
Installation of Single-Sign-On SSO

(for SAP internal use of SAPGui and Secude) Last update: 05.10.2006

Getting PSE Files


Request the PSE files either via email (to our network colleagues) or by using SISM. In SISM, search for your system and check the "generate pse file" box.

SSO on Windows
Copy the PSE file from \\pse\server.pse$\<SID>.pse to C:\temp on the host. Copy ssoinst.exe from the admin Citrix (R:\progs\tools\ssoinst.exe) onto the host, start it using the user ID sidadm, and enter the path to the PSE file.

If the SNC profile parameters are not yet entered, check the Modify Profiles box. If you do not check the box, the necessary parameters are copied to the file
\\<host>\sapmnt\<SID>_SSO.txt

Make sure that the environment variable SECUDIR is available in the environment and in the SAP server's registry. You can ensure this by logging off and logging on again and restarting the SAP service (e.g. by means of mmc: All Tasks -> Restart service).

For those who want to do everything manually, please follow these steps; everyone else can ignore this.

1. Get the latest version of sapgenpse.exe and sapcrypto.dll for your platform (e.g. NtIA64) from Service Marketplace (you may have to use S-User for logon).
2. Get <SID>.pse from another application server in your system or from \\pse\server.pse$.
3. Log on to R/3 server with <SID>adm.
4. Create directory D:\usr\sap\<SID>\D<Nr>\sec and place <SID>.pse into this directory.
5. Remove variable CREDDIR from environment and registry.
6. Define environment variable SECUDIR = D:\usr\sap\<SID>\D<Nr>\sec (environment and registry).
7. Copy sapgenpse.exe and sapcrypto.dll to DIR_EXECUTABLE, DIR_CT_RUN, and c:\windows\system32.
8. Profile parameter snc/gssapi_lib has to point to $(DIR_EXECUTABLE)\sapcrypto.dll
9. Create credentials with sapgenpse as follows:
   open a cmd prompt in D:\usr\sap\<SID>\D<Nr>\sec
   set SECUDIR=D:\usr\sap\<SID>\D<Nr>\sec
   sapgenpse seclogin -p <SID>.pse -x <PIN>
   (if the SAP service is installed with user SAPService<SID> you have to type:
   sapgenpse seclogin -p <SID>.pse -O SAPService<SID> -x <PIN>)
   PIN is 2bs4<SID>

SSO on Unix
Create the directory sec in the home directory of <sid>adm. Example:
/usr/sap/<SID>/home/sec

Copy the corresponding file for your platform from droth990 R:\transports\SSO\<platform>.CAR to the host. (Current files can be downloaded by logging on to Service Marketplace with an S-User under alias swdc, SAP Cryptographic Software.) Unpack the archive with:
SAPCAR -xvf <platform>.CAR

Copy the library libsapcrypto.* and sapgenpse to /sapmnt/SID/exe (watch for different kernel directories on different platforms) and copy the file <SID>.pse and the file ticket into /usr/sap/<SID>/home/<sid>adm/sec. Enter:
sapgenpse seclogin -p <SID>.pse -x 2bs4<SID>

Log off and log on again.

Adjustments in SAP System


Transaction RZ10: Import the instance profile and save it. (Activate the instance profile.)
Utilities -> import profiles -> of active server

Check the R/3 instance profile for these parameters:
# Following parameters enable the application server to handle
# SNC (Secure Network Communications)
# In case of problems disable SSO by setting snc/enable = 0
snc/enable = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/gssapi_lib = /usr/local/lib/libsapcrypto.so
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/permit_insecure_start = 1
snc/identity/as = p/secude:CN=SID, O=SAP-AG, C=DE
snc/extid_login_diag = 1
snc/extid_login_rfc = 1
# New with SAP BASIS rel. >= 7.0
login/create_sso2_ticket = 2

The following parameters have to be checked:

Adapt snc/identity/as according to your SID! (e.g. snc/identity/as = p/secude:CN=KCD, O=SAP-AG, C=DE for SID KCD)

Check snc/gssapi_lib; it should point to the library you have copied before (check extension!). (For Windows these entries are generated by the SSOinst program which was executed in step 3 and will be set to c:\winnt\system32\sapcrypto.dll)
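
The two checks above can be run against a profile file before it is activated. The following Python script is an added example, not part of the original guide or of any SAP tool; the function names and the sample profile are constructed for illustration. Besides the SID and library-extension checks it lists every snc/accept_insecure_* parameter set to 1, since those make the server accept connections that are not protected by SNC.

```python
import re

# Constructed sample: part of the page's parameter block, still carrying
# the template identity CN=SID on a system whose SID is KCD.
SAMPLE_PROFILE = """\
# In case of problems disable SSO by setting snc/enable = 0
snc/enable = 1
snc/data_protection/min = 1
snc/gssapi_lib = /usr/local/lib/libsapcrypto.so
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/identity/as = p/secude:CN=SID, O=SAP-AG, C=DE
"""

def parse_profile(text):
    """Return {parameter: value}; '#' comment lines and blanks are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # the value itself may contain '='
        params[key.strip()] = value.strip()
    return params

def check_snc(params, sid, platform):
    """platform is 'windows' or 'unix'. Returns a list of finding strings."""
    findings = []
    ident = params.get("snc/identity/as", "")
    m = re.search(r"CN=([^,]+)", ident)
    if not m or m.group(1).strip().upper() != sid.upper():
        findings.append(f"snc/identity/as: CN does not match SID {sid}: {ident!r}")
    lib = params.get("snc/gssapi_lib", "")
    is_dll = lib.lower().endswith(".dll")
    if not lib:
        findings.append("snc/gssapi_lib: not set")
    elif (platform == "windows") != is_dll:
        findings.append(f"snc/gssapi_lib: wrong extension for {platform}: {lib!r}")
    for key in sorted(params):
        if key.startswith("snc/accept_insecure_") and params[key] == "1":
            findings.append(f"{key}: connections without SNC are accepted")
    return findings

if __name__ == "__main__":
    for finding in check_snc(parse_profile(SAMPLE_PROFILE), "KCD", "unix"):
        print(finding)
```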

Save profile and activate. Restart system.

Process the following only for customer systems, not SAP internal systems:

1. Import the transport request:
   1. for non-Unicode systems: WCGK900004
   2. for Unicode systems: CMDK902103
   Both are located in R:\transports\sso on droth990
2. For non-Unicode systems log on to R/3 and execute ZSUSREXT and ZSUSRACL; for Unicode systems execute reports ZSUSREXT_UC and ZSUSRACL_UC using SE38. Specify the parameters as shown below:

SSO state can be checked using the transaction SMLG | Goto SNC state. The SNC state has to be green.

Troubleshooting
For troubleshooting see note 95810
