Matthias comment on 15.04.2013

SAP released (RTC) a new version of SAP NetWeaver Single Sign-On (version: 2.0). The screenshots in this blog are from version SAP NetWeaver Single Sign-On 1.0. So if you install the new version, some screens will look different, since SAP improved the UI. Overall the concept of SAP NW SSO in combination with certificates (this use case) is still the same. There is a completely new option available for Kerberos (SPNego for ABAP).

http://scn.sap.com/docs/DOC-40178
Introduction

 

SAP NetWeaver Single Sign-On provides various possibilities to implement a single sign-on scenario. At the moment the following scenarios are available (more are coming).

 

(Picture: overview of the available SAP NetWeaver Single Sign-On scenarios)

The components of SAP NetWeaver Single Sign-On can be combined depending on the business case. This how-to guide describes the second option in the picture above. The solution generates certificates out of the box, so there is no need for an external PKI. It also includes encryption of the communication between SAP GUI for Windows and the SAP system.

If you are only interested in configuring the first option in the picture above, please use this guide:

http://scn.sap.com/community/netweaver-sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-sap-gui-for-windows-with-kerberos-integration

 

The option with certificates supports the following clients for Single Sign-On (SSO):

  • SAP GUI
  • SAP Portal
  • SAP NetWeaver Business Client (NWBC)
  • SAP web-based applications (SAP NetWeaver ABAP and Java)
  • non-SAP web application servers supporting certificates for authentication
  • ...

 

Main components

 

Secure Login Client

  • SNC Client Library for SAP GUI application
  • Support for digital signatures in SAP applications (SSF Interface)
  • Security Token Management (Smartcard, OTP Token, Kerberos, Microsoft Certificate Store, PKCS#11, short term certificates provided by Secure Login Server, integration to existing PKI)

Secure Login Server

  • Out-of-the-box PKI
  • Several authentication server connectors (LDAP server, MS-ADS system, SAP server, RADIUS server)

 

In this demo session, SAPCRYPTOLIB is used as the SNC library on the SAP system.

Prerequisites and information

  • SAP NetWeaver Java system for the deployment of Secure Login Server
  • Please download SAP NetWeaver Single Sign-On
  • This how-to guide is based on SAP NetWeaver Single Sign-On 1.0
  • You need an SAP NetWeaver ABAP based system. This is the target system you want to connect to
  • SAPCRYPTOLIB is installed
  • Root certificates are available (you can also generate them with Secure Login Server, but those steps are not described in this document)

 

Goal of this how-to guide:

Configuration of Secure Login Server, installation of Secure Login Client and configuration of an SAP NetWeaver ABAP application server.

End users will be able to use SSO to access the SAP NetWeaver ABAP application server via automatically provisioned certificates.

This guide does not explain how to access applications based on SAP NetWeaver Java (the UME needs to be configured to accept certificates).

 

Demo overview

(Picture: demo overview)

STEP 1: Deploy and configure Secure Login Server

First of all you need to deploy the Secure Login Server component on an SAP NetWeaver Java system. This document does not describe how to install an SAP NetWeaver Java system. Please deploy Secure Login Server on an SAP NetWeaver Java application server: deploy SECURE_LOGIN_SERVERXX_X.sca. You can of course use an existing application server. Please check the Product Availability Matrix (PAM) of SAP NetWeaver Single Sign-On to find out which versions of SAP NetWeaver are supported.

Start Microsoft Internet Explorer and enter the URL http://localhost:50000/securelogin.

On the Welcome screen press the button Continue.

Define the value D:\usr\sap\TDI\ServerKeyFile\KeyFile.txt for the parameter Server File.

 

Define the Administrator account

Choose the option: Import an Existing Key Store File and define the password.

Important: if you don't have an existing root CA, you can also use Secure Login Server to generate one.

Choose the option "Skip all SSL certificates" if you already have SSL certificates. Otherwise you can generate them here for SSL.

Choose the option "Import an Existing Key Store File". If you don't already have a root CA for the user certificates, you can generate one here.

On the server configuration page press the button: Next

On the Setup Review page press the button: Finish

Start the SAP Management Console and restart the component sap.com/SecureLoginServer.

Verify that the logon to the Secure Login Administration Console is successful:
Start Microsoft Internet Explorer and enter the URL http://localhost:50000/securelogin, or use the Reload button of the initial configuration wizard.
Log on with user Admin and the password.

In Microsoft Internet Explorer enter the URL http://localhost:50000/nwa and log on with Admin.

Choose the Configuration tab, then Security -> Authentication and Single Sign-On
Choose the option Login Modules
Choose the Login Module SecureLoginModuleLDAP

Choose the button Edit

For the parameter LdapBaseDN define the value:
$USERID@FAIR.SAP.CORP

For the parameter LdapHost define the value:
ldap://dc1emea:389

--> Please use your environment-specific values here.

STEP 2: Install Secure Login Client

Please use the wizard to install Secure Login Client on the end user's PC.

 

After the installation, click on the blue icon in the taskbar.

The Secure Login Client Console should be displayed.

Double-click on the default profile.

Press the OK button.

Enter username and password. Then press the OK button.

REMARK: If the user is already authenticated as a Microsoft Active Directory domain user, you can also configure the product so that no additional authentication is necessary for the end user.

As a result, the X.509 user certificate (CN=SCI266, O=SAP, L=Walldorf, C=DE) is issued to the user.

STEP 3: Configure SNC for SAP ABAP Server

Start transaction RZ10
Import the profiles of the active servers

Select the Instance profile

Choose the option Extended maintenance and press the Change button

Change the following SNC parameters: snc/gssapi_lib and snc/identity/as, and verify the other SNC parameters.

Configuration details are described in the following table.

HINT 1: Values are case sensitive!
HINT 2: SNC will be enabled later!

Parameter                   Value
snc/force_login_screen      0
snc/permit_insecure_start   1
snc/accept_insecure_rfc     1
snc/accept_insecure_gui     1
snc/accept_insecure_cpic    1
snc/r3int_rfc_qop           8
snc/r3int_rfc_secure        0
snc/data_protection/use     3
snc/data_protection/min     2
snc/data_protection/max     3
snc/enable                  0
snc/gssapi_lib              D:\usr\sap\TDI\ASCS01\exe\sapcrypto.dll
snc/identity/as             p:CN=TDI, OU=TechEd 2011, O=SAP AG
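Before saving and activating the profile, it is worth checking the parameter set for consistency. The following Python script is an added example and is not part of the original post or of SAP's tooling: it parses the parameters from the table above written in instance-profile syntax (a constructed sample) and checks the relations a practitioner would verify before restarting the server: the data protection levels must satisfy min <= use <= max, snc/enable = 1 requires snc/gssapi_lib and snc/identity/as, the SAPCRYPTOLIB SNC name carries the prefix p:, and every accept_insecure_* / permit_insecure_start flag set to 1 is reported as a warning, because the server then still accepts connections without SNC (this is what lets the password logon in STEP 5 work, and what you tighten once all clients use SNC). The rule set is the editor's own, not an SAP check.

```python
"""Consistency check for SNC profile parameters.

Added example, not code from the SCN post or from SAP: it reads the SNC
parameters in instance-profile syntax and reports errors and warnings
before the profile is activated and the server restarted.
"""
from __future__ import annotations

# Constructed sample: the values from the how-to guide's table in
# instance-profile syntax (snc/enable stays 0 until the PSE is imported).
PROFILE_FRAGMENT = r"""
# SNC parameters for instance TDI (constructed from the guide's table)
snc/force_login_screen = 0
snc/permit_insecure_start = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/r3int_rfc_qop = 8
snc/r3int_rfc_secure = 0
snc/data_protection/use = 3
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/enable = 0
snc/gssapi_lib = D:\usr\sap\TDI\ASCS01\exe\sapcrypto.dll
snc/identity/as = p:CN=TDI, OU=TechEd 2011, O=SAP AG
"""

# SNC protection levels: 1 = authentication only, 2 = integrity, 3 = privacy
PROTECTION_LEVELS = {1: "authentication", 2: "integrity", 3: "privacy"}
# While these are 1 the server still accepts connections that do not use SNC
INSECURE_FLAGS = (
    "snc/accept_insecure_gui",
    "snc/accept_insecure_rfc",
    "snc/accept_insecure_cpic",
    "snc/permit_insecure_start",
)


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'name = value' lines; '#' lines are comments, as in SAP profiles."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def check_snc_profile(params: dict[str, str]) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for the SNC parameters in `params`."""
    errors: list[str] = []
    warnings: list[str] = []

    def int_param(name: str, default: int | None = None) -> int | None:
        value = params.get(name)
        if value is None:
            return default
        try:
            return int(value)
        except ValueError:
            errors.append(f"{name}: value {value!r} is not an integer")
            return default

    # Protection levels must be valid and ordered min <= use <= max.
    levels: dict[str, int] = {}
    for suffix in ("min", "use", "max"):
        name = f"snc/data_protection/{suffix}"
        level = int_param(name)
        if level is None:
            errors.append(f"{name} is missing")
        elif level not in PROTECTION_LEVELS:
            errors.append(f"{name}: {level} is not a valid level (1..3)")
        else:
            levels[suffix] = level
    if len(levels) == 3 and not levels["min"] <= levels["use"] <= levels["max"]:
        errors.append("snc/data_protection: min <= use <= max is violated")

    # snc/enable = 1 only makes sense with a library and a server identity.
    enable = int_param("snc/enable", 0)
    lib = params.get("snc/gssapi_lib", "")
    identity = params.get("snc/identity/as", "")
    if enable not in (0, 1):
        errors.append(f"snc/enable: {enable} is not 0 or 1")
    elif enable == 1:
        if not lib:
            errors.append("snc/enable = 1 but snc/gssapi_lib is empty")
        if not identity:
            errors.append("snc/enable = 1 but snc/identity/as is empty")
    else:
        warnings.append("snc/enable = 0: SNC is not active yet")

    # SAPCRYPTOLIB SNC names are the X.509 DN with the prefix 'p:'.
    if "sapcrypto" in lib.lower() and identity and not identity.startswith("p:"):
        errors.append("snc/identity/as must start with 'p:' when SAPCRYPTOLIB is the SNC library")

    for flag in INSECURE_FLAGS:
        if int_param(flag, 0) == 1:
            warnings.append(f"{flag} = 1: connections without SNC are still accepted; "
                            "set it to 0 once every client uses SNC")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_snc_profile(parse_profile(PROFILE_FRAGMENT))
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

Run it against the values you maintain in RZ10. With the table above it reports no errors and five warnings: SNC is not enabled yet, and the four insecure-* flags still admit connections without SNC.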

 

 

 

After the configuration, save the profile configuration and activate the profile.

 


 

 

Restart the SAP NetWeaver Application Server.

 

Please logon again to the SAP NetWeaver ABAP server with your admin user.

 

Start transaction STRUST

Choose PSE --> Import in the menu

--> Here we import the server certificate (the PSE whose certificate matches the SNC identity defined in snc/identity/as).

Choose the option SNC SAPCryptolib and confirm the message box.

At the bottom of the screen, the message "Data saved successfully" should be displayed, and an entry for SNC SAPCryptolib should be available.

 

 

Start the transaction /nRZ10

Select the Instance profile

Choose the option "Extended maintenance" and press the Change button

Define the value 1 for the parameter snc/enable (activate SNC)

After the configuration, save the profile configuration and activate the profile

 


 

Restart the SAP NetWeaver Application Server.

 

STEP 4: Enable SNC in SAP GUI Application --> on the client

Define a new system entry in SAP GUI (SAP Logon) and maintain the SNC information: activate SNC and enter the SNC name of the server, which is the value of snc/identity/as from STEP 3 (here p:CN=TDI, OU=TechEd 2011, O=SAP AG).

STEP 5: Configure SNC User Mapping in SAP User Management

 

 

Please log on to the SAP NetWeaver ABAP based system (the target system the end user wants to connect to with SSO) with admin user and password (not with the SNC entry of SAP GUI -> this is not working yet).

Start transaction SU01 and choose the user you want to enable for SSO (the end user of SAP GUI).

Maintain the SNC entries (the SNC name of the user is the DN of the user certificate from STEP 2 with the prefix p:, here p:CN=SCI266, O=SAP, L=Walldorf, C=DE).

 

 

Log off.

Now you should be able to log on with SAP GUI to the SAP NetWeaver Application Server with the configured user and the newly created SAP GUI entry (the SNC entries are maintained).

 


Additional information

Web access is not working yet (BSP applications ...) -> so you need to do some additional configuration.

In addition, the user mapping (External User ID) needs to be configured:

Start the transaction SM30

Enter the value VUSREXTID and press the button Maintain

Choose DN as the work area (external ID type) and map the certificate DN to the SAP user.

Please ensure that SSL (HTTPS) is configured on the ABAP system.
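The SNC name in SU01 and the external ID in VUSREXTID both carry the subject DN of the user certificate issued in STEP 2, and a DN typed in by hand is where SSO mappings typically go wrong. The following Python helper is an added example, not code from the original post or from SAP; it assumes that the ABAP system matches the stored DN string against the subject presented by the certificate, so it derives the SU01 SNC name (p: prefix plus DN, the SAPCRYPTOLIB convention) and reports where an entered DN differs from the certificate subject (spelling, attribute order, missing or extra attributes) before the entry is saved. The certificate subject used below is the one from STEP 2; parse_dn is a simplified splitter that does not handle escaped commas.

```python
"""Check the DN maintained in SU01 / VUSREXTID against the certificate subject.

Added example, not code from the SCN post or from SAP. Assumption: the ABAP
system matches the stored DN against the subject presented by the user
certificate, so any difference in the string breaks the mapping.
"""
from __future__ import annotations

# Constructed sample: subject of the user certificate issued in STEP 2.
CERT_SUBJECT = "CN=SCI266, O=SAP, L=Walldorf, C=DE"


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=a, O=b' into [('CN', 'a'), ('O', 'b')].

    Attribute types are upper-cased for comparison; escaped commas inside
    values are not handled by this simplified splitter.
    """
    parts: list[tuple[str, str]] = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"not an attribute=value pair: {rdn!r}")
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def snc_name(cert_subject: str) -> str:
    """SNC name for SU01 when SAPCRYPTOLIB is the SNC library: 'p:' + DN."""
    return "p:" + cert_subject.strip()


def compare_dn(entered: str, cert_subject: str) -> list[str]:
    """Return findings for `entered` (SU01 or VUSREXTID value); [] means it matches."""
    findings: list[str] = []
    bare = entered.strip()
    if bare.startswith("p:"):          # SU01 value; VUSREXTID stores the bare DN
        bare = bare[2:].strip()
    if bare == cert_subject.strip():
        return findings
    entered_parts, subject_parts = parse_dn(bare), parse_dn(cert_subject)
    if entered_parts == subject_parts:
        findings.append(f"spelling differs from the certificate subject: {bare!r} vs {cert_subject!r}")
    elif sorted(entered_parts) == sorted(subject_parts):
        findings.append("same attributes in a different order; keep the order of the certificate subject")
    else:
        missing = [f"{a}={v}" for a, v in subject_parts if (a, v) not in entered_parts]
        extra = [f"{a}={v}" for a, v in entered_parts if (a, v) not in subject_parts]
        if missing:
            findings.append("missing from the entered DN: " + ", ".join(missing))
        if extra:
            findings.append("not in the certificate subject: " + ", ".join(extra))
    return findings


if __name__ == "__main__":
    print("SU01 SNC name:", snc_name(CERT_SUBJECT))
    print("VUSREXTID DN :", CERT_SUBJECT)
    for candidate in ("CN=SCI266,O=SAP,L=Walldorf,C=DE",
                      "C=DE, L=Walldorf, O=SAP, CN=SCI266"):
        print(candidate, "->", compare_dn(candidate, CERT_SUBJECT) or ["ok"])
```

Feed it the subject exactly as shown in the Secure Login Client console (or as printed by your certificate tooling) and the value you intend to enter; an empty findings list means the two strings are identical.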

 


