NW SSO system with client-backend encryption and SSO
Make sure that sapcrypto.dll and relevant profile parameters exist. | |
Download the Secure Login Library and Secure Login Client: SECURE LOGIN LIBRARY 1.0, SECURE LOGIN CLIENT 64BIT 1.0, SECURE LOGIN CLIENT 32BIT 1.0 | |
Extract SLLIBRARY04_5-10010553.SAR to a temporary folder. | |
Extract SECURELOGINLIB.SAR to folder SLL in the application server instance directory <Drive>\usr\sap\<SID>\<Instance>\SLL | |
Test the Secure Login Library. From a command prompt in the SLL directory, run | |
Maintain the instance profile parameters. SNC is not enabled at this time. The SPN of the service user for the Kerberos logon procedure is determined by the parameter snc/identity/as.
snc/force_login_screen = 0
snc/permit_insecure_start = 1
snc/data_protection/use = 3
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/r3int_rfc_qop = 8
snc/r3int_rfc_secure = 0
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/enable = 0
snc/identity/as = p:CN=SAPService<SID>
snc/gssapi_lib = C:\usr\sap\<SID>\D30\SLL\secgss.dll
Create pse.zip | |
Restart the application server | |
Transaction STRUST Verify that system PSE is active | |
Transaction STRUST Create SNC SAPCryptolib PSE | |
Create key tab in pse.zip for Active Directory service user | |
Add the SPN for the Active Directory user. The prefix is "SAP/" (without quotes). The suffix is the same as the parameter snc/identity/as = p:CN=SAPService<SID> | |
Install the Secure Login Client (the 64-bit or 32-bit version, depending on the client PC) and reboot the workstation. | |
Maintain the workstation registry settings under: [HKEY_CURRENT_USER\Software\SAP\SecureLogin] "TokenType"="Kerberos" | |
If you want to hide the client's tray icon: | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\Common] "HideTrayIcon"=dword:00000001 |
Maintain the users' CN. For mass maintenance, use TCODE SNC1. To update all users, uncheck "Users without SNC names only". Execute, and don't forget to save! | |
Enable SNC and restart the application server | snc/enable = 1 |
Using self-signed certificates with secure login client may require SAP Note 1687748 - SNC error "A2200210" when using prototype certificates | Verify with snc.exe |
Requesting a CA certificate. After completing the process, create a certificate request | |
Copy all the text, including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- | |
Send the request to the CA server (in this example, the SAP test CA) and choose the certificate type | |
Import the CA server response | |
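
A consistency check for the profile-parameter and SPN steps above, added here as an example and not taken from the original post or from SAP: it parses an instance profile, derives the SPN as "SAP/" plus the CN of snc/identity/as, and lists which settings still admit unprotected connections once snc/enable = 1. The sample profile, the SID "ABC" and the function names are constructed for illustration, and the value meanings noted in the comments are assumptions about the SNC parameters, not statements from the page.

```python
import re

# Constructed sample: the page's values with snc/enable = 1 and the made-up SID "ABC".
SAMPLE_PROFILE = """
# instance profile (constructed sample)
snc/enable = 1
snc/permit_insecure_start = 1
snc/data_protection/min = 2
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/identity/as = p:CN=SAPServiceABC
"""

def parse_profile(text):
    """Return {parameter: value}, skipping blank lines and '#' comments."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not key.lstrip().startswith("#"):
            params[key.strip()] = value.strip()
    return params

def expected_spn(params):
    """SPN as the page builds it: prefix 'SAP/' plus the CN of snc/identity/as."""
    m = re.match(r"p:CN=([^,]+)", params.get("snc/identity/as", ""))
    return "SAP/" + m.group(1).strip() if m else None

def audit_snc(params):
    """Report settings that still admit unprotected traffic after SNC is enabled."""
    if params.get("snc/enable") != "1":
        return ["snc/enable is not 1: SNC is switched off"]
    findings = []
    for key in sorted(params):
        # Assumption: value 1 on an accept_insecure_* switch admits non-SNC connections.
        if key.startswith("snc/accept_insecure_") and params[key] == "1":
            findings.append(key + " = 1: connections without SNC are still accepted")
    # Assumption: 1 lets the instance start even when SNC fails to initialise.
    if params.get("snc/permit_insecure_start") == "1":
        findings.append("snc/permit_insecure_start = 1: instance may start without SNC")
    # Assumption: protection levels are 1 = authentication, 2 = integrity, 3 = privacy.
    level = params.get("snc/data_protection/min", "")
    if level.isdigit() and int(level) < 3:
        findings.append(f"snc/data_protection/min = {level}: less than privacy protection allowed")
    return findings

if __name__ == "__main__":
    print(expected_spn(parse_profile(SAMPLE_PROFILE)), *audit_snc(parse_profile(SAMPLE_PROFILE)), sep="\n")
```

Run it against a copy of the real instance profile and compare the derived SPN with the one registered for the Active Directory service user.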