NW SSO system with client-backend encryption and SSO
Make sure that sapcrypto.dll and relevant profile parameters exist.
|
Installing the SAP Cryptographic Library on the SAP Web AS
|
Download secure login library and client
- https://service.sap.com/swdc Support Packages and Patches → SAP NetWeaver and complementary products → SAP NW SINGLE SIGN ON → SAP NW SINGLE SIGN ON 1.0 → Comprised Software Component Versions:
SECURE LOGIN LIBRARY 1.0
SECURE LOGIN CLIENT 64BIT 1.0
SECURE LOGIN CLIENT 32BIT 1.0
|
 |
Extract SLLIBRARY04_5-10010553.SAR
to a temporary folder.
|
 |
Extract SECURELOGINLIB.SAR to folder SLL in the application server instance directory
<Drive>\usr\sap\<SID>\<Instance>\SLL
|
 |
Test secure login library.
From a command prompt in the SLL directory, run
- snc.exe
|
 |
Maintain instance profile parameters.
SNC is not enabled at this stage.
The SPN of the service user for the Kerberos logon procedure is determined by the parameter
snc/identity/as
|
snc/force_login_screen = 0
snc/permit_insecure_start = 1
snc/data_protection/use = 3
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/r3int_rfc_qop = 8
snc/r3int_rfc_secure = 0
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/enable = 0
snc/identity/as = p:CN=SAPService<SID>
snc/gssapi_lib = C:\usr\sap\<SID>\D30\SLL\secgss.dll
|
Create pse.zip
- Set SECUDIR parameter to sec directory
- Create pse.zip with password
|
Restart the application server
|
 |
Transaction STRUST
Verify that system PSE is active
|
 |
Transaction STRUST
Create SNC SAPCryptolib PSE
|
Create key tab in pse.zip for Active Directory service user
|
 |
Add SPN for Active Directory User.
The prefix is “SAP/” (without quotes)
The suffix is the same as the parameter snc/identity/as = p:CN=SAPService<SID>
|
 |
Install Secure Login Client.
Choose the 64-bit or 32-bit installer to match the client PC,
then reboot the workstation.
|
Maintain workstation registry settings
Under:
[HKEY_CURRENT_USER\Software\SAP\SecureLogin]
"TokenType"="Kerberos"
|
 |
If you want to hide the client’s tray icon:
|
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\Common]
"HideTrayIcon"=dword:00000001
|
Maintain the users' CN.
For mass maintenance use TCODE SNC1
To update all users, uncheck “Users without SNC names only”
Execute and don’t forget to save!
|
Enable SNC and restart the application server
|
snc/enable = 1
|
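As an added example (not part of the original guide or any SAP tool): a Python check to run against the instance profile once snc/enable = 1 is set. It lists the relaxed values from the profile step that still admit unprotected connections and derives the SPN from snc/identity/as using the "SAP/" prefix rule above. The sample profile is constructed from this page's values, with DEV assumed for <SID>.

```python
import re

# Constructed sample: this page's profile values after the final snc/enable = 1
# step. DEV is an assumed stand-in for <SID>.
SAMPLE_PROFILE = r"""
snc/permit_insecure_start = 1
snc/data_protection/min = 2
snc/r3int_rfc_secure = 0
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/enable = 1
snc/identity/as = p:CN=SAPServiceDEV
"""

def parse_profile(text):
    """Return {parameter: value}; '#' starts a comment, later lines win."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def audit_snc(params):
    """List settings that still admit unprotected or unencrypted traffic."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable: SNC is not active")
    for key in sorted(k for k in params if k.startswith("snc/accept_insecure_")):
        if params[key] != "0":
            findings.append(f"{key} = {params[key]}: connections without SNC are accepted")
    if params.get("snc/permit_insecure_start") == "1":
        findings.append("snc/permit_insecure_start = 1: programs may be started without SNC")
    if params.get("snc/r3int_rfc_secure") == "0":
        findings.append("snc/r3int_rfc_secure = 0: internal RFCs are not SNC-protected")
    level = params.get("snc/data_protection/min")
    if level is not None and level.isdigit() and int(level) < 3:
        findings.append(f"snc/data_protection/min = {level}: levels below 3 (encryption) are accepted")
    return findings

def expected_spn(params):
    """Page rule: SPN = 'SAP/' + CN of snc/identity/as (single-CN names only)."""
    match = re.fullmatch(r"p:CN=([^,]+)", params.get("snc/identity/as", ""))
    return "SAP/" + match.group(1) if match else None

if __name__ == "__main__":
    print(*audit_snc(parse_profile(SAMPLE_PROFILE)), sep="\n")
```

An empty result from `audit_snc` means none of the transitional settings remain; compare the value from `expected_spn` with the SPN registered on the Active Directory service user.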
Using self-signed certificates with secure login client may require SAP Note 1687748 – SNC error “A2200210” when using prototype certificates
|

Verify with snc.exe

|
Requesting a CA certificate: after completing the process above, create a certificate request
|
 |
Copy all the text, including
-----BEGIN CERTIFICATE REQUEST-----
and
-----END CERTIFICATE REQUEST-----
|
 |
Send the request to CA server (in this example, SAP test CA) and choose the certificate type
|
 |
Import the CA server response
|