NW SSO system with client-backend encryption and SSO

Make sure that sapcrypto.dll and relevant profile parameters exist.

Installing the SAP Cryptographic Library on the SAP Web AS

Download secure login library and client

  1. https://service.sap.com/swdc Support Packages and Patches → SAP NetWeaver and complementary products → SAP NW SINGLE SIGN ON → SAP NW SINGLE SIGN ON 1.0 → Comprised Software Component Versions:

SECURE LOGIN LIBRARY 1.0

SECURE LOGIN CLIENT 64BIT 1.0

SECURE LOGIN CLIENT 32BIT 1.0

Extract SLLIBRARY04_5-10010553.SAR to a temporary folder.

Extract SECURELOGINLIB.SAR to folder SLL in the application server instance directory

<Drive>\usr\sap\<SID>\<Instance>\SLL

Test secure login library.

From command prompt in SLL directory run

  1. snc.exe

Maintain instance profile parameters.

SNC is not enabled at this stage.

The SPN of the service user for the Kerberos logon procedure is determined by the parameter

snc/identity/as

snc/force_login_screen = 0

snc/permit_insecure_start = 1

snc/data_protection/use = 3

snc/data_protection/max = 3

snc/data_protection/min = 2

snc/r3int_rfc_qop = 8

snc/r3int_rfc_secure = 0

snc/accept_insecure_r3int_rfc = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/accept_insecure_cpic = 1

snc/enable = 0

snc/identity/as = p:CN=SAPService<SID>

snc/gssapi_lib = C:\usr\sap\<SID>\D30\SLL\secgss.dll
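
With the values above, every snc/accept_insecure_* switch stays on, so after snc/enable is set to 1 the server still accepts connections without SNC. The following is an added example, not part of the original post: it reads an instance profile and lists those settings. The parameter meanings in its comments are the standard SNC ones (an assumption, not stated on this page), and the sample profile is constructed from the values listed above.

```python
# QoP levels used by snc/data_protection/* (standard SNC meaning, assumed).
QOP = {"1": "authentication only", "2": "integrity", "3": "privacy (encryption)"}

# Constructed sample: the parameter values listed above, with snc/enable
# switched to 1 as in the final step of this procedure.
SAMPLE_PROFILE = """\
snc/enable = 1
snc/permit_insecure_start = 1
snc/data_protection/use = 3
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/r3int_rfc_secure = 0
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
"""

def parse_profile(text):
    """Return {parameter: value}; skips blank lines and '#' comments."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and not name.lstrip().startswith("#"):
            params[name.strip()] = value.strip()
    return params

def review_snc(params):
    """List settings that still allow traffic without full SNC protection."""
    findings = []
    if params.get("snc/enable") != "1":
        return ["snc/enable is not 1: SNC is off, no connection is protected"]
    for name, value in sorted(params.items()):
        if name.startswith("snc/accept_insecure_") and value != "0":
            findings.append(f"{name} = {value}: non-SNC connections can be accepted")
    if params.get("snc/permit_insecure_start") == "1":
        findings.append("snc/permit_insecure_start = 1: programs may start without SNC")
    if params.get("snc/r3int_rfc_secure") == "0":
        findings.append("snc/r3int_rfc_secure = 0: internal RFC not SNC-protected")
    low = params.get("snc/data_protection/min", "")
    if low in ("1", "2"):
        findings.append(f"snc/data_protection/min = {low}: {QOP[low]} allowed, no encryption")
    return findings

if __name__ == "__main__":
    for finding in review_snc(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```

An empty result means the profile accepts only SNC-protected connections at the privacy level.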

 
 

Create pse.zip

  1. Set SECUDIR parameter to sec directory
  2. Create pse.zip with password

Restart the application server

Transaction STRUST

Verify that system PSE is active

 
 

Transaction STRUST

Create SNC SAPCryptolib PSE

Create key tab in pse.zip for Active Directory service user

Add SPN for Active Directory User.

The prefix is “SAP/” (without quotes)

The suffix is the same as the parameter snc/identity/as = p:CN=SAPService<SID>

Install Secure Login Client.

Choose the x64 or x32 bit version depending on the client PC, then reboot the workstation.

Maintain workstation registry settings

Under:

[HKEY_CURRENT_USER\Software\SAP\SecureLogin]

"TokenType"="Kerberos"

If you want to hide the client’s tray icon:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\Common]

"HideTrayIcon"=dword:00000001

Maintain the users’ CN.

For mass maintenance use TCODE SNC1

To update all users, uncheck “Users without SNC names only”

Execute and don’t forget to save!

Enable SNC and restart the application server

snc/enable = 1

 
 

Using self-signed certificates with secure login client may require SAP Note 1687748 – SNC error “A2200210” when using prototype certificates

Verify with snc.exe

Requesting a CA certificate: after completing the process, create a certificate request.

Copy all the text, including

-----BEGIN CERTIFICATE REQUEST-----

and

-----END CERTIFICATE REQUEST-----

Send the request to the CA server (in this example, SAP test CA) and choose the certificate type

Import the CA server response

 
 
