Installation, Configuration, and Administration Guide SAP NetWeaver Single Sign-On SP4 Secure Login Library
2012 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Typographic Conventions

Type style and meaning:
- Example text (bold): words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also used for cross-references to other documentation.
- Example text (italic): emphasized words or phrases in body text, graphic titles, and table titles.
- EXAMPLE TEXT: technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
- Example text (monospace): output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade, and database tools.
- Example text (bold monospace): exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
- <Example text>: variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
- EXAMPLE TEXT (keys): keys on the keyboard, for example, F2 or ENTER.

Icons

Icon and meaning: Caution, Example, Note, Recommendation, Syntax.
Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help, General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Contents
1 What is Secure Login? .... 9
1.1 System Overview .... 10
1.2 Main System Components .... 10
09/2012
7 Troubleshooting .... 63
7.1 SNC Library Not Found .... 63
7.2 Credentials Not Found .... 63
7.3 No User Exists with SNC Name .... 64
Supported authentication back ends:
- Windows Domain (Active Directory Server)
- RADIUS server
- LDAP server
- SAP NetWeaver server
- Smart card authentication
If a PKI has already been set up, the digital user certificates of the PKI can also be used by Secure Login. Secure Login also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) with SSL.
Main system components:
- Secure Login Server: central service that provides X.509v3 certificates (out-of-the-box PKI) to users and application servers. The Secure Login Web Client is also provided.
- Secure Login Library: cryptographic library for the SAP NetWeaver ABAP system. The Secure Login Library supports X.509 and Kerberos technology in parallel.
- Secure Login Client: client application that provides security tokens (Kerberos and X.509 technology) for a variety of applications.

The Secure Login Library is integrated with SAP software to provide single sign-on capability and enhanced security. An existing PKI or Kerberos can be used for user authentication. You do not need to install all of the components; which ones you need depends on your use case. For more information about Secure Login Server and Secure Login Client, see their Installation, Configuration and Administration Guides.
Figure: Secure Login System Environment with existing PKI and Kerberos
The Secure Login Client is responsible for certificate-based and Kerberos-based authentication to the SAP Application Server and for secure communication. For more information about Secure Login Server and Secure Login Client, see the Installation, Configuration and Administration Guide.
2.1 Prerequisites
This section deals with the prerequisites and requirements for the installation of Secure Login Library. You can download the SAP NetWeaver Single Sign-On software from the SAP Service Marketplace. Go to https://service.sap.com/swdc and choose Support Package and Patches > Browse our Download Catalog > SAP NetWeaver and complementary products > SAP NetWeaver Single Sign-On > SAP NetWeaver Single Sign-On 1 > Comprised Software Component Versions > Secure Login Library 1.0.

The Secure Login Library is available for the following operating systems:
- AIX 32-bit
- AIX 64-bit
- HP-UX on IA-64 64-bit
- HP-UX on PA-RISC 32-bit
- HP-UX on PA-RISC 64-bit
- Linux on IA32 32-bit
- Linux on IA-64 64-bit
- Linux on Power 64-bit
- Linux on x86_64 64-bit
- Linux on zSeries 64-bit
- MacOS X 64-bit
- Solaris on SPARC 32-bit
- Solaris on SPARC 64-bit
- Solaris on x64_64 64-bit
- TRU64 64-bit
- Microsoft Windows Server on IA32 32-bit
- Microsoft Windows on IA-64 64-bit
- Microsoft Windows on x64 64-bit
Hardware Requirements
Secure Login Library:
- Hard disk space: 10 MB
- Random access memory: min. 1 GB RAM
Software Requirements

Secure Login Library, supported operating systems:
- Microsoft Windows Server 2003 x64 64-bit
- Microsoft Windows Server 2003 on IA-64 64-bit
- Microsoft Windows Server 2008 x64 64-bit
- Microsoft Windows Server 2008 on IA-64 64-bit
- Microsoft Windows Server 2008 R2 x64 64-bit
- Microsoft Windows Server 2008 R2 on IA-64 64-bit
- AIX 5.2, 5.3, 6.1, 7.1 Power 64-bit
- HP-UX 11.11, 11.23, 11.31 PA-RISC 64-bit
- HP-UX 11.23, 11.31 IA-64 64-bit
- Solaris 9, 10 SPARC 64-bit
- Solaris 10 x64 64-bit
- Linux SLES 9, 10, 11 IA-64 64-bit
- Linux SLES 9, 10, 11 x86_64 64-bit
- Linux SLES 9, 10, 11 Power 64-bit
- Linux RHEL 4, 5, 6 IA-64 64-bit
- Linux RHEL 4, 5, 6 x86_64 64-bit
- Linux RHEL 4, 5, 6 Power 64-bit
- OSF1 5.1 Alpha 64-bit
- Mac OS X 10.5 Universal 96 (32-bit / 64-bit)

SAP Application Server:
- SAP R/3 Release 4.6C
- SAP R/3 Enterprise Release 4.70
- SAP Web Application Server 6.10
- SAP Web Application Server 6.20
- SAP Web Application Server 6.30
- SAP NetWeaver 2004
- SAP NetWeaver 7.0
- SAP NetWeaver 7.0 EHP1
- SAP NetWeaver 7.0 EHP2
- SAP NetWeaver 7.3

SAPCRYPTOLIB: the SAPCRYPTOLIB is required to use the transaction STRUST (PSE Management).

For more information, see the Product Availability Map of SAP NetWeaver Single Sign-On 1.0.
Installation directory on Microsoft Windows:
<INSTDIR>\<SID>\DVEBMGS<instance_number>\SLL
Example: D:\usr\sap\ABC\DVEBMGS00\SLL

To test the installation, run:
<INSTDIR>\<SID>\DVEBMGS<instance_number>\SLL\snc.exe
Example: D:\usr\sap\ABC\DVEBMGS00\SLL\snc.exe
The system displays further information about the Secure Login Library. The test is successful if the product version is displayed.
Installation directory on UNIX/Linux:
<INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL
Example: /usr/sap/ABC/DVEBMGS00/SLL
To use the shell under the operating system HP-UX with the shared libraries, you need to set an attribute with the following command:
To test the installation, run:
<INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/snc
Example: /usr/sap/ABC/DVEBMGS00/SLL/snc
The system displays further information about the Secure Login Library. The test is successful if the product version is displayed.
2.5 Uninstallation
This section explains how to uninstall Secure Login Library.
<INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/
You must set the environment variable SECUDIR if you use SAP NetWeaver AS ABAP 7.0. Otherwise SAP NetWeaver AS ABAP 7.0 does not start.
Prerequisites
The Secure Login Library uses X.509 client or server certificates for SNC connections. It supports either no key usage in X.509 certificates or one or more supported key usages. The supported key usages depend on whether the X.509 certificate is used for client-server or server-server communication. Make sure the X.509 certificates are configured with supported values. For a list of the key usages the Secure Login Library supports for SNC, see the following tables.

Key Usage for X.509 Client Certificates for Client-Server Communication
- Certificate field: [No key usage field]; Key usage value: [No values]; Mode: [No mode]
- Certificate field: Key Usage; Key usage value: Digital Signature; Mode: sigsession, ParallelSessions mode
- Certificate field: Key Usage; Key usage value: Data Encipherment; Mode: Encryption
- Certificate field: Key Usage; Key usage value: Key Encipherment; Mode: Encryption

Key Usage for X.509 Server Certificates for Client-Server and Server-Server Communication
- Certificate field: [No key usage field]; Key usage value: [No values]; Mode: [No mode]
- Certificate field: Key Usage; Key usage value: Digital Signature; Mode: sigsession, ParallelSessions mode (client-server only)
- Certificate field: Key Usage; Mode: Encryption
SNC Parameters
Log on to the SAP NetWeaver Application Server using SAP GUI. Start the transaction RZ10 and define the following SNC parameters in the instance profile.
Define the SNC library:
- Microsoft Windows: <Path>\SLL\secgss.dll
- HP-UX: <Path>/SLL/libsecgss.sl
- Solaris / Linux / AIX: <Path>/SLL/libsecgss.so

Define the SNC name of the SAP server's security token:
- X.509 certificate token: p:<X.509_Distinguished_Name>
Example:
snc/identity/as
- U: User-defined (User Management SU01). Use this value if insecure or secure communication for the SAP GUI application is to be configured in the user management tool (SU01).
We recommend that you set this value to 1. If you want to enforce higher security, change this value to 0 (for all) or U (user-dependent).
- snc/accept_insecure_rfc: 1
- snc/permit_insecure_start: 1
- snc/force_login_screen: 0
Figure: Transaction STRUST Import X.509 Certificate
Load the PSE file by entering the password, navigate back to the PSE menu, choose Save as, and select SNC SAPCryptolib.
Figure: Save PSE as SNC SAPCryptolib
If the certificate distinguished name of the PSE file does not match the SNC name configured in the instance profile parameter snc/identity/as, an error message appears. This check is performed only if SNC is activated. You can list the trusted certificates that have been imported with the transaction STRUST with the following command:
Microsoft Windows: <INSTDIR>\<SID>\DVEBMGS<instance_number>\SLL\snc -O <SAPServiceSID>
UNIX/Linux: <INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/snc -O <sid>adm
Example:
Microsoft Windows: D:\usr\sap\ABC\DVEBMGS00\SLL\snc -O SAPServiceABC
UNIX/Linux: /usr/sap/ABC/DVEBMGS00/SLL/snc -O abcadm
- Secure Login Library is installed and, if required in the shell, the environment variable SECUDIR is defined.
- File access rights are defined for Secure Login Library.
- SNC parameters are defined in the instance profile.
- Correct path and file name configuration for the SNC library.
- Correct definition of the SNC name (case-sensitive).
- X.509 certificate for the SAP system has been imported using STRUST.
SNC Parameters
Log on to the SAP NetWeaver Server using SAP GUI. Start transaction RZ10 and define the following SNC parameters in the instance profile.
Define the SNC library:
- Microsoft Windows: <Path>\SLL\secgss.dll
- HP-UX: <Path>/SLL/libsecgss.sl
- Solaris / Linux / AIX: <Path>/SLL/libsecgss.so

Define the SNC name of the SAP server's security token:
- Kerberos token: p:CN=<ServicePrincipalName>
Example:
snc/identity/as = p:CN=SAP/[email protected]

Hint: If X.509 certificate tokens and Kerberos tokens are used in parallel, define the X.509 certificate distinguished name. This value is case-sensitive.

- snc/data_protection/max: 3
- snc/data_protection/min: 2
- snc/data_protection/use: 3
- snc/r3int_rfc_secure: 0
- snc/r3int_rfc_qop: 8
- snc/accept_insecure_cpic: 1
- snc/accept_insecure_gui: 1
  - 1: Accept insecure communication. Use this value if insecure and secure communication should be allowed for SAP GUI.
  - 0: Disallow insecure communication. Use this value only if secure communication is to be allowed (no insecure communication) for SAP GUI.
  - U: User-defined (User Management SU01). Use this value if insecure or secure communication for SAP GUI is to be configured in the user management tool (SU01).
  We recommend that you set this value to 1. If you want to enforce higher security, change this value to 0 (for all) or U (user-dependent).
- snc/accept_insecure_rfc: 1
- snc/permit_insecure_start: 1
- snc/force_login_screen: 0
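As an added example that is not part of the SAP guide, the following Python script reads the SNC section of an instance profile and reports the settings that still permit unprotected connections, so the values documented in the X.509 and Kerberos parameter tables above can be compared with a hardened profile. It assumes the standard profile parameter name snc/gssapi_library for the SNC library path (the guide itself names only the library files) and uses constructed profile text.

```python
"""Audit the SNC parameters of an SAP instance profile.

Added example, not part of the SAP guide. The profile texts below are
constructed; snc/gssapi_library is the standard profile parameter for
the SNC library path and is assumed here, the guide names only the
library files themselves.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (parameter, value found, why it matters)

# Parameter values the guide lists for the instance profile (RZ10).
DOCUMENTED_VALUES: Dict[str, str] = {
    "snc/data_protection/max": "3",
    "snc/data_protection/min": "2",
    "snc/data_protection/use": "3",
    "snc/r3int_rfc_secure": "0",
    "snc/r3int_rfc_qop": "8",
    "snc/accept_insecure_cpic": "1",
    "snc/accept_insecure_gui": "1",
    "snc/accept_insecure_rfc": "1",
    "snc/permit_insecure_start": "1",
    "snc/force_login_screen": "0",
}

# Value 1 accepts unprotected connections; 0 disallows them and, for the
# GUI and RFC parameters, U defers the decision to the user master (SU01).
INSECURE_IF_ONE = (
    "snc/accept_insecure_cpic",
    "snc/accept_insecure_gui",
    "snc/accept_insecure_rfc",
    "snc/permit_insecure_start",
)

# File names of the SNC library per operating system, as given in the guide.
LIBRARY_NAMES = {"secgss.dll", "libsecgss.sl", "libsecgss.so"}

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(.*?)\s*$")


def parse_profile(text: str) -> Dict[str, str]:
    """Return name -> value for every 'name = value' line; '#' starts a comment."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = PARAM_RE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def check_snc(params: Dict[str, str]) -> List[Finding]:
    """Return the SNC settings that weaken or break secure network communication."""
    findings: List[Finding] = []
    if params.get("snc/enable", "0") != "1":
        findings.append(("snc/enable", params.get("snc/enable", "<missing>"),
                         "SNC is switched off, connections run unprotected"))
    library = params.get("snc/gssapi_library", "")
    if library.replace("\\", "/").rsplit("/", 1)[-1] not in LIBRARY_NAMES:
        findings.append(("snc/gssapi_library", library or "<missing>",
                         "not one of the Secure Login Library file names"))
    identity = params.get("snc/identity/as", "")
    if not identity.startswith("p:"):
        findings.append(("snc/identity/as", identity or "<missing>",
                         "SNC name needs the p: prefix (value is case-sensitive)"))
    for name in INSECURE_IF_ONE:
        value = params.get(name, DOCUMENTED_VALUES[name])
        if value == "1":
            findings.append((name, value, "insecure (unprotected) connections are accepted"))
    try:
        min_protection = int(params.get("snc/data_protection/min", "1"))
    except ValueError:
        min_protection = 0
    if min_protection < int(DOCUMENTED_VALUES["snc/data_protection/min"]):
        findings.append(("snc/data_protection/min", str(min_protection),
                         "below the documented minimum protection level 2"))
    return findings


def audit_profile(text: str) -> List[Finding]:
    """Parse a profile text and return its SNC findings."""
    return check_snc(parse_profile(text))


# Constructed sample: the values the guide documents (still accepts insecure logons).
DOCUMENTED_PROFILE = """
# SNC section of a constructed Windows instance profile
snc/enable = 1
snc/gssapi_library = D:\\usr\\sap\\ABC\\DVEBMGS00\\SLL\\secgss.dll
snc/identity/as = p:CN=ABC, OU=SAP Security
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 8
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/force_login_screen = 0
"""

# Constructed sample: the same profile after enforcing SNC (0 for all, U per user).
HARDENED_PROFILE = (
    DOCUMENTED_PROFILE.replace("snc/accept_insecure_cpic = 1", "snc/accept_insecure_cpic = 0")
    .replace("snc/accept_insecure_gui = 1", "snc/accept_insecure_gui = U")
    .replace("snc/accept_insecure_rfc = 1", "snc/accept_insecure_rfc = U")
    .replace("snc/permit_insecure_start = 1", "snc/permit_insecure_start = 0")
)

if __name__ == "__main__":
    for label, profile in (("documented", DOCUMENTED_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {len(audit_profile(profile))} finding(s)")
        for param, value, why in audit_profile(profile):
            print(f"  {param} = {value}: {why}")
```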
Figure: Create a Microsoft Windows Account
Define a password and choose the options User cannot change password and Password never expires.
Figure: Create a Microsoft Windows Account
Make sure the password is as complex as possible.
Microsoft Windows:
set SECUDIR=<INSTDIR>\<SID>\DVEBMGS<instance_number>\sec
UNIX/Linux (depends on shell):
setenv SECUDIR <INSTDIR>/<SID>/DVEBMGS<instance_number>/sec
export SECUDIR=<INSTDIR>/<SID>/DVEBMGS<instance_number>/sec

If no Personal Security Environment (PSE) is available, enter the following command to create a PSE:

Figure: Verify PSE Location
The PSE directory must point to the <INSTDIR>/<SID>/DVEBMGS<instance_number>/sec folder. The environment variable SECUDIR is defined automatically by the SAP server process. Define this environment variable manually (in the shell) if you need to access the PSE, for example, with the snc command line application.
- Secure Login Library is installed and, if required in the shell, the environment variable SECUDIR is defined.
- File access rights are defined for Secure Login Library.
- SNC parameters are defined in the instance profile.
- Correct path and file name configuration for the SNC library.
- Correct definition of the SNC name (case-sensitive).
- PSE environment was created and the Kerberos keytab has been imported using the Secure Login Library command line tool.
N File "D:\usr\sap\ABC\DVEBMGS00\SLL\secgss.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
N SncInit(): found snc/identity/as=p:CN=ABC, OU=SAP Security
N
N Thu May 05 16:42:15 2011
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=Indefinite
M ***LOG R1Q=> p:CN= ABC, OU=SAP Security [thxxsnc.c 265]
M SNC (Secure Network Communication) enabled

If there are problems with the SNC configuration, the SAP server system no longer starts. A quick solution is to disable SNC: open the instance profile configuration file and set the parameter snc/enable = 0. Restart the SAP NetWeaver Application Server and verify the SNC installation and configuration.
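As an added example that is not part of the SAP guide, this Python script scans the SNC lines of a work-process trace like the one shown above and reports which initialisation step is missing when the server does not come up with SNC. The trace excerpt is constructed from the line formats the guide shows.

```python
"""Report the SNC initialisation state from an SAP work-process trace.

Added example, not part of the SAP guide. SAMPLE_TRACE is constructed
from the trace line formats the guide shows (N = trace, M = message).
"""
import re
from typing import Dict, List, Optional

SAMPLE_TRACE = """\
N File "D:\\usr\\sap\\ABC\\DVEBMGS00\\SLL\\secgss.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
N SncInit(): found snc/identity/as=p:CN=ABC, OU=SAP Security
N
N Thu May 05 16:42:15 2011
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=Indefinite
M ***LOG R1Q=> p:CN= ABC, OU=SAP Security [thxxsnc.c 265]
M SNC (Secure Network Communication) enabled
"""

# One pattern per initialisation step, in the order the trace reports them.
STEP_PATTERNS = {
    "library": re.compile(r'File "(?P<v>[^"]+)" dynamically loaded as GSS-API'),
    "identity": re.compile(r"SncInit\(\): found snc/identity/as=(?P<v>.+)$"),
    "accepting": re.compile(r"Accepting Credentials available, lifetime=(?P<v>\S+)"),
    "initiating": re.compile(r"Initiating Credentials available, lifetime=(?P<v>\S+)"),
    "enabled": re.compile(r"SNC \(Secure Network Communication\) (?P<v>enabled)"),
}

# What a missing step points to, phrased for the operator checking the setup.
STEP_HINTS = {
    "library": "GSS-API library not loaded: check the SNC library path in the instance profile",
    "identity": "snc/identity/as not found: check the SNC name in the instance profile",
    "accepting": "no accepting credentials: check SECUDIR and the PSE / keytab",
    "initiating": "no initiating credentials: check SECUDIR and the PSE / keytab",
    "enabled": "SNC was not enabled by the work process",
}


def snc_status(trace: str) -> Dict[str, Optional[str]]:
    """Return the value captured for each initialisation step, or None if absent."""
    status: Dict[str, Optional[str]] = {step: None for step in STEP_PATTERNS}
    for line in trace.splitlines():
        body = line[2:] if line[:2] in ("N ", "M ") else line  # strip the trace prefix
        for step, pattern in STEP_PATTERNS.items():
            match = pattern.search(body)
            if match and status[step] is None:
                status[step] = match.group("v").strip()
    return status


def snc_problems(status: Dict[str, Optional[str]]) -> List[str]:
    """Return the operator hints for every step the trace does not show."""
    return [STEP_HINTS[step] for step in STEP_PATTERNS if status[step] is None]


if __name__ == "__main__":
    state = snc_status(SAMPLE_TRACE)
    for step, value in state.items():
        print(f"{step:10s} {value}")
    print("problems:", snc_problems(state) or "none")
```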
SPN=SAP/[email protected]. In the second domain, DOMAIN2.COM, you have created a user with the same user name (KerberosNW1). Its service principal name is SPN=SAP/KerberosNW1@DOMAIN2.COM.
2. Create keytabs for both service principal names.
3. To configure snc/identity/as, enter the value p:CN=SAP/Kerberos<SID>.
Now the ABAP server accepts Kerberos authentication tickets from this user because keytabs for both domains are available: there is a keytab for each domain. It is also possible to set the SNC name of the server automatically to p:CN=SAP/Kerberos<SID>. The user logs on, and the client receives a Kerberos authentication ticket for SAP/KerberosNW1 from the respective domain controller. The user name SAP/Kerberos<SID> is known in each domain. The server authenticates the ticket because the keytabs of all domains are registered in the server. See also SAP Note 1763075.
4 Configuration Options
This section describes some useful configuration and troubleshooting issues.
The file sec_log_file_level.txt contains the trace level as a single digit.
Example sec_log_file_level.txt: 4
Values:
- 0: No trace
- 1: Errors
- 2: Errors and warnings
- 3: Errors, warnings, and logs
- 4: Errors, warnings, logs, and information messages
The snc command line tool provides the following functions:
- Display security token information
- Create a Personal Security Environment (pse.zip)
- Import X.509 certificates
- Certificate management
- Create and import a Kerberos keytab
- Create a root CA token and an SNC server token

You get detailed help when you enter snc -H on the command line.
snc register
snc cred
snc createroot
snc createserver
Creates an SNC server token with private key and X.509 certificate including the root certificate. This command saves the token as PKCS#12 and PSE file in the current path.
If not defined, set the environment variable SECUDIR to <INSTDIR>/<SID>/DVEBMGS<instance_number>/sec before using the snc command.

To call the snc command, add the <INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL directory to the PATH variable or call snc with the full path:
Microsoft Windows: <INSTDIR>\<SID>\DVEBMGS<instance_number>\SLL\snc.exe
UNIX: <INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL/snc

Version output of snc (example):
Secure Login Library 1.0. SP 4 PL xx
CryptoLib 8.3.7.2
windows-x86-64
Support packages: SP0/ATS, SP1, SP2, SP3, SP4
Use the following command to save the status in a zip file with many details:
snc status -W -f snc_status.zip
To display the status for a specific user, use the following command:
snc -O <user_name> status -v
<new_host_name>
Add new credentials for a new user:
snc cred -P <PSE_master_password> -u <new_user>
Add new credentials and encrypt the content:
snc cred -P <PSE_master_password> -n <credential_name> -f <server_key_file>
The server key file is a file on the server with random content that is used to encrypt the credentials in the PSE. You can use any file type that is larger than 32 bytes. Do not change the path or the content afterwards; if you do, you can no longer access the credentials.
Example: snc register -f C:\Certificate\cert.p12
Use the command snc status -V to verify the import. If you do not want to worry about the location of the PKCS#12 file, copy it into pse.zip and register it. To do so, use the following command:
Example: snc register -f cert.p12 -n
<root_SNC_name>
Example: snc createroot -r sncrootcatoken -P ******** -N CN=SAP SNC RootCA, O=Company, C=DE
Result: sncrootcatoken.p12, sncrootcatoken.pse, sncrootcatoken.crt
After the creation, the root CA token is stored as PKCS#12, PSE, and CRT file (certificate only) in the current path.
<P12_password>
In the following example, you use the root CA token created in 4.2.11 Create Root CA Token to issue a server token.
Example: snc createserver -r sncrootcatoken -s server -n CN=server, O=SAP AG, C=DE -P <CA_password> -p <P12_password>
Result: server.p12, server.pse, server.crt
After the creation, the server token is stored in the current path as PKCS#12, PSE, and CRT file (certificate only). Use the trust manager (see Trust Manager) to import the PSE file as SNC SAPCryptolib PSE.
Server configuration parameters of gss.xml

searchstr (<string>): Part of the distinguished name to be shortened; see the <nameconversions> section below.
replstr (<short_client_name>): Replacement for the part of the distinguished name matched by searchstr.
UpperCaseClientName (true/false): Provides the client distinguished name in uppercase.
ClientNameSource (AltNameEMAIL, AltNameDNS, AltNameDNAME, AltNameURI, AltNameIP, AltNameUPN, AltNameEMAILWithoutDomain, AltNameUPNWithoutDomain, Subject): Certificate field from which the client name is taken; see below.
protocol_1993 (with parameter options): Defines whether the server accepts the 1993 communication protocol, which is compatible with SAPCRYPTOLIB 5.5.
  use (true/false): Specifies whether or not the 1993 communication protocol is used. Default: true
  algs_encr: List of encryption algorithms available. The system uses the first one that is possible. Default: all
  algs_hash: List of available hash algorithms. The system uses the first algorithm that is possible. Default: all
  acceptsigmode (true/false): Specifies whether the client key used for digital signatures is accepted as an authentication method. Default: true
  acceptencrmode (true/false): Specifies whether the client key used for encryption is accepted as an authentication method. Default: true
  acceptedttl (<temporary_key_lifetime>): Accepted lifetime of temporary keys (digital signature to keep the session alive) in seconds. Default: 86400 (24 hours)
protocol_2010 (with parameter options, <SNC_CRYPTOLIB_protocol>): Defines whether the server accepts the 2010 communication protocol.
  use (true/false): Enables/disables the use of the 2010 protocol. This protocol supports authentication with X.509 certificates and Kerberos tokens.
  acceptedttl (<temporary_key_lifetime>): Accepted lifetime of temporary keys (digital signature to keep the session alive) in seconds. Default: 86400 (24 hours)
  ciphers (aes256 aes128 rc4): Encryption algorithms used for handshake and application data protection. Default: all
  data_macs (HMAC-SHA256 HMAC-SHA1): MAC algorithms used for handshake and application data protection. Default: HMAC-SHA256 HMAC-SHA1
Client configuration parameters of gss.xml

authop (enc | sig | sigsession | auto): Authentication operation of the client. enc uses the encryption certificate, sig the signature certificate, sigsession the signature certificate with a temporary key that is cached for further sessions, auto selects automatically.
age (<period_in_seconds>): Period of key validity before the signing, in seconds. This period acts as a tolerance if the system times of client and server differ by a couple of minutes. Default: 600
ttl (<period_in_seconds>): Validity of the temporary key in seconds. Default: none
protocol_2010 (with parameter options, <SNC_CRYPTOLIB_protocol>): Defines whether the 2010 communication protocol is used.
  use (true/false): Enables/disables the use of the 2010 protocol. This protocol supports authentication with X.509 certificates and Kerberos tokens.
  ciphers: Encryption algorithms used for handshake and application data protection. Default: all
  data_macs: MAC algorithms used for handshake and application data protection. Default: HMAC-SHA256 HMAC-SHA1
ParallelSessions (true/false): Enables use of the signature certificate with a temporary key. Default: false
ParallelSessionsTTL (<period_in_seconds>): Validity of the temporary key in seconds. Default: 86400 (one day)
Whenever you reauthenticate, the temporary key and the associated session length are reused for a new session.

Example
If you use a token (smart card or soft token) to authenticate, you enter a PIN. In sigsession mode, the client creates a temporary key whose period of validity is specified by age and ttl. age is the tolerance for the offset between the server system time and the client system time: the validity starts that many seconds before the key is signed. ttl is the total validity of the temporary key in seconds. The default is 180 s starting 60 s earlier. If the value of ttl on the client exceeds the server value of acceptedttl, the SNC connection produces an error message.

Use the following syntax for the configuration:

Configuration example
Client configuration of gss.xml:
<protocol_1993>
  <authop>sigsession</authop>
  <age>300</age>
  <ttl>1899</ttl>
</protocol_1993>

Server configuration of gss.xml:
<protocol_1993>
  <acceptsigmode>true</acceptsigmode>
  <acceptedttl>2000</acceptedttl>
</protocol_1993>

To specify the lifetime of a temporary key in sigsession, proceed as follows:
1. Set a value for the system time tolerance in the parameter age in the gss.xml file of the client, for example, 300.
2. Set a value in the parameter ttl in the same file, for example, 3900.
3. Save the file.
4. Set the same value for acceptedttl as in ttl (3900) in the gss.xml file of the server.
5. Save the file.
6. Restart the server.
To calculate the resulting lifetime of the temporary key, subtract the period specified in age from the period specified in ttl. In this example, the lifetime is 3600 s:
3900 s - 300 s = 3600 s
To illustrate the behavior of the client and server parameters in the gss.xml files, see the following figure.

Ensure that the configuration of acceptedttl (server gss.xml) and ttl (client gss.xml) is identical. The vertical dotted lines indicate the time when the key is issued or when it is verified. If you verify the validity of the key within the period specified by ttl, the verification succeeds. Outside the period specified in the ttl parameter, the verification fails.
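The age/ttl/acceptedttl rule above, worked through in code. This is an added example, not code from the SAP guide or the Secure Login Library: it reads the <protocol_1993> parameters from a client and a server gss.xml fragment, derives the effective key lifetime (ttl minus age), reports a ttl that the server would reject, and evaluates the validity window at a given time. The placement of <protocol_1993> inside gss.xml and the sample fragments are assumptions constructed for this example.

```python
"""Added example (not SAP code): validate a sigsession configuration pair.

Reads <protocol_1993> from client and server gss.xml fragments, computes the
effective temporary-key lifetime (ttl - age), lists client/server mismatches,
and checks whether a verification at a given time lies inside the window.
"""
import xml.etree.ElementTree as ET

# Constructed sample fragments; where the section sits inside gss.xml is assumed.
CLIENT_GSS_XML = """<gss>
  <protocol_1993>
    <authop>sigsession</authop>
    <age>300</age>
    <ttl>3900</ttl>
  </protocol_1993>
</gss>"""

SERVER_GSS_XML = """<gss>
  <server>
    <protocol_1993>
      <acceptsigmode>true</acceptsigmode>
      <acceptedttl>3900</acceptedttl>
    </protocol_1993>
  </server>
</gss>"""


def _protocol_1993(xml_text):
    """Locate the <protocol_1993> element at any nesting depth."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == "protocol_1993" else next(root.iter("protocol_1993"), None)
    if node is None:
        raise ValueError("no <protocol_1993> section found")
    return node


def client_params(xml_text):
    """Client side: authop, age (default 600 per the guide) and ttl (no default)."""
    node = _protocol_1993(xml_text)
    ttl = node.findtext("ttl")
    return {
        "authop": (node.findtext("authop") or "auto").strip(),
        "age": int(node.findtext("age") or 600),
        "ttl": int(ttl) if ttl else None,
    }


def server_params(xml_text):
    """Server side: acceptsigmode (default true) and acceptedttl (default 86400)."""
    node = _protocol_1993(xml_text)
    return {
        "acceptsigmode": (node.findtext("acceptsigmode") or "true").strip().lower() == "true",
        "acceptedttl": int(node.findtext("acceptedttl") or 86400),
    }


def effective_lifetime(client):
    """Lifetime after the signing moment: ttl minus the clock-skew tolerance age."""
    return client["ttl"] - client["age"]


def check_sigsession(client, server):
    """Return the list of problems; an empty list means client and server agree."""
    problems = []
    if client["authop"] != "sigsession":
        return problems
    if not server["acceptsigmode"]:
        problems.append("server does not accept signature keys (acceptsigmode=false)")
    if client["ttl"] is None:
        problems.append("client ttl is not set")
        return problems
    if client["ttl"] > server["acceptedttl"]:
        problems.append("client ttl %d exceeds server acceptedttl %d; SNC connection fails"
                        % (client["ttl"], server["acceptedttl"]))
    if effective_lifetime(client) <= 0:
        problems.append("ttl must be larger than age, otherwise the key is never valid")
    return problems


def key_valid_at(signed_at, verify_at, client):
    """Validity window starts age seconds before signing and lasts ttl seconds in total."""
    start = signed_at - client["age"]
    end = start + client["ttl"]
    return start <= verify_at <= end


if __name__ == "__main__":
    c, s = client_params(CLIENT_GSS_XML), server_params(SERVER_GSS_XML)
    print("effective lifetime:", effective_lifetime(c), "s")
    print("problems:", check_sigsession(c, s) or "none")
```

Run it against your own gss.xml pair before restarting the server: a ttl larger than acceptedttl is exactly the case that produces the SNC error described above, and the window check shows why a client clock that is more than age seconds ahead of the server fails verification.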
Secure Login Library implements two protocols, named protocol_1993 (old) and protocol_2010 (new). The old protocol is compatible with SAP Crypto Library (SAPCryptoLib). The new protocol supports X.509 certificates and Kerberos tokens in parallel. When SAP GUI establishes a secure communication with the SAP NetWeaver Application Server, the symmetric algorithm is negotiated between both partners. You can force the use of, for example, the AES256 symmetric algorithm in the Secure Login Library configuration file gss.xml.

The following symmetric algorithms are available:
AES256
AES192 (old protocol 1993 only)
AES128
3DES (old protocol 1993 only)
RC4 (new protocol 2010 only)

Parameter <algs_encr>XXX</algs_encr>
Details: Use this parameter to define the symmetric algorithm for the old protocol, which is defined in section <protocol_1993>. This protocol is compatible with SAP Crypto Library (SAPCryptoLib). By default, the strongest symmetric algorithm that is available on both sides is negotiated. You can restrict the Secure Login Library to accept only aes256, for example. You can define the following algorithms: aes256, aes192, aes128, des3. Default is <empty>; the symmetric algorithm is negotiated during the authentication process.

Parameter <ciphers>XXX</ciphers>
Details: Use this parameter to define the symmetric algorithm for the new protocol, which is defined in section <protocol_2010>. This protocol supports the Kerberos solution. By default, the strongest symmetric algorithm that is available on both sides is negotiated. You can restrict the Secure Login Library to accept only AES256, for example. You can define the following algorithms: AES256, AES128, RC4. Default is <empty>; the symmetric algorithm is negotiated during the authentication process.

Note that RC4 and 3DES are regarded as weak by current cryptographic standards. Where all communication partners support AES, restrict algs_encr to the AES variants and ciphers to AES256 and AES128 rather than relying on the empty default.

gss.xml
<gss>
  <server>
    <protocol_1993>
      <algs_encr>xxx</algs_encr>
    </protocol_1993>
    <protocol_2010>
      <ciphers>xxx</ciphers>
    </protocol_2010>
  </server>
</gss>
Parameter <UpperCaseClientName>XXX</UpperCaseClientName>
Details: Define the configuration in parameter <UpperCaseClientName>.
true: The distinguished name is provided in uppercase.
false: The distinguished name is not converted to uppercase.

gss.xml
<gss>
  <server>
    <UpperCaseClientName>xxx</UpperCaseClientName>
  </server>
</gss>
Parameter <ClientNameSource>XXX</ClientNameSource>
Details: Defines the configuration in parameter <ClientNameSource>. Possible values:
AltNameEMAIL: RFC 822 name.
AltNameDNS: DNS name.
AltNameDNAME: Directory name.
AltNameURI: URI.
AltNameIP: IP address.
AltNameUPN: otherName with object identifier. Here the Microsoft User Principal Name is used (otherName type with OID 1.3.6.1.4.1.311.20.2.3).
AltNameEMAILWithoutDomain: RFC 822 name without domain. Here you can use the local part of an e-mail address without the domain part (j.smith instead of the full e-mail address).
AltNameUPNWithoutDomain: otherName with object identifier and without domain. Here the Microsoft User Principal Name is used (otherName type with OID 1.3.6.1.4.1.311.20.2.3) without the domain part.
Subject: Subject Distinguished Name.
Default is <empty>. In this case, the Subject (Distinguished Name) is used.

gss.xml
<gss>
  <server>
    <ClientNameSource>xxx</ClientNameSource>
  </server>
</gss>

You can enter several values separated by commas or spaces. The system uses the first value. If this is not possible, it proceeds to the second value, and so on. An error occurs when no value can be used.
Example 1
The Secure Login Library uses the URI. If the URI is not available, it uses the subject (Distinguished Name).
<ClientNameSource>AltNameURI Subject</ClientNameSource>
Example 2
The Secure Login Library uses the e-mail address and, as the first alternative, the Microsoft User Principal Name. If the second value is not available either, an error occurs.
<ClientNameSource>AltNameEMAIL AltNameUPN</ClientNameSource>
If users can change their own attributes (for example, through a self-service) and these attributes are used in the user certificate issued by the Secure Login Server, users may be able to assign additional rights to themselves and thus obtain rights they are not supposed to have. For this case, we recommend that you implement access restrictions for the change of user attributes.

Example: An AS ABAP uses certificate-based logon with the user's e-mail address in the Distinguished Name. The string in the certificate has the following format: [email protected] This means that the user's e-mail address is used for the user mapping in SNC. If an administrator enables users to change their own data (for example, e-mail address, first name, last name) through a self-service, a user can enter, for example, the manager's e-mail address ([email protected]) as attribute. Since this data is usually maintained centrally, the change also affects the Secure Login Server. If the certificate user mapping feature of the Secure Login Server is configured with the e-mail address as an attribute of the certificate, the user receives a certificate with the Distinguished Name [email protected] and is now able to log on to the AS ABAP as his or her manager.
Parameters <searchstr>XXX</searchstr> and <replstr>XXX</replstr>
Details: In the <nameconversions> section, use the <searchstr> parameter to define the part of the distinguished name to be shortened, for example OU=Very Long Organization Unit Name. The <replstr> parameter defines the string that replaces it, for example OU=Short Name.

gss.xml
<gss>
  <nameconversions>
    <searchstr>VeryLongNameComponent</searchstr>
    <replstr>ShorterNameComponent</replstr>
  </nameconversions>
  <nameconversions>
    <searchstr>AnotherVeryLongNameComponent</searchstr>
    <replstr>AnotherShorterNameComponent</replstr>
  </nameconversions>
</gss>
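How ClientNameSource, UpperCaseClientName and the nameconversions entries combine into the SNC name that is matched against SU01, as an added example that is not code from the SAP guide or the Secure Login Library. The certificate is modelled as a constructed dict of subject DN and subjectAltName values (a real implementation reads them from the X.509 certificate); that name conversions run before the uppercase conversion, and apply only to the subject DN, are assumptions of this example.

```python
"""Added example (not SAP code): resolve the SNC client name from a certificate
the way the server gss.xml parameters ClientNameSource, UpperCaseClientName and
<nameconversions> describe it.
"""
import re
import xml.etree.ElementTree as ET

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # otherName OID of the Microsoft UPN (from the guide)

# Constructed sample certificate contents (subject DN plus SAN entries).
SAMPLE_CERT = {
    "subject": "CN=J. Smith, OU=Very Long Organization Unit Name, O=Example, C=DE",
    "san": {
        "rfc822Name": "j.smith@example.com",
        "otherName": {UPN_OID: "j.smith@corp.example.com"},
        # dNSName, directoryName, uniformResourceIdentifier, iPAddress absent
    },
}

# Constructed server gss.xml: URI first, subject DN as fallback, one conversion.
SERVER_GSS_XML = """<gss>
  <server>
    <UpperCaseClientName>false</UpperCaseClientName>
    <ClientNameSource>AltNameURI Subject</ClientNameSource>
  </server>
  <nameconversions>
    <searchstr>OU=Very Long Organization Unit Name</searchstr>
    <replstr>OU=Short Name</replstr>
  </nameconversions>
</gss>"""


def parse_server_config(xml_text):
    root = ET.fromstring(xml_text)
    server = root.find("server")
    source_text = (server.findtext("ClientNameSource") or "") if server is not None else ""
    upper_text = (server.findtext("UpperCaseClientName") or "false") if server is not None else "false"
    return {
        # several values separated by commas or spaces; empty means Subject
        "sources": [s for s in re.split(r"[,\s]+", source_text.strip()) if s] or ["Subject"],
        "upper": upper_text.strip().lower() == "true",
        "conversions": [(nc.findtext("searchstr") or "", nc.findtext("replstr") or "")
                        for nc in root.findall("nameconversions")],
    }


def name_from_source(cert, source):
    """Return the name for one ClientNameSource value, or None if absent."""
    san = cert.get("san", {})
    upn = san.get("otherName", {}).get(UPN_OID)
    email = san.get("rfc822Name")
    table = {
        "Subject": cert.get("subject"),
        "AltNameEMAIL": email,
        "AltNameDNS": san.get("dNSName"),
        "AltNameDNAME": san.get("directoryName"),
        "AltNameURI": san.get("uniformResourceIdentifier"),
        "AltNameIP": san.get("iPAddress"),
        "AltNameUPN": upn,
        "AltNameEMAILWithoutDomain": email.split("@", 1)[0] if email else None,
        "AltNameUPNWithoutDomain": upn.split("@", 1)[0] if upn else None,
    }
    if source not in table:
        raise ValueError("unknown ClientNameSource value: " + source)
    return table[source]


def resolve_client_name(cert, cfg):
    """First usable source wins; an error is raised when none is present."""
    for source in cfg["sources"]:
        name = name_from_source(cert, source)
        if name:
            break
    else:
        raise LookupError("none of %s available in certificate" % ", ".join(cfg["sources"]))
    if source == "Subject":  # assumption: searchstr/replstr shorten the DN only
        for search, repl in cfg["conversions"]:
            if search:
                name = name.replace(search, repl)
    return name.upper() if cfg["upper"] else name


def client_name(cert, xml_text):
    return resolve_client_name(cert, parse_server_config(xml_text))
```

The example is useful for the attribute self-service problem described above as well: whichever source you configure, the value a user can edit in the directory is the value that becomes the SNC name, so the resolution shown here is only as trustworthy as the attribute it reads.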
Default Settings
The default user schema of the Secure Login Library is RFC2256. The configuration is located in the file base.xml. For more information about base.xml, see 5.2 Configuring the CRL Tool. By default, the schema entry in base.xml is empty, which means RFC2256. If you prefer, you can also enter rfc2256 explicitly for clarity.
Example 1
<name>
  <encoding>UTF8</encoding>
  <schema></schema>
  <!-- 'secude'/'sapcryptolib' or 'rfc2256' (default) specifies the schema for order and keywords of name components -->
</name>
Example 2
<name>
  <encoding>UTF8</encoding>
  <schema>rfc2256</schema>
  <!-- 'secude'/'sapcryptolib' or 'rfc2256' (default) specifies the schema for order and keywords of name components -->
</name>
Example 3
<name>
  <encoding>UTF8</encoding>
  <schema>secude</schema>
  <!-- 'secude'/'sapcryptolib' or 'rfc2256' (default) specifies the schema for order and keywords of name components -->
</name>
Manual Configuration
Start the user management tool by calling transaction SU01 and choose the SNC tab. If you use Kerberos authentication, enter the Kerberos user name in the SNC name field. If you use X.509 certificate-based authentication, enter the Distinguished Name of the X.509 certificate in the SNC name field. Note that the SNC name is case-sensitive.
Kerberos Example
In this example the SNC Name p:[email protected] belongs to the user SAPUSER.
For more information about how to perform user mapping, see the Secure Login Library Installation, Configuration, and Administration Guide.
Kerberos Example
In this example, SNC names are generated with the following string for all users without an SNC name.
Limitations
The Secure Login Library covers only basic functions on the server side, such as checking client certificates against CRLs, getting CRLs from a distribution point, and storing them in a local cache. The Secure Login Library has the following limitations:
The extension IssuingDistributionPoint in CRLs cannot be used with the Secure Login Library.
Delta CRLs are not supported.
At present the Secure Login Library assumes that, in a given environment, all CAs provide CRLs. This means that multiple PKIs using different revocation checking policies, and one PKI with CAs using different revocation checking policies, are not supported.
UNIX usually does not come with an LDAP client. To use the CRL tool to get CRLs from LDAP, you must provide an OpenLDAP client (liboldap.*).
The Secure Login Client does not check CRLs.
The CRL tool provides the following commands: crl status, crl list, crl remove, crl show, crl store, and crl get.

Use the following command to get a CRL and store it in the cache using a different distribution point (the URL in the store command must point to the CRL distribution point specified in the certificate):
crl get -u <HTTP_server> store -u <LDAP_server>
Example:
crl get -u http://server/ store -u ldap:///sap.example.com
pkix.xml
In the configuration file pkix.xml, you configure whether a CRL check is used at all. CRL checking is active if the parameter revCheck is set to the value CRL. The default setting of this parameter is NO (no use of CRLs), so an unchanged pkix.xml accepts revoked client certificates. After you have changed the configuration files, restart your ABAP server so that the new parameters take effect.
Example
<pkix>
  <profile>
    <acceptNoBCwithKeyUsage>true</acceptNoBCwithKeyUsage>
    <revCheck>CRL</revCheck>
    <certificatePolicies>noCheck</certificatePolicies>
  </profile>
</pkix>
The following table contains all parameters and parameter options that are available in pkix.xml.

Configuration parameters of pkix.xml
profile (with parameter options, <CRL_checking_profile>): CRL checking profile.
  acceptNoBCwithKeyUsage (true/false): Specifies whether certificates without the BasicConstraints extension are accepted as CA certificates if they carry the keyCertSign key usage. Default: true
  revCheck (NO/CRL): Enables/disables revocation checking. Default: NO
  certificatePolicies (noCheck/<trusted_certificate_policy_object_identifiers>): List of trusted certificate policy object identifiers separated by a semicolon (;). Default: noCheck

If the parameter acceptNoBCwithKeyUsage has the value true, the system checks whether certificates without the BasicConstraints extension have the keyCertSign key usage; if so, they are accepted as CA certificates. If the parameter has the value false, such certificates are not accepted as CA certificates.
base.xml
You can configure the cache and the verification of the CRL download in the file base.xml. Using CRLs from the cache improves performance considerably. By default, the parameter verificationonlineaccess is set to false, which disables online verification of CRLs, for example on an LDAP server or HTTP server. If you want to activate CRL verification with the cache, set the parameter usepkicache to true (default: false).
Example 1
If you want to define a different location for the cache directory, optionally set the parameter pkicachedir (for multiple servers accessing the cache, you could use an NFS share).
<base>
  <verificationonlineaccess>false</verificationonlineaccess>
  <usepkicache>true</usepkicache>
  <pkicachedir>\usr\sap\T2D\DVEBMGS00\sec</pkicachedir>
</base>
Example 2
Set the parameter verificationonlineaccess to false and usepkicache to true without defining a different cache directory. In this case, you need not enter any value in pkicachedir.
<base>
  <verificationonlineaccess>false</verificationonlineaccess>
  <usepkicache>true</usepkicache>
  <pkicachedir></pkicachedir>
</base>
Example 3
If you want to carry out a CRL check from a remote LDAP directory, set the parameter verificationonlineaccess to true and usepkicache to false. In this case, you need not enter any value in pkicachedir.
<base>
  <verificationonlineaccess>true</verificationonlineaccess>
  <usepkicache>false</usepkicache>
  <pkicachedir></pkicachedir>
</base>
Example 4
If CRL requests must go through a proxy server, enter the host name and port number of the proxy server.
<base>
  <proxy>
    <url>host.example.com:8003</url>
  </proxy>
</base>
The following table contains all parameters and parameter options that are available in base.xml.

Configuration parameters of base.xml
verificationonlineaccess (true/false): If set to true, missing CRLs and certificates are searched online. Default: false
usepkicache (true/false): Specifies whether a CRL check uses a cache directory or a remote LDAP directory. Default: false
pkicachedir (<directory>): Location of the dbcert and dbcris directories. Default: <PSE_directory>
proxy/url (<host_name:port>): Defines the proxy if you use a proxy server for the CRL request (host name and port number of the proxy). This parameter does not support proxy URLs.
name/encoding (<character_set>): Character set used for encoding Distinguished Names in ASN.1. Default: UTF8
name/schema (secude/sapcryptolib/rfc2256): Schema for the sequence and keywords of the name elements. Default: rfc2256
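The interplay of pkix.xml and base.xml decides whether revocation is checked at all and where CRLs come from; the following added example (not code from the SAP guide or the Secure Login Library) derives that effective policy from constructed fragments, flags the default-NO trap and the cache/online switch combination that leaves no CRL source, and applies the acceptNoBCwithKeyUsage rule to a candidate CA certificate. The certificate is modelled as a dict (basic_constraints_ca True/False, or None when the extension is absent; key_usage as a set of key-usage names), which is an assumption of this example.

```python
"""Added example (not SAP code): effective CRL policy from pkix.xml + base.xml,
and the acceptNoBCwithKeyUsage decision for a candidate CA certificate."""
import xml.etree.ElementTree as ET

# Constructed fragments, following the examples in the guide.
PKIX_XML = """<pkix>
  <profile>
    <acceptNoBCwithKeyUsage>true</acceptNoBCwithKeyUsage>
    <revCheck>CRL</revCheck>
    <certificatePolicies>noCheck</certificatePolicies>
  </profile>
</pkix>"""

BASE_XML = """<base>
  <verificationonlineaccess>false</verificationonlineaccess>
  <usepkicache>true</usepkicache>
  <pkicachedir>/usr/sap/T2D/DVEBMGS00/sec</pkicachedir>
</base>"""


def _flag(text, default):
    """Parse a true/false element; missing or empty means the documented default."""
    return default if text is None or not text.strip() else text.strip().lower() == "true"


def revocation_policy(pkix_xml, base_xml):
    """Combine the pkix.xml profile with the base.xml cache/online switches."""
    profile = ET.fromstring(pkix_xml).find("profile")
    base = ET.fromstring(base_xml)
    if profile is None:
        raise ValueError("pkix.xml has no <profile> section")
    rev_check = (profile.findtext("revCheck") or "NO").strip().upper()
    policies = (profile.findtext("certificatePolicies") or "noCheck").strip()
    use_cache = _flag(base.findtext("usepkicache"), False)
    online = _flag(base.findtext("verificationonlineaccess"), False)
    policy = {
        "revocation": rev_check == "CRL",
        "crl_source": None,
        "cache_dir": (base.findtext("pkicachedir") or "").strip() or "<PSE_directory>",
        "accept_no_bc": _flag(profile.findtext("acceptNoBCwithKeyUsage"), True),
        "trusted_policies": [] if policies == "noCheck" else [p for p in policies.split(";") if p],
    }
    if policy["revocation"]:
        policy["crl_source"] = "cache" if use_cache else ("online" if online else "none")
    return policy


def policy_warnings(policy):
    """What a reviewer would flag before going live."""
    found = []
    if not policy["revocation"]:
        found.append("revCheck is NO (default): revoked client certificates are still accepted")
    elif policy["crl_source"] == "none":
        found.append("revCheck is CRL but usepkicache and verificationonlineaccess are both false: no CRL source")
    if policy["accept_no_bc"]:
        found.append("acceptNoBCwithKeyUsage is true: certificates without BasicConstraints may act as CAs")
    return found


def accept_as_ca(cert, accept_no_bc):
    """BasicConstraints decides when present; otherwise keyCertSign plus the flag decide."""
    ca_flag = cert.get("basic_constraints_ca")
    if ca_flag is not None:
        return bool(ca_flag)
    return accept_no_bc and "keyCertSign" in cert.get("key_usage", set())


if __name__ == "__main__":
    current = revocation_policy(PKIX_XML, BASE_XML)
    print(current)
    for warning in policy_warnings(current):
        print("WARNING:", warning)
```

Point it at the pkix.xml and base.xml of a freshly installed instance and the first warning is what you will see: the shipped defaults perform no revocation checking until revCheck is set to CRL and one of the base.xml switches names a CRL source.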
ldap.xml
You only need to modify this file in an Active Directory environment. If an LDAP URL that does not contain the server name is used as a CRL distribution point (in the default setting, the relevant section is commented out), define the name of the LDAP server in the configuration file ldap.xml. If you are in a Microsoft Windows domain and Active Directory is used as LDAP server, enter the value ADS in the parameter name.
Example
<ldap>
  <server>
    <name>ADS</name>
  </server>
</ldap>

Configuration parameters of ldap.xml
timeout (<milliseconds>): Timeout of the LDAP server in milliseconds. Default: 40000
nettimeout (<milliseconds>): Network timeout in milliseconds. Default: 800
server/name (ADS): Definition of the LDAP server used for CRL retrieval. Enter ADS if Active Directory is used as LDAP server. Default: no value
6 Use Cases
This section gives instructions for the most frequently used use cases of NetWeaver Single Sign-On. It provides a rough overview of the steps you take to set up such a solution, together with helpful references and links.
6.1.1 Prerequisites
You have installed Secure Login Client on the client workstations in a Microsoft domain. Secure Login Library is installed in the AS ABAP systems 1 and 2. This makes an SNC communication with X.509 certificates possible.
The following SAP NetWeaver Single Sign-On software components must be installed in this environment (see the prerequisites above for where each one runs):
Secure Login Client (on the client workstations)
Secure Login Library (SNC library)
Secure Login Library or SAPCRYPTOLIB (SNC library)
Choose Extended Maintenance and Change. Go to the parameter snc/identities/as and enter p:CN=KerberosABC, OU=SAP Security, C=DE. The Secure Login Client (1.0 SP02, patch 03 and higher) converts the SNC name for Kerberos use: if SAP GUI receives the SNC name p:CN=KerberosABC, OU=SAP Security, C=DE, the Secure Login Client rebuilds the Service Principal Name, for example, to CN=SAP/[email protected]. This happens if the Secure Login Client uses a Kerberos profile and SAP GUI has no Kerberos name. For more information, see SAP Note 1696905.
Option 2: Create an X.509 certificate for the AS ABAP system. Example: CN=SAP/[email protected]. Unlike some PKI vendors, Secure Login Server can generate a certificate with special characters, for example @. For more information, see the Installation, Configuration, and Administration Guide for SAP NetWeaver Single Sign-On 1.0, Secure Login Library, Authentication with X.509 Certificates and Kerberos.
6. On AS ABAP system 2, generate an X.509 certificate in transaction STRUST (for more information on the trust manager, see http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bdb17f85640f1e10000000a42189c/frameset.htm). If you use self-signed certificates, import them from AS ABAP system 1.
7. Restart the AS ABAP systems 1 and 2.
8. Install the Secure Login Client on your Windows client(s) (see Installation, Configuration, and Administration Guide for SAP NetWeaver Single Sign-On 1.0, Secure Login Client, Secure Login Client Installation), and enable SNC in SAP GUI (see Installation, Configuration, and Administration Guide for SAP NetWeaver Single Sign-On 1.0, Secure Login Client, Enable SNC in SAP GUI).
9. To configure the SNC user mapping, start transaction SU01 on AS ABAP system 1 (see Installation, Configuration, and Administration Guide for SAP NetWeaver Single Sign-On 1.0, Secure Login Client, User Mapping). Depending on the communication direction, configure secure network communication (SNC) in transaction SM59 (see http://help.sap.com/saphelp_nw73ehp1/helpdata/en/7e/6ca46b1ee4468a98280ff00db4d97d/frameset.htm).
10. Depending on the communication direction, configure secure network communication (SNC) in transaction SM59 (see http://help.sap.com/saphelp_nw73ehp1/helpdata/en/7e/6ca46b1ee4468a98280ff00db4d97d/frameset.htm) for AS ABAP system 2.
7 Troubleshooting
This section provides further information about how to troubleshoot the Secure Login Library.

Checklist (the option hyphens of the snc command, lost in extraction, are restored below):
1. Check the SAP trace file dev_w0.
2. Verify that the Secure Login Library is installed correctly, as described in section 2 Secure Login Library Installation.
3. Verify the SNC configuration. Log on to the SAP ABAP server using SAP GUI and start transaction RZ10. Choose the instance profile and verify the value of the parameter snc/gssapi_lib and the other SNC parameters. For more information, see section 3 Secure Login Library Configuration.
4. Verify the SNC library file access rights for the user who starts the SAP server.
5. Verify the SNC library status with the command snc status -v or snc -O <user_name> status -v.
6. Verify that the SNC certificate was provided to the Secure Login Library PSE environment. Start a command line shell and change to the Secure Login Library folder <INSTDIR>/<SID>/DVEBMGS<instance_number>/SLL. Set the environment variable SECUDIR=<INSTDIR>/<SID>/DVEBMGS<instance_number>/sec and use the command snc -O <SAP_service_user> status -v.
   Microsoft Windows example: snc -O SAPServiceABC status -v
   Linux example: snc -O abcadm status -v
7. Enable the Secure Login Library trace and analyze the problem. For more information, see section 4.1 Enable Trace.
8 List of Abbreviations
ADS: Active Directory Service
CA: Certification Authority
CAPI: Microsoft Crypto API
CRL: Certificate Revocation List
CSP: Cryptographic Service Provider
DN: Distinguished Name
EAR: Enterprise Application Archive
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol over Secure Socket Layer (SSL)
IAS: Internet Authentication Service (Microsoft Windows Server 2003)
JAAS: Java Authentication and Authorization Service
JSPM: Java Support Package Manager
LDAP: Lightweight Directory Access Protocol
NPA: Network Policy and Access Services (Microsoft Windows Server 2008)
PIN: Personal Identification Number
PKCS: Public Key Cryptography Standards
PKCS#10: Certification Request Standard
PKCS#11: Cryptographic Token Interface Standard
PKCS#12: Personal Information Exchange Syntax Standard
PKI: Public Key Infrastructure
PSE: Personal Security Environment
RADIUS: Remote Authentication Dial-In User Service
RFC: Remote function call (SAP NetWeaver term)
RSA: Rivest, Shamir and Adleman
SAR: SAP Archive
SCA: Software Component Archive
SLAC: Secure Login Administration Console
SLC: Secure Login Client
SLL: Secure Login Library
SLS: Secure Login Server
SLWC: Secure Login Web Client
SNC: Secure Network Communication (SAP term)
SSL: Secure Socket Layer
UPN: User Principal Name
WAR: Web Archive
WAS: Web Application Server
9 Glossary
Authentication
A process that checks whether a person is really who they claim to be. In a multi-user or network system, authentication means the validation of a user's logon information. A user's name and password are compared against an authorized list.
Base64 encoding
Base64 encoding is a three-bytes-to-four-characters encoding based on an alphabet of 64 characters. It was introduced in PEM (RFC 1421) and MIME. Other uses include HTTP Basic Authentication headers and general binary-to-text encoding applications. Note: Base64 encoding expands binary data by 33%, which is quite efficient.
CAPI
See Cryptographic Application Programming Interface
Certificate
A digital identity card. A certificate typically includes:
the public key being signed;
a name, which can refer to a person, a computer or an organization;
a validity period;
the location (URL) of a revocation center;
the digital signature of the certificate, produced by the CA's private key.
Certificate Store
Sets of security certificates belonging to user tokens or certification authorities.
CREDDIR
A directory on the server in which information is placed that goes beyond the PSE.
Credentials
Used to establish the identity of a party in communication. Usually they take the form of machine-readable cryptographic keys and/or passwords. Cryptographic credentials may be self-issued, or issued by a trusted third party; in many cases the only criterion for issuance is unambiguous association of the credential with a specific, real individual or other entity. Cryptographic credentials are often designed to expire after a certain period, although this is not mandatory. Credentials have a defined time to live (TTL) that is configured by a policy and managed by a client service process.
Directory Service
Provides information in a structured format. Within a PKI: Contains information about the public key of the user of the security infrastructure, similar to a telephone book (for example, an X.500 or LDAP directory).
Key Usage
Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For example, if you have a key used only for signing, enable the digitalSignature and/or nonRepudiation extensions. Alternatively, if a key is used only for key management, enable keyEncipherment.
PKCS#11
PKCS refers to a group of Public Key Cryptography Standards devised and published by RSA Security. PKCS#11 is an API defining a generic interface to cryptographic tokens.
PEM
See Privacy Enhanced Mail.
PIN
See Personal Identification Number.
Privacy Enhanced Mail
The current version of PEM (specified in RFC 1421) uses a 64-character alphabet consisting of upper- and lower-case Roman alphabet characters (A-Z, a-z), the numerals (0-9), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code. The original specification additionally used the "*" symbol to delimit encoded but unencrypted data within the output stream.
Public FSD
Public file system device. An external storage device that uses the same file system as the operating system.
Root certification
The certificate of the root CA.
RSA
An asymmetric cryptographic algorithm developed by Rivest, Shamir, and Adleman in 1977. It is the most widely used algorithm for encryption and authentication and is used in many common browsers and mail tools. Security depends on the key length: at the time of writing (2012) key lengths of 1024 bits or higher were regarded as secure; current guidance treats 1024-bit RSA keys as deprecated and requires at least 2048 bits.
Single Sign-On
A system that administers authentication information, allowing a user to log on to systems and open programs without entering authentication data every time (automatic authentication).
Token
A security token (or sometimes a hardware token, authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens. Smart-card-based USB tokens (which contain a smart card chip inside) provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device (smart card reader). From the computer operating system's point of view, a token is a USB-connected smart card reader with one non-removable smart card present. Tokens provide access to a private key that allows the user to perform cryptographic operations. The private key can be persistent (like a PSE file, smart card, or CAPI container) or non-persistent (like temporary keys provided by Secure Login).
Windows Credentials
A unique set of information authorizing the user to access the Microsoft Windows operating system on a computer. The credentials usually comprise a user name, a password, and a domain name (optional).
X.500
A standardized format for a tree-structured directory service.
X.509
A standardized format for certificates and certificate revocation lists.