
Page 1: SPNEGO based Single Sign-On using Secure Login …a248.g.akamai.net/n/248/420835/e56052b462738220845... · certutil –dsPublish –f  RootCA 75. You will get

SPNEGO SINGLE SIGN-ON USING SECURE LOGIN SERVER X.509 CLIENT CERTIFICATES

TABLE OF CONTENTS

SCENARIO

IMPLEMENTATION STEPS

PREREQUISITES

1. CONFIGURE ADMINISTRATOR FOR THE SECURE LOGIN ADMINISTRATION CONSOLE

2. SECURE LOGIN SERVER INITIALIZATION

3. ENABLE SPNEGO BASED SINGLE SIGN-ON USING SECURE LOGIN SERVER

3.1 CONFIGURE A SERVICE USER FOR SPNEGO IN THE MICROSOFT ACTIVE DIRECTORY

3.2 CONFIGURE SPNEGO AUTHENTICATION FOR THE SECURE LOGIN SERVER

3.3 SSL CONFIGURATION BASED ON CERTIFICATE SIGNED BY SECURE LOGIN SERVER

3.4 SECURE LOGIN CLIENT CONFIGURATION


SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates


SCENARIO

Your company uses Secure Login Server to issue short-lived X.509 client certificates for authentication to the SAP and non-SAP business systems across your landscape. Your company also uses Microsoft Active Directory, and you now want to re-use the Kerberos tickets issued by the MS Domain Controller (the KDC) so that users obtain Secure Login Server X.509 client certificates without a second logon.

After implementing this scenario, your domain users authenticate only once, with their Microsoft Active Directory credentials, and are then authenticated automatically to any SAP or non-SAP system that requires short-lived X.509 client certificates and on which they have been granted authorizations.

IMPLEMENTATION STEPS


PREREQUISITES

1. You have SAP Application Server Java installed and configured with SSL enabled.

For more details how to install SAP Application Server JAVA, see:

INSTALLATION & IMPLEMENTATION SAP NETWEAVER 7.5

For more details how to configure SSL see:

CONFIGURING THE USE OF SSL ON THE AS JAVA

2. Secure Login Server (SLS) installed. For more details how to install Secure Login Server see:

SECURE LOGIN SERVER INSTALLATION

Note: Always refer to the PRODUCT AVAILABILITY MATRIX FOR SAP SSO 3.0 for more information about currently supported components and platforms.

3. Secure Login Client (SLC) installed on the user machine. For more details how to install Secure Login Client see:

SECURE LOGIN CLIENT INSTALLATION


1. CONFIGURE ADMINISTRATOR FOR THE SECURE LOGIN ADMINISTRATION CONSOLE


1. Log on to SAP NetWeaver Administrator at https://<host>:<port>/nwa.

2. Navigate to Configuration > Identity Management > Click “Create User”.

3. Provide a Logon ID (for example “SLAC_ADMIN”), password and Last Name for the user.


4. Navigate to tab “Assigned Roles” and search in the “Available Roles” (on the left side) for the role “SLAC_SUPERADMIN”.

5. Select the role and click “Add” to assign this role to the SLAC_ADMIN user.

6. Click “Save” to save the info about “SLAC_ADMIN” UserID.

7. As a result you will have a new administrative user with access to the Secure Login Administration Console (SLAC).


2. SECURE LOGIN SERVER INITIALIZATION


8. Log on to Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the new administrative account “SLAC_ADMIN”. Note: The system will require a reset of the initial password if this is the first time you are logging in with this user.

9. Start the “Initialization” with option “Manual”. Note: If the default option for your Secure Login Server installation is “Automatic”, you will get a confirmation message. Click “Yes” to confirm that you want to proceed with this change.

10. On the “Root CA” step provide the Country Name (in our example “DE”) and the Organizational Name (in our example “ABC”).

11. Click “Next”.


12. On the step “User CA” click “Next”.

13. On the step “SAP CA” click “Next”.

14. On the step “SSL CA” click “Next”.


15. On the step “User Certificate Configuration” provide the “Country Name” (in our example “DE”).

16. Click “Finish”.

17. After finishing the configuration the initialization will start and when it is completed you will receive the following message: “Secure Login Server has been initialized”.

18. Click “Go” button.


3. ENABLE SPNEGO BASED SINGLE SIGN-ON USING SECURE LOGIN SERVER

3.1 CONFIGURE A SERVICE USER FOR SPNEGO IN THE MICROSOFT ACTIVE DIRECTORY


Step 1: Create a Service User for SPNEGO in the Microsoft Active Directory

19. Open the tool “Active Directory Users and Computers” on the Active Directory Server (ADS) and go to the “Users” branch.

20. Click the right mouse button to create “New” > “User”.


21. Provide for the new user “First Name” (example “Kerberos”), “Last Name” (example “A01”) and “User logon name” (example “KerberosA01”, where A01 is your Application Server SID).

22. Click “Next”.

23. Provide a password for the new user.

24. Select “User cannot change password” and “Password never expires”. Note: The KeyTab you generate in section 3.2 is derived from this password, so choose a long, random password and keep in mind that any later password change invalidates the KeyTab until it is re-created.

25. Click “Next”.

26. To complete the creation of the new user click “Finish”.


Step 2: Setup servicePrincipalName for the New Service User

27. Find your new user (example “Kerberos A01”) in the list with users and double click to open the user properties.

28. Go to the tab “Attribute Editor”. Note: If you don’t see the “Attribute Editor” tab, you may alternatively start adsiedit.msc from the Microsoft Windows start menu.

29. Search for the attribute with name “servicePrincipalName”, select it and click “Edit”.

30. Add as new value “HTTP/<fully qualified name of the Application Server Java>” (example HTTP/mo-1339aa6dc.mo.sap.corp). Click “Add” and the value will appear in the list with “Values”.

31. Click “OK” to save the new setting.
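Steps 19 to 31 can also be done from PowerShell. The script below is an added example and is not part of the SAP document: it creates the service user, refuses to proceed if the SPN is already registered on another object (a duplicate SPN breaks Kerberos authentication to the service), writes the servicePrincipalName, and verifies the result on the domain controller and from a client. It assumes the RSAT ActiveDirectory module and a domain admin session on the DC, and reuses the document’s example values (SID A01, FQDN mo-1339aa6dc.mo.sap.corp, realm CI1.SAPSSO.DEV).

```powershell
# Added example, not part of the SAP document. Values are the document's examples;
# requires the RSAT ActiveDirectory module and a domain admin session on the DC.
Import-Module ActiveDirectory

$Sid   = 'A01'                        # Application Server SID
$Fqdn  = 'mo-1339aa6dc.mo.sap.corp'   # fully qualified name of the AS Java host
$Realm = 'CI1.SAPSSO.DEV'             # AD realm, as entered in NWA in step 34
$Sam   = "Kerberos$Sid"
$Spn   = "HTTP/$Fqdn"

# Guard: an SPN may be registered on only one account in the forest. If it already
# belongs to another object, Kerberos authentication to the service breaks, so stop
# before creating anything.
$owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)"
if ($owners) {
    throw "SPN $Spn already belongs to: $($owners.DistinguishedName -join ', ')"
}

# Steps 21 to 26: the service account. The KeyTab built in section 3.2 is derived from
# this password, so use a long random one and rebuild the KeyTab if it ever changes.
$Password = Read-Host -AsSecureString "Password for $Sam"
$userParams = @{
    Name                 = "Kerberos $Sid"
    GivenName            = 'Kerberos'
    Surname              = $Sid
    SamAccountName       = $Sam
    UserPrincipalName    = "$Sam@$($Realm.ToLower())"
    AccountPassword      = $Password
    CannotChangePassword = $true
    PasswordNeverExpires = $true
    Enabled              = $true
    Description          = "SPNEGO service account for AS Java $Sid"
}
New-ADUser @userParams

# Steps 27 to 31: the servicePrincipalName attribute.
Set-ADUser -Identity $Sam -ServicePrincipalNames @{ Add = $Spn }

# Verify on the DC: the SPN is on this account, and setspn -X reports no duplicate SPNs.
$registered = (Get-ADUser -Identity $Sam -Properties servicePrincipalName).servicePrincipalName
if ($registered -notcontains $Spn) { throw "SPN $Spn was not written to $Sam" }
setspn -X

# Verify from a domain-joined client once the KeyTab is enabled (section 3.2): requesting
# a service ticket for the SPN shows that the KDC maps HTTP/<fqdn> to the new account.
#   klist purge
#   klist get HTTP/mo-1339aa6dc.mo.sap.corp
#   klist          # the ticket listed for HTTP/<fqdn> is what SPNEGO sends to the AS Java
```

The duplicate-SPN guard runs before New-ADUser, so a hit can only mean a conflicting object; the klist lines are run on a client, not on the DC.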


3.2 CONFIGURE SPNEGO AUTHENTICATION FOR THE SECURE LOGIN SERVER


32. Log on to SAP NetWeaver Administrator at https://<host>:<port>/nwa

33. Navigate to “Configuration” > “Authentication and Single Sign-On” > tab “SPNEGO”.

34. Click “Add” and select “Manually” to add a new KeyTab. Enter the realm name of your Microsoft Active Directory domain (example CI1.SAPSSO.DEV).

35. Click “Next”.

36. Provide the “Principal Name” and the password of the service user, created previously in the Microsoft Active Directory domain (in our example “KerberosA01”).


37. Click “Next”.

38. Choose from the drop-down list of the “Mapping Mode” the value “Principal@REALM” and select “virtual user” as a “Source” value.

39. Click “Finish”.

40. Click “Enable” for your new Service User KeyTab.

41. Your Service User KeyTab is now activated.


3.3 SSL CONFIGURATION BASED ON CERTIFICATE SIGNED BY SECURE LOGIN SERVER


Step 1: Check the Host Name of the Client Authentication Profile

42. Log on to Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (“SLAC_ADMIN”).

43. Navigate to “Authentication Profiles”.

44. Select the Authentication Profile “Windows Authentication (SPNEGO)”.

45. Go to tab “Secure Login Client Settings” and make sure that the host name of the “Enrollment URL” is the fully qualified name (example mo-1339aa6dc.mo.sap.corp) and that the “Port” is correct (in our example 443).


Step 2: Generate SSL Server Certificate

46. Navigate to “Certificate Management” tab and make sure that the status of your “Root CA” is green.

47. Expand “Root CA” and select “SSL Sub CA”

48. Click the “Issue Entry” button.

49. Provide as “Entry Name” the fully qualified name of the Application Server Java (for example mo-1339aa6dc.mo.sap.corp).

50. Set this fully qualified name of the Application Server Java also as “DNS Name” (for example mo-1339aa6dc.mo.sap.corp) in the “Subject Alternative Names”.

51. Click “Next”.

52. On the step with “Subject Properties” setup provide “Country Name” (for example ”DE”) and “Common Name” – the fully qualified name of the Application Server Java (for example mo-1339aa6dc.mo.sap.corp).

53. Click “Next”.


54. Click “Finish” to complete the certificate generation.

55. Your certificate will appear under the “SSL Sub CA” and it will be of type “SSL SERVER”.


Step 3: Import Secure Login Server Certificate to the SSL Configuration

56. Log on again to SAP NetWeaver Administrator at https://<host>:<port>/nwa

57. Navigate to Configuration > SSL Configuration. Click “Edit”.

58. Go to the “Details of port xxxx”.

59. Click “Copy Entry”.

60. Select from the drop-down list “From View” the value “SecureLoginServer”.

61. Select from the drop-down list “From Entry” the certificate created in the SLAC under “SSL Sub CA” (in our example mo-1339aa6dc.mo.sap.corp).

62. Make sure that the “To Entry” is the one of the selected SAP Java instance.

63. Click “Import”.

64. Select and delete the default identity “ssl-credentials”.

65. Click “OK” to confirm the deletion.


66. Click “Save” to confirm the configuration.

67. A restart is required. Click “Restart Now”. (You can also select “Restart Later” if necessary, but your configuration is only complete after the restart.)

68. You have to wait for the restart to finish and afterwards your SSL configuration will be ready.


3.4 SECURE LOGIN CLIENT CONFIGURATION


Step 1: Export the Root CA certificate from the Secure Login Server

69. Log on to Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (“SLAC_ADMIN”).

70. Navigate to “Certificate Management”. Select “Root CA” and click “Export Entry”.

71. Choose the export format “X.509 Certificate”. The dialog box displays the file name, type, size, and the download link.

72. Choose “Download” button and save it in a location of your choice (for example in a folder on your Domain Controller). (Optional: Rename the file so that it indicates the origin of the root CA certificate).


Step 2: Installing Root CA Certificates on a Windows Client

To ensure secure communication and a trust relationship, you should install the Secure Login Server root CA certificate on the Windows clients. There are three options for this step:

Option 1: Distribute the Secure Login Server root CA certificate via the Microsoft Domain Controller:

73. Log on as an administrator to your Domain Controller and start a command prompt in Microsoft Windows.

74. Use the following command: certutil -dsPublish -f <root_CA_file> RootCA

75. You will get as a result: “CertUtil: -dsPublish command completed successfully.”

76. Restart your client. (After a restart the group policies are updated, which pushes the certificate to the client. You can also trigger this with the command gpupdate /force.)

As an alternative to Option 1 you can use one of these two types of installation:

Option 2: Distribute Secure Login Server Root CA Certificates Using Microsoft Group Policies. For more details see: DISTRIBUTE SECURE LOGIN SERVER ROOT CA CERTIFICATES USING MICROSOFT GROUP POLICIES

Option 3: Installing Root CA Certificates on a Windows Client. For more details see: INSTALLING ROOT CA CERTIFICATES ON A WINDOWS CLIENT
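Option 1 as a script, with the checks a practitioner wants afterwards. This is an added example and not part of the SAP document: the first function runs on the domain controller and publishes the exported root CA with certutil; the second runs on a domain-joined client and confirms that the certificate has reached the machine Trusted Root store and that the AS Java now serves the certificate issued in section 3.3, chaining to that root and carrying the FQDN in its Subject Alternative Name. The file path, the thumbprint hand-over between the two machines, port 443 and the FQDN are assumptions.

```powershell
# Added example, not part of the SAP document. Paths, port and FQDN are assumptions
# taken from the document's examples.

# --- Domain Controller (steps 73 to 75): publish the SLS root CA to the domain ---
function Publish-SlsRootCa {
    param([Parameter(Mandatory)][string]$RootCaFile)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCaFile
    # certutil is a plain executable; check its exit code rather than its text.
    certutil -dsPublish -f $RootCaFile RootCA | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -dsPublish failed (exit code $LASTEXITCODE)" }
    Write-Host "Published $($cert.Subject), thumbprint $($cert.Thumbprint)"
    return $cert.Thumbprint   # hand this value to the client-side check
}

# --- Domain-joined client (step 76 and section 3.3): verify trust and the served cert ---
function Test-SlsTrust {
    param(
        [Parameter(Mandatory)][string]$RootThumbprint,
        [Parameter(Mandatory)][string]$Fqdn,
        [int]$Port = 443
    )
    gpupdate /force | Out-Null
    if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootThumbprint)) {
        throw "Root CA $RootThumbprint is not in LocalMachine\Root; group policy has not applied yet"
    }

    # Let Windows validate the handshake against the machine store: a server certificate
    # that does not chain to a trusted root makes AuthenticateAsClient throw.
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($Fqdn, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($server)
        $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        # Step 50 put the FQDN into the SAN (OID 2.5.29.17); modern TLS clients match the
        # host name against the SAN, not the CN.
        $san    = $server.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            Subject         = $server.Subject
            Issuer          = $server.Issuer
            NotAfter        = $server.NotAfter
            ChainsToSlsRoot = ($root.Thumbprint -eq $RootThumbprint)
            FqdnInSan       = [bool]($san -and ($san.Format($false) -match [regex]::Escape($Fqdn)))
        }
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

# Usage (assumed paths and names):
#   $tp = Publish-SlsRootCa -RootCaFile 'C:\sls\SLS_RootCA.cer'          # on the DC
#   Test-SlsTrust -RootThumbprint $tp -Fqdn 'mo-1339aa6dc.mo.sap.corp'   # on the client
```

If Test-SlsTrust throws in AuthenticateAsClient, the client does not yet trust the chain or the AS Java still serves the old ssl-credentials identity (step 64 to 68 not completed or the restart still pending); if it returns FqdnInSan = False, the entry issued in step 49 to 52 did not carry the FQDN as DNS Name.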

Step 3: Setup Policy Update Interval

If there are any changes in the profiles, the most recent configuration is automatically updated in the Secure Login Client after a defined time – “Policy Update Interval” configurable in minutes. The default value for the Policy Update Interval is 0. You can change it for example to 480 minutes (8 hours) and this setting will force the profile to be refreshed (downloaded) on your Secure Login Clients at intervals of 8 hours.

77. Log on to Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (“SLAC_ADMIN”).


78. Navigate to the List of Profile Groups. Select the respective profile group and click “Edit” to change the details of the group.

79. Change the “Policy Update Interval (minutes)” value to the number of minutes you need (in our example 480 minutes).

80. Check the “IP Address/Host Name” field – it must contain the correct fully-qualified name of the server (in our example mo-1339aa6dc.mo.sap.corp). Click “Save”.

Step 4: Download Profile Group Policy

81. Log on to Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (“SLAC_ADMIN”).


82. Navigate to Profile Management > User Profile Groups.

83. Select the Profile Group that you want to distribute to Secure Login Clients. Click “Download Policy”.

84. Download the Registry File with the Policy URL that specifies the resource file, which includes the latest configuration of all client authentication profiles in the group (in our example ProfileDownloadPolicy_SecureLoginDefaultGroup.reg). Save the file in a location of your choice on the client machine.

Step 5: Import Profile Group Policy on the client machine

85. Make sure that the registry file, downloaded on the previous step, is available on the client machine, where Secure Login Client is installed.

86. Double click the registry file.

87. Click “Yes” to the message in order to confirm the change on the computer.

88. Click “Yes” to confirm again and to add the policy to the registry.

89. Click “OK” to the confirmation message informing you that the *.reg file has been successfully imported into the registry. Note: Alternatively, a company-wide group policy can be used to deploy the profile groups.


Step 6: Restart the Secure Login Service

90. On the client machine navigate to “Computer Management” > “Services and Applications”>”Services”.

91. Search for “Secure Login Service”. Double click on this service to display the service properties.

92. Click “Stop” to stop the service.

93. Wait for Windows to stop the service.

94. Click “Start” to start the service again.


95. Wait for Windows to start the service.

96. Now when you open the Secure Login Client you will have the certificate issued by the Secure Login Server. Note: Alternatively a machine restart or workstation re-login may be needed to upload the profile group.
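Steps 85 to 95 without the GUI dialogs, as an added example that is not part of the SAP document. Before importing, it checks that every URL in the downloaded policy file is HTTPS and names the server from step 80, since the Secure Login Client fetches all of its authentication profiles from that URL; then it imports the file silently and restarts the service. The file name comes from the document’s example; the registry key inside the .reg file is whatever SLAC generated, and the function only inspects the URLs it contains. Run it in an elevated session.

```powershell
# Added example, not part of the SAP document. Run elevated on the client machine.
function Import-SlcProfilePolicy {
    param(
        [Parameter(Mandatory)][string]$RegFile,
        [Parameter(Mandatory)][string]$Fqdn
    )
    # .reg files are UTF-16LE with a BOM; Get-Content honours the BOM.
    $content = Get-Content -Path $RegFile -Raw
    $urls = [regex]::Matches($content, 'https?://[^"\s]+') | ForEach-Object { $_.Value }
    if (-not $urls) { throw "$RegFile contains no policy URL" }
    foreach ($u in $urls) {
        $uri = [uri]$u
        # The client fetches every authentication profile from this URL, so it must be
        # HTTPS and must name the host whose certificate was set up in section 3.3 (step 80).
        if ($uri.Scheme -ne 'https') { throw "Policy URL $u is not HTTPS" }
        if ($uri.Host -ne $Fqdn)     { throw "Policy URL host '$($uri.Host)' is not '$Fqdn'" }
    }
    # reg.exe import is the silent form of double-clicking the file (steps 86 to 89).
    reg import $RegFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit code $LASTEXITCODE)" }
    # Steps 90 to 95: restart the service so it reads the new policy.
    Get-Service -DisplayName 'Secure Login Service' | Restart-Service
    Get-Service -DisplayName 'Secure Login Service' | Select-Object Status, DisplayName
}

# Usage (assumed path):
#   Import-SlcProfilePolicy -RegFile 'C:\sls\ProfileDownloadPolicy_SecureLoginDefaultGroup.reg' `
#                           -Fqdn 'mo-1339aa6dc.mo.sap.corp'
```

The host check mirrors step 80: a policy URL that still carries a short host name or an IP address would make the client fetch its profiles from a server whose certificate (issued for the FQDN in section 3.3) does not match.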


© 2017 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See http://global.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.