Installation, Configuration and Administration Guide

SAP NetWeaver Single-Sign-On SP2


Secure Login Server

PUBLIC
Document Version: 1.2 December 2011

SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com

Copyright 2011 SAP AG. All rights reserved.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer
Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.
Any Java Source Code delivered with this product is only to be used by SAPs Support Services and may not be modified or altered in any way.

Terms for Included Open Source Software
This SAP software contains also the third party open source software products listed below. Please note that for these third party products the following special terms and conditions shall apply.

Prototype JavaScript Framework http://www.prototypejs.org/
Copyright (c) 2005-2010 Sam Stephenson
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

stringutils http://sourceforge.net/projects/stringutils/
Copyright (c) 2006 Andrea S. Gozzi, Valerio Romeo
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

opencsv 1.7.1 http://opencsv.sourceforge.net/
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

Typographic Conventions

Type Style: Description

Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also used for cross-references to other documentation.

Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon: Meaning
The icons used in this document mark the following kinds of information: Caution, Example, Note, Recommendation, Syntax.

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help, General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Contents
1 What is Secure Login? ....................................................................... 9
1.1 System Overview .................................................................................. 10
1.2 System Overview with Security Token ............................................... 11
1.3 System Overview with Secure Login Server ...................................... 14
1.4 Instances ............................................................................................... 16
1.5 PKI Structure ........................................................................................ 17
1.6 Secure Communication ....................................................................... 18
1.7 Policy Server Overview ........................................................................ 19
1.8 Secure Login Web Client ..................................................................... 20
1.8.1 Export Restrictions ........................................................................... 20

2 Secure Login Server Installation ..................................................... 21


2.1 Prerequisites ........................................................................................ 21
2.1.1 Secure Login Library ................................................................................................... 22

2.2 Secure Login Server Installation with Telnet ..................................... 26


2.3 Secure Login Server Installation with JSPM ...................................... 27
2.4 Secure Login Server Uninstallation .................................................... 30
2.5 Updating the Secure Login Server to SP2 ......................................... 30
2.6 Initial Configuration Wizard ................................................................. 31
2.6.1 Initial Configuration ..................................................................................................... 31
2.6.2 Enable Remote Access for Initial Wizard.................................................................... 47
2.6.3 Configure SSH Tunnel ................................................................................................ 48

3 Administration ................................................................................... 49
3.1 Logon to Administration Console....................................................... 49
3.2 Welcome Page ...................................................................................... 50
3.2.1 Change Password....................................................................................................... 51

3.3 Server Configuration............................................................................ 52


3.3.1 Edit Server Configuration ............................................................................................ 54
3.3.2 Edit Login Type Setting ............................................................................................... 55
3.3.3 Certificate Management .............................................................................................. 56
3.3.4 Trust Store Management ............................................................................................ 68
3.3.5 Certificate Template .................................................................................................... 69
3.3.6 System Check ............................................................................................................. 76
3.3.7 Message Settings ....................................................................................................... 77
3.3.8 SNC Configuration ...................................................................................................... 81
3.3.9 Server Status .............................................................................................................. 82
3.3.10 Sign Certificate Requests ......................................................................................... 83
3.3.11 Console Log Viewer .................................................................................................. 85
3.3.12 Web Client Configuration .......................................................................................... 87

3.4 Instance Management .......................................................................... 92


3.4.1 DefaultServer Configuration ....................................................................................... 92
3.4.2 Create a New Instance ............................................................................................. 115

3.5 Console Users .................................................................................... 120


3.5.1 User Management .................................................................................................... 120
3.5.2 Role Management..................................................................................................... 123
3.5.3 Locked Files Management ........................................................................................ 124

4 Other Configurations ...................................................................... 125


4.1 Configure Login Module .................................................................... 125


4.2 Verify Authentication Server Configuration ..................................... 131
4.3 Create Technical User in SAP Server ............................................... 133
4.4 Mozilla Firefox Support ...................................................................... 133
4.4.1 Install Firefox Extension ............................................................................................ 133
4.4.2 Uninstall Mozilla Firefox Extension ........................................................................... 134

4.5 Customize Secure Login Web Client ................................................ 135


4.6 Configure SSL Certificate Logon ...................................................... 135
4.7 Configure External Login ID .............................................................. 136
4.8 Emergency Recovery Tool ................................................................ 136
4.9 Monitoring ........................................................................................... 139
4.9.1 Web Service Status .................................................................................................. 139
4.9.2 XML Interface ............................................................................................................ 139

4.10 Secure Login Client Policy and Profiles ......................................... 141


4.10.1 Client Policy ............................................................................................................ 141
4.10.2 Applications and Profiles ........................................................................................ 142

4.11 Integrate into Existing PKI ............................................................... 146


4.12 Configuring Secure Login Servers as Failover Servers for High
Availability ................................................................................................ 147
4.13 Configuring Login Module Stacks as Failover Servers in SAP
NetWeaver ................................................................................................. 149
4.13.1 Configuration of SAP NetWeaver AS Java ............................................................. 150
4.13.2 Configuration of the Secure Login Server .............................................................. 151

4.14 Setting Failover Timeouts of the Login Modules ........................... 152


4.15 Custom Use of Login Module with Login Module Stacks ............. 152

5 Configuration Examples ................................................................. 154


5.1 Kerberos Authentication with SPNego ............................................. 154
5.2 LDAP User Authentication ................................................................ 155
5.3 SAP User Authentication ................................................................... 156
5.4 RADIUS User Authentication............................................................. 157
5.5 Configuring RSA Authentication with RADIUS................................ 158
5.5.1 Configuration of the securid.ini File .......................................................................... 158
5.5.2 Customer-Specific Configuration of the securid.ini File ............................................ 159
5.5.3 Ensuring Encrypted Communication with Shared Secret ......................................... 160

6 Troubleshooting .............................................................................. 161


6.1 Checklist User Authentication Problem ........................................... 161
6.2 Secure Login Server SNC Problem ................................................... 162
6.3 Enable Secure Login Server Trace ................................................... 163
6.4 Enable Secure Login Library Trace .................................................. 163
6.5 Secure Login Server Lock and Unlock ............................................. 164
6.6 Access Denied Replies ...................................................................... 165
6.7 Internal Server Message .................................................................... 165
6.8 Error Codes ........................................................................................ 166
6.8.1 Secure Login Server Error Codes ............................................................................. 166
6.8.2 SAP Stacktrace Error Codes .................................................................................... 168

7 List of Abbreviations ...................................................................... 171


8 Glossary ........................................................................................... 173

1 What is Secure Login?


Secure Login is an innovative software solution created specifically to improve user and IT
productivity and to protect business-critical data in SAP business solutions through secure
Single Sign-On to the SAP environment.
Secure Login provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components, for example:
- SAP GUI and SAP NetWeaver platform with Secure Network Communications (SNC)
- Web GUI and SAP NetWeaver platform with Secure Sockets Layer (SSL/HTTPS)
- Third-party application servers supporting X.509 certificates
In a default SAP setup, users enter their SAP user name and password into the SAP GUI logon screen. SAP user names and passwords are transferred through the network without encryption.
To secure networks, SAP provides a Secure Network Communications interface (SNC) that enables users to log on to SAP systems without entering a user name or password. The SNC interface can also direct calls through the Secure Login Library to encrypt all communication between the SAP GUI and the SAP server, thus providing secure single sign-on to SAP.
Secure Login allows you to benefit from the advantages of SNC without being forced to set up a Public Key Infrastructure (PKI). Secure Login allows users to authenticate with one of the following authentication mechanisms:
- Microsoft Windows domain (Active Directory Server)
- RADIUS server
- LDAP server
- RSA SecurID token
- SAP NetWeaver server
- Smart Card authentication
If a PKI has already been set up, the digital user certificates of the PKI can also be used by Secure Login.
Secure Login also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) with SSL.

1.1 System Overview


Secure Login is a client/server software system integrated with SAP software to make single sign-on, alternative user authentication, and enhanced security easy for distributed SAP environments.
The Secure Login solution includes the following components:
- Secure Login Server
  Central service which provides X.509v3 certificates (out-of-the-box PKI) to users and application servers. The Secure Login Web Client is provided as well.
- Secure Login Library
  Crypto library for the SAP NetWeaver ABAP system. The Secure Login Library supports both X.509 and Kerberos technology.
- Secure Login Client
  Client application which provides security tokens (Kerberos and X.509 technology) for a variety of applications.

It is not necessary to install all components; which ones you need depends on the use case. For further information about the Secure Login Client and the Secure Login Library, see the corresponding Installation, Configuration and Administration Guide.

The Secure Login Client is split into the following variants:
- Secure Login Client
  The Secure Login Client can either be used with an existing public key infrastructure (PKI) or together with the Secure Login Server. You can use it for certificate-based authentication without being obliged to set up a PKI.
  The stand-alone Secure Login Client can use the following authentication methods:
  - Smart Cards and USB tokens with an existing PKI certificate
    Secure Login Server and Authentication Server are not necessary.
  - Microsoft Crypto Store with an existing PKI certificate
    Secure Login Server and Authentication Server are not necessary.
  - Microsoft Windows credentials
    The Microsoft Windows domain credentials (Kerberos token) can be used for authentication. In addition, the Microsoft Windows credentials can be used to receive a user X.509 certificate from the Secure Login Server.
  - User name and password (several authentication mechanisms)
    The Secure Login Client prompts you for a user name and a password and uses these credentials for authentication at the Secure Login Server to receive a user X.509 certificate.
  All of these authentication methods can be used in parallel. A policy server provides authentication profiles that specify how to log on to the desired SAP system.
- Secure Login Web Client
  This client is based on a Web browser (Web GUI) and is part of the Secure Login Server. The Secure Login Web Client has the same authentication methods as the stand-alone Secure Login Client, but with the following limited functions:
  - Limited integration with the client environment (interaction required)
  - Limited client policy configuration

1.2 System Overview with Security Token


The Secure Login Client is integrated with SAP software to provide a single sign-on capability
and enhanced security. An existing PKI structure or Kerberos infrastructure can be used for
user authentication.

Main System Components


The following figure shows the Secure Login system environment with the main system
components if an existing PKI or Kerberos infrastructure is used.

Figure: Secure Login System Environment with Existing PKI and Kerberos (components shown:
PKI Infrastructure with Smart Card, USB Token and Microsoft Crypto Store providing a Security
Token to the Secure Login Client; Kerberos Infrastructure providing a Kerberos Token; SAP GUI
and Web GUI; SAP NetWeaver Platform with Secure Login Library; authentication and secure
communication via Kerberos)

The Secure Login Client is responsible for the certificate-based authentication and
Kerberos-based authentication to the SAP application server.

Authentication Methods
In a system environment without Secure Login Server, the Secure Login Client supports the
following authentication methods:

- Smart Card and USB tokens with an existing PKI certificate
- Microsoft Crypto Store (Certificate Store)
- Kerberos token


Workflow for X.509 Certificates


The following figure shows the principal workflow and communication between the individual
components.

Figure: Principal Workflow (components shown: PKI Infrastructure with Smart Card, USB Token
and Microsoft Crypto Store; Secure Login Client; SAP NetWeaver Platform with Secure Login
Library. Numbered steps: 1 Start connection and get SNC name; 2 Client maps SNC name to
authentication profile; Unlock Security Token; 4 Security Token; 5 Client provides certificate
to SAP GUI application; 6 Authentication and secure communication)


1. Upon connection start, the Secure Login Client retrieves the SNC name from the
   desired SAP server system.
2. The Secure Login Client uses the authentication profile for this SNC name.
3. The user unlocks the security token by entering the PIN or password.
4. The Secure Login Client receives the X.509 certificate from the user security token.
5. The Secure Login Client provides the X.509 certificate for SAP single sign-on and
   secure communication between SAP Client and SAP Server.
6. The user is authenticated and the communication is secured.

Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic
operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto
engines. The Crypto Service Provider (CSP) from SAP is such a plug-in. It provides the
user keys to all CAPI-enabled applications.


Workflow for Kerberos Token


The following figure shows the principal workflow and communication between the individual
components.

Figure: Principal Workflow Kerberos Authentication


1. Upon connection start, the Secure Login Client retrieves the SNC name (Service
   Principal Name) from the respective SAP server system.
2. The Secure Login Client requests a Kerberos Service token from the Ticket Granting
   Service.
3. The Secure Login Client receives the Kerberos Service token.
4. The Secure Login Client provides the Kerberos Service token for SAP single sign-on
   and secure communication between SAP Client and SAP server.
5. The user is authenticated and the communication is secured.


1.3 System Overview with Secure Login Server


The main feature of the Secure Login Server is to provide an out-of-the-box PKI for users and
application server systems (for example, SAP NetWeaver).
Users receive short term X.509 certificates. For the application server, long term X.509
certificates are issued. Based on the industry standard X.509v3, the certificates can be used
for non-SAP systems as well.
In order to provide user certificates, the user needs to be authenticated (verified by the
Secure Login Server). Therefore the Secure Login Server supports several authentication
server systems.

Main System Components


The following figure shows the Secure Login system environment with the main system
components.

Figure: Secure Login System Environment


The Secure Login Client is responsible for the certificate-based logon to the SAP application
server and encryption of the SAP client/server communication.
The Secure Login Server is the central server component that connects all parts of the
system. It enables authentication against an authentication server and provides the Secure
Login Client with a short-term certificate. The Secure Login Server is a pure Java application.
It consists of a servlet and a set of associated classes and shared libraries. It is installed on
an SAP NetWeaver application server.
The Secure Login Server provides client authentication profiles to the Secure Login Client,
which allows flexible user authentication configurations (for example, which authentication
type should be used for which SAP application server).


Authentication Methods
Secure Login supports several authentication methods. It uses the Java Authentication and
Authorization Service (JAAS) as a generic interface for the different authentication methods.
For each supported method, there is a corresponding configurable JAAS module.
The following authentication methods are supported:

- Microsoft Active Directory Service (ADS)
- RADIUS
- RSA SecurID token
- LDAP
- SAP ID-based logon
- SAP NetWeaver AS Java User Management Engine
- SAP NetWeaver AS Java SPNego

Workflow with X.509 Certificate Request


The following figure shows the principal workflow and communication between the individual
components.

Figure: Principal Workflow


1. Upon connection start, the Secure Login Client gets the SNC name from the desired
   SAP server system.
2. The Secure Login Client uses the client policy for this SNC name.
3. The Secure Login Client receives the user login credentials.


4. The Secure Login Client generates a certificate request.
5. The Secure Login Client sends the user credentials and the authentication request to
   the Secure Login Server.
6. The Secure Login Server forwards the user credentials to the authentication server and
   receives a response indicating whether the user credentials are valid or not.
7. If the user credentials are valid, the Secure Login Server generates a user certificate
   (certificate response) and provides it to the Secure Login Client.
8. Secure Login Client provides the certificate to SAP GUI.
9. The user certificate is used to perform an authentication, single sign-on, and secure
   communication between SAP client and server.

1.4 Instances
The Secure Login instances feature allows multiple instances to run on the same server.
The main advantage of using instances is that the time spent on maintaining Secure Login is
reduced to a minimum.
Secure Login Server instances can use a common user CA certificate for one or more
instances, or you can set an individual user CA certificate (PKI) for each instance.
The Secure Login Client authentication profiles can be configured to use different Secure
Login Server instances for different authentication methods.

Figure: Instances Examples

It is still possible to use several Secure Login Servers and/or authentication servers for
failover. The Secure Login Server can connect to more than one authentication server.


1.5 PKI Structure


There are different integration scenarios available for Secure Login Server.

Out-of-the-Box PKI Secure Login Server


Secure Login Server provides standard X.509 certificates for users (short term) and
application servers (long term). The following out-of-the-box PKI structure can be delivered
with the Secure Login Server.

Figure: Secure Login Server PKI Structure

PKI Integration
As the Secure Login Server is based on the industry standard X.509v3, it is possible to integrate
the Secure Login Server into an existing PKI. The required minimum is to provide a user CA
certificate to the Secure Login Server.

Figure: Secure Login Server Integration with an Existing PKI


1.6 Secure Communication


The goal of the Secure Login solution is to establish secure communication between all
required components:

Figure: Secure Communication

Technology Used for Secure Communication


Technology used for secure communication

From                 To                   Security Protocol / Interface
SAP GUI              SAP NetWeaver        DIAG/RFC (SNC)
Business Explorer    SAP NetWeaver        DIAG/RFC (SNC)
Business Client      SAP NetWeaver        DIAG/RFC (SNC), HTTPS
Web GUI              SAP NetWeaver        HTTPS (SSL)
Secure Login Client  Secure Login Server  HTTPS (SSL)
Secure Login Server  LDAP Server          LDAPS (SSL)
Secure Login Server  SAP NetWeaver        RFC (SNC)
Secure Login Server  RADIUS Server        RADIUS (shared secret)


1.7 Policy Server Overview


Secure Login Client configuration is profile-based. You can configure the application contexts
to provide a mechanism for automatic application-based profile selection. The system then
searches the application contexts for specific personal security environment uniform
resource identifiers (PSE URIs).
If no matching PSE URI is found, a default application context that links to a default profile
can be defined.
The application contexts and profiles are stored in the Microsoft Windows Registry of the
client. You define these parameters in the XML policy file.

Figure: Default Application Context and Profile


1.8 Secure Login Web Client


Secure Login Web Client is a feature of the Secure Login Server. It is a Web-based solution
for the authentication of users in Web browsers (in portal scenarios) on a variety of platforms
and for launching SAP GUI with SNC security. You also use it for authentication against SAP
NetWeaver Web Application Server.
This means that the client is no longer limited to Microsoft Windows; Mac OS X and
Linux-based client systems can be used as well. Another use case is providing short-term
certificates to external employees (for example, to external consultants).
The following main features are available:

- Browser-based authentication (including all authentication server support)
- Support for SAP GUI for Microsoft Windows and SAP GUI for Java
- Certificate store support for Microsoft Internet Explorer and Mozilla Firefox browser
- URL redirect X.509 authentication support to SAP Web application server
- Localization and customization of HTML pages and applet messages

Differences between Secure Login Client and Secure Login Web Client:

- With Secure Login Client the required security library is available.
  With Secure Login Web Client the security library needs to be downloaded in a Web
  browser application.
- With Secure Login Client, the authentication process and secure communication can be
  triggered on demand (for example, in SAP GUI).
  The Secure Login Web Client triggers an authentication process and secure
  communication. After the authentication process, the Secure Login Web Client starts the
  SAP GUI.

1.8.1 Export Restrictions


At the start of the Secure Login Web Client, it transfers components that are required for
authentication and for a secure network connection from the server to the client.
The Secure Login Web Client contains components with cryptographic features for
authentication and for a secure server/client network connection. Under German export
control regulations, these components are classified with ECCN 4D003. If server and client
are not located in the same country a transfer takes place that requires compliance with
applicable export and import control regulations.
If the Secure Login Server and the Secure Login Web Client are installed in different
countries, you are obliged to make sure that you abide by the export and import
regulations of the countries involved.


2 Secure Login Server Installation


This chapter describes how to install Secure Login Server.
The installation can be done using the Telnet application or with the Software Delivery Tool.

2.1 Prerequisites
This chapter describes the prerequisites and requirements for the installation of Secure Login
Server. The SAP NetWeaver Application Server must be up and running.

Hardware Requirements

Secure Login Server        Details
Hard disk space            50 MB of hard disk space
                           HDD space for log files
Random-access memory       1 GB RAM at minimum

Software Requirements

Secure Login Server        Details
Application server         SAP NetWeaver CE 7.2
                           SAP NetWeaver 7.3
Optional:                  The Secure Login Library installation is optional and
Secure Login Library       required for SAP user authentication only.
                           The Secure Login Library will be used to establish
                           secure communication to SAP NetWeaver Application
                           Server ABAP to verify SAP credentials.
                           For operating system support see the Installation,
                           Configuration and Administration Guide of the Secure
                           Login Library.

Secure Login Web Client    Details
Operating systems          Microsoft Windows 7, Vista, XP (32-bit)
                           SUSE Linux Enterprise Desktop 11
                           Mac OS X 10.5, 10.6
Java                       SUN Java 1.5 or higher browser plug-in
Internet browser (32-bit)  Microsoft Internet Explorer 7, 8, 9
                           Mozilla Firefox 3.6 and higher


Supported Authentication Servers

Secure Login Server             Details
LDAP server system              Microsoft Active Directory System 2003, 2008
                                openLDAP
SAP server system               SAP NetWeaver Application Server ABAP 6.20 or
                                higher version
RADIUS server system            RSA Authentication Manager 6.1 and 7.1
                                freeRADIUS
                                Microsoft Network Policy and Access Services (NPA)
                                Microsoft Internet Authentication Service (IAS)
SAP NetWeaver AS Java           BasicPasswordLoginModule
User Management Engine (UME)

2.1.1 Secure Login Library


The Secure Login Library installation is optional and is required for SAP NetWeaver
Application Server user authentication only. The Secure Login Library is used to establish
secure communication to SAP ABAP server and to verify SAP credentials.
Keep in mind that there are different Secure Login Library software packages available
depending on the desired operating system. This document describes the installation for the
Microsoft Windows and Linux operating systems.

Secure Login Library for Microsoft Windows Operating System

Step 1 Copy Library Files
Copy the Secure Login Library software for Microsoft Windows to the target SAP NetWeaver
Application Server and extract the file SECURELOGINLIB.SAR with the SAPCAR command
line tool to the following folder.
sapcar -xvf <source_path>\SECURELOGINLIB.SAR -R <ASJava_installation>\exe\
Example
sapcar -xvf D:\InstallSLS\SECURELOGINLIB.SAR -R D:\usr\sap\ABC\J00\exe\

Check if the folder <ASJava_installation>\exe, which is used by Secure Login Library, is
included in the Java library path. Verify the Java library path (libpath) in the trace file
<ASJava_installation>\work\dev_jstart.


Step 2 Environment Variable SECUDIR


Set the system environment variable SECUDIR to the following directory:
SECUDIR=<ASJava_installation>\sec
Example
SECUDIR=D:\usr\sap\ABC\J00\sec

Step 3 Verify Secure Login Library


To verify the Secure Login Library, use the snc command:

<ASJava_installation>\exe\snc.exe
Example
D:\usr\sap\ABC\J00\exe\snc.exe

As a result, you get further information about the Secure Login Library.
The test is successful if the version is displayed.

Figure: Verify Secure Login Library with the Command snc

Step 4 Restart SAP NetWeaver Application Server


In an installation under Microsoft Windows, restart the SAP NetWeaver Application Server,
because the environment variable SECUDIR does not take effect until you perform a
restart.


Secure Login Library for Linux Operating System


Step 1 Copy Library Files
Copy the Secure Login Library software for Linux to the target SAP NetWeaver Application
Server and extract the file SECURELOGINLIB.SAR with the SAPCAR command line tool to
the following folder.
sapcar -xvf <source_path>/SECURELOGINLIB.SAR -R <ASJava_installation>/exe/
Example
sapcar -xvf /InstallSLS/SECURELOGINLIB.SAR -R /usr/sap/ABC/J00/exe

Check if the folder <ASJava_installation>/exe, which is used by Secure Login Library, is
included in the Java library path. Verify the Java library path (libpath) in the trace file
<ASJava_installation>/work/dev_jstart.

Step 2 Define File Attributes


To use shared libraries in a shell, it is necessary to set the file permission attributes with the
following command:
chmod +rx <ASJava_installation>/exe/snc <ASJava_installation>/exe/lib*
Example
chmod +rx /usr/sap/ABC/J00/exe/snc /usr/sap/ABC/J00/exe/lib*

Step 3 Define File Owner


Grant access rights to the user account that is used to start the SAP application (for example,
<SID>adm).
Change to the folder <ASJava_installation>/exe/ and use the following command:
chown [OWNER]:[GROUP] *
Example
chown abcadm:sapsys *

Step 4 Verify Secure Login Library


To verify the Secure Login Library use the snc command (with user <SID>adm):

<ASJava_installation>/exe/snc
Example


/usr/sap/ABC/J00/exe/snc

As a result, further information about the Secure Login Library should be displayed.
The test is successful if the version is displayed.

Figure: Verify Secure Login Library with the snc Command


2.2 Secure Login Server Installation with Telnet


1.) Copy the file SECURE_LOGIN_SERVER00_0.sca to the target SAP NetWeaver
Application Server.
2.) Start a Telnet session.
telnet localhost 5<instance_number>08
Example
telnet localhost 50008

3.) Deploy the Secure Login Server package.
deploy <source>\SECURE_LOGIN_SERVER0SP_0.sca
Microsoft Windows Example
deploy D:\InstallSLS\SECURE_LOGIN_SERVER0SP_0.sca
The Secure Login Server application will be started automatically.
Start the initial configuration described in section 2.6 Initial Configuration Wizard.

List of Useful Telnet Commands

Action                Command
Deploy Application    deploy SECURE_LOGIN_SERVER0SP_0.sca
Undeploy Application  undeploy name=SecureLoginServer vendor=sap.com
List Application      list_app | grep SecureLoginServer
Stop Application      stop_app sap.com/SecureLoginServer
Start Application     start_app sap.com/SecureLoginServer


2.3 Secure Login Server Installation with JSPM


1.) Copy the file SECURE_LOGIN_SERVER0SP_0.sca to the target SAP NetWeaver
Application Server.
The target folder location is \\localhost\sapmnt\trans\EPS\in
Microsoft Windows
<drive>\usr\sap\trans\EPS\in
Linux
/usr/sap/trans/EPS/in

2.) Start the JSPM application (SAP Software Delivery Tool) on SAP NetWeaver Application
Server.
Microsoft Windows
<ASJava_Installation>\j2ee\JSPM\go.bat
Linux
<ASJava_Installation>/j2ee/JSPM/go
3.) Log on to SAP NetWeaver AS Java with a user with administration privileges.


4.) Choose the New Software Components option.

5.) Select sap.com/SECURE_LOGIN_SERVER.


6.) Start the deployment process.

7.) After the deployment finishes, exit the JSPM application.


2.4 Secure Login Server Uninstallation


This chapter describes how to uninstall Secure Login Server. Uninstall the Secure Login
Server in Telnet.
1.) Start a Telnet session.
telnet localhost 5<instance_number>08
Example
telnet localhost 50008
2.) Stop the Secure Login Server application.
stop_app sap.com/SecureLoginServer
3.) Undeploy the Secure Login Server package.
undeploy name=SecureLoginServer vendor=sap.com

2.5 Updating the Secure Login Server to SP2


SAP Note 1660519 describes how to update the Secure Login Server to SP1. You see the
current version number of the Secure Login Server in the parameter Server Build. The entry
REL_1_0_2_20 stands for SP2 (see 3.3.9 Server Status). After the installation, restart the
system.
During the installation, the following files are deleted:
- config.properties file
- userenv.registry
Make a backup of these files before you execute an installation. After the installation, copy
the files back to the relevant directories.


2.6 Initial Configuration Wizard


After the deployment of Secure Login Server an initial configuration is required.
For security reasons, the initial configuration of the Secure Login Server can be
performed on local host only (same server computer on which the Secure Login
resides).
If, however, you want to perform the initialization and configuration from a remote
location, you must manually enable this feature by editing the Secure Login web.xml
file. For more information, see section 2.6.2 Enable Remote Access for Initial Wizard.
If a GUI is not available (for example, Linux without X-Win), use an SSH localhost
tunnel configuration for accessing the wizard. For more information, see section 2.6.3
Configure SSH Tunnel.

2.6.1 Initial Configuration


This section describes the initial configuration of the Secure Login Server.
Before starting the Initial Configuration Wizard, verify that the Secure Login Server
application is running.
Start the initial configuration using the browser URL:
http://localhost:5<instance_number>00/securelogin

Welcome Page
In the welcome page a prerequisite check is performed. Verify all prerequisites.
If everything is OK, choose Continue.

Figure: Initial Configuration Wizard Welcome Page


Key File for Encryption of Server Credentials


The key file is a file on the server with random content and is used to secure password
information in configuration files. You can use any file type, as long as the file is larger than
32 bytes. You must create or copy the file to the desired location on the server and define it in
this configuration step. The wizard checks whether the key file is available.
Define the location of the key file.
Example:
D:\usr\sap\ServerKeyFile\KeyFile.txt

Figure: Initial Configuration Wizard Key file for server credentials encryption

Keep in mind that, in case the key file is changed or not available, it is not possible to log
on to the Secure Login Administration Console. The Secure Login Server does not work
anymore and is locked.

After the configuration, choose Next to continue.


Administrator Account
Define the password for the administration user Admin.

Figure: Initial Configuration Wizard Administrator Account


Entries marked with * are mandatory.

Passwords used in Secure Login Server are restricted by the password policy definition:
- Passwords cannot be empty
- Passwords must have a length between 8 and 20 characters
- Passwords must contain at least one uppercase letter
- Passwords must contain at least one lowercase letter
- Passwords must contain at least one digit
- Passwords must contain at least one special character
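The six policy rules as a checker you can run against candidate passwords before entering them in the wizard; this is an added example, not SAP code. The page does not define which characters count as "special", so the example assumes ASCII punctuation.

```python
"""Password policy check for Secure Login Server administrator and certificate passwords.

Added example (not part of SAP Secure Login Server). It encodes the rules listed in the
guide: non-empty, 8 to 20 characters, at least one uppercase letter, one lowercase letter,
one digit and one special character.
"""
import string
from typing import List

MIN_LENGTH = 8
MAX_LENGTH = 20
# Assumption: the guide does not enumerate the special characters. This example treats
# ASCII punctuation as special; a space is not accepted as a special character.
SPECIAL_CHARS = frozenset(string.punctuation)


def password_policy_violations(password: str) -> List[str]:
    """Return every policy rule the password violates; an empty list means compliant."""
    if not password:
        # The empty password breaks every rule; report the rule the guide lists first.
        return ["password is empty"]

    violations = []
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        violations.append(
            f"length must be between {MIN_LENGTH} and {MAX_LENGTH} characters"
        )
    if not any(c.isupper() for c in password):
        violations.append("at least one uppercase letter required")
    if not any(c.islower() for c in password):
        violations.append("at least one lowercase letter required")
    if not any(c.isdigit() for c in password):
        violations.append("at least one digit required")
    if not any(c in SPECIAL_CHARS for c in password):
        violations.append("at least one special character required")
    return violations


def is_policy_compliant(password: str) -> bool:
    """True when the password satisfies all rules of the Secure Login Server policy."""
    return not password_policy_violations(password)


if __name__ == "__main__":
    # Constructed sample inputs, including both length boundaries (8 and 20 characters).
    for candidate in ["Walldorf!2011", "Abcdef1!", "Abcdefgh1!Abcdefgh1!", "abcdefgh1!", ""]:
        print(repr(candidate), password_policy_violations(candidate) or "compliant")
```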

After the configuration, choose Next to continue.


Create Root CA Certificate


Define the parameter for the root CA certificate.

Figure: Initial Configuration Wizard Create Root CA


Entries marked with * are mandatory.

Option: Create a Root CA by providing certificate information
  Common Name*
    Enter the common name of the certificate (CN). Example: Root CA SAP Security
  Organization Unit
    Enter the division of the company in this field (OU). Example: SAP Security Department
  Organization
    Enter the company name in this field (O). Example: Company xyz
  Locality
    Enter the regional information in this field (L). Example: Walldorf
  Country
    Enter the country abbreviation in this field (C). Example: DE
  Encryption Key Length
    Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
  Valid From*
    Enter the date from when the validity of this certificate starts (format: YYYY-MM-DD).
  Valid To*
    Enter the date when the validity of this certificate ends (format: YYYY-MM-DD).
  Password*
    In this field you enter the password for this certificate. The password length is limited
    to 20 characters.
  Save Password
    If this checkbox is activated, this password is stored. This means that you do not need to
    remember the password when editing this certificate at a later date.
  Confirm Password*
    Confirm the encryption password entered in the field above.

Option: Import an Existing Key Store File
  Checking this option displays the following options:
  KeyStore File*
    Click Browse to locate and load an existing KeyStore file (file format: *.pse).
  Password*
    The password for the KeyStore (PSE) file.
  Save Password
    If this checkbox is activated, this password is stored. This means that you do not need to
    remember the password when editing this certificate at a later date.

Option: Skip this certificate
  Check this option if you do not want to or do not need to enter any information for this
  specific certificate at this time.

Option: Skip all PKI certificates
  Check this option if you do not want to or do not need to enter information for any
  certificate at this time. This means you skip all the PKI certificates including the Root CA,
  SSL CA, SSL Server, and User CA certificates.
  You can create or add certificate information at a later time in the Certificate Management
  function of the Administration Console.
After the configuration, choose Next to continue.


Select the SSL Certificate Generation Type


Choose an option for the SSL certificate.

Figure: Initial Configuration Wizard Select the SSL Certificate Generation Type
It is possible to install or import SSL certificates later on using the administration console
Certificate Management. For more information, see section 3.3.3 Certificate
Management.

Option: Generate an SSL certificate using the Secure Login Administration Console
  The SSL certificates for the SAP NetWeaver Application Server (or other Web application
  server) are created using the Secure Login Administration Console.

Option: Skip all SSL certificates
  Check this option if you do not want to or do not need to enter information for SSL
  certificates at this time.
After choosing an option, choose Next to continue.


Create SSL CA Certificate


This step is optional and is only available if the option Generate an SSL certificate using the
Secure Login administration console was chosen.

Figure: Initial Configuration Wizard Create SSL CA Information


Entries marked with * are mandatory.

Option: Create an SSL CA by providing certificate information
  Common Name*
    Enter the common name of the certificate (CN). Example: SSL CA SAP Security
  Organization Unit
    Enter the division of the company in this field (OU). Example: SAP Security Department
  Organization
    Enter the company name in this field (O). Example: Company xyz
  Locality
    Enter the regional information in this field (L). Example: Walldorf
  Country
    Enter the country abbreviation in this field (C). Example: DE
  Encryption Key Length
    Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
  Valid From*
    Enter the date when the validity of the certificate starts (format: YYYY-MM-DD).
  Valid To*
    Enter the date when the validity of the certificate ends (format: YYYY-MM-DD).
  Password*
    Enter the password for this certificate in this field. The password length is limited to
    20 characters.
  Save Password
    If this checkbox is activated, this password is stored. This means that you do not need to
    remember the password when editing this certificate at a later date.
  Confirm Password*
    Confirm the encryption password entered in the field above.

Option: Import an Existing Key Store File
  Checking this option displays the following options:
  KeyStore File*
    Click Browse to locate and load an existing KeyStore file (file format: *.pse).
  Password*
    The password for the KeyStore (PSE) file.
  Save Password
    If this checkbox is activated, this password is stored. This means that you do not need to
    remember the password when editing this certificate at a later date.

Option: Skip this certificate
  Check this option if you do not want to or do not need to enter any information for this
  specific certificate at this time.

After the configuration, choose Next to continue.
After the configuration, choose Next to continue.

Create SSL Server Certificate


This step is optional and is only available if you chose the option Generate an SSL certificate
using the Secure Login administration console.


Figure: Initial Configuration Wizard SSL Server Information


Entries marked with * are mandatory.

Option: Create an SSL server by providing certificate information
  Common Name*
    Enter the common name of the certificate (CN). Example: Alias Server Name
  Organization Unit
    Enter the division of the company in this field (OU). Example: SAP Security Department
  Organization
    Enter the company name in this field (O). Example: Company xyz
  Locality
    Enter the regional information in this field (L). Example: Walldorf
  Country
    Enter the country abbreviation in this field (C). Example: DE
  Subject Alternative Names (DNS)
    Enter the alternative name in this field. Typically this is the Fully Qualified Domain Name
    (FQDN). Example: ServerName@FQDN.local
  Encryption Key Length
    Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
  Valid From*
    Enter the date when the validity of the certificate starts (format: YYYY-MM-DD).
  Valid To*
    Enter the date when the validity of the certificate ends (format: YYYY-MM-DD).
  Password*
    In this field, you enter the password for this certificate. The password length is limited
    to 20 characters.
  Save Password
    If this checkbox is activated, this password will be stored. This means that you do not
    need to remember the password when editing this certificate at a later date.
  Confirm Password*
    Confirm the encryption password entered in the field above.

Option: Import an Existing Key Store File
  Checking this option displays the following options:
  KeyStore File*
    Click Browse to locate and load an existing KeyStore file (file format: *.p12).
  Password*
    The password for the KeyStore file.
  Save Password
    If this checkbox is activated, this password is stored. This means that you do not need to
    remember the password when editing this certificate at a later date.

Option: Skip this certificate
  Check this option if you do not want or do not need to enter any information for this
  specific certificate at this time.

After the configuration, choose Next to continue.


Create User CA Certificate


Define the parameter for the user CA certificate.

Figure: Initial Configuration Wizard User CA Information


Entries marked with * are mandatory.

Option

Details

Create a user CA by
providing certificate
information

Common Name*
Enter the common name of the certificate (CN).
Example: User CA SAP Security
Organization Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512,
1024, 1536, 2048, 3072, or 4096 bits).

06/2011

41

2 Secure Login Server Installation

Valid From*
Enter the date when the validity of the certificate
starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of the certificate ends
(format: YYYY-MM-DD).
Password*
In this field you enter the password for this certificate.
The password length is limited to 20 characters.
Save Password
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.
Confirm Password*
Confirm the encryption password entered in the field
above.
Import an Existing Key Store File
Checking this option displays the following options:
KeyStore File*
Click Browse to locate and load an existing
KeyStore file (file format: *.pse).
Password*
The password for the KeyStore (PSE) file.
Save Password
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.
Skip this certificate
Check this option if you do not want or do not need to
enter any information for this specific certificate at this
time.

After the configuration, choose Next to continue.

Define Server Configuration


Define the parameters for the User Certificate Configuration and Application Information.
The other configuration parameters are read-only (for verification reasons).

Figure: Initial Configuration Wizard Server Configuration


Entries marked with * are mandatory.

Option

Details

User Certificate Configuration
DN.country
Enter the country abbreviation in this field (C).
Example: DE
DN.locality
Enter the regional information in this field (L).
Example: Walldorf
DN.organization
Enter the company name in this field (O).
Example: Company xyz
DN.organizationalUnit
Enter the division of the company in this field (OU).
Example: SAP Security Department
ValidityMinutes*
Information for a temporary certificate: The period of
time (in minutes) that the user certificate is valid.

Application Information

ServerHostName
Fully qualified domain name (FQDN) or IP address of this server.
This parameter is used for the client policy definition
and can be used for centrally changing the server
host name and the server port in the instance
configuration of the Secure Login Server.
ServerPort
Port of this server.
This parameter is used for the client policy definition
and can be used for central change.

Authentication Server Configuration (read-only)
AuthConfigPath
Authentication server configuration file for the
Secure Login Server.
Secure Login User CA Key Store (read-only)
PseName
The user CA key store file path. If you created a user
CA in the previous step, the file path is shown here.
Log Configuration (read-only)
DailyLogDir
In this log path the user authentication information for
the default instance is logged
(for example, that a user authentication was successful).
MonthlyLogDir
In this log path the instance information for the default
instance is logged
(for example, that the default instance was started
successfully).
AdminConsoleLogDir
In this log path the admin console information for the
Secure Login Administration Console is logged
(for example, that the default instance configuration was
changed).
LockDir
The path to which the lock file is saved. A lock file is
created when the server encounters an internal error
that requires manual intervention.

After the configuration, choose Next to continue.

Setup Review
Verify the action points and choose the Finish pushbutton to complete the initial wizard
configuration.

Figure: Initial Configuration Wizard Setup Review

Finish Setup
After successful setup configuration this page appears. Restart the Secure Login Server
application.

Figure: Initial Configuration Wizard Congratulations


Use the Telnet application to stop and start the Secure Login Server application (for more
information, see section 2.2 Secure Login Server Installation with Telnet).
Another possibility in the Microsoft Windows environment is to use the SAP Management
Console (sapmmc) application. Under AS Java Components, choose the application
sap.com/SecureLoginServer and restart the application.

Microsoft Windows SAP Management Console


In a Microsoft Windows environment, the SAP Management Console (sapmmc) can be used to
restart the Secure Login Server application. Select the application sap.com/SecureLoginServer
and choose the option Restart (right-click option).

Figure: SAP Management Console (sapmmc)

2.6.2 Enable Remote Access for Initial Wizard


This configuration step is optional and is only required if you want to perform the initial
configuration from a remote computer.
For security reasons we recommend performing the initial configuration on the local host
(same server computer on which the Secure Login Server resides).

In the configuration file web.xml, change the value to true for the parameter remoteAccess.
web.xml
<init-param>
    <param-name>remoteAccess</param-name>
    <param-value>true</param-value>
</init-param>

The configuration file web.xml is available in the following place:
Microsoft Windows
<ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\servlet_jsp\securelogin\root\WEB-INF\web.xml
Linux
<ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/servlet_jsp/securelogin/root/WEB-INF/web.xml
Afterwards, restart the Secure Login Server application for the change to take effect.
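To audit this setting without opening the file by hand, the following Python example (added here; it is not part of this guide or of the Secure Login Server product) parses a web.xml, reports whether remoteAccess is enabled, and writes the local-only value back. The sample document is constructed and shows only the init-param structure: the element names come from the snippet above, while the servlet-name and the namespace are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of web.xml (assumed structure, not the
# deployed file): a servlet whose remoteAccess init-param has been set to true.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>securelogin</servlet-name>
    <init-param>
      <param-name>remoteAccess</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
"""

PARAM_NAME = "remoteAccess"


def _local(tag):
    """Strip an XML namespace prefix: '{uri}init-param' -> 'init-param'."""
    return tag.rsplit("}", 1)[-1]


def _find_param(root, name):
    """Return the <param-value> element of the init-param called `name`, or None."""
    for elem in root.iter():
        if _local(elem.tag) != "init-param":
            continue
        pname = pvalue = None
        for child in elem:
            if _local(child.tag) == "param-name":
                pname = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                pvalue = child
        if pname == name and pvalue is not None:
            return pvalue
    return None


def remote_access_enabled(web_xml_text):
    """True when remoteAccess is 'true' (any case); False when false or absent."""
    value = _find_param(ET.fromstring(web_xml_text), PARAM_NAME)
    if value is None:
        return False  # parameter missing: the wizard stays reachable locally only
    return (value.text or "").strip().lower() == "true"


def set_remote_access(web_xml_text, enabled):
    """Return the document with remoteAccess set to 'true' or 'false'."""
    root = ET.fromstring(web_xml_text)
    value = _find_param(root, PARAM_NAME)
    if value is None:
        raise ValueError(f"init-param {PARAM_NAME} not found")
    value.text = "true" if enabled else "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("remoteAccess enabled:", remote_access_enabled(SAMPLE_WEB_XML))
    hardened = set_remote_access(SAMPLE_WEB_XML, False)
    print("after resetting to local-only:", remote_access_enabled(hardened))
```

Run the check after the initial configuration is complete; a remoteAccess value left at true keeps the wizard reachable from other hosts, which the guide recommends against.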

2.6.3 Configure SSH Tunnel


This configuration step is optional and applies to Linux environments where no GUI is
available. In that case the local host connection can be made through an SSH tunnel, for
example with PuTTY. Configure the following parameters and choose Add.
Example: SSH tunnel configuration in PuTTY
Parameter
Value
Source Port
5<instance_number>00
Example: 50000
Destination
localhost:5<instance_number>00
Example: localhost:50000

After the SSH tunnel configuration, log on to this connection and perform the initial
configuration. For more information, see section 2.6 Initial Configuration Wizard.

3 Administration
This chapter describes the configuration parameters in Secure Login Server.

3.1 Logon to Administration Console


To open the administration console, enter the following URL in a Web browser:
Communication
URL
Unsecured
http://<IP/FQDN>:5<instance_number>00/securelogin
Secured
https://<IP/FQDN>:5<instance_number><https_port>/securelogin
You find the HTTPS port in the SSL settings of the SAP NetWeaver configuration. The port
number is usually 50001 (that is, <https_port> = 01 in the table above).
The logon page appears.

Figure: Administration Console Logon Page


Enter your administration user name (for example, Admin) and your password.
Authentication type
Details
Local Login
Default user name/password combination authenticated in the
administration console database.
External Login
User name/password combination authenticated in the
authentication server database set in the JAAS module.
Example: You can use the Microsoft Active Directory user
database for logging on to the Secure Login Server
administration console.
For more information about the configuration, see section 3.3.2
Edit Login Type Setting.

3.2 Welcome Page


After successful logon, the welcome page appears. This page also appears when you click
on Home.

Figure: Administration Console Welcome Page


The administration console interface allows you to easily configure the server to your needs.
The main area is split into three panes:

The top left-hand pane lists any tasks that have yet to be performed.
For example, Connection must be HTTPS refers to the missing SSL connection between
the console and the Secure Login Server, and Server needs to be restarted informs you
that the configuration has been changed and you need to restart the Secure Login
Server application for it to take effect.
The bottom left-hand pane is the main navigation tree. For easy reference, each node
represents tasks that can be performed within the Secure Login Server framework.
The right-hand pane displays the details of any node selected in the left-hand pane.
In the top right-hand corner there are three entries that appear on every page in the
console:
Change Password
This allows you to change the password for the current administrator/user account.
Logout
Use this link to log out of the console. The logon page reappears (see section 3.1
Logon to Administration Console).

About
Click this to view version information about the console.

You may be asked to re-enter your user name and password if you leave the
administration console for a long time. The default console timeout is 10 minutes.

3.2.1 Change Password


This section describes how to change the account password for the administration console.
1. Choose Change Password in the title bar on any page.
2. The following dialog box appears:

Figure: Change Password


3. Enter the current password into the Old Password field.
4. Enter and confirm the new password into the fields New Password and Confirm New
Password respectively.
5. Click OK.

The user admin is a permanent user that has the role super user and cannot be deleted.
As a consequence, the admin user can log on to the system regardless of state (when a
serious system error occurs), making sure that there is at least one user who can always
access Secure Login to correct or configure the system.

3.3 Server Configuration


This section describes the server configuration page of the administration console.
The Server Configuration page allows you to do the following:
View the server configuration.
Edit some of the server parameters.

Choose the Server Configuration node in the left-hand pane of the administration console.
The following page appears:

Figure: Administration Console - Server Configuration

The following options can be viewed on this page:

Option
Details/Value
Edit
Click Edit to change the Administration Console Description,
Trace Configuration, and Client Configuration.
For more information, see section 3.3.1 Edit Server
Configuration.
Description
The description of this administration console.
Console Login Type
The current types of authentication available for logging on to the
administration console. The configuration can be changed
using the button Edit Login Type.
For more information, see section 3.3.2 Edit Login Type
Setting.
External Login JAAS Module
The current JAAS module used for External Login
authentication to the Administration Console.
For more information, see section 3.3.2 Edit Login Type
Setting.
The Authentication File Path (read-only)
The authentication configuration file used by this server. This
configuration is for information purposes only.
Trust Certificates Storage File (read-only)
The Trust Store file (TrustStore.jks) used by this server.
Console Log Directory (read-only)
The directory in which the console log file is located.
Console Log Prefix (read-only)
The file prefix for the console log file.
Enable Server Trace
Enable Secure Login Server trace to provide extended
traces.
true
Trace enabled
false
Trace disabled
Default value is false.
Path to the Server Lock File (read-only)
Path where the lock files are written. A lock file is generated if
something went wrong with the Secure Login Server. In this
case the Secure Login Server is locked.
Host Server Domain Name
The host name or IP of the computer from which the console
is being used for the Secure Login Client policy configuration
(for all client policy URLs).
Port
The port of this computer from which the console is being
used for the Secure Login Client policy configuration (for all
client policy URLs).
We recommend that you use an HTTPS (SSL) port.
CREDDIR (read-only)
The directory in which the credentials are stored for the
Secure Login Library.
NativeLibraryPath (read-only)
The directory where native libraries are stored for the Secure
Login Library.

3.3.1 Edit Server Configuration


Choose the Edit button. The following page appears.

Figure: Administration Console Edit Server Configuration


The following options can be set:
Option
Details/Value
Description
Here you can personalize the description for the
administration console.
Enable Server Trace
true
Write trace messages to the application server trace file
(defaultTrace_*.log).
false
Do not write trace messages to the application server trace
file.
Host Server Domain Name
The host name or IP of the computer from which the console
is being used.
Port
The port of the computer from which the console is being
used. We recommend that you use an HTTPS (SSL) port.

Once you have changed any option, click Save to return to the Server Configuration page.

3.3.2 Edit Login Type Setting


Choose the Edit Login Type button to open the page that allows you to configure, delete,
or add the following login types:
Local Login
Default user name/password combination authenticated with the administration console
database.
External Login
User name/password combination authenticated in the authentication server database set in
the JAAS module. If this option is used, select the appropriate JAAS module in the External
Login Jaas Module combo box.
To add a login option to the administration console login page, proceed as follows:
1. Select a login type from the All Login Type field and choose >>Add. As a
consequence, it appears in the Current Login Type field.
2. Use the Up and Down buttons to move a login option up or down and thus define its
priority.
3. To delete a login option from the administration console login page, select a login
type from the Current Login Type field and choose <<Delete.
4. Choose Save to confirm any changes.

External Login JAAS Module


Several login modules are available. They can be used for the External Login option.
Available Login JAAS Module
Login Module
Remarks
SPNegoLoginModule
Uses Kerberos/SPNego. This is the default setting
of the Secure Login Server.
SecureLoginModuleLDAP
Uses an LDAP server or MS-ADS server system.
SecureLoginModuleRADIUS
Uses a RADIUS server.
SecureLoginModuleSAP
Uses SAP NetWeaver Application Server.
BasicPasswordLoginModule
Used for direct authentication with user name and
password. It is configured in the SAP NetWeaver
Administrator, and the UME provides the users.

Choose Save to confirm any changes.

3.3.3 Certificate Management


This section describes the Certificate Management page of the administration console.
The Certificate Management page allows you to do the following:

Create certificates
View certificates
Export certificates
Import certificates

The first decision to make is the following:
Should the Secure Login Server create and manage one or more public key
infrastructures, or is there an existing company PKI that is to be used on top?
Both are possible, and even a mixture of the two: for example, one Secure Login Server PKI
below your enterprise PKI and two others created independently by the Secure Login Server.
Due to the high flexibility of the Secure Login Server, PKIs can be added, replaced, or
deleted at any time.
Choose the Certificate Management node from the tree in the left-hand pane.
The following page appears:

Figure: Administration Console Certificate Management

Option

Details

PKI Tree
One or more tree views of independent PKIs.
One DefaultPKITree named Root CA SAP Security is
available here.
Create New Root CA
Define a display name for the new PKI and create a top-level
Certification Authority (Root CA).

Certificate Information

Common Name
Common name of the selected certificate.
Path
File path of the selected certificate file.
Save Password
Password protection status of the selected certificate file.
Mapping to Instance
List of all instances and selections that are supposed to use
this user CA. This option is available for user CAs only.

More Details
Further details of the X.509 certificate.
[PKI Information]
Displays the name of the PKI structure.
[CA Operations]
Selects the Certification Authority of a PKI for further
management operations.
Issue
Creates a new Certification Authority of this type (USER_CA,
SAP_CA or SSL_CA).
Change Password
Changes the password of the selected CA.
Remove Password
Removes the password of the selected CA. The password must then be
entered for each following management operation of this CA.
[Export Certificate]
Exports the selected certificate.
Export Type
Chooses the export type for the certificate.
Possible export types: .crt, .p12, .pse, or .jks.
New Password
Defines the password of the exported certificate file. This
option is not available if you choose the export type .crt.
[Import New PKI]
Imports the key store into the certificate list.
Note: Only PSE files can be imported.
PKI Name
Displays the name of the new PKI the certificate belongs to.
The following special characters are not supported:
~`!@#$%^&*()_-+= }{:"?><,./;'[]\|
[Selection List]
The selection list allows you to associate the type of CA of
the certificate. Each type can be associated only once.
Browse
Opens a file browser to select the certificate file.
Open Password
Password that protects the certificate file.
Save Password
Allows you to save the password in the configuration file.

Create New PKI


Use this function to create a new internal PKI that has its own root CA certificate.
Enter a display name for the new PKI, for example NEW PKI, and choose Create New Root
CA.
Define the certificate parameters for the new root CA certificate and choose Create.
Entries marked with an asterisk (*) are mandatory.
The new PKI should now be available in the PKI tree.

Import New PKI


Use this function to create a new PKI that uses external CA certificates. This way it is also
possible to create a PKI without having the issuing root CA stored inside the Secure Login
Server.
1. Enter a display name for the new PKI, for example, ImportPKI.
2. Select the type of CA that shall be imported, for example, ROOT_CA.
3. Choose Browse to open a file browser. Locate and open the PSE file.
4. Enter the password for the PSE file in the field Open Password.
5. As an option, you can choose to save the password.
6. Choose the Import pushbutton to complete.

The imported PKI should be available in the PKI tree.

Create SAP CA Certificate


Use this function to create an SAP CA certificate.
1. Choose the Root CA certificate in the PKI tree list.
2. Select the certificate type SAP_CA in [CA Operations].
3. Choose the Issue pushbutton and define the certificate parameters.

Figure: Administration Console Create SAP CA Certificate

Entries marked with an asterisk (*) are mandatory.

Option

Details

Create SAP_CA Subject Information

Common Name*
Enter the common name of the certificate (CN).
Example: SAP CA SAP Security
Organization Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512,
1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Enter the date when the validity of the certificate
starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of the certificate ends
(format: YYYY-MM-DD).
Password*
In this field you enter the password for this certificate.
The password length is limited to 20 characters.
Save Password
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.
Confirm Password*
Confirm the encryption password entered in the field
above.

Create SAP Server Certificate


Use this function to create a certificate for the SAP NetWeaver Application Server (AS).
1. Choose the SAP_CA certificate in the PKI tree list.
2. Select the certificate type SAP_Server in [CA Operations].
3. Choose the Issue pushbutton and define the certificate parameters.

Figure: Administration Console Create SAP Server Certificate

Entries marked with an asterisk (*) are mandatory.

Option

Details

Specify the parameters of the SAP Server Certificate

Common Name*
Enter the common name of the certificate (CN).
Example: SAP SID
Organizational Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512,
1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Enter the date when the validity of this certificate
starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of this certificate ends
(format: YYYY-MM-DD).
Password*
Enter the password for this certificate in this field. The
password length is limited to 20 characters.
Confirm Password*
Confirm the encryption password entered in the field
above.
Save password to file
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.

Create SNC Certificate


Use this function to create a certificate for the SNC connection to the SAP NetWeaver
Application Server (AS).
Using this certificate, the Secure Login Server establishes secure communication with the
SAP NetWeaver AS to verify SAP user credentials.
1. Choose the SAP_CA certificate in the PKI tree list.
2. Select the certificate type SNC_CERT in [CA Operations].
3. Choose the Issue pushbutton and define the certificate parameters.

Figure: Administration Console Create SNC Certificate

Entries marked with an asterisk (*) are mandatory.

Option

Details

Create SNC_CERT Subject Information

Common Name*
Enter the common name of the certificate (CN).
Example: SLSSNC
Organizational Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512,
1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Enter the date when the validity of this certificate
starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of this certificate ends
(format: YYYY-MM-DD).
Password*
In this field, you enter the password for this certificate.
The password length is limited to 20 characters.
Confirm Password*
Confirm the encryption password entered in the field
above.
Save password to file
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.

64

06/2011

3 Administration

Create Login Certificate


Use this function to create a login certificate for the Secure Login administration console. With
it, the Secure Login administrator establishes a certificate-based logon to the Administration
Console.
1. Choose the SAP_CA certificate in the PKI tree list.
2. Select the certificate type LOGIN_CERT in [CA Operations].
3. Choose the Issue pushbutton and define the certificate parameters.

Figure: Administration Console Create Login Certificate

Entries marked with an asterisk (*) are mandatory.

Option

Details

Create LOGIN_CERT Subject Information

Common Name*
Enter the common name of the certificate (CN).
Example: Username
Organizational Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE (for Germany)
Encryption Key Length
Select the encryption key length for the server (512,
1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Enter the date when the validity of this certificate
starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of this certificate ends
(format: YYYY-MM-DD).
Password*
In this field you enter the password for this certificate.
The password length is limited to 20 characters.
Confirm Password*
Confirm the encryption password entered in the field
above.
Save password to file
If this checkbox is activated, this password is stored.
This means that you do not need to remember the
password when editing this certificate at a later date.
Subject Alternative Names (E-mail)*
This field is used to map the certificate to a user. For more information, see section 4.6
Configure SSL Certificate Logon.
Example: LoginCert_Admin

This login certificate needs to be imported into a browser application. Therefore, export
this certificate in .p12 format and import it into your browser application.
In addition, it is required to assign this login certificate to a user (user mapping). For more
information, see section 4.6 Configure SSL Certificate Logon.
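The subject fields above (Common Name, Organizational Unit, Organization, Locality, Country), the key length list, the YYYY-MM-DD date format and the 20-character password limit are the same in the wizard's Root CA and User CA steps and in the Issue dialogs of this section (SAP CA, SAP Server, SNC and Login certificates). The following Python example is added here and is not code from this guide or from the Secure Login Server: it renders the form fields as an RFC 4514 distinguished name with correct escaping and validates the entries as the forms describe them. The field names and the sample form are assumptions; the warning for key lengths below 2048 bits reflects NIST SP 800-131A, not a statement of this guide.

```python
import re
from datetime import date

# Values the forms in this guide list or state (not the product's own validation code)
ALLOWED_KEY_LENGTHS = (512, 1024, 1536, 2048, 3072, 4096)
MAX_PASSWORD_LENGTH = 20
# RSA keys below this size are disallowed for signature generation by NIST SP 800-131A
RECOMMENDED_MIN_KEY_LENGTH = 2048

# Form field (assumed name) -> X.500 attribute type, in the order the forms present them;
# this is also the most-specific-first order of an RFC 4514 string DN.
FIELD_TO_ATTRIBUTE = (
    ("common_name", "CN"),
    ("organization_unit", "OU"),
    ("organization", "O"),
    ("locality", "L"),
    ("country", "C"),
)

# Constructed sample using the User CA example values of the wizard table
SAMPLE_FORM = {
    "common_name": "User CA SAP Security",
    "organization_unit": "SAP Security Department",
    "organization": "Company xyz",
    "locality": "Walldorf",
    "country": "DE",
    "key_length": 2048,
    "valid_from": "2011-12-01",
    "valid_to": "2021-12-01",
    "password": "example-pw",          # constructed value
    "confirm_password": "example-pw",
}


def escape_rdn_value(value):
    """Escape an attribute value for an RFC 4514 string DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_subject_dn(form):
    """Render the filled-in fields as an RFC 4514 DN, most specific RDN first."""
    rdns = []
    for field, attr in FIELD_TO_ATTRIBUTE:
        value = (form.get(field) or "").strip()
        if value:
            rdns.append(f"{attr}={escape_rdn_value(value)}")
    return ",".join(rdns)


def _parse_date(text):
    """Accept only the YYYY-MM-DD format the forms require; None if invalid."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", text or ""):
        return None
    try:
        return date.fromisoformat(text)
    except ValueError:
        return None


def validate_form(form):
    """Return (errors, warnings): errors block the form, warnings flag weak choices."""
    errors, warnings = [], []
    if not (form.get("common_name") or "").strip():
        errors.append("Common Name is mandatory")
    country = form.get("country")
    if country and not re.fullmatch(r"[A-Z]{2}", country):
        errors.append("Country must be a two-letter code such as DE")
    start, end = _parse_date(form.get("valid_from")), _parse_date(form.get("valid_to"))
    if start is None or end is None:
        errors.append("Valid From and Valid To must be dates in YYYY-MM-DD format")
    elif end <= start:
        errors.append("Valid To must be later than Valid From")
    key_length = form.get("key_length")
    if key_length not in ALLOWED_KEY_LENGTHS:
        errors.append(f"Encryption Key Length must be one of {ALLOWED_KEY_LENGTHS}")
    elif key_length < RECOMMENDED_MIN_KEY_LENGTH:
        warnings.append(f"{key_length}-bit RSA keys are below the 2048-bit minimum of NIST SP 800-131A")
    password = form.get("password") or ""
    if not password:
        errors.append("Password is mandatory")
    elif len(password) > MAX_PASSWORD_LENGTH:
        errors.append(f"Password is limited to {MAX_PASSWORD_LENGTH} characters")
    if password != form.get("confirm_password"):
        errors.append("Confirm Password does not match Password")
    return errors, warnings


if __name__ == "__main__":
    print(build_subject_dn(SAMPLE_FORM))
    print(validate_form(SAMPLE_FORM))
```

The escaping matters when a company name or department contains a comma or a plus sign: without it the DN would be parsed as additional RDNs, and certificate-to-user mappings that compare DN strings would not match.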

Export Certificate
Use this function to export any kind of certificate in the PKI list.
1. Choose the desired certificate in the PKI tree list, for example Root CA SAP
Security.
2. Select the Export Type, for example .pse.
3. Define the password of the exported certificate file.
4. Choose the Export pushbutton to save the file to the desired location.

Option
Details
Export Type
.pse
Exports the certificate in PSE format.
This file includes all keys and all certificates of the
complete certificate chain.
.crt
Exports the public certificate information.
.p12
Exports the certificate in P12 format.
This file includes all keys and all certificates of the
complete certificate chain used.
.jks
Exports the certificate in Java Key Store format.

Import Certificate
If a certificate entry in the list is grayed out, this certificate is not present. Use the
import function to load a new certificate.
1. Choose the desired certificate in the PKI tree list, for example SAP_CA.
2. Choose Browse to open a file browser. Locate and open the PSE file.
3. Enter the password for the PSE file in the field Open Password.
4. As an option, you can choose to save the password.
5. Choose the Import pushbutton to complete your import.

Imported certificates need to be part of the PKI structure. A trust relation to an existing
root CA certificate, when available, is required.
If the desired certificate has no trust relation to the root CA certificate, the error
message Trust connection cannot be established with ROOT CA appears.

3.3.4 Trust Store Management


The Trust Store declares which certificates the Secure Login Server accepts as coming from a
trusted source. You can use this page to view the Trust Store file content,
export a certificate, delete a certificate, and add new certificates.
Typically the following certificates are installed in the Secure Login Server Trust Store:
SSL CA Certificate (public certificate).
This certificate is used to verify the SSL connection in the option Server Status.
LDAPS CA Certificate (public certificate).
This certificate is used to establish secure communication to the LDAP server.

Depending on the PKI structure, it may be necessary to import the certificate chain.

Figure: Administration Console Trust Store Management

Entries marked with an asterisk (*) are mandatory.

Option

Details

Certificate Alias*
Alias for the imported certificates.
Certificate Location
The certificate location. Select one of the following
locations (this causes the third option to change
accordingly):
Local Host*
The path to a certificate in the local file system.
PublicURL*
Certificate available via a public URL.
Add to Trust Store
Adds the certificate information to the Trust Store.
Delete
Use this button to remove the selected certificate from
the Trust Store (only visible if a certificate has been
added to the Trust Store).
Export
Use this button to export the selected certificate from
the Trust Store (only visible if a certificate has been
added to the Trust Store).

Changes in Trust Store require a restart of the SAP NetWeaver Application Server.

3.3.5 Certificate Template


This section describes the Certificate Template page of the administration console. Use the
functionality on this page to perform any certificate template-related task.
Choose the Certificate Template node in the left-hand pane of the administration console.
The following page appears:

Figure: Administration Console Certificate Template Management

The default template cannot be deleted, changed, or exported. The Mapping option is only
available if an additional certificate template is available.

Option
Details
Template Name
Templates created by the user and available for use are
listed here. By default, the default template is available.
Add
Adds a new certificate template. This takes you to the
template creation page.
Copy
Duplicates the selected template. This takes you to the
template creation page.
Edit
Edits a selected template. This takes you to the template
creation page.
Delete
Deletes a template selected in the list.
Mapping
Maps any template to another.
Export
Exports a template as an XML file. If you select more than
one template for export, all of the templates are incorporated
into a single XML file.
Import
Imports templates found on the local machine/network to the
list.

Add a New Certificate Template


This section describes how you create a new certificate template.
Click the Add button and the following information appears:

Figure: Administration Console New Certificate Template

Entries marked with * are mandatory.

Option
Details
Template Name*
The unique template identifier.
SubjectKeyIdentifier
Use this option to identify the specific public key used in an
application.
AuthorityKeyIdentifier
Use this option to identify the public key corresponding to the
private key that is used to sign a certificate.
CertificatePolicies
This option indicates the policy under which the certificate
has been issued and the purposes for which the certificate
may be used.
Checking this option will open a mandatory field for the
CertificatePolicies.OID (enter the ID and choose Add).
KeyUsage
The key usage extension defines the purpose of the key
contained in the certificate.
DigitalSignature
Use when the public key is used with a digital signature
mechanism to support security services other than
non-repudiation, certificate signing, or CRL signing. Digital
signatures are often used for entity authentication and data
origin authentication with integrity.
NonRepudiation
Use when the public key is used to verify digital signatures
used to provide a non-repudiation service. Non-repudiation
protects against the signing entity falsely denying some
action (excluding certificate or CRL signing).
KeyEncipherment
Use when a certificate is used with a protocol that encrypts
keys. An example is S/MIME enveloping where a fast
(symmetric) key is encrypted with the public key from the
certificate. SSL protocol also performs key enciphering.
DataEncipherment
Use when the public key is used for encrypting user data,
other than cryptographic keys.
KeyAgreement
Use when the sender and receiver of the public key need to
derive the key without using encryption. This key can be
used to encrypt messages between the sender and receiver.
Key agreement is typically used with Diffie-Hellman ciphers.
KeyCertSign
Use when the subjects public key is used for verifying a
signature on public key certificates. If the keyCertSign is
asserted, the CA bit in the basic constraints extension must
also be asserted.
CrlSign
Use when the subject public key is used for verifying a
signature on certificate revocation list. CrlSign must be
asserted in certificates that are used to verify signatures on
CRLs.
EncipherOnly
Use only when key agreement is also enabled. This enables
the public key to be used only for enciphering data while
performing key agreement.
DecipherOnly

06/2011

71

3 Administration

Use only when key agreement is also enabled. This


enables the public key to be used only for deciphering data
while performing key agreement.
For more information about standard certificate extensions,
see http://www.ietf.org/rfc/rfc3280.txt
ExtendedKeyUsage

This option defines the extended purpose of the key contained in the certificate.
Example SNC/SSF Client Certificate:
KeyUsage: DigitalSignature, NonRepudiation, KeyEncipherment, DataEncipherment
ExtendedKeyUsage: ClientAuthentication
Example SNC Server Certificate:
KeyUsage: DigitalSignature, NonRepudiation, KeyEncipherment, DataEncipherment
For more information about standard certificate extensions, see http://www.ietf.org/rfc/rfc3280.txt

BasicConstraints

This option defines whether the subject of the certificate is a Certification Authority and how deep a certification path may exist through that Certification Authority.
Checking this option will open the following sub-options:

Is critical?
If you select this option, the basic constraints parameter is required in the certificate for communication to be successful.
Is CA?
This option defines whether the subject of the certificate is a Certification Authority. When you select this option, the Path Length field opens. Enter the number of levels for which the constraints are valid.

Private Extensions

Add a user-specific extension to the template.
Choose Add and open the Create Private Extension input page:
Extension Name*
The unique name for this extension
Base64/DER Encoded Data*
The content of the private extension in Base64 or DER format
Add
Adds the information from the fields above to the certificate template (this will also take you back to the Create Certificate Template page).
Cancel
Cancels the Create Private Extension configuration step.

Reset

Clears the fields of any entries.

Cancel

Cancels the Create Certificate Template configuration step.

For more information about standard certificate extensions, see http://www.ietf.org/rfc/rfc3280.txt
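The KeyUsage bits and ExtendedKeyUsage purposes selected in a template end up in the certificate as DER-encoded extensions. The following added example (not code from this guide or from Secure Login Server) encodes the two template examples given above and checks the two consistency rules the table states; bit numbers and OIDs follow RFC 3280, and all function names are assumptions of this illustration.

```python
# Added example, not code from the SAP guide: DER-encode the KeyUsage and
# ExtendedKeyUsage extensions a certificate template selects, and check the
# two rules the text states (KeyCertSign needs the CA bit in BasicConstraints;
# EncipherOnly/DecipherOnly need KeyAgreement). Bit numbers and OIDs follow
# RFC 3280; all function names are assumptions of this illustration.

# KeyUsage named bits, RFC 3280 section 4.2.1.3.
KEY_USAGE_BITS = {
    "DigitalSignature": 0, "NonRepudiation": 1, "KeyEncipherment": 2,
    "DataEncipherment": 3, "KeyAgreement": 4, "KeyCertSign": 5,
    "CrlSign": 6, "EncipherOnly": 7, "DecipherOnly": 8,
}

# ExtendedKeyUsage purposes, RFC 3280 section 4.2.1.13 (the guide's example
# uses ClientAuthentication).
EXTENDED_KEY_USAGE_OIDS = {
    "ServerAuthentication": "1.3.6.1.5.5.7.3.1",
    "ClientAuthentication": "1.3.6.1.5.5.7.3.2",
    "EmailProtection": "1.3.6.1.5.5.7.3.4",
}
KEY_USAGE_OID = "2.5.29.15"
EXTENDED_KEY_USAGE_OID = "2.5.29.37"


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as an ASN.1 OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def key_usage_bit_string(usages) -> bytes:
    """BIT STRING for the named-bit list; DER drops trailing zero bits."""
    bits = sorted(KEY_USAGE_BITS[u] for u in usages)
    if not bits:
        return der_tlv(0x03, b"\x00")
    nbytes = bits[-1] // 8 + 1
    data = bytearray(nbytes)
    for b in bits:
        data[b // 8] |= 0x80 >> (b % 8)   # bit 0 is the most significant bit
    unused = nbytes * 8 - (bits[-1] + 1)
    return der_tlv(0x03, bytes([unused]) + bytes(data))


def der_extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }."""
    body = der_oid(oid)
    if critical:  # DEFAULT FALSE, so the BOOLEAN is only encoded when TRUE
        body += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, body + der_tlv(0x04, value))


def key_usage_extension(usages, critical: bool = True) -> bytes:
    return der_extension(KEY_USAGE_OID, key_usage_bit_string(usages), critical)


def extended_key_usage_extension(purposes) -> bytes:
    oids = b"".join(der_oid(EXTENDED_KEY_USAGE_OIDS[p]) for p in purposes)
    return der_extension(EXTENDED_KEY_USAGE_OID, der_tlv(0x30, oids))


def check_template(usages, is_ca: bool = False):
    """Return the consistency rules from the text that the selection violates."""
    problems = [f"unknown key usage {u}" for u in usages if u not in KEY_USAGE_BITS]
    if "KeyCertSign" in usages and not is_ca:
        problems.append("KeyCertSign requires the CA bit in BasicConstraints")
    for only in ("EncipherOnly", "DecipherOnly"):
        if only in usages and "KeyAgreement" not in usages:
            problems.append(f"{only} requires KeyAgreement")
    return problems


# The two templates the guide gives as examples.
SNC_SSF_CLIENT_KEY_USAGE = ["DigitalSignature", "NonRepudiation",
                            "KeyEncipherment", "DataEncipherment"]
SNC_SSF_CLIENT_EXTENDED = ["ClientAuthentication"]
SNC_SERVER_KEY_USAGE = list(SNC_SSF_CLIENT_KEY_USAGE)   # no ExtendedKeyUsage

if __name__ == "__main__":
    print(key_usage_extension(SNC_SSF_CLIENT_KEY_USAGE).hex())
    print(extended_key_usage_extension(SNC_SSF_CLIENT_EXTENDED).hex())
    print(check_template(["KeyCertSign"], is_ca=False))
```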


Mapping Certificate Template


This section describes how you can map certificate templates to server instances (user
certificates) or SAP server certificates.
Choose the desired template name and choose the Mapping button.

Figure: Administration Console Certificate Template

The default template cannot be deleted, changed, or exported. The Mapping option is only
available for the default template if another certificate template is available.

Figure: Administration Console Certificate Template Mapping


Option

Details

SAP Server Certificate

Assigns the certificate template that is used to create SAP server certificates.

User Certificate

Assigns the certificate template to an instance used for creating user certificates.

To confirm any changes, choose Save.


Export Certificate Template


This section describes how to export certificate templates as an XML file.
Choose the desired template and choose the Export button.

Figure: Administration Console Export Certificate Template


Option

Details

[List Box]

Selected Template
Exports the selected certificate template.
All Templates
Exports all certificate templates.

Export

Executes the export procedure.

Cancel

Cancels the export procedure.

Import Certificate Template


This section describes how to import certificate templates into the Certificate Template
Management page.
Choose the Import button.

Figure: Administration Console Import Certificate Template


Option

Details

Browse

Opens a file browser to locate a certificate template XML file.

Import

Executes the import procedure.

Cancel

Cancels the import procedure.


3.3.6 System Check


This section describes the System Check page of the Administration Console. This feature
displays the status of the system configuration (whether the components necessary for
Secure Login functionality are currently available).
This function is similar to the initial wizard page (prerequisite check).

Figure: Administration Console System Check


Option

Details

Authentication Configuration

Configuration of the authentication

General System Checks

Files and Folder
Are read/write permissions to the file system available?
SAP Cryptolib
Checks the JavaSDK of the Secure Login Server.
IAIK SDK
Checks for the location of the IAIK SDK and displays the
version number.
Create PKCS#12 File
Checks if a P12 certificate format can be created.
Create PSE File
Checks if a PSE certificate format can be created.
JRE Crypto Policy
Checks if Java JCE is enabled.


PKI Structure

Checks if there are any missing or invalid certificates

SAP ID Check

SAP SNC Runtime
Checks if the Secure Login Library is installed and configured.
SAP JCO Runtime
Checks whether the SAP JCO can be found.

Server List

Server Name Check
Checks Instance Names and Instance IDs.

Trust Store

TrustStore
Check the Java Trust Store used by Secure Login Server.

3.3.7 Message Settings


This section describes the Message Settings page of the Administration Console. The message settings define the server messages that are sent to the Secure Login Client.
The Message Settings page allows you to do the following:

View currently available message language files


Create a new message language file
Edit a message language file

The following table contains the names of the message language files:
Message File Name / Language

serverMsg.properties
Template for translation

serverMsg_de.properties
German

serverMsg_en.properties
English

serverMsg_fr.properties
French

serverMsg_ja.properties
Japanese

serverMsg_pt.properties
Portuguese

serverMsg_ru.properties
Russian

serverMsg_zh_CN.properties
Chinese

The fallback message file is serverMsg_en.properties. This message file is used if the required language is not available. The language for the fallback scenario is English.


Create a Message File


Choose the Add button to create a new message language file.

Figure: Administration Console Create Message File


Choose the desired language and choose the Create New File button.
In this example the newly chosen language is Afrikaans. In this case, the name of the
message file is serverMsg_af.properties.
The predefined language for the new message file is English and needs to be translated
to the required language.
The file format is defined as: ServerMsg_<language_abbreviation>.properties

Edit a Message File


Choose the relevant message file and choose the Edit button.


Figure: Administration Console Edit Message File


To confirm any changes, choose Save.

To disable a server message, delete the message text.


Example: If the message Authentication process completed should be disabled, delete the
message text for the parameter AUTH_RESULT_ACTION_OK_MSG.


Message Format Configuration Option


The message format can either be plain text or rich text. Rich text messages are contained in
a body element. You can use the following codes:
Code / Details

<body>message</body>
The whole rich text message has to be enclosed in body start and end tags.

\r\n
Inserts a line break.

<b>text</b>
Uses bold formatting for text.

<any color=red>text<any>
Uses the color red for text (red is the only color supported).

<a href=URL>anchor</a>
Inserts a link to the destination URL with the link text anchor.

File Location of the Message Files


The server message files are available in the following locations:
Microsoft Windows
<INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\classes
Linux
/usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/classes
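As an added illustration (not part of this guide or of the product), the following code shows how a client language is resolved to serverMsg_<language>.properties with the English fallback described above, and how a message whose text has been deleted is treated as disabled. The two message files are constructed inline; only the parameter name AUTH_RESULT_ACTION_OK_MSG and the \r\n line-break code come from the text, and the function names are assumptions.

```python
# Added example, not code from the SAP guide: resolve the message file for a
# client language (serverMsg_<language>.properties, falling back to
# serverMsg_en.properties) and apply the rule that a message whose text was
# deleted is disabled. The two files are constructed inline; only the key
# AUTH_RESULT_ACTION_OK_MSG comes from the text. Function names are assumptions.
import re
from typing import Dict, Optional

FALLBACK_FILE = "serverMsg_en.properties"

# Constructed sample message files in Java .properties syntax. \r\n is the
# line-break code from the message format table; the trailing backslash in
# LONG_MSG is a .properties line continuation.
SAMPLE_FILES: Dict[str, str] = {
    "serverMsg_en.properties": (
        "# English template\n"
        "AUTH_RESULT_ACTION_OK_MSG=Authentication process completed\n"
        "AUTH_FAILED_MSG=<body><b>Logon failed.</b>\\r\\nPlease try again.</body>\n"
        "LONG_MSG=first part \\\n"
        "    second part\n"
    ),
    "serverMsg_de.properties": (
        "AUTH_RESULT_ACTION_OK_MSG=\n"   # text deleted: this message is disabled
        "AUTH_FAILED_MSG=<body><b>Anmeldung fehlgeschlagen.</b></body>\n"
    ),
}


def _unescape(value: str) -> str:
    """Resolve the \\r, \\n, \\t, \\uXXXX and \\<char> escapes of .properties values."""
    def repl(m):
        esc = m.group(1)
        if esc == "r":
            return "\r"
        if esc == "n":
            return "\n"
        if esc == "t":
            return "\t"
        if len(esc) == 5 and esc[0] == "u":
            return chr(int(esc[1:], 16))
        return esc
    return re.sub(r"\\(u[0-9A-Fa-f]{4}|.)", repl, value)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: comments, key=value or key:value,
    and backslash line continuation (an odd number of trailing backslashes)."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending += line[:-1]          # continued on the next line
            continue
        line, pending = pending + line, ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = _unescape(m.group(2))
    return props


def select_message_file(language: str, available) -> str:
    """serverMsg_<language>.properties if it exists, else the English fallback."""
    name = f"serverMsg_{language}.properties"
    return name if name in available else FALLBACK_FILE


def resolve_message(key: str, language: str,
                    files: Dict[str, str] = SAMPLE_FILES) -> Optional[str]:
    """Message text for the client, or None when the message is disabled or unknown.
    A disabled message is not taken from the fallback file: deleting the text
    in the language file is the documented way to switch it off."""
    props = parse_properties(files[select_message_file(language, files)])
    text = props.get(key, "")
    return text if text.strip() else None
```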


3.3.8 SNC Configuration


This section describes the preparation required for Secure Login Server to run with SAP ID
authentication. This configuration step is optional and is only required if you want to integrate
SAP ID authentication.
The SNC certificate is used to establish a secure communication to the desired SAP
NetWeaver ABAP system. This secure communication is used to verify SAP User
Authentication.

The installation of the Secure Login Library (described in the Installation, Configuration,
and Administration Guide of the Secure Login Library) is a prerequisite.

Two options are available to define the SNC certificate:


Import P12 File
Import from Console (Certificate Management)

Import P12 File


If using the setup type From Local, choose the Browse button and select the desired P12
file. Define the password and choose the Upload button to install the SNC certificate.

Figure: Administration Console SNC Configuration Option From Local


Import from Console


The prerequisite for this option is that a SNC certificate (certificate type SNC_CERT) has
been created in Certificate Management. For more information, see section 3.3.3 Certificate
Management.
Select the desired SNC certificate and choose the Upload button to install the SNC
certificate.

Figure: Administration Console SNC Configuration Option: From Console

3.3.9 Server Status


The option Server Status provides server status information.

Figure: Administration Console Server Status


Criteria

Details

Date

Current date and time information

Version

Version of the Secure Login Server Kernel

Uptime

The amount of time the Server has remained active and running

Instance ID

Info: Server Instance

Configuration URL

File location of the Secure Login Server configuration file Configuration.properties.

Configuration Status

Integrity Check of the Secure Login Server Status

Lock Status

Lock Status = No
The Secure Login Server is not locked. Everything is OK and
the server is up and running.
Lock Status = Yes
The Secure Login Server is locked meaning that it has
encountered a problem. In this case, check the server
information pane in the top left of the screen for tasks that
still need to be performed as well as the log files for possible
problems.
An Unlock button appears next to the table entry (provided
that the administrator role has the necessary permissions).
Once you have resolved any problems, choose the Unlock
button to reset the Lock Status.

Secure Login Servlet Status

Verifies the status of the Secure Login Server Java Servlet.

Server Build

Secure Login Server Version

If the error message Cannot connect to the server using the SSL connection. Import the server's certificate into the Trust Store is displayed, add the SSL CA certificate (public certificate) to the Trust Store of the Secure Login Server.
For more information, see section 3.3.4 Trust Store Management.

3.3.10 Sign Certificate Requests


This section describes how to submit a certificate request to the Secure Login Server
Certification Authority in the administration console.
As an example scenario, a PSE or P12 could be generated on the SAP server side. On
the SAP server, a certificate request is created and sent to the Secure Login Server.
The Secure Login Server signs the certificate request and sends back a certificate
response which is recorded in the SAP server.


Figure: Administration Console Sign Certificate Requests

Entries marked with * are mandatory.

Option

Details

Base-64 Encoded Certificate Request (PKCS #10)

The content of the certificate request in Base64 encoding format.
Use the option Browse for a file to insert to import a certificate request file, then use the button Read to import it. Another option is to copy and paste the content of the certificate request into the Saved Request field.

Validity Period of Certificate*

Define the period of time for which the certificate is valid.

Certificate Encoding Type

Select the encoding type (DER or PEM) in which the certificate response is generated.

Certificate Template

If needed, select the desired certificate template. The default certificate template is used for the SAP environment.

Issuer

Choose the CA certificate with which the certificate request is signed.

Sign Certificate

The certificate reply is generated, and you are asked to store the certificate reply file.


3.3.11 Console Log Viewer


This section describes the Administration Console logging functionality. The log entries apply
only to the administration actions performed in the Administration Console.

Figure: Administration Console Console Log Viewer

This page displays all of the tasks performed using the Administration Console since logging
began. This page allows you to do the following:

Select a period of time to view with the Log Month combo box.
Export log files to a *.csv file format with the Export Logs function.
This entry is only visible if log entries are present.

The monthly table contains the following information about the administration tasks:
Option

Details

Date

The date the task was performed.

Time

The time the task was performed.

Code

The internal message code of the task performed.

Level

An abbreviated description of the message level.


Possible message levels:
INF
Information
ERR
Error
WAR
Warning

User

The name of the user/administrator that performed the action.

Action

A quick description of the action, for example EDIT or OTHER.

Server

The server instances to which the action was directed

Description

A description of the message/task


3.3.12 Web Client Configuration


This section describes the configuration settings for the Secure Login Web Client.
The Web Client Configuration is divided into three tabs:

Properties Configuration
In this section, you configure the Secure Login Web Client profiles.
Message Settings
In this section, you can configure the server messages provided to the Secure Login Web
Client.
Package Management
In this section, you can configure the SNC library for the respective Secure Login Web
Client. By default, three packages are available, for Microsoft Windows, Linux and Mac
OS X.
Note that there are server messages available for Secure Login Client (described in
section 3.3.7 Message Settings) and Secure Login Web Client.

Properties Configuration Web Client Application Path


The parameter WebClientConfigPath is read-only and used for verification purposes. This
configuration links the Secure Login Server to the Secure Login Web Client application.

Properties Configuration Common Configuration


The Common Configuration defines the parameter for Secure Login Web Client profile
Launch SAP Logon.

Figure: Secure Login Web Client profile Launch SAP Logon


To configure this profile, choose the Edit button. The following options are available in
Common Configuration:

Option

Details

PORTALURL

URL address for certificate-based login to be called after successful user authentication.
This option depends on the parameter ACTION.


ACTION

The action to be performed by the Secure Login Web Client after successful user authentication. The following options are available:
No action after authentication
After successful user authentication, no action is performed.
Open Portal
After successful user authentication the URL defined in PORTALURL is used.
Launch SAP GUI
After successful user authentication the SAP GUI application is started.
Both SAP Portal and SAP GUI
After successful user authentication the URL defined in PORTALURL is used, and the SAP GUI application is started.

PackURL

The name of the folder where the SNC libraries for the Secure Login Web Client are stored.
By default, three SNC libraries are available in the folder DownloadPacks, for Linux, Microsoft Windows and Mac OS X.

SAPLogon.slsinstance

Secure Login Server Instance (user authentication method) to be used for Secure Login Web Client.

ClientLogging

This option determines the logging options:
No
No Client log file is created and no logging is performed.
Temp
Client creates a log file for each login session. The log file is deleted when the Secure Login Web Client is closed.
Full
The client log file is never deleted.

Save your changes.


The location of the Secure Login Web Client files depends on the operating system:
Microsoft Windows XP
C:\Documents and Settings\<user>\sapsnc\
Microsoft Windows Vista / Microsoft Windows 7
C:\Users\<user>\sapsnc\
Mac OS
/Users/<user>/sapsnc/
Linux
/home/<user>/sapsnc/


You can customize the file location of the Secure Login Web Client. For more information,
see section 4.5 Customize Secure Login Web Client.

Properties Configuration SAP Server Management


In SAP Server Management you define the parameters for additional profiles in Secure Login Web Client. Profiles of this type are used to log on directly to the desired SAP server system after successful user authentication.
Use this section of the page to add a new SAP server configuration (Add), view and edit an existing SAP server configuration (Edit), and delete an SAP server configuration (Delete).
To import SAP server configurations from saplogon.ini files, choose the button Upload SAP Server List from File.

Figure: Administration Console SAP Server Management


To create a new SAP server configuration, choose the Add button. The following screen
contains the sections and parameters described below.
Option

Details

SAP GUI for Java

It is mandatory to fill these four fields.
label
Profile name.
host
IP address or FQDN of the desired SAP server system.
port
Port of the desired SAP server system
sncname
SNC name of the desired SAP server system

SAP GUI for Microsoft Windows

shortcut.Name
Identifier used in multi-instance configurations.
shortcut.Description
The name of the server profile in SAP GUI for Microsoft Windows (in SAPGUI this is the Description field). This is the essential reference to the profile.

The Instance ID this server uses

Secure Login Server instance (user authentication method) to be used for Secure Login Web Client


Properties Configuration Platform Configuration


In Platform Configuration you define the parameters for SAP GUI for Microsoft Windows and SAP GUI for Java. This configuration depends on the operating system.
For the operating systems Mac OS and Linux, only SAP GUI for Java can be configured.
For the operating system Microsoft Windows, SAP GUI for Microsoft Windows and SAP GUI for Java can be configured.

Figure: Administration Console Platform Configuration


Select a platform and choose the Edit button. In this example, the Microsoft Windows
platform is shown.

Figure: Administration Console Platform Configuration - Microsoft Windows


Option

Details

SAP GUI for Java

SAP.start.binary
GUI application name for SAP GUI for Java.
SAP.logon.binary
SAP Logon application name for SAP GUI for Java.
SAP.start
Path used to locate the SAP applications. Use the
Add button to add an additional search path. Use the
Delete button to remove an existing search path.

SAP GUI for Microsoft Windows
(This option is only available for Microsoft Windows platforms)

SAP.start.win.binary
GUI application name for SAP GUI for Microsoft Windows.
SAP.logon.win.binary
SAP Logon application name for SAP GUI for Microsoft Windows.
SAP.start.win
Path used to locate the SAP applications. Use the button Add to create an additional search path. Use the button Delete to remove an existing search path.

Supported Operating System

The platforms for which the properties on this page are applicable. The platform name is listed along with the files required by each platform to function correctly.


Message Settings
In this section, you can configure the server messages provided to the Secure Login Web
Client.

Figure: Administration Console Message Settings

The fallback message file is SNCAppletMessages.properties. This message file is used if the required language is not available. The language for the fallback scenario is English.
To disable a server message, delete the message text.
To create a new message language file, choose the Add button. To configure an existing
message language file, choose the Edit button.

Package Management
In this section, you can configure the SNC library for the desired Secure Login Web Client. By
default, several packages are available, for Microsoft Windows, Linux and Mac OS X.
To update or add new files, choose the Upload button.

3.4 Instance Management


In Instance Management, you can define the user authentication mechanism and client
policy. The DefaultServer Instance is installed by default with the Secure Login Server and
cannot be changed.

3.4.1 DefaultServer Configuration


In the navigation tree, click the folder DefaultServer Configuration. The following screen
appears.

Figure: Administration Console Instance Management


To define the parameters which are described below, use the Edit button.
Entries marked with * are mandatory.

Option

Details

Authentication Server Configuration

Login Module
Select the desired user authentication mechanism.
The following authentication mechanisms are
available:
SPNegoLoginModule
SecureLoginModuleLDAP
SecureLoginModuleRADIUS
SecureLoginModuleSAP
BasicPasswordLoginModule
With the installation of Secure Login Server, Login Modules are installed in SAP NetWeaver. The name of the Login Modules is synchronized with the name of the JaasModule. The default is SPNegoLoginModule.
For more information about the configuration of the
Login Modules, see section 4.1 Configure Login
Module.
Policy Configuration Name
This is the name of the configured login module stack.

Secure Login User CA Keystore

PseType
This parameter is read-only. The key store format is
FilePSE.
PseName
Select the desired User CA for this instance.

User Certificate Configuration

In this section, you define the Distinguished Name of the user certificate. The common name (CN) is calculated by the Secure Login Server using the user credentials.
DN.country
Enter the country abbreviation in this field (C).
Example: DE
DN.locality
Enter the regional information in this field (L).
Example: Walldorf
DN.organization
Enter the company name in this field (O).
Example: Company xyz
DN.organizationUnit
Enter the division of the company in this field (OU).
Example: SAP Security Department
ValidityMinutes*
Time (in minutes) for which a user certificate is valid.
ValidityOffset*
Time offset in minutes relative to the server system
time for the certificates to start being valid. This
parameter is helpful if the client and server time are
not in sync.
UseUPN
If the Microsoft user credentials are used and the
User principal Name (UPN) is available, you can use
this parameter to define whether the UPN is used in
the CN field of the Distinguished Name of the user
certificate.
Example:
If this parameter is configured with true, the CN field
value is CN=Username@Domain.local
If this parameter is configured with false, the CN field
value is CN=Username

Certificate Template Configuration

These parameters are read-only and display-only parameters used for generating user certificates. For more information, see section 3.3.5 Certificate Template.

Log Configuration

These parameters are read-only. For more information, see Instance Log Management.

Other Server Configuration

LockDir
The path to which the lock file is saved. A lock file is
created when the server encounters an internal error
that requires manual intervention.
maxSessionInactiveInterval
Specifies the time, in seconds, between client requests before the servlet container will invalidate this session. This is applicable only in challenge mode (for example, password change).
AdminServletHeader
Header text to be displayed on the status page. Header text is used in Server Status and Instance Status.
AdminServletTrailer
Footer text to be displayed on the status page. Footer text is used in Server Status and Instance Status.
User-Defined Properties

Any properties defined by the administrator are configured here.
WebClientKeyStoreType
Defines the certificate export format for the Secure Login Web Client. The default value is PKCS12.
For more information about possible parameters, see the User-Defined Properties section.

Remember to configure the desired Login Module in SAP NetWeaver Administrator. For
more information about the configuration of the Login Modules, see section 4.1 Configure
Login Module.

User-Defined Properties
User-Defined Properties are used to define additional configuration settings depending on the instance. You can configure the following:

Secure Login Web Client Certificate Format
Certificate format used for Secure Login Web Client.
Certificate User Mapping Service
Change the value of the Common Name (CN) field of the user certificate Distinguished Name, based on the user mapping service.
Certificate User Name Service
Change the value format of the Common Name (CN) field of the user certificate Distinguished Name, based on the user name service.

Secure Login Web Client Certificate Format


Define the certificate export format for the Secure Login Web Client.
In the default instance the default value is PKCS12. If you create a new instance, you need to define this parameter.

Certificate User Mapping Service


This section describes how to configure the use of an attribute from an LDAP or Microsoft
Active Directory Server instead of the user name given by the client. This may be useful if the
SAP user names and the authenticated user names (for example, from a Microsoft Windows
domain) are not the same.


Example
The Microsoft user name is UserADS and the SAP user name is UserSAP. Without the Certificate User Mapping Service the Secure Login Server would create a user certificate with the Distinguished Name CN=UserADS.
If the SAP user name is stored in the Microsoft Active Directory, for example, in the attribute employeeID, the Secure Login Server can read this attribute and create a user certificate with the Distinguished Name CN=UserSAP.
This mapping is configured in the Certificate User Mapping Service.
The advantage of having the SAP user name in the Distinguished Name is easier configuration in the SAP NetWeaver ABAP/JAVA Server environment (user mapping configuration).

If users change their own attributes (for example, through a self-service), and these
attributes are used by the user certificate (issued by the Secure Login Server), a situation
may occur in which these users are able to assign additional rights to themselves. Thus
these users might get rights they are not supposed to have.
For this case, we recommend that you implement access restrictions for the change of
user attributes.

An AS ABAP uses, for example, certificate-based logon with the users' e-mail addresses in the Distinguished Names. The string in the certificate has the following format:
CN=employee@company.com
This means that the user's e-mail address is used for the user mapping in SNC. If an administrator enables the user to change his or her own data, for example, e-mail address, first name, last name etc. through a self-service, this user now has the possibility to enter, for example, his or her manager's e-mail address (manager@company.com) as attribute. Since this data is usually maintained centrally, this change would also affect the Secure Login Server. If the certificate user mapping feature of the Secure Login Server is configured with the e-mail address as an attribute of the certificate, the user receives a certificate with the Distinguished Name CN=manager@company.com. This user is now able to log on to the AS ABAP as his or her manager.

The prerequisite is that the SAP user name is stored in the LDAP or Microsoft Active
Directory system. The Certificate User Mapping Service depends on the Secure Login Server
user credential check against the authentication server.


Figure: Administration Console User-Defined Properties

Entries marked with * are mandatory.

Parameter

Details

LdapReadServers*

Number of LDAP servers that are configured here. A numerical value is expected and must be 1 or higher. The given value is used as n to define an ordered list of servers that are called in a fail-over manner.
To disable all configured servers, leave this field empty.

LdapReadTimeoutn

Connection timeout in seconds.

LdapReadUrln*

The LDAP server to be used to retrieve the attribute

LdapReadBaseDNn*

Define the Base DN of the desired LDAP server
Example Microsoft Active Directory: DC=DEMO,DC=LOCAL

LdapReadDomainn*

For Microsoft Active Directory: LDAP domain to be appended to the given user name if it is not a User Principal Name. If the name is already in UPN format, the property is ignored.

LdapReadUsern*

Define the technical user used to read the LDAP attribute from LDAP or Microsoft Active Directory Server.
Example Microsoft Active Directory: SecureLoginLDAP@DEMO.LOCAL

LdapReadPassn*

Define the password of the technical user used to read the LDAP attribute from LDAP or Microsoft Active Directory Server.

LdapReadAttributen*

Define the LDAP attribute which is used for the common name (CN) of the user certificate Distinguished Name.
Example: employeeID

The value n in the parameter is a counter and is defined depending on the parameter
LdapReadServers.

The Secure Login Server is able to verify user credentials and perform Certificate User
Mapping on a different server. The prerequisite is that the user name is available on both
servers.
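The following added example (not code from this guide or from Secure Login Server) turns the LdapRead* properties described above into the ordered fail-over list and resolves the mapping attribute through a pluggable lookup. The sample properties, the directory contents and the lookup itself are constructed stand-ins for a real LDAP query; the function names are assumptions.

```python
# Added example, not code from the SAP guide: build the ordered fail-over list
# from the LdapReadServers / LdapRead<Name>n properties described above and
# resolve the mapping attribute through a pluggable lookup. The sample
# properties, directory contents and the lookup are constructed stand-ins
# for a real LDAP query; function names are assumptions of this illustration.
from typing import Callable, Dict, List, Optional

# Per-server properties the text marks as mandatory (suffix n = 1..LdapReadServers).
REQUIRED = ("LdapReadUrl", "LdapReadBaseDN", "LdapReadDomain",
            "LdapReadUser", "LdapReadPass", "LdapReadAttribute")

# Constructed sample configuration: two servers; the first one will be unreachable.
SAMPLE_PROPS: Dict[str, str] = {
    "LdapReadServers": "2",
    "LdapReadUrl1": "ldaps://dc1.demo.local:636",      # constructed
    "LdapReadTimeout1": "5",
    "LdapReadBaseDN1": "DC=DEMO,DC=LOCAL",
    "LdapReadDomain1": "DEMO.LOCAL",
    "LdapReadUser1": "SecureLoginLDAP@DEMO.LOCAL",
    "LdapReadPass1": "<password-placeholder>",
    "LdapReadAttribute1": "employeeID",
    "LdapReadUrl2": "ldaps://dc2.demo.local:636",      # constructed
    "LdapReadTimeout2": "5",
    "LdapReadBaseDN2": "DC=DEMO,DC=LOCAL",
    "LdapReadDomain2": "DEMO.LOCAL",
    "LdapReadUser2": "SecureLoginLDAP@DEMO.LOCAL",
    "LdapReadPass2": "<password-placeholder>",
    "LdapReadAttribute2": "employeeID",
}

# Constructed directory contents: UPN -> values of the employeeID attribute.
SAMPLE_DIRECTORY: Dict[str, List[str]] = {
    "UserADS@DEMO.LOCAL": ["UserSAP"],
    "Ambiguous@DEMO.LOCAL": ["USERA", "USERB"],
    "NoMapping@DEMO.LOCAL": [],
}


def ldap_read_servers(props: Dict[str, str]) -> List[Dict[str, str]]:
    """Servers 1..n in fail-over order; an empty LdapReadServers disables all."""
    count = props.get("LdapReadServers", "").strip()
    if not count:
        return []
    n = int(count)
    if n < 1:
        raise ValueError("LdapReadServers must be 1 or higher")
    servers = []
    for i in range(1, n + 1):
        missing = [name for name in REQUIRED if not props.get(f"{name}{i}")]
        if missing:  # refuse a half-configured server rather than skipping it silently
            raise ValueError(f"server {i}: missing {', '.join(missing)}")
        server = {name: props[f"{name}{i}"] for name in REQUIRED}
        server["LdapReadTimeout"] = int(props.get(f"LdapReadTimeout{i}") or 0)
        servers.append(server)
    return servers


def to_upn(user_name: str, domain: str) -> str:
    """LdapReadDomain is appended unless the name is already a UPN."""
    return user_name if "@" in user_name else f"{user_name}@{domain}"


Lookup = Callable[[Dict[str, str], str], Optional[List[str]]]


def map_user_name(user_name: str, props: Dict[str, str], lookup: Lookup) -> str:
    """Return the CN to use for the user certificate.

    Servers are tried in order; a connection error moves on to the next one,
    but a missing or ambiguous attribute value is an error, since issuing a
    certificate for a guessed name would be worse than issuing none."""
    for server in ldap_read_servers(props):
        try:
            values = lookup(server, to_upn(user_name, server["LdapReadDomain"]))
        except ConnectionError:
            continue
        if not values:
            raise LookupError(f"{server['LdapReadAttribute']} not set for {user_name}")
        if len(values) != 1:
            raise LookupError(f"{server['LdapReadAttribute']} is multi-valued for {user_name}")
        return values[0]
    raise ConnectionError("no configured LDAP server reachable")


def sample_lookup(server: Dict[str, str], upn: str) -> Optional[List[str]]:
    """Constructed stand-in for the LDAP query: dc1 is down, dc2 answers."""
    if server["LdapReadUrl"].startswith("ldaps://dc1."):
        raise ConnectionError("dc1 unreachable")
    return SAMPLE_DIRECTORY.get(upn)
```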

Certificate User Name Service

There are two use cases available for configuring the Certificate User Name Service.

SAP user IDs have a maximum length of 12 characters (SAP NetWeaver ABAP environment), which needs to be considered by SNC X.509 certificates. The password length or value can be customized.
If user names in the common name (CN) field need a fixed or minimum length, padding can be turned on. Typically this configuration is used if personnel numbers are used.

Figure: Administration Console User-Defined Properties

MaxUserNameLength
    Maximum number of characters that a user name in the common name (CN)
    field can have. If the given user name is longer, it is cut from the
    right side.
    Default value: 12
    Example: with the default settings, LongUsernameSAP is cut to
    LongUsername.
    Note that two user names which differ only after the cut-off position
    receive the same CN; check the user base for such collisions before
    relying on truncation.

UserNamePaddingLength
    If user names in the common name (CN) field need a fixed or minimum
    length, padding can be turned on. The padding length sets the minimum
    length of user names.
    Default value: None

UserNamePaddingChar
    The padding character is used to fill user names on the left side if
    they are shorter than the configured padding length
    (UserNamePaddingLength).
    Default value: None
    Example: with UserNamePaddingLength = 11 and UserNamePaddingChar = 0,
    ShortName is extended to 00ShortName.
    This configuration is typically used if personnel numbers are used as
    user names.
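The CN derivation described by these three properties, as an added example that is not part of the SAP guide: it applies the truncation and padding rules to a user name and then runs a collision check over a user list, which is the check a PKI administrator wants before enabling enrollment. The function and parameter names, the assumption that truncation happens before padding, and the sample user names are this example's own.

```python
"""Added example, not part of the SAP guide: the CN derivation controlled by
MaxUserNameLength, UserNamePaddingLength and UserNamePaddingChar, plus a
collision check over a user list.  That truncation happens before padding
is an assumption of this example; the sample user names are constructed."""

from collections import defaultdict


def derive_cn(user_name, max_user_name_length=12,
              user_name_padding_length=None, user_name_padding_char=None):
    """Return the common name (CN) derived from a user name.

    Names longer than max_user_name_length are cut from the right side;
    when padding is configured, shorter names are filled on the left side
    with user_name_padding_char up to user_name_padding_length.
    """
    cn = user_name
    if max_user_name_length is not None and len(cn) > max_user_name_length:
        cn = cn[:max_user_name_length]
    if user_name_padding_length is not None and user_name_padding_char:
        cn = cn.rjust(user_name_padding_length, user_name_padding_char)
    return cn


def find_cn_collisions(user_names, **settings):
    """Group user names by the CN they produce and return only the CNs
    claimed by more than one user.  Two distinct accounts that share a CN
    would be issued certificates with the same subject, which is why the
    truncation settings should be checked against the real user base before
    enrollment goes live."""
    by_cn = defaultdict(list)
    for name in user_names:
        by_cn[derive_cn(name, **settings)].append(name)
    return {cn: names for cn, names in by_cn.items() if len(names) > 1}


# Constructed sample user base (not real accounts).
SAMPLE_USERS = ["LongUsernameSAP", "LongUsernameHR", "ShortName", "4711"]

if __name__ == "__main__":
    print(derive_cn("LongUsernameSAP"))                       # LongUsername
    print(derive_cn("ShortName", user_name_padding_length=11,
                    user_name_padding_char="0"))              # 00ShortName
    print(find_cn_collisions(SAMPLE_USERS))
```

Run the collision check against an export of the real user base (one user name per entry) with the settings of the instance; any non-empty result means two accounts would map to the same certificate subject and the settings or the user names have to change first.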

Instance Configuration - Client Configuration


This section describes how you can define the client policy and how it is used by the Secure
Login Client.
Client Policy
Define the URL of the Secure Login Server; used by the Secure Login Client to retrieve the
client policy.

Figure: Administration Console Instance Management - Client Policy

Entries marked with * are mandatory.

Policy URL*
    Network resource (Secure Login Server) from which the latest Secure Login
    Client policy can be downloaded. The Policy URL depends on the instance
    configuration:
    ClientPolicy.xml
        Client policy defined in the default instance of the Secure Login
        Server.
    ClientPolicy.xml&path=000xx
        Client policy defined in instance xx (instance number) of the Secure
        Login Server.

PolicyTTL*
    Interval in minutes after which the Secure Login Client checks for an
    updated client policy.
    Default: 0 minutes. By default, the Secure Login Client also checks for a
    new client policy during the system startup of the client PC (see
    Disable update policy on startup).

Network Timeout (seconds)*
    Network timeout in seconds before the connection is closed if the server
    does not respond.
    The default value is 45 seconds.

Disable update policy on startup
    By default the Secure Login Client checks for a new client policy during
    the system startup of the client PC. Use this parameter to disable this
    feature.
    No
        The Secure Login Client updates the client policy at startup.
    Yes
        The Secure Login Client does not update the client policy at startup.
    Default value: No

Save
    Saves the configuration.

Cancel
    Cancels the configuration.

Applications
Defines which client profile is used for which SAP server application.

Figure: Administration Console Instance Management - Applications

Specify the applications action
    Existing application profiles are handled as configured by action.
    Clean
        Deletes all existing profiles in the selected policy key before the
        given ones are written.
    Replace
        Replaces any existing profiles of the same name in the selected policy
        key with the given one.
    Keep
        Keeps any existing profiles of the same name in the selected policy
        key and does not write the given one (default).
    The default value is Clean.

Add Application
    Adds a new application.

Edit
    Edits the chosen application.

Delete
    Deletes the chosen application.

To define the application parameters, choose the Add Application or Edit
button.

Figure: Administration Console Instance Management Edit Application

Entries marked with * are mandatory.

Application Name*
    Defines a name for this application template.

GSS Target Name*
    Application-specific PSE URI (SAP server SNC name) that is matched when a
    suitable profile is searched for. You can use the wildcards * and ?.
    Examples:
    SNC/CN=SAP, OU=SAP Security, C=DE
    SNC/CN=Server*, O=Company xyz
    The value * means that the client profile is used for all SAP servers.

Profile
    The name of the client profile to be used for the desired application.

allowFavorite
    Allows the user to select the authentication profile manually in the
    Secure Login Client.
    No
        A user cannot select the authentication profile manually in the
        Secure Login Client.
    Yes
        A user can select the authentication profile manually in the Secure
        Login Client.
    The default value is Yes.

Save
    Saves the configuration.

Clear
    Clears the fields (Application Name and GSS Target Name).

Back
    Goes back to the Client Configuration page.
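How the GSS Target Name patterns select a client profile, as an added example that is not part of the SAP guide. The pattern syntax (literal text plus the wildcards * and ?) is the one described above; that templates are evaluated in order with the first match winning, and that the comparison is case-insensitive, are assumptions of this example, and the templates themselves are constructed. The last function flags catch-all templates, since a template whose target is just * hands the same profile to every server that asks and therefore deserves review before roll-out.

```python
"""Added example, not part of the SAP guide: selecting the client profile
whose GSS Target Name matches an SAP server's SNC name.  The pattern syntax
(literal text plus the wildcards * and ?) is the one the guide describes;
first-match-wins ordering and case-insensitive comparison are assumptions of
this example, and the application templates below are constructed."""

import re


def gss_pattern_to_regex(pattern):
    """Translate a GSS Target Name pattern into an anchored regex.
    '*' matches any run of characters, '?' exactly one character and every
    other character literally, so '.', '+' or '=' inside a DN are not
    treated as regex operators."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def select_profile(applications, snc_name):
    """Return the profile of the first application template whose GSS Target
    Name matches snc_name, or None if no template matches.  `applications`
    is a list of (application_name, gss_target_name, profile) tuples in the
    order they are evaluated."""
    for _app_name, gss_target, profile in applications:
        if gss_pattern_to_regex(gss_target).match(snc_name):
            return profile
    return None


def catch_all_templates(applications):
    """Names of templates whose GSS Target Name consists of wildcards only.
    Such a template hands the same profile to every server that asks, so it
    deserves a review before the policy is rolled out."""
    return [app for app, gss, _profile in applications
            if gss.strip("*?") == ""]


# Constructed application templates, in evaluation order.
APPLICATIONS = [
    ("ERP production", "SNC/CN=SAP, OU=SAP Security, C=DE", "erp_prompted"),
    ("Company xyz servers", "SNC/CN=Server*, O=Company xyz", "xyz_windows"),
    ("Fallback", "*", "default_windows"),
]

if __name__ == "__main__":
    for name in ("SNC/CN=SAP, OU=SAP Security, C=DE",
                 "SNC/CN=Server01, O=Company xyz",
                 "SNC/CN=Unknown, O=Somewhere"):
        print(name, "->", select_profile(APPLICATIONS, name))
    print("catch-all templates:", catch_all_templates(APPLICATIONS))
```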

Profiles
This section describes the configuration of the client profiles.

Figure: Administration Console Instance Management - Profiles

You can also specify the profiles action
    Existing profiles are handled as configured by action.
    Clean
        Deletes all existing profiles in the selected policy key before the
        given ones are written.
    Replace
        Replaces any existing profiles of the same name in the selected policy
        key with the given one.
    Keep
        Keeps any existing profiles of the same name in the selected policy
        key and does not write the given one (default).
    The default value is Clean.

Add Profile
    Adds a new profile.

Edit
    Edits the chosen profile.

Delete
    Deletes the chosen profile.

To define the profile parameters, choose the Add Profile or Edit button.


Figure: Administration Console Instance Management Edit Profile

Entries marked with * are mandatory.

Profile Name*
    Defines a name for this profile template.

PSE Type
    Authentication type.
    promptedlogin
        With this profile, the user is prompted to enter the user credentials.
    windowslogin
        With this profile, the user credentials are provided automatically
        (only available for Microsoft Windows authentication with the SPNego
        login module).
    The default value is windowslogin.

Enroll URL*
    Secure Login Server URL that is used for user authentication and the
    certificate request. The Enroll URL depends on the instance
    configuration.
    <Server>/securelogin/PseServer
        Enroll URL of the default instance of the Secure Login Server.
    <Server>/securelogin/PseServer&id=000xx
        Enroll URL of instance xx (instance number) of the Secure Login
        Server.
    To configure further Enroll URLs, use the Add button. This is the
    failover configuration for the Secure Login Client: if the Secure Login
    Client cannot establish a connection to the first Enroll URL, it tries
    the next Enroll URL defined here.
HttpProxyURL
    HTTP proxy to be used with the enrollment URLs. Only HTTP proxies without
    authentication and without SSL to the proxy are supported.
    Example: http://example.address.com:8888

Grace Period
    Value in seconds for the time window before the certificate expires in
    which a re-enrollment is to be carried out.
    The default value is 0.

InactivityTimeout
    Value in seconds until an automatic logout is performed (due to mouse and
    keyboard inactivity). Possible values:
    -1
        No Single Sign-On (SSO). Each SNC connection forces a new login.
    0
        No timeout. SSO without constraints. This is the default value.
    n
        Seconds until an automatic logout takes place.

Auto-Reenroll Attempts
    The number of successive failed authentications after which automatic
    re-enrollment is stopped. You can activate user name and password
    caching to ensure the automatic re-enrollment of certificates that are
    about to expire. Possible values:
    0 (off)
        Does not re-enroll automatically and does not cache user name and
        password. A re-enrollment must always be performed manually by the
        user.
    n > 0 (on, with n tries)
        Tries to re-enroll a maximum of n times before either a new
        certificate is received or the user name and password cache is
        cleared. The error counter is reset on success.
    The default value is 0.

Key Size
    RSA key length.
    The default value is 1024. A 1024-bit RSA key no longer provides an
    adequate security margin; use 2048 bits or more for newly enrolled user
    certificates if the issuing CA and the SNC peers support it.

NewPinType
    Message text value used for the change PIN/password messages sent to the
    Secure Login Client and Secure Login Web Client.
    Available values are pin and password.

Unique Client ID
    Custom-defined string that is displayed in the instance log and can be
    used for network filtering.


Network Timeout (seconds)
    Network timeout (in seconds) before the connection is closed if the
    server does not respond.
    The default value is 45.

Reauthentication
    This parameter defines how many logon attempts are permitted with the
    Secure Login Client logon form before it is closed.
    Example with the value 4: the Secure Login Client offers the logon form
    4 times (the logons fail, for example, due to wrong credentials) before
    the logon form is closed.
    The default value is 0. With this value, the logon form is never closed;
    the user has to use the Cancel button to close it.

SSL Host Common Name Check
    Applies to the SSL server certificate: checks whether the peer host name
    is given in the Common Name (CN) field of the SSL server certificate.
    True
        Verifies the SSL server host name against the Common Name (CN) field
        of the SSL server certificate.
    False
        Does not verify the SSL server host name against the Common Name (CN)
        field of the SSL server certificate.
    The default value is False.

SSL Host Alternative Name Check
    Applies to the SSL server certificate: checks whether the peer host name
    is given in the Subject Alternative Name extension of the certificate.
    True
        Verifies the SSL server host name against the Subject Alternative
        Name extension of the SSL server certificate.
    False
        Does not verify the SSL server host name against the Subject
        Alternative Name extension of the SSL server certificate.
    The default value is False.

SSL Host Extension Check
    Applies to the SSL server certificate: specifies whether the system
    checks that the extended key usage ServerAuthentication is defined.
    True
        Verifies that the extended key usage ServerAuthentication is defined
        in the SSL server certificate.
    False
        Does not verify that the extended key usage ServerAuthentication is
        defined in the SSL server certificate.
    The default value is False.

With all three checks at their default value False, the Secure Login Client
does not verify that the certificate presented by the enrollment server
belongs to the host named in the Enroll URL. For productive use, enable at
least the SSL Host Alternative Name Check (or the Common Name Check for
certificates without a Subject Alternative Name) together with the SSL Host
Extension Check.

User Warning MSIE
    Turns a warning dialog box on or off that appears after a new certificate
    has been propagated to the Microsoft crypto store.
    True
        Turns the warning dialog box on.
    False
        Turns the warning dialog box off.
    Note: Microsoft Internet Explorer must be restarted.
    The default value is False.

Auto-Enroll
    A user automatically gets an X.509 certificate when the Secure Login
    Client starts.
    False
        Turn off.
    True
        Automatic provisioning of user certificates.
    If PSE Type (pseType) is set to windowslogin, user credentials are
    provided automatically (only applies to Microsoft Windows
    authentication). If PSE Type is set to promptedlogin, the system prompts
    the users to enter their credentials.

Save
    Saves the configuration.

Clear
    Clears the fields.

Cancel
    Cancels the configuration.
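What the three SSL host checks of the profile actually verify, as an added example that is not part of the SAP guide. The peer certificate is represented as a dictionary modelled on the output of Python's ssl.SSLSocket.getpeercert(), extended with an 'extendedKeyUsage' entry that getpeercert() itself does not expose; the certificate, the check names and the hostname-matching rule (one leading wildcard label) are this example's own. The point it makes runnable is that a check which is switched off can never fail, so with the shipped defaults even a certificate for a foreign host is accepted.

```python
"""Added example, not part of the SAP guide: what the three profile settings
SSL Host Common Name Check, SSL Host Alternative Name Check and SSL Host
Extension Check verify, applied to a peer certificate described as a dict
modelled on Python's ssl.SSLSocket.getpeercert() output (extended with an
'extendedKeyUsage' entry, which getpeercert() itself does not expose).  The
certificate below is constructed; the check names and the hostname-matching
rule (one leading wildcard label, RFC 6125 style) are this example's."""


def hostname_matches(pattern, hostname):
    """Case-insensitive DNS name match allowing a single leading '*.' label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        head, _sep, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == hostname


def check_server_cert(cert, hostname, cn_check=False, san_check=False,
                      eku_check=False):
    """Apply the enabled checks and return (accepted, reasons).

    A check that is switched off can never fail, which is exactly why all
    three defaulting to False leaves the enrollment connection unverified.
    """
    reasons = []
    if cn_check:
        cns = [value for rdn in cert.get("subject", ())
               for key, value in rdn if key == "commonName"]
        if not any(hostname_matches(cn, hostname) for cn in cns):
            reasons.append("CN %s does not match host %s" % (cns, hostname))
    if san_check:
        dns_names = [value for kind, value in cert.get("subjectAltName", ())
                     if kind == "DNS"]
        if not any(hostname_matches(n, hostname) for n in dns_names):
            reasons.append("no subjectAltName dNSName matches host %s" % hostname)
    if eku_check and "serverAuth" not in cert.get("extendedKeyUsage", ()):
        reasons.append("extended key usage serverAuth is not defined")
    return (not reasons, reasons)


# Constructed certificate of an enrollment server reached as sls.example.com.
# The CN still carries an old host name; only the SAN is current.
ENROLL_SERVER_CERT = {
    "subject": ((("commonName", "sls-old.example.com"),),),
    "subjectAltName": (("DNS", "sls.example.com"), ("DNS", "*.sls.example.com")),
    "extendedKeyUsage": ("serverAuth",),
}

# The shipped defaults (all False) next to a hardened set of checks.
DEFAULT_CHECKS = dict(cn_check=False, san_check=False, eku_check=False)
HARDENED_CHECKS = dict(cn_check=False, san_check=True, eku_check=True)

if __name__ == "__main__":
    print(check_server_cert(ENROLL_SERVER_CERT, "sls.example.com", **DEFAULT_CHECKS))
    print(check_server_cert(ENROLL_SERVER_CERT, "sls.example.com", **HARDENED_CHECKS))
    print(check_server_cert(ENROLL_SERVER_CERT, "attacker.example.com", **HARDENED_CHECKS))
```

The hardened set leaves the CN check off on purpose: modern server certificates carry the host name in the Subject Alternative Name, and a CN that still holds an old name (as in the constructed certificate) would otherwise block a legitimate server.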

Download Files
This section describes how to download the client policy files for the Secure
Login Client. Use the files generated with this option if you want to export
the client policy of the current (active) instance.

Figure: Administration Console Instance Management Download Files

Client Policy and customer.zip
    If you choose this option, the system asks you which file you want to
    download.
    ClientPolicy.xml
        Instance profile configuration (Enroll URL) and client policy
        (Policy URL) in XML format.
    Customer.zip
        Registry key that includes the configuration of the client profile
        (Policy URL). You can use this registry file during the Secure Login
        Client installation to define where the client profiles can be
        retrieved.
    To download the desired file, click it.

customerAll.reg
    Registry key that includes the configuration of the client profile
    (Policy URL) and the instance profiles (Enroll URL). This registry file
    can be used during the Secure Login Client installation to define where
    the client profiles can be retrieved; in addition, the instance profiles
    are installed.
    To download the desired file, click it.

Download
    Downloads the desired file.

Global Client Policy

This section describes how to download the client policy files including all
instances for the Secure Login Client. Use this option if you want to include
the complete Secure Login Server configuration, including all instances, in
the client policy files for the Secure Login Client.

Figure: Administration Console Instance Management Global Client Policy

Generate
    Use this button to generate the global client policy. All instance client
    policy configurations are stored in one global client policy file.

GlobalCustomer.reg
    Registry key that includes the configuration of the client profile
    (Policy URL). You can use this registry file during the Secure Login
    Client installation to define where the client profiles of all instances
    can be retrieved.
    To download the desired file, click it.

GlobalCustomerAll.reg
    Registry key that includes the configuration of the client profile
    (Policy URL) and the instance profiles (Enroll URL). You can use this
    registry file during the Secure Login Client installation to define where
    the client profiles of all instances can be retrieved. The instance
    profiles of all instances are also installed.
    To download the desired file, click it.

GlobalClientPolicy.xml
    Profile configuration (Enroll URL) and client policy (Policy URL) for all
    instances in XML format.

If you use the Global Client Policy, note that the application template names
must be unique across all instances.
Remember to use the Generate button after making changes in instances.

Instance Configuration - Instance Log Management


This section describes the instance logging functionality. The Instance Log Management
provides the following functions:

Monthly Log
Information about the instance.
Daily Log
Information about the user authentication.
Log Analysis
Summary of statistical information for the instance.
Log Setting
Configuration of the log settings.
Archive Log
Archived logs are shown here.

Monthly Log

Figure: Administration Console Instance Log Monthly Log

The Monthly Log table contains the following information:

Log Month
    To display the log entries of a specific month, select it from the
    dropdown box. Use the Export Logs button to export the log file in
    *.CSV format.

Date
    The date the task was performed.

Time
    The time the task was performed.

Code
    The internal message code of the task performed.

Level
    An abbreviated description of the message level. Possible message
    levels are:
    INF  Information
    ERR  Error
    WAR  Warning

Description
    A description of the message or task.

Daily Log

Figure: Administration Console Instance Log Daily Log

The Daily Log table contains the following information:

Log Date
    To display the log entries of a specific date, select it from the
    dropdown box. Use the Export Logs button to export the log file in
    *.CSV format.

Time
    Time the user authentication was performed.

Client
    Custom information defined in the client profile (Unique Client ID).

DNS/IP
    DNS name and IP address of the client computer from which the user
    authentication was performed.

View As
    Note: this field only appears if multiple sets of DNS/IP are configured
    on the admin computer; the IP values of the selected set are displayed.

User
    The name of the user that performed the user authentication.

Action
    A short description of the action, for example INIT_ACTION or
    AUTH_ACTION.

Result
    Description of the user authentication result. Possible results are:
    ACM_OK
        User authentication was successful.
    ACM_ACCESS_DENIED
        User authentication failed.
    ACM_NEW_PIN_REQUIRED
        A password/PIN change was requested.
    ACM_NEW_PIN_REJECTED
        The new password/PIN was not accepted.
    ACM_NEW_PIN_ACCEPTED
        The new password/PIN was accepted.
    OK
        The initial action was successful.
    INTERNAL_SERVER_ERROR
        Server error.
    INVALID_MESSAGE_FORMAT
        Invalid or incomplete client communication.
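The exported daily log is the natural input for a simple authentication-abuse detection. The following is an added example that is not part of the SAP guide: it parses a *.CSV export and flags a burst of ACM_ACCESS_DENIED results for one user from one host, and a success that directly follows a run of failures. The column order of the export (Time, Client, DNS/IP, User, Action, Result) and the sample rows are assumptions of this example; the Action and Result values are the ones listed above.

```python
"""Added example, not part of the SAP guide: running a simple detection over
an exported daily log.  The *.CSV column order (Time, Client, DNS/IP, User,
Action, Result) and the sample rows are assumptions of this example; the
Action and Result values are the ones listed in the guide."""

import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export: a burst of failures against one account from one host
# followed by a success, plus ordinary traffic from other users.
SAMPLE_DAILY_LOG = """\
Time,Client,DNS/IP,User,Action,Result
08:00:01,SLC-HQ,ws01.example.com/10.0.0.11,alice,AUTH_ACTION,ACM_OK
08:05:10,SLC-HQ,ws42.example.com/10.0.0.42,bob,AUTH_ACTION,ACM_ACCESS_DENIED
08:05:12,SLC-HQ,ws42.example.com/10.0.0.42,bob,AUTH_ACTION,ACM_ACCESS_DENIED
08:05:13,SLC-HQ,ws42.example.com/10.0.0.42,bob,AUTH_ACTION,ACM_ACCESS_DENIED
08:05:15,SLC-HQ,ws42.example.com/10.0.0.42,bob,AUTH_ACTION,ACM_ACCESS_DENIED
08:05:16,SLC-HQ,ws42.example.com/10.0.0.42,bob,AUTH_ACTION,ACM_ACCESS_DENIED
08:05:20,SLC-HQ,ws42.example.com/10.0.0.42,bob,AUTH_ACTION,ACM_OK
09:30:00,SLC-HQ,ws07.example.com/10.0.0.7,carol,INIT_ACTION,INVALID_MESSAGE_FORMAT
09:31:00,SLC-HQ,ws01.example.com/10.0.0.11,alice,AUTH_ACTION,ACM_ACCESS_DENIED
"""


def parse_daily_log(text):
    """Read the CSV export into dicts, converting Time to a datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Time"] = datetime.strptime(row["Time"], "%H:%M:%S")
    return rows


def failed_logon_bursts(rows, threshold=5, window=timedelta(minutes=5)):
    """Return {(user, dns_ip): count} for every (user, host) pair that has
    at least `threshold` ACM_ACCESS_DENIED results inside some span of
    length `window` (sliding window over the sorted timestamps)."""
    denied = defaultdict(list)
    for row in rows:
        if row["Action"] == "AUTH_ACTION" and row["Result"] == "ACM_ACCESS_DENIED":
            denied[(row["User"], row["DNS/IP"])].append(row["Time"])
    hits = {}
    for key, times in denied.items():
        times.sort()
        start = 0
        for end, moment in enumerate(times):
            while moment - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits


def success_after_failures(rows, min_failures=3):
    """Users whose ACM_OK directly follows min_failures or more consecutive
    ACM_ACCESS_DENIED results: a guessed or sprayed password looks like this."""
    streak = defaultdict(int)
    flagged = set()
    for row in sorted(rows, key=lambda r: r["Time"]):
        if row["Action"] != "AUTH_ACTION":
            continue
        if row["Result"] == "ACM_ACCESS_DENIED":
            streak[row["User"]] += 1
        elif row["Result"] == "ACM_OK":
            if streak[row["User"]] >= min_failures:
                flagged.add(row["User"])
            streak[row["User"]] = 0
    return flagged


if __name__ == "__main__":
    rows = parse_daily_log(SAMPLE_DAILY_LOG)
    print("bursts:", failed_logon_bursts(rows))
    print("success after failures:", success_after_failures(rows))
```

Feed the function the text of a real export instead of SAMPLE_DAILY_LOG (adjusting the column names if the export differs) and tune threshold and window to the Reauthentication setting of the profile, which bounds how many attempts a single logon form allows.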

Log Analysis
You can use the Log Analysis to analyze statistical information about user authentication.
To display the statistical information, define the desired start and end date and choose the
Analysis button.


Figure: Administration Console Instance Log Log Analysis


Log Setting
This section describes the log file settings for the instance log management.

Figure: Administration Console Instance Log Log Setting

Entries marked with * are mandatory.

Maximum Log File Size*
    The maximum size in gigabytes of the log file directory (all log files).
    The default value is 1 gigabyte.

Maximum Individual File Size*
    The maximum size of a single log file in megabytes before it is archived.
    The default value is 10 megabytes.

Daily Log Cleanup Interval*
    The interval (in days) after which the next log cleanup starts.
    The default value is 30 days.

Monthly Log Cleanup Interval*
    The interval (in months) after which the next log cleanup starts.
    The default value is 1 month.

Daily Log Analysis Period*
    Defines the period length used in Log Analysis, that is, the length of
    the period from Start Date until End Date.
    The default value is 30 days.

Daily Log Prefix*
    The file prefix for daily logs. This information is read-only.

Directory for Storing Daily Log Files*
    The directory for daily log storage. This information is read-only.

Monthly Log Prefix*
    The file prefix for monthly logs. This information is read-only.

Directory for Storing Monthly Log Files*
    The directory for monthly log storage. This information is read-only.

Save
    Saves the configuration.

Cancel
    Cancels the configuration.

Archived Log
This section describes the Archived Log page.

Figure: Administration Console Instance Log Archived Log

Archived log files are stored in the log file directory defined in Log
Setting.

Archived File Name
    The name under which the server has saved the log file(s).

Selected
    A radio button to indicate which file is downloaded.

To download a log file archive, select it in the Selected column and choose
Download. You are prompted to choose a location. The log files are in ZIP
format.
To delete a log file archive, select it in the Selected column and choose
Delete.

Instance Configuration - Instance Check


In Instance Check, you can check the client policy and the PKI structure of
the chosen instance.

Figure: Administration Console Instance Check

Client Policy
    Checks the correct configuration of client policies and client profiles.

PKI Structure
    Checks whether certificates are missing or invalid.

Instance Configuration - Instance Status

Use this option to display the status of the desired instance.

Date
    Current date and time.

Version
    Version of the Secure Login Server kernel.

Uptime
    The amount of time the instance has been active and running.

Instance ID
    Chosen instance name.

Configuration URL
    File location of the Secure Login Server configuration file
    Configuration.properties.

Configuration Status
    Result of the integrity check of the Secure Login Server configuration.

Lock Status
    Lock Status = No
        The chosen instance is not locked. Everything is OK and the instance
        is up and running.
    Lock Status = Yes
        The chosen instance is locked, which means it has encountered a
        problem. In this case, check the server information pane in the top
        left of the screen for tasks yet to be performed, as well as the log
        files for possible problems.
        An Unlock button appears next to the table entry (provided the
        administrator role has the necessary permission). Once you have
        resolved the problems, choose the Unlock button to reset the Lock
        Status.

Secure Login Servlet Status
    Verifies the status of the instance's Java servlet.

Server Build
    Secure Login Server version.

3.4.2 Create a New Instance


This section describes how to create a new instance.

Figure: Administration Console Instance Management


To create a new instance, choose the Add button.


Figure: Administration Console Instance Management New Instance


Define a name for the new instance and choose the OK button to continue.

Figure: Administration Console Instance Management New Instance


Select the option Create a New Server Instance and choose the OK button to continue.


Figure: Administration Console Instance Management Add New Instance


Define the respective parameters (for more information, see section 3.4.1
DefaultServer Configuration).
By default, the configuration for Authentication Server Configuration, Secure
Login User CA Keystore and User Certificate Configuration defined in the
DefaultServer instance is reused. If you do not want to reuse this
configuration, deactivate the option Use Default and define your own
configuration.

For example, if you want to define a different user authentication mechanism
for this instance, deactivate the option Use Default for JaasModule and define
a new value.

After you have performed the configuration, choose the OK button to continue.


Figure: Administration Console Instance Management New Client Policy


Define the parameter for the client policy and choose the OK button to continue.

Figure: Administration Console Instance Management New Instance Created


The new instance has been created and is displayed in the navigation tree.

Remember to activate this new instance in Certificate Management (Mapping to
Instance).

Create New Instance Option: Clone from an existing server instance using this
Administration Console
You can use the option Clone from an existing server instance using this
Administration Console to clone an existing instance configuration.


Figure: Choose Existing Instance

Create New Instance Option: Migrate from an External Secure Login Server
You can use the option Migrate from an External Secure Login Server to choose
an existing instance configuration that is available in the file system (for
example, a backup copy of another Secure Login Server).

Figure: Choose Existing Instance from File Backup


3.5 Console Users


This section describes the Console Users page of the administration console. Use this node
to view when an administrator logged on to, or logged off from the administration console.

Figure: Administration Console Console Users

3.5.1 User Management


This section describes the User Management node of the administration console.
This node displays a list of the users/administrators registered with the administration console
and allows you to add a new user, edit or delete a current user, and assign a role to a user.

Figure: Administration Console User Management

The Admin user cannot be deleted.

Add
    Adds a new user.

Edit
    Changes the settings of the user selected in the list.

Delete
    Deletes the selected user from the list.

Assign Role
    Assigns a role to the user selected in the list.


Add a User
To create a new user, choose the Add button.

Figure: Administration Console Create User

ID
    User logon name.

Name
    User display name.

Password
    Defines the user password.

Confirm Password
    Confirms the user password.

Disabled
    If this option is enabled, the user cannot log on to the administration
    console.

Change Password
    This option is only visible when editing a user entry in the list. Check
    this option to change the password.

External Login
    This feature uses user information stored in an Authentication Server
    database for authentication to the Secure Login Administration Console.
    Selecting this option displays the extra option External Login ID.
    External Login ID
        Define the user name in the desired Authentication Server database.
    For more information, see section 4.7 Configure External Login ID.

SSL Certificate Login
    This feature enables certificate-based logon to the Secure Login
    Administration Console. Selecting this option displays the extra option
    Certificate Login ID.
    Certificate Login ID
        For user mapping, the Subject Alternative Name (RFC822 name)
        attribute of the logon certificate is used. The value of the Subject
        Alternative Name is compared with the value defined in Certificate
        Login ID.
    For more information, see section 4.6 Configure SSL Certificate Logon.

Save
    Saves the configuration.

Cancel
    Cancels the configuration.

Passwords used in the Secure Login Server are restricted by the password
policy:
The password cannot be empty.
The length of the password must be between 8 and 20 characters.
The password must contain at least one uppercase letter.
The password must contain at least one lowercase letter.
The password must contain at least one digit.
The password must contain at least one of the special characters.

Assign a Role
Choose the desired user and choose the Assign Role button.

Figure: Assign Role to User


To transfer one or more roles to the user, select one or more roles from the left-hand pane All
Role and choose >>Add to transfer the roles to My Role.
To remove one or more roles from the user, select the role(s) in the My Role column on the
right and choose >>Delete to remove the role(s).
To save the configuration, choose the Save button.


3.5.2 Role Management


This section describes the Role Management node of the Administration Console. Use this
node to configure the permissions for each administrator role.

Figure: Administration Console Role Management

Predefined roles cannot be deleted or changed.


To create a new role, use the Add button.

Figure: Administration Console Role Management


Entries marked with * are mandatory.

ID*
    The unique identifier of the role.

Name*
    The name used to describe the role.

Permission List
    Defines the permissions assigned to this role. The permissions are
    described in the Permission Description.

Instance List
    Defines the permissions for the respective instances.

To save the configuration, use the Save button.

3.5.3 Locked Files Management


This section describes how to check whether any Secure Login Server-specific
system files are locked and how to unlock them, if necessary.
Files are locked in the following scenario: different administrators are
configuring the Secure Login Server at the same time. When this happens, one
administrator receives a message asking them to contact the specific
administrator to unlock the file.
Example message:
File ClientPolicy.xml has been locked, ask the administrator to remove the lock.

Figure: Administration Console Locked File Management

Select the locked file to be unlocked and choose the Release button.


4 Other Configurations
This section describes some additional configuration steps.

4.1 Configure Login Module


You configure the Login Modules in the SAP NetWeaver Administrator. Log on to the SAP
NetWeaver Administrator.

http://<host_name>:<port>/nwa
Choose Configuration Management and Authentication and Single Sign-On.
Choose the tab Authentication and the configuration option Login Modules.
The following Secure Login Server Login Modules are available:

SPNegoLoginModule
This login module is used to verify user credentials against a Microsoft Windows domain.
By default, this login module is set in the Secure Login Server.
SecureLoginModuleLDAP
This login module is used to verify user credentials against an LDAP Server or Microsoft
Active Directory System.
SecureLoginModuleRADIUS
This login module is used to verify user credentials against a RADIUS Server.
SecureLoginModuleSAP
This login module is used to verify user credentials against an SAP ABAP server.
The names of the Secure Login Server Login Modules are used in Instance configuration.
Refer to section 3.4 Instance Management.

SPNegoLoginModule
SPNegoLoginModule is the default login module of the Secure Login Server. To configure
SPNego, use the appropriate configuration wizard. For more information, see the SAP
NetWeaver Library 7.3 under SAP NetWeaver Library: Function-Oriented View > Security>
User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments
> Single Sign-On for Web-Based Access > Using Kerberos Authentication.
SPNegoLoginModule works in close conjunction with the user management engine (UME).
Remember that you may need to configure the mapping mode of the Kerberos Principal
Name to the UME or to change Customizing settings of the UME data source configuration.
For more information, see the SAP NetWeaver Library 7.3 under SAP NetWeaver Library:
Function-Oriented View > Security> User Authentication and Single Sign-On > Integration in
Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using
Kerberos Authentication > Configuring the UME for Kerberos Mapping.
SecureLoginModuleLDAP
Choose the login module SecureLoginModuleLDAP and choose the Edit button to configure
its parameters.


Figure: SAP NetWeaver Administrator SecureLoginModuleLDAP

Entries marked with * are mandatory.

LdapBaseDN
    Base DN of the LDAP server (start search path). There are several
    configuration options. The variable $USERID is replaced by the Secure
    Login Server with the user name used for user verification against the
    authentication server.
    LDAP server
        Define the search path where the user is located.
        Example: uid=$USERID,ou=Users,dc=yourdomain,dc=com
    Microsoft Active Directory
        Define the search path where the user is located.
        Examples:
        $USERID@<Windows_domain>
        cn=$USERID,cn=Users,dc=domain,dc=com
    If the parameter is not configured (empty), the Microsoft Windows UPN is
    required for user authentication (to be entered in the Secure Login
    Client).

LdapHost*
    URL of the LDAP server or Active Directory server used to authenticate
    the user. We recommend that you configure secure communication using
    LDAPS; with plain LDAP the user password crosses the network in clear
    text during the bind.
    ldaps://<FQDN or IP>:636
    ldap://<FQDN or IP>:389

LdapProviderLanguage
    Character set encoding for communication between the Secure Login Server
    and the LDAP/ADS server.
    The default value is en-US.

LdapTimeout
    Period of time (in milliseconds) the Secure Login Server waits for a
    response before trying the next LDAP/ADS server.
    The default value is 100 milliseconds.

PasswordExpirationAttribute
    LDAP attribute holding the password expiration date. For the LDAP
    authentication server, the value must be in one of the following
    formats:
    UTC (LDAP GeneralizedTime):
        20060727081914Z
        or
        20060727081914+0700Z
    GMT (Greenwich Mean Time) in ADS format:
        20060727081914.0Z
        or
        20060727081914.0+0700Z
    Microsoft Windows FILETIME (the number of 100-nanosecond intervals since
    01/01/1601), for example:
        127984619236406250
    If a password expiration warning message is configured, the LdapBaseDN
    property must be given in complete DN form.
    The PasswordExpirationAttribute value is used for the password expiry
    warning message only.
    By default no value is defined.

PasswordExpirationGracePeriod
    The interval (in days) before a password expires during which a password
    expiry warning message is sent to the client.

ServerID
    Determines which password expiry warning is used. This value is used for
    the password expiry warning only.
    By default no value is defined.

TrustStore
    Path to the Java certificate keystore used by the Secure Login Server to
    enable LDAP over SSL (LDAPS). Use of a Java keystore (*.jks) holding the
    CA certificate(s) that issued the LDAP server certificate is mandatory
    when using LDAPS.
    By default, no value is defined. If LDAPS is used, configure the
    following value:
    Microsoft Windows
        <INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\Instances\TrustStore.jks
    Linux
        /usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances/TrustStore.jks

To save the configuration, choose the Save button.
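Two parts of the SecureLoginModuleLDAP configuration worked through in code, as an added example that is not part of the SAP guide. The first part shows the $USERID substitution into an LdapBaseDN template with the value escaped per RFC 4514, so that characters such as ',' or '=' in a supplied user name cannot change the structure of the resulting DN; how the Secure Login Server itself performs the substitution is not documented here and is not claimed, the escaping is what any code building such DNs should do. The second part parses the PasswordExpirationAttribute formats (LDAP GeneralizedTime and the Active Directory count of 100-nanosecond intervals since 1601-01-01, which is how the documented example value 127984619236406250 lands on 27 July 2006) and decides whether a PasswordExpirationGracePeriod warning is due. Function names and sample values are this example's own.

```python
"""Added example, not part of the SAP guide: two parts of the
SecureLoginModuleLDAP configuration worked through in code.
1. $USERID substitution into an LdapBaseDN template, with the value escaped
   per RFC 4514 so that characters such as ',' or '=' in a supplied user
   name cannot change the structure of the resulting DN.  How the Secure
   Login Server itself performs the substitution is not documented here
   and is not claimed; the escaping is what any code building such DNs
   should do.
2. Parsing the PasswordExpirationAttribute formats (LDAP GeneralizedTime
   and the Active Directory FILETIME count of 100-nanosecond intervals
   since 1601-01-01) and deciding whether a PasswordExpirationGracePeriod
   warning is due.  Sample values are constructed."""

import re
from datetime import datetime, timedelta, timezone

DN_SPECIAL_CHARS = ',+"\\<>;'


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4):
    the special characters, a leading '#', leading or trailing spaces and
    NUL are backslash-escaped."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL_CHARS or (ch == "#" and i == 0) \
                or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_base_dn(ldap_base_dn, user_id):
    """Replace $USERID in the LdapBaseDN template with the escaped user id."""
    return ldap_base_dn.replace("$USERID", escape_dn_value(user_id))


GENERALIZED_TIME = re.compile(r"^(\d{14})(?:\.(\d+))?([+-]\d{4})?Z?$")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_generalized_time(text):
    """Parse YYYYMMDDhhmmss[.fff][+hhmm][Z] into an aware UTC datetime.
    Fractions are ignored; an explicit offset is applied to yield UTC."""
    match = GENERALIZED_TIME.match(text)
    if not match:
        raise ValueError("not a GeneralizedTime value: %r" % text)
    when = datetime.strptime(match.group(1), "%Y%m%d%H%M%S")
    when = when.replace(tzinfo=timezone.utc)
    if match.group(3):
        sign = 1 if match.group(3)[0] == "+" else -1
        offset = timedelta(hours=int(match.group(3)[1:3]),
                           minutes=int(match.group(3)[3:5]))
        when -= sign * offset  # local time minus its offset is UTC
    return when


def filetime_to_datetime(value):
    """Convert a Windows/AD FILETIME, i.e. 100-ns intervals since
    1601-01-01 UTC, into an aware datetime (rounded down to microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def parse_password_expiry(value):
    """Accept either documented representation of the expiry attribute:
    a long all-digit string is a FILETIME, anything else GeneralizedTime."""
    if value.isdigit() and len(value) > 14:
        return filetime_to_datetime(value)
    return parse_generalized_time(value)


def expiry_warning_due(expiry_value, grace_period_days, now):
    """True when the password expires within grace_period_days of `now`,
    the condition under which an expiry warning would be sent."""
    return parse_password_expiry(expiry_value) - now <= timedelta(days=grace_period_days)


if __name__ == "__main__":
    print(build_base_dn("uid=$USERID,ou=Users,dc=yourdomain,dc=com", "smith,ou=Admins"))
    print(parse_password_expiry("20060727081914Z"))
    print(parse_password_expiry("127984619236406250"))
```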


SecureLoginModuleRADIUS
Choose the login module SecureLoginModuleRADIUS and choose the Edit button to
configure its parameters.
Entries marked with * are mandatory.

Authenticator*
    Authentication method for the RADIUS server. Possible values are:
    CHAP
    MSCHAP
    PAP
    The default value is PAP.

AuthPort*
    The port number used by the RADIUS server for authentication requests.
    Typical values are 1645 or 1812 (1812 is the official RADIUS
    authentication port; 1645 is the legacy port).
    The default value is 1645.

PinAlphanumeric
    PIN format. This parameter is only used with OTP tokens. Possible
    values:
    true
        The user can choose, and use, a PIN that contains only alphanumeric
        characters (A-Z, a-z, 0-9).
    false
        The user can choose, and use, a PIN that contains alphanumeric and
        special characters (such as !$%&).
    The default value is false.

RADIUSServerIP*
    Host address of the RADIUS server (used for user authentication).

ServerIniFile
    For configuring specific RADIUS server messages. You need to define the
    full path and file name.
    By default no configuration file is required.

SharedSecret*
    The shared secret is used to hide the user password in the RADIUS
    request and to authenticate the RADIUS server's replies. It is the only
    protection the user password has on the way to the RADIUS server, so
    choose a long random value and protect the network path. The same shared
    secret must also be defined on the RADIUS server. Save the shared secret
    as encrypted. For more information, see 5.5.3 Ensuring Encrypted
    Communication with Shared Secret.

TimeOut*
    Period of time (in milliseconds) the Secure Login Server waits for a
    response before trying the next RADIUS server.
    The default value is 5000 milliseconds.

SecureLoginModuleSAP
Choose the Login Module SecureLoginModuleSAP and choose the Edit button to configure its parameters.

Figure: SAP NetWeaver Administrator SecureLoginModuleSAP

Entries marked with * are mandatory.

Option / Details

Client*
  Define the SAP client number in which the SAP user is to be verified.

CREDDIR
  Path where the SNC certificate used by Secure Login Server is located. This configuration is not required if the environment variable SECUDIR was configured (see Installation, Configuration, and Administration Guide of the Secure Login Library).
  Configure the appropriate value for your operating system:
  Microsoft Windows
    <ASJava_Installation>\sec
    Example: D:\usr\sap\ABC\J00\sec
  Linux
    <ASJava_Installation>/sec
    Example: /usr/sap/ABC/J00/sec

PasswordAlphanummeric
  This parameter is part of the password policy for the client-side policy consistency check. Possible values:
    true: The password can contain only alphanumeric characters (A-Z, a-z, 0-9).
    false: The password can contain alphanumeric and special characters (such as !$%&).
  This parameter must be consistent with the SAP password policy.
  The default value is true.

PasswordMax
  This parameter is part of the password policy for the client-side policy consistency check, specifically the maximum number of characters in the password to be used. This parameter must be consistent with the SAP password policy.
  The default value is 30.

PasswordMin
  This parameter is part of the password policy for the client-side policy consistency check, specifically the minimum number of characters in the password to be used. This parameter must be consistent with the SAP password policy.
  The default value is 1.

SAPaccount*
  The technical SAP user account name used by Secure Login Server. This technical user must be created on the desired SAP ABAP server, and you need to configure its SNC name.
  Example: SLSSNC

SAPServer*
  IP address or host name of the SAP ABAP server.

SNCServerName*
  SNC name of the desired SAP ABAP server.
  Example: p:CN=ABC, OU=SAP Security, C=DE

SystemNo*
  SAP system number.

maxNbrConnections
  Maximum number of connections.

SAPTimeout
  Timeout for login.

Maximum number of connections until authentication is blocked


4.2 Verify Authentication Server Configuration

After successful configuration of Certificate Management, Instance Management and Login Module, the Secure Login Client or Secure Login Web Client can be used to verify communication to the authentication server.

Figure: User Authentication Work Process (diagram showing Secure Login Client and Secure Login Web Client, SAP NetWeaver - Secure Login Server with Instance 1 SecureLoginModuleLDAP, Instance 2 SecureLoginModuleSAP, Instance 3 SecureLoginModuleRADIUS and Instance 4 SPNegoLoginModule, the Secure Login Admin Console and SAP NetWeaver Administrator, and the LDAP Server, ABAP Server, RADIUS Server and Java Server/ADS)


The authentication work process takes place as follows:
1. Start Secure Login Client or Secure Login Web Client.
2. Choose the desired client profile and enter your user name and password.
3. The responsible instance for the chosen client profile is used.
You can configure the link to the login module (for example,
SecureLoginModuleLDAP) within the Instance configuration (Secure Login
Administration Console Instance Management).
4. The instance triggers the login module. The login module establishes a connection to
the authentication server. Login modules are configured in SAP NetWeaver
Administrator.
5. The Secure Login Server sends the user credentials to the authentication server.
If the response is successful, the Secure Login Server provides a user certificate to
the Secure Login Client or Secure Login Web Client.


4.3 Create Technical User in SAP Server


The technical user is used to verify SAP user credentials on the SAP ABAP server.
Log on to the SAP ABAP server using SAP GUI and start the transaction SU01 (User Management).
Create a new user (for example, SLSSNC):
  User type is System.
  Deactivate the password.
  Define the SNC name, which must match the SNC certificate created in Certificate Management (certificate type: SNC_CERT).
  Choose the tab Profiles and define the following authorization profiles:
    S_A.SCON
    S_A.SYSTEM
    S_USER_ALL
    S_USER_RFC
    Z_TRANS_RFC
Save the settings.

4.4 Mozilla Firefox Support


After successful user authentication, the Secure Login Web Client stores the certificate in the Microsoft Certificate Store. The same function is provided for the Mozilla Firefox browser.

4.4.1 Install Firefox Extension


It is a prerequisite that the Firefox Extension XPI is installed. The Firefox Extension is
provided by the Secure Login Server and can be downloaded using the following URL:
http://<host_name>:<port>/SlsWebClient/Firefox/index.html
Browser and operating system are recognized automatically.

Figure: Mozilla Firefox Extension for Secure Login Web Client


Use the link here to install the Firefox extension.


If your Mozilla Firefox browser does not open an extension installation dialog, but only allows
you to save this file, you have the following choices:

Choose the option Open with and choose the Mozilla Firefox application.
Save the file to your Desktop, then drag and drop it into any Firefox window.
Ask your Web portal administrator to add a new MIME type application/x-xpinstall for XPI
files.

Figure: Install Mozilla Firefox Extension


Install the Firefox Extension by choosing Install Now, and restart Mozilla Firefox.

4.4.2 Uninstall Mozilla Firefox Extension


Start the Mozilla Firefox application and, from the menu, choose Add-ons Manager and
Extensions.

Figure: Uninstall Mozilla Firefox Extension Secure Login Security Module


To uninstall, select the Firefox Extension Secure Login Security Module and choose the
Remove button.


4.5 Customize Secure Login Web Client


By default, the location of the Secure Login Web Client files is stored in the user environment of the client. This depends on the operating system:
  Microsoft Windows XP
    C:\Documents and Settings\<user>\sapsnc\
  Microsoft Windows Vista / Microsoft Windows 7
    C:\Users\<user>\sapsnc\
  Mac OS
    /Users/<user>/sapsnc/
  Linux
    /home/<user>/sapsnc/
You can use the configuration file config.properties to define a different location for the libraries. You can upload the configuration file using the Secure Login Administration Console (section 3.3.12 Web Client Configuration).
Config.properties
USER_FOLDER=<Path to be used>

During an installation, the config.properties file is deleted. Make a backup of this file before you execute an installation. After the installation, copy the file back to the relevant directory.

Note that some configuration files are still stored in the default folder (sapsnc).

4.6 Configure SSL Certificate Logon


Use an X.509 certificate to log on to the Secure Login Administration Console.
The prerequisites are that SSL is enabled on SAP NetWeaver server, and the X.509
certificate has a trust relationship with the SSL server certificate of the SAP NetWeaver
server.
The SAP NetWeaver HTTPS port also needs to be configured to accept certificate-based
login (Request Certificate).

In the navigation tree, choose the node Certificate Management, and use the SAP CA to
create a LOGIN_CERT certificate.
In the certificate attribute Subject Alternative Names (E-mail), define the name that will be
mapped with the attribute Certificate Login ID in User Management (for example:
LoginCert_Admin). Save the settings, export this certificate in P12 format and import it in
the desired Administrator User environment (for example, import in Internet Explorer
browser).
In the navigation tree, choose the node User Management and edit the desired user.
Choose the option SSL Certificate Login and define the parameter Certificate Login ID
(for example: LoginCert_Admin).
Save the configuration and restart the Secure Login Server application server.


Start the Secure Login Administration Console by calling its URL using HTTPS (which is
enabled for certificate based login) and the user should be authenticated automatically.
A message box might appear, prompting you to choose the desired certificate. In this
case, choose the certificate to be used for logon.

4.7 Configure External Login ID


Define an authentication mechanism to use to log on to the Secure Login Administration
Console. The prerequisite is that the desired authentication mechanism is configured in the
instance (parameter JaasModule).
In the navigation tree, choose the node Server Configuration and choose the Edit Login
Type button. Define the desired authentication mechanism using the parameter External
Login JAAS Module and Save the configuration.
In the navigation tree, choose the node User Management and edit the desired user.
Choose the option External Login and define the parameter External Login ID. The
External Login ID is the user name of the desired authentication server database.
Save the configuration and restart the Secure Login Server application server.
Start the Secure Login Administration Console URL, choose the option External Login
and log on with the user name and password of the authentication server.

4.8 Emergency Recovery Tool


The Emergency Recovery tool is used when the Secure Login Server administrator has
forgotten his or her password and no longer has access to the Secure Login Administration
Console.
The prerequisites for the Emergency Recovery Tool are:
  Access to the operating system where the Secure Login Server application is installed.
  Access to the key file for server credentials encryption. The key file is a file on the Secure Login Server with random content and is used to secure password information in configuration files. This key file was generated in the Initial Wizard (section 2.6.1 Initial Configuration).

Step 1
Log on to the operating system where the Secure Login Server is installed.
Edit the file SLSRecoverPassword.bat (Microsoft Windows) or SLSRecoverPassword.sh (Linux) and change the path to the file iaik_jce.jar.
Microsoft Windows
  <ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\servlet_jsp\securelogin\root\WEB-INF\lib\SLSRecoverPassword.bat
SLSRecoverPassword.bat
@echo off
REM Adjust this path to the location of the IAIK library on your system
SET IAIK_JARS_PATH=D:\usr\sap\ABC\J00\j2ee\cluster\bootstrap\iaik_jce.jar
IF NOT EXIST "%IAIK_JARS_PATH%" GOTO ErrorLib
REM Pass all command-line arguments through to the recovery utility
java -cp "SLSRecoverPassword.jar;%IAIK_JARS_PATH%" com.secude.util.misc.SecudeUtilities %*
goto End
:ErrorLib
ECHO IAIK Library not found, please correct the path to the library in this script!
:End

Linux
  <ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/servlet_jsp/securelogin/root/WEB-INF/lib/SLSRecoverPassword.sh
SLSRecoverPassword.sh
#!/bin/sh
# please check if this path points to the correct location of
# the iaik library
IAIK_JARS_PATH=/usr/sap/ABC/J00/j2ee/cluster/bootstrap/iaik_jce.jar
if [ -f "$IAIK_JARS_PATH" ]; then
    # pass all command-line arguments through to the recovery utility
    java -cp "SLSRecoverPassword.jar:$IAIK_JARS_PATH" com.secude.util.misc.SecudeUtilities "$@"
else
    echo "IAIK Library not found, please correct the path to the library in this script!"
fi

Other possible locations of the file iaik_jce.jar:
  <drive>:\usr\sap\ABC\J00\j2ee\JSPM\lib\
  <drive>:\usr\sap\ABC\SYS\global\security\lib\engine\
  <drive>:\usr\sap\ABC\SYS\global\security\lib\tools\
Save the script file SLSRecoverPassword.

Step 2
Obtain the encrypted password string for the desired user. The encrypted password string is later used in the command line tool. The user information is available in the configuration file user.xml, which is located in the directory specified below:
Microsoft Windows
  <INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\Instances\user.xml
Linux
  /usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances/user.xml
user.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Users>
  <User disable="false" id="Admin" lanCode="en_US" name="Administrator" predefined="true" roles="Super User">
    <Password>encrypted_password_string</Password>
  </User>
</Users>

Step 3
Open a command line shell and change to the folder where the file SLSRecoverPassword.bat (Microsoft Windows) or SLSRecoverPassword.sh (Linux) is located.
Microsoft Windows
  <ASJava_Installation>\j2ee\cluster\apps\sap.com\SecureLoginServer\servlet_jsp\securelogin\root\WEB-INF\lib\SLSRecoverPassword.bat
Linux
  <ASJava_Installation>/j2ee/cluster/apps/sap.com/SecureLoginServer/servlet_jsp/securelogin/root/WEB-INF/lib/SLSRecoverPassword.sh

Start the following command to decrypt and display the password for the desired user.
SLSRecoverPassword decrypt encrypted_password_string <file_location_of_the_key_file>

Example
SLSRecoverPassword decrypt Encrypted Password String D:\usr\sap\ServerKeyFile\KeyFile.txt
The password is displayed.
Output of SLSRecoverPassword Command
Encode password=Encrypted Password String with key file=D:\usr\sap\ServerKeyFile\KeyFile.txt
Out is <Password>

You can use the following command to encrypt a password.
SLSRecoverPassword encrypt Password <File Location of the key file>
The encrypted password string is displayed.


4.9 Monitoring
This section describes how to retrieve the Secure Login Server status; for example,
integration in Network Monitoring Tools. Several interfaces are available.

4.9.1 Web Service Status


Some examples of how to retrieve the Secure Login Server status by URL are given below.
Server Status
  http://<host_name>:<port>/securelogin/PseServer?op=serverstatus
Default Server Instance Status
  http://<host_name>:<port>/securelogin/PseServer?op=status
Server Instance Number # Status
  http://<host_name>:<port>/securelogin/PseServer?op=status&id=00010
To retrieve the Server Instance Number, click the node Instance Management and check the ID of the desired instance.

4.9.2 XML Interface


Secure Login Server provides an XML interface to automate monitoring using your own or a
third-party program, for example, to incorporate monitoring into administrative tools.
Secure Login Server has to be called with a specific request in XML format. The Secure
Login Server then returns an XML reply with the status information.
Send the following Status Request to the URL:
http://<host_name>:<port>/securelogin/PseServer
Status Request
<TransFairGram>
  <Control>
    <Version>Pepperbox 2.0.0</Version>
    <ActionRequest>STATUS_REQUEST_ACTION</ActionRequest>
  </Control>
</TransFairGram>


The Status Reply is similar to the following example.

Status Reply
<TransFairGram>
  <Control>
    <ActionRequest>STATUS_ACTION</ActionRequest>
    <Version>Pepperbox 2.0.0</Version>
    <ServerBuild>$Name: REL_1_0_0_17 $</ServerBuild>
  </Control>
  <Content>
    <Data>
      <Status>
        <ConfigURL>file:<Path To Secure Login Server>\Configuration.properties</ConfigURL>
        <ConfigurationStatus>OK</ConfigurationStatus>
        <Date>Mon May 18 12:02:54 CET 2011</Date>
        <ID>Instance 00010</ID>
        <LockFile/>
        <LockStatus>false</LockStatus>
        <PseServerStatus>OK</PseServerStatus>
        <ServerBuild>SLS_5-1-1-0</ServerBuild>
      </Status>
      <Message>The current Server status is enclosed with this transfairgram (only for diagnostic purpose)</Message>
      <MessageCode>0701</MessageCode>
    </Data>
    <DataType>application/xml</DataType>
  </Content>
</TransFairGram>
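A small monitoring client for the XML interface described above, added here as an example and not part of the SAP guide or the product. It assumes the Status Request is sent as an HTTP POST with Content-Type application/xml (the page names the URL but not the method), treats an instance as healthy only when PseServerStatus and ConfigurationStatus are both OK and LockStatus is false, and works offline against a constructed reply modelled on the Status Reply shown on the page.

```python
import urllib.request
import xml.etree.ElementTree as ET

# Status Request as listed on the page, serialised on one line.
STATUS_REQUEST = (
    "<TransFairGram><Control>"
    "<Version>Pepperbox 2.0.0</Version>"
    "<ActionRequest>STATUS_REQUEST_ACTION</ActionRequest>"
    "</Control></TransFairGram>"
)

# Constructed sample reply modelled on the Status Reply on the page;
# the ConfigURL path is a placeholder.
SAMPLE_REPLY = """<TransFairGram>
  <Control>
    <ActionRequest>STATUS_ACTION</ActionRequest>
    <Version>Pepperbox 2.0.0</Version>
    <ServerBuild>$Name: REL_1_0_0_17 $</ServerBuild>
  </Control>
  <Content>
    <Data>
      <Status>
        <ConfigURL>file:/usr/sap/SLS/Configuration.properties</ConfigURL>
        <ConfigurationStatus>OK</ConfigurationStatus>
        <Date>Mon May 18 12:02:54 CET 2011</Date>
        <ID>Instance 00010</ID>
        <LockFile/>
        <LockStatus>false</LockStatus>
        <PseServerStatus>OK</PseServerStatus>
        <ServerBuild>SLS_5-1-1-0</ServerBuild>
      </Status>
      <Message>The current Server status is enclosed with this transfairgram</Message>
      <MessageCode>0701</MessageCode>
    </Data>
    <DataType>application/xml</DataType>
  </Content>
</TransFairGram>"""


def parse_status_reply(xml_text):
    """Return the <Status> children plus MessageCode of a Status Reply as a dict.

    Raises ValueError for anything that is not a STATUS_ACTION transfairgram,
    so an error page or a foreign XML document is never reported as healthy.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "TransFairGram":
        raise ValueError("not a TransFairGram document")
    action = root.findtext("Control/ActionRequest")
    if action != "STATUS_ACTION":
        raise ValueError("unexpected ActionRequest: %r" % action)
    status = root.find("Content/Data/Status")
    if status is None:
        raise ValueError("reply carries no Status element")
    fields = {child.tag: (child.text or "").strip() for child in status}
    fields["MessageCode"] = (root.findtext("Content/Data/MessageCode") or "").strip()
    return fields


def evaluate_status(fields):
    """Reduce the parsed fields to (healthy, reason) for a monitoring check."""
    problems = []
    if fields.get("PseServerStatus") != "OK":
        problems.append("PseServerStatus=%s" % fields.get("PseServerStatus"))
    if fields.get("ConfigurationStatus") != "OK":
        problems.append("ConfigurationStatus=%s" % fields.get("ConfigurationStatus"))
    if fields.get("LockStatus", "").lower() == "true":
        problems.append("instance locked, LockFile=%s" % fields.get("LockFile"))
    if problems:
        return False, "; ".join(problems)
    return True, "%s build %s OK" % (fields.get("ID"), fields.get("ServerBuild"))


def query_server(base_url, timeout=10):
    """POST the Status Request to <base_url>/securelogin/PseServer and evaluate it.

    This is the only function that touches the network (POST is an assumption).
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/securelogin/PseServer",
        data=STATUS_REQUEST.encode("utf-8"),
        headers={"Content-Type": "application/xml"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return evaluate_status(parse_status_reply(resp.read()))


if __name__ == "__main__":
    healthy, reason = evaluate_status(parse_status_reply(SAMPLE_REPLY))
    print("OK" if healthy else "CRITICAL", reason)
```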


4.10 Secure Login Client Policy and Profiles


This section contains detailed information about the client policy and client profiles for Secure
Login Client. The client policy is installed together with Secure Login Client on the client
computer. Using the client policy configuration the client profiles can be downloaded from
Secure Login Server.

4.10.1 Client Policy


These parameters are defined in the files customer.reg and GlobalCustomer.reg.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\System]

Parameter / Type / Description

PolicyURL (STRING)
  Network resource from which the latest Secure Login Client profiles can be downloaded. Three types of client policy are available:
    ClientPolicy.xml
      Client policy defined in the default instance of the Secure Login Server.
    ClientPolicy.xml&path=000xx
      Client policy defined in instance xx (instance number) of the Secure Login Server.
    GlobalClientPolicy.xml
      Global client policy that includes all available instances of the Secure Login Server.

PolicyTTL (DWORD)
  The lifetime in minutes for verifying (updating) a new client policy on the Secure Login Server. The default is 0 minutes (hexadecimal value: 0). By default, the Secure Login Client verifies during system startup of the client PC.

NetworkTimeout (DWORD)
  Network timeout in seconds before the connection is closed if the Secure Login Server does not respond. The default is 45 seconds (hexadecimal value: 2d).

DisableUpdatePolicyOnStartup (DWORD)
  By default, the Secure Login Client verifies a new client policy during system startup of the client PC. You can use this parameter to disable this feature.
    1: Disable automatic policy download.
    0: Enable automatic policy download.
  The default value is 0.


4.10.2 Applications and Profiles


The Secure Login Server provides the Applications and Profiles configuration to the Secure Login Client using ClientPolicy.xml and GlobalClientPolicy.xml. In addition, it is possible to download the configuration using the customerAll.reg and GlobalCustomerAll.reg files.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\applications\<Application Name>]

Parameter / Type / Description

GssTargetName (STRING)
  Application-specific PSE URI (SAP server SNC name) that is matched when a suitable profile is searched. You can use the wildcards * and ?.
  Example:
    SNC/CN=SAP, OU=SAP Security, C=DE
    SNC/CN=Server*, O=Company xyz
  Using the value * means that the client profile is used for all SAP servers.

profile (STRING)
  The name of the client profile to be used for the desired application.

allowFavorite (DWORD)
  Allow the user to select the authentication profile manually in Secure Login Client.
    0: User cannot select the authentication profile manually in Secure Login Client.
    1: User can select the authentication profile manually in Secure Login Client.
  The default value is 1.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<Profile Name>]

Parameter / Type / Description

profileName (STRING)
  The name of the client profile to be used for the desired application.

pseType (STRING)
  Authentication type.
    promptedlogin
      Using this profile, the user will be requested to enter the user credentials.
    windowslogin
      Using this profile, the user credentials will be provided automatically (only available for Microsoft Windows authentication).
  The default value is windowslogin.

enrollURL0 (STRING)
  Secure Login Server URL that is used for user authentication and certificate request. The Enroll URL depends on the instance configuration.
    <server>/securelogin/PseServer
      Enroll URL defined in the default instance of the Secure Login Server.
    <server>/securelogin/PseServer&id=000xx
      Enroll URL defined in instance xx (instance number) of the Secure Login Server.
  Use the Add button to configure further Enroll URLs. This is the failover configuration for the Secure Login Client. If the first Enroll URL cannot be established, the Secure Login Client tries the next Enroll URL defined here.

httpProxyURL (STRING)
  HTTP proxy to be used with enrollment URLs. Only HTTP proxies without authentication and without SSL to the proxy are supported.
  Example: http://example.address.com:8888

reAuthentication (DWORD)
  This parameter defines after how many login attempts the Secure Login Client login form is closed again.
  Example with value 4: the Secure Login Client offers the login form 4 times (for example, after wrong credential information) before the login form is closed.
  The default value is 0: the login form will never be closed, and the user needs to use the Cancel button to close the login form.

gracePeriod (DWORD)
  Value in seconds before the certificate expires at which an enrollment is to be carried out.
  The default value is 0.

inactivityTimeout (DWORD)
  Value in seconds until an automatic logout is performed (due to mouse and keyboard inactivity). Possible values:
    -1: No Single Sign-On (SSO). Each SNC connection forces a new login.
    0: No timeout. SSO without constraints. The default value is 0.
    > 0: Seconds until an automatic logout is executed.
autoReenrollTries (DWORD)
  The number of failed authentications in a row after which automatic re-enrollment is stopped. User name and password caching can be turned on to provide the automatic re-enrollment of certificates that are going to expire. Possible values:
    0: Turn off. Do not re-enroll automatically; do not cache user name and password. A re-enrollment must always be performed manually by the user.
    >0 (n): Turn on with n tries to succeed. Try to re-enroll a maximum of n times before either a new certificate is received or the user name and password cache are cleared. The error counter is reset on success.
  The default value is 0.

autoEnroll (DWORD)
  A user automatically gets an X.509 certificate when the Secure Login Client starts.
    0: Turn off.
    1: Automatic provisioning of user certificates.
  If pseType is set to windowslogin, user credentials are provided automatically (only applies for Microsoft Windows authentication). If pseType is set to promptedlogin, the system prompts the users to enter their credentials.

keySize (DWORD)
  RSA key length.
  The default value is 1024 (hexadecimal value: 400).

UniqueClientID (STRING)
  Custom-defined string; it is displayed in the instance log and can be used for network filtering issues.

networkTimeout (DWORD)
  Network timeout (in seconds) before the connection is closed if the server does not respond.
  The default value is 45 (hexadecimal value: 2d).
sslHostCommonNameCheck (DWORD)
  This applies to the SSL server certificate: it checks whether the peer host name is given in the Common Name (CN) field of the SSL server certificate.
    1: Verify the SSL server host name against the Common Name (CN) field of the SSL server certificate.
    0: Do not verify the SSL server host name against the Common Name (CN) field of the SSL server certificate.
  The default value is 0.

sslHostAlternativeNameCheck (DWORD)
  This applies to the SSL server certificate: it checks whether the peer host name is given in the Subject Alternative Name attribute of the certificate.
    1: Verify the SSL server host name against the Subject Alternative Name attribute of the SSL server certificate.
    0: Do not verify the SSL server host name against the Subject Alternative Name attribute of the SSL server certificate.
  The default value is 0.

sslHostExtensionCheck (DWORD)
  This applies to the SSL server certificate: it checks whether the extended key usage ServerAuthentication is defined.
    1: Verify whether the extended key usage ServerAuthentication is defined in the SSL server certificate.
    0: Do not verify whether the extended key usage ServerAuthentication is defined in the SSL server certificate.
  The default value is 0.

userWarningMSIE (DWORD)
  Turn on/off a warning dialog box that appears after a new certificate has been propagated to the Microsoft Crypto Store.
    1: Turn on the warning dialog box.
    0: Turn off the warning dialog box.
  NOTE: Microsoft Internet Explorer must be restarted.
  The default value is 0.

newPinType (STRING)
  Message text value used for messages (change PIN/password) to the Secure Login Client and Secure Login Web Client. Available values are pin and password.
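An offline audit of the client profile settings described above, added here as an example and not from the SAP guide or the product. It assumes the .reg text is a standard Windows Registry Editor 5.00 export (dword values as dword:<8 hex digits>, strings quoted), constructs both profiles inline with placeholder host names, and applies this example's own hardening baseline rather than anything the page prescribes: all three sslHost*Check flags set to 1, keySize of at least 2048, a non-zero inactivityTimeout, and HTTPS Enroll URLs.

```python
import re

PROFILE_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\SAP\\SecureLogin\\profiles\\"

# Constructed sample .reg export: one profile left at the defaults quoted on
# the page (checks off, 1024-bit key, no timeout), one hardened.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\Default Profile]
"profileName"="Default Profile"
"pseType"="promptedlogin"
"enrollURL0"="http://sls.example.test:50000/securelogin/PseServer"
"keySize"=dword:00000400
"sslHostCommonNameCheck"=dword:00000000
"sslHostAlternativeNameCheck"=dword:00000000
"sslHostExtensionCheck"=dword:00000000
"inactivityTimeout"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\Hardened Profile]
"profileName"="Hardened Profile"
"pseType"="promptedlogin"
"enrollURL0"="https://sls.example.test:50001/securelogin/PseServer"
"keySize"=dword:00000800
"sslHostCommonNameCheck"=dword:00000001
"sslHostAlternativeNameCheck"=dword:00000001
"sslHostExtensionCheck"=dword:00000001
"inactivityTimeout"=dword:00000708
'''

_VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse .reg export text into {key_path: {name: value}}.

    dword values become ints and quoted strings become str; other value
    types (binary, expandable strings) are not needed here and are skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE.match(line)
        if m is None or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith("dword:"):
            keys[current][name] = int(val[len("dword:"):], 16)
        elif len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            keys[current][name] = val[1:-1]
    return keys


def audit_profile(name, values):
    """Return the findings for one client profile (an empty list passes)."""
    findings = []
    for flag in ("sslHostCommonNameCheck", "sslHostAlternativeNameCheck",
                 "sslHostExtensionCheck"):
        if values.get(flag, 0) != 1:  # page default 0: server identity not checked
            findings.append("%s: %s=0, SSL server identity not verified" % (name, flag))
    key_size = values.get("keySize", 1024)  # page default 1024 (0x400)
    if key_size < 2048:
        findings.append("%s: keySize %d is below 2048" % (name, key_size))
    if values.get("inactivityTimeout", 0) == 0:  # page default 0: SSO never times out
        findings.append("%s: inactivityTimeout=0, no automatic logout" % name)
    for key, url in values.items():
        if key.startswith("enrollURL") and not str(url).lower().startswith("https://"):
            findings.append("%s: %s is not an HTTPS URL" % (name, key))
    return findings


def audit_reg(text):
    """Audit every profile key in a .reg export and return the combined findings."""
    findings = []
    for path, values in parse_reg(text).items():
        if path.startswith(PROFILE_KEY):
            findings.extend(audit_profile(path[len(PROFILE_KEY):], values))
    return findings


if __name__ == "__main__":
    for finding in audit_reg(SAMPLE_REG) or ["no findings"]:
        print(finding)
```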

4.11 Integrate into Existing PKI


If a Public Key Infrastructure (PKI) is available, the Secure Login Server can be integrated.
You can use the existing PKI to create the certificates for the SSL server and the SAP server.
To provide X.509 user certificates, the Secure Login Server requires a User CA certificate
which needs to be provided by the PKI.
The following certificate attributes are required for the user CA certificate.

Certificate Attribute / Details

Version
  V3

Asymmetric Algorithm
  RSA Algorithm

Key Usage
  Digital Signature
  Non-Repudiation
  Key Encipherment
  Data Encipherment
  Certificate Signing
  Off-line CRL Signing
  CRL Signing

Basic Constraints
  Subject Type=CA
  Path Length Constraint=None

The RSA Key Length depends on the customer requirements. We recommend that you
use 2048 Bit RSA keys or higher.

The user CA certificate should include the complete certificate chain. This means all
public certificate information of the chain should be provided.

Typically the file is provided in P12 format. The Secure Login Server requires a PSE format to import using Secure Login Administration Console.
Use the SAP tool SAPGENPSE to convert the P12 format to PSE format.
sapgenpse import_p12 -x <PSE_password> -z <P12_password> -p <PSE_file_name>.pse <P12_file_name>.p12


Log on to the Secure Login Administration Console and import the PSE file in Certificate
Management. Choose USER_CA and the option Import Certificate.
Restart the Secure Login Server Application.

4.12 Configuring Secure Login Servers as Failover Servers for High Availability

Use Case
You want to ensure high availability of the Secure Login Server. For example, you want to prevent the Secure Login Client from sending a certificate request and not getting a response.

Concept
Install and run several Secure Login Servers on different AS Java servers acting as failover servers. The URLs of the Secure Login Servers that are available are listed in the Enroll URL parameter of the client policy. This is where the Secure Login Client checks which path to use. If the first Secure Login Server is down, it goes to the next Secure Login Server that is specified in the list.

Configuration
1. Log on to the administration console.
2. Choose Instance Management > DefaultServer Configuration > Client Configuration and go to the Profiles tab.

3. Choose the Add Profile button to get to the Add/Modify Client Profile screen.


4. Behind the URL of the Enroll URL parameter, choose the Add button. A new row with
the previous URL as default value appears.

5. Enter the URL to the failover Secure Login Server. To configure more Secure Login
Servers as failover servers, add new rows and enter the relevant URLs.
6. Save your entries.


We recommend that you maintain this failover configuration in all Secure Login Servers you
use. For more information about the parameter Enroll URL, see 4.10.2 Applications and
Profiles.

4.13 Configuring Login Module Stacks as Failover Servers in SAP NetWeaver

Use Case
You want to ensure high availability of the Secure Login Server. For example, you want to
make sure that users are able to authenticate even if an authentication server for a
configured authentication method is not available.

Concept
Install and run authentication servers of the same type, for example two LDAP servers, in
different networks acting as an authentication failover solution. The authentication logic of the
Secure Login Server is handled by login modules. Several login modules of the same kind
are put into login module stacks (authentication stacks). These login modules are configured
to run with different authentication servers and have, for example, different IPs. When an
authentication request comes in, the Secure Login Server tries to use all configured login
modules until it gets to an authentication server that is online and returns an authentication
result. If, for any reason, the login module on top of the stack does not respond, the Secure
Login Server sends its authentication request to the next login module in the stack and
expects it to process the authentication request.
For more information, see the Help Portal at http://help.sap.com/nw703/ and choose
Application Help > SAP Library > SAP NetWeaver Library > SAP NetWeaver by Key
Capability > Security > User Authentication and Single Sign-On > Authentication on the AS
Java > Login Modules and Login Module Stacks.
If you simply try to insert and list login modules, and do not organize them in a stack, you
cannot change the configuration of the login module. SAP NetWeaver only accepts the
default configuration of a login module. However, for the authentication failover solution, you
need to adapt values, for example, the destination paths and the timeout.


So you create a login module stack (with a dedicated name) that contains a number of login
modules for authentication failover. Copy the login modules, list them in a logon module
stack, change their names, and adapt the configuration.
Authentication with the Secure Login Server only works with the following login modules.

Login Modules Used by the Secure Login Server

Name / Usage / Note

SecureLoginModuleLDAP
  Direct usage or in login module stack. Does not depend on UME.

SecureLoginModuleRADIUS
  Direct usage or in login module stack. Does not depend on UME.

SecureLoginModuleSAP
  Direct usage or in login module stack. Does not depend on UME.

BasicPasswordLoginModule
  Direct usage only. Not for login module stack, with UME.

SPNegoLoginModule
  Direct usage only. Not for login module stack, with UME.

Limitations
Put only login modules of the same kind into the login module stack. We do not support the
use of different login modules (mixed authentication types).

4.13.1 Configuration of SAP NetWeaver AS Java


To configure an SAP NetWeaver AS Java to act as an identity provider, proceed as follows:
1. Open the SAP NetWeaver Administrator and go to the Authentication and Single Sign-On service.
2. On the Authentication tab, there is a table under Component. Log on to the administration console.
3. To create a new login module stack for authentication custom configuration, choose the Create button. This custom configuration serves as your new login module stack.
4. Enter a configuration name and choose the type Custom. These entries appear in the Policy Configuration Name table.
5. In the section below under the Authentication Stack tab, add the login modules by choosing the Edit and Add buttons.
6. If you double-click the cell for the login module name, a dropdown list with the login modules that are available appears.
7. Select the login modules you need.
Note that we only support login module stacks with the same type of login modules, for example, with different IPs or destination paths.

150

06/2011

4 Other Configurations

14. Set the flag to SUFFICIENT to make sure that the authentication proceeds down the
list to the next login module if the authentication is not successful.
15. Set the authentication-relevant parameters and save your changes.
In these entries, you can change the names and the configuration.
For more information, see the Application Help in http://help.sap.com/nw731/ under SAP
Library > SAP NetWeaver Library: Function-Oriented View > Security > User Authentication
and Single Sign-On > Authentication Infrastructure > Login Modules > Policy Configurations
and Authentication Stacks.

4.13.2 Configuration of the Secure Login Server


The administration console of the Secure Login Server uses this newly created login module
stack directly. Keep in mind that you cannot adapt the parameters of the login module stack
in the administration console.
1. In the Secure Login Administration Console, enter the name of the login module
stack.
2. Choose the Edit button.
3. In the Instance Configuration > Authentication Server Configuration, choose the
authentication type Policy Configuration Name and enter the name of the relevant
login module stack.

4. Save your changes.


You have now implemented a failover solution using SAP NetWeaver login module stacks.


4.14 Setting Failover Timeouts of the Login Modules
When an authentication attempt arrives, and the authentication request is passed on and
proceeds down the list in the login module stack, the ICM timeout for a connection with an
external system may be exceeded. This leads to the error message internal server error.
Usually the default ICM timeout is 5000 ms.
You need to make sure that the timeouts belonging to the single login modules do not exceed
the ICM timeout. To avoid this, set the timeouts of the login module in your login module
stacks so that the total of all timeouts does not exceed the default ICM timeout.
If the bandwidth is very limited, consider changing the ICM timeout for the entire system. For
more information, see Internet Communication Manager (ICM) in the SAP Library under
Administration of the Internet Communication Manager > Additional Profile Parameters >
icm/conn_timeout.

Name of Login Module | Parameter Name | Description
SecureLoginModuleLDAP | LdapTimeout | Timeout for login
SecureLoginModuleSAP | SAPTimeout | Timeout for login
SecureLoginModuleSAP | maxNbrConnections | Maximum number of connections until authentication is blocked
SecureLoginModuleRADIUS | TimeOut | Timeout for login

You can set the timeout of the login modules in the login module stack as follows:
1. Select the login module for which you want to change the timeout. The table below
the module name contains its parameters and their values.
2. Go down to the section for the login module options and choose the Add button.
3. In the New Login Module Option dialog box, enter the name of the parameter you
want to add and provide a value.
4. Save your changes.
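To check a failover stack against the rules of sections 4.13 and 4.14 before saving it, the following added example (not part of this guide or of the SAP product) validates a constructed stack: only stackable Secure Login Server modules, no mixed authentication types, the SUFFICIENT flag on stacks with more than one module, and a timeout budget within the ICM timeout. It assumes the module timeout parameters are given in milliseconds like icm/conn_timeout, and the LoginModuleEntry structure is a hypothetical representation of one entry in the SAP NetWeaver Administrator.

```python
"""Check a Secure Login Server login module stack against sections 4.13/4.14.
Added example, not part of this guide or of SAP's software. Timeouts are
assumed to be in milliseconds, as icm/conn_timeout is."""
from dataclasses import dataclass, field

# Modules the Secure Login Server supports inside a login module stack (4.13)
# and the name of their login timeout parameter (4.14).
STACKABLE_MODULES = {
    "SecureLoginModuleLDAP": "LdapTimeout",
    "SecureLoginModuleSAP": "SAPTimeout",
    "SecureLoginModuleRADIUS": "TimeOut",
}
# Supported for direct usage only, never inside a stack (4.13).
DIRECT_ONLY_MODULES = {"BasicPasswordLoginModule", "SPNegoLoginModule"}
DEFAULT_ICM_TIMEOUT_MS = 5000  # default icm/conn_timeout quoted in 4.14


@dataclass
class LoginModuleEntry:
    """Hypothetical representation of one row of an authentication stack."""
    name: str      # entry name (the renamed copy of the module)
    module: str    # module type, e.g. SecureLoginModuleLDAP
    flag: str      # JAAS control flag, e.g. SUFFICIENT
    options: dict = field(default_factory=dict)  # login module options


def module_timeout_ms(entry):
    """Return the entry's login timeout in ms, or None if none is configured."""
    param = STACKABLE_MODULES.get(entry.module)
    if param is None or param not in entry.options:
        return None
    return int(entry.options[param])


def validate_stack(entries, icm_timeout_ms=DEFAULT_ICM_TIMEOUT_MS):
    """Return a list of findings; an empty list means the stack is acceptable."""
    findings = []
    if not entries:
        return ["stack contains no login modules"]
    # Rule 1 (4.13 table): only stackable Secure Login Server modules.
    for e in entries:
        if e.module in DIRECT_ONLY_MODULES:
            findings.append(f"{e.name}: {e.module} is for direct usage only, not for a stack")
        elif e.module not in STACKABLE_MODULES:
            findings.append(f"{e.name}: {e.module} is not used by the Secure Login Server")
    # Rule 2 (4.13 limitations): no mixed authentication types.
    kinds = sorted({e.module for e in entries if e.module in STACKABLE_MODULES})
    if len(kinds) > 1:
        findings.append("mixed authentication types in one stack: " + ", ".join(kinds))
    # Rule 3 (4.13.1): failover needs SUFFICIENT so a failed module hands over to
    # the next one. A single-module stack (4.15) may use REQUISITE instead.
    if len(entries) > 1:
        for e in entries:
            if e.flag.upper() != "SUFFICIENT":
                findings.append(f"{e.name}: flag {e.flag} does not fail over; use SUFFICIENT")
    # Rule 4 (4.14): the sum of all module timeouts must stay within the ICM
    # timeout, otherwise a slow backend surfaces as 'internal server error'.
    total_ms = 0
    for e in entries:
        t = module_timeout_ms(e)
        if t is None:
            if e.module in STACKABLE_MODULES:
                findings.append(f"{e.name}: {STACKABLE_MODULES[e.module]} not set")
        else:
            total_ms += t
    if total_ms > icm_timeout_ms:
        findings.append(f"sum of module timeouts ({total_ms} ms) exceeds "
                        f"the ICM timeout ({icm_timeout_ms} ms)")
    return findings


def sample_stacks():
    """Constructed sample stacks, not taken from any real system."""
    ldap = "SecureLoginModuleLDAP"
    return {
        # Two LDAP servers for failover: same kind, SUFFICIENT, 4500 ms in total.
        "ldap_failover": [
            LoginModuleEntry("LDAP_SITE_A", ldap, "SUFFICIENT", {"LdapTimeout": "2000"}),
            LoginModuleEntry("LDAP_SITE_B", ldap, "SUFFICIENT", {"LdapTimeout": "2500"}),
        ],
        # Broken stack: mixed types, REQUIRED flag, SPNego in a stack, 6000 ms.
        "broken": [
            LoginModuleEntry("LDAP_MAIN", ldap, "REQUIRED", {"LdapTimeout": "3000"}),
            LoginModuleEntry("RADIUS_BACKUP", "SecureLoginModuleRADIUS", "SUFFICIENT",
                             {"TimeOut": "3000"}),
            LoginModuleEntry("SPNEGO", "SPNegoLoginModule", "SUFFICIENT"),
        ],
        # Single-module stack as in 4.15: REQUISITE is acceptable here.
        "ldap_group1": [
            LoginModuleEntry("LDAP_GROUP1", ldap, "REQUISITE", {"LdapTimeout": "4000"}),
        ],
    }


if __name__ == "__main__":
    for stack_name, stack in sample_stacks().items():
        print(f"{stack_name}:")
        for line in validate_stack(stack) or ["OK"]:
            print(f"  {line}")
```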

4.15 Custom Use of Login Module with Login Module Stacks
Use Case
You want to use several Secure Login Server instances with authentication types of the same
kind. Since it is only possible to have one configuration per login module, you can overwrite
the login module configuration if you use it in a login module stack. Working with a login
module stack enables you to use the default configuration of the login module, change
authentication-relevant parameters in the SAP NetWeaver Administrator and store them in a
login module stack with only one login module.
Use this option if, for example, you want to create one LDAP login module for a dedicated
group of users and another one for another group of users. Create a login module stack for
the first group of users and one for the second group of users, with each login module stack
containing only one login module.

Configuration
1. Configure a login module stack in the policy configuration of the SAP NetWeaver
JAAS as described above (see 4.13.1 Configuration of SAP NetWeaver AS Java).
Use the REQUISITE flag for your login module stack. Set the authentication-relevant
parameters as desired.
2. In the Secure Login Administration Console, enter the name of the login module
stack. Proceed with the configuration as described above (see 4.13.2 Configuration
of the Secure Login Server).


5 Configuration Examples
This section describes some configuration examples for Secure Login Server.

5.1 Kerberos Authentication with SPNego


In this configuration example, the user authentication is verified against a Microsoft Windows
domain.
Prerequisites
Secure Login Server is installed and the initial wizard has been completed.
In Certificate Management at least the User CA is available.
If you want to use HTTPS, you need to enable SSL on the SAP NetWeaver server.
You have configured and enabled SPNego on the SAP NetWeaver Administrator.
Configuration Steps
1. Log on to the Secure Login Administration Console and choose the node Instance
Management.
2. Verify whether the authentication mechanism in Instance is configured correctly.
JaasModule = SPNegoLoginModule
3. Choose the node Certificate Management and verify if the parameter Mapping to
Instance (USER_CA) is enabled (checkbox) for this instance.
4. Choose the node Client Configuration and configure Client Policy, Applications and
Profiles (section 3.4 Instance Management). Make sure that pseType is set to
windowslogin.
Export the client policy (customer.reg) which is used for Secure Login Client
Installation.
5. Restart the Secure Login Server.
6. Install the Secure Login Client application on the client PC (for more information, see
the Installation, Configuration and Administration Guide for Secure Login Client).
Import the customer.reg files to the client registry.
Verify whether the certificate chain (trust relation) of the SSL server certificate is in
the Microsoft Certificate Store (Computer Certificate Store). Import missing
certificates.
7. Restart the client PC.
8. In the Secure Login Client the profile defined in Instance Management is displayed in
the Secure Login Client Console.
Double-click this profile, and an X.509 certificate is provided without further user
interaction.
After a successful authentication an X.509 user certificate is provided.
This user certificate is displayed in the Secure Login Client Console and is available
in the Microsoft Certificate Store (User Certificate Store).


5.2 LDAP User Authentication


In this configuration example, the user authentication is verified against a Microsoft Active
Directory System or LDAP server.
Prerequisites
Secure Login Server is installed and the initial wizard has been completed.
In Certificate Management at least the User CA is available.
If you want to use HTTPS, you need to enable SSL on the SAP NetWeaver server.
Configuration Steps
1. Log on to the Secure Login Administration Console and choose the node
Instance Management.
2. Verify whether the authentication mechanism in the instance is configured
correctly.
JaasModule = SecureLoginModuleLDAP
3. Choose the node Certificate Management and check if the parameter Mapping to
Instance (USER_CA) is enabled (checkbox) for this Instance.
4. Choose the node Client Configuration and configure Client Policy, Applications
and Profiles (section 3.4 Instance Management).
Export the Client Policy (customer.reg), which will be used for the Secure Login
Client Installation.
5. Log on to SAP NetWeaver Administrator and define the connection parameters
for the Login Module SecureLoginModuleLDAP (section 4.1 Configure Login
Module).
6. If you are using LDAPS, import the LDAPS certificate into the Secure Login
Server Trust Store. For further information, see section 3.3.4 Trust Store
Management.
7. Restart the Secure Login Server Application.
If you are using LDAPS, restart the SAP NetWeaver Java application server.
8. Install the Secure Login Client application on the client PC (For more information,
see the Installation, Configuration and Administration Guide for the Secure Login
Client).
Import the customer.reg files to the Client registry.
Verify whether the certificate chain (trust relation) of the SSL server certificate is
in the Microsoft Certificate Store (Computer Certificate Store). Import missing
certificates.
9. Restart your client PC.
10. In the Secure Login Client, the profile defined in Instance Management is
displayed in Secure Login Client Console.
Double-click this profile and enter the user name and password (Active Directory
System or LDAP server).
After successful authentication an X.509 user certificate is provided.


This user certificate is displayed in the Secure Login Client Console and is
available in the Microsoft Certificate Store (User Certificate Store).

5.3 SAP User Authentication


In this example, you configure that users automatically get X.509 certificates when they are
logged on to a Microsoft Windows domain. The Microsoft Windows domain authentication is
double-checked against the SAP ABAP server.
Prerequisites
Secure Login Server is installed and the initial wizard has been completed.
In Certificate Management at least the user CA is available.
If you want to use HTTPS, you need to enable SSL in the SAP NetWeaver server.
Secure Login Library is installed (described in 2.1.1 Secure Login Library).
Configuration Steps
1. Log on to the Secure Login Administration Console, and choose the node Certificate
Management.
2. Create a new certificate for the technical user (for Secure Login Server) choosing
certificate type SNC_CERT (for example, CN=SLSSNC).
3. Create a new SAP ABAP server certificate choosing certificate type SAP_SERVER
(for example, CN=ABC, OU=SAP Security).
4. Perform the SNC configuration (section 3.3.8 SNC Configuration) and import the
certificate of the technical user (Option: From Console).
5. Verify whether the authentication mechanism in the instance is configured correctly.
JaasModule = SecureLoginModuleSAP
6. Choose the node Certificate Management and check if the parameter Mapping to
Instance (USER_CA) is enabled (checkbox) for this instance.
7. Choose the node Client Configuration and configure Client Policy, Applications and
Profiles (section 3.4 Instance Management).
Export the Client Policy (customer.reg) to be used for Secure Login Client
Installation.
8. Log on to SAP NetWeaver Administrator and define the connection parameters for
the Login Module SecureLoginModuleSAP (section 4.1 Configure Login Module).
9. Restart the Secure Login Server application.
10. Install Secure Login Library on the target SAP ABAP server.
Enable the SNC configuration.
Import the SAP ABAP Server certificate in transaction STRUST.
Restart the SAP ABAP Server.
For further information, see the Installation, Configuration and Administration Guide
for Secure Login Library.
11. Create a technical user (for Secure Login Server) in SAP User Management (for
example, SLSSNC), define authorizations and configure the SNC Name (for
example, CN=SLSSNC).
For more information, see section 4.3 Create Technical User in SAP Server.
12. Install the Secure Login Client application on the client PC (for more information, see
the Installation, Configuration and Administration Guide for the Secure Login Client).
Import the customer.reg files into the client registry.
Verify whether the certificate chain (trust relation) of the SSL server certificate is in
the Microsoft Certificate Store (Computer Certificate Store). Import missing
certificates.
13. Restart your client PC.
14. In the Secure Login Client, the profile defined in Instance Management is displayed in
the Secure Login Client Console.
Double-click this profile and enter the SAP user name and password.
After successful authentication, an X.509 user certificate is provided.
This user certificate is displayed in the Secure Login Client Console and is available
in the Microsoft Certificate Store (User Certificate Store).

5.4 RADIUS User Authentication


In this configuration example, the user authentication is verified against a RADIUS server.
Prerequisites
Secure Login Server is installed and the initial wizard was completed.
In Certificate Management at least the User CA is available.
If you want to use HTTPS, you need to enable SSL in the SAP NetWeaver server.
Configuration Steps
1. Log on to the Secure Login Administration Console and choose the node Instance
Management.
2. Verify whether the authentication mechanism in the instance is configured correctly.
JaasModule = SecureLoginModuleRADIUS
3. Choose the node Certificate Management and check if the parameter Mapping to
Instance (USER_CA) is enabled (checkbox) for this instance.
4. Choose the node Client Configuration and configure Client Policy, Applications and
Profiles (section 3.4 Instance Management).
Export the Client Policy (customer.reg) to be used for Secure Login Client
installation.
5. In the RADIUS Server, configure Radius Client for Secure Login Server. This means
that the Secure Login Server can establish communication to the RADIUS Server.
Define the Shared Secret for this connection.
6. Log on to SAP NetWeaver Administrator and define the connection parameters for
the Login Module SecureLoginModuleRADIUS (section 4.1 Configure Login Module).
7. Restart the Secure Login Server Application.


8. Install the Secure Login Client application on the client PC (for more information, see
the Installation, Configuration and Administration Guide for Secure Login Client).
Import the customer.reg files into the client registry.
Verify whether the certificate chain (trust relation) of the SSL server certificate is in
the Microsoft Certificate Store (Computer Certificate Store). Import missing
certificates.
9. Restart your client PC.
10. In Secure Login Client the profile defined in Instance Management is displayed in
Secure Login Client Console.
Double-click this profile and enter the user name and password (RADIUS user
database).
After successful authentication, an X.509 user certificate is provided.
This user certificate is displayed in the Secure Login Client Console and is available
in the Microsoft Certificate Store (User Certificate Store).

5.5 Configuring RSA Authentication with RADIUS
Prerequisites
An RSA Authentication Manager (with a RADIUS server) is installed and running. The
versions currently supported are 6.1 and 7.1. It communicates with the Secure Login Server
through its RADIUS protocol using its own RADIUS server. The Secure Login Server
supports new SecurID PINs and the next token code of RSA SecurID tokens. For more
information, see the corresponding RSA Authentication Manager documentation. For more
information on the parameters for RADIUS, see 4.1 Configure Login Module.

5.5.1 Configuration of the securid.ini File


For communication with the RSA Authentication Manager, you need the securid.ini file, which
is provided by the RADIUS server. The Secure Login Server installation package installs a
sample securid.ini file (corresponding to RSA Authentication Manager 7.1) in the global
directory. You need not edit the file for the configuration. RSA server messages automatically
parse the PIN policy and the minimum and maximum PIN length and transfer the values to
the Secure Login Client without any configuration effort on your side.
We recommend that you use the file provided by your RSA RADIUS server. To do this,
proceed as follows:
1. On the RADIUS server, go to the directory that contains securid.ini. For more
information on the file path, see the documentation of the RSA Authentication Server.
2. Copy the new file to the global directory of the Secure Login Server, and overwrite
the old securid.ini file. The path to the global directory remains the same. By default,
the relative path to the securid.ini file in the SAP NetWeaver Administrator is
%GLOBAL_SLS_CONF_DIR%/Instances/securid.ini.


5.5.2 Customer-Specific Configuration of the securid.ini File
If you want to keep your customer-specific securid.ini file, you have to make sure that your
file is located in the relevant directory, either in the global directory or a directory of your
choice. In the latter case, adapt the path in the SAP NetWeaver Administrator of the RADIUS
login module.
Take the following steps:

Use Case: securid.ini located in the global directory
Checks and Activities:
1. Rename your securid.ini file, for example, to securid.old.
2. Update the installation to Secure Login Server SP2.
3. Rename securid.old to securid.ini, thus overwriting the installed sample file.
4. Check whether the path entered in the SAP NetWeaver Administrator is
%GLOBAL_SLS_CONF_DIR%/Instances/securid.ini.
5. Copy your securid.ini into the RADIUS server environment.

Use Case: securid.ini located in another directory
Checks and Activities:
1. Make sure that your custom directory path is entered in the SAP NetWeaver
Administrator, either in the login module or in the login module stack.
2. Copy your securid.ini into the RADIUS server environment.

In either case, compare the securid.ini files on the Secure Login Server and on the
RADIUS server to make sure that they are identical.
To change the path in the SAP NetWeaver Administrator, proceed as follows:
1. Go to SAP NetWeaver Administrator. Under Authentication and Single Sign-On,
choose Login Modules.
2. Select the login module SecureLoginModuleRADIUS.
3. On the Login Module Options tab, find the parameter SecuridFile. Here you see the
relative path to the global directory
%GLOBAL_SLS_CONF_DIR%/Instances/securid.ini.
4. Enter the path where you stored your securid.ini file.
5. Save your changes.

If you are using a login module stack, enter the path to the securid.ini file in the
configuration of the login module stack.

For more information, see the Help Portal at http://help.sap.com/nw703/ and choose
Application Help > SAP Library > SAP NetWeaver Library > SAP NetWeaver by Key
Capability > Security > User Authentication and Single Sign-On > Authentication on the AS
Java > Login Modules and Login Module Stacks.


5.5.3 Ensuring Encrypted Communication with Shared Secret
To make sure that the RSA Authentication Manager can communicate with the RSA server,
you need to do the following:
1. Add the SAP NetWeaver IP address to the list of the RSA RADIUS clients in the RSA
Authentication Manager.
2. Enter a shared secret for the RSA RADIUS client or use the shared secret that is
delivered as default.
3. Configure the shared secret property SharedSecret in the configuration of the
RADIUS login module accordingly.
Since the shared secret is entered in the SAP NetWeaver Administrator and visible to other
users, encrypt the shared secret of the RADIUS server and insert the encrypted string into
SAP NetWeaver Administrator. This means that only the Secure Login Server can read the
shared secret.
Your system administrator must know the shared secret of the RADIUS server. To
encrypt the shared secret, take the following steps:
1. Open the administration console of the Secure Login Server.
2. Choose Secret Encryption under Server Configuration.
3. Paste the shared secret into the input field Shared Secret.
4. To encrypt your input, choose the Encrypt button. The field Encrypted Secret, which
is immediately below, displays the encrypted result.

5. Select the character string in this field and copy it to the clipboard.
6. In SAP NetWeaver Administrator (you can use the convenient link on the screen of
the Secure Login Server), choose Authentication and Single Sign-On > Login
Modules.
7. Select the login module SecureLoginModuleRADIUS.
8. On the Login Module Options tab, find the parameter SharedSecret. Paste the
encrypted character string of the shared secret as the value for this parameter.
9. Save your changes.

If you are using a login module stack, enter the path to the securid.ini file in the
configuration of the login module stack.


6 Troubleshooting
This section gives additional information about troubleshooting for Secure Login Server.

6.1 Checklist User Authentication Problem


This section describes the configuration issues to check if a user authentication is not
successful.
Checklist: Possible Issues

Is verification using different user credentials?

Log on to the Secure Login Administration Console and check the log information in
Instance Log Management. Check if the user authentication is displayed. If this is not the
case, there may be a problem on the Secure Login Client or Secure Login Web Client.
Verify the following parameter in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<profile_name>]
enrollURL0 = <URL>

Check whether the enrollURL is configured for the desired instance. Check in Secure
Login Administration Console Instance Management.
Copy this URL to the browser application and check if a response is displayed (ignore the
responses ERROR_ACTION or INTERNAL_SERVER_ERROR).
Change the URL of the parameter enrollURL to HTTP and check if this works.
If this works, there is a problem with the HTTPS connection.
If you are using HTTPS, the problem may relate to the certificate trust relationship.
If this is the case, import the root certificate, on which the SSL server certificate depends
and move it to the Microsoft Certificate Store (Computer Certificate Store).

Verify whether the authentication mechanism in the instance is correctly configured.


JaasModule = SecureLoginModule<respective_authentication_server_type>

Choose the node Certificate Management and verify whether the parameter Mapping to
Instance (USER_CA) is enabled (checkbox) for this instance.

Start SAP NetWeaver Administrator and verify the connection configuration parameter in
Login Module SecureLoginModule<respective_authentication_server_type>.

Restart the Secure Login Server Application. For some configuration issues in Secure
Login Administration Console a restart of the Secure Login Server Application is required.

Enable the Server Trace in the Secure Login Administration Console (section 6.3 Enable
Secure Login Server Trace) and start the diagnostic trace tool in SAP NetWeaver
Administrator.
Log on to SAP NetWeaver Administrator and choose Problem Management. Choose
Logs and Traces and Security Troubleshooting Wizard.
Choose the diagnostic type Authentication and start the trace by choosing Start
Diagnostics.
Repeat the user authentication in Secure Login Client or Secure Login Web Client.
Stop the trace by choosing the Stop Diagnostics button, and analyze the results.


6.2 Secure Login Server SNC Problem


For the Secure Login Server to verify SAP user credentials, secure communication to the
SAP ABAP server needs to be established. The communication is secured using SNC.
Problem
The Secure Login Server cannot establish an SNC connection to the SAP Server.
Checklist: Possible Issues

Log on to Secure Login Administration Console and verify the log information in Instance
Log Management. Check if the user authentication is displayed. If this is not the case,
there may be a problem in the Secure Login Client or Secure Login Web Client.

Verify whether the authentication mechanism in Instance is configured correctly.


JaasModule = SecureLoginModuleSAP

Verify whether the Instance Mapping in Certificate Management is enabled (checkbox)


for this instance.

Start SAP NetWeaver Administrator and verify the connection configuration parameter in
Login Module SecureLoginModuleSAP.

Verify whether Secure Login Library is installed correctly.


Verify the installation described in section 2.1.1 Secure Login Library.
Verify whether the folder <ASJava_Installation>\exe, which is used by Secure Login
Library is included in JAVA Library Path. Verify the JAVA Library Path (libpath) in the
trace file <ASJava_Installation>\work\dev_jstart.

Verify whether an SNC certificate was provided to Secure Login Library PSE
environment.
Verify whether the file pse.zip is available in folder <ASJava_Installation>\sec
Start the command line shell and change to the folder <ASJava_Installation>/exe.
Set the environment SECUDIR=<ASJava_Installation>/sec
Use the command: snc -O <SAP Service User> status -v
Microsoft Windows example: snc -O SAPServiceABC status -v
Linux example: snc -O abcadm status -v

Verify whether a technical user was created on the SAP ABAP server.
Verify SAP user access rights (authorization profiles).
Verify whether the SNC name is configured correctly.

Enable Secure Login Library trace and analyze the problem. For more information, see
section 6.4 Enable Secure Login Library Trace.


If the error message Couldn't acquire DEFAULT INITIATING credentials is displayed,
verify whether the environment variable SECUDIR is configured correctly for the user
who is starting the SAP server. Verify the installation of Secure Login Library in section
2.1.1 Secure Login Library.

6.3 Enable Secure Login Server Trace


Choose the Server Configuration node in the left-hand pane of the Administration Console
and enable the trace option. Define the value true for the parameter Enable Server Trace and
restart the Secure Login Server application.
The trace file is written to the Default Trace of SAP NetWeaver. Log on to SAP NetWeaver
Administrator and choose Problem Management, Log and Traces and Log Viewer.
Choose the option Show View, General and Default Trace (Java).
Secure Login Server can generate a large amount of trace output. For test systems, we
recommend that you enable tracing. For production systems, we recommend that you
disable tracing since this might result in unnecessary log files and impact performance.
Deactivate the Secure Login Server Trace after you have analyzed the problem.

6.4 Enable Secure Login Library Trace


To enable the trace option, the files sec_log_file_filename.txt and sec_log_file_level.txt need
to be created in the following folder:
Microsoft Windows: %HOMEDRIVE%%HOMEPATH%\sec or C:\sec
Unix/Linux: $HOME/sec or /etc/sec

The file sec_log_file_filename.txt contains the name of the trace file.


The name can contain %.PID.%, which is replaced by the process ID.
A typical SAP Web AS creates multiple work processes, so use this feature to avoid parallel
access to the same file by all processes.
Microsoft Windows Example
sec_log_file_filename.txt
C:\sec\log-%.PID.%.txt


Unix/Linux Example
sec_log_file_filename.txt
/etc/sec/log-%.PID.%.txt

The file sec_log_file_level.txt contains the trace level as a single digit.


Example
sec_log_file_level.txt
4

Value | Details (levels from lowest to highest)
No trace
Errors
Errors and warnings
Errors, warnings and logs
Errors, warnings, logs and information

6.5 Secure Login Server Lock and Unlock


Secure Login Server locks itself when it detects a serious problem such as authentication
server failure that affects all clients. To unlock the server or server instance, use the Unlock
button in the Secure Login Administration Console or delete the lock file.
Secure Login Server uses the following files to lock the server or server instance:
PseServer.lock
This file is used to lock the entire server. The server lock is only applied if the
Configuration.properties file cannot be read. The LockDir property in the web.xml file is used
to apply the server lock.
The PseServer.lock file is written to the following folder:
Microsoft Windows
<INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\
Instances
Linux
/usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances


PseInstance<instance_number>.lock
If the Configuration.properties file can be read by Secure Login Server and a lock becomes
necessary, Secure Login Server creates an instance-based lock. The directory for the
instance-based lock is specified by the property LockDir in Configuration.properties.
The PseInstance<instance_number>.lock file is written to the folder:
Microsoft Windows
<INSTDRIVE>:\usr\sap\<SID>\SYS\global\SecureLoginServer\securelogin\
Instances\<instance_number>\
Linux
/usr/sap/<SID>/SYS/global/SecureLoginServer/securelogin/Instances/<instance_number>/
Analyze and solve the problem, before deleting the lock file or changing the status in
Secure Login Administration Console (use the Unlock button).

6.6 Access Denied Replies


This problem applies only to Microsoft Windows operating systems.
Problem
The Secure Login Server is returning a large amount of Access Denied replies to the Secure
Login Client during heavy load.
Explanation
The reason for this behavior is that after a TCP/IP socket has been used for communication,
and this connection is closed down after the communication has taken place, the OS keeps
this socket for some time until it releases it again for its next use.
This means that the parameter TcpTimedWaitDelay is set too high and must be changed. For
more information, see the following Microsoft page:
http://technet2.microsoft.com/windowsServer/en/library/38b8bf76-b7d3-473c84e8-e657c0c619d11033.mspx

Solution
Open regedit and locate the parameter TcpTimedWaitDelay under:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the value for TcpTimedWaitDelay to 30 seconds

6.7 Internal Server Message


Use Case
You tried to authenticate to an AS Java using a login module stack, but did not succeed. After
a number of unsuccessful authentication attempts, an Internal server message is displayed.


A reason for this error could be an ICM timeout error. For more information, see 4.14 Setting
Failover Timeouts of the Login Modules and Internet Communication Manager (ICM) in the
SAP Library under Administration of the Internet Communication Manager > Additional Profile
Parameters > icm/conn_timeout.

6.8 Error Codes


This chapter describes the error codes and return codes, their meaning and possible
corrections.

6.8.1 Secure Login Server Error Codes


Error Code | Description | Solution

JAAS_LDAP_ERROR
Description: Authentication fails due to configuration errors of the login module for LDAP or
timing problems on the network.
Solution: Verify the configuration of the login module for LDAP. If using LDAPS, make sure
that its CA certificate is imported into the trust store of the Secure Login Server.

JAAS_RADIUS_ERROR
Description: Authentication fails due to configuration errors of the login module for RADIUS
or timing problems on the network.
Solution: Verify the configuration of the login module for RADIUS. Check if the RADIUS
server is up and running.

AUTH_RESULT_ACTION_OK_MSG
Description: Authentication successful.
Solution: N/A (result only)

AUTH_RESULT_ACTION_DENIED_MSG
Description: Authentication denied.
Solution: N/A (result only)

NEW_PIN_REPLY_ACCEPTED_MSG
Description: The new PIN/password was accepted.
Solution: N/A (result only)

NEW_PIN_REPLY_REJECTED_MSG
Description: A new PIN/password is required.
Solution: N/A (result only)

AUTH_SERVER_TIMEOUT_MSG
Description: If the login module cannot establish a connection to the authentication server,
a timeout error is set.
Solution: Possible reasons for this error are one of the following:
Unable to establish an SNC connection to the SAP server: the Secure Login Server SAP
user is not properly configured, the Secure Login Server SAP user does not have the
required permissions, or the SNC configuration for the Secure Login Server is faulty.
Timeout in the network connection.
Authentication server is down.

CERT_CREATE_ERROR
Description: An error occurred while trying to create a new certificate.
Solution: Verify the certificate in Certificate Management. Verify the parameter PseName in
Instance Management.

CERT_INIT_ERROR
Description: An error occurred while accessing the resources needed for this process, that
is, the PSE used.
Solution: Make sure that the configuration file Configuration.properties contains the correct
name, password, and aliases for the specific PSE.

PSE_ADMIN_ERROR
Description: An error occurred inside the PSE admin server.
Solution: Verify the certificate in Certificate Management. Verify the parameter PseName in
Instance Management.

PSE_ARCHIVE_ERROR
Description: This code may be due to insufficient disk space or missing write access when
writing or creating the log file.
Solution: Make sure the application has the access rights to write to, or create, the specified
log directory, and that there is enough disk space.

PSE_CREATE_ERROR
Description: This code can indicate a problem while creating an outgoing message.
Solution: Make sure that the configuration file Configuration.properties contains all
mandatory entries.

PSE_HANDLING_ERROR
Description: An error occurred while handling a client request.
Solution: Verify the certificate in Certificate Management. Verify the parameter PseName in
Instance Management.

PSE_INIT_ERROR
Description: May be caused when initializing the servlets. This is usually the case when the
Secure Login Server configuration could not be read, either because the configuration URL
is not set in the configuration file of the servlet engine or the file could not be found under
the specified URL.
Solution: Make sure the URL is set correctly to the Configuration.properties file.

PSE_IO_ERROR
Description: Occurs when the servlet cannot send its response to the client due to network
problems.
Solution: Make sure the network is configured correctly and running.

PSE_SERVER_ERROR
Description: An error occurred with the PSE server.
Solution: Verify the certificate in Certificate Management. Verify the parameter PseName in
Instance Management.

PSE_SERVER_TIMEOUT
Description: The client session timed out.
Solution: Check in the login module configuration that the timeout value is high enough.

6.8.2 SAP Stacktrace Error Codes

Runtime Error Code / Description

CALL_BACK_ENTRY_NOT_FOUND
  The called function module is not released for RFC.

CALL_FUNCTION_DEST_TYPE
  The type of the destination is not allowed.

CALL_FUNCTION_NO_SENDER
  The current function is not called remotely.

CALL_FUNCTION_DESTINATION_NO_T
  Missing communication type (I for internal connection, 3 for ABAP) when executing an
  asynchronous RFC.

CALL_FUNCTION_NO_DEST
  The specified destination does not exist.

CALL_FUNCTION_OPTION_OVERFLOW
  Maximum length of options for the destination exceeded.

CALL_FUNCTION_NO_LB_DEST
  The specified destination (in load distribution mode) does not exist.

CALL_FUNCTION_NO_RECEIVER
  Data received for unknown CPI-C connection.

CALL_FUNCTION_NOT_REMOTE
  The function module being called is not flagged as being remotely callable.

CALL_FUNCTION_REMOTE_ERROR
  While executing an RFC, an error occurred that has been logged in the calling system.

CALL_FUNCTION_SIGNON_INCOMPL
  Logon data for the user is incomplete.

CALL_FUNCTION_SIGNON_INTRUDER
  Logon attempt in the form of an internal call in a target system not allowed.

CALL_FUNCTION_SIGNON_INVALID
  RFC from external program without valid user ID.

CALL_FUNCTION_SIGNON_REJECTED
  Logon attempt in target system without valid user ID. This error code may have any of
  the following meanings:
  - Incorrect password or invalid user ID.
  - User locked.
  - Too many logon attempts.
  - Error in authorization buffer (internal error).
  - No external user check.
  - Invalid user type.
  - Validity period of the user exceeded.

CALL_FUNCTION_SINGLE_LOGIN_REJ
  No authorization to log on as a trusted system. The error code may have any of the
  following meanings:
  - Incorrect logon data for valid security ID.
  - Calling system is not a trusted system or security ID is invalid.
  - Either the user does not have RFC authorization (authorization object S_RFCACL), or a
    logon was performed using one of the protected users DDIC or SAP*.
  - Time stamp of the logon data is invalid.

CALL_FUNCTION_SYSCALL_ONLY
  RFC without valid user ID only allowed when calling a system function module. The meaning
  of the error codes is the same as for CALL_FUNCTION_SINGLE_LOGIN_REJ.

CALL_FUNCTION_TABINFO
  Data error (info internal table) during an RFC.

CALL_FUNCTION_TABLE_NO_MEMORY
  No memory available for table being imported.

CALL_FUNCTION_TASK_IN_USE
  For asynchronous RFC only: task name is already being used.

CALL_FUNCTION_TASK_YET_OPEN
  For asynchronous RFC only: the specified task is already open.

CALL_FUNCTION_NO_AUTH
  No RFC authorization.

CALL_RPERF_SLOGIN_AUTH_ERROR
  No trusted authorization for RFC caller and trusted system.

CALL_RPERF_SLOGIN_READ_ERROR
  No valid trusted entry for the calling system.

RFC_NO_AUTHORITY
  No RFC authorization for user.

CALL_FUNCTION_BACK_REJECTED
  Destination BACK is not permitted in current program.

CALL_XMLRFC_BACK_REJECTED
  Destination BACK is not permitted in current program.

CALL_FUNCTION_DEST_SCAN
  Error while evaluating RFC destination.

CALL_FUNCTION_CONFLICT_TAB_TYP
  Type conflict while transferring table.

CALL_FUNCTION_CREATE_TABLE
  No memory available for creating a local internal table.

CALL_FUNCTION_UC_STRUCT
  Type conflict while transferring structure.

CALL_FUNCTION_DEEP_MISMATCH
  Type conflict while transferring structure.

CALL_FUNCTION_WRONG_VALUE_LENG
  Invalid data type while transferring parameters.

CALL_FUNCTION_PARAMETER_TYPE
  Invalid data type while transferring parameters.

CALL_FUNCTION_ILLEGAL_DATA_TYP
  Invalid data type while transferring parameters.

CALL_FUNCTION_ILLEGAL_INT_LEN
  Type conflict while transferring an integer.

CALL_FUNCTION_ILL_INT2_LENG
  Type conflict while transferring an integer.

CALL_FUNCTION_ILL_FLOAT_FORMAT
  Type conflict while transferring a floating point number.

CALL_FUNCTION_ILL_FLOAT_LENG
  Type conflict while transferring a floating point number.

CALL_FUNCTION_ILLEGAL_LEAVE
  Invalid LEAVE statement on RFC server.

CALL_FUNCTION_OBJECT_SIZE
  Type conflict while transferring a reference.

CALL_FUNCTION_ROT_REGISTER
  Type conflict while transferring a reference.

7 List of Abbreviations
Abbreviation / Meaning

ADS: Active Directory Service
CA: Certification Authority
CAPI: Microsoft Crypto API
CSP: Cryptographic Service Provider
DN: Distinguished Name
EAR: Enterprise Application Archive
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol with Secure Sockets Layer (SSL)
IAS: Internet Authentication Service (Microsoft Windows Server 2003)
JAAS: Java Authentication and Authorization Service
JSPM: Java Support Package Manager
LDAP: Lightweight Directory Access Protocol
NPA: Network Policy and Access Services (Microsoft Windows Server 2008)
PIN: Personal Identification Number
PKCS: Public Key Cryptography Standards
PKCS#10: Certification Request Standard
PKCS#11: Cryptographic Token Interface Standard
PKCS#12: Personal Information Exchange Syntax Standard
PKI: Public Key Infrastructure
PSE: Personal Security Environment
RADIUS: Remote Authentication Dial-In User Service
RFC: Remote Function Call (SAP NetWeaver term)
RSA: Rivest, Shamir and Adleman
SAR: SAP Archive
SCA: Software Component Archive
SLAC: Secure Login Administration Console
SLC: Secure Login Client
SLL: Secure Login Library
SLS: Secure Login Server
SLWC: Secure Login Web Client
SNC: Secure Network Communication (SAP term)
SSL: Secure Sockets Layer
UPN: User Principal Name
WAR: Web Archive
WAS: Web Application Server

8 Glossary
Authentication
A process that checks whether a person is really who they claim to be. In a multi-user or
network system, authentication means the validation of a user's logon information. A user's
name and password are compared against an authorized list.

Base64 encoding
The Base64 encoding is a three-byte-to-four-character encoding based on an alphabet of
64 characters. This encoding was introduced in PEM (RFC 1421) and MIME. Other uses
include HTTP Basic Authentication headers and general binary-to-text encoding
applications.
Note: Base64 encoding expands binary data by 33%, which is quite efficient.

CAPI
See Cryptographic Application Programming Interface

Certificate
A digital identity card. A certificate typically includes:
- The public key being signed.
- A name which can refer to a person, a computer, or an organization.
- A validity period.
- The location (URL) of a revocation center.
- The digital signature of the certificate produced by the private key of the CA.
The most common certificate standard is the ITU-T X.509.

Certification Authority (CA)
An entity which issues and verifies digital certificates for use by other parties.

Certificate Store
Sets of security certificates belonging to user tokens or certification authorities.

CREDDIR
A directory on the server in which information is placed that goes beyond the PSE
(personal security environment).

Credentials
Used to establish the identity of a party in communication. Usually they take the form of
machine-readable cryptographic keys and/or passwords. Cryptographic credentials may
be self-issued, or issued by a trusted third party; in many cases the only criterion for
issuance is unambiguous association of the credential with a specific, real individual or
other entity. Cryptographic credentials are often designed to expire after a certain period,
although this is not mandatory.
Credentials have a defined time to live (TTL) that is configured by a policy and managed
by a client service process.

Cryptographic Application Programming Interface (CAPI)
The Cryptographic Application Programming Interface (also known variously as
CryptoAPI, Microsoft Cryptography API, or simply CAPI) is an application programming
interface included with Microsoft Windows operating systems that provides services to
enable developers to secure Windows-based applications using cryptography. It is a set
of dynamically linked libraries that provides an abstraction layer which isolates
programmers from the code used to encrypt the data.

Cryptographic Token Interface Standard
A standardized crypto interface for devices that contain cryptographic information or that
perform cryptographic functions.

Directory Service
Provides information in a structured format. Within a PKI: contains information about the
public keys of the users of the security infrastructure, similar to a telephone book (for
example, an X.500 or LDAP directory).

Distinguished Name (DN)
A name pattern that is used to create a globally unique identifier for a person. This name
ensures that a certificate is never created for different people with the same name. The
uniqueness of the certificate is additionally ensured by the name of the issuer of the
certificate (that is, the Certification Authority) and the serial number. All PKI users require a
unique name. Distinguished Names are defined in the ISO/ITU X.500 standard.

Key Usage
Key usage extensions define the purpose of the public key contained in a certificate. You can
use them to restrict the public key to as few or as many operations as needed. For example,
if you have a key used only for signing, enable the digital signature and/or non-repudiation
extensions. Alternatively, if a key is used only for key management, enable key
encipherment.

Key Usage (extended)
Extended key usage further refines key usage extensions. An extended key usage is either
critical or non-critical. If the extension is critical, the certificate must be used only for the
indicated purpose or purposes. If the certificate is used for another purpose, it is in violation
of the CA's policy.
If the extension is non-critical, it indicates the intended purpose or purposes of the key and
may be used in finding the correct key/certificate of an entity that has multiple
keys/certificates. The extension is then only an informational field and does not imply that the
CA restricts use of the key to the purpose indicated. Nevertheless, applications that use
certificates may require that a particular purpose be indicated in order for the certificate to be
acceptable.
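The critical/non-critical rule for key usage and extended key usage described in the two
entries above, as an added example that is not part of the SAP guide: the Python below
decodes a DER-encoded KeyUsage or ExtendedKeyUsage extension (layout and OIDs as in
RFC 5280) and then answers whether a certificate may be accepted for a given purpose.
The two extension byte strings, the function names and the acceptance helper are this
example's own constructions, not anything from the Secure Login Server.

```python
# Added example (not from the SAP guide): decode the X.509 KeyUsage and
# ExtendedKeyUsage extensions from DER (RFC 5280 layout) and apply the
# critical / non-critical acceptance rule from the glossary.
# The two sample extensions below are constructed for this example.

KEY_USAGE_OID = "2.5.29.15"
EXT_KEY_USAGE_OID = "2.5.29.37"
# KeyUsage BIT STRING positions, in order (RFC 5280, section 4.2.1.3).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
# Well-known extended key usage purposes (id-kp arc 1.3.6.1.5.5.7.3).
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}

# Constructed sample: critical KeyUsage = digitalSignature + keyEncipherment.
KU_CRITICAL_DER = bytes.fromhex("300e0603551d0f0101ff0404030205a0")
# Constructed sample: non-critical ExtendedKeyUsage = serverAuth, clientAuth.
EKU_NONCRITICAL_DER = bytes.fromhex(
    "301d0603551d2504163014" "06082b06010505070301" "06082b06010505070302")


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """DER OID contents to dotted form; the first byte packs the first two arcs."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_key_usage(octets: bytes) -> list:
    """Names of the bits set in a KeyUsage BIT STRING (first content byte = unused bits)."""
    tag, bits, _ = _tlv(octets, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, body = bits[0], bits[1:]
    usable = len(body) * 8 - unused
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < usable and body[i // 8] & (0x80 >> (i % 8))]


def decode_ext_key_usage(octets: bytes) -> list:
    """Purpose names (or raw OIDs) from a SEQUENCE OF OBJECT IDENTIFIER."""
    tag, seq, _ = _tlv(octets, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    purposes, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oid = _decode_oid(value)
        purposes.append(EKU_NAMES.get(oid, oid))
    return purposes


def parse_extension(der: bytes) -> dict:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_bytes, pos = _tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    oid, critical = _decode_oid(oid_bytes), False
    tag, value, nxt = _tlv(body, pos)
    if tag == 0x01:  # DER omits the BOOLEAN when it has its DEFAULT FALSE value
        critical = value != b"\x00"
        tag, value, nxt = _tlv(body, nxt)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    if oid == KEY_USAGE_OID:
        purposes = decode_key_usage(value)
    elif oid == EXT_KEY_USAGE_OID:
        purposes = decode_ext_key_usage(value)
    else:
        purposes = None  # some other extension; not interpreted here
    return {"oid": oid, "critical": critical, "purposes": purposes}


def acceptable_for(ext: dict, purpose: str, require_indication: bool = False) -> bool:
    """Glossary rule: a critical extension restricts the key to the listed purposes; a
    non-critical one is informational unless the application insists on an indication."""
    listed = purpose in (ext["purposes"] or [])
    return listed if (ext["critical"] or require_indication) else True
```

A verifier that relies on a non-critical extension should therefore pass
require_indication=True, since otherwise the glossary rule accepts the certificate for any
purpose; for a critical extension the listed purposes are binding either way.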

Lightweight Directory Access Protocol (LDAP)
A network protocol designed to extract information such as names and e-mail addresses
from a hierarchical directory such as X.500.

Login Module Stack (Authentication Stack)
List of login modules containing authentication logic that is assigned to a component.
When a user is authenticated on the J2EE Engine, the server sequentially processes the
login module stack that applies to the component that the user accesses. It is possible to
assign different login module stacks to different components, thus enabling pluggable
authentication.

PKCS#11
PKCS refers to a group of Public Key Cryptography Standards devised and published by
RSA Security. PKCS#11 is an API defining a generic interface to cryptographic tokens.

PEM
See Privacy Enhanced Mail.

Personal Identification Number (PIN)
A unique code number assigned to the authorized user.

Personal Information Exchange Syntax Standard
Specifies a portable format for saving or transporting a user's private keys, certificates,
and other secret information.

Personal Security Environment
The PSE is a personal security area that every user requires in order to work with the
system. A PSE contains security-related information. This includes the certificate and its
secret private key. The PSE can be either an encrypted file or a Smart Card and is
protected with a password.

PIN
See Personal Identification Number.

Privacy-Enhanced Mail (PEM)
The first known use of Base64 encoding for electronic data transfer was the Privacy-
Enhanced Mail (PEM) protocol, proposed by RFC 989 in 1987. PEM defines a "printable
encoding" scheme that uses Base64 encoding to transform an arbitrary sequence of octets
into a format that can be expressed in short lines of 7-bit characters, as required by
transfer protocols such as SMTP.
The current version of PEM (specified in RFC 1421) uses a 64-character alphabet
consisting of upper- and lower-case Roman alphabet characters (A-Z, a-z), the numerals
(0-9), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code.
The original specification additionally used the "*" symbol to delimit encoded but
unencrypted data within the output stream.
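The Base64 scheme that this entry and the Base64 encoding entry above describe, as an
added example that is not part of the SAP guide: a from-scratch encoder and decoder in
Python showing the three-byte-to-four-character mapping, the "=" suffix padding, the
33% expansion, the PEM line layout with BEGIN/END armor, and the HTTP Basic
Authentication header mentioned in the Base64 entry. The function names and the sample
inputs are this example's own constructions.

```python
# Added example (not from the SAP guide): Base64 and the PEM "printable encoding"
# written out from the definitions in the glossary, so the 3-byte-to-4-character
# mapping, the "=" padding and the 33% expansion can be checked directly.
# Constructed inputs only; no network or files involved.
import math

# The 64-character alphabet from RFC 1421 / RFC 4648: A-Z, a-z, 0-9, "+", "/".
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
PAD = "="
_REVERSE = {c: i for i, c in enumerate(ALPHABET)}


def b64encode(data: bytes) -> str:
    """Encode bytes to Base64: every 3 input bytes become 4 output characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        # Pack the (up to) three bytes into one 24-bit integer, zero-filled on the right.
        bits = int.from_bytes(chunk.ljust(3, b"\x00"), "big")
        sextets = [(bits >> 18) & 63, (bits >> 12) & 63, (bits >> 6) & 63, bits & 63]
        # n input bytes carry n+1 meaningful 6-bit groups; the rest is "=" padding.
        out.append("".join(ALPHABET[s] for s in sextets[:n + 1]) + PAD * (3 - n))
    return "".join(out)


def b64decode(text: str) -> bytes:
    """Decode Base64 text, tolerating the line breaks PEM inserts; ValueError on bad input."""
    text = "".join(text.split())  # drop whitespace (PEM line breaks)
    if len(text) % 4:
        raise ValueError("Base64 length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = group.count(PAD)
        if pad > 2 or (pad and not group.endswith(PAD * pad)):
            raise ValueError("invalid padding")
        if pad and i + 4 != len(text):
            raise ValueError("padding is only allowed in the final group")
        bits = 0
        for c in group.rstrip(PAD):
            if c not in _REVERSE:
                raise ValueError(f"character {c!r} is not in the Base64 alphabet")
            bits = (bits << 6) | _REVERSE[c]
        bits <<= 6 * pad  # re-align after the removed padding characters
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def pem_wrap(data: bytes, label: str, width: int = 64) -> str:
    """PEM-style armor: BEGIN/END lines around Base64 text in 64-character lines (RFC 1421)."""
    body = b64encode(data)
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def pem_unwrap(pem: str) -> bytes:
    """Strip the BEGIN/END lines and decode the body."""
    lines = [line for line in pem.splitlines() if line and not line.startswith("-----")]
    return b64decode("".join(lines))


def expansion_ratio(n_bytes: int) -> float:
    """Encoded length divided by raw length: 4 characters for every started group of 3 bytes."""
    return 4 * math.ceil(n_bytes / 3) / n_bytes


def basic_auth_header(user: str, password: str) -> str:
    """Value of an HTTP Basic Authentication header: Base64 of 'user:password'."""
    return "Basic " + b64encode(f"{user}:{password}".encode("utf-8"))
```

The Basic header shows why Base64 is an encoding, not a protection: b64decode recovers
the user name and password from the header unchanged, so such headers need TLS on the
wire and should be treated as plaintext credentials wherever they appear in logs or proxies.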

Public FSD
Public file system device. An external storage device that uses the same file system as
the operating system.

Public Key Cryptography Standards
A collection of standards published by RSA Security Inc. for the secure exchange of
information over the Internet.

Public Key Infrastructure
Comprises the hardware, software, people, guidelines, and methods that are involved in
creating, administering, saving, distributing, and revoking certificates based on
asymmetric cryptography. It is often structured hierarchically.
In X.509 PKI systems, the hierarchy of certificates is always a top-down tree, with a root
certificate at the top, representing a CA that does not need to be authenticated by a
trusted third party.

Root Certification Authority
The highest Certification Authority in a PKI. All users of the PKI must trust it. Its certificate
is signed with a private key. There can be any number of CAs between a user certificate
and the root Certification Authority. To check foreign certificates, a user requires the
certificate path as well as the root certificate.

Root certification
The certificate of the root CA.

RSA
An asymmetric cryptographic procedure, developed by Rivest, Shamir, and Adleman in
1977. It is the most widely used algorithm for encryption and authentication and is used in
many common browsers and mail tools. Security depends on the length of the key: key
lengths of 1024 bits or higher are regarded as secure.

Secure Network Communications
A module in the SAP NetWeaver system that handles the communication with external
cryptographic libraries. The library is addressed using GSS API functions and provides
NetWeaver components with access to the security functions.

Secure Sockets Layer
A protocol developed by Netscape Communications for setting up secure connections
over insecure channels. Ensures the authorization of communication partners and the
confidentiality, integrity, and authenticity of transferred data.

Single Sign-On
A system that administers authentication information, allowing a user to log on to systems
and open programs without the need to enter authentication every time (automatic
authentication).

Token
A security token (or sometimes a hardware token, authentication token, or cryptographic
token) may be a physical device that an authorized user of computer services is given to
aid in authentication. The term may also refer to software tokens.
Smart-card-based USB tokens (which contain a Smart Card chip inside) provide the
functionality of both USB tokens and Smart Cards. They enable a broad range of security
solutions and provide the abilities and security of a traditional Smart Card without
requiring a unique input device (Smart Card reader). From the computer operating
system's point of view, such a token is a USB-connected Smart Card reader with one
non-removable Smart Card present.
Tokens provide access to a private key that allows performing cryptographic operations.
The private key may be persistent (like a PSE file, Smart Card, or CAPI container) or
non-persistent (like temporary keys provided by Secure Login).

Microsoft Windows Credentials
A unique set of information authorizing the user to access the Microsoft Windows
operating system on a computer. The credentials usually comprise a user name, a
password, and a domain name (optional).

X.500
A standardized format for a tree-structured directory service.

X.509
A standardized format for certificates and certificate revocation (blocking) lists.
