installation, configuration, and administration guide sap … · 2019-11-12 · installation,...
TRANSCRIPT
Installation, Configuration, and Administration Guide
SAP NetWeaver Single Sign-On SP1
Secure Login Client
PUBLIC
Document Version: 1.1 – October 2011
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
notice.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered
trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p,
System p5, System x, System z, System z10, System z9, z10, z9,
iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390,
OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM,
Power Architecture, POWER6+, POWER6, POWER5+, POWER5,
POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System
Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks,
OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner,
WebSphere, Netfinity, Tivoli and Informix are trademarks or
registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and
other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either
trademarks or registered trademarks of Adobe Systems Incorporated in
the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the
Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,
VideoFrame, and MultiWin are trademarks or registered trademarks of
Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered
trademarks of W3C®, World Wide Web Consortium, Massachusetts
Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used
under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP
BusinessObjects Explorer, and other SAP products and services
mentioned herein as well as their respective logos are trademarks or
registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects,
Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and
other Business Objects products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of
Business Objects Software Ltd. in the United States and in other
countries.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere,
and other Sybase products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of
Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of
their respective companies. Data contained in this document serves
informational purposes only. National product specifications may
vary.
These materials are subject to change without notice. These materials
are provided by SAP AG and its affiliated companies ("SAP Group")
for informational purposes only, without representation or warranty of
any kind, and SAP Group shall not be liable for errors or omissions
with respect to the materials. The only warranties for SAP Group
products and services are those that are set forth in the express
warranty statements accompanying such products and services, if any.
Nothing herein should be construed as constituting an additional
warranty.
Disclaimer
Some components of this product are based on Java™. Any
code change in these components may cause unpredictable
and severe malfunctions and is therefore expressively
prohibited, as is any decompilation of these components.
SAP AG
Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com
Any Java™ Source Code delivered with this product is
only to be used by SAP’s Support Services and may not be
modified or altered in any way.
Terms for Included Open
Source Software
This SAP software contains also the third party open source software
products listed below. Please note that for these third party products
the following special terms and conditions shall apply.
Windows Template Library (WTL) http://wtl.sourceforge.net
Microsoft Public License (MS-PL)
This license governs use of the accompanying software. If you use the
software, you accept this license. If you do not accept the license, do
not use the software.
1. Definitions
The terms "reproduce," "reproduction," "derivative works," and
"distribution" have the same meaning here as under U.S. copyright
law. A "contribution" is the original software or any additions or
changes to the software. A "contributor" is any person that distributes
its contribution under this license. "Licensed patents" are a
contributor's patent claims that read directly on its contribution.
2. Grant of Rights
(A) Copyright Grant- Subject to the terms of this license, including the
license conditions and limitations in section 3, each contributor grants
you a non-exclusive, worldwide, royalty-free copyright license to
reproduce its contribution, prepare derivative works of its contribution,
and distribute its contribution or any derivative works that you create.
(B) Patent Grant- Subject to the terms of this license, including the
license conditions and limitations in section 3, each contributor grants
you a non-exclusive, worldwide, royalty-free license under its licensed
patents to make, have made, use, sell, offer for sale, import, and/or
otherwise dispose of its contribution in the software or derivative
works of the contribution in the software.
3. Conditions and Limitations
(A) No Trademark License- This license does not grant you rights to
use any contributors' name, logo, or trademarks.
(B) If you bring a patent claim against any contributor over patents
that you claim are infringed by the software, your patent license from
such contributor to the software ends automatically.
(C) If you distribute any portion of the software, you must retain all
copyright, patent, trademark, and attribution notices that are present in
the software.
(D) If you distribute any portion of the software in source code form,
you may do so only under this license by including a complete copy of
this license with your distribution. If you distribute any portion of the
software in compiled or object code form, you may only do so under a
license that complies with this license.
(E) The software is licensed "as-is." You bear the risk of using it. The
contributors give no express warranties, guarantees or conditions. You
may have additional consumer rights under your local laws which this
license cannot change. To the extent permitted under your local laws,
the contributors exclude the implied warranties of merchantability,
fitness for a particular purpose and non-infringement.
zlib http://www.zlib.net
zlib.h -- interface of the 'zlib' general purpose compression library
version 1.2.5, April 19th, 2010
Copyright (C) 1995-2010 Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
arising from the use of this software.
Permission is granted to anyone to use this software for any purpose,
including commercial applications, and to alter it and redistribute it
freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must
not claim that you wrote the original software. If you use this software
in a product, an acknowledgment in the product documentation would
be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must
not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source
distribution.
Jean-Loup Gailly
Mark Adler
Typographic Conventions
Type Style Description
Example Text Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options.
Cross-references to other documentation
Example text Emphasized words or phrases in body text, graphic titles, and table titles
EXAMPLE TEXT Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT Keys on the keyboard, for
example, F2 or ENTER.
Icons
Icon Meaning
Caution
Example
Note
Recommendation
Syntax
Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more
information, see Help on Help General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Installation Guide: Secure Login Client
6 06/2011
Contents
1 What is Secure Login? ....................................................................... 7
1.1 System Overview .................................................................................... 8
1.2 Main System Components .................................................................... 9
1.3 Authentication Methods ........................................................................ 9
1.4 Workflow with X.509 Certificate .......................................................... 10
1.5 Workflow with Kerberos Token ........................................................... 11
1.6 Workflow with X.509 Certificate Request ........................................... 12
2 Secure Login Client Installation ...................................................... 13
2.1 Prerequisites ........................................................................................ 13
2.2 Installation ............................................................................................ 15
2.3 Unattended Installation ........................................................................ 17
2.4 Custom Installation .............................................................................. 20
2.5 Updating the Secure Login Client to SP1 ........................................... 22
2.6 Uninstallation........................................................................................ 23
3 Secure Login Client Console ........................................................... 26
3.1 Secure Login Server Integration ......................................................... 28
3.2 Use Profile for SAP Applications ........................................................ 29
4 Configuration Options ...................................................................... 35
4.1 Enable SNC in SAP GUI ....................................................................... 35
4.2 User Mapping........................................................................................ 37
4.3 Registry Configuration Options .......................................................... 40
4.4 Smart Card Integration ........................................................................ 44
4.5 Digital Signature (SSF) ........................................................................ 44
5 Secure Login Client for Citrix XenApp ............................................ 48
5.1 Secure Login Client with a Published Desktop ................................. 48
5.2 Secure Login Client with a Published SAP Logon ............................ 48
5.3 Other Features ...................................................................................... 49
6 Troubleshooting ................................................................................ 50
6.1 Error in SNC .......................................................................................... 50
6.2 User Name Not Found .......................................................................... 51
6.3 Invalid Security Token ......................................................................... 51
6.4 Wrong SNC Library Configured .......................................................... 52
7 List of Abbreviations ........................................................................ 54
8 Glossary ............................................................................................. 56
1 What is Secure Login?
06/2011 7
1 What is Secure Login? Secure Login is an innovative software solution specifically created for improving user and IT productivity and for protecting business-critical data in SAP business solutions by means of secure single sign-on to the SAP environment.
Secure Login provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components.
Examples:
SAP GUI and SAP NetWeaver platform with Secure Network Communications (SNC)
Web GUI and SAP NetWeaver platform with Secure Socket Layer – SSL (HTTPS)
Third party application server supporting X.509 certificates
In a default SAP setup, users enter their SAP user name and password on the SAP GUI logon screen. SAP user names and passwords are transferred through the network without encryption.
To secure networks, SAP provides a Secure Network Communications interface (SNC) that enables users to log on to SAP systems without entering a user name or password. The SNC interface can also direct calls through the Secure Login Library to encrypt all communication between SAP GUI and the SAP server, thus providing secure single sign-on to SAP.
Secure Login allows you to benefit from the advantages of SNC without being obliged to set up a public-key infrastructure (PKI). Secure Login allows users to authenticate with one of the following authentication mechanisms:
Windows Domain (Active Directory Server)
RADIUS server
LDAP server
SAP NetWeaver server
Smart card authentication
If a PKI has already been set up, the digital user certificates of the PKI can also be used by Secure Login.
Secure Login also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) with SSL.
1 What is Secure Login?
8 06/2011
1.1 System Overview Secure Login is a client/server software system integrated with SAP software to facilitate single sign-on, alternative user authentication, and enhanced security for distributed SAP environments.
The Secure Login solution includes several components:
Secure Login Server Central service that provides X.509v3 certificates (out-of-the-box PKI) to users and application servers. The Secure Login Web Client is an additional function.
Secure Login Library Cryptographic library for an SAP NetWeaver ABAP system. The Secure Login Library supports both X.509 and Kerberos technology.
Secure Login Client Client application that provides security tokens (Kerberos and X.509 technology) for a variety of applications.
You do not need to install all of the components. This depends on your use case scenario. For more information about Secure Login Server and Secure Login Library, see Installation, Configuration and Administration Guide.
The Secure Login Client is integrated with SAP software to provide single sign-on capability and enhanced security. Secure Login Client can be used with Kerberos technology, an existing public key infrastructure (PKI), or together with the Secure Login Server for certificate-based authentication without having to set up a PKI.
The Secure Login Client can use the following authentication methods:
Smart cards and USB tokens with an existing PKI certificate
Secure Login Server and authentication server are not necessary.
Microsoft Crypto Store with an existing PKI certificate
Secure Login Server and Authentication Server are not necessary.
Microsoft Windows Credentials
The Microsoft Windows Domain credentials (Kerberos token) can be used for authentication.The Microsoft Windows credentials can also be used to receive a user X.509 certificate with the Secure Login Server.
User name and password (several authentication mechanisms)
The Secure Login Client prompts you for your user name and password and authenticates with these credentials using the Secure Login Server in order to receive a user X.509 certificate.
All of these authentication methods can be used in parallel. A policy server provides authentication profiles that specify how to log on to the desired SAP system.
1 What is Secure Login?
06/2011 9
1.2 Main System Components The following figure shows the Secure Login system environment with the main system components:
Secure Login ClientPKI Infrastructure
• Smart Card, USB Token
• Microsoft Crypto Store
• Secure Login Library
Authentication and
secure communication
• SAP GUI
• Web GUI
SAP NetWeaver Platform
Security Token
Kerberos Infrastructure
• Kerberos Token
Kerberos
Figure: Secure Login System Environment with existing PKI and Kerberos
The Secure Login Client is responsible for the certificate-based and Kerberos-based authentication to the SAP application server.
1.3 Authentication Methods In a system environment without Secure Login Server, the Secure Login Client supports the authentication methods listed in the table below:
Authentication Method Details
Authentication with X.509 certificates
The certificate provider sends the X.509 certificates through secure network communication (SNC). The following certificate providers work with X.509 certificates:
Smart card and USB tokens with an existing PKI certificate
Microsoft Crypto Store (Certificate Store)
In SNC the Secure Login Client can perform authentication with encryption and digital signing
1 What is Secure Login?
10 06/2011
certificates. The Secure Login Client supports RSA and DSA keys.
Authentication with Kerberos tokens
For more information about the authentication with a Kerberos token, see 1.5 Workflow with Kerberos Token.
1.4 Workflow with X.509 Certificate The following figure shows the principal workflow and communication between the individual components:
1
Start connection and
get SNC name
Client maps
SNC name to
authentication
profile
Secure Login Client
Security Token2
4
PKI Infrastructure
6
SAP NetWeaver Platform
Client provides certificate
to SAP GUI application
Authentication and
secure communication
• Smart Card, USB Token
• Microsoft Crypto Store
• Secure Login Library
5
Unlock Security Token
3
Figure: Principal Workflow for X.509 Certificate Authentication
1. When the connection starts, the Secure Login Client retrieves the SNC name from the desired SAP server system.
2. The Secure Login Client uses the authentication profile for this SNC name.
3. The user unlocks the security token by entering the PIN or password.
4. The Secure Login Client receives the X.509 certificate from the user security token.
5. The Secure Login Client provides the X.509 certificate for SAP single sign-on and secure communication between SAP client and SAP server.
6. The user is authenticated and the communication is secured.
1 What is Secure Login?
06/2011 11
Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto-engines. The Crypto Service Provider (CSP) of SAP is a plug-in of this type. It provides the user keys to all CAPI-enabled applications.
1.5 Workflow with Kerberos Token The following figure shows the principal workflow and communication between the individual components:
Figure: Principal Workflow for Kerberos Authentication
1. When the connection starts, the Secure Login Client retrieves the SNC name (Service Principal Name) from the desired SAP server system.
2. At the Ticket Granting Service the Secure Login Client starts a request for a Kerberos Service Token.
3. The Secure Login Client receives the Kerberos Service Token.
4. The Secure Login Client provides the Kerberos Service Token for SAP single sign-on and secure communication between SAP client and SAP server.
5. The user is authenticated and the communication is secured.
1 What is Secure Login?
12 06/2011
1.6 Workflow with X.509 Certificate Request The following figure shows the principal workflow and communication between the individual components:
Figure: Principal Workflow
1. When the connection starts, the Secure Login Client gets the SNC name from the desired SAP server system.
2. Secure Login Client uses the client policy for this SNC name.
3. Secure Login Client receives the user login credentials.
4. Secure Login Client generates a certificate request.
5. Secure Login Client sends the user credentials and the certification request to the Secure Login Server.
6. Secure Login Server forwards the user credentials to the authentication server and receives an answer that indicates whether the user credentials are valid.
7. If the user credentials are valid; the Secure Login Server generates a user certificate (certificate reply) and sends it to the Secure Login Client.
8. Secure Login Client provides the certificate to SAP GUI.
9. The user certificate is used to perform authentication, single sign-on, and secure communication between SAP client and server.
2 Secure Login Client Installation
06/2011 13
2 Secure Login Client Installation This section explains how to install Secure Login Client.
2.1 Prerequisites This section deals with the prerequisites and requirements for the installation of Secure Login Client. An installation of the Secure Login Client in a Citrix XenApp environment does not require any special steps or settings.
You can download the SAP NetWeaver Single Sign-On software from the SAP Service Marketplace. Go to https://service.sap.com/swdc and choose Support Package and Patches > Browse our Download Catalog > SAP NetWeaver and complementary products > SAP NetWeaver Single Sign-On > SAP NetWeaver Single Sign-On 1.0 > Comprised Software Component Versions > Secure Login Client 1.0 (32-bit or 64-bit).
Hardware Requirements
Secure Login Client Details
Hard disk space 20 MB hard disk space
Random access memory Min. 256 MB RAM
Smart card reader Any PC/SC smart card reader can be used
Software Requirements
Secure Login Client Details
Operating systems Microsoft Windows 7 64-bit
Microsoft Windows 7 32-bit
Microsoft Windows Vista 64-bit
Microsoft Windows Vista 32-bit
Microsoft Windows XP 32-bit
Microsoft Windows Server 2008 R2 64-bit
Microsoft Windows Server 2008 64-bit
Microsoft Windows Server 2003 64-bit
Citrix support Microsoft Windows Server 2003 x64 / Citrix XenApp 5
Microsoft Windows Server 2008 R2 x64 / Citrix XenApp 6
SAP GUI SAP GUI for Windows 7.10 and higher
SAP GUI for JAVA 7.10 and higher
Smart card support For smart card support the relevant smart card middleware needs to be installed. For more information, contact your vendor.
Secure Login Client supports smart cards through the Microsoft Crypto API (CSP) or PKCS#11 interface.
2 Secure Login Client Installation
14 06/2011
If you are using Microsoft Windows Server 2003 64-bit refer to the Microsoft Knowledge Base article KB960077 http://support.microsoft.com/kb/960077.
2 Secure Login Client Installation
06/2011 15
2.2 Installation This section explains how to install Secure Login Client. The installation is performed using the MSI Installer.
If a smart card is to be used in Secure Login Client, install the smart card reader and smart card middleware software. For more information, contact the vendor.
Start Installation Use the appropriate MSI Installer for your operating system.
Secure Login Client Software Package
Type File Name
Microsoft Windows 32Bit SecureLoginClientx86.msi
Microsoft Windows 64Bit SecureLoginClientx64.msi
Administrative rights are required to install the Secure Login Client software.
To continue, choose the Next button.
To install all components, choose the Complete option.
To define the installation components, choose the Custom option.
To continue, choose the Next button.
If you choose the Custom option, the following features appear.
Feature Value
Secure Login Client Components This feature installs the basic components of Secure Login Client. This feature is mandatory.
Options: Start during Microsoft Windows login
Crypto & Certificate Store Providers
Policy Download Agent
Options for an installation under Citrix XenApp. See Secure Login Client for Citrix XenApp.
Secure Login Server Support This feature installs authentication support with Secure Login Server. Based on the provided user credentials, the Secure Login Server provides user certificates to the Secure Login Client.
Kerberos Single Sign-On This feature installs the Kerberos authentication support.
Smart Card Support This feature installs smart card authentication support.
2 Secure Login Client Installation
16 06/2011
To continue, choose the Install button.
To complete the installation, choose the Finish button.
Logging Service This feature installs the trace and logging option.
We recommend that you install this option only for problem analysis.
2 Secure Login Client Installation
06/2011 17
2.3 Unattended Installation Use the MSI installation option to deploy the Secure Login Client software with software distribution tools.
In the case of a Secure Login Server integration, remember to deploy the Root CA certificate and Client Policy URL as well. For more information, see section 2.4 Custom Installation.
Standard MSI Options To help you understand the MSI options, open a command shell and enter the following command:
msiexec /?
Secure Login Client MSI Options To display the Secure Login Client MSI installation options, enter the following command:
Microsoft Windows 32-bit
msiexec /i “<source_path>\SecureLoginClientx86.msi” HELP=1
Microsoft Windows 64-bit
msiexec /i “<source_path>\SecureLoginClient x64.msi” HELP=1
2 Secure Login Client Installation
18 06/2011
Entries marked with * are mandatory.
Feature Value
Base_Components
SAP_SecureLogin_base* Basic components of Secure Login Client. *This option is mandatory and cannot be changed.
SAP_SecureLogin_sbus* Secure Login Client service.
*This option is mandatory and cannot be changed.
SAP_SecureLogin_i18n International language files support.
Standard feature.
SAP_SecureLogin_pki* X.509 Cryptographic support.
*This option is mandatory and cannot be changed.
SAP_Security
SAP_SecureLogin_sap_gss*
SAP Secure Network Communication (SNC) support.
*This option is mandatory and cannot be changed.
SAP_Security
SAP_SecureLogin_sap_ssf
SAP Secure Store and Forward (SSF) support.
Standard feature.
SAP_SecureLogin_capi Support for Microsoft Crypto API token plug-in. Use exisiting certificates in Secure Login Client.
Standard feature.
SAP_SecureLogin_csp*
SAP_SecureLogin_store*
Cryptographic service provider plug-in for the Microsoft Crypto API. Secure Login Client provides certificates to the Microsoft Crypto API.
*These options are mandatory and cannot be changed.
SAP_SecureLogin_securelogin Component to interact with Secure Login Server.
SAP_SecureLogin_kerberos_token Kerberos support.
SAP_SecureLogin_smartcard Smart card support
SAP_SecureLogin_notify Trace and logging option.
We recommend that you install this option only for problem analysis.
2 Secure Login Client Installation
06/2011 19
Unattended Installation Examples
Example 1
This example shows you how to install the Secure Login Client software without the logging service.
msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify
The recommended installation is to install all components without the logging service.
Example 2
This example shows you how to install the Secure Login Client software without the logging service and Secure Login Server support.
msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify,SAP_SecureLogin_securelogin
Example 3
This example shows you how to install the Secure Login Client software without the logging service, Secure Login Server support, and Kerberos support.
msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify,SAP_SecureLogin_securelogin,SAP_SecureLogin_kerberos_token
Example 4
This example shows you how to install the Secure Login Client software without the logging service, Secure Login Server support, and smart card support.
msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify,SAP_SecureLogin_securelogin,SAP_SecureLogin_smartcard
Example 5
This example shows you how to uninstall the Secure Login Client software.
msiexec /qb /x "SecureLoginClientx86.msi"
2 Secure Login Client Installation
20 06/2011
2.4 Custom Installation This section describes how to integrate the installation of the Root CA certificate (Microsoft Certificate Store) and client policy URL (Registry Key) for the Secure Login Client into software distribution tools.
The customized aspects of this installation are associated only with the integration with Secure Login Server.
Install Root CA Certificate You need to install the Root CA certificate from Secure Login Server in the client environment. The Root CA certificate is used to establish secure communication to the Secure Login Server.
Use the Microsoft CertMgr tool; which is part of the Microsoft Windows Software Development Kit (SDK,) to import certificates. Use the following command to import a certificate:
certmgr.exe /add /all /c <RootCA_file> /s ROOT /r localMachine
The Root CA certificate is provided by the Secure Login Server.
Install Client Policy URL The client policy URL (registry key) defines the connection information for the Secure Login Server. Use this client policy URL to retrieve authentication profiles for the Secure Login Client Console.
Use the following command to import a registry file:
reg.exe import customer.reg
The registry file customer.reg can be provided by the Secure Login Server.
Example: Registry file customer.reg
customer.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\System]
"PolicyURL"="http://<IP/FQDN>:<Port>/securelogin/admin/Navigation?op=downloadFile&name=ClientPolicy.xml"
"PolicyTTL"=dword:00000000
"NetworkTimeout"=dword:0000002d
"DisableUpdatePolicyOnStartup"=dword:00000000
2 Secure Login Client Installation
06/2011 21
For more information about registry configuration options, see section 4.3 Registry Configuration Options.
For more information about registry settings, provided by Secure Login Server, see Installation, Configuration and Administration Guide for Secure Login Server.
Parameter Description
PolicyURL Network resource (Secure Login Server) from which the most recent Secure Login Client policy can be downloaded.
The following types of client policies are available:
ClientPolicy.xml
Client Policy defined in default instance of the Secure Login Server.
ClientPolicy.xml&path=000xx
Client Policy defined in instance xx (instance number) of the Secure Login Server.
GlobalClientPolicy.xml
Global Client Policy includes all available instances of the Secure Login Server.
For more information, see the Secure Login Server Installation, Configuration and Administration Guide.
PolicyTTL The lifetime in minutes; verifying (update) for a new client policy on the Secure Login Server.
Default is 0 minutes.
By default, the Secure Login Client verifies a new client policy during system start of the client PC.
NetworkTimeout Network timeout in seconds before connection is closed if the Secure Login Server does not respond.
Default is 45 seconds (hex value: 2d).
DisableUpdatePolicyOnStartup By default the Secure Login Client looks for a new client policy during the system startup of the client PC.
You can use this parameter to disable this feature.
1 Disable automatic policy download.
0 Enable automatical policy download.
Default value is 0.
2 Secure Login Client Installation
22 06/2011
2.5 Updating the Secure Login Client to SP1
You can download the Support Package software from the SAP Service Marketplace. Go to https://service.sap.com/swdc and choose Support Package and Patches > Browse our Download Catalog > SAP NetWeaver and complementary products > SAP NetWeaver Single Sign-On > SAP NetWeaver Single Sign-On 1.0.
You do not need to uninstall the existing version of the Secure Login Client. You simply run the installation software as described in 2.2 Installation and overwrite your existing Secure Login Client.
To display the version number of your software, right-click the blue diamond of the Secure Login Client in the Microsoft Windows notification area and choose About. The version number is displayed in the About screen of the Secure Login Client.
2 Secure Login Client Installation
06/2011 23
2.6 Uninstallation Use the appropriate MSI file for your operating system. You can also use the Software Management Tool in Microsoft Windows.
Secure Login Client Software Package
Type File Name
Microsoft Windows 32-Bit SecureLoginClientx86.msi
Microsoft Windows 64-Bit SecureLoginClientx64.msi
Administration rights are required to uninstall the Secure Login Client software.
If you want to use the software management tool in Microsoft Windows; choose Control Panel Uninstall a Program right-click Secure Login Client and choose the Uninstall option from the context menu.
Another option is to start the Secure Login Client MSI software package.
To continue, choose the Next button.
2 Secure Login Client Installation
24 06/2011
Select the Remove option and choose the Next button to continue.
To continue, choose the Remove button.
2 Secure Login Client Installation
06/2011 25
To complete the uninstallation, choose the Finish button.
You can remove the Secure Login Client software in unattended mode using the MSI options described in section 2.3 Unattended Installation.
3 Secure Login Client Console
26 06/2011
3 Secure Login Client Console This section describes the Secure Login Client Console.
The system tray contains a blue diamond icon.
To open the Secure Login Client Console, click this icon.
In this example, no Kerberos token is available, because this user is not authenticated in the Microsoft domain.
Kerberos Token If the user is authenticated in the Microsoft domain, the Kerberos token is displayed.
3 Secure Login Client Console
06/2011 27
You can switch users in the Microsoft domain.
Right-click the Kerberos profile and choose the Log In option.
Enter the Microsoft domain user name and password.
The new Kerberos token is displayed.
3 Secure Login Client Console
28 06/2011
Certificate from Microsoft Certificate Store If an X.509 certificate is available in the Microsoft Certificate Store; this certificate is displayed in the Secure Login Client Console and can be used in SAP GUI.
3.1 Secure Login Server Integration If a Secure Login Server is used to provide user certificates, client profiles are available in the Secure Login Client Console.
Client profiles from Secure Login Server are available only if the option Secure Login Server Support is installed and if the Client Policy URL (registry value) is defined.
For more information about the Client Policy URL, see section 2.4 Custom Installation.
Certificates requested using Secure Login Server and available in Secure Login Client Console; are provided to the Microsoft Certificate Store (for example, to use when logging on to SAP Enterprise Portal).
3 Secure Login Client Console
06/2011 29
Automatic Provisioning of Certificates The Secure Login Client supports profiles that enable users to automatically get X.509 certificates when the Secure Login Client starts up during a Microsoft Windows authentication. In the configuration of the Secure Login Server you can optionally set that the respective profile is provided.
Manual Provisioning of Certificates If you right-click the profile in the Secure Login screen, you can choose the menu item Log In (while being logged on in a domain) to automatically get a certificate without being forced to enter your user name and password, or the system prompts you for your user credentials.
With this setting, you get the additional menu item Log In as. When you choose Log In as (or if you are a local user), the system prompts you for your user name and password. Having entered both, you are provided with a certificate by the Secure Login Client.
3.2 Use Profile for SAP Applications You can configure which profile is used for which SAP server system. It is possible to do this by right-clicking a profile and choosing Use Profile for SAP Applications.
If you choose this option, the position of the icon changes and this profile is used for SAP GUI. For example if you need to switch the profiles manually, this can be done using this feature.
You can inactivate this menu item in the client policy provided by the Secure Login Server.
3 Secure Login Client Console
30 06/2011
Log Console If the option Logging Service was installed, the Log Console is available in the Secure Login Client Console.
The log console (Secure Login Client Notification Viewer) is a support analysis tool that displays advanced information about the Secure Login and Enterprise Single Sign-On actions. The information is constantly updated (live).
We recommend that you use this installation option only for problem analysis to help support teams with troubleshooting.
Open the console as follows:
1. Choose the menu entry View > Log Console in the Secure Login dialog. The Live Trace pane is displayed:
3 Secure Login Client Console
06/2011 31
2. The Live Trace pane automatically scrolls down whenever a component performs a task and the task details are captured by the log console.
Menu Item Submenu Item/Details
File Open
Opens trace files (*.xml) and contains trace messages that have previously been exported (cut) from the Live Trace pane.
Explore Trace Files
Use this option to open the folder on the local drive that contains the trace (*.xml) files.
Save as
Saves the current trace list as an XML file.
Close
Closes the current pane open in the log console.
Exit
Exits the log console.
View Live Trace
Opens the Live Trace pane to display the log messages.
Live Trace Copy
The live trace messages file is duplicated into a new, static, XML file. The path of the file is visible in the title bar of the viewer.
Live Trace Cut
Cut the message information from the current live trace message feed, effectively clearing the Live Trace pane. The cut messages are automatically saved to an XML file and opened in a new pane in the log console window. The path of the file is visible in the title bar of the viewer.
Tools Options
This opens the Options dialog for the logging service (sbustrace.exe) component:
3 Secure Login Client Console
32 06/2011
You can specify the following options in this dialog:
Service
These options allow you to install or remove the logging service component from Microsoft Windows, and to start/stop the service if it is installed (options not currently available are grayed-out). The current state of the service is displayed in the fields above the respective buttons.
Live-Trace
Caution:
This option is for advanced users only.
This option enables you to filter the messages when you click View and Live Trace Copy. You can do this by cutting and pasting an XML fragment into the field.
TraceLevel
Use this option to define the granularity of the live trace messages.
Log Rotate
Use this option to define the maximum size for a log file before it is archived and a new log file is started.
Filter
Use this option to filter trace messages. The filter must be manually defined with the help of the support team.
Click OK to set any changes and close the window.
Window Tile Horizontally
Sort any open panes so that they are displayed equally/ horizontally across the log viewer window.
Tile Vertically
Sort any open panes so that they are displayed equally/vertically across the log viewer window.
Cascade
Sort the open panes so that they are displayed in a stack.
The column headers, which are located at the top of the Live Trace pane, are defined as follows:
3 Secure Login Client Console
06/2011 33
Live Trace Header
Details
L This defines the message type:
A yellow warning sign ( ) means that something may be wrong and needs to be checked.
A red “error” icon ( ) means that the task could not be performed.
A blue information icon ( ) refers to a successful task or informational message
Time The time the task was performed.
PID Process ID
TID Thread ID
App The component that performed the task
Mod The application module from which the task originated
Msg Information about the task performed
3 Secure Login Client Console
34 06/2011
Version Information Choose the SAP icon in Secure Login Console or right-click the system tray icon and choose the About Secure Login option. The version information is displayed.
4 Configuration Options
06/2011 35
4 Configuration Options This section describes how to enable SNC in SAP GUI and how to define the user mapping in SAP user management.
4.1 Enable SNC in SAP GUI To establish secure communication between SAP GUI and SAP NetWeaver application server; you need to enable the SNC option.
Start the SAP GUI application; enable the SNC option, and define the SNC name of the SAP NetWeaver application server.
Kerberos SNC Name Choose the option Activate Secure Network Communication and define the SNC Name.
Example SNC Name:
p:CN=SAP/[email protected]
The SNC name is provided by your SAP NetWeaver Administrator. For more information, about how to install the SNC library on the SAP NetWeaver application server, see the Secure Login Library Installation, Configuration, and Administration Guides.
Note that the definition of the SNC name is case-sensitive.
4 Configuration Options
36 06/2011
X.509 Certificate SNC Name Choose the option Activate Secure Network Communication and define the SNC name.
Example SNC Name:
p:CN=ABC, OU=SAP Security
The SNC name is provided by your SAP NetWeaver administrator. For more information about how to install the SNC library on the SAP NetWeaver application server, see the Secure Login Library Installation, Configuration, and Administration Guides.
Note that the definition of the SNC Name is case-sensitive.
4 Configuration Options
06/2011 37
4.2 User Mapping This section describes how to define the user mapping in SAP user management. For the user authentication using security tokens (X.509 certificate or Kerberos token), this mapping is required to define which security token belongs to which SAP user.
For smooth and straightforward integration, we recommend that you use the SAP NetWeaver Identity Management solution to manage user mapping.
Manual Configuration Start the user management tooly by calling transaction SU01. Choose the SNC tab.
If you are using Kerberos authentication, enter the Kerberos user name in the SNC name field.
If you are using X.509 certificate based authentication, enter the X.509 certificate Distinguished Name in the SNC name field.
Note that the definition of the SNC name is case-sensitive.
Kerberos Example In this example, the SNC name p:[email protected] belongs to the user SAPUSER.
4 Configuration Options
38 06/2011
X.509 Certificate Example In this example the SNC name p:CN=SAPUSER, OU=SAP Security belongs to the user SAPUSER.
For more information about how to perform user mapping, see the Secure Login Library Installation, Configuration and Administration Guide.
4 Configuration Options
06/2011 39
Set External Security Name for All Users You can use transaction SNC1 (report RSUSR300) to configure the SNC name in batch mode.
Note that the definition of the string is case-sensitive.
With this tool you can choose all SAP Users *, a list of SAP users or SAP user groups.
You can use the option Users without SNC names only to overwrite SNC names.
This batch tool takes an SAP user and uses the components
<previous_character_string><SAP_user_name><next_character_string>
to build the SNC name.
Kerberos Example In this example SNC names are generated with the following string for all users without an SNC name:
p:CN=SAP/<user_name>@DEMO.LOCAL
X.509 Certificate Example In this example SNC names are generated with the following string for all users without an SNC name:
p:CN=<user_name>, OU= SAP Security
4 Configuration Options
40 06/2011
4.3 Registry Configuration Options This section describes further configuration options in registry for the Secure Login Client.
Common Settings
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common]
Parameter Type Description
Locale STRING Language setting for Secure Login Client. The language is usually automatically recognized. Use this parameter for customizing.
Possible values are:
en_US (English)
de_DE (German)
fr_FR (French)
ja_JP (Japanese)
pt_BR (Portuguese)
ru_RU (Russian)
zh_CN (Chinese)
HideTrayIcon DWORD Use this option to remove the Secure Login Client tray icon.
To display the tray icon, set the value 0.
To hide the tray icon, set the value 1.
The default setting is that the tray icon is displayed.
TrustDB STRING Use this option to define where Secure Login Client searches for trusted root certificates.
The following values are possible:
capi (default) Get trust from Microsoft Certificate Store
token Use root certificates on tokens
Get trust from files (.crt,.p7c,…) in a single directory
ResourcePath STRING Use this option to specify an alternate location for the language files (.res).
Default value is <install_path>/etc.
4 Configuration Options
06/2011 41
PCSC Settings The options in this section allow you to select which PCSC smart card readers are used or ignored. You can specify multiple patterns by separating the patterns with „,‟ or „;‟
Wildcards („*‟ and „?‟) are allowed.
CAPI Settings The options in these sections allow you to select which certificates from third party CSPs may be used.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\pcsc]
Parameter Type Description
IgnoredReadersPattern STRING Use this option to disable some PCSC smart card readers.
The default value is <empty> (do not disable any PCSC smart card reader).
AllowedReadersPattern STRING Use this option the use only some specified PCSC smart card readers.
This option is evaluated after IgnoredReadersPattern.
The default value is „*‟ (use every PCSC smart card reader)
Important: If you use an empty string („‟), all readers are used (same as „*‟).
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\capi]
Parameter Type Description
CAPIProviderFilter STRING Use this option to use only certificates provided by specific CSPs (the CSP name must begin with this string).
Example:
Microsoft Use only certificates provided by CSPs from Microsoft
CAPIFilterValidOnly DWORD Use this option to use only certificates that are valid (issued in the past and not expired).
CAPIFilterIssuerDN STRING Use this option to use only certificates that have an issuer‟s Distinguished Name that contains CAPIFilterIssuerDN.
Example:
CN=My Companies CA
CAPIFilterSubjectDN STRING Use this option to use only certificates that
4 Configuration Options
42 06/2011
have a subject Distinguished Name that contains CAPIFilterSubjectDN.
Example:
O=My Org Unit
CAPIFilterExcludeIssuerDN STRING Use this option to disable certificates that have an issuer‟s Distinguished Name that contains CAPIFilterExcludeIssuerDN.
Example:
CN=Test CA
CAPIFilterExcludeSubjectDN STRING
STRING Use this option to disable certificates that have a subject Distinguished Name that contains CAPIFilterExcludeSubjectDN.
Example:
O=Testing only
CAPIFilterKeyUsage STRING Use this option to use only certificates that have a specific key usage.
The CAPIFilterKeyUsage may contain the following strings (you can specify multiple strings)
+KEYUSAGE Use only certificates that have the specified key usage.
-KEYUSAGE Do not use certificates that have the specified key usage
Where KEYUSAGE can be one of the following:
dataEncipherment Data encipherment key usage
digitalSignature Digital-Signature Key-Usage
keyAgreement Key agreement key usage
keyEncipherment Key encipherment key usage
nonRepudiation Non-repudiation key usage
cRLSign CRL signature key usage
CAPIFilterExtendedKeyUsage STRING Use this option to use only certificates that have a specific key usage.
The syntax of this option is similar to CAPIFilterKeyUsage.
The CAPIFilterExtendedKeyUsage may contain the following strings:
+EXTKEYUSAGE Use only certificates that have the specified extended key usage
-EXTKEYUSAGE
4 Configuration Options
06/2011 43
Client Trace Setting
For more information about registry settings provided by Secure Login Server, see the Installation, Configuration and Administration Guide for Secure Login Server.
Do not use certificates that have the specified extended key usage
Where EXTKEYUSAGE can be one of the following:
ServerAuthentication (1.3.6.1.5.5.7.3.1)
ClientAuthentication (1.3.6.1.5.5.7.3.2)
CodeSigning (1.3.6.1.5.5.7.3.3)
EmailProtection (1.3.6.1.5.5.7.3.4)
IpsecEndSystem (1.3.6.1.5.5.7.3.5)
IpsecTunnel (1.3.6.1.5.5.7.3.6)
IpsecUser (1.3.6.1.5.5.7.3.7)
TimestampSigning (1.3.6.1.5.5.7.3.8)
OcspSigning (1.3.6.1.5.5.7.3.9)
MicrosoftEfs (1.3.6.1.4.1.311.10.3.4)
MicrosoftEfsRecovery (1.3.6.1.4.1.311.10.3.4.1)
MicrosoftKeyRecovery (1.3.6.1.4.1.311.10.3.11)
MicrosoftDocumentSigning (1.3.6.1.4.1.311.10.3.12)
MicrosoftSmartcardLogon (1.3.6.1.4.1.311.20.2.2)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\traces]
Parameter Type Description
TraceLevel DWORD Use this option to enable/disable traces and to configure the trace level
Possible values:
0 disable traces
1 only errors
2 errors and warnings
3 errors, warnings and information
4 errors, warnings, information, and log
5 errors, warnings, information, log, and debug
4 Configuration Options
44 06/2011
4.4 Smart Card Integration The Secure Login Client can use X.509 certificates stored in smart cards and supports 64-bit CSP.
For smart card support, you need to install the relevant smart card middleware. Secure Login Client supports smart cards through the Microsoft Crypto API (CSP) or the PKCS#11 interface.
These interfaces are typically also supported by the smart card middleware software.
Checklist for smart card support:
If required install smart card reader hardware and PC/SC driver. Typically the smart card reader is usually automatically recognized by the operating system.
Install smart card middleware software. This middleware software should support the desired smart card. Some smart card vendors provide their own middleware software, and there are some middleware software vendors available who support different kinds of smart cards.
PIN management is handled by the middleware software. A typical situation is a user logging on to a Microsoft operating system using the smart card. This user needs to re-enter the PIN in the browser or in SAP GUI.
Whether the user is able to do this depends on the smart card middleware, which might close the smart card after the logon to Microsoft Windows. For more information, contact your smart card middleware vendor.
4.5 Digital Signature (SSF) The Secure Login Client can use X.509 certificates for digital signatures in an SAP environment. The supported interface is Secure Store and Forward (SSF).
This option is part of the default installation.
The prerequisite for using SSF is that SSF is configured in the SAP instance profile.
How to test SSF Client Signature Log on to the SAP system using SAP GUI and start transaction SE38.
Enter the program name SSF01 and execute this program.
Choose a desired function you want test, for example, Signing.
For the parameter RFC destination, enter the value SAP_SSFATGUI.
For the parameter SSF format, enter the value PKCS7.
There are two configuration cases described as following.
Case 1 – Use smart card or existing certificate
In the ID field, enter the distinguished name of the smart card certificate. Example: CN=Smartcard User, OU=SAP Security
4 Configuration Options
06/2011 45
Case 2 – Use Secure Login Client Profile provided by Secure Login Server
In the ID field, enter the distinguished name of the user certificate. Example: CN=Username, OU=SAP Security
In the SSF Profile field, enter the Secure Login Client profile configuration.
Example: toksw:mem://securelogin/<profile_name>
<profile_name> is the profile name defined in Secure Login Server. In this example the profile name is SSF.
In parameter Input data, enter the file to be signed.
In the parameter Output data, enter the path and file name for the signed file.
Execute the program and choose the Sign button.
The system prompts you for a password, which is not required. Choose the green OK button.
4 Configuration Options
46 06/2011
The file should be signed.
4 Configuration Options
06/2011 47
SSF User Configuration Use this configuration step to define which Secure Login Client profile is used for the SSF interface. This is defined for each SAP user.
Log on to the SAP system using SAP GUI and start transaction SU01.
Edit the desired user and, on the Address tab, choose the Other Communication button.
Choose the SSF option and define the desired parameter.
For more information, see the SAP Help Portal.
Parameter Description
SSF-ID Define the Distinguished Name of the user certificate.
Example: CN=Username, OU=SAP Security
SSF-ID Part 2 Define an additional Distinguished Name of the user certificate.
SSF profile Define the Secure Login Client profile. There are three options available.
Use Secure Login Client Profile The desired certificate is used for SSF, based on the Secure Login Client profile name. Example: toksw:mem://securelogin/<profile_name>
Use Secure Login Client Profile and Re-authentication Adding the [reauth option] means that the user needs to authenticate again to the Secure Login Client profile, before a certificate is provided. Example: [reauth]toksw:mem://securelogin/<profile_name>
<empty> If no SSF profile is defined, the SSF-ID can be used to search the certificate in Secure Login Client.
Destination The RFC destination (logical destination) where the SSF RFC server program has been defined.
Enter the value SAP_SSFATGUI (SSF for digital signatures on the front ends).
5 Secure Login Client for Citrix XenApp
48 06/2011
5 Secure Login Client for Citrix XenApp This section describes how to use the Secure Login Client in a Citrix XenApp environment. The Secure Login Client supports only 64-bit Microsoft Windows operating systems. The following platforms are supported:
Microsoft Windows Server 2003 x64 / Citrix XenApp 5
Microsoft Windows Server 2008 R2 x64 / Citrix XenApp 6
Use Case The customer wants to run Secure Login Client in a Citrix XenApp environment.
5.1 Secure Login Client with a Published Desktop A published desktop behaves similarly to a standard Microsoft Windows desktop. You can install the Secure Login Client in the same way as on a local Microsoft Windows operating system. To minimize memory and CPU consumption, we recommend unselecting the feature Start during Windows login. Unselect Crypto & Certificate Store Provider and Policy Download Agent during the installation if you do not use them.
5.2 Secure Login Client with a Published SAP Logon The Secure Login Client does not start automatically when a user logs on to a published SAP Logon in a Citrix XenApp environment. When installing you may unselect the features Start during Windows login and Crypto & Certificate Store Provider.
How to Enable Automatic Startup with a Published SAP Logon To automatically start the Secure Login Client, create a user login script called
usrlogon_slc.cmd in the Microsoft Windows directory and insert it into the Microsoft
Windows Registry.
1. Install the Secure Login Client. 2. Create the file usrlogon_slc.cmd in the Microsoft Windows directory. 3. Insert the following content:
usrlogon_slc.cmd
@ECHO OFF
rem starting Secure Login Client, remove the next line if you do not
want the SLC to start automatically
start "Launch SLC"
"%ProgramFiles(x86)%\SAP\FrontEnd\SecureLogin\bin\sbus.exe"
5 Secure Login Client for Citrix XenApp
06/2011 49
rem register CSP, remove the next two lines if no CSP/CAPI support
is required
regsvr32.exe /s
"%ProgramFiles(x86)%\SAP\FrontEnd\SecureLogin\lib\sbussto.dll"
regsvr32.exe /s
"%ProgramFiles%\SAP\FrontEnd\SecureLogin\lib\sbussto.dll"
4. Add the script to the Microsoft Windows Registry to make sure that the Secure Login Client starts automatically at startup. Open the Microsoft Windows Registry and go to the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon
5. Open the key AppSetup and append the reference to the file usrlogon_slc.cmd to the value with a simple comma as a separator (without any space).
Example: Registry value name:
AppSetup
Registry value:
ctxhide.exe usrlogon.cmd,cmstart.exe,usrlogon_slc.cmd
You must keep the sequence as shown in the example above because, when starting up, the system proceeds from one file to the next.
5.3 Other Features
Start during Windows login The Secure Login Client starts automatically when a user logs on to a Microsoft Windows operating system. Remember that this automatic startup increases memory and CPU consumption.
If you unselect the installation option Start during Windows login, the Secure Login Client does not start automatically.
Using Certificates for CAPI Applications You only need this feature if you want to use certificates issued for CAPI applications by the Secure Login Server, such as for a client authentication with Internet Explorer. The CSP/CAPI service is registered during the installation.
Downloading Policies from the Secure Login Server To automatically download client policies from the Secure Login Server, install the Policy Download Agent feature.
6 Troubleshooting
50 06/2011
6 Troubleshooting This section describes some troubleshooting issues and how to solve them.
If you need to contact SAP support, provide the Secure Login Client trace information described in section 3 Secure Login Client Console – Log Console
6.1 Error in SNC
Use Case SAP GUI user wants to authentice to SAP server using Kerberos token or X.509 user certificate.
Error Message Miscellaneous failure. Error in SNC.
Checklist
If you are using a Kerberos token Verify if the user is authenticated in the Microsoft domain. Verify if Kerberos token is displayed in Secure Login Client Console.
If you are using an X.509 certificate Verify if X.509 certificate is displayed in Secure Login Client Console.
Verify if the security token (Kerberos or certificate) is used. Try with the option Use Profile for SAP Applications if the desired profile is used.
Verify if SNC is enabled in SAP GUI for the desired SAP server Verify if the SNC name of the desired SAP server is configured in SAP GUI
(saplogon.ini). Is the name correct? (Kerberos name / X.509 certificate name) Note that the SNC name is case-sensitive.
Verify if the environment variable SNC_LIB is configured to use secgss.dll. Example: C:\Program Files\SAP\FrontEnd\SecureLogin\lib\secgss.dll
6 Troubleshooting
06/2011 51
6.2 User Name Not Found
Use Case SAP GUI user wants to authenticate to SAP server using Kerberos token or X.509 user certificate.
Error Message No user exists with SNC name.
Checklist
If this message appears, the user mapping is not available or not configured correctly. Compare the user certificate distinguished name with the SNC name in SAP User Management (SU01). Note that SNC name is case-sensitive.
There may also be another reason for this error. For more information, see SAP Note 1635019.
6.3 Invalid Security Token
Use Case 1 SAP GUI wants to authenticate to SAP server using a Kerberos token or X.509 user certificate.
Error Message SAP system message S.
Checklist
Verify if SNC is configured in the SAP ABAP server.
6 Troubleshooting
52 06/2011
If the Secure Login Library is installed on the SAP ABAP server and used for SNC, enable the trace and verify the results. For more information see the Installation, Configuration and Administration Guide for Secure Login Library.
Use Case 2 The Secure Login Client requests a service ticket from the domain server.
Error Message The system displays the following error message:
Supplied credentials not accepted by the server.
In the trace log of the Secure Login Client, you find the error code A2600202.
Checklist
If the Secure Login Client does not get a service ticket from the domain server, you have to check whether the Service Principal Name used was assigned several times in the Active Directory system. To check this, you enter the following command: setspn –T * -T foo -X
6.4 Wrong SNC Library Configured
Use Case An SAP GUI user wants to authenticate to a SAP server using Kerberos token or X.509 user certificate.
Error Message Unable to load GSS-API DLL named “sncgss32.dll”.
Checklist
The wrong SNC library (in this example sncgss32.dll) is assigned to SAP GUI. Verify the environment variable SNC_LIB.
6 Troubleshooting
06/2011 53
For Secure Login Client the SNC library secgss.dll is used. Example: C:\Program Files\SAP\FrontEnd\SecureLogin\lib\secgss.dll
7 List of Abbreviations
54 06/2011
7 List of Abbreviations
Abbreviation Meaning
ADS Active Directory Service
CA Certification Authority
CAPI Microsoft Crypto API
CSP Cryptographic Service Provider
DN Distinguished Name
EAR Enterprise Application Archive
HTTP Hypertext Transport Protocol
HTTPS Hypertext Transport Protocol with Secure Socket Layer (SSL)
IAS Internet Authentication Service (Microsoft Windows Server 2003)
JAAS Java Authentication and Authorization Service
JSPM Java Support Package Manager
LDAP Lightweight Directory Access Protocol
NPA Network Policy and Access Services (Microsoft Windows Server 2008)
PIN Personal Identification Number
PKCS Public Key Cryptography Standards
PKCS#10 Certification Request Standard
PKCS#11 Cryptographic Token Interface Standard
PKCS#12 Personal Information Exchange Syntax Standard
PKI Public Key Infrastructure
PSE Personal Security Environment
RADIUS Remote Authentication Dial In User Service
RFC Remote function call (SAP NetWeaver term)
RSA Rivest, Shamir and Adleman
SAR SAP Archive
SCA Software Component Archive
SLAC Secure Login Administration Console
SLC Secure Login Client
SLL Secure Login Library
SLS Secure Login Server
SLWC Secure Login Web Client
SNC Secure Network Communication (SAP term)
SSL Secure Socket Layer
7 List of Abbreviations
06/2011 55
UPN User Principal Name
WAR Web Archive
WAS Web Application Server
8 Glossary
56 06/2011
8 Glossary
Authentication
A process that checks whether a person who logs on is really the person corresponding to the respective user. In a multi-user or network system, authentication means the validation of a user‟s logon information. A user‟s name and password are compared against an authorized list.
Base64 encoding
Base64 encoding is three-byte to four-character encoding based on an alphabet of 64 characters. This encoding has been introduced in PEM (RFC1421) and MIME. Other uses include HTTP Basic Authentication headers and general binary-to-text encoding applications.
Note: Base64 encoding expands binary data by 33%, which is quite efficient.
CAPI
See Cryptographic Application Programming Interface
Certificate
A digital identity card. A certificate typically includes the following:
A public key being signed.
A name, which can refer to a person, a computer or an organization.
A validity period.
A location (URL) of a revocation center.
A digital signature of the certificate produced by the private key of th CA.
The most common certificate standard is the ITU-T X.509.
Certification Authority (CA)
An entity that issues and verifies digital certificates to be used by other parties.
Certificate Store
Sets of security certificates belonging to user tokens or certification authorities.
CREDDIR
A directory on the server where information is placed that goes beyond the PSE (personal security environment).
Credentials
Used to establish the identity of a party in communication. Usually they take the form of machine-readable cryptographic keys and/or passwords. Cryptographic credentials may be self-issued, or issued by a trusted third party; in many cases the only reason for issuance is unambiguous association of the credential with a specific, real individual or
8 Glossary
06/2011 57
other entity. Cryptographic credentials are often designed to expire after a certain period, although this is not mandatory.
Credentials have a defined time to live (TTL) that is configured by a policy and managed by a client service process.
Cryptographic Application Programming Interface (CAPI)
The Cryptographic Application Programming Interface (also known variously as CryptoAPI, Microsoft Cryptography API, or simply CAPI) is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Microsoft Windows-based applications using cryptography. It is a set of dynamically-linked libraries that provides an abstraction layer that isolates programmers from the code used to encrypt the data.
Cryptographic Token Interface Standard
A standardized crypto-interface for devices that contain cryptographic information or that perform cryptographic functions.
Directory Service
Provides information in a structured format. Within a PKI: Contains information about the public key of the user of the security infrastructure, similar to a telephone book (for example: an X.500 or LDAP directory).
Distinguished Name (DN)
A name pattern that is used to create a globally unique identifier for a person. This name ensures that identifal certificates are never created for different people with the same name. The uniqueness of the certificate is additionally ensured by the name of the issuer of the certificate (the certification authority) and a serial number. All PKI users require a unique name. Distinguished Names are defined in the ISO/ITU X.500 standard.
Key Usage
Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For instance, if you have a key used only for signing, enable the digital signature and/or non-repudiation extensions. Alternatively, if a key is used only for key management, enable key enciphering.
Key Usage (Extended)
Extended key usage further refines key usage extensions. An extended key is either critical or non-critical. If the extension is critical, the certificate must be used only for the indicated purpose or purposes. If the certificate is used for another purpose, it is in violation of the policy from the CA.
If the extension is non-critical, it indicates the intended purpose or purposes of the key and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. The extension is only an information field and does not imply that the CA restricts the use of the key to the purpose indicated. Nevertheless, applications that use certificates may require that a particular purpose should be indicated for the certificate to be acceptable.
8 Glossary
58 06/2011
Lightweight Directory Access Protocol (LDAP)
A network protocol designed to extract information such as names and e-mail addresses from a hierarchical directory such as X.500.
PKCS#11
PKCS refers to a group of Public Key Cryptography Standards devised and published by RSA Security. PKCS#11 is an API defining a generic interface to cryptographic tokens.
PEM
See Privacy Enhanced Mail.
Personal Identification Number (PIN)
A unique code number assigned to the authorized user.
Personal Information Exchange Syntax Standard
Specifies a portable format for saving or transporting a user‟s private keys, certificates, and other secret information.
Personal Security Environment
The PSE is a personal security area that every user requires to work with. A PSE contains security-related information. This includes the certificate and its secret private key. The PSE can be either an encrypted file or a smart card and is protected with a password.
PIN
See Personal Identification Number.
Privacy-Enhanced Mail (PEM)
The first known use of Base 64 encoding for electronic data transfer was the Privacy-Enhanced Electronic Mail (PEM) protocol, proposed by RFC 989 in 1987. PEM defines a „printable encoding‟ scheme that uses Base 64 encoding to transform an arbitrary sequence of octets to a format that can be expressed in short lines of 7-bit characters, as required by transfer protocols such as SMTP.
The current version of PEM (specified in RFC 1421) uses a 64-character alphabet consisting of upper-case and lower-case Roman alphabet characters (A–Z, a–z), the numerals (0–9), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code. The original specification additionally used the "*" symbol to delimit encoded but unencrypted data within the output stream.
Public FSD
Public file system device. An external storage device that uses the same file system as the operating system.
8 Glossary
06/2011 59
Public Key Cryptography Standards
A collection of standards published by RSA Security Inc. for the secure exchange of information over the Internet.
Public Key Infrastructure
Comprises the hardware, software, people, guidelines, and methods that are involved in creating, administering, saving, distributing, and revoking certificates based on asymmetric cryptography. Is often structured hierarchically.
In X.509 PKI systems, the hierarchy of certificates is always a top-down tree, with a root certificate at the top, representing a CA that does not need to be authenticated by a trusted third party.
Root certification authority
The highest certification authority in a PKI. All users of the PKI must trust it. Its certificate is signed with a private key. There can be any number of CAs between a user certificate and the root certification authority. To check foreign certificates, a user requires the certificate path as well as the root certificate.
Root certification
The certificate of the root CA.
RSA
An asymmetric, cryptographically procedure, developed by Rivest, Shamir, and Adleman in 1977. It is the most widely-used algorithm for encryption and authentication. Is used in many common browsers and mail tools. Security depends on the length of the key: Key lengths of 1024 bits or higher are regarded as secure.
Secure Network Communications
A module in the SAP NetWeaver system that deals with the communication with external, cryptographic libraries. The library is addressed using GSS API functions and provides NetWeaver components with access to the security functions.
Secure Sockets Layer
A protocol developed by Netscape Communications for setting up secure connections over insecure channels. Ensures the authorization of communication partners and the confidentiality, integrity, and authenticity of transferred data.
Single Sign-On
A system that administrates authentication information allowing a user to logon to systems and open programs without the need to enter authentication every time (automatic authentication).
8 Glossary
60 06/2011
Token
A security token (or sometimes a hardware token, authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens.
Smart-Card-based USB tokens (which contain a smart card chip inside) provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device (smart card reader). From the point of view of the computer operating system, a token of this type is a USB-connected smart card reader with one non-removable smart card present.
Tokens provide access to a private key that allows the user to perform cryptographic operations. The private key can be persistent (like a PSE file, smart card, and CAPI container) or non-persistent (like temporary keys provided by Secure Login).
Windows Credentials
A unique set of information authorizing the user to access the Microsoft Windows operating system on a computer. The credentials usually comprise a user name, a password, and a domain name (optional).
X.500
A standardized format for a tree-structured directory service.
X.509
A standardized format for certificates and blocking list.