
SECUDE Secure Login 5.1
Installation, Administration and Usage Manual

Believe in a higher level of IT security

Copyright
2010 SECUDE AG. All Rights Reserved. This SECUDE-branded software and its corresponding documentation is the exclusive property of SECUDE AG of Emmetten, Switzerland and is protected under the various copyright laws around the world and by various other intellectual property laws. Use of this software and/or its documentation and any copying thereof by end users is subject to the terms of a license agreement with SECUDE AG. The wrongful use or copying of this software and/or documentation subjects infringers to both criminal and civil liabilities. The SECUDE and FinallySecure trademarks are owned by SECUDE AG, protected internationally and used by SECUDE AG pursuant to an exclusive license. All other trademarks, service marks, and trade names referenced herein are the property of their respective owners. ANY USE, COPYING, REPRODUCTION, ALTERATION, TRANSMISSION, OR TRANSLATION OF THESE MATERIALS, IN WHOLE OR IN PART, IN ANY FORM OR BY ANY MEANS, IS STRICTLY PROHIBITED WITHOUT THE PRIOR WRITTEN PERMISSION OF SECUDE AG. IF THIS MATERIAL IS PROVIDED WITH SOFTWARE LICENSED BY SECUDE, THE INFORMATION HEREIN IS PROVIDED SUBJECT TO THE TERMS OF THE WARRANTY PROVIDED WITH THE PRODUCT LICENSE. IF THIS MATERIAL IS NOT PROVIDED WITH LICENSED SOFTWARE, THE INFORMATION HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN EITHER CASE, THERE ARE NO OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR QUALITY. IN NO EVENT SHALL SECUDE AG OR ANY OF ITS AFFILIATES BE LIABLE FOR ANY DIRECT OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE MATERIALS AND/OR INFORMATION CONTAINED HEREIN. Some jurisdictions do not allow the exclusion of implied warranties, so the above exclusion may not apply to you. 
SECUDE AG takes reasonable measures to ensure the quality of the data and other information produced herein. However, these materials may contain technical inaccuracies or typographical errors, and are not guaranteed to be error-free. Information may be changed or updated without notice. SECUDE AG has no obligation to update these materials based on changes to its products or services or those of third parties. SECUDE AG may also make improvements or changes to the products or services described in this information at any time without notice. SECUDE AG frequently releases new versions of its software and updates them. Therefore, images shown in this document may be slightly different from what you see on your screen. As with any security product, SECUDE AG highly recommends backing up data as well as passwords on a regular basis. SECUDE AG is not responsible for the loss of passwords or data that cannot be retrieved based upon a user's failure to adhere to stringent backup and safe-keeping conventions.

SECUDE
SECUDE AG, Bergegg 1, 6376 Emmetten, NW, Switzerland. P: +41 (0) 44 575 19-00, F: +41 (0) 44 575 19-75
SECUDE IT Security GmbH, Goebelstrasse 21, 64293 Darmstadt, Germany. P: +49 (0)6151 82897-0, F: +49 (0)6151 82897-26
SECUDE IT Security, LLC, 380 Sundown Drive, Dawsonville, GA 30524, USA. P: +1 (706) 216 8609, F: +1 (706) 216 4696

Sales Europe: info@secude.com
Support Europe: support@secude.com
Documentation: documentation@secude.com
Sales US: info@usa.secude.com
Support US: support@usa.secude.com
www.secude.com
www.finallysecure.com


Table of Contents

1 What is SECUDE Secure Login? ... 11
2 System Overview ... 12
2.1 System Overview with PKI ... 13
2.1.1 Main System Components ... 13
2.1.2 Authentication Method ... 13
2.1.3 Workflow ... 14
2.1.4 Secured Communication for SAP ... 15
2.2 System Overview with SECUDE Secure Login Server ... 16
2.2.1 Main System Components ... 16
2.2.2 Authentication Method ... 17
2.2.3 Instances ... 18
2.2.4 PKI Structure ... 19
2.2.5 Workflow ... 20
2.2.6 Secure Communication ... 21
2.3 Methods of Authentication in SECUDE Secure Login ... 22
2.3.1 Active Directory Server (ADS) Authentication ... 23
2.3.2 RADIUS / RSA Authentication ... 24
2.3.3 SAP ID Authentication ... 25
2.3.4 SAP Logon Ticket Authentication ... 28
2.3.5 SQL Database Authentication ... 28
2.4 Policy Server Overview ... 30
2.5 Secure Login Web Client ... 31
3 Server Installation, Configuration, and Removal ... 32
3.1 Prerequisites ... 33
3.1.1 Hardware Requirements ... 33
3.1.2 Software Requirements ... 33
3.2 Preparing the Server for Installation ... 34
3.3 Installation Procedure for Apache Tomcat-based Server Installations ... 35
3.3.1 Option to Configure SSL in Tomcat ... 36
3.3.2 Test the SSL Connection for Tomcat ... 36
3.3.3 Single Sign-On for the Administration Console (Tomcat Only) ... 37
3.4 Installation Procedure for BEA Weblogic-based Server Installations ... 40
3.5 Installation Procedure for SAP NetWeaver-based Server Installations ... 42
3.5.1 Configure the System Environment (only for SAP ID-Based Logon) ... 43
3.5.2 Configure the Authentication Server in SAP NetWeaver ... 49
3.5.3 Test the SSL Connection ... 53
3.6 Initialization and Configuration for ADS, LDAP, RADIUS, SAP ID, SAP Ticket, and Database Module ... 54
3.6.1 Step 1 - Initial Installation ... 54
3.6.2 Step 2 - Server-Specific Quick Initialization ... 56
3.6.3 Step 2 - Multiple Authentication Server Initialization Expert Mode (Wizard) ... 63
3.6.4 Step 3 - Configure Authentication Server Communication ... 84
3.6.5 Step 4 - Test SECUDE Secure Login Server ... 90
3.7 Remove SECUDE Secure Login Server ... 91
3.7.1 Remove SECUDE Secure Login Server - Tomcat ... 91
3.7.2 Remove SECUDE Secure Login Server - BEA Weblogic ... 92
3.7.3 Remove SECUDE Secure Login Server - SAP NetWeaver ... 92
4 Client Installation, Configuration, and Removal ... 94
4.1 Prerequisites ... 95
4.1.1 Hardware Requirements for SECUDE Secure Login Client ... 95
4.1.2 Software Requirements for SECUDE Secure Login Client ... 95
4.2 SECUDE Secure Login Client Preparation ... 96
4.3 Client Rollout ... 97
4.3.1 Installation ... 98
4.3.2 Command Line Options to Influence the MSI Setup ... 103
4.4 Remove SECUDE Secure Login Client ... 106
5 Secure Login plus Web Client - Installation, Usage, and Removal ... 109
5.1 Prerequisites ... 110
5.2 Preparing the Server for Installation ... 111
5.3 Install and Configure the Web Client ... 112
5.3.1 Web Client Installation on Tomcat ... 112
5.3.2 Web Client Installation on NetWeaver ... 114
5.4 Use the Web Client ... 115
5.4.1 Configure SSL Trust for the Web Client Java Applet ... 116
5.5 Remove the Web Client ... 117
6 Administration ... 119
6.1 Administration Console ... 119
6.1.1 Open the Console ... 119
6.1.2 Change the Administrator/User Password ... 122
6.1.3 Server Configuration ... 124
6.1.4 Certificate Management ... 128
6.1.5 Authentication Management ... 131
6.1.6 TrustStore Management ... 141
6.1.7 Certificate Template ... 143
6.1.8 System Check ... 149
6.1.9 Backup/Restore ... 150
6.1.10 Change Language ... 155
6.1.11 Message Setting ... 156
6.1.12 SSS&JCO Installation ... 158
6.1.13 Server Status ... 162
6.1.14 Sign Certificate Requests ... 163
6.1.15 Console Log Viewer ... 165
6.1.16 Web Client Configuration ... 166
6.2 Email Report&Alert Configuration ... 177
6.3 Instance Management ... 178
6.3.1 Instance Configuration ... 179
6.3.2 Customizing With User-Defined Properties ... 181
6.3.3 Client Configuration ... 183
6.3.4 Instance Log Management ... 192
6.3.5 Instance Check ... 196
6.3.6 Instance Status ... 197
6.4 Console Users ... 198
6.4.1 User Management ... 199
6.4.2 Role Management ... 202
6.4.3 Locked Files Management ... 205
6.5 Other Administration Features ... 206
6.5.1 Status Query via an Internet Browser ... 206
6.5.2 Secure Login Web Service ... 207
6.5.3 Status Query XML Interface ... 209
7 Troubleshooting ... 211
7.1 How to use Unlimited Key Length Policies ... 212
7.2 Log Files ... 213
7.2.1 Daily Log File ... 213
7.2.2 Monthly Log File ... 215
7.3 Turning Tracing On/Off ... 215
7.4 SECUDE Secure Login Server Lock and Unlock ... 216
7.5 Setting the Correct Environment Variables for SAP ID-Based Logon ... 217
7.6 Problems with the Client URL ... 218
7.7 Implement an SSL.PSE-Based TrustStore for HTTPS ... 218
7.8 Access Denied Replies ... 219
7.9 Why the Secure Login Instance/Server is Locked ... 219
7.10 Password Expiry Warnings on Sun LDAP (1) ... 220
7.11 Password Expiry Warnings on Sun LDAP (2) ... 220
7.12 Secure Login Server Cannot Establish an SNC Connection to the SAP Server ... 221
7.13 Administration Console Pages Appear Broken ... 221
7.14 Problem Loading the GSS Library (SAP-ID Module) ... 222
7.15 Blank Page when Logging into the Secure Login Administration Console ... 223
7.16 Users Cannot be Successfully Authenticated to any JAAS Module ... 227
7.17 Enable Remote Access to Initialize and Configure Secure Login Server ... 229
7.18 Problems Accessing the Administration Console or the Web Client via Firefox ... 229
7.19 Error Message when Viewing Certificate Details using Firefox 3 ... 230
8 Error and Return Codes ... 231
8.1 ADS Authentication Errors ... 232
8.2 RSA Authentication Errors ... 232
8.3 SAP ID Error Codes and Return Codes ... 232
8.3.1 Authentication-based Codes ... 232
8.3.2 Password Change Related Codes ... 233
8.3.3 Connectivity Related Codes ... 233
8.4 Stacktrace Error Codes ... 234
8.5 Common Errors ... 236
8.6 CERT Errors ... 237
8.7 PSE Errors ... 237
9 Appendix ... 238
9.1 Client Policy ... 239
9.1.1 ClientPolicy.xml File Registry Keys and Values ... 239
9.1.2 ClientPolicy.xml File Example ... 240
9.1.3 Wildcards in Distinguished Names for the PSEURI Attribute ... 244
9.1.4 Configuring Secure Login with Microsoft Group Policies ... 245
9.2 Configurable Properties ... 246
9.2.1 Files that Contain Configurable Properties ... 246
9.2.2 Web.xml File ... 247
9.2.3 Configuration.properties File ... 248
9.2.4 JAAS Module Configuration Files ... 253
9.2.5 Files for Server Message Configuration ... 262
9.3 Secure Login Client Registry Values ... 264
9.4 Key Usage Reference ... 266
10 List of Abbreviations ... 267


Preface

About this Manual


This manual describes the administration tasks necessary to install, configure, and run SECUDE Secure Login 5.1.1.

Target Audience
This manual is targeted at the system and security administrators responsible for the installation and maintenance of Secure Login. Completing the tasks in this manual requires general IT-security knowledge. For a list of hardware and software requirements for the Secure Login Client installation, refer to section 4.1 on page 95; for the Secure Login Server installation, refer to section 3.1 on page 33.

Related Documentation
The following documentation is available for SECUDE Secure Login:
- This manual
- The SECUDE signon&secure Server installation manual
- SECUDE Secure Login 5.1 Release Notes
- Secure Network Communications, SNC User Manual, version 1.2; SAP AG; Walldorf


Contents
This manual contains the following chapters:

Chapter 1 What is SECUDE Secure Login?, on page 11. This chapter presents Secure Login.
Chapter 2 System Overview, on page 12. This chapter provides an overview of the overall system architecture and the principal workflow. It also details the specific system architecture and workflow for the authentication methods supported by Secure Login: ADS, RADIUS/RSA, and SAP ID-based logon.
Chapter 3 Server Installation, Configuration, and Removal, on page 32. This chapter describes the installation of the SECUDE Secure Login Server.
Chapter 4 Client Installation, Configuration, and Removal, on page 94. This chapter describes the configuration and installation of the SECUDE Secure Login Client.
Chapter 5 Secure Login plus Web Client - Installation, Usage, and Removal, on page 109. This chapter details the SECUDE Secure Login Web Client.
Chapter 6 Administration, on page 119. This chapter details how to monitor the SECUDE Secure Login Server.
Chapter 7 Troubleshooting, on page 211. This chapter describes the SECUDE Secure Login Server features for logging and error recovery.
Chapter 8 Error and Return Codes, on page 231. This chapter describes error and return codes, their meaning, and possible corrections.
Chapter 9 Appendix, on page 238. This chapter contains various advanced details an administrator may need to configure Secure Login.
Chapter 10 List of Abbreviations, on page 267. This chapter lists the abbreviations used in the manual.

A glossary and index are provided at the end of this manual.


Conventions used in this Manual


Style and meaning:

Bold: emphasis; elements of the graphical user interface; action sequences such as Menu > Submenu or "select Option X"
Italics: defined terms; references, especially when referring to another manual's title; application or company names such as Windows or SECUDE; important information appearing in notes, warnings, and hints
Monospace: package names; filenames and directory names; XML element names and attribute names; method names; variables; parameters; code examples
Monospace italics: replaceable elements within user input
Monospace bold: main element in a syntax description
Initial Capital Letters: tool names; product names; code elements (i.e. XML)
<Pointed brackets>, [Square brackets], |: notation within a syntax description ([ ] marks options, | marks "or")
Blue text: Internet links; cross references such as "see section 2.1"


Icons and Step Indication in this Manual


Notes
Notes contain detailed information about a topic and are of direct importance to the subject at hand. Notes are displayed in italic text, with a pen/paper icon to the left of the text body.

Warnings
A warning will contain information about circumstances, parameters, and so on that MUST be fulfilled. Failure to comply will have consequences for the current operation. Warnings are displayed in italic text with a warning icon to the left of the text body.

Hints
Hints contain useful information about the operation of the application. Hints are displayed in italic text, with a light bulb icon to the left of the text body.

Steps/Procedures

Procedures indicate the steps necessary to perform a task. They are displayed in normal text, with a light grey background.

Contacting Technical Support


For technical assistance contact SECUDE Support:

Phone: +49 (0)6151 82897 33
Fax: +49 (0)6151 82897 26
E-mail: support@secude.com (Europe and Asia), support@usa.secude.com (USA)
Web: http://www.secude.com/htm/338/en/Support.htm

When you want to open a support case, please provide as much of the following information as possible (the error information needed by support varies between products):
- Name (customer or partner) and contract number
- Name of SECUDE product plus version and service pack
- Involved and relevant third-party products plus versions
- The hardware on which the product is running plus operating system and service pack
- Date, time, and description of the error
- Is the error reproducible? If yes, state the steps necessary to reproduce the error
- Corresponding log files generated during operation
- Any other information necessary to reproduce the error
- Error priority, according to the following table:

Priority and description:
Critical: Loss of data within the SECUDE application, severe memory leak, application crashes.
Major: The SECUDE application has a major loss of functionality.
Normal: The SECUDE application loses some functionality without a severe impact on the overall stability or data integrity.
Minor: The SECUDE application suffers minor functionality loss, or other problems for which an easy workaround exists.
Trivial: Look and feel problems such as misspelled words or misaligned text.
Enhancement: Request for an enhancement to the SECUDE application.


1 What is SECUDE Secure Login?

Introduction

SECUDE Secure Login is a software solution created specifically to improve user and IT productivity and to protect business-critical data in SAP business solutions through secure single sign-on to the SAP environment. Together with SECUDE signon&secure, it provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components, including but not limited to:
- SAPGUI and the SAP NetWeaver platform, via Secure Network Communications (SNC)
- Web browsers and SAP Portal, via Secure Sockets Layer (SSL)
- Other SAP components such as SAP NetWeaver Java, SAP ITS, SAP Router, and SAP LPD

Scope of secure communication

In a standard SAP setup, users enter their SAP user name and password into the SAPGUI logon screen, and these credentials are transferred over the network without encryption. To help secure networks, SAP provides the Secure Network Communications (SNC) module, which lets users log in to SAP systems without entering a user name or password. The SNC module can also pass calls through a third-party crypto-library to encrypt all communication between SAPGUI and the SAP Server, thus providing secure single sign-on to SAP. SECUDE Secure Login is the third-party crypto-library of choice for SAP. It uses session keys to encrypt the communication and X.509 digital user certificates for user authentication.

Authentication mechanisms

SECUDE Secure Login lets you benefit from the advantages of SNC without having to set up a Public Key Infrastructure (PKI). Users can authenticate via one of the following mechanisms:
- Windows logon information
- RADIUS and RSA token (one-time password)
- LDAP
- SAP user ID and password
- SAP Logon Ticket
- SQL database
- Smart card and PIN

If a PKI has already been set up, its digital user certificates can also be used by SECUDE Secure Login. Further authentication mechanisms can be supported on request; please contact SECUDE support.

Access methods

SECUDE Secure Login also helps save time insofar that, through the use of the optional single sign-on, a user does not need to re-authenticate every time a new SAP application is opened or a different SAP Server is used. It also provides single sign-on for Web browser access to the SAP Portal (and other HTTPS-enabled Web applications) via SSL.


2 System Overview

Introduction

This chapter describes the SECUDE Secure Login architecture and concepts that are valid for all product variants. SECUDE Secure Login is a Client/Server software system integrated with SAP software to facilitate single sign-on, alternative user authentication, and enhanced security for distributed SAP environments.

The product

The SECUDE Secure Login Client comes in two variants:

- A stand-alone Client (Windows only). It can either be used with an existing public key infrastructure (PKI) or, together with the SECUDE Secure Login Server, for certificate-based authentication without having to set up a PKI. The stand-alone Client can use the following authentication methods:
  - Smart cards and USB tokens with an existing PKI certificate. SECUDE Secure Login Server and Authentication Server are not necessary.
  - Microsoft Crypto Store. SECUDE Secure Login Server and Authentication Server are not necessary.
  - Windows credentials (without user interaction). The user is authenticated via the Windows credentials (user name, domain, password) entered during Windows login. No SECUDE Secure Login dialog box appears to ask for these values.
  - User name and password. The Client prompts for user name and password (e.g. with RSA SecurID) and authenticates with these credentials via the SECUDE Secure Login Server.
  All of these authentication methods can be used in parallel. A policy Server provides profiles that specify how to log in to the intended SAP system.

- A Web Client (via an Internet browser on almost any system). At the heart of the Web Client is a signed Java applet, so the Internet browser displays a Java warning prompting you to confirm the applet's signing certificate. If you decide not to trust the certificate, the applet still runs but the warning reappears when you next log on. If you decide to trust the certificate, the warning does not reappear.
  The SECUDE Secure Login Web Client has the same authentication methods as the stand-alone Client but with the following limitations:
  - No single sign-on to SAP
  - No policy configuration
  - Only one instance can be used at any one time

Sections in this chapter

Section 2.1 System Overview with PKI, on page 13
Section 2.2 System Overview with SECUDE Secure Login Server, on page 16
Section 2.3 Methods of Authentication in SECUDE Secure Login, on page 22
Section 2.4 Policy Server Overview, on page 30


2.1

System Overview with PKI


The SECUDE Secure Login Client is integrated with SAP software to provide single sign-on capability and enhanced security. An existing PKI structure can be used to create certificates for user authentication.

2.1.1

Main System Components


The following figure shows the SECUDE Secure Login system environment with the main system components if an existing PKI structure is used:

Figure 2-1 SECUDE Secure Login system environment with existing PKI

Client: The SECUDE Secure Login Client is responsible for the certificate-based login to the SAP application Server and for encryption of the SAP Client/Server communication.

Policy Server: The policy Server provides profiles that specify how to log in to the intended SAP system.

2.1.2

Authentication Method
In a system environment without SECUDE Secure Login Server, the SECUDE Secure Login Client supports the following authentication methods:
- Smart cards and USB tokens with an existing PKI certificate
- Microsoft Crypto Store


2.1.3

Workflow
The following figure shows the principal workflow and communication between the individual components:

Figure 2-2 Principal workflow between components

1. Upon connection start, the SECUDE Secure Login Client retrieves the SNC name from the SAP Server.
2. The SECUDE Secure Login Client uses the authentication profile for this SNC name.
3. The SECUDE Secure Login Client receives the authentication data from the user login token.
4. The user unlocks the login token by entering the PIN.
5. The SECUDE Secure Login Client provides the authentication data for SAP single sign-on and secure communication between SAP Client and Server.
6. SAP GUI and the NetWeaver Platform use SNC for secure communication; the SAP Web Client and SAP EP Server/SAP WAS use SSL for secure communication.


2.1.4

Secured Communication for SAP


Secure communication is established between all system components.

Figure 2-3 Secure communication for SAP

Secure communication between SAP GUI and SAP Server

Communication between the SAP GUI and the SAP NetWeaver Platform is protected using the SECUDE Secure Login Client. The Client integrates itself into the network interface of any SAP process through the SAP SNC (Secure Network Communication) module and enables certificate-based authentication among SAP components: an SAP Client can authenticate itself with its certificate to the SAP application Server, and vice versa. Communication takes place over a secure channel.

Secure communication between Internet Explorer and Web Server

The communication between Microsoft Internet Explorer and a Web Server can be secured using SSL. The Web Server authenticates itself to the Web browser with its Server certificate (Server authentication). In addition, the Web browser authenticates itself to the Web Server with the user certificate (Client authentication). Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto engines; the SECUDE Crypto Service Provider (SECUDE CSP) is such a plug-in. It provides the user keys to all CAPI-enabled applications.


2.2 System Overview with SECUDE Secure Login Server

Introduction

The SECUDE Secure Login Client/Server system is combined with an Authentication Server and the SAP system to facilitate authentication and to enhance security. Using the SECUDE Secure Login Client/Server system, it is possible to use certificate-based authentication without having to set up a PKI.

Contents

Section 2.2.1 Main System Components, on page 16
Section 2.2.2 Authentication Method, on page 17
Section 2.2.3 Instances, on page 18
Section 2.2.4 PKI Structure, on page 19
Section 2.2.5 Workflow, on page 20
Section 2.2.6 Secure Communication, on page 21

2.2.1

Main System Components


The following figure shows the SECUDE Secure Login system environment with the main system components:

Figure 2-4 SECUDE Secure Login system environment

Client: The SECUDE Secure Login Client is the Client part of the Client/Server system. It is responsible for the certificate-based login to the SAP application Server and for encryption of the SAP Client/Server communication.

Server: The SECUDE Secure Login Server is the central Server component that connects all parts of the system. It enables authentication against an Authentication Server and provides the SECUDE Secure Login Client with a temporary certificate. This certificate contains the user data and the public key used to authenticate the user to the SAP application Server. The SECUDE Secure Login Server is a pure Java application. It consists of a servlet and a set of associated classes and shared libraries, and runs in a Server environment in combination with an application Server (such as SAP NetWeaver) or a Web Server with a servlet engine (such as Tomcat).

Policy Server: The policy Server provides profiles that specify how to log in to the intended SAP system.


2.2.2 Authentication Method

Introduction

SECUDE Secure Login supports several authentication methods. It uses the Java Authentication and Authorization Service (JAAS) as a generic interface for the different authentication methods; for each supported method there is a corresponding configurable JAAS module.

Supported Authentication Methods

- Microsoft Active Directory Service (ADS)
- RSA SecurID token
- RADIUS
- SAP ID-based logon
- SAP Logon Tickets
- SQL database tables
- Third-party JAAS module

For information on how to use a specific third-party JAAS module, refer to its proprietary documentation.

Figure 2-5 SECUDE Secure Login Server with JAAS interface


2.2.3

Instances
The SECUDE Secure Login instances feature allows multiple instances of Secure Login to run on the same Server. The main advantage of using instances is that the time spent on maintaining Secure Login is reduced to a minimum. If you want the single-Server functionality of Secure Login version 4.2, you need only use a single instance. SECUDE Secure Login Server instances can share a common PSE file, or you can set an individual PSE for each instance. The SECUDE Secure Login Client authentication profiles can be configured to use different Server instances for different authentication methods, or different user groups can be assigned to a Server instance according to access rights/type. For example:

Figure 2-6 Instances example

Failover

It is still possible to use several SECUDE Secure Login Servers and/or Authentication Servers for failover. A SECUDE Secure Login Server can connect to more than one Authentication Server (all of which use the same authentication method).

Further Information

For details about how to configure instances via the Administration Console, see section 6.3 Instance Management on page 178.


2.2.4 PKI Structure

Introduction

SECUDE Secure Login creates standard X.509 certificates to authenticate users to the SAP application Server and to encrypt the Client/Server communication. These user certificates are generated on demand and have only a limited lifetime, so it is not necessary to set up and administrate a full standard PKI for them. Nevertheless, SECUDE Secure Login needs a PKI for the following two scenarios:
- Secure communication between the SECUDE Secure Login Server and Client: the Web Server needs a certificate for the SSL connection between the SECUDE Secure Login Client and Server, and the Client must verify that certificate.
- Secure communication between the SAP Client and SAP Server: the SAP Server needs a certificate to communicate securely with the SAP GUI.

The recommended simple PKI can be set up via the Administration Console.

Simple PKI Structure

Many possible PKI hierarchies meet the SECUDE Secure Login demands. The following figure shows the simplest approach. It also complies with the convention that one CA should issue only one kind of certificate.

Figure 2-7 Simple PKI structure

Trust Hierarchy

Each application Server (such as Tomcat or SAP NetWeaver) running a SECUDE Secure Login Server needs an SSL Server certificate, issued by the SSL CA shown in the figure, and a corresponding key pair. With this certificate the Server authenticates itself to the SECUDE Secure Login Client, and the communication between Server and Client can be encrypted. The Client must hold a trusted copy of the SSL CA certificate (or of the Server certificate itself) in order to verify the Server certificate presented to it.

Each SAP application Server needs a key pair and a certificate from the SAP CA. This Server certificate is used to protect the SNC channel between the SAP application Server and the SAP GUI Client. The SAP GUI must have a copy of the root CA certificate in order to verify the certificate chain presented to it by the SAP application Server.

The User CA, which issues each of the Client certificates (User 1, User 2, ..., User n), is part of the SECUDE Secure Login Server. The User CA key pair and certificate, with which each Client certificate is signed, are stored in a personal security environment (PSE).


2.2.5

Workflow
The following figure shows the principal workflow and communication between the individual components:

Figure 2-8 Principal workflow

1. Upon connection start, the SECUDE Secure Login Client gets the SNC name from the SAP Server.
2. The SECUDE Secure Login Client uses the Client policy for this SNC name. The Client policy is either static (the policy information is set in the Windows registry) or retrieved dynamically from the Secure Login Server. For information about how to download the relevant files for a static or dynamic Client policy, see section 6.3.3 Client Configuration on page 183.
3. The SECUDE Secure Login Client receives the user login as authentication data. In addition, the Client generates an RSA key pair.
4. The SECUDE Secure Login Client sends the authentication data and the certification request for the public key of the RSA key pair to the SECUDE Secure Login Server. This connection is secured using SSL.
5. The SECUDE Secure Login Server forwards the authentication data to the Authentication Server using a secure connection.
6. The Authentication Server informs the SECUDE Secure Login Server whether authentication has been successful.
7. If authentication is successful, the SECUDE Secure Login Server generates a temporary user certificate based on the user's public key and identification.
8. The certification reply is transferred from the SECUDE Secure Login Server to the SECUDE Secure Login Client. The certification reply also contains the additional certificates from the certificate chain that the Client needs.
9. The SECUDE Secure Login Client provides the certificate for SAP single sign-on and secure communication between SAP Client and Server. SAP GUI and the NetWeaver Platform use SNC for secure communication; the SAP Web Client and SAP EP Server/SAP WAS use SSL for secure communication.


2.2.6 Secure Communication
Secure communication is established between all system components:

Figure 2-9 Secure communication

Communication Between SECUDE Secure Login Client and Server
Format: The communication between the Client and the Server uses SSL. The administrator must configure the URL, including the port number of the Server, on the Clients.
Security: An SSL connection is necessary for secure communication. The SSL connection is established using the certificate of the SECUDE Secure Login Server (Server authentication). For an SSL connection, the SECUDE Secure Login Client must be configured to trust the Server certificate.
Reliability: A list of SECUDE Secure Login Servers can be configured. If the Client cannot reach a Server after a configurable time, it tries to connect to the next Server on the list.

Communication Between SECUDE Secure Login Server and Authentication Server
Security: The communication between SECUDE Secure Login Server and Authentication Server must be secured. This is important because the authentication data of the user is on the network.
Reliability: A list of Authentication Servers can be configured in the SECUDE Secure Login Server. If the SECUDE Secure Login Server cannot reach an Authentication Server after a configurable time, it tries to connect to the next Server on the list.

Communication Between SAP GUI and SAP Server
Security: Communication between SAP GUI and the SAP NetWeaver Platform is protected using the SECUDE Secure Login Client. This product integrates itself into the network interface of any SAP process through the SAP SNC (Secure Network Communication) module. It enables certificate-based authentication among SAP components. For example, an SAP Client can authenticate itself using its certificate on the SAP application Server, and vice versa. Communication takes place over a secure channel.


Communication Between Internet Explorer and Web Server
Security: The communication between Microsoft Internet Explorer and a Web Server can be secured using SSL. The Web Server authenticates itself to the Web browser with its Server certificate (Server authentication). In addition, the Web browser authenticates itself to the Web Server with the user certificate (Client authentication). Microsoft Internet Explorer uses the Microsoft Crypto API (CAPI) for cryptographic operations. The Microsoft Crypto API has a plug-in mechanism for third-party crypto engines. SECUDE Crypto Service Provider (SECUDE CSP) is such a plug-in. It provides the user keys to all CAPI-enabled applications.

2.3 Methods of Authentication in SECUDE Secure Login

Introduction
This chapter details each of the authentication methods supported by Secure Login.

Contents
Section 2.3.1 Active Directory Server (ADS) Authentication, on page 23
Section 2.3.2 RADIUS / RSA, on page 24
Section 2.3.3 SAP ID, on page 25
Section 2.3.4 SAP Logon Ticket Authentication, on page 28
Section 2.3.5 SQL Database Authentication

2.3.1 Active Directory Server (ADS) Authentication


This section describes the specific system architecture and workflow for the SECUDE Secure Login Active Directory Server (ADS) authentication method.

System Architecture for ADS

The following figure shows the SECUDE Secure Login system environment for ADS:

Figure 2-10 SECUDE Secure Login system environment for ADS

Client
The SECUDE Secure Login Client is integrated into the Windows logon process. It sends the domain, user ID, and password entered by a user to the SECUDE Secure Login Server to authenticate the user. The SECUDE Secure Login Client is represented by a small icon in the system tray that shows the status of the login.

Server
The SECUDE Secure Login Server receives the authentication data sent by the Client and forwards it to the Microsoft Active Directory Service (ADS). If the authentication on ADS is successful, the SECUDE Secure Login Server certifies the user's public key. The certification reply is generated and transferred to the Client. If ADS cannot authenticate the user, the SECUDE Secure Login Server informs the Client. The user can access neither the SNC-secured SAP NetWeaver Server nor the SSL-secured Web Server. The SECUDE Secure Login Server provides the service of an online certification authority (CA).

ADS
The Microsoft ADS verifies the authentication data sent by the Client (domain, user ID, password). It informs the SECUDE Secure Login Server about whether the user could be authenticated.

Secure Login Process
1. A user logs on to Microsoft Windows as usual.
2. The SECUDE Secure Login Server receives the authentication information of the user's Windows logon. It forwards the information via an SSL-secured connection to the Microsoft Active Directory Server and requests confirmation.
3. If the Microsoft Active Directory Server is able to authenticate the user successfully, a temporary certificate is created for the user. This certificate is sent to the Client workstation and made available to the SAP GUI for Windows. Thus, a certificate-based login to the SAP application Server is performed without a corporate PKI.
4. When users start the SAP GUI for Windows, they are automatically logged on to the SAP applications for which they have authorization. The connection to these SAP applications is secure.

2.3.2 RADIUS / RSA Authentication


This section describes the specific system architecture and workflow for the SECUDE Secure Login RADIUS/RSA authentication method.

System Architecture for RSA

The following figure shows the SECUDE Secure Login system environment for RADIUS/RSA:


Figure 2-11 SECUDE Secure Login system environment for RADIUS/RSA

Client
The SECUDE Secure Login Client is a stand-alone Windows application. It provides a user interface to enter a user name and a SecurID password. The SecurID password is composed of a PIN, which the user has to provide, and the one-time password generated by the RSA SecurID token.

Server
The SECUDE Secure Login Server receives the authentication data sent by the Client and forwards it to the RSA Authentication Manager or another RADIUS Server. If the authentication is successful, the SECUDE Secure Login Server certifies the user's public key. The certification reply is generated and transferred to the Client. If authentication fails, the SECUDE Secure Login Server informs the Client. The user can access neither the SNC-secured SAP NetWeaver Server nor the SSL-secured Web Server, but can repeat authentication.

RSA Authentication Manager
The RSA Authentication Manager verifies the authentication data sent by the Client. It informs the SECUDE Secure Login Server about whether the user could be authenticated.

Secure Login Process
1. A user enters his/her credentials using the SECUDE Secure Login Client user interface.
2. The SECUDE Secure Login Server receives the authentication information. It forwards the information to the RSA Authentication Manager or RADIUS Server and requests confirmation.
3. If the RSA Authentication Manager or RADIUS Server is able to authenticate the user successfully, a temporary certificate is created for the user. This certificate is sent to the Client workstation and made available to the SAP GUI for Windows. Thus, a certificate-based login to the SAP application Server is performed without a corporate PKI.

2.3.3 SAP ID Authentication
This section describes the specific system architecture and workflow for the SECUDE Secure Login SAP ID-based authentication method.

System Architecture for SAP ID-based Logon

The following figure shows the SECUDE Secure Login system environment for SAP ID-based logon:

Figure 2-12 SECUDE Secure Login system environment for SAP ID-based logon

JAAS Module
The SAP ID variant of the SECUDE Secure Login Server consists of the normal SECUDE Secure Login Server core components plus a special JAAS module to communicate with the SAP Server. The JAAS module uses two ABAP functions on the SAP Server via SNC-secured RFC. To use these RFC calls, the SAP Server version has to be at least 6.2. For this method of authentication to work, several libraries are needed for the SECUDE Secure Login Server to function correctly:
- The native RFC library
- An additional native library required for the JNI (Java Native Interface) access
- The Java JCO library
For details about how to install these libraries refer to chapter 3 Server Installation, on page 32.

SAP System User
An SAP system user is an individual with access rights beyond those of a normal user. These rights can be used to check the logon details of a normal user. The SAP system user profile must contain the following entries for this method of authentication to work:
- S_A.SCON
- S_A.SYSTEM
- S_USER_ALL
- S_USER_RFC
- Z_TRANS_RFC

Mode of Operation
The SECUDE Secure Login Server acts on behalf of the SAP system user and obtains the normal SAP user logon data via the SECUDE Secure Login Client.

Password Policy
The SAP Server has a special password policy that can force the immediate change of the user password under the following circumstances:
- For newly created users during their initial logon to the SAP system
- Password expiration date
- SAP user administrator forced password changes
These changes are (and can only be) triggered by the SAP Server. The SECUDE Secure Login Server and Client cannot force a change. The confidentiality of the SAP user password is ensured by using SNC to protect the connection between the SAP Server and the SECUDE Secure Login Server.

Password Rejection
In the password change process the new password might be rejected by the SAP Server for the following reasons:
- Password does not comply with the password policy (length, complexity)
- Password is already present in the password history
- The wrong password has been entered too many times
As with the password policy, password rejection is controlled by the SAP Server.

26

SECUDE Secure Login 5.1 Installation, Administration and Usage Manual

Secure Login Process

The following figure shows the SECUDE Secure Login process for SAP ID-based logon:

Figure 2-13 SECUDE Secure Login process for SAP ID-based logon (sequence diagram between SAP Server, Secure Login Server and Secure Login Client: Initialization request/reply, Logon request, Logon reply, Logon request, New password request/reply, Authentication reply)

1. In the first step, a process initialization request is sent from the SECUDE Secure Login Client to the SECUDE Secure Login Server.
2. The SECUDE Secure Login Server replies that initialization can start.
3. The SECUDE Secure Login Client sends a logon request (plus unsigned certificate) to the SAP Server via the SECUDE Secure Login Server.
4. The SAP Server will reply with one of the following:
- Reject the password (see previous section)
- Force a password change (initial logon, password expired etc.)
- Password OK > authentication successful
5. When logon is successful, the SECUDE Secure Login Server will send the Client a signed certificate, which is made available to the SAP GUI for Windows.
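The exchange above, as an added simulation that is not part of this manual and not SECUDE's or SAP's code: a mock SAP Server applies the password rules listed in the previous section (length policy, history, too many wrong attempts, forced change), and the Secure Login Server relays the logon and returns a signed certificate only when the SAP Server answers OK. The reply codes, the minimum length of 8, the lockout after 3 wrong attempts, the "signed:" marker and the sample user are assumptions made for this example.

```python
# Added example (not SECUDE's or SAP's code): simulation of the SAP ID logon
# exchange. The mock SAP Server alone decides about the password; the Secure
# Login Server never signs unless it received "OK".
# Assumptions: reply codes, MIN_LENGTH, MAX_FAILURES, the "signed:" marker
# and the sample user are constructed for this example.
from dataclasses import dataclass, field

MIN_LENGTH, MAX_FAILURES = 8, 3


@dataclass
class SapUser:
    password: str
    must_change: bool = False          # initial logon or expired password
    history: list = field(default_factory=list)
    failures: int = 0


class MockSapServer:
    """Stands in for the SAP Server reached via SNC-secured RFC."""

    def __init__(self, users):
        self.users = users

    def logon(self, user, password):
        u = self.users.get(user)
        if u is None or u.failures >= MAX_FAILURES:
            return "REJECT"                  # unknown, or locked after too many wrong passwords
        if password != u.password:
            u.failures += 1
            return "REJECT"
        u.failures = 0
        return "CHANGE_PASSWORD" if u.must_change else "OK"

    def change_password(self, user, old, new):
        u = self.users.get(user)
        if u is None or old != u.password:
            return "REJECT"
        if len(new) < MIN_LENGTH or new == u.password or new in u.history:
            return "REJECT"                  # policy (length) or history violation
        u.history.append(u.password)
        u.password, u.must_change = new, False
        return "OK"


class SecureLoginServer:
    """Relays the logon request and issues the certificate only on OK."""

    def __init__(self, sap):
        self.sap = sap
        self.initialized = set()

    def initialize(self, client_id):
        self.initialized.add(client_id)      # steps 1 and 2 of the process
        return "INIT_OK"

    def logon(self, client_id, user, password, unsigned_cert, new_password=None):
        if client_id not in self.initialized:
            return ("REJECT", None)
        reply = self.sap.logon(user, password)  # step 3
        if reply == "CHANGE_PASSWORD":           # step 4: SAP Server forces a change
            if new_password is None:
                return (reply, None)             # Client has to answer with a new password
            if self.sap.change_password(user, password, new_password) != "OK":
                return ("REJECT", None)
            reply = "OK"
        if reply != "OK":
            return (reply, None)
        return ("OK", "signed:" + unsigned_cert)  # step 5: certification reply
```

A run through the states: an uninitialized Client is refused, the first logon of a new user yields CHANGE_PASSWORD, a too-short replacement is rejected by the SAP side, and after three wrong passwords even the correct one no longer produces a certificate.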


2.3.4 SAP Logon Ticket Authentication


This section describes the specific system architecture and workflow for the SECUDE Secure Login SAP Logon Ticket authentication method.

System Architecture for SAP Logon Ticket

The following figure shows the SECUDE Secure Login system environment for SAP Logon Ticket:

Figure 2-14 SECUDE Secure Login system environment for SAP Logon Ticket

Client
This authentication module only applies to the Secure Login Web Client. It sends the user ID and password entered by a user or a program to the SAP NetWeaver Portal URL to call its user login procedure. If successful, the portal returns an SAP Logon Ticket in the form of an HTTP cookie, which is handed over to the Web browser where the Secure Login Web Client is running. Alternatively, the SAP Logon Ticket can be handed over to the Secure Login Web Client by other means, e.g. a browser script. This allows the Web Client to run in unattended and invisible mode. The Secure Login Web Client then sends the SAP Logon Ticket to the SECUDE Secure Login Server to authenticate the user.

Server
The SECUDE Secure Login Server receives the SAP Logon Ticket sent by the Client and performs offline verification. If the authentication is successful, the SECUDE Secure Login Server certifies the user's public key. The certification reply is generated and transferred to the Client.

2.3.5 SQL Database Authentication


This section describes the specific system architecture and workflow for the SECUDE Secure Login SQL database-based authentication method.

System Architecture for SQL DB-based Logon

The following figure shows the SECUDE Secure Login system environment for SQL DB-based logon:


Figure 2-15 SECUDE Secure Login system environment for SQL DB-based logon

JAAS Module
The SQL DB variant of the SECUDE Secure Login Server consists of the normal SECUDE Secure Login Server core components plus a special JAAS module to communicate with the SQL database. For this method of authentication to work, additional third-party SQL driver libraries are needed for the SECUDE Secure Login Server to function correctly:
- For MySQL, this is e.g. mysql-connector-java-5.1.7-bin.jar.

SQL Database
The JAAS module uses standard SQL queries to find the given user ID and password in a table. This table and its column names can either be configured freely, or predefined names are used for higher performance. The simplest form is to have usernames and passwords stored in two columns. For a given username and password, a row is searched that matches both.

If the Client side supports it, a third value can be given to qualify the Client identifier. This could be a Client machine identification value or some application-defined data. This Client ID is transported in the username field of the protocol, and requires a separator string definition.

Positive False Authentication
Another configuration allows using the database as a combination of whitelist and blacklist. In this scenario, all exact matches in the database return a positive result, as well as all username values that are not found in the table at all. It is recommended to implement this feature only if Client identifiers are used that are sufficient to protect against this kind of positive false authentication.
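The table lookup, the separator-qualified Client ID and the positive false mode, as an added example that is not SECUDE's JAAS module: it uses an in-memory sqlite3 table so it runs offline. The table and column names (sl_users, username, pw_hash, client_id), the separator "|" and the sample rows are assumptions made for this example; the real Secure Login Server takes them from its configuration. Storing a password hash instead of the clear-text password is also this example's own choice, the manual only says that username and password are stored in two columns.

```python
# Added example (not SECUDE's JAAS module): the SQL lookup described above.
# Assumptions: table/column names, the separator and the sample rows are
# constructed here; hashing the password column is this example's choice.
import hashlib
import hmac
import sqlite3

SEPARATOR = "|"   # assumed separator between "<user>" and "<Client ID>" in the username field


def pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory user table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sl_users (username TEXT PRIMARY KEY, pw_hash TEXT, client_id TEXT)")
    conn.executemany(
        "INSERT INTO sl_users VALUES (?, ?, ?)",
        [("alice", pw_hash("s3cret!Pass"), "WS-0042"),   # bound to one Client machine
         ("bob", pw_hash("hunter2-ok"), None)],          # no Client ID required
    )
    return conn


def split_login(username_field: str):
    """The Client ID travels inside the protocol's username field: '<user><sep><id>'."""
    if SEPARATOR in username_field:
        user, client_id = username_field.split(SEPARATOR, 1)
        return user, client_id
    return username_field, None


def authenticate(conn, username_field: str, password: str, positive_false: bool = False) -> bool:
    """True when the row matches; in positive_false mode unknown usernames also pass."""
    user, client_id = split_login(username_field)
    # Parameterised query: the username comes straight from the Client and is
    # never concatenated into the SQL text.
    row = conn.execute(
        "SELECT pw_hash, client_id FROM sl_users WHERE username = ?", (user,)
    ).fetchone()
    if row is None:
        # whitelist/blacklist mode: names absent from the table are accepted,
        # which is why the manual ties this mode to sufficient Client identifiers
        return positive_false
    stored_hash, stored_client = row
    if not hmac.compare_digest(stored_hash, pw_hash(password)):
        return False
    if stored_client is not None and stored_client != client_id:
        return False
    return True
```

Note that in positive false mode a known username with a wrong password is still refused; only names that do not exist in the table pass, so the Client ID column is what keeps an unknown name from being accepted from an arbitrary machine.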


2.4 Policy Server Overview

Introduction


SECUDE Secure Login Client configuration is profile-based. To provide a mechanism for automatic application-based profile selection, application contexts can be configured. They are then searched for specific personal security environment universal resource identifiers (PSE URIs). If no matching PSE URI is found, a default application context can be defined that links to a default profile.

Figure 2-16 Default application context and profile

The application contexts and profiles are stored in the Windows registry of the Client (including other internal keys for the Client). These parameters are defined within the XML policy file (ClientPolicy.xml). You can also integrate the values for the SECUDE Secure Login Client in your company's group policies via an ADM file.

Further Information
For further information about how to download the relevant files for a static or dynamic Client policy see section 6.3.3 Client Configuration on page 183. For further information about how to integrate the policy values for the SECUDE Secure Login Client into your company's group policies (ADM file), refer to section 9.1.4 Configuring Secure Login with Microsoft Group Policies on page 245. Advanced details about the Client policy file XML syntax can be found in section 9.1.1 ClientPolicy.xml File on page 239, along with the use of wildcards in section 9.1.3 on page 244.


2.5 Secure Login Web Client

Introduction


A new feature of SECUDE Secure Login 5.1 is the Web Service and Web Client. The Web Client is an SNC provider developed mainly for SAP Logon GUI for Java making the most of Windows as well as non-Windows platforms. It is a Web-based solution to authenticate users via Web-browsers (i.e. in portal scenarios) on a variety of platforms and to launch the SAPGUI with SECUDE SNC security. This means that the Client is no longer exclusively for Windows, but also Mac OS X and a range of Linux-based systems (due to differences between the SAPGUI for Java and SAPGUI for Windows the Web Client for Windows only has limited functionality). Moreover, in contrast to SECUDE Secure Login stand-alone Client for Windows (SLC) the Web Client has no SSL Client-authentication. The Web Client can be deployed to Apache Tomcat and SAP NetWeaver but, currently, not to BEA WebLogic.

Main Features
- Browser-based authentication against Secure Login Server (all back-ends are supported including RSA and challenge-mode functions such as password changes)
- Download and prepare the SECUDE SNC library (simple to update the native libraries when a new version is available)
- Soft-token provider via Secure Login Server
  - Create credentials for crypto-token
- Launch SAPGUI for Java/Windows with SNC parameters and crypto-token
  - Launch SAPGUI or directly login to SAP Server (AS ABAP)
  - Specify search path for SAPGUI binaries either centrally on the Server side, or by the user on the Client side (host-specific)
- Localization and customization of HTML pages and Applet messages
  - Stylesheet (CSS) support, preconfigured for NetWeaver Portal
- Optional clean-up of temporary files when browser is closed (such as soft-tokens and credentials)

Further Information
Chapter 5 Secure Login plus Web Client - Installation, Usage, and Removal, on page 109


3 Server Installation, Configuration, and Removal

Introduction


This chapter describes the SECUDE Secure Login Server installation. It is necessary to install and configure Secure Login Server BEFORE installing Secure Login Client. This chapter details the installation and configuration procedure for various target systems, for example, Servers that use servlet engines such as Apache Tomcat or SAP NetWeaver. If you want to install Secure Login with the Web Client then refer directly to chapter 5. This is because the Web Client installation is not just the Web Client but rather the complete Secure Login Server plus Web Client. The installation routine is quite different for Tomcat and only slightly different for NetWeaver.

Sections in this Chapter
Section 3.1 Prerequisites, on page 33
Section 3.2 Preparing the Server for Installation, on page 34
Section 3.3 Installation Procedure for Apache Tomcat-based Server Installations, on page 35
Section 3.4 Installation Procedure for BEA Weblogic-based Server Installations, on page 40
Section 3.5 Installation Procedure for SAP NetWeaver-based Server Installations, on page 42
Section 3.6 Initialization and Configuration for ADS, LDAP, RADIUS, SAP ID, SAP Ticket, and Database Module, on page 54
Section 3.7 Remove SECUDE Secure Login Server, on page 91


3.1 Prerequisites
This section lists the hardware and software requirements.

3.1.1 Hardware Requirements

Hardware          Details
Hard disk space   20-50MB plus space for log files
RAM               1GB

3.1.2 Software Requirements
For the Secure Login Server you require the following software.

Operating System (one of the following):
- Windows 2003 Server R2 (x86)
- Windows XP Professional SP2 (x86)
- Suse Linux Enterprise Server 9 or 10 (x86)
- Solaris 8, 9, or 10 (SPARC)
- HP-UX 11.11 (PA-RISC)
- HP-UX 11.23 (Itanium)

Java (http://java.sun.com/):
- JDK 1.5 with the Java Cryptography Extension (JCE)
- JCE Unlimited Strength Jurisdiction Policy files (usually part of the JDK or JRE)

Supported Application Servers:
- BEA WebLogic 8.1, 9.0, 10.0
- Apache Tomcat version 5.x/6.x with JDK 1.4-1.6 (make sure that the optional components Service Setup and Native are selected in the setup). In case RSA ACE 6.1.2 is installed on Solaris it is mandatory to use JDK 1.5 at most.
- SAP NetWeaver Java 6.4 / 7.0 with:
  - SAP Java Connector 2.1.8 (necessary for SAP ID-based logon. Please contact SAP for these libraries.)
  - SAP Java Cryptographic Toolkit
  - A running and configured SSL service provider

Server supporting LDAP/ADS authentication:
- openLDAP
- Sun ONE LDAP
- Microsoft Active Directory Server (ADS) 2000 or 2003
- Sun Java System Directory Server

Server supporting RADIUS/RSA authentication:
- freeRADIUS
- RSA Authentication Manager 6.0 or higher

Server supporting SAP ID-based login (the following SAP application Server versions are supported):
- SAP Server 6.20
- SAP NetWeaver ABAP 7.00

Support for additional platforms or versions may be available on request. Please contact SECUDE for further information.


3.2 Preparing the Server for Installation

Introduction


The Server must be prepared for the installation of Secure Login. If you have already prepared the Server, go to the next section below. If you have not prepared the Server, the following list indicates what must be installed and configured before starting with the installation of SECUDE Secure Login:
- Install the operating system (plus updates if necessary).
- Install Java (JCE will be installed automatically).
- Install the application Server.
This manual does not detail the installation and configuration of the above-mentioned software. It is assumed that the knowledge and skills necessary to perform the Server preparation are already present and do not need to be documented here.

Contents of Delivery Package
Secure Login is delivered as a series of ZIP files. The contents of each ZIP file are as follows:
- SECUDE51SecureLoginNativeComponents.zip
  This file contains the necessary native Secure Login components for each supported platform.
- SECUDE51SecureLoginServer.zip
  - \doc
    This directory contains the documentation, license agreements, and readme files.
  - \SECUDE51SecureLoginServer.zip
    Despite the fact that this ZIP file has the same name as the file containing it, this file contains the standard Secure Login applications as well as the Web Client variants:
    - \NetWeaver 70\securelogin.ear: Standard Secure Login application for SAP NetWeaver to work with the Secure Login Client.
    - \NetWeaver 70 WS\secureloginservice.ear: The Web Client version of Secure Login for SAP NetWeaver.
    - \Tomcat\securelogin.war: Standard Secure Login application for Apache Tomcat to work with the Secure Login Client.
    - \Tomcat WS\axis2.war, securelogin.war, secureloginservice.aar, shared.zip, SlsWebClient.war: The Web Client version of Secure Login for Apache Tomcat plus secondary files necessary for operation.

Prepare the Files
In preparation for installation, it is recommended to unpack the ZIP archive SECUDE51SecureLoginServer.zip to produce the four application sub-directories:
- \NetWeaver 70
- \NetWeaver 70 WS
- \Tomcat
- \Tomcat WS
as well as SECUDE51SecureLoginNativeComponents.zip to produce the files for the native components.

This manual contains steps in which it is necessary to choose and confirm passwords. For reasons of security, Secure Login will only allow you to choose passwords that are hard to guess (i.e. a mix of uppercase/lowercase letters, digits, and special characters).


3.3 Installation Procedure for Apache Tomcat-based Server Installations

Introduction


This section describes the installation procedure for an environment using Apache Tomcat. These steps assume that Tomcat and the necessary runtime components are already installed.
1. Locate the unzipped Tomcat deployment file (see section 3.2 on page 34):
   SECUDE51SecureLoginServer\Tomcat\securelogin.war
2. Deploy the securelogin.war file. This step describes how to deploy the files to the Server using Tomcat 6.0 as an example (you can also use the Tomcat Manager to deploy Secure Login). Make sure that file name and path notations used in this step are correct for the target operating system. These bulleted steps describe how to transfer the WAR file and configuration files to the target servlet engine:
   - Stop the servlet engine (Tomcat) if it is running.
   - If necessary, remove the existing SECUDE Secure Login Web application directory and securelogin.war file:
     <Tomcat home>\webapps\securelogin\
     <Tomcat home>\webapps\securelogin.war
   - Copy the new securelogin.war file into the directory <Tomcat home>\webapps\
   - Start the servlet engine (Tomcat).
3. Now test the deployment. In your Internet browser, enter the following URL:
   http://<URL-Where-Your-Servlet-Resides>/securelogin
   For example: http://localhost:8080/securelogin
4. If the deployment has been successful, the SECUDE Secure Login Administration Console prerequisite check page should appear:

Figure 3-1 Administration Console prerequisite check page

This page lists the prerequisites to run Secure Login successfully. Items with a green dot in front of them indicate correct availability and functionality. Items with a red light in front of them indicate an error. Items with a yellow light in front of them indicate an optional component that may be needed according to Server and setup type (for example, the SAP Adapter is needed for the SAP ID-based logon).
5. Use the Administration Console initialization wizard to create the Secure Login environment (see section 3.6 on page 54).

3.3.1 Option to Configure SSL in Tomcat


If you are remotely administrating Secure Login over a network it is recommended to use an SSL connection. This means that SSL must be activated in Tomcat. Follow these steps to activate SSL in Tomcat (this example details SSL for Tomcat v.6.0):
1. If Tomcat is running, stop and exit it.
2. Open the server.xml file from the directory <Tomcat home>\conf.
3. Copy the following code behind the commented-out SSL configuration example in the server.xml file (edit the port, the keystore path and the keystore password in the following example syntax accordingly):

   <Connector port="8443" maxHttpHeaderSize="8192"
              maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
              enableLookups="false" disableUploadTimeout="true" acceptCount="100"
              scheme="https" SSLEnabled="true" secure="true"
              clientAuth="false" sslProtocol="TLS"
              keystorePass="123456"
              keystoreFile="<Tomcat home>\webapps\securelogin\WEB-INF\Instances\<optional instance directory>\<SSLServer_*>.p12"
              keystoreType="PKCS12"/>

   The PKCS12 (*.p12) file should already have been generated via the Administration Console during the Server setup. If not, use the Certificate Management function of the Administration Console to generate one (see section 6.3.2 on page 181).
4. Save and close the server.xml file.
5. Start Tomcat.

Despite using HTTPS for the URLs in policies and generating SSL Server certificates (both via the Administration Console), you still need to manually activate SSL in Tomcat.

3.3.2 Test the SSL Connection for Tomcat


1. To test the SSL connection enter the following URL in your browser:
   https://<URL-Where-Your-Servlet-Resides>/securelogin
   For example: https://localhost:8443/securelogin
2. This should open the Administration Console login page (see section 6.1 Administration Console on page 119).


3.3.3 Single Sign-On for the Administration Console (Tomcat Only)


This section details how to setup Tomcat to:
- Use a login certificate generated via the Administration Console for SSL-based authentication (refer to the next section below).
- Trust only those certificates created via the Administration Console, as well as use single sign-on authentication to the Administration Console (refer to section 3.3.3.2 below).
- Setup a single SSL port in Tomcat for both the Secure Login Administration Console and the Secure Login Client to share (refer to section 3.3.3.1 below).

3.3.3.1 Use a Login Certificate Generated via the Administration Console for SSL-based Authentication
This section details how to setup Tomcat to use SSL login certificates, generated using the Administration Console, for authentication (the Administration Console offers the option to log in to the Secure Login Server using certificate-based SSL authentication). The following steps assume that you have already:
- Created a user via the User Management node (see section 6.4.1 on page 199) that uses the subject alternative name in the certificate for the option Certificate Login ID.
- Created a login certificate (under SAP CA) via the Certificate Management node. The subject alternative name provided in the certificate creation must match the entry in the option Certificate Login ID for the user created in User Management.
- Exported the resulting certificate as a *.p12 file and imported it into Internet Explorer or Firefox.

By default, Tomcat uses the Java trust store to perform the authentication. This means that all CAs that are trusted by the Java VM could be used to create Administration Console login certificates as long as the subject_alt_name in the certificate matches an Administration Console user account. If you decide to use the JVM truststore (jre\lib\security\cacerts), the Administration Console root certificate or SAP-CA certificate must be imported into it using Java's keytool. For further information refer to section 5.4.1 Configure SSL Trust for the Web Client Java Applet on page 116.

3.3.3.2 Setup Tomcat to Trust Only Administration Console-Generated Certificates

This section details how to set up Tomcat to trust only those certificates created via the Administration Console, and also how to create a truststore (and set ports) specifically for the purpose of single sign-on to the Administration Console. To accept only certificates created via the Administration Console, the Tomcat SSL connector must be configured to use a truststore other than the Java VM's. This can be achieved either by creating a new truststore or by using the Secure Login Administration Console truststore. To set up single sign-on it is necessary to create and use a truststore specifically for that purpose (see Create a New Truststore below). The following example creates two ports, one for the Administration Console and one for the Secure Login Client.


Create a New Truststore

1. As a first step, create a new truststore that contains only the Administration Console root certificate. Open a command box, enter the following on one line and press Return:

   keytool -import -v -trustcacerts -alias my_root_ca -file C:\root.crt -keypass 123456 -keystore C:\myTruststoreFile.jks -storepass 123456

   The keystore file name must match the truststoreFile value used in the connector configuration below (C:\myTruststoreFile.jks in this example); replace the sample password 123456 with one of your own.

2. Now configure a Tomcat SSL connector to use this truststore only (for single sign-on):
- Open the Server.xml file from the directory <Tomcat home>\conf.
- Enter the following example code after the commented-out SSL configuration example in the Server.xml file. Edit the values that depend on your environment (the port numbers, the keystore and truststore paths, and the passwords, which are highlighted in the printed manual) accordingly:

   <Connector port="4443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
              enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0"
              scheme="https" secure="true" ClientAuth="false" sslProtocol="TLS"
              keystoreType="pkcs12" keystoreFile="C:\SSL_SERVER.p12" keystorePass="123456" />

   <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
              enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0"
              scheme="https" secure="true" ClientAuth="true" sslProtocol="TLS"
              keystoreType="pkcs12" keystoreFile="C:\SSL_SERVER.p12" keystorePass="123456"
              truststoreFile="C:\myTruststoreFile.jks" truststoreType="jks" truststorePass="123456" />

In this example note that there are two connectors: one for the Secure Login Client (port 4443 in the example) and one to be used only for single sign-on to the Administration Console (port 8443 in the example). This is to avoid any possible access conflicts. The connector to be used for single sign-on differs in the following ways (the parameters highlighted in the printed manual):
- A different port number.
- The parameter ClientAuth is set to true, so the connector requires a client certificate.
- The truststore file (*.jks) is stated, so only certificates issued by the CA contained in that truststore are accepted.


3.3.3.3 Setup Tomcat for Single SSL Port Usage for both the Administration Console and Secure Login Client

This section details how to set up a single SSL port in Tomcat for both the Secure Login Administration Console and the Secure Login Client to share. This makes it possible to perform certificate-based single sign-on to the Secure Login Administration Console as well as the standard login of the Secure Login Client over the same port.

Create a Single SSL Port

1. Open the Server.xml file from the directory <Tomcat home>\conf.
2. Enter the following example code after the commented-out SSL configuration example in the Server.xml file. Edit the values that depend on your environment (the port number, the keystore and truststore paths, and the passwords, which are highlighted in the printed manual) accordingly:

   <Connector port="4443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
              enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0"
              scheme="https" secure="true" ClientAuth="want" sslProtocol="TLS"
              keystoreType="pkcs12" keystoreFile="C:\SSL_SERVER.p12" keystorePass="123456"
              truststoreFile="C:\myTruststoreFile.jks" truststoreType="jks" truststorePass="123456" />

As you can see from the parameter ClientAuth="want" (highlighted in the printed manual), client authentication is now optional: a client that presents a certificate issued by the CA in the configured truststore is authenticated by it, while a client that presents no certificate (the Secure Login Client standard login) is still accepted on the same port.
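The connector settings from sections 3.3.3.2 and 3.3.3.3 can be checked mechanically. The following Python script is an added example, not part of the SECUDE manual or product: it parses a Tomcat server.xml (a constructed sample is embedded), classifies each HTTPS connector by its ClientAuth value and flags a connector that requests client certificates without a dedicated truststoreFile, which would validate them against the JVM cacerts instead.

```python
"""Sanity check for the Tomcat HTTPS connectors described in sections 3.3.3.2 and 3.3.3.3.

Added example, not part of the SECUDE manual or product. It parses a Tomcat
server.xml, finds every connector with scheme="https" and reports which of the
three roles from the manual the connector plays:

  client : ClientAuth=false                   (Secure Login Client standard login)
  sso    : ClientAuth=true  + truststoreFile  (single sign-on to the Admin Console)
  shared : ClientAuth=want  + truststoreFile  (one port for both)

A connector that requests client certificates but names no truststoreFile
validates them against the JVM cacerts, i.e. any CA the JVM trusts would be
accepted, which is exactly what section 3.3.3.2 is meant to rule out.
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml. Paths and passwords are the placeholders from
# the manual; the third connector deliberately omits the truststore.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="4443" scheme="https" secure="true" ClientAuth="false"
               sslProtocol="TLS" keystoreType="pkcs12"
               keystoreFile="C:\\SSL_SERVER.p12" keystorePass="123456"/>
    <Connector port="8443" scheme="https" secure="true" ClientAuth="true"
               sslProtocol="TLS" keystoreType="pkcs12"
               keystoreFile="C:\\SSL_SERVER.p12" keystorePass="123456"
               truststoreFile="C:\\myTruststoreFile.jks" truststoreType="jks"
               truststorePass="123456"/>
    <Connector port="9443" scheme="https" secure="true" clientAuth="true"
               sslProtocol="TLS" keystoreType="pkcs12"
               keystoreFile="C:\\SSL_SERVER.p12" keystorePass="123456"/>
  </Service>
</Server>
"""

SAMPLE_PASSWORD = "123456"   # the placeholder password used throughout the manual


def _attr(connector, name):
    """Look up a connector attribute case-insensitively.

    The manual writes ClientAuth, the Tomcat documentation clientAuth; Tomcat
    maps both spellings onto the same setter, so the checker accepts either."""
    for key, value in connector.attrib.items():
        if key.lower() == name.lower():
            return value
    return None


def classify_connectors(server_xml):
    """Return one dict per HTTPS connector: port, role, truststore and findings."""
    root = ET.fromstring(server_xml)
    results = []
    for connector in root.iter("Connector"):
        if (_attr(connector, "scheme") or "").lower() != "https":
            continue  # plain HTTP connector, nothing to check
        client_auth = (_attr(connector, "clientAuth") or "false").lower()
        truststore = _attr(connector, "truststoreFile")
        findings = []
        role = {"false": "client", "true": "sso", "want": "shared"}.get(client_auth, "unknown")
        if role == "unknown":
            findings.append("unexpected ClientAuth value %r" % client_auth)
        if role in ("sso", "shared") and not truststore:
            findings.append("client certificates requested but no truststoreFile set: "
                            "Tomcat falls back to the JVM cacerts, so certificates from "
                            "any JVM-trusted CA are accepted, not only Administration "
                            "Console certificates")
        if _attr(connector, "secure") != "true":
            findings.append('secure attribute is not "true"')
        for name in ("keystorePass", "truststorePass"):
            if _attr(connector, name) == SAMPLE_PASSWORD:
                findings.append("%s still uses the sample value from the manual" % name)
        results.append({"port": _attr(connector, "port"), "role": role,
                        "truststore": truststore, "findings": findings})
    return results


if __name__ == "__main__":
    for entry in classify_connectors(SAMPLE_SERVER_XML):
        print("port %s: role=%s truststore=%s" % (entry["port"], entry["role"], entry["truststore"]))
        for finding in entry["findings"]:
            print("    - " + finding)
```

Run it against your own <Tomcat home>\conf\server.xml by replacing SAMPLE_SERVER_XML with the file contents; every connector should come back with an empty findings list.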


3.4 Installation Procedure for BEA WebLogic-based Server Installations

Introduction

This section describes the installation procedure for an environment using BEA WebLogic. These steps assume that BEA WebLogic and the necessary runtime components are already installed.

1. This first step applies to BEA WebLogic 8.1 only. If you are using BEA WebLogic 9 or 10, please start with step 5. Before deploying the application you must check the readiness of the Server for application deployment by setting the Staging Mode. If you have already performed this task then go to step 5. Start the WebLogic Server and open the BEA WebLogic console: http://<hostname or IP:port>/console
2. Select <domain> > Server > myServer from the navigation tree.
3. Select the tabs Configuration > Deployment:

Figure 3-2 BEA console: check staging mode

Make sure that the Staging Mode is set to stage. If not, select stage from the combobox and click Apply.
4. Close the console and restart the WebLogic Server.
5. Create a new directory: <BEA home>/Server/bin/myServer/stage/securelogin.war
6. Unzip the contents of the securelogin.war file to the directory stated in the previous step.
7. Now deploy the Secure Login application. Open the BEA WebLogic console: http://<hostname or IP:port>/console
8. The BEA WebLogic Server Home page will appear:

Figure 3-3 BEA console: WebLogic Server Home page

Click Web Application Modules.
9. The Web Applications page will appear:

Figure 3-4 BEA console: Web applications page

Click Deploy a new Web Application Module.
10. The Deploy a new Web Application Module page will appear:

Figure 3-5 BEA console: deploy Web application page

Use Location to navigate to the stage Server directory (do not use the upload your files link). For example: 10.49.13.169/opt/bea/Weblogic81/Server/bin/myServer/stage
11. Select the securelogin.war application and click Target Module.
12. Start the Secure Login application in BEA WebLogic.
13. After Secure Login has been successfully deployed, open your Internet browser and enter the Secure Login Administration Console URL: http://<host:port>/securelogin
14. Use the Administration Console initialization wizard to create the Secure Login environment (refer to the next section).

3.5 Installation Procedure for SAP NetWeaver-based Server Installations

Introduction

This section describes the installation procedure for an environment with SAP NetWeaver. After unpacking the installation package, the installation of the SECUDE Secure Login Server comprises the following tasks:
- Create SSL certificates
- Configure the SECUDE Secure Login Server
- Deploy the files on SAP NetWeaver
- Configure the Authentication Server in SAP NetWeaver
- Test the SECUDE Secure Login Server
- Configure SSL
- Test the SSL connection

3.5.1 Configure the System Environment (only for SAP ID-Based Logon)

This section details the steps necessary to pre-configure the system for the respective environment.

1. Configure NetWeaver (prerequisite to run the Secure Login Administration Console): change the password of the Guest user via NetWeaver user management.
- Select Server0 > services > Security provider from the tree in the left-hand pane.
- Select the Runtime tab and then the User Management tab.
- Open the Users tab and locate the entry Guest.
- Enter a new password in the field Change password, check No password change required, and click Change. A password confirmation dialog will appear:

Figure 3-6 Confirm password change

Re-enter the new password and click OK.
2. Now deploy the Secure Login enterprise archive to NetWeaver. The archive is located in the directory already unzipped in section 3.2 on page 34: SECUDE51SecureLoginServer\NetWeaver\securelogin.ear. The easiest method of deploying the archive is to use either the SAP Software Deployment Tool or SAP Visual Administrator. For further details please refer to the proprietary documentation.

Make sure that file name and path notation is correct for the target operating system.

3. Open and log on to the Administration Console. In your browser, enter the following URL: http://<URL-Where-Your-Servlet-Resides>/securelogin/ For example: http://SAPNetWeaverHost:50000/securelogin/ The SECUDE Secure Login Administration Console prerequisite check page should appear:

Figure 3-7 Administration Console prerequisite check page

This page lists the prerequisites to run Secure Login successfully. Items with a green dot in front of them indicate correct availability and functionality. Items with a red light in front of them indicate an error. Items with a yellow light in front of them indicate an optional component that may be needed according to Server and setup type (for example, the SAP Adapter is needed for the SAP ID-based logon). Click Continue to go through the setup wizard as described in section 3.6.3 Step 2 - Multiple Authentication Server Initialization Expert Mode (Wizard) on page 63.
4. After completing the initial setup, the Web.xml file in the WEB-INF directory must be updated (re-read). This is achieved via the SAP Visual Administrator:
- Open the SAP Visual Administrator.
- Select the Server(x) > Services > Deploy node from the tree in the left-hand pane.
- Select the deployed secude.com/SecureLogin component from the Runtime tab in the middle pane.
- Click Single File Update on the right-hand side. The following dialog will appear:

Figure 3-8 Update Web.xml file

Click OK.
5. Open and log on to the Administration Console. In your browser, enter the following URL: http://<URL-Where-Your-Servlet-Resides>/securelogin/ For example: http://SAPNetWeaverHost:50000/securelogin/ The login page should appear:

Figure 3-9 Administration Console login page

Generate the SSL certificates as a *.p12 file as described in section 6.3.2.3 Username Configuration for SQL JAAS Module on page 183. Locate the SSL certificate and change the file extension to *.pfx. For further information about the Administration Console refer to section 6.1 on page 119.

Excerpt from section 6.3.2.3 Username Configuration for SQL JAAS Module (page 183)

Depending on the username/Client ID schema used for database authentication, some configuration properties may be needed to define which user name is put into the certificate. This is only to be considered if the Secure Login Client sends compound username values.

Property: UseQualifiedName
Details: If true, the full received username value is taken for the certificate's CN field. If false, only the user ID part before the separator is taken, and UserNameSeparator must be set to a non-blank value to apply this property. Default value: true.

Property: UserNameSeperator
Details: String of one or more characters that separates the username and the Client identifier sent by the Secure Login Client. If configured, DBColumnClientID must also be configured in the SQL JAAS module. Default value: None. Sample: with UseQualifiedName=false and UserNameSeperator configured accordingly, USER001#CLIENT999 is split to USER001.

6. Now enable SSL in SAP NetWeaver:

If there is more than one Server installed, this step has to be performed for each of the Servers.


- Open the SAP Visual Administrator.
- Select the Server(x) > Services > ConfigurationAdapter node from the tree in the left-hand pane.
- Select the Runtime tab and then the Display configuration tab.
- Select the following node from the middle pane: Configurations > cluster_data > dispatcher > cfg > services > Propertysheet.ssl-runtime

Figure 3-10 Enable SSL: select Propertysheet.ssl-runtime node

- Click the pencil icon (middle icon under the tab heading) to display the Change Configuration dialog:

Figure 3-11 Enable SSL: Change Configuration dialog

- Select the property startup-mode and enter always into the field value (make sure that the custom checkbox is unchecked). Click OK.

- The same set of properties must also be changed at another Server node. Select the following node from the middle pane: Configurations > cluster_data > Server > cfg > services > Propertysheet.ssl-runtime
- As above, select the property startup-mode and enter always into the field value (make sure that the custom checkbox is unchecked). Click OK.
7. Now that Secure Login has been deployed and SSL has been enabled, the Server must be restarted to make use of the new settings.
8. Now for certificate import and validation. To enable Server authentication, the Server has to have an SSL Server certificate. This certificate and the associated private key must be imported into SAP NetWeaver. This is achieved by using the *.pfx file generated in step 5.

SAP NetWeaver only accepts PKCS#12 software token files with the extension *.pfx.

- Open the SAP Visual Administrator.
- Select the Server(x) > Services > KeyStorage node from the tree in the left-hand pane.
- Select the Runtime tab. The certificates are organized into sub-groups, so-called Views. Each View is purpose-based and contains the certificates that suit its purpose, for example the TrustedCAs and service_ssl Views, or Views defined by the administrator:

Figure 3-12 Certificate import: key storage

- Click the service_ssl entry in the Views list.
- Click Load. Locate and open the SSL certificate created by the Administration Console in step 5.

Before the SSL certificate can be verified, all certificates up to the root have to be imported in the manner described above. Furthermore, the root certificate must be imported (loaded) into the TrustedCAs view: NetWeaver only accepts certificates contained in this view as trust anchors. Use the Load button to import a certificate. The certificate file has to be base64-encoded with the file name extension *.crt.
9. Now for SSL configuration. To enable Client authentication the SSL Provider must be configured to request the Client certificates.
- Open the SAP Visual Administrator.
- Select the Server(x) > Services > SSL Provider node from the tree in the left-hand pane.
- Select the Runtime tab and then the Client Authentication tab in the bottom right-hand pane.
- Select Do not request Client certificate:

Figure 3-13 Set SSL configuration

- Click the Server Identity tab.
- Click Add to browse for the credentials uploaded in step 8.
10. The configuration of SAP NetWeaver for Secure Login is now complete.

Next Steps

The next step is to configure the Authentication Servers for Secure Login. Please refer to the next section, 3.5.2 on page 49. When installing the signon&secure components for SAP ID-based logon (see section 6.1.12 SSS&JCO Installation on page 158), you can ignore the third step, Install JCO, because SAP NetWeaver already has these components installed and set.

3.5.2 Configure the Authentication Server in SAP NetWeaver

Introduction

The JAAS module used by the SECUDE Secure Login Server must be configured directly inside SAP NetWeaver. You have to create one JAAS module with a corresponding policy and add a configuration for each Authentication Server in the JAAS module. The configuration process consists of the following steps:
- Configure the LoginModuleClassLoader property.
- Create a JAAS module.
- Configure the first Authentication Server in the JAAS module.
- Create a JAAS policy.
- Configure an Authentication Server in the JAAS module.

Configuration is performed in SAP Visual Administrator. The relevant configuration node is the Security Provider node in the Services section. Follow these steps to configure LoginModuleClassLoader:

1. Open the SAP Visual Administrator.
2. Select the Security Provider node from the left-hand pane and the Properties tab from the right-hand pane.
3. Select the LoginModuleClassLoaders property from the list and enter the following value into the field Value at the bottom of the window: library:SECUDE-SecureLogin

Figure 3-14 SAP Visual Administrator: configure the LoginModuleClassLoader property

4. Click Update at the bottom of the window.
5. Now create a JAAS module:
- Select the Security Provider node from the left-hand pane and the Runtime tab from the right-hand pane. This will open a second row of tabs.
- Select the User Management tab.
- Select the pencil icon above the top row to change to edit mode.
- Click Manage Security Stores. The area for the login module administration is displayed:

Figure 3-15 SAP Visual Administrator: configure the JAAS module

- Click Add Login Module on the right-hand side of the window. The following window appears:

Figure 3-16 SAP Visual Administrator: add login module

- In the Class Name field enter the class name of the JAAS module:
  - For ADS: com.secude.transfair.pepperbox.LdapJaasModule
  - For RSA/RADIUS: com.secude.transfair.pepperbox.RsaRadiusJaasModule
  - For SAP-ID: com.secude.transfair.pepperbox.SAPJaasModule
- Enter descriptive strings in the fields Display Name and Description.
6. Now configure the first Authentication Server in the JAAS module: in the Add Login Module window, enter the names and values of the configurable module properties for the first Authentication Server in the Options table. For a description of the configurable properties for ADS, see section 9.2.4.1 JAAS Module Configuration Files for LDAP/ADS on page 253. For a description of the configurable properties for RSA/RADIUS, see section 9.2.4.2 JAAS Module Configuration Files for RADIUS/RSA on page 257. Click OK.
7. Now create a JAAS policy:
- Select the Security Provider node from the left-hand pane and the Runtime tab from the right-hand pane. This will open a second row of tabs.
- Select the Policy Configuration tab.
- Click Add under the component list. A new dialog will open. Under Name, enter SLSJaasModule. Click OK. The window now appears as follows:

Figure 3-17 SAP Visual Administrator: add JAAS module

8. Now configure an Authentication Server in the JAAS module:
- Select the newly created SLSJaasModule policy/login module configuration from the Components list.
- Click Add New at the bottom right-hand side of the window. The available login modules are displayed.
- Select the JAAS module you want to configure. Click OK. The Edit Login Module window opens:

Figure 3-18 SAP Visual Administrator: edit login module

- Enter the names and values of the configurable module properties of the added Authentication Server (a list of property names and examples can be found in the section covering Authentication Server configuration via the Administration Console; see section 6.1.4 on page 128).

3.5.3 Test the SSL Connection

The following steps describe how to test the Secure Login files deployed to the Server. Make sure that the file name and path notations used here are correct for the target operating system.

1. In your browser, enter the following URL: https://<URL-Where-Your-Servlet-Resides>/securelogin/PseServer?op=Serverstatus For example: https://SAPNetWeaverHost:50001/securelogin/PseServer?op=Serverstatus
2. If the deployment has been successful, the SECUDE Secure Login Administration Console login page should appear as in section 6.1.1.

3.6 Initialization and Configuration for ADS, LDAP, RADIUS, SAP ID, SAP Ticket, and Database Module

Introduction

This section details the initialization and configuration of the Secure Login Server component using the Administration Console initialization wizard.

Contents
- Section 3.6.1 Step 1 - Initial Installation, on page 54
- Section 3.6.3 Step 2 - Multiple Authentication Server Initialization Expert Mode (Wizard), on page 63
- Section 3.6.4 Step 3 - Configure Authentication Server Communication, on page 84
- Section 3.6.5 Step 4 - Test SECUDE Secure Login Server, on page 90

For reasons of security, the Secure Login Server component can only be initialized via the Administration Console, and only when the console is called from the same Server computer on which Secure Login resides. If, however, you want to perform the initialization and configuration from a remote location, you must manually enable this feature by editing the Secure Login Web.xml file. For further details please refer to section 7.17 on page 229. If you want to use Secure Login on an operating system that does not have a GUI (for example Unix without X-Win), you must use SSH or PuTTY to tunnel the Client web browser connection to the Server (as long as an SSH daemon is running on the Server).

3.6.1 Step 1 - Initial Installation

Introduction

This section describes the installation procedure and initial configuration of Secure Login. This is necessary for all Authentication Server types.

1. If you have not already done so, enter the following URL in your Internet browser: http://<URL-Where-Your-Servlet-Resides>/securelogin For example: http://localhost:8080/securelogin
2. If the deployment has been successful, the SECUDE Secure Login Administration Console prerequisite check page should appear:

Figure 3-19 Administration Console prerequisite check page

This page lists the prerequisites to run Secure Login successfully. Items with a green dot in front of them indicate correct availability and functionality. Items with a red light in front of them indicate an error. Items with a yellow light in front of them indicate an optional component that may be needed according to Server and setup type (for example, the SAP Adapter is needed for the SAP ID-based logon). For further information about the Administration Console refer to section 6.1 on page 114.
3. Click Continue.
4. The scenario selection page will appear:

Figure 3-20 Server initialization: authentication selection page

Use this page to choose between either an Authentication Server-specific quick initialization or a detailed multiple Authentication Server initialization. Click on the logo next to one of the Server-specific methods (Microsoft Windows Domain Username and Password, Username and Password Stored in LDAP Server, One-Time Password, or SAP Username and Password). For details about the next step, refer to the next section. If you click on the Multiple Authentication Methods (Expert Mode) logo, the next step is in section 3.6.3 on page 63.


3.6.2 Step 2 - Server-Specific Quick Initialization

1. After clicking the logo next to the desired authentication method (Microsoft Windows Domain, SUN Directory Server or other LDAP Server, RSA SecurID or other one-time password solution, or SAP NetWeaver; see previous section), the Company Information page will appear:

Figure 3-21 Server Setup Wizard: company information page

Enter basic information about your company. The following options are available (options marked with * in the wizard are mandatory):

Company Information
- Country: The abbreviation of your country. Click on the field to open the drop-down menu and select a country. Example: DE for Germany
- Locality: The region in which your company is located. Example: Darmstadt
- Company name: Enter the name of your company in this field. Example: SECUDE

Administrator Account Password Information
- Account name: The username for the account. NOTE: The password will be used as the password for Administration Console access!
- Password: The password for this account.
- Confirm password: Confirm the password entered in the field above.

Click Next to continue.
2. According to which authentication method you selected in section 3.6.1, step 4, on page 55, one of the following pages will appear.

For Microsoft Windows Domain authentication:

Figure 3-22 Server initialization: Microsoft Windows Domain authentication page

The following options are available (options marked with * are mandatory):
- Let SECUDE Secure Login: Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter a password in the fields Certificate Password and Confirm Certificate Password to be used for all automated PKI operations (PSE file and TrustStore passwords).
- Enter the Active Directory Server: The IP or URL of the Authentication Server. Click More to view the following options:
  - Use SSL: Check this option if you want to use secure communication with the Server.
  - Port: The port number the Active Directory Server uses for communication.
- The communication between: Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and the Active Directory Server.

For SUN Directory Server/LDAP authentication:

Figure 3-23 Server initialization: SUN Directory Server/LDAP authentication page

The following options are available (options marked with * are mandatory):
- Let SECUDE Secure Login: Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter the certificate password in the fields Certificate Password and Confirm Certificate Password.
- Enter the LDAP Server: The URL of the Authentication Server. Click More to view the following options:
  - Use SSL (LDAPs): Check this option if you want to use secure communication with the Server. NOTE: GetBaseDN will not work if SSL is enabled. If you want to use the GetBaseDN feature, it is recommended that you click it first and then enable SSL.
  - Port: The port number the SUN Directory Server/LDAP Server uses for communication.
- Enter or select the LDAP search base: Manually enter the base DN (distinguished name) or click GetBaseDN to try to retrieve it automatically from the LDAP Server.
- The communication between: Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and SUN DS/LDAP Server.

For RSA SecurID authentication or other one-time password solutions:

Figure 3-24 Server initialization: RSA SecurID authentication page

The following options are available (options marked with * are mandatory):
- Let SECUDE Secure Login: Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter the certificate password in the fields Certificate Password and Confirm Certificate Password.
- Enter the RSA Server: The URL of the RSA Server. Enter the password into the Shared Secret field. Click More to view the following options:
  - AuthPort: The authentication port at which the RSA Server expects to be queried for authentication requests.
  - Authenticator: The authentication protocol for the RSA Server. The possible options are CHAP, MSCHAP and PAP. NOTE: The RSA Authentication Manager only supports the PAP authentication protocol.
- The communication between: Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and the RSA Server.

For SAP NetWeaver authentication:

Figure 3-25 Server initialization: SAP NetWeaver authentication page

The following options are available (options marked with * are mandatory):
- Let SECUDE Secure Login: Check this option if you want Secure Login to use a custom PKI to establish trust between the user and Server. Enter the certificate password in the fields Certificate Password and Confirm Certificate Password.
- SAPID authentication: If necessary, use the following options to install signon&secure and/or JCO for SAPID:
  - Install signon&secure
    - Setup File: Click Browse to locate the signon&secure package (*.zip file). The files can be located in the SSS+JCO sub-directory of the file SECUDE51SecureLoginNativeComponents.zip delivered with Secure Login.
    - License File: Click Browse to locate the file ticket.snc (received from SECUDE).
  - Install JCO for SAPID
    - sapco.jar: Click Browse to locate and open the sapjco.jar file (applies to both Windows and Linux/Sun).
    - sapco library 1: Click Browse to locate and open one of the following files (according to operating system): for Windows librfc32.dll, for Linux/Sun librfccm.so.
    - sapco library 2: Click Browse to locate and open one of the following files (according to operating system): for Windows sapjcorfc.dll, for Linux/Sun libsapjcorfc.so.
- Enter the SAP Server: Enter the IP or URL of the SAP Server into the first (unmarked) field. Enter the password into the Username field. Click More to view the following extra options:
  - Client: SAP System ID.
  - System Number: SAP System Number.
  - SNCServerName: The DN of the SAP Server, as stated in the Server certificate (the subject DN of the X.509 certificate). This option is not needed if you have selected the first option (let Secure Login use a custom PKI to establish trust between the user and Server). For example: p:CN=SAP NetWeaver 2004, O=secude.local, C=DE
- The communication between: Use this option to activate SSL communication between the Secure Login Client, Secure Login Server, and SAP ID Server.

Due to legal restrictions, the SAP JCO libraries are not part of the Secure Login delivery package. For further information please contact SECUDE support.

Click Next to continue.

3. The Install Process page will appear:

Figure 3-26 Server initialization: install process page

This page will display the status of the installation/initialization. Click Start. The status of the installation will be displayed for each step. As soon as a step is complete, a green check mark will appear next to it:

Figure 3-27 Server initialization: status of initialization

4. Once the initialization is successful, the following information will appear:

Figure 3-28 Server initialization: procedure complete

5. Manually restart the application Server.

Next Steps

For information about how to log in to the console and start using it, refer to section 6.1 Administration Console on page 119.


3.6.3 Step 2 - Multiple Authentication Server Initialization Expert Mode (Wizard)

This section will guide you through the steps necessary to perform a quick, Authentication Server-specific initialization.

1. The Welcome page of the wizard appears:

Figure 3-29 Server Setup Wizard: welcome page

This page introduces the wizard and displays, on the left-hand side, the logical steps necessary to initialize the Server. Click Next to continue. Some of the more complicated wizard pages have an information bubble icon next to the page header. Click on the icon to open a pop-up dialog containing information about the entries on the page.


2. The Create Administrator Account page will appear:

Figure 3-30 Server Setup Wizard: create administrator account

This page allows you to create an account username and password to be used to log on to the console. The following options are available:
- Account name: The username of the account to be created.
- Password: The password for the account to be created. The password must fulfil the following criteria: it must be between 5 and 10 characters long (use a mix of letters, numbers and special characters) and must contain at least one uppercase letter.
- Confirm password: Enter the password a second time in this field to confirm the entry made in the field Password.

Click Next to continue.


3. The Setup Type page will appear:

Figure 3-31 Server Setup Wizard select setup type

The next page to appear varies according to the selection made here. You can choose between the following options:

Create a new SECUDE Secure Login Server
    Select this option to start configuring a new Server. Click Next to continue with section 3.6.3.1 on the next page.

Migrate from an existing SECUDE Secure Login Server
    Select this option to migrate the configuration from an existing Secure Login Server. Click Next to continue with section 3.6.3.2 Migrate from an Existing SECUDE Secure Login Server, on page 82.

Restore from an existing backup (*.zip) file
    Select this option to restore the configuration from a backup file. Click Next to continue with section 3.6.3.3 Restore from an Existing Secure Login Server Backup (*.zip) File, on page 83. NOTE: only backup files created using Secure Login 5.x and 4.3 are supported.


3.6.3.1 Create a New SECUDE Secure Login Server

Continue with this section if you selected Create a new SECUDE Secure Login Server in the previous section.

1. The Input root CA information page will appear:

Figure 3-32 Server Setup Wizard Input root CA information

This page allows you to enter information about the root certificate authority for the Secure Login Server. The following options are available (entries marked with * are mandatory):

Create a Root CA by certificate information
    Common name*
        Enter the name of the root certificate authority in this field. Example: SECUDE CA
    Organization unit
        Enter the division of the company in this field. Example: Research+Development
    Organization
        Enter the company name in this field. Example: SECUDE
    Locality
        Enter the regional information in this field. Example: Darmstadt
    Country
        Enter the country abbreviation in this field. Example: DE for Germany
    Encryption key length
        Select the key length for the Server (512, 1024, 1536, 2048, 3072, or 4096 bits). Key lengths below 2048 bits are no longer considered adequate for a CA key; choose 2048 bits or more unless a legacy component forces a shorter key.
    Valid from*
        Enter the date from which this certificate authority is valid (YYYY-MM-DD). Example: 2007-07-11
    Validity period (months)*
        Enter the number of months for which the certificate authority is valid.
    Password*
        Enter the password used to protect (encrypt) this CA's keystore. Check Save Password to store the password for this certificate in a separate Secure Login password file, so that you do not need to remember it when editing this certificate at a later date.
    Confirm password*
        Confirm the password entered in the field above.

Import an existing KeyStore file
    Checking this option displays the following options:

    Figure 3-33 Initialization Wizard import existing keystore

    KeyStore File
        Click Browse to locate and load an existing KeyStore (PSE) file (*.pse).
    Password
        The password for the KeyStore (PSE) file.
    Save Password
        Check this option to store the password for this certificate in a separate Secure Login password file, so that you do not need to remember it when reloading the PSE file at a later date.

Skip this certificate
    Check this option if you do not want, or do not need, to enter any information for this specific certificate at this time.

Skip all PKI certificates
    Check this option if you do not want, or do not need, to enter information for any certificate at this time. This skips all the PKI certificates, including the Root CA, SSL CA, SSL Server and User CA certificates. You can create or add certificate information at a later time via the Certificate Management function of the Administration Console (see section 6.3.2 on page 181). If you select this option, continue with the setup from step 6 on page 70.

Click Next to continue.

2. The SSL Certificate Generation Type page will appear:

Figure 3-34 Server Setup Wizard SSL certificate generation type

This page allows you to configure the use of SSL certificates. SSL is used to encrypt the communication channels, which requires a dedicated SSL Server certificate. The following options are available:

Generate SSL certificate using Secure Login Administration Console
    If you select this option, the Secure Login Server is configured as a Root CA and an SSL CA (the next two screens). The Root CA issues the SSL CA a valid certificate; the SSL CA in turn issues a valid Server certificate to be installed on the Server. You will need to download this certificate and install it according to your Server's particular configuration. Proceed with the next step.

Generate SSL certificate to be signed by an external CA
    If you select this option, the Secure Login Server generates a certificate signing request. You may download this request, have it signed by an external CA, and import the resulting certificate back into the Server to enable SSL connectivity. Proceed with step 4 on page 69.

Skip all SSL certificates
    Check this option if you do not want, or do not need, to enter any SSL certificate information at this time. Proceed with step 5 on page 70.

Click Next to continue.


3. The SSL CA Information page will appear:

Figure 3-35 Server Setup Wizard input SSL CA information

This wizard page is for information about the certificate authority to be used for SSL. The options available on this page are the same as in step 1 on page 66. Options marked with a red * are mandatory. If you selected Click Next to continue.

4. The SSL Server Information dialog appears:

Figure 3-36 Server Setup Wizard input SSL Server information

This wizard page is for information about the Server certificate to be used for SSL. For information about the options available on this page refer to step 1 on page 66. Options marked with * are mandatory. Click Next to continue.


5. The User CA Information page will appear:

Figure 3-37 Server Setup Wizard input user CA information

This wizard page is for information about the user certificate authority, the CA that issues the user certificates. For information about the options available on this page refer to step 1 on page 66. Options marked with * are mandatory. Click Next to continue.

6. The Server Configuration page will appear:


Figure 3-38 Server Setup Wizard Server configuration

This wizard page helps you to set up basic Server parameters. The following options are available (options marked with * are mandatory):

AuthConfigPath
    The path to the JAAS configuration file on the Server's file system, for example: D:\SECUDE Secure Login\SLSJAAS.login

PseName
    The User CA keystore file path. If you created a User CA in the previous step, the file path is shown here.

DN.Country
    Information for a temporary certificate: the country designation (for example: DE for Germany).

DN.Locality
    Information for a temporary certificate: the regional designation (for example: Darmstadt).

DN.Organization
    Information for a temporary certificate: the organization designation (for example: SECUDE).

DN.Organizational Unit
    Information for a temporary certificate: the department designation (for example: Research and development).

ValidityMinutes*
    Information for a temporary certificate: the period of time (in minutes) for which the user certificate is valid.

DailyLogDir
    The path of the directory in which the daily log files are stored.

MonthlyLogDir
    The path of the directory in which the monthly log files are stored.

doTrace
    Determines whether the Server's execution trace is recorded for problem analysis. true (yes) = enable trace messages; false (no) = disable trace messages.

LockDir
    The path to which the lock file is saved. A lock file is created when the Server encounters an internal error that requires manual intervention. Default value: the temporary directory of the Java VM, i.e. the directory denoted by the java.io.tmpdir property.

Client Name/IP
    The hostname or IP address used within the URLs in all Client policy files for connecting to SLS.

Click Next to continue.

7. The Authentication Server Configuration page will appear:

Figure 3-39 Server Setup Wizard Authentication Server

If you want to add an Authentication Server, click Add Server (if not, click Next and go to the next step).

The specific settings for each of the supported Authentication Server types are covered in the following sections:
- for a servlet engine-based Server (such as Apache Tomcat) refer to page 84;
- for an RSA Server refer to page 86;
- for a SAP NetWeaver-based Server for SAP ID-based logon refer to page 87.

8. The Add Authentication Server page will appear:

Figure 3-40 Server Setup Wizard add Authentication Server

Depending on which Server Type is selected, other options appear or disappear in the table. The following options are available (options marked with * are mandatory):

Options (general)

Application Name*
    An application name is the identifier of the group of authentication modules associated with one instance of the SECUDE Secure Login Server (SLS). There can be only one instance of a particular authentication module residing in a JVM; however, there may be multiple SLS instances running in the JVM. Therefore the group of authentication modules used by an instance of SLS is assigned a unique application name for identification. Different SLS instances running on the same Server must have different application names. The default name is SLSJaasModule.

LoginModuleControlFlag
    The flag controls the Server's behavior when it proceeds down the authentication stack. For a detailed explanation, refer to the documentation of javax.security.auth.login.Configuration on the Sun Website. NOTE: this option cannot be changed.

Server Type
    Server type selection (LDAP, AD, RADIUS, or SAPID). Other options appear or disappear in the table according to the selection made here.

TestUserName
    Test user username. Use this option to set up a user to test the Server parameters.

TestUserPwd
    Test user password. Use this option to set up a user to test the Server parameters.

TryAllServers
    Determines when to try the next LDAP/ADS Server in the list. Possible values: FALSE (default): try the next Server only if this Server cannot be reached. TRUE: try the next Server if this Server cannot be reached or if access is denied.


Options (LDAP)

LdapHost*
    The address of the LDAP Server. This option is for the configuration of the LDAP Server (including the Windows Active Directory Server). For example: ldap://my.host.com:389 (if SSL is used for the communication, the protocol must be changed to ldaps:// and the port number to 636). NOTE: an SSL Server certificate must have been successfully imported into the TrustStore for SSL to work. It is not possible to import a certificate until after the initial Server setup.

LdapBaseDN
    Information that identifies a user in the user management system, LDAP or Active Directory. Either enter the information manually or click Get baseDN list to browse the LDAP directory for the correct base distinguished name. The following pop-up window will appear:

    Figure 3-41 add Authentication Server get baseDN

    The following options are available (options marked with a red * are mandatory):

    Host name*
        The host name of the LDAP Server.
    Port*
        The port of the LDAP Server.
    Username*
        The username used to communicate with the LDAP Server.
    SSL
        Check this option to use the SSL protocol when communicating with the LDAP Server. If you use SSL, the protocol should be ldaps:// and a valid certificate is required.
    Anonymous bind
        Use this function to query the LDAP Server without a username (managerDN) and password (provided that the LDAP Server is configured to allow this).
    managerDN
        Specific username.
    password
        The password used to communicate with the LDAP Server.
    Base DN
        Click Get baseDN list to query the LDAP Server for a list of base distinguished names to be displayed in the combobox.
    Get baseDN list
        After you have entered the above parameters, click Get baseDN list to obtain the base DNs from the LDAP Server.

LdapTimeout(ms)
    Determines how long a Client should wait for a response from an LDAP/ADS Server before trying to connect to the next one.

LdapProviderLanguage
    Character set for the encoding of the characters when the Server communicates with the LDAP/ADS Server. For example: in the case of ADS, a possible character set is ISO-8859-1.

PasswordExpirationAttribute
    Password expiry date (from the LDAP Server). NOTE: if this option is used, the LdapBaseDN attribute must be given in complete DN form.

PasswordExpirationGracePeriod
    Defines the interval in days, inside which the password expiration warning is sent to the Client prior to password expiry.

AuthServerID
    The warning message to be sent to the Client in the event of password expiry.

Options (RADIUS)

RadiusServerIP*
    The IP address of the RADIUS Server.

AuthPort*
    The authentication port at which the RSA/RADIUS Server expects to be queried for authentication requests.

SharedSecret*
    A word/phrase used to encrypt the user password in the RADIUS request. The Secure Login Server and the RADIUS Server must be configured with the same value.

Timeout(ms)
    Determines how long a request to a Server waits before being sent to the next Server.

Authenticator
    Authentication protocol for the RSA/RADIUS Server. Possible options: CHAP, MSCHAP, PAP.

PinMin
    Minimum PIN length for users choosing a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 4

PinMax
    Maximum PIN length for users choosing a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 8

PinAlphanumeric
    PIN format. This parameter is only used with RSA SecurID tokens. Possible values: true: the user can choose, and use, a PIN which contains only alphanumeric characters (A-Z, a-z, 0-9). false (default): the user can choose, and use, a PIN which contains alphanumeric and special characters (such as !$%&). The default password policy for RSA allows only numeric PINs, which cannot be set up via the Secure Login Server/Client policy properties.

RSAServerIniFile
    If the RSA Server version is 6.1, a copy of the RSA Server RADIUS message *.ini file (securid.ini) has to be present. Make sure you enter the full path and file name, for example: <Tomcat home>\Webapps\securelogin\WEB-INF\securid.ini
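The RADIUS table above describes SharedSecret as the word used to "encrypt" the user password and lists PAP among the Authenticator protocols. What actually happens on the wire for PAP is the User-Password hiding scheme of RFC 2865 section 5.2, reproduced here as an added example (not SECUDE code). It builds a minimal Access-Request as a RADIUS client such as SLS would send and shows the server-side recovery of the password; the shared secret, Request Authenticator and password in the code are constructed test values.

```python
"""RFC 2865 User-Password hiding as used for PAP between a RADIUS client (the
Secure Login Server role) and a RADIUS server. Added example, not SECUDE code;
the secret, Request Authenticator and password used by main() are constructed.
"""
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, shared_secret: bytes,
                       request_authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 prescribes.

    The password is NUL-padded to a multiple of 16 octets. Each block is XORed
    with MD5(shared_secret + previous hidden block); the first block uses the
    16-octet Request Authenticator in place of a previous block.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    chain = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + chain).digest()
        block = _xor(padded[i:i + 16], keystream)
        hidden += block
        chain = block
    return bytes(hidden)


def unhide_user_password(hidden: bytes, shared_secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; this is what the RADIUS server computes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    clear = bytearray()
    chain = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(shared_secret + chain).digest()
        clear += _xor(block, keystream)
        chain = block
    # The padding consisted of NUL octets, so trailing NULs are stripped; a
    # password therefore cannot itself end in NUL octets.
    return bytes(clear).rstrip(b"\x00")


def _attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (Length includes the 2-octet header)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         shared_secret: bytes, request_authenticator: bytes = None) -> bytes:
    """Assemble a minimal Access-Request carrying User-Name and a hidden User-Password."""
    if request_authenticator is None:
        # RFC 2865 requires a fresh, unpredictable value per request: a reused or
        # predictable authenticator makes the MD5 keystream reusable by an observer.
        request_authenticator = os.urandom(16)
    attributes = _attribute(ATTR_USER_NAME, username)
    attributes += _attribute(ATTR_USER_PASSWORD,
                             hide_user_password(password, shared_secret, request_authenticator))
    length = 20 + len(attributes)  # Code, Identifier, Length, Authenticator = 20 octets
    return (struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier & 0xFF, length)
            + request_authenticator + attributes)


if __name__ == "__main__":
    # Constructed values; a deployment takes the secret from the SharedSecret setting.
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))
    pkt = build_access_request(7, b"user01", b"Tr0ub4dor&3-long-passphrase", secret, authenticator)
    print("Access-Request:", pkt.hex())
    hidden = pkt[20 + 8 + 2:]  # skip header, User-Name attribute and User-Password TLV header
    print("recovered by server:", unhide_user_password(hidden, secret, authenticator))
```

The point for the SharedSecret setting: this is MD5-based obfuscation keyed only by the shared secret, not modern authenticated encryption, and anyone who captures the request can test candidate secrets offline. Use a long random SharedSecret, keep the SLS-to-RADIUS path on a trusted network segment, and prefer CHAP or MSCHAP where the RSA/RADIUS Server supports them.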


Options (SAPID)

SAPServer
    IP or URL of the SAP Server.

Client
    SAP System ID.

SystemNo
    SAP System Number.

SNCServerName
    The DN of the SAP Server, as stated in the Server certificate, i.e. the subject DN of the X.509 certificate. For example:
    p:CN=SAP NetWeaver 2004, O=secude.local, C=DE

SAPaccount
    The SAP user account name for the SECUDE Secure Login Server.

NativeLibraryPath
    The folder of the native libraries and the SECUDE signon&secure package. NOTE: this configuration is a global Server Configuration property, which is also used by other JAAS modules.

PasswordMin
    This parameter is part of the password policy for the Client-side policy consistency check, specifically the minimum number of characters in the password. It must be consistent with the SAP password policy. Default value = 1

PasswordMax
    This parameter is part of the password policy for the Client-side policy consistency check, specifically the maximum number of characters in the password. It must be consistent with the SAP password policy. Default value = 30

PasswordAlphanumeric
    This parameter is part of the password policy for the Client-side policy consistency check. Possible values: true (default): the password can contain only alphanumeric characters (A-Z, a-z, 0-9). false: the password can contain alphanumeric and special characters (such as !$%&). It must be consistent with the SAP password policy.

Once you have selected the appropriate options click Test to check the validity of the Server information. If the parameters are correct a message will appear confirming a successful connection. If any parameter is incorrect an error message will appear. Click Save to be returned to the Authentication Server page.


The Authentication Server page should now look something like this:

Figure 3-42 Server Setup Wizard added Authentication Servers

As you can see, the page now contains an Authentication Server entry. You can now click Edit to change any Authentication Server options, Delete to remove an entry from the Authentication Server list, or Add Server to add another Server to the configuration. If the Server entries are correct and complete, click Next to continue.

9. The Client Policy Configuration page will appear:


Figure 3-43 Server Setup Wizard configure Client policy

This step helps you to enter Client policy information. A Client needs this information to communicate with the SECUDE Secure Login Server. At the end of the initial setup one Client policy file and two Windows registry files will be available for download (see step 10 on page 79), to be installed on each Client. The following options are available (all mandatory):

Policy URL*
    The URL of the Clientpolicy.xml. It may be downloaded and installed on a Client system (see step 10 on page 79). For example: http://<IP address>/SECUDE securelogin/Clientpolicy.xml. Note that the policy tells the Client which Server to enroll with; if Clients fetch it dynamically, serve it over https rather than plain http wherever your Server configuration allows.

Profile Name*
    The name of the Client profile.

Enroll URL*
    The URL of the Secure Login Server to which the Client connects. For example: https://<IP address>/SECUDE securelogin/PseServer

Key Length*
    The key length of the Client certificate.

Grace Period*
    The grace period for the Client to connect to the Server.

Inactivity Period*
    The maximum period of time the Client may be inactive.

Enter the Client policy details and click Next to continue.

10. The Setup Review page will appear:


Figure 3-44 Server Setup Wizard Finish configuration

The configuration and initialization of Secure Login is now complete. If needed, click each of the links and save the files to disk for further use:

PKI Certificate
- Root CA Keystore (RootCA.pse)
- Root CA Cert (RootCA.cer)
- SSL CA Keystore (SSLCA.pse)
- SSL Server Cert (SSLServer.cer)
- SSL Server KeyStore (PKCS#12) (ServerKeyStore.p12)
- SSL Server KeyStore (JKS) (SSLServer.jks). If you click this, the Privatekey Alias field will appear:

Figure 3-45 Server Setup Wizard configure private key alias

Enter the private key alias and click OK to download the file.

The *.pse, *.p12 and *.jks files are keystores and contain private keys, including the Root CA key; store them with restricted access and keep the Root CA keystore offline.

Client Policy File (for import on each Client)
- ClientPolicy.xml
- customer.reg
- customerAll.reg

Click Finish to complete the initialization.

11. The completion page will appear:


Figure 3-46 Server Setup Wizard completion

The wizard is now finished. Click Reload to reload the Secure Login application in the application Server (e.g. Tomcat). For information about how to open the Administration Console to perform further tasks refer to section 6.1 Administration Console, on page 119. If the Administration Console login page does not appear, it may be necessary to restart the application Server manually.


3.6.3.2 Migrate from an Existing SECUDE Secure Login Server

Continue with this section if you selected Migrate from an existing SECUDE Secure Login Server in step 3 of section 3.6.3 on page 65.

1. The Enter the Web Root Path of the Existing Server page will appear:

Figure 3-47 Server Setup Wizard migrate existing Server #1

Enter the root path of the Web application into the field Web Application Root Path and click Next to continue.

2. A success page will appear:

Figure 3-48 Server Setup Wizard migrate existing Server #2



Click Reload to reload the Secure Login application in the application Server (e.g. Tomcat). For information about how to open the Administration Console to perform further tasks refer to section 6.1 Administration Console, on page 119. If the Administration Console login page does not appear, it may be necessary to restart the application Server manually.

3.6.3.3 Restore from an Existing Secure Login Server Backup (*.zip) File

Continue with this section if you selected Restore from an existing backup (*.zip) file in step 3 of section 3.6.3 on page 65. Remember that this function only supports backup files created using Secure Login 5.x and 4.3.

1. The Select the backup file (*.zip) page will appear:

Figure 3-49 Server Setup Wizard restore from backup file #1

Either:
- manually enter the path to the zipped backup file into the field Backup file, or
- click Browse to locate the zip file on the network or a local drive.

Click Next to continue.

2. The Backup file information page will appear:


Figure 3-50 Server Setup Wizard restore from backup file #2

Click Finish to restore the configuration.

3. If successful, the following dialog will appear:

Figure 3-51 Server Setup Wizard restore from backup file #3

Click Reload to reload the Secure Login application in the application Server (e.g. Tomcat). For information about how to open the Administration Console to perform further tasks refer to section 6.1 Administration Console, on page 119. If the Administration Console login page does not appear, it may be necessary to restart the application Server manually.

3.6.4 Step 3 - Configure Authentication Server Communication

The next step is to configure the Server to communicate with the Authentication Server. There are several different authentication methods to configure, depending on which type of Authentication Server you want to use:
- If you are going to use a servlet engine-based Server (such as Apache Tomcat), continue with the section below.
- If you are going to use a RADIUS/RSA Server, continue with the Authentication Server description in section 3.6.4.2 on page 86.
- If you are going to use a SAP NetWeaver-based Server for SAP ID-based logon, continue with the Authentication Server description in section 3.6.4.3 on page 87.

3.6.4.1 Configure the Secure Login Server for ADS/LDAP

The SECUDE Secure Login Server must now be configured for the respective Authentication Server, in this case for an Active Directory Server (ADS) or LDAP.

1. If you have not already done so, start the Administration Console and log on to Secure Login by entering the following in your Internet browser: http://<URL-Where-Your-Servlet-Resides>/securelogin
   For example: http://localhost:8080/securelogin

2. If the LDAP connection between the SECUDE Secure Login Server and the Microsoft ADS has to be secure, you have to establish trust between the SECUDE Secure Login Server and ADS. The prerequisite for this is the certification authority (CA) certificate of the issuing instance (usually the root) of the ADS Server. To establish trust, the ADS Server CA certificate must be imported into the TrustStore via one of two methods:
   - Either a signed certificate is made available by the ADS administrator for import directly into Secure Login (via TrustStore management, see section 6.1.6 on page 141). Ask your Microsoft ADS administrator to send you an export file containing this certificate.
   - Or you sign a certificate request for the Active Directory Server (SSL connection) via the Administration Console (via Sign ITS certificate, see section 6.1.14 on page 163) and generate a *.p7b file. Convert the *.p7b file into a certificate file (*.crt, *.cer) and import the certificate into the TrustStore (via TrustStore management, see section 6.1.6 on page 141).
   The public key infrastructure (PKI) on the ADS side is completely independent of the SECUDE Secure Login PKI. It is possible to convert the *.p7b file into a *.cer file via a number of tools. The usage of these tools is not part of this manual; please refer to the third-party documentation.

3. The next step is to define the connection details between Secure Login and ADS. Click the Authentication Management node in the Administration Console.

4. Click Add Server and enter at least the following details into the appropriate fields:
   Server Type: ADS or LDAP
   LdapHost: ldaps://<yourdomain>:636 (for example: ldaps://testldap.secude.local:636)
   Test username: the username must include the domain name (for example: user01@testldap.secude.local)
   Once you have entered the Server details, click Save. For further information about the Authentication Server parameters on this page refer to section 6.1.4 on page 128.

5. The Secure Login Server is now ready for ADS authentication. Now configure the Secure Login Client: click the Client configuration node in the Administration Console (see section 6.3.3 on page 183).

6. Click Applications and then Add application.

7. In the Add application page enter an Application name and PSEURI. A PSEURI may not be needed if a SAP certificate already exists, in which case you need only select the certificate from the SAP Server field and the PSEURI is entered automatically.

8. Once you have entered the application details, click Save (this takes you back to the Client Policy management page). For further information about the Add application page refer to section 6.3.3.1 on page 184.

9. Click Profiles and then Add profile.

10. In the Add/Modify Client Profile page enter the profile details. Click Save. For further information about the Add/Modify Client Profile page refer to section 6.3.3.2 on page 187.

11. Click Files download and download the Client files according to your Client setup:
    - Download the customerAll.reg file if you want to roll out a static policy to the Clients (the customerAll.reg file contains the information from the ClientPolicy.xml file).
    - Download the customer.reg file if you want to roll out a dynamic policy to the Clients (the customer.reg file only contains information about where to obtain the entries of the ClientPolicy.xml file on a Server).

12. Roll out the customer.reg or customerAll.reg policy files to the Clients.

13. ADS can now be accessed using SSL. NOTE: SSL is used whenever an LDAP host address with port 636 is specified (LDAPS).

14. Multiple Authentication Server setup / instance management [optional]: if you use more than one Authentication Server and not all Servers have the same CA, you have to import the certificate of each CA into the Secure Login Server. For further information about instances refer to section 6.3.1 on page 179. You have to use a unique alias for each CA certificate!
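The trust-establishment step above leaves the *.p7b to *.cer conversion to third-party tools. The usual one-liner is `openssl pkcs7 -print_certs -inform DER -in ads.p7b -out ads.cer`; the following added example (not SECUDE code) does the same job in plain Python so you can see what the container holds: it walks the DER ContentInfo/SignedData structure, pulls every certificate out of the `certificates` field and writes each as a PEM *.cer ready for TrustStore import. It also accepts the base64 "-----BEGIN PKCS7-----" form that Windows tools often export. The SAMPLE_CERTS, SAMPLE_P7B_DER and SAMPLE_P7B_PEM values are constructed placeholders (structurally valid SEQUENCEs, not real X.509 certificates); run extract_certificates() on the file your ADS administrator provided instead.

```python
"""Extract certificates from a PKCS#7 *.p7b and emit PEM *.cer files.

Added example, not SECUDE code. The SAMPLE_* data at the bottom is constructed
here (placeholder SEQUENCEs, not real X.509) so the parser runs offline.
"""
import base64
import re

SIGNED_DATA_OID = bytes.fromhex("2A864886F70D010702")  # 1.2.840.113549.1.7.2 signedData
DATA_OID = bytes.fromhex("2A864886F70D010701")         # 1.2.840.113549.1.7.1 data
TAG_INTEGER, TAG_OID, TAG_SEQUENCE, TAG_SET, TAG_CTX0 = 0x02, 0x06, 0x30, 0x31, 0xA0


def read_tlv(buf, pos=0):
    """Parse one DER element at pos; return (tag, content, raw_element, next_pos)."""
    start, tag, first = pos, buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in PKCS#7 SignedData")
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], buf[start:end], end


def children(content):
    """Split the content of a constructed element into (tag, content, raw) triples."""
    pos, members = 0, []
    while pos < len(content):
        tag, body, raw, pos = read_tlv(content, pos)
        members.append((tag, body, raw))
    return members


def load_pkcs7(data):
    """Accept DER or PEM ('-----BEGIN PKCS7-----') input and return the DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]*-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def extract_certificates(p7b):
    """Return the DER encoding of each certificate in SignedData.certificates."""
    der = load_pkcs7(p7b)
    tag, content_info, _, end = read_tlv(der)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("input is not a single DER ContentInfo")
    fields = children(content_info)
    if len(fields) != 2 or fields[0][0] != TAG_OID or fields[0][1] != SIGNED_DATA_OID:
        raise ValueError("ContentInfo is not signedData")
    if fields[1][0] != TAG_CTX0:
        raise ValueError("signedData content must be [0] EXPLICIT")
    inner = children(fields[1][1])
    if len(inner) != 1 or inner[0][0] != TAG_SEQUENCE:
        raise ValueError("malformed SignedData")
    certs = []
    for tag, body, _ in children(inner[0][1]):
        if tag == TAG_CTX0:  # certificates [0] IMPLICIT SET OF Certificate
            certs.extend(raw for ctag, _, raw in children(body) if ctag == TAG_SEQUENCE)
    return certs


def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below (< 64 KiB)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    if n < 0x100:
        return bytes([tag, 0x81, n]) + content
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + content


def build_sample_p7b(cert_blobs):
    """Constructed signedData with no signers: the shape of a CA chain export."""
    signed_data = (der(TAG_INTEGER, b"\x01") + der(TAG_SET, b"")
                   + der(TAG_SEQUENCE, der(TAG_OID, DATA_OID))
                   + der(TAG_CTX0, b"".join(cert_blobs)) + der(TAG_SET, b""))
    return der(TAG_SEQUENCE, der(TAG_OID, SIGNED_DATA_OID)
               + der(TAG_CTX0, der(TAG_SEQUENCE, signed_data)))


# Placeholder "certificates": SEQUENCEs long enough to exercise long-form lengths.
SAMPLE_CERTS = [
    der(TAG_SEQUENCE, der(0x13, b"placeholder ADS root CA") + der(0x04, b"\xAA" * 200)),
    der(TAG_SEQUENCE, der(0x13, b"placeholder ADS issuing CA") + der(0x04, b"\xBB" * 300)),
]
SAMPLE_P7B_DER = build_sample_p7b(SAMPLE_CERTS)
SAMPLE_P7B_PEM = (b"-----BEGIN PKCS7-----\n" + base64.encodebytes(SAMPLE_P7B_DER)
                  + b"-----END PKCS7-----\n")

if __name__ == "__main__":
    for i, cert in enumerate(extract_certificates(SAMPLE_P7B_PEM)):
        print(f"certificate {i}: {len(cert)} octets DER")
        print(to_pem(cert), end="")
```

A chain export usually contains more than one certificate; import the one that issued the ADS Server's LDAPS certificate (and its parents, each under its own alias, as step 14 requires) rather than the whole file blindly, and confirm the fingerprint of what you import with the ADS administrator out of band before the TrustStore trusts it.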

3.6.4.2 Configure the Secure Login Server for RADIUS/RSA

The SECUDE Secure Login Server must now be configured for the respective Authentication Server, in this case for RADIUS/RSA.

1. If you have not already done so, start the Administration Console and log on to Secure Login by entering the following in your Internet browser: http://<URL-Where-Your-Servlet-Resides>/securelogin
   For example: http://localhost:8080/securelogin
   For advanced details about setting properties manually (not recommended), refer to section 9.2.3 Configuration.properties, on page 248.

2. If you are using RSA Server v.6.1 (version 6.0 is not affected), copy the securid.ini file to the Secure Login WEB-INF directory. For example (Tomcat): <Tomcat home>\Webapps\securelogin\WEB-INF
   Every time a message text entry in the securid.ini file is changed, the file must be re-copied to the Secure Login WEB-INF directory. The securid.ini file is not part of the Secure Login delivery package; it is part of the RSA Server 6.1 software. For further information please refer to the proprietary documentation. Secure Login depends on the following message text entries in the securid.ini file:

       InputMustChoose_S_S = \r\nEnter a new PIN having from 4 to 8 digits:
       InputNextCode = \r\nWait for token to change,\r\nthen enter the new tokencode:
       InputReenterPin = \r\nPlease re-enter new PIN:
       OutputChange = \r\nPIN Accepted.\r\nWait for the token code to change,\r\nthen enter the new passcode:

   For passwords to be handled properly between SLS and RSA/RADIUS, the securid.ini file must be set up on both Servers. Follow these steps:
   - For the RSA/RADIUS Server: copy/update the securid.ini file to C:\Program Files\RSA Security\RSA Radius\Service\securid.ini and then restart the RSA/RADIUS services.
   - For the Secure Login Server (Windows): copy the securid.ini file to the path set up in SLSJaasModule.login RSAServerIniFile. For example: <tomcat home>\Webapps\securelogin\WEB-INF
   - For the Secure Login Server (Linux): copy the securid.ini file to the path set up in SLSJaasModule.login RSAServerIniFile. For example: /var/lib/tomcat5.5/Webapps/securelogin/WEB-INF
   By default the RSA/RADIUS services are not started automatically after a Server restart. To start them: open the RSA Authentication Manager Control Panel > Start & Stop RSA Auth Mgr Services. Below Service Management, check Start and stop RADIUS Server together with authentication engine. [Edit] Click Auto Start and check Automatically start services on system startup. Confirm and click Close.

3. The next step is to define the connection details between Secure Login and RADIUS/RSA. Click the Authentication Management node in the Administration Console (see section 6.1.4 on page 128).

4. Click Add Server and enter at least the following details into the appropriate fields:
   Server Type: RADIUS
   RadiusServerIP: for example: radius01.secudeTest.local
   RSAServerIniFile: path to the securid.ini file (for example: <Tomcat home>\Webapps\securelogin\WEB-INF\securid.ini)
   Once you have entered the Server details, click Save. For further information about the Authentication Server parameters on this page refer to section 6.1.4 on page 128.

5. The Secure Login Server is now ready for RADIUS authentication. Now configure the Secure Login Client: click the Client configuration node in the Administration Console (see section 6.3.3 on page 183).

6. Click Applications and then Add application.

7. In the Add application page enter an Application name and PSEURI. A PSEURI may not be needed if a SAP certificate already exists, in which case you need only select the certificate from the SAP Server field and the PSEURI is entered automatically.

8. Once you have entered the application details, click Save (this takes you back to the Client Policy management page). For further information about the Add application page refer to section 6.3.3.1 on page 184.

9.

3.6.4.3 Configure the Secure Login Server for SAP ID-Based Logon

The SECUDE Secure Login Server must now be configured for the respective Authentication Server, in this case SAP ID-based logon. Make sure that the following has been installed and configured on the SAP Server side before proceeding with this section:
 - SECUDE signon&secure is installed and configured. Ensure that the SAP Server account is able to access the credentials and that the credentials are set for the correct user account.
 - The user configured on the SAP Server for the SECUDE Secure Login Server access must be configured for the following:
   - SNC access: note that the SNC Distinguished Name of the user must be the same as that used in the PSE files imported during the SSS&JCO installation.
   - A special set of privileges in their profile. These are: S_A.SCON, S_A.SYSTEM, S_USER_ALL, S_USER_RFC, Z_TRANS_RFC. For details about how to set a profile refer to the SAP administrator documentation.
It is important to set the correct environment variables for SECUDE Signon&Secure. For details about the settings for both Unix and Windows-based Servers refer to section 7.5 on page 217.
1. If you have not already done so, start the Administration Console and logon to Secure Login by entering the following in your Internet browser: http://<URL-Where-Your-Servlet-Resides>/securelogin (for example: http://localhost:8080/securelogin). For advanced details about the properties that can be configured, refer to section 9.2.3 Configuration, on page 248.
2. The next step is to install the SAP JCO libraries (one Java library and two system-dependent native libraries) - SAP-Jco-2.1.8-platforms. The SAP JCO libraries are not part of the Secure Login delivery package. The libraries can be downloaded from http://service.sap.com/connectors (requires SAP account). For details about which library version is needed for Secure Login please contact SECUDE support. It has to be ensured that all referenced dynamic-linked libraries exist on the operating system. For example, on a Linux platform the referenced gcc libraries have to be present in the required version.
3. Click the SSS&JCO installation node in the Administration Console (see section 6.1.12 on page 158).
4. Install the SECUDE cryptolib package (in the delivery package ZIP file SECUDE51SecureLoginNativeComponents.zip), ticket, JCO, and JCO PSE.
5. The next step is to define the connection details between Secure Login and SAP ID. Click the Authentication Management node in the Administration Console (see section 6.1.4 on page 128).
6. Click Add Server and enter the Server details into the appropriate fields. Once you have finished click Save.
7. For details about setting the Authentication Server parameters via the Administration Console refer to section 6.1.4 on page 128. For advanced details about each parameter, plus optional parameters, see section 9.2.4.3 JAAS Module Configuration Files for SAP ID, on page 260.
 The Secure Login Server is now ready for SAP ID-based logon. Now to configure the Secure Login Client.
8. Click the Client configuration node in the Administration Console (see section 6.3.3 on page 183).
9. Click Applications and then Add application.
10. In the Add application page enter an Application name and PSEURI. A PSEURI may not be needed if a SAP certificate already exists, in which case you need only select the certificate from the SAP Server field and the PSEURI will be entered automatically. Once you have entered the application details click Save (this will take you back to the Client Policy management page).
11. For further information about the Add application page refer to section 6.3.3.1 on page 184.

3.6.4.4 Configure the Secure Login Server for SAP Logon Ticket-Based Logon

The SECUDE Secure Login Server must now be configured for the respective Authentication Server, in this case SAP Logon Ticket-based logon.
1. If you have not already done so, start the Administration Console and logon to Secure Login by entering the following in your Internet browser: http://<URL-Where-Your-Servlet-Resides>/securelogin (for example: http://localhost:8080/securelogin). For advanced details about the properties that can be configured, refer to section 9.2.3 Configuration, on page 248.
2. The next step is to install the SAP Verification PSE and the SAP SSOEXT libraries (two system-dependent native libraries). The SAP Verification PSE can be exported from SAP NetWeaver Portal, or by the STRUST transaction in the ABAP Stack. The SAP SSOEXT libraries are not part of the Secure Login delivery package. The libraries can be downloaded from http://service.sap.com/connectors (requires SAP account). For details about which library version is needed for Secure Login please contact SECUDE support. It has to be ensured that all referenced dynamic-linked libraries exist on the operating system. For example, on a Linux platform the referenced gcc libraries have to be present in the required version.
3. Click the SSS&JCO installation node in the Administration Console (see section 6.1.12 on page 158).
4. Install the SAP Verification PSE, SAPSECU, and SAPSSOEXT.
5. The next step is to define the connection details between Secure Login and SAP Logon Ticket. Click the Authentication Management node in the Administration Console (see section 6.1.4 on page 128).
6. Click Add Server and enter the Server details into the appropriate fields. Once you have finished click Save.
7. For details about setting the Authentication Server parameters via the Administration Console refer to section 6.1.4 on page 128. For advanced details about each parameter, plus optional parameters, see section 9.2.4.3 JAAS Module Configuration Files for SAP ID, on page 260.
8. In the common Server configuration Native Library Path, the path to the SAPSECU and SAPSSOEXT libraries must be configured.
9. The Secure Login Server is now ready for SAP Logon Ticket-based login. Now to configure the Secure Login Web Client. Click the Web Client configuration node in the Administration Console (see section 6.1.16 on page 183).

3.6.4.5 Configure the Secure Login Server for SQL Database-Based Logon

The SECUDE Secure Login Server must now be configured for the respective Authentication Server, in this case SQL Database-based logon.
1. If you have not already done so, start the Administration Console and logon to Secure Login by entering the following in your Internet browser: http://<URL-Where-Your-Servlet-Resides>/securelogin (for example: http://localhost:8080/securelogin). For advanced details about the properties that can be configured, refer to section 9.2.3 Configuration, on page 248.
2. The next step is to install the fitting Java database driver for your database. The Java database driver depends on the database system you have in use. Each database vendor provides such Java libraries (JAR); for example, for MySQL the JAR file mysql-connector-java-5.1.12 can be downloaded from http://dev.mysql.com/downloads/connector/j/. On Tomcat, the connector libraries need to be copied manually into a shared library folder. On SAP NetWeaver, connector libraries need to be deployed and configured with Visual Administrator.
3. The next step is to define the connection details between Secure Login and SAP Logon Ticket. Click the Authentication Management node in the Administration Console (see section 6.1.4 on page 128).
4. Click Add Server and enter the Server details into the appropriate fields. Once you have finished click Save.
5. For details about setting the Authentication Server parameters via the Administration Console refer to section 6.1.4 on page 128. For advanced details about each parameter, plus optional parameters, see section 9.2.4.3 JAAS Module Configuration Files for SAP ID, on page 260.
 The Secure Login Server is now ready for SQL Database-based logon. Now to configure the Secure Login Client.
6. Click the Client configuration node in the Administration Console (see section 6.3.3 on page 183).
7. Click Applications and then Add application.
8. In the Add application page enter an Application name and PSEURI. A PSEURI may not be needed if a SAP certificate already exists, in which case you need only select the certificate from the SAP Server field and the PSEURI will be entered automatically. Once you have entered the application details click Save (this will take you back to the Client Policy management page).
9. For further information about the Add application page refer to section 6.3.3.1 on page 184.

3.6.5 Step 4 - Test SECUDE Secure Login Server

The following step describes how to test the Secure Login files deployed to the Server. Make sure that file name and path notations used in this step are correct for the target operating system.
1. In your browser, enter the following URL: http://<URL-Where-Your-Servlet-Resides>/securelogin/admin/index.jsp (for example: http://localhost:8080/securelogin/admin/index.jsp).
2. If the deployment has been successful the SECUDE Secure Login Administration Console login page should appear:
Figure 3-52 Administration Console login page
For further information about the Administration Console refer to section 6.1 on page 119. If the location of the SECUDE Secure Login Server configuration file is not specified correctly, the browser displays a red error message.

3.7 Remove SECUDE Secure Login Server

3.7.1 Remove SECUDE Secure Login Server - Tomcat

This section details the removal procedure for the Secure Login Server component from ADS, LDAP, RADIUS, and SAP ID Servers. It is recommended to back up the configuration and settings in case you want to use Secure Login again. For further information refer to section 6.1.9.1 on page 151.
1. Stop your Web application Server.
2. Delete the following directories/files:
 - <application Server Web-apps directory>/securelogin/
 - <application Server Web-apps directory>/securelogin.war
If you want to use Secure Login again follow the procedure as from section 3.2.

3.7.2 Remove SECUDE Login Server - BEA WebLogic

1. Stop and delete securelogin.war in the BEA WebLogic console for BEA 9 and BEA 10.
2. Remove all files and directories under <BEA home>/Server/bin/myServer/stage/securelogin.war

3.7.3 Remove SECUDE Secure Login Server - SAP NetWeaver

This section details the removal procedure for the Secure Login Server component from SAP NetWeaver Servers. It is recommended to back up the configuration and settings in case you want to use Secure Login again. For further information refer to section 6.1.9.1 on page 151.
1. Logon to SAP Visual Administrator.
2. Select Server(x)>Services>Deploy from the tree in the left-hand pane.
3. Select the deployed secude.com/SecureLogin component from the Runtime tab in the middle pane.
Figure 3-53 SAP Visual Administrator - locate Secure Login component
4. Click Remove on the right-hand side of the window. A confirmation dialog will appear:
Figure 3-54 SAP Visual Administrator - removal confirmation dialog
Click OK.


4 Client Installation, Configuration, and Removal

Introduction
This chapter describes the configuration and installation of the SECUDE Secure Login Client. To save configuration time, install and roll out the Client AFTER you have fully installed and configured the Secure Login Server.

Sections in this Chapter
Section 4.1 Prerequisites, on page 95
Section 4.2 SECUDE Secure Login Client Preparation, on page 96
Section 4.3 Client Rollout, on page 97
Section 4.4 Remove SECUDE Secure Login Client, on page 106


4.1 Prerequisites

Introduction
This section lists the hardware and software requirements. You will need administrator access rights to install the Secure Login package.

Contents
Section 4.1.1 Hardware Requirements for SECUDE Secure Login Client, on page 95
Section 4.1.2 Software Requirements for SECUDE Secure Login Client, on page 95

4.1.1 Hardware Requirements for SECUDE Secure Login Client

Hardware: RAM
Details: 256 MB minimal, 512 MB optimal.

Hardware: Hard disk
Details: 12 to 22 MB, depending on which SECUDE modules are installed.

4.1.2 Software Requirements for SECUDE Secure Login Client

For the Operating System you require the following software:

Installation:
 - Windows XP (SP3), Windows Vista, Windows 7, Citrix Terminal Server
 - Software for unpacking the zip installation package
 - MSI 3.1 installer

Customizing:
 - MMC snap-in, if customizing with group policies is to be used (ADM templates are available)

System runtime environment:
 - SAP NetWeaver ABAP 6.4 or higher
 - SECUDE Secure Login Server (unless an existing PKI is used)
 - Correctly installed smart card or Microsoft Crypto Store for the respective authentication (see below)

Authentication with a Smart Card:
As a precondition for authentication using smart cards, a smart card reader with a card driver (PKCS#11 middleware) must be installed. If smart cards other than TCOS are to be used, a card driver must also be available (TCOS cards are directly supported without an additional driver).

Authentication with Microsoft Crypto API:
As a precondition for authentication using Microsoft Crypto API, a certificate in a CSP must be available by one of the following methods:
 - Import of a PFX or P12 file into the personal Microsoft Crypto Store
 - CSP on a smartcard
 - Online certificate (for example, VeriSign, Web.de)
 - Managed PKI software (for example, Entrust, Microsoft CA)


4.2 SECUDE Secure Login Client Preparation

The SECUDE Secure Login Client is delivered as a zip archive. This archive contains all of the files and data required to install the SECUDE Secure Login Client. Follow these steps to install the Secure Login Client:
1. Unpack the zip archive SECUDE42securelogin.zip to any directory.
2. Check the \customer\sample\ directory (this directory contains samples of the optional configuration files). The optional configuration files can be configured manually (see below) using the sample files. The configuration file secude.xml contains smart card-specific configuration settings, protocol settings, and the settings for the SECUDE crypto library. The secude.xml file is configured automatically. For information about the configuration of this file, please contact SECUDE technical support.
3. During installation, all of the files used to customize the product must be located in the customer directory next to the MSI installer. The \customer\sample\ directory contains examples of all configurable files. The customer can adapt the sample files to fit the PKI and environment of the company. The MSI installer reads the following files in the customer folder during installation:

File: bridge.p7c, bridge.p7s
Used for: A list of trusted trust-center certificates (root CAs). This is a digitally-signed set of DER-encoded certificates, which is used automatically for each PSE which has its own root CA stored in it. For further details about the extensions, refer to the file bridge.txt. For further details about the content, refer to the file certs.txt.

File: Certs.p7c, certs.p7s
Used for: A list of certificates (CAs). This is a digitally-signed set of DER-encoded certificates, which is used automatically for each PSE where CA certificates are missing. For further details about the content, refer to the file certs.txt.

File: customer.reg
Used for: All Microsoft registry settings the customer can configure automatically (SECUDE tickets, group policies).

File: Psesvc.xml
Used for: Overlay configuration for the PSE Service smart card token, provided by SECUDE.

File: Roots.p7b, root.cer
Used for: Root CA certificates of the SECUDE Secure Login Server's SSL peer that are trusted automatically for machine and users. For HTTPS trust, the SSL Server's Root CA certificate is added to the user's personal certificate store or the computer system certificate store, either Trusted Root Certification Authorities or Enterprise Trust. Formats: a single certificate or PKCS#7 certificate list, DER or base64 encoded.

File: ticket.snc
Used for: Customer-specific SECUDE file ticket for SAP SNC/GSS.

File: Ticket.ssf (optional)
Used for: Customer-specific SECUDE file ticket for SAP SSF.

File: token_prompted.bmp
Used for: Custom bitmap picture for all SECUDE Secure Login profiles with password prompt in the login dialog box. It overwrites the default bitmap and must be 200x90 pixels and have a 24-bit color depth.

File: Token_smartcard.bmp
Used for: Custom bitmap picture for all smart card or Microsoft CAPI profiles with PIN prompt in the login dialog box. It overwrites the default bitmap and must be 200x90 pixels and have a 24-bit color depth.

File: Token_soft.bmp
Used for: Custom bitmap picture for all soft-token profiles with password prompt in the login dialog box. It overwrites the default bitmap and must be 200x90 pixels and have a 24-bit color depth.

File: Token_windows.bmp
Used for: Custom bitmap picture for all SECUDE Secure Login profiles with Windows credentials in the login dialog box. It overwrites the default bitmap and must be 200x90 pixels and have a 24-bit color depth.

4. If necessary, you can now customize the Secure Login Client. The SECUDE Secure Login Client (SLC) system service is a standard component of the SECUDE Secure Login Client, which (among other things) is responsible for communication with the SECUDE Secure Login Server for logging in using Windows credentials. Another task of the SLC system service is to obtain the latest Client policy. This could be done, for example, by downloading a policy file from a given URL (the policy Server) during start up or regularly via a configurable time interval. The XML-formatted policy file (see section 9.1.1 ClientPolicy.xml File on page 239) is translated into Windows registry database keys and values after a successful verification. If the policy download is not successful, the existing policy is kept. The policy download from the policy Server can be replaced by configuring the SECUDE Secure Login Client using Microsoft group policies (see section 9.1.4 ClientPolicy.xml File on page 245).
A combination of an XML file on the policy Server and MS group policies is not recommended. The properties for the SLC system service can be configured using the customer.reg file or can be integrated in the company's group policies. The property names are not case-sensitive. For further information about the registry entries refer to section 9.3 Secure Login Client Registry Values on page 264.

4.3 Client Rollout

Introduction
The SECUDE Secure Login Client is usually installed on a large number of systems. Therefore, the Client setup is usually performed as an unattended installation using Microsoft MSI. The Client setup is implemented as an MSI 3.1 package. During installation, all files used to customize the product are stored in the customer subfolder, which must be located in the same directory as the MSI setup. The MSI setup reads and copies them during installation.

Contents
Section 4.3.1 Installation, on page 98
Section 4.3.2 Command Line Options to Influence the MSI Setup, on page 103


4.3.1 Installation

Before proceeding with this section make sure that it is the stand-alone Client you want to install and not the Web Client. For details about the Web Client installation refer to chapter 5 Secure Login plus Web Client - Installation, Usage, and Removal on page 109. The installation wizard is usually used for a single installation of the Group Policies.
1. Double-click the MSI installer SECUDE Secure Login.msi.
2. The welcome dialog will appear:
Figure 4-1 installation welcome dialog
Click Next.
3. The program information appears:
Figure 4-2 installation program information dialog
Click Next.


4. The license agreement appears:
Figure 4-3 installation license agreement dialog
Check I accept the terms of the license agreement and click Next.
5. The setup type dialog appears:
Figure 4-4 installation setup type dialog
 - Check Complete if you want to install all of the features (go to step 7).
 - Check Custom if you want to install specific features (go to step 6).
The installer contains the following components (components marked with * are preselected by default):

Component: Business Client addins
Details/Value:
 - SNC/GSS (primary)*: installs the primary SAP Secure Network Communication support addin for SAP Clients.
 - SNC/GSS (secondary): installs the secondary SAP Secure Network Communication support addin for SAP Clients. (Only required if another SNC library is already installed. SNC/GSS (primary) must be de-selected in this case.)
 - SSF: installs the SAP Secure Store and Forward support addin for SAP Clients.

Component: SECUDE Secure Login
Details/Value: Secure Login system service:
 - Windows Network Provider addin*: network provider addin for retrieving Windows credentials for authentication against Active Directory.
 - Windows Kerberos addin: Secure Login addin to use local Windows Kerberos authentication against a local Secure Login service for CITRIX.

Component: Profile Management*
Details/Value:
 - PSE Service*: Personal Security Environment user service.
 - Security Tokens*:
   - Smartcard support*: PKCS#11 and TCOS-based smart card token plugins.
   - CAPI support*: Microsoft CryptoAPI token plugin.

Component: SECUDE CSP*
Details/Value: SECUDE cryptographic service provider.

Component: Group Policies
Details/Value: Microsoft group policy templates (ADM files).

Component: Notification
Details/Value: Notification service and GUI for tracing purposes.

Once you have chosen a setup type click Next.

6. If you chose to install specific features in the previous dialog, the custom setup dialog appears:
Figure 4-5 installation custom setup dialog
 - Select the features you wish to install and click Next.
 - If you want to prevent the installation of a component, click on the hard drive symbol next to the component and select The feature will not be available from the context menu:
Figure 4-6 installation component selection
 - To return to the default selection click Reset.
 - Once you have made your selection click Next.

7. The ready to install dialog appears:
Figure 4-7 installation ready to install dialog
Click Install.
8. The installation status dialog appears:
Figure 4-8 installation installation status dialog
The installation may take a few minutes, so please be patient.
9. Once the installation is complete the following dialog appears:
Figure 4-9 installation completion dialog
Click Finish. The installation is now complete.
10. It is necessary to restart the computer to start using Secure Login. Click Start>Shutdown>Restart to restart.

Further Information
Section 4.3.2 Command Line Options to Influence the MSI Setup, on page 103

4.3.2 Command Line Options to Influence the MSI Setup

Introduction
This section details command line options that can influence the Microsoft installer (MSI) setup.

Contents
Section 4.3.2.1 Standard MSI Options, on page 103
Section 4.3.2.2 Secure Login MSI Options, on page 104

4.3.2.1 Standard MSI Options

To help you understand the MSI options, open a command shell and enter the following syntax:
msiexec /?
The following dialog will be displayed:
Figure 4-10 installation restart dialog


4.3.2.2 Secure Login MSI Options

To view the options specific to the SECUDE Secure Login setup, open a command shell and enter the following syntax:
msiexec /i "<path>\SECUDE Secure Login.msi" HELP=1
For example:
msiexec /i "C:\SECUDE Secure Login.msi" HELP=1
The following dialog will be displayed:
Figure 4-11 installation restart dialog
The components that can be installed individually have the following syntax and meaning (features marked with * are installed by default if no specific components are selected). Each entry gives the feature abbreviation for the command line syntax, the package name in the custom setup in parentheses, and the description:
 - ProfileManagement (Profile management): User components.
 - PSE Service (PSE Service): User GUI and SSO process.
 - Token (Security tokens): Persistent security tokens.
 - Capi (CAPI support*): Microsoft Crypto API token plug-in.
 - Smartcard (Smartcard support*): PKCS#11 and TCOS based smartcard token plug-ins.
 - CSP (SECUDE CSP*): Cryptographic service provider plug-in for the Microsoft Crypto API.
 - GroupPolicies (Group Policies): Group policies, ADM files.
 - Notification (Notification): Notification service and viewer for SECUDE applications.
 - secure_login (SECUDE Secure Login*): Credentials-based certificate enrollment.
 - secure_login_Pepperbox (n/a): Basic non-persistent tokens support.
 - secure_login_Kerberos (Windows Kerberos addin): Kerberos support.
 - secure_login_NetworkProvider (Windows network provider addin*): Network provider add-in for retrieving Windows credentials.
 - secure_login_Service (Secure login system service*): SECUDE Secure Login system service for policy download and Windows credentials management.
 - signon_secure (Business Client addins): SAPGUI security component.
 - signon_secure_SNC (SNC/GSS (primary)*): SAP Secure Network Communication support.
 - signon_secure_SSF (SSF): SAP Secure Store and Forward support.
For a full list of components installed by default (i.e. when no specific components are selected) refer to section 4.3.1, step 5, on page 99.

Example Installation Syntax 1
This example has been put together to achieve the following:
 - Install SECUDE Secure Login without the user wizard but with the progress bar; do not install the Windows login component (option /qb).
 - Set the personal security environment (PSE) path to that of the subfolder SECUDE in the user profile (option CREDDIR=$USERPROFILE$\SECUDE).
 - Install German language modules only (option LANG=1031).
 - Install programs into the default folder; do not install ADM files for group policy support (option /qb).
 - Add massive logging (option /l*v sl.log).
So, to achieve the above the syntax should be as follows (the path contains spaces and must be quoted):
msiexec.exe /i "C:\SECUDE Secure Login.msi" /qb /l*v sl.log ADDLOCAL=ALL REMOVE=secure_login_NetworkProvider,GroupPolicies CREDDIR=$USERPROFILE$\SECUDE LANG=1031
If you execute the above syntax then you will notice after the installation that both the German and the English GUI have been installed. This is because English language support cannot be de-selected as it is the fallback GUI. No reboot is required. The system tray icon is displayed, and enrolment profiles are provided immediately.

Example Installation Syntax 2
This example has been put together to demonstrate a simple installation and feature selection:
Msiexec /i "SECUDE Secure Login.msi" INSTALLDIR="C:\Program Files\SECUDE\SL" LAUNCH=1 LANG=0000 ADDLOCAL=ALL REMOVE=Notification,GroupPolicies,Smartcard,secure_login_Kerberos
In most cases the easiest way is to install all but a few features, which is best configured by ADDLOCAL=ALL REMOVE=feat1,feat2,...
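As an added example (not SECUDE's code and not taken from this manual), the following Python composes an unattended command line in the shape of the two examples above and rejects feature abbreviations that are not in the feature table before anything is run on a target machine. The feature abbreviations and the default (*) selection are the manual's; the validation rules, argument ordering and helper names are this example's own assumptions.

```python
"""Compose and sanity-check an unattended msiexec command line for the SECUDE
Secure Login Client MSI.

Added example, not code from SECUDE or from the manual.  The feature
abbreviations and the default (*) features are taken from the manual's feature
table in section 4.3.2.2; the validation logic and argument ordering are this
example's own choices.
"""
from __future__ import annotations

from typing import Iterable

# Feature abbreviations usable in ADDLOCAL= / REMOVE= (manual, section 4.3.2.2).
# The "PSE Service" row is left out because its command-line spelling is not
# unambiguous in the table.
KNOWN_FEATURES: frozenset[str] = frozenset({
    "ProfileManagement", "Token", "Capi", "Smartcard", "CSP",
    "GroupPolicies", "Notification",
    "secure_login", "secure_login_Pepperbox", "secure_login_Kerberos",
    "secure_login_NetworkProvider", "secure_login_Service",
    "signon_secure", "signon_secure_SNC", "signon_secure_SSF",
})

# Features marked with * in the feature table: installed when no feature
# selection is given on the command line.
DEFAULT_FEATURES: frozenset[str] = frozenset({
    "Capi", "Smartcard", "CSP", "secure_login",
    "secure_login_NetworkProvider", "secure_login_Service", "signon_secure_SNC",
})


def effective_features(addlocal_all: bool, remove: Iterable[str] = ()) -> frozenset[str]:
    """Return the feature set the setup will install.

    ADDLOCAL=ALL selects every feature and REMOVE then takes features away;
    without ADDLOCAL the default (*) selection applies.  Unknown feature
    names are rejected up front rather than discovered in the install log.
    """
    remove = tuple(remove)
    unknown = sorted(set(remove) - KNOWN_FEATURES)
    if unknown:
        raise ValueError(f"unknown feature abbreviation(s): {unknown}")
    base = KNOWN_FEATURES if addlocal_all else DEFAULT_FEATURES
    return frozenset(base - set(remove))


def _quote(value: str) -> str:
    """Wrap a value in double quotes if it contains spaces (cmd.exe tokenising)."""
    return f'"{value}"' if " " in value else value


def build_msiexec_command(
    msi_path: str,
    *,
    remove: Iterable[str] = (),
    creddir: str | None = None,
    install_dir: str | None = None,
    lang: int | None = None,
    log_file: str | None = None,
    basic_ui: bool = True,
) -> str:
    """Compose the command line in the same shape as the manual's examples."""
    remove = tuple(remove)
    effective_features(True, remove)            # validates the feature names
    parts = ["msiexec.exe", "/i", _quote(msi_path)]
    if basic_ui:
        parts.append("/qb")                     # progress bar only, no wizard
    if log_file:
        parts += ["/l*v", _quote(log_file)]     # verbose log of the whole run
    parts.append("ADDLOCAL=ALL")
    if remove:
        parts.append("REMOVE=" + ",".join(remove))
    if creddir:
        parts.append(f"CREDDIR={_quote(creddir)}")
    if install_dir:
        parts.append(f"INSTALLDIR={_quote(install_dir)}")
    if lang is not None:
        parts.append(f"LANG={lang}")
    return " ".join(parts)


def installed_gui_languages(lang: int | None) -> frozenset[str]:
    """English is always installed as the fallback GUI; LANG=1031 adds German.

    1031 is the only LANG value the manual documents, so other values are
    passed through to msiexec but not interpreted here.
    """
    languages = {"English"}
    if lang == 1031:
        languages.add("German")
    return frozenset(languages)


if __name__ == "__main__":
    # Reproduces Example Installation Syntax 1 from the manual.
    print(build_msiexec_command(
        r"C:\SECUDE Secure Login.msi",
        remove=("secure_login_NetworkProvider", "GroupPolicies"),
        creddir=r"$USERPROFILE$\SECUDE", lang=1031, log_file="sl.log",
    ))
```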

4.4 Remove SECUDE Secure Login Client

This section details the removal procedure for the Secure Login Client component. It is recommended to back up any certificates you may have imported into the PSE service before removing the Secure Login Client component.
1. Start the removal procedure via one of the following options:
 - Open a command box and enter msiexec /i <path to msi file>SECUDE Secure Login.msi
 - Double-click the SECUDE Secure Login.msi installer
 - Click Start>Control panel>Add and Remove Programs, select SECUDE Secure Login from the list and click Remove
2. The Welcome dialog will appear:
Figure 4-12 removal welcome dialog
Click Next.
3. The Program Maintenance dialog appears:
Figure 4-13 removal program maintenance dialog
Check Remove and click Next.
4. The Remove Program dialog appears:
Figure 4-14 removal remove program dialog
Click Remove.
5. The status of the removal will be displayed:
Figure 4-15 removal removal status dialog
6. If the removal is successful the following dialog will appear:
Figure 4-16 removal welcome dialog
Click Finish.


5 Secure Login plus Web Client - Installation, Usage, and Removal

Introduction
This chapter details how to install, use, and remove the Secure Login Web Client. The Web Client installation is not just the Web Client but rather the complete Secure Login Server plus Web Client. Make sure that it is this version of Secure Login (i.e. with Web Client) you want to deploy before proceeding with this chapter. For details about the standard installation refer to chapter 3 Server Installation, Configuration, and Removal on page 32. Currently, there is no version of the Web Client for BEA WebLogic. The installation routine also differs slightly from the standard installation:
 - The Secure Login Web Client installation routine for Tomcat is similar to the standard Secure Login installation to Tomcat but there are several extra steps: deploy the Apache Axis2 Web service architecture within Tomcat, and deploy the Secure Login Web service within Axis2.
 - The Secure Login Web Client installation routine for NetWeaver is the same as the standard Secure Login installation to NetWeaver with the exception that a different archive is deployed.

Contents of Web Client Delivery Package
Within the main delivery package (SECUDE51secureloginServer.zip) the Web Client directories for Tomcat and NetWeaver contain the following files:
For Apache Tomcat (Tomcat WS):
 - axis2.war - AXIS2 Web application from Apache (version 1.4).
 - shared.zip - All Secure Login JAR files (SECUDE + third party) as well as Server message files:
   - iaik_jce_full.jar - Institute for Applied Information Processing and Communication (IAIK) provider for the Java Cryptography Extension (JCE)
   - opencsv-1-7-1.jar - opencsv is a very simple CSV (comma-separated values) parser library for Java.
   - radClient3.jar - RADIUS Client application
   - SECUDE-JavaSDK.jar - SECUDE Java SDK
   - SECUDE-SecureLogin.jar - SECUDE Secure Login application
   - SECUDE-Transfair.jar - SECUDE Secure Login application framework
   - ServerMsg.properties - The file that contains the default Server messages (will be duplicated when creating a new Server messages file in an alternate language).
   - ServerMsg_de.properties - Server messages file in English.
   - ServerMsg_en.properties - Server messages file in German.
 - SlsWebClient.war - The Secure Login Web Client
 - securelogin.war - The main Secure Login file including the Administration Console (but without JAR files and Server message files).
 - secureloginservice.aar - Secure Login AXIS2 Web Service
For SAP NetWeaver (NetWeaver WS):
 - secureloginservice.ear - Enterprise archive containing all of the necessary components ready for deployment. This includes the Web Service and Web Client.

Sections in this Chapter
Section 5.1 Prerequisites, on page 110
Section 5.2 Preparing the Server for Installation, on page 111
Section 5.3 Install and Configure the Web Client, on page 112
Section 5.4 Use the Web Client, on page 115
Section 5.5 Remove the Web Client, on page 117


5.1 Prerequisites

This section lists the hardware and software requirements for Secure Login and the Web Client.

Prerequisite for: Secure Login Server
Details: The hardware/software requirements are the same as for the standard Secure Login installation. For a complete list of requirements please refer to section 3.1 on page 33.

Prerequisite for: Secure Login Web Client
Details:
Supported operating systems:
 - Windows
 - Linux
 - Mac OS X
 - Others (depending on the SECUDE C-SDK)
System requirements:
 - Java 1.5 or higher browser plug-in
 - SAPGUI for Java
 - SAPGUI for Windows (limited)
Supported Internet browsers:
 - Linux Konqueror
 - Mozilla Firefox 2.x, 3.x or any other Mozilla-based Web browser
 - Microsoft Internet Explorer 6/7
 - Apple Safari 3.x
Supported Operating Systems for SAP-ID-based authentication (SunOS/Solaris/HP-UX have no Web Client support, Mac OS X has no Server support):
 - Linux-i686-2.2-GLIBC2.1-mt-32
 - Linux-i686-2.4-GLIBC2.2-mt-32
 - Linux-i686-2.6-GLIBC2.3-mt-32
 - Linux-i686-2.6-GLIBC2.7-mt-32
 - MacOSX10.4-mt-32
 - SunOS-sparc-5.10-mt-32
 - SunOS-sparc-5.10-mt-64
 - SunOS-sparc-5.8-mt-32
 - SunOS-sparc-5.8-mt-64
 - Windows-i686-VS7.1-mt-32
 - HP-UX 11.11 (PA-RISC)
 - HP-UX 11.23 (Itanium)
The native components for each OS are part of the delivery package.

110

SECUDE Secure Login 5.1 Installation, Administration and Usage Manual

5.2 Preparing the Server for Installation

Introduction

The Server must be prepared for the installation of Secure Login plus the Web Client. If you have already prepared the Server, go to the next section to start with the installation. If you have not prepared the Server, the following list indicates what must be installed and configured before starting with the installation of SECUDE Secure Login:
- Install the operating system (plus updates if necessary).
- Install Java (JCE will be installed automatically).
- Install the application Server.
This manual does not detail the installation and configuration of the above-mentioned software. It is assumed that the knowledge and skills necessary to perform the Server preparation are already present and need not be documented.

Contents of Delivery Package

Secure Login is delivered as a series of ZIP files. The contents of each ZIP file are as follows:

SECUDE51SecureLoginNativeComponents.zip
This file contains the necessary native Secure Login components for each supported platform:
- \extra - Example secude.xml file
- \SSS+JCO - Native components for the Signon&Secure and JCO installation
- \WebClient - Native components necessary to run the Web Client

SECUDE51SecureLoginServer.zip
- \doc - This directory contains the documentation, license agreements, and readme files.
- \SECUDE51SecureLoginServer.zip - Despite the fact that this ZIP file has the same name as the file containing it, this file contains the standard Secure Login applications as well as the Web Client variants:
  - \NetWeaver\securelogin.ear - Standard Secure Login application for SAP NetWeaver to work with the Secure Login Client.
  - \NetWeaver WS\secureloginservice.ear - The Web Client version of Secure Login for SAP NetWeaver.
  - \Tomcat\securelogin.war - Standard Secure Login application for Apache Tomcat to work with the Secure Login Client.
  - \Tomcat WS\axis2.war, securelogin.war, secureloginservice.aar, shared.zip, SlsWebClient.war - The Web Client version of Secure Login for Apache Tomcat plus the secondary files necessary for operation.

Prepare the Files

In preparation for installation, it is recommended to unpack the ZIP archive SECUDE51SecureLoginServer.zip to produce the four application sub-directories, as well as SECUDE51SecureLoginNativeComponents.zip to produce the files for the native components.

This manual contains steps in which it is necessary to choose and confirm passwords. For reasons of security, Secure Login will only allow you to choose passwords that are hard to guess (i.e. a mix of uppercase/lowercase letters, digits, and special characters).

5.3 Install and Configure the Web Client

The Web Client itself is delivered in two versions: one for Apache Tomcat and one for SAP NetWeaver. The next two sub-sections detail the installation steps for the Secure Login Web Client on both systems.

Sections
Section 5.3.1 Web Client installation on Tomcat, on page 112
Section 5.3.2 Web Client Installation on NetWeaver, on page 114

5.3.1 Web Client installation on Tomcat

1. If necessary, stop Tomcat.
2. Unpack the contents of the file shared.zip located in the directory <unzipped location on hard disk>SECUDE51SecureLoginServer/Tomcat WS/ (in the delivery package; see section 5.2 on page 111). This step differs according to the version of Tomcat you use:
   - Tomcat 6: Unzip the content directly to the directory <Tomcat home directory>\shared.
   - Tomcat 5:
     - Unzip the *.properties files to the directory <Tomcat home directory>\shared\classes
     - Unzip the *.jar files to the directory <Tomcat home directory>\shared\lib

Apache Tomcat 6.x does not use a shared directory as standard, and it must therefore not only be created but also entered manually into the Tomcat configuration (failure to do so will result in errors such as "SecudeJavaSDK not found" and "JRE Policy not implemented" despite the fact that the components are in the correct directory):
- Create the shared directory directly under the Tomcat home directory, for example: <Tomcat home>\shared
- Open the Tomcat properties file catalina.properties in the directory <Tomcat home>\conf in a text editor. Locate the following section:

  # List of comma-separated paths defining the contents of the "shared"
  # classloader. Prefixes should be used to define what is the repository type.
  # Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
  # the "common" loader will be used as Catalina's "shared" loader.
  # Examples:
  #     "foo": Add this folder as a class repository
  #     "foo/*.jar": Add all the JARs of the specified folder as class
  #                  repositories
  #     "foo/bar.jar": Add bar.jar as a class repository
  # Please note that for single jars, e.g. bar.jar, you need the URL form
  # starting with file:.
  shared.loader=

- Change the last line to read:

  shared.loader=${catalina.home}/shared,${catalina.home}/shared/*.jar

- Save the changes and close the text editor.

3. Copy the file securelogin.war from the delivery package to <Tomcat home directory>\Webapps.


4. Start Tomcat to deploy the securelogin.war file.
5. Start the Administration Console and create your basic configuration (see section 6.1 on page 119). Once completed, log out of the console.
6. Deploy the file axis2.war by copying it from the delivery package to the directory <Tomcat home directory>\Webapps. The deployment should be automatic, but if not, restart Tomcat.

When configuring an SAP-ID-based Authentication Server, the Administration Console will usually take care of the signon&secure/JCO installation. This includes copying the file sapjco.jar to the directory <Tomcat home>\Webapps\securelogin\WEB-INF\lib. This also applies to the AXIS Web Client scenario, where the file sapjco.jar will be copied to the shared directory:
- For Tomcat 5.x: <Tomcat home directory>\shared\lib
- For Tomcat 6.x: <Tomcat home directory>\shared
However, for the AXIS Web Client scenario, if you have not set the option TomcatSharedPath in the Administration Console page Web Client Configuration, then you will have to copy the sapjco.jar file manually to the respective Tomcat 5.x/6.x directory. For further details about the Web Client Configuration node refer to section 6.1.16 on page 166.

7. Deploy the file secureloginservice.aar by copying it from the delivery package to the directory <Tomcat home directory>\Webapps\axis2\WEB-INF\services. The deployment should be automatic, but if not, restart Tomcat.
8. Open the file <Tomcat home directory>\Webapps\axis2\WEB-INF\Web.xml in a text editor. Locate and remove the line <load-on-startup>XXX</load-on-startup>. Save the file and close the editor.
9. Deploy the file SlsWebClient.war by copying it from the delivery package to the directory <Tomcat home directory>\Webapps.

The Tomcat Security Manager

Usually, after a fresh Tomcat installation, the Tomcat Security Manager is deactivated. However, if it is active, then errors such as "SecudeJavaSDK not found" and "JRE Policy not implemented" may occur despite the fact that everything in the configuration appears to be as it should. The Tomcat Security Manager must be deactivated:
- For Tomcat 5.5 under Linux: The following security manager option is located in the Tomcat start script in the directory init.d:

  #Use the Java security manager? (yes/no)
  #TOMCATS_SECURITY=yes

  Either comment it out or set it to no.
- For Windows: The security manager is usually started using the runtime option security. Do not use this option.

Change default Apache Axis2 administration account

Apache Axis2 also has an administration front-end. It is available via the URL http://localhost:8080/axis2/axis2-admin/ and allows the upload (and hence the change) of Web Service Archives and the activation/deactivation of deployed services. The front-end is shipped with a default account: user=admin, password=axis2. This, of course, presents a security issue, and therefore it is recommended that the Secure Login administrator change the password of the AXIS2 admin front-end. This can be accomplished as follows:
- Open the axis2.xml file in the Server directory Webapps\axis2\WEB-INF\conf\.
- Locate the following lines:

  <parameter name="userName">admin</parameter>
  <parameter name="password">axis2</parameter>

- Change the userName and password values accordingly.

10. Start the Administration Console and log in. Click the Web Client Configuration node to start configuring the Web Client (see section 6.1.16 on page 166).

Next Step
- Configure the Secure Login Server using the Administration Console; see section 6.1 Administration Console on page 119.
- Start and use the Web Client; see section 5.4 Use the Web Client on page 115.
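The following Python script is an added post-installation check, not SECUDE's or Apache's code: it verifies the three Tomcat-side settings that step 2, the Tomcat 6 shared.loader note and this Axis2 section depend on, namely that shared.loader references the shared directory and its JARs, that the files from shared.zip are present, and that axis2.xml no longer carries the shipped admin/axis2 account. It assumes Tomcat's lowercase webapps directory name and builds a constructed Tomcat home in a temporary directory so that it runs offline; point check_tomcat_ws() at a real <Tomcat home> to use it.

```python
"""Post-installation check for the Tomcat WS deployment of Secure Login.

Added example; not part of the SECUDE manual or product. Checks:
  * conf/catalina.properties: shared.loader must list ${catalina.home}/shared
    and ${catalina.home}/shared/*.jar (otherwise "SecudeJavaSDK not found");
  * shared/: the JARs and message file delivered in shared.zip must be present;
  * webapps/axis2/WEB-INF/conf/axis2.xml: the shipped admin account
    (userName=admin, password=axis2) must have been changed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Files delivered in shared.zip (from the manual's file list).
SHARED_FILES = (
    "iaik_jce_full.jar", "opencsv-1-7-1.jar", "radClient3.jar",
    "SECUDE-JavaSDK.jar", "SECUDE-SecureLogin.jar", "SECUDE-Transfair.jar",
    "ServerMsg.properties",
)
DEFAULT_AXIS2_ADMIN = ("admin", "axis2")  # account shipped with Axis2 1.4
REQUIRED_LOADER_ENTRIES = {"${catalina.home}/shared",
                           "${catalina.home}/shared/*.jar"}


def check_shared_loader(catalina_properties_text):
    """True if the (uncommented) shared.loader line lists both required entries."""
    for line in catalina_properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or not line.startswith("shared.loader"):
            continue  # comment lines also mention "shared"; skip them
        value = line.split("=", 1)[1] if "=" in line else ""
        entries = {e.strip() for e in value.split(",") if e.strip()}
        return REQUIRED_LOADER_ENTRIES <= entries
    return False  # key absent entirely


def missing_shared_files(shared_dir):
    """Return the shared.zip files that are not present in shared_dir."""
    try:
        present = set(os.listdir(shared_dir))
    except FileNotFoundError:
        return list(SHARED_FILES)  # directory not even created yet
    return [f for f in SHARED_FILES if f not in present]


def axis2_admin_is_default(axis2_xml_text):
    """True if axis2.xml still carries the shipped userName/password pair."""
    root = ET.fromstring(axis2_xml_text)
    params = {}
    for p in root.iter("parameter"):
        if p.get("name") in ("userName", "password"):
            params[p.get("name")] = (p.text or "").strip()
    return (params.get("userName"), params.get("password")) == DEFAULT_AXIS2_ADMIN


def check_tomcat_ws(tomcat_home):
    """Run all three checks against a Tomcat home and return the findings."""
    with open(os.path.join(tomcat_home, "conf", "catalina.properties")) as f:
        loader_ok = check_shared_loader(f.read())
    missing = missing_shared_files(os.path.join(tomcat_home, "shared"))
    axis2_xml = os.path.join(tomcat_home, "webapps", "axis2",
                             "WEB-INF", "conf", "axis2.xml")
    with open(axis2_xml) as f:
        default_admin = axis2_admin_is_default(f.read())
    return {"shared_loader_ok": loader_ok,
            "missing_shared_files": missing,
            "axis2_default_admin": default_admin}


def build_sample_tomcat_home(configured):
    """Constructed Tomcat home (temporary directory), before or after steps 2-10."""
    home = tempfile.mkdtemp(prefix="tomcat-ws-")
    os.makedirs(os.path.join(home, "conf"))
    os.makedirs(os.path.join(home, "shared"))
    conf_dir = os.path.join(home, "webapps", "axis2", "WEB-INF", "conf")
    os.makedirs(conf_dir)
    loader = ("shared.loader=${catalina.home}/shared,${catalina.home}/shared/*.jar"
              if configured else "shared.loader=")
    with open(os.path.join(home, "conf", "catalina.properties"), "w") as f:
        f.write('# List of comma-separated paths defining the contents of the "shared"\n'
                "# classloader (constructed excerpt).\n" + loader + "\n")
    for name in SHARED_FILES:  # the unconfigured tree is missing one JAR
        if configured or name != "SECUDE-JavaSDK.jar":
            open(os.path.join(home, "shared", name), "w").close()
    password = "ChangedByAdmin-2010" if configured else "axis2"  # constructed
    with open(os.path.join(conf_dir, "axis2.xml"), "w") as f:
        f.write('<axisconfig name="AxisJava2.0">\n'
                '  <parameter name="userName">admin</parameter>\n'
                '  <parameter name="password">%s</parameter>\n'
                '</axisconfig>\n' % password)
    return home


if __name__ == "__main__":
    for label, configured in (("fresh", False), ("after steps 2-10", True)):
        print(label, check_tomcat_ws(build_sample_tomcat_home(configured)))
```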

5.3.2 Web Client Installation on NetWeaver

The Web Client installation for NetWeaver is exactly the same as the standard Secure Login installation detailed in section 3.7 on page 91. However, instead of deploying the standard Secure Login application (securelogin.ear) you deploy the Web Service application secureloginservice.ear (located in the NetWeaver WS directory in the delivery package).

Next Step
- Configure the Secure Login Server using the Administration Console; see section 6.1 Administration Console on page 119.
- Start and use the Web Client; see section 5.4 Use the Web Client on page 115.

5.4 Use the Web Client

This section describes how to open and use the Secure Login Web Client. Only use the Web Client once you have finished configuring not only the Secure Login Server but also the Web Client settings via the Administration Console (see sections 6.1 on page 119 and 6.1.16 on page 166 respectively).

1. Enter the following URL in your Internet browser: http://<hostname:port>/SlsWebClient

   A security warning to confirm the digital signature of the Web Client Applet may appear. If so, confirm the signature to proceed to load the Web Client. You can choose to confirm the signature either once or always; if you confirm it only once, the security warning will reappear the next time you want to log on to the Web Client.

2. The Web Client login page will appear:

   Figure 5-1 Web Client login page

3. Enter your Username and Password, and select a Server to log on to from the Server combo-box. The next step differs according to which Server you are about to authenticate and log on to:
   - If you have configured the Web Client to start the SAP interface directly without calling the SAP logon dialog first (Web Client Configuration node > SAP GUI Management), then the next screen you should see is the SAP interface. The procedure ends with this step.
   - If you have configured the Web Client to start the SAP logon dialog, then the SAP Logon dialog will appear. Go to the next step.
4. On Windows Clients only: The new user certificate is propagated into the Windows Certificate Store in the background. Internet Explorer can use it for certificate-based authentication if an SSL-protected Web page is opened.
5. The SAP Logon dialog/GUI will appear (if the SAP Logon GUI for Java is correctly installed, it will take preference over the SAP Logon GUI for Windows):

   Figure 5-2 Web Client SAP Logon GUI (left: Windows, right: Java)

Web Client Logging

When logging in via the SAP Logon dialog/GUI, user information is stored in the local user directory. For Windows this directory is C:\Documents and Settings\<user>\secudesnc. The directory will contain some, or all, of the following files:
- ComSecudeUtil.dll - SECUDE library copied over from the Server
- cred_v2 - Credentials file
- SapProfile.sap - SAP profile
- secude.dll - SECUDE library copied over from the Server
- SecudeSNCApplet.log - Log file of Web Client activity
- SNC.pse - SNC personal security environment
- ticket.snc - License file copied over from the Server
- user.properties - User properties file containing the username, date+time, and SNC version
- version.txt - Native components version file copied over from the Server
It is possible to configure the Web Client to automatically delete the files in the secudesnc directory. Use the Administration Console option Client Logging under the node Web Client Configuration > Common Configuration. For further information see section 6.1.16.1 on page 168.

5.4.1 Configure SSL Trust for the Web Client Java Applet

This section details how to secure the communication between the Internet browser and the Web Client using SSL, thus helping to eliminate the security warnings when calling the Web Client (and any alarm this may cause, including extra hotline activity).

A normal call between Browser and Web Client is established via Java over HTTP, and therefore how the SSL trust is established is Browser-dependent:
- Linux Konqueror and Mozilla Firefox 3 do not use their own certificate store but rather the Java certificate store.
- Microsoft Internet Explorer 6/7 and Apple Safari use their own certificate store.

Trust may be established in two ways:
- No permanent certificate: this means that the user computer is left untouched and the Web Client is called using an HTTPS URL. If SSL trust has not yet been established, a Java pop-up will appear prompting the user whether they wish to trust the SSL Server.
- Permanent certificate: this means that the user computer has an imported root certificate (via remote distribution) and the Web Client is called using an HTTPS URL. This can be configured so that no pop-ups will appear.

These are the three points of security configuration relevant to the Web Client, or rather the three possible levels at which action may be taken depending on how far you want to go (all of which are for a permanent certificate only!):

SSL Trust between Browser and Application Server (for example, Tomcat)
This simply involves importing the Administration Console root certificate into the Browser's certificate truststore.

SSL Trust between Java Applet and Application Server
This only applies to Linux Konqueror and Mozilla Firefox 3! This will import the Administration Console root certificate into the Java environment. This can be performed at two levels: per machine for all users, or per user:
- Per machine (all operating systems): Locate the Java truststore file cacerts under the path jre\lib\security. Use the Java Keytool to import the Administration Console root certificate into the Java truststore.
- Per machine (alternative method): Use the Administration Console to export the root certificate in JKS format. Rename the resulting keystore file to jssecacerts (no extension!) and place the file under jre\lib\security.
- Per user: Use the Administration Console to export the root certificate in JKS format. Rename the resulting keystore file to trusted.jssecacerts (no extension!) and place the file under:
  - Windows: %HOMEPATH%\Application Data\Sun\Java\Deployment\security
  - Linux/Mac: $HOME/.java/deployment/security

Execution rights for signed applet (i.e. user warning prompts)
This will import the Administration Console root certificate and suppress the user warning prompts. The applet in the SSL Server SlsWebClient directory will always be trusted. This can be performed at two levels: per machine for all users, or per user:
- Per machine: Open the Java Security Policy file java.policy in the directory jre\lib\security. Add the following code:

  grant codeBase "https://<SLS-HOSTNAME WITHOUT PORT>/SlsWebClient/*" {
      permission java.security.AllPermission;
  };

  Save and close the file.
- Per user: Open an editor and enter the following code:

  grant codeBase "https://<SLS-HOSTNAME WITHOUT PORT>/SlsWebClient/*" {
      permission java.security.AllPermission;
  };

  Save the file as .java.policy in the user home directory (all operating systems).
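The following Python helper is an added example, not part of the manual or the product: it produces the per-user .java.policy grant above from the Web Client URL, dropping the port as the codeBase requires and rejecting non-HTTPS URLs, and resolves the per-user deployment security directory for trusted.jssecacerts. The hostname sls.example.com and the temporary home directory are constructed values.

```python
"""Per-user Java trust setup for the Web Client applet (added example, not
part of the SECUDE manual). Generates the .java.policy grant block from the
Web Client URL and resolves where trusted.jssecacerts belongs per user."""
import os
import tempfile
from urllib.parse import urlsplit


def webclient_grant(web_client_url):
    """Return the grant block for the Web Client codeBase.

    The codeBase names the SLS host WITHOUT the port, so a port in the URL
    (e.g. :8443) is dropped deliberately. A non-HTTPS URL is rejected because
    the trust levels described in the manual apply to HTTPS calls only.
    """
    parts = urlsplit(web_client_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("the Web Client must be called via an HTTPS URL with a hostname")
    code_base = "https://%s/SlsWebClient/*" % parts.hostname
    return ('grant codeBase "%s" {\n'
            '    permission java.security.AllPermission;\n'
            '};\n' % code_base)


def user_security_dir(system, home):
    """Per-user deployment security directory that receives trusted.jssecacerts."""
    if system == "Windows":
        return home + r"\Application Data\Sun\Java\Deployment\security"
    if system in ("Linux", "Darwin"):  # Darwin is Mac OS X
        return home + "/.java/deployment/security"
    raise ValueError("unsupported system: %s" % system)


def write_user_policy(web_client_url, home):
    """Write .java.policy (no other extension) into the user's home directory."""
    path = os.path.join(home, ".java.policy")
    with open(path, "w") as f:
        f.write(webclient_grant(web_client_url))
    return path


def demo():
    """Constructed run: a temporary directory stands in for the real user home."""
    home = tempfile.mkdtemp(prefix="webclient-user-")
    path = write_user_policy("https://sls.example.com:8443/SlsWebClient", home)
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    print(demo())
```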

5.5 Remove the Web Client

This section describes how to remove the Web Client from both Tomcat and NetWeaver Servers.

Web Client removal from Tomcat

Before proceeding, if you have not already done so, stop the Tomcat Server.
Delete the following folders from the <Tomcat home>\Webapps directory:
- axis2
- Securelogin
- SlsWebClient
Delete the following files from the <Tomcat home>\Webapps directory:
- axis2.war
- securelogin.war
- SlsWebClient.war
For Tomcat 6.x only: delete the following files from the <Tomcat home> directory:
- \shared\iaik_jce_full.jar
- \shared\opencsv-1-7-1.jar
- \shared\radClient3.jar
- \shared\SECUDE-JavaSDK.jar
- \shared\SECUDE-SecureLogin.jar
- \shared\SECUDE-Transfair.jar
- \shared\ServerMsg.properties
- \shared\ServerMsg_<country abbreviation>.properties
For Tomcat 5.x only: delete the following files from the <Tomcat home> directory:
- \shared\lib\iaik_jce_full.jar
- \shared\lib\opencsv-1-7-1.jar
- \shared\lib\radClient3.jar
- \shared\lib\SECUDE-JavaSDK.jar
- \shared\lib\SECUDE-SecureLogin.jar
- \shared\lib\SECUDE-Transfair.jar
- \shared\classes\ServerMsg.properties
- \shared\classes\ServerMsg_<country abbreviation>.properties

Web Client removal from NetWeaver

To remove a Secure Login Web Client installation from NetWeaver, follow the same steps as detailed in section 3.7.2 on page 92.

6 Administration

Introduction

This chapter describes how to administrate the SECUDE Secure Login Server via either the Administration Console or the XML interface.

Sections in this Chapter
Section 6.1 Administration Console, on page 119
Section 6.2 Email Report&Alert Configuration, on page 177
Section 6.3 Instance Management, on page 178
Section 6.4 Console Users, on page 198
Section 6.5 Other Administration Features, on page 206

6.1 Administration Console

Introduction

This section details the Administration Console for Secure Login. The console is based on Java Server Pages (JSP) technology and is controlled from within an Internet browser. It makes administration tasks for SECUDE Secure Login easy. Every relevant administration and configuration task for both the Client and Server side can be performed via the console.

6.1.1 Open the Console

1. To open the console, enter the following URL in a Web browser: http://<Server IP address>/securelogin/admin/index.jsp
   For example: http://localhost:8080/securelogin/admin/index.jsp
   or, for secure communication: https://localhost:8443/securelogin/admin/index.jsp
   The login page will appear:

   Figure 6-1 Administration Console login page

2. Enter your SECUDE Secure Login administration username, password, and authentication type (detailed below). Click Login. If you make a mistake entering any details, just click Reset to clear the fields.

   Authentication type: Local login
   Details: Standard username/password combination authenticated via the Administration Console database.

   Authentication type: External login
   Details: Username/password combination authenticated via the Authentication Server database set in the JAAS module. If you use this option you must also select the appropriate JAAS module in the External Login Jaas Module combo-box. NOTE: an Authentication Server must already be configured for there to be any entries in the combo-box. For information about configuring an Authentication Server refer to section 6.1.5.

   Authentication type: SSL certificate login
   Details: Username/password combination authenticated via a certificate imported into the Web browser.

3. If login is successful, the Welcome page will appear:

Figure 6-2 Administration Console Home/welcome page

The Administration Console interface allows you to easily configure the Server to your needs. The main area is split into three panes:
- The top left-hand pane lists any tasks that have yet to be performed. For example, "Connection should be https" refers to the missing SSL connection between the console and the Secure Login Server, and "Server needs to be restarted" informs you that the Server configuration has been changed and you need to restart the Server for it to take effect.
- The bottom left-hand pane is the main navigation tree. For easy reference, each node represents tasks that can be performed within the Secure Login framework.
- The right-hand pane displays the details of any node selected in the left-hand pane.

In the top right-hand corner there are three entries that appear on every page in the console:
- Change password - This allows you to change the password for the current administrator/user account. For further details refer to section 6.1.3 on page 122.
- Logout - Use this link to log out of the console. The login page will reappear (see previous page).
- About - Click this to view version information about the console.

Click one of the nodes in the bottom left-hand pane to perform one of the following tasks:
- Home: Use this node to return to the Administration Console start page (as seen above).
- Server Configuration: Use this node to view and change the configuration of the whole Server. For further information see section 6.1.3.
- Server Configuration > Certificate Management: Use this node to view details about the Secure Login Server certificate issuers and to add new issuers. For further information see section 6.1.4.
- Server Configuration > Authentication Management: Use this node to view details about the Secure Login Server JAAS module and to add a new Authentication Server. For further information see section 6.1.5.
- Server Configuration > TrustStore Management: Use this node to view certificates in the TrustStore and add certificates to the TrustStore. For further information see section 6.1.6.
- Server Configuration > Certificate Template: Use this node to view and change certificate templates. For further information see section 6.1.7.
- Server Configuration > System Check: Use this node to view the current status of Secure Login components. For further information see section 6.1.8.
- Server Configuration > Backup/Restore: Use this node to back up and/or restore the current Server configuration and PKI information of the administration system. For further information see section 6.1.9.
- Server Configuration > Change Language: Use this node to change the GUI language. For further information see section 6.1.10.
- Server Configuration > Message Setting: Use this node to change message content. For further information see section 6.1.11.
- Server Configuration > SSS&JCO installation: Use this node to install the SECUDE signon&secure (SSS) and JCO components necessary for the SAPID JAAS login module for Secure Login. For further information see section 6.1.12.
- Server Configuration > System Status: Use this node to view the status of the current Secure Login Server. For further information see section 6.1.13.
- Server Configuration > Sign Certificate Requests: Use this node to submit a certificate request to a certificate authority. For further information see section 6.1.14.
- Server Configuration > Console log viewer: Use this node to view log entries of actions performed via the Administration Console only. Log files can be viewed on a monthly basis. For further information see section 6.1.15.
- Server Configuration > Locked Files Management: Use this node to check if any files have been locked and, if necessary, unlock them. For further information see section 6.4.3 on page 205.
- Server Configuration > Web Client Configuration: Use this node to configure Web Client parameters. For further information see section 6.1.16. NOTE: this node only appears if the Web Client has been installed. For further details refer to section 5.3 on page 112.
- Server Configuration > Email Report&Alert Configuration: Use this node to configure email notification and email alert parameters. For further information see section 6.1.16.
- Instance Management: Use this node to administrate the Secure Login instances. For further information see section 6.3.
- Instance Management > Instance Configuration: Use this node to display the configuration of the current Secure Login Server instance. For further information see section 6.3.1.
- Instance Management > Client Configuration: Use this node to view and change the Client configuration. For further information see section 6.3.3.
- Instance Management > Instance Log Management: Use this node to view log files on either a monthly or daily basis, and download the log files for archiving. For further information see section 6.3.4.
- Instance Management > Instance Check: Use this node to view the status of the components for Client policies and PKI management. For further information see section 6.3.5.
- Instance Management > Instance Status: Use this node to view the status of the current Secure Login Server. For further information see section 6.3.6.
- Console Users: Use this node to view when an administrator logged in to, or logged out of, the Administration Console. For further information see section 6.4.
- Console Users > User Management: Use this node to display a list of the users/administrators registered to the Administration Console as well as add a new user, edit/delete a current user, and assign a role to a user. For further information see section 6.4.1 on page 199.
- Console Users > Role Management: Use this node to configure the permissions for a new or existing administrator role. For further information see section 6.4.2 on page 202.
- Console Users > Locked Files Management: Use this node to unlock console files that are locked by dead operator sessions. For further information see section 6.4.2 on page 202.

You may be asked to re-enter your username and password if you leave the administration console for too long (console timeout). This page also appears when you click the Home node.

6.1.2 Change the Administrator/User Password

This section details how to change the account password for the Administration Console. The user Admin is a permanent user that has the role super-user and cannot be deleted (only the password can be changed) or altered in any way. As a consequence, the admin user can log on to the system regardless of its state (i.e. when a serious system error occurs), guaranteeing that there is at least one user that can always access Secure Login to correct or configure the system.

1. Click Change Password in the title bar on any page.
2. The following page will appear:

   Figure 6-3 Administration Console Change Administrator/User Password

3. Enter the current password into the Old Password field.
4. Enter and confirm the new password into the fields New Password and Confirm New Password respectively.
5. Click OK.

6.1.3 Server Configuration

This section details the Server Configuration page of the Administration Console. The Server Configuration page allows you to:
- View the Server configuration.
- Edit some of the Server parameters (see section 6.1.3.1 on page 126).
- Edit the type of authentication used to log in to the Administration Console (see section 6.1.3.2 on page 127).

1. Click the Server Configuration node in the left-hand pane of the Administration Console.
2. The following page will appear:

   Figure 6-4 Administration Console Server Configuration

The following options can be viewed on this page (Option: Details/Value):
- Edit: Click Edit to change the Administration Console description, Trace Configuration, Server Lock Configuration, Client Configuration, and SNC Configuration (see section 6.1.3.1 on page 126).
- Description: The description of this Administration Console.
- Console login type: The current types of authentication available for login to the Administration Console. For further information see section 6.1.4.2.
- External Login Jaas Module: The current JAAS module used for external login authentication to the Administration Console. For further information see section 6.1.3.2 on page 127.
- The Authentication file path: The authentication file (*.login) used by this Server.
- Trust Certificates storage file: The TrustStore file (*.jks) used by this Server.
- TrustStore password: The password for the TrustStore file.
- Console Log Directory: The directory in which the console log file will be located.
- Console Log Prefix: The file prefix for the console log file.
- Enable Server trace: Display trace messages in the application Server console (i.e. the Tomcat command box).
- Path to the Server lock file: The fall-back of the LockDir property in the configuration.properties file. This property is stored in the Web.xml file.
- Lock the Server when the logging function encounters fatal errors: If set to No, the Server will not be locked if transaction logging fails. If set to Yes, the Server will be locked if transaction logging fails. If a full transaction log is important to you, please set this option to Yes.
- Server name or IP to be used: The hostname or IP of the computer from which the console is being used for the Client configuration (i.e. for all Client policy URLs). NOTE: do not use localhost. If on a local machine, set the IP address or DNS/hostname.
- CREDDIR: The directory in which the credentials are stored by SECUDE signon&secure. NOTE: This option will overwrite any existing SAP ID-based Server CREDDIR value (automatically generated during the Authentication Server creation) with this value.
- NativeLibraryPath: The directory in which the platform-dependent native libraries are located.

6.1.3.1 Edit the Server Configuration

This section details the editable properties of the Server Configuration page of the Administration Console.

1. Click Edit to display the following information:

   Figure 6-5 Administration Console Edit Server Configuration

   The following options can be set (Option: Details/Value):
   - Description: Here you can personalize the description for the Administration Console.
   - Enable Server trace: Yes: write trace messages to the application Server trace file (for Tomcat: folder logs, files catalina*.log / localhost*.log; for NetWeaver AS Java: defaultTrace_*.log). No: do not display trace messages in the application Server console.
   - Lock the Server when the logging function encounters fatal errors: Yes: lock the Server if transaction logging fails. No: do not lock the Server if transaction logging fails.
   - Server name or IP to be used: The hostname or IP of the computer from which the console is being used. NOTE: do not use localhost. If on a local machine, set the IP address.
   - CREDDIR: Use this option to define in which directory credentials will be written by SECUDE signon&secure. Enter the full path of the directory to be used, for example: C:\SSS. NOTE: This option will overwrite any existing SAP ID-based Server CREDDIR value (automatically generated during the Authentication Server creation) with this value.
   - NativeLibraryPath: Use this option to define the directory in which the native libraries used for verification of the SAP Ticket will be located.

2. Once you have changed any options, click Save to return to the Server Configuration page.

6.1.3.2

Change Console Login Type


This section details how to modify the way you authenticate to the Administration Console. 1. 2. Click the Server Configuration node in the left-hand pane of the Administration Console. Click Edit next to the Console Login Type Configuration heading to view the following information:

Figure 6-6 Administration Console change login type

This page allows you to configure, delete, or add the following login types:

Local Login: Standard username/password combination authenticated via the Administration Console database.
External Login: Username/password combination authenticated via the Authentication Server database set in the JAAS module. If you use this option you must also select the appropriate JAAS module in the External Login Jaas Module combo-box. NOTE: an Authentication Server must already be configured for there to be any entries in the combo-box. For information about configuring an Authentication Server refer to section 6.1.5 Authentication Management.
SSL-Certificate Login: Username/password combination authenticated via a certificate imported into the Web-browser.

Add a Login Type

1. To add a login option to the administration console login page, select a login type from the ALL Login Type field and click >>Add (it will appear in the Current Login Type field).
2. If necessary, use the Up and Down buttons to give a login option priority (the order of appearance in the Login Type combo-box on the login page).
3. Click Save to confirm any changes.

Delete a Login Type

1. To delete a login option from the administration console login page, select a login type from the Current Login Type field and click <<Delete (it will appear in the ALL Login Type field).
2. Click Save to confirm any changes.


6.1.4 Certificate Management

This section details the Certificate Management page of the Administration Console. These features allow you to view, edit, export, import, and create certificates.

The first decision to make is whether Secure Login Server shall create and manage one or more Public Key Infrastructures, or whether an existing company PKI shall be used on top. Both are possible, and even a mixture of the two: you may want to have one Secure Login Server PKI under your enterprise PKI, and two others created independently by Secure Login Server. Because of the high flexibility of Secure Login Server, PKIs can be added, replaced, or deleted at any time.

Follow these steps to open Certificate Management:

1. If you have not already done so, click the Certificate management node from the tree in the left-hand pane.
2. The following page will appear:

Figure 6-7 Administration Console Certificate Management page

This page allows you to perform the following certificate tasks:
- Create or import new PKIs or PKI sub trees.
- View certificates (see View Certificate Details below).
- Export certificates (see Export a Certificate below).
- Import certificates (see Import a Certificate below).
- Create SSL, SNC, login, and SAP certificates (see Create a Certificate below).

This page has the following details:

PKI Structure: One or more tree views of independent PKIs.
Create New Root CA: Give a display name for the new PKI and create the top level Certification Authority (Root CA).
Certificate Information: The name, file path, and password protection of the selected certificate.
Mapping to Instance: List of all Secure Login Server instances, and selection of all instances that shall use this User CA. Only available for User CAs.
More Details: More X.509 name details and the certificate validity time frame.
PKI Info: Display name of the PKI structure.
CA Operations: Select a specific Certification Authority of a PKI for further management operations.
Issue: Create a new Certification Authority of this type.
Change Password: Change the password of the selected CA.
Remove Password: Remove the password of the selected CA. The password must then be given for each following management operation of this CA.
Export Certificate: Export the selected certificate. Possible export types are: *.crt, *.p12, *.pse, *.jks.
New Password: Password of the exported certificate file store.
Import New PKI: Import the keystore into the certificate list. NOTE: Only PSE files can be imported.
PKI Name: Display name of the new PKI that the certificate shall be part of.
The selection list allows associating the type of CA with the certificate. Each type can be associated only once.
Browse: Opens a file browser to select the certificate store file.
Open Password: Password that protects the certificate store file.
Save Password: Allows saving the password in the configuration.

View Certificate Details

1. Click on a certificate name in the list, for example SecureLogin Root CA.
2. If the selected CA has not saved its password, enter the password for the certificate in the field Password and click View.
3. The following information will appear:

Figure 6-8 Administration Console Certificate Management page

Create a new PKI

Use this function to create a new internal PKI that has its own Root CA certificate.

1. Enter a display name for the new PKI, for example SECUDE.
2. Click the right-hand Create New Root CA button and continue reading at Create a Certificate.
3. A success message should appear and the new PKI will be shown in the list.

Import a new PKI

Use this function to create a new PKI that uses external CA certificates. This way it is also possible to create a PKI without having the issuing Root CA stored inside Secure Login Server.

1. Enter a display name for the new PKI, for example SECUDE.
2. Select the type of CA that shall be imported.
3. Click Browse to open a file browser. Locate and open the PSE file.
4. Enter the password for the PSE file in the field Open password. As an option, you can choose to save the password in the Secure Login system file by clicking Save password? so you do not have to re-enter the password every time.
5. Click the right-hand Import button to complete the import.
6. A success message should appear and the new PKI will be shown in the list.

Export a Certificate

1. Click on a certificate name in the list, for example SECUDE Root CA.
2. Select the format of the certificate from the Export type combo-box.
3. Enter a new certificate password into the field New password.
4. Click the right-hand Export button to open a save dialog. Save the certificate file to a safe and secure location.

Import a Certificate

If a certificate entry in the list is grayed-out it means this certificate is not present. Use the Import function to load a new certificate.

1. Select the certificate entry from the list.
2. Click Browse to open a file browser. Locate and open the PSE file.
3. Enter the password for the PSE file in the field Open password. As an option, you can choose to save the password in the Secure Login system file by clicking Save password? so you do not have to re-enter the password every time.
4. Click the right-hand Import button to complete the import.
5. A success message should appear and the entry in the list will no longer be grayed-out.

Create a Certificate

If the certificate shall be created internally instead of being imported, use the Issue function.

1. In CA Operations, click Issue (only available if a Root, SSL, or SAP CA is selected).
2. A page such as the following will appear (parameters may differ):

Figure 6-9 Administration Console create certificate

This page allows you to enter the following certificate information:

Common name: The name of the certificate to be issued. Make sure you choose a name that applies to the CA at hand, for example, SECUDE SAP-CA or SECUDE SSL-CA. However, this property differs when creating SSL Server certificates. In this case you must enter the hostname by which the Server is accessed, for example, user1.secude.local or www.myprivatehost.com.
Organization unit: The division of the company. Example: Sales
Organization: The company name. Example: SECUDE
Locality: The regional information. Example: Darmstadt
Country: The country abbreviation. Example: DE (for Germany)
Encryption key length: The encryption key length for the Server (1024 bit or 512 bit).
SAP Server Type (only available when creating an SAP Server certificate): The type of keystore file (PSE file for ABAP Server, P12 file for Java Server).
Subject Alter Names (DNS) (only available when creating an SSL Server certificate): The host name or IP to be used for the Subject Alternative Name in the certificate.
Subject Alter Names (E_mail) (only available when creating a login certificate): The E-mail address to be used for the Subject Alternative Name in the certificate.
Valid from: The date from which this certificate is valid (YYYY-MM-DD hh:mm:ss). Use the calendar box to select a day. Example: 2010-04-25 17:09:31. NOTE: The validity time frame of a new certificate must be inside the time frame of the issuing CA.
Valid to: The date to which this certificate is valid (YYYY-MM-DD hh:mm:ss). Use the calendar box to select a day. Example: 2020-04-17 16:19:00. NOTE: The validity time frame of a new certificate must be inside the time frame of the issuing CA.
Password: The password to be used for encryption (maximum of 20 characters).
Confirm password: Confirmation of the encryption password entered in the field Password.
Save password to file?: Define whether the encryption password stated in the field Password should be saved in the keystore.xml file.
Issuer password: The issuing CA's password (only shown if this CA has not saved its password).

3. Enter the relevant details and click Create (or for SAP certificates: Create SAP Server certificate).

For further information about how to configure Tomcat for login certificates refer to sections 3.3.3.1 and 3.3.3.2 on page 37.
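The two NOTE lines above (the new certificate's validity must lie inside the issuing CA's validity) and the 20-character password limit are the kind of rules worth checking before clicking Create. The following is an added example, not SECUDE code; the CertSpec type, the function names and the sample certificates are my own, and the CA/path-length check and the rule that an SSL Server host name must also appear in Subject Alter Names (DNS) are standard X.509 practice added here rather than something the page states.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Timestamp format of the Valid from / Valid to fields on the create-certificate page.
TIME_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class CertSpec:
    """The subset of certificate fields this example reasons about (names are my own)."""
    common_name: str
    valid_from: str                   # "YYYY-MM-DD hh:mm:ss"
    valid_to: str                     # "YYYY-MM-DD hh:mm:ss"
    is_ca: bool = False
    path_len: Optional[int] = None    # BasicConstraints path length; None = unlimited
    san_dns: Tuple[str, ...] = ()     # Subject Alternative Name (DNS) entries
    password: str = ""                # keystore password (console limit: 20 characters)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, TIME_FMT)


def check_issuance(issuer: CertSpec, cert: CertSpec, ssl_server: bool = False) -> List[str]:
    """Return the reasons why 'issuer' must not issue 'cert'; an empty list means it may.

    Rules taken from the console page: the new validity window must lie inside the
    issuer's window, and the password is at most 20 characters.  The CA / path-length
    rule and the SSL host-name rule are standard X.509 practice added for this example.
    """
    problems = []
    if not issuer.is_ca:
        problems.append("issuer is not a CA")
    elif cert.is_ca and issuer.path_len is not None and issuer.path_len < 1:
        problems.append("issuer path length does not allow a further sub-CA")
    not_before, not_after = parse_ts(cert.valid_from), parse_ts(cert.valid_to)
    if not_before >= not_after:
        problems.append("Valid from must be earlier than Valid to")
    if not_before < parse_ts(issuer.valid_from) or not_after > parse_ts(issuer.valid_to):
        problems.append("validity time frame is not inside the issuing CA's time frame")
    if len(cert.password) > 20:
        problems.append("password exceeds 20 characters")
    if ssl_server and cert.common_name not in cert.san_dns:
        problems.append("SSL Server host name must appear in Subject Alter Names (DNS)")
    return problems


def sub_ca_path_len(issuer: CertSpec) -> Optional[int]:
    """Path length a sub-CA issued by 'issuer' may carry (one less than the issuer's)."""
    return None if issuer.path_len is None else issuer.path_len - 1
```

Run check_issuance(issuing_ca, new_cert) before filling in the page; every string it returns corresponds to a field the console would otherwise accept silently or reject only after the fact. Note also that both key lengths offered on this page (512 bit and 1024 bit RSA) are below current recommendations of at least 2048 bit, so certificates created here are best given short validity windows.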

6.1.5 Authentication Management

This section details the Authentication Management page of the Administration Console. Use this page to add, configure, test, and delete Authentication Servers from the configuration.

The following section applies only to Apache Tomcat and BEA WebLogic. The Authentication Server configuration for NetWeaver should be performed in SAP Visual Administrator. However, should you wish to test the Authentication Server connection you can create a dummy JAAS module using the same module name as created in SAP Visual Administrator (via the attribute Application Name).

1. Click the Authentication Management node in the left-hand pane of the Administration Console.
2. The following page will appear:

Figure 6-10 Authentication Server Manager

This page allows you to:
- Add new Authentication Servers.
- View and edit any current Server settings.
- Delete any Server from the Server list (select a Server entry and click Delete).
- Change the order in which Servers are queried.
- Quick-test the username and password used for Authentication Server access.

Select an application under Application Name (i.e. the SLSJaasModule application) to display the Authentication Servers in the application under Servers in SLSJaasModule. For further information refer to the following pages.


View Authentication Server Details

1. To view the settings for any Server in the list, click on one of the Server entries below the Servers in SLSJaasModule heading and click Display. NOTE: These values are required for configuring Secure Login Server modules inside SAP NetWeaver.
2. The following information will appear:

Figure 6-11 Authentication Server Manager Display Server settings

Here you can Edit the Server settings (see below), or Delete the Server entry completely from the Secure Login configuration.

Add/Edit an Authentication Server

Follow these steps to add an Authentication Server or edit the settings of a current Authentication Server entry:

1. If you have not already done so, click the Authentication Management node from the tree in the left-hand pane.
2. To add a new Server to the configuration click Add Server. The following information will appear:

Figure 6-12 Authentication Server Manager add new Server


...or, if you want to edit the settings of a current Authentication Server, click Edit. The following information will appear:

Figure 6-13 Authentication Server Manager edit Server

3. Enter/edit the Server details (for a detailed list of the Server parameters that can be set on this page refer to Authentication Server Parameters below). If you want to check the validity of the Server connection click Test.
4. Once you have finished click Save. Your Server should now appear in the Server list on the Authentication Management page.

When editing Authentication Server parameters, some entries are grayed-out and cannot be changed. This is normal. The only way to change such an entry is to add a new Server and re-enter the correct Server details.

Authentication Server Parameters

Not all of the parameters in this list are immediately visible in the Administration Console interface. Some options will appear/disappear in the table according to the selection made via the option Server Type. The following pages detail the Authentication Server parameters according to common parameters, and Server Type-specific parameters (those marked with * are mandatory):


Common Parameters

Server Type: Server type selection (AD, LDAP, RADIUS, SAP ID, SAP Logon Ticket, or SQL Database).
LoginModuleControlFlag: The flag controls the Server's behavior when it proceeds down the authentication stack. For a detailed explanation, refer to the documentation of javax.security.auth.login.Configuration on the Sun Website. NOTE: this option cannot be changed.
Application Name*: An application name is the identifier of the group of authentication modules associated with one instance of the SECUDE Secure Login Server (SLS). There can be only one instance of a particular authentication module residing in a JVM. However, there may be multiple SLS instances running on the JVM. Therefore, the group of authentication modules used by an instance of SLS is assigned a unique application name for identification. Different SLS instances running on the same Server must have different application names. The default name is: SLSJaasModule
TestUserName: Test user username. Use this option to set up a user to test the Server parameters.
TestUserPwd: Test user password. Use this option to set up a user to test the Server parameters.
TryAllServers: Determines when to try the next LDAP/ADS Server in the list. Possible values: FALSE (default): Try the next Server only if this Server cannot be reached. TRUE: Try the next Server if this Server cannot be reached, or access is denied.

LDAP/AD-specific Parameters

LdapHost*: The address of the LDAP Server. This option is for the configuration of the LDAP Server (including the Windows Active Directory Server). For example: ldap://my.host.com:389 (if SSL is used for the communication, the protocol should be changed to ldaps:// and the port number should be changed to 636). NOTE: A TrustStore must exist for SSL to be configured properly.
[option name missing in source]: The domain name of the LDAP Server, for example: my.domain.com (NOTE: The LdapBaseDN parameter is not needed for Active Directory Servers; leave it empty). This specifies the base domain name that will be combined with the user name before sending it to the Active Directory Server. Example 1 (domain part of UPN): If set to my.domain.com, the user test is authenticated as test@my.domain.com with the respective Server. Example 2 (complete DN): If set to cn=$USERID,ou=Users,dc=domain,dc=com the user test is authenticated as cn=test,ou=Users,dc=domain,dc=com to the respective Server.
LdapBaseDN (LDAP only): Click Get baseDN list to browse the LDAP directory for the correct Base Distinguished Name. The following pop-up window will appear:

Figure 6-14 add Authentication Server get baseDN

The following options are available (options marked with a red * are mandatory):

Host name*: The host name of the LDAP Server.
Port*: The port of the LDAP Server.
Username*: The username used to communicate with the LDAP Server.
SSL: Check this option to use the SSL protocol when communicating with the LDAP Server. If you use SSL in the communication, the protocol should be ldaps:// and a valid certificate is required.
Anonymous bind: Check this option to query the LDAP Server without a specific username (managerDN) and password (provided that the LDAP Server is so configured).
managerDN (manager distinguished name): Specific username.
password: The password used to communicate with the LDAP Server.
Base DN (Base Distinguished Name): Click Get baseDN list to query the LDAP Server for a list of base distinguished names to be displayed in the combo-box.
Get baseDN list: After you have entered the above parameters click Get baseDN list to obtain the base DNs from the LDAP Server.

LdapTimeout(ms): Determines how long a Client should wait for a response from an LDAP/ADS Server before trying to connect to the next one.
LdapProviderLanguage: Character set for the encoding of the characters when the Server communicates with the LDAP/ADS Server. For example: in the case of ADS, a possible character set is ISO-8859-1.
PasswordExpirationAttribute: Password expiry date (from the LDAP Server). NOTE: If this option is used, the LdapBaseDN attribute must be given in complete DN form (see above).
PasswordExpirationGracePeriod: Defines the interval in days, inside which the password expiration warning is sent to the Client prior to password expiry.
AuthServerID: The warning message to be sent to the Client in the event of password expiry.

RADIUS-specific Parameters

RadiusServerIP*: The IP address of the RADIUS Server.
AuthPort*: The authentication port at which the RSA/RADIUS Server expects to be queried for authentication requests.
SharedSecret*: A word/phrase used to encrypt the user password.
Timeout(ms): Determines how long a request to a Server is to wait before being sent to the next Server.
Authenticator: Authentication protocol for the RSA/RADIUS Server. Possible options: CHAP, MSCHAP, PAP.
PinMin: Minimum PIN length for users choosing a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 4
PinMax: Maximum PIN length for users choosing a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 8
PinAlphanumeric: PIN format. This parameter is only used with RSA SecurID tokens. Possible values: true: the user can choose, and use, a PIN which contains only alphanumeric characters (A-Z, a-z, 0-9). false (default): the user can choose, and use, a PIN which contains alphanumeric and special characters (such as !$%&). The default password policy for RSA allows only numeric PINs, which cannot be set up via the Secure Login Server/Client policy properties.
RSAServerIniFile: If the RSA Server version is 6.1, a copy of the RSA Server RADIUS message *.ini file (securid.ini) has to be present. Make sure you enter the full path and file name, for example: <Tomcat home>\Webapps\securelogin\WEB-INF\securid.ini
Add new attributes (button): Use this option to enter any RADIUS attribute present in the Client's dictionary and which the Server expects to be included in the request. For further information refer to section 9.2.4.2 on page 257.
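The two LdapBaseDN forms documented in the LDAP/AD table above (domain part of a UPN, or a complete DN template containing $USERID) and the TryAllServers setting from the common parameters decide what name the Server binds with and how far down the Server list a failed attempt travels. The following is an added example, not SECUDE code: the function names are my own, the outcome callable stands in for a real LDAP bind, and the DN escaping is this example's own precaution (the manual does not say whether the product escapes the user name before substituting it into the template).

```python
# Added example (not SECUDE code): bind-name derivation from LdapBaseDN and the
# TryAllServers walk through the configured Server list.


def ldap_dn_escape(value: str) -> str:
    """Escape a user-supplied value so it cannot change the structure of a DN (RFC 4514).

    Treating $USERID as untrusted input is this example's own choice; a name such as
    "a,ou=Admins" must end up as a single escaped RDN value, not as an extra RDN.
    """
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.endswith(" "):                 # trailing space must be escaped
        out = out[:-1] + "\\ "
    if out[:1] in ("#", " "):             # leading '#' or space must be escaped
        out = "\\" + out
    return out


def bind_name(ldap_base_dn: str, userid: str) -> str:
    """Example 2 of the manual (template containing $USERID) yields a complete DN;
    otherwise Example 1 applies and the value is the domain part of a UPN."""
    if "$USERID" in ldap_base_dn:
        return ldap_base_dn.replace("$USERID", ldap_dn_escape(userid))
    return f"{userid}@{ldap_base_dn}"


UNREACHABLE, DENIED, OK = "unreachable", "denied", "ok"


def authenticate(servers, outcome_of, try_all_servers=False):
    """Walk the Server list the way TryAllServers is documented.

    FALSE (default): move to the next Server only when this one cannot be reached.
    TRUE: also move on when this Server denies access.
    'outcome_of(server)' stands in for the real bind and returns UNREACHABLE, DENIED
    or OK.  Returns (final result, list of Servers actually contacted).
    """
    contacted, last = [], UNREACHABLE
    for server in servers:
        contacted.append(server)
        last = outcome_of(server)
        if last == OK or (last == DENIED and not try_all_servers):
            break
    return last, contacted
```

With TryAllServers=TRUE a wrong password is presented to every directory in the list rather than stopping at the first that denies it, so each configured directory records a failed bind (and counts it towards any lockout threshold) for a single user mistake; keep the default unless the directories really hold disjoint user populations.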

SAP ID-specific Parameters

SAP Server: IP or URL of the SAP Server.
Client (System ID): SAP System ID.
SystemNo: SAP System Number.
SAPaccount: The SAP user account name for the SECUDE Secure Login Server.
SNCServerName: The DN of the SAP Server, as stated in the Server certificate. The subject DN of the X.509 certificate. For example: p:CN=SAP NetWeaver 2004, O=secude, C=DE
NativeLibraryPath: The folder of the native libraries and the SECUDE signon&secure package.
CREDDIR: The credentials directory on the Server. The field is grayed-out because it is automatically allocated by the system. However, the credentials directory can be changed via the Server Configuration node (see section 6.1.4.1 on page 126).
PasswordMin: This parameter is part of the password policy for the Client side policy consistency check, specifically the minimum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 1
PasswordMax: This parameter is part of the password policy for the Client side policy consistency check, specifically the maximum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 30
PasswordAlphanumeric: This parameter is part of the password policy for the Client side policy consistency check. Possible values: true (default): the password can contain only alphanumeric characters (A-Z, a-z, 0-9). false: the password can contain alphanumeric and special characters (such as !$%&). This parameter must be consistent with the SAP password policy.


SAP Logon Ticket-specific Parameters

VerificationName: Name of the SAP Verification PSE that has been exported from the SAP NetWeaver Portal.
VerificationPassword: Password of the SAP Verification PSE. PSEs usually have no password if exported from the portal. However, enter any value here in this case, e.g. empty.

SQL DB-specific Parameters

DBDriver: Java Database Connection driver for the respective database system.
DBURI: Host, port, and name of the database to be used.
DBAuthUsername: Database system user name to be used to send search queries in the configured table.
DBAuthPassowrd: Database system user's password.
SetDBScheme: Select whether to use predefined names of table and columns or custom values. If predefined values are used, the JAAS module uses Java precompiled statements for the SQL connection and queries, which may increase performance. false (default): use predefined values as described in the following fields. true: use custom values; more configuration fields are shown then.
DBTable: Database table name to be used. Only available if SetDBScheme is true.
DBColumnUsername: Database column name in which usernames are stored. Only available if SetDBScheme is true.
DBColumnPassword: Database column name in which passwords are stored. Only available if SetDBScheme is true.
DBColumnClientID: Database column name in which Client IDs are stored. Only available if SetDBScheme is true.
PoolName: Name of the connection pool to be used. This can be any unique string identifier, for example: MYSECURELOGINPOOL
MaxConn: Maximum number of connections to the database that shall be used in parallel.
GrantAccessToUnknownIDs: Turn on or off Positive False Authentication. false (default): only exact matches of the given credentials return positive results. true: combinations of usernames and Client IDs that are not found in one row also return a positive result; the password is ignored then.

TestUserName: Test user username. Use this option to set up a user to test the Server parameters.
TestUserPwd: Test user password. Use this option to set up a user to test the Server parameters.

Change the Order in which Servers are Queried

1. If you have not already done so, click the Authentication Management node from the tree in the left-hand pane.
2. Click the Server entry you wish to move below the Servers in SLSJaasModule heading.

Figure 6-15 Authentication Server Manager change Server query order

3. To move the Server entry up in the list (and therefore increase its priority) click Up. To move a Server entry down in the list (and therefore decrease its priority) click Down.
4. Click Save.

Quick Test the Communication to the Authentication Server

1. If you have not already done so, click the Authentication Management node from the tree in the left-hand pane.
2. Enter the username and password in the respective fields:

Figure 6-16 Authentication Server Manager test Server

3. Click Test.
4. A result (success/failure) will be displayed at the bottom of the page.
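Of the SQL DB parameters listed earlier in this section, GrantAccessToUnknownIDs deserves a closer look: with the value true, a username/Client ID pair that is found in no row returns a positive result without any password check. The following is an added example, not SECUDE code, that reproduces the two documented behaviours against an in-memory SQLite table. The table and column names stand in for the predefined scheme (the manual does not state the predefined values), the two sample users are constructed, and storing passwords as salted PBKDF2 digests is this example's own choice.

```python
import hashlib
import hmac
import os
import sqlite3

# Added example (not SECUDE code).  Names below stand in for the predefined scheme
# used when SetDBScheme=false; the real predefined values are not documented here.
TABLE, COL_USER, COL_PWD, COL_CLIENT = "sls_users", "username", "password", "clientid"
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-SHA256 digest, stored as '<salt hex>$<digest hex>' (my own format)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed sample users (Client IDs 100 and 200)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} ({COL_USER} TEXT, {COL_PWD} TEXT, {COL_CLIENT} TEXT)")
    conn.executemany(
        f"INSERT INTO {TABLE} VALUES (?, ?, ?)",
        [("alice", hash_password("s3cret"), "100"), ("bob", hash_password("hunter2"), "200")],
    )
    return conn


def authenticate(conn, username, password, client_id, grant_access_to_unknown_ids=False) -> bool:
    """Mirror the documented GrantAccessToUnknownIDs semantics.

    The lookup is a parameterised (precompiled) statement, so the user name and Client ID
    never become part of the SQL text.  false: only an exact row match plus the correct
    password succeeds.  true: a username/Client ID pair found in no row is granted access
    and the password is not checked at all ("Positive False Authentication").
    """
    row = conn.execute(
        f"SELECT {COL_PWD} FROM {TABLE} WHERE {COL_USER} = ? AND {COL_CLIENT} = ?",
        (username, client_id),
    ).fetchone()
    if row is None:
        return grant_access_to_unknown_ids
    return verify_password(password, row[0])
```

The last assertion a defender cares about is the one the default protects: with the option at false, alice cannot log on to Client ID 200 even with her correct password, and nobody can log on with an unknown name. With true, any name absent from the table is accepted for any Client ID with any password, so that setting should only be used where the table is deliberately not the authority for those IDs, and successful logons for names outside the table should be reviewed.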

6.1.6 TrustStore Management

This section details how to add certificates to the TrustStore via the Administration Console.

Open the TrustStore Management Page

1. Click the TrustStore Management node in the left-hand pane of the Administration Console.
2. The following page will appear:

Figure 6-17 Administration Console TrustStore Management page

The TrustStore is used to declare a certificate as coming from a trusted source so that it can be used with SECUDE Secure Login. You can use this page to view the TrustStore file content, export a certificate, delete a certificate, and add new certificates. This page will display the current state of the TrustStore, including the message No certificate currently in this TrustStore to indicate that a certificate must still be added to the TrustStore.

The following options are available (options marked with * are mandatory):

Certificate alias*: The alias by which this certificate will be imported into the Server's TrustStore.
Certificate location: The certificate location. Select one of the following locations (this will cause the third option to change accordingly): Localhost*: The path to a certificate in the local file system. PublicURL*: The LDAP CA available via a public URL.
Add to TrustStore: Add the certificate information to the TrustStore.
Delete: Use this button to remove the selected certificate from the TrustStore (only visible if a certificate has been added to the TrustStore).
Export: Use this button to export the selected certificate from the TrustStore (only visible if a certificate has been added to the TrustStore).


Add a Certificate to the TrustStore

Follow these steps to add a certificate to the TrustStore:

1. Enter an alias for the certificate into the Certificate alias field.
2. Select the location on which the certificate is stored from the Certificate Location combo-box. The field below will change according to your selection (Localhost or PublicURL).
3. If you selected PublicURL in the previous step then enter the location manually into the field. If you selected LocalHost in the previous step then click Browse to locate and open the certificate file.
4. Click Add to TrustStore. This will update the page to display the certificate information under the Certificate Alias heading (if you have more than one certificate then select a Certificate alias to display the certificate content). You now have the option to add another certificate, delete any certificate selected in the Certificate alias field, or export any selected certificate as a *.cer file.


6.1.7 Certificate Template

This section details the Certificate Template page of the Administration Console. Use the functionality on this page to perform any certificate template-related task.

Open the Certificate Template Page

1. Click the Certificate Template node in the left-hand pane of the Administration Console.
2. The following page will appear:

Figure 6-18 Administration Console - Certificate template management

Existing certificate templates will automatically appear in the table. The following options are available to help you perform certificate template-related tasks:

Template name: Templates created by the user, and available for use, are listed here.
Add: Add a new certificate template. This will take you to the template creation page (see section 6.1.7.1 Create a New Certificate Template on page 144).
Copy: Duplicate the selected template. This will take you to the template creation page (see section 6.1.7.1 Create a New Certificate Template on page 144).
Edit: Edit a selected template. This will take you to the template creation page (see section 6.1.7.1 Create a New Certificate Template on page 144).
Delete: Delete a template selected in the list.
Mapping: Map any template to another. For further information see section 6.1.7.2 Template Mapping on page 146.
Export: Export the template(s) as an XML file. If you select more than one template to export then all of the templates will be incorporated into a single XML file. For further information see section 6.1.7.3 Export Certificate Templates on page 147.
Import: Import templates found on the local machine/network to the list. For further information see section 6.1.7.4 Import Certificate Templates on page 148.

6.1.7.1 Create a New Certificate Template

This section details how to create a new certificate template.

Open the Certificate Template Page

1. If you have not already done so, click the Certificate Template node in the left-hand pane of the Administration Console.
2. Click Add. The following information will appear:

Figure 6-19 Certificate template management - create new certificate template

This page is used to select the properties a certificate template should use. The following properties are available (options marked with * are mandatory):

Property: Details
Template name*: The unique template identifier.
SubjectKeyIdentifier: Use this option as a means of identifying the specific public key used in an application.
AuthorityKeyIdentifier: Use this option as a means of identifying the public key corresponding to the private key that is used to sign a certificate.
CertificatePolicies: This option indicates the policy under which the certificate has been issued and the purposes for which the certificate may be used. Checking this option will open a mandatory field for the policy ID (enter the ID and click Add under the CertificatePolicies.OID field).
KeyUsage: This option defines the purpose of the key contained in the certificate, for example encipherment, signature, or certificate signing.
ExtendedKeyUsage: This option defines the extended purpose of the key contained in the certificate. Check Is Critical? to make sure that any extended key usage parameter is needed in the certificate for communication to be successful.
BasicConstraints: This option defines whether the subject of the certificate is a certificate authority and how deep a certification path may exist through that certificate authority. Click this option to open the following sub-options:
  Is critical?: Click Is Critical? to make sure that the basic constraints parameter is needed in the certificate for communication to be successful.
  Is CA?: Click Is CA? to define if the subject of the certificate is a certificate authority. When clicked, the path length field opens; enter for how many levels the constraints are valid.
Private Extensions: Add a user-specific extension to the template. Click Add to open the Create Private extension input page:

Figure 6-20 Certificate template creation - add private extensions

This page has the following options:
Extension name*: The unique name for this extension.
Base64/DER encoded data*: The content of the private extension in base64/DER encoding.
Add: Add the information from the fields above to the certificate template (this will also take you back to the Create Certificate Template page).
Reset: Clear the fields of any entries.

3. Select the options that you wish to use in the template and click Save.
4. The certificate template page will reappear (see section 6.1.7 on page 143).
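The BasicConstraints sub-options and the Base64/DER private extension field above map directly onto DER structures; the following added example (not SECUDE's code, standard library only) encodes and decodes those structures so an administrator can check what a template setting actually puts into a certificate, and validates that a pasted Base64/DER blob is well-formed before it is saved. The OID constant and field names are from RFC 5280, not from any SECUDE API.

```python
"""
Added example, not SECUDE's code: build and check the DER value behind the
BasicConstraints sub-options ("Is CA?", path length, "Is critical?") and
validate a "Base64/DER encoded data" blob entered for a private extension.
Standard library only; no SECUDE API is assumed.
"""
import base64

# id-ce-basicConstraints (2.5.29.19), already DER-encoded as an OBJECT IDENTIFIER
BASIC_CONSTRAINTS_OID = b"\x06\x03\x55\x1d\x13"


def _der_len(n: int) -> bytes:
    """Definite-form DER length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """DER INTEGER with minimal two's-complement content octets."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)
    return b"\x02" + _der_len(len(body)) + body


def encode_basic_constraints(is_ca: bool, path_len=None) -> bytes:
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER (0..MAX) OPTIONAL }   (RFC 5280, 4.2.1.9)
    DER never encodes a DEFAULT value, so cA=FALSE is simply omitted."""
    if path_len is not None and (not is_ca or path_len < 0):
        raise ValueError("pathLenConstraint requires cA=TRUE and a value >= 0")
    body = b"\x01\x01\xff" if is_ca else b""
    if path_len is not None:
        body += _der_int(path_len)
    return b"\x30" + _der_len(len(body)) + body


def encode_extension(oid_der: bytes, critical: bool, value_der: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }. The "Is critical?" flag lives here, not in the value."""
    body = oid_der + (b"\x01\x01\xff" if critical else b"")
    body += b"\x04" + _der_len(len(value_der)) + value_der
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def decode_basic_constraints(der: bytes) -> dict:
    """Parse a BasicConstraints value, rejecting non-DER or inconsistent encodings."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    result, pos = {"is_ca": False, "path_len": None}, 0
    if pos < len(body) and body[pos] == 0x01:
        _, val, pos = _read_tlv(body, pos)
        if val != b"\xff":                 # FALSE must be omitted under DER
            raise ValueError("non-DER BOOLEAN encoding")
        result["is_ca"] = True
    if pos < len(body) and body[pos] == 0x02:
        _, val, pos = _read_tlv(body, pos)
        result["path_len"] = int.from_bytes(val, "big", signed=True)
    if pos != len(body):
        raise ValueError("unexpected trailing data in BasicConstraints")
    if result["path_len"] is not None and (not result["is_ca"] or result["path_len"] < 0):
        raise ValueError("pathLenConstraint without cA=TRUE, or negative")
    return result


def check_private_extension_data(b64_text: str) -> bytes:
    """Validate the "Base64/DER encoded data*" field: strict base64 decoding to
    exactly one DER TLV. Returns the raw DER bytes on success."""
    try:
        der = base64.b64decode(b64_text, validate=True)
    except ValueError as exc:              # binascii.Error is a ValueError subclass
        raise ValueError("field is not valid base64") from exc
    if not der:
        raise ValueError("empty extension data")
    _, _, end = _read_tlv(der, 0)
    if end != len(der):
        raise ValueError("trailing bytes after the DER value")
    return der
```

A template with Is CA? set and path length 0 therefore yields the value 30 06 01 01 ff 02 01 00; ticking Is critical? changes only the surrounding Extension wrapper, which is why a relying party that does not understand the extension will reject the certificate.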

145

SECUDE Secure Login 5.1 Installation, Administration and Usage Manual

6.1.7.2 Template Mapping

This section details how to map certificate templates on a Server instance.
1. If you have not already done so, click the Certificate Template node in the left-hand pane of the Administration Console.
2. Select the template you wish to map.
3. Click Mapping. The following information appears:

Figure 6-21 Certificate template management - template mapping #1

4. Check the radio button of the template which you wish to map to another template.
5. Click Mapping. The following information appears:

Figure 6-22 Certificate template management - template mapping #2

The options on this page allow you to map templates and also to delete a template mapping. The following options are available:

Option: Details
Server Instance (non-editable): The name of the current Server instance.
SAP Server certificate template: The templates available for mapping to SAP certificates.
User certificate template: The templates available for mapping to user certificates.

6. Select a certificate from the User certificate template combo-box (if a user certificate has not yet been created, there will not be any certificates listed in the combo-box).
7. Select a certificate from the SAP Server certificate template combo-box.
8. Click Save.

Disable a Certificate Template Mapping

Follow these steps to disable an existing certificate template mapping:
1. Select the (Default) entry from the SAP Server certificate template and User certificate template combo-boxes:

Figure 6-23 Certificate template management - disable template mapping

2. Click Save.

6.1.7.3 Export Certificate Templates

This section details how to export certificate templates as an XML file.
1. Click the Certificate template node in the Administration Console.
2. The Certificate template management page will appear.
3. Click Export to open further options:

Figure 6-24 Certificate template management - export template

The following options are available:

Option: Details
[Combo-box]: Select which template(s) to export. Selected template: for single template export (the correct template must be pre-selected from the list above). All templates: export every template in the list.
Export: Execute the export procedure.
Cancel: Close these options.

4. If you want to export a specific template, preselect it from the list, select Selected template from the combo-box, and click the bottommost Export button. If you want to export all the templates, select All templates from the combo-box and click the bottommost Export button.

Only a single XML file will be exported. If you selected All templates from the combo-box, all of the certificate templates will be incorporated into this single XML file.

6.1.7.4 Import Certificate Templates

This section details how to import certificate templates into the Certificate template management page.
1. Click the Certificate template node in the Administration Console.
2. The Certificate template management page will appear.
3. Click Import to open further options:

Figure 6-25 Certificate template management - import template

The following options are available:

Option: Details
Browse: Open a file browser to locate a certificate template XML file.
Import: Execute the import procedure.
Cancel: Close these options.

4. Click Browse to open a file browser.
5. Locate a certificate template XML file and open it.
6. Click the bottommost Import button. A success/error message will appear on the page.

6.1.8 System Check

This section details the System Check page of the Administration Console. This feature displays the status of the system configuration (i.e. are the components necessary for Secure Login functionality actually present?). This is similar to the initial page (prerequisite check) shown when first configuring Secure Login.
1. Click the System Check node in the Administration Console.
2. The following page will appear:

Figure 6-26 Administration Console - System Check

This page displays the current status of the Secure Login system configuration for Authentication, System components, SAP ID, Server list, and TrustStore. The status, or version number, will be displayed next to each entry. For information about problems with system components refer to chapter 7 Troubleshooting, on page 211. The following system components are listed on this page:

Component: Sub-component/details
Authentication: Is authentication configured correctly? OK = yes.
Other System Check:
  Files and folders: Does the file system have read/write permissions?
  SECUDE SDK: Check for the location of the SECUDE SDK.
  IAIK SDK: Check for the location of the IAIK SDK and display its version number.
  PKCS#12 file creation: Check if a *.p12 certificate can be created.
  PSE file creation: Check if the PSE certificate can be created.
  JRE Crypto Policy: Check if a long password can be used to create a certificate. If the check fails, you may need to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from http://java.sun.com/javase/downloads/ and replace the local_policy.jar and US_export_policy.jar files in the directory %JAVA_HOME%/jre/lib/security.
SAP ID Check:
  SECUDE SNC runtime: Check for SECUDE Signon&Secure on the Server.
  SAP JCO runtime: Check that the JCO can be found in the configuration. Sometimes this check does not show the real status of the system, especially if SECUDE Signon&Secure and JCO are installed after a system check has been performed. The user may need to restart the Web Server to receive a successful system check result.
Server List: Does the Server List configuration have the correct integrity?
TrustStore: Does the TrustStore configuration have the correct integrity?

6.1.9 Backup/Restore

Introduction

This section details the Backup/Restore page of the Administration Console. Use this page to back up your Secure Login system configuration for safekeeping, or to restore the Secure Login system configuration from a backup file.

Sections

- Backup (see below).
- Restore (see section 6.1.9.2 System Restore, on page 152).

6.1.9.1 System Backup

This page allows you to make a backup of the current configuration and PKI information and also to restore the configuration from a previous backup. The system backup page will appear by default. Follow these steps to create a backup of the configuration:
1. If you have not already done so, click the Backup/Restore node from the tree in the left-hand pane (or, if you are on the Restore page, click Backup at the top of the page):

Figure 6-27 Administration Console - system backup

2. Click Go.
3. The following pop-up window appears:

Figure 6-28 System backup - file download

4. Click the backup.zip link at the bottom of the page and save the file to a safe, secure location.

6.1.9.2 System Restore

The Administration Console presents you with two methods to restore the system:
- From a backup file (see below).
- Directly from the automatic backups made by the Server (refer to the page after next).
The configuration can only be restored from a backup ZIP file created using version 5.0 of the Secure Login Administration Console.

Restore from a Backup File

Follow these steps to restore the configuration from a backup file:
1. If you have not already done so, click the Backup/Restore node from the tree in the left-hand pane.
2. Click the Restore tab at the top of the page. The following page will appear:

Figure 6-29 System restore - from backup file

3. Click Browse to open the file browser. Locate and open a backup.zip file (see section 6.1.9.1 System Backup on page 151). The file path will appear next to the Browse button.
4. Click Select files to restore to display the log files within the ZIP file:

Figure 6-30 System restore - select exact files to restore

The files within the backup file will be displayed according to priority. Some files cannot be deselected (must-select files) because they will be needed if the configuration is to work correctly. The following files are displayed:

File: Mandatory/optional: Details
Configuration.properties: Mandatory. This is the main configuration file.
Serverlist.xml: Mandatory. This file contains a list of the Server instances and also which Server is currently active.
SLSJaasModule.login: Optional. This file contains the configuration details for the Authentication Servers.
Cert_template.xml: Optional. This file contains all of the certificate templates and certificate template mappings.
TrustStore.jks: Optional. This file contains the Secure Login TrustStore mappings to certificates.
user.xml: Optional. This file contains a list of users.
role.xml: Optional. This file contains a list of Secure Login administrator roles.
Instances: Optional. Any number of Server instances may be visible under Instances. Check a specific Server instance if you want to restore information such as the Authentication Server configuration or the Secure Login user CA KeyStore etc.

Depending on when the last backup was created, the information in the backup files may not be the same as in the previously functioning version (e.g. the users and roles registered with Secure Login at the time of the backup may differ because newer roles have been added since the backup was created).
5. Check the files you wish to restore.
6. Click Upload and restore. If successful, the message "Restore configuration and PKI information successful" will appear at the bottom of the page.
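A pre-restore check over the file list in the restore table, as an added example (not the manual's or SECUDE's code): it classifies the entries of a backup.zip into mandatory, optional and per-instance files before anything is uploaded, so a backup that lacks a mandatory file is caught early. Standard library only; the sample archive is constructed inline, and the Instances/<instance id>/... layout inside the ZIP is an assumption.

```python
"""
Added example, not part of the SECUDE manual: a pre-restore check for a
Secure Login backup.zip, driven by the mandatory/optional file list in the
restore table above. Standard library only. The sample archive is
constructed inline; the Instances/<instance id>/... layout is an assumption.
"""
import io
import zipfile

MANDATORY = ("Configuration.properties", "Serverlist.xml")
OPTIONAL = ("SLSJaasModule.login", "Cert_template.xml", "TrustStore.jks",
            "user.xml", "role.xml")


def inspect_backup(zip_bytes: bytes) -> dict:
    """Classify the entries of a backup archive without extracting anything.

    Reports missing mandatory files (the restore page will not let you
    deselect them, so a backup lacking them is unusable), the optional files
    present, the Server instances found under Instances/, entry names that
    would escape the target directory on extraction, and anything unexpected.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    present = set(names)
    instances = sorted({n.split("/")[1] for n in names
                        if n.startswith("Instances/") and n.count("/") >= 2})
    unsafe = [n for n in names
              if n.startswith("/") or "\\" in n or ".." in n.split("/")]
    return {
        "missing_mandatory": [f for f in MANDATORY if f not in present],
        "optional_present": [f for f in OPTIONAL if f in present],
        "instances": instances,
        "unsafe_entries": unsafe,
        "unknown_entries": [n for n in names
                            if n not in MANDATORY and n not in OPTIONAL
                            and not n.startswith("Instances/")],
    }


def restore_ready(report: dict) -> bool:
    """True when every mandatory file is there and no entry is path-unsafe."""
    return not report["missing_mandatory"] and not report["unsafe_entries"]


def build_sample_backup(include_serverlist: bool = True, extra_entries=()) -> bytes:
    """Constructed sample archive using the file names from the manual's table."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Configuration.properties", "# constructed sample\n")
        if include_serverlist:
            zf.writestr("Serverlist.xml", "<servers/>\n")
        zf.writestr("Cert_template.xml", "<templates/>\n")
        zf.writestr("role.xml", "<roles/>\n")
        # assumed per-instance layout, one folder per Server instance
        zf.writestr("Instances/default/SLSJaasModule.login", "")
        zf.writestr("Instances/qa01/SLSJaasModule.login", "")
        for name in extra_entries:
            zf.writestr(name, "")
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_backup(build_sample_backup())
    print(report, "ready:", restore_ready(report))
```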

Restore from Automatic Backups

Follow these steps to restore the configuration from automatic backups made by the Server:
1. If you have not already done so, click the Backup/Restore node from the tree in the left-hand pane.
2. Click the Restore tab at the top of the page. The following page will appear:

Figure 6-31 System restore - from system backup

The Select restore files button (at the bottom of the page) is only active if you have already performed a backup to a file (every time a file backup is performed, the Secure Login system will automatically make a duplicate backup for direct-restore purposes).
3. Click Select restore files at the bottom of the page. The following options will appear:

Figure 6-32 System restore - select restore files from automatic backups

For information about each of the files refer to the previous page.
4. Check the files you wish to restore.
5. Click Restore directly to restore the files.

6.1.10 Change Language

This section details the Change Language page of the Administration Console. This feature only changes the GUI language of the Administration Console! To change the language, select the desired language from the drop-down menu.

Figure 6-33 Administration Console - change language

Select a language from the list and click Change language. The changes will take effect immediately.

6.1.11 Message Setting

This section details the Message setting page of the Administration Console. The message files are used to relay specific Server messages to a Secure Login administrator. Use the Message setting page to:
- view the current message files available in the configuration
- create a new message file in an alternate language
- edit the messages in an existing message file

Open the Message Settings Page

1. If you have not already done so, click the Message setting node from the tree in the left-hand pane.
2. The following page will appear:

Figure 6-34 Administration Console - message setting page

Use the options on this page either to edit an existing message file, by selecting the respective language from the list (ServerMsg_<country abbreviation>.properties) and clicking Edit, or to create a new messages file in a language of your choice by clicking New....

Create a new Messages File / Edit Messages

Follow these steps to create a new Server messages language file:
1. Click New.
2. The following page will appear:

Figure 6-35 Message setting - create new Server messages language file

3. Select a language from the combo-box and click Create new file (take note of the file extension in readiness for the next step, for example fr for French).
4. The message properties file will appear in the list.
5. Select the new entry from the list (take note of the file extension, see above) and click Edit.
6. The following information will appear:

Figure 6-36 Message setting - edit new Server messages language file

The Server messages are listed alphabetically in the default language. Edit the message text in each field to conform to the appropriate language.
7. Once the entries have been changed, click Save.
8. Depending on which application Server you use, either stop and then restart the Server, or stop and restart the Secure Login application.

Delete a Server Messages File

Follow these steps to delete a Server messages language file:
1. The message settings files are stored in the Secure Login Web-applications directory of the application Server, for example (Tomcat): <Tomcat home>\Webapps\securelogin\WEB-INF\classes
2. Remove the desired Server messages file. For example: ServerMsg_af.properties

Only remove Server message property files that are either not currently in use or when the application Server is not running. Make sure you remove the correct message file (the extension denotes the language, for example ServerMsg_af.properties for Afrikaans).

6.1.12 SSS&JCO Installation

This section details the preparation for Secure Login to run with SAP ID- or SAP Logon Ticket-based logon and authentication. This includes the installation of the SECUDE Signon&Secure crypto libraries (SSS), the SECUDE license file, the SAP libraries, and the PSE files. Follow these steps to install the necessary components for SAP ID-based logon:
1. If you have not already done so, click the SSS&JCO installation node from the tree in the left-hand pane.
2. The following page will appear:

Figure 6-37 Administration Console - SSS&JCO installation > locate SSS package

This page informs you not only about the current status of the signon&secure installation, but also represents the first of five steps needed to prepare Secure Login for SAP ID- or SAP Logon Ticket-based logon. If the bullet icons for each Setup Step are green, signon&secure has already been successfully installed. If some, or all, bullet points are red, the signon&secure installation has not yet been successful. You can click each Setup Step to go directly to that step and perform any tasks. For example, if you want to load a license file (ticket.snc) for Web Client ticket management, but do not need a signon&secure installation, you can click the step Install ticket to load the license file onto the Server.
3. Click Browse to locate and open the package (ZIP) file (delivered in the Native Components package) applicable to your system.
4. Click Upload to deploy the package to Secure Login. A success message should appear.
5. Click Next to move on to the ticket installation:

Figure 6-38 SSS&JCO installation - locate ticket

6. Click Browse to locate and open the ticket file (ticket.snc).
7. Click Upload to deploy the ticket to Secure Login. A success message will appear.
8. Click Next to move on to the JCO PSE configuration:

Figure 6-39 SSS&JCO installation - configure JCO PSE

9. This page allows you to install and configure the SNC PSE file (JCO/RFC connection to the SAP Server). The following options are available:

Field: Details
Setup type: From local: load a PSE file generated by an application other than the Administration Console. From SLAC: load a PSE file generated by the Administration Console.
PSE file (From local only): The path to the PSE file. Click Browse to locate and open the PSE file.
PSE password: The password for PSE file access.

10. Select a Setup type and locate the PSE file accordingly.
11. Click Upload to deploy the PSE to Secure Login. A success message should appear.
12. Click Next to move on to the SAP Logon Ticket configuration:

Figure 6-40 SSS&JCO installation - configure SAP Login Ticket

13. Click Browse next to each field to locate and open the following files:

Field: File to locate
Verification PSE: Windows and Linux/UNIX: verify.pse (or similar). Usually, this file can be downloaded from the SAP NetWeaver Portal or from the SAP ABAP STRUST transaction.
Library file SAPSECU (native): For Windows: sapsecu.dll. For Linux/UNIX: libsapsecu.so.
Library file SAPSSOEXT (native): For Windows: sapssoext.dll. For Linux/UNIX: libsapssoext.so.

Due to legal restrictions, the SAPSECU and SAPSSOEXT libraries are not part of the Secure Login delivery package. The libraries can be downloaded from http://service.sap.com/connectors (requires SAP account). For further information please contact SECUDE support.
14. Select a Setup type and locate the PSE file accordingly.
15. Click Upload to deploy the PSE and library files to Secure Login. A success message should appear.
16. Click Next to move on to the JCO installation (if you are using SAP NetWeaver, ignore this step and move on to step 15):

Figure 6-41 SSS&JCO installation - install JCO

17. Click Browse next to each field to locate and open the following files:

Field: File to locate
Library file sapjco.jar: Windows and Linux/UNIX: sapjco.jar
Library file LIBRFC (native): For Windows: librfc32.dll. For Linux/UNIX: librfccm.so.
Library file SAPJCO (native): For Windows: sapjcorfc.dll. For Linux/UNIX: libsapjcorfc.so.

Due to legal restrictions, the SAP JCO libraries are not part of the Secure Login delivery package. The libraries can be downloaded from http://service.sap.com/connectors (requires SAP account). For further information please contact SECUDE support.
18. Click Upload to deploy the SAP JCO components to Secure Login. A success message should appear.
19. Click Check to finish the signon&secure and JCO installation for Secure Login. This will take you to the System Check page to verify the installation (see section 6.1.8 on page 149).
20. Depending on which application Server you use, either stop and then restart the Server, or stop and restart the Secure Login application.

6.1.13 Server Status

This section details the System Status page of the Administration Console. Use this page to view the current status of the PSE Server.
1. If you have not already done so, click the System Status node from the tree in the left-hand pane of the Administration Console.
2. The following page will appear:

Figure 6-42 Administration Console - System status of PSE Server

The system status is displayed as a table containing the following details:

Criteria: Details
Date: Current date and time.
Version: Version of SECUDE Secure Login Server being used.
Uptime: The amount of time the Server has remained active and running.
Instance ID: The identity of the current Server instance.
Configuration URL: Location of the configuration.properties file.
Configuration Status: configuration.properties file permission status (i.e. readable or not readable). OK = readable.
Server Lock: Server lock status. If the entry Yes appears, it means that Secure Login has encountered a problem. In such a case, check the Server Information pane in the top left-hand corner for tasks yet to be performed, as well as the log files for possible problems. An Unlock button will appear next to the table entry (providing the administrator role has the necessary permissions). Once any problems have been resolved, click Unlock to start the Server.
PSE Server status: OK = working.
Server Build: SECUDE Secure Login Server version.

6.1.14 Sign Certificate Requests

This section details how to submit a certificate request to a certificate authority via the Administration Console. This function is only valid for the default PKI and therefore for the default Server instance. If you create a new PKI, including an SSL CA, in a non-default instance, you cannot use that SSL CA to sign certificates. You can only use the SSL CA of the default instance.

Follow these steps to submit a PKCS#10 certificate request to the CA:
1. If you have not already done so, click the Signed certificate requests node from the tree in the left-hand pane.
2. The following page will appear:

Figure 6-43 Administration Console - Submit a Certificate Request page

The following options are available (options marked with * are mandatory):

Option: Details
Base 64 encoded certificate request (PKCS #10): The content of the private extension in base64/DER encoding. There are two ways of filling this field:
  - Copy & paste: Paste the request into the Saved request field.
  - Enter a path to the certificate: Click Browse for a file to insert to reveal the Full path name field. Click Browse to locate and open a certificate request. Click Read.
Valid period of Certificate*: The period of time for which the certificate is valid.
Certificate encoding type: The encoding type for the certificate: PEM encoding or DER encoding. NOTE: if you wish to sign the certificate for a WebLogic Server, the encoding type must be PEM.
Issuer password: The issuer password for the certificate file.

3. Enter the certificate request details as stated above and click Sign certificate (i.e. send to the SSL CA).

6.1.15 Console Log Viewer

This section details the Administration Console logging functionality. The log entries apply only to the administration actions performed via the Administration Console.
1. If you have not already done so, click the Console log Viewer node from the tree in the left-hand pane.
2. The Log management console log page will appear:

Figure 6-44 Administration Console - Instance log management > main page/monthly log page

This page displays all of the tasks performed via the Administration Console since logging began. This page allows you to:
- Select a period of time to view via the Log Month combo-box.
- Export log files to a *.csv file via the Export logs function. NOTE: This entry is only visible if log entries are present.

The monthly table contains the following information about the administration tasks:

Table column: Details
Date: The date the task was performed.
Time: The time the task was performed.
Code: The internal code of the task performed.
Level: An abbreviated description of the message, i.e. INF for information, or ERR for error.
User: The name of the user/administrator that performed the action.
Action: A quick description of the action, for example EDIT or OTHER.
Server: The Server instance(s) to which the action was directed.
Description: A description of the message/task.

6.1.16 Web Client Configuration

This section details the configuration settings for the Secure Login Web Client. For information about how to install and use the Web Client refer to chapter 5 on page 109.
1. If you have not already done so, click the WebClient Configuration node from the tree in the left-hand pane.
2. The WebClient Management page will appear, by default displaying the Properties Configuration tab:

Figure 6-45 Web Client configuration - main page/monthly log page

The following options apply to the Properties Configuration tab (options marked with * are mandatory):

Option: Details
Web Client Application Path:
  WebClientConfigPath*: The full path to the Secure Login Web Client directory. Click Change to manually enter the full path.
    - Tomcat: <Tomcat home>\Webapps\SlsWebClient
    - NetWeaver: <NetWeaver home>\apps\secude.com\SecureLogin\servlet_jsp\SlsWebClient\root
  TomcatSharedPath: The path to the Tomcat shared directory. This is usually <Tomcat home>\shared
  Click Save to confirm the entries. NOTE: until a valid Web Client application path is entered, the tabs Message Settings, Package Management, and HTML Settings remain hidden.
Common Configuration: Click Edit to change the following properties:
  WSURL: The URL of the Secure Login service.
    - Tomcat uses: http://<hostname:port>/axis2/services/secureloginservice
    - NetWeaver uses: http://<hostname>:<port>/SecureLoginService/Config1?style=document
  LOGONURL: Address of the SAP portal to perform a login with in case of SAP Login Ticket authentication: http://<hostname:port>/irj/portal
  PORTALURL: Address to be called after successful authentication, e.g. if the Client certificate shall be used: https://<hostname:sslport>/irj/portal
  AUTHENTICATIONSCHEME: The SAP Portal scheme to be used for authentication.
  ACTION: The Web Client's action to be performed after successful authentication:
    - Start local SAPGUI (either SAPGUI for Windows or SAPGUI for Java)
    - Open SAP Portal Web page
    - Both
    - Nothing
  PackURL: The name of the directory in which the subfolders WIN32, MAC_UNI etc. are stored (the original files can be located in the WebClient subdirectory of the delivery package SECUDE51SecureLoginNativeComponents.zip). Each of the subfolders contains the SECUDE libraries, licence file, and version file. For example, the Windows files needed are: ComSecudeUtil.dll, secude.dll, ticket.snc, version.txt.
  SAPLogon.slsinstance: The SLS instance identifier to be used for authentication when launching only the SAPGUI, without login to a specific Server.
  Cleanup Temporary Files: This option determines if the temporary files are deleted after the Web session has ended. The following entries are possible:
    - no [default]: Do not delete files created on the Client side after logout. Keep this value if the Web Client opens a new Web page (PORTALURL is set).
    - user: All user files are deleted when the Web Client or the browser is closed. This includes the user's soft-tokens.
    - full: This option will remove all Client files, including the SNC library and the user settings.
  Client Logging: This option determines if logging is performed. The Web Client log file can be located under:
    - Windows XP: C:\Documents and Settings\<user>\secudesnc
    - Windows Vista and 7: C:\Users\<user>\secudesnc
    - Mac OS: /Users/<user>/secudesnc
    - Linux: /home/<user>/secudesnc
    The following entries are possible:
    - no [default]: No Client log file will be created and no logging is performed.
    - temp: The Client creates a log file for each login session. The log file is deleted when the Web Client is closed.
    - keep: The Client's log file is never deleted.
SAP GUI Management: Use this part of the page to add new SAP Servers to the configuration, view and edit current SAP Servers, and delete any Server from the configuration. For further information refer to the next section.
Platform Configuration: Configure the individual Web Client properties for each platform. For further information refer to section 6.1.16.2 on page 169.
6.1.16.1 Web Client Management for SAP GUI

This section details the Web Client Management page of the Administration Console. For information about how to install and use the Web Client refer to chapter 5 on page 109.
1. If you have not already done so, click the Web Client Configuration node from the tree in the left-hand pane. The Web Client Management page will appear.
2. Either click Servers Management > Add to create a new Server entry, or select an existing Server from the Servers Management list and click Edit. The following page will appear:

Figure 6-46 Web Client configuration - Servers management page

The following options are available:

Option/parameter: Details
SAP GUI for Java:
  Label: Arbitrary text describing this Server.
  Host: The SAP NetWeaver ABAP IP address or hostname.
  Port: Port number used by the Server. The default for the ABAP stack is 3200.
  SNCname: The SNC name. For example: p:CN=sapnw01,OU=QA,O=SECUDE,C=DE
SAP GUI for Windows:
  shortcut.Name: The SAP Server identifier used in multi-instance configurations.
  shortcut.Description: The name of the Server profile in the SAPGUI for Windows (in SAPGUI this is the "description" field). This is THE essential reference to the Server profile for Windows-SAPGUI.
Instance ID this Server used: The instance identifier to be used by this Server.
Save: Save any changes made via this page.

3. Enter the necessary values and click Save to confirm the entries.
6.1.16.2

Web Client - Platform Configuration


This section details the platform configuration page for the Secure Login Web Client. For information about how to install and use the Web Client refer to chapter 5 on page 109. 1. 2. 3. If you have not already done so, click the Web Client Configuration node from the tree in the left-hand pane. The Web Client Management page will appear. Select a platform from the Platform Configuration list and click Edit. The following page will appear:

Figure 6-47 Web Client configuration platform configuration page

The Platform Configuration page may appear in slightly different forms according to whichever platform was chosen under the Platform Configuration option in the main Web Client Management page:
- Windows: The options to select the SAP GUI for the Java-based Client as well as the stand-alone Client are available.
- Mac OSX/Linux: Only the option to select the SAP GUI for the Java-based Client is available.

The following options are available:

Option: SAP GUI for Java (appears for all platforms)
Details:
- Binary name of SAP GUI tool:
  SAP.start.binary: The application name of the SAP GUI for Java. Windows: guistart.bat; Mac OSX: SAPGUI; Linux: guistart
  SAP.logon.binary: The application name of the SAP logon frontend. Windows: guilogon.bat; Mac OSX: SAPGUI; Linux: guilogon
  To enter a different binary name, simply enter a new name in the respective field and click Save.
- Search Path for SAP GUI: The path used by the Web Client to locate the Java binaries. Click Add to open a secondary field and manually enter the path to the Java binaries for each one. Click Save to confirm the entry.

Option: SAP GUI for Windows (appears for Windows only)
Details:
- Binary name of SAP GUI tool:
  SAP.start.binary: The application name of the SAP GUI for Windows. Windows: sapgui.exe
  SAP.logon.binary: The application name of the SAP logon frontend. Windows: saplogon.exe
  To enter a different binary name, simply enter a new name in the respective field and click Save.
- Search Path for SAP GUI: The path used by the Web Client to locate the Java binaries. Click Add to open a secondary field and manually enter the path to the Java binaries for each one. Click Save to confirm the entry.

Option: Supported OS
Details: The platforms for which the properties on this page are applicable. The platform name is listed along with the files required by each platform to function correctly. If you want to remove support for a specific platform (e.g. to remove 64-bit support from Windows), click Delete.

6.1.16.3 Message Settings

This section details the message settings for the Secure Login Web Client. For information about how to install and use the Web Client refer to chapter 5 on page 109.

1. If you have not already done so, click the Web Client Configuration node from the tree in the left-hand pane. The Web Client Management page will appear.
2. Click the Message Settings tab:

Figure 6-48 Web Client configuration message settings page

A list of language files for the messages will be displayed. You can now either:
- Click New to create a message file in a specific language (see below), or
- Select an existing message file from the list and click Edit to alter the messages for that language (refer to the next page).

Create a new Message File

1. Click New to create a message file in a specific language. A language selection bar will appear below the message list:

Figure 6-49 Web Client configuration create new message file

2. Select the language in which you want to create the messages from the combo-box and click Create New file.
3. The message file will be created using proprietary messages (in English) and will appear in the list:

Figure 6-50 Web Client configuration new message file in list

Select the message file from the list and click Edit.

4. The message properties page will appear:

Figure 6-51 Web Client configuration edit message properties

Translate or alter each message to the given context and click Save.

Edit an existing Message File

1. Select a message file from the list and click Edit.
2. The message properties page will appear:

Figure 6-52 Web Client configuration edit message properties

Translate or alter each message to the given context and click Save.
6.1.16.4 Package Management

This section details package management for the Secure Login Web Client. Use this page to consolidate the files necessary for Web Client operation. For information about how to install and use the Web Client refer to chapter 5 on page 109.

1. If you have not already done so, click the Web Client Configuration node from the tree in the left-hand pane. The Web Client Management page will appear.
2. Click the Package Management tab:

Figure 6-53 Web Client configuration package management page

The following options and table columns are available:
- Platform name: Select the platforms for which you want to consolidate files. This displays the appropriate processor-specific information for each platform.
- Package name: The name of the package corresponding to the processor type.
- Version: The Web Client version.
- Filename in the package: A list of files currently in the package.
- Missing files: A list of missing files needed for the package to run.
- File path: Click Browse to locate and load each individual file for the package preselected in the list.
- Upload: Load either the ZIP file containing the native components, or individual native component files (located and opened via Browse), into the platform-specific package.
- Remove All: Remove all of the Web Client files from a pre-selected package.
- Synchronize Ticket: Synchronize the license file (ticket.snc) used for the signon&secure/JCO installation to all the operating system packages. This applies even if you do not implement SAP ID authentication. For further information refer to section 6.1.12 on page 158.

3. Select a platform from the combo-box and click Browse to locate either the complete Native Components ZIP file, or any missing Native Component files for each operating system/processor type necessary for the configuration. The SECUDE libraries (ComSecudeUtil, secude) and the version file can be located in the file SECUDE51SecureLoginNativeComponents.zip delivered with the Secure Login package (optionally, the license file (ticket.snc) can also be loaded in this manner; see step 5 below).
4. Click Upload to load each file individually into the package.
5. As an optional step, to save time loading the license file (ticket.snc) into each of the operating system packages, you can click Synchronize Ticket to perform this task automatically.
6.1.16.5 HTML Settings

This section details the HTML settings for the Secure Login Web Client. Use this page to customize the messages and/or look of the Web Client pages. For information about how to install and use the Web Client refer to chapter 5 on page 109.

1. If you have not already done so, click the Web Client Configuration node from the tree in the left-hand pane. The Web Client Management page will appear.
2. Click the HTML Settings tab:

Figure 6-54 Web Client configuration HTML settings page

A list of language files for the GUI will be displayed. You can now either:
- Click New to create a language file in a specific language (see below), or
- Select an existing language file from the list and click Edit to alter the HTML pages for that language (refer to the next page).

Create a new Language File

1. Click New to create HTML pages for the Web Client. A language selection bar will appear below the list:

Figure 6-55 Web Client configuration HTML settings > create new language file

2. Select the language in which you want to create the messages from the combo-box and click Create New file.
3. The new language file will be created using proprietary files (in English) and will appear in the list:

Figure 6-56 Web Client configuration HTML settings > select language file to edit

Select the language file from the list and click Edit.

4. The HTML editor page will appear:

Figure 6-57 Web Client configuration HTML settings > edit language files

The following options are available:

HTML pages:
- InitApplet.html: This is the initial page to be called by the Web Client. This page performs a Java check as well as a communication timeout and user preferences check.
- SNCAppletAuth.html: This is the main Web Client page containing the logon form and the configurable Server list. If you do not want to support direct login to SAP Servers but only the launching of SAP logon, you can change the HTML template of this main page.
- SNCAppletNewpin.html: This is the page for new PIN entry, applicable to RSA and SAP ID. If Secure Login Server JAAS authentication modules of the types RSA or SAP ID are configured, users may have to change their passwords. This page is for this purpose.
- SNCAppletNexttoken.html: This is the page for a new token entry, applicable to RSA Server requests. If the Secure Login Server RSA JAAS authentication module is configured, the RSA Server may request a new token code. This page is for this purpose.
- SNCAppletSaplogon.html, SNCAppletSapstart.html: One of these pages will appear if the SAP GUI binary tools configured on the Server side cannot be found on the Client computer. The pages prompt the user to specify which SAP GUI executable is to be used. Once specified, this parameter is stored, together with the Client computer's hostname, in the configuration file user.properties in the user's home directory.

Buttons:
- Save: Save any changes made in the HTML editor pane.
- Reset: Reset any changes to those in the previously saved version of the template.
- Preview: Preview the HTML code in your Web browser.

5. Select the template you want to edit from the left-hand pane and edit the HTML code as necessary. Repeat for any further templates (remember to click Save after completing each template to save the changes for each one).

Edit an existing Language File

1. Select a language from the list and click Edit.
2. The HTML editor page will appear:

Figure 6-58 Web Client configuration HTML settings > edit language files

Refer to the previous page for a list of the options available on this page.

3. Select the template you want to edit from the left-hand pane and edit the HTML code as necessary. Repeat for any further templates (remember to click Save after completing each template to save the changes for each one).
6.2 Email Report&Alert Configuration

1. Define the settings of the E-Mail Server account:

Figure 6-59 Email Report&Alert configuration Email Server Setting

2. Enter the account details:
- Specify the name or IP address of the SMTP Server.
- Specify the username and password of the SMTP user.
- Specify the E-Mail address of the sender.
- Specify the E-Mail address of the default receiver.
- Optionally, specify a text signature to be appended to mails.

3. Select System Alert Settings and/or Log Alert Settings:

Figure 6-60 Email Report&Alert configuration System Alert Setting

- Select the Check and Send Email check box.
- Define the desired check interval.
- Select the items to be monitored in order to provide a report, or check All.
- Click Send Email to Default if the receiver is to be the default one already defined, or specify the receiver in the edit box.
6.3 Instance Management

This section details the Instance Management page of the Administration Console. Instance Management is the main hub that allows you to switch between Server instances to configure each one (i.e. to configure a specific Server instance you must first open this page and switch to it). Follow these steps to configure Server instances:

1. If you have not already done so, click the Instance management node from the tree in the left-hand pane.
2. The following page will appear:

Figure 6-61 Administration Console instance management

This page displays all of the Server instances in the Secure Login configuration. The red * next to the instance name marks the current Server instance. This page has the following options:

Area: Instance information list
Options + details:
- ServerName: The name of the instance. Click Edit to change the Server name.
- ID: The ID of the instance. This is also the name of the folder in which this instance's configuration files are stored.
- Server Root Path: The path to this instance's folder.
- Status: The active status of this instance. An inactive instance is shown in gray.
- Lock: The status of the Server instance (locked/unlocked).

Area: Buttons
Options + details:
- Add: Add a new Server instance. This starts a wizard to help you through the creation process. For further information about the creation process refer to section 3.6.3 on page 63.
- Edit: Edit the name of the selected Server instance. To use this function, check the Server instance you wish to edit and click Edit. Enter the new name in the new page and click Save.
- Active: Activate a selected Server instance. If a Server instance entry is grayed out, it has been deactivated. Use the Active function to re-activate the Server instance.
- Inactive: Deactivate a selected Server instance. This function should only be used when a Server instance needs to be deactivated for maintenance or for a temporary task.
- Unlock: Unlock a Server instance. A Server instance may be locked if, for example, log files can no longer be written.
- Delete: Delete the selected Server instance. All the configuration files of this instance will also be deleted.
6.3.1 Instance Configuration

This section details the Instance Configuration page of the Administration Console. The node can be recognized as <Server name> Configuration or DefaultServer Configuration in the navigation tree. This page displays the configuration of the current instance and allows you to:
- View a Server configuration pre-selected in the Instance Management page.
- Edit the Server configuration.

Follow these steps to view and configure Server instances:

1. If you have not already done so, click the Instance management node from the tree in the left-hand pane to select the Server instance you wish to view/edit (see section 6.3). The following page will appear:

Figure 6-62 Administration Console Instance Configuration page (extract)

This page displays an overview of the Secure Login Server configuration properties.

2. Click Edit in the top right-hand corner to edit the following parameters:

Option: Authentication Server configuration
Can be edited? No
Details/Value:
- JaasModule: The JAAS login module to be used with this Server instance.

Option: SECUDE Secure Login UserCA KeyStore
Can be edited? No
Details/Value:
- PseType: Type of PSE used by the Server to sign the generated certificates.
- PseName: The path to the PSE file.

Option: User Certificate Configuration
Can be edited? Yes
Details/Value: These values are used to generate Client certificates. As a result, all Client certificates have the same country, locality, organization, and organizational unit values; they are distinguished by their common name, which is not set here.
- DN.xxx: Information used to identify the Clients for the SECUDE Secure Login Server. Use a mix of letters, digits, and special characters.
- ValidityMinutes: The amount of time, in minutes, for which a Client certificate is valid.
- ValidityOffset: Time offset in minutes relative to the Server system time for the certificates to start being valid.
- UseUPN: Use the User Principal Name.

Option: Certificate Template Configuration
Can be edited? No
Details/Value: The following options cannot be edited in this page. For details about how to set these options refer to section 6.1.7 on page 143: CertificateName, CertificateFormat, SerialNumberPolicy, StandardExtension, PrivateExtension, KeyUsage, ExtendedKeyUsage.

Option: Log Configuration
Can be edited? No
Details/Value: The following options cannot be edited in this page. For details about how to set these options refer to section 6.3.4.2 on page 195.
- EnableLog: Is logging enabled?
- DailyLogPrefix: The file prefix for daily logs.
- DailyLogDir: The directory for daily log storage.
- MonthlyLogPrefix: The file prefix for monthly logs.
- MonthlyLogDir: The directory to which the monthly log files are saved.
- LogMaxSize: The maximum size for the log file directory (all log files) in gigabytes.
- LogRotationSize: The maximum size a log file may reach before archiving.
- LogCleanDays: The interval, in days, after which the next log cleanup starts.

Option: Other Server Configuration
Can be edited? All except LockDir are editable
Details/Value:
- LockInstanceOnTransactionLogFailure: Lock the Server instance should the transaction log fail (for example, when the log file can no longer be written due to lack of disk space). Yes = lock the Server; No = do not lock the Server.
- LockDir: The directory in which the lock file will be placed. This requires a path to a valid folder to which the Server has write access. If the value is a valid directory path but the folder does not exist, it will be created (if the path is not valid, or the Server has no write access, no lock file can be created and the Server cannot be locked). NOTE: Changing the lock directory value requires a Server restart.
- maxSessionInactiveInterval: Specifies the time, in seconds, between Client requests before the servlet container invalidates the session. This is applicable only in challenge mode (PIN change etc.).
- AdminServletHeader: The header text displayed on the status page (used by the StandardServlet status page; not used by the Administration Console GUI).
- AdminServletTrailer: The footer text displayed on the status page (used by the StandardServlet status page; not used by the Administration Console GUI).

Option: User-defined properties
Can be edited? Yes
Details/Value: Any properties defined by the Server administrator are listed here. To add a new property click Edit, navigate to the bottom of the page, click Add, then enter the property name in the first field and its value (for example false or true) in the second field. Click Delete to remove an administrator-defined property from the configuration.

3. Once you have made changes to the Server instance, click Save to apply them to the Server configuration.

6.3.2 Customizing With User-Defined Properties

This section details Secure Login features that assist an administrator by means of user-defined properties.

Contents
- Section 6.3.2.1 Alternative User Name from LDAP Directory, page 181
- Section 6.3.2.2 Length of Username in Certificate, page 183
- Section 6.3.2.3 Username Configuration for SQL JAAS Module, page 183

6.3.2.1 Alternative User Name from LDAP Directory

This section details how to configure an LDAP or Active Directory Server attribute value to be used instead of the user name given by the Client. This may be useful if the SAP SNC user names and the authenticated user names (e.g. from a Windows domain) are not the same.
Each instance may have its own configuration.

1. Open the Instance configuration in Edit mode as described on page 179.
2. Scroll down to the bottom and add a set of User-defined properties:

Figure 6-63 User-defined properties sample LDAP attribute configuration

The following properties are available (properties marked with * are mandatory; n is the index of the Server in the ordered list defined by LdapReadServers):
- LdapReadServers*: Number of LDAP Servers that are configured here. A numeric value is expected that must be 1 or higher. The given value is used as n to define an ordered list of Servers that are called in a fail-over manner. Keep empty to disable all configured Servers.
- LdapReadAttributen*: The LDAP attribute that shall be used instead of the given user name. A simple text value is expected.
- LdapReadUrln*: The LDAP Server that shall be used to retrieve that attribute.
- LdapReadTimeoutn: Connection timeout in seconds.
- LdapReadDomainn*: For Active Directory: LDAP domain to be appended to the given user name if it is not a User Principal Name. If the name is already in UPN format, the property is ignored.
- LdapReadUsern*: LDAP user to open the LDAP session (bind user).
- LdapReadPassn*: LDAP password of the bind user. Warning: This password is displayed and stored in clear text. It is recommended to use an LDAP user with read-only permissions.
- LdapReadBaseDNn*: LDAP search base / sub tree to be used to search for the given user name.

The user certificate's common name (CN) gets the value of LdapReadAttribute if there is an LDAP entry for the given user and the attribute LdapReadAttribute exists and contains a text value. Otherwise, the CN is generated as usual.

For protected communication to the directory Server, LDAP/SSL may be configured. In this case, the existing trust store of the Secure Login Server is used.
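The resolution described above, as an added example that is not part of this manual or of SECUDE's code: it reads the LdapRead* property set, builds the ordered fail-over list, appends LdapReadDomain where the name is not yet a UPN, and substitutes the CN only when an entry with a non-empty attribute value exists. It runs against a constructed in-memory directory instead of a live LDAP Server. Assumptions not stated on the page: Server indices start at 1, a name containing "@" is already a UPN, fail-over happens only when a Server is unreachable (the first reachable Server's answer is final), the timeout default of 30 seconds, and the attribute name sapUserId.

```python
"""Resolve the certificate CN via the LdapRead* user-defined properties.

Added example, not SECUDE code. Models the behaviour described in the
manual against a constructed in-memory directory (no live LDAP).
Assumptions: n starts at 1; a name containing '@' is a UPN; fail-over
only on an unreachable Server; timeout default 30 s; attribute 'sapUserId'.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class DirectoryUnavailable(Exception):
    """A configured LDAP Server could not be reached (triggers fail-over)."""


@dataclass
class LdapReadServer:
    attribute: str   # LdapReadAttribute<n>
    url: str         # LdapReadUrl<n>
    domain: str      # LdapReadDomain<n>
    user: str        # LdapReadUser<n> (bind user)
    password: str    # LdapReadPass<n> (stored in clear text by the console)
    base_dn: str     # LdapReadBaseDN<n>
    timeout: int     # LdapReadTimeout<n>, seconds


def parse_ldap_read_properties(props: Dict[str, str]) -> List[LdapReadServer]:
    """Build the ordered fail-over list; an empty LdapReadServers disables it."""
    raw = props.get("LdapReadServers", "").strip()
    if not raw:
        return []
    count = int(raw)
    if count < 1:
        raise ValueError("LdapReadServers must be 1 or higher")
    servers = []
    for n in range(1, count + 1):          # assumption: 1-based index
        def mandatory(key: str) -> str:
            value = props.get(f"LdapRead{key}{n}", "")
            if not value:
                raise ValueError(f"mandatory property LdapRead{key}{n} is missing")
            return value
        servers.append(LdapReadServer(
            attribute=mandatory("Attribute"), url=mandatory("Url"),
            domain=mandatory("Domain"), user=mandatory("User"),
            password=mandatory("Pass"), base_dn=mandatory("BaseDN"),
            timeout=int(props.get(f"LdapReadTimeout{n}", "30") or 30)))
    return servers


def to_upn(user_name: str, domain: str) -> str:
    """Append the domain unless the name already is a User Principal Name."""
    return user_name if "@" in user_name else f"{user_name}@{domain}"


Lookup = Callable[[LdapReadServer, str], Optional[str]]


def resolve_cn(user_name: str, servers: List[LdapReadServer], lookup: Lookup) -> str:
    """CN for the certificate: the attribute value if found, else the user name."""
    for server in servers:
        try:
            value = lookup(server, to_upn(user_name, server.domain))
        except DirectoryUnavailable:
            continue                            # fail over to the next Server
        return value if value else user_name    # no entry / empty attribute: as usual
    return user_name                            # no Server reachable: CN as usual


def clear_text_password_properties(props: Dict[str, str]) -> List[str]:
    """LdapReadPass<n> properties present; the console stores these in clear text,
    so their bind users should have read-only permissions."""
    return sorted(k for k in props if k.startswith("LdapReadPass"))


# Constructed sample: two Servers, the first one is down.
SAMPLE_PROPERTIES = {
    "LdapReadServers": "2",
    "LdapReadAttribute1": "sapUserId", "LdapReadUrl1": "ldap://dc1.example.test",
    "LdapReadDomain1": "example.test", "LdapReadUser1": "cn=reader,dc=example,dc=test",
    "LdapReadPass1": "constructed-secret", "LdapReadBaseDN1": "dc=example,dc=test",
    "LdapReadTimeout1": "5",
    "LdapReadAttribute2": "sapUserId", "LdapReadUrl2": "ldap://dc2.example.test",
    "LdapReadDomain2": "example.test", "LdapReadUser2": "cn=reader,dc=example,dc=test",
    "LdapReadPass2": "constructed-secret", "LdapReadBaseDN2": "dc=example,dc=test",
}

CONSTRUCTED_DIRECTORY = {
    "ldap://dc1.example.test": None,                    # unreachable
    "ldap://dc2.example.test": {
        "jdoe@example.test": {"sapUserId": "JDOE01"},   # attribute set
        "asmith@example.test": {"sapUserId": ""},       # attribute empty
    },
}


def constructed_lookup(server: LdapReadServer, upn: str) -> Optional[str]:
    """Stand-in for an LDAP search below server.base_dn; returns the attribute value."""
    entries = CONSTRUCTED_DIRECTORY.get(server.url)
    if entries is None:
        raise DirectoryUnavailable(server.url)
    entry = entries.get(upn)
    return None if entry is None else entry.get(server.attribute)


if __name__ == "__main__":
    servers = parse_ldap_read_properties(SAMPLE_PROPERTIES)
    for name in ("jdoe", "asmith", "nobody", "jdoe@other.test"):
        print(name, "->", resolve_cn(name, servers, constructed_lookup))
    print("clear-text passwords in:", clear_text_password_properties(SAMPLE_PROPERTIES))
```

Running it shows jdoe resolving to JDOE01 through the second Server after the first one fails, while asmith (empty attribute) and nobody (no entry) keep their given names, which is the "CN is generated as usual" branch.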

6.3.2.2 Length of Username in Certificate

SAP user IDs have a maximum length of 12 characters, which needs to be considered by SNC X.509 certificates. The default behaviour of Secure Login Server 5.1 is to cut any user name value to this length in the CN field of issued certificates. This default length may be customized.

- MaxUserNameLength: Maximum number of characters a user name in the CN field may have. If the given user name is longer, it is cut from the right side. Default value: 12. Sample: SCHWARZENEGGER is cut to SCHWARZENEGG with default settings.
- UserNamePaddingLength: If user names in the CN field need a fixed or minimum length, padding can be turned on. The padding length sets the minimum length of user names. Default value: None.
- UserNamePaddingChar: The padding character is used to fill user names on the left side if their size is smaller than the configured padding length. Default value: None. Sample: ARNOLD is extended to 00ARNOLD with UserNamePaddingLength=8 and UserNamePaddingChar=0.

6.3.2.3 Username Configuration for SQL JAAS Module

Depending on the username/Client ID schema used for database authentication, some special configuration properties may be needed to define which user name is put into the certificate. This only needs to be considered if the Secure Login Client sends compound username values.

- UseQualifiedName: If true, the full received username value is taken for the user certificate's CN field. If false, only the user ID part before the separator is taken, and UserNameSeperator must be set to a non-blank value to apply this property. Default value: true.
- UserNameSeperator: String of one or more characters that separates the username and the Client identifier sent by the Secure Login Client. If configured, DBColumnClientID must also be configured in the SQL JAAS module. Default value: None. Sample: USER001#CLIENT999 is split to USER001 with UseQualifiedName=false and UserNameSeperator=#.
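The CN rules of sections 6.3.2.2 and 6.3.2.3 carried through in code, as an added example that is not part of this manual or of SECUDE's code. It reproduces the three samples from the tables (SCHWARZENEGGER, ARNOLD, USER001#CLIENT999) and adds the configuration checks an administrator would want before saving. The page does not state the order in which the Server applies the rules; splitting on the separator first and padding last is this example's assumption, as is treating a blank value like an unset property. The property name UserNameSeperator is spelled as on the page.

```python
"""Derive the certificate CN from the user name sent by the Client.

Added example, not SECUDE code. Applies UseQualifiedName / UserNameSeperator,
then MaxUserNameLength, then UserNamePaddingLength / UserNamePaddingChar.
The order is this example's assumption; the page does not state it.
"""
from typing import Dict, List

SAP_USER_ID_MAX = 12   # stated on the page: SAP user IDs have at most 12 characters


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def strip_client_id(user_name: str, props: Dict[str, str]) -> str:
    """UseQualifiedName=false keeps only the part before UserNameSeperator."""
    if _is_true(props.get("UseQualifiedName", "true")):
        return user_name
    separator = props.get("UserNameSeperator", "")
    if not separator.strip():      # page: the separator must be non-blank to apply
        return user_name
    return user_name.split(separator, 1)[0]


def truncate(user_name: str, props: Dict[str, str]) -> str:
    """MaxUserNameLength cuts from the right; default 12."""
    max_len = int(props.get("MaxUserNameLength", "") or SAP_USER_ID_MAX)
    return user_name[:max_len]


def pad(user_name: str, props: Dict[str, str]) -> str:
    """Left-pad to UserNamePaddingLength with UserNamePaddingChar; both are needed."""
    length = props.get("UserNamePaddingLength", "").strip()
    char = props.get("UserNamePaddingChar", "")
    if not length or not char:
        return user_name
    return user_name.rjust(int(length), char[0])


def certificate_cn(user_name: str, props: Dict[str, str]) -> str:
    """Full pipeline (order assumed): split, cut, pad."""
    return pad(truncate(strip_client_id(user_name, props), props), props)


def check_properties(props: Dict[str, str]) -> List[str]:
    """Configuration findings an administrator would want before saving."""
    findings: List[str] = []
    max_len = int(props.get("MaxUserNameLength", "") or SAP_USER_ID_MAX)
    pad_len = props.get("UserNamePaddingLength", "").strip()
    if max_len > SAP_USER_ID_MAX:
        findings.append(f"MaxUserNameLength {max_len} exceeds the SAP user ID limit of {SAP_USER_ID_MAX}")
    if pad_len and int(pad_len) > max_len:
        findings.append(f"UserNamePaddingLength {pad_len} is larger than MaxUserNameLength {max_len}")
    if pad_len and not props.get("UserNamePaddingChar"):
        findings.append("UserNamePaddingLength is set but UserNamePaddingChar is not; no padding is applied")
    if not _is_true(props.get("UseQualifiedName", "true")) and not props.get("UserNameSeperator", "").strip():
        findings.append("UseQualifiedName=false has no effect without a non-blank UserNameSeperator")
    return findings


if __name__ == "__main__":
    print(certificate_cn("SCHWARZENEGGER", {}))                                       # SCHWARZENEGG
    print(certificate_cn("ARNOLD", {"UserNamePaddingLength": "8",
                                    "UserNamePaddingChar": "0"}))                      # 00ARNOLD
    print(certificate_cn("USER001#CLIENT999", {"UseQualifiedName": "false",
                                               "UserNameSeperator": "#"}))             # USER001
    print(check_properties({"UseQualifiedName": "false", "UserNamePaddingLength": "14"}))
```

Note the last call in the main block: with UseQualifiedName=false but no separator, the compound value USER001#CLIENT999 is not split and is simply cut to 12 characters, so the Client identifier leaks into the CN; the check reports exactly that misconfiguration.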

6.3.3 Client Configuration

This section details the Client configuration page of the Administration Console. Follow these steps to open the Client configuration:

1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.
2. The following page will appear:

Figure 6-64 Client configuration page

This page automatically opens on the Client Policy file management page. The following options are available (options marked with * are mandatory):
- Client Policy: Opens the Client policy management page (the default page).
- Applications: Opens the Applications management page. For further information see section 6.3.3.1 Application Management on page 184.
- Profiles: Opens the Profiles management page. For further information see section 6.3.3.2 Client Profile Management on page 187.
- Files download: Opens the Files download page. For further information see section 6.3.3.3 Files Download on page 190.
- Global Client Policy: Opens the Global Client Policy page. For further information see section 6.3.3.4 Global Client Policy on page 191.
- Policy URL*: Network resource URL from which the latest SECUDE Secure Login Client policy can be downloaded. Example: http://proxyurl.secude.com:3128
- Policy TTL*: The time (in minutes) that a policy remains valid.
- Network Timeout (s)*: The elapsed time (in seconds) before a connection is closed if the Server does not respond.
- Disable update policy on startup: Turn off automatic policy download and registration when the system service is started. false = update policy enabled; true = update policy disabled.

3. If necessary, edit the parameters and click Save to set the changes.

6.3.3.1 Application Management

This section details how to administer applications for the Client.

1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.
2. Click Applications. The following information will appear:

Figure 6-65 Client configuration Application Management page

The following options are available (options marked with * are mandatory):
- Client Policy: Opens the Client policy management page. For further information see section 6.3.3 Client Configuration on page 183.
- Applications: Opens the Applications management page (this page).
- Profiles: Opens the Profiles management page. For further information see section 6.3.3.2 Client Profile Management on page 187.
- Files download: Opens the Files download page. For further information see section 6.3.3.3 Files Download on page 190.
- Global Client Policy: Opens the Global Client Policy page. For further information see section 6.3.3.4 Global Client Policy on page 191.
- Application action: The action of the selected application. There are 3 types of action: clean, replace, or keep. Click Save to set the application action.
- Add Application: Add a new application (see next page).
- Edit: Modify a selected application (only applicable if an application is available in the Applications list). See below.
- Delete: Delete a selected application (only applicable if an application is available in the Applications list).

Add/Edit an Application

Follow these steps to add an application:

1. Click Add Application. The following information will appear:

Figure 6-66 Client configuration add an application

The following options are available (options marked with * are mandatory):
- Application name*: The name of the application.
- SAP Server: Select the SAP Server certificate for this policy. NOTE: this field only appears if you have created an SAP CA, plus certificate, in the Certificate Management page (see section 6.3.2.3 on page 183).
- PSEURI*: Application-specific PSE URI that is matched when a fitting profile is searched. For example: SNC/cn=SAP, o=SECUDE, c=DE or SNC/CN=Server*, ou=Strong. The wildcards * and ? can be used.
- Profile: The name of the security profile to be used for the application. The name must match the profile name in the Profiles section. The profile name * is used for the default security profile that is configured by the user (for example, the smart card profile). For further information about profiles see section 6.3.3.2 Client Profile Management on page 187.
- allowFavorite: Allow the user to select another profile as favorite for this SNC application context. false (default) = always use the configured profile; true = do not use the configured profile.

2. Enter the application parameters and click Save.
3. This will return you to the Applications page (see section 6.3.3.1 Application Management on page 184).
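How a PSEURI pattern selects the application entry and thus the profile, as an added example that is not part of this manual or of SECUDE's code. From the page: the PSEURI is matched "when a fitting profile is searched", the wildcards * and ? are allowed, and the Profile value must name an entry in the Profiles section or be * for the user's default profile. The first two patterns below are the page's own examples; the third application, the first-match-wins order, case-insensitive comparison, tolerance for spaces after the commas between DN parts, and the treatment of an unmatched context as the user default are this example's assumptions.

```python
"""Match an SNC application context to a configured application and its profile.

Added example, not SECUDE code. Assumptions: first matching application wins,
matching is case-insensitive and ignores whitespace around DN commas, and an
unmatched context (or profile "*") falls back to the user's default profile.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Application:
    name: str
    pse_uri: str            # PSEURI pattern, may contain * and ?
    profile: str            # profile name from the Profiles section, or "*"
    allow_favorite: bool = False


def _normalize(uri: str) -> str:
    """Lower-case and drop whitespace around the commas between DN parts (assumption)."""
    return ",".join(part.strip() for part in uri.split(",")).lower()


def pse_uri_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a PSEURI pattern with * and ? into an anchored regular expression."""
    pieces = []
    for piece in re.split(r"([*?])", _normalize(pattern)):
        if piece == "*":
            pieces.append(".*")
        elif piece == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(piece))
    return re.compile("^" + "".join(pieces) + "$")


def find_application(context: str, apps: List[Application]) -> Optional[Application]:
    """First application whose PSEURI pattern matches the SNC context, if any."""
    normalized = _normalize(context)
    for app in apps:
        if pse_uri_regex(app.pse_uri).match(normalized):
            return app
    return None


def profile_for(context: str, apps: List[Application], user_default: str = "*") -> str:
    """Profile to use for the context; "*" and an unmatched context give the user default."""
    app = find_application(context, apps)
    if app is None or app.profile == "*":
        return user_default
    return app.profile


def unresolved_profiles(apps: List[Application], profile_names: List[str]) -> List[str]:
    """Applications whose Profile value names nothing in the Profiles section (and is not *)."""
    return [a.name for a in apps if a.profile != "*" and a.profile not in profile_names]


# Constructed sample; the first two PSEURI patterns are the ones given on the page.
SAMPLE_APPLICATIONS = [
    Application("ERP production", "SNC/cn=SAP, o=SECUDE, c=DE", "smartcard"),
    Application("Strong auth Servers", "SNC/CN=Server*, ou=Strong", "strong"),
    Application("Any other SNC peer", "SNC/*", "*", allow_favorite=True),
]

if __name__ == "__main__":
    for ctx in ("SNC/CN=SAP,o=SECUDE,c=DE", "SNC/CN=Server07, ou=Strong", "SNC/CN=Dev, o=Lab"):
        app = find_application(ctx, SAMPLE_APPLICATIONS)
        print(ctx, "->", app.name if app else None, "/", profile_for(ctx, SAMPLE_APPLICATIONS, "usercard"))
    # Profiles section containing only "smartcard": the "strong" reference is dangling.
    print("unresolved:", unresolved_profiles(SAMPLE_APPLICATIONS, ["smartcard"]))
```

The unresolved_profiles check is the one worth running after editing: a Profile value that matches nothing in the Profiles section silently leaves that application without its intended security profile.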

6.3.3.2 Client Profile Management

This section details how to administer profiles for the Client.

1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.
2. Click Profiles. The following page will appear:

Figure 6-67 Client configuration Client profiles page

The following options are available (options marked with * are mandatory):
- Client Policy: Click to open the Client Policy Management page (the default page). For further information see section 6.3.3 Client Configuration on page 183.
- Applications: Click to open the Applications Management page. For further information see section 6.3.3.1 Application Management on page 184.
- Profiles: Click to open the Profiles Management page (this page).
- Files download: Opens the Files Download page. For further information see section 6.3.3.3 Files Download on page 190.
- Global Client Policy: Opens the Global Client Policy page. For further information see section 6.3.3.4 Global Client Policy on page 191.
- Profile action: The action of the profile. There are 3 types of action: clean, replace, or keep. Click Save to set the profile action.
- Add Profile: Add a new profile (see next page).
- Edit: Modify a selected profile (only applicable if a profile is available in the Profile list). See below.
- Delete: Delete a selected profile (only applicable if a profile is available in the Profile list).

Add/Edit a Client Profile

Follow these steps to add/edit a profile:

1. Click Add Profile.
2. The following page will appear:

Figure 6-68 Client configuration add/modify Client profile

The following options are available (options marked with * are mandatory):
- Profile name*: The name of the profile.
- PSEType: The type of profile. Possible values include: promptedlogin, windowslogin.
- EnrollURL0*: Secure Login URL that is used for authentication and certificate enrolment. The URL locates the Server instance that is valid for the Secure Login Client. For example: http://myServer.local/securelogin/PseServer?id=0001
- EnrollURL1: Fallback Secure Login URL if URL 0 fails. The URL locates the Server instance that is valid for the Secure Login Client. For example: http://myServer.local/securelogin/PseServer?id=0002
- HttpProxyURL: HTTP proxy to be used with the enrolment URLs. Only HTTP proxies without authentication and without SSL to the proxy are supported. Example: http://example.address.com:8888
- GracePeriod: The number of seconds that will expire before a certificate will automatically re-enroll. Default: 0
- InactivityTimeout: The number of seconds until an automatic logout is performed (due to mouse and keyboard inactivity). Possible values: > 1: the number of seconds of inactivity; -1: no single sign-on (SSO), each SNC connection forces a new login; 0 (default): no timeout, SSO without constraints.
- AutoReenrollTries: The number of failed authentications in a row until automatic re-enrolment is stopped. User name and password caching can be turned on to provide the automatic re-enrolment of certificates that are going to expire. Possible values: 0 (default): turn off; do not re-enroll automatically and do not cache user name and password; a re-enrolment must always be performed manually by the user. >0 (n): turn on with n tries to succeed; try to re-enroll a maximum of n times before either a new certificate is received or the user name and password cache is cleared. The error counter is reset on success. A manual re-enrolment is also possible. You can delete all cached credentials from memory (except those stored in the Secure Login Client system service) via the logout entry in the context menu of the SECUDE PSE service in the system tray. Deleting the cache of the windowslogin token has no effect, as the credentials can be retrieved from the Secure Login Client system service.
- KeySize: Key size of the newly generated RSA keys. Range: 512 to 16384. Default: 512
- ReUseKey: Defines if the RSA key is kept for the profile. If true, the RSA key is kept unless a manual logout is performed or the user process psesvc.exe is shut down. Default: false
- UniqueClientID: Customer-defined string. Default: NULL
- Network timeout (seconds): Network timeout (in seconds) before the connection is closed if the Server does not respond. Default: 45
- SSLHostCommonNameCheck: Applies to the SSL Server certificate; checks if the peer host name is given in its common name. Default: false
- SSLHostAlternativeNameCheck: Applies to the SSL Server certificate; checks the Server's SSL certificate for the correct DNS name in the Subject Alternative Names attribute. Default: false
- SSLHostExtensionCheck: Applies to the SSL Server certificate; checks if the peer's certificate has the extended key usage ServerAuthentication set. Default: false
- UseSslPse: If set to true, this parameter turns on the former SSL.PSE-based TrustStore for HTTPS. If set to false (default), the Microsoft CAPI is used for HTTPS trust.
- UserWarningPassword: Turn on/off a warning dialog box that appears before the user name and password are sent to the Secure Login Server. Default: false
- UserWarningMSIE: Turn on/off a warning dialog box that appears after a new certificate has been propagated to the Microsoft Crypto Store. NOTE: Microsoft Internet Explorer must be restarted. Default: false

3. Enter the profile parameters and click Save. This will return you to the Profiles page (see section 6.3.3.2 Client Profile Management on page 187).
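A check of a Client profile against the settings in the table above, as an added example that is not part of this manual or of SECUDE's code. The property names, documented defaults and value ranges are taken from the table; which values count as weak (the 512-bit default key size, all three SSL host checks off, no inactivity timeout, plain http:// enrolment URLs over which the user name and password travel) is this example's judgement. The two sample profiles are constructed; their EnrollURLs reuse the page's example host myServer.local. Assumed: values are the strings typed into the console, and an EnrollURL counts as unprotected unless it starts with https://.

```python
"""Lint a Secure Login Client profile for weak settings.

Added example, not SECUDE code. Property names, defaults and ranges are the
documented ones; the weakness thresholds are this example's. Sample
profiles are constructed. Assumption: values are console strings and an
EnrollURL is unprotected unless it begins with https://.
"""
from typing import Dict, List

DOCUMENTED_DEFAULTS = {
    "GracePeriod": "0", "InactivityTimeout": "0", "AutoReenrollTries": "0",
    "KeySize": "512", "ReUseKey": "false", "Network timeout (seconds)": "45",
    "SSLHostCommonNameCheck": "false", "SSLHostAlternativeNameCheck": "false",
    "SSLHostExtensionCheck": "false", "UseSslPse": "false",
    "UserWarningPassword": "false", "UserWarningMSIE": "false",
}
KEY_SIZE_RANGE = (512, 16384)     # documented range
RECOMMENDED_MIN_KEY_SIZE = 2048   # this example's threshold, not from the page


def _on(value: str) -> bool:
    return value.strip().lower() == "true"


def lint_profile(profile: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means no weak setting found."""
    p = {**DOCUMENTED_DEFAULTS, **profile}
    findings: List[str] = []

    for key in ("Profile name", "EnrollURL0"):            # mandatory per the table
        if not p.get(key, "").strip():
            findings.append(f"{key} is mandatory but not set")

    # The user name and password are sent to the Server at this URL (see UserWarningPassword).
    for key in ("EnrollURL0", "EnrollURL1"):
        url = p.get(key, "").strip()
        if url and not url.lower().startswith("https://"):
            findings.append(f"{key} does not use https://; credentials would travel unprotected")

    if p.get("HttpProxyURL", "").strip().lower().startswith("https://"):
        findings.append("HttpProxyURL uses https://, but only proxies without SSL are supported")

    size = int(p["KeySize"])
    if not KEY_SIZE_RANGE[0] <= size <= KEY_SIZE_RANGE[1]:
        findings.append(f"KeySize {size} is outside the documented range {KEY_SIZE_RANGE}")
    elif size < RECOMMENDED_MIN_KEY_SIZE:
        findings.append(f"KeySize {size} is below {RECOMMENDED_MIN_KEY_SIZE} bits "
                        "(the documented default of 512 is too small for RSA today)")

    if not (_on(p["SSLHostCommonNameCheck"]) or _on(p["SSLHostAlternativeNameCheck"])):
        findings.append("neither SSLHostCommonNameCheck nor SSLHostAlternativeNameCheck is true; "
                        "the Server certificate is not bound to the host name")
    if not _on(p["SSLHostExtensionCheck"]):
        findings.append("SSLHostExtensionCheck is false; the ServerAuthentication "
                        "extended key usage is not verified")

    timeout = int(p["InactivityTimeout"])
    if timeout == 0:
        findings.append("InactivityTimeout 0: SSO sessions never expire on inactivity")
    elif timeout < -1 or timeout == 1:
        findings.append("InactivityTimeout must be -1, 0, or greater than 1")
    return findings


# Constructed: a profile left at the documented defaults, with the page's example URLs.
WEAK_PROFILE = {
    "Profile name": "default-login",
    "PSEType": "promptedlogin",
    "EnrollURL0": "http://myServer.local/securelogin/PseServer?id=0001",
    "EnrollURL1": "http://myServer.local/securelogin/PseServer?id=0002",
}

# Constructed: the same profile with the weak settings corrected.
HARDENED_PROFILE = {
    **WEAK_PROFILE,
    "EnrollURL0": "https://myServer.local/securelogin/PseServer?id=0001",
    "EnrollURL1": "https://myServer.local/securelogin/PseServer?id=0002",
    "KeySize": "2048",
    "SSLHostCommonNameCheck": "true",
    "SSLHostAlternativeNameCheck": "true",
    "SSLHostExtensionCheck": "true",
    "InactivityTimeout": "900",
    "UserWarningPassword": "true",
}

if __name__ == "__main__":
    for label, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label)
        for finding in lint_profile(prof) or ["no findings"]:
            print("  -", finding)
```

Enabling the SSL host checks requires that the Server's SSL certificate actually carries the host name used in the EnrollURLs (in the CN or the Subject Alternative Names attribute) and the ServerAuthentication extended key usage; check the Server certificate before switching them on in a deployed policy.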

6.3.3.3 Files Download

This section details how to download the relevant Client policy files for the Secure Login Client. Use the files generated via this option (instead of the files generated via the Global Client Policy option, section 6.3.3.4 on page 191) if you want to export the Client policy files for the current (active) instance only.

1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.
2. Click Files download.
3. The following page will appear:

Figure 6-69 Files download page

The following options are available (options marked with * are mandatory):
- Client Policy: Click to open the Client Policy Management page (the default page). For further information see section 6.3.3 Client Configuration on page 183.
- Applications: Click to open the Applications Management page. For further information see section 6.3.3.1 Application Management on page 184.
- Profiles: Opens the Profiles management page. For further information see section 6.3.3.2 Client Profile Management on page 187.
- Files download: Opens the Files Download page (this page).
- Global Client Policy: Opens the Global Client Policy page. For further information see section 6.3.3.4 Global Client Policy on page 191.
- Download: Download the selected policy file(s).

This dialog allows you to download the following files:
- The ClientPolicy.xml file and customer.zip (which contains the root certificate and a simple registry file). These are used for dynamic Client policy retrieval (via a policy Server).
- The customerAll.reg registry file. This is a static Client policy written as registry values to the Windows registry.

4. To download, check the appropriate policy file and click Download. A download dialog will open.
5. Click the download link at the bottom of the page, browse for a download location, and save the file.
6. Close the download dialog.

6.3.3.4 Global Client Policy

This section details how to download the relevant Client policy files (including instances) for the Secure Login Client. Use the files generated via this option (instead of the files generated via the Files Download option, section 6.3.3.3 on page 190) if you want to include the complete Secure Login Server configuration, including all instances, in the Client policy files for the Secure Login Client.

1. If you have not already done so, click the Client configuration node from the tree in the left-hand pane.
2. Click Global Client Policy.
3. The following page will appear:

Figure 6-70 Global Client policy page

The following options are available (options marked with * are mandatory):

Option: Details/Value
Client Policy: Click to open the Client Policy Management page (the default page). For further information see section 6.3.3 Client Configuration on page 183.
Applications: Click to open the Applications Management page. For further information see section 6.3.3.1 Application Management on page 184.
Profiles: Opens the Profiles management page. For further information see section 6.3.3.2 Client Profile Management on page 187.
Files download: Opens the Files Download page. For further information see section 6.3.3.3 Files Download on page 190.
Global Client Policy: Opens the Global Client Policy page (this page).
Generate: Generate Client policy files for the whole configuration.

4. Click Generate to generate (or re-generate) the global Client policy files. If the information in each of the Client policy instance files can be merged, a list of files will appear below the Generate button. The following files can be downloaded:
- The GlobalClientPolicy.xml and GlobalCustomer.reg files are used for dynamic Client policy retrieval (via a policy Server).
- The GlobalCustomerAll.reg registry file is a static Client policy written as registry values to the Windows registry.
To download, just click the appropriate file(s) to browse for a download location, and save the file. If the information in each of the Client policy instance files cannot be merged, a message will appear stating which parameters are conflicting. Locate and change the specific parameters via the Client Policy, Applications, and Profiles options.
5. Close the download dialog.

6.3.4 Instance Log Management

This section details the Server/instance logging functionality of the Administration Console. The log entries apply only to Server actions.

1. If you have not already done so, click the Instance log management node from the tree in the left-hand pane.
2. By default the Monthly log page will appear:

Figure 6-71 Instance log management - main page/monthly log page

This page displays all of the tasks performed via the Administration Console since logging began as well as the Secure Login Server log. This page allows you to:
- Select a period of time to view via the Log Month or Log Day combo-box.
- Change log settings.
- Export log files to a *.csv file.

This page displays the following options:

Option: Details
Monthly log: View the monthly log (as in the figure above). For information about the log entries refer to the table below.
Daily log: Select this if the logging list is too long to view or if you just wish to view the logging data from a specific day in the current month. For further information see section 6.3.4.1 Daily Log on page 193.
Log analysis: Provides graphical visualization of authentication operations.
Log settings: Change the logging settings. For further information see section 6.3.4.2 Log Settings on page 195.
Archived Log: This option allows you to view archived log files. For further information see section 6.3.4.3 Archived Log on page 196.
Log month: View the log entries from a specific month via the combo-box.
Export logs: Click to export the current page of log entries to a file (*.csv). NOTE: This entry is only visible if log entries are present.

By default, the page will display the log entries from the current month in a table. The monthly table contains the following information about the administration tasks:

Table column: Details
Date: The date the task was performed.
Time: The time the task was performed.
Code: The internal code of the task performed.
Level: An abbreviated description of the message, i.e. INF for information, or ERR for error.
Description: A description of the message/task.

6.3.4.1 Daily Log

This section details how to view and export the daily log file entries from the Daily log page of the Administration Console.

1. If you have not already done so, click the Instance log management node from the tree in the left-hand pane.
2. The following information will appear:

Figure 6-72 Instance log management - daily log page

This page displays the log entries from the current day (going back a total of one week) in a table. This page allows you to:
- Select a day to view via the Log date combo-box.
- Change log settings.
- Export log files to a *.csv file.

The following options are available:

Option: Details
Monthly Log: View the monthly log. For further information see section 6.3.4 Instance Log Management on page 192.
Daily Log: View the daily log (as in the figure above). For information about the log entries refer to the table below.
Log settings: Change the logging settings. For further information see section 6.3.4.2 Log Settings on page 195.
Archived Log: This option allows you to view archived log files. For further information see section 6.3.4.3 Archived Log on page 196.
Log date: View the log entries from a specific day via the combo-box.
Export logs: Click to export the current page of log entries to a file (*.csv). NOTE: This entry is only visible if log entries are present.

By default, the page will display the log entries from the current day in a table. The table contains the following information about the administration tasks:

Table column: Details
Time: The time the administrative task occurred.
Client: The Client computer from which the administrative task was initiated.
DNS/IP: The DNS and IP of the Client computer from which the administrative task was initiated. NOTE: This field only appears if multiple sets of DNS/IP are configured on the admin computer; the IP values of one set are displayed.
View As User: The name of the user that initiated the administrative task.
Action: The administrative task performed by the user.

6.3.4.2 Log Settings

This section details the log file settings for the Instance log management page of the Administration Console.

1. If you have not already done so, click the Instance log management node from the tree in the left-hand pane.
2. The following information will appear:

Figure 6-73 Instance log management - log settings

This page allows you to change the logging parameters via the following options (options marked with * are mandatory):

Option: Details
Maximum log file size*: The maximum size for the log file directory (all log files) in gigabytes.
Maximum individual file size*: The maximum size a log file may be before archiving.
Daily log file cleanup interval*: The interval, in days, after which the next log cleanup starts.
Monthly log cleanup interval*: The interval, in months, after which the next log cleanup starts.
Daily log prefix* (non-editable): The file prefix for daily logs.
Directory for storing daily logs* (non-editable): The directory for daily log storage.
Monthly log prefix* (non-editable): The file prefix for monthly logs.
Directory for storing monthly logs* (non-editable): The directory to which the monthly log files are saved.
Certificate and request archiving directory (also known as ArchivingDir in the configuration.properties file): The directory for storing all Client and Server communication data (certificates and certificate requests). NOTE: Make sure that you enter a valid path! If the path is invalid the error Internal Server Error may occur when the Secure Login Client tries to log on.

3. Enter the parameters for each option and click Save. You will be returned to the Instance log management main page.

6.3.4.3 Archived Log

This section details the Archive log file page of the Administration Console.

1. If you have not already done so, click the Instance Log Management node from the tree in the left-hand pane.
2. Click Archived log. The following information will appear:

Figure 6-74 Instance log management - archived log files

The following options are available:

Option: Details
Archived file name: The name under which the Server has saved the log file(s).
Selected: A radio button to indicate which file should be downloaded.

3. You now have the following options:
- To download a log file archive, select an archive from the Selected column and click Download. You will be prompted to choose a location. The log files are in ZIP format.
- To delete a log file archive, select an archive from the Selected column and click Delete.

6.3.5 Instance Check

This section details the Instance Check page of the Administration Console.

1. If you have not already done so, click the Instance Check node from the tree in the left-hand pane.
2. The following page will appear:

Figure 6-75 Instance Check page

This page displays the status of the Secure Login components: Client policy and PKI structure. For information about how to fix problems with system components either refer to chapter 7 Troubleshooting, on page 211, or contact SECUDE support.
6.3.6 Instance Status

This section details the Instance Status page of the Administration Console.

1. If you have not already done so, click the Instance Check node from the tree in the left-hand pane.
2. The following page will appear:

Figure 6-76 Instance Check page

The Instance status is displayed as a table containing the following details:

Criteria: Details
Date: Current date and time.
Version: Version of SECUDE Secure Login Server being used.
Uptime: The amount of time the Server has remained active and running.
Instance ID: The identity of the current Server instance.
Configuration URL: Location of the configuration.properties file.
Configuration status: configuration.properties file permission status (i.e. readable or not readable).
Server locked: Is the Server instance locked?
PSE Server status: Alive = working.
Server build: SECUDE Secure Login Server version.

6.4 Console Users

This section details the Console Users page of the Administration Console. Use this node to view when an administrator logged in to, or logged out of, the Administration Console.

1. If you have not already done so, click the Console Users node from the tree in the left-hand pane.
2. The following page will appear:

Figure 6-77 Console Users page

This page displays the current login/logoff status for each administrator in chronological order with the latest entry at the top of the table. No further actions can be performed on this page.

Related Information

For detailed information about any action performed by an administrator refer to:
- the Console Log Viewer node (see section 6.1.15 on page 165)
- the Instance Log Management node (see section 6.3.4 on page 192)
- the Locked Files Management node (see section 6.4.3 on page 205)

6.4.1 User Management

This section details the User Management node of the Administration Console. This node displays a list of the users/administrators registered to the Administration Console and allows you to add a new user, edit/delete a current user, and assign a role to a user (for further information about roles refer to the next section).

1. If you have not already done so, click the User Management node from the tree in the left-hand pane.
2. The User management page will appear:

Figure 6-78 Administration Console - user management page

The current list of roles in the database will appear in a table. The following options are available:

Option: Details
Add: Add a new user/administrator to the Administration Console user database.
Edit: Edit any entry preselected from the list. This will open the Create User page.
Delete: Delete any entry preselected from the list.
Assign Role: Assign a role to any preselected user in the list. For further information refer to the next page.

It is only possible to delete users that have been added/configured by you. The user Admin is a permanent user that has the role super-user and cannot be deleted (only the password changed) or altered in any way. As a consequence, the admin user can log onto the system regardless of state (i.e. when a serious system error occurs), guaranteeing that there is at least one user that can always access Secure Login to correct or configure the system.

Add/Edit a User

1. Click either Add or Edit to open the following page:

Figure 6-79 User management - add/edit a user

The following options are available (options marked with * are mandatory):

Option: Details
ID*: The unique identifier for the user inside the Administration Console.
Name*: The username to be used for login. NOTE: If you want to use either External login or SSL Certificate Login, make sure that this entry is consistent with the respective certificate/database.
Change Password: This option is only visible when editing a user entry in the list! Check this option to change the password.
Password*: The password to be used for local login. NOTE: The password must be at least 8 characters in length and contain a mix of uppercase/lowercase letters, special characters and numbers.
Confirm Password*: Confirm the password to be used for local login.
External login: Use JAAS module-based login. This feature uses user information stored in an Authentication Server database for identification. Clicking this option will display the extra option External Login ID. NOTE: an Authentication Server must be pre-configured for this feature to work correctly.
External Login ID: The unique identifier (password) for JAAS module-based authentication. NOTE: This option is only visible when the option External login is checked!
SSL Certificate Login: Use certificate-based authentication. Clicking this option will display the extra option Certificate Login ID.
Certificate Login ID: The unique identifier (password) for certificate-based login. This entry must be the same as the subject_alt_name used during login certificate creation. NOTE: This option is only visible when the option SSL Certificate Login is checked! For further information about login certificates refer to section 3.3.3.1 on page 37.
Disabled: If checked, the user cannot log on to the console. NOTE: This option is not available for the default user (Admin).

If the options External login and SSL Certificate Login are both left unchecked, the default method local login is used.

2. Enter information for each of the options and click Save.

Assign a Role to a User

1. Select the user from the user list to which the role is to be assigned.
2. Click Assign Role to open the following page:

Figure 6-80 User management - assign role to a user

Select one or more roles from the left-hand pane (All Roles) and click >>Add to transfer that role to the user (My Roles).

3. Click Save.

Delete a Role from a User

1. Select the user from the user list from which the role is to be removed.
2. Click Assign Role to open the following page:

Figure 6-81 User management - assign role to a user

Select the role(s) from the right-hand pane (My Roles) and click >>Delete to remove the role from the user.

3. Click Save.

6.4.2 Role Management

This section details the Role Management node of the Administration Console. Use this node to configure the permissions for each administrator role.

1. If you have not already done so, click the Role Management node from the tree in the left-hand pane.
2. The Role Management page will appear:

Figure 6-82 Role management - main page

This page displays a list of roles available in the Administration Console, as well as allowing you to configure the roles. The following options are available:

Option: Details
Add: Add a new role to the Administration Console.
Copy: Copy any entry preselected in the list. This will open the Create Role page. For further details refer to the next page.
Edit: Edit any entry preselected from the list. This will open the Create Role page. For further details refer to the next page.
Delete: Delete any entry preselected from the list.

It is only possible to edit and delete roles that have been added or copied. The default roles (Super User, CA Administrator, User Administrator, Auditor, Operator) cannot be altered or deleted.

Add/Edit a Role

1. Either click Add to make a completely new role, or select the role on which you want to base a similar role and click Copy.
2. The Create Role page will appear:

Figure 6-83 Role management - add/copy a role

The following options are available (options marked with * are mandatory):

Option: Details
ID*: The unique identifier for the role.
Name*: The name used to describe the role.
Permission List: The following permissions can be granted to the role:
- sssPermission: Perform signon&secure-related operations. If left unchecked, the SSS&JCO Installation node will not appear in the navigation tree.
- logROPermission: Permission to view the log file. If left unchecked, the Console Log Viewer and Instance Log Management nodes will not appear in the navigation tree (unless the option logRWPermission is checked).
- logRWPermission: Permission to change the logging configuration and export log files. If left unchecked, the Console Log Viewer and Instance Log Management nodes will not appear in the navigation tree (unless the option logROPermission is checked).
- statusPermission: Permission to view the status of the Server as well as each instance in the configuration. If left unchecked, the Server Status and Instance Status nodes will not appear in the navigation tree (unless the option statusUnlockPermission is checked).
- statusUnlockPermission: Permission to unlock a locked Server or instance.
- localizationPermission: Permission to perform GUI language-related operations. If left unchecked, the Change Language node will not appear in the navigation tree.
- lockFilePermission: Permission to unlock locked files. If left unchecked, the Locked Files Management node will not appear in the navigation tree.
- WebClientPermission: Permission to configure the Web-Clients. If left unchecked, the Web Client Configuration node will not appear in the navigation tree.
- confRWPermission: Permission to edit the Server configuration or instance configuration. If left unchecked, the Server Configuration and DefaultServer Configuration nodes will not appear in the navigation tree (unless the option confROPermission is checked).
- confROPermission: Permission only to view the Server configuration or instance configuration. If left unchecked, the Server Configuration and DefaultServer Configuration nodes will not appear in the navigation tree (unless the option confRWPermission is checked).
- multiRWPermission: Permission to add, edit, and delete instances. If left unchecked, the Instance Management node will not appear in the navigation tree (unless the option multiViewPermission is checked).
- sysAnalyzePermission: Permission to check the system for missing or faulty components. If left unchecked, the System Check and Instance Check nodes will not appear in the navigation tree.
- backRestorePermission: Permission to perform backup and restore operations. If left unchecked, the Backup/Restore node will not appear in the navigation tree.
- userPermission: Permission to perform user-related operations, such as creating a new user. If left unchecked, the User Management node will not appear in the navigation tree.
- rolePermission: Permission to perform role-related operations, such as creating a new role. If left unchecked, the Role Management node will not appear in the navigation tree.
- multiViewPermission: Permission only to view instance details. If left unchecked, the Instance Management node will not appear in the navigation tree (unless the option multiRWPermission is checked).
- caPermission: Permission to perform certificate authority-related tasks. If left unchecked, the Certificate Template, Sign Certificate Requests, and Certificate Management nodes will not appear in the navigation tree.
- authPermission: Permission to perform authentication and Truststore operations. If left unchecked, the Authentication Management and Truststore Management nodes will not appear in the navigation tree.
- ClientPermission: Permission to perform Client policy operations. If left unchecked, the Client Configuration node will not appear in the navigation tree.

3. Enter a unique identifier for the role into the field ID and enter a description of the role into the field Name.
4. Check each of the options appropriate for the intended role and click Save.

6.4.3 Locked Files Management

This section details how to check if any Secure Login-specific system files have been locked and, if necessary, unlock them (providing the necessary rights have been granted to the administrator role, see section 6.4.2 on page 202). Files are locked in the following scenarios:
- When multiple administrators try to configure Secure Login at the same time. When this happens one administrator will receive a message informing them to contact the specific administrator to unlock the file. This message may appear under several nodes.
- When a user closes the Internet browser window without clicking Logout first.

1. If you have not already done so, click the Locked Files Management node from the tree in the left-hand pane.
2. The Locked Files Management page will appear:

Figure 6-84 Instance log management - main page/monthly log page

This page displays any files that have been locked. The following files may appear in the list:
- Web.xml
- Configuration.properties
- Clientpolicy.xml
- Cert_template.xml
- Keystore.xml
- Role.xml
- User.xml
- Serverlist.xml
- SLSJaasModule.login

3. Select the file(s) that you want to unlock and click Release.

6.5 Other Administration Features

This section details Secure Login features to assist an administrator without the need to use the Administration Console. The most useful function for an administrator is the ability to view the Server or Server instance status in a quick manner. To this end, Secure Login can be queried via HTTP POST (see section 6.5.3) or HTTP GET (via a browser). The HTTP POST method returns an XML-formatted reply; HTTP GET can return both HTML and XML formats. The status information returned via both methods is the same.

Contents

Section 6.5.1 Status Query via an Internet Browser on page 206
Section 6.5.2 Secure Login Web Service Status Query on page 209
Section 6.5.3 XML Interface on page 209

6.5.1 Status Query via an Internet Browser

This section details how to quickly retrieve the Server status via an Internet browser.

Parameters

The following parameters can be applied to obtain the Server status, or can be mixed to retrieve the status of a specific Server/Server instance:

op = add an option. Possible values:
- status = retrieve the status of the default Server instance
- Serverstatus = retrieve the status of the Server (all other parameters will be ignored)

id = add a Server ID. Possible values:
- <InstanceIDs> = retrieve the status of a specific Server instance (use in combination with status)

xml = retrieve status information in XML format. Possible values:
- on (only for HTTP GET)

Example 1: Retrieve the Status of the Default Server Instance

Use the following example to quickly retrieve the status of the default Server instance:
http://<application Server Web-apps directory>/securelogin/PseServer?op=status

For example: http://localhost:8080/securelogin/PseServer?op=status

Example 2: Retrieve the Status of a Specific Server Instance

Use the following example to quickly retrieve the status of a specific Server instance:
http://<application Server Web-apps directory>/securelogin/PseServer?op=status&id=0001

For example: http://localhost:8080/securelogin/PseServer?op=status&id=0001

Example 3: Retrieve the Status of the Server

Use the following example to quickly retrieve the status of the Server:
http://<application Server Web-apps directory>/securelogin/PseServer?op=Serverstatus

For example: http://localhost:8080/securelogin/PseServer?op=Serverstatus

Example 4: Retrieve Status Information

Use the following example to retrieve status information:
http://<application Server Web-apps directory>/securelogin/PseServer?<options>&<ServerID>

For example, to retrieve the status of a specific Server instance:
http://localhost:8080/securelogin/PseServer?op=status&id=0001

Example Reply

Figure 6-85 Direct Server query - Server instance query

6.5.2 Secure Login Web Service Status Query

Introduction

This section details, in brief, how to query the Secure Login Web Service for status and available operations. This section applies only to Servers to which Secure Login, with the Web service, has been deployed. For further information refer to chapter 5 on page 109. The Web Service query will vary according to the application Server:
- On Tomcat, the Secure Login Web Service is deployed to the Apache Axis2 Web-service provider and therefore it is Apache Axis2 that will be queried.
- On NetWeaver, the Secure Login Web Service can be queried directly.

Before proceeding

Make sure that you have deployed the Secure Login Web Client application to either Tomcat or NetWeaver and that the application Server has been started.

Web Service Query using Tomcat

To view the Web service status enter the following URL in your Internet browser:
- To view the Axis2 main page: http://<host:port>/axis2/axis2-Web/index.jsp. This page enables you to view any services deployed to Axis2 as well as to perform any administration tasks and system checks.
- To view the status of all running Web services: http://<host:port>/axis2/services/listServices
- To view the Web service directly: http://<host:port>/axis2/services/secureloginservice?wsdl

Here is an example of the Axis2 Available services page:

Figure 6-86 Web Service - Axis2 available services

Click the secureloginservice link to view the status of the service in XML format.

Web Service Query using NetWeaver

Enter the following URL in your Internet browser to view the Web service status: http://<host:port>/SecureLoginService/Config1?style=document

Apache Axis2 also has an administration front-end. It is available via the URL: http://localhost:8080/axis2/axis2-admin/ This allows the upload (and hence the change) of Web Service Archives and the activation/deactivation of deployed services. The front-end is shipped with a default account: user=admin, password=axis2. This, of course, presents a security issue and therefore it is recommended that the Secure Login administrator change the password of the Axis2 admin front-end. This can be accomplished as follows:
1. Open the axis2.xml file in the Server directory Webapps\axis2\WEB-INF\conf\
2. Locate the following lines:
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
3. Change the user name and password entries accordingly.
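A check that the default Axis2 admin credentials named above have actually been changed, as an added example that is not part of the manual or of Apache Axis2; the file location is an assumption and SAMPLE_AXIS2_XML is a constructed fragment for offline use:

```python
"""Flag Axis2 admin front-end credentials that are still the shipped defaults.

Added example, not part of the SECUDE manual or of Apache Axis2. It reads the
<parameter name="userName"> and <parameter name="password"> elements that
section 6.5.2 tells the administrator to change in axis2.xml. The file path is
an assumption and SAMPLE_AXIS2_XML is a constructed fragment for offline use.
"""
import xml.etree.ElementTree as ET

# Defaults named in section 6.5.2.
DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "axis2"

# Constructed minimal axis2.xml fragment (a real file carries many more parameters).
SAMPLE_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
</axisconfig>"""


def admin_credentials(xml_text):
    """Return the userName/password parameters found in the file (missing keys omitted)."""
    root = ET.fromstring(xml_text)
    found = {}
    for param in root.iter("parameter"):
        name = param.get("name")
        if name in ("userName", "password"):
            found[name] = (param.text or "").strip()
    return found


def audit_admin_credentials(xml_text):
    """Return a list of findings; an empty list means both defaults were changed."""
    creds = admin_credentials(xml_text)
    findings = []
    if creds.get("userName") == DEFAULT_USER:
        findings.append("userName is still the default 'admin'")
    if creds.get("password") == DEFAULT_PASSWORD:
        findings.append("password is still the default 'axis2'")
    elif not creds.get("password"):
        findings.append("no password parameter found")
    return findings


def audit_axis2_file(path):
    """Audit an axis2.xml on disk, e.g. <Tomcat>\\webapps\\axis2\\WEB-INF\\conf\\axis2.xml (assumed path)."""
    with open(path, encoding="utf-8") as fh:
        return audit_admin_credentials(fh.read())
```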

208

SECUDE Secure Login 5.1 Installation, Administration and Usage Manual

6.5.3 XML Interface

Introduction

In addition to the Administration Console, SECUDE Secure Login Server provides an XML interface to automate monitoring using your own or a third-party program, e.g. to incorporate monitoring into administrative tools. SECUDE Secure Login Server has to be called with a specific request in XML format. The Secure Login Server then returns an XML reply with the status information.

Contents

Section 6.5.3.1 Status Request, on page 209
Section 6.5.3.2 Status Reply, on page 209

6.5.3.1 Status Request

Request Format

    <TransFairGram>
      <Control>
        <Version>Pepperbox 2.0.0</Version>
        <ActionRequest>STATUS_REQUEST_ACTION</ActionRequest>
      </Control>
    </TransFairGram>

Use HTTP POST to send a Status Request

To post a status request send the XML request to the address: http://<Servlet URL>/securelogin/PseServer

Example

http://localhost:8080/securelogin/PseServer

6.5.3.2 Status Reply

Reply Format

    <TransFairGram>
      <Control>
        <ActionRequest>STATUS_ACTION</ActionRequest>
        <Version>Pepperbox 2.0.0</Version>
        <ServerBuild>$Name: SLS_5-1-1-0 $</ServerBuild>
      </Control>
      <Content>
        <Data>
          <Status>
            <ConfigURL>file:C:/Program Files/Apache Software Foundation/Tomcat 6.0/Webapps/securelogin/WEB-INF/Instances/Configuration.properties</ConfigURL>
            <ConfigurationStatus>OK</ConfigurationStatus>
            <Date>Mon Jan 28 12:02:54 CET 2010</Date>
            <ID>Instance 00020</ID>
            <LockFile/>
            <LockStatus>false</LockStatus>
            <PseServerStatus>OK</PseServerStatus>
            <ServerBuild>SLS_5-1-1-0</ServerBuild>
          </Status>
          <Message>The current Server status is enclosed with this transfairgram (only for diagnostic purpose)</Message>
          <MessageCode>0701</MessageCode>
        </Data>
        <DataType>application/xml</DataType>
      </Content>
    </TransFairGram>
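A small monitoring client for the GET parameters of section 6.5.1 and the POST request/reply of section 6.5.3, as an added example that is not part of the manual or product; the Server base URL is an assumption and SAMPLE_REPLY is constructed from the example reply above for offline use:

```python
"""Query the Secure Login Server status interface and evaluate the reply.

Added example, not part of the SECUDE manual or product. Builds the GET URLs
of section 6.5.1, POSTs the STATUS_REQUEST_ACTION of section 6.5.3.1 and
parses the reply of section 6.5.3.2. The base URL is an assumption and
SAMPLE_REPLY is constructed from the manual's example for offline use.
"""
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Request body from section 6.5.3.1 (sent via HTTP POST).
STATUS_REQUEST = (
    "<TransFairGram><Control>"
    "<Version>Pepperbox 2.0.0</Version>"
    "<ActionRequest>STATUS_REQUEST_ACTION</ActionRequest>"
    "</Control></TransFairGram>"
)

# Constructed sample reply, modelled on the example in section 6.5.3.2.
SAMPLE_REPLY = """<TransFairGram>
  <Control>
    <ActionRequest>STATUS_ACTION</ActionRequest>
    <Version>Pepperbox 2.0.0</Version>
    <ServerBuild>$Name: SLS_5-1-1-0 $</ServerBuild>
  </Control>
  <Content>
    <Data>
      <Status>
        <ConfigURL>file:C:/Program Files/Apache Software Foundation/Tomcat 6.0/Webapps/securelogin/WEB-INF/Instances/Configuration.properties</ConfigURL>
        <ConfigurationStatus>OK</ConfigurationStatus>
        <Date>Mon Jan 28 12:02:54 CET 2010</Date>
        <ID>Instance 00020</ID>
        <LockFile/>
        <LockStatus>false</LockStatus>
        <PseServerStatus>OK</PseServerStatus>
        <ServerBuild>SLS_5-1-1-0</ServerBuild>
      </Status>
      <Message>The current Server status is enclosed with this transfairgram (only for diagnostic purpose)</Message>
      <MessageCode>0701</MessageCode>
    </Data>
    <DataType>application/xml</DataType>
  </Content>
</TransFairGram>"""


def status_url(base, op="status", instance_id=None, xml=False):
    """Build a GET status URL (section 6.5.1); id only applies with op=status."""
    params = {"op": op}
    if instance_id is not None and op == "status":
        params["id"] = instance_id  # with Serverstatus the server ignores it
    if xml:
        params["xml"] = "on"
    return f"{base.rstrip('/')}/securelogin/PseServer?{urlencode(params)}"


def parse_status_reply(xml_text):
    """Flatten the <Status> block of a status reply into a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "TransFairGram":
        raise ValueError(f"unexpected root element <{root.tag}>")
    status = root.find("./Content/Data/Status")
    if status is None:
        raise ValueError("reply carries no <Status> element")
    fields = {child.tag: (child.text or "").strip() for child in status}
    fields["ActionRequest"] = (root.findtext("./Control/ActionRequest") or "").strip()
    fields["MessageCode"] = (root.findtext("./Content/Data/MessageCode") or "").strip()
    return fields


def evaluate(fields):
    """Return a list of problems; an empty list means the instance is healthy."""
    problems = []
    if fields.get("ActionRequest") != "STATUS_ACTION":
        problems.append(f"unexpected action {fields.get('ActionRequest')!r}")
    if fields.get("ConfigurationStatus") != "OK":
        problems.append("configuration.properties is not readable")
    if fields.get("PseServerStatus") != "OK":
        problems.append("PSE server status is not OK")
    if fields.get("LockStatus", "").lower() == "true":
        problems.append("instance is locked")
    return problems


def post_status_request(servlet_base, timeout=10):
    """POST the status request to http://<Servlet URL>/securelogin/PseServer."""
    url = f"{servlet_base.rstrip('/')}/securelogin/PseServer"
    req = urllib.request.Request(url, data=STATUS_REQUEST.encode("utf-8"),
                                 headers={"Content-Type": "application/xml"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_instance(servlet_base):
    """Query a live Server (assumed URL) and return (instance id, problems)."""
    fields = parse_status_reply(post_status_request(servlet_base))
    return fields.get("ID"), evaluate(fields)
```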

7 Troubleshooting

Introduction

This chapter describes the SECUDE Secure Login Server features for logging and error recovery.

Sections in this Chapter

Section 7.1 How to use Unlimited Key Length Policies, on page 212
Section 7.2 Log Files, on page 213
Section 7.3 Turning Tracing On/Off, on page 215
Section 7.4 SECUDE Secure Login Server Lock and Unlock, on page 216
Section 7.5 Setting the Correct Environment Variables for SAP ID-Based Logon, on page 217
Section 7.6 Problems with the Client URL, on page 218
Section 7.7 Implement an SSL.PSE-Based TrustStore for HTTPS, on page 218
Section 7.8 Access Denied Replies, on page 219
Section 7.9 Why the Secure Login Instance/Server is Locked, on page 219
Section 7.10 Password Expiry Warnings on Sun LDAP (1), on page 220
Section 7.11 Password Expiry Warnings on Sun LDAP (2), on page 220
Section 7.12 Secure Login Server Cannot Establish an SNC Connection to the SAP Server, on page 221
Section 7.13 Administration Console Pages Appear Broken, on page 221
Section 7.14 Problem Loading the GSS Library (SAP-ID Module), on page 222
Section 7.16 Users Cannot be Successfully Authenticated to any JAAS Module, on page 227

211

SECUDE Secure Login 5.1 Installation, Administration and Usage Manual

7.1 How to use Unlimited Key Length Policies

This section details how to solve problems with key length restrictions for several algorithms.

Problem
The creation of PKCS#12 files using passwords longer than 7 characters is not possible in the Administration Console. The standard JCE settings restrict the key length for several algorithms.

Solution
Follow these steps to disable the restrictions:
1. Browse to the Java lib\security sub-directory (for example: <Java home>\jdk1.5.0_08\jre\lib\security).
2. Locate the files local_policy.jar and US_export_policy.jar.
3. Make duplicates of both files and give them the file extension *.bak (this means that you can return to the original files if you need to).
4. Delete local_policy.jar.
5. Duplicate US_export_policy.jar and rename the copy to local_policy.jar.

To check that both files US_export_policy.jar and local_policy.jar are unrestricted, unzip them and open the file default_US_export.policy in a text editor. If the following text is displayed, the check is successful and the policies are unrestricted:

// Manufacturing policy file.
grant {
    // There is no restriction to any algorithms.
    permission javax.crypto.CryptoAllPermission;
};

If the JCE files local_policy.jar and US_export_policy.jar are not present in the directory jre\lib\security, download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from one of the following locations (depending on which Java version you use):
http://java.sun.com/javase/downloads/index_jdk5.jsp (for Java 5)
http://java.sun.com/javase/downloads/index.jsp (for Java 6)
(These will work for all JCE versions.)
Extract the contents of the ZIP file to the Java lib\security directory (for example <Java home>\jre\lib\security). These files already have the necessary permissions.

Note that a Java update replaces the files in jre\lib\security with the restricted defaults again, so repeat the check after every update of the Java runtime that hosts the Secure Login Server.
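The check described above (unzip each policy jar and look for the unrestricted grant) can be scripted so that it runs as part of a deployment check. The script below is an added example and is not part of the SECUDE manual or product; it assumes only the jar names and the directory layout named on this page, and that a policy file inside the jar ends in .policy. The two embedded policy texts are constructed test fixtures: the unrestricted one is the text quoted above, the restricted one mirrors the shape of a sized CryptoPermission grant.

```python
"""Verify that the JCE jurisdiction policy jars are unrestricted (added example)."""
import io
import os
import re
import zipfile

POLICY_JARS = ("local_policy.jar", "US_export_policy.jar")

# Body of each "grant { ... };" block, comments removed first.
_GRANT = re.compile(r"grant\s*\{(.*?)\}\s*;", re.S)
_COMMENT = re.compile(r"//[^\n]*")


def policy_text_is_unrestricted(text):
    """True only if every grant block grants CryptoAllPermission and contains no
    sized permission such as 'permission javax.crypto.CryptoPermission "AES", 128;'."""
    grants = _GRANT.findall(_COMMENT.sub("", text))
    if not grants:
        return False
    for body in grants:
        if "javax.crypto.CryptoAllPermission" not in body:
            return False
        if "javax.crypto.CryptoPermission " in body:   # sized grant = restricted
            return False
    return True


def jar_is_unrestricted(jar):
    """Inspect every *.policy member of a jar (path or file object); all must pass."""
    with zipfile.ZipFile(jar) as zf:
        policies = [n for n in zf.namelist() if n.endswith(".policy")]
        if not policies:
            return False
        return all(policy_text_is_unrestricted(zf.read(n).decode("utf-8", "replace"))
                   for n in policies)


def check_security_dir(security_dir):
    """Map each expected jar to True (unrestricted), False (restricted) or None (missing)."""
    result = {}
    for name in POLICY_JARS:
        path = os.path.join(security_dir, name)
        result[name] = jar_is_unrestricted(path) if os.path.isfile(path) else None
    return result


def make_policy_jar(policy_name, text):
    """Build an in-memory jar holding one policy file (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(policy_name, text)
    buf.seek(0)
    return buf


UNRESTRICTED_POLICY = """// Manufacturing policy file.
grant {
    // There is no restriction to any algorithms.
    permission javax.crypto.CryptoAllPermission;
};
"""

# Constructed after the shape of a restricted default_local.policy.
RESTRICTED_POLICY = """// Some countries have import limits on crypto strength.
grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "AES", 128;
    permission javax.crypto.CryptoPermission *, 128;
};
"""

if __name__ == "__main__":
    import sys
    sec_dir = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        os.environ.get("JAVA_HOME", ""), "jre", "lib", "security")
    labels = {True: "unrestricted", False: "RESTRICTED", None: "missing"}
    for jar, state in check_security_dir(sec_dir).items():
        print("%-22s %s" % (jar, labels[state]))
```

Point the script at the jre\lib\security directory of the Java runtime that actually runs the servlet container, not at whatever java is first on the PATH; a mismatch between the two is the usual reason the PKCS#12 creation still fails after the jars were replaced.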

7.2 Log Files

Introduction
For the SECUDE Secure Login Server, log files for daily and monthly logging are created. The location and log file names can be specified using one of these methods:
- Manually in the SECUDE Secure Login Server configuration properties (see section 9.2.3 Configuration on page 248).
- Via the Administration Console (see section 6.3.4 Instance Log Management on page 177).

Contents
Section 7.2.1 Daily Log File, on page 213
Section 7.2.2 Monthly Log File, on page 215

7.2.1 Daily Log File

Introduction
The daily log file has an entry for each transaction. An entry contains the following information (if available):
- Time and date of the transaction
- ID of the Client
- Instance ID
- IP address and DNS entry as sent by the Client
- Client IP address and DNS entry as seen by the Server
- Name of the user making the request
- Action code of the request
- Result of the transaction

The address and DNS entry "as sent by the Client" are supplied by the Client itself; when correlating entries with a specific machine, rely on the address "as seen by the Server".

Result Codes
The following table describes the possible result codes:

Result Code                                   Details
ACM_ACCESS_DENIED                             Authentication failed
ACE_INVALID_ARG                               Invalid PIN
ACM_NEXT_CODE_REQUIRED                        Next token code required to continue authentication
ACM_NEW_PIN_ACCEPTED                          New PIN accepted
ACM_NEW_PIN_REJECTED                          New PIN not accepted
ACM_NEW_PIN_REQUIRED                          User needs a new PIN
ACM_OK                                        User could be authenticated
ACE_UNDEFINED_NEXT_PASSCODE                   Empty or invalid token code
ACE_UNDEFINED_PASSCODE                        Empty or invalid password
ACE_UNDEFINED_USERNAME                        Empty or invalid user name
INTERNAL_SERVER_ERROR (plus error description)  Server error
INVALID_MESSAGE_FORMAT (plus error description) Invalid or incomplete Client message
OK                                            Transaction successful

Sample Daily Log File
(one entry per line)

08/15/2008, 11:47:34 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser1, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 11:47:42 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser2, action: AUTH_ACTION, result: ACM_OK, instance: -Default-
08/15/2008, 11:49:17 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser1, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 11:49:29 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser7, action: AUTH_ACTION, result: ACM_OK, instance: -Default-
08/15/2008, 11:50:43 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser2, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 11:50:51 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser5, action: AUTH_ACTION, result: ACM_OK, instance: -Default-
08/15/2008, 14:30:06 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser2, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 14:30:14 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser5, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:30:18 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser5, action: AUTH_ACTION, result: ACM_NEW_PIN_REQUIRED, instance: -Default-
08/15/2008, 14:30:32 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser5, action: NEW_PIN_ACTION, result: ACM_NEW_PIN_REJECTED, instance: -Default-
08/15/2008, 14:33:41 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser3, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 14:33:50 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser2, action: AUTH_ACTION, result: ACM_NEW_PIN_REQUIRED, instance: -Default-
08/15/2008, 14:33:56 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser2, action: NEW_PIN_ACTION, result: ACM_NEW_PIN_ACCEPTED, instance: -Default-
08/15/2008, 14:41:57 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser1, action: INIT_ACTION, result: OK, instance: -Default-
08/15/2008, 14:42:41 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:42:46 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:42:51 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-

7.2.2 Monthly Log File

Introduction
Monthly log files contain system events and errors. An entry contains the following information:
- Time and date of the event or error
- Event or error code (see section 8 Error and Return Codes on page 231)
- Error level
- Description of the event or error
- Instance ID

Error Levels
The following table describes the possible error levels in alphabetical order:

Error Level   Details
ERR           Fatal error
INF           Information
WAR           Warning

Sample Monthly Log File
(one entry per line)

08/15/2008, 13:15:40 (CEST), PSE_STARTUP, INF, Standard servlet startup. -Default-
08/15/2008, 13:16:39 (CEST), INVALID_MESSAGE_FORMAT, ERR, Received NEW_PIN_ACTION while not in challenge mode. -Default-
08/15/2008, 14:00:37 (CEST), INVALID_MESSAGE_FORMAT, ERR, Received NEW_PIN_ACTION while not in challenge mode. -Default-
08/15/2008, 14:20:24 (CEST), PSE_SHUTDOWN, INF, Standard servlet shutdown. -Unknown-
08/15/2008, 14:21:21 (CEST), PSE_STARTUP, INF, Standard servlet startup. -Default-
08/15/2008, 14:22:25 (CEST), INVALID_MESSAGE_FORMAT, ERR, Received NEW_PIN_ACTION while not in challenge mode. -Default-
08/15/2008, 14:23:05 (CEST), INVALID_MESSAGE_FORMAT, ERR, Received NEW_PIN_ACTION while not in challenge mode. -Default-
08/15/2008, 14:56:40 (CEST), PSE_SHUTDOWN, INF, Standard servlet shutdown. -Default-
08/15/2008, 16:12:46 (CEST), PSE_STARTUP, INF, Standard servlet startup. -Default-
08/15/2008, 16:14:49 (CEST), PSE_STARTUP, INF, Admin servlet startup. -Default-
08/15/2008, 16:14:50 (CEST), JAAS_LDAP_ERROR, ERR, Could not reach the Authentication Servers. -Default-
08/15/2008, 16:14:51 (CEST), JAAS_LDAP_ERROR, ERR, Could not reach the Authentication Servers. -Default-
08/16/2008, 16:14:51 (CEST), JAAS_LDAP_ERROR, ERR, Could not reach the Authentication Servers. -Default-
08/16/2008, 16:24:16 (CEST), PSE_SHUTDOWN, INF, Admin servlet shutdown. -Default-
08/16/2008, 16:24:16 (CEST), PSE_SHUTDOWN, INF, Standard servlet shutdown. -Default-
08/17/2007, 17:47:09 (CEST), PSE_STARTUP, INF, Standard servlet startup. -Default-
08/17/2007, 17:47:25 (CEST), CERT_CREATE_ERROR, WAR, No certificate chain found in key store. -Default-
08/17/2007, 17:47:25 (CEST), CERT_CREATE_ERROR, WAR, No root certificate found in key store. -Default-
08/18/2007, 14:32:36 (CEST), PSE_SHUTDOWN, INF, Standard servlet shutdown. -Default-
08/18/2007, 15:14:54 (CEST), PSE_STARTUP, INF, Standard servlet startup. -Default-
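The two log formats in sections 7.2.1 and 7.2.2 are the raw material for detection: a run of ACM_ACCESS_DENIED results for one user from one address in the daily log (as for testuser6 in the sample above) is what a password-guessing attempt or a mis-configured Client looks like, and ERR-level entries in the monthly log (JAAS_LDAP_ERROR, INVALID_MESSAGE_FORMAT) are the events an operator wants to be paged for. The script below is an added example and is not part of the SECUDE manual or product. It parses both formats exactly as printed on this page; the threshold of three denials within five minutes is an assumption for illustration, not a product setting, and the embedded log lines are constructed after the samples above (including one deliberately malformed line).

```python
"""Scan Secure Login Server daily and monthly logs for suspicious activity (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Daily entry, as in 7.2.1:
# 08/15/2008, 14:42:41 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84,
#   seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION,
#   result: ACM_ACCESS_DENIED, instance: -Default-
DAILY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}), (?P<time>\d{2}:\d{2}:\d{2}) \((?P<tz>[^)]+)\), "
    r"Client: (?P<client>[^,]+), (?P<claimed>[^,]+), seen as: (?P<seen>[^,]+), "
    r"user: (?P<user>[^,]+), action: (?P<action>[^,]+), result: (?P<result>[^,]+), "
    r"instance: (?P<instance>.+)$")

# Monthly entry, as in 7.2.2:
# 08/15/2008, 16:14:50 (CEST), JAAS_LDAP_ERROR, ERR, Could not reach the Authentication Servers. -Default-
MONTHLY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}), (?P<time>\d{2}:\d{2}:\d{2}) \((?P<tz>[^)]+)\), "
    r"(?P<code>[A-Z_]+), (?P<level>ERR|INF|WAR), (?P<text>.*?) (?P<instance>-\S+-)$")


def _stamp(m):
    return datetime.strptime(m.group("date") + " " + m.group("time"), "%m/%d/%Y %H:%M:%S")


def parse_daily(lines):
    """Yield a dict per well-formed daily entry; malformed lines are skipped."""
    for line in lines:
        m = DAILY_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["when"] = _stamp(m)
            # "seen as" is the Server's own view; "claimed" is Client-supplied and untrusted.
            entry["seen_ip"] = entry["seen"].split("/")[-1]
            yield entry


def parse_monthly(lines):
    """Yield a dict per well-formed monthly entry."""
    for line in lines:
        m = MONTHLY_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["when"] = _stamp(m)
            yield entry


def denied_bursts(entries, threshold=3, window=timedelta(minutes=5)):
    """{(user, seen_ip): count} for every user/address denied >= threshold times within window."""
    per_key = defaultdict(list)
    for e in entries:
        if e["action"] == "AUTH_ACTION" and e["result"] == "ACM_ACCESS_DENIED":
            per_key[(e["user"], e["seen_ip"])].append(e["when"])
    hits = {}
    for key, times in per_key.items():
        times.sort()
        for i in range(len(times)):            # sliding window over sorted timestamps
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                hits[key] = max(hits.get(key, 0), j - i + 1)
    return hits


def error_events(entries):
    """ERR-level monthly entries as (timestamp, code, description) tuples."""
    return [(e["when"], e["code"], e["text"]) for e in entries if e["level"] == "ERR"]


# Constructed sample lines (after the manual's examples; last daily line is deliberately broken).
SAMPLE_DAILY = """\
08/15/2008, 11:47:42 (CEST), Client: unknown, pc-duke.SECUDE.COM/10.49.7.22, seen as: 10.49.7.22/10.49.7.22, user: testuser2, action: AUTH_ACTION, result: ACM_OK, instance: -Default-
08/15/2008, 14:30:14 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser5, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:42:41 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:42:46 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
08/15/2008, 14:42:51 (CEST), Client: unknown, PC-BM2.SECUDE.COM/10.49.7.84, seen as: 10.49.7.84/10.49.7.84, user: testuser6, action: AUTH_ACTION, result: ACM_ACCESS_DENIED, instance: -Default-
this line is not a log entry and must be ignored
""".splitlines()

SAMPLE_MONTHLY = """\
08/15/2008, 13:15:40 (CEST), PSE_STARTUP, INF, Standard servlet startup. -Default-
08/15/2008, 13:16:39 (CEST), INVALID_MESSAGE_FORMAT, ERR, Received NEW_PIN_ACTION while not in challenge mode. -Default-
08/15/2008, 16:14:50 (CEST), JAAS_LDAP_ERROR, ERR, Could not reach the Authentication Servers. -Default-
08/17/2007, 17:47:25 (CEST), CERT_CREATE_ERROR, WAR, No certificate chain found in key store. -Default-
""".splitlines()

if __name__ == "__main__":
    for (user, ip), n in denied_bursts(parse_daily(SAMPLE_DAILY)).items():
        print("ALERT: %d denials for %s from %s" % (n, user, ip))
    for when, code, text in error_events(parse_monthly(SAMPLE_MONTHLY)):
        print("ERR %s %s: %s" % (when, code, text))
```

For real files, replace SAMPLE_DAILY and SAMPLE_MONTHLY with the lines of the daily and monthly log configured in section 6.3.4. The burst detector keys on the address the Server saw, not on the Client-supplied one, so a Client cannot spread its attempts over many apparent hosts just by lying in the request.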

7.3 Turning Tracing On/Off

Introduction
This section details how to enable and disable trace messages. The trace options can be changed via the Administration Console (see section 6.1.3 Server Configuration on page 124).

Turn Tracing On
1. In the Server Configuration page of the Administration Console click Edit.
2. Under the option Show trace on the console select Yes.
3. Click Save.

Turn Tracing Off
1. In the Server Configuration page of the Administration Console click Edit.
2. Under the option Show trace on the console select No.
3. Click Save.

SECUDE Secure Login Server can generate a large amount of trace output. For test systems it is recommended to enable tracing. For production systems it is recommended to disable tracing, as it might result in unnecessary log files and impede performance.

7.4 SECUDE Secure Login Server Lock and Unlock

Introduction
The SECUDE Secure Login Server locks itself when it detects a serious problem, such as an Authentication Server failure, that affects all Clients.

Lock Files
SECUDE Secure Login uses the following files to lock the Server or a Server instance:

PseServer.lock
This file is used to lock the complete Server. The Server lock is only applied if the Configuration.properties file cannot be read. The LockDir property in the web.xml file determines where the Server lock is written.

<Server Instance>.lock
If the Configuration.properties file can be read by Secure Login and a lock becomes necessary, Secure Login creates an instance-based lock. The directory for the instance-based lock is specified by the property LockDir in Configuration.properties; LockDir in web.xml works as a fallback. The filename of the instance lock file is built from the following parameters:
- LOCK_FILE_PREFIX = "PseInstance";
- LOCK_FILE_SUFFIX = ".lock";
Two lock files are created from these parameters: a normal lock file that includes the instance ID, and a fallback lock file, for example:
- PseInstance001.lock
- PseInstanceDefault.lock

What happens when the Server Locks?
If a SECUDE Secure Login Server lock occurs:
- The lock file PseServer.lock / <ServerInstance>.lock is created (it also contains the time of its creation). The location of the lock file can be configured in the web.xml file via the LockDir parameter.
- The SECUDE Secure Login Server responds to SECUDE Secure Login Client requests with the HTTP status code 404. This indicates that the Server is not available.
- The Client fails over to the next Server/instance in the Server list.
- The Administration Console Status page contains an entry that indicates that the Server is locked (see section 7.9 on page 219).

Unlock the Server
Use the unlock functionality of the Administration Console (see section 6.1 on page 119). It is not necessary to shut down the Server to perform this task.

7.5 Setting the Correct Environment Variables for SAP ID-Based Logon

Introduction
The information in this section applies to SAP ID-based logon only. The variables USER, HOME or CREDDIR have no relevance, in terms of environment variables, for SECUDE Secure Login Server 5.0. Furthermore, NetWeaver Application Server Java (regardless of platform) is excluded, because the environment variables described below are exclusively for SAP JCO. In any case, with NetWeaver the JCO libraries are already available system-wide (for Windows this means that the JCO libraries sapjcorfc.dll and librfc32.dll are located in the directory windows\system32). If JCO has been manually set as a system-wide variable (not via the Secure Login Administration Console), this also bypasses all Secure Login components; the environment variables are then no longer needed (i.e. there is no need to perform the steps in this section).

Variables
For SECUDE Signon&Secure to make a successful SNC connection for SAP ID-based authentication, the correct credentials/variables are needed. According to platform these are:
Linux/Solaris: LD_LIBRARY_PATH
Windows: PATH
Both of these should point to the SSS (Signon&Secure) directory within the Secure Login Web application. They should be set either system-wide or in the start script of the Application Server/Container Engine; a value set only in an interactive shell applies to processes started from that shell and is lost when it is closed. Follow these steps to set the correct environment variables for SECUDE Signon&Secure (according to platform):

Linux/Solaris
1. Enter the following command in a shell to append the SSS directory to LD_LIBRARY_PATH (Tomcat 5 layout as an example):
   export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/lib/tomcat5/webapps/securelogin/WEB-INF/SSS
2. To check if it was successful, open the Administration Console and navigate to the node Server Configuration>System Check. Under the SAP ID Check header the SECUDE SNC runtime entry should read as OK.

Windows
Using Tomcat 5.x as an example, enter the following command in a command shell to append the SSS directory to PATH:
   set PATH=%PATH%;<Tomcat home>\webapps\securelogin\WEB-INF\SSS
As an alternative you can use the following method to set the variable:
1. Open Control Panel>System.
2. Click the Advanced tab.
3. Click Environment Variables.
4. Under the System Variables heading select PATH and click Edit (click New and enter PATH as Variable Name only if no PATH variable exists yet).
5. Append ;<application Server Web-app directory>\securelogin\WEB-INF\SSS to the existing Variable Value. For example: ;<Tomcat home>\webapps\securelogin\WEB-INF\SSS
6. Click OK.
7. If the application Server is running, restart it.
8. To check if it was successful, open the Administration Console and navigate to the node Server Configuration>System Check. Under the SAP ID Check header the SECUDE SNC runtime entry should read as OK.

7.6 Problems with the Client URL

Problem
The URL entered by the Client returns the error Internal Server Error. This is the intended error message to indicate an invalid Server instance (in a multiple instance environment) or other Server problems.

Solution
The first thing to check is that the Secure Login URL points to the correct Server instance. It is likely that the instance referred to in the URL is invalid. For example:
http://myServer.local/securelogin/PseServer?id=0001
For details about how to alter the URL see section 6.3.3.2 on page 187.

7.7 Implement an SSL.PSE-Based TrustStore for HTTPS

Problem
You want to use an SSL.PSE-based TrustStore for HTTPS instead of the Microsoft CAPI TrustStore.

Prerequisites
Knowledge of the SECUDE shell (secude.exe). The secude.exe is available only as part of the Signon&Secure package. For further information contact SECUDE support.
Make sure that you have already performed the following procedure on the certificate before starting the solution below:
1. Import the root certificate using the Administration Console as a *.crt file. The certificate will be stored in a PEM-encoded format.
2. Open the file in an editor and remove the first and last line of the file: -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- respectively. Save the file.
3. Open a SECUDE shell and enter the following command to convert the base64 encoded contents of the file into a binary (DER) file:
   secude decode <path where the file is located>\ROOT_CA.crt root.der

Solution
Follow these steps to enable an SSL.PSE-based TrustStore for HTTPS:
1. Create a PSE (Personal Security Environment) and name it ssl.pse. To do this, open a SECUDE shell and enter the following command:
   secude psecrt p ssl.pse "CN=dummy"
   The DName (Distinguished Name) used for this is irrelevant. The example here uses CN=dummy. Enter the PIN 1234 twice (this value is mandatory). After a short period of time the PSE file ssl.pse will be generated and saved to your Signon&Secure directory.
2. The resulting PSE must be changed by importing the root certificate. Enter the following commands in the SECUDE shell (press Return after each line and replace the placeholders as described below):
   > secude psemaint p ssl.pse
   <Enter the PIN>
   > import xxx <path where the file is located>\root.der
   > cert2pkroot xxx PKRoot
   > yes (to overwrite the old PKRoot)
   > delete xxx
   > q
   The first command opens the SECUDE shell in which the other commands are entered. The xxx is an alias; replace it with a specific name of your choice. The command q closes the command prompt.
3. Copy the ssl.pse file to the Secure Login Client in the directory C:\Program Files\SECUDE\OfficeSecurity\. This file can be distributed with the Secure Login Client installation, via the customer folder. Because ssl.pse defines which root the Client trusts for HTTPS, protect it against modification in the same way as the Client installation itself.
4. Open the Windows Registry Editor and create the following registry value (REG_DWORD):
   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\SecureLogin\System]
   "useSslPse"=dword:00000001
5. Restart the SECUDE securelogin COM Service (the Microsoft ADS profile will be missing) or reboot the computer.

7.8 Access Denied Replies

Problem
The Secure Login Server is returning a large number of "access denied" replies to the Secure Login Client during heavy load.

Target OS
Windows Server

Explanation
After a TCP/IP socket has been used for communication and the connection has been closed, the OS keeps the socket (in the TIME_WAIT state) for some time before it releases it for its next use. Under heavy load the supply of usable sockets runs out. This means that the parameter TcpTimedWaitDelay is set too high and must be changed. For further information refer to the following Microsoft page:
http://technet2.microsoft.com/windowsServer/en/library/38b8bf76-b7d3-473c-84e8-e657c0c619d11033.mspx

Solution
Open regedit and locate the parameter TcpTimedWaitDelay (REG_DWORD, value in seconds) under:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the value for TcpTimedWaitDelay to 30 seconds. If the value does not exist, create it. The change takes effect after a restart of the Server.

7.9 Why the Secure Login Instance/Server is Locked

Problem
The Secure Login instance/Server is locked.

Target OS
All

Explanation/Solution
The Server may be locked because:
- The configuration.properties file cannot be read. Solution: Check the integrity and path of the configuration.properties file.
- The parameter LockServerOnEventLogFailure is set to true and
  - the hard disk is full. Solution: Increase the hard disk capacity/delete unnecessary files.
  - the file permissions are incorrect. Solution: Check the file permissions of the user under which the Secure Login Server processes run.
  - the log folder does not exist. Solution: Re-define/check the log settings in the Administration Console (section 6.3.4.2 on page 195).

The Server instance may be locked because:
- The ArchivingDir property is set to a non-existent directory. Solution: Check the log settings in the Administration Console (section 6.3.4.2 on page 195).
- The User CA PSE cannot be opened by the Secure Login Server. Solution: Check the validity and integrity of the certificate authority PSE file.
- The configuration.properties file cannot be read. Solution: Check the integrity and path of the configuration.properties file.
- The parameter LockInstanceOnTransactionLogFailure is set to true and
  - the hard disk is full. Solution: Increase the hard disk capacity/delete unnecessary files.
  - the file permissions are incorrect. Solution: Check the file permissions of the user under which the Secure Login Server processes run.
  - the log folder does not exist. Solution: Re-define/check the log settings in the Administration Console (section 6.3.4.2 on page 195).

Under heavy load the Server may lock because the user has a limitation on the maximum number of files they can have open at the same time. Solution: Check the Secure Login Server event log for a java.io exception stating "too many open files". If present, Secure Login was not allowed to open log files for writing, resulting in the lock state. Allow the user that starts/owns the Secure Login Server process to open more files than the default limit configured in the system (for example via limits.conf on Linux).
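The causes listed above are all conditions that can be checked on the Server host before an instance locks, or immediately afterwards to find out why. The script below is an added example and is not part of the SECUDE manual or product. It reads Configuration.properties with a minimal Java-properties reader and reports which of the listed conditions holds: an unreadable configuration file, a missing or unwritable log directory, a missing ArchivingDir, low free disk space under the log directory, and a low open-file limit for the current user. Assumptions beyond the page: that the log directory is stored under a property named LogDir (the real key is set in section 6.3.4.2 and may differ), the free-space and open-file thresholds, and the throwaway directory layout that demo() constructs for demonstration.

```python
"""Pre-flight check for the lock causes listed in section 7.9 (added example)."""
import os
import shutil


def read_properties(path):
    """Minimal Java .properties reader: key=value or key: value, '#'/'!' comments.
    Escapes and line continuations are not handled; enough for the keys used here."""
    props = {}
    with open(path, "r", encoding="latin-1") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#!":
                continue
            for sep in ("=", ":"):
                if sep in line:
                    key, _, value = line.partition(sep)
                    props[key.strip()] = value.strip()
                    break
    return props


def _uid():
    return getattr(os, "getuid", lambda: "?")()


def dir_problems(label, path):
    """Problems for a directory the Server process must be able to write to."""
    if not path:
        return ["%s is not set" % label]
    if not os.path.isdir(path):
        return ["%s %r does not exist" % (label, path)]
    if not os.access(path, os.W_OK):
        return ["%s %r is not writable by uid %s" % (label, path, _uid())]
    return []


def disk_problems(path, min_free_mb):
    """'Hard disk is full' check for the filesystem holding the log directory."""
    if not path or not os.path.isdir(path):
        return []
    free_mb = shutil.disk_usage(path).free // (1024 * 1024)
    return ["only %d MB free under %r" % (free_mb, path)] if free_mb < min_free_mb else []


def open_file_limit_problems(min_soft):
    """A low RLIMIT_NOFILE is what produces 'too many open files' under load (Unix only)."""
    try:
        import resource
    except ImportError:
        return []
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    return ["open-file soft limit %d is below %d" % (soft, min_soft)] if soft < min_soft else []


def check_lock_causes(config_path, min_free_mb=100, min_open_files=4096):
    """Return human-readable findings; an empty list means none of the listed causes holds."""
    try:
        props = read_properties(config_path)
    except OSError as exc:
        # An unreadable configuration locks the whole Server; nothing else can be checked.
        return ["Configuration.properties unreadable: %s" % exc]
    findings = []
    lock_on_log_failure = any(
        props.get(key, "").lower() == "true"
        for key in ("LockServerOnEventLogFailure", "LockInstanceOnTransactionLogFailure"))
    log_dir = props.get("LogDir")                      # assumed property name
    if lock_on_log_failure:
        findings += dir_problems("log directory", log_dir)
        findings += disk_problems(log_dir, min_free_mb)
    if "ArchivingDir" in props:
        findings += dir_problems("ArchivingDir", props["ArchivingDir"])
    findings += open_file_limit_problems(min_open_files)
    return findings


def demo():
    """Build a throwaway layout (constructed) in which ArchivingDir points nowhere,
    run the check with the environment-dependent thresholds disabled, return the findings."""
    import tempfile
    base = tempfile.mkdtemp(prefix="sls-lock-check-")
    try:
        log_dir = os.path.join(base, "log")
        os.mkdir(log_dir)
        cfg = os.path.join(base, "Configuration.properties")
        with open(cfg, "w") as fh:
            fh.write("# constructed sample configuration\n")
            fh.write("LockInstanceOnTransactionLogFailure=true\n")
            fh.write("LogDir=%s\n" % log_dir)
            fh.write("ArchivingDir=%s\n" % os.path.join(base, "missing"))
        return check_lock_causes(cfg, min_free_mb=0, min_open_files=0)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    import sys
    findings = check_lock_causes(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("\n".join(findings) if findings else "no lock cause found")
```

Run the script as the same user that owns the Secure Login Server process, since both the writability check and the open-file limit depend on that identity; run as root or Administrator it will report a clean state for a directory the service user cannot write.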

7.10 Password Expiry Warnings on Sun LDAP (1)

Problem
A password expiration warning is shown regardless of the password policy setting on Sun LDAP.

Affected Systems
Sun ONE Directory Server v5.2
Sun Java System Directory Server v5.2
Sun Java System Directory Server v6.0

Explanation
When the LDAP attribute passwordExpirationTime was set (for example, via a password policy that was later removed), the attribute still exists and causes useless expiry messages in the Secure Login Client, such as:
Attention: Your password will expire on 12.07.2004 (expiry date in the past)

Solution
This is a problem caused by the directory Server and not by Secure Login Server. Please refer to the Sun Directory Server release notes for details. The warning stops once the stale passwordExpirationTime attribute has been removed from the affected user entries in the directory.

7.11 Password Expiry Warnings on Sun LDAP (2)

Problem
A password expiry message is displayed on the Secure Login Client, even though Sun ONE LDAP is configured so that the password does not expire.

Affected Systems
Sun ONE Directory Server v5.2
Sun Java System Directory Server v5.2
Sun Java System Directory Server v6.0

Explanation
This is a Sun ONE password policy problem, due to an enabled password policy No5.

Solution
Please refer to the Sun ONE Directory Server release notes for details.

7.12 Secure Login Server Cannot Establish an SNC Connection to the SAP Server

Problem
The Secure Login Server cannot establish an SNC connection to the SAP Server.

Explanation/Solution
This may be due to the following:
- The Secure Login Server SNC PSE is not valid: there will be no working SNC connection (the JCO trace reads only "SNC connection cannot be established, empty answer").
- The credentials cannot be found: there will be no working SNC connection (the JCO trace says only "No credentials supplied").
- The Ticket.snc file cannot be found: if the ticket is not installed correctly or cannot be found by the SECUDE Signon&Secure/SECUDE library, no error log output may appear at all and connections to the backend just stop. If Tomcat is used as the container engine, the Tomcat process may even be terminated when the ticket cannot be found but SAP-ID logon is used.
- The SNC name of the Server is incorrect: in the SAP Logon Client software the Server SNC name is equal to the SNCServerName parameter in the Secure Login Server SAP-ID module. This parameter value has to correspond with the DN of the PSE on the SAP Server.
- The SNC names of users are incorrect: the SNC name of SAP users (see SAP transaction SU01) must correspond with the DN of the user certificates coming from the Secure Login Server. The user for the SLS (e.g. SLSSNC) must also have an SNC name which corresponds with the DN in SLSSNC's PSE (this PSE can be generated in the Administration Console; it is called the JCO PSE and is used by the Secure Login Server for the SNC connection to the SAP Server).

A valid SNC Server connection requires a valid PSE from the Server PKI (e.g. the user certificate must be from the same root). A valid SNC user connection requires a valid certificate of the Server PKI and a registered user account at the SAP Server. The Secure Login Server SAP-ID module uses the user account credentials at the SAP Server for JAAS authentication; the SAP Server uses the DN of the user certificate as the SNC name of the corresponding SAP account to verify the user.

7.13 Administration Console Pages Appear Broken

Problem
The Administration Console pages have an odd appearance or appear to be broken. This may include, but is not limited to:
- Missing icons
- Missing items in combo-boxes
- Buttons that do not work, for example the Start button of the initialization wizard batch creation page or the Upload button in the Web Client platform configuration.

Explanation/Solution
The most likely cause for Administration Console pages that have an odd appearance (especially during the initialization wizard) is that a previous version of Secure Login Server has been removed from the same Tomcat Server but the Tomcat JSP cache has not been removed or has not been automatically updated. The solution to this problem is:
1. Stop Tomcat.
2. Delete all old securelogin folders from the webapps directory.
3. Delete the Tomcat cache directory: <Tomcat ROOT>/work
4. Restart Tomcat.
The Administration Console pages should now be OK.

7.14 Problem Loading the GSS Library (SAP-ID Module)

Problem
Problems occur when configuring the SAP-ID module, so that no Server connection exists. In the Application Server trace SNC errors appear, as in the following examples:

[Thr 168] Fri Jul 18 09:34:33 2008
[Thr 168] *** ERROR => SncPDLInit(): DlLoadLib("<PATH>\secude.dll")=DLEINVAL [sncxxdl.0340]
[Thr 168] *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) <PATH>\secude.dll not loaded [sncxxdl.0604]
Exception in thread "main" com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to SAP gateway failed
Connect_PM  GWHOST=000, GWSERV=sapgw00, SYSNR=00
LOCATION    CPIC (TCP/IP) on local host
ERROR       SNCERR_INIT
            Resource problem or gssapi library invalid/missing
            sec_avail="false"
TIME        Fri Jul 18 09:34:33 2008
RELEASE     710
COMPONENT   SNC (Secure Network Communication)
VERSION     5
RC          -1
MODULE      sncxx.c
DETAIL      SncInit
COUNTER     2

Or:

[Thr 5008] Fri Jul 18 09:42:10 2008
[Thr 5008] *** ERROR => SncPDLInit(): DlLoadLib("<PATH>\secude.dll")=DLEINVAL [sncxxdl.0340]
[Thr 5008] *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) <PATH>\secude.dll not loaded [sncxxdl.0604]
Exception in thread "main" com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to SAP gateway failed
Connect_PM  GWHOST=000, GWSERV=sapgw00, SYSNR=00
LOCATION    CPIC (TCP/IP) on local host
ERROR       Unable to load the GSS-API DLL named "<PATH>\secude.dll"
TIME        Fri Jul 18 09:42:10 2008
RELEASE     710
COMPONENT   SNC (Secure Network Communication)
VERSION     5
RC          -1
MODULE      sncxxdl.c

Explanation/Solution
Possible causes and solutions:
- The SECUDE SNC library does not exist at the given path. Solution: Locate the SECUDE SNC library and move it to the correct directory.
- The SECUDE SNC library is incorrect for this platform (i.e. 32-bit vs. 64-bit, C runtime version, etc.). Solution: Delete the incorrect components, locate the SECUDE SNC library suitable for the Server environment and move it to the correct directory.
- If the above causes do not apply, the problem may be the length of the path (i.e. the number of characters) to the SECUDE SNC library. This is a limitation of JCO: JCO is not capable of loading the GSS library when the length of the path is more than 100 characters. Solution: Move the SSS package as well as the SECUDE library to a directory with a shorter path, and configure the SAP-ID module accordingly (NativeLibraryPath).

7.15 Blank Page when Logging into the Secure Login Administration Console

Problem
When logging into the Secure Login Administration Console the GUI does not appear; only a blank page appears. The following example error appears in the defaulttrace of the NetWeaver Application Server (one trace record per line):

#1.5#001AA00E3F65004E0000028E0000111C00045224BE3B94F3#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###java.lang.NullPointerException#
#1.5#001AA00E3F65004E0000028F0000111C00045224BE3B982E#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.web.framework.login.impl.UserManager.getUserById(UserManager.java:52)#
#1.5#001AA00E3F65004E000002900000111C00045224BE3B98A5#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.util.AdminAccount.canLogin(AdminAccount.java:178)#
#1.5#001AA00E3F65004E000002910000111C00045224BE3B9916#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.adminui.AdminAccountHandler.tryLogin(AdminAccountHandler.java:162)#
#1.5#001AA00E3F65004E000002920000111C00045224BE3B9986#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.adminui.AdminAccountHandler.process(AdminAccountHandler.java:63)#
#1.5#001AA00E3F65004E000002930000111C00045224BE3B99F7#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.adminui.NavigationServlet.process(NavigationServlet.java:170)#
#1.5#001AA00E3F65004E000002940000111C00045224BE3B9A67#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.adminui.NavigationServlet.doPost(NavigationServlet.java:89)#
#1.5#001AA00E3F65004E000002950000111C00045224BE3B9AD8#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)#
#1.5#001AA00E3F65004E000002960000111C00045224BE3B9B45#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)#
#1.5#001AA00E3F65004E000002970000111C00045224BE3B9BB3#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)#
#1.5#001AA00E3F65004E000002980000111C00045224BE3B9C23#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)#
#1.5#001AA00E3F65004E000002990000111C00045224BE3B9C95#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.secude.transfair.pepperbox.util.ConsoleFilter.doFilter(ConsoleFilter.java:29)#
#1.5#001AA00E3F65004E0000029A0000111C00045224BE3B9D04#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)#
#1.5#001AA00E3F65004E0000029B0000111C00045224BE3B9D75#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:373)#
#1.5#001AA00E3F65004E0000029C0000111C00045224BE3B9DF5#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)#
#1.5#001AA00E3F65004E0000029D0000111C00045224BE3B9E67#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)#
#1.5#001AA00E3F65004E0000029E0000111C00045224BE3B9ED8#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)#
#1.5#001AA00E3F65004E0000029F0000111C00045224BE3B9F49#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)#
#1.5#001AA00E3F65004E000002A00000111C00045224BE3B9FBB#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)#
#1.5#001AA00E3F65004E000002A10000111C00045224BE3BA02B#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)#
#1.5#001AA00E3F65004E000002A20000111C00045224BE3BA09A#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)#
#1.5#001AA00E3F65004E000002A30000111C00045224BE3BA109#1216217670546#System.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.core.service630.context.cluster.session.
ApplicationSessionMessageListener.process(ApplicationSessionMessageListen er.java:33)# #1.5#001AA00E3F65004E000002A40000111C00045224BE3BA17F#1216217670546#Syste m.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application _Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.core.cluster.impl6.session.MessageRunner.run (MessageRunner.java:41)# #1.5#001AA00E3F65004E000002A50000111C00045224BE3BA1EE#1216217670546#Syste m.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application _Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.core.thread.impl3.ActionObject.run (ActionObject.java:37)# #1.5#001AA00E3F65004E000002A60000111C00045224BE3BA262#1216217670562#Syste m.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application _Thread[impl:3]_8##0#0#Error##Plain###at java.security.AccessController.doPrivileged(Native Method)# #1.5#001AA00E3F65004E000002A70000111C00045224BE3BA2D1#1216217670562#Syste m.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application _Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.core.thread.impl3.SingleThread.execute 224

SECUDE Secure Login 5.1 Installation, Administration and Usage Manual (SingleThread.java:100)# #1.5#001AA00E3F65004E000002A80000111C00045224BE3BA33F#1216217670562#Syste m.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application _Thread[impl:3]_8##0#0#Error##Plain###at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)# #1.5#001AA00E3F65004E000002A90000111C00045224BE3BB6B7#1216217670562#Syste m.err#secude.com/SecureLogin#System.err#Guest#0#####SAPEngine_Application _Thread[impl:3]_8##0#0#Error##Plain###com.sap.engine.services.servlets_js p.Server.exceptions.WebServletException: Error in JSP.at com.sap.engine.services.servlets_jsp.Server.jsp. PageContextImpl.handleErrorPage(PageContextImpl.java:707) at com.sap.engine.services.servlets_jsp.Server.jsp.PageContextImpl. handlePageException(PageContextImpl.java:702) at jsp_ErrorPage_11216120837756._jspService(jsp_ErrorPage_11216120837756.jav a:65535) at com.sap.engine.services.servlets_jsp.Server.jsp.JspBase.service(JspBase.j ava:112) at com.sap.engine.services.servlets_jsp.Server.servlet.JSPServlet.service (JSPServlet.java:544) at com.sap.engine.services.servlets_jsp.Server.servlet.JSPServlet.service (JSPServlet.java:186) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.Server.runtime.RequestDispatcherImpl . doWork(RequestDispatcherImpl.java:321) at com.sap.engine.services.servlets_jsp.Server.runtime.RequestDispatcherImpl . forward(RequestDispatcherImpl.java:377) at com.secude.transfair.pepperbox.adminui.ErrorHandler.process(ErrorHandler. 
java:27) at com.secude.transfair.pepperbox.adminui.NavigationServlet.process (NavigationServlet.java:179) at com.secude.transfair.pepperbox.adminui.NavigationServlet.doPost (NavigationServlet.java:89) at javax.servlet.http.HttpServlet.service(HttpServlet.java:760) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.Server.runtime.FilterChainImpl.runSe rvlet (FilterChainImpl.java:117) at com.sap.engine.services.servlets_jsp.Server.runtime.FilterChainImpl.doFil ter (FilterChainImpl.java:62) at com.secude.transfair.pepperbox.util.ConsoleFilter.doFilter(ConsoleFilter. java:29) at com.sap.engine.services.servlets_jsp.Server.runtime.FilterChainImpl.doFil ter (FilterChainImpl.java:58) at com.sap.engine.services.servlets_jsp.Server.HttpHandlerImpl.runServlet (HttpHandlerImpl.java:373) at com.sap.engine.services.servlets_jsp.Server.HttpHandlerImpl.handleRequest (HttpHandlerImpl.java:264) at com.sap.engine.services.httpServer.Server.RequestAnalizer.startServlet (RequestAnalizer.java:347) at com.sap.engine.services.httpServer.Server.RequestAnalizer.startServlet (RequestAnalizer.java:325) at com.sap.engine.services.httpServer.Server.RequestAnalizer.invokeWebContai ner (RequestAnalizer.java:887) at com.sap.engine.services.httpServer.Server.RequestAnalizer.handle 225

SECUDE Secure Login 5.1 Installation, Administration and Usage Manual (RequestAnalizer.java:241) at com.sap.engine.services.httpServer.Server.Client.handle(Client.java:92) at com.sap.engine.services.httpServer.Server.Processor.request(Processor.jav a:148) at com.sap.engine.core.service630.context.cluster.session. ApplicationSessionMessageListener.process(ApplicationSessionMessageListen er.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run (MessageRunner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(Native Method) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:1 00) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170) Caused by: com.sap.engine.services.servlets_jsp.Server.exceptions.WebServletExceptio n: Error in JSP. at com.sap.engine.services.servlets_jsp.Server.jsp.PageContextImpl.handleErr orPage (PageContextImpl.java:744) at com.sap.engine.services.servlets_jsp.Server.jsp.PageContextImpl. handlePageException(PageContextImpl.java:702) at jsp_top1216110529928._jspService(jsp_top1216110529928.java:65535) at com.sap.engine.services.servlets_jsp.Server.jsp.JspBase.service(JspBase.j ava:112) at com.sap.engine.services.servlets_jsp.Server.servlet.JSPServlet.service (JSPServlet.java:544) at com.sap.engine.services.servlets_jsp.Server.servlet.JSPServlet.service (JSPServlet.java:186) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.Server.runtime.RequestDispatcherImpl . doWork(RequestDispatcherImpl.java:321) at com.sap.engine.services.servlets_jsp.Server.runtime.RequestDispatcherImpl .include (RequestDispatcherImpl.java:473) at com.sap.engine.services.servlets_jsp.Server.jsp.PageContextImpl.include (PageContextImpl.java:165) at jsp_ErrorPage_11216120837756._jspService(jsp_ErrorPage_11216120837756.jav a:10) ... 
29 more Caused by: com.sap.engine.services.servlets_jsp.Server.exceptions.WebIllegalStateExc eption: The stream has already been committed. at com.sap.engine.services.servlets_jsp.Server.runtime.Client.HttpServletRes ponseFacade.sendRedirect(HttpServletResponseFacade.java:997) at jsp_top1216110529928._jspService(jsp_top1216110529928.java:11)

... 37 more Effected Systems Explanation/ Solution NetWeaver Application Server only. There is no current workaround for this sporadic problem. To solve the problem re-deploy Secure Login to NetWeaver.


7.16 Users Cannot be Successfully Authenticated to any JAAS Module

Problem: After Secure Login has been successfully deployed to NetWeaver, no user can authenticate successfully to any JAAS module. The following example error appears in the files security_*.log and default_*.trc of the NetWeaver AS Java:
#1.5#001AA02C2EA0002B000003A80000039800897B2BD532EEFC#1216364672406#System.err#secude.com/SecureLogin#System.err#Guest#2464####c59e8c80549711ddb8f5001aa02c2ea0#HTTP Worker [1]##0#0#Error##Plain###com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:177)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:216)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at com.secude.transfair.pepperbox.JaasRsaRadiusAuthenticationManager.authenticate(JaasRsaRadiusAuthenticationManager.java:186)
    at com.secude.transfair.pepperbox.ServerMessageHandler.handleAuthAction(ServerMessageHandler.java:889)
    at com.secude.transfair.pepperbox.ServerMessageHandler.handleInMessage(ServerMessageHandler.java:223)
    at com.secude.transfair.framework.LocalTFManager.handleInMessage(LocalTFManager.java:211)
    at com.secude.transfair.pepperbox.SlsKernel.doSls(SlsKernel.java:360)
    at com.secude.transfair.pepperbox.StandardServlet.doPost(StandardServlet.java:155)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:66)
    at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:32)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:431)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:289)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:376)
    at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:85)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71)
    at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:160)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71)
    at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:67)
    at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71)
    at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
    at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71)
    at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71)
    at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71)
    at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:309)
    at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.run(Processor.java:222)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:152)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:247)
Caused by: javax.security.auth.login.LoginException: Error: Callback com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4 not supported.
    at com.secude.transfair.pepperbox.LdapJaasModule.login(LdapJaasModule.java:208)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:220)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
Error: Callback com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4 not supported.null#

Affected Systems: NetWeaver.

Explanation/Solution: This problem occurs especially when updating the complete Secure Login Server EAR package while an existing Secure Login installation already uses the AS Java on the server. The cause to look for is the entry Error: Callback com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4 not supported. at the end of the example above; it usually appears as the last line in the stack trace. Unfortunately you must completely restart the Application Server Java; a restart of the Secure Login application alone will not help. There is currently no other workaround.
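The manual's advice is to look for the last cause in a very long record. The following script is an added example (not part of the SECUDE manual or product) that splits a security_*.log / default_*.trc dump into the '#'-delimited records shown above and reports the innermost "Caused by:" line of every Error record. The field positions are the ones observed in the records quoted in this manual, and the sample record is a shortened, constructed one.

```python
"""Root-cause extraction for SAP NetWeaver AS Java log records.

Added example, not part of the SECUDE manual or product. Field positions
are taken from the records quoted in this manual; SAMPLE_LOG is constructed.
"""
import re
from datetime import datetime, timezone

# Each record begins with the format version "#1.5#", so a record boundary
# is a line that starts with it (messages themselves start with a tab or text).
RECORD_START = re.compile(r"(?m)^(?=#1\.5#)")

# Zero-based field positions after splitting a record on '#'
# (position 0 is the empty string in front of the leading '#').
FIELD_ID, FIELD_TIMESTAMP, FIELD_APPLICATION = 2, 3, 5
FIELD_USER, FIELD_THREAD, FIELD_SEVERITY, FIELD_MESSAGE = 7, 13, 17, 22

# Constructed sample: one Error record with a shortened stack trace and one
# Info record. Record ids and the session id are zero placeholders.
SAMPLE_LOG = (
    "#1.5#" + "0" * 48 + "#1216364672406#System.err#secude.com/SecureLogin#"
    "System.err#Guest#2464####" + "0" * 32 + "#HTTP Worker [1]##0#0#Error##Plain###"
    "com.sap.engine.services.security.exceptions.BaseLoginException: "
    "Cannot authenticate the user.\n"
    "\tat com.sap.engine.services.security.login.ModulesProcessAction.run"
    "(ModulesProcessAction.java:177)\n"
    "\tat javax.security.auth.login.LoginContext.login(LoginContext.java:579)\n"
    "Caused by: javax.security.auth.login.LoginException: Error: Callback "
    "com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4 not supported.\n"
    "\tat com.secude.transfair.pepperbox.LdapJaasModule.login(LdapJaasModule.java:208)\n"
    "Error: Callback com.secude.transfair.pepperbox.RsaRadiusChallengeCallback@1dc98d4"
    " not supported.null#\n"
    "#1.5#" + "0" * 47 + "1#1216364672500#System.err#secude.com/SecureLogin#"
    "System.err#Guest#2464####" + "0" * 32 + "#HTTP Worker [1]##0#0#Info##Plain###"
    "Secure Login Server started#\n"
)


def parse_records(text):
    """Split a log dump into records and pick out the fields named above.

    Returns a list of dicts; incomplete fragments (fewer than 23 fields) are
    skipped rather than mis-parsed.
    """
    records = []
    for chunk in RECORD_START.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        # Split at most 22 times so '#' characters inside the message survive.
        parts = chunk.split("#", FIELD_MESSAGE)
        if len(parts) <= FIELD_MESSAGE:
            continue
        message = parts[FIELD_MESSAGE]
        if message.endswith("#"):
            message = message[:-1]  # closing delimiter of the record
        millis = int(parts[FIELD_TIMESTAMP])  # epoch milliseconds
        records.append({
            "id": parts[FIELD_ID],
            "time": datetime.fromtimestamp(millis / 1000, tz=timezone.utc),
            "application": parts[FIELD_APPLICATION],
            "user": parts[FIELD_USER],
            "thread": parts[FIELD_THREAD],
            "severity": parts[FIELD_SEVERITY],
            "message": message,
        })
    return records


def root_cause(message):
    """Innermost 'Caused by:' line of a stack trace, or its first line if the
    trace has no cause chain."""
    lines = [ln.strip() for ln in message.splitlines() if ln.strip()]
    causes = [ln for ln in lines if ln.startswith("Caused by:")]
    return causes[-1] if causes else lines[0]


def error_root_causes(text):
    """One (ISO time, application, root cause) tuple per Error record."""
    return [(r["time"].isoformat(), r["application"], root_cause(r["message"]))
            for r in parse_records(text) if r["severity"] == "Error"]


if __name__ == "__main__":
    for when, app, cause in error_root_causes(SAMPLE_LOG):
        print(f"{when}  {app}\n    {cause}")
```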


7.17 Enable Remote Access to Initialize and Configure Secure Login Server

Problem: After installing Secure Login Server, the initialization/configuration cannot be performed from a remote location (only directly on the server).

Affected Systems: All.

Explanation/Solution: For reasons of security, the Secure Login Server component can only be initialized via the Administration Console, and only when the console is called from the same server computer on which Secure Login resides (see section 3.6 on page 54). If, however, you want to perform the initialization and configuration from a remote location, you must manually enable this feature by editing the Secure Login web.xml file directly on the application server:

1. Locate the web.xml file in your application server web application directory: securelogin\WEB-INF\web.xml
2. Open the web.xml file in an editor.
3. Locate the following section:

   <servlet-name>Navigation</servlet-name>
   <servlet-class>com.secude.transfair.pepperbox.adminui.NavigationServlet</servlet-class>
   <init-param>
     <param-name>remoteAccess</param-name>
     <param-value>false</param-value>
   </init-param>

4. Edit the remoteAccess parameter value (the <param-value>false</param-value> line above) to true.
5. Save the web.xml file.

After you have completed the initialization and configuration of Secure Login Server, it is recommended to reinstate security by changing the remoteAccess parameter value back to false.

7.18 Problems Accessing the Administration Console or the Web Client via Firefox

Problem: Errors are displayed when accessing the Administration Console or the Web Client using Mozilla Firefox (SSL connection).

Affected Systems: The error occurs when a combination of the following components is used:
- Server: Tomcat 5 or 6 (Java 1.4 or above, all platforms) with an SSL connector
- Client: Firefox 2 and 3 (all platforms)
- Secure Login components: Secure Login Administration Console or Web Client

Explanation/Solution: The best workaround for this is to configure the Tomcat SSL connector port accordingly. Tomcat's server.xml file has to be modified as follows to use a fixed list of ciphers only. The following example applies to Tomcat 5 and 5.5:

   <Connector port="8443" minProcessors="5" maxProcessors="75"
              enableLookups="true" disableUploadTimeout="true"
              acceptCount="100" debug="0" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS"
              keystorePass="123456" keystoreFile="C:\SSL_SERVER.p12" keystoreType="PKCS12"
              ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
   />

The solution for Tomcat 6 is the same as above, but it also requires an additional attribute for its SSL connector: set the attribute SSLEnabled to true.
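Both of the edits above (the remoteAccess init-param in section 7.17 and the Tomcat SSL connector in section 7.18) are easy to leave in an unintended state. The following audit script is an added example, not part of the SECUDE manual or product: it reads a deployed web.xml and a Tomcat server.xml with the Python standard library and reports whether remoteAccess is still true and whether each https Connector carries a fixed ciphers list and, on Tomcat 6, SSLEnabled="true". Element, attribute and parameter names are the ones quoted in the manual; the two XML documents are constructed samples. It also flags RC4, single-DES and MD5 suites, which appear in the manual's 2010 list and are no longer considered acceptable.

```python
"""Audit of the web.xml and server.xml settings described in 7.17 and 7.18.

Added example, not part of the SECUDE manual or product. WEB_XML_SAMPLE and
SERVER_XML_SAMPLE are constructed; only the names quoted in the manual are used.
"""
import xml.etree.ElementTree as ET

# Substrings identifying suites that are deprecated today (RC4, single DES, MD5).
WEAK_MARKERS = ("RC4", "_WITH_DES_", "_MD5")

# Constructed web.xml in the state after step 4 of 7.17 (remote access enabled).
WEB_XML_SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet>
    <servlet-name>Navigation</servlet-name>
    <servlet-class>com.secude.transfair.pepperbox.adminui.NavigationServlet</servlet-class>
    <init-param>
      <param-name>remoteAccess</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>"""

# Constructed Tomcat 6 server.xml: 8443 follows the manual but keeps one RC4
# suite, 8444 was never given a ciphers list or SSLEnabled.
SERVER_XML_SAMPLE = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
               keystoreFile="C:\SSL_SERVER.p12" keystorePass="CHANGEME"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5"/>
    <Connector port="8444" scheme="https" secure="true" sslProtocol="TLS"
               keystoreType="PKCS12" keystoreFile="C:\SSL_SERVER.p12"
               keystorePass="CHANGEME"/>
  </Service>
</Server>"""


def _local(tag):
    """Tag name without a namespace such as {http://java.sun.com/xml/ns/j2ee}."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def remote_access_enabled(web_xml):
    """True/False for the Navigation servlet's remoteAccess init-param, or None
    when the servlet or the parameter is not declared (the manual ships false)."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet" or _child_text(servlet, "servlet-name") != "Navigation":
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "remoteAccess":
                return (_child_text(param, "param-value") or "").lower() == "true"
    return None


def audit_ssl_connectors(server_xml, tomcat_major):
    """Return [(port, findings)] for every https Connector in server.xml.
    An empty findings list means the connector matches the manual's workaround."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("scheme") != "https":
            continue
        findings = []
        ciphers = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
        if not ciphers:
            findings.append("no fixed ciphers list")
        findings += ["weak cipher suite: " + c for c in ciphers
                     if any(m in c for m in WEAK_MARKERS)]
        if conn.get("sslProtocol") != "TLS":
            findings.append("sslProtocol is not TLS")
        if tomcat_major >= 6 and conn.get("SSLEnabled", "").lower() != "true":
            findings.append("SSLEnabled is not true")
        results.append((conn.get("port"), findings))
    return results


if __name__ == "__main__":
    if remote_access_enabled(WEB_XML_SAMPLE):
        print("web.xml: remoteAccess is still true; set it back to false")
    for port, findings in audit_ssl_connectors(SERVER_XML_SAMPLE, tomcat_major=6):
        print(f"server.xml connector {port}: {', '.join(findings) or 'ok'}")
```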

7.19 Error Message when viewing Certificate Details using Firefox 3

Problem: An error message appears when using the Administration Console in Firefox 3 to view certificate details.

Affected Systems: All systems using Firefox 3. The Secure Login Administration Console is installed and configured (Certificate).

Explanation: This error occurs when the Firefox password manager is used to store the Administration Console username/password. The error can be reproduced as follows:
1. Start the Administration Console in Firefox 3, enter the username and password, and click Login.
2. Firefox will now prompt you to store the username/password in the Firefox password manager (a prompt bar will appear at the top of the page). Click Remember.
3. The Administration Console will appear as normal.
4. From the main page, go to any Instance Configuration/Certificate Manager.
5. Under Certificate name, select a certificate and click View.
6. The error message Open password is incorrect will appear.

Solution:
1. Open the Firefox menu Tools > Options. The Options dialog will appear.
2. Click the Security tab and then click Saved Passwords. The Saved Passwords dialog will appear.
3. Select the Secure Login Administration Console site or hostname from the list and click Remove. Close the Saved Passwords and Options dialogs.
4. Re-login to the Administration Console. The prompt bar will reappear. Click Never for this site. The Secure Login host will now appear in a list of exceptions (menu Tools > Options > Security tab > Exceptions).


8 Error and Return Codes

Introduction: This chapter details the error codes and return codes, their meaning and possible corrections. In each section, the codes are listed in alphabetical order.

Sections:
Section 8.1 ADS Authentication Errors, on page 232
Section 8.2 RSA Authentication Errors, on page 232
Section 8.3 SAP ID Error Codes and Return Codes, on page 232
Section 8.4 Stacktrace Error Codes, on page 234
Section 8.5 Common Errors, on page 236
Section 8.6 CERT Errors, on page 237
Section 8.7 PSE Errors, on page 237


8.1 ADS Authentication Errors

Error code: JAAS_LDAP_ERROR
Description: Authentication fails due to configuration errors of the JAAS module for ADS or timing problems on the network.
Solution: Make sure that at least one server is specified in the configuration (and is running) and that the server names are specified correctly in the configuration file. If the server is accessed via port 636, make sure that its CA certificate is imported into the keystore of SECUDE Secure Login.

8.2 RSA Authentication Errors

Error code: JAAS_RADIUS_ERROR
Description: Authentication fails due to configuration errors of the JAAS module for RSA/RADIUS or timing problems on the network.
Solution: Make sure that the ACE Server is running.

8.3 SAP ID Error Codes and Return Codes

This section details the return codes for SAP ID-based login, and the error codes caused by the JAAS module.

Contents:
Section 8.3.1 Authentication-based Codes, on page 232
Section 8.3.2 Password Change Related Codes, on page 233
Section 8.3.3 Connectivity Related Codes, on page 233

8.3.1 Authentication-based Codes

Error code: AUTH_RESULT_ACTION_OK_MSG (Return code)
Description: Authentication successful. The AUTH_RESULT_ACTION_OK_MSG defined in the file ServerMsg.properties will be sent to the SECUDE Secure Login Client along with the created certificate.
Solution: -

Error code: AUTH_RESULT_ACTION_DENIED_MSG (Return code)
Description: Authentication denied. The AUTH_RESULT_ACTION_DENIED_MSG variable defined in the file ServerMsg.properties will be sent to the SECUDE Secure Login Client. This message may be combined with the variable $SERVERMSG to present the user with a reason for the denial. The $SERVERMSG variable is an option to forward the raw Authentication Server message to the Secure Login Client. For example:
   Access denied because..$SERVERMSG
The $SERVERMSG variable should only be used with Sun directory servers and SAP-ID. If used with RSA, no messages will be sent by default, and if used with ADS, a cryptic text message will be sent.
Solution: -


8.3.2 Password Change Related Codes

Error code: NEW_PIN_REPLY_ACCEPTED_MSG (Return code)
Description: For a successful password change, the NEW_PIN_REPLY_ACCEPTED_MSG defined in the file ServerMsg.properties will be sent to the SECUDE Secure Login Client.
Solution: -

Error code: NEW_PIN_REPLY_REJECTED_MSG (Return code)
Description: If the SAP server denies the new password, a new password-rejected state will be the result and the NEW_PIN_REPLY_REJECTED_MSG defined in the file ServerMsg.properties will be sent to the SECUDE Secure Login Client. The corresponding trace and error log entry is: Password not conform to password rules, followed by the stacktrace information of the return code.
Solution: -

8.3.3 Connectivity Related Codes

Error/Return code: AUTH_SERVER_TIMEOUT_MSG (Error code)
Description: If the JAAS module cannot establish a connection to the SAP server, a timeout error will be set and the error AUTH_SERVER_TIMEOUT_MSG defined in the file ServerMsg.properties will be sent to the SECUDE Secure Login Client. The corresponding trace and error log entry is: No connection to SAP system can be established, followed by the stacktrace information for this code.
Solution: Possible reasons for this error may be one of the following (no differentiation between the SECUDE Secure Login Server or the Client):
- Unable to establish an SNC connection to the SAP server:
  - SECUDE Secure Login Server SAP user is not properly configured.
  - SECUDE Secure Login Server SAP user does not have the required permissions.
  - Faulty SNC configuration for the SECUDE Secure Login Server.
- Timeout in the network connection.
- SAP server is down.
For a list of stacktrace codes refer to section 8.4 Stacktrace Error Codes on page 234. For a list of common error reasons refer to section 8.5 Common Errors on page 236.


8.4 Stacktrace Error Codes

This section lists the possible SAP exceptions that can be logged in the stacktrace.

Runtime error code: Description
CALL_BACK_ENTRY_NOT_FOUND: The called function module is not released for RFC.
CALL_FUNCTION_DEST_TYPE: The type of the destination is not allowed.
CALL_FUNCTION_NO_SENDER: Current function is not called remotely.
CALL_FUNCTION_DESTINATION_NO_T: Missing communication type (I for internal connection, 3 for ABAP) when executing an asynchronous RFC.
CALL_FUNCTION_NO_DEST: The specified destination does not exist.
CALL_FUNCTION_OPTION_OVERFLOW: Maximum length of options for the destination exceeded.
CALL_FUNCTION_NO_LB_DEST: The specified destination (in load distribution mode) does not exist.
CALL_FUNCTION_NO_RECEIVER: Data received for unknown CPI-C connection.
CALL_FUNCTION_NOT_REMOTE: The function module being called is not flagged as being remotely callable.
CALL_FUNCTION_REMOTE_ERROR: While executing an RFC, an error occurred that has been logged in the calling system.
CALL_FUNCTION_SIGNON_INCOMPL: Logon data for the user is incomplete.
CALL_FUNCTION_SIGNON_INTRUDER: Logon attempt in the form of an internal call in a target system not allowed.
CALL_FUNCTION_SIGNON_INVALID: RFC from external program without valid user ID.
CALL_FUNCTION_SIGNON_REJECTED: Logon attempt in target system without valid user ID. This error code may have any of the following meanings:
  - Incorrect password or invalid user ID.
  - User locked.
  - Too many login attempts.
  - Error in authorization buffer (internal error).
  - No external user check.
  - Invalid user type.
  - Validity period of the user exceeded.
  - No authorization to log on as Trusted System.
CALL_FUNCTION_SINGLE_LOGIN_REJ: The error code may have any of the following meanings:
  - Incorrect logon data for valid security ID.
  - Calling system is not a Trusted System or security ID is invalid.
  - Either the user does not have RFC authorization (authorization object S_RFCACL), or a logon was performed using one of the protected users DDIC or SAP*.
  - Time stamp of the logon data is invalid.
CALL_FUNCTION_SYSCALL_ONLY: RFC without valid user ID only allowed when calling a system function module. The meaning of the error codes is the same as for CALL_FUNCTION_SINGLE_LOGIN_REJ.
CALL_FUNCTION_TABINFO: Data error (info internal table) during an RFC.
CALL_FUNCTION_TABLE_NO_MEMORY: No memory available for table being imported.
CALL_FUNCTION_TASK_IN_USE: For asynchronous RFC only: task name is already being used.
CALL_FUNCTION_TASK_YET_OPEN: For asynchronous RFC only: the specified task is already open.
CALL_FUNCTION_NO_AUTH: No RFC authorization.
CALL_RPERF_SLOGIN_AUTH_ERROR: No trusted authorization for RFC caller and trusted system.
CALL_RPERF_SLOGIN_READ_ERROR: No valid trusted entry for the calling system.
RFC_NO_AUTHORITY: No RFC authorization for user.
CALL_FUNCTION_BACK_REJECTED: Destination BACK is not permitted in current program.
CALL_XMLRFC_BACK_REJECTED: Destination BACK is not permitted in current program.
CALL_FUNCTION_DEST_SCAN: Error while evaluating RFC destination.
CALL_FUNCTION_CONFLICT_TAB_TYP: Type conflict while transferring table.
CALL_FUNCTION_CREATE_TABLE: No memory available for creating a local internal table.
CALL_FUNCTION_UC_STRUCT: Type conflict while transferring structure.
CALL_FUNCTION_DEEP_MISMATCH: Type conflict while transferring structure.
CALL_FUNCTION_WRONG_VALUE_LENG: Invalid data type while transferring parameters.
CALL_FUNCTION_PARAMETER_TYPE: Invalid data type while transferring parameters.
CALL_FUNCTION_ILLEGAL_DATA_TYP: Invalid data type while transferring parameters.
CALL_FUNCTION_ILLEGAL_INT_LEN: Type conflict while transferring an integer.
CALL_FUNCTION_ILL_INT2_LENG: Type conflict while transferring an integer.
CALL_FUNCTION_ILL_FLOAT_FORMAT: Type conflict while transferring a floating point number.
CALL_FUNCTION_ILL_FLOAT_LENG: Type conflict while transferring a floating point number.
CALL_FUNCTION_ILLEGAL_LEAVE: Invalid LEAVE statement on RFC server.
CALL_FUNCTION_OBJECT_SIZE: Type conflict while transferring a reference.
CALL_FUNCTION_ROT_REGISTER: Type conflict while transferring a reference.


8.5 Common Errors

Runtime error: The credentials are not set for the user account the SECUDE Secure Login Server runs in.
Description: SNC is not properly configured on the SECUDE Secure Login Server side.

Runtime error: The credentials are not set for the user account the SAP server runs in.
Description: SNC is not properly configured on the SAP server side.

Runtime error: The user configured on the SAP server for SECUDE Secure Login Server access is not properly configured (for example, not all required profiles are set).
Description: Check the user profile.

Runtime error: The JVM on the SECUDE Secure Login Server cannot load the required libraries (both SECUDE and SAP).
Description: The directory in which the libraries reside is not included in the PATH or the LD_LIBRARY_PATH environment variable of the operating system.

Runtime error: The JVM on the SECUDE Secure Login Server cannot load the required SAP jar library.
Description: The directory in which the sapjco.jar file resides is not included in the CLASSPATH variable for the Java installation.

Runtime error: The sapjco library displays link errors although the shipped libraries are installed in the correct places.
Description: If installed on UNIX/Linux systems, it must be ensured that all of the required libraries are built for the same architecture (all 32-bit or all 64-bit).

How to find out what the Problem is

Enabling trace messages for the SECUDE Secure Login Server in the web.xml file will provide detailed information about possible errors. The SAP library error trace is enabled automatically. The SAP library trace file dev_rfc.trc will be created in the same directory from which the whole SECUDE Secure Login Server process is started. As an example, if the SECUDE Secure Login Server is deployed on Apache Tomcat, the SAP trace files will be created in the /tomcat-installation-path/bin/ directory in which the 236nitiali.bat/sh resides. For details about how to enable tracing refer to the following sections:
- For manual configuration see section 7.3 Turning Tracing On/Off on page 215.
- Via the Administration Console see section 6.1.3 Server Configuration on page 124.
Enabling the SECUDE SNC tracing will provide information about the SNC certificate handshake and the key exchange. If the handshake fails, an additional error trace file will be created. For details about how to enable tracing refer to the SECUDE signon&secure documentation.


8.6 CERT Errors

Error/Return code: CERT_CREATE_ERROR
Description: An error occurred while trying to create a new certificate.
Solution: -

Error/Return code: CERT_INIT_ERROR
Description: An error occurred while accessing the resources needed for this process, i.e. the PSE used.
Solution: Make sure that the configuration file contains the correct name, password, and aliases for the specific PSE. If the SECUDE SDK is used to access the PSE, it is also necessary that the libComSecude.so library is contained in the library path. For hardware PSEs, the PseType in the configuration.properties file has to be set to NativePSE.

8.7 PSE Errors

PSE_ADMIN_ERROR
  Description: An error occurred inside the PSE admin Server.
  Solution: -

PSE_ARCHIVE_ERROR
  Description: This code may be due to insufficient disk space or missing write access when writing or creating the log file.
  Solution: Make sure the application has the access rights to write to, or create, the specified log directory, and that there is enough disk space.

PSE_CREATE_ERROR
  Description: This code can indicate a problem while creating an outgoing message. A possible cause is a missing message-of-the-day or disclaimer message (ClientMotd, ClientDisc) in the configuration file.
  Solution: Make sure that the configuration file contains all mandatory entries.

PSE_HANDLING_ERROR
  Description: An error occurred while handling a Client request.
  Solution: -

PSE_INIT_ERROR
  Description: May be caused when initializing the servlets. This is usually the case when the SECUDE Secure Login configuration could not be read, either because the configuration URL is not set in the configuration file of the servlet engine or because the file could not be found under the specified URL.
  Solution: Make sure the URL is set correctly to the configuration.properties file.

PSE_IO_ERROR
  Description: Occurs when the servlet cannot send its response to the Client due to network problems.
  Solution: Make sure the network is configured correctly and running.

PSE_SERVER_ERROR
  Description: An error occurred with the PSE Server.
  Solution: -

PSE_SERVER_TIMEOUT
  Description: The Client session timed out.
  Solution: Check in the servlet configuration that the timeout value is high enough.


9 Appendix

Introduction

This chapter contains various advanced details an administrator may need to configure Secure Login.

Contents
Section 9.1 Client Policy on page 239
Section 9.2 Configurable Properties on page 246
Section 9.3 Secure Login Client Registry Values on page 264
Section 9.4 Key Usage Reference on page 266

Most of the information in this chapter is provided as extra information for debugging. It is not recommended to alter any Secure Login system file manually; doing so may result in a corrupted configuration. Use the Administration Console at all times.


9.1 Client Policy

Contents

This section contains detailed information about the Client policy for Secure Login.
Section 9.1.1 ClientPolicy.xml File Registry Keys and Values, on page 239
Section 9.1.2 ClientPolicy.xml File Example, on page 240
Section 9.1.3 Wildcards in Distinguished Names for the PSEURI Attribute, on page 244
Section 9.1.4 Configuring Secure Login with Microsoft Group Policies, on page 245

9.1.1 ClientPolicy.xml File Registry Keys and Values

Registry Keys and Values

When the Secure Login Client system service is started (on the Client side), the XML-formatted policy file is translated into the following Windows registry keys and values (provided that the ClientPolicy.xml file is dynamic):

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\application\<application name>]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\Profiles\<profile name>]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\SecureLogin\System]

These keys live under HKEY_LOCAL_MACHINE\SOFTWARE\Policies, which by default only administrators can write. Keep it that way: whoever can edit these values can change the enrollment URLs and the SSL host checks for every user of the machine.


9.1.2 ClientPolicy.xml File Example

<?xml version="1.0" encoding="ISO-8859-1"?>
<secude>
  <securelogin>
    <machine>
      <applications action="clean">
        <application name="SAP Server Strong Authentication">
          <attributes>
            <attribute name="pseURI" value="ou=Strong Authentication" type="string"/>
            <attribute name="profile" value="SAP with RSA SecurID" type="string"/>
          </attributes>
        </application>
        <application name="SAP Server ADS">
          <attributes>
            <attribute name="pseURI" value="SNC/cn=SAPServer,o=SECUDE,ou=Support,c=DE" type="string"/>
            <attribute name="profile" value="SAP with Windows Logon" type="string"/>
          </attributes>
        </application>
        <application name="DEFAULT">
          <attributes>
            <attribute name="pseURI" value="*" type="string"/>
            <attribute name="profile" value="*" type="string"/>
          </attributes>
        </application>
      </applications>
      <profiles action="replace">
        <profile name="SAP with RSA SecurID">
          <attributes>
            <attribute name="pseType" value="promptedlogin" type="string"/>
            <attribute name="enrollURL0" value="https://rsalogin:8443/securelogin/PseServer?id=0001" type="string"/>
            <attribute name="autoReenrollTries" value="0" type="integer"/>
            <attribute name="sslHostCommonNameCheck" value="true" type="boolean"/>
          </attributes>
        </profile>
        <profile name="SAP with Windows Logon">
          <attributes>
            <attribute name="pseType" value="windowslogin" type="string"/>
            <attribute name="enrollURL0" value="https://adslogin:8443/securelogin/PseServer?id=0003" type="string"/>
            <attribute name="enrollURL1" value="https://adsloginbackup:8443/securelogin/PseServer?id=0003" type="string"/>
            <attribute name="enrollURL2" value="https://192.168.47.47:8443/securelogin/PseServer?id=0005" type="string"/>
            <attribute name="httpProxyURL" value="http://10.49.48.47:3128" type="string"/>
            <attribute name="autoReenrollTries" value="3" type="integer"/>
            <attribute name="reUseKey" value="true" type="boolean"/>
            <attribute name="gracePeriod" value="10" type="integer"/>
          </attributes>
        </profile>
      </profiles>
    </machine>
  </securelogin>
</secude>


ClientPolicy.xml File Elements and Attributes

The following table details each of the elements and attributes of the ClientPolicy.xml file (A-Z). Each entry gives the element or attribute name, whether it is mandatory or optional, and its description with an example.

Action (optional)
  Existing registry keys are handled as configured by action:
  clean    Delete all existing profiles in the selected policy key before the given ones are written.
  replace  Replace any existing profiles of the same name in the selected policy key by the given one.
  keep     Keep any existing profiles of the same name in the selected policy key; do not write the given one (default).

AllowFavourite (mandatory)
  Allow the user to select another profile as favourite for this SNC application context.
  false (default) = always use the configured profile
  true = do not use the configured profile

Application (mandatory)
  Start of an application element; the element is repeated for each application.

Applications (mandatory)
  Start of the application section, which contains the unsorted list of application contexts.

AutoReenrollTries (optional)
  Number of failed authentications in a sequence until automatic re-enrollment is stopped. User name and password caching can be turned on to provide automatic re-enrollment of certificates that are about to expire.
  0  Turn off (default): do not re-enroll automatically; do not cache user name and password. A re-enrollment must always be performed by the user interactively.
  N  Turn on with N tries to succeed: try to re-enroll at most N times before either a new certificate is received or the user name and password cache is cleared. The error counter is reset on success. A manual re-enrollment is also possible.
  You can delete all cached credentials from memory (except those stored in the SLC system service) with the Logout context menu of the SECUDE PSE service in the system tray. Deleting the cache of the Windows login token has no effect, as the credentials can be retrieved from the SLC system service.
  Note that any value other than 0 keeps the user's password in memory on the Client for as long as the cache exists.

EnrollURL0 (mandatory)
  Secure Login URL that is used for authentication and certificate enrolment. The URL locates the Server instance that is valid for the Secure Login Client. For example:
  http://myServer.local/securelogin/PseServer?id=0001
  The Client sends the user name and password to this URL, so use an https:// URL in production; the SSLHost...Check attributes below apply only to HTTPS connections.

EnrollURL<n> (optional)
  URL of a fallback SECUDE Secure Login Server, used if URL n-1 fails (n >= 1). The counter n must be a positive integer without leading 0s. The sequence must be strictly increasing by one; a gap stops the sequence and all remaining URLs are ignored. Empty URLs are ignored and skipped.

GracePeriod (optional)
  Seconds before expiration of this certificate at which to re-enroll automatically (default: 0).

HttpProxyURL (optional)
  HTTP proxy to be used with the enroll URLs. Only HTTP proxies without authentication and without SSL to the proxy are supported. Example: http://proxy.secude.com:3128

InactivityTimeout (optional)
  Seconds until an automatic logout is performed. Mouse and keyboard events are checked for inactivity.
  > 0  Seconds of inactivity
  -1   No single sign-on (SSO); each SNC connection forces a new login
  0    No timeout, SSO without limitation (default)

KeySize (optional)
  Size in bits of the newly generated RSA keys. Range: 512 - 16384 (default: 512). A 512-bit RSA modulus can be factored with modest resources; configure at least 2048 bits.

machine (mandatory)
  Machine policy node. Subnodes inside this node are written to:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE]
  User policies are not supported.

Name (mandatory)
  Name of the application context, which also forms the registry key name. The special name * is used for the default application entry, for which no PSEURI has to be defined. It automatically comprises all SNC names that are not defined explicitly or with wildcards (see the PSEURI attribute).

NetworkTimeout (optional)
  Network timeout in seconds before the connection is closed if the Server does not respond (default: 45).

Profile (mandatory)
  Name of the security profile to be used for the application; the name must match a profile name in the profiles section. The profile name * is used for the default security profile that is configured by the user (for example, the smart card profile).

Profiles (mandatory)
  Start of the profile section, which contains the unsorted list of security profiles.

PSEType (mandatory)
  Type of profile:
  promptedlogin  For authentication using an RSA Server.
  windowslogin   For authentication using an ADS Server.

PSEURI (mandatory)
  Application-specific PSE URI (fully qualified SNC name, substring of an SNC name, or *) that is matched when a fitting profile is searched. The wildcards * and ? can be used. Examples:
  SNC/cn=SAP, o=SECUDE, c=DE
  SNC/CN=Server*, ou=Strong
  For further examples, see section 9.1.3 Wildcards in Distinguished Names for the PSEURI Attribute on page 244.

ReUseKey (optional)
  If true, the RSA key is kept unless a manual logout is performed or the user process psesvc.exe is shut down (default: false).

secude (mandatory)
  Root node.

securelogin (mandatory)
  SECUDE Secure Login policy node.

SSLHostAlternativeNameCheck (optional)
  SSL Server certificate: check that the peer host name is given in its subject alternative names (default: false).

SSLHostCommonNameCheck (optional)
  SSL Server certificate: check that the peer host name is given in its subject common name (default: false).

SSLHostExtensionCheck (optional)
  SSL Server certificate: check that the peer's certificate has the extended key usage ServerAuthentication set (default: false).
  With all three SSLHost checks at their default of false, nothing in this policy ties the Server certificate to the host name in the enroll URL: any certificate issued by a trusted CA is accepted, and the user's credentials are then sent to that host. In production, enable SSLHostAlternativeNameCheck (plus SSLHostCommonNameCheck for certificates without a subject alternative name) together with SSLHostExtensionCheck.

UniqueClientID (optional)
  Customer-defined string (default: NULL).

useSslPse (optional)
  If true, turns on the former SSL PSE based trust store for HTTPS. If false (default), the Microsoft CAPI is used for HTTPS trust.

UserWarningPassword (optional)
  Warning dialog box before user name and password are sent to the SLS (default: false).

UserWarningMSIE (optional)
  Display of a warning dialog box after a new certificate has been propagated to the Microsoft Crypto Store: MSIE must be restarted (default: false).

9.1.3 Wildcards in Distinguished Names for the PSEURI Attribute

Introduction

The PSEURI attribute allows you to use wildcards to identify an SAP system by its SNC name. The SNC name is given as a printed X.500 distinguished name. The wildcards are as follows:
- Use * for any number of characters
- Use ? for exactly one character

Rules

There are a few rules to follow for the use of wildcards:
- Do not use wildcards if you want to select one particular Server.
- Make the patterns as long as possible. Should more than one pattern match a Server, the longest pattern wins (and with equal length, the one with fewer wildcards).

Example

The following example assumes that the following Servers exist:
Server-A: SNC/CN=Server-A, CN=Low-Security, C=DE
Server-B: SNC/CN=Server-B, CN=High-Security, C=DE
Server-C: SNC/CN=Server-C, CN=High-Security, C=DE
Server-D: SNC/CN=Server-D, CN=High-Security, C=DE

Pattern for PSEURI                          Matching
*                                           Any Server.
SNC/*                                       Any Server.
SNC/CN=Server-*,CN=*-Security,C=DE          Any Server.
SNC/*,CN=High-Security,*                    Only high security Servers (B, C, D).

Assuming you have used the last pattern for all high security Servers but need a different treatment for Server D, you may use one of the following patterns:

Pattern for PSEURI                          Matching
SNC/CN=Server-D,CN=High-Security,C=DE       Only Server D.
SNC/CN=Server-D,CN=High-Security,*          Only Server D.
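The following Python script is an added example, not SECUDE code, that applies the two selection rules described above and in the attribute table: the PSEURI wildcard match (longest matching pattern wins, fewer wildcards on a tie) and the EnrollURL<n> sequencing (n counts from 0 without leading zeros, increases by exactly one, a gap ends the list, empty URLs are skipped). Comparing case-insensitively and ignoring blanks after commas is an assumption about the Client's matching; APPLICATIONS and PROFILE are constructed from the manual's examples.

```python
"""Resolve an SNC name to a Secure Login Client profile and its enrollment URL chain.

Added example; this is not SECUDE code.  It implements the PSEURI wildcard
match of section 9.1.3 ('*' matches any run of characters, '?' exactly one;
the longest matching pattern wins and, at equal length, the one with fewer
wildcards) and the EnrollURL<n> sequence from the attribute table (n counts
from 0, must increase by exactly one, has no leading zeros, a gap ends the
list, empty URLs are skipped).  Case-insensitive comparison that ignores
blanks after commas is an assumption; the sample data is constructed.
"""
import re
from typing import Dict, List, Optional


def _normalise(dn: str) -> str:
    """Assumption: matching ignores letter case and blanks after the comma separators."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a PSEURI pattern with * and ? into an anchored regular expression."""
    parts = []
    for ch in _normalise(pattern):
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def select_application(snc_name: str, applications: Dict[str, str]) -> Optional[str]:
    """Return the application whose PSEURI best matches snc_name (None if nothing matches).

    applications maps application name -> PSEURI pattern.  Preference: longest
    pattern first, then fewest wildcard characters, so the bare '*' of the
    DEFAULT entry only wins when no more specific pattern matches.
    """
    target = _normalise(snc_name)
    best_score, best_name = None, None
    for name, pattern in applications.items():
        if not pattern_to_regex(pattern).match(target):
            continue
        norm = _normalise(pattern)
        score = (len(norm), -(norm.count("*") + norm.count("?")))
        if best_score is None or score > best_score:
            best_score, best_name = score, name
    return best_name


def enroll_url_chain(attributes: Dict[str, str]) -> List[str]:
    """Ordered fallback list from the enrollURL0, enrollURL1, ... attributes of one profile."""
    chain: List[str] = []
    n = 0
    while f"enrollURL{n}" in attributes:   # 'enrollURL01' never matches: no leading zeros
        url = attributes[f"enrollURL{n}"].strip()
        if url:                            # empty entry: skipped, the sequence continues
            chain.append(url)
        n += 1                             # a missing number ends the sequence
    return chain


# Constructed from the manual's example Servers and policy file.
APPLICATIONS = {
    "SAP Server ADS": "SNC/cn=SAPServer,o=SECUDE,ou=Support,c=DE",
    "High-security Servers": "SNC/*,CN=High-Security,*",
    "Server D": "SNC/CN=Server-D,CN=High-Security,*",
    "DEFAULT": "*",
}
PROFILE = {
    "enrollURL0": "https://adslogin:8443/securelogin/PseServer?id=0003",
    "enrollURL1": "",
    "enrollURL2": "https://192.168.47.47:8443/securelogin/PseServer?id=0005",
    "enrollURL4": "https://never-used.example/securelogin/PseServer?id=0009",
}

if __name__ == "__main__":
    for snc in ("SNC/CN=Server-A, CN=Low-Security, C=DE",
                "SNC/CN=Server-B, CN=High-Security, C=DE",
                "SNC/CN=Server-D, CN=High-Security, C=DE"):
        print(snc, "->", select_application(snc, APPLICATIONS))
    print(enroll_url_chain(PROFILE))   # enrollURL4 is never reached: 3 is missing
```

Running the script shows Server-A falling through to DEFAULT, Server-B landing on the high-security profile, and Server-D picked up by its longer, more specific pattern; the URL chain contains only enrollURL0 and enrollURL2.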


9.1.4 Configuring Secure Login with Microsoft Group Policies

Introduction

SECUDE Secure Login allows you to integrate the registry keys and values for the SECUDE Secure Login Client in your company's group policies.

1. If you have not already installed the Secure Login group policy file supplied with the installer package, double-click the package and follow the instructions until you get to the Custom Setup dialog.

   Figure 9-1: Installer custom setup, Group Policies component

2. Deselect all of the components except Group Policies. Click Next and continue until the installation is finished. The SECUDEsecurelogin.ADM file is copied to the following directory:
   Windows\inf
   When edited with the policy editor, it is copied to the following directory:
   Windows\system32\GroupPolicies\adm
   The SECUDEsecurelogin.ADM file contains the keys used to configure the SECUDE security profiles.

In addition to installing the ADM file, selecting Group Policies installs the full group policy documentation (HTML) to the directory:
C:\Program Files\Common Files\SECUDE\officesecurity\ADM-DOC

as well as a link in the start menu: Start > All Programs > SECUDE > officesecurity > ADM Documentation. For a description of the keys and values, refer to the explanations provided by the group policy editor.


9.2 Configurable Properties

Introduction

This section describes the Secure Login properties that can be configured via a number of files.

Sections
Section 9.2.1 Files, on page 246
Section 9.2.2 Web.xml, on page 247
Section 9.2.3 Configuration.properties, on page 248
Section 9.2.4 JAAS Module Configuration, on page 253

9.2.1 Files that Contain Configurable Properties

Introduction

This section details the configuration files needed by Secure Login.

Files

The SECUDE Secure Login Server is configured in the following files (these files are included in the installation package):

Web.xml
  This file contains deployment information for the SECUDE Secure Login servlet. For further information refer to section 9.2.2 Web.xml, on page 247.

Configuration.properties
  This is the main SECUDE Secure Login Server configuration file. For further information refer to section 9.2.3 Configuration.properties on page 248.

JAAS module configuration files
  These files define specific properties for authentication. NOTE: for each authentication method used (LDAP/ADS, RADIUS/RSA/SAP-ID), there is a special JAAS module configuration file. For further information refer to section 9.2.4 JAAS Module Configuration on page 253.

Server message property files
  These files contain localized messages for the Clients.


9.2.2 Web.xml File

Introduction

The Web.xml file contains the deployment information for the SECUDE Secure Login servlet. This information is required by the servlet engine to map the URL to a specific servlet, and it also contains further information for the operation of the SECUDE Secure Login Server. You can configure the following parameters in the Web.xml file:
- The location of the SECUDE Secure Login Server configuration.properties file
- The location of the lock file

Configure configuration.properties File Location

Locate the following code snippet in the Web.xml file to set the file path:

<init-param>
  <param-name>ConfigURL</param-name>
  <param-value>URL</param-value>
</init-param>

Parameter: URL
Details: Change the value URL to the location of the configuration.properties file. For example:
<Tomcat home>\Webapps\securelogin\WEB-INF\Instances\Configuration.properties

Configure Lock File Location

Locate the following code snippet in the Web.xml file to set the lock file path:

<init-param>
  <param-name>LockDir</param-name>
  <param-value>path</param-value>
</init-param>

Parameter: path
Details: Path of the PseServer.lock file. By default the file is stored in the standard temporary directory of the Java VM. For example:
<Tomcat home>\Webapps\securelogin\WEB-INF\Instances


9.2.3 Configuration.properties File

Introduction

The SECUDE Secure Login Server is configured via a set of properties stored in a standard Java property file. The name of this file is configuration.properties. The configuration.properties file does not contain authentication-specific properties. It does contain the parameter AuthConfigPath, which specifies the location of the separate JAAS module configuration file. For further information refer to section 9.2.4 JAAS Module Configuration on page 253.

Multiple SECUDE Secure Login Server Instances

If several SECUDE Secure Login Server instances are to run on the same application Server, all SECUDE Secure Login Server instances have to use the same JAAS module configuration file. In other words, the AuthConfigPath parameter must contain the same value for all Server instances. If you want to use different authentication-specific properties for different SECUDE Secure Login Server instances, you have to use different JAAS module names via the JaasModule configuration property.

Configurable Properties

The following table details the SECUDE Secure Login Server configuration properties (in alphabetical order). Each entry gives the property name, whether it is mandatory or optional, and its details.

AdminServletHeader (Optional)
  Header displayed above the results on the result page of the administrative servlet.

AdminServletTrailer (Optional)
  Trailer displayed below the results on the result page of the administrative servlet.

ArchivingDir (Optional)
  Name of the directory in which certificate requests and certificates are archived. If set, this enables the archiving of all certificate requests and all issued certificates. Certificate requests are archived as Base64-encoded PKCS#10 files, certificates as Base64-encoded PKCS#7 files. The file naming convention for both is:
  [date][user][ServerURL].ext
  where:
  - date is in the form yyyymmddhhmmssmm;
  - user is the name of the authenticated user;
  - ServerURL is derived from the URL of the SECUDE Secure Login Server by replacing all sequences of characters other than A-Z, a-z, 0-9, and dots (.) with one underscore (_). The ServerURL is empty if the user logs in via the Web Client;
  - .ext is p10 or p7c for PKCS#10 or PKCS#7 files, respectively.

AuthConfigPath (Mandatory)
  URL of the JAAS module configuration file.

CertificateFormat (Optional)
  Type of the generated certificate. Possible values:
  V1 (default) for a version 1 certificate. For version 1 certificates the following properties are ignored: PrivateExtension, PrivateExtension.name, StandardExtension, CertificatePolicies.OID.
  V3 for a version 3 certificate. For version 3 certificates, the following standard extensions are always added to the certificate: BasicConstraints, KeyUsage.
  Note: V3 has a negative performance impact because the V3 format is more complicated than the V1 format. On the other hand, only V3 certificates carry the KeyUsage and BasicConstraints extensions that let relying parties restrict what a user certificate may be used for, which is why the sample configuration below uses V3.

CertificateName (Optional)
  The case of the characters of the user name included as the DN in the certificate. Possible values: Uppercase, Lowercase. Default value: the user name is entered as it is received from the Client.

CertificatePolicies.OID (Optional)
  If CertificatePolicies is specified in the StandardExtension property, this entry lists the object identifiers (separated by spaces) to be contained in the extension. Default value: the CertificatePolicies extension is not included in the certificate.

DailyLogDir (Mandatory)
  Directory in which the daily log files are stored.

DailyLogPrefix (Mandatory)
  Prefix for the daily log files. The generated log file name is prefix_yyyy_mm_dd.log, where y, m, and d are as specified in the Java SDK API class java.text.SimpleDateFormat.

DN.country (Mandatory)
  Country part of the DN for the certificate.

DN.locality (Optional)
  Locality part of the DN for the certificate.

DN.organization (Optional)
  Organization part of the DN for the certificate.

DN.organizationalUnit (Optional)
  Organizational unit part of the DN for the certificate.

JaasModule (Optional)
  Name of the JAAS module. The default value is SLSJaasModule.

LockServerOnEventLogFailure (Optional)
  Defines whether the Server should be locked if event logging fails.
  False = do not lock the Server
  True = lock the Server

LockInstanceOnTransactionLogFailure
  Defines whether the Server instance should be locked if transaction logging fails.
  False = do not lock the Server instance
  True = lock the Server instance
  If left at False, certificates continue to be issued while nothing is being logged; for a CA that issues logon certificates, locking is the safer choice, since an unlogged issuance cannot be reviewed afterwards.

MonthlyLogDir (Mandatory)
  Directory in which the monthly log files are stored.

MonthlyLogPrefix (Mandatory)
  Prefix for the monthly log files. The generated log file name is prefix_yyyy_mm.log, where y and m are as specified in the Java SDK API class java.text.SimpleDateFormat.

PrivateExtension (Optional)
  List of names (separated by spaces) of private extensions to be included in the certificate. For each name in the list, there has to be a property PrivateExtension.name.

PrivateExtension.name (Optional)
  A Base64-encoded extension to be included in the certificate. name must be one of the extension names specified in PrivateExtension.

PseName (Mandatory)
  Name or URL of the PSE to be used. If PseType is configured to NativePSE, PseName has to be entered in the following form (follow the punctuation exactly):
  p11sc:,pkcs11 interface (vendor interface name pkcs11 library name):

PsePassword (Mandatory)
  Password of the PSE. The PSE password is encrypted with a 256-bit AES key via the Administration Console and is decrypted by Secure Login before being used. Since the Server must be able to decrypt it, this protects the password against casual reading of the file, not against anyone who can read the Server's installation; restrict the file system permissions on configuration.properties accordingly.

PsePasswordIsUnencrypted (Optional)
  Manually set the User CA PSE password (password is not encrypted).
  true: do not encrypt the password.
  false: encrypt the password.
  This feature is NOT recommended. It should only be used if you do not want to use the Administration Console.

PseType (Mandatory)
  Type of PSE used by the Server to sign the generated certificates. Possible values:
  FilePSE for using a file PSE.
  NativePSE for using the native SECUDE core component for PSE access.

SerialNumberPolicy (Optional)
  Selects the serial number generation algorithm. Possible value:
  Hash: the serial number is the hashed subject name (which is always the same for the same user but unique for different users). The property CertificateName=Uppercase must be entered as well.
  Default value: if empty or not entered, each newly issued certificate receives the current time stamp as the serial number (which is, in a way, unique).
  Note that X.509 (RFC 5280) requires serial numbers to be unique per issuer. With Hash, every certificate re-issued to the same user carries the same serial number, so a serial number no longer identifies one certificate (for example on a CRL); with the time stamp, two certificates issued within the same time-stamp granularity collide.

StandardExtension (Optional)
  List of additional standard extensions to be contained in the certificate. Possible values: AuthorityKeyIdentifier, SubjectKeyIdentifier, CertificatePolicies. In the case of CertificatePolicies, the policy OIDs have to be specified via the property CertificatePolicies.OID. Other values are ignored.

UseUPN (Optional)
  Determines the UPN (User Principal Name) for the user certificate. Possible values:
  true (default): use the complete UPN.
  false: use the user name component of the UPN.

ValidityMinutes (Mandatory)
  Time period in minutes for which the generated certificate is valid.

ValidityOffset (Mandatory)
  Time offset in minutes relative to the Server system time at which the certificate starts being valid.

Sample configuration.properties File

#This is the SecureLogin configuration file
#Last Modified:Wed Jan 16 18:05:38 CET 2008
# These properties are the global settings
AdminUser=SECUDEAdmin
AdminPassword=7ZUHN9miuh7nuhoO98HGZo\=\=
AuthConfigPath=file\:C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\SLSJaasModule.login
TrustStore=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\TrustStore.jks
TrustStorePassword=HJU7hg1tkjU/hj8U/onli8HJgZ7H\=\=
Localization=en
doTrace=true
ActiveInstances=00020
LastServerID=00020
# The default settings for the Server instance
PseType=FilePSE
PseName=file\:C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\SLS_USERCA_PSE.pse
PsePassword=7ZUHN9miuh7nuhoO98HGZo\=\=
DN.country=DE
DN.locality=Darmstadt
DN.organization=SECUDE
DN.organizationalUnit=
ValidityMinutes=480
ValidityOffset=-5
CertificateFormat=V3
CertificateName=Uppercase
UseUPN=true
StandardExtension=AuthorityKeyIdentifier SubjectKeyIdentifier
KeyUsage=DigitalSignature NonRepudiation KeyEncipherment DataEncipherment
ExtendedKeyUsage=
PrivateExtension=
SerialNumberPolicy=Hash
ClientDisc=This is a private computer facility. Access to it for any reason must be specifically authorized.\r\n\r\nAuthorized users must use company systems in accordance with company policies and guidelines. Unauthorized access to this computer facility will expose you to criminal and/or civil proceedings.\r\n\r\nAll information contained in this computer system, including messages, is the property of the company. Subject to applicable law, the company reserves the right to access and disclose all information sent through or stored in this computer system, for any purpose.
ClientMotd=System Administrative Broadcast\:\r\nWe have determined that a newer version of the Secude PSE Manager is available for your computer. If you have a high speed WAN link to the main installation point, installations can be executed from main Server download directory. Please update your system within 5 business days.
ClientInactivityTimeout=300
maxSessionInactiveInterval=640
DailyLogDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\log
DailyLogPrefix=Transaction
MonthlyLogDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\log
MonthlyLogPrefix=Event
LockDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\
AdminServletHeader=<p>The status of the PSE Server in the Hybury facility is as follows\:<p>
AdminServletTrailer=<p>Should a problem arise, please contact the support desk: <b>0100 203040</b> or send an email to <a href\="mailto\:support@SECUDE.com">mailto\:support@SECUDE.com</a><p>
EnableLog=false
DN.commonName=
# The settings of the instance 00020
00020.PseType=FilePSE
00020.PseName=file\:C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\00020\\SLS_USERCA_PSE.pse
00020.PsePassword=7ZUHN9miuh7nuhoO98HGZo\=\=
00020.DN.country=DE
00020.DN.locality=Darmstadt
00020.DN.organization=SECUDE
00020.DN.organizationalUnit=
00020.ValidityMinutes=480
00020.ValidityOffset=-5
00020.CertificateFormat=V3
00020.CertificateName=Uppercase
00020.UseUPN=true
00020.StandardExtension=AuthorityKeyIdentifier SubjectKeyIdentifier
00020.KeyUsage=DigitalSignature NonRepudiation KeyEncipherment DataEncipherment
00020.ExtendedKeyUsage=
00020.PrivateExtension=
00020.SerialNumberPolicy=Hash
00020.ClientDisc=This is a private computer facility. Access to it for any reason must be specifically authorized.\r\n\r\nAuthorized users must use company systems in accordance with company policies and guidelines. Unauthorized access to this computer facility will expose you to criminal and/or civil proceedings.\r\n\r\nAll information contained in this computer system, including messages, is the property of the company. Subject to applicable law, the company reserves the right to access and disclose all information sent through or stored in this computer system, for any purpose.
00020.ClientMotd=System Administrative Broadcast\:\r\nWe have determined that a newer version of the Secude PSE Manager is available for your computer. If you have a high speed WAN link to the main installation point, installations can be executed from main Server download directory. Please update your system within 5 business days.
00020.ClientInactivityTimeout=300
00020.maxSessionInactiveInterval=640
00020.DailyLogDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\00020\\Log
00020.DailyLogPrefix=Transaction
00020.MonthlyLogDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\00020\\Log
00020.MonthlyLogPrefix=Event
00020.LockDir=C\:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\Webapps\\securelogin\\WEB-INF\\Instances\\00020
00020.AdminServletHeader=<p>The status of the PSE Server in the Hybury facility is as follows\:<p>
00020.AdminServletTrailer=<p>Should a problem arise, please contact the support desk: <b>0100 203040</b> or send an email to <a href\="mailto\:support@SECUDE.com">mailto\:support@SECUDE.com</a><p>
00020.EnableLog=false
00020.DN.commonName=
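The Python script below is an added example, not part of the SECUDE product: it reads a configuration.properties file in the Java property format shown above (instance keys prefixed "<instance id>." fall back to the unprefixed defaults; treating ActiveInstances as a space-separated list of instance ids is an assumption) and reports the settings from the table that a reviewer would question: a clear text PSE password, V1 certificates, the Hash serial number policy, continuing without a transaction log, tracing left on, and identical encrypted values for AdminPassword and PsePassword. SAMPLE is a constructed, shortened variant of the sample file; the check list is this example's own.

```python
"""Lint a Secure Login Server configuration.properties for settings a reviewer would question.

Added example; this is not SECUDE code.  The property reader handles the
\\: \\= \\\\ escapes used in the manual's sample (\\n, \\t and \\uXXXX are not
decoded).  ActiveInstances is assumed to be a space-separated list of instance
ids; SAMPLE is constructed and the check list is this example's own.
"""
import re
from typing import Dict, List

SAMPLE = r"""
# constructed sample; paths shortened, values not from a real deployment
AdminUser=SECUDEAdmin
AdminPassword=7ZUHN9miuh7nuhoO98HGZo\=\=
AuthConfigPath=file\:C\:\\Tomcat\\Webapps\\securelogin\\WEB-INF\\Instances\\SLSJaasModule.login
doTrace=true
ActiveInstances=00020 00021
PseType=FilePSE
PsePassword=7ZUHN9miuh7nuhoO98HGZo\=\=
CertificateFormat=V3
SerialNumberPolicy=Hash
LockInstanceOnTransactionLogFailure=false
00020.CertificateFormat=V3
00020.SerialNumberPolicy=Hash
00021.CertificateFormat=V1
00021.PsePasswordIsUnencrypted=true
00021.PsePassword=hunter2
00021.SerialNumberPolicy=
00021.LockInstanceOnTransactionLogFailure=true
"""

_KEY_VALUE = re.compile(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)")
_UNESCAPE = re.compile(r"\\(.)")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comments, first unescaped '=' or ':' splits key and value."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _KEY_VALUE.match(line)
        if m:
            props[_UNESCAPE.sub(r"\1", m.group(1))] = _UNESCAPE.sub(r"\1", m.group(2))
    return props


def effective(props: Dict[str, str], instance: str, key: str, default: str = "") -> str:
    """Instance-specific value, falling back to the global default setting."""
    return props.get(f"{instance}.{key}", props.get(key, default))


def lint_instance(props: Dict[str, str], instance: str) -> List[str]:
    """Findings for one Server instance."""
    findings = []
    if effective(props, instance, "PsePasswordIsUnencrypted").lower() == "true":
        findings.append("PsePasswordIsUnencrypted=true: the user CA PSE password is stored in clear text")
    if effective(props, instance, "CertificateFormat", "V1").upper() != "V3":   # V1 is the documented default
        findings.append("CertificateFormat is not V3: issued certificates carry no KeyUsage or BasicConstraints")
    if effective(props, instance, "SerialNumberPolicy").lower() == "hash":
        findings.append("SerialNumberPolicy=Hash: every certificate issued to the same user gets the same serial number")
    if effective(props, instance, "LockInstanceOnTransactionLogFailure").lower() != "true":
        findings.append("LockInstanceOnTransactionLogFailure is not true: certificates are issued even when the transaction log cannot be written")
    return findings


def lint(text: str) -> Dict[str, List[str]]:
    """Findings per instance id, plus a 'global' entry for Server-wide settings."""
    props = parse_properties(text)
    report: Dict[str, List[str]] = {"global": []}
    if props.get("doTrace", "").lower() == "true":
        report["global"].append("doTrace=true: tracing is enabled; switch it off outside troubleshooting")
    if props.get("AdminPassword") and props.get("AdminPassword") == props.get("PsePassword"):
        report["global"].append("AdminPassword and PsePassword carry the same encrypted value, so the two passwords are the same")
    for instance in props.get("ActiveInstances", "").split():
        report[instance] = lint_instance(props, instance)
    return report


if __name__ == "__main__":
    for scope, findings in lint(SAMPLE).items():
        for finding in findings:
            print(f"{scope}: {finding}")
```

Run against the sample, instance 00020 inherits the global Hash policy and the unlocked transaction log, while 00021 is flagged for its V1 certificates and clear text PSE password. The same parser can be pointed at a real file by replacing SAMPLE with the file's contents.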

9.2.4 JAAS Module Configuration Files

Contents

For each authentication method, a specific JAAS module has to be configured.
Section 9.2.4.1 JAAS Module Configuration Files for LDAP/ADS, on page 253
Section 9.2.4.2 JAAS Module Configuration Files for RADIUS/RSA, on page 257
Section 9.2.4.3 JAAS Module Configuration Files for SAP ID, on page 260

9.2.4.1 JAAS Module Configuration Files for LDAP/ADS

Introduction

The JAAS module configuration file for LDAP/ADS contains the authentication-specific properties for LDAP authentication. The JAAS module class name for the LDAP module is:
com.secude.transfair.pepperbox.LdapJaasModule

Multiple Authentication Servers

Each LDAP Server has its own section in the JAAS module configuration file. If the first Server cannot be reached, the next Server in the list is used (provided that more than one Server is specified in the configuration file). The order in which the Servers are entered in the configuration file defines their priority in the authentication process. By default, the first Server in the list that can be reached ends the authentication process, regardless of the type of response (OK or Access Denied). However, if the parameter TryAllServers is set to true, all of the Servers are queried until the first OK response is received. With TryAllServers, a password is therefore accepted as soon as any one of the configured directories accepts it, so the weakest directory in the list sets the effective password policy; list only directories you trust equally.
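The Python script below is an added example, not SECUDE code, that models the two behaviours described here and in the LdapBaseDN entry of the table that follows: building the bind name from LdapBaseDN (UPN domain appended with @, or a DN template with $USERID replaced) and walking the Server list with and without TryAllServers. Escaping the substituted user name per RFC 4514 is this example's own hardening; the manual does not say whether the product escapes $USERID. The fake_server directories are constructed stand-ins.

```python
"""Bind-name construction and Server fail-over for the LDAP/ADS JAAS module.

Added example; this is not SECUDE code.  LdapBaseDN is either a UPN domain
(appended to the user name with '@') or a complete DN template in which
$USERID is replaced; the configured Servers are tried in order, and by default
the first reachable Server's answer ends authentication unless TryAllServers
is true.  RFC 4514 escaping of the substituted user name is this example's
own addition.  The fake Servers are constructed.
"""
from typing import Callable, List, Optional

_DN_SPECIALS = set(',+"\\<>;=')
OK, DENIED, TIMEOUT = "OK", "ACCESS_DENIED", "TIMEOUT"   # TIMEOUT: not reached within LdapTimeout


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (i == 0 and ch == "#") or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def bind_name(ldap_base_dn: str, user: str) -> str:
    """Combine LdapBaseDN with the user name in the two forms the manual describes."""
    if "$USERID" in ldap_base_dn:
        # A user name such as 'test,cn=Domain Admins' must not rewrite the template.
        return ldap_base_dn.replace("$USERID", escape_dn_value(user))
    return f"{user}@{ldap_base_dn}"


Server = Callable[[str, str], str]   # (bind name, password) -> OK / ACCESS_DENIED / TIMEOUT


def authenticate(servers: List[Server], name: str, password: str,
                 try_all_servers: bool = False) -> Optional[str]:
    """Query Servers in configured order; return the final verdict, or None if none was reachable."""
    verdict = None
    for server in servers:
        answer = server(name, password)
        if answer == TIMEOUT:
            continue                      # unreachable: fall through to the next Server
        if answer == OK or not try_all_servers:
            return answer                 # default: the first reachable answer is final
        verdict = answer                  # TryAllServers: remember the denial, keep looking
    return verdict


def fake_server(answer: str) -> Server:
    """Constructed stand-in for a directory that always gives the same answer."""
    return lambda name, password: answer


if __name__ == "__main__":
    chain = [fake_server(TIMEOUT), fake_server(DENIED), fake_server(OK)]
    who = bind_name("cn=$USERID,cn=Users,dc=domain,dc=com", "test")
    print(who, authenticate(chain, who, "pw"), authenticate(chain, who, "pw", try_all_servers=True))
```

With the default setting the chain above answers ACCESS_DENIED, because the second Server is the first one reached; with TryAllServers it continues to the third Server and answers OK.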

Configurable Properties

The following table details the properties within the JAAS module configuration file for LDAP/ADS (in alphabetical order):

LdapBaseDN (optional)
    Specifies the base domain name that is combined with the user name before sending it to the Active Directory Server. The following formats are valid:
    - Domain part of UPN: The domain part is appended to the user name, using the @ separator. Example: If set to my.domain.com, the user test is authenticated as test@my.domain.com with the respective Server.
    - Complete DN: The variable $USERID is replaced with the user name. Example: If set to cn=$USERID,cn=Users,dc=domain,dc=com, the user test is authenticated as cn=test,cn=Users,dc=domain,dc=com with the respective Server.
    NOTE: If a password expiry warning message is configured, only the second form can be used. For further information refer to section 9.2.5.2 Password Expiry Warning Message on page 264.

LdapHost (mandatory)
    URL of the Active Directory Server used to authenticate the user. The LdapHost value is passed to JNDI; therefore the interpretation of the protocol to be used is performed entirely by the JVM. To use LDAP over SSL, the protocol has to be ldaps. For example: ldaps://my.host.com:636

LdapProviderLanguage (optional)
    Character set encoding for communication between the Secure Login Server and the LDAP/ADS Server. For example: ISO-8859-1 (for ADS)

LdapTimeout (optional)
    Period of time the Secure Login Server waits for a response before trying the next LDAP/ADS Server (in milliseconds).

PasswordExpirationAttribute (optional)
    The LDAP attribute that holds the expiry date of the password. For the LDAP Authentication Server, the date must be in one of the following formats:
    - UMT: 0060727081914Z or 0060727081914+0700Z
    - GMT in ADS format: 0060727081914.0Z or 0060727081914.0+0700Z
    - MS Gregorian calendar (the number of milliseconds since 01/01/1601), for example: 127984619236406250
    If a password expiry warning message is configured, the LdapBaseDN property must be given in complete DN form. The PasswordExpirationAttribute value is used for the password expiry warning only. For further information refer to section 9.2.5.2 Password Expiry Warning Message on page 264.

PasswordExpirationGracePeriod (optional)
    The interval (in days) prior to password expiry during which a password expiry warning is sent to the Client. For further information refer to section 9.2.5.2 Password Expiry Warning Message on page 264.

ServerID (optional)
    Determines which password expiry warning is used. This value is used for the password expiry warning only. For further information refer to section 9.2.5.2 Password Expiry Warning Message on page 264.

TrustStore (optional)
    Path to the CA certificates keystore used for Server authentication when using LDAP over SSL. Used globally for all LDAP modules in a TrustStore. Use of the Java keystore (*.jks) is mandatory when using LDAP over SSL.

TryAllServers (optional)
    Determines when to try the next Server in the list. Values:
    - false (default): Try the next Server only if this Server cannot be reached.
    - true: Try the next Server if this Server cannot be reached or answers Access Denied.
    All Servers have to be configured to either false or true.

Sample JAAS Module Configuration File for LDAP/ADS

SLSJaasModule {
    com.secude.transfair.pepperbox.LdapJaasModule sufficient
        LdapHost=ldaps://10.49.0.150:636
        LdapBaseDN=secude.com
        LdapTimeout=100
        LdapProviderLanguage=en-US
        TryAllServers=true;
    com.secude.transfair.pepperbox.LdapJaasModule sufficient
        LdapHost=ldap://10.49.3.166:389
        LdapBaseDN=uid=$USERID,ou=people,dc=neptun,dc=secude,dc=com
        LdapTimeout=100
        LdapProviderLanguage=en-US
        ServerID=LDAP1
        PasswordExpirationAttribute=passwordRenew
        PasswordExpirationGracePeriod=20
        TryAllServers=true;
    com.secude.transfair.pepperbox.LdapJaasModule sufficient
        LdapHost=ldaps://10.49.0.151:636
        LdapBaseDN=secude.com
        LdapTimeout=100
        LdapProviderLanguage=en-US
        TryAllServers=true;
};


9.2.4.2 JAAS Module Configuration Files for RADIUS/RSA

Introduction

The JAAS module configuration file for RADIUS/RSA contains the authentication-specific properties for RADIUS authentication. The JAAS module class name for the RADIUS/RSA module is:

com.secude.transfair.pepperbox.RsaRadiusJaasModule

Multiple Authentication Servers

Each RADIUS/RSA Server has its own section in the JAAS module configuration file. If the first Server cannot be reached, the next Server in the list is used (provided that more than one Server is specified in the configuration file). The order in which the Servers are entered in the configuration file defines the priority the Servers have in the authentication process. By default, the first Server in the list that can be reached ends the authentication process, regardless of the type of response (OK or Access Denied). However, if the parameter TryAllServers is set to true, all of the Servers are queried until the first OK response is received.

Configurable Properties

The following table details the properties within the JAAS module configuration file for RADIUS/RSA (in alphabetical order):

Authenticator (mandatory)
    Authentication method for the RADIUS/RSA Server. Possible values:
    - CHAP
    - MSCHAP
    - PAP
    NOTE: The RSA Authentication Manager only supports the PAP authentication protocol.

AuthPort (mandatory)
    The port number used by the RADIUS/RSA Server for authentication requests.

PinAlphanumeric (optional)
    PIN format. This parameter is only used with RSA SecurID tokens. Possible values:
    - true: the user can choose, and use, a PIN which contains only alphanumeric characters (A-Z, a-z, 0-9).
    - false (default): the user can choose, and use, a PIN which contains alphanumeric and special characters (such as !$%&).
    The default password policy for RSA allows only numeric PINs, which cannot be set up via the Secure Login Server/Client policy properties.

PinMax (optional)
    Maximum PIN length for a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 8

PinMin (optional)
    Minimum PIN length for a new PIN. This parameter is only used with RSA SecurID tokens. Default value: 4

RadiusServerIP (mandatory)
    Host address of the RADIUS/RSA Server (used for user authentication).

RSAServerIniFile (optional)
    For configuring RSA Server messages. If the RSA Server version is 6.1, a copy of the RSA Server RADIUS message *.ini file (securid.ini) has to be present. Make sure you enter the full path and file name, for example: <Tomcat home>\Webapps\securelogin\WEB-INF\securid.ini

SharedSecret (mandatory)
    Shared secret used by the RADIUS/RSA Server to encrypt the user password.

TimeOut (mandatory)
    Period of time the Secure Login Server waits for a response before trying the next RADIUS/RSA Server (in milliseconds).

TryAllServers (optional)
    Determines when to try the next Server in the list. Values:
    - false (default): Try the next Server only if this Server cannot be reached.
    - true: Try the next Server if this Server cannot be reached or answers Access Denied.
    All Servers have to be configured to either false or true.

Other attributes (optional)
    Any RADIUS attribute present in the Client's dictionary and which the Server expects to be included in the request. For example:
    - NAS-IP-Address
    - NAS-Port

Sample JAAS Module Configuration File for RADIUS/RSA

Example 1

SLSJaasModule {
    com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
        RadiusServerIP=10.49.7.15
        AuthPort=1812
        SharedSecret=ActivPack
        TimeOut=5000
        Authenticator=pap
        NAS-IP-Address=213.188.106.173
        NAS-Port=235
        TryAllServers=true;
    com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
        RadiusServerIP=10.49.2.5
        AuthPort=1645
        SharedSecret=secret
        TimeOut=5000
        Authenticator=pap
        PinMin=6
        PinMax=8
        PinAlphanumeric=true
        TryAllServers=true;
};


Example 2

The following configuration is for a scenario in which the Authentication Servers are configured for failover and share the same user database. To prevent the counter for failed logins from being incremented by 3, TryAllServers is set to false. When a user enters the wrong password, only the first reachable Server answers Access Denied, and increments the counter for failed logins by 1:

SLSJaasModule {
    com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
        RadiusServerIP=10.49.7.15
        AuthPort=1812
        SharedSecret=ActivPack
        TimeOut=5000
        Authenticator=pap
        NAS-IP-Address=213.188.106.173
        NAS-Port=235
        TryAllServers=false;
    com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
        RadiusServerIP=10.49.7.16
        AuthPort=1812
        SharedSecret=ActivPack
        TimeOut=5000
        Authenticator=pap
        NAS-IP-Address=213.188.106.173
        NAS-Port=235
        TryAllServers=false;
    com.secude.transfair.pepperbox.RsaRadiusJaasModule sufficient
        RadiusServerIP=10.49.7.17
        AuthPort=1812
        SharedSecret=ActivPack
        TimeOut=5000
        Authenticator=pap
        NAS-IP-Address=213.188.106.173
        NAS-Port=235
        TryAllServers=false;
};
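The Server walk described under Multiple Authentication Servers for the LDAP/ADS and RADIUS/RSA modules, and the failed-login counting of Example 2, as an added simulation that is not SECUDE's code; the Server addresses and answers are constructed, and the simulation assumes each Access Denied answer increments that Server's failed-login counter once.

```python
"""Added example, not SECUDE's code: simulates how the Secure Login Server walks the
Server sections of a JAAS module configuration file under both TryAllServers
settings (the rule is the same for the LDAP/ADS and RADIUS/RSA modules)."""
from dataclasses import dataclass, field
from typing import List

# Simulated answers of one Server to one authentication request.
UNREACHABLE = "unreachable"
OK = "OK"
DENIED = "Access Denied"


@dataclass
class ServerSection:
    """One Server section of the configuration file (constructed sample)."""
    host: str
    try_all_servers: bool   # value of the TryAllServers property in this section
    response: str           # what this Server would answer (simulation only)


@dataclass
class Outcome:
    result: str                                 # OK, Access Denied or unreachable
    queried: List[str] = field(default_factory=list)
    denials: int = 0                            # Servers that answered Access Denied


def authenticate(sections: List[ServerSection]) -> Outcome:
    """Query the Servers in configuration order and stop as TryAllServers dictates."""
    settings = {s.try_all_servers for s in sections}
    if len(settings) != 1:
        # The manual requires every Server to carry the same TryAllServers value.
        raise ValueError("TryAllServers must be set to the same value for all Servers")
    try_all = settings.pop()
    outcome = Outcome(result=UNREACHABLE)
    for server in sections:
        outcome.queried.append(server.host)
        if server.response == UNREACHABLE:
            continue                    # both modes move on to the next Server
        if server.response == DENIED:
            outcome.denials += 1        # assumption: counted as a failed login there
            outcome.result = DENIED
            if try_all:
                continue                # true: keep going until an OK answer
            return outcome              # false (default): first reachable Server decides
        outcome.result = OK
        return outcome                  # an OK answer ends the process in both modes
    return outcome


def failover_scenario(try_all: bool, wrong_password: bool) -> Outcome:
    """Example 2 above: three failover Servers sharing one user database, with the
    first Server down. Shows how often a wrong password is counted."""
    answer = DENIED if wrong_password else OK
    return authenticate([
        ServerSection("10.49.7.15", try_all, UNREACHABLE),
        ServerSection("10.49.7.16", try_all, answer),
        ServerSection("10.49.7.17", try_all, answer),
    ])


def separate_databases_scenario(try_all: bool) -> Outcome:
    """Constructed case: two Servers with separate user databases where only the
    second one knows the user, so only TryAllServers=true reaches an OK answer."""
    return authenticate([
        ServerSection("10.49.7.15", try_all, DENIED),
        ServerSection("10.49.2.5", try_all, OK),
    ])
```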


9.2.4.3 JAAS Module Configuration Files for SAP ID

Introduction

The JAAS module configuration file SLSsap.login must be configured if you want to use SAP ID-based authentication.

Example Configuration File

Here is an example of a finished configuration file:

SLSJaasModule {
    com.secude.transfair.pepperbox.SAPJaasModule sufficient
        SAPServer=10.49.7.3
        Client=000
        SystemNo=00
        SNCServerName=p:CN=SAP NetWeaver 2004, O=secude.local, C=DE
        SAPaccount=SLSServer
        NativeLibraryPath=C:\\SECUDE;
};

Configurable Properties

The following table details the properties within the JAAS module configuration file for SAP ID (in alphabetical order):

Client (Mandatory)
    SAP System ID

NativeLibraryPath (Mandatory)
    The fully qualified path to the native files (SECUDE SNC plus, if needed, SAP JCO)

PasswordAlphanumeric (Optional)
    This parameter is part of the password policy for the Client-side policy consistency check. Possible values:
    - true (default): the password can contain only alphanumeric characters (A-Z, a-z, 0-9).
    - false: the password can contain alphanumeric and special characters (such as !$%&).
    This parameter must be consistent with the SAP password policy.

PasswordMax (Optional)
    This parameter is part of the password policy for the Client-side policy consistency check, specifically the maximum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 30

PasswordMin (Optional)
    This parameter is part of the password policy for the Client-side policy consistency check, specifically the minimum number of characters in the password to be used. This parameter must be consistent with the SAP password policy. Default value = 1

SAPaccount (Mandatory)
    The SAP user account name for the SECUDE Secure Login Server.

SAPServer (Mandatory)
    IP or URL of the SAP Server.

SNCServerName (Mandatory)
    The DN of the SAP Server, as stated in the Server certificate (the subject DN of the X.509 certificate). For example: p:CN=SAP NetWeaver 2004, O=secude.local, C=DE

SystemNo (Mandatory)
    SAP System Number

TryAllServers (optional)
    Determines when to try the next Server in the list. Values:
    - false (default): Try the next Server only if this Server cannot be reached.
    - true: Try the next Server if this Server cannot be reached or answers Access Denied.
    All Servers have to be configured to either false or true.

Please contact the SAP Server administrator to make sure that the password policy information in the configuration file is correct.

Related Information

For information about SECUDE Secure Login Server error codes that may be produced by the JAAS module, refer to section 8.3 SAP ID Error Codes and Return Codes on page 232.


9.2.5 Files for Server Message Configuration

Introduction

The SECUDE Secure Login Server can provide localized messages for the Clients. This is done by creating property files for all required languages. It is recommended to use the Administration Console to edit any messages (see section 6.1.11 on page 156).

Location of the Message Property Files

The property files have to be provided in the classes subdirectory of the application Server's Webapps directory. For example (Tomcat): <Tomcat home>\Webapps\securelogin\WEB-INF\classes

Message Property File Names

The property files for the Server messages are as follows:
- ServerMsg.properties
- ServerMsg_<language>.properties
- ServerMsg_<language>_<country>.properties
The naming convention for the ServerMsg_ files varies according to the following:
- <language>: ISO 639 language code, consisting of two lower case letters
- <country>: ISO 3166 country code, consisting of two upper case letters
The Server provides the messages in the language requested by the Client, if available, or else uses a more generic language. For example, if the Client requests language de_CH, the Server provides messages configured for de_CH, if available. If de_CH is not available, the Server provides messages configured for de, if available. If de is also not available, the Server provides messages configured in the generic ServerMsg.properties file.

Message Format

The message format can be either plain text or rich text. Rich text messages are contained in a body element. You can use the following codes:

<body>message</body>
    The whole rich text message has to be enclosed in body start and end tags.
\r\n
    Inserts a line break.
<b>text</b>
    Uses bold formatting for text.
<i>text</i>
    Uses italics formatting for text.
<any color=red>text</any>
    Uses the color red for text (red is the only color supported).
<a href=URL>anchor</a>
    Inserts a link to the destination URL with the link text anchor.

9.2.5.1 Configurable Messages

A property file for Server messages contains pairs of message codes and message values. Every property file must contain all message codes, but the message value part may be left empty. It is recommended to use the Administration Console to edit any messages (see section 6.1.11 on page 156). To split long messages in the property file over several lines, use backslash (\) escaped line endings. The configurable messages are as follows (the values shown are the messages as delivered with Secure Login):

AUTH_EMPTY_CREDENTIAL_ERROR_MSG
    No empty usernames or passwords are allowed.

AUTH_LDAP_NAMING_ERROR_MSG
    The LDAP Server denied the retrieval of data with the entered username and password.

AUTH_RESULT_ACTION_DENIED_MSG
    The authentication failed.
    This message can be combined with the variable $SERVERMSG to present the user with a reason for the denial. The $SERVERMSG variable is an option to forward the raw Authentication Server message to the Secure Login Client. For example:
    Access denied because..$SERVERMSG
    The $SERVERMSG variable should only be used with Sun directory Servers and SAP-ID. If used with RSA, no messages will be sent by default, and if used with ADS, a cryptic text message will be sent.

AUTH_RESULT_ACTION_OK_MSG
    The authentication process has finished successfully.

AUTH_SERVER_CANT_RESOLVE_MSG
    The Authentication Server name cannot be resolved.

AUTH_SERVER_TIMEOUT_MSG
    While trying to reach the Authentication Server, a timeout occurred.

CONFIG_ACTION_DISCLAIMER_MSG
    The disclaimer message.

CONFIG_ACTION_MSG
    The salutatory message.

ERROR_ACTION_FORMAT_MSG
    An error occurred due to a message sent by the Client, which the Server cannot interpret.

ERROR_ACTION_INTERNAL_MSG
    A fatal error occurred due to Server problems.

<ServerID>_WARN_MSG
    <body><b>Attention!</b>Your password will expire on $EXPDATE</body>

NEW_PIN_REPLY_ACCEPTED_MSG
    The newly selected PIN has been accepted by the Server.

NEW_PIN_REPLY_REJECTED_MSG
    The newly selected PIN has been rejected by the Server.

NEW_PIN_REQUIRED_ACTION_MSG
    The user has to enter a new PIN for a Server-forced PIN change.

SEND_NEXT_TOKEN_CODE_ACTION_MSG
    The user has to enter the next token code displayed on the RSA SecurID token.

STATUS_ACTION_MSG
    The current Server status is enclosed with this transfairgram (only for diagnostic purposes).

In addition, optional password expiration messages for LDAP Authentication Servers can be included in this file. For further information refer to section 9.2.5.2 Password Expiry Warning Message on page 264.
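The locale fallback of section 9.2.5 (de_CH, then de, then the generic file), the backslash line continuation and the $SERVERMSG substitution of this section, as an added example that is not SECUDE's code; the two property files are constructed inline and stand in for files in the WEB-INF\classes directory, and the handling of an empty value (returned as an empty message) is this example's assumption since the manual does not specify it.

```python
"""Added example, not SECUDE's code: resolves the ServerMsg property file for a
Client locale with the fallback order of section 9.2.5, parses backslash-continued
lines and fills in $SERVERMSG. The file contents are constructed, not shipped files."""
from typing import Dict, List

# Stand-ins for files in <Tomcat home>\Webapps\securelogin\WEB-INF\classes.
# Every file has to list every message code; a value may be left empty.
FILES: Dict[str, str] = {
    "ServerMsg.properties": (
        "AUTH_RESULT_ACTION_OK_MSG=The authentication process has finished \\\n"
        "    successfully.\n"
        "AUTH_RESULT_ACTION_DENIED_MSG=Access denied because..$SERVERMSG\n"
    ),
    "ServerMsg_de.properties": (
        "AUTH_RESULT_ACTION_OK_MSG=Die Authentifizierung war erfolgreich.\n"
        "AUTH_RESULT_ACTION_DENIED_MSG=\n"
    ),
}
# Subset of the message codes from section 9.2.5.1 used by this example.
REQUIRED_CODES = ["AUTH_RESULT_ACTION_OK_MSG", "AUTH_RESULT_ACTION_DENIED_MSG"]


def parse_properties(text: str) -> Dict[str, str]:
    """Parse CODE=value lines. A line ending in a backslash continues on the next
    line, whose leading whitespace is dropped (the manual's way to split long messages)."""
    messages: Dict[str, str] = {}
    logical = ""
    for raw in text.splitlines():
        piece = raw if logical == "" else raw.lstrip()
        if piece.endswith("\\"):
            logical += piece[:-1]
            continue
        logical += piece
        if "=" in logical:
            code, value = logical.split("=", 1)
            messages[code.strip()] = value
        logical = ""
    return messages


def candidate_files(locale: str) -> List[str]:
    """Fallback chain for a Client locale: de_CH gives ServerMsg_de_CH,
    ServerMsg_de and finally the generic ServerMsg.properties."""
    parts = locale.split("_")
    names = ["ServerMsg_" + "_".join(parts[:i]) + ".properties"
             for i in range(len(parts), 0, -1)]
    names.append("ServerMsg.properties")
    return names


def load_messages(locale: str) -> Dict[str, str]:
    """Return the messages of the most specific file available. A file that omits a
    code is rejected rather than silently used, since all codes must be present."""
    for name in candidate_files(locale):
        if name not in FILES:
            continue
        messages = parse_properties(FILES[name])
        missing = [code for code in REQUIRED_CODES if code not in messages]
        if missing:
            raise ValueError(f"{name} lacks message codes: {missing}")
        return messages
    raise FileNotFoundError("the generic ServerMsg.properties file is required")


def denied_message(locale: str, server_msg: str) -> str:
    """Render AUTH_RESULT_ACTION_DENIED_MSG with the raw Authentication Server text
    substituted for $SERVERMSG. An empty configured value yields an empty message
    (assumption: the manual only says the value may be left empty)."""
    template = load_messages(locale)["AUTH_RESULT_ACTION_DENIED_MSG"]
    return template.replace("$SERVERMSG", server_msg)
```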

9.2.5.2 Password Expiry Warning Message

Introduction

The property file for Server messages may optionally contain password expiry warning messages for any LDAP Authentication Server. An entry for such a message has the following structure:

ServerID_WARN_MSG = <body><b>Attention!</b> Your password will expire on $EXPDATE.</body>

Examples

The following list details the variables in the warning message:

ServerID
    Determines which password expiry warning is used for which Server. Corresponds to the ServerID property in the JAAS module configuration file (see section 9.2.4.1 JAAS Module Configuration Files for LDAP/ADS on page 253).

$EXPDATE
    You can use the $EXPDATE variable in the password expiry warning to state the expiry date in the message. The date is retrieved from the LDAP/ADS Server using the PasswordExpirationAttribute property in the JAAS module configuration file. The date is formatted according to the local settings of the Client.
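The decoding of the PasswordExpirationAttribute date formats listed in section 9.2.4.1 and the rendering of ServerID_WARN_MSG with $EXPDATE, as an added example that is not SECUDE's code. It assumes the standard 14-digit LDAP GeneralizedTime form (YYYYMMDDhhmmss followed by Z or a +hhmm/-hhmm offset, with an optional fraction for the ADS variant), treats the Microsoft value as a FILETIME count of 100-nanosecond intervals since 1 January 1601 (the unit under which the table's sample value 127984619236406250 decodes to 27 July 2006), and renders the date as ISO 8601 UTC instead of the Client's locale format.

```python
"""Added example, not SECUDE's code: decodes the PasswordExpirationAttribute
value formats of the LDAP/ADS module and renders <ServerID>_WARN_MSG with
$EXPDATE filled in when expiry lies within PasswordExpirationGracePeriod."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# LDAP GeneralizedTime: YYYYMMDDhhmmss, optional fraction (the ADS ".0" form),
# then Z or a +hhmm/-hhmm offset. A bare digit string is treated as FILETIME.
_GENERALIZED_TIME = re.compile(r"^(\d{14})(?:\.(\d+))?(Z|[+-]\d{4})$")
# Assumption: the Microsoft value counts 100-nanosecond intervals since 1601-01-01
# (Windows FILETIME); only under that unit does 127984619236406250 land in July 2006.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_expiry(value: str) -> datetime:
    """Return the password expiry instant as a timezone-aware datetime."""
    match = _GENERALIZED_TIME.match(value)
    if match:
        stamp = datetime.strptime(match.group(1), "%Y%m%d%H%M%S")
        fraction = match.group(2) or ""
        stamp = stamp.replace(microsecond=int((fraction + "000000")[:6]))
        zone = match.group(3)
        if zone == "Z":
            return stamp.replace(tzinfo=timezone.utc)
        sign = 1 if zone[0] == "+" else -1
        offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5]))
        return stamp.replace(tzinfo=timezone(offset))
    if value.isdigit():
        return _FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)
    raise ValueError(f"unsupported PasswordExpirationAttribute value: {value!r}")


def expiry_warning(server_id: str, attribute_value: str, grace_days: int,
                   messages: Dict[str, str], now: datetime) -> Optional[str]:
    """Return the warning text for this Server, or None when none is due.
    The key is <ServerID>_WARN_MSG, matching the ServerID property of the JAAS
    section. The date is rendered as ISO 8601 UTC here; the real Client formats
    it according to its local settings."""
    expiry = parse_expiry(attribute_value)
    if expiry - now > timedelta(days=grace_days):
        return None                     # still outside the grace period
    template = messages.get(f"{server_id}_WARN_MSG")
    if not template:
        return None                     # no warning configured for this ServerID
    shown = expiry.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return template.replace("$EXPDATE", shown)


# Constructed message entry for the ServerID=LDAP1 section of the sample file.
SAMPLE_MESSAGES = {
    "LDAP1_WARN_MSG": "<body><b>Attention!</b> Your password will expire "
                      "on $EXPDATE.</body>",
}
```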

9.3 Secure Login Client Registry Values

Introduction

The properties for the Secure Login Client system service can be configured using the customer.reg file or can be integrated in the company's group policies. The property names are not case-sensitive.

Location

The following properties:
- HttpProxyUrl
- SSLHostCommonNameCheck
- SSLHostAlternativeNameCheck
- SSLHostExtensionCheck
- UseSslPse
can be located under the registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\Profiles\<profile name>]

The other properties can be located under the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SECUDE\SecureLogin\System

The following properties can be created/edited:

DisableUpdatePolicyOnStartup (BOOLEAN)
    This sets whether the Client policy file is automatically downloaded and registered from an XML file when the system service is started. true = disable automatic policy download. false (default) = enable automatic policy download.

HttpProxyURL (STRING)
    HTTP proxy to be used with PolicyURL. Only HTTP proxies without authentication and without SSL to the proxy are supported. Example: http://proxy.secude.com:3128

NetworkTimeout (DWORD)
    Network timeout in seconds before the connection is closed if the Server does not respond (default: 45).

PolicyRetries (DWORD)
    The number of times the Client tries to retrieve the ClientPolicy.xml file from the policy Server before giving up.

PolicyTTL (DWORD)
    Policy time-to-live. The lifetime, in minutes, of the SECUDE Secure Login Client policy before the ClientPolicy.xml file is retrieved from the policy Server again.

PolicyURL (STRING)
    Network resource from which the latest SECUDE Secure Login Client policy can be downloaded. Mandatory if an XML file is used for the policy Server, see section 9.1.1 ClientPolicy.xml File on page 239. Example: https://securelogin.secude.com:8443/securelogin/ClientPolicy.xml

SSLHostCommonNameCheck (BOOLEAN)
    SSL Server certificate: check if the peer host name is given in its subject common name (default: false).

SSLHostAlternativeNameCheck (BOOLEAN)
    SSL Server certificate: check if the peer host name is given in its subject alternative names (default: false).

SSLHostExtensionCheck (BOOLEAN)
    SSL Server certificate: check if the peer's certificate has the extended key usage ServerAuthentication set (default: false).

useSslPse (BOOLEAN)
    If true, turns on the former SSL PSE based trust store for HTTPS. If false (default), the Microsoft CAPI is used for HTTPS trust.

9.4 Key Usage Reference

Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For example, if you have a key used only for signing, enable the digital signature and/or non-repudiation extensions. Alternatively, if a key is used only for key management, enable key encipherment. The following table describes the key usage extensions available for keys created using the CA process.

Digital signature
    Use when the public key is used with a digital signature mechanism to support security services other than non-repudiation, certificate signing, or CRL signing. A digital signature is often used for entity authentication and data origin authentication with integrity.

Non-repudiation
    Use when the public key is used to verify digital signatures used to provide a non-repudiation service. Non-repudiation protects against the signing entity falsely denying some action (excluding certificate or CRL signing).

Key encipherment
    Use when a certificate will be used with a protocol that encrypts keys. An example is S/MIME enveloping, where a fast (symmetric) key is encrypted with the public key from the certificate. The SSL protocol also performs key encipherment.

Data encipherment
    Use when the public key is used for encrypting user data, other than cryptographic keys.

Key agreement
    Use when the sender and receiver of the public key need to derive the key without using encryption. This key can then be used to encrypt messages between the sender and receiver. Key agreement is typically used with Diffie-Hellman ciphers.

Encipher only
    Use only when key agreement is also enabled. This enables the public key to be used only for enciphering data while performing key agreement.

Decipher only
    Use only when key agreement is also enabled. This enables the public key to be used only for deciphering data while performing key agreement.

Client authentication
    Enable only for Digital signature and/or Key agreement.

E-mail protection
    Enable only for Digital signature, Non-repudiation, and/or Key encipherment or Key agreement.

Encrypted filesystem
    This key usage is defined by Microsoft. The certificate can be used to encrypt files by using the Encrypting File System. For further information refer to: http://msdn2.microsoft.com/en-gb/library/aa378132.aspx

Smart card login
    This key usage is defined by Microsoft. The certificate enables an individual to log on to a computer via a smart card.

10 List of Abbreviations

ADS      Active Directory Service
CA       Certification Authority
CAPI     Microsoft Crypto API
CSP      Cryptographic Service Provider
DN       Distinguished Name
EAR      Enterprise Application Archive
HTTP     Hyper Text Transport Protocol
HTTPS    Hyper Text Transport Protocol with Secure Socket Layer (SSL)
JAAS     Java Authentication and Authorization Service
LDAP     Lightweight Directory Access Protocol
PIN      Personal Identification Number
PKCS     Public Key Cryptography Standards
PKCS#11  Cryptographic Token Interface Standard
PKCS#12  Personal Information Exchange Syntax Standard
PKI      Public Key Infrastructure
PSE      Personal Security Environment
RFC      Remote function call (SAP NetWeaver term)
RSA      Rivest, Shamir and Adleman
SLAC     Secure Login Administration Console
SLC      SECUDE Secure Login Client
SLS      SECUDE Secure Login Server
SNC      Secure Network Communication
SSL      Secure Socket Layer
UPN      User Principal Name
WAR      Web Archive
WAS      Web Application Server

Glossary

A

Authentication
A process that checks whether a person is really who they claim to be. In a multi-user or network system, authentication means the validation of a user's logon information. A user's name and password are compared against an authorized list.

B

Base64 encoding
The Base64 encoding is a three-byte to four-character encoding based on an alphabet of 64 characters. This encoding was introduced in PEM (RFC 1421) and MIME. Other uses include HTTP Basic Authentication headers and general binary-to-text encoding applications. Note: Base64 encoding expands binary data by 33%, which is quite efficient.

C

CAPI
See Cryptographic Application Programming Interface.

Certificate
A digital identity card. A certificate typically includes:
- The public key being signed.
- A name, which can refer to a person, a computer or an organization.
- A validity period.
- The location (URL) of a revocation center.
- The digital signature of the certificate produced by the CA's private key.
The most common certificate standard is the ITU-T X.509.

Certification Authority (CA)
An entity which issues and verifies digital certificates for use by other parties.

Certificate Store
Sets of security certificates belonging to user tokens or certification authorities.

CREDDIR
A directory on the Server in which information is placed that goes beyond the PSE (personal security environment).

Credentials
Used to establish the identity of a party in communication. Usually they take the form of machine-readable cryptographic keys and/or passwords. Cryptographic credentials may be self-issued, or issued by a trusted third party; in many cases the only criterion for issuance is unambiguous association of the credential with a specific, real individual or other entity. Cryptographic credentials are often designed to expire after a certain period, although this is not mandatory. Credentials have a defined time to live (TTL) that is configured by a policy and managed by a Client service process.

Cryptographic Application Programming Interface (CAPI)
The Cryptographic Application Programming Interface (also known variously as CryptoAPI, Microsoft Cryptography API, or simply CAPI) is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography. It is a set of dynamically-linked libraries that provides an abstraction layer which isolates programmers from the code used to encrypt the data.

Cryptographic Token Interface Standard
A standardized crypto-interface for devices that contain cryptographic information or that perform cryptographic functions.

D

Directory Service
Provides information in a structured format. Within a PKI: contains information about the public key of the user of the security infrastructure, similar to a telephone book (e.g. an X.500 or LDAP directory).

Distinguished Name (DN)
A name pattern that is used to create a globally unique identifier for a person. This name ensures that a certificate is never created for different people with the same name. The uniqueness of the certificate is additionally ensured by the name of the issuer of the certificate (that is, the certification authority) and the serial number. All PKI users require a unique name. Distinguished Names are defined in the ISO/ITU X.500 standard.

K

Key Usage
Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For example, if you have a key used only for signing, enable the digital signature and/or non-repudiation extensions. Alternatively, if a key is used only for key management, enable key encipherment.

Key Usage (extended)
Extended key usage further refines key usage extensions. An extended key usage is either critical or non-critical. If the extension is critical, the certificate must be used only for the indicated purpose or purposes. If the certificate is used for another purpose, it is in violation of the CA's policy. If the extension is non-critical, it indicates the intended purpose or purposes of the key and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. The extension is then only an informational field and does not imply that the CA restricts use of the key to the purpose indicated. Nevertheless, applications that use certificates may require that a particular purpose be indicated in order for the certificate to be acceptable.

L

Lightweight Directory Access Protocol (LDAP)
A network protocol designed to extract information such as names and e-mail addresses from a hierarchical directory such as X.500.

P

PKCS#11
PKCS refers to a group of Public Key Cryptography Standards devised and published by RSA Security. PKCS#11 is an API defining a generic interface to cryptographic tokens.

PEM
See Privacy-Enhanced Mail.

Personal Identification Number (PIN)
A unique code number assigned to the authorized user.

Personal Information Exchange Syntax Standard
Specifies a portable format for saving or transporting a user's private keys, certificates, and other secret information.

Personal Security Environment
The PSE is a personal security area that every user requires to work with SECUDE. A PSE contains security-related information. This includes the certificate and its secret private key. The PSE can be either an encrypted file or a smart card and is protected with a password.

PIN
See Personal Identification Number.

Privacy-Enhanced Mail (PEM)
The first known use of Base 64 encoding for electronic data transfer was the Privacy-Enhanced Electronic Mail (PEM) protocol, proposed by RFC 989 in 1987. PEM defines a "printable encoding" scheme that uses Base 64 encoding to transform an arbitrary sequence of octets to a format that can be expressed in short lines of 7-bit characters, as required by transfer protocols such as SMTP. The current version of PEM (specified in RFC 1421) uses a 64-character alphabet consisting of upper- and lower-case Roman alphabet characters (A-Z, a-z), the numerals (0-9), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code. The original specification additionally used the "*" symbol to delimit encoded but unencrypted data within the output stream.

Public FSD
Public file system device. An external storage device that uses the same file system as the operating system.

Public Key Cryptography Standards
A collection of standards published by RSA Security Inc. for the secure exchange of information over the Internet.

Public Key Infrastructure
Comprises the hardware, software, people, guidelines, and methods that are involved in creating, administering, saving, distributing, and revoking certificates based on asymmetric cryptography. It is often structured hierarchically. In X.509 PKI systems, the hierarchy of certificates is always a top-down tree, with a root certificate at the top, representing a CA that does not need to be authenticated by a trusted third party.

R

Root certification authority
The highest certification authority in a PKI. All users of the PKI must trust it. Its certificate is signed with a private key. There can be any number of CAs between a user certificate and the root certification authority. To check foreign certificates, a user requires the certificate path as well as the root certificate.

Root certificate
The certificate of the root CA.

RSA
An asymmetric cryptographic procedure, developed by Rivest, Shamir, and Adleman in 1977. It is the most widely used algorithm for encryption and authentication and is used in many common browsers and mail tools. Security depends on the length of the key: key lengths of 1024 bits or higher are regarded as secure.

Secure Network Communications A module in the SAP NetWeaver system that deals with the communication with external, cryptographical libraries. The library is addressed using GSS API functions and provides NetWeaver components with access to the security functionality of SECUDE. Secure Sockets Layer A protocol developed by Netscape Communications for setting up secure connections over insecure channels. Ensures the authorization of communication partners and the confidentiality, integrity, and authenticity of transferred data. Single sign-on A system that administrates authentication information allowing a user to logon to systems and open programs without the need to enter authentication every time (automatic authentication).

Token
A security token (sometimes called a hardware token, authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens. Smart-card-based USB tokens (which contain a smart card chip inside) provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a separate input device (smart card reader). From the computer operating system's point of view such a token is a USB-connected smart card reader with one non-removable smart card present. Tokens provide access to a private key that allows performing cryptographic operations. The private key may be persistent (as in a PSE file, smart card, or CAPI container) or non-persistent (like temporary SECUDE Secure Login keys).

Windows Credentials
A unique set of information authorizing the user to access the Windows operating system on a computer. The credentials usually comprise a user name, a password, and (optionally) a domain name.

X.500
A standardized format for a tree-structured directory service.

X.509
A standardized format for certificates and certificate revocation lists.


271


272


Index

A
About this manual ... 7
Active Directory Server (ADS) authentication ... 23
administration ... 119
administration console ... 119
administration console - application management ... 184
administration console - authentication management ... 131
administration console - certificate management ... 128
administration console - certificate template ... 143
administration console - change language ... 155
administration console - change the administrator password ... 122
administration console - client configuration ... 183
administration console - client profile management ... 187
administration console - console log viewer ... 165
administration console - files download ... 190
administration console - instance check ... 196
administration console - instance configuration ... 179
administration console - instance log management ... 192
administration console - instance management ... 178
administration console - message settings ... 156
administration console - open ... 119
administration console - server configuration ... 124
administration console - server instance status ... 197
administration console - server status ... 162
administration console - signed certificate requests ... 163
administration console - SSS&JCO installation ... 158
administration console - system backup ... 151
administration console - system check ... 149
administration console - system restore ... 152
administration console - TrustStore management ... 141
ADS/LDAP - configure ... 85
application management ... 184
archived log ... 196
authentication management ... 131
authentication method (PKI) ... 13

C
certificate management ... 128
certificate template ... 143
certificate template - create new ... 144
certificate template - export ... 147
certificate template - import ... 148
certificate template - mapping ... 146
change language ... 155
client authentication ... 266
client configuration ... 183
client policy ... 239
client profile management ... 187
client URL - troubleshooting ... 218
ClientPolicy.xml - registry keys ... 239
configurable messages ... 263
configurable properties ... 246
configuration.properties ... 248
Configure Authentication Server Communication ... 84
Configure SSL in Tomcat ... 36
console log viewer ... 165
Contacting Technical Support ... 10
Conventions used in this manual ... 9

D
daily log ... 193
daily log file ... 213
data encipherment ... 266
decipher only ... 266
digital signature ... 266
download files - secure login client ... 190

E
e-mail protection ... 266
encipher only ... 266
encrypted filesystem ... 266
environment variables - SAP ID-based logon ... 217
error and return codes ... 231

F
files download ... 190
files download - global client policy ... 191

G
global client policy ... 191

I
Icons used in this manual ... 10
instance check ... 196
instance configuration ... 179
instance log management ... 192
instance management ... 178
instance status ... 197
Instances - global client policy ... 191
instances - overview ... 18

J
JAAS module - configuration files ... 253
JAAS module - LDAP/ADS ... 253
JAAS module - RADIUS/RSA ... 257
JAAS module - SAP ID ... 260
JCO - installation ... 158

K
key agreement ... 266
key encipherment ... 266
Key Length Policies ... 212
key usage - reference ... 238, 266

L
LD_LIBRARY_PATH ... 217
log files ... 213
log settings ... 195
logging - archived log files ... 196
logging - daily log ... 193
logging - daily log file ... 213
logging - instance log management ... 192
logging - log settings ... 195
logging - monthly log file ... 215
logging - view console logs ... 165

M
message settings ... 156
messages - configure ... 263
Microsoft crypto store ... 12
Microsoft group policies ... 245
Migrate from an Existing SECUDE secure login Server ... 82
monthly log file ... 215

N
non-repudiation ... 266

O
other administration features ... 206

P
password expiry - warning message ... 264
password expiry warnings ... 220
PKI certificate ... 12
policy server overview ... 30
PseServer.lock ... 216

R
RADIUS / RSA authentication ... 24
RADIUS/RSA - configure ... 86
registry values - secure login client ... 264
Related documentation ... 7
Restore from an Existing secure login Server Backup (*.zip) File ... 83
return codes ... 231

S
SAP ID authentication ... 25
SAP ID-based logon - configure ... 87
SAP Logon Ticket authentication ... 28
SAP Logon Ticket-based logon - configure ... 89
SAP NetWeaver ... 49
SAP NetWeaver - installation ... 40, 42
SECUDE50secureloginServer.zip ... 109
secure login - authentication Method (PKI) ... 13
secure login - authentication methods ... 22
secure login - instance/server lock ... 219
secure login - server lock and unlock ... 216
secure login - system overview ... 16
secure login - what is it? ... 11
secure login client - registry values ... 264
secure login client - remove ... 106
secure login client - installation ... 94, 98
secure login client - installation MSI options ... 103
secure login client - rollout ... 97
secure login components ... 13
secure login server - remove (ADS, LDAP, Radius, SAP ID) ... 91
secure login server - remove (SAP NetWeaver) ... 92
server configuration ... 124
server installation ... 32
server lock and unlock ... 216
server message configuration files ... 262
Server Setup Wizard ... 43, 54, 63
server status ... 162
signed certificate requests ... 163
signon&secure - installation ... 158
smart card login ... 266
SNC connection - troubleshooting ... 221
SQL Database Table authentication ... 22, 28
SQL Database-based logon - configure ... 89
SSL.PSE ... 218
SSL.PSE-based TrustStore for HTTPS ... 218
SSS&JCO installation ... 158
status query - internet browser ... 206
Support ... 10
system backup ... 151
system check ... 149
system overview ... 12, 16
system overview - PKI ... 13
system restore ... 152

T
Target audience ... 7
Technical Support, contacting ... 10
Tomcat - configure SSL ... 36
trace messages - enable/disable ... 215
tracing ... 215
Troubleshooting ... 211
TrustStore management ... 141

W
warnings - password expiry ... 220
Web Client ... 109
web.xml ... 247
what is SECUDE secure login? ... 11

X
XML Interface ... 209
