Installation, Configuration, and Administration Guide SAP NetWeaver Single Sign-On SP1 Secure Login Library PUBLIC Document Version: 1.1 October 2011



Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer

Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.

Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
T +49/18 05/34 34 24, F +49/18 05/34 34 20, www.sap.com

Terms for Included Open Source Software

This SAP software also contains the third party open source software products listed below. Please note that for these third party products the following special terms and conditions shall apply.

Open LDAP http://www.openldap.org/

The OpenLDAP Public License
Version 2.8, 17 August 2003

Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met:

1. Redistributions in source form must retain copyright statements and notices,
2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and
3. Redistributions must contain a verbatim copy of this document.

The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license.

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders.

OpenLDAP is a registered trademark of the OpenLDAP Foundation.

Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.

PCRE http://www.pcre.org/

PCRE LICENCE

PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language.

Release 8 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself.

The basic library functions are written in C and are freestanding. Also included in the distribution is a set of C++ wrapper functions.

THE BASIC LIBRARY FUNCTIONS

Written by: Philip Hazel
Email local part: ph10
Email domain: cam.ac.uk

University of Cambridge Computing Service, Cambridge, England.

Copyright (c) 1997-2010 University of Cambridge
All rights reserved.

THE C++ WRAPPER FUNCTIONS

Contributed by: Google Inc.

Copyright (c) 2007-2010, Google Inc.
All rights reserved.

THE "BSD" LICENCE

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the University of Cambridge nor the name of Google Inc. nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

SSLeay http://www2.psy.uq.edu.au/~ftp/Crypto/ssleay/

Copyright (C) 1995-1998 Eric Young ([email protected])
All rights reserved.

This package is an SSL implementation written by Eric Young ([email protected]). The implementation was written so as to conform with Netscape's SSL.

This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]).

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young ([email protected])". The word 'cryptographic' can be left out if the rouines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson ([email protected])".

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The licence and distribution terms for any publically available version or derivative of this code cannot be changed. I.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]

Typographic Conventions

Type Style: Description

Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.

Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon: Meaning

Caution icon: Caution
Example icon: Example
Note icon: Note
Recommendation icon: Recommendation
Syntax icon: Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help > General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

06/2011 7

Contents

1 What is Secure Login? ..... 8
1.1 System Overview ..... 9
1.2 Main System Components ..... 10
2 Secure Login Library Installation ..... 11
2.1 Prerequisites ..... 11
2.2 Installation on a Microsoft Windows Operating System ..... 12
2.3 Installation on a UNIX/Linux Operating System ..... 15
2.4 Updating the Secure Login Library ..... 17
2.5 Uninstallation ..... 18
3 Secure Login Library Configuration ..... 19
3.1 SNC X.509 Configuration ..... 19
3.2 SNC Kerberos Configuration ..... 22
4 Configuration Options ..... 30
4.1 Enable Trace ..... 30
4.2 Command Line Tool SNC ..... 31
4.3 Define Symmetric Algorithm ..... 34
4.4 Uppercase Distinguished Name Feature ..... 36
4.5 Alternative Name DN Feature ..... 37
4.6 Shorten Long Distinguished Names ..... 38
4.7 User Mapping ..... 39
5 Using Certificate Revocation Lists ..... 42
5.1 Downloading CRLs with the CRL Tool ..... 42
5.2 Configuring the CRL Tool ..... 44
6 Troubleshooting ..... 46
6.1 SNC Library Not Found ..... 46
6.2 Credentials Not Found ..... 46
6.3 No User Exists with SNC Name ..... 47
7 List of Abbreviations ..... 48
8 Glossary ..... 50

1 What is Secure Login?

Secure Login is an innovative software solution created specifically to improve user and IT productivity and to protect business-critical data in SAP business solutions through secure single sign-on to the SAP environment.

Secure Login provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components. Examples:

- SAP GUI and SAP NetWeaver platform with Secure Network Communications (SNC)
- Web GUI and SAP NetWeaver platform with Secure Socket Layer SSL (HTTPS)
- Third party application server, supporting X.509 certificates

In a default SAP setup, users enter their SAP user name and password on the SAP GUI logon screen. SAP user names and passwords are transferred through the network without encryption.

To secure networks, SAP provides a Secure Network Communications interface (SNC) that enables users to log on to SAP systems without entering a user name or password. The SNC interface can also pass calls through the Secure Login Library to encrypt all communication between the SAP GUI and an SAP server, thus providing secure single sign-on to SAP.

Secure Login allows you to benefit from the advantages of SNC without the need to set up a Public Key Infrastructure (PKI). Secure Login allows users to authenticate via one of the following authentication mechanisms:

- Windows Domain (Active Directory Server)
- RADIUS server
- LDAP server
- SAP NetWeaver server
- Smart card authentication

If a PKI has already been set up, the digital user certificates of the PKI can also be used by Secure Login.

Secure Login also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) with SSL.

1.1 System Overview

Secure Login is a client/server software system integrated with SAP software to facilitate single sign-on, alternative user authentication, and enhanced security for distributed SAP environments.

The Secure Login solution includes three components:

- Secure Login Server: Central service that provides X.509v3 certificates (out-of-the-box PKI) to users and application servers. The Secure Login Web Client is also provided.
- Secure Login Library: Crypto library for the SAP NetWeaver ABAP system. The Secure Login Library supports X.509 and Kerberos technology in parallel.
- Secure Login Client: Client application that provides security tokens (Kerberos and X.509 technology) for a variety of applications.

The Secure Login Library is integrated with SAP software to provide single sign-on capability and enhanced security. An existing PKI structure or the Kerberos technology can be used for user authentication.

You do not need to install all of the components; which ones you need depends on your use case scenario. For more information about Secure Login Server and Secure Login Client, see their Installation, Configuration and Administration Guides.

1.2 Main System Components

The following figure shows the Secure Login system environment with the main system components:

Figure: Secure Login System Environment with existing PKI and Kerberos

The Secure Login Client is responsible for the certificate-based authentication and Kerberos-based authentication to the SAP Application Server and for secure communication.

For more information about Secure Login Server and Secure Login Client, see the Installation, Configuration and Administration Guide.

2 Secure Login Library Installation

This section explains how to install the Secure Login Library.

2.1 Prerequisites

This section deals with the prerequisites and requirements for the installation of the Secure Login Library.

You can download the SAP NetWeaver Single Sign-On software from the SAP Service Marketplace. Go to https://service.sap.com/swdc and choose Support Package and Patches > Browse our Download Catalog > SAP NetWeaver and complementary products > SAP NetWeaver Single Sign-On > SAP NetWeaver Single Sign-On 1 > Comprised Software Component Versions > Secure Login Library 1.0. The Secure Login Library is available for the following operating systems:

- AIX 32-bit
- AIX 64-bit
- HP-UX on IA-64 64-bit
- HP-UX on PA-RISC 32-bit
- HP-UX on PA-RISC 64-bit
- Linux on IA32 32-bit
- Linux on IA-64 64-bit
- Linux on Power 64-bit
- Linux on x86_64 64-bit
- Linux on zSeries 64-bit
- MacOS X 64-bit
- Solaris on SPARC 32-bit
- Solaris on SPARC 64-bit
- Solaris on x64 64-bit
- TRU64 64-bit
- Microsoft Windows Server on IA32 32-bit
- Microsoft Windows on IA-64 64-bit
- Microsoft Windows on x64 64-bit

Hardware Requirements

- Hard Disk Space: 10 MB hard disk space
- Random Access Memory: min. 1 GB RAM

Software Requirements

Operating Systems:
- Microsoft Windows Server 2003 x64 64-bit
- Microsoft Windows Server 2003 on IA-64 64-bit
- Microsoft Windows Server 2008 x64 64-bit
- Microsoft Windows Server 2008 on IA-64 64-bit
- Microsoft Windows Server 2008 R2 x64 64-bit
- Microsoft Windows Server 2008 R2 on IA-64 64-bit
- AIX 5.2, 5.3, 6.1, 7.1 Power 64-bit
- HP-UX 11.11, 11.23, 11.31 PA-RISC 64-bit
- HP-UX 11.23, 11.31 IA-64 64-bit
- Solaris 9, 10 SPARC 64-bit
- Solaris 10 x64 64-bit
- Linux SLES 9, 10, 11 IA-64 64-bit
- Linux SLES 9, 10, 11 x86_64 64-bit
- Linux SLES 9, 10, 11 Power 64-bit
- Linux RHEL 4, 5, 6 IA-64 64-bit
- Linux RHEL 4, 5, 6 x86_64 64-bit
- Linux RHEL 4, 5, 6 Power 64-bit
- OSF1 5.1 Alpha 64-bit
- Mac OS X 10.5 Universal 96 (32-bit / 64-bit)

SAP Application Server:
- SAP R/3 Release 4.6C
- SAP R/3 Enterprise Release 4.70
- SAP Web Application Server 6.10
- SAP Web Application Server 6.20
- SAP Web Application Server 6.30
- SAP NetWeaver 2004
- SAP NetWeaver 7.0
- SAP NetWeaver 7.0 EHP1
- SAP NetWeaver 7.0 EHP2
- SAP NetWeaver 7.3

SAPCRYPTOLIB: The SAPCRYPTOLIB is required to use the transaction STRUST (PSE Management).

Microsoft Library (optional): The Microsoft library Microsoft Visual C++ 2010 Redistributable Package can be installed if you use a Windows operating system.

2.2 Installation on a Microsoft Windows Operating System

Before starting the installation process, the Secure Login Library software SECURELOGINLIB.SAR must be available. Copy the file to the target SAP NetWeaver Application Server.

The Secure Login Library must be installed in a directory to which the Application Server has access at runtime. We recommend that you create this directory below the SAP NetWeaver Application Server.

Step 1 - Install Microsoft Redistributable Package

The Microsoft library Microsoft Visual C++ 2010 Redistributable Package is required for the Secure Login Library installation. Download the library from the Microsoft Web page and install it on the SAP NetWeaver system. Install the appropriate installation package for the operating system that you are using (32-bit or 64-bit system).

- 32-bit operating system: Microsoft Visual C++ 2010 Redistributable Package (x86). Choose the file name vcredist_x86.exe: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=a7b7a05e-6de6-4d3a-a423-37bf0912db84
- 64-bit operating system: Microsoft Visual C++ 2010 Redistributable Package (x64). Choose the file name vcredist_x64.exe: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=bd512d9e-43c8-4655-81bf-9350143d5867

Step 2 - Create Folder SLL

Create a new folder named SLL in:

\\DVEBMGS\SLL

Microsoft Windows example:

D:\usr\sap\ABC\DVEBMGS00\SLL

Step 3 - Extract SECURELOGINLIB.SAR

Extract the file SECURELOGINLIB.SAR to the new folder with the SAPCAR command line tool (-R sets the target directory):

sapcar -xvf \SECURELOGINLIB.SAR -R \\DVEBMGS\SLL\

Example:

sapcar -xvf D:\SECURELOGINLIB.SAR -R D:\usr\sap\ABC\DVEBMGS00\SLL\

Step 4 - Test Secure Login Library

To verify the Secure Login Library, run the snc command:

\\DVEBMGS\SLL\snc.exe

Microsoft Windows example:

D:\usr\sap\ABC\DVEBMGS00\SLL\snc.exe

The system displays further information about the Secure Login Library. The test is successful if the product version is displayed.

Figure: Verify Secure Login Library with the command snc

If the following error message is displayed, install the Microsoft Visual C++ 2010 Redistributable Package.

2.3 Installation on a UNIX/Linux Operating System

Before starting the installation process, the Secure Login Library software SECURELOGINLIB.SAR must be available. Copy the file to the target SAP NetWeaver Application Server.

The Secure Login Library must be installed in a directory to which the Application Server has access at runtime. We recommend that you create this directory below the SAP NetWeaver Application Server.

Perform the configuration steps for the Secure Login Library with the user account that will start the SAP application (for example, adm). Once configuration is complete, the adm user needs to have access rights to the Secure Login Library.

Step 1 - Create Folder SLL

Create a new folder named SLL in:

//DVEBMGS/SLL

Example:

/usr/sap/ABC/DVEBMGS00/SLL

Step 2 - Extract SECURELOGINLIB.SAR

Extract the file SECURELOGINLIB.SAR to the new folder with the SAPCAR command line tool (-R sets the target directory):

sapcar -xvf /SECURELOGINLIB.SAR -R //DVEBMGS/SLL/

Example:

sapcar -xvf /tmp/SECURELOGINLIB.SAR -R /usr/sap/ABC/DVEBMGS00/SLL/

Step 3 - Define File Attributes in UNIX/Linux

To use the shared libraries from the shell (operating system UNIX/Linux), you need to set the file permission attributes of the snc tool and of the shared libraries (lib*) with the following command:

chmod +rx //DVEBMGS/SLL/snc //DVEBMGS/SLL/lib*

Example:

chmod +rx /usr/sap/ABC/DVEBMGS00/SLL/snc /usr/sap/ABC/DVEBMGS00/SLL/lib*

To use the shell under the operating system HP-UX with the shared libraries, you need to set an attribute with the following command:

chatr +s enable //DVEBMGS/SLL/snc

Step 4 - Define File Owner in UNIX/Linux

Apply access rights to the user account that will start the SAP application (for example, adm). Change to the folder //DVEBMGS/SLL/ and use the following command:

chown [OWNER]:[GROUP] *

Example:

chown abcadm:sapsys *

Step 5 - Test Secure Login Library

To verify the Secure Login Library, run the snc command (in a UNIX/Linux environment, test with the adm user):

//DVEBMGS/SLL/snc

Example:

/usr/sap/ABC/DVEBMGS00/SLL/snc

The system displays further information about the Secure Login Library. The test is successful if the product version is displayed.

Figure: Verify Secure Login Library with the command snc
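As an added check for the UNIX/Linux steps above (example code, not part of the SAP guide), the following Python function verifies an SLL folder the way steps 3 and 4 leave it and step 5 expects it: the snc tool and the lib* shared libraries must exist, be readable and executable by their owner, not be writable by others, and belong to the expected user and group. The make_sample_install helper builds a constructed sample folder with placeholder files in a temporary directory; the expected owner is read from those files with owner_of.

```python
"""Verify a Secure Login Library (SLL) folder on UNIX/Linux.

Added example, not part of the SAP guide: checks the state that steps 3 and 4
(chmod +rx, chown) are meant to produce before the snc test in step 5 is run.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

SNC_TOOL = "snc"      # command line tool shipped in the SLL folder
LIB_GLOB = "lib*"     # shared libraries, e.g. libsecgss.so (see section 3.1)


def check_sll_dir(sll_dir: str, expected_uid: int, expected_gid: int) -> List[str]:
    """Return a list of problems; an empty list means the folder looks correct."""
    problems: List[str] = []
    base = Path(sll_dir)
    if not base.is_dir():
        return [f"{sll_dir}: folder does not exist"]

    tool = base / SNC_TOOL
    if not tool.is_file():
        problems.append(f"{SNC_TOOL}: command line tool is missing")
    libs = sorted(base.glob(LIB_GLOB))
    if not libs:
        problems.append("no shared libraries (lib*) found, was the SAR extracted here?")

    for path in [tool, *libs]:
        if not path.exists():
            continue
        st = path.stat()
        # Step 3: chmod +rx, the SAP admin user must read and execute these files
        if not (st.st_mode & stat.S_IRUSR and st.st_mode & stat.S_IXUSR):
            problems.append(f"{path.name}: not readable and executable by its owner")
        # A library loaded into the application server must not be replaceable by anyone
        if st.st_mode & stat.S_IWOTH:
            problems.append(f"{path.name}: writable by others")
        # Step 4: chown <sid>adm:sapsys
        if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
            problems.append(
                f"{path.name}: owned by {st.st_uid}:{st.st_gid}, "
                f"expected {expected_uid}:{expected_gid}"
            )
    return problems


def owner_of(path: str) -> Tuple[int, int]:
    """Numeric uid and gid of a file, as chown leaves them."""
    st = os.stat(path)
    return st.st_uid, st.st_gid


def make_sample_install(mode: int = 0o750) -> str:
    """Create a constructed sample SLL folder (snc tool plus one library); return its path."""
    sll = Path(tempfile.mkdtemp(prefix="SLL-"))
    for name in (SNC_TOOL, "libsecgss.so"):  # placeholder files, not SAP binaries
        f = sll / name
        f.write_bytes(b"placeholder")
        os.chmod(f, mode)
    return str(sll)


if __name__ == "__main__":
    folder = make_sample_install()
    print(folder, check_sll_dir(folder, *owner_of(folder + "/" + SNC_TOOL)) or "OK")
```

Run it against the real folder as the adm user with the uid and gid that chown should have set; every reported line maps to one of steps 3 and 4.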

2.4 Updating the Secure Login Library

You can download the Support Package software from the SAP Service Marketplace. Go to https://service.sap.com/swdc and choose Support Package and Patches > Browse our Download Catalog > SAP NetWeaver and complementary products > SAP NetWeaver Single Sign-On > SAP NetWeaver Single Sign-On 1.0.

Simply copy the new version to the relevant folder and replace the old library files.

2.5 Uninstallation

This section explains how to uninstall the Secure Login Library.

Remove Folder SLL

Remove the folder and the files in it:

Microsoft Windows: \\DVEBMGS\SLL\
UNIX/Linux: //DVEBMGS/SLL/

Deactivate SNC Library Configuration

This step is optional and required only if the Secure Login Library is configured in an SAP NetWeaver instance profile parameter. If you want to deactivate SNC, define the following instance profile parameter and restart the SAP NetWeaver ABAP Application Server:

snc/enable = 0

For more information about the instance profile parameters, see section 3 Secure Login Library Configuration.

3 Secure Login Library Configuration

You perform the SNC configuration for the SAP NetWeaver server system using the instance profile. Use the transaction RZ10 to maintain the SNC profile parameters.

The Secure Login Library can be configured to accept user authentications based on Kerberos tokens and X.509 certificates. Both authentication mechanisms can be used in parallel.

You can create or import X.509 certificates in the Trust Manager using the transaction STRUST. To configure the Secure Login Library for Kerberos, you can use a command line tool.

For the complete description of the SNC interface and parameters, see the SAP SNC manual (http://help.sap.com).

If you want to manage your PSEs in the Trust Manager, you must use SAPCRYPTOLIB. SAPCRYPTOLIB comes with the SAP NetWeaver AS ABAP. If you do not run an SAP NetWeaver AS ABAP, download SAPCRYPTOLIB from the SAP Service Marketplace. Go to https://service.sap.com/swdc, choose Search for Software Downloads, and look for the relevant download package.

3.1 SNC X.509 Configuration

This section describes the SNC X.509 certificate configuration.

    SNC Parameters

    Log on to the SAP NetWeaver Application Server using SAP GUI. Start the transaction RZ10 and define the following SNC parameters in the instance profile.

    Parameter                  Value

    snc/enable                 1  Activate SNC
                               0  Deactivate SNC

    snc/gssapi_lib             Define the SNC library.
                               Microsoft Windows:      \SLL\secgss.dll
                               HP-UX:                  /SLL/libsecgss.sl
                               Solaris / Linux / AIX:  /SLL/libsecgss.so

    snc/identity/as            Define the SNC name of the SAP server's security token.
                               X.509 certificate token: p:
                               Example: p:CN=ABC, OU=SAP Security
                               Hint: If X.509 certificate tokens and Kerberos tokens are used in parallel, define the X.509 certificate distinguished name. This value is case sensitive.

    snc/data_protection/max    3
    snc/data_protection/min    2
    snc/data_protection/use    3

    snc/r3int_rfc_secure       0
    snc/r3int_rfc_qop          8
    snc/accept_insecure_cpic   1

    snc/accept_insecure_gui    1  Accept insecure communication
                                  Use this value if both insecure and secure communication are to be allowed for SAP GUI.
                               0  Disallow insecure communication
                                  Use this value if only secure communication (no insecure communication) is to be allowed for SAP GUI.
                               U  User-defined (User Management SU01)
                                  Use this value if insecure or secure communication for the SAP GUI application is to be configured in the user management tool (SU01).
                               We recommend that you set this value to 1. If you want to enforce higher security, change this value to 0 (for all) or U (user dependent).

    snc/accept_insecure_rfc    1
    snc/permit_insecure_start  1
    snc/force_login_screen     0

    Import X.509 Certificate

    Start transaction STRUST and import the SAP server certificate. The SAP server certificate must be available in a PSE format.

    For a client/server communication, the certificates must be provided by a Public Key Infrastructure (PKI). If no PKI is available, the Secure Login Server (out-of-the-box PKI) can be used to provide certificates.

    From the PSE menu, choose Import.


    Figure: Transaction STRUST Import X.509 Certificate

    Load the PSE file by entering the password, navigate back to the PSE menu, choose Save as, and select SNC SAPCryptolib.

    Figure: Save PSE as SNC SAPCryptolib

    If the certificate distinguished name of the PSE file does not match the SNC name configuration set in the instance profile parameter (snc/identity/as), an error message appears. This verification check is performed only if SNC is activated.

    You can see the trusted certificates that have been imported with the transaction STRUST if you enter the following command:

    Microsoft Windows:

    //DVEBMGS/SLL/snc -O

    Linux:

    /adm/DVEBMGS/SLL/snc -O

    Example

    Microsoft Windows: /usr/sap/ABC/DVEBMGS00/SLL/snc -O SAPServiceABC

    UNIX/Linux: /usr/sap/ABCadm/DVEBMGS00/SLL/snc -O abcadm


    Restart SAP NetWeaver Application Server

    Verify the following checklist and restart the SAP NetWeaver Application Server.

    Secure Login Library is installed and, if required, the environment variable SECUDIR is defined in the shell. File access rights are defined for the Secure Login Library.

    SNC parameters are defined in the instance profile: correct path and file name of the SNC library, correct definition of the SNC name (case sensitive).

    The X.509 certificate for the SAP system has been imported using STRUST.
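The following audit script is an added example, not part of this guide and not an SAP tool: it reads the snc/* parameters from the table above out of an instance profile text and reports the settings the guide calls out (SNC off, wrong library, missing p: prefix, inconsistent protection levels, accept_insecure_* switches at 1). The sample profile is constructed for the example.

```python
"""Audit the snc/* parameters of an SAP instance profile.

Added example, not part of the SAP guide and not an SAP tool: it reads the
parameters from the table above out of a profile text and reports the
settings the guide calls out. The profile below is constructed for this
example; the file-name patterns come from the snc/gssapi_lib row.
"""
import re

# Constructed sample in instance-profile syntax ("parameter = value").
SAMPLE_PROFILE = r"""
# constructed example profile, not taken from a real system
SAPSYSTEMNAME = ABC
snc/enable = 1
snc/gssapi_lib = D:\usr\sap\ABC\DVEBMGS00\SLL\secgss.dll
snc/identity/as = p:CN=ABC, OU=SAP Security
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 8
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/force_login_screen = 0
"""

# Switches whose value 1 admits unprotected (non-SNC) communication. The guide
# recommends 1 and names 0 (for all) or, for the GUI switch, U (per user in
# SU01) as the stricter choices.
INSECURE_SWITCHES = (
    "snc/accept_insecure_gui",
    "snc/accept_insecure_rfc",
    "snc/accept_insecure_cpic",
    "snc/permit_insecure_start",
)
# Secure Login Library file names listed for snc/gssapi_lib.
SLL_LIBRARY = re.compile(r"(secgss\.dll|libsecgss\.s[ol])$")


def parse_profile(text):
    """Return {parameter: value} for every 'name = value' line; comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def audit_snc(params):
    """Return (severity, message) findings; an empty list means nothing to report."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append(("error", "snc/enable is not 1: SNC is deactivated"))
        return findings  # the remaining checks are moot while SNC is off
    if not SLL_LIBRARY.search(params.get("snc/gssapi_lib", "")):
        findings.append(("error", "snc/gssapi_lib does not name the Secure Login Library"))
    if not params.get("snc/identity/as", "").startswith("p:"):
        findings.append(("error", "snc/identity/as must be an SNC name with the p: prefix"))

    # Protection levels as logged by SncInit(): 1 authentication, 2 integrity,
    # 3 privacy. The three values are only consistent if min <= use <= max.
    levels = {}
    for key in ("min", "use", "max"):
        value = params.get(f"snc/data_protection/{key}", "")
        if value not in ("1", "2", "3"):
            findings.append(("error", f"snc/data_protection/{key} must be 1, 2 or 3"))
            levels = None
            break
        levels[key] = int(value)
    if levels:
        if not levels["min"] <= levels["use"] <= levels["max"]:
            findings.append(("error", "snc/data_protection: min <= use <= max is violated"))
        if levels["use"] < 3:
            findings.append(("warning", "snc/data_protection/use < 3: privacy (encryption) is not the default level"))

    for switch in INSECURE_SWITCHES:
        value = params.get(switch, "")
        if value == "1":
            findings.append(("warning", f"{switch} = 1: insecure communication is accepted"))
        elif value == "U" and switch == "snc/accept_insecure_gui":
            findings.append(("info", f"{switch} = U: decided per user in SU01"))
        elif value != "0":
            findings.append(("info", f"{switch} = {value!r}: value not covered by this guide"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_snc(parse_profile(SAMPLE_PROFILE)):
        print(f"{severity:8} {message}")
```

Run against the profile of a system after the parameters above are set; every warning corresponds to one of the accept_insecure_*/permit_insecure_start switches the guide leaves at 1 by default.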

    3.2 SNC Kerberos Configuration

    This section describes the SNC Kerberos configuration.

    SNC Parameters

    Log on to the SAP NetWeaver Server using SAP GUI. Start transaction RZ10 and define the following SNC parameters in the instance profile.

    Parameter                  Value

    snc/enable                 1  Activate SNC
                               0  Deactivate SNC

    snc/gssapi_lib             Define the SNC library.
                               Microsoft Windows:      \SLL\secgss.dll
                               HP-UX:                  /SLL/libsecgss.sl
                               Solaris / Linux / AIX:  /SLL/libsecgss.so

    snc/identity/as            Define the SNC name of the SAP server's security token.
                               Kerberos token: p:CN=
                               Example: p:CN=SAP/[email protected]
                               Hint: If X.509 certificate tokens and Kerberos tokens are used in parallel, define the X.509 certificate distinguished name. This value is case sensitive.

    snc/data_protection/max    3
    snc/data_protection/min    2
    snc/data_protection/use    3

    snc/r3int_rfc_secure       0
    snc/r3int_rfc_qop          8
    snc/accept_insecure_cpic   1

    snc/accept_insecure_gui    1  Accept insecure communication
                                  Use this value if insecure and secure communication should be allowed for SAP GUI.
                               0  Disallow insecure communication
                                  Use this value if only secure communication (no insecure communication) is to be allowed for SAP GUI.
                               U  User-defined (User Management SU01)
                                  Use this value if insecure or secure communication for SAP GUI is to be configured in the user management tool (SU01).
                               We recommend that you set this value to 1. If you want to enforce higher security, change this value to 0 (for all) or U (user-dependent).

    snc/accept_insecure_rfc    1
    snc/permit_insecure_start  1
    snc/force_login_screen     0

    Microsoft Windows Account for SAP Server

    In order to verify user Kerberos authentication, the Secure Login Library requires a Kerberos keytab, which you can create using the command line tool provided by the Secure Login Library.

    The Kerberos keytab contains Kerberos principals and encrypted keys that are derived from the Microsoft Windows user password. Therefore a Microsoft Windows account in Microsoft Active Directory is required.

    Create a Microsoft Windows Account

    Create a new Microsoft Windows account. We recommend the format Kerberos.


    Figure: Create a Microsoft Windows Account

    Define a password and choose the options User cannot change password and Password never expires.

    Figure: Create a Microsoft Windows Account

    Make sure the password is as complex as possible.

    Define Service Principal Name

    The Service Principal Name will be used to provide Kerberos service tokens to the requested users. This Service Principal Name is also required for the SNC name configuration.

    Start the Microsoft Windows tool ADSIEDIT, choose the Microsoft Windows user (in our example, KerberosABC), and define the field servicePrincipalName.


    Figure: Define Service Principal Name

    The required format is SAP/Kerberos.

    Figure: Define Service Principal Name

    Check for Multiple Service Principal Names

    If the Secure Login Client does not get a service ticket from the domain server, this may be because the Service Principal Name used has been assigned several times in the Active Directory system. Use the following command to check this:

    Example:

    setspn -T * -T foo -X

    Create Kerberos Keytab

    You create the Kerberos keytab using a command line tool provided by the Secure Login Library. This Kerberos keytab is stored in the Personal Security Environment (pse.zip).

    Perform the configuration steps with the user account that will start the SAP application (for example, adm). This does not apply to the Microsoft Windows operating system.

    Create PSE Environment

    Log on to the operating system where the Secure Login Library is installed. Open a command line window and change to the Secure Login Library folder.

    Microsoft Windows: \\DVEBMGS\SLL\

    UNIX/Linux: //DVEBMGS/SLL/

    Temporarily define the environment variable SECUDIR to perform the subsequent configuration steps.

    Microsoft Windows

    set SECUDIR=\\DVEBMGS\sec

    UNIX/Linux (depends on shell)

    setenv SECUDIR //DVEBMGS/sec

    export SECUDIR=//DVEBMGS/sec

    If no Personal Security Environment (PSE) is available, enter the following command to create a PSE:

    snc crtpse -x

    The PSE management password is used if the PSE environment (pse.zip) is copied to another host system. By default, a PSE can be used by the host system on which it was created (if the hostname matches) or by providing this management password.

    For more information, see section 4.2 Command Line Tool SNC.

    Use the command snc to verify the location in which the PSE (pse.zip) was created. The PSE is created in the path in which the environment variable SECUDIR is defined.


    Figure: Verify PSE Location

    The PSE directory must point to the //DVEBMGS/sec folder. The environment variable SECUDIR is defined automatically by the SAP server process.

    Define this environment variable manually (shell) if you need to access the PSE (for example, using the snc command line application).

    Generate Kerberos Keytab in PSE Environment

    To create a Kerberos keytab in the PSE, enter the following command. The Service Principal Name and the password of the Microsoft Windows account are required.

    snc crtkeytab -s SAP/Kerberos@ -p

    Example

    snc crtkeytab -s SAP/[email protected] -p **********

    The domain name needs to be defined in uppercase.

    Use the command snc to verify if the Kerberos keytab was generated.

    Figure: Verify Kerberos keytab


    Restart SAP NetWeaver Application Server

    Verify the following checklist and restart the SAP NetWeaver Application Server.

    Secure Login Library is installed and, if required, the environment variable SECUDIR is defined in the shell. File access rights are defined for the Secure Login Library.

    SNC parameters are defined in the instance profile: correct path and file name of the SNC library, correct definition of the SNC name (case sensitive).

    The PSE environment was created and the Kerberos keytab has been imported using the Secure Login Library command line tool.

    Verify SAP Server SNC Status

    After you have restarted the SAP NetWeaver Application Server, verify the SNC status in the log file dev_w0.

    The result should be SNC (Secure Network Communication) enabled.

    Example:

    \\DVEBMGS\work\dev_w0

    N SncInit(): Initializing Secure Network Communication (SNC)

    N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

    N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)

    N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)

    N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)

    N SncInit(): found snc/gssapi_lib=D:\usr\sap\ABC\DVEBMGS00\SLL\secgss.dll

    N File "D:\usr\sap\ABC\DVEBMGS00\SLL\secgss.dll" dynamically loaded as GSS-API v2 library.

    N The internal Adapter for the loaded GSS-API mechanism identifies as:

    N Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

    N SncInit(): found snc/identity/as=p:CN=ABC, OU=SAP Security

    N

    N Thu May 05 16:42:15 2011

    N SncInit(): Accepting Credentials available, lifetime=Indefinite

    N SncInit(): Initiating Credentials available, lifetime=Indefinite

    M ***LOG R1Q=> p:CN= ABC, OU=SAP Security [thxxsnc.c 265]

    M SNC (Secure Network Communication) enabled

    Another possibility is to use transaction ST11 and open dev_w0.

    If there are problems with the SNC configuration, the SAP server system will no longer start. A quick solution is to disable SNC.

    Open the instance profile configuration file and configure the parameter snc/enable = 0. Restart the SAP NetWeaver Application Server and verify the SNC installation and configuration.
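The check described above can be automated. The following script is an added example, not part of this guide and not an SAP tool: it scans dev_w0 lines for the SncInit() messages quoted above, records the effective protection levels, the loaded library, the identity and the credentials, and lists what is missing when the final "SNC enabled" line never appears. The sample trace reuses the quoted lines in a constructed, shortened form.

```python
"""Check the SNC start-up messages of an SAP work-process trace (dev_w0).

Added example, not part of the SAP guide and not an SAP tool: it scans
dev_w0 lines for the SncInit() messages quoted above and says whether SNC
came up and with which settings. The sample reuses those quoted lines in a
constructed, shortened form.
"""
import re

SAMPLE_DEV_W0 = r"""N SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=D:\usr\sap\ABC\DVEBMGS00\SLL\secgss.dll
N File "D:\usr\sap\ABC\DVEBMGS00\SLL\secgss.dll" dynamically loaded as GSS-API v2 library.
N SncInit(): found snc/identity/as=p:CN=ABC, OU=SAP Security
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=Indefinite
M ***LOG R1Q=> p:CN= ABC, OU=SAP Security [thxxsnc.c 265]
M SNC (Secure Network Communication) enabled
"""

# "found <parameter>=<value>" with an optional ", using <n> (<Level> Level)" tail.
FOUND = re.compile(r"SncInit\(\): found (snc/[\w/]+)=(.*?)(?:, using (\d) \((\w+) Level\))?$")
LOADED = re.compile(r'File "(.+)" dynamically loaded as GSS-API v2 library\.')
CREDS = re.compile(r"SncInit\(\): (Accepting|Initiating) Credentials available")
ENABLED = "SNC (Secure Network Communication) enabled"


def check_snc_init(trace):
    """Summarize the SncInit() messages; 'enabled' mirrors the final verdict line."""
    result = {"params": {}, "levels": {}, "library": None,
              "credentials": set(), "enabled": False}
    for raw in trace.splitlines():
        line = raw.strip()
        m = FOUND.search(line)
        if m:
            name, value, using, level = m.groups()
            result["params"][name] = value
            if using:  # data_protection/min|use|max carry the effective level
                result["levels"][name.rsplit("/", 1)[1]] = (int(using), level)
            continue
        m = LOADED.search(line)
        if m:
            result["library"] = m.group(1)
            continue
        m = CREDS.search(line)
        if m:
            result["credentials"].add(m.group(1))
            continue
        if line.endswith(ENABLED):
            result["enabled"] = True
    return result


def explain(result):
    """Return the reasons SNC is not usable; empty when the trace shows a clean start."""
    reasons = []
    if result["library"] is None:
        reasons.append("GSS-API library not loaded (check snc/gssapi_lib path and access rights)")
    if "snc/identity/as" not in result["params"]:
        reasons.append("snc/identity/as not found in the profile")
    for kind in ("Accepting", "Initiating"):
        if kind not in result["credentials"]:
            reasons.append(f"{kind} credentials missing (check the PSE imported with STRUST)")
    if not result["enabled"]:
        reasons.append("final 'SNC (Secure Network Communication) enabled' message missing")
    return reasons


if __name__ == "__main__":
    summary = check_snc_init(SAMPLE_DEV_W0)
    print("SNC enabled:", summary["enabled"], "levels:", summary["levels"])
    for reason in explain(summary):
        print("problem:", reason)
```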


    4 Configuration Options

    This section describes some useful configuration and troubleshooting issues.

    4.1 Enable Trace

    To enable trace, you need to create the files sec_log_file_filename.txt and sec_log_file_level.txt in the following folder:

    Microsoft Windows: %HOMEDRIVE%%HOMEPATH%\sec or C:\sec

    UNIX/Linux: $HOME/sec or /etc/sec

    Both files must exist (for example, with level = 0) when the application server is started if you want to be able to activate traces later (by changing the trace level).

    The file sec_log_file_filename.txt contains the name of the trace file.

    The name may contain %.PID.% which is replaced by the process ID.

    A typical SAP WebAS creates multiple work processes, so use this feature to avoid parallel access to the same file by all processes.

    Microsoft Windows Example

    sec_log_file_filename.txt

    C:\sec\log-%.PID.%.txt

    UNIX/Linux Example

    sec_log_file_filename.txt

    /etc/sec/log-%.PID.%.txt

    The file sec_log_file_level.txt contains the trace level as a single digit.

    Example

    sec_log_file_level.txt

    4

    Value Details

    0 No trace

    1 Errors

    2 Errors and warnings

    3 Errors, warnings, and logs

    4 Errors, warnings, logs, and information messages


    4.2 Command Line Tool SNC

    You can use the command line tool SNC to perform the following tasks:

    Display security token Information

    Create a Personal Security Environment (pse.zip).

    Import X.509 certificates

    Certificate management

    Create and import a Kerberos keytab

    If not defined, set the environment variable SECUDIR to //DVEBMGS/sec before using the snc command.

    To call the snc command, add the //DVEBMGS/SLL directory to the PATH variable or call snc together with the following path:

    Microsoft Windows

    \\DVEBMGS\SLL\snc.exe

    UNIX

    //DVEBMGS/SLL/snc

    Use the command snc -H to display the complete documentation of each parameter.

    Display Software Version Number

    Go to the installation directory and use the command snc or snc status to display the version number of the installed software. You get the following output:

    Example:

    Product : Secure Login Library 1.0.0

    : CryptoLib 8.3.4.0

    Version Number Support Package

    8.3.2 SP0/ATS

    8.3.3 SP1

    8.3.4 SP2

    Display Security Token Information

    Use the following command to display the security tokens (Kerberos keytab and X.509 certificates).

    snc status -v


    To display the status for a specific user use the following command:

    snc -O status -v

    Example:

    snc -O abcadm status -v

    snc -O SAPServiceABC status -v

    Create PSE Environment

    Use the following command to create a Personal Security Environment (PSE).

    snc crtpse -x

    The PSE (pse.zip) is created in the path defined by the environment variable SECUDIR.

    By default, the host system, where this PSE is created, and the owner of the PSE Management Password have access to PSE.

    It is not possible to copy this PSE (pse.zip) to another host system, without creating new credentials.

    Add new credentials for a new hostname:

    snc cred -x -s

    Add new credentials for a new user:

    snc cred -x -u

    Configure a server key file for the PSE:

    snc cred -x -f

    The server key file is a file on the server with random content which is used to grant access to the PSE. You can use any file type that is larger than 32 bytes.

    You must create or copy the file to the desired location on the server.

    Using a server key file limits the use of the PSE to the user who has file access rights to the server key file.

    Register PKCS#12 to PSE

    Use this command to register a key/certificate pair in PKCS#12 format in the Personal Security Environment

    snc register -f

    Example

    snc register -f C:\Certificate\cert.p12

    Use the command snc status -v to verify the import.

    Unregister Security Token from PSE

    Use this command to remove a security token which is registered in the Personal Security Environment.

    snc unregister -u toksw:

    Example

    snc unregister -u toksw:C:\Certificate\cert.p12

    Use the command snc status -v to display the value for toksw:

    Create Kerberos Keytab

    To create a Kerberos keytab in the PSE, enter the following command. The Service Principal Name and the password of the Microsoft Windows account are required.

    snc crtkeytab -s SAP/Kerberos@ -p

    Example

    snc crtkeytab -s SAP/[email protected] -p **********

    Import Trusted Certificate to PSE

    Use this command to import a certificate (for example, a trusted Root CA certificate) into the Personal Security Environment.

    snc trust -a

    Example

    snc trust -a C:\Certificate\RootCA.cer

    Remove Trusted Certificate from PSE

    Use this command to remove a certificate (for example, a trusted Root CA certificate) from the Personal Security Environment.

    snc trust -d

    Example

    snc trust -d CN=Certificate, OU=SAP Security

    Use the command snc status -v to display the certificate distinguished name.

    Use the command snc -H to display further configuration parameters.

    4.3 Define Symmetric Algorithm

    This section explains how to define the symmetric algorithm that is used to secure communication. By default, the Secure Login Library provides the following symmetric algorithms (priority in this order).

    AES256

    AES192 (old protocol 1993 only)

    AES128

    3DES (old protocol 1993 only)

    RC4 (new protocol 2010 only)

    Secure Login Library has implemented two protocols named protocol_1993 (old) and protocol_2010 (new). The old protocol is compatible with SAP Crypto Library (SAPCryptoLib). The new protocol supports X.509 certificates and Kerberos tokens in parallel.

    If SAP GUI establishes a secure communication to the SAP NetWeaver Application Server, the symmetric algorithm is agreed between both partners. It is possible to force the use of, for example, the AES256 symmetric algorithm.

    You can define this in the Secure Login Library configuration file gss.xml.

    Parameter Details

    XXX Use this parameter to define the symmetric algorithm for the old protocol, which is defined in section . This protocol is compatible with SAP Crypto Library (SAPCryptoLib).

    By default, the strongest symmetric algorithm that is available on both sides is agreed.

    It is possible in the Secure Login Library to accept only aes256, for example.

    You can define the following algorithms:

    aes256

    aes192

    aes128


    gss.xml

    xxx

    xxx

    des3

    Default is . The symmetric algorithm is arranged during the authentication process.

    XXX Use this parameter to define the symmetric algorithm for the new protocol, which is defined in section . This protocol supports the Kerberos solution.

    By default, the strongest symmetric algorithm that is available on both sides is agreed.

    It is possible in the Secure Login Library to accept only AES256, for example.

    You can define the following algorithms:

    AES256

    AES128

    RC4

    Default is . The symmetric algorithm is arranged during the authentication process.


    4.4 Uppercase Distinguished Name Feature

    To support case insensitivity for user certificate names used by SNC, the GSS Distinguished Names presented to SAP SNC may be converted to UPPERCASE.

    This can be defined in the Secure Login Library configuration file gss.xml.

    gss.xml

    xxx

    Parameter Details

    XXX

    Define the configuration in parameter .

    true The distinguished name is provided in uppercase.

    false

    The distinguished name is provided in mixed case.

    Default is false.


    4.5 Alternative Name DN Feature

    It is possible to use the Subject Alternative Name from the user certificate that is presented to the SAP SNC interface.

    You can define this in the Secure Login Library configuration file gss.xml.

    gss.xml

    xxx

    Parameter Details

    XXX

    Define the configuration in parameter .

    AltNameEMAIL   RFC 822 name
    AltNameDNS     DNS name
    AltNameDNAME   Directory name
    AltNameURI     URI
    AltNameIP      IP address
    AltNameUPN     otherName with object identifier
    Subject        Distinguished Name

    Default is . In this case, the Subject (Distinguished Name) is used.


    4.6 Shorten Long Distinguished Names

    It is possible to shorten parts of the distinguished name (SNC name) from the user certificates that are presented to the SAP SNC interface. The character limit for SAP server systems is 255 characters (in older systems, 80 characters).

    For example, you can remove entire parts such as a company name which are identical for all users. You can define this in the Secure Login Library configuration file gss.xml.

    gss.xml

    VeryLongNameComponent

    ShorterNameComponent

    AnotherVeryLongNameComponent

    AnotherShorterNameComponent

    Parameter Details

    XXX In the section, use the parameter to define the part of the distinguished name to be shortened.

    Example:

    OU=Very Long Organization Unit Name

    XXX In the section, the parameter is used to define the part of the distinguished name to be replaced.

    Example:

    OU=Short Name


    4.7 User Mapping

    This section details how to define the user mapping in SAP user management. For user authentication using security tokens (X.509 certificate or Kerberos token), this mapping is required to define which security token belongs to which SAP user.

    For smooth and straightforward integration, we recommend that you use the SAP NetWeaver Identity Management solution to manage user mapping.

    Manual Configuration

    Start the user management tool by calling transaction SU01. Choose the SNC tab.

    If you are using Kerberos authentication, enter the Kerberos user name in the SNC name field.

    If you are using X.509 certificate based authentication, enter the X.509 Certificate Distinguished Name in the SNC name field.

    Note that the definition of the SNC name is case sensitive.

    Kerberos Example

    In this example, the SNC name p:[email protected] belongs to the user SAPUSER.


    X.509 Certificate Example

    In this example, the SNC name p:CN=SAPUSER, OU=SAP Security belongs to the user SAPUSER.

    For more information about how to perform user mapping, see the Secure Login Library Installation, Configuration, and Administration Guide.

    Set External Security Name for All Users

    You can use transaction SNC1 (report RSUSR300) to configure the SNC name in batch mode.

    Note that the definition of the string is case sensitive.

    With this tool you can choose all SAP Users *, a list of SAP users or SAP user groups.

    You can use the option Users without SNC names only to overwrite SNC names.

    This batch tool takes an SAP user and uses the components to build the SNC name.

    Kerberos Example

    In this example, SNC names are generated with the following string for all users without an SNC name:

    p:[email protected]


    X.509 Certificate Example

    In this example, SNC names are generated with the following string for all users without an SNC name:

    p:CN=user_name, OU= SAP Security
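Sections 4.4, 4.6 and 4.7 all affect the same string: the SNC name derived from a certificate must match the SNC name stored in SU01 exactly, including case. The following script is an added example, not part of this guide and not the library's code; it applies a shortening rule and the uppercase option to a certificate subject, checks the length limit, generates batch names from an SNC1-style template and performs the case-sensitive lookup. It assumes rules are written as a plain dict (not the gss.xml syntax), that subjects contain no escaped commas, and that user_name is the placeholder replaced by the user ID; all subjects and users are constructed.

```python
"""Derive, shorten and match SNC names as sections 4.4, 4.6 and 4.7 describe.

Added example, not part of the SAP guide and not the library's code: it
applies a component-shortening rule (4.6) and the uppercase option (4.4) to
a certificate subject, checks the SNC name length limit, generates batch
names from an SNC1-style template (4.7) and performs the case-sensitive
lookup that fails with "No user exists with SNC name" (6.3) on a mismatch.
Assumptions: rules are a plain dict rather than gss.xml syntax, subjects
contain no escaped commas, and 'user_name' is the template placeholder.
"""

SNC_NAME_LIMIT = 255        # characters on current SAP server systems
SNC_NAME_LIMIT_OLD = 80     # limit on older systems

# Constructed shortening rule in the spirit of 4.6: long component -> short one.
SHORTEN_RULES = {"OU=Very Long Organization Unit Name": "OU=Short Name"}

# Constructed SU01 mapping: SNC name -> SAP user (compare 4.7).
USER_MAPPING = {"p:CN=SAPUSER, OU=Short Name": "SAPUSER"}


def dn_components(subject):
    """Split 'CN=x, OU=y' into ['CN=x', 'OU=y'] (no escaped commas assumed)."""
    return [part.strip() for part in subject.split(",") if part.strip()]


def snc_name_from_subject(subject, rules=None, uppercase=False):
    """Return the p:-prefixed SNC name the SAP server sees for a certificate subject."""
    parts = [rules.get(part, part) if rules else part for part in dn_components(subject)]
    dn = ", ".join(parts)
    if uppercase:            # 4.4: the distinguished name is presented in uppercase
        dn = dn.upper()
    return "p:" + dn


def fits_limit(snc_name, limit=SNC_NAME_LIMIT):
    """True if the SNC name is within the server's character limit."""
    return len(snc_name) <= limit


def batch_snc_names(users, template):
    """SNC1/RSUSR300-style generation: the placeholder is replaced by each user ID."""
    return {user: template.replace("user_name", user) for user in users}


def map_user(snc_name, mapping):
    """Case-sensitive lookup as SU01 requires; None means 'No user exists with SNC name'."""
    return mapping.get(snc_name)


if __name__ == "__main__":
    subject = "CN=SAPUSER, OU=Very Long Organization Unit Name"
    for upper in (False, True):
        name = snc_name_from_subject(subject, SHORTEN_RULES, uppercase=upper)
        print(name, "->", map_user(name, USER_MAPPING), "fits:", fits_limit(name))
    print(batch_snc_names(["SAPUSER", "JDOE"], "p:CN=user_name, OU=SAP Security"))
```

Switching the uppercase feature on without also storing the SU01 names in uppercase turns every mapping lookup into the 6.3 error, which is what the second loop iteration shows.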


    5 Using Certificate Revocation Lists

    The Secure Login Library supports certificate revocation lists (CRLs). This enables you to make sure that revoked certificates are not accepted. The CRL issued by the Certificate Authority (CA) contains the certificates that have been declared invalid. CAs issue updated CRLs at regular intervals, and each CRL expires; an expired CRL in the local cache must be replaced by a new CRL that has not yet expired.

    CAs place certificate revocation lists at CRL distribution points. The Secure Login Library provides a tool that enables you to regularly download new CRLs from CRL distribution points (LDAP or HTTP) to the local cache. Storing CRLs in the local cache ensures fast access to the CRLs. You can schedule the download using a cron job. Storing CRLs in the cache improves system performance; otherwise performance suffers when the Secure Login Library has to download CRLs from an external CRL distribution point.

    To use the CRL functions, make the appropriate settings in the configuration files. For more information, see 5.2 Configuring the CRL Tool.

    The local cache for the CRLs is \SECUDIR\dbcrl.

    Limitations

    The Secure Login Library covers only basic functions on the server side, such as checking client certificates against CRLs, getting CRLs from a distribution point, and storing them in a local cache. The Secure Login Library has the following limitations:

    Customers cannot use the extension IssuingDistributionPoint in CRLs with the Secure Login Library.

    No use of delta CRLs

    At present the Secure Login Library assumes that, in a given environment, all CAs provide CRLs. This means that multiple PKIs using different revocation checking policies and one PKI with CAs using different revocation checking policies are not supported.

    Usually UNIX does not come with an LDAP client. To use the CRL tool to get CRLs from LDAP, you must provide an OpenLDAP client (liboldap.*).

    The Secure Login Client does not check CRLs.

    5.1 Downloading CRLs with the CRL Tool

    The main function of the CRL tool is to enable you to download CRLs from the CRL distribution point and to make them available in the local cache \SECUDIR\dbcrls. When the application server checks certificates, it uses the downloaded CRL. Run the CRL tool at regular intervals to ensure that the most recent CRL is located in the local cache. We recommend using a cron job to schedule the regular download.

    Make sure the server process has read authorization for the CRL files in the cache directory. We recommend using the same user or, in a UNIX environment, granting read authorization with the umask command.


    CRL Tool Commands

    Command Description

    crl get Downloads a CRL from a given CRL distribution point using a given URL (Web server or LDAP server). For an Active Directory server, the user must be a domain user, and ADS has to be configured in ldap.xml.

    crl status Shows the current status of the configuration and of the module

    crl list Shows the CRLs currently located in the local cache

    crl remove Removes the CRL from the local cache

    crl show Shows the content of a CRL file

    crl store Stores a CRL in the local cache. If the certificates contain a CRL distribution point, specify its location with -u so that the CRL can be found during certificate verification.

    Examples of Getting a CRL from a CRL Distribution Point

    In the following examples you see the commands for getting a CRL from a CRL distribution point.

    Use the following command to get a CRL and store it in a file:

    crl get -u -f

    Example

    crl get -u ldap:///sap.example.com -f file.crl

    Use the following command to get a CRL and store it in a cache without a distribution point:

    crl get -u store

    Example

    crl get -u ldap:///sap.example.com store

    Use the following command to get a CRL and store it in a cache using the same distribution point (the URL in the store command must be the path of the CRL distribution list).

    crl get -u store -u

    Example

    crl get -u ldap:///sap.example.com store -u ldap:///sap.example.com

    Use the following command to get a CRL and store it in a cache using a different distribution point (the URL in the store command must point to the CRL distribution point specified in the certificate).

    crl get -u store -u


    Example

    crl get -u http://server/ store -u ldap:///sap.example.com

    5.2 Configuring the CRL Tool

    The following configuration files are available in the \SLL folder:

    pkix.xml

    base.xml

    ldap.xml

    pkix.xml

    In the configuration file pkix.xml, you can configure whether a CRL check is used at all. CRL checking is active if the parameter revCheck is set to the value CRL. The default setting of this parameter is no (no use of CRLs).

    After you have entered changes in the configuration files, restart your ABAP server so that the newly-set parameters take effect.

    Example

    TRUE

    CRL

    noCheck

    base.xml

    You can configure the cache and the verification of the CRL download in the file base.xml. If you use CRLs that are located in the cache, performance will improve considerably.

    By default, the parameter verificationonlineaccess is set to false to disable the function that verifies the CRLs online.

    If you want to activate the CRL cache, set the parameter usepkicache to true (default setting is false).

    If you want to define a different location for the cache directory, you may optionally use the parameter pkicachedir and enter the location there (for multiple servers accessing the cache, you could use an NFS cache).

    Example


    false

    true

    ldap.xml

    You only need to modify this file if an LDAP URL that does not contain the server name is used as a CRL distribution point (in the default setting, the relevant section is commented out). In this case, you define the name of the LDAP server in the configuration file ldap.xml.

    If you are in a Microsoft Windows domain and Active Directory is used as LDAP server, you must enter the value ADS in the parameter name.

    Example

    ADS


    6 Troubleshooting

    This section provides further information about how to perform troubleshooting for the Secure Login Library.

    6.1 SNC Library Not Found

    The SNC library and configuration are verified when the SAP ABAP server starts.

    Problem

    SNC library cannot be found.

    Checklist Possible Issues

    Verify SAP trace file dev_w0.

    Verify if Secure Login Library is installed correctly. Verify the installation described in section 2 Secure Login Library Installation.

    Verify the SNC configuration. Log on to SAP ABAP server using SAP GUI and start transaction RZ10. Choose the instance profile and verify the value of the parameter snc/gssapi_lib. For more information, see section 3 Secure Login Library Configuration.

    Verify SNC library file access rights for the user starting the SAP server.

    Verify the SNC library status with the command snc status -v or snc -O status -v.

    Enable Secure Login Library trace and analyze the problem. For more information, see section 4.1 Enable Trace.

    6.2 Credentials Not Found

    The SNC library and configuration are verified when the SAP ABAP server starts.

    Problem

    Could not get credentials.

    Checklist Possible Issues

    Verify SAP trace file dev_w0.

    Verify if Secure Login Library is installed correctly. Verify the installation described in section 2 Secure Login Library Installation.

    Verify the SNC configuration. Log on to SAP ABAP server using SAP GUI and start transaction RZ10. Choose the instance profile and verify the SNC configuration. For more information, see section 3 Secure Login Library Configuration.


    Verify SNC library file access rights for the user starting the SAP server.

    Verify if the SNC certificate was provided to the Secure Login Library PSE environment. Start a command line shell and change to the Secure Login Library folder //DVEBMGS/SLL. Set the environment variable SECUDIR=//DVEBMGS/sec and use the command:

    snc -O status -v

    Microsoft Windows example: snc -O SAPServiceABC status -v

    Linux example: snc -O abcadm status -v

    Enable the Secure Login Library trace and analyze the problem. For more information, see section 4.1 Enable Trace.
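The checklists in 6.1 and 6.2 can be partly automated. The following is an added example, not part of this guide or of Secure Login Library: it parses an instance profile, checks the snc/gssapi_lib path and its read permission for the current OS user, and checks that SECUDIR names an existing directory. The profile fragment and library file name are constructed; snc/enable and snc/identity/as are standard SAP profile parameters not quoted in this section.

```python
import os
import tempfile

def parse_profile(text):
    """Parse SAP instance profile text (key = value, '#' comments) into a dict."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")   # values may contain '=' (DNs)
            params[key.strip()] = value.strip()
    return params

def check_snc(params, secudir):
    """Return findings that explain 'SNC library not found' / 'could not get credentials'."""
    findings = []
    # snc/enable and snc/identity/as are standard SAP parameters (assumption: not
    # quoted in this section); snc/gssapi_lib is the parameter named in 6.1.
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is switched off in this profile")
    lib = params.get("snc/gssapi_lib")
    if not lib:
        findings.append("snc/gssapi_lib is not set")
    elif not os.path.isfile(lib):
        findings.append("snc/gssapi_lib points to a missing file: " + lib)
    elif not os.access(lib, os.R_OK):
        findings.append("snc/gssapi_lib is not readable by this OS user: " + lib)
    if not params.get("snc/identity/as"):
        findings.append("snc/identity/as (server SNC name) is not set")
    if not secudir or not os.path.isdir(secudir):
        findings.append("SECUDIR does not point to an existing directory")
    return findings

def demo():
    """Constructed profiles: one consistent, one with a missing library and SECUDIR."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "libsnc_placeholder.so")   # constructed file name
        open(lib, "w").close()
        good = parse_profile(f"""
# constructed instance profile fragment
snc/enable = 1
snc/gssapi_lib = {lib}
snc/identity/as = p:CN=ABC, O=Example, C=DE
""")
        bad = dict(good, **{"snc/gssapi_lib": os.path.join(tmp, "missing.so")})
        return check_snc(good, tmp), check_snc(bad, os.path.join(tmp, "nosec"))
```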

    6.3 No User Exists with SNC Name

    Problem

    If the error message No user exists with SNC name occurs and your login fails, a server with a default Secure Login Library configuration cannot find the SNC name in the database. For further information, see the SAP Note 1635019.


    7 List of Abbreviations

    Abbreviation Meaning

    ADS Active Directory Service

    CA Certification Authority

    CAPI Microsoft Crypto API

    CRL Certification Revocation List

    CSP Cryptographic Service Provider

    DN Distinguished Name

    EAR Enterprise Application Archive

    HTTP Hyper Text Transport Protocol

    HTTPS Hyper Text Transport Protocol with Secure Socket Layer (SSL)

    IAS Internet Authentication Service (Microsoft Windows Server 2003)

    JAAS Java Authentication and Authorization Service

    JSPM Java Support Package Manager

    LDAP Lightweight Directory Access Protocol

    NPA Network Policy and Access Services (Microsoft Windows Server 2008)

    PIN Personal Identification Number

    PKCS Public Key Cryptography Standards

    PKCS#10 Certification Request Standard

    PKCS#11 Cryptographic Token Interface Standard

    PKCS#12 Personal Information Exchange Syntax Standard

    PKI Public Key Infrastructure

    PSE Personal Security Environment

    RADIUS Remote Authentication Dial-In User Service

    RFC Remote function call (SAP NetWeaver term)

    RSA Rivest, Shamir and Adleman

    SAR SAP Archive

    SCA Software Component Archive

    SLAC Secure Login Administration Console

    SLC Secure Login Client

    SLL Secure Login Library

    SLS Secure Login Server

    SLWC Secure Login Web Client

    SNC Secure Network Communication (SAP term)


    SSL Secure Socket Layer

    UPN User Principal Name

    WAR Web Archive

    WAS Web Application Server


    8 Glossary

    Authentication

    A process that checks whether a person is really who they claim to be. In a multi-user or network system, authentication means the validation of a user's logon information. A user's name and password are compared against an authorized list.

    Base64 encoding

    Base64 encoding is a three-byte to four-characters encoding based on an alphabet of 64 characters. This encoding has been introduced in PEM (RFC1421) and MIME. Other uses include HTTP Basic Authentication headers and general binary-to-text encoding applications.

    Note: Base64 encoding expands binary data by only 33%, which is quite efficient.

    CAPI

    See Cryptographic Application Programming Interface

    Certificate

    A digital identity card. A certificate typically includes:

    The public key being signed.

    A name, which can refer to a person, a computer or an organization.

    A validity period.

    The location (URL) of a revocation center.

    The digital signature of the certificate produced by the CA's private key.

    The most common certificate standard is the ITU-T X.509.

    Certification Authority (CA)

    An entity which issues and verifies digital certificates for use by other parties.

    Certificate Revocation List (CRL)

    A group of certificates that have been declared to be invalid. The certificate revocation list is maintained and publicly released by the issuing Certification Authority (CA) and typically contains the following information:

    The certificate's serial number

    The issuing CA's Distinguished Name

    The date of revocation.

    Certificate Store

    Sets of security certificates belonging to user tokens or certification authorities.

    CREDDIR

    A directory on the server in which information is placed that goes beyond the PSE (personal security environment).

    Credentials

    Used to establish the identity of a party in communication. Usually they take the form of machine-readable cryptographic keys and/or passwords. Cryptographic credentials may be self-issued, or issued by a trusted third party; in many cases the only criterion for issuance is unambiguous association of the credential with a specific, real individual or other entity. Cryptographic credentials are often designed to expire after a certain period, although this is not mandatory.

    Credentials have a defined time to live (TTL) that is configured by a policy and managed by a client service process.

    CRL Distribution Point

    Publicly available location where a Certification Authority (CA) hosts its certificate revocation list (CRL).

    Cryptographic Application Programming Interface (CAPI)

    The Cryptographic Application Programming Interface (also known variously as CryptoAPI, Microsoft Cryptography API, or simply CAPI) is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Microsoft Windows-based applications using cryptography. It is a set of dynamically-linked libraries that provides an abstraction layer that isolates programmers from the code used to encrypt the data.

    Cryptographic Token Interface Standard

    A standardized crypto-interface for devices that contain cryptographic information or that perform cryptographic functions.

    Directory Service

    Provides information in a structured format. Within a PKI: Contains information about the public key of the user of the security infrastructure, similar to a telephone book (for example, an X.500 or LDAP directory).

    Distinguished Name (DN)

    A name pattern that is used to create a globally unique identifier for a person. This name ensures that identical certificates are never created for different people with the same name. The uniqueness of the certificate is additionally ensured by the name of the issuer of the certificate (that is, the certification authority) and the serial number. All PKI users require a unique name. Distinguished Names are defined in the ISO/ITU X.500 standard.

    Key Usage

    Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For example, if you have a key used only for signing, enable the digital signature and/or non-repudiation extensions. Alternatively, if a key is used only for key management, enable key enciphering.

    Key Usage (extended)


    Extended key usage further refines key usage extensions. The extended key usage extension is either critical or non-critical. If the extension is critical, the certificate must be used only for the indicated purpose or purposes. If the certificate is used for another purpose, it is in violation of the CA's policy.

    If the extension is non-critical, it indicates the intended purpose or purposes of the key and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. The extension is then only an informational field and does not imply that the CA restricts use of the key to the purpose indicated. Nevertheless, applications that use certificates may require that a particular purpose be indicated in order for the certificate to be acceptable.

    Lightweight Directory Access Protocol (LDAP)

    A network protocol designed to extract information such as names and e-mail addresses from a hierarchical directory such as X.500.

    PKCS#11

    PKCS refers to a group of Public Key Cryptography Standards devised and published by RSA Security. PKCS#11 is an API defining a generic interface to cryptographic tokens.

    PEM

    See Privacy Enhanced Mail.

    Personal Identification Number (PIN)

    A unique code number assigned to the authorized user.

    Personal Information Exchange Syntax Standard

    Specifies a portable format for saving or transporting a user's private keys, certificates, and other secret information.

    Personal Security Environment

    The PSE is a personal security area that every user requires to work with. A PSE contains security-related information. This includes the certificate and its secret private key. The PSE can be either an encrypted file or a smart card and is protected with a password.

    PIN

    See Personal Identification Number.

    Privacy-Enhanced Mail (PEM)

    The first known use of Base 64 encoding for electronic data transfer was the Privacy-enhanced Electronic Mail (PEM) protocol, proposed by RFC 989 in 1987. PEM defines a "printable encoding" scheme that uses Base 64 encoding to transform an arbitrary sequence of octets to a format that can be expressed in short lines of 7-bit characters, as required by transfer protocols such as SMTP.

    The current version of PEM (specified in RFC 1421) uses a 64-character alphabet consisting of upper- and lower-case Roman alphabet characters (A-Z, a-z), the numerals (0-9), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code.

    The original specification additionally used the "*" symbol to delimit encoded but unencrypted data within the output stream.
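To make the Base64 and PEM entries concrete, here is an added example (not from this guide) that implements the three-byte to four-character mapping with the RFC 1421 alphabet and the "=" suffix, cross-checks it against Python's standard library, and computes the 33% expansion the Base64 entry mentions. Input bytes used in the checks are constructed.

```python
import base64

# The 64-character alphabet named in the PEM entry: A-Z, a-z, 0-9, "+" and "/".
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")

def b64encode(data):
    """Encode three input bytes into four alphabet characters; '=' pads a short tail."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Pack the chunk into 24 bits, zero-filling a final chunk of 1 or 2 bytes.
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        quad = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # 1 byte -> 2 real characters, 2 bytes -> 3, 3 bytes -> 4; the rest is '='.
        real = len(chunk) + 1
        out.append("".join(quad[:real]) + "=" * (4 - real))
    return "".join(out)

def b64decode(text):
    """Reverse the mapping; the '=' suffix says how many bytes the last group lacks."""
    if len(text) % 4:
        raise ValueError("encoded length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        if pad > 2 or "=" in quad[:4 - pad]:
            raise ValueError("'=' may only appear as a suffix of the last group")
        bits = 0
        for ch in quad[:4 - pad]:
            bits = (bits << 6) | ALPHABET.index(ch)   # raises for non-alphabet input
        bits <<= 6 * pad
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)

def expansion_ratio(data):
    """Encoded length over raw length: 4/3, i.e. the 33% growth noted in the glossary."""
    return len(b64encode(data)) / len(data)

def matches_stdlib(data):
    """Cross-check encode and round trip against the standard library on the same input."""
    return (b64encode(data) == base64.b64encode(data).decode("ascii")
            and b64decode(b64encode(data)) == data)
```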

    Public FSD

    Public file system device. An external storage device that uses the same file system as the operating system.

    Public Key Cryptography Standards

    A collection of standards published by RSA Security Inc. for the secure exchange of information over the Internet.

    Public Key Infrastructure

    Comprises the hardware, software, people, guidelines, and methods that are involved in creating, administering, saving, distributing, and revoking certificates based on asymmetric cryptography. Is often structured hierarchically.

    In X.509 PKI systems, the hierarchy of certificates is always a top-down tree, with a root certificate at the top, representing a CA that does not need to be authenticated by a trusted third party.

    Root certification authority

    The highest certification authority in a PKI. All users of the PKI must trust it. Its certificate is signed with a private key. There can be any number of CAs between a user certificate and the root certification authority. To check foreign certificates, a user requires the certificate path as well as the root certificate.

    Root certificate

    The certificate of the root CA.

    RSA

    An asymmetric cryptographic procedure, developed by Rivest, Shamir, and Adleman in 1977. It is the most widely used algorithm for encryption and authentication and is used in many common browsers and mail tools. Security depends on the length of the key: key lengths of 1024 bits or higher are regarded as secure.

    Secure Network Communications

    A module in the SAP NetWeaver system that deals with the communication with external, cryptographic libraries. The library is addressed using GSS API functions and provides SAP NetWeaver components with access to security functions.

    Secure Sockets Layer

    A protocol developed by Netscape Communications for setting up secure connections over insecure channels. Ensures the authorization of communication partners and the confidentiality, integrity, and authenticity of transferred data.


    Single Sign-On

    A system that administers authentication information, allowing a user to log on to systems and open programs without the need to enter authentication every time (automatic authentication).

    Token

    A security token (or sometimes a hardware token, authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens.

    Smart-card-based USB tokens (which contain a smart card chip inside) provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device (smart card reader). From the computer operating system's point of view, a token is a USB-connected smart card reader with one non-removable smart card present.

    Tokens provide access to a private key that allows the user to perform cryptographic operations. The private key can be persistent (like a PSE file, smart card, or CAPI container) or non-persistent (like temporary keys provided by Secure Login).

    Windows Credentials

    A unique set of information authorizing the user to access the Microsoft Windows operating system on a computer. The credentials usually comprise a user name, a password, and a domain name (optional).

    X.500

    A standardized format for a tree-structured directory service.

    X.509

    A standardized format for certificates and certificate revocation lists.