SAP will introduce solution for Secure Login Client for Mac OS as of SAP NW SSO 2.0 SP3.

This document will show you the step by step instructions to install and implement it.

System requirement for SLC for Mac OS is

OS X 10.7 or higher

SAP GUI for Java 7.20 or higher

Login to Mac OS using AD credentials

Note:   For Secure Login Client for Windows see URL below:

http://scn.sap.com/docs/DOC-40178

Most of the steps in this document have counterpart in document DOC-40178.

The steps below are performed in the following test environment:

Company Name: ABC

SAP ABAP System (SBX) (DVEBMGS02)

ERP 6.0 EHP5 (702 SP12)

Solaris SPARC 10.0 64bit Unicode

SAP Kernel 720 Unicode 64bit Patch 401

Host Name: sandbox

FQDN: sandbox.abc.com

SAP Login ID: JDOE

Active Directory Server (SC)

Windows 2008 R2

Domain Name: ABC.COM

AD Login ID: JOHN_DOE

Mac Client OS

OS 10.8.5

Client Login: JOHN_DOE

A- Install & Configure Secure Login Library

A.1- Create Service User for SAP AS ABAP in MS-ADS

Login to MS-Ads as administrator

Create a new user with complex password and options (“User Cannot change password” and “Password never expire”)

User ID Naming convention: SL-ABAP-<SID> (i.e. SL-ABAP-SBX)


/wp-content/uploads/2014/05/ldap_1_407166.jpg     /wp-content/uploads/2014/05/ldap_2_407167.jpg

A.2- Define SPNs for this user (one for SNC and one for SPNEGO)

          For SNC à SAP/SL-ABAP-SBX

          For SPNEGO à HTTP/sandbox.abc.com SL-ABAP-SBX

C:\Windows\system32> setspn –a HTTP/sandbox.abc.com SL-ABAP-SBX

C:\Windows\system32> setspn –a SAP/SL-ABAP-SBX SL-ABAP-SBX

Verify entries.

C:\Windows\system32> setspn –L SL-ABPA-SBX

Note:         HTTP is required for ABAP Access via web.

It is not required if your ABAP system does not comply with

note 1798979 or you do not want Web access to ABAP system.

SAP Note 1798979 – SPNego ABAP: Downport


/wp-content/uploads/2014/05/ldap_3_407168.jpg

B – Download NW SSO2.0 software from SAP Marketplace

       (You need a valid license)

      Login to SMP with your ‘S’ ID and download NW SSO2.0 software from location as shown below.    

/wp-content/uploads/2014/05/smp_1_407170.jpg

/wp-content/uploads/2014/05/smp_2_407177.jpg

C- Copy Secure Login Library files to SAP AS ABAP System (sandbox)

C.1- Login to your ABAP server (sandbox) as sbxadm account.

C.2- Go to DIR_INSTANCE and create a directory called SLL.

sandbox:sbxadm 67% cd /usr/sap/SBX/DVEBMGS02

sandbox:sbxadm 68% mkdir SLL

C.3- Extract SLLIBRARY00_1.SAR under the following path

<Path to 51045122 CD > 

        DATA_UNITS

SECURE_LOGIN_LIBRARY_20

SOLARIS_SPARC64

sandbox:sbxadm 69% SAPCAR –xvf SLLIBRARY00_1.SAR

Go to extracted directory sunos-5.10-sparc-64 and extract SECURELOGINLIB.SAR into SLL directory

sandbox:sbxadm 70% SAPCAR –xvf SECURELOGINLIB.SAR –R /usr/sap/SBX/DVEBMGS02/SLL  (all in one line)

C.4- Verify the Secure Login Library status using the command sapgenpse

sandbox:sbxadm 71% cd /usr/sap/SBX/DVEBMGS02/SLL

sandbox:sbxadm 72% pwd

sandbox:sbxadm 73% ./sapgenpse

/wp-content/uploads/2014/05/term_1_407178.jpg

C.5- Download SECURE LOGIN LIBRARY 2.0 64BIT SP002 Patch level 3 and install it.

C.6- Extract SLLIBRARY02_3-10012577.SAR

sandbox:sbxadm 69% SAPCAR –xvf SLLIBRARY02_3-10012577.SAR

Go to extracted directory sunos-5.10-sparc-64 and extract SECURELOGINLIB.SAR into SLL directory

sandbox:sbxadm 70% SAPCAR –xvf SECURELOGINLIB.SAR –R /usr/sap/SBX/DVEBMGS02/SLL  (all in one line)

C.7- Verify the Secure Login Library status using the command sapgenpse

sandbox:sbxadm 71% cd /usr/sap/SBX/DVEBMGS02/SLL

sandbox:sbxadm 72% pwd

sandbox:sbxadm 73% ./sapgenpse

/wp-content/uploads/2014/05/term_2_407179.jpg

D- Define SAP instance profile parameters

D.1- Add all parameters as below into SBX instance profile

/wp-content/uploads/2014/05/term_3_407183.jpg

E- Create Kerberos KeyTab for SNC (SAP GUI à SAP AS ABAP)

E.1- Check for environment variable SECUDIR is set for <SID>adm user (sbxadm)

        If not, set it as below

sandbox:sbxadm 130% setenv SECUDIR /usr/sap/SBX/DVEBMGS02/sec

E.2- Create PSE file with KeyTab included

Go to /usr/sap/SBX/DVEBMGS02/SLL directory. Run the following command.

sandbox:sbxadm 131% cd /usr/sap/SBX/DVEBMGS02/SLL

sandbox:sbxadm 132% pwd

sandbox:sbxadm 133% ./sapgenpse keytab –p SAPSNCSKERB.pse –a SL-ABAP-SBX@ABC.COM  (all in one line)

First you should give a password for this PSE file. Then password for SL-ABAP-SBX user, which you have created in Active Directory earlier.

/wp-content/uploads/2014/05/term_4_407184.jpg

E.3- Create Credential file (cred_v2)

sandbox:sbxadm 135% pwd    

sandbox:sbxadm 136% ./sapgenpse seclogin -p SAPSNCSKERB.pse -O sbxadm

/wp-content/uploads/2014/05/term_5_407185.jpg

E.4- Verify Entries in credential file using the command

sandbox:sbxadm 138% pwd

sandbox:sbxadm 139% sapgenpse seclogin -l

/wp-content/uploads/2014/05/term_6_407189.jpg

Note:   See SAP Note 1798979 for SPNEGO usage on SAP required versions,

            otherwise skip step F and continue with step G.

SAP Note 1798979 – SPNego ABAP: Downport

  

F- Create Kerberos keyTab for SPNEGO (Web GUI à SAP AS ABAP)

F.1- Login to ABAP system and run new transaction code SPNEGO

/wp-content/uploads/2014/05/sap_1_407190.jpg

Go to change mode

/wp-content/uploads/2014/05/sap_2_407191.jpg

Click on Add icon

/wp-content/uploads/2014/05/sap_3_407192.jpg

Create Kerberos keyTab using User Principal Name SL-ABA-SBX@ABC.COM

/wp-content/uploads/2014/05/sap_4_407193.jpg

Click on checkmark and Save

G- Restart SAP AS ABAP system for all these changes to take affect.


H- Client Installation and User Mapping


     Note: This step has to be repeated in all clients.

     Note: Your system has to bind to your Active Directory Domain.

          You can check it under “System Preferences” –> “Usrs & Groups”

          /wp-content/uploads/2014/05/mac_1_407198.jpg

You should login to your Mac system using your Active directory credentials

If you login to your system using a local account, please follow the steps in the following document from Apple to switch from a local user to a network user.

http://support.apple.com/kb/ht5338

Your system admin can help you on these settings.

H.1-     Download Secure Login Client from SMP (SecureLoginClient.pkg)

            Note: Available for General Access on May 12, 2014.

H.2-     Install it by double clicking the package

/wp-content/uploads/2014/05/mac_2_407200.jpg     /wp-content/uploads/2014/05/mac_3_407201.jpg


/wp-content/uploads/2014/05/mac_4_407202.jpg     /wp-content/uploads/2014/05/mac_5_407203.jpg


Verify installation

/wp-content/uploads/2014/05/mac_6_407204.jpg     /wp-content/uploads/2014/05/mac_7_407205.jpg

H.3-     Close SAP GUI and open it again for changes to take effect.

Note: Restart your Mac and login with AD credentials if it doesn’t work.

H.4-     Enable SNC in SAP GUI Application

/wp-content/uploads/2014/05/sap_5_407206.jpg

Highlight SBX and click on change icon

SBX setting before SNC enabled:


/wp-content/uploads/2014/05/sap_6_407207.jpg



SBX setting after SNC enabled:

/wp-content/uploads/2014/05/sap_7_407209.jpg

Now try it. Click on SBX icon in your SAP GUI for Java

/wp-content/uploads/2014/05/sap_8_407215.jpg


H.5-  Configure User Mapping for AS ABAP

         Login with your credentials to SBX system

         Go to transaction SU01 and modify SAP user JDOE

         Change to SNC tab.

/wp-content/uploads/2014/05/sap_9_407219.jpg

Save your changes.

Note:   Step H.5 should be repeated for all users.

If your AD and SAP user IDs are in sync, you can use transaction SNC1 to populate SNC data for all of your users.

Example:

/wp-content/uploads/2014/05/sap_10_407220.jpg

     Otherwise, you should do it manually or use SCAT to create script for it.

     Your developers can also help to create a custom report using report RSUSR300 as a template.

I- Now try it again.

/wp-content/uploads/2014/05/sap_11_407221.jpg


Done.


To report this post you need to login first.

21 Comments

You must be Logged on to comment or reply to a post.

  1. Ray Vand Post author

    Hi Carsten,

    I saw your video. Do you have steps for setting it up with X.509 certificate? I am having issue with that. Do you have steps which you can share?

    Thanks,

    Ray

    (0) 
  2. Ray Vand Post author

    Alexander, thank you for you reply.

    I want to configure it without binding to LDAP. I have verified it with that it is doable and supported. But there is no documentation for this scenario. I have to create a user certificate and import it into Keychain. Then SecureLogin Client for Mac and use this certificate for SSO.

    I don’t know how to set it up without LDAP binding.

    Regards,

    Ray

    (0) 
    1. Alexander Gimbel

      Hi Ray,

      I do not fully understand what you mean with “LDAP binding”. Do you mean the membership to a Active Directory Domain (Kerberos)?

      In 2.0 SP03 the Secure Login Client for Mac does not have Secure Login Server Profile support.
      So it can only use a X.509 certificate which already exists in the Keychain.

      best regards

      Alex

      (0) 
  3. Ray Vand Post author

    Hi Alex,

    I know that 2.0 SP03 Secure CLient for Mac does not support SLS profile.

    We login to our mac using our local ID. My X.509 certificate list is empty in my Keychain.

    I want to know how I can get a certificate from our AD and import it to Keychain. Our AD admin does not know any thing about it.

    We don’t have and PKI infrastructure in place if that is something must to have.

    Regards,

    Ray

    (0) 
    1. Carsten Olt

      Hi Ray,

      it is as simple as for Windows. What you require is a PKCS#12 container (.p12 or .pfx file) which contains your user certificate incl. the CA chain, this you will need from your Windows PKI. To setup ADCS (certificate services) isn’t a big thing.. If no one can provide you support with this, you are able to test X.509 SSO also with your certificate from SAP Service Marketplace. You can import this on the MAC and the SAP Passport CA on the Mac too as well as on the SAP backend (SNC trusted certificates). 

      On the MAC all you need to do is to double click a certificate and install it to the keychain. You will find it at My Certificates. You open the certs and select “always trust”. You need to make sure your backend works and is configured properly for X.509 SSO first, test it on a windows client PC. Good luck

      Carsten

      (0) 
    2. Alexander Gimbel

      Hi Ray,

      I do not know how to push/request certificates into the Mac OSX keychain automatically via Active Directory/Microsoft Domain Server.
      I found something on the Apple documentation side for “request a certificate from a Microsoft Certificate Authority using DCE/RPC…”, but I do not know if this is helping you.
      Please check the Apple Support/Documentation if there are options to enroll certificates from a Microsoft Domain like the Group Policy features on Microsoft client.
      It would be nice if something is available.

      best regards

      Alexander Gimbel

      (0) 
    1. Lutz Rottmann

      Hi Igor, it would be most interesting if you told us what is wrong. Most probably this is only a copy/paste problem. Check the minuses in notepad.

      Regards,

      Lutz

      (0) 
      1. Igor Kostylev

        Hi Lutz, I don’t know why, but in my case it didn’t work without DOMAIN\

        SETSPN -A HTTP/my-solman.domain.local  DOMAIN\SL-ABAP-SM1 (it works)

        and SETSPN -a SAP/ did’t work in any case 🙁

        (0) 
          1. Igor Kostylev

            I’m facing with the problem

            ./sapgenpse keytab –p SAPSNCSKERB.pse –a SL-ABAP-SM1@DOMAIN.LOCAL


            Please enter PIN: ********

            Please reenter PIN: ********

            keytab: No keyTab content stored.


            I have only SAPGENPSE 2.0 Patch 1 (Mar 21 2013). Should I search for SECURE LOGIN LIBRARY 2.0 64BIT SP002 Patch level 3?

            (0) 
            1. Lutz Rottmann

              Hi Igor, today you should use the most current CommonCryptolib (CCL). Do NOT use SLL anymore (as long as CCL is supported for your system).

              (0) 
                  1. Igor Kostylev

                    Lutz, I updated the CommonCryptolib, but faced with the same problem on step E.2:


                    Please enter PIN: ********

                    Please reenter PIN: ********

                    keytab: No keyTab content stored.


                    Help me please 🙂


                    (0) 
                    1. Lutz Rottmann

                      Hi Igor, I think we should move to a separate discussion thread. Last answers here:

                      Do you really do this with <SID>adm user? Did you check SECUDIR variable?

                      To avoid problems with environment variables pointing to wrong libraries or security environments I always use absolute paths both for sapgenpse and for SAPSNCSKERB.pse.

                      So my example for the (windows) command line looks like this:

                      <DIR_EXECUTABLE>\sapgenpse keytab -p <DIR_INSTANCE>\sec\SAPSNCSKERB.pse -k “AES256 AES128” -a abc@XYZ.COM

                      (we decided to retire RC4 and therefore always activate both AES flags on windows account level and only generate AES keys.)

                      In the past there were problems with strange local language characters in the domain account’s password producing strange error messages like your’s. Since then we only use ASCII characters for passwords.

                      More questions: open a discussion thread please.

                      Regards,

                      Lutz

                      (0) 

Leave a Reply