10/15/2012

How to configure SAP NetWeaver Single Sign-On with certificates out-of-the box!

Introduction
SAP NetWeaver Single Sign-On provides various possibilities to implement a single sign-on scenario. At the moment (there are coming more), there are the following scenarios available.
Capture.PNG
The components of SAP NetWeaver Single Sign-On can be combined depending on the business case. This how to guide describes the second option in the pictures above. The solution generates out-of-the-box certificates. There is no need for an external PKI. It includes also the encryption of the communication between SAP GUI for Windows and the SAP system.
If you are only interested to configure the first option in the picture above, please use this guide:
The option with certificates is supporting the following clients for Single Sign-On (SSO)
SAP GUI
SAP Portal
SAP NetWeaver Business Client (NWBC)
SAP Web based applications (SAP NetWeaver ABAP and Java)
non-SAP WEb application server supporting certificates for authentication
....
Main components
Secure Login Client
  • SNC Client Library for SAP GUI application
  • Support for digital signatures in SAP applications (SSF Interface)
  • Security Token Management (Smartcard, OTP Token, Kerberos, Microsoft Certificate Store, PKCS#11, short term certificates provided by Secure Login Server, integration to existing PKI)
Secure Login Server
  • Out-of-the-box PKI
  • Several authentication server connectors (LDAP server, MS-ADS system, SAP server, RADIUS server)
In this demo session the SAPCRYPTOLIB will be used on the SAP system.
Prerequisites and information
  • SAP NetWeaver Java system for the deployment of the secure login server
  • Please download SAP NetWeaver SIngle Sign-On
  • This how to guide is based on SAP NetWeaver Single Sign-On 1.0
  • You need an SAP NetWeaver ABAP based system. This is your target system which you want to connect to
  • SAPCRYPTOLIB is installed
  • Root certificates are available (you can generate them also with secure login server but this steps are not described in this document)
Goal of this how-to-guide:
Configuration of secure login server, installation of secure login client and configuration of a SAP NetWeaver ABAP application server.
End user will be able to use SSO to access the SAP NetWeaver ABAP application server via automatically provided certificates.
This guide do not explain how to access applications based on SAP NetWeaver Java (UME needs to be configured to accept certificates).
Demo overview
SCN.png
STEP 1
SCN.png
FIrst of all you need to deploy the secure login server component on a SAP NetWeaver Java system. This document will not describe how you install a SAP NetWeaver Java system. Please deploy secure login server on a SAP NetWeaver Java application server: deploy SECURE_LOGIN_SERVERXX_X.sca. You can of course use an existing application server. Please check PAM of SAP NetWeaver Single Sign-On to find out which versions of SAP NetWeaver are supported.
Start Microsoft Internet Explorer and enter the URL  http://localhost:50000/securelogin.
On the Welcome screen press the button Continue .
Define the value D:\usr\sap\TDI\ServerKeyFile\KeyFile.txt  for the parameter Server File.
SCN.png
Define the Administrator account
SCN.png
Choose the option: Import an Existing Key Store File and define the password.
Important: if you don't have existing root CA you can also use secure login server to generate them.
SCN.png
Choose the option "Skip all SSL certificates" if you have already SSL certificates. Otherwise you can generate them for SSL.
SCN.png

Choose the option "Import an Existing Key Store File". If you don't have already a root CA for the user certificates you can generate them.
SCN.png
On the server configuration page press the button: Next
On the Setup Review page press the button: Finish
SCN.png
Start the SAP Management Console and restart the component sap.com/SecureLoginServer.
SCN.png
Verify that the logon to the Secure Login Administration Console is successful.
Start Microsoft Internet Explorer and enter the URL http://localhost:50000/securelogin or use the Reload button from the initial configuration wizard
Logon with user Admin and password.
In Microsoft Internet Explorer enter the URL http://localhost:50000/nwa and logon with Admin.
Choose Configuration tab Security -> Authentication and Single Sign-On
Choose the option Login Modules
Choose the Login Module
SecureLoginModuleLDAP
Choose the button Edit
SCN.png
For the parameter LdapBaseDN 
define the value: 
$USERID@FAIR.SAP.CORP  

For the parameter LdapHostdefine the value: 
ldap://dc1emea:389
--> Please use here your enviroment specific values
SCN.png
STEP 2: Install Secure Login Client
SCN.png
Please use the wizard to install secure login client on the end user PC.
After the installation: In taskbar click on the blue icon.
SCN.png
The Secure Login Client Console should be displayed
Double-click on the default profile
Press the OK button
Enter username and password.Then press the OK button
REMARK: If the user is authenticated via a Microsoft Active Directory domain user, you can configure also the product that there is no additional authentication necessary for the end user.
SCN.png
As a result, the X.509 user certificate (CN=SCI266, O=SAP, L=Walldorf, C=DE) will be provided.
SCN.png
STEP 3: Configure SNC for SAP ABAP Server
Start transaction RZ10
Import the profiles of the active servers
Select the Instance profile
Choose the option Extended maintenance and press the Change button
SCN.png
Change the following SNC parameters:
snc/gssapi_lib
snc/identity/asand verify the other SNC parameters

Configuration details are described in the following table
HINT 1: Values are case sensitive!
HINT 2: SNC will be enabled later!
Parameter
Value
snc/force_login_screen
0
snc/permit_insecure_start
1
snc/accept_insecure_rfc
1
snc/accept_insecure_gui
1
snc/accept_insecure_cpic
1
snc/r3int_rfc_qop
8
snc/r3int_rfc_secure
0
snc/data_protection/use
3
snc/data_protection/min
2
snc/data_protection/max
3
snc/enable
0
snc/gssapi_lib
D:\usr\sap\TDI\ASCS01\exe\sapcrypto.dll
snc/identity/as
p:CN=TDI, OU=TechEd 2011, O=SAP AG
After the configuration, save the profile configuration and activate the profile.
SCN.png
Restart the SAP NetWeaver Application Server.
Please logon again to the SAP NetWeaver ABAP server with your admin user.
Start transaction STRUST
Choose in menu PSE-->Import
--> here we import the server certificates 
SCN.png
Choose the option SNC SAPCryptolib and confirm the message box .
SCN.png
On the bottom of the screen, the message "data saved successfully" should be displayed and an entry for SNC SAPCryptolib should be available.
Start the transaction /nRZ10
Select the Instance profile
Choose the option "Extended maintenance" and press the Change button
Define the value 1 for the parameter snc/enable (activate SNC)
After the configuration, save the profile configuration and activate the profile
SCN.png
Restart the SAP NetWeaver Application Server.
STEP 4: Enable SNC in SAP GUI Application --> on the client
Define a new system in SAP GUI and maintain the SNC information.
SCN.png
STEP 5: Configure SNC User Mapping in SAP User Management
Please logon to the SAP NetWeaver ABAP based sysetm (your target system the end user want to connect with SSO) with admin and password (not with the SNC entry of SAP GUI -> this is not working yet).
Start transaction SU01 and choose the user you want to enable for SSO (end user SAP GUI).
Maintain the SNC entries.
SCN.png 
Log off.
Now you should be able to logon with SAP GUI to SAP NetWeaver Application Server with the configured user and the newly created entry at SAP GUI (SNC entries are maintained).

Additional information
Web access is not working yet (BSP applications ...).
In addition the user mapping (External User ID) needs to be configured.
Start the transaction SM30
Enter the value VUSREXTID and press the button Maintain
Define DN for the work area
SCN.png
Please ensure that your SSL(https) is configured.

No comments:

Post a Comment

Popular Posts