NW SSO system with Client- backend encryption and SSO
|
Make sure that sapcrypto.dll and relevant profile parameters exist. |
|
|
Download secure login library and client
SECURE LOGIN LIBRARY 1.0 SECURE LOGIN CLIENT 64BIT 1.0 SECURE LOGIN CLIENT 32BIT 1.0 |
 |
|
Extract SLLIBRARY04_5-10010553.SAR to a temporary folder. |
 |
|
Extract SECURELOGINLIB.SAR to folder SLL in the application server instance directory <Drive>\usr\sap\<SID>\<Instance>\SLL |
 |
|
Test secure login library. From command prompt in SLL directory run
|
 |
|
Maintain instance profile parameters. Snc at this time is not enabled. SPN of service user for Kerberos logon procedure is determined by the parameter snc/ identity/as |
snc/force_login_screen = 0 snc/permit_insecure_start = 1 snc/data_protection/use = 3 snc/data_protection/max = 3 snc/data_protection/min = 2 snc/r3int_rfc_qop = 8 snc/r3int_rfc_secure = 0 snc/accept_insecure_r3int_rfc = 1 snc/accept_insecure_gui = 1 snc/accept_insecure_rfc = 1 snc/accept_insecure_cpic = 1 snc/enable = 0 snc/identity/as = p:CN=SAPService<SID> snc/gssapi_lib = C:\usr\sap\<SID>\D30\SLL\secgss.dll |
|
Create pse.zip
|
|
|
Restart the application server |
 |
|
Transaction STRUST Verify that system PSE is active |
 |
|
Transaction STRUST Create SNC SAPCryptolib PSE |
|
|
Create key tab in pse.zip for Active Directory service user |
 |
|
Add SPN for Active Directory User. The prefix is “SAP/” (without quotes) The suffix is the same as the parameter snc/identity/as = p:CN=SAPService<SID> |
 |
|
Install Secure Login Client. x64/x32 bit depends on the client PC and reboot the workstation |
|
|
Maintain workstation registry settings Under: [HKEY_CURRENT_USER\Software\SAP\SecureLogin[ “TokenType“=”Kerberos |
 |
|
If you want to hide the client’s tray icon: |
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\Common[ “HideTrayIcon”=dword:00000001 |
|
Maintain users CN. For mass maintenance use TCODE SNC1 To update all users, uncheck “Users without SNC names only” Execute and don’t forget to save! |
|
|
Enable snc and restart the application server |
snc/enable = 1 |
|
Using self-signed certificates with secure login client may require SAP Note 1687748 – SNC error “A2200210” when using prototype certificates |
Verify with snc.exe
|
|
Requesting CA certificate. After completing the process, create a certificate request |
 |
|
Copy all the text including —–BEGIN CERTIFICATE REQUEST—– And —–END CERTIFICATE REQUEST—– |
 |
|
Send the request to CA server (in this example, SAP test CA) and choose the certificate type |
 |
|
Import the CA server response |
|
