SAP Secure Login Server – your own CA on Hand …
Last Changed: 16th of November 2020
Motivation and Overview
After some time, I thought it was time to update the document “SAP First Guidance – Implement SAP BW/4HANA in the Azure Cloud”, especially the topics for SAP Analytics Cloud and the SAP Analytics Cloud Connector, which is necessary to overcome the firewall issues.
While I was configuring the SAP Cloud Connector (again on the Azure hyperscaler), there was a task, “Configure a CA Certificate for Principal Propagation”, where I came across an interesting side note:
So: what is the (SAP) Secure Login Server (3.0) and what can it do for me?
I have been working with the Azure hyperscaler for several years, and my biggest challenge was always to get a CA response for the server with the DNS *.azure.com. For SAP systems that belong to the *.sap.corp DNS, we can create our own CA.
So I was trying to find a “transparent solution” for this annoying issue. “Self-signed” certificates are not an option for me at all, and that is the only suggestion you will get from SAP in many, many SAP Help documents.
In the end, I always ended up with a community colleague, Gregor Wolf (GitHub, Paasport – Gregor Wolf), who is one of the “real SAP Mentors” outside SAP. He let his mojo play on the systems and created the CA response based on Let’s Encrypt (honestly, I never got the whole story so far … ;-))
See also the blog by Gregor Wolf – Use a Let’s Encrypt certificate for SAP HANA or SAP NetWeaver AS ABAP
source – let’s encrypt
Here we can see what the SAP Secure Server can do for me: an out-of-the-box PKI login server and PKI integration.
source – SAP Help
SAP Help – SAP Cloud Platform Connectivity – Recommendations for Secure Setup
Implementation of the Secure Login Server 3.0
Although the SAP Help says to use SWPM for the installation, you can also use SUM to apply the necessary *.SCA files to a new or existing SAP 7.50 Java Application Server.
SAP Help – Installation and Installation File Names
Components of the “SAP Secure Server”
Don’t be too astonished about the latest updates of the files. It seems that especially here you can see where SAP has shifted its investments: everything goes cloud.
necessary SCA components in addition
SAP NetWeaver Administrator – list of the components
- pick only the SECURE_LOGON_SERVER, SSOAUTHLIB and SSPEXTLIB SCAs, so that the SUM process does not fail because of already applied versions
- always finish a SUM update process properly, otherwise “reverting the system” might get complicated (no restore necessary)
- apply SAP JVM and UDDI patches first if needed
- add the role SLAC_SUPERADMIN to your user
Note 2373829 – Deployment error : Deployment of archive xxx for component xxx is rejected because it is already deployed
Note 2444424 – Release Note SAP Single Sign-On 3.0 SP02
Note 2569954 – “Some SSO inconsistencies have been found” message in Trusted Systems configuration
Note 2730532 – SAP SSO Fixes for Secure Login Server 3.0 SP 02 Patch 10
Note 2780347 – Update the JAVA patches during updating system
Note 2845709 – Error during Solution Manager Upgrade 7.1 -> 7.2 SPS09
Note 2856691 – SAP Single Sign-On SCAs were unsigned
Note 2951691 – Upgrade of SAPJVM to SAP JVM(8.1.064) fails / Installation of “Application Server Java” based on SAP JVM(8.1.064) fails
Note 2953651 – Deployment of UDDI component fails during SUM upgrade – SOLMAN – AS JAVA
using the SAP Secure Server Interface
Open the SAP Secure Server URL as follows:
https://server.domain.ext:5<nr>01/slac
Components: BC-IAM-SSO-SL, BC-IAM-SL
additional configuration in NWA – 1
additional configuration in NWA – 2
SAP Secure Server – create CA response
SAP Help – Digital Signing with Secure Store and Forward (SSF)
SAP Community – SAP Single Sign-On – Enterprise Security Overview
SAP Wiki – ABAP Security and Identity Management at SAP
Roland Kramer, SAP Platform Architect for Analytics SAP SE
@RolandKramer
“I have no special talent, I am only passionately curious.”