Installation, Configuration, and Administration Guide SAP NetWeaver Single Sign-On SP2 Secure Login Client PUBLIC Document Version: 1.2 December 2011


Page 1: Installation Configuration and Administration Guide SAP NetWeaver Single Sign-On SP2 Secure Login Client

Installation, Configuration, and Administration Guide

SAP NetWeaver Single Sign-On SP2

Secure Login Client

PUBLIC

Document Version: 1.2 – December 2011


© Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

SAP AG
Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
T +49/18 05/34 34 24, F +49/18 05/34 34 20
www.sap.com

Terms for Included Open Source Software

This SAP software contains also the third party open source software products listed below. Please note that for these third party products the following special terms and conditions shall apply.

Windows Template Library (WTL) http://wtl.sourceforge.net

Microsoft Public License (MS-PL)

This license governs use of the accompanying software. If you use the software, you accept this license. If you do not accept the license, do not use the software.

1. Definitions

The terms "reproduce," "reproduction," "derivative works," and "distribution" have the same meaning here as under U.S. copyright law. A "contribution" is the original software or any additions or changes to the software. A "contributor" is any person that distributes its contribution under this license. "Licensed patents" are a contributor's patent claims that read directly on its contribution.

2. Grant of Rights

(A) Copyright Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free copyright license to reproduce its contribution, prepare derivative works of its contribution, and distribute its contribution or any derivative works that you create.

(B) Patent Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free license under its licensed patents to make, have made, use, sell, offer for sale, import, and/or otherwise dispose of its contribution in the software or derivative works of the contribution in the software.

3. Conditions and Limitations

(A) No Trademark License- This license does not grant you rights to use any contributors' name, logo, or trademarks.

(B) If you bring a patent claim against any contributor over patents that you claim are infringed by the software, your patent license from such contributor to the software ends automatically.

(C) If you distribute any portion of the software, you must retain all copyright, patent, trademark, and attribution notices that are present in the software.

(D) If you distribute any portion of the software in source code form, you may do so only under this license by including a complete copy of this license with your distribution. If you distribute any portion of the software in compiled or object code form, you may only do so under a license that complies with this license.

(E) The software is licensed "as-is." You bear the risk of using it. The contributors give no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this license cannot change. To the extent permitted under your local laws, the contributors exclude the implied warranties of merchantability, fitness for a particular purpose and non-infringement.

zlib http://www.zlib.net

zlib.h -- interface of the 'zlib' general purpose compression library, version 1.2.5, April 19th, 2010

Copyright (C) 1995-2010 Jean-loup Gailly and Mark Adler

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

Jean-Loup Gailly
Mark Adler

Typographic Conventions

  Type Style        Description
  Example Text      Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options.
                    Cross-references to other documentation
  Example text      Emphasized words or phrases in body text, graphic titles, and table titles
  EXAMPLE TEXT      Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
  Example text      Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
  Example text      Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
  <Example text>    Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
  EXAMPLE TEXT      Keys on the keyboard, for example, F2 or ENTER.

Icons

  Icon    Meaning
          Caution
          Example
          Note
          Recommendation
          Syntax

(The icon images themselves are not reproduced in this text version.)

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help > General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.


Installation Guide: Secure Login Client

6 06/2011

Contents

1 What is Secure Login? ....................................................................... 7

1.1 System Overview .................................................................................... 8

1.2 Main System Components .................................................................... 9

1.3 Authentication Methods ........................................................................ 9

1.4 Workflow with X.509 Certificate .......................................................... 10

1.5 Workflow with Kerberos Token ........................................................... 11

1.6 Workflow with X.509 Certificate Request ........................................... 12

2 Secure Login Client Installation ...................................................... 13

2.1 Prerequisites ........................................................................................ 13

2.2 Installation ............................................................................................ 15

2.3 Unattended Installation ........................................................................ 17

2.4 Custom Installation .............................................................................. 20

2.5 Updating the Secure Login Client to SP2 ........................................... 22

2.6 Uninstallation........................................................................................ 23

3 Secure Login Client Console ........................................................... 26

3.1 Secure Login Server Integration ......................................................... 28

3.2 Use Profile for SAP Applications ........................................................ 29

4 Configuration Options ...................................................................... 34

4.1 Enable SNC in SAP GUI ....................................................................... 34

4.2 User Mapping........................................................................................ 36

4.3 Registry Configuration Options .......................................................... 39

4.4 Smart Card Integration ........................................................................ 43

4.5 Digital Signature (SSF) ........................................................................ 43

5 Secure Login Client for Citrix XenApp ............................................ 47

5.1 Secure Login Client with a Published Desktop ................................. 47

5.2 Secure Login Client with a Published SAP Logon ............................ 47

5.3 Other Features ...................................................................................... 48

6 Troubleshooting ................................................................................ 49

6.1 Error in SNC .......................................................................................... 49

6.2 User Name Not Found .......................................................................... 50

6.3 Invalid Security Token ......................................................................... 50

6.4 Wrong SNC Library Configured .......................................................... 51

7 List of Abbreviations ........................................................................ 53

8 Glossary ............................................................................................. 55


1 What is Secure Login?

Secure Login is an innovative software solution specifically created for improving user and IT productivity and for protecting business-critical data in SAP business solutions by means of secure single sign-on to the SAP environment.

Secure Login provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components.

Examples:

• SAP GUI and SAP NetWeaver platform with Secure Network Communications (SNC)

• Web GUI and SAP NetWeaver platform with Secure Socket Layer – SSL (HTTPS)

• Third party application server supporting X.509 certificates

In a default SAP setup, users enter their SAP user name and password on the SAP GUI logon screen. SAP user names and passwords are transferred through the network without encryption.

To secure networks, SAP provides a Secure Network Communications interface (SNC) that enables users to log on to SAP systems without entering a user name or password. The SNC interface can also direct calls through the Secure Login Library to encrypt all communication between SAP GUI and the SAP server, thus providing secure single sign-on to SAP.

Secure Login allows you to benefit from the advantages of SNC without being obliged to set up a public-key infrastructure (PKI). Secure Login allows users to authenticate with one of the following authentication mechanisms:

• Windows Domain (Active Directory Server)

• RADIUS server

• LDAP server

• SAP NetWeaver server

• Smart card authentication

If a PKI has already been set up, the digital user certificates of the PKI can also be used by Secure Login.

Secure Login also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) with SSL.


1.1 System Overview

Secure Login is a client/server software system integrated with SAP software to facilitate single sign-on, alternative user authentication, and enhanced security for distributed SAP environments.

The Secure Login solution includes several components:

Secure Login Server Central service that provides X.509v3 certificates (out-of-the-box PKI) to users and application servers. The Secure Login Web Client is an additional function.

Secure Login Library Cryptographic library for an SAP NetWeaver ABAP system. The Secure Login Library supports both X.509 and Kerberos technology.

Secure Login Client Client application that provides security tokens (Kerberos and X.509 technology) for a variety of applications.

You do not need to install all of the components. This depends on your use case scenario. For more information about Secure Login Server and Secure Login Library, see Installation, Configuration and Administration Guide.

The Secure Login Client is integrated with SAP software to provide single sign-on capability and enhanced security. Secure Login Client can be used with Kerberos technology, an existing public key infrastructure (PKI), or together with the Secure Login Server for certificate-based authentication without having to set up a PKI.

The Secure Login Client can use the following authentication methods:

• Smart cards and USB tokens with an existing PKI certificate

  Secure Login Server and authentication server are not necessary.

• Microsoft Crypto Store with an existing PKI certificate

  Secure Login Server and Authentication Server are not necessary.

• Microsoft Windows Credentials

  The Microsoft Windows Domain credentials (Kerberos token) can be used for authentication. The Microsoft Windows credentials can also be used to receive a user X.509 certificate with the Secure Login Server.

• User name and password (several authentication mechanisms)

  The Secure Login Client prompts you for your user name and password and authenticates with these credentials using the Secure Login Server in order to receive a user X.509 certificate.

All of these authentication methods can be used in parallel. A policy server provides authentication profiles that specify how to log on to the desired SAP system.


1.2 Main System Components

The following figure shows the Secure Login system environment with the main system components:

[Figure: Secure Login System Environment with existing PKI and Kerberos. Components shown: Secure Login Client with its security tokens (PKI infrastructure: Smart Card, USB Token, Microsoft Crypto Store, Secure Login Library; Kerberos infrastructure: Kerberos Token), providing authentication and secure communication for SAP GUI and Web GUI towards the SAP NetWeaver Platform.]

The Secure Login Client is responsible for the certificate-based and Kerberos-based authentication to the SAP application server.

1.3 Authentication Methods

In a system environment without Secure Login Server, the Secure Login Client supports the authentication methods listed in the table below:

  Authentication Method                     Details
  Authentication with X.509 certificates    The certificate provider sends the X.509 certificates through secure network communication (SNC). The following certificate providers work with X.509 certificates:
                                            • Smart card and USB tokens with an existing PKI certificate
                                            • Microsoft Crypto Store (Certificate Store)
                                            In SNC the Secure Login Client can perform authentication with encryption and digital signing certificates. The Secure Login Client supports RSA and DSA keys.
  Authentication with Kerberos tokens       For more information about the authentication with a Kerberos token, see 1.5 Workflow with Kerberos Token.

1.4 Workflow with X.509 Certificate

The following figure shows the principal workflow and communication between the individual components:

[Figure: Principal Workflow for X.509 Certificate Authentication. Components shown: Secure Login Client, security token (Smart Card, USB Token, Microsoft Crypto Store, Secure Login Library), PKI infrastructure, SAP GUI application and SAP NetWeaver Platform. The numbered steps 1 to 6 in the figure (start connection and get SNC name; client maps SNC name to authentication profile; unlock security token; client provides certificate to SAP GUI application; authentication and secure communication) correspond to the list below.]

1. When the connection starts, the Secure Login Client retrieves the SNC name from the desired SAP server system.

2. The Secure Login Client uses the authentication profile for this SNC name.

3. The user unlocks the security token by entering the PIN or password.

4. The Secure Login Client receives the X.509 certificate from the user security token.

5. The Secure Login Client provides the X.509 certificate for SAP single sign-on and secure communication between SAP client and SAP server.

6. The user is authenticated and the communication is secured.


Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto-engines. The Crypto Service Provider (CSP) of SAP is a plug-in of this type. It provides the user keys to all CAPI-enabled applications.

1.5 Workflow with Kerberos Token

The following figure shows the principal workflow and communication between the individual components:

Figure: Principal Workflow for Kerberos Authentication

1. When the connection starts, the Secure Login Client retrieves the SNC name (Service Principal Name) from the desired SAP server system.

2. At the Ticket Granting Service the Secure Login Client starts a request for a Kerberos Service Token.

3. The Secure Login Client receives the Kerberos Service Token.

4. The Secure Login Client provides the Kerberos Service Token for SAP single sign-on and secure communication between SAP client and SAP server.

5. The user is authenticated and the communication is secured.


1.6 Workflow with X.509 Certificate Request

The following figure shows the principal workflow and communication between the individual components:

Figure: Principal Workflow

1. When the connection starts, the Secure Login Client gets the SNC name from the desired SAP server system.

2. Secure Login Client uses the client policy for this SNC name.

3. Secure Login Client receives the user login credentials.

4. Secure Login Client generates a certificate request.

5. Secure Login Client sends the user credentials and the certification request to the Secure Login Server.

6. Secure Login Server forwards the user credentials to the authentication server and receives an answer that indicates whether the user credentials are valid.

7. If the user credentials are valid, the Secure Login Server generates a user certificate (certificate reply) and sends it to the Secure Login Client.

8. Secure Login Client provides the certificate to SAP GUI.

9. The user certificate is used to perform authentication, single sign-on, and secure communication between SAP client and server.


2 Secure Login Client Installation

This section explains how to install Secure Login Client.

2.1 Prerequisites

This section deals with the prerequisites and requirements for the installation of Secure Login Client. An installation of the Secure Login Client in a Citrix XenApp environment does not require any special steps or settings.

You can download the SAP NetWeaver Single Sign-On software from the SAP Service Marketplace. Go to https://service.sap.com/swdc and choose Support Package and Patches > Browse our Download Catalog > SAP NetWeaver and complementary products > SAP NetWeaver Single Sign-On > SAP NetWeaver Single Sign-On 1.0 > Comprised Software Component Versions > Secure Login Client 1.0 (32-bit or 64-bit).

Hardware Requirements

  Secure Login Client       Details
  Hard disk space           20 MB hard disk space
  Random access memory      Min. 256 MB RAM
  Smart card reader         Any PC/SC smart card reader can be used

Software Requirements

  Secure Login Client       Details
  Operating systems         Microsoft Windows 7 64-bit
                            Microsoft Windows 7 32-bit
                            Microsoft Windows Vista 64-bit
                            Microsoft Windows Vista 32-bit
                            Microsoft Windows XP 32-bit
                            Microsoft Windows Server 2008 R2 64-bit
                            Microsoft Windows Server 2008 64-bit
                            Microsoft Windows Server 2003 64-bit
  Citrix support            Microsoft Windows Server 2003 x64 / Citrix XenApp 5
                            Microsoft Windows Server 2008 R2 x64 / Citrix XenApp 6
  SAP GUI                   SAP GUI for Windows 7.10 and higher
                            SAP GUI for JAVA 7.10 and higher
  Smart card support        For smart card support the relevant smart card middleware needs to be installed. For more information, contact your vendor.
                            Secure Login Client supports smart cards through the Microsoft Crypto API (CSP) or PKCS#11 interface.

If you are using Microsoft Windows Server 2003 64-bit, refer to the Microsoft Knowledge Base article KB960077 (http://support.microsoft.com/kb/960077).


2.2 Installation

This section explains how to install Secure Login Client. The installation is performed using the MSI Installer.

If a smart card is to be used in Secure Login Client, install the smart card reader and smart card middleware software. For more information, contact the vendor.

Start Installation

Use the appropriate MSI Installer for your operating system.

Secure Login Client Software Package

  Type                        File Name
  Microsoft Windows 32Bit     SecureLoginClientx86.msi
  Microsoft Windows 64Bit     SecureLoginClientx64.msi

Administrative rights are required to install the Secure Login Client software.

To continue, choose the Next button.

To install all components, choose the Complete option.

To define the installation components, choose the Custom option.

To continue, choose the Next button.

If you choose the Custom option, the following features appear.

  Feature                           Value
  Secure Login Client Components    This feature installs the basic components of Secure Login Client. This feature is mandatory.
                                    Options: Start during Microsoft Windows login
                                             Crypto & Certificate Store Providers
                                             Policy Download Agent
                                    Options for an installation under Citrix XenApp. See Secure Login Client for Citrix XenApp.
  Secure Login Server Support       This feature installs authentication support with Secure Login Server. Based on the provided user credentials, the Secure Login Server provides user certificates to the Secure Login Client.
  Kerberos Single Sign-On           This feature installs the Kerberos authentication support.
  Smart Card Support                This feature installs smart card authentication support.
  Logging Service                   This feature installs the trace and logging option. We recommend that you install this option only for problem analysis.

To continue, choose the Install button.

To complete the installation, choose the Finish button.


2.3 Unattended Installation

Use the MSI installation option to deploy the Secure Login Client software with software distribution tools.

In the case of a Secure Login Server integration, remember to deploy the Root CA certificate and Client Policy URL as well. For more information, see section 2.4 Custom Installation.

Standard MSI Options

To help you understand the MSI options, open a command shell and enter the following command:

msiexec /?

Secure Login Client MSI Options

To display the Secure Login Client MSI installation options, enter the following command:

Microsoft Windows 32-bit

msiexec /i "<source_path>\SecureLoginClientx86.msi" HELP=1

Microsoft Windows 64-bit

msiexec /i "<source_path>\SecureLoginClientx64.msi" HELP=1


Entries marked with * are mandatory.

  Feature                                            Value
  Base_Components
    SAP_SecureLogin_base*                            Basic components of Secure Login Client. *This option is mandatory and cannot be changed.
    SAP_SecureLogin_sbus*                            Secure Login Client service. *This option is mandatory and cannot be changed.
    SAP_SecureLogin_i18n                             International language files support. Standard feature.
    SAP_SecureLogin_pki*                             X.509 cryptographic support. *This option is mandatory and cannot be changed.
  SAP_Security
    SAP_SecureLogin_sap_gss*                         SAP Secure Network Communication (SNC) support. *This option is mandatory and cannot be changed.
    SAP_SecureLogin_sap_ssf                          SAP Secure Store and Forward (SSF) support. Standard feature.
    SAP_SecureLogin_capi                             Support for Microsoft Crypto API token plug-in. Use existing certificates in Secure Login Client. Standard feature.
    SAP_SecureLogin_csp*, SAP_SecureLogin_store*     Cryptographic service provider plug-in for the Microsoft Crypto API. Secure Login Client provides certificates to the Microsoft Crypto API. *These options are mandatory and cannot be changed.
    SAP_SecureLogin_securelogin                      Component to interact with Secure Login Server.
    SAP_SecureLogin_kerberos_token                   Kerberos support.
    SAP_SecureLogin_smartcard                        Smart card support.
    SAP_SecureLogin_notify                           Trace and logging option. We recommend that you install this option only for problem analysis.


Unattended Installation Examples

Example 1

This example shows you how to install the Secure Login Client software without the logging service.

msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify

The recommended installation is to install all components without the logging service.

Example 2

This example shows you how to install the Secure Login Client software without the logging service and Secure Login Server support.

msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify,SAP_SecureLogin_securelogin

Example 3

This example shows you how to install the Secure Login Client software without the logging service, Secure Login Server support, and Kerberos support.

msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify,SAP_SecureLogin_securelogin,SAP_SecureLogin_kerberos_token

Example 4

This example shows you how to install the Secure Login Client software without the logging service, Secure Login Server support, and smart card support.

msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify,SAP_SecureLogin_securelogin,SAP_SecureLogin_smartcard

Example 5

This example shows you how to uninstall the Secure Login Client software.

msiexec /qb /x "SecureLoginClientx86.msi"
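The following PowerShell wrapper is an added example and not part of the SAP guide or the product. It automates the unattended installation shown in Examples 1 to 4: it picks the MSI that matches the operating system architecture, rejects attempts to remove the mandatory csp/store features, writes a verbose Windows Installer log, and interprets the msiexec exit code so that a software distribution job can tell a clean install from one that still needs a reboot. The share path and log directory are assumptions; the feature names are those listed in the table above.

```powershell
# Added example (not SAP code): unattended Secure Login Client deployment wrapper.
# Installs all features except the ones in -Remove (default: the logging service,
# which is the guide's recommended installation) and checks the msiexec result.
param(
    [string]$MsiFolder = "\\fileserver\sap\slc",        # assumption: share holding both MSIs
    [string]$LogDir    = "$env:ProgramData\SAP\SLC",     # assumption: where the install log is kept
    [string[]]$Remove  = @("SAP_SecureLogin_notify")     # features to leave out (names from the guide)
)

# Only these features may be removed; SAP_SecureLogin_csp and SAP_SecureLogin_store are mandatory.
$removable = "SAP_SecureLogin_notify", "SAP_SecureLogin_securelogin",
             "SAP_SecureLogin_kerberos_token", "SAP_SecureLogin_smartcard"
foreach ($feature in $Remove) {
    if ($removable -notcontains $feature) { throw "Feature '$feature' is mandatory or unknown and cannot be removed" }
}

# 64-bit Windows reports AMD64 either directly or via PROCESSOR_ARCHITEW6432 (32-bit PowerShell host).
$is64 = ($env:PROCESSOR_ARCHITECTURE -eq "AMD64") -or ($env:PROCESSOR_ARCHITEW6432 -eq "AMD64")
$msi = if ($is64) { "SecureLoginClientx64.msi" } else { "SecureLoginClientx86.msi" }
$msiPath = Join-Path $MsiFolder $msi
if (-not (Test-Path $msiPath)) { throw "MSI not found: $msiPath" }

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ("slc-install-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))

# /qb shows only a progress bar, as in the guide's examples; use /qn for a fully silent run.
$msiArgs = @("/norestart", "/qb", "/i", "`"$msiPath`"", "ADDLOCAL=ALL", "/l*v", "`"$log`"")
if ($Remove.Count -gt 0) { $msiArgs += "REMOVE=" + ($Remove -join ",") }

$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0    { "Installed $msi (log: $log)" }
    3010 { "Installed $msi; a reboot is required to complete the installation (log: $log)" }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $log" }
}
```

Run the script elevated; Windows Installer needs administration rights for a per-machine installation. Exit code 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) is returned because /norestart suppresses the automatic reboot; a distribution tool should schedule the reboot itself instead of treating 3010 as a failure.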


2.4 Custom Installation

This section describes how to integrate the installation of the Root CA certificate (into the Microsoft Certificate Store) and of the client policy URL (a registry key) for the Secure Login Client into software distribution tools.

The customized aspects of this installation are associated only with the integration with Secure Login Server.

Install Root CA Certificate

You need to install the Root CA certificate from Secure Login Server in the client environment. The Root CA certificate is used to establish secure communication to the Secure Login Server.

Use the Microsoft CertMgr tool (certmgr.exe, which is part of the Microsoft Windows Software Development Kit (SDK); not the certmgr.msc snap-in) to import certificates. Use the following command to import a certificate:

certmgr.exe /add /all /c <RootCA_file> /s ROOT /r localMachine

The Root CA certificate is provided by the Secure Login Server. Note that this command places the certificate in the machine-wide Trusted Root Certification Authorities store, where every user and every application on the client trusts it for all purposes, so distribute only the Secure Login Server Root CA in this way.

Install Client Policy URL The client policy URL (registry key) defines the connection information for the Secure Login Server. Use this client policy URL to retrieve authentication profiles for the Secure Login Client Console.

Use the following command to import a registry file:

reg.exe import customer.reg

The registry file customer.reg can be provided by the Secure Login Server.

Example: Registry file customer.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\System]
"PolicyURL"="http://<IP/FQDN>:<Port>/securelogin/admin/Navigation?op=downloadFile&name=ClientPolicy.xml"
"PolicyTTL"=dword:00000000
"NetworkTimeout"=dword:0000002d
"DisableUpdatePolicyOnStartup"=dword:00000000

Replace <IP/FQDN> and <Port> with the host name and HTTP port of your Secure Login Server. The example uses a plain http URL; where the Secure Login Server is reachable over HTTPS, prefer an https URL so that the policy download itself cannot be modified in transit. The Root CA certificate installed above is what allows the client to validate that connection.
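The following PowerShell script is an added example, not part of the SAP guide, that performs both custom installation steps from a software distribution job without relying on certmgr.exe from the SDK or on a prepared .reg file: it imports the Root CA certificate into the machine Root store, writes the four policy values documented in this section, and then verifies that the certificate is present by thumbprint and that the policy URL answers. The certificate path, host name and port are assumptions.

```powershell
# Added example (not SAP code): deploy the Secure Login Server Root CA and the
# client policy registry values, then verify both. Run elevated.
param(
    [string]$RootCaFile = "\\fileserver\sap\slc\SLS-RootCA.crt",   # assumption: Root CA exported from Secure Login Server
    [string]$PolicyHost = "sls.example.com",                         # assumption
    [int]$PolicyPort    = 50000,                                     # assumption: AS Java HTTP port of instance 00
    [int]$PolicyTtlMin  = 0,                                         # PolicyTTL, minutes (0 = check only at startup)
    [int]$TimeoutSec    = 45,                                        # NetworkTimeout, seconds (guide default)
    [switch]$DisableStartupUpdate                                    # sets DisableUpdatePolicyOnStartup=1
)

# 1. Root CA into the machine-wide Root store, the same effect as
#    certmgr.exe /add /all /c <file> /s ROOT /r localMachine.
#    Everything in this store is trusted for all purposes by every user of the
#    machine, so only the Secure Login Server root belongs here.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCaFile)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$store.Open("ReadWrite")
if (-not $store.Certificates.Contains($ca)) { $store.Add($ca) }
$store.Close()

# 2. Policy values, equivalent to "reg.exe import customer.reg".
$key = "HKLM:\SOFTWARE\Policies\SAP\SecureLogin\System"
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
$url = "http://{0}:{1}/securelogin/admin/Navigation?op=downloadFile&name=ClientPolicy.xml" -f $PolicyHost, $PolicyPort
Set-ItemProperty -Path $key -Name PolicyURL -Value $url -Type String
Set-ItemProperty -Path $key -Name PolicyTTL -Value $PolicyTtlMin -Type DWord
Set-ItemProperty -Path $key -Name NetworkTimeout -Value $TimeoutSec -Type DWord
Set-ItemProperty -Path $key -Name DisableUpdatePolicyOnStartup -Value ([int]($DisableStartupUpdate.IsPresent)) -Type DWord

# 3. Verify: the root is in the store by thumbprint, and the policy URL answers
#    from this client before the first Secure Login Client starts.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if (-not $installed) { throw "Root CA $($ca.Subject) was not installed" }
"Root CA installed: $($ca.Subject) ($($ca.Thumbprint))"
try {
    $body = (New-Object System.Net.WebClient).DownloadString($url)
    if ($body -notmatch "<") { throw "response is not XML" }   # ClientPolicy.xml is an XML document
    "Policy URL reachable: $url"
} catch {
    Write-Warning "Policy URL not reachable from this client: $url ($($_.Exception.Message))"
}
```

If the Secure Login Server offers HTTPS, change the URL format string to https and the port to the HTTPS port of the AS Java instance; the verification step then also exercises the trust chain just installed, because WebClient validates the server certificate against the machine Root store.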


For more information about registry configuration options, see section 4.3 Registry Configuration Options.

For more information about registry settings provided by Secure Login Server, see the Installation, Configuration and Administration Guide for Secure Login Server.

Parameter Description

PolicyURL Network resource (Secure Login Server) from which the most recent Secure Login Client policy can be downloaded. The following types of client policies are available:

ClientPolicy.xml: Client Policy defined in the default instance of the Secure Login Server.

ClientPolicy.xml&path=000xx: Client Policy defined in instance xx (instance number) of the Secure Login Server.

GlobalClientPolicy.xml: Global Client Policy, which includes all available instances of the Secure Login Server.

For more information, see the Secure Login Server Installation, Configuration and Administration Guide.

PolicyTTL Interval in minutes after which the Secure Login Client checks the Secure Login Server for an updated client policy. Default is 0 minutes; with this value the client checks for a new client policy only during system start of the client PC (see DisableUpdatePolicyOnStartup).

NetworkTimeout Network timeout in seconds after which the connection is closed if the Secure Login Server does not respond. Default is 45 seconds (hex value 2d).

DisableUpdatePolicyOnStartup By default, the Secure Login Client looks for a new client policy during system startup of the client PC. Use this parameter to disable that check.

1: Disable automatic policy download at startup.

0: Enable automatic policy download at startup.

Default value is 0.


2.5 Updating the Secure Login Client to SP2

You can download the Support Package software from the SAP Service Marketplace. Go to https://service.sap.com/swdc and choose Support Package and Patches > Browse our Download Catalog > SAP NetWeaver and complementary products > SAP NetWeaver Single Sign-On > SAP NetWeaver Single Sign-On 1.0.

You do not need to uninstall the existing version of the Secure Login Client. You simply run the installation software as described in 2.2 Installation and overwrite your existing Secure Login Client.

To display the version number of your software, right-click the blue diamond of the Secure Login Client in the Microsoft Windows notification area and choose About. The version number 1.0.2 is displayed in the About screen of the Secure Login Client.


2.6 Uninstallation

Use the appropriate MSI file for your operating system. You can also use the software management tool in Microsoft Windows.

Secure Login Client Software Package

Type File Name

Microsoft Windows 32-Bit SecureLoginClientx86.msi

Microsoft Windows 64-Bit SecureLoginClientx64.msi

Administration rights are required to uninstall the Secure Login Client software.

If you want to use the software management tool in Microsoft Windows, choose Control Panel > Uninstall a Program, right-click Secure Login Client, and choose the Uninstall option from the context menu.

Another option is to start the Secure Login Client MSI software package.

To continue, choose the Next button.


Select the Remove option and choose the Next button to continue.

To continue, choose the Remove button.


To complete the uninstallation, choose the Finish button.

You can remove the Secure Login Client software in unattended mode using the MSI options described in section 2.3 Unattended Installation.


3 Secure Login Client Console

This section describes the Secure Login Client Console.

The system tray contains a blue diamond icon.

To open the Secure Login Client Console, click this icon.

In this example, no Kerberos token is available, because this user is not authenticated in the Microsoft domain.

Kerberos Token If the user is authenticated in the Microsoft domain, the Kerberos token is displayed.


You can switch users in the Microsoft domain.

Right-click the Kerberos profile and choose the Log In option.

Enter the Microsoft domain user name and password.

The new Kerberos token is displayed.


Certificate from Microsoft Certificate Store

If an X.509 certificate is available in the Microsoft Certificate Store, this certificate is displayed in the Secure Login Client Console and can be used in SAP GUI.

3.1 Secure Login Server Integration

If a Secure Login Server is used to provide user certificates, client profiles are available in the Secure Login Client Console.

Client profiles from Secure Login Server are available only if the option Secure Login Server Support is installed and if the Client Policy URL (registry value) is defined.

For more information about the Client Policy URL, see section 2.4 Custom Installation.

Certificates requested using Secure Login Server and available in the Secure Login Client Console are also provided to the Microsoft Certificate Store (for example, for use when logging on to SAP Enterprise Portal).


Caution: Problems can occur when Internet Explorer performs SSL client authentication with such a certificate. The same applies to a logon with the SAP NetWeaver Business Client. For more information, see SAP Note 1658181.

Automatic Provisioning of Certificates

The Secure Login Client supports profiles that let users obtain X.509 certificates automatically when the Secure Login Client starts up after a Microsoft Windows authentication. Whether such a profile is provided is configured on the Secure Login Server.

Manual Provisioning of Certificates

Right-click the profile in the Secure Login screen and choose the menu item Log In. If you are logged on to a domain, you obtain a certificate without having to enter your user name and password; otherwise the system prompts you for your user credentials.

Depending on the profile configuration, the additional menu item Log In as is available. When you choose Log In as (or if you are a local user), the system prompts you for your user name and password. Having entered both, you are provided with a certificate by the Secure Login Client.

3.2 Use Profile for SAP Applications

You can configure which profile is used for which SAP server system. To do this, right-click a profile and choose Use Profile for SAP Applications.

If you choose this option, the position of the icon changes and this profile is used for SAP GUI. Use this feature, for example, when you need to switch profiles manually.

You can deactivate this menu item in the client policy provided by the Secure Login Server.

Log Console

If the option Logging Service was installed, the Log Console is available in the Secure Login Client Console.

The log console (Secure Login Client Notification Viewer) is a support analysis tool that displays advanced information about the Secure Login and Enterprise Single Sign-On actions. The information is constantly updated (live).

We recommend that you use this installation option only for problem analysis to help support teams with troubleshooting.

Open the console as follows:

1. Choose the menu entry View > Log Console in the Secure Login dialog. The Live Trace pane is displayed:


2. The Live Trace pane automatically scrolls down whenever a component performs a task and the task details are captured by the log console.

Menu Item Submenu Item/Details

File > Open: Opens trace files (*.xml) that contain trace messages previously exported (cut) from the Live Trace pane.

File > Explore Trace Files: Opens the folder on the local drive that contains the trace (*.xml) files.

File > Save as: Saves the current trace list as an XML file.

File > Close: Closes the pane currently open in the log console.

File > Exit: Exits the log console.

View > Live Trace: Opens the Live Trace pane to display the log messages.

View > Live Trace Copy: Duplicates the live trace messages file into a new, static XML file. The path of the file is visible in the title bar of the viewer.

View > Live Trace Cut: Cuts the messages from the current live trace feed, effectively clearing the Live Trace pane. The cut messages are automatically saved to an XML file and opened in a new pane in the log console window. The path of the file is visible in the title bar of the viewer.

Tools > Options: Opens the Options dialog for the logging service (sbustrace.exe) component:


You can specify the following options in this dialog:

Service: Install or remove the logging service component from Microsoft Windows, and start or stop the service if it is installed (options not currently available are grayed out). The current state of the service is displayed in the fields above the respective buttons.

Live-Trace: Caution: This option is for advanced users only. It filters the messages written by View > Live Trace Copy; define the filter by pasting an XML fragment into the field.

TraceLevel: Defines the granularity of the live trace messages.

Log Rotate: Defines the maximum size of a log file before it is archived and a new log file is started.

Filter: Filters trace messages. The filter must be defined manually with the help of the support team.

Click OK to apply any changes and close the window.

Window > Tile Horizontally: Arranges any open panes so that they are displayed equally, horizontally across the log viewer window.

Window > Tile Vertically: Arranges any open panes so that they are displayed equally, vertically across the log viewer window.

Window > Cascade: Arranges the open panes so that they are displayed in a stack.

The column headers, which are located at the top of the Live Trace pane, are defined as follows:


Live Trace Header Details

L: The message type. A yellow warning sign means that something may be wrong and needs to be checked. A red error icon means that the task could not be performed. A blue information icon refers to a successful task or an informational message.

Time: The time the task was performed.

PID: Process ID.

TID: Thread ID.

App: The component that performed the task.

Mod: The application module from which the task originated.

Msg: Information about the task performed.

Version Information

Choose the SAP icon in the Secure Login Console or right-click the system tray icon and choose the About Secure Login option. The version information is displayed.


4 Configuration Options

This section describes how to enable SNC in SAP GUI and how to define the user mapping in SAP user management.

4.1 Enable SNC in SAP GUI

To establish secure communication between SAP GUI and the SAP NetWeaver application server, you need to enable the SNC option.

Start the SAP GUI application, enable the SNC option, and define the SNC name of the SAP NetWeaver application server.

Kerberos SNC Name

Choose the option Activate Secure Network Communication and define the SNC Name.

Example SNC Name:

p:CN=SAP/[email protected]

The SNC name is provided by your SAP NetWeaver administrator. For more information about how to install the SNC library on the SAP NetWeaver application server, see the Secure Login Library Installation, Configuration, and Administration Guides.

Note that the definition of the SNC name is case-sensitive.


X.509 Certificate SNC Name

Choose the option Activate Secure Network Communication and define the SNC name.

Example SNC Name:

p:CN=ABC, OU=SAP Security

The SNC name is provided by your SAP NetWeaver administrator. For more information about how to install the SNC library on the SAP NetWeaver application server, see the Secure Login Library Installation, Configuration, and Administration Guides.

Note that the definition of the SNC Name is case-sensitive.


4.2 User Mapping

This section describes how to define the user mapping in SAP user management. For user authentication using security tokens (X.509 certificate or Kerberos token), this mapping is required to define which security token belongs to which SAP user.

For smooth and straightforward integration, we recommend that you use the SAP NetWeaver Identity Management solution to manage user mapping.

Manual Configuration

Start the user management tool by calling transaction SU01. Choose the SNC tab.

If you are using Kerberos authentication, enter the Kerberos user name in the SNC name field.

If you are using X.509 certificate based authentication, enter the X.509 certificate Distinguished Name in the SNC name field.

Note that the definition of the SNC name is case-sensitive.

Kerberos Example In this example, the SNC name p:[email protected] belongs to the user SAPUSER.


X.509 Certificate Example In this example the SNC name p:CN=SAPUSER, OU=SAP Security belongs to the user SAPUSER.

For more information about how to perform user mapping, see the Secure Login Library Installation, Configuration and Administration Guide.


Set External Security Name for All Users

You can use transaction SNC1 (report RSUSR300) to configure the SNC name in batch mode.

Note that the definition of the string is case-sensitive.

With this tool you can choose all SAP users (*), a list of SAP users, or SAP user groups.

Select the option Users without SNC names only so that users who already have an SNC name are skipped; without it, existing SNC names are overwritten.

This batch tool takes an SAP user and uses the components

<previous_character_string><SAP_user_name><next_character_string>

to build the SNC name.

Kerberos Example

In this example, SNC names are generated with the following string for all users without an SNC name:

p:CN=SAP/<user_name>@DEMO.LOCAL

X.509 Certificate Example

In this example, SNC names are generated with the following string for all users without an SNC name:

p:CN=<user_name>, OU=SAP Security


4.3 Registry Configuration Options

This section describes further registry configuration options for the Secure Login Client.

Common Settings

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common]

Parameter Type Description

Locale STRING Language setting for Secure Login Client. The language is usually recognized automatically; use this parameter to override it. Possible values are:

en_US (English)

de_DE (German)

fr_FR (French)

ja_JP (Japanese)

pt_BR (Portuguese)

ru_RU (Russian)

zh_CN (Chinese)

HideTrayIcon DWORD Use this option to remove the Secure Login Client tray icon. Set the value 0 to display the tray icon and 1 to hide it. The default setting is that the tray icon is displayed.

TrustDB STRING Use this option to define where Secure Login Client searches for trusted root certificates. The following values are possible:

capi (default): Get trust from the Microsoft Certificate Store.

token: Use root certificates on tokens.

Get trust from files (.crt, .p7c, …) in a single directory.

ResourcePath STRING Use this option to specify an alternate location for the language files (.res). Default value is <install_path>/etc.


PCSC Settings

The options in this section allow you to select which PCSC smart card readers are used or ignored. You can specify multiple patterns by separating them with ',' or ';'. Wildcards ('*' and '?') are allowed.

CAPI Settings

The options in this section allow you to select which certificates from third-party CSPs may be used.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\pcsc]

Parameter Type Description

IgnoredReadersPattern STRING Use this option to disable some PCSC smart card readers. The default value is <empty> (do not disable any PCSC smart card reader).

AllowedReadersPattern STRING Use this option to use only the specified PCSC smart card readers. This option is evaluated after IgnoredReadersPattern. The default value is '*' (use every PCSC smart card reader). Important: If you use an empty string (''), all readers are used (same as '*').

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\capi]

Parameter Type Description

CAPIProviderFilter STRING Use this option to use only certificates provided by specific CSPs (the CSP name must begin with this string). Example: Microsoft (use only certificates provided by CSPs from Microsoft).

CAPIFilterValidOnly DWORD Use this option to use only certificates that are currently valid (issued in the past and not expired).

CAPIFilterIssuerDN STRING Use this option to use only certificates whose issuer Distinguished Name contains CAPIFilterIssuerDN. Example: CN=My Companies CA

CAPIFilterSubjectDN STRING Use this option to use only certificates whose subject Distinguished Name contains CAPIFilterSubjectDN. Example: O=My Org Unit

CAPIFilterExcludeIssuerDN STRING Use this option to exclude certificates whose issuer Distinguished Name contains CAPIFilterExcludeIssuerDN. Example: CN=Test CA

CAPIFilterExcludeSubjectDN STRING Use this option to exclude certificates whose subject Distinguished Name contains CAPIFilterExcludeSubjectDN. Example: O=Testing only

CAPIFilterKeyUsage STRING Use this option to use only certificates that have a specific key usage. CAPIFilterKeyUsage may contain the following strings (you can specify several):

+KEYUSAGE Use only certificates that have the specified key usage.

-KEYUSAGE Do not use certificates that have the specified key usage.

KEYUSAGE can be one of the following:

dataEncipherment Data encipherment key usage

digitalSignature Digital signature key usage

keyAgreement Key agreement key usage

keyEncipherment Key encipherment key usage

nonRepudiation Non-repudiation key usage

cRLSign CRL signature key usage

CAPIFilterExtendedKeyUsage STRING Use this option to use only certificates that have a specific extended key usage. The syntax is the same as for CAPIFilterKeyUsage. CAPIFilterExtendedKeyUsage may contain the following strings:

+EXTKEYUSAGE Use only certificates that have the specified extended key usage.

-EXTKEYUSAGE Do not use certificates that have the specified extended key usage.

EXTKEYUSAGE can be one of the following:

ServerAuthentication (1.3.6.1.5.5.7.3.1)

ClientAuthentication (1.3.6.1.5.5.7.3.2)

CodeSigning (1.3.6.1.5.5.7.3.3)

EmailProtection (1.3.6.1.5.5.7.3.4)

IpsecEndSystem (1.3.6.1.5.5.7.3.5)

IpsecTunnel (1.3.6.1.5.5.7.3.6)

IpsecUser (1.3.6.1.5.5.7.3.7)

TimestampSigning (1.3.6.1.5.5.7.3.8)

OcspSigning (1.3.6.1.5.5.7.3.9)

MicrosoftEfs (1.3.6.1.4.1.311.10.3.4)

MicrosoftEfsRecovery (1.3.6.1.4.1.311.10.3.4.1)

MicrosoftKeyRecovery (1.3.6.1.4.1.311.10.3.11)

MicrosoftDocumentSigning (1.3.6.1.4.1.311.10.3.12)

MicrosoftSmartcardLogon (1.3.6.1.4.1.311.20.2.2)

For more information about registry settings provided by Secure Login Server, see the Installation, Configuration and Administration Guide for Secure Login Server.

Client Trace Setting

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\traces]

Parameter Type Description

TraceLevel DWORD Use this option to enable/disable traces and to configure the trace level

Possible values:

0 disable traces

1 only errors

2 errors and warnings

3 errors, warnings and information

4 errors, warnings, information, and log

5 errors, warnings, information, log, and debug
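The reader patterns and certificate filters above are easy to get wrong in a way that silently hides the certificate a user needs. The following PowerShell script is an added example, not SAP code, that applies the documented matching rules locally to the certificates in the current user's personal store and to a few constructed reader names, so that a policy can be dry-run before it is deployed. It reads the filter values from the registry and lets you override them for the test. Two details the guide does not state are assumptions here: several key-usage tokens are split on whitespace, ',' or ';', and the Distinguished Name "contains" tests are case-sensitive.

```powershell
# Added example (not SAP code): dry-run the PCSC reader patterns and CAPI certificate
# filters from this section. The client itself is not consulted; the rules are
# re-implemented from the parameter descriptions above.

function Split-Patterns([string]$value) {
    # Patterns and tokens are separated by ',' or ';' (whitespace accepted too: assumption).
    if ([string]::IsNullOrEmpty($value)) { return @() }
    return @($value -split "[,;\s]+" | Where-Object { $_ })
}

function Test-ReaderAllowed([string]$reader, [string]$ignored, [string]$allowed) {
    # IgnoredReadersPattern is evaluated first, then AllowedReadersPattern.
    # -like implements the '*' and '?' wildcards the guide allows.
    foreach ($p in @(Split-Patterns $ignored)) { if ($reader -like $p) { return $false } }
    $allowList = @(Split-Patterns $allowed)
    if ($allowList.Count -eq 0) { return $true }          # '' behaves like '*'
    foreach ($p in $allowList) { if ($reader -like $p) { return $true } }
    return $false
}

# Guide token names -> .NET X509KeyUsageFlags names, and EKU token names -> OIDs (subset of the list above).
$KeyUsageFlag = @{ dataEncipherment = "DataEncipherment"; digitalSignature = "DigitalSignature"
                   keyAgreement = "KeyAgreement"; keyEncipherment = "KeyEncipherment"
                   nonRepudiation = "NonRepudiation"; cRLSign = "CrlSign" }
$EkuOid = @{ ServerAuthentication = "1.3.6.1.5.5.7.3.1"; ClientAuthentication = "1.3.6.1.5.5.7.3.2"
             CodeSigning = "1.3.6.1.5.5.7.3.3"; EmailProtection = "1.3.6.1.5.5.7.3.4"
             MicrosoftSmartcardLogon = "1.3.6.1.4.1.311.20.2.2" }

function Test-CertificateAllowed($cert, [hashtable]$f) {
    # Returns $null when the certificate passes every configured filter, otherwise the reason it is hidden.
    if ($f.CAPIFilterValidOnly -eq 1) {
        $now = Get-Date
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { return "not currently valid" }
    }
    if ($f.CAPIFilterIssuerDN  -and -not $cert.Issuer.Contains($f.CAPIFilterIssuerDN))   { return "issuer does not contain filter" }
    if ($f.CAPIFilterSubjectDN -and -not $cert.Subject.Contains($f.CAPIFilterSubjectDN)) { return "subject does not contain filter" }
    if ($f.CAPIFilterExcludeIssuerDN  -and $cert.Issuer.Contains($f.CAPIFilterExcludeIssuerDN))   { return "issuer excluded" }
    if ($f.CAPIFilterExcludeSubjectDN -and $cert.Subject.Contains($f.CAPIFilterExcludeSubjectDN)) { return "subject excluded" }
    if ($f.CAPIProviderFilter) {
        # ProviderName is only available for legacy CSP keys; CNG keys report nothing here.
        $csp = $null
        try { $csp = $cert.PrivateKey.CspKeyContainerInfo.ProviderName } catch { }
        if (-not $csp -or -not $csp.StartsWith($f.CAPIProviderFilter)) { return "CSP does not match" }
    }
    $kuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    foreach ($t in @(Split-Patterns $f.CAPIFilterKeyUsage)) {
        $flag = $KeyUsageFlag[$t.Substring(1)]
        if (-not $flag) { return "unknown key usage token $t" }
        $flagValue = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::$flag
        $has = [bool]$kuExt -and ((($kuExt.KeyUsages -band $flagValue)) -ne 0)
        if ($t[0] -eq "+" -and -not $has) { return "key usage $flag missing" }
        if ($t[0] -eq "-" -and $has)      { return "key usage $flag forbidden" }
    }
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($t in @(Split-Patterns $f.CAPIFilterExtendedKeyUsage)) {
        $oid = $EkuOid[$t.Substring(1)]
        if (-not $oid) { return "unknown extended key usage token $t" }
        $has = $ekus -contains $oid
        if ($t[0] -eq "+" -and -not $has) { return "extended key usage $($t.Substring(1)) missing" }
        if ($t[0] -eq "-" -and $has)      { return "extended key usage $($t.Substring(1)) forbidden" }
    }
    return $null
}

# Filters as configured on this machine; a value that is not set stays $null (filter off).
$capiKey = "HKLM:\SOFTWARE\Policies\SAP\SecureLogin\common\capi"
$props = if (Test-Path $capiKey) { Get-ItemProperty -Path $capiKey } else { $null }
$filters = @{}
foreach ($n in "CAPIProviderFilter", "CAPIFilterValidOnly", "CAPIFilterIssuerDN", "CAPIFilterSubjectDN",
              "CAPIFilterExcludeIssuerDN", "CAPIFilterExcludeSubjectDN", "CAPIFilterKeyUsage", "CAPIFilterExtendedKeyUsage") {
    $filters[$n] = if ($props) { $props.$n } else { $null }
}
# Constructed values for a dry run of a policy about to be deployed; delete these four lines to test the registry as-is.
$filters.CAPIFilterValidOnly = 1
$filters.CAPIFilterKeyUsage = "+digitalSignature"
$filters.CAPIFilterExtendedKeyUsage = "+ClientAuthentication"
$filters.CAPIFilterExcludeSubjectDN = "O=Testing only"

"--- readers (constructed names) ---"
foreach ($r in "OMNIKEY CardMan 3x21 0", "Microsoft Virtual Smart Card 0") {
    $state = if (Test-ReaderAllowed $r "*Virtual*" "") { "used" } else { "ignored" }
    "{0,-34} {1}" -f $r, $state
}
"--- certificates in Cert:\CurrentUser\My ---"
foreach ($c in Get-ChildItem Cert:\CurrentUser\My) {
    $why = Test-CertificateAllowed $c $filters
    $state = if ($why) { "hidden: $why" } else { "offered" }
    "{0}  {1}  {2}" -f $c.Thumbprint, $c.Subject, $state
}
```

A certificate reported as "hidden" with a reason is one the filters would keep out of the Secure Login Client Console; if the expected SNC certificate shows up there, adjust the filter rather than the certificate. Note that CAPIProviderFilter cannot be evaluated for keys held by a CNG key storage provider, because the legacy CSP name is only populated for CryptoAPI keys.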


4.4 Smart Card Integration

The Secure Login Client can use X.509 certificates stored on smart cards and supports 64-bit CSPs.

For smart card support, you need to install the relevant smart card middleware. Secure Login Client supports smart cards through the Microsoft Crypto API (CSP) or the PKCS#11 interface. These interfaces are typically also supported by the smart card middleware software.

Checklist for smart card support:

If required, install the smart card reader hardware and the PC/SC driver. The smart card reader is typically recognized automatically by the operating system.

Install the smart card middleware software. This middleware must support the desired smart card. Some smart card vendors provide their own middleware, and some middleware vendors support several kinds of smart cards.

PIN management is handled by the middleware software. A typical situation is a user logging on to a Microsoft operating system using the smart card; this user then needs to re-enter the PIN in the browser or in SAP GUI. Whether the user is able to do this depends on the smart card middleware, which might close the smart card after the logon to Microsoft Windows. For more information, contact your smart card middleware vendor.

4.5 Digital Signature (SSF)

The Secure Login Client can use X.509 certificates for digital signatures in an SAP environment. The supported interface is Secure Store and Forward (SSF). This option is part of the default installation.

The prerequisite for using SSF is that SSF is configured in the SAP instance profile.

How to Test SSF Client Signature

Log on to the SAP system using SAP GUI and start transaction SE38.

Enter the program name SSF01 and execute this program.

Choose the function you want to test, for example, Signing.

For the parameter RFC destination, enter the value SAP_SSFATGUI.

For the parameter SSF format, enter the value PKCS7.

Two configuration cases are described below.

Case 1: Use smart card or existing certificate

In the ID field, enter the distinguished name of the smart card certificate. Example: CN=Smartcard User, OU=SAP Security


Case 2 – Use Secure Login Client Profile provided by Secure Login Server

In the ID field, enter the distinguished name of the user certificate. Example: CN=Username, OU=SAP Security

In the SSF Profile field, enter the Secure Login Client profile configuration.

Example: toksw:mem://securelogin/<profile_name>

<profile_name> is the profile name defined in Secure Login Server. In this example the profile name is SSF.

In parameter Input data, enter the file to be signed.

In the parameter Output data, enter the path and file name for the signed file.

Execute the program and choose the Sign button.

The system prompts you for a password, which is not required. Choose the green OK button.


The file should be signed.


SSF User Configuration

Use this configuration step to define which Secure Login Client profile is used for the SSF interface. This is defined for each SAP user.

Log on to the SAP system using SAP GUI and start transaction SU01.

Edit the desired user and, on the Address tab, choose the Other Communication button.

Choose the SSF option and define the desired parameters. For more information, see the SAP Help Portal.

Parameter Description

SSF-ID Define the Distinguished Name of the user certificate. Example: CN=Username, OU=SAP Security

SSF-ID Part 2 Define an additional Distinguished Name of the user certificate.

SSF profile Define the Secure Login Client profile. There are three options available:

Use Secure Login Client Profile: The certificate is selected for SSF based on the Secure Login Client profile name. Example: toksw:mem://securelogin/<profile_name>

Use Secure Login Client Profile and Re-authentication: Adding the [reauth] option means that the user must authenticate again to the Secure Login Client profile before a certificate is provided. Example: [reauth]toksw:mem://securelogin/<profile_name>

<empty>: If no SSF profile is defined, the SSF-ID is used to search for the certificate in Secure Login Client.

Destination The RFC destination (logical destination) where the SSF RFC server program has been defined. Enter the value SAP_SSFATGUI (SSF for digital signatures on the front ends).


5 Secure Login Client for Citrix XenApp

This section describes how to use the Secure Login Client in a Citrix XenApp environment. In this environment, the Secure Login Client supports only 64-bit Microsoft Windows operating systems. The following platforms are supported:

Microsoft Windows Server 2003 x64 / Citrix XenApp 5

Microsoft Windows Server 2008 R2 x64 / Citrix XenApp 6

Use Case The customer wants to run Secure Login Client in a Citrix XenApp environment.

5.1 Secure Login Client with a Published Desktop A published desktop behaves similarly to a standard Microsoft Windows desktop. You can install the Secure Login Client in the same way as on a local Microsoft Windows operating system. To minimize memory and CPU consumption, we recommend unselecting the feature Start during Windows login. Unselect Crypto & Certificate Store Provider and Policy Download Agent during the installation if you do not use them.

5.2 Secure Login Client with a Published SAP Logon The Secure Login Client does not start automatically when a user logs on to a published SAP Logon in a Citrix XenApp environment. When installing you may unselect the features Start during Windows login and Crypto & Certificate Store Provider.

How to Enable Automatic Startup with a Published SAP Logon

To start the Secure Login Client automatically, create a user logon script called usrlogon_slc.cmd in the Microsoft Windows directory and register it in the Microsoft Windows Registry.

1. Install the Secure Login Client.

2. Create the file usrlogon_slc.cmd in the Microsoft Windows directory.

3. Insert the following content:

usrlogon_slc.cmd

@ECHO OFF
rem starting Secure Login Client, remove the next line if you do not want the SLC to start automatically
start "Launch SLC" "%ProgramFiles(x86)%\SAP\FrontEnd\SecureLogin\bin\sbus.exe"
rem register CSP, remove the next two lines if no CSP/CAPI support is required
regsvr32.exe /s "%ProgramFiles(x86)%\SAP\FrontEnd\SecureLogin\lib\sbussto.dll"
regsvr32.exe /s "%ProgramFiles%\SAP\FrontEnd\SecureLogin\lib\sbussto.dll"

4. Add the script to the Microsoft Windows Registry so that the Secure Login Client starts automatically at logon. Open the Microsoft Windows Registry and go to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

5. Open the value AppSetup and append a reference to the file usrlogon_slc.cmd, using a comma as the separator (without any space).

Example:
Registry value name: AppSetup
Registry value: ctxhide.exe usrlogon.cmd,cmstart.exe,usrlogon_slc.cmd

Keep the sequence as shown in the example, because at logon the system runs the entries one after the other, and the existing Citrix entries (ctxhide.exe usrlogon.cmd and cmstart.exe) must stay in front of the new one. Note that AppSetup runs in the session of every user who logs on to the server, so usrlogon_slc.cmd must be writable by administrators only; the default permissions of the Microsoft Windows directory provide this as long as you do not loosen them.
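The same procedure as a script, added here as an example and not part of the SAP guide: it writes usrlogon_slc.cmd with the content of step 3, refuses to continue if the file is writable by non-administrators, and appends the entry to AppSetup exactly once. It assumes a 64-bit server with the Secure Login Client installed under the paths used above and must run in an elevated PowerShell session.

```powershell
# Added example (not from the SAP guide): registers usrlogon_slc.cmd with
# Winlogon\AppSetup on a XenApp server. Run in an elevated PowerShell session.
# Assumptions (mine, not the guide's): the Secure Login Client is installed
# under the paths the guide uses, and the server is 64-bit Windows.

$scriptName = 'usrlogon_slc.cmd'
$scriptPath = Join-Path $env:SystemRoot $scriptName
$winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Script body as given in section 5.2 (each command on one line).
$body = @'
@ECHO OFF
rem starting Secure Login Client, remove the next line if you do not want the SLC to start automatically
start "Launch SLC" "%ProgramFiles(x86)%\SAP\FrontEnd\SecureLogin\bin\sbus.exe"
rem register CSP, remove the next two lines if no CSP/CAPI support is required
regsvr32.exe /s "%ProgramFiles(x86)%\SAP\FrontEnd\SecureLogin\lib\sbussto.dll"
regsvr32.exe /s "%ProgramFiles%\SAP\FrontEnd\SecureLogin\lib\sbussto.dll"
'@
Set-Content -Path $scriptPath -Value $body -Encoding ASCII

# AppSetup runs for every user who logs on, so the script must not be
# writable by ordinary users. The file inherits the Windows directory ACL
# (administrators and SYSTEM write, users read/execute); verify that nothing
# weaker is present before wiring it into Winlogon.
$acl  = Get-Acl -Path $scriptPath
$weak = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
    (([int]$_.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::Write) -ne 0)
}
if ($weak) {
    throw "Refusing to register ${scriptPath}: writable by $($weak.IdentityReference -join ', ')"
}

# Append to AppSetup with a comma separator and no spaces; keep the existing
# Citrix entries in front and do not add the script twice.
$current = (Get-ItemProperty -Path $winlogon -Name AppSetup -ErrorAction SilentlyContinue).AppSetup
$entries = @()
if ($current) { $entries = $current -split ',' }
if ($entries -notcontains $scriptName) {
    $entries += $scriptName
    Set-ItemProperty -Path $winlogon -Name AppSetup -Value ($entries -join ',')
}
Write-Host "AppSetup is now: $((Get-ItemProperty -Path $winlogon -Name AppSetup).AppSetup)"
```

Run it once per XenApp server; re-running is harmless because the entry is only added if it is not already present. The ACL check is the security-relevant part: AppSetup executes in every user's logon session, so a script that an ordinary user could modify would give that user code execution in every other session on the server.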

5.3 Other Features

Start during Windows login

The Secure Login Client starts automatically when a user logs on to a Microsoft Windows operating system. Remember that this automatic startup increases memory and CPU consumption.

If you unselect the installation option Start during Windows login, the Secure Login Client does not start automatically.

Using Certificates for CAPI Applications

You only need this feature if you want to use certificates issued for CAPI applications by the Secure Login Server, for example for client authentication with Internet Explorer. The CSP/CAPI service is registered during the installation.

Downloading Policies from the Secure Login Server

To download client policies automatically from the Secure Login Server, install the Policy Download Agent feature.


6 Troubleshooting

This section describes some troubleshooting issues and how to solve them.

If you need to contact SAP support, provide the Secure Login Client trace information described in section 3 Secure Login Client Console – Log Console.

6.1 Error in SNC

Use Case: An SAP GUI user wants to authenticate to an SAP server using a Kerberos token or an X.509 user certificate.

Error Message: Miscellaneous failure. Error in SNC.

Checklist:

- If you are using a Kerberos token: verify that the user is authenticated in the Microsoft domain and that the Kerberos token is displayed in the Secure Login Client Console.
- If you are using an X.509 certificate: verify that the X.509 certificate is displayed in the Secure Login Client Console.
- Verify that the security token (Kerberos or certificate) is actually used. If several profiles exist, use the option Use Profile for SAP Applications to make sure that the desired profile is used.
- Verify that SNC is enabled in SAP GUI for the desired SAP server.
- Verify that the SNC name of the desired SAP server is configured in SAP GUI (saplogon.ini) and that it is correct (Kerberos name or X.509 certificate name). Note that the SNC name is case-sensitive.
- Verify that the environment variable SNC_LIB points to secgss.dll, for example C:\Program Files\SAP\FrontEnd\SecureLogin\lib\secgss.dll. The library must match the bitness of SAP GUI: a 32-bit SAP GUI can only load the 32-bit secgss.dll.


6.2 User Name Not Found

Use Case: An SAP GUI user wants to authenticate to an SAP server using a Kerberos token or an X.509 user certificate.

Error Message: No user exists with SNC name.

Checklist:

- This message means that the user mapping is not available or not configured correctly. Compare the distinguished name of the user certificate (or the Kerberos name) with the SNC name maintained for the user in SAP User Management (transaction SU01). Note that the SNC name is case-sensitive.
- There may also be another reason for this error. For more information, see SAP Note 1635019.

6.3 Invalid Security Token

Use Case 1: An SAP GUI user wants to authenticate to an SAP server using a Kerberos token or an X.509 user certificate.

Error Message: SAP system message S.

Checklist:

- Verify that SNC is configured on the SAP ABAP server.
- If the Secure Login Library is installed on the SAP ABAP server and used for SNC, enable the trace and verify the results. For more information, see the Installation, Configuration and Administration Guide for Secure Login Library.

Use Case 2: The Secure Login Client requests a service ticket from the domain controller.

Error Message: The system displays the following error message:

Supplied credentials not accepted by the server.

In the trace log of the Secure Login Client, you find the error code A2600202.

Checklist:

- If the Secure Login Client does not get a service ticket from the domain controller, check whether the Service Principal Name (SPN) it requests is registered on more than one account in Active Directory: the KDC rejects ticket requests for an SPN that is not unique. To find duplicates, run the following command on a domain member, where foo stands for the name of the domain to search (-X reports duplicate SPNs, -T selects the domains to search):

setspn -T * -T foo -X

6.4 Wrong SNC Library Configured

Use Case: An SAP GUI user wants to authenticate to an SAP server using a Kerberos token or an X.509 user certificate.

Error Message: Unable to load GSS-API DLL named "sncgss32.dll".

Checklist:

- The wrong SNC library (in this example sncgss32.dll) is assigned to SAP GUI. Check the environment variable SNC_LIB. For the Secure Login Client, the SNC library secgss.dll is used, for example C:\Program Files\SAP\FrontEnd\SecureLogin\lib\secgss.dll. Check also that the file exists and matches the bitness of SAP GUI, because any library that cannot be loaded produces the same message.
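The SNC_LIB checks from sections 6.1 and 6.4, as an added PowerShell example that is not part of the SAP guide. It reports SNC_LIB in the process, user and machine environment, checks that it names an existing secgss.dll of the right bitness, and lists the SNC names found in saplogon.ini. Assumptions of mine: SAP GUI is a 32-bit process, saplogon.ini lives under %APPDATA%\SAP\Common, and SNC names in it are the values that start with "p:"; adjust $IniPath if your SAP GUI stores the file elsewhere.

```powershell
# Added example, not part of the SAP guide: checks the SNC_LIB configuration
# described in sections 6.1 and 6.4 and lists the SNC names configured in
# saplogon.ini. Assumptions (mine): SAP GUI is a 32-bit process, so SNC_LIB
# must name a 32-bit secgss.dll, and SNC names in saplogon.ini are the values
# that start with "p:". $IniPath below is an assumed location.

function Get-DllBitness {
    param([string]$Path)
    # Read the PE header: e_lfanew at offset 0x3C points to "PE\0\0", and the
    # COFF Machine field follows the 4-byte signature (0x14c = x86, 0x8664 = x64).
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    $machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) { 0x14c { '32-bit' } 0x8664 { '64-bit' } default { 'unknown' } }
}

function Test-SncLib {
    # SAP GUI inherits SNC_LIB from the process, user, or machine environment;
    # report all three so a stale user-level setting cannot hide a machine one.
    foreach ($scope in 'Process', 'User', 'Machine') {
        $lib = [Environment]::GetEnvironmentVariable('SNC_LIB', $scope)
        if (-not $lib) { Write-Host "SNC_LIB ($scope): not set"; continue }
        $name = [System.IO.Path]::GetFileName($lib)
        if (-not (Test-Path -LiteralPath $lib)) {
            $status = 'file missing'
        } elseif ($name -ne 'secgss.dll') {
            $status = "wrong library ($name), expected secgss.dll"
        } else {
            $status = Get-DllBitness $lib   # must be 32-bit for a 32-bit SAP GUI
        }
        Write-Host "SNC_LIB ($scope): $lib -> $status"
    }
}

function Get-SncNames {
    param([string]$IniPath)
    # Minimal INI walk that collects every value that looks like an SNC name.
    $section = ''
    foreach ($line in Get-Content -LiteralPath $IniPath) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^=;]+?)\s*=\s*(p:.+?)\s*$') {
            [pscustomobject]@{ Section = $section; Item = $Matches[1]; SncName = $Matches[2] }
        }
    }
}

Test-SncLib
$IniPath = Join-Path $env:APPDATA 'SAP\Common\saplogon.ini'   # assumed location
if (Test-Path -LiteralPath $IniPath) {
    # SNC names are case-sensitive: compare these exactly with the server's name.
    Get-SncNames $IniPath | Format-Table -AutoSize
}
```

Run it in the user's session, not an elevated one, so that the process and user scopes reflect what SAP GUI actually sees. The bitness check matters because a 64-bit secgss.dll at an otherwise correct path fails to load in a 32-bit SAP GUI with the same message as a wrong library name.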


7 List of Abbreviations

Abbreviation Meaning

ADS Active Directory Service

CA Certification Authority

CAPI Microsoft Crypto API

CSP Cryptographic Service Provider

DN Distinguished Name

EAR Enterprise Application Archive

HTTP Hypertext Transfer Protocol

HTTPS Hypertext Transfer Protocol over Secure Sockets Layer (SSL)

IAS Internet Authentication Service (Microsoft Windows Server 2003)

JAAS Java Authentication and Authorization Service

JSPM Java Support Package Manager

LDAP Lightweight Directory Access Protocol

NPA Network Policy and Access Services (Microsoft Windows Server 2008)

PIN Personal Identification Number

PKCS Public Key Cryptography Standards

PKCS#10 Certification Request Standard

PKCS#11 Cryptographic Token Interface Standard

PKCS#12 Personal Information Exchange Syntax Standard

PKI Public Key Infrastructure

PSE Personal Security Environment

RADIUS Remote Authentication Dial In User Service

RFC Remote function call (SAP NetWeaver term)

RSA Rivest, Shamir and Adleman

SAR SAP Archive

SCA Software Component Archive

SLAC Secure Login Administration Console

SLC Secure Login Client

SLL Secure Login Library

SLS Secure Login Server

SLWC Secure Login Web Client

SNC Secure Network Communication (SAP term)

SSL Secure Sockets Layer


UPN User Principal Name

WAR Web Archive

WAS Web Application Server


8 Glossary

Authentication

A process that checks whether the person who logs on really is the person corresponding to the respective user. In a multi-user or network system, authentication means the validation of a user's logon information, for example by comparing the user's name and password against an authorized list or, as in this guide, by verifying a Kerberos token or an X.509 certificate.

Base64 encoding

Base64 encoding is three-byte to four-character encoding based on an alphabet of 64 characters. This encoding has been introduced in PEM (RFC1421) and MIME. Other uses include HTTP Basic Authentication headers and general binary-to-text encoding applications.

Note: Base64 encoding expands binary data by only about 33% (every three bytes become four characters), which makes it quite efficient as a text encoding.

CAPI

See Cryptographic Application Programming Interface

Certificate

A digital identity card. A certificate typically includes the following:

A public key being signed.

A name, which can refer to a person, a computer or an organization.

A validity period.

A location (URL) where revocation information for the certificate can be obtained.

A digital signature of the certificate produced by the private key of the CA.

The most common certificate standard is the ITU-T X.509.

Certification Authority (CA)

An entity that issues and verifies digital certificates to be used by other parties.

Certificate Store

Sets of security certificates belonging to user tokens or certification authorities.

CREDDIR

A directory on the server where information is placed that goes beyond the PSE (personal security environment).

Credentials

Used to establish the identity of a party in communication. Usually they take the form of machine-readable cryptographic keys and/or passwords. Cryptographic credentials may be self-issued, or issued by a trusted third party; in many cases the only reason for issuance is unambiguous association of the credential with a specific, real individual or other entity. Cryptographic credentials are often designed to expire after a certain period, although this is not mandatory.

Credentials have a defined time to live (TTL) that is configured by a policy and managed by a client service process.

Cryptographic Application Programming Interface (CAPI)

The Cryptographic Application Programming Interface (also known variously as CryptoAPI, Microsoft Cryptography API, or simply CAPI) is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Microsoft Windows-based applications using cryptography. It is a set of dynamically-linked libraries that provides an abstraction layer that isolates programmers from the code used to encrypt the data.

Cryptographic Token Interface Standard

A standardized crypto-interface for devices that contain cryptographic information or that perform cryptographic functions.

Directory Service

Provides information in a structured format. Within a PKI: Contains information about the public key of the user of the security infrastructure, similar to a telephone book (for example: an X.500 or LDAP directory).

Distinguished Name (DN)

A name pattern that is used to create a globally unique identifier for an entity (a person, a computer, or an organization). This name ensures that identical certificates are never created for different people with the same name. The uniqueness of the certificate is additionally ensured by the name of the issuer of the certificate (the certification authority) and a serial number. All PKI users require a unique name. Distinguished Names are defined in the ISO/ITU X.500 standard.

Key Usage

Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For instance, if a key is used only for signing, enable the digital signature and/or non-repudiation bits; if a key is used only for key management, enable key encipherment.

Key Usage (Extended)

Extended key usage further refines the key usage extension. The extended key usage extension is either critical or non-critical. If it is critical, the certificate must be used only for the indicated purpose or purposes; using it for any other purpose violates the policy of the CA.

If the extension is non-critical, it indicates the intended purpose or purposes of the key and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. The extension is only an information field and does not imply that the CA restricts the use of the key to the purpose indicated. Nevertheless, applications that use certificates may require that a particular purpose should be indicated for the certificate to be acceptable.
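A check for the user mapping in section 6.2 and for the key usage fields described here, as an added PowerShell example that is not part of the SAP guide. It lists every certificate in the user's CAPI store with the subject DN in SNC form, the key usage and extended key usage bits, and whether those extensions are marked critical. Assumption of mine: the X.509 SNC name maintained in SU01 is the subject DN prefixed with "p:", which is what the SncName field prints; the comparison in the SAP system is case-sensitive.

```powershell
# Added example, not part of the SAP guide: lists the certificates in the
# user's CAPI store with the fields that matter for the user mapping in
# section 6.2 and for the Key Usage entries of the glossary.
# Assumption (mine): the X.509 SNC name maintained in SU01 is the subject DN
# prefixed with "p:", so the SncName value below is what must match, and the
# comparison is case-sensitive.

function Get-SncCertificateInfo {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # .NET returns typed objects for the key usage and EKU extensions.
        $ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

        # Client Authentication EKU, OID 1.3.6.1.5.5.7.3.2. A critical EKU that
        # lacks it means the CA forbids using the certificate for logon at all;
        # a non-critical one is informational, but the relying application may
        # still require it.
        $clientAuth = $false
        if ($eku) {
            $clientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
        }

        [pscustomobject]@{
            SncName          = 'p:' + $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            HasPrivateKey    = $cert.HasPrivateKey
            KeyUsage         = $(if ($ku) { $ku.KeyUsages.ToString() } else { '(none)' })
            KeyUsageCritical = [bool]($ku -and $ku.Critical)
            ClientAuth       = $clientAuth
            EkuCritical      = [bool]($eku -and $eku.Critical)
        }
    }
}

# Expired certificates and certificates without a private key or without the
# DigitalSignature bit are the usual reasons for a mapping that looks right in
# SU01 but still fails, so keep those columns in view.
Get-SncCertificateInfo | Where-Object { $_.NotAfter -gt (Get-Date) } | Format-List
```

Compare the SncName column with the SNC name in SU01 character by character; if they differ only in letter case, that alone explains the "No user exists with SNC name" message. A certificate with HasPrivateKey set to False cannot be used for SNC even if the mapping is correct.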


Lightweight Directory Access Protocol (LDAP)

A network protocol designed to extract information such as names and e-mail addresses from a hierarchical directory such as X.500.

PKCS#11

PKCS refers to a group of Public Key Cryptography Standards devised and published by RSA Security. PKCS#11 is an API defining a generic interface to cryptographic tokens.

PEM

See Privacy Enhanced Mail.

Personal Identification Number (PIN)

A unique code number assigned to the authorized user.

Personal Information Exchange Syntax Standard

Specifies a portable format for saving or transporting a user's private keys, certificates, and other secret information.

Personal Security Environment

The PSE is a personal security area that every user requires to work with. It contains security-related information, including the user's certificate and the corresponding private key. The PSE can be either an encrypted file or a smart card and is protected with a password or PIN.

PIN

See Personal Identification Number.

Privacy-Enhanced Mail (PEM)

The first known use of Base 64 encoding for electronic data transfer was the Privacy-Enhanced Electronic Mail (PEM) protocol, proposed by RFC 989 in 1987. PEM defines a "printable encoding" scheme that uses Base 64 encoding to transform an arbitrary sequence of octets to a format that can be expressed in short lines of 7-bit characters, as required by transfer protocols such as SMTP.

The current version of PEM (specified in RFC 1421) uses a 64-character alphabet consisting of upper-case and lower-case Roman alphabet characters (A–Z, a–z), the numerals (0–9), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code. The original specification additionally used the "*" symbol to delimit encoded but unencrypted data within the output stream.

Public FSD

Public file system device. An external storage device that uses the same file system as the operating system.


Public Key Cryptography Standards

A collection of standards published by RSA Security Inc. for the secure exchange of information over the Internet.

Public Key Infrastructure

Comprises the hardware, software, people, guidelines, and methods that are involved in creating, administering, saving, distributing, and revoking certificates based on asymmetric cryptography. Is often structured hierarchically.

In X.509 PKI systems, the hierarchy of certificates is always a top-down tree, with a root certificate at the top, representing a CA that does not need to be authenticated by a trusted third party.

Root certification authority

The highest certification authority in a PKI. All users of the PKI must trust it. Its certificate is self-signed, that is, signed with its own private key, so it must be distributed to users over a trusted channel. There can be any number of intermediate CAs between a user certificate and the root certification authority. To check foreign certificates, a user requires the certificate path as well as the root certificate.

Root certificate

The certificate of the root CA.

RSA

An asymmetric cryptographic procedure developed by Rivest, Shamir, and Adleman in 1977. It is the most widely used algorithm for encryption and digital signatures and is built into most common browsers and mail tools. Its security depends on the key length: when this guide was written (2011), key lengths of 1024 bits or higher were regarded as secure; current guidance requires at least 2048 bits.

Secure Network Communications

A module in the SAP NetWeaver system that deals with the communication with external, cryptographic libraries. The library is addressed using GSS API functions and provides NetWeaver components with access to the security functions.

Secure Sockets Layer

A protocol developed by Netscape Communications for setting up secure connections over insecure channels. It provides authentication of the communication partners and the confidentiality, integrity, and authenticity of transferred data.

Single Sign-On

A system that administers authentication information so that a user can log on to systems and open programs without entering credentials every time (automatic authentication).


Token

A security token (or sometimes a hardware token, authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens.

Smart-Card-based USB tokens (which contain a smart card chip inside) provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device (smart card reader). From the point of view of the computer operating system, a token of this type is a USB-connected smart card reader with one non-removable smart card present.

Tokens provide access to a private key that allows the user to perform cryptographic operations. The private key can be persistent (like a PSE file, smart card, and CAPI container) or non-persistent (like temporary keys provided by Secure Login).

Windows Credentials

A unique set of information authorizing the user to access the Microsoft Windows operating system on a computer. The credentials usually comprise a user name, a password, and a domain name (optional).

X.500

A standardized format for a tree-structured directory service.

X.509

A standardized format for public key certificates and certificate revocation lists (CRLs).