SPNEGO SINGLE SIGN-ON USING SECURE LOGIN SERVER X.509 CLIENT CERTIFICATES

TABLE OF CONTENTS
SCENARIO ... 2
IMPLEMENTATION STEPS ... 2
PREREQUISITES ... 3
1. CONFIGURE ADMINISTRATOR FOR THE SECURE LOGIN ADMINISTRATION CONSOLE ... 4
2. SECURE LOGIN SERVER INITIALIZATION ... 6
3. ENABLE SPNEGO BASED SINGLE SIGN-ON USING SECURE LOGIN SERVER ... 9
3.1 CONFIGURE A SERVICE USER FOR SPNEGO IN THE MICROSOFT ACTIVE DIRECTORY ... 9
3.2 CONFIGURE SPNEGO AUTHENTICATION FOR THE SECURE LOGIN SERVER ... 12
3.3 SSL CONFIGURATION BASED ON CERTIFICATE SIGNED BY SECURE LOGIN SERVER ... 14
3.4 SECURE LOGIN CLIENT CONFIGURATION ... 19
SCENARIO

Your company is using Secure Login Server for issuing short-lived X.509 client certificates for authentication to the SAP and non-SAP business systems across your landscape. Your company is also using Microsoft Active Directory, and now you want to re-use the Kerberos tokens issued by the MS Domain Controller (KDC) for Single Sign-On with Secure Login Server X.509 client certificates. After implementing this scenario, your domain users will have to authenticate only once, using their Microsoft Active Directory credentials, and they will be authenticated automatically to any SAP or non-SAP system that requires short-lived X.509 client certificates and where these users have been granted authorizations.

IMPLEMENTATION STEPS
PREREQUISITES

1. You have your SAP Application Server Java installed and configured with running SSL. For more details on how to install SAP Application Server Java, see: HTTPS://SERVICE.SAP.COM/~FORM/HANDLER?_APP=00200682500000002672&_EVENT=DISPLAY&_SCENARIO=&_HIER_KEY=501100035870000015092&_HIER_KEY=601100035870000179415&_HIER_KEY=601100035870000249638&_HIER_KEY=701100035871000575782&
   For more details on how to configure SSL, see: HTTP://HELP.SAP.COM/SAPHELP_NW74/HELPDATA/EN/4A/015CC68D863132E10000000A421937/CONTENT.HTM?FRAMESET=/EN/BC/2EE9A2D023D64EAC961745EA2CB503/FRAMESET.HTM&CURRENT_TOC=/EN/CD/A3937849B043509786C5B42171E5D3/PLAIN.HTM&NODE_ID=146&SHOW_CHILDREN=FALSE
2. Secure Login Server (SLS) installed. For more details on how to install Secure Login Server, see: HTTP://HELP.SAP.COM/SAPHELP_NWSSO20/HELPDATA/EN/DD/12ECCDEFD04C01A4EAB86BB2E59F10/CONTENT.HTM?FRAMESET=/EN/B3/35DF9CB6C04CFC8D7E4DF994878B42/FRAMESET.HTM&CURRENT_TOC=/EN/BA/A0222BF5DA4ED3A655EAEF1E4A3B60/PLAIN.HTM&NODE_ID=163&SHOW_CHILDREN=FALSE
   Note: Always refer to the PRODUCT AVAILABILITY MATRIX FOR SAP SSO 2.0 for more information about currently supported components and platforms.
3. Secure Login Client (SLC) installed on the user machine. For more details on how to install Secure Login Client, see: HTTP://HELP.SAP.COM/SAPHELP_NWSSO20/HELPDATA/EN/DA/610FD072E4409BAA8B6A96973B5C67/CONTENT.HTM?FRAMESET=/EN/BA/21970855064E54A9246B6C6DE67FB2/FRAMESET.HTM&CURRENT_TOC=/EN/BA/A0222BF5DA4ED3A655EAEF1E4A3B60/PLAIN.HTM&NODE_ID=26&SHOW_CHILDREN=FALSE
1. CONFIGURE ADMINISTRATOR FOR THE SECURE LOGIN ADMINISTRATION CONSOLE

1. Log on to SAP NetWeaver Administrator at https://<host>:<port>/nwa.
2. Navigate to Configuration > Identity Management and click Create User.
3. Provide a Logon ID (for example SLAC_ADMIN), a password and a Last Name for the user.
4. Navigate to the tab Assigned Roles and search in the Available Roles (on the left side) for the role SLAC_SUPERADMIN.
5. Select the role and click Add to assign this role to the SLAC_ADMIN user.
6. Click Save to save the SLAC_ADMIN user.
7. As a result you have a new administrative user with access to the Secure Login Administration Console (SLAC).
2. SECURE LOGIN SERVER INITIALIZATION

8. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the new administrative account SLAC_ADMIN.
   Note: The system will require a reset of the initial password if this is the first time you are logging on with this user.
9. Start the Initialization with the option Manual.
   Note: If the default option for your Secure Login Server installation is Automatic, you will get a confirmation message. Click Yes to confirm that you want to proceed with this change.
10. On the Root CA step provide the Country Name (in our example DE) and the Organizational Name (in our example ABC).
11. Click Next.
12. On the step User CA click Next.
13. On the step SAP CA click Next.
14. On the step SSL CA click Next.
15. On the step User Certificate Configuration provide the Country Name (in our example DE).
16. Click Finish.
17. After finishing the configuration the initialization starts; when it is completed you receive the following message: Secure Login Server has been initialized.
18. Click the Go button.
3. ENABLE SPNEGO BASED SINGLE SIGN-ON USING SECURE LOGIN SERVER

3.1 CONFIGURE A SERVICE USER FOR SPNEGO IN THE MICROSOFT ACTIVE DIRECTORY

Step 1: Create a Service User for SPNEGO in the Microsoft Active Directory
19. Open the tool Active Directory Users and Computers on the Active Directory Server (ADS) and go to the Users branch.
20. Right-click and choose New > User.
21. Provide for the new user a First Name (example Kerberos), a Last Name (example A01) and a User logon name (example KerberosA01, where A01 is your Application Server SID).
22. Click Next.
23. Provide a password for the new user.
24. Select User cannot change password and Password never expires.
25. Click Next.
26. To complete the creation of the new user click Finish.

Step 2: Set up the servicePrincipalName for the New Service User
27. Find your new user (example Kerberos A01) in the list of users and double-click it to open the user properties.
28. Go to the tab Attribute Editor.
    Note: If you don't see the Attribute Editor tab, you may alternatively start adsiedit.msc from the Start menu of Microsoft Windows.
29. Search for the attribute with the name servicePrincipalName, select it and click Edit.
30. Add as a new value HTTP/<fully qualified name of the Application Server Java> (example HTTP/vepo13023.dhcp.wdf.sap.corp). Click Add and the value appears in the list of Values.
31. Click OK to save the new setting.
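The following PowerShell check is an added example and not part of the SAP guide; it verifies the service user and SPN from steps 21 to 31, assuming the ActiveDirectory module (RSAT) is available and using the guide's example names:

```powershell
# Added example, not from the SAP guide: verify the SPNEGO service user created above.
# Assumes the ActiveDirectory PowerShell module (RSAT) and the guide's example names.
Import-Module ActiveDirectory

$ServiceUser = 'KerberosA01'                   # User logon name from step 21
$JavaFqdn    = 'vepo13023.dhcp.wdf.sap.corp'   # Application Server Java host from step 30
$Spn         = "HTTP/$JavaFqdn"

# 1. Exactly one account may carry the SPN. If a second account (for example a computer
#    object or an older service user) also has HTTP/<fqdn>, the KDC may issue tickets
#    encrypted with the other account's key and the SPNEGO logon of section 3.2 fails.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
switch ($owners.Count) {
    0       { Write-Host "FAIL  $Spn is not registered on any account (redo step 30)" }
    1       { Write-Host "OK    $Spn is registered on $($owners[0].DistinguishedName)" }
    default {
        Write-Host "FAIL  $Spn is duplicated on:"
        $owners | ForEach-Object { Write-Host "      $($_.DistinguishedName)" }
    }
}

# 2. The KeyTab generated in section 3.2 is derived from this user's password. If the
#    password changes, the KeyTab silently stops working, so the flags from step 24 matter.
$u = Get-ADUser $ServiceUser -Properties PasswordNeverExpires, CannotChangePassword, Enabled
foreach ($flag in 'Enabled', 'PasswordNeverExpires', 'CannotChangePassword') {
    $state = if ($u.$flag) { 'OK  ' } else { 'FAIL' }
    Write-Host "$state  $ServiceUser $flag = $($u.$flag)"
}
```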
3.2 CONFIGURE SPNEGO AUTHENTICATION FOR THE SECURE LOGIN SERVER

32. Log on to SAP NetWeaver Administrator at https://<host>:<port>/nwa.
33. Navigate to Configuration > Authentication and Single Sign-On > tab SPNEGO.
34. Click Add and select Manually to add a new KeyTab.
35. Enter the realm name of your Microsoft Active Directory domain (example CSISC01.LOCAL).
36. Click Next.
37. Provide the Principal Name and the password of the service user created previously in the Microsoft Active Directory domain (in our example KerberosA01).
38. Click Next.
39. From the drop-down list Mapping Mode choose the value Principal@REALM and select virtual user as the Source value.
40. Click Finish.
41. Click Enable for your new Service User KeyTab.
42. Your Service User KeyTab is now activated.
3.3 SSL CONFIGURATION BASED ON CERTIFICATE SIGNED BY SECURE LOGIN SERVER

Step 1: Check the Host Name of the Client Authentication Profile
43. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (SLAC_ADMIN).
44. Navigate to Client Authentication Profiles.
45. Select the Client Authentication Profile Windows Authentication (SPNEGO).
46. Go to the tab Secure Login Client Settings and make sure that the host name of the Enrollment URL is the fully qualified name (example vepo13023.dhcp.wdf.sap.corp) and that the Port is correct (in our example 50001).

Step 2: Generate SSL Server Certificate
47. Navigate to the Certificate Management tab and make sure that the status of your Root CA is green.
48. Expand Root CA and select SSL Sub CA.
49. Click the Issue Entry button.
50. Provide as Entry Name the fully qualified name of the Application Server Java (for example vepo13023.dhcp.wdf.sap.corp).
51. Set this fully qualified name of the Application Server Java also as DNS Name (for example vepo13023.dhcp.wdf.sap.corp) in the Subject Alternative Names.
52. Click Next.
53. On the step Subject Properties provide the Country Name (for example DE) and as Common Name the fully qualified name of the Application Server Java (for example vepo13023.dhcp.wdf.sap.corp).
54. Click Next.
55. Click Finish to complete the certificate generation.
56. Your certificate appears under the SSL Sub CA and is of type SSL SERVER.

Step 3: Import Secure Login Server Certificate to the SSL Configuration
57. Log on again to SAP NetWeaver Administrator at https://<host>:<port>/nwa.
58. Navigate to Configuration > SSL Configuration. Click Edit.
59. Go to the Details of port xxxx.
60. Click Copy Entry.
61. Select from the drop-down list From View the value SecureLoginServer.
62. Select from the drop-down list From Entry the certificate created in the SLAC under SSL Sub CA (in our example vepo13023.dhcp.wdf.sap.corp).
63. Make sure that the To Entry is the one of the selected SAP Java Instance.
64. Click Import.
65. Select and delete the default identity ssl-credentials.
66. Click OK to confirm the deletion.
67. Click Save to confirm the configuration.
68. A restart is required. Click Restart Now (you can also select Restart Later if necessary, but your configuration will be completed only after the restart).
69. Wait for the restart to finish; afterwards your SSL configuration is ready.
3.4 SECURE LOGIN CLIENT CONFIGURATION

Step 1: Export Root CA certificate from the Secure Login Server
70. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (SLAC_ADMIN).
71. Navigate to Certificate Management. Select Root CA and click Export Entry.
72. Choose the export format X.509 Certificate. The dialog box displays the file name, type, size and the download link.
73. Choose the Download button and save the file in a location of your choice (for example in a folder on your Domain Controller). Optional: rename the file so that it indicates the origin of the root CA certificate.

Step 2: Installing Root CA Certificates on a Windows Client
To ensure secure communication and a trust relationship, you should install the root CA certificate on the Windows clients. There are three options for performing this step.

Option 1: Distribute the Secure Login Server root CA certificate via the Microsoft Domain Server:
74. Log on as an administrator to your Domain Controller and start the command prompt in Microsoft Windows.
75. Use the following command: certutil -dspublish -f <root_ca_file> RootCA
76. You will get as a result: CertUtil: -dspublish command completed successfully.
77. Restart your client. (After a restart the group policies are updated, which pushes the certificate to the client. You can also trigger this with the command gpupdate /force.)

As an alternative to Option 1 you can perform one of these two types of installation:
Option 2: Distribute Secure Login Server Root CA Certificates Using Microsoft Group Policies. For more details see: HTTP://HELP.SAP.COM/SAPHELP_NWSSO20/HELPDATA/EN/C0/EDD891A3E949CA80E00A469700652A/CONTENT.HTM?FRAMESET=/EN/33/EEA915735D4360AC698CA2F0AAA7ED/FRAMESET.HTM&CURRENT_TOC=/EN/BA/A0222BF5DA4ED3A655EAEF1E4A3B60/PLAIN.HTM&NODE_ID=36&SHOW_CHILDREN=FALSE
Option 3: Installing Root CA Certificates on a Windows Client. For more details see: HTTP://HELP.SAP.COM/SAPHELP_NWSSO20/HELPDATA/EN/0F/7D75FBE5264371B476210C57D18657/CONTENT.HTM?FRAMESET=/EN/C0/EDD891A3E949CA80E00A469700652A/FRAMESET.HTM&CURRENT_TOC=/EN/BA/A0222BF5DA4ED3A655EAEF1E4A3B60/PLAIN.HTM&NODE_ID=34
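The following PowerShell function is an added example, not part of the SAP guide. Run on a domain-joined client after Step 2, it checks that the Root CA exported in Step 1 is trusted and that the SSL server certificate issued in section 3.3 (CN, SAN DNS Name and chain) fits it; the host and port are the guide's example values and the .cer path is a placeholder for your exported file:

```powershell
# Added example, not from the SAP guide: verify from a domain-joined client that the Root CA
# distributed in Step 2 is trusted and that the SSL certificate issued in section 3.3 matches it.
# Assumes the guide's example host and port; the Root CA file path is a placeholder for your export.
function Test-SlsTrust {
    param([string]$JavaFqdn, [int]$Port, [string]$RootCaFile)
    $X509 = 'System.Security.Cryptography.X509Certificates'
    $checks = [ordered]@{}

    # 1. The Root CA exported in step 73 must be in the machine's Trusted Root store after
    #    certutil -dspublish (step 75) and the group policy refresh (step 77).
    $root = New-Object "$X509.X509Certificate2" -ArgumentList $RootCaFile
    $checks["Root CA $($root.Thumbprint) present in LocalMachine\Root"] =
        [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint })

    # 2. Fetch the certificate the Application Server Java presents on the enrollment port.
    #    The callback accepts anything so that a wrong certificate can still be inspected below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $JavaFqdn, $Port
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $accept
    $ssl.AuthenticateAsClient($JavaFqdn)
    $srv = New-Object "$X509.X509Certificate2" -ArgumentList $ssl.RemoteCertificate
    $ssl.Dispose(); $tcp.Close()

    # 3. CN (step 53) and SAN DNS Name (step 51) must both be the FQDN of the Enrollment URL (step 46).
    $san = ($srv.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }) -join ' '
    $checks["CN matches $JavaFqdn ($($srv.Subject))"] = $srv.Subject -match ('CN=' + [regex]::Escape($JavaFqdn) + '(,|$)')
    $checks["SAN contains DNS Name=$JavaFqdn ($san)"]  = $san -match ('DNS Name=' + [regex]::Escape($JavaFqdn))

    # 4. The chain must end at the Secure Login Server Root CA: server cert -> SSL Sub CA -> Root CA.
    $chain = New-Object "$X509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; revocation is a separate topic
    $built = $chain.Build($srv)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $checks["Chain ends at SLS Root CA (issuer: $($srv.Issuer))"] = $built -and ($top.Thumbprint -eq $root.Thumbprint)

    foreach ($name in $checks.Keys) {
        Write-Host ("{0}  {1}" -f $(if ($checks[$name]) { 'OK  ' } else { 'FAIL' }), $name)
    }
    return -not (@($checks.Values) -contains $false)
}
# Example call with the guide's values; the .cer path is a placeholder for the file saved in step 73.
Test-SlsTrust -JavaFqdn 'vepo13023.dhcp.wdf.sap.corp' -Port 50001 -RootCaFile 'C:\Temp\SLS_RootCA.cer'
```

A FAIL on the first line usually means the group policy has not been refreshed yet; a FAIL on the chain line with the Root CA present points at the certificate imported in Step 3 of section 3.3 rather than at the client.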
Step 3: Set up the Policy Update Interval
If there are any changes in the profiles, the most recent configuration is automatically updated in the Secure Login Client after a defined time, the Policy Update Interval, configurable in minutes. The default value for the Policy Update Interval is 0. You can change it, for example, to 480 minutes (8 hours); this setting forces the profile to be refreshed (downloaded) on your Secure Login Clients every 8 hours.
78. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (SLAC_ADMIN).
79. Navigate to the List of Profile Groups. Select the respective profile group and click Edit to change the details of the group.
80. Change the Policy Update Interval (minutes) value to the number of minutes you need (in our example 480 minutes).
81. Check the IP Address/Host Name field: it has to contain the correct fully qualified name of the server (in our example vepo13023.dhcp.wdf.sap.corp). Click Save.
Step 4: Download Profile Group Policy
82. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (SLAC_ADMIN).
83. Navigate to Client Management > Profile Groups.
84. Select the Profile Group that you want to distribute to the Secure Login Clients. Click Download Policy.
85. Download the Registry File with the Policy URL, which specifies the resource file that includes the latest configuration of all client authentication profiles in the group (in our example ProfileDownloadPolicy_SecureLogindefaultgroup.reg). Save the file in a location of your choice on the client machine.

Step 5: Import Profile Group Policy on the client machine
86. Make sure that the registry file downloaded in the previous step is available on the client machine where the Secure Login Client is installed.
87. Double-click the registry file.
88. Click Yes to the message to confirm the change on the computer.
89. Click Yes to confirm again and add the policy to the registry.
90. Click OK to the confirmation message informing you that the *.reg file has been successfully imported into the registry.
Note: Alternatively, a company-wide group policy can be used to deploy the profile groups.
Step 6: Restart the Secure Login Service
91. On the client machine navigate to Computer Management > Services and Applications > Services.
92. Search for Secure Login Service. Double-click this service to display the service properties.
93. Click Stop to stop the service.
94. Wait for Windows to stop the service.
95. Click Start to start the service again.
96. Wait for Windows to start the service.
97. Now when you open the Secure Login Client you will have the certificate issued by the Secure Login Server.
Note: Alternatively, a machine restart may be needed to load the profile group.

© 2014 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
Copyright 2015 SAP SE or an SAP SE affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE and its affiliated companies ("SAP SE Group") for informational purposes only, without representation or warranty of any kind, and SAP SE Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP SE and other SAP SE products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.