SPNEGO-Based Single Sign-On Using Secure Login Server X.509 Client Certificates


PUBLIC SPNEGO-Based Single Sign-On Using Secure Login Server X.509 Client Certificates

TABLE OF CONTENTS

SCENARIO
IMPLEMENTATION STEPS
  PREREQUISITES
  STEP-BY-STEP GUIDE
    1. Configure Administrator for the Secure Login Administration Console
    2. Secure Login Server Initialization
    3. Enable SPNEGO-Based Single Sign-On Using Secure Login Server
      3.1 Configure a Service User for SPNEGO in the Microsoft Active Directory
      3.2 Configure SPNEGO Authentication for the Secure Login Server
      3.3 SSL Configuration based on Certificate Signed by Secure Login Server
      3.4 Secure Login Client Configuration

SCENARIO

Your company is using Secure Login Server to issue short-lived X.509 client certificates for authentication to SAP and non-SAP business systems across your landscape. Your company also uses Microsoft Active Directory, and you now want to re-use the Kerberos tokens issued by the Microsoft domain controller (KDC) for single sign-on with Secure Login Server X.509 client certificates. After implementing this scenario, your domain users authenticate only once, with their Microsoft Active Directory credentials, and are then authenticated automatically to any SAP or non-SAP system that requires short-lived X.509 client certificates and where they have been granted authorizations.

IMPLEMENTATION STEPS

PREREQUISITES

1. You have your SAP Application Server Java installed and configured with SSL running. For details on how to install SAP Application Server Java, see: Installation & Implementation SAP NetWeaver 7.5. For details on how to configure SSL, see: Configuring Transport Layer Security on SAP NetWeaver AS for Java.
2. Secure Login Server (SLS) installed. For details on how to install Secure Login Server, see: Secure Login Server Installation.
   Note: Always refer to the PRODUCT AVAILABILITY MATRIX for SAP SSO 3.0 for more information about currently supported components and platforms.
3. Secure Login Client (SLC) installed on the user machine. For details on how to install Secure Login Client, see: Secure Login Client Installation.

STEP-BY-STEP GUIDE

1. Configure Administrator for the Secure Login Administration Console

1. Log on to SAP NetWeaver Administrator at https://<host>:<port>/nwa.
2. Navigate to Configuration > Identity Management and click “Create User”.
3. Provide a Logon ID (for example “SLAC ADMIN”), a password and a Last Name for the user.

4. Go to the “Assigned Roles” tab and search the “Available Roles” list (on the left side) for the role “SLAC SUPERADMIN”.
5. Select the role and click “Add” to assign it to the SLAC ADMIN user.
6. Click “Save” to save the “SLAC ADMIN” user.
7. As a result, you have a new administrative user with access to the Secure Login Administration Console (SLAC).

2. Secure Login Server Initialization

8. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the new administrative account “SLAC ADMIN”.
   Note: The system requires a reset of the initial password if this is the first time you log on with this user.
9. Start the “Initialization” with the option “Manual”.
   Note: If the default option for your Secure Login Server installation is “Automatic”, you get a confirmation message. Click “Yes” to confirm that you want to proceed with this change.
10. On the “Root CA” step, provide the Country Name (in our example “DE”) and the Organizational Name (in our example “ABC”).
11. Click “Next”.

12. On the “User CA” step, click “Next”.
13. On the “SAP CA” step, click “Next”.
14. On the “SSL CA” step, click “Next”.

15. On the “User Certificate Configuration” step, provide the “Country Name” (in our example “DE”).
16. Click “Finish”.
17. After finishing the configuration, the initialization starts; when it is completed you receive the message “Secure Login Server has been initialized”.
18. Click the “Go” button.

3. Enable SPNEGO-Based Single Sign-On Using Secure Login Server

3.1 Configure a Service User for SPNEGO in the Microsoft Active Directory

Step 1: Create a Service User for SPNEGO in the Microsoft Active Directory

19. Open the tool “Active Directory Users and Computers” on the Active Directory Server (ADS) and go to the “Users” branch.
20. Right-click and choose New > User.

21. Provide for the new user a “First Name” (example “Kerberos”), a “Last Name” (example “A01”) and a “User logon name” (example “KerberosA01”, where A01 is your Application Server SID).
22. Click “Next”.
23. Provide a password for the new user.
24. Select “User cannot change password” and “Password never expires”.
25. Click “Next”.
26. To complete the creation of the new user, click “Finish”.

Step 2: Set Up servicePrincipalName for the New Service User

27. Find your new user (example “Kerberos A01”) in the list of users and double-click it to open the user properties.
28. Go to the tab “Attribute Editor”.
    Note: If you don’t see the “Attribute Editor” tab, you can alternatively start adsiedit.msc from the Microsoft Windows start menu.
29. Search for the attribute named “servicePrincipalName”, select it and click “Edit”.
30. Add as new value “HTTP/<fully qualified name of the Application Server Java>” (example HTTP/mo1339aa6dc.mo.sap.corp). Click “Add” and the value appears in the “Values” list.
31. Click “OK” to save the new setting.
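The same SPN registration, scripted with the ActiveDirectory PowerShell module and with the checks an administrator wants before and after step 30. This is an added example and not part of the SAP guide; the account name KerberosA01 and the host name mo1339aa6dc.mo.sap.corp are taken from the guide's examples and must be replaced with your own values. The duplicate check matters because an SPN registered on two accounts makes the KDC encrypt the service ticket with a key the Secure Login Server keytab does not hold, so SPNEGO fails.

```powershell
# Added example (not from the SAP guide): register and verify the SPNEGO
# service user's servicePrincipalName with the ActiveDirectory module.
# Assumed values: "KerberosA01" and "mo1339aa6dc.mo.sap.corp" follow the
# guide's examples; run this on a machine with RSAT/AD module as a domain admin.
param(
    [string]$ServiceUser = 'KerberosA01',
    [string]$AsJavaFqdn  = 'mo1339aa6dc.mo.sap.corp'
)
Import-Module ActiveDirectory
$spn = "HTTP/$AsJavaFqdn"

# 1. SPNs must be unique in the forest. If another object already carries
#    HTTP/<fqdn>, tickets are issued for that object's key and SPNEGO breaks.
$owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName
foreach ($o in $owners) {
    if ($o.sAMAccountName -ne $ServiceUser) {
        throw "SPN $spn is already registered on $($o.DistinguishedName); remove it there first."
    }
}

# 2. Register the SPN on the service user (guide step 30) if it is not there yet.
$user = Get-ADUser -Identity $ServiceUser -Properties servicePrincipalName, PasswordNeverExpires, CannotChangePassword
if ($user.servicePrincipalName -notcontains $spn) {
    Set-ADUser -Identity $ServiceUser -ServicePrincipalNames @{Add = $spn}
    Write-Host "Added $spn to $ServiceUser"
} else {
    Write-Host "$spn is already present on $ServiceUser"
}

# 3. Confirm the account options from guide step 24. The keytab created in
#    section 3.2 holds the key derived from this password; a password change
#    or expiry invalidates it until the keytab is re-created in NWA.
if (-not $user.PasswordNeverExpires) { Write-Warning "$ServiceUser: 'Password never expires' is not set" }
if (-not $user.CannotChangePassword) { Write-Warning "$ServiceUser: 'User cannot change password' is not set" }

# 4. Show the final state of the attribute.
Get-ADUser -Identity $ServiceUser -Properties servicePrincipalName |
    Select-Object SamAccountName, @{ n = 'SPNs'; e = { $_.servicePrincipalName -join ', ' } }
```

The built-in setspn tool does the same job (setspn -S performs the duplicate check itself), and once the keytab from section 3.2 is enabled, klist get HTTP/<fqdn> on a domain-joined client requests a service ticket for the SPN and shows whether the name resolves to the service user.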

3.2 Configure SPNEGO Authentication for the Secure Login Server

32. Log on to SAP NetWeaver Administrator at https://<host>:<port>/nwa.
33. Navigate to “Configuration” > “Authentication and Single Sign-On” > tab “SPNEGO”.
34. Click “Add” and select “Manually” to add a new KeyTab. Enter the realm name of your Microsoft Active Directory domain (example CI1.SAPSSO.DEV).
35. Click “Next”.
36. Provide the “Principal Name” and the password of the service user created previously in the Microsoft Active Directory domain (in our example “KerberosA01”).

37. Click “Next”.
38. From the “Mapping Mode” drop-down list choose the value “Principal@REALM” and select “virtual user” as the “Source” value.
39. Click “Finish”.
40. Click “Enable” for your new Service User KeyTab.
41. Your Service User KeyTab is now activated.

3.3 SSL Configuration based on Certificate Signed by Secure Login Server

Step 1: Check the Host Name of the Client Authentication Profile

42. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (“SLAC ADMIN”).
43. Navigate to “Authentication Profiles”.
44. Select the Authentication Profile “Windows Authentication (SPNEGO)”.
45. Go to the tab “Secure Login Client Settings” and make sure that the host name in the “Enrollment URL” is the fully qualified name (example mo1339aa6dc.mo.sap.corp) and that the “Port” is correct (in our example 443).

Step 2: Generate SSL Server Certificate

46. Navigate to the “Certificate Management” tab and make sure that the status of your “Root CA” is green.
47. Expand “Root CA” and select “SSL Sub CA”.
48. Click the “Issue Entry” button.
49. Provide as “Entry Name” the fully qualified name of the Application Server Java (for example mo1339aa6dc.mo.sap.corp).
50. Set this fully qualified name of the Application Server Java also as “DNS Name” (for example mo1339aa6dc.mo.sap.corp) in the “Subject Alternative Names”.
51. Click “Next”.
52. On the “Subject Properties” step, provide the “Country Name” (for example “DE”) and the “Common Name”, which is the fully qualified name of the Application Server Java (for example mo1339aa6dc.mo.sap.corp).
53. Click “Next”.

54. Click “Finish” to complete the certificate generation.
55. Your certificate appears under the “SSL Sub CA” and is of type “SSL SERVER”.

Step 3: Import Secure Login Server Certificate to the SSL Configuration

56. Log on again to SAP NetWeaver Administrator at https://<host>:<port>/nwa.
57. Navigate to Configuration > SSL Configuration. Click “Edit”.
58. Go to the “Details of port xxxx” section.
59. Click “Copy Entry”.
60. From the “From View” drop-down list select the value “SecureLoginServer”.
61. From the “From Entry” drop-down list select the certificate created in the SLAC under “SSL Sub CA” (in our example mo1339aa6dc.mo.sap.corp).
62. Make sure that the “To Entry” is the one of the selected SAP Java instance.
63. Click “Import”.
64. Select and delete the default identity “ssl-credentials”.
65. Click “OK” to confirm the deletion.

66. Click “Save” to confirm the configuration.
67. A restart is required. Click “Restart Now” (you can also select “Restart Later” if necessary, but your configuration is completed only after the restart).
68. Wait for the restart to finish; afterwards your SSL configuration is ready.
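After the restart, the quickest way to confirm that steps 46 to 68 took effect is to read the certificate the Application Server Java now presents on port 443 and compare it with what the Secure Login Client will require: the fully qualified name as a DNS entry in the Subject Alternative Name (step 50), an issuer that is the SSL Sub CA rather than the deleted self-signed default (step 64), and a chain that clients can build once the Root CA is distributed (section 3.4). The following PowerShell script is an added example, not part of the SAP guide; the host name and port are the guide's example values, and the SAN parsing relies on the text that Windows produces for the extension.

```powershell
# Added example (not from the SAP guide): fetch the TLS server certificate of the
# AS Java after the restart and check it against the requirements of this section.
# Assumed values: host name and port (443) follow the guide's examples; run on Windows.
param(
    [string]$AsJavaFqdn = 'mo1339aa6dc.mo.sap.corp',
    [int]$Port = 443
)

function Get-RemoteServerCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: we only want to read the certificate, the checks follow below.
        $accept = { param($s, $c, $ch, $e) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        # SNI carries the FQDN, the same name the Secure Login Client uses in the Enrollment URL (step 45).
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if (-not $san) { return @() }
    # On Windows, Format() renders entries such as "DNS Name=mo1339aa6dc.mo.sap.corp".
    return [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

$cert = Get-RemoteServerCertificate -HostName $AsJavaFqdn -Port $Port
$dns  = Get-SanDnsNames -Cert $cert

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"SAN DNS : $($dns -join ', ')"
"Expires : $($cert.NotAfter)"

# Step 50: the FQDN must be present as a DNS name in the SAN, not only in the Common Name.
if ($dns -notcontains $AsJavaFqdn) { Write-Warning "SAN does not contain $AsJavaFqdn" }

# Step 64 deleted the default "ssl-credentials". A self-signed certificate here means
# the import or the restart did not take effect and the SSL Sub CA certificate is not active.
if ($cert.Issuer -eq $cert.Subject) { Write-Warning "Certificate is self-signed; the SSL Sub CA certificate is not in use" }

# Verify() builds the chain against this machine's trusted roots. It stays $false on a
# client until the Secure Login Server Root CA has been installed (section 3.4, step 2).
"Chain trusted on this machine: $($cert.Verify())"
```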

3.4 Secure Login Client Configuration

Step 1: Export Root CA Certificate from the Secure Login Server

69. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (“SLAC ADMIN”).
70. Navigate to “Certificate Management”. Select “Root CA” and click “Export Entry”.
71. Choose the export format “X.509 Certificate”. The dialog box displays the file name, type, size and the download link.
72. Click the “Download” button and save the file in a location of your choice (for example in a folder on your Domain Controller). (Optional: rename the file so that it indicates the origin of the root CA certificate.)
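Before the exported file is pushed to every domain member as a trust anchor (Option 1 of step 2 below uses certutil -dsPublish for that), it is worth checking that it really is the self-signed Root CA and recording its thumbprint, so the result can be verified on a client by thumbprint rather than by name. The following PowerShell script is an added example and not part of the SAP guide: run it with -Publish on the Domain Controller to perform the certutil -dsPublish command of step 74, and without the switch on a client after the group policy refresh of step 76 to confirm the root arrived. The file path is a placeholder.

```powershell
# Added example (not from the SAP guide): validate the exported Secure Login Server
# Root CA, publish it to Active Directory (Option 1 of step 2) and verify it on a client.
# Assumed values: $RootCaFile is a placeholder for the file saved in step 72.
param(
    [string]$RootCaFile = 'C:\Temp\SLS_RootCA.cer',   # placeholder: the file exported in step 72
    [switch]$Publish                                   # use -Publish on the Domain Controller
)

function Get-CertificateFromFile {
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "Root CA file not found: $Path" }
    return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
}

$root = Get-CertificateFromFile -Path $RootCaFile

# A root CA is self-signed. Anything else (the SSL Sub CA, a server certificate)
# is the wrong export and must not be distributed as a trust anchor.
if ($root.Subject -ne $root.Issuer) { throw "$RootCaFile is not a self-signed root certificate" }
"Root CA subject    : $($root.Subject)"
"Root CA thumbprint : $($root.Thumbprint)"
"Valid until        : $($root.NotAfter)"

if ($Publish) {
    # Guide step 74; -f overwrites an existing AD object of the same name.
    certutil -dsPublish -f $RootCaFile RootCA
    if ($LASTEXITCODE -ne 0) { throw "certutil -dsPublish failed with exit code $LASTEXITCODE" }
    "Published to the AD RootCA container; clients receive it with the next group policy update (step 76)."
    return
}

# On a client after a restart or 'gpupdate /force': the root must be in the
# machine-wide Trusted Root store, matched by thumbprint.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if ($installed) {
    "OK: Root CA $($root.Thumbprint) is trusted on $env:COMPUTERNAME"
} else {
    Write-Warning "Root CA not found in Cert:\LocalMachine\Root; run 'gpupdate /force' or restart the client"
}
```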

Step 2: Installing Root CA Certificates on a Windows Client

To ensure secure communication and a trust relationship, you should install the root CA certificates on the Windows clients. There are three options for performing this step:

Option 1: Distribute the Secure Login Server root CA certificates on the Microsoft Domain Server:

73. Log on as an administrator to your Domain Controller and start a Microsoft Windows command prompt.
74. Use the following command: certutil -dsPublish -f <root CA file> RootCA
75. You get as result: “CertUtil: -dsPublish command completed successfully.”
76. Restart your client. (After a restart the group policies are updated, which pushes the certificates to the client. Alternatively, you can use the command gpupdate /force.)

As an alternative to Option 1, you can also perform one of these two types of installation:

Option 2: Distribute Secure Login Server Root CA Certificates Using Microsoft Group Policies. For more details, see: Distribute Secure Login Server Root CA Certificates Using Microsoft Group Policies

Option 3: Installing Root CA Certificates on a Windows Client. For more details, see: Installing Root CA Certificates on a Windows Client

Step 3: Set Up Policy Update Interval

If there are any changes in the profiles, the most recent configuration is automatically updated in the Secure Login Client after a defined time, the “Policy Update Interval”, configurable in minutes. The default value for the Policy Update Interval is 0. You can change it, for example, to 480 minutes (8 hours); this setting forces the profile to be refreshed (downloaded) on your Secure Login Clients every 8 hours.

77. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (“SLAC ADMIN”).

78. Navigate to the list of Profile Groups. Select the respective profile group and click “Edit” to change the details of the group.
79. Change the “Policy Update Interval (minutes)” value to the number of minutes you need (in our example 480 minutes).
80. Check the “IP Address/Host Name” field: it must contain the correct fully qualified name of the server (in our example mo1339aa6dc.mo.sap.corp). Click “Save”.

Step 4: Download Profile Group Policy

81. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (“SLAC ADMIN”).

82. Navigate to Profile Management > User Profile Groups.
83. Select the Profile Group that you want to distribute to the Secure Login Clients. Click “Download Policy”.
84. Download the registry file with the Policy URL that specifies the resource file containing the latest configuration of all client authentication profiles in the group (in our example ProfileDownloadPolicy SecureLoginDefaultGroup.reg). Save the file in a location of your choice on the client machine.

Step 5: Import Profile Group Policy on the Client Machine

85. Make sure that the registry file downloaded in the previous step is available on the client machine where the Secure Login Client is installed.
86. Double-click the registry file.
87. Click “Yes” to confirm the change on the computer.
88. Click “Yes” to confirm again and add the policy to the registry.
89. Click “OK” on the confirmation message informing you that the *.reg file has been successfully imported to the registry.
    Note: Alternatively, a company-wide group policy can be used to deploy the profile groups.

Step 6: Restart the Secure Login Service

90. On the client machine navigate to “Computer Management” > “Services and Applications” > “Services”.
91. Search for “Secure Login Service”. Double-click this service to display the service properties.
92. Click “Stop” to stop the service.
93. Wait for Windows to stop the service.
94. Click “Start” to start the service again.

95. Wait for Windows to start the service.
96. When you now open the Secure Login Client, you have the certificate issued by the Secure Login Server.
    Note: Alternatively, a machine restart or workstation re-login may be needed to load the profile group.
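Steps 85 to 96 are the part an administrator typically scripts when many clients are involved: import the downloaded .reg file, restart the service, and then check that the client really obtained a certificate chaining to the Secure Login Server Root CA rather than just any certificate in the user's store. The following PowerShell script is an added example and not part of the SAP guide; the .reg path and the Root CA thumbprint are placeholders (the thumbprint is the one of the file exported in step 72), and the service is located by the display name “Secure Login Service” as the guide shows it. It must run in an elevated session on the client.

```powershell
# Added example (not from the SAP guide): steps 85-96 on the client machine,
# plus a check that the received certificate chains to the Secure Login Server Root CA.
# Assumed values: the .reg path and the root CA thumbprint are placeholders; the
# service is found by its display name "Secure Login Service" as shown in the guide.
param(
    [string]$PolicyRegFile      = 'C:\Temp\ProfileDownloadPolicy.reg',          # placeholder: file from step 84
    [string]$RootCaThumbprint   = '<thumbprint of the Root CA exported in step 72>',  # placeholder
    [string]$ServiceDisplayName = 'Secure Login Service'
)

# Steps 85-89: import the profile group policy into the registry (elevated prompt required).
if (-not (Test-Path $PolicyRegFile)) { throw "Registry file not found: $PolicyRegFile" }
reg import "$PolicyRegFile"
if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }

# Steps 90-95: stop and start the service so it picks up the new policy.
$svc = Get-Service -DisplayName $ServiceDisplayName
Restart-Service -InputObject $svc -Force
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
$svc.Refresh()
"$ServiceDisplayName is $($svc.Status)"

# Step 96: find user certificates whose chain ends at the Secure Login Server Root CA.
function Get-SlsIssuedCertificates {
    param([string]$RootThumbprint)
    $result = @()
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation is not the question here; we only want to identify the chain's root.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($cert)
        $count = $chain.ChainElements.Count
        if ($count -gt 0) {
            $rootCert = $chain.ChainElements[$count - 1].Certificate
            if ($rootCert.Thumbprint -eq $RootThumbprint) { $result += $cert }
        }
        $chain.Reset()
    }
    return $result
}

$issued = Get-SlsIssuedCertificates -RootThumbprint $RootCaThumbprint
if ($issued) {
    $issued | Select-Object Subject, Issuer, NotBefore, NotAfter | Format-Table -AutoSize
} else {
    Write-Warning "No certificate from the Secure Login Server yet; wait for the Policy Update Interval, re-login, or restart the machine"
}
```

Matching on the root thumbprint instead of the issuer name is deliberate: the short-lived user certificate is issued by the User CA, whose name the client does not know in advance, while the Root CA thumbprint is exactly the value verified during distribution in step 2.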

www.sap.com/contactsap 2021 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions. 
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See www.sap.com/trademark for additional trademark information and notices.
