
Believe in a higher level of IT security

SECUDE Secure Login 5.1 Installation, Administration and Usage Manual


Copyright

© 2010 SECUDE AG. All Rights Reserved.

This SECUDE-branded software and its corresponding documentation is the exclusive property of SECUDE AG of Emmetten, Switzerland and is protected under the various copyright laws around the world and by various other intellectual property laws. Use of this software and/or its documentation and any copying thereof by end users is subject to the terms of a license agreement with SECUDE AG. The wrongful use or copying of this software and/or documentation subjects infringers to both criminal and civil liabilities.

The SECUDE and FinallySecure trademarks are owned by SECUDE AG, protected internationally and used by SECUDE AG pursuant to an exclusive license. All other trademarks, service marks, and trade names referenced herein are the property of their respective owners.

ANY USE, COPYING, REPRODUCTION, ALTERATION, TRANSMISSION, OR TRANSLATION OF THESE MATERIALS, IN WHOLE OR IN PART, IN ANY FORM OR BY ANY MEANS, IS STRICTLY PROHIBITED WITHOUT THE PRIOR WRITTEN PERMISSION OF SECUDE AG. IF THIS MATERIAL IS PROVIDED WITH SOFTWARE LICENSED BY SECUDE, THE INFORMATION HEREIN IS PROVIDED SUBJECT TO THE TERMS OF THE WARRANTY PROVIDED WITH THE PRODUCT LICENSE. IF THIS MATERIAL IS NOT PROVIDED WITH LICENSED SOFTWARE, THE INFORMATION HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN EITHER CASE, THERE ARE NO OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR QUALITY. IN NO EVENT SHALL SECUDE AG OR ANY OF ITS AFFILIATES BE LIABLE FOR ANY DIRECT OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE MATERIALS AND/OR INFORMATION CONTAINED HEREIN. Some jurisdictions do not allow the exclusion of implied warranties, so the above exclusion may not apply to you.

SECUDE AG takes reasonable measures to ensure the quality of the data and other information produced herein. However, these materials may contain technical inaccuracies or typographical errors, and are not guaranteed to be error-free. Information may be changed or updated without notice. SECUDE AG has no obligation to update these materials based on changes to its products or services or those of third parties. SECUDE AG may also make improvements or changes to the products or services described in this information at any time without notice. SECUDE AG frequently releases new versions of its software and updates them. Therefore, images shown in this document may be slightly different from what you see on your screen.

As with any security product, SECUDE AG highly recommends the back up of data as well as passwords on a regular basis. SECUDE AG is not responsible for the loss of passwords or data that cannot be retrieved based upon a user's failure to adhere to stringent backup and safe-keeping conventions.

SECUDE

SECUDE AG, Bergegg 1, 6376 Emmetten, NW, Switzerland. P: +41 (0) 44 575 19-00, F: +41 (0) 44 575 19-75

SECUDE IT Security GmbH, Goebelstrasse 21, 64293 Darmstadt, Germany. P: +49 (0)6151 82897-0, F: +49 (0)6151 82897-26

SECUDE IT Security, LLC, 380 Sundown Drive, Dawsonville, GA 30524, USA. P: +1 (706) 216 8609, F: +1 (706) 216 4696

Sales Europe: [email protected], Sales US: [email protected]
Support Europe: [email protected], Support US: [email protected]
Documentation: [email protected]
www.secude.com, www.finallysecure.com


Table of Contents

1 What is SECUDE Secure Login? 11
2 System Overview 12
2.1 System Overview with PKI 13
2.1.1 Main System Components 13
2.1.2 Authentication Method 13
2.1.3 Workflow 14
2.1.4 Secured Communication for SAP 15
2.2 System Overview with SECUDE Secure Login Server 16
2.2.1 Main System Components 16
2.2.2 Authentication Method 17
2.2.3 Instances 18
2.2.4 PKI Structure 19
2.2.5 Workflow 20
2.2.6 Secure Communication 21
2.3 Methods of Authentication in SECUDE Secure Login 22
2.3.1 Active Directory Server (ADS) Authentication 23
2.3.2 RADIUS / RSA Authentication 24
2.3.3 SAP ID Authentication 25
2.3.4 SAP Logon Ticket Authentication 28
2.3.5 SQL Database Authentication 28
2.4 Policy Server Overview 30
2.5 Secure Login Web Client 31
3 Server Installation, Configuration, and Removal 32
3.1 Prerequisites 33
3.1.1 Hardware Requirements 33
3.1.2 Software Requirements 33
3.2 Preparing the Server for Installation 34
3.3 Installation Procedure for Apache Tomcat-based Server Installations 35
3.3.1 Option to Configure SSL in Tomcat 36
3.3.2 Test the SSL Connection for Tomcat 36
3.3.3 Single Sign-On for the Administration Console (Tomcat Only) 37
3.4 Installation Procedure for BEA Weblogic-based Server Installations 40
3.5 Installation Procedure for SAP NetWeaver-based Server Installations 42
3.5.1 Configure the System Environment (only for SAP ID-Based Logon) 43
3.5.2 Configure the Authentication Server in SAP NetWeaver 49
3.5.3 Test the SSL Connection 53
3.6 Initialization and Configuration for ADS, LDAP, RADIUS, SAP ID, SAP Ticket, and Database Module 54
3.6.1 Step 1 - Initial Installation 54
3.6.2 Step 2 – Server-Specific Quick Initialization 56
3.6.3 Step 2 – Multiple Authentication Server Initialization – Expert Mode (Wizard) 63
3.6.4 Step 3 - Configure Authentication Server Communication 84
3.6.5 Step 4 - Test SECUDE Secure Login Server 90
3.7 Remove SECUDE Secure Login Server 91
3.7.1 Remove SECUDE Secure Login Server - Tomcat 91
3.7.2 Remove SECUDE Login Server – BEA Weblogic 92


3.7.3 Remove SECUDE Secure Login Server - SAP NetWeaver 92
4 Client Installation, Configuration, and Removal 94
4.1 Prerequisites 95
4.1.1 Hardware Requirements for SECUDE Secure Login Client 95
4.1.2 Software Requirements for SECUDE Secure Login Client 95
4.2 SECUDE Secure Login Client Preparation 96
4.3 Client Rollout 97
4.3.1 Installation 98
4.3.2 Command Line Options to Influence the MSI Setup 103
4.4 Remove SECUDE Secure Login Client 106
5 Secure Login plus Web Client - Installation, Usage, and Removal 109
5.1 Prerequisites 110
5.2 Preparing the Server for Installation 111
5.3 Install and Configure the Web Client 112
5.3.1 Web Client installation on Tomcat 112
5.3.2 Web Client Installation on NetWeaver 114
5.4 Use the Web Client 115
5.4.1 Configure SSL Trust for the Web Client Java Applet 116
5.5 Remove the Web Client 117
6 Administration 119
6.1 Administration Console 119
6.1.1 Open the Console 119
6.1.2 Change the Administrator/User Password 122
6.1.3 Server Configuration 124
6.1.4 Certificate Management 128
6.1.5 Authentication Management 131
6.1.6 TrustStore Management 141
6.1.7 Certificate Template 143
6.1.8 System Check 149
6.1.9 Backup/Restore 150
6.1.10 Change Language 155
6.1.11 Message Setting 156
6.1.12 SSS&JCO Installation 158
6.1.13 Server Status 162
6.1.14 Sign Certificate Requests 163
6.1.15 Console Log Viewer 165
6.1.16 Web Client Configuration 166
6.2 Email Report&Alert Configuration 177
6.3 Instance Management 178
6.3.1 Instance Configuration 179
6.3.2 Customizing With User-Defined Properties 181
6.3.3 Client Configuration 183
6.3.4 Instance Log Management 192
6.3.5 Instance Check 196
6.3.6 Instance Status 197
6.4 Console Users 198
6.4.1 User Management 199
6.4.2 Role Management 202


6.4.3 Locked Files Management 205
6.5 Other Administration Features 206
6.5.1 Status Query via an Internet Browser 206
6.5.2 Secure Login Web Service Status Query 207
6.5.3 XML Interface 209
7 Troubleshooting 211
7.1 How to use Unlimited Key Length Policies 212
7.2 Log Files 213
7.2.1 Daily Log File 213
7.2.2 Monthly Log File 215
7.3 Turning Tracing On/Off 215
7.4 SECUDE Secure Login Server Lock and Unlock 216
7.5 Setting the Correct Environment Variables for SAP ID-Based Logon 217
7.6 Problems with the Client URL 218
7.7 Implement an SSL.PSE-Based TrustStore for HTTPS 218
7.8 'Access Denied' Replies 219
7.9 Why the Secure Login Instance/Server is Locked 219
7.10 Password Expiry Warnings on Sun LDAP (1) 220
7.11 Password Expiry Warnings on Sun LDAP (2) 220
7.12 Secure Login Server Cannot Establish an SNC Connection to the SAP Server 221
7.13 Administration Console Pages Appear 'broken' 221
7.14 Problem Loading the GSS Library (SAP-ID Module) 222
7.15 Blank Page when Logging into the Secure Login Administration Console 223
7.16 Users Cannot be Successfully Authenticated to any JAAS Module 227
7.17 Enable Remote Access to Initialize and Configure Secure Login Server 229
7.18 Problems Accessing the Administration Console or the Web Client via Firefox 229
7.19 Error Message when viewing Certificate Details using Firefox 3 230
8 Error and Return Codes 231
8.1 ADS Authentication Errors 232
8.2 RSA Authentication Errors 232
8.3 SAP ID Error Codes and Return Codes 232
8.3.1 Authentication-based Codes 232
8.3.2 Password Change Related Codes 233
8.3.3 Connectivity Related Codes 233
8.4 Stacktrace Error Codes 234
8.5 Common Errors 236
8.6 CERT Errors 237
8.7 PSE Errors 237
9 Appendix 238
9.1 Client Policy 239
9.1.1 ClientPolicy.xml File Registry Keys and Values 239
9.1.2 ClientPolicy.xml File Example 240
9.1.3 Wildcards in Distinguished Names for the PSEURI Attribute 244
9.1.4 Configuring Secure Login with Microsoft Group Policies 245
9.2 Configurable Properties 246
9.2.1 Files that Contain Configurable Properties 246
9.2.2 Web.xml File 247
9.2.3 Configuration.properties File 248


9.2.4 JAAS Module Configuration Files 253
9.2.5 Files for Server Message Configuration 262
9.3 Secure Login Client Registry Values 264
9.4 Key Usage Reference 266
10 List of Abbreviations 267


Preface

About this Manual

This manual describes the administration tasks necessary to install, configure, and run SECUDE Secure Login 5.1.1.

Target Audience

This manual is targeted at the system and security administrators responsible for the installation and maintenance of Secure Login. It is necessary to have the following knowledge to complete the tasks set in this manual:

- Security knowledge!

For a list of hardware and software requirements for the Secure Login Client installation, refer to section 4.1 on page 95.

For a list of hardware and software requirements for the Secure Login Server installation, refer to section 3.1 on page 33.

Related Documentation

The following documentation is available for SECUDE Secure Login:

- This manual.
- The SECUDE signon&secure Server installation manual.
- SECUDE Secure Login 5.1 Release notes.
- Secure Network Communications, SNC User Manual, version 1.2; SAP AG; Walldorf.


Contents

This manual contains the following chapters:

Chapter 1 'What is SECUDE Secure Login?', on page 11
This chapter presents Secure Login.

Chapter 2 'System Overview', on page 12
This chapter provides an overview of the overall system architecture and the principal workflow. It also details the specific system architecture and workflow for the authentication methods supported by Secure Login: ADS, RADIUS/RSA, and SAP ID-based logon.

Chapter 3 'Server Installation, Configuration, and Removal', on page 32
This chapter describes the installation of the SECUDE Secure Login Server.

Chapter 4 'Client Installation, Configuration, and Removal', on page 94
This chapter describes the configuration and installation of the SECUDE Secure Login Client.

Chapter 5 'Secure Login plus Web Client - Installation, Usage, and Removal', on page 109
This chapter details the SECUDE Secure Login Web Client.

Chapter 6 'Administration', on page 119
This chapter details how to monitor the SECUDE Secure Login Server.

Chapter 7 'Troubleshooting', on page 211
This chapter describes the SECUDE Secure Login Server features for logging and error recovery.

Chapter 8 'Error and Return Codes', on page 231
This chapter describes error and return codes, their meaning, and possible corrections.

Chapter 9 'Appendix', on page 238
This chapter contains various advanced details an administrator may need to configure Secure Login.

Chapter 10 'List of Abbreviations', on page 267
This chapter lists the abbreviations used in the manual.

A glossary and index are provided at the end of this manual.


Conventions used in this Manual

Style: Meaning

Bold: Emphasis; defined terms.
Italics: References, especially when referring to another manual's title; application or company names, such as Windows or SECUDE; important information appearing in notes, warnings, and hints.
Monospace: Package names; filenames and directory names; XML element names and attribute names; method names; variables; parameters; code examples.
Monospace italics: Replaceable elements within user input.
Monospace bold: Main element in a syntax description.
Initial Capital Letters: Tool names; product names.
<Pointed brackets>: Code elements (i.e. XML).
[Square brackets]: Options within a syntax description.
…|…: "or" within a syntax description.
Blue text: Elements of the graphical user interface; action sequences such as "Menu>Submenu" or "select Option X"; Internet links; cross references such as "see section 2.1".


Icons and Step Indication in this Manual

Notes

Notes contain detailed information about a topic and are of direct importance to the subject at hand. Notes are displayed in italic text, with a pen/paper icon to the left of the text body.

Warnings

A warning will contain information about circumstances, parameters, and so on that MUST be fulfilled. Failure to comply will have consequences for the current operation. Warnings are displayed in italic text with a warning icon to the left of the text body.

Hints

Hints contain useful information about the operation of the application. Hints are displayed in italic text, with a light bulb icon to the left of the text body.

Steps/Procedures

Procedures indicate the steps necessary to perform a task. They are displayed in normal text, with a light grey background.

Contacting Technical Support

For technical assistance contact SECUDE Support:

Phone: +49 (0)6151 82897 33
Fax: +49 (0)6151 82897 26
E-mail: [email protected] (Europe and Asia), [email protected] (USA)
Web: http://www.secude.com/htm/338/en/Support.htm

When you want to open a support case, please provide as much of the following information as possible (error information needed by support will vary between products):

- Name (customer or partner) and contract number
- Name of SECUDE product plus version and service pack
- Involved and relevant third-party products plus versions
- The hardware on which the product is running plus Operating System + service pack
- Date, time, and description of the error
- Is the error reproducible? If yes, state the steps necessary to reproduce the error
- Corresponding log files generated during operation
- Any other information necessary to reproduce the error
- Error priority:

Priority: Description

Critical: Loss of data within SECUDE application, severe memory leak, application crashes.
Major: The SECUDE application has a major loss of functionality.
Normal: The SECUDE application loses some functionality without a severe impact on the overall stability or data integrity.
Minor: The SECUDE application suffers minor functionality loss, or other problems in which an easy workaround is present.
Trivial: 'Look and feel' problems such as misspelled words or misaligned text.
Enhancement: Request for an enhancement to the SECUDE application.


1 What is SECUDE Secure Login?

Introduction

SECUDE Secure Login is an innovative software solution created specifically to improve user and IT productivity and to protect business-critical data in SAP business solutions through secure single sign-on to the SAP environment.

SECUDE Secure Login, together with SECUDE signon&secure, provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components, including but not limited to:

- SAPGUI and SAP NetWeaver platform via Secure Network Communications (SNC)
- Web browsers and SAP Portal (via Secure Socket Layer – SSL)
- Other SAP components such as SAP NetWeaver Java, SAP ITS, SAP Router, SAP LPD

Scope of secure communication

In a standard SAP setup, users enter their SAP user name and password into the SAPGUI logon screen. SAP user names and passwords are transferred through the network without encryption.

To help secure networks, SAP provides a 'Secure Network Communications' module (SNC) that enables users to log in to SAP systems without entering a user name or password. The SNC module can also pass calls through a third-party crypto-library to encrypt all communication between the SAPGUI and SAP Server, thus providing secure single sign-on to SAP.

SECUDE Secure Login is the third-party crypto-library of choice for SAP. It uses session keys to encrypt the communication, and digital user certificates (X.509) for user authentication.

Authentication mechanisms

SECUDE Secure Login allows you to benefit from the advantages of SNC without the need to set up a Public Key Infrastructure (PKI). SECUDE Secure Login allows users to authenticate via one of the following authentication mechanisms:

- Windows logon information
- Radius and RSA Token (one-time password)
- LDAP
- SAP user ID and password
- SAP Logon Ticket
- SQL Database
- Smart card and PIN

If a PKI has already been set up, then the digital user certificates of the PKI can also be used by SECUDE Secure Login. Further authentication mechanisms can be supported on request – please contact SECUDE support.

Access methods

SECUDE Secure Login also saves time in that, with the optional single sign-on, a user does not need to re-authenticate every time a new SAP application is opened or a different SAP Server is used. It also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) via SSL.


2 System Overview

Introduction

This chapter describes the SECUDE Secure Login architecture and concepts that are valid for all product variants.

The product

SECUDE Secure Login is a Client/Server software system integrated with SAP software to facilitate single sign-on, alternative user authentication, and enhanced security for distributed SAP environments.

The SECUDE Secure Login Client is split into two variants:

- A stand-alone Client (Windows only). The SECUDE Secure Login Client can either be used with an existing public key infrastructure (PKI) or, together with the SECUDE Secure Login Server, it can be used for certificate-based authentication without having to set up a PKI. The stand-alone SECUDE Secure Login Client can use the following authentication methods:
  - Smart cards and USB tokens with an existing PKI certificate: SECUDE Secure Login Server and Authentication Server are not necessary.
  - Microsoft Crypto Store: SECUDE Secure Login Server and Authentication Server are not necessary.
  - Windows credentials (without user interaction): the user is authenticated via their Windows credentials (user name, domain, password), which the user entered during Windows login. No SECUDE Secure Login dialog box appears to ask for these values.
  - Username and password: the Client prompts for user name and password (e.g. with RSA SecurID) and authenticates with these credentials via the SECUDE Secure Login Server.
  All of these authentication methods can be used in parallel. A policy Server provides profiles that specify how to log in to the intended SAP system.
- A Web Client (via an Internet browser on almost any system). At the heart of the Web Client is a signed Java applet. This means that the Internet browser will display a Java warning prompting you to confirm the applet's signing certificate. If you decide not to trust the certificate, the applet will still run but the warning will reappear when you next log on. If you decide to trust the certificate, the warning will not reappear. The SECUDE Secure Login Web Client has the same authentication methods as the stand-alone Client but with the following limited functionality:
  - No single sign-on to SAP
  - No policy configuration
  - Only one instance can be used at any one time

Sections in this chapter

Section 2.1 'System Overview with PKI' on page 13
Section 2.2 'System Overview with SECUDE Secure Login Server' on page 16
Section 2.3 'Methods of Authentication in SECUDE Secure Login' on page 22
Section 2.4 'Policy Server Overview' on page 30


2.1 System Overview with PKI

The SECUDE Secure Login Client is integrated with SAP software to provide single sign-on capability and enhanced security. An existing PKI structure can be used to create certificates for user authentication.

2.1.1 Main System Components

The following figure shows the SECUDE Secure Login system environment with the main system components if an existing PKI structure is used:

Figure 2-1 SECUDE Secure Login system environment with existing PKI

Client

The SECUDE Secure Login Client is responsible for the certificate-based login to the SAP application Server and encryption of the SAP Client/Server communication.

Policy Server

The policy Server provides profiles that specify how to log in to the intended SAP system.

2.1.2 Authentication Method

In a system environment without SECUDE Secure Login Server, the SECUDE Secure Login Client supports the following authentication methods:

- Smart cards and USB tokens with an existing PKI certificate
- Microsoft Crypto Store


2.1.3 Workflow

The following figure shows the principal workflow and communication between the individual components:

Figure 2-2 Principal workflow between components

1. Upon connection start, the SECUDE Secure Login Client retrieves the SNC name from the SAP Server.
2. The SECUDE Secure Login Client uses the authentication profile for this SNC name.
3. The SECUDE Secure Login Client receives the authentication data from the user login token.
4. The user unlocks the login token by entering the PIN.
5. The SECUDE Secure Login Client provides the authentication data for SAP single sign-on and secure communication between SAP Client and Server.
6. SAP GUI and NetWeaver Platform use SNC for secure communication. SAP Web Client and SAP EP Server/SAP WAS use SSL for secure communication.


2.1.4 Secured Communication for SAP

Secure communication is established between all system components.

Figure 2-3 Secure communication for SAP

Secure communication between SAP GUI and SAP Server

Communication between the SAP GUI and the SAP NetWeaver Platform is protected using the SECUDE Secure Login Client. This product integrates itself into the network interface of any SAP process through the SAP SNC (Secure Network Communication) module. It enables certificate-based authentication among SAP components. For example, an SAP Client can authenticate itself using its certificate on the SAP application Server, and vice versa. Communication takes place over a secure channel.

Secure communication between Internet Explorer and Web Server

The communication between Microsoft Internet Explorer and a Web Server can be secured using SSL. The Web Server authenticates itself to the Web browser with its Server certificate (Server authentication). In addition, the Web browser authenticates itself to the Web Server with the user certificate (Client authentication).

Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto-engines. The SECUDE Crypto Service Provider (SECUDE CSP) is such a plug-in. It provides the user keys to all CAPI-enabled applications.


2.2 System Overview with SECUDE Secure Login Server

Introduction

The SECUDE Secure Login Client/Server system is combined with an Authentication Server and the SAP system to facilitate authentication and to enhance security.

Using the SECUDE Secure Login Client/Server system, it is possible to use certificate-based authentication without having to set up a PKI.

Contents

Section 2.2.1 'Main System Components', on page 16
Section 2.2.2 'Authentication Method', on page 17
Section 2.2.3 'Instances', on page 18
Section 2.2.4 'PKI Structure', on page 19
Section 2.2.5 'Workflow', on page 20
Section 2.2.6 'Secure Communication', on page 21

2.2.1 Main System Components

The following figure shows the SECUDE Secure Login system environment with the main system components:

Figure 2-4 SECUDE Secure Login system environment

Client

The SECUDE Secure Login Client is the Client part of the Client/Server system. It is responsible for the certificate-based login to the SAP application Server and encryption of the SAP Client/Server communication.

Server

The SECUDE Secure Login Server is the central Server component that connects all parts of the system. It enables authentication against an Authentication Server and provides the SECUDE Secure Login Client with a temporary certificate. This certificate contains the user data and the public key to authenticate the user to the SAP application Server.

The SECUDE Secure Login Server is a pure Java application. It consists of a servlet and a set of associated classes and shared libraries. It runs in a Server environment in combination with an application Server (such as SAP NetWeaver) or a Web Server with a servlet engine (such as Tomcat).

Policy Server

The policy Server provides profiles that specify how to log in to the intended SAP system.


2.2.2 Authentication Method

Introduction

SECUDE Secure Login supports several authentication methods. It uses the Java Authentication and Authorization Service (JAAS) as a generic interface for the different authentication methods. For each supported method, there is a corresponding configurable JAAS module.

Supported Authentication Methods

The following authentication methods are supported:

- Microsoft Active Directory Service (ADS)
- RSA SecurID Token
- RADIUS
- SAP ID-based logon
- SAP Logon Tickets
- SQL Database Tables
- Third-party JAAS module

For information on how to use a specific third-party JAAS module, refer to the proprietary documentation.

Figure 2-5 SECUDE Secure Login Server with JAAS interface


2.2.3 Instances

The SECUDE Secure Login instances feature allows multiple instances of Secure Login to run on the same Server. The main advantage of using instances is that the time spent on maintaining Secure Login is reduced to a minimum. If you want the single-Server functionality of Secure Login version 4.2 you need only use a single instance.

SECUDE Secure Login Server instances can use a common PSE file for one or more instances, or you can set an individual PSE for each instance.

The SECUDE Secure Login Client authentication profiles can be configured to use different SECUDE Secure Login Server instances for different authentication methods, or different user groups can be assigned to a Server instance according to access rights/type. For example:

Figure 2-6 Instances example

Failover

It is still possible to use several SECUDE Secure Login Servers and/or Authentication Servers for failover. SECUDE Secure Login Server can connect to more than one Authentication Server (all of which use the same authentication method).

Further Information

For details about how to configure instances via the Administration Console see section 6.2 on page 177.


2.2.4 PKI Structure

Introduction

SECUDE Secure Login creates standard X.509 certificates to authenticate users to the

SAP application Server and to encrypt the Client/Server communication. These user

certificates are generated on demand and have only a limited lifetime. Therefore, it is not

necessary to set up and administrate a standard PKI.

Nevertheless, SECUDE Secure Login needs two PKIs for the following two scenarios:

Secure communication between the SECUDE Secure Login Server and Client:

The Web Server needs a certificate for the SSL connection between the SECUDE

Secure Login Client and Server. The SECUDE Secure Login Client must verify the

certificate of the Web Server.

Secure communication between the SAP Client and SAP Server

The SAP Server needs a certificate to communicate securely with the SAP GUI.

The recommended simple PKI can be setup via the Administration Console.

Simple PKI

Structure

Many possible PKI hierarchies meet the SECUDE Secure Login demands. The following

figure shows the simplest approach. It also complies with the convention that one CA

should only issue one kind of certificate.

Figure 2-7 Simple PKI structure

Trust

Hierarchy

Each application Server (such as Tomcat or SAP NetWeaver) with a running SECUDE Secure Login Server needs an SSL Server certificate issued by the “SSL CA” shown in the previous figure, together with the corresponding key pair. With this SSL certificate, the Server can be authenticated by the SECUDE Secure Login Client and the communication between the SECUDE Secure Login Server and Client can be encrypted. The SECUDE Secure Login Client must hold a trusted copy of this SSL Server certificate, or of the CA certificate that issued it, in order to verify the SECUDE Secure Login Server certificate.

Each SAP application Server needs a key pair and a certificate from the “SAP CA”. This Server certificate is used to authenticate the SAP application Server and to set up the encrypted SNC channel between the SAP application Server and the SAP GUI Client. The SAP GUI must have a copy of the root CA certificate in order to verify the Server certificate (and the SAP CA certificate above it) that the SAP application Server presents.

The “User CA” (which issues each of the Client certificates: User 1, User 2, …, User n) is included as part of the SECUDE Secure Login Server. The User CA key pair and certificate, with which each Client certificate is signed, are stored in a personal security environment (PSE).


2.2.5 Workflow

The following figure shows the principal workflow and communication between the

individual components:

Figure 2-8 Principal workflow

1. Upon connection start, the SECUDE Secure Login Client gets the SNC name from the

SAP Server.

2. The SECUDE Secure Login Client uses the Client policy for this SNC name. The Client

policy is either static (i.e. the Client policy information is set in the Windows registry),

or the policy information is retrieved dynamically from the Secure Login Server.

For further information about how to download the relevant files for a static or

dynamic Client policy see section 6.3.3 „Client Configuration‟ on page 183.

3. The SECUDE Secure Login Client receives the user's logon credentials as authentication data.

4. In addition, the SECUDE Secure Login Client generates an RSA key pair.

5. The SECUDE Secure Login Client sends the authentication data and the certification

request for the public key of the RSA key pair to the SECUDE Secure Login Server.

This connection is secured using SSL.

6. The SECUDE Secure Login Server forwards the authentication data to the

Authentication Server using a secure connection.

The Authentication Server informs the SECUDE Secure Login Server whether

authentication has been successful.

7. If authentication is successful, the SECUDE Secure Login Server generates a

temporary user certificate based on the user‟s public key and identification.

The certification reply is transferred from the SECUDE Secure Login Server to the

SECUDE Secure Login Client. The certification reply also contains necessary additional

certificates from the certificate chain.

8. The SECUDE Secure Login Client provides the certificate for SAP single sign-on and

secure communication between SAP Client and Server.

9. SAP GUI and NetWeaver Platform use SNC for secure communication. SAP Web Client

and SAP EP Server/SAP WAS use SSL for secure communication.
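The following Python script is an added example and not part of the SECUDE product or of this manual. It builds the simple PKI of Figure 2-7 (a root CA with an SSL CA, a SAP CA and a User CA beneath it) with the openssl command-line tool, issues a one-day user certificate from a Client-generated RSA key pair and certification request as in steps 4 to 7 above, and then performs the verifications that the Client and the SAP GUI have to perform against their copy of the root certificate. All file names, host names and subject names are assumptions, and the openssl binary must be on the PATH.

```python
"""Added example (not SECUDE code): build the "simple PKI" of Figure 2-7 with
the openssl command-line tool and exercise the trust relationships described
in sections 2.2.4 and 2.2.5.  All file, host and subject names are assumptions
made for this example; the openssl binary must be on PATH."""
import os
import subprocess
import tempfile
from datetime import datetime

# Root CA may sign sub-CAs; the three issuing CAs may only sign end-entity certs.
ROOT_EXT = "basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n"
SUBCA_EXT = ("basicConstraints=critical,CA:TRUE,pathlen:0\n"
             "keyUsage=critical,keyCertSign,cRLSign\n")
SERVER_EXT = ("basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n"
              "extendedKeyUsage=serverAuth\n")
USER_EXT = ("basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n"
            "extendedKeyUsage=clientAuth\n")


def _openssl(*args):
    return subprocess.run(["openssl", *args], capture_output=True, text=True)


def new_key_and_csr(workdir, name):
    """Workflow steps 4-5: generate an RSA key pair and a PKCS#10 request for it."""
    key = os.path.join(workdir, name + ".key")
    csr = os.path.join(workdir, name + ".csr")
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-keyout", key, "-out", csr, "-subj", "/CN=" + name).check_returncode()
    return key, csr


def sign_csr(workdir, name, csr, ext, days, signer_key, signer_cert=None):
    """Issue a certificate for `csr` valid for `days`.  Without signer_cert the
    request is self-signed (root CA); otherwise signer_key/signer_cert is the CA."""
    crt = os.path.join(workdir, name + ".pem")
    extfile = os.path.join(workdir, name + ".ext")
    with open(extfile, "w") as f:
        f.write(ext)
    args = ["x509", "-req", "-in", csr, "-out", crt, "-days", str(days),
            "-sha256", "-extfile", extfile]
    if signer_cert is None:
        args += ["-signkey", signer_key]
    else:
        args += ["-CA", signer_cert, "-CAkey", signer_key, "-CAcreateserial"]
    _openssl(*args).check_returncode()
    return crt


def build_simple_pki(workdir):
    """Root CA, the SSL/SAP/User CAs beneath it, and one server certificate each
    for a Secure Login Server (Web Server) and an SAP application Server."""
    pki = {}
    root_key, csr = new_key_and_csr(workdir, "root_ca")
    pki["root"] = sign_csr(workdir, "root_ca", csr, ROOT_EXT, 3650, root_key)
    for ca in ("ssl_ca", "sap_ca", "user_ca"):
        key, csr = new_key_and_csr(workdir, ca)
        pki[ca] = sign_csr(workdir, ca, csr, SUBCA_EXT, 1825, root_key, pki["root"])
        pki[ca + "_key"] = key
    for host, ca in (("sls.example.test", "ssl_ca"), ("sapas.example.test", "sap_ca")):
        _, csr = new_key_and_csr(workdir, host)
        pki[host] = sign_csr(workdir, host, csr, SERVER_EXT, 365, pki[ca + "_key"], pki[ca])
    return pki


def issue_user_certificate(workdir, pki, user_id, days=1):
    """Workflow steps 4-7: the Client makes key pair and CSR, the User CA built
    into the Server answers with a short-lived certificate."""
    key, csr = new_key_and_csr(workdir, user_id)
    crt = sign_csr(workdir, user_id, csr, USER_EXT, days, pki["user_ca_key"], pki["user_ca"])
    return key, crt


def verify_chain(trust_anchor, intermediate, leaf):
    """What the Client or SAP GUI does with its copy of the root certificate:
    validate `leaf` through the intermediate delivered in the certification reply."""
    result = _openssl("verify", "-CAfile", trust_anchor, "-untrusted", intermediate, leaf)
    return result.returncode == 0


def validity_days(cert):
    """Length of the validity period in whole days (notAfter - notBefore)."""
    out = _openssl("x509", "-noout", "-startdate", "-enddate", "-in", cert).stdout
    dates = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
    fmt = "%b %d %H:%M:%S %Y GMT"
    return (datetime.strptime(dates["notAfter"], fmt)
            - datetime.strptime(dates["notBefore"], fmt)).days


def demo():
    """Build everything in a scratch directory and return the trust checks."""
    with tempfile.TemporaryDirectory() as d:
        pki = build_simple_pki(d)
        _, user_crt = issue_user_certificate(d, pki, "user1", days=1)
        return {
            "client_trusts_sls": verify_chain(pki["root"], pki["ssl_ca"], pki["sls.example.test"]),
            "gui_trusts_sap_as": verify_chain(pki["root"], pki["sap_ca"], pki["sapas.example.test"]),
            "sap_as_trusts_user": verify_chain(pki["root"], pki["user_ca"], user_crt),
            "wrong_chain_rejected": not verify_chain(pki["root"], pki["ssl_ca"],
                                                     pki["sapas.example.test"]),
            "user_cert_days": validity_days(user_crt),
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

Run the script directly to print the checks. The wrong_chain_rejected case shows why the certification reply in step 7 has to carry the intermediate CA certificates: a verifier that only holds the root cannot build the path from the leaf to that root without the issuing CA certificate and rejects the leaf, even though it was legitimately issued inside the same hierarchy.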


2.2.6 Secure Communication

Secure communication is established between all system components:

Figure 2-9 Secure communication

Communication Between SECUDE Secure Login Client and Server

Format

The communication between the Client and the Server uses SSL. The administrator must

configure the URL, including the port number of the Server, on the Clients.

Security

An SSL connection is necessary for secure communication. The SSL connection is

established using the certificate of the SECUDE Secure Login Server (Server

authentication).

Reliability

For an SSL connection, the SECUDE Secure Login Client must be configured to trust the

Server certificate. A list of SECUDE Secure Login Servers can be configured. If the Client

cannot reach a Server after a configurable time, it tries to connect to the next Server on

the list.

Communication Between SECUDE Secure Login Server and Authentication Server

Security

The communication between SECUDE Secure Login Server and Authentication Server must be secured. This is important because the user's credentials (e.g. user ID and password) are sent over this connection.

Reliability

A list of Authentication Servers can be configured in the SECUDE Secure Login Server. If

the SECUDE Secure Login Server cannot reach an Authentication Server after a

configurable time, it tries to connect to the next Server on the list.

Communication Between SAP GUI and SAP Server

Security

Communication between SAP GUI and the SAP NetWeaver Platform is protected using the

SECUDE Secure Login Client. This product integrates itself into the network interface of

any SAP process through the SAP SNC (Secure Network Communication) module. It

enables certificate-based authentication among SAP components. For example, an SAP

Client can authenticate itself using its certificate on the SAP application Server, and vice

versa. Communication takes place over a secure channel.


Communication Between Internet Explorer and Web Server

Security

The communication between Microsoft Internet Explorer and a Web Server can be secured using SSL. The Web Server authenticates itself to the Web browser with its Server certificate (Server authentication). In addition, the Web browser authenticates itself to the Web Server with the user certificate (Client authentication).

Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic

operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto

engines. SECUDE Crypto Service Provider (SECUDE CSP) is such a plug-in. It provides the

user keys to all CAPI-enabled applications.

2.3 Methods of Authentication in SECUDE Secure Login

Introduction

This chapter details each of the authentication methods supported by Secure Login.

Contents

Section 2.3.1 „Active Directory Server (ADS) Authentication‟, on page 23

Section 2.3.2 „RADIUS / RSA‟, on page 24

Section 2.3.3 'SAP ID‟, on page 25

Section 2.3.4 „SAP Logon Ticket Authentication‟, on page 28

Section 2.3.5 „SQL Database Authentication‟, on page 28


2.3.1 Active Directory Server (ADS) Authentication

This section describes the specific system architecture and workflow for the SECUDE

Secure Login Active Directory Server (ADS) authentication method.

System

Architecture

for ADS

The following figure shows the SECUDE Secure Login system environment for ADS:

Figure 2-10 SECUDE Secure Login system environment for ADS

Client

The SECUDE Secure Login Client is integrated into the Windows logon process. It

sends the domain, user ID, and password entered by a user to the SECUDE Secure


Login Server to authenticate the user.

The SECUDE Secure Login Client is represented by a small icon in the system tray that

shows the status of the login.

Server

The SECUDE Secure Login Server receives the authentication data sent by the Client

and forwards it to the Microsoft Active Directory Service (ADS).

If the authentication on ADS is successful, the SECUDE Secure Login Server certifies

the user‟s public key. The certification reply is generated and transferred to the

Client.

If ADS cannot authenticate the user, the SECUDE Secure Login Server informs the

Client. The user can access neither the SNC-secured SAP NetWeaver Server nor the

SSL-secured Web Server.

The SECUDE Secure Login Server provides the service of an online certification

authority (CA).

ADS

The Microsoft ADS verifies the authentication data sent by the Client (domain, user

ID, password). It informs the SECUDE Secure Login Server about whether the user

could be authenticated.

Secure Login

Process

1. A user logs on to Microsoft Windows as usual.

2. The SECUDE Secure Login Client passes the authentication information of the user's Windows logon to the SECUDE Secure Login Server. The Server forwards the information via an SSL-secured connection to the Microsoft Active Directory Server and requests confirmation.

3. If the Microsoft Active Directory Server is able to authenticate the user successfully, a

temporary certificate is created for the user. This certificate is sent to the Client

workstation and made available to the SAP GUI for Windows. Thus, a certificate-based

login to the SAP application Server is performed without a corporate PKI.

4. When users start the SAP GUI for Windows, they are automatically logged on to the

SAP applications for which they have authorization. The connection to these SAP

applications is secure.

2.3.2 RADIUS / RSA Authentication

This chapter describes the specific system architecture and workflow for the SECUDE

Secure Login RADIUS/RSA authentication method.

System

Architecture

for RSA

The following figure shows the SECUDE Secure Login system environment for

RADIUS/RSA:


Figure 2-11 SECUDE Secure Login system environment for RADIUS/RSA

Client

The SECUDE Secure Login Client is a stand-alone Windows application. The SECUDE

Secure Login Client provides a user interface to enter a user name and a SecurID

password. The SecurID password is composed of a PIN which the user has to provide

and the one-time password generated by the RSA SecurID token.

Server

The SECUDE Secure Login Server receives the authentication data sent by the Client

and forwards it to the RSA Authentication Manager or another RADIUS Server.

If the authentication is successful, the SECUDE Secure Login Server certifies the

user‟s public key. The certification reply is generated and transferred to the Client.

If authentication fails, the SECUDE Secure Login Server informs the Client. The user

can access neither the SNC-secured SAP NetWeaver Server nor the SSL-secured Web

Server, but can repeat authentication.

RSA Authentication Manager

The RSA Authentication Manager verifies the authentication data sent by the Client. It

informs the SECUDE Secure Login Server about whether the user could be

authenticated.

Secure Login

Process

1. A user enters his/her credentials using the SECUDE Secure Login Client user

interface.

2. The SECUDE Secure Login Server receives the authentication information. It forwards

the information to the RSA Authentication Manager or RADIUS Server and requests

confirmation.

3. If the RSA Authentication Manager or RADIUS Server is able to authenticate the user

successfully, a temporary certificate is created for the user. This certificate is sent to

the Client workstation and made available to the SAP GUI for Windows. Thus, a

certificate-based login to the SAP application Server is performed without a corporate

PKI.

2.3.3 SAP ID Authentication

This chapter describes the specific system architecture and workflow for the SECUDE

Secure Login SAP ID-based authentication method.

System

Architecture

for SAP ID-

based Logon

The following figure shows the SECUDE Secure Login system environment for SAP ID-based

logon:

Figure 2-12 SECUDE Secure Login system environment for SAP ID-based logon


JAAS Module

The SAP ID variant of the SECUDE Secure Login Server consists of the normal SECUDE

Secure Login Server core components plus a special JAAS module to communicate

with the SAP Server.

The JAAS module uses two ABAP functions on the SAP Server via SNC-secured RFC. To use these RFC calls, the SAP Server version has to be at least 6.20 (see the supported versions in section 3.1.2).

For this method of authentication to work, several libraries are needed for the

SECUDE Secure Login Server to function correctly:

- The native RFC library
- An additional native library required for the JNI (Java Native Interface) access
- The Java JCo library

For details about how to install these libraries refer to chapter 3 „Server Installation‟,

on page 32.

SAP System User

An “SAP system user” is a dedicated SAP user account with access rights beyond those of a normal user. The SECUDE Secure Login Server uses these rights to check the logon details of normal users.

The SAP System user profile must contain the following entries for this method of

authentication to work:

- S_A.SCON
- S_A.SYSTEM
- S_USER_ALL
- S_USER_RFC
- Z_TRANS_RFC

Mode of Operation

The SECUDE Secure Login Server acts on behalf of the SAP system user and obtains

the normal SAP user logon data via the SECUDE Secure Login Client.

Password Policy

The SAP Server has a special password policy that can force the immediate change of

the user password under the following circumstances:

- For newly created users during their initial logon to the SAP system
- Password expiration date
- SAP user administrator forced password changes

These changes are (and can only be) triggered by the SAP Server. The SECUDE Secure

Login Server and Client cannot force a change.

The confidentiality of the SAP user password is ensured by using SNC to protect the

connection between the SAP Server and the SECUDE Secure Login Server.

Password Rejection

In the password change process the new password might be rejected by the SAP

Server for the following reasons:

- Password does not comply with password policy (length, complexity)
- Password is already present in password history
- The wrong password has been entered too many times

As with the password policy, password rejection is controlled by the SAP Server.


Secure Login

Process

The following figure shows the SECUDE Secure Login process for SAP ID-based logon:

Figure 2-13 SECUDE Secure Login process for SAP ID-based logon

1. In the first step, a process initialization request is sent from the SECUDE Secure

Login Client to the SECUDE Secure Login Server.

2. The SECUDE Secure Login Server replies that initialization can start.

3. The SECUDE Secure Login Client sends a logon request (plus the certification request for its public key) to the SAP Server via the SECUDE Secure Login Server.

4. The SAP Server will reply with one of the following:

- Reject the password (see previous section)
- Force a password change (initial logon, password expired etc.)
- Password OK, authentication successful

5. When logon is successful, the SECUDE Secure Login Server sends the Client the signed certificate, which is made available to the SAP GUI for Windows.

[Figure 2-13 residue: participants Secure Login Client, Secure Login Server, SAP server; messages: Initialization request, Initialization reply, Logon request (Client to Server and Server to SAP server), Logon reply, New password request, New password reply, Authentication reply]


2.3.4 SAP Logon Ticket Authentication

This section describes the specific system architecture and workflow for the SECUDE

Secure Login SAP Logon Ticket authentication method.

System

Architecture

for SAP

Logon Ticket

The following figure shows the SECUDE Secure Login system environment for SAP Logon

Ticket:

Figure 2-14 SECUDE Secure Login system environment for SAP Logon Ticket

Client

This authentication module only applies to the Secure Login Web Client. The Web Client sends the user ID and password entered by a user or a program to the SAP NetWeaver Portal URL to call its user login procedure. If successful, the portal returns an SAP Logon Ticket in the form of an HTTP cookie, which is handed over to the Web browser in which the Secure Login Web Client is running.

Alternatively, the SAP Logon Ticket can be handed over to the Secure Login Web Client by other means, e.g. a browser script. This allows the Web Client to run in unattended and invisible mode.

The Secure Login Web Client then sends the SAP Logon Ticket to the SECUDE Secure Login Server to authenticate the user.

Server

The SECUDE Secure Login Server receives the SAP Logon Ticket sent by the Client and verifies it offline, i.e. it checks the ticket's digital signature and validity locally without calling back to the portal.

If the authentication is successful, the SECUDE Secure Login Server certifies the

user‟s public key. The certification reply is generated and transferred to the Client.

2.3.5 SQL Database Authentication

This chapter describes the specific system architecture and workflow for the SECUDE

Secure Login SQL database-based authentication method.

System

Architecture

for SQL DB-

based Logon

The following figure shows the SECUDE Secure Login system environment for SQL DB-

based logon:


Figure 2-15 SECUDE Secure Login system environment for SQL DB-based logon

JAAS Module

The SQL DB variant of the SECUDE Secure Login Server consists of the normal

SECUDE Secure Login Server core components plus a special JAAS module to

communicate with the SQL database.

For this method of authentication to work, additional third-party SQL driver libraries

are needed for the SECUDE Secure Login Server to function correctly:

- For MySQL, this is e.g. mysql-connector-java-5.1.7-bin.jar.

SQL Database

The JAAS module uses standard SQL queries to find the given user ID and password in a table. The table and its column names can either be configured freely, or predefined names are used for higher performance.

The simplest form is to have user names and passwords stored in two columns. For a given user name and password, a row is searched that matches both values.

If the Client side supports it, a third value can be given to qualify the Client identifier. This can be a Client machine identification value or some application-defined data. This Client ID is transported in the username field of the protocol and requires a separator string definition so that the Server can split the field into user ID and Client ID.

Positive False Authentication

Another configuration uses the database as a combination of white and black list. In this scenario, all exact matches in the database return a positive result, and so do all user name values that are not found in the table at all; only a known user name with a non-matching password (or Client ID) is rejected. Note that this fails open: anyone who presents a user name that is not in the table is accepted.

It is therefore recommended to implement this feature only if Client identifiers are used that are strong enough to protect against this kind of positive false authentication.
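The following Python snippet is an added example, not SECUDE's JAAS module: it models the three lookups described in this section against a constructed SQLite table (assumed columns user_id, password and client_id, and an assumed separator string "@@"). The user ID comes from the Client and is therefore bound as a query parameter rather than pasted into the SQL text, and the password comparison is constant-time. The manual's simplest form stores the password itself, which the example follows for clarity; a production table should hold a salted hash instead.

```python
"""Added example (not SECUDE code): the table lookups of a JAAS-style SQL login
module, modelled on the three configurations described in this section.  The
table, its columns, the separator string and the rows are constructed for the
example; an in-memory SQLite database stands in for the real DBMS."""
import hmac
import sqlite3

SEPARATOR = "@@"   # assumed separator between user ID and Client identifier


def make_logon_db():
    """Constructed sample table: user ID, password and an optional Client ID.
    The manual's simplest form stores the password itself; a production table
    should hold a salted hash instead and compare hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logon (user_id TEXT NOT NULL, password TEXT NOT NULL, "
               "client_id TEXT)")
    db.executemany("INSERT INTO logon VALUES (?, ?, ?)", [
        ("alice", "Tr0ub4dor&3", "WS-0017"),   # may only log on from workstation WS-0017
        ("bob", "correct horse", None),        # no Client identifier required
    ])
    return db


def split_username(field):
    """The Client identifier travels inside the username field as
    '<user ID><separator><client ID>'; without the separator there is no client ID."""
    user, sep, client = field.partition(SEPARATOR)
    return user, (client if sep else None)


def authenticate(db, username_field, password, accept_unknown=False):
    """True if the credentials match a row.  accept_unknown=True is the 'positive
    false' white/black-list configuration: user IDs absent from the table pass."""
    user, client = split_username(username_field)
    # The user ID is Client-supplied input: bind it, never splice it into the SQL text.
    rows = db.execute("SELECT password, client_id FROM logon WHERE user_id = ?",
                      (user,)).fetchall()
    if not rows:
        return accept_unknown            # fail-open branch of the white/black-list mode
    for stored_pw, stored_client in rows:
        pw_ok = hmac.compare_digest(stored_pw.encode(), password.encode())
        client_ok = stored_client is None or stored_client == client
        if pw_ok and client_ok:
            return True
    return False


if __name__ == "__main__":
    db = make_logon_db()
    print(authenticate(db, "alice@@WS-0017", "Tr0ub4dor&3"))             # True
    print(authenticate(db, "mallory", "anything"))                       # False
    print(authenticate(db, "mallory", "anything", accept_unknown=True))  # True: fail-open
```

Calling authenticate(db, "mallory", "anything", accept_unknown=True) returns True although there is no row for mallory; that is the fail-open behaviour the Client identifier has to compensate for in the positive-false mode, while a known user with a wrong password is still rejected in that mode.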


2.4 Policy Server Overview

Introduction

SECUDE Secure Login Client configuration is profile-based. To provide a mechanism for

automatic application-based profile selection, application contexts can be configured.

They are then searched for specific „personal security environment universal resource

identifiers‟ (PSE URIs).

If no matching PSE URI is found, a default application context can be defined that links to

a default profile.

Figure 2-16 Default application context and profile

The application contexts and profiles are stored in the Windows registry of the Client

(including other internal keys for the Client). These parameters are defined within the XML

policy file (ClientPolicy.xml).

You can also integrate the values for the SECUDE Secure Login Client in your company‟s

group policies via an ADM file.

Further

Information

For further information about how to download the relevant files for a static or dynamic

Client policy see section 6.3.3 „Client Configuration‟ on page 183.

For further information about how to integrate the policy values for the SECUDE Secure

Login Client into your company‟s group policies (ADM file), refer to section 9.1.4

„Configuring Secure Login with Microsoft Group Policies‟ on page 245.

Advanced details about the Client policy file XML syntax can be found in section 9.1.1

„ClientPolicy.xml File‟ on page 239 along with the use of wildcards in section 9.1.3 on

page 244.


2.5 Secure Login Web Client

Introduction

A new feature of SECUDE Secure Login 5.1 is the Web Service and Web Client. The Web Client is an SNC provider developed mainly for SAPGUI for Java, which is available on Windows as well as non-Windows platforms. It is a Web-based solution to authenticate users via Web browsers (e.g. in portal scenarios) on a variety of platforms and to launch the SAPGUI with SECUDE SNC security.

This means that the Client is no longer exclusively for Windows, but also supports Mac OS X and a range of Linux-based systems (due to differences between SAPGUI for Java and SAPGUI for Windows, the Web Client for Windows only has limited functionality). Moreover, in contrast to the SECUDE Secure Login stand-alone Client for Windows (SLC), the Web Client has no SSL Client authentication.

The Web Client can be deployed to Apache Tomcat and SAP NetWeaver but, currently, not

to BEA WebLogic.

Main

Features

Browser-based authentication against Secure Login Server (all back-ends are supported -

including RSA and challenge-mode functions such as password changes)

Download and prepare the SECUDE SNC library (simple to update the native libraries when

a new version is available).

Soft-token provider via Secure Login Server

- Create credentials for crypto-token

Launch SAPGUI for Java/Windows with SNC parameters and crypto-token

- Launch SAPGUI or directly log in to SAP Server (AS ABAP)
- Specify search path for SAPGUI binaries either centrally on the Server side, or by the user on the Client side (host-specific)

Localization and customization of HTML pages and Applet messages

- Stylesheet (CSS) support, preconfigured for NetWeaver Portal

Optional clean-up of temporary files when the browser is closed (such as soft-tokens and credentials).

Further

Information

Chapter 5 „Secure Login plus Web Client - Installation, Usage, and Removal‟, on page 109


3 Server Installation, Configuration, and Removal

Introduction

This chapter describes the SECUDE Secure Login Server installation. It is necessary to

install and configure Secure Login Server BEFORE installing Secure Login Client.

This chapter details the installation and configuration procedure for various target

systems, for example, Servers that use servlet engines such as Apache Tomcat or SAP

NetWeaver.

If you want to install Secure Login with the Web Client then refer directly to chapter 5. This

is because the Web Client installation is not just the Web Client but rather the complete

Secure Login Server plus Web Client. The installation routine is quite different for Tomcat

and only slightly different for NetWeaver.

Sections in

this Chapter

Section 3.1 „Prerequisites‟, on page 33

Section 3.2 „Preparing the Server for Installation„, on page 34

Section 3.3 „Installation Procedure for Apache Tomcat-based Server Installations‟, on

page 35

Section 3.4 „Installation Procedure for BEA Weblogic-based Server Installations‟ on page

40

Section 3.5 „Installation Procedure for SAP NetWeaver-based Server Installations‟, on

page 42

Section 3.6 „Initialization and Configuration for ADS, LDAP, RADIUS, SAP ID, SAP Ticket,

and Database Module‟, on page 54

Section 3.7 „Remove SECUDE Secure Login Server‟, on page 91


3.1 Prerequisites

This section lists the hardware and software requirements.

3.1.1 Hardware Requirements

Hardware requirements:

Hard disk space: 20-50 MB plus space for log files

RAM: 1 GB

3.1.2 Software Requirements

Operating System for Secure Login Server, one of the following:

Windows 2003 Server R2 (x86)
Windows XP Professional SP2 (x86)
SUSE Linux Enterprise Server 9 or 10 (x86)
Solaris 8, 9, or 10 (SPARC)
HP-UX 11.11 (PA-RISC)
HP-UX 11.23 (Itanium)

Java (http://java.sun.com/):

JDK 1.5 with the Java Cryptography Extension (JCE) and the JCE Unlimited Strength Jurisdiction Policy files. Sun's JDK ships with limited-strength policy files by default; the unlimited-strength files are a separate download that replaces local_policy.jar and US_export_policy.jar in <JRE home>/lib/security. Check this before installing Secure Login.

Supported Application Servers:

BEA WebLogic 8.1, 9.0, 10.0
Apache Tomcat 5.x/6.x with JDK 1.4-1.6 (make sure that the optional components „Service Setup‟ and „Native‟ are selected in the setup). In case RSA ACE 6.1.2 is installed on Solaris, JDK 1.5 is the highest version that can be used.
SAP NetWeaver Java 6.4 - 7.0 with:
- SAP Java Connector 2.1.8 (necessary for SAP ID-based logon; please contact SAP for these libraries)
- SAP Java Cryptographic Toolkit
- A running and configured SSL service provider

Server supporting LDAP/ADS authentication:

openLDAP
Sun ONE LDAP
Microsoft Active Directory Server (ADS) 2000 or 2003
Sun Java System Directory Server

Server supporting RADIUS/RSA authentication:

freeRADIUS
RSA Authentication Manager 6.0 or higher

Server supporting SAP ID-based login, one of the following SAP application Server versions:

SAP Server 6.20
SAP NetWeaver ABAP 7.00

Support for additional platforms or versions may be available on request. Please contact SECUDE for further information.


3.2 Preparing the Server for Installation

Introduction

The Server must be prepared for the installation of Secure Login. If you have already

prepared the Server go to the next section below. If you have not prepared the Server, the

following list indicates what must be installed and configured before starting with the

installation of SECUDE Secure Login:

Install the operating system (plus updates if necessary).

Install Java (the JCE is part of the JDK; make sure that the Unlimited Strength Jurisdiction Policy files are installed as described in section 3.1.2).

Install the application Server.

This manual does not detail the installation and configuration of the above mentioned

software. It is assumed that the knowledge and skills necessary to perform the Server preparation are already present and need not be documented here.

Contents of

Delivery

Package

Secure Login is delivered as a series of ZIP files. The contents of each ZIP file is as

follows:

SECUDE51SecureLoginNativeComponents.zip

This file contains the necessary native Secure Login components for each supported

platform.

SECUDE51SecureLoginServer.zip

\doc

This directory contains the documentation, license agreements, and readme files.

\SECUDE51SecureLoginServer.zip

Although this ZIP file has the same name as the file containing it, this inner file contains the standard Secure Login applications as well as the Web Client variants:

- \NetWeaver 70\securelogin.ear
  Standard Secure Login application for SAP NetWeaver to work with the Secure Login Client.
- \NetWeaver 70 WS\secureloginservice.ear
  The Web Client version of Secure Login for SAP NetWeaver.
- \Tomcat\securelogin.war
  Standard Secure Login application for Apache Tomcat to work with the Secure Login Client.
- \Tomcat WS\axis2.war, securelogin.war, secureloginservice.aar, shared.zip, SlsWebClient.war
  The Web Client version of Secure Login for Apache Tomcat plus secondary files necessary for operation.

Prepare the

Files

In preparation for installation, it is recommended to unpack the ZIP archive

SECUDE51SecureLoginServer.zip to produce the four application sub-directories:

\NetWeaver 70

\NetWeaver 70 WS

\Tomcat

\Tomcat WS

…as well as SECUDE51SecureLoginNativeComponents.zip to produce the files

for the native components.

This manual contains steps in which it is necessary to choose and confirm passwords. For

reasons of security Secure Login will only allow you to choose passwords that are hard to

guess (i.e. a mix of uppercase/lowercase letters, digits, and special characters).


3.3 Installation Procedure for Apache Tomcat-based Server Installations

Introduction

This section describes the installation procedure for an environment using Apache

Tomcat. These steps assume that Tomcat and the necessary runtime components are

already installed.

1. Locate the unzipped Tomcat deployment file (see section 3.2 on page 34):

SECUDE51SecureLoginServer\Tomcat\securelogin.war

2. Deploy the securelogin.war file:

This step describes how to deploy the files to the Server using Tomcat 6.0 as an

example (you can also use the Tomcat Manager to deploy Secure Login).

Make sure that file name and path notations used in this step are correct for the target operating system. In particular, the Tomcat deployment directory is spelled webapps in lower case; on case-sensitive file systems (Linux, Solaris, HP-UX) any other spelling is a different directory.

These bulleted steps describe how to transfer the WAR file to the target servlet engine:

Stop the servlet engine (Tomcat) if it is running.

If necessary, remove the existing SECUDE Secure Login Web application directory and securelogin.war file:

- <Tomcat home>\webapps\securelogin\
- <Tomcat home>\webapps\securelogin.war

Copy the new securelogin.war file into the directory:

<Tomcat home>\webapps\

Start the servlet engine (Tomcat). With the default autoDeploy and unpackWARs settings, Tomcat unpacks the WAR file into <Tomcat home>\webapps\securelogin\ on start-up.

3. Now test the deployment. In your Internet browser, enter the following URL:

http://<URL-Where-Your-Servlet-Resides>/securelogin

For example: http://localhost:8080/securelogin

The context path in the URL is case-sensitive and is derived from the WAR file name (securelogin).

4. If the deployment has been successful, the SECUDE Secure Login Administration

Console prerequisite check page should appear:

Figure 3-1 Administration Console – prerequisite check page

This page lists the prerequisites to run Secure Login successfully. Items with a


green “dot” in front of them indicate the correct availability and functionality.

Items with a red light in front of them indicate an error. Items with a yellow light in

front of them indicate an optional component that may be needed according to

Server and setup type (for example the SAP Adapter is needed for the SAP ID-

based logon).

5. Use the Administration Console initialization wizard to create the Secure Login environment (see section 3.6 on page 54).

3.3.1 Option to Configure SSL in Tomcat

If you are remotely administrating Secure Login over a network it is recommended to use

an SSL connection. This means that SSL must be activated in Tomcat.

Follow these steps to activate SSL in Tomcat (this example details SSL for Tomcat v.6.0):

1. If Tomcat is running, stop and exit it.

2. Open the Server.xml file from the directory <Tomcat home>\conf.

3. Copy the following code behind the commented-out SSL configuration example in the Server.xml file (edit the values in the example to match your installation):

<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" SSLEnabled="true"
           secure="true" clientAuth="false" sslProtocol="TLS"
           keystorePass="123456"
           keystoreFile="<Tomcat home>\Webapps\securelogin\WEB-INF\Instances\<optional instance directory>\<SSLServer_*>.p12"
           keystoreType="PKCS12"/>

Spell the attribute names exactly as Tomcat documents them (clientAuth, keystoreFile, keystorePass) and enter the keystoreFile value as one path without line breaks or spaces. The password 123456 is a sample value; use the password that was set when the PKCS12 file was generated.

The PKCS12 (*.p12) file should already have been generated via the Administration

Console during the Server setup. If not use the Certificate management function of the

Administration Console to generate one (see section 6.3.2 on page 181).

4. Save and close the Server.xml file.

5. Start Tomcat.

Despite using HTTPS for the URLs in policies and generating SSL Server certificates (both

via the Administration Console) you still need to manually activate SSL in Tomcat.

3.3.2 Test the SSL Connection for Tomcat

1. To test the SSL connection enter the following URL in your browser:

https://URL-Where-Your-Servlet-Resides/securelogin

For example: https://localhost:8443/securelogin

2. This should open the Administration Console login page (see section 6.1

„Administration Console‟ on page 119).


3.3.3 Single Sign-On for the Administration Console (Tomcat Only)

This section details how to setup Tomcat to:

- Use a login certificate generated via the Administration Console for SSL-based authentication (refer to section 3.3.3.1 below).

- Trust only those certificates created via the Administration Console, and use single sign-on authentication to the Administration Console (refer to section 3.3.3.2 below).

- Setup a single SSL port in Tomcat for both the Secure Login Administration Console and the Secure Login Client to share (refer to section 3.3.3.3 below).

3.3.3.1 Use a Login Certificate Generated via the Administration Console for SSL-based Authentication

This section details how to setup Tomcat to use SSL login certificates generated with the Administration Console for authentication (the Administration Console offers the option to log in to the Secure Login Server using certificate-based SSL authentication).

The following steps assume that you have already:

- Created a user via the User Management node (see section 6.4.1 on page 199) that uses the subject alternative name in the certificate for the option Certificate Login ID.

- Created a login certificate (under SAP CA) via the Certificate Management node. The subject alternative name provided during certificate creation must match the entry in the option Certificate Login ID for the user created in User Management. The resulting certificate has been exported as a *.p12 file and imported into Internet Explorer or Firefox.

By default, Tomcat uses the Java trust store to perform the authentication. This means,

all CAs that are trusted by the Java VM could be used to create Administration Console

login certificates – as long as the subject_alt_name in the certificate matches an

Administration Console user account.

If you decide to use the JVM truststore (jre\lib\security\cacerts), the Administration Console root certificate or SAP-CA certificate must be imported into it using Java's keytool. For further information refer to section 5.4.1 'Configure SSL Trust for the Web Client Java Applet' on page 116.

3.3.3.2 Setup Tomcat to Trust Only Administration Console-Generated Certificates

This section details how to setup Tomcat to trust only those certificates created via the

Administration Console and also how to create a truststore (and set ports) specifically for

the purpose of single sign-on to the Administration Console.

To accept only those certificates created via the Administration Console, you must configure the Tomcat SSL connector to use a truststore other than the Java VM's default. This can be achieved either by creating a new truststore or by using the Secure Login Administration Console truststore.

To set up single sign-on it is necessary to create and use a truststore specifically for that purpose (refer to the next page).

The following example creates two ports – one for the Administration Console and one for

the Secure Login Client.


Create a New Truststore

1. As a first step we must create a new truststore that contains only the Administration

Console root certificate:

Open a command box and enter the following:

keytool -import -v -trustcacerts -alias my_root_ca -file C:\root.crt -keypass 123456 -keystore C:\myTruststoreFile.jks -storepass 123456

The keystore file name given here must match the truststoreFile attribute of the connector configured in step 2; 123456 is a sample password.

Press Return.

2. Now to configure a Tomcat SSL connector to use this truststore only (for single sign-on):

- Open the Server.xml file from the directory <Tomcat home>\conf.

- The following example code should be entered behind the commented-out SSL configuration example in the Server.xml file (edit the values in the example to match your installation):

<Connector port="4443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
           keystoreType="pkcs12"
           keystoreFile="C:\SSL_SERVER.p12"
           keystorePass="123456"
/>

<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           SSLEnabled="true" clientAuth="true" sslProtocol="TLS"
           keystoreType="pkcs12"
           keystoreFile="C:\SSL_SERVER.p12"
           keystorePass="123456"
           truststoreFile="C:\myTruststoreFile.jks"
           truststoreType="jks"
           truststorePass="123456"
/>

As in section 3.3.1, SSLEnabled="true" is included so that the connector actually performs TLS on Tomcat 6 and later; scheme="https" and secure="true" alone only describe the connector to the Web application.

In this example note that there are two connectors, one for the Secure Login Client (port 4443 in the example) and one only to be used for the single sign-on to the Administration Console (port 8443 in the example). This is to avoid any possible access conflicts.

The connector to be used for single sign-on differs in the following respects:

- A different port number

- The parameter clientAuth is set to true.

- The truststore file (*.jks) is stated.


3.3.3.3 Setup Tomcat for Single SSL Port Usage for both the Administration Console and Secure Login Client

This section details how to setup a single SSL port in Tomcat for both the Secure Login Administration Console and the Secure Login Client to share. This means it is possible to perform both certificate-based single sign-on via the Secure Login Administration Console and standard login for the Secure Login Client using the same port.

Create a Single SSL Port

1. Open the Server.xml file from the directory <Tomcat home>\conf.

2. The following example code should be entered behind the commented-out SSL configuration example in the Server.xml file (edit the values in the example to match your installation):

<Connector port="4443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           SSLEnabled="true" clientAuth="want" sslProtocol="TLS"
           keystoreType="pkcs12"
           keystoreFile="C:\SSL_SERVER.p12"
           keystorePass="123456"
           truststoreFile="C:\myTruststoreFile.jks"
           truststoreType="jks"
           truststorePass="123456"
/>

With clientAuth="want", Client authentication is now optional: the connector requests a certificate but also accepts connections from clients that do not present one.
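Sections 3.3.1 to 3.3.3 leave several Server.xml details to the administrator that are easy to get wrong: the SSLEnabled attribute, the exact attribute spelling, the truststore that a clientAuth connector depends on, and the sample password 123456. The following script is an added example, not SECUDE's or Tomcat's own code, that audits the https connectors of a server.xml for those points; the server.xml it parses is constructed inline to mirror the manual's two-connector layout, and the severity levels are this example's own choice.

```python
"""Audit the https connectors in a Tomcat server.xml for the pitfalls the
Secure Login manual's Tomcat SSL sections touch on.  Added example; not
SECUDE's or Tomcat's own code.  SAMPLE_SERVER_XML is constructed here to
mirror the manual's two-connector layout (one of them deliberately flawed)."""
import xml.etree.ElementTree as ET
from collections import Counter

# HTTPS connector attributes as Tomcat documents them; the spelling matters.
KNOWN_SSL_ATTRS = ("SSLEnabled", "clientAuth", "sslProtocol", "keystoreFile",
                   "keystorePass", "keystoreType", "truststoreFile",
                   "truststorePass", "truststoreType")
SAMPLE_PASSWORD = "123456"  # the placeholder used throughout the manual

SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- Secure Login Client port: server authentication only -->
    <Connector port="4443" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS" keystoreType="pkcs12"
               keystoreFile="C:\\SSL_SERVER.p12" keystorePass="123456"/>
    <!-- Administration Console SSO port, with three mistakes to catch:
         no SSLEnabled, misspelled clientAuth, no truststore -->
    <Connector port="8443" scheme="https" secure="true"
               ClientAuth="true" sslProtocol="TLS" keystoreType="pkcs12"
               keystoreFile="C:\\SSL_SERVER.p12" keystorePass="Xk9-not-sample"/>
  </Service>
</Server>"""


def _attr(by_lower, name):
    """Look an attribute up case-insensitively; returns its value or None."""
    hit = by_lower.get(name.lower())
    return hit[1] if hit else None


def audit_connectors(server_xml):
    """Return a list of (port, level, message) findings for every https Connector."""
    findings = []
    connectors = [c for c in ET.fromstring(server_xml).iter("Connector")
                  if c.get("scheme", "http").lower() == "https"]
    ports = Counter(c.get("port") for c in connectors)

    for conn in connectors:
        port = conn.get("port")
        # Index attributes by lower-cased name so misspellings are still found.
        by_lower = {k.lower(): (k, v) for k, v in conn.attrib.items()}

        if ports[port] > 1:
            findings.append((port, "error", "port is assigned to more than one connector"))
        for name in KNOWN_SSL_ATTRS:
            hit = by_lower.get(name.lower())
            if hit and hit[0] != name:
                findings.append((port, "error", "attribute %r is not spelled as Tomcat "
                                 "documents it (%r)" % (hit[0], name)))
        if _attr(by_lower, "SSLEnabled") != "true":
            findings.append((port, "error", 'SSLEnabled="true" is missing; scheme="https" '
                             'and secure="true" only describe the connector, they do not enable TLS'))
        client_auth = (_attr(by_lower, "clientAuth") or "false").lower()
        if client_auth in ("true", "want") and not _attr(by_lower, "truststoreFile"):
            findings.append((port, "warning", "clientAuth=%s without truststoreFile: login "
                             "certificates from any CA in the JVM cacerts file are accepted"
                             % client_auth))
        for pw in ("keystorePass", "truststorePass"):
            if _attr(by_lower, pw) == SAMPLE_PASSWORD:
                findings.append((port, "warning", "%s still uses the manual's sample value" % pw))
        if (_attr(by_lower, "sslProtocol") or "").upper() != "TLS":
            findings.append((port, "warning", "sslProtocol should be TLS"))
    return findings


if __name__ == "__main__":
    for port, level, msg in audit_connectors(SAMPLE_SERVER_XML):
        print("port %s [%s]: %s" % (port, level, msg))
```

Run against a real <Tomcat home>\conf\server.xml by reading the file into the string passed to audit_connectors; the 4443 connector in the sample yields only the sample-password warning, while the 8443 connector yields two errors and the missing-truststore warning.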


3.4 Installation Procedure for BEA Weblogic-based Server Installations

Introduction

This section describes the installation procedure for an environment using BEA Weblogic.

These steps assume that BEA WebLogic and the necessary runtime components are

already installed.

1. This first step applies to BEA WebLogic 8.1 only. If you are using BEA WebLogic 9 or

10 please start with step 5.

Before deploying the application you must check the readiness of the Server for

application deployment by setting the „Staging Mode‟. If you have already performed

this task then go to step 5. Start the WebLogic Server and open the BEA WebLogic

console:

http://<hostname or IP:port>/console

2. Select <domain>Server>myServer from the navigation tree.

3. Select the tabs Configuration>Deployment:

Figure 3-2 BEA console – check staging mode

Make sure that the Staging Mode is set to stage. If not, select stage from the combo-

box and click Apply.

4. Close the console and restart the WebLogic Server.

5. Create a new directory:

<BEA home>/Server/bin/myServer/stage/securelogin.war

6. Unzip the contents of the securelogin.war file to the directory stated in the

previous step.

7. Now to deploy the Secure Login application. Open the BEA WebLogic console:

http://<hostname or IP:port>/console


8. The BEA WebLogic Server Home page will appear:

Figure 3-3 BEA console – WebLogic Server Home page

Click Web Application Modules.

9. The Web Applications page will appear.

Figure 3-4 BEA console –Web applications page

Click Deploy a new Web Application Module…


10. The Deploy a new Web Application Module page will appear:

Figure 3-5 BEA console – deploy Web application page

Use Location to navigate to the stage Server directory (do not use the upload your

files link). For example:

10.49.13.169/opt/bea/Weblogic81/Server/bin/myServer/stage

11. Select the securelogin.war application and click Target Module.

12. Start the Secure Login application in BEA WebLogic.

13. After Secure Login has been successfully deployed, open your Internet browser and

enter the Secure Login Administration Console URL:

http://<host:port>/securelogin

14. Use the Administration Console initialization wizard to create the Secure Login environment (refer to the next section).

3.5 Installation Procedure for SAP NetWeaver-based Server Installations

Introduction

This section describes the installation procedure for an environment with SAP NetWeaver.

After unpacking the installation package, the installation of the SECUDE Secure Login Server comprises the following tasks:

- Create SSL certificates

- Configure the SECUDE Secure Login Server

- Deploy the files on SAP NetWeaver

- Configure the Authentication Server in SAP NetWeaver

- Test the SECUDE Secure Login Server

- Configure SSL

- Test the SSL connection


3.5.1 Configure the System Environment (only for SAP ID-Based Logon)

This section details the steps necessary to pre-configure the system for the respective

environment.

1. Configure NetWeaver (prerequisite to run the Secure Login Administration Console):

- Change the password of the Guest user via NetWeaver user management. Select Server0 > services > Security provider from the tree in the left-hand pane.

- Select the Runtime tab and then the User Management tab.

- Open the Users tab and locate the entry Guest.

- Enter a new password in the field Change password, check No password change required, and click Change. A password confirmation dialog will appear:

Figure 3-6 Confirm password change

- Re-enter the new password and click OK.

2. Now it is time to deploy the Secure Login enterprise archive to NetWeaver. The

archive is located in the directory already unzipped in section 3.2 on page 34:

SECUDE51SecureLoginServer\NetWeaver\securelogin.ear

The easiest method of deploying the archive is to use either the SAP Software

Deployment Tool or SAP Visual Administrator. For further details please refer to the

proprietary documentation.

Make sure that file name and path notation is correct for the target operating system.

3. Open and logon to the Administration Console:

In your browser, enter the following URL:

http://<URL-Where-Your-Servlet-Resides>/securelogin/

For example: http://SAPNetWeaverHost:50000/securelogin/


The SECUDE Secure Login Administration Console prerequisite check page should

appear:

Figure 3-7 Administration Console – prerequisite check page

This page lists the prerequisites to run Secure Login successfully. Items with a

green “dot” in front of them indicate the correct availability and functionality.

Items with a red light in front of them indicate an error. Items with a yellow light in

front of them indicate an optional component that may be needed according to

Server and setup type (for example the SAP Adapter is needed for the SAP ID-

based logon).

Click Continue to go through the setup wizard as described in section 3.6.3 'Step

2 – Multiple Authentication Server Initialization – Expert Mode (Wizard)‟ on page

63.

4. After completing the initial setup, the Web.xml file in the WEB-INF directory must be

updated (re-read). This is achieved via the SAP Visual Administrator:

- Open the SAP Visual Administrator.

- Select the Server(x)>Services>Deploy node from the tree in the left-hand pane.

- Select the deployed secude.com/SecureLogin component from the Runtime tab in the middle pane.


- Click Single File Update on the right-hand side. The following dialog will appear:

Figure 3-8 Update Web.xml file

- Click OK.

5. Open and logon to the Administration Console:

- In your browser, enter the following URL:

http://<URL-Where-Your-Servlet-Resides>/securelogin/

For example: http://SAPNetWeaverHost:50000/securelogin/

- The login page should appear:

Figure 3-9 Administration Console – login page

- Generate the SSL certificates as a *.p12 file as described in section 6.3.2.3 'Username Configuration for SQL JAAS Module' on page 183. Locate the SSL certificate and change the file extension to *.pfx. For further information about the Administration Console refer to section 6.1 on page 119.

Username Configuration for SQL JAAS Module

Depending on the username/Client ID schema used for database authentication, some special configuration properties may be needed to define which user name is put into the certificate. This is only to be considered if the Secure Login Client sends compound username values.

UseQualifiedName: If true, the full received username value is taken for the user certificate's CN field. If false, only the user ID part before the separator is taken, and UserNameSeparator must be set to a non-blank value to apply this property. Default value: true.

UserNameSeperator: String of one or more characters that separates the username and Client identifier sent by the Secure Login Client. If configured, DBColumnClientID must also be configured in the SQL JAAS module. Default value: None. Sample: USER001#CLIENT999 is split into USER001 with UseQualifiedName="false" and UserNameSeperator="#".

6. Now to enable SSL in SAP NetWeaver:

If there is more than one Server installed, this step has to be performed for each of the

Servers.


- Open the SAP Visual Administrator.

- Select the Server(x)>Services>ConfigurationAdapter node from the tree in the left-hand pane.

- Select the Runtime tab and then the Display configuration tab.

- Select the following node from the middle pane:

Configurations>cluster_data>dispatcher>cfg>services>Propertysheet.ssl-runtime

Figure 3-10 enable SSL – select Propertysheet.ssl-runtime node

- Click the pencil icon (middle icon under the tab heading) to display the Change Configuration dialog:

Figure 3-11 enable SSL – Change Configuration dialog

- Select the property startup-mode and enter always into the field value (make sure that the custom checkbox is unchecked).

- Click OK.


- The same set of properties must also be changed at another Server node. Select the following node from the middle pane:

Configurations>cluster_data>Server>cfg>services>Propertysheet.ssl-runtime

- As above, select the property startup-mode and enter always into the field value (make sure that the custom checkbox is unchecked).

- Click OK.

7. Now that Secure Login has been deployed and SSL has been enabled the Server

must be restarted to make use of the new settings.

8. Now for certificate import and validation:

To enable Server authentication, the Server has to have an SSL Server certificate.

This certificate and the associated private key must be imported into SAP NetWeaver.

This is achieved by using the *.pfx file generated in step 5.

SAP NetWeaver only accepts PKCS#12 software token files with the extension *.pfx.

- Open the SAP Visual Administrator.

- Select the Server(x)>Services>KeyStorage node from the tree in the left-hand pane.

- Select the Runtime tab. The certificates are organized into sub-groups, so called 'Views'. Each of the 'Views' groups is purpose-based and contains certificates that suit the purpose, for example the TrustedCAs and service_ssl Views, or Views defined by the administrator:

Figure 3-12 certificate import – key storage

- Click the service_ssl entry in the Views list.

- Click Load.

- Locate and open the SSL certificate created by the Administration Console in step 5.

Before the SSL certificate can be verified, all certificates up to the root have to be

imported in the manner described above. Furthermore the root certificate must be


imported (loaded) into the TrustedCAs view. NetWeaver only accepts certificates contained in this view as trust anchors.

Use the Load button to import a certificate.

The certificate file has to be base64-encoded with the file name extension *.crt.

9. Now for SSL configuration:

To enable Client authentication the SSL Provider must be configured to request the

Client certificates.

- Open the SAP Visual Administrator.

- Select the Server(x)>Services>SSL Provider node from the tree in the left-hand pane.

- Select the Runtime tab and then the Client Authentication tab in the bottom right-hand pane.

- Select Do not request Client certificate:

Figure 3-13 set SSL configuration

- Click the Server Identity tab.

- Click Add to browse for the credentials uploaded in step 9.

10. The configuration of SAP NetWeaver for Secure Login is now complete.

Next Steps

The next step is to configure the Authentication Servers for Secure Login. Please refer to

the next section - 3.5.2 on page 49.

When installing the signon&secure components for SAP ID-based logon (see section 6.1.12 'SSS&JCO Installation' on page 158), you can ignore the third step Install JCO because SAP NetWeaver already has these components installed and set.

3.5.2 Configure the Authentication Server in SAP NetWeaver


Introduction

The JAAS module used by the SECUDE Secure Login Server must be configured directly

inside SAP NetWeaver. You have to create one JAAS module with a corresponding policy

and to add a configuration for each Authentication Server in the JAAS module.

The configuration process consists of the following steps:

- Configure the LoginModuleClassLoader property.

- Create a JAAS module.

- Configure the first Authentication Server in the JAAS module.

- Create a JAAS policy.

- Configure an Authentication Server in the JAAS module.

Configuration is performed in SAP Visual Administrator. The relevant configuration node is

the Security Provider node in the Services section.

Follow these steps to configure LoginModuleClassLoader:

1. Open the SAP Visual Administrator.

2. Select the Security Provider node from the left-hand pane and the Properties tab from

the right-hand pane.

3. Select the LoginModuleClassLoaders property from the list and enter the

following value into the field Value at the bottom of the window:

library:SECUDE-SecureLogin

Figure 3-14 SAP Visual Administrator – Configure the LoginModuleClassLoader

property

4. Click Update at the bottom of the window.

5. Now to create a JAAS module:

- Select the Security Provider node from the left-hand pane and the Runtime tab from the right-hand pane.

- This will open a second row of tabs. Select the User Management tab.

- Select the pencil icon above the top row to change to edit mode.

- Click Manage Security Stores. The area for the login module administration is displayed:


Figure 3-15 SAP Visual Administrator – Configure the JAAS module

- Click Add Login Module on the right-hand side of the window. The following window appears:

Figure 3-16 SAP Visual Administrator – add login module

- In the Class Name field enter the class name of the JAAS module:

  - For ADS: com.secude.transfair.pepperbox.LdapJaasModule

  - For RSA/RADIUS: com.secude.transfair.pepperbox.RsaRadiusJaasModule

  - For SAP-ID: com.secude.transfair.pepperbox.SAPJaasModule

- Enter descriptive strings in the fields Display Name and Description.

6. Now to configure the first Authentication Server in the JAAS module:

- In the Add Login Module window, enter the names and values of the configurable module properties for the first Authentication Server in the Options table.

- For a description of the configurable properties for ADS, see section 9.2.4.1 'JAAS Module Configuration Files for LDAP/ADS' on page 253.

- For a description of the configurable properties for RSA/RADIUS, see section 9.2.4.2 'JAAS Module Configuration Files for RADIUS/RSA' on page 257.

- Click OK.

7. Now to create a JAAS policy:

- Select the Security Provider node from the left-hand pane and the Runtime tab from the right-hand pane.

- This will open a second row of tabs. Select the Policy Configuration tab.

- Click Add under the component list.

- A new dialog will open. Under Name, enter SLSJaasModule.

- Click OK. The window now appears as follows:

Figure 3-17 SAP Visual Administrator – add JAAS module

8. Now to configure an Authentication Server in the JAAS module:

- Select the newly created SLSJaasModule policy/login module configuration from the Components list.

- Click Add New from the bottom right-hand side of the window. The available login modules are displayed.

- Select the JAAS module you want to configure.

- Click OK.

- The Edit Login Module window opens:


Figure 3-18 SAP Visual Administrator – edit login module

- Enter the names and values of the configurable module properties of the added Authentication Server (a list of property names and examples can be found in the section covering Authentication Server configuration via the Administration Console, section 6.1.4 on page 128).

3.5.3 Test the SSL Connection

The following step describes how to test the Secure Login files deployed to the Server.

Make sure that file name and path notations used in this step are correct for the target

operating system.

1. In your browser, enter the following URL:

https://<URL-Where-Your-Servlet-Resides>/securelogin/PseServer?op=Serverstatus

For example: https://SAPNetWeaverHost:50001/securelogin/PseServer?op=Serverstatus

2. If the deployment has been successful the SECUDE Secure Login Administration

Console login page should appear as in section 6.1.1.


3.6 Initialization and Configuration for ADS, LDAP, RADIUS, SAP ID, SAP Ticket, and

Database Module

Introduction

This section details the initialization and configuration of the Secure Login Server

component using the Administration Console initialization wizard.

Contents

Section 3.6.1 „Step 1 - Initial Installation‟, on page 54

Section 3.6.3 „Step 2 – Multiple Authentication Server Initialization – Expert Mode

(Wizard)‟ on page 63

Section 3.6.4 „Step 3 - Configure Authentication Server Communication‟ on page 84

Section 3.6.5 „Step 4 - Test SECUDE Secure Login Server‟ on page 90

For reasons of security, the Secure Login Server component can only be initialized via the Administration Console and only when the console is called from the same Server computer on which Secure Login resides. If, however, you want to perform the initialization and configuration from a remote location, you must manually enable this feature by editing the Secure Login Web.xml file (for further details please refer to section 7.17 on page 229).

If you want to use Secure Login on an operating system that does not have a GUI (for example Unix without X-Win), you must use SSH or PuTTY to tunnel the Client Web browser connection to the Server (as long as an SSH daemon is running on the Server).

3.6.1 Step 1 - Initial Installation

Introduction

This section describes the installation procedure and initial configuration of Secure Login.

This is necessary for all Authentication Server types.

1. If you have not already done so, enter the following URL in your Internet browser:

http://<URL-Where-Your-Servlet-Resides>/securelogin

For example: http://localhost:8080/securelogin

2. If the deployment has been successful the SECUDE Secure Login Administration

Console prerequisite check page should appear:

Figure 3-19 Administration Console – prerequisite check page


This page lists the prerequisites to run Secure Login successfully. Items with a green

“dot” in front of them indicate the correct availability and functionality. Items with a

red light in front of them indicate an error. Items with a yellow light in front of them

indicate an optional component that may be needed according to Server and setup

type (for example the SAP Adapter is needed for the SAP ID-based logon).

For further information about the Administration Console refer to section 6.1 on page 114.

3. Click Continue.

4. The scenario selection page will appear:

Figure 3-20 Server initialization– authentication selection page

Use this page to choose between either an Authentication Server-specific, quick

initialization, or a detailed multiple Authentication Server initialization.

Click on the logo next to one of the Server-specific methods Microsoft Windows

Domain Username and Password, Username and Password Stored in LDAP

Server, One-Time Password, or SAP Username and Password. For details about

the next step, refer to the next section.

If you click on the Multiple Authentication Methods (Expert Mode) logo, the next

step is in section 3.6.3 on page 63).


3.6.2 Step 2 – Server-Specific Quick Initialization

1. After clicking the logo next to the desired authentication method (Microsoft Windows

Domain, SUN Directory Server or other LDAP Server, RSA SecureID or other One-Time-

Password solution, or SAP Netweaver – see previous section), the Company

Information page will appear:

Figure 3-21 Server Setup Wizard – company information page

Enter basic information about your company. The following options are available (options marked with * are mandatory):

Company Information

- Country: The abbreviation of your country. Click on the field to open and select a country from the drop down menu. Example: DE for Germany

- Locality: The region in which your company is located. Example: Darmstadt

- Company name: Enter the name of your company in this field. Example: SECUDE

Administrator Account

- Account name: The username for the account.

Password Information (NOTE: The password will be used as the password for Administration Console access!)

- Password: The password for this account.

- Confirm password: Confirm the password entered in the field above.

Click Next to continue.

2. According to which authentication method you selected in section 3.6.1, step 4, on page 55, one of the following pages will appear:

For Microsoft Windows Domain authentication:

Figure 3-22 Server initialization – Microsoft Windows Domain authentication page

The following options are available (options marked with * are mandatory):

Let SECUDE Secure Login…: Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter a password in the fields Certificate Password and Confirm Certificate Password to be used for all automated PKI operations (PSE file and TrustStore passwords).

Enter the Active Directory Server…: The IP or URL of the Authentication Server. Click More to open the following options:
  Use SSL: Check this option if you want to use secure communication with the Server.
  Port: The port number the Active Directory Server uses for communication.

The communication between…: Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and the Active Directory Server.

For SUN Directory Server/LDAP authentication:

Figure 3-23 Server initialization – SUN Directory Server/LDAP authentication page

The following options are available (options marked with * are mandatory):

Let SECUDE Secure Login…: Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter the certificate password in the fields Certificate Password and Confirm Certificate Password.

Enter the LDAP Server…: The URL of the Authentication Server. Click More to open the following options:
  Use SSL (LDAPs): Check this option if you want to use secure communication with the Server. NOTE: GetBaseDN will not work if SSL is enabled. If you want to use the GetBaseDN feature, it is recommended that you click it first and then enable SSL.
  Port: The port number the SUN Directory Server/LDAP Server uses for communication.

Enter or select the LDAP search base: Manually enter the base distinguished name or click GetBaseDN to try to retrieve it automatically from the LDAP Server.

The communication between…: Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and SUN DS/LDAP Server.

For RSA SecurID authentication or other one-time password solutions:

Figure 3-24 Server initialization – RSA SecurID authentication page

The following options are available (options marked with * are mandatory):

Let SECUDE Secure Login…: Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter the certificate password in the fields Certificate Password and Confirm Certificate Password.

Enter the RSA Server…: The URL of the RSA Server. Enter the password into the Shared Secret field. Click More to open the following options:
  AuthPort: The authentication port at which the RSA Server expects to be queried for authentication requests.
  Authenticator: This is the authentication protocol for the RSA Server. The possible options are CHAP, MSCHAP and PAP. NOTE: The RSA Authentication Manager only supports the PAP authentication protocol.

The communication between…: Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and the RSA Server.

For SAP NetWeaver authentication:

Figure 3-25 Server initialization – SAP NetWeaver authentication page

The following options are available (options marked with * are mandatory):

Let SECUDE Secure Login…: Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter the certificate password in the fields Certificate Password and Confirm Certificate Password.

SAPID authentication…: If necessary, use the following options to install signon&secure and/or JCO for SAPID:
  Install signon&secure
    - Setup File: Click Browse… to locate the signon&secure package (*.zip file). The files can be located in the SSS+JCO sub-directory of the file SECUDE51SecureLoginNativeComponents.zip delivered with Secure Login.
    - License File: Click Browse… to locate the file ticket.snc (received from SECUDE).
  Install JCO for SAPID
    - sapco.jar: Click Browse… to locate and open the sapjco.jar file (applies to both Windows and Linux/Sun).
    - sapco library 1: Click Browse… to locate and open one of the following files (according to operating system):
      - For Windows: librfc32.dll
      - For Linux/Sun: librfccm.so
    - sapco library 2: Click Browse… to locate and open one of the following files (according to operating system):
      - For Windows: sapjcorfc.dll
      - For Linux/Sun: libsapjcorfc.so

Enter the SAP Server…: Enter the IP or URL of the SAP Server into the first (unmarked) field. Enter the password into the Username field. Click More to open the following extra options:
  Client: SAP System ID.
  System Number: SAP System Number.
  SNCServerName: The DN of the SAP Server, as stated in the Server certificate (the subject DN of the X.509 certificate). This option is not needed if you have selected the first option (let Secure Login use a custom PKI to establish trust between the user and Server). For example: p:CN=SAP NetWeaver 2004, O=secude.local, C=DE

The communication between…: Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and SAP ID Server.

Due to legal restrictions, the SAP JCO libraries are not part of the Secure Login delivery package. For further information please contact SECUDE support.

Click Next to continue.

3. The Install Process page will appear:

Figure 3-26 Server initialization – install process page

This page will display the status of the installation/initialization. Click Start. The status of the installation will be displayed for each step. As soon as a step is complete, a green check-mark will appear next to it:

Figure 3-27 Server initialization – status of initialization

4. Once the initialization is successful, the following information will appear:

Figure 3-28 Server initialization – procedure complete

5. Manually restart the application Server.

Next Steps

For information about how to log in to the console and start using it, refer to section 6.1 'Administration Console' on page 119.

3.6.3 Step 2 – Multiple Authentication Server Initialization – Expert Mode (Wizard)

This section will guide you through the steps necessary to perform a quick, Authentication Server-specific initialization.

1. The Welcome page of the wizard appears:

Figure 3-29 Server Setup Wizard – welcome page

This page introduces the wizard and displays, on the left-hand side, the logical steps necessary to initialize the Server. Click Next to continue.

Some of the more complicated wizard pages have an information bubble icon next to the page header. Click on the icon to open a pop-up dialog containing information about the entries on the page.

2. The Create Administrator Account page will appear:

Figure 3-30 Server Setup Wizard – create administrator account

This page allows you to create an account username and password to be used to log on to the console.

The following options are available:

Account name: The username of the account to be created.

Password: The password for the account to be created. The password must fulfill the following criteria:
  - Be between 5 and 10 characters (use a mix of letters, numbers and special characters).
  - Contain at least one uppercase letter.

Confirm password: Enter the password a second time in this field to confirm the entry made in the field Password.

Click Next to continue.

3. The Setup Type page will appear:

Figure 3-31 Server Setup Wizard – select setup type

The next page to appear will vary according to the selection made here. You can choose between the following options:

Create a new SECUDE Secure Login Server: Select this option to start configuring a new Server. Click Next to continue with section 3.6.3.1 on the next page.

Migrate from an existing SECUDE Secure Login Server: Select this option to migrate the configuration from an existing Secure Login Server. Click Next to continue with section 3.6.3.2 'Migrate from an Existing SECUDE Secure Login Server', on page 82.

Restore from an existing backup (*.zip) file: Select this option to restore the configuration from a backup file. Click Next to continue with section 3.6.3.3 'Restore from an Existing Secure Login Server Backup (*.zip) File', on page 83. NOTE: only backup files created using Secure Login 5.x and 4.3 are supported.

3.6.3.1 Create a New SECUDE Secure Login Server

Continue with this section if you selected Create a new SECUDE Secure Login Server in the previous section.

1. The Input root CA information page will appear:

Figure 3-32 Server Setup Wizard – Input root CA information

This page allows you to enter information about the root certificate authority for the Secure Login Server.

The following options are available (entries marked with * are mandatory):

Create a Root CA by certificate information
  Common name*: Enter the name of the root certificate authority in this field. Example: SECUDE CA
  Organization unit: Enter the division of the company in this field. Example: Research+Development
  Organization: Enter the company name in this field. Example: SECUDE
  Locality: Enter the regional information in this field. Example: Darmstadt
  Country: Enter the country abbreviation in this field. Example: DE for Germany
  Encryption key length: Select the encryption key length for the Server (512, 1024, 1536, 2048, 3072, or 4096 bits).
  Valid from*: Enter the date from which this certificate authority information is valid in this field (YYYY-MM-DD). Example: 2007-7-11
  Validity period (months)*: Enter the number of months for which the certificate authority information is valid.
  Password*: Enter the password to be used for encryption in this field. Check Save Password to store the password for this certificate in a separate Secure Login password file. This means that you do not need to remember the password when editing this certificate at a later date.
  Confirm password*: Confirm the encryption password entered in the field above.

Import an existing KeyStore file: Checking this option will display the following options:

Figure 3-33 Initialization Wizard – import existing keystore

  KeyStore File: Click Browse… to locate and load an existing KeyStore (PSE) file (*.pse).
  Password: The password for the KeyStore (PSE) file.
  Save Password: Check this option to store the password for this certificate in a separate Secure Login password file. This means that you do not need to remember the password when re-loading the PSE file at a later date.

Skip this certificate: Check this option if you do not want, or do not need, to enter any information for this specific certificate at this time.

Skip all PKI certificates: Check this option if you do not want, or do not need, to enter information for any certificate at this time. This means you skip all the PKI certificates, including the Root CA, SSL CA, SSL Server and User CA certificates. You can create or add certificate information at a later time via the 'Certificate Management' function of the Administration Console (see section 6.3.2 on page 181). If you select this option, continue with the setup from step 6 on page 70.

Click Next to continue.

2. The SSL Certificate Generation Type page will appear:

Figure 3-34 Server Setup Wizard – SSL certificate generation type

This page allows you to configure the use of SSL certificates. To enable a higher level of security, SSL is used to encrypt the communication channels, which requires a special SSL certificate.

The following options are available:

Generate SSL certificate using Secure Login Administration Console: If you select this option, the Secure Login Server will be configured as a Root CA and an SSL CA (the next two screens). This Root CA will then issue the SSL CA a valid certificate; the SSL CA will in turn issue a valid Server certificate to be installed on the Server. You will need to download this certificate and install it according to your Server's particular configuration. Proceed with the next step.

Generate SSL certificate to be signed by an external CA: If you select this option, the Secure Login Server generates a valid certificate request. You may download this request, have it signed by an external CA, and import it back into the Server to enable SSL connectivity. Proceed with step 4 on page 69.

Skip all SSL certificates: Check this option if you do not want, or do not need, to enter any SSL certificate information at this time. Proceed with step 5 on page 70.

Click Next to continue.

3. The SSL CA Information page will appear:

Figure 3-35 Server Setup Wizard – input SSL CA information

This wizard page is for information about the certificate authority to be used for SSL. The options available on this page are the same as in step 1 on page 66. Options marked with a red * are mandatory. If you selected

Click Next to continue.

4. The SSL Server Information dialog appears:

Figure 3-36 Server Setup Wizard – input SSL Server information

This wizard page is for information about the Server to be used for SSL. For information about the options available on this page refer to step 1 on page 66. Options marked with * are mandatory.

Click Next to continue.

5. The User CA Information page will appear:

Figure 3-37 Server Setup Wizard – input user CA information

This wizard page is for information about the user certificate authority to be used for SSL. For information about the options available on this page refer to step 1 on page 66. Options marked with * are mandatory.

Click Next to continue.

6. The Server Configuration page will appear:

Figure 3-38 Server Setup Wizard – Server configuration

This wizard page helps you to set up basic Server parameters. The following options are available (options marked with * are mandatory):

AuthConfigPath: The path to the JAAS configuration file on the Server's file system, for example: D:\SECUDE Secure Login\SLSJAAS.login

PseName: The User CA keystore file path. If you created a User CA in the previous step, the file path will be shown here.

DN.Country: Information for a temporary certificate: the country designation (for example: DE for Germany).

DN.Locality: Information for a temporary certificate: the regional designation (for example: Darmstadt).

DN.Organization: Information for a temporary certificate: the organization designation (for example: SECUDE).

DN.Organizational Unit: Information for a temporary certificate: the department designation (for example: Research and development).

ValidityMinutes*: Information for a temporary certificate: the period of time (in minutes) that the user certificate is valid.

DailyLogDir: The path of the directory in which the daily log files are stored.

MonthlyLogDir: The path of the directory in which the monthly log files are stored.

doTrace: This option determines whether to record the Server's execution trace for problem analysis. true (yes) = enable trace messages; false (no) = disable trace messages.

LockDir: The path to which the lock file is saved. A lock file is created when the Server encounters an internal error that requires manual intervention. Default value: the temporary directory of the Java VM, i.e. the directory denoted by the java.io.tmpdir property.

Client Name/IP: The hostname or IP address used for all Client policy files within URLs connecting to SLS.

Click Next to continue.

7. The Authentication Server Configuration page will appear:

Figure 3-39 Server Setup Wizard – Authentication Server

If you want to add an Authentication Server, click Add Server (if not, click Next and go to the next step).

The specific settings for each of the supported Authentication Server types are covered in the following sections:

- For further details about the settings for a servlet engine-based Server (such as Apache Tomcat) refer to page 84.
- For further details about the settings for an RSA Server refer to page 86.
- For further details about the settings for a SAP NetWeaver-based Server for SAP ID-based logon refer to page 87.

8. The Add Authentication Server page will appear:

Figure 3-40 Server Setup Wizard – add Authentication Server

Depending on which Server Type is selected, other options will appear or disappear in the table. The following options are available (options marked with * are mandatory):

Options (general)

Application Name*: An "application name" is the identifier of the group of authentication modules associated with one instance of the SECUDE Secure Login Server (SLS). There can be only one instance of a particular authentication module residing in a JVM. However, there may be multiple SLS instances running on the JVM. Therefore, the group of authentication modules used by an instance of SLS is assigned a unique application name for identification. Different SLS instances running on the same Server must have different application names. The default name is: SLSJaasModule

LoginModuleControlFlag: The flag controls the Server's behavior when it proceeds down the authentication stack. For a detailed explanation, refer to the documentation of javax.security.auth.login.Configuration on the Sun Website. NOTE: this option cannot be changed.

Server Type: Server type selection (LDAP, AD, RADIUS, or SAPID). Other options will appear or disappear in the table according to the selection made via this option.

TestUserName: Test user username. Use this option to set up a user to test the Server parameters.

TestUserPwd: Test user password. Use this option to set up a user to test the Server parameters.

TryAllServers: Determines when to try the next LDAP/ADS Server in the list. Possible values:
  FALSE (default): Try the next Server only if this Server cannot be reached.
  TRUE: Try the next Server if this Server cannot be reached, or access is denied.

Options (LDAP)

LdapHost*: The address of the LDAP Server. This option is for the configuration of the LDAP Server (including the Windows Active Directory Server). For example: ldap://my.host.com:389 (if SSL is used for the communication, the protocol should be changed to ldaps:// and the port number should be changed to 636). NOTE: An SSL Server certificate must have been successfully imported into the TrustStore for SSL to work. It is not possible to import a certificate until after the initial Server setup.

LdapBaseDN: Information that identifies a user in the user management system, LDAP or Active Directory. Either enter the information manually or click Get baseDN list to browse the LDAP directory for the correct base distinguished name. The following pop-up window will appear:

Figure 3-41 add Authentication Server – get baseDN

The following options are available (options marked with a red * are mandatory):
  Host name*: The host name of the LDAP Server.
  Port*: The port of the LDAP Server.
  Username*: The username used to communicate with the LDAP Server.
  SSL: Check this option to use the SSL protocol when communicating with the LDAP Server. If you use SSL in the communication, the protocol should be ldaps:// and a valid certificate is required.
  Anonymous bind: Use this function to query the LDAP Server without a username (managerDN) and password (provided that the LDAP Server is so configured).
  managerDN: Specific username.
  password: The password used to communicate with the LDAP Server.
  Base DN: Click Get baseDN list to query the LDAP Server for a list of base distinguished names to be displayed in the combo-box.
  Get baseDN list: After you have entered the above parameters, click Get baseDN list to obtain the base DNs from the LDAP Server.

LdapTimeout(ms): Determines how long a Client should wait for a response from an LDAP/ADS Server before trying to connect to the next one.

LdapProviderLanguage: Character set for the encoding of the characters when the Server communicates with the LDAP/ADS Server. For example: in the case of ADS, a possible character set is ISO-8859-1.

PasswordExpirationAttribute: Password expiry date (from the LDAP Server). NOTE: If this option is used, the LdapBaseDN attribute must be given in complete DN form.

PasswordExpirationGracePeriod: Defines the interval in days, inside which the password expiration warning is sent to the Client prior to password expiry.

AuthServerID: The warning message to be sent to the Client in the event of password expiry.
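The LdapHost and TryAllServers entries determine whether the bind credentials cross the network in the clear and what the Server does when a directory server in the list is down or rejects the bind. The following Python is an added example, not SECUDE code: it parses an LdapHost value the way the LdapHost note describes (ldap:// on 389 versus ldaps:// on 636) and simulates the TryAllServers rule over a constructed server list. The host names, outcome labels and function names are mine, and no network access takes place.

```python
"""Added example (not SECUDE code): sanity-check an LdapHost value and
simulate the TryAllServers failover rule for the LDAP/ADS server list.
Host names and bind outcomes below are constructed for the demonstration."""
from urllib.parse import urlsplit

# Port the manual pairs with each scheme.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def check_ldap_host(url):
    """Parse an LdapHost value and return the effective settings plus the
    warnings a reviewer would raise before saving the entry."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an ldap:// or ldaps:// URL with a host: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    warnings = []
    if scheme == "ldap":
        warnings.append("ldap:// sends the bind password in cleartext; "
                        "switch to ldaps:// and port 636")
    if port != DEFAULT_PORTS[scheme]:
        warnings.append(f"{scheme}:// on port {port}: the manual pairs it "
                        f"with port {DEFAULT_PORTS[scheme]}")
    if scheme == "ldaps":
        # The directory server's SSL certificate must already be in the
        # TrustStore, which can only be imported after the initial setup.
        warnings.append("ldaps:// requires the LDAP server certificate in the TrustStore")
    return {"scheme": scheme, "host": parts.hostname, "port": port,
            "encrypted": scheme == "ldaps", "warnings": warnings}


# Constructed outcomes of a bind attempt against one server.
UNREACHABLE, DENIED, OK = "unreachable", "denied", "ok"


def authenticate_with_failover(server_outcomes, try_all_servers=False):
    """Walk the configured server list the way TryAllServers describes.

    server_outcomes: list of (server_url, outcome) pairs giving what the bind
    against that server would return (constructed; nothing is contacted).
    Returns (final_outcome, url_of_the_server_that_produced_it)."""
    final = (UNREACHABLE, None)
    for url, outcome in server_outcomes:
        if outcome == OK:
            return OK, url
        if outcome == DENIED and not try_all_servers:
            # FALSE (default): a denial ends the walk; only an unreachable
            # server moves on to the next list entry.
            return DENIED, url
        # Unreachable, or denied with TryAllServers=TRUE: keep walking.
        final = (outcome, url)
    return final


if __name__ == "__main__":
    print(check_ldap_host("ldap://my.host.com:389"))
    servers = [("ldaps://dc1.example.test", DENIED), ("ldaps://dc2.example.test", OK)]
    print(authenticate_with_failover(servers), authenticate_with_failover(servers, True))
```

The second function makes the security trade-off of TryAllServers=TRUE explicit: a rejected credential is retried against every remaining directory, so lockout counters and audit trails are spread across all listed servers rather than one.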

Options (RADIUS)

RadiusServerIP*: The IP address of the RADIUS Server.

AuthPort*: The authentication port at which the RSA/RADIUS Server expects to be queried for authentication requests.

SharedSecret*: A word/phrase used to encrypt the user password.

Timeout(ms): Determines how long a request to a Server is to wait before being sent to the next Server.

Authenticator: Authentication protocol for the RSA/RADIUS Server. Possible options: CHAP, MSCHAP, PAP.

PinMin: Minimum PIN length for users choosing a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 4

PinMax: Maximum PIN length for users choosing a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 8

PinAlphanumeric: PIN format. This parameter is only used with RSA SecurID tokens. Possible values:
  true: the user can choose, and use, a PIN which contains only alphanumeric characters (A-Z, a-z, 0-9).
  false (default): the user can choose, and use, a PIN which contains alphanumeric and special characters (such as !$%&).
  The default password policy for RSA allows only numeric PINs, which cannot be set up via the Secure Login Server/Client policy properties.

RSAServerIniFile: If the RSA Server version is 6.1, a copy of the RSA Server RADIUS message *.ini file (securid.ini) has to be present. Make sure you enter the full path and file name, for example: <Tomcat home>\Webapps\securelogin\WEB-INF\securid.ini
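SharedSecret is described above as the word or phrase "used to encrypt the user password". Under the PAP authenticator (the only one the RSA Authentication Manager supports, per the quick-initialization notes in section 3.6.2) that means the RFC 2865 User-Password hiding: each 16-byte block of the password is XORed with MD5(shared secret + previous block), seeded with the 16-byte Request Authenticator. The following Python is an added example, not SECUDE or RSA code, showing the client-side hiding and the server-side reversal so the dependence on the secret is visible. The secret, password and authenticator values are constructed, and the function names are mine.

```python
"""Added example (not SECUDE or RSA code): RFC 2865 User-Password hiding as a
RADIUS client applies it under PAP, and the reversal the RADIUS server performs.
All values used are constructed for the demonstration."""
import hashlib
import os


def hide_user_password(password, shared_secret, request_authenticator):
    """Return the User-Password attribute value for a PAP Access-Request.

    The password is NUL-padded to a multiple of 16 bytes; block i is XORed
    with MD5(secret || c_{i-1}), where c_0 is the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 password bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block  # chaining: next key depends on this ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden, shared_secret, request_authenticator):
    """Server-side inverse. A wrong shared secret yields garbage, not an error,
    which is why the secret must match exactly on both ends."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(plain).rstrip(b"\x00")  # strip the RFC padding


def demo():
    """Round trip with a fresh random Request Authenticator (constructed values)."""
    secret = b"constructed-shared-secret"
    authenticator = os.urandom(16)
    hidden = hide_user_password(b"correct horse battery", secret, authenticator)
    return reveal_user_password(hidden, secret, authenticator)


if __name__ == "__main__":
    print(demo())
```

The only thing standing between the user's password and anyone who can read the RADIUS traffic is this MD5 keystream keyed by SharedSecret, so treat the value as key material (long, random and unique per client) and keep the Client-to-Server hop on SSL as the wizard's last option offers.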


Options (SAPID)

SAPServer: IP or URL of the SAP Server.

Client: SAP System ID.

SystemNo: SAP System Number.

SNCServerName: The DN of the SAP Server, as stated in the Server certificate (the subject DN of the X.509 certificate). For example: p:CN=SAP NetWeaver 2004, O=secude.local, C=DE

SAPaccount: The SAP user account name for the SECUDE Secure Login Server.

NativeLibraryPath: The folder of the native libraries and the SECUDE signon&secure package. NOTE: This configuration is a global Server Configuration property, which is also used by other JAAS modules.

PasswordMin: This parameter is part of the password policy for the Client-side policy consistency check, specifically the minimum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 1

PasswordMax: This parameter is part of the password policy for the Client-side policy consistency check, specifically the maximum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 30

PasswordAlphanumeric: This parameter is part of the password policy for the Client-side policy consistency check. Possible values:
  true (default): the password can contain only alphanumeric characters (A-Z, a-z, 0-9).
  false: the password can contain alphanumeric and special characters (such as !$%&).
  This parameter must be consistent with the SAP password policy.

Once you have selected the appropriate options, click Test to check the validity of the Server information. If the parameters are correct, a message will appear confirming a successful connection. If any parameter is incorrect, an error message will appear.

Click Save to be returned to the Authentication Server page.
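Three of the wizard tables define length and character-set rules: the Administration Console password (5 to 10 characters with at least one uppercase letter, section 3.6.3 step 2), the RSA PIN parameters PinMin, PinMax and PinAlphanumeric, and the SAP password parameters PasswordMin, PasswordMax and PasswordAlphanumeric above. The following Python is an added example, not SECUDE code, that expresses those rules as client-side checks whose defaults are the values the manual lists, so a mismatch with the policy on the SAP or RSA side shows up as a concrete rejected value rather than a login failure. Function names and sample values are mine.

```python
"""Added example (not SECUDE code): the password/PIN policies the setup wizard
parameterises, as checks a client could apply before submitting a value.
Defaults are the values the manual lists; sample inputs are constructed."""
import string

ALNUM = set(string.ascii_letters + string.digits)


def check_value(value, minimum, maximum, alphanumeric_only, label):
    """Shared length and character-set check. Returns a list of violations
    (empty means the value satisfies the policy)."""
    problems = []
    if not minimum <= len(value) <= maximum:
        problems.append(f"{label} must be {minimum} to {maximum} characters "
                        f"(got {len(value)})")
    if alphanumeric_only:
        bad = "".join(sorted(set(value) - ALNUM))
        if bad:
            problems.append(f"{label} may contain only A-Z, a-z, 0-9 (found {bad!r})")
    return problems


def check_admin_password(password):
    """Administration Console account password (section 3.6.3, step 2):
    5 to 10 characters and at least one uppercase letter."""
    problems = check_value(password, 5, 10, False, "admin password")
    if not any(c.isupper() for c in password):
        problems.append("admin password must contain at least one uppercase letter")
    return problems


def check_rsa_pin(pin, pin_min=4, pin_max=8, pin_alphanumeric=False):
    """New-PIN policy from the RADIUS options PinMin, PinMax and
    PinAlphanumeric (true = alphanumeric only; false = specials allowed).
    The RSA default of numeric-only PINs is enforced by RSA itself, not here."""
    return check_value(pin, pin_min, pin_max, pin_alphanumeric, "PIN")


def check_sap_password(password, password_min=1, password_max=30,
                       password_alphanumeric=True):
    """Client-side SAP password consistency check from the SAPID options
    PasswordMin, PasswordMax and PasswordAlphanumeric; these must mirror
    the password policy configured in the SAP system."""
    return check_value(password, password_min, password_max,
                       password_alphanumeric, "SAP password")


if __name__ == "__main__":
    for label, result in [("admin", check_admin_password("secude1!")),
                          ("pin", check_rsa_pin("12ab!", pin_alphanumeric=True)),
                          ("sap", check_sap_password("Pa$$w0rd"))]:
        print(label, result or "ok")
```

Keeping the thresholds as function parameters mirrors the manual's warning that PasswordMin, PasswordMax and PasswordAlphanumeric must be consistent with the SAP password policy: change them in one place when the SAP side changes.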


The Authentication Server page should now look something like this:

Figure 3-42 Server Setup Wizard – added Authentication Servers

As you can see, the page now contains an Authentication Server entry. You can now either click Edit to change any Authentication Server options, click Delete to remove an entry from the Authentication Server list, or click Add Server to add another Server to the configuration.

If the Server entries are correct and finished, click Next to continue.

9. The Client Policy Configuration page will appear:

Figure 3-43 Server Setup Wizard – configure Client policy

This step will help you to enter Client policy information. A Client will need this information to communicate with the SECUDE Secure Login Server. At the end of the initial setup one Client policy file and two Windows registry files will be available for download (see step 10 on page 79) to be implemented on each Client.

The following options are available (all mandatory):

Policy URL*: The URL of the Clientpolicy.xml. It may be downloaded and installed to a Client system (see step 10 on page 79). For example: http://<IP address>/SECUDE securelogin/Clientpolicy.xml

Profile Name*: The name of the Client profile.

Enroll URL*: The URL of the Secure Login Server to which the Client will connect. For example: https://<IP address>/SECUDE securelogin/PseServer

Key Length*: The key length of the Client certificate.

Grace Period*: The grace period for the Client to connect to the Server.

Inactivity Period*: The maximum period of time the Client may be inactive.

Enter the Client policy details and click Next to continue.

10. The Setup Review page will appear:

Figure 3-44 Server Setup Wizard – Finish configuration

The configuration and initialization of Secure Login is now complete.

If needed, click on each of the links and save the files to disk for further use:

PKI Certificate
  - Root CA Keystore (RootCA.pse)
  - Root CA Cert (RootCA.cer)
  - SSL CA Keystore (SSLCA.pse)
  - SSL Server Cert (SSLServer.cer)
  - SSL Server KeyStore (PKCS#12) (ServerKeyStore.p12)
  - SSL Server KeyStore (JKS) (SSLServer.jks). If you click this, the Privatekey Alias field will appear:

Figure 3-45 Server Setup Wizard – configure private key alias

    Enter the private key alias and click OK to download the file.

Client Policy File (for import on each Client)
  - ClientPolicy.xml
  - customer.reg
  - customerAll.reg

Click Finish to complete the initialization.

11. The completion page will appear:

Figure 3-46 Server Setup Wizard – completion

The wizard is now finished. Click Reload to reload the Secure Login application in the application Server (e.g. Tomcat). For information about how to open the Administration Console to perform further tasks refer to section 6.1 'Administration Console', on page 119.

If the Administration Console login page does not appear, it may be necessary to restart the application Server manually.

3.6.3.2 Migrate from an Existing SECUDE Secure Login Server

Continue with this section if you selected Migrate from an existing SECUDE Secure Login Server in step 3 of section 3.6.3 on page 65.

1. The Enter the Web Root Path of the Existing Server page will appear:

Figure 3-47 Server Setup Wizard – migrate existing Server #1

Enter the root path of the Web application into the field Web Application Root Path and click Next to continue.

2. A success page will appear.

Figure 3-48 Server Setup Wizard – migrate existing Server #2

Click Reload to reload the Secure Login application in the application Server (e.g. Tomcat). For information about how to open the Administration Console to perform further tasks refer to section 6.1 'Administration Console', on page 119.

If the Administration Console login page does not appear, it may be necessary to restart the application Server manually.

3.6.3.3 Restore from an Existing Secure Login Server Backup (*.zip) File

Continue with this section if you selected Restore from an existing backup (*.zip) file in

step 2 of section 3.6.3.1 on page 67.

Remember that this function only supports backup files created using Secure Login 5.x

and 4.3.

1. The Select the backup file (*.zip) page will appear:

Figure 3-49 Server Setup Wizard – restore from backup file #1

Either:

- manually enter the path to the zipped backup file into the field Backup file, or
- click Browse… to locate the zip file on the network or local drive.

Click Next to continue.

2. The Backup file information page will appear:


Figure 3-50 Server Setup Wizard – restore from backup file #2

Click Finish to restore the configuration.

3. If successful the following dialog will appear:

Figure 3-51 Server Setup Wizard – restore from backup file #3

Click Reload to reload the Secure Login application in the application Server (e.g. Tomcat). For information about how to open the Administration Console to perform further tasks refer to section 6.1 'Administration Console', on page 119.

If the Administration Console login page does not appear, it may be necessary to restart the application Server manually.

3.6.4 Step 3 - Configure Authentication Server Communication

The next step is to configure the Server to communicate with the Authentication Server.

There are several different authentication methods to configure, depending on which type

of Authentication Server you want to use:

If you are going to use a servlet engine-based Server (such as Apache Tomcat) then

continue with the section below.


If you are going to use a Radius/RSA Server continue with the Authentication Server

description in section 3.6.4.2 on page 86.

If you are going to use a SAP NetWeaver-based Server for SAP ID-based logon continue

with the Authentication Server description in section 3.6.4.3 on page 87.

3.6.4.1 Configure the Secure Login Server for ADS/LDAP

The SECUDE Secure Login Server must now be configured for the respective Authentication

Server, in this case for an Active Directory Server (ADS) or LDAP.

1. If you have not already done so, start the Administration Console and logon to Secure

Login by entering the following in your Internet browser:

http://<URL-Where-Your-Servlet-Resides>/securelogin

For example: http://localhost:8080/securelogin

2. If the LDAP connection between the SECUDE Secure Login Server and the Microsoft

ADS has to be secure, you have to establish trust between the SECUDE Secure Login

Server and ADS. The prerequisite for this is the certification authority (CA) certificate

of the issuing instance (usually root) of the ADS Server.

To establish trust the ADS Server CA certificate must be imported into the KeyStore via one of two methods:

- Either a signed certificate is made available by the ADS administrator for import directly into Secure Login (via TrustStore management, see section 6.1.6 on page 141), or
- you sign a certificate request for the Active Directory Server (SSL connection) via the Administration Console (via Sign ITS certificate, see section 6.1.14 on page 163) and generate a *.p7b file. Convert the *.p7b file into a certificate file (*.crt, *.cer). Then import the certificate into the TrustStore (via TrustStore management, see section 6.1.6 on page 141).

Ask your Microsoft ADS administrator to send you an export file containing this certificate. The public key infrastructure (PKI) on the ADS side is completely independent of the SECUDE Secure Login PKI.

It is possible to convert the *.p7b file into a *.cer file via a number of tools. The usage of these tools is not part of this manual. Please refer to the third-party documentation.

3. The next step is to define the connection details between Secure Login and ADS.

Click the Authentication Management node in the Administration Console.

4. Click Add Server and enter at least the following details into the appropriate fields:

Server Type: ADS or LDAP

LdapHost: ldaps://<yourdomain>:636

For example: ldaps://testldap.secude.local:636

Test username: The username must include the domain name.

For example: [email protected]

Once you have entered the Server details click Save. For further information about the

Authentication Server parameters on this page refer to section 6.1.4 on page 128.

5. The Secure Login Server is now ready for ADS authentication.

6. Now to configure the Secure Login Client. Click the Client configuration node in the

Administration Console (see section 6.3.3 on page 183).

7. Click Applications and then Add application.

8. In the Add application page enter an Application name and PSEURI. A PSEURI may not be needed if a SAP certificate already exists – in which case you need only select the certificate from the SAP Server field and the PSEURI will automatically be entered.

Once you have entered the application details click Save (this will take you back to

the Client Policy management page).

For further information about the Add application page refer to section 6.3.3.1 on

page 184.

9. Click Profiles and then Add profile.

10. In the Add/Modify Client Profile page enter the profile details. Click Save.

For further information about the Add/Modify Client Profile page refer to section

6.3.3.2 on page 187.

11. Click Files download and download the Client files according to your Client setup:

- Download the customerAll.reg file if you want to roll out a static policy to the Clients (the customerAll.reg file contains the information from the ClientPolicy.xml file).
- Download the customer.reg file if you want to roll out a dynamic policy to the Clients (the customer.reg file only contains information about where to obtain the entries in the ClientPolicy.xml file on a Server).

12. Roll out the customer.reg or customerAll.reg policy files to the Clients.

13. ADS can now be accessed using SSL.

NOTE: SSL is used whenever an LDAP host address with port 636 is specified (LDAPS).

14. Multiple Authentication Server setup / instance management [optional]

If you use more than one Authentication Server and not all Servers have the same

CA, you have to import the certificate of each CA to Secure Login Server.

For further information about instances refer to section 6.3.1 on page 179.

You have to use a unique alias for each CA certificate!
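Step 2 above leaves the *.p7b conversion and its checking to third-party tools. The following shell script is an added example, not part of the manual or the product: it converts an ADS CA certificate delivered as PKCS#7 into a plain *.cer file for TrustStore management and performs the two checks worth making before importing it (the fingerprint to compare with the ADS administrator's value, and a chain check that the LDAPS server certificate really chains to that CA). It assumes the openssl command-line tool; the CA and the server certificate for testldap.secude.local are constructed here for the demonstration.

```shell
# Added example (not part of the SECUDE manual): convert the ADS CA *.p7b file
# into a *.cer file for the Secure Login TrustStore and check it before import.
# Assumes the openssl command-line tool is available.
set -eu

# p7b_to_cer IN.p7b OUT.cer
# Extract the certificates from a PKCS#7 bundle (DER or PEM encoded) into a
# plain PEM certificate file. Only the BEGIN/END blocks are kept; the
# subject/issuer comment lines that "openssl pkcs7 -print_certs" emits are
# dropped so the result is a clean certificate file.
p7b_to_cer() {
    tmp="$2.tmp"
    if ! openssl pkcs7 -inform DER -in "$1" -print_certs -out "$tmp" 2>/dev/null; then
        openssl pkcs7 -inform PEM -in "$1" -print_certs -out "$tmp"
    fi
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$tmp" > "$2"
    rm -f "$tmp"
}

# cert_fingerprint CERT.cer
# SHA-256 fingerprint of the first certificate in the file. Compare it with
# the value the ADS administrator reports before trusting the certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# chain_verifies CA.cer SERVER.cer
# Exit status 0 only if SERVER.cer chains to CA.cer, i.e. the CA you are about
# to import is the issuer of the LDAPS (port 636) server certificate.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# build_demo DIR
# Constructed test data: a throwaway root CA, an LDAPS server certificate
# signed by it, and the CA certificate exported as DER PKCS#7 (*.p7b) the way
# an ADS administrator would hand it over.
build_demo() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed ADS Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=testldap.secude.local" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/srv.pem" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$d/ca.pem" -outform DER -out "$d/ca.p7b"
}

# Run with --demo to exercise the functions on the constructed data.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    build_demo "$d"
    p7b_to_cer "$d/ca.p7b" "$d/ca.cer"
    echo "CA fingerprint to confirm with the ADS administrator: $(cert_fingerprint "$d/ca.cer")"
    if chain_verifies "$d/ca.cer" "$d/srv.pem"; then
        echo "LDAPS server certificate chains to this CA: safe to import"
    else
        echo "LDAPS server certificate does NOT chain to this CA: do not import"
    fi
    rm -rf "$d"
fi
```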

3.6.4.2 Configure the Secure Login Server for RADIUS/RSA

The SECUDE Secure Login Server must now be configured for the respective Authentication

Server, in this case for RADIUS/RSA.

1. If you have not already done so, start the Administration Console and logon to Secure

Login by entering the following in your Internet browser:

http://<URL-Where-Your-Servlet-Resides>/securelogin

For example: http://localhost:8080/securelogin

For advanced details about setting properties manually (not recommended), refer to section

9.2.3 ‘Configuration.properties’, on page 248.

2. If you are using RSA Server v.6.1 (version 6.0 is not affected) copy the

securid.ini file to the Secure Login WEB-INF directory. For example (Tomcat):

<Tomcat home>\Webapps\securelogin\WEB-INF

Every time a message text entry in the securid.ini file is changed the file must be

re-copied to the Secure Login WEB-INF directory.

The securid.ini file is not part of the Secure Login delivery package. It is part of

the RSA Server 6.1 software. For further information please refer to the proprietary

documentation.

Secure Login depends on the following message text entries in the securid.ini file:

InputMustChoose_S_S = \r\nEnter a new PIN having from 4 to 8 digits:
InputNextCode = \r\nWait for token to change,\r\nthen enter the new tokencode:
InputReenterPin = \r\nPlease re-enter new PIN:
OutputChange = \r\nPIN Accepted.\r\nWait for the token code to change,\r\nthen enter the new passcode:

For passwords to be handled properly between SLS and RSA/RADIUS, the securid.ini file must be set up on both Servers. Follow these steps:

- For the RSA/Radius Server: copy/update the securid.ini file to C:\Program Files\RSA Security\RSA Radius\Service\securid.ini and then restart the RSA/RADIUS services.
- For the Secure Login Server (Windows): copy the securid.ini file to the path set up in SLSJaasModule.login – RSAServerIniFile. For example: <tomcat home>\Webapps\securelogin\WEB-INF
- For the Secure Login Server (Linux): copy the securid.ini file to the path set up in SLSJaasModule.login – RSAServerIniFile. For example: /var/lib/tomcat5.5/Webapps/securelogin/WEB-INF

By default the RSA/RADIUS services are not started automatically after a Server restart. To start them:

- Open the RSA Authentication Manager Control Panel > Start & Stop RSA Auth Mgr Services.
- Below Service Management check Start and stop RADIUS Server together with authentication engine. [Edit…] Click Auto Start and check Automatically start services on system startup.
- Confirm and click Close.

3. The next step is to define the connection details between Secure Login and

RADIUS/RSA. Click the Authentication Management node in the Administration

Console (see section 6.1.4 on page 128).

4. Click Add Server and enter at least the following details into the appropriate fields:

Server Type: RADIUS

RadiusServerIP: Example: radius01.secudeTest.local

RSAServerIniFile: path to the securid.ini file (for example:

<Tomcat home>\Webapps\securelogin\WEB-INF\securid.ini).

Once you have entered the Server details click Save. For further information about the

Authentication Server parameters on this page refer to section 6.1.4 on page 128.

5. The Secure Login Server is now ready for RADIUS authentication.

6. Now to configure the Secure Login Client. Click the Client configuration node in the

Administration Console (see section 6.3.3 on page 183).

7. Click Applications and then Add application.

8. In the Add application page enter an Application name and PSEURI. A PSEURI may

not be needed if a SAP certificate already exists – in which case you need only select

the certificate from the SAP Server field and the PSEURI will automatically be entered.

Once you have entered the application details click Save (this will take you back to

the Client Policy management page).

9. For further information about the Add application page refer to section 6.3.3.1 on

page 184.

3.6.4.3 Configure the Secure Login Server for SAP ID-Based Logon

The SECUDE Secure Login Server must now be configured for the respective Authentication

Server, in this case SAP ID-based logon.

Make sure that the following has been installed and configured on the SAP Server side before proceeding with this section:

SECUDE signon&secure is installed and configured.

Ensure that the SAP Server account is able to access the credentials and that the

credentials are set for the correct user account.

The user configured on the SAP Server for the SECUDE Secure Login Server access must be configured for the following:

- SNC access: Note that the SNC Distinguished Name of the user must be the same as that used in the PSE files imported during the SSS&JCO installation.
- A special set of privileges in their profile. These are:
  - S_A.SCON
  - S_A.SYSTEM
  - S_USER_ALL
  - S_USER_RFC
  - Z_TRANS_RFC

For details about how to set a profile refer to the SAP administrator documentation.

It is important to set the correct environment variables for SECUDE Signon&Secure. For

details about the settings for both Unix and Windows-based Servers refer to section 7.5 on

page 217.

1. If you have not already done so, start the Administration Console and logon to Secure

Login by entering the following in your Internet browser:

http://<URL-Where-Your-Servlet-Resides>/securelogin

For example: http://localhost:8080/securelogin

For advanced details about the properties that can be configured, refer to section 9.2.3 'Configuration', on page 248.

2. The next step is to install the SAP JCO libraries (one java library and two system-

dependent native libraries) - SAP-Jco-2.1.8-platforms.

The SAP JCO libraries are not part of the Secure Login delivery package. The libraries

can be downloaded from http://service.sap.com/connectors (requires SAP

account). For details about which library version is needed for Secure Login please

contact SECUDE support.

It has to be ensured that all referenced dynamic-linked libraries exist on the operating

system. For example, on a Linux platform the referenced gcc libraries have to be

present in the required version.

3. Click the SSS&JCO installation node in the Administration Console (see section

6.1.12 on page 158).

4. Install the SECUDE cryptolib package (in the delivery package ZIP file

SECUDE51SecureLoginNativeComponents.zip), ticket, JCO, and JCO PSE.

5. The next step is to define the connection details between Secure Login and SAP ID.

Click the Authentication Management node in the Administration Console (see

section 6.1.4 on page 128).

6. Click Add Server and enter the Server details into the appropriate fields. Once you

have finished click Save.

For details about setting the Authentication Server parameters via the Administration Console refer to section 6.1.4 on page 128. For advanced details about each parameter, plus optional parameters, see section 9.2.4.3 'JAAS Module Configuration Files for SAP ID', on page 260.

7. The Secure Login Server is now ready for SAP ID-based logon.

8. Now to configure the Secure Login Client. Click the Client configuration node in the

Administration Console (see section 6.3.3 on page 183).

9. Click Applications and then Add application.


10. In the Add application page enter an Application name and PSEURI. A PSEURI may

not be needed if a SAP certificate already exists – in which case you need only select

the certificate from the SAP Server field and the PSEURI will automatically be entered.

Once you have entered the application details click Save (this will take you back to

the Client Policy management page).

11. For further information about the Add application page refer to section 6.3.3.1 on

page 184.

3.6.4.4 Configure the Secure Login Server for SAP Logon Ticket-Based Logon

The SECUDE Secure Login Server must now be configured for the respective Authentication

Server, in this case SAP Logon Ticket-based logon.

1. If you have not already done so, start the Administration Console and logon to Secure

Login by entering the following in your Internet browser:

http://<URL-Where-Your-Servlet-Resides>/securelogin

For example: http://localhost:8080/securelogin

For advanced details about the properties that can be configured, refer to section 9.2.3 'Configuration', on page 248.

2. The next step is to install the SAP Verification PSE and the SAP SSOEXT libraries (two

system-dependent native libraries).

The SAP Verification PSE can be exported from SAP NetWeaver Portal, or by the STRUST

transaction in the ABAP Stack.

The SAP SSOEXT libraries are not part of the Secure Login delivery package. The

libraries can be downloaded from http://service.sap.com/connectors

(requires SAP account). For details about which library version is needed for Secure

Login please contact SECUDE support.

It has to be ensured that all referenced dynamic-linked libraries exist on the operating

system. For example, on a Linux platform the referenced gcc libraries have to be

present in the required version.

3. Click the SSS&JCO installation node in the Administration Console (see section

6.1.12 on page 158).

4. Install the SAP Verification PSE, SAPSECU, and SAPSSOEXT.

5. The next step is to define the connection details between Secure Login and SAP

Logon Ticket. Click the Authentication Management node in the Administration

Console (see section 6.1.4 on page 128).

6. Click Add Server and enter the Server details into the appropriate fields. Once you

have finished click Save.

For details about setting the Authentication Server parameters via the Administration Console refer to section 6.1.4 on page 128. For advanced details about each parameter, plus optional parameters, see section 9.2.4.3 'JAAS Module Configuration Files for SAP ID', on page 260.

7. In the common Server configuration Native Library Path, the path to the SAPSECU,

and SAPSSOEXT libraries must be configured.

8. The Secure Login Server is now ready for SAP Logon Ticket-based login.

9. Now to configure the Secure Login Web Client. Click the Web Client configuration node

in the Administration Console (see section 6.1.16 on page 183).

3.6.4.5 Configure the Secure Login Server for SQL Database-Based Logon

The SECUDE Secure Login Server must now be configured for the respective Authentication

Server, in this case SQL Database-based logon.

1. If you have not already done so, start the Administration Console and logon to Secure

Login by entering the following in your Internet browser:

http://<URL-Where-Your-Servlet-Resides>/securelogin

For example: http://localhost:8080/securelogin

For advanced details about the properties that can be configured, refer to section 9.2.3 'Configuration', on page 248.

2. The next step is to install the fitting Java database driver for your database.

The Java database driver depends on the database system you have in use. Each

database vendor provides such Java libraries (JAR), e.g. for MySQL, the JAR file mysql-

connector-java-5.1.12 can be downloaded from

http://dev.mysql.com/downloads/connector/j/

On Tomcat, the connector libraries need to be copied manually into a shared library

folder.

On SAP NetWeaver, connector libraries need to be deployed and configured with Visual

Administrator.

3. The next step is to define the connection details between Secure Login and the SQL database. Click the Authentication Management node in the Administration Console (see section 6.1.4 on page 128).

4. Click Add Server and enter the Server details into the appropriate fields. Once you

have finished click Save.

For details about setting the Authentication Server parameters via the Administration Console refer to section 6.1.4 on page 128. For advanced details about each parameter, plus optional parameters, see section 9.2.4.3 'JAAS Module Configuration Files for SAP ID', on page 260.

5. The Secure Login Server is now ready for SQL Database-based logon.

6. Now to configure the Secure Login Client. Click the Client configuration node in the

Administration Console (see section 6.3.3 on page 183).

7. Click Applications and then Add application.

8. In the Add application page enter an Application name and PSEURI. A PSEURI may

not be needed if a SAP certificate already exists – in which case you need only select

the certificate from the SAP Server field and the PSEURI will automatically be entered.

Once you have entered the application details click Save (this will take you back to

the Client Policy management page).

9. For further information about the Add application page refer to section 6.3.3.1 on

page 184.

3.6.5 Step 4 - Test SECUDE Secure Login Server

The following step describes how to test the Secure Login files deployed to the Server.

Make sure that file name and path notations used in this step are correct for the target

operating system.

1. In your browser, enter the following URL:

http://<URL-Where-Your-Servlet-Resides>/securelogin/admin/index.jsp

For example: http://localhost:8080/securelogin/admin/index.jsp


2. If the deployment has been successful the SECUDE Secure Login Administration

Console login page should appear:

Figure 3-52 Administration Console – login page

For further information about the Administration Console refer to section 6.1 on page

119.

If the location of the SECUDE Secure Login Server configuration file is not specified

correctly, the browser displays a red error message.

3.7 Remove SECUDE Secure Login Server

3.7.1 Remove SECUDE Secure Login Server - Tomcat

This section details the removal procedure for the Secure Login Server component from

ADS, LDAP, RADIUS, and SAP ID Servers.

It is recommended to backup the configuration and settings in case you want to use Secure

Login again. For further information refer to section 6.1.9.1 on page 151.

1. Stop your Web application Server.

2. Delete the following directories/files:

<application Server Web-apps directory>/securelogin/

<application Server Web-apps directory>/securelogin.war

If you want to use Secure Login again follow the procedure as from section 3.2.


3.7.2 Remove SECUDE Login Server – BEA Weblogic

1. Stop and delete securelogin.war in the BEA WebLogic console for BEA 9 and BEA 10.

2. Remove all files and directories under <BEA home>/Server/bin/myServer/stage/securelogin.war

3.7.3 Remove SECUDE Secure Login Server - SAP NetWeaver

This section details the removal procedure for the Secure Login Server component from

SAP NetWeaver Servers.

It is recommended to backup the configuration and settings in case you want to use Secure

Login again. For further information refer to section 6.1.9.1 on page 151.

1. Logon to SAP Visual Administrator.

2. Select Server(x)>Services>Deploy, from the tree in the left-hand pane.

3. Select the deployed secude.com/SecureLogin component from the Runtime tab in

the middle pane.

Figure 3-53 SAP Visual Administrator – locate Secure Login component

Click Remove on the right-hand side of the window.

4. A confirmation dialog will appear:


Figure 3-54 SAP Visual Administrator – removal confirmation dialog

Click OK.


4 Client Installation, Configuration, and Removal

Introduction

This chapter describes the configuration and installation of the SECUDE Secure Login

Client. To save configuration time, install and rollout the Client AFTER you have fully

installed and configured the Secure Login Server.

Sections in this Chapter

Section 4.1 'Prerequisites', on page 95

Section 4.2 'SECUDE Secure Login Client Preparation', on page 96

Section 4.3 'Client Rollout', on page 97

Section 4.4 'Remove SECUDE Secure Login Client', on page 106


4.1 Prerequisites

Introduction

This section lists the hardware and software requirements.

Contents

Section 4.1.1 'Hardware Requirements for SECUDE Secure Login Client', on page 95

Section 4.1.2 'Software Requirements for SECUDE Secure Login Client', on page 95

You will need administrator access rights to install the Secure Login package.

4.1.1 Hardware Requirements for SECUDE Secure Login Client

Hardware: Details

RAM: 256 MB minimal, 512 MB optimal.

Hard disk: 12 – 22 MB, depending on which SECUDE modules are installed.

4.1.2 Software Requirements for SECUDE Secure Login Client

For the…: …you require the following software

Operating System: Windows XP (SP3), Windows Vista, Windows 7, Citrix Terminal Server

Installation: Software for unpacking the zip installation package; MSI 3.1 installer

Customizing: MMC snap-in, if customizing with group policies is to be used (ADM templates are available)

System runtime environment: SAP NetWeaver ABAP 6.4 or higher; SECUDE Secure Login Server (unless an existing PKI is used); correctly installed smart card or Microsoft Crypto Store for the respective authentication (see below).

Authentication with a Smart Card

As a precondition for authentication using smart cards, a smart card reader with a card driver (PKCS#11 middleware) must be installed. If smart cards other than TCOS are to be used, a card driver must also be available (TCOS cards are directly supported without an additional driver).

Authentication with Microsoft Crypto API

As a precondition for authentication using Microsoft Crypto API, a certificate in a CSP must be available by one of the following methods:

- Import of a PFX or P12 file into the personal Microsoft Crypto Store
- CSP on a smartcard
- Online certificate (for example, VeriSign, Web.de)
- Managed PKI software (for example, Entrust, Microsoft CA)


4.2 SECUDE Secure Login Client Preparation

The SECUDE Secure Login Client is delivered as a zip archive. This archive contains all of

the files and data required to install the SECUDE Secure Login Client.

Follow these steps to install the Secure Login Client:

1. Unpack the zip archive SECUDE42securelogin.zip to any directory.

2. Check the \customer\sample\ directory (this directory contains samples of the

optional configuration files).

The optional configuration files can be configured manually (see below) using the sample

files.

The configuration file secude.xml contains smart card-specific configuration settings,

protocol settings, and the settings for the SECUDE crypto library. The secude.xml file is

configured automatically. For information about the configuration of this file, please contact

SECUDE technical support.

3. During installation, all of the files used to customize the product during installation

must be located in the customer directory next to the MSI installer. The

\customer\sample\ directory contains examples of all configurable files. The

customer can adapt the sample files to fit the PKI and environment of the company.

The MSI installer reads the following files in the customer folder during installation:

File: Used for…

bridge.p7c, bridge.p7s: A list of trusted trust-center certificates (root CAs). This is a digitally-signed set of DER-encoded certificates, which is used automatically for each PSE which has its own root CA stored in it. For further details about the extensions, refer to the file bridge.txt. For further details about the content, refer to the file certs.txt.

certs.p7c, certs.p7s: A list of certificates (CAs). This is a digitally-signed set of DER-encoded certificates, which is used automatically for each PSE where CA certificates are missing. For further details about the content, refer to the file certs.txt.

customer.reg: All Microsoft registry settings the customer can configure automatically (SECUDE tickets, group policies).

psesvc.xml: Overlay configuration for the PSE Service smart card token, provided by SECUDE.

roots.p7b, root.cer: Root CA certificates of the SECUDE Secure Login Server's SSL peer that are trusted automatically for machine and users. For HTTPS trust, the SSL Server's Root CA certificate is added to the user's personal certificate store or the computer system certificate store, either 'Trusted Root Certification Authorities' or 'Enterprise Trust'. Formats: a single certificate or PKCS#7 certificate list, DER or base64 encoded.

ticket.snc: Customer-specific SECUDE file ticket for SAP SNC/GSS.

ticket.ssf (optional): Customer-specific SECUDE file ticket for SAP SSF.

token_prompted.bmp: Custom bitmap picture for all SECUDE Secure Login profiles with password prompt in the login dialog box. It overwrites the default bitmap and must be 200x90 pixels and have a 24-bit color depth.

token_smartcard.bmp: Custom bitmap picture for all smart card or Microsoft CAPI profiles with PIN prompt in the login dialog box. It overwrites the default bitmap and must be 200x90 pixels and have a 24-bit color depth.

token_soft.bmp: Custom bitmap picture for all soft-token profiles with password prompt in the login dialog box. It overwrites the default bitmap and must be 200x90 pixels and have a 24-bit color depth.

token_windows.bmp: Custom bitmap picture for all SECUDE Secure Login profiles with Windows credentials in the login dialog box. It overwrites the default bitmap and must be 200x90 pixels and have a 24-bit color depth.

4. If necessary, you can now customize the Secure Login Client:

The SECUDE Secure Login Client (SLC) system service is a standard component of the

SECUDE Secure Login Client, which (among other things) is responsible for

communication with the SECUDE Secure Login Server for logging in using Windows

credentials.

Another task of the SLC system service is to obtain the latest Client policy. This could be done, for example, by downloading a policy file from a given URL (the policy Server) during start up or regularly via a configurable time interval. The XML formatted policy file (see section 9.1.1 'ClientPolicy.xml File' on page 239) is translated into Windows registry database keys and values after a successful verification.

If the policy download is not successful, the existing policy is kept.

The policy download from the policy Server can be replaced by configuring the SECUDE Secure Login Client using Microsoft group policies (see section 9.1.4 'ClientPolicy.xml File' on page 245).

A combination of an XML file on the policy Server and MS group policies is not recommended.

The properties for the SLC system service can be configured using the customer.reg file or can be integrated in the company's group policies. The property names are not case-sensitive. For further information about the registry entries refer to section 9.3 'Secure Login Client Registry Values' on page 264.

4.3 Client Rollout

Introduction

The SECUDE Secure Login Client is usually installed on a large number of systems.

Therefore, the Client setup is usually performed as an unattended installation using

Microsoft MSI. The Client setup is implemented as an MSI 3.1 package.

During installation, all files used to customize the product during installation are stored in

the customer subfolder, which must be located in the same directory as the MSI setup.

The MSI setup reads and copies them during installation.

Contents

Section 4.3.1 'Installation', on page 98

Section 4.3.2 'Command Line Options to Influence the MSI Setup', on page 103


4.3.1 Installation

Before proceeding with this section make sure that it is the stand-alone Client you want to install and not the Web Client. For details about the Web Client installation refer to chapter 5 ‘Secure Login plus Web Client - Installation, Usage, and Removal’ on page 109.

The installation wizard is usually used for a single installation of the Group Policies.

1. Double-click the MSI installer SECUDE Secure Login.msi.

2. The welcome dialog will appear:

Figure 4-1 installation – welcome dialog

Click Next.

3. The program information appears:

Figure 4-2 installation – program information dialog

Click Next.


4. The license agreement appears:

Figure 4-3 installation – license agreement dialog

Check I accept the terms of the license agreement and click Next.

5. The setup type dialog appears:

Figure 4-4 installation – setup type dialog

- Check Complete if you want to install all of the features (go to step 7).
- Check Custom if you want to install specific features (go to step 6).

The installer contains the following components (components marked with * are pre-selected by default):


Component                            Details/Value

Business Client addins
  SNC/GSS (primary) *                Installs the primary SAP Secure Network Communication
                                     support addin for SAP Clients.
  SNC/GSS (secondary)                Installs the secondary SAP Secure Network Communication
                                     support addin for SAP Clients. (Only required if another
                                     SNC library is already installed. SNC/GSS (primary) must
                                     be de-selected in this case.)
  SSF                                Installs the SAP Secure Store and Forward support addin
                                     for SAP Clients.

SECUDE Secure Login
  Secure Login system service:
  Windows Network Provider addin *   Network provider addin for retrieving Windows credentials
                                     for authentication against Active Directory.
  Windows Kerberos addin             Secure Login addin to use local Windows Kerberos
                                     authentication against a local Secure Login service for
                                     CITRIX.

Profile Management *
  PSE Service *                      Personal Security Environment user service.
  Security Tokens: *
  - Smartcard support *              PKCS#11 and TCOS-based smart card token plugins.
  - CAPI support *                   Microsoft CryptoAPI token plugin.

SECUDE CSP *                         SECUDE cryptographic service provider.

Group Policies                       Microsoft group policy templates (ADM files).

Notification                         Notification service and GUI for tracing purposes.

Once you have chosen a setup type click Next.

6. If you chose to install specific features in the previous dialog, the custom setup dialog appears:


Figure 4-5 installation – custom setup dialog

- Select the features you wish to install and click Next.
- If you want to prevent the installation of a component, click on the hard drive symbol next to the component and select The feature will not be available from the context menu:

Figure 4-6 installation – component selection

- To return to the default selection click Reset.
- Once you have made your selection click Next.

7. The ready to install dialog appears:


Figure 4-7 installation – ready to install dialog

Click Install.

8. The installation status dialog appears:

Figure 4-8 installation – installation status dialog

The installation may take a few minutes, so please be patient.

9. Once the installation is complete the following dialog appears:

Figure 4-9 installation – completion dialog

Click Finish. The installation is now complete.

10. It is necessary to restart the computer to start using Secure Login. Click


Start>Shutdown>Restart to restart.

Further Information

Section 4.3.2 ‘Command Line Options to Influence the MSI Setup’, on page 103

4.3.2 Command Line Options to Influence the MSI Setup

Introduction

This section details command line options that can influence the Microsoft Installer (MSI) setup.

Contents

Section 4.3.2.1 ‘Standard MSI Options’, on page 103
Section 4.3.2.2 ‘Secure Login MSI Options’, on page 104

4.3.2.1 Standard MSI Options

To see the standard MSI options, open a command shell and enter the following syntax:

msiexec /?

The following dialog will be displayed:

Figure 4-10 installation – restart dialog


4.3.2.2 Secure Login MSI Options

To view the options specific to the SECUDE Secure Login setup, open a command shell and enter the following syntax:

msiexec /i "<path>\SECUDE Secure Login.msi" HELP=1

For example:

msiexec /i "C:\SECUDE Secure Login.msi" HELP=1

The following dialog will be displayed:

Figure 4-11 installation – restart dialog

The components that can be installed individually have the following syntax and meaning (features marked with * are installed by default if no specific components are selected):

Feature abbreviation           Package name in               Description
(command line syntax)          custom setup

ProfileManagement              Profile management            User components.
PSE Service                    PSE Service                   User GUI and SSO process.
Token                          Security tokens               Persistent security tokens.
Capi                           CAPI support*                 Microsoft Crypto API token plug-in.
Smartcard                      Smartcard support*            PKCS#11 and TCOS based smartcard
                                                             token plug-ins.
CSP                            SECUDE CSP*                   Cryptographic service provider
                                                             plug-in for the Microsoft Crypto API.
GroupPolicies                  Group Policies                Group policies, ADM files.
Notification                   Notification                  Notification service and viewer for
                                                             SECUDE applications.
secure_login                   SECUDE Secure Login*          Credentials-based certificate
                                                             enrollment.
secure_login_Pepperbox         n/a                           Basic non-persistent tokens support.
secure_login_Kerberos          Windows Kerberos addin        Kerberos support.
secure_login_NetworkProvider   Windows network provider      Network provider add-in for
                               addin*                        retrieving Windows credentials.
secure_login_Service           Secure login system           SECUDE Secure Login system service
                               service*                      for policy download and Windows
                                                             credentials management.
signon_secure                  Business Client addins        SAPGUI security component.
signon_secure_SNC              SNC/GSS (primary)*            SAP Secure Network Communication
                                                             support.
signon_secure_SSF              SSF                           SAP Secure Store and Forward
                                                             support.

For a full list of components installed by default (i.e. when no specific components are selected) refer to section 4.3.1, step 5, on page 99.

Example Installation Syntax 1

This example has been put together to achieve the following:

- Install SECUDE Secure Login without the user wizard but with the progress bar; do not install the Windows login component (option qb).
- Set the personal security environment (PSE) path to that of the subfolder SECUDE in the user profile (option CREDDIR=$USERPROFILE$\SECUDE).
- Install German language modules only (option LANG=1031).
- Install programs into the default folder; do not install ADM files for group policy support (option qb).
- Add massive logging (option l*v sl.log).

So, to achieve the above the syntax should be as follows:

msiexec.exe /i "C:\SECUDE Secure Login.msi" /qb /l*v sl.log ADDLOCAL=ALL REMOVE=secure_login_NetworkProvider,GroupPolicies CREDDIR=$USERPROFILE$\SECUDE LANG=1031

If you execute the above syntax then you will notice after the installation that both the German and the English GUI have been installed. This is because English language support cannot be de-selected as it is the fallback GUI. No reboot is required. The system tray icon is displayed, and enrolment profiles are provided immediately.

Example Installation Syntax 2

This example has been put together to demonstrate a simple installation and feature selection:

Msiexec /i "SECUDE Secure Login.msi" INSTALLDIR="C:\Program Files\SECUDE\SL" LAUNCH=1 LANG=0000 ADDLOCAL=ALL REMOVE=Notification,GroupPolicies,Smartcard,secure_login_Kerberos


In most cases the easiest way is to install all but a few features, which is best expressed as ADDLOCAL=ALL REMOVE=feat1,feat2,…
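The two example command lines above are easy to get wrong in a rollout script: a misspelled feature name in REMOVE= is silently ignored by the installer, and the exit code that tells you whether a reboot is pending is rarely checked. The following Python helper is an added example, not code from the manual or from SECUDE: it assembles an unattended msiexec command line of the ADDLOCAL=ALL REMOVE=... form from a feature list, rejects feature names that are not in the table in section 4.3.2.2, and maps the standard Windows Installer exit codes to a short status for the rollout report. The function names, the sample paths and the quoting rule are assumptions; only the feature identifiers and the properties (CREDDIR, LANG, INSTALLDIR) come from the manual.

```python
"""Helpers for an unattended Secure Login Client rollout via msiexec.

Added example (not part of the manual): the feature identifiers are the
abbreviations listed in the table in section 4.3.2.2; function names and the
sample paths are assumptions.
"""

# Feature abbreviations accepted by ADDLOCAL/REMOVE (section 4.3.2.2 table).
# The "PSE Service" row is omitted because its abbreviation as printed
# contains a space and cannot be used as a comma-separated feature name.
KNOWN_FEATURES = frozenset({
    "ProfileManagement", "Token", "Capi", "Smartcard", "CSP", "GroupPolicies",
    "Notification", "secure_login", "secure_login_Pepperbox",
    "secure_login_Kerberos", "secure_login_NetworkProvider",
    "secure_login_Service", "signon_secure", "signon_secure_SNC",
    "signon_secure_SSF",
})

# Standard Windows Installer exit codes (not specific to Secure Login).
EXIT_CODES = {
    0: "success",
    1602: "cancelled by user",
    1603: "fatal error during installation",
    1641: "success, reboot initiated by the installer",
    3010: "success, reboot required",
}


def _quote(value: str) -> str:
    """Quote a command-line token only if it contains whitespace."""
    return f'"{value}"' if any(ch.isspace() for ch in value) else value


def build_install_command(msi_path, remove=(), properties=None,
                          log_path="sl.log", ui="qb"):
    """Return an msiexec command line that installs every feature except the
    ones in `remove` (ADDLOCAL=ALL REMOVE=...), with a verbose log file.

    Raises ValueError for a feature name that is not in the table, so a typo
    fails when the script is built instead of silently keeping a component
    such as the Windows network provider add-in on every target machine.
    """
    unknown = sorted(set(remove) - KNOWN_FEATURES)
    if unknown:
        raise ValueError(f"unknown feature name(s): {', '.join(unknown)}")
    parts = ["msiexec.exe", "/i", _quote(msi_path), f"/{ui}",
             "/l*v", _quote(log_path), "ADDLOCAL=ALL"]
    if remove:
        parts.append("REMOVE=" + ",".join(remove))
    for key, value in (properties or {}).items():
        parts.append(f"{key}={_quote(value)}")
    return " ".join(parts)


def classify_exit_code(code: int) -> str:
    """Map an msiexec exit code to a short description for rollout reporting."""
    return EXIT_CODES.get(code, f"failed with Windows Installer error {code}")


if __name__ == "__main__":
    # Reproduces example syntax 1 from the manual.
    print(build_install_command(
        r"C:\SECUDE Secure Login.msi",
        remove=["secure_login_NetworkProvider", "GroupPolicies"],
        properties={"CREDDIR": r"$USERPROFILE$\SECUDE", "LANG": "1031"}))
    print(classify_exit_code(3010))
```

Run from a rollout wrapper, the returned string is handed to the process launcher and the launcher's exit status to classify_exit_code, so a 3010 is reported as a pending reboot rather than as a failure.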

4.4 Remove SECUDE Secure Login Client

This section details the removal procedure for the Secure Login Client component.

It is recommended to back up any certificates you may have imported into the PSE service before removing the Secure Login Client component.

1. Start the removal procedure via one of the following options:

- Open a command box and enter msiexec /i "<path to msi file>SECUDE Secure Login.msi"
- Double-click the SECUDE Secure Login.msi installer
- Click Start>Control panel>Add and Remove Programs, select SECUDE Secure Login from the list and click Remove

2. The Welcome dialog will appear:

Figure 4-12 removal – welcome dialog

Click Next.

3. The Program Maintenance dialog appears:


Figure 4-13 removal – program maintenance dialog

Check Remove and click Next.

4. The Remove Program dialog appears:

Figure 4-14 removal – remove program dialog

Click Remove.

5. The status of the removal will be displayed:

Figure 4-15 removal – removal status dialog

6. If the removal is successful the following dialog will appear:


Figure 4-16 removal – welcome dialog

Click Finish.


5 Secure Login plus Web Client - Installation, Usage, and Removal

Introduction

This chapter details how to install, use, and remove the Secure Login Web Client.

The Web Client installation is not just the Web Client but rather the complete Secure Login Server plus Web Client. Make sure that it is this version of Secure Login (i.e. with Web Client) you want to deploy before proceeding with this chapter. For details about the standard installation refer to chapter 3 ‘Server Installation, Configuration, and Removal’ on page 32.

Currently, there is no version of the Web Client for BEA WebLogic.

The installation routine also differs slightly from the standard installation:

- The Secure Login Web Client installation routine for Tomcat is similar to the standard Secure Login installation to Tomcat but there are several extra steps:
  - deploy the Apache Axis2 Web service architecture within Tomcat
  - deploy the Secure Login Web service within Axis2.
- The Secure Login Web Client installation routine for NetWeaver is the same as the standard Secure Login installation to NetWeaver with the exception that a different archive is deployed.

Contents of Web Client Delivery Package

Within the main delivery package (SECUDE51secureloginServer.zip) the Web Client directories for Tomcat and NetWeaver contain the following files:

For Apache Tomcat (Tomcat WS):

- axis2.war - AXIS2 Web application from Apache (version 1.4).
- shared.zip - All Secure Login JAR files (SECUDE + third party) as well as Server message files.
- iaik_jce_full.jar - Institute for Applied Information Processing and Communication (IAIK) provider for the Java Cryptography Extension (JCE).
- opencsv-1-7-1.jar - opencsv, a very simple CSV (comma-separated values) parser library for Java.
- radClient3.jar – Radius Client application.
- SECUDE-JavaSDK.jar – SECUDE Java SDK.
- SECUDE-SecureLogin.jar – SECUDE Secure Login application.
- SECUDE-Transfair.jar – SECUDE Secure Login application framework.
- ServerMsg.properties – The file that contains the default Server messages (it is duplicated when creating a new Server messages file in an alternate language).
- ServerMsg_de.properties - Server messages file in English.
- ServerMsg_en.properties - Server messages file in German.
- SlsWebClient.war – The Secure Login Web Client.
- securelogin.war - The main Secure Login file including the Administration Console (but without JAR files and Server message files).
- secureloginservice.aar - Secure Login AXIS2 Web Service.

For SAP NetWeaver (NetWeaver WS):

- secureloginservice.ear – Enterprise archive containing all of the necessary components ready for deployment. This includes the Web Service and Web Client.

Sections in this Chapter

Section 5.1 ‘Prerequisites’ on page 110
Section 5.2 ‘Preparing the Server for Installation’ on page 111
Section 5.3 ‘Install and Configure the Web Client’, on page 112
Section 5.4 ‘Use the Web Client’, on page 115
Section 5.5 ‘Remove the Web Client’, on page 117


5.1 Prerequisites

This section lists the hardware and software requirements for Secure Login and the Web Client.

Prerequisite for…          Details

Secure Login Server        The hardware/software requirements are the same as for the
                           standard Secure Login installation. For a complete list of
                           requirements please refer to section 3.1 on page 33.

Secure Login Web Client    Supported operating systems:
                           - Windows
                           - Linux
                           - Mac OS X
                           - Others (depending on the SECUDE C-SDK)

                           System requirements:
                           - Java 1.5 or higher browser plug-in
                           - SAPGUI for Java
                           - SAPGUI for Windows (limited)

                           Supported Internet browsers:
                           - Linux Konqueror
                           - Mozilla Firefox 2.x, 3.x or any other Mozilla-based Web browser
                           - Microsoft Internet Explorer 6/7
                           - Apple Safari 3.x

                           Supported Operating Systems for SAP-ID-based authentication
                           (SunOS/Solaris/HP-UX have no Web Client support, Mac OSX has
                           no Server support):
                           - Linux-i686-2.2-GLIBC2.1-mt-32
                           - Linux-i686-2.4-GLIBC2.2-mt-32
                           - Linux-i686-2.6-GLIBC2.3-mt-32
                           - Linux-i686-2.6-GLIBC2.7-mt-32
                           - MacOSX10.4-mt-32
                           - SunOS-sparc-5.10-mt-32
                           - SunOS-sparc-5.10-mt-64
                           - SunOS-sparc-5.8-mt-32
                           - SunOS-sparc-5.8-mt-64
                           - Windows-i686-VS7.1-mt-32
                           - HP-UX 11.11 (PA-RISC)
                           - HP-UX 11.23 (Itanium)

                           The native components for each OS are part of the delivery
                           package.


5.2 Preparing the Server for Installation

Introduction

The Server must be prepared for the installation of Secure Login plus the Web Client. If you have already prepared the Server go to the next section to start with the installation. If you have not prepared the Server, the following list indicates what must be installed and configured before starting with the installation of SECUDE Secure Login:

- Install the operating system (plus updates if necessary).
- Install Java (JCE will be automatically installed).
- Install the application Server.

This manual does not detail the installation and configuration of the above mentioned software. It is assumed that the knowledge and skills necessary to perform the Server preparation are already present and need not be documented.

Contents of Delivery Package

Secure Login is delivered as a series of ZIP files. The contents of each ZIP file are as follows:

SECUDE51SecureLoginNativeComponents.zip

This file contains the necessary native Secure Login components for each supported platform:

  \extra
    Example secude.xml file
  \SSS+JCO
    Native components for the Signon&Secure and JCO installation
  \WebClient
    Native components necessary to run the Web Client

SECUDE51SecureLoginServer.zip

  \doc
    This directory contains the documentation, license agreements, and readme files.
  \SECUDE51SecureLoginServer.zip
    Despite the fact this ZIP file has the same name as the file containing it, this file contains the standard Secure Login applications as well as the Web Client variants:
    - \NetWeaver\securelogin.ear
      Standard Secure Login application for SAP NetWeaver to work with the Secure Login Client.
    - \NetWeaver WS\secureloginservice.ear
      The Web Client version of Secure Login for SAP NetWeaver.
    - \Tomcat\securelogin.war
      Standard Secure Login application for Apache Tomcat to work with the Secure Login Client.
    - \Tomcat WS\axis2.war, securelogin.war, secureloginservice.aar, shared.zip, SlsWebClient.war
      The Web Client version of Secure Login for Apache Tomcat plus secondary files necessary for operation.

Prepare the Files

In preparation for installation, it is recommended to unpack the ZIP archive SECUDE51SecureLoginServer.zip to produce the four application sub-directories, as well as SECUDE51SecureLoginNativeComponents.zip to produce the files for the native components.

This manual contains steps in which it is necessary to choose and confirm passwords. For reasons of security Secure Login will only allow you to choose passwords that are hard to guess (i.e. a mix of uppercase/lowercase letters, digits, and special characters).


5.3 Install and Configure the Web Client

The Web Client itself is delivered in two versions – one for Apache Tomcat and one for SAP NetWeaver. The next two sub-sections detail the installation steps for the Secure Login Web Client on both systems.

Sections

Section 5.3.1 ‘Web Client installation on Tomcat’, on page 112
Section 5.3.2 ‘Web Client Installation on NetWeaver’, on page 114

5.3.1 Web Client installation on Tomcat

1. If necessary, stop Tomcat.

2. Unpack the contents of the file shared.zip located in the directory <unzipped location on hard disk>SECUDE51SecureLoginServer/Tomcat WS/ (in the delivery package - see section 5.2 on page 111). This step differs according to the version of Tomcat you use:

- Tomcat 6: Unzip the content directly to the directory <Tomcat home directory>\shared.
- Tomcat 5:
  - Unzip the *.properties files to the directory: <Tomcat home directory>\shared\classes
  - Unzip the *.jar files to the directory: <Tomcat home directory>\shared\lib

Apache Tomcat 6.x does not use a ‘shared’ directory as standard, so it must not only be created but also entered manually into the Tomcat configuration (failure to do so will result in errors such as ‘SecudeJavaSDK not found’ and ‘JRE Policy not implemented’ – despite the fact that the components are in the correct directory):

- Create the shared directory directly under the Tomcat home directory, for example: <Tomcat home>\shared
- Open the Tomcat properties file catalina.properties in the directory <Tomcat home>\conf in a text editor.
- Locate the following section:

  # List of comma-separated paths defining the contents of the "shared"
  # classloader. Prefixes should be used to define what is the repository type.
  # Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
  # the "common" loader will be used as Catalina's "shared" loader.
  # Examples:
  #     "foo": Add this folder as a class repository
  #     "foo/*.jar": Add all the JARs of the specified folder as class
  #                  repositories
  #     "foo/bar.jar": Add bar.jar as a class repository
  # Please note that for single jars, e.g. bar.jar, you need the URL form
  # starting with file:.
  shared.loader=

- Change the last line to read:

  shared.loader=${catalina.home}/shared,${catalina.home}/shared/*.jar

- Save the changes and close the text editor.

3. Copy the file securelogin.war from the delivery package to <Tomcat home directory>\Webapps.


4. Start Tomcat to deploy the securelogin.war file.

5. Start the Administration Console and create your basic configuration (see section 6.1 on page 119). Once completed, log out of the console.

6. Deploy the file axis2.war by copying it from the delivery package to the directory <Tomcat home directory>\Webapps. The deployment should be automatic, but if not, restart Tomcat.

When configuring an SAP-ID-based Authentication Server, the Administration Console will usually take care of the signon&secure/JCO installation. This includes copying the file sapjco.jar to the directory <Tomcat home>\Webapps\securelogin\WEB-INF\lib.

This also applies to the AXIS Web Client scenario. The file sapjco.jar will be copied to the ‘shared’ directory:

- For Tomcat 5.x: <Tomcat home directory>\shared\lib
- For Tomcat 6.x: <Tomcat home directory>\shared

However, for the AXIS Web Client scenario, if you have not set the option TomcatSharedPath in the Administration Console page Web Client Configuration, then you will have to copy the sapjco.jar file manually to the respective Tomcat 5.x/6.x directory. For further details about the Web Client Configuration node refer to section 6.1.16 on page 166.

7. Deploy the file secureloginservice.aar by copying it from the delivery package to the directory <Tomcat home directory>\Webapps\axis2\WEB-INF\services. The deployment should be automatic, but if not, restart Tomcat.

8. Open the file <Tomcat home directory>\Webapps\axis2\WEB-INF\Web.xml in a text editor. Locate and remove the line <load-on-startup>XXX</load-on-startup>. Save the file and close the editor.

9. Deploy the file SlsWebClient.war by copying it from the delivery package to the directory <Tomcat home directory>\Webapps.

The Tomcat Security Manager

Usually, after a fresh Tomcat installation, the Tomcat Security Manager is deactivated. However, if it is active then errors such as ‘SecudeJavaSDK not found’ and ‘JRE Policy not implemented’ may occur despite the fact that everything in the configuration appears to be as it should. The Tomcat Security Manager must be deactivated:

For Tomcat 5.5 under Linux: the following security manager option is located in the Tomcat start script in the directory init.d:

  #Use the Java security manager? (yes/no)
  #TOMCATS_SECURITY=yes

Either comment it out or set it to no.

For Windows: the security manager is usually started using the runtime option –security. Do not use this option.

Change default Apache Axis2 administration account

Apache Axis2 also has an administration front-end. It is available via the URL:

http://localhost:8080/axis2/axis2-admin/

This allows the upload (and hence the change) of Web Service Archives and the activation/deactivation of deployed services.

The front-end is shipped with a default account: user=admin, password=axis2. This of course presents a security issue, and therefore it is recommended that the Secure Login administrator change the password of the AXIS2 admin front-end. This can be accomplished as follows:


- Open the axis2.xml file in the Server directory Webapps\axis2\WEB-INF\conf\
- Locate the following lines:

  <parameter name="userName">admin</parameter>
  <parameter name="password">axis2</parameter>

- Change the userName and password values accordingly.
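Three of the edits in this procedure are easy to leave at their shipped state and only show up later, as classloader errors (step 2), as an Axis2 engine that is started before its configuration exists (step 8), or as an administration front-end that still accepts admin/axis2. The following Python script is an added example, not part of the manual or of the SECUDE or Apache products: it reads the three files the steps edit (catalina.properties, axis2/WEB-INF/web.xml and axis2/WEB-INF/conf/axis2.xml) and reports every setting still at the default, so the check can be run after each deployment. The file names and the two default credentials are taken from the manual; the function names and the constructed sample file contents are assumptions.

```python
"""Post-installation checks for the Tomcat Web Client deployment (section 5.3.1).

Added example, not part of the manual: inspects catalina.properties,
axis2's web.xml and axis2.xml and lists what is still at the shipped
default. Function names and sample file contents are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Defaults shipped with the Axis2 admin front-end, as quoted in the manual.
AXIS2_DEFAULT_USER = "admin"
AXIS2_DEFAULT_PASSWORD = "axis2"


def _local_name(tag: str) -> str:
    """Strip an XML namespace, e.g. {http://...}load-on-startup -> load-on-startup."""
    return tag.rsplit("}", 1)[-1]


def check_shared_loader(catalina_properties: str) -> list:
    """Step 2, Tomcat 6 layout: shared.loader must add <Tomcat home>/shared and
    its JARs, otherwise the Secure Login JARs are never on the classpath."""
    m = re.search(r"^\s*shared\.loader\s*=(.*)$", catalina_properties, re.M)
    if m is None:
        return ["catalina.properties: no shared.loader entry"]
    value = m.group(1).strip()
    if not value:
        return ["catalina.properties: shared.loader is empty"]
    if "/shared/*.jar" not in value:
        return ["catalina.properties: shared.loader does not add the JARs in /shared"]
    return []


def check_axis2_admin(axis2_xml: str) -> list:
    """Axis2 admin front-end: the shipped admin/axis2 credentials must be changed."""
    root = ET.fromstring(axis2_xml)
    params = {p.get("name"): (p.text or "").strip()
              for p in root.iter() if _local_name(p.tag) == "parameter"}
    findings = []
    if params.get("userName") == AXIS2_DEFAULT_USER:
        findings.append("axis2.xml: admin userName is still the default 'admin'")
    if params.get("password") == AXIS2_DEFAULT_PASSWORD:
        findings.append("axis2.xml: admin password is still the default 'axis2'")
    return findings


def check_load_on_startup(web_xml: str) -> list:
    """Step 8: the <load-on-startup> element must be removed from axis2's web.xml."""
    root = ET.fromstring(web_xml)
    hits = [el for el in root.iter() if _local_name(el.tag) == "load-on-startup"]
    return ["web.xml: <load-on-startup> is still present"] if hits else []


def audit(catalina_properties: str, axis2_xml: str, web_xml: str) -> list:
    """Run all three checks; an empty list means the files match the steps."""
    return (check_shared_loader(catalina_properties)
            + check_axis2_admin(axis2_xml)
            + check_load_on_startup(web_xml))


# Constructed sample files representing a fresh, unmodified deployment.
SAMPLE_CATALINA = "common.loader=${catalina.base}/lib\nshared.loader=\n"
SAMPLE_AXIS2 = """<axisconfig name="AxisJava2.0">
  <parameter name="userName">admin</parameter>
  <parameter name="password">axis2</parameter>
</axisconfig>"""
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>AxisServlet</servlet-name>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CATALINA, SAMPLE_AXIS2, SAMPLE_WEB_XML):
        print("FINDING:", finding)
```

On a real Server the three strings are read from <Tomcat home>\conf\catalina.properties, <Tomcat home>\Webapps\axis2\WEB-INF\web.xml and <Tomcat home>\Webapps\axis2\WEB-INF\conf\axis2.xml; the namespace stripping is needed because web.xml declares a default namespace while axis2.xml does not.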

10. Start the Administration Console and login. Click the Web Client Configuration node to start configuring the Web Client (see section 6.1.16 on page 166).

Next Step

- Configure the Secure Login Server using the Administration Console – see section 6.1 ‘Administration Console’ on page 119
- Start and use the Web Client - see section 5.4 ‘Use the Web Client’ on page 115

5.3.2 Web Client Installation on NetWeaver

The Web Client installation for NetWeaver is exactly the same as the standard Secure Login installation detailed in section 3.7 on page 91. However, instead of deploying the standard Secure Login application (securelogin.ear) you deploy the Web Service application secureloginservice.ear (located in the NetWeaver WS directory in the delivery package).

Next Step

- Configure the Secure Login Server using the Administration Console – see section 6.1 ‘Administration Console’ on page 119
- Start and use the Web Client - see section 5.4 ‘Use the Web Client’ on page 115


5.4 Use the Web Client

This section describes how to open and use the Secure Login Web Client.

Only use the Web Client once you have finished configuring not only the Secure Login Server, but also the Web Client settings via the Administration Console (see sections 6.1 on page 119, and 6.1.16 on page 166 respectively).

1. Enter the following URL in your Internet browser:

http://<hostname:port>/SlsWebClient

A security warning to confirm the digital signature of the Web Client Applet may appear. If so, confirm the signature to proceed to load the Web Client. You can choose to confirm the signature either once or always – choosing ‘always’ will mean that the security warning will reappear the next time you want to log on to the Web Client.

2. The Web Client login page will appear:

Figure 5-1 Web Client – login page

3. Enter your Username and Password, and select a Server to log on to from the Server combo-box. The next step will differ according to which Server you are about to authenticate and log on to:

- If you have configured the Web Client to start the SAP interface directly without calling the SAP logon dialog first (Web Client Configuration node> SAP GUI Management) then the next screen you should see is the SAP interface. The procedure ends with this step.
- If you have configured the Web Client to start the SAP logon dialog then the SAP Logon dialog will appear. Go to the next step.

4. On Windows Clients only: The new user certificate is propagated into the Windows Certificate Store in the background. Internet Explorer could use it for certificate-based authentication if an SSL-protected Web page is opened.

5. The SAP Logon dialog/GUI will appear (if the SAP Logon GUI for Java is correctly installed, it will take preference over the SAP Logon GUI for Windows):


Figure 5-2 Web Client – SAP Logon GUI (left: Windows, right: Java)

Web Client Logging

When logging in via the SAP Logon dialog/GUI, user information is stored in the local user directory. For Windows this directory is:

C:\Documents and Settings\<user>\secudesnc

The directory will contain some, or all, of the following files:

- ComSecudeUtil.dll – SECUDE library copied over from the Server
- cred_v2 – Credentials file
- SapProfile.sap – SAP profile
- secude.dll – SECUDE library copied over from the Server
- SecudeSNCApplet.log – logfile of Web Client activity
- SNC.pse – SNC personal security environment
- ticket.snc – license file copied over from the Server
- user.properties – user properties file containing the username, date+time, and SNC version
- version.txt – Native components version file copied over from the Server

It is possible to configure the Web Client to automatically delete the files in the secudesnc directory. Use the Administration Console option Client Logging under the node Web Client Configuration>Common Configuration. For further information see section 6.1.16.1 on page 168.

5.4.1 Configure SSL Trust for the Web Client Java Applet

This section details how to secure the communication between the Internet browser and Web Client using SSL, thus helping to eliminate the security warnings when calling the Web Client (and any alarm this may cause – including extra hotline activity).

A normal call between Browser and the Web Client is established via Java over HTTP, and therefore how SSL trust is established is Browser-dependent:

- Linux Konqueror and Mozilla Firefox 3 do not use their own certificate store but rather the Java certificate store.
- Microsoft Internet Explorer 6/7 and Apple Safari use their own certificate store.

Trust may be established in two ways:

- No permanent certificate: this means that the user computer is left untouched and the Web Client is called using an HTTPS URL. If SSL trust has not yet been established a Java pop-up will appear prompting the user if they wish to trust the SSL Server.
- Permanent certificate: this means that the user computer has an imported root


certificate (via remote distribution) and the Web Client is called using an HTTPS URL. This can be configured so that no pop-ups will appear.

These are the three points of security configuration relevant to the Web Client, or rather the three possible levels at which action may be taken – depending on how far you want to go (all of which are for a permanent certificate only!):

- SSL Trust between Browser and Application Server (for example, Tomcat).
  This simply involves importing the Administration Console root certificate into the Browser's certificate truststore.

- SSL Trust between Java Applet and Application Server
  This only applies to Linux Konqueror and Mozilla Firefox 3! This imports the Administration Console root certificate into the Java environment. This can be performed on two levels – per machine for all users, or per user:
  - Per machine (all operating systems): Locate the Java truststore file cacerts under the path jre\lib\security. Use the Java Keytool to import the Administration Console root certificate into the Java truststore.
  - Per machine (alternative method): Use the Administration Console to export the root certificate in JKS format. Rename the resulting keystore file to jssecacerts (no extension!) and place the file under jre\lib\security.
  - Per user: Use the Administration Console to export the root certificate in JKS format. Rename the resulting keystore file to trusted.jssecacerts (no extension!) and place the file under:
    - Windows: %HOMEPATH%\Application Data\Sun\Java\Deployment\security
    - Linux/Mac: $HOME/.java/deployment/security

- Execution rights for signed applet (i.e. user warning prompts)
  This imports the Administration Console root certificate and suppresses the user warning prompts. The applet in the SSL Server SlsWebClient directory will always be ‘trusted’. This can be performed on two levels – per machine for all users, or per user:
  - Per machine: Open the Java Security Policy file java.policy in the directory jre\lib\security. Add the following code:

    grant codeBase "https://<SLS-HOSTNAME WITHOUT PORT>/SlsWebClient/*" {
        permission java.security.AllPermission;
    };

    Save and close the file.
  - Per user: Open an editor and enter the following code:

    grant codeBase "https://<SLS-HOSTNAME WITHOUT PORT>/SlsWebClient/*" {
        permission java.security.AllPermission;
    };

    Save the file as .java.policy in the user home directory (all operating systems).

5.5 Remove the Web Client

This section describes how to remove the Web Client from both Tomcat and NetWeaver Servers.

Web Client removal from Tomcat

Before proceeding, if you have not already done so, stop the Tomcat Server.

Delete the following folders from the <Tomcat home>\Webapps directory:

- axis2

- Securelogin

- SlsWebClient

Delete the following files from the <Tomcat home>\Webapps directory:

- axis2.war

- securelogin.war

- SlsWebClient.war

For Tomcat 6.x only: delete the following files from the <Tomcat home> directory:

- \shared\iaik_jce_full.jar

- \shared\opencsv-1-7-1.jar

- \shared\radClient3.jar

- \shared\SECUDE-JavaSDK.jar

- \shared\SECUDE-SecureLogin.jar

- \shared\SECUDE-Transfair.jar

- \shared\ServerMsg.properties

- \shared\ServerMsg_<country abbreviation>.properties

For Tomcat 5.x only: delete the following files from the <Tomcat home> directory:

- \shared\lib\iaik_jce_full.jar

- \shared\lib\opencsv-1-7-1.jar

- \shared\lib\radClient3.jar

- \shared\lib\SECUDE-JavaSDK.jar

- \shared\lib\SECUDE-SecureLogin.jar

- \shared\lib\SECUDE-Transfair.jar

- \shared\classes\ServerMsg.properties

- \shared\classes\ServerMsg_<country abbreviation>.properties

Web Client removal from NetWeaver

To remove a Secure Login Web Client installation from NetWeaver, follow the same steps as detailed in section 3.7.2 on page 92.


6 Administration

Introduction

This chapter describes how to administer the SECUDE Secure Login Server via either the administration console or the XML interface.

Sections in this Chapter

Section 6.1 'Administration Console', on page 119

Section 6.2 'Email Report&Alert Configuration', on page 177

Section 6.3 'Instance Management', on page 178

Section 6.4 'Console Users', on page 198

Section 6.5 'Other Administration Features', on page 206

6.1 Administration Console

Introduction

This section details the Administration Console for Secure Login. The console is based on Java Server Pages (JSP) technology and is controlled from within an Internet browser. It makes administration tasks for SECUDE Secure Login easy. Every relevant administration and configuration task for both the Client and Server side can be performed via the console.

6.1.1 Open the Console

1. To open the console enter the following URL in a Web browser:

   http://<Server IP address>/securelogin/admin/index.jsp

   For example: http://localhost:8080/securelogin/admin/index.jsp

   or for secure communication: https://localhost:8443/securelogin/admin/index.jsp

2. The login page will appear:

Figure 6-1 Administration Console – login page

Enter your SECUDE Secure Login administration username, password, and authentication type (detailed below). Click Login. If you make a mistake entering any details, just click Reset to clear the fields.

Authentication type: Details

Local login: Standard username/password combination authenticated via the Administration Console database.

External login: Username/password combination authenticated via the Authentication Server database set in the JAAS module. If you use this option you must also select the appropriate JAAS module in the External Login Jaas Module combo-box. NOTE: an Authentication Server must already be configured for there to be any entries in the combo-box. For information about configuring an Authentication Server refer to section 6.1.5 (Authentication Management).

SSL certificate login: Username/password combination authenticated via a certificate imported into the Web-browser.

3. If login is successful the Welcome page will appear:

Figure 6-2 Administration Console – Home/welcome page

The Administration Console interface allows you to easily configure the Server to your needs. The main area is split into three panes:

- The top left-hand pane lists any tasks that have yet to be performed. For example, “Connection should be https” refers to the missing SSL connection between the console and the Secure Login Server, or “Server needs to be restarted” informs you that the Server configuration has been changed and you need to restart the Server for it to take effect.

- The bottom left-hand pane is the main navigation tree. For easy reference, each node represents tasks that can be performed within the Secure Login framework.

- The right-hand pane displays the details of any node selected in the left-hand pane.

In the top right-hand corner there are three entries that appear on every page in the console:

- Change password – This allows you to change the password for the current administrator/user account. For further details refer to section 6.1.3 on page 122.

- Logout – Use this link to log out of the console. The login page will reappear (see previous page).

- About – Click this to view version information about the console.

Click one of the nodes in the bottom left-hand pane to perform one of the following tasks:

Node: Details

Home: Use this node to return to the administration console start page (as seen above).


Server Configuration: Use this node to view and change the configuration of the whole Server. For further information see section 6.1.3.

Server Configuration > Certificate Management: Use this node to view details about the Secure Login Server certificate issuers and to add new issuers. For further information see section 6.1.4.

Server Configuration > Authentication Management: Use this node to view details about the Secure Login Server JAAS module and to add a new Authentication Server. For further information see section 6.1.5.

Server Configuration > TrustStore Management: Use this node to view certificates in the TrustStore and add certificates to the TrustStore. For further information see section 6.1.6.

Server Configuration > Certificate Template: Use this node to view and change certificate templates. For further information see section 6.1.7.

Server Configuration > System Check: Use this node to view the current status of Secure Login components. For further information see section 6.1.8.

Server Configuration > Backup/Restore: Use this node to back up and/or restore the current Server configuration and PKI information of the administration system. For further information see section 6.1.9.

Server Configuration > Change Language: Use this node to change the GUI language. For further information see section 6.1.10.

Server Configuration > Message Setting: Use this node to change message content. For further information see section 6.1.11.

Server Configuration > SSS&JCO installation: Use this node to install the SECUDE signon&secure (SSS) and JCO components necessary for the SAPID JAAS login module for Secure Login. For further information see section 6.1.12.

Server Configuration > System Status: Use this node to view the status of the current Secure Login Server. For further information see section 6.1.13.

Server Configuration > Sign Certificate Requests: Use this node to submit a certificate request to a certificate authority. For further information see section 6.1.14.

Server Configuration > Console log viewer: Use this node to view log entries of actions performed via the Administration Console only. Log files can be viewed on a monthly basis. For further information see section 6.1.15.

Server Configuration > Locked Files Management: Use this node to check if any files have been locked and, if necessary, unlock them. For further information see section 6.4.3 on page 205.

Server Configuration > Web Client Configuration: Use this node to configure Web-Client parameters. For further information see section 6.1.16. NOTE: this node only appears if the Web Client has been installed. For further details refer to section 5.3 on page 112.

Server Configuration > Email Report&Alert Configuration: Use this node to configure email notification and email alert parameters. For further information see section 6.1.16.

Instance Management: Use this node to administrate the Secure Login instances. For further information see section 6.3.

Instance Management > Instance Configuration: Use this node to display the configuration of the current Secure Login Server instance. For further information see section 6.3.1.


Instance Management > Client Configuration: Use this node to view and change the Client configuration. For further information see section 6.3.3.

Instance Management > Instance Log Management: Use this node to view log files on either a monthly or daily basis, and download the log files for archiving. For further information see section 6.3.4.

Instance Management > Instance Check: Use this node to view the status of the components for Client policies and PKI management. For further information see section 6.3.5.

Instance Management > Instance Status: Use this node to view the status of the current Secure Login Server. For further information see section 6.3.6.

Console Users: Use this node to view when an administrator logged in to, or logged out of, the Administration Console. For further information see section 6.4.

Console Users > User Management: Use this node to display a list of the users/administrators registered to the Administration Console as well as add a new user, edit/delete a current user, and assign a role to a user. For further information see section 6.4.1 on page 199.

Console Users > Role Management: Use this node to configure the permissions for a new or existing administrator role. For further information see section 6.4.2 on page 202.

Console Users > Locked Files Management: Use this node to unlock console files that are locked by dead operator sessions. For further information see section 6.4.2 on page 202.

You may be asked to re-enter your username and password if you leave the administration console for too long (console timeout).

This page also appears when you click the Home node.

6.1.2 Change the Administrator/User Password

This section details how to change the account password for the Administration Console.

The user ‘Admin’ is a permanent user that has the role ‘super-user’ and cannot be deleted (only the password changed) or altered in any way.

As a consequence, the ‘admin’ user can log onto the system regardless of state (i.e. when a serious system error occurs), guaranteeing that there is at least one user that can always access Secure Login to correct or configure the system.

1. Click Change Password in the title bar on any page.

2. The following page will appear:

Figure 6-3 Administration Console – Change Administrator/User Password

3. Enter the current password into the Old Password field.

4. Enter and confirm the new password into the fields New Password and Confirm New Password respectively.


5. Click OK.


6.1.3 Server Configuration

This section details the Server Configuration page of the Administration Console.

The Server Configuration page allows you to:

- View the Server configuration.

- Edit some of the Server parameters (see section 6.1.3.1 on page 126).

- Edit the type of authentication used to log in to the Administration Console (see section 6.1.3.2 on page 127).

1. Click the Server Configuration node in the left-hand pane of the Administration Console.

2. The following page will appear:

Figure 6-4 Administration Console – Server Configuration

The following options can be viewed on this page:


Option: Details/Value

Edit: Click Edit to change the Administration Console description, Trace Configuration, Server Lock Configuration, Client Configuration, and SNC Configuration (see section 6.1.3.1 on page 126).

Description: The description of this Administration Console.

Console login type: The current types of authentication available for login to the Administration Console. For further information see section 6.1.4.2 on page

External Login Jaas Module: The current JAAS module used for “external login” authentication to the Administration Console. For further information see section 6.1.3.2 on page 127.

The Authentication file path: The authentication file (*.login) used by this Server.

Trust Certificates storage file: The TrustStore file (*.jks) used by this Server.

TrustStore password: The password for the TrustStore file.

Console Log Directory: The directory in which the console log file will be located.

Console Log Prefix: The file prefix for the console log file.

Enable Server trace: Display trace messages in the application Server console (i.e. the Tomcat command box).

Path to the Server lock file: The fall-back of the LockDir property in the configuration.properties file. This property is stored in the Web.xml file.

Lock the Server when the logging function encounters fatal errors: If set to No, the Server will not be locked if transaction logging fails. If set to Yes, the Server will be locked if transaction logging fails. If a full transaction log is important to you please set this option to Yes.

Server name or IP to be used: The hostname or IP of the computer from which the console is being used for the Client configuration (i.e. for all Client policy URLs). NOTE: do not use localhost. If on a local machine set the IP address or DNS/hostname.

CREDDIR: The directory in which the credentials are stored by SECUDE signon&secure. NOTE: This option will overwrite any existing SAP ID-based Server CREDDIR value (automatically generated during the Authentication Server creation) with this value.

NativeLibraryPath: The directory where the platform-dependent native libraries are located.


6.1.3.1 Edit the Server Configuration

This section details the editable properties of the Server Configuration page of the Administration Console.

1. Click Edit to display the following information:

Figure 6-5 Administration Console – Edit Server Configuration

The following options can be set:

Option: Details/Value

Description: Here you can personalize the description for the Administration Console.

Enable Server trace: Yes: write trace messages to the application Server trace file:

  - For Tomcat: folder logs, files catalina*.log / localhost*.log

  - For NetWeaver AS Java: defaultTrace_*.log

  No: Do not display trace messages in the application Server console.

Lock the Server when the logging function encounters fatal errors: Yes: Lock the Server if transaction logging fails. No: Do not lock the Server if transaction logging fails.

Server name or IP to be used: The hostname or IP of the computer from which the console is being used. NOTE: do not use localhost. If on a local machine set the IP address.

CREDDIR: Use this option to define the directory in which credentials will be written by SECUDE signon&secure. Enter the full path of the directory to be used, for example: C:\SSS. NOTE: This option will overwrite any existing SAP ID-based Server CREDDIR value (automatically generated during the Authentication Server creation) with this value.

NativeLibraryPath: Use this option to define the directory in which the native libraries used for verification of the SAP Ticket are located.

2. Once you have changed any options, click Save to return to the Server Configuration page.


6.1.3.2 Change Console Login Type

This section details how to modify the way you authenticate to the Administration Console.

1. Click the Server Configuration node in the left-hand pane of the Administration Console.

2. Click Edit next to the Console Login Type Configuration heading to view the following information:

Figure 6-6 Administration Console – change login type

This page allows you to configure, delete, or add the following login types:

- Local Login: Standard username/password combination authenticated via the Administration Console database.

- External Login: Username/password combination authenticated via the Authentication Server database set in the JAAS module. If you use this option you must also select the appropriate JAAS module in the External Login Jaas Module combo-box. NOTE: an Authentication Server must already be configured for there to be any entries in the combo-box. For information about configuring an Authentication Server refer to section 6.1.5 (Authentication Management).

- SSL-Certificate Login: Username/password combination authenticated via a certificate imported into the Web-browser.

Add a Login Type

1. To add a login option to the administration console login page, select a login type from the ALL Login Type field and click >>Add (it will appear in the Current Login Type field).

2. If necessary, use the Up and Down buttons to give a login option priority (the order of appearance in the Login Type combo-box on the login page).

3. Click Save to confirm any changes.

Delete a Login Type

1. To delete a login option from the administration console login page, select a login type from the Current Login Type field and click <<Delete (it will appear in the ALL Login Type field).

2. Click Save to confirm any changes.


6.1.4 Certificate Management

This section details the Certificate Management page of the Administration console. These features allow you to view, edit, export, import, and create certificates.

The first thing to do is to make a decision: shall Secure Login Server create and manage one or more Public Key Infrastructures, or is there an existing company PKI that shall be used on top? Both are possible, and even a mixture of the two. You may want to have one Secure Login Server PKI under your enterprise PKI, and two others independently created by Secure Login Server.

However, because of the high flexibility of Secure Login Server, it is no problem to add, replace, or delete PKIs at any time.

Follow these steps to open Certificate management:

1. If you have not already done so, click the Certificate management node from the tree in the left-hand pane.

2. The following page will appear:

Figure 6-7 Administration Console – Certificate Management page

This page allows you to perform the following certificate tasks:

- Create or import new PKIs or PKI sub-trees.

- View certificates (see below).

- Export certificates (refer to the next page).

- Import certificates (refer to the next page).

- Create SSL, SNC, login, and SAP certificates (refer to the page after next).

This page has the following details:

Option: Details

PKI Structure: One or more tree views of independent PKIs.

Create New Root CA: Give a display name for the new PKI and create the top level Certification Authority (Root CA).

Certificate Information: The name, file path, and password protection of the selected certificate.

Mapping to Instance: List of all Secure Login Server instances, and selection of all instances that shall use this User CA. Only available for User CAs.

More Details: More X.509 name details and the certificate validity time frame.

PKI Info: Display name of the PKI structure.

CA Operations: Select a specific Certification Authority of a PKI for further management operations.

Issue: Create a new Certification Authority of this type.

Change Password: Change the password of the selected CA.

Remove Password: Remove the password of the selected CA. The password must be given for each following management operation of this CA.

Export Certificate: Export the selected certificate. Possible export types are: *.crt, *.p12, *.pse, *.jks.

New Password: Password of the exported certificate file store.

Import New PKI: Import the keystore into the certificate list. NOTE: Only PSE files can be imported.

PKI Name: Display name of the new PKI that the certificate shall be part of. The selection list allows associating the type of CA of the certificate. Each type can be associated only once.

Browse: Opens a file browser to select the certificate store file.

Open Password: Password that protects the certificate store file.

Save Password: Allows the password to be saved in the configuration.

View Certificate Details

1. Click on a certificate name in the list, for example SecureLogin Root CA.

2. If the selected CA has not saved its password, enter the password for the certificate in the field Password and click View.

3. The following information will appear:

Figure 6-8 Administration Console – Certificate Management page

Create a new PKI

Use this function to create a new internal PKI that has its own Root CA certificate.

1. Enter a display name for the new PKI, for example SECUDE.

2. Click the right-hand Create New Root CA button and continue reading at Create a Certificate.

3. A success message should appear and the new PKI will be shown in the list.

Import a new PKI

Use this function to create a new PKI that uses external CA certificates. This way it is also possible to create a PKI without having the issuing Root CA stored inside Secure Login Server.

1. Enter a display name for the new PKI, for example SECUDE.

2. Select the type of CA that shall be imported.

3. Click Browse… to open a file browser. Locate and open the PSE file.

4. Enter the password for the PSE file in the field Open password. As an option, you can choose to save the password in the Secure Login system file by clicking Save password? so you do not have to re-enter the password every time.

5. Click the right-hand Import button to complete the import.

6. A success message should appear and the new PKI will be shown in the list.

Export a Certificate

1. Click on a certificate name in the list, for example SECUDE Root CA.

2. Select the format of the certificate from the Export type combo-box.

3. Enter a new certificate password into the field New password.

4. Click the right-hand Export button to open a save dialog. Save the certificate file to a safe and secure location.

Import a Certificate

If a certificate entry in the list is grayed-out it means this certificate is not present. Use the Import function to load a new certificate.

1. Select the certificate entry from the list.

2. Click Browse… to open a file browser. Locate and open the PSE file.

3. Enter the password for the PSE file in the field Open password. As an option, you can choose to save the password in the Secure Login system file by clicking Save password? so you do not have to re-enter the password every time.

4. Click the right-hand Import button to complete the import.

5. A success message should appear and the entry in the list will no longer be grayed-out.

Create a Certificate

If the certificate shall be created internally instead of being imported, use the Issue function.

6. In CA Operations, click Issue (only available if a Root, SSL, or SAP CA is selected).

7. A page such as the following will appear (parameters may differ):

Figure 6-9 Administration Console – create certificate

This page allows you to enter the following certificate information:

Option: Details

Common name: The name of the certificate to be issued. Make sure you choose a name that applies to the CA at hand, for example, SECUDE SAP-CA or SECUDE SSL-CA. However, this property differs when creating SSL Server certificates. In this case you must enter the hostname by which the Server is accessed, for example, user1.secude.local or www.myprivatehost.com.


Organization unit: The division of the company. Example: Sales

Organization: The company name. Example: SECUDE

Locality: The regional information. Example: Darmstadt

Country: The country abbreviation. Example: DE (for Germany)

Encryption key length: The encryption key length for the Server (1024 bit or 512 bit).

SAP Server Type (only available when creating an SAP Server certificate): The type of keystore file (PSE file for ABAP Server, P12 file for Java Server).

Subject Alter Names (DNS) (only available when creating an SSL Server certificate): The host name or IP to be used for the 'Subject Alternative Name' in the certificate.

Subject Alter Names (E_mail) (only available when creating a login certificate): The E-mail address to be used for the 'Subject Alternative Name' in the certificate.

Valid from: The date from which this certificate authority information is valid (YYYY-MM-DD hh:mm:ss). Use the calendar box to select a day. Example: 2010-04-25 17:09:31. NOTE: The validity time frame of a new certificate must be inside the time frame of the issuing CA.

Valid to: The date to which this certificate authority information is valid (YYYY-MM-DD hh:mm:ss). Use the calendar box to select a day. Example: 2020-04-17 16:19:00. NOTE: The validity time frame of a new certificate must be inside the time frame of the issuing CA.

Password: The password to be used for encryption (maximum of 20 characters).

Confirm password: Confirmation of the encryption password entered in the field Password.

Save password to file?: Define if the encryption password stated in the field Password should be saved in the keystore.xml file.

Issuer password: Issuing CA's password (only seen if this CA has not saved its password).

8. Enter the relevant details and click Create (or for SAP certificates: Create SAP Server certificate).

For further information about how to configure Tomcat for login certificates refer to sections 3.3.3.1 and 3.3.3.2 on page 37.
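The rules stated for the Issue page (validity inside the issuing CA's window, the 20-character password limit, the Common name of an SSL Server certificate being the hostname, the DNS or e-mail Subject Alternative Name) are easy to check before a request is submitted. The following Python script is an added example, not code from this manual or from SECUDE; the request dict layout, the field and function names, the sample values and the weak-key remark are all assumptions constructed for it.

```python
"""Added example, not SECUDE's code: pre-check a certificate request built from
the fields of the 'Issue' page. Field names, the request dict layout and the
sample values are constructed for this example."""
import re
from datetime import datetime

DATE_FMT = "%Y-%m-%d %H:%M:%S"     # the manual's YYYY-MM-DD hh:mm:ss format
MAX_PASSWORD_LEN = 20              # limit stated for the Password field
OFFERED_KEY_LENGTHS = {512, 1024}  # the two choices the page offers


def parse_ts(text):
    """Parse a timestamp in the manual's format into a datetime."""
    return datetime.strptime(text, DATE_FMT)


def rdn_escape(value):
    """Escape one attribute value for an RFC 4514 distinguished name."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_subject(fields):
    """Assemble the subject DN from Common name, Organization unit, Organization,
    Locality and Country; empty optional fields are left out."""
    order = [("CN", "cn"), ("OU", "ou"), ("O", "o"), ("L", "l"), ("C", "c")]
    return ",".join(f"{attr}={rdn_escape(fields[key])}"
                    for attr, key in order if fields.get(key))


def weak_key_warning(bits):
    """Added remark, not from the manual: both offered sizes are below the
    2048-bit RSA minimum generally required today."""
    return f"{bits}-bit RSA is below current minimum key sizes" if bits < 2048 else None


def validate_request(req, issuer_valid_from, issuer_valid_to):
    """Return the list of problems found; an empty list means the request is
    consistent with the rules on the 'Issue' page."""
    problems = []
    vf, vt = parse_ts(req["valid_from"]), parse_ts(req["valid_to"])
    if vf >= vt:
        problems.append("valid_from must precede valid_to")
    # The validity time frame must lie inside that of the issuing CA.
    if vf < parse_ts(issuer_valid_from) or vt > parse_ts(issuer_valid_to):
        problems.append("validity window not inside the issuing CA's window")
    if len(req["password"]) > MAX_PASSWORD_LEN:
        problems.append("password longer than 20 characters")
    if req["password"] != req["confirm_password"]:
        problems.append("password confirmation does not match")
    if req["key_length"] not in OFFERED_KEY_LENGTHS:
        problems.append("key length must be 512 or 1024")
    if req["kind"] == "ssl-server":
        # For SSL Server certificates the CN is the hostname the Server is
        # reached by; the same name belongs in the DNS Subject Alternative Name.
        host = req["cn"]
        if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
            problems.append("SSL Server CN must be a hostname or IP address")
        if host not in req.get("san_dns", []):
            problems.append("hostname missing from Subject Alternative Name (DNS)")
    elif req["kind"] == "login":
        if not re.fullmatch(r"[^@\s]+@[^@\s]+", req.get("san_email", "")):
            problems.append("login certificate needs an e-mail Subject Alternative Name")
    return problems
```

Run validate_request on the request before filling in the page; the issuer's Valid from / Valid to values can be read from More Details of the selected CA. The DN escaping matters when a field such as Organization unit contains a comma, which would otherwise split the name into an extra attribute.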

6.1.5 Authentication Management


This section details the Authentication Management page of the Administration Console. Use this page to add, configure, test, and delete Authentication Servers from the configuration.

The following section applies only to Apache Tomcat and BEA WebLogic. The Authentication Server configuration for NetWeaver should be performed in SAP Visual Administrator. However, should you wish to test the Authentication Server connection you can create a dummy JAAS module using the same module name as created in SAP Visual Administrator (via the attribute Application Name).

1. Click the Authentication Management node in the left-hand pane of the Administration Console.

2. The following page will appear:

Figure 6-10 Authentication Server Manager

This page allows you to:

- Add new Authentication Servers

- View and edit any current Server settings

- Delete any Server from the Server list (select a Server entry and click Delete)

- Change the order in which Servers are queried

- Quick-test the username and password used for Authentication Server access

Select an application under Application Name (i.e. the SLSJaasModule application) to display the Authentication Servers in the application under Servers in SLSJaasModule. For further information refer to the following pages.


View Authentication Server Details

1. To view the settings for any Server in the list click on one of the Server entries below the Servers in SLSJaasModule heading and click Display. NOTE: These values are required for configuring Secure Login Server modules inside SAP NetWeaver.

2. The following information will appear:

Figure 6-11 Authentication Server Manager – Display Server settings

Here you can Edit the Server settings (see below), or Delete the Server entry completely from the Secure Login configuration.

Add/Edit an Authentication Server

Follow these steps to add an Authentication Server or edit the settings of a current Authentication Server entry:

1. If you have not already done so, click the Authentication Management node from the tree in the left-hand pane.

2. To add a new Server to the configuration click Add Server. The following information will appear:

Figure 6-12 Authentication Server Manager – add new Server


...or if you want to edit the settings of a current Authentication Server click Edit. The following information will appear:

Figure 6-13 Authentication Server Manager – edit Server

3. Enter/edit the Server details (for a detailed list of the Server parameters that can be set in this page refer to the next page). If you want to check the validity of the Server connection click Test. Once you have finished click Save.

4. Your Server should now appear in the Server list on the Authentication Management page.

When editing Authentication Server parameters, some entries are grayed-out and cannot be changed. This is normal. The only way to change such an entry is to add a new Server and re-enter the correct Server details.

Authentication Server Parameters

Not all of the parameters in this list are immediately visible in the Administration Console interface. Some options will appear/disappear in the table according to the selection made via the option Server Type.

The following few pages detail the Authentication Server parameters according to common parameters, and Server Type-specific parameters (those marked with * are mandatory):


Common Parameters

Options (common): Details

Server Type: Server type selection (AD, LDAP, RADIUS, SAP ID, SAP Logon Ticket, or SQL Database).

LoginModuleControlFlag: The flag controls the Server's behavior when it proceeds down the authentication stack. For a detailed explanation, refer to the documentation of javax.security.auth.login.Configuration on the Sun Website. NOTE: this option cannot be changed.

Application Name*: An “application name” is the identifier of the group of authentication modules associated with one instance of the SECUDE Secure Login Server (SLS). There can be only one instance of a particular authentication module residing in a JVM. However, there may be multiple SLS instances running on the JVM. Therefore, the group of authentication modules used by an instance of SLS is assigned a unique application name for identification. Different SLS instances running on the same Server must have different application names. The default name is: SLSJaasModule

TestUserName: Test user username. Use this option to set up a user to test the Server parameters.

TestUserPwd: Test user password. Use this option to set up a user to test the Server parameters.

TryAllServers: Determines when to try the next LDAP/ADS Server in the list. Possible values: FALSE (default): Try the next Server only if this Server cannot be reached. TRUE: Try the next Server if this Server cannot be reached, or access is denied.

LDAP/AD-specific Parameters

Options (LDAP/AD) / Details

LdapHost*: The address of the LDAP Server. This option is for the configuration of the LDAP Server (including the Windows Active Directory Server). For example: ldap://my.host.com:389 (if SSL is used for the communication, the protocol should be changed to ldaps:// and the port number should be changed to 636). NOTE: A TrustStore must exist for the SSL to be configured properly.

LdapBaseDN (LDAP only): The domain name of the LDAP Server, for example: my.domain.com (NOTE: The LdapBaseDN parameters are not needed for Active Directory Servers – leave empty). This specifies the base domain name that will be combined with the user name before sending it to the Active Directory Server.
Example 1 (domain part of UPN): If set to my.domain.com, the user test is authenticated as test@my.domain.com with the respective Server.
Example 2 (complete DN): If set to… cn=$USERID,ou=Users,dc=domain,dc=com …the user test is authenticated as… cn=test,ou=Users,dc=domain,dc=com …to the respective Server.


Click Get baseDN list to browse the LDAP directory for the correct Base Distinguished Name. The following pop-up window will appear:

Figure 6-14 add Authentication Server – get baseDN

The following options are available (options marked with a red * are mandatory):
Host name*: The host name of the LDAP Server.
Port*: The port of the LDAP Server.
Username*: The username used to communicate with the LDAP Server.
SSL: Check this option to use the SSL protocol when communicating with the LDAP Server. If you use SSL in the communication, the protocol should be ldaps:// and a valid certificate is required.
Anonymous bind: Check this option to query the LDAP Server without a specific username (managerDN) and password (provided that the LDAP Server is so configured).
managerDN (manager distinguished name): Specific username.
password: The password used to communicate with the LDAP Server.
Base DN (Base Distinguished Name): Click Get baseDN list to query the LDAP Server for a list of base distinguished names to be displayed in the combo-box.
Get baseDN list: After you have entered the above parameters click Get baseDN list to obtain the base DNs from the LDAP Server.

LdapTimeout(ms): Determines how long a Client should wait for a response from an LDAP/ADS Server before trying to connect to the next one.

LdapProviderLanguage: Character set for the encoding of the characters when the Server communicates with the LDAP/ADS Server. For example: in the case of ADS, a possible character set is ISO-8859-1.

PasswordExpirationAttribute: Password expiry date (from the LDAP Server). NOTE: If this option is used, the LdapBaseDN attribute must be given in complete DN form (see above).

PasswordExpirationGracePeriod: Defines the interval in days, inside which the password expiration warning is sent to the Client prior to password expiry.

AuthServerID: The warning message to be sent to the Client in the event of password expiry.
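The two LdapBaseDN forms (domain part of a UPN versus a $USERID template) and the TryAllServers failover rule, as an added example that is not SECUDE code. It assumes the product escapes the substituted $USERID per RFC 4514 and passes the name through unchanged when LdapBaseDN is empty; the Server outcomes are constructed, nothing is contacted.

```python
"""Added example (not SECUDE code): how the two LdapBaseDN forms described above
turn a login name into the identity presented to the directory, and how
TryAllServers decides whether the next LDAP/ADS Server in the list is tried.
Server outcomes are constructed data; no directory is contacted."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# RFC 4514 characters that need escaping inside a DN attribute value. The
# manual does not say whether the product escapes $USERID; this example does,
# because a raw substitution would let a login name such as 'test,ou=Admins'
# change which entry the Server binds against (assumption, not product behaviour).
_DN_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for inclusion in a DN (RFC 4514 rules)."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in _DN_SPECIALS or leading_hash or edge_space:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def bind_identity(ldap_base_dn: str, userid: str) -> str:
    """Example 1 in the manual: a bare domain gives the UPN user@domain.
    Example 2: a template containing $USERID gives a complete DN.
    An empty LdapBaseDN (the Active Directory case) passes the name through
    unchanged; the manual does not state this, it is an assumption here."""
    if "$USERID" in ldap_base_dn:
        return ldap_base_dn.replace("$USERID", escape_dn_value(userid))
    if not ldap_base_dn:
        return userid
    return f"{userid}@{ldap_base_dn}"


UNREACHABLE, DENIED, OK = "unreachable", "denied", "ok"


@dataclass(frozen=True)
class LdapServer:
    host: str
    outcome: str  # constructed result of asking this Server: one of the three above


def authenticate(servers: Sequence[LdapServer], try_all_servers: bool) -> Tuple[str, List[str]]:
    """Walk the Server list in query order and return (final result, hosts contacted).

    TryAllServers=FALSE: move on only when a Server cannot be reached; a denial
    is final. TryAllServers=TRUE: also move on after a denial, so every Server
    in the list sees a rejected credential before the Client is refused."""
    contacted: List[str] = []
    seen_denial = False
    for server in servers:
        contacted.append(server.host)
        if server.outcome == OK:
            return OK, contacted
        if server.outcome == DENIED:
            seen_denial = True
            if not try_all_servers:
                return DENIED, contacted
        # UNREACHABLE, or DENIED with TryAllServers=TRUE: try the next one
    return (DENIED if seen_denial else UNREACHABLE), contacted
```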

RADIUS-specific Parameters

Options (RADIUS) / Details

RadiusServerIP*: The IP address of the RADIUS Server.

AuthPort*: The authentication port at which the RSA/RADIUS Server expects to be queried for authentication requests.

SharedSecret*: A word/phrase used to encrypt the user password.

Timeout(ms): Determines how long a request to a Server is to wait before being sent to the next Server.

Authenticator: Authentication protocol for the RSA/RADIUS Server. Possible options: CHAP, MSCHAP, PAP.

PinMin: Minimum PIN length for users choosing a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 4

PinMax: Maximum PIN length for users choosing a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 8

PinAlphanumeric: PIN format. This parameter is only used with RSA SecurID tokens. Possible values:
true: the user can choose, and use, a PIN which contains only alphanumeric characters (A-Z, a-z, 0-9).
false (default): the user can choose, and use, a PIN which contains alphanumeric and special characters (such as !$%&).
The default password policy for RSA allows only numeric PINs, which cannot be set up via the Secure Login Server/Client policy properties.

RSAServerIniFile: If the RSA Server version is 6.1, a copy of the RSA Server RADIUS message *.ini file (securid.ini) has to be present. Make sure you enter the full path and file name, for example: <Tomcat home>\Webapps\securelogin\WEB-INF\securid.ini

Add new attributes (button): Use this option to enter any RADIUS attribute present in the Client's dictionary and which the Server expects to be included in the request. For further information refer to section 9.2.4.2 on page 257.

SAP ID-specific Parameters

Options (SAPID) / Details

SAP Server: IP or URL of the SAP Server.

Client (System ID): SAP System ID.

SystemNo: SAP System Number.

SAPaccount: The SAP user account name for the SECUDE Secure Login Server.

SNCServerName: The DN of the SAP Server, as stated in the Server certificate, i.e. the subject DN of the X.509 certificate. For example: p:CN=SAP NetWeaver 2004, O=secude, C=DE

NativeLibraryPath: The folder of the native libraries and the SECUDE signon&secure package.

CREDDIR: The credentials directory on the Server. The field is grayed out because it is automatically allocated by the system. However, the credentials directory can be changed via the Server Configuration node (see section 6.1.4.1 on page 126).

PasswordMin: This parameter is part of the password policy for the Client-side policy consistency check, specifically the minimum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 1

PasswordMax: This parameter is part of the password policy for the Client-side policy consistency check, specifically the maximum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 30

PasswordAlphanumeric: This parameter is part of the password policy for the Client-side policy consistency check. Possible values:
true (default): the password can contain only alphanumeric characters (A-Z, a-z, 0-9).
false: the password can contain alphanumeric and special characters (such as !$%&).
This parameter must be consistent with the SAP password policy.
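The Client-side policy consistency check that the RSA PIN parameters (PinMin/PinMax/PinAlphanumeric, above) and the SAP password parameters (PasswordMin/PasswordMax/PasswordAlphanumeric) describe, as an added example that is not SECUDE code. The checker and the numeric-PIN helper are assumptions built from the documented defaults, not the product's implementation.

```python
"""Added example (not SECUDE code): the Client-side policy consistency check
that PinMin/PinMax/PinAlphanumeric and PasswordMin/PasswordMax/
PasswordAlphanumeric describe. Note the direction of the flag: true restricts
the secret to A-Z, a-z, 0-9; false additionally permits special characters
such as !$%&."""
import re
from dataclasses import dataclass
from typing import Optional

_ALNUM_ONLY = re.compile(r"^[A-Za-z0-9]+$")


@dataclass(frozen=True)
class SecretPolicy:
    """Length bounds plus the 'alphanumeric' switch, as the console exposes them."""
    min_len: int
    max_len: int
    alphanumeric_only: bool  # PinAlphanumeric / PasswordAlphanumeric

    def violation(self, secret: str) -> Optional[str]:
        """Return None when the secret satisfies the policy, otherwise the reason."""
        if len(secret) < self.min_len:
            return f"shorter than {self.min_len} characters"
        if len(secret) > self.max_len:
            return f"longer than {self.max_len} characters"
        if self.alphanumeric_only and not _ALNUM_ONLY.match(secret):
            return "contains characters outside A-Z, a-z, 0-9"
        return None


# Defaults as documented: PinMin=4, PinMax=8, PinAlphanumeric=false;
# PasswordMin=1, PasswordMax=30, PasswordAlphanumeric=true.
RSA_PIN_DEFAULTS = SecretPolicy(min_len=4, max_len=8, alphanumeric_only=False)
SAP_PASSWORD_DEFAULTS = SecretPolicy(min_len=1, max_len=30, alphanumeric_only=True)


def rsa_numeric_pin_ok(pin: str, policy: SecretPolicy = RSA_PIN_DEFAULTS) -> bool:
    """The manual notes that RSA's own default policy admits only numeric PINs,
    a rule the Secure Login properties cannot express. Combining the two shows
    why a PIN can pass the Client-side check and still be rejected by RSA
    (hypothetical helper, not a product function)."""
    return policy.violation(pin) is None and pin.isdigit()
```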


SAP Logon Ticket-specific Parameters

Options (SAP TICKET) / Details

VerificationName: Name of the SAP Verification PSE that has been exported from the SAP NetWeaver Portal.

VerificationPassword: Password of the SAP Verification PSE. PSEs usually have no password if exported from the portal. However, enter any value here in this case, e.g. empty.

SQL DB-specific Parameters

Options (SQL DB) / Details

DBDriver: Java Data Base Connection driver for the respective database system.

DBURI: Host, port, and name of the database to be used.

DBAuthUsername: Database system user name to be used to send search queries in the configured table.

DBAuthPassowrd: Database system user's password.

SetDBScheme: Select whether to use predefined names of table and columns or custom values. If predefined values are used, the JAAS module uses Java precompiled statements for the SQL connection and queries, which may increase performance.
false (default): use predefined values as described in the following fields.
true: use custom values; additional configuration fields are then shown.

DBTable: Database table name to be used. Only available if SetDBScheme is true.

DBColumnUsername: Database column name in which usernames are stored. Only available if SetDBScheme is true.

DBColumnPassword: Database column name in which passwords are stored. Only available if SetDBScheme is true.

DBColumnClientID: Database column name in which Client IDs are stored. Only available if SetDBScheme is true.

PoolName: Name of the connection pool to be used. This can be any unique string identifier, for example: MYSECURELOGINPOOL

MaxConn: Maximum number of connections to the database that shall be used in parallel.

GrantAccessToUnknownIDs: Turn Positive False Authentication on or off.
false (default): only exact matches of the given credentials return positive results.
true: combinations of usernames and Client IDs that are not found in one row also return a positive result; the password is then ignored.

TestUserName: Test user username. Use this option to set up a user to test the Server parameters.

TestUserPwd: Test user password. Use this option to set up a user to test the Server parameters.
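The lookup semantics behind SetDBScheme and GrantAccessToUnknownIDs, as an added example that is not SECUDE code, run against an in-memory SQLite table constructed here. The table and column names are custom-scheme placeholders (the product's predefined names are not given in the manual), and passwords are compared as stored because the manual does not say how the password column is protected.

```python
"""Added example (not SECUDE code): the lookup semantics behind SetDBScheme
and GrantAccessToUnknownIDs, run against an in-memory SQLite table built here.
Table and column names are placeholders of the kind entered with
SetDBScheme=true; passwords are compared as stored (assumption)."""
import hmac
import re
import sqlite3
from typing import Dict

# Custom scheme: DBTable, DBColumnUsername, DBColumnPassword, DBColumnClientID.
SCHEME: Dict[str, str] = {
    "table": "sls_users",
    "user_col": "login_name",
    "pwd_col": "secret",
    "client_col": "client_id",
}
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _ident(name: str) -> str:
    """Identifiers cannot be bound as statement parameters, so whitelist them
    before they are spliced into SQL text."""
    if not _IDENTIFIER.match(name):
        raise ValueError(f"unsafe identifier in DB scheme: {name!r}")
    return name


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users (not real data)."""
    t, u, p, c = (_ident(SCHEME[k]) for k in ("table", "user_col", "pwd_col", "client_col"))
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {t} ({u} TEXT, {p} TEXT, {c} TEXT)")
    conn.executemany(
        f"INSERT INTO {t} ({u}, {p}, {c}) VALUES (?, ?, ?)",
        [("alice", "s3cret", "CLIENT01"), ("bob", "hunter2", "CLIENT02")],
    )
    return conn


def authenticate(conn: sqlite3.Connection, username: str, client_id: str,
                 password: str, grant_unknown_ids: bool = False) -> bool:
    """Mirror the module's decision as the manual describes it.

    Credentials go in as bound parameters (the precompiled statement the manual
    mentions), so a username like "alice' OR '1'='1" is just a string.
    grant_unknown_ids=False: only a row matching username AND Client ID, with
    the stored password, is accepted.
    grant_unknown_ids=True ("Positive False Authentication"): a username /
    Client ID pair with no row at all is accepted and the password is ignored."""
    t, u, p, c = (_ident(SCHEME[k]) for k in ("table", "user_col", "pwd_col", "client_col"))
    rows = conn.execute(
        f"SELECT {p} FROM {t} WHERE {u} = ? AND {c} = ?", (username, client_id)
    ).fetchall()
    if not rows:
        return grant_unknown_ids
    return any(hmac.compare_digest(stored.encode(), password.encode()) for (stored,) in rows)
```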

Change the Order in which Servers are Queried

1. If you have not already done so, click the Authentication Management node from the tree in the left-hand pane.

2. Click the Server entry you wish to move below the "Servers in SLSJaasModule" heading.

Figure 6-15 Authentication Server Manager – change Server query order

3. To move the Server entry up in the list (and therefore increase its priority) click Up. To move a Server entry down in the list (and therefore decrease its priority) click Down.

4. Click Save.

Quick Test the Communication to the Authentication Server

1. If you have not already done so, click the Authentication Management node from the tree in the left-hand pane.

2. Enter the username and password in the respective fields:

Figure 6-16 Authentication Server Manager – test Server

3. Click Test.


4. A result (success/failure) will be displayed at the bottom of the page.

6.1.6 TrustStore Management

This section details how to add certificates to the TrustStore via the Administration Console.

Open the TrustStore Management Page

1. Click the TrustStore Management node in the left-hand pane of the Administration Console.

2. The following page will appear:

Figure 6-17 Administration Console – TrustStore Management page

The TrustStore is used to declare a certificate as coming from a trusted source so that it can be used with SECUDE Secure Login. You can use this page to view the TrustStore file content, export a certificate, delete a certificate, and add new certificates.

This page will display the current state of the TrustStore, including the message 'No certificate currently in this TrustStore' to indicate that a certificate must still be added to the TrustStore.

The following options are available (options marked with * are mandatory):

Option / Details

Certificate alias*: The alias by which this certificate will be imported into the Server's TrustStore.

Certificate location: The certificate location. Select one of the following locations (this will cause the third option to change accordingly):
Localhost*: The path to a certificate in the local file system.
PublicURL*: The LDAP CA available via a public URL.

Add to TrustStore: Add the certificate information to the TrustStore.

Delete: Use this button to remove the selected certificate from the TrustStore (only visible if a certificate has been added to the TrustStore).

Export: Use this button to export the selected certificate from the TrustStore (only visible if a certificate has been added to the TrustStore).


Add a Certificate to the TrustStore

Follow these steps to add a certificate to the TrustStore:

1. Enter an alias for the certificate into the Certificate alias field.

2. Select the location on which the certificate is stored from the Certificate Location combo-box. The field below will change according to your selection (Localhost or PublicURL).

3. If you selected PublicURL in the previous step then enter the location manually into the field. If you selected LocalHost in the previous step then click Browse… to locate and open the certificate file.

4. Click Add to TrustStore. This will update the page to display the certificate information under the Certificate Alias heading (if you have more than one certificate then select a Certificate alias to display the certificate content).

You now have the option to add another certificate, delete any certificate selected in the Certificate alias field, or export any selected certificate as a *.cer file.


6.1.7 Certificate Template

This section details the Certificate Template page of the Administration Console. Use the functionality on this page to perform any certificate template-related task.

Open the Certificate Template Page

1. Click the Certificate Template node in the left-hand pane of the Administration Console.

2. The following page will appear:

Figure 6-18 Administration Console - Certificate template management

Existing certificate templates will automatically appear in the table. The following options are available to help you perform certificate template-related tasks:

Option / Details

Template name: Templates created by the user, and available for use, are listed here.

Add: Add a new certificate template. This will take you to the template creation page (see section 6.1.7.1 'Create a New Certificate Template' on page 144).

Copy: Duplicate the selected template. This will take you to the template creation page (see section 6.1.7.1 'Create a New Certificate Template' on page 144).

Edit: Edit a selected template. This will take you to the template creation page (see section 6.1.7.1 'Create a New Certificate Template' on page 144).

Delete: Delete a template selected in the list.

Mapping: Map any template to another. For further information see section 6.1.7.2 'Template Mapping' on page 146.

Export: Export the template(s) as an XML file. If you select more than one template to export then all of the templates will be incorporated into a single XML file. For further information see section 6.1.7.3 'Export Certificate Templates' on page 147.

Import: Import templates found on the local machine/network to the list. For further information see section 6.1.7.4 'Import Certificate Templates' on page 148.

6.1.7.1 Create a New Certificate Template

This section details how to create a new certificate template.

Open the Certificate Template Page

1. If you have not already done so, click the Certificate Template node in the left-hand pane of the Administration Console.

2. Click Add. The following information will appear:

Figure 6-19 Certificate template management – create new certificate template

This page is used to select the properties a certificate template should use. The following properties are available (options marked with * are mandatory):

Properties / Details

Template name*: The unique template identifier.

SubjectKeyIdentifier: Use this option as a means of identifying the specific public key used in an application.

AuthorityKeyIdentifier: Use this option as a means of identifying the public key corresponding to the private key that is used to sign a certificate.

CertificatePolicies: This option indicates the policy under which the certificate has been issued and the purposes for which the certificate may be used. Checking this option will open a mandatory field for the policy ID (enter the ID and click Add under the CertificatePolicies.OID field).

KeyUsage: This option defines the purpose of the key contained in the certificate, for example, encipherment, signature, or certificate signing.

ExtendedKeyUsage: This option defines the extended purpose of the key contained in the certificate. Check Is Critical? to make sure that any extended key usage parameter is needed in the certificate for communication to be successful.

BasicConstraints: This option defines whether the subject of the certificate is a certificate authority and how deep a certification path may exist through that certificate authority. Click this option to open the following sub-options:
Is critical?: Click Is Critical? to make sure that the basic constraints parameter is needed in the certificate for communication to be successful.
Is CA?: Click Is CA? to define if the subject of the certificate is a certificate authority. When clicked, the path length field opens – enter for how many levels the constraints are valid.

Private Extensions: Add a user-specific extension to the template. Click Add to open the Create Private extension input page:

Figure 6-20 Certificate template creation – add private extensions

This page has the following options:
Extension name*: The unique name for this extension.
Base64/DER encoded data*: The content of the private extension in base64/DER encoding.
Add: Add the information from the fields above to the certificate template (this will also take you back to the Create Certificate Template page).

Reset: Clear the fields of any entries.

3. Select the options that you wish to use in the template and click Save.

4. The certificate template page will reappear (see section 6.1.7 on page 143).


6.1.7.2 Template Mapping

This section details how to map certificate templates on a Server instance.

1. If you have not already done so, click the Certificate Template node in the left-hand pane of the Administration Console.

2. Select the template you wish to map.

3. Click Mapping. The following information appears:

Figure 6-21 Certificate template management – template mapping #1

Check the radio button of the template you wish to map to another template.

4. Click Mapping.

5. The following information appears:

Figure 6-22 Certificate template management – template mapping #2

The options on this page allow you to map templates and also delete a template mapping. The following options are available:

Option / Details

Server Instance (non-editable): The name of the current Server instance.

SAP Server certificate template: The templates available for mapping to SAP certificates.

User certificate template: The templates available for mapping to user certificates.

6. Select a certificate from the User certificate template combo-box (if a user certificate has not yet been created then there will not be any certificates listed in the combo-box).

7. Select a certificate from the SAP Server certificate template combo-box.

8. Click Save.


Disable a Certificate Template Mapping

Follow these steps to disable an existing certificate mapping:

1. Select the (Default) entry from the SAP Server certificate template and User certificate template combo-boxes:

Figure 6-23 Certificate template management – disable template mapping

2. Click Save.

6.1.7.3 Export Certificate Templates

This section details how to export certificate templates as an XML file.

1. Click the Certificate template node in the Administration Console.

2. The Certificate template management page will appear.

3. Click Export to open further options:

Figure 6-24 Certificate template management – export template

The following options are available:

Option / Details

[Combo-box]: Select which template(s) to export:
Selected template: for single template export (the correct template must be pre-selected from the list above).
All templates: Export every template in the list.

Export: Execute the export procedure.

Cancel: Close these options.

4. If you want to export a specific template, preselect it from the list, select Selected template from the combo-box, and click the bottommost Export button. If you want to export all the templates, select All templates from the combo-box and click the bottommost Export button.

Only a single XML file will be exported. If you selected All templates from the combo-box, all certificate templates will be incorporated into this single XML file.


6.1.7.4 Import Certificate Templates

This section details how to import certificate templates into the Certificate template management page.

1. Click the Certificate template node in the Administration Console.

2. The Certificate template management page will appear.

3. Click Import to open further options:

Figure 6-25 Certificate template management – import template

The following options are available:

Option / Details

Browse…: Open a file browser to locate a certificate template XML file.

Import: Execute the import procedure.

Cancel: Close these options.

4. Click Browse… to open a file browser. Locate a certificate template XML file and open it.

5. Click the bottommost Import button.

6. A success/error message will appear on the page.


6.1.8 System Check

This section details the System Check page of the Administration Console. This feature displays the status of the system configuration (i.e. are the components necessary for Secure Login functionality actually present?). This is similar to the initial page (prerequisite check) when first configuring Secure Login.

1. Click the System Check node in the Administration Console.

2. The following page will appear:

Figure 6-26 Administration Console - System Check

This page displays the current status of the Secure Login system configuration for Authentication, System components, SAP ID, Server list, and TrustStore. The status, or version number, will be displayed next to an entry. For information about problems with system components refer to chapter 7 'Troubleshooting', on page 211.

The following system components are listed on this page:

Component / Sub-component/details

Authentication: Is authentication configured correctly? OK = yes

Other System Check:
Files and folders: Does the file system have read/write permissions?
SECUDE SDK: Check for the location of the SECUDE SDK.
IAIK SDK: Check for the location of the IAIK SDK + display version number.
PKCS#12 file creation: Check if a *.p12 certificate can be created.
PSE file creation: Check if the PSE certificate can be created.
JRE Crypto Policy: Check if a long password can be used to create a certificate. If the check fails, you may need to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from http://java.sun.com/javase/downloads/ and replace the local_policy.jar and US_export_policy.jar files in the directory %JAVA_HOME%/jre/lib/security.

SAP ID Check:
SECUDE SNC runtime: Check for SECUDE Signon&Secure on the Server.
SAP JCO runtime: Check that the JCO can be found in the configuration. Sometimes, this check does not show the real status of the system, especially if SECUDE Signon&Secure and JCO are installed after a system check is performed. The user may need to restart the Web Server to receive a successful system check result.

Server List: Does the Server List configuration have the correct integrity?

TrustStore: Does the TrustStore configuration have the correct integrity?

6.1.9 Backup/Restore

Introduction

This section details the Backup/Restore page of the Administration Console. Use this page to back up your Secure Login system configuration for safekeeping, or restore the Secure Login system configuration from a backup file.

Sections

Backup (see below).
Restore (see section 6.1.9.2 'System Restore', on page 152).


6.1.9.1 System Backup

This page allows you to make a backup of the current configuration and PKI information and also to restore the configuration from a previous backup. The system backup page will appear by default.

Follow these steps to create a backup of the configuration:

1. If you have not already done so, click the Backup/Restore node from the tree in the left-hand pane (or if you are on the Restore page click Backup at the top of the page):

Figure 6-27 Administration Console - system backup

2. Click Go.

3. The following pop-up window appears:

Figure 6-28 System backup – file download

4. Click the backup.zip link at the bottom of the page and save the file to a safe, secure location.


6.1.9.2 System Restore

The Administration Console presents you with two methods to restore the system:

From a backup file (see below).
Directly from the automatic backups made by the Server (refer to the page after next).

The configuration can only be restored from a backup ZIP file created using version 5.0 of the Secure Login Administration Console.

Restore from a Backup File

Follow these steps to restore the configuration from a backup file:

1. If you have not already done so, click the Backup/Restore node from the tree in the left-hand pane.

2. Click the Restore tab at the top of the page. The following page will appear:

Figure 6-29 System restore – from backup file

3. Click Browse… to open the file browser. Locate and open a backup.zip file (see section 6.1.9.1 'System Backup' on page 151). The file path will appear next to the Browse… button.

4. Click Select files to restore to display the log files within the ZIP file:

Figure 6-30 System restore – select exact files to restore

The files within the backup file will be displayed according to priority. Some files cannot be deselected (must-select files) because they will be needed if the configuration is to work correctly. The following files are displayed:

File / Mandatory or optional / Details

Configuration.properties (Mandatory): This is the main configuration file.

Serverlist.xml (Mandatory): This file contains a list of the Server instances and also which Server is currently active.

SLSJaasModule.login (Optional): This file contains the configuration details for the Authentication Servers.

Cert_template.xml (Optional): This file contains all of the certificate templates and certificate template mappings.

TrustStore.jks (Optional): This file contains the Secure Login TrustStore mappings to certificates.

user.xml (Optional): This file contains a list of users.

role.xml (Optional): This file contains a list of Secure Login administrator roles.

Instances (Optional): Any number of Server instances may be visible under Instances. Check a specific Server instance if you want to restore information such as the Authentication Server configuration or the Secure Login user CA KeyStore etc.

Depending on when the last backup was created, the information in the backup files may not be the same as the previously functioning version (e.g. the users and roles registered with Secure Login at the time of the backup may differ because newer roles have been added since the backup was created).

5. Check the files you wish to restore.

6. Click Upload and restore. If successful, the message Restore configuration and PKI information successful will appear at the bottom of the page.


Restore from Automatic Backups

Follow these steps to restore the configuration from automatic backups made by the Server:

1. If you have not already done so, click the Backup/Restore node from the tree in the left-hand pane.

2. Click the Restore tab at the top of the page. The following page will appear:

Figure 6-31 System restore – from system backup

The Select restore files button (at the bottom of the page) is only active if you have already performed a backup to a file (every time a file backup is performed the Secure Login system will automatically make a duplicate backup for direct-restore purposes).

3. Click Select restore files at the bottom of the page. The following options will appear:

Figure 6-32 System restore – select restore files from automatic backups

For information about each of the files refer to the previous page.

4. Check the files you wish to restore.

5. Click Restore directly to restore the files.


6.1.10 Change Language

This section details the Change Language page of the Administration Console. This

feature only changes the GUI language of the Administration Console!

To change the language, select the desired language from the drop-down menu.

Figure 6-33 Administration Console - change language

Select a language from the list and click Change language. The changes will take effect

immediately.


6.1.11 Message Setting

This section details the Message setting page of the Administration Console. The

message files are used to relay specific Server messages to a Secure Login administrator.

Use the Message setting page to:

- view the current message files available in the configuration
- create a new message file in an alternate language
- edit the messages in an existing message file

Open the Message Settings Page

1. If you have not already done so, click the Message setting node from the tree in the

left-hand pane.

2. The following page will appear:

Figure 6-34 Administration Console - message setting page

Use the options on this page either to edit an existing message file by selecting the respective language from the list (ServerMsg_<country abbreviation>.properties) and clicking Edit…, or to create a new messages file in a language of your choice by clicking New....

Create a new Messages File / Edit Messages

Follow these steps to create a new Server messages language file:

1. Click New…

2. The following page will appear:

Figure 6-35 Message setting – create new Server messages language file

3. Select a language from the combo-box and click Create new file (take note of the file extension in readiness for the next step, for example "fr" for French).


4. The message properties file will appear in the list.

5. Select the new entry from the list (take note of the file extension – see above) and

click Edit…

6. The following information will appear:

Figure 6-36 Message setting – edit new Server messages language file

The Server messages are listed alphabetically in the default language. Edit the

message text in each field to conform to the appropriate language.

7. Once the entries have been changed click Save.

8. Depending on which application Server you use, either stop and then restart the

Server, or stop and restart the Secure Login application.

Delete a Server Messages File

Follow these steps to delete a Server messages language file:

1. The message settings files are stored in the Secure Login Web-applications directory

of the application Server – for example (Tomcat):

<Tomcat home>\Webapps\securelogin\WEB-INF\classes

2. Remove the desired Server messages file. For example: ServerMsg_af.properties

Only remove Server message property files that are either not currently in use or when

the application Server is not running.

Make sure you remove the correct message file (the extension denotes the language –

for example ServerMsg_af.properties for Afrikaans)
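An added example (not SECUDE code) for working with the message files: a small reader for the Java .properties format that the ServerMsg_<country abbreviation>.properties files use, a helper that extracts the language code from a file name, and a comparison that reports which message keys a new language file is missing, which extra keys it carries, and which entries still hold the default text. The two file contents are constructed; the Server's real message keys are not shown in the manual.

```python
"""Coverage check for Server messages files (added example, not SECUDE code).

ServerMsg_<lang>.properties files use the Java .properties format. A newly
created language file starts out with the default messages, so a value that
still equals the default is untranslated; keys absent from the file and keys
the default does not know are reported as well. The file contents below are
constructed sample data.
"""
import re
from typing import Dict

_KEY_VALUE = re.compile(r"^([^#!=:\s][^=:]*?)\s*[=:]\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: key=value or key:value pairs, '#'/'!'
    comment lines, backslash line continuation. Only the \\n and \\t escapes
    are decoded; unicode escapes are left as written."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        if not line or line[0] in "#!":
            continue
        m = _KEY_VALUE.match(line)
        if m:
            props[m.group(1)] = m.group(2).replace("\\n", "\n").replace("\\t", "\t")
    return props


def language_code(filename: str) -> str:
    """'ServerMsg_af.properties' -> 'af'; the suffix denotes the language."""
    m = re.fullmatch(r"ServerMsg_([A-Za-z]{2,3}(?:_[A-Za-z]{2})?)\.properties", filename)
    if not m:
        raise ValueError(f"not a Server messages language file: {filename}")
    return m.group(1)


def message_report(default_text: str, translated_text: str) -> Dict[str, list]:
    """Compare a language file against the default-language messages."""
    default = parse_properties(default_text)
    translated = parse_properties(translated_text)
    return {
        "missing": sorted(set(default) - set(translated)),
        "extra": sorted(set(translated) - set(default)),
        "untranslated": sorted(k for k in default
                               if k in translated and translated[k] == default[k]),
    }


# Constructed sample contents (invented keys, not the product's real ones).
DEFAULT_MSGS = """# Server messages, default language
server.locked = Server is locked
backup.ok = Backup completed
restore.ok = Restore configuration and PKI information successful
"""

FR_MSGS = """# French file, partly translated
server.locked = Le serveur est verrouille
backup.ok = Backup completed
restore.extra = Entree supplementaire
"""

if __name__ == "__main__":
    print(language_code("ServerMsg_af.properties"))
    print(message_report(DEFAULT_MSGS, FR_MSGS))
```

To check a real file, read the default-language file and the new ServerMsg_<lang>.properties from WEB-INF/classes and pass their contents to message_report; an empty "missing" list and an empty "untranslated" list mean the translation is complete.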


6.1.12 SSS&JCO Installation

This section details the preparation for Secure Login to run with SAP ID- or SAP Logon

Ticket-based logon and authentication. This includes the installation of SECUDE

Signon&Secure crypto libraries (SSS), the SECUDE license file, the SAP libraries, and the

PSE files.

Follow these steps to install the necessary components for SAP ID-based logon:

1. If you have not already done so, click the SSS&JCO installation node from the tree in

the left-hand pane.

2. The following page will appear:

Figure 6-37 Administration Console - SSS&JCO installation > locate SSS package

This page informs you not only about the current status of the signon&secure

installation, but also represents the first step of five needed to prepare Secure Login

for SAP ID- or SAP Logon Ticket-based logon. If the bullet icons for each Setup Step

are green then signon&secure has already been successfully installed. If some, or all,

bullet points are red then the signon&secure installation has not yet been successful.

You can click each Setup Step to go directly to that step to perform any tasks. For example,

if you want to load a license file (ticket.snc) for Web Client ticket-management, but do

not need a signon&secure installation, you can click the step Install ticket to load the

license file onto the Server.

3. Click Browse… to locate and open the package (ZIP) file (delivered in the Native

Components package) applicable to your system.

4. Click Upload to deploy the package to Secure Login. A success message should

appear.

5. Click Next to move on to the ticket installation:


Figure 6-38 SSS&JCO installation – locate ticket

6. Click Browse… to locate and open the ticket file (ticket.snc).

7. Click Upload to deploy the ticket to Secure Login. A success message will appear.

8. Click Next to move on to the JCO PSE configuration:

Figure 6-39 SSS&JCO installation – configure JCO PSE

9. This page allows you to install and configure the SNC PSE file (JCO/RFC connection

to the SAP Server). The following options are available:

Field | Details
Setup type | From local: load a PSE file generated by an application other than the Administration Console. From SLAC: load a PSE file generated by the Administration Console.
PSE file (From local only) | The path to the PSE file. Click Browse… to locate and open the PSE file.
PSE password | The password for PSE file access.

10. Select a Setup type and locate the PSE file accordingly.

11. Click Upload to deploy the PSE to Secure Login. A success message should appear.

12. Click Next to move on to the SAP Logon Ticket configuration:


Figure 6-40 SSS&JCO installation – configure SAP Login Ticket

13. Click Browse… next to each field to locate and open the following files:

Field | File to locate
Verification PSE | Windows and Linux/UNIX: verify.pse (or similar). Usually this file can be downloaded from the SAP NetWeaver Portal or from the SAP ABAP STRUST transaction.
Library file SAPSECU (native) | Windows: sapsecu.dll; Linux/UNIX: libsapsecu.so
Library file SAPSSOEXT (native) | Windows: sapssoext.dll; Linux/UNIX: libsapssoext.so

Due to legal restrictions, the SAPSECU and SAPSSOEXT libraries are not part of the Secure

Login delivery package. The libraries can be downloaded from:

http://service.sap.com/connectors (requires SAP account).

For further information please contact SECUDE support.

14. Select a Setup type and locate the PSE file accordingly.

15. Click Upload to deploy the PSE and library files to Secure Login. A success message

should appear.

16. Click Next to move on to the JCO installation (if you are using SAP NetWeaver ignore

this step, and move on to step 15):

Figure 6-41 SSS&JCO installation – install JCO

17. Click Browse… next to each field to locate and open the following files:

Field | File to locate
Library file sapjco.jar | Windows and Linux/UNIX: sapjco.jar
Library file LIBRFC (native) | Windows: librfc32.dll; Linux/UNIX: librfccm.so
Library file SAPJCO (native) | Windows: sapjcorfc.dll; Linux/UNIX: libsapjcorfc.so

Due to legal restrictions, the SAP JCO libraries are not part of the Secure Login delivery

package. The libraries can be downloaded from:

http://service.sap.com/connectors (requires SAP account).

For further information please contact SECUDE support.

18. Click Upload to deploy the SAP JCO components to Secure Login. A success message

should appear.

19. Click Check to finish the signon&secure and JCO installation for Secure Login. This

will take you to the System Check page to verify the installation (see section 6.1.8 on

page 149).

20. Depending on which application Server you use, either stop and then restart the

Server, or stop and restart the Secure Login application.


6.1.13 Server Status

This section details the System Status page of the Administration Console. Use this page

to view the current status of the PSE Server.

1. If you have not already done so, click the System Status node from the tree in the

left-hand pane of the Administration Console.

2. The following page will appear:

Figure 6-42 Administration Console - System status of PSE Server

The system status is displayed as a table containing the following details:

Criteria | Details
Date | Current date and time.
Version | Version of SECUDE Secure Login Server being used.
Uptime | The amount of time the Server has remained active and running.
Instance ID | The identity of the current Server instance.
Configuration URL | Location of the configuration.properties file.
Configuration Status | configuration.properties file permission status (i.e. readable or not readable). OK = readable.
Server Lock | Server lock status. If the entry Yes appears, Secure Login has encountered a problem. In such a case, check the Server Information pane in the top left-hand corner for tasks yet to be performed, as well as the log files for possible problems. An Unlock button will appear next to the table entry (provided the administrator role has the necessary permissions). Once any problems have been resolved, click Unlock to start the Server.
PSE Server status | OK = working.
Server Build | SECUDE Secure Login Server version.


6.1.14 Sign Certificate Requests

This section details how to submit a certificate request to a certificate authority via the

Administration Console.

This function is only valid for the default PKI and therefore for the default Server instance.

If you create a new PKI, including SSL CA, in a non-default instance, you cannot use the SSL

CA to sign certificates. You can only use the SSL CA of the default instance.

Follow these steps to submit a PKCS#10 certificate request to the CA:

1. If you have not already done so, click the Signed certificate requests node from the

tree in the left-hand pane.

2. The following page will appear:

Figure 6-43 Administration Console – Submit a Certificate Request page

The following options are available (options marked with * are mandatory):

Option | Details
Base 64 encoded certificate request (PKCS #10) | The content of the certificate request in base64/DER encoding. There are two ways of filling this field. Copy & paste: paste the request into the Saved request field. Enter a path to the certificate request: click Browse for a file to insert to reveal the Full path name field, click Browse… to locate and open a certificate request, then click Read.
Valid period of Certificate* | The period of time for which the certificate is valid.
Certificate encoding type | The encoding type for the certificate: PEM encoding or DER encoding. NOTE: if you wish to sign the certificate for a WebLogic Server, the encoding type must be PEM.
Issuer password | The issuer password for the certificate file.


3. Enter the certificate request details as stated above and click Sign certificate (i.e.

send to the SSL CA).
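An added example (not SECUDE code) of inspecting a PKCS#10 request before it is submitted to the SSL CA: it tells PEM from DER input, converts between the two (the note above says WebLogic needs PEM), and reads the subject name so the administrator can confirm what the CA is about to sign. The DER walker is deliberately minimal, and the sample request it builds uses the subject from the SNC name example later in this chapter with placeholder key and signature bytes, so it is structurally valid but not a verifiable request.

```python
"""Inspect a PKCS#10 request before submitting it to the SSL CA (added
example, not part of Secure Login). Detects PEM vs DER, converts between the
two, and extracts the subject name. The sample request is constructed with
placeholder key and signature bytes: structurally valid, not verifiable.
"""
import base64
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE REQUEST-----"
PEM_FOOTER = "-----END CERTIFICATE REQUEST-----"
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0b": "OU",
             b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element with definite-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(enc)]) + enc + body


def _read_tlv(data: bytes, pos: int):
    """Decode the element at pos; returns (tag, value, position after it)."""
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        n, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    return tag, data[pos:pos + n], pos + n


def _children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value


def detect_encoding(blob: bytes) -> str:
    text = blob.strip()
    if text.startswith(PEM_HEADER.encode()):
        return "PEM"
    if text[:1] == b"\x30":            # DER starts with the outer SEQUENCE tag
        return "DER"
    raise ValueError("neither a PEM nor a DER certificate request")


def to_der(blob: bytes) -> bytes:
    if detect_encoding(blob) == "DER":
        return blob
    lines = [ln for ln in blob.decode("ascii").splitlines()
             if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def to_pem(blob: bytes) -> bytes:
    b64 = base64.b64encode(to_der(blob)).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(b64, 64), PEM_FOOTER, ""]).encode("ascii")


def csr_subject(blob: bytes) -> dict:
    """Subject of the request as {'CN': ..., 'OU': ..., ...}; unknown OIDs as hex."""
    tag, csr, _ = _read_tlv(to_der(blob), 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    info = next(_children(csr))[1]              # CertificationRequestInfo
    subject = list(_children(info))[1][1]       # version, then the subject Name
    out = {}
    for _, rdn_set in _children(subject):       # each RDN is a SET of AttributeTypeAndValue
        for _, atv in _children(rdn_set):
            (_, oid), (_, value) = list(_children(atv))[:2]
            out[OID_NAMES.get(oid, oid.hex())] = value.decode("utf-8")
    return out


def sample_csr_der() -> bytes:
    """Constructed request for CN=sapnw01,OU=QA,O=SECUDE,C=DE with dummy key/signature."""
    oids = {v: k for k, v in OID_NAMES.items()}
    rdns = [_tlv(0x31, _tlv(0x30, _tlv(0x06, oids[k]) + _tlv(0x0C, v.encode())))
            for k, v in (("CN", "sapnw01"), ("OU", "QA"), ("O", "SECUDE"), ("C", "DE"))]
    rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
    spki = _tlv(0x30, rsa + _tlv(0x03, b"\x00" + b"\xaa" * 64))           # placeholder key bits
    info = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, b"".join(rdns)) + spki + _tlv(0xA0, b""))
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    return _tlv(0x30, info + sig_alg + _tlv(0x03, b"\x00" + b"\xbb" * 64))  # placeholder signature


if __name__ == "__main__":
    pem = to_pem(sample_csr_der())
    print(pem.decode(), detect_encoding(pem), csr_subject(pem))
```

For a request received from a WebLogic administrator, to_pem() produces the form the page says is required, and csr_subject() gives the name to compare against the change request before clicking Sign certificate; the signature itself is not verified here, so the CA's own checks still apply.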


6.1.15 Console Log Viewer

This section details the Administration Console logging functionality. The log entries apply

only to the administration actions performed via the Administration Console.

1. If you have not already done so, click the Console log Viewer node from the tree in

the left-hand pane.

2. The Log management – console log page will appear:

Figure 6-44 Administration Console - Instance log management > main page/monthly log page

This page displays all of the tasks performed via the Administration Console since

logging began. This page allows you to:

- Select a period of time to view via the Log Month combo-box.
- Export log files to a *.csv file via the Export logs function. NOTE: This entry is only visible if log entries are present.

The monthly table contains the following information about the administration tasks:

Table column | Details
Date | The date the task was performed.
Time | The time the task was performed.
Code | The internal code of the task performed.
Level | An abbreviated description of the message, i.e. INF for information, or ERR for error.
User | The name of the user/administrator that performed the action.
Action | A quick description of the action, for example EDIT or OTHER.
Server | The Server instance(s) to which the action was directed.
Description | A description of the message/task.
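An added example (not SECUDE code) of reviewing an exported Console log offline: it reads the *.csv written by Export logs into rows keyed by the column names above and applies three simple review rules (errors, number of EDIT actions per administrator, administrative changes outside a stated time window). The manual does not state the separator or the date and time format of the export, so the reader assumes comma-separated values with a header row and HH:MM:SS times; the log rows are constructed.

```python
"""Review an exported Console log (added example, not part of Secure Login).

Assumes the *.csv export is comma-separated with a header row carrying the
columns Date, Time, Code, Level, User, Action, Server and Description, and
that Time is HH:MM:SS. The rows below are constructed sample data.
"""
import csv
import io
from collections import Counter
from typing import Dict, List

EXPECTED_COLUMNS = {"Date", "Time", "Code", "Level", "User",
                    "Action", "Server", "Description"}

SAMPLE_CSV = """Date,Time,Code,Level,User,Action,Server,Description
2010-03-01,08:15:02,1001,INF,admin,EDIT,default,Certificate template changed
2010-03-01,08:16:40,1002,ERR,admin,OTHER,default,Restore configuration failed
2010-03-01,22:03:11,1003,INF,opsuser,EDIT,inst2,Role assignment changed
2010-03-01,22:03:15,1003,INF,opsuser,EDIT,inst2,Role assignment changed
2010-03-02,09:00:00,1004,INF,admin,OTHER,default,Backup created
"""


def read_console_log(text: str) -> List[Dict[str, str]]:
    """Parse the export; refuse input whose header does not match the manual's columns."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if rows and not EXPECTED_COLUMNS <= set(rows[0]):
        raise ValueError("unexpected columns: " + ", ".join(sorted(rows[0])))
    return rows


def errors(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries the Console logged at level ERR."""
    return [r for r in rows if r["Level"] == "ERR"]


def edits_by_user(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """How many EDIT actions each administrator performed."""
    return dict(Counter(r["User"] for r in rows if r["Action"] == "EDIT"))


def outside_hours(rows: List[Dict[str, str]], start: str = "07:00:00",
                  end: str = "19:00:00") -> List[Dict[str, str]]:
    """EDIT actions outside the window; string comparison is valid for HH:MM:SS."""
    return [r for r in rows
            if r["Action"] == "EDIT" and not (start <= r["Time"] <= end)]


if __name__ == "__main__":
    log = read_console_log(SAMPLE_CSV)
    print("errors:", [(r["Time"], r["Description"]) for r in errors(log)])
    print("edits per user:", edits_by_user(log))
    print("out of hours:", [(r["User"], r["Server"], r["Time"]) for r in outside_hours(log)])
```

Point read_console_log at the contents of a real export to apply the same rules to a month of Console activity; the window in outside_hours is a parameter because the appropriate hours depend on the site.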


6.1.16 Web Client Configuration

This section details the configuration settings for the Secure Login Web Client. For

information about how to install and use the Web Client refer to chapter 5 on page 109.

1. If you have not already done so, click the WebClient Configuration node from the tree

in the left-hand pane.

2. The WebClient Management page will appear, by default, displaying the Properties

Configuration tab:

Figure 6-45 Web Client configuration - main page/monthly log page

The following options apply to the Properties Configuration tab (options marked with *

are mandatory):

Web Client Application Path
  WebClientConfigPath*
    The full path to the Secure Login Web Client directory. Click Change to manually enter the full path.
    - Tomcat: <Tomcat home>\Webapps\SlsWebClient
    - NetWeaver: <NetWeaver home>\apps\secude.com\SecureLogin\servlet_jsp\SlsWebClient\root
  TomcatSharedPath
    The path to the Tomcat shared directory. This is usually: <Tomcat home>\shared
  Click Save to confirm the entries.
  NOTE: until a valid Web Client application path is entered the tabs Message Settings, Package Management, and HTML Settings remain hidden.


Common Configuration
  Click Edit to change the following properties:
  WSURL
    The URL of the Secure Login service.
    - Tomcat uses: http://<hostname:port>/axis2/services/secureloginservice
    - NetWeaver uses: http://<hostname>:<port>/SecureLoginService/Config1?style=document
  LOGONURL
    Address of the SAP portal to perform a login with in the case of SAP Login Ticket authentication: http://<hostname:port>/irj/portal
  PORTALURL
    Address to be called after successful authentication, e.g. if the Client certificate shall be used: https://<hostname:sslport>/irj/portal
  AUTHENTICATIONSCHEME
    The SAP Portal Scheme to be used for authentication.
  ACTION
    The Web Client's action to be performed after successful authentication:
    - Start local SAPGUI (either SAPGUI for Windows or SAPGUI for Java)
    - Open SAP Portal Web page
    - Both
    - Nothing
  PackURL
    The name of the directory in which the subfolders WIN32, MAC_UNI etc. are stored (the original files can be located in the WebClient subdirectory of the delivery package SECUDE51SecureLoginNativeComponents.zip). Each of the subfolders contains the SECUDE libraries, licence file, and version file. For example, the Windows files needed are: ComSecudeUtil.dll, secude.dll, ticket.snc, version.txt.
  SAPLogon.slsinstance
    The SLS instance identifier to be used for authentication when launching only the SAPGUI, without login to a specific Server.
  Cleanup Temporary Files
    This option determines whether the temporary files are deleted after the Web session has ended. The following entries are possible:
    - no [default]: Do not delete files created on the Client side after logout. Keep this value if the Web Client opens a new Web page (PORTALURL is set).
    - user: All user files are deleted when the Web Client or the browser is closed. This includes the user's soft-tokens.
    - full: This option will remove all Client files including the SNC library and the user settings.
  Client Logging
    This option determines whether logging is performed. The Web Client log file can be located under:
    - Windows XP: C:\Documents and Settings\<user>\secudesnc
    - Windows Vista and 7: C:\Users\<user>\secudesnc
    - Mac OS: /Users/<user>/secudesnc
    - Linux: /home/<user>/secudesnc
    The following entries are possible:
    - no [default]: No Client log file will be created and no logging is performed.
    - temp: The Client creates a log file for each login session. The log file is deleted when the Web Client is closed.
    - keep: The Client's log file is never deleted.

SAP GUI Management
  Use this part of the page to add new SAP Servers to the configuration, view and edit current SAP Servers, and delete any Server from the configuration. For further information refer to the next section.

Platform Configuration
  Configure the individual Web Client properties for each platform. For further information refer to section 6.1.16.2 on page 169.
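An added example (not part of Secure Login) that checks a set of Common Configuration values against the rules stated above: the allowed values of Cleanup Temporary Files and Client Logging, absolute http(s) URLs, PORTALURL served over https (the Client certificate case), and the documented interaction that the cleanup mode should stay at no while PORTALURL is set. The two configurations are constructed, and CleanupTemporaryFiles and ClientLogging are assumed names for the two list-style options, since the manual gives their labels but not their property keys.

```python
"""Sanity checks for Web Client Common Configuration values (added example,
not part of Secure Login). CleanupTemporaryFiles and ClientLogging are assumed
key names for the two list-style options; the sample configs are constructed.
"""
from typing import Dict, List
from urllib.parse import urlparse

CLEANUP_VALUES = {"no", "user", "full"}
LOGGING_VALUES = {"no", "temp", "keep"}
URL_KEYS = ("WSURL", "LOGONURL", "PORTALURL")


def check_web_client_config(cfg: Dict[str, str]) -> List[str]:
    """Return findings as text; an empty list means no rule was violated."""
    findings: List[str] = []
    cleanup = cfg.get("CleanupTemporaryFiles", "no")    # 'no' is the documented default
    logging = cfg.get("ClientLogging", "no")            # 'no' is the documented default
    if cleanup not in CLEANUP_VALUES:
        findings.append(f"CleanupTemporaryFiles: '{cleanup}' is not one of no/user/full")
    if logging not in LOGGING_VALUES:
        findings.append(f"ClientLogging: '{logging}' is not one of no/temp/keep")
    for key in URL_KEYS:
        url = cfg.get(key, "")
        if url:
            p = urlparse(url)
            if p.scheme not in ("http", "https") or not p.netloc:
                findings.append(f"{key}: '{url}' is not an absolute http(s) URL")
    portal = cfg.get("PORTALURL", "")
    if portal and urlparse(portal).scheme == "http":
        findings.append("PORTALURL: plain http; the documented form is "
                        "https://<hostname:sslport>/irj/portal so the Client certificate can be used")
    if portal and cleanup != "no":
        findings.append("CleanupTemporaryFiles: keep 'no' while PORTALURL is set, "
                        "because the Web Client opens a new Web page after login")
    if logging == "keep":
        findings.append("ClientLogging: 'keep' never deletes the Client log file "
                        "in the user's secudesnc directory")
    return findings


# Constructed sample configurations (hostnames and ports are invented).
GOOD_CONFIG = {
    "WSURL": "http://sls.example:8080/axis2/services/secureloginservice",
    "LOGONURL": "http://portal.example:50000/irj/portal",
    "PORTALURL": "https://portal.example:50001/irj/portal",
    "CleanupTemporaryFiles": "no",
    "ClientLogging": "temp",
}

BAD_CONFIG = {
    "WSURL": "axis2/services/secureloginservice",          # relative, not absolute
    "PORTALURL": "http://portal.example:50000/irj/portal",  # portal over plain http
    "CleanupTemporaryFiles": "user",                        # conflicts with PORTALURL
    "ClientLogging": "keep",                                # log file kept forever
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_web_client_config(cfg) or ["no findings"])
```

The check only reports; it does not write the configuration, so it can be run against the values shown on the Edit page before Save is clicked.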

6.1.16.1 Web Client Management for SAP GUI

This section details the Web Client Management page of the Administration Console.

For information about how to install and use the Web Client refer to chapter 5 on page

109.

1. If you have not already done so, click the Web Client Configuration node from the tree

in the left-hand pane. The Web Client Management page will appear.

2. Either click Servers Management>Add to create a new Server entry, or select an

existing Server from the Servers Management list and click Edit. The following page

will appear:

Figure 6-46 Web Client configuration – Servers management page

The following options are available:

SAP GUI for Java
  Label: Arbitrary text describing this Server.
  Host: The SAP NetWeaver ABAP IP address or hostname.
  Port: Port number used by the Server. Default ABAP stack is 3200.
  SNCname: The SNC name. For example: p:CN=sapnw01,OU=QA,O=SECUDE,C=DE
SAP GUI for Windows
  shortcut.Name: The SAP Server identifier used in multi-instance configurations.
  shortcut.Description: The name of the Server profile in the SAPGUI for Windows (in SAPGUI this is the "description" field). This is THE essential reference to the Server profile for Windows-SAPGUI.
Instance ID this Server used
  The instance identifier to be used by this Server.
Save
  Save any changes made via this page.

3. Enter the necessary values and click Save to confirm the entries.

6.1.16.2 Web Client - Platform Configuration

This section details the platform configuration page for the Secure Login Web Client.

For information about how to install and use the Web Client refer to chapter 5 on page

109.

1. If you have not already done so, click the Web Client Configuration node from the tree

in the left-hand pane. The Web Client Management page will appear.

2. Select a platform from the Platform Configuration list and click Edit.

3. The following page will appear:

Figure 6-47 Web Client configuration – platform configuration page

The Platform Configuration page may appear in slightly different forms according to whichever platform was chosen under the Platform Configuration option in the main Web Client Management page:

- Windows: The options to select the SAP GUI for the Java-based Client as well as the stand-alone Client are available.
- Mac OSX/Linux: Only the option to select the SAP GUI for the Java-based Client is available.

The following options are available:

SAP GUI for Java (appears for all platforms)
  Binary name of SAP GUI tool
    - SAP.start.binary: The application name of the SAP GUI for Java. Windows: guistart.bat; Mac OSX: SAPGUI; Linux: guistart
    - SAP.logon.binary: The application name of the SAP logon frontend. Windows: guilogon.bat; Mac OSX: SAPGUI; Linux: guilogon
    To enter a different binary name, simply enter a new name in the respective field and click Save.
  Search Path for SAP GUI
    The path used by the Web Client to locate the Java binaries. Click Add to open a secondary field and manually enter the path to the Java binaries for each one. Click Save to confirm the entry.
SAP GUI for Windows (appears for Windows only)
  Binary name of SAP GUI tool
    - SAP.start.binary: The application name of the SAP GUI for Windows. Windows: sapgui.exe
    - SAP.logon.binary: The application name of the SAP logon frontend. Windows: saplogon.exe
    To enter a different binary name, simply enter a new name in the respective field and click Save.
  Search Path for SAP GUI
    The path used by the Web Client to locate the Java binaries. Click Add to open a secondary field and manually enter the path to the Java binaries for each one. Click Save to confirm the entry.
Supported OS
  The platforms for which the properties on this page are applicable. The platform name will be listed along with the files required by each platform to function correctly. If you want to remove support for a specific platform (i.e. remove 64-bit support from Windows) click Delete.


6.1.16.3 Message Settings

This section details the message settings for the Secure Login Web Client. For information

about how to install and use the Web Client refer to chapter 5 on page 109.

1. If you have not already done so, click the Web Client Configuration node from the tree

in the left-hand pane. The Web Client Management page will appear.

2. Click the Message Settings tab:

Figure 6-48 Web Client configuration – message settings page

A list of language files for the messages will be displayed. You can now either:

- Click New… to create a message file in a specific language (see below), or…
- Select an existing message file from the list and click Edit… to alter the messages for that language (refer to the next page).

Create a new Message File

1. Click New… to create a message file in a specific language. A language selection bar

will appear below the message list:

Figure 6-49 Web Client configuration – create new message file

2. Select the language in which you want to create the messages from the combo-box

and click Create New file.

3. The message file will be created using proprietary messages (in English) and will

appear in the list:

Figure 6-50 Web Client configuration – new message file in list

Select the message file from the list and click Edit…


4. The message properties page will appear:

Figure 6-51 Web Client configuration – edit message properties

Translate or alter each message to the given context and click Save.

Edit an existing Message File

1. Select a message file from the list and click Edit…

2. The message properties page will appear:

Figure 6-52 Web Client configuration – edit message properties

Translate or alter each message to the given context and click Save.


6.1.16.4 Package Management

This section details package management for the Secure Login Web Client. Use this page

to consolidate the files necessary for Web Client operation.

For information about how to install and use the Web Client refer to chapter 5 on page

109.

1. If you have not already done so, click the Web Client Configuration node from the tree

in the left-hand pane. The Web Client Management page will appear.

2. Click the Package Management tab:

Figure 6-53 Web Client configuration – package management page

The following options are available:

Option / table column | Details
Platform name | Select the platforms for which you want to consolidate files. This will display the appropriate processor-specific information for each platform.
[Table] Package name | The name of the package corresponding to the processor type.
[Table] Version | The Web Client version.
[Table] Filename in the package | A list of files currently in the package.
[Table] Missing files | A list of missing files needed for the package to run.
File path | Click Browse to locate and load each individual file for the package preselected in the list.
Upload | Load either the ZIP file containing the native components, or individual native component files (located and opened via Browse) into the platform-specific package.
Remove All | Remove all of the Web Client files from a pre-selected package.
Synchronize Ticket | Synchronize the license file (ticket.snc) used for the signon&secure/JCO installation to all the operating system packages. This applies even if you do not implement SAP ID authentication. For further information refer to section 6.1.12 on page 158.

3. Select a platform from the combo-box and click Browse… to locate either the

complete Native Components ZIP file, or any missing Native Component files for each

operating system/processor type necessary for the configuration.


The SECUDE libraries (ComSecudeUtil, secude) and the version file can be

located in the file SECUDE51SecureLoginNativeComponents.zip delivered with

the Secure Login package (optionally, the license file (ticket.snc) can also be

loaded in this manner – see step 5 below).

4. Click Upload to load each file individually into the package.

5. As an optional step, to save time loading the license file (ticket.snc) into each of

the operating system packages, you can click Synchronize Ticket to automatically

perform this task.

6.1.16.5 HTML Settings

This section details the HTML settings for the Secure Login Web Client. Use this page to

customize the messages and/or look of the Web Client pages.

For information about how to install and use the Web Client refer to chapter 5 on page 109.

1. If you have not already done so, click the Web Client Configuration node from the tree

in the left-hand pane. The Web Client Management page will appear.

2. Click the HTML Settings tab:

Figure 6-54 Web Client configuration – HTML settings page

A list of language files for the GUI will be displayed. You can now either:

- Click New… to create a message file in a specific language (see below), or…
- Select an existing message file from the list and click Edit… to alter the messages for that language (refer to the next page).

Create a new Language File

1. Click New… to create HTML pages for the Web Client. A language selection bar will appear below the message list:

Figure 6-55 Web Client configuration – HTML settings > create new language file

2. Select the language in which you want to create the messages from the combo-box

and click Create New file.


3. The new language file will be created using proprietary files (in English) and will

appear in the list:

Figure 6-56 Web Client configuration – HTML settings > select language file to edit

Select the language file from the list and click Edit…

4. The HTML editor page will appear:

Figure 6-57 Web Client configuration – HTML settings > edit language files

The following options are available:

[HTML pages]
  InitApplet.html
    This is the initial page to be called by the Web Client. This page performs a Java check as well as a communication timeout and user preferences check.
  SNCAppletAuth.html
    This is the main Web Client page containing the logon form and configurable Server-list. If you do not want to support direct login to SAP Servers but rather only the launching of SAP logon, you can change the HTML template of this main page.
  SNCAppletNewpin.html
    This is the page for new PIN entry applicable to RSA and SAP ID. If Secure Login Server JAAS authentication modules of the types RSA or SAP ID are configured, it may occur that users have to change their passwords. This page is for this purpose.
  SNCAppletNexttoken.html
    This is the page for a new token entry applicable to RSA Server requests. If the Secure Login Server RSA JAAS authentication module is configured, it may occur that the RSA Server will request a new token code. This page is for this purpose.
  SNCAppletSaplogon.html, SNCAppletSapstart.html
    One of these pages will appear if the SAP GUI binary tools configured on the Server-side cannot be found on the Client computer. The pages will prompt the user to specify which SAP GUI executable is to be used. Once specified, this parameter is then stored, together with the Client computer-hostname, in the configuration file user.properties in the user's home directory.
Save
  Save any changes made in the HTML editor pane.
Reset
  Reset any changes to those in the previously saved version of the template.
Preview
  Preview the HTML code in your Web-browser.

5. Select the template you want to edit from the left-hand pane and edit the HTML code as necessary. Repeat for any further templates (remember to click Save after completing each template to save the changes for each one).

Edit an existing Language File

1. Select a language from the list and click Edit…

2. The HTML editor page will appear:

Figure 6-58 Web Client configuration – HTML settings > edit language files

Refer to the previous page for a list of the options available on this page.

3. Select the template you want to edit from the left-hand pane and edit the HTML code as necessary. Repeat for any further templates (remember to click Save after completing each template to save the changes for each one).


6.2 Email Report&Alert Configuration

1. Define the settings of the E-Mail Server account:

Figure 6-59 Email Report&Alert configuration – Email Server Setting

- Specify the name or IP address of the SMTP Server.
- Specify the username and password of the SMTP user.
- Specify the E-Mail address of the sender.
- Specify the E-Mail address of the default receiver.
- Optionally, specify a text signature to be appended to mails.

2. Select System Alert Settings and/or Log Alert Settings:

Figure 6-60 Email Report&Alert configuration – System Alert Setting

- Select the Check and Send Email check box.
- Define the desired check interval.
- Select the items to be monitored for the report, or check All.
- Select Send Email to Default if the receiver is to be the default one already defined, or specify a receiver in the edit box.


6.3 Instance Management

This section details the Instance management page of the Administration Console.

Instance management is the main hub that allows you to switch between Server instances to configure each one (i.e. to configure a specific Server instance you must first open this page and switch to it).

Follow these steps to configure Server instances:

1. If you have not already done so, click the Instance management node from the tree in the left-hand pane.

2. The following page will appear:

Figure 6-61 Administration Console – instance management

This page displays all of the Server instances in the Secure Login configuration. The red * next to the instance name depicts the current Server instance. This page has the following options:

Area            Options + details

Instance information list:

ServerName: The name of the instance. Click Edit to change the Server name.

ID: The ID of the instance. It is also the name of the folder in which this instance's configuration files are stored.

Server Root Path: The path to this instance's folder.

Status: The active status of this instance. An inactive instance is shown in gray.

Lock: The lock status of the Server instance (locked/unlocked).

Buttons:

Add: Add a new Server instance. This will start a wizard to help you through the creation process. For further information about the creation process refer to section 3.6.3 on page 63.

Edit: Edit the name of the selected Server instance. To use this function, check the Server instance you wish to edit and click Edit. Enter the new name in the new page and click Save.

Active: Activate a selected Server instance. If a Server instance entry is grayed-out this means that it has been deactivated. Use the Active function to re-activate the Server instance.

Inactive: Deactivate a selected Server instance. This function should only be used when a Server instance needs to be deactivated for maintenance or for a temporary task.

Unlock: Unlock a Server instance. A Server instance may be locked if, for example, log files can no longer be written.

Delete: Delete the selected Server instance. All the configuration files of this instance will also be deleted.

6.3.1 Instance Configuration

This section details the Instance Configuration page of the Administration Console. The node can be recognized as <Server name> Configuration or DefaultServer Configuration in the navigation tree.

This page displays the configuration of the current instance and allows you to:

- View a Server configuration pre-selected in the Instance Management page.
- Edit the Server configuration.

Follow these steps to view and configure Server instances:

1. If you have not already done so, click the Instance management node from the tree in the left-hand pane to select the Server instance you wish to view/edit (see section 6.3).

2. The following page will appear:

Figure 6-62 Administration Console – Instance Configuration page (extract)

This page displays an overview of the Secure Login Server configuration properties. Click Edit in the top right-hand corner to edit the following parameters:

Option          Can be edited?          Details/Value

Authentication Server configuration (No):

JaasModule: The JAAS login module to be used with this Server instance.

SECUDE Secure Login UserCA KeyStore (No):

PseType: Type of PSE used by the Server to sign the generated certificates.

PseName: The path to the PSE file.

User Certificate Configuration (Yes):

These values will be used to generate Client certificates. As a result, all the Client certificates will have the same country, locality, organization, and organizational unit values. These certificates are distinguished by different common names, which are not set here:

DN.xxx: Information used to identify the Clients for the SECUDE Secure Login Server. Use a mix of letters, digits, and special characters.

ValidityMinutes: The amount of time, in minutes, for which a Client certificate is valid.

ValidityOffset: Time offset in minutes relative to the Server system time for the certificates to start being valid.

UseUPN: Use the User Principal Name.

Certificate Template Configuration (No):

The following options cannot be edited in this page. For details about how to set these options refer to section 6.1.7 on page 143.

CertificateName, CertificateFormat, SerialNumberPolicy, StandardExtension, PrivateExtension, KeyUsage, ExtendedKeyUsage

Log Configuration (No):

The following options cannot be edited in this page. For details about how to set these options refer to section 6.3.4.2 on page 195.

EnableLog: Is logging enabled?

DailyLogPrefix: The file prefix for daily logs.

DailyLogDir: The directory for daily log storage.

MonthlyLogPrefix: The file prefix for monthly logs.

MonthlyLogDir: The directory to which the monthly log files are saved.

LogMaxSize: The maximum size for the log file directory (all log files) in gigabytes.

LogRotationSize: The maximum size a log file may be before archiving.

LogCleanDays: The interval, in days, after which the next log cleanup starts.

Other Server Configuration (all except LockDir are editable):

LockInstanceOnTransactionLogFailure: Lock the Server instance should the transaction log fail (for example when the logfile can no longer be written due to lack of disk space).
- Yes = lock the Server
- No = Do not lock the Server

LockDir: The directory in which the lock file will be placed. This requires a path to a valid folder to which the Server has write access. If the value is a valid directory path but the folder does not exist, then one will be created (if the path is not valid, or the Server has no write access, then no lock file can be created and the Server cannot be locked). NOTE: Changing the lock directory value requires a Server restart.

maxSessionInactiveInterval: Specifies the time, in seconds, between Client requests before the servlet container will invalidate this session. This is applicable only in challenge-mode (PIN change etc.).

AdminServletHeader: The header text to be displayed on the status page (used by the StandardServlet status page, not used by the Administration Console GUI).

AdminServletTrailer: The footer text to be displayed on the status page (used by the StandardServlet status page, not used by the Administration Console GUI).

User-defined properties (Yes):

Any properties defined by the Server administrator will be listed here. To add a new property click Edit, navigate to the bottom of the page, click Add, then enter the property name in the first field and a false/true parameter in the second field. Click Delete to remove an administrator-defined property from the configuration.

3. Once you have made changes to the Server instance click Save to apply them to the Server configuration.

6.3.2 Customizing With User-Defined Properties

This section details Secure Login features to assist an administrator by means of user-defined properties.

Contents

Section 6.3.2.1 'Alternative User Name from LDAP Directory' page 181

Section 6.3.2.2 'Length of Username in Certificate' page 183

Section 6.3.2.3 'Username Configuration for SQL JAAS Module' page 183

6.3.2.1 Alternative User Name from LDAP Directory

This section details how to configure an LDAP or Active Directory Server attribute value to be used instead of the user name given by the Client. This may be useful if the SAP SNC user names and the authenticated user names (e.g. from a Windows domain) are not the same.


Each instance may have its own configuration.

1. Open the Instance configuration in Edit mode as described on page 179.

2. Scroll down to the bottom and add a set of User-defined properties:

Figure 6-63 User-defined properties – sample LDAP attribute configuration

The following properties are available (properties marked with * are mandatory; <n> is the index of the Server within the ordered list):

Property        Details

LdapReadServers*: Number of LDAP Servers that are configured here. A numeric value is expected that must be 1 or higher. The given value is used as n to define an ordered list of Servers that are called in a fail-over manner. Keep empty to disable all configured Servers.

LdapReadAttribute<n>*: The LDAP attribute that shall be used instead of the given user name. A simple text value is expected.

LdapReadUrl<n>*: The LDAP Server that shall be used to retrieve that attribute.

LdapReadTimeout<n>: Connection timeout in seconds.

LdapReadDomain<n>*: For Active Directory: LDAP domain to be appended to the given user name if it is not a User Principal Name. If the name is already in UPN format, the property is ignored.

LdapReadUser<n>*: LDAP user to open the LDAP session (bind user).

LdapReadPass<n>*: LDAP password of the bind user. Warning: This password is displayed and stored in clear text. It is recommended to use an LDAP user with read-only permissions.

LdapReadBaseDN<n>*: LDAP search base / sub tree to be used to search for the given user name.

The user certificate's common name part (CN) gets the value of LdapReadAttribute if

- there is an LDAP entry for the given user, and
- the attribute LdapReadAttribute exists and contains a text value.

Otherwise, the CN is generated as usual.

For a protected communication to the directory Server, LDAP/SSL may be configured. In this case, the existing trust store of Secure Login Server is used.
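As an added example (not SECUDE's code), the following Python models the lookup described above: it parses the LdapRead* properties into the ordered Server list, appends LdapReadDomain to names that are not yet a UPN, tries the Servers in fail-over order and falls back to the plain user name when no entry or no attribute value is found. The LDAP call itself is injected as a function and run against constructed data; the numbering 1..LdapReadServers, the 30-second fallback timeout and all sample names are assumptions.

```python
"""Added example, not SECUDE's code: derive the certificate CN from the
LdapRead* user-defined properties of section 6.3.2.1. The LDAP query is
injected as a callable, so the fail-over logic runs offline on constructed data.
Assumption: the numbered properties run from 1 to LdapReadServers."""
from typing import Callable, Dict, List, Optional

MANDATORY = ("Attribute", "Url", "Domain", "User", "Pass", "BaseDN")

# Callable signature: (url, timeout, bind_user, bind_pass, base_dn, upn, attribute)
# returning the attribute text, or None when there is no entry / no attribute.
LookupFn = Callable[[str, int, str, str, str, str, str], Optional[str]]


def parse_ldap_servers(props: Dict[str, str]) -> List[Dict[str, str]]:
    """Turn LdapReadServers plus LdapRead<Name><n> into an ordered server list."""
    count = props.get("LdapReadServers", "").strip()
    if not count:
        return []  # empty value disables all configured servers
    n = int(count)
    if n < 1:
        raise ValueError("LdapReadServers must be 1 or higher")
    servers = []
    for i in range(1, n + 1):
        entry = {name: props.get(f"LdapRead{name}{i}", "").strip()
                 for name in MANDATORY + ("Timeout",)}
        missing = [name for name in MANDATORY if not entry[name]]
        if missing:
            raise ValueError(f"missing mandatory property LdapRead{missing[0]}{i}")
        servers.append(entry)
    return servers


def to_upn(user: str, domain: str) -> str:
    """Append LdapReadDomain unless the name already is a User Principal Name."""
    return user if "@" in user else f"{user}@{domain}"


def resolve_cn(props: Dict[str, str], user: str, lookup: LookupFn) -> str:
    """CN = LDAP attribute value from the first reachable server that has an
    entry with a non-empty attribute; otherwise the CN is the given user name."""
    for server in parse_ldap_servers(props):
        timeout = int(server["Timeout"] or 30)  # assumed fallback when unset
        try:
            value = lookup(server["Url"], timeout, server["User"], server["Pass"],
                           server["BaseDN"], to_upn(user, server["Domain"]),
                           server["Attribute"])
        except ConnectionError:
            continue  # fail over to the next server in the ordered list
        return value if value else user  # a reachable server decides
    return user


# Constructed sample properties and directory content; not real data.
SAMPLE_PROPS = {
    "LdapReadServers": "2",
    "LdapReadAttribute1": "sapUserName", "LdapReadUrl1": "ldap://dc1.example.local",
    "LdapReadTimeout1": "5", "LdapReadDomain1": "example.local",
    "LdapReadUser1": "svc_readonly@example.local", "LdapReadPass1": "<bind password>",
    "LdapReadBaseDN1": "dc=example,dc=local",
    "LdapReadAttribute2": "sapUserName", "LdapReadUrl2": "ldap://dc2.example.local",
    "LdapReadDomain2": "example.local",
    "LdapReadUser2": "svc_readonly@example.local", "LdapReadPass2": "<bind password>",
    "LdapReadBaseDN2": "dc=example,dc=local",
}

SAMPLE_DIRECTORY = {
    "ldap://dc1.example.local": None,  # unreachable: forces fail-over
    "ldap://dc2.example.local": {"jsmith@example.local": "SAPJSMITH",
                                 "tlee@example.local": ""},  # attribute empty
}


def sample_lookup(url, timeout, bind_user, bind_pass, base_dn, upn, attribute):
    """Stand-in for the LDAP bind and search against the constructed directory."""
    entries = SAMPLE_DIRECTORY.get(url)
    if entries is None:
        raise ConnectionError(f"{url} unreachable after {timeout}s")
    return entries.get(upn)


if __name__ == "__main__":
    print(resolve_cn(SAMPLE_PROPS, "jsmith", sample_lookup))  # SAPJSMITH
    print(resolve_cn(SAMPLE_PROPS, "tlee", sample_lookup))    # tlee
```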


6.3.2.2 Length of Username in Certificate

SAP user IDs have a maximum length of 12 characters, which needs to be considered by SNC X.509 certificates. The default behaviour of Secure Login Server 5.1 is to strip any user name value to this length in the CN field of issued certificates. This default length may be customized.

Property        Details

MaxUserNameLength: Maximal number of characters a user name in the CN field may have. If the given user name is longer, it is cut from the right side. Default value: 12. Sample: SCHWARZENEGGER is cut off to SCHWARZENEGG with default settings.

UserNamePaddingLength: If user names in the CN field need a fixed or minimum length, padding can be turned on. The padding length sets the minimum length of user names. Default value: None.

UserNamePaddingChar: The padding character is used to fill user names on the left side if their size is smaller than the configured padding length. Default value: None. Sample: ARNOLD is extended to 00ARNOLD with UserNamePaddingLength="8" and UserNamePaddingChar="0".

6.3.2.3 Username Configuration for SQL JAAS Module

Depending on the username/Client ID schema used for database authentication, some special configuration properties may be needed to define which user name is put into the certificate. This is only to be considered if Secure Login Client sends compound username values.

Property        Details

UseQualifiedName: If true, the full received username value is taken for the user certificate's CN field. If false, only the user ID part before the separator is taken, and UserNameSeparator must be set to a non-blank value to apply this property. Default value: true.

UserNameSeperator: String of one or more characters that separates the username and the Client identifier sent by the Secure Login Client. If configured, DBColumnClientID must also be configured in the SQL JAAS module. Default value: None. Sample: USER001#CLIENT999 is split to USER001 with UseQualifiedName="false" and UserNameSeperator="#".
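The user-name rules of sections 6.3.2.2 and 6.3.2.3 combined in one function, as an added example that is not SECUDE's code: separator split, cut from the right to MaxUserNameLength, then left padding. That the separator split is applied before the length and padding rules is an assumption; the manual spells the separator key both UserNameSeperator and UserNameSeparator, so the property reader accepts both.

```python
"""Added example, not SECUDE's code: the user-name rules of sections 6.3.2.2
and 6.3.2.3 applied to the certificate CN. Assumption: the separator split
(UseQualifiedName=false) happens before the length and padding rules."""
from typing import Dict, Optional


def certificate_user_name(received: str, *, use_qualified_name: bool = True,
                          separator: str = "", max_user_name_length: int = 12,
                          padding_length: Optional[int] = None,
                          padding_char: Optional[str] = None) -> str:
    """Return the user name as it would be written into the CN field."""
    name = received
    if not use_qualified_name:
        # UseQualifiedName=false only applies with a non-blank separator
        if not separator.strip():
            raise ValueError("UserNameSeparator must be set when "
                             "UseQualifiedName is false")
        name = name.split(separator, 1)[0]  # user ID part before the separator
    if len(name) > max_user_name_length:
        name = name[:max_user_name_length]  # cut from the right side
    if padding_length is not None and padding_char:
        name = name.rjust(padding_length, padding_char[0])  # fill on the left
    return name


def user_name_from_properties(props: Dict[str, str], received: str) -> str:
    """Apply the same rules from string-valued user-defined properties as an
    administrator would enter them in the Instance Configuration page."""
    pad_len = props.get("UserNamePaddingLength", "").strip()
    return certificate_user_name(
        received,
        use_qualified_name=props.get("UseQualifiedName", "true").lower() == "true",
        # the manual writes the key as UserNameSeperator and as UserNameSeparator
        separator=props.get("UserNameSeperator", props.get("UserNameSeparator", "")),
        max_user_name_length=int(props.get("MaxUserNameLength", "12")),
        padding_length=int(pad_len) if pad_len else None,
        padding_char=props.get("UserNamePaddingChar"),
    )


if __name__ == "__main__":
    # The manual's three samples
    print(certificate_user_name("SCHWARZENEGGER"))                      # SCHWARZENEGG
    print(certificate_user_name("ARNOLD", padding_length=8, padding_char="0"))  # 00ARNOLD
    print(certificate_user_name("USER001#CLIENT999",
                                use_qualified_name=False, separator="#"))  # USER001
```

With UseQualifiedName left at its default of true, the compound value USER001#CLIENT999 is not split and the 12-character default cuts it to USER001#CLIE, which is why the two properties have to be set together for compound names.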

6.3.3 Client Configuration

This section details the Client configuration page of the Administration Console.

Follow these steps to open Client configuration:

1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.


2. The following page will appear:

Figure 6-64 Client configuration page

This page automatically opens on the Client Policy file management page.

The following options are available (options marked with * are mandatory):

Option          Details/Value

Client Policy: Opens the Client policy management page (the default page).

Applications: Opens the Applications management page. For further information see section 6.3.3.1 'Application Management' on page 184.

Profiles: Opens the Profiles management page. For further information see section 6.3.3.2 'Client Profile Management' on page 187.

Files download: Opens the Files download page. For further information see section 6.3.3.3 'Files Download' on page 190.

Global Client Policy: Opens the Global Client Policy page. For further information see section 6.3.3.4 'Global Client Policy' on page 191.

Policy URL*: Network resource URL from which the latest SECUDE Secure Login Client policy can be downloaded. Example: http://proxyurl.secude.com:3128

Policy TTL*: The time (in minutes) that a policy remains valid.

Network Timeout (s)*: The elapsed time (in seconds) before a connection is closed if the Server does not respond.

Disable update policy on startup: Turn off automatic policy download and registration when the system service is started.
- false = update policy enabled
- true = update policy disabled

3. If necessary, edit the parameters and click Save to set the changes.

6.3.3.1 Application Management

This section details how to administrate applications for the Client.

1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.

2. Click Applications. The following information will appear:

Figure 6-65 Client configuration – Application Management page

The following options are available (options marked with * are mandatory):

Option          Details/Value

Client Policy: Opens the Client policy management page. For further information see section 6.3.3.1 'Application Management' on page 184.

Applications: Opens the Applications management page (this page).

Profiles: Opens the Profiles management page. For further information see section 6.3.3.2 'Client Profile Management' on page 187.

Files download: Opens the Files download page. For further information see section 6.3.3.3 'Files Download' on page 190.

Global Client Policy: Opens the Global Client Policy page. For further information see section 6.3.3.4 'Global Client Policy' on page 191.

Application action: The action of the selected application. There are 3 types of action: clean, replace, or keep. Click Save to set the application action.

Add Application: Add a new application (see next page).

Edit: Modify a selected application (only applicable if an application is available in the Applications list). See below.

Delete: Delete a selected application (only applicable if an application is available in the Applications list).

Add/Edit an Application

Follow these steps to add an application:

1. Click Add Application. The following information will appear:

Figure 6-66 Client configuration – add an application

The following options are available (options marked with * are mandatory):

Option          Details/Value

Application name*: The name of the application.

SAP Server: Select the SAP Server certificate for this policy. NOTE: this field only appears if you have created an SAP CA, plus certificate, in the Certificate Management page (see section 6.3.2.3 on page 183).

PSEURI*: Application specific PSE URI that is matched when a fitting profile is searched. For example:
SNC/cn=SAP, o=SECUDE, c=DE
SNC/CN=Server*, ou=Strong
The wildcards * and ? can be used.

Profile: The name of the security profile to be used for the application. The name must match the profile name in the profiles section. The profile name * is used for the default security profile that is configured by the user (for example, the smart card profile). For further information about profiles see section 6.3.3.2 'Client Profile Management' on page 187.

allowFavorite: Allow the user to select another profile as 'favorite' for this SNC application context.
- false (default) = always use configured profile
- true = Do not use configured profile

2. Enter the application parameters and click Save. This will return you to the Applications page (see section 6.3.3.1 'Application Management' on page 184).
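How the application entries above resolve to a profile for an SNC context, as an added example rather than SECUDE's own matching code: the PSEURI is matched with the * and ? wildcards, the Profile value is returned (with * standing for the user's default profile) and allowFavorite lets a user-chosen favorite override it. That the first matching entry wins and that the comparison ignores letter case and spacing after commas are assumptions; the application list is constructed.

```python
"""Added example, not SECUDE's code: look up the Client profile for an SNC
context from Application entries as section 6.3.3.1 describes (PSEURI with
* and ? wildcards, Profile, allowFavorite). Assumptions: the first matching
entry wins and the comparison ignores case and spacing after commas."""
import fnmatch
from typing import Iterable, Optional


def normalize_pse_uri(uri: str) -> str:
    """Canonical form 'snc/cn=...,o=...' so that 'SNC/cn=SAP, o=SECUDE' and
    'snc/CN=SAP,O=SECUDE' compare equal (case-insensitive by assumption)."""
    scheme, _, dn = uri.partition("/")
    rdns = [rdn.strip() for rdn in dn.split(",") if rdn.strip()]
    return f"{scheme.strip()}/{','.join(rdns)}".lower()


def pse_uri_matches(pattern: str, uri: str) -> bool:
    """Match the application PSEURI pattern (wildcards * and ?) against a URI.
    fnmatch semantics: * also spans commas, so 'cn=Server*' matches any
    remaining RDNs; '[' would be a character class but never occurs in a DN."""
    return fnmatch.fnmatchcase(normalize_pse_uri(uri), normalize_pse_uri(pattern))


def select_profile(applications: Iterable[dict], uri: str,
                   favorite: Optional[str] = None) -> Optional[str]:
    """Profile name for the SNC context, or None when no application matches.
    '*' stands for the user's default profile; with allowFavorite=true a
    user-selected favorite replaces the configured profile."""
    for app in applications:
        if pse_uri_matches(app["PSEURI"], uri):
            if app.get("allowFavorite", False) and favorite:
                return favorite
            return app["Profile"]
    return None


# Constructed application list in the shape of the Add Application page.
SAMPLE_APPLICATIONS = [
    {"Application name": "ERP production", "PSEURI": "SNC/cn=SAP, o=SECUDE, c=DE",
     "Profile": "corp-smartcard", "allowFavorite": False},
    {"Application name": "Strong servers", "PSEURI": "SNC/CN=Server*, ou=Strong",
     "Profile": "*", "allowFavorite": True},
]


if __name__ == "__main__":
    print(select_profile(SAMPLE_APPLICATIONS, "snc/CN=SAP,O=SECUDE,C=DE"))  # corp-smartcard
    print(select_profile(SAMPLE_APPLICATIONS, "SNC/cn=Server01, ou=Strong"))  # *
    print(select_profile(SAMPLE_APPLICATIONS, "SNC/cn=Server01, ou=Strong",
                         favorite="my-token"))  # my-token
```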


6.3.3.2 Client Profile Management

This section details how to administrate profiles for the Client.

1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.

2. Click Profiles. The following page will appear:

Figure 6-67 Client configuration – Client profiles page

The following options are available (options marked with * are mandatory):

Option          Details/Value

Client Policy: Click to open the Client Policy Management page (the default page). For further information see section 6.3.3 'Client Configuration' on page 183.

Applications: Click to open the Applications Management page. For further information see section 6.3.3.1 'Application Management' on page 184.

Profiles: Click to open the Profiles Management page (this page).

Files download: Opens the Files Download page. For further information see section 6.3.3.3 'Files Download' on page 190.

Global Client Policy: Opens the Global Client Policy page. For further information see section 6.3.3.4 'Global Client Policy' on page 191.

Profile action: The action of the profile. There are 3 types of action: clean, replace, or keep. Click Save to set the profile action.

Add Profile: Add a new profile (see next page).

Edit: Modify a profile (only applicable if a profile is available in the Profile list). See below.

Delete: Delete a profile (only applicable if a profile is available in the Profile list).


Add/Edit a Client Profile

Follow these steps to add/edit a profile:

1. Click Add Profile.

2. The following page will appear:

Figure 6-68 Client configuration – add/modify Client profile

The following options are available (options marked with * are mandatory):

Option          Details/Value

Profile name*: The name of the profile.

PSEType: The type of profile. Possible values include:
- promptedlogin
- windowslogin

EnrollURL0*: Secure Login URL that is used for authentication and certificate enrolment. The URL locates the Server instance that is valid for the Secure Login Client. For example: http://myServer.local/securelogin/PseServer?id=0001

EnrollURL1: Fallback Secure Login URL if URL 0 fails. The URL locates the Server instance that is valid for the Secure Login Client. For example: http://myServer.local/securelogin/PseServer?id=0002

HttpProxyURL: HTTP proxy to be used with enrolment URLs. Only HTTP proxies without authentication and without SSL to the proxy are supported. Example: http://example.address.com:8888

GracePeriod: The number of seconds that will expire before a certificate will automatically re-enroll. Default: 0

InactivityTimeout: The number of seconds until an automatic logout is performed (due to mouse and keyboard inactivity). Possible values:
- > 1: The number of seconds of inactivity.
- -1: No single sign-on (SSO). Each SNC connection forces a new login.
- 0 (default): No timeout. SSO without constraints.

AutoReenrollTries: The number of failed authentications in a row until automatic re-enrolment is stopped. User name and password caching can be turned on to provide the automatic re-enrolment of certificates that are going to expire. Possible values:
- 0: Turn off (default): Do not re-enroll automatically; do not cache user name and password. A re-enrolment must always be performed manually by the user.
- >0 (n): Turn on with n tries to succeed: Try to re-enroll a maximum of n times before either a new certificate is received or the user name and password cache are cleared.
The error counter is reset on success. A manual re-enrolment is also possible. You can delete all cached credentials from memory (except those stored in the Secure Login Client system service) via the logout entry in the context menu of the SECUDE PSE service in the system tray. Deleting the cache of the windowslogin token has no effect as the credentials can be retrieved from the Secure Login Client system service.

KeySize: Key size of the newly-generated RSA keys. Range: 512 – 16384. Default: 512

ReUseKey: Defines if the RSA key is kept for the profile. If true, the RSA key is kept unless a manual logout is performed or the user process psesvc.exe is shut down. Default: false

UniqueClientID: Customer-defined string. Default: NULL

Network timeout (seconds): Network timeout (in seconds) before the connection is closed if the Server does not respond. Default: 45

SSLHostCommonNameCheck: This applies to the SSL Server certificate: checks if the peer host name is given in its common name. Default: false

SSLHostAlternativeNameCheck: This applies to the SSL Server certificate: checks the Server's SSL certificate for the correct DNS name in the Subject Alternative Names attribute. Default: false

SSLHostExtensionCheck: This applies to the SSL Server certificate: checks if the peer's certificate has the extended key usage ServerAuthentication set. Default: false

UseSslPse: If set to true, this parameter turns on the former SSL.PSE-based TrustStore for HTTPS. If set to false (default), the Microsoft CAPI is used for HTTPS trust.

UserWarningPassword: Turn on/off a warning dialog box that appears before the user name and password are sent to the Secure Login Server. Default: false

UserWarningMSIE: Turn on/off a warning dialog box that appears after a new certificate has been propagated to the Microsoft Crypto Store. NOTE: Microsoft Internet Explorer must be restarted. Default: false

3. Enter the profile parameters and click Save. This will return you to the Profiles page (see section 6.3.3.2 'Client Profile Management' on page 187).
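The three SSL Server certificate checks of the profile table, applied to a constructed view of a peer certificate, as an added example that is not SECUDE's code: it shows that with the documented defaults (all three false) a certificate issued for a different host passes, and what each check rejects once it is switched on. Case-insensitive DNS comparison and a leading "*." matching exactly one label are assumptions, as are the sample host names.

```python
"""Added example, not SECUDE's code: the SSL Server certificate checks of the
Client profile (SSLHostCommonNameCheck, SSLHostAlternativeNameCheck,
SSLHostExtensionCheck) applied to a constructed view of a peer certificate.
Assumption: DNS names compare case-insensitively and a leading '*.' matches
exactly one label."""
from dataclasses import dataclass, field
from typing import Dict, List

SERVER_AUTH_EKU = "ServerAuthentication"  # extended key usage name as in the manual

# The manual's defaults: none of the three host checks is switched on.
DEFAULT_PROFILE: Dict[str, bool] = {
    "SSLHostCommonNameCheck": False,
    "SSLHostAlternativeNameCheck": False,
    "SSLHostExtensionCheck": False,
}
HARDENED_PROFILE: Dict[str, bool] = {key: True for key in DEFAULT_PROFILE}


@dataclass
class PeerCertificate:
    """Only the fields the checks look at; constructed, not parsed from DER."""
    common_name: str
    san_dns_names: List[str] = field(default_factory=list)
    extended_key_usage: List[str] = field(default_factory=list)


def dns_name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a '*.' wildcard standing for exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def check_ssl_peer(profile: Dict[str, bool], cert: PeerCertificate,
                   host: str) -> List[str]:
    """Return the names of the enabled checks that fail; [] means accepted."""
    failures = []
    if profile.get("SSLHostCommonNameCheck", False) and \
            not dns_name_matches(cert.common_name, host):
        failures.append("SSLHostCommonNameCheck")
    if profile.get("SSLHostAlternativeNameCheck", False) and \
            not any(dns_name_matches(n, host) for n in cert.san_dns_names):
        failures.append("SSLHostAlternativeNameCheck")
    if profile.get("SSLHostExtensionCheck", False) and \
            SERVER_AUTH_EKU not in cert.extended_key_usage:
        failures.append("SSLHostExtensionCheck")
    return failures


# Constructed certificates: one issued for the enrolment host, one for another host.
GOOD_CERT = PeerCertificate("myServer.local", ["myServer.local", "*.example.local"],
                            [SERVER_AUTH_EKU])
WRONG_HOST_CERT = PeerCertificate("other.local", ["other.local"], [])


if __name__ == "__main__":
    print(check_ssl_peer(DEFAULT_PROFILE, WRONG_HOST_CERT, "myServer.local"))   # []
    print(check_ssl_peer(HARDENED_PROFILE, WRONG_HOST_CERT, "myServer.local"))  # all three
```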

6.3.3.3 Files Download

This section details how to download the relevant Client policy files for the Secure Login Client. Use the files generated via this option (instead of the files generated via the Global Client Policy option, section 6.3.3.4 on page 191) if you want to export the Client policy files for the current (active) instance only.

1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.

2. Click Files download.

3. The following page will appear:

Figure 6-69 Files download page

The following options are available (options marked with * are mandatory):

Option          Details/Value

Client Policy: Click to open the Client Policy Management page (the default page). For further information see section 6.3.3 'Client Configuration' on page 183.

Applications: Click to open the Applications Management page. For further information see section 6.3.3.1 'Application Management' on page 184.

Profiles: Opens the Profiles management page. For further information see section 6.3.3.2 'Client Profile Management' on page 187.

Files download: Opens the Files Download page (this page).

Global Client Policy: Opens the Global Client Policy page. For further information see section 6.3.3.4 'Global Client Policy' on page 191.

Download: Download the selected policy file(s). This dialog allows you to download the following files:
- The ClientPolicy.xml file and customer.zip (which contains the root certificate and a simple registry file). This is used for dynamic Client policy retrieval (via a policy Server).
- The customerAll.reg registry file. This is a static Client policy written as registry values to the Windows registry.

4. To download, check the appropriate policy file and click Download.

5. A download dialog will open. Click the download link at the bottom of the page, browse for a download location, and save the file.

6. Close the download dialog.

6.3.3.4 Global Client Policy

This section details how to download the relevant Client policy files (including instances) for the Secure Login Client. Use the files generated via this option (instead of the files generated via the Files Download option, section 6.3.3.3 on page 190) if you want to include the complete Secure Login Server configuration, including all instances, in the Client policy files for the Secure Login Client.

1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.

2. Click Global Client Policy.

3. The following page will appear:

Figure 6-70 Global Client policy page

The following options are available (options marked with * are mandatory):

Option          Details/Value

Client Policy: Click to open the Client Policy Management page (the default page). For further information see section 6.3.3 'Client Configuration' on page 183.

Applications: Click to open the Applications Management page. For further information see section 6.3.3.1 'Application Management' on page 184.

Profiles: Opens the Profiles management page. For further information see section 6.3.3.2 'Client Profile Management' on page 187.

Files download: Opens the Files Download page. For further information see section 6.3.3.3 'Files Download' on page 190.

Global Client Policy: Opens the Global Client Policy page (this page).

Generate: Generate Client policy files for the whole configuration.

4. Click Generate to generate (or re-generate) the global Client policy files. If the information in each of the Client policy instance files can be merged, then a list of files will appear below the Generate button. The following files can be downloaded:
- The GlobalClientPolicy.xml and GlobalCustomer.reg files are used for dynamic Client policy retrieval (via a policy Server).
- The GlobalCustomerAll.reg registry file is a static Client policy written as registry values to the Windows registry.
To download, just click the appropriate file(s) to browse for a download location, and save the file.
If the information in each of the Client policy instance files cannot be merged, then a message will appear stating which parameters are conflicting. Locate and change the specific parameters via the Client Policy, Applications, and Profiles options.

5. Close the download dialog.

6.3.4 Instance Log Management

This section details the Server/instance logging functionality of the Administration Console. The log entries apply only to Server actions.

1. If you have not already done so, click the Instance log management node from the tree in the left-hand pane.

2. By default the Monthly log page will appear:

Figure 6-71 Instance log management - main page/monthly log page

This page displays all of the tasks performed via the Administration Console since logging began as well as the Secure Login Server log. This page allows you to:

- Select a period of time to view via the Log Month or Log Day combo-box.
- Change log settings.
- Export log files to a *.csv file.

This page displays the following options:

Option          Details

Monthly log: View the monthly log (as in the figure above). For information about the log entries refer to the table below.

Daily log: Select this if the logging list is too long to view or if you just wish to view the logging data from a specific day in the current month. For further information see section 6.3.4.1 'Daily Log' on page 193.

Log analysis: Provides graphical visualization of authentication operations.

Log settings: Change the logging settings. For further information see section 6.3.4.2 'Log Settings' on page 195.

Archived Log: This option allows you to view archived log files. For further information see section 6.3.4.3 'Archived Log' on page 196.

Log month: View the log entries from a specific month via the combo-box.

Export logs: Click to export the current page of log entries to a file (*.csv). NOTE: This entry is only visible if log entries are present.

By default, the page will display the log entries from the current month in a table. The monthly table contains the following information about the administration tasks:

Table column        Details

Date: The date the task was performed.

Time: The time the task was performed.

Code: The internal code of the task performed.

Level: An abbreviated description of the message, i.e. INF for information, or ERR for error.

Description: A description of the message/task.

6.3.4.1 Daily Log

This section details how to view and export the daily log file entries from the Daily log page of the Administration Console.

1. If you have not already done so, click the Instance log management node from the tree in the left-hand pane.

2. The following information will appear:

Figure 6-72 Instance log management - daily log page


This page displays the log entries from the current day (going back a total of one

week) in a table. This page allows you to:

- select a day to view via the Log date combo-box;

- change log settings;

- export log files to a *.csv file.

The following options are available:

Option Details

Monthly Log View the monthly log. For further information see section 6.3.4

„Instance Log Management‟ on page 192.

Daily Log View the daily log (as in the figure above). For information about the

log entries refer to the table on the next page.

Log settings Change the logging settings. For further information see section 6.3.4.2 „Log Settings‟ on page 195.

Archived Log This option allows you to view archived log files. For further

information see section 6.3.4.3 „Archived Log‟ on page 196.

Log date View the log entries from a specific day via the combo-box.

Export logs Click to export the current page of log entries to a file (*.csv).

NOTE: This entry is only visible if log entries are present.

By default, the page will display the log entries from the current day in a table.

The table contains the following information about the administration tasks:

Table column Details

Time The time the administrative task occurred.

Client The Client computer from which the administrative task was initiated.

DNS/IP The DNS and IP of the Client computer from which the administrative

task was initiated.

View As NOTE: This field only appears if multiple sets of DNS/IP are configured

on the admin computer – the IP values of one set are displayed.

User The name of the user that initiated the administrative task.

Action The administrative task performed by the user.


6.3.4.2 Log Settings

This section details the log file settings for the Instance log management page of the

Administration Console.

1. If you have not already done so, click the Instance log management node from the

tree in the left-hand pane.

2. The following information will appear:

Figure 6-73 Instance log management – log settings

This page allows you to change the logging parameters via the following options

(options marked with * are mandatory):

Option Details

Maximum log file size* The maximum size for the log file directory (all log files) in gigabytes.

Maximum individual file size* The maximum size a log file may be before archiving.

Daily log file cleanup interval* The interval, in days, after which the next log cleanup starts.

Monthly log cleanup interval* The interval, in months, after which the next log cleanup starts.

Daily log prefix* (non-editable) The file prefix for daily logs.

Directory for storing daily logs* (non-editable) The directory for daily log storage.

Monthly log prefix* (non-editable) The file prefix for monthly logs.

Directory for storing monthly logs* (non-editable) The directory to which the monthly log files are saved.

Certificate and request archiving directory (also known as ArchivingDir in the configuration.properties file) The directory for storing all Client and Server communication data (certificates and certificate requests).

NOTE: Make sure that you enter a valid path! If the path is invalid the error Internal Server Error may occur when the Secure Login Client tries to log on.

3. Enter the parameters for each option and click Save. You will be returned to the

Instance log management main page.


6.3.4.3 Archived Log

This section details the Archive log file page of the Administration Console.

1. If you have not already done so, click the Instance Log Management node from the

tree in the left-hand pane.

2. Click Archived log. The following information will appear:

Figure 6-74 Instance log management - archived log files

The following options are available:

Option Details

Archived file name The name under which the Server has saved the log file(s).

Selected A radio button to indicate which file should be downloaded.

3. You now have the following options:

To download a log file archive, select an archive from the Selected column and

click Download. You will be prompted to choose a location. The log files are in ZIP

format.

To delete a log file archive, select an archive from the Selected column and click

Delete.

6.3.5 Instance Check

This section details the Instance Check page of the Administration Console.

1. If you have not already done so, click the Instance Check node from the tree in the

left-hand pane.

2. The following page will appear:

Figure 6-75 Instance Check page

This page displays the status of the Secure Login components (Client policy and PKI

structure).

For information about how to fix problems with system components either refer to

chapter 7 „Troubleshooting‟, on page 211 or contact SECUDE support.


6.3.6 Instance Status

This section details the Instance Status page of the Administration Console.

1. If you have not already done so, click the Instance Check node from the tree in the

left-hand pane.

2. The following page will appear:

Figure 6-76 Instance Check page

The Instance status is displayed as a table containing the following details:

Criteria Details

Date Current date and time.

Version Version of SECUDE Secure Login Server being used.

Uptime The amount of time the Server has remained active and

running.

Instance ID The identity of the current Server instance.

Configuration URL Location of the configuration.properties file.

Configuration status configuration.properties file permission status (i.e.

readable or not readable).

Server locked Is the Server instance locked?

PSE Server status Alive = working.

Server build SECUDE Secure Login Server version.


6.4 Console Users

This section details the Console Users page of the Administration Console. Use this node

to view when an administrator logged in to, or logged out of, the Administration Console.

1. If you have not already done so, click the Console Users node from the tree in the

left-hand pane.

2. The following page will appear:

Figure 6-77 Console Users page

This page displays the current login/logoff status for each administrator in

chronological order with the latest entry at the top of the table. No further actions can

be performed on this page.

Related Information

For detailed information about any action performed by an administrator refer to:

- the Console Log Viewer node (see section 6.1.15 on page 165)

- the Instance Log Management node (see section 6.3.4 on page 192)

- the Locked Files Management node (see section 6.4.3 on page 205)


6.4.1 User Management

This section details the User Management node of the Administration Console.

This node displays a list of the users/administrators registered to the Administration

Console and allows you to add a new user, edit/delete a current user, and assign a role

to a user (for further information about roles refer to the next section).

1. If you have not already done so, click the User Management node from the tree in the

left-hand pane.

2. The User management page will appear:

Figure 6-78 Administration Console - user management page

The current list of roles in the database will appear in a table. The following options

are available:

Option Details

Add Add a new user/administrator to the Administration Console user database.

Edit Edit any entry preselected from the list. This will open the Create User page.

Delete Delete any entry preselected from the list.

Assign Role Assign a role to any preselected user in the list. For further information refer to the next page.

It is only possible to delete users that have been added/configured by you. The user ‘Admin’

is a permanent user that has the role ‘super-user’ and cannot be deleted (only the password

changed) or altered in any way.

As a consequence, the ‘admin’ user can log onto the system regardless of state (i.e. when a

serious system error occurs), guaranteeing that there is at least one user that can always

access Secure Login to correct or configure the system.


Add/Edit a User

1. Click either Add or Edit to open the following page:

Figure 6-79 User management – add/edit a user

The following options are available (options marked with * are mandatory):

Option Details

ID* The unique identifier for the user inside of the Administration

Console.

Name* The username to be used for login.

NOTE: If you want to use either External login or SSL Certificate

Login make sure that this entry is consistent with the

respective certificate/database.

Change Password This option is only visible when editing a user entry in the list!

Check this option to change the password.

Password* The password to be used for local login.

NOTE: The password must be at least 8 characters in length

and contain a mix of uppercase/lowercase letters, special

characters and numbers.

Confirm Password* Confirm the password to be used for local login.

External login Use JAAS module-based login. This feature uses user

information stored in an Authentication Server database for

identification. Clicking this option will display the extra option

External Login ID.

NOTE: an Authentication Server must be pre-configured for this feature to work correctly.

External Login ID The unique identifier (password) for JAAS module-based

authentication.

NOTE: This option is only visible when the option External login

is checked!

SSL Certificate Login Use certificate-based authentication. Clicking this option will

display the extra option Certificate Login ID.

Certificate Login ID The unique identifier (password) for certificate-based login.

This entry must be the same as the subject_alt_name

used during login certificate creation.

NOTE: This option is only visible when the option SSL

Certificate Login is checked!

For further information about login certificates refer to section

3.3.3.1 on page 37.

Disabled If checked, the user cannot log on to the console.


NOTE: This option is not available for the default user (Admin).

If the options External login and SSL Certificate Login are both left unchecked, the default

method – local login – is used.

2. Enter information for each of the options and click Save.

Assign a Role to a User

1. Select the user from the user list to which the role is to be assigned.

2. Click Assign Role to open the following page:

Figure 6-80 User management – assign role to a user

Select one or more roles from the left-hand pane (All Roles) and click >>Add to

transfer that role to the user (My Roles).

3. Click Save.

Delete a Role from a User

1. Select the user from the user list from which the role is to be removed.

2. Click Assign Role to open the following page:

Figure 6-81 User management – assign role to a user

Select the role(s) from the right-hand pane (My Roles) and click >>Delete to remove

the role from the user.

3. Click Save.


6.4.2 Role Management

This section details the Role Management node of the Administration Console. Use this

node to configure the permissions for each administrator role.

1. If you have not already done so, click the Role Management node from the tree in the

left-hand pane.

2. The Role Management page will appear:

Figure 6-82 Role management - main page

This page displays a list of roles available in the Administration Console, as well as

allowing you to configure the roles.

The following options are available:

Option Details

Add Add a new role to the Administration Console.

Copy Copy any entry preselected in the list. This will open the Create Role page.

For further details refer to the next page.

Edit Edit any entry preselected from the list. This will open the Create Role page.

For further details refer to the next page.

Delete Delete any entry preselected from the list.

It is only possible to edit and delete roles that have been added or copied. The default roles

(Super User, CA Administrator, User Administrator, Auditor, Operator) cannot be altered or

deleted.


Add/Edit a Role

1. Either click Add to make a completely new role, or select the role on which you

want to base a similar role, and click Copy.

2. The Create Role page will appear:

Figure 6-83 Role management – add/copy a role

The following options are available (options marked with * are mandatory)

Option Details

ID* The unique identifier for the role.

Name* The name used to describe the role.

Permission List

sssPermission

Perform signon&secure-related operations. If left unchecked, the

SSS&JCO Installation node will not appear in the navigation tree.

logROPermission

Permission to view the log file. If left unchecked, the Console Log

Viewer and Instance Log Management nodes will not appear in the

navigation tree (unless the option logRWPermission is checked).

logRWPermission

Permission to change the logging configuration and export log files. If

left unchecked, the Console Log Viewer and Instance Log

Management nodes will not appear in the navigation tree (unless the

option logROPermission is checked).

statusPermission

Permission to view the status of the Server as well as each instance

in the configuration. If left unchecked, the Server Status and

Instance Status nodes will not appear in the navigation tree (unless

the option statusUnlockPermission is checked).

statusUnlockPermission

Permissions to unlock a locked Server or instance.


localizationPermission

Permission to perform GUI language-related operations. If left

unchecked, the Change Language node will not appear in the

navigation tree.

lockFilePermission

Permissions to unlock locked files. If left unchecked, the Locked

Files Management node will not appear in the navigation tree.

WebClientPermission

Permission to configure the Web-Clients. If left unchecked, the Web

Client Configuration node will not appear in the navigation tree.

confRWPermission

Permission to edit the Server configuration or instance configuration.

If left unchecked, the Server Configuration and DefaultServer

Configuration nodes will not appear in the navigation tree (unless the

option confROPermission is checked).

confROPermission

Permission only to view the Server configuration or instance

configuration. If left unchecked, the Server Configuration and

DefaultServer Configuration nodes will not appear in the navigation

tree (unless the option confRWPermission is checked).

multiRWPermission

Permission to add, edit, and delete instances. If left unchecked, the

Instance Management node will not appear in the navigation tree

(unless the option multiViewPermission is checked).

sysAnalyzePermission

Permission to check the system for missing or faulty components. If

left unchecked, the System Check and Instance Check nodes will not

appear in the navigation tree.

backRestorePermission

Permission to perform backup and restore operations. If left

unchecked, the Backup/Restore node will not appear in the

navigation tree.

userPermission

Permission to perform user-related operations, such as creating a

new user. If left unchecked, the User Management node will not

appear in the navigation tree.

rolePermission

Permission to perform role-related operations, such as creating a

new role. If left unchecked, the Role Management node will not

appear in the navigation tree.

multiViewPermission

Permission only to view instance details. If left unchecked, the

Instance Management node will not appear in the navigation tree

(unless the option multiRWPermission is checked).

caPermission

Permission to perform certificate authority-related tasks. If left

unchecked, the Certificate Template, Sign Certificate Requests, and

Certificate Management nodes will not appear in the navigation tree.

authPermission

Permission to perform authentication and Truststore operations. If

left unchecked, the Authentication Management and Truststore

Management nodes will not appear in the navigation tree.

ClientPermission

Permission to perform Client policy operations. If left unchecked, the

Client Configuration node will not appear in the navigation tree.

3. Enter a unique identifier for the role into the field ID and enter a description of the

role into field Name.

4. Check each of the options appropriate for the intended role and click Save.

6.4.3 Locked Files Management

This section details how to check if any Secure Login-specific system files have been

locked and, if necessary, unlock them (providing the necessary rights have been granted

to the administrator role – see section 6.4.2 on page 202).

Files are locked in the following scenarios:

- When multiple administrators try to configure Secure Login at the same time. When this happens one administrator will receive a message informing them to contact the specific administrator to unlock the file. This message may appear under several nodes.

- When a user closes the Internet browser window without clicking Logout first.

1. If you have not already done so, click the Locked Files Management node from the

tree in the left-hand pane.

2. The Locked Files Management page will appear:

Figure 6-84 Instance log management - main page/monthly log page

This page displays any files that have been locked. The following files may appear in

the list:

- Web.xml

- Configuration.properties

- Clientpolicy.xml

- Cert_template.xml

- Keystore.xml

- Role.xml

- User.xml

- Serverlist.xml

- SLSJaasModule.login

3. Select the file(s) that you want to unlock and click Release.


6.5 Other Administration Features

This section details Secure Login features to assist an administrator – without the need to

use the Administration Console.

The most useful function for an administrator is the ability to view the Server or Server

instance status in a quick manner. To this end, Secure Login can be queried via HTTP

POST (see next section) or HTTP GET (via a browser). The HTTP POST method returns

an XML formatted reply; HTTP GET can return both HTML and XML formats. The status

information returned via both methods is the same.

Contents

Section 6.5.1 „Status Query via an Internet Browser‟ on page 206

Section 6.5.2 „Secure Login Web Service Status Query‟ on page 209

Section 6.5.3 „XML Interface‟ on page 209

6.5.1 Status Query via an Internet Browser

This section details how to quickly retrieve the Server status via an Internet browser.

Parameters

The following parameters can be applied to obtain the Server status, or can be mixed to

retrieve the status of a specific Server/Server instance:

op = add an option

Possible values:

- status = retrieve the status of the default Server instance

- Serverstatus = retrieve the status of the Server (all other parameters will be ignored)

id = add a Server ID

Possible values:

- <InstanceIDs> = retrieve the status of a specific Server instance (use in combination with status)

xml = retrieve status information in XML format

Possible values:

- on (only for HTTP GET)

Example 1: Retrieve the Status of the Default Server Instance

Use the following example to quickly retrieve the status of the default Server instance:

http://<application Server Web-apps directory>/securelogin/PseServer?op=status

For example:

http://localhost:8080/securelogin/PseServer?op=status

Example 2: Retrieve the Status of a Specific Server Instance

Use the following example to quickly retrieve the status of a specific Server instance:

http://<application Server Web-apps directory>/securelogin/PseServer?op=status&id=0001

For example:

http://localhost:8080/securelogin/PseServer?op=status&id=0001

Example 3: Retrieve the Status of the Server

Use the following example to quickly retrieve the status of the Server:

http://<application Server Web-apps directory>/securelogin/PseServer?op=Serverstatus

For example:

http://localhost:8080/securelogin/PseServer?op=Serverstatus

Example 4: Retrieve Status Information

Use the following example to retrieve status information:

http://<application Server Web-apps directory>/securelogin/PseServer?<options>&<ServerID>

For example, to retrieve the status of a specific Server instance:


http://localhost:8080/securelogin/PseServer?op=status&id=0001

Example Reply

Figure 6-85 Direct Server query – Server instance query

6.5.2 Secure Login Web Service Status Query

Introduction

This section details, in brief, how to query the Secure Login Web Service for status and

available operations. This section applies only to Servers to which Secure Login, with the

Web service, has been deployed. For further information refer to chapter 5 on page 109.

The Web Service query will vary according to application Server:

- On Tomcat, the Secure Login Web Service is deployed to the Apache Axis2 Web-service provider and therefore it is Apache Axis2 that will be queried.

- On NetWeaver, the Secure Login Web Service can be queried directly.

Before proceeding, make sure that you have deployed the Secure Login Web Client

application to either Tomcat or NetWeaver and that the application Server has been started.

Web Service Query using Tomcat

To view the Web service status enter the following URL in your Internet browser:

To view the Axis2 main page:

http://<host:port>/axis2/axis2-Web/index.jsp

This page enables you to view any services deployed to Axis2 as well as to perform

any administration tasks and system checks.

To view the status of all running Web services:

http://<host:port>/axis2/services/listServices

To view the Web service directly:

http://<host:port>/axis2/services/secureloginservice?wsdl

Here is an example of the Axis2 Available services page:


Figure 6-86 Web Service – Axis2 available services

Click the secureloginservice link to view the status of the service in XML format.

Web Service Query using NetWeaver

Enter the following URL in your Internet browser to view the Web service status:

http://<host:port>/SecureLoginService/Config1?style=document

Apache Axis2 also has an administration front-end. It is available via the URL:

http://localhost:8080/axis2/axis2-admin/

This allows the upload (and hence the change) of Web Service Archives and the

activation/deactivation of deployed services.

The front-end is shipped with a default account: user=admin, password=axis2. This of

course, presents a security issue and therefore it is recommended that the Secure Login

administrator change the password of the AXIS2 admin front-end. This can be accomplished

as follows:

Open the axis2.xml file in the Server directory Webapps\axis2\WEB-INF\conf\ and

locate the following lines:

- <parameter name="userName">admin</parameter>

- <parameter name="password">axis2</parameter>

Change the userName and password values accordingly.
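A check for the shipped Axis2 admin credentials, added here as an example; it is not part of the manual and not Apache Axis2 code. It parses an axis2.xml document for the two <parameter> elements quoted above and reports whether the default admin/axis2 pair is still configured, so the check can run across many application Servers before the front-end is exposed. Both sample documents are constructed, and the "hardened" password is a placeholder, not a recommendation.

```python
"""Audit an Axis2 axis2.xml for the default admin front-end credentials.
Added example, not SECUDE or Apache code. The <parameter name="userName">
and <parameter name="password"> elements are the ones the manual quotes;
the two sample documents below are constructed."""
import xml.etree.ElementTree as ET

DEFAULT_USER = "admin"      # shipped default, as stated in the manual
DEFAULT_PASSWORD = "axis2"  # shipped default, as stated in the manual


def axis2_admin_credentials(xml_text):
    """Return (userName, password) from an axis2.xml document.
    A value is None when the corresponding <parameter> is absent."""
    root = ET.fromstring(xml_text)
    found = {"userName": None, "password": None}
    # Axis2 keeps these as <parameter name="..."> children of <axisconfig>;
    # iterate over all descendants so nesting or namespaces do not hide them.
    for param in root.iter():
        if param.tag.split("}")[-1] != "parameter":
            continue
        name = param.get("name")
        if name in found and found[name] is None:
            found[name] = (param.text or "").strip()
    return found["userName"], found["password"]


def audit_axis2_admin(xml_text):
    """Return a list of findings; an empty list means no issue was found."""
    user, password = axis2_admin_credentials(xml_text)
    findings = []
    if password is None:
        findings.append("no admin password parameter configured")
    elif password == DEFAULT_PASSWORD:
        findings.append("admin front-end still uses the shipped default password")
    if user == DEFAULT_USER and password == DEFAULT_PASSWORD:
        findings.append("default userName/password pair (admin/axis2) in use")
    return findings


# Constructed sample: the shipped defaults, as quoted in the manual.
SHIPPED_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
</axisconfig>"""

# Constructed sample: after the administrator changed the credentials
# (the password here is a placeholder, not a real secret).
HARDENED_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">slsadmin</parameter>
    <parameter name="password">PLACEHOLDER-change-me</parameter>
</axisconfig>"""

if __name__ == "__main__":
    for label, doc in (("shipped", SHIPPED_AXIS2_XML), ("hardened", HARDENED_AXIS2_XML)):
        print(label, audit_axis2_admin(doc) or ["ok"])
```

To audit a real installation, read the file the manual names (Webapps\axis2\WEB-INF\conf\axis2.xml) and pass its text to audit_axis2_admin(); any non-empty result should be fixed before the axis2-admin URL is reachable from the network.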


6.5.3 XML Interface

Introduction

In addition to the Administration Console, SECUDE Secure Login Server provides an XML

interface to automate monitoring using your own or a third-party program, e.g. to

incorporate monitoring into administrative tools.

SECUDE Secure Login Server has to be called with a specific request in XML format. The

Secure Login Server then returns an XML reply with the status information.

Contents

Section 6.5.3.1 „Status Request‟, on page 209

Section 6.5.3.2 „Status Reply‟, on page 209

6.5.3.1 Status Request

Request Format

<TransFairGram>

<Control>

<Version>Pepperbox 2.0.0</Version>

<ActionRequest>

STATUS_REQUEST_ACTION

</ActionRequest>

</Control>

</TransFairGram>

Use HTTP POST to Send a Status Request

To post a status request send the XML request to the address:

http://<Servlet URL>/securelogin/PseServer

Example

http://localhost:8080/securelogin/PseServer

6.5.3.2 Status Reply

Reply Format

<TransFairGram>

<Control>

<ActionRequest>STATUS_ACTION</ActionRequest>

<Version>Pepperbox 2.0.0</Version>

<ServerBuild>$Name: SLS_5-1-1-0 $</ServerBuild>

</Control>

<Content>

<Data>

<Status>

<ConfigURL>

file:C:/Program Files/Apache Software Foundation/Tomcat 6.0/Webapps/securelogin/WEB-INF/Instances/Configuration.properties

</ConfigURL>

<ConfigurationStatus>OK</ConfigurationStatus>

<Date>Mon Jan 28 12:02:54 CET 2010</Date>

<ID>Instance 00020</ID>

<LockFile/>

<LockStatus>false</LockStatus>

<PseServerStatus>OK</PseServerStatus>

<ServerBuild>SLS_5-1-1-0</ServerBuild>

</Status>

<Message>

The current Server status is enclosed with this transfairgram (only for diagnostic purpose)

</Message>

<MessageCode>0701</MessageCode>

</Data>

<DataType>application/xml</DataType>

</Content>

</TransFairGram>
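A small status monitor for the two query paths described in sections 6.5.1 and 6.5.3, added here as an example; it is not SECUDE code. It builds the HTTP GET query URL from the op / id / xml parameters, builds the TransFairGram status request for HTTP POST, parses a status reply into a dictionary and evaluates it against the field meanings from the Instance Status table (section 6.3.6). The reply it parses is the manual's own sample reply, embedded so the script runs offline; post_status_request() needs a running Server and is defined but not called. The locked variant of the reply is constructed, and the lock-file path in it is a placeholder.

```python
"""Status monitor for the Secure Login Server HTTP/XML status interfaces.
Added example, not SECUDE code. The GET parameters, the POST request body,
the PseServer URL and the sample reply are taken from the manual; the
LOCKED_REPLY variant and its lock-file path are constructed placeholders."""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

PSE_SERVER_URL = "http://localhost:8080/securelogin/PseServer"  # URL from the manual

# HTTP POST request body, as given in section 6.5.3.1.
STATUS_REQUEST = (
    "<TransFairGram><Control><Version>Pepperbox 2.0.0</Version>"
    "<ActionRequest>STATUS_REQUEST_ACTION</ActionRequest></Control></TransFairGram>"
)


def status_query_url(op="status", instance_id=None, xml=False, base=PSE_SERVER_URL):
    """Build the HTTP GET query from the op / id / xml parameters of section 6.5.1."""
    params = [("op", op)]
    if instance_id is not None and op == "status":  # id only applies with op=status
        params.append(("id", instance_id))
    if xml:
        params.append(("xml", "on"))
    return base + "?" + urllib.parse.urlencode(params)


def post_status_request(url=PSE_SERVER_URL, timeout=10):
    """POST the status request and return the reply body (needs a running Server)."""
    req = urllib.request.Request(url, data=STATUS_REQUEST.encode("utf-8"),
                                 headers={"Content-Type": "application/xml"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_status_reply(xml_text):
    """Flatten the <Status> children, the ActionRequest and the MessageCode into a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "TransFairGram":
        raise ValueError("not a TransFairGram reply")
    data = root.find("Content/Data")
    status_el = None if data is None else data.find("Status")
    if status_el is None:
        raise ValueError("reply carries no Content/Data/Status element")
    status = {child.tag: (child.text or "").strip() for child in status_el}
    status["ActionRequest"] = (root.findtext("Control/ActionRequest") or "").strip()
    status["MessageCode"] = (data.findtext("MessageCode") or "").strip()
    return status


def evaluate_status(status):
    """Return a list of problems (empty means healthy), using the meanings of the
    Instance Status fields: configuration readable, PSE Server alive, not locked."""
    problems = []
    if status.get("ActionRequest") != "STATUS_ACTION":
        problems.append("unexpected ActionRequest %r" % status.get("ActionRequest"))
    if status.get("ConfigurationStatus") != "OK":
        problems.append("configuration not readable: %r" % status.get("ConfigurationStatus"))
    if status.get("PseServerStatus") != "OK":
        problems.append("PSE Server not alive: %r" % status.get("PseServerStatus"))
    if status.get("LockStatus", "").lower() == "true":
        problems.append("instance %s is locked (lock file %r)"
                        % (status.get("ID"), status.get("LockFile")))
    return problems


# The manual's sample reply (section 6.5.3.2), with ConfigURL on one line.
SAMPLE_REPLY = """<TransFairGram>
<Control>
<ActionRequest>STATUS_ACTION</ActionRequest>
<Version>Pepperbox 2.0.0</Version>
<ServerBuild>$Name: SLS_5-1-1-0 $</ServerBuild>
</Control>
<Content>
<Data>
<Status>
<ConfigURL>file:C:/Program Files/Apache Software Foundation/Tomcat 6.0/Webapps/securelogin/WEB-INF/Instances/Configuration.properties</ConfigURL>
<ConfigurationStatus>OK</ConfigurationStatus>
<Date>Mon Jan 28 12:02:54 CET 2010</Date>
<ID>Instance 00020</ID>
<LockFile/>
<LockStatus>false</LockStatus>
<PseServerStatus>OK</PseServerStatus>
<ServerBuild>SLS_5-1-1-0</ServerBuild>
</Status>
<Message>The current Server status is enclosed with this transfairgram (only for diagnostic purpose)</Message>
<MessageCode>0701</MessageCode>
</Data>
<DataType>application/xml</DataType>
</Content>
</TransFairGram>"""

# Constructed variant: the same instance, but locked (placeholder lock-file path).
LOCKED_REPLY = SAMPLE_REPLY.replace(
    "<LockStatus>false</LockStatus>", "<LockStatus>true</LockStatus>").replace(
    "<LockFile/>", "<LockFile>/placeholder/path/Instances/lockfile</LockFile>")

if __name__ == "__main__":
    print(status_query_url("status", "0001"))
    for reply in (SAMPLE_REPLY, LOCKED_REPLY):
        st = parse_status_reply(reply)
        print(st["ID"], st["ServerBuild"], evaluate_status(st) or "healthy")
```

In a monitoring job, replace the embedded reply with the text returned by post_status_request() and treat a non-empty result from evaluate_status() as an alert; a locked instance is the case section 7.9 of the manual deals with, and this check reports it before users notice failed logons.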


7 Troubleshooting

Introduction

This chapter describes the SECUDE Secure Login Server features for logging and error

recovery.

Sections in this Chapter

Section 7.1 „How to use Unlimited Key Length Policies‟, on page 212

Section 7.2 „Log Files‟ on page 213

Section 7.3 „Turning Tracing On/Off‟, on page 215

Section 7.4 „SECUDE Secure Login Server Lock and Unlock‟, on page 216

Section 7.5 „Setting the Correct Environment Variables for SAP ID-Based Logon‟ on page 217

Section 7.6 „Problems with the Client URL‟ on page 218

Section 7.7 „Implement an SSL.PSE-Based TrustStore for HTTPS‟ on page 218

Section 7.8 „Access Denied‟ Replies‟ on page 219

Section 7.9 „Why the Secure Login Instance/Server is Locked‟ on page 219

Section 7.10 „Password Expiry Warnings on Sun LDAP (1)‟ on page 220

Section 7.11 „Password Expiry Warnings on Sun LDAP (2)‟ on page 220

Section 7.12 „Secure Login Server Cannot Establish an SNC Connection to the SAP

Server‟ on page 221

Section 7.13 „Administration Console Pages Appear „broken‟‟ on page 221

Section 7.14 „Problem Loading the GSS Library (SAP-ID Module)‟ on page 222

Section 7.16 „Users Cannot be Successfully Authenticated to any JAAS Module‟ on page 227


7.1 How to use Unlimited Key Length Policies

This section details how to solve any problems with key length restrictions for several

algorithms.

Problem

The creation of PKCS#12 files using passwords longer than 7 characters is not possible

in the Administration Console.

Solution

The standard JCE settings restrict the key length for several algorithms. Follow these

steps to disable the restrictions:

1. Browse to the Java lib\security sub-directory (for example: <Java home>\jdk1.5.0_08\jre\lib\security)

2. Locate the files local_policy.jar and US_export_policy.jar.

3. Make duplicates of both files and give them the file extension *.bak (this means

that you can return to the original files if you need to).

4. Delete local_policy.jar.

5. Duplicate US_export_policy.jar and rename it to local_policy.jar.

To check that both the files US_export_policy.jar and local_policy.jar are

unrestricted, unzip them and open the file default_US_export.policy in a text editor.

If the following text is displayed the check is successful and the policies are unrestricted:

// Manufacturing policy file.

grant {

// There is no restriction to any algorithms.

permission javax.crypto.CryptoAllPermission;

};

If the JCE files local_policy.jar and US_export_policy.jar are not present

in the directory jre\lib\security, download the ‘Java Cryptography Extension (JCE)

Unlimited Strength Jurisdiction Policy Files’ from one of the following locations

(depending on which Java version you use):

http://java.sun.com/javase/downloads/index_jdk5.jsp (for Java 5)

http://java.sun.com/javase/downloads/index.jsp (for Java 6)

(These will work for all JCE versions.)

Extract the contents of the ZIP file to the Java lib\security directory (for example

<Java home>\jre\lib\security). These files already have necessary

permissions.
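The check in the procedure above (unzip the policy jar, open its .policy file, look for javax.crypto.CryptoAllPermission) done in a script, added here as an example; it is not SECUDE, Sun or Oracle code. It inspects every .policy entry inside a jar, ignores commented-out permissions, and can be pointed at a real jre\lib\security directory with check_security_dir(), which also reports the case where the jars are missing. The unrestricted policy text is the one quoted above; the limited-strength policy text is a constructed sample, and both jars are built in memory.

```python
"""Check whether JCE jurisdiction policy jars are unrestricted, the way the
procedure above does by hand. Added example, not SECUDE or Sun/Oracle code.
The unrestricted policy text is quoted from the manual; the limited policy
text and the in-memory jars are constructed test data."""
import io
import os
import re
import zipfile


def policy_text_is_unrestricted(policy_text):
    """True if a .policy text grants javax.crypto.CryptoAllPermission outside a comment."""
    # Strip /* */ and // comments first so a commented-out permission does not count.
    no_block = re.sub(r"/\*.*?\*/", "", policy_text, flags=re.S)
    no_comments = re.sub(r"//[^\n]*", "", no_block)
    for body in re.findall(r"grant\s*\{(.*?)\}\s*;", no_comments, flags=re.S):
        for stmt in body.split(";"):
            stmt = stmt.strip()
            if stmt.startswith("permission") and "javax.crypto.CryptoAllPermission" in stmt:
                return True
    return False


def jar_is_unrestricted(jar_bytes):
    """Check every *.policy entry in a policy jar.
    Returns (all_unrestricted, {entry_name: bool}); a jar without a .policy entry fails."""
    checked = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".policy"):
                text = jar.read(name).decode("utf-8", "replace")
                checked[name] = policy_text_is_unrestricted(text)
    return bool(checked) and all(checked.values()), checked


def check_security_dir(security_dir):
    """Check both jars in a real <Java home>\\jre\\lib\\security directory.
    None means the jar is missing (install the unlimited-strength policy files)."""
    results = {}
    for jar_name in ("local_policy.jar", "US_export_policy.jar"):
        path = os.path.join(security_dir, jar_name)
        if not os.path.isfile(path):
            results[jar_name] = None
            continue
        with open(path, "rb") as fh:
            results[jar_name] = jar_is_unrestricted(fh.read())[0]
    return results


def build_jar(entries):
    """Construct an in-memory jar from {entry_name: text} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, text in entries.items():
            jar.writestr(name, text)
    return buf.getvalue()


# The unrestricted policy text quoted in the procedure above.
UNLIMITED_POLICY = """// Manufacturing policy file.
grant {
    // There is no restriction to any algorithms.
    permission javax.crypto.CryptoAllPermission;
};
"""

# Constructed sample of a limited-strength default_local.policy: per-algorithm
# key-size limits and no CryptoAllPermission (the commented line must not count).
LIMITED_POLICY = """// Some countries have import limits on crypto strength.
grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RC2", 128, "javax.crypto.spec.RC2ParameterSpec", 128;
    permission javax.crypto.CryptoPermission *, 128;
    // permission javax.crypto.CryptoAllPermission;
};
"""

if __name__ == "__main__":
    print(jar_is_unrestricted(build_jar({"default_US_export.policy": UNLIMITED_POLICY})))
    print(jar_is_unrestricted(build_jar({"default_local.policy": LIMITED_POLICY})))
```

Run check_security_dir() against the JRE the application Server actually starts with; a result of False for local_policy.jar is the cause of the PKCS#12 password-length problem this section describes, and None means the jars were never installed.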


7.2 Log Files

Introduction

For the SECUDE Secure Login Server, log files for daily and monthly logging are created.

The location and log file names can be specified using one of these methods:

Manually in the SECUDE Secure Login Server configuration properties (see section 9.2.3
"Configuration" on page 248).

Via the Administration Console (see section 6.3.4 "Instance Log Management" on page
177).

Contents

Section 7.2.1 "Daily Log File", on page 213

Section 7.2.2 "Monthly Log File", on page 215

7.2.1 Daily Log File

Introduction

The daily log file has an entry for each transaction. An entry contains the following

information (if available):

Time and date of the transaction

ID of the Client

Instance ID

IP address and DNS entry as sent by the Client

Client IP address and DNS entry as seen by the Server

Name of the user making the request

Action code of the request

Result of the transaction

Result Codes

The following table describes the possible result codes in alphabetical order:

Result Code                    Details
ACE_INVALID_ARG                Invalid PIN
ACE_UNDEFINED_NEXT_PASSCODE    Empty or invalid token code
ACE_UNDEFINED_PASSCODE         Empty or invalid password
ACE_UNDEFINED_USERNAME         Empty or invalid user name
ACM_ACCESS_DENIED              Authentication failed
ACM_NEW_PIN_ACCEPTED           New PIN accepted
ACM_NEW_PIN_REJECTED           New PIN not accepted
ACM_NEW_PIN_REQUIRED           User needs a new PIN
ACM_NEXT_CODE_REQUIRED         Next token code required to continue authentication
ACM_OK                         User could be authenticated
INTERNAL_SERVER_ERROR          Server error (followed by an error description)
INVALID_MESSAGE_FORMAT         Invalid or incomplete Client message (followed by an
                               error description)
OK                             Transaction successful

Sample Daily Log File

08/15/2008, 11:47:34 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser1, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 11:47:42 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser2, action: AUTH_ACTION, result: ACM_OK, instance: -Default-
08/15/2008, 11:49:17 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser1, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 11:49:29 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser7, action: AUTH_ACTION, result: ACM_OK, instance: -Default-
08/15/2008, 11:50:43 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser2, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 11:50:51 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser5, action: AUTH_ACTION, result: ACM_OK, instance: -Default-
08/15/2008, 14:30:06 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser2, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 14:30:14 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser5, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:30:18 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser5, action: AUTH_ACTION, result: ACM_NEW_PIN_REQUIRED, instance: -Default-
08/15/2008, 14:30:32 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser5, action: NEW_PIN_ACTION, result: ACM_NEW_PIN_REJECTED, instance: -Default-
08/15/2008, 14:33:41 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser3, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 14:33:50 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser2, action: AUTH_ACTION, result: ACM_NEW_PIN_REQUIRED, instance: -Default-
08/15/2008, 14:33:56 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser2, action: NEW_PIN_ACTION, result: ACM_NEW_PIN_ACCEPTED, instance: -Default-
08/15/2008, 14:41:57 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser1, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 14:42:41 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:42:46 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:42:51 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
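The entry layout above is regular enough to parse, and the fields it carries (the IP address as sent by the Client next to the address as seen by the Server, and one result code per AUTH_ACTION) support two checks a security operations team would want to run over the daily log. The Python script below is an added example, not part of the SECUDE manual or product: it parses entries in the format shown, flags users with repeated ACM_ACCESS_DENIED results inside a short window, and flags entries where the Client-reported address differs from the one the Server observed. The embedded sample is constructed from lines of the manual's sample log plus one made-up line (10.49.7.99) that exercises the address check; the 60-second window and the threshold of 3 failures are assumptions.

```python
"""Parse SECUDE Secure Login daily log entries and flag suspicious patterns.

Added example, not part of the SECUDE manual. It parses the entry format
shown in section 7.2.1 and implements two checks:
  * repeated ACM_ACCESS_DENIED results for one user inside a short window
    (token/PIN guessing), and
  * a Client-reported IP that differs from the address the Server saw
    (the log records both, so a spoofed or NATed client stands out).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

_ENTRY = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}), (?P<time>\d{2}:\d{2}:\d{2}) \((?P<tz>[^)]+)\), "
    r"Client: (?P<client>[^,]+), (?P<claimed_host>[^/]+)/\s*(?P<claimed_ip>[^,]+), "
    r"seen as: (?P<seen_host>[^/]+)/(?P<seen_ip>[^,]+), "
    r"user: (?P<user>[^,]+), action: (?P<action>[^,]+), "
    r"result: (?P<result>[^,]+), instance: (?P<instance>.+)$")


def parse_entry(line: str) -> Optional[Dict[str, object]]:
    """Return a dict for one daily-log line, or None if it does not match."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {k: v.strip() for k, v in m.groupdict().items()}
    # Local time with a zone label; kept naive, which is enough for ordering.
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%m/%d/%Y %H:%M:%S")
    rec["instance"] = str(rec["instance"]).replace(" ", "")  # "- Default-" -> "-Default-"
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse all lines, skipping ones that are not log entries."""
    return [r for r in (parse_entry(l) for l in text.splitlines()) if r]


def denied_bursts(entries, threshold: int = 3,
                  window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Users with >= threshold ACM_ACCESS_DENIED results inside `window`.

    Returns {user: failures in the worst window}. A sliding window over the
    sorted failure times is used, so log ordering does not matter.
    """
    failures = defaultdict(list)
    for e in entries:
        if e["action"] == "AUTH_ACTION" and e["result"] == "ACM_ACCESS_DENIED":
            failures[e["user"]].append(e["ts"])
    hits = {}
    for user, times in failures.items():
        times.sort()
        start, worst = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            hits[user] = worst
    return hits


def address_mismatches(entries) -> List[Dict[str, object]]:
    """Entries whose Client-claimed IP differs from the IP the Server saw."""
    return [e for e in entries if e["claimed_ip"] != e["seen_ip"]]


# Constructed sample: lines taken from the manual's sample daily log plus one
# made-up entry (seen as 10.49.7.99) to exercise the address-mismatch check.
SAMPLE_LOG = """\
08/15/2008, 11:47:34 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser1, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 11:47:42 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser2, action: AUTH_ACTION, result: ACM_OK, instance: -Default-
08/15/2008, 14:30:14 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser5, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: - Default-
08/15/2008, 14:42:41 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:42:46 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:42:51 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:50:03 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.99/10.49.7.99, user: testuser1, action: AUTH_ACTION, result: ACM_OK, instance: -Default-
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("denied bursts:", denied_bursts(recs))
    for e in address_mismatches(recs):
        print("address mismatch:", e["user"], e["claimed_ip"], "!=", e["seen_ip"])
```

On the sample, testuser6 is reported with three failures inside ten seconds, while testuser5's single failure followed by ACM_NEW_PIN_REQUIRED is not; a real deployment would feed the previous day's file through parse_log and forward the two result lists to the SIEM.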


7.2.2 Monthly Log File

Introduction

Monthly log files contain system events and errors. An entry contains the following
information:

Time and date of the event or error

Event or error code (see section 8 "Error and Return Codes" on page 231)

Error level

Description of the event or error

Instance ID

Error Levels

The following table describes the possible error levels in alphabetical order:

Error Level    Details
ERR            Fatal error
INF            Information
WAR            Warning

Sample Monthly Log File

08/15/2008, 13:15:40 (CEST), PSE_STARTUP, INF, "Standard servlet startup." -Default-
08/15/2008, 13:16:39 (CEST), INVALID_MESSAGE_FORMAT, ERR, "Received NEW_PIN_ACTION while not in challenge mode." -Default-
08/15/2008, 14:00:37 (CEST), INVALID_MESSAGE_FORMAT, ERR, "Received NEW_PIN_ACTION while not in challenge mode." -Default-
08/15/2008, 14:20:24 (CEST), PSE_SHUTDOWN, INF, "Standard servlet shutdown." -Unknown-
08/15/2008, 14:21:21 (CEST), PSE_STARTUP, INF, "Standard servlet startup." -Default-
08/15/2008, 14:22:25 (CEST), INVALID_MESSAGE_FORMAT, ERR, "Received NEW_PIN_ACTION while not in challenge mode." -Default-
08/15/2008, 14:23:05 (CEST), INVALID_MESSAGE_FORMAT, ERR, "Received NEW_PIN_ACTION while not in challenge mode." -Default-
08/15/2008, 14:56:40 (CEST), PSE_SHUTDOWN, INF, "Standard servlet shutdown." -Default-
08/15/2008, 16:12:46 (CEST), PSE_STARTUP, INF, "Standard servlet startup." -Default-
08/15/2008, 16:14:49 (CEST), PSE_STARTUP, INF, "Admin servlet startup." -Default-
08/15/2008, 16:14:50 (CEST), JAAS_LDAP_ERROR, ERR, "Could not reach the Authentication Servers." -Default-
08/15/2008, 16:14:51 (CEST), JAAS_LDAP_ERROR, ERR, "Could not reach the Authentication Servers." -Default-
08/16/2008, 16:14:51 (CEST), JAAS_LDAP_ERROR, ERR, "Could not reach the Authentication Servers." -Default-
08/16/2008, 16:24:16 (CEST), PSE_SHUTDOWN, INF, "Admin servlet shutdown." -Default-
08/16/2008, 16:24:16 (CEST), PSE_SHUTDOWN, INF, "Standard servlet shutdown." -Default-
08/17/2007, 17:47:09 (CEST), PSE_STARTUP, INF, "Standard servlet startup." -Default-
08/17/2007, 17:47:25 (CEST), CERT_CREATE_ERROR, WAR, "No certificate chain found in key store." -Default-
08/17/2007, 17:47:25 (CEST), CERT_CREATE_ERROR, WAR, "No root certificate found in key store." -Default-
08/18/2007, 14:32:36 (CEST), PSE_SHUTDOWN, INF, "Standard servlet shutdown." -Default-
08/18/2007, 15:14:54 (CEST), PSE_STARTUP, INF, "Standard servlet startup." -Default-

7.3 Turning Tracing On/Off

Introduction

This section details how to enable and disable trace messages.


The trace options can be changed via the Administration Console (see section 6.1.3
"Server Configuration" on page 124).

Turn Tracing On

1. In the Server Configuration page of the Administration Console click Edit.

2. Under the option Show trace on the console select Yes.

3. Click Save.

Turn Tracing Off

1. In the Server Configuration page of the Administration Console click Edit.

2. Under the option Show trace on the console select No.

3. Click Save.

SECUDE Secure Login Server can generate a large amount of trace output. For test systems,

it is recommended to enable tracing. For production systems it is recommended to disable

tracing as this might result in unnecessary log files and impede performance.

7.4 SECUDE Secure Login Server Lock and Unlock

Introduction

The SECUDE Secure Login Server locks itself when it detects a serious problem such as

Authentication Server failure that affects all Clients.

Lock Files

SECUDE Secure Login uses the following files to lock the Server/Server instance:

PseServer.lock

This file is used to lock the complete Server. The Server lock is only applied if
the Configuration.properties file cannot be read. The LockDir property in
the web.xml file is used to apply the Server lock.

<Server Instance>.lock

If the Configuration.properties file can be read by Secure Login and a lock
becomes necessary, Secure Login creates an instance-based lock. The directory for
the instance-based lock is specified by the property LockDir in
Configuration.properties, with LockDir in web.xml as a fallback.

The filename of the instance lock file is built from the following parameters
(example):

- LOCK_FILE_PREFIX = "PseInstance";

- LOCK_FILE_SUFFIX = ".lock";

Two lock files are created from these parameters: a 'normal' lock file that includes
the instance ID and a fallback lock file, for example:

- PseInstance001.lock

- PseInstanceDefault.lock

What happens when the Server Locks?

If a SECUDE Secure Login Server lock occurs:

The lock file PseServer.lock / <ServerInstance>.lock is created (it also contains
the time of its creation). The location of the lock file can be configured in the web.xml
file via the LockDir parameter.

The SECUDE Secure Login Server responds to SECUDE Secure Login Client requests with
the HTTP status code 404. This indicates that the Server is not available.

The Client fails over to the next Server/instance in the Server list.

The Administration Console Status page contains an entry that indicates that the Server
is locked (see section 7.9 on page 219).

Unlock the Server

Use the unlock functionality of the Administration Console (see section 6.1 on page 119).
It is not necessary to shut down the Server to perform this task.


7.5 Setting the Correct Environment Variables for SAP ID-Based Logon

Introduction

The information in this section applies to SAP ID-based logon only. The variables USER,

HOME or CREDDIR have no relevance - in terms of environment variables - for SECUDE

Secure Login Server 5.0.

Furthermore, NetWeaver Application Server Java (regardless of platform) is precluded

because the environment variables described below are exclusively for SAP JCO. In any

case, with NetWeaver the JCO libraries are already available system-wide (i.e. for Windows

this means that the JCO libraries sapjcorfc.dll and librfc32.dll are located in

the directory windows\system32).

If JCO has been manually set as a system-wide variable (not via the Secure Login

Administration Console), this will also bypass all Secure Login components. The

environment variables are no longer needed (i.e. there will then be no need to perform the

steps in this section).

Variables

For SECUDE signon&secure to make a successful SNC connection for SAP ID-based

authentication, the correct credentials/variables are needed. According to platform these

are:

Linux+Solaris: LD_LIBRARY_PATH

Windows: PATH

Both of these should point to the SSS (Signon&Secure) directory within the Secure Login

Web application. They should be set either system-wide or in the start script of the

Application Server/Container Engine.

Follow these steps to set the correct environment variables for SECUDE Signon&Secure

(according to platform):

Linux/Solaris

1. Enter the following syntax in a command shell (or in the start script of the
Application Server) to set the parameter for the variable LD_LIBRARY_PATH:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/lib/tomcat5/webapps/securelogin/WEB-INF/SSS

2. To check if it was successful, open the Administration Console and navigate to the
node Server Configuration>System Check. Under the SAP ID Check header the
SECUDE SNC runtime entry should read as OK.

Windows

Using Tomcat 5.x as an example, enter the following syntax in a command shell to set the
parameter for the variable PATH:

set PATH=%PATH%;<Tomcat home>\webapps\securelogin\WEB-INF\SSS

As an alternative you can use the following method to set the variable permanently:

1. Open Control Panel>System.

2. Click the Advanced tab.

3. Click Environment Variables.

4. Under the System Variables heading select PATH and click Edit (creating a new
variable named PATH would replace the existing value).

5. Append ;<application Server Web-app directory>\securelogin\WEB-INF\SSS to the
Variable Value field.

For example: ;<Tomcat home>\webapps\securelogin\WEB-INF\SSS

6. Click OK.

7. If the application Server is running, restart it.

8. To check if it was successful, open the Administration Console and navigate to the

node Server Configuration>System Check. Under the SAP ID Check header the

SECUDE SNC runtime entry should read as OK.


7.6 Problems with the Client URL

Problem

The URL entered by the Client returns the error Internal Server Error. This error
message is expected: it indicates an invalid Server instance (in a multiple instance
environment) or another Server problem.

Solution

First check that the Secure Login URL points to the correct Server instance. It is
likely that the instance referred to in the URL is invalid.

For example: http://myServer.local/securelogin/PseServer?id=0001

For details about how to alter the URL see section 6.3.3.2 on page 187.

7.7 Implement an SSL.PSE-Based TrustStore for HTTPS

Problem

You want to use an SSL.PSE-based TrustStore for HTTPS instead of the Microsoft CAPI

TrustStore.

Prerequisites

Knowledge of the SECUDE shell (secude.exe). The secude.exe is available only as part

of the Signon&Secure package. For further information contact SECUDE support.

Make sure that you have already performed the procedure on the certificate before

starting the solution below:

1. Import the root certificate using the Administration Console as a *.crt file. The

certificate will be stored in a PEM-encoded format.

2. Open the file in an editor and remove the first and last line of the file:

-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

respectively. Save the file.

3. Open a SECUDE shell and enter the following command to convert the base64

encoded contents of the file into a binary file:

secude decode <path where the file is located>\ROOT_CA.crt root.der
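Steps 2 and 3 above are a plain PEM-to-DER conversion: strip the armour lines and base64-decode what remains. The Python script below is an added example, not part of the SECUDE manual, that performs the same conversion programmatically and verifies that the result starts with the DER SEQUENCE tag (0x30) before anything is imported into the PSE; unlike the manual steps it also copes with files that carry several certificate blocks. The embedded sample is a constructed minimal DER structure wrapped in PEM armour, not a real certificate. The SECUDE shell is still needed for the PSE steps that follow.

```python
"""Convert a PEM-encoded root certificate (as exported by the Administration
Console) into the binary DER file that the SECUDE shell imports.

Added example, not part of the SECUDE manual: equivalent to removing the
BEGIN/END lines by hand and running `secude decode`, plus a sanity check
that the decoded bytes are a DER SEQUENCE, which every X.509 certificate is.
"""
import base64
import binascii
import re
from typing import List

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL)


def pem_to_der_blocks(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block in `pem_text`.

    Raises ValueError if no block is present, the base64 is malformed, or
    the decoded data does not start with the DER SEQUENCE tag 0x30.
    """
    bodies = _PEM_BLOCK.findall(pem_text)
    if not bodies:
        raise ValueError("no -----BEGIN CERTIFICATE----- block found")
    out = []
    for body in bodies:
        compact = re.sub(r"\s+", "", body)          # tolerate CRLF and indentation
        try:
            der = base64.b64decode(compact, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"malformed base64 in certificate block: {exc}") from exc
        if not der or der[0] != 0x30:
            raise ValueError("decoded data is not a DER SEQUENCE; not a certificate")
        out.append(der)
    return out


def convert_file(pem_path: str, der_path: str) -> int:
    """Write the first certificate of `pem_path` as DER; return its length."""
    with open(pem_path, "r", encoding="ascii") as fh:
        der = pem_to_der_blocks(fh.read())[0]
    with open(der_path, "wb") as fh:
        fh.write(der)
    return len(der)


# Constructed fixture: a minimal DER SEQUENCE { INTEGER 5 }, NOT a real
# certificate, wrapped in PEM armour so the conversion can be exercised offline.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    import sys
    # Usage: python pem2der.py ROOT_CA.crt root.der
    if len(sys.argv) == 3:
        print(f"wrote {convert_file(sys.argv[1], sys.argv[2])} DER bytes")
    else:
        print(pem_to_der_blocks(SAMPLE_PEM)[0].hex())
```

The resulting root.der is the file imported with "import xxx <path>\root.der" in the PSE steps below.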

Solution

Follow these steps to enable an SSL.PSE-based TrustStore for HTTPS:

1. Create a PSE (Personal Security Environment) and name it ssl.pse. To do this,

open a SECUDE shell and enter the following command:

secude psecrt –p ssl.pse "CN=dummy"

The Dname (Distinguished Name) used for this is irrelevant. The example here uses

CN=dummy. Enter the PIN 1234 twice (this value is mandatory). After a short period

of time the PSE file ssl.pse will be generated and saved to your Signon&Secure

directory.

2. The resulting PSE must be changed by importing the root certificate and making it
the PKRoot. Enter the following commands in the SECUDE shell (press Return after
each line and replace the placeholders in angle brackets and the alias xxx as
described below):

> secude psemaint -p ssl.pse

<Enter the PIN>

> import xxx <path where the file is located>\root.der

> cert2pkroot xxx PKRoot

> yes (to overwrite the old PKRoot)

> delete xxx

> q

The first command opens the SECUDE shell in which the other commands are entered.
The xxx is an alias; replace it with a name of your choice. The command q closes
the shell.

3. Copy the ssl.pse file to the Secure Login Client in the directory:

C:\Program Files\SECUDE\OfficeSecurity\.

This file can be distributed with the Secure Login Client installation, via the
customer folder.

4. Open the Windows Registry Editor and create the following registry key (REG_DWORD):

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\SecureLogin\System]

"useSslPse"=dword:00000001

5. Restart the SECUDE securelogin COM Service (the Microsoft ADS profile will

be missing) or reboot the computer.

7.8 'Access Denied' Replies

Problem

The Secure Login Server returns a large number of "access denied" replies to the
Secure Login Client during heavy load.

Target OS

Windows Server

Explanation

After a TCP/IP connection has been used and closed, the OS keeps the socket in the
TIME_WAIT state for some time before releasing it for reuse. Under heavy load the
supply of reusable sockets runs out. This means that the parameter TcpTimedWaitDelay,
which controls that waiting time, is set too high and must be lowered. For further
information refer to the following Microsoft page:
http://technet2.microsoft.com/windowsServer/en/library/38b8bf76-b7d3-473c-84e8-e657c0c619d11033.mspx

Solution

Open regedit and locate the parameter TcpTimedWaitDelay (REG_DWORD, value in
seconds) under:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Set the value of TcpTimedWaitDelay to 30 (seconds).

7.9 Why the Secure Login Instance/Server is Locked

Problem

The Secure Login instance/Server is locked.

Target OS

All

Explanation/

Solution

The Server may be locked because:

The configuration.properties file cannot be read. Solution: Check the
integrity and path of the configuration.properties file.

The parameter LockServerOnEventLogFailure is set to true and:

- the hard disk is full. Solution: Increase the hard disk capacity/delete
unnecessary files.

- the file permissions are incorrect. Solution: Check the file permissions of the
user under which the Secure Login Server processes run.

- the log folder does not exist. Solution: Re-define/check the log settings in the
Administration Console (section 6.3.4.2 on page 195).

The Server instance may be locked because:

The ArchivingDir property is set to a non-existent directory.
Solution: Check the log settings in the Administration Console (section 6.3.4.2 on
page 195).

The user CA PSE cannot be opened by the Secure Login Server. Solution: Check the
validity and integrity of the certificate authority PSE file.

The configuration.properties file cannot be read. Solution: Check the
integrity and path of the configuration.properties file.

The parameter LockInstanceOnTransactionLogFailure is set to true and:

- the hard disk is full. Solution: Increase the hard disk capacity/delete
unnecessary files.

- the file permissions are incorrect. Solution: Check the file permissions of the
user under which the Secure Login Server processes run.

- the log folder does not exist. Solution: Re-define/check the log settings in the
Administration Console (section 6.3.4.2 on page 195).

Under heavy load the Server may lock because the user running it has a limit on the
maximum number of files that can be open at the same time.

Solution: Check the Secure Login Server event log for a java_io_file_exception
stating "too many open files". If present, Secure Login was not allowed to open log
files for writing, which resulted in the lock state. Raise the open-file limit of the
user that starts/owns the Secure Login Server process above the system default (on
Linux, for example, the nofile entry in /etc/security/limits.conf).
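The lock causes listed above can all be checked before the Server is started. The Python script below is an added example, not part of the SECUDE manual or product, that runs those checks for the log and archiving directories: folder present, files can actually be created there by the user running the check, free space above a threshold, and (on Unix) a soft open-file limit that is not too low. The property names LogDir and ArchivingDir, the 50 MiB free-space threshold and the 1024 open-file threshold are assumptions for this example; adapt them to the properties in your Configuration.properties.

```python
"""Pre-flight check for the lock conditions of section 7.9.

Added example, not part of the SECUDE manual. Run it as the user that starts
the Secure Login Server, because the permission checks depend on that user.
Property names and thresholds below are assumptions for this example.
"""
import os
import shutil
import tempfile
from typing import Dict, List

MIN_FREE_BYTES = 50 * 1024 * 1024    # assumed threshold: warn below 50 MiB free
MIN_OPEN_FILES = 1024                # assumed threshold for the soft nofile limit
DIR_PROPERTIES = ("LogDir", "ArchivingDir")   # assumed property names


def check_directory(label: str, path: str, min_free: int = MIN_FREE_BYTES) -> List[str]:
    """Return human-readable findings for one directory; an empty list means OK."""
    findings = []
    if not os.path.isdir(path):
        findings.append(f"{label}: folder does not exist: {path}")
        return findings                       # nothing else can be checked
    if not os.access(path, os.W_OK):
        findings.append(f"{label}: not writable by the current user: {path}")
    # Prove that a file can really be created, which is what the logger needs;
    # os.access alone misses ACLs and read-only mounts.
    try:
        fd, probe = tempfile.mkstemp(prefix=".sls-probe-", dir=path)
        os.close(fd)
        os.unlink(probe)
    except OSError as exc:
        findings.append(f"{label}: cannot create files in {path}: {exc}")
    free = shutil.disk_usage(path).free
    if free < min_free:
        findings.append(f"{label}: only {free} bytes free on {path}")
    return findings


def check_open_file_limit(minimum: int = MIN_OPEN_FILES) -> List[str]:
    """Flag a soft RLIMIT_NOFILE below `minimum` (Unix only; no-op elsewhere)."""
    try:
        import resource
    except ImportError:                       # Windows has no resource module
        return []
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if soft != resource.RLIM_INFINITY and soft < minimum:
        return [f"open-file limit {soft} is below {minimum}; raise nofile in limits.conf"]
    return []


def preflight(config: Dict[str, str]) -> List[str]:
    """Run every check for the directory properties present in `config`."""
    findings = []
    for key in DIR_PROPERTIES:
        if key in config:
            findings.extend(check_directory(key, config[key]))
    findings.extend(check_open_file_limit())
    return findings


def demo_findings() -> Dict[str, List[str]]:
    """Exercise the checks on a fresh temp dir and on a missing dir (fixture)."""
    with tempfile.TemporaryDirectory() as good:
        return {
            "good": check_directory("LogDir", good, min_free=1),
            "missing": check_directory("ArchivingDir", os.path.join(good, "missing")),
        }


if __name__ == "__main__":
    import sys
    # Usage: python sls_preflight.py LogDir=/var/log/sls ArchivingDir=/var/log/sls/archive
    cfg = dict(arg.split("=", 1) for arg in sys.argv[1:])
    for line in preflight(cfg) or ["no lock conditions detected"]:
        print(line)
```

An empty result does not prove the Server will not lock (a PSE that cannot be opened is not covered here), but each finding maps directly to one of the causes above.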

7.10 Password Expiry Warnings on Sun LDAP (1)

Problem

Password expiration warning is shown regardless of password policy setting on Sun LDAP.

Affected Systems

Sun ONE Directory Server v5.2

Sun Java System Directory Server v5.2

Sun Java System Directory Server v6.0

Explanation

When the LDAP attribute passwordExpirationTime was set (for example, via a
password policy that was later removed), the attribute still exists and causes
useless expiry messages in the Secure Login Client, such as:

"Attention: Your password will expire on 12.07.2004" (expiry date in the past)

Solution

This is a problem caused by the directory Server and not by Secure Login Server. Please

refer to the Sun Directory Server release notes for details.

7.11 Password Expiry Warnings on Sun LDAP (2)

Problem

A password expiry message is displayed on the Secure Login Client, even though Sun ONE

LDAP is configured so that the password does not expire.

Affected Systems

Sun ONE Directory Server v5.2

Sun Java System Directory Server v5.2

Sun Java System Directory Server v6.0

Explanation

This is a Sun ONE password policy problem, caused by an enabled password policy No5.

Solution

Please refer to the Sun ONE Directory Server release notes for details.


7.12 Secure Login Server Cannot Establish an SNC Connection to the SAP Server

Problem

The Secure Login Server cannot establish an SNC connection to the SAP Server.

Affected Systems

-

Explanation/Solution

Possible causes are:

The Secure Login Server SNC PSE is not valid: there will be no working SNC connection
(the JCO trace reads only "SNC connection cannot be established, empty answer").

The credentials cannot be found: there will be no working SNC connection (the JCO trace
says only "No credentials supplied").

The Ticket.snc file cannot be found: if the ticket is not installed correctly or cannot be
found by the SECUDE signon&secure/SECUDE library, no error log output may appear at
all; connections to the backend simply stop. If Tomcat is used as the container engine,
the Tomcat process may even be terminated when the ticket cannot be found but SAP-ID
logon is used.

The SNC name of the Server is incorrect: in the SAP Logon Client software the Server SNC
name is equal to the SNCServerName parameter of the Secure Login Server SAP-ID
module. This parameter value must correspond with the DN of the PSE on the SAP
Server.

The SNC names of users are incorrect: the SNC name of SAP users (see SAP transaction
SU01) must correspond with the DN of the user certificates issued by the Secure Login
Server.

- The user for the SLS (e.g., SLSSNC) must also have an SNC name that
corresponds with the DN in SLSSNC's PSE (this PSE can be generated in the
Administration Console; it is called the JCO PSE and is used by Secure Login
Server for the SNC connection to the SAP Server).

A valid SNC Server connection requires a valid PSE from the Server PKI (e.g., the user
certificate must be from the same root).

A valid SNC user connection requires a valid certificate of the Server PKI and a
registered user account at the SAP Server.

- The Secure Login Server SAP-ID module uses the user account credentials at the SAP
Server for JAAS authentication. The SAP Server uses the DN of the user certificate
as the SNC name of the corresponding SAP account to verify the user.

7.13 Administration Console Pages Appear ‘broken’

Problem

The Administration Console pages have an odd appearance or appear to be 'broken'. This
may include, but is not limited to:

Missing icons

Missing items in combo-boxes

Buttons that do not work. For example, the Start button of the initialization wizard batch
creation page or the Upload button in the Web Client platform configuration.

Affected Systems

-

Explanation/Solution

The most likely cause for Administration Console pages that have an odd appearance
(especially during the initialization wizard) is that a previous version of Secure Login
Server has been removed from the same Tomcat Server but the Tomcat JSP cache has
not been removed or automatically updated.

The solution to this problem is to stop Tomcat, and delete all old securelogin folders

from the Webapps directory. Also delete the Tomcat cache directory:

<Tomcat ROOT>/work

Restart Tomcat. The Administration Console pages should now be OK.


7.14 Problem Loading the GSS Library (SAP-ID Module)

Problem

Problems occur when configuring the SAP-ID module so that no Server connection exists.
In the Application Server trace SNC errors appear, as in the following examples:

[Thr 168] Fri Jul 18 09:34:33 2008
[Thr 168] *** ERROR => SncPDLInit(): DlLoadLib("<PATH>\secude.dll")=DLEINVAL [sncxxdl.0340]
[Thr 168] *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) <PATH>\secude.dll not loaded [sncxxdl.0604]
Exception in thread "main" com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to SAP gateway failed
Connect_PM GWHOST=000, GWSERV=sapgw00, SYSNR=00
LOCATION CPIC (TCP/IP) on local host
ERROR SNCERR_INIT
Resource problem or gssapi library invalid/missing
sec_avail="false"
TIME Fri Jul 18 09:34:33 2008
RELEASE 710
COMPONENT SNC (Secure Network Communication)
VERSION 5
RC -1
MODULE sncxx.c
DETAIL SncInit
COUNTER 2

Or:

[Thr 5008] Fri Jul 18 09:42:10 2008
[Thr 5008] *** ERROR => SncPDLInit(): DlLoadLib("<PATH>\secude.dll")=DLEINVAL [sncxxdl.0340]
[Thr 5008] *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) <PATH>\secude.dll not loaded [sncxxdl.0604]
Exception in thread "main" com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to SAP gateway failed
Connect_PM GWHOST=000, GWSERV=sapgw00, SYSNR=00
LOCATION CPIC (TCP/IP) on local host
ERROR Unable to load the GSS-API DLL named "<PATH>\secude.dll"
TIME Fri Jul 18 09:42:10 2008
RELEASE 710
COMPONENT SNC (Secure Network Communication)
VERSION 5
RC -1
MODULE sncxxdl.c

Affected Systems

-

Explanation/Solution

Possible causes and solutions:

The SECUDE SNC library does not exist at the given path.
Solution: Locate the SECUDE SNC library and move it to the correct directory.

The SECUDE SNC library is incorrect for this platform (i.e. 32-bit vs. 64-bit, C-runtime
version, etc.).
Solution: Delete the incorrect components, locate the SECUDE SNC library suitable
for the Server environment and move it to the correct directory.


If the above causes do not apply, then the problem may be the length of the path (i.e. the

number of characters) to the SECUDE SNC library. This is a problem caused by JCO. JCO is

not capable of loading the GSS library when the length of the path is more than 100

characters.

Solution: Move the SSS package as well as the SECUDE library to a directory with a

shorter path, and configure the SAP-ID module accordingly (NativeLibraryPath).

7.15 Blank Page when Logging into the Secure Login Administration Console

Problem

When logging into the Secure Login Administration Console the GUI does not appear – only

a blank page appears. The following example error appears in the defaulttrace of the

NetWeaver Application Server:

#1.5#001AA00E3F65004E0000028E0000111C00045224BE3B94F3#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###java.lang.NullPointerException#
#1.5#001AA00E3F65004E0000028F0000111C00045224BE3B982E#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.web.framework.login.impl.UserManager.getUserById(UserManager.java:52)#
#1.5#001AA00E3F65004E000002900000111C00045224BE3B98A5#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.util.AdminAccount.canLogin(AdminAccount.java:178)#
#1.5#001AA00E3F65004E000002910000111C00045224BE3B9916#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.adminui.AdminAccountHandler.tryLogin(AdminAccountHandler.java:162)#
#1.5#001AA00E3F65004E000002920000111C00045224BE3B9986#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.adminui.AdminAccountHandler.process(AdminAccountHandler.java:63)#
#1.5#001AA00E3F65004E000002930000111C00045224BE3B99F7#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.adminui.NavigationServlet.process(NavigationServlet.java:170)#
#1.5#001AA00E3F65004E000002940000111C00045224BE3B9A67#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.adminui.NavigationServlet.doPost(NavigationServlet.java:89)#
#1.5#001AA00E3F65004E000002950000111C00045224BE3B9AD8#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)#
#1.5#001AA00E3F65004E000002960000111C00045224BE3B9B45#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)#
#1.5#001AA00E3F65004E000002970000111C00045224BE3B9BB3#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)#
#1.5#001AA00E3F65004E000002980000111C00045224BE3B9C23#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)#
#1.5#001AA00E3F65004E000002990000111C00045224BE3B9C95#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.util.ConsoleFilter.doFilter(ConsoleFilter.java:29)#
#1.5#001AA00E3F65004E0000029A0000111C00045224BE3B9D04#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)#
#1.5#001AA00E3F65004E0000029B0000111C00045224BE3B9D75#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:373)#
#1.5#001AA00E3F65004E0000029C0000111C00045224BE3B9DF5#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)#
#1.5#001AA00E3F65004E0000029D0000111C00045224BE3B9E67#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)#
#1.5#001AA00E3F65004E0000029E0000111C00045224BE3B9ED8#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)#
#1.5#001AA00E3F65004E0000029F0000111C00045224BE3B9F49#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)#
#1.5#001AA00E3F65004E000002A00000111C00045224BE3B9FBB#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)#
#1.5#001AA00E3F65004E000002A10000111C00045224BE3BA02B#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)#

#1.5#001AA00E3F65004E000002A20000111C00045224BE3BA09A#1216217670546#Syste

m.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application

_Thread[impl:3]_8##0#0#Error##Plain###at

com.sap.engine.services.httpServer.Server.Processor.request

(Processor.java:148)#

#1.5#001AA00E3F65004E000002A30000111C00045224BE3BA109#1216217670546#Syste

m.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application

_Thread[impl:3]_8##0#0#Error##Plain###at

com.sap.engine.core.service630.context.cluster.session.

ApplicationSessionMessageListener.process(ApplicationSessionMessageListen

er.java:33)#

#1.5#001AA00E3F65004E000002A40000111C00045224BE3BA17F#1216217670546#Syste

m.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application

_Thread[impl:3]_8##0#0#Error##Plain###at

com.sap.engine.core.cluster.impl6.session.MessageRunner.run

(MessageRunner.java:41)#

#1.5#001AA00E3F65004E000002A50000111C00045224BE3BA1EE#1216217670546#Syste

m.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application

_Thread[impl:3]_8##0#0#Error##Plain###at

com.sap.engine.core.thread.impl3.ActionObject.run

(ActionObject.java:37)#

#1.5#001AA00E3F65004E000002A60000111C00045224BE3BA262#1216217670562#Syste

m.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application

_Thread[impl:3]_8##0#0#Error##Plain###at

java.security.AccessController.doPrivileged(Native Method)#

#1.5#001AA00E3F65004E000002A70000111C00045224BE3BA2D1#1216217670562#Syste

m.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application

_Thread[impl:3]_8##0#0#Error##Plain###at

com.sap.engine.core.thread.impl3.SingleThread.execute

Page 225: SECUDE Secure Login 5.1 Installation Administration and Usage Manual en r17

SECUDE Secure Login 5.1 Installation, Administration and Usage Manual

225

(SingleThread.java:100)#

#1.5#001AA00E3F65004E000002A80000111C00045224BE3BA33F#1216217670562#Syste

m.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application

_Thread[impl:3]_8##0#0#Error##Plain###at

com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)#

#1.5#001AA00E3F65004E000002A90000111C00045224BE3BB6B7#1216217670562#Syste

m.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application

_Thread[impl:3]_8##0#0#Error##Plain###com.sap.engine.services.servlets_js

p.Server.exceptions.WebServletException: Error in JSP.at

com.sap.engine.services.servlets_jsp.Server.jsp.

PageContextImpl.handleErrorPage(PageContextImpl.java:707)

at com.sap.engine.services.servlets_jsp.Server.jsp.PageContextImpl.

handlePageException(PageContextImpl.java:702)

at

jsp_ErrorPage_11216120837756._jspService(jsp_ErrorPage_11216120837756.jav

a:65535)

at

com.sap.engine.services.servlets_jsp.Server.jsp.JspBase.service(JspBase.j

ava:112)

at com.sap.engine.services.servlets_jsp.Server.servlet.JSPServlet.service

(JSPServlet.java:544)

at com.sap.engine.services.servlets_jsp.Server.servlet.JSPServlet.service

(JSPServlet.java:186)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at

com.sap.engine.services.servlets_jsp.Server.runtime.RequestDispatcherImpl

.

doWork(RequestDispatcherImpl.java:321)

at

com.sap.engine.services.servlets_jsp.Server.runtime.RequestDispatcherImpl

.

forward(RequestDispatcherImpl.java:377)

at

com.secude.transfair.pepperbox.adminui.ErrorHandler.process(ErrorHandler.

java:27)

at com.secude.transfair.pepperbox.adminui.NavigationServlet.process

(NavigationServlet.java:179)

at com.secude.transfair.pepperbox.adminui.NavigationServlet.doPost

(NavigationServlet.java:89)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at

com.sap.engine.services.servlets_jsp.Server.runtime.FilterChainImpl.runSe

rvlet

(FilterChainImpl.java:117)

at

com.sap.engine.services.servlets_jsp.Server.runtime.FilterChainImpl.doFil

ter

(FilterChainImpl.java:62)

at

com.secude.transfair.pepperbox.util.ConsoleFilter.doFilter(ConsoleFilter.

java:29)

at

com.sap.engine.services.servlets_jsp.Server.runtime.FilterChainImpl.doFil

ter

(FilterChainImpl.java:58)

at com.sap.engine.services.servlets_jsp.Server.HttpHandlerImpl.runServlet

(HttpHandlerImpl.java:373)

at

com.sap.engine.services.servlets_jsp.Server.HttpHandlerImpl.handleRequest

(HttpHandlerImpl.java:264)

at com.sap.engine.services.httpServer.Server.RequestAnalizer.startServlet

(RequestAnalizer.java:347)

at com.sap.engine.services.httpServer.Server.RequestAnalizer.startServlet

(RequestAnalizer.java:325)

at

com.sap.engine.services.httpServer.Server.RequestAnalizer.invokeWebContai

ner

(RequestAnalizer.java:887)

at com.sap.engine.services.httpServer.Server.RequestAnalizer.handle

Page 226: SECUDE Secure Login 5.1 Installation Administration and Usage Manual en r17

SECUDE Secure Login 5.1 Installation, Administration and Usage Manual

226

(RequestAnalizer.java:241)

at

com.sap.engine.services.httpServer.Server.Client.handle(Client.java:92)

at

com.sap.engine.services.httpServer.Server.Processor.request(Processor.jav

a:148)

at com.sap.engine.core.service630.context.cluster.session.

ApplicationSessionMessageListener.process(ApplicationSessionMessageListen

er.java:33)

at com.sap.engine.core.cluster.impl6.session.MessageRunner.run

(MessageRunner.java:41)

at

com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

at java.security.AccessController.doPrivileged(Native Method)

at

com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:1

00)

at

com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)

Caused by:

com.sap.engine.services.servlets_jsp.Server.exceptions.WebServletExceptio

n: Error in JSP.

at

com.sap.engine.services.servlets_jsp.Server.jsp.PageContextImpl.handleErr

orPage

(PageContextImpl.java:744)

at com.sap.engine.services.servlets_jsp.Server.jsp.PageContextImpl.

handlePageException(PageContextImpl.java:702)

at jsp_top1216110529928._jspService(jsp_top1216110529928.java:65535)

at

com.sap.engine.services.servlets_jsp.Server.jsp.JspBase.service(JspBase.j

ava:112)

at com.sap.engine.services.servlets_jsp.Server.servlet.JSPServlet.service

(JSPServlet.java:544)

at com.sap.engine.services.servlets_jsp.Server.servlet.JSPServlet.service

(JSPServlet.java:186)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at

com.sap.engine.services.servlets_jsp.Server.runtime.RequestDispatcherImpl

.

doWork(RequestDispatcherImpl.java:321)

at

com.sap.engine.services.servlets_jsp.Server.runtime.RequestDispatcherImpl

.include

(RequestDispatcherImpl.java:473)

at

com.sap.engine.services.servlets_jsp.Server.jsp.PageContextImpl.include

(PageContextImpl.java:165)

at

jsp_ErrorPage_11216120837756._jspService(jsp_ErrorPage_11216120837756.jav

a:10)

... 29 more

Caused by:

com.sap.engine.services.servlets_jsp.Server.exceptions.WebIllegalStateExc

eption: The stream has already been committed.

at

com.sap.engine.services.servlets_jsp.Server.runtime.Client.HttpServletRes

ponseFacade.sendRedirect(HttpServletResponseFacade.java:997)

at jsp_top1216110529928._jspService(jsp_top1216110529928.java:11)

... 37 more

Affected Systems

NetWeaver Application Server only.

Explanation/Solution

There is no current workaround for this sporadic problem. To solve the problem, re-deploy Secure Login to NetWeaver.


7.16 Users Cannot be Successfully Authenticated to any JAAS Module

Problem

After Secure Login has been successfully deployed to NetWeaver, no user can authenticate successfully to any JAAS module.

The following example error appears in the files security_*.log and default_*.trc of the NetWeaver AS Java:

#1.5#001AA02C2EA0002B000003A80000039800897B2BD532EEFC#1216364672406#System.err#secude.com/SecureLogin#System.err#Guest#2464####c59e8c80549711ddb8f5001aa02c2ea0#HTTP Worker [1]##0#0#Error##Plain###com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:177)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:216)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.secude.transfair.pepperbox.JaasRsaRadiusAuthenticationManager.authenticate(JaasRsaRadiusAuthenticationManager.java:186)
at com.secude.transfair.pepperbox.ServerMessageHandler.handleAuthAction(ServerMessageHandler.java:889)
at com.secude.transfair.pepperbox.ServerMessageHandler.handleInMessage(ServerMessageHandler.java:223)
at com.secude.transfair.framework.LocalTFManager.handleInMessage(LocalTFManager.java:211)
at com.secude.transfair.pepperbox.SlsKernel.doSls(SlsKernel.java:360)
at com.secude.transfair.pepperbox.StandardServlet.doPost(StandardServlet.java:155)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at com.sap.engine.services.servlets_jsp.Server.Invokable.invoke(Invokable.java:66)
at com.sap.engine.services.servlets_jsp.Server.Invokable.invoke(Invokable.java:32)
at com.sap.engine.services.servlets_jsp.Server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:431)
at com.sap.engine.services.servlets_jsp.Server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:289)
at com.sap.engine.services.httpServer.Server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
at com.sap.engine.services.httpServer.Server.RequestAnalizer.startServlet(RequestAnalizer.java:376)
at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:85)
at com.sap.engine.services.httpServer.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:160)
at com.sap.engine.services.httpServer.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.httpServer.filters.WebContainerInvoker.process(WebContainerInvoker.java:67)
at com.sap.engine.services.httpServer.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpServer.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.httpServer.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
at com.sap.engine.services.httpServer.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpServer.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.httpServer.filters.DefineHostFilter.process(DefineHostFilter.java:27)
at com.sap.engine.services.httpServer.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpServer.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.httpServer.filters.MonitoringFilter.process(MonitoringFilter.java:29)
at com.sap.engine.services.httpServer.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpServer.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.httpServer.Server.Processor.chainedRequest(Processor.java:309)
at com.sap.engine.services.httpServer.Server.Processor$FCAProcessorThread.run(Processor.java:222)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:152)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:247)
Caused by: javax.security.auth.login.LoginException: Error: Callback com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4 not supported.
at com.secude.transfair.pepperbox.LdapJaasModule.login(LdapJaasModule.java:208)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:220)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
Error: Callback com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4 not supported.null#

Affected Systems

NetWeaver

Explanation/Solution

This problem occurs especially while updating the complete Secure Login Server EAR package when an existing Secure Login installation already uses the AS Java on the Server.

The error entry marked in red in the example above is the cause to look for; in this example it is the entry Error: Callback com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4 not supported. It usually appears as the last line in the stack trace.

Unfortunately you must completely restart the Application Server Java. A restart of the Secure Login application will not help. There is currently no other workaround.
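To find that entry without reading the whole trace by hand, here is an added example (not part of the manual or of the Secure Login product) that parses the '#'-delimited AS Java log records shown in sections 7.15 and 7.16 and returns the innermost Caused by: line. The field positions are an assumption derived from the excerpts above, and the sample input is a constructed, shortened version of them.

```python
"""Added example: parse '#'-delimited SAP NetWeaver AS Java log records
(security_*.log / default_*.trc) and extract the innermost 'Caused by:' line.
The field positions below are derived from the excerpts quoted in the manual;
they are an assumption about this log layout, not a published specification."""
import re
from dataclasses import dataclass, field

RECORD_START = re.compile(r"^#1\.5#", re.MULTILINE)   # every record starts with the format version
CAUSED_BY = re.compile(r"^Caused by:\s*(.+)$", re.MULTILINE)

# Constructed sample: two records shortened from the manual's examples. The first is
# one-frame-per-record output (section 7.15), the second a multi-line exception (7.16).
SAMPLE_LOG = """\
#1.5#001AA00E3F65004E000002950000111C00045224BE3B9AD8#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)#
#1.5#001AA02C2EA0002B000003A80000039800897B2BD532EEFC#1216364672406#System.err#secude.com/SecureLogin#System.err#Guest#2464####c59e8c80549711ddb8f5001aa02c2ea0#HTTP Worker [1]##0#0#Error##Plain###com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:177)
at com.secude.transfair.pepperbox.JaasRsaRadiusAuthenticationManager.authenticate(JaasRsaRadiusAuthenticationManager.java:186)
Caused by: javax.security.auth.login.LoginException: Error: Callback com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4 not supported.
at com.secude.transfair.pepperbox.LdapJaasModule.login(LdapJaasModule.java:208)
Error: Callback com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4 not supported.null#
"""


@dataclass
class LogRecord:
    record_id: str
    timestamp: int          # milliseconds since the epoch
    location: str           # e.g. secude.com/SecureLogin
    user: str
    session: str
    thread: str
    severity: str           # Error, Warning, Info, ...
    message: str            # may span several lines (stack trace)
    causes: list = field(default_factory=list)   # every 'Caused by:' line, outermost first


def split_records(text: str) -> list:
    """Cut the excerpt into one string per record; a record runs until the next '#1.5#'."""
    starts = [m.start() for m in RECORD_START.finditer(text)]
    ends = starts[1:] + [len(text)]
    return [text[s:e].strip() for s, e in zip(starts, ends)]


def parse_record(raw: str) -> LogRecord:
    """Map the 22 leading '#'-separated fields onto names; field 22 is the message.

    Layout as seen in the manual's excerpts (assumption):
    #1.5#<id>#<ts>#System.err#<location>#System.err#<user>#<n>####<session>#<thread>##0#0#<severity>##Plain###<message>#
    """
    parts = raw.split("#", 22)
    if len(parts) != 23 or parts[1] != "1.5":
        raise ValueError("not a version-1.5 log record: %r" % raw[:40])
    message = parts[22].rstrip()
    if message.endswith("#"):           # record terminator
        message = message[:-1]
    return LogRecord(
        record_id=parts[2], timestamp=int(parts[3]), location=parts[5],
        user=parts[7], session=parts[12], thread=parts[13], severity=parts[17],
        message=message, causes=CAUSED_BY.findall(message),
    )


def parse_log(text: str) -> list:
    return [parse_record(raw) for raw in split_records(text)]


def root_cause(text: str):
    """Innermost 'Caused by:' of the latest Error record that carries one, else None.

    This is the entry the manual tells you to look for: it is normally the
    last 'Caused by:' line of the stack trace."""
    for rec in reversed(parse_log(text)):
        if rec.severity == "Error" and rec.causes:
            return rec.causes[-1]
    return None


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec.severity, rec.thread, rec.message.splitlines()[0])
    print("root cause:", root_cause(SAMPLE_LOG))
```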


7.17 Enable Remote Access to Initialize and Configure Secure Login Server

Problem

After installing Secure Login Server the initialization/configuration cannot be performed from a remote location (only directly on the Server).

Affected Systems

All.

Explanation/Solution

For reasons of security, the Secure Login Server component can only be initialized via the Administration Console and only when the console is called from the same Server computer on which the Secure Login resides (see section 3.6 on page 54). If, however, you want to perform the initialization and configuration from a remote location, then you must manually enable this feature by editing the Secure Login Web.xml file directly on the application Server:

1. Locate the Web.xml file in your application Server Web application directory: securelogin\WEB-INF\Web.xml

2. Open the Web.xml file in an editor.

3. Locate the following section:

<servlet-name>Navigation</servlet-name>
<servlet-class>com.secude.transfair.pepperbox.adminui.NavigationServlet</servlet-class>
<init-param>
<param-name>remoteAccess</param-name>
<param-value>false</param-value>
</init-param>

4. Edit the remoteAccess parameter value (the param-value false in the section above) to true.

5. Save the Web.xml file.

After you have completed the initialization and configuration of Secure Login Server it is recommended to reinstate security by changing the remoteAccess parameter value back to false.
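As an added example (not code from the manual or from SECUDE), the following script reads the remoteAccess init-param of the Navigation servlet from Web.xml and toggles it, so you can verify that the value has been set back to false once the initialization is done. The embedded Web.xml is a constructed excerpt mirroring the section quoted above.

```python
"""Added example: verify (and toggle) the remoteAccess init-param of the
Secure Login Navigation servlet in WEB-INF/Web.xml. Not part of the manual
or the product; the embedded descriptor is a constructed excerpt."""
import xml.etree.ElementTree as ET

SERVLET_NAME = "Navigation"
PARAM_NAME = "remoteAccess"

# Constructed Web.xml excerpt mirroring the section quoted in the manual.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>Navigation</servlet-name>
    <servlet-class>com.secude.transfair.pepperbox.adminui.NavigationServlet</servlet-class>
    <init-param>
      <param-name>remoteAccess</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _local(tag: str) -> str:
    """'{uri}servlet' -> 'servlet', so the lookup also works when the descriptor
    declares the Java EE namespace."""
    return tag.rsplit("}", 1)[-1]


def _text(elem) -> str:
    return (elem.text or "").strip()


def find_param_value(root, servlet_name: str, param_name: str):
    """Return the <param-value> element of init-param `param_name` in the named servlet."""
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        names = [_text(c) for c in servlet if _local(c.tag) == "servlet-name"]
        if names != [servlet_name]:
            continue
        for init in servlet:
            if _local(init.tag) != "init-param":
                continue
            pname = [_text(c) for c in init if _local(c.tag) == "param-name"]
            pvalue = [c for c in init if _local(c.tag) == "param-value"]
            if pname == [param_name] and pvalue:
                return pvalue[0]
    return None


def remote_access_enabled(web_xml: str) -> bool:
    """True only when remoteAccess is literally 'true'; a missing parameter is treated
    as the secure default (console reachable from the server itself only)."""
    value = find_param_value(ET.fromstring(web_xml), SERVLET_NAME, PARAM_NAME)
    return value is not None and _text(value).lower() == "true"


def set_remote_access(web_xml: str, enabled: bool) -> str:
    """Return the descriptor with remoteAccess set to 'true' or 'false'."""
    root = ET.fromstring(web_xml)
    value = find_param_value(root, SERVLET_NAME, PARAM_NAME)
    if value is None:
        raise ValueError("init-param %s not found in servlet %s" % (PARAM_NAME, SERVLET_NAME))
    value.text = "true" if enabled else "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    opened = set_remote_access(SAMPLE_WEB_XML, True)     # step 4 of the procedure
    print("remote access enabled:", remote_access_enabled(opened))
    closed = set_remote_access(opened, False)            # reinstate after configuration
    print("remote access enabled:", remote_access_enabled(closed))
```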

7.18 Problems Accessing the Administration Console or the Web Client via Firefox

Problem

Errors are displayed when accessing the Administration Console or the Web Client using Mozilla Firefox (SSL connection).

Affected Systems

The error occurs when a combination of the following components is used:

Server: Tomcat 5 or 6 (Java 1.4 or above, all platforms) with an SSL connector

Client: Firefox 2 + 3 (all platforms)

Secure Login components: Secure Login Administration Console or Web Client

Explanation/Solution

The best workaround for this is to configure the Tomcat SSL connector port accordingly. Tomcat's Server.xml file has to be modified as follows to use a fixed list of ciphers only. The following example applies to Tomcat 5 and 5.5:

<Connector port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true"
ClientAuth="false" sslProtocol="TLS" keystorePass="123456" keystoreFile="C:\SSL_SERVER.p12" keystoreType="PKCS12"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
/>

The solution for Tomcat 6 is the same as above, but it also requires an additional attribute for its SSL connector: set the attribute SSLEnabled to true.
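The following added example (not from the manual or from SECUDE) audits such a connector after the change: it parses the Connector element, lists the configured suites, flags the RC4, single-DES and MD5-based suites in the list above (obsolete by today's standards), and checks the Tomcat 6 SSLEnabled attribute. The server.xml fragment is constructed around the connector quoted above; the weak-suite markers are this example's own list.

```python
"""Added example: audit the SSL <Connector> in a Tomcat server.xml after
applying the fixed cipher list. Not part of the manual or the product;
the server.xml fragment is constructed around the connector quoted above."""
import xml.etree.ElementTree as ET

# Suites containing these markers are obsolete by today's standards: RC4
# (prohibited by RFC 7465), single DES and 3DES, MD5 MACs, NULL/EXPORT/anonymous suites.
WEAK_MARKERS = ("_RC4_", "_DES_", "_3DES_", "_MD5", "_NULL_", "_EXPORT", "_anon_")

SAMPLE_SERVER_XML = r"""<Server port="8005">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" minProcessors="5" maxProcessors="75"
      enableLookups="true" disableUploadTimeout="true" acceptCount="100" debug="0"
      scheme="https" secure="true" ClientAuth="false" sslProtocol="TLS"
      keystorePass="123456" keystoreFile="C:\SSL_SERVER.p12" keystoreType="PKCS12"
      ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA"/>
  </Service>
</Server>
"""


def parse_ciphers(attr: str) -> list:
    """Split the comma-separated ciphers attribute, dropping blanks and duplicates
    (the manual's list names SSL_RSA_WITH_RC4_128_MD5 twice)."""
    seen, out = set(), []
    for name in (n.strip() for n in attr.split(",")):
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def is_weak(suite: str) -> bool:
    return any(marker in suite for marker in WEAK_MARKERS)


def hardened_cipher_attr(ciphers: list) -> str:
    """The ciphers attribute value with the obsolete suites removed."""
    return ", ".join(c for c in ciphers if not is_weak(c))


def audit_connectors(server_xml: str, tomcat_major: int = 6) -> list:
    """One finding dict per SSL connector: port, parsed cipher list, and issues found."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("scheme") != "https" and conn.get("secure") != "true":
            continue                                  # plain HTTP connector, not in scope
        ciphers = parse_ciphers(conn.get("ciphers", ""))
        issues = []
        if not ciphers:
            issues.append("no fixed cipher list; the JVM default suites apply")
        issues.extend("weak cipher suite: " + c for c in ciphers if is_weak(c))
        if tomcat_major >= 6 and conn.get("SSLEnabled", "").lower() != "true":
            issues.append('Tomcat 6 needs SSLEnabled="true" on the SSL connector')
        findings.append({"port": conn.get("port"), "ciphers": ciphers, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML, tomcat_major=6):
        print("connector", f["port"], "configured suites:", len(f["ciphers"]))
        for issue in f["issues"]:
            print("  -", issue)
        print("  suggested ciphers:", hardened_cipher_attr(f["ciphers"]))
```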

7.19 Error Message when viewing Certificate Details using Firefox 3

Problem

An error message appears when using the Administration Console in Firefox 3 to view certificate details.

Affected Systems

All systems using Firefox 3

The Secure Login Administration Console is installed and configured (Certificate)

Explanation

This error occurs when the Firefox password manager is used to store the Administration Console username/password. The error can be reproduced as follows:

1. Start the Administration Console in Firefox 3, enter the username and password, and click Login.

2. Firefox will now prompt you to store the username/password in the Firefox password manager (a prompt bar will appear at the top of the page). Click Remember.

3. The Administration Console will appear as normal.

4. From the main page, go to any Instance Configuration/Certificate Manager.

5. Under Certificate name, select a certificate and click View.

6. The error message Open password is incorrect will appear.

Solution

1. Open the Firefox Menu Tools > Options.

2. The Options dialog will appear. Click the Security tab and then click Saved Passwords.

3. The Saved Passwords dialog will appear. Select the Secure Login Administration Console site or hostname from the list and click Remove. Close the Saved Passwords and Options dialogs.

4. Re-login to the Administration Console. The prompt bar will reappear. Click Never for this site. The Secure Login host will now appear in a list of exceptions (Menu Tools > Options > Security tab > Exceptions…).


8 Error and Return Codes

Introduction

This chapter details the error codes and return codes, their meaning and possible corrections. In each section, the codes are listed in alphabetical order.

Sections

Section 8.1 "ADS Authentication Errors", on page 232

Section 8.2 "RSA Authentication Errors", on page 232

Section 8.3 "SAP ID Error Codes and Return Codes", on page 232

Section 8.4 "Stacktrace Error Codes", on page 234

Section 8.5 "Common Errors", on page 236

Section 8.6 "CERT Errors", on page 237

Section 8.7 "PSE Errors", on page 237


8.1 ADS Authentication Errors

Error code: JAAS_LDAP_ERROR

Description: Authentication fails due to configuration errors of the JAAS module for ADS or timing problems on the network.

Solution: Make sure that at least one Server is specified in the configuration (and is running) and that the Server names are specified correctly in the configuration file. If the Server is accessed via port 636, make sure that its CA certificate is imported into the keystore of SECUDE Secure Login.

8.2 RSA Authentication Errors

Error code: JAAS_RADIUS_ERROR

Description: Authentication fails due to configuration errors of the JAAS module for RSA/RADIUS or timing problems on the network.

Solution: Make sure that the ACE Server is running.

8.3 SAP ID Error Codes and Return Codes

This section details the return codes for SAP ID-based login, and the error codes caused by the JAAS module.

Contents

Section 8.3.1 "Authentication-based Codes", on page 232

Section 8.3.2 "Password Change Related Codes", on page 233

Section 8.3.3 "Connectivity Related Codes", on page 233

8.3.1 Authentication-based Codes

Error code: AUTH_RESULT_ACTION_OK_MSG (Return code)

Description: Authentication successful. The AUTH_RESULT_ACTION_OK_MSG defined in the file ServerMsg.properties will be sent to the SECUDE Secure Login Client along with the created certificate.

Solution: -

Error code: AUTH_RESULT_ACTION_DENIED_MSG (Return code)

Description: Authentication denied. The AUTH_RESULT_ACTION_DENIED_MSG variable defined in the file ServerMsg.properties will be sent to the SECUDE Secure Login Client.

This message may be combined with the variable $SERVERMSG to present the user with a reason for the denial. The $SERVERMSG variable is an option to forward the raw Authentication Server message to the Secure Login Client. For example:

Access denied because..$SERVERMSG

The $SERVERMSG variable should only be used with Sun directory Servers and SAP-ID. If used with RSA no messages will be sent by default, and if used with ADS a cryptic text message will be sent.


8.3.2 Password Change Related Codes

Error code: NEW_PIN_REPLY_ACCEPTED_MSG (Return code)

Description: For a successful password change the NEW_PIN_REPLY_ACCEPTED_MSG defined in the file ServerMsg.properties will be sent to the SECUDE Secure Login Client.

Solution: -

Error code: NEW_PIN_REPLY_REJECTED_MSG (Return code)

Description: If the SAP Server denies the new password, a new-password-rejected state is the result and the NEW_PIN_REPLY_REJECTED_MSG defined in the file ServerMsg.properties will be sent to the SECUDE Secure Login Client.

The corresponding trace and error log entry is "Password not conform to password rules" followed by the stacktrace information of the return code.

8.3.3 Connectivity Related Codes

Error/Return code: AUTH_SERVER_TIMEOUT_MSG (Error code)

Description: If the JAAS module cannot establish a connection to the SAP Server a timeout error will be set and the error AUTH_SERVER_TIMEOUT_MSG defined in the file ServerMsg.properties will be sent to the SECUDE Secure Login Client.

The corresponding trace and error log entry is "No connection to SAP system can be established" followed by the stacktrace information for this code.

Possible reasons for this error may be one of the following (no differentiation between the SECUDE Secure Login Server or the Client):

- Unable to establish an SNC connection to the SAP Server:
  - SECUDE Secure Login Server SAP user is not properly configured.
  - SECUDE Secure Login Server SAP user does not have required permissions.
  - Faulty SNC configuration for the SECUDE Secure Login Server.
- Timeout in the network connection.
- SAP Server is down.

For a list of stacktrace codes refer to section 8.4 "Stacktrace Error Codes" on page 234. For a list of common error reasons refer to section 8.5 "Common Errors" on page 236.


8.4 Stacktrace Error Codes

This section lists the possible SAP exceptions that can be logged in the stacktrace.

CALL_BACK_ENTRY_NOT_FOUND: The called function module is not released for RFC.

CALL_FUNCTION_DEST_TYPE: The type of the destination is not allowed.

CALL_FUNCTION_NO_SENDER: Current function is not called remotely.

CALL_FUNCTION_DESTINATION_NO_T: Missing communication type (I for internal connection, 3 for ABAP) when executing an asynchronous RFC.

CALL_FUNCTION_NO_DEST: The specified destination does not exist.

CALL_FUNCTION_OPTION_OVERFLOW: Maximum length of options for the destination exceeded.

CALL_FUNCTION_NO_LB_DEST: The specified destination (in load distribution mode) does not exist.

CALL_FUNCTION_NO_RECEIVER: Data received for unknown CPI-C connection.

CALL_FUNCTION_NOT_REMOTE: The function module being called is not flagged as being "remotely" callable.

CALL_FUNCTION_REMOTE_ERROR: While executing an RFC, an error occurred that has been logged in the calling system.

CALL_FUNCTION_SIGNON_INCOMPL: Logon data for the user is incomplete.

CALL_FUNCTION_SIGNON_INTRUDER: Logon attempt in the form of an internal call in a target system not allowed.

CALL_FUNCTION_SIGNON_INVALID: RFC from external program without valid user ID.

CALL_FUNCTION_SIGNON_REJECTED: Logon attempt in target system without valid user ID. This error code may have any of the following meanings:
- Incorrect password or invalid user ID.
- User locked.
- Too many login attempts.
- Error in authorization buffer (internal error).
- No external user check.
- Invalid user type.
- Validity period of the user exceeded.

CALL_FUNCTION_SINGLE_LOGIN_REJ: No authorization to log on as Trusted System. The error code may have any of the following meanings:
- Incorrect logon data for valid security ID.
- Calling system is not a Trusted System or security ID is invalid.
- Either the user does not have RFC authorization (authorization object S_RFCACL), or a logon was performed using one of the protected users DDIC or SAP*.
- Time stamp of the logon data is invalid.

CALL_FUNCTION_SYSCALL_ONLY: RFC without valid user ID only allowed when calling a system function module. The meaning of the error codes is the same as for CALL_FUNCTION_SINGLE_LOGIN_REJ.

CALL_FUNCTION_TABINFO: Data error (info internal table) during an RFC.

CALL_FUNCTION_TABLE_NO_MEMORY: No memory available for table being imported.

CALL_FUNCTION_TASK_IN_USE: For asynchronous RFC only: task name is already being used.

CALL_FUNCTION_TASK_YET_OPEN: For asynchronous RFC only: the specified task is already open.

CALL_FUNCTION_NO_AUTH: No RFC authorization.

CALL_RPERF_SLOGIN_AUTH_ERROR: No trusted authorization for RFC caller and trusted system.

CALL_RPERF_SLOGIN_READ_ERROR: No valid trusted entry for the calling system.

RFC_NO_AUTHORITY: No RFC authorization for user.

CALL_FUNCTION_BACK_REJECTED: Destination "BACK" is not permitted in current program.

CALL_XMLRFC_BACK_REJECTED: Destination "BACK" is not permitted in current program.

CALL_FUNCTION_DEST_SCAN: Error while evaluating RFC destination.

CALL_FUNCTION_CONFLICT_TAB_TYP: Type conflict while transferring table.

CALL_FUNCTION_CREATE_TABLE: No memory available for creating a local internal table.

CALL_FUNCTION_UC_STRUCT: Type conflict while transferring structure.

CALL_FUNCTION_DEEP_MISMATCH: Type conflict while transferring structure.

CALL_FUNCTION_WRONG_VALUE_LENG: Invalid data type while transferring parameters.

CALL_FUNCTION_PARAMETER_TYPE: Invalid data type while transferring parameters.

CALL_FUNCTION_ILLEGAL_DATA_TYP: Invalid data type while transferring parameters.

CALL_FUNCTION_ILLEGAL_INT_LEN: Type conflict while transferring an integer.

CALL_FUNCTION_ILL_INT2_LENG: Type conflict while transferring an integer.

CALL_FUNCTION_ILL_FLOAT_FORMAT: Type conflict while transferring a floating point number.

CALL_FUNCTION_ILL_FLOAT_LENG: Type conflict while transferring a floating point number.

CALL_FUNCTION_ILLEGAL_LEAVE: Invalid LEAVE statement on RFC Server.

CALL_FUNCTION_OBJECT_SIZE: Type conflict while transferring a reference.

CALL_FUNCTION_ROT_REGISTER: Type conflict while transferring a reference.


8.5 Common Errors

Error: The credentials are not set for the user account the SECUDE Secure Login Server runs in.

Description: SNC is not properly configured on the SECUDE Secure Login Server side.

Error: The credentials are not set for the user account the SAP Server runs in.

Description: SNC is not properly configured on the SAP Server side.

Error: The user configured on the SAP Server for SECUDE Secure Login Server access is not properly configured (for example, not all required profiles are set).

Description: Check the user profile.

Error: The JVM on the SECUDE Secure Login Server cannot load the required libraries (both SECUDE and SAP).

Description: The directory wherein the libraries reside is not included in the PATH or the LD_LIBRARY_PATH environment variable of the operating system.

Error: The JVM on the SECUDE Secure Login Server cannot load the required SAP jar library.

Description: The directory wherein the sapjco.jar file resides is not included in the CLASSPATH variable for the Java installation.

Error: The sapjco library displays link errors although the shipped libraries are installed in the correct places.

Description: If installed on UNIX/Linux systems it must be ensured that all of the required libraries are built for the same architecture (all 32-bit or all 64-bit).

How to find out what the Problem is

Enabling trace messages for the SECUDE Secure Login Server in the Web.xml file will provide detailed information about possible errors. The SAP library error trace is enabled automatically. The SAP library trace file dev_rfc.trc will be created in the same directory from which the whole SECUDE Secure Login Server process is started.

As an example, if the SECUDE Secure Login Server is deployed on Apache Tomcat, the SAP trace files will be created in the /tomcat-installation-path/bin/ directory in which the 236nitiali.bat/sh resides.

For details about how to enable tracing refer to the following sections:

For manual configuration see section 7.3 "Turning Tracing On/Off" on page 215.

Via the Administration Console, see section 6.1.3 "Server Configuration" on page 124.

Enabling the SECUDE SNC tracing will provide information about the SNC certificate handshake and the key exchange. If the handshake fails, an additional error trace file will be created. For details about how to enable tracing refer to the SECUDE signon&secure documentation.


8.6 CERT Errors

Error/Return code, Description, Solution

CERT_CREATE_ERROR
    Description: An error occurred while trying to create a new certificate.
    Solution: -

CERT_INIT_ERROR
    Description: An error occurred while accessing the resources needed for this process, i.e. the PSE used.
    Solution: Make sure that the configuration file contains the correct name, password, and aliases for the specific PSE. If the SECUDE SDK is used to access the PSE, it is also necessary that the libComSecude.so library is contained in the library path. For hardware PSEs, the PseType in the configuration.properties file has to be set to NativePSE.

8.7 PSE Errors

Error/Return code, Description, Solution

PSE_ADMIN_ERROR
    Description: An error occurred inside the PSE admin Server.
    Solution: -

PSE_ARCHIVE_ERROR
    Description: This code may be due to insufficient disk space or missing write access when writing or creating the log file.
    Solution: Make sure the application has the access rights to write to, or create, the specified log directory, and that there is enough disk space.

PSE_CREATE_ERROR
    Description: This code can indicate a problem while creating an outgoing message. A possible cause is a missing message-of-the-day or disclaimer message (ClientMotd, ClientDisc) in the configuration file.
    Solution: Make sure that the configuration file contains all mandatory entries.

PSE_HANDLING_ERROR
    Description: An error occurred while handling a Client request.
    Solution: -

PSE_INIT_ERROR
    Description: May be caused when initializing the servlets. This is usually the case when the SECUDE Secure Login configuration could not be read, either because the configuration URL is not set in the configuration file of the servlet engine or because the file could not be found under the specified URL.
    Solution: Make sure the URL is set correctly to the configuration.properties file.

PSE_IO_ERROR
    Description: Occurs when the servlet cannot send its response to the Client due to network problems.
    Solution: Make sure the network is configured correctly and running.

PSE_SERVER_ERROR
    Description: An error occurred with the PSE Server.
    Solution: -

PSE_SERVER_TIMEOUT
    Description: The Client session timed out.
    Solution: Check in the servlet configuration that the timeout value is high enough.


9 Appendix

Introduction

This chapter contains various advanced details an administrator may need to configure Secure Login.

Contents

Section 9.1 "Client Policy" on page 239

Section 9.2 "Configurable Properties" on page 246

Section 9.3 "Secure Login Client Registry Values" on page 264

Section 9.4 "Key Usage Reference" on page 266

Most of the information in this section is provided purely as extra information for debugging.

It is not recommended to alter any Secure Login system file manually! Doing so may result

in a corrupted configuration! Please use the Administration Console at all times!


9.1 Client Policy

Introduction

This section contains detailed information about the Client policy for Secure Login.

Contents

Section 9.1.1 "ClientPolicy.xml File Registry Keys and Values", on page 239

Section 9.1.2 "ClientPolicy.xml File Example", on page 240

Section 9.1.4 "Configuring Secure Login with Microsoft Group Policies", on page 245

9.1.1 ClientPolicy.xml File Registry Keys and Values

Registry Keys and Values

When the Secure Login Client system service is started (on the Client side), the XML-formatted policy file is translated into the following Windows registry keys and values (provided that the ClientPolicy.xml file is dynamic):

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\application\<application name>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\Profiles\<profile name>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\SecureLogin\System]


9.1.2 ClientPolicy.xml File Example

<?xml version="1.0" encoding="ISO-8859-1"?>
<secude>
  <securelogin>
    <machine>
      <applications action="clean">
        <application name="SAP Server Strong Authentication">
          <attributes>
            <attribute name="pseURI" value="ou=Strong Authentication" type="string"/>
            <attribute name="profile" value="SAP with RSA SecurID" type="string"/>
          </attributes>
        </application>
        <application name="SAP Server ADS">
          <attributes>
            <attribute name="pseURI" value="SNC/cn=SAPServer,o=SECUDE,ou=Support,c=DE" type="string"/>
            <attribute name="profile" value="SAP with Windows Logon" type="string"/>
          </attributes>
        </application>
        <application name="DEFAULT">
          <attributes>
            <attribute name="pseURI" value="*" type="string"/>
            <attribute name="profile" value="*" type="string"/>
          </attributes>
        </application>
      </applications>
      <profiles action="replace">
        <profile name="SAP with RSA SecurID">
          <attributes>
            <attribute name="pseType" value="promptedlogin" type="string"/>
            <attribute name="enrollURL0" value="https://rsalogin:8443/securelogin/PseServer?=0001" type="string"/>
            <attribute name="autoReenrollTries" value="0" type="integer"/>
            <attribute name="sslHostCommonNameCheck" value="true" type="boolean"/>
          </attributes>
        </profile>
        <profile name="SAP with Windows Logon">
          <attributes>
            <attribute name="pseType" value="windowslogin" type="string"/>
            <attribute name="enrollURL0" value="https://adslogin:8443/securelogin/PseServer?=0003" type="string"/>
            <attribute name="enrollURL1" value="https://adsloginbackup:8443/securelogin/PseServer?=0003" type="string"/>
            <attribute name="enrollURL2" value="https://192.168.47.47:8443/securelogin/PseServer?=0005" type="string"/>
            <attribute name="httpProxyURL" value="http://10.49.48.47:3128" type="string"/>
            <attribute name="autoReenrollTries" value="3" type="integer"/>
            <attribute name="reUseKey" value="true" type="boolean"/>
            <attribute name="gracePeriod" value="10" type="integer"/>
          </attributes>
        </profile>
      </profiles>
    </machine>
  </securelogin>
</secude>


ClientPolicy.xml File Elements and Attributes

The following table details each of the elements and attributes of the ClientPolicy.xml file (A-Z), whether it is mandatory or optional, and its description with examples.

Action (optional)
    Existing registry keys are handled as configured by action:
    clean: Delete all existing profiles in the selected policy key before the given ones are written.
    replace: Replace any existing profiles of the same name in the selected policy key by the given one.
    keep: Keep any existing profiles of the same name in the selected policy key; do not write the given one (default).

AllowFavourite (mandatory)
    Allow the user to select another profile as "favorite" for this SNC application context.
    false (default) = always use the configured profile
    true = do not use the configured profile

Application (mandatory)
    Start of an application element; the element is repeated for each application.

Applications (mandatory)
    Start of the application section, which contains the unsorted list of application contexts.

AutoReenrollTries (optional)
    Number of failed authentications in a sequence until automatic re-enrollment is stopped. User name and password caching can be turned on to provide the automatic re-enrollment of certificates that are going to expire.
    0: Turn off (default). Do not re-enroll automatically; do not cache user name and password. A re-enrollment must always be performed by the user interactively.
    n: Turn on with n tries to succeed. Try to re-enroll at most n times before either a new certificate is received or the user name and password cache is cleared.
    The error counter is reset on success. A manual re-enrollment is also possible.
    You can delete all cached credentials from memory (except those stored in the SLC system service) with the Logout context menu of the SECUDE PSE service in the system tray. Deleting the cache of the Windows login token has no effect, as the credentials can be retrieved from the SLC system service.

EnrollURL0 (mandatory)
    Secure Login URL that is used for authentication and certificate enrollment. The URL locates the Server instance that is valid for the Secure Login Client. For example: http://myServer.local/securelogin/PseServer?id=0001

EnrollURL<n> (optional)
    URL of a fallback SECUDE Secure Login Server, used if URL n-1 fails (with n>1).
    The counter n must be a positive integer without leading 0s. The sequence must be strictly increasing by one. A gap stops the sequence; all remaining URLs are ignored. Empty URLs are ignored and skipped.

GracePeriod (optional)
    Seconds before expiration of this certificate to re-enroll automatically (default: 0).

HttpProxyURL (optional)
    HTTP proxy to be used with the enroll URLs. Only HTTP proxies without authentication and without SSL to the proxy are supported.
    Example: http://proxy.secude.com:3128

InactivityTimeout (optional)
    Seconds until an automatic logout is performed. Mouse and keyboard events are checked for inactivity.
    > 0: seconds of inactivity
    -1: no single sign-on (SSO); each SNC connection forces a new login
    0: no timeout, SSO without limitation (default)

KeySize (optional)
    Size in bits of the newly generated RSA keys. Range: 512 – 16384 (default: 512)

machine (mandatory)
    Machine policy node. Subnodes inside this node are written to [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE]. User policies are not supported.

Name (mandatory)
    Name of the application context, which also forms the registry key name.
    The special name "*" is used for the default application entry, for which no PSEURI has to be defined. It automatically comprises all SNC names that are not defined explicitly or with wildcards (see the PSEURI attribute).

NetworkTimeout (optional)
    Network timeout in seconds before the connection is closed if the Server does not respond (default: 45).

Profile (mandatory)
    Name of the security profile to be used for the application; the name must match a profile name in the profiles section.
    The profile name "*" is used for the default security profile that is configured by the user (for example, the smart card profile).

Profiles (mandatory)
    Start of the profile section, which contains the unsorted list of security profiles.

PSEType (mandatory)
    Type of profile:
    promptedlogin: for authentication using an RSA Server.
    windowslogin: for authentication using an ADS Server.

PSEURI (mandatory)
    Application-specific PSE URI (fully qualified SNC name, a substring of the SNC name, or *) that is matched when a fitting profile is searched. The wildcards "*" and "?" can be used.
    Examples:
    "SNC/cn=SAP, o=SECUDE, c=DE"
    "SNC/CN=Server*, ou=Strong"
    For further examples, see section 9.1.3 "Wildcards in Distinguished Names for the PSEURI Attribute" on page 244.

ReUseKey (optional)
    If true, the RSA key is kept unless a manual logout is performed or the user process psesvc.exe is shut down (default: false).

secude (mandatory)
    Root node.

securelogin (mandatory)
    SECUDE Secure Login policy node.

SSLHostAlternativeNameCheck (optional)
    SSL Server certificate: check whether the peer host name is given in its subject alternative names (default: false).

SSLHostCommonNameCheck (optional)
    SSL Server certificate: check whether the peer host name is given in its subject common name (default: false).

SSLHostExtensionCheck (optional)
    SSL Server certificate: check whether the peer's certificate has the extended key usage ServerAuthentication set (default: false).

UniqueClientID (optional)
    Customer-defined string (default: NULL).

useSslPse (optional)
    If true, turns on the former SSL PSE based trust store for HTTPS. If false (default), the Microsoft CAPI is used for HTTPS trust.

UserWarningPassword (optional)
    Warning dialog box before user name and password are sent to the SLS (default: false).

UserWarningMSIE (optional)
    Display a warning dialog box after a new certificate has been propagated to the Microsoft Crypto Store: MSIE must be restarted (default: false).


9.1.3 Wildcards in Distinguished Names for the PSEURI Attribute

Introduction

The PSEURI attribute allows you to use wildcards to identify an SAP system by its SNC

name. The SNC name is given as a printed X.500 distinguished name. The wildcards are

as follows:

Use “*” for many characters

Use “?” for just one character

Rules

There are a few rules to follow for the use of wildcards:

Do not use wildcards if you want to select one distinguished Server.

Make the patterns as long as possible.

Should there be more than one pattern matching a Server, then the longest pattern wins (and with equal length, the one with fewer wildcards).

Example

The following example assumes that the following Servers exist:

Server-A: "SNC/CN=Server-A, CN=Low-Security, C=DE"
Server-B: "SNC/CN=Server-B, CN=High-Security, C=DE"
Server-C: "SNC/CN=Server-C, CN=High-Security, C=DE"
Server-D: "SNC/CN=Server-D, CN=High-Security, C=DE"

Pattern for PSEURI                          Matching...
*                                           Any Server.
SNC/*                                       Any Server.
SNC/CN=Server-*,CN=*-Security,C=DE          Any Server.
SNC/*,CN=High-Security,*                    Only high security Servers (B, C, D).

Assuming you have used the last pattern for all high security Servers, but you need another treatment for Server D, you may use one of the following patterns:

Pattern for PSEURI                          Matching...
SNC/CN=Server-D,CN=High-Security,C=DE       Only Server D.
SNC/CN=Server-D,CN=High-Security,*          Only Server D.
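As an added example (not part of the manual or of SECUDE's own code), the following Python script applies the matching rules above together with the EnrollURL<n> sequence rules from the table in section 9.1.2 to a constructed policy: it picks the application context whose PSEURI pattern wins for a given SNC name, builds the ordered enroll URL list, and flags profiles whose enroll URLs are not HTTPS or that leave both SSL host name checks at their default of false. The host names, the case-insensitive comparison and the handling of blanks after commas are assumptions.

```python
"""Resolve which ClientPolicy.xml application context and enroll URLs apply to an SNC name."""
import re
import xml.etree.ElementTree as ET

# Constructed sample policy, trimmed from the manual's example; host names are placeholders.
POLICY_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<secude><securelogin><machine>
 <applications action="clean">
  <application name="High security SAP systems"><attributes>
   <attribute name="pseURI" value="SNC/*,CN=High-Security,*" type="string"/>
   <attribute name="profile" value="SAP with Windows Logon" type="string"/>
  </attributes></application>
  <application name="Server D"><attributes>
   <attribute name="pseURI" value="SNC/CN=Server-D,CN=High-Security,*" type="string"/>
   <attribute name="profile" value="SAP with RSA SecurID" type="string"/>
  </attributes></application>
  <application name="DEFAULT"><attributes>
   <attribute name="pseURI" value="*" type="string"/>
   <attribute name="profile" value="*" type="string"/>
  </attributes></application>
 </applications>
 <profiles action="replace">
  <profile name="SAP with Windows Logon"><attributes>
   <attribute name="pseType" value="windowslogin" type="string"/>
   <attribute name="enrollURL0" value="https://adslogin.example:8443/securelogin/PseServer?id=0003" type="string"/>
   <attribute name="enrollURL1" value="" type="string"/>
   <attribute name="enrollURL2" value="https://adsbackup.example:8443/securelogin/PseServer?id=0003" type="string"/>
   <attribute name="enrollURL4" value="https://unreachable.example:8443/securelogin/PseServer?id=0003" type="string"/>
   <attribute name="sslHostCommonNameCheck" value="true" type="boolean"/>
  </attributes></profile>
  <profile name="SAP with RSA SecurID"><attributes>
   <attribute name="pseType" value="promptedlogin" type="string"/>
   <attribute name="enrollURL0" value="http://rsalogin.example:8080/securelogin/PseServer?id=0001" type="string"/>
  </attributes></profile>
 </profiles>
</machine></securelogin></secude>"""


def _attrs(node):
    """name -> value map of the <attribute> elements below a node."""
    return {a.get("name"): a.get("value", "") for a in node.iter("attribute")}


def _normalise(dn):
    """Assumption: the client compares SNC names case-insensitively and ignores blanks after commas."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def pattern_matches(pattern, snc_name):
    """'*' stands for any run of characters, '?' for exactly one (section 9.1.3)."""
    regex = re.escape(_normalise(pattern)).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, _normalise(snc_name)) is not None


def best_pattern(patterns, snc_name):
    """Longest matching pattern wins; with equal length, the one with fewer wildcards."""
    matches = [p for p in patterns if pattern_matches(p, snc_name)]
    if not matches:
        return None
    return max(matches, key=lambda p: (len(p), -(p.count("*") + p.count("?"))))


def enroll_urls(profile):
    """Ordered enrollURL0, enrollURL1, ... list. Exact names are probed, so leading zeros never
    match; a missing number stops the sequence; an empty value is skipped but keeps the sequence."""
    urls, n = [], 0
    while f"enrollURL{n}" in profile:
        if profile[f"enrollURL{n}"].strip():
            urls.append(profile[f"enrollURL{n}"].strip())
        n += 1
    return urls


def profile_findings(profile):
    """Weak settings a reviewer would flag: clear-text enroll URLs and no peer host name check."""
    findings = [f"enroll URL not HTTPS: {u}" for u in enroll_urls(profile)
                if not u.lower().startswith("https://")]
    checks = ("sslHostCommonNameCheck", "sslHostAlternativeNameCheck")
    if not any(profile.get(c, "false").lower() == "true" for c in checks):
        findings.append("no SSL host name check enabled (both default to false)")
    return findings


def resolve(policy_xml, snc_name):
    """Application context, profile and enroll URL list the client would use for snc_name."""
    root = ET.fromstring(policy_xml.encode("iso-8859-1"))
    apps = {}
    for app in root.iter("application"):
        attrs = _attrs(app)
        apps[attrs["pseURI"]] = (app.get("name"), attrs["profile"])
    profiles = {p.get("name"): _attrs(p) for p in root.iter("profile")}
    chosen = best_pattern(list(apps), snc_name)
    if chosen is None:
        return None
    app_name, profile_name = apps[chosen]
    profile = profiles.get(profile_name, {})  # "*" = profile configured by the user, not in the policy
    return {"application": app_name, "profile": profile_name, "pseType": profile.get("pseType"),
            "enrollURLs": enroll_urls(profile), "findings": profile_findings(profile) if profile else []}
```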


9.1.4 Configuring Secure Login with Microsoft Group Policies

Introduction

SECUDE Secure Login allows you to integrate the registry keys and values for the SECUDE Secure Login Client in your company's group policies.

1. If you have not already installed the Secure Login group policy file supplied with the

installer package, double-click the package and follow the instructions until you get to

the Custom Setup dialog:

Figure 9-1 installer – custom setup – group policies

2. Deselect all of the components except Group Policies. Click Next and continue until

the installation is finished.

The SECUDEsecurelogin.ADM file will be copied to the following directory:

Windows\inf

When edited by the policy editor they will be copied to the following directory:

Windows\system32\GroupPolicies\adm

The SECUDEsecurelogin.ADM file contains the keys used to configure the SECUDE

security profiles.

In addition to installing the ADM file, selecting Group Policies

installs the full group policy documentation (HTML) to the

directory:

C:\Program Files\Common Files\SECUDE\officesecurity\ADM-DOC

As well as a link in the start menu:

Start > All Programs > SECUDE > officesecurity > ADM Documentation.

For a description of the keys and values, refer to the explanations provided by the group

policy editor.


9.2 Configurable Properties

Introduction

This section describes the Secure Login properties that can be configured via a number of files.

Sections

Section 9.2.1 "Files", on page 246

Section 9.2.2 "Web.xml", on page 247

Section 9.2.3 "Configuration.properties", on page 248

Section 9.2.4 "JAAS Module Configuration", on page 253

9.2.1 Files that Contain Configurable Properties

Introduction

This section details the configuration files needed by Secure Login.

Files

SECUDE Secure Login Server is configured in the following files (these files are included in

the installation package):

File to be configured, Details

Web.xml
    This file contains deployment information for the SECUDE Secure Login servlet. For further information refer to section 9.2.2 "Web.xml", on page 247.

Configuration.properties
    This is the main SECUDE Secure Login Server configuration file. For further information refer to section 9.2.3 "Configuration.properties" on page 248.

JAAS module configuration files
    These files define specific properties for authentication. NOTE: for each authentication method used (LDAP/ADS, RADIUS/RSA/SAP-ID), there is a separate JAAS module configuration file. For further information refer to section 9.2.4 "JAAS Module Configuration" on page 253.

Server message property files
    These files contain localized messages for the Clients.


9.2.2 Web.xml File

Introduction

The Web.xml file contains the deployment information for the SECUDE Secure Login

servlet. This information is required by the servlet engine to map the URL to a specific

servlet and it also contains further information for the operation of SECUDE Secure Login

Server.

You can configure the following parameters in the Web.xml file:

The location of the SECUDE Secure Login Server configuration.properties file.

The location of the lock file.

Configure configuration.properties File Location

Locate the following code snippet in the Web.xml file to set the file path:

<init-param>
    <param-name>ConfigURL</param-name>
    <param-value>URL</param-value>
</init-param>

Parameter, Details

URL
    Change the property URL to that of the configuration.properties file. For example:
    <Tomcat home>\Webapps\securelogin\WEB-INF\Instances\Configuration.properties

Configure Lock File Location

Locate the following code snippet in the Web.xml file to set the lock file path:

<init-param>
    <param-name>LockDir</param-name>
    <param-value>path</param-value>
</init-param>

Parameter, Details

path
    Path of the PseServer.lock file. By default the file is stored in the standard temporary directory of the Java VM. For example:
    <Tomcat home>\Webapps\securelogin\WEB-INF\Instances


9.2.3 Configuration.properties File

Introduction

The SECUDE Secure Login Server is configured via a set of properties stored in a standard

Java property file. The name of this file is configuration.properties.

The configuration.properties file does not contain authentication-specific

properties. It does contain the parameter AuthConfigPath which specifies the location

of the separate JAAS module configuration file. For further information refer to section

9.2.4 "JAAS Module Configuration" on page 253.

Multiple SECUDE Secure Login Server Instances

If several SECUDE Secure Login Server instances are to run on the same application Server, all SECUDE Secure Login Server instances have to use the same JAAS module configuration file. In other words, the AuthConfigPath parameter must contain the same value for all Server instances.

If you want to use different authentication-specific properties for different SECUDE Secure Login Server instances, you have to use different JAAS module names via the JaasModule configuration property.

Configurable Properties

The following table details the SECUDE Secure Login Server configuration properties (in alphabetical order):

Property (Mandatory/Optional), Details

AdminServletHeader (optional)
    Header displayed above the results on the result page of the administrative servlet.

AdminServletTrailer (optional)
    Trailer displayed below the results on the result page of the administrative servlet.

ArchivingDir (optional)
    Name of the directory in which certificate requests and certificates are archived. If set, this enables the archiving of all certificate requests and all issued certificates. Certificate requests are archived as BASE64 encoded PKCS#10 files; certificates are archived as BASE64 encoded PKCS#7 files.
    The file naming convention for both certificates and certificate requests is [date][user][ServerURL].ext, where:
    date is in the form yyyymmddhhmmssmm.
    user is the name of the authenticated user.
    ServerURL is derived from the URL of the SECUDE Secure Login Server by replacing all sequences of characters other than A-Z, a-z, 0-9, and dots (.) with one underscore (_). The ServerURL is empty if the user logs in via the Web Client.
    .ext is p10 or p7c for PKCS#10 or PKCS#7 files, respectively.

AuthConfigPath (mandatory)
    URL of the JAAS module configuration file.

CertificateFormat (optional)
    Type of the generated certificate. Possible values:
    V1 (default) for a version 1 certificate. For version 1 certificates the following properties are ignored: PrivateExtension, PrivateExtension.name, StandardExtension, CertificatePolicies.OID.
    V3 for a version 3 certificate. For version 3 certificates, the following standard extensions are always added to the certificate: BasicConstraints, KeyUsage.
    Note: V3 has a negative performance impact because the V3 format is more complicated than the V1 format.

CertificateName (optional)
    The case of the characters of the user name included as the DN in the certificate. Possible values: Uppercase, Lowercase.
    Default value: the user name is entered as it is received from the Client.

CertificatePolicies.OID (optional)
    If CertificatePolicies is specified in the StandardExtension property, this entry is used to list the object identifiers (separated by spaces) to be contained in the extension.
    Default value: the CertificatePolicies extension is not included in the certificate.

DailyLogDir (mandatory)
    Directory in which the daily log files are stored.

DailyLogPrefix (mandatory)
    Prefix for the daily log files. The generated log file name is prefix_yyyy_mm_dd.log; y, m, and d are as specified in the Java SDK API class java.text.SimpleDateFormat.

DN.country (mandatory)
    Country part of the DN for the certificate.

DN.locality (optional)
    Locality part of the DN for the certificate.

DN.organization (optional)
    Organization part of the DN for the certificate.

DN.organizationalUnit (optional)
    Organizational unit part of the DN for the certificate.

JaasModule (optional)
    Name of the JAAS module. The default value is SLSJaasModule.

LockServerOnEventLogFailure (optional)
    Defines whether the Server should be locked if transaction logging fails.
    False = do not lock the Server
    True = lock the Server

LockInstanceOnTransactionLogFailure
    Defines whether the Server instance should be locked if transaction logging fails.
    False = do not lock the Server
    True = lock the Server

MonthlyLogDir (mandatory)
    Directory in which the monthly log files are stored.

MonthlyLogPrefix (mandatory)
    Prefix for the monthly log files. The generated log file name is prefix_yyyy_mm.log; y and m are as specified in the Java SDK API class java.text.SimpleDateFormat.

PrivateExtension (optional)
    Contains a list of names (separated by spaces) of private extensions to be included in the certificate. For each name in the list, there has to be a property PrivateExtension.name.

PrivateExtension.name (optional)
    A Base64 encoded extension to be included in the certificate. Name must be one of the extension names specified in PrivateExtension.

PseName (mandatory)
    Name or URL of the PSE to be used. If PseType is configured to NativePSE, PseName has to be entered in the following form (follow the punctuation exactly):
    p11sc:,pkcs11 interface (vendor interface name 'pkcs11 library name'):

PsePassword (mandatory)
    Password of the PSE. The PSE password is encrypted with a standard 256 bit AES key via the Administration Console and is decrypted by Secure Login before being read.

PsePasswordIsUnencrypted (optional)
    Manually set the User CA PSE password (password is not encrypted).
    true: do not encrypt the password.
    false: encrypt the password.
    This feature is NOT recommended! It should only be used if you do not want to use the Administration Console.

PseType (mandatory)
    Type of PSE used by the Server to sign the generated certificates. Possible values:
    FilePSE for using a file PSE.
    NativePSE for using the native SECUDE core component for PSE access.

SerialNumberPolicy (optional)
    This parameter can be used to select the serial number generation algorithm. Possible value:
    Hash: the serial number is the hashed subject name (which is always the same for the same user but unique for different users). The property CertificateName=Uppercase must be entered as well.
    Default value: if empty or not entered, each newly issued certificate receives the current time stamp as the serial number (which is, in a way, unique).

StandardExtension (optional)
    List of additional standard extensions to be contained in the certificate. Possible values:
    AuthorityKeyIdentifier
    SubjectKeyIdentifier
    CertificatePolicies
    In the case of CertificatePolicies, the policy OIDs have to be specified via the property CertificatePolicies.OID. Other values are ignored.

UseUPN (optional)
    Determines the UPN (User Principal Name) for the user certificate. Possible values:
    true (default): use the complete UPN.
    false: use the user name component of the UPN.

ValidityMinutes (mandatory)
    Time period in minutes that the generated certificate is valid.

ValidityOffset (mandatory)
    Time offset in minutes relative to the Server system time for the certificates to start being valid.

Sample configuration

.properties

File

#This is the SecureLogin configuration file

#Last Modified:Wed Jan 16 18:05:38 CET 2008

# These properties are the global settings

AdminUser=SECUDEAdmin

AdminPassword=7ZUHN9miuh7nuhoO98HGZo\=\=

AuthConfigPath=file\:C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\SLSJaasModule.login

TrustStore=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\TrustStore.jks

TrustStorePassword=HJU7hg1tkjU/hj8U/onli8HJgZ7H\=\=

Localization=en

doTrace=true

ActiveInstances=00020

LastServerID=00020

# The default settings for the Server instance

PseType=FilePSE

PseName=file\:C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\SLS_USERCA_PSE.pse

PsePassword=7ZUHN9miuh7nuhoO98HGZo\=\=

DN.country=DE

DN.locality=Darmstadt

DN.organization=SECUDE

DN.organizationalUnit=

ValidityMinutes=480

ValidityOffset=-5

CertificateFormat=V3

CertificateName=Uppercase

UseUPN=true

StandardExtension=AuthorityKeyIdentifier SubjectKeyIdentifier

KeyUsage=DigitalSignature NonRepudiation KeyEncipherment DataEncipherment

ExtendedKeyUsage=

PrivateExtension=

SerialNumberPolicy=Hash

ClientDisc=This is a private computer facility. Access to it for any reason must be specifically authorized.\r\n\r\nAuthorized users must use company systems in accordance with company policies and guidelines. Unauthorized access to this computer facility will expose you to criminal and/or civil proceedings.\r\n\r\nAll information contained in this computer system,

Page 252: SECUDE Secure Login 5.1 Installation Administration and Usage Manual en r17

SECUDE Secure Login 5.1 Installation, Administration and Usage Manual

252

including messages, is the property of the company. Subject to applicable law, the company reserves the right to access and disclose all information sent through or stored in this computer system, for any purpose.

ClientMotd=System Administrative Broadcast\:\r\nWe have determined that a

newer version of the Secude PSE Manager is available for your computer. If you have a high speed WAN link to the main installation point, installations can be executed from main Server download directory. Please update your system within 5 business days.

ClientInactivityTimeout=300

maxSessionInactiveInterval=640

DailyLogDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\log

DailyLogPrefix=Transaction

MonthlyLogDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\log

MonthlyLogPrefix=Event

LockDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\

AdminServletHeader=<p>The status of the PSE Server in the Hybury facility is as follows\:<p>

AdminServletTrailer=<p>Should a problem arise, please contact the support desk: <b>0100 203040</b> or send an email to <a

href\="mailto\:[email protected]">mailto\:[email protected]</a><p>

EnableLog=false

DN.commonName=

# The settings of the instance 00020

00020.PseType=FilePSE

00020.PseName=file\:C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\00020\\SLS_USERCA_PSE.pse

00020.PsePassword=7ZUHN9miuh7nuhoO98HGZo\=\=

00020.DN.country=DE

00020.DN.locality=Darmstadt

00020.DN.organization=SECUDE

00020.DN.organizationalUnit=

00020.ValidityMinutes=480

00020.ValidityOffset=-5

00020.CertificateFormat=V3

00020.CertificateName=Uppercase

00020.UseUPN=true

00020.StandardExtension=AuthorityKeyIdentifier SubjectKeyIdentifier

00020.KeyUsage=DigitalSignature NonRepudiation KeyEncipherment DataEncipherment

00020.ExtendedKeyUsage=

00020.PrivateExtension=

00020.SerialNumberPolicy=Hash

00020.ClientDisc=This is a private computer facility. Access to it for any reason must be specifically authorized.\r\n\r\nAuthorized users must use company systems in accordance with company policies and guidelines. Unauthorized access to this computer facility will expose you to criminal and/or civil proceedings.\r\n\r\nAll information contained in this computer system, including messages, is the property of the company. Subject to applicable law, the company reserves the right to access and disclose all information sent through or stored in this computer system, for any purpose.

00020.ClientMotd=System Administrative Broadcast\:\r\nWe have determined that a newer version of the Secude PSE Manager is available for your computer. If you have a high speed WAN link to the main installation point, installations can be executed from main Server download directory. Please update your system within 5 business days.

00020.ClientInactivityTimeout=300

00020.maxSessionInactiveInterval=640

00020.DailyLogDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\00020\\Log

00020.DailyLogPrefix=Transaction

00020.MonthlyLogDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\00020\\Log

00020.MonthlyLogPrefix=Event

00020.LockDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\00020

00020.AdminServletHeader=<p>The status of the PSE Server in the Hybury facility is as follows\:<p>

00020.AdminServletTrailer=<p>Should a problem arise, please contact the support desk: <b>0100 203040</b> or send an email to <a href\="mailto\:[email protected]">mailto\:[email protected]</a><p>

00020.EnableLog=false

00020.DN.commonName=

9.2.4 JAAS Module Configuration Files

Introduction

For each authentication method, a specific JAAS module has to be configured.

Contents

Section 9.2.4.1 „JAAS Module Configuration Files for LDAP/ADS‟, on page 253

Section 9.2.4.2 „JAAS Module Configuration Files for RADIUS/RSA‟, on page 257

Section 9.2.4.3 „JAAS Module Configuration Files for SAP ID‟, on page 260

9.2.4.1 JAAS Module Configuration Files for LDAP/ADS

Introduction

The JAAS module configuration file for LDAP/ADS contains the authentication specific

properties for LDAP authentication. The JAAS module class name for the LDAP module is:

com.secude.transfair.pepperbox.LdapJaasModule

Multiple Authentication Servers

Each LDAP Server has its own section in the JAAS module configuration file. If the first

Server cannot be reached, the next Server in the list is used (providing that more than one

Server is specified in the configuration file).

The order in which the Servers are entered in the configuration file defines the priority the

Servers have in the authentication process.

By default, the first Server in the list that can be reached ends the authentication

process, regardless of the type of response (OK or Access Denied). However, if the

parameter TryAllServers is set to true, all of the Servers are queried until the first

OK response is received.

Configurable Properties

The following table details the properties within the JAAS module configuration file for

LDAP/ADS (in alphabetical order):

Property (mandatory/optional): details

LdapBaseDN (optional)
    Specifies the base domain name that is combined with the user name before sending it to the Active Directory Server. The following formats are valid:
    - Domain part of UPN: the domain part is appended to the user name, using the @ separator. Example: if set to my.domain.com, the user test is authenticated as [email protected] with the respective Server.
    - Complete DN: the variable $USERID is replaced with the user name. Example: if set to cn=$USERID,cn=Users,dc=domain,dc=com, the user test is authenticated as cn=test,cn=Users,dc=domain,dc=com with the respective Server.
    NOTE: If a password expiry warning message is configured, only the second form can be used. For further information refer to section 9.2.5.2 „Password Expiry Warning Message‟ on page 264.

LdapHost (mandatory)
    URL of the Active Directory Server used to authenticate the user. The LdapHost value is passed to JNDI; the interpretation of the protocol to be used is therefore performed entirely by the JVM. To use LDAP over SSL the protocol has to be ldaps. For example: ldaps://my.host.com:636

LdapProviderLanguage (optional)
    Character set encoding for communication between the Secure Login Server and the LDAP/ADS Server. For example: ISO-8859-1 (for ADS)

LdapTimeout (optional)
    Period of time (in milliseconds) the Secure Login Server waits for a response before trying the next LDAP/ADS Server.

PasswordExpirationAttribute (optional)
    The directory attribute that holds the expiry date of the password. For the LDAP Authentication Server, the date must be in one of the following formats:
    - GMT: 0060727081914Z or 0060727081914+0700Z
    - GMT in ADS format: 0060727081914.0Z or 0060727081914.0+0700Z
    - MS Gregorian calendar (the number of milliseconds since 01/01/1601), for example: 127984619236406250
    If a password expiry warning message is configured, the LdapBaseDN property must be given in complete DN form. The PasswordExpirationAttribute value is used for the password expiry warning only. For further information refer to section 9.2.5.2 „Password Expiry Warning Message‟ on page 264.

PasswordExpirationGracePeriod (optional)
    The interval (in days) prior to password expiry during which a password expiry warning is sent to the Client. For further information refer to section 9.2.5.2 „Password Expiry Warning Message‟ on page 264.

ServerID (optional)
    Determines which password expiry warning is used. This value is used for the password expiry warning only. For further information refer to section 9.2.5.2 „Password Expiry Warning Message‟ on page 264.

TrustStore (optional)
    Path to the CA certificates keystore used for Server authentication when using LDAP over SSL. The TrustStore applies globally to all LDAP modules. Use of the Java keystore (*.jks) is mandatory when using LDAP over SSL.

TryAllServers (optional)
    Determines when to try the next Server in the list. Values:
    - false (default): try the next Server only if this Server cannot be reached.
    - true: try the next Server if this Server cannot be reached or answers Access Denied.
    All Servers have to be configured to either false or true.


Sample JAAS Module Configuration File for LDAP/ADS

SLSJaasModule
{
    com.secude.transfair.pepperbox.LdapJaasModule sufficient
        LdapHost="ldaps://10.49.0.150:636"
        LdapBaseDN="secude.com"
        LdapTimeout="100"
        LdapProviderLanguage="en-US"
        TryAllServers="true";
    com.secude.transfair.pepperbox.LdapJaasModule sufficient
        LdapHost="ldap://10.49.3.166:389"
        LdapBaseDN="uid=$USERID,ou=people,dc=neptun,dc=secude,dc=com"
        LdapTimeout="100"
        LdapProviderLanguage="en-US"
        ServerID="LDAP1"
        PasswordExpirationAttribute="passwordRenew"
        PasswordExpirationGracePeriod="20"
        TryAllServers="true";
    com.secude.transfair.pepperbox.LdapJaasModule sufficient
        LdapHost="ldaps://10.49.0.151:636"
        LdapBaseDN="secude.com"
        LdapTimeout="100"
        LdapProviderLanguage="en-US"
        TryAllServers="true";
};
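The SLSJaasModule syntax shown above, parsed and checked against the rules from the property table (TryAllServers identical for all Servers, PasswordExpirationAttribute only with the complete-DN form of LdapBaseDN, a TrustStore when ldaps is used), as an added example that is not SECUDE's code; the sample configuration text and the bind_name helper are constructed from this section.

```python
"""Parser and consistency checker for the SLSJaasModule configuration syntax
shown above. Added example, not SECUDE code; the file text is constructed."""
import re
from typing import List

# Constructed sample in the manual's syntax. The second entry deliberately
# breaks two rules from the property table: TryAllServers differs from the
# first entry, and PasswordExpirationAttribute is combined with the UPN form
# of LdapBaseDN instead of the complete-DN form.
SAMPLE_CONFIG = r'''
SLSJaasModule
{
    com.secude.transfair.pepperbox.LdapJaasModule sufficient
        LdapHost="ldaps://10.49.0.150:636"
        LdapBaseDN="secude.com"
        LdapTimeout="100"
        TryAllServers="true";
    com.secude.transfair.pepperbox.LdapJaasModule sufficient
        LdapHost="ldap://10.49.3.166:389"
        LdapBaseDN="secude.com"
        ServerID="LDAP1"
        PasswordExpirationAttribute="passwordRenew"
        PasswordExpirationGracePeriod="20"
        TryAllServers="false";
};
'''

_BLOCK_RE = re.compile(r'SLSJaasModule\s*\{(.*)\}\s*;', re.S)
_ENTRY_RE = re.compile(r'(\S+)\s+(required|requisite|sufficient|optional)\s+(.*?);', re.S)
_OPTION_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def parse_jaas_modules(text: str) -> List[dict]:
    """Return one record per module entry: class name, JAAS control flag, options."""
    block = _BLOCK_RE.search(text)
    if block is None:
        raise ValueError("no SLSJaasModule block found")
    modules = []
    for cls, flag, body in _ENTRY_RE.findall(block.group(1)):
        modules.append({"class": cls, "flag": flag,
                        "options": dict(_OPTION_RE.findall(body))})
    return modules


def bind_name(ldap_base_dn: str, user: str) -> str:
    """Name sent to the directory, following the two LdapBaseDN forms (hypothetical helper)."""
    if "$USERID" in ldap_base_dn:                # complete DN form
        return ldap_base_dn.replace("$USERID", user)
    return f"{user}@{ldap_base_dn}"               # domain part of a UPN


def check_modules(modules: List[dict]) -> List[str]:
    """Apply the rules stated in the LDAP/ADS property table; return findings."""
    findings: List[str] = []
    try_all = {m["options"].get("TryAllServers", "false").lower() for m in modules}
    if len(try_all) > 1:
        findings.append("TryAllServers must be the same (true or false) for all Servers")
    any_ldaps = any(m["options"].get("LdapHost", "").startswith("ldaps://") for m in modules)
    if any_ldaps and not any(m["options"].get("TrustStore") for m in modules):
        findings.append("LDAP over SSL is used but no TrustStore (*.jks) is configured")
    for i, m in enumerate(modules, 1):
        o = m["options"]
        host = o.get("LdapHost", "")
        if not host:
            findings.append(f"entry {i}: LdapHost is mandatory")
        elif host.startswith("ldap://"):
            findings.append(f"entry {i}: {host} is plain LDAP; the bind travels unencrypted, prefer ldaps://")
        if o.get("PasswordExpirationAttribute") and "$USERID" not in o.get("LdapBaseDN", ""):
            findings.append(f"entry {i}: password expiry warning needs LdapBaseDN in complete DN form")
    return findings


if __name__ == "__main__":
    mods = parse_jaas_modules(SAMPLE_CONFIG)
    for m in mods:
        print(m["class"], m["flag"], bind_name(m["options"]["LdapBaseDN"], "test"))
    print("\n".join(check_modules(mods)))
```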


9.2.4.2 JAAS Module Configuration Files for RADIUS/RSA

Introduction

The JAAS module configuration file for RADIUS/RSA contains the authentication specific

properties for RADIUS authentication. The JAAS module class name for the RADIUS/RSA

module is: com.secude.transfair.pepperbox.RsaRadiusJaasModule

Multiple Authentication Servers

Each RADIUS/RSA Server has its own section in the JAAS module configuration file. If the

first Server cannot be reached, the next Server in the list is used (providing that more

than one Server is specified in the configuration file).

The order in which the Servers are entered in the configuration file defines the priority the

Servers have in the authentication process.

By default, the first Server in the list that can be reached ends the authentication

process, regardless of the type of response (OK or Access Denied). However, if the

parameter TryAllServers is set to true, all of the Servers are queried until the first

OK response is received.

Configurable Properties

The following table details the properties within the JAAS module configuration file for

RADIUS/RSA (in alphabetical order):

Property (mandatory/optional): details

Authenticator (mandatory)
    Authentication method for the RADIUS/RSA Server. Possible values: CHAP, MSCHAP, PAP.
    NOTE: The RSA Authentication Manager only supports the PAP authentication protocol.

AuthPort (mandatory)
    The port number used by the RADIUS/RSA Server for authentication requests.

PinAlphanumeric (optional)
    PIN format. This parameter is only used with RSA SecurID tokens. Possible values:
    - true: the user can choose, and use, a PIN which contains only alphanumeric characters (A-Z, a-z, 0-9).
    - false (default): the user can choose, and use, a PIN which contains alphanumeric and special characters (such as !$%&).
    The default password policy for RSA allows only numeric PINs, which cannot be set up via the Secure Login Server/Client policy properties.

PinMax (optional)
    Maximum PIN length for a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 8

PinMin (optional)
    Minimum PIN length for a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 4

RadiusServerIP (mandatory)
    Host address of the RADIUS/RSA Server (used for user authentication).

RSAServerIniFile (optional)
    For configuring RSA Server messages. If the RSA Server version is 6.1, a copy of the RSA Server RADIUS message *.ini file (securid.ini) has to be present. Make sure you enter the full path and file name, for example: <Tomcat home>\Webapps\securelogin\WEB-INF\securid.ini

SharedSecret (mandatory)
    Shared secret used by the RADIUS/RSA Server to encrypt the user password.

TimeOut (mandatory)
    Period of time (in milliseconds) the Secure Login Server waits for a response before trying the next RADIUS/RSA Server.

TryAllServers (optional)
    Determines when to try the next Server in the list. Values:
    - false (default): try the next Server only if this Server cannot be reached.
    - true: try the next Server if this Server cannot be reached or answers Access Denied.
    All Servers have to be configured to either false or true.

Other attributes (optional)
    Any RADIUS attribute present in the Client's dictionary and which the Server expects to be included in the request. For example: NAS-IP-Address, NAS-Port

Sample JAAS Module Configuration File for RADIUS / RSA – Example 1

SLSJaasModule
{
    com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
        RadiusServerIP="10.49.7.15"
        AuthPort="1812"
        SharedSecret="ActivPack"
        TimeOut="5000"
        Authenticator="pap"
        NAS-IP-Address="213.188.106.173"
        NAS-Port="235"
        TryAllServers="true";
    com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
        RadiusServerIP="10.49.2.5"
        AuthPort="1645"
        SharedSecret="secret"
        TimeOut="5000"
        Authenticator="pap"
        PinMin="6"
        PinMax="8"
        PinAlphanumeric="true"
        TryAllServers="true";
};


Example 2

The following configuration is for a scenario in which the Authentication Servers are

configured for failover and share the same user database. To prevent the counter for

failed logins from being incremented by 3, TryAllServers is set to false. When a user

enters the wrong password, only the first reachable Server answers Access Denied,

and increments the counter for failed logins by 1:

SLSJaasModule
{
    com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
        RadiusServerIP="10.49.7.15"
        AuthPort="1812"
        SharedSecret="ActivPack"
        TimeOut="5000"
        Authenticator="pap"
        NAS-IP-Address="213.188.106.173"
        NAS-Port="235"
        TryAllServers="false";
    com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
        RadiusServerIP="10.49.7.16"
        AuthPort="1812"
        SharedSecret="ActivPack"
        TimeOut="5000"
        Authenticator="pap"
        NAS-IP-Address="213.188.106.173"
        NAS-Port="235"
        TryAllServers="false";
    com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
        RadiusServerIP="10.49.7.17"
        AuthPort="1812"
        SharedSecret="ActivPack"
        TimeOut="5000"
        Authenticator="pap"
        NAS-IP-Address="213.188.106.173"
        NAS-Port="235"
        TryAllServers="false";
};
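The Server-list behaviour described for both the LDAP/ADS and the RADIUS/RSA modules (failover on unreachable Servers, TryAllServers) and the failed-login counter effect of Example 2, simulated as an added example that is not SECUDE's code; the Server answers and the shared user database are constructed.

```python
"""Simulation of the Server-list semantics the JAAS modules share (LDAP/ADS and
RADIUS/RSA): failover to the next Server when one cannot be reached, the
TryAllServers switch, and the failed-login counter of a user database shared
by all Servers (the Example 2 scenario). Added example, not SECUDE code; the
Server answers are constructed."""
from typing import Dict, List, Tuple

UNREACHABLE, DENIED, OK = "unreachable", "Access Denied", "OK"


class Server:
    """One module entry in configured order; `answer` is what it would reply
    to this login attempt, or UNREACHABLE if the connection fails."""

    def __init__(self, name: str, answer: str, user_db: Dict[str, int]):
        self.name = name
        self.answer = answer
        self.user_db = user_db   # failed-login counters; one shared dict models a shared database

    def ask(self, user: str) -> str:
        if self.answer == DENIED:
            self.user_db[user] = self.user_db.get(user, 0) + 1   # the backend records the failure
        return self.answer


def authenticate(servers: List[Server], user: str, try_all: bool) -> Tuple[str, List[str]]:
    """Walk the list in priority order and return (final answer, Servers asked).

    try_all=False (default): the first reachable Server ends the process,
    whatever it answers. try_all=True: keep going past Access Denied until
    the first OK."""
    asked: List[str] = []
    for server in servers:
        asked.append(server.name)
        answer = server.ask(user)
        if answer == UNREACHABLE:
            continue                     # both modes: next Server in the list
        if answer == DENIED and try_all:
            continue                     # TryAllServers=true: keep querying
        return answer, asked             # OK, or Access Denied with try_all=False
    if any(s.answer == DENIED for s in servers):
        return DENIED, asked             # every reachable Server denied
    return UNREACHABLE, asked            # no Server could be reached at all


def wrong_password_scenario(try_all: bool) -> Tuple[str, List[str], int]:
    """Example 2: three failover RADIUS Servers sharing one user database and a
    user typing a wrong password. Returns (answer, Servers asked, failed-login count)."""
    shared_db: Dict[str, int] = {}
    servers = [Server(f"10.49.7.{n}", DENIED, shared_db) for n in (15, 16, 17)]
    answer, asked = authenticate(servers, "alice", try_all)
    return answer, asked, shared_db.get("alice", 0)


def failover_scenario(try_all: bool) -> Tuple[str, List[str]]:
    """First Server down, second denies, third accepts: only TryAllServers=true
    reaches the third one (constructed Server names)."""
    db: Dict[str, int] = {}
    servers = [Server("ldap-a", UNREACHABLE, db), Server("ldap-b", DENIED, db),
               Server("ldap-c", OK, db)]
    return authenticate(servers, "alice", try_all)


if __name__ == "__main__":
    for mode in (False, True):
        print(f"TryAllServers={str(mode).lower()}:",
              wrong_password_scenario(mode), failover_scenario(mode))
```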


9.2.4.3 JAAS Module Configuration Files for SAP ID

Introduction

The JAAS module configuration file SLSsap.login must be configured if you want to use

SAP ID-based authentication.

Example Configuration File

Here is an example of a finished configuration file:

SLSJaasModule
{
    com.secude.transfair.pepperbox.SAPJaasModule sufficient
        SAPServer="10.49.7.3"
        Client="000"
        SystemNo="00"
        SNCServerName="p:CN=SAP NetWeaver 2004, O=secude.local, C=DE"
        SAPaccount="SLSServer"
        NativeLibraryPath="C:\\SECUDE";
};

Configurable Properties

The following table details the properties within the JAAS module configuration file for SAP

ID (in alphabetical order):

Property (mandatory/optional): details

Client (mandatory)
    SAP System ID

NativeLibraryPath (mandatory)
    The fully qualified path to the native files (SECUDE SNC plus, if needed, SAP JCO)

PasswordAlphanumeric (optional)
    This parameter is part of the password policy for the Client-side policy consistency check. Possible values:
    - true (default): the password can contain only alphanumeric characters (A-Z, a-z, 0-9).
    - false: the password can contain alphanumeric and special characters (such as !$%&).
    This parameter must be consistent with the SAP password policy.

PasswordMax (optional)
    This parameter is part of the password policy for the Client-side policy consistency check, specifically the maximum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 30

PasswordMin (optional)
    This parameter is part of the password policy for the Client-side policy consistency check, specifically the minimum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 1

SAPaccount (mandatory)
    The SAP user account name for the SECUDE Secure Login Server.

SAPServer (mandatory)
    IP or URL of the SAP Server

SNCServerName (mandatory)
    The DN of the SAP Server, as stated in the Server certificate (the subject DN of the X.509 certificate). For example: p:CN=SAP NetWeaver 2004, O=secude.local, C=DE

SystemNo (mandatory)
    SAP System Number

TryAllServers (optional)
    Determines when to try the next Server in the list. Values:
    - false (default): try the next Server only if this Server cannot be reached.
    - true: try the next Server if this Server cannot be reached or answers Access Denied.
    All Servers have to be configured to either false or true.

Please contact the SAP Server administrator to make sure that the password policy

information in the configuration file is correct.

Related Information

For information about SECUDE Secure Login Server error codes that may be produced by

the JAAS module, refer to section 8.3 „SAP ID Error Codes and Return Codes‟ on page

232.


9.2.5 Files for Server Message Configuration

Introduction

The SECUDE Secure Login Server can provide localized messages for the Clients. This is

done by creating property files for all required languages.

It is recommended to use the Administration Console to edit any messages (see section

6.1.11 on page 156).

Location of the Message Property Files

The property files have to be provided in the classes subdirectory of the application

Server‟s Webapps directory. For example (Tomcat):

<Tomcat home>\Webapps\securelogin\WEB-INF\classes

Message Property File Names

The property files for the Server messages are as follows:

ServerMsg.properties

ServerMsg_<language>.properties

ServerMsg_<language>_<country>.properties

The naming convention for the ServerMsg_ files uses the following placeholders:

- <language>: ISO 636 language code, consisting of two lower case letters

- <country>: ISO 3166 country code, consisting of two upper case letters

The Server provides the messages in the language requested by the Client, if available, or else uses a more generic language. For example, if the Client requests language de_CH, then the Server provides messages configured for de_CH, if available. If de_CH is not available, the Server provides messages configured for de, if available. If de is also not available, the Server provides messages configured in the generic ServerMsg.properties file.

Message Format

The message format can be either plain text or rich text. Rich text messages are contained in a body element. You can use the following codes:

<body>message</body>
    The whole rich text message has to be enclosed in body start and end tags.

\r\n
    Inserts a line break.

<b>text</b>
    Uses bold formatting for text.

<i>text</i>
    Uses italics formatting for text.

<any color="red">text</any>
    Uses the color red for text (red is the only color supported).

<a href="URL">anchor</a>
    Inserts a link to the destination URL with the link text anchor.


9.2.5.1 Configurable Messages

A property file for Server messages contains pairs of message code and message values.

Every property file must contain all message codes, but the message value part may be

left empty.

It is recommended to use the Administration Console to edit any messages (see section

6.1.11 on page 156).

To split long messages in the property file to span several lines, use backslash (\)

escaped line endings.

The configurable messages are as follows (the values shown are the messages as

delivered with Secure Login):

Message code and entry:

AUTH_EMPTY_CREDENTIAL_ERROR_MSG
    No empty usernames or passwords are allowed.

AUTH_LDAP_NAMING_ERROR_MSG
    The LDAP Server denied the retrieval of data with the entered username and password.

AUTH_RESULT_ACTION_DENIED_MSG
    The authentication failed.
    This message can be combined with the variable $SERVERMSG to present the user with a reason for the denial. The $SERVERMSG variable is an option to forward the raw Authentication Server message to the Secure Login Client. For example: Access denied because..$SERVERMSG
    The $SERVERMSG variable should only be used with Sun directory Servers and SAP-ID. If used with RSA no messages will be sent by default, and if used with ADS a cryptic text message will be sent.

AUTH_RESULT_ACTION_OK_MSG
    The authentication process has finished successfully.

AUTH_SERVER_CANT_RESOLVE_MSG
    The Authentication Server name cannot be resolved.

AUTH_SERVER_TIMEOUT_MSG
    While trying to reach the Authentication Server, a timeout occurred.

CONFIG_ACTION_DISCLAIMER_MSG
    The disclaimer message.

CONFIG_ACTION_MSG
    The salutatory message.

ERROR_ACTION_FORMAT_MSG
    An error occurred due to a message sent by the Client, which the Server cannot interpret.

ERROR_ACTION_INTERNAL_MSG
    A fatal error occurred due to Server problems.

<ServerID>_WARN_MSG
    <body><b>Attention!</b>Your password will expire on $EXPDATE</body>

NEW_PIN_REPLY_ACCEPTED_MSG
    The newly selected PIN has been accepted by the Server.

NEW_PIN_REPLY_REJECTED_MSG
    The newly selected PIN has been rejected by the Server.

NEW_PIN_REQUIRED_ACTION_MSG
    The user has to enter a new PIN for a Server forced PIN change.

SEND_NEXT_TOKEN_CODE_ACTION_MSG
    The user has to enter the next token code displayed on the RSA SecurID token.

STATUS_ACTION_MSG
    The current Server status is enclosed with this transfairgram (only for diagnostic purpose).

In addition, optional password expiration messages for LDAP Authentication Servers can

be included in this file. For further information refer to section 9.2.5.2 „Password Expiry

Warning Message‟ on page 264.

9.2.5.2 Password Expiry Warning Message

Introduction

The property file for Server messages may optionally contain password expiry warning

messages for any LDAP Authentication Server.

Examples

An entry for such a message has the following structure:

ServerID_WARN_MSG = <body><b>Attention!</b> Your password will expire on $EXPDATE.</body>

The following list details the variables in the warning message:

ServerID
    Determines which password expiry warning is used for which Server. Corresponds to the ServerID property in the JAAS module configuration file (see section 9.2.4.1 „JAAS Module Configuration Files for LDAP/ADS‟ on page 253).

$EXPDATE
    You can use the $EXPDATE variable in the password expiry warning to state the expiry date in the message. The date is retrieved from the LDAP/ADS Server using the PasswordExpirationAttribute property in the JAAS module configuration file. The date is formatted according to the local settings of the Client.
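The password expiry warning chain described in the LDAP/ADS property table (PasswordExpirationAttribute, PasswordExpirationGracePeriod, ServerID) and in this section, worked through end to end as an added example that is not SECUDE's code; the ServerMsg files, the attribute values and the FILETIME reading of the third date format are assumptions stated in the comments.

```python
"""Builds the password expiry warning of section 9.2.5.2 end to end: parses the
PasswordExpirationAttribute value in the formats listed for LDAP/ADS, applies
PasswordExpirationGracePeriod, picks the ServerMsg property file by the
Client's locale (de_CH -> de -> ServerMsg) and fills in $EXPDATE. Added
example, not SECUDE code; message files and attribute values are constructed."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# GeneralizedTime as in the manual's first two formats: 14 digits, an optional
# ADS-style fraction (".0") and either Z or a +hhmm/-hhmm offset; a trailing Z
# after the offset, as printed in the manual, is tolerated.
_GT_RE = re.compile(r'^(\d{14})(?:\.\d+)?(Z|[+-]\d{4})Z?$')

# Third format: a count since 01/01/1601. The manual calls it milliseconds, but
# its own sample value (127984619236406250) lands in July 2006, like the other
# samples, only when read as 100-nanosecond ticks (Windows FILETIME); that unit
# is assumed here.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_expiry(value: str) -> datetime:
    """Return the expiry instant as an aware UTC datetime."""
    m = _GT_RE.match(value)
    if m:
        naive = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
        if m.group(2) == "Z":
            return naive.replace(tzinfo=timezone.utc)
        sign = 1 if m.group(2)[0] == "+" else -1
        offset = timedelta(hours=int(m.group(2)[1:3]), minutes=int(m.group(2)[3:5]))
        return naive.replace(tzinfo=timezone(sign * offset)).astimezone(timezone.utc)
    if value.isdigit():
        return _FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)
    raise ValueError(f"unsupported expiry format: {value!r}")


def resolve_messages(files: Dict[str, Dict[str, str]], locale: str) -> Dict[str, str]:
    """ServerMsg_<language>_<country>, then ServerMsg_<language>, then ServerMsg."""
    for name in (f"ServerMsg_{locale}", f"ServerMsg_{locale.split('_')[0]}", "ServerMsg"):
        if name in files:
            return files[name]
    raise KeyError("ServerMsg.properties is missing")


def expiry_warning(files: Dict[str, Dict[str, str]], locale: str, server_id: str,
                   attr_value: str, grace_days: int, now: datetime) -> Optional[str]:
    """Warning text for the Client, or None while expiry is outside the grace period."""
    expires = parse_expiry(attr_value)
    if expires - now > timedelta(days=grace_days):
        return None
    template = resolve_messages(files, locale)[f"{server_id}_WARN_MSG"]
    # The real Client formats $EXPDATE with its local settings; a fixed UTC form here.
    return template.replace("$EXPDATE", expires.strftime("%Y-%m-%d %H:%M UTC"))


# Constructed message files, keyed by file name without ".properties".
MESSAGE_FILES = {
    "ServerMsg": {"LDAP1_WARN_MSG":
                  "<body><b>Attention!</b> Your password will expire on $EXPDATE.</body>"},
    "ServerMsg_de": {"LDAP1_WARN_MSG":
                     "<body><b>Achtung!</b> Ihr Passwort läuft am $EXPDATE ab.</body>"},
}

if __name__ == "__main__":
    now = parse_expiry("20060710120000Z")   # constructed "current time"
    for value in ("20060727081914Z", "20060727081914.0+0700Z", "127984619236406250"):
        print(value, "->", expiry_warning(MESSAGE_FILES, "de_CH", "LDAP1", value, 20, now))
```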

9.3 Secure Login Client Registry Values

Introduction

The properties for the Secure Login Client system service can be configured using the

customer.reg file or can be integrated in the company‟s group policies. The property

names are not case-sensitive.

Location

The following properties:

HttpProxyUrl

SSLHostCommonNameCheck

SSLHostAlternativenameCheck

SSlHostExtentionCheck

UseSslPse

…can be located under the registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\Profiles\<profile name>]

The other properties can be located under the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\SecureLogin\System

The following properties can be created/edited (property, data type, description and example):

DisableUpdatePolicyOnStartup (BOOLEAN)
    This sets whether the Client policy file is automatically downloaded and registered from an XML file when the system service is started.
    true = disable automatic policy download.
    false (default) = enable automatic policy download.

HttpProxyURL (STRING)
    HTTP proxy to be used with PolicyURL. Only HTTP proxies without authentication and without SSL to the proxy are supported. Example: http://proxy.secude.com:3128

NetworkTimeout (DWORD)
    Network timeout in seconds before the connection is closed if the Server does not respond (default: 45).

PolicyRetries (DWORD)
    The number of times the Client tries to retrieve the Clientpolicy.xml file from the policy Server before giving up.

PolicyTTL (DWORD)
    „Policy time-to-live‟. The lifetime, in minutes, of the SECUDE Secure Login Client policy before the Clientpolicy.xml file is retrieved from the policy Server again.

PolicyURL (STRING)
    Network resource where the latest SECUDE Secure Login Client policy can be downloaded from. Mandatory if an XML file is used for the policy Server, see section 9.1.1 „ClientPolicy.xml File‟ on page 239. Example: https://securelogin.secude.com:8443/securelogin/ClientPolicy.xml

SSLHostCommonNameCheck (BOOLEAN)
    SSL Server certificate: check whether the peer host name is given in its subject common name (default: false).

SSLHostAlternativeNameCheck (BOOLEAN)
    SSL Server certificate: check whether the peer host name is given in its subject alternative names (default: false).

SSLHostExtensionCheck (BOOLEAN)
    SSL Server certificate: check whether the peer‟s certificate has the extended key usage ServerAuthentication set (default: false).
    Note that with all three SSLHost*Check properties left at their default of false, the Client does not verify that the certificate presented over HTTPS belongs to the host name it connects to.

useSslPse (BOOLEAN)
    If true, turns on the former SSL PSE based trust store for HTTPS. If false (default), the Microsoft CAPI is used for HTTPS trust.


9.4 Key Usage Reference

Key usage extensions define the purpose of the public key contained in a certificate. You

can use them to restrict the public key to as few or as many operations as needed. For

example, if you have a key used only for signing, enable the digital signature and/or non-

repudiation extensions. Alternatively, if a key is used only for key management, enable key

encipherment.

The following table describes the key usage extensions available for keys created using the CA process.

Digital signature
    Use when the public key is used with a digital signature mechanism to support security services other than non-repudiation, certificate signing, or CRL signing. A digital signature is often used for entity authentication and data origin authentication with integrity.

Non-repudiation
    Use when the public key is used to verify digital signatures used to provide a non-repudiation service. Non-repudiation protects against the signing entity falsely denying some action (excluding certificate or CRL signing).

Key encipherment
    Use when a certificate will be used with a protocol that encrypts keys. An example is S/MIME enveloping, where a fast (symmetric) key is encrypted with the public key from the certificate. The SSL protocol also performs key encipherment.

Data encipherment
    Use when the public key is used for encrypting user data, other than cryptographic keys.

Key agreement
    Use when the sender and receiver of the public key need to derive the key without using encryption. This key can then be used to encrypt messages between the sender and receiver. Key agreement is typically used with Diffie-Hellman ciphers.

Encipher only
    Use only when key agreement is also enabled. This enables the public key to be used only for enciphering data while performing key agreement.

Decipher only
    Use only when „key agreement‟ is also enabled. This enables the public key to be used only for deciphering data while performing key agreement.

Client authentication
    Enable only for „Digital signature‟ and/or „Key agreement‟.

E-mail protection
    Enable only for „Digital signature‟, „Non-repudiation‟, and/or „Key encipherment‟ or „Key agreement‟.

Encrypted filesystem
    This key usage is defined by Microsoft. The certificate can be used to encrypt files by using the Encrypting File System. For further information refer to: http://msdn2.microsoft.com/en-gb/library/aa378132.aspx

Smart card login
    This key usage is defined by Microsoft. The certificate enables an individual to log on to a computer via a smart card.


10 List of Abbreviations

Abbreviation Meaning

ADS Active Directory Service

CA Certification Authority

CAPI Microsoft Crypto API

CSP Cryptographic Service Provider

DN Distinguished Name

EAR Enterprise Application Archive

HTTP Hyper Text Transport Protocol

HTTPS Hyper Text Transport Protocol with Secure Socket Layer (SSL)

JAAS Java Authentication and Authorization Service

LDAP Lightweight Directory Access Protocol

PIN Personal Identification Number

PKCS Public Key Cryptography Standards

PKCS#11 Cryptographic Token Interface Standard

PKCS#12 Personal Information Exchange Syntax Standard

PKI Public Key Infrastructure

PSE Personal Security Environment

RFC Remote function call (SAP NetWeaver term)

RSA Rivest, Shamir and Adleman

SLAC Secure Login Administration Console

SLC SECUDE Secure Login Client

SLS SECUDE Secure Login Server

SNC Secure Network Communication

SSL Secure Socket Layer

UPN User Principal Name

WAR Web Archive

WAS Web Application Server


Glossary

A

Authentication

A process that checks whether a person really is who they claim to be. In a multi-user or network

system, authentication means the validation of a user‟s logon information. A user‟s name

and password are compared against an authorized list.

B

Base64 encoding

The Base64 encoding is a three-byte to four-characters encoding based on an alphabet of

64 characters. This encoding has been introduced in PEM (RFC1421) and MIME. Other

uses include HTTP Basic Authentication Headers and general binary-to-text encoding

applications.

Note: Base64 encoding expands binary data by 33%, which is quite efficient.

C

CAPI

See „Cryptographic Application Programming Interface’

Certificate

A digital identity card. A certificate typically includes:

- The public key being signed.

- A name, which can refer to a person, a computer or an organization.

- A validity period.

- The location (URL) of a revocation center.

- The digital signature of the certificate produced by the CA‟s private key.

The most common certificate standard is the ITU-T X.509.

Certification Authority (CA)

An entity which issues and verifies digital certificates for use by other parties.

Certificate Store

Sets of security certificates belonging to user tokens or certification authorities.

CREDDIR

A directory on the Server in which information is placed that goes beyond the PSE

(personal security environment).

Credentials

Used to establish the identity of a party in communication. Usually they take the form of

machine-readable cryptographic keys and/or passwords. Cryptographic credentials may be

self-issued, or issued by a trusted third party; in many cases the only criterion for

issuance is unambiguous association of the credential with a specific, real individual or

other entity. Cryptographic credentials are often designed to expire after a certain period,

although this is not mandatory.

Credentials have a defined time to live (TTL) that is configured by a policy and managed by

a Client service process.

Cryptographic Application Programming Interface (CAPI)


The Cryptographic Application Programming Interface (also known variously as CryptoAPI, Microsoft Cryptography API, or simply CAPI) is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography. It is a set of dynamically linked libraries that provides an abstraction layer which isolates programmers from the code used to encrypt the data.

Cryptographic Token Interface Standard

A standardized cryptographic interface for devices that contain cryptographic information or that perform cryptographic functions.

D

Directory Service

Provides information in a structured format. Within a PKI: contains information about the public key of the user of the security infrastructure, similar to a telephone book (e.g. an X.500 or LDAP directory).

Distinguished Name (DN)

A name pattern that is used to create a globally unique identifier for a person. This name ensures that a certificate is never created for different people with the same name. The uniqueness of the certificate is additionally ensured by the name of the issuer of the certificate (that is, the certification authority) and the serial number. All PKI users require a unique name. Distinguished Names are defined in the ISO/ITU X.500 standard.

K

Key Usage

Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For example, if you have a key used only for signing, enable the digital signature and/or non-repudiation extensions. Alternatively, if a key is used only for key management, enable key encipherment.

Key Usage (extended)

Extended key usage further refines key usage extensions. An extended key usage extension is either critical or non-critical. If the extension is critical, the certificate must be used only for the indicated purpose or purposes. If the certificate is used for another purpose, it is in violation of the CA's policy.

If the extension is non-critical, it indicates the intended purpose or purposes of the key and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. The extension is then only an informational field and does not imply that the CA restricts use of the key to the purpose indicated. Nevertheless, applications that use certificates may require that a particular purpose be indicated in order for the certificate to be acceptable.
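As an added example that is not part of the manual, the following Python decodes the DER values of the keyUsage and extendedKeyUsage extensions as they appear in an X.509 certificate and applies the critical/non-critical rule from this entry to decide whether a certificate is acceptable for a given purpose. The OID-to-name table, the constructed sample EKU value and the `acceptable_for` policy function are this example's own; it assumes well-formed DER input.

```python
# Added example, not part of the SECUDE manual: decode the DER values of the X.509
# keyUsage and extendedKeyUsage extensions and apply the glossary rule (critical EKU
# restricts use; non-critical EKU is informational unless the application insists).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
             "1.3.6.1.5.5.7.3.4": "emailProtection", "1.3.6.1.4.1.311.20.2.2": "smartCardLogon"}
# Constructed sample value: an EKU listing clientAuth and Microsoft smartCardLogon (DER hex).
SAMPLE_EKU = bytes.fromhex("3016" "06082b06010505070302" "060a2b060104018237140202")

def _tlv(data, pos=0):  # one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_key_usage(der):
    """Set of usage names asserted by a DER keyUsage value (a BIT STRING)."""
    tag, body, _ = _tlv(der)
    if tag != 0x03:
        raise ValueError("keyUsage must be a BIT STRING")
    unused, bits = body[0], body[1:]         # first octet: count of unused trailing bits
    count = min(len(bits) * 8 - unused, len(KEY_USAGE_BITS))
    return {KEY_USAGE_BITS[i] for i in range(count) if bits[i // 8] & (0x80 >> i % 8)}

def decode_oid(body):  # OBJECT IDENTIFIER content octets -> dotted form
    arcs = [2, body[0] - 80] if body[0] >= 80 else [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:                       # base-128; high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_eku(der):
    """List of purposes in a DER extendedKeyUsage value (a SEQUENCE OF OID)."""
    tag, body, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    purposes, pos = [], 0
    while pos < len(body):
        _, oid, pos = _tlv(body, pos)        # each element is an OBJECT IDENTIFIER
        purposes.append(EKU_NAMES.get(decode_oid(oid), decode_oid(oid)))
    return purposes

def acceptable_for(purpose, eku_der, eku_critical, app_requires_purpose=True):
    """Glossary rule for one purpose name such as "clientAuth" or "smartCardLogon"."""
    if eku_der is None:                      # no EKU extension: fine unless the app insists
        return not app_requires_purpose
    listed = purpose in decode_eku(eku_der)
    if eku_critical:                         # critical: the CA restricts use to listed purposes
        return listed
    return listed or not app_requires_purpose  # non-critical: informational only
```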

L

Lightweight Directory Access Protocol (LDAP)

A network protocol designed to extract information such as names and e-mail addresses from a hierarchical directory such as X.500.

P

PKCS#11

“PKCS” refers to a group of Public Key Cryptography Standards devised and published by RSA Security. “PKCS#11” is an API defining a generic interface to cryptographic tokens.

PEM

See Privacy-Enhanced Mail.

Personal Identification Number (PIN)


A unique code number assigned to the authorized user.

Personal Information Exchange Syntax Standard

Specifies a portable format for saving or transporting a user's private keys, certificates, and other secret information.

Personal Security Environment

The PSE is a personal security area that every user requires to work with SECUDE. A PSE contains security-related information. This includes the certificate and its secret private key. The PSE can be either an encrypted file or a smart card and is protected with a password.

PIN

See Personal Identification Number.

Privacy-Enhanced Mail (PEM)

The first known use of Base 64 encoding for electronic data transfer was the Privacy-Enhanced Electronic Mail (PEM) protocol, proposed by RFC 989 in 1987. PEM defines a "printable encoding" scheme that uses Base 64 encoding to transform an arbitrary sequence of octets to a format that can be expressed in short lines of 7-bit characters, as required by transfer protocols such as SMTP.

The current version of PEM (specified in RFC 1421) uses a 64-character alphabet consisting of upper- and lower-case Roman alphabet characters (A–Z, a–z), the numerals (0–9), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code. The original specification additionally used the "*" symbol to delimit encoded but unencrypted data within the output stream.

Public FSD

Public file system device. An external storage device that uses the same file system as the operating system.

Public Key Cryptography Standards

A collection of standards published by RSA Security Inc. for the secure exchange of information over the Internet.

Public Key Infrastructure

Comprises the hardware, software, people, guidelines, and methods that are involved in creating, administering, saving, distributing, and revoking certificates based on asymmetric cryptography. It is often structured hierarchically.

In X.509 PKI systems, the hierarchy of certificates is always a top-down tree, with a root certificate at the top, representing a CA that does not need to be authenticated by a trusted third party.

R

Root certification authority

The highest certification authority in a PKI. All users of the PKI must trust it. Its certificate is signed with its own private key. There can be any number of CAs between a user certificate and the root certification authority. To check foreign certificates, a user requires the certificate path as well as the root certificate.

Root certificate

The certificate of the root CA.

RSA


An asymmetric cryptographic procedure, developed by Rivest, Shamir, and Adleman in 1977. It is the most widely used algorithm for encryption and authentication and is used in many common browsers and mail tools. Security depends on the length of the key: key lengths of 1024 bits or higher are regarded as secure.

S

Secure Network Communications

A module in the SAP NetWeaver system that handles communication with external cryptographic libraries. The library is addressed using GSS API functions and provides NetWeaver components with access to the security functionality of SECUDE.

Secure Sockets Layer

A protocol developed by Netscape Communications for setting up secure connections over insecure channels. Ensures the authentication of communication partners and the confidentiality, integrity, and authenticity of transferred data.

Single sign-on

A system that administers authentication information, allowing a user to log on to systems and open programs without the need to enter authentication information every time (automatic authentication).

T

Token

A security token (or sometimes a hardware token, authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens.

Smart-card-based USB tokens (which contain a smart card chip inside) provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device (smart card reader). From the computer operating system's point of view such a token is a USB-connected smart card reader with one non-removable smart card present.

Tokens provide access to a private key that allows performing cryptographic operations. The private key may be persistent (like a PSE file, smart card, or CAPI container) or non-persistent (like temporary SECUDE Secure Login keys).

W

Windows Credentials

A unique set of information authorizing the user to access the Windows operating system on a computer. The credentials usually comprise a user name, a password, and a domain name (optional).

X

X.500

A standardized format for a tree-structured directory service.

X.509

A standardized format for certificates and certificate revocation lists.


Index

A

About this manual ... 7
Active Directory Server (ADS) authentication ... 23
administration ... 119
administration console ... 119
administration console - application management ... 184
administration console - authentication management ... 131
administration console - certificate management ... 128
administration console - certificate template ... 143
administration console - change language ... 155
administration console - change the administrator password ... 122
administration console - client configuration ... 183
administration console - client profile management ... 187
administration console - console log viewer ... 165
administration console - files download ... 190
administration console - instance check ... 196
administration console - instance configuration ... 179
administration console - instance log management ... 192
administration console - instance management ... 178
administration console - message settings ... 156
administration console - open ... 119
administration console - server configuration ... 124
administration console - server instance status ... 197
administration console - server status ... 162
administration console - signed certificate requests ... 163
administration console - SSS&JCO installation ... 158
administration console - system backup ... 151
administration console - system check ... 149
administration console - system restore ... 152
administration console - TrustStore management ... 141
ADS/LDAP - configure ... 85
application management ... 184
archived log ... 196
authentication management ... 131
authentication method (PKI) ... 13

C

certificate management ... 128
certificate template ... 143
certificate template - create new ... 144
certificate template - export ... 147
certificate template - import ... 148
certificate template - mapping ... 146
change language ... 155
client authentication ... 266
client configuration ... 183
client policy ... 239
client profile management ... 187
client URL - troubleshooting ... 218
ClientPolicy.xml - registry keys ... 239
configurable messages ... 263
configurable properties ... 246
configuration.properties ... 248
Configure Authentication Server Communication ... 84
Configure SSL in Tomcat ... 36
console log viewer ... 165
Contacting Technical Support ... 10
Conventions used in this manual ... 9

D

daily log ... 193
daily log file ... 213
data encipherment ... 266
decipher only ... 266
digital signature ... 266
download files secure login client ... 190

E

e-mail protection ... 266
encipher only ... 266
encrypted filesystem ... 266
environment variables - SAP ID-based logon ... 217
error and return codes ... 231

F

files download ... 190
files download - global client policy ... 191

G

global client policy ... 191


I

Icons used in this manual ... 10
instance check ... 196
instance configuration ... 179
instance log management ... 192
instance management ... 178
instance status ... 197
Instances - global client policy ... 191
instances - overview ... 18

J

JAAS module - configuration files ... 253
JAAS module - LDAP/ADS ... 253
JAAS module - RADIUS/RSA ... 257
JAAS module - SAP ID ... 260
JCO - installation ... 158

K

key agreement ... 266
key encipherment ... 266
Key Length Policies ... 212
key usage - reference ... 238, 266

L

LD_LIBRARY_PATH ... 217
log files ... 213
log settings ... 195
logging - archived log files ... 196
logging - daily log ... 193
logging - daily log file ... 213
logging - instance log management ... 192
logging - log settings ... 195
logging - monthly log file ... 215
logging - view console logs ... 165

M

message settings ... 156
messages - configure ... 263
Microsoft crypto store ... 12
Microsoft group policies ... 245
Migrate from an Existing SECUDE secure login Server ... 82
monthly log file ... 215

N

non-repudiation ... 266

O

other administration features ... 206

P

password expiry - warning message ... 264
password expiry warnings ... 220
PKI certificate ... 12
policy server overview ... 30
PseServer.lock ... 216

R

RADIUS / RSA authentication ... 24
RADIUS/RSA - configure ... 86
registry values - secure login client ... 264
Related documentation ... 7
Restore from an Existing secure login Server Backup (*.zip) File ... 83
return codes ... 231

S

SAP ID authentication ... 25
SAP ID-based logon - configure ... 87
SAP Logon Ticket authentication ... 28
SAP Logon Ticket-based logon - configure ... 89
SAP NetWeaver ... 49
SAP NetWeaver - installation ... 40, 42
SECUDE50secureloginServer.zip ... 109
secure login - authentication Method (PKI) ... 13
secure login - authentication methods ... 22
secure login - instance/server lock ... 219
secure login - server lock and unlock ... 216
secure login - system overview ... 16
secure login - what is it? ... 11
secure login client - registry values ... 264
secure login client - remove ... 106
secure login client installation ... 94, 98
secure login client installation - MSI options ... 103
secure login client rollout ... 97
secure login components ... 13
secure login server - remove (ADS, LDAP, Radius, SAP ID) ... 91
secure login server - remove (SAP NetWeaver) ... 92
server configuration ... 124
server installation ... 32
server lock and unlock ... 216
server message configuration - files ... 262
Server Setup Wizard ... 43, 54, 63
server status ... 162
signed certificate requests ... 163
signon&secure - installation ... 158
smart card login ... 266
SNC connection - troubleshooting ... 221
SQL Database Table authentication ... 22, 28
SQL Database-based logon - configure ... 89
SSL.PSE ... 218
SSL.PSE-based TrustStore for HTTPS ... 218


SSS&JCO installation ... 158
status query - internet browser ... 206
Support ... 10
system backup ... 151
system check ... 149
system overview ... 12, 16
system overview - PKI ... 13
system restore ... 152

T

Target audience ... 7
Technical Support, contacting ... 10
Tomcat - configure SSL ... 36
trace messages - enable/disable ... 215
tracing ... 215
Troubleshooting ... 211
TrustStore management ... 141

W

warnings - password expiry ... 220
Web Client ... 109
web.xml ... 247
what is SECUDE secure login? ... 11

X

XML Interface ... 209