
Installation, Configuration, and Administration Guide

SAP NetWeaver Single Sign-On SP1


Secure Login Client



PUBLIC
Document Version: 1.1 October 2011








Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
notice.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered
trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p,
System p5, System x, System z, System z10, System z9, z10, z9,
iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390,
OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM,
Power Architecture, POWER6+, POWER6, POWER5+, POWER5,
POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System
Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks,
OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner,
WebSphere, Netfinity, Tivoli and Informix are trademarks or
registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and
other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either
trademarks or registered trademarks of Adobe Systems Incorporated in
the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the
Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,
VideoFrame, and MultiWin are trademarks or registered trademarks of
Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered
trademarks of W3C, World Wide Web Consortium, Massachusetts
Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used
under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP
BusinessObjects Explorer, and other SAP products and services
mentioned herein as well as their respective logos are trademarks or
registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects,
Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and
other Business Objects products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of
Business Objects Software Ltd. in the United States and in other
countries.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere,
and other Sybase products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of
Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of
their respective companies. Data contained in this document serves
informational purposes only. National product specifications may
vary.

These materials are subject to change without notice. These materials
are provided by SAP AG and its affiliated companies ("SAP Group")
for informational purposes only, without representation or warranty of
any kind, and SAP Group shall not be liable for errors or omissions
with respect to the materials. The only warranties for SAP Group
products and services are those that are set forth in the express
warranty statements accompanying such products and services, if any.
Nothing herein should be construed as constituting an additional
warranty.

Disclaimer
Some components of this product are based on Java. Any
code change in these components may cause unpredictable
and severe malfunctions and is therefore expressively
prohibited, as is any decompilation of these components.

SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com


Any Java Source Code delivered with this product is
only to be used by SAP's Support Services and may not be
modified or altered in any way.



Terms for Included Open
Source Software
This SAP software contains also the third party open source software
products listed below. Please note that for these third party products
the following special terms and conditions shall apply.

Windows Template Library (WTL) http://wtl.sourceforge.net

Microsoft Public License (MS-PL)

This license governs use of the accompanying software. If you use the
software, you accept this license. If you do not accept the license, do
not use the software.

1. Definitions
The terms "reproduce," "reproduction," "derivative works," and
"distribution" have the same meaning here as under U.S. copyright
law. A "contribution" is the original software or any additions or
changes to the software. A "contributor" is any person that distributes
its contribution under this license. "Licensed patents" are a
contributor's patent claims that read directly on its contribution.

2. Grant of Rights
(A) Copyright Grant- Subject to the terms of this license, including the
license conditions and limitations in section 3, each contributor grants
you a non-exclusive, worldwide, royalty-free copyright license to
reproduce its contribution, prepare derivative works of its contribution,
and distribute its contribution or any derivative works that you create.
(B) Patent Grant- Subject to the terms of this license, including the
license conditions and limitations in section 3, each contributor grants
you a non-exclusive, worldwide, royalty-free license under its licensed
patents to make, have made, use, sell, offer for sale, import, and/or
otherwise dispose of its contribution in the software or derivative
works of the contribution in the software.

3. Conditions and Limitations
(A) No Trademark License- This license does not grant you rights to
use any contributors' name, logo, or trademarks.
(B) If you bring a patent claim against any contributor over patents
that you claim are infringed by the software, your patent license from
such contributor to the software ends automatically.
(C) If you distribute any portion of the software, you must retain all
copyright, patent, trademark, and attribution notices that are present in
the software.
(D) If you distribute any portion of the software in source code form,
you may do so only under this license by including a complete copy of
this license with your distribution. If you distribute any portion of the
software in compiled or object code form, you may only do so under a
license that complies with this license.
(E) The software is licensed "as-is." You bear the risk of using it. The
contributors give no express warranties, guarantees or conditions. You
may have additional consumer rights under your local laws which this
license cannot change. To the extent permitted under your local laws,
the contributors exclude the implied warranties of merchantability,
fitness for a particular purpose and non-infringement.

zlib http://www.zlib.net

zlib.h -- interface of the 'zlib' general purpose compression library
version 1.2.5, April 19th, 2010

Copyright (C) 1995-2010 Jean-loup Gailly and Mark Adler

This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
arising from the use of this software.

Permission is granted to anyone to use this software for any purpose,
including commercial applications, and to alter it and redistribute it
freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must
not claim that you wrote the original software. If you use this software
in a product, an acknowledgment in the product documentation would
be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must
not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source
distribution.

Jean-Loup Gailly
Mark Adler










Typographic Conventions

Type Style: Description
Example Text: Words or characters quoted from the screen. These include field names, screen
titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other
documentation.
Example text: Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT: Technical names of system objects. These include report names, program names,
transaction codes, table names, and key concepts of a programming language when they are
surrounded by body text, for example, SELECT and INCLUDE.
Example text: Output on the screen. This includes file and directory names and their paths,
messages, names of variables and parameters, source text, and names of installation, upgrade
and database tools.
Example text: Exact user entry. These are words or characters that you enter in the system
exactly as they appear in the documentation.
<Example text>: Variable user entry. Angle brackets indicate that you replace these words and
characters with appropriate entries to make entries in the system.
EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon: Meaning
The following icons are used in this guide: Caution, Example, Note, Recommendation, Syntax.

Additional icons are used in SAP Library documentation to help you identify different types
of information at a glance. For more information, see Help on Help General Information
Classes and Information Classes for Business Information Warehouse on the first page of any
version of SAP Library.
Installation Guide: Secure Login Client

6 06/2011
Contents

1 What is Secure Login? ....................................................................... 7
1.1 System Overview .................................................................................... 8
1.2 Main System Components .................................................................... 9
1.3 Authentication Methods ........................................................................ 9
1.4 Workflow with X.509 Certificate .......................................................... 10
1.5 Workflow with Kerberos Token ........................................................... 11
1.6 Workflow with X.509 Certificate Request ........................................... 12
2 Secure Login Client Installation ...................................................... 13
2.1 Prerequisites ........................................................................................ 13
2.2 Installation ............................................................................................ 15
2.3 Unattended Installation ........................................................................ 17
2.4 Custom Installation .............................................................................. 20
2.5 Updating the Secure Login Client to SP1 ........................................... 22
2.6 Uninstallation........................................................................................ 23
3 Secure Login Client Console ........................................................... 26
3.1 Secure Login Server Integration ......................................................... 28
3.2 Use Profile for SAP Applications ........................................................ 29
4 Configuration Options ...................................................................... 35
4.1 Enable SNC in SAP GUI ....................................................................... 35
4.2 User Mapping........................................................................................ 37
4.3 Registry Configuration Options .......................................................... 40
4.4 Smart Card Integration ........................................................................ 44
4.5 Digital Signature (SSF) ........................................................................ 44
5 Secure Login Client for Citrix XenApp ............................................ 48
5.1 Secure Login Client with a Published Desktop ................................. 48
5.2 Secure Login Client with a Published SAP Logon ............................ 48
5.3 Other Features ...................................................................................... 49
6 Troubleshooting ................................................................................ 50
6.1 Error in SNC .......................................................................................... 50
6.2 User Name Not Found .......................................................................... 51
6.3 Invalid Security Token ......................................................................... 51
6.4 Wrong SNC Library Configured .......................................................... 52
7 List of Abbreviations ........................................................................ 54
8 Glossary ............................................................................................. 56

1 What is Secure Login?
Secure Login is an innovative software solution specifically created for improving user and IT
productivity and for protecting business-critical data in SAP business solutions by means of
secure single sign-on to the SAP environment.
Secure Login provides strong encryption, secure communication, and single sign-on between
a wide variety of SAP components.

Examples:
- SAP GUI and SAP NetWeaver platform with Secure Network Communications (SNC)
- Web GUI and SAP NetWeaver platform with Secure Sockets Layer (SSL, HTTPS)
- Third-party application server supporting X.509 certificates

In a default SAP setup, users enter their SAP user name and password on the SAP GUI
logon screen. SAP user names and passwords are transferred through the network without
encryption.
To secure networks, SAP provides a Secure Network Communications interface (SNC) that
enables users to log on to SAP systems without entering a user name or password. The SNC
interface can also direct calls through the Secure Login Library to encrypt all communication
between SAP GUI and the SAP server, thus providing secure single sign-on to SAP.

Secure Login allows you to benefit from the advantages of SNC without being obliged to set
up a public-key infrastructure (PKI). Secure Login allows users to authenticate with one of the
following authentication mechanisms:

- Windows Domain (Active Directory Server)
- RADIUS server
- LDAP server
- SAP NetWeaver server
- Smart card authentication

If a PKI has already been set up, the digital user certificates of the PKI can also be used by
Secure Login.

Secure Login also provides single sign-on for Web browser access to the SAP Portal (and
other HTTPS-enabled Web applications) with SSL.




1.1 System Overview
Secure Login is a client/server software system integrated with SAP software to facilitate
single sign-on, alternative user authentication, and enhanced security for distributed SAP
environments.
The Secure Login solution includes several components:

- Secure Login Server
Central service that provides X.509v3 certificates (out-of-the-box PKI) to users and
application servers. The Secure Login Web Client is an additional function.
- Secure Login Library
Cryptographic library for an SAP NetWeaver ABAP system. The Secure Login Library
supports both X.509 and Kerberos technology.
- Secure Login Client
Client application that provides security tokens (Kerberos and X.509 technology) for a
variety of applications.




You do not need to install all of the components. This depends on your use case scenario.
For more information about Secure Login Server and Secure Login Library, see
Installation, Configuration and Administration Guide.


The Secure Login Client is integrated with SAP software to provide single sign-on capability
and enhanced security. Secure Login Client can be used with Kerberos technology, an
existing public key infrastructure (PKI), or together with the Secure Login Server for
certificate-based authentication without having to set up a PKI.

The Secure Login Client can use the following authentication methods:

- Smart cards and USB tokens with an existing PKI certificate
Secure Login Server and authentication server are not necessary.
- Microsoft Crypto Store with an existing PKI certificate
Secure Login Server and Authentication Server are not necessary.
- Microsoft Windows Credentials
The Microsoft Windows Domain credentials (Kerberos token) can be used for
authentication. The Microsoft Windows credentials can also be used to receive a user
X.509 certificate with the Secure Login Server.
- User name and password (several authentication mechanisms)
The Secure Login Client prompts you for your user name and password and
authenticates with these credentials using the Secure Login Server in order to receive
a user X.509 certificate.

All of these authentication methods can be used in parallel. A policy server provides
authentication profiles that specify how to log on to the desired SAP system.




1.2 Main System Components
The following figure shows the Secure Login system environment with the main system
components:

Figure: Secure Login System Environment with existing PKI and Kerberos
(The figure shows the Secure Login Client with a Smart Card or USB Token and the Microsoft
Crypto Store as sources of the Security Token, the PKI Infrastructure, the Kerberos
Infrastructure providing the Kerberos Token, SAP GUI and Web GUI, and the SAP NetWeaver
Platform with the Secure Login Library, connected through authentication and secure
communication.)

The Secure Login Client is responsible for the certificate-based and Kerberos-based
authentication to the SAP application server.


1.3 Authentication Methods
In a system environment without Secure Login Server, the Secure Login Client supports the
authentication methods listed in the table below:

Authentication Method: Details
Authentication with X.509 certificates: The certificate provider sends the X.509 certificates
through secure network communication (SNC). The following certificate providers work with
X.509 certificates:
- Smart card and USB tokens with an existing PKI certificate
- Microsoft Crypto Store (Certificate Store)
In SNC the Secure Login Client can perform authentication with encryption and digital signing
certificates. The Secure Login Client supports RSA and DSA keys.
Authentication with Kerberos tokens: For more information about the authentication with a
Kerberos token, see 1.5 Workflow with Kerberos Token.



1.4 Workflow with X.509 Certificate
The following figure shows the principal workflow and communication between the individual
components:

Figure: Principal Workflow for X.509 Certificate Authentication
(The figure shows steps 1 to 6 between the Secure Login Client, the Security Token (Smart
Card, USB Token, Microsoft Crypto Store), the PKI Infrastructure, and the SAP NetWeaver
Platform with the Secure Login Library: start connection and get SNC name; client maps SNC
name to authentication profile; unlock Security Token; client provides certificate to SAP GUI
application; authentication and secure communication.)

1. When the connection starts, the Secure Login Client retrieves the SNC name from the
desired SAP server system.
2. The Secure Login Client uses the authentication profile for this SNC name.
3. The user unlocks the security token by entering the PIN or password.
4. The Secure Login Client receives the X.509 certificate from the user security token.
5. The Secure Login Client provides the X.509 certificate for SAP single sign-on and
secure communication between SAP client and SAP server.
6. The user is authenticated and the communication is secured.





Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic
operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto
engines. The Crypto Service Provider (CSP) of SAP is a plug-in of this type. It provides
the user keys to all CAPI-enabled applications.


1.5 Workflow with Kerberos Token
The following figure shows the principal workflow and communication between the individual
components:


Figure: Principal Workflow for Kerberos Authentication

1. When the connection starts, the Secure Login Client retrieves the SNC name (Service
Principal Name) from the desired SAP server system.
2. At the Ticket Granting Service the Secure Login Client starts a request for a Kerberos
Service Token.
3. The Secure Login Client receives the Kerberos Service Token.
4. The Secure Login Client provides the Kerberos Service Token for SAP single sign-on
and secure communication between SAP client and SAP server.
5. The user is authenticated and the communication is secured.





1.6 Workflow with X.509 Certificate Request
The following figure shows the principal workflow and communication between the individual
components:


Figure: Principal Workflow

1. When the connection starts, the Secure Login Client gets the SNC name from the
desired SAP server system.
2. Secure Login Client uses the client policy for this SNC name.
3. Secure Login Client receives the user login credentials.
4. Secure Login Client generates a certificate request.
5. Secure Login Client sends the user credentials and the certificate request to the
Secure Login Server.
6. Secure Login Server forwards the user credentials to the authentication server and
receives an answer that indicates whether the user credentials are valid.
7. If the user credentials are valid, the Secure Login Server generates a user certificate
(certificate reply) and sends it to the Secure Login Client.
8. Secure Login Client provides the certificate to SAP GUI.
9. The user certificate is used to perform authentication, single sign-on, and secure
communication between SAP client and server.

2 Secure Login Client Installation
This section explains how to install Secure Login Client.


2.1 Prerequisites
This section deals with the prerequisites and requirements for the installation of Secure Login
Client. An installation of the Secure Login Client in a Citrix XenApp environment does not
require any special steps or settings.

You can download the SAP NetWeaver Single Sign-On software from the SAP Service
Marketplace. Go to https://service.sap.com/swdc and choose Support Package and Patches
> Browse our Download Catalog > SAP NetWeaver and complementary products > SAP
NetWeaver Single Sign-On > SAP NetWeaver Single Sign-On 1.0 > Comprised Software
Component Versions > Secure Login Client 1.0 (32-bit or 64-bit).

Hardware Requirements
Hard disk space: 20 MB hard disk space
Random access memory: Min. 256 MB RAM
Smart card reader: Any PC/SC smart card reader can be used

Software Requirements
Operating systems:
- Microsoft Windows 7 64-bit
- Microsoft Windows 7 32-bit
- Microsoft Windows Vista 64-bit
- Microsoft Windows Vista 32-bit
- Microsoft Windows XP 32-bit
- Microsoft Windows Server 2008 R2 64-bit
- Microsoft Windows Server 2008 64-bit
- Microsoft Windows Server 2003 64-bit
Citrix support:
- Microsoft Windows Server 2003 x64 / Citrix XenApp 5
- Microsoft Windows Server 2008 R2 x64 / Citrix XenApp 6
SAP GUI:
- SAP GUI for Windows 7.10 and higher
- SAP GUI for JAVA 7.10 and higher
Smart card support: For smart card support the relevant smart card middleware needs to be
installed. For more information, contact your vendor. Secure Login Client supports smart cards
through the Microsoft Crypto API (CSP) or PKCS#11 interface.




If you are using Microsoft Windows Server 2003 64-bit refer to the Microsoft Knowledge
Base article KB960077 http://support.microsoft.com/kb/960077.


2.2 Installation
This section explains how to install Secure Login Client. The installation is performed using
the MSI Installer.



If a smart card is to be used in Secure Login Client, install the smart card reader and
smart card middleware software. For more information, contact the vendor.


Start Installation
Use the appropriate MSI Installer for your operating system.

Secure Login Client Software Package
Type: File Name
Microsoft Windows 32-bit: SecureLoginClientx86.msi
Microsoft Windows 64-bit: SecureLoginClientx64.msi



Administrative rights are required to install the Secure Login Client software.


To continue, choose the Next button.

To install all components, choose the Complete option.
To define the installation components, choose the Custom option.
To continue, choose the Next button.

If you choose the Custom option, the following features appear.

Feature: Value
Secure Login Client Components: This feature installs the basic components of Secure Login
Client. This feature is mandatory.
Options:
- Start during Microsoft Windows login
- Crypto & Certificate Store Providers
- Policy Download Agent
- Options for an installation under Citrix XenApp. See Secure Login Client for Citrix XenApp.
Secure Login Server Support: This feature installs authentication support with Secure Login
Server. Based on the provided user credentials, the Secure Login Server provides user
certificates to the Secure Login Client.
Kerberos Single Sign-On: This feature installs the Kerberos authentication support.
Smart Card Support: This feature installs smart card authentication support.
Logging Service: This feature installs the trace and logging option. We recommend that you
install this option only for problem analysis.

To continue, choose the Install button.

To complete the installation, choose the Finish button.

2.3 Unattended Installation
Use the MSI installation option to deploy the Secure Login Client software with software
distribution tools.



In the case of a Secure Login Server integration, remember to deploy the Root CA
certificate and Client Policy URL as well. For more information, see section 2.4 Custom
Installation.


Standard MSI Options
To help you understand the MSI options, open a command shell and enter the following
command:

msiexec /?


Secure Login Client MSI Options
To display the Secure Login Client MSI installation options, enter the following command:

Microsoft Windows 32-bit
msiexec /i <source_path>\SecureLoginClientx86.msi HELP=1

Microsoft Windows 64-bit
msiexec /i <source_path>\SecureLoginClientx64.msi HELP=1





Entries marked with * are mandatory.




Feature: Value
Base_Components
SAP_SecureLogin_base*: Basic components of Secure Login Client.
*This option is mandatory and cannot be changed.
SAP_SecureLogin_sbus*: Secure Login Client service.
*This option is mandatory and cannot be changed.
SAP_SecureLogin_i18n: International language files support. Standard feature.
SAP_SecureLogin_pki*: X.509 cryptographic support.
*This option is mandatory and cannot be changed.
SAP_Security
SAP_SecureLogin_sap_gss*: SAP Secure Network Communication (SNC) support.
*This option is mandatory and cannot be changed.
SAP_SecureLogin_sap_ssf: SAP Secure Store and Forward (SSF) support. Standard feature.
SAP_SecureLogin_capi: Support for Microsoft Crypto API token plug-in. Use existing
certificates in Secure Login Client. Standard feature.
SAP_SecureLogin_csp*, SAP_SecureLogin_store*: Cryptographic service provider plug-in for the
Microsoft Crypto API. Secure Login Client provides certificates to the Microsoft Crypto API.
*These options are mandatory and cannot be changed.
SAP_SecureLogin_securelogin: Component to interact with Secure Login Server.
SAP_SecureLogin_kerberos_token: Kerberos support.
SAP_SecureLogin_smartcard: Smart card support.
SAP_SecureLogin_notify: Trace and logging option. We recommend that you install this option
only for problem analysis.

Unattended Installation Examples

Example 1
This example shows you how to install the Secure Login Client software without the logging
service.

msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify



The recommended installation is to install all components without the logging service.


Example 2
This example shows you how to install the Secure Login Client software without the logging
service and Secure Login Server support.

msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify,SAP_SecureLogin_securelogin


Example 3
This example shows you how to install the Secure Login Client software without the logging
service, Secure Login Server support, and Kerberos support.

msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify,SAP_SecureLogin_securelogin,SAP_SecureLogin_kerberos_token


Example 4
This example shows you how to install the Secure Login Client software without the logging
service, Secure Login Server support, and smart card support.

msiexec /norestart /qb /i "SecureLoginClientx86.msi" ADDLOCAL=ALL REMOVE=SAP_SecureLogin_notify,SAP_SecureLogin_securelogin,SAP_SecureLogin_smartcard


Example 5
This example shows you how to uninstall the Secure Login Client software.

msiexec /qb /x "SecureLoginClientx86.msi"
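The following PowerShell script is an added example and is not part of the SAP guide or of SAP's software. It wraps the unattended msiexec command line from Example 1 above so that a software distribution tool gets a checked exit code and a verbose MSI log instead of a fire-and-forget command. The package path, the log path and the administrator check are assumptions for a typical deployment; the feature names are the ones from the MSI options table.

```powershell
# Added example (not from the SAP guide): unattended Secure Login Client deployment
# wrapper for a software distribution tool. Runs the msiexec command line from the
# guide's Example 1, writes a verbose MSI log and maps the exit code to a result.
# The package path and log path are assumptions; adjust them for your environment.

param(
    [string]$MsiPath  = "C:\Deploy\SecureLoginClientx86.msi",    # assumed path
    [string]$LogPath  = "C:\Windows\Temp\SecureLoginClient.log", # assumed path
    # Features to leave out; the guide's Example 1 removes only the logging service.
    [string[]]$Remove = @("SAP_SecureLogin_notify")
)

# Administrative rights are required to install the Secure Login Client (see 2.2).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (administrator) shell."
}

if (-not (Test-Path $MsiPath)) { throw "MSI package not found: $MsiPath" }

# Same options as the guide's examples (/qb /norestart ADDLOCAL=ALL REMOVE=...);
# /l*v additionally writes a verbose installer log for problem analysis.
$msiArgs = @(
    "/i", "`"$MsiPath`"",
    "/qb", "/norestart",
    "/l*v", "`"$LogPath`"",
    "ADDLOCAL=ALL",
    "REMOVE=$($Remove -join ',')"
)

$proc = Start-Process -FilePath "msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru

# Windows Installer result codes: 0 = success, 3010 = success but reboot required
# (returned instead of rebooting because of /norestart), 1641 = reboot initiated.
switch ($proc.ExitCode) {
    0    { Write-Output "Secure Login Client installed." }
    3010 { Write-Output "Secure Login Client installed; a reboot is pending." }
    1641 { Write-Output "Secure Login Client installed; the installer initiated a reboot." }
    default {
        throw "msiexec failed with exit code $($proc.ExitCode). See $LogPath for details."
    }
}
exit $proc.ExitCode
```

Run it from an elevated shell. Passing a different feature list reproduces Examples 2 to 4, for instance `-Remove SAP_SecureLogin_notify,SAP_SecureLogin_securelogin`. Exit code 3010 means the installation succeeded and only the reboot is outstanding, so a distribution tool should treat it as success rather than as a failed job.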


2.4 Custom Installation
This section describes how to integrate the installation of the Root CA certificate (Microsoft
Certificate Store) and client policy URL (Registry Key) for the Secure Login Client into
software distribution tools.



The customized aspects of this installation are associated only with the integration with
Secure Login Server.


Install Root CA Certificate
You need to install the Root CA certificate from Secure Login Server in the client
environment. The Root CA certificate is used to establish secure communication to the
Secure Login Server.

Use the Microsoft CertMgr tool, which is part of the Microsoft Windows Software
Development Kit (SDK), to import certificates. Use the following command to import a
certificate:

certmgr.exe /add /all /c <RootCA_file> /s ROOT /r localMachine



The Root CA certificate is provided by the Secure Login Server.


Install Client Policy URL
The client policy URL (registry key) defines the connection information for the Secure Login
Server. Use this client policy URL to retrieve authentication profiles for the Secure Login
Client Console.

Use the following command to import a registry file:

reg.exe import customer.reg



The registry file customer.reg can be provided by the Secure Login Server.


Example: Registry file customer.reg

customer.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\System]
"PolicyURL"="http://<IP/FQDN>:<Port>/securelogin/admin/Navigation?op=downloadFile&name=ClientPolicy.xml"
"PolicyTTL"=dword:00000000
"NetworkTimeout"=dword:0000002d
"DisableUpdatePolicyOnStartup"=dword:00000000





For more information about registry configuration options, see section 4.3 Registry
Configuration Options.
For more information about registry settings, provided by Secure Login Server, see
Installation, Configuration and Administration Guide for Secure Login Server.


PolicyURL
    Network resource (Secure Login Server) from which the most recent Secure Login Client
    policy can be downloaded.
    The following types of client policies are available:
    ClientPolicy.xml
        Client policy defined in the default instance of the Secure Login Server.
    ClientPolicy.xml&path=000xx
        Client policy defined in instance xx (instance number) of the Secure Login Server.
    GlobalClientPolicy.xml
        Global client policy that includes all available instances of the Secure Login Server.
    For more information, see the Secure Login Server Installation, Configuration and
    Administration Guide.
PolicyTTL
    Lifetime of the downloaded client policy in minutes; when it has expired, the Secure
    Login Client checks the Secure Login Server for an updated client policy.
    Default is 0 minutes.
    By default, the Secure Login Client checks for a new client policy during system start
    of the client PC.
NetworkTimeout
    Network timeout in seconds before the connection is closed if the Secure Login Server
    does not respond.
    Default is 45 seconds (hex value: 2d).
DisableUpdatePolicyOnStartup
    By default, the Secure Login Client looks for a new client policy during the system
    startup of the client PC. You can use this parameter to disable this feature.
    1  Disable automatic policy download.
    0  Enable automatic policy download.
    Default value is 0.
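As an added example (not part of this guide or of the SAP software), the following Python code parses a customer.reg file in the layout shown above and checks the documented System values before the file is rolled out to clients. The sample registry text is constructed here; the host sls.example.test and the port are placeholders, not values of a real Secure Login Server.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the customer.reg layout documented above; the host,
# port and PolicyURL value are placeholders, not a real installation's values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\System]
"PolicyURL"="http://sls.example.test:50000/securelogin/admin/Navigation?op=downloadFile&name=ClientPolicy.xml"
"PolicyTTL"=dword:00000000
"NetworkTimeout"=dword:0000002d
"DisableUpdatePolicyOnStartup"=dword:00000000
"""

SYSTEM_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\System"
# Client policy file names documented for PolicyURL (ClientPolicy.xml may carry
# an additional &path=000xx instance selector, which parse_qs keeps separate).
POLICY_FILES = ("ClientPolicy.xml", "GlobalClientPolicy.xml")

# "Name"="string"  or  "Name"=dword:xxxxxxxx
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(?:"(.*)"|dword:([0-9A-Fa-f]{8}))$')


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key_path: {value_name: value}}.

    Only string and dword values are handled, which is all the Secure Login
    System key uses; dwords are returned as int (dword:0000002d -> 45).
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("unsupported .reg line: %r" % raw)
        name, text_value, dword = m.groups()
        if dword is not None:
            keys[current][name] = int(dword, 16)
        else:
            # .reg files escape quotes and backslashes inside string values
            keys[current][name] = text_value.replace('\\"', '"').replace("\\\\", "\\")
    return keys


def check_system_policy(reg, expected_host):
    """Check the documented System values; returns a list of findings
    (an empty list means the file matches expectations)."""
    values = reg.get(SYSTEM_KEY)
    if values is None:
        return ["System key missing: %s" % SYSTEM_KEY]
    findings = []
    url = values.get("PolicyURL", "")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        findings.append("PolicyURL is not an http(s) URL: %r" % url)
    else:
        if parts.hostname != expected_host:
            findings.append("PolicyURL points to %r, expected Secure Login Server %r"
                            % (parts.hostname, expected_host))
        names = parse_qs(parts.query).get("name", [])
        if not names or names[0] not in POLICY_FILES:
            findings.append("PolicyURL does not request a documented client policy file")
        if parts.scheme == "http":
            findings.append("PolicyURL uses plain http; the policy download is not encrypted")
    if not isinstance(values.get("PolicyTTL", 0), int):
        findings.append("PolicyTTL must be a dword (minutes)")
    timeout = values.get("NetworkTimeout", 45)
    if not isinstance(timeout, int) or timeout <= 0:
        findings.append("NetworkTimeout must be a positive dword (seconds)")
    if values.get("DisableUpdatePolicyOnStartup", 0) not in (0, 1):
        findings.append("DisableUpdatePolicyOnStartup must be 0 or 1")
    return findings
```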

2.5 Updating the Secure Login Client to SP1

You can download the Support Package software from the SAP Service Marketplace. Go to
https://service.sap.com/swdc and choose Support Package and Patches > Browse our
Download Catalog > SAP NetWeaver and complementary products > SAP NetWeaver Single
Sign-On > SAP NetWeaver Single Sign-On 1.0.

You do not need to uninstall the existing version of the Secure Login Client. You simply run
the installation software as described in 2.2 Installation and overwrite your existing Secure
Login Client.

To display the version number of your software, right-click the blue diamond of the Secure
Login Client in the Microsoft Windows notification area and choose About. The version
number is displayed in the About screen of the Secure Login Client.

2.6 Uninstallation
Use the appropriate MSI file for your operating system. You can also use the Software
Management Tool in Microsoft Windows.

Secure Login Client Software Package
Type File Name
Microsoft Windows 32-Bit SecureLoginClientx86.msi
Microsoft Windows 64-Bit SecureLoginClientx64.msi



Administration rights are required to uninstall the Secure Login Client software.

If you want to use the software management tool in Microsoft Windows, choose Control
Panel > Uninstall a Program, right-click Secure Login Client, and choose the Uninstall
option from the context menu.

Another option is to start the Secure Login Client MSI software package.

To continue, choose the Next button.



Select the Remove option and choose the Next button to continue.



To continue, choose the Remove button.




To complete the uninstallation, choose the Finish button.






You can remove the Secure Login Client software in unattended mode using the MSI
options described in section 2.3 Unattended Installation.




3 Secure Login Client Console
This section describes the Secure Login Client Console.

The system tray contains a blue diamond icon.


To open the Secure Login Client Console, click this icon.
In this example, no Kerberos token is available, because this user is not authenticated in the
Microsoft domain.




Kerberos Token
If the user is authenticated in the Microsoft domain, the Kerberos token is displayed.





You can switch users in the Microsoft domain.
Right-click the Kerberos profile and choose the Log In option.



Enter the Microsoft domain user name and password.



The new Kerberos token is displayed.





Certificate from Microsoft Certificate Store
If an X.509 certificate is available in the Microsoft Certificate Store, this certificate is displayed
in the Secure Login Client Console and can be used in SAP GUI.




3.1 Secure Login Server Integration
If a Secure Login Server is used to provide user certificates, client profiles are available in the
Secure Login Client Console.






Client profiles from Secure Login Server are available only if the option Secure Login
Server Support is installed and if the Client Policy URL (registry value) is defined.
For more information about the Client Policy URL, see section 2.4 Custom Installation.




Certificates requested using the Secure Login Server and available in the Secure Login Client
Console are provided to the Microsoft Certificate Store (for example, to use when
logging on to SAP Enterprise Portal).


Automatic Provisioning of Certificates
The Secure Login Client supports profiles that enable users to automatically get X.509
certificates when the Secure Login Client starts up during a Microsoft Windows
authentication. Whether this profile is provided is configured optionally in the Secure Login
Server.

Manual Provisioning of Certificates
Right-click the profile in the Secure Login screen and choose the menu item Log In. If you are
logged on to a domain, you get a certificate automatically without having to enter your user
name and password; otherwise, the system prompts you for your user credentials.

With this setting, you also get the additional menu item Log In as. When you choose Log In as (or
if you are a local user), the system prompts you for your user name and password. Having
entered both, you are provided with a certificate by the Secure Login Client.

3.2 Use Profile for SAP Applications
You can configure which profile is used for which SAP server system. To do this, right-click a
profile and choose Use Profile for SAP Applications.



If you choose this option, the position of the icon changes and this profile is used for SAP
GUI. Use this feature, for example, if you need to switch profiles manually.



You can deactivate this menu item in the client policy provided by the Secure Login
Server.




Log Console
If the option Logging Service is installed, the Log Console is available in the Secure Login
Client Console.
The log console (Secure Login Client Notification Viewer) is a support analysis tool that
displays advanced information about the Secure Login and Enterprise Single Sign-On
actions. The information is constantly updated (live).





We recommend that you use this installation option only for problem analysis to help
support teams with troubleshooting.


Open the console as follows:
1. Choose the menu entry View > Log Console in the Secure Login dialog. The Live Trace
pane is displayed:



2. The Live Trace pane automatically scrolls down whenever a component performs a task
and the task details are captured by the log console.

Menu items of the log console:

File
  Open
    Opens trace files (*.xml) containing trace messages that have previously been
    exported (cut) from the Live Trace pane.
  Explore Trace Files
    Opens the folder on the local drive that contains the trace (*.xml) files.
  Save as
    Saves the current trace list as an XML file.
  Close
    Closes the pane currently open in the log console.
  Exit
    Exits the log console.
View
  Live Trace
    Opens the Live Trace pane to display the log messages.
  Live Trace Copy
    Duplicates the live trace messages into a new, static XML file. The path of the file
    is visible in the title bar of the viewer.
  Live Trace Cut
    Cuts the messages from the current live trace feed, effectively clearing the Live
    Trace pane. The cut messages are automatically saved to an XML file and opened in a
    new pane in the log console window. The path of the file is visible in the title bar
    of the viewer.
Tools
  Options
    Opens the Options dialog for the logging service (sbustrace.exe) component. You can
    specify the following options in this dialog:
    Service
      Install or remove the logging service component from Microsoft Windows, and start
      or stop the service if it is installed (options not currently available are grayed
      out). The current state of the service is displayed in the fields above the
      respective buttons.
    Live-Trace
      Caution: This option is for advanced users only.
      Filters the messages shown when you choose View > Live Trace Copy. You do this by
      pasting an XML fragment into the field.
    TraceLevel
      Defines the granularity of the live trace messages.
    Log Rotate
      Defines the maximum size of a log file before it is archived and a new log file is
      started.
    Filter
      Filters trace messages. The filter must be defined manually with the help of the
      support team.
    Click OK to apply any changes and close the window.
Window
  Tile Horizontally
    Arranges any open panes so that they are displayed horizontally across the log viewer
    window.
  Tile Vertically
    Arranges any open panes so that they are displayed vertically across the log viewer
    window.
  Cascade
    Arranges the open panes so that they are displayed in a stack.


The column headers at the top of the Live Trace pane are defined as follows:

L
    The message type:
    A yellow warning sign means that something may be wrong and needs to be checked.
    A red error icon means that the task could not be performed.
    A blue information icon refers to a successful task or an informational message.
Time
    The time the task was performed.
PID
    Process ID.
TID
    Thread ID.
App
    The component that performed the task.
Mod
    The application module from which the task originated.
Msg
    Information about the task performed.




Version Information
Choose the SAP icon in Secure Login Console or right-click the system tray icon and choose
the About Secure Login option. The version information is displayed.


4 Configuration Options
This section describes how to enable SNC in SAP GUI and how to define the user mapping
in SAP user management.


4.1 Enable SNC in SAP GUI
To establish secure communication between SAP GUI and the SAP NetWeaver application
server, you need to enable the SNC option.
Start the SAP GUI application, enable the SNC option, and define the SNC name of the SAP
NetWeaver application server.


Kerberos SNC Name
Choose the option Activate Secure Network Communication and define the SNC Name.




Example SNC Name:
p:CN=SAP/KerberosABC@DEMO.LOCAL




The SNC name is provided by your SAP NetWeaver administrator. For more information
about how to install the SNC library on the SAP NetWeaver application server, see the
Secure Login Library Installation, Configuration, and Administration Guides.
Note that the definition of the SNC name is case-sensitive.

X.509 Certificate SNC Name
Choose the option Activate Secure Network Communication and define the SNC name.




Example SNC Name:
p:CN=ABC, OU=SAP Security




The SNC name is provided by your SAP NetWeaver administrator. For more information
about how to install the SNC library on the SAP NetWeaver application server, see the
Secure Login Library Installation, Configuration, and Administration Guides.
Note that the definition of the SNC Name is case-sensitive.


4.2 User Mapping
This section describes how to define the user mapping in SAP user management. For the
user authentication using security tokens (X.509 certificate or Kerberos token), this mapping
is required to define which security token belongs to which SAP user.



For smooth and straightforward integration, we recommend that you use the SAP
NetWeaver Identity Management solution to manage user mapping.


Manual Configuration
Start the user management tool by calling transaction SU01. Choose the SNC tab.
If you are using Kerberos authentication, enter the Kerberos user name in the SNC name
field.
If you are using X.509 certificate based authentication, enter the X.509 certificate
Distinguished Name in the SNC name field.



Note that the definition of the SNC name is case-sensitive.


Kerberos Example
In this example, the SNC name p:CN=MICROSOFTUSER@DEMO.LOCAL belongs to the
user SAPUSER.








X.509 Certificate Example
In this example the SNC name p:CN=SAPUSER, OU=SAP Security belongs to the user
SAPUSER.







For more information about how to perform user mapping, see the Secure Login Library
Installation, Configuration and Administration Guide.




Set External Security Name for All Users
You can use transaction SNC1 (report RSUSR300) to configure the SNC name in batch
mode.



Note that the definition of the string is case-sensitive.


With this tool you can choose all SAP users (*), a list of SAP users, or SAP user groups.
You can use the option Users without SNC names only to overwrite SNC names.
This batch tool takes an SAP user and builds the SNC name from the components
<previous_character_string><SAP_user_name><next_character_string>.

Kerberos Example
In this example SNC names are generated with the following string for all users without an
SNC name:
p:CN=SAP/<user_name>@DEMO.LOCAL



X.509 Certificate Example
In this example SNC names are generated with the following string for all users without an
SNC name:
p:CN=<user_name>, OU=SAP Security



4.3 Registry Configuration Options
This section describes further configuration options in registry for the Secure Login Client.

Common Settings




[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common]

Locale (STRING)
    Language setting for Secure Login Client. The language is usually recognized
    automatically. Use this parameter for customizing.
    Possible values are:
    en_US (English)
    de_DE (German)
    fr_FR (French)
    ja_JP (Japanese)
    pt_BR (Portuguese)
    ru_RU (Russian)
    zh_CN (Chinese)
HideTrayIcon (DWORD)
    Use this option to remove the Secure Login Client tray icon.
    To display the tray icon, set the value 0. To hide the tray icon, set the value 1.
    The default setting is that the tray icon is displayed.
TrustDB (STRING)
    Use this option to define where Secure Login Client searches for trusted root
    certificates.
    The following values are possible:
    capi (default)
        Get trust from the Microsoft Certificate Store.
    token
        Use root certificates on tokens.
    Get trust from files (.crt, .p7c, ...) in a single directory.
ResourcePath (STRING)
    Use this option to specify an alternate location for the language files (.res).
    Default value is <install_path>/etc.

PCSC Settings
The options in this section allow you to select which PCSC smart card readers are used or
ignored. You can specify multiple patterns by separating them with , or ; (comma or
semicolon). Wildcards (* and ?) are allowed.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\pcsc]

IgnoredReadersPattern (STRING)
    Use this option to disable some PCSC smart card readers.
    The default value is <empty> (do not disable any PCSC smart card reader).
AllowedReadersPattern (STRING)
    Use this option to use only the specified PCSC smart card readers.
    This option is evaluated after IgnoredReadersPattern.
    The default value is * (use every PCSC smart card reader).
    Important: If you use an empty string, all readers are used (same as *).

CAPI Settings
The options in this section allow you to select which certificates from third-party CSPs may
be used.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\capi]

CAPIProviderFilter (STRING)
    Use this option to use only certificates provided by specific CSPs (the CSP name
    must begin with this string).
    Example: Microsoft
    Use only certificates provided by CSPs from Microsoft.
CAPIFilterValidOnly (DWORD)
    Use this option to use only certificates that are valid (issued in the past and not
    expired).
CAPIFilterIssuerDN (STRING)
    Use this option to use only certificates whose issuer Distinguished Name contains
    CAPIFilterIssuerDN.
    Example: CN=My Companies CA
CAPIFilterSubjectDN (STRING)
    Use this option to use only certificates whose subject Distinguished Name contains
    CAPIFilterSubjectDN.
    Example: O=My Org Unit
CAPIFilterExcludeIssuerDN (STRING)
    Use this option to disable certificates whose issuer Distinguished Name contains
    CAPIFilterExcludeIssuerDN.
    Example: CN=Test CA
CAPIFilterExcludeSubjectDN (STRING)
    Use this option to disable certificates whose subject Distinguished Name contains
    CAPIFilterExcludeSubjectDN.
    Example: O=Testing only
CAPIFilterKeyUsage (STRING)
    Use this option to use only certificates that have a specific key usage.
    CAPIFilterKeyUsage may contain the following strings (you can specify multiple
    strings):
    +KEYUSAGE
        Use only certificates that have the specified key usage.
    -KEYUSAGE
        Do not use certificates that have the specified key usage.
    KEYUSAGE can be one of the following:
    dataEncipherment (data encipherment key usage)
    digitalSignature (digital signature key usage)
    keyAgreement (key agreement key usage)
    keyEncipherment (key encipherment key usage)
    nonRepudiation (non-repudiation key usage)
    cRLSign (CRL signature key usage)
CAPIFilterExtendedKeyUsage (STRING)
    Use this option to use only certificates that have a specific extended key usage.
    The syntax of this option is similar to CAPIFilterKeyUsage.
    CAPIFilterExtendedKeyUsage may contain the following strings:
    +EXTKEYUSAGE
        Use only certificates that have the specified extended key usage.
    -EXTKEYUSAGE
        Do not use certificates that have the specified extended key usage.
    EXTKEYUSAGE can be one of the following:
    ServerAuthentication (1.3.6.1.5.5.7.3.1)
    ClientAuthentication (1.3.6.1.5.5.7.3.2)
    CodeSigning (1.3.6.1.5.5.7.3.3)
    EmailProtection (1.3.6.1.5.5.7.3.4)
    IpsecEndSystem (1.3.6.1.5.5.7.3.5)
    IpsecTunnel (1.3.6.1.5.5.7.3.6)
    IpsecUser (1.3.6.1.5.5.7.3.7)
    TimestampSigning (1.3.6.1.5.5.7.3.8)
    OcspSigning (1.3.6.1.5.5.7.3.9)
    MicrosoftEfs (1.3.6.1.4.1.311.10.3.4)
    MicrosoftEfsRecovery (1.3.6.1.4.1.311.10.3.4.1)
    MicrosoftKeyRecovery (1.3.6.1.4.1.311.10.3.11)
    MicrosoftDocumentSigning (1.3.6.1.4.1.311.10.3.12)
    MicrosoftSmartcardLogon (1.3.6.1.4.1.311.20.2.2)

Client Trace Setting

For more information about the registry settings provided by the Secure Login Server, see the
Installation, Configuration and Administration Guide for Secure Login Server.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\traces]

TraceLevel (DWORD)
    Use this option to enable or disable traces and to configure the trace level.
    Possible values:
    0  disable traces
    1  only errors
    2  errors and warnings
    3  errors, warnings, and information
    4  errors, warnings, information, and log
    5  errors, warnings, information, log, and debug

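As an added example (not code from the Secure Login Client), the following Python model applies the PCSC reader patterns and the CAPI certificate filters as documented in the two sections above, so that an administrator can predict which readers and certificates a given combination of settings leaves usable. The certificate records, reader names, CA names and filter values are constructed; whitespace-separated +/- usage tokens and case-sensitive reader matching are assumptions of the model.

```python
import datetime as dt
import fnmatch
import re

# Illustrative model of the documented filter semantics (not Secure Login
# Client code); certificates are dicts with only the fields the filters read.
KEY_USAGES = {"dataEncipherment", "digitalSignature", "keyAgreement",
              "keyEncipherment", "nonRepudiation", "cRLSign"}
EXT_KEY_USAGES = {"ServerAuthentication", "ClientAuthentication", "CodeSigning",
                  "EmailProtection", "IpsecEndSystem", "IpsecTunnel", "IpsecUser",
                  "TimestampSigning", "OcspSigning", "MicrosoftEfs", "MicrosoftEfsRecovery",
                  "MicrosoftKeyRecovery", "MicrosoftDocumentSigning", "MicrosoftSmartcardLogon"}


def _patterns(value):
    """Split a pattern list on ',' or ';', the separators the PCSC options accept."""
    return [p.strip() for p in re.split(r"[,;]", value) if p.strip()]


def select_readers(readers, ignored="", allowed="*"):
    """Apply IgnoredReadersPattern first, then AllowedReadersPattern (empty = '*').
    * and ? are wildcards; case-sensitive matching is an assumption of this model."""
    ignored_pats = _patterns(ignored)
    allowed_pats = _patterns(allowed) or ["*"]
    return [r for r in readers
            if not any(fnmatch.fnmatchcase(r, p) for p in ignored_pats)
            and any(fnmatch.fnmatchcase(r, p) for p in allowed_pats)]


def _usages_ok(present, spec, known):
    """Evaluate '+USAGE -USAGE ...' (whitespace-separated, an assumption):
    every +usage must be present and every -usage absent. Unknown names
    raise instead of being silently ignored."""
    for token in spec.split():
        sign, name = token[:1], token[1:]
        if sign not in ("+", "-") or name not in known:
            raise ValueError("unknown usage token: %r" % token)
        if (sign == "+") != (name in present):
            return False
    return True


def filter_certificates(certs, settings, today):
    """Return the subjects of the certificates that pass every CAPI filter
    set in `settings`; filters that are not set pass everything."""
    usable = []
    for c in certs:
        if not c["csp"].startswith(settings.get("CAPIProviderFilter", "")):
            continue
        if settings.get("CAPIFilterValidOnly", 0) == 1 and not (
                c["not_before"] <= today <= c["not_after"]):
            continue
        if settings.get("CAPIFilterIssuerDN", "") not in c["issuer"]:
            continue
        if settings.get("CAPIFilterSubjectDN", "") not in c["subject"]:
            continue
        excl_issuer = settings.get("CAPIFilterExcludeIssuerDN", "")
        if excl_issuer and excl_issuer in c["issuer"]:
            continue
        excl_subject = settings.get("CAPIFilterExcludeSubjectDN", "")
        if excl_subject and excl_subject in c["subject"]:
            continue
        if not _usages_ok(c["key_usage"],
                          settings.get("CAPIFilterKeyUsage", ""), KEY_USAGES):
            continue
        if not _usages_ok(c["ext_key_usage"],
                          settings.get("CAPIFilterExtendedKeyUsage", ""), EXT_KEY_USAGES):
            continue
        usable.append(c["subject"])
    return usable


def _cert(subject, issuer, csp, not_after, key_usage, ext_key_usage):
    return {"subject": subject, "issuer": issuer, "csp": csp,
            "not_before": dt.date(2011, 1, 1), "not_after": not_after,
            "key_usage": set(key_usage), "ext_key_usage": set(ext_key_usage)}


# Constructed sample store: a valid user certificate, an expired copy of it,
# a test certificate and a code-signing certificate. CA names are made up.
TODAY = dt.date(2011, 10, 1)
MS_CSP = "Microsoft Enhanced Cryptographic Provider v1.0"
SAMPLE_CERTS = [
    _cert("CN=SAPUSER, OU=SAP Security", "CN=Example Corp CA", MS_CSP,
          dt.date(2012, 1, 1), ["digitalSignature", "keyEncipherment"], ["ClientAuthentication"]),
    _cert("CN=SAPUSER, OU=SAP Security", "CN=Example Corp CA", MS_CSP,
          dt.date(2011, 6, 1), ["digitalSignature", "keyEncipherment"], ["ClientAuthentication"]),
    _cert("CN=SAPUSER, OU=Testing only", "CN=Test CA", MS_CSP,
          dt.date(2012, 1, 1), ["digitalSignature"], ["ClientAuthentication"]),
    _cert("CN=Build Server, OU=SAP Security", "CN=Example Corp CA", MS_CSP,
          dt.date(2012, 1, 1), ["digitalSignature"], ["CodeSigning"]),
]

# Constructed policy: only currently valid client-authentication certificates
# from the corporate CA via Microsoft CSPs; test and code-signing ones are out.
HARDENED_SETTINGS = {
    "CAPIProviderFilter": "Microsoft",
    "CAPIFilterValidOnly": 1,
    "CAPIFilterIssuerDN": "CN=Example Corp CA",
    "CAPIFilterExcludeSubjectDN": "OU=Testing only",
    "CAPIFilterKeyUsage": "+digitalSignature",
    "CAPIFilterExtendedKeyUsage": "+ClientAuthentication -CodeSigning",
}
```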
4.4 Smart Card Integration
The Secure Login Client can use X.509 certificates stored in smart cards and supports 64-bit
CSP.
For smart card support, you need to install the relevant smart card middleware. Secure Login
Client supports smart cards through the Microsoft Crypto API (CSP) or the PKCS#11
interface.
These interfaces are typically also supported by the smart card middleware software.
Checklist for smart card support:

If required, install the smart card reader hardware and the PC/SC driver. The smart card
reader is typically recognized automatically by the operating system.
Install the smart card middleware software. This middleware must support the desired
smart card. Some smart card vendors provide their own middleware, and some middleware
vendors support different kinds of smart cards.

PIN management is handled by the middleware software. A typical situation is a user logging
on to a Microsoft operating system using the smart card. This user needs to re-enter the PIN
in the browser or in SAP GUI.
Whether the user is able to do this depends on the smart card middleware, which might close
the smart card after the logon to Microsoft Windows. For more information, contact your
smart card middleware vendor.



4.5 Digital Signature (SSF)
The Secure Login Client can use X.509 certificates for digital signatures in an SAP
environment. The supported interface is Secure Store and Forward (SSF).
This option is part of the default installation.
The prerequisite for using SSF is that SSF is configured in the SAP instance profile.

How to test SSF Client Signature
Log on to the SAP system using SAP GUI and start transaction SE38.
Enter the program name SSF01 and execute this program.
Choose the function you want to test, for example, Signing.
For the parameter RFC destination, enter the value SAP_SSFATGUI.
For the parameter SSF format, enter the value PKCS7.
Two configuration cases are described below.

Case 1: Use a smart card or an existing certificate
In the ID field, enter the distinguished name of the smart card certificate.
Example: CN=Smartcard User, OU=SAP Security



Case 2: Use a Secure Login Client profile provided by the Secure Login Server
In the ID field, enter the distinguished name of the user certificate.
Example: CN=Username, OU=SAP Security

In the SSF Profile field, enter the Secure Login Client profile configuration.
Example: toksw:mem://securelogin/<profile_name>



<profile_name> is the profile name defined in Secure Login Server. In this example the profile
name is SSF.

In the parameter Input data, enter the file to be signed.
In the parameter Output data, enter the path and file name for the signed file.



Execute the program and choose the Sign button.
The system prompts you for a password, which is not required. Choose the green OK button.



The file should be signed.







SSF User Configuration
Use this configuration step to define which Secure Login Client profile is used for the SSF
interface. This is defined for each SAP user.
Log on to the SAP system using SAP GUI and start transaction SU01.
Edit the desired user and, on the Address tab, choose the Other Communication button.
Choose the SSF option and define the desired parameter.






For more information, see the SAP Help Portal.


SSF-ID
    Define the Distinguished Name of the user certificate.
    Example: CN=Username, OU=SAP Security
SSF-ID Part 2
    Define an additional Distinguished Name of the user certificate.
SSF profile
    Define the Secure Login Client profile. There are three options available.
    Use Secure Login Client Profile
        The desired certificate is used for SSF, based on the Secure Login Client profile
        name.
        Example: toksw:mem://securelogin/<profile_name>
    Use Secure Login Client Profile and Re-authentication
        Adding the [reauth] option means that the user needs to authenticate again to the
        Secure Login Client profile before a certificate is provided.
        Example: [reauth]toksw:mem://securelogin/<profile_name>
    <empty>
        If no SSF profile is defined, the SSF-ID can be used to search for the certificate
        in Secure Login Client.
Destination
    The RFC destination (logical destination) where the SSF RFC server program has been
    defined.
    Enter the value SAP_SSFATGUI (SSF for digital signatures on the front ends).

5 Secure Login Client for Citrix XenApp
This section describes how to use the Secure Login Client in a Citrix XenApp environment.
The Secure Login Client supports only 64-bit Microsoft Windows operating systems. The
following platforms are supported:

Microsoft Windows Server 2003 x64 / Citrix XenApp 5
Microsoft Windows Server 2008 R2 x64 / Citrix XenApp 6

Use Case
The customer wants to run Secure Login Client in a Citrix XenApp environment.


5.1 Secure Login Client with a Published Desktop
A published desktop behaves similarly to a standard Microsoft Windows desktop. You can
install the Secure Login Client in the same way as on a local Microsoft Windows operating
system. To minimize memory and CPU consumption, we recommend unselecting the feature
Start during Windows login. Unselect Crypto & Certificate Store Provider and Policy
Download Agent during the installation if you do not use them.


5.2 Secure Login Client with a Published SAP Logon
The Secure Login Client does not start automatically when a user logs on to a published SAP
Logon in a Citrix XenApp environment. When installing you may unselect the features Start
during Windows login and Crypto & Certificate Store Provider.

How to Enable Automatic Startup with a Published SAP Logon
To automatically start the Secure Login Client, create a user login script called
usrlogon_slc.cmd in the Microsoft Windows directory and insert it into the Microsoft
Windows Registry.

1. Install the Secure Login Client.
2. Create the file usrlogon_slc.cmd in the Microsoft Windows directory.
3. Insert the following content:

usrlogon_slc.cmd
@ECHO OFF
rem starting Secure Login Client, remove the next line if you do not want the SLC to start automatically
start "Launch SLC" "%ProgramFiles(x86)%\SAP\FrontEnd\SecureLogin\bin\sbus.exe"
rem register CSP, remove the next two lines if no CSP/CAPI support is required
regsvr32.exe /s "%ProgramFiles(x86)%\SAP\FrontEnd\SecureLogin\lib\sbussto.dll"
regsvr32.exe /s "%ProgramFiles%\SAP\FrontEnd\SecureLogin\lib\sbussto.dll"

4. Add the script to the Microsoft Windows Registry to make sure that the Secure Login
Client starts automatically at startup. Open the Microsoft Windows Registry and go to
the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

5. Open the key AppSetup and append the reference to the file usrlogon_slc.cmd to the
value with a simple comma as a separator (without any space).



Example:
Registry value name:
AppSetup
Registry value:
ctxhide.exe usrlogon.cmd,cmstart.exe,usrlogon_slc.cmd

You must keep the sequence as shown in the example above because, when starting up, the
system proceeds from one file to the next.


5.3 Other Features
Start during Windows login
The Secure Login Client starts automatically when a user logs on to a Microsoft Windows
operating system. Remember that this automatic startup increases memory and CPU
consumption.
If you unselect the installation option Start during Windows login, the Secure Login Client
does not start automatically.

Using Certificates for CAPI Applications
You only need this feature if you want to use certificates issued for CAPI applications by the
Secure Login Server, such as for a client authentication with Internet Explorer. The
CSP/CAPI service is registered during the installation.

Downloading Policies from the Secure Login Server
To automatically download client policies from the Secure Login Server, install the Policy
Download Agent feature.

6 Troubleshooting
This section describes some troubleshooting issues and how to solve them.



If you need to contact SAP support, provide the Secure Login Client trace information
described in section 3 Secure Login Client Console, Log Console.


6.1 Error in SNC
Use Case
An SAP GUI user wants to authenticate to an SAP server using a Kerberos token or X.509 user
certificate.

Error Message
Miscellaneous failure. Error in SNC.



Checklist

If you are using a Kerberos token:
  Verify that the user is authenticated in the Microsoft domain.
  Verify that the Kerberos token is displayed in the Secure Login Client Console.
If you are using an X.509 certificate:
  Verify that the X.509 certificate is displayed in the Secure Login Client Console.
Verify that the security token (Kerberos or certificate) is used.
  Use the option Use Profile for SAP Applications to check that the desired profile is used.
Verify that SNC is enabled in SAP GUI for the desired SAP server.
Verify that the SNC name of the desired SAP server is configured in SAP GUI
(saplogon.ini).
  Is the name correct? (Kerberos name / X.509 certificate name)
  Note that the SNC name is case-sensitive.
Verify that the environment variable SNC_LIB is configured to use secgss.dll.
  Example: C:\Program Files\SAP\FrontEnd\SecureLogin\lib\secgss.dll



6.2 User Name Not Found
Use Case
SAP GUI user wants to authenticate to SAP server using Kerberos token or X.509 user
certificate.

Error Message
No user exists with SNC name.



Checklist

If this message appears, the user mapping is not available or not configured correctly.
Compare the user certificate distinguished name with the SNC name in SAP User
Management (SU01).
Note that SNC name is case-sensitive.

There may also be another reason for this error. For more information, see SAP Note
1635019.

6.3 Invalid Security Token
Use Case 1
An SAP GUI user wants to authenticate to an SAP server using a Kerberos token or X.509 user
certificate.

Error Message
SAP system message S.



Checklist

Verify if SNC is configured in the SAP ABAP server.
If the Secure Login Library is installed on the SAP ABAP server and used for SNC,
enable the trace and verify the results. For more information, see the Installation,
Configuration and Administration Guide for Secure Login Library.

Use Case 2
The Secure Login Client requests a service ticket from the domain server.

Error Message
The system displays the following error message:

Supplied credentials not accepted by the server.

In the trace log of the Secure Login Client, you find the error code A2600202.

Checklist

If the Secure Login Client does not get a service ticket from the domain server, check
whether the Service Principal Name used is assigned more than once in the Active
Directory system. To check this, enter the following command:

setspn -T * -T foo -X


6.4 Wrong SNC Library Configured
Use Case
An SAP GUI user wants to authenticate to an SAP server using a Kerberos token or X.509 user
certificate.

Error Message
Unable to load GSS-API DLL named sncgss32.dll.



Checklist

The wrong SNC library (in this example sncgss32.dll) is assigned to SAP GUI. Verify the
environment variable SNC_LIB.
For Secure Login Client the SNC library secgss.dll is used.
Example: C:\Program Files\SAP\FrontEnd\SecureLogin\lib\secgss.dll

7 List of Abbreviations

Abbreviation Meaning
ADS Active Directory Service
CA Certification Authority
CAPI Microsoft Crypto API
CSP Cryptographic Service Provider
DN Distinguished Name
EAR Enterprise Application Archive
HTTP Hypertext Transport Protocol
HTTPS Hypertext Transport Protocol with Secure Socket Layer (SSL)
IAS Internet Authentication Service (Microsoft Windows Server 2003)
JAAS Java Authentication and Authorization Service
JSPM Java Support Package Manager
LDAP Lightweight Directory Access Protocol
NPA Network Policy and Access Services (Microsoft Windows Server 2008)
PIN Personal Identification Number
PKCS Public Key Cryptography Standards
PKCS#10 Certification Request Standard
PKCS#11 Cryptographic Token Interface Standard
PKCS#12 Personal Information Exchange Syntax Standard
PKI Public Key Infrastructure
PSE Personal Security Environment
RADIUS Remote Authentication Dial In User Service
RFC Remote function call (SAP NetWeaver term)
RSA Rivest, Shamir and Adleman
SAR SAP Archive
SCA Software Component Archive
SLAC Secure Login Administration Console
SLC Secure Login Client
SLL Secure Login Library
SLS Secure Login Server
SLWC Secure Login Web Client
SNC Secure Network Communication (SAP term)
SSL Secure Socket Layer
UPN User Principal Name
WAR Web Archive
WAS Web Application Server


8 Glossary
Authentication
A process that checks whether a person who logs on is really the person corresponding to
the respective user. In a multi-user or network system, authentication means the
validation of a user's logon information. A user's name and password are compared
against an authorized list.

Base64 encoding
Base64 encoding is a three-byte-to-four-character encoding based on an alphabet of 64
characters. This encoding was introduced in PEM (RFC 1421) and MIME. Other uses
include HTTP Basic Authentication headers and general binary-to-text encoding
applications.
Note: Base64 encoding expands binary data by 33%, which is quite efficient.

CAPI
See Cryptographic Application Programming Interface

Certificate
A digital identity card. A certificate typically includes the following:

A public key being signed.
A name, which can refer to a person, a computer or an organization.
A validity period.
A location (URL) of a revocation center.
A digital signature of the certificate produced by the private key of the CA.

The most common certificate standard is the ITU-T X.509.

Certification Authority (CA)
An entity that issues and verifies digital certificates to be used by other parties.

Certificate Store
Sets of security certificates belonging to user tokens or certification authorities.

CREDDIR
A directory on the server where information is placed that goes beyond the PSE (personal
security environment).

Credentials
Used to establish the identity of a party in communication. Usually they take the form of
machine-readable cryptographic keys and/or passwords. Cryptographic credentials may
be self-issued, or issued by a trusted third party; in many cases the only reason for
issuance is unambiguous association of the credential with a specific, real individual or
other entity. Cryptographic credentials are often designed to expire after a certain period,
although this is not mandatory.
Credentials have a defined time to live (TTL) that is configured by a policy and managed
by a client service process.

Cryptographic Application Programming Interface (CAPI)
The Cryptographic Application Programming Interface (also known variously as
CryptoAPI, Microsoft Cryptography API, or simply CAPI) is an application programming
interface included with Microsoft Windows operating systems that provides services to
enable developers to secure Microsoft Windows-based applications using cryptography. It
is a set of dynamically-linked libraries that provides an abstraction layer that isolates
programmers from the code used to encrypt the data.

Cryptographic Token Interface Standard
A standardized crypto-interface for devices that contain cryptographic information or that
perform cryptographic functions.

Directory Service
Provides information in a structured format. Within a PKI, it contains information about the
public keys of the users of the security infrastructure, similar to a telephone book (for
example, an X.500 or LDAP directory).

Distinguished Name (DN)
A name pattern that is used to create a globally unique identifier for a person. This name
ensures that identical certificates are never created for different people with the same name.
The uniqueness of the certificate is additionally ensured by the name of the issuer of the
certificate (the certification authority) and a serial number. All PKI users require a unique
name. Distinguished Names are defined in the ISO/ITU X.500 standard.

Key Usage
Key usage extensions define the purpose of the public key contained in a certificate. You can
use them to restrict the public key to as few or as many operations as needed. For instance,
if you have a key used only for signing, enable the digital signature and/or non-repudiation
extensions. Alternatively, if a key is used only for key management, enable key enciphering.

Key Usage (Extended)
Extended key usage further refines key usage extensions. The extension is either critical
or non-critical. If the extension is critical, the certificate must be used only for the indicated
purpose or purposes. If the certificate is used for another purpose, it is in violation of the
CA's policy.
If the extension is non-critical, it indicates the intended purpose or purposes of the key and
may be used in finding the correct key/certificate of an entity that has multiple
keys/certificates. The extension is only an information field and does not imply that the CA
restricts the use of the key to the purpose indicated. Nevertheless, applications that use
certificates may require that a particular purpose should be indicated for the certificate to be
acceptable.
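As an added example (not from the SAP guide), the following Python decodes the DER-encoded X.509 KeyUsage bit string and applies the purpose and criticality rule described in the two entries above. The operation-to-bit mapping and the sample byte strings are constructed for illustration, and treating a non-critical key usage as advisory unless the application insists is this example's reading of the Extended Key Usage rule.

```python
# Added example, not part of the SAP guide: decode the DER-encoded X.509 KeyUsage
# BIT STRING and apply the purpose/criticality rule from the glossary entries above.

# RFC 5280 KeyUsage bit names; bit 0 is the most significant bit of the first byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> set:
    """Parse a short-form DER BIT STRING (tag 0x03) into the set of asserted usages."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or long-form length")
    unused_bits, payload = der[2], der[3:]
    if unused_bits > 7 or (not payload and unused_bits):
        raise ValueError("bad unused-bits count")
    total_bits = 8 * len(payload) - unused_bits
    return {
        KEY_USAGE_BITS[bit]
        for bit in range(min(total_bits, len(KEY_USAGE_BITS)))
        if payload[bit // 8] & (0x80 >> (bit % 8))
    }

# Constructed mapping from an operation to the usage bits that permit it.
PERMITTING_BITS = {
    "sign": {"digitalSignature", "nonRepudiation"},
    "key-management": {"keyEncipherment", "keyAgreement"},
    "issue-certificate": {"keyCertSign"},
}

def key_allowed_for(der: bytes, critical: bool, operation: str,
                    strict: bool = False) -> bool:
    """Critical: the key may only serve the indicated purposes. Non-critical: the
    extension is informational, unless the application itself insists (strict)."""
    if decode_key_usage(der) & PERMITTING_BITS[operation]:
        return True
    return not critical and not strict

# Constructed samples (DER of the extnValue only, not a whole certificate):
# 03 02 05 A0 -> digitalSignature + keyEncipherment (typical SSL end-entity key)
# 03 02 01 06 -> keyCertSign + cRLSign (typical CA key)
END_ENTITY_KEY_USAGE = bytes.fromhex("030205a0")
CA_KEY_USAGE = bytes.fromhex("03020106")
```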

Lightweight Directory Access Protocol (LDAP)
A network protocol designed to extract information such as names and e-mail addresses
from a hierarchical directory such as X.500.

PKCS#11
PKCS refers to a group of Public Key Cryptography Standards devised and published by
RSA Security. PKCS#11 is an API defining a generic interface to cryptographic tokens.

PEM
See Privacy Enhanced Mail.

Personal Identification Number (PIN)
A unique code number assigned to the authorized user.

Personal Information Exchange Syntax Standard
Specifies a portable format for saving or transporting a user's private keys, certificates,
and other secret information.

Personal Security Environment
The PSE is a personal security area that every user requires in order to work with the
system. A PSE contains security-related information, including the certificate and its secret
private key. The PSE can be either an encrypted file or a smart card and is protected with a
password.

PIN
See Personal Identification Number.

Privacy-Enhanced Mail (PEM)
The first known use of Base 64 encoding for electronic data transfer was the
Privacy-Enhanced Electronic Mail (PEM) protocol, proposed by RFC 989 in 1987. PEM defines a
printable encoding scheme that uses Base 64 encoding to transform an arbitrary
sequence of octets to a format that can be expressed in short lines of 7-bit characters, as
required by transfer protocols such as SMTP.
The current version of PEM (specified in RFC 1421) uses a 64-character alphabet
consisting of upper-case and lower-case Roman alphabet characters (A-Z, a-z), the
numerals (0-9), and the "+" and "/" symbols. The "=" symbol is also used as a special
suffix code. The original specification additionally used the "*" symbol to delimit encoded
but unencrypted data within the output stream.
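The Base64 and PEM entries above describe the encoding in words; as an added example (not part of the SAP guide), the following Python implements the three-byte-to-four-character mapping, the "=" suffix code, the 64-character PEM line wrapping and the 33% expansion check. The PEM label and the sample inputs are constructed for illustration.

```python
# Added example, not part of the SAP guide: a from-scratch Base64 encoder/decoder
# and PEM-style armor, showing the 3-byte -> 4-character mapping, the "=" suffix
# code, 64-character line wrapping and the 33% expansion described above.

ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")

def base64_encode(data: bytes) -> str:
    """Map each group of up to 3 input bytes onto 4 output characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Pack the group into 24 bits; a short final group is zero-filled on the right.
        value = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        chars = [ALPHABET[(value >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1          # 1 byte -> 2 chars, 2 bytes -> 3, 3 bytes -> 4
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)

def base64_decode(text: str) -> bytes:
    """Inverse mapping; the number of "=" characters says how many bytes to drop."""
    lookup = {c: i for i, c in enumerate(ALPHABET)}
    text = "".join(text.split())       # tolerate PEM line breaks
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        if len(group) != 4:
            raise ValueError("Base64 input length must be a multiple of 4")
        value = 0
        for c in group:
            value = (value << 6) | (0 if c == "=" else lookup[c])
        out += value.to_bytes(3, "big")[:3 - group.count("=")]
    return bytes(out)

def pem_armor(label: str, der: bytes, width: int = 64) -> str:
    """Frame the Base64 body in PEM header lines with 64-character rows (RFC 1421 style)."""
    body = base64_encode(der)
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"

def expansion_ratio(n_bytes: int) -> float:
    """Encoded length over raw length; 4/3 for whole groups, i.e. the 33% overhead."""
    return len(base64_encode(bytes(n_bytes))) / n_bytes
```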

Public FSD
Public file system device. An external storage device that uses the same file system as
the operating system.

Public Key Cryptography Standards
A collection of standards published by RSA Security Inc. for the secure exchange of
information over the Internet.

Public Key Infrastructure
Comprises the hardware, software, people, guidelines, and methods that are involved in
creating, administering, saving, distributing, and revoking certificates based on
asymmetric cryptography. It is often structured hierarchically.
In X.509 PKI systems, the hierarchy of certificates is always a top-down tree, with a root
certificate at the top, representing a CA that does not need to be authenticated by a
trusted third party.

Root certification authority
The highest certification authority in a PKI. All users of the PKI must trust it. Its certificate
is signed with its own private key. There can be any number of CAs between a user certificate
and the root certification authority. To check foreign certificates, a user requires the
certificate path as well as the root certificate.

Root certificate
The certificate of the root CA.

RSA
An asymmetric cryptographic procedure, developed by Rivest, Shamir, and Adleman
in 1977. It is the most widely used algorithm for encryption and authentication and is used
in many common browsers and mail tools. Security depends on the length of the key: key
lengths of 1024 bits or higher are regarded as secure.

Secure Network Communications
A module in the SAP NetWeaver system that deals with the communication with external,
cryptographic libraries. The library is addressed using GSS API functions and provides
NetWeaver components with access to the security functions.

Secure Sockets Layer
A protocol developed by Netscape Communications for setting up secure connections
over insecure channels. It ensures the authorization of communication partners and the
confidentiality, integrity, and authenticity of transferred data.

Single Sign-On
A system that administers authentication information, allowing a user to log on to
systems and open programs without having to enter authentication data every time
(automatic authentication).

Token
A security token (or sometimes a hardware token, authentication token or cryptographic
token) may be a physical device that an authorized user of computer services is given to
aid in authentication. The term may also refer to software tokens.
Smart-Card-based USB tokens (which contain a smart card chip inside) provide the
functionality of both USB tokens and smart cards. They enable a broad range of security
solutions and provide the abilities and security of a traditional smart card without requiring
a unique input device (smart card reader). From the point of view of the computer
operating system, a token of this type is a USB-connected smart card reader with one
non-removable smart card present.
Tokens provide access to a private key that allows the user to perform cryptographic
operations. The private key can be persistent (like a PSE file, smart card, and CAPI
container) or non-persistent (like temporary keys provided by Secure Login).

Windows Credentials
A unique set of information authorizing the user to access the Microsoft Windows
operating system on a computer. The credentials usually comprise a user name, a
password, and a domain name (optional).

X.500
A standardized format for a tree-structured directory service.

X.509
A standardized format for certificates and certificate revocation lists.
