Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
Kaempfer
Advisor
Advisor
Matthias comment on 15.04.2013

SAP released (RTC) the a new version of SAP NetWeaver Single Sign-On (version: 2.0). The screenshots in this blog are from version SAP NetWeaver Single Sign-On 1.0. So if you install the new version, some screens will be look different, since SAP improved the UI. Overall the concept of SAP NW SSO in combination with certificates (this use case) is still the same. There is a complete new option available for Kerberos (SPNego for ABAP).

http://scn.sap.com/docs/DOC-40178

Introduction

SAP NetWeaver Single Sign-On provides various possibilities to implement a single sign-on scenario. At the moment (there are coming more), there are the following scenarios available.

The components of SAP NetWeaver Single Sign-On can be combined depending on the business case. This how to guide describes the second option in the pictures above. The solution generates out-of-the-box certificates. There is no need for an external PKI. It includes also the encryption of the communication between SAP GUI for Windows and the SAP system.

If you are only interested to configure the first option in the picture above, please use this guide:

http://scn.sap.com/community/netweaver-sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sig...

The option with certificates is supporting the following clients for Single Sign-On (SSO)

SAP GUI

SAP Portal

SAP NetWeaver Business Client (NWBC)

SAP Web based applications (SAP NetWeaver ABAP and Java)

non-SAP WEb application server supporting certificates for authentication

....

Main components

Secure Login Client

  • SNC Client Library for SAP GUI application
  • Support for digital signatures in SAP applications (SSF Interface)
  • Security Token Management (Smartcard, OTP Token, Kerberos, Microsoft Certificate Store, PKCS#11, short term certificates provided by Secure Login Server, integration to existing PKI)

Secure Login Server

  • Out-of-the-box PKI
  • Several authentication server connectors (LDAP server, MS-ADS system, SAP server, RADIUS server)

In this demo session the SAPCRYPTOLIB will be used on the SAP system.

Prerequisites and information

  • SAP NetWeaver Java system for the deployment of the secure login server
  • Please download SAP NetWeaver SIngle Sign-On
  • This how to guide is based on SAP NetWeaver Single Sign-On 1.0
  • You need an SAP NetWeaver ABAP based system. This is your target system which you want to connect to
  • SAPCRYPTOLIB is installed
  • Root certificates are available (you can generate them also with secure login server but this steps are not described in this document)

Goal of this how-to-guide:

Configuration of secure login server, installation of secure login client and configuration of a SAP NetWeaver ABAP application server.

End user will be able to use SSO to access the SAP NetWeaver ABAP application server via automatically provided certificates.

This guide do not explain how to access applications based on SAP NetWeaver Java (UME needs to be configured to accept certificates).

Demo overview

STEP 1

FIrst of all you need to deploy the secure login server component on a SAP NetWeaver Java system. This document will not describe how you install a SAP NetWeaver Java system. Please deploy secure login server on a SAP NetWeaver Java application server: deploy SECURE_LOGIN_SERVERXX_X.sca. You can of course use an existing application server. Please check PAM of SAP NetWeaver Single Sign-On to find out which versions of SAP NetWeaver are supported.

Start Microsoft Internet Explorer and enter the URL  http://localhost:50000/securelogin.

On the Welcome screen press the button Continue .

Define the value D:\usr\sap\TDI\ServerKeyFile\KeyFile.txt  for the parameter Server File.

Define the Administrator account

Choose the option: Import an Existing Key Store File and define the password.

Important: if you don't have existing root CA you can also use secure login server to generate them.

Choose the option "Skip all SSL certificates" if you have already SSL certificates. Otherwise you can generate them for SSL.


Choose the option "Import an Existing Key Store File". If you don't have already a root CA for the user certificates you can generate them.

On the server configuration page press the button: Next

On the Setup Review page press the button: Finish

Start the SAP Management Console and restart the component sap.com/SecureLoginServer.

Verify that the logon to the Secure Login Administration Console is successful.
Start Microsoft Internet Explorer and enter the URL http://localhost:50000/securelogin or use the Reload button from the initial configuration wizard
Logon with user Admin and password.

In Microsoft Internet Explorer enter the URL http://localhost:50000/nwa and logon with Admin.

Choose Configuration tab Security -> Authentication and Single Sign-On
Choose the option Login Modules
Choose the Login Module

SecureLoginModuleLDAP

Choose the button Edit

For the parameter LdapBaseDN
define the value:
$USERID@FAIR.SAP.CORP 

For the parameter LdapHostdefine the value:
ldap://dc1emea:389

--> Please use here your enviroment specific values

STEP 2: Install Secure Login Client

Please use the wizard to install secure login client on the end user PC.

After the installation: In taskbar click on the blue icon.

The Secure Login Client Console should be displayed

Double-click on the default profile

Press the OK button

Enter username and password.Then press the OK button

REMARK: If the user is authenticated via a Microsoft Active Directory domain user, you can configure also the product that there is no additional authentication necessary for the end user.

As a result, the X.509 user certificate (CN=SCI266, O=SAP, L=Walldorf, C=DE) will be provided.

STEP 3: Configure SNC for SAP ABAP Server

Start transaction RZ10
Import the profiles of the active servers

Select the Instance profile

Choose the option Extended maintenance and press the Change button

Change the following SNC parameters:

snc/gssapi_lib

snc/identity/asand verify the other SNC parameters

Configuration details are described in the following table

HINT 1: Values are case sensitive!
HINT 2: SNC will be enabled later!

Parameter

Value

snc/force_login_screen

0

snc/permit_insecure_start

1

snc/accept_insecure_rfc

1

snc/accept_insecure_gui

1

snc/accept_insecure_cpic

1

snc/r3int_rfc_qop

8

snc/r3int_rfc_secure

0

snc/data_protection/use

3

snc/data_protection/min

2

snc/data_protection/max

3

snc/enable

0

snc/gssapi_lib

D:\usr\sap\TDI\ASCS01\exe\sapcrypto.dll

snc/identity/as

p:CN=TDI, OU=TechEd 2011, O=SAP AG

After the configuration, save the profile configuration and activate the profile.

Restart the SAP NetWeaver Application Server.

Please logon again to the SAP NetWeaver ABAP server with your admin user.

Start transaction STRUST

Choose in menu PSE-->Import

--> here we import the server certificates 

Choose the option SNC SAPCryptolib and confirm the message box .

On the bottom of the screen, the message "data saved successfully" should be displayed and an entry for SNC SAPCryptolib should be available.

Start the transaction /nRZ10

Select the Instance profile

Choose the option "Extended maintenance" and press the Change button

Define the value 1 for the parameter snc/enable (activate SNC)

After the configuration, save the profile configuration and activate the profile

Restart the SAP NetWeaver Application Server.

STEP 4: Enable SNC in SAP GUI Application --> on the client

Define a new system in SAP GUI and maintain the SNC information.

STEP 5: Configure SNC User Mapping in SAP User Management

Please logon to the SAP NetWeaver ABAP based sysetm (your target system the end user want to connect with SSO) with admin and password (not with the SNC entry of SAP GUI -> this is not working yet).

Start transaction SU01 and choose the user you want to enable for SSO (end user SAP GUI).

Maintain the SNC entries.

 

Log off.

Now you should be able to logon with SAP GUI to SAP NetWeaver Application Server with the configured user and the newly created entry at SAP GUI (SNC entries are maintained).


Additional information

Web access is not working yet (BSP applications ...) -> so you need to do some additional configuration

In addition the user mapping (External User ID) needs to be configured.

Start the transaction SM30

Enter the value VUSREXTID and press the button Maintain

Define DN for the work area

Please ensure that your SSL(https) is configured.



54 Comments