Currently Being Moderated
Matthias comment on 15.04.2013

SAP released (RTC) the a new version of SAP NetWeaver Single Sign-On (version: 2.0). The screenshots in this blog are from version SAP NetWeaver Single Sign-On 1.0. So if you install the new version, some screens will be look different, since SAP improved the UI. Overall the concept of SAP NW SSO in combination with certificates (this use case) is still the same. There is a complete new option available for Kerberos (SPNego for ABAP).






SAP NetWeaver Single Sign-On provides various possibilities to implement a single sign-on scenario. At the moment (there are coming more), there are the following scenarios available.



The components of SAP NetWeaver Single Sign-On can be combined depending on the business case. This how to guide describes the second option in the pictures above. The solution generates out-of-the-box certificates. There is no need for an external PKI. It includes also the encryption of the communication between SAP GUI for Windows and the SAP system.


If you are only interested to configure the first option in the picture above, please use this guide:


The option with certificates is supporting the following clients for Single Sign-On (SSO)


SAP Portal

SAP NetWeaver Business Client (NWBC)

SAP Web based applications (SAP NetWeaver ABAP and Java)

non-SAP WEb application server supporting certificates for authentication



Main components


Secure Login Client

  • SNC Client Library for SAP GUI application
  • Support for digital signatures in SAP applications (SSF Interface)
  • Security Token Management (Smartcard, OTP Token, Kerberos, Microsoft Certificate Store, PKCS#11, short term certificates provided by Secure Login Server, integration to existing PKI)

Secure Login Server

  • Out-of-the-box PKI
  • Several authentication server connectors (LDAP server, MS-ADS system, SAP server, RADIUS server)


In this demo session the SAPCRYPTOLIB will be used on the SAP system.



Prerequisites and information

  • SAP NetWeaver Java system for the deployment of the secure login server
  • Please download SAP NetWeaver SIngle Sign-On
  • This how to guide is based on SAP NetWeaver Single Sign-On 1.0
  • You need an SAP NetWeaver ABAP based system. This is your target system which you want to connect to
  • SAPCRYPTOLIB is installed
  • Root certificates are available (you can generate them also with secure login server but this steps are not described in this document)


Goal of this how-to-guide:

Configuration of secure login server, installation of secure login client and configuration of a SAP NetWeaver ABAP application server.

End user will be able to use SSO to access the SAP NetWeaver ABAP application server via automatically provided certificates.


This guide do not explain how to access applications based on SAP NetWeaver Java (UME needs to be configured to accept certificates).


Demo overview








FIrst of all you need to deploy the secure login server component on a SAP NetWeaver Java system. This document will not describe how you install a SAP NetWeaver Java system. Please deploy secure login server on a SAP NetWeaver Java application server: deploy You can of course use an existing application server. Please check PAM of SAP NetWeaver Single Sign-On to find out which versions of SAP NetWeaver are supported.



Start Microsoft Internet Explorer and enter the URL  http://localhost:50000/securelogin.

On the Welcome screen press the button Continue .


Define the value D:\usr\sap\TDI\ServerKeyFile\KeyFile.txt  for the parameter Server File.



Define the Administrator account




Choose the option: Import an Existing Key Store File and define the password.

Important: if you don't have existing root CA you can also use secure login server to generate them.




Choose the option "Skip all SSL certificates" if you have already SSL certificates. Otherwise you can generate them for SSL.



Choose the option "Import an Existing Key Store File". If you don't have already a root CA for the user certificates you can generate them.



On the server configuration page press the button: Next

On the Setup Review page press the button: Finish




Start the SAP Management Console and restart the component





Verify that the logon to the Secure Login Administration Console is successful.
Start Microsoft Internet Explorer and enter the URL http://localhost:50000/securelogin or use the Reload button from the initial configuration wizard
Logon with user Admin and password.



In Microsoft Internet Explorer enter the URL http://localhost:50000/nwa and logon with Admin.


Choose Configuration tab Security -> Authentication and Single Sign-On
Choose the option Login Modules
Choose the Login Module



Choose the button Edit





For the parameter LdapBaseDN
define the value:

For the parameter LdapHostdefine the value:


--> Please use here your enviroment specific values




STEP 2: Install Secure Login Client




Please use the wizard to install secure login client on the end user PC.


After the installation: In taskbar click on the blue icon.




The Secure Login Client Console should be displayed

Double-click on the default profile

Press the OK button

Enter username and password.Then press the OK button



REMARK: If the user is authenticated via a Microsoft Active Directory domain user, you can configure also the product that there is no additional authentication necessary for the end user.




As a result, the X.509 user certificate (CN=SCI266, O=SAP, L=Walldorf, C=DE) will be provided.




STEP 3: Configure SNC for SAP ABAP Server


Start transaction RZ10
Import the profiles of the active servers

Select the Instance profile

Choose the option Extended maintenance and press the Change button




Change the following SNC parameters:


snc/identity/asand verify the other SNC parameters

Configuration details are described in the following table

HINT 1: Values are case sensitive!
HINT 2: SNC will be enabled later!
































p:CN=TDI, OU=TechEd 2011, O=SAP AG




After the configuration, save the profile configuration and activate the profile.





Restart the SAP NetWeaver Application Server.


Please logon again to the SAP NetWeaver ABAP server with your admin user.


Start transaction STRUST

Choose in menu PSE-->Import


--> here we import the server certificates 




Choose the option SNC SAPCryptolib and confirm the message box .




On the bottom of the screen, the message "data saved successfully" should be displayed and an entry for SNC SAPCryptolib should be available.



Start the transaction /nRZ10

Select the Instance profile

Choose the option "Extended maintenance" and press the Change button

Define the value 1 for the parameter snc/enable (activate SNC)

After the configuration, save the profile configuration and activate the profile




Restart the SAP NetWeaver Application Server.


STEP 4: Enable SNC in SAP GUI Application --> on the client


Define a new system in SAP GUI and maintain the SNC information.








STEP 5: Configure SNC User Mapping in SAP User Management



Please logon to the SAP NetWeaver ABAP based sysetm (your target system the end user want to connect with SSO) with admin and password (not with the SNC entry of SAP GUI -> this is not working yet).

Start transaction SU01 and choose the user you want to enable for SSO (end user SAP GUI).

Maintain the SNC entries.





Log off.

Now you should be able to logon with SAP GUI to SAP NetWeaver Application Server with the configured user and the newly created entry at SAP GUI (SNC entries are maintained).


Additional information

Web access is not working yet (BSP applications ...) -> so you need to do some additional configuration


In addition the user mapping (External User ID) needs to be configured.

Start the transaction SM30

Enter the value VUSREXTID and press the button Maintain

Define DN for the work area





Please ensure that your SSL(https) is configured.




Filter Blog

By author:
By date:
By tag: