How to Implement the X.509 Certificate Based Single Sign-On Solution with SAP Netweaver Single Sign-On




Preparations: Copy Installation Files (2 Minutes)

1. Log on with the user name SCI266 and password welcome to domain FAIR. (User name and password are specific to this demo.)
2. Copy the files from the folder Session (TechEd File Server) \\Fairfile.fair.sap.corp\session\SCI266\ to the folder Session (Local Folder) D:\Files\Session\SCI266\ (This is specific to the demo environment of SAP.)

Exercise 1: Install and Configure Secure Login Server (25 Minutes)

3. Log on with the user name SCI266 and password welcome to domain FAIR.
4. Start cmd.exe and enter the command telnet localhost 50008
5. Log on with the user name Admin and password abc123
6. Start the command deploy D:\Files\Session\SCI266\SLS\SECURE_LOGIN_SERVER00_0.sca
7. After deployment, close the window or enter the command exit twice.
8. Start Microsoft Internet Explorer and enter the URL http://localhost:50000/securelogin
9. On the Welcome screen, press the button Continue.
10. Define the value D:\usr\sap\TDI\ServerKeyFile\KeyFile.txt for the parameter Server File and press the button Next.
11. For the account name Admin, define the password 1qay!QAY, confirm the password and press the button Next. (Watch out for upper/lower case.)
12. Choose the option Import an Existing Key Store File.
    - Browse for the file D:\Files\Session\SCI266\Certificates_SCI266\ROOT_CA.pse
    - Define the password 1qay!QAY (Please use another password!)
    - Check the option Save Password and press the button Next.
13. Choose the option Skip all SSL certificates and press the button Next.
14. Choose the option Import an Existing Key Store File.
    - Browse for the file D:\Files\Session\SCI266\Certificates_SCI266\USER_CA.pse
    - Define the password 1qay!QAY
    - Check the option Save Password and press the button Next.
15. On the Server Configuration page, press the button Next.
16. On the Setup Review page, press the button Finish.
17. Start the SAP Management Console (Desktop Icon).
    - Navigate to AS Java Components.
    - Search for the application sap.com/secureloginserver
    - Right-click on the application sap.com/secureloginserver and choose the option Restart.
    - User credentials may be requested: log on with the user name FAIR\SCI266 and password welcome.
18. Verify that the logon to the Secure Login Administration Console is successful.
    - Start Microsoft Internet Explorer and enter the URL http://localhost:50000/securelogin or use the Reload button from the initial configuration wizard.
    - Log on with user Admin and password 1qay!QAY
19. In Microsoft Internet Explorer, enter the URL http://localhost:50000/nwa and log on with user Admin and password abc123
20. Choose Configuration tab -> Security -> Authentication and Single Sign-On.
    - Choose the option Login Modules.
    - Choose the Login Module SecureLoginModuleLDAP.
    - Choose the button Edit.
    - For the parameter LdapBaseDN define the value: $USERID@FAIR.SAP.CORP
    - For the parameter LdapHost define the value: ldap://dc1emea:389
    - Save the configuration and log off the user Admin.

Exercise 2: Install Secure Login Client (5 Minutes)

1. Start Windows Explorer and change to the folder D:\Files\Session\SCI266\SLC\
   - Start the unattended Secure Login Client installation with a double-click on UnattendedSetup_SLC_SCI266.cmd
   - Please install the software based on the documentation at help.sap.com -> SAP NetWeaver Single Sign-on -> Secure Login Client
   - After installation, the blue icon should be available in the taskbar.
2. Log off user SCI266.
   - If the message box Save console settings to sapmmc.msc appears, press the button No.
   - Log on with the user name SCI266 and password welcome to domain FAIR.
3. In the taskbar, click on the blue icon.
4. The Secure Login Client Console should be displayed.
   - Double-click on the default profile.
   - Press the OK button.
   - Enter username SCI266 and password welcome. Then press the OK button.
5. Press the OK button.
   - If the authentication failed, verify the user credentials (SCI266 / welcome) or check the configuration in the Login Module (SAP NetWeaver Administrator) for typing errors.
   - REMARK: If the user is authenticated as a Microsoft Active Directory domain user, the product can also be configured so that no additional authentication is necessary.

As a result, the X.509 user certificate (CN=SCI266, O=SAP, L=Walldorf, C=DE) will be provided.

Exercise 3: Configure SNC for SAP ABAP Server (30 Minutes)

1. Start the SAP Logon application.
   - Choose the TDI system Local SAP ABAP Server.
   - Log on with username admin and password abc123
2. Start transaction RZ10.
   - Import the profiles of the active servers by selecting Utilities -> Import profiles -> Of active servers.
   - Press the exit (yellow) button.
   - Select the Instance profile (double-click) TDI_DVEBMGS00_MADR9EL187NW
   - Choose the option Extended maintenance and press the Change button.
3. Change the following SNC parameters: snc/gssapi_lib and snc/identity/as, and verify the other SNC parameters. Configuration details are described in the following table.
   - HINT 1: Values are case sensitive!
   - HINT 2: SNC will be enabled later!

   Parameter                   Value                                      Remarks
   snc/force_login_screen      0                                          Predefined
   snc/permit_insecure_start   1                                          Predefined
   snc/accept_insecure_rfc     1                                          Predefined
   snc/accept_insecure_gui     1                                          Predefined
   snc/accept_insecure_cpic    1                                          Predefined
   snc/r3int_rfc_qop           8                                          Predefined
   snc/r3int_rfc_secure        0                                          Predefined
   snc/data_protection/use     3                                          Predefined
   snc/data_protection/min     2                                          Predefined
   snc/data_protection/max     3                                          Predefined
   snc/enable                  0                                          Predefined
   snc/gssapi_lib              D:\usr\sap\TDI\ASCS01\exe\sapcrypto.dll    To Be Changed
   snc/identity/as             p:cn=tdi, OU=TechEd 2011, O=SAP AG         To Be Changed

   Parameter descriptions:
   - snc/enable: Set this parameter to activate SNC on the AS ABAP. 1: SNC is activated. 0: SNC is not activated.
   - snc/gssapi_lib: Specify the path and file name of the GSS-API V2 shared library. Value: D:\usr\sap\TDI\ASCS01\exe\sapcrypto.dll
   - snc/identity/as: Specify the SNC name of the AS ABAP with this parameter. Format: <name type>:<external name> or <name type>/<product>:<external name>. Value: p:cn=tdi, OU=TechEd 2011, O=SAP AG

4. After the configuration, save the profile configuration (button Yes) and press the Exit button (yellow).
   - Press the Save button.
   - On the next screen (Incorrect parameter values detected. Display values?) select the No button.
   - On the next screen select Yes to activate the profile.
   - The next version of the instance profile is saved and activated.
   - Confirm this message box (green tick).
   - Confirm this message box (green tick).
   - Log off the SAP Logon application.
5. Restart the SAP NetWeaver Application Server.
   - Start the SAP Management Console (Desktop Icon).
   - Click on SAP System TDI and, with a right-click, choose the option Restart.
   - User credentials may be requested: log on with the user name FAIR\SCI266 and password welcome.
   - HINT: The SAP ABAP Stack will be available in about 2-3 minutes.
6. Start the SAP Logon application.
   - Choose the TDI system Local SAP ABAP Server.
   - Log on with username admin and password abc123
   - Start transaction STRUST.
   - Choose in the menu PSE -> Import.
   - Open the file: D:\Files\Session\SCI266\Certificates_SCI266\SAP_SERVER_TDI.pse
   - Choose the option Allow this one time and press the OK button.
   - Enter the password 1qay!QAY and confirm the message box (green tick).
   - Choose in the menu PSE -> Save as.
   - Choose the option SNC SAPCryptolib and confirm the message box (green tick).
   - At the bottom of the screen, the message Data saved successfully should be displayed and an entry for SNC SAPCryptolib should be available.
   - Start the transaction /nrz10
   - Select the Instance profile (double-click) TDI_DVEBMGS00_MADR9EL187NW
   - Choose the option Extended maintenance and press the Change button.
   - Define the value 1 for the parameter snc/enable (activate SNC).
   - After the configuration, save the profile configuration (button Yes) and press the Exit button (yellow).
   - On the next screen (Incorrect parameter values detected. Display values?) select the No button.
   - Select Yes to activate the profile.
   - The next version of the instance profile is saved and activated.
   - Confirm this message box (green tick).
   - Confirm this message box (green tick).
   - Log off the SAP Logon application.
7. Restart the SAP NetWeaver Application Server.
   - Start the SAP Management Console (Desktop Icon).
   - Click on SAP System TDI and, with a right-click, choose the option Restart.
   - User credentials may be requested: log on with the user name FAIR\SCI266 and password welcome.
   - HINT: While the SAP NetWeaver application server restarts, start the next configuration step (Enable SNC in SAP GUI).
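An added example, not part of the original guide: a check of the SNC profile parameters from the table in step 3, run over a constructed profile excerpt holding the values the exercise ends with. The function names, the sample text and the choice of which values to flag are assumptions of this example; the quality-of-protection levels (1 authentication, 2 integrity, 3 privacy) are general SNC semantics, not something this guide states.

```python
import re

# Constructed excerpt in SAP profile syntax ("name = value", "#" comments),
# filled with the values from the exercise's parameter table after step 6.
SAMPLE_PROFILE = r"""
# constructed sample, not a real profile
snc/enable = 1
snc/gssapi_lib = D:\usr\sap\TDI\ASCS01\exe\sapcrypto.dll
snc/identity/as = p:cn=tdi, OU=TechEd 2011, O=SAP AG
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/permit_insecure_start = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
"""

# With value 1 these still permit communication that is not protected by SNC.
PERMISSIVE = (
    "snc/permit_insecure_start",
    "snc/accept_insecure_rfc",
    "snc/accept_insecure_gui",
    "snc/accept_insecure_cpic",
)

# <name type>:<external name> or <name type>/<product>:<external name>
SNC_NAME = re.compile(r"^[A-Za-z]+(/[^:\s]+)?:\S.*$")


def parse_profile(text):
    """Return {parameter: value}; split on the first '=' only, because the
    SNC name itself contains '=' characters."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def audit_snc(params):
    """Return a list of (parameter, finding) tuples; empty means no findings."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append(("snc/enable", "SNC is not activated"))
    if not params.get("snc/gssapi_lib"):
        findings.append(("snc/gssapi_lib", "no GSS-API library configured"))
    if not SNC_NAME.match(params.get("snc/identity/as", "")):
        findings.append(("snc/identity/as",
                         "not in <name type>:<external name> form"))
    for name in PERMISSIVE:
        if params.get(name) == "1":
            findings.append((name, "communication without SNC is still permitted"))
    # Quality of protection: 1 authentication, 2 integrity, 3 privacy.
    qop_min = params.get("snc/data_protection/min", "")
    if qop_min.isdigit() and int(qop_min) < 3:
        findings.append(("snc/data_protection/min",
                         "SNC connections without encryption are accepted"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_snc(parse_profile(SAMPLE_PROFILE)):
        print(f"{name}: {finding}")
```

Parameters that are absent from the profile fall back to kernel defaults, which this check does not evaluate.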

Exercise 4: Enable SNC in SAP GUI Application (5 Minutes)

1. Click on the SAP Logon icon on the Desktop and press the New button.
2. Press the Next button.
3. Define the following parameters and press the button Next:
   - Description: Local SAP Server (SNC)
   - Application Server: localhost
   - Instance Number: 00
   - System ID: TDI
4. Activate Secure Network Communication (checkmark). Define the value p:cn=tdi, OU=TechEd 2011, O=SAP AG for the parameter SNC Name and press the button Finish.

Exercise 5: Configure SNC User Mapping in SAP User Management (5 Minutes)

1. Start the SAP GUI application and log on to the Local SAP ABAP Server with username admin and password abc123
2. Start transaction SU01 and enter SCI266 for the User. Press the Change button.
3. Choose the tab SNC. For the parameter SNC name define the value p:cn=sci266, O=SAP, L=Walldorf, C=DE and save the configuration.
4. Log off the user Admin.
5. Start the SAP GUI application and use the SNC enabled connection Local SAP Server (SNC).
6. If there are no configuration errors, you are directly logged on with the user SCI266 without using a password.
   - A SAP license message may appear. In this case press the OK button.
   - HINT: If no certificate is available, the Windows user credentials are requested. In this case enter username SCI266 and password welcome and press the OK button.
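The mapping from Exercise 5 as an added example (not part of the original guide): it resolves a certificate subject to the SAP user whose SNC name in SU01 carries the same distinguished name, and rejects a subject that differs in any component. The function names and the sample table are hypothetical, and the case-insensitive comparison is an assumption taken from the guide's own pair (certificate CN=SCI266, SNC name cn=sci266), not documented SAP behaviour.

```python
def parse_dn(dn):
    """Split 'CN=a, O=b' into [('CN', 'a'), ('O', 'b')]. A backslash escapes
    the next character, so 'O=Example\\, Inc' stays one component."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {part!r}")
        # Assumption: attribute types and values compare case-insensitively.
        rdns.append((attr.strip().upper(), value.strip().casefold()))
    return rdns


def snc_identity(snc_name):
    """Parse an SNC name of name type 'p' (X.509) into normalised components."""
    name_type, sep, external = snc_name.partition(":")
    if not sep or name_type.split("/")[0] != "p":
        raise ValueError(f"not an X.509 SNC name: {snc_name!r}")
    return parse_dn(external)


def resolve_user(cert_subject, snc_names):
    """Return the single SAP user whose SNC name equals the certificate
    subject, or None. snc_names maps user ID -> SNC name from the SNC tab."""
    subject = parse_dn(cert_subject)
    hits = [user for user, name in snc_names.items()
            if name and snc_identity(name) == subject]
    if len(hits) > 1:
        # Two users sharing one SNC name makes the logon ambiguous.
        raise ValueError(f"subject mapped to several users: {sorted(hits)}")
    return hits[0] if hits else None


# Constructed table: SCI266 as configured in step 3, ADMIN without SNC name.
SU01_SNC_NAMES = {
    "SCI266": "p:cn=sci266, O=SAP, L=Walldorf, C=DE",
    "ADMIN": "",
}

if __name__ == "__main__":
    for subject in ("CN=SCI266, O=SAP, L=Walldorf, C=DE",
                    "CN=SCI266, O=SAP, L=Walldorf, C=US"):
        print(subject, "->", resolve_user(subject, SU01_SNC_NAMES))
```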

Exercise 6: Additional Single Sign-On Scenarios (15 Minutes, Optional)

1. SSO to SAP Enterprise Portal
   - Start Microsoft Internet Explorer and enter the URL: https://localhost:50001/irj/portal or use the shortcut link in: D:\Files\Session\SCI266\Shortcuts\X.509 Based Login SAP Enterprise Portal
   - As a result, the user SCI266 will be authenticated automatically to SAP Enterprise Portal.

   How was it configured?
   - In this configuration the SSL Server Certificate was issued by the Secure Login Server and imported via transaction STRUST.
   - In order to verify the certificate, start the SAP Logon application and log on with username Admin and password abc123
   - Start the transaction STRUST and choose the SSL server Standard certificate. The password for the certificate is 1qay!QAY
   - In addition, the user mapping for the SAP Enterprise Portal was configured in the ClientCertLoginModule.
   - Log on to SAP NetWeaver Administrator http://localhost:50000/nwa
   - Choose Configuration -> Security -> Authentication and Single Sign-On.
   - Choose Components -> ticket.
   - In this login module stack (ticket) the login module ClientCertLoginModule is configured to use the CN field of the certificate distinguished name to map the SAP user.

2. SAP GUI for HTML (ABAP Stack)
   - Start Microsoft Internet Explorer and enter the URL: https://localhost:50001/sap/bc/gui/sap/its/webgui or use the shortcut link in: D:\Files\Session\SCI266\Shortcuts\X.509 Based Login SAP ABAP Web GUI
   - As a result, the user SCI266 will be authenticated automatically to the SAP ABAP Web Application Server.

   How was it configured?
   - In this configuration the SSL Server Certificate was issued by the Secure Login Server and imported via transaction STRUST (as described before).
   - In addition, the user mapping (External User ID) needs to be configured.
   - In order to verify the user mapping, start the SAP Logon application and log on with username Admin and password abc123
   - Start the transaction SM30.
   - Enter the value VUSREXTID and press the button Maintain.
   - Define DN for the work area.
   - In this table the External ID CN=SCI266, O=SAP, L=Walldorf, C=DE is assigned to the SAP User SCI266.

3. SSO for Business Explorer
   - Select Start Programs SAP SAP Business Explorer Query Designer
   - Choose Local SAP Server (SNC) and press the OK button.
   - Define the following parameters and press the OK button: Client 001, User SCI266, Language EN.
   - HINT: It takes some time until the Business Explorer Client (Query Designer) is started.

   How was it configured?
   - As the Business Explorer Client uses the SAP Logon (SAP GUI) configuration, no further configuration for the SSO functionality is required.

4. Secure Login Web Client
   - In the taskbar, click on the blue icon.
   - Log out the user certificate (right-click on the default profile).
   - Close the SAP GUI and Microsoft Internet Explorer applications.
   - Start Microsoft Internet Explorer and enter the URL: http://localhost:50000/slswebclient
   - Enter username SCI266 and password welcome and press the button Log On.
   - The SAP Logon application will be started automatically.
   - Choose the SNC enabled connection Local SAP Server (SNC).
   - If there are no configuration errors, you are directly logged on with the user SCI266 without using a password.

   How was it configured?
   - With the Secure Login Server deployment, the Secure Login Web Client is configured for LDAP authentication by default. As the SecureLoginModuleLDAP is configured for the Microsoft Active Directory System (configured in SAP NetWeaver Administrator), this configuration is used by the Secure Login Web Client too.
   - Additional client profiles can be configured in the Secure Login Administration Console.

© 2012 by SAP AG. All rights reserved. SAP and the SAP logo are registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and the Sybase logo are registered trademarks of Sybase Inc. Sybase is an SAP company such products and services, if any. Nothing herein should be construed as constituting an additional warranty.