Believe in a higher level of IT security
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
Copyright
© 2010 SECUDE AG. All Rights Reserved.
This SECUDE-branded software and its corresponding documentation is the exclusive property of
SECUDE AG of Emmetten, Switzerland and is protected under the various copyright laws around the
world and by various other intellectual property laws. Use of this software and/or its documentation
and any copying thereof by end users is subject to the terms of a license agreement with SECUDE AG.
The wrongful use or copying of this software and/or documentation subjects infringers to both criminal
and civil liabilities.
The SECUDE and FinallySecure trademarks are owned by SECUDE AG, protected internationally and
used by SECUDE AG pursuant to an exclusive license. All other trademarks, service marks, and trade
names referenced herein are the property of their respective owners.
ANY USE, COPYING, REPRODUCTION, ALTERATION, TRANSMISSION, OR TRANSLATION OF THESE
MATERIALS, IN WHOLE OR IN PART, IN ANY FORM OR BY ANY MEANS, IS STRICTLY PROHIBITED
WITHOUT THE PRIOR WRITTEN PERMISSION OF SECUDE AG. IF THIS MATERIAL IS PROVIDED WITH
SOFTWARE LICENSED BY SECUDE, THE INFORMATION HEREIN IS PROVIDED SUBJECT TO THE TERMS
OF THE WARRANTY PROVIDED WITH THE PRODUCT LICENSE. IF THIS MATERIAL IS NOT PROVIDED
WITH LICENSED SOFTWARE, THE INFORMATION HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY
OF ANY KIND. IN EITHER CASE, THERE ARE NO OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, OR QUALITY. IN NO EVENT SHALL SECUDE AG OR ANY
OF ITS AFFILIATES BE LIABLE FOR ANY DIRECT OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL,
PUNITIVE, OR EXEMPLARY DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE MATERIALS
AND/OR INFORMATION CONTAINED HEREIN. Some jurisdictions do not allow the exclusion of implied
warranties, so the above exclusion may not apply to you.
SECUDE AG takes reasonable measures to ensure the quality of the data and other information
produced herein. However, these materials may contain technical inaccuracies or typographical errors,
and are not guaranteed to be error-free. Information may be changed or updated without notice.
SECUDE AG has no obligation to update these materials based on changes to its products or services
or those of third parties. SECUDE AG may also make improvements or changes to the products or
services described in this information at any time without notice. SECUDE AG frequently releases new
versions of its software and updates them. Therefore, images shown in this document may be slightly
different from what you see on your screen.
As with any security product, SECUDE AG highly recommends backing up data as well as
passwords on a regular basis. SECUDE AG is not responsible for the loss of passwords or data that
cannot be retrieved based upon a user's failure to adhere to stringent backup and safe-keeping
conventions.
SECUDE
SECUDE AG
Bergegg 1
6376 Emmetten, NW
Switzerland
P: +41 (0) 44 575 19-00
F: +41 (0) 44 575 19-75

SECUDE IT Security GmbH
Goebelstrasse 21
64293 Darmstadt
Germany
P: +49 (0)6151 82897-0
F: +49 (0)6151 82897-26

SECUDE IT Security, LLC
380 Sundown Drive
Dawsonville, GA 30524
USA
P: +1 (706) 216 8609
F: +1 (706) 216 4696

Sales Europe: [email protected]
Sales US: [email protected]
Support Europe: [email protected]
Support US: [email protected]
Documentation: [email protected]
www.secude.com
www.finallysecure.com
Table of Contents
1 What is SECUDE Secure Login? 11
2 System Overview 12
2.1 System Overview with PKI 13
2.1.1 Main System Components 13
2.1.2 Authentication Method 13
2.1.3 Workflow 14
2.1.4 Secured Communication for SAP 15
2.2 System Overview with SECUDE Secure Login Server 16
2.2.1 Main System Components 16
2.2.2 Authentication Method 17
2.2.3 Instances 18
2.2.4 PKI Structure 19
2.2.5 Workflow 20
2.2.6 Secure Communication 21
2.3 Methods of Authentication in SECUDE Secure Login 22
2.3.1 Active Directory Server (ADS) Authentication 23
2.3.2 RADIUS / RSA Authentication 24
2.3.3 SAP ID Authentication 25
2.3.4 SAP Logon Ticket Authentication 28
2.3.5 SQL Database Authentication 28
2.4 Policy Server Overview 30
2.5 Secure Login Web Client 31
3 Server Installation, Configuration, and Removal 32
3.1 Prerequisites 33
3.1.1 Hardware Requirements 33
3.1.2 Software Requirements 33
3.2 Preparing the Server for Installation 34
3.3 Installation Procedure for Apache Tomcat-based Server Installations 35
3.3.1 Option to Configure SSL in Tomcat 36
3.3.2 Test the SSL Connection for Tomcat 36
3.3.3 Single Sign-On for the Administration Console (Tomcat Only) 37
3.4 Installation Procedure for BEA Weblogic-based Server Installations 40
3.5 Installation Procedure for SAP NetWeaver-based Server Installations 42
3.5.1 Configure the System Environment (only for SAP ID-Based Logon) 43
3.5.2 Configure the Authentication Server in SAP NetWeaver 49
3.5.3 Test the SSL Connection 53
3.6 Initialization and Configuration for ADS, LDAP, RADIUS, SAP ID, SAP Ticket, and Database Module 54
3.6.1 Step 1 - Initial Installation 54
3.6.2 Step 2 – Server-Specific Quick Initialization 56
3.6.3 Step 2 – Multiple Authentication Server Initialization – Expert Mode (Wizard) 63
3.6.4 Step 3 - Configure Authentication Server Communication 84
3.6.5 Step 4 - Test SECUDE Secure Login Server 90
3.7 Remove SECUDE Secure Login Server 91
3.7.1 Remove SECUDE Secure Login Server - Tomcat 91
3.7.2 Remove SECUDE Login Server – BEA Weblogic 92
3.7.3 Remove SECUDE Secure Login Server - SAP NetWeaver 92
4 Client Installation, Configuration, and Removal 94
4.1 Prerequisites 95
4.1.1 Hardware Requirements for SECUDE Secure Login Client 95
4.1.2 Software Requirements for SECUDE Secure Login Client 95
4.2 SECUDE Secure Login Client Preparation 96
4.3 Client Rollout 97
4.3.1 Installation 98
4.3.2 Command Line Options to Influence the MSI Setup 103
4.4 Remove SECUDE Secure Login Client 106
5 Secure Login plus Web Client - Installation, Usage, and Removal 109
5.1 Prerequisites 110
5.2 Preparing the Server for Installation 111
5.3 Install and Configure the Web Client 112
5.3.1 Web Client Installation on Tomcat 112
5.3.2 Web Client Installation on NetWeaver 114
5.4 Use the Web Client 115
5.4.1 Configure SSL Trust for the Web Client Java Applet 116
5.5 Remove the Web Client 117
6 Administration 119
6.1 Administration Console 119
6.1.1 Open the Console 119
6.1.2 Change the Administrator/User Password 122
6.1.3 Server Configuration 124
6.1.4 Certificate Management 128
6.1.5 Authentication Management 131
6.1.6 TrustStore Management 141
6.1.7 Certificate Template 143
6.1.8 System Check 149
6.1.9 Backup/Restore 150
6.1.10 Change Language 155
6.1.11 Message Setting 156
6.1.12 SSS&JCO Installation 158
6.1.13 Server Status 162
6.1.14 Sign Certificate Requests 163
6.1.15 Console Log Viewer 165
6.1.16 Web Client Configuration 166
6.2 Email Report&Alert Configuration 177
6.3 Instance Management 178
6.3.1 Instance Configuration 179
6.3.2 Customizing With User-Defined Properties 181
6.3.3 Client Configuration 183
6.3.4 Instance Log Management 192
6.3.5 Instance Check 196
6.3.6 Instance Status 197
6.4 Console Users 198
6.4.1 User Management 199
6.4.2 Role Management 202
6.4.3 Locked Files Management 205
6.5 Other Administration Features 206
6.5.1 Status Query via an Internet Browser 206
6.5.2 Secure Login Web Service Status Query 207
6.5.3 XML Interface 209
7 Troubleshooting 211
7.1 How to use Unlimited Key Length Policies 212
7.2 Log Files 213
7.2.1 Daily Log File 213
7.2.2 Monthly Log File 215
7.3 Turning Tracing On/Off 215
7.4 SECUDE Secure Login Server Lock and Unlock 216
7.5 Setting the Correct Environment Variables for SAP ID-Based Logon 217
7.6 Problems with the Client URL 218
7.7 Implement an SSL.PSE-Based TrustStore for HTTPS 218
7.8 ‘Access Denied’ Replies 219
7.9 Why the Secure Login Instance/Server is Locked 219
7.10 Password Expiry Warnings on Sun LDAP (1) 220
7.11 Password Expiry Warnings on Sun LDAP (2) 220
7.12 Secure Login Server Cannot Establish an SNC Connection to the SAP Server 221
7.13 Administration Console Pages Appear ‘broken’ 221
7.14 Problem Loading the GSS Library (SAP-ID Module) 222
7.15 Blank Page when Logging into the Secure Login Administration Console 223
7.16 Users Cannot be Successfully Authenticated to any JAAS Module 227
7.17 Enable Remote Access to Initialize and Configure Secure Login Server 229
7.18 Problems Accessing the Administration Console or the Web Client via Firefox 229
7.19 Error Message when viewing Certificate Details using Firefox 3 230
8 Error and Return Codes 231
8.1 ADS Authentication Errors 232
8.2 RSA Authentication Errors 232
8.3 SAP ID Error Codes and Return Codes 232
8.3.1 Authentication-based Codes 232
8.3.2 Password Change Related Codes 233
8.3.3 Connectivity Related Codes 233
8.4 Stacktrace Error Codes 234
8.5 Common Errors 236
8.6 CERT Errors 237
8.7 PSE Errors 237
9 Appendix 238
9.1 Client Policy 239
9.1.1 ClientPolicy.xml File Registry Keys and Values 239
9.1.2 ClientPolicy.xml File Example 240
9.1.3 Wildcards in Distinguished Names for the PSEURI Attribute 244
9.1.4 Configuring Secure Login with Microsoft Group Policies 245
9.2 Configurable Properties 246
9.2.1 Files that Contain Configurable Properties 246
9.2.2 Web.xml File 247
9.2.3 Configuration.properties File 248
9.2.4 JAAS Module Configuration Files 253
9.2.5 Files for Server Message Configuration 262
9.3 Secure Login Client Registry Values 264
9.4 Key Usage Reference 266
10 List of Abbreviations 267
Preface
About this Manual
This manual describes the administration tasks necessary to install, configure, and run
SECUDE Secure Login 5.1.1.
Target Audience
This manual is targeted at the system and security administrators responsible for the
installation and maintenance of Secure Login. It is necessary to have the following
knowledge to complete the tasks set in this manual:
Security knowledge!
For a list of hardware and software requirements for the Secure Login Client
installation, refer to section 4.1 on page 95.
For a list of hardware and software requirements for the Secure Login Server
installation, refer to section 3.1 on page 33.
Related Documentation
The following documentation is available for SECUDE Secure Login:
This manual.
The SECUDE signon&secure Server installation manual.
SECUDE Secure Login 5.1 Release notes
Secure Network Communications, SNC User Manual, version 1.2; SAP AG; Walldorf.
Contents
This manual contains the following chapters:
Chapter 1 ‘What is SECUDE Secure Login?’, on page 11
This chapter presents Secure Login.
Chapter 2 ‘System Overview’, on page 12
This chapter provides an overview of the overall system architecture and the principal
workflow. It also details the specific system architecture and workflow for the
authentication methods supported by Secure Login: ADS, RADIUS/RSA, and SAP ID-
based logon.
Chapter 3 ‘Server Installation, Configuration, and Removal’, on page 32
This chapter describes the installation of the SECUDE Secure Login Server.
Chapter 4 ‘Client Installation, Configuration, and Removal’, on page 94
This chapter describes the configuration and installation of the SECUDE Secure Login
Client.
Chapter 5 ‘Secure Login plus Web Client - Installation, Usage, and Removal’, on page 109
This chapter details the SECUDE Secure Login Web Client.
Chapter 6 ‘Administration’, on page 119
This chapter details how to monitor the SECUDE Secure Login Server.
Chapter 7 ‘Troubleshooting’, on page 211
This chapter describes the SECUDE Secure Login Server features for logging and error
recovery.
Chapter 8 ‘Error and Return Codes’, on page 231
This chapter describes error and return codes, their meaning, and possible corrections.
Chapter 9 ‘Appendix’, on page 238
This chapter contains various advanced details an administrator may need to configure
Secure Login.
Chapter 10 ‘List of Abbreviations’, on page 267
This chapter lists the abbreviations used in the manual.
A glossary and index are provided at the end of this manual.
Conventions used in this Manual
Style: Meaning
Bold: Emphasis; defined terms.
Italics: References, especially when referring to another manual's title; application or company names, such as Windows or SECUDE; important information appearing in notes, warnings, and hints.
Monospace: Package names; filenames and directory names; XML element names and attribute names; method names; variables; parameters; code examples.
Monospace italics: Replaceable elements within user input.
Monospace bold: Main element in a syntax description.
Initial Capital Letters: Tool names; product names.
<Pointed brackets>: Code elements (e.g. XML).
[Square brackets]: Options within a syntax description.
…|…: “or” within a syntax description.
Blue text: Elements of the graphical user interface; action sequences such as “Menu>Submenu” or “select Option X”; Internet links; cross references such as “see section 2.1”.
Icons and Step Indication in this Manual
Notes
Notes contain detailed information about a topic and are of direct importance to the subject
at hand. Notes are displayed in italic text, with a pen/paper icon to the left of the text body.
Warnings
A warning will contain information about circumstances, parameters, and so on that MUST
be fulfilled. Failure to comply will have consequences for the current operation. Warnings
are displayed in italic text with a warning icon to the left of the text body.
Hints
Hints contain useful information about the operation of the application. Hints are displayed
in italic text, with a light bulb icon to the left of the text body.
Steps/Procedures
Procedures indicate the steps necessary to perform a task. They are displayed in normal
text, with a light grey background.
Contacting Technical Support
For technical assistance contact SECUDE Support:
Phone: +49 (0)6151 82897 33
Fax: +49 (0)6151 82897 26
Email: [email protected] (Europe and Asia), [email protected] (USA)
Web: http://www.secude.com/htm/338/en/Support.htm
When you want to open a support case, please provide as much of the following information
as possible (error information needed by support will vary between products):
Name (customer or partner) and contract number
Name of SECUDE product plus version and service pack
Involved and relevant third-party products plus versions
The hardware on which the product is running plus Operating System + service pack
Date, time, and description of the error
Is the error reproducible? If yes, state the steps necessary to reproduce the error
Corresponding log files generated during operation
Any other information necessary to reproduce the error
Error priority:
Critical: Loss of data within the SECUDE application, severe memory leak, application crashes.
Major: The SECUDE application has a major loss of functionality.
Normal: The SECUDE application loses some functionality without a severe impact on the overall stability or data integrity.
Minor: The SECUDE application suffers minor functionality loss, or other problems for which an easy workaround is present.
Trivial: ‘Look and feel’ problems such as misspelled words or misaligned text.
Enhancement: Request for an enhancement to the SECUDE application.
1 What is SECUDE Secure Login?
Introduction
SECUDE Secure Login is an innovative software solution created specifically to improve
user and IT productivity and to protect business-critical data in SAP business solutions
through secure single sign-on to the SAP environment.
SECUDE Secure Login, together with SECUDE signon&secure, provides strong encryption,
secure communication, and single sign-on between a wide variety of SAP components,
including but not limited to:
SAPGUI and SAP NetWeaver platform via Secure Network Communications (SNC)
Web browsers and SAP Portal (via Secure Socket Layer – SSL)
Other SAP components such as SAP NetWeaver Java, SAP ITS, SAP Router, SAP LPD
Scope of secure communication
In a standard SAP setup, users enter their SAP user name and password into the SAPGUI
logon screen. SAP user names and passwords are transferred through the network without
encryption.
To help secure networks, SAP provides a ‘Secure Network Communications’ module (SNC)
that enables users to log in to SAP systems without entering a user name or password.
The SNC module can also pass calls through a third-party crypto-library to encrypt all
communication between the SAPGUI and SAP Server, thus providing secure single sign-on
to SAP.
SECUDE Secure Login is the third-party crypto-library of choice for SAP. It uses session
keys to encrypt the communication, and digital user certificates (X.509) for user
authentication.
Authentication mechanisms
SECUDE Secure Login allows you to benefit from the advantages of SNC without the need
to set up a Public Key Infrastructure (PKI). SECUDE Secure Login allows users to
authenticate via one of the following authentication mechanisms:
Windows logon information
Radius and RSA Token (one-time password)
LDAP
SAP user ID and password
SAP Logon Ticket
SQL Database
Smart card and PIN
If a PKI has already been set up, then the digital user certificates of the PKI can also be
used by SECUDE Secure Login. Further authentication mechanisms can be supported on
request – please contact SECUDE support.
Access methods
SECUDE Secure Login also helps save time insofar as, through the use of the optional
single sign-on, a user does not need to re-authenticate every time a new SAP application
is opened or a different SAP Server is used. It also provides single sign-on for Web
browser access to the SAP Portal (and other HTTPS-enabled Web applications) via SSL.
2 System Overview
Introduction
This chapter describes the SECUDE Secure Login architecture and concepts that are valid
for all product variants.
The product
SECUDE Secure Login is a Client/Server software system integrated with SAP software to
facilitate single sign-on, alternative user authentication, and enhanced security for
distributed SAP environments.
The SECUDE Secure Login Client is split into two variants:
A stand-alone Client (Windows only). The SECUDE Secure Login Client can either be used
with an existing public key infrastructure (PKI) or together with the SECUDE Secure Login
Server it can be used for certificate-based authentication without having to set up a PKI.
The stand-alone SECUDE Secure Login Client can use the following authentication
methods:
Smart cards and USB tokens with an existing PKI certificate
SECUDE Secure Login Server and Authentication Server are not necessary.
Microsoft Crypto Store
SECUDE Secure Login Server and Authentication Server are not necessary.
Windows credentials (without user interaction)
The user is authenticated via their Windows credentials (user name, domain,
password), which the user entered during Windows login. No SECUDE Secure Login
dialog box appears to ask for these values.
Username and password
The Client prompts for user name and password (e.g. with RSA SecurID) and
authenticates with these credentials via the SECUDE Secure Login Server.
All of these authentication methods can be used in parallel. A policy Server provides
profiles that specify how to log in to the intended SAP system.
A Web Client (via an Internet browser on almost any system). At the heart of the Web
Client is a signed Java applet. This means that the Internet browser will display a Java
warning prompting you to confirm the certificate with which the applet is signed. If you
decide not to trust the certificate, the applet will still run but the warning will reappear
the next time you log on. If you decide to trust the certificate, the warning will not reappear.
The SECUDE Secure Login Web Client has the same authentication methods as the
stand-alone Client but with the following limited functionality:
No single sign-on to SAP
No policy configuration
Only one instance can be used at any one time
Sections in this chapter
Section 2.1 ‘System Overview with PKI’ on page 13
Section 2.2 ‘System Overview with SECUDE Secure Login Server’ on page 16
Section 2.3 ‘Methods of Authentication in SECUDE Secure Login’ on page 22
Section 2.4 ‘Policy Server Overview’ on page 30
2.1 System Overview with PKI
The SECUDE Secure Login Client is integrated with SAP software to provide single sign-on
capability and enhanced security. An existing PKI structure can be used to create
certificates for user authentication.
2.1.1 Main System Components
The following figure shows the SECUDE Secure Login system environment with the main
system components if an existing PKI structure is used:
Figure 2-1 SECUDE Secure Login system environment with existing PKI
Client
The SECUDE Secure Login Client is responsible for the certificate-based login to the SAP
application Server and encryption of the SAP Client/Server communication.
Policy Server
The policy Server provides profiles that specify how to log in to the intended SAP system.
2.1.2 Authentication Method
In a system environment without SECUDE Secure Login Server, the SECUDE Secure Login
Client supports the following authentication methods:
Smart cards and USB tokens with an existing PKI certificate
Microsoft Crypto Store
2.1.3 Workflow
The following figure shows the principal workflow and communication between the
individual components:
Figure 2-2 Principal workflow between components
1. Upon connection start, the SECUDE Secure Login Client retrieves the SNC name from
the SAP Server.
2. The SECUDE Secure Login Client uses the authentication profile for this SNC name.
3. The SECUDE Secure Login Client receives the authentication data from the user login
token.
4. The user unlocks the login token by entering the PIN.
5. The SECUDE Secure Login Client provides the authentication data for SAP single sign-
on and secure communication between SAP Client and Server.
6. SAP GUI and NetWeaver Platform use SNC for secure communication. SAP Web Client
and SAP EP Server/SAP WAS use SSL for secure communication.
2.1.4 Secured Communication for SAP
Secure communication is established between all system components.
Figure 2-3 Secure communication for SAP
Secure communication between SAP GUI and SAP Server
Communication between the SAP GUI and the SAP NetWeaver Platform is protected using
the SECUDE Secure Login Client. This product integrates itself into the network interface of
any SAP process through the SAP SNC (Secure Network Communication) module. It
enables certificate-based authentication among SAP components. For example, an SAP
Client can authenticate itself using its certificate on the SAP application Server, and vice
versa. Communication takes place over a secure channel.
Secure communication between Internet Explorer and Web Server
The communication between Microsoft Internet Explorer and a Web Server can be secured
using SSL. The Web Server authenticates itself to the Web browser with its Server certificate
(Server authentication). In addition, the Web browser authenticates itself to the Web Server
with its user certificate (Client authentication).
Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic
operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto-
engines. The SECUDE Crypto Service Provider (SECUDE CSP) is such a plug-in. It provides
the user keys to all CAPI-enabled applications.
2.2 System Overview with SECUDE Secure Login Server
Introduction
SECUDE Secure Login Client/Server system is combined with an Authentication Server and
the SAP system to facilitate authentication and to enhance security.
Using the SECUDE Secure Login Client/Server system, it is possible to use certificate-
based authentication without having to set up a PKI.
Contents
Section 2.2.1 ‘Main System Components’, on page 16
Section 2.2.2 ‘Authentication Method’, on page 17
Section 2.2.3 ‘Instances’, on page 18
Section 2.2.4 ‘PKI Structure’, on page 19
Section 2.2.5 ‘Workflow’, on page 20
Section 2.2.6 ‘Secure Communication’, on page 21
2.2.1 Main System Components
The following figure shows the SECUDE Secure Login system environment with the main
system components:
Figure 2-4 SECUDE Secure Login system environment
Client
The SECUDE Secure Login Client is the Client part of the Client/Server system. It is
responsible for the certificate-based login to the SAP application Server and encryption of
the SAP Client/Server communication.
Server
The SECUDE Secure Login Server is the central Server component that connects all parts
of the system. It enables authentication against an Authentication Server and provides the
SECUDE Secure Login Client with a temporary certificate. This certificate contains the user
data and the public key to authenticate the user to the SAP application Server.
The SECUDE Secure Login Server is a pure Java application. It consists of a servlet and a
set of associated classes and shared libraries. It runs in a Server environment in
combination with an application Server (such as SAP NetWeaver) or a Web Server with a
servlet engine (such as Tomcat).
Policy Server
The policy Server provides profiles that specify how to log in to the intended SAP system.
2.2.2 Authentication Method
Introduction
SECUDE Secure Login supports several authentication methods. It uses the Java
Authentication and Authorization Service (JAAS) as a generic interface for the different
authentication methods. For each supported method, there is a corresponding
configurable JAAS module.
Supported
Authentication
Methods
The following authentication methods are supported:
Microsoft Active Directory Service (ADS)
RSA SecurID Token
RADIUS
SAP ID-based logon
SAP Logon Tickets
SQL Database Tables
Third-party JAAS module
For information on how to use a specific third-party JAAS module, refer to the proprietary
documentation.
Figure 2-5 SECUDE Secure Login Server with JAAS interface
2.2.3 Instances
The SECUDE Secure Login instances feature allows multiple instances of Secure Login to
run on the same Server. The main advantage of using instances is that the time spent on
maintaining Secure Login is reduced to a minimum. If you want the single-Server
functionality of Secure Login version 4.2 you need only use a single instance.
SECUDE Secure Login Server instances can use a common PSE file for one or more
instances, or you can set an individual PSE for each instance.
The SECUDE Secure Login Client authentication profiles can be configured to use different
SECUDE Secure Login Server instances for different authentication methods, or different
user groups can be assigned to a Server instance according to access rights/type. For
example:
Figure 2-6 Instances example
Failover
It is still possible to use several SECUDE Secure Login Servers and/or Authentication
Servers for failover. SECUDE Secure Login Server can connect to more than one
Authentication Server (all of which use the same authentication method).
Further Information
For details about how to configure instances via the Administration Console see section
6.2 on page 177.
2.2.4 PKI Structure
Introduction
SECUDE Secure Login creates standard X.509 certificates to authenticate users to the
SAP application Server and to encrypt the Client/Server communication. These user
certificates are generated on demand and have only a limited lifetime. Therefore, it is not
necessary to set up and administrate a standard PKI.
Nevertheless, SECUDE Secure Login needs two PKIs for the following two scenarios:
Secure communication between the SECUDE Secure Login Server and Client:
The Web Server needs a certificate for the SSL connection between the SECUDE
Secure Login Client and Server. The SECUDE Secure Login Client must verify the
certificate of the Web Server.
Secure communication between the SAP Client and SAP Server
The SAP Server needs a certificate to communicate securely with the SAP GUI.
The recommended simple PKI can be setup via the Administration Console.
Simple PKI Structure
Many possible PKI hierarchies meet the SECUDE Secure Login demands. The following
figure shows the simplest approach. It also complies with the convention that one CA
should only issue one kind of certificate.
Figure 2-7 Simple PKI structure
Trust Hierarchy
Each application Server (such as Tomcat or SAP NetWeaver) with a running SECUDE
Secure Login Server needs an SSL Server certificate (“SSL CA”, as shown in the previous
figure) and a corresponding key pair. With this SSL certificate, the Server can be
authenticated by the SECUDE Secure Login Client and the communication between the
SECUDE Secure Login Server and Client can be encrypted. The SECUDE Secure Login
Client must have a copy of the SSL certificate in order to verify the SECUDE Secure Login
Server certificate.
Each SAP application Server needs a key pair and a certificate from the “SAP CA”. This
Server certificate is used to encrypt the SNC channel between the SAP application Server
and the SAP GUI Client. The SAP GUI must have a copy of the root CA certificate in order
to verify the Server CA certificate provided to it by the SAP application Server.
The “User CA” (which generates each of the Client certificates: User 1, User 2, …, User n)
is included as part of the SECUDE Secure Login Server. The user CA key pair and
certificate, from which each Client certificate is derived, is stored in a personal security
environment (PSE).
2.2.5 Workflow
The following figure shows the principal workflow and communication between the
individual components:
Figure 2-8 Principal workflow
1. Upon connection start, the SECUDE Secure Login Client gets the SNC name from the
SAP Server.
2. The SECUDE Secure Login Client uses the Client policy for this SNC name. The Client
policy is either static (i.e. the Client policy information is set in the Windows registry),
or the policy information is retrieved dynamically from the Secure Login Server.
For further information about how to download the relevant files for a static or
dynamic Client policy see section 6.3.3 ‘Client Configuration’ on page 183.
3. The SECUDE Secure Login Client receives the user login as authentication data.
4. In addition, the SECUDE Secure Login Client generates an RSA key pair.
5. The SECUDE Secure Login Client sends the authentication data and the certification
request for the public key of the RSA key pair to the SECUDE Secure Login Server.
This connection is secured using SSL.
6. The SECUDE Secure Login Server forwards the authentication data to the
Authentication Server using a secure connection.
The Authentication Server informs the SECUDE Secure Login Server whether
authentication has been successful.
7. If authentication is successful, the SECUDE Secure Login Server generates a
temporary user certificate based on the user's public key and identification.
The certification reply is transferred from the SECUDE Secure Login Server to the
SECUDE Secure Login Client. The certification reply also contains necessary additional
certificates from the certificate chain.
8. The SECUDE Secure Login Client provides the certificate for SAP single sign-on and
secure communication between SAP Client and Server.
9. SAP GUI and NetWeaver Platform use SNC for secure communication. SAP Web Client
and SAP EP Server/SAP WAS use SSL for secure communication.
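The certification exchange of steps 4 to 7, as an added Go example that is not part of the product and not SECUDE's code: the Client generates an RSA key pair and a certification request (CSR), the Server accepts the request only after the Authentication Server has confirmed the credentials, certifies the public key for the authenticated name with a short lifetime, and the Client checks the certification reply (user certificate plus chain) against the root it trusts. The credential map standing in for the Authentication Server, the self-signed "Example User CA" standing in for the User CA and its PSE, the `user1` account, the counter-based serial numbers and the certificate lifetime are constructed assumptions; the SSL transport of step 5 is left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Constructed stand-in for the Authentication Server (ADS, RADIUS, ...): user name to password.
var authServer = map[string]string{"user1": "correct-horse-battery"}

// userCA is the "User CA" inside the Secure Login Server (the manual keeps it in a PSE).
type userCA struct {
	key    *rsa.PrivateKey
	cert   *x509.Certificate
	serial int64 // issuance counter (assumption; a production CA uses unpredictable serials)
}

// newUserCA creates a self-signed CA (assumption: the User CA is also the root the Client trusts).
func newUserCA() (*userCA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example User CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &userCA{key: key, cert: cert}, err
}

// clientRequest models steps 4 and 5: the Client generates an RSA key pair and a CSR for it.
func clientRequest(claimedName string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, // the name in the CSR is only a claim
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: claimedName}}, key)
	return key, csr, err
}

// issue models steps 6 and 7 on the Server: the credentials go to the Authentication Server; on
// success the CSR's public key is certified for the authenticated name, never the claimed one.
func (ca *userCA) issue(user, password string, csrDER []byte, ttl time.Duration) ([][]byte, error) {
	if pw, ok := authServer[user]; !ok || pw != password {
		return nil, errors.New("authentication server rejected the credentials")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, err
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), // temporary
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
	return [][]byte{der, ca.cert.Raw}, err // certification reply: user certificate, then the chain
}

// clientVerify models the Client's check of the reply: chain to the trusted root, client-auth usage
// and the expected user name.
func clientVerify(reply [][]byte, root *x509.Certificate, user string) (*x509.Certificate, error) {
	userCert, err := x509.ParseCertificate(reply[0])
	if err != nil {
		return nil, err
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, der := range reply[1:] { // chain certificates delivered with the reply
		if c, err := x509.ParseCertificate(der); err == nil {
			inter.AddCert(c)
		}
	}
	if _, err := userCert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, err
	}
	if userCert.Subject.CommonName != user {
		return nil, errors.New("certificate names a different user")
	}
	return userCert, nil
}
```

The point to take from the Server side is that the identity written into the certificate comes from the Authentication Server's answer, not from the CSR: a Client that edits the name in its request still only receives a certificate for the account it actually authenticated as. On the Client side, a reply whose chain does not end in the configured root is rejected before the certificate is handed to the SAP GUI; a complete Client would additionally confirm that the certificate carries the public key it generated in step 4.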
2.2.6 Secure Communication
Secure communication is established between all system components:
Figure 2-9 Secure communication
Communication Between SECUDE Secure Login Client and Server
Format
The communication between the Client and the Server uses SSL. The administrator must
configure the URL, including the port number of the Server, on the Clients.
Security
An SSL connection is necessary for secure communication. The SSL connection is
established using the certificate of the SECUDE Secure Login Server (Server
authentication).
Reliability
For an SSL connection, the SECUDE Secure Login Client must be configured to trust the
Server certificate. A list of SECUDE Secure Login Servers can be configured. If the Client
cannot reach a Server after a configurable time, it tries to connect to the next Server on
the list.
Communication Between SECUDE Secure Login Server and Authentication Server
Security
The communication between SECUDE Secure Login Server and Authentication Server must
be secured. This is important because the authentication data of the user is on the
network.
Reliability
A list of Authentication Servers can be configured in the SECUDE Secure Login Server. If
the SECUDE Secure Login Server cannot reach an Authentication Server after a
configurable time, it tries to connect to the next Server on the list.
Communication Between SAP GUI and SAP Server
Security
Communication between SAP GUI and the SAP NetWeaver Platform is protected using the
SECUDE Secure Login Client. This product integrates itself into the network interface of
any SAP process through the SAP SNC (Secure Network Communication) module. It
enables certificate-based authentication among SAP components. For example, an SAP
Client can authenticate itself using its certificate on the SAP application Server, and vice
versa. Communication takes place over a secure channel.
Communication Between Internet Explorer and Web Server
Security
The communication between Microsoft Internet Explorer and a Web Server can be secured
using SSL. The Web Server authenticates itself to the Web browser with its Server certificate
(Server authentication). In addition, the Web browser authenticates itself to the Web Server
with its user certificate (Client authentication).
Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic
operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto
engines. SECUDE Crypto Service Provider (SECUDE CSP) is such a plug-in. It provides the
user keys to all CAPI-enabled applications.
2.3 Methods of Authentication in SECUDE Secure Login
Introduction
This chapter details each of the authentication methods supported by Secure Login.
Contents
Section 2.3.1 ‘Active Directory Server (ADS) Authentication’, on page 23
Section 2.3.2 ‘RADIUS / RSA’, on page 24
Section 2.3.3 ‘SAP ID’, on page 25
Section 2.3.4 ‘SAP Logon Ticket Authentication’, on page 28
Section 2.3.5 ‘SQL Database Authentication’
2.3.1 Active Directory Server (ADS) Authentication
This section describes the specific system architecture and workflow for the SECUDE
Secure Login Active Directory Server (ADS) authentication method.
System Architecture for ADS
The following figure shows the SECUDE Secure Login system environment for ADS:
Figure 2-10 SECUDE Secure Login system environment for ADS
Client
The SECUDE Secure Login Client is integrated into the Windows logon process. It
sends the domain, user ID, and password entered by a user to the SECUDE Secure
Login Server to authenticate the user.
The SECUDE Secure Login Client is represented by a small icon in the system tray that
shows the status of the login.
Server
The SECUDE Secure Login Server receives the authentication data sent by the Client
and forwards it to the Microsoft Active Directory Service (ADS).
If the authentication on ADS is successful, the SECUDE Secure Login Server certifies
the user's public key. The certification reply is generated and transferred to the
Client.
If ADS cannot authenticate the user, the SECUDE Secure Login Server informs the
Client. The user can access neither the SNC-secured SAP NetWeaver Server nor the
SSL-secured Web Server.
The SECUDE Secure Login Server provides the service of an online certification
authority (CA).
ADS
The Microsoft ADS verifies the authentication data sent by the Client (domain, user
ID, password). It informs the SECUDE Secure Login Server about whether the user
could be authenticated.
Secure Login Process
1. A user logs on to Microsoft Windows as usual.
2. The SECUDE Secure Login Server receives the authentication information of the user's
Windows logon. It forwards the information via an SSL secured connection to the
Microsoft Active Directory Server and requests confirmation.
3. If the Microsoft Active Directory Server is able to authenticate the user successfully, a
temporary certificate is created for the user. This certificate is sent to the Client
workstation and made available to the SAP GUI for Windows. Thus, a certificate-based
login to the SAP application Server is performed without a corporate PKI.
4. When users start the SAP GUI for Windows, they are automatically logged on to the
SAP applications for which they have authorization. The connection to these SAP
applications is secure.
2.3.2 RADIUS / RSA Authentication
This chapter describes the specific system architecture and workflow for the SECUDE
Secure Login RADIUS/RSA authentication method.
System Architecture for RSA
The following figure shows the SECUDE Secure Login system environment for
RADIUS/RSA:
Figure 2-11 SECUDE Secure Login system environment for RADIUS/RSA
Client
The SECUDE Secure Login Client is a stand-alone Windows application. The SECUDE
Secure Login Client provides a user interface to enter a user name and a SecurID
password. The SecurID password is composed of a PIN which the user has to provide
and the one-time password generated by the RSA SecurID token.
Server
The SECUDE Secure Login Server receives the authentication data sent by the Client
and forwards it to the RSA Authentication Manager or another RADIUS Server.
If the authentication is successful, the SECUDE Secure Login Server certifies the
user's public key. The certification reply is generated and transferred to the Client.
If authentication fails, the SECUDE Secure Login Server informs the Client. The user
can access neither the SNC-secured SAP NetWeaver Server nor the SSL-secured Web
Server, but can repeat authentication.
RSA Authentication Manager
The RSA Authentication Manager verifies the authentication data sent by the Client. It
informs the SECUDE Secure Login Server about whether the user could be
authenticated.
Secure Login Process
1. A user enters his/her credentials using the SECUDE Secure Login Client user
interface.
2. The SECUDE Secure Login Server receives the authentication information. It forwards
the information to the RSA Authentication Manager or RADIUS Server and requests
confirmation.
3. If the RSA Authentication Manager or RADIUS Server is able to authenticate the user
successfully, a temporary certificate is created for the user. This certificate is sent to
the Client workstation and made available to the SAP GUI for Windows. Thus, a
certificate-based login to the SAP application Server is performed without a corporate
PKI.
2.3.3 SAP ID Authentication
This chapter describes the specific system architecture and workflow for the SECUDE
Secure Login SAP ID-based authentication method.
System Architecture for SAP ID-based Logon
The following figure shows the SECUDE Secure Login system environment for SAP ID-based
logon:
Figure 2-12 SECUDE Secure Login system environment for SAP ID-based logon
JAAS Module
The SAP ID variant of the SECUDE Secure Login Server consists of the normal SECUDE
Secure Login Server core components plus a special JAAS module to communicate
with the SAP Server.
The JAAS module uses two ABAP functions on the SAP Server via SNC secured RFC.
To use these RFC calls, the SAP Server version has to be at least 6.2.
For this method of authentication to work, several libraries are needed for the
SECUDE Secure Login Server to function correctly:
The native RFC library
An additional native library required for the JNI (Java Native Interface) access
The Java JCO library
For details about how to install these libraries refer to chapter 3 ‘Server Installation’,
on page 32.
SAP System User
An “SAP system user” is an individual with access rights beyond those of a normal
user. These rights can be used to check the logon details of a normal user.
The SAP System user profile must contain the following entries for this method of
authentication to work:
S_A.SCON
S_A.SYSTEM
S_USER_ALL
S_USER_RFC
Z_TRANS_RFC
Mode of Operation
The SECUDE Secure Login Server acts on behalf of the SAP system user and obtains
the normal SAP user logon data via the SECUDE Secure Login Client.
Password Policy
The SAP Server has a special password policy that can force the immediate change of
the user password under the following circumstances:
For newly created users during their initial logon to the SAP system
Password expiration date
SAP user administrator forced password changes
These changes are (and can only be) triggered by the SAP Server. The SECUDE Secure
Login Server and Client cannot force a change.
The confidentiality of the SAP user password is ensured by using SNC to protect the
connection between the SAP Server and the SECUDE Secure Login Server.
Password Rejection
In the password change process the new password might be rejected by the SAP
Server for the following reasons:
Password does not comply with password policy (length, complexity)
Password is already present in password history
The wrong password has been entered too many times
As with the password policy, password rejection is controlled by the SAP Server.
Secure Login Process
The following figure shows the SECUDE Secure Login process for SAP ID-based logon:
Figure 2-13 SECUDE Secure Login process for SAP ID-based logon
1. In the first step, a process initialization request is sent from the SECUDE Secure
Login Client to the SECUDE Secure Login Server.
2. The SECUDE Secure Login Server replies that initialization can start.
3. The SECUDE Secure Login Client sends a logon request (plus unsigned certificate) to
the SAP Server via the SECUDE Secure Login Server.
4. The SAP Server will reply with one of the following:
Reject the password (see previous section)
Force a password change (initial logon, password expired etc.)
Password OK: authentication successful
5. When logon is successful, the SECUDE Secure Login Server sends the Client a
signed certificate, which is made available to the SAP GUI for Windows.
[Figure 2-13 content: messages exchanged between the Secure Login Client, the Secure Login Server and the SAP Server: Initialization request / Initialization reply; Logon request (forwarded by the Secure Login Server to the SAP Server as Logon request) / Logon reply; New password request / New password reply; Authentication reply.]
2.3.4 SAP Logon Ticket Authentication
This section describes the specific system architecture and workflow for the SECUDE
Secure Login SAP Logon Ticket authentication method.
System Architecture for SAP Logon Ticket
The following figure shows the SECUDE Secure Login system environment for SAP Logon
Ticket:
Figure 2-14 SECUDE Secure Login system environment for SAP Logon Ticket
Client
This authentication module only applies to the Secure Login Web Client. It sends the
user ID and password entered by a user or a program to the SAP NetWeaver Portal
URL to call its user login procedure. If successful, the portal returns an SAP Logon
Ticket in the form of an HTTP cookie, which is handed over to the Web browser where the
Secure Login Web Client is running.
Alternatively, the SAP Logon Ticket could be handed over to the Secure Login Web
Client by other means, e.g. a browser script. This allows having the Web Client
running in unattended and invisible mode.
The Secure Login Web Client then sends the SAP Logon Ticket to the SECUDE Secure
Login Server to authenticate the user.
Server
The SECUDE Secure Login Server receives the SAP Logon Ticket sent by the Client
and performs offline verification.
If the authentication is successful, the SECUDE Secure Login Server certifies the
user's public key. The certification reply is generated and transferred to the Client.
2.3.5 SQL Database Authentication
This chapter describes the specific system architecture and workflow for the SECUDE
Secure Login SQL database-based authentication method.
System Architecture for SQL DB-based Logon
The following figure shows the SECUDE Secure Login system environment for SQL DB-
based logon:
Figure 2-15 SECUDE Secure Login system environment for SQL DB-based logon
JAAS Module
The SQL DB variant of the SECUDE Secure Login Server consists of the normal
SECUDE Secure Login Server core components plus a special JAAS module to
communicate with the SQL database.
For this method of authentication to work, additional third-party SQL driver libraries
are needed for the SECUDE Secure Login Server to function correctly:
For MySQL, this is e.g. mysql-connector-java-5.1.7-bin.jar.
SQL Database
The JAAS module uses standard SQL queries to find the given user ID and password
in a table. This table and its column names can either be configured freely, or
predefined names are used for higher performance.
The simplest form is to have usernames and passwords stored in two columns. For a
given username and password, a row is searched for that matches both.
If the Client side supports it, a third value can be given to qualify the Client identifier.
This could be a Client machine identification value or some application defined data:
This Client ID is transported in the username field of the protocol, and requires a
separator string definition.
Positive False Authentication
Another configuration allows using the database as a combination of whitelist and
blacklist. In this scenario, all exact matches in the database return a positive result, as
do all username values that are not found in the table at all.
It is recommended to implement this feature only if Client identifiers are used that
are sufficient to protect against this kind of positive false authentication.
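The three lookup variants described in this section (plain user/password row, row qualified by a Client identifier carried in the username field, and the positive-false white/black-list mode), as an added Go example that is not part of the product and not the JAAS module's own code. The manual does not give the real query, table or column names, so an in-memory slice stands in for the SQL table, the `@` separator and the sample rows are constructed, and the password column is shown in clear only to keep the sample self-contained (a real table should hold salted password hashes):

```go
package main

import (
	"crypto/subtle"
	"errors"
	"strings"
)

// row is one record of the credential table the JAAS module queries: user name,
// password and an optional Client identifier. Constructed sample data.
type row struct{ user, password, clientID string }

var sampleTable = []row{
	{"alice", "s3cret", "ws-01"},
	{"bob", "hunter2", ""},
}

// policy holds the two configuration choices described in the manual.
type policy struct {
	separator     string // non-empty: username field is "<user><separator><client id>" (assumed layout)
	positiveFalse bool   // white/black-list mode: user names with no row at all are accepted
}

// authenticate stands in for the module's lookup, i.e. a constructed query such as
//
//	SELECT password FROM users WHERE username = ? AND client_id = ?
//
// run over the in-memory table. It reports whether the login is accepted.
func authenticate(table []row, p policy, usernameField, password string) (bool, error) {
	user, clientID := usernameField, ""
	if p.separator != "" {
		i := strings.LastIndex(usernameField, p.separator)
		if i < 0 {
			return false, errors.New("client identifier missing from username field")
		}
		user, clientID = usernameField[:i], usernameField[i+len(p.separator):]
	}
	known := false // does the table hold any row for this user name?
	for _, r := range table {
		if r.user != user {
			continue
		}
		known = true
		if p.separator != "" && r.clientID != clientID {
			continue // row belongs to a different Client identifier
		}
		if subtle.ConstantTimeCompare([]byte(r.password), []byte(password)) == 1 {
			return true, nil // exact match
		}
	}
	// Positive-false mode accepts every user name the table does not know at all;
	// that is the acceptance the manual wants strong Client identifiers to protect against.
	return p.positiveFalse && !known, nil
}
```

Running the positive-false policy against a name that is absent from the table returns true for any password, which makes the width of the blacklist, and the strength of the Client identifier check, the only thing standing between an unknown caller and a certificate.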
2.4 Policy Server Overview
Introduction
SECUDE Secure Login Client configuration is profile-based. To provide a mechanism for
automatic application-based profile selection, application contexts can be configured.
They are then searched for specific ‘personal security environment universal resource
identifiers’ (PSE URIs).
If no matching PSE URI is found, a default application context can be defined that links to
a default profile.
Figure 2-16 Default application context and profile
The application contexts and profiles are stored in the Windows registry of the Client
(including other internal keys for the Client). These parameters are defined within the XML
policy file (ClientPolicy.xml).
You can also integrate the values for the SECUDE Secure Login Client in your company's
group policies via an ADM file.
Further Information
For further information about how to download the relevant files for a static or dynamic
Client policy see section 6.3.3 ‘Client Configuration’ on page 183.
For further information about how to integrate the policy values for the SECUDE Secure
Login Client into your company's group policies (ADM file), refer to section 9.1.4
‘Configuring Secure Login with Microsoft Group Policies’ on page 245.
Advanced details about the Client policy file XML syntax can be found in section 9.1.1
‘ClientPolicy.xml File’ on page 239 along with the use of wildcards in section 9.1.3 on
page 244.
2.5 Secure Login Web Client
Introduction
A new feature of SECUDE Secure Login 5.1 is the Web Service and Web Client. The Web
Client is an SNC provider developed mainly for SAP Logon GUI for Java – making the most
of Windows as well as non-Windows platforms. It is a Web-based solution to authenticate
users via Web-browsers (i.e. in portal scenarios) on a variety of platforms and to launch
the SAPGUI with SECUDE SNC security.
This means that the Client is no longer exclusively for Windows, but also Mac OS X and a
range of Linux-based systems (due to differences between the SAPGUI for Java and
SAPGUI for Windows the Web Client for Windows only has limited functionality). Moreover,
in contrast to SECUDE Secure Login stand-alone Client for Windows (SLC) the Web Client
has no SSL Client-authentication.
The Web Client can be deployed to Apache Tomcat and SAP NetWeaver but, currently, not
to BEA WebLogic.
Main Features
Browser-based authentication against Secure Login Server (all back-ends are supported -
including RSA and challenge-mode functions such as password changes)
Download and prepare the SECUDE SNC library (simple to update the native libraries when
a new version is available).
Soft-token provider via Secure Login Server
Create credentials for crypto-token
Launch SAPGUI for Java/Windows with SNC parameters and crypto-token
Launch SAPGUI or directly login to SAP Server (AS ABAP)
Specify search path for SAPGUI binaries either centrally on the Server side, or by
the user on the Client side (host-specific)
Localization and customization of HTML pages and Applet messages
Stylesheet (CSS) support, preconfigured for NetWeaver Portal
Optional clean-up of temporary files when browser is closed (such as soft-tokens and
credentials).
Further Information
Chapter 5 ‘Secure Login plus Web Client - Installation, Usage, and Removal’, on page 109
3 Server Installation, Configuration, and Removal
Introduction
This chapter describes the SECUDE Secure Login Server installation. It is necessary to
install and configure Secure Login Server BEFORE installing Secure Login Client.
This chapter details the installation and configuration procedure for various target
systems, for example, Servers that use servlet engines such as Apache Tomcat or SAP
NetWeaver.
If you want to install Secure Login with the Web Client then refer directly to chapter 5. This
is because the Web Client installation is not just the Web Client but rather the complete
Secure Login Server plus Web Client. The installation routine is quite different for Tomcat
and only slightly different for NetWeaver.
Sections in this Chapter
Section 3.1 ‘Prerequisites’, on page 33
Section 3.2 ‘Preparing the Server for Installation’, on page 34
Section 3.3 ‘Installation Procedure for Apache Tomcat-based Server Installations’, on
page 35
Section 3.4 ‘Installation Procedure for BEA Weblogic-based Server Installations’ on page
40
Section 3.5 ‘Installation Procedure for SAP NetWeaver-based Server Installations’, on
page 42
Section 3.6 ‘Initialization and Configuration for ADS, LDAP, RADIUS, SAP ID, SAP Ticket,
and Database Module’, on page 54
Section 3.7 ‘Remove SECUDE Secure Login Server’, on page 91
3.1 Prerequisites
This section lists the hardware and software requirements.
3.1.1 Hardware Requirements
Hardware: Details
Hard disk space: 20-50 MB plus space for log files
RAM: 1 GB
3.1.2 Software Requirements
For the following components you require the software listed:
Operating System for Secure Login Server, one of the following:
Windows 2003 Server - R2 (x86)
Windows XP Professional - SP2 (x86)
Suse Linux Enterprise Server 9 or 10 (x86)
Solaris 8, 9, or 10 (SPARC)
HP-UX 11.11 (PA-RISC)
HP-UX 11.23 (Itanium)
Java (http://java.sun.com/):
JDK 1.5 with the Java Cryptography Extension (JCE)
JCE Unlimited Strength Jurisdiction Policy files (usually part of the JDK or JRE).
Supported Application Servers:
BEA WebLogic 8.1, 9.0, 10.0
Apache Tomcat version 5.x/6.x with JDK 1.4-1.6 (make sure that the optional components
‘Service Setup’ and ‘Native’ are selected in the setup). In case RSA ACE 6.1.2 is installed on
Solaris it is mandatory to have JDK maximum 1.5.
SAP NetWeaver Java 6.4 – 7.0 with:
SAP Java connector 2.1.8 (necessary for SAP-ID based logon. Please contact SAP for these
libraries.)
SAP Java Cryptographic Toolkit
A running and configured SSL service provider
Server supporting LDAP/ADS authentication:
openLDAP
Sun ONE LDAP
Microsoft Active Directory Server (ADS) 2000 or 2003
Sun Java System Directory Server
Server supporting RADIUS/RSA authentication:
freeRADIUS
RSA Authentication Manager 6.0 or higher
Server supporting SAP ID-based login. The following SAP application Server versions are
supported:
SAP Server 6.20
SAP NetWeaver ABAP 7.00
Support for additional platforms or versions may be available on request. Please contact
SECUDE for further information.
3.2 Preparing the Server for Installation
Introduction
The Server must be prepared for the installation of Secure Login. If you have already
prepared the Server go to the next section below. If you have not prepared the Server, the
following list indicates what must be installed and configured before starting with the
installation of SECUDE Secure Login:
Install the operating system (plus updates if necessary).
Install Java (JCE will be automatically installed).
Install the application Server.
This manual does not detail the installation and configuration of the above-mentioned
software. It is assumed that the knowledge and skills necessary to perform the Server
preparation are already present and need not be documented.
Contents of Delivery Package
Secure Login is delivered as a series of ZIP files. The contents of each ZIP file is as
follows:
SECUDE51SecureLoginNativeComponents.zip
This file contains the necessary native Secure Login components for each supported
platform.
SECUDE51SecureLoginServer.zip
\doc
This directory contains the documentation, license agreements, and readme files.
\SECUDE51SecureLoginServer.zip
Despite the fact this ZIP file has the same name as the file containing it, this file
contains the standard Secure Login applications as well as the Web Client
variants:
\NetWeaver 70\securelogin.ear
Standard Secure Login application for SAP NetWeaver to work with the Secure
Login Client.
\NetWeaver 70 WS\secureloginservice.ear
The Web Client version of Secure Login for SAP NetWeaver.
\Tomcat\securelogin.war
Standard Secure Login application for Apache Tomcat to work with the Secure
Login Client.
\Tomcat WS\axis2.war, securelogin.war, secureloginservice.aar, shared.zip, SlsWebClient.war
The Web Client version of Secure Login for Apache Tomcat plus secondary files
necessary for operation.
Prepare the Files
In preparation for installation, it is recommended to unpack the ZIP archive
SECUDE51SecureLoginServer.zip to produce the four application sub-directories:
\NetWeaver 70
\NetWeaver 70 WS
\Tomcat
\Tomcat WS
…as well as SECUDE51SecureLoginNativeComponents.zip to produce the files
for the native components.
This manual contains steps in which it is necessary to choose and confirm passwords. For
reasons of security Secure Login will only allow you to choose passwords that are hard to
guess (i.e. a mix of uppercase/lowercase letters, digits, and special characters).
3.3 Installation Procedure for Apache Tomcat-based Server Installations
Introduction
This section describes the installation procedure for an environment using Apache
Tomcat. These steps assume that Tomcat and the necessary runtime components are
already installed.
1. Locate the unzipped Tomcat deployment file (see section 3.2 on page 34):
SECUDE51SecureLoginServer\Tomcat\securelogin.war
2. Deploy the securelogin.war file:
This step describes how to deploy the files to the Server using Tomcat 6.0 as an
example (you can also use the Tomcat Manager to deploy Secure Login).
Make sure that file name and path notations used in this step are correct for the target
operating system.
These bulleted steps describe how to transfer the WAR file and configuration files to
the target servlet engine:
Stop the servlet engine (Tomcat) if it is running.
If necessary, remove the existing SECUDE Secure Login Web application
directories and securelogin.war file:
<Tomcat home>\Webapps\securelogin\
<Tomcat home>\Webapps\securelogin.war
Copy the new securelogin.war file into the directory:
<Tomcat home>\Webapps\
Start the servlet engine (Tomcat).
3. Now to test the deployment. In your Internet browser, enter the following URL:
http://<URL-Where-Your-Servlet-Resides>/securelogin
For example: http://localhost:8080/securelogin
Make sure that file name and path notations used in this step are correct for the target
operating system.
4. If the deployment has been successful, the SECUDE Secure Login Administration
Console prerequisite check page should appear:
Figure 3-1 Administration Console – prerequisite check page
This page lists the prerequisites to run Secure Login successfully. Items with a
green “dot” in front of them indicate the correct availability and functionality.
Items with a red light in front of them indicate an error. Items with a yellow light in
front of them indicate an optional component that may be needed according to
Server and setup type (for example the SAP Adapter is needed for the SAP ID-
based logon).
5. Use the Administration Console initialization wizard to create the Secure Login
environment (see section 3.6 on page 54).
3.3.1 Option to Configure SSL in Tomcat
If you are remotely administering Secure Login over a network it is recommended to use
an SSL connection. This means that SSL must be activated in Tomcat.
Follow these steps to activate SSL in Tomcat (this example details SSL for Tomcat v.6.0):
1. If Tomcat is running, stop and exit it.
2. Open the Server.xml file from the directory <Tomcat home>\conf.
3. Copy the following code behind the commented-out SSL configuration example in the
Server.xml file (edit the information in the following example syntax accordingly):
<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" SSLEnabled="true"
    secure="true" clientAuth="false" sslProtocol="TLS"
    keystorePass="123456"
    keystoreFile="<Tomcat home>\Webapps\securelogin\WEB-INF\Instances\<optional instance directory>\<SSLServer_*>.p12"
    keystoreType="PKCS12"/>
The PKCS12 (*.p12) file should already have been generated via the Administration
Console during the Server setup. If not use the Certificate management function of the
Administration Console to generate one (see section 6.3.2 on page 181).
4. Save and close the Server.xml file.
5. Start Tomcat.
Despite using HTTPS for the URLs in policies and generating SSL Server certificates (both
via the Administration Console) you still need to manually activate SSL in Tomcat.
3.3.2 Test the SSL Connection for Tomcat
1. To test the SSL connection enter the following URL in your browser:
https://URL-Where-Your-Servlet-Resides/securelogin
For example: https://localhost:8443/securelogin
2. This should open the Administration Console login page (see section 6.1
‘Administration Console’ on page 119).
3.3.3 Single Sign-On for the Administration Console (Tomcat Only)
This section details how to set up Tomcat to:
Use a login certificate generated via the Administration Console for SSL-based
authentication (refer to the next section below).
Trust only those certificates created via the Administration Console as well as using single
sign-on authentication to the Administration Console (refer to section 3.3.3.2 below).
Setup a single SSL port in Tomcat for both the Secure Login Administration Console and
the Secure Login Client to share (refer to section 3.3.3.1 below).
3.3.3.1 Use a Login Certificate Generated via the Administration Console for SSL-based Authentication
This section details how to set up Tomcat to use SSL login certificates, generated using
the Administration Console, for authentication (the Administration Console offers the
option to log in to the Secure Login Server using certificate-based SSL authentication).
The following steps assume that you have already:
Created a user via the User Management node (see section 6.4.1 on page 199) that uses
the subject alternative name in the certificate for the option Certificate Login ID.
Created a login certificate (under SAP CA) via the Certificate Management node. The
subject alternative name provided in the certificate creation must match the entry
in the option Certificate Login ID for the user created in User Management. The resulting
certificate has been exported as a *.p12 file and imported into Internet Explorer or
Firefox.
By default, Tomcat uses the Java trust store to perform the authentication. This means that all CAs trusted by the Java VM could be used to create Administration Console login certificates, as long as the subject_alt_name in the certificate matches an Administration Console user account.
If you decide to use the JVM truststore (jre\lib\security\cacerts), the Administration Console root certificate or SAP-CA certificate must be imported into it using Java's keytool. For further information refer to section 5.4.1 „Configure SSL Trust for the Web Client Java Applet‟ on page 116.
3.3.3.2 Setup Tomcat to Trust Only Administration Console-Generated Certificates
This section details how to set up Tomcat to trust only those certificates created via the Administration Console and also how to create a truststore (and set ports) specifically for the purpose of single sign-on to the Administration Console.
To use only those certificates created via the Administration Console, you must configure the Tomcat SSL connector to use a truststore other than the Java VM's. This can be achieved by either creating a new truststore or using the Secure Login Administration Console truststore.
To set up single sign-on it is necessary to create and use a truststore specifically for the purpose of single sign-on (refer to the next page).
The following example creates two ports – one for the Administration Console and one for the Secure Login Client.
Create a New Truststore
1. As a first step we must create a new truststore that contains only the Administration Console root certificate:
Open a command box and enter the following:
keytool -import -v -trustcacerts -alias my_root_ca -file C:\root.crt -keypass 123456 -keystore C:\myTruststoreFile -storepass 123456
Press Return.
2. Now to configure a Tomcat SSL connector to use this truststore only (for single sign-
on):
Open the Server.xml file from the directory <Tomcat home>\conf.
The following example code should be entered behind the commented-out SSL
configuration example in the Server.xml file (edit the information marked in red
in the following example syntax accordingly):
<Connector port="4443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
ClientAuth="false" sslProtocol="TLS"
keystoreType="pkcs12"
keystoreFile="C:\SSL_SERVER.p12"
keystorePass="123456"
/>
<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
ClientAuth="true" sslProtocol="TLS"
keystoreType="pkcs12"
keystoreFile="C:\SSL_SERVER.p12"
keystorePass="123456"
truststoreFile="C:\myTruststoreFile.jks"
truststoreType="jks"
truststorePass="123456"
/>
In this example note that there are two connectors – one for the Secure Login
Client (port 4443 in the example) and one only to be used for the single sign-on to
the Administration Console (port 8443 in the example). This is to avoid any
possible access conflicts.
As you can see by the parameters/values marked in blue, the connector to be
used for single sign-on has the following specifics:
A different port number
The parameter ClientAuth is set to true.
The truststore file (*.jks) is stated.
3.3.3.3 Setup Tomcat for Single SSL Port Usage for both the Administration Console and Secure Login Client
This section details how to set up a single SSL port in Tomcat for both the Secure Login Administration Console and the Secure Login Client to share. This means it is possible to perform certificate-based single sign-on via the Secure Login Administration Console as well as standard login for the Secure Login Client using the same port.
Create a Single SSL Port
1. Open the Server.xml file from the directory <Tomcat home>\conf.
2. The following example code should be entered behind the commented-out SSL
configuration example in the Server.xml file (edit the information marked in red in
the following example syntax accordingly):
<Connector port="4443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
ClientAuth="want" sslProtocol="TLS"
keystoreType="pkcs12"
keystoreFile="C:\SSL_SERVER.p12"
keystorePass="123456"
truststoreFile="C:\myTruststoreFile.jks"
truststoreType="jks"
truststorePass="123456"
/>
As you can see by the parameter marked in blue (ClientAuth="want"), Client authentication is now optional.
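As an added example (not part of the manual or of the Secure Login product), the following Python script parses connector definitions like the ones in sections 3.3.3.2 and 3.3.3.3 and reports which role each HTTPS connector plays and whether client-certificate checks would fall back to the JVM trust store. The XML fragments, paths and the password 123456 are constructed from the manual's placeholders.

```python
"""Audit Tomcat <Connector> elements for the Secure Login SSL layouts.

Added example, not part of the SECUDE manual or the Secure Login product.
Each HTTPS connector is classified as
  client-only : no client certificate requested (Secure Login Client port)
  sso-only    : ClientAuth="true" plus a dedicated truststore (console SSO port)
  shared      : ClientAuth="want" plus a dedicated truststore (single port)
  review      : client certificates requested but no truststoreFile given, so
                Tomcat falls back to the JVM trust store and every CA in it
                could issue an Administration Console login certificate
"""
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the manual's two-connector example.
TWO_PORT_XML = """<Server><Service name="Catalina">
  <Connector port="4443" scheme="https" secure="true"
             ClientAuth="false" sslProtocol="TLS"
             keystoreType="pkcs12" keystoreFile="C:\\SSL_SERVER.p12"
             keystorePass="123456" />
  <Connector port="8443" scheme="https" secure="true"
             ClientAuth="true" sslProtocol="TLS"
             keystoreType="pkcs12" keystoreFile="C:\\SSL_SERVER.p12"
             keystorePass="123456"
             truststoreFile="C:\\myTruststoreFile.jks"
             truststoreType="jks" truststorePass="123456" />
</Service></Server>"""

# Constructed fragment mirroring the manual's single shared-port example.
SHARED_PORT_XML = """<Server><Service name="Catalina">
  <Connector port="4443" scheme="https" secure="true"
             ClientAuth="want" sslProtocol="TLS"
             keystoreType="pkcs12" keystoreFile="C:\\SSL_SERVER.p12"
             keystorePass="123456"
             truststoreFile="C:\\myTruststoreFile.jks"
             truststoreType="jks" truststorePass="123456" />
</Service></Server>"""


def check_connectors(server_xml):
    """Return {port: (role, findings)} for every HTTPS connector in server_xml."""
    root = ET.fromstring(server_xml)
    report = {}
    for conn in root.iter("Connector"):
        # The manual writes ClientAuth while Tomcat documents clientAuth;
        # attribute names are compared case-insensitively so both are examined.
        attrs = {k.lower(): v for k, v in conn.attrib.items()}
        if attrs.get("scheme", "").lower() != "https":
            continue
        port = attrs.get("port", "?")
        client_auth = attrs.get("clientauth", "false").lower()
        truststore = attrs.get("truststorefile", "")
        findings = []
        if port in report:
            findings.append("port %s used by more than one connector" % port)
        if client_auth == "false":
            role = "client-only"
        elif client_auth == "true" and truststore:
            role = "sso-only"
        elif client_auth == "want" and truststore:
            role = "shared"
        else:
            role = "review"
            if not truststore:
                findings.append(
                    "ClientAuth=%s without truststoreFile: client certificates "
                    "are verified against the JVM trust store" % client_auth)
            else:
                findings.append("unexpected ClientAuth value %r" % client_auth)
        if attrs.get("secure", "").lower() != "true":
            findings.append('secure="true" missing on an https connector')
        if truststore and not attrs.get("truststorepass"):
            findings.append("truststoreFile given without truststorePass")
        report[port] = (role, findings)
    return report


if __name__ == "__main__":
    for label, xml in (("two ports", TWO_PORT_XML), ("shared port", SHARED_PORT_XML)):
        print(label)
        for port, (role, findings) in check_connectors(xml).items():
            print("  port %s: %s %s" % (port, role, "; ".join(findings)))
```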
3.4 Installation Procedure for BEA WebLogic-based Server Installations
Introduction
This section describes the installation procedure for an environment using BEA WebLogic. These steps assume that BEA WebLogic and the necessary runtime components are already installed.
1. This first step applies to BEA WebLogic 8.1 only. If you are using BEA WebLogic 9 or
10 please start with step 5.
Before deploying the application you must check the readiness of the Server for
application deployment by setting the „Staging Mode‟. If you have already performed
this task then go to step 5. Start the WebLogic Server and open the BEA WebLogic
console:
http://<hostname or IP:port>/console
2. Select <domain>Server>myServer from the navigation tree.
3. Select the tabs Configuration>Deployment:
Figure 3-2 BEA console – check staging mode
Make sure that the Staging Mode is set to stage. If not, select stage from the combo-
box and click Apply.
4. Close the console and restart the WebLogic Server.
5. Create a new directory:
<BEA home>/Server/bin/myServer/stage/securelogin.war
6. Unzip the contents of the securelogin.war file to the directory stated in the
previous step.
7. Now to deploy the Secure Login application. Open the BEA WebLogic console:
http://<hostname or IP:port>/console
8. The BEA WebLogic Server Home page will appear:
Figure 3-3 BEA console – WebLogic Server Home page
Click Web Application Modules.
9. The Web Applications page will appear.
Figure 3-4 BEA console – Web applications page
Click Deploy a new Web Application Module…
10. The Deploy a new Web Application Module page will appear:
Figure 3-5 BEA console – deploy Web application page
Use Location to navigate to the stage Server directory (do not use the upload your
files link). For example:
10.49.13.169/opt/bea/Weblogic81/Server/bin/myServer/stage
11. Select the securelogin.war application and click Target Module.
12. Start the Secure Login application in BEA WebLogic.
13. After Secure Login has been successfully deployed, open your Internet browser and
enter the Secure Login Administration Console URL:
http://<host:port>/securelogin
14. Use the Administration Console initialization wizard to create the Secure Login environment (refer to the next section).
3.5 Installation Procedure for SAP NetWeaver-based Server Installations
Introduction
This section describes the installation procedure for an environment with SAP NetWeaver.
After unpacking the installation package, the installation of the SECUDE Secure Login
Server comprises the following tasks:
Create SSL certificates
Configure the SECUDE Secure Login Server
Deploy the files on SAP NetWeaver
Configure the Authentication Server in SAP NetWeaver
Test the SECUDE Secure Login Server
Configure SSL
Test the SSL connection
3.5.1 Configure the System Environment (only for SAP ID-Based Logon)
This section details the steps necessary to pre-configure the system for the respective
environment.
1. Configure NetWeaver (prerequisite to run the Secure Login Administration Console):
Change the password of the Guest user via NetWeaver user management. Select
Server0 > services > Security provider from the tree in the left-hand pane.
Select the Runtime tab and then the User Management tab.
Open the Users tab and locate the entry Guest.
Enter a new password in the field Change password, check No password change
required, and click Change. A password confirmation dialog will appear:
Figure 3-6 Confirm password change
Re-enter the new password and click OK.
2. Now it is time to deploy the Secure Login enterprise archive to NetWeaver. The
archive is located in the directory already unzipped in section 3.2 on page 34:
SECUDE51SecureLoginServer\NetWeaver\securelogin.ear
The easiest method of deploying the archive is to use either the SAP Software
Deployment Tool or SAP Visual Administrator. For further details please refer to the
proprietary documentation.
Make sure that file name and path notation is correct for the target operating system.
3. Open and log on to the Administration Console:
In your browser, enter the following URL:
http://<URL-Where-Your-Servlet-Resides>/securelogin/
For example: http://SAPNetWeaverHost:50000/securelogin/
The SECUDE Secure Login Administration Console prerequisite check page should
appear:
Figure 3-7 Administration Console – prerequisite check page
This page lists the prerequisites to run Secure Login successfully. Items with a
green “dot” in front of them indicate the correct availability and functionality.
Items with a red light in front of them indicate an error. Items with a yellow light in
front of them indicate an optional component that may be needed according to
Server and setup type (for example the SAP Adapter is needed for the SAP ID-
based logon).
Click Continue to go through the setup wizard as described in section 3.6.3 'Step
2 – Multiple Authentication Server Initialization – Expert Mode (Wizard)‟ on page
63.
4. After completing the initial setup, the Web.xml file in the WEB-INF directory must be
updated (re-read). This is achieved via the SAP Visual Administrator:
Open the SAP Visual Administrator.
Select the Server(x)>Services>Deploy node from the tree in the left-hand pane.
Select the deployed secude.com/SecureLogin component from the Runtime tab in
the middle pane.
Click Single File Update on the right-hand side. The following dialog will appear:
Figure 3-8 Update Web.xml file
Click OK.
5. Open and log on to the Administration Console:
In your browser, enter the following URL:
http://<URL-Where-Your-Servlet-Resides>/securelogin/
For example: http://SAPNetWeaverHost:50000/securelogin/
The login page should appear:
Figure 3-9 Administration Console – login page
Generate the SSL certificates as a *.p12 file as described in section 6.3.2.3 „Username Configuration for SQL JAAS Module‟ on page 183. Locate the SSL certificate and change the file extension to *.pfx. For further information about the Administration Console refer to section 6.1 on page 119.
Username Configuration for SQL JAAS Module
Depending on the username/Client ID schema used for database authentication, some special configuration properties may be needed to define which user name is put into the certificate. This is only to be considered if Secure Login Client sends compound username values.
Property Details
UseQualifiedName: If true, the full received username value is taken for the user certificate's CN field. If false, only the user ID part before the separator is taken, and UserNameSeparator must be set to a non-blank value to apply this property. Default value: true.
UserNameSeperator: String of one or more characters that separates username and Client identifier sent by the Secure Login Client. If configured, DBColumnClientID must also be configured in the SQL JAAS module. Default value: None. Sample: USER001#CLIENT999 is split to USER001 with UseQualifiedName="false" and UserNameSeperator="#".
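As an added example, not code from the SECUDE product, the following Python functions apply the UseQualifiedName and UserNameSeperator rules described above to a login name received from the Secure Login Client. The behaviour when a configured separator does not occur in the received value (the full value is kept) is an assumption made here, not something the manual states.

```python
"""Derive the certificate CN from a compound username, following the
UseQualifiedName / UserNameSeperator properties of the SQL JAAS module.

Added example, not SECUDE code. Property names and the USER001#CLIENT999
sample come from the manual; the no-separator-present case is an assumption.
"""


def certificate_cn(received, options):
    """Return the value that goes into the user certificate's CN field.

    options is the JAAS Options table as {name: string value}, for example
    {"UseQualifiedName": "false", "UserNameSeperator": "#"}.
    """
    use_qualified = options.get("UseQualifiedName", "true").strip().lower() != "false"
    separator = options.get("UserNameSeperator", "")
    if use_qualified:
        return received                  # the full compound value becomes the CN
    if not separator.strip():
        # UseQualifiedName=false only takes effect with a non-blank separator;
        # with a blank or missing separator the property is not applied.
        return received
    user_id, found, _client = received.partition(separator)
    return user_id if found else received   # assumption: no separator, keep all


def split_login_name(received, options):
    """Return (user_id, client_id); client_id is None when no separator applied.

    The client part is what a configured DBColumnClientID column would receive,
    since the manual requires that column whenever UserNameSeperator is set.
    """
    separator = options.get("UserNameSeperator", "")
    if not separator.strip() or separator not in received:
        return received, None
    user_id, _sep, client_id = received.partition(separator)
    return user_id, client_id


if __name__ == "__main__":
    opts = {"UseQualifiedName": "false", "UserNameSeperator": "#"}
    print(certificate_cn("USER001#CLIENT999", opts))    # USER001
    print(split_login_name("USER001#CLIENT999", opts))  # ('USER001', 'CLIENT999')
```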
6. Now to enable SSL in SAP NetWeaver:
If there is more than one Server installed, this step has to be performed for each of the
Servers.
Open the SAP Visual Administrator.
Select the Server(x)>Services>ConfigurationAdapter node from the tree in the left-
hand pane.
Select the Runtime tab and then the Display configuration tab.
Select the following node from the middle pane:
Configurations>cluster_data>dispatcher>cfg>services>Propertysheet.ssl-runtime
Figure 3-10 enable SSL – select Propertysheet.ssl-runtime node
Click the pencil icon (middle icon under the tab heading) to display the Change
Configuration dialog:
Figure 3-11 enable SSL – Change Configuration dialog
Select the property startup-mode and enter always into the field value (make
sure that the custom checkbox is unchecked).
Click OK.
The same set of properties must also be changed at another Server node. Select
the following node from the middle pane:
Configurations>cluster_data>Server>cfg>services>Propertysheet.ssl-runtime
As above, select the property startup-mode and enter always into the field
value (make sure that the custom checkbox is unchecked).
Click OK.
7. Now that Secure Login has been deployed and SSL has been enabled the Server
must be restarted to make use of the new settings.
8. Now for certificate import and validation:
To enable Server authentication, the Server has to have an SSL Server certificate.
This certificate and the associated private key must be imported into SAP NetWeaver.
This is achieved by using the *.pfx file generated in step 5.
SAP NetWeaver only accepts PKCS#12 software token files with the extension *.pfx.
Open the SAP Visual Administrator.
Select the Server(x)>Services>KeyStorage node from the tree in the left-hand
pane.
Select the Runtime tab. The certificates are organized into sub-groups, so called
„Views‟. Each of the „Views‟ groups is purpose-based, and contains certificates
that suit the purpose, for example, TrustedCAs and the service_ssl Views, or
Views defined by the administrator:
Figure 3-12 certificate import – key storage
Click the service_ssl entry in the Views list.
Click Load.
Locate and open the SSL certificate created by the Administration Console in
step 5.
Before the SSL certificate can be verified, all certificates up to the root have to be imported in the manner described above. Furthermore the root certificate must be imported (loaded) into the TrustedCAs view. NetWeaver only accepts certificates contained in this view as a trust anchor.
Use the Load button to import a certificate.
The certificate file has to be base64-encoded with the file name extension *.crt.
9. Now for SSL configuration:
To enable Client authentication the SSL Provider must be configured to request the
Client certificates.
Open the SAP Visual Administrator.
Select the Server(x)>Services>SSL Provider node from the tree in the left-hand
pane.
Select the Runtime tab and then the Client Authentication tab in the bottom right-
hand pane.
Select Do not request Client certificate:
Figure 3-13 set SSL configuration
Click the Server Identity tab.
Click Add to browse for the credentials uploaded in step 9.
10. The configuration of SAP NetWeaver for Secure Login is now complete.
Next Steps
The next step is to configure the Authentication Servers for Secure Login. Please refer to
the next section - 3.5.2 on page 49.
When installing the signon&secure components for SAP ID-based logon (see section 6.1.12 '
SSS&JCO Installation’, on page 158), you can ignore the third step Install JCO because SAP
NetWeaver already has these components installed and set.
3.5.2 Configure the Authentication Server in SAP NetWeaver
Introduction
The JAAS module used by the SECUDE Secure Login Server must be configured directly
inside SAP NetWeaver. You have to create one JAAS module with a corresponding policy
and to add a configuration for each Authentication Server in the JAAS module.
The configuration process consists of the following steps:
Configure the LoginModuleClassLoader property.
Create a JAAS module.
Configure the first Authentication Server in the JAAS module.
Create a JAAS policy.
Configure an Authentication Server in JAAS module.
Configuration is performed in SAP Visual Administrator. The relevant configuration node is
the Security Provider node in the Services section.
Follow these steps to configure LoginModuleClassLoader:
1. Open the SAP Visual Administrator.
2. Select the Security Provider node from the left-hand pane and the Properties tab from
the right-hand pane.
3. Select the LoginModuleClassLoaders property from the list and enter the
following value into the field Value at the bottom of the window:
library:SECUDE-SecureLogin
Figure 3-14 SAP Visual Administrator – Configure the LoginModuleClassLoader property
4. Click Update at the bottom of the window.
5. Now to create a JAAS module:
Select the Security Provider node from the left-hand pane and the Runtime tab
from the right-hand pane.
This will open a second row of tabs. Select the User Management tab.
Select the pencil icon above the top row to change to edit mode.
Click Manage Security Stores. The area for the login module administration is
displayed:
Figure 3-15 SAP Visual Administrator – Configure the JAAS module
Click Add Login Module on the right-hand side of the window. The following window
appears:
Figure 3-16 SAP Visual Administrator – add login module
In the Class Name field enter the class name of the JAAS module:
For ADS:
com.secude.transfair.pepperbox.LdapJaasModule
For RSA/RADIUS:
com.secude.transfair.pepperbox.RsaRadiusJaasModule
For SAP-ID:
com.secude.transfair.pepperbox.SAPJaasModule
Enter descriptive strings in the fields Display Name and Description.
6. Now to configure the first Authentication Server in the JAAS module:
In the Add Login Module window, enter the names and values of the configurable module properties for the first Authentication Server in the Options table.
For a description of the configurable properties for ADS, see section 9.2.4.1 „JAAS
Module Configuration Files for LDAP/ADS‟ on page 253.
For a description of the configurable properties for RSA/RADIUS, see section
9.2.4.2 „JAAS Module Configuration Files for RADIUS/RSA‟ on page 257.
Click OK.
7. Now to create a JAAS policy:
Select the Security Provider node from the left-hand pane and the Runtime tab
from the right-hand pane.
This will open a second row of tabs. Select the Policy Configuration tab.
Click Add under the component list.
A new dialog will open. Under Name, enter SLSJaasModule.
Click OK. The window now appears as follows:
Figure 3-17 SAP Visual Administrator – add JAAS module
8. Now to configure an Authentication Server in the JAAS module:
Select the newly created SLSJaasModule policy/login module configuration from
the Components list.
Click Add New from the bottom right-hand side of the window. The available login
modules are displayed.
Select the JAAS module you want to configure.
Click OK.
The Edit Login Module window opens:
Figure 3-18 SAP Visual Administrator – edit login module
Enter the names and values of the configurable module properties of the added Authentication Server (a list of property names and examples can be found in the section covering Authentication Server configuration via the Administration Console, see section 6.1.4 on page 128).
3.5.3 Test the SSL Connection
The following step describes how to test the Secure Login files deployed to the Server.
Make sure that file name and path notations used in this step are correct for the target
operating system.
1. In your browser, enter the following URL:
https://<URL-Where-Your-Servlet-Resides>/securelogin/PseServer?op=Serverstatus
For example: https://SAPNetWeaverHost:50001/securelogin/PseServer?op=Serverstatus
2. If the deployment has been successful the SECUDE Secure Login Administration
Console login page should appear as in section 6.1.1.
3.6 Initialization and Configuration for ADS, LDAP, RADIUS, SAP ID, SAP Ticket, and Database Module
Introduction
This section details the initialization and configuration of the Secure Login Server
component using the Administration Console initialization wizard.
Contents
Section 3.6.1 „Step 1 - Initial Installation‟, on page 54
Section 3.6.3 „Step 2 – Multiple Authentication Server Initialization – Expert Mode
(Wizard)‟ on page 63
Section 3.6.4 „Step 3 - Configure Authentication Server Communication‟ on page 84
Section 3.6.5 „Step 4 - Test SECUDE Secure Login Server‟ on page 90
For reasons of security, the Secure Login Server component can only be initialized via the Administration Console and only when the console is called from the same Server computer on which the Secure Login resides. If, however, you want to perform the initialization and configuration from a remote location, then you must manually enable this feature by editing the Secure Login Web.xml file. For further details please refer to section 7.17 on page 229.
If you want to use Secure Login on an operating system that does not have a GUI (for example Unix without X-Win), you must use SSH or PuTTY to tunnel to the Client Web browser (as long as an SSH daemon is running on the Server).
3.6.1 Step 1 - Initial Installation
Introduction
This section describes the installation procedure and initial configuration of Secure Login.
This is necessary for all Authentication Server types.
1. If you have not already done so, enter the following URL in your Internet browser:
http://<URL-Where-Your-Servlet-Resides>/securelogin
For example: http://localhost:8080/securelogin
2. If the deployment has been successful the SECUDE Secure Login Administration
Console prerequisite check page should appear:
Figure 3-19 Administration Console – prerequisite check page
This page lists the prerequisites to run Secure Login successfully. Items with a green
“dot” in front of them indicate the correct availability and functionality. Items with a
red light in front of them indicate an error. Items with a yellow light in front of them
indicate an optional component that may be needed according to Server and setup
type (for example the SAP Adapter is needed for the SAP ID-based logon).
For further information about the Administration Console refer to section 6.1 on page 114.
3. Click Continue.
4. The scenario selection page will appear:
Figure 3-20 Server initialization – authentication selection page
Use this page to choose between either an Authentication Server-specific, quick
initialization, or a detailed multiple Authentication Server initialization.
Click on the logo next to one of the Server-specific methods Microsoft Windows
Domain Username and Password, Username and Password Stored in LDAP
Server, One-Time Password, or SAP Username and Password. For details about
the next step, refer to the next section.
If you click on the Multiple Authentication Methods (Expert Mode) logo, the next step is in section 3.6.3 on page 63.
3.6.2 Step 2 – Server-Specific Quick Initialization
1. After clicking the logo next to the desired authentication method (Microsoft Windows Domain, SUN Directory Server or other LDAP Server, RSA SecurID or other One-Time-Password solution, or SAP NetWeaver – see previous section), the Company Information page will appear:
Figure 3-21 Server Setup Wizard – company information page
Enter basic information about your company. The following options are available
(options marked with * are mandatory):
Option Details
Company Information
Country: The abbreviation of your country. Click on the field to open and select a country from the drop-down menu. Example: DE for Germany
Locality: The region in which your company is located. Example: Darmstadt
Company name: Enter the name of your company in this field. Example: SECUDE
Administrator Account
Account name: The username for the account.
Password Information
NOTE: The password will be used as the password for Administration Console access!
Password: The password for this account.
Confirm password: Confirm the password entered in the field above.
Click Next to continue.
2. According to which authentication method you selected in section 3.6.1, step 4, on page 55, one of the following pages will appear:
For Microsoft Windows Domain authentication:
Figure 3-22 Server initialization – Microsoft Windows Domain authentication page
The following options are available (options marked with * are mandatory):
Option Details
Let SECUDE Secure Login…: Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter a password in the fields Certificate Password and Confirm Certificate Password to be used for all automated PKI operations (PSE file and TrustStore passwords).
Enter the Active Directory Server…: The IP or URL of the Authentication Server. Click More to open the following options:
Use SSL: Check this option if you want to use secure communication with the Server.
Port: The port number the Active Directory Server uses for communication.
The communication between…: Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and the Active Directory Server.
For SUN Directory Server/LDAP authentication:
Figure 3-23 Server initialization – SUN Directory Server/LDAP authentication page
The following options are available (options marked with * are mandatory):
Option Details
Let SECUDE Secure Login…: Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter the certificate password in the fields Certificate Password and Confirm Certificate Password.
Enter the LDAP Server…: The URL of the Authentication Server. Click More to open the following options:
Use SSL (LDAPs): Check this option if you want to use secure communication with the Server.
NOTE: GetBaseDN will not work if SSL is enabled. If you want to use the GetBaseDN feature it is recommended you click it first and then enable SSL.
Port: The port number the SUN Directory Server/LDAP Server uses for communication.
Enter or select the LDAP search base: Manually enter the base distinguished name or click GetBaseDN to try and automatically retrieve it from the LDAP Server.
The communication between…: Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and SUN DS/LDAP Server.
For RSA SecurID authentication or other one-time password solutions:
Figure 3-24 Server initialization – RSA SecurID authentication page
The following options are available (options marked with * are mandatory):
Option Details
Let SECUDE Secure Login…: Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter the certificate password in the fields Certificate Password and Confirm Certificate Password.
Enter the RSA Server…: The URL of the RSA Server. Enter the password into the Shared Secret field. Click More to open the following options:
AuthPort: The authentication port at which the RSA Server expects to be queried for authentication requests.
Authenticator: This is the authentication protocol for the RSA Server. The possible options are:
CHAP
MSCHAP
PAP
NOTE: The RSA Authentication Manager only supports the PAP authentication protocol.
The communication between…: Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and the RSA Server.
For SAP NetWeaver authentication:
Figure 3-25 Server initialization – SAP NetWeaver authentication page
The following options are available (options marked with * are mandatory):
Option Details
Let SECUDE Secure Login…: Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter the certificate password in the fields Certificate Password and Confirm Certificate Password.
SAPID authentication…: If necessary, use the following options to install signon&secure and/or JCO for SAPID:
Install signon&secure
Setup File: Click Browse… to locate the signon&secure package (*.zip file). The files can be located in the SSS+JCO sub-directory of the file SECUDE51SecureLoginNativeComponents.zip delivered with Secure Login.
License File: Click Browse… to locate the file ticket.snc (received from SECUDE).
Install JCO for SAPID
sapjco.jar: Click Browse… to locate and open the sapjco.jar file (applies to both Windows and Linux/Sun).
sapjco library 1: Click Browse… to locate and open one of the following files (according to operating system):
For Windows: librfc32.dll
For Linux/Sun: librfccm.so
sapjco library 2: Click Browse… to locate and open one of the following files (according to operating system):
For Windows: sapjcorfc.dll
For Linux/Sun: libsapjcorfc.so
Enter the SAP Server…: Enter the IP or URL of the SAP Server into the first (unmarked) field. Enter the password into the Username field. Click More to open the following extra options:
Client: SAP System ID.
System Number: SAP System Number.
SNCServerName: The DN of the SAP Server, as stated in the Server certificate (the subject DN of the X.509 certificate). This option is not needed if you have selected the first option (let Secure Login use a custom PKI to establish trust between the user and Server). For example:
p:CN=SAP NetWeaver 2004, O=secude.local, C=DE
The communication between…: Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and SAP ID Server.
Due to legal restrictions, the SAP JCO libraries are not part of the Secure Login delivery
package. For further information please contact SECUDE support.
Click Next to continue.
3. The Install Process page will appear:
Figure 3-26 Server initialization – install process page
This page will display the status of the installation/initialization. Click Start. The
status of the installation will be displayed for each step. As soon as the step is
complete a green check-mark will appear next to the step:
Figure 3-27 Server initialization – status of initialization
4. Once the initialization is successful, the following information will appear:
Figure 3-28 Server initialization – procedure complete
5. Manually restart the application Server.
Next Steps
For information about how to login to the console and start using it, refer to section 6.1
„Administration Console‟ on page 119.
3.6.3 Step 2 – Multiple Authentication Server Initialization – Expert Mode (Wizard)
This section will guide you through the steps necessary to perform a quick, Authentication
Server-specific initialization.
1. The Welcome page of the wizard appears:
Figure 3-29 Server Setup Wizard – welcome page
This page introduces the wizard and displays the logical steps, necessary to initialize
the Server, on the left-hand side. Click Next to continue.
Some of the more complicated wizard pages have an information bubble icon next to the page header. Click the icon to open a pop-up dialog with information about the entries on the page.
2. The Create Administrator Account page will appear:
Figure 3-30 Server Setup Wizard – create administrator account
This page allows you to create an account username and password to be used to
logon to the console.
The following options are available:
Option Details
Account name The username of the account to be created.
Password The password for the account to be created. The password must fulfill the following criteria: it must be between 5 and 10 characters long (use a mix of letters, numbers and special characters) and it must contain at least one uppercase letter. This account administers the Server and its PKI, so use the full length allowed.
Confirm password Enter the password a second time in this field to confirm the
entry made in the field Password.
Click Next to continue.
3. The Setup Type page will appear:
Figure 3-31 Server Setup Wizard – select setup type
The next page to appear will vary according to the selection made here. You can
choose between the following options:
Option Details and next steps
Create a new SECUDE Secure Login Server: Select this option to start configuring a new Server. Click Next to continue with section 3.6.3.1 on the next page.
Migrate from an existing SECUDE Secure Login Server: Select this option to migrate the configuration from an existing Secure Login Server. Click Next to continue with section 3.6.3.2 'Migrate from an Existing SECUDE Secure Login Server', on page 82.
Restore from an existing backup (*.zip) file: Select this option to restore the configuration from a backup file. Click Next to continue with section 3.6.3.3 'Restore from an Existing Secure Login Server Backup (*.zip) File', on page 83.
NOTE: only backup files created using Secure Login 5.x and 4.3 are supported.
3.6.3.1 Create a New SECUDE Secure Login Server
Continue with this section if you selected Create a new SECUDE Secure Login Server in
the previous section.
1. The Input root CA information page will appear:
Figure 3-32 Server Setup Wizard – Input root CA information
This page allows you to enter information about the root certificate authority for the
Secure Login Server.
The following options are available (entries marked with * are mandatory):
Option Details
Create a Root CA by
certificate information
Common name*
Enter the name of the root certificate authority in this field.
Example: SECUDE CA
Organization unit
Enter the division of the company in this field.
Example: Research+Development
Organization
Enter the company name in this field.
Example: SECUDE
Locality
Enter the regional information in this field.
Example: Darmstadt
Country
Enter the country abbreviation in this field.
Example: DE for Germany
Encryption key length
Select the key length of the root CA key pair (512, 1024, 1536, 2048, 3072, or 4096 bits). The 512 and 1024 bit lengths are offered for compatibility only; every certificate issued below the root depends on this key, so choose at least 2048 bits.
Valid from*
Enter the date from which this certificate authority
information is valid in this field (YYYY-MM-DD).
Example: 2007-07-11
Validity period (months)*
Enter the number of months for which the certificate
authority information is valid.
Password*
Enter the password that protects the root CA keystore (PSE) in this field. Check Save Password to store the password for this certificate in a separate Secure Login password file, so that you do not need to enter it again when editing this certificate at a later date. Note that a saved password lets anyone who can read that file use the CA key.
Confirm password*
Confirm the encryption password entered in the field
above.
Import an existing
KeyStore file
Checking this option will display the following options:
Figure 3-33 Initialization Wizard – import existing keystore
KeyStore File
Click Browse… to locate and load an existing KeyStore
(PSE) file (*.pse).
Password
The password for the KeyStore (PSE) file.
Save Password
Check this option to store the password for this certificate
in a separate Secure Login password file. This means that
you do not need to remember the password when re-
loading the PSE file at a later date.
Skip this certificate Check this option if you do not want, or do not need, to enter
any information for this specific certificate at this time.
Skip all PKI
certificates
Check this option if you do not want, or do not need, to enter
information for any certificate at this time. This means you skip
all the PKI certificates, including the Root CA, SSL CA, SSL
Server and User CA certificates. You can create or add
certificate information at a later time via the 'Certificate Management' function of the Administration Console (see section 6.3.2 on page 181).
If you select this option continue with the setup as from step 6
on page 70.
Click Next to continue.
2. The SSL Certificate Generation Type page will appear:
Figure 3-34 Server Setup Wizard – SSL certificate generation type
This page allows you to configure the use of SSL certificates. To enable a higher level
of security, SSL is used to encrypt the communication channels, which requires a
special SSL certificate.
The following options are available:
Option Details
Generate SSL certificate using
Secure Login Administration
Console
If you select this option, the Secure Login Server will
be configured as a root CA, and a SSL CA (the next
two screens). This Root CA will then issue the SSL
CA a valid certificate; the SSL CA will in turn issue a
valid Server certificate to be installed on the Server.
You will need to download this certificate, and install
it according to your Server‟s particular configuration.
Proceed with the next step.
Generate SSL certificate to be
signed by an external CA
If you select this option, the Secure Login Server generates a valid certificate request. You may download this request, have it signed by an external CA, and import it back into the Server to enable SSL connectivity. Proceed with step 4 on page 69.
Skip all SSL certificates Check this option if you do not want, or do not need,
to enter any SSL certificate information at this time.
Proceed with step 5 on page 70.
Click Next to continue.
3. The SSL CA Information page will appear:
Figure 3-35 Server Setup Wizard – input SSL CA information
This wizard page is for information about the certificate authority to be used for SSL.
The options available on this page are the same as in step 1 on page 66. Options
marked with a red * are mandatory. If you selected
Click Next to continue.
4. The SSL Server Information dialog appears:
Figure 3-36 Server Setup Wizard – input SSL Server information
This wizard page is for information about the Server to be used for SSL. For
information about the options available on this page refer to step 1 on page 66.
Options marked with * are mandatory.
Click Next to continue.
5. The User CA Information page will appear:
Figure 3-37 Server Setup Wizard – input user CA information
This wizard page is for information about the certificate authority that issues the user certificates (User CA). For information about the options available on this page refer to step 1 on page 66. Options marked with * are mandatory.
Click Next to continue.
6. The Server Configuration page will appear:
Figure 3-38 Server Setup Wizard – Server configuration
This wizard page helps you to setup basic Server parameters. The following options
are available (options marked with * are mandatory):
Option Details
AuthConfigPath The path to the JAAS configuration file on the Server's file system, for example:
D:\SECUDE Secure Login\SLSJAAS.login
PseName The User CA keystore file path. If you created a User CA in the
previous step, the file path will be shown here.
DN.Country Information for a temporary certificate: the country designation
(for example: DE for Germany).
DN.Locality Information for a temporary certificate: the regional
designation (for example: Darmstadt).
DN.Organization Information for a temporary certificate: the initializing
designation (for example: SECUDE).
DN.Organizational Unit Information for a temporary certificate: the department
designation (for example: Research and development).
ValidityMinutes* Information for a temporary certificate: the period of time (in
minutes) that the user certificate is valid.
DailyLogDir The path of the directory to which the daily log files are stored.
MonthlyLogDir The path of the directory to which the monthly log files are stored.
doTrace Determines whether the Server's execution trace is recorded for problem analysis.
true (yes) = enable trace messages
false (no) = disable trace messages
Enable tracing only while you are diagnosing a problem.
LockDir The path to which the lock file is saved. A lock file is created
when the Server encounters an internal error that requires
manual intervention.
Default value: the temporary directory of the java VM, a.k.a.,
the directory denoted by the java.io.tmpdir property.
Client Name/IP The hostname or IP address used for all Client policy files
within URLs connecting to SLS.
Click Next to continue.
7. The Authentication Server Configuration page will appear:
Figure 3-39 Server Setup Wizard – Authentication Server
If you want to add an Authentication Server click Add Server (if not click Next and go
to the next step).
The specific settings for each type of the supported Authentication Server types are
covered in the following sections:
For further details about the settings for a servlet engine-based Server (such as
Apache Tomcat) refer to page 84.
For further details about the settings for an RSA Server refer to page 86.
For further details about the settings for a SAP NetWeaver-based Server for SAP ID-
based logon refer to page 87.
8. The Add Authentication Server page will appear:
Figure 3-40 Server Setup Wizard – add Authentication Server
Depending on which Server Type is selected, other options appear or disappear in the table. The following options are available (options marked with * are mandatory):
Options (general) Details
Application Name* An "application name" is the identifier of the group of authentication modules associated with one instance of the SECUDE Secure Login Server (SLS). There can be only one instance of a particular authentication module residing in a JVM. However, there may be multiple SLS instances running on the JVM. Therefore, the group of authentication modules used by an instance of SLS is assigned a unique application name for identification. Different SLS instances running on the same Server must have different application names.
The default name is: SLSJaasModule
LoginModuleControlFlag The flag controls the Server's behavior when it proceeds down the authentication stack. For a detailed explanation, refer to the Java documentation of javax.security.auth.login.Configuration.
NOTE: this option cannot be changed.
Server Type Server type selection (LDAP, AD, RADIUS, or SAPID). Other
options will appear/disappear in the table according to the
selection made via this option.
TestUserName Test user username. Use this option to setup a user to test the
Server parameters.
TestUserPwd Test user password. Use this option to setup a user to test the
Server parameters.
TryAllServers Determines when to try the next LDAP/ADS Server in the list. Possible values:
FALSE (default): Try the next Server only if this Server cannot be reached.
TRUE: Try the next Server if this Server cannot be reached, or if it denies access. With TRUE a wrong password is presented to every Server in the list, so it counts against the failed-logon threshold in each directory.
Options (LDAP) Details
LdapHost* The address of the LDAP Server. This option is for the
configuration of the LDAP Server (including the Windows Active
Directory Server).
For example: ldap://my.host.com:389 (if SSL is used for
the communication, the protocol should be changed to
ldaps:// and the port number should be changed to 636).
NOTE: An SSL Server certificate must have been successfully
imported into the TrustStore for SSL to work. It is not possible
to import a certificate until after the initial Server setup.
LdapBaseDN Information that identifies a user in the user management system, LDAP or Active Directory. Either enter the information manually or click Get baseDN list to browse the LDAP directory for the correct base distinguished name.
The following pop-up window will appear:
Figure 3-41 add Authentication Server – get baseDN
The following options are available (options marked with a red *
are mandatory):
Host name*
The host name of the LDAP Server.
Port*
The port of the LDAP Server.
Username*
The username used to communicate with the LDAP Server.
SSL
Check this option to use SSL protocol when communicating
with the LDAP Server. If you use SSL in the communication,
the protocol should be ldaps:// and a valid certificate is
required.
Anonymous bind
Use this function to query the LDAP Server without a
username (managerDN) and password (providing that the
LDAP Server is so configured).
managerDN
Specific username.
password
The password used to communicate with the LDAP Server.
Base DN
Click Get baseDN list to query the LDAP Server for a list of base distinguished names to be displayed in the combo-box.
Get baseDN list
After you have entered the above parameters click Get
baseDN list to obtain the base DN‟s from the LDAP Server.
LdapTimeout(ms) Determines how long a Client should wait for a response from an LDAP/ADS Server before trying to connect to the next one.
LdapProviderLanguage Character set for the encoding of the characters when the Server communicates with the LDAP/ADS Server.
For example: in the case of ADS, a possible character set is ISO-8859-1.
PasswordExpirationAttribute Password expiry date (from the LDAP Server).
NOTE: If this option is used, the LdapBaseDN attribute must be given in complete DN form.
PasswordExpirationGracePeriod Defines the interval in days, inside which the password expiration warning is sent to the Client prior to password expiry.
AuthServerID The warning message to be sent to the Client in the event of password expiry.
Options (RADIUS) Details
RadiusServerIP* The IP address of the RADIUS Server.
AuthPort* The authentication port at which the RSA/RADIUS Server
expects to be queried for authentication requests.
SharedSecret* The RADIUS shared secret. It authenticates the RADIUS packets exchanged with the Server and obfuscates the user password in transit; the same secret must be configured for this Client on the RADIUS Server.
Timeout(ms) Determines how long a request to a Server is to wait before
being sent to the next Server.
Authenticator Authentication protocol for the RSA/RADIUS Server. Possible
options:
CHAP
MSCHAP
PAP
PinMin Minimum PIN length for users choosing a new PIN. This
parameter is only used with RSA SecurID tokens.
Default value: 4
PinMax Maximum PIN length for users choosing a new PIN. This
parameter is only used with RSA SecurID tokens.
Default value: 8
PinAlphanumeric PIN format. This parameter is only used with RSA SecurID
tokens. Possible values:
true: the user can choose, and use, a PIN which contains only
alphanumeric characters (A-Z, a-z, 0-9).
false (default): the user can choose, and use, a PIN which
contains alphanumeric and special characters (such as !$%&).
The default password policy for RSA allows only numeric PINs, which cannot be set up via the Secure Login Server/Client policy properties.
RSAServerIniFile If the RSA Server version is 6.1, a copy of the RSA Server RADIUS
message *.ini file (securid.ini) has to be present. Make sure you
enter the full path and file name, for example:
<Tomcat home>\Webapps\securelogin\WEB-INF\securid.ini
Options (SAPID) Details
SAPServer IP or URL of the SAP Server.
Client The SAP client number.
SystemNo SAP System Number.
SNCServerName The DN of the SAP Server, as stated in the Server certificate (the subject DN of the X.509 certificate). For example:
p:CN=SAP NetWeaver 2004, O=secude.local, C=DE
SAPaccount The SAP user account name for the SECUDE Secure Login
Server.
NativeLibraryPath The folder of the native libraries and the SECUDE signon&secure
package.
NOTE: This configuration is a global Server Configuration
property, which is also used by other JAAS modules.
PasswordMin This parameter is part of the password policy for Client side
policy consistency check, specifically the minimum number of
characters in the password to be used. This parameter must be
consistent with the SAP password policy.
Default value = 1
PasswordMax This parameter is part of the password policy for Client side
policy consistency check, specifically the maximum number of
characters in the password to be used. This parameter must be
consistent with the SAP password policy.
Default value = 30
PasswordAlphanumeric This parameter is part of the password policy for Client side
policy consistency check. Possible values:
true (default): the password can contain only alphanumeric
characters (A-Z, a-z, 0-9).
false: the password can contain alphanumeric and special
characters (such as !$%&).
This parameter must be consistent with the SAP password
policy.
Once you have selected the appropriate options click Test to check the validity of the
Server information. If the parameters are correct a message will appear confirming a
successful connection. If any parameter is incorrect an error message will appear.
Click Save to be returned to the Authentication Server page.
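The TryAllServers and LdapTimeout entries above decide how far a single logon attempt travels through the list of LDAP/ADS Servers. The following Python script is an added example, not SECUDE code, that models that fail-over with in-process stand-ins for the directory Servers (the host names, accounts and the Unreachable exception are constructed for the example) so the difference between the two settings, and what each directory's failed-logon counter sees, can be observed without a directory.

```python
"""Fail-over between the LDAP/ADS Servers of one Authentication Server entry.

Added example, not SECUDE code: it models the TryAllServers and LdapTimeout
behaviour described in the manual with in-process stand-ins for the directory
Servers, so the effect of the flag can be seen without a directory.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class Unreachable(Exception):
    """Raised when a Server does not answer within LdapTimeout (constructed)."""


@dataclass
class FakeLdapServer:
    """Constructed stand-in for one Server in the LdapHost list."""
    url: str
    reachable: bool = True
    accounts: Dict[str, str] = field(default_factory=dict)  # user -> password
    failed_binds: int = 0  # what a real directory's lockout counter would see

    def bind(self, user: str, password: str) -> bool:
        if not self.reachable:
            raise Unreachable(self.url)
        if self.accounts.get(user) == password:
            return True
        self.failed_binds += 1
        return False


def authenticate(servers: List[FakeLdapServer], user: str, password: str,
                 try_all_servers: bool = False) -> Tuple[bool, List[str]]:
    """Walk the Server list as the TryAllServers flag prescribes.

    Returns (granted, trace); the trace lists what each Server contacted
    reported, in order.
    """
    trace: List[str] = []
    for srv in servers:
        try:
            granted = srv.bind(user, password)
        except Unreachable:
            # Both settings move on when the Server cannot be reached.
            trace.append(f"{srv.url}: unreachable, trying next")
            continue
        if granted:
            trace.append(f"{srv.url}: access granted")
            return True, trace
        trace.append(f"{srv.url}: access denied")
        if not try_all_servers:
            # FALSE (default): the first reachable Server's verdict is final.
            return False, trace
        # TRUE: the same credential is now offered to the next Server as well.
    return False, trace


def build_demo_servers() -> List[FakeLdapServer]:
    """Constructed topology: a dead primary, a directory that rejects the
    user, and a directory that accepts it."""
    return [
        FakeLdapServer("ldaps://dc1.example.test:636", reachable=False),
        FakeLdapServer("ldaps://dc2.example.test:636", accounts={"alice": "other-pw"}),
        FakeLdapServer("ldaps://dc3.example.test:636", accounts={"alice": "correct-pw"}),
    ]


if __name__ == "__main__":
    for flag in (False, True):
        servers = build_demo_servers()
        granted, trace = authenticate(servers, "alice", "correct-pw", flag)
        print(f"TryAllServers={flag}: granted={granted}")
        for line in trace:
            print("  " + line)
```

With the default FALSE the attempt stops at dc2, the first reachable Server, and alice is not logged on even though dc3 would accept her; with TRUE she is logged on, but a mistyped password is now counted as a failure by every reachable directory, which is the trade-off to weigh when the Servers in the list hold different account sets.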
The Authentication Server page should now look something like this:
Figure 3-42 Server Setup Wizard – added Authentication Servers
As you can see, the page now contains an Authentication Server entry. You can now
either click Edit to change any Authentication Server options, or click Delete to
remove an entry from the Authentication Server list, or click Add Server to add
another Server to the configuration.
If the Server entries are correct and finished, click Next to continue.
9. The Client Policy Configuration page will appear:
Figure 3-43 Server Setup Wizard – configure Client policy
This step will help you to enter Client policy information. A Client will need this
information to communicate with the SECUDE Secure Login Server. At the end of the
initial setup one Client policy file and two Windows registry files will be available for
download (see step 10 on page 79) to be implemented in each Client.
The following options are available (all mandatory):
Option Details
Policy URL* The URL of the ClientPolicy.xml. It may be downloaded and installed to a Client system (see step 10 on page 79). For example:
http://<IP address>/securelogin/ClientPolicy.xml
Clients rolled out with the dynamic policy (customer.reg) fetch this file at run time and take the Enroll URL from it, so serve it over HTTPS from a host whose certificate the Clients trust; otherwise the policy can be swapped on the wire.
Profile Name* The name of the Client profile.
Enroll URL* The URL of the Secure Login Server to which the Client will connect. For example:
https://<IP address>/securelogin/PseServer
Key Length* The key length of the Client certificate.
Grace Period* The grace period for the Client connecting to the Server.
Inactivity Period* The maximum period of time the Client may be inactive.
Enter the Client policy details and click Next to continue.
10. The Setup Review page will appear:
Figure 3-44 Server Setup Wizard – Finish configuration
The configuration and initialization of Secure Login is now complete.
If needed, click on each of the links and save the files to disk for further use. The Root CA and SSL CA keystores contain the private keys of your PKI; store them where only the PKI administrators can read them.
PKI Certificate
Root CA Keystore (RootCA.pse)
Root CA Cert (RootCA.cer)
SSL CA Keystore (SSLCA.pse)
SSL Server Cert (SSLServer.cer)
SSL Server KeyStore (PKCS#12) (ServerKeyStore.p12)
SSL Server KeyStore (JKS) (SSLServer.jks). If you click this link the Private Key Alias field will appear:
Figure 3-45 Server Setup Wizard – configure private key alias
Enter the private key alias and click OK to download the file.
Client Policy File (for import on each Client)
ClientPolicy.xml
customer.reg
customerAll.reg
Click Finish to complete the initialization.
11. The completion page will appear:
Figure 3-46 Server Setup Wizard – completion
The wizard is now finished. Click Reload to reload the Secure Login application in the application Server (e.g. Tomcat). For information about how to open the Administration Console to perform further tasks refer to section 6.1 'Administration Console', on page 119.
If the Administration Console login page does not appear, it may be necessary to restart the
application Server manually.
3.6.3.2 Migrate from an Existing SECUDE Secure Login Server
Continue with this section if you selected Migrate from an existing SECUDE Secure Login
Server in step 3 of section 3.6.3 on page 65.
1. The Enter the Web Root Path of the Existing Server page will appear:
Figure 3-47 Server Setup Wizard – migrate existing Server #1
Enter the root path of the Web application into the field Web Application Root Path
and click Next to continue.
2. A success page will appear.
Figure 3-48 Server Setup Wizard – migrate existing Server #2
Click Reload to reload the Secure Login application in the application Server (e.g. Tomcat). For information about how to open the Administration Console to perform further tasks refer to section 6.1 'Administration Console', on page 119.
If the Administration Console login page does not appear, it may be necessary to restart the
application Server manually.
3.6.3.3 Restore from an Existing Secure Login Server Backup (*.zip) File
Continue with this section if you selected Restore from an existing backup (*.zip) file in step 3 of section 3.6.3 on page 65.
Remember that this function only supports backup files created using Secure Login 5.x and 4.3.
1. The Select the backup file (*.zip) page will appear:
Figure 3-49 Server Setup Wizard – restore from backup file #1
Either manually enter the path to the zipped backup file into the field Backup file, or click Browse… to locate the zip file on the network or local drive.
Click Next to continue.
2. The Backup file information page will appear:
Figure 3-50 Server Setup Wizard – restore from backup file #2
Click Finish to restore the configuration.
3. If successful the following dialog will appear:
Figure 3-51 Server Setup Wizard – restore from backup file #3
Click Reload to reload the Secure Login application in the application Server (e.g. Tomcat). For information about how to open the Administration Console to perform further tasks refer to section 6.1 'Administration Console', on page 119.
If the Administration Console login page does not appear, it may be necessary to restart the
application Server manually.
3.6.4 Step 3 - Configure Authentication Server Communication
The next step is to configure the Server to communicate with the Authentication Server.
There are several different authentication methods to configure, depending on which type
of Authentication Server you want to use:
If you are going to use an Active Directory or LDAP Server (the servlet engine-based setup, for example on Apache Tomcat) continue with section 3.6.4.1 below.
If you are going to use a RADIUS/RSA Server continue with the Authentication Server description in section 3.6.4.2 on page 86.
If you are going to use a SAP NetWeaver-based Server for SAP ID-based logon continue with the Authentication Server description in section 3.6.4.3 on page 87.
3.6.4.1 Configure the Secure Login Server for ADS/LDAP
The SECUDE Secure Login Server must now be configured for the respective Authentication
Server, in this case for an Active Directory Server (ADS) or LDAP.
1. If you have not already done so, start the Administration Console and logon to Secure
Login by entering the following in your Internet browser:
http://<URL-Where-Your-Servlet-Resides>/securelogin
For example: http://localhost:8080/securelogin
2. If the LDAP connection between the SECUDE Secure Login Server and the Microsoft ADS has to be secure, you have to establish trust between the SECUDE Secure Login Server and ADS. The prerequisite for this is the certification authority (CA) certificate of the issuing instance (usually the root) of the ADS Server's certificate.
To establish trust the ADS Server CA certificate must be imported into the TrustStore via one of two methods:
Either a signed certificate must be made available by the ADS administrator for import directly into Secure Login (via TrustStore management - see section 6.1.6 on page 141), or…
…you can sign a certificate request for the Active Directory Server (SSL connection) via the Administration Console (via Sign ITS certificate - see section 6.1.14 on page 163) and generate a *.p7b file. Convert the *.p7b file into a certificate file (*.crt, *.cer). Then import the certificate into the TrustStore (via TrustStore management - see section 6.1.6 on page 141).
Ask your Microsoft ADS administrator to send you an export file containing this certificate. Verify its fingerprint with the administrator over a separate channel before importing it: whatever is imported into the TrustStore is trusted for every LDAPS connection. The public key infrastructure (PKI) on the ADS side is completely independent of the SECUDE Secure Login PKI.
It is possible to convert the *.p7b file into a *.cer file via a number of tools. The usage of these tools is not part of this manual. Please refer to the third-party documentation.
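Converting the *.p7b file is left to third-party tools above. As an added example that is not SECUDE's or Microsoft's code, the following Python reads the certificates-only PKCS#7 SignedData structure that a *.p7b export contains and hands back each certificate as DER, so you can see exactly which certificates a CA export carries before importing one into the TrustStore. The bundle it parses in its self-test is constructed in the file around placeholder certificate bodies (an assumption: a real export has the same layout with X.509 certificates inside); with a real export you would write each returned blob to a *.cer file.

```python
"""Pull the certificates out of a PKCS#7 (*.p7b) bundle as DER *.cer data.

Added example, not part of the SECUDE or Microsoft tooling: a minimal DER
reader for the certificates-only SignedData that a *.p7b export contains.
The bundle parsed in the self-test is constructed below with placeholder
certificate bodies; a real export has the same layout with X.509 certificates.
"""
import base64
import re
from typing import List, Tuple

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der_encode(tag: int, body: bytes) -> bytes:
    """One DER TLV with a definite (short or long form) length."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n)]) + n
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read the TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the value of a constructed element into its (tag, value) parts."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = der_read(value, pos)
        out.append((tag, body))
    return out


def load_p7b(data: bytes) -> bytes:
    """Accept a DER or PEM (-----BEGIN PKCS7-----) bundle and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    return data


def extract_certificates(p7b: bytes) -> List[bytes]:
    """Return the DER encoding of each certificate in the bundle, in order."""
    tag, content_info, _ = der_read(load_p7b(p7b))
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    oid, explicit0 = der_children(content_info)[:2]
    if oid != (0x06, OID_SIGNED_DATA) or explicit0[0] != 0xA0:
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    _, signed_data = der_children(explicit0[1])[0]
    fields = der_children(signed_data)
    # SignedData: version, digestAlgorithms, contentInfo, [0] certificates, ...
    if len(fields) < 4 or fields[3][0] != 0xA0:
        return []  # the bundle carries no certificates
    return [der_encode(0x30, body)
            for tag, body in der_children(fields[3][1]) if tag == 0x30]


def to_pem(cert_der: bytes) -> str:
    """Wrap one DER certificate as a PEM block (text form of *.cer/*.crt)."""
    b64 = base64.b64encode(cert_der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def build_bundle(certs: List[bytes]) -> bytes:
    """Assemble a certificates-only SignedData around the given DER blobs."""
    signed = (der_encode(0x02, b"\x01")                        # version
              + der_encode(0x31, b"")                          # digestAlgorithms
              + der_encode(0x30, der_encode(0x06, OID_DATA))   # contentInfo
              + der_encode(0xA0, b"".join(certs))              # [0] certificates
              + der_encode(0x31, b""))                         # signerInfos
    return der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA)
                      + der_encode(0xA0, der_encode(0x30, signed)))


# Constructed placeholders: DER SEQUENCEs standing in for real X.509 certificates.
PLACEHOLDER_CERTS = [
    der_encode(0x30, der_encode(0x04, b"ADS root CA placeholder")),
    der_encode(0x30, der_encode(0x04, b"ADS issuing CA placeholder")),
]


if __name__ == "__main__":
    bundle = build_bundle(PLACEHOLDER_CERTS)
    for i, cert in enumerate(extract_certificates(bundle)):
        with open(f"ads-ca-{i}.cer", "wb") as f:  # one DER *.cer per certificate
            f.write(cert)
        print(to_pem(cert))
```

On a machine with OpenSSL the same conversion is `openssl pkcs7 -print_certs -inform DER -in <export>.p7b -out <export>.cer` (drop `-inform DER` for a Base64 export); either way, import only the CA certificate you expect, not every certificate the bundle happens to contain.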
3. The next step is to define the connection details between Secure Login and ADS.
Click the Authentication Management node in the Administration Console.
4. Click Add Server and enter at least the following details into the appropriate fields:
Server Type: ADS or LDAP
LdapHost: ldaps://<yourdomain>:636
For example: ldaps://testldap.secude.local:636
Test username: The username must include the domain name, in the form <username>@<yourdomain>.
Once you have entered the Server details click Save. For further information about the
Authentication Server parameters on this page refer to section 6.1.4 on page 128.
5. The Secure Login Server is now ready for ADS authentication.
6. Now to configure the Secure Login Client. Click the Client configuration node in the
Administration Console (see section 6.3.3 on page 183).
7. Click Applications and then Add application.
8. In the Add application page enter an Application name and PSEURI. A PSEURI may not be needed if a SAP certificate already exists – in which case you need only select the certificate from the SAP Server field and the PSEURI will automatically be entered.
Once you have entered the application details click Save (this will take you back to
the Client Policy management page).
For further information about the Add application page refer to section 6.3.3.1 on
page 184.
9. Click Profiles and then Add profile.
10. In the Add/Modify Client Profile page enter the profile details. Click Save.
For further information about the Add/Modify Client Profile page refer to section
6.3.3.2 on page 187.
11. Click Files download and download the Client files according to your Client setup:
Download the customerAll.reg file if you want to roll out a static policy to the Clients (the customerAll.reg file contains the information from the ClientPolicy.xml file).
Download the customer.reg file if you want to roll out a dynamic policy to the Clients (the customer.reg file only contains information about where to obtain the entries of the ClientPolicy.xml file on a Server).
12. Roll out the customer.reg or customerAll.reg policy files to the Clients.
13. ADS can now be accessed using SSL.
NOTE: SSL is used whenever the LDAP host address is given with the ldaps:// scheme (by convention on port 636); a plain ldap:// address sends the bind credentials in clear text.
14. Multiple Authentication Server setup / instance management [optional]
If you use more than one Authentication Server and not all Servers have the same
CA, you have to import the certificate of each CA to Secure Login Server.
For further information about instances refer to section 6.3.1 on page 179.
You have to use a unique alias for each CA certificate!
3.6.4.2 Configure the Secure Login Server for RADIUS/RSA
The SECUDE Secure Login Server must now be configured for the respective Authentication
Server, in this case for RADIUS/RSA.
1. If you have not already done so, start the Administration Console and logon to Secure
Login by entering the following in your Internet browser:
http://<URL-Where-Your-Servlet-Resides>/securelogin
For example: http://localhost:8080/securelogin
For advanced details about setting properties manually (not recommended), refer to section
9.2.3 ‘Configuration.properties’, on page 248.
2. If you are using RSA Server v.6.1 (version 6.0 is not affected) copy the
securid.ini file to the Secure Login WEB-INF directory. For example (Tomcat):
<Tomcat home>\Webapps\securelogin\WEB-INF
Every time a message text entry in the securid.ini file is changed the file must be
re-copied to the Secure Login WEB-INF directory.
The securid.ini file is not part of the Secure Login delivery package. It is part of
the RSA Server 6.1 software. For further information please refer to the proprietary
documentation.
Secure Login depends on the following message text entries in the securid.ini file:
InputMustChoose_S_S = \r\nEnter a new PIN having from 4 to 8 digits:
InputNextCode = \r\nWait for token to change,\r\nthen enter the new tokencode:
InputReenterPin = \r\nPlease re-enter new PIN:
OutputChange = \r\nPIN Accepted.\r\nWait for the token code to change,\r\nthen enter the new passcode:
For passwords to be handled properly between SLS and RSA/RADIUS, the securid.ini file must be set up on both Servers. Follow these steps:
For the RSA/RADIUS Server: copy/update the securid.ini file to C:\Program Files\RSA Security\RSA Radius\Service\securid.ini and then restart the RSA/RADIUS services.
For the Secure Login Server (Windows): copy the securid.ini file to the path set up in SLSJaasModule.login (RSAServerIniFile). For example: <tomcat home>\Webapps\securelogin\WEB-INF
For the Secure Login Server (Linux): copy the securid.ini file to the path set up in SLSJaasModule.login (RSAServerIniFile). For example: /var/lib/tomcat5.5/Webapps/securelogin/WEB-INF
By default the RSA/RADIUS services are not started automatically after a Server
restart. To start them:
open the RSA Authentication Manager Control Panel > Start & Stop RSA Auth Mgr
Services.
Below Service Management check Start and stop RADIUS Server together with
authentication engine. [Edit…] Click Auto Start and check Automatically start
services on system startup.
Confirm and click Close.
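Because Secure Login matches the RSA prompts against the message text entries listed above, and the copy under WEB-INF must be refreshed after every change on the RSA Server, a drift check is worth running before each rollout. The following Python is an added example, not part of the SECUDE or RSA software. It assumes the file is line-oriented "Key = value" text as quoted in this section, that values keep the literal \r\n escape sequences, and that entries may sit under any [section] header; the sample file and its section name are constructed for the example.

```python
"""Check a securid.ini copy for the message text entries Secure Login needs.

Added example, not part of the SECUDE or RSA software. Assumptions: the file
is line-oriented 'Key = value' text as quoted in the manual, the values keep
the literal \\r\\n escape sequences, and the entries may sit under any
[section] header (the section name in the sample below is a placeholder).
"""
from typing import Dict, List

# The four entries the manual says Secure Login depends on.
REQUIRED_KEYS = ("InputMustChoose_S_S", "InputNextCode",
                 "InputReenterPin", "OutputChange")

# Constructed sample in the shape the manual quotes; not a file shipped by RSA.
SAMPLE_INI = r"""[Messages]
InputMustChoose_S_S = \r\nEnter a new PIN having from 4 to 8 digits:
InputNextCode = \r\nWait for token to change,\r\nthen enter the new tokencode:
InputReenterPin = \r\nPlease re-enter new PIN:
OutputChange = \r\nPIN Accepted.\r\nWait for the token code to change,\r\nthen enter the new passcode:
"""


def parse_ini(text: str) -> Dict[str, str]:
    """Collect 'Key = value' pairs, ignoring blank, comment and section lines."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        entries[key.strip()] = value.strip()
    return entries


def decode_escapes(value: str) -> str:
    """Turn the literal \\r\\n sequences into the line breaks the Client shows."""
    return value.replace("\\r\\n", "\r\n")


def missing_entries(text: str) -> List[str]:
    """Required keys absent from the file (key names are case-sensitive)."""
    present = parse_ini(text)
    return [k for k in REQUIRED_KEYS if k not in present]


def drifted_entries(rsa_copy: str, sls_copy: str) -> List[str]:
    """Required keys whose text differs between the RSA Server's securid.ini
    and the copy under WEB-INF, i.e. the copy that must be refreshed."""
    a, b = parse_ini(rsa_copy), parse_ini(sls_copy)
    return [k for k in REQUIRED_KEYS if a.get(k) != b.get(k)]


if __name__ == "__main__":
    print("missing:", missing_entries(SAMPLE_INI))
    print(decode_escapes(parse_ini(SAMPLE_INI)["InputNextCode"]))
```

Run drifted_entries with the text of the RSA Server's file as the first argument and the WEB-INF copy as the second after every change on the RSA side; a non-empty result means the copy step in this section is still outstanding.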
3. The next step is to define the connection details between Secure Login and
RADIUS/RSA. Click the Authentication Management node in the Administration
Console (see section 6.1.4 on page 128).
4. Click Add Server and enter at least the following details into the appropriate fields:
Server Type: RADIUS
RadiusServerIP: Example: radius01.secudeTest.local
RSAServerIniFile: path to the securid.ini file (for example:
<Tomcat home>\Webapps\securelogin\WEB-INF\securid.ini).
Once you have entered the Server details click Save. For further information about the
Authentication Server parameters on this page refer to section 6.1.4 on page 128.
5. The Secure Login Server is now ready for RADIUS authentication.
6. Now to configure the Secure Login Client. Click the Client configuration node in the
Administration Console (see section 6.3.3 on page 183).
7. Click Applications and then Add application.
8. In the Add application page enter an Application name and PSEURI. A PSEURI may
not be needed if a SAP certificate already exists – in which case you need only select
the certificate from the SAP Server field and the PSEURI will automatically be entered.
Once you have entered the application details click Save (this will take you back to
the Client Policy management page).
9. For further information about the Add application page refer to section 6.3.3.1 on
page 184.
3.6.4.3 Configure the Secure Login Server for SAP ID-Based Logon
The SECUDE Secure Login Server must now be configured for the respective Authentication
Server, in this case SAP ID-based logon.
Make sure that the following has been installed and configured on the SAP Server side
before proceeding with this section:
SECUDE signon&secure is installed and configured.
Ensure that the SAP Server account is able to access the credentials and that the
credentials are set for the correct user account.
The user configured on the SAP Server for the SECUDE Secure Login Server access
must be configured for the following:
SNC access: Note that the SNC Distinguished Name of the user must be the same
as that used in the PSE files imported during the SSS&JCO installation.
A special set of privileges in their profile. These are:
S_A.SCON
S_A.SYSTEM
S_USER_ALL
S_USER_RFC
Z_TRANS_RFC
For details about how to set a profile refer to the SAP administrator documentation.
It is important to set the correct environment variables for SECUDE Signon&Secure. For
details about the settings for both Unix and Windows-based Servers refer to section 7.5 on
page 217.
1. If you have not already done so, start the Administration Console and log on to Secure
Login by entering the following in your Internet browser:
http://<URL-Where-Your-Servlet-Resides>/securelogin
For example: http://localhost:8080/securelogin
For advanced details about the properties that can be configured, refer to section
9.2.3 ‘Configuration’, on page 248.
2. The next step is to install the SAP JCO libraries (one Java library and two
system-dependent native libraries) - SAP-Jco-2.1.8-platforms.
The SAP JCO libraries are not part of the Secure Login delivery package. The libraries
can be downloaded from http://service.sap.com/connectors (requires SAP
account). For details about which library version is needed for Secure Login please
contact SECUDE support.
Ensure that all referenced dynamically linked libraries exist on the operating system.
For example, on a Linux platform the referenced gcc libraries have to be present in
the required version.
3. Click the SSS&JCO installation node in the Administration Console (see section
6.1.12 on page 158).
4. Install the SECUDE cryptolib package (in the delivery package ZIP file
SECUDE51SecureLoginNativeComponents.zip), ticket, JCO, and JCO PSE.
5. The next step is to define the connection details between Secure Login and SAP ID.
Click the Authentication Management node in the Administration Console (see
section 6.1.4 on page 128).
6. Click Add Server and enter the Server details into the appropriate fields. Once you
have finished click Save.
For details about setting the Authentication Server parameters via the Administration
Console refer to section 6.1.4 on page 128. For advanced details about each
parameter, plus optional parameters, see section 9.2.4.3 ‘JAAS Module Configuration
Files for SAP ID’, on page 260.
7. The Secure Login Server is now ready for SAP ID-based logon.
8. Now to configure the Secure Login Client. Click the Client configuration node in the
Administration Console (see section 6.3.3 on page 183).
9. Click Applications and then Add application.
10. In the Add application page enter an Application name and PSEURI. A PSEURI may
not be needed if a SAP certificate already exists – in which case you need only select
the certificate from the SAP Server field and the PSEURI will automatically be entered.
Once you have entered the application details click Save (this will take you back to
the Client Policy management page).
11. For further information about the Add application page refer to section 6.3.3.1 on
page 184.
3.6.4.4 Configure the Secure Login Server for SAP Logon Ticket-Based Logon
The SECUDE Secure Login Server must now be configured for the respective Authentication
Server, in this case SAP Logon Ticket-based logon.
1. If you have not already done so, start the Administration Console and log on to Secure
Login by entering the following in your Internet browser:
http://<URL-Where-Your-Servlet-Resides>/securelogin
For example: http://localhost:8080/securelogin
For advanced details about the properties that can be configured, refer to section
9.2.3 ‘Configuration’, on page 248.
2. The next step is to install the SAP Verification PSE and the SAP SSOEXT libraries (two
system-dependent native libraries).
The SAP Verification PSE can be exported from SAP NetWeaver Portal, or by the STRUST
transaction in the ABAP Stack.
The SAP SSOEXT libraries are not part of the Secure Login delivery package. The
libraries can be downloaded from http://service.sap.com/connectors
(requires SAP account). For details about which library version is needed for Secure
Login please contact SECUDE support.
Ensure that all referenced dynamically linked libraries exist on the operating system.
For example, on a Linux platform the referenced gcc libraries have to be present in
the required version.
3. Click the SSS&JCO installation node in the Administration Console (see section
6.1.12 on page 158).
4. Install the SAP Verification PSE, SAPSECU, and SAPSSOEXT.
5. The next step is to define the connection details between Secure Login and SAP
Logon Ticket. Click the Authentication Management node in the Administration
Console (see section 6.1.4 on page 128).
6. Click Add Server and enter the Server details into the appropriate fields. Once you
have finished click Save.
For details about setting the Authentication Server parameters via the Administration
Console refer to section 6.1.4 on page 128. For advanced details about each
parameter, plus optional parameters, see section 9.2.4.3 ‘JAAS Module Configuration
Files for SAP ID’, on page 260.
7. In the common Server configuration Native Library Path, the path to the SAPSECU,
and SAPSSOEXT libraries must be configured.
8. The Secure Login Server is now ready for SAP Logon Ticket-based login.
9. Now to configure the Secure Login Web Client. Click the Web Client configuration node
in the Administration Console (see section 6.1.16 on page 183).
3.6.4.5 Configure the Secure Login Server for SQL Database-Based Logon
The SECUDE Secure Login Server must now be configured for the respective Authentication
Server, in this case SQL Database-based logon.
1. If you have not already done so, start the Administration Console and log on to Secure
Login by entering the following in your Internet browser:
http://<URL-Where-Your-Servlet-Resides>/securelogin
For example: http://localhost:8080/securelogin
For advanced details about the properties that can be configured, refer to section
9.2.3 ‘Configuration’, on page 248.
2. The next step is to install the appropriate Java database driver for your database.
The Java database driver depends on the database system you have in use. Each
database vendor provides such Java libraries (JAR files); for example, for MySQL the
JAR file mysql-connector-java-5.1.12 can be downloaded from
http://dev.mysql.com/downloads/connector/j/
On Tomcat, the connector libraries need to be copied manually into a shared library
folder.
On SAP NetWeaver, connector libraries need to be deployed and configured with Visual
Administrator.
3. The next step is to define the connection details between Secure Login and SAP
Logon Ticket. Click the Authentication Management node in the Administration
Console (see section 6.1.4 on page 128).
4. Click Add Server and enter the Server details into the appropriate fields. Once you
have finished click Save.
For details about setting the Authentication Server parameters via the Administration
Console refer to section 6.1.4 on page 128. For advanced details about each
parameter, plus optional parameters, see section 9.2.4.3 ‘JAAS Module Configuration
Files for SAP ID’, on page 260.
5. The Secure Login Server is now ready for SQL Database-based logon.
6. Now to configure the Secure Login Client. Click the Client configuration node in the
Administration Console (see section 6.3.3 on page 183).
7. Click Applications and then Add application.
8. In the Add application page enter an Application name and PSEURI. A PSEURI may
not be needed if a SAP certificate already exists – in which case you need only select
the certificate from the SAP Server field and the PSEURI will automatically be entered.
Once you have entered the application details click Save (this will take you back to
the Client Policy management page).
9. For further information about the Add application page refer to section 6.3.3.1 on
page 184.
3.6.5 Step 4 - Test SECUDE Secure Login Server
The following step describes how to test the Secure Login files deployed to the Server.
Make sure that file name and path notations used in this step are correct for the target
operating system.
1. In your browser, enter the following URL:
http://<URL-Where-Your-Servlet-Resides>/securelogin/admin/index.jsp
For example: http://localhost:8080/securelogin/admin/index.jsp
2. If the deployment has been successful the SECUDE Secure Login Administration
Console login page should appear:
Figure 3-52 Administration Console – login page
For further information about the Administration Console refer to section 6.1 on page
119.
If the location of the SECUDE Secure Login Server configuration file is not specified
correctly, the browser displays a red error message.
3.7 Remove SECUDE Secure Login Server
3.7.1 Remove SECUDE Secure Login Server - Tomcat
This section details the removal procedure for the Secure Login Server component from
ADS, LDAP, RADIUS, and SAP ID Servers.
It is recommended to back up the configuration and settings in case you want to use Secure
Login again. For further information refer to section 6.1.9.1 on page 151.
1. Stop your Web application Server.
2. Delete the following directories/files:
<application Server Web-apps directory>/securelogin/
<application Server Web-apps directory>/securelogin.war
If you want to use Secure Login again follow the procedure as from section 3.2.
3.7.2 Remove SECUDE Secure Login Server - BEA WebLogic
1. Stop and delete securelogin.war in the BEA WebLogic console (BEA 9 and BEA 10).
2. Remove all files and directories under <BEA home>/Server/bin/myServer/stage/securelogin.war
3.7.3 Remove SECUDE Secure Login Server - SAP NetWeaver
This section details the removal procedure for the Secure Login Server component from
SAP NetWeaver Servers.
It is recommended to back up the configuration and settings in case you want to use Secure
Login again. For further information refer to section 6.1.9.1 on page 151.
1. Logon to SAP Visual Administrator.
2. Select Server(x)>Services>Deploy, from the tree in the left-hand pane.
3. Select the deployed secude.com/SecureLogin component from the Runtime tab in
the middle pane.
Figure 3-53 SAP Visual Administrator – locate Secure Login component
Click Remove on the right-hand side of the window.
4. A confirmation dialog will appear:
Figure 3-54 SAP Visual Administrator – removal confirmation dialog
Click OK.
4 Client Installation, Configuration, and Removal
Introduction
This chapter describes the configuration and installation of the SECUDE Secure Login
Client. To save configuration time, install and roll out the Client AFTER you have fully
installed and configured the Secure Login Server.
Sections in this Chapter:
Section 4.1 ‘Prerequisites’, on page 95
Section 4.2 ‘SECUDE Secure Login Client Preparation’, on page 96
Section 4.3 ‘Client Rollout’, on page 97
Section 4.4 ‘Remove SECUDE Secure Login Client’, on page 106
4.1 Prerequisites
Introduction
This section lists the hardware and software requirements.
Contents:
Section 4.1.1 ‘Hardware Requirements for SECUDE Secure Login Client’, on page 95
Section 4.1.2 ‘Software Requirements for SECUDE Secure Login Client’, on page 95
You will need administrator access rights to install the Secure Login package.
4.1.1 Hardware Requirements for SECUDE Secure Login Client
Hardware    Details
RAM         256 MB minimal, 512 MB optimal.
Hard disk   12 – 22 MB, depending on which SECUDE modules are installed.
4.1.2 Software Requirements for SECUDE Secure Login Client
For the…                    …you require the following software
Operating System            Windows XP (SP3), Windows Vista, Windows 7, Citrix Terminal Server
Installation                Software for unpacking the zip installation package; MSI 3.1 installer
Customizing                 MMC snap-in, if customizing with group policies is to be used
                            (ADM templates are available)
System runtime environment  SAP NetWeaver ABAP 6.4 or higher.
                            SECUDE Secure Login Server (unless an existing PKI is used).
                            Correctly installed smart card or Microsoft Crypto Store for the
                            respective authentication (see below).
Authentication with a Smart Card:
As a precondition for authentication using smart cards, a smart card reader with a card
driver (PKCS#11 middleware) must be installed. If smart cards other than TCOS are to be
used, a card driver must also be available (TCOS cards are directly supported without an
additional driver).
Authentication with Microsoft Crypto API:
As a precondition for authentication using Microsoft Crypto API, a certificate in a CSP must
be available by one of the following methods:
Import of a PFX or P12 file into the personal Microsoft Crypto Store
CSP on a smart card
Online certificate (for example, VeriSign, Web.de)
Managed PKI software (for example, Entrust, Microsoft CA)
4.2 SECUDE Secure Login Client Preparation
The SECUDE Secure Login Client is delivered as a zip archive. This archive contains all of
the files and data required to install the SECUDE Secure Login Client.
Follow these steps to install the Secure Login Client:
1. Unpack the zip archive SECUDE42securelogin.zip to any directory.
2. Check the \customer\sample\ directory (this directory contains samples of the
optional configuration files).
The optional configuration files can be configured manually (see below) using the sample
files.
The configuration file secude.xml contains smart card-specific configuration settings,
protocol settings, and the settings for the SECUDE crypto library. The secude.xml file is
configured automatically. For information about the configuration of this file, please contact
SECUDE technical support.
3. All of the files used to customize the product during installation must be located in
the customer directory next to the MSI installer. The \customer\sample\ directory
contains examples of all configurable files. The customer can adapt the sample files to
fit the PKI and environment of the company.
The MSI installer reads the following files in the customer folder during installation:
File                    Used for…
bridge.p7c, bridge.p7s  A list of trusted trust-center certificates (root CAs). This is a
                        digitally-signed set of DER-encoded certificates, which is used
                        automatically for each PSE which has its own root CA stored in it.
                        For further details about the extensions, refer to the file
                        bridge.txt. For further details about the content, refer to the
                        file certs.txt.
certs.p7c, certs.p7s    A list of certificates (CAs). This is a digitally-signed set of
                        DER-encoded certificates, which is used automatically for each PSE
                        where CA certificates are missing. For further details about the
                        content, refer to the file certs.txt.
customer.reg            All Microsoft registry settings the customer can configure
                        automatically (SECUDE tickets, group policies).
psesvc.xml              Overlay configuration for the PSE Service smart card token,
                        provided by SECUDE.
roots.p7b, root.cer     Root CA certificates of the SECUDE Secure Login Server's SSL peer
                        that are trusted automatically for machine and users. For HTTPS
                        trust, the SSL Server's Root CA certificate is added to the user's
                        personal certificate store or the computer system certificate
                        store, either ‘Trusted Root Certification Authorities’ or
                        ‘Enterprise Trust’. Formats: a single certificate or PKCS#7
                        certificate list, DER or base64 encoded.
ticket.snc              Customer-specific SECUDE file ticket for SAP SNC/GSS.
ticket.ssf (optional)   Customer-specific SECUDE file ticket for SAP SSF.
token_prompted.bmp      Custom bitmap picture for all SECUDE Secure Login profiles with a
                        password prompt in the login dialog box. It overwrites the default
                        bitmap and must be 200x90 pixels with a 24-bit color depth.
token_smartcard.bmp     Custom bitmap picture for all smart card or Microsoft CAPI profiles
                        with a PIN prompt in the login dialog box. It overwrites the default
                        bitmap and must be 200x90 pixels with a 24-bit color depth.
token_soft.bmp          Custom bitmap picture for all soft-token profiles with a password
                        prompt in the login dialog box. It overwrites the default bitmap
                        and must be 200x90 pixels with a 24-bit color depth.
token_windows.bmp       Custom bitmap picture for all SECUDE Secure Login profiles with
                        Windows credentials in the login dialog box. It overwrites the
                        default bitmap and must be 200x90 pixels with a 24-bit color depth.
4. If necessary, you can now customize the Secure Login Client:
The SECUDE Secure Login Client (SLC) system service is a standard component of the
SECUDE Secure Login Client, which (among other things) is responsible for
communication with the SECUDE Secure Login Server for logging in using Windows
credentials.
Another task of the SLC system service is to obtain the latest Client policy. This can
be done, for example, by downloading a policy file from a given URL (the policy
Server) during startup or regularly at a configurable time interval. The XML-formatted
policy file (see section 9.1.1 ‘ClientPolicy.xml File’ on page 239) is translated into
Windows registry database keys and values after a successful verification.
If the policy download is not successful, the existing policy is kept.
The policy download from the policy Server can be replaced by configuring the
SECUDE Secure Login Client using Microsoft group policies (see section 9.1.4
‘ClientPolicy.xml File’ on page 245).
A combination of an XML file on the policy Server and MS group policies is not
recommended.
The properties for the SLC system service can be configured using the
customer.reg file or can be integrated in the company's group policies. The
property names are not case-sensitive. For further information about the registry
entries refer to section 9.3 ‘Secure Login Client Registry Values’ on page 264.
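Because the certificate lists in the customer folder are trusted automatically by every installed client, an administrator should review them before rollout. The following PowerShell script is an added example, not code from SECUDE or this manual; it assumes the file names from the table above and uses a constructed sample path.

```powershell
# Added example, not part of the SECUDE manual or product: a pre-rollout review of
# the "customer" folder that sits next to "SECUDE Secure Login.msi". It lists every
# CA certificate the installer will trust automatically and checks the custom
# bitmaps against the required 200x90 pixels / 24-bit colour depth.
# Assumption: file names are those from the table above; the path at the bottom is
# a constructed sample.
Add-Type -AssemblyName System.Drawing

function Get-CustomerTrustAnchors {
    param([Parameter(Mandatory)][string]$CustomerDir)

    # Certificate lists the installer consumes: bridge/certs (CA lists for PSEs) and
    # roots/root (SSL peer roots added to the Windows trust stores). Each may be a
    # single certificate or a PKCS#7 list, DER or base64; X509Certificate2Collection
    # .Import() accepts all of these formats.
    $certFiles = 'bridge.p7c', 'certs.p7c', 'roots.p7b', 'root.cer'
    foreach ($name in $certFiles) {
        $path = Join-Path $CustomerDir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # bridge.p7c and certs.p7c ship with a detached signature (.p7s); warn if it
        # is missing so an unsigned list is not rolled out by accident.
        $sig = [System.IO.Path]::ChangeExtension($path, '.p7s')
        if ($name -like '*.p7c' -and -not (Test-Path -LiteralPath $sig)) {
            Write-Warning "$name has no matching signature file $([System.IO.Path]::GetFileName($sig))"
        }

        $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        $coll.Import($path)
        foreach ($cert in $coll) {
            [pscustomobject]@{
                File       = $name
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
                SelfSigned = ($cert.Subject -eq $cert.Issuer)   # candidate root CA
                Expired    = ($cert.NotAfter -lt (Get-Date))
            }
        }
    }
}

function Test-CustomerBitmaps {
    param([Parameter(Mandatory)][string]$CustomerDir)

    $bitmaps = 'token_prompted.bmp', 'token_smartcard.bmp', 'token_soft.bmp', 'token_windows.bmp'
    foreach ($name in $bitmaps) {
        $path = Join-Path $CustomerDir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $img = [System.Drawing.Image]::FromFile($path)
        try {
            [pscustomobject]@{
                File   = $name
                Size   = "$($img.Width)x$($img.Height)"
                Format = $img.PixelFormat
                # The installer expects exactly 200x90 at 24-bit colour depth.
                Ok     = ($img.Width -eq 200 -and $img.Height -eq 90 -and
                          $img.PixelFormat -eq [System.Drawing.Imaging.PixelFormat]::Format24bppRgb)
            }
        }
        finally { $img.Dispose() }
    }
}

# Constructed sample path for the staged rollout package.
$customer = 'C:\Deploy\SecureLogin\customer'

# Review the CAs before they land in "Trusted Root Certification Authorities":
# anything expired or not expected for this company's PKI should stop the rollout.
Get-CustomerTrustAnchors -CustomerDir $customer |
    Format-Table File, Subject, NotAfter, SelfSigned, Expired -AutoSize

Test-CustomerBitmaps -CustomerDir $customer | Format-Table -AutoSize
```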
4.3 Client Rollout
Introduction
The SECUDE Secure Login Client is usually installed on a large number of systems.
Therefore, the Client setup is usually performed as an unattended installation using
Microsoft MSI. The Client setup is implemented as an MSI 3.1 package.
During installation, all files used to customize the product during installation are stored in
the customer subfolder, which must be located in the same directory as the MSI setup.
The MSI setup reads and copies them during installation.
Contents:
Section 4.3.1 ‘Installation’, on page 98
Section 4.3.2 ‘Command Line Options to Influence the MSI Setup’, on page 103
4.3.1 Installation
Before proceeding with this section make sure that it is the stand-alone Client you want to
install and not the Web Client. For details about the Web Client installation refer to chapter
5 ‘Secure Login plus Web Client - Installation, Usage, and Removal’ on page 109.
The installation wizard is usually used for a single installation of the Group Policies.
1. Double-click the MSI installer SECUDE Secure Login.msi.
2. The welcome dialog will appear:
Figure 4-1 installation – welcome dialog
Click Next.
3. The program information appears:
Figure 4-2 installation – program information dialog
Click Next.
4. The license agreement appears:
Figure 4-3 installation – license agreement dialog
Check I accept the terms of the license agreement and click Next.
5. The setup type dialog appears:
Figure 4-4 installation – setup type dialog
Check Complete if you want to install all of the features (go to step 7).
Check Custom if you want to install specific features (go to step 6).
The installer contains the following components (components marked with * are
pre-selected by default):
Component                        Details/Value
Business Client addins:
SNC/GSS (primary) *              Installs the primary SAP Secure Network Communication
                                 support addin for SAP Clients.
SNC/GSS (secondary)              Installs the secondary SAP Secure Network Communication
                                 support addin for SAP Clients. (Only required if another
                                 SNC library is already installed. SNC/GSS (primary) must
                                 be de-selected in this case.)
SSF                              Installs the SAP Secure Store and Forward support addin
                                 for SAP Clients.
SECUDE Secure Login:             Secure Login system service:
Windows Network Provider addin*  Network provider addin for retrieving Windows credentials
                                 for authentication against Active Directory.
Windows Kerberos addin           Secure Login addin to use local Windows Kerberos
                                 authentication against a local Secure Login service for
                                 CITRIX.
Profile Management*:
PSE Service*                     Personal Security Environment user service.
Security Tokens:*
Smartcard support*               PKCS#11 and TCOS-based smart card token plugins.
CAPI support*                    Microsoft CryptoAPI token plugin.
SECUDE CSP*                      SECUDE cryptographic service provider.
Group Policies                   Microsoft group policy templates (ADM files).
Notification                     Notification service and GUI for tracing purposes.
Once you have chosen a setup type click Next.
6. If you chose to install specific features in the previous dialog, the custom setup
dialog appears:
Figure 4-5 installation – custom setup dialog
Select the features you wish to install and click Next.
If you want to prevent the installation of a component, click on the hard drive
symbol next to the component and select The feature will not be available from
the context menu:
Figure 4-6 installation – component selection
To return to the default selection click Reset.
Once you have made your selection click Next.
7. The Ready to Install dialog appears:
Figure 4-7 installation – ready to install dialog
Click Install.
8. The installation status dialog appears:
Figure 4-8 installation – installation status dialog
The installation may take a few minutes, so please be patient.
9. Once the installation is complete the following dialog appears:
Figure 4-9 installation – completion dialog
Click Finish. The installation is now complete.
10. It is necessary to restart the computer to start using Secure Login. Click
Start>Shutdown>Restart to restart.
Further Information:
Section 4.3.2 ‘Command Line Options to Influence the MSI Setup’, on page 103
4.3.2 Command Line Options to Influence the MSI Setup
Introduction
This section details command line options that can influence the Microsoft installer (MSI)
setup.
Contents:
Section 4.3.2.1 ‘Standard MSI Options’, on page 103
Section 4.3.2.2 ‘Secure Login MSI Options’, on page 104
4.3.2.1 Standard MSI Options
To help you understand the MSI options, open a command shell and enter the following
syntax:
msiexec /?
The following dialog will be displayed:
Figure 4-10 installation – restart dialog
4.3.2.2 Secure Login MSI Options
To view the options specific to the SECUDE Secure Login setup, open a command shell
and enter the following syntax:
msiexec /i "<path>\SECUDE Secure Login.msi" HELP=1
For example:
msiexec /i "C:\SECUDE Secure Login.msi" HELP=1
The following dialog will be displayed:
Figure 4-11 installation – restart dialog
The components that can be installed individually have the following syntax and meaning
(features marked with * are installed by default if no specific components are selected):
Feature abbreviation for      Package name in            Description
command line syntax           custom setup
ProfileManagement             Profile management         User components.
PSE Service                   PSE Service                User GUI and SSO process.
Token                         Security tokens            Persistent security tokens.
Capi                          CAPI support*              Microsoft Crypto API token plug-in.
Smartcard                     Smartcard support*         PKCS#11 and TCOS based smartcard
                                                         token plug-ins.
CSP                           SECUDE CSP*                Cryptographic service provider
                                                         plug-in for the Microsoft Crypto API.
GroupPolicies                 Group Policies             Group policies, ADM files.
Notification                  Notification               Notification service and viewer for
                                                         SECUDE applications.
secure_login                  SECUDE Secure Login*       Credentials-based certificate
                                                         enrollment.
secure_login_Pepperbox        n/a                        Basic non-persistent tokens support.
secure_login_Kerberos         Windows Kerberos addin     Kerberos support.
secure_login_NetworkProvider  Windows network provider   Network provider add-in for
                              addin*                     retrieving Windows credentials.
secure_login_Service          Secure login system        SECUDE Secure Login system service
                              service*                   for policy download and Windows
                                                         credentials management.
signon_secure                 Business Client addins     SAPGUI security component.
signon_secure_SNC             SNC/GSS (primary)*         SAP Secure Network Communication
                                                         support.
signon_secure_SSF             SSF                        SAP Secure Store and Forward support.
For a full list of components installed by default (i.e. when no specific components are
installed) refer to section 4.3.1, step 5, on page 99.
Example Installation Syntax 1
This example has been put together to achieve the following:
Install SECUDE Secure Login without the user wizard but with the progress bar; do not
install the Windows login component (option qb).
Set the personal security environment (PSE) path to that of the subfolder SECUDE in the
user profile (option CREDDIR=$USERPROFILE$\SECUDE).
Install German language modules only (option LANG=1031).
Install programs into the default folder; do not install ADM files for group policy support
(option qb).
Add verbose logging (option l*v sl.log).
So, to achieve the above the syntax should be as follows:
msiexec.exe /i "C:\SECUDE Secure Login.msi" /qb /l*v sl.log ADDLOCAL=ALL REMOVE=secure_login_NetworkProvider,GroupPolicies CREDDIR=$USERPROFILE$\SECUDE LANG=1031
If you execute the above syntax then you will notice after the installation that both the
German and the English GUI have been installed. This is because English language
support cannot be de-selected as it is the fallback GUI. No reboot is required. The system
tray icon is displayed, and enrolment profiles are provided immediately.
Example Installation Syntax 2
This example has been put together to demonstrate a simple installation and feature
selection:
msiexec /i "SECUDE Secure Login.msi" INSTALLDIR="C:\Program Files\SECUDE\SL" LAUNCH=1 LANG=0000 ADDLOCAL=ALL REMOVE=Notification,GroupPolicies,Smartcard,secure_login_Kerberos
In most cases the easiest approach is to install all but a few features, which is best
expressed as ADDLOCAL=ALL REMOVE=feat1,feat2,…
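For a scripted rollout, the ADDLOCAL=ALL REMOVE=… pattern is usually wrapped so that feature names are validated, the verbose log is always written and the msiexec exit code is acted on. The following PowerShell script is an added example, not SECUDE's code; the MSI path, log location and removed features are constructed sample values, and the feature-name list is taken from the table above.

```powershell
# Added example, not part of the SECUDE manual or product: an unattended client
# installation following the "install all but a few features" pattern above, with
# feature names validated against the manual's table, a verbose MSI log, and the
# msiexec exit code checked so a rollout script fails loudly instead of silently.
# Assumptions: the MSI path, log directory and removed features are sample values;
# "PSE Service" is omitted from the list because the table gives it no single-token
# abbreviation.

# Feature abbreviations accepted on the msiexec command line (from the table above).
$SecureLoginFeatures = @(
    'ProfileManagement', 'Token', 'Capi', 'Smartcard', 'CSP',
    'GroupPolicies', 'Notification',
    'secure_login', 'secure_login_Pepperbox', 'secure_login_Kerberos',
    'secure_login_NetworkProvider', 'secure_login_Service',
    'signon_secure', 'signon_secure_SNC', 'signon_secure_SSF'
)

function Install-SecureLoginClient {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [string[]]$RemoveFeatures = @(),
        [string]$LogDir = $env:TEMP,
        [int]$Lang = 1031,                         # 1031 = German, as in Syntax 1
        [string]$CredDir = '$USERPROFILE$\SECUDE'  # PSE path; passed literally to the MSI
    )

    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

    # Catch typos here: a feature name the MSI does not know only shows up deep in
    # the verbose log after the installation has already been rolled back.
    $unknown = @($RemoveFeatures | Where-Object { $SecureLoginFeatures -cnotcontains $_ })
    if ($unknown.Count -gt 0) {
        throw "Unknown Secure Login feature(s): $($unknown -join ', ')"
    }

    $log = Join-Path $LogDir ('SecureLogin-install-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
    $msiArgs = @(
        '/i', ('"{0}"' -f $MsiPath),
        '/qn',            # no UI at all; use /qb for a progress bar as in Syntax 1
        '/norestart',     # let the deployment tool schedule the reboot (step 10)
        '/l*v', ('"{0}"' -f $log),
        'ADDLOCAL=ALL',
        "LANG=$Lang",
        "CREDDIR=$CredDir"
    )
    if ($RemoveFeatures.Count -gt 0) {
        $msiArgs += 'REMOVE=' + ($RemoveFeatures -join ',')
    }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    $status = switch ($proc.ExitCode) {
        0       { 'installed' }
        3010    { 'installed, reboot required' }   # ERROR_SUCCESS_REBOOT_REQUIRED
        default { throw "msiexec exited with $($proc.ExitCode); see $log" }
    }

    [pscustomobject]@{
        Status   = $status
        ExitCode = $proc.ExitCode
        Log      = $log
        Command  = 'msiexec.exe ' + ($msiArgs -join ' ')
    }
}

function Test-SecureLoginInstalled {
    # Post-install check against the standard Windows uninstall registry keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'SECUDE Secure Login*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

# Constructed sample call mirroring the feature selection of Syntax 2.
$result = Install-SecureLoginClient -MsiPath 'C:\Deploy\SECUDE Secure Login.msi' `
    -RemoveFeatures 'Notification', 'GroupPolicies', 'Smartcard', 'secure_login_Kerberos'
$result | Format-List
Test-SecureLoginInstalled
```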
4.4 Remove SECUDE Secure Login Client
This section details the removal procedure for the Secure Login Client component.
It is recommended to back up any certificates you may have imported into the PSE service
before removing the Secure Login Client component.
1. Start the removal procedure via one of the following options:
Open a command box and enter msiexec /i "<path to msi file>SECUDE Secure Login.msi"
Double-click the SECUDE Secure Login.msi installer
Click Start>Control Panel>Add and Remove Programs, select SECUDE Secure
Login from the list and click Remove
2. The Welcome dialog will appear:
Figure 4-12 removal – welcome dialog
Click Next.
3. The Program Maintenance dialog appears:
Figure 4-13 removal – program maintenance dialog
Check Remove and click Next.
4. The Remove Program dialog appears:
Figure 4-14 removal – remove program dialog
Click Remove.
5. The status of the removal will be displayed:
Figure 4-15 removal – removal status dialog
6. If the removal is successful the following dialog will appear:
Figure 4-16 removal – welcome dialog
Click Finish.
5 Secure Login plus Web Client - Installation, Usage, and Removal
Introduction
This chapter details how to install, use, and remove the Secure Login Web Client.
The Web Client installation is not just the Web Client but rather the complete Secure Login
Server plus Web Client.
Make sure that it is this version of Secure Login (i.e. with Web Client) you want to deploy
before proceeding with this chapter. For details about the standard installation refer to
chapter 3 ‘Server Installation, Configuration, and Removal’ on page 32.
Currently, there is no version of the Web Client for BEA WebLogic.
The installation routine also differs slightly from the standard installation:
The Secure Login Web Client installation routine for Tomcat is similar to the standard
Secure Login installation to Tomcat but there are several extra steps:
deploy the Apache Axis2 Web service architecture within Tomcat
deploy the Secure Login Web service within Axis2.
The Secure Login Web Client installation routine for NetWeaver is the same as the
standard Secure Login installation to NetWeaver with the exception that a different archive
is deployed.
Contents of Web Client Delivery Package:
Within the main delivery package (SECUDE51secureloginServer.zip) the Web Client
directories for Tomcat and NetWeaver contain the following files:
For Apache Tomcat (Tomcat WS):
axis2.war - AXIS2 Web application from Apache (version 1.4).
shared.zip - All Secure Login JAR files (SECUDE+third party) as well as Server
message files.
iaik_jce_full.jar - Institute for Applied Information Processing and
Communication (IAIK) provider for the Java Cryptography Extension (JCE)
opencsv-1-7-1.jar - opencsv is a very simple csv (comma-separated
values) parser library for Java.
radClient3.jar – Radius Client application
SECUDE-JavaSDK.jar – SECUDE Java SDK
SECUDE-SecureLogin.jar – SECUDE Secure Login application
SECUDE-Transfair.jar – SECUDE Secure Login application framework
ServerMsg.properties – The file that contains the default Server
messages (will be duplicated when creating a new Server messages file in an
alternate language).
ServerMsg_de.properties - Server messages file in German.
ServerMsg_en.properties - Server messages file in English.
SlsWebClient.war – The Secure Login Web Client
securelogin.war - The main Secure Login file including the Administration
Console (but without JAR files and Server message files).
secureloginservice.aar - Secure Login AXIS2 Web Service
For SAP NetWeaver (NetWeaver WS):
secureloginservice.ear – Enterprise archive containing all of the necessary
components ready for deployment. This includes the Web Service and Web Client.
Sections in this Chapter
Section 5.1 ‘Prerequisites’ on page 110
Section 5.2 ‘Preparing the Server for Installation’ on page 111
Section 5.3 ‘Install and Configure the Web Client’, on page 112
Section 5.4 ‘Use the Web Client’, on page 115
Section 5.5 ‘Remove the Web Client’, on page 117
5.1 Prerequisites
This section lists the hardware and software requirements for Secure Login and the Web
Client.
Prerequisite for: Secure Login Server
Details: The hardware/software requirements are the same as for the standard Secure Login
installation. For a complete list of requirements please refer to section 3.1 on page 33.

Prerequisite for: Secure Login Web Client
Details:
Supported operating systems:
  Windows
  Linux
  Mac OS X
  Others (depending on the SECUDE C-SDK)
System requirements:
  Java 1.5 or higher browser plug-in
  SAPGUI for Java
  SAPGUI for Windows (limited)
Supported Internet browsers:
  Linux Konqueror
  Mozilla Firefox 2.x, 3.x or any other Mozilla-based Web browser
  Microsoft Internet Explorer 6/7
  Apple Safari 3.x
Supported operating systems for SAP-ID-based authentication (SunOS/Solaris/HP-UX have no
Web Client support, Mac OS X has no Server support):
  Linux-i686-2.2-GLIBC2.1-mt-32
  Linux-i686-2.4-GLIBC2.2-mt-32
  Linux-i686-2.6-GLIBC2.3-mt-32
  Linux-i686-2.6-GLIBC2.7-mt-32
  MacOSX10.4-mt-32
  SunOS-sparc-5.10-mt-32
  SunOS-sparc-5.10-mt-64
  SunOS-sparc-5.8-mt-32
  SunOS-sparc-5.8-mt-64
  Windows-i686-VS7.1-mt-32
  HP-UX 11.11 (PA-RISC)
  HP-UX 11.23 (Itanium)
The native components for each OS are part of the delivery package.
5.2 Preparing the Server for Installation
Introduction
The Server must be prepared for the installation of Secure Login plus the Web Client. If
you have already prepared the Server go to the next section to start with the installation. If
you have not prepared the Server, the following list indicates what must be installed and
configured before starting with the installation of SECUDE Secure Login:
Install the operating system (plus updates if necessary).
Install Java (JCE will be automatically installed).
Install the application Server.
This manual does not detail the installation and configuration of the above-mentioned
software. It is assumed that the knowledge and skills necessary to perform the Server
preparation are already present, so they are not documented here.
Contents of Delivery Package
Secure Login is delivered as a series of ZIP files. The contents of each ZIP file are as
follows:
SECUDE51SecureLoginNativeComponents.zip
This file contains the necessary native Secure Login components for each supported
platform:
\extra
Example secude.xml file
\SSS+JCO
Native components for the Signon&Secure and JCO installation
\WebClient
Native components necessary to run the Web Client
SECUDE51SecureLoginServer.zip
\doc
This directory contains the documentation, license agreements, and readme files.
\SECUDE51SecureLoginServer.zip
Although this ZIP file has the same name as the file that contains it, it holds the
standard Secure Login applications as well as the Web Client variants:
\NetWeaver\securelogin.ear
Standard Secure Login application for SAP NetWeaver to work with the Secure
Login Client.
\NetWeaver WS\secureloginservice.ear
The Web Client version of Secure Login for SAP NetWeaver.
\Tomcat\securelogin.war
Standard Secure Login application for Apache Tomcat to work with the Secure
Login Client.
\Tomcat WS\axis2.war, securelogin.war,
secureloginservice.aar, shared.zip, SlsWebClient.war
The Web Client version of Secure Login for Apache Tomcat plus secondary files
necessary for operation.
Prepare the Files
In preparation for installation, it is recommended to unpack the ZIP archive
SECUDE51SecureLoginServer.zip to produce the four application sub-directories as
well as SECUDE51SecureLoginNativeComponents.zip to produce the files for the
native components.
This manual contains steps in which it is necessary to choose and confirm passwords. For
reasons of security Secure Login will only allow you to choose passwords that are hard to
guess (i.e. a mix of uppercase/lowercase letters, digits, and special characters).
5.3 Install and Configure the Web Client
The Web Client itself is delivered in two versions – one for Apache Tomcat and one for SAP
NetWeaver. The next two sub-sections detail the installation steps for the Secure Login
Web Client on both systems.
Sections
Section 5.3.1 ‘Web Client installation on Tomcat’, on page 112
Section 5.3.2 ‘Web Client Installation on NetWeaver’, on page 114
5.3.1 Web Client installation on Tomcat
1. If necessary, stop Tomcat.
2. Unpack the contents of the file shared.zip located in the directory <unzipped
location on hard disk>SECUDE51SecureLoginServer/Tomcat WS/ (in
the delivery package - see section 5.2 on page 111). This step differs according to
the version of Tomcat you use:
Tomcat 6: Unzip the content directly to the directory
<Tomcat home directory>\shared.
Tomcat 5:
Unzip the *.properties files to the directory:
<Tomcat home directory>\shared\classes
Unzip the *.jar files to the directory:
<Tomcat home directory>\shared\lib
Apache Tomcat 6.x does not use a ‘shared’ directory as standard and it must therefore not
only be created but also manually entered into the Tomcat configuration (failure to do so will
result in errors such as ‘SecudeJavaSDK not found’ and ‘JRE Policy not implemented’ –
despite the fact that the components are in the correct directory):
Create the shared directory directly under the Tomcat home directory, for example:
<Tomcat home>\shared
Open the Tomcat properties file catalina.properties in the directory
<Tomcat home>\conf in a text editor.
Locate the following section:
# List of comma-separated paths defining the contents of the "shared"
# classloader. Prefixes should be used to define what is the repository type.
# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
# the "common" loader will be used as Catalina's "shared" loader.
# Examples:
# "foo": Add this folder as a class repository
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
# Please note that for single jars, e.g. bar.jar, you need the URL form
# starting with file:.
shared.loader=
Change the last line to read:
shared.loader=${catalina.home}/shared,${catalina.home}/shared/*.jar
Save the changes and close the text editor.
3. Copy the file securelogin.war from the delivery package to <Tomcat home directory>\Webapps.
4. Start Tomcat to deploy the securelogin.war file.
5. Start the Administration Console and create your basic configuration (see section 6.1
on page 119). Once completed, logout of the console.
6. Deploy the file axis2.war by copying it from the delivery package to the directory
<Tomcat home directory>\Webapps. The deployment should be automatic but
if not, restart Tomcat.
When configuring an SAP-ID-based Authentication Server, the Administration Console will
usually take care of the signon&secure/JCO installation. This includes copying the file
sapjco.jar to the directory:
<Tomcat home>\Webapps\securelogin\WEB-INF\lib.
This also applies to the AXIS Web Client scenario. The file sapjco.jar will be copied to
the ‘shared’ directory:
For Tomcat 5.x: <Tomcat home directory>\shared\lib
For Tomcat 6.x: <Tomcat home directory>\shared
However, for the AXIS Web Client scenario, if you have not set the option TomcatSharedPath
in the Administration Console page Web Client Configuration, then you will have to copy the
sapjco.jar file manually to the respective Tomcat 5.x/6.x directory. For further details
about the Web Client Configuration node refer to section 6.1.16 on page 166.
7. Deploy the file secureloginservice.aar by copying it from the delivery package
to the directory <Tomcat home directory>\Webapps\axis2\WEB-INF\services.
The deployment should be automatic but if not, restart Tomcat.
8. Open the file <Tomcat home directory>\Webapps\axis2\WEB-INF\Web.xml in a
text editor. Locate and remove the line
<load-on-startup>XXX</load-on-startup>. Save the file and close the
editor.
9. Deploy the file SlsWebClient.war by copying it from the delivery package to the
directory <Tomcat home directory>\Webapps
The Tomcat Security Manager
Usually, after a fresh Tomcat installation, the Tomcat Security Manager is deactivated.
However, if it is active then errors such as ‘SecudeJavaSDK not found’ and ‘JRE Policy not
implemented’ may occur despite the fact that everything in the configuration appears to be
as it should. The Tomcat Security Manager must be deactivated:
For Tomcat 5.5 under Linux:
The following security manager option is located in the Tomcat start script in the
directory init.d:
#Use the Java security manager? (yes/no)
#TOMCATS_SECURITY=yes
Either leave it commented out or set it to no.
For Windows:
The security manager is usually started using the runtime option -security. Do
not use this option.
Change default Apache Axis2 administration account
Apache Axis2 also has an administration front-end. It is available via the URL:
http://localhost:8080/axis2/axis2-admin/
This allows the upload (and hence the change) of Web Service Archives and the
activation/deactivation of deployed services.
The front-end is shipped with a default account: user=admin, password=axis2. This, of
course, presents a security issue, and it is therefore recommended that the Secure Login
administrator change the password of the AXIS2 admin front-end. This can be accomplished
as follows:
Open the axis2.xml file in the Server directory Webapps\axis2\WEB-INF\conf\
Locate the following lines:
<parameter name="userName">admin</parameter>
<parameter name="password">axis2</parameter>
Change the values of both entries (the user name and the password) accordingly.
10. Start the Administration Console and login. Click the Web Client Configuration node to
start configuring the Web Client (see section 6.1.16 on page 166).
Next Step
Configure the Secure Login Server using the Administration Console – see section 6.1
‘Administration Console’ on page 119
Start and use the Web Client - see section 5.4 ‘Use the Web Client’ on page 115
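The three edits in the Tomcat procedure above (the shared.loader line, the removed load-on-startup line, and the Axis2 admin account) are the ones most often left in their shipped state. The following script is an added post-installation check, not part of the SECUDE delivery; the file contents it parses here are constructed samples, and on a real server you would read the files under <Tomcat home> instead.

```python
"""Post-installation audit for the Secure Login Web Client on Tomcat.

Checks the three configuration edits from section 5.3.1 that are easy to
miss: the shared.loader line in conf/catalina.properties (Tomcat 6.x),
the shipped default Axis2 admin account in axis2/WEB-INF/conf/axis2.xml,
and the <load-on-startup> line that must be removed from the Axis2 Web.xml.
The sample file contents at the bottom are constructed, not real files.
"""
import xml.etree.ElementTree as ET

# Value the manual tells you to set (section 5.3.1, step 2, Tomcat 6.x).
EXPECTED_SHARED_LOADER = "${catalina.home}/shared,${catalina.home}/shared/*.jar"
# Default account shipped with the Axis2 admin front-end.
AXIS2_DEFAULT_USER = "admin"
AXIS2_DEFAULT_PASSWORD = "axis2"


def _local_name(tag):
    """Strip an XML namespace prefix such as {http://...}load-on-startup."""
    return tag.rsplit("}", 1)[-1]


def check_shared_loader(catalina_properties):
    """Findings for the shared.loader line; [] when both entries are present."""
    value = None
    for line in catalina_properties.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue  # comments and non-property lines
        key, _, val = line.partition("=")
        if key.strip() == "shared.loader":
            value = val.strip()  # the last definition wins
    if value is None:
        return ["shared.loader is not defined in catalina.properties"]
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return ["shared.loader is missing the entry " + required
            for required in EXPECTED_SHARED_LOADER.split(",")
            if required not in entries]


def check_axis2_admin(axis2_xml):
    """Findings for the Axis2 admin account; [] when the default was changed."""
    params = {}
    for elem in ET.fromstring(axis2_xml).iter():
        if _local_name(elem.tag) == "parameter" and "name" in elem.attrib:
            params[elem.attrib["name"]] = (elem.text or "").strip()
    user, password = params.get("userName"), params.get("password")
    if user is None or password is None:
        return ["axis2.xml defines no userName/password parameters for the admin front-end"]
    if user == AXIS2_DEFAULT_USER and password == AXIS2_DEFAULT_PASSWORD:
        return ["Axis2 admin front-end still uses the shipped default account admin/axis2"]
    if password == AXIS2_DEFAULT_PASSWORD:
        return ["Axis2 admin password is still the shipped default 'axis2'"]
    return []


def check_load_on_startup(web_xml):
    """Findings for the Axis2 Web.xml; [] when the <load-on-startup> line is gone."""
    for elem in ET.fromstring(web_xml).iter():
        if _local_name(elem.tag) == "load-on-startup":
            return ["Web.xml still contains <load-on-startup>%s</load-on-startup>"
                    % (elem.text or "").strip()]
    return []


def audit(catalina_properties, axis2_xml, web_xml):
    """Run all three checks and return the combined list of findings."""
    return (check_shared_loader(catalina_properties)
            + check_axis2_admin(axis2_xml)
            + check_load_on_startup(web_xml))


# --- Constructed samples (not real installation files) ---------------------
FRESH_CATALINA = """# Examples:
#     "foo": Add this folder as a class repository
shared.loader=
"""
FIXED_CATALINA = "shared.loader=${catalina.home}/shared,${catalina.home}/shared/*.jar\n"

FRESH_AXIS2 = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
</axisconfig>
"""
# Constructed replacement account; choose your own values on a real server.
FIXED_AXIS2 = FRESH_AXIS2.replace("admin", "slsadmin").replace(">axis2<", ">Xk7!pQ2#mR9v<")

FRESH_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
    <servlet>
        <servlet-name>AxisServlet</servlet-name>
        <load-on-startup>1</load-on-startup>
    </servlet>
</web-app>
"""
FIXED_WEB_XML = FRESH_WEB_XML.replace("        <load-on-startup>1</load-on-startup>\n", "")

if __name__ == "__main__":
    for finding in audit(FRESH_CATALINA, FRESH_AXIS2, FRESH_WEB_XML):
        print("FAIL:", finding)
    print("findings after the fixes:", audit(FIXED_CATALINA, FIXED_AXIS2, FIXED_WEB_XML))
```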
5.3.2 Web Client Installation on NetWeaver
The Web Client installation for NetWeaver is exactly the same as the standard Secure
Login installation detailed in section 3.7 on page 91. However, instead of deploying the
standard Secure Login application (securelogin.ear) you deploy the Web Service
application secureloginservice.ear (located in the NetWeaver WS directory in the
delivery package).
Next Step
Configure the Secure Login Server using the Administration Console – see section 6.1
‘Administration Console’ on page 119
Start and use the Web Client - see section 5.4 ‘Use the Web Client’ on page 115
5.4 Use the Web Client
This section describes how to open and use the Secure Login Web Client.
Only use the Web Client once you have finished configuring not only the Secure Login
Server, but also the Web Client settings via the Administration Console (see sections 6.1 on
page 119, and 6.1.16 on page 166 respectively).
1. Enter the following URL in your Internet browser:
http://<hostname:port>/SlsWebClient
A security warning to confirm the digital signature of the Web Client Applet may appear. If
so, confirm the signature to proceed to load the Web Client. You can choose either to
confirm the signature once or always – choosing ‘always’ means that the security
warning will not reappear the next time you want to logon to the Web Client.
2. The Web Client login page will appear:
Figure 5-1 Web Client – login page
3. Enter your Username and Password, and select a Server to logon to from the Server
combo-box. The next step will differ according to whichever Server you are about to
authenticate and logon to:
If you have configured the Web Client to start the SAP interface directly without
calling the SAP logon dialog first (Web Client Configuration node> SAP GUI
Management) then the next screen you should see is the SAP interface. The
procedure ends with this step.
If you have configured the Web Client to start the SAP logon dialog then the SAP
Logon dialog will appear. Go to the next step.
4. On Windows Clients only: The new user certificate is propagated into the Windows
Certificate Store in the background. Internet Explorer could use it for certificate based
authentication if an SSL protected Web page is opened.
5. The SAP Logon dialog/GUI will appear (if the SAP Logon GUI for Java is correctly
installed, it will take preference over the SAP Logon GUI for Windows):
Figure 5-2 Web Client – SAP Logon GUI (left: Windows, right: Java)
Web Client Logging
When logging in via the SAP Logon dialog/GUI, user information is stored in the local user
directory. For Windows this directory is:
C:\Documents and Settings\<user>\secudesnc.
The directory will contain some, or all, of the following files:
ComSecudeUtil.dll – SECUDE library copied over from the Server
cred_v2 – Credentials file
SapProfile.sap – SAP profile
secude.dll – SECUDE library copied over from the Server
SecudeSNCApplet.log – logfile of Web Client activity
SNC.pse – SNC personal security environment
ticket.snc – license file copied over from the Server
user.properties – user properties file containing the username, date+time, and
SNC version.
version.txt – Native components version file copied over from the Server
It is possible to configure the Web Client to automatically delete the files in the secudesnc
directory. Use the Administration Console option Client Logging under the node Web Client
Configuration>Common Configuration. For further information see section 6.1.16.1 on page
168.
5.4.1 Configure SSL Trust for the Web Client Java Applet
This section details how to secure the communication between the Internet browser and
Web Client using SSL thus helping to eliminate the security warnings when calling the
Web Client (and any alarm this may cause – including extra hotline activity).
A normal call between Browser and the Web Client is established via Java over HTTP and
therefore how we establish the SSL trust is Browser-dependent:
Linux Konqueror and Mozilla Firefox 3 do not use their own certificate store but rather the
Java certificate store.
Microsoft Internet Explorer 6/7 and Apple Safari use their own certificate store.
Trust may be established in two ways:
No permanent certificate: this means that the user computer is left untouched and the
Web Client is called using an HTTPS URL. If SSL trust has not yet been established a Java
pop-up will appear prompting the user if they wish to trust the SSL Server.
Permanent certificate: this means that the user computer has an imported root
certificate (via remote distribution) and the Web Client is called using an HTTPS URL. This
can be configured so that no pop-ups will appear.
These are the three points of security configuration relevant to the Web Client, or rather
the three possible levels at which action may be taken – depending on how far you want
to go (all of which are for a permanent certificate only!):
SSL Trust between Browser and Application Server (for example, Tomcat).
This simply involves importing the Administration Console root certificate into the
Browser's certificate truststore.
SSL Trust between Java Applet and Application Server
This only applies to Linux Konqueror and Mozilla Firefox 3! This will import the
Administration Console root certificate into the Java environment. This can be
performed at two levels – per machine for all users, or per user:
Per machine (all operating systems): Locate the Java truststore file cacerts
under the path jre\lib\security. Use the Java Keytool to import the
Administration Console root certificate into the Java truststore.
Per machine (alternative method): Use the Administration Console to export the
root certificate in JKS format. Rename the resulting keystore file to jssecacerts
(no extension!) and place the file under jre\lib\security.
Per user: Use the Administration Console to export the root certificate in JKS
format. Rename the resulting keystore file to trusted.jssecacerts (no
extension!) and place the file under:
Windows: %HOMEPATH%\Application Data\Sun\Java\Deployment\security
Linux/Mac: $HOME/.java/deployment/security
Execution rights for signed applet (i.e. user warning prompts)
This will import the Administration Console root certificate and suppress the user
warning prompts. The applet in the SSL Server SlsWebClient directory will always be
‘trusted’. This can be performed at two levels – per machine for all users, or per
user:
Per machine: Open the Java Security Policy file java.policy in the directory
jre\lib\security. Add the following code:
grant codeBase "https://<SLS-HOSTNAME WITHOUT PORT>/SlsWebClient/*" {
permission java.security.AllPermission;
};
Save and close the file.
Per user: Open an editor and enter the following code:
grant codeBase "https://<SLS-HOSTNAME WITHOUT PORT>/SlsWebClient/*" {
permission java.security.AllPermission;
};
Save the file as .java.policy in the user home directory (all operating
systems).
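The policy grant above hands java.security.AllPermission to whatever matches its codeBase, so the codeBase must stay an HTTPS URL scoped to the SlsWebClient directory on the SLS host (without port). The following helper is an added example, not SECUDE code: it generates the grant block for the per-machine or per-user policy file, rejects hostnames that carry a port, scheme or path, and audits an existing policy for AllPermission grants that are wider than the applet. The hostname sls.example.internal is a constructed placeholder.

```python
"""Helpers for the Java-side trust settings in section 5.4.1.

policy_grant() builds the grant block for java.policy / .java.policy and
refuses hostnames that carry a port, scheme or path (the codeBase must name
the SLS host without port). audit_policy() reads an existing policy file and
flags AllPermission grants that are broader than the Web Client applet
directory: AllPermission given to all code, or over plain HTTP, removes the
protection that the signed-applet prompt provides.
"""
import re

APPLET_PATH = "/SlsWebClient/*"
# One grant block: optional codeBase, then the permissions between the braces.
_GRANT_RE = re.compile(r'grant(?:\s+codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)


def is_valid_sls_host(sls_host):
    """True for a bare hostname; False for host:port, scheme or path forms."""
    host = sls_host.strip()
    return bool(host) and ":" not in host and "/" not in host


def policy_grant(sls_host):
    """Return the grant block for the Web Client applet on sls_host."""
    if not is_valid_sls_host(sls_host):
        raise ValueError("use the SLS hostname only, without scheme, port or path: %r"
                         % sls_host)
    return ('grant codeBase "https://%s%s" {\n'
            '    permission java.security.AllPermission;\n'
            '};\n' % (sls_host.strip(), APPLET_PATH))


def audit_policy(policy_text):
    """Findings for every AllPermission grant that is wider than the applet."""
    findings = []
    for match in _GRANT_RE.finditer(policy_text):
        code_base, body = match.group(1), match.group(2)
        if "java.security.AllPermission" not in body:
            continue  # other permissions are outside the scope of this check
        if code_base is None:
            findings.append("AllPermission granted without a codeBase (applies to all code)")
        elif not code_base.startswith("https://"):
            findings.append("AllPermission codeBase is not an HTTPS URL: " + code_base)
        elif not code_base.endswith(APPLET_PATH):
            findings.append("AllPermission codeBase is wider than the applet directory: "
                            + code_base)
    return findings


def user_truststore_dir(system, home):
    """Directory for the per-user trusted.jssecacerts file (section 5.4.1)."""
    if system == "Windows":
        return home + r"\Application Data\Sun\Java\Deployment\security"
    return home + "/.java/deployment/security"


if __name__ == "__main__":
    # Constructed example host; not a real Secure Login deployment.
    print(policy_grant("sls.example.internal"))
    sloppy = 'grant {\n    permission java.security.AllPermission;\n};\n'
    for finding in audit_policy(sloppy):
        print("FAIL:", finding)
```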
5.5 Remove the Web Client
This section describes how to remove the Web Client from both Tomcat and NetWeaver
Servers.
Web Client removal from Tomcat
Before proceeding, if you have not already done so, stop the Tomcat Server.
Delete the following folders from the <Tomcat home>\Webapps directory:
axis2
securelogin
SlsWebClient
Delete the following files from the <Tomcat home>\Webapps directory:
axis2.war
securelogin.war
SlsWebClient.war
For Tomcat 6.x only: delete the following files from the <Tomcat home> directory:
\shared\iaik_jce_full.jar
\shared\opencsv-1-7-1.jar
\shared\radClient3.jar
\shared\SECUDE-JavaSDK.jar
\shared\SECUDE-SecureLogin.jar
\shared\SECUDE-Transfair.jar
\shared\ServerMsg.properties
\shared\ServerMsg_<country abbreviation>.properties
For Tomcat 5.x only: delete the following files from the <Tomcat home> directory:
\shared\lib\iaik_jce_full.jar
\shared\lib\opencsv-1-7-1.jar
\shared\lib\radClient3.jar
\shared\lib\SECUDE-JavaSDK.jar
\shared\lib\SECUDE-SecureLogin.jar
\shared\lib\SECUDE-Transfair.jar
\shared\classes\ServerMsg.properties
\shared\classes\ServerMsg_<country abbreviation>.properties
Web Client removal from NetWeaver
To remove a Secure Login Web Client installation from NetWeaver, follow the same steps
as detailed in section 3.7.2 on page 92.
6 Administration
Introduction
This chapter describes how to administrate the SECUDE Secure Login Server via either the
administration console or the XML interface.
Sections in this Chapter
Section 6.1 ‘Administration Console’, on page 119
Section 6.2 ‘Email Report&Alert Configuration’, on page 177
Section 6.3 ‘Instance Management’, on page 178
Section 6.4 ‘Console Users’, on page 198
Section 6.5 ‘Other Administration Features’, on page 206
6.1 Administration Console
Introduction
This section details the Administration Console for Secure Login. The console is based on
JavaServer Pages (JSP) technology and is controlled from within an Internet browser. It
makes administration tasks for SECUDE Secure Login easy. Every relevant administration
and configuration task for both the Client and Server side can be performed via the
console.
6.1.1 Open the Console
1. To open the console enter the following URL in a Web browser:
http://<Server IP address>/securelogin/admin/index.jsp
For example: http://localhost:8080/securelogin/admin/index.jsp
or for secure communication: https://localhost:8443/securelogin/admin/index.jsp
2. The login page will appear:
Figure 6-1 Administration Console – login page
Enter your SECUDE Secure Login administration username, password, and
authentication type (detailed below). Click Login. If you make a mistake entering any
details, just click Reset to clear the fields.
Authentication type: Local login
Details: Standard username/password combination authenticated via the Administration
Console database.

Authentication type: External login
Details: Username/password combination authenticated via the Authentication Server
database set in the JAAS module. If you use this option you must also select the
appropriate JAAS module in the External Login Jaas Module combo-box.
NOTE: an Authentication Server must already be configured for there to be any entries in
the combo-box. For information about configuring an Authentication Server refer to
section 6.1.5.

Authentication type: SSL certificate login
Details: Username/password combination authenticated via a certificate imported into the
Web-browser.
3. If login is successful the Welcome page will appear:
Figure 6-2 Administration Console – Home/welcome page
The Administration Console interface allows you to easily configure the Server to your
needs. The main area is split into three panes:
The top left-hand pane lists any tasks that have yet to be performed. For example,
“Connection should be https” refers to the missing SSL connection
between the console and the Secure Login Server, or “Server needs to be
restarted” informs you that the Server configuration has been changed and you
need to restart the Server for it to take effect.
The bottom left-hand pane is the main navigation tree. For easy reference, each
node represents tasks that can be performed within the Secure Login framework.
The right-hand pane displays the details of any node selected in the left-hand
pane.
In the top right-hand corner there are three entries that appear on every page in the
console:
Change password – This allows you to change the password for the current
administrator/user account. For further details refer to section 6.1.3 on page 122.
Logout – Use this link to logout of the console. The login page will reappear (see
previous page).
About – Click this to view version information about the console.
Click one of the nodes in the bottom left-hand pane to perform one of the following
tasks:
Node: Home
Use this node to return to the administration console start page (as seen above).

Node: Server Configuration
Use this node to view and change the configuration of the whole Server. For further
information see section 6.1.3.

Node: Server Configuration > Certificate Management
Use this node to view details about the Secure Login Server certificate issuers and to add
new issuers. For further information see section 6.1.4.

Node: Server Configuration > Authentication Management
Use this node to view details about the Secure Login Server JAAS module and to add a new
Authentication Server. For further information see section 6.1.5.

Node: Server Configuration > TrustStore Management
Use this node to view certificates in the TrustStore and add certificates to the TrustStore.
For further information see section 6.1.6.

Node: Server Configuration > Certificate Template
Use this node to view and change certificate templates. For further information see
section 6.1.7.

Node: Server Configuration > System Check
Use this node to view the current status of Secure Login components. For further
information see section 6.1.8.

Node: Server Configuration > Backup/Restore
Use this node to backup and/or restore the current Server configuration and PKI
information of the administration system. For further information see section 6.1.9.

Node: Server Configuration > Change Language
Use this node to change the GUI language. For further information see section 6.1.10.

Node: Server Configuration > Message Setting
Use this node to change message content. For further information see section 6.1.11.

Node: Server Configuration > SSS&JCO installation
Use this node to install the SECUDE signon&secure (SSS) and JCO components necessary for
the SAPID JAAS login module for Secure Login. For further information see section 6.1.12.

Node: Server Configuration > System Status
Use this node to view the status of the current Secure Login Server. For further
information see section 6.1.13.

Node: Server Configuration > Sign Certificate Requests
Use this node to submit a certificate request to a certificate authority. For further
information see section 6.1.14.

Node: Server Configuration > Console log viewer
Use this node to view log entries of actions performed via the Administration Console
only. Log files can be viewed on a monthly basis. For further information see section
6.1.15.

Node: Server Configuration > Locked Files Management
Use this node to check if any files have been locked and, if necessary, unlock them. For
further information see section 6.4.3 on page 205.

Node: Server Configuration > Web Client Configuration
Use this node to configure Web-Client parameters. For further information see section
6.1.16.
NOTE: this node only appears if the Web Client has been installed. For further details
refer to section 5.3 on page 112.

Node: Server Configuration > Email Report&Alert Configuration
Use this node to configure email notification and email alert parameters. For further
information see section 6.1.16.

Node: Instance Management
Use this node to administrate the Secure Login instances. For further information see
section 6.3.

Node: Instance Management > Instance Configuration
Use this node to display the configuration of the current Secure Login Server instance.
For further information see section 6.3.1.

Node: Instance Management > Client Configuration
Use this node to view and change the Client configuration. For further information see
section 6.3.3.

Node: Instance Management > Instance Log Management
Use this node to view log files on either a monthly or daily basis, and download the log
files for archiving. For further information see section 6.3.4.

Node: Instance Management > Instance Check
Use this node to view the status of the components for Client policies and PKI
management. For further information see section 6.3.5.

Node: Instance Management > Instance Status
Use this node to view the status of the current Secure Login Server. For further
information see section 6.3.6.

Node: Console Users
Use this node to view when an administrator logged in to, or logged out of, the
Administration Console. For further information see section 6.4.

Node: Console Users > User Management
Use this node to display a list of the users/administrators registered to the
Administration Console as well as add a new user, edit/delete a current user, and assign a
role to a user. For further information see section 6.4.1 on page 199.

Node: Console Users > Role Management
Use this node to configure the permissions for a new or existing administrator role. For
further information see section 6.4.2 on page 202.

Node: Console Users > Locked Files Management
Use this node to unlock console files that are locked by dead operator sessions. For
further information see section 6.4.2 on page 202.
You may be asked to re-enter your username and password if you leave the
administration console for too long (console timeout).
This page also appears when you click the Home node.
6.1.2 Change the Administrator/User Password
This section details how to change the account password for the Administration Console.
The user ‘Admin’ is a permanent user that has the role ‘super-user’ and cannot be deleted
(only the password changed) or altered in any way.
As a consequence, the ‘admin’ user can log onto the system regardless of state (i.e. when a
serious system error occurs), guaranteeing that there is at least one user that can always
access Secure Login to correct or configure the system.
1. Click Change Password in the title bar on any page.
2. The following page will appear:
Figure 6-3 Administration Console – Change Administrator/User Password
3. Enter the current password into the Old Password field.
4. Enter and confirm the new password into the fields New Password and Confirm New
Password respectively.
5. Click OK.
6.1.3 Server Configuration
This section details the Server Configuration page of the Administration Console.
The Server Configuration page allows you to:
View the Server configuration.
Edit some of the Server parameters (see section 6.1.3.1 on page 126).
Edit the type of authentication used to login to the Administration Console (see section
6.1.3.2 on page 127).
1. Click the Server Configuration node in the left-hand pane of the Administration
Console.
2. The following page will appear:
Figure 6-4 Administration Console – Server Configuration
The following options can be viewed on this page:
Option: Edit
Details/Value: Click Edit to change the Administration Console description, Trace
Configuration, Server Lock Configuration, Client Configuration, and SNC Configuration
(see section 6.1.3.1 on page 126).

Option: Description
Details/Value: The description of this Administration Console.

Option: Console login type
Details/Value: The current types of authentication available for login to the
Administration Console. For further information see section 6.1.4.2 on page

Option: External Login Jaas Module
Details/Value: The current JAAS module used for “external login” authentication to the
Administration Console. For further information see section 6.1.3.2 on page 127.

Option: The Authentication file path
Details/Value: The authentication file (*.login) used by this Server.

Option: Trust Certificates storage file
Details/Value: The TrustStore file (*.jks) used by this Server.

Option: TrustStore password
Details/Value: The password for the TrustStore file.

Option: Console Log Directory
Details/Value: The directory in which the console log file will be located.

Option: Console Log Prefix
Details/Value: The file prefix for the console log file.

Option: Enable Server trace
Details/Value: Display trace messages in the application Server console (i.e. the Tomcat
command box).

Option: Path to the Server lock file
Details/Value: The fall-back of the LockDir property in the configuration.properties
file. This property is stored in the Web.xml file.

Option: Lock the Server when the logging function encounters fatal errors
Details/Value: If set to No, the Server will not be locked if transaction logging fails.
If set to Yes, the Server will be locked if transaction logging fails.
If a full transaction log is important to you please set this option to Yes.

Option: Server name or IP to be used
Details/Value: The hostname or IP of the computer from which the console is being used
for the Client configuration (i.e. for all Client policy URLs).
NOTE: do not use localhost. If on a local machine set the IP address or DNS/hostname.

Option: CREDDIR
Details/Value: The directory in which the credentials are stored by SECUDE
signon&secure.
NOTE: This option will overwrite any existing SAP ID-based Server CREDDIR value
(automatically generated during the Authentication Server creation) with this value.

Option: NativeLibraryPath
Details/Value: The directory in which the platform-dependent native libraries are
located.
6.1.3.1 Edit the Server Configuration
This section details the editable properties of the Server Configuration page of the
Administration Console.
1. Click Edit to display the following information:
Figure 6-5 Administration Console – Edit Server Configuration
The following options can be set:
Option Details/Value
Description: Here you can personalize the description for the Administration Console.
Enable Server trace: Yes: write trace messages to the application Server trace file. For Tomcat: folder logs, files catalina*.log / localhost*.log. For NetWeaver AS Java: defaultTrace_*.log. No: do not display trace messages in the application Server console.
Lock the Server when the logging function encounters fatal errors: Yes: lock the Server if transaction logging fails. No: do not lock the Server if transaction logging fails.
Server name or IP to be used: The hostname or IP of the computer from which the console is being used. NOTE: do not use localhost. If on a local machine, set the IP address.
CREDDIR: Use this option to define the directory in which credentials will be written by SECUDE signon&secure. Enter the full path of the directory to be used, for example: C:\SSS. NOTE: This option will overwrite any existing SAP ID-based Server CREDDIR value (automatically generated during the Authentication Server creation) with this value.
NativeLibraryPath: Use this option to define the directory in which the native libraries used for verification of the SAP Ticket are located.
2. Once you have changed any options, click Save to return to the Server Configuration
page.
6.1.3.2 Change Console Login Type
This section details how to modify the way you authenticate to the Administration
Console.
1. Click the Server Configuration node in the left-hand pane of the Administration
Console.
2. Click Edit next to the Console Login Type Configuration heading to view the following
information:
Figure 6-6 Administration Console – change login type
This page allows you to configure, delete, or add the following login types:
Local Login
Standard username/password combination authenticated via the Administration
Console database.
External Login
Username/password combination authenticated via the Authentication Server
database set in the JAAS module. If you use this option you must also select the
appropriate JAAS module in the External Login Jaas Module combo-box.
NOTE: an Authentication Server must already be configured for there to be any
entries in the combo-box. For information about configuring an Authentication
Server refer to section 6.1.5.
SSL-Certificate Login
Username/password combination authenticated via a certificate imported into the
Web-browser.
Add a Login Type
1. To add a login option to the administration console login page, select a login type
from the ALL Login Type field and click >>Add (it will appear in the Current Login Type
field).
2. If necessary, use the Up and Down buttons to give a login option priority (the order of
appearance in the Login Type combo-box on the login page).
3. Click Save to confirm any changes.
Delete a Login Type
1. To delete a login option from the administration console login page, select a login
type from the Current Login Type field and click <<Delete (it will appear in the ALL
Login Type field).
2. Click Save to confirm any changes.
6.1.4 Certificate Management
This section details the Certificate Management page of the Administration console.
These features allow you to view, edit, export, import, and create certificates.
First decide whether Secure Login Server should create and manage one or more Public Key
Infrastructures, or whether an existing company PKI should be used on top. Both are possible,
and even a mixture of the two: you may have one Secure Login Server PKI under your enterprise
PKI, and two others created independently by Secure Login Server.
Because of the high flexibility of Secure Login Server, PKIs can be added, replaced, or deleted
at any time.
Follow these steps to open Certificate management:
1. If you have not already done so, click the Certificate management node from the tree
in the left-hand pane.
2. The following page will appear:
Figure 6-7 Administration Console – Certificate Management page
This page allows you to perform the following certificate tasks:
Create or import new PKIs or PKI sub trees
View certificates (see below).
Export certificates (refer to the next page).
Import certificates (refer to the next page).
Create SSL, SNC, login, and SAP certificates (refer to the page after next).
This page has the following details:
Option Details
PKI Structure: One or more tree views of independent PKIs.
Create New Root CA: Give a display name for the new PKI and create the top-level Certification Authority (Root CA).
Certificate Information: The name, file path, and password protection of the selected certificate.
Mapping to Instance: List of all Secure Login Server instances, and selection of all instances that shall use this User CA. Only available for User CAs.
More Details: More X.509 name details and the certificate validity time frame.
PKI Info: Display name of the PKI structure.
CA Operations: Select a specific Certification Authority of a PKI for further management operations.
Issue: Create a new Certification Authority of this type.
Change Password: Change the password of the selected CA.
Remove Password: Remove the saved password of the selected CA. The password must then be entered for each following management operation of this CA.
Export Certificate: Export the selected certificate. Possible export types are: *.crt, *.p12, *.pse, *.jks.
New Password: Password of the exported certificate file store.
Import New PKI: Import the keystore into the certificate list. NOTE: Only PSE files can be imported.
PKI Name: Display name of the new PKI that the certificate shall be part of. The selection list allows associating the type of CA of the certificate. Each type can be associated only once.
Browse: Opens a file browser to select the certificate store file.
Open Password: Password that protects the certificate store file.
Save Password: Allows saving the password in the configuration.
View Certificate Details
1. Click on a certificate name in the list, for example SecureLogin Root CA.
2. If the selected CA has not saved its password, enter the password for the certificate
in the field Password and click View.
3. The following information will appear:
Figure 6-8 Administration Console – Certificate Management page
Create a new PKI
Use this function to create a new internal PKI that has its own Root CA certificate.
1. Enter a display name for the new PKI, for example SECUDE.
2. Click the right-hand Create New Root CA button and continue to read at Create a
certificate.
3. A success message should appear and the new PKI will be shown in the list.
Import a new PKI
Use this function to create a new PKI that uses external CA certificates. This way it is also
possible to create a PKI without having the issuing Root CA stored inside Secure Login
Server.
1. Enter a display name for the new PKI, for example SECUDE.
2. Select the type of CA that shall be imported
3. Click Browse… to open a file browser. Locate and open the PSE file.
4. Enter the password for the PSE file in the field Open password. As an option, you can
choose to save the password in the Secure Login system file by clicking Save password? so
you do not have to re-enter the password every time.
5. Click the right-hand Import button to complete the import.
6. A success message should appear and the new PKI will be shown in the list.
Export a Certificate
1. Click on a certificate name in the list, for example SECUDE Root CA.
2. Select the format of the certificate from the Export type combo-box.
3. Enter a new certificate password into the field New password.
4. Click the right-hand Export button to open a save dialog. Save the certificate file to a
safe and secure location.
Import a Certificate
If a certificate entry in the list is grayed-out it means this certificate is not present. Use
the Import function to load a new certificate.
1. Select the certificate entry from the list.
2. Click Browse… to open a file browser. Locate and open the PSE file.
3. Enter the password for the PSE file in the field Open password. As an option, you can
choose to save the password in the Secure Login system file by clicking Save
password? so you do not have to re-enter the password every time.
4. Click the right-hand Import button to complete the import.
5. A success message should appear and the entry in the list will no longer be greyed-out.
Create a Certificate
If the certificate shall be created internally instead of importing it, use the Issue function.
1. In CA Operations, click Issue (only available if a Root, SSL, or SAP CA is selected).
2. A page such as the following will appear (parameters may differ):
Figure 6-9 Administration Console – create certificate
This page allows you to enter the following certificate information:
Option Details
Common name: The name of the certificate to be issued. Make sure you choose a name that applies to the CA at hand, for example, SECUDE SAP-CA or SECUDE SSL-CA. However, this property differs when creating SSL Server certificates. In this case you must enter the hostname by which the Server is accessed, for example, user1.secude.local or www.myprivatehost.com.
Organization unit: The division of the company. Example: Sales
Organization: The company name. Example: SECUDE
Locality: The regional information. Example: Darmstadt
Country: The country abbreviation. Example: DE (for Germany)
Encryption key length: The encryption key length for the Server (1024 bit or 512 bit).
SAP Server Type (only available when creating an SAP Server certificate): The type of keystore file (PSE file for ABAP Server, P12 file for Java Server).
Subject Alter Names (DNS) (only available when creating an SSL Server certificate): The host name or IP to be used for the 'Subject Alternative Name' in the certificate.
Subject Alter Names (E_mail) (only available when creating a login certificate): The E-mail address to be used for the 'Subject Alternative Name' in the certificate.
Valid from: The date from which this certificate authority information is valid (YYYY-MM-DD hh:mm:ss). Use the calendar box to select a day. Example: 2010-04-25 17:09:31. NOTE: The validity time frame of a new certificate must be inside the time frame of the issuing CA.
Valid to: The date to which this certificate authority information is valid (YYYY-MM-DD hh:mm:ss). Use the calendar box to select a day. Example: 2020-04-17 16:19:00. NOTE: The validity time frame of a new certificate must be inside the time frame of the issuing CA.
Password: The password to be used for encryption (maximum of 20 characters).
Confirm password: Confirmation of the encryption password entered in the field Password.
Save password to file?: Define whether the encryption password stated in the field Password should be saved in the keystore.xml file.
Issuer password: The issuing CA's password (only shown if this CA has not saved its password).
3. Enter the relevant details and click Create (or for SAP certificates: Create SAP Server
certificate).
For further information about how to configure Tomcat for login certificates refer to section
3.3.3.1 and 3.3.3.2 on page 37.
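The following Python sketch is an added example (not SECUDE code) that checks a create-certificate form against the rules stated in the option table above: timestamp format, the validity window lying inside the issuing CA's window, the 20-character password limit with confirmation, and a host-name Common name for SSL Server certificates. The host-name check and the added key-length caveat are assumptions of this example.

```python
"""Added example, not part of the SECUDE Secure Login code base.

Checks a 'create certificate' form against the rules the option table above
states: Valid from / Valid to use YYYY-MM-DD hh:mm:ss, the validity window
must lie inside the issuing CA's window, the password is at most 20 characters
and must match its confirmation, and for an SSL Server certificate the Common
name must be the host name by which the Server is accessed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"   # YYYY-MM-DD hh:mm:ss
MAX_PASSWORD_LENGTH = 20
KEY_LENGTHS_OFFERED = (512, 1024)        # the two choices the manual lists


@dataclass
class CertificateRequest:
    common_name: str
    valid_from: str
    valid_to: str
    password: str
    confirm_password: str
    key_length: int
    ssl_server: bool = False             # True when issuing an SSL Server certificate
    san_dns: Optional[str] = None        # Subject Alter Names (DNS), SSL Server only


def parse_timestamp(text: str) -> datetime:
    """Parse the calendar-box format; raises ValueError on any other form."""
    return datetime.strptime(text, TIMESTAMP_FORMAT)


def looks_like_hostname(name: str) -> bool:
    """Loose host name / IP check (assumption of this example): dot-separated
    labels of letters, digits and hyphens, no empty labels, no spaces."""
    for label in name.split("."):
        if not label or label.startswith("-") or label.endswith("-"):
            return False
        if not all(ch.isalnum() or ch == "-" for ch in label):
            return False
    return True


def validate_request(req: CertificateRequest,
                     ca_valid_from: str, ca_valid_to: str) -> List[str]:
    """Return a list of problems; an empty list means the form can be submitted."""
    problems: List[str] = []
    try:
        not_before = parse_timestamp(req.valid_from)
        not_after = parse_timestamp(req.valid_to)
        ca_not_before = parse_timestamp(ca_valid_from)
        ca_not_after = parse_timestamp(ca_valid_to)
    except ValueError as exc:
        return [f"timestamp not in YYYY-MM-DD hh:mm:ss form: {exc}"]
    if not_before >= not_after:
        problems.append("Valid from must be earlier than Valid to")
    # The manual's rule: the new certificate's window must be inside the CA's.
    if not_before < ca_not_before or not_after > ca_not_after:
        problems.append("validity time frame must be inside the issuing CA's time frame")
    if len(req.password) > MAX_PASSWORD_LENGTH:
        problems.append(f"password longer than {MAX_PASSWORD_LENGTH} characters")
    if req.password != req.confirm_password:
        problems.append("Password and Confirm password differ")
    if req.key_length not in KEY_LENGTHS_OFFERED:
        problems.append(f"key length {req.key_length} is not one of {KEY_LENGTHS_OFFERED}")
    if req.ssl_server:
        # For SSL Server certificates the Common name is the host name clients connect to.
        if not looks_like_hostname(req.common_name):
            problems.append("SSL Server Common name must be the Server's host name")
        if req.san_dns is not None and not looks_like_hostname(req.san_dns):
            problems.append("Subject Alter Names (DNS) must be a host name or IP")
    return problems


def key_length_warning(key_length: int) -> Optional[str]:
    """Added caveat, not a rule from the manual: RSA keys shorter than 2048 bit
    are considered too weak by current standards, so both offered sizes are flagged."""
    if key_length < 2048:
        return f"{key_length}-bit key is below the 2048-bit minimum recommended today"
    return None


if __name__ == "__main__":
    # Constructed values; the CA window reuses the manual's example timestamps.
    ca_from, ca_to = "2010-04-25 17:09:31", "2020-04-17 16:19:00"
    req = CertificateRequest("www.myprivatehost.com", "2011-01-01 00:00:00",
                             "2015-01-01 00:00:00", "pw", "pw", 1024, ssl_server=True)
    print(validate_request(req, ca_from, ca_to))
    print(key_length_warning(req.key_length))
```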
6.1.5 Authentication Management
This section details the Authentication Management page of the Administration Console.
Use this page to add, configure, test, and delete Authentication Servers from the
configuration.
The following section applies only to Apache Tomcat and BEA WebLogic. The Authentication
Server configuration for NetWeaver should be performed in SAP Visual Administrator.
However, should you wish to test the Authentication Server connection you can create a
dummy JAAS module using the same module name as created in SAP Visual Administrator
(via the attribute Application Name).
1. Click the Authentication Management node in the left-hand pane of the Administration
Console.
2. The following page will appear:
Figure 6-10 Authentication Server Manager
This page allows you to:
Add new Authentication Servers
View and edit any current Server settings
Delete any Server from the Server list (select a Server entry and click Delete)
Change the order in which Servers are queried
Quick-test the username and password used for Authentication Server access
Select an application under Application Name (i.e. the SLSJaasModule application) to
display the Authentication Servers in the application under Servers in
SLSJaasModule. For further information refer to the following pages.
View Authentication Server Details
1. To view the settings for any Server in the list click on one of the Server entries below
the Servers in SLSJaasModule heading and click Display.
NOTE: These values are required for configuring Secure Login Server modules inside
SAP NetWeaver.
2. The following information will appear:
Figure 6-11 Authentication Server Manager – Display Server settings
Here you can Edit the Server settings (see below), or Delete the Server entry
completely from the Secure Login configuration.
Add/Edit an Authentication Server
Follow these steps to add an Authentication Server or edit the settings of a current
Authentication Server entry:
1. If you have not already done so, click the Authentication Management node from the
tree in the left-hand pane.
2. To add a new Server to the configuration click Add Server. The following information
will appear:
Figure 6-12 Authentication Server Manager – add new Server
...or, if you want to edit the settings of a current Authentication Server, click Edit.
The following information will appear:
Figure 6-13 Authentication Server Manager – edit Server
3. Enter/edit the Server details (for a detailed list of the Server parameters that can be
set in this page refer to the next page). If you want to check the validity of the Server
connection click Test. Once you have finished click Save.
4. Your Server should now appear in the Server list on the Authentication Management
page.
When editing Authentication Server parameters, some entries are grayed-out and cannot be
changed. This is normal. The only way to change such an entry is to add a new Server and
re-enter the correct Server details.
Authentication Server Parameters
Not all of the parameters in this list are immediately visible in the Administration Console
interface. Some options will appear/disappear in the table according to the selection
made via the option Server Type.
The following few pages detail the Authentication Server parameters according to common
parameters, and Server Type-specific parameters (those marked with * are mandatory):
Common Parameters
Options (common) Details
Server Type: Server type selection (AD, LDAP, RADIUS, SAP ID, SAP Logon Ticket, or SQL Database).
LoginModuleControlFlag: The flag controls the Server's behavior when it proceeds down the authentication stack. For a detailed explanation, refer to the documentation of javax.security.auth.login.Configuration on the Sun Website. NOTE: this option cannot be changed.
Application Name*: An “application name” is the identifier of the group of authentication modules associated with one instance of the SECUDE Secure Login Server (SLS). There can be only one instance of a particular authentication module residing in a JVM. However, there may be multiple SLS instances running on the JVM. Therefore, the group of authentication modules used by an instance of SLS is assigned a unique application name for identification. Different SLS instances running on the same Server must have different application names. The default name is: SLSJaasModule
TestUserName: Test user username. Use this option to set up a user to test the Server parameters.
TestUserPwd: Test user password. Use this option to set up a user to test the Server parameters.
TryAllServers: Determines when to try the next LDAP/ADS Server in the list. Possible values: FALSE (default): Try the next Server only if this Server cannot be reached. TRUE: Try the next Server if this Server cannot be reached, or access is denied.
LDAP/AD-specific Parameters
Options (LDAP/AD) Details
LdapHost*: The address of the LDAP Server. This option is for the configuration of the LDAP Server (including the Windows Active Directory Server). For example: ldap://my.host.com:389 (if SSL is used for the communication, the protocol should be changed to ldaps:// and the port number should be changed to 636). NOTE: A TrustStore must exist for SSL to be configured properly.
LdapBaseDN (LDAP only): The domain name of the LDAP Server, for example: my.domain.com (NOTE: The LdapBaseDN parameters are not needed for Active Directory Servers – leave empty). This specifies the base domain name that will be combined with the user name before sending it to the Active Directory Server. Example 1 (domain part of UPN): If set to my.domain.com, the user test is authenticated as test@my.domain.com with the respective Server. Example 2 (complete DN): If set to cn=$USERID,ou=Users,dc=domain,dc=com, the user test is authenticated as cn=test,ou=Users,dc=domain,dc=com to the respective Server.
Click Get baseDN list to browse the LDAP directory for the correct Base Distinguished Name. The following pop-up window will appear:
Figure 6-14 add Authentication Server – get baseDN
The following options are available (options marked with a red * are mandatory):
Host name*: The host name of the LDAP Server.
Port*: The port of the LDAP Server.
Username*: The username used to communicate with the LDAP Server.
SSL: Check this option to use the SSL protocol when communicating with the LDAP Server. If you use SSL in the communication, the protocol should be ldaps:// and a valid certificate is required.
Anonymous bind: Check this option to query the LDAP Server without a specific username (managerDN) and password (provided that the LDAP Server is so configured).
managerDN (manager distinguished name): Specific username.
password: The password used to communicate with the LDAP Server.
Base DN (Base Distinguished Name): Click Get baseDN list to query the LDAP Server for a list of base distinguished names to be displayed in the combo-box.
Get baseDN list: After you have entered the above parameters, click Get baseDN list to obtain the base DNs from the LDAP Server.
LdapTimeout(ms): Determines how long a Client should wait for a response from an LDAP/ADS Server before trying to connect to the next one.
LdapProviderLanguage: Character set for the encoding of the characters when the Server communicates with the LDAP/ADS Server. For example: in the case of ADS, a possible character set is ISO-8859-1.
PasswordExpirationAttribute: Password expiry date (from the LDAP Server). NOTE: If this option is used, the LdapBaseDN attribute must be given in complete DN form (see above).
PasswordExpirationGracePeriod: Defines the interval in days, inside which the password expiration warning is sent to the Client prior to password expiry.
AuthServerID: The warning message to be sent to the Client in the event of password expiry.
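As an added illustration (not SECUDE code), the following Python sketch shows how the two LdapBaseDN forms above map a user name to the name presented to the directory, and how the TryAllServers flag from the common parameters decides whether the next LDAP/ADS Server in the list is tried. The escaping of DN special characters, the requirement check for PasswordExpirationAttribute, and the simulated server outcomes are assumptions of this example.

```python
"""Added example, not part of the SECUDE Secure Login code base.

Models two behaviours described in the manual:
  * LdapBaseDN: either the domain part of a UPN ("my.domain.com") or a complete
    DN template containing $USERID ("cn=$USERID,ou=Users,dc=domain,dc=com").
  * TryAllServers: whether the next LDAP/ADS Server in the list is tried only
    when this one is unreachable (FALSE) or also when it denies access (TRUE).
"""
from typing import Callable, Dict, List, Tuple

USER_PLACEHOLDER = "$USERID"
# RFC 4514 characters that would change DN structure if left unescaped.
# Escaping them is a hardening assumption of this example, not a manual statement.
DN_SPECIAL = set(',+"\\<>;=')


def _escape_dn_value(value: str) -> str:
    """Backslash-escape characters that have structural meaning inside a DN."""
    return "".join("\\" + c if c in DN_SPECIAL else c for c in value)


def resolve_bind_name(ldap_base_dn: str, user: str) -> str:
    """Return the name presented to the directory for `user`.

    Empty LdapBaseDN (Active Directory, per the manual): user name sent as-is.
    Template form (contains $USERID): placeholder replaced by the escaped user name.
    Domain form: user name becomes a UPN, user@domain.
    """
    base = ldap_base_dn.strip()
    if not base:
        return user
    if USER_PLACEHOLDER in base:
        return base.replace(USER_PLACEHOLDER, _escape_dn_value(user))
    return f"{user}@{base}"


def base_dn_is_complete_dn(ldap_base_dn: str) -> bool:
    """PasswordExpirationAttribute requires LdapBaseDN in complete DN form."""
    return USER_PLACEHOLDER in ldap_base_dn and "=" in ldap_base_dn


# Outcome of one authentication attempt against one server.
OK, DENIED, UNREACHABLE = "ok", "denied", "unreachable"


def authenticate_with_failover(
    servers: List[str],
    try_all_servers: bool,
    attempt: Callable[[str], str],
) -> Tuple[str, List[str]]:
    """Walk the server list in priority order; return (outcome, servers_tried).

    TryAllServers FALSE: move on only when a server cannot be reached; a denial
    is final.  TryAllServers TRUE: move on after a denial as well.
    """
    tried: List[str] = []
    outcome = UNREACHABLE
    for server in servers:
        tried.append(server)
        outcome = attempt(server)
        if outcome == OK:
            break
        if outcome == DENIED and not try_all_servers:
            break
    return outcome, tried


def _simulated_directory(answers: Dict[str, str]) -> Callable[[str], str]:
    """Build an attempt() function from a constructed server -> outcome map."""
    return lambda server: answers[server]


if __name__ == "__main__":
    print(resolve_bind_name("my.domain.com", "test"))
    print(resolve_bind_name("cn=$USERID,ou=Users,dc=domain,dc=com", "test"))
    sim = _simulated_directory({"ldap://a:389": DENIED, "ldap://b:389": OK})
    print(authenticate_with_failover(["ldap://a:389", "ldap://b:389"], False, sim))
    print(authenticate_with_failover(["ldap://a:389", "ldap://b:389"], True, sim))
```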
RADIUS-specific Parameters
Options (RADIUS) Details
RadiusServerIP*: The IP address of the RADIUS Server.
AuthPort*: The authentication port at which the RSA/RADIUS Server expects to be queried for authentication requests.
SharedSecret*: A word/phrase used to encrypt the user password.
Timeout(ms): Determines how long a request to a Server is to wait before being sent to the next Server.
Authenticator: Authentication protocol for the RSA/RADIUS Server. Possible options: CHAP, MSCHAP, PAP.
PinMin: Minimum PIN length for users choosing a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 4
PinMax: Maximum PIN length for users choosing a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 8
PinAlphanumeric: PIN format. This parameter is only used with RSA SecurID tokens. Possible values: true: the user can choose, and use, a PIN which contains only alphanumeric characters (A-Z, a-z, 0-9). false (default): the user can choose, and use, a PIN which contains alphanumeric and special characters (such as !$%&). The default password policy for RSA allows only numeric PINs, which cannot be set up via the Secure Login Server/Client policy properties.
RSAServerIniFile: If the RSA Server version is 6.1, a copy of the RSA Server RADIUS message *.ini file (securid.ini) has to be present. Make sure you enter the full path and file name, for example: <Tomcat home>\Webapps\securelogin\WEB-INF\securid.ini
Add new attributes (button): Use this option to enter any RADIUS attribute present in the Client's dictionary and which the Server expects to be included in the request. For further information refer to section 9.2.4.2 on page 257.
SAP ID-specific Parameters
Options (SAPID) Details
SAP Server: IP or URL of the SAP Server.
Client (System ID): SAP System ID.
SystemNo: SAP System Number.
SAPaccount: The SAP user account name for the SECUDE Secure Login Server.
SNCServerName: The DN of the SAP Server, as stated in the Server certificate (the subject DN of the X.509 certificate). For example: p:CN=SAP NetWeaver 2004, O=secude, C=DE
NativeLibraryPath: The folder of the native libraries and the SECUDE signon&secure package.
CREDDIR: The credentials directory on the Server. The field is grayed-out because it is automatically allocated by the system. However, the credentials directory can be changed via the Server Configuration node (see section 6.1.4.1 on page 126).
PasswordMin: This parameter is part of the password policy for the Client-side policy consistency check, specifically the minimum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 1
PasswordMax: This parameter is part of the password policy for the Client-side policy consistency check, specifically the maximum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 30
PasswordAlphanumeric: This parameter is part of the password policy for the Client-side policy consistency check. Possible values: true (default): the password can contain only alphanumeric characters (A-Z, a-z, 0-9). false: the password can contain alphanumeric and special characters (such as !$%&). This parameter must be consistent with the SAP password policy.
SAP Logon Ticket-specific Parameters
Options (SAP TICKET) Details
VerificationName: Name of the SAP Verification PSE that has been exported from the SAP NetWeaver Portal.
VerificationPassword: Password of the SAP Verification PSE. PSEs usually have no password if exported from the portal. However, enter any value here in this case, e.g. empty.
SQL DB-specific Parameters
Options (SQL DB) Details
DBDriver: Java Database Connection driver for the respective database system.
DBURI: Host, port, and name of the database to be used.
DBAuthUsername: Database system user name to be used to send search queries in the configured table.
DBAuthPassword: Database system user's password.
SetDBScheme: Select whether to use predefined names of table and columns or custom values. If predefined values are used, the JAAS module uses Java precompiled statements for the SQL connection and queries, which may increase performance. false (default): use predefined values as described in the following fields. true: use custom values; more configuration fields are shown then.
DBTable: Database table name to be used. Only available if SetDBScheme is true.
DBColumnUsername: Database column name in which usernames are stored. Only available if SetDBScheme is true.
DBColumnPassword: Database column name in which passwords are stored. Only available if SetDBScheme is true.
DBColumnClientID: Database column name in which Client IDs are stored. Only available if SetDBScheme is true.
PoolName: Name of the connection pool to be used. This can be any unique string identifier, for example: MYSECURELOGINPOOL
MaxConn: Maximum number of connections to the database that shall be used in parallel.
GrantAccessToUnknownIDs: Turn Positive False Authentication on or off. false (default): only exact matches of the given credentials return positive results. true: combinations of usernames and Client IDs that are not found in one row also return a positive result; the password is ignored then.
TestUserName: Test user username. Use this option to set up a user to test the Server parameters.
TestUserPwd: Test user password. Use this option to set up a user to test the Server parameters.
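The following Python sketch is an added example (not SECUDE code) of the SQL DB lookup described above, run against an in-memory SQLite table: it keeps username and Client ID as bind parameters, validates configured table and column names for the custom scheme, and shows the effect of GrantAccessToUnknownIDs. The table and column names, the sample user, and the identifier check are assumptions of this example.

```python
"""Added example, not part of the SECUDE Secure Login code base.

Models the SQL DB module lookup described above with an in-memory SQLite table
and shows what GrantAccessToUnknownIDs does: with the default (false) only an
exact match of username, Client ID and password is positive; with true, a
username/Client ID combination found in no row is positive and the password is
ignored. The table and column names are constructed stand-ins for the
predefined scheme, whose real names the manual page does not give.
"""
import hmac
import re
import sqlite3
from typing import Optional

# Constructed stand-ins for the predefined scheme (SetDBScheme false).
DB_TABLE = "sls_users"
DB_COLUMN_USERNAME = "username"
DB_COLUMN_PASSWORD = "password"
DB_COLUMN_CLIENT_ID = "client_id"

# Table/column names come from configuration when SetDBScheme is true.  They
# cannot be bound as statement parameters, so they are checked against a strict
# identifier pattern before being spliced into statement text.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_select(table: str, col_username: str, col_password: str,
                 col_client_id: str) -> str:
    """Return the lookup statement; username and Client ID stay bind parameters."""
    for ident in (table, col_username, col_password, col_client_id):
        if not IDENTIFIER.match(ident):
            raise ValueError(f"invalid SQL identifier in configuration: {ident!r}")
    return (f"SELECT {col_password} FROM {table} "
            f"WHERE {col_username} = ? AND {col_client_id} = ?")


# Fixed statement text, the analogue of the Java precompiled statement the
# module uses for the predefined scheme.
DEFAULT_SELECT = build_select(DB_TABLE, DB_COLUMN_USERNAME,
                              DB_COLUMN_PASSWORD, DB_COLUMN_CLIENT_ID)


def authenticate(conn: sqlite3.Connection, username: str, password: str,
                 client_id: str, grant_access_to_unknown_ids: bool = False,
                 select_sql: Optional[str] = None) -> bool:
    """Apply the module's decision rule to one (username, password, Client ID)."""
    row = conn.execute(select_sql or DEFAULT_SELECT, (username, client_id)).fetchone()
    if row is None:
        # No row holds this username/Client ID combination.  With
        # GrantAccessToUnknownIDs true this is accepted without any password check.
        return bool(grant_access_to_unknown_ids)
    # The manual does not say how the password column is stored; this example
    # compares the stored value as-is, in constant time.
    return hmac.compare_digest(str(row[0]).encode(), password.encode())


def demo_connection() -> sqlite3.Connection:
    """Constructed sample database with a single known user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {DB_TABLE} ({DB_COLUMN_USERNAME} TEXT NOT NULL, "
                 f"{DB_COLUMN_PASSWORD} TEXT NOT NULL, {DB_COLUMN_CLIENT_ID} TEXT NOT NULL, "
                 f"PRIMARY KEY ({DB_COLUMN_USERNAME}, {DB_COLUMN_CLIENT_ID}))")
    conn.execute(f"INSERT INTO {DB_TABLE} VALUES (?, ?, ?)", ("alice", "s3cret", "client-1"))
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    for grant in (False, True):
        print("GrantAccessToUnknownIDs =", grant)
        print("  known user, right password:", authenticate(conn, "alice", "s3cret", "client-1", grant))
        print("  known user, wrong password:", authenticate(conn, "alice", "nope", "client-1", grant))
        print("  unknown user              :", authenticate(conn, "bob", "nope", "client-1", grant))
```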
Change the Order in which Servers are Queried
1. If you have not already done so, click the Authentication Management node from the
tree in the left-hand pane.
2. Click the Server entry you wish to move below the Servers in SLSJaasModule
heading.
Figure 6-15 Authentication Server Manager – change Server query order
3. To move the Server entry up in the list (and therefore increase its priority) click Up. To
move a Server entry down in the list (and therefore decrease its priority) click Down.
4. Click Save.
Quick Test the Communication to the Authentication Server
1. If you have not already done so, click the Authentication Management node from the
tree in the left-hand pane.
2. Enter the username and password in the respective fields:
Figure 6-16 Authentication Server Manager – test Server
3. Click Test.
4. A result (success/failure) will be displayed at the bottom of the page.
6.1.6 TrustStore Management
This section details how to add certificates to the TrustStore via the Administration
Console.
Open the TrustStore Management Page
1. Click the TrustStore Management node in the left-hand pane of the Administration
Console.
2. The following page will appear:
Figure 6-17 Administration Console – TrustStore Management page
The TrustStore is used to declare a certificate as coming from a trusted source and
can be used with SECUDE Secure Login. You can use this page to view the TrustStore
file content, export a certificate, delete a certificate, and add new certificates.
This page will display the current state of the TrustStore, including the message 'No
certificate currently in this TrustStore' to indicate that a certificate must still be added
to the TrustStore.
The following options are available (options marked with * are mandatory):
Option Details
Certificate alias*: The alias by which this certificate will be imported into the Server's TrustStore.
Certificate location: The certificate location. Select one of the following locations (this will cause the third option to change accordingly): Localhost*: The path to a certificate in the local file system. PublicURL*: The LDAP CA available via a public URL.
Add to TrustStore: Add the certificate information to the TrustStore.
Delete: Use this button to remove the selected certificate from the TrustStore (only visible if a certificate has been added to the TrustStore).
Export: Use this button to export the selected certificate from the TrustStore (only visible if a certificate has been added to the TrustStore).
Add a Certificate to the TrustStore
Follow these steps to add a certificate to the TrustStore:
1. Enter an alias for the certificate into the Certificate alias field.
2. Select the location on which the certificate is stored from the Certificate Location
combo-box. The field below will change according to your selection (Localhost or
PublicURL).
3. If you selected PublicURL in the previous step then enter the location manually into
the field. If you selected LocalHost in the previous step then click Browse… to locate
and open the certificate file.
4. Click Add to TrustStore. This will update the page to display the certificate information
under the Certificate Alias heading (if you have more than one certificate, select
a Certificate alias to display the certificate content).
You now have the option to add another certificate, delete any certificate selected in
the Certificate alias field, or export any selected certificate as a *.cer file.
6.1.7 Certificate Template
This section details the Certificate Template page of the Administration Console. Use the
functionality on this page to perform any certificate template-related task.
Open the Certificate Template Page
1. Click the Certificate Template node in the left-hand pane of the Administration
Console.
2. The following page will appear:
Figure 6-18 Administration Console - Certificate template management
Existing certificate templates will automatically appear in the table. The following
options are available to help you perform certificate template-related tasks:
Option Details
Template name: Templates created by the user, and available for use, are listed here.
Add: Add a new certificate template. This will take you to the template creation page (see section 6.1.7.1 'Create a New Certificate Template' on page 144).
Copy: Duplicate the selected template. This will take you to the template creation page (see section 6.1.7.1 'Create a New Certificate Template' on page 144).
Edit: Edit a selected template. This will take you to the template creation page (see section 6.1.7.1 'Create a New Certificate Template' on page 144).
Delete: Delete a template selected in the list.
Mapping: Map any template to another. For further information see section 6.1.7.2 'Template Mapping' on page 146.
Export: Export the template(s) as an XML file. If you select more than one template to export, all of the templates will be incorporated into a single XML file. For further information see section 6.1.7.3 'Export Certificate Templates' on page 147.
Import: Import templates found on the local machine/network to the list. For further information see section 6.1.7.4 'Import Certificate Templates' on page 148.
6.1.7.1 Create a New Certificate Template
This section details how to create a new certificate template.
Open the Certificate Template Page
1. If you have not already done so, click the Certificate Template node in the left-hand
pane of the Administration Console.
2. Click Add. The following information will appear:
Figure 6-19 Certificate template management – create new certificate template
This page is used to select the properties a certificate template should use.
The following properties are available (options marked with * are mandatory):
Template name*: The unique template identifier.
SubjectKeyIdentifier: Use this option as a means of identifying the specific public key used in an application.
AuthorityKeyIdentifier: Use this option as a means of identifying the public key corresponding to the private key that is used to sign a certificate.
CertificatePolicies: This option indicates the policy under which the certificate has been issued and the purposes for which the certificate may be used. Checking this option will open a mandatory field for the policy ID (enter the ID and click Add under the CertificatePolicies.OID field).
KeyUsage: This option defines the purpose of the key contained in the certificate, for example, encipherment, signature, or certificate signing.
ExtendedKeyUsage: This option defines the extended purpose of the key contained in the certificate. Check Is Critical? to mark the extension as critical, so that the extended key usage parameter must be understood and honoured by the relying application for communication to be successful.
BasicConstraints: This option defines whether the subject of the certificate is a certificate authority and how deep a certification path may exist through that certificate authority. Click this option to open the following sub-options:
  Is critical?: Click Is Critical? to mark the extension as critical, so that the basic constraints parameter must be understood and honoured by the relying application for communication to be successful.
  Is CA?: Click Is CA? to define if the subject of the certificate is a certificate authority. When clicked, the path length field opens; enter for how many levels the constraints are valid.
Private Extensions: Add a user-specific extension to the template. Click Add to open the Create Private extension input page:
Figure 6-20 Certificate template creation – add private extensions
This page has the following options:
  Extension name*: The unique name for this extension.
  Base64/DER encoded data*: The content of the private extension in base64/DER encoding.
  Add: Add the information from the fields above to the certificate template (this will also take you back to the Create Certificate Template page).
  Reset: Clear the fields of any entries.
3. Select options that you wish to use in the template and click Save.
4. The certificate template page will reappear (see section 6.1.7 on page 143).
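The BasicConstraints and KeyUsage template options above correspond to X.509 extensions whose DER form is fixed by RFC 5280, which is what a relying party actually evaluates. The following is an added example (not SECUDE code) that encodes the template choices (Is critical?, Is CA?, path length, the key usage bits) with the Python standard library and decodes them back, so that a certificate issued from a template can be checked against what the template was meant to produce; the OIDs and bit names are the standard ones, the function names are this example's own, and the general-purpose DER length and OID routines go beyond the two extensions the page discusses.

```python
"""DER encode/decode of the X.509 extensions a Secure Login certificate template
switches on: BasicConstraints (Is critical?, Is CA?, path length) and KeyUsage.
Added example, standard library only; not SECUDE code."""

OID_KEY_USAGE = "2.5.29.15"            # RFC 5280 id-ce-keyUsage
OID_BASIC_CONSTRAINTS = "2.5.29.19"    # RFC 5280 id-ce-basicConstraints
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]   # named bits 0..8

def _der_len(n):
    """Length octets: short form below 128, long form (0x80 | count) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:          # base-128, continuation bit on all but the last octet
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_basic_constraints(is_ca, path_len=None):
    """SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }.
    DER omits the DEFAULT value; a path length only makes sense when cA is TRUE."""
    body = _tlv(0x01, b"\xff") if is_ca else b""
    if is_ca and path_len is not None:
        # (bit_length + 8) // 8 bytes keeps a leading zero when the top bit is set
        body += _tlv(0x02, path_len.to_bytes((path_len.bit_length() + 8) // 8, "big"))
    return _tlv(0x30, body)

def encode_key_usage(usages):
    """BIT STRING: bit 0 is the MSB of the first octet, and DER drops trailing zero
    bits of a named bit list, which is what the leading unused-bits octet records."""
    positions = {KEY_USAGE_BITS.index(u) for u in usages}   # ValueError if unknown
    if not positions:
        return _tlv(0x03, b"\x00")
    n_bits = max(positions) + 1
    n_bytes = (n_bits + 7) // 8
    value = sum(1 << (n_bytes * 8 - 1 - i) for i in positions)
    return _tlv(0x03, bytes([n_bytes * 8 - n_bits]) + value.to_bytes(n_bytes, "big"))

def encode_extension(oid, critical, value_der):
    """SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING };
    the template's Is critical? box becomes the BOOLEAN."""
    flag = _tlv(0x01, b"\xff") if critical else b""
    return _tlv(0x30, _encode_oid(oid) + flag + _tlv(0x04, value_der))

def _read_tlv(buf, pos=0):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_extension(der):
    """Parse one Extension and interpret BasicConstraints and KeyUsage values."""
    tag, seq, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_bytes, pos = _read_tlv(seq)
    ext = {"oid": _decode_oid(oid_bytes), "critical": False}
    tag, content, pos = _read_tlv(seq, pos)
    if tag == 0x01:                       # the optional critical flag is present
        ext["critical"] = content == b"\xff"
        tag, content, pos = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    if ext["oid"] == OID_BASIC_CONSTRAINTS:
        ext.update(is_ca=False, path_len=None)
        _, body, _ = _read_tlv(content)
        p = 0
        while p < len(body):
            t, c, p = _read_tlv(body, p)
            if t == 0x01:
                ext["is_ca"] = c == b"\xff"
            elif t == 0x02:
                ext["path_len"] = int.from_bytes(c, "big")
    elif ext["oid"] == OID_KEY_USAGE:
        _, bits, _ = _read_tlv(content)
        n_bits = (len(bits) - 1) * 8 - bits[0]
        ext["usages"] = [KEY_USAGE_BITS[i] for i in range(min(n_bits, 9))
                         if bits[1 + i // 8] >> (7 - i % 8) & 1]
    return ext
```

For a template with Is critical? and Is CA? checked and path length 0, encode_extension(OID_BASIC_CONSTRAINTS, True, encode_basic_constraints(True, 0)) yields the 20-byte value 30120603551d130101ff040830060101ff020100, and decode_extension turns it back into {"oid": "2.5.29.19", "critical": True, "is_ca": True, "path_len": 0}.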
6.1.7.2 Template Mapping
This section details how to map certificate templates on a Server instance.
1. If you have not already done so, click the Certificate Template node in the left-hand
pane of the Administration Console.
2. Select the template you wish to map.
3. Click Mapping. The following information appears:
Figure 6-21 Certificate template management – template mapping #1
Select the radio button of the template that you wish to map to another template.
4. Click Mapping.
5. The following information appears:
Figure 6-22 Certificate template management – template mapping #2
The options on this page allow you to map templates and also delete a template
mapping. The following options are available:
Server Instance (non-editable): The name of the current Server instance.
SAP Server certificate template: The templates available for mapping to SAP certificates.
User certificate template: The templates available for mapping to user certificates.
6. Select a certificate from the User certificate template combo-box (if a user certificate
has not yet been created then there will not be any certificates listed in the combo-
box).
7. Select a certificate from the SAP Server certificate template combo-box.
8. Click Save.
Disable a Certificate Template Mapping
Follow these steps to disable an existing certificate mapping:
1. Select the (Default) entry from the SAP Server certificate template and User
certificate template combo-boxes:
Figure 6-23 Certificate template management – disable template mapping
2. Click Save.
6.1.7.3 Export Certificate Templates
This section details how to export certificate templates as an XML file.
1. Click the Certificate template node in the Administration Console.
2. The Certificate template management page will appear.
3. Click Export to open further options:
Figure 6-24 Certificate template management – export template
The following options are available:
[Combo-box]: Select which template(s) to export. Selected template: for single template export (the correct template must be pre-selected from the list above). All templates: export every template in the list.
Export: Execute the export procedure.
Cancel: Close these options.
4. If you want to export a specific template, preselect it from the list, select Selected
template from the combo-box, and click the bottommost Export button. If you want to
export all the templates, select All templates from the combo-box and click the
bottommost Export button.
Only a single XML file will be exported. If you selected All templates from the combo-box the
certificate templates will be incorporated into this single XML file.
6.1.7.4 Import Certificate Templates
This section details how to import certificate templates into the Certificate template
management page.
1. Click the Certificate template node in the Administration Console.
2. The Certificate template management page will appear.
3. Click Import to open further options:
Figure 6-25 Certificate template management – import template
The following options are available:
Browse…: Open a file browser to locate a certificate template XML file.
Import: Execute the import procedure.
Cancel: Close these options.
4. Click Browse… to open a file browser. Locate a certificate template XML file and
open it.
5. Click the bottommost Import button.
6. A success/error message will appear on the page.
6.1.8 System Check
This section details the System Check page of the Administration Console. This feature
will display the status of the system configuration (i.e. are the components necessary for
Secure Login functionality actually present?). This is similar to the initial page
(prerequisite check) when first configuring Secure Login.
1. Click the System Check node in the Administration Console.
2. The following page will appear:
Figure 6-26 Administration Console - System Check
This page displays the current status of the Secure Login system configuration for
Authentication, System components, SAP ID, Server list, and TrustStore. The status,
or version number, will be displayed next to an entry. For information about problems
with system components refer to chapter 7 „Troubleshooting‟, on page 211.
The following system components are listed on this page:
Authentication: Is authentication configured correctly? OK = yes.
Other System Check:
  Files and folders: Does the file system have read/write permissions?
  SECUDE SDK: Check for the location of the SECUDE SDK.
  IAIK SDK: Check for the location of the IAIK SDK and display its version number.
  PKCS#12 file creation: Check if a *.p12 certificate can be created.
  PSE file creation: Check if the PSE certificate can be created.
  JRE Crypto Policy: Check if a long password can be used to create a certificate. If the check fails, you may need to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from http://java.sun.com/javase/downloads/ and replace the local_policy.jar and US_export_policy.jar files in the directory %JAVA_HOME%/jre/lib/security.
SAP ID Check:
  SECUDE SNC runtime: Check for SECUDE Signon&Secure on the Server.
  SAP JCO runtime: Check that the JCO can be found in the configuration. Sometimes this check does not show the real status of the system, especially if SECUDE Signon&Secure and JCO are installed after a system check is performed. The user may need to restart the Web Server to receive a successful system check result.
Server List: Does the Server List configuration have the correct integrity?
TrustStore: Does the TrustStore configuration have the correct integrity?
6.1.9 Backup/Restore
Introduction
This section details the Backup/Restore page of the Administration Console. Use this
page to backup your Secure Login system configuration for safekeeping, or restore the
Secure Login system configuration from a backup file.
Sections
Backup (see below).
Restore (see section 6.1.9.2 „System Restore‟, on page 152).
6.1.9.1 System Backup
This page allows you to make a backup of the current configuration and PKI information
and also to restore the configuration from a previous backup. The system backup page
will appear by default.
Follow these steps to create a backup of the configuration:
1. If you have not already done so, click the Backup/Restore node from the tree in the
left-hand pane (or if you are on the Restore page click Backup at the top of the page):
Figure 6-27 Administration Console - system backup
2. Click Go.
3. The following pop-up window appears:
Figure 6-28 System backup – file download
4. Click the backup.zip link at the bottom of the page and save the file to a safe,
secure location.
6.1.9.2 System Restore
The Administration Console presents you with two methods to restore the system:
From a backup file (see below).
Directly from the automatic backups made by the Server (refer to the page after next).
The configuration can only be restored from a backup ZIP file created using version 5.0 of
the Secure Login Administration Console.
Restore from a Backup File
Follow these steps to restore the configuration from a backup file:
1. If you have not already done so, click the Backup/Restore node from the tree in the
left-hand pane.
2. Click the Restore tab at the top of the page. The following page will appear:
Figure 6-29 System restore – from backup file
3. Click Browse… to open the file browser. Locate and open a backup.zip file (see
section 6.1.9.1 „System Backup‟ on page 151). The file path will appear next to the
Browse… button.
4. Click Select files to restore to display the files within the ZIP file:
Figure 6-30 System restore – select exact files to restore
The files within the backup file will be displayed according to priority. Some files
cannot be deselected (must select files) because they will be needed if the
configuration is to work correctly. The following files are displayed:
Configuration.properties (mandatory): This is the main configuration file.
Serverlist.xml (mandatory): This file contains a list of the Server instances and also which Server is currently active.
SLSJaasModule.login (optional): This file contains the configuration details for the Authentication Servers.
Cert_template.xml (optional): This file contains all of the certificate templates and certificate template mappings.
TrustStore.jks (optional): This file contains the Secure Login TrustStore mappings to certificates.
user.xml (optional): This file contains a list of users.
role.xml (optional): This file contains a list of Secure Login administrator roles.
Instances (optional): Any number of Server instances may be visible under Instances. Check a specific Server instance if you want to restore information such as the Authentication Server configuration or the Secure Login user CA KeyStore.
Depending on when the last backup was created, the information in the backup files may
not match the previously functioning version (e.g. the users and roles registered
with Secure Login at the time of the backup may differ because newer roles have been added
since the backup was created).
5. Check the files you wish to restore.
6. Click Upload and restore. If successful, the message Restore configuration and PKI
information successful will appear at the bottom of the page.
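Because the backup ZIP is uploaded to the Server and unpacked there, it is worth inspecting before a restore: the two mandatory files must be present, and no entry name should be able to escape the restore directory. The following is an added example (not SECUDE code) that does this with the Python standard library; the file names come from the table above, while the archive layout (files at the archive root, per-instance data under Instances/<name>/) and the function names are assumptions.

```python
"""Inspect a Secure Login backup.zip before restoring it: confirm the files the
manual marks mandatory are present, list the optional files and Server instances,
and refuse entries with unsafe paths.  Added example, not SECUDE code; the archive
layout (root files, instances under Instances/) is an assumption."""
import io
import zipfile

MANDATORY = {"Configuration.properties", "Serverlist.xml"}
OPTIONAL = {"SLSJaasModule.login", "Cert_template.xml", "TrustStore.jks",
            "user.xml", "role.xml"}


def _unsafe(name):
    """Entry names that would escape the restore directory when unpacked."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith("/") or ".." in parts or (len(name) > 1 and name[1] == ":")


def inspect_backup(data):
    """Return a report; 'restorable' is False if a mandatory file is missing or
    any entry name is unsafe."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
    unsafe = sorted(n for n in names if _unsafe(n))
    root = {n for n in names if "/" not in n}
    instances = sorted({n.split("/")[1] for n in names
                        if n.startswith("Instances/") and n.count("/") >= 2})
    missing = sorted(MANDATORY - root)
    return {
        "missing_mandatory": missing,
        "optional_present": sorted(OPTIONAL & root),
        "unexpected": sorted(root - MANDATORY - OPTIONAL),
        "instances": instances,
        "unsafe_entries": unsafe,
        "restorable": not missing and not unsafe,
    }


def make_sample_backup(files):
    """Build a constructed in-memory archive for offline testing (not a real backup)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_backup({          # constructed contents, not real data
        "Configuration.properties": "instance=default\n",
        "Serverlist.xml": "<servers/>",
        "Cert_template.xml": "<templates/>",
        "Instances/default/keystore.jks": b"\x00",
    })
    print(inspect_backup(sample))
```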
Restore from Automatic Backups
Follow these steps to restore the configuration from automatic backups made by the
Server:
1. If you have not already done so, click the Backup/Restore node from the tree in the
left-hand pane.
2. Click the Restore tab at the top of the page. The following page will appear:
Figure 6-31 System restore – from system backup
The Select restore files button (at the bottom of the page) is only active if you have already
performed a backup to a file (every time a file backup is performed the Secure Login system
will automatically make a duplicate backup for direct-restore purposes).
3. Click Select restore files at the bottom of the page. The following options will appear:
Figure 6-32 System restore – select restore files from automatic backups
For information about each of the files refer to the previous page.
4. Check the files you wish to restore.
5. Click Restore directly to restore the files.
6.1.10 Change Language
This section details the Change Language page of the Administration Console. This
feature only changes the GUI language of the Administration Console!
To change the language, select the desired language from the drop-down menu.
Figure 6-33 Administration Console - change language
Select a language from the list and click Change language. The changes will take effect
immediately.
6.1.11 Message Setting
This section details the Message setting page of the Administration Console. The
message files are used to relay specific Server messages to a Secure Login administrator.
Use the Message setting page to:
view the current message files available in the configuration
create a new message file in an alternate language
edit the messages in an existing message file
Open the Message Settings Page
1. If you have not already done so, click the Message setting node from the tree in the
left-hand pane.
2. The following page will appear:
Figure 6-34 Administration Console - message setting page
Use the options on this page either to edit an existing message file by selecting the
respective language from the list (ServerMsg_<country abbreviation>.properties) and
clicking Edit…, or to create a new messages file in a language of your choice by
clicking New….
Create a new Messages File / Edit Messages
Follow these steps to create a new Server messages language file:
1. Click New…
2. The following page will appear:
Figure 6-35 Message setting – create new Server messages language file
3. Select a language from the combo-box and click Create new file (take note of the file
extension in readiness for the next step, for example 'fr' for French).
4. The message properties file will appear in the list.
5. Select the new entry from the list (take note of the file extension – see above) and
click Edit…
6. The following information will appear:
Figure 6-36 Message setting – edit new Server messages language file
The Server messages are listed alphabetically in the default language. Edit the
message text in each field to conform to the appropriate language.
7. Once the entries have been changed click Save.
8. Depending on which application Server you use, either stop and then restart the
Server, or stop and restart the Secure Login application.
Delete a Server Messages File
Follow these steps to delete an existing Server messages language file:
1. The message settings files are stored in the Secure Login Web-applications directory
of the application Server – for example (Tomcat):
<Tomcat home>\Webapps\securelogin\WEB-INF\classes
2. Remove the desired Server messages file. For example: ServerMsg_af.properties
Only remove Server message property files that are either not currently in use or when
the application Server is not running.
Make sure you remove the correct message file (the extension denotes the language, for
example ServerMsg_af.properties for Afrikaans).
6.1.12 SSS&JCO Installation
This section details the preparation for Secure Login to run with SAP ID- or SAP Logon
Ticket-based logon and authentication. This includes the installation of SECUDE
Signon&Secure crypto libraries (SSS), the SECUDE license file, the SAP libraries, and the
PSE files.
Follow these steps to install the necessary components for SAP ID-based logon:
1. If you have not already done so, click the SSS&JCO installation node from the tree in
the left-hand pane.
2. The following page will appear:
Figure 6-37 Administration Console - SSS&JCO installation > locate SSS package
This page informs you not only about the current status of the signon&secure
installation, but also represents the first step of five needed to prepare Secure Login
for SAP ID- or SAP Logon Ticket-based logon. If the bullet icons for each Setup Step
are green then signon&secure has already been successfully installed. If some, or all,
bullet points are red then the signon&secure installation has not yet been successful.
You can click each Setup Step to go directly to that step to perform any tasks. For example,
if you want to load a license file (ticket.snc) for Web Client ticket-management, but do
not need a signon&secure installation, you can click the step Install ticket to load the
license file onto the Server.
3. Click Browse… to locate and open the package (ZIP) file (delivered in the Native
Components package) applicable to your system.
4. Click Upload to deploy the package to Secure Login. A success message should
appear.
5. Click Next to move on to the ticket installation:
Figure 6-38 SSS&JCO installation – locate ticket
6. Click Browse… to locate and open the ticket file (ticket.snc).
7. Click Upload to deploy the ticket to Secure Login. A success message will appear.
8. Click Next to move on to the JCO PSE configuration:
Figure 6-39 SSS&JCO installation – configure JCO PSE
9. This page allows you to install and configure the SNC PSE file (JCO/RFC connection
to the SAP Server). The following options are available:
Setup type: From local: load a PSE file generated by an application other than the Administration Console. From SLAC: load a PSE file generated by the Administration Console.
PSE file (From local only): The path to the PSE file. Click Browse… to locate and open the PSE file.
PSE password: The password for PSE file access.
10. Select a Setup type and locate the PSE file accordingly.
11. Click Upload to deploy the PSE to Secure Login. A success message should appear.
12. Click Next to move on to the SAP Logon Ticket configuration:
Figure 6-40 SSS&JCO installation – configure SAP Login Ticket
13. Click Browse… next to each field to locate and open the following files:
Verification PSE: Windows and Linux/UNIX: verify.pse (or similar). Usually, this file can be downloaded from the SAP NetWeaver Portal or from the SAP ABAP STRUST transaction.
Library file SAPSECU (native): For Windows: sapsecu.dll; for Linux/UNIX: libsapsecu.so
Library file SAPSSOEXT (native): For Windows: sapssoext.dll; for Linux/UNIX: libsapssoext.so
Due to legal restrictions, the SAPSECU and SAPSSOEXT libraries are not part of the Secure
Login delivery package. The libraries can be downloaded from:
http://service.sap.com/connectors (requires SAP account).
For further information please contact SECUDE support.
14. Select a Setup type and locate the PSE file accordingly.
15. Click Upload to deploy the PSE and library files to Secure Login. A success message
should appear.
16. Click Next to move on to the JCO installation (if you are using SAP NetWeaver ignore
this step, and move on to step 15):
Figure 6-41 SSS&JCO installation – install JCO
17. Click Browse… next to each field to locate and open the following files:
Library file sapco.jar: Windows and Linux/UNIX: sapjco.jar
Library file LIBRFC (native): For Windows: librfc32.dll; for Linux/UNIX: librfccm.so
Library file SAPJCO (native): For Windows: sapjcorfc.dll; for Linux/UNIX: libsapjcorfc.so
Due to legal restrictions, the SAP JCO libraries are not part of the Secure Login delivery
package. The libraries can be downloaded from:
http://service.sap.com/connectors (requires SAP account).
For further information please contact SECUDE support.
18. Click Upload to deploy the SAP JCO components to Secure Login. A success message
should appear.
19. Click Check to finish the signon&secure and JCO installation for Secure Login. This
will take you to the System Check page to verify the installation (see section 6.1.8 on
page 149).
20. Depending on which application Server you use, either stop and then restart the
Server, or stop and restart the Secure Login application.
6.1.13 Server Status
This section details the System Status page of the Administration Console. Use this page
to view the current status of the PSE Server.
1. If you have not already done so, click the System Status node from the tree in the
left-hand pane of the Administration Console.
2. The following page will appear:
Figure 6-42 Administration Console - System status of PSE Server
The system status is displayed as a table containing the following details:
Date: Current date and time.
Version: Version of SECUDE Secure Login Server being used.
Uptime: The amount of time the Server has remained active and running.
Instance ID: The identity of the current Server instance.
Configuration URL: Location of the configuration.properties file.
Configuration Status: configuration.properties file permission status (i.e. readable or not readable). OK = readable.
Server Lock: Server lock status. If the entry Yes appears, it means that Secure Login has encountered a problem. In such a case, check the Server Information pane in the top left-hand corner for tasks yet to be performed as well as the log files for possible problems. An Unlock button will appear next to the table entry (providing the administrator role has the necessary permissions). Once any problems have been resolved, click Unlock to start the Server.
PSE Server status: OK = working.
Server Build: SECUDE Secure Login Server version.
6.1.14 Sign Certificate Requests
This section details how to submit a certificate request to a certificate authority via the
Administration Console.
This function is only valid for the default PKI and therefore for the default Server instance.
If you create a new PKI, including SSL CA, in a non-default instance, you cannot use the SSL
CA to sign certificates. You can only use the SSL CA of the default instance.
Follow these steps to submit a PKCS#10 certificate request to the CA:
1. If you have not already done so, click the Signed certificate requests node from the
tree in the left-hand pane.
2. The following page will appear:
Figure 6-43 Administration Console – Submit a Certificate Request page
The following options are available (options marked with * are mandatory):
Base 64 encoded certificate request (PKCS #10): The base64-encoded content of the PKCS #10 certificate request. There are two ways of filling this field:
  Copy & paste: Paste the request into the Saved request field.
  Enter a path to the certificate: Click Browse for a file to insert to reveal the Full path name field. Click Browse… to locate and open a certificate request. Click Read.
Valid period of Certificate*: The period of time for which the certificate is valid.
Certificate encoding type: The encoding type for the certificate: PEM encoding or DER encoding. NOTE: if you wish to sign the certificate for a WebLogic Server, the encoding type must be PEM.
Issuer password: The issuer password for the certificate file.
3. Enter the certificate request details as stated above and click Sign certificate (i.e.
send to the SSL CA).
6.1.15 Console Log Viewer
This section details the Administration Console logging functionality. The log entries apply
only to the administration actions performed via the Administration Console.
1. If you have not already done so, click the Console log Viewer node from the tree in
the left-hand pane.
2. The Log management – console log page will appear:
Figure 6-44 Administration Console - Instance log management > main page/monthly log page
This page displays all of the tasks performed via the Administration Console since
logging began. This page allows you to:
Select a period of time to view via the Log Month combo-box.
Export log files to a *.csv file via the Export logs function. NOTE: This entry is
only visible if log entries are present.
The monthly table contains the following information about the administration tasks:
Date: The date the task was performed.
Time: The time the task was performed.
Code: The internal code of the task performed.
Level: An abbreviated description of the message, i.e. INF for information, or ERR for error.
User: The name of the user/administrator that performed the action.
Action: A quick description of the action, for example EDIT or OTHER.
Server: The Server instance(s) to which the action was directed.
Description: A description of the message/task.
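The exported *.csv is the audit trail of everything done through the Administration Console, so it is the natural input for a periodic review of administrator activity. The following is an added example (not SECUDE code) that parses such an export and reports configuration edits per administrator and per Server instance, the ERR-level entries, and edits logged outside a maintenance window; the column names come from the table above, while the exact CSV layout (header row, comma separated), the sample rows and the maintenance window are constructed assumptions.

```python
"""Summarise an exported Console Log Viewer *.csv (columns Date, Time, Code,
Level, User, Action, Server, Description) to review administrator activity.
Added example, not SECUDE code: the column names come from the manual, the
CSV layout (header row, comma separated) is an assumption."""
import csv
import io
from collections import Counter

# Constructed sample export; entries are illustrative, not real log data.
SAMPLE_EXPORT = """Date,Time,Code,Level,User,Action,Server,Description
2010-03-02,09:12:41,1001,INF,admin,EDIT,default,TrustStore certificate added
2010-03-02,09:13:05,1002,INF,admin,OTHER,default,System backup downloaded
2010-03-02,22:47:19,2004,ERR,jdoe,EDIT,instance2,Certificate template import failed
2010-03-03,08:01:00,1007,INF,jdoe,EDIT,instance2,Template mapping changed
2010-03-03,08:02:30,2009,ERR,admin,OTHER,default,Server lock set
"""

REQUIRED = ("Date", "Time", "Code", "Level", "User", "Action", "Server", "Description")


def parse_console_log(text):
    """Return one dict per row; a row missing any column is rejected, not guessed."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if any(row.get(col) in (None, "") for col in REQUIRED):
            raise ValueError("malformed export row: %r" % (row,))
        rows.append(row)
    return rows


def summarise(rows):
    """Edits per administrator, edits per Server instance, and the ERR entries."""
    edits = Counter(r["User"] for r in rows if r["Action"] == "EDIT")
    per_server = Counter(r["Server"] for r in rows if r["Action"] == "EDIT")
    errors = [(r["Date"], r["Time"], r["User"], r["Server"], r["Description"])
              for r in rows if r["Level"] == "ERR"]
    return {"edits_per_user": dict(edits), "edits_per_server": dict(per_server),
            "errors": errors}


def edits_outside_window(rows, start="07:00:00", end="19:00:00"):
    """Configuration edits logged outside an agreed maintenance window; the
    window is an assumed local policy, not something the product defines."""
    return [r for r in rows if r["Action"] == "EDIT" and not (start <= r["Time"] <= end)]


if __name__ == "__main__":
    parsed = parse_console_log(SAMPLE_EXPORT)
    print(summarise(parsed))
    print([r["Time"] for r in edits_outside_window(parsed)])
```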
6.1.16 Web Client Configuration
This section details the configuration settings for the Secure Login Web Client. For
information about how to install and use the Web Client refer to chapter 5 on page 109.
1. If you have not already done so, click the WebClient Configuration node from the tree
in the left-hand pane.
2. The WebClient Management page will appear, by default, displaying the Properties
Configuration tab:
Figure 6-45 Web Client configuration - main page/monthly log page
The following options apply to the Properties Configuration tab (options marked with *
are mandatory):
Web Client Application Path:
  WebClientConfigPath*: The full path to the Secure Login Web Client directory. Click Change to manually enter the full path.
    Tomcat: <Tomcat home>\Webapps\SlsWebClient
    NetWeaver: <NetWeaver home>\apps\secude.com\SecureLogin\servlet_jsp\SlsWebClient\root
  TomcatSharedPath: The path to the Tomcat shared directory. This is usually: <Tomcat home>\shared
  Click Save to confirm the entries.
  NOTE: until a valid Web Client application path is entered the tabs Message Settings, Package Management, and HTML Settings remain hidden.
Common Configuration: Click Edit to change the following properties:
  WSURL: The URL of the Secure Login service.
    Tomcat uses: http://<hostname:port>/axis2/services/secureloginservice
    NetWeaver uses: http://<hostname>:<port>/SecureLoginService/Config1?style=document
  LOGONURL: Address of the SAP portal to perform a login with in case of SAP Login Ticket authentication: http://<hostname:port>/irj/portal
  PORTALURL: Address to be called after successful authentication, e.g. if the Client certificate shall be used: https://<hostname:sslport>/irj/portal
  AUTHENTICATIONSCHEME: The SAP Portal scheme to be used for authentication.
  ACTION: The Web Client's action to be performed after successful authentication:
    Start local SAPGUI (either SAPGUI for Windows or SAPGUI for Java)
    Open SAP Portal Web page
    Both
    Nothing
  PackURL: The name of the directory in which the subfolders WIN32, MAC_UNI etc. are stored (the original files can be located in the WebClient subdirectory of the delivery package SECUDE51SecureLoginNativeComponents.zip). Each of the subfolders contains the SECUDE libraries, licence file, and version file. For example, the Windows files needed are: ComSecudeUtil.dll, secude.dll, ticket.snc, version.txt.
  SAPLogon.slsinstance: The SLS instance identifier to be used for authentication when launching only the SAPGUI, without login to a specific Server.
  Cleanup Temporary Files: This option determines if the temporary files are deleted after the Web session has ended. The following entries are possible:
    no [default]: Do not delete files created on the Client side after logout. Keep this value if the Web Client opens a new Web page (PORTALURL is set).
    user: All user files are deleted when the Web Client or the browser is closed. This includes the user's soft-tokens.
    full: This option will remove all Client files including the SNC library and the user settings.
  Client Logging: This option determines if logging is performed. The Web Client logfile can be located under:
    Windows XP: C:\Documents and Settings\<user>\secudesnc
    Windows Vista and 7: C:\Users\<user>\secudesnc
    Mac OS: /Users/<user>/secudesnc
    Linux: /home/<user>/secudesnc
  The following entries are possible:
    no [default]: No Client log file will be created and no logging is performed.
    temp: The Client creates a log file for each login session. The log file is deleted when the Web Client is closed.
    keep: The Client's log file is never deleted.
SAP GUI Management: Use this part of the page to add new SAP Servers to the configuration, view and edit current SAP Servers, and delete any Server from the configuration. For further information refer to the next section.
Platform Configuration: Configure the individual Web Client properties for each platform. For further information refer to section 6.1.16.2 on page 169.
6.1.16.1 Web Client Management for SAP GUI
This section details the Web Client Management page of the Administration Console.
For information about how to install and use the Web Client refer to chapter 5 on page
109.
1. If you have not already done so, click the Web Client Configuration node from the tree
in the left-hand pane. The Web Client Management page will appear.
2. Either click Servers Management>Add to create a new Server entry, or select an
existing Server from the Servers Management list and click Edit. The following page
will appear:
Figure 6-46 Web Client configuration – Servers management page
The following options are available:
SAP GUI for Java:
  Label: Arbitrary text describing this Server.
  Host: The SAP NetWeaver ABAP IP address or hostname.
  Port: Port number used by the Server. Default ABAP stack is 3200.
  SNCname: The SNC name. For example: p:CN=sapnw01,OU=QA,O=SECUDE,C=DE
SAP GUI for Windows:
  shortcut.Name: The SAP Server identifier used in multi-instance configurations.
  shortcut.Description: The name of the Server profile in the SAPGUI for Windows (in SAPGUI this is the "description" field). This is THE essential reference to the Server profile for Windows-SAPGUI.
Instance ID this Server used: The instance identifier to be used by this Server.
Save: Save any changes made via this page.
3. Enter the necessary values and click Save to confirm the entries.
6.1.16.2 Web Client - Platform Configuration
This section details the platform configuration page for the Secure Login Web Client.
For information about how to install and use the Web Client refer to chapter 5 on page
109.
1. If you have not already done so, click the Web Client Configuration node from the tree
in the left-hand pane. The Web Client Management page will appear.
2. Select a platform from the Platform Configuration list and click Edit.
3. The following page will appear:
Figure 6-47 Web Client configuration – platform configuration page
The Platform Configuration page may appear in slightly different forms according to whichever platform was chosen under the Platform Configuration option in the main Web Client Management page:
Windows: The options to select the SAP GUI for the Java-based Client as well as the stand-alone Client are available.
Mac OSX/Linux: Only the option to select the SAP GUI for the Java-based Client is available.
The following options are available:
Option Details
SAP GUI for Java (appears for all platforms):
Binary name of SAP GUI tool
SAP.start.binary: The application name of the SAP GUI for Java.
Windows: guistart.bat
Mac OSX: SAPGUI
Linux: guistart
SAP.logon.binary: The application name of the SAP logon frontend.
Windows: guilogon.bat
Mac OSX: SAPGUI
Linux: guilogon
To enter a different binary name, simply enter a new name in the respective field and click Save.
Search Path for SAP GUI: The path used by the Web Client to locate the Java binaries. Click Add to open a secondary field and manually enter the path to the Java binaries for each one. Click Save to confirm the entry.
SAP GUI for Windows (appears for Windows only):
Binary name of SAP GUI tool
SAP.start.binary: The application name of the SAP GUI for Windows.
Windows: sapgui.exe
SAP.logon.binary: The application name of the SAP logon frontend.
Windows: saplogon.exe
To enter a different binary name, simply enter a new name in the respective field and click Save.
Search Path for SAP GUI: The path used by the Web Client to locate the Java binaries. Click Add to open a secondary field and manually enter the path to the Java binaries for each one. Click Save to confirm the entry.
Supported OS: The platforms for which the properties on this page are applicable. The platform name will be listed along with the files required by each platform to function correctly.
If you want to remove support for a specific platform (e.g. remove 64-bit support from Windows) click Delete.
6.1.16.3 Message Settings
This section details the message settings for the Secure Login Web Client. For information
about how to install and use the Web Client refer to chapter 5 on page 109.
1. If you have not already done so, click the Web Client Configuration node from the tree
in the left-hand pane. The Web Client Management page will appear.
2. Click the Message Settings tab:
Figure 6-48 Web Client configuration – message settings page
A list of language files for the messages will be displayed. You can now either:
Click New… to create a message file in a specific language (see below), or…
Select an existing message file from the list and click Edit… to alter the
messages for that language (refer to the next page).
Create a new Message File
1. Click New… to create a message file in a specific language. A language selection bar
will appear below the message list:
Figure 6-49 Web Client configuration – create new message file
2. Select the language in which you want to create the messages from the combo-box
and click Create New file.
3. The message file will be created using proprietary messages (in English) and will
appear in the list:
Figure 6-50 Web Client configuration – new message file in list
Select the message file from the list and click Edit…
4. The message properties page will appear:
Figure 6-51 Web Client configuration – edit message properties
Translate or alter each message to the given context and click Save.
Edit an existing Message File
1. Select a message file from the list and click Edit…
2. The message properties page will appear:
Figure 6-52 Web Client configuration – edit message properties
Translate or alter each message to the given context and click Save.
6.1.16.4 Package Management
This section details package management for the Secure Login Web Client. Use this page
to consolidate the files necessary for Web Client operation.
For information about how to install and use the Web Client refer to chapter 5 on page
109.
1. If you have not already done so, click the Web Client Configuration node from the tree
in the left-hand pane. The Web Client Management page will appear.
2. Click the Package Management tab:
Figure 6-53 Web Client configuration – package management page
The following options are available:
Option / table column Details
Platform name: Select the platforms for which you want to consolidate files. This will display the appropriate processor-specific information for each platform.
[Table] Package name: The name of the package corresponding to the processor type.
Version: The Web Client version.
Filename in the package: A list of files currently in the package.
Missing files: A list of missing files needed for the package to run.
File path: Click Browse to locate and load each individual file for the package preselected in the list.
Upload: Load either the ZIP file containing the native components, or individual native component files (located and opened via Browse) into the platform-specific package.
Remove All: Remove all of the Web Client files from a pre-selected package.
Synchronize Ticket: Synchronize the license file (ticket.snc) used for the signon&secure/JCO installation to all the operating system packages. This applies even if you do not implement SAP ID authentication. For further information refer to section 6.1.12 on page 158.
3. Select a platform from the combo-box and click Browse… to locate either the
complete Native Components ZIP file, or any missing Native Component files for each
operating system/processor type necessary for the configuration.
The SECUDE libraries (ComSecudeUtil, secude) and the version file can be
located in the file SECUDE51SecureLoginNativeComponents.zip delivered with
the Secure Login package (optionally, the license file (ticket.snc) can also be
loaded in this manner – see step 5 below).
4. Click Upload to load each file individually into the package.
5. As an optional step, to save time loading the license file (ticket.snc) into each of
the operating system packages, you can click Synchronize Ticket to automatically
perform this task.
6.1.16.5 HTML Settings
This section details the HTML settings for the Secure Login Web Client. Use this page to
customize the messages and/or look of the Web Client pages.
For information about how to install and use the Web Client refer to chapter 5 on page 109.
1. If you have not already done so, click the Web Client Configuration node from the tree
in the left-hand pane. The Web Client Management page will appear.
2. Click the HTML Settings tab:
Figure 6-54 Web Client configuration – HTML settings page
A list of language files for the GUI will be displayed. You can now either:
Click New… to create a message file in a specific language (see below), or…
Select an existing message file from the list and click Edit… to alter the
messages for that language (refer to the next page).
Create a new Language File
1. Click New… to create HTML pages for the Web Client. A language selection bar will appear below the message list:
Figure 6-55 Web Client configuration – HTML settings > create new language file
2. Select the language in which you want to create the messages from the combo-box
and click Create New file.
3. The new language file will be created using proprietary files (in English) and will
appear in the list:
Figure 6-56 Web Client configuration – HTML settings > select language file to edit
Select the language file from the list and click Edit…
4. The HTML editor page will appear:
Figure 6-57 Web Client configuration – HTML settings > edit language files
The following options are available:
Option Details
[HTML pages]
InitApplet.html: This is the initial page to be called by the Web Client. This page performs a Java check as well as a communication timeout and user preferences check.
SNCAppletAuth.html: This is the main Web Client page containing the logon form and configurable Server-list. If you do not want to support direct login to SAP Servers but rather only the launching of SAP logon, you can change the HTML template of this main page.
SNCAppletNewpin.html: This is the page for new PIN entry applicable to RSA and SAP ID. If Secure Login Server JAAS authentication modules of the types RSA or SAP ID are configured, it may occur that users have to change their passwords. This page is for this purpose.
SNCAppletNexttoken.html: This is the page for a new token entry applicable to RSA Server requests. If the Secure Login Server RSA JAAS authentication module is configured, it may occur that the RSA Server will request a new token code. This page is for this purpose.
SNCAppletSaplogon.html, SNCAppletSapstart.html: One of these pages will appear if the SAP GUI binary tools configured on the Server-side cannot be found on the Client computer. The pages will prompt the user to specify which SAP GUI executable is to be used. Once specified this parameter is then stored, together with the Client computer-hostname, in the configuration file user.properties in the user's home directory.
Save: Save any changes made in the HTML editor pane.
Reset: Reset any changes to those in the previously saved version of the template.
Preview: Preview the HTML code in your Web-browser.
5. Select the template you want to edit from the left-hand pane and edit the HTML code
as necessary. Repeat for any further templates (remember to click Save after
completing each template to save the changes for each one).
Edit an existing Language File
1. Select a language from the list and click Edit…
2. The HTML editor page will appear:
Figure 6-58 Web Client configuration – HTML settings > edit language files
Refer to the previous page for a list of the options available on this page.
3. Select the template you want to edit from the left-hand pane and edit the HTML code
as necessary. Repeat for any further templates (remember to click Save after
completing each template to save the changes for each one).
6.2 Email Report&Alert Configuration
1. Define settings of E-Mail Server account
Figure 6-59 Email Report&Alert configuration – Email Server Setting
Specify name or IP of SMTP Server.
Specify username and password of SMTP user.
Specify E-Mail address of the sender.
Specify E-Mail address of the default receiver.
Optional text signature to be appended to mails.
2. Select System Alert Settings and/or Log Alert Settings.
Figure 6-60 Email Report&Alert configuration – System Alert Setting
Select the Check and Send Email check box.
Define desired check interval.
Select the items to be monitored in order to provide report or check All.
Click on Send Email to Default in case receiver will be the default one already
defined or specify it on edit box.
6.3 Instance Management
This section details the Instance management page of the Administration Console.
Instance management is the main hub that allows you to switch between Server instances
to configure each one (i.e. to configure a specific Server instance you must first open this
page and switch to it).
Follow these steps to configure Server instances:
1. If you have not already done so, click the Instance management node from the tree in
the left-hand pane.
2. The following page will appear:
Figure 6-61 Administration Console – instance management
This page displays all of the Server instances in the Secure Login configuration. The
red * next to the instance name depicts the current Server instance. This page has
the following options:
Area Options + details
Instance information list:
ServerName: The name of the instance. Click Edit to change the Server name.
ID: The ID of the instance. This is also the name of the folder in which this instance's configuration files are stored.
Server Root Path: The path to this instance's folder.
Status: The active status of this instance. An inactive instance is shown in gray.
Lock: The status of the Server instance (locked/unlocked).
Buttons:
Add: Add a new Server instance. This will start a wizard to help you through the creation process. For further information about the creation process refer to section 3.6.3 on page 63.
Edit: Edit the name of the selected Server instance. To use this function check the Server instance you wish to edit and click Edit. Enter the new name in the new page and click Save.
Active: Activate a selected Server instance. If a Server instance entry is grayed-out this means that it has been deactivated. Use the Active function to re-activate the Server instance.
Inactive: Deactivate a selected Server instance. This function should only be used when a Server instance needs to be deactivated for maintenance or for a temporary task.
Unlock: Unlock a Server instance. A Server instance may be locked if, for example, log files can no longer be written.
Delete: Delete the selected Server instance. All the configuration files of this instance will also be deleted.
6.3.1 Instance Configuration
This section details the Instance Configuration page of the Administration Console. The
node can be recognized as <Server name> Configuration or DefaultServer Configuration in
the navigation tree.
This page displays the configuration of current instance and allows you to:
View a Server configuration pre-selected in the Instance Management page.
Edit the Server configuration.
Follow these steps to view and configure Server instances:
1. If you have not already done so, click the Instance management node from the tree in
the left-hand pane to select the Server instance you wish to view/edit (see section
6.3).
2. The following page will appear:
Figure 6-62 Administration Console – Instance Configuration page (extract)
This page displays an overview of the Secure Login Server configuration properties.
Click Edit in the top right-hand corner to edit the following parameters:
Option (Can be edited?) Details/Value
Authentication Server configuration (No):
JaasModule: The JAAS login module to be used with this Server instance.
SECUDE Secure Login UserCA KeyStore (No):
PseType: Type of PSE used by the Server to sign the generated certificates.
PseName: The path to the PSE file.
User Certificate Configuration (Yes): These values will be used to generate Client certificates. As a result, all the Client certificates will have the same country, locality, organization, and organizational unit values. These certificates are distinguished by different common names, which are not set here:
DN.xxx: Information used to identify the Clients for the SECUDE Secure Login Server. Use a mix of letters, digits, and special characters.
ValidityMinutes: The amount of time, in minutes, for which a Client certificate is valid.
ValidityOffset: Time offset in minutes relative to the Server system time for the certificates to start being valid.
UseUPN: Use the User Principal Name.
Certificate Template Configuration (No): The following options cannot be edited in this page. For details about how to set these options refer to section 6.1.7 on page 143.
CertificateName, CertificateFormat, SerialNumberPolicy, StandardExtension, PrivateExtension, KeyUsage, ExtendedKeyUsage
Log Configuration (No): The following options cannot be edited in this page. For details about how to set these options refer to section 6.3.4.2 on page 195.
EnableLog: Is logging enabled?
DailyLogPrefix: The file prefix for daily logs.
DailyLogDir: The directory for daily log storage.
MonthlyLogPrefix: The file prefix for monthly logs.
MonthlyLogDir: The directory to which the monthly log files are saved.
LogMaxSize: The maximum size for the log file directory (all log files) in gigabytes.
LogRotationSize: The maximum size a log file may be before archiving.
LogCleanDays: The interval, in days, after which the next log cleanup starts.
Other Server Configuration (all except LockDir are editable):
LockInstanceOnTransactionLogFailure: Lock the Server instance should the transaction log fail (for example when the logfile can no longer be written due to lack of disk space).
Yes = lock the Server
No = Do not lock the Server
LockDir: The directory in which the lock file will be placed. This requires a path to a valid folder to which the Server has write access. If the value is a valid directory path but the folder does not exist, then one will be created (if the path is not valid, or the Server has no write access, then no lock file can be created and the Server cannot be locked).
NOTE: Changing the lock directory value requires a Server restart.
maxSessionInactiveInterval: Specifies the time, in seconds, between Client requests before the servlet container will invalidate this session. This is applicable only in challenge-mode (PIN change etc.).
AdminServletHeader: The header text to be displayed on the status page (used by the StandardServlet status page, not used by the Administration Console GUI).
AdminServletTrailer: The footer text to be displayed on the status page (used by the StandardServlet status page, not used by the Administration Console GUI).
User-defined properties (Yes): Any properties defined by the Server administrator will be listed here. To add a new property click Edit, navigate to the bottom of the page, click Add, then enter the property name in the first field and a false/true parameter in the second field. Click Delete to remove an administrator-defined property from the configuration.
3. Once you have made changes to the Server instance click Save to apply them to the
Server configuration.
6.3.2 Customizing With User-Defined Properties
This section details Secure Login features to assist an administrator by means of user-
defined properties.
Contents
Section 6.3.2.1 'Alternative User Name from LDAP Directory' page 181
Section 6.3.2.2 'Length of Username in Certificate' page 183
Section 6.3.2.3 'Username Configuration for SQL JAAS Module' page 183
6.3.2.1 Alternative User Name from LDAP Directory
This section details how to configure an LDAP or Active Directory Server attribute value to
be used instead of the user name given by the Client. This may be useful if the SAP SNC
user names and the authenticated user names (e.g. from a Windows domain) are not the
same.
Each instance may have its own configuration.
1. Open the Instance configuration in Edit mode as described on page 179.
2. Scroll down to the bottom and add a set of User-defined properties:
Figure 6-63 User-defined properties – sample LDAP attribute configuration
The following properties are available (properties marked with * are mandatory):
Property Details (n is the Server index from 1 to LdapReadServers, e.g. LdapReadUrl1)
LdapReadServers*: Number of LDAP Servers that are configured here. A numeric value is expected that must be 1 or higher. The given value is used as n to define an ordered list of Servers that are called in a fail-over manner. Keep empty to disable all configured Servers.
LdapReadAttribute<n>*: The LDAP attribute that shall be used instead of the given user name. A simple text value is expected.
LdapReadUrl<n>*: The LDAP Server that shall be used to retrieve that attribute.
LdapReadTimeout<n>: Connection timeout in seconds.
LdapReadDomain<n>*: For Active Directory: LDAP domain to be appended to the given user name if it is not a User Principal Name. If the name is already in UPN format, the property is ignored.
LdapReadUser<n>*: LDAP user to open the LDAP session (bind user).
LdapReadPass<n>*: LDAP password of bind user. Warning: This password is displayed and stored in clear text. It is recommended to use an LDAP user with read-only permissions.
LdapReadBaseDN<n>*: LDAP search base / sub tree to be used to search for the given user name.
The user certificate's common name part (CN) gets the value of LdapReadAttribute if
There is an LDAP entry for the given user, and
the attribute LdapReadAttribute exists and contains a text value.
Otherwise, the CN is generated as usual.
For a protected communication to the directory Server, LDAP/SSL may be configured.
In this case, the existing trust store of Secure Login Server is used.
6.3.2.2 Length of Username in Certificate
SAP user IDs have a maximum length of 12 characters, which needs to be considered by SNC
X.509 certificates. The default behaviour of Secure Login Server 5.1 is to strip off any user
name value to this length in the CN field of issued certificates. This default length may be
customized.
Property Details
MaxUserNameLength: Maximal number of characters a user name in the CN field may have. If the given user name is longer, it is cut from the right side.
Default value: 12.
Sample: SCHWARZENEGGER is cut off to SCHWARZENEGG with default settings.
UserNamePaddingLength: If user names in the CN field need a fixed or minimum length, padding can be turned on. The padding length sets the minimum length of user names.
Default value: None.
UserNamePaddingChar: The padding character is used to fill user names on the left side if their size is smaller than the configured padding length.
Default value: None.
Sample: ARNOLD is extended to 00ARNOLD with UserNamePaddingLength="8" and UserNamePaddingChar="0".
6.3.2.3 Username Configuration for SQL JAAS Module
Depending on the username/Client ID schema used for database authentication, some special
configuration properties may be needed to define which user name is put into the certificate.
This is only to be considered if Secure Login Client sends compound username values.
Property Details
UseQualifiedName: If true, the full received username value is taken for the user certificate's CN field. If false, only the user ID part before the separator is taken, and UserNameSeparator must be set to a non-blank value to apply this property.
Default value: true.
UserNameSeperator: String of one or more characters that separates username and Client identifier sent by the Secure Login Client. If configured, DBColumnClientID must also be configured in the SQL JAAS module.
Default value: None.
Sample: USER001#CLIENT999 is split to USER001 with UseQualifiedName="false" and UserNameSeperator="#".
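As an added worked example (not code from the SECUDE product), the following Python models how the CN of an issued user certificate follows from the received user name under the properties of sections 6.3.2.1 to 6.3.2.3; the directory lookup is a constructed in-memory table, and the order in which the steps are combined (separator split, LDAP override, truncation, padding) is an assumption.

```python
# Added example, not SECUDE code: derive the certificate CN from a received user name
# under UseQualifiedName / UserNameSeperator (6.3.2.3), LdapReadAttribute (6.3.2.1)
# and MaxUserNameLength / UserNamePadding* (6.3.2.2). The step ordering is assumed.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class CnPolicy:
    """User-defined properties that influence the certificate CN (page defaults)."""
    use_qualified_name: bool = True          # UseQualifiedName, default true
    user_name_separator: str = ""            # UserNameSeperator, default none
    max_user_name_length: int = 12           # MaxUserNameLength, default 12
    padding_length: Optional[int] = None     # UserNamePaddingLength, default none
    padding_char: str = ""                   # UserNamePaddingChar, default none


# Constructed stand-in for LdapReadAttribute lookups: user name -> attribute value.
# An empty value models an entry whose attribute exists but carries no text.
SIMULATED_DIRECTORY: Dict[str, str] = {"jdoe": "DOEJ", "nobody": ""}


def split_user_id(received: str, policy: CnPolicy) -> str:
    """Section 6.3.2.3: keep only the user ID before the separator when
    UseQualifiedName is false AND UserNameSeperator is a non-blank value."""
    if policy.use_qualified_name or not policy.user_name_separator.strip():
        return received
    return received.split(policy.user_name_separator, 1)[0]


def ldap_alternative_name(user: str, directory: Optional[Dict[str, str]]) -> str:
    """Section 6.3.2.1: the CN takes the LdapReadAttribute value only if an entry
    exists for the user and the attribute contains a text value; otherwise the
    CN is generated as usual."""
    if directory is None:            # no LdapRead* properties configured
        return user
    value = directory.get(user)
    return value if value else user


def fit_length(name: str, policy: CnPolicy) -> str:
    """Section 6.3.2.2: cut from the right to MaxUserNameLength, then pad on the
    left up to UserNamePaddingLength with UserNamePaddingChar (a single character
    is assumed) when both padding properties are configured."""
    if len(name) > policy.max_user_name_length:
        name = name[:policy.max_user_name_length]
    if policy.padding_length and policy.padding_char:
        missing = policy.padding_length - len(name)
        if missing > 0:
            name = policy.padding_char[0] * missing + name
    return name


def derive_cn(received: str, policy: CnPolicy,
              directory: Optional[Dict[str, str]] = None) -> str:
    """Full pipeline from the value sent by the Secure Login Client to the CN."""
    user = split_user_id(received, policy)
    user = ldap_alternative_name(user, directory)
    return fit_length(user, policy)


if __name__ == "__main__":
    # The page's own samples, reproduced:
    print(derive_cn("SCHWARZENEGGER", CnPolicy()))                            # SCHWARZENEGG
    print(derive_cn("ARNOLD", CnPolicy(padding_length=8, padding_char="0")))  # 00ARNOLD
    print(derive_cn("USER001#CLIENT999",
                    CnPolicy(use_qualified_name=False, user_name_separator="#")))  # USER001
    # Separator left unset: the whole compound value lands in the CN and is truncated.
    print(derive_cn("USER001#CLIENT999", CnPolicy(use_qualified_name=False)))  # USER001#CLIE
    # Directory override: the attribute value replaces the given user name.
    print(derive_cn("jdoe", CnPolicy(), SIMULATED_DIRECTORY))                 # DOEJ
```

The truncated compound value in the fourth call shows why UseQualifiedName=false without a non-blank UserNameSeperator is a misconfiguration worth checking: the Client identifier ends up inside the CN.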
6.3.3 Client Configuration
This section details the Client configuration page of the administration console.
Follow these steps to open Client configuration:
1. If you have not already done so, click the Client configuration node from the tree in
the left-hand pane.
2. The following page will appear:
Figure 6-64 Client configuration page
This page automatically opens on the Client Policy file management page.
The following options are available (options marked with * are mandatory):
Option Details/Value
Client Policy: Opens the Client policy management page (the default page).
Applications: Opens the Applications management page. For further information see section 6.3.3.1 'Application Management' on page 184.
Profiles: Opens the Profiles management page. For further information see section 6.3.3.2 'Client Profile Management' on page 187.
Files download: Opens the Files download page. For further information see section 6.3.3.3 'Files Download' on page 190.
Global Client Policy: Opens the Global Client Policy page. For further information see section 6.3.3.4 'Global Client Policy' on page 191.
Policy URL*: Network resource URL from which the latest SECUDE Secure Login Client policy can be downloaded.
Example: http://proxyurl.secude.com:3128
Policy TTL*: The time (in minutes) that a policy remains valid.
Network Timeout (s)*: The elapsed time (in seconds) before a connection is closed if the Server does not respond.
Disable update policy on startup: Turn off automatic policy download and registration when the system service is started.
false = update policy enabled
true = update policy disabled
3. If necessary, edit the parameters and click Save to set the changes.
6.3.3.1 Application Management
This section details how to administrate applications for the Client.
1. If you have not already done so, click the Client configuration node from the tree in
the left-hand pane.
2. Click Applications. The following information will appear:
Figure 6-65 Client configuration – Application Management page
The following options are available (options marked with * are mandatory):
Option Details/Value
Client Policy: Opens the Client policy management page. For further information see section 6.3.3.1 'Application Management' on page 184.
Applications: Opens the Applications management page (this page).
Profiles: Opens the Profiles management page. For further information see section 6.3.3.2 'Client Profile Management' on page 187.
Files download: Opens the Files download page. For further information see section 6.3.3.3 'Files Download' on page 190.
Global Client Policy: Opens the Global Client Policy page. For further information see section 6.3.3.4 'Global Client Policy' on page 191.
Application action: The action of the selected application. There are 3 types of action: clean, replace, or keep. Click Save to set the application action.
Add Application: Add a new application (see next page).
Edit: Modify a selected application (only applicable if an application is available in the Applications list). See below.
Delete: Delete a selected application (only applicable if an application is available in the Applications list).
Add/Edit an Application
Follow these steps to add an application:
1. Click Add Application. The following information will appear:
Figure 6-66 Client configuration – add an application
The following options are available (options marked with * are mandatory):
Option Details/Value
Application name*: The name of the application.
SAP Server: Select the SAP Server certificate for this policy.
NOTE: this field only appears if you have created an SAP CA, plus certificate, in the Certificate Management page (see section 6.3.2.3 on page 183).
PSEURI*: Application specific PSE URI that is matched when a fitting profile is searched. For example:
SNC/cn=SAP, o=SECUDE, c=DE
SNC/CN=Server*, ou=Strong
The wildcards * and ? can be used.
Profile: The name of the security profile to be used for the application. The name must match the profile name in the profiles section. The profile name * is used for the default security profile that is configured by the user (for example, the smart card profile). For further information about profiles see section 6.3.3.2 'Client Profile Management' on page 187.
allowFavorite: Allow the user to select another profile as 'favorite' for this SNC application context.
false (default) = always use configured profile
true = Do not use configured profile
2. Enter the application parameters and click Save. This will return you to the Applications page (see section 6.3.3.1 'Application Management' on page 184).
6.3.3.2 Client Profile Management
This section details how to administrate profiles for the Client.
1. If you have not already done so, click the Client configuration node from the tree in
the left-hand pane.
2. Click Profiles. The following page will appear:
Figure 6-67 Client configuration – Client profiles page
The following options are available (options marked with * are mandatory):
Option Details/Value
Client Policy: Click to open the Client Policy Management page (the default page). For further information see section 6.3.3 'Client Configuration' on page 183.
Applications: Click to open the Applications Management page. For further information see section 6.3.3.1 'Application Management' on page 184.
Profiles: Click to open the Profiles Management page (this page).
Files download: Opens the Files Download page. For further information see section 6.3.3.3 'Files Download' on page 190.
Global Client Policy: Opens the Global Client Policy page. For further information see section 6.3.3.4 'Global Client Policy' on page 191.
Profile action: The action of the profile. There are 3 types of action: clean, replace, or keep. Click Save to set the profile action.
Add Profile: Add a new profile (see next page).
Edit: Modify a profile (only applicable if a profile is available in the Profile list). See below.
Delete: Delete a profile (only applicable if a profile is available in the Profile list).
Add/Edit a Client Profile
Follow these steps to add/edit a profile:
1. Click Add Profile.
2. The following page will appear:
Figure 6-68 Client configuration – add/modify Client profile
The following options are available (options marked with * are mandatory):
Option Details/Value
Profile name* The name of the profile
PSEType The type of profile. Possible values include:
promptedlogin
windowslogin
EnrollURL0* Secure Login URL that is used for authentication and certificate
enrolment. The URL locates the Server instance that is valid for
the Secure Login Client. For example: http://myServer.local/securelogin/PseServer?id=0001
EnrollURL1 Fallback Secure Login URL if URL 0 fails. The URL locates the
Server instance that is valid for the Secure Login Client. For
example: http://myServer.local/securelogin/PseServer?id=0002
HttpProxyURL HTTP proxy to be used with enrolment URLs. Only HTTP proxies
without authentication and without SSL to proxy are supported.
Example: http://example.address.com:8888
GracePeriod The number of seconds that will expire before a certificate will
automatically re-enroll.
Default: 0
InactivityTimeout The number of seconds until an automatic logout is performed
(due to mouse and keyboard inactivity). Possible values:
> 1: The number of seconds of inactivity.
-1: No single sign-on (SSO). Each SNC connection forces a new
login
0 (default): No timeout. SSO without constraints.
AutoReenrollTries The number of failed authentications in a row until automatic re-enrolment is stopped.
User name and password caching can be turned on to provide
the automatic re-enrolment of certificates that are going to
expire. Possible values:
0: Turn off (default): Do not re-enroll automatically; do not cache
user name and password. A re-enrolment must always be
performed manually by the user.
>0 (n): Turn on with n tries to succeed: Try to re-enroll a
maximum of n times before either a new certificate is received or
the user name and password cache are cleared.
The error counter is reset on success. A manual re-enrolment is
also possible. You can delete all cached credentials from
memory (except those stored in the Secure Login Client system
service) via the logout entry in the context menu of the SECUDE
PSE service in the system tray.
Deleting the cache of the windowslogin token has no effect as
the credentials can be retrieved from the Secure Login Client
system service.
KeySize Key size of the newly-generated RSA keys.
Range: 512 – 16384
Default: 512
ReUseKey Defines if the RSA key is kept for the profile. If true, the RSA
key is kept unless a manual logout is performed or the user
process psesvc.exe is shut down.
Default: false
UniqueClientID Customer-defined string
Default: NULL
Network timeout
(seconds)
Network timeout (in seconds) before the connection is closed if
the Server does not respond
Default: 45
SSLHostCommonNameCheck This applies to the SSL Server certificate – this checks if the peer
host name is given in its common name.
Default: false
SSLHostAlternativeNameCheck This applies to the SSL Server certificate – this checks the
Server's SSL certificate for the correct DNS name in the
Subject Alternative Names Attribute.
Default: false
SSLHostExtensionCheck This applies to the SSL Server certificate – this checks if the
peer's certificate has the extended key usage
ServerAuthentication set.
Default: false
UseSslPse If set to true, this parameter turns on the former SSL.PSE-based
TrustStore for HTTPS.
If set to false (default), the Microsoft CAPI is used for HTTPS
trust.
UserWarningPassword Turn on/off a warning dialog box that appears before the user
name and password are sent to the Secure Login Server.
Default: false
UserWarningMSIE Turn on/off a warning dialog box that appears after a new
certificate has been propagated to Microsoft Crypto Store.
NOTE: Microsoft Internet Explorer must be restarted.
Default: false
3. Enter the profile parameters and click Save. This will return you to the Profiles page
(see section 6.3.3.2 „Client Profile Management‟ on page 187).
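The profile table above documents a 512-bit default key size and SSL host name checks that are all off by default. The following audit script is an added example, not part of the SECUDE product: it models a profile as a plain dict keyed by the option names from the table and flags settings that weaken the enrolment transport or the generated key. The 2048-bit minimum and the HTTPS requirement are this example's own thresholds, not requirements stated in the manual.

```python
"""Audit a Secure Login client profile for weak transport and key settings.

Added example, not part of the SECUDE product: the profile is modelled as a
plain dict keyed by the option names from the profile table, and the
thresholds used here (2048-bit RSA, HTTPS enrolment URLs) are this example's
own assumptions, not requirements stated in the manual.
"""
from urllib.parse import urlsplit

# Defaults as documented in the profile table (constructed from the table).
DEFAULTS = {
    "KeySize": 512,
    "SSLHostCommonNameCheck": False,
    "SSLHostAlternativeNameCheck": False,
    "SSLHostExtensionCheck": False,
}

MIN_RSA_BITS = 2048  # assumption: this example's minimum, not the manual's


def audit_profile(profile):
    """Return a list of (option, finding) tuples for settings that weaken a
    profile.  Options missing from the dict take the documented defaults."""
    p = {**DEFAULTS, **profile}
    findings = []

    # The documented default of 512 bits is far below current practice.
    if int(p["KeySize"]) < MIN_RSA_BITS:
        findings.append(("KeySize",
                         f"{p['KeySize']}-bit RSA key is below {MIN_RSA_BITS} bits"))

    # Enrolment URLs carry the user name and password to the Server.
    uses_https = False
    for name in ("EnrollURL0", "EnrollURL1"):
        url = p.get(name)
        if not url:
            if name == "EnrollURL0":          # marked mandatory in the table
                findings.append((name, "mandatory enrolment URL is missing"))
            continue
        if urlsplit(url).scheme.lower() == "https":
            uses_https = True
        else:
            findings.append((name, "enrolment URL is not https; credentials are sent in clear text"))

    # With HTTPS the Server certificate is only bound to the host if at least
    # one host name check is on, and only to a server role if the EKU is checked.
    if uses_https:
        if not (p["SSLHostCommonNameCheck"] or p["SSLHostAlternativeNameCheck"]):
            findings.append(("SSLHostCommonNameCheck/SSLHostAlternativeNameCheck",
                             "no host name check enabled for the SSL Server certificate"))
        if not p["SSLHostExtensionCheck"]:
            findings.append(("SSLHostExtensionCheck",
                             "ServerAuthentication extended key usage is not verified"))
    return findings


# Constructed sample profiles: the documented defaults with an http URL, and a
# hardened variant.
DEFAULT_PROFILE = {
    "EnrollURL0": "http://myServer.local/securelogin/PseServer?id=0001",
}
HARDENED_PROFILE = {
    "EnrollURL0": "https://myServer.local/securelogin/PseServer?id=0001",
    "EnrollURL1": "https://myServer.local/securelogin/PseServer?id=0002",
    "KeySize": 2048,
    "SSLHostCommonNameCheck": True,
    "SSLHostAlternativeNameCheck": True,
    "SSLHostExtensionCheck": True,
}

if __name__ == "__main__":
    for label, prof in (("default", DEFAULT_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_profile(prof) or "no findings")
```

Running the script prints two findings for the documented defaults (key size and the plain-http enrolment URL) and none for the hardened profile; the same function can be fed the values exported in ClientPolicy.xml once they are read into a dict.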
6.3.3.3 Files Download
This section details how to download the relevant Client policy files for the Secure Login
Client. Use the files generated via this option (instead of the files generated via the Global
Client Policy option - section 6.3.3.4 on page 191), if you want to export the Client policy
files for the current (active) instance only.
1. If you have not already done so, click the Client configuration node from the tree in
the left-hand pane.
2. Click Files download.
3. The following page will appear:
Figure 6-69 Files download page
The following options are available (options marked with * are mandatory):
Option Details/Value
Client Policy Click to open the Client Policy Management page (the default
page). For further information see section 6.3.3 „Client
Configuration‟ on page 183.
Applications Click to open the Applications Management page. For further
information see section 6.3.3.1 „Application Management‟ on page 184.
Profiles Opens the Profiles management page. For further information see
section 6.3.3.2 „Client Profile Management‟ on page 187.
Files download Opens the Files Download page (this page).
Global Client Policy Opens the Global Client Policy page. For further information see
section 6.3.3.4 „Global Client Policy‟ on page 191.
Download Download the selected policy file(s).
This dialog allows you to download the following files:
The ClientPolicy.xml file and customer.zip (which contains the root
certificate and simple registry file). This is used for dynamic Client policy retrieval
(via a policy Server).
The customerAll.reg registry file. This is a static Client policy written as
registry values to the Windows registry.
4. To download, check the appropriate policy file and click download.
5. A download dialog will open. Click the download link at the bottom of the page,
browse for a download location, and save the file.
6. Close the download dialog.
6.3.3.4 Global Client Policy
This section details how to download the relevant Client policy files (including instances)
for the Secure Login Client. Use the files generated via this option (instead of the files
generated via the Files Download option - section 6.3.3.3 on page 190), if you want to
include the complete Secure Login Server configuration – including all instances - in the
Client policy files for the Secure Login Client.
1. If you have not already done so, click the Client configuration node from the tree in
the left-hand pane.
2. Click Global Client Policy.
3. The following page will appear:
Figure 6-70 Global Client policy page
The following options are available (options marked with * are mandatory):
Option Details/Value
Client Policy Click to open the Client Policy Management page (the default page). For
further information see section 6.3.3 „Client Configuration‟ on page 183.
Applications Click to open the Applications Management page. For further information
see section 6.3.3.1 „Application Management‟ on page 184.
Profiles Opens the Profiles management page. For further information see
section 6.3.3.2 „Client Profile Management‟ on page 187.
Files download Opens the Files Download page. For further information see section
6.3.3.3 „Files Download‟ on page 190.
Global Client Policy Opens the Global Client Policy page (this page).
Generate Generate Client policy files for the whole configuration.
4. Click Generate to generate (or re-generate) the global Client policy files. If the
information in each of the Client policy instance files can be merged then a list of
files will appear below the Generate button:
The following files can be downloaded:
The GlobalClientPolicy.xml and GlobalCustomer.reg files are used for
dynamic Client policy retrieval (via a policy Server).
The GlobalCustomerAll.reg registry file is a static Client policy written as
registry values to the Windows registry.
To download, just click the appropriate file(s) to browse for a download location, and
save the file.
If the information in each of the Client policy instance files cannot be merged then a
message will appear stating which parameters are conflicting. Locate and change the
specific parameters via the Client Policy, Applications, and Profiles options.
5. Close the download dialog.
6.3.4 Instance Log Management
This section details the Server/instance logging functionality of the Administration
Console. The log entries apply only to Server actions.
1. If you have not already done so, click the Instance log management node from the
tree in the left-hand pane.
2. By default the Monthly log page will appear:
Figure 6-71 Instance log management - main page/monthly log page
This page displays all of the tasks performed via the Administration Console since
logging began as well as the Secure Login Server log. This page allows you to:
Select a period of time to view via the Log Month or Log Day combo-box.
Change log settings.
Export log files to a *.csv file.
This page displays the following options:
Option Details
Monthly log View the monthly log (as in the figure above). For information about
the log entries refer to the table below.
Daily log Select this if the logging list is too long to view or if you just wish to
view the logging data from a specific day in the current month. For
further information see section 6.3.4.1 „Daily Log‟ on page 193.
Log analysis Provides graphical visualization of authentication operations.
Log settings Change the logging settings. For further information see section
6.3.4.2 „Log Settings‟ on page 195.
Archived Log This option allows you to view archived log files. For further
information see section 6.3.4.3 „Archived Log‟ on page 196.
Log month View the log entries from a specific month via the combo-box.
Export logs Click to export the current page of log entries to a file (*.csv).
NOTE: This entry is only visible if log entries are present.
By default, the page will display the log entries from the current month in a table. The
monthly table contains the following information about the administration tasks:
Table column Details
Date The date the task was performed.
Time The time the task was performed.
Code The internal code of the task performed.
Level An abbreviated description of the message, i.e. INF for information,
or ERR for error.
Description A description of the message/task.
6.3.4.1 Daily Log
This section details how to view and export the daily log file entries from the Daily log
page of the Administration Console.
1. If you have not already done so, click the Instance log management node from the
tree in the left-hand pane.
2. The following information will appear:
Figure 6-72 Instance log management - daily log page
This page displays the log entries from the current day (going back a total of one
week) in a table. This page allows you to:
Select a day to view via the Log date combo-box.
Change log settings.
Export log files to a *.csv file.
The following options are available:
Option Details
Monthly Log View the monthly log. For further information see section 6.3.4
„Instance Log Management‟ on page 192.
Daily Log View the daily log (as in the figure above). For information about the
log entries refer to the table on the next page.
Log settings Change the logging settings. For further information see section
6.3.4.2 „Log Settings‟ on page 195.
Archived Log This option allows you to view archived log files. For further
information see section 6.3.4.3 „Archived Log‟ on page 196.
Log date View the log entries from a specific day via the combo-box.
Export logs Click to export the current page of log entries to a file (*.csv).
NOTE: This entry is only visible if log entries are present.
By default, the page will display the log entries from the current day in a table.
The table contains the following information about the administration tasks:
Table column Details
Time The time the administrative task occurred.
Client The Client computer from which the administrative task was initiated.
DNS/IP The DNS and IP of the Client computer from which the administrative
task was initiated.
View As NOTE: This field only appears if multiple sets of DNS/IP are configured
on the admin computer – the IP values of one set are displayed.
User The name of the user that initiated the administrative task.
Action The administrative task performed by the user.
6.3.4.2 Log Settings
This section details the log file settings for the Instance log management page of the
Administration Console.
1. If you have not already done so, click the Instance log management node from the
tree in the left-hand pane.
2. The following information will appear:
Figure 6-73 Instance log management – log settings
This page allows you to change the logging parameters via the following options
(options marked with * are mandatory):
Option Details
Maximum log file size* The maximum size for the log file directory (all log
files) in gigabytes.
Maximum individual file size* The maximum size a log file may be before
archiving.
Daily log file cleanup interval* The interval, in days, after which the next log
cleanup starts.
Monthly log cleanup interval* The interval, in months, after which the next log
cleanup starts.
Daily log prefix* (non-editable) The file prefix for daily logs.
Directory for storing daily logs* (non-editable) The directory for daily log storage.
Monthly log prefix* (non-editable) The file prefix for monthly logs.
Directory for storing monthly logs* (non-editable) The directory to which the monthly
log files are saved.
Certificate and request archiving directory (also known as ArchivingDir in the
configuration.properties file) The directory for storing all Client and Server
communication data (certificate and certificate requests).
NOTE: Make sure that you enter a valid path! If the path is invalid the error
Internal Server Error may occur when the Secure Login Client tries to logon.
3. Enter the parameters for each option and click Save. You will be returned to the
Instance log management main page.
6.3.4.3 Archived Log
This section details the Archive log file page of the Administration Console.
1. If you have not already done so, click the Instance Log Management node from the
tree in the left-hand pane.
2. Click Archived log. The following information will appear:
Figure 6-74 Instance log management - archived log files
The following options are available:
Option Details
Archived file name The name under which the Server has saved the log file(s).
Selected A radio button to indicate which file should be downloaded.
3. You now have the following options:
To download a log file archive, select an archive from the Selected column and
click Download. You will be prompted to choose a location. The log files are in ZIP
format.
To delete a log file archive, select an archive from the Selected column and click
Delete.
6.3.5 Instance Check
This section details the Instance Check page of the Administration Console.
1. If you have not already done so, click the Instance Check node from the tree in the
left-hand pane.
2. The following page will appear:
Figure 6-75 Instance Check page
This page displays the status of the Secure Login components Client policy, and PKI
structure.
For information about how to fix problems with system components either refer to
chapter 7 „Troubleshooting‟, on page 211 or contact SECUDE support.
6.3.6 Instance Status
This section details the Instance Status page of the Administration Console.
1. If you have not already done so, click the Instance Check node from the tree in the
left-hand pane.
2. The following page will appear:
Figure 6-76 Instance Check page
The Instance status is displayed as a table containing the following details:
Criteria Details
Date Current date and time.
Version Version of SECUDE Secure Login Server being used.
Uptime The amount of time the Server has remained active and
running.
Instance ID The identity of the current Server instance.
Configuration URL Location of the configuration.properties file.
Configuration status configuration.properties file permission status (i.e.
readable or not readable).
Server locked Is the Server instance locked?
PSE Server status Alive = working.
Server build SECUDE Secure Login Server version.
6.4 Console Users
This section details the Console Users page of the Administration Console. Use this node
to view when an administrator logged-in to, or logged-out of, the Administration Console.
1. If you have not already done so, click the Console Users node from the tree in the
left-hand pane.
2. The following page will appear:
Figure 6-77 Console Users page
This page displays the current login/logoff status for each administrator in
chronological order with the latest entry at the top of the table. No further actions can
be performed on this page.
Related Information
For detailed information about any action performed by an administrator refer to:
the Console Log Viewer node (see section 6.1.15 on page 165)
the Instance Log Management node (see section 6.3.4 on page 192)
the Locked Files Management node (see section 6.4.3 on page 205)
6.4.1 User Management
This section details the User Management node of the Administration Console.
This node displays a list of the users/administrators registered to the Administration
Console and allows you to add a new user, edit/delete a current user, and assign a role
to a user (for further information about roles refer to the next section).
1. If you have not already done so, click the User Management node from the tree in the
left-hand pane.
2. The User management page will appear:
Figure 6-78 Administration Console - user management page
The current list of roles in the database will appear in a table. The following options
are available:
Option Details
Add Add a new user/administrator to the Administration Console user database.
Edit Edit any entry preselected from the list. This will open the Create User page.
Delete Delete any entry preselected from the list.
Assign
Role
Assign a role to any preselected user in the list. For further information refer
to the next page.
It is only possible to delete users that have been added/configured by you. The user ‘Admin’
is a permanent user that has the role ‘super-user’ and cannot be deleted (only the password
changed) or altered in any way.
As a consequence, the ‘admin’ user can log onto the system regardless of state (i.e. when a
serious system error occurs), guaranteeing that there is at least one user that can always
access Secure Login to correct or configure the system.
Add/Edit a User
1. Click either Add or Edit to open the following page:
Figure 6-79 User management – add/edit a user
The following options are available (options marked with * are mandatory):
Option Details
ID* The unique identifier for the user inside of the Administration
Console.
Name* The username to be used for login.
NOTE: If you want to use either External login or SSL Certificate
Login make sure that this entry is consistent with the
respective certificate/database.
Change Password This option is only visible when editing a user entry in the list!
Check this option to change the password.
Password* The password to be used for local login.
NOTE: The password must be at least 8 characters in length
and contain a mix of uppercase/lowercase letters, special
characters and numbers.
Confirm Password* Confirm the password to be used for local login.
External login Use JAAS module-based login. This feature uses user
information stored in an Authentication Server database for
identification. Clicking this option will display the extra option
External Login ID.
NOTE: an Authentication Server must be pre-configured for this
feature to work correctly.
External Login ID The unique identifier (password) for JAAS module-based
authentication.
NOTE: This option is only visible when the option External login
is checked!
SSL Certificate Login Use certificate-based authentication. Clicking this option will
display the extra option Certificate Login ID.
Certificate Login ID The unique identifier (password) for certificate-based login.
This entry must be the same as the subject_alt_name
used during login certificate creation.
NOTE: This option is only visible when the option SSL
Certificate Login is checked!
For further information about login certificates refer to section
3.3.3.1 on page 37.
Disabled If checked, the user cannot log on to the console.
NOTE: This option is not available for the default user (Admin).
If the options External login and SSL Certificate Login are both left unchecked, the default
method – local login – is used.
2. Enter information for each of the options and click Save.
Assign a Role
to a User
1. Select the user from the user list to which the role is to be assigned.
2. Click Assign Role to open the following page:
Figure 6-80 User management – assign role to a user
Select one or more roles from the left-hand pane (All Roles) and click >>Add to
transfer that role to the user (My Roles).
3. Click Save.
Delete a Role
from a User
1. Select the user from the user list from which the role is to be removed.
2. Click Assign Role to open the following page:
Figure 6-81 User management – assign role to a user
Select the role(s) from the right-hand pane (My Roles) and click >>Delete to remove
the role from the user.
3. Click Save.
6.4.2 Role Management
This section details the Role Management node of the Administration Console. Use this
node to configure the permissions for each administrator role.
1. If you have not already done so, click the Role Management node from the tree in the
left-hand pane.
2. The Role Management page will appear:
Figure 6-82 Role management - main page
This page displays a list of roles available in the Administration Console, as well as
allowing you to configure the roles.
The following options are available:
Option Details
Add Add a new role to the Administration Console.
Copy Copy any entry preselected in the list. This will open the Create Role page.
For further details refer to the next page.
Edit Edit any entry preselected from the list. This will open the Create Role page.
For further details refer to the next page.
Delete Delete any entry preselected from the list.
It is only possible to edit and delete roles that have been added or copied. The default roles
(Super User, CA Administrator, User Administrator, Auditor, Operator) cannot be altered or
deleted.
Add/Edit a Role
1. Either click Add to make a completely new role, or select the role on which you
want to base a similar role, and click Copy.
2. The Create Role page will appear:
Figure 6-83 Role management – add/copy a role
The following options are available (options marked with * are mandatory)
Option Details
ID* The unique identifier for the role.
Name* The name used to describe the role.
Permission List
sssPermission Perform signon&secure-related operations. If left unchecked, the
SSS&JCO Installation node will not appear in the navigation tree.
logROPermission Permission to view the log file. If left unchecked, the Console Log
Viewer and Instance Log Management nodes will not appear in the
navigation tree (unless the option logRWPermission is checked).
logRWPermission Permission to change the logging configuration and export log files. If
left unchecked, the Console Log Viewer and Instance Log
Management nodes will not appear in the navigation tree (unless the
option logROPermission is checked).
statusPermission Permission to view the status of the Server as well as each instance
in the configuration. If left unchecked, the Server Status and
Instance Status nodes will not appear in the navigation tree (unless
the option statusUnlockPermission is checked).
statusUnlockPermission Permissions to unlock a locked Server or instance.
localizationPermission Permission to perform GUI language-related operations. If left
unchecked, the Change Language node will not appear in the
navigation tree.
lockFilePermission Permissions to unlock locked files. If left unchecked, the Locked
Files Management node will not appear in the navigation tree.
WebClientPermission Permission to configure the Web-Clients. If left unchecked, the Web
Client Configuration node will not appear in the navigation tree.
confRWPermission Permission to edit the Server configuration or instance configuration.
If left unchecked, the Server Configuration and DefaultServer
Configuration nodes will not appear in the navigation tree (unless the
option confROPermission is checked).
confROPermission Permission only to view the Server configuration or instance
configuration. If left unchecked, the Server Configuration and
DefaultServer Configuration nodes will not appear in the navigation
tree (unless the option confRWPermission is checked).
multiRWPermission Permission to add, edit, and delete instances. If left unchecked, the
Instance Management node will not appear in the navigation tree
(unless the option multiViewPermission is checked).
sysAnalyzePermission Permission to check the system for missing or faulty components. If
left unchecked, the System Check and Instance Check nodes will not
appear in the navigation tree.
backRestorePermission Permission to perform backup and restore operations. If left
unchecked, the Backup/Restore node will not appear in the
navigation tree.
userPermission Permission to perform user-related operations, such as creating a
new user. If left unchecked, the User Management node will not
appear in the navigation tree.
rolePermission Permission to perform role-related operations, such as creating a
new role. If left unchecked, the Role Management node will not
appear in the navigation tree.
multiViewPermission Permission only to view instance details. If left unchecked, the
Instance Management node will not appear in the navigation tree
(unless the option multiRWPermission is checked).
caPermission Permission to perform certificate authority-related tasks. If left
unchecked, the Certificate Template, Sign Certificate Requests, and
Certificate Management nodes will not appear in the navigation tree.
authPermission Permission to perform authentication and Truststore operations. If
left unchecked, the Authentication Management and Truststore
Management nodes will not appear in the navigation tree.
ClientPermission Permission to perform Client policy operations. If left unchecked, the
Client Configuration node will not appear in the navigation tree.
3. Enter a unique identifier for the role into the field ID and enter a description of the
role into field Name.
4. Check each of the options appropriate for the intended role and click Save.
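Because several nodes are shown when either of two flags is set (logRO/logRW, confRO/confRW, multiView/multiRW, status/statusUnlock), it is easy to grant a copied role more of the navigation tree than intended. The script below is an added example, not part of the SECUDE product: NODE_RULES is this example's own encoding of the permission table above, and the read/write split in WRITE_PERMISSIONS is this example's classification rather than one the manual makes. It answers two review questions before a role is saved: which nodes the role will see, and which of its flags allow changes.

```python
"""Work out which Administration Console nodes a role exposes from its
permission flags, following the "if left unchecked ... unless" rules of the
permission table.

Added example, not part of the SECUDE product: NODE_RULES is this example's
own encoding of that table, and WRITE_PERMISSIONS is this example's own
read/write classification.
"""

# node -> set of permissions, any one of which makes the node visible
NODE_RULES = {
    "SSS&JCO Installation": {"sssPermission"},
    "Console Log Viewer": {"logROPermission", "logRWPermission"},
    "Instance Log Management": {"logROPermission", "logRWPermission"},
    "Server Status": {"statusPermission", "statusUnlockPermission"},
    "Instance Status": {"statusPermission", "statusUnlockPermission"},
    "Change Language": {"localizationPermission"},
    "Locked Files Management": {"lockFilePermission"},
    "Web Client Configuration": {"WebClientPermission"},
    "Server Configuration": {"confRWPermission", "confROPermission"},
    "DefaultServer Configuration": {"confRWPermission", "confROPermission"},
    "Instance Management": {"multiRWPermission", "multiViewPermission"},
    "System Check": {"sysAnalyzePermission"},
    "Instance Check": {"sysAnalyzePermission"},
    "Backup/Restore": {"backRestorePermission"},
    "User Management": {"userPermission"},
    "Role Management": {"rolePermission"},
    "Certificate Template": {"caPermission"},
    "Sign Certificate Requests": {"caPermission"},
    "Certificate Management": {"caPermission"},
    "Authentication Management": {"authPermission"},
    "Truststore Management": {"authPermission"},
    "Client Configuration": {"ClientPermission"},
}

ALL_PERMISSIONS = set().union(*NODE_RULES.values())

# Permissions that let a role change something (this example's classification).
WRITE_PERMISSIONS = {
    "sssPermission", "logRWPermission", "statusUnlockPermission",
    "lockFilePermission", "WebClientPermission", "confRWPermission",
    "multiRWPermission", "backRestorePermission", "userPermission",
    "rolePermission", "caPermission", "authPermission", "ClientPermission",
}


def visible_nodes(permissions):
    """Return the sorted list of navigation-tree nodes the role can see."""
    perms = set(permissions)
    unknown = perms - ALL_PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")
    return sorted(node for node, needed in NODE_RULES.items() if perms & needed)


def write_capabilities(permissions):
    """Return the subset of the role's flags that allow changes; a purely
    auditing role is expected to return an empty list here."""
    return sorted(set(permissions) & WRITE_PERMISSIONS)


def extra_nodes(role_permissions, baseline_permissions):
    """Nodes the role sees that the baseline does not: a review aid when a
    role is created with Copy and then extended."""
    return sorted(set(visible_nodes(role_permissions))
                  - set(visible_nodes(baseline_permissions)))


# Constructed sample roles (not the product's built-in roles).
LOG_READER = {"logROPermission", "statusPermission"}
LOG_ADMIN = LOG_READER | {"logRWPermission", "lockFilePermission"}

if __name__ == "__main__":
    print("log reader sees:", visible_nodes(LOG_READER))
    print("log admin adds:", extra_nodes(LOG_ADMIN, LOG_READER))
    print("log admin can change via:", write_capabilities(LOG_ADMIN))
```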
6.4.3 Locked Files Management
This section details how to check if any Secure Login-specific system files have been
locked and, if necessary, unlock them (providing the necessary rights have been granted
to the administrator role – see section 6.4.2 on page 202).
Files are locked in the following scenarios:
When multiple administrators try to configure Secure Login at the same time. When this
happens one administrator will receive a message informing them to contact the specific
administrator to unlock the file. This message may appear under several nodes.
When a user closes the Internet browser window without clicking Logout first.
1. If you have not already done so, click the Locked Files Management node from the
tree in the left-hand pane.
2. The Locked Files Management page will appear:
Figure 6-84 Instance log management - main page/monthly log page
This page displays any files that have been locked. The following files may appear in
the list:
Web.xml
Configuration.properties
Clientpolicy.xml
Cert_template.xml
Keystore.xml
Role.xml
User.xml
Serverlist.xml
SLSJaasModule.login
3. Select the file(s) that you want to unlock and click Release.
6.5 Other Administration Features
This section details Secure Login features to assist an administrator – without the need to
use the Administration Console.
The most useful function for an administrator is the ability to view the Server or Server
instance status quickly. To this end, Secure Login can be queried via HTTP
POST (see next section) or HTTP GET (via a browser). The HTTP POST method returns
an XML-formatted reply; HTTP GET can return both HTML and XML formats. The status
information returned via both methods is the same.
Contents
Section 6.5.1 „Status Query via an Internet Browser‟ on page 206
Section 6.5.2 „Secure Login Web Service Status Query‟ on page 209
Section 6.5.3 „XML Interface‟ on page 209
6.5.1 Status Query via an Internet Browser
This section details how to quickly retrieve the Server status via an Internet browser.
Parameters
The following parameters can be applied to obtain the Server status, or can be mixed to
retrieve the status of a specific Server/Server instance:
op = add an option
Possible values:
status = retrieve the status of the default Server instance
Serverstatus = retrieve the status of the Server (all other parameters will be
ignored)
id = add a Server ID
Possible values:
<InstanceIDs> = retrieve the status of a specific Server instance (use in
combination with status)
xml = retrieve status information in XML format
Possible values:
on (only for HTTP GET)
Example 1: Retrieve the Status of the Default Server Instance
Use the following example to quickly retrieve the status of the default Server instance:
http://<application Server Web-apps directory>/securelogin/PseServer?op=status
For example:
http://localhost:8080/securelogin/PseServer?op=status
Example 2: Retrieve the Status of a Specific Server Instance
Use the following example to quickly retrieve the status of a specific Server instance:
http://<application Server Web-apps directory>/securelogin/PseServer?op=status&id=0001
For example:
http://localhost:8080/securelogin/PseServer?op=status&id=0001
Example 3: Retrieve the Status of the Server
Use the following example to quickly retrieve the status of the Server:
http://<application Server Web-apps directory>/securelogin/PseServer?op=Serverstatus
For example:
http://localhost:8080/securelogin/PseServer?op=Serverstatus
Example 4: Retrieve Status Information
Use the following example to retrieve status information:
http://<application Server Web-apps directory>/securelogin/PseServer?<options>&<ServerID>
For example, to retrieve the status of a specific Server instance:
http://localhost:8080/securelogin/PseServer?op=status&id=0001
Example Reply
Figure 6-85 Direct Server query – Server instance query
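The four examples above differ only in which of the op, id and xml parameters are present. The helper below is an added example, not part of the SECUDE product: it builds the PseServer query URL from those parameters and rejects values the parameter list does not allow, so a monitoring script cannot silently send a malformed query. The base URL is a constructed placeholder, the four-digit instance id format is assumed from the manual's examples (0001), and fetch_status() is this example's own wrapper.

```python
"""Build Secure Login status-query URLs (HTTP GET) from the op, id and xml
parameters, validating them before use.

Added example, not part of the SECUDE product: the base URL is a constructed
placeholder, the four-digit instance id format is assumed from the manual's
examples, and fetch_status() is this example's own helper.
"""
import re
import urllib.request
from urllib.parse import urlencode, urlsplit, urlunsplit

VALID_OPS = ("status", "Serverstatus")
INSTANCE_ID_RE = re.compile(r"^[0-9]{4}$")   # assumption: ids look like 0001


def build_status_url(base, op="status", instance_id=None, xml=False):
    """Return the PseServer query URL.  With op='Serverstatus' the id is
    dropped, since the manual says all other parameters are ignored."""
    if op not in VALID_OPS:
        raise ValueError(f"op must be one of {VALID_OPS}")
    scheme, netloc, path, _, _ = urlsplit(base)
    if scheme not in ("http", "https") or not netloc:
        raise ValueError("base must be an absolute http(s) URL")
    params = [("op", op)]
    if op == "status" and instance_id is not None:
        if not INSTANCE_ID_RE.match(instance_id):
            raise ValueError("instance id must be four digits, e.g. 0001")
        params.append(("id", instance_id))
    if xml:
        params.append(("xml", "on"))      # XML output is a GET-only option
    path = path.rstrip("/") + "/securelogin/PseServer"
    return urlunsplit((scheme, netloc, path, urlencode(params), ""))


def fetch_status(base, timeout=45, **kwargs):
    """GET the status page and return the body as text (network call, not
    exercised offline).  The 45 s default mirrors the client network
    timeout documented in the profile table."""
    url = build_status_url(base, **kwargs)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset)


if __name__ == "__main__":
    # Constructed base URL; matches the manual's localhost example.
    for kw in ({}, {"instance_id": "0001"}, {"op": "Serverstatus"},
               {"instance_id": "0001", "xml": True}):
        print(build_status_url("http://localhost:8080", **kw))
```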
6.5.2 Secure Login Web Service Status Query
Introduction
This section details, in brief, how to query the Secure Login Web Service for status and
available operations. This section applies only to Servers to which Secure Login - with the
Web service - have been deployed. For further information refer to chapter 5 on page 109.
The Web Service query will vary according to application Server:
On Tomcat, the Secure Login Web Service is deployed to Apache Axis2 Web-service provider
and therefore it is Apache Axis2 that will be queried.
On NetWeaver, the Secure Login Web Service can be queried directly.
Before proceeding Make sure that you have deployed the Secure Login Web Client
application to either Tomcat or NetWeaver and the application Server has been started.
Web Service Query using Tomcat
To view the Web service status enter the following URL in your Internet browser:
To view the Axis2 main page:
http://<host:port>/axis2/axis2-Web/index.jsp
This page enables you to view any services deployed to Axis2 as well as to perform
any administration tasks and system checks.
To view the status of all running Web services:
http://<host:port>/axis2/services/listServices
To view the Web service directly:
http://<host:port>/axis2/services/secureloginservice?wsdl
Here is an example of the Axis2 Available services page:
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
208
Figure 6-86 Web Service – Axis2 available services
Click the secureloginservice link to view the status of the service in XML format.
Web Service
Query using
NetWeaver
Enter the following URL in your Internet browser to view the Web service status:
http://<host:port>/SecureLoginService/Config1?style=document
Apache Axis2 also has an administration front-end. It is available via the URL:
http://localhost:8080/axis2/axis2-admin/
This allows the upload (and hence the change) of Web Service Archives and the
activation/deactivation of deployed services.
The front-end is shipped with a default account: user=admin, password=axis2. This of
course, presents a security issue and therefore it is recommended that the Secure Login
administrator change the password of the AXIS2 admin front-end. This can be accomplished
as follows:
Open the axis2.xml file in the Server directory Webapps\axis2\WEB-INF\conf\
Locate the follow lines:
<parameter name="userName">admin</parameter>
<parameter name="password">axis2</parameter>
Change the entries marked in red above accordingly.
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
209
6.5.3 XML Interface
Introduction
In addition to the Administration Console, SECUDE Secure Login Server provides an XML
interface to automate monitoring using your own or a third-party program, e.g. to
incorporate monitoring into administrative tools.
SECUDE Secure Login Server has to be called with a specific request in XML format. The
Secure Login Server then returns an XML reply with the status information.
Contents
Section 6.5.3.1 „Status Request‟, on page 209
Section 6.5.3.2 „Status Reply‟, on page 209
6.5.3.1 Status Request
Request
Format
<TransFairGram>
<Control>
<Version>Pepperbox 2.0.0</Version>
<ActionRequest>
STATUS_REQUEST_ACTION
</ActionRequest>
</Control>
</TransFairGram>
Use HTTP
POST to get
a Status
Request
To post a status request send the XML request to the address:
http://<Servlet URL>/securelogin/PseServer
Example
http://localhost:8080/securelogin/PseServer
6.5.3.2 Status Reply
Reply Format
<TransFairGram>
<Control>
<ActionRequest>STATUS_ACTION</ActionRequest>
<Version>Pepperbox 2.0.0</Version>
<ServerBuild>$Name: SLS_5-1-1-0 $</ServerBuild>
</Control>
<Content>
<Data>
<Status>
<ConfigURL>
file:C:/Program Files/Apache Software Foundation/
Tomcat 6.0/Webapps/securelogin/WEB-INF/Instances/
Configuration.properties
</ConfigURL>
<ConfigurationStatus>OK</ConfigurationStatus>
<Date>Mon Jan 28 12:02:54 CET 2010</Date>
<ID>Instance 00020</ID>
<LockFile/>
<LockStatus>false</LockStatus>
<PseServerStatus>OK</PseServerStatus>
<ServerBuild>SLS_5-1-1-0</ServerBuild>
</Status>
<Message>
The current Server status is enclosed with this
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
210
transfairgram (only for diagnostic purpose)
</Message>
<MessageCode>0701</MessageCode>
</Data>
<DataType>application/xml</DataType>
</Content>
</TransFairGram>
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
211
7 Troubleshooting
Introduction
This chapter describes the SECUDE Secure Login Server features for logging and error
recovery.
Sections in
this Chapter
Section 7.1 „How to use Unlimited Key Length Policies‟, on page 212
Section 7.2 „Log Files‟ on page 213
Section 7.3 „Turning Tracing On/Off‟, on page 215
Section 7.4 „SECUDE Secure Login Server Lock and Unlock‟, on page 216
Section 7.5 „Setting the Correct Environment Variables for SAP ID-Based Logon‟ on page
217
Section 7.6 „Problems with the Client URL‟ on page 218
Section 7.7 „Implement an SSL.PSE-Based TrustStore for HTTPS‟ on page 218
Section 7.8 „Access Denied‟ Replies‟ on page 219
Section 7.9 „Why the Secure Login Instance/Server is Locked‟ on page 219
Section 7.10 „Password Expiry Warnings on Sun LDAP (1)‟ on page 220
Section 7.11 „Password Expiry Warnings on Sun LDAP (2)‟ on page 220
Section 7.12 „Secure Login Server Cannot Establish an SNC Connection to the SAP
Server‟ on page 221
Section 7.13 „Administration Console Pages Appear „broken‟‟ on page 221
Section 7.14 „Problem Loading the GSS Library (SAP-ID Module)‟ on page 222
Section 7.16 „Users Cannot be Successfully Authenticated to any JAAS Module‟ on page
227
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
212
7.1 How to use Unlimited Key Length Policies
This section details how to solve any problems with key length restrictions for several
algorithms.
Problem
The creation of PKCS#12 files using passwords longer than 7 characters is not possible
in the Administration Console.
Solution
The standard JCE settings restrict the key length for several algorithms. Follow these
steps to disable the restrictions:
1. Browse to the Java lib\security sub-directory (for example: <Java home>\
jdk1.5.0_08\jre\lib\security)
2. Locate the files local_policy.jar and US_export_policy.jar.
3. Make duplicates of both files and give them the file extension *.bak (this means
that you can return to the original files if you need to).
4. Delete local_policy.jar.
5. Duplicate US_export_policy.jar and rename it to local_policy.jar.
To check that both the files US_export_policy.jar and local_policy.jar are
unrestricted, unzip them and open the file default_US_export.policy in a text editor.
If the following text is displayed the check is successful and the policies are unrestricted:
// Manufacturing policy file.
grant {
// There is no restriction to any algorithms.
permission javax.crypto.CryptoAllPermission;
};
If the JCE files local_policy.jar and US_export_policy.jar are not present
in the directory jre\lib\security, download the ‘Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files’ from one of the following locations
(depending on which Java version you use):
http://java.sun.com/javase/downloads/index_jdk5.jsp (for Java 5)
http://java.sun.com/javase/downloads/index.jsp (for Java 6)
(These will work for all JCE versions.)
Extract the contents of the ZIP file to the Java lib\security directory (for example
<Java home>\jre\lib\security). These files already have necessary
permissions.
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
213
7.2 Log Files
Introduction
For the SECUDE Secure Login Server, log files for daily and monthly logging are created.
The location and log file names can be specified using one of these methods:
Manually in the SECUDE Secure Login Server configuration properties (see section 9.2.3
„Configuration‟ on page 248).
Via the Administration Console (see section 6.3.4 „Instance Log Management‟ on page
177).
Contents
Section 7.2.1 „Daily Log File‟, on page 213
Section 7.2.2 „Monthly Log File‟, on page 215
7.2.1 Daily Log File
Introduction
The daily log file has an entry for each transaction. An entry contains the following
information (if available):
Time and date of the transaction
ID of the Client
Instance ID
IP address and DNS entry as sent by the Client
Client IP address and DNS entry as seen by the Server
Name of the user making the request
Action code of the request
Result of the transaction
Result Codes
The following table describes the possible result codes in alphabetical order:
Result Code Details
ACM_ACCESS_DENIED Authentication failed
ACE_INVALID_ARG Invalid PIN
ACM_NEXT_CODE_REQUIRED Next token code required to continue
authentication
ACM_NEW_PIN_ACCEPTED New PIN accepted
ACM_NEW_PIN_REJECTED New PIN not accepted
ACM_NEW_PIN_REQUIRED User needs a new PIN
ACM_OK User could be authenticated
ACE_UNDEFINED_NEXT_PASSCODE Empty or invalid token code
ACE_UNDEFINED_PASSCODE Empty or invalid password
ACE_UNDEFINED_USERNAME Empty or invalid user name
INTERNAL_SERVER_ERROR (plus error
description)
Server error
INVALID_MESSAGE_FORMAT (plus error
description)
Invalid or incomplete Client message
OK Transaction successful
Sample Daily
08/15/2008, 11:47:34 (CEST), Client: unknown, pc-duke.SECUDE.COM/ 10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser1,
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
214
Log File action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 11:47:42 (CEST), Client: unknown, pc-duke.SECUDE.COM/
10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser2, action: AUTH_ACTION, result: ACM_OK, instance: -Default-
08/15/2008, 11:49:17 (CEST), Client: unknown, pc-duke.SECUDE.COM/ 10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser1, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 11:49:29 (CEST), Client: unknown, pc-duke.SECUDE.COM/
10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser7, action: AUTH_ACTION, result: ACM_OK, instance: -Default-
08/15/2008, 11:50:43 (CEST), Client: unknown, pc-duke.SECUDE.COM/ 10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser2, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 11:50:51 (CEST), Client: unknown, pc-duke.SECUDE.COM/
10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser5, action: AUTH_ACTION, result: ACM_OK, instance: -Default-
08/15/2008, 14:30:06 (CEST), Client: unknown, PC-BM2.SECUDE.COM/ 10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser2, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 14:30:14 (CEST), Client: unknown, PC-BM2.SECUDE.COM/
10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser5,
action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: - Default-
08/15/2008, 14:30:18 (CEST), Client: unknown, PC-BM2.SECUDE.COM/ 10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser5, action: AUTH_ACTION, result: ACM_NEW_PIN_REQUIRED, instance: - Default-
08/15/2008, 14:30:32 (CEST), Client: unknown, PC-BM2.SECUDE.COM/
10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser5, action: NEW_PIN_ACTION, result: ACM_NEW_PIN_REJECTED, instance: -Default-
08/15/2008, 14:33:41 (CEST), Client: unknown, PC-BM2.SECUDE.COM/
10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser3, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 14:33:50 (CEST), Client: unknown, PC-BM2.SECUDE.COM/ 10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser2, action: AUTH_ACTION, result: ACM_NEW_PIN_REQUIRED, instance: - Default-
08/15/2008, 14:33:56 (CEST), Client: unknown, PC-BM2.SECUDE.COM/
10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser2, action: NEW_PIN_ACTION, result: ACM_NEW_PIN_ACCEPTED, instance: -Default-
08/15/2008, 14:41:57 (CEST), Client: unknown, PC-BM2.SECUDE.COM/ 10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser1, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 14:42:41 (CEST), Client: unknown, PC-BM2.SECUDE.COM/
10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: - Default-
08/15/2008, 14:42:46 (CEST), Client: unknown, PC-BM2.SECUDE.COM/
10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:42:51 (CEST), Client: unknown, PC-BM2.SECUDE.COM/ 10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: - Default-
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
215
7.2.2 Monthly Log File
Introduction
Monthly log files contain system events and errors. An entry contains the following
information:
Time and date of the event or error
Event or error code (see section 8 „Error and Return Codes‟ on page 231)
Error level
Description of the event or error
Error level
Instance ID
Result Codes
The following table describes the possible error levels in alphabetical order:
Error Level Details
ERR Fatal error
INF Information
WAR Warning
Sample
Monthly
Log File
08/15/2008, 13:15:40 (CEST), PSE_STARTUP, INF, “Standard servlet startup.” -Default-
08/15/2008, 13:16:39 (CEST), INVALID_MESSAGE_FORMAT, ERR, “Received NEW_PIN_ACTION while not in challenge mode.” -Default-
08/15/2008, 14:00:37 (CEST), INVALID_MESSAGE_FORMAT, ERR, “Received NEW_PIN_ACTION while not in challenge mode.” -Default-
08/15/2008, 14:20:24 (CEST), PSE_SHUTDOWN, INF, “Standard servlet shutdown.” -Unknown-
08/15/2008, 14:21:21 (CEST), PSE_STARTUP, INF, “Standard servlet startup.” -Default-
08/15/2008, 14:22:25 (CEST), INVALID_MESSAGE_FORMAT, ERR, “Received NEW_PIN_ACTION while not in challenge mode.” -Default-
08/15/2008, 14:23:05 (CEST), INVALID_MESSAGE_FORMAT, ERR, “Received NEW_PIN_ACTION while not in challenge mode.” -Default-
08/15/2008, 14:56:40 (CEST), PSE_SHUTDOWN, INF, “Standard servlet shutdown.” -Default-
08/15/2008, 16:12:46 (CEST), PSE_STARTUP, INF, “Standard servlet startup.” -Default-
08/15/2008, 16:14:49 (CEST), PSE_STARTUP, INF, “Admin servlet startup.” -Default-
08/15/2008, 16:14:50 (CEST), JAAS_LDAP_ERROR, ERR, “Could not reach the Authentication Servers.” -Default-
08/15/2008, 16:14:51 (CEST), JAAS_LDAP_ERROR, ERR, “Could not reach the Authentication Servers.” -Default-
08/16/2008, 16:14:51 (CEST), JAAS_LDAP_ERROR, ERR, “Could not reach the Authentication Servers .” -Default-
08/16/2008, 16:24:16 (CEST), PSE_SHUTDOWN, INF, “Admin servlet shutdown.” -Default-
08/16/2008, 16:24:16 (CEST), PSE_SHUTDOWN, INF, “Standard servlet shutdown.” -Default-
08/17/2007, 17:47:09 (CEST), PSE_STARTUP, INF, “Standard servlet startup.” -Default-
08/17/2007, 17:47:25 (CEST), CERT_CREATE_ERROR, WAR, “No certificate chain found in key store.” -Default-
08/17/2007, 17:47:25 (CEST), CERT_CREATE_ERROR, WAR, “No root certificate found in key store.” -Default-
08/18/2007, 14:32:36 (CEST), PSE_SHUTDOWN, INF, “Standard servlet shutdown.” -Default-
08/18/2007, 15:14:54 (CEST), PSE_STARTUP, INF, “Standard servlet startup.” -Default-
7.3 Turning Tracing On/Off
Introduction
This section details how enable and disable trace messages.
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
216
The trace options can be changed via the Administration Console (see section 6.1.3
‟Server Configuration‟ on page 124).
Turn Tracing
On
1. In the Server Configuration page of the Administration Console click Edit.
2. Under the option Show trace on the console Select Yes.
3. Click Save.
Turn Tracing
Off
1. In the Server Configuration page of the Administration Console click Edit.
2. Under the option Show trace on the console Select No.
3. Click Save.
SECUDE Secure Login Server can generate a large amount of trace output. For test systems,
it is recommended to enable tracing. For production systems it is recommended to disable
tracing as this might result in unnecessary log files and impede performance.
7.4 SECUDE Secure Login Server Lock and Unlock
Introduction
The SECUDE Secure Login Server locks itself when it detects a serious problem such as
Authentication Server failure that affects all Clients.
Lock Files
SECUDE Secure Login uses the following files to lock the Server/ Server instance:
PseServer.lock
This file is used to lock the complete Server. The Server lock will only be applied if
the Configuration.properties file cannot be read. The LockDir property in
the Web.xml file is used to apply the Server lock.
<Server Instance>.lock
If the Configuration.properties file can be read by Secure Login and a lock
becomes necessary, Secure Login will create an instance-based lock. The directory for
the instance-based lock is specified by the property LockDir in
Configuration.properties, but LockDir in Web.xml will work as a fallback.
The filename of the instance lock file will be based on the following parameters
(example):
LOCK_FILE_PREFIX = "PseInstance";
LOCK_FILE_SUFFIX = ".lock";
Two lock files will be created from these parameters. A „normal‟ lock file that includes
the instance ID and a fallback lock file, for example:
PseInstance001.lock
PseInstanceDefault.lock
What
happens
when the
Server
Locks?
If a SECUDE Secure Login Server lock occurs:
The lock file PseServer.lock / <ServerInstance>.lock is created (also contains
the time of its creation). The location of the lock file can be configured in the Web.xml
file via the LockDir parameter.
The SECUDE Secure Login Server responds to SECUDE Secure Login Client requests with
the HTTP status code 404. This indicates that the Server is not available.
The Client fails over to the next Server/instance in the Server list.
The Administration Console Status page contains an entry that indicates that the Server
is locked (see section 7.9 on page 219).
Unlock the
Server
Use the unlock functionality of the Administration Console (see section 6.1 on page 119).
It is not necessary to shutdown the Server to perform this task.
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
217
7.5 Setting the Correct Environment Variables for SAP ID-Based Logon
Introduction
The information in this section applies to SAP ID-based logon only. The variables USER,
HOME or CREDDIR have no relevance - in terms of environment variables - for SECUDE
Secure Login Server 5.0.
Furthermore, NetWeaver Application Server Java (regardless of platform) is precluded
because the environment variables described below are exclusively for SAP JCO. In any
case, with NetWeaver the JCO libraries are already available system-wide (i.e. for Windows
this means that the JCO libraries sapjcorfc.dll and librfc32.dll are located in
the directory windows\system32).
If JCO has been manually set as a system-wide variable (not via the Secure Login
Administration Console), this will also bypass all Secure Login components. The
environment variables are no longer needed (i.e. there will then be no need to perform the
steps in this section).
Variables
For SECUDE signon&secure to make a successful SNC connection for SAP ID-based
authentication, the correct credentials/variables are needed. According to platform these
are:
Linux+Solaris: LD_LIBRARY_PATH
Windows: PATH
Both of these should point to the SSS (Signon&Secure) directory within the Secure Login
Web application. They should be set either system-wide or in the start script of the
Application Server/Container Engine.
Follow these steps to set the correct environment variables for SECUDE Signon&Secure
(according to platform):
Linux/Solaris
4. Enter the following syntax in a command shell to set the parameter for the variable
LD_LIBRARY_PATH:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/lib/tomcat5/ Webapps/securelogin/WEB-INF/SSS
5. To check if it was successful, open the Administration Console and navigate to the
node Server Configuration>System Check. Under the SAP ID Check header the
SECUDE SNC runtime entry should read as OK.
Windows
Using Tomcat 5.x as an example, enter the following syntax in a command shell to set the
parameter for the variable PATH:
set PATH=%PATH%;<Tomcat home>\Webapps\securelogin\WEB-INF\SSS
As an alternative you can use the following method to set the variable:
1. Open Control Panel>System.
2. Click the Advanced tab.
3. Click Environment Variables.
4. Under the System Variables heading click New.
5. Enter PATH into the Variable Name field and <application Server Web-app
directory>\securelogin\WEB-INF\SSS in the field Variable Value.
For example: <Tomcat home>\Webapps\securelogin\WEB-INF\SSS
6. Click OK.
7. If the application Server is running, restart it.
8. To check if it was successful, open the Administration Console and navigate to the
node Server Configuration>System Check. Under the SAP ID Check header the
SECUDE SNC runtime entry should read as OK.
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
218
7.6 Problems with the Client URL
Problem
The URL entered by the Client returns the error Internal Server Error. This is a
necessary error message to indicate an invalid Server instance (in a multiple instance
environment) or other Server problems.
Solution
The first thing to check is that the Secure Login URL points to the correct Server instance.
It is likely that the instance referred in the URL is invalid.
For example: http://myServer.local/securelogin/PseServer?id=0001
For details about how to alter the URL see section 6.3.3.2 on page 187.
7.7 Implement an SSL.PSE-Based TrustStore for HTTPS
Problem
You want to use an SSL.PSE-based TrustStore for HTTPS instead of the Microsoft CAPI
TrustStore.
Prerequisites
Knowledge of the SECUDE shell (secude.exe). The secude.exe is available only as part
of the Signon&Secure package. For further information contact SECUDE support.
Make sure that you have already performed the procedure on the certificate before
starting the solution below:
1. Import the root certificate using the Administration Console as a *.crt file. The
certificate will be stored in a PEM-encoded format.
2. Open the file in an editor and remove the first and last line of the file:
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
respectively. Save the file.
3. Open a SECUDE shell and enter the following command to convert the base64
encoded contents of the file into a binary file:
secude decode <path where the file is located>\ROOT_CA.crt root.der
Solution
Follow these steps to enable an SSL.PSE-based TrustStore for HTTPS:
1. Create a PSE (Personal Security Environment) and name it ssl.pse. To do this,
open a SECUDE shell and enter the following command:
secude psecrt –p ssl.pse "CN=dummy"
The Dname (Distinguished Name) used for this is irrelevant. The example here uses
CN=dummy. Enter the PIN 1234 twice (this value is mandatory). After a short period
of time the PSE file ssl.pse will be generated and saved to your Signon&Secure
directory.
2. The resulting PSE must be changed by creating the root certificate. Enter the following
commands in the SECUDE shell (press Return after each line and change the parts
marked in red accordingly – see below):
> secude psemaint –p ssl.pse
<Enter the PIN>
> import xxx <path where the file is located>\root.der
> cert2pkroot xxx PKRoot
> yes (to overwrite the old PKRoot)
> delete xxx
> q
The first command will open the SECUDE shell the other commands are entered. The
xxx is an alias - replace it with a specific name of your choice. The command q will
close the command prompt.
3. Copy the SSL.PSE file to the Secure Login Client in the directory:
C:\Program Files\SECUDE\OfficeSecurity\.
This file can be distributed with the Secure Login Client installation, via the
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
219
customer folder.
4. Open the Windows Registry Editor and create the following registry key (REG_DWORD):
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\SecureLogin\System]
"useSslPse"=dword:00000001
5. Restart the SECUDE securelogin COM Service (the Microsoft ADS profile will
be missing) or reboot the computer.
7.8 ‘Access Denied’ Replies
Problem
The Secure Login Server is returning a large amount of "access denied" replies to the
Secure Login Client during heavy load.
Target OS
Windows Server
Explanation
The reason for this behavior is that after a TCP/IP socket has been used for
communication, and this connection is closed-down after the communication has taken
place, the OS „keeps‟ this socket for some time until it releases it again for it‟s next use.
This means that the parameter TcpTimedWaitDelay is set to high and must be
changed. For further information refer to the following Microsoft page: http://technet2.microsoft.com/windowsServer/en/library/38b8bf76-b7d3-
473c-84e8-e657c0c619d11033.mspx):
Solution
Open regedit and locate the parameter TcpTimedWaitDelay under:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the value for TcpTimedWaitDelay to 30 seconds
7.9 Why the Secure Login Instance/Server is Locked
Problem
The Secure Login instance/Server is locked.
Target OS
All
Explanation/
Solution
The Server may be locked because:
The configuration.properties file cannot be read. Solution: Check the
integrity and path of the configuration.properties file.
The parameter LockServerOnEventLogFailure is set to true and..
the hard disk is full. Solution: Increase the hard disk capacity/delete
unnecessary files.
the file permissions are incorrect. Solution: Check the file permissions of the
user under which the Secure Login Server processes run.
the log folder does not exist. Solution: Re-define/check the log settings in the
Administration Console (section 6.3.4.2 on page 195).
The Server instance may be locked because:
The ArchivingDir property is set to a non-existent directory.
Solution: Check the log settings in the Administration Console (section 6.3.4.2 on
page 195).
User CA PSE cannot be opened by the Secure Login Server. Solution: Check the
validity and integrity of the certificate authority PSE file.
The configuration.properties file cannot be read. Solution: Check the
integrity and path of the configuration.properties file.
The parameter LockInstanceOnTransactionLogFailure is set to true
and..
the hard disk is full. Solution: Increase the hard disk capacity/delete
unnecessary files.
the file permissions are incorrect. Solution: Check the file permissions of the
user under which the Secure Login Server processes run.
the log folder does not exist. Solution: Re-define/check the log settings in the
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
220
Administration Console (section 6.3.4.2 on page 195).
Under heavy load the Server may lock because the user has a limitation on the maximum
number of files they can have open at the same time.
Solution: Check the Secure Login Server event log for java_io_file_exception
stating “too many open files”. If so this means that Secure Login was not
allowed to open log files for writing resulting in the lock state. Allow the “user” that
starts/owns the Secure Login Server process to open more files than configured in
the default configurations set in some system property (limits.conf).
7.10 Password Expiry Warnings on Sun LDAP (1)
Problem
Password expiration warning is shown regardless of password policy setting on Sun LDAP.
Effected
Systems
Sun ONE Directory Server v5.2
Sun Java System Directory Server v5.2
Sun Java System Directory Server v6.0
Explanation
When the LDAP attribute passwordExpirationTime was set (for example, via a
password policy and the password policy was later removed), the attribute still exists and
causes useless expiry messages in the Secure Login Client, such as:
“Attention: Your password will expire on 12.07.2004” (expiry date in the past)
Solution
This is a problem caused by the directory Server and not by Secure Login Server. Please
refer to the Sun Directory Server release notes for details.
7.11 Password Expiry Warnings on Sun LDAP (2)
Problem
A password expiry message is displayed on the Secure Login Client, even though Sun ONE
LDAP is configured so that the password does not expire.
Effected
Systems
Sun ONE Directory Server v5.2
Sun Java System Directory Server v5.2
Sun Java System Directory Server v6.0
Explanation
This is a Sun ONE password policy problem, due to an enabled password policy No5.
Solution
Please refer to the Sun ONE Directory Server release notes for details.
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
221
7.12 Secure Login Server Cannot Establish an SNC Connection to the SAP Server
Problem
The Secure Login Server cannot establish an SNC connection to the SAP Server.
Effected
Systems
-
Explanation/
Solution
The Secure Login Server SNC PSE is not valid: There will be no working SNC connection
(JCO trace reads only "SNC connection cannot be established, empty
answer"). This may be due to the following:
The credentials cannot be found: There will be no working SNC connection (JCO trace says
only "No credentials supplied")
The Ticket.snc file cannot be found: If the ticket is not installed correctly or cannot be
found by the SECUDE signon&secure/SECUDE library, it occurs that no error log output can
be found but connections to the backend just stop. If Tomcat is used as the container
engine, it might happen that the Tomcat process is terminated when the ticket cannot be
found but SAP-ID logon is used.
The SNC name of the Server is incorrect: In the SAP Logon Client software the Server SNC
name is equal to the SNCServerName parameter in the Secure Login Server SAP-ID
module. This parameter value has to correspond with the DN of the PSE on the SAP
Server.
The SNC names of users are incorrect: The SNC name of SAP users (see SAP transaction
su01) must correspond with the DN of the user certificates coming from the Secure Login
Server.
The user for the SLS (e.g., SLSSNC) must also have an SNC name which
corresponds with the DN in SLSSNC's PSE (can be generated in the
Administration Console; this is called the JCO PSE which is used by Secure Login
Server for the SNC connection to the SAP Server).
A valid SNC Server connection: Requires a valid PSE from the Server PKI (e.g., the user
certificate must be from the same root).
A valid SNC user connection: Requires a valid certificate of the Server PKI and a
registered user account at the SAP Server.
The Secure Login Server SAP-ID uses the user account credentials at the SAP
Server for JAAS authentication. The SAP Server uses the DN of the user certificate
as SNC name of the corresponding SAP account to verify the user.
7.13 Administration Console Pages Appear ‘broken’
Problem
The Administration Console pages have an odd appearance/appear to be „broken‟. This
may include, but not limited to:
Missing icons
Missing items in combo-boxes
Buttons do not work. For example, the Start button of the initialization wizard batch
creation page or, the Upload button in the Web Client platform configuration.
Effected
Systems
-
Explanation/
Solution
The most likely cause for Administration Console pages that have an odd appearance
(especially during the initialization wizard), is that a previous version of Secure Login
Server has been removed from the same Tomcat Server but the Tomcat JSP cache has
not been removed or has not been automatically updated.
The solution to this problem is to stop Tomcat, and delete all old securelogin folders
from the Webapps directory. Also delete the Tomcat cache directory:
<Tomcat ROOT>/work
Restart Tomcat. The Administration Console pages should now be OK.
SECUDE Secure Login 5.1 Installation, Administration and Usage Manual
222
7.14 Problem Loading the GSS Library (SAP-ID Module)
Problem
Problems occur when configuring the SAP-ID module so that no Server connection exists.
In the Application Server trace SNC errors exist (as the following examples):
[Thr 168] Fri Jul 18 09:34:33 2008
[Thr 168] *** ERROR => SncPDLInit():
DlLoadLib("<PATH>\secude.dll")=DLEINV
AL
[Thr 168] [sncxxdl.0340][Thr 168] *** ERROR =>
SncPDLInit()==SNCERR_INIT, Adapter (#0) <PATH>\secude.dll not loaded
[Thr 168] [sncxxdl.0604]Exception in thread "main"
com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to
SAP gateway failed
Connect_PM GWHOST=000, GWSERV=sapgw00, SYSNR=00
LOCATION CPIC (TCP/IP) on local host
ERROR SNCERR_INIT
Resource problem or gssapi library invalid/missing
sec_avail="false"
TIME Fri Jul 18 09:34:33 2008
RELEASE 710
COMPONENT SNC (Secure Network Communication)
VERSION 5
RC -1
MODULE sncxx.c
DETAIL SncInit
COUNTER 2
Or...
[Thr 5008] Fri Jul 18 09:42:10 2008
[Thr 5008] *** ERROR => SncPDLInit():
DlLoadLib("<PATH>\secude.dll")=DLEINVAL
[Thr 5008] [sncxxdl.0340][Thr 5008] *** ERROR =>
SncPDLInit()==SNCERR_INIT, Adapter (#0) <PATH>\secude.dll not loaded
[Thr 5008] [sncxxdl.0604]Exception in thread "main"
com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to
SAP gateway failed
Connect_PM GWHOST=000, GWSERV=sapgw00, SYSNR=00
LOCATION CPIC (TCP/IP) on local host
ERROR Unable to load the GSS-API DLL
named
"<PATH>\secude.dll"
TIME Fri Jul 18 09:42:10 2008
RELEASE 710
COMPONENT SNC (Secure Network Communication)
VERSION 5
RC -1
MODULE sncxxdl.c
Affected systems
-
Explanation/Solution
Possible causes and solutions:
1. The SECUDE SNC library does not exist at the given path.
Solution: Locate the SECUDE SNC library and move it to the configured directory.
2. The SECUDE SNC library is wrong for this platform (for example 32-bit vs. 64-bit, or a different C runtime version).
Solution: Delete the incorrect components, locate the SECUDE SNC library that matches the server environment and move it to the configured directory.
3. If neither of the above applies, the cause may be the length of the path (the number of characters) to the SECUDE SNC library. This limitation lies in JCo, which cannot load the GSS library when the path is longer than 100 characters.
Solution: Move the SSS package as well as the SECUDE library to a directory with a shorter path, and configure the SAP-ID module accordingly (NativeLibraryPath).
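The following script is an added diagnostic, not part of this manual or of SECUDE's software, that performs the three checks above before the SAP-ID module is started: it verifies that the configured library exists, reads the PE header to confirm that the DLL's bitness matches the JVM's, and flags a path longer than the 100-character limit this section attributes to JCo. The PE parsing follows the public PE format (MZ header, e_lfanew at offset 0x3C, IMAGE_FILE_HEADER.Machine); the demo() helper writes constructed, non-loadable PE stubs into a temporary directory so the script runs offline. The value 100 and the function names are this example's own, not SECUDE's.

```python
import os
import struct
import tempfile

# IMAGE_FILE_HEADER.Machine values from the PE format specification
MACHINE_I386 = 0x014C
MACHINE_AMD64 = 0x8664
# Path length above which this manual reports that JCo cannot load the GSS library
JCO_MAX_PATH_LEN = 100


def pe_bitness(path):
    """Return 32 or 64 for an x86/x64 PE image, or None if the file is not a PE image."""
    with open(path, "rb") as f:
        dos = f.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
        f.seek(e_lfanew)
        if f.read(4) != b"PE\0\0":
            return None
        machine = struct.unpack("<H", f.read(2))[0]
    return {MACHINE_I386: 32, MACHINE_AMD64: 64}.get(machine)


def check_snc_library(path, jvm_bits):
    """Return a list of findings for the library at `path`; an empty list means it looks loadable."""
    findings = []
    full = os.path.abspath(path)
    if not os.path.isfile(full):
        findings.append("missing: no file at " + full)
        return findings
    bits = pe_bitness(full)
    if bits is None:
        findings.append("invalid: not an x86/x64 PE image")
    elif bits != jvm_bits:
        findings.append(f"arch-mismatch: library is {bits}-bit, JVM is {jvm_bits}-bit")
    if len(full) > JCO_MAX_PATH_LEN:
        findings.append(f"path-too-long: {len(full)} characters, limit {JCO_MAX_PATH_LEN}")
    return findings


def make_fake_pe(directory, name, machine):
    """Write a minimal PE stub (headers only, not loadable) as constructed test input."""
    e_lfanew = 0x80
    image = bytearray(b"MZ" + b"\0" * (0x3C - 2))   # DOS header up to e_lfanew
    image += struct.pack("<I", e_lfanew)             # e_lfanew at offset 0x3C
    image += b"\0" * (e_lfanew - len(image))         # pad up to the PE signature
    image += b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(image)
    return path


def demo():
    """Exercise the check against constructed stubs; returns the findings per scenario."""
    base = tempfile.mkdtemp()
    good = make_fake_pe(base, "secude.dll", MACHINE_AMD64)
    deep = os.path.join(base, "x" * 90)              # pushes the path past 100 characters
    os.makedirs(deep)
    far = make_fake_pe(deep, "secude.dll", MACHINE_AMD64)
    return {
        "ok": check_snc_library(good, 64),
        "wrong_jvm": check_snc_library(good, 32),
        "missing": check_snc_library(os.path.join(base, "absent.dll"), 64),
        "long_path": check_snc_library(far, 64),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, "->", result or "OK")
```

Run it on the real library with check_snc_library(r"<PATH>\secude.dll", 64) (or 32 for a 32-bit JVM) and fix the findings in the order they appear: a missing or wrong-architecture file first, then the path length.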
7.15 Blank Page when Logging into the Secure Login Administration Console
Problem
When logging into the Secure Login Administration Console the GUI does not appear – only
a blank page appears. The following example error appears in the defaulttrace of the
NetWeaver Application Server:
#1.5#001AA00E3F65004E0000028E0000111C00045224BE3B94F3#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###java.lang.NullPointerException#
#1.5#001AA00E3F65004E0000028F0000111C00045224BE3B982E#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.web.framework.login.impl.UserManager.getUserById(UserManager.java:52)#
#1.5#001AA00E3F65004E000002900000111C00045224BE3B98A5#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.util.AdminAccount.canLogin(AdminAccount.java:178)#
#1.5#001AA00E3F65004E000002910000111C00045224BE3B9916#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.adminui.AdminAccountHandler.tryLogin(AdminAccountHandler.java:162)#
#1.5#001AA00E3F65004E000002920000111C00045224BE3B9986#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.adminui.AdminAccountHandler.process(AdminAccountHandler.java:63)#
#1.5#001AA00E3F65004E000002930000111C00045224BE3B99F7#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.adminui.NavigationServlet.process(NavigationServlet.java:170)#
#1.5#001AA00E3F65004E000002940000111C00045224BE3B9A67#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.adminui.NavigationServlet.doPost(NavigationServlet.java:89)#
#1.5#001AA00E3F65004E000002950000111C00045224BE3B9AD8#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)#
#1.5#001AA00E3F65004E000002960000111C00045224BE3B9B45#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)#
#1.5#001AA00E3F65004E000002970000111C00045224BE3B9BB3#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)#
#1.5#001AA00E3F65004E000002980000111C00045224BE3B9C23#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)#
#1.5#001AA00E3F65004E000002990000111C00045224BE3B9C95#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.util.ConsoleFilter.doFilter(ConsoleFilter.java:29)#
#1.5#001AA00E3F65004E0000029A0000111C00045224BE3B9D04#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)#
#1.5#001AA00E3F65004E0000029B0000111C00045224BE3B9D75#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:373)#
#1.5#001AA00E3F65004E0000029C0000111C00045224BE3B9DF5#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)#
#1.5#001AA00E3F65004E0000029D0000111C00045224BE3B9E67#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)#
#1.5#001AA00E3F65004E0000029E0000111C00045224BE3B9ED8#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)#
#1.5#001AA00E3F65004E0000029F0000111C00045224BE3B9F49#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)#
#1.5#001AA00E3F65004E000002A00000111C00045224BE3B9FBB#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)#
#1.5#001AA00E3F65004E000002A10000111C00045224BE3BA02B#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)#
#1.5#001AA00E3F65004E000002A20000111C00045224BE3BA09A#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)#
#1.5#001AA00E3F65004E000002A30000111C00045224BE3BA109#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)#
#1.5#001AA00E3F65004E000002A40000111C00045224BE3BA17F#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)#
#1.5#001AA00E3F65004E000002A50000111C00045224BE3BA1EE#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)#
#1.5#001AA00E3F65004E000002A60000111C00045224BE3BA262#1216217670562#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at java.security.AccessController.doPrivileged(Native Method)#
#1.5#001AA00E3F65004E000002A70000111C00045224BE3BA2D1#1216217670562#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)#
#1.5#001AA00E3F65004E000002A80000111C00045224BE3BA33F#1216217670562#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)#
#1.5#001AA00E3F65004E000002A90000111C00045224BE3BB6B7#1216217670562#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###com.sap.engine.services.servlets_jsp.server.exceptions.WebServletException: Error in JSP.
at com.sap.engine.services.servlets_jsp.server.jsp.PageContextImpl.handleErrorPage(PageContextImpl.java:707)
at com.sap.engine.services.servlets_jsp.server.jsp.PageContextImpl.handlePageException(PageContextImpl.java:702)
at jsp_ErrorPage_11216120837756._jspService(jsp_ErrorPage_11216120837756.java:65535)
at com.sap.engine.services.servlets_jsp.server.jsp.JspBase.service(JspBase.java:112)
at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:544)
at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:186)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.secude.transfair.pepperbox.adminui.ErrorHandler.process(ErrorHandler.java:27)
at com.secude.transfair.pepperbox.adminui.NavigationServlet.process(NavigationServlet.java:179)
at com.secude.transfair.pepperbox.adminui.NavigationServlet.doPost(NavigationServlet.java:89)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)
at com.secude.transfair.pepperbox.util.ConsoleFilter.doFilter(ConsoleFilter.java:29)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:373)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Caused by: com.sap.engine.services.servlets_jsp.server.exceptions.WebServletException: Error in JSP.
at com.sap.engine.services.servlets_jsp.server.jsp.PageContextImpl.handleErrorPage(PageContextImpl.java:744)
at com.sap.engine.services.servlets_jsp.server.jsp.PageContextImpl.handlePageException(PageContextImpl.java:702)
at jsp_top1216110529928._jspService(jsp_top1216110529928.java:65535)
at com.sap.engine.services.servlets_jsp.server.jsp.JspBase.service(JspBase.java:112)
at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:544)
at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:186)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.include(RequestDispatcherImpl.java:473)
at com.sap.engine.services.servlets_jsp.server.jsp.PageContextImpl.include(PageContextImpl.java:165)
at jsp_ErrorPage_11216120837756._jspService(jsp_ErrorPage_11216120837756.java:10)
... 29 more
Caused by: com.sap.engine.services.servlets_jsp.server.exceptions.WebIllegalStateException: The stream has already been committed.
at com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletResponseFacade.sendRedirect(HttpServletResponseFacade.java:997)
at jsp_top1216110529928._jspService(jsp_top1216110529928.java:11)
... 37 more
Affected systems
NetWeaver Application Server only.
Explanation/Solution
There is no workaround for this sporadic problem. To resolve it, re-deploy Secure Login to NetWeaver.
7.16 Users Cannot be Successfully Authenticated to any JAAS Module
Problem
After Secure Login has been successfully deployed to NetWeaver, no user can
authenticate successfully to any JAAS module.
The following example error appears in the files security_*.log and default_*.trc
of the NetWeaver AS Java:
#1.5#001AA02C2EA0002B000003A80000039800897B2BD532EEFC#1216364672406#System.err#secude.com/SecureLogin#System.err#Guest#2464####c59e8c80549711ddb8f5001aa02c2ea0#HTTP Worker [1]##0#0#Error##Plain###com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:177)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:216)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.secude.transfair.pepperbox.JaasRsaRadiusAuthenticationManager.authenticate(JaasRsaRadiusAuthenticationManager.java:186)
at com.secude.transfair.pepperbox.ServerMessageHandler.handleAuthAction(ServerMessageHandler.java:889)
at com.secude.transfair.pepperbox.ServerMessageHandler.handleInMessage(ServerMessageHandler.java:223)
at com.secude.transfair.framework.LocalTFManager.handleInMessage(LocalTFManager.java:211)
at com.secude.transfair.pepperbox.SlsKernel.doSls(SlsKernel.java:360)
at com.secude.transfair.pepperbox.StandardServlet.doPost(StandardServlet.java:155)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:66)
at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:32)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:431)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:289)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:376)
at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:85)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:160)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:67)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71)
at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:309)
at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.run(Processor.java:222)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:152)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:247)
Caused by: javax.security.auth.login.LoginException: Error: Callback com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4 not supported.
at com.secude.transfair.pepperbox.LdapJaasModule.login(LdapJaasModule.java:208)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:220)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
Error: Callback com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4 not supported.null#
Affected systems
NetWeaver
Explanation/Solution
This problem occurs in particular when the complete Secure Login Server EAR package is updated on an AS Java that already hosts an existing Secure Login installation.
The entry to look for is the innermost "Caused by:" line of the stack trace; in the example above it is the LoginException "Error: Callback com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4 not supported". It usually appears as the last line of the trace.
You must completely restart the Application Server Java. A restart of the Secure Login application alone does not help; there is currently no other workaround.
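The traces in sections 7.15 and 7.16 share the AS Java list-format layout: each record starts with #1.5#, carries '#'-separated header fields, and the message (possibly spanning several lines) ends with a trailing '#'. The cause to report is the innermost "Caused by:" line. The script below is an added example, not from this manual or from SECUDE, that splits a defaulttrace excerpt into records, extracts the timestamp, application, severity and message, and returns the root cause per record so that both problems can be triaged from the log rather than by eye. The field positions (timestamp at index 3, application at index 5, severity at index 17, message after the last "###" of the first line) are inferred from the samples in this chapter, not taken from SAP documentation; the embedded trace is a constructed, shortened version of the records shown above.

```python
# Constructed sample: shortened from the traces in sections 7.15 and 7.16, wrapped lines re-joined.
SAMPLE_TRACE = """\
#1.5#001AA00E3F65004E0000028E0000111C00045224BE3B94F3#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###java.lang.NullPointerException#
#1.5#001AA00E3F65004E0000028F0000111C00045224BE3B982E#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.web.framework.login.impl.UserManager.getUserById(UserManager.java:52)#
#1.5#001AA02C2EA0002B000003A80000039800897B2BD532EEFC#1216364672406#System.err#secude.com/SecureLogin#System.err#Guest#2464####c59e8c80549711ddb8f5001aa02c2ea0#HTTP Worker [1]##0#0#Error##Plain###com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:177)
at com.secude.transfair.pepperbox.JaasRsaRadiusAuthenticationManager.authenticate(JaasRsaRadiusAuthenticationManager.java:186)
Caused by: javax.security.auth.login.LoginException: Error: Callback com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4 not supported.
at com.secude.transfair.pepperbox.LdapJaasModule.login(LdapJaasModule.java:208)
Error: Callback com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4 not supported.null#
"""

RECORD_START = "#1.5#"


def split_records(text):
    """Group lines into records: a record begins with RECORD_START and runs until the next one."""
    records, current = [], []
    for line in text.splitlines():
        if line.startswith(RECORD_START) and current:
            records.append("\n".join(current))
            current = []
        if line.strip():
            current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def parse_record(record):
    """Extract header fields and the message body from one list-format record."""
    nl = record.find("\n")
    first_line = record if nl < 0 else record[:nl]
    # The header contains runs of '#' (empty fields), so the message starts after the LAST '###'
    cut = first_line.rfind("###")
    fields = first_line[:cut].split("#")
    message = (first_line[cut + 3:] + record[len(first_line):]).rstrip("#").strip()
    return {
        "timestamp_ms": int(fields[3]),   # epoch milliseconds; index inferred from the samples
        "application": fields[5],
        "severity": fields[17],
        "message": message,
    }


def root_cause(message):
    """Return the innermost 'Caused by:' line, or the first line when there is no nested cause."""
    lines = [l.strip() for l in message.splitlines() if l.strip()]
    causes = [l for l in lines if l.startswith("Caused by:")]
    return causes[-1] if causes else lines[0]


def triage(text):
    """Return one (timestamp_ms, application, severity, root cause) tuple per record."""
    out = []
    for rec in split_records(text):
        p = parse_record(rec)
        out.append((p["timestamp_ms"], p["application"], p["severity"], root_cause(p["message"])))
    return out


if __name__ == "__main__":
    for ts, app, sev, cause in triage(SAMPLE_TRACE):
        print(ts, app, sev, cause)
```

Feed it the contents of defaulttrace (or security_*.log) and filter the returned tuples on the application secude.com/SecureLogin; the last tuple's root cause is the line the explanation above tells you to look for.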
7.17 Enable Remote Access to Initialize and Configure Secure Login Server
Problem
After installing Secure Login Server the initialization/configuration cannot be performed
from a remote location (only directly on the Server).
Affected systems
All.
Explanation/Solution
For security reasons, the Secure Login Server component can only be initialized via the Administration Console, and only when the console is opened on the same server computer on which Secure Login resides (see section 3.6 on page 54). If you nevertheless want to perform the initialization and configuration from a remote location, you must enable this explicitly by editing the Secure Login web.xml file directly on the application server:
1. Locate the web.xml file in the web application directory of your application server:
securelogin\WEB-INF\web.xml
2. Open the web.xml file in an editor.
3. Locate the following section:
<servlet-name>Navigation</servlet-name>
<servlet-class>com.secude.transfair.pepperbox.adminui.NavigationServlet</servlet-class>
…
<init-param>
<param-name>remoteAccess</param-name>
<param-value>false</param-value>
</init-param>
4. Change the value of the remoteAccess parameter (the <param-value> element shown above) from false to true.
5. Save the web.xml file and restart the web application (or the application server) so that the changed init-param is read.
While remoteAccess is true, the initialization pages are reachable by anyone who can reach the Administration Console over the network. Perform the initialization over the SSL connector only and, where possible, restrict access to the console port to the administrator's workstation for the duration. After you have completed the initialization and configuration of Secure Login Server, reinstate the restriction by changing the remoteAccess parameter back to false and restarting the web application again.
7.18 Problems Accessing the Administration Console or the Web Client via Firefox
Problem
Errors are displayed when accessing the Administration Console or the Web Client using Mozilla Firefox over an SSL connection.
Affected systems
The error occurs when the following components are used in combination:
Server: Tomcat 5 or 6 (Java 1.4 or above, all platforms) with an SSL connector
Client: Firefox 2 and 3 (all platforms)
Secure Login components: Secure Login Administration Console or Web Client
Explanation/Solution
The best workaround is to configure the Tomcat SSL connector to offer a fixed list of cipher suites only. Tomcat's server.xml has to be modified as follows; the example applies to Tomcat 5 and 5.5 (keystorePass and keystoreFile are placeholders, use your own keystore and a real password):
<Connector port="8443" minProcessors="5" maxProcessors="75"
    enableLookups="true" disableUploadTimeout="true" acceptCount="100" debug="0"
    scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
    keystorePass="123456" keystoreFile="C:\SSL_SERVER.p12" keystoreType="PKCS12"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
/>
Note that this list still contains RC4, single-DES and MD5-based suites, which are no longer considered secure. In a current deployment keep only the AES suites (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA) and verify with the browsers you support that the connection still succeeds.
For Tomcat 6 the configuration is the same, but the SSL connector additionally requires the attribute SSLEnabled="true".
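Two settings in this chapter must be re-hardened after the work is done: the connector's cipher list above and the remoteAccess init-param from section 7.17. The script below is an added example, not part of this manual or of SECUDE's product, that audits both files: it parses a Tomcat server.xml and reports HTTPS connectors offering RC4, DES, MD5, NULL, export or anonymous suites, duplicate suites, a missing SSLEnabled="true" on Tomcat 6 and a placeholder keystore password, and it parses the Secure Login web.xml to report a Navigation servlet whose remoteAccess is still true. The weak-suite markers and placeholder-password list are the editor's choice; the embedded XML documents are constructed samples built from the fragments shown in sections 7.17 and 7.18, with the Tomcat 6 attribute deliberately left out.

```python
import xml.etree.ElementTree as ET

# Substrings of JSSE suite names that a current deployment should not offer (editor's list)
WEAK_MARKERS = ("_RC4_", "_DES_", "_3DES_", "_MD5", "_NULL_", "_EXPORT", "_anon_")
PLACEHOLDER_PASSWORDS = {"", "changeit", "123456", "password"}

# Constructed sample server.xml: the connector from section 7.18 without the Tomcat 6 SSLEnabled attribute
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" minProcessors="5" maxProcessors="75" enableLookups="true"
  disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS" keystorePass="123456"
  keystoreFile="C:\\SSL_SERVER.p12" keystoreType="PKCS12"
  ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA"/>
<Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""

# Constructed sample web.xml: the Navigation servlet from section 7.17 with remote access left enabled
SAMPLE_WEB_XML = """<web-app>
<servlet>
  <servlet-name>Navigation</servlet-name>
  <servlet-class>com.secude.transfair.pepperbox.adminui.NavigationServlet</servlet-class>
  <init-param><param-name>remoteAccess</param-name><param-value>true</param-value></init-param>
</servlet>
</web-app>"""


def parse_ciphers(attr):
    return [c.strip() for c in attr.split(",") if c.strip()]


def hardened_cipher_list(ciphers):
    """Drop weak and duplicate suites, keeping the original order."""
    kept = []
    for c in ciphers:
        if c not in kept and not any(m in c for m in WEAK_MARKERS):
            kept.append(c)
    return kept


def audit_connector(conn, tomcat_major):
    """Findings for one <Connector>; non-HTTPS connectors are out of scope and return []."""
    findings = []
    if conn.get("scheme") != "https":
        return findings
    if tomcat_major >= 6 and conn.get("SSLEnabled", "").lower() != "true":
        findings.append('SSLEnabled="true" missing (required on Tomcat 6 SSL connectors)')
    ciphers = parse_ciphers(conn.get("ciphers", ""))
    if not ciphers:
        findings.append("no ciphers attribute: the JSSE default list will be offered")
    for i, c in enumerate(ciphers):
        if c in ciphers[:i]:
            findings.append("duplicate suite: " + c)
        elif any(m in c for m in WEAK_MARKERS):
            findings.append("weak suite: " + c)
    if conn.get("keystorePass", "") in PLACEHOLDER_PASSWORDS:
        findings.append("keystorePass is empty or a well-known placeholder")
    return findings


def audit_server_xml(text, tomcat_major=6):
    """Map each connector's port to its findings."""
    root = ET.fromstring(text)
    return {c.get("port"): audit_connector(c, tomcat_major) for c in root.iter("Connector")}


def _local(tag):
    return tag.rsplit("}", 1)[-1]          # strip an XML namespace if the web.xml declares one


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def remote_access_enabled(web_xml_text):
    """True if the Navigation servlet's remoteAccess init-param is 'true' (section 7.17)."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet" or _child_text(servlet, "servlet-name") != "Navigation":
            continue
        for param in servlet.iter():
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "remoteAccess":
                return (_child_text(param, "param-value") or "").lower() == "true"
    return False


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print("connector", port, findings or "OK")
    print("remoteAccess still enabled:", remote_access_enabled(SAMPLE_WEB_XML))
```

Point audit_server_xml at the real server.xml (with tomcat_major=5 for Tomcat 5.x) and remote_access_enabled at securelogin\WEB-INF\web.xml; both should report nothing once the post-installation hardening is complete.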
7.19 Error Message when viewing Certificate Details using Firefox 3
Problem
An error message appears when using the Administration Console in Firefox 3 to view
certificate details.
Affected systems
All systems using Firefox 3 on which the Secure Login Administration Console is installed and configured (Certificate).
Explanation
This error occurs when the Firefox password manager is used to store the Administration Console username/password. The error can be reproduced as follows:
1. Start the Administration Console in Firefox 3, enter the username and password, and click Login.
2. Firefox now prompts you to store the username/password in the Firefox password manager (a prompt bar appears at the top of the page). Click Remember.
3. The Administration Console appears as normal.
4. From the main page, go to any Instance Configuration/Certificate Manager.
5. Under Certificate name, select a certificate and click View.
6. The error message "Open password is incorrect" appears.
Solution
1. Open the Firefox menu Tools > Options.
2. The Options dialog appears. Click the Security tab and then click Saved Passwords.
3. The Saved Passwords dialog appears. Select the Secure Login Administration Console site or hostname from the list and click Remove. Close the Saved Passwords and Options dialogs.
4. Log in to the Administration Console again. The prompt bar reappears; click Never for this site. The Secure Login host now appears in the list of exceptions (menu Tools > Options > Security tab > Exceptions…).
8 Error and Return Codes
Introduction
This chapter details the error codes and return codes, their meaning and possible corrections. In each section, the codes are listed in alphabetical order.
Sections
Section 8.1 "ADS Authentication Errors", on page 232
Section 8.2 "RSA Authentication Errors", on page 232
Section 8.3 "SAP ID Error Codes and Return Codes", on page 232
Section 8.4 "Stacktrace Error Codes", on page 234
Section 8.5 "Common Errors", on page 236
Section 8.6 "CERT Errors", on page 237
Section 8.7 "PSE Errors", on page 237
8.1 ADS Authentication Errors
Error code: JAAS_LDAP_ERROR
Description: Authentication fails due to configuration errors of the JAAS module for ADS or timing problems on the network.
Solution: Make sure that at least one server is specified in the configuration (and is running) and that the server names are specified correctly in the configuration file. If the server is accessed via port 636 (LDAP over SSL), make sure that its CA certificate is imported into the keystore of SECUDE Secure Login.
8.2 RSA Authentication Errors
Error code: JAAS_RADIUS_ERROR
Description: Authentication fails due to configuration errors of the JAAS module for RSA/RADIUS or timing problems on the network.
Solution: Make sure that the ACE Server is running.
8.3 SAP ID Error Codes and Return Codes
This section details the return codes for SAP ID-based login, and the error codes caused by the JAAS module.
Contents
Section 8.3.1 "Authentication-based Codes", on page 232
Section 8.3.2 "Password Change Related Codes", on page 233
Section 8.3.3 "Connectivity Related Codes", on page 233
8.3.1 Authentication-based Codes
Return code: AUTH_RESULT_ACTION_OK_MSG
Description: Authentication successful. The AUTH_RESULT_ACTION_OK_MSG defined in the file ServerMsg.properties is sent to the SECUDE Secure Login Client along with the created certificate.
Solution: -
Return code: AUTH_RESULT_ACTION_DENIED_MSG
Description: Authentication denied. The AUTH_RESULT_ACTION_DENIED_MSG variable defined in the file ServerMsg.properties is sent to the SECUDE Secure Login Client.
This message may be combined with the variable $SERVERMSG to present the user with a reason for the denial. The $SERVERMSG variable forwards the raw authentication server message to the Secure Login Client. For example:
Access denied because..$SERVERMSG
The $SERVERMSG variable should only be used with Sun directory servers and SAP-ID. If used with RSA no message is sent by default, and if used with ADS a cryptic text message is sent. Bear in mind that forwarding the raw server message tells the client exactly why the logon was refused (for example whether the user exists or the password was wrong), which also helps an attacker probing accounts; weigh this against the usability benefit before enabling it.
8.3.2 Password Change Related Codes
Return code: NEW_PIN_REPLY_ACCEPTED_MSG
Description: For a successful password change, the NEW_PIN_REPLY_ACCEPTED_MSG defined in the file ServerMsg.properties is sent to the SECUDE Secure Login Client.
Solution: -
Return code: NEW_PIN_REPLY_REJECTED_MSG
Description: If the SAP server rejects the new password, the result is a password-rejected state and the NEW_PIN_REPLY_REJECTED_MSG defined in the file ServerMsg.properties is sent to the SECUDE Secure Login Client. The corresponding trace and error log entry is "Password not conform to password rules" followed by the stacktrace information of the return code.
8.3.3 Connectivity Related Codes
Error code: AUTH_SERVER_TIMEOUT_MSG
Description: If the JAAS module cannot establish a connection to the SAP server, a timeout error is set and the error AUTH_SERVER_TIMEOUT_MSG defined in the file ServerMsg.properties is sent to the SECUDE Secure Login Client. The corresponding trace and error log entry is "No connection to SAP system can be established" followed by the stacktrace information for this code.
Solution: Possible reasons for this error (no differentiation is made between the SECUDE Secure Login Server and the Client):
Unable to establish an SNC connection to the SAP server:
- SECUDE Secure Login Server SAP user is not properly configured.
- SECUDE Secure Login Server SAP user does not have the required permissions.
- Faulty SNC configuration for the SECUDE Secure Login Server.
Timeout in the network connection.
SAP server is down.
For a list of stacktrace codes refer to section 8.4 "Stacktrace Error Codes" on page 234. For a list of common error reasons refer to section 8.5 "Common Errors" on page 236.
8.4 Stacktrace Error Codes
This section lists the possible SAP exceptions that can be logged in the stacktrace.
Runtime error code Description
CALL_BACK_ENTRY_NOT_FOUND The called function module is not released for
RFC.
CALL_FUNCTION_DEST_TYPE The type of the destination is not allowed.
CALL_FUNCTION_NO_SENDER Current function is not called remotely.
CALL_FUNCTION_DESTINATION_NO_T
Missing communication type (I for internal
connection, 3 for ABAP) when executing an
asynchronous RFC.
CALL_FUNCTION_NO_DEST The specified destination does not exist.
CALL_FUNCTION_OPTION_OVERFL
OW Maximum length of options for the destination
exceeded.
CALL_FUNCTION_NO_LB_DEST The specified destination (in load distribution
mode) does not exist.
CALL_FUNCTION_NO_RECEIVER Data received for unknown CPI-C connection.
CALL_FUNCTION_NOT_REMOTE The function module being called is not flagged
as being “remotely” callable.
CALL_FUNCTION_REMOTE_ERROR While executing an RFC, an error occurred that
has been logged in the calling system.
CALL_FUNCTION_SIGNON_INCOMPL
Logon data for the user is incomplete.
CALL_FUNCTION_SIGNON_INTRUDER
    Logon attempt in the form of an internal call in a target system not allowed.
CALL_FUNCTION_SIGNON_INVALID
    RFC from external program without valid user ID.
CALL_FUNCTION_SIGNON_REJECTED
    Logon attempt in target system without valid user ID. This error code may have any of the following meanings:
    - Incorrect password or invalid user ID.
    - User locked.
    - Too many login attempts.
    - Error in authorization buffer (internal error).
    - No external user check.
    - Invalid user type.
    - Validity period of the user exceeded.
CALL_FUNCTION_SINGLE_LOGIN_REJ
    No authorization to log on as Trusted System. The error code may have any of the following meanings:
    - Incorrect logon data for valid security ID.
    - Calling system is not a Trusted System or security ID is invalid.
    - Either the user does not have RFC authorization (authorization object S_RFCACL), or a logon was performed using one of the protected users DDIC or SAP*.
    - Time stamp of the logon data is invalid.
CALL_FUNCTION_SYSCALL_ONLY
    RFC without valid user ID only allowed when calling a system function module. The meaning of the error codes is the same as for CALL_FUNCTION_SINGLE_LOGIN_REJ.
CALL_FUNCTION_TABINFO
    Data error (info internal table) during an RFC.
CALL_FUNCTION_TABLE_NO_MEMORY
    No memory available for table being imported.
CALL_FUNCTION_TASK_IN_USE
    For asynchronous RFC only: task name is already being used.
CALL_FUNCTION_TASK_YET_OPEN
    For asynchronous RFC only: the specified task is already open.
CALL_FUNCTION_NO_AUTH
    No RFC authorization.
CALL_RPERF_SLOGIN_AUTH_ERROR
    No trusted authorization for RFC caller and trusted system.
CALL_RPERF_SLOGIN_READ_ERROR
    No valid trusted entry for the calling system.
RFC_NO_AUTHORITY
    No RFC authorization for user.
CALL_FUNCTION_BACK_REJECTED
    Destination "BACK" is not permitted in current program.
CALL_XMLRFC_BACK_REJECTED
    Destination "BACK" is not permitted in current program.
CALL_FUNCTION_DEST_SCAN
    Error while evaluating RFC destination.
CALL_FUNCTION_CONFLICT_TAB_TYP
    Type conflict while transferring table.
CALL_FUNCTION_CREATE_TABLE
    No memory available for creating a local internal table.
CALL_FUNCTION_UC_STRUCT
    Type conflict while transferring structure.
CALL_FUNCTION_DEEP_MISMATCH
    Type conflict while transferring structure.
CALL_FUNCTION_WRONG_VALUE_LENG
    Invalid data type while transferring parameters.
CALL_FUNCTION_PARAMETER_TYPE
    Invalid data type while transferring parameters.
CALL_FUNCTION_ILLEGAL_DATA_TYP
    Invalid data type while transferring parameters.
CALL_FUNCTION_ILLEGAL_INT_LEN
    Type conflict while transferring an integer.
CALL_FUNCTION_ILL_INT2_LENG
    Type conflict while transferring an integer.
CALL_FUNCTION_ILL_FLOAT_FORMAT
    Type conflict while transferring a floating point number.
CALL_FUNCTION_ILL_FLOAT_LENG
    Type conflict while transferring a floating point number.
CALL_FUNCTION_ILLEGAL_LEAVE
    Invalid LEAVE statement on RFC Server.
CALL_FUNCTION_OBJECT_SIZE
    Type conflict while transferring a reference.
CALL_FUNCTION_ROT_REGISTER
    Type conflict while transferring a reference.
8.5 Common Errors
Problem / Cause or Remedy
Problem: The credentials are not set for the user account the SECUDE Secure Login Server runs in.
Cause or Remedy: SNC is not properly configured on the SECUDE Secure Login Server side.
Problem: The credentials are not set for the user account the SAP Server runs in.
Cause or Remedy: SNC is not properly configured on the SAP Server side.
Problem: The user configured on the SAP Server for SECUDE Secure Login Server access is not properly configured (for example, not all required profiles are set).
Cause or Remedy: Check the user profile.
Problem: The JVM on the SECUDE Secure Login Server cannot load the required libraries (both SECUDE and SAP).
Cause or Remedy: The directory in which the libraries reside is not included in the PATH or the LD_LIBRARY_PATH environment variable of the operating system.
Problem: The JVM on the SECUDE Secure Login Server cannot load the required SAP jar library.
Cause or Remedy: The directory in which the sapjco.jar file resides is not included in the CLASSPATH variable of the Java installation.
Problem: The sapjco library displays link errors although the shipped libraries are installed in the correct places.
Cause or Remedy: If installed on UNIX/Linux systems it must be ensured that all of the required libraries are built for the same architecture (all 32-bit or all 64-bit).
How to find out what the Problem is
Enabling trace messages for the SECUDE Secure Login Server in the Web.xml file will provide detailed information about possible errors. The SAP library error trace is enabled automatically. The SAP library trace file dev_rfc.trc will be created in the directory from which the SECUDE Secure Login Server process is started.
As an example, if the SECUDE Secure Login Server is deployed on Apache Tomcat, the SAP trace files will be created in the /tomcat-installation-path/bin/ directory in which the Tomcat startup script (.bat/.sh) resides.
For details about how to enable tracing refer to the following sections:
For manual configuration see section 7.3 „Turning Tracing On/Off‟ on page 215.
Via the Administration Console – see section 6.1.3 ‟Server Configuration‟ on page 124.
Enabling the SECUDE SNC tracing will provide information about the SNC certificate
handshake and the key exchange. If the handshake fails, an additional error trace file will
be created. For details about how to enable tracing refer to the SECUDE signon&secure
documentation.
8.6 CERT Errors
Error/Return code, Description, Solution
CERT_CREATE_ERROR
    Description: An error occurred while trying to create a new certificate.
    Solution: -
CERT_INIT_ERROR
    Description: An error occurred while accessing the resources needed for this process, i.e. the PSE used.
    Solution: Make sure that the configuration file contains the correct name, password, and aliases for the specific PSE. If the SECUDE SDK is used to access the PSE, it is also necessary that the libComSecude.so library is contained in the library path. For hardware PSEs, the PseType in the configuration.properties file has to be set to NativePSE.
8.7 PSE Errors
Error/Return code, Description, Solution
PSE_ADMIN_ERROR
    Description: An error occurred inside the PSE admin Server.
    Solution: -
PSE_ARCHIVE_ERROR
    Description: This code may be due to insufficient disk space or missing write access when writing or creating the log file.
    Solution: Make sure the application has the access rights to write to, or create, the specified log directory, and that there is enough disk space.
PSE_CREATE_ERROR
    Description: This code can indicate a problem while creating an outgoing message. A possible cause is a missing message-of-the-day or disclaimer message (ClientMotd, ClientDisc) in the configuration file.
    Solution: Make sure that the configuration file contains all mandatory entries.
PSE_HANDLING_ERROR
    Description: An error occurred while handling a Client request.
    Solution: -
PSE_INIT_ERROR
    Description: May be caused when initializing the servlets. This is usually the case when the SECUDE Secure Login configuration could not be read, either because the configuration URL is not set in the configuration file of the servlet engine or the file could not be found under the specified URL.
    Solution: Make sure the URL is set correctly to the configuration.properties file.
PSE_IO_ERROR
    Description: Occurs when the servlet cannot send its response to the Client due to network problems.
    Solution: Make sure the network is configured correctly and running.
PSE_SERVER_ERROR
    Description: An error occurred with the PSE Server.
    Solution: -
PSE_SERVER_TIMEOUT
    Description: The Client session timed out.
    Solution: Check in the servlet configuration that the timeout value is high enough.
9 Appendix
Introduction
This chapter contains various advanced details an administrator may need to configure
Secure Login.
Contents
Section 9.1 „Client Policy‟ on page 239
Section 9.2 „Configurable Properties‟ on page 246
Section 9.3 „Secure Login Client Registry Values‟ on page 264
Section 9.4 „Key Usage Reference‟ on page 266
Most of the information in this section is provided purely as extra information for debugging.
It is not recommended to alter any Secure Login system file manually! Doing so may result
in a corrupted configuration! Please use the Administration Console at all times!
9.1 Client Policy
Introduction
This section contains detailed information about the Client policy for Secure Login.
Contents
Section 9.1.1 „ClientPolicy.xml File Registry Keys and Values‟, on page 239
Section 9.1.2 „ClientPolicy.xml File Example‟, on page 240
Section 9.1.4 „Configuring Secure Login with Microsoft Group Policies‟, on page 245
9.1.1 ClientPolicy.xml File Registry Keys and Values
Registry Keys
and Values
When the Secure Login Client system service is started (on the Client side) the XML-
formatted policy file is translated into the following Windows registry keys and values
(providing that the ClientPolicy.xml file is dynamic!):
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\application\<application name>]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\Profiles\<profile name>]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\SecureLogin\System]
9.1.2 ClientPolicy.xml File Example
<?xml version="1.0" encoding="ISO-8859-1"?>
<secude>
  <securelogin>
    <machine>
      <applications action="clean">
        <application name="SAP Server Strong Authentication">
          <attributes>
            <attribute name="pseURI" value="ou=Strong Authentication" type="string"/>
            <attribute name="profile" value="SAP with RSA SecurID" type="string"/>
          </attributes>
        </application>
        <application name="SAP Server ADS">
          <attributes>
            <attribute name="pseURI" value="SNC/cn=SAPServer,o=SECUDE,ou=Support,c=DE" type="string"/>
            <attribute name="profile" value="SAP with Windows Logon" type="string"/>
          </attributes>
        </application>
        <application name="DEFAULT">
          <attributes>
            <attribute name="pseURI" value="*" type="string"/>
            <attribute name="profile" value="*" type="string"/>
          </attributes>
        </application>
      </applications>
      <profiles action="replace">
        <profile name="SAP with RSA SecurID">
          <attributes>
            <attribute name="pseType" value="promptedlogin" type="string"/>
            <attribute name="enrollURL0" value="https://rsalogin:8443/securelogin/PseServer?=0001" type="string"/>
            <attribute name="autoReenrollTries" value="0" type="integer"/>
            <attribute name="sslHostCommonNameCheck" value="true" type="boolean"/>
          </attributes>
        </profile>
        <profile name="SAP with Windows Logon">
          <attributes>
            <attribute name="pseType" value="windowslogin" type="string"/>
            <attribute name="enrollURL0" value="https://adslogin:8443/securelogin/PseServer?=0003" type="string"/>
            <attribute name="enrollURL1" value="https://adsloginbackup:8443/securelogin/PseServer?=0003" type="string"/>
            <attribute name="enrollURL2" value="https://192.168.47.47:8443/securelogin/PseServer?=0005" type="string"/>
            <attribute name="httpProxyURL" value="http://10.49.48.47:3128" type="string"/>
            <attribute name="autoReenrollTries" value="3" type="integer"/>
            <attribute name="reUseKey" value="true" type="boolean"/>
            <attribute name="gracePeriod" value="10" type="integer"/>
          </attributes>
        </profile>
      </profiles>
    </machine>
  </securelogin>
</secude>
ClientPolicy.xml
File Elements
and Attributes
The following table details each of the elements of the ClientPolicy.xml file.
XML Elements and
Attribute names (A-Z)
Mandatory
/Optional
Description, Example
Action optional Existing registry keys are handled as configured
by action.
clean
Delete all existing profiles in the selected
policy key before the given ones are written.
replace
Replace any existing profiles of the same
name in the selected policy key by a given
one.
keep
Keep any existing profiles of the same
name in the selected policy, do not write
the given one (default).
AllowFavourite mandatory Allow the user to select another profile as
„favorite‟ for this SNC application context.
false (default) = always use configured profile
true = Do not use configured profile
Application mandatory Start of application element, the element is
repeated for each application.
Applications mandatory Start of application section, which contains the
unsorted list of application contexts.
AutoReenrollTries optional Number of failed authentications in a sequence
until automatic re-enrollment is stopped.
User name and password caching can be turned
on to provide the automatic re-enrollment of
certificates that are going to expire.
0
Turn off (default): Do not re-enroll
automatically; do not cache user name and
password. A re-enrollment must always be
performed by the user interactively.
N
Turn on with n tries to succeed: Try to re-
enroll max. n times before either a new
certificate is received or the user name and
password cache are cleared.
The error counter is reset on success. A manual
re-enrollment is also possible.
You can delete all cached credentials from
memory (except those stored in the SLC system
service) with the Logout context menu of the
SECUDE PSE service in the system tray.
Deleting the cache of the Windows login token
has no effect as the credentials can be retrieved
from the SLC system service.
EnrollURL0 mandatory Secure Login URL that is used for authentication
and certificate enrolment. The URL locates the Server instance that is valid
for the Secure Login Client. For example:
http://myServer.local/securelogin/PseServer?id=0001
EnrollURL<n> optional URL of fallback SECUDE Secure Login Server, if
URL n-1 fails (with n>1).
The counter n must be a positive integer without
leading 0‟s. The sequence must be strictly
increasing by one. A gap stops the sequence, all
remaining URLs are ignored. Empty URLs are
ignored and skipped.
GracePeriod optional Seconds before expiration of this certificate to
re-enroll automatically.
(default: 0)
HttpProxyURL optional HTTP proxy to be used with enroll URLs. Only
HTTP proxies without authentication and without
SSL to proxy are supported.
Example: http://proxy.secude.com:3128
InactivityTimeout optional Seconds until an automatic logout is performed.
Mouse and keyboard events are checked for
inactivity.
> 0 :Seconds of inactivity
-1 :No single sign on (SSO), each SNC
connection forces new login
0 :No timeout, SSO without limitation
(default)
KeySize optional Size in bits of the newly-generated RSA keys.
Range: 512 – 16384 (default: 512)
machine mandatory Machine policy node.
Subnodes inside this node are written to:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE]
User policies are not supported.
Name mandatory Name of application context which also builds
the registry key name.
The special name “*” is used for the default
application entry, for which no PSEURI has to be
defined. It comprises automatically all SNC
names which are not defined explicitly or with
wildcards (see PSEURI attribute).
NetworkTimeout optional Network timeout in seconds before connection
is closed if the Server does not respond
(default: 45).
Profile mandatory Name of the security profile to be used for the
application, the name must match the profile
name in the profiles section.
The profile name “*” is used for the default
security profile that is configured by the user (for
example, the smart card profile).
Profiles mandatory Start of profile section, which contains the
unsorted list of security profiles.
PSEType mandatory Type of profile:
promptedlogin
For authentication using an RSA Server.
windowslogin
For authentication using an ADS Server.
PSEURI mandatory Application-specific PSE URI (full qualified SNC
name, or substring of SNC name or *), that is
matched when a fitting profile is searched.
The wildcards “*” and “?” can be used.
Examples:
“SNC/cn=SAP, o=SECUDE, c=DE”
“SNC/CN=Server*, ou=Strong”
For further examples, see section 9.1.3
„Wildcards in Distinguished Names for the
PSEURI Attribute‟on page 244.
ReUseKey optional If true, the RSA key is kept unless a manual
logout is performed or the user process
psesvc.exe is shut down (default: false).
secude mandatory Root node
securelogin mandatory SECUDE Secure Login policy node
SSLHostAlternativeNameCheck optional SSL Server certificate: Check if peer host name
is given in its subject alternative names (default: false).
SSLHostCommonNameCheck optional SSL Server certificate: Check if peer host name
is given in its subject common name (default: false).
SSLHostExtensionCheck optional SSL Server certificate: Check if the peer‟s
certificate has extended key usage ServerAuthentication set (default: false).
UniqueClientID optional Customer-defined string (default: NULL).
useSslPse optional If true, turns on the former SSL PSE based
trust store for HTTPS. If false (default), the
Microsoft CAPI is used for HTTPS trust.
UserWarningPassword
optional Warning dialog box before user name and
password are sent to SLS (default: false).
UserWarningMSIE optional Display of warning dialog box after a new
certificate has been propagated to Microsoft
Crypto Store: MSIE must be restarted (default:
false).
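As an added example (not part of the manual and not SECUDE code), the following Python reads a policy of the shape shown in 9.1.2 and applies three rules from the table above: the EnrollURL<n> sequence rule (counting from 0, strictly increasing by one, a gap stops the sequence, empty URLs are skipped), the requirement that every application's profile exists in the profiles section, and the clean/replace/keep action semantics. The policy text is constructed for the example (its enrollURL gap and its undefined profile are deliberate), and a plain dict stands in for the registry key the Client writes.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy, modelled on the manual's ClientPolicy.xml example
# but trimmed, with a deliberately broken enrollURL sequence and an application
# that references a profile which is never defined. Not a SECUDE file.
POLICY_XML = """<secude><securelogin><machine>
  <applications action="clean">
    <application name="SAP Server ADS"><attributes>
      <attribute name="pseURI" value="SNC/cn=SAPServer,o=SECUDE,ou=Support,c=DE" type="string"/>
      <attribute name="profile" value="SAP with Windows Logon" type="string"/>
    </attributes></application>
    <application name="SAP Server Strong Authentication"><attributes>
      <attribute name="pseURI" value="ou=Strong Authentication" type="string"/>
      <attribute name="profile" value="SAP with RSA SecurID" type="string"/>
    </attributes></application>
    <application name="DEFAULT"><attributes>
      <attribute name="pseURI" value="*" type="string"/>
      <attribute name="profile" value="*" type="string"/>
    </attributes></application>
  </applications>
  <profiles action="replace">
    <profile name="SAP with Windows Logon"><attributes>
      <attribute name="pseType" value="windowslogin" type="string"/>
      <attribute name="enrollURL0" value="https://adslogin:8443/securelogin/PseServer?=0003" type="string"/>
      <attribute name="enrollURL1" value="" type="string"/>
      <attribute name="enrollURL2" value="https://adsloginbackup:8443/securelogin/PseServer?=0003" type="string"/>
      <attribute name="enrollURL4" value="https://never-used:8443/securelogin/PseServer?=0003" type="string"/>
      <attribute name="autoReenrollTries" value="3" type="integer"/>
    </attributes></profile>
  </profiles>
</machine></securelogin></secude>
"""


def _attributes(node):
    """Collect the <attribute name=... value=...> pairs below one element."""
    return {a.get("name"): a.get("value", "") for a in node.iter("attribute")}


def parse_policy(xml_text):
    """Return the machine policy as plain dicts together with the action of
    each section; the manual's default when 'action' is absent is keep."""
    machine = ET.fromstring(xml_text).find("securelogin/machine")
    apps, profs = machine.find("applications"), machine.find("profiles")
    return {
        "applications_action": apps.get("action", "keep"),
        "applications": {a.get("name"): _attributes(a) for a in apps.findall("application")},
        "profiles_action": profs.get("action", "keep"),
        "profiles": {p.get("name"): _attributes(p) for p in profs.findall("profile")},
    }


def enroll_urls(profile_attrs):
    """Ordered fallback list built from enrollURL0, enrollURL1, ...: the
    sequence ends at the first missing index (enrollURL4 after a gap at 3 is
    ignored); an empty value is skipped but does not end the sequence."""
    urls, n = [], 0
    while f"enrollURL{n}" in profile_attrs:
        value = profile_attrs[f"enrollURL{n}"].strip()
        if value:
            urls.append(value)
        n += 1
    return urls


def dangling_profile_references(policy):
    """Applications whose 'profile' is neither '*' nor a defined profile name."""
    known = set(policy["profiles"]) | {"*"}
    return sorted(name for name, attrs in policy["applications"].items()
                  if attrs.get("profile", "*") not in known)


def merge_profiles(existing, action, incoming):
    """Apply the action attribute of the profiles section to an existing set
    of profiles (here a dict standing in for the registry key)."""
    if action == "clean":          # drop everything, then write the given ones
        return dict(incoming)
    merged = dict(existing)
    for name, attrs in incoming.items():
        if name in merged and action == "keep":
            continue               # keep: an existing profile of that name wins
        merged[name] = attrs       # replace (or a new name under keep)
    return merged
```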
9.1.3 Wildcards in Distinguished Names for the PSEURI Attribute
Introduction
The PSEURI attribute allows you to use wildcards to identify an SAP system by its SNC
name. The SNC name is given as a printed X.500 distinguished name. The wildcards are
as follows:
Use “*” for many characters
Use “?” for just one character
Rules
There are a few rules to follow for the use of wildcards:
Do not use wildcards if you want to select one specific Server.
Make the patterns as long as possible.
Should there be more than one pattern matching a Server, then the longest pattern wins
(and with equal length, the one with fewer wildcards).
Example
The following example assumes that the following Servers exist:
Server-A: “SNC/CN=Server-A, CN=Low-Security, C=DE”
Server-B: “SNC/CN=Server-B, CN=High-Security, C=DE”
Server-C: “SNC/CN=Server-C, CN=High-Security, C=DE”
Server-D: “SNC/CN=Server-D, CN=High-Security, C=DE”
Pattern for PSEURI Matching…
* Any Server.
SNC/* Any Server.
SNC/CN=Server-*,CN=*-Security,C=DE Any Server.
SNC/*,CN=High-Security,* Only high security Servers (B,C,D).
Assuming you have used the last pattern for all high security Servers, but you need
a different treatment for Server D, you may use the following patterns:
Pattern for PSEURI Matching…
SNC/CN=Server-D,CN=High-Security,C=DE Only Server D.
SNC/CN=Server-D,CN=High-Security,* Only Server D.
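The matching and selection rules of this section, as an added Python example (not SECUDE code): it translates a PSEURI pattern into a regular expression and picks the winning application context by the longest-pattern, fewest-wildcards rule. It assumes a case-sensitive comparison and that blanks after the "," separators of a printed DN are ignored, which is what makes the blank-free patterns in the tables above match the printed Server names.

```python
import re

# Constructed from the example of this section (the SNC names of four Servers).
SERVERS = {
    "Server-A": "SNC/CN=Server-A, CN=Low-Security, C=DE",
    "Server-B": "SNC/CN=Server-B, CN=High-Security, C=DE",
    "Server-C": "SNC/CN=Server-C, CN=High-Security, C=DE",
    "Server-D": "SNC/CN=Server-D, CN=High-Security, C=DE",
}


def normalize(name):
    """Drop the optional blanks after the ',' separators of a printed DN.
    Assumption: the Client compares SNC names in this canonical form."""
    return re.sub(r",\s*", ",", name.strip())


def pattern_to_regex(pattern):
    """'*' matches any run of characters, '?' exactly one character; every
    other character of the pattern is taken literally."""
    parts = []
    for ch in normalize(pattern):
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def matches(pattern, snc_name):
    return pattern_to_regex(pattern).match(normalize(snc_name)) is not None


def wildcard_count(pattern):
    return pattern.count("*") + pattern.count("?")


def select_application(applications, snc_name):
    """applications maps an application name to its PSEURI pattern. Among all
    matching patterns the longest wins; with equal length the one with fewer
    wildcards wins. Returns None when no pattern matches."""
    candidates = [(name, normalize(pat)) for name, pat in applications.items()
                  if matches(pat, snc_name)]
    if not candidates:
        return None
    best = max(candidates, key=lambda c: (len(c[1]), -wildcard_count(c[1])))
    return best[0]


def matching_servers(pattern):
    """Which of the example Servers a pattern selects (the 'Matching' column)."""
    return sorted(key for key, name in SERVERS.items() if matches(pattern, name))
```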
9.1.4 Configuring Secure Login with Microsoft Group Policies
Introduction
SECUDE Secure Login allows you to integrate the registry keys and values for the SECUDE
Secure Login Client in your company‟s group policies.
1. If you have not already installed the Secure Login group policy file supplied with the
installer package, double-click the package and follow the instructions until you get to
the Custom Setup dialog:
Figure 9-1 installer – custom setup – group policies
2. Deselect all of the components except Group Policies. Click Next and continue until
the installation is finished.
The SECUDEsecurelogin.ADM file will be copied to the following directory:
Windows\inf
When edited by the policy editor they will be copied to the following directory:
Windows\system32\GroupPolicies\adm
The SECUDEsecurelogin.ADM file contains the keys used to configure the SECUDE
security profiles.
In addition to installing the ADM file, selecting Group Policies
installs the full group policy documentation (HTML) to the
directory:
C:\Program Files\Common Files\SECUDE\officesecurity\ADM-DOC
As well as a link in the start menu:
Start > All Programs > SECUDE > officesecurity > ADM Documentation.
For a description of the keys and values, refer to the explanations provided by the group
policy editor.
9.2 Configurable Properties
Introduction
This chapter describes the Secure Login properties that can be configured via a number of
files.
Sections
Section 9.2.1 „Files‟, on page 246
Section 9.2.2 „Web.xml‟, on page 247
Section 9.2.3 „Configuration.properties‟, on page 248
Section 9.2.4 „JAAS Module Configuration‟, on page 253
9.2.1 Files that Contain Configurable Properties
Introduction
This section details the configuration files needed by Secure Login.
Files
SECUDE Secure Login Server is configured in the following files (these files are included in
the installation package):
File to be configured Details
Web.xml
This file contains deployment information for the
SECUDE Secure Login servlet.
For further information refer to 9.2.2 „Web.xml‟, on
page 247.
Configuration.properties This is the main SECUDE Secure Login Server
configuration file.
For further information refer to section 9.2.3
„Configuration.properties‟ on page 248.
JAAS module configuration files This file defines specific properties for
authentication.
NOTE: for each authentication method used
(LDAP/ADS, RADIUS/RSA/SAP-ID), there is a
special JAAS module configuration file.
For further information refer to section 9.2.4 „JAAS
Module Configuration‟ on page 253.
Server message property files These files contain localized messages for the
Clients.
9.2.2 Web.xml File
Introduction
The Web.xml file contains the deployment information for the SECUDE Secure Login
servlet. This information is required by the servlet engine to map the URL to a specific
servlet and it also contains further information for the operation of SECUDE Secure Login
Server.
You can configure the following parameters in the Web.xml file:
The location of the SECUDE Secure Login Server configuration.properties file.
The location of the lock file
Configure configuration.properties File Location
Locate the following code snippet in the Web.xml file to set the file path:
<init-param>
<param-name>ConfigURL</param-name>
<param-value>URL</param-value>
</init-param>
Parameter Details
URL Change the property URL to that of the configuration.properties
file. For example:
<Tomcat home>\Webapps\securelogin\WEB-INF\Instances\Configuration.properties
Configure Lock
File Location
Locate the following code snippet in the Web.xml file to set the lock file path:
<init-param>
<param-name>LockDir</param-name>
<param-value>path</param-value>
</init-param>
Parameter Details
path Path of the PseServer.lock file. By default the file is stored in the
standard temporary directory of the Java VM. For example:
<Tomcat home>\Webapps\securelogin\WEB-INF\Instances
9.2.3 Configuration.properties File
Introduction
The SECUDE Secure Login Server is configured via a set of properties stored in a standard
Java property file. The name of this file is configuration.properties.
The configuration.properties file does not contain authentication-specific
properties. It does contain the parameter AuthConfigPath which specifies the location
of the separate JAAS module configuration file. For further information refer to section
9.2.4 „JAAS Module Configuration‟ on page 253.
Multiple SECUDE Secure Login Server Instances
If several SECUDE Secure Login Server instances are to run on the same application
Server, all SECUDE Secure Login Server instances have to use the same JAAS module
configuration file.
In other words, the AuthConfigPath parameter must contain the same value for all
Server instances.
If you want to use different authentication-specific properties for different SECUDE Secure
Login Server instances, you have to use different JAAS module names using the
JaasModule configuration property.
Configurable Properties
The following table details the SECUDE Secure Login Server configuration properties (in
alphabetical order):
Property Mandatory
/Optional
Details
AdminServletHeader
Optional Header displayed above the results on the result page
of the administrative servlet.
AdminServletTrailer
Optional Trailer displayed below the results on the result page of
the administrative servlet.
ArchivingDir
Optional Name of the directory in which certificate requests and
certificates are archived. If set, this enables the
archiving of all certificate requests and all issued
certificates.
Certificate requests are archived as BASE64 encoded
PKCS#10 files.
Certificates are archived as BASE64 encoded PKCS#7
files.
The file naming convention for both certificates and
certificate requests is as follows:
[date][user][ServerURL].ext, where:
date is in the form: yyyymmddhhmmssmm.
user is the name of the authenticated user.
ServerURL is derived from the URL of the SECUDE
Secure Login Server, by replacing all sequences of
characters other than A-Z, a-z, 0-9, and dots (.) with one
underscore (_). The ServerURL is empty if the user logs
in via the Web Client.
.ext is p10 or p7c for PKCS#10 or PKCS#7 files,
respectively.
AuthConfigPath Mandatory URL of the JAAS module configuration file.
CertificateFormat Optional Type of the generated certificate. Possible values:
V1 (default) for a version 1 certificate
For version 1 certificates the following properties
are ignored:
PrivateExtension
PrivateExtension.name
StandardExtension
CertificatePolicies.OID
V3 for a version 3 certificate
For version 3 certificates, the following standard
extensions are always added to the certificate:
BasicConstraints
KeyUsage
Note: V3 has a negative performance impact
because the V3 format is more complicated than
the V1 format.
CertificateName Optional The case of the characters of the user name included
as the DN in the certificate. Possible values:
Uppercase
Lowercase
Default value: The user name is entered as it is
received from the Client.
CertificatePolicies.OID
Optional If CertificatePolicies is specified in the
StandardExtension property, this entry is used to
list the object identifiers (separated by spaces) to be
contained in the extension.
Default value: The CertificatePolicies extensions
are not included in the certificate.
DailyLogDir Mandatory Directory in which the daily log files are stored.
DailyLogPrefix
Mandatory Prefix for the daily log files. The generated log file name
is: prefix_yyyy_mm_dd.log
y, m, and d are as specified in the Java SDK API class
java.text.SimpleDateFormat.
DN.country Mandatory Country part of the DN for the certificate.
DN.locality Optional Locality part of the DN for the certificate.
DN.organization Optional Organization part of the DN for the certificate.
DN.organizationalUnit
Optional Organizational unit part of the DN for the certificate.
JaasModule Optional Name of the JAAS module. The default value is:
SLSJaasModule
LockServerOnEventLogFailure
Optional Defines if the Server should be locked if transaction
logging fails.
False = do not lock the Server
True = lock the Server
LockInstanceOnTransactionLogFailure
Defines if the Server instance should be locked if
transaction logging fails.
False = do not lock the Server
True = lock the Server
MonthlyLogDir Mandatory Directory in which the monthly log files are stored.
MonthlyLogPrefix
Mandatory Prefix for the monthly log files. The generated log file
name is: prefix _yyyy_mm.log
y and m are as specified in the Java SDK API class
java.text.SimpleDateFormat.
PrivateExtension Optional Contains a list of names (separated by spaces) of
private extensions to be included in the certificate. For
each name in the list, there has to be a property
PrivateExtension.name.
PrivateExtension.name
Optional A Base64 encoded extension to be included in the
certificate.
Name must be one of the extension names specified in
PrivateExtension.
PseName Mandatory Name or URL of the PSE to be used.
If PseType is configured to NativePSE , PseName
has to be entered in the following form (follow the
punctuation exactly):
p11sc:,pkcs11 interface
(vendor interface name
„pkcs11 library name‟):
PsePassword Mandatory Password of the PSE. The PSE password is encrypted
with a standard 256 bit AES key via the Administration
Console and is decrypted by Secure Login before being
read.
PsePasswordIsUnencrypted
Optional Manually set the User CA PSE password (password is
not encrypted).
true : Do not encrypt the password.
false : Encrypt the password.
This feature is NOT recommended! It should only be
used if you do not want to use the Administration
Console.
PseType Mandatory Type of PSE used by the Server to sign the generated
certificates. Possible values:
FilePSE for using a file PSE.
NativePSE for using the native SECUDE core
component for PSE access.
SerialNumberPolicy Optional This parameter can be used to select serial number
generation algorithms. Possible value:
Hash: The serial number is the hashed subject name
(which is always the same for the same user but unique
for different users). The property
CertificateName=Uppercase must be entered as
well.
Default value: If empty or not entered, each new issued
certificate receives the current time stamp as the serial
number (which is, in a way, unique).
StandardExtension Optional List of additional standard extensions to be contained in
the certificate. Possible values:
AuthorityKeyIdentifier
SubjectKeyIdentifier
CertificatePolicies
In the case of CertificatePolicies, the policy
OIDs have to be specified via the property
CertificatePolicies.OID.
Other values are ignored.
UseUPN Optional Determines the UPN (User Principal Name) for the user
certificate. Possible values:
true : (default) Use the complete UPN.
false : Use the user name component of the UPN.
ValidityMinutes Mandatory Time period in minutes that the generated certificate is
valid.
ValidityOffset
Mandatory Time offset in minutes relative to the Server system
time for the certificates to start being valid.
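The ArchivingDir file naming convention described in the table above, as an added Python example (not the Server's own code): it derives the ServerURL part by collapsing every run of characters outside A-Z, a-z, 0-9 and "." into one underscore and chooses the extension by the archived object. It assumes that the trailing "mm" of yyyymmddhhmmssmm denotes hundredths of a second; the sample values are constructed.

```python
import re
from datetime import datetime


def server_url_part(server_url):
    """ServerURL component of the archive file name: each run of characters
    other than A-Z, a-z, 0-9 and '.' becomes a single '_'. A Web Client login
    carries no Server URL and yields an empty part."""
    if not server_url:
        return ""
    return re.sub(r"[^A-Za-z0-9.]+", "_", server_url)


def archive_file_name(when, user, server_url, kind):
    """Build [date][user][ServerURL].ext for the archived request or certificate.
    kind is 'request' (PKCS#10 -> .p10) or 'certificate' (PKCS#7 -> .p7c).
    Assumption: the last two digits of the date are hundredths of a second."""
    ext = {"request": "p10", "certificate": "p7c"}[kind]
    date = when.strftime("%Y%m%d%H%M%S") + f"{when.microsecond // 10000:02d}"
    return f"{date}{user}{server_url_part(server_url)}.{ext}"


if __name__ == "__main__":
    # Constructed sample: the enrolment URL of the policy example in 9.1.2.
    stamp = datetime(2008, 1, 16, 18, 5, 38, 120000)
    print(archive_file_name(stamp, "JDOE",
                            "https://adslogin:8443/securelogin/PseServer?=0003",
                            "request"))
```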
Sample configuration.properties File
#This is the SecureLogin configuration file
#Last Modified:Wed Jan 16 18:05:38 CET 2008
# These properties are the global settings
AdminUser=SECUDEAdmin
AdminPassword=7ZUHN9miuh7nuhoO98HGZo\=\=
AuthConfigPath=file\:C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\SLSJaasModule.login
TrustStore=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\TrustStore.jks
TrustStorePassword=HJU7hg1tkjU/hj8U/onli8HJgZ7H\=\=
Localization=en
doTrace=true
ActiveInstances=00020
LastServerID=00020
# The default settings for the Server instance
PseType=FilePSE
PseName=file\:C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\SLS_USERCA_PSE.pse
PsePassword=7ZUHN9miuh7nuhoO98HGZo\=\=
DN.country=DE
DN.locality=Darmstadt
DN.organization=SECUDE
DN.organizationalUnit=
ValidityMinutes=480
ValidityOffset=-5
CertificateFormat=V3
CertificateName=Uppercase
UseUPN=true
StandardExtension=AuthorityKeyIdentifier SubjectKeyIdentifier
KeyUsage=DigitalSignature NonRepudiation KeyEncipherment DataEncipherment
ExtendedKeyUsage=
PrivateExtension=
SerialNumberPolicy=Hash
ClientDisc=This is a private computer facility. Access to it for any reason must be specifically authorized.\r\n\r\nAuthorized users must use company systems in accordance with company policies and guidelines. Unauthorized access to this computer facility will expose you to criminal and/or civil proceedings.\r\n\r\nAll information contained in this computer system, including messages, is the property of the company. Subject to applicable law, the company reserves the right to access and disclose all information sent through or stored in this computer system, for any purpose.
ClientMotd=System Administrative Broadcast\:\r\nWe have determined that a newer version of the Secude PSE Manager is available for your computer. If you have a high speed WAN link to the main installation point, installations can be executed from main Server download directory. Please update your system within 5 business days.
ClientInactivityTimeout=300
maxSessionInactiveInterval=640
DailyLogDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\log
DailyLogPrefix=Transaction
MonthlyLogDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\log
MonthlyLogPrefix=Event
LockDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\
AdminServletHeader=<p>The status of the PSE Server in the Hybury facility is as follows\:<p>
AdminServletTrailer=<p>Should a problem arise, please contact the support desk: <b>0100 203040</b> or send an email to <a href\="mailto\:[email protected]">mailto\:[email protected]</a><p>
EnableLog=false
DN.commonName=
# The settings of the instance 00020
00020.PseType=FilePSE
00020.PseName=file\:C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\00020\\SLS_USERCA_PSE.pse
00020.PsePassword=7ZUHN9miuh7nuhoO98HGZo\=\=
00020.DN.country=DE
00020.DN.locality=Darmstadt
00020.DN.organization=SECUDE
00020.DN.organizationalUnit=
00020.ValidityMinutes=480
00020.ValidityOffset=-5
00020.CertificateFormat=V3
00020.CertificateName=Uppercase
00020.UseUPN=true
00020.StandardExtension=AuthorityKeyIdentifier SubjectKeyIdentifier
00020.KeyUsage=DigitalSignature NonRepudiation KeyEncipherment DataEncipherment
00020.ExtendedKeyUsage=
00020.PrivateExtension=
00020.SerialNumberPolicy=Hash
00020.ClientDisc=This is a private computer facility. Access to it for any reason must be specifically authorized.\r\n\r\nAuthorized users must use company systems in accordance with company policies and guidelines. Unauthorized access to this computer facility will expose you to criminal and/or civil proceedings.\r\n\r\nAll information contained in this computer system, including messages, is the property of the company. Subject to applicable law, the company reserves the right to access and disclose all information sent through or stored in this computer system, for any purpose.
00020.ClientMotd=System Administrative Broadcast\:\r\nWe have determined that a newer version of the Secude PSE Manager is available for your computer. If you have a high speed WAN link to the main installation point, installations can be executed from main Server download directory. Please update your system within 5 business days.
00020.ClientInactivityTimeout=300
00020.maxSessionInactiveInterval=640
00020.DailyLogDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\00020\\Log
00020.DailyLogPrefix=Transaction
00020.MonthlyLogDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\00020\\Log
00020.MonthlyLogPrefix=Event
00020.LockDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\00020
00020.AdminServletHeader=<p>The status of the PSE Server in the Hybury facility is as follows\:<p>
00020.AdminServletTrailer=<p>Should a problem arise, please contact the support desk: <b>0100 203040</b> or send an email to <a href\="mailto\:[email protected]">mailto\:[email protected]</a><p>
00020.EnableLog=false
00020.DN.commonName=
9.2.4 JAAS Module Configuration Files
Introduction
For each authentication method, a specific JAAS module has to be configured.
Contents
Section 9.2.4.1 „JAAS Module Configuration Files for LDAP/ADS‟, on page 253
Section 9.2.4.2 „JAAS Module Configuration Files for RADIUS/RSA‟, on page 257
Section 9.2.4.3 „JAAS Module Configuration Files for SAP ID‟, on page 260
9.2.4.1 JAAS Module Configuration Files for LDAP/ADS
Introduction
The JAAS module configuration file for LDAP/ADS contains the authentication specific
properties for LDAP authentication. The JAAS module class name for the LDAP module is:
com.secude.transfair.pepperbox.LdapJaasModule
Multiple Authentication Servers
Each LDAP Server has its own section in the JAAS module configuration file. If the first Server cannot be reached, the next Server in the list is used (provided that more than one Server is specified in the configuration file).
The order in which the Servers are entered in the configuration file defines the priority the Servers have in the authentication process.
By default, the first Server in the list that can be reached ends the authentication process, regardless of the type of response (OK or Access Denied). However, if the parameter TryAllServers is set to true, all of the Servers are queried until the first OK response is received.
Configurable Properties
The following table details the properties within the JAAS module configuration file for LDAP/ADS (in alphabetical order; mandatory or optional is given in parentheses):
LdapBaseDN (optional)
    Specifies the base domain name that is combined with the user name before sending it to the Active Directory Server. The following formats are valid:
    Domain part of UPN: the domain part is appended to the user name, using the @ separator. Example: if set to my.domain.com, the user test is authenticated as test@my.domain.com with the respective Server.
    Complete DN: the variable $USERID is replaced with the user name. Example: if set to cn=$USERID,cn=Users,dc=domain,dc=com, the user test is authenticated as cn=test,cn=Users,dc=domain,dc=com with the respective Server.
    NOTE: If a password expiry warning message is configured, only the second form can be used. For further information refer to section 9.2.5.2 „Password Expiry Warning Message‟ on page 264.
LdapHost (mandatory)
    URL of the Active Directory Server used to authenticate the user. The LdapHost value is passed to JNDI, therefore the interpretation of the protocol to be used is performed entirely by the JVM. To use LDAP over SSL the protocol has to be ldaps. For example: ldaps://my.host.com:636
LdapProviderLanguage (optional)
    Character set encoding for communication between the Secure Login Server and the LDAP/ADS Server. For example: ISO-8859-1 (for ADS)
LdapTimeout (optional)
    Period of time the Secure Login Server waits for a response before trying the next LDAP/ADS Server (in milliseconds).
PasswordExpirationAttribute (optional)
    The expiry date of the password. For the LDAP Authentication Server, the date must be in one of the following formats:
    UMT: 0060727081914Z or 0060727081914+0700Z
    GMT in ADS format: 0060727081914.0Z or 0060727081914.0+0700Z
    MS Gregorian calendar (the number of milliseconds since 01/01/1601), for example: 127984619236406250
    If a password expiry warning message is configured, the LdapBaseDN property must be given in complete DN form. The PasswordExpirationAttribute value is used for the password expiry warning only. For further information refer to section 9.2.5.2 „Password Expiry Warning Message‟ on page 264.
PasswordExpirationGracePeriod (optional)
    The interval (in days) a password expiry warning is sent to the Client prior to password expiry. For further information refer to section 9.2.5.2 „Password Expiry Warning Message‟ on page 264.
ServerID (optional)
    Determines which password expiry warning is used. This value is used for the password expiry warning only. For further information refer to section 9.2.5.2 „Password Expiry Warning Message‟ on page 264.
TrustStore (optional)
    Path to the CA certificates keystore used for Server authentication when using LDAP over SSL. Used globally for all LDAP modules in a TrustStore. Use of the Java keystore (*.jks) is mandatory when using LDAP over SSL.
TryAllServers (optional)
    Determines when to try the next Server in the list. Values:
    false (default): Try the next Server only if this Server cannot be reached.
    true: Try the next Server if this Server cannot be reached or answers Access Denied.
    All Servers have to be configured to either false or true.
Sample JAAS Module Configuration File for LDAP/ADS
SLSJaasModule
{
    com.secude.transfair.pepperbox.LdapJaasModule sufficient
        LdapHost="ldaps://10.49.0.150:636"
        LdapBaseDN="secude.com"
        LdapTimeout="100"
        LdapProviderLanguage="en-US"
        TryAllServers="true";
    com.secude.transfair.pepperbox.LdapJaasModule sufficient
        LdapHost="ldap://10.49.3.166:389"
        LdapBaseDN="uid=$USERID,ou=people,dc=neptun,dc=secude,dc=com"
        LdapTimeout="100"
        LdapProviderLanguage="en-US"
        ServerID="LDAP1"
        PasswordExpirationAttribute="passwordRenew"
        PasswordExpirationGracePeriod="20"
        TryAllServers="true";
    com.secude.transfair.pepperbox.LdapJaasModule sufficient
        LdapHost="ldaps://10.49.0.151:636"
        LdapBaseDN="secude.com"
        LdapTimeout="100"
        LdapProviderLanguage="en-US"
        TryAllServers="true";
};
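The Server-ordering rule described under "Multiple Authentication Servers" and the two LdapBaseDN forms from the property table, simulated in a small script. This is an added example and not SECUDE code: the directory Servers are replaced by in-memory stubs (a stub with no directory models an unreachable host), and all hosts, user names and passwords are constructed for the example.

```python
"""Added example (not SECUDE code): simulates how the Secure Login Server walks
the LDAP modules of SLSJaasModule, applying the TryAllServers rule and the two
LdapBaseDN forms (UPN domain part vs. complete DN with $USERID).  The directory
servers are replaced by in-memory stubs; every host, user and password here is
constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OK, DENIED, UNREACHABLE = "OK", "Access Denied", "unreachable"


def bind_name(ldap_base_dn: str, user: str) -> str:
    """Apply the LdapBaseDN rule: a value containing $USERID is a complete-DN
    template, anything else is the domain part of a UPN joined with '@'."""
    if "$USERID" in ldap_base_dn:
        return ldap_base_dn.replace("$USERID", user)
    return f"{user}@{ldap_base_dn}"


@dataclass
class LdapModule:
    """One 'LdapJaasModule sufficient ...;' entry plus a stub directory.

    directory maps accepted bind names to their passwords; None models a
    server that cannot be reached (assumption: a timeout is treated exactly
    like an unreachable host, as the LdapTimeout description implies)."""
    ldap_host: str
    ldap_base_dn: str
    try_all_servers: bool = False
    directory: Optional[dict] = None

    def bind(self, user: str, password: str) -> str:
        if self.directory is None:
            return UNREACHABLE
        name = bind_name(self.ldap_base_dn, user)
        return OK if self.directory.get(name) == password else DENIED


def authenticate(modules: List[LdapModule], user: str, password: str) -> Tuple[str, List[str]]:
    """Return (final result, hosts contacted) for the modules in file order.

    Default (TryAllServers=false): the first reachable server's answer is final.
    TryAllServers=true: an 'Access Denied' is skipped until some server says OK."""
    settings = {m.try_all_servers for m in modules}
    if len(settings) != 1:
        raise ValueError("All Servers have to be configured to either false or true")
    try_all = settings.pop()
    contacted, result = [], UNREACHABLE
    for module in modules:
        contacted.append(module.ldap_host)
        result = module.bind(user, password)
        if result == OK or (result == DENIED and not try_all):
            break
    return result, contacted


def demo() -> dict:
    """Constructed scenario mirroring the sample file: the first ldaps host is
    down, the second holds the user under a complete DN, the third is an ADS
    that knows the UPN form.  The password is only valid on the ADS."""
    people = {"uid=test,ou=people,dc=neptun,dc=secude,dc=com": "ldap-only-pw"}
    ads = {"test@secude.com": "ads-pw"}

    def chain(try_all: bool) -> List[LdapModule]:
        return [
            LdapModule("ldaps://10.49.0.150:636", "secude.com", try_all, None),
            LdapModule("ldap://10.49.3.166:389",
                       "uid=$USERID,ou=people,dc=neptun,dc=secude,dc=com", try_all, people),
            LdapModule("ldaps://10.49.0.151:636", "secude.com", try_all, ads),
        ]

    return {
        "default": authenticate(chain(False), "test", "ads-pw"),
        "try_all": authenticate(chain(True), "test", "ads-pw"),
        "try_all_wrong_pw": authenticate(chain(True), "test", "wrong"),
    }


if __name__ == "__main__":
    for name, (result, hosts) in demo().items():
        print(f"{name}: {result} after contacting {hosts}")
```

The "try_all_wrong_pw" case shows the side effect that Example 2 of the RADIUS/RSA section warns about: with TryAllServers set to true, a wrong password is presented to every reachable Server, so each of them counts a failed login.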
9.2.4.2 JAAS Module Configuration Files for RADIUS/RSA
Introduction
The JAAS module configuration file for RADIUS/RSA contains the authentication specific properties for RADIUS authentication. The JAAS module class name for the RADIUS/RSA module is: com.secude.transfair.pepperbox.RsaRadiusJaasModule
Multiple Authentication Servers
Each RADIUS/RSA Server has its own section in the JAAS module configuration file. If the first Server cannot be reached, the next Server in the list is used (provided that more than one Server is specified in the configuration file).
The order in which the Servers are entered in the configuration file defines the priority the Servers have in the authentication process.
By default, the first Server in the list that can be reached ends the authentication process, regardless of the type of response (OK or Access Denied). However, if the parameter TryAllServers is set to true, all of the Servers are queried until the first OK response is received.
Configurable Properties
The following table details the properties within the JAAS module configuration file for RADIUS/RSA (in alphabetical order; mandatory or optional is given in parentheses):
Authenticator (mandatory)
    Authentication method for the RADIUS/RSA Server. Possible values: CHAP, MSCHAP, PAP.
    NOTE: The RSA Authentication Manager only supports the PAP authentication protocol.
AuthPort (mandatory)
    The port number used by the RADIUS/RSA Server for authentication requests.
PinAlphanumeric (optional)
    PIN format. This parameter is only used with RSA SecurID tokens. Possible values:
    true: the user can choose, and use, a PIN which contains only alphanumeric characters (A-Z, a-z, 0-9).
    false (default): the user can choose, and use, a PIN which contains alphanumeric and special characters (such as !$%&).
    The default password policy for RSA allows only numeric PINs, which cannot be set up via the Secure Login Server/Client policy properties.
PinMax (optional)
    Maximum PIN length for a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 8
PinMin (optional)
    Minimum PIN length for a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 4
RadiusServerIP (mandatory)
    Host address of the RADIUS/RSA Server (used for user authentication).
RSAServerIniFile (optional)
    For configuring RSA Server messages. If the RSA Server version is 6.1, a copy of the RSA Server RADIUS message *.ini file (securid.ini) has to be present. Make sure you enter the full path and file name, for example: <Tomcat home>\Webapps\securelogin\WEB-INF\securid.ini
SharedSecret (mandatory)
    Shared secret used by the RADIUS/RSA Server to encrypt the user password.
TimeOut (mandatory)
    Period of time the Secure Login Server waits for a response before trying the next RADIUS/RSA Server (in milliseconds).
TryAllServers (optional)
    Determines when to try the next Server in the list. Values:
    false (default): Try the next Server only if this Server cannot be reached.
    true: Try the next Server if this Server cannot be reached or answers Access Denied.
    All Servers have to be configured to either false or true.
Other attributes (optional)
    Any RADIUS attribute present in the Client's dictionary and which the Server expects to be included in the request. For example: NAS-IP-Address, NAS-Port
Sample JAAS Module Configuration File for RADIUS / RSA – Example 1
SLSJaasModule
{
    com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
        RadiusServerIP="10.49.7.15"
        AuthPort="1812"
        SharedSecret="ActivPack"
        TimeOut="5000"
        Authenticator="pap"
        NAS-IP-Address="213.188.106.173"
        NAS-Port="235"
        TryAllServers="true";
    com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
        RadiusServerIP="10.49.2.5"
        AuthPort="1645"
        SharedSecret="secret"
        TimeOut="5000"
        Authenticator="pap"
        PinMin="6"
        PinMax="8"
        PinAlphanumeric="true"
        TryAllServers="true";
};
Example 2
The following configuration is for a scenario in which the Authentication Servers are configured for failover and share the same user database. To prevent the counter for failed logins from being incremented by 3, TryAllServers is set to false. When a user enters the wrong password, only the first reachable Server answers Access Denied, and increments the counter for failed logins by 1:
SLSJaasModule
{
    com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
        RadiusServerIP="10.49.7.15"
        AuthPort="1812"
        SharedSecret="ActivPack"
        TimeOut="5000"
        Authenticator="pap"
        NAS-IP-Address="213.188.106.173"
        NAS-Port="235"
        TryAllServers="false";
    com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
        RadiusServerIP="10.49.7.16"
        AuthPort="1812"
        SharedSecret="ActivPack"
        TimeOut="5000"
        Authenticator="pap"
        NAS-IP-Address="213.188.106.173"
        NAS-Port="235"
        TryAllServers="false";
    com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
        RadiusServerIP="10.49.7.17"
        AuthPort="1812"
        SharedSecret="ActivPack"
        TimeOut="5000"
        Authenticator="pap"
        NAS-IP-Address="213.188.106.173"
        NAS-Port="235"
        TryAllServers="false";
};
9.2.4.3 JAAS Module Configuration Files for SAP ID
Introduction
The JAAS module configuration file SLSsap.login must be configured if you want to use SAP ID-based authentication.
Example Configuration File
Here is an example of a finished configuration file:
SLSJaasModule
{
    com.secude.transfair.pepperbox.SAPJaasModule sufficient
        SAPServer="10.49.7.3"
        Client="000"
        SystemNo="00"
        SNCServerName="p:CN=SAP NetWeaver 2004, O=secude.local, C=DE"
        SAPaccount="SLSServer"
        NativeLibraryPath="C:\\SECUDE";
};
Configurable Properties
The following table details the properties within the JAAS module configuration file for SAP ID (in alphabetical order; mandatory or optional is given in parentheses):
Client (mandatory)
    SAP System ID
NativeLibraryPath (mandatory)
    The fully qualified path to the native files (SECUDE SNC plus, if needed, SAP JCO)
PasswordAlphanumeric (optional)
    This parameter is part of the password policy for the Client-side policy consistency check. Possible values:
    true (default): the password can contain only alphanumeric characters (A-Z, a-z, 0-9).
    false: the password can contain alphanumeric and special characters (such as !$%&).
    This parameter must be consistent with the SAP password policy.
PasswordMax (optional)
    This parameter is part of the password policy for the Client-side policy consistency check, specifically the maximum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 30
PasswordMin (optional)
    This parameter is part of the password policy for the Client-side policy consistency check, specifically the minimum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 1
SAPaccount (mandatory)
    The SAP user account name for the SECUDE Secure Login Server.
SAPServer (mandatory)
    IP or URL of the SAP Server
SNCServerName (mandatory)
    The DN of the SAP Server, as stated in the Server certificate (the subject DN of the X.509 certificate). For example: p:CN=SAP NetWeaver 2004, O=secude.local, C=DE
SystemNo (mandatory)
    SAP System Number
TryAllServers (optional)
    Determines when to try the next Server in the list. Values:
    false (default): Try the next Server only if this Server cannot be reached.
    true: Try the next Server if this Server cannot be reached or answers Access Denied.
    All Servers have to be configured to either false or true.
Please contact the SAP Server administrator to make sure that the password policy information in the configuration file is correct.
Related Information
For information about SECUDE Secure Login Server error codes that may be produced by the JAAS module, refer to section 8.3 „SAP ID Error Codes and Return Codes‟ on page 232.
9.2.5 Files for Server Message Configuration
Introduction
The SECUDE Secure Login Server can provide localized messages for the Clients. This is done by creating property files for all required languages.
It is recommended to use the Administration Console to edit any messages (see section 6.1.11 on page 156).
Location of the Message Property Files
The property files have to be provided in the classes subdirectory of the application Server‟s Webapps directory. For example (Tomcat):
<Tomcat home>\Webapps\securelogin\WEB-INF\classes
Message Property File Names
The property files for the Server messages are as follows:
ServerMsg.properties
ServerMsg_<language>.properties
ServerMsg_<language>_<country>.properties
The naming convention for the ServerMsg_ files varies according to the following:
<language>: ISO 636 language code, consisting of two lower case letters
<country>: ISO 3166 country code, consisting of two upper case letters
The Server provides the messages in the language requested by the Client, if available, or else uses a more generic language.
For example, if the Client requests language de_CH, then the Server provides messages configured for de_CH, if available. If de_CH is not available, the Server provides messages configured for de, if available. If de is also not available, the Server provides messages configured in the generic ServerMsg.properties file.
Message Format
The message format can be either plain text or rich text. Rich text messages are contained in a body element. You can use the following codes:
<body>message</body>: The whole rich text message has to be enclosed in body start and end tags.
\r\n: Inserts a line break.
<b>text</b>: Uses bold formatting for text.
<i>text</i>: Uses italics formatting for text.
<any color="red">text</any>: Uses the color red for text (red is the only color supported).
<a href="URL">anchor</a>: Inserts a link to the destination URL with the link text anchor.
9.2.5.1 Configurable Messages
A property file for Server messages contains pairs of message code and message values. Every property file must contain all message codes, but the message value part may be left empty.
It is recommended to use the Administration Console to edit any messages (see section 6.1.11 on page 156).
To split long messages in the property file to span several lines, use backslash (\) escaped line endings.
The configurable messages are as follows (the values shown are the messages as delivered with Secure Login):
AUTH_EMPTY_CREDENTIAL_ERROR_MSG
    No empty usernames or passwords are allowed.
AUTH_LDAP_NAMING_ERROR_MSG
    The LDAP Server denied the retrieval of data with the entered username and password.
AUTH_RESULT_ACTION_DENIED_MSG
    The authentication failed.
    This message can be combined with the variable $SERVERMSG to present the user with a reason for the denial. The $SERVERMSG variable is an option to forward the raw Authentication Server message to the Secure Login Client. For example:
    Access denied because..$SERVERMSG
    The $SERVERMSG variable should only be used with Sun directory Servers and SAP-ID. If used with RSA no messages will be sent by default, and if used with ADS a cryptic text message will be sent.
AUTH_RESULT_ACTION_OK_MSG
    The authentication process has finished successfully.
AUTH_SERVER_CANT_RESOLVE_MSG
    The Authentication Server name cannot be resolved.
AUTH_SERVER_TIMEOUT_MSG
    While trying to reach the Authentication Server, a timeout occurred.
CONFIG_ACTION_DISCLAIMER_MSG
    The disclaimer message.
CONFIG_ACTION_MSG
    The salutatory message.
ERROR_ACTION_FORMAT_MSG
    An error occurred due to a message sent by the Client, which the Server cannot interpret.
ERROR_ACTION_INTERNAL_MSG
    A fatal error occurred due to Server problems.
<ServerID>_WARN_MSG
    <body><b>Attention!</b>Your password will expire on $EXPDATE</body>
NEW_PIN_REPLY_ACCEPTED_MSG
    The newly selected PIN has been accepted by the Server.
NEW_PIN_REPLY_REJECTED_MSG
    The newly selected PIN has been rejected by the Server.
NEW_PIN_REQUIRED_ACTION_MSG
    The user has to enter a new PIN for a Server forced PIN change.
SEND_NEXT_TOKEN_CODE_ACTION_MSG
    The user has to enter the next token code displayed on the RSA SecurID token.
STATUS_ACTION_MSG
    The current Server status is enclosed with this transfairgram (only for diagnostic purpose)
In addition, optional password expiration messages for LDAP Authentication Servers can be included in this file. For further information refer to section 9.2.5.2 „Password Expiry Warning Message‟ on page 264.
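A reader for the message property files, covering the backslash-escaped line endings mentioned above and the de_CH, then de, then ServerMsg.properties fallback described in section 9.2.5. This is an added example, not SECUDE code: the parser follows java.util.Properties syntax, and the three files are constructed in-memory strings rather than the files delivered with Secure Login.

```python
"""Added example (not SECUDE code): a minimal reader for ServerMsg property
files in java.util.Properties syntax (backslash-continued lines, \\r\\n and
\\uXXXX escapes) and the de_CH -> de -> ServerMsg.properties fallback described
in section 9.2.5.  The files below are constructed in-memory strings, not the
files shipped with Secure Login."""

_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "f": "\f"}


def _unescape(raw: str) -> str:
    """Resolve backslash escapes the way java.util.Properties does."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt == "u" and i + 5 < len(raw):
                out.append(chr(int(raw[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append(_ESCAPES.get(nxt, nxt))   # \: \= \\ \# map to themselves
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def _split_key(entry: str):
    """The key ends at the first unescaped '=' or ':'."""
    i = 0
    while i < len(entry):
        if entry[i] == "\\":
            i += 2
            continue
        if entry[i] in "=:":
            return entry[:i].rstrip(), entry[i + 1:]
        i += 1
    return entry, ""


def parse_properties(text: str) -> dict:
    """Parse key=value lines.  A line ending in an odd number of backslashes
    continues on the next line, whose leading whitespace is dropped."""
    props, logical = {}, ""
    for line in text.splitlines():
        if logical:
            line = line.lstrip()
        stripped = line.rstrip("\\")
        if (len(line) - len(stripped)) % 2 == 1:
            logical += stripped
            continue
        entry, logical = (logical + line).strip(), ""
        if not entry or entry[0] in "#!":
            continue
        key, value = _split_key(entry)
        props[_unescape(key)] = _unescape(value.strip())
    return props


def candidate_files(locale: str) -> list:
    """Most specific file first: ServerMsg_<lang>_<country>, ServerMsg_<lang>, ServerMsg."""
    lang, _, country = locale.partition("_")
    names = []
    if lang and country:
        names.append(f"ServerMsg_{lang}_{country}.properties")
    if lang:
        names.append(f"ServerMsg_{lang}.properties")
    names.append("ServerMsg.properties")
    return names


def select_bundle(files: dict, locale: str):
    """Return (file name, parsed messages) of the first candidate that exists."""
    for name in candidate_files(locale):
        if name in files:
            return name, parse_properties(files[name])
    raise KeyError("ServerMsg.properties must always be present")


def lookup(files: dict, locale: str, code: str) -> str:
    return select_bundle(files, locale)[1][code]


# Constructed sample files (contents are examples, not Secure Login's defaults).
SAMPLE_FILES = {
    "ServerMsg.properties": (
        "# generic messages\n"
        "AUTH_EMPTY_CREDENTIAL_ERROR_MSG=No empty usernames or passwords are \\\n"
        "    allowed.\n"
        "CONFIG_ACTION_DISCLAIMER_MSG=This is a private computer facility.\\r\\n\\r\\nAuthorized users only.\n"
        "LDAP1_WARN_MSG=<body><b>Attention!</b> Your password will expire on $EXPDATE.</body>\n"
    ),
    "ServerMsg_de.properties": (
        "AUTH_EMPTY_CREDENTIAL_ERROR_MSG=Leere Benutzernamen oder Passw\\u00f6rter sind nicht erlaubt.\n"
        "CONFIG_ACTION_DISCLAIMER_MSG=\n"
        "LDAP1_WARN_MSG=\n"
    ),
}

if __name__ == "__main__":
    for loc in ("de_CH", "de", "fr_FR"):
        print(loc, "->", select_bundle(SAMPLE_FILES, loc)[0])
```

Note that the fallback is per file, as the manual states: a de file with an empty LDAP1_WARN_MSG value yields an empty message for German Clients, it does not fall through to the generic file.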
9.2.5.2 Password Expiry Warning Message
Introduction
The property file for Server messages may optionally contain password expiry warning
messages for any LDAP Authentication Server.
Examples
An entry for such a message has the following structure:
ServerID_WARN_MSG = <body><b>Attention!</b> Your password will expire on $EXPDATE.</body>
The following list details the variables in the warning message:
ServerID
    Determines which password expiry warning is used for which Server. Corresponds to the ServerID property in the JAAS module configuration file (see section 9.2.4.1 „JAAS Module Configuration Files for LDAP/ADS‟ on page 253).
$EXPDATE
    You can use the $EXPDATE variable in the password expiry warning to state the expiry date in the message. The date is retrieved from the LDAP/ADS Server using the PasswordExpirationAttribute property in the JAAS module configuration file. The date is formatted according to the local settings of the Client.
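The expiry-date path end to end, tying the PasswordExpirationAttribute formats and PasswordExpirationGracePeriod of section 9.2.4.1 to the $EXPDATE substitution above. This is an added example, not SECUDE code. One assumption is stated in the code: the "MS Gregorian calendar" value is read as a Windows FILETIME (100-nanosecond ticks since 01/01/1601 UTC) rather than milliseconds, because only that reading turns the manual's sample 127984619236406250 into a date in July 2006, matching the other sample values; the remaining timestamps are constructed.

```python
"""Added example (not SECUDE code): parses the expiry-attribute formats listed
for PasswordExpirationAttribute, applies PasswordExpirationGracePeriod and
fills $EXPDATE in a <ServerID>_WARN_MSG template.  Assumption: the 'MS Gregorian
calendar' value is a Windows FILETIME, i.e. 100-nanosecond ticks since
1601-01-01 UTC (the manual says milliseconds); only that reading turns the
manual's sample 127984619236406250 into a date in July 2006.  All other sample
values below are constructed."""
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# YYYYMMDDhhmmss, optional fraction, then Z or +hhmm / -hhmm (optionally followed by Z)
GENERALIZED_TIME = re.compile(r"^(\d{14})(\.\d+)?(Z|[+-]\d{4}Z?)$")
WARN_MSG_TEMPLATE = "<body><b>Attention!</b> Your password will expire on $EXPDATE.</body>"


def parse_expiry(value: str) -> datetime:
    """Return the expiry instant as an aware UTC datetime."""
    if value.isdigit() and len(value) > 14:
        # FILETIME: ticks of 100 ns -> integer microseconds
        return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)
    match = GENERALIZED_TIME.match(value)
    if not match:
        raise ValueError(f"unsupported expiry format: {value!r}")
    stamp, _fraction, zone = match.groups()
    when = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if not zone.startswith("Z"):
        # the stamp is local time at the given offset; convert to UTC
        sign = 1 if zone[0] == "+" else -1
        offset = timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5]))
        when -= sign * offset
    return when


def warning_due(expiry: datetime, grace_days: int, now: datetime) -> bool:
    """True when the password expires within the grace period and has not
    already expired (an expired password is a login failure, not a warning)."""
    return now <= expiry <= now + timedelta(days=grace_days)


def render_warning(template: str, expiry: datetime) -> str:
    """Substitute $EXPDATE.  The real Client formats the date per its locale
    settings; ISO 8601 is used here."""
    return template.replace("$EXPDATE", expiry.strftime("%Y-%m-%d"))


def check_user(attribute_value: str, grace_days: int, now: datetime,
               template: str = WARN_MSG_TEMPLATE):
    """Whole path for one user: returns (warning text or None, expiry)."""
    expiry = parse_expiry(attribute_value)
    text = render_warning(template, expiry) if warning_due(expiry, grace_days, now) else None
    return text, expiry


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for sample in ("127984619236406250", "20060727081914Z", "20060727081914.0+0700Z"):
        print(sample, "->", parse_expiry(sample).isoformat(), check_user(sample, 20, now)[0])
```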
9.3 Secure Login Client Registry Values
Introduction
The properties for the Secure Login Client system service can be configured using the customer.reg file or can be integrated in the company‟s group policies. The property names are not case-sensitive.
Location
The following properties:
HttpProxyUrl
SSLHostCommonNameCheck
SSLHostAlternativeNameCheck
SSLHostExtensionCheck
UseSslPse
…can be located under the registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\Profiles\<profile name>]
The other properties can be located under the following registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\SecureLogin\System]
The following properties can be created/edited (data type in parentheses):
DisableUpdatePolicyOnStartup (BOOLEAN)
    This sets whether the Client policy file is automatically downloaded and registered from an XML file when the system service is started.
    true = disable automatic policy download.
    false (default) = enable automatic policy download.
HttpProxyURL (STRING)
    HTTP proxy to be used with PolicyURL. Only HTTP proxies without authentication and without SSL to the proxy are supported.
    Example: http://proxy.secude.com:3128
NetworkTimeout (DWORD)
    Network timeout in seconds before the connection is closed if the Server does not respond (default: 45).
PolicyRetries (DWORD)
    The number of times the Client tries to retrieve the Clientpolicy.xml file from the policy Server before giving up.
PolicyTTL (DWORD)
    „Policy time-to-live‟. The lifetime, in minutes, of the SECUDE Secure Login Client policy before retrieving the Clientpolicy.xml file from the policy Server.
PolicyURL (STRING)
    Network resource where the latest SECUDE Secure Login Client policy can be downloaded from. Mandatory, if an XML file is used for the policy Server, see section 9.1.1 „ClientPolicy.xml File‟ on page 239.
    Example: https://securelogin.secude.com:8443/securelogin/ClientPolicy.xml
SSLHostCommonNameCheck (BOOLEAN)
    SSL Server certificate: Check if the peer host name is given in its subject common name (default: false).
SSLHostAlternativeNameCheck (BOOLEAN)
    SSL Server certificate: Check if the peer host name is given in its subject alternative names (default: false).
SSLHostExtensionCheck (BOOLEAN)
    SSL Server certificate: Check if the peer‟s certificate has extended key usage ServerAuthentication set (default: false).
UseSslPse (BOOLEAN)
    If true, turns on the former SSL PSE based trust store for HTTPS. If false (default), the Microsoft CAPI is used for HTTPS trust.
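The three SSL Server-certificate checks from the table, evaluated against a peer certificate so that the effect of their defaults is visible: with all three at false, a certificate issued for any host name passes the name checks when the policy is fetched. This is an added example, not SECUDE code. The certificate is given in the dict layout of Python's ssl.SSLSocket.getpeercert(), extended with an extendedKeyUsage key that getpeercert() does not actually return; that key, the assumption that the Client compares the host part of PolicyURL, and the rule that every enabled check must pass are this example's assumptions, and the certificate itself is constructed.

```python
"""Added example (not SECUDE code): evaluates the three SSL Server-certificate
checks from the registry table (SSLHostCommonNameCheck,
SSLHostAlternativeNameCheck, SSLHostExtensionCheck) against a peer certificate
in the dict layout of ssl.SSLSocket.getpeercert(), extended with an
'extendedKeyUsage' key that getpeercert() does not provide (assumption of this
example).  Further assumptions: the Client compares the host part of PolicyURL,
and every enabled check must pass.  The certificate below is constructed."""
from urllib.parse import urlsplit

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # RFC 5280 extended key usage: serverAuth

# Registry defaults from section 9.3: all three checks are off.
DEFAULT_SETTINGS = {
    "SSLHostCommonNameCheck": False,
    "SSLHostAlternativeNameCheck": False,
    "SSLHostExtensionCheck": False,
}
HARDENED_SETTINGS = {name: True for name in DEFAULT_SETTINGS}

# Constructed certificate for the policy server.
PEER_CERT = {
    "subject": ((("countryName", "CH"),),
                (("organizationName", "Example AG"),),
                (("commonName", "securelogin.secude.com"),)),
    "subjectAltName": (("DNS", "securelogin.secude.com"), ("DNS", "*.policy.secude.com")),
    "extendedKeyUsage": (ID_KP_SERVER_AUTH,),
}


def host_matches(pattern: str, host: str) -> bool:
    """Case-insensitive exact match, or a wildcard in the leftmost label only
    (RFC 6125 style: '*.policy.secude.com' matches one label, never the bare domain)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in host:
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return False


def common_names(cert: dict) -> list:
    return [value for rdn in cert.get("subject", ()) for (attr, value) in rdn if attr == "commonName"]


def check_common_name(cert: dict, host: str) -> bool:
    return any(host_matches(cn, host) for cn in common_names(cert))


def check_alternative_name(cert: dict, host: str) -> bool:
    return any(kind == "DNS" and host_matches(name, host)
               for kind, name in cert.get("subjectAltName", ()))


def check_extension(cert: dict) -> bool:
    return ID_KP_SERVER_AUTH in cert.get("extendedKeyUsage", ())


def evaluate(cert: dict, policy_url: str, settings: dict = None) -> dict:
    """Apply the checks that are switched on; a disabled check always passes.
    Returns each check's verdict plus the overall 'accepted' decision."""
    settings = {**DEFAULT_SETTINGS, **(settings or {})}
    host = urlsplit(policy_url).hostname or ""
    verdicts = {
        "SSLHostCommonNameCheck":
            not settings["SSLHostCommonNameCheck"] or check_common_name(cert, host),
        "SSLHostAlternativeNameCheck":
            not settings["SSLHostAlternativeNameCheck"] or check_alternative_name(cert, host),
        "SSLHostExtensionCheck":
            not settings["SSLHostExtensionCheck"] or check_extension(cert),
    }
    verdicts["accepted"] = all(verdicts.values())
    return verdicts


if __name__ == "__main__":
    url = "https://securelogin.secude.com:8443/securelogin/ClientPolicy.xml"
    print("defaults :", evaluate(PEER_CERT, url))
    print("hardened :", evaluate(PEER_CERT, url, HARDENED_SETTINGS))
    print("other host, defaults:", evaluate(PEER_CERT, "https://other.example.net/ClientPolicy.xml"))
```

Because the Client policy is fetched from PolicyURL and then registered on the machine, the name and extension checks are what bind that download to the intended Server; leaving them at their defaults relies on the trust store alone.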
9.4 Key Usage Reference
Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For example, if you have a key used only for signing, enable the digital signature and/or non-repudiation extensions. Alternatively, if a key is used only for key management, enable key encipherment.
The following table describes the key usage extensions available for keys created using the CA process.
Digital signature
    Use when the public key is used with a digital signature mechanism to support security services other than non-repudiation, certificate signing, or CRL signing. A digital signature is often used for entity authentication and data origin authentication with integrity.
Non-repudiation
    Use when the public key is used to verify digital signatures used to provide a non-repudiation service. Non-repudiation protects against the signing entity falsely denying some action (excluding certificate or CRL signing).
Key encipherment
    Use when a certificate will be used with a protocol that encrypts keys. An example is S/MIME enveloping, where a fast (symmetric) key is encrypted with the public key from the certificate. SSL protocol also performs key encipherment.
Data encipherment
    Use when the public key is used for encrypting user data, other than cryptographic keys.
Key agreement
    Use when the sender and receiver of the public key need to derive the key without using encryption. This key can then be used to encrypt messages between the sender and receiver. Key agreement is typically used with Diffie-Hellman ciphers.
Encipher only
    Use only when key agreement is also enabled. This enables the public key to be used only for enciphering data while performing key agreement.
Decipher only
    Use only when „key agreement‟ is also enabled. This enables the public key to be used only for deciphering data while performing key agreement.
Client authentication
    Enable only for „Digital signature‟ and/or „Key agreement‟.
E-mail protection
    Enable only for „Digital signature‟, „Non-repudiation‟, and/or „Key encipherment‟ or „Key agreement‟.
Encrypted filesystem
    This key usage is defined by Microsoft. The certificate can be used to encrypt files by using the Encrypting File System. For further information refer to: http://msdn2.microsoft.com/en-gb/library/aa378132.aspx
Smart card login
    This key usage is defined by Microsoft. The certificate enables an individual to log on to a computer via a smart card.
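How a KeyUsage setting such as the instance property KeyUsage=DigitalSignature NonRepudiation KeyEncipherment DataEncipherment (section 9.2.3) ends up inside a certificate: the names map to the bit positions of the RFC 5280 KeyUsage BIT STRING, which is DER-encoded with a count of unused trailing bits. This is an added example, not SECUDE code. The four names on the page are the product's; the remaining names in the table are this example's assumed spellings, and the check that Encipher only / Decipher only require Key agreement follows the table above.

```python
"""Added example (not SECUDE code): turns a KeyUsage setting written the way the
instance property file spells it (e.g. 'KeyUsage=DigitalSignature NonRepudiation
KeyEncipherment DataEncipherment') into the RFC 5280 KeyUsage BIT STRING in DER,
decodes it back, and enforces the table's rule that Encipher only / Decipher
only are valid only together with Key agreement.  Bit positions are those of
RFC 5280 section 4.2.1.3; names beyond the four on the page are this example's
assumption about the spelling the product would use."""

KEY_USAGE_BITS = {
    "DigitalSignature": 0, "NonRepudiation": 1, "KeyEncipherment": 2,
    "DataEncipherment": 3, "KeyAgreement": 4, "KeyCertSign": 5,
    "CRLSign": 6, "EncipherOnly": 7, "DecipherOnly": 8,
}
BIT_NAMES = {bit: name for name, bit in KEY_USAGE_BITS.items()}


def parse_key_usage(setting: str) -> set:
    """Space-separated names -> set of bit numbers, with the consistency rule."""
    names = setting.split()
    unknown = [n for n in names if n not in KEY_USAGE_BITS]
    if unknown:
        raise ValueError(f"unknown key usage name(s): {unknown}")
    bits = {KEY_USAGE_BITS[n] for n in names}
    if bits & {7, 8} and 4 not in bits:
        raise ValueError("EncipherOnly/DecipherOnly require KeyAgreement")
    return bits


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_key_usage(bits: set) -> bytes:
    """DER BIT STRING: tag 0x03, length, unused-bit count, bits MSB first.
    DER forbids trailing zero bits, so the string is only as long as the
    highest set bit requires."""
    if not bits:
        return b"\x03\x01\x00"
    highest = max(bits)
    value = bytearray(highest // 8 + 1)
    for bit in bits:
        value[bit // 8] |= 0x80 >> (bit % 8)
    unused = 7 - highest % 8
    content = bytes([unused]) + bytes(value)
    return b"\x03" + _der_length(len(content)) + content


def decode_key_usage(der: bytes) -> set:
    """Inverse of encode_key_usage (short-form length is enough here)."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed KeyUsage BIT STRING")
    unused, value = der[2], der[3:]
    if unused > 7 or (value and value[-1] & ((1 << unused) - 1)):
        raise ValueError("trailing padding bits must be zero")
    total = len(value) * 8 - unused
    return {i for i in range(total) if value[i // 8] & (0x80 >> (i % 8))}


def describe(der: bytes) -> str:
    return " ".join(BIT_NAMES[b] for b in sorted(decode_key_usage(der)))


if __name__ == "__main__":
    setting = "DigitalSignature NonRepudiation KeyEncipherment DataEncipherment"
    der = encode_key_usage(parse_key_usage(setting))
    print(setting, "->", der.hex(), "->", describe(der))
```

The setting from the instance file encodes to the three content bytes 04 f0 after the tag and length; this is the same octet string an ASN.1 dumper shows for such a certificate, which makes it a quick way to verify that a CA profile produced the usage bits that were configured.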
10 List of Abbreviations
Abbreviation Meaning
ADS Active Directory Service
CA Certification Authority
CAPI Microsoft Crypto API
CSP Cryptographic Service Provider
DN Distinguished Name
EAR Enterprise Application Archive
HTTP Hyper Text Transport Protocol
HTTPS Hyper Text Transport Protocol with Secure Socket Layer (SSL)
JAAS Java Authentication and Authorization Service
LDAP Lightweight Directory Access Protocol
PIN Personal Identification Number
PKCS Public Key Cryptography Standards
PKCS#11 Cryptographic Token Interface Standard
PKCS#12 Personal Information Exchange Syntax Standard
PKI Public Key Infrastructure
PSE Personal Security Environment
RFC Remote function call (SAP NetWeaver term)
RSA Rivest, Shamir and Adleman
SLAC Secure Login Administration Console
SLC SECUDE Secure Login Client
SLS SECUDE Secure Login Server
SNC Secure Network Communication
SSL Secure Socket Layer
UPN User Principal Name
WAR Web Archive
WAS Web Application Server
Glossary
A
Authentication
A process that checks whether a person is really who they are. In a multi-user or network
system, authentication means the validation of a user‟s logon information. A user‟s name
and password are compared against an authorized list.
B
Base64 encoding
The Base64 encoding is a three-byte to four-characters encoding based on an alphabet of
64 characters. This encoding has been introduced in PEM (RFC1421) and MIME. Other
uses include HTTP Basic Authentication Headers and general binary-to-text encoding
applications.
Note: Base64 encoding expands binary data by 33%, which is quite efficient.
C
CAPI
See „Cryptographic Application Programming Interface‟.
Certificate
A digital identity card. A certificate typically includes:
The public key being signed.
A name, which can refer to a person, a computer or an organization.
A validity period.
The location (URL) of a revocation center.
The digital signature of the certificate produced by the CA‟s private key.
The most common certificate standard is the ITU-T X.509.
Certification Authority (CA)
An entity which issues and verifies digital certificates for use by other parties.
Certificate Store
Sets of security certificates belonging to user tokens or certification authorities.
CREDDIR
A directory on the Server in which information is placed that goes beyond the PSE
(personal security environment).
Credentials
Used to establish the identity of a party in communication. Usually they take the form of
machine-readable cryptographic keys and/or passwords. Cryptographic credentials may be
self-issued, or issued by a trusted third party; in many cases the only criterion for
issuance is unambiguous association of the credential with a specific, real individual or
other entity. Cryptographic credentials are often designed to expire after a certain period,
although this is not mandatory.
Credentials have a defined time to live (TTL) that is configured by a policy and managed by
a Client service process.
Cryptographic Application Programming Interface (CAPI)
The Cryptographic Application Programming Interface (also known variously as CryptoAPI,
Microsoft Cryptography API, or simply CAPI) is an application programming interface
included with Microsoft Windows operating systems that provides services to enable
developers to secure Windows-based applications using cryptography. It is a set of
dynamically-linked libraries that provides an abstraction layer which isolates programmers
from the code used to encrypt the data.
Cryptographic Token Interface Standard
A standardized crypto-interface for devices that contain cryptographic information or that
perform cryptographic functions.
D
Directory Service
Provides information in a structured format. Within a PKI: Contains information about the
public key of the user of the security infrastructure, similar to a telephone book (e.g. a
X.500 or LDAP directory).
Distinguished Name (DN)
A name pattern that is used to create a globally unique identifier for a person. This name
ensures that a certificate is never created for different people with the same name. The
uniqueness of the certificate is additionally ensured by the name of the issuer of the
certificate (that is, the certification authority) and the serial number. All PKI users require
a unique name. Distinguished Names are defined in the ISO/ITU X.500 standard.
K
Key Usage
Key usage extensions define the purpose of the public key contained in a certificate. You
can use them to restrict the public key to as few or as many operations as needed. For
example, if you have a key used only for signing, enable the digital signature and/or non-
repudiation extensions. Alternatively, if a key is used only for key management, enable key
encipherment.
Key Usage (extended)
Extended key usage further refines the key usage extension. The extended key usage
extension is either critical or non-critical. If it is critical, the certificate must be used only
for the indicated purpose or purposes; using the certificate for another purpose violates
the CA's policy.
If the extension is non-critical, it indicates the intended purpose or purposes of the key
and may be used in finding the correct key/certificate of an entity that has multiple
keys/certificates. The extension is then only an informational field and does not imply that
the CA restricts use of the key to the purpose indicated. Nevertheless, applications that
use certificates may require that a particular purpose be indicated in order for the
certificate to be acceptable.
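The two entries above describe how an application should read the key usage bits and how a critical or non-critical extended key usage changes the decision. The following is an added example, not code from the SECUDE product: it decodes the DER BIT STRING that carries the KeyUsage flags and applies the acceptance rules just described. The purpose names ("signing", "key management"), the mapping from purposes to key usage bits and the `accepts()` policy are assumptions made for this illustration, and the DER byte strings are constructed.

```python
"""Decode an X.509 KeyUsage extension and apply the glossary's acceptance
rules.  Added example; not code from the SECUDE product.  The purpose
names and the accepts() policy are assumptions, not a standard API."""

# Bit positions of the KeyUsage BIT STRING as defined in RFC 5280, 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (also called contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]

# KeyUsage bits each application purpose relies on, following the glossary
# (signing -> digitalSignature/nonRepudiation, key management ->
# keyEncipherment).  This mapping is an assumption for the example.
PURPOSE_KEY_USAGE = {
    "signing": {"digitalSignature", "nonRepudiation"},
    "key management": {"keyEncipherment", "keyAgreement"},
}


def decode_key_usage(der: bytes) -> set:
    """Parse the DER BIT STRING (tag 0x03) that carries the KeyUsage flags.

    Layout: 03 <length> <unused-bit count> <bit bytes...>.  Bit 0 is the
    most significant bit of the first content byte.  Malformed input raises
    ValueError instead of yielding a partial (and thus too permissive) set.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length encoding")
    unused = der[2]
    bits = der[3:]
    if unused > 7 or (unused and not bits):
        raise ValueError("invalid unused-bit count")
    # DER requires the unused trailing bits to be zero.
    if unused and bits[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero")
    total_bits = len(bits) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte_index, offset = divmod(i, 8)
        if bits[byte_index] & (0x80 >> offset):
            names.add(KEY_USAGE_BITS[i])
    return names


def is_valid_key_usage(der: bytes) -> bool:
    """True if decode_key_usage() accepts the encoding."""
    try:
        decode_key_usage(der)
        return True
    except ValueError:
        return False


def accepts(purpose: str, key_usage: set, ext_key_usage=None,
            ext_critical: bool = False, require_ext: bool = False) -> bool:
    """Decide whether a certificate may be used for `purpose`.

    * KeyUsage must contain at least one bit the purpose relies on.
    * A critical ExtendedKeyUsage restricts the certificate to the purposes
      it lists, so an unlisted purpose is rejected.
    * A non-critical ExtendedKeyUsage is informational only, unless the
      application itself insists on it (require_ext=True).
    """
    needed = PURPOSE_KEY_USAGE.get(purpose)
    if needed is None:
        raise ValueError(f"unknown purpose {purpose!r}")
    if not (key_usage & needed):
        return False
    if ext_key_usage is None:
        return True                     # no extension: nothing more to check
    if ext_critical or require_ext:
        return purpose in ext_key_usage
    return True


if __name__ == "__main__":
    # Constructed sample: digitalSignature + keyEncipherment (03 02 05 a0).
    ku = decode_key_usage(bytes.fromhex("030205a0"))
    print(sorted(ku))
    print(accepts("signing", ku, {"key management"}, ext_critical=True))
```

The decoder is deliberately strict: a non-zero unused bit or a wrong tag is an error rather than a best-effort result, because a lenient parser can turn a malformed extension into a certificate that appears valid for more purposes than its issuer intended.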
L
Lightweight Directory Access Protocol (LDAP)
A network protocol designed to extract information such as names and e-mail addresses
from a hierarchical directory such as X.500.
P
PKCS#11
“PKCS” refers to a group of Public Key Cryptography Standards devised and published by
RSA Security. “PKCS#11” is an API defining a generic interface to cryptographic tokens.
PEM
See Privacy Enhanced Mail.
Personal Identification Number (PIN)
A unique code number assigned to the authorized user.
Personal Information Exchange Syntax Standard
Specifies a portable format for saving or transporting a user's private keys, certificates,
and other secret information.
Personal Security Environment
The PSE is a personal security area that every user requires to work with SECUDE. A PSE
contains security-related information. This includes the certificate and its secret private
key. The PSE can be either an encrypted file or a smart card and is protected with a
password.
PIN
See Personal Identification Number.
Privacy-Enhanced Mail (PEM)
The first known use of Base64 encoding for electronic data transfer was the Privacy-
Enhanced Mail (PEM) protocol, proposed in RFC 989 in 1987. PEM defines a "printable
encoding" scheme that uses Base64 encoding to transform an arbitrary sequence of octets
into a format that can be expressed in short lines of 7-bit characters, as required by
transfer protocols such as SMTP.
The current version of PEM (specified in RFC 1421) uses a 64-character alphabet
consisting of upper- and lower-case Roman alphabet characters (A–Z, a–z), the numerals
(0–9), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code.
The original specification additionally used the "*" symbol to delimit encoded but
unencrypted data within the output stream.
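The entry above describes the alphabet, the "=" suffix and the short-line requirement, but not how the octets are mapped to characters. The following is an added example, not code from the SECUDE product or from the RFC: it implements the printable encoding by hand (3 octets to four 6-bit characters, "=" padding, lines of 64 characters as RFC 1421 prescribes) and a decoder that rejects anything outside the alphabet, including the historical "*" delimiter. The `base64` module is used only to cross-check the result; the sample payload is constructed.

```python
"""Hand-written RFC 1421 printable encoding (Base64) with 64-character
lines, plus a strict decoder.  Added example; not code from the SECUDE
product.  Sample inputs are constructed."""

import base64  # used only to cross-check the hand-written encoder

ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")
PAD = "="
LINE_LENGTH = 64                 # RFC 1421 wraps encoded text at 64 characters
_DECODE = {c: i for i, c in enumerate(ALPHABET)}


def encode_base64(data: bytes) -> str:
    """Map each 3-octet group to four 6-bit characters; pad with '='."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        # Left-align the 1 to 3 octets in a 24-bit group.
        value = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        chars = [ALPHABET[(value >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = n + 1             # 1 octet -> 2 chars + "==", 2 octets -> 3 chars + "="
        out.append("".join(chars[:keep]) + PAD * (4 - keep))
    return "".join(out)


def pem_wrap(data: bytes) -> str:
    """Printable encoding: Base64 text broken into lines of 64 characters."""
    text = encode_base64(data)
    return "\n".join(text[i:i + LINE_LENGTH]
                     for i in range(0, len(text), LINE_LENGTH))


def pem_unwrap(text: str) -> bytes:
    """Reverse of pem_wrap().

    Any character outside the alphabet (including the historical '*'
    delimiter) and any misplaced padding is an error rather than being
    skipped silently, which is what a parser of untrusted input should do.
    """
    joined = "".join(text.split())          # drop line breaks / whitespace
    if len(joined) % 4:
        raise ValueError("encoded length is not a multiple of 4")
    stripped = joined.rstrip(PAD)
    pad = len(joined) - len(stripped)
    if pad > 2 or PAD in stripped:
        raise ValueError("misplaced padding")
    bad = set(stripped) - set(ALPHABET)
    if bad:
        raise ValueError(f"characters outside the Base64 alphabet: {sorted(bad)}")
    out = bytearray()
    for i in range(0, len(stripped), 4):
        group = stripped[i:i + 4]
        value = 0
        for c in group.ljust(4, "A"):       # 'A' encodes six zero bits
            value = (value << 6) | _DECODE[c]
        out += value.to_bytes(3, "big")[:len(group) - 1]
    return bytes(out)


def is_valid_pem(text: str) -> bool:
    """True if pem_unwrap() accepts the text."""
    try:
        pem_unwrap(text)
        return True
    except ValueError:
        return False


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-written encoder against the standard library."""
    return encode_base64(data) == base64.b64encode(data).decode("ascii")


if __name__ == "__main__":
    sample = bytes(range(256))              # constructed payload
    print(pem_wrap(sample))
    print(pem_unwrap(pem_wrap(sample)) == sample)
```

A complete PEM message additionally frames the encoded text with boundary lines and header fields; the example covers only the printable encoding step the glossary entry describes.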
Public FSD
Public file system device. An external storage device that uses the same file system as
the operating system.
Public Key Cryptography Standards
A collection of standards published by RSA Security Inc. for the secure exchange of
information over the Internet.
Public Key Infrastructure
Comprises the hardware, software, people, guidelines, and methods that are involved in
creating, administering, saving, distributing, and revoking certificates based on
asymmetric cryptography. It is often structured hierarchically.
In X.509 PKI systems, the hierarchy of certificates is always a top-down tree, with a root
certificate at the top, representing a CA that does not need to be authenticated by a
trusted third party.
R
Root certification authority
The highest certification authority in a PKI. All users of the PKI must trust it. Its certificate
is signed with its own private key (self-signed). There can be any number of intermediate
CAs between a user certificate and the root certification authority. To verify a foreign
certificate, a user requires the certificate path as well as the root certificate.
Root certificate
The certificate of the root CA.
RSA
An asymmetric cryptographic algorithm developed by Rivest, Shamir, and Adleman in
1977. It is the most widely used algorithm for encryption and authentication and is used
in many common browsers and mail tools. Security depends on the length of the key: key
lengths of 1024 bits or higher are regarded as secure.
S
Secure Network Communications
A module in the SAP NetWeaver system that handles the communication with external
cryptographic libraries. The library is addressed using GSS-API functions and provides
NetWeaver components with access to the security functionality of SECUDE.
Secure Sockets Layer
A protocol developed by Netscape Communications for setting up secure connections over
insecure channels. It authenticates the communication partners and ensures the
confidentiality, integrity, and authenticity of transferred data.
Single sign-on
A system that manages authentication information so that a user can log on to systems
and open programs without re-entering credentials every time (automatic
authentication).
T
Token
A security token (or sometimes a hardware token, authentication token or cryptographic
token) may be a physical device that an authorized user of computer services is given to
aid in authentication. The term may also refer to software tokens.
Smart-card-based USB tokens (which contain a smart card chip inside) provide the
functionality of both USB tokens and smart cards. They enable a broad range of security
solutions and provide the abilities and security of a traditional smart card without requiring
a unique input device (smart card reader). From the computer operating system's point of
view such a token is a USB-connected smart card reader with one non-removable smart
card present.
Tokens provide access to a private key that allows performing cryptographic operations.
The private key may be persistent (like a PSE file, smart card, and CAPI container) or non-
persistent (like temporary SECUDE Secure Login keys).
W
Windows Credentials
A unique set of information authorizing the user to access the Windows operating system
on a computer. The credentials usually comprise a user name, a password, and a domain
name (optional).
X
X.500
A standardized format for a tree-structured directory service.
X.509
A standardized format for certificates and certificate revocation lists (CRLs).
Index
A
About this manual ... 7
Active Directory Server (ADS) authentication ... 23
administration ... 119
administration console ... 119
administration console - application management ... 184
administration console - authentication management ... 131
administration console - certificate management ... 128
administration console - certificate template ... 143
administration console - change language ... 155
administration console - change the administrator password ... 122
administration console - client configuration ... 183
administration console - client profile management ... 187
administration console - console log viewer ... 165
administration console - files download ... 190
administration console - instance check ... 196
administration console - instance configuration ... 179
administration console - instance log management ... 192
administration console - instance management ... 178
administration console - message settings ... 156
administration console - open ... 119
administration console - server configuration ... 124
administration console - server instance status ... 197
administration console - server status ... 162
administration console - signed certificate requests ... 163
administration console - SSS&JCO installation ... 158
administration console - system backup ... 151
administration console - system check ... 149
administration console - system restore ... 152
administration console - TrustStore management ... 141
ADS/LDAP - configure ... 85
application management ... 184
archived log ... 196
authentication management ... 131
authentication method (PKI) ... 13
C
certificate management ... 128
certificate template ... 143
certificate template - create new ... 144
certificate template - export ... 147
certificate template - import ... 148
certificate template - mapping ... 146
change language ... 155
client authentication ... 266
client configuration ... 183
client policy ... 239
client profile management ... 187
client URL - troubleshooting ... 218
ClientPolicy.xml - registry keys ... 239
configurable messages ... 263
configurable properties ... 246
configuration.properties ... 248
Configure Authentication Server Communication ... 84
Configure SSL in Tomcat ... 36
console log viewer ... 165
Contacting Technical Support ... 10
Conventions used in this manual ... 9
D
daily log ... 193
daily log file ... 213
data encipherment ... 266
decipher only ... 266
digital signature ... 266
download files secure login client ... 190
E
e-mail protection ... 266
encipher only ... 266
encrypted filesystem ... 266
environment variables - SAP ID-based logon ... 217
error and return codes ... 231
F
files download ... 190
files download - global client policy ... 191
G
global client policy ... 191
I
Icons used in this manual ... 10
instance check ... 196
instance configuration ... 179
instance log management ... 192
instance management ... 178
instance status ... 197
Instances - global client policy ... 191
instances - overview ... 18
J
JAAS module - configuration files ... 253
JAAS module - LDAP/ADS ... 253
JAAS module - RADIUS/RSA ... 257
JAAS module - SAP ID ... 260
JCO - installation ... 158
K
key agreement ... 266
key encipherment ... 266
Key Length Policies ... 212
key usage - reference ... 238, 266
L
LD_LIBRARY_PATH ... 217
log files ... 213
log settings ... 195
logging - archived log files ... 196
logging - daily log ... 193
logging - daily log file ... 213
logging - instance log management ... 192
logging - log settings ... 195
logging - monthly log file ... 215
logging - view console logs ... 165
M
message settings ... 156
messages - configure ... 263
Microsoft crypto store ... 12
Microsoft group policies ... 245
Migrate from an Existing SECUDE secure login Server ... 82
monthly log file ... 215
N
non-repudiation ... 266
O
other administration features ... 206
P
password expiry - warning message ... 264
password expiry warnings ... 220
PKI certificate ... 12
policy server overview ... 30
PseServer.lock ... 216
R
RADIUS / RSA authentication ... 24
RADIUS/RSA - configure ... 86
registry values - secure login client ... 264
Related documentation ... 7
Restore from an Existing secure login Server Backup (*.zip) File ... 83
return codes ... 231
S
SAP ID authentication ... 25
SAP ID-based logon - configure ... 87
SAP Logon Ticket authentication ... 28
SAP Logon Ticket-based logon - configure ... 89
SAP NetWeaver ... 49
SAP NetWeaver - installation ... 40, 42
SECUDE50secureloginServer.zip ... 109
secure login - authentication method (PKI) ... 13
secure login - authentication methods ... 22
secure login - instance/server lock ... 219
secure login - server lock and unlock ... 216
secure login - system overview ... 16
secure login - what is it? ... 11
secure login client - registry values ... 264
secure login client - remove ... 106
secure login client installation ... 94, 98
secure login client installation - MSI options ... 103
secure login client rollout ... 97
secure login components ... 13
secure login server - remove (ADS, LDAP, Radius, SAP ID) ... 91
secure login server - remove (SAP NetWeaver) ... 92
server configuration ... 124
server installation ... 32
server lock and unlock ... 216
server message configuration - files ... 262
Server Setup Wizard ... 43, 54, 63
server status ... 162
signed certificate requests ... 163
signon&secure - installation ... 158
smart card login ... 266
SNC connection - troubleshooting ... 221
SQL Database Table authentication ... 22, 28
SQL Database-based logon - configure ... 89
SSL.PSE ... 218
SSL.PSE-based TrustStore for HTTPS ... 218
SSS&JCO installation ... 158
status query - internet browser ... 206
Support ... 10
system backup ... 151
system check ... 149
system overview ... 12, 16
system overview - PKI ... 13
system restore ... 152
T
Target audience ... 7
Technical Support, contacting ... 10
Tomcat - configure SSL ... 36
trace messages - enable/disable ... 215
tracing ... 215
Troubleshooting ... 211
TrustStore management ... 141
W
warnings - password expiry ... 220
Web Client ... 109
web.xml ... 247
what is SECUDE secure login? ... 11
X
XML Interface ... 209