Best Practice Secure Login X.509-Based Solution

For SAP NetWeaver

Single Sign-On 1.0 Jan 24th 2013

Best practice – X.509 based solution

Jan 2013


Table of contents

PART 1: INTRODUCTION .... 5
1 Introduction .... 6
1.1 Customer Requirements .... 6
1.1.1 Current environment .... 6
1.1.2 Expectation .... 6
1.2 X.509 Solution from SAP .... 6
2 Network Communication .... 7
3 Prerequisite Check .... 9
3.1 Check Microsoft Active Directory Server .... 9
3.2 Check SAP AS Java .... 9
3.3 Check SAP AS ABAP .... 9
3.4 Check Client Machine (Secure Login Client) .... 9
3.4.1 Verify that the following SAP Applications have already been installed .... 9
3.4.2 Configure SAP GUI (SAP Logon) .... 10
3.4.3 Configure SAP NetWeaver Business Client .... 11
3.4.4 Configure SAP Business Explorer (BEx) .... 12
3.4.5 Configure for Web Browser .... 13

PART 2: HOW TO SETUP THE SYSTEM .... 21
1 Install and Configure Secure Login Server on SAP AS JAVA System .... 22
1.1 Install Secure Login Server .... 22
1.1.1 Deploy Secure Login Server Software .... 22
1.1.2 Configure Secure Login Server .... 22
1.2 Create a Technical User (including SPN) for the Secure Login Server (SPNego) in Microsoft Active Directory .... 29
1.2.1 Create a Service User Account on Microsoft Active Directory .... 29
1.2.2 Define the Service Principal Name .... 30
1.3 Configure SPNEGO (keyTab) .... 32
2 Install and Configure Secure Login Client .... 36
2.1 Prepare Installation .... 36
2.1.1 Verify Client Configuration of Default Instance .... 36
2.1.2 Download and import the Client Policy on the Secure Login Client machine .... 41
2.1.3 Export and Install Secure Login Root CA Certificate .... 45
2.2 Install Secure Login Client .... 47
2.2.1 Install Secure Login Client .... 47
2.2.2 Verify that user certificate is provided in Secure Login Client .... 49
3 Install & Configure Secure Login Library .... 51
3.1 SAPCRYPTOLIB Precondition .... 51
3.1.1 Verify SAPCRYPTOLIB is installed at operating system level on the SAP AS ABAP host .... 51
3.1.2 Verify SAPCRYPTOLIB parameters are configured .... 52
3.1.3 Use transaction STRUST to verify that several PSE containers are available .... 56
3.2 Copy Secure Login Library files to SAP AS ABAP System .... 57
3.2.1 Extract Secure Login Library installation package file using sapcar .... 57
3.2.2 Extract Secure Login Library using sapcar .... 58
3.3 Configure SNC Instance Profile Parameters (RZ10) .... 60
3.3.1 Verify that all SNC instance profile parameters are defined correctly .... 61
3.3.2 Edit SNC instance profile parameters .... 65
3.4 Create AS ABAP SNC X.509 Certificate and Import .... 68
3.4.1 Issue SAP_SERVER certificate .... 68
3.4.2 Export SAP Server certificate in PSE format .... 71
3.4.3 Import SAP server certificate into ABAP system using transaction STRUST .... 72
3.4.4 Troubleshooting .... 75
4 Configure User Mapping in SAP AS ABAP/JAVA .... 76
4.1 Verify the Authentication for SAP AS ABAP Using SAP Logon .... 76
4.1.1 Activate Secure Network Communication on SAP AS ABAP .... 76
4.1.2 Check whether or not user authentication works .... 78
4.1.3 Configure SNC User Mapping for SAP AS ABAP .... 79
4.1.4 Verify the authentication for SAP AS ABAP using SAP Logon .... 81
4.2 Verify the Authentication for SAP AS ABAP Using SAP Business Explorer (BEx) .... 83
4.3 Verify the Authentication for SAP AS ABAP Using a Web Browser .... 85
4.3.1 Verify whether SSL for SAP AS ABAP is configured .... 85
4.3.2 Configure SSL for ABAP .... 86
4.3.3 Verify whether external ID user mapping information is configured .... 93
4.3.4 Configure external ID user mapping for SAP AS ABAP .... 93
4.3.5 Verify the authentication for SAP AS ABAP using a Web browser .... 94
4.4 Verify the Authentication for SAP AS JAVA Using a Web Browser .... 95
4.4.1 Verify whether SSL for AS JAVA is configured .... 95
4.4.2 Configure SSL for Java .... 95
4.4.3 Configure User Mapping for SAP AS JAVA .... 100
4.4.4 Verify the authentication for SAP AS Java using the Web Portal .... 102
4.5 Verify the Authentication for SAP AS ABAP using SAP NetWeaver Business Client .... 102
4.6 Verify the Authentication for SAP AS JAVA Using SAP NetWeaver Business Client .... 104
5 Configure User Mapping for Thousands of Users in AS ABAP .... 105
5.1 Configure SNC User Mapping Information (Background Mode) .... 105
5.2 Verify SNC Name of a User After Configuring User Mapping .... 108
5.3 Configure External ID User Mapping Information (Background Mode) .... 109

PART 1: INTRODUCTION


1 Introduction

Secure Login is an innovative software solution created specifically to improve user and IT productivity and to protect business-critical data in SAP business solutions through secure Single Sign-On to the SAP environment.

1.1 Customer Requirements

1.1.1 Current environment

A Microsoft Windows user authenticates to a Microsoft Windows domain. SAP users use the following applications to access SAP AS Java and SAP AS ABAP:
- SAP GUI (SAP Logon)
- Web GUI (Browser)
- SAP NetWeaver Business Client
- SAP Business Explorer (BEx)

1.1.2 Expectation

Secure communication and Single Sign-On using SAP GUI and Web GUI (SAP AS Java/ABAP).
- Single user authentication only
- Microsoft user authentication controls SAP user authentication
- Access to SAP environment with security token only

1.2 X.509 Solution from SAP

Install Secure Login Client, Secure Login Server, and Secure Login Library or SAPCRYPTOLIB. Kerberos technology is used to verify user authentication to Secure Login Server (using the SPNEGO standard Login Module). After successful user authentication, an X.509 user certificate (one day token) is provided automatically (Microsoft Windows Logon Process) to establish SSO and secure communication to AS ABAP and AS Java.


2 Network Communication

[Figure: network communication diagram. The labels recoverable from the figure are listed below.]

Secure Login Client machine (client.demo.sso.local): SAP GUI client, SAP BEx, SAP NetWeaver Business Client, Web GUI, and the Secure Login Client (SLC) with the client policy customer.reg. The user holds an X.509 certificate issued by the Secure Login Root CA (validity = 10h).

SAP AS ABAP (abap.demo.sso.local): Secure Login Library (SLL) with SAPCrypto. SNC identity CN=ABAP-ABC, OU=SAP Security, used for DIAG/RFC over SNC with X.509. SSL via ICM with the certificate CN=ABAP ABC SSL, OU=3rd Party PKI, SubjectAlternative name abap.demo.sso.local.

SAP AS JAVA (java.demo.sso.local): Enterprise Portal (EP), UME, SAP CryptoLib, and the Secure Login Server (SLS) with the SPNego keyTab. SSL via ICM with the certificate CN=JAVA SSL, OU=3rd Party PKI, SubjectAlternative name java.demo.sso.local. SPN: HTTP/java.demo.sso.local.

Active Directory (MSADS.demo.sso.local): DNS, the service user for the SPN and its password (for example SL-JAVA-C73), and the domain user TestSSO.


3 Prerequisite Check

3.1 Check Microsoft Active Directory Server

Make sure that the DNS is configured correctly.
- FQDN = MSADS.demo.sso.local
- Domain Name = demo.sso.local

3.2 Check SAP AS Java

Make sure this server joins the domain “demo.sso.local”.
- FQDN = java.demo.sso.local

3.3 Check SAP AS ABAP

Make sure this server joins the domain “demo.sso.local”.
- FQDN = abap.demo.sso.local

3.4 Check Client Machine (Secure Login Client)

Make sure this machine joins the domain “demo.sso.local”.
- FQDN = client.demo.sso.local

3.4.1 Verify that the following SAP Applications have already been installed

- SAP GUI (SAP Logon)
- SAP NetWeaver Business Client
- SAP Business Explorer (BEx)


3.4.2 Configure SAP GUI (SAP Logon)

1. Create the connection “ABC” as follows:

2. Properties of the “ABC” connection


3.4.3 Configure SAP NetWeaver Business Client

1. Add a new Java connection on SAP NetWeaver Business Client
- Name = AS JAVA
- URL = https://java.demo.sso.local:50000/irj/portal
- Type = Portal

2. Add a new ABAP connection on SAP NetWeaver Business Client
- Name = AS ABAP
- URL = https://abap.demo.sso.local:8001/sap/bc/gui/sap/its/webgui
- Type = ABAP
- Client = 001
- SAP GUI Logon Description = ABC (must match the SAP Logon description in SAP GUI Logon)


3.4.4 Configure SAP Business Explorer (BEx)

1. Make sure the “TestSSO” user has the profile “S_BW_RFC”.

2. All connections from SAP GUI are imported into Business Explorer


3.4.5 Configure for Web Browser

3.4.5.1 Verify the active services using transaction SMICM

1. Start transaction SMICM (ICM = Internet Communication Manager)

2. Click the “Services” button


3. The list of active services appears. Now ABAP is ready to use with HTTP and HTTPS

3.4.5.2 Activate the webgui service to access ABAP through HTTP/HTTPS using transaction SICF

3.4.5.2.1 Activate the webgui service

1. Start transaction SICF


2. In the Hierarchy Type field, enter “SERVICE”. Click the “Execute” button (or press F8)

3. Choose the node: default_host → sap → bc → gui → sap → its → webgui


4. Right-click “webgui” and choose “Activate Service”

5. To activate the webgui service, choose the second “Yes” button.
Notes: The first “Yes” button activates only the webgui service. The second “Yes” button activates the webgui service and all subservices.


3.4.5.2.2 Test the webgui Service

1. Right-click “webgui” and choose “Test Service”


2. The web browser displays an error message. It says that the related services need to be activated

3. Go to default_host → sap → public. Right-click the “bc” node and choose “Activate Service”


4. Right-click “webgui” and choose “Test Service” again. → A logon page appears. This is correct.


PART 2: HOW TO SETUP THE SYSTEM

Check list (Check/Uncheck)

On SAP NW AS Java (Secure Login Server)
1. Install & Configure Secure Login Server on SAP AS Java System
1.1. Install Secure Login Server

On Microsoft Active Directory
1.2. Create a Technical User (including SPN) for Secure Login Server (SPNEGO) in Microsoft Active Directory
1.3. Configure SPNEGO (keyTab)

On the Client Machine (Secure Login Client)
2. Install Secure Login Client
2.1. Prepare Installation
2.2. Install Secure Login Client

On SAP NW AS ABAP
3. Install & Configure Secure Login Library on an SAP AS ABAP System
3.1. Preconditions for SAPCRYPTOLIB
3.2. Copy Secure Login Library files to the SAP AS ABAP System
3.3. Configure the SNC Instance Profile Parameter (RZ10)
3.4. Create an AS ABAP SNC X.509 Certificate and Import

On the Client Machine (Secure Login Client)
4. Configure User Mapping in SAP AS ABAP/JAVA
5. How to Configure User Mapping for Thousands of Users (Optional)

1 Install and Configure Secure Login Server on SAP AS JAVA System

This is a checklist of the actions required to install and configure Secure Login Server on an SAP AS Java system.

1.1 Install Secure Login Server

1.1.1 Deploy Secure Login Server Software

Log in to the SAP AS Java and deploy Secure Login Server.

1.1.2 Configure Secure Login Server

1.1.2.1 Precondition for the configuration of Secure Login Server

1. Create an encryption key file
a. Create a keyfile.txt in the following folder and remember to back up this file: d:\usr\sap\C73\SYS\global\SecureLoginServer\KeyFile\


b. Enter any value into the keyfile.txt

1.1.2.2 Initialize Secure Login Server

After deploying, browse to http://localhost:50000/securelogin and perform the next steps to finish the initialization wizard. The following information is required for initialization:

1. Enter the path of the key file

2. Create an administrator account. Use this administrator account to log in to SLAC (for example: Admin/******).


3. Define a public-key infrastructure (PKI) as below

3.1. Create a root CA


3.2. Skip all SSL certificates

3.3. Create a user CA


3.4. Configure the user certificate

3.5. Finish the initialization wizard


3.6. Restart the Secure Login Server application

3.7. Reload and login to the Secure Login Administration Console


Review the checklist. You have completed the first step.


1.2 Create a Technical User (including SPN) for the Secure Login Server (SPNego) in Microsoft Active Directory

To verify Kerberos user authentication, the Secure Login Library requires a Kerberos keyTab, which can be created using the command line tool provided by Secure Login Library. The Kerberos keyTab contains Kerberos principals and encrypted keys that are derived from the Microsoft Windows user password. A Microsoft Windows account in Microsoft Active Directory is therefore required.

1.2.1 Create a Service User Account on Microsoft Active Directory

1. To create the service user, you must be authenticated in the Microsoft Active Directory.

2. On the Active Directory Server (ADS), create a Service User Account (for example: “SL-JAVA-C73”)


3. Enter a password and select the “User cannot change password” and “Password never expires” checkboxes.

1.2.2 Define the Service Principal Name

1. On the ADS, open ADSI Edit.
2. Go to the “CN=Users” node.
3. Right-click “CN=SL-JAVA-C73” and choose “Properties”.
4. Select “ServicePrincipalName” and click the Edit button.
5. Add the SPN as follows: http/java.demo.sso.local (java.demo.sso.local is the FQDN of the NW Java server)

Note: In Microsoft Windows 2008, you can enable “Advanced Features” and configure the ServicePrincipalName value on the “Attribute Editor” tab.


Review the checklist. You have completed the second step

1.3 Configure SPNEGO (keyTab)

Create the keyTab in SPNEGO using the service user (SL-JAVA-C73) information.

1. Browse to the NetWeaver Administrator page (http://java.demo.sso.local:50000/nwa)
2. Log in and choose “Configuration” → “Authentication and Single Sign-On” → “SPNego”
3. Click the “Add” button. Choose the “Manually” option
4. Enter the correct Realm Name (for example: DEMO.SSO.LOCAL)


5. Enter a Principal Name (for example: SL-JAVA-C73) and a Password. Click the “Next” button.

6. Review all keys and click the “Next” button


7. Choose the Mapping mode “Principal and REALM”, and the Source “ADS Data Source”. Click “Next”.

8. Finish all steps, and click the “Enable” button.


Review the checklist. You have completed the third step. → This completes “Install and Configure Secure Login Server on an SAP AS Java System”.


2 Install and Configure Secure Login Client This is a checklist of the actions required to install and configure Secure Login Client.

2.1 Prepare Installation

2.1.1 Verify Client Configuration of Default Instance

1. Log in on the client machine with administrator privilege.

2. Log in to SLAC as Admin (http://java.demo.sso.local:50000/securelogin)

3. Choose “Instance Management” → “DefaultServer Configuration”. Verify that “Default Instance” is using “SPNegoLoginModule”


4. Go to “Instance Management” → “DefaultServer Configuration → Client Configuration”.

5. On the “Client Policy” tab, make sure that the Policy URL is correctly configured, with the appropriate protocol (HTTPS), host name, and port specified.


6. On the “Profiles” tab, choose the default profile and make sure that Enroll URL is correctly configured, with the appropriate protocol (HTTPS), host name, and port specified.


7. Define the Profile Name

8. Set the key size to “1024”

9. Save the client configuration.


2.1.2 Download and import the Client Policy on the Secure Login Client machine

1. Go to the “Download Files” tab and click the “Download” button.

2. To download the policy file (customer.zip), click the link.

3. Save the policy file in the INSTALL folder: “C:\INSTALL\customer.zip”


4. Extract and verify the contents of the policy file


5. Import the client policy file (customer.reg).


2.1.3 Export and Install Secure Login Root CA Certificate

1. Export the Secure Login Root CA certificate

2. Install Secure Login Root CA Certificate into “Trusted Root Certificate Authorities”


Review the checklist. You have completed the first step.

2.2 Install Secure Login Client

2.2.1 Install Secure Login Client

1. Double-click the installation file (“Secure Login Client x64.msi”)


2. Choose the “Custom” option and select the components shown below:

3. Finish the installation.

4. Restart the Secure Login Client machine.


2.2.2 Verify that user certificate is provided in Secure Login Client

1. Log in to the Secure Login Client machine again with a domain user (for example, DEMO\TestSSO)

2. Verify that a user certificate is displayed in Secure Login Client.


3. Double-click the certificate to view the detail. The user certificate is valid for 10 hours (as configured in Secure Login Server).

Review the checklist. You have completed the second step. → This completes “Install and Configure Secure Login Client”.


3 Install & Configure Secure Login Library This is a checklist of the steps to install and configure Secure Login Library.

3.1 SAPCRYPTOLIB Precondition

3.1.1 Verify SAPCRYPTOLIB is installed at operating system level on the SAP AS ABAP host

1. Log on to the operating system of the SAP AS ABAP host.

2. Make sure that SAPCRYPTOLIB is installed (sapcrypto.dll is available).


3. Make sure that the license file (ticket) for SAPCRYPTOLIB is available.

3.1.2 Verify SAPCRYPTOLIB parameters are configured

1. Use SAP Logon to log on to the AS ABAP system with the Admin user.


2. Start transaction RZ11 to verify the relevant parameters.

3. Verify that parameter sec/libsapsecu is configured (SAPCRYPTOLIB).


4. Verify that parameter ssf/name is configured (SAPSECULIB).


5. Verify that parameter ssf/ssfapi_lib is configured (SAPCRYPTOLIB).


3.1.3 Use transaction STRUST to verify that several PSE containers are available

1. Start transaction STRUST.

2. Verify that several PSE containers are available.

Review the checklist. You have completed the first step.


3.2 Copy Secure Login Library files to SAP AS ABAP System

3.2.1 Extract Secure Login Library installation package file using sapcar

1. Log on to the operating system of the SAP AS ABAP host.

2. Extract the Secure Login Library installation package file using sapcar by executing the following command at the command prompt: sapcar -xvf D:\Install\SLLIBRARY03_1-19919553.SAR -R D:\Install\


3. Once extraction is complete, verify that there are six files in the folder “D:\Install\window-x86-64” .

3.2.2 Extract Secure Login Library using sapcar

1. Create a folder for Secure Login Library.

2. Extract the Secure Login Library file using sapcar.


3. Once extraction is complete, verify that there are 60 files in the folder “D:\usr\sap\ABC\SLL” .

Review the checklist. You have completed the second step.


3.3 Configure SNC Instance Profile Parameters (RZ10)

Use RZ10 to configure the SNC instance profile parameters as listed below:


The most important parameter is snc/identity/as. This example shows an X.509 solution; this means that you need to configure this parameter with the distinguished name of the SAP server certificate, which in this guide is: snc/identity/as = p:CN=ABAP-ABC, OU=SAP Security

3.3.1 Verify that all SNC instance profile parameters are defined correctly

1. Use SAP Logon to log on to the AS ABAP system with the Admin user.

2. Start transaction RZ10.


3. To choose the correct profile, click the button next to “Profile” list.

4. Select “Extended maintenance” mode and click “Change”.


5. To find “snc” parameters, press “Ctrl-F” and enter “snc” as the text you want to find.

6. Verify that all SNC instance profile parameters are correctly defined.


3.3.2 Edit SNC instance profile parameters

1. Edit all SNC instance profile parameters directly in the table and click the Back button.

2. A warning message appears. Click the Yes button.


3. Save the configuration.

4. A dialog box appears, and the system asks if you want to display the new values. Click the “No” button.

5. A dialog box appears, and the system asks if you want to activate the profile. Click the “Yes” button.

6. To save and activate the profile, choose Continue.


7. A warning message appears. Choose Continue again.

8. Restart the AS ABAP server.

Review the checklist. You have completed the third step.


3.4 Create AS ABAP SNC X.509 Certificate and Import

3.4.1 Issue SAP_SERVER certificate

1. Log on to SLAC

2. Issue the SAP_CA certificate

2.1. Choose “Server Configuration → Certificate Management”.

2.2. Choose “Secure Login Root CA”.


2.3. From the “CA Operations” dropdown list, select “SAP_CA” and click the “Issue” button.

2.4. Enter the required information and click “Create” button


3. Issue the SAP_SERVER certificate.

3.1. Choose “Server Configuration → Certificate Management”.

3.2. Choose “Secure Login Sub CA CAP”.

3.3. From the “CA Operations” dropdown list, select “SAP_SERVER” and click the “Issue” button.


3.4. Enter the required information and click the “Create” button.

3.4.2 Export SAP Server certificate in PSE format

1. Choose the certificate for the SAP server.

2. From the “Export Type” dropdown list, select pse and enter a password for the certificate. Click the “Export” button.

3. Save the SAP server certificate as a file called “SAP_SERVER_ABC.pse”.

4. Log out of SLAC.


3.4.3 Import SAP server certificate into ABAP system using transaction STRUST

1. Use SAP Logon to log on to the AS ABAP system with the Admin user.

2. Start transaction STRUST.

3. Select “PSE → Import”


4. Browse to the “SAP_SERVER_ABC.pse” file.

5. Enter the certificate password.


6. To view details of the certificate, as shown below, double-click the entry for Owner under Own Certificate.

7. To store the certificate, choose “PSE → Save as”.

8. To store the certificate in the SNC SAPCryptolib container, select “SNC SAPCryptolib” and choose Continue.


9. Verify that the certificate is stored correctly in the SNC SAPCryptolib container. Choose “Save” and then restart the SAP AS ABAP system.

Review the checklist. You have completed the fourth step. This completes “Install & Configure Secure Login Library”.

3.4.4 Troubleshooting

Remember that STRUST verifies the value of the parameter snc/identity/as before importing the SNC X.509 certificate. In this guide the parameter is:

snc/identity/as = p:CN=ABAP-ABC, OU=SAP Security

If SNC is still enabled with a different SNC name and you want to use the new X.509 certificate, proceed as follows:

1. Disable SNC (snc/enable=0).
2. Change the SNC name (snc/identity/as = ).
3. Reboot the AS ABAP system.
4. In transaction STRUST, import the new X.509 certificate.
5. Enable SNC (snc/enable=1).
6. Reboot the AS ABAP system.
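As an added example (not from the SAP guide), the following Python script checks an instance profile for the SNC settings that sections 3.3 and 3.4.4 depend on, and compares snc/identity/as with the subject of the SAP_SERVER certificate the way STRUST does before the PSE import. The sample profile text, the library path in snc/gssapi_lib and the kernel default values are assumptions; only the snc/identity/as value comes from the guide.

```python
"""Lint the SNC parameters of an AS ABAP instance profile for the X.509 setup of
sections 3.3 and 3.4.4. Added example, not part of the SAP guide and not SAP code.
The sample profile is constructed; snc/identity/as is the value from the guide,
the library path in snc/gssapi_lib is an assumption."""

# Constructed instance profile text in the "name = value" form RZ10 maintains.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = ABC
# SNC parameters
snc/enable = 1
snc/identity/as = p:CN=ABAP-ABC, OU=SAP Security
snc/gssapi_lib = D:\\usr\\sap\\ABC\\SLL\\sapcrypto.dll
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
"""

# Quality of protection used by snc/data_protection/*: 1 = authentication only,
# 2 = integrity, 3 = privacy (encryption). The defaults below are the usual kernel
# defaults (assumption) and apply when a parameter is absent from the profile.
QOP_PRIVACY = 3
DEFAULTS = {"snc/data_protection/min": "2", "snc/data_protection/max": "3",
            "snc/data_protection/use": "3"}
INSECURE_SWITCHES = ("snc/accept_insecure_gui", "snc/accept_insecure_rfc",
                     "snc/accept_insecure_cpic")


def parse_profile(text):
    """Return {parameter: value}, skipping blank and comment lines."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def snc_identity_dn(identity):
    """The X.509 DN inside an SNC name 'p:<DN>', or None when the prefix is missing."""
    return identity[2:].strip() if identity.startswith("p:") else None


def normalize_dn(dn):
    """Comparison form: attribute types upper-case, one space after each comma.
    Values containing escaped commas are not handled by this simple split."""
    canon = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        canon.append(attr.strip().upper() + sep + value.strip())
    return ", ".join(canon)


def identity_matches_certificate(identity, cert_subject_dn):
    """Section 3.4.4: STRUST checks snc/identity/as against the SAP_SERVER certificate
    before the PSE import. Returns 'exact', 'normalized' (spacing/case only) or 'mismatch'."""
    dn = snc_identity_dn(identity)
    if dn is None:
        return "mismatch"
    if dn == cert_subject_dn:
        return "exact"
    if normalize_dn(dn) == normalize_dn(cert_subject_dn):
        return "normalized"
    return "mismatch"


def check_snc(params):
    """Return findings for the SNC parameters; an empty list means nothing to report."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is switched off for this instance")
    identity = params.get("snc/identity/as", "")
    if snc_identity_dn(identity) is None or "CN=" not in identity.upper():
        findings.append("snc/identity/as must be 'p:<subject DN of the SAP_SERVER certificate>'")
    if not params.get("snc/gssapi_lib"):
        findings.append("snc/gssapi_lib is missing: no SNC library will be loaded")
    try:
        qop = {k: int(params.get(k, v)) for k, v in DEFAULTS.items()}
        lo, hi = qop["snc/data_protection/min"], qop["snc/data_protection/max"]
        use = qop["snc/data_protection/use"]
    except ValueError:
        lo = hi = use = 0
    if not 1 <= lo <= use <= hi <= 3:
        findings.append("snc/data_protection: need 1 <= min <= use <= max <= 3")
    elif lo < QOP_PRIVACY:
        findings.append("snc/data_protection/min below 3: a client may negotiate SNC without encryption")
    for name in INSECURE_SWITCHES:
        value = params.get(name, "0")
        if value != "0":
            findings.append(f"{name}={value}: logons without SNC are still accepted; set to 0 once all clients use SNC")
    return findings


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_PROFILE)
    for finding in check_snc(profile):
        print("-", finding)
    print(identity_matches_certificate(profile["snc/identity/as"], "CN=ABAP-ABC, OU=SAP Security"))
```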


4 Configure User Mapping in SAP AS ABAP/JAVA

4.1 Verify the Authentication for SAP AS ABAP Using SAP Logon

4.1.1 Activate Secure Network Communication on SAP AS ABAP

1. Log in to the Secure Login Client machine and verify that the X.509 User Certificate is available.

2. Start SAP Logon.

3. Right-click the “ABC” connection and choose “Properties”.


4. Verify the connection properties.

5. Choose the “Network” tab. Check “Activate Secure Network Communication”. Choose “OK”.


4.1.2 Check whether or not user authentication works

1. To check if the user authentication works, double-click the “ABC” connection.

→ A logon screen appears with the warning message: No user exists with SNC name “p:CN=TESTSSO, OU=SAP Security”. In the bottom-right corner, there is a lock icon with the message “Secure Network Communication is enabled”.

→ This means that the X.509 certificate was accepted but no user mapping information has been configured.


4.1.3 Configure SNC User Mapping for SAP AS ABAP

1. Use SAP Logon to log on to the AS ABAP system with the Admin user.

2. Start transaction SU01.

3. Enter “TESTSSO” as the user and choose “Edit” button.


4. Check whether the user mapping information is missing.

5. Configure the SNC Name using the certificate name displayed in Secure Login Client. Note: we recommend using copy & paste to avoid mistakes.


6. Save the configuration and log off.
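As an added example (not from the SAP guide), this Python script models the SU01 lookup behind the “No user exists with SNC name” screen of 4.1.2 and reports the near misses a hand-typed SNC name typically contains, which is why 4.1.3 recommends copy and paste. The SU01 entries other than TESTSSO and the exact-match rule are assumptions made here.

```python
"""Reproduce the SNC-name lookup AS ABAP performs when SAP GUI connects over SNC
(sections 4.1.2 and 4.1.3). The subject DN of the X.509 user certificate becomes
the SNC name 'p:<DN>', which must match the SNC name maintained in SU01.

Added example, not part of the SAP guide and not SAP code. The SU01 entries are
constructed; only TESTSSO's SNC name comes from the guide. Exact string equality
as the accepted form is an assumption made here; the near-miss hints illustrate
why the guide recommends copy and paste for the SNC name."""

# Constructed SU01 entries: ABAP user -> SNC name as the administrator typed it.
SU01_SNC_NAMES = {
    "TESTSSO": "p:CN=TESTSSO, OU=SAP Security",
    "JDOE": "p:CN=jdoe, OU=SAP Security",        # CN typed in the wrong case
    "ASMITH": "CN=ASMITH, OU=SAP Security",      # "p:" prefix forgotten
    "BMILLER": "p:CN=BMILLER,OU=SAP Security",   # space after the comma missing
}

# Typographic quotes that survive a paste from a word processor or PDF.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}


def snc_name_from_subject(subject_dn):
    """SNC name of an X.509 principal: 'p:' followed by the certificate subject DN.
    This is the string to paste into the SNC name field of SU01."""
    return "p:" + subject_dn.strip()


def loose_form(snc_name):
    """Form used only to detect near misses: no 'p:' prefix, no spaces around
    commas, straight quotes, lower case. Never used to accept a logon."""
    name = snc_name.strip()
    for bad, good in SMART_QUOTES.items():
        name = name.replace(bad, good)
    if name.lower().startswith("p:"):
        name = name[2:]
    return ",".join(part.strip() for part in name.split(",")).lower()


def resolve_logon(subject_dn, su01=SU01_SNC_NAMES):
    """Return (user, message). user is None when no SU01 entry matches exactly,
    which is the 'No user exists with SNC name ...' logon screen of section 4.1.2."""
    wanted = snc_name_from_subject(subject_dn)
    for user, stored in su01.items():
        if stored == wanted:
            return user, f"logon as {user} over SNC, no password prompt"
    hint = ""
    for user, stored in su01.items():
        if loose_form(stored) == loose_form(wanted):
            hint = f" (near miss: SU01 entry of {user} reads '{stored}')"
            break
    return None, f'No user exists with SNC name "{wanted}"{hint}'


if __name__ == "__main__":
    for dn in ("CN=TESTSSO, OU=SAP Security", "CN=JDOE, OU=SAP Security",
               "CN=ASMITH, OU=SAP Security", "CN=NOBODY, OU=SAP Security"):
        print(dn, "->", resolve_logon(dn)[1])
```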

4.1.4 Verify the authentication for SAP AS ABAP using SAP Logon

1. Double-click the “ABC” connection.

→ Logon succeeds with the “TestSSO” user without entering a user name/password.

4.2 Verify the Authentication for SAP AS ABAP Using SAP Business Explorer (BEx)

1. Launch SAP Business Explorer.

2. Double-click the “ABC” connection.

3. The Password field is grayed out. To log on, click “OK”.

→ Login to SAP Business Explorer succeeds without entering a user name/password.

4.3 Verify the Authentication for SAP AS ABAP Using a Web Browser

4.3.1 Verify whether SSL for SAP AS ABAP is configured

1. Open Internet Explorer. Choose Tools → Internet Options. Choose the Content tab and click the Certificates button. 2. Verify that the X.509 user certificate exists.

3. Verify whether webgui works with HTTPS by calling: https://abap.demo.sso.local:8001/sap/bc/gui/sap/its/webgui

It does not work. You need to configure SSL for AS ABAP.


4.3.2 Configure SSL for ABAP

4.3.2.1 Verify certificate in SSL server standard container using transaction STRUST

1. Use SAP Logon to log on to the AS ABAP system with the Admin user.

2. Verify the certificate in the SSL Server Standard container using transaction STRUST.


3. Double-click the certificate in the SSL Server Standard container and enter the certificate password.

4. To view the certificate details, double-click the Own Certificate.  In this case, the SSL server certificate was created by another PKI, and therefore the trust relationship for the Secure Login PKI is missing.




To enable the trust relationship, import the Secure Login root CA certificates.

4.3.2.2 Export Secure Login Root CA using Secure Login Client

1. Open Secure Login Client, double-click the User Certificate (TestSSO) and go to the Certificate Path tab.

2. Double-click “Secure Login Root CA”. The certificate dialog appears.

3. Go to the “Details” tab. Click the “Copy to File” button.


4. Select the “Base-64 encoded X.509 (.CER)” option.

5. Complete the remaining steps of the export wizard to save the certificate as “SLS_Root_CA.cer”.


4.3.2.3 Import Secure Login Root CA Certificate into Certificate List of SSL Server Certificate

1. Click the “Import Certificate” button at the bottom of the page.

2. Click the Browse button for the “File path” field.

3. Browse to the “SLS_Root_CA.cer” file.


4. Select the “Base64” option and choose Continue.

5. To add the Secure Login Root CA to the list, click the “Add to Certificate List” button.


6. Save the configuration.


4.3.3 Verify whether external ID user mapping information is configured

1. Launch webgui with HTTPS again by calling the URL: https://abap.demo.sso.local:8001/sap/bc/gui/sap/its/webgui

It still does not work because of missing user mapping information.

4.3.4 Configure external ID user mapping for SAP AS ABAP

1. Use transaction EXTID_DN to check the list of external ID user mapping information.




There are no users in the list.


2. Click the “New Entries” button.

3. Enter the required information to configure external ID user mapping information (for the TestSSO user).

4. Save the configuration.

4.3.5 Verify the authentication for SAP AS ABAP using a Web browser

1. Launch webgui with HTTPS again by calling the URL: https://abap.demo.sso.local:8001/sap/bc/gui/sap/its/webgui


4.4 Verify the Authentication for SAP AS JAVA Using a Web Browser

4.4.1 Verify whether SSL for AS JAVA is configured

Launch the Web portal: https://java.demo.sso.local:500001/irj/portal

The logon page appears. It means that SSL for AS Java has not been configured yet.

4.4.2 Configure SSL for Java

1. Log on to SAP NetWeaver Administrator: https://java.demo.sso.local:500001/nwa

2. To check the SSL configuration, choose Configuration → Security → SSL.


3. The SSL certificate was created by a third-party PKI. This means that the trust relationship is missing.


4. Choose the “Trusted CA” tab. You can see that the Secure Login Root CA certificate is not trusted.

5. Choose “Edit”.

6. To import the Secure Login Root CA certificate, click the “Import Entry” button.


7. Browse to the “SLS_Root_CA.cer” file and import it.

8. Check that the Secure Login Root CA certificate is correct.

9. Save the configuration.


10. A warning message appears. Click the “Restart Now” button.

11. Enter the user name and password for SAP NetWeaver Administrator and choose OK.

This means that the certificate trust relationship is enabled.


4.4.3 Configure User Mapping for SAP AS JAVA

1. Choose Configuration → Security → Authentication and Single Sign-On.

2. Go to “Authentication → Components”. Select “ticket” and click the “Edit” button.


3. Click the “Add” button and select ClientCertLoginModule from the list.

4. In the Flag column, configure the value “Optional”.

5. Move “ClientCertLoginModule” up to the second position.

6. Define the rule-based configuration:

a. Rule1.getUserFrom = SubjectName

b. Rule1.attributeName = CN

7. Save the configuration.


4.4.4 Verify the authentication for SAP AS Java using the Web Portal

Launch the Web Portal: https://java.demo.sso.local:500001/irj/portal

The Web Portal launches successfully.

4.5 Verify the Authentication for SAP AS ABAP using SAP NetWeaver Business Client

1. Launch SAP NetWeaver Business Client.

2. Select the “AS ABAP” connection and choose “Logon”.




Log on successfully.

3. Log off.


4.6 Verify the Authentication for SAP AS JAVA Using SAP NetWeaver Business Client

1. Select the “AS JAVA” connection and choose “Logon”.



Log on successfully.

2. Log off.


5 Configure User Mapping for Thousands of Users in AS ABAP

Option 1: Integration with an Identity Management solution like SAP NetWeaver IDM

SAP NetWeaver IDM manages user mapping information automatically, for example when a new employee joins the company (new user), when an employee leaves the company, or when a mass roll-out is required. For more information, see http://scn.sap.com/community/netweaver-idm

Option 2: Work with reports

Report RSUSR300 (transaction SNC1) configures user mapping information in script mode for SAP GUI users.

Report RSUSREXTID configures External ID user mapping (Web GUI interface) in script mode for Web GUI users.

This example shows Option 2.

5.1 Configure SNC User Mapping Information (Background Mode)

You can use transaction SNC1 (or report RSUSR300) to distribute the user DName (Distinguished Name) to all SAP users with less effort. With this tool you can choose all SAP Users (*), a list of SAP users, or SAP user groups.

1. Log on to SAP GUI as the Admin user.


2. Start transaction SNC1.

3. Perform the configuration as described in the previous sections. Note: if you want to configure for all users, enter * in the Users text box.

In this example, we want to configure for TestSSO2 to TestSSO9.

a. Users: From: TestSSO2 To: TestSSO9

b. Previous character string: p:CN=

c. Following character string: , OU=SAP Security

d. If you select the option “Users without SNC names only”, it is possible to overwrite SNC names.

This background processing tool selects an SAP user and uses the components to build the SNC name.

4. Choose “Execute”.

5. View the result and save the configuration.


5.2 Verify SNC Name of a User After Configuring User Mapping

1. Start transaction SU01.

2. Enter “TestSSO2” in the User field and choose “Display”.

3. Verify the SNC Name of the TestSSO2 user.


5.3 Configure External ID User Mapping Information (Background Mode)

1. Start transaction SE38.

2. Enter “RSUSREXTID” in the Program field and choose Execute.


3. Enter the information listed below and choose “Execute”. In this example, you want to configure for TestSSO2 to TestSSO9.

a. Users: From: TestSSO2 To: TestSSO9

b. External ID: DN

c. Previous character string: CN=

d. Following character string: , OU=SAP Security

e. Deselect the “Test Mode” checkbox.


The result displays as shown below:

6. Start transaction EXTID_DN to review the result.
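The name construction performed by RSUSR300/SNC1 (section 5.1) and RSUSREXTID (section 5.3), together with the CN rule of ClientCertLoginModule (section 4.4.3), as an added Python example that is not part of the SAP guide: it rebuilds the previous string + user + following string logic for the page's TestSSO2 to TestSSO9 range, models the overwrite behaviour as a boolean, and shows the reverse lookup the server performs at logon. The function names and the sample mapping table are constructed for illustration.

```python
import re

# Character strings from the guide's SNC1 / RSUSREXTID examples (sections 5.1, 5.3)
SNC_PREFIX, SNC_SUFFIX = "p:CN=", ", OU=SAP Security"
EXTID_PREFIX, EXTID_SUFFIX = "CN=", ", OU=SAP Security"

def user_range(first, last):
    """Expand a From/To selection (TestSSO2 .. TestSSO9) into SAP user IDs.
    SAP stores user IDs in upper case, which is why the certificate subject
    on the page reads CN=TESTSSO although the user was typed as TestSSO."""
    m1, m2 = re.fullmatch(r"(.*?)(\d+)", first), re.fullmatch(r"(.*?)(\d+)", last)
    if not (m1 and m2) or m1.group(1) != m2.group(1):
        raise ValueError("From/To must share a stem and end in a number")
    lo, hi = int(m1.group(2)), int(m2.group(2))
    return [f"{m1.group(1)}{i}".upper() for i in range(lo, hi + 1)]

def build_names(users, existing, prefix, suffix, overwrite=False):
    """Mimic the background reports: name = previous string + user + following
    string. Users that already have a name are skipped unless overwrite=True
    (the reports control this with the 'Users without SNC names only' option)."""
    table = dict(existing)
    for user in users:
        if table.get(user) and not overwrite:
            continue
        table[user] = f"{prefix}{user}{suffix}"
    return table

def cn_from_subject(subject_dn):
    """Mimic ClientCertLoginModule Rule1 (getUserFrom=SubjectName, attributeName=CN).
    Assumes a plain DN without escaped or quoted commas."""
    for rdn in re.split(r",\s*", subject_dn):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None

def lookup_user(table, name):
    """Reverse lookup done at logon: presented SNC/external name -> SAP user."""
    reverse = {v: k for k, v in table.items()}
    return reverse.get(name)

if __name__ == "__main__":
    users = user_range("TestSSO2", "TestSSO9")
    existing = {"TESTSSO": "p:CN=TESTSSO, OU=SAP Security"}  # constructed sample
    snc = build_names(users, existing, SNC_PREFIX, SNC_SUFFIX)
    print(snc["TESTSSO5"])  # -> p:CN=TESTSSO5, OU=SAP Security
    print(lookup_user(snc, "p:CN=TESTSSO9, OU=SAP Security"))  # -> TESTSSO9
    print(cn_from_subject("CN=TESTSSO, OU=SAP Security"))  # -> TESTSSO
```

A name that is not in the table yields None from lookup_user, which corresponds to the “No user exists with SNC name” warning seen in section 4.1.2 before the mapping was configured.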


www.sap.com

© 2013 SAP AG. All rights reserved. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company. Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.