Search This Blog

Wednesday, April 2, 2014

SAP Note 550742 - FAQ: General questions about Single Sign-On

Symptom
FAQ

Other Terms
FAQ, security, Single Sign-On, SSO

Reason and Prerequisites

Solution

[1] Question: What is Single Sign-On (SSO)?

[2] Question: How do I implement Single Sign-On?

[3] Question: Why does Single Sign-On no longer work after one year?

[4] Question: Do all system have to have the same password?

[5] Question: Where can I find further documentation on SSO?



[1] Question: What is Single Sign-On (SSO)?

Answer:
The term Single Sign-ON (SSO) describes a solution that enables the system to determine the identity of a user without the user having to explicitly specify a user name and password in each application. It is a one-time logon to the system. However, there may be different technical conversions. Several different SSO solutions also exist for SAP.


[2] Question: How do I implement Single Sign-On?

Answer:
Different technical options are available to implement SSO.
Some of the solutions that are available in SAP systems include:
-Logon tickets (Workplace)
-Client certificate
-NTLM SSP
-PAS
For more information, see note 138498.


[3] Question: Why does Single Sign-On no longer work after one year?

Answer:
You are using a certificate that was issued by SAP_CA. For more information, see note 389186. These types of certificates are issued with a validity period of one (1) year only. Logon tickets are still issued after the validity period expires; however, an error is triggered when the logon tickets received are checked. In principle, the problem is not restricted to CA certificates; however, "self-signed" certificates are generated with a considerably longer validity period (up to the year 2038).


[4] Question: Do all systems have to have the same password?

Answer:
The current SSO methods enable you to assign different passwords for different systems.


[5] Question: Where can I find further documentation on SSO?

Answer:
Further documentation is available in the SAP Marketplace:
http://service.sap.com/security


This document refers to:
SAP Notes
1257108 Collective Note: Analyzing issues with Single Sign On (SSO)
114045 Consulting: Technical system security

This document is referenced by:SAP Notes (1)
1257108 Collective Note: Analyzing issues with Single Sign On (SSO)

Posted by at 4 comments:

SAP Note 434918 - Configuration for fully qualified host names for BSP

Symptom
A BSP is started that contains a shortened URL (no domain name) is started from SE80. This problem can be solved with the new profile parameter icm/host_name_full.

Other Terms
DNS
Domains
Domain
FQHN: full qualified host name

Reason and Prerequisites
If the host name only specifies the host and port but not the domain (including the extension), the shortened URL of a BSP application appears as follows:
<protocol>://<hostname>:<port>/sap/...
Example: http://pwdf0487:1080/sap/bc/bsp/sap/it00/default.htm

In contrast, the full URL should be as follows:
<protocol>://<host name>.<domain> <extension>:<port>/sap/...
Example: http://pwdf0487.wdf.sap-ag.de:1080/sap/bc/bsp/sap/it00/default.htm

When you display the page (that is, the BSP) in the browser, an error message is issued because the domain is not specified.
You can determine whether the specifications of the domain are missing by branching to one of your BSP applications in the SAP System: Call the development environment in the SAP System (transaction SE80).
Select BSP Application in the pull-down menu in the left column and enter the name of your BSP application in the field underneath. Select Display (the glasses symbol).
Double-click on a BSP under Pages.
Select the Attributes tab.
Check whether the path specification in the URL field next to the host also contains the domain, as described under Cause and Prerequisites.
If the domain specifications are missing, proceed as described in the Solution section and use the icm/host_name_full profile parameter.

Solution
You require the latest kernel patch (ICM patch collection (VIII) and patch level 510 or higher) as well as the icm/host_name_full parameter. You can use this parameter to specify the fully qualified host name of the host on which the ICM is running and which can be accessed for requests, for example, ls3022.wdf.sap-ag.de rather than ls3022.
If several application servers are operated with one instance profile, you could consider the following procedure: Set the value icm/host_name_full = $(SAPLOCALHOST).domain.ext.


Posted by at 8 comments:

SAP Note 510007 - Setting up SSL on Web Application Server ABAP

Symptom
This note concerns the setting up of Secure Sockets Layer (SSL) on the SAP Web Application Server ABAP.

Other Terms
SSL, TLS, Transport Layer Security, HTTPS, encryption, trust manager, STRUST, cipher suites

Reason and Prerequisites
This note provides a brief description of the steps required to set up SSL on the Web Application Server ABAP.
    1. Install the SAPCRYPTOLIB on all application servers into the $DIR_EXECUTABLE directory. Note 397175 describes the prerequisites for downloading the library. If you are using a 6.10 kernel, copy the license ticket SAPCRYPTOLIB (file "ticket") into the $DIR_INSTANCE/sec directory on all application servers. As of kernel release 6.20, the license ticket is automatically generated at the system start.  As of SAPCRYPTOLIB pl32, you no longer require a license ticket file.  On all application servers, set the environment variable SECUDIR to the directory $DIR_INSTANCE/sec. If you want to protect the PSEs (key files) with a password, set the environment variable USER on all UNIX systems to the name of the UNIX user under whom the SAP system is running.
    2. Set the following profile parameters in the instance profile of all application servers and start the system:

      ssf/name          = SAPSECULIB
      ssf/ssfapi_lib    = <Path and file name of the SAPCRYPTOLIB>
      sec/libsapsecu    = <Path and file name of the SAPCRYPTOLIB>
      ssl/ssl_lib       = <Path and file name of the SAPCRYPTOLIB>
      icm/server_port_X = PROT=HTTPS,PORT=<TCP port number for HTTPS>

    If you want to suppress/permit/enforce user logon by client certificate in the SSL log:

      icm/HTTPS/verify_client = 0 / 1 (default) / 2

    If you want to use a key length of 1024 bits (only with kernel release 6.20 and higher, see Note 509495): sec/rsakeylengthdefault = 1024
    3. Call transaction STRUST (trust manager) to create the SSL server PSEs.
    a) Create the default PSE (serves as a fallback for all instances without their own PSE).
    Choose "Create" in the context menu of the "SSL server" node. As far as possible, the trust manager provides the correct entries so that you can then send the certificates to the SAP Trust Center Service for signing. In particular, set the following values:

    Name = *.<WebAS domain>

    Do not replace the "*" with a host name. The default PSE must also exist even if PSEs are created for all instances.
    b) Create individual PSEs for all instances: A list of all active instances is displayed in a second dialog box. The default Distinguished Name (DN) contains the following entry:

    CN = <host name>.<WebAS domain>

    Make sure that each instance is assigned the fully qualified host name that is used in the HTTPS log. You can assign a DN to several instances simultaneously, for example, when using a Network Address Translator (then, you must specify the fully qualified host name of the NAT as CN). All instances with empty an DN will use the default PSE (in Release 6.10, the "Create" parameter determines if the instance is assigned its own PSE). Note that no DNs must be more than 255 characters long.
    c) Create certificate requests for all instance PSEs. Expand the "SSL server" node in the tree control, double-click to load the instance PSE into the relevant node and select the "Generate certificate request" function. For the default PSE, you must only create a certificate request if there are instances without their own PSEs (in this case, double-click to load the default PSE into the "SSL server" node). Send the certificate requests to a CA, for example, the SAP Trust Center Service (http://service.sap.com/tcs ).

    The certificate response must either be a PKCS#7 package with a complete upward path or a text file that contains a list of all required certificates in PEM format (that is, with a "-----BEGIN CERTIFICATE-----" header line and an "-----END CERTIFICATE-----" footer). As of Release 6.20, you can also import the certificate response as an individual PEM certificate if the CA certificate is saved in the database (to search for certificates, select "Import certificate", category = "Server CA"). Using the SAP Trust Center Service ensures that the certificate response has a valid format. Always import the certificate response into the PSE from which the original certificate request was generated (double-click on the corresponding nodes and call the "Import certificate response" function) and save the changes.
    d) If you want to allow logon via the client certificate, import the root certificate of the CA user into one of the SSL server PSEs. When saving, the system updates the certificate list of all SSL server PSEs. The certificate list contains the root certificates of those CAs whose user certificates are to be accepted.
    4. Creating the SSL client PSE (default).

    This PSE is used in the SSL log if the WebAS issues a HTTPS request as client. For technical reasons, there must always be a SSL client PSE even if the system does not issue any client requests (the SSL implementation cannot be started if the PSE is missing). When creating the PSE, you can specify the following name:

    Name = <system SID> SSL client default

    If the system is to issue client requests, create a certificate request from the PSE and import the certificate response of the CA into the PSE. Then import the root certificates of the server CAs into the PSE certificate list whose certificates are to be accepted. To load the root certificate of the SAP Trust Center Service, select "Import certificate", database, Trust Center (short name) = "SAPTRUST", category = "Server CA". To import the certificate into the PSE, select "Import into certificate list".
    5. Creating additional SSL client PSEs (optional)

    With a SSL client PSE (anonymous), the system can issue HTTPS requests without client authentification. If you require this PSE, only maintain the PSE certificate list. You can also define additional SSL client identities (Environment -> SSL client-> Identities). If you create new identities, they are displayed in the trust manager. You can now create the relevant PSEs, have the certificates signed by a CA and maintain the PSE certificate list.

    Note that the changes made to SSL PSEs in the trust manager (for example, implementing the response of a CA and the certificate list changes) in a SAP WebAS before NetWeaver 710 will only take effect after you restart the ICMAN process (transaction SMICM, Administration -> ICMAN -> Exit Soft).

    When, as of NetWeaver 710, you save or overwrite an SSL PSE, STRUST signals the PSE change to the icman, whereby the PSEs used for SSL are reloaded at runtime.  Existing communication connections are not impaired as a result. However, all SSL session caches are emptied in icman so that all new SSL connections go through a complete SSL Handshake. On servers with a very large number of simultaneous connections, this could lead to an increase in the CPU load and increased response times.
    6. (Optional) Configuration of available SSL cipher suites

    You can change the available "SSL cipher suites" for SAP WebAS ( icman, sapwebdisp, msg_server und sap_http) and (as of Release 710) the incoming SSL-secured connections of the SAP AS Java using the SAP profile parameter

        ssl/ciphersuites=

    as a process-wide or system-wide default (and therefore control the compiled default value).  When searching  for a shared ciphersuite using the client, the preference sequence of the server is important for SAPCRYPTOLIB.

    For inbound SSL connections (SSL server), you can also define the available cipher suites individually for each service in the SSL configuration icm/ssl_config_<xx> for an ICM server port definition icm/server_port_<xx> using the string parameter CIPHERS:

       icm/server_port_<xx>= ..., SSLCONFIG=ssl_config_<yy>
       icm/ssl_config_<yy>=  ..., CIPHERS=...

    The same rules apply to the value or content of the parameter CIPHERS as apply to the profile parameter ssl/ciphersuites.

    The following table displays an overview of the SAPCRYPTOLIB ciphersuites that are currently available in order of preference. Ciphersuites marked with (+) were added with SAPCRYPTOLIB pl28:

       Category  Position        Name of SSL ciphersuite
      ----------------------------------------------------
      MEDIUM        1.      SSL_RSA_WITH_RC4_128_SHA
      MEDIUM        2.      SSL_RSA_WITH_RC4_128_MD5
    (+)HIGH          3.      TLS_RSA_WITH_AES128_CBC_SHA
    (+)HIGH          4.      TLS_RSA_WITH_AES256_CBC_SHA
      HIGH          5.      SSL_RSA_WITH_3DES_EDE_CBC_SHA
      LOW           6.      SSL_RSA_WITH_DES_CBC_SHA
      EXPORT        7.      SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
      EXPORT        8.      SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
      EXPORT        9.      SSL_RSA_EXPORT_WITH_RC4_40_MD5
      EXPORT       10.       SSL_RSA_WITH_NULL_SHA
      EXPORT       11.      SSL_RSA_WITH_NULL_MD5

    The above list (in the specified sequence) is the compiled default setting for SAP BASIS 640 and corresponds to the profile parameter value:

        ssl/ciphersuites=MEDIUM:HIGH:LOW:EXPORT

    The compiled default setting for SAP BASIS 700 is:

        ssl/ciphersuites=MEDIUM:HIGH:LOW:EXPORT:!eNULL

    and contains only ciphersuites 1 to 9 from the above list.

    With the kernel correction described in SAP Note 1433874, the compiled default setting for SAP BASIS 700 or higher was changed to:

        ssl/ciphersuites=HIGH:MEDIUM:+e3DES:LOW:EXPORT:!aNULL:!eNULL

    and a new profile parameter was added:

        ssl/client_ciphersuites=

    If required, you can also configure the SSL cipher suites for outgoing SSL-secured connections of SAP AS ABAP regardless of the incoming connections.   If you do not set this parameter, the default value of the profile parameter ssl/ciphersuites also applies for outgoing SSL-secured connections.

    The aforementioned kernel correction results in the following sequence of SSL cipher suites, whereby the AES-based cipher suites require a SAPCRYPTOLIB pl28+.

       Category  Position        Name of SSL ciphersuite
      -----------------------------------------------------------
      HIGH          1.      TLS_RSA_WITH_AES128_CBC_SHA
      HIGH          2.      TLS_RSA_WITH_AES256_CBC_SHA
      MEDIUM        3.      SSL_RSA_WITH_RC4_128_SHA
      MEDIUM        4.      SSL_RSA_WITH_RC4_128_MD5
      HIGH          5.      SSL_RSA_WITH_3DES_EDE_CBC_SHA
      LOW           6.      SSL_RSA_WITH_DES_CBC_SHA
      EXPORT        7.      SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
      EXPORT        8.      SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
      EXPORT        9.      SSL_RSA_EXPORT_WITH_RC4_40_MD5

    If you want the cipher suite with 3DES coding to be in first position of the preferred cipher suites, and if you do not want to use any EXPORT cipher suites, LOW cipher suites, and cipher suites with MD5 as the hash function, you can use the following value for the configuration:

        ssl/ciphersuites=HIGH:MEDIUM:!mMD5.

    and you obtain a list with the four cipher suites (1), (2),(5) and (3) from the list displayed above as the result.

    The parameter parts for the configuration of the ciphersuites are based on a combination of simple set theory and the preferred ciphersuites sequence.  The syntax of this ciphersuites parameter is based on a previous version of OpenSSL and less flexible than the current OpenSSL versions.

    You can use the category to define which ciphersuites are relevant and you can use the category sequence to define which are the preferred ciphersuites; you can specify

       "!mMD5", "!mSHA1", or "!eNULL", "!eRC4", "!eDES", "!eRC2"

    to remove specific ciphersuites from the selected categories in the list of selectable ciphersuites.
    7. (Optional) Configuration of available TLS protocol versions

    Depending on the version, SAPCRYPTOLIB supports the following protocol versions of the SSL protocol or TLS protocol:

        SAPCRYPTOLIB <= pl26    SSLv3,          "BC"
        SAPCRYPTOLIB >= pl28     SSLv3, TLSv1.0, "BC"

    The new protocol Version TLSv1. introduced with Version pl28+ is proposed by default or used if the communication parner also supports it.

    There is also the protocol option "BC" for "Backwards Compatibility" that permits a Version 2.0 CLIENT-HELLO as the first message of an SSLv3 or TLS handshake, see

        http://tools.ietf.org/html/rfc6176#section-3
        http://tools.ietf.org/html/rfc5246#page-89

    A configuration option for the supported TLS protocol version was added to the kernel correction described in SAP Note 1433874.  A single number must be placed before the configuration parameter for the SSL cipher suites, which is added from the following bit value:

        Value    Meaning
      -----------------------------------------------------------
          1      "BC" option (allow version 2.0 CLIENT-HELLO)
          64      SSLv3
        128       TLSv1.0

    Both protocol versions and the BC option are active in the default setting, which results in a value of (128+64+1) = 193 for the protocol version flags (pvflags).

    If you want an FIPS-compliant SSL configuration, that is, only TLSv1.0 (128+1)=129 and only SSL cipher suites with 3DES or AES encryption (HIGH), you can achieve this with the following setting:

        ssl/ciphersuites=129:HIGH

    8. Information about interoperability with SSL and TLS
    a) The protocol option "BC" (Backwards Compatibility) is required for interoperability with Microsoft Internet Explorer (MSIE) Version 6 on Windows XP and Windows 2003, Firefox up to Version 3.0 and possibly other, mostly older, browser and SSL clients.

    Background: XP and 2003 were delivered with MSIE Version 6 and SSLv2 is activated and TLSv1.0 is deactivated there by default.  When you upgrade MSIE to Version 7 or 8, SSLv2 is deactivated and TLSv1.0 is activated. However, the basic attributes of the "SChannel" component of the underlying Windows version are not changed by an MSIE upgrade.
    b) The attributes that can be used by Microsoft Internet Explorer for SSL or TLS are determined by the capabilities and attributes of the underlying operating system version, especially the security provider "SChannel" and the Microsoft CryptoAPI -- regardless of which browser version you have installed.

    Some attributes are available on older platforms only after a Microsoft HotFix has been installed manually:

    SChannel support for AES cipher suites:
      XP 32-bit:        ---
      2003, XP 64-bit:  http://support.microsoft.com/kb/948963

    MS CryptoAPI support for SHA256-based digital signatures, includes SSL server certificates:

      XP 32+64, 2003:   http://support.microsoft.com/kb/968730

    Microsoft "SChannel" supports the use of AES-based cipher suite (rfc3268) of SAPCRYTPOLIB pl28+ only in connection with the protocol Version TLSv1.0 and only as of Vista (and Windows 2003 after manually installing HotFix 948963).

    Firefox 3+, Google Chrome and OpenSSL 0.9.8+ support AES-based cipher suites both on Windows XP as well as in connection with SSLv3.

References
This document refers to:
SAP Notes
1901252 PT Web Services- Online communication to AT:Solution Details
1901250 PT Web Services- Online communication to AT : Technical Req
1896961 HTTP/HTTPS Configuration for SAP NetWeaver Gateway
1872926 Obsolete Note: PT Web Service: LC Online communication with Tax Authorities
1841573 SAPCRYPTOLIB 555pl36: bugfixes, error details, new features
1688545 OAuth 2.0 Server in AS ABAP Troubleshooting
1619442 Error when automatically reloading changed SSL PSEs
1553301 7.20 EXT Kernel - Usage
1531399 Enabling SSL for Session Protection
1452833 Prerequisites for analyzing support messages on STRUST
1433874 SapSSLReloadCred fix, SSLv3/TLSv1.0 configurability, GOST
1408879 ELENA: Set Up HTTP(S) Connection for Communication Server
1375378 Select the right version of an SAP security toolkit
1257108 Collective Note: Analyzing issues with Single Sign On (SSO)
1178155 Replacing PSEs in productive SSL Servers
1175193 Login ticket and ICM information is missing in SSO profile
834039 Certificate extension problems, Verisign (Japan)
758667 iSeries: Installing sapcrypto library for R/3
745103 Problemanalyse bei HTTPS-Kommunikation
700659 Security Guide: mySAP Supply Chain Management
698459 Trust manager: New root certificates
662340 SSF Encryption Using the SAPCryptolib
599270 Portal Content performance - composite SAP Note
597959 Portal content performance on EP 5.0 SP 6 - Sammelhinweis
578377 Digital signatures with SAPCRYPTOLIB
517860 Logging on to BSP applications
509495 Trust manager: Generating PSEs with a key length > 512 bits
508307 Trust Manager: Problems importing certificate responses
455033 SAPCRYPTOLIB versions, bugs and fixes
397175 SAP Cryptographic Software - Export control
354819 Collective note SAPSECULIB
This document is referenced by:
SAP Notes (35)
1901250 PT Web Services- Online communication to AT : Technical Req
1896961 HTTP/HTTPS Configuration for SAP NetWeaver Gateway
1920429 PT Web Services:process hist. doc., global delivery, BOM
834039 Certificate extension problems, Verisign (Japan)
508307 Trust Manager: Problems importing certificate responses
509495 Trust manager: Generating PSEs with a key length > 512 bits
1553301 7.20 EXT Kernel - Usage
1433874 SapSSLReloadCred fix, SSLv3/TLSv1.0 configurability, GOST
597959 Portal content performance on EP 5.0 SP 6 - Sammelhinweis
517860 Logging on to BSP applications
599270 Portal Content performance - composite SAP Note
1688545 OAuth 2.0 Server in AS ABAP Troubleshooting
1175193 Login ticket and ICM information is missing in SSO profile
965076 Using HTTPS with the IGS
1619442 Error when automatically reloading changed SSL PSEs
1375378 Select the right version of an SAP security toolkit
1422864 CGsprint 1.x: Installation or upgrade
1408879 ELENA: Set Up HTTP(S) Connection for Communication Server
578377 Digital signatures with SAPCRYPTOLIB
397175 SAP Cryptographic Software - Export control
354819 Collective note SAPSECULIB
455033 SAPCRYPTOLIB versions, bugs and fixes
698459 Trust manager: New root certificates
700659 Security Guide: mySAP Supply Chain Management
1452833 Prerequisites for analyzing support messages on STRUST
662340 SSF Encryption Using the SAPCryptolib
1841573 SAPCRYPTOLIB 555pl36: bugfixes, error details, new features
1178155 Replacing PSEs in productive SSL Servers
758667 iSeries: Installing sapcrypto library for R/3
1844549 CGsprint 2.x: Installation/Upgrade
1636252 Installing a 7.20 kernel in SAP Web AS 7.00/7.01/7.10/7.11
1901252 PT Web Services- Online communication to AT:Solution Details
1529546 Troubleshooting note for QC Enterprise Integration issues
1257108 Collective Note: Analyzing issues with Single Sign On (SSO)
1531399 Enabling SSL for Session Protection
Posted by at 1 comment:

SAP Note 1175193 - Login ticket and ICM information is missing in SSO profile

Symptom

Login ticket and ICM information is missing from the SSO profile.

Other Terms

ICM, Login, SSO, Process Controls

Reason and Prerequisites

Solution

Parameters are maintained in RZ10 for login tickets and ICM.  See related notes below.


Posted by at No comments:

SAP Note 817529 - Checking the SSO configuration

Symptom
You want to use Single Sign-On tickets in the BW Web reporting environment. This note contains indicators and options such as how the system must be configured to be able to use SSO or to check the configuration.
For example, SSO must be configured correctly if (as recommended in Note 498936) you want to use the SAP logon 'SYSTEM/login.htm'.

Other Terms
SSO, SSO2, cookie, BSP, sso2test.htm, SYSTEM, login.htm.

Reason and Prerequisites
The Internet browser must accept cookies. You can set this in Internet Explorer 6 by selecting the 'Tools' --> 'Internet Options...' --> 'Privacy' menu option.

Solution
System parameter/settings
  • login/accept_sso2_ticket    = 1.
  • login/create_sso2_ticket    = 2 (recommended) or 1.
  • icm/host name full.
           To enable the Internet browser accept the SSO2 cookie, you must enter a fully qualified host name in accordance with Notes 434918 and 654982.
  • SAPSECULIB / SAPCRYPTOLIB
           You must use the SAP Security Library or the SAP Cryptographic Library.
  • Transaction STRUST
           In this transaction, you define which systems are meant to accept logon tickets. This is necessary, for example, if you want to access data from one system of a BW application to another application of another system, without having to log on again.

  • Documentation
  • http://help.sap.com/saphelp_webas620/helpdata/en/17/ f8973814eb481fe10000009b38f8cf/frameset.htm
  • http://service.sap.com/security


Configuration check

SAP delivers the sso2test.htm BSP application.
You can use this application to check whether an SSO2 cookie can be created.
Start Transaction SE80
--> 'SYSTEM' BSP application
  --> Pages with flow logic
    --> Right-click sso2test.htm
      --> Test
        --> Follow the instructions on the screen


You can also execute the following JavaScript command from the address bar of your Internet browser to check whether an SSO2 cookie currently exists: javascript:alert(document.cookie);
As a result, all current cookies are issued in an alert box.
If an SSO2 cookie exists, an entry would have to exist that begins with 'MYSAPSSO2=....'.


If you cannot display an SSO2 cookie despite this information, check the logon as described in Note 495911 and if necessary, open a message under the component BC-SEC-SSF.

Posted by at No comments:

SAP Note 900000 - Netweaver Business Client - FAQ

Symptom
NetWeaver Business Client FAQ

Other Terms
Documentation, Troubleshooting and FAQ:

Solution
Introduction on SAP NetWeaver Business Client
  • http://www.youtube.com/watch?v=AAQRzKbNa1s
  • http://scn.sap.com/community/netweaver-business-client
  • https://experience.sap.com/post/show/51
  • http://goo.gl/5CcgS
  • http://scn.sap.com/docs/DOC-53471

Which FRONTEND-Platforms does the NWBC run on:
See
  • PAM (product availability matrix):

  • further requirements/limitations/restrictions:
    • NWBC 4.0 Desktop version:
      https://service.sap.com/sap/support/notes/1754946
    • NWBC 3.5 Desktop version:
      https://service.sap.com/sap/support/notes/1620514
    • NWBC HTML version:
      https://service.sap.com/sap/support/notes/1620576
  • Additional Information:

Where to download the NWBC-CLIENT:

The most recent NWBC for Desktop versions and patches can be downloaded from the SAP Support Portal (service.sap.com/support). In the "Software Downloads" area, you will find the NWBC in "Support Packages and Patches", "A-Z Index", via keyword "NETWEAVER BUSINESS CLIENT"

DIREKT LINKS:
  • NWBC 3.5:
    http://goo.gl/9dfVv
    release dates:
    https://service.sap.com/sap/support/notes/1593491
  • NWBC 4.0:
    http://goo.gl/saiyA
    • release dates:
      https://service.sap.com/sap/support/notes/1707623
    • what´s new:
      http://youtu.be/V9dFB9qsYIo
      http://goo.gl/7VoNc
      http://goo.gl/5CcgS
Which BACKEND release is necessary to establish a NWBC connection:
See
  • Important: apply runtime (server) patches to it:
    • SAP_BASIS =<7.40
      https://service.sap.com/sap/support/notes/1353538

Does NWBC 3.5 & 4.0 run as well against the "old" 3.0 runtime (http://<full qualified server>:<port>/nwbc)?
    • check your version:
      https://service.sap.com/sap/support/notes/1864151
      follow note 1353538 to increase your version

Yes, but:
  • not the entire NEW (additional) feature set of NWBC 3.5/4.0 will work:
    • pure client depended features will work - yes
  • examples of such features of NWBC 3.5 which will NOT work on lower backends (or without downports) are:
    • sidepanel
    • easy access
    • favorites
    • ...
    • further limitations for NWBC 3.5 see at the end of this note.
  • UPDATE: Full feature set-downports for 3.5 & 4.0 are now available starting from (SAP_BASIS)+note 1353538:
    • 7.00 SP28
    • 7.01 SP12
    • 7.02 SP12
    • 7.11 SP11
    • 7.20 SP08
    • 7.30 SP09
    • 7.31 SP03 (standard delivery = no downport any longer)
      but 7.31 SP00-02 is NOT supported for ANY of the NWBC clients
Can NWBC 4.0 and 3.5 be installed on the same pc?
Yes
special case BAIO:
To use BAIO (BUSINESS All-IN-ONE):
  • first access the Enablement Kit for ERP 6.0 EHP3 in the Help Portal:
                       http://help.sap.com
                        > Best Practices
                         > Cross-industry packages
                          > Enablement Kit
                           > Installation and Upgrade
  • https://service.sap.com/sap/support/notes/1400383
SSO with NWBC:
http://scn.sap.com/community/netweaver-business-client/blog/2013/06/07/authentication-and-single-sign-on-with-sap-netweaver-business-client-nwbc


CONFIGURATION/DOCUMENTATION:
TROUBLESHOOTING:
  • known issues:
    https://service.sap.com/sap/support/notes/1378659
  • popups like warning & error descriptions have been moved from note 900000 -> 1378659
    https://service.sap.com/sap/support/notes/1378659
  • SSO related errors:
    this topic has been moved from note 900000 to
    https://service.sap.com/sap/support/notes/1638715
  • server patches:
    https://service.sap.com/sap/support/notes/1353538
  • current client release:
    • NWBC 3.5 download:
      http://goo.gl/9dfVv
    • NWBC 4.0 download:
      http://goo.gl/saiyA
Posted by at 1 comment:

SAP Note 1257108 - Collective Note: Analyzing issues with Single Sign On (SSO)

Symptom

You are having problems with your implementation of Single Sign-On (SSO).

Other Terms

logon, login, Single Sign-On, SSO, authentication, SNC, Kerberos, Logon Tickets, X.509 Client Certificates, Java Add-In, Dual Stack, Diagtool, password

Reason and Prerequisites

This note should help you identify the cause of logon problems when a solution for SSO is implemented. There are a number of different technical solutions available for providing SSO, so this note contains several chapters, one each for the technical means used to implement SSO.

This note concentrates on problem analysis, but also mentions some of the most common specific issues. This note will not list all known issues that are related to SSO, as there are simply too many possible details involved. Unfortunately, even though the note concentrates only on the most common cases and how to analyze them, it is rather long.

Keep in mind that SSO solutions may appear quite complicated, especially if they span over a broad variety of system types that may exist in your system landscape.

Differentiate the possible implementations/solutions

The initial step to approach problems in SSO, of course, is to identify what SSO solution actually is being used. A first indicator is the client software: do you use a Web browser for accessing your servers, or do you use SAP's "classical" client program SAPGUI (sometimes called WinGUI)?
Attention: Newer client development and the related use of words make it easy to mix up certain versions of the Web browser-based clients with SAP's standalone client SAPGUI for ABAP servers. In the context of this note, the term SAPGUI will not be used for those Web-browser based clients.

Web browser-based clients can use either of the following mechanisms for implementing SSO:
  • SAP logon tickets (covered in this note) or
  • X.509 client certificates (covered in this note) or
  • SAML Browser/Artifact Profile (AS Java since NW 2004, AS ABAP since NetWeaver 7.10) (NOT covered in this note)

The SAPGUI always requires Secure Network Communications (SNC) for SSO.

Typical Scenarios

The most common situation where SSO is used are system landscapes that are made accessible by an SAP Enterprise Portal.
Here, usually SAP logon tickets are used, because they are easily available and can be created and accepted by all SAP server products. In a typical portal landscape, the SAP Enterprise Portal issues the user a logon ticket after the initial logon, which is then used for further authentication purposes, both in the portal itself as well as in all SAP back-end systems that are being made accessible from the portal. Some third party services can also use the SAP logon ticket for authentication through the use of SAPSSOEXT (a Java-based toolkit for verifying SAP logon tickets).

A completely different situation exists when the client software for accessing ABAP-based SAP servers is SAPGUI. With SAPGUI, the only
way to implement SSO is to install SNC. SNC, in turn, can be implemented in a number of ways - but it always makes use of the GSS interface provided by SAPGUI and the ABAP-based SAP servers.

For more general information about SSO, see SAP Notes 138498 and 550742.

In the following, we refer to the servers involved as the AS ABAP and the AS Java for ABAP-based and Java-based system, respectively.

Solution

In the following, you will find hints on how to analyze problems with logon and Single Sign-On, ordered by the technical means for authentication that are being used.

1. SSO based on SAP Logon Tickets

SAP logon tickets are messages that confirm a successful (primary) logon. They are created on the SAP server and are passed to the user's client. From there, they are also passed to the intended target system(s) (in newer implementations also directly to the target system). SAP logon tickets provide a "simple", but proprietary solution for Single Sign-On.

The actual strategy for analyzing problems with SAP logon tickets is to follow the path of the SAP logon ticket from its creation, and then along the paths it takes in the network, until it is finally received and verified in the destination server.

The (now outdated) note 356691 is intended to help with this, but it refers to older releases, where the "standalone Internet Transaction Server (ITS)" was common for Web-based access. This note may still be useful though in some situations, especially when you try to access SAP systems of older releases.

To assert the authenticity of a user, SAP logon tickets make use of digital signatures based on the DSA algorithms. (These functions fall under the SAP component for Secure Store and Forward BC-SEC-SSF.) As a consequence, Secure Store and Forward (SSF) needs to be configured correctly to be able to verify the logon tickets. This includes the configuration for trusting the SAP logon ticket issuer (in terms of SSF), which is done by storing the logon ticket issuer's public key (certificate) in the target system's certificate store. (The target system is the system that verifies the incoming logon ticket.) Additionally, the logon ticket issuer needs to be entered into an access control list (ACL). The required steps differ between the involved system's base technology (ABAP or Java), but from the SSF point of view, they serve the same purpose.

In general, tracing SAP logon tickets will follow the same pattern, which is independent from the base technology:
    1. Check whether the initial logon was successful.
    2. Check whether a SAP logon ticket was issued after the initial logon.
    3. Check whether the SAP logon ticket was passed to the client software (Web browser).
    4. Check whether the same SAP logon ticket was forwarded to the target system for authentication.
    5. Check whether the SAP logon ticket was processed for authentication purposes on the target system.
    6. Check whether the SAP logon ticket was successfully verified on the target system.

As you see, after the SAP logon ticket is created, it is forwarded through several layers within the ticket-creating system and then passed to the user's Web browser (or to the receiving system directly). The Web browser then needs to decide whether to forward the ticket (a cookie named MYSAPSSO2) to the target server(s). There the logon ticket is received, and again forwarded through some internal layers of the server to finally be verified in the programs responsible for authentication. Each of these steps can fail, and in most cases, the result will be just another popup asking for the user's logon ID and password. Unfortunately, only rarely a significant error message can be displayed.

1.1. SAP logon ticket creation and verification on the AS ABAP

On the AS ABAP, the profile parameters login/create_sso2_ticket and login/accept_sso2_ticket control the creating and receiving of SAP logon tickets on the server. See the online documentation for details.

Since SAP logon tickets make use of SSF, also the correct setup of SSF on the AS ABAP is required. To check the version of the installed security toolkit for SSF (and whether a security toolkit is available at all), run the report SSF02, using the default selection "Determine version". For further configuration of SSF for SAP logon tickets, which includes maintaining the Personal Security Environments (PSEs) of the server and maintaining the ACL, use the transaction STRUSTSSO2. Keep in mind that the maintenance here depends on the configuration of your system. Therefore, you may be required to run STRUSTSSO2 in both the working client (the one you are logged on to) and client 000. If you configure your system as recommended by SAP, the PSE used for handling SAP logon tickets is the system PSE, and in this case, all PSE and ACL maintenance can be done in the actual logon client.

Note: If you need to replace a certificate for use with SAP logon tickets, make sure that you not only replace the certificate in the certificate list of the related PSE in the target system, but also that you replace the ACL entry, even if the new certificate uses the same subject name as the one to be replaced.

The transaction SSO2 originally was set up to configure SAP logon tickets on mySAP Workplace systems. Keeping this in mind, you will find that SSO2 can still provide helpful information in analyzing SSO with logon tickets, but unfortunately is no longer so helpful in modern landscapes where an AS Java creates the SAP logon tickets for users (such as the portal).
In current landscapes, there is a configuration wizard available with the SAP NetWeaver Administrator that replaces the old SSO2 transaction. For more information, see SAP Notes 1083421 and 1014077.

The most important procedure for analyzing problems when creating, accepting, or verifying SAP logon tickets on the AS ABAP is described in note 495911.
Codes and error messages that are reported in the logon trace according to note 495911 are explained in note 320991.

Also see note 1055856 for several common issues related to using SAP logon tickets.

The corrections from note 1159962 extend the AS ABAP's error messages with a message that refers to the specific issue that can occur when a Java-based system issues incomplete tickets (most probably due to configuration mistakes).

Inside the AS ABAP, the Internet Connectivity Framework (ICF) is responsible for cookie handling. The SAP logon ticket is no exception, so you also need to check the security settings for applications in transaction SICF. The settings in SICF can be maintained differently for each Web service being offered.

1.2. SAP logon ticket creation and verification on the AS Java

On the AS Java, the creation and receiving of SAP logon tickets is configured in the login module stack of the service being called. Usually, it is sufficient to run the SSO2 wizard in the SAP NetWeaver Administrator to enable the use of SAP logon tickets (note 1083421).

For storing the 'SAPLogonTicketKeypair', which is used to sign its SAP logon tickets, and for storing the public-key certificates of other ticket-issuing systems, the AS Java reserves a special view in the Key Storage service named 'TicketKeystore'. If you have to re-create the logon ticket key pair manually, make sure you create it in the 'TicketKeystore' view and give it the name 'SAPLogonTicketKeypair'. Also keep in mind that the key pair must use the DSA algorithm, and (for the time being) the validity of the certificate can not exceed January 1st, 2038. SAP Note 912229 describes how to replace the key pair and certificate on your AS Java.

Also see the online documentation for your product for specific instructions.

The most important checks for settings are summarized in note 701205. If checking these (static) settings does not help, use the diagnostic tool described in notes 1045019 and 957707 for further analysis.

Finally, see note 1159962, which refers to a common configuration issue in the AS Java's login module stack and related error messages on the (receiving) AS ABAP.

1.3. SAP logon tickets on a dual-stack system

For the analysis of logon issues with SAP logon tickets on a dual-stack system, basically the two previous chapters apply at the same time.

In addition, see the attachment to note 701205, named 'Add-InDoku.zip', which refers to settings that are specific for Add-In and dual-stack installations.

1.4. Tracing the SAP logon ticket on the client (Web browser)

On the client side, SAP logon tickets are stored as non-persistent cookies named MYSAPSSO2. This means the cookies are stored in the main memory of the Web browser process only. Of course, this main memory is volatile, which makes SAP logon tickets difficult to detect. In the most simple case, if you enter 'javascript:alert(document.cookie);' as an URL, the Web browser reveals the cookies that are currently known, but unfortunately this method of detecting cookies is not always helpful.

A lot more information can be obtained from an HTTP trace, like URLs being used; names, domains and content of COOKIEs; or Web page content.
We recommended using an HTTP proxy tool to trace the HTTP traffic
directly at the client. SAP uses HttpWatch (http://www.simtec.ltd.uk or http://www.httpwatch.com). There is a free version that you can use to provide a trace file ('*.hwl' file) that can also be
analyzed/read in SAP support. Please ZIP before uploading!

1.5. Considering COOKIE properties

Since SAP logon tickets are handed over to the client (Web browser) in the form of a cookie, all cookie properties apply. This means that they are assigned a name ('MYSAPSSO2'), and the Web browsers will most likely only forward them to URLs inside the same DNS domain as that where they were created. Also, only one cookie with a given name can exist for a single domain.

Keep in mind that SAP has no influence on the way cookies are handled inside Web browsers, as the Web browser's behaviour is defined by the respective vendor's programming.

For further information related to cookies and Internet standards, see note 654982.

1.6. Special cases

There is a very specific situation where so-called reentrance tickets (a version of SAP logon tickets) can be used to log on to an HTTP-based session from an already existing SAPGUI session on the same application server. The solution described in note 612670 works for this specific situation. The use of this ticket for authentication on other servers (other instances or other systems) is neither intended nor supported.

For integrating non-SAP components into an SSO landscape that uses SAP logon tickets, SAP provides an interface named SAPSSOEXT, which can be used to evaluate and verify SAP logon tickets and return the data contained. For more information, see note 304450 and its referenced notes. Note 1040335 contains information about how to trace the activities of SAPSSOEXT.

2. SSO based on X.509 client certificates

Based on Internet standards, X.509 client certificates offer a nonproprietary solution to implement SSO. The use of X.509 client certificates for authentication requires the target system to offer HTTPS/SSL (see notes 510007, 739043 or 1019634, resp.).

In all cases, authentication using client certificates has two
prerequisites: the client certificate needs to be mapped to a user ID (logon name) that already exists in the system, and the client certificate needs to be accepted in terms of trust.

Note that trust can only be configured for certificates that are issued by a Certification Authority (CA). You cannot exchange individual X.509 client certificates to establish trust in this case.

2.1. X.509 Client Certificates on the AS ABAP

The AS ABAP uses the PSE maintenance in transaction STRUST for establishing trust. The certificate(s) of the CA that has issued the client certificates need to be present in the certificate list of the SSL server PSE that is being used to handle incoming HTTPS/SSL requests.

The mapping of the client certificate to the internal user ID is provided in the table USREXTID (maintenance view VUSREXTID). It takes the external identity type (here 'DN'), the subject name from the client certificate, and the internal user ID (that is, USR02-BNAME) as field values. Note that some encodings of the DN are interpreted differently in the kernel than in the ABAP layer. We recommend using plain ASCII for Distinguished Names (DN).

The setting of the profile parameter icm/HTTPS/verify_client determines whether the AS ABAP generally accepts or requires X.509 client certificates. As with accepting SAP logon tickets, the actual ICF service's security settings (transaction SICF) may influence the system's behavior.

For problem analysis when using X.509 client certificate authentication, see the developer traces provided with the procedure described in note 495911. In addition, the ICM traces can be helpful. For displaying the certificates that are exchanged between the client and server during SSL negotiation, set the trace level to 3. For all other SSL related messages, trace level=1 should be sufficient. (High trace levels reduce readability!).

2.1.1. SAP Passport

SAP offers the SAP Passport as a comfortable solution to provide X.509 client certificates to users of SAP systems. For more information, see the SAP Support Portal at http://service.sap.com/TCS and follow the links "SAP Trust Center Services in Detail ==> SAP Passports in your SAP solution" and/or "==> Single Sign-On with SAP Passports".

In addition to the items already mentioned, when doing problem analysis, you need to keep an eye on the validity of the system's Registration Authority (RA) certificate. (This certificate is the server's own certificate and it is in the system PSE of your AS ABAP. It is signed by the SAP DSA CA).

2.1.2. The general case

In the case that you are not using SAP Passports, you need to provide the required system settings mentioned manually. In particular, the user mapping in VUSREXTID can be tricky if your client certificates contain non-ASCII characters. In this case, to get the correct representation of the subject name (owner name) from the client certificate, open the certificate in STRUST (menu "Certificate --> Import") and copy the content of the field "Owner".


2.2. X.509 client certificates on the AS Java

The AS Java uses the Keystore service for maintaining encryption keys, certificates, and therefore, to establish trust. The certificate(s) of the CA that has issued the client certificates need to be present in the Keystore view named 'TrustedCAs'.

On the AS Java, the SSL service is where you configure whether a client certificate is accepted or required for authentication. For the published services, the configured login module stacks define the authentication options. If you want to accept X.509 client certificates for authentication, the 'ClientCertLoginModule' needs to be configured accordingly.

It is also the ClientCertLoginModule that defines the rule(s) to use to map the client certificate to the user'd ID on the AS Java. Certificates can be stored directly with the user account (and thus are explicitly mapped), or the rule extracts the actual user name from the SubjectName or SubjectAlternativeName attributes contained in the X.509 client certificate.

In case of issues, check the "Troubleshooting" topics in the online documentation for the User Management Engine (UME).

3. SSO based on SNC

With one exception (*), SSO can be considered a by-product when implementing message encryption with SNC on the AS ABAP. Encrypting the data traffic of DIAG (SAPGUI<-->server) and RFC (server<--->server) protocols requires that each partner possesses keys to use for encryption, and these keys are also used for mutual authentication. Therefore, when using SNC for encryption, everything is in place for providing SSO.

(*) The one exception is when implementing SSO by using the NTLM from the Microsoft Windows System Security Provider Interface. NTLM can only provide client-side authentication (which suffices for user-side SSO), but no encryption.

Note 66687 gives a summary about SNC in general. More detailed generic information is contained in the online documentation.

When analyzing SNC issues, you should always look into the traces that are written by the involved executables, that is, the SAPGUI trace if the SNC issue is on the client side, and the developer traces 'dev_w##' if the server side is concerned (display using transaction ST11).
Error messages related to SNC use the terms 'SNC' and/or 'GSS', so it is a good idea to search the server's work directory for occurrences of these terms using tools like 'grep' (UNIX) or 'find' (Windows).

3.1. Third-party security products

SNC uses 'Generic Security Service' (GSS). These GSS functions that are available for use with SNC are implemented in an "external security product", and not in the SAP kernel itself. This means that the functions themselves must be made available through dynamically loaded libraries (DLLs, shared libraries or shared objects) from a separate product.

SAP does provide libraries that are licensed for use with server-to-server communications, however, not for use on the client side. So, SNC for SSO will always require in a third-party product. For issues with the SNC implementation of your chosen product, refer to the support organization of your respective vendor.

3.2. SNC for Windows

To make the security products that are available with the Microsoft Windows operating system (SSPI = System Security Provider Interface) available for the GSS interface used by SAP programs, SAP does provide "wrapper libraries" for either NTLM or Kerberos on Windows 32bit or 64bit platforms.

See note 352295 for the libraries themselves as well as a description of the known issues with this SNC implementation.

3.3. Unsupported solutions

While the wrapper libraries attached to note 352295 make the Kerberos implementation coming with Microsoft Windows available, these are only available for pure Microsoft Windows landscapes. Other implementations of Kerberos may be interoperable, but SAP neither tests for interoperability, nor is SAP able to provide support for those Kerberos
implementations.

See note 150380 for a more detailed discussion.

4. Related issues

Finally, here are some additional issues that are more or less related to SSO.

4.1. Password-based logon

Password-based logon can behave like SSO if the password is being stored on the client side (example: destinations in transaction SM59).

Note 622464 discusses the relation between user types and password expiration. For user types in general, see note 327917.

In Releases beginning with 7.00, the AS ABAP offers new password rules (distinguishing upper and lower case, and an extended password length). In system landscapes where older and newer systems exist side by side, there may be issues when components that provide the "old" policies need to access newer systems. Note 1023437 discusses the use of downward-compatible passwords.

Often, SSO is mistaken for solutions that provide identical passwords throughout a large number of systems. From our experience, such attemps for password synchronization can not work completely successfully and also reduce the level of individual password security. Hence, password synchronization is not supported, as note 376856 describes.

4.2. SPNego

This is a special initial login on AS Java that does not require a user to enter a password to access the server. It is based on the user's login to the Microsoft Windows domain. It makes use of the Windows APIs called 'SPNego'.

The central note for issues related to SPNego (note 968191) unfortunately may contain some obsolete references and may also miss some of the newest related notes. However, it still offers a valid entry point for problem analysis and an overview of the concepts use. In addition, see the online documentation.

In new releases of the AS ABAP, SPNego is also supported with SAP NetWeaver Single Sign-On release 2.0 (or newer). Downports exist also for older (supported) releases, please see note 1798979.

4.3. SAP Shortcuts

SAP Shortcuts can store the user's password and therefore simulate SSO. Nevertheless, because the 'normal' password authentication is being used, it is not regarded as a "true" SSO implementation.

4.4. Other (third-party) products

Other third-party products for SSO (for example CA's SiteMinder) may be functional, but since SAP's support does not have any experience or information available, therefore, contact the respective vendor's support channels if you have any questions or issues.

4.5. Additional tips/common problems

Several common error messages and issues that occur when setting up Single Sign-On are addressed in note 1055856.

When using some implementations of SSO, it may be cumbersome to continue to keep your passwords valid. On the AS ABAP, you can set the profile parameter login/password_change_for_SSO to set whether passwords that have become invalid need to be updated. Note 869218 contains some corrections that need to be in place to make the API available for checking this profile parameter. Keep in mind that some front-end and middleware components may still require a related correction to make the concept finally work.

A list of all error codes that may be recorded in the developer trace during processing logon attempts is provided in note 320991.
Posted by at No comments:
Subscribe to: Posts (Atom)