policy during the system startup of the client PC. Figure: Administration Console – Instance Management . You can use this parameter. used by the Secure Login Client to retrieve the client policy. Parameter Details Policy URL* Network resource (Secure Login Server) from which the latest Secure Login Client policy can be downloaded.xml&path=000xx Client Policy defined in instance xx (instance number) of the Secure Login Server. Disable update policy on startup By default the Secure Login Client verifies during a new client policy during the system startup of the client PC.3 Administration This section describes how you can define the client policy and how it is used by the Secure Login Client. Client Policy Define the URL of the Secure Login Server. PolicyTTL* Lifetime in minutes for verifying (update) a new client policy.xml Client Policy defined in the default instance of the Secure Login Server. The default value is 45 seconds. Network Timeout (seconds)* Network timeout in seconds before the connection is closed if the server does not respond. Policy URL depends on the instance configuration: ClientPolicy. By default. ClientPolicy. 100 06/2011 . Default is 0 minutes. to disable this feature.

Applications Defines which client profile is used for which SAP server application. Default value is No. Cancel Cancels the configuration. The default value is Clean Add Application Adds new application Edit Edits the chosen application. Figure: Administration Console – Instance Management . 06/2011 101 . Replace Replaces any existing profiles of the same name in the selected policy key with a given one.Applications Parameter Details Specify the application‟s action Existing application profiles are handled as configured by action.3 Administration No Secure Login Client updates the client policy at startup. Clean Deletes all existing profiles in the selected policy key before the given ones are written. Save Saves the configuration. Keep Keeps any existing profiles of the same name in the selected policy does not write the given one (default). Yes Secure Login Client does not update the client policy at startup.

Delete: Deletes the chosen application.

To define the application parameters, choose the Add Application or Edit button.

Figure: Administration Console – Instance Management – Edit Application

Entries marked with * are mandatory.

Parameter: Details

Application Name*: Defines a name for this application template.

GSS Target Name*: Application-specific PSE URI (SAP Server SNC Name) that is matched when a suitable profile is searched. You can use the wildcards * and ?. Examples:
  SNC/CN=SAP, OU=SAP Security, C=DE
  SNC/CN=Server*, O=Company xyz
  Using the value * means that the client profile is used for all SAP servers.

Profile: The name of the client profile to be used for the desired application.

allowFavorite: Allows the user to select the authentication profile manually in Secure Login Client.
  Yes: A user can select the authentication profile manually in Secure Login Client.
  No: A user cannot select the authentication profile manually in Secure Login Client.
  The default value is Yes.

Save: Saves the configuration.

Clear: Clears the fields (Application Name and GSS Target Name).

Back: Goes back to the Client Configuration page.

Profiles

This section describes the configuration of the client profile.

Figure: Administration Console – Instance Management – Profiles

Parameter: Details

You can also specify the profile's action: Existing profiles are handled as configured by action.
  Keep: Keeps any existing profiles of the same name in the selected policy and does not write the given one (default).
  Replace: Replaces any existing profiles of the same name in the selected policy key with the given one.
  Clean: Deletes all existing profiles in the selected policy key before the given ones are written.
  The default value is Clean.

Add Profile: Adds a new profile.

Edit: Edits the chosen profile.

Delete: Deletes the chosen profile.

To define the profile parameters, choose the Add Profile or Edit button.

Figure: Administration Console – Instance Management – Edit Profile

Entries marked with * are mandatory.

Parameter: Details

Profile Name*: Defines a name for this profile template.

PSE Type: Authentication type.
  windowslogin: Using this profile, the user credentials are provided automatically (only available for Microsoft Windows authentication with the SPNego login module).
  promptedlogin: Using this profile, the user is prompted to enter the user credentials.
  The default value is windowslogin.

Enroll URL*: Secure Login Server URL that is used for user authentication and certificate requests. The Enroll URL depends on the instance configuration:
  <Server>/securelogin/PseServer: Enroll URL defined in the default instance of the Secure Login Server.
  <Server>/securelogin/PseServer&id=000xx: Enroll URL defined in instance xx (instance number) of the Secure Login Server.

To configure further Enroll URLs, use the Add button. This is the failover configuration for the Secure Login Client: if the Secure Login Client cannot establish a connection to the first Enroll URL defined here, it tries the next Enroll URL.

HttpProxyURL: HTTP proxy to be used with the enrollment URLs. Only HTTP proxies without authentication and without SSL to the proxy are supported. Example: http://example.address.com:8888

Grace Period: Value in seconds for the time in which an enrollment is to be carried out before the certificate expires. The default value is 0.

InactivityTimeout: Value in seconds until an automatic logout is performed (due to mouse and keyboard inactivity). Possible values:
  -1: No Single Sign-On (SSO). Each SNC connection forces a new login.
  0: No timeout. SSO without constraints.
  n: Seconds until an automatic logout takes place.
  The default value is 0.

Key Size: RSA key length. The default value is 1024.

Unique Client ID: Custom-defined string that is displayed in the instance log or can be used for network filtering issues.

NewPinType: Message text value used for messages (change PIN/password) to the Secure Login Client and Secure Login Web Client. Available values are pin and password.

Auto-Reenroll Attempts: The number of successive failed authentications after which automatic re-enrollment is stopped. You can activate the user name and password caching to ensure the automatic re-enrollment of certificates that are going to expire. Possible values:
  0: Turn off. Does not re-enroll automatically and does not cache user name and password. A re-enrollment must always be performed manually by the user.
  >0 (n): Turn on with n tries to succeed. Tries to re-enroll a maximum of n times before either a new certificate is received or the user name and password cache is cleared. The error counter is reset on success.
  The default value is 0.

Network Timeout (seconds): Network timeout (in seconds) before the connection is closed if the server does not respond. The default value is 45.

Reauthentication: This parameter defines how many logon attempts are permitted with the Secure Login Client logon form before it is closed again. Example with the value 4: The Secure Login Client offers the logon form 4 times (the logons fail, for example, due to wrong credential information) before the logon form is closed. The default value is 0. With this value, the logon form is never closed; the user needs to use the Cancel button to close the logon form.

SSL Host Common Name Check: This applies to the SSL server certificate – it checks whether the peer host name is given in the Common Name (CN) field of the SSL server certificate.
  True: Verifies the SSL server host name against the Common Name (CN) field of the SSL server certificate.
  False: Does not verify the SSL server host name against the Common Name (CN) field of the SSL server certificate.
  The default value is False.

SSL Host Extension Check: This applies to the SSL server certificate – it specifies whether the system checks that the extended key usage ServerAuthentication is defined.
  True: Verifies that the extended key usage ServerAuthentication is defined in the SSL server certificate.
  False: Does not verify whether the extended key usage ServerAuthentication is defined in the SSL server certificate.
  The default value is False.

SSL Host Alternative Name Check: This applies to the SSL server certificate – it checks whether the peer host name is given in the Subject Alternative Name attribute of the certificate.
  True: Verifies the SSL server host name against the Subject Alternative Name attribute of the SSL server certificate.
  False: Does not verify the SSL server host name against the Subject Alternative Name attribute of the SSL server certificate.
  The default value is False.

User Warning MSIE: Turns on/off a warning dialog box that appears after a new certificate has been propagated to the Microsoft Crypto Store.
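The three SSL server certificate checks described above, as an added example that is not code from the SAP guide: Python functions that apply the Common Name check, the Subject Alternative Name check and the ServerAuthentication extended key usage check to a certificate given in the dictionary layout returned by Python's ssl.SSLSocket.getpeercert(). The sample certificate is constructed, and its extendedKeyUsage key is an assumption, since getpeercert() does not return extended key usage.

```python
"""Apply the client profile's SSL server certificate checks to a certificate
given in the dictionary layout of Python's ssl.SSLSocket.getpeercert().
Added example; not code from the SAP guide."""

# Constructed sample certificate. 'subject' and 'subjectAltName' follow the
# getpeercert() layout; 'extendedKeyUsage' is an assumption (getpeercert()
# does not return it) and carries the OpenSSL short name for serverAuth.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "DE"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "sls.example.com"),),
    ),
    "subjectAltName": (
        ("DNS", "sls.example.com"),
        ("DNS", "*.sso.example.com"),
    ),
    "extendedKeyUsage": ("serverAuth",),
}


def _match_name(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; a leading '*.' matches exactly one
    label, so '*.sso.example.com' covers 'login.sso.example.com' but not
    'a.b.sso.example.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return False


def common_name_check(cert: dict, host: str) -> bool:
    """SSL Host Common Name Check: the peer host name must match a CN in
    the certificate subject."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_match_name(cn, host) for cn in cns)


def alternative_name_check(cert: dict, host: str) -> bool:
    """SSL Host Alternative Name Check: the peer host name must match a DNS
    entry of the Subject Alternative Name extension."""
    return any(kind == "DNS" and _match_name(name, host)
               for kind, name in cert.get("subjectAltName", ()))


def extension_check(cert: dict) -> bool:
    """SSL Host Extension Check: the extended key usage ServerAuthentication
    (serverAuth) must be present in the certificate."""
    return "serverAuth" in cert.get("extendedKeyUsage", ())


def verify_server_certificate(cert: dict, host: str, *,
                              cn_check: bool = False,
                              san_check: bool = False,
                              eku_check: bool = False) -> list:
    """Return the names of the enabled checks that failed; an empty list
    means the certificate is accepted. The defaults mirror the profile
    table, where all three checks are False, i.e. switched off."""
    failures = []
    if cn_check and not common_name_check(cert, host):
        failures.append("SSL Host Common Name Check")
    if san_check and not alternative_name_check(cert, host):
        failures.append("SSL Host Alternative Name Check")
    if eku_check and not extension_check(cert):
        failures.append("SSL Host Extension Check")
    return failures


if __name__ == "__main__":
    for host in ("sls.example.com", "login.sso.example.com", "evil.example.net"):
        print(host, verify_server_certificate(SAMPLE_CERT, host, cn_check=True,
                                              san_check=True, eku_check=True))
```

With all three checks left at their default of False, the host name of the peer is never compared with the certificate, so a profile that is meant to pin the client to its Secure Login Server should enable at least the Subject Alternative Name check and the extension check.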

  True: Turns on the warning dialog box.
  False: Turns off the warning dialog box.
  Note: Microsoft Internet Explorer must be restarted.
  The default value is False.

Auto-Enroll: A user automatically gets an X.509 certificate when the Secure Login Client starts.
  False: Turn off.
  True: Automatic provisioning of user certificates. If pseType is set to windowslogin, the user credentials are provided automatically (only applies to Microsoft Windows authentication). If pseType is set to promptedlogin, the system prompts the users to enter their credentials.

Save: Saves the configuration.

Cancel: Cancels the configuration.

Clear: Clears the fields.

Download Files

This section describes how to download the relevant client policy files for the Secure Login Client.

Figure: Administration Console – Instance Management – Download Files

Parameter: Details

Client Policy and customer.zip: If you choose this option, the system asks you which file you want to download. Use the files generated with this option if you want to export the client policy file for the current (active) instance.

ClientPolicy.xml: Instance profile configuration (Enroll URL) and client policy (Policy URL) in XML format.

Customer.reg: Registry key that includes the configuration of the client profile (Policy URL). You can use this registry file for the Secure Login Client installation to define where the client profiles can be retrieved.

customerAll.reg: Registry key that includes the configuration of the client profile (Policy URL) and the instance profiles (Enroll URL). This registry file can be used for the Secure Login Client installation to define where the client profiles can be retrieved. In addition, the instance profiles are installed.

Download: Downloads the desired file. To download the desired file, click it.

Global Client Policy

This section describes how to download the relevant client policy files (including all instances) for the Secure Login Client. All instance client policy configurations are stored in a global client policy file. Use this option if you want to include the complete Secure Login Server configuration – including all instances – in the client policy files for the Secure Login Client.

Figure: Administration Console – Instance Management – Global Client Policy

Parameter: Details

Generate: Use this button to generate the global client policy.

GlobalCustomer.zip: Registry key that includes the configuration of the client profile (Policy URL). You can use this registry file for the Secure Login Client installation to define where the client profiles of all instances can be retrieved.

GlobalCustomerAll.reg: Registry key that includes the configuration of the client profile (Policy URL) and the instance profiles (Enroll URL). You can use this registry file for the Secure Login Client installation to define where the client profiles of all instances can be retrieved. The instance profiles of all instances are also installed.

GlobalClientPolicy.xml: Profile configuration (Enroll URL) and client policy (Policy URL) for all instances in XML format.

To download the desired file, click it.

Remember to use the Generate button after making changes in instances. If you use the Global Client Policy, note that you need to define unique application template names in each instance.

Instance Configuration – Instance Log Management

This section describes the instance logging functionality. The Instance Log Management provides the following functions:
- Monthly Log: Information about the instance.
- Daily Log: Information about the user authentication.
- Log Analysis: Summary of statistical information for the instance.
- Log Setting: Configuration of the log settings.
- Archive Log: Archived logs are shown here.

Monthly Log

Figure: Administration Console – Instance Log – Monthly Log

The Monthly Log table contains the following information:

Option: Details

Log Month: To display the log entries from a specific month, select it from the dropdown box.

Date: The date the task was performed.

Time: The time the task was performed.

Code: The internal message code of the task performed.

Level: An abbreviated description of the message level. Possible message levels are:
  INF: Information
  ERR: Error
  WAR: Warning

Description: A description of the message/task.

Use the Export Logs button to export the log file in *.CSV format.

Daily Log

Figure: Administration Console – Instance Log – Daily Log

The Daily Log table contains the following information:

Option: Details

Log Date: To display the log entries from a specific date, select it from the dropdown box.

Time: The time the user authentication was performed.

User: The name of the user that performed the user authentication.

Client: Custom information defined in the client profile (Unique Client ID).

DNS/IP: DNS name and IP address of the client computer from which a user authentication was performed.

View As: NOTE: This field only appears if multiple sets of DNS/IP are configured on the admin computer – the IP values of one set are displayed.

Action: A short description of the action, for example INIT_ACTION or AUTH_ACTION.

Result: Description of the user authentication result. Possible results are:
  ACM_OK: User authentication was successful.
  ACM_ACCESS_DENIED: User authentication failed.
  ACM_NEW_PIN_REQUIRED: Password/PIN change was requested.
  ACM_NEW_PIN_ACCEPTED: New password/PIN change was accepted.
  ACM_NEW_PIN_REJECTED: New password/PIN was not accepted.
  OK: Initial action was successful.
  INTERNAL_SERVER_ERROR: Server error.
  INVALID_MESSAGE_FORMAT: Invalid or incomplete client communication.

Use the Export Logs button to export the log file in *.CSV format.

Log Analysis

You can use the Log Analysis to analyze statistical information about user authentication. To display the statistical information, define the desired start and end date and choose the Analysis button.
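The Daily Log results and the Log Analysis statistics above, applied to an exported log, as an added example that is not code from the SAP guide: the functions count each authentication result for a date range (the Log Analysis view), flag user/client pairs with repeated ACM_ACCESS_DENIED results, and list entries whose result points at a server or protocol problem rather than at the user's credentials. The CSV column order is an assumption (the guide names the Daily Log columns but does not show the export layout), and the log lines are constructed.

```python
"""Analyze an exported Daily Log of a Secure Login Server instance.
Added example; not code from the SAP guide. The column order of the CSV
export is an assumption, and the log lines below are constructed."""
import csv
from collections import Counter
from io import StringIO

# Constructed sample export: one line per Daily Log entry.
SAMPLE_EXPORT = """\
Date,Time,User,Client,DNS/IP,Action,Result
2011-06-20,08:01:12,jdoe,SLC-FIN,ws101.corp.example/10.0.1.11,INIT_ACTION,OK
2011-06-20,08:01:13,jdoe,SLC-FIN,ws101.corp.example/10.0.1.11,AUTH_ACTION,ACM_OK
2011-06-20,08:05:40,msmith,SLC-FIN,ws102.corp.example/10.0.1.12,AUTH_ACTION,ACM_ACCESS_DENIED
2011-06-20,08:05:52,msmith,SLC-FIN,ws102.corp.example/10.0.1.12,AUTH_ACTION,ACM_ACCESS_DENIED
2011-06-20,08:06:03,msmith,SLC-FIN,ws102.corp.example/10.0.1.12,AUTH_ACTION,ACM_NEW_PIN_REQUIRED
2011-06-20,08:06:30,msmith,SLC-FIN,ws102.corp.example/10.0.1.12,AUTH_ACTION,ACM_NEW_PIN_ACCEPTED
2011-06-20,09:10:00,admin,SLC-OPS,ws200.corp.example/10.0.2.5,AUTH_ACTION,ACM_ACCESS_DENIED
2011-06-20,09:10:05,admin,SLC-OPS,ws200.corp.example/10.0.2.5,AUTH_ACTION,ACM_ACCESS_DENIED
2011-06-20,09:10:09,admin,SLC-OPS,ws200.corp.example/10.0.2.5,AUTH_ACTION,ACM_ACCESS_DENIED
2011-06-20,09:10:14,admin,SLC-OPS,ws200.corp.example/10.0.2.5,AUTH_ACTION,ACM_ACCESS_DENIED
2011-06-21,07:55:31,jdoe,SLC-FIN,ws101.corp.example/10.0.1.11,AUTH_ACTION,INTERNAL_SERVER_ERROR
2011-06-21,07:56:02,,SLC-FIN,ws133.corp.example/10.0.1.77,INIT_ACTION,INVALID_MESSAGE_FORMAT
"""


def parse_daily_log(text: str) -> list:
    """Parse the CSV export into one dict per Daily Log entry."""
    return list(csv.DictReader(StringIO(text)))


def summarize(entries: list, start_date: str, end_date: str) -> dict:
    """Log Analysis-style statistics: count each Result of the AUTH_ACTION
    entries whose Date lies within start_date..end_date (ISO dates, so
    plain string comparison orders them correctly)."""
    stats = Counter()
    for e in entries:
        if e["Action"] == "AUTH_ACTION" and start_date <= e["Date"] <= end_date:
            stats[e["Result"]] += 1
    return dict(stats)


def repeated_failures(entries: list, threshold: int = 3) -> dict:
    """(User, DNS/IP) pairs with at least `threshold` ACM_ACCESS_DENIED
    results: the candidates for a closer look at a workstation or account."""
    denied = Counter()
    for e in entries:
        if e["Result"] == "ACM_ACCESS_DENIED":
            denied[(e["User"], e["DNS/IP"])] += 1
    return {key: n for key, n in denied.items() if n >= threshold}


def protocol_problems(entries: list) -> list:
    """Entries whose Result is INTERNAL_SERVER_ERROR or INVALID_MESSAGE_FORMAT,
    i.e. a server-side fault or a malformed client message rather than a
    credential failure, as (Date, Time, DNS/IP, Result) tuples."""
    bad = {"INTERNAL_SERVER_ERROR", "INVALID_MESSAGE_FORMAT"}
    return [(e["Date"], e["Time"], e["DNS/IP"], e["Result"])
            for e in entries if e["Result"] in bad]


if __name__ == "__main__":
    log = parse_daily_log(SAMPLE_EXPORT)
    print(summarize(log, "2011-06-20", "2011-06-21"))
    print(repeated_failures(log))
    print(protocol_problems(log))
```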

Figure: Administration Console – Instance Log – Log Analysis

Log Setting

This section describes the log file settings for the instance log management.

Figure: Administration Console – Instance Log – Log Setting

Entries marked with * are mandatory.

Option: Details

Maximum Log File Size*: The maximum size in gigabytes of the log file directory (all log files). The default value is 1 gigabyte.

Maximum Individual File Size*: The maximum size of a log file in megabytes before it is archived. The default value is 10 megabytes.

Daily Log Cleanup Interval*: The interval (in days) after which the next log cleanup starts. The default value is 30 days.

Monthly Log Cleanup Interval*: The interval (in months) after which the next log cleanup starts. The default value is 1 month.

Daily Log Analysis Period*: Defines the period length to be used in Log Analysis, that is, the length of the period from Start Date until End Date. The default value is 30 days.

Directory for Storing Daily Log Files*: The directory for daily log storage. This information is read-only.

Directory for Storing Monthly Log Files*: The directory for monthly log storage. This information is read-only.

Daily Log Prefix*: The file prefix for daily logs. This information is read-only.

Monthly Log Prefix*: The file prefix for monthly logs. This information is read-only.

Save: Saves the configuration.

Cancel: Cancels the configuration.

Archived Log

This section describes the Archived Log page.

Figure: Administration Console – Instance Log – Archived Log

Archived log files are stored in the log file directory defined in Log Setting. The log files are in ZIP format.

Option: Details

Archived File Name: The name under which the server has saved the log file(s).

Selected: A radio button to indicate which file is downloaded.

To download a log file archive, select an archive from the Selected column and choose Download. You are prompted to choose a location. To delete a log file archive, select an archive from the Selected column and choose Delete.

Instance Configuration – Instance Check

In Instance Check, you can check the Client Policy and PKI Structure for the chosen instance.

Figure: Administration Console – Instance Check

Option: Details

Client Policy: Checks the correct configuration of client policies and client profiles.

PKI Structure: Checks whether there are missing or invalid certificates.

Instance Configuration – Instance Status

Use this option to display the status of the desired instance.

Criteria: Details

Date: Current date and time information.

Version: Version of the Secure Login Server kernel.

Server Build: Secure Login Server version.

Instance ID: Chosen instance name.

Configuration URL: File location of the Secure Login Server configuration file Configuration.properties.

Configuration Status: Integrity check of the Secure Login Server status.

Lock Status:
  Lock Status = No: The chosen instance is not locked. Everything is OK and the instance is up and running.
  Lock Status = Yes: The chosen instance is locked, which means it has encountered a problem. In this case, check the server information pane in the top left of the screen for tasks yet to be performed as well as the log files for possible problems. An Unlock button appears next to the table entry (provided the administrator role has the necessary permissions). Once you have resolved any problems, choose the Unlock button to reset the Lock Status.

Secure Login Servlet Status: Verifies the status of the instance Java servlet.

Uptime: The amount of time the instance has remained active and running.

3.4.2 Create a New Instance

This section describes how to create a new instance.

Figure: Administration Console – Instance Management

To create a new instance, choose the Add button.

Figure: Administration Console – Instance Management – New Instance

Select the option Create a New Server Instance and choose the OK button to continue.

Figure: Administration Console – Instance Management – New Instance

Define a name for the new instance and choose the OK button to continue.

Figure: Administration Console – Instance Management – Add New Instance

Define the respective parameters (for more information, see section 3.4.1 DefaultServer Configuration). By default, the configuration for Authentication Server Configuration, Secure Login User CA Keystore and User Certificate Configuration defined in the DefaultServer instance is reused. If you do not want to reuse this configuration information, deactivate the option Use Default and define your own configuration. For example, if you want to define a different user authentication mechanism for this instance, deactivate the option Use Default in JaasModule and define a new value. After you have performed the configuration, choose the OK button to continue.

Figure: Administration Console – Instance Management – New Client Policy

Define the parameters for the client policy and choose the OK button to continue.

Figure: Administration Console – Instance Management – New Instance Created

The new instance has been created and is displayed in the navigation tree. Remember to activate this new instance in Certificate Management (Mapping to Instance).

Create New Instance Option: Clone from an existing server instance using this Administration Console

You can use the option Clone from an existing server instance using this Administration Console to clone an existing instance configuration.

Figure: Choose Existing Instance

Create New Instance Option: Migrate from an External Secure Login Server

You can use the option Migrate from an External Secure Login Server to choose an existing instance configuration that is available in the file system (for example, a backup file copy of another Secure Login Server).

Figure: Choose Existing Instance from File Backup

3.5 Console Users

This section describes the Console Users page of the administration console. Use this node to view when an administrator logged on to, or logged off from, the administration console.

Figure: Administration Console – Console Users

3.5.1 User Management

This section describes the User Management node of the administration console. This node displays a list of the users/administrators registered with the administration console and allows you to add a new user, edit or delete a current user, and assign a role to a user.

Figure: Administration Console – User Management

The Admin user cannot be deleted.

Option: Details

Add: Adds a new user.

Edit: Changes the settings for a selected user in the list.

Delete: Deletes a selected user from the list.

Assign Role: Assigns a role to a selected user in the list.

Add a User

To create a new user, choose the Add button.

Figure: Administration Console – Create User

Option: Details

ID: User logon name.

Name: User display name.

Password: Defines the user password.

Confirm Password: Confirms the user password.

Change Password: This option is only visible when editing a user entry in the list. Check this option to change the password.

Disabled: If this option is enabled, this user cannot log on to the administration console.

SSL Certificate Login: This feature enables certificate-based logon to the Secure Login Administration Console. Selecting this option displays the extra option Certificate Login ID.

Certificate Login ID: For user mapping, the Subject Alternative Name (RFC822 name) attribute of the logon certificate is used. The value of the Subject Alternative Name is verified against the value defined in Certificate Login ID. For more information, see section 4.6 Configure SSL Certificate Logon.

External Login: This feature uses user information stored in an Authentication Server database for authentication to the Secure Login Administration Console. Selecting this option displays the extra option External Login ID.

External Login ID: Define the user name for the desired Authentication Server database. For more information, see section 4.7 Configure External Login ID.

Save: Saves the configuration.

Cancel: Cancels the configuration.

Passwords used in the Secure Login Server are restricted by the password policy:
- Password cannot be empty
- Length of the password must be between 8 and 20 characters
- Password must contain at least one uppercase letter
- Password must contain at least one lowercase letter
- Password must contain at least one digit
- Password must contain at least one of the special characters

Assign a Role

Choose the desired user and choose the Assign Role button.

Figure: Assign Role to User

To transfer one or more roles to the user, select one or more roles from the left-hand pane All Role and choose >>Add to transfer the roles to My Role. To remove one or more roles from the user, select the role(s) in the My Role column on the right and choose >>Delete to remove the role(s). To save the configuration, choose the Save button.

3.5.2 Role Management

This section describes the Role Management node of the Administration Console. Use this node to configure the permissions for each administrator role.

Figure: Administration Console – Role Management

Predefined roles cannot be deleted or changed. To create a new role, use the Add button.

Figure: Administration Console – Role Management

Entries marked with * are mandatory.

Option: Details

ID*: The unique identifier for the role.

Name*: The name used to describe the role.

Permission List: Define the permissions assigned to this role. The permissions are described in the Permission Description.

Instance List: Define the permissions for the respective instances.

To save the configuration, use the Save button.

3.5.3 Locked Files Management

This section describes how to check whether any Secure Login Server-specific system files have been locked and how to unlock them. Files are locked in the following scenario: different administrators are configuring the Secure Login Server at the same time. When this happens, one administrator will receive a message informing them to contact the specific administrator to unlock the file.

Example message: File ClientPolicy.xml has been locked.

If necessary, ask the administrator to remove the lock.

Figure: Administration Console – Locked File Management

Select the locked file to be unlocked and choose the Release button.

4 Other Configurations

This section describes some additional configuration steps.

4.1 Configure Login Module

You configure the login modules in the SAP NetWeaver Administrator. Log on to the SAP NetWeaver Administrator: http://<host_name>:<port>/nwa. Choose Configuration Management and Authentication and Single Sign-On. Choose the tab Authentication and the configuration option Login Modules.

The following Secure Login Server login modules are available:
- SPNegoLoginModule: This login module is used to verify user credentials against a Microsoft Windows domain.
- SecureLoginModuleLDAP: This login module is used to verify user credentials against an LDAP server or Microsoft Active Directory system.
- SecureLoginModuleRADIUS: This login module is used to verify user credentials against a RADIUS server.
- SecureLoginModuleSAP: This login module is used to verify user credentials against an SAP ABAP server.

The names of the Secure Login Server login modules are used in the instance configuration. Refer to section 3.4 Instance Management.

SPNegoLoginModule

SPNegoLoginModule is the default login module of the Secure Login Server. By default, this login module is set in the Secure Login Server. To configure SPNego, use the appropriate configuration wizard. For more information, see the SAP NetWeaver Library 7.3 under SAP NetWeaver Library: Function-Oriented View > Security > User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using Kerberos Authentication.

SPNegoLoginModule works in close conjunction with the user management engine (UME). Remember that you may need to configure the mapping mode of the Kerberos Principal Name to the UME or to change Customizing settings of the UME data source configuration. For more information, see the SAP NetWeaver Library 7.3 under SAP NetWeaver Library: Function-Oriented View > Security > User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using Kerberos Authentication > Configuring the UME for Kerberos Mapping.

SecureLoginModuleLDAP

Choose the login module SecureLoginModuleLDAP and choose the Edit button to configure its parameters.

Figure: SAP NetWeaver Administrator – SecureLoginModuleLDAP

Entries marked with * are mandatory.

Option: Details

LdapBaseDN: Base DN of the LDAP server (start search path). There are several configuration options. The variable $USERID is replaced by the Secure Login Server with the user name for user verification against the authentication server.
  LDAP Server: Define the search path where the user is located. Example: uid=$USERID,ou=Users,dc=domain,dc=com
  Microsoft Active Directory System: Define the search path where the user is located. Examples: $USERID@<Windows_domain> or cn=$USERID,cn=Users,dc=yourdomain,dc=com. If the parameter is not configured (empty), the Microsoft Windows UPN name is required for user authentication (to be entered in Secure Login Client).

LdapHost*: URL of the LDAP server or Active Directory server system used to authenticate the user.
  ldaps://<FQDN or IP>:636
  ldap://<FQDN or IP>:389
  We recommend that you configure secure communication using LDAPS.

LdapProviderLanguage: Character set encoding for communication between the Secure Login Server and the LDAP/ADS server. The default value is en-US.

LdapTimeout: Period of time the Secure Login Server waits for a response before trying the next LDAP/ADS server (in milliseconds). The default value is 100 milliseconds.

PasswordExpirationAttribute: The expiration date format of the password. This value is used for the password expiry warning only. For the LDAP authentication server, the date must be in one of the following formats:
  UMT: 0060727081914Z or 0060727081914+0700Z
  GMT (Greenwich Mean Time) in ADS format: 0060727081914.0Z or 0060727081914.0+0700Z
  MS Gregorian calendar (the number of milliseconds since 01/01/1601), for example: 127984619236406250
  If a password expiration warning message is configured, the LdapBaseDN property must be given in complete DN form. By default, no value is defined.

PasswordExpirationGracePeriod: The interval (in days) for a password expiry warning message to be sent to the client prior to a password expiring. By default, no value is defined.

ServerID: Determines which password expiry warning is used. The PasswordExpirationAttribute value is used for the password expiry warning message only. By default, no value is defined.

TrustStore: Path to the Java certificate key store used by the Secure Login Server. The certificate key store is used to enable LDAP over SSL (LDAPS). Use of the Java key store (*.jks) is mandatory when using LDAP over SSL (LDAPS); LDAPS is required. Configure the following value:
  Microsoft Windows: <INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\Instances\TrustStore.jks
  Linux: /usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances/TrustStore.jks

To save the configuration, choose the Save button.

SecureLoginModuleRADIUS

Choose the login module SecureLoginModuleRADIUS and choose the Edit button to configure its parameters.

Entries marked with * are mandatory.

Option: Details

Authenticator*: Authentication method for the RADIUS server. Possible values are: CHAP, MSCHAP, PAP. The default value is PAP.

AuthPort*: The port number used by the RADIUS server for authentication requests. Typical values are 1645 or 1812. The default value is 1645.

PinAlphanumeric: PIN format. This parameter is only used with OTP tokens. Possible values:
  true: The user can choose, and use, a PIN that contains only alphanumeric characters (A-Z, a-z, 0-9).
  false: The user can choose, and use, a PIN that contains alphanumeric and special characters (such as !$%&).
  The default value is false.

RADIUSServerIP*: Host address of the RADIUS server (used for user authentication).

ServerIniFile: For configuring specific RADIUS server messages. You need to define the full path and file name. By default, no configuration file is required.

SharedSecret*: The shared secret is used to encrypt the user password. This shared secret also needs to be defined in the RADIUS server. Save the shared secret as encrypted. For more information, see section 5.5.3 Ensuring Encrypted Communication with Shared Secret.

TimeOut*: Period of time the Secure Login Server waits for a response before trying the next RADIUS server (in milliseconds). The default value is 5000 milliseconds.

SecureLoginModuleSAP

Choose the login module SecureLoginModuleSAP and choose the Edit button to configure its parameters.

Figure: SAP NetWeaver Administrator – SecureLoginModuleSAP

Entries marked with * are mandatory.

Option: Details

Client*: Define the SAP client number in which the SAP user is to be verified.

CREDDIR: Path where the SNC certificate used by the Secure Login Server is located. This configuration is not required if the environment variable SECUDIR was configured (see the Installation, Configuration, and Administration Guide of the Secure Login Library). Configure the appropriate value for your operating system:
  Microsoft Windows: <ASJava_Installation>\sec, for example D:\usr\sap\ABC\J00\sec
  Linux: <ASJava_Installation>/sec, for example /usr/sap/ABC/J00/sec

PasswordAlphanummeric: This parameter is part of the password policy for the client-side policy consistency check. This parameter must be consistent with the SAP password policy. Possible values:
  true: The password can contain only alphanumeric characters (A-Z, a-z, 0-9).
  false: The password can contain alphanumeric and special characters (such as !$%&).
  The default value is true.

PasswordMax: This parameter is part of the password policy for the client-side policy consistency check, specifically the maximum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. The default value is 30.

PasswordMin: This parameter is part of the password policy for the client-side policy consistency check, specifically the minimum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. The default value is 1.

SAPaccount*: The technical SAP user account name used by the Secure Login Server. This technical user is created on the desired SAP ABAP server and you need to configure its SNC name. Example: SLSSNC

SAPServer*: IP address or host name of the SAP ABAP server.

SNCServerName*: SNC name of the desired SAP ABAP server. Example: p:CN=ABC, OU=SAP Security, C=DE

SystemNo*: SAP system number.

maxNbrConnections: Maximum number of connections (maximum number of connections until authentication is blocked).

SAPTimeout: Timeout for login.
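The guide describes two password policies: the administration console policy listed under Console Users (8 to 20 characters with upper case, lower case, digit and special character) and the client-side SAP consistency check built from PasswordMin, PasswordMax and PasswordAlphanummeric above. The following checker is an added example, not code from the SAP guide; it applies either policy and reports every violated rule. Which characters count as special is an assumption (ASCII punctuation), as the guide does not list them.

```python
"""Check passwords against the two policies described in this guide: the
administration console policy (Console Users) and the client-side SAP
consistency check (PasswordMin, PasswordMax, PasswordAlphanummeric).
Added example; not code from the SAP guide."""
import string
from dataclasses import dataclass

# The guide does not list the special characters; this set is an assumption
# (ASCII punctuation, which includes the !$%& cited for the SAP module).
SPECIAL_CHARS = frozenset(string.punctuation)
ALNUM_CHARS = frozenset(string.ascii_letters + string.digits)  # A-Z, a-z, 0-9


@dataclass(frozen=True)
class PasswordPolicy:
    min_len: int
    max_len: int
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    special: str = "allowed"  # "required", "allowed" or "forbidden"


# Console Users policy: 8-20 characters, upper, lower, digit and special.
CONSOLE_POLICY = PasswordPolicy(8, 20, True, True, True, "required")


def sap_module_policy(password_min: int = 1, password_max: int = 30,
                      password_alphanumeric: bool = True) -> PasswordPolicy:
    """Build the client-side policy from the SecureLoginModuleSAP parameters,
    using the guide's defaults (PasswordMin 1, PasswordMax 30,
    PasswordAlphanummeric true)."""
    return PasswordPolicy(password_min, password_max,
                          special="forbidden" if password_alphanumeric else "allowed")


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return the list of policy rules the password violates (empty = OK)."""
    problems = []
    if not password:
        problems.append("password cannot be empty")
    if not policy.min_len <= len(password) <= policy.max_len:
        problems.append(f"length must be between {policy.min_len} and {policy.max_len}")
    if policy.require_upper and not any(c in string.ascii_uppercase for c in password):
        problems.append("needs an uppercase letter")
    if policy.require_lower and not any(c in string.ascii_lowercase for c in password):
        problems.append("needs a lowercase letter")
    if policy.require_digit and not any(c in string.digits for c in password):
        problems.append("needs a digit")
    has_special = any(c in SPECIAL_CHARS for c in password)
    non_alnum = any(c not in ALNUM_CHARS for c in password)  # also catches spaces
    if policy.special == "required" and not has_special:
        problems.append("needs a special character")
    if policy.special == "forbidden" and non_alnum:
        problems.append("only alphanumeric characters (A-Z, a-z, 0-9) allowed")
    return problems


if __name__ == "__main__":
    for pw in ("Secr3tPa$$", "short", "abc123!"):
        print(repr(pw), "console:", check_password(pw, CONSOLE_POLICY),
              "sap:", check_password(pw, sap_module_policy()))
```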

4.2 Verify Authentication Server Configuration

After successful configuration of Certificate Management, Instance Management and Login Module, the Secure Login Client or Secure Login Web Client can be used to verify communication to the authentication server. Login modules are configured in SAP NetWeaver Administrator. You can configure the link to the login module (for example, SecureLoginModuleLDAP) within the Instance configuration (Secure Login Administration Console – Instance Management).

Figure: User Authentication Work Process (components shown: Secure Login Client, Secure Login Web Client, Secure Login Server, Secure Login Admin Console, SAP NetWeaver, SAP NetWeaver Administrator, Instance 1 SecureLoginModuleLDAP, Instance 2 SecureLoginModuleSAP, Instance 3 SecureLoginModuleRADIUS, Instance 4 SPNegoLoginModule, LDAP Server, ABAP Server, RADIUS Server, Java Server/ADS)

The authentication work process takes place as follows:
1. Start Secure Login Client or Secure Login Web Client.
2. Choose the desired client profile and enter your user name and password.
3. The responsible instance for the chosen client profile is used. The instance triggers the login module.
4. The login module establishes a connection to the authentication server. The Secure Login Server sends the user credentials to the authentication server.
5. If the response is successful, the Secure Login Server provides a user certificate to the Secure Login Client or Secure Login Web Client.


4.3 Create Technical User in SAP Server

The technical user is used to verify SAP user credentials on the SAP ABAP server. Log on to the SAP ABAP server using SAP GUI and start the transaction SU01 (User Management). Create a new user (for example, SLSSNC):
- User type is System.
- Deactivate the password.
- Define the SNC name, which must match the SNC certificate created in Certificate Management (certificate type: SNC_CERT).
- Choose the tab Profiles and define the following authorization profiles: S_A.SCON, S_A.SYSTEM, S_USER_ALL, S_USER_RFC, Z_TRANS_RFC.
Save the settings.

4.4 Mozilla Firefox Support

After successful user authentication, the Secure Login Web Client stores the certificate in the Microsoft Certificate Store. The same function is provided for the Mozilla Firefox browser.

4.4.1 Install Firefox Extension

It is a prerequisite that the Firefox Extension XPI is installed. The Firefox Extension is provided by the Secure Login Server and can be downloaded using the following URL:
http://<host_name>:<port>/SlsWebClient/Firefox/index.html
Browser and operating system are recognized automatically.

Figure: Mozilla Firefox Extension for Secure Login Web Client

Use the link here to install the Firefox extension.

If your Mozilla Firefox browser does not open an extension installation dialog, but only allows you to save this file, you have the following choices:
- Choose the option Open with and choose the Mozilla Firefox application.
- Save the file to your Desktop, then drag and drop it into any Firefox window.
- Ask your Web portal administrator to add a new MIME type application/x-xpinstall for XPI files.

Figure: Install Mozilla Firefox Extension

Install the Firefox Extension by choosing Install Now, and restart Mozilla Firefox.

4.4.2 Uninstall Mozilla Firefox Extension

Start the Mozilla Firefox application and, from the menu, choose Add-ons Manager and Extensions.

Figure: Uninstall Mozilla Firefox Extension Secure Login Security Module

To uninstall, select the Firefox Extension Secure Login Security Module and choose the Remove button.

4.5 Customize Secure Login Web Client

By default, the location of the Secure Login Web Client files is stored in the user environment of the client. This depends on the operating system:
Microsoft Windows XP: C:\Documents and Settings\<user>\sapsnc\
Microsoft Windows Vista / Microsoft Windows 7: C:\Users\<user>\sapsnc\
Mac OS: /Users/<user>/sapsnc/
Linux: /home/<user>/sapsnc/

You can use the configuration file config.properties to define a different location for the libraries. Note that some configuration files are still stored in the default folder (sapsnc).

config.properties
    USER_FOLDER=<Path to be used>

During an installation, the config.properties file is deleted. Make a backup of this file before you execute an installation. After the installation, copy the file to the relevant directory. You can upload the configuration file using the Secure Login Administration Console (section 3.12 Web Client Configuration).

4.6 Configure SSL Certificate Logon

Use an X.509 certificate to log on to the Secure Login Administration Console. The prerequisites are that SSL is enabled on the SAP NetWeaver server, and that the X.509 certificate has a trust relationship with the SSL server certificate of the SAP NetWeaver server. The SAP NetWeaver HTTPS port also needs to be configured to accept certificate-based login (Request Certificate).
- In the navigation tree, choose the node Certificate Management, and use the SAP CA to create a LOGIN_CERT certificate. In the certificate attribute Subject Alternative Names (E-mail), define the name that will be mapped with the attribute Certificate Login ID in User Management (for example: LoginCert_Admin). Export this certificate in P12 format and import it in the desired Administrator User environment (for example, import in the Internet Explorer browser).
- In the navigation tree, choose the node User Management and edit the desired user. Choose the option SSL Certificate Login and define the parameter Certificate Login ID (for example: LoginCert_Admin). Save the settings.
- Save the configuration and restart the Secure Login Server application server.

- In the navigation tree, choose the node Server Configuration and choose the Edit Login Type button.
- Start the Secure Login Administration Console by calling its URL using HTTPS (which is enabled for certificate-based login); the user should be authenticated automatically. A message box might appear, prompting you to choose the desired certificate. In this case, choose the certificate to be used for logon.

4.7 Configure External Login ID

Define an authentication mechanism to use to log on to the Secure Login Administration Console. The prerequisite is that the desired authentication mechanism is configured in the instance (parameter JaasModule).
- In the navigation tree, choose the node User Management and edit the desired user. Choose the option External Login and define the parameter External Login ID. The External Login ID is the user name of the desired authentication server database. Define the desired authentication mechanism using the parameter External Login JAAS Module and save the configuration.
- Save the configuration and restart the Secure Login Server application server.
- Start the Secure Login Administration Console URL, choose the option External Login and log on with the user name and password of the authentication server.

4.8 Emergency Recovery Tool

The Emergency Recovery Tool is used when the Secure Login Server administrator has forgotten his or her password and no longer has access to the Secure Login Administration Console. The prerequisites for the Emergency Recovery Tool:
- Access to the operating system where the Secure Login Server is installed.
- Access to the key file for server credentials encryption. The key file is a file on the Secure Login Server with random content and is used to secure password information in configuration files. This key file was generated in the Initial Wizard (section 2.6.1 Initial Configuration).

Step 1
Log on to the operating system where the Secure Login Server application is installed. Edit the file SLSRecoverPassword.bat (Microsoft Windows) or SLSRecoverPassword.sh (Linux) and change the path to the file iaik_jce.jar.

Microsoft Windows
<ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\servlet_jsp\securelogin\root\WEB-INF\lib\SLSRecoverPassword.bat

SLSRecoverPassword.bat
    @echo off
    REM Adjust this path so that it points to the iaik_jce.jar of your installation
    SET IAIK_JARS_PATH=D:\usr\sap\ABC\J00\j2ee\cluster\bootstrap\iaik_jce.jar
    IF NOT EXIST "%IAIK_JARS_PATH%" GOTO ErrorLib
    java -cp "SLSRecoverPassword.jar;%IAIK_JARS_PATH%" com.secude.util.misc.SecudeUtilities %*
    goto End

    :ErrorLib
    ECHO IAIK Library not found, please correct the path to the library in this script!
    :End

Linux
<ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/servlet_jsp/securelogin/root/WEB-INF/lib/SLSRecoverPassword.sh

SLSRecoverPassword.sh
    #!/bin/sh
    # please check if this path points to the correct location of
    # the iaik library
    IAIK_JARS_PATH=/usr/sap/ABC/J00/j2ee/cluster/bootstrap/iaik_jce.jar
    if [ -f "$IAIK_JARS_PATH" ]; then
        java -cp "SLSRecoverPassword.jar:$IAIK_JARS_PATH" com.secude.util.misc.SecudeUtilities "$@"
    else
        echo "IAIK Library not found, please correct the path to the library in this script!"
    fi

Other possible locations of the file iaik_jce.jar:
<drive>:\usr\sap\ABC\J00\j2ee\JSPM\lib\
<drive>:\usr\sap\ABC\SYS\global\security\lib\engine\
<drive>:\usr\sap\ABC\SYS\global\security\lib\tools\

Save the script file SLSRecoverPassword.bat (Microsoft Windows) or SLSRecoverPassword.sh (Linux).

Step 2
Obtain the encrypted password string for the desired user. The encrypted password string is later used in the command line tool. The user information is available in the configuration file user.xml, which is located in the directory specified below:
Microsoft Windows: <INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\Instances\user.xml
Linux: /usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances/user.xml

user.xml
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <Users>
    <User disable="false" id="Admin" lanCode="en_US" name="Administrator" predefined="true" roles="Super User">

    <Password>encrypted_password_string</Password>
    </User>
    </Users>

Step 3
Open a command line shell and change to the folder where the file SLSRecoverPassword.bat (Microsoft Windows) or SLSRecoverPassword.sh (Linux) is located.
Microsoft Windows: <ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\servlet_jsp\securelogin\root\WEB-INF\lib\SLSRecoverPassword.bat
Linux: <ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/servlet_jsp/securelogin/root/WEB-INF/lib/SLSRecoverPassword.sh

Start the following command to decrypt and display the password for the desired user:
    SLSRecoverPassword -decrypt encrypted_password_string <file_location_of_the_key_file>
Example:
    SLSRecoverPassword -decrypt Encrypted Password String D:\usr\sap\ServerKeyFile\KeyFile.txt
The password is displayed. Output of the SLSRecoverPassword command:
    Encode password=Encrypted Password String with key file=D:\usr\sap\ServerKeyFile\KeyFile.txt
    Out is <Password>

You can use the following command to encrypt a password:
    SLSRecoverPassword -encrypt Password <File Location of the key file>
The encrypted password string is displayed.

4.9 Monitoring

This section describes how to retrieve the Secure Login Server status. Several interfaces are available, for example, to incorporate monitoring into administrative tools.

4.9.1 Web Service Status

Some examples are given below of how to retrieve the Secure Login Server status by URL.
Server Status: http://<host_name>:<port>/securelogin/PseServer?op=serverstatus
Default Server Instance Status: http://<host_name>:<port>/securelogin/PseServer?op=status
Server Instance Number # Status: http://<host_name>:<port>/securelogin/PseServer?op=status&id=00010
To retrieve the Server Instance Number, click the node Instance Management and check the ID of the desired instance.

4.9.2 XML Interface

Secure Login Server provides an XML interface to automate monitoring using your own or a third-party program, for example, for integration in Network Monitoring Tools. Secure Login Server has to be called with a specific request in XML format. The Secure Login Server then returns an XML reply with the status information. Send the following Status Request to the URL http://<host_name>:<port>/securelogin/PseServer

Status Request
    <TransFairGram>
      <Control>
        <Version>Pepperbox 2.0.0</Version>
        <ActionRequest>STATUS_REQUEST_ACTION</ActionRequest>
      </Control>
    </TransFairGram>

The Status Reply is similar to the following example.

Status Reply
    <TransFairGram>
      <Control>
        <ActionRequest>STATUS_ACTION</ActionRequest>
        <Version>Pepperbox 2.0.0</Version>
        <ServerBuild>$Name: REL_1_0_0_17 $</ServerBuild>
      </Control>
      <Content>
        <Data>
          <Status>
            <ConfigURL>file:<Path To Secure Login Server>\Configuration.properties</ConfigURL>
            <ConfigurationStatus>OK</ConfigurationStatus>
            <Date>Mon May 18 12:02:54 CET 2011</Date>
            <ID>Instance 00010</ID>
            <LockFile/>
            <LockStatus>false</LockStatus>
            <PseServerStatus>OK</PseServerStatus>
            <ServerBuild>SLS_5-1-1-0</ServerBuild>
          </Status>
          <Message>The current Server status is enclosed with this transfairgram (only for diagnostic purpose)</Message>
          <MessageCode>0701</MessageCode>
        </Data>
        <DataType>application/xml</DataType>
      </Content>
    </TransFairGram>
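The following Go program is an added example, not code from this guide: it builds the Status Request shown above, parses a Status Reply and reduces it to a healthy/unhealthy verdict for a monitoring tool. It assumes the request is posted as an application/xml body to the PseServer URL (the guide only says to send it to that URL); the reply it parses offline is a constructed copy of the example above.

```go
// Added example (not SAP code): build the Status Request of the Secure Login Server XML
// interface, parse the Status Reply and decide whether the instance is healthy. Assumption:
// the request is POSTed as an application/xml body to .../securelogin/PseServer.
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"time"
)

// statusRequest is the Status Request exactly as shown above.
const statusRequest = `<TransFairGram><Control><Version>Pepperbox 2.0.0</Version>` +
	`<ActionRequest>STATUS_REQUEST_ACTION</ActionRequest></Control></TransFairGram>`

// transFairGram mirrors the elements of the Status Reply that matter for monitoring.
type transFairGram struct {
	XMLName xml.Name `xml:"TransFairGram"`
	Control struct {
		ActionRequest string `xml:"ActionRequest"`
	} `xml:"Control"`
	Content struct {
		Data struct {
			Status struct {
				ConfigurationStatus string `xml:"ConfigurationStatus"`
				ID                  string `xml:"ID"`
				LockStatus          bool   `xml:"LockStatus"`
				PseServerStatus     string `xml:"PseServerStatus"`
				ServerBuild         string `xml:"ServerBuild"`
			} `xml:"Status"`
			MessageCode string `xml:"MessageCode"`
		} `xml:"Data"`
	} `xml:"Content"`
}

// StatusInfo is the flattened result handed to a monitoring tool.
type StatusInfo struct {
	InstanceID, ConfigurationStatus, PseServerStatus, ServerBuild, MessageCode string
	Locked                                                                     bool
}

// parseStatusReply decodes a Status Reply; a reply whose ActionRequest is not STATUS_ACTION
// is rejected because it does not answer a STATUS_REQUEST_ACTION.
func parseStatusReply(reply []byte) (StatusInfo, error) {
	var tfg transFairGram
	if err := xml.Unmarshal(reply, &tfg); err != nil {
		return StatusInfo{}, fmt.Errorf("malformed reply: %w", err)
	}
	if tfg.Control.ActionRequest != "STATUS_ACTION" {
		return StatusInfo{}, fmt.Errorf("unexpected ActionRequest %q", tfg.Control.ActionRequest)
	}
	s := tfg.Content.Data.Status
	return StatusInfo{InstanceID: s.ID, ConfigurationStatus: s.ConfigurationStatus,
		PseServerStatus: s.PseServerStatus, ServerBuild: s.ServerBuild,
		MessageCode: tfg.Content.Data.MessageCode, Locked: s.LockStatus}, nil
}

// healthy is the condition a probe alerts on: configuration and PSE server OK, instance not locked.
func healthy(s StatusInfo) bool {
	return s.ConfigurationStatus == "OK" && s.PseServerStatus == "OK" && !s.Locked
}

// pollStatus sends the Status Request to a running server (needs network access).
func pollStatus(url string, timeout time.Duration) (StatusInfo, error) {
	client := &http.Client{Timeout: timeout}
	resp, err := client.Post(url, "application/xml", bytes.NewBufferString(statusRequest))
	if err != nil {
		return StatusInfo{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return StatusInfo{}, err
	}
	return parseStatusReply(body)
}

// sampleReply is a constructed reply modelled on the example above (the ConfigURL placeholder
// is written without angle brackets so that the sample is well-formed XML).
const sampleReply = `<TransFairGram><Control><ActionRequest>STATUS_ACTION</ActionRequest>` +
	`<Version>Pepperbox 2.0.0</Version><ServerBuild>$Name: REL_1_0_0_17 $</ServerBuild></Control>` +
	`<Content><Data><Status><ConfigURL>file:PATH_TO_SLS\Configuration.properties</ConfigURL>` +
	`<ConfigurationStatus>OK</ConfigurationStatus><Date>Mon May 18 12:02:54 CET 2011</Date>` +
	`<ID>Instance 00010</ID><LockFile/><LockStatus>false</LockStatus><PseServerStatus>OK</PseServerStatus>` +
	`<ServerBuild>SLS_5-1-1-0</ServerBuild></Status><Message>The current Server status is enclosed with ` +
	`this transfairgram</Message><MessageCode>0701</MessageCode></Data><DataType>application/xml</DataType></Content></TransFairGram>`

func main() {
	info, err := parseStatusReply([]byte(sampleReply))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s build %s healthy=%v\n", info.InstanceID, info.ServerBuild, healthy(info))
}
```

Against a live server, call pollStatus with the PseServer URL of the instance and hand the StatusInfo to your monitoring tool; a LockStatus of true or any non-OK status is the signal to alert on.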

4.10 Secure Login Client Policy and Profiles

This section contains detailed information about the client policy and client profiles for Secure Login Client. The client policy is installed together with Secure Login Client on the client computer. Using the client policy configuration, the client profiles can be downloaded from Secure Login Server. Three types of client policy are available:
ClientPolicy.xml: Client policy defined in the default instance of the Secure Login Server.
ClientPolicy.xml&path=000xx: Client policy defined in instance xx (instance number) of the Secure Login Server.
GlobalClientPolicy.xml: Global client policy; includes all available instances of the Secure Login Server.

4.10.1 Client Policy

These parameters are defined in the files customer.reg and GlobalCustomer.reg.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\System]

PolicyURL (STRING)
    Network resource from which the latest Secure Login Client profiles can be downloaded.
PolicyTTL (DWORD)
    The lifetime in minutes for verifying (updating) a new client policy on the Secure Login Server. The default is 0 minutes (hexadecimal value: 0).
DisableUpdatePolicyOnStartup (DWORD)
    By default, the Secure Login Client verifies a new client policy during system startup of the client PC. You can use this parameter to disable this feature. Default value is 0.
    0  Enable automatic policy download.
    1  Disable automatic policy download.
NetworkTimeout (DWORD)
    Network timeout in seconds before the connection is closed if the Secure Login Server does not respond. The default is 45 seconds (hexadecimal value: 2d).

4.10.2 Applications and Profiles

The Secure Login Server provides the Applications and Profiles configuration to the Secure Login Client using ClientPolicy.xml and GlobalClientPolicy.xml. In addition, it is possible to download the configuration using the customerAll.reg and GlobalCustomerAll.reg files.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\applications\<Application Name>]

GssTargetName (STRING)
    Application-specific PSE URI (SAP server SNC name) that is matched when a suitable profile is searched. You can use the wildcards * and ?. Examples: SNC/CN=SAP, OU=SAP Security, C=DE; SNC/CN=Server*, O=Company xyz. Using the value * means that the client profile is used for all SAP servers.
profile (STRING)
    The name of the client profile to be used for the desired application.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<Profile Name>]

profileName (STRING)
    The name of the client profile to be used for the desired application.
allowFavorite (DWORD)
    Allow the user to select the authentication profile manually in Secure Login Client. The default value is 1.
    0  User cannot select the authentication profile manually in Secure Login Client.
    1  User can select the authentication profile manually in Secure Login Client.
pseType (STRING)
    Authentication type.
    promptedlogin  Using this profile, the user will be requested to enter the user credentials.

    windowslogin   Using this profile, the user credentials will be provided automatically (only available for Microsoft Windows authentication).
    Default value is windowslogin.
enrollURL0 (STRING)
    Secure Login Server URL that is used for user authentication and certificate request. The Enroll URL depends on the instance configuration:
    <server>/securelogin/PseServer           Enroll URL defined in the default instance of the Secure Login Server.
    <server>/securelogin/PseServer&id=000xx  Enroll URL defined in instance xx (instance number) of the Secure Login Server.
    Use the Add button to configure further Enroll URLs. This is the failover configuration for the Secure Login Client. If the first Enroll URL cannot be established, the Secure Login Client tries the next Enroll URL defined here.
httpProxyURL (STRING)
    HTTP proxy to be used with enrollment URLs. Only HTTP proxies without authentication and without SSL to the proxy are supported. Example: http://example.address.com:8888
reAuthentication (DWORD)
    This parameter defines how many login attempts are offered before the Secure Login Client login form is closed. Default value is 0. Example with value 4: the Secure Login Client offers the login form 4 times (e.g. after wrong credential information) before the login form is closed.
gracePeriod (DWORD)
    Value in seconds before the certificate expires at which an enrollment is to be carried out. Default value is 0.
inactivityTimeout (DWORD)
    Value in seconds until an automatic logout is performed (due to mouse and keyboard inactivity). Possible values:
    -1  No Single Sign-On (SSO). Each SNC connection forces a new login. The login form will never be closed; the user needs to use the button Cancel to close the login form.

    0   No timeout. SSO without constraints.
    >0  Seconds until an automatic logout is executed.
autoEnroll (DWORD)
    A user automatically gets an X.509 certificate when the Secure Login Client starts. If pseType is set to windowslogin, user credentials are provided automatically (only applies for Microsoft Windows authentication). If pseType is set to promptedlogin, the system prompts the users to enter their credentials. The default value is 0.
    0  Turn off
    1  Automatic provisioning of user certificates
autoReenrollTries (DWORD)
    The number of failed authentications in a row after which automatic re-enrollment is stopped. The error counter is reset on success. User name and password caching can be turned on to provide the automatic re-enrollment of certificates that are going to expire. The default value is 0. Possible values:
    0       Turn off: do not re-enroll automatically, do not cache user name and password. A re-enrollment must always be performed manually by the user.
    >0 (n)  Turn on with n tries to succeed: try to re-enroll a maximum of n times before either a new certificate is received or the user name and password cache are cleared.
keySize (DWORD)
    RSA key length. The default value is 1024 (hexadecimal value: 400).
UniqueClientID (STRING)
    Custom-defined string that is displayed in the instance log or can be used for network filtering issues.
networkTimeout (DWORD)
    Network timeout (in seconds) before the connection is closed if the server does not respond.

    The default value is 45 (hexadecimal value: 2d).
sslHostAlternativeNameCheck (DWORD)
    This applies to the SSL server certificate: it checks whether the peer host name is given in the Subject Alternative Name attribute of the certificate. The default value is 0.
    0  Do not verify the SSL server host name with the Subject Alternative Name attribute of the SSL server certificate.
    1  Verify the SSL server host name with the Subject Alternative Name attribute of the SSL server certificate.
sslHostCommonNameCheck (DWORD)
    This applies to the SSL server certificate: it checks whether the peer host name is given in the Common Name (CN) field of the SSL server certificate. The default value is 0.
    0  Do not verify the SSL server host name with the Common Name (CN) field of the SSL server certificate.
    1  Verify the SSL server host name with the Common Name (CN) field of the SSL server certificate.
sslHostExtensionCheck (DWORD)
    This applies to the SSL server certificate: it checks whether the extended key usage ServerAuthentication is defined. The default value is 0.
    0  Do not verify whether the extended key usage ServerAuthentication is defined in the SSL server certificate.
    1  Verify whether the extended key usage ServerAuthentication is defined in the SSL server certificate.
userWarningMSIE (DWORD)
    Turn on/off a warning dialog box that appears after a new certificate has been propagated to the Microsoft Crypto Store. NOTE: Microsoft Internet Explorer must be restarted. The default value is 0.
    0  Turn off the warning dialog box.
    1  Turn on the warning dialog box.
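All three SSL server certificate checks above default to 0, so a client with the shipped defaults does not verify the host name or the key usage of the Secure Login Server's SSL certificate. The following Go program is an added example, not code from this guide: it parses an exported client policy (.reg) and reports such settings per profile, next to a corrected profile. The .reg contents are constructed (and assumed to be plain text rather than a UTF-16 export); the 2048-bit threshold is the recommendation from section 4.11.

```go
// Added example (not SAP code): audit a Secure Login Client policy export (customer.reg) for the
// SSL and key settings described above. The .reg text is constructed and assumed to be plain text.
package main
import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)
// sampleReg keeps the shipped defaults: plain HTTP enrollment, a 1024-bit key and no
// host name or key usage verification of the SSL server certificate.
const sampleReg = `Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\Default]
"pseType"="windowslogin"
"enrollURL0"="http://sls.example.com/securelogin/PseServer"
"keySize"=dword:00000400
"sslHostAlternativeNameCheck"=dword:00000000
"sslHostCommonNameCheck"=dword:00000000
"sslHostExtensionCheck"=dword:00000000
`
// hardenedReg is the corrected profile: HTTPS enrollment with a failover URL, a 2048-bit key
// and all three SSL server certificate checks switched on.
const hardenedReg = `[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\Default]
"pseType"="windowslogin"
"enrollURL0"="https://sls.example.com/securelogin/PseServer"
"enrollURL1"="https://sls2.example.com/securelogin/PseServer"
"keySize"=dword:00000800
"sslHostAlternativeNameCheck"=dword:00000001
"sslHostCommonNameCheck"=dword:00000001
"sslHostExtensionCheck"=dword:00000001
`
var sectionRe = regexp.MustCompile(`^\[(.+)\]$`)
var valueRe = regexp.MustCompile(`^"([^"]+)"=(?:"(.*)"|dword:([0-9A-Fa-f]{8}))$`)
// parseReg returns section -> parameter -> value; DWORDs become int, strings stay string.
func parseReg(text string) map[string]map[string]interface{} {
	reg := map[string]map[string]interface{}{}
	section := ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if m := sectionRe.FindStringSubmatch(line); m != nil {
			section = m[1]
			reg[section] = map[string]interface{}{}
			continue
		}
		m := valueRe.FindStringSubmatch(line)
		if m == nil || section == "" {
			continue // file header, blank line or unsupported value type
		}
		if m[3] != "" {
			n, _ := strconv.ParseInt(m[3], 16, 64)
			reg[section][m[1]] = int(n)
		} else {
			reg[section][m[1]] = strings.ReplaceAll(m[2], `\\`, `\`) // .reg escapes backslashes
		}
	}
	return reg
}

// dword returns a DWORD parameter, or the default documented for it when it is absent.
func dword(p map[string]interface{}, name string, def int) int {
	if v, ok := p[name].(int); ok {
		return v
	}
	return def
}

// auditProfile lists the settings of one client profile that weaken server authentication.
func auditProfile(name string, p map[string]interface{}) []string {
	var f []string
	for k, v := range p {
		if s, ok := v.(string); ok && strings.HasPrefix(strings.ToLower(k), "enrollurl") && !strings.HasPrefix(strings.ToLower(s), "https://") {
			f = append(f, name+": "+s+" is not HTTPS, so the SSL server certificate checks do not apply")
		}
	}
	if dword(p, "sslHostAlternativeNameCheck", 0) == 0 && dword(p, "sslHostCommonNameCheck", 0) == 0 {
		f = append(f, name+": SSL server host name is not verified (set sslHostAlternativeNameCheck or sslHostCommonNameCheck to 1)")
	}
	if dword(p, "sslHostExtensionCheck", 0) == 0 {
		f = append(f, name+": extended key usage ServerAuthentication is not checked (sslHostExtensionCheck=0)")
	}
	if bits := dword(p, "keySize", 1024); bits < 2048 {
		f = append(f, fmt.Sprintf("%s: keySize %d is below the 2048-bit RSA recommendation", name, bits))
	}
	return f
}

// auditPolicy runs auditProfile over every profiles\<Profile Name> section of the export.
func auditPolicy(text string) []string {
	var f []string
	for section, values := range parseReg(text) {
		if i := strings.LastIndex(strings.ToLower(section), `\profiles\`); i >= 0 {
			f = append(f, auditProfile(section[i+len(`\profiles\`):], values)...)
		}
	}
	return f
}
func main() {
	fmt.Println(auditPolicy(sampleReg), len(auditPolicy(hardenedReg)))
}
```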

newPinType (STRING)
    Message text value used for messages (change PIN/password) to the Secure Login Client and Secure Login Web Client. Available values are pin and password.

4.11 Integrate into Existing PKI

If a Public Key Infrastructure (PKI) is available, the Secure Login Server can be integrated. You can use the existing PKI to create the certificates for the SSL server and the SAP server. To provide X.509 user certificates, the Secure Login Server requires a User CA certificate which needs to be provided by the PKI. The user CA certificate should include the complete certificate chain. This means all public certificate information of the chain should be provided. The following certificate attributes are required for the user CA certificate:

Certificate Attribute    Details
Version                  V3
Asymmetric Algorithm     RSA Algorithm
Key Usage                Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment, Certificate Signing, Off-line CRL Signing, CRL Signing
Basic Constraints        Subject Type=CA, Path Length Constraint=None

The RSA key length depends on the customer requirements. We recommend that you use 2048-bit RSA keys or higher. Typically the file is provided in P12 format. The Secure Login Server requires the PSE format to import using the Secure Login Administration Console. Use the SAP tool SAPGENPSE to convert the P12 format to PSE format:
    sapgenpse import_p12 -x <PSE_password> -z <P12_password> -p <PSE_file_name>.pse <P12_file_name>.p12

Log on to the Secure Login Administration Console and import the PSE file in Certificate Management. Choose USER_CA and the option Import Certificate. Restart the Secure Login Server application.

4.12 Configuring Secure Login Servers as Failover Servers for High Availability

Use Case
You want to ensure high availability of the Secure Login Server. For example, you want to prevent the situation that the Secure Login Client sends a certificate request and does not get a response.

Concept
Install and run several Secure Login Servers on different AS Java servers acting as failover servers. The URLs of the Secure Login Servers that are available are listed in the Enroll URL parameter of the client policy. This is where the Secure Login Client checks which path to use. If the first Secure Login Server is down, it goes to the next Secure Login Server that is specified in the list.

Configuration
1. Log on to the administration console.
2. Choose Instance Management > DefaultServer Configuration > Client Configuration and go to the Profiles tab.
3. Choose the Add Profile button to get to the Add/Modify Client Profile screen.

4. Behind the URL of the Enroll URL parameter, choose the Add button. A new row with the previous URL as default value appears.
5. Enter the URL to the failover Secure Login Server.
6. Save your entries.
To configure more Secure Login Servers as failover servers, add new rows and enter the relevant URLs.

We recommend that you maintain this failover configuration in all Secure Login Servers you use. For more information about the parameter Enroll URL, see 4.10.2 Applications and Profiles.

4.13 Configuring Login Module Stacks as Failover Servers in SAP NetWeaver

Use Case
You want to ensure high availability of the Secure Login Server. For example, you want to make sure that users are able to authenticate even if an authentication server for a configured authentication method is not available.

Concept
Install and run authentication servers of the same type, for example two LDAP servers, in different networks acting as an authentication failover solution. The authentication logic of the Secure Login Server is handled by login modules. These login modules are configured to run with different authentication servers and have, for example, different IPs. Several login modules of the same kind are put into login module stacks (authentication stacks). When an authentication request comes in, the Secure Login Server tries to use all configured login modules until it gets to an authentication server that is online and returns an authentication result. If, for any reason, the login module on top of the stack does not respond, the Secure Login Server sends its authentication request to the next login module in the stack and expects it to process the authentication request.

However, SAP NetWeaver only accepts the default configuration of a login module. If you simply insert and list login modules and do not organize them in a stack, you cannot change the configuration of the login module. For the authentication failover solution, you need to adapt values, for example, the destination paths and the timeout. For more information, see the Help Portal at http://help.sap.com/nw703/ and choose Application Help > SAP Library > SAP NetWeaver Library > SAP NetWeaver by Key Capability > Security > User Authentication and Single Sign-On > Authentication on the AS Java > Login Modules and Login Module Stacks.

So you create a login module stack (with a dedicated name) that contains a number of login modules for authentication failover, with different IPs or destination paths. Authentication with the Secure Login Server only works with the following login modules.

Login Modules Used by the Secure Login Server

Name                       Usage                                   Note
SecureLoginModuleLDAP      Direct usage or in login module stack   Does not depend on UME
SecureLoginModuleRADIUS    Direct usage or in login module stack   Does not depend on UME
SecureLoginModuleSAP       Direct usage or in login module stack   Does not depend on UME
BasicPasswordLoginModule   Direct usage only                       Not for login module stack, with UME
SPNegoLoginModule          Direct usage only                       Not for login module stack, with UME

Limitations
Put only login modules of the same kind into the login module stack. We do not support the use of different login modules (mixed authentication types). Note that we only support login module stacks with the same type of login modules.

4.13.1 Configuration of SAP NetWeaver AS Java

To configure an SAP NetWeaver AS Java to act as an identity provider, proceed as follows:
7. Log on to the administration console.
8. Open the SAP NetWeaver Administrator and go to the Authentication and Single Sign-On service.
9. On the Authentication tab, there is a table under Component. To create a new login module stack for authentication custom configuration, choose the Create button.
10. Enter a configuration name and choose the type Custom. These entries appear in the Policy Configuration Name table. This custom configuration serves as your new login module stack.
11. In the section below, under the Authentication Stack tab, add the login modules by choosing the Edit and Add buttons.
12. If you double-click the cell for the login module name, a dropdown list with the available login modules appears. Select the login modules you need.
13. Copy the login modules, change their names, and adapt the configuration, for example, list them in a login module stack.

14. In these entries, you can change the names and the configuration. Set the authentication-relevant parameters and save your changes.
15. Set the flag to SUFFICIENT to make sure that the authentication proceeds down the list to the next login module if the authentication is not successful. Save your changes.
You have now implemented a failover solution using SAP NetWeaver login module stacks. For more information, see the Application Help at http://help.sap.com/nw731/ under SAP Library > SAP NetWeaver Library: Function-Oriented View > Security > User Authentication and Single Sign-On > Authentication Infrastructure > Login Modules > Policy Configurations and Authentication Stacks.

4.13.2 Configuration of the Secure Login Server

The administration console of the Secure Login Server uses this newly created login module stack directly. Keep in mind that you cannot adapt the parameters of the login module stack in the administration console. In the Secure Login Administration Console, enter the name of the login module stack as follows:
1. In the Secure Login Administration Console, choose the Edit button.
2. In the Instance Configuration > Authentication Server Configuration, choose the authentication type Policy Configuration Name and enter the name of the relevant login module stack.
3. Save your changes.

4.14 Setting Failover Timeouts of the Login Modules

When an authentication attempt arrives, and the authentication request is passed on and proceeds down the list in the login module stack, the ICM timeout for a connection with an external system may be exceeded. This leads to the error message "internal server error". Usually the default ICM timeout is 5000 ms. For more information, see Internet Communication Manager (ICM) in the SAP Library under Administration of the Internet Communication Manager > Additional Profile Parameters > icm/conn_timeout.

To avoid this, set the timeouts of the login modules in your login module stacks so that the total of all timeouts does not exceed the default ICM timeout. You need to make sure that the timeouts belonging to the single login modules do not exceed the ICM timeout. If the bandwidth is very limited, for example, consider changing the ICM timeout for the entire system.

Name of Login Module       Parameter Name      Description
SecureLoginModuleLDAP      LdapTimeout         Timeout for login
SecureLoginModuleSAP       SAPTimeout          Timeout for login
                           maxNbrConnections   Maximum number of connections until authentication is blocked
SecureLoginModuleRADIUS    TimeOut             Timeout for login

You can set the timeout of the login modules in the login module stack as follows:
1. Select the login module for which you want to change the timeout. The table below the module name contains its parameters and their values.
2. Go down to the section for the login module options and choose the Add button.
3. In the New Login Module Option dialog box, enter the name of the parameter you want to add and provide a value.
4. Save your changes.

4.15 Custom Use of Login Module with Login Module Stacks

Use Case
You want to use several Secure Login Server instances with authentication types of the same kind. Since it is only possible to have one configuration per login module, you can overwrite the login module configuration if you use it in a login module stack. Working with a login module stack enables you to use the default configuration of the login module, change authentication-relevant parameters in the SAP NetWeaver Administrator, and store them in a login module stack with only one login module. Use this option if, for example, you want to create one LDAP login module for a dedicated group of users and another one for another group of users. Create a login module stack for

2. Configure a login module stack in the policy configuration of the SAP NetWeaver JAAS as described above (see 4.13. Use the REQUISITE flag for your login module stack. Proceed with the configuration as described above (see 4.2 Configuration of the Secure Login Server).13. with each login module stack containing only one login module. enter the name of the login module stack. In the Secure Login Administration Console. Configuration 1. 06/2011 153 . Set the authentication-relevant parameters as desired.4 Other Configurations the first group of users and one for the second group of users.1 Configuration of SAP NetWeaver AS Java).
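The rule in section 4.14 is easy to break when several login modules share one stack, because each module carries its own timeout parameter. The following script is an added example, not code from the SAP guide: it models a login module stack as the list of (module name, options) pairs one would read off the SAP NetWeaver Administrator, sums the timeout options named in the table above (LdapTimeout, SAPTimeout, TimeOut) and compares the total with the ICM timeout. It assumes the option values are whole milliseconds, like the 5000 ms ICM default the guide states; the sample stack is constructed.

```python
"""Check that the login module timeouts of a stack fit within the ICM timeout
(section 4.14). Added example, not code from the SAP guide. Assumes the option
values are whole milliseconds; the sample stack below is constructed."""

# Timeout option per login module, from the table in section 4.14.
TIMEOUT_OPTION = {
    "SecureLoginModuleLDAP": "LdapTimeout",
    "SecureLoginModuleSAP": "SAPTimeout",
    "SecureLoginModuleRADIUS": "TimeOut",
}
DEFAULT_ICM_TIMEOUT_MS = 5000  # default ICM timeout as stated in the guide


def module_timeout_ms(module, options):
    """Return the configured timeout of one login module in ms, or None when
    the module has no timeout option or the option is not set (the module
    then uses its built-in default, which this check cannot see)."""
    option = TIMEOUT_OPTION.get(module)
    if option is None or option not in options:
        return None
    raw = str(options[option]).strip()
    if not raw.isdigit():
        raise ValueError(f"{module}.{option}={raw!r} is not a non-negative integer")
    return int(raw)


def check_stack(stack, icm_timeout_ms=DEFAULT_ICM_TIMEOUT_MS):
    """Add up the timeouts of all modules in the stack and compare the total
    with the ICM timeout, which is the rule section 4.14 gives."""
    timeouts, unset = [], []
    for module, options in stack:
        t = module_timeout_ms(module, options)
        if t is None:
            unset.append(module)  # unknown contribution; result is uncertain
        else:
            timeouts.append((module, t))
    total = sum(t for _, t in timeouts)
    return {
        "timeouts": timeouts,
        "total_ms": total,
        "icm_timeout_ms": icm_timeout_ms,
        "within_limit": total <= icm_timeout_ms,
        "headroom_ms": icm_timeout_ms - total,
        "unset": unset,
    }


# Constructed sample: two modules whose timeouts together exceed the default.
SAMPLE_STACK = [
    ("SecureLoginModuleLDAP", {"LdapTimeout": "3000"}),
    ("SecureLoginModuleSAP", {"SAPTimeout": "2500", "maxNbrConnections": "10"}),
]

if __name__ == "__main__":
    report = check_stack(SAMPLE_STACK)
    for module, t in report["timeouts"]:
        print(f"{module}: {t} ms")
    verdict = "ok" if report["within_limit"] else "exceeds ICM timeout"
    print(f"total {report['total_ms']} ms vs ICM {report['icm_timeout_ms']} ms -> {verdict}")
```

Modules listed under `unset` have no explicit timeout and fall back to their built-in default, so a stack is only verified when that list is empty.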

5 Configuration Examples

This section describes some configuration examples for Secure Login Server.

5.1 Kerberos Authentication with SPNego

In this configuration example, the user authentication is verified against a Microsoft Windows domain. After a successful authentication an X.509 user certificate is provided.

Prerequisites
• Secure Login Server is installed and the initial wizard has been completed.
• In Certificate Management at least the User CA is available.
• You have configured and enabled SPNego on the SAP NetWeaver Administrator.
• If you want to use HTTPS, you need to enable SSL on the SAP NetWeaver server.

Configuration Steps
1. Log on to the Secure Login Administration Console and choose the node Instance Management.
2. Verify whether the authentication mechanism in Instance is configured correctly. Make sure that pseType is set to windowslogin.
   JaasModule = SPNegoLoginModule
3. Choose the node Certificate Management and verify if the parameter Mapping to Instance (USER_CA) is enabled (checkbox) for this instance.
4. Choose the node Client Configuration and configure Client Policy, Applications and Profiles (section 3.4 Instance Management).
5. Export the client policy (customer.reg) which is used for Secure Login Client Installation.
6. Restart the Secure Login Server.
7. Install the Secure Login Client application on the client PC (for more information, see the Installation, Configuration and Administration Guide for Secure Login Client).
8. Import the customer.reg files to the client registry. Verify whether the certificate chain (trust relation) of the SSL server certificate is in the Microsoft Certificate Store (Computer Certificate Store). Import missing certificates. Restart the client PC.

In the Secure Login Client the profile defined in Instance Management is displayed in the Secure Login Client Console. Double-click this profile, and an X.509 certificate is provided without further user interaction. This user certificate is displayed in the Secure Login Client Console and is available in the Microsoft Certificate Store (User Certificate Store).

5.2 LDAP User Authentication

In this configuration example, the user authentication is verified against a Microsoft Active Directory System or LDAP server. After successful authentication an X.509 user certificate is provided.

Prerequisites
• Secure Login Server is installed and the initial wizard has been completed.
• In Certificate Management at least the User CA is available.
• If you want to use HTTPS, you need to enable SSL on the SAP NetWeaver server.

Configuration Steps
1. Logon to SAP NetWeaver Administrator and define the connection parameters for the Login Module SecureLoginModuleLDAP (section 4.1 Configure Login Module). If you are using LDAPS, import the LDAPS certificate into the Secure Login Server Trust Store. For further information, see section 3.4 Trust Store Management.
2. Log on to the Secure Login Administration Console and choose the node Instance Management.
3. Verify whether the authentication mechanism in the instance is configured correctly.
   JaasModule = SecureLoginModuleLDAP
4. Choose the node Certificate Management and check if the parameter Mapping to Instance (USER_CA) is enabled (checkbox) for this Instance.
5. Choose the node Client Configuration and configure Client Policy, Applications and Profiles (section 3.4 Instance Management).
6. Export the Client Policy (customer.reg), which will be used for the Secure Login Client Installation.
7. Restart the Secure Login Server Application. If you are using LDAPS, restart the SAP NetWeaver JAVA application server.
8. Install the Secure Login Client application on the client PC (for more information, see the Installation, Configuration and Administration Guide for the Secure Login Client).
9. Import the customer.reg files to the Client registry.
10. Verify whether the certificate chain (trust relation) of the SSL server certificate is in the Microsoft Certificate Store (Computer Certificate Store). Import missing certificates. Restart your client PC.

In the Secure Login Client, the profile defined in Instance Management is displayed in the Secure Login Client Console. Double-click this profile and enter the user name and password (Active Directory System or LDAP server). This user certificate is displayed in the Secure Login Client Console and is available in the Microsoft Certificate Store (User Certificate Store).

5.3 SAP User Authentication

In this example, you configure that users automatically get X.509 certificates when they are logged on to a Microsoft Windows domain. The Microsoft Windows domain authentication is double-checked against the SAP ABAP server.

Prerequisites
• Secure Login Server is installed and the initial wizard has been completed.
• In Certificate Management at least the User CA is available.
• If you want to use HTTPS, you need to enable SSL in the SAP NetWeaver server.
• Secure Login Library is installed (described in 2.1 Secure Login Library).

Configuration Steps
1. Install Secure Login Library on the target SAP ABAP server. For further information see the Installation, Configuration and Administration Guide for Secure Login Library.
2. Perform SNC Configuration (section 5.8 SNC Configuration).
3. Log on to the Secure Login Administration Console and choose the node Certificate Management. Create a new SAP ABAP server certificate choosing certificate type SAP_SERVER (for example, CN=ABC, OU=SAP Security).
4. Import the SAP ABAP Server certificate in transaction STRUST. Enable SNC configuration. Restart the SAP ABAP Server.
5. Create a new certificate for the technical user (for Secure Login Server) choosing certificate type SNC_CERT (for example, CN=SLSSNC).
6. Create a technical user (for Secure Login Server) in SAP User Management (for example, SLSSNC) and import the certificate of the technical user (Option: From Console). Define authorizations and configure the SNC Name (for example, CN=SLSSNC). For more information, see section 4.3 Create Technical User in SAP Server.
7. Logon to SAP NetWeaver Administrator and define the connection parameters for the Login Module SecureLoginModuleSAP (section 4.1 Configure Login Module).
8. Verify whether the authentication mechanism in the instance is configured correctly.
   JaasModule = SecureLoginModuleSAP
9. Choose the node Certificate Management and check if the parameter Mapping to Instance (USER_CA) is enabled (checkbox) for this instance.
10. Choose the node Client Configuration and configure Client Policy, Applications and Profiles (section 3.4 Instance Management).
11. Export the Client Policy (customer.reg) to be used for Secure Login Client Installation.
12. Restart the Secure Login Server application.

13. Install the Secure Login Client application on the client PC (for more information, see the Installation, Configuration and Administration Guide for the Secure Login Client).
14. Import the customer.reg files into the client registry.
15. Verify whether the certificate chain (trust relation) of the SSL server certificate is in the Microsoft Certificate Store (Computer Certificate Store). Import missing certificates. Restart your client PC.

In Secure Login Client the profile defined in Instance Management is displayed in Secure Login Client Console. Double-click this profile and enter the SAP user name and password. This user certificate is displayed in the Secure Login Client Console and is available in the Microsoft Certificate Store (User Certificate Store).

5.4 RADIUS User Authentication

In this configuration example, the user authentication is verified against a RADIUS server. After successful authentication, an X.509 user certificate is provided.

Prerequisites
• Secure Login Server is installed and the initial wizard was completed.
• In Certificate Management at least the User CA is available.
• If you want to use HTTPS, you need to enable SSL in the SAP NetWeaver server.
• In the RADIUS Server, configure Radius Client for Secure Login Server. This means that the Secure Login Server can establish communication to the RADIUS Server. Define the Shared Secret for this connection.

Configuration Steps
1. Logon to SAP NetWeaver Administrator and define the connection parameters for the Login Module SecureLoginModuleRADIUS (section 4.1 Configure Login Module).
2. Log on to the Secure Login Administration Console and choose the node Instance Management.
3. Verify whether the authentication mechanism in the instance is configured correctly.
   JaasModule = SecureLoginModuleRADIUS
4. Choose the node Certificate Management and check if the parameter Mapping to Instance (USER_CA) is enabled (checkbox) for this instance.
5. Choose the node Client Configuration and configure Client Policy, Applications and Profiles (section 3.4 Instance Management).
6. Export the Client Policy (customer.reg) to be used for Secure Login Client installation.
7. Restart the Secure Login Server Application.

8. Install the Secure Login Client application on the client PC (for more information, see the Installation, Configuration and Administration Guide for Secure Login Client).
9. Import the customer.reg files into the client registry.
10. Verify whether the certificate chain (trust relation) of the SSL server certificate is in the Microsoft Certificate Store (Computer Certificate Store). Import missing certificates. Restart your client PC.

In Secure Login Client the profile defined in Instance Management is displayed in Secure Login Client Console. Double-click this profile and enter the user name and password (RADIUS user database). This user certificate is displayed in the Secure Login Client Console and is available in the Microsoft Certificate Store (User Certificate Store).

5.5 Configuring RSA Authentication with RADIUS

Prerequisites
An RSA Authentication Manager (with a RADIUS server) is installed and running. It communicates with the Secure Login Server through its RADIUS protocol using its own RADIUS server. The versions currently supported are 6.1 and 7.1. For more information on the parameters for RADIUS, see 4.1 Configure Login Module.

The Secure Login Server supports new SecurID PINs and the next token code of RSA SecurID tokens. RSA server messages automatically parse the PIN policy and the minimum and maximum PIN length and transfer the values to the Secure Login Client without any configuration effort on your side. For more information, see the documentation of the RSA Authentication Server.

5.5.1 Configuration of the securid.ini File

For communication with the RSA Authentication Manager, you need the securid.ini file, which is provided by the RADIUS server. The Secure Login Server installation package installs a sample securid.ini file (corresponding to RSA Authentication Manager 7.1) in the global directory. You need not edit the file for the configuration. We recommend that you use the file provided by your RSA RADIUS server. To do this, proceed as follows:
1. On the RADIUS server, go to the directory that contains securid.ini. For more information on the file path, see the corresponding RSA Authentication Manager documentation.
2. Copy the new file to the global directory of the Secure Login Server, and overwrite the old securid.ini file. The path to the global directory remains the same. By default, the relative path to the securid.ini file in the SAP NetWeaver Administrator is %GLOBAL_SLS_CONF_DIR%/Instances/securid.ini.

5.5.2 Customer-Specific Configuration of the securid.ini File

If you want to keep your customer-specific securid.ini file, either in the global directory or in a directory of your choice, you have to make sure that your file is located in the relevant directory. In the latter case, adapt the path in the SAP NetWeaver Administrator of the RADIUS login module. In either case, compare the securid.ini files on the Secure Login Server and on the RADIUS server to make sure that they are identical. Take the following steps:

Use Case                                    | Checks and Activities
securid.ini located in the global directory | 1. Rename securid.ini, for example, to securid.old. 2. Update the installation to Secure Login Server SP2. 3. Rename your securid.old to securid.ini, thus overwriting the installed sample file. 4. Copy your securid.ini into the RADIUS server environment. 5. Check whether the path entered in the SAP NetWeaver Administrator is %GLOBAL_SLS_CONF_DIR%/Instances/securid.ini.
securid.ini located in another directory    | 1. Make sure that your custom directory path is entered in the SAP NetWeaver Administrator. 2. Copy your securid.ini into the RADIUS server environment.

To change the path in the SAP NetWeaver Administrator, proceed as follows:
1. Go to SAP NetWeaver Administrator.
2. Under Authentication and Single Sign-On, choose Login Modules.
3. Select the login module SecureLoginModuleRADIUS.
4. On the Login Module Options tab, find the parameter SecuridFile. Here you see the relative path to the global directory %GLOBAL_SLS_CONF_DIR%/Instances/securid.ini.
5. Enter the path where you stored your securid.ini file, either in the login module or in the login module stack. Save your changes.

If you are using a login module stack, enter the path to the securid.ini file in the configuration of the login module stack. For more information, see the Help Portal at http://help.sap.com/nw703/ and choose Application Help > SAP Library > SAP NetWeaver Library > SAP NetWeaver by Key Capability > Security > User Authentication and Single Sign-On > Authentication on the AS Java > Login Modules and Login Module Stacks.

5.5.3 Ensuring Encrypted Communication with Shared Secret

To make sure that the RSA Authentication Manager can communicate with the RSA server, you need to do the following:
1. Add the SAP NetWeaver IP address to the list of the RSA RADIUS clients in the RSA Authentication Manager.
2. Enter a shared secret for the RSA RADIUS client or use the shared secret that is delivered as default.
3. Configure the shared secret property SharedSecret in the configuration of the RADIUS login module accordingly.

Since the shared secret is entered in the SAP NetWeaver Administrator and visible to other users, encrypt the shared secret of the RADIUS server and insert the encrypted string into SAP NetWeaver Administrator. This means that only the Secure Login Server can read the shared secret. Your system administrator must know the shared secret of the RADIUS server. To encrypt the shared secret, take the following steps:
1. Open the administration console of the Secure Login Server.
2. Choose Secret Encryption under Server Configuration.
3. Paste the shared secret into the input field Shared Secret.
4. To encrypt your input, choose the Encrypt button. The field Encrypted Secret, which is immediately below, displays the encrypted result.
5. Select the character string in this field and copy it to the clipboard.
6. In SAP NetWeaver Administrator (you can use the convenient link on the screen of the Secure Login Server), choose Authentication and Single Sign-On > Login Modules.
7. Select the login module SecureLoginModuleRADIUS.
8. On the Login Module Options tab, find the parameter SharedSecret.
9. Paste the encrypted character string of the shared secret as the value for this parameter. Save your changes.

If you are using a login module stack, enter the path to the securid.ini file in the configuration of the login module stack.

6 Troubleshooting

This section gives additional information about troubleshooting for Secure Login Server.

6.1 Checklist

Problem
User Authentication Problem. This section describes the configuration issues to check if a user authentication is not successful.

Checklist: Possible Issues
• Is verification using different user credentials?
• Log on to the Secure Login Administration Console and check the log information in Instance Log Management. Check if the user authentication is displayed. If this is the case, there may be a problem on the Secure Login Client or Secure Login Web Client.
• Verify whether the authentication mechanism in the instance is correctly configured. Check in Secure Login Administration Console – Instance Management.
  JaasModule = SecureLoginModule<respective_authentication_server_type>
• Start SAP NetWeaver Administrator and verify the connection configuration parameter in Login Module SecureLoginModule<respective_authentication_server_type>.
• Choose the node Certificate Management and verify whether the parameter Mapping to Instance (USER_CA) is enabled (checkbox) for this instance.
• Verify the following parameter in the registry:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<profile_name>]
  enrollURL0 = <URL>
  Check whether the enrollURL is configured for the desired instance. Copy this URL to the browser application and check if a response is displayed (ignore the responses ERROR_ACTION or INTERNAL_SERVER_ERROR). If you are using HTTPS and no response is displayed, there is a problem with the HTTPS connection. Change the URL of the parameter enrollURL to HTTP and check if this works. If this works, the problem may relate to the certificate trust relationship. Import the root certificate on which the SSL server certificate depends and move it to the Microsoft Certificate Store (Computer Certificate Store).
• Restart the Secure Login Server Application. For some configuration issues in Secure Login Administration Console a restart of the Secure Login Server Application is required. Repeat the user authentication in Secure Login Client or Secure Login Web Client.
• Enable the Server Trace in the Secure Login Administration Console (section 6.3 Enable Secure Login Server Trace) and start the diagnostic trace tool in SAP NetWeaver Administrator. Log on to SAP NetWeaver Administrator and choose Problem Management. Choose Logs and Traces and Security Troubleshooting Wizard. Choose the diagnostic type Authentication and start the trace by choosing Start Diagnostics. Repeat the user authentication in Secure Login Client or Secure Login Web Client. Stop the trace by choosing the Stop Diagnostics button, and analyze the results.

6.2 Secure Login Server SNC Problem

For the Secure Login Server to verify SAP user credentials, secure communication to the SAP ABAP server needs to be established. The communication is secured using SNC.

Problem
The Secure Login Server cannot establish an SNC connection to the SAP Server.

Checklist: Possible Issues
• Log on to Secure Login Administration Console and verify the log information in Instance Log Management. Check if the user authentication is displayed. If this is not the case, there may be a problem in the Secure Login Client or Secure Login Web Client.
• Verify whether the authentication mechanism in Instance is configured correctly.
  JaasModule = SecureLoginModuleSAP
• Verify whether the Instance Mapping in Certificate Management is enabled (checkbox) for this instance.
• Start SAP NetWeaver Administrator and verify the connection configuration parameter in Login Module SecureLoginModuleSAP.
• Verify whether Secure Login Library is installed correctly. Verify the installation described in section 2.1 Secure Login Library. Verify whether the folder <ASJava_Installation>\exe, which is used by Secure Login Library, is included in the JAVA Library Path. Verify the JAVA Library Path (libpath) in the trace file <ASJava_Installation>\work\dev_jstart.
• Verify whether an SNC certificate was provided to the Secure Login Library PSE environment. Verify whether the file pse.zip is available in the folder <ASJava_Installation>\sec. Start the command line shell and change to the folder <ASJava_Installation>/exe. Set the environment SECUDIR=<ASJava_Installation>/sec. Use the command:
  snc -O <SAP Service User> status -v
  Microsoft Windows Example: snc -O SAPServiceABC status -v
  Linux Example: snc -O abcadm status -v
• Verify whether a technical user was created on the SAP ABAP server. Verify whether the SNC name is configured correctly. Verify SAP user access rights (authorization profiles).
• Enable Secure Login Library trace and analyze the problem. For more information, see section 6.4 Enable Secure Login Library Trace.

If the error message "Couldn't acquire DEFAULT INITIATING credentials" is displayed, verify whether the environment variable SECUDIR is configured correctly for the user who is starting the SAP server. Verify the installation of Secure Login Library in section 2.1 Secure Login Library.

6.3 Enable Secure Login Server Trace

Choose the Server Configuration node in the left-hand pane of the Administration Console and enable the trace option. Define the value true for the parameter Enable Server Trace and restart the Secure Login Server application. The trace file is written to the Default Trace of SAP NetWeaver. Logon to SAP NetWeaver Administrator and choose Problem Management, Log and Traces and Log Viewer. Choose the option Show View, General and Default Trace (Java).

Secure Login Server can generate a large amount of trace output. For test systems, we recommend that you enable tracing. For production systems, we recommend that you disable tracing since this might result in unnecessary log files and impact performance. Deactivate the Secure Login Server Trace after you have analyzed the problem.

6.4 Enable Secure Login Library Trace

To enable the trace option, the files sec_log_file_filename.txt and sec_log_file_level.txt need to be created in the folder:
Microsoft Windows: %HOMEDRIVE%%HOMEPATH%\sec or C:\sec
Unix/Linux: $HOME/sec or /etc/sec

The file sec_log_file_filename.txt contains the name of the trace file. The name can contain %, which is replaced by the process ID (PID). A typical SAP Web AS creates multiple work processes, so use this feature to avoid parallel access to the same file by all processes.

Microsoft Windows Example
sec_log_file_filename.txt: C:\sec\log-%.txt

Unix/Linux Example
sec_log_file_filename.txt: /etc/sec/log-%.txt

The file sec_log_file_level.txt contains the trace level as a single digit.

Example
sec_log_file_level.txt: 4

Value | Details
0     | No trace
1     | Errors
2     | Errors and warnings
3     | Errors, warnings and logs
4     | Errors, warnings, logs and information

6.5 Secure Login Server Lock and Unlock

Secure Login Server locks itself when it detects a serious problem such as an authentication server failure that affects all clients. To unlock the server or server instance, use the Unlock button in the Secure Login Administration Console or delete the lock file. Secure Login Server uses the following files to lock the server or server instance:

PseServer.lock
This file is used to lock the entire server. The server lock is only applied if the Configuration.properties file cannot be read. The LockDir property in the web.xml file is used to apply the server lock. The PseServer.lock file is written to the following folder:
Microsoft Windows: <INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\Instances
Linux: /usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances
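The two trace control files of section 6.4 are small, but the % placeholder is easy to forget, and without it every work process writes into the same file. The script below is an added example, not code from the SAP guide or from the Secure Login Library: it takes the contents of sec_log_file_filename.txt and sec_log_file_level.txt as strings, expands the name per process ID, validates the level against the table above and reports when several processes would share one file. The file contents and process IDs are constructed.

```python
"""Resolve the Secure Login Library trace settings of section 6.4. Added
example, not code from the SAP guide or the library; it works on the two
files' contents passed in as strings (constructed below), nothing on disk."""

# Trace levels from the table in section 6.4.
TRACE_LEVELS = {
    0: "No trace",
    1: "Errors",
    2: "Errors and warnings",
    3: "Errors, warnings and logs",
    4: "Errors, warnings, logs and information",
}


def trace_file_for_pid(filename_txt, pid):
    """Expand the name pattern for one process: every '%' becomes the PID."""
    pattern = filename_txt.strip()
    if not pattern:
        raise ValueError("sec_log_file_filename.txt is empty")
    return pattern.replace("%", str(pid))


def parse_trace_level(level_txt):
    """Return the trace level as an int, accepting only a single digit 0-4."""
    digit = level_txt.strip()
    if len(digit) != 1 or not digit.isdigit() or int(digit) not in TRACE_LEVELS:
        raise ValueError(f"sec_log_file_level.txt must hold one digit 0-4, got {digit!r}")
    return int(digit)


def plan_trace(filename_txt, level_txt, pids):
    """Work out what a set of work processes would write: one file per PID,
    the level they trace at, and whether the pattern lacks '%' so that all
    processes would contend for a single file."""
    level = parse_trace_level(level_txt)
    files = {pid: trace_file_for_pid(filename_txt, pid) for pid in pids}
    return {
        "level": level,
        "level_name": TRACE_LEVELS[level],
        "enabled": level > 0,
        "files": files,
        "shared_file": len(pids) > 1 and len(set(files.values())) == 1,
    }


# Constructed sample: the Unix example from section 6.4, three work processes.
SAMPLE_FILENAME_TXT = "/etc/sec/log-%.txt\n"
SAMPLE_LEVEL_TXT = "4\n"
SAMPLE_PIDS = [4711, 4712, 4713]

if __name__ == "__main__":
    plan = plan_trace(SAMPLE_FILENAME_TXT, SAMPLE_LEVEL_TXT, SAMPLE_PIDS)
    print(f"level {plan['level']} ({plan['level_name']}), shared file: {plan['shared_file']}")
    for pid, path in plan["files"].items():
        print(f"pid {pid} -> {path}")
```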

PseInstance<instance_number>.lock
If the Configuration.properties file can be read by Secure Login Server and a lock becomes necessary, Secure Login Server creates an instance-based lock. The directory for the instance-based lock is specified by the property LockDir in Configuration.properties. The PseInstance<instance_number>.lock file is written to the folder:
Microsoft Windows: <INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\Instances\<instance_number>\
Linux: /usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances/<instance_number>/

Analyze and solve the problem before deleting the lock file or changing the status in Secure Login Administration Console (use the Unlock button).

6.6 Access Denied Replies

This problem applies only to Microsoft Windows operating systems.

Problem
The Secure Login Server is returning a large amount of Access Denied replies to the Secure Login Client during heavy load.

Explanation
The reason for this behavior is that after a TCP/IP socket has been used for communication, and this connection is closed down after the communication has taken place, the OS "keeps" this socket for some time until it releases it again for its next use. This means that the parameter TcpTimedWaitDelay is set too high and must be changed. For more information, see the following Microsoft page: http://technet2.microsoft.com/windowsServer/en/library/38b8bf76-b7d3-473c84e8-e657c0c619d11033.mspx

Solution
Open regedit and locate the parameter TcpTimedWaitDelay under:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the value for TcpTimedWaitDelay to 30 seconds.

6.7 Internal Server Message

Use Case
You tried to authenticate to an AS Java using a login module stack, but did not succeed. After a number of unsuccessful authentication attempts, an "Internal server message" is displayed.
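Both registry checks in this chapter, the enrollURL values of each client profile (section 6.1) and TcpTimedWaitDelay (section 6.6), can be made from a regedit export collected from the client instead of on the live machine. The script below is an added example, not code from the SAP guide: it parses the text format regedit writes (key headers in brackets, quoted value names, dword:hex values, continuation lines), lists every enrollURL value under HKLM\SOFTWARE\Policies\SAP\SecureLogin\profiles, flags profiles left on plain HTTP after the diagnostic step in 6.1, and compares TcpTimedWaitDelay with the 30 seconds recommended in 6.6. The sample export is constructed and its URLs are placeholders.

```python
r"""Audit a regedit export (.reg) for the enrollURL values of each Secure Login
Client profile under HKLM\SOFTWARE\Policies\SAP\SecureLogin\profiles\<profile_name>
(section 6.1) and TcpTimedWaitDelay under
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (section 6.6).
Added example, not code from the SAP guide; it reads exported text, not the
live registry. The sample export at the bottom is constructed."""
import re
from urllib.parse import urlparse

PROFILES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles"
TCPIP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
RECOMMENDED_TCP_TIMED_WAIT_DELAY = 30  # seconds, the value section 6.6 recommends

_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def _decode(raw):
    """Decode a value as regedit writes it: "string", dword:hex, else raw text."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:, hex(2): etc. are left undecoded

def parse_reg(text):
    """Return {key path (lower case): {"path": as written, "values": {name
    (lower case): value}}}. Registry names are case-insensitive."""
    reg, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):  # hex values continue on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            if m.group(1) == "-":  # [-KEY] deletes the key; nothing to record
                current = None
                continue
            path = m.group(2)
            if path[:5].upper() == "HKLM\\":  # accept the short form as well
                path = "HKEY_LOCAL_MACHINE" + path[4:]
            current = path.lower()
            reg.setdefault(current, {"path": path, "values": {}})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None and m.group(2).strip() != "-":
            name = _unescape(m.group(1)) if m.group(1) is not None else ""
            reg[current]["values"][name.lower()] = _decode(m.group(2))
    return reg

def enroll_urls(reg):
    """(profile, value name, url) for every enrollURL* value under the profiles key."""
    prefix = PROFILES_KEY.lower() + "\\"
    found = []
    for key, entry in sorted(reg.items()):
        if key.startswith(prefix):
            for name, value in sorted(entry["values"].items()):
                if name.startswith("enrollurl") and isinstance(value, str):
                    found.append((entry["path"][len(prefix):], name, value))
    return found

def findings(reg_text):
    """Run both checks over an export and return human-readable findings."""
    reg = parse_reg(reg_text)
    out = []
    urls = enroll_urls(reg)
    if not urls:
        out.append(f"no enrollURL configured under {PROFILES_KEY}")
    for profile, name, url in urls:
        scheme = urlparse(url).scheme.lower()
        if scheme == "http":
            out.append(f"profile {profile}: {name} uses plain HTTP; section 6.1 uses HTTP "
                       "only as a test for HTTPS trust problems, so restore HTTPS")
        elif scheme != "https":
            out.append(f"profile {profile}: {name} is not an http(s) URL: {url!r}")
    delay = reg.get(TCPIP_KEY.lower(), {}).get("values", {}).get("tcptimedwaitdelay")
    if delay is None:
        out.append(f"TcpTimedWaitDelay is not set; the OS default applies "
                   f"(section 6.6 recommends {RECOMMENDED_TCP_TIMED_WAIT_DELAY} seconds)")
    elif not isinstance(delay, int):
        out.append(f"TcpTimedWaitDelay is not a DWORD: {delay!r}")
    elif delay > RECOMMENDED_TCP_TIMED_WAIT_DELAY:
        out.append(f"TcpTimedWaitDelay is {delay} seconds; section 6.6 recommends "
                   f"{RECOMMENDED_TCP_TIMED_WAIT_DELAY}")
    return out

# Constructed sample: one HTTPS profile, one left on HTTP after a test, and
# TcpTimedWaitDelay = 0xf0 = 240 seconds. The URLs are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\Example_LDAP]
"enrollURL0"="https://sls.example.invalid/ENROLL_PATH_PLACEHOLDER"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\Example_RADIUS]
"enrollURL0"="http://sls.example.invalid/ENROLL_PATH_PLACEHOLDER"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpTimedWaitDelay"=dword:000000f0
"""

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_REG)))
```

Feed it the output of exporting the two keys with regedit (File > Export) from the affected client; the parser lower-cases key paths and value names because the registry itself is case-insensitive.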

see 4. make sure that its CA certificate is imported into Trust store of Secure Login Server. Secure Login Server SAP user does not have required permissions. N/A (result only) NEW_PIN_REPLY_ REJECTED_MSG A new PIN/password is required N/A (result only) AUTH_SERVER_ TIMEOUT_MSG If the login module cannot establish a connection to the authentication server a timeout error will be set. N/A (result only) AUTH_RESULT_ ACTION_DENIED_ MSG Authentication denied. Possible reasons for this error may be one of the following: 166 Unable to establish an SNC connection to the SAP server: Secure Login Server SAP user is not properly configured. If using LDAPS. Faulty SNC configuration for the Secure Login Server.8. AUTH_RESULT_ ACTION_OK_MSG Authentication successful. Verify configuration of Login Module for LDAP. 6.14 Setting Failover Timeouts of the Login Modules and Internet Communication Manager (ICM) in the SAP Library under Administration of the Internet Communication Manager > Additional Profile Parameters > icm/conn_timeout. Check if the RADIUS server is up and running. 06/2011 .6 Troubleshooting A reason for this error could be an ICM timeout error. JAAS_RADIUS_ ERROR Authentication fails due to configuration errors of the login module for RADIUS or timing problems on the network.1 Secure Login Server Error Codes Error Code Description Solution JAAS_LDAP_ ERROR Authentication fails due to configuration errors of the login module for LDAP or timing problems on the network. their meaning and possible corrections.8 Error Codes This chapter describes the error codes and return codes. N/A (result only) NEW_PIN_REPLY_ ACCEPTED_MSG The new PIN/password was accepted. 6. For more information. Verify configuration of Login Module for LDAP.

AUTH_RESULT_ACTION_DENIED_MSG (continued) | Timeout in the network connection. Authentication server is down. | N/A (result only)
PSE_INIT_ERROR | May be caused when initializing the servlets. This is usually the case when the Secure Login Server configuration could not be read, either because the configuration URL is not set in the configuration file of the servlet engine or the file could not be found under the specified URL. | Make sure the URL is set correctly to the Configuration.properties file. Make sure that the configuration file Configuration.properties contains all mandatory entries.
CERT_INIT_ERROR | An error occurred while accessing the resources needed for this process, that is, the PSE used, password, and aliases for the specific PSE. | Make sure that the configuration file Configuration.properties contains the correct name. Verify parameter PseName in Instance Management. Verify certificate in Certificate Management.
CERT_CREATE_ERROR | An error occurred while trying to create a new certificate. | Verify parameter PseName in Instance Management. Verify certificate in Certificate Management.
PSE_SERVER_ERROR | An error occurred with the PSE Server. | Verify parameter PseName in Instance Management. Verify certificate in Certificate Management.
PSE_ADMIN_ERROR | An error occurred inside the PSE admin Server. | Verify parameter PseName in Instance Management. Verify certificate in Certificate Management.
PSE_HANDLING_ERROR | An error occurred while handling a client request. |
PSE_CREATE_ERROR | This code can indicate a problem while creating an outgoing message. |
PSE_IO_ERROR | Occurs when the servlet cannot send its response to the client due to network problems. | Make sure the network is configured correctly and running.
PSE_ARCHIVE_ERROR | This code may be due to insufficient disk space when writing/creating the log file, or no write access and so on. | Make sure the application has the access rights to write to, or create, the specified log directory, and that there is enough disk space.
PSE_SERVER_TIMEOUT | The client session timed out. | Check in the login module configuration that the timeout value is high enough.

6.8.2 SAP Stacktrace Error Codes

Runtime Error Code | Description
CALL_BACK_ENTRY_NOT_FOUND | The called function module is not released for RFC.
CALL_FUNCTION_DEST_TYPE | The type of the destination is not allowed.
CALL_FUNCTION_DESTINATION_NO_T | Missing communication type (I for internal connection, 3 for ABAP) when executing an asynchronous RFC.
CALL_FUNCTION_NO_DEST | The specified destination does not exist.
CALL_FUNCTION_NO_LB_DEST | The specified destination (in load distribution mode) does not exist.
CALL_FUNCTION_NO_RECEIVER | Data received for unknown CPI-C connection.
CALL_FUNCTION_NO_SENDER | Current function is not called remotely.
CALL_FUNCTION_NOT_REMOTE | The function module being called is not flagged as being "remotely" callable.
CALL_FUNCTION_OPTION_OVERFLOW | Maximum length of options for the destination exceeded.
CALL_FUNCTION_REMOTE_ERROR | While executing an RFC, an error occurred that has been logged in the calling system.
CALL_FUNCTION_SIGNON_INCOMPL | Logon data for the user is incomplete.
CALL_FUNCTION_SIGNON_INTRUDER | Logon attempt in the form of an internal call in a target system not allowed.
CALL_FUNCTION_SIGNON_INVALID | RFC from external program without valid user ID.
CALL_FUNCTION_SIGNON_REJECTED | Logon attempt in target system without valid user ID. This error code may have any of the following meanings: incorrect password or invalid user ID; user locked; too many logon attempts; error in authorization buffer (internal error); no external user check; validity period of the user exceeded; invalid user type.
CALL_FUNCTION_SINGLE_LOGIN_REJ | No authorization to log on as a trusted system. The error code may have any of the following meanings:

  - Incorrect logon data for valid security ID.
  - Calling system is not a trusted system or security ID is invalid.
  - Either the user does not have RFC authorization (authorization object S_RFCACL), or a logon was performed using one of the protected users DDIC or SAP*.
  - Time stamp of the logon data is invalid.
CALL_FUNCTION_SYSCALL_ONLY | RFC without valid user ID only allowed when calling a system function module.
CALL_FUNCTION_TABINFO | Data error (info internal table) during an RFC.
CALL_FUNCTION_TABLE_NO_MEMORY | No memory available for table being imported.
CALL_FUNCTION_TASK_IN_USE | For asynchronous RFC only: task name is already being used.
CALL_FUNCTION_TASK_YET_OPEN | For asynchronous RFC only: the specified task is already open.
CALL_FUNCTION_UC_STRUCT | Type conflict while transferring structure.
CALL_FUNCTION_WRONG_VALUE_LENG | Invalid data type while transferring parameters.
CALL_FUNCTION_BACK_REJECTED | Destination "BACK" is not permitted in current program.
CALL_XMLRFC_BACK_REJECTED | Destination "BACK" is not permitted in current program.
CALL_FUNCTION_CONFLICT_TAB_TYP | Type conflict while transferring table.
CALL_FUNCTION_CREATE_TABLE | No memory available for creating a local internal table.
CALL_FUNCTION_DEEP_MISMATCH | Type conflict while transferring structure.
CALL_FUNCTION_DEST_SCAN | Error while evaluating RFC destination.
CALL_FUNCTION_NO_AUTH | No RFC authorization.
CALL_FUNCTION_PARAMETER_TYPE | Invalid data type while transferring parameters.
CALL_RPERF_SLOGIN_AUTH_ERROR | No trusted authorization for RFC caller and trusted system. The meaning of the error codes is the same as for CALL_FUNCTION_SINGLE_LOGIN_REJ.
CALL_RPERF_SLOGIN_READ_ERROR | No valid trusted entry for the calling system.
RFC_NO_AUTHORITY | No RFC authorization for user.
CALL_FUNCTION_ILLEGAL_DATA_TYP | Invalid data type while transferring parameters.

6 Troubleshooting parameters. CALL_FUNCTION_ILLEGAL_INT_LEN Type conflict while transferring an integer. CALL_FUNCTION_ILLEGAL_LEAVE Invalid LEAVE statement on RFC Server. CALL_FUNCTION_OBJECT_SIZE Type conflict while transferring a reference. CALL_FUNCTION_ILL_FLOAT_FORMAT Type conflict while transferring a floating point number. CALL_FUNCTION_ILL_FLOAT_LENG Type conflict while transferring a floating point number. CALL_FUNCTION_ROT_REGISTER Type conflict while transferring a reference. 170 06/2011 . CALL_FUNCTION_ILL_INT2_LENG Type conflict while transferring an integer.
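The codes in the table fall into a few groups that matter differently to an operator: rejected or invalid logons, missing RFC authorizations, destination configuration problems, and plain runtime type or memory errors. The following Python script is an added example (not code from the SAP guide) that sorts log entries into those groups and flags a user/destination pair that accumulates repeated logon failures. The log line format, the user and destination names, and the grouping of codes are all constructed for this example; real RFC traces look different.

```python
"""Triage of SAP RFC runtime error codes found in log lines.

Added example, not code from the SAP guide. The error-code names and their
meanings are the ones in the table above; the log line format below is a
constructed one for this example (real dev_rfc / work-process traces differ),
and the category sets are this example's own grouping of the table.
"""
import re
from collections import Counter, defaultdict

# Codes that report a rejected, invalid or incomplete logon, or a refused
# trusted-system logon: repeated occurrences for one user/destination pair
# are worth an analyst's look.
AUTHENTICATION = {
    "CALL_FUNCTION_SIGNON_REJECTED",
    "CALL_FUNCTION_SIGNON_INVALID",
    "CALL_FUNCTION_SIGNON_INTRUDER",
    "CALL_FUNCTION_SIGNON_INCOMPL",
    "CALL_FUNCTION_SINGLE_LOGIN_REJ",
    "CALL_RPERF_SLOGIN_AUTH_ERROR",
    "CALL_RPERF_SLOGIN_READ_ERROR",
}
# Logon worked but the RFC authorization is missing.
AUTHORIZATION = {"RFC_NO_AUTHORITY", "CALL_FUNCTION_NO_AUTH", "CALL_FUNCTION_SYSCALL_ONLY"}
# Destination configuration problems (usually an operations issue).
DESTINATION = {
    "CALL_FUNCTION_NO_DEST", "CALL_FUNCTION_NO_LB_DEST", "CALL_FUNCTION_DEST_TYPE",
    "CALL_FUNCTION_DEST_SCAN", "CALL_FUNCTION_DESTINATION_NO_T",
    "CALL_FUNCTION_NOT_REMOTE", "CALL_BACK_ENTRY_NOT_FOUND",
}
# Remaining table entries: type conflicts, memory, async task state, BACK/LEAVE misuse.
RUNTIME_PREFIXES = ("CALL_FUNCTION_", "CALL_XMLRFC_")

# Constructed line format: "<timestamp> user=<user> dest=<destination> code=<error code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+dest=(?P<dest>\S+)\s+code=(?P<code>[A-Z0-9_]+)\s*$"
)


def classify(code):
    """Map one runtime error code to a triage category."""
    if code in AUTHENTICATION:
        return "authentication"
    if code in AUTHORIZATION:
        return "authorization"
    if code in DESTINATION:
        return "destination"
    if code.startswith(RUNTIME_PREFIXES):
        return "runtime"
    return "unknown"


def parse_line(line):
    """Return (timestamp, user, dest, code) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("user"), m.group("dest"), m.group("code")


def triage(log_text, threshold=3):
    """Count codes per category; flag (user, dest) pairs with >= threshold logon failures."""
    counts = Counter()
    auth_failures = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            counts["unparsed"] += 1
            continue
        _, user, dest, code = parsed
        category = classify(code)
        counts[category] += 1
        if category == "authentication":
            auth_failures[(user, dest)] += 1
    alerts = sorted(
        (user, dest, n) for (user, dest), n in auth_failures.items() if n >= threshold
    )
    return {"counts": dict(counts), "alerts": alerts}


# CONSTRUCTED sample log: format, users, destinations and timestamps are invented.
SAMPLE_LOG = """\
2011-06-14T10:02:11 user=RFCUSER dest=SLS_RFC code=CALL_FUNCTION_SIGNON_REJECTED
2011-06-14T10:02:13 user=RFCUSER dest=SLS_RFC code=CALL_FUNCTION_SIGNON_REJECTED
2011-06-14T10:02:15 user=RFCUSER dest=SLS_RFC code=CALL_FUNCTION_SIGNON_REJECTED
2011-06-14T10:05:40 user=BATCH01 dest=SLS_RFC code=CALL_FUNCTION_ILL_FLOAT_LENG
2011-06-14T10:07:02 user=ADMIN dest=TRUST_ERP code=CALL_FUNCTION_SINGLE_LOGIN_REJ
2011-06-14T10:09:30 user=BATCH01 dest=OLD_DEST code=CALL_FUNCTION_NO_DEST
2011-06-14T10:11:00 user=BATCH01 dest=SLS_RFC code=RFC_NO_AUTHORITY
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The threshold is deliberately a parameter: three rejected logons from one user against one destination within minutes is what the sample shows, but the right value depends on how noisy the landscape's batch jobs are.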

7 List of Abbreviations

Abbreviation: Meaning

ADS: Active Directory Service
CA: Certification Authority
CAPI: Microsoft Crypto API
CSP: Cryptographic Service Provider
DN: Distinguished Name
EAR: Enterprise Application Archive
HTTP: Hyper Text Transport Protocol
HTTPS: Hyper Text Transport Protocol with Secure Socket Layer (SSL)
IAS: Internet Authentication Service (Microsoft Windows Server 2003)
JAAS: Java Authentication and Authorization Service
JSPM: Java Support Package Manager
LDAP: Lightweight Directory Access Protocol
NPA: Network Policy and Access Services (Microsoft Windows Server 2008)
PIN: Personal Identification Number
PKCS: Public Key Cryptography Standards
PKCS#10: Certification Request Standard
PKCS#11: Cryptographic Token Interface Standard
PKCS#12: Personal Information Exchange Syntax Standard
PKI: Public Key Infrastructure
PSE: Personal Security Environment
RADIUS: Remote Authentication Dial-In User Service
RFC: Remote function call (SAP NetWeaver term)
RSA: Rivest, Shamir and Adleman
SAR: SAP Archive
SCA: Software Component Archive
SLAC: Secure Login Administration Console
SLC: Secure Login Client
SLL: Secure Login Library
SLS: Secure Login Server
SLWC: Secure Login Web Client
SNC: Secure Network Communication (SAP term)
SSL: Secure Socket Layer
UPN: User Principal Name
WAR: Web Archive
WAS: Web Application Server

8 Glossary

Authentication
A process that checks whether a person is really who they are. In a multi-user or network system, authentication means the validation of a user's logon information. A user's name and password are compared against an authorized list.

Base64 encoding
The Base64 encoding is a three-byte to four-characters encoding based on an alphabet of 64 characters. This encoding has been introduced in PEM (RFC1421) and MIME. Other uses include HTTP Basic Authentication Headers and general binary-to-text encoding applications. Note: Base64 encoding expands binary data by 33%, which is quite efficient.

CAPI
See Cryptographic Application Programming Interface.

Certificate
A digital identity card. The most common certificate standard is the ITU-T X.509. A certificate typically includes:
- The public key being signed.
- A name which can refer to a person, a computer, or an organization.
- A validity period.
- The location (URL) of a revocation center.
- The digital signature of the certificate produced by the private key of the CA.

Certificate Store
Sets of security certificates belonging to user tokens or certification authorities.

Certification Authority (CA)
An entity which issues and verifies digital certificates for use by other parties.

CREDDIR
A directory on the Server in which information is placed that goes beyond the PSE (personal security environment).

Credentials
Used to establish the identity of a party in communication. Usually they take the form of machine-readable cryptographic keys and/or passwords. Cryptographic credentials may be self-issued, or issued by a trusted third party; in many cases the only criterion for issuance is unambiguous association of the credential with a specific, real individual or other entity. Cryptographic credentials are often designed to expire after a certain period, although this is not mandatory. Credentials have a defined time to live (TTL) that is configured by a policy and managed by a Client service process.

Cryptographic Application Programming Interface (CAPI)
The Cryptographic Application Programming Interface (also known variously as CryptoAPI, Microsoft Cryptography API, or simply CAPI) is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography. It is a set of dynamically-linked libraries that provides an abstraction layer which isolates programmers from the code used to encrypt the data.

Cryptographic Token Interface Standard
A standardized crypto-interface for devices that contain cryptographic information or that perform cryptographic functions.

Directory Service
Provides information in a structured format, similar to a telephone book (e.g. an X.500 or LDAP directory).

Distinguished Name (DN)
A name pattern that is used to create a globally unique identifier for a person. Distinguished Names are defined in the ISO/ITU X.500 standard. Within a PKI: Contains information about the public key of the user of the security infrastructure. All PKI users require a unique name. This name ensures that a certificate is never created for different people with the same name. The uniqueness of the certificate is additionally ensured by the name of the issuer of the certificate (that is, the Certification Authority) and the serial number.

Key Usage
Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For example, if you have a key used only for signing, enable the digital signature and/or non-repudiation extensions. Alternatively, if a key is used only for key management, enable key encipherment.

Key Usage (extended)
Extended key usage further refines key usage extensions. An extended key is either critical or non-critical. If the extension is critical, the certificate must be used only for the indicated purpose or purposes. If the certificate is used for another purpose, it is in violation of the CA's policy. If the extension is non-critical, it indicates the intended purpose or purposes of the key and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. The extension is then only an informational field and does not imply that the CA restricts use of the key to the purpose indicated. Nevertheless, applications that use certificates may require that a particular purpose be indicated in order for the certificate to be acceptable.
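To make the critical/non-critical distinction concrete, the following Python script is an added example (not code from the SAP guide) that hand-parses the DER encoding of an X.509 keyUsage extension and applies the rule described above: a critical extension forbids any purpose it does not list, a non-critical one only indicates purposes but an application may still insist on them. The two extension values are constructed for this example (one critical signing-only key, one non-critical key-management key); the bit names are the standard ones for the keyUsage extension (RFC 5280).

```python
"""Reading the X.509 keyUsage extension: critical flag and named bits.

Added example, not code from the SAP guide. It hand-parses the DER encoding of
a keyUsage extension (OID 2.5.29.15) so that the "critical" versus
"non-critical" distinction can be seen in bytes. The two extension values
below are constructed for this example.
"""

KEY_USAGE_OID = bytes.fromhex("551d0f")   # 2.5.29.15, id-ce-keyUsage

# Named bits of the keyUsage BIT STRING, in bit order (RFC 5280 section 4.2.1.3).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def _read_tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    start = pos + 2
    if length & 0x80:                      # long-form length: low bits give byte count
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, buf[start:start + length], start + length


def parse_key_usage_extension(der):
    """Parse Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING } where extnValue wraps a KeyUsage BIT STRING."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extension must be a SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or oid != KEY_USAGE_OID:
        raise ValueError("not a keyUsage extension")
    critical = False
    tag, value, pos = _read_tlv(body, pos)
    if tag == 0x01:                        # optional BOOLEAN; absent means FALSE
        critical = value == b"\xff"
        tag, value, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, bitstring, _ = _read_tlv(value, 0)
    if tag != 0x03:
        raise ValueError("keyUsage must be a BIT STRING")
    unused, data = bitstring[0], bitstring[1:]   # first byte = number of unused trailing bits
    nbits = len(data) * 8 - unused
    usages = [
        KEY_USAGE_BITS[i] for i in range(min(nbits, len(KEY_USAGE_BITS)))
        if (data[i // 8] >> (7 - i % 8)) & 1   # bit 0 is the most significant bit
    ]
    return {"critical": critical, "usages": usages}


def check_purpose(ext, purpose):
    """Glossary rule: a critical extension forbids purposes it does not list; a
    non-critical one is informational, though an application may still require it."""
    if purpose in ext["usages"]:
        return "allowed"
    return "violates-ca-policy" if ext["critical"] else "not-indicated"


# CONSTRUCTED: critical keyUsage with digitalSignature + nonRepudiation (signing-only key)
SIGNING_KEY_EXT = bytes.fromhex("300e0603551d0f0101ff0404030206c0")
# CONSTRUCTED: non-critical keyUsage with keyEncipherment only (key-management key)
KEY_MGMT_EXT = bytes.fromhex("300b0603551d0f040403020520")

if __name__ == "__main__":
    for name, blob in (("signing key", SIGNING_KEY_EXT), ("key management key", KEY_MGMT_EXT)):
        ext = parse_key_usage_extension(blob)
        print(name, ext, "keyEncipherment:", check_purpose(ext, "keyEncipherment"))
```

Using the critical signing-only extension for key encipherment returns "violates-ca-policy", while the same request against the non-critical key-management extension only yields "not-indicated"; whether that second case is accepted is the relying application's decision, as the glossary entry says.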

Lightweight Directory Access Protocol (LDAP)
A network protocol designed to extract information such as names and e-mail addresses from a hierarchical directory such as X.500.

Login Module Stack (Authentication Stack)
List of login modules containing authentication logic that is assigned to a component. When a user is authenticated on the J2EE Engine, the server sequentially processes the login module stack that applies to the component that the user accesses. It is possible to assign different login module stacks to different components, thus enabling pluggable authentication.

PEM
See Privacy Enhanced Mail.

Personal Identification Number (PIN)
A unique code number assigned to the authorized user.

Personal Information Exchange Syntax Standard
Specifies a portable format for saving or transporting a user's private keys, certificates, and other secret information.

Personal Security Environment
The PSE is a personal security area that every user requires to work with. A PSE contains security-related information. This includes the certificate and its secret private key. The PSE can be either an encrypted file or a Smart Card and is protected with a password.

PIN
See Personal Identification Number.

PKCS#11
"PKCS" refers to a group of Public Key Cryptography Standards devised and published by RSA Security. "PKCS#11" is an API defining a generic interface to cryptographic tokens.

Privacy-Enhanced Mail (PEM)
The first known use of Base64 encoding for electronic data transfer was the Privacy-enhanced Electronic Mail (PEM) protocol, proposed by RFC 989 in 1987. PEM defines a "printable encoding" scheme that uses Base64 encoding to transform an arbitrary sequence of octets to a format that can be expressed in short lines of 7-bit characters, as required by transfer protocols such as SMTP. The current version of PEM (specified in RFC 1421) uses a 64-character alphabet consisting of upper- and lower-case Roman alphabet characters (A–Z, a–z), the numerals (0–9), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code. The original specification additionally used the "*" symbol to delimit encoded but unencrypted data within the output stream.
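The "Base64 encoding" and "Privacy-Enhanced Mail (PEM)" entries together describe the whole printable encoding: three bytes become four characters from the 64-character alphabet, "=" pads a short final group, and the result is folded into short lines of 7-bit characters. The following Python script is an added example (not code from the SAP guide) that implements exactly that, rejects malformed input, checks itself against the standard library, and measures the 33% expansion the glossary mentions. The sample inputs are constructed.

```python
"""Base64 as PEM uses it: 3 bytes in, 4 characters out, "=" as padding suffix.

Added example, not code from the SAP guide. It implements the encoding the
glossary describes (RFC 1421 alphabet A-Z, a-z, 0-9, "+", "/") and checks
itself against Python's base64 module; the sample inputs are constructed.
"""
import base64

ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")
PAD = "="
_LOOKUP = {c: i for i, c in enumerate(ALPHABET)}


def b64_encode(data):
    """Each 3-byte group (24 bits) becomes four 6-bit indexes into ALPHABET."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        bits = int.from_bytes(chunk.ljust(3, b"\x00"), "big")   # zero-fill a short tail
        chars = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1        # 1 byte -> 2 chars, 2 bytes -> 3 chars, 3 bytes -> 4
        out.append("".join(chars[:keep]) + PAD * (4 - keep))
    return "".join(out)


def b64_decode(text):
    """Inverse mapping; rejects foreign characters, bad length and bad padding."""
    if len(text) % 4:
        raise ValueError("length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count(PAD)
        # "=" may only appear as the trailing suffix of the final group
        if pad > 2 or quad[:4 - pad].count(PAD) or (pad and i + 4 != len(text)):
            raise ValueError("invalid padding in %r" % quad)
        bits = 0
        for c in quad[:4 - pad]:
            if c not in _LOOKUP:
                raise ValueError("character %r not in Base64 alphabet" % c)
            bits = (bits << 6) | _LOOKUP[c]
        bits <<= 6 * pad                   # restore the sextets the padding stands for
        out.extend(bits.to_bytes(3, "big")[:3 - pad])
    return bytes(out)


def is_valid_b64(text):
    """True if text decodes cleanly under the strict rules above."""
    try:
        b64_decode(text)
        return True
    except ValueError:
        return False


def matches_stdlib(data):
    """Round-trip check of this implementation against the standard library."""
    enc = b64_encode(data)
    return enc == base64.b64encode(data).decode("ascii") and b64_decode(enc) == data


def expansion_ratio(data):
    """Encoded length / raw length: approaches 4/3, the 33% growth the glossary mentions."""
    return len(b64_encode(data)) / len(data) if data else 0.0


def pem_lines(encoded, width=64):
    """Fold the encoded text into the short lines of 7-bit characters PEM requires."""
    return [encoded[i:i + width] for i in range(0, len(encoded), width)]


if __name__ == "__main__":
    sample = b"Secure Login Server"      # constructed sample input
    print(b64_encode(sample), expansion_ratio(sample))
```

The decoder is stricter than many library decoders on purpose: padding in the middle of the stream or a character outside the alphabet is rejected rather than silently skipped, which is the behaviour you want wherever Base64 carries credentials or certificates.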

Public FSD
Public file system device. An external storage device that uses the same file system as the operating system.

Public Key Cryptography Standards
A collection of standards published by RSA Security Inc.

Public Key Infrastructure
Comprises the hardware, software, people, guidelines, and methods that are involved in creating, distributing, administering, saving, and revoking certificates based on asymmetric cryptography. Is often structured hierarchically, with a root certificate at the top. In X.509 PKI systems, the hierarchy of certificates is always a top-down tree. There can be any amount of CAs between a user certificate and the root Certification Authority. To check foreign certificates, a user requires the certificate path as well as the root certificate.

Root Certification Authority
The highest Certification Authority in a PKI, representing a CA that does not need to be authenticated by a trusted third party. Its certificate is signed with a private key. All users of the PKI must trust it.

Root certificate
The certificate of the root CA.

RSA
An asymmetric, cryptographic procedure, developed by Rivest, Shamir, and Adleman in 1977. It is the most widely-used algorithm for encryption and authentication. Security depends on the length of the key: key lengths of 1024 bits or higher are regarded as secure.

Secure Network Communications
A module in the SAP NetWeaver system that deals with the communication with external cryptographic libraries. The library is addressed using GSS API functions and provides NetWeaver components with access to the security functions. Ensures the authorization of communication partners and the confidentiality, integrity, and authenticity of transferred data.

Secure Sockets Layer
A protocol developed by Netscape Communications for setting up secure connections over insecure channels, for the secure exchange of information over the Internet. Is used in many common browsers and mail tools.

Single Sign-On
A system that administrates authentication information allowing a user to logon to systems and open programs without the need to enter authentication every time (automatic authentication).

Token
A security token (or sometimes a hardware token, authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens. Tokens provide access to a private key that allows performing cryptographic operations. The private key may be persistent (like a PSE file, Smart Card, and CAPI container) or non-persistent (like temporary keys provided by Secure Login). Smart-card-based USB tokens (which contain a Smart Card chip inside) provide the functionality of both USB tokens and Smart Cards. They enable a broad range of security solutions and provide the abilities and security of a traditional Smart Card without requiring a unique input device (Smart Card reader). From the computer operating system's point of view such a token is a USB-connected Smart Card reader with one non-removable Smart Card present.

Microsoft Windows Credentials
A unique set of information authorizing the user to access the Microsoft Windows operating system on a computer. The credentials usually comprise a user name, a password, and a domain name (optional).

X.500
A standardized format for a tree-structured directory service.

X.509
A standardized format for certificates and blocking list.