Skip to Content
Technical Articles

SAP Secure Login Server – your own CA on Hand …

Last Changed: 16th of November 2020

Motivation and Overview

After some time, I thought it is time to update the Document – SAP First Guidance – Implement SAP BW/4HANA in the Azure Cloud especially the topics for SAP Analytics Cloud and the SAP Analytic Cloud Connector which is necessary to overcome the Firewall Issues.

While I was configuring the SAP Cloud Connector (again on Azure Hyperscaler) there is a task – Configure a CA Certificate for Principal Propagation which I came to a interesting Side Note:

So: what is the (SAP) Secure Login Server (3.0) and what can it do for me?

Since I’m working since several Years with Azure Hyperscaler, my biggest Challenge was always to get a CA response for the server with the DNS *.azure.com. For SAP System which belongs to the *.sap.corp DNS we can create an own CA for these systems.

So I was trying to find a “transparent Solution” for this annoying issue and “Self-Signed” Certificates is not an Option for me at all, and that is the only suggestion you will get from SAP on many, many SAP Help Documentation.

In the End, I always ended by a Community Colleague Gregor Wolf (GitHub, Paasport – Gregor Wolf) who is one of the “real SAP Mentors” outside SAP. He let his mojo play on the systems and created the CA response based on let’s encrypt (honestly I never got the whole story so far … ;-))

See also Gregor Wolf Blog – Use a Let’s Encrypt certificate for SAP HANA or SAP NetWeaver AS ABAP

source%20-%20lets%20encrypt

source – let’s encrypt

Here we can see, what the SAP Secure Server can do for me – Out-of-the-Box PKI Login Server and PKI Integration.

source%20-%20SAP%20Help

source – SAP Help

SAP Help – SAP Cloud Platform Connectivity – Recommendations for Secure Setup


Implementation of the Secure Login Server 3.0

Nevertheless the SAP Help says using SWPM to install, you can also use the SUM to apply the necessary *.SCA files to a new or existing SAP 7.50 Java Application Server.

SAP HelpInstallation and Installation File Names

Don’t be surprised that you will not find a lot Blogs or additional Articles in the SAP Community. It seems we find again a hidden treasure here.

Components%20of%20the%20SAP%20Secure%20Server

Components of the “SAP Secure Server”

Don’t be to astonished about the latest updates of the files. It seems especially here, you will see where SAP is shifted there invests: everything goes Cloud.

necessary%20SCA%20components%20in%20addition

necessary SCA components in addition

SAP%20NetWeaver%20Administrator%20-%20list%20of%20the%20components

SAP NetWeaver Administrator – list of the components

 

Even there are only a few SCA files has to be applied, you might pick into a wasp nest, jumping from one problem to another, so I list some SAP Notes to read before you apply the SCA files.

  • pick only SECURE_LOGON_SERVER, SSOAUTHLIB and SSPEXTLIB SCA to avoid that the SUM process fails due to the already applied versions
  • always finish a SUM update process properly, otherwise “reverting the system” might get complicated (no restore necessary)
  • apply SAP JVM and UDDI patches first if needed.
  • add the role SLAC_SUPERADMIN to your user.

Note 2373829 – Deployment error : Deployment of archive xxx for component xxx is rejected because it is already deployed
Note 2444424 – Release Note SAP Single Sign-On 3.0 SP02
Note 2569954 – “Some SSO inconsistencies have been found” message in Trusted Systems configuration
Note 2730532 – SAP SSO Fixes for Secure Login Server 3.0 SP 02 Patch 10
Note 2780347 – Update the JAVA patches during updating system
Note 2845709 – Error during Solution Manager Upgrade 7.1 -> 7.2 SPS09
Note 2856691 – SAP Single Sign-On SCAs were unsigned
Note 2951691 – Upgrade of SAPJVM to SAP JVM(8.1.064) fails / Installation of “Application Server Java” based on SAP JVM(8.1.064) fails
Note 2953651 – Deployment of UDDI component fails during SUM upgrade – SOLMAN – AS JAVA


using the SAP Secure Server Interface

start the SAP Secure Server URL as follows:

https://server.domain.ext:5<nr>01/slac

Components: BC-IAM-SSO-SL, BC-IAM-SL

additional%20configuration%20in%20NWA%20-%201

additional configuration in NWA – 1

additional%20configuration%20in%20NWA%20-%202

additional configuration in NWA – 2

Note 2810511 – 500 Internal Server Error occurs when select Certificate Management in Secure Login Administration Console

SAP%20Secure%20Server%20-%20create%20CA%20response

SAP Secure Server – create CA response


 

SAP Help – Digital Signing with Secure Store and Forward (SSF)

SAP Community – SAP Single Sign-On – Enterprise Security Overview

SAP Wiki – ABAP Security and Identity Management at SAP

 


Roland Kramer, SAP Platform Architect for Analytics SAP SE
@RolandKramer

 

 

“I have no special talent, I am only passionately curious.”

Be the first to leave a comment
You must be Logged on to comment or reply to a post.