How to Implement the X.509 Certificate Based Single Sign-On Solution with SAP NetWeaver Single Sign-On

How to implement the X.509 certificate based Single Sign-On solution from SAP

Preparations: Copy Installation Files (2 minutes)

1. Log on to domain FAIR with the user name SCI266 and password welcome. (User name and password are specific to this demo.)

2. Copy the files from the folder Session (TechEd File Server) \\Fairfile.fair.sap.corp\session\SCI266\ to the folder Session (Local Folder) D:\Files\Session\SCI266\. (This is specific to the SAP demo environment.)

Exercise 1: Install and Configure Secure Login Server (25 minutes)

3. Log on to domain FAIR with the user name SCI266 and password welcome.

4. Start cmd.exe and enter the command telnet localhost 50008

5. Log on with the user name Admin and password abc123

6. Start the command deploy D:\Files\Session\SCI266\SLS\SECURE_LOGIN_SERVER00_0.sca

7. After deployment, close the windows or enter the command exit twice

8. Start Microsoft Internet Explorer and enter the URL http://localhost:50000/securelogin

9. On the Welcome screen press the button Continue

10. Define the value D:\usr\sap\TDI\ServerKeyFile\KeyFile.txt for the parameter Server File and press the button Next.

11. For the account name Admin define the password 1qay!QAY. Confirm the password and press the button Next. (Watch out for upper/lower case.)

12. Choose the option Import an Existing Key Store File. Browse for the file D:\Files\Session\SCI266\Certificates_SCI266\ROOT_CA.pse. Define the password 1qay!QAY (please use another password!). Check the option Save Password and press the button Next.

13. Choose the option Skip all SSL certificates and press the button Next.

14. Choose the option Import an Existing Key Store File. Browse for the file D:\Files\Session\SCI266\Certificates_SCI266\USER_CA.pse. Define the password 1qay!QAY. Check the option Save Password and press the button Next.

15. On the Server Configuration page press the button: Next

16. On the Setup Review page press the button: Finish

17. Start the SAP Management Console (Desktop Icon). Navigate to AS Java Components and search for the application sap.com/SecureLoginServer.

Right-click on the application sap.com/SecureLoginServer and choose the option Restart. If user credentials are requested, log on with the user name FAIR\SCI266 and password welcome.

18. Verify that the logon to the Secure Login Administration Console is successful: start Microsoft Internet Explorer and enter the URL http://localhost:50000/securelogin (or use the Reload button of the initial configuration wizard), then log on with the user Admin and password 1qay!QAY.

19. In Microsoft Internet Explorer enter the URL http://localhost:50000/nwa and log on with the user Admin and password abc123.

20. Choose the Configuration tab -> Security -> Authentication and Single Sign-On. Choose the option Login Modules, choose the Login Module SecureLoginModuleLDAP, and choose the button Edit.

For the parameter LdapBaseDN define the value $USERID@FAIR.SAP.CORP, and for the parameter LdapHost define the value ldap://dc1emea:389. Save the configuration and log off the user Admin.

Exercise 2: Install Secure Login Client (5 minutes)

1. Start Windows Explorer and change to the folder D:\Files\Session\SCI266\SLC\. Start the unattended Secure Login Client installation by double-clicking UnattendedSetup_SLC_SCI266.cmd. Please install the software based on the documentation at help.sap.com -> SAP NetWeaver Single Sign-On -> Secure Login Client. After installation the blue icon should be available in the taskbar.

2. Log off the user SCI266. If the message box Save console settings to sapmmc.msc appears, press the button No. Log on to domain FAIR with the user name SCI266 and password welcome.

3. In the taskbar click on the blue icon.

4. The Secure Login Client Console should be displayed. Double-click on the default profile and press the OK button. Enter the user name SCI266 and password welcome, then press the OK button.

5. Press the OK button. If the authentication fails, verify the user credentials (SCI266 / welcome) or check the configuration of the Login Module (SAP NetWeaver Administrator) for typing errors. REMARK: If the user is authenticated as a Microsoft Active Directory domain user, you can also configure the product so that no additional authentication is necessary.

As a result, the X.509 user certificate (CN=SCI266, O=SAP, L=Walldorf, C=DE) will be provided

Exercise 3: Configure SNC for SAP ABAP Server (30 minutes)

1. Start the SAP Logon application. Choose the TDI system Local SAP ABAP Server and log on with the user name admin and password abc123.

2. Start transaction RZ10. Import the profiles of the active servers by selecting Utilities -> Import profiles -> Of active servers. Press the Exit (yellow) button.

Select the instance profile TDI_DVEBMGS00_MADR9EL187NW (double-click). Choose the option Extended maintenance and press the Change button.

3. Change the following SNC parameters: snc/gssapi_lib and snc/identity/as, and verify the other SNC parameters. The configuration details are described in the following table. HINT 1: Values are case sensitive! HINT 2: SNC will be enabled later!

Parameter                   Value                                      Remarks
snc/force_login_screen      0                                          Predefined
snc/permit_insecure_start   1                                          Predefined
snc/accept_insecure_rfc     1                                          Predefined
snc/accept_insecure_gui     1                                          Predefined
snc/accept_insecure_cpic    1                                          Predefined
snc/r3int_rfc_qop           8                                          Predefined
snc/r3int_rfc_secure        0                                          Predefined
snc/data_protection/use     3                                          Predefined
snc/data_protection/min     2                                          Predefined
snc/data_protection/max     3                                          Predefined
snc/enable                  0                                          Predefined
snc/gssapi_lib              D:\usr\sap\TDI\ASCS01\exe\sapcrypto.dll    To Be Changed
snc/identity/as             p:CN=TDI, OU=TechEd 2011, O=SAP AG         To Be Changed

Parameter          Description
snc/enable         Set this parameter to activate SNC on the AS ABAP. 1: SNC is activated; 0: SNC is not activated.
snc/gssapi_lib     Specify the path and file name of the GSS-API V2 shared library: D:\usr\sap\TDI\ASCS01\exe\sapcrypto.dll
snc/identity/as    Specify the SNC name of the AS ABAP with this parameter. Format: <name type>:<external name> or <name type>/<product>:<external name>. Value: p:CN=TDI, OU=TechEd 2011, O=SAP AG
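The following Python script is an added example and is not part of the SAP guide or of any SAP product. It parses a constructed instance-profile fragment that carries the values from the table above and reviews the SNC parameters the way an administrator would check them after RZ10 maintenance: the <name type>:<external name> format of snc/identity/as, the SAP Cryptographic Library path in snc/gssapi_lib, the min/max data-protection range, and which of the predefined accept_insecure_* switches still allow connections without SNC protection once snc/enable is set to 1 later in the exercise. The profile text, the regular expression and the finding categories are assumptions of this example.

```python
import re

# Constructed sample: an instance profile fragment with the SNC values from the
# table above. This is not a profile file exported from the lab system.
SAMPLE_PROFILE = r"""
SAPSYSTEMNAME = TDI
INSTANCE_NAME = DVEBMGS00
snc/force_login_screen = 0
snc/permit_insecure_start = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/r3int_rfc_qop = 8
snc/r3int_rfc_secure = 0
snc/data_protection/use = 3
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/enable = 0
snc/gssapi_lib = D:\usr\sap\TDI\ASCS01\exe\sapcrypto.dll
snc/identity/as = p:CN=TDI, OU=TechEd 2011, O=SAP AG
"""

# SNC name format given in the guide: <name type>:<external name>
# or <name type>/<product>:<external name>. Name type 'p' carries an X.509 DN.
SNC_NAME_RE = re.compile(r"^(?P<type>[A-Za-z])(?:/(?P<product>[^:]+))?:(?P<name>.+)$")

# Switches that, when set to 1, still accept connections without SNC protection.
INSECURE_ACCEPT = ("snc/permit_insecure_start", "snc/accept_insecure_rfc",
                   "snc/accept_insecure_gui", "snc/accept_insecure_cpic")


def parse_profile(text):
    """Parse 'key = value' lines into a dict; blank lines and '#' comments are skipped.
    Only the first '=' separates key and value, so DNs containing '=' survive intact."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def snc_name_dn(params):
    """Return the external-name part of snc/identity/as, i.e. the DN the server's
    SNC PSE (imported in STRUST) has to carry, or None if the format is wrong."""
    m = SNC_NAME_RE.match(params.get("snc/identity/as", ""))
    return m.group("name") if m else None


def check_snc(params):
    """Return a list of (severity, message) findings for the SNC parameters."""
    findings = []
    enabled = params.get("snc/enable") == "1"
    if not enabled:
        findings.append(("info", "snc/enable is not 1: SNC is not active on this AS ABAP"))

    lib = params.get("snc/gssapi_lib", "")
    if not lib.lower().endswith(("sapcrypto.dll", "libsapcrypto.so")):
        findings.append(("error", "snc/gssapi_lib does not point at the SAP Cryptographic Library: %r" % lib))

    ident = params.get("snc/identity/as", "")
    m = SNC_NAME_RE.match(ident)
    if not m:
        findings.append(("error", "snc/identity/as is not in <name type>:<external name> form: %r" % ident))
    elif m.group("type") != "p":
        findings.append(("warn", "snc/identity/as uses name type %r, expected 'p' for an X.509 DN" % m.group("type")))

    # Once SNC is active, every accept_insecure_* left at 1 keeps a non-SNC entry point open.
    if enabled:
        for key in INSECURE_ACCEPT:
            if params.get(key) == "1":
                findings.append(("warn", "%s = 1: connections without SNC protection are still accepted" % key))

    try:
        lo = int(params.get("snc/data_protection/min", "0"))
        hi = int(params.get("snc/data_protection/max", "0"))
        if lo > hi:
            findings.append(("error", "snc/data_protection/min exceeds snc/data_protection/max"))
    except ValueError:
        findings.append(("error", "snc/data_protection/min or /max is not an integer"))
    return findings


if __name__ == "__main__":
    for label, text in (("before snc/enable = 1", SAMPLE_PROFILE),
                        ("after snc/enable = 1", SAMPLE_PROFILE.replace("snc/enable = 0", "snc/enable = 1"))):
        print(label)
        for severity, message in check_snc(parse_profile(text)):
            print("  [%s] %s" % (severity, message))
```

Run as a script it prints the review for the profile as the table leaves it (snc/enable = 0) and again for the state after the later step that sets snc/enable = 1, where the four predefined accept_insecure_* switches show up as warnings: they are what keep password logons working in this lab, and they are the settings to revisit on a production system once all clients use SNC.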

4. After the configuration, save the profile configuration (button Yes) and press the Exit button (yellow). Press the Save button.

On the next screen (Incorrect parameter values detected. Display values?) select the No button. On the next screen select Yes to activate the profile. The next version of the instance profile is saved and activated; confirm this message box (green tick). Confirm the next message box (green tick) and log off the SAP Logon application.

5. Restart the SAP NetWeaver Application Server: start the SAP Management Console (Desktop Icon), click on SAP System TDI and choose the option Restart from the right-click menu.

If user credentials are requested, log on with the user name FAIR\SCI266 and password welcome. HINT: The SAP ABAP stack will be available in about 2-3 minutes.

6. Start the SAP Logon application. Choose the TDI system Local SAP ABAP Server and log on with the user name admin and password abc123. Start transaction STRUST. Choose in menu PSE -> Import and open the file D:\Files\Session\SCI266\Certificates_SCI266\SAP_SERVER_TDI.pse. Choose the option Allow this one time and press the OK button.

Enter the password 1qay!QAY and confirm the message box (green tick). Choose in menu PSE -> Save as. Choose the option SNC SAPCryptolib and confirm the message box (green tick). At the bottom of the screen the message Data saved successfully should be displayed, and an entry for SNC SAPCryptolib should be available.

Start the transaction /nRZ10. Select the instance profile TDI_DVEBMGS00_MADR9EL187NW (double-click). Choose the option Extended maintenance and press the Change button.

Define the value 1 for the parameter snc/enable (activate SNC). After the configuration, save the profile configuration (button Yes) and press the Exit button (yellow). On the next screen (Incorrect parameter values detected. Display values?) select the No button. Select Yes to activate the profile. The next version of the instance profile is saved and activated; confirm this message box (green tick). Confirm the next message box (green tick) and log off the SAP Logon application.

7. Restart the SAP NetWeaver Application Server: start the SAP Management Console (Desktop Icon), click on SAP System TDI and choose the option Restart from the right-click menu. If user credentials are requested, log on with the user name FAIR\SCI266 and password welcome. HINT: While the SAP NetWeaver Application Server restarts, continue with the next configuration step (Enable SNC in SAP GUI).

Exercise 4: Enable SNC in SAP GUI Application (5 minutes)

1. Click on the SAP Logon icon on the Desktop and press the New button.

2. Press the Next button.

3. Define the following parameters: Description: Local SAP Server (SNC); Application Server: localhost; Instance Number: 00; System ID: TDI. Press the button Next.

4. Activate Secure Network Communication (checkmark). Define the value p:CN=TDI, OU=TechEd 2011, O=SAP AG for the parameter SNC Name and press the button Finish.

Exercise 5: Configure SNC User Mapping in SAP User Management (5 minutes)

1. Start the SAP GUI application and log on to the Local SAP ABAP Server with the user name admin and password abc123.

2. Start transaction SU01, enter SCI266 for the User and press the Change button.

3. Choose the tab SNC. For the parameter SNC name define the value p:CN=SCI266, O=SAP, L=Walldorf, C=DE and save the configuration.

4. Log off the user Admin.

5. Start the SAP GUI application and use the SNC enabled connection Local SAP Server (SNC).

6. If there are no configuration errors, you are directly logged on as the user SCI266 without using a password. An SAP license message may appear; in this case press the OK button. HINT: If no certificate is available, the Windows user credentials are requested. In this case enter the user name SCI266 and password welcome and press the OK button.

Exercise 6: Additional Single Sign-On Scenarios (15 minutes, optional)

1. SSO to SAP Enterprise Portal. Start Microsoft Internet Explorer and enter the URL https://localhost:50001/irj/portal, or use the shortcut link X.509 Based Login SAP Enterprise Portal in D:\Files\Session\SCI266\Shortcuts\. As a result the user SCI266 is authenticated automatically to the SAP Enterprise Portal.

How was it configured? In this configuration the SSL server certificate was issued by the Secure Login Server and imported via transaction STRUST. To verify the certificate, start the SAP Logon application and log on with the user name Admin and password abc123. Start the transaction STRUST and choose the SSL server Standard certificate. The password for the certificate is 1qay!QAY.

In addition, the user mapping for the SAP Enterprise Portal was configured in the ClientCertLoginModule: log on to SAP NetWeaver Administrator at http://localhost:50000/nwa, choose Configuration -> Security -> Authentication and Single Sign-On, choose Components and then ticket. In this login module stack (ticket) the login module ClientCertLoginModule is configured to use the CN field of the certificate distinguished name to map the SAP user.

2. SAP GUI for HTML (ABAP Stack). Start Microsoft Internet Explorer and enter the URL https://localhost:50001/sap/bc/gui/sap/its/webgui

or use the shortcut link X.509 Based Login SAP ABAP Web GUI in D:\Files\Session\SCI266\Shortcuts\. As a result the user SCI266 is authenticated automatically to the SAP ABAP Web Application Server.

How was it configured? In this configuration the SSL server certificate was issued by the Secure Login Server and imported via transaction STRUST (as described before). In addition, the user mapping (External User ID) needs to be configured. To verify the user mapping, start the SAP Logon application and log on with the user name Admin and password abc123. Start the transaction SM30, enter the value VUSREXTID and press the button Maintain. Define DN for the work area. In this table the External ID CN=SCI266, O=SAP, L=Walldorf, C=DE is assigned to the SAP user SCI266.
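The following Python code is an added example, not part of the SAP guide and not SAP's own mapping logic. It illustrates the two certificate-to-user mappings described in scenarios 1 and 2 above: the ClientCertLoginModule picks the user from the CN field only, while the VUSREXTID entry (work area DN) requires the whole distinguished name to match. The DN parser, the canonical form used for the lookup, the p:-prefixed SNC name builder and the VUSREXTID dictionary are assumptions of this example; the sample DNs are the ones from the lab.

```python
def parse_dn(dn):
    """Split a DN such as 'CN=SCI266, O=SAP, L=Walldorf, C=DE' into [(attr, value), ...].
    A backslash escapes the next character (so '\\,' is a literal comma inside a value);
    attribute types are upper-cased and surrounding whitespace is dropped. Order is kept."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def _escape(value):
    return value.replace(",", "\\,")


def canonical_dn(dn):
    """'ATTR=value, ...' form used for exact comparison. RDN order is preserved on purpose:
    'CN=a, O=b' and 'O=b, CN=a' name different subjects."""
    return ", ".join(attr + "=" + _escape(value) for attr, value in parse_dn(dn))


def common_name(dn):
    """The CN value, which is all a CN-based login module (scenario 1) looks at."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None


def snc_name(dn):
    """SNC name as entered in SU01 and SAP Logon: name type 'p' followed by the X.509 DN."""
    return "p:" + canonical_dn(dn)


# Constructed stand-in for the VUSREXTID entry of the lab (External ID of type DN -> SAP user).
VUSREXTID = {"CN=SCI266, O=SAP, L=Walldorf, C=DE": "SCI266"}


def map_user_by_dn(dn, table=VUSREXTID):
    """DN-based mapping (scenario 2): the whole DN has to match, so a certificate that shares
    only the CN with the registered entry does not resolve to the user."""
    canonical_table = {canonical_dn(ext_id): user for ext_id, user in table.items()}
    return canonical_table.get(canonical_dn(dn))


if __name__ == "__main__":
    lab_dn = "CN=SCI266, O=SAP, L=Walldorf, C=DE"
    lookalike = "CN=SCI266, O=Other Org, C=DE"   # constructed: same CN, different organisation
    for subject in (lab_dn, lookalike):
        print(subject)
        print("  CN-based mapping ->", common_name(subject))
        print("  DN-based mapping ->", map_user_by_dn(subject))
        print("  SNC name         ->", snc_name(subject))
```

The contrast the script prints is the point a reviewer of the ticket stack should keep in mind: with CN-only mapping, any certificate whose CN reads SCI266 and which chains to a CA the server trusts maps to that user, so the set of trusted issuing CAs (here the Secure Login Server's USER_CA) must be kept as small as the scenario needs; the VUSREXTID mapping pins the full subject instead.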

3. SSO for Business Explorer. Select Start -> Programs -> SAP -> SAP Business Explorer -> Query Designer. Choose Local SAP Server (SNC) and press the OK button. Define the following parameters: Client 001, User SCI266, Language EN, and press the OK button. HINT: It takes some time until the Business Explorer client (Query Designer) is started.

How was it configured? As the Business Explorer client uses the SAP Logon (SAP GUI) configuration, no further configuration for the SSO functionality is required.

4. Secure Login Web Client. In the taskbar click on the blue icon and log out the user certificate (right-click on the default profile). Close the SAP GUI and Microsoft Internet Explorer applications. Start Microsoft Internet Explorer and enter the URL http://localhost:50000/SlsWebClient. Enter the user name SCI266 and password welcome and press the button Log On.

The SAP Logon application is started automatically. Choose the SNC enabled connection Local SAP Server (SNC). If there are no configuration errors, you are directly logged on as the user SCI266 without using a password.

How was it configured? With the Secure Login Server deployment, the Secure Login Web Client is configured for LDAP authentication by default. As the SecureLoginModuleLDAP is configured for the Microsoft Active Directory system (configured in SAP NetWeaver Administrator), this configuration is used by the Secure Login Web Client too. Additional client profiles can be configured in the Secure Login Administration Console.

© 2012 by SAP AG. All rights reserved. SAP and the SAP logo are registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and the Sybase logo are registered trademarks of Sybase Inc. Sybase is an SAP company. Nothing herein should be construed as constituting an additional warranty.
