SPNEGO SINGLE SIGN-ON USING SECURE LOGIN SERVER X.509 CLIENT CERTIFICATES


TABLE OF CONTENTS

SCENARIO
IMPLEMENTATION STEPS
PREREQUISITES
1. CONFIGURE ADMINISTRATOR FOR THE SECURE LOGIN ADMINISTRATION CONSOLE
2. SECURE LOGIN SERVER INITIALIZATION
3. ENABLE SPNEGO BASED SINGLE SIGN-ON USING SECURE LOGIN SERVER
3.1 CONFIGURE A SERVICE USER FOR SPNEGO IN THE MICROSOFT ACTIVE DIRECTORY
3.2 CONFIGURE SPNEGO AUTHENTICATION FOR THE SECURE LOGIN SERVER
3.3 SSL CONFIGURATION BASED ON CERTIFICATE SIGNED BY SECURE LOGIN SERVER
3.4 SECURE LOGIN CLIENT CONFIGURATION

SCENARIO

Your company uses Secure Login Server (SLS) to issue short-lived X.509 client certificates for authentication to the SAP and non-SAP business systems across your landscape. Your company also uses Microsoft Active Directory, and you now want to reuse the Kerberos tickets issued by the domain controller (KDC) for Single Sign-On to the Secure Login Server, so that the X.509 client certificates are issued without a second logon. After implementing this scenario, domain users authenticate only once, with their Microsoft Active Directory credentials; the Secure Login Client then presents a SPNEGO token (carrying the Kerberos service ticket) to the Secure Login Server, receives a short-lived certificate, and is authenticated automatically to any SAP or non-SAP system that requires such certificates and on which the users have been granted authorizations.

Note that this replaces the password prompt, not the authorization decision: each target system still decides what the certificate's subject may do.

IMPLEMENTATION STEPS

The implementation consists of the following steps, described in the sections below:

1. Configure an administrator for the Secure Login Administration Console (SLAC).
2. Initialize the Secure Login Server (creates the Root CA and the User, SAP and SSL sub CAs).
3. Enable SPNEGO based Single Sign-On using Secure Login Server:
   3.1 Configure a service user for SPNEGO in the Microsoft Active Directory.
   3.2 Configure SPNEGO authentication (KeyTab) for the Secure Login Server.
   3.3 Configure SSL for the Application Server Java with a certificate signed by the Secure Login Server.
   3.4 Configure the Secure Login Client (root CA distribution and profile group policy).

PREREQUISITES

1. You have your SAP Application Server Java installed and configured with SSL running. For more details on how to install SAP Application Server Java, see:
HTTPS://SERVICE.SAP.COM/~FORM/HANDLER?_APP=00200682500000002672&_EVENT=DISPLAY&_SCENARIO=&_HIER_KEY=501100035870000015092&_HIER_KEY=601100035870000179415&_HIER_KEY=601100035870000249638&_HIER_KEY=701100035871000575782&
For more details on how to configure SSL, see:
HTTP://HELP.SAP.COM/SAPHELP_NW74/HELPDATA/EN/4A/015CC68D863132E10000000A421937/CONTENT.HTM?FRAMESET=/EN/BC/2EE9A2D023D64EAC961745EA2CB503/FRAMESET.HTM&CURRENT_TOC=/EN/CD/A3937849B043509786C5B42171E5D3/PLAIN.HTM&NODE_ID=146&SHOW_CHILDREN=FALSE

2. Secure Login Server (SLS) installed. For more details on how to install Secure Login Server, see:
HTTP://HELP.SAP.COM/SAPHELP_NWSSO20/HELPDATA/EN/DD/12ECCDEFD04C01A4EAB86BB2E59F10/CONTENT.HTM?FRAMESET=/EN/B3/35DF9CB6C04CFC8D7E4DF994878B42/FRAMESET.HTM&CURRENT_TOC=/EN/BA/A0222BF5DA4ED3A655EAEF1E4A3B60/PLAIN.HTM&NODE_ID=163&SHOW_CHILDREN=FALSE
Note: Always refer to the PRODUCT AVAILABILITY MATRIX FOR SAP SSO 2.0 for more information about currently supported components and platforms.

3. Secure Login Client (SLC) installed on the user machine. For more details on how to install Secure Login Client, see:
HTTP://HELP.SAP.COM/SAPHELP_NWSSO20/HELPDATA/EN/DA/610FD072E4409BAA8B6A96973B5C67/CONTENT.HTM?FRAMESET=/EN/BA/21970855064E54A9246B6C6DE67FB2/FRAMESET.HTM&CURRENT_TOC=/EN/BA/A0222BF5DA4ED3A655EAEF1E4A3B60/PLAIN.HTM&NODE_ID=26&SHOW_CHILDREN=FALSE

Note: SSL must already work because both the SPNEGO token exchange and the certificate enrollment of the Secure Login Client run over HTTPS; in section 3.3 the existing SSL server certificate is replaced by one issued by the Secure Login Server. In addition, clients must resolve the Application Server Java by the same fully qualified host name that is registered as its service principal name (section 3.1), and the server and client clocks must be synchronized with the domain, since Kerberos rejects tickets outside the permitted clock skew (5 minutes by default in Active Directory).

1. CONFIGURE ADMINISTRATOR FOR THE SECURE LOGIN ADMINISTRATION CONSOLE

1. Log on to SAP NetWeaver Administrator at https://<host>:<port>/nwa.
2. Navigate to Configuration > Identity Management and click Create User.
3. Provide a Logon ID (for example SLAC_ADMIN), a password and a Last Name for the user.
4. Go to the Assigned Roles tab and search the Available Roles (on the left side) for the role SLAC_SUPERADMIN.
5. Select the role and click Add to assign it to the SLAC_ADMIN user.
6. Click Save to store the SLAC_ADMIN user.
7. As a result you have a new administrative user with access to the Secure Login Administration Console (SLAC).

Note: SLAC_SUPERADMIN administers the Secure Login Server's certificate authorities, that is, the trust anchor every client and target system in the landscape will rely on. Treat this account like a CA administrator account: use a dedicated user with a strong password, and do not assign the role to the user you use for day-to-day NetWeaver administration.

2. SECURE LOGIN SERVER INITIALIZATION

8. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the new administrative account SLAC_ADMIN.
Note: The system requires a reset of the initial password the first time you log on with this user.
9. Start the Initialization with the option Manual.
Note: If the default option for your Secure Login Server installation is Automatic, you get a confirmation message. Click Yes to confirm that you want to proceed with this change.
10. On the Root CA step provide the Country Name (in our example DE) and the Organizational Name (in our example ABC).
11. Click Next.
12. On the User CA step click Next.
13. On the SAP CA step click Next.
14. On the SSL CA step click Next.
15. On the User Certificate Configuration step provide the Country Name (in our example DE).
16. Click Finish.
17. The initialization now runs; when it is completed you receive the following message: Secure Login Server has been initialized.
18. Click the Go button.

Note: The initialization generates a new private Root CA with three sub CAs (User CA for client certificates, SAP CA, SSL CA for server certificates). Because this root is not trusted by any client yet, its certificate has to be distributed to the Windows clients later (section 3.4, Step 2).

3. ENABLE SPNEGO BASED SINGLE SIGN-ON USING SECURE LOGIN SERVER

3.1 CONFIGURE A SERVICE USER FOR SPNEGO IN THE MICROSOFT ACTIVE DIRECTORY

Step 1: Create a Service User for SPNEGO in the Microsoft Active Directory
19. Open the tool Active Directory Users and Computers on the Active Directory Server (ADS) and go to the Users container.
20. Right-click and choose New > User.
21. Provide for the new user the First Name (example Kerberos), Last Name (example A01) and User logon name (example KerberosA01, where A01 is your Application Server SID).
22. Click Next.
23. Provide a password for the new user.
24. Select User cannot change password and Password never expires.
25. Click Next.
26. Click Finish to complete the creation of the new user.

Step 2: Set up the servicePrincipalName for the New Service User
27. Find your new user (example Kerberos A01) in the list of users and double-click it to open the user properties.
28. Go to the Attribute Editor tab.
Note: If you do not see the Attribute Editor tab, enable Advanced Features in the View menu of Active Directory Users and Computers, or alternatively start adsiedit.msc from the Windows Start menu.
29. Search for the attribute servicePrincipalName, select it and click Edit.
30. Add as new value HTTP/<fully qualified host name of the Application Server Java> (example HTTP/vepo13023.dhcp.wdf.sap.corp). Click Add and the value appears in the Values list.
31. Click OK to save the new setting.

Note: An SPN must be unique in the forest, and its host part must be exactly the name clients use in the HTTPS URL (the Enrollment URL checked in step 46). Kerberos issues service tickets for a name, not an address, so a short name, an alias or an IP address in the URL means no ticket is obtained and the client falls back to a password prompt. Because the password of this account never expires, rotating it is a manual task; each rotation invalidates the KeyTab configured in section 3.2, which must then be regenerated. The account needs no group memberships beyond the default Domain Users and should never be used for interactive logon.
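The following PowerShell script is an added example and not part of the SAP guide; it performs steps 19 to 31 with the ActiveDirectory module instead of the GUI, adds the duplicate-SPN check that the GUI does not do, and verifies afterwards that a service ticket for the SPN can be obtained. The SID A01 and the host name are the guide's example values; the file paths, variable names and the description text are assumptions. Run it as a domain administrator on a machine with the RSAT AD tools installed.

```powershell
# Added example (not from the SAP guide): create the SPNEGO service user and
# register its SPN (section 3.1, steps 19-31) with the ActiveDirectory module.
Import-Module ActiveDirectory

$Sid        = 'A01'                           # SAP system ID (guide example)
$SamAccount = "Kerberos$Sid"                  # user logon name, as in step 21
$Fqdn       = 'vepo13023.dhcp.wdf.sap.corp'   # AS Java host name (guide example)
$Spn        = "HTTP/$Fqdn"                    # must equal the host part of the HTTPS URL
$Password   = Read-Host -AsSecureString "Password for $SamAccount"

# 1. SPNs must be unique in the forest. With a duplicate the KDC cannot decide
#    which account key to use and clients get KDC_ERR_S_PRINCIPAL_UNKNOWN or
#    silently fall back to NTLM/password; the GUI does not warn about this.
$dup = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
if ($dup) {
    throw "SPN $Spn is already registered on $($dup.DistinguishedName); remove it there first."
}

# 2. Create the account with the options from steps 21-26 and the SPN from step 30.
#    The name attributes mirror the guide: first name Kerberos, last name <SID>.
New-ADUser -Name "Kerberos $Sid" -GivenName 'Kerberos' -Surname $Sid `
    -SamAccountName $SamAccount `
    -UserPrincipalName "$SamAccount@$((Get-ADDomain).DNSRoot)" `
    -AccountPassword $Password -Enabled $true `
    -CannotChangePassword $true -PasswordNeverExpires $true `
    -ServicePrincipalNames $Spn `
    -Description "SPNEGO service user for SAP AS Java $Sid (assumed description)"

# 3. Verify the registration from AD's point of view ...
setspn -L $SamAccount

# 4. ... and from a client's point of view: request a service ticket for the SPN.
#    A ticket in the klist output proves that name resolution, the SPN and the
#    KDC agree; the SAP side (KeyTab, section 3.2) is the only remaining piece.
klist purge | Out-Null
klist get $Spn
```

If step 4 fails with a "principal unknown" error while setspn lists the SPN, the client is addressing the server by a different name than the one registered; fix the URL or the SPN, not both.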

3.2 CONFIGURE SPNEGO AUTHENTICATION FOR THE SECURE LOGIN SERVER

32. Log on to SAP NetWeaver Administrator at https://<host>:<port>/nwa.
33. Navigate to Configuration > Authentication and Single Sign-On > tab SPNEGO.
34. Click Add and select Manually to add a new KeyTab.
35. Enter the realm name of your Microsoft Active Directory domain (example CSISC01.LOCAL).
Note: Kerberos realm names are case-sensitive; for an Active Directory domain the realm is the DNS domain name in upper case.
36. Click Next.
37. Provide the Principal Name and the password of the service user created previously in the Microsoft Active Directory domain (in our example KerberosA01).
38. Click Next.
39. From the Mapping Mode drop-down list choose the value Principal@REALM and select virtual user as the Source value.
40. Click Finish.
41. Click Enable for your new Service User KeyTab.
42. Your Service User KeyTab is now activated.

Note: The KeyTab holds the service user's long-term Kerberos key, derived from the password entered in step 37. Whoever can read it can decrypt every service ticket issued for HTTP/<host> and impersonate the Secure Login Server toward its clients, so restrict access to the NetWeaver Administrator configuration and to the server file system accordingly, and regenerate the KeyTab whenever the service user's password changes. With the virtual user source, the SPNEGO login module does not require a matching user in the UME; the authenticated identity is the Kerberos principal in the form Principal@REALM.

3.3 SSL CONFIGURATION BASED ON CERTIFICATE SIGNED BY SECURE LOGIN SERVER

Step 1: Check the Host Name of the Client Authentication Profile
43. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (SLAC_ADMIN).
44. Navigate to Client Authentication Profiles.
45. Select the Client Authentication Profile Windows Authentication (SPNEGO).
46. Go to the tab Secure Login Client Settings and make sure that the host name of the Enrollment URL is the fully qualified name (example vepo13023.dhcp.wdf.sap.corp) and that the Port is correct (in our example 50001). This host name must match both the SPN from section 3.1 and the DNS name in the SSL server certificate generated below.

Step 2: Generate SSL Server Certificate
47. Navigate to the Certificate Management tab and make sure that the status of your Root CA is green.
48. Expand Root CA and select SSL Sub CA.
49. Click the Issue Entry button.
50. Provide as Entry Name the fully qualified name of the Application Server Java (for example vepo13023.dhcp.wdf.sap.corp).
51. Set this fully qualified name of the Application Server Java also as DNS Name (for example vepo13023.dhcp.wdf.sap.corp) in the Subject Alternative Names.
52. Click Next.
53. On the Subject Properties step provide the Country Name (for example DE) and as Common Name the fully qualified name of the Application Server Java (for example vepo13023.dhcp.wdf.sap.corp).
54. Click Next.
55. Click Finish to complete the certificate generation.
56. Your certificate appears under the SSL Sub CA and is of type SSL SERVER.

Step 3: Import Secure Login Server Certificate to the SSL Configuration
57. Log on again to SAP NetWeaver Administrator at https://<host>:<port>/nwa.
58. Navigate to Configuration > SSL Configuration. Click Edit.
59. Go to the Details of port xxxx (the HTTPS port, in our example 50001).
60. Click Copy Entry.
61. Select from the drop-down list of the From View the value SecureLoginServer.
62. Select from the drop-down list of the From Entry the certificate created in the SLAC under SSL Sub CA (in our example vepo13023.dhcp.wdf.sap.corp).
63. Make sure that the To Entry is the one of the selected SAP Java instance.
64. Click Import.
65. Select and delete the default identity ssl-credentials.
66. Click OK to confirm the deletion.
67. Click Save to confirm the configuration.
68. A restart is required. Click Restart Now (you can also select Restart Later if necessary, but your configuration is completed only after the restart).
69. Wait for the restart to finish; afterwards your SSL configuration is ready.

Note: From this point the HTTPS identity of the Application Server Java chains to the Secure Login Server Root CA instead of the default self-signed ssl-credentials. Browsers and the Secure Login Client will show trust warnings until that Root CA has been distributed to the clients (section 3.4, Step 2); do not work around the warnings by disabling certificate validation, because the client is about to send Kerberos tokens and receive private keys over this connection.
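The check below is an added example, not part of the SAP guide. After the restart in step 69 it opens a TLS connection to the HTTPS port and reports what the server actually presents: the issuer (expected: the Secure Login Server SSL Sub CA), whether the fully qualified host name is in the Subject Alternative Name as required by step 51, and whether the chain is trusted by the machine running the check (it will not be until section 3.4 is done). Host name and port are the guide's example values; the variable names are assumptions.

```powershell
# Added example (not from the SAP guide): inspect the SSL server certificate
# presented by the Application Server Java after section 3.3.
$Fqdn = 'vepo13023.dhcp.wdf.sap.corp'   # guide example
$Port = 50001                            # guide example

# Accept any certificate during the handshake so the connection succeeds even
# before the SLS Root CA is trusted; validation is done explicitly below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

$tcp    = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
$stream = $tcp.GetStream()
$ssl    = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
try {
    $ssl.AuthenticateAsClient($Fqdn)       # SNI/host name as the client will use it
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"               # expect the SLS SSL Sub CA, not the old ssl-credentials
"Valid   : $($cert.NotBefore) to $($cert.NotAfter)"

# SAN check (step 51): modern clients ignore the CN, the DNS name must be in the SAN.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
if ($sanText -match [regex]::Escape($Fqdn)) {
    "SAN     : OK, contains $Fqdn"
} else {
    Write-Warning "SAN does not contain $Fqdn; clients will reject this certificate. SAN is: $sanText"
}

# Chain check against this machine's trust store. Fails with 'untrusted root'
# until the SLS Root CA has been installed (section 3.4, Step 2).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($cert)) {
    "Chain   : trusted ($($chain.ChainElements.Count) certificates)"
} else {
    Write-Warning ("Chain   : " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '))
}
```

Run it once from the server itself right after the restart, and again from a client after section 3.4; the first run should report an untrusted root and the second a trusted chain, with the SAN line OK in both cases.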

3.4 SECURE LOGIN CLIENT CONFIGURATION

Step 1: Export Root CA certificate from the Secure Login Server
70. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (SLAC_ADMIN).
71. Navigate to Certificate Management. Select Root CA and click Export Entry.
72. Choose the export format X.509 Certificate. The dialog box displays the file name, type, size and the download link.
73. Click the Download button and save the file in a location of your choice (for example in a folder on your Domain Controller). Optionally rename the file so that it indicates the origin of the root CA certificate.
Note: Only the certificate (public key) is exported here. The Root CA private key never leaves the Secure Login Server.

Step 2: Installing Root CA Certificates on a Windows Client
To ensure secure communication and a trust relationship, you have to install the Secure Login Server root CA certificate on the Windows clients. There are three options for this step:

Option 1: Distribute the Secure Login Server root CA certificate via the Microsoft Domain Controller:
74. Log on as an administrator to your Domain Controller and start a command prompt in Microsoft Windows.
75. Use the following command: certutil -dspublish -f <root_ca_file> RootCA
76. You get as a result: CertUtil: -dspublish command completed successfully.
77. Restart your client. After a restart the group policies are updated, which pushes the certificate to the client. Alternatively you can run the command gpupdate /force on the client.

Note: Publishing to the RootCA store in Active Directory makes every domain-joined computer trust this CA for all purposes. Before running the command, compare the thumbprint of the exported file with the Root CA shown in SLAC > Certificate Management, and publish only the Root CA, never a sub CA or a server certificate.

As an alternative to Option 1 you can also perform one of these two types of installation:

Option 2: Distribute Secure Login Server Root CA Certificates Using Microsoft Group Policies. For more details see:
HTTP://HELP.SAP.COM/SAPHELP_NWSSO20/HELPDATA/EN/C0/EDD891A3E949CA80E00A469700652A/CONTENT.HTM?FRAMESET=/EN/33/EEA915735D4360AC698CA2F0AAA7ED/FRAMESET.HTM&CURRENT_TOC=/EN/BA/A0222BF5DA4ED3A655EAEF1E4A3B60/PLAIN.HTM&NODE_ID=36&SHOW_CHILDREN=FALSE

Option 3: Installing Root CA Certificates on a Windows Client. For more details see:
HTTP://HELP.SAP.COM/SAPHELP_NWSSO20/HELPDATA/EN/0F/7D75FBE5264371B476210C57D18657/CONTENT.HTM?FRAMESET=/EN/C0/EDD891A3E949CA80E00A469700652A/FRAMESET.HTM&CURRENT_TOC=/EN/BA/A0222BF5DA4ED3A655EAEF1E4A3B60/PLAIN.HTM&NODE_ID=34
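The script below is an added example and not part of the SAP guide. It wraps Option 1 (steps 74 to 77) in two functions: Publish-SlsRootCa, run on the domain controller, refuses anything that is not a self-signed root, prints the thumbprint to compare with SLAC and then publishes with certutil; Test-SlsRootCa, run on a domain-joined client, refreshes Group Policy and confirms that the certificate with that thumbprint has arrived in the machine's Trusted Root store. The file path and the function names are assumptions.

```powershell
# Added example (not from the SAP guide): publish the Root CA exported in step 72
# to Active Directory (step 75) and verify delivery on a client (step 77).
$RootCaFile = 'C:\Temp\SecureLoginServer-RootCA.cer'   # assumed path/name (step 73)

function Get-SlsRootCa([string]$Path) {
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # Only a self-signed certificate belongs in the RootCA store. A sub CA or the
    # SSL server certificate would make every domain computer trust the wrong key.
    if ($ca.Subject -ne $ca.Issuer) {
        throw "$Path is not self-signed; export the Root CA entry (step 71), not a sub CA."
    }
    return $ca
}

# Run on the domain controller as a domain administrator.
function Publish-SlsRootCa([string]$Path) {
    $ca = Get-SlsRootCa $Path
    # Compare with SLAC > Certificate Management > Root CA before continuing:
    # publishing is a forest-wide trust decision and hard to undo quietly.
    "Publishing : $($ca.Subject)"
    "Thumbprint : $($ca.Thumbprint)"
    "Valid until: $($ca.NotAfter)"
    certutil -dspublish -f $Path RootCA
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }
}

# Run on a domain-joined client from an elevated prompt (needs the same .cer
# file, or at least its thumbprint, to know what to look for).
function Test-SlsRootCa([string]$Path) {
    $ca = Get-SlsRootCa $Path
    gpupdate /force | Out-Null     # pulls the published certificate via Group Policy
    $installed = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
    if ($installed) {
        "Root CA present in LocalMachine\Root: $($installed.Subject)"
        return $true
    }
    Write-Warning "Root CA $($ca.Thumbprint) not in the machine store yet; wait for AD replication and policy refresh, then retry."
    return $false
}

# Usage on the domain controller:   Publish-SlsRootCa $RootCaFile
# Usage on a client after step 77:  Test-SlsRootCa $RootCaFile
```

The thumbprint comparison is the one manual step worth keeping even if you script everything else: it is the only thing standing between "the file someone placed in C:\Temp" and "the CA the whole domain trusts".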

Step 3: Set up the Policy Update Interval
If there are changes in the profiles, the Secure Login Client automatically downloads the most recent configuration after a defined time, the Policy Update Interval, configurable in minutes. The default value of the Policy Update Interval is 0. You can change it, for example to 480 minutes (8 hours); this setting forces the profile to be refreshed (downloaded) on your Secure Login Clients every 8 hours.
78. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (SLAC_ADMIN).
79. Navigate to the List of Profile Groups. Select the respective profile group and click Edit to change the details of the group.
80. Change the Policy Update Interval (minutes) value to the number of minutes you need (in our example 480).
81. Check the IP Address/Host Name field: it has to contain the correct fully qualified name of the server (in our example vepo13023.dhcp.wdf.sap.corp). Click Save.
Note: The interval is also the time it takes for a profile change (for example a withdrawn or corrected enrollment URL) to reach all clients, so choose it with that in mind rather than only for load reasons.

Step 4: Download Profile Group Policy
82. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (SLAC_ADMIN).
83. Navigate to Client Management > Profile Groups.
84. Select the Profile Group that you want to distribute to the Secure Login Clients. Click Download Policy.
85. Download the Registry File with the Policy URL, which points to the resource file that includes the latest configuration of all client authentication profiles in the group (in our example ProfileDownloadPolicy_SecureLogindefaultgroup.reg). Save the file in a location of your choice on the client machine.

Step 5: Import Profile Group Policy on the client machine
86. Make sure that the registry file downloaded in the previous step is available on the client machine where the Secure Login Client is installed.
87. Double-click the registry file.
88. Click Yes to the message to confirm the change on the computer.
89. Click Yes to confirm again and add the policy to the registry.
90. Click OK to the confirmation message informing you that the *.reg file has been successfully imported into the registry.
Note: Alternatively, a company-wide group policy can be used to deploy the profile groups. Whoever can write this registry value controls where the client fetches its authentication profiles from, so the .reg file should be deployed through a managed channel (Group Policy) rather than mailed to users, and the policy URL it contains must be HTTPS and use the host name whose certificate was configured in section 3.3.

Step 6: Restart the Secure Login Service
91. On the client machine navigate to Computer Management > Services and Applications > Services.
92. Search for Secure Login Service. Double-click the service to display the service properties.
93. Click Stop to stop the service.
94. Wait for Windows to stop the service.
95. Click Start to start the service again.

96. Wait for Windows to start the service.
97. When you now open the Secure Login Client, it holds the certificate issued by the Secure Login Server: the client obtained a Kerberos service ticket for HTTP/<host> from the domain controller, presented it in a SPNEGO token to the enrollment URL over HTTPS, and received the short-lived X.509 client certificate from the User CA without a password prompt.
Note: Alternatively a machine restart may be needed to load the profile group.
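The following script is an added example and not part of the SAP guide. It performs Steps 5 and 6 (steps 86 to 96) from an elevated PowerShell prompt on the client, with two checks the GUI does not give you: it reads the policy URL out of the .reg file before importing it, and after the service restart it waits for a certificate that chains to the Secure Login Server Root CA to appear in the user's personal store, which is the observable result of step 97. The .reg file name is the guide's example; the other paths, the service display name (taken from step 92; adjust it if your installation lists a different name) and the variable names are assumptions.

```powershell
# Added example (not from the SAP guide): import the profile group policy,
# restart the Secure Login Client service and confirm SPNEGO enrollment worked.
$PolicyFile  = 'C:\Temp\ProfileDownloadPolicy_SecureLogindefaultgroup.reg' # guide example name
$ServiceName = 'Secure Login Service'                 # display name as in step 92 (assumed)
$SlsRootCa   = 'C:\Temp\SecureLoginServer-RootCA.cer' # exported in step 72 (assumed path)

# Step 5: look at what the .reg file will write before trusting the import dialogs.
# An http:// policy URL would let anyone on the path hand the client arbitrary
# profiles, including a different enrollment URL.
$policyText = Get-Content -Path $PolicyFile -Raw
$urls = [regex]::Matches($policyText, 'https?://[^"\\\r\n]+') | ForEach-Object { $_.Value }
"Policy URL(s) in file: $($urls -join ', ')"
if ($urls | Where-Object { $_ -notlike 'https://*' }) {
    throw 'Policy URL is not HTTPS; fix the profile group (section 3.4, Step 3) before importing.'
}
reg import $PolicyFile
if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }

# Step 6: restart the service so the client reloads the policy (steps 93-96).
$svc = Get-Service -DisplayName $ServiceName -ErrorAction Stop
Restart-Service -InputObject $svc -Force
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
"Service '$ServiceName' is $($svc.Status)"

# Step 97: after SPNEGO enrollment a certificate issued under the SLS Root CA
# should be in the user's personal store. We identify it by building its chain
# and comparing the chain's root thumbprint with the exported Root CA.
$root     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SlsRootCa)
$deadline = (Get-Date).AddSeconds(60)
do {
    $issued = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($_)
        $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $last.Thumbprint -eq $root.Thumbprint
    }
    if (-not $issued) { Start-Sleep -Seconds 5 }
} until ($issued -or (Get-Date) -gt $deadline)

if ($issued) {
    $issued | ForEach-Object {
        "Enrolled: $($_.Subject) issued by $($_.Issuer), valid until $($_.NotAfter)"
    }
} else {
    Write-Warning 'No certificate chaining to the SLS Root CA found. Check, in this order: klist (is there a ticket for HTTP/<host>?), the KeyTab in NWA (section 3.2), and the SAN/issuer of the SSL certificate (section 3.3).'
}
```

The "valid until" value shown is the lifetime of the short-lived certificate; if it is far longer than your policy intends, the User Certificate Configuration from the Secure Login Server initialization is the place to correct it, not the client.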

Copyright 2015 SAP SE or an SAP SE affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE and its affiliated companies (SAP SE Group) for informational purposes only, without representation or warranty of any kind, and SAP SE Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP SE and other SAP SE products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.