SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com
Copyright 2011 SAP AG. All rights reserved.
Typographic Conventions

Type Style / Description:
- Example text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options.
- Example text: Cross-references to other documentation.
- Example text: Emphasized words or phrases in body text, graphic titles, and table titles.
- EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
- Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
- Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
- <Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
- EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon / Meaning:
- Caution
- Example
- Note
- Recommendation
- Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help > General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Contents

1 What is Secure Login? 7
1.1 System Overview 8
1.2 Main System Components 9
1.3 Authentication Methods 9
1.4 Workflow with X.509 Certificate 10
1.5 Workflow with Kerberos Token 11
1.6 Workflow with X.509 Certificate Request 12
6 Troubleshooting 49
6.1 Error in SNC 49
6.2 User Name Not Found 50
6.3 Invalid Security Token 50
6.4 Wrong SNC Library Configured 51
06/2011
[Figure: system overview. Elements shown: Windows Domain (Active Directory Server), RADIUS server, LDAP server, SAP NetWeaver server, smart card authentication]
If a PKI has already been set up, the digital user certificates of the PKI can also be used by Secure Login. Secure Login also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) with SSL.
- Secure Login Server: Central service that provides X.509v3 certificates (out-of-the-box PKI) to users and application servers. The Secure Login Web Client is an additional function.
- Secure Login Library: Cryptographic library for an SAP NetWeaver ABAP system. The Secure Login Library supports both X.509 and Kerberos technology.
- Secure Login Client: Client application that provides security tokens (Kerberos and X.509 technology) for a variety of applications.
You do not need to install all of the components. This depends on your use case scenario. For more information about Secure Login Server and Secure Login Library, see Installation, Configuration and Administration Guide.
The Secure Login Client is integrated with SAP software to provide single sign-on capability and enhanced security. Secure Login Client can be used with Kerberos technology, an existing public key infrastructure (PKI), or together with the Secure Login Server for certificate-based authentication without having to set up a PKI. The Secure Login Client can use the following authentication methods:
- Smart cards and USB tokens with an existing PKI certificate: Secure Login Server and authentication server are not necessary.
- Microsoft Crypto Store with an existing PKI certificate: Secure Login Server and authentication server are not necessary.
- Microsoft Windows Credentials: The Microsoft Windows Domain credentials (Kerberos token) can be used for authentication. The Microsoft Windows credentials can also be used to receive a user X.509 certificate with the Secure Login Server.
- User name and password (several authentication mechanisms): The Secure Login Client prompts you for your user name and password and authenticates with these credentials using the Secure Login Server in order to receive a user X.509 certificate.
All of these authentication methods can be used in parallel. A policy server provides authentication profiles that specify how to log on to the desired SAP system.
[Figure: Secure Login System Environment with existing PKI and Kerberos. Elements shown: PKI Infrastructure, Smart Card, USB Token, Microsoft Crypto Store, Security Token]
The Secure Login Client is responsible for the certificate-based and Kerberos-based authentication to the SAP application server.
- Smart card and USB tokens with an existing PKI certificate
- Microsoft Crypto Store (Certificate Store)
In SNC the Secure Login Client can perform authentication with encryption and digital signing certificates. The Secure Login Client supports RSA and DSA keys.
Authentication with Kerberos tokens
For more information about the authentication with a Kerberos token, see 1.5 Workflow with Kerberos Token.
[Figure: Principal Workflow for X.509 Certificate Authentication. Elements shown: PKI Infrastructure (Smart Card, USB Token, Microsoft Crypto Store), Security Token, SAP NetWeaver Platform with Secure Login Library; labelled steps: 1 Start connection and get SNC name, 5 Client provides certificate to SAP GUI application, 6 Authentication and secure communication]
1. When the connection starts, the Secure Login Client retrieves the SNC name from the desired SAP server system.
2. The Secure Login Client uses the authentication profile for this SNC name.
3. The user unlocks the security token by entering the PIN or password.
4. The Secure Login Client receives the X.509 certificate from the user security token.
5. The Secure Login Client provides the X.509 certificate for SAP single sign-on and secure communication between SAP client and SAP server.
6. The user is authenticated and the communication is secured.
Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. The Microsoft Crypto API has a plug-in mechanism for third-party cryptoengines. The Crypto Service Provider (CSP) of SAP is a plug-in of this type. It provides the user keys to all CAPI-enabled applications.
Figure: Principal Workflow for Kerberos Authentication
1. When the connection starts, the Secure Login Client retrieves the SNC name (Service Principal Name) from the desired SAP server system.
2. At the Ticket Granting Service the Secure Login Client starts a request for a Kerberos Service Token.
3. The Secure Login Client receives the Kerberos Service Token.
4. The Secure Login Client provides the Kerberos Service Token for SAP single sign-on and secure communication between SAP client and SAP server.
5. The user is authenticated and the communication is secured.
Figure: Principal Workflow
1. When the connection starts, the Secure Login Client gets the SNC name from the desired SAP server system.
2. Secure Login Client uses the client policy for this SNC name.
3. Secure Login Client receives the user login credentials.
4. Secure Login Client generates a certificate request.
5. Secure Login Client sends the user credentials and the certification request to the Secure Login Server.
6. Secure Login Server forwards the user credentials to the authentication server and receives an answer that indicates whether the user credentials are valid.
7. If the user credentials are valid, the Secure Login Server generates a user certificate (certificate reply) and sends it to the Secure Login Client.
8. Secure Login Client provides the certificate to SAP GUI.
9. The user certificate is used to perform authentication, single sign-on, and secure communication between SAP client and server.
2.1 Prerequisites
This section deals with the prerequisites and requirements for the installation of Secure Login Client. An installation of the Secure Login Client in a Citrix XenApp environment does not require any special steps or settings. You can download the SAP NetWeaver Single Sign-On software from the SAP Service Marketplace. Go to https://service.sap.com/swdc and choose Support Package and Patches > Browse our Download Catalog > SAP NetWeaver and complementary products > SAP NetWeaver Single Sign-On > SAP NetWeaver Single Sign-On 1.0 > Comprised Software Component Versions > Secure Login Client 1.0 (32-bit or 64-bit).
Hardware Requirements

Secure Login Client / Details:
- Hard disk space: 20 MB hard disk space
- Random access memory: Min. 256 MB RAM
- Smart card reader: Any PC/SC smart card reader can be used

Software Requirements

Secure Login Client / Details:
- Operating systems: Microsoft Windows 7 64-bit; Microsoft Windows 7 32-bit; Microsoft Windows Vista 64-bit; Microsoft Windows Vista 32-bit; Microsoft Windows XP 32-bit; Microsoft Windows Server 2008 R2 64-bit; Microsoft Windows Server 2008 64-bit; Microsoft Windows Server 2003 64-bit
- Citrix support: Microsoft Windows Server 2003 x64 / Citrix XenApp 5; Microsoft Windows Server 2008 R2 x64 / Citrix XenApp 6
- SAP GUI for Windows 7.10 and higher; SAP GUI for JAVA 7.10 and higher
- For smart card support the relevant smart card middleware needs to be installed. For more information, contact your vendor. Secure Login Client supports smart cards through the Microsoft Crypto API (CSP) or PKCS#11 interface.
If you are using Microsoft Windows Server 2003 64-bit, refer to the Microsoft Knowledge Base article KB960077 (http://support.microsoft.com/kb/960077).
2.2 Installation
This section explains how to install Secure Login Client. The installation is performed using the MSI Installer. If a smart card is to be used in Secure Login Client, install the smart card reader and smart card middleware software. For more information, contact the vendor.
Start Installation

Use the appropriate MSI Installer for your operating system.

Secure Login Client Software Package Type / File Name:
- Microsoft Windows 32Bit: SecureLoginClientx86.msi
- Microsoft Windows 64Bit: SecureLoginClientx64.msi
Administrative rights are required to install the Secure Login Client software.
To continue, choose the Next button. To install all components, choose the Complete option. To define the installation components, choose the Custom option. To continue, choose the Next button. If you choose the Custom option, the following features appear.
Feature / Value:
- Secure Login Client Components: This feature installs the basic components of Secure Login Client. This feature is mandatory.
- Options: Start during Microsoft Windows login: Options for an installation under Citrix XenApp. See Secure Login Client for Citrix XenApp.
- Crypto & Certificate Store Providers
- Policy Download Agent
- Secure Login Server Support: This feature installs authentication support with Secure Login Server. Based on the provided user credentials, the Secure Login Server provides user certificates to the Secure Login Client.
- This feature installs the Kerberos authentication support.
- This feature installs smart card authentication support.
- Logging Service: This feature installs the trace and logging option. We recommend that you install this option only for problem analysis.
To continue, choose the Install button. To complete the installation, choose the Finish button.
Feature / Value:
- Base_Components
- SAP_SecureLogin_base*: Basic components of Secure Login Client. *This option is mandatory and cannot be changed.
- SAP_SecureLogin_sbus*: Secure Login Client service. *This option is mandatory and cannot be changed.
- SAP_SecureLogin_i18n: International language files support. Standard feature.
- SAP_SecureLogin_pki*: X.509 cryptographic support. *This option is mandatory and cannot be changed.
- SAP_Security / SAP_SecureLogin_sap_gss*: SAP Secure Network Communication (SNC) support. *This option is mandatory and cannot be changed.
- SAP_Security / SAP_SecureLogin_sap_ssf: SAP Secure Store and Forward (SSF) support. Standard feature.
- SAP_SecureLogin_capi: Support for Microsoft Crypto API token plug-in. Use existing certificates in Secure Login Client. Standard feature.
- SAP_SecureLogin_csp*, SAP_SecureLogin_store*: Cryptographic service provider plug-in for the Microsoft Crypto API. Secure Login Client provides certificates to the Microsoft Crypto API. *These options are mandatory and cannot be changed.
- SAP_SecureLogin_securelogin: Component to interact with Secure Login Server.
- SAP_SecureLogin_kerberos_token: Kerberos support.
- SAP_SecureLogin_smartcard: Smart card support.
- SAP_SecureLogin_notify: Trace and logging option. We recommend that you install this option only for problem analysis.
Example 2

This example shows you how to install the Secure Login Client software without the logging service and Secure Login Server support.

    msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify,SAP_SecureLogin_securelogin

Example 3

This example shows you how to install the Secure Login Client software without the logging service, Secure Login Server support, and Kerberos support.

    msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify,SAP_SecureLogin_securelogin,SAP_SecureLogin_kerberos_token

Example 4

This example shows you how to install the Secure Login Client software without the logging service, Secure Login Server support, and smart card support.

    msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify,SAP_SecureLogin_securelogin,SAP_SecureLogin_smartcard

Example 5

This example shows you how to uninstall the Secure Login Client software.

    msiexec /qb /x "SecureLoginClientx86.msi"
Parameter / Description:
- PolicyURL: Network resource (Secure Login Server) from which the most recent Secure Login Client policy can be downloaded. The following types of client policies are available:
  - ClientPolicy.xml: Client Policy defined in the default instance of the Secure Login Server.
  - ClientPolicy.xml&path=000xx: Client Policy defined in instance xx (instance number) of the Secure Login Server.
  - GlobalClientPolicy.xml: Global Client Policy that includes all available instances of the Secure Login Server.
  For more information, see the Secure Login Server Installation, Configuration and Administration Guide.
- PolicyTTL: Lifetime in minutes after which the Secure Login Client checks the Secure Login Server for an updated client policy. Default is 0 minutes. By default, the Secure Login Client checks for a new client policy during system start of the client PC.
- NetworkTimeout: Network timeout in seconds before the connection is closed if the Secure Login Server does not respond. Default is 45 seconds (hex value: 2d).
- DisableUpdatePolicyOnStartup: By default the Secure Login Client looks for a new client policy during the system startup of the client PC. You can use this parameter to disable this feature. 1: Disable automatic policy download. 0: Enable automatic policy download. Default value is 0.
For more information about registry configuration options, see section 4.3 Registry Configuration Options. For more information about registry settings, provided by Secure Login Server, see Installation, Configuration and Administration Guide for Secure Login Server.
2.6 Uninstallation
Use the appropriate MSI file for your operating system. You can also use the Software Management Tool in Microsoft Windows.

Secure Login Client Software Package Type / File Name:
- Microsoft Windows 32-Bit: SecureLoginClientx86.msi
- Microsoft Windows 64-Bit: SecureLoginClientx64.msi
Administration rights are required to uninstall the Secure Login Client software. If you want to use the software management tool in Microsoft Windows, choose Control Panel > Uninstall a Program, right-click Secure Login Client, and choose the Uninstall option from the context menu. Another option is to start the Secure Login Client MSI software package. To continue, choose the Next button.
Select the Remove option and choose the Next button to continue.
You can remove the Secure Login Client software in unattended mode using the MSI options described in section 2.3 Unattended Installation.
To open the Secure Login Client Console, click this icon. In this example, no Kerberos token is available, because this user is not authenticated in the Microsoft domain.
Kerberos Token
If the user is authenticated in the Microsoft domain, the Kerberos token is displayed.
You can switch users in the Microsoft domain. Right-click the Kerberos profile and choose the Log In option.
Client profiles from Secure Login Server are available only if the option Secure Login Server Support is installed and if the Client Policy URL (registry value) is defined. For more information about the Client Policy URL, see section 2.4 Custom Installation.
Certificates requested using Secure Login Server and available in the Secure Login Client Console are provided to the Microsoft Certificate Store (for example, to use when logging on to SAP Enterprise Portal).
Caution There may be problems if the Internet Explorer tries to execute an SSL client authentication. Of course, this also applies to a logon with the SAP NetWeaver Business Client. For more information, see SAP Note 1658181.
If you choose this option, the position of the icon changes and this profile is used for SAP GUI. For example, if you need to switch the profiles manually, this can be done using this feature. You can inactivate this menu item in the client policy provided by the Secure Login Server.
Log Console
If the option Logging Service was installed, the Log Console is available in the Secure Login Client Console. The log console (Secure Login Client Notification Viewer) is a support analysis tool that displays advanced information about the Secure Login and Enterprise Single Sign-On actions. The information is constantly updated (live).
We recommend that you use this installation option only for problem analysis to help support teams with troubleshooting.
Open the console as follows: 1. Choose the menu entry View > Log Console in the Secure Login dialog. The Live Trace pane is displayed:
2. The Live Trace pane automatically scrolls down whenever a component performs a task and the task details are captured by the log console.

Menu File:
- Open: Opens trace files (*.xml) that contain trace messages previously exported (cut) from the Live Trace pane.
- Explore Trace Files: Use this option to open the folder on the local drive that contains the trace (*.xml) files.
- Save as: Saves the current trace list as an XML file.
- Close: Closes the current pane open in the log console.
- Exit: Exits the log console.
Menu View:
- Live Trace: Opens the Live Trace pane to display the log messages.
- Live Trace Copy: The live trace messages file is duplicated into a new, static XML file. The path of the file is visible in the title bar of the viewer.
- Live Trace Cut: Cuts the message information from the current live trace message feed, effectively clearing the Live Trace pane. The cut messages are automatically saved to an XML file and opened in a new pane in the log console window. The path of the file is visible in the title bar of the viewer.
Menu Tools:
- Options: Opens the Options dialog for the logging service (sbustrace.exe) component:
You can specify the following options in this dialog:
- Service: These options allow you to install or remove the logging service component from Microsoft Windows, and to start/stop the service if it is installed (options not currently available are grayed out). The current state of the service is displayed in the fields above the respective buttons.
- Live-Trace (Caution: this option is for advanced users only): This option enables you to filter the messages when you click View and Live Trace Copy. You can do this by cutting and pasting an XML fragment into the field.
- TraceLevel: Use this option to define the granularity of the live trace messages.
- Log Rotate: Use this option to define the maximum size for a log file before it is archived and a new log file is started.
- Filter: Use this option to filter trace messages. The filter must be manually defined with the help of the support team.
Click OK to set any changes and close the window.

Menu Window:
- Tile Horizontally: Sorts any open panes so that they are displayed equally/horizontally across the log viewer window.
- Tile Vertically: Sorts any open panes so that they are displayed equally/vertically across the log viewer window.
- Cascade: Sorts the open panes so that they are displayed in a stack.
The column headers, which are located at the top of the Live Trace pane, are defined as follows:
- Details: This defines the message type. A yellow warning sign means that something may be wrong and needs to be checked. A red error icon means that the task could not be performed. A blue information icon refers to a successful task or informational message.
- The time the task was performed.
- Process ID
- Thread ID
- The component that performed the task
- The application module from which the task originated
- Information about the task performed
Version Information
Choose the SAP icon in Secure Login Console or right-click the system tray icon and choose the About Secure Login option. The version information is displayed.
4 Configuration Options
This section describes how to enable SNC in SAP GUI and how to define the user mapping in SAP user management.
p:CN=SAP/KerberosABC@DEMO.LOCAL
The SNC name is provided by your SAP NetWeaver administrator. For more information about how to install the SNC library on the SAP NetWeaver application server, see the Secure Login Library Installation, Configuration, and Administration Guides. Note that the definition of the SNC name is case-sensitive.
The SNC name is provided by your SAP NetWeaver administrator. For more information about how to install the SNC library on the SAP NetWeaver application server, see the Secure Login Library Installation, Configuration, and Administration Guides. Note that the definition of the SNC Name is case-sensitive.
Manual Configuration
Start the user management tool by calling transaction SU01. Choose the SNC tab. If you are using Kerberos authentication, enter the Kerberos user name in the SNC name field. If you are using X.509 certificate-based authentication, enter the X.509 certificate Distinguished Name in the SNC name field. Note that the definition of the SNC name is case-sensitive.
Kerberos Example
In this example, the SNC name p:CN=MICROSOFTUSER@DEMO.LOCAL belongs to the user SAPUSER.
For more information about how to perform user mapping, see the Secure Login Library Installation, Configuration and Administration Guide.
With this tool you can choose all SAP Users *, a list of SAP users or SAP user groups. You can use the option Users without SNC names only to overwrite SNC names. This batch tool takes an SAP user and uses the components <previous_character_string><SAP_user_name><next_character_string> to build the SNC name.
Kerberos Example
In this example SNC names are generated with the following string for all users without an SNC name:
p:CN=SAP/<user_name>@DEMO.LOCAL
Common Settings
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common]

Parameter / Type / Description:
- Locale (STRING): Language setting for Secure Login Client. The language is usually automatically recognized. Use this parameter for customizing. Possible values are: en_US (English), de_DE (German), fr_FR (French), ja_JP (Japanese), pt_BR (Portuguese), ru_RU (Russian), zh_CN (Chinese).
- HideTrayIcon (DWORD): Use this option to remove the Secure Login Client tray icon. To display the tray icon, set the value 0. To hide the tray icon, set the value 1. The default setting is that the tray icon is displayed.
- TrustDB (STRING): Use this option to define where Secure Login Client searches for trusted root certificates. The following values are possible: capi (default): get trust from the Microsoft Certificate Store; token: use root certificates on tokens; a third option gets trust from files (.crt, .p7c) in a single directory.
- ResourcePath (STRING): Use this option to specify an alternate location for the language files (.res). Default value is <install_path>/etc.
PCSC Settings
The options in this section allow you to select which PCSC smart card readers are used or ignored. You can specify multiple patterns by separating them with , or ; and the wildcards * and ? are allowed.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\pcsc]

Parameter / Type / Description:
- IgnoredReadersPattern (STRING): Use this option to disable some PCSC smart card readers. The default value is <empty> (do not disable any PCSC smart card reader).
- AllowedReadersPattern (STRING): Use this option to use only some specified PCSC smart card readers. This option is evaluated after IgnoredReadersPattern. The default value is * (use every PCSC smart card reader). Important: If you use an empty string (), all readers are used (same as *).
CAPI Settings

The options in this section select which certificates from third-party CSPs may be used. All Distinguished Name filters match when the DN contains the configured string.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\capi]

CAPIProviderFilter (STRING)
  Use only certificates provided by CSPs whose name begins with this string. Example: Microsoft (use only certificates provided by CSPs from Microsoft).

CAPIFilterValidOnly (DWORD)
  Use only certificates that are currently valid, that is, issued in the past and not yet expired. This checks the validity period only; it does not check revocation.

CAPIFilterIssuerDN (STRING)
  Use only certificates whose issuer Distinguished Name contains this string. Example: CN=My Companies CA

CAPIFilterSubjectDN (STRING)
  Use only certificates whose subject Distinguished Name contains this string. Example: O=My Org Unit

CAPIFilterExcludeIssuerDN (STRING)
  Do not use certificates whose issuer Distinguished Name contains this string. Example: CN=Test CA

CAPIFilterExcludeSubjectDN (STRING)
  Do not use certificates whose subject Distinguished Name contains this string. Example: O=Testing only

CAPIFilterKeyUsage (STRING)
  Use only certificates with a specific key usage. The value may contain several of the following entries:
    +KEYUSAGE  Use only certificates that have the specified key usage.
    -KEYUSAGE  Do not use certificates that have the specified key usage.
  KEYUSAGE is one of:
    dataEncipherment  Data encipherment key usage
    digitalSignature  Digital signature key usage
    keyAgreement      Key agreement key usage
    keyEncipherment   Key encipherment key usage
    nonRepudiation    Non-repudiation key usage
    cRLSign           CRL signature key usage

CAPIFilterExtendedKeyUsage (STRING)
  Use only certificates with a specific extended key usage. The syntax is the same as for CAPIFilterKeyUsage:
    +EXTKEYUSAGE  Use only certificates that have the specified extended key usage.
    -EXTKEYUSAGE  Do not use certificates that have the specified extended key usage.
  EXTKEYUSAGE is one of:
    ServerAuthentication (1.3.6.1.5.5.7.3.1)
    ClientAuthentication (1.3.6.1.5.5.7.3.2)
    CodeSigning (1.3.6.1.5.5.7.3.3)
    EmailProtection (1.3.6.1.5.5.7.3.4)
    IpsecEndSystem (1.3.6.1.5.5.7.3.5)
    IpsecTunnel (1.3.6.1.5.5.7.3.6)
    IpsecUser (1.3.6.1.5.5.7.3.7)
    TimestampSigning (1.3.6.1.5.5.7.3.8)
    OcspSigning (1.3.6.1.5.5.7.3.9)
    MicrosoftEfs (1.3.6.1.4.1.311.10.3.4)
    MicrosoftEfsRecovery (1.3.6.1.4.1.311.10.3.4.1)
    MicrosoftKeyRecovery (1.3.6.1.4.1.311.10.3.11)
    MicrosoftDocumentSigning (1.3.6.1.4.1.311.10.3.12)
    MicrosoftSmartcardLogon (1.3.6.1.4.1.311.20.2.2)
For more information about registry settings provided by Secure Login Server, see the Installation, Configuration and Administration Guide for Secure Login Server.
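The following PowerShell script is an added example and is not part of the SAP guide. It writes a restrictive CAPI filter policy under the registry keys documented above and then previews which certificates in the user's personal store satisfy the same rules, so an administrator can see the effect of a filter before rolling it out. The registry paths and value names are the documented ones; the issuer names, the CSP prefix, and the use of 1 to enable CAPIFilterValidOnly are assumptions made for this example.

```powershell
# Added example (not from the SAP guide): write a restrictive CAPI filter policy for
# Secure Login Client and preview which certificates in the user's personal store
# satisfy the same rules. Registry paths and value names are the ones documented
# above; the issuer names, the CSP prefix and the value 1 for CAPIFilterValidOnly
# are assumptions for this example. Writing below HKLM\SOFTWARE\Policies needs an
# elevated shell.
$policyKey = 'HKLM:\SOFTWARE\Policies\SAP\SecureLogin\common'
$capiKey   = "$policyKey\capi"

$filter = [ordered]@{
    CAPIProviderFilter         = 'Microsoft'              # CSP name must begin with this
    CAPIFilterValidOnly        = 1                        # assumed: 1 enables the check
    CAPIFilterIssuerDN         = 'CN=Corp Issuing CA'     # assumed corporate CA ("contains" match)
    CAPIFilterExcludeIssuerDN  = 'CN=Test CA'             # never accept the test CA
    CAPIFilterKeyUsage         = '+digitalSignature'
    CAPIFilterExtendedKeyUsage = '+ClientAuthentication'  # OID 1.3.6.1.5.5.7.3.2
}

function Set-SlcCapiPolicy {
    New-Item -Path $capiKey -Force | Out-Null
    # TrustDB=capi is the documented default; writing it pins trust to the Windows store.
    New-ItemProperty -Path $policyKey -Name TrustDB -PropertyType String -Value 'capi' -Force | Out-Null
    foreach ($name in $filter.Keys) {
        $type = if ($filter[$name] -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $capiKey -Name $name -PropertyType $type -Value $filter[$name] -Force | Out-Null
    }
}

function Test-KeyUsage {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$Flag)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1
    if (-not $ext) { return $false }        # no KU extension: the usage is not asserted
    return (($ext.KeyUsages -band $Flag) -eq $Flag)
}

function Test-ExtendedKeyUsage {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if (-not $ext) { return $false }
    return [bool]($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid })
}

function Get-SlcCandidateCertificate {
    # Applies the same rules to Cert:\CurrentUser\My. Secure Login Client does its own
    # matching inside the CSP, so treat this as a preview. CAPIProviderFilter is not
    # mirrored here. Validity is the period only: CAPIFilterValidOnly does not check revocation.
    $now = Get-Date
    Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
        $_.Issuer -like "*$($filter.CAPIFilterIssuerDN)*" -and
        $_.Issuer -notlike "*$($filter.CAPIFilterExcludeIssuerDN)*" -and
        (Test-KeyUsage -Cert $_ -Flag DigitalSignature) -and
        (Test-ExtendedKeyUsage -Cert $_ -Oid '1.3.6.1.5.5.7.3.2')
    } | Select-Object Subject, Issuer, NotAfter, Thumbprint
}

Set-SlcCapiPolicy
Get-SlcCandidateCertificate | Format-Table -AutoSize
```

The preview uses -like, which is case-insensitive, for the "contains" matching; whether Secure Login Client compares DNs case-sensitively is not stated in this guide, so a certificate that appears in the preview only because of letter case should be checked in the Secure Login Client Console. The exclude filter for the test CA is the setting most worth keeping: without it, a certificate issued by a test CA that happens to satisfy the other rules is accepted for SNC logon.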
If required, install the smart card reader hardware and its PC/SC driver. The reader is usually recognized automatically by the operating system. Install the smart card middleware, which must support the smart card you intend to use. Some smart card vendors provide their own middleware; there are also middleware vendors whose products support several kinds of smart cards.
PIN management is handled by the middleware software. A typical situation is a user logging on to a Microsoft operating system using the smart card. This user needs to re-enter the PIN in the browser or in SAP GUI. Whether the user is able to do this depends on the smart card middleware, which might close the smart card after the logon to Microsoft Windows. For more information, contact your smart card middleware vendor.
Case 2: Use Secure Login Client Profile provided by Secure Login Server
In the ID field, enter the distinguished name of the user certificate. Example: CN=Username, OU=SAP Security. In the SSF Profile field, enter the Secure Login Client profile configuration. Example: toksw:mem://securelogin/<profile_name>
<profile_name> is the profile name defined in Secure Login Server; in this example it is SSF. In the Input data parameter, enter the file to be signed. In the Output data parameter, enter the path and file name for the signed file.
Execute the program and choose Sign. The system prompts you for a password, which is not required; choose the green OK button.
Parameter descriptions

ID
  The Distinguished Name of the user certificate. Example: CN=Username, OU=SAP Security

Additional Distinguished Name
  An additional Distinguished Name of the user certificate.

SSF Profile
  The Secure Login Client profile. Three options are available:
    Use Secure Login Client Profile: the certificate used for SSF is selected by the Secure Login Client profile name. Example: toksw:mem://securelogin/<profile_name>
    Use Secure Login Client Profile and Re-authentication: the [reauth] prefix means that the user must authenticate to the Secure Login Client profile again before a certificate is provided. Example: [reauth]toksw:mem://securelogin/<profile_name>
    <empty>: if no SSF profile is defined, the SSF ID is used to search for the certificate in Secure Login Client.

Destination
  The RFC destination (logical destination) in which the SSF RFC server program is defined. Enter the value SAP_SSFATGUI (SSF for digital signatures on the front ends).
Use Case
The customer wants to run Secure Login Client in a Citrix XenApp environment.
rem register CSP, remove the next two lines if no CSP/CAPI support is required
regsvr32.exe /s "%ProgramFiles(x86)%\SAP\FrontEnd\SecureLogin\lib\sbussto.dll"
regsvr32.exe /s "%ProgramFiles%\SAP\FrontEnd\SecureLogin\lib\sbussto.dll"

4. Add the script to the Windows registry so that Secure Login Client starts automatically when a user logs on. Open the registry editor and go to the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
5. Open the value AppSetup and append the reference to the file usrlogon_slc.cmd to the existing data, using a comma as separator (without any space). Example: Registry value name: AppSetup. Registry value: ctxhide.exe usrlogon.cmd,cmstart.exe,usrlogon_slc.cmd. You must keep the sequence shown in the example: at logon the system runs the entries in this order, one after the other.
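The following PowerShell script is an added example, not part of the SAP guide or of the Citrix tooling. It performs step 5 without hand-editing: it appends usrlogon_slc.cmd to the AppSetup value exactly once, preserves the order of the entries already there, and warns if the script file is not where Winlogon will look for it. The value name and path are the documented ones; the assumption that the script lives in %SystemRoot%\System32 (next to usrlogon.cmd) is the author's, since the earlier steps that copy the file are not reproduced on this page.

```powershell
# Added example (not from the SAP guide): append usrlogon_slc.cmd to the Winlogon
# AppSetup value idempotently, keeping the existing entries in their order.
# Key and value name come from steps 4 and 5 above. The %SystemRoot%\System32
# location of the script is an assumption. Run in an elevated shell.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$entry = 'usrlogon_slc.cmd'

function Add-AppSetupEntry {
    param([AllowEmptyString()][string]$Current, [string]$Entry)
    # AppSetup is a comma-separated list without spaces; Winlogon runs the entries
    # in the order listed, so a new entry is always appended, never inserted.
    $parts = @($Current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($parts -contains $Entry) { return ($parts -join ',') }   # already present: unchanged
    return (($parts + $Entry) -join ',')
}

$current = [string](Get-ItemProperty -Path $key -Name AppSetup -ErrorAction SilentlyContinue).AppSetup
$new     = Add-AppSetupEntry -Current $current -Entry $entry

# The script must exist where Winlogon resolves AppSetup commands (assumed: System32),
# and it must not be writable by ordinary users, because every session runs it.
$script = Join-Path $env:SystemRoot "System32\$entry"
if (-not (Test-Path -LiteralPath $script)) {
    Write-Warning "$script not found; AppSetup will try to run it at every logon and fail"
}

if ($new -ne $current) {
    Set-ItemProperty -Path $key -Name AppSetup -Value $new -Type String
    Write-Host "AppSetup is now: $new"
} else {
    Write-Host "AppSetup already contains ${entry}: $current"
}
```

Running the script twice leaves the value unchanged, and an existing entry such as "ctxhide.exe usrlogon.cmd" keeps its internal space because only the comma-separated items are trimmed. Because AppSetup runs in every terminal session, check the ACL of usrlogon_slc.cmd after deployment: a file that non-administrators can modify would execute their changes in every user's session.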
6 Troubleshooting
This section describes some troubleshooting issues and how to solve them. If you need to contact SAP support, provide the Secure Login Client trace information described in section 3 (Secure Login Client Console, Log Console).
Error Message
Miscellaneous failure. Error in SNC.
Checklist
If you are using a Kerberos token:
  Verify that the user is logged on to the Microsoft domain.
  Verify that the Kerberos token is displayed in the Secure Login Client Console.
If you are using an X.509 certificate:
  Verify that the X.509 certificate is displayed in the Secure Login Client Console.
In both cases:
  Verify that the security token (Kerberos or certificate) is actually used. If the desired profile is not used, try the option Use Profile for SAP Applications.
  Verify that SNC is enabled in SAP GUI for the desired SAP server.
  Verify that the SNC name of the desired SAP server is configured in SAP GUI (saplogon.ini) and that it is correct (Kerberos name or X.509 certificate name). The SNC name is case-sensitive.
  Verify that the environment variable SNC_LIB points to secgss.dll. Example: C:\Program Files\SAP\FrontEnd\SecureLogin\lib\secgss.dll
Error Message
No user exists with SNC name.
Checklist
If this message appears, the user mapping is not available or is not configured correctly. Compare the SNC name the token produces (the distinguished name of the user certificate for X.509, the Kerberos name for a Kerberos token) with the SNC name maintained for the user in SAP User Management (SU01). Note that the SNC name is case-sensitive.
There may also be another reason for this error. For more information, see SAP Note 1635019.
Error Message
SAP system message S.
Checklist
If the Secure Login Library is installed on the SAP ABAP server and used for SNC, enable the trace there and verify the results. For more information, see the Installation, Configuration and Administration Guide for Secure Login Library.
Use Case 2
The Secure Login Client requests a Kerberos service ticket from the domain controller.
Error Message
The system displays the following error message: Supplied credentials not accepted by the server. In the trace log of the Secure Login Client, you find the error code A2600202.
Checklist
If the Secure Login Client does not get a service ticket from the domain controller, check whether the Service Principal Name (SPN) used for the SAP server is registered on more than one account in Active Directory. The KDC cannot issue a ticket for an ambiguous SPN. To search for duplicate SPNs, enter the following command: setspn -X (current domain; add -F to search the whole forest, or -T <domain> to search a specific domain).
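The following PowerShell script is an added example and is not part of the SAP guide. It runs the client-side checks from the two checklists above ("Miscellaneous failure. Error in SNC." and "Supplied credentials not accepted by the server") in one pass: SNC_LIB must name an existing secgss.dll, the session must be a domain logon, the Kerberos ticket cache is listed, and setspn is used to search for duplicate SPNs. It uses only built-in Windows tools (klist.exe, setspn.exe); the output format of each check and the decision to treat a local-account logon as a failure are the author's choices.

```powershell
# Added example (not from the SAP guide): client-side pre-flight for the SNC and
# Kerberos checklists above. Uses only klist.exe and setspn.exe; nothing here
# changes the system. The wording of the results is the author's.
function Test-SncLib {
    # SAP GUI loads the library named in SNC_LIB; for Secure Login Client it must be secgss.dll.
    $lib = $env:SNC_LIB
    if (-not $lib) { return 'FAIL: SNC_LIB is not set' }
    $leaf = Split-Path -Path $lib -Leaf
    if ($leaf -ne 'secgss.dll') { return "FAIL: SNC_LIB names $leaf, expected secgss.dll" }
    if (-not (Test-Path -LiteralPath $lib)) { return "FAIL: $lib does not exist" }
    return "OK: SNC_LIB = $lib"
}

function Test-DomainLogon {
    # USERDNSDOMAIN is populated only for a domain account logon. A local account has no
    # Kerberos TGT, so Secure Login Client cannot obtain a Kerberos token for it.
    if ($env:USERDNSDOMAIN) { return "OK: domain logon to $env:USERDNSDOMAIN as $env:USERNAME" }
    return 'FAIL: not a domain logon (no Kerberos TGT available)'
}

function Get-KerberosServiceTicket {
    # klist lists the ticket cache of the current logon session. After one SNC logon
    # attempt the SAP server's SPN should appear on a "Server:" line; if only the
    # krbtgt entry is present, no service ticket was issued.
    (& klist.exe) | Where-Object { $_ -match '^\s*Server:' } | ForEach-Object { $_.Trim() }
}

function Find-DuplicateSpn {
    # Duplicate SPNs are what the checklist points at: the KDC cannot issue a ticket for
    # an SPN that resolves to more than one account. -X searches for duplicates, -F
    # across the forest. setspn.exe ships with the AD DS tools (RSAT), not with every client.
    if (-not (Get-Command setspn.exe -ErrorAction SilentlyContinue)) {
        return 'SKIP: setspn.exe not installed (part of the AD DS / RSAT tools)'
    }
    & setspn.exe -X -F
}

Test-SncLib
Test-DomainLogon
Get-KerberosServiceTicket
Find-DuplicateSpn
```

Run it in the user's own session, not an elevated one started under a different account: the ticket cache and SNC_LIB belong to the logon session that SAP GUI runs in, and a different session would report a different (and irrelevant) state.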
Error Message
Unable to load GSS-API DLL named sncgss32.dll.
Checklist
The wrong SNC library (in this example sncgss32.dll) is assigned to SAP GUI. Check the environment variable SNC_LIB: for Secure Login Client it must point to secgss.dll. Example: C:\Program Files\SAP\FrontEnd\SecureLogin\lib\secgss.dll
7 List of Abbreviations
ADS: Active Directory Service
CA: Certification Authority
CAPI: Microsoft Crypto API
CSP: Cryptographic Service Provider
DN: Distinguished Name
EAR: Enterprise Application Archive
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol with Secure Socket Layer (SSL)
IAS: Internet Authentication Service (Microsoft Windows Server 2003)
JAAS: Java Authentication and Authorization Service
JSPM: Java Support Package Manager
LDAP: Lightweight Directory Access Protocol
NPA: Network Policy and Access Services (Microsoft Windows Server 2008)
PIN: Personal Identification Number
PKCS: Public Key Cryptography Standards
PKCS#10: Certification Request Standard
PKCS#11: Cryptographic Token Interface Standard
PKCS#12: Personal Information Exchange Syntax Standard
PKI: Public Key Infrastructure
PSE: Personal Security Environment
RADIUS: Remote Authentication Dial In User Service
RFC: Remote function call (SAP NetWeaver term)
RSA: Rivest, Shamir and Adleman
SAR: SAP Archive
SCA: Software Component Archive
SLAC: Secure Login Administration Console
SLC: Secure Login Client
SLL: Secure Login Library
SLS: Secure Login Server
SLWC: Secure Login Web Client
SNC: Secure Network Communication (SAP term)
SSL: Secure Socket Layer
8 Glossary
Authentication
A process that checks whether the person who logs on really is the person corresponding to the respective user. In a multi-user or network system, authentication means the validation of a user's logon information: the user's name and password are compared against an authorized list.
Base64 encoding
Base64 encoding is a three-byte-to-four-character encoding based on an alphabet of 64 characters. It was introduced in PEM (RFC 1421) and MIME. Other uses include HTTP Basic Authentication headers and general binary-to-text encoding. Note: Base64 expands binary data by one third (four output characters for every three input bytes), which is efficient for a printable encoding.
CAPI
See Cryptographic Application Programming Interface
Certificate
A digital identity card. A certificate typically includes the following:
  The public key being signed.
  A name, which can refer to a person, a computer or an organization.
  A validity period.
  A location (URL) of a revocation center.
  A digital signature over the certificate, produced with the private key of the CA.
Certificate Store
Sets of security certificates belonging to user tokens or certification authorities.
CREDDIR
A directory on the server where information is placed that goes beyond the PSE (personal security environment).
Credentials
Used to establish the identity of a party in a communication. Usually they take the form of machine-readable cryptographic keys and/or passwords. Cryptographic credentials may be self-issued or issued by a trusted third party; in many cases the only reason for issuance is the unambiguous association of the credential with a specific, real individual or other entity. Cryptographic credentials are often designed to expire after a certain period, although this is not mandatory. Credentials have a defined time to live (TTL) that is configured by a policy and managed by a client service process.
Directory Service
Provides information in a structured format. Within a PKI: Contains information about the public key of the user of the security infrastructure, similar to a telephone book (for example: an X.500 or LDAP directory).
Key Usage
Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For instance, if a key is used only for signing, enable the digital signature and/or non-repudiation extensions. If a key is used only for key management, enable key encipherment.
PKCS#11
PKCS refers to a group of Public Key Cryptography Standards devised and published by RSA Security. PKCS#11 is an API defining a generic interface to cryptographic tokens.
PEM
See Privacy Enhanced Mail.
PIN
See Personal Identification Number.
Public FSD
Public file system device. An external storage device that uses the same file system as the operating system.
Root certificate
The certificate of the root CA.
RSA
An asymmetric cryptographic procedure developed by Rivest, Shamir, and Adleman in 1977. It is the most widely used algorithm for encryption and authentication and is built into most common browsers and mail tools. Security depends on the length of the key: at the time of this guide (2011) key lengths of 1024 bits or higher were regarded as secure; current guidance requires at least 2048 bits.
Single Sign-On
A system that manages authentication information so that a user can log on to systems and open programs without entering authentication data every time (automatic authentication).
Token
A security token (or sometimes a hardware token, authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens. Smart-Card-based USB tokens (which contain a smart card chip inside) provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device (smart card reader). From the point of view of the computer operating system, a token of this type is a USB-connected smart card reader with one non-removable smart card present. Tokens provide access to a private key that allows the user to perform cryptographic operations. The private key can be persistent (like a PSE file, smart card, and CAPI container) or non-persistent (like temporary keys provided by Secure Login).
Windows Credentials
A unique set of information authorizing the user to access the Microsoft Windows operating system on a computer. The credentials usually comprise a user name, a password, and a domain name (optional).
X.500
A standardized format for a tree-structured directory service.
X.509
A standardized format for certificates and certificate revocation lists.