Matthias comment on 15.04.2013
SAP released (RTC) the a new version of SAP NetWeaver Single Sign-On (version: 2.0). The screenshots in this blog are from version SAP NetWeaver Single Sign-On 1.0. So if you install the new version, some screens will be look different, since SAP improved the UI. Overall the concept of SAP NW SSO in combination with certificates (this use case) is still the same. There is a complete new option available for Kerberos (SPNego for ABAP).
SAP NetWeaver Single Sign-On provides various possibilities to implement a single sign-on scenario. At the moment (there are coming more), there are the following scenarios available.
The components of SAP NetWeaver Single Sign-On can be combined depending on the business case. This how to guide describes the second option in the pictures above. The solution generates out-of-the-box certificates. There is no need for an external PKI. It includes also the encryption of the communication between SAP GUI for Windows and the SAP system.
If you are only interested to configure the first option in the picture above, please use this guide:
The option with certificates is supporting the following clients for Single Sign-On (SSO)
SAP NetWeaver Business Client (NWBC)
SAP Web based applications (SAP NetWeaver ABAP and Java)
non-SAP WEb application server supporting certificates for authentication
Secure Login Client
- SNC Client Library for SAP GUI application
- Support for digital signatures in SAP applications (SSF Interface)
- Security Token Management (Smartcard, OTP Token, Kerberos, Microsoft Certificate Store, PKCS#11, short term certificates provided by Secure Login Server, integration to existing PKI)
Secure Login Server
- Out-of-the-box PKI
- Several authentication server connectors (LDAP server, MS-ADS system, SAP server, RADIUS server)
In this demo session the SAPCRYPTOLIB will be used on the SAP system.
Prerequisites and information
- SAP NetWeaver Java system for the deployment of the secure login server
- Please download SAP NetWeaver SIngle Sign-On
- This how to guide is based on SAP NetWeaver Single Sign-On 1.0
- You need an SAP NetWeaver ABAP based system. This is your target system which you want to connect to
- SAPCRYPTOLIB is installed
- Root certificates are available (you can generate them also with secure login server but this steps are not described in this document)
Goal of this how-to-guide:
Configuration of secure login server, installation of secure login client and configuration of a SAP NetWeaver ABAP application server.
End user will be able to use SSO to access the SAP NetWeaver ABAP application server via automatically provided certificates.
This guide do not explain how to access applications based on SAP NetWeaver Java (UME needs to be configured to accept certificates).
FIrst of all you need to deploy the secure login server component on a SAP NetWeaver Java system. This document will not describe how you install a SAP NetWeaver Java system. Please deploy secure login server on a SAP NetWeaver Java application server: deploy SECURE_LOGIN_SERVERXX_X.sca. You can of course use an existing application server. Please check PAM of SAP NetWeaver Single Sign-On to find out which versions of SAP NetWeaver are supported.
Start Microsoft Internet Explorer and enter the URL http://localhost:50000/securelogin.
On the Welcome screen press the button Continue .
Define the value D:\usr\sap\TDI\ServerKeyFile\KeyFile.txt for the parameter Server File.
Define the Administrator account
Choose the option: Import an Existing Key Store File and define the password.
Important: if you don't have existing root CA you can also use secure login server to generate them.
Choose the option "Skip all SSL certificates" if you have already SSL certificates. Otherwise you can generate them for SSL.
Choose the option "Import an Existing Key Store File". If you don't have already a root CA for the user certificates you can generate them.
On the server configuration page press the button: Next
On the Setup Review page press the button: Finish
Start the SAP Management Console and restart the component sap.com/SecureLoginServer.
Verify that the logon to the Secure Login Administration Console is successful.
Start Microsoft Internet Explorer and enter the URL http://localhost:50000/securelogin or use the Reload button from the initial configuration wizard
Logon with user Admin and password.
In Microsoft Internet Explorer enter the URL http://localhost:50000/nwa and logon with Admin.
Choose Configuration tab Security -> Authentication and Single Sign-On
Choose the option Login Modules
Choose the Login Module
Choose the button Edit
For the parameter LdapBaseDN
define the value:
For the parameter LdapHostdefine the value:
STEP 2: Install Secure Login Client
Please use the wizard to install secure login client on the end user PC.
After the installation: In taskbar click on the blue icon.
The Secure Login Client Console should be displayed
Double-click on the default profile
Press the OK button
Enter username and password.Then press the OK button
REMARK: If the user is authenticated via a Microsoft Active Directory domain user, you can configure also the product that there is no additional authentication necessary for the end user.
As a result, the X.509 user certificate (CN=SCI266, O=SAP, L=Walldorf, C=DE) will be provided.
STEP 3: Configure SNC for SAP ABAP Server
Start transaction RZ10
Import the profiles of the active servers
Select the Instance profile
Choose the option Extended maintenance and press the Change button
Change the following SNC parameters:
snc/identity/asand verify the other SNC parameters
Configuration details are described in the following table
HINT 1: Values are case sensitive!
HINT 2: SNC will be enabled later!
p:CN=TDI, OU=TechEd 2011, O=SAP AG
After the configuration, save the profile configuration and activate the profile.
Restart the SAP NetWeaver Application Server.
Please logon again to the SAP NetWeaver ABAP server with your admin user.
Start transaction STRUST
Choose in menu PSE-->Import
--> here we import the server certificates
Choose the option SNC SAPCryptolib and confirm the message box .
On the bottom of the screen, the message "data saved successfully" should be displayed and an entry for SNC SAPCryptolib should be available.
Start the transaction /nRZ10
Select the Instance profile
Choose the option "Extended maintenance" and press the Change button
Define the value 1 for the parameter snc/enable (activate SNC)
After the configuration, save the profile configuration and activate the profile
Restart the SAP NetWeaver Application Server.
STEP 4: Enable SNC in SAP GUI Application --> on the client
Define a new system in SAP GUI and maintain the SNC information.
STEP 5: Configure SNC User Mapping in SAP User Management
Please logon to the SAP NetWeaver ABAP based sysetm (your target system the end user want to connect with SSO) with admin and password (not with the SNC entry of SAP GUI -> this is not working yet).
Start transaction SU01 and choose the user you want to enable for SSO (end user SAP GUI).
Maintain the SNC entries.
Now you should be able to logon with SAP GUI to SAP NetWeaver Application Server with the configured user and the newly created entry at SAP GUI (SNC entries are maintained).
Web access is not working yet (BSP applications ...) -> so you need to do some additional configuration
In addition the user mapping (External User ID) needs to be configured.
Start the transaction SM30
Enter the value VUSREXTID and press the button Maintain
Define DN for the work area
Please ensure that your SSL(https) is configured.