X.509 Certificate Based Single Sign-On Solution with SAP NetWeaver Single Sign-On
How to implement the X.509 certificate based Single Sign-On solution from SAP
Page 2 of 34
2. Copy the files from the folder Session (TechEd File Server) \\Fairfile.fair.sap.corp\session\SCI266\ to the folder Session (Local Folder) D:\Files\Session\SCI266\
This step is specific to the SAP demo environment.
7. After deployment, close the windows or enter the command exit twice
10. Define the value D:\usr\sap\TDI\ServerKeyFile\KeyFile.txt for the parameter Server File and press the button Next
11. For the account name Admin define the password 1qay!QAY, confirm the password and press the button Next (watch out for upper/lower case)
12. Choose the option Import an Existing Key Store File, browse for the file D:\Files\Session\SCI266\Certificates_SCI266\ROOT_CA.pse and define the password 1qay!QAY (please use another password!). Check the option Save Password and press the button Next
13. Choose the option Skip all SSL certificates and press the button Next
14. Choose the option Import an Existing Key Store File, browse for the file D:\Files\Session\SCI266\Certificates_SCI266\USER_CA.pse and define the password 1qay!QAY. Check the option Save Password and press the button Next
17. Start the SAP Management Console (Desktop Icon)
Navigate to AS Java Components
If user credentials are requested, log on with the user name FAIR\SCI266 and the password welcome
18. Verify that the logon to the Secure Login Administration Console is successful: start Microsoft Internet Explorer and enter the URL http://localhost:50000/securelogin, or use the Reload button from the initial configuration wizard. Log on with the user Admin and the password 1qay!QAY
19. In Microsoft Internet Explorer enter the URL http://localhost:50000/nwa and log on with the user Admin and the password abc123
For the parameter LdapBaseDN define the value $USERID@FAIR.SAP.CORP
For the parameter LdapHost define the value ldap://dc1emea:389
Save the configuration and log off the user Admin
After the installation the blue icon should be available in the taskbar
2. Log off the user SCI266
If the message box Save console settings to sapmmc.msc appears, press the button No
Log on with the user name SCI266 and the password welcome to the domain FAIR
4. The Secure Login Client Console should be displayed. Double-click on the default profile
Enter the user name SCI266 and the password welcome, then press the OK button
5. Press the OK button
If the authentication failed, verify the user credentials (SCI266 / welcome) or check the configuration of the Login Module (SAP NetWeaver Administrator) for typing errors
REMARK: If the user is authenticated via a Microsoft Active Directory domain user, the product can also be configured so that no additional authentication is necessary
As a result, the X.509 user certificate (CN=SCI266, O=SAP, L=Walldorf, C=DE) will be provided
Import the profiles of the active servers by selecting Utilities > Import profiles > Of active servers. Press the Exit (yellow) button
Choose the option Extended maintenance and press the Change button
3. Change the following SNC parameters: snc/gssapi_lib and snc/identity/as, and verify the other SNC parameters. The configuration details are described in the following table (next page)
HINT 1: Values are case sensitive!
HINT 2: SNC will be enabled later!
Parameter                  Value                                       Remarks
snc/force_login_screen     0                                           Predefined
snc/permit_insecure_start  1                                           Predefined
snc/accept_insecure_rfc    1                                           Predefined
snc/accept_insecure_gui    1                                           Predefined
snc/accept_insecure_cpic   1                                           Predefined
snc/r3int_rfc_qop          8                                           Predefined
snc/r3int_rfc_secure       0                                           Predefined
snc/data_protection/use    3                                           Predefined
snc/data_protection/min    2                                           Predefined
snc/data_protection/max    3                                           Predefined
snc/enable                 0                                           Predefined
snc/gssapi_lib             D:\usr\sap\TDI\ASCS01\exe\sapcrypto.dll     To Be Changed
snc/identity/as            p:CN=TDI, OU=TechEd 2011, O=SAP AG          To Be Changed

Parameter          Description
snc/enable         Set this parameter to activate SNC on the AS ABAP. 1: SNC is activated; 0: SNC is not activated
snc/gssapi_lib     Specify the path and file name of the GSS-API V2 shared library: D:\usr\sap\TDI\ASCS01\exe\sapcrypto.dll
snc/identity/as    Specify the SNC name of the AS ABAP with this parameter. Format: <name type>:<external name> or <name type>/<product>:<external name>, e.g. p:CN=TDI, OU=TechEd 2011, O=SAP AG
4. After the configuration, save the profile configuration (Button Yes) and press the Exit button (yellow)
On the next screen (Incorrect parameter values detected. Display values?) select the No button
The next version of the instance profile is saved and activated. Confirm this message box (green tick)
Confirm this message box (green tick)
Log off the SAP Logon application
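Because the SNC values in the table are case sensitive (HINT 1) and a wrong snc/identity/as only shows up after the restart, it is worth checking the saved instance profile against the table before restarting. The following checker is an added example, not part of the original session material or of any SAP tool; it assumes the profile is plain "parameter = value" text, and SAMPLE_PROFILE is a constructed fragment.

```python
import re

# Expected values from the SNC parameter table above (TechEd demo system TDI).
EXPECTED_SNC = {
    "snc/force_login_screen": "0",
    "snc/permit_insecure_start": "1",
    "snc/accept_insecure_rfc": "1",
    "snc/accept_insecure_gui": "1",
    "snc/accept_insecure_cpic": "1",
    "snc/r3int_rfc_qop": "8",
    "snc/r3int_rfc_secure": "0",
    "snc/data_protection/use": "3",
    "snc/data_protection/min": "2",
    "snc/data_protection/max": "3",
    "snc/enable": "0",
    "snc/gssapi_lib": r"D:\usr\sap\TDI\ASCS01\exe\sapcrypto.dll",
    "snc/identity/as": "p:CN=TDI, OU=TechEd 2011, O=SAP AG",
}
# <name type>:<external name> or <name type>/<product>:<external name>, e.g. p:CN=...
SNC_NAME_RE = re.compile(r"^[a-z]+(?:/[A-Za-z0-9]+)?:\S.*$")

def parse_profile(text):
    """Parse 'parameter = value' lines of an instance profile ('#' starts a comment)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def check_snc_profile(text, expected=EXPECTED_SNC):
    """Return findings as strings; an empty list means the profile matches the table."""
    params = parse_profile(text)
    findings = []
    for key, want in expected.items():
        got = params.get(key)
        if got is None:
            findings.append(f"{key}: missing (expected {want!r})")
        elif got != want:
            # HINT 1 on this page: values are case sensitive, so flag that case explicitly.
            note = " (case mismatch)" if got.lower() == want.lower() else ""
            findings.append(f"{key}: got {got!r}, expected {want!r}{note}")
    ident = params.get("snc/identity/as", "")
    if ident and not SNC_NAME_RE.match(ident):
        findings.append("snc/identity/as: not in <name type>:<external name> form")
    return findings

# Constructed profile fragment (not from the page) with a wrong-case SNC name.
SAMPLE_PROFILE = "snc/enable = 0\nsnc/identity/as = P:cn=TDI, OU=TechEd 2011, O=SAP AG\n"
```

Run check_snc_profile on the text of the saved instance profile; the findings for SAMPLE_PROFILE show both the case mismatch and the eleven parameters that are still missing.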
5. Restart the SAP NetWeaver Application Server: start the SAP Management Console (Desktop Icon), right-click on SAP System TDI and choose the option Restart
If user credentials are requested, log on with the user name FAIR\SCI266 and the password welcome
HINT: The SAP ABAP Stack will be available in about 2-3 minutes
6. Start the SAP Logon application
Import
Choose the option Allow this one time and press the OK button
Enter the password 1qay!QAY and confirm the message box (green tick)
Save as
Choose the option SNC SAPCryptolib and confirm the message box (green tick)
On the bottom of the screen, the message Data saved successfully should be displayed and an entry for SNC SAPCryptolib should be available
Choose the option Extended maintenance and press the Change button
After the configuration, save the profile configuration (Button Yes) and press the Exit button (yellow)
On the next screen (Incorrect parameter values detected. Display values?) select the No button
The next version of the instance profile is saved and activated. Confirm this message box (green tick)
Confirm this message box (green tick)
Log off the SAP Logon application
7. Restart the SAP NetWeaver Application Server: start the SAP Management Console (Desktop Icon), right-click on SAP System TDI and choose the option Restart
If user credentials are requested, log on with the user name FAIR\SCI266 and the password welcome
HINT: While the SAP NetWeaver Application Server is restarting, continue with the next configuration step (Enable SNC in SAP GUI)
3. Define the following parameters: Description: Local SAP Server (SNC); Application Server: localhost; Instance Number: 00; System ID: TDI, and press the button Next
4. Activate Secure Network Communication (checkmark), define the value p:CN=TDI, OU=TechEd 2011, O=SAP AG for the parameter SNC Name and press the button Finish
2. Start transaction SU01, enter SCI266 for the User and press the Change button
3. Choose the tab SNC, define the value p:CN=SCI266, O=SAP, L=Walldorf, C=DE for the parameter SNC name and save the configuration
4. Log off the user Admin
5. Start the SAP GUI application and use the SNC enabled connection Local SAP Server (SNC)
6. If there are no configuration errors, you are directly logged on with the user SCI266 without using a password
An SAP license message may appear; in this case press the OK button
HINT: If no certificate is available, the Windows user credentials are requested. In this case enter the user name SCI266 and the password welcome and press the OK button
As a result the user SCI266 will be authenticated automatically to the SAP Enterprise Portal
How was it configured? In this configuration the SSL Server Certificate was issued by the Secure Login Server and imported via transaction STRUST. In order to verify the certificate, start the SAP Logon application and log on with the user name Admin and the password abc123. Start the transaction STRUST and choose the SSL server Standard certificate. The password for the certificate is 1qay!QAY
In addition the user mapping for the SAP Enterprise Portal was configured in the ClientCertLoginModule. Log on to SAP NetWeaver Administrator http://localhost:50000/nwa and choose Configuration > Security > Authentication and Single Sign-On > Components > ticket
In this login module stack (ticket) the login module ClientCertLoginModule is configured to use the CN field of the certificate distinguished name to map the SAP user
2. SAP GUI for HTML (ABAP Stack): start Microsoft Internet Explorer and enter the URL https://localhost:50001/sap/bc/gui/sap/its/webgui
or use the shortcut link in D:\Files\Session\SCI266\Shortcuts\ (X.509 Based Login SAP ABAP Web GUI)
As a result the user SCI266 will be authenticated automatically to the SAP ABAP Web Application Server
How was it configured? In this configuration the SSL Server Certificate was issued by the Secure Login Server and imported via transaction STRUST (as described before). In addition the user mapping (External User ID) needs to be configured. In order to verify the user mapping, start the SAP Logon application and log on with the user name Admin and the password abc123. Start the transaction SM30, enter the value VUSREXTID, press the button Maintain and define DN for the work area
In this table the External ID CN=SCI266, O=SAP, L=Walldorf, C=DE is assigned to the SAP user SCI266
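The page uses two different certificate-to-user mappings: the ABAP side (VUSREXTID, external ID type DN) matches the whole subject DN, while the Java ClientCertLoginModule matches only the CN field, so for the Java stack the set of trusted user CAs is the only thing that ties a CN to the right person. The following is an added illustration, not SAP code; the mapping tables are constructed, and the DN normalisation is an assumption about how to compare DN text, not SAP's actual matching rule.

```python
import re

def parse_dn(dn):
    """Split an X.509 subject DN string into (type, value) pairs; attribute types are
    upper-cased and backslash-escaped commas ('Doe\\, John') are kept inside the value."""
    rdns = []
    for part in re.split(r"(?<!\\),\s*", dn):
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().upper(), value.replace("\\,", ",").strip()))
    return rdns

def normalize_dn(rdns):
    """Canonical 'T=v, T=v' text so a VUSREXTID-style lookup is not defeated by spacing."""
    return ", ".join(f"{t}={v}" for t, v in rdns)

# Constructed tables standing in for the two mechanisms on this page (not SAP's data).
# ABAP: VUSREXTID, external ID type DN -> SAP user (the whole DN must match).
VUSREXTID_DN = {"CN=SCI266, O=SAP, L=Walldorf, C=DE": "SCI266"}
# Java: ClientCertLoginModule rule that takes only the CN field as the user name.
JAVA_CN_USERS = {"SCI266", "ADMIN"}

def map_user_abap(dn):
    """Full-DN mapping: every attribute of the certificate subject must match."""
    table = {normalize_dn(parse_dn(k)): v for k, v in VUSREXTID_DN.items()}
    return table.get(normalize_dn(parse_dn(dn)))

def map_user_java(dn):
    """CN-only mapping: O, L and C are ignored, so the trusted user CA is the only
    thing tying the CN to the right person. Returns None for an unknown CN."""
    cn = next((v for t, v in parse_dn(dn) if t == "CN"), None)
    return cn if cn in JAVA_CN_USERS else None
```

A subject such as CN=SCI266, O=Other, C=DE maps to SCI266 under the CN rule but to nobody under the full-DN table, which is why the USER_CA imported into the Secure Login Server should be the only user CA the Java stack trusts.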
3. SSO for Business Explorer: select Start > Programs > SAP > SAP Business Explorer > Query Designer
Define the following parameters: Client 001, User SCI266, Language EN, and press the OK button
HINT: It takes some time until the Business Explorer Client (Query Designer) is started
How was it configured? As the Business Explorer Client uses the SAP Logon (SAP GUI) configuration, no further configuration for the SSO functionality is required
4. Secure Login Web Client: in the taskbar click on the blue icon and log out the user certificate (right-click on the default profile)
Enter the user name SCI266 and the password welcome and press the button Log On
The SAP Logon application will be started automatically. Choose the SNC enabled connection Local SAP Server (SNC)
If there are no configuration errors, you are directly logged on with the user SCI266 without using a password
How was it configured? With the Secure Login Server deployment, the Secure Login Web Client is configured for LDAP authentication by default. As the SecureLoginModuleLDAP is configured for the Microsoft Active Directory system (configured in SAP NetWeaver Administrator), this configuration is used by the Secure Login Web Client too. Additional client profiles can be configured in the Secure Login Administration Console.
© 2012 by SAP AG. All rights reserved. SAP and the SAP logo are registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and the Sybase logo are registered trademarks of Sybase Inc. Sybase is an SAP company.