
Installation, Configuration, and Administration Guide SAP NetWeaver Single Sign-On SP2 Secure Login Client

PUBLIC Document Version: 1.2 December 2011

SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com

Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer

Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.

Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Terms for Included Open Source Software

This SAP software also contains the third party open source software products listed below. Please note that for these third party products the following special terms and conditions shall apply.

Windows Template Library (WTL)
http://wtl.sourceforge.net

Microsoft Public License (MS-PL)

This license governs use of the accompanying software. If you use the software, you accept this license. If you do not accept the license, do not use the software.

1. Definitions
The terms "reproduce," "reproduction," "derivative works," and "distribution" have the same meaning here as under U.S. copyright law. A "contribution" is the original software or any additions or changes to the software. A "contributor" is any person that distributes its contribution under this license. "Licensed patents" are a contributor's patent claims that read directly on its contribution.

2. Grant of Rights
(A) Copyright Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free copyright license to reproduce its contribution, prepare derivative works of its contribution, and distribute its contribution or any derivative works that you create.
(B) Patent Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free license under its licensed patents to make, have made, use, sell, offer for sale, import, and/or otherwise dispose of its contribution in the software or derivative works of the contribution in the software.

3. Conditions and Limitations
(A) No Trademark License- This license does not grant you rights to use any contributors' name, logo, or trademarks.
(B) If you bring a patent claim against any contributor over patents that you claim are infringed by the software, your patent license from such contributor to the software ends automatically.
(C) If you distribute any portion of the software, you must retain all copyright, patent, trademark, and attribution notices that are present in the software.
(D) If you distribute any portion of the software in source code form, you may do so only under this license by including a complete copy of this license with your distribution. If you distribute any portion of the software in compiled or object code form, you may only do so under a license that complies with this license.
(E) The software is licensed "as-is." You bear the risk of using it. The contributors give no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this license cannot change. To the extent permitted under your local laws, the contributors exclude the implied warranties of merchantability, fitness for a particular purpose and non-infringement.

zlib
http://www.zlib.net

zlib.h -- interface of the 'zlib' general purpose compression library version 1.2.5, April 19th, 2010

Copyright (C) 1995-2010 Jean-loup Gailly and Mark Adler

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

Jean-Loup Gailly
Mark Adler

Typographic Conventions

Type Style        Description
Example text      Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options.
                  Cross-references to other documentation.
Example text      Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT      Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text      Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text      Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>    Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT      Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon      Meaning
(icon)    Caution
(icon)    Example
(icon)    Note
(icon)    Recommendation
(icon)    Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help > General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Installation Guide: Secure Login Client

Contents

1 What is Secure Login? ... 7
1.1 System Overview ... 8
1.2 Main System Components ... 9
1.3 Authentication Methods ... 9
1.4 Workflow with X.509 Certificate ... 10
1.5 Workflow with Kerberos Token ... 11
1.6 Workflow with X.509 Certificate Request ... 12

2 Secure Login Client Installation ... 13
2.1 Prerequisites ... 13
2.2 Installation ... 15
2.3 Unattended Installation ... 17
2.4 Custom Installation ... 20
2.5 Updating the Secure Login Client to SP2 ... 22
2.6 Uninstallation ... 23

3 Secure Login Client Console ... 26
3.1 Secure Login Server Integration ... 28
3.2 Use Profile for SAP Applications ... 29

4 Configuration Options ... 34
4.1 Enable SNC in SAP GUI ... 34
4.2 User Mapping ... 36
4.3 Registry Configuration Options ... 39
4.4 Smart Card Integration ... 43
4.5 Digital Signature (SSF) ... 43

5 Secure Login Client for Citrix XenApp ... 47
5.1 Secure Login Client with a Published Desktop ... 47
5.2 Secure Login Client with a Published SAP Logon ... 47
5.3 Other Features ... 48

6 Troubleshooting ... 49
6.1 Error in SNC ... 49
6.2 User Name Not Found ... 50
6.3 Invalid Security Token ... 50
6.4 Wrong SNC Library Configured ... 51

7 List of Abbreviations ... 53

8 Glossary ... 55

06/2011


1 What is Secure Login?


Secure Login is an innovative software solution specifically created for improving user and IT productivity and for protecting business-critical data in SAP business solutions by means of secure single sign-on to the SAP environment. Secure Login provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components. Examples:

- SAP GUI and SAP NetWeaver platform with Secure Network Communications (SNC)
- Web GUI and SAP NetWeaver platform with Secure Socket Layer SSL (HTTPS)
- Third party application server supporting X.509 certificates

In a default SAP setup, users enter their SAP user name and password on the SAP GUI logon screen. SAP user names and passwords are transferred through the network without encryption. To secure networks, SAP provides a Secure Network Communications interface (SNC) that enables users to log on to SAP systems without entering a user name or password. The SNC interface can also direct calls through the Secure Login Library to encrypt all communication between SAP GUI and the SAP server, thus providing secure single sign-on to SAP. Secure Login allows you to benefit from the advantages of SNC without being obliged to set up a public-key infrastructure (PKI).

Secure Login allows users to authenticate with one of the following authentication mechanisms:

- Windows Domain (Active Directory Server)
- RADIUS server
- LDAP server
- SAP NetWeaver server
- Smart card authentication

If a PKI has already been set up, the digital user certificates of the PKI can also be used by Secure Login. Secure Login also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) with SSL.


1.1 System Overview


Secure Login is a client/server software system integrated with SAP software to facilitate single sign-on, alternative user authentication, and enhanced security for distributed SAP environments. The Secure Login solution includes several components:

Secure Login Server
Central service that provides X.509v3 certificates (out-of-the-box PKI) to users and application servers. The Secure Login Web Client is an additional function.

Secure Login Library
Cryptographic library for an SAP NetWeaver ABAP system. The Secure Login Library supports both X.509 and Kerberos technology.

Secure Login Client
Client application that provides security tokens (Kerberos and X.509 technology) for a variety of applications.

You do not need to install all of the components. Which components you need depends on your use case scenario. For more information about Secure Login Server and Secure Login Library, see Installation, Configuration and Administration Guide.

The Secure Login Client is integrated with SAP software to provide single sign-on capability and enhanced security. Secure Login Client can be used with Kerberos technology, an existing public key infrastructure (PKI), or together with the Secure Login Server for certificate-based authentication without having to set up a PKI. The Secure Login Client can use the following authentication methods:

- Smart cards and USB tokens with an existing PKI certificate: Secure Login Server and authentication server are not necessary.
- Microsoft Crypto Store with an existing PKI certificate: Secure Login Server and authentication server are not necessary.
- Microsoft Windows credentials: The Microsoft Windows Domain credentials (Kerberos token) can be used for authentication. The Microsoft Windows credentials can also be used to receive a user X.509 certificate with the Secure Login Server.
- User name and password (several authentication mechanisms): The Secure Login Client prompts you for your user name and password and authenticates with these credentials using the Secure Login Server in order to receive a user X.509 certificate.

All of these authentication methods can be used in parallel. A policy server provides authentication profiles that specify how to log on to the desired SAP system.


1.2 Main System Components


The following figure shows the Secure Login system environment with the main system components:

Figure: Secure Login System Environment with existing PKI and Kerberos (elements shown: PKI Infrastructure with Smart Card, USB Token and Microsoft Crypto Store providing a Security Token; Kerberos Infrastructure providing a Kerberos Token; Secure Login Client; SAP GUI and Web GUI; SAP NetWeaver Platform with Secure Login Library; authentication and secure communication between client and platform)

The Secure Login Client is responsible for the certificate-based and Kerberos-based authentication to the SAP application server.

1.3 Authentication Methods


In a system environment without Secure Login Server, the Secure Login Client supports the authentication methods listed in the table below:

Authentication Method: Authentication with X.509 certificates
Details: The certificate provider sends the X.509 certificates through secure network communication (SNC). The following certificate providers work with X.509 certificates:
- Smart card and USB tokens with an existing PKI certificate
- Microsoft Crypto Store (Certificate Store)
In SNC the Secure Login Client can perform authentication with encryption and digital signing certificates. The Secure Login Client supports RSA and DSA keys.

Authentication Method: Authentication with Kerberos tokens
Details: For more information about the authentication with a Kerberos token, see 1.5 Workflow with Kerberos Token.

1.4 Workflow with X.509 Certificate


The following figure shows the principal workflow and communication between the individual components:

Figure: Principal Workflow for X.509 Certificate Authentication (elements shown: PKI Infrastructure with Smart Card, USB Token, Microsoft Crypto Store and Security Token; Secure Login Client; SAP GUI application; SAP NetWeaver Platform with Secure Login Library; steps 1 to 6 as listed below)

1. When the connection starts, the Secure Login Client retrieves the SNC name from the desired SAP server system.
2. The Secure Login Client uses the authentication profile for this SNC name.
3. The user unlocks the security token by entering the PIN or password.
4. The Secure Login Client receives the X.509 certificate from the user security token.
5. The Secure Login Client provides the X.509 certificate for SAP single sign-on and secure communication between SAP client and SAP server.
6. The user is authenticated and the communication is secured.


Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. The Microsoft Crypto API has a plug-in mechanism for third-party cryptoengines. The Crypto Service Provider (CSP) of SAP is a plug-in of this type. It provides the user keys to all CAPI-enabled applications.

1.5 Workflow with Kerberos Token


The following figure shows the principal workflow and communication between the individual components:

Figure: Principal Workflow for Kerberos Authentication (steps 1 to 5 as listed below)

1. When the connection starts, the Secure Login Client retrieves the SNC name (Service Principal Name) from the desired SAP server system.
2. At the Ticket Granting Service the Secure Login Client starts a request for a Kerberos Service Token.
3. The Secure Login Client receives the Kerberos Service Token.
4. The Secure Login Client provides the Kerberos Service Token for SAP single sign-on and secure communication between SAP client and SAP server.
5. The user is authenticated and the communication is secured.


1.6 Workflow with X.509 Certificate Request


The following figure shows the principal workflow and communication between the individual components:

Figure: Principal Workflow (steps 1 to 9 as listed below)

1. When the connection starts, the Secure Login Client gets the SNC name from the desired SAP server system.
2. Secure Login Client uses the client policy for this SNC name.
3. Secure Login Client receives the user login credentials.
4. Secure Login Client generates a certificate request.
5. Secure Login Client sends the user credentials and the certification request to the Secure Login Server.
6. Secure Login Server forwards the user credentials to the authentication server and receives an answer that indicates whether the user credentials are valid.
7. If the user credentials are valid, the Secure Login Server generates a user certificate (certificate reply) and sends it to the Secure Login Client.
8. Secure Login Client provides the certificate to SAP GUI.
9. The user certificate is used to perform authentication, single sign-on, and secure communication between SAP client and server.


2 Secure Login Client Installation


This section explains how to install Secure Login Client.

2.1 Prerequisites
This section deals with the prerequisites and requirements for the installation of Secure Login Client. An installation of the Secure Login Client in a Citrix XenApp environment does not require any special steps or settings. You can download the SAP NetWeaver Single Sign-On software from the SAP Service Marketplace. Go to https://service.sap.com/swdc and choose Support Package and Patches > Browse our Download Catalog > SAP NetWeaver and complementary products > SAP NetWeaver Single Sign-On > SAP NetWeaver Single Sign-On 1.0 > Comprised Software Component Versions > Secure Login Client 1.0 (32-bit or 64-bit).

Hardware Requirements

Secure Login Client       Details
Hard disk space           20 MB hard disk space
Random access memory      Min. 256 MB RAM
Smart card reader         Any PC/SC smart card reader can be used

Software Requirements

Secure Login Client       Details
Operating systems         Microsoft Windows 7 64-bit
                          Microsoft Windows 7 32-bit
                          Microsoft Windows Vista 64-bit
                          Microsoft Windows Vista 32-bit
                          Microsoft Windows XP 32-bit
                          Microsoft Windows Server 2008 R2 64-bit
                          Microsoft Windows Server 2008 64-bit
                          Microsoft Windows Server 2003 64-bit
Citrix support            Microsoft Windows Server 2003 x64 / Citrix XenApp 5
                          Microsoft Windows Server 2008 R2 x64 / Citrix XenApp 6
SAP GUI                   SAP GUI for Windows 7.10 and higher
                          SAP GUI for JAVA 7.10 and higher
Smart card support        For smart card support the relevant smart card middleware needs to be installed. For more information, contact your vendor. Secure Login Client supports smart cards through the Microsoft Crypto API (CSP) or PKCS#11 interface.


If you are using Microsoft Windows Server 2003 64-bit, refer to the Microsoft Knowledge Base article KB960077 (http://support.microsoft.com/kb/960077).


2.2 Installation
This section explains how to install Secure Login Client. The installation is performed using the MSI Installer. If a smart card is to be used in Secure Login Client, install the smart card reader and smart card middleware software. For more information, contact the vendor.

Start Installation

Use the appropriate MSI Installer for your operating system.

Secure Login Client Software Package Type    File Name
Microsoft Windows 32-bit                     SecureLoginClientx86.msi
Microsoft Windows 64-bit                     SecureLoginClientx64.msi

Administrative rights are required to install the Secure Login Client software.

To continue, choose the Next button. To install all components, choose the Complete option. To define the installation components, choose the Custom option. To continue, choose the Next button. If you choose the Custom option, the following features appear.

Feature: Secure Login Client Components
Value: This feature installs the basic components of Secure Login Client. This feature is mandatory.
Options (Start during Microsoft Windows login, Crypto & Certificate Store Providers, Policy Download Agent): Options for an installation under Citrix XenApp. See Secure Login Client for Citrix XenApp.

Feature: Secure Login Server Support
Value: This feature installs authentication support with Secure Login Server. Based on the provided user credentials, the Secure Login Server provides user certificates to the Secure Login Client.

Feature: Kerberos Single Sign-On
Value: This feature installs the Kerberos authentication support.

Feature: Smart Card Support
Value: This feature installs smart card authentication support.

Feature: Logging Service
Value: This feature installs the trace and logging option. We recommend that you install this option only for problem analysis.

To continue, choose the Install button. To complete the installation, choose the Finish button.


2.3 Unattended Installation


Use the MSI installation option to deploy the Secure Login Client software with software distribution tools. In the case of a Secure Login Server integration, remember to deploy the Root CA certificate and Client Policy URL as well. For more information, see section 2.4 Custom Installation.

Standard MSI Options


To help you understand the MSI options, open a command shell and enter the following command: msiexec /?

Secure Login Client MSI Options


To display the Secure Login Client MSI installation options, enter the following command:

Microsoft Windows 32-bit:
msiexec /i <source_path>\SecureLoginClientx86.msi HELP=1

Microsoft Windows 64-bit:
msiexec /i <source_path>\SecureLoginClientx64.msi HELP=1


Entries marked with * are mandatory.

Feature group: Base_Components
  SAP_SecureLogin_base*            Basic components of Secure Login Client. *This option is mandatory and cannot be changed.
  SAP_SecureLogin_sbus*            Secure Login Client service. *This option is mandatory and cannot be changed.
  SAP_SecureLogin_i18n             International language files support. Standard feature.
  SAP_SecureLogin_pki*             X.509 Cryptographic support. *This option is mandatory and cannot be changed.

Feature group: SAP_Security
  SAP_SecureLogin_sap_gss*         SAP Secure Network Communication (SNC) support. *This option is mandatory and cannot be changed.
  SAP_SecureLogin_sap_ssf          SAP Secure Store and Forward (SSF) support. Standard feature.
  SAP_SecureLogin_capi             Support for Microsoft Crypto API token plug-in. Use existing certificates in Secure Login Client. Standard feature.
  SAP_SecureLogin_csp*             Cryptographic service provider plug-in for the Microsoft Crypto API. Secure Login Client provides certificates to the Microsoft Crypto API. *These options are mandatory and cannot be changed.
  SAP_SecureLogin_store*
  SAP_SecureLogin_securelogin      Component to interact with Secure Login Server.
  SAP_SecureLogin_kerberos_token   Kerberos support.
  SAP_SecureLogin_smartcard        Smart card support.
  SAP_SecureLogin_notify           Trace and logging option. We recommend that you install this option only for problem analysis.


Unattended Installation Examples


Example 1
This example shows you how to install the Secure Login Client software without the logging service.

msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify

The recommended installation is to install all components without the logging service.

Example 2
This example shows you how to install the Secure Login Client software without the logging service and Secure Login Server support.

msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify,SAP_SecureLogin_securelogin

Example 3
This example shows you how to install the Secure Login Client software without the logging service, Secure Login Server support, and Kerberos support.

msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify,SAP_SecureLogin_securelogin,SAP_SecureLogin_kerberos_token

Example 4
This example shows you how to install the Secure Login Client software without the logging service, Secure Login Server support, and smart card support.

msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify,SAP_SecureLogin_securelogin,SAP_SecureLogin_smartcard

Example 5
This example shows you how to uninstall the Secure Login Client software.

msiexec /qb /x "SecureLoginClientx86.msi"
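The following PowerShell script is an added example and is not part of the SAP guide. It shows how a software distribution job can wrap the unattended installation described above: it picks the x86 or x64 package for the machine, refuses a REMOVE list that names a feature the MSI option table marks as mandatory, runs msiexec with the documented ADDLOCAL and REMOVE properties plus a verbose Windows Installer log, and maps the exit codes. The share path, the log directory, the function names and the use of the silent /qn switch in place of the guide's /qb are assumptions of this example.

```powershell
# Added example, not from the SAP guide: wrapper for an unattended Secure Login Client rollout.
# Assumptions: the MSI files from the guide are in $SourceDir (placeholder share), the log
# directory is ours, and the feature names are the ones the guide documents for the packages
# (msiexec /i <msi> HELP=1 lists them).
param(
    [string]$SourceDir = '\\deploy-share\sap\slc',                        # placeholder
    [string[]]$RemoveFeatures = @('SAP_SecureLogin_notify'),              # guide's recommendation: no logging service
    [string]$LogDir = "$env:ProgramData\SAP\SecureLoginClient-Install"    # placeholder
)

# Feature names from the guide's MSI option table; the starred entries there cannot be removed.
$MandatoryFeatures = @('SAP_SecureLogin_base', 'SAP_SecureLogin_sbus', 'SAP_SecureLogin_pki',
                       'SAP_SecureLogin_sap_gss', 'SAP_SecureLogin_csp', 'SAP_SecureLogin_store')
$OptionalFeatures  = @('SAP_SecureLogin_i18n', 'SAP_SecureLogin_sap_ssf', 'SAP_SecureLogin_capi',
                       'SAP_SecureLogin_securelogin', 'SAP_SecureLogin_kerberos_token',
                       'SAP_SecureLogin_smartcard', 'SAP_SecureLogin_notify')

function Get-SlcPackageName {
    # 64-bit Windows (native, or a 32-bit PowerShell running under WOW64) gets the x64 package
    $is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
    if ($is64) { 'SecureLoginClientx64.msi' } else { 'SecureLoginClientx86.msi' }
}

function Test-SlcRemoveList {
    # Fail early with a clear message instead of letting msiexec reject an impossible REMOVE list
    param([string[]]$Remove)
    foreach ($feature in $Remove) {
        if ($MandatoryFeatures -contains $feature) {
            throw "'$feature' is mandatory and cannot be removed (see the MSI option table)."
        }
        if (-not ($OptionalFeatures -contains $feature)) {
            throw "'$feature' is not a documented Secure Login Client feature."
        }
    }
}

function Install-SlcUnattended {
    param([string]$SourceDir, [string[]]$Remove, [string]$LogDir)
    Test-SlcRemoveList -Remove $Remove
    $msi = Join-Path $SourceDir (Get-SlcPackageName)
    if (-not (Test-Path $msi)) { throw "Package not found: $msi" }
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $log = Join-Path $LogDir ('slc-install-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

    # Same properties as the guide's examples; /qn (no UI) replaces /qb for distribution tools,
    # /l*v writes a verbose Windows Installer log for later troubleshooting.
    $msiArgs = @('/norestart', '/qn', '/i', "`"$msi`"", 'ADDLOCAL=ALL')
    if ($Remove -and $Remove.Count -gt 0) { $msiArgs += 'REMOVE=' + ($Remove -join ',') }
    $msiArgs += @('/l*v', "`"$log`"")

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Output "Installed $msi (log: $log)" }
        3010    { Write-Warning "Installed $msi, reboot required (log: $log)" }   # ERROR_SUCCESS_REBOOT_REQUIRED
        default { throw "msiexec exited with $($proc.ExitCode); see $log" }
    }
    return $proc.ExitCode
}

Install-SlcUnattended -SourceDir $SourceDir -Remove $RemoveFeatures -LogDir $LogDir
```

Run the script from an elevated PowerShell session (the guide requires administrative rights for the installation); the returned exit code lets the distribution tool decide whether a reboot has to be scheduled.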


2.4 Custom Installation


This section describes how to integrate the installation of the Root CA certificate (Microsoft Certificate Store) and client policy URL (Registry Key) for the Secure Login Client into software distribution tools. The customized aspects of this installation are associated only with the integration with Secure Login Server.

Install Root CA Certificate


You need to install the Root CA certificate from Secure Login Server in the client environment. The Root CA certificate is used to establish secure communication to the Secure Login Server. Use the Microsoft CertMgr tool, which is part of the Microsoft Windows Software Development Kit (SDK), to import certificates. Use the following command to import a certificate:

certmgr.exe /add /all /c <RootCA_file> /s ROOT /r localMachine

The Root CA certificate is provided by the Secure Login Server.

Install Client Policy URL


The client policy URL (registry key) defines the connection information for the Secure Login Server. Use this client policy URL to retrieve authentication profiles for the Secure Login Client Console. Use the following command to import a registry file:

reg.exe import customer.reg

The registry file customer.reg can be provided by the Secure Login Server.

Example: Registry file customer.reg


customer.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\System]
"PolicyURL"="http://<IP/FQDN>:<Port>/securelogin/admin/Navigation?op=downloadFile&name=ClientPolicy.xml"
"PolicyTTL"=dword:00000000
"NetworkTimeout"=dword:0000002d
"DisableUpdatePolicyOnStartup"=dword:00000000


Parameter: PolicyURL
Description: Network resource (Secure Login Server) from which the most recent Secure Login Client policy can be downloaded. The following types of client policies are available:
- ClientPolicy.xml: Client Policy defined in the default instance of the Secure Login Server.
- ClientPolicy.xml&path=000xx: Client Policy defined in instance xx (instance number) of the Secure Login Server.
- GlobalClientPolicy.xml: Global Client Policy that includes all available instances of the Secure Login Server.
For more information, see the Secure Login Server Installation, Configuration and Administration Guide.

Parameter: PolicyTTL
Description: The lifetime of the client policy in minutes; when it expires, the Secure Login Client checks the Secure Login Server for a new (updated) client policy. Default is 0 minutes. By default, the Secure Login Client checks for a new client policy during system start of the client PC.

Parameter: NetworkTimeout
Description: Network timeout in seconds before the connection is closed if the Secure Login Server does not respond. Default is 45 seconds (hex value: 2d).

Parameter: DisableUpdatePolicyOnStartup
Description: By default the Secure Login Client looks for a new client policy during the system startup of the client PC. You can use this parameter to disable this feature.
- 1: Disable automatic policy download.
- 0: Enable automatic policy download.
Default value is 0.

For more information about registry configuration options, see section 4.3 Registry Configuration Options. For more information about registry settings provided by the Secure Login Server, see the Installation, Configuration and Administration Guide for Secure Login Server.


2.5 Updating the Secure Login Client to SP2


You can download the Support Package software from the SAP Service Marketplace. Go to https://service.sap.com/swdc and choose Support Package and Patches > Browse our Download Catalog > SAP NetWeaver and complementary products > SAP NetWeaver Single Sign-On > SAP NetWeaver Single Sign-On 1.0. You do not need to uninstall the existing version of the Secure Login Client. You simply run the installation software as described in 2.2 Installation and overwrite your existing Secure Login Client. To display the version number of your software, right-click the blue diamond of the Secure Login Client in the Microsoft Windows notification area and choose About. The version number 1.0.2 is displayed in the About screen of the Secure Login Client.


2.6 Uninstallation
Use the appropriate MSI file for your operating system. You can also use the Software Management Tool in Microsoft Windows.

Secure Login Client Software Package Type    File Name
Microsoft Windows 32-Bit                     SecureLoginClientx86.msi
Microsoft Windows 64-Bit                     SecureLoginClientx64.msi

Administration rights are required to uninstall the Secure Login Client software. If you want to use the software management tool in Microsoft Windows, choose Control Panel > Uninstall a Program, right-click Secure Login Client, and choose the Uninstall option from the context menu. Another option is to start the Secure Login Client MSI software package. To continue, choose the Next button.


Select the Remove option and choose the Next button to continue.

To continue, choose the Remove button.


To complete the uninstallation, choose the Finish button.

You can remove the Secure Login Client software in unattended mode using the MSI options described in section 2.3 Unattended Installation.


3 Secure Login Client Console


This section describes the Secure Login Client Console. The system tray contains a blue diamond icon.

To open the Secure Login Client Console, click this icon. In this example, no Kerberos token is available, because this user is not authenticated in the Microsoft domain.

Kerberos Token
If the user is authenticated in the Microsoft domain, the Kerberos token is displayed.


You can switch users in the Microsoft domain. Right-click the Kerberos profile and choose the Log In option.

Enter the Microsoft domain user name and password.

The new Kerberos token is displayed.


Certificate from Microsoft Certificate Store


If an X.509 certificate is available in the Microsoft Certificate Store, this certificate is displayed in the Secure Login Client Console and can be used in SAP GUI.

3.1 Secure Login Server Integration


If a Secure Login Server is used to provide user certificates, client profiles are available in the Secure Login Client Console.

Client profiles from Secure Login Server are available only if the option Secure Login Server Support is installed and if the Client Policy URL (registry value) is defined. For more information about the Client Policy URL, see section 2.4 Custom Installation.

Certificates requested using the Secure Login Server and available in the Secure Login Client Console are also provided to the Microsoft Certificate Store (for example, for use when logging on to SAP Enterprise Portal).


Caution: There may be problems if Internet Explorer attempts SSL client authentication. This also applies to a logon with the SAP NetWeaver Business Client. For more information, see SAP Note 1658181.

Automatic Provisioning of Certificates


The Secure Login Client supports profiles that enable users to automatically obtain X.509 certificates when the Secure Login Client starts up during a Microsoft Windows authentication. You can optionally configure the Secure Login Server to provide such a profile.

Manual Provisioning of Certificates


If you right-click the profile in the Secure Login screen, you can choose the menu item Log In. While you are logged on in a domain, this obtains a certificate automatically without asking for your user name and password; otherwise the system prompts you for your user credentials. With this setting, you also get the additional menu item Log In as. When you choose Log In as (or if you are a local user), the system prompts you for your user name and password. Having entered both, you are provided with a certificate by the Secure Login Client.

3.2 Use Profile for SAP Applications


You can configure which profile is used for which SAP server system. It is possible to do this by right-clicking a profile and choosing Use Profile for SAP Applications.

If you choose this option, the position of the icon changes and this profile is used for SAP GUI. For example, if you need to switch profiles manually, you can do so using this feature. You can deactivate this menu item in the client policy provided by the Secure Login Server.

Log Console
If the option Logging Service was installed, the Log Console is available in the Secure Login Client Console. The log console (Secure Login Client Notification Viewer) is a support analysis tool that displays advanced information about the Secure Login and Enterprise Single Sign-On actions. The information is constantly updated (live).

We recommend that you use this installation option only for problem analysis to help support teams with troubleshooting.

Open the console as follows:

1. Choose the menu entry View > Log Console in the Secure Login dialog. The Live Trace pane is displayed.


2. The Live Trace pane automatically scrolls down whenever a component performs a task and the task details are captured by the log console.

The log console offers the following menu items:

Menu Item: File
    Open                 Opens trace files (*.xml) that contain trace messages previously exported (cut) from the Live Trace pane.
    Explore Trace Files  Opens the folder on the local drive that contains the trace (*.xml) files.
    Save as              Saves the current trace list as an XML file.
    Close                Closes the pane currently open in the log console.
    Exit                 Exits the log console.

Menu Item: View
    Live Trace           Opens the Live Trace pane to display the log messages.
    Live Trace Copy      Duplicates the live trace messages file into a new, static XML file. The path of the file is visible in the title bar of the viewer.
    Live Trace Cut       Cuts the message information from the current live trace message feed, effectively clearing the Live Trace pane. The cut messages are automatically saved to an XML file and opened in a new pane in the log console window. The path of the file is visible in the title bar of the viewer.

Menu Item: Tools
    Options              Opens the Options dialog for the logging service (sbustrace.exe) component:


    You can specify the following options in this dialog:
        Service     These options allow you to install or remove the logging service component from Microsoft Windows, and to start or stop the service if it is installed (options not currently available are grayed out). The current state of the service is displayed in the fields above the respective buttons.
        Live-Trace  Caution: This option is for advanced users only. This option enables you to filter the messages when you choose View > Live Trace Copy. You do this by cutting and pasting an XML fragment into the field.
        TraceLevel  Use this option to define the granularity of the live trace messages.
        Log Rotate  Use this option to define the maximum size for a log file before it is archived and a new log file is started.
        Filter      Use this option to filter trace messages. The filter must be defined manually with the help of the support team.
    Choose OK to apply any changes and close the window.

Menu Item: Window
    Tile Horizontally    Arranges any open panes so that they are displayed equally, horizontally, across the log viewer window.
    Tile Vertically      Arranges any open panes so that they are displayed equally, vertically, across the log viewer window.
    Cascade              Arranges the open panes so that they are displayed in a stack.

The column headers, which are located at the top of the Live Trace pane, are defined as follows:


Live Trace Header    Details
L                    Defines the message type:
                     A yellow warning sign means that something may be wrong and needs to be checked.
                     A red error icon means that the task could not be performed.
                     A blue information icon refers to a successful task or an informational message.
Time                 The time the task was performed.
PID                  Process ID
TID                  Thread ID
App                  The component that performed the task
Mod                  The application module from which the task originated
Msg                  Information about the task performed

Version Information
Choose the SAP icon in Secure Login Console or right-click the system tray icon and choose the About Secure Login option. The version information is displayed.


4 Configuration Options
This section describes how to enable SNC in SAP GUI and how to define the user mapping in SAP user management.

4.1 Enable SNC in SAP GUI


To establish secure communication between SAP GUI and the SAP NetWeaver application server, you need to enable the SNC option. Start the SAP GUI application, enable the SNC option, and define the SNC name of the SAP NetWeaver application server.

Kerberos SNC Name


Choose the option Activate Secure Network Communication and define the SNC Name.

Example SNC Name:

p:CN=SAP/KerberosABC@DEMO.LOCAL

The SNC name is provided by your SAP NetWeaver administrator. For more information about how to install the SNC library on the SAP NetWeaver application server, see the Secure Login Library Installation, Configuration, and Administration Guides. Note that the definition of the SNC name is case-sensitive.


X.509 Certificate SNC Name


Choose the option Activate Secure Network Communication and define the SNC name.

Example SNC Name:

p:CN=ABC, OU=SAP Security

The SNC name is provided by your SAP NetWeaver administrator. For more information about how to install the SNC library on the SAP NetWeaver application server, see the Secure Login Library Installation, Configuration, and Administration Guides. Note that the definition of the SNC Name is case-sensitive.


4.2 User Mapping


This section describes how to define the user mapping in SAP user management. For the user authentication using security tokens (X.509 certificate or Kerberos token), this mapping is required to define which security token belongs to which SAP user. For smooth and straightforward integration, we recommend that you use the SAP NetWeaver Identity Management solution to manage user mapping.

Manual Configuration
Start the user management tool by calling transaction SU01. Choose the SNC tab. If you are using Kerberos authentication, enter the Kerberos user name in the SNC name field. If you are using X.509 certificate-based authentication, enter the X.509 certificate Distinguished Name in the SNC name field. Note that the definition of the SNC name is case-sensitive.

Kerberos Example
In this example, the SNC name p:CN=MICROSOFTUSER@DEMO.LOCAL belongs to the user SAPUSER.


X.509 Certificate Example


In this example the SNC name p:CN=SAPUSER, OU=SAP Security belongs to the user SAPUSER.

For more information about how to perform user mapping, see the Secure Login Library Installation, Configuration and Administration Guide.


Set External Security Name for All Users


You can use transaction SNC1 (report RSUSR300) to configure the SNC name in batch mode. Note that the definition of the string is case-sensitive.

With this tool you can choose all SAP users (*), a list of SAP users, or SAP user groups. You can use the option Users without SNC names only to control whether existing SNC names are overwritten. This batch tool takes an SAP user and uses the components <previous_character_string><SAP_user_name><next_character_string> to build the SNC name.

Kerberos Example
In this example SNC names are generated with the following string for all users without an SNC name:

p:CN=SAP/<user_name>@DEMO.LOCAL

X.509 Certificate Example


In this example SNC names are generated with the following string for all users without an SNC name:

p:CN=<user_name>, OU=SAP Security


4.3 Registry Configuration Options


This section describes further configuration options in the registry for the Secure Login Client.

Common Settings

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common]

Parameter: Locale
Type: STRING
Description: Language setting for the Secure Login Client. The language is usually recognized automatically; use this parameter for customizing. Possible values are:
    en_US (English)
    de_DE (German)
    fr_FR (French)
    ja_JP (Japanese)
    pt_BR (Portuguese)
    ru_RU (Russian)
    zh_CN (Chinese)

Parameter: HideTrayIcon
Type: DWORD
Description: Use this option to remove the Secure Login Client tray icon. To display the tray icon, set the value 0. To hide the tray icon, set the value 1. By default, the tray icon is displayed.

Parameter: TrustDB
Type: STRING
Description: Use this option to define where the Secure Login Client searches for trusted root certificates. The following values are possible:
    capi (default)  Get trust from the Microsoft Certificate Store
    token           Use root certificates on tokens
    Get trust from files (.crt, .p7c, ...) in a single directory

Parameter: ResourcePath
Type: STRING
Description: Use this option to specify an alternate location for the language files (.res). The default value is <install_path>/etc.


PCSC Settings
The options in this section allow you to select which PCSC smart card readers are used or ignored. You can specify multiple patterns by separating them with "," or ";". Wildcards (* and ?) are allowed.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\pcsc]

Parameter: IgnoredReadersPattern
Type: STRING
Description: Use this option to disable some PCSC smart card readers. The default value is <empty> (do not disable any PCSC smart card reader).

Parameter: AllowedReadersPattern
Type: STRING
Description: Use this option to use only the specified PCSC smart card readers. This option is evaluated after IgnoredReadersPattern. The default value is * (use every PCSC smart card reader). Important: If you use an empty string (""), all readers are used (same as *).

CAPI Settings
The options in this section allow you to select which certificates from third-party CSPs may be used.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\capi]

Parameter: CAPIProviderFilter
Type: STRING
Description: Use this option to use only certificates provided by specific CSPs (the CSP name must begin with this string). Example: Microsoft (use only certificates provided by CSPs from Microsoft).

Parameter: CAPIFilterValidOnly
Type: DWORD
Description: Use this option to use only certificates that are valid (issued in the past and not expired).

Parameter: CAPIFilterIssuerDN
Type: STRING
Description: Use this option to use only certificates whose issuer Distinguished Name contains CAPIFilterIssuerDN. Example: CN=My Companies CA

Parameter: CAPIFilterSubjectDN
Type: STRING
Description: Use this option to use only certificates whose subject Distinguished Name contains CAPIFilterSubjectDN. Example: O=My Org Unit

Parameter: CAPIFilterExcludeIssuerDN
Type: STRING
Description: Use this option to disable certificates whose issuer Distinguished Name contains CAPIFilterExcludeIssuerDN. Example: CN=Test CA

Parameter: CAPIFilterExcludeSubjectDN
Type: STRING
Description: Use this option to disable certificates whose subject Distinguished Name contains CAPIFilterExcludeSubjectDN. Example: O=Testing only

Parameter: CAPIFilterKeyUsage
Type: STRING
Description: Use this option to use only certificates that have a specific key usage. CAPIFilterKeyUsage may contain the following strings (you can specify multiple strings):
    +KEYUSAGE  Use only certificates that have the specified key usage.
    -KEYUSAGE  Do not use certificates that have the specified key usage.
KEYUSAGE can be one of the following:
    dataEncipherment  Data encipherment key usage
    digitalSignature  Digital signature key usage
    keyAgreement      Key agreement key usage
    keyEncipherment   Key encipherment key usage
    nonRepudiation    Non-repudiation key usage
    cRLSign           CRL signature key usage

Parameter: CAPIFilterExtendedKeyUsage
Type: STRING
Description: Use this option to use only certificates that have a specific extended key usage. The syntax of this option is similar to CAPIFilterKeyUsage. CAPIFilterExtendedKeyUsage may contain the following strings:
    +EXTKEYUSAGE  Use only certificates that have the specified extended key usage.
    -EXTKEYUSAGE  Do not use certificates that have the specified extended key usage.
EXTKEYUSAGE can be one of the following:
    ServerAuthentication (1.3.6.1.5.5.7.3.1)
    ClientAuthentication (1.3.6.1.5.5.7.3.2)
    CodeSigning (1.3.6.1.5.5.7.3.3)
    EmailProtection (1.3.6.1.5.5.7.3.4)
    IpsecEndSystem (1.3.6.1.5.5.7.3.5)
    IpsecTunnel (1.3.6.1.5.5.7.3.6)
    IpsecUser (1.3.6.1.5.5.7.3.7)
    TimestampSigning (1.3.6.1.5.5.7.3.8)
    OcspSigning (1.3.6.1.5.5.7.3.9)
    MicrosoftEfs (1.3.6.1.4.1.311.10.3.4)
    MicrosoftEfsRecovery (1.3.6.1.4.1.311.10.3.4.1)
    MicrosoftKeyRecovery (1.3.6.1.4.1.311.10.3.11)
    MicrosoftDocumentSigning (1.3.6.1.4.1.311.10.3.12)
    MicrosoftSmartcardLogon (1.3.6.1.4.1.311.20.2.2)
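To make the CAPI filter semantics concrete, the following is an added example that models how the settings of the capi key combine when deciding whether a certificate may be offered. It is not SAP code and not part of this guide: the CertInfo records, the registry values and the evaluation date are constructed, and separating several +/- entries by whitespace is an assumption (the guide only says multiple strings may be given).

```python
import datetime as dt
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class CertInfo:
    """Minimal view of a CAPI certificate: only the fields the filters inspect."""
    label: str
    csp: str                # name of the CSP that holds the private key
    issuer_dn: str
    subject_dn: str
    not_before: dt.date
    not_after: dt.date
    key_usage: Set[str] = field(default_factory=set)      # e.g. digitalSignature
    ext_key_usage: Set[str] = field(default_factory=set)  # e.g. ClientAuthentication


def parse_usage_filter(spec: str) -> Tuple[Set[str], Set[str]]:
    """Split a '+A -B' filter into (required, forbidden) usage names.
    Assumption: several entries are separated by whitespace."""
    required: Set[str] = set()
    forbidden: Set[str] = set()
    for token in spec.split():
        if token.startswith("+"):
            required.add(token[1:])
        elif token.startswith("-"):
            forbidden.add(token[1:])
        else:
            raise ValueError(f"filter entry must start with + or -: {token!r}")
    return required, forbidden


def cert_allowed(cert: CertInfo, settings: Dict[str, str], today: dt.date) -> bool:
    """Apply every filter of the ...\\SecureLogin\\common\\capi key.
    Filters that are not set (or empty) do not restrict anything."""
    # CAPIProviderFilter: the CSP name must begin with the configured string.
    prefix = settings.get("CAPIProviderFilter", "")
    if prefix and not cert.csp.startswith(prefix):
        return False
    # CAPIFilterValidOnly (DWORD 1): issued in the past and not yet expired.
    if int(settings.get("CAPIFilterValidOnly", "0")):
        if not (cert.not_before <= today <= cert.not_after):
            return False
    # Substring filters on issuer and subject DN, in include and exclude form.
    dn_filters = (
        ("CAPIFilterIssuerDN", cert.issuer_dn, False),
        ("CAPIFilterSubjectDN", cert.subject_dn, False),
        ("CAPIFilterExcludeIssuerDN", cert.issuer_dn, True),
        ("CAPIFilterExcludeSubjectDN", cert.subject_dn, True),
    )
    for key, dn, is_exclude in dn_filters:
        needle = settings.get(key, "")
        # an include filter fails when the needle is absent, an exclude filter when present
        if needle and (needle in dn) == is_exclude:
            return False
    # +/- lists for key usage and extended key usage.
    for key, usages in (("CAPIFilterKeyUsage", cert.key_usage),
                        ("CAPIFilterExtendedKeyUsage", cert.ext_key_usage)):
        spec = settings.get(key, "")
        if spec:
            required, forbidden = parse_usage_filter(spec)
            if not required <= usages or usages & forbidden:
                return False
    return True


def select_certificates(certs: List[CertInfo], settings: Dict[str, str],
                        today: dt.date) -> List[str]:
    """Return the labels of the certificates that pass all configured filters."""
    return [c.label for c in certs if cert_allowed(c, settings, today)]


# Constructed registry values (types and meanings follow the table above).
SAMPLE_SETTINGS = {
    "CAPIProviderFilter": "Microsoft",
    "CAPIFilterValidOnly": "1",
    "CAPIFilterExcludeIssuerDN": "CN=Test CA",
    "CAPIFilterKeyUsage": "+digitalSignature",
    "CAPIFilterExtendedKeyUsage": "+ClientAuthentication -CodeSigning",
}
TODAY = dt.date(2011, 12, 1)   # constructed evaluation date


def _cert(label, csp="Microsoft Enhanced RSA and AES Cryptographic Provider",
          issuer="CN=Corp Issuing CA, O=Example", not_after=dt.date(2013, 1, 1),
          ku=("digitalSignature", "keyEncipherment"), eku=("ClientAuthentication",)):
    """Build a constructed certificate record with sensible defaults."""
    return CertInfo(label, csp, issuer, f"CN={label}, OU=SAP Security",
                    dt.date(2011, 1, 1), not_after, set(ku), set(eku))


# Constructed certificate store: exactly one record survives the filters above.
SAMPLE_CERTS = [
    _cert("alice"),
    _cert("bob-test-ca", issuer="CN=Test CA, O=Example"),                 # excluded issuer
    _cert("carol-expired", not_after=dt.date(2011, 6, 30)),                # not valid today
    _cert("dave-codesign", eku=("ClientAuthentication", "CodeSigning")),  # -CodeSigning
    _cert("erin-vendor", csp="Vendor Smart Card CSP"),                     # wrong CSP prefix
]

if __name__ == "__main__":
    print(select_certificates(SAMPLE_CERTS, SAMPLE_SETTINGS, TODAY))  # ['alice']
```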

Client Trace Setting


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\traces]

Parameter: TraceLevel
Type: DWORD
Description: Use this option to enable or disable traces and to configure the trace level. Possible values:
    0  disable traces
    1  only errors
    2  errors and warnings
    3  errors, warnings, and information
    4  errors, warnings, information, and log
    5  errors, warnings, information, log, and debug

For more information about registry settings provided by Secure Login Server, see the Installation, Configuration and Administration Guide for Secure Login Server.


4.4 Smart Card Integration


The Secure Login Client can use X.509 certificates stored in smart cards and supports 64-bit CSP. For smart card support, you need to install the relevant smart card middleware. Secure Login Client supports smart cards through the Microsoft Crypto API (CSP) or the PKCS#11 interface. These interfaces are typically also supported by the smart card middleware software. Checklist for smart card support:

1. If required, install the smart card reader hardware and the PC/SC driver. The smart card reader is usually recognized automatically by the operating system.
2. Install the smart card middleware software. This middleware software must support the desired smart card. Some smart card vendors provide their own middleware software, and there are middleware vendors who support different kinds of smart cards.

PIN management is handled by the middleware software. A typical situation is a user logging on to a Microsoft operating system using the smart card. This user needs to re-enter the PIN in the browser or in SAP GUI. Whether the user is able to do this depends on the smart card middleware, which might close the smart card after the logon to Microsoft Windows. For more information, contact your smart card middleware vendor.

4.5 Digital Signature (SSF)


The Secure Login Client can use X.509 certificates for digital signatures in an SAP environment. The supported interface is Secure Store and Forward (SSF). This option is part of the default installation. The prerequisite for using SSF is that SSF is configured in the SAP instance profile.

How to test SSF Client Signature


Log on to the SAP system using SAP GUI and start transaction SE38. Enter the program name SSF01 and execute this program. Choose the function you want to test, for example, Signing. For the parameter RFC destination, enter the value SAP_SSFATGUI. For the parameter SSF format, enter the value PKCS7. Two configuration cases are described below.

Case 1: Use smart card or existing certificate
In the ID field, enter the distinguished name of the smart card certificate. Example: CN=Smartcard User, OU=SAP Security


Case 2: Use Secure Login Client profile provided by Secure Login Server
In the ID field, enter the distinguished name of the user certificate. Example: CN=Username, OU=SAP Security
In the SSF Profile field, enter the Secure Login Client profile configuration. Example: toksw:mem://securelogin/<profile_name>

<profile_name> is the profile name defined in the Secure Login Server. In this example the profile name is SSF. In the parameter Input data, enter the file to be signed. In the parameter Output data, enter the path and file name for the signed file.

Execute the program and choose the Sign button. The system prompts you for a password, which is not required. Choose the green OK button.


The file should be signed.


SSF User Configuration


Use this configuration step to define which Secure Login Client profile is used for the SSF interface. This is defined for each SAP user. Log on to the SAP system using SAP GUI and start transaction SU01. Edit the desired user and, on the Address tab, choose the Other Communication button. Choose the SSF option and define the desired parameter.

Parameter: SSF-ID
Description: Define the Distinguished Name of the user certificate. Example: CN=Username, OU=SAP Security

Parameter: SSF-ID Part 2
Description: Define an additional Distinguished Name of the user certificate.

Parameter: SSF profile
Description: Define the Secure Login Client profile. There are three options available:
    Use Secure Login Client Profile
        The desired certificate is used for SSF, based on the Secure Login Client profile name. Example: toksw:mem://securelogin/<profile_name>
    Use Secure Login Client Profile and Re-authentication
        Adding the [reauth] option means that the user needs to authenticate again to the Secure Login Client profile before a certificate is provided. Example: [reauth]toksw:mem://securelogin/<profile_name>
    <empty>
        If no SSF profile is defined, the SSF-ID can be used to search for the certificate in the Secure Login Client.

Parameter: Destination
Description: The RFC destination (logical destination) where the SSF RFC server program has been defined. Enter the value SAP_SSFATGUI (SSF for digital signatures on the front ends).

For more information, see the SAP Help Portal.


5 Secure Login Client for Citrix XenApp


This section describes how to use the Secure Login Client in a Citrix XenApp environment. The Secure Login Client supports only 64-bit Microsoft Windows operating systems. The following platforms are supported:
    Microsoft Windows Server 2003 x64 / Citrix XenApp 5
    Microsoft Windows Server 2008 R2 x64 / Citrix XenApp 6

Use Case
The customer wants to run Secure Login Client in a Citrix XenApp environment.

5.1 Secure Login Client with a Published Desktop


A published desktop behaves similarly to a standard Microsoft Windows desktop. You can install the Secure Login Client in the same way as on a local Microsoft Windows operating system. To minimize memory and CPU consumption, we recommend unselecting the feature Start during Windows login. Unselect Crypto & Certificate Store Provider and Policy Download Agent during the installation if you do not use them.

5.2 Secure Login Client with a Published SAP Logon


The Secure Login Client does not start automatically when a user logs on to a published SAP Logon in a Citrix XenApp environment. When installing you may unselect the features Start during Windows login and Crypto & Certificate Store Provider.

How to Enable Automatic Startup with a Published SAP Logon


To automatically start the Secure Login Client, create a user login script called usrlogon_slc.cmd in the Microsoft Windows directory and register it in the Microsoft Windows Registry.

1. Install the Secure Login Client.
2. Create the file usrlogon_slc.cmd in the Microsoft Windows directory.
3. Insert the following content:

   usrlogon_slc.cmd

       @ECHO OFF
       rem starting Secure Login Client, remove the next line if you do not want the SLC to start automatically
       start "Launch SLC" "%ProgramFiles(x86)%\SAP\FrontEnd\SecureLogin\bin\sbus.exe"
       rem register CSP, remove the next two lines if no CSP/CAPI support is required
       regsvr32.exe /s "%ProgramFiles(x86)%\SAP\FrontEnd\SecureLogin\lib\sbussto.dll"
       regsvr32.exe /s "%ProgramFiles%\SAP\FrontEnd\SecureLogin\lib\sbussto.dll"

4. Add the script to the Microsoft Windows Registry to make sure that the Secure Login Client starts automatically at startup. Open the Microsoft Windows Registry and go to the following path:

       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

5. Open the key AppSetup and append the reference to the file usrlogon_slc.cmd to the value, using a comma as separator (without any space). Example:

       Registry value name: AppSetup
       Registry value: ctxhide.exe usrlogon.cmd,cmstart.exe,usrlogon_slc.cmd

   You must keep the sequence as shown in the example because, when starting up, the system proceeds from one file to the next.

5.3 Other Features


Start during Windows login
The Secure Login Client starts automatically when a user logs on to a Microsoft Windows operating system. Remember that this automatic startup increases memory and CPU consumption. If you unselect the installation option Start during Windows login, the Secure Login Client does not start automatically.

Using Certificates for CAPI Applications


You only need this feature if you want to use certificates issued for CAPI applications by the Secure Login Server, such as for a client authentication with Internet Explorer. The CSP/CAPI service is registered during the installation.

Downloading Policies from the Secure Login Server


To automatically download client policies from the Secure Login Server, install the Policy Download Agent feature.


6 Troubleshooting
This section describes some troubleshooting issues and how to solve them. If you need to contact SAP support, provide the Secure Login Client trace information described in section 3 Secure Login Client Console, Log Console.

6.1 Error in SNC


Use Case
An SAP GUI user wants to authenticate to the SAP server using a Kerberos token or X.509 user certificate.

Error Message
Miscellaneous failure. Error in SNC.

Checklist

If you are using a Kerberos token:
    Verify that the user is authenticated in the Microsoft domain.
    Verify that the Kerberos token is displayed in the Secure Login Client Console.
If you are using an X.509 certificate:
    Verify that the X.509 certificate is displayed in the Secure Login Client Console.
Verify that the security token (Kerberos or certificate) is actually used. If the desired profile is not used, try the option Use Profile for SAP Applications.
Verify that SNC is enabled in SAP GUI for the desired SAP server.
Verify that the SNC name of the desired SAP server is configured in SAP GUI (saplogon.ini). Is the name correct (Kerberos name / X.509 certificate name)? Note that the SNC name is case-sensitive.
Verify that the environment variable SNC_LIB is configured to use secgss.dll. Example: C:\Program Files\SAP\FrontEnd\SecureLogin\lib\secgss.dll


6.2 User Name Not Found


Use Case
SAP GUI user wants to authenticate to SAP server using Kerberos token or X.509 user certificate.

Error Message
No user exists with SNC name.

Checklist

If this message appears, the user mapping is not available or not configured correctly. Compare the user certificate distinguished name with the SNC name in SAP User Management (SU01). Note that the SNC name is case-sensitive.

There may also be another reason for this error. For more information, see SAP Note 1635019.
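The case-sensitive comparison behind this checklist, together with the SNC1 batch rule from section 4.2 (<previous_character_string><SAP_user_name><next_character_string>), as an added example that is not part of this guide and not SAP code. The user table and the template are constructed; the case-insensitive second pass in find_user_by_snc_name is an administrator's diagnostic hint only and does not model SAP behavior.

```python
from typing import Dict, Optional, Tuple

# Constructed sample data: SAP user name -> SNC name already stored in SU01
# (None means the user has no SNC name yet).
SAMPLE_USERS: Dict[str, Optional[str]] = {
    "SAPUSER": None,
    "ADMIN": "p:CN=ADMIN, OU=SAP Security",
    "JDOE": None,
}
# Batch pattern in the guide's notation: prefix + <user_name> + suffix.
KERBEROS_TEMPLATE = "p:CN=SAP/<user_name>@DEMO.LOCAL"


def build_snc_name(template: str, user_name: str) -> str:
    """Apply <previous_character_string><SAP_user_name><next_character_string>."""
    if "<user_name>" not in template:
        raise ValueError("template must contain the <user_name> placeholder")
    return template.replace("<user_name>", user_name)


def assign_snc_names(users: Dict[str, Optional[str]], template: str,
                     only_without_snc_name: bool = True) -> Dict[str, Optional[str]]:
    """Model an SNC1 (RSUSR300) run over the selected users.

    only_without_snc_name=True mirrors the option 'Users without SNC names only':
    existing SNC names are left untouched. With False, every selected user
    gets a freshly generated name."""
    result = dict(users)
    for user, current in users.items():
        if current is None or not only_without_snc_name:
            result[user] = build_snc_name(template, user)
    return result


def find_user_by_snc_name(users: Dict[str, Optional[str]],
                          token_name: str) -> Tuple[Optional[str], str]:
    """Look up the SAP user for the SNC name presented by the security token.

    SAP user management matches the SNC name exactly (case-sensitive); that is
    the first pass. The second pass is a diagnostic hint for the administrator:
    it separates a pure case mismatch from a mapping that does not exist."""
    for user, snc_name in users.items():
        if snc_name == token_name:
            return user, "ok"
    for user, snc_name in users.items():
        if snc_name is not None and snc_name.lower() == token_name.lower():
            return None, f"no user exists with SNC name; case mismatch with {user}: {snc_name}"
    return None, "no user exists with SNC name; mapping missing"


if __name__ == "__main__":
    mapped = assign_snc_names(SAMPLE_USERS, KERBEROS_TEMPLATE)
    for name in ("p:CN=SAP/JDOE@DEMO.LOCAL",
                 "p:CN=sap/jdoe@demo.local",
                 "p:CN=SAP/NOBODY@DEMO.LOCAL"):
        print(name, "->", find_user_by_snc_name(mapped, name))
```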

6.3 Invalid Security Token


Use Case 1
SAP GUI wants to authenticate to SAP server using a Kerberos token or X.509 user certificate.

Error Message
SAP system message S.

Checklist

Verify if SNC is configured in the SAP ABAP server.


If the Secure Login Library is installed on the SAP ABAP server and used for SNC, enable the trace and verify the results. For more information see the Installation, Configuration and Administration Guide for Secure Login Library.

Use Case 2
The Secure Login Client requests a service ticket from the domain server.

Error Message
The system displays the following error message: Supplied credentials not accepted by the server. In the trace log of the Secure Login Client, you find the error code A2600202.

Checklist

If the Secure Login Client does not get a service ticket from the domain server, check whether the Service Principal Name used is assigned more than once in the Active Directory system. To check this, enter the following command:

    setspn -T * -T foo -X

6.4 Wrong SNC Library Configured


Use Case
An SAP GUI user wants to authenticate to a SAP server using Kerberos token or X.509 user certificate.

Error Message
Unable to load GSS-API DLL named sncgss32.dll.

Checklist

The wrong SNC library (in this example sncgss32.dll) is assigned to SAP GUI. Verify the environment variable SNC_LIB.


For Secure Login Client the SNC library secgss.dll is used. Example: C:\Program Files\SAP\FrontEnd\SecureLogin\lib\secgss.dll


7 List of Abbreviations
Abbreviation  Meaning
ADS           Active Directory Service
CA            Certification Authority
CAPI          Microsoft Crypto API
CSP           Cryptographic Service Provider
DN            Distinguished Name
EAR           Enterprise Application Archive
HTTP          Hypertext Transport Protocol
HTTPS         Hypertext Transport Protocol with Secure Socket Layer (SSL)
IAS           Internet Authentication Service (Microsoft Windows Server 2003)
JAAS          Java Authentication and Authorization Service
JSPM          Java Support Package Manager
LDAP          Lightweight Directory Access Protocol
NPA           Network Policy and Access Services (Microsoft Windows Server 2008)
PIN           Personal Identification Number
PKCS          Public Key Cryptography Standards
PKCS#10       Certification Request Standard
PKCS#11       Cryptographic Token Interface Standard
PKCS#12       Personal Information Exchange Syntax Standard
PKI           Public Key Infrastructure
PSE           Personal Security Environment
RADIUS        Remote Authentication Dial In User Service
RFC           Remote function call (SAP NetWeaver term)
RSA           Rivest, Shamir and Adleman
SAR           SAP Archive
SCA           Software Component Archive
SLAC          Secure Login Administration Console
SLC           Secure Login Client
SLL           Secure Login Library
SLS           Secure Login Server
SLWC          Secure Login Web Client
SNC           Secure Network Communication (SAP term)
SSL           Secure Socket Layer


UPN           User Principal Name
WAR           Web Archive
WAS           Web Application Server


8 Glossary
Authentication
A process that checks whether a person who logs on is really the person corresponding to the respective user. In a multi-user or network system, authentication means the validation of a user's logon information. A user's name and password are compared against an authorized list.

Base64 encoding
Base64 encoding is three-byte to four-character encoding based on an alphabet of 64 characters. This encoding has been introduced in PEM (RFC1421) and MIME. Other uses include HTTP Basic Authentication headers and general binary-to-text encoding applications. Note: Base64 encoding expands binary data by 33%, which is quite efficient.

CAPI
See Cryptographic Application Programming Interface

Certificate
A digital identity card. A certificate typically includes the following:

- A public key being signed.
- A name, which can refer to a person, a computer or an organization.
- A validity period.
- A location (URL) of a revocation center.
- A digital signature of the certificate produced by the private key of the CA.

The most common certificate standard is the ITU-T X.509.

Certification Authority (CA)
An entity that issues and verifies digital certificates to be used by other parties.

Certificate Store
Sets of security certificates belonging to user tokens or certification authorities.

CREDDIR
A directory on the server where information is placed that goes beyond the PSE (personal security environment).

Credentials
Used to establish the identity of a party in communication. Usually they take the form of machine-readable cryptographic keys and/or passwords. Cryptographic credentials may be self-issued, or issued by a trusted third party; in many cases the only reason for issuance is unambiguous association of the credential with a specific, real individual or other entity. Cryptographic credentials are often designed to expire after a certain period, although this is not mandatory. Credentials have a defined time to live (TTL) that is configured by a policy and managed by a client service process.

Cryptographic Application Programming Interface (CAPI)
The Cryptographic Application Programming Interface (also known variously as CryptoAPI, Microsoft Cryptography API, or simply CAPI) is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Microsoft Windows-based applications using cryptography. It is a set of dynamically linked libraries that provides an abstraction layer that isolates programmers from the code used to encrypt the data.

Cryptographic Token Interface Standard
A standardized crypto-interface for devices that contain cryptographic information or that perform cryptographic functions.

Directory Service
Provides information in a structured format. Within a PKI: Contains information about the public key of the user of the security infrastructure, similar to a telephone book (for example: an X.500 or LDAP directory).

Distinguished Name (DN)
A name pattern that is used to create a globally unique identifier for a person. This name ensures that identical certificates are never created for different people with the same name. The uniqueness of the certificate is additionally ensured by the name of the issuer of the certificate (the certification authority) and a serial number. All PKI users require a unique name. Distinguished Names are defined in the ISO/ITU X.500 standard.

Key Usage
Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For instance, if you have a key used only for signing, enable the digital signature and/or non-repudiation extensions. Alternatively, if a key is used only for key management, enable key enciphering.

Key Usage (Extended)
Extended key usage further refines key usage extensions. The extension is either critical or non-critical. If the extension is critical, the certificate must be used only for the indicated purpose or purposes. If the certificate is used for another purpose, it is in violation of the policy of the CA. If the extension is non-critical, it indicates the intended purpose or purposes of the key and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. The extension is then only an information field and does not imply that the CA restricts the use of the key to the purpose indicated. Nevertheless, applications that use certificates may require that a particular purpose is indicated for the certificate to be acceptable.


Lightweight Directory Access Protocol (LDAP)
A network protocol designed to extract information such as names and e-mail addresses from a hierarchical directory such as X.500.

PKCS#11
PKCS refers to a group of Public Key Cryptography Standards devised and published by RSA Security. PKCS#11 is an API defining a generic interface to cryptographic tokens.

PEM
See Privacy Enhanced Mail.

Personal Identification Number (PIN)
A unique code number assigned to the authorized user.

Personal Information Exchange Syntax Standard
Specifies a portable format for saving or transporting a user's private keys, certificates, and other secret information.

Personal Security Environment
The PSE is a personal security area that every user requires in order to work with the system. A PSE contains security-related information, including the certificate and its private key. The PSE can be either an encrypted file or a smart card and is protected with a password.

PIN
See Personal Identification Number.

Privacy-Enhanced Mail (PEM)
The first known use of Base 64 encoding for electronic data transfer was the Privacy-Enhanced Electronic Mail (PEM) protocol, proposed by RFC 989 in 1987. PEM defines a printable encoding scheme that uses Base 64 encoding to transform an arbitrary sequence of octets to a format that can be expressed in short lines of 7-bit characters, as required by transfer protocols such as SMTP. The current version of PEM (specified in RFC 1421) uses a 64-character alphabet consisting of upper-case and lower-case Roman alphabet characters (A-Z, a-z), the numerals (0-9), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code. The original specification additionally used the "*" symbol to delimit encoded but unencrypted data within the output stream.
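The Base64 and PEM entries above describe the three-byte-to-four-character mapping, the 64-character alphabet and the "=" suffix code. The following Python is an added example written for this glossary, not code from the SAP guide or the Secure Login product; it implements that mapping from scratch, rejects malformed input on decoding, and cross-checks the encoder against the standard library.

```python
# Added example for this glossary (not SAP code): a from-scratch Base64
# encoder/decoder over the RFC 1421 alphabet. Every 3 input bytes (24 bits)
# become 4 six-bit characters; "=" pads a short final group (33% expansion).
import base64  # standard library, used only to cross-check the encoder

ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")
DECODE = {c: i for i, c in enumerate(ALPHABET)}


def b64_encode(data: bytes) -> str:
    """Encode bytes; each 3-byte group maps to 4 characters, padded with '='."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                 # 0, 1 or 2 missing input bytes
        n = int.from_bytes(chunk + b"\x00" * pad, "big")
        chars = [ALPHABET[(n >> s) & 0x3F] for s in (18, 12, 6, 0)]
        # each missing input byte drops one output character, replaced by "="
        out.append("".join(chars[:4 - pad]) + "=" * pad)
    return "".join(out)


def b64_decode(text: str) -> bytes:
    """Reverse the mapping; reject bad lengths, stray padding or foreign chars."""
    if len(text) % 4:
        raise ValueError("Base64 input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = group.count("=")
        if pad > 2 or group[4 - pad:] != "=" * pad:
            raise ValueError("invalid '=' padding in group %r" % group)
        n = 0
        for c in group[:4 - pad]:
            if c not in DECODE:
                raise ValueError("character %r is not in the Base64 alphabet" % c)
            n = (n << 6) | DECODE[c]
        n <<= 6 * pad                        # restore the 24-bit group width
        out += n.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def expansion_ratio(data: bytes) -> float:
    """Encoded length over raw length: about 4/3, i.e. the 33% overhead."""
    return len(b64_encode(data)) / len(data)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-written encoder against base64.b64encode."""
    return b64_encode(data) == base64.b64encode(data).decode("ascii")
```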

Public FSD
Public file system device. An external storage device that uses the same file system as the operating system.


Public Key Cryptography Standards
A collection of standards published by RSA Security Inc. for the secure exchange of information over the Internet.

Public Key Infrastructure
Comprises the hardware, software, people, guidelines, and methods that are involved in creating, administering, saving, distributing, and revoking certificates based on asymmetric cryptography. A PKI is often structured hierarchically. In X.509 PKI systems, the hierarchy of certificates is always a top-down tree, with a root certificate at the top, representing a CA that does not need to be authenticated by a trusted third party.

Root certification authority
The highest certification authority in a PKI. All users of the PKI must trust it. Its certificate is signed with its own private key. There can be any number of CAs between a user certificate and the root certification authority. To check foreign certificates, a user requires the certificate path as well as the root certificate.

Root certificate
The certificate of the root CA.

RSA
An asymmetric cryptographic procedure, developed by Rivest, Shamir, and Adleman in 1977. It is the most widely used algorithm for encryption and authentication and is used in many common browsers and mail tools. Security depends on the length of the key: key lengths of 1024 bits or higher are regarded as secure.

Secure Network Communications
A module in the SAP NetWeaver system that deals with the communication with external cryptographic libraries. The library is addressed using GSS API functions and provides NetWeaver components with access to the security functions.

Secure Sockets Layer
A protocol developed by Netscape Communications for setting up secure connections over insecure channels. Ensures the authorization of communication partners and the confidentiality, integrity, and authenticity of transferred data.

Single Sign-On
A system that administers authentication information, allowing a user to log on to systems and open programs without having to enter authentication data every time (automatic authentication).


Token
A security token (or sometimes a hardware token, authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens. Smart-Card-based USB tokens (which contain a smart card chip inside) provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device (smart card reader). From the point of view of the computer operating system, a token of this type is a USB-connected smart card reader with one non-removable smart card present. Tokens provide access to a private key that allows the user to perform cryptographic operations. The private key can be persistent (like a PSE file, smart card, and CAPI container) or non-persistent (like temporary keys provided by Secure Login).

Windows Credentials
A unique set of information authorizing the user to access the Microsoft Windows operating system on a computer. The credentials usually comprise a user name, a password, and a domain name (optional).

X.500
A standardized format for a tree-structured directory service.

X.509
A standardized format for certificates and revocation lists.
