on 05-07-2013 11:40 AM
Hi Team,
We have configured SAP Netweaver SSO 1.0(using X.509 certificate) on our SAP system. We have used only secure login library and secure login client( Without secure login server) . We are about to complete the configuration but stuck with up X.509 certificate. SNC is activated on SAP system.
As of now, we have completed below steps:
Install Secure login library:
1. Installed SLL on SAP application server
2.Environment variable SECUDIR is set properly
3.Test Secure login library is working fine. Output of snc is shown below.
Product version : Secure Login Library 1.0 SP 4 Patch 3
: CryptoLib 8.3.7.11
: aix-6.1-ppc-64
GSS library : available
GSS library name : libsecgss.so
PSE directory : (existing) /usr/sap/GO0/DVEBMGS00/sec
PSE file : (existing) /usr/sap/GO0/DVEBMGS00/sec/pse.zip
STRUST cred file : (existing) /usr/sap/GO0/DVEBMGS00/sec/cred_v2
SNC config file : (existing) /usr/sap/GO0/DVEBMGS00/SLL/gss.xml
PSE accessible : yes
PSE logged in : yes
PSE credentials : MasterPassword SystemDefault
Kerberos keyTab : Not existing
------------------------------------------------------------------------------
SNC keys registered : 1 entries
1: STRUST certificate CN=GO0, OU=SAP Security, O=SAP Trust Community
Trusted certificates:
from STRUST :
1: CN=GO0, OU=SAP Security, O=SAP Trust Community
4. SAP Parameter configuration
5.Import X.509 Certificate
We have SAP server certificate response signed by CA. So we have exported SAP server certificate in PSE format and imported on system PSE. Is this correct way of importing X.509 certificate into SAP system?
Install secure login client:
1.Installed SLC
2.Configured X.509 Certificate SNC Name in SAP GUI
3.User mapping in SU01 - X.509 Certificate
I assume that X.509 certificate to be available to all user station and it should be visible in secure login client. Do I need to provide SAP server certificate( .cer) to CA team to publish to all users station. ie Microsoft Certificate Store
Is both SAP server certificate signed by CA and X.509 certificate same?
While importing X.509 certificate into SAP system, I have followed below steps. Is it correct?
We have SAP server certificate response signed by CA. So we have exported SAP server certificate in PSE format and imported on system PSE.
Please advice.
Thanks !
Hi All,
We are also going to configure the SSO with X.509 certificate. Windows IIS to SAP Portal system.
Could you please share your knowledge or documents.
Thanks
Srini T.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I think there are some terminology issues here. CAs sign certificate requests, not responses. A certificate response is already signed by the CA. Yes, you will have to find a way to distribute the X.509 certificates on the clients since you are not using the Secure Login Server to create the certificates. Notice that the certificates you distribute on the clients have to be trusted by the SAP system meaning the root CA used to sign them must exist in the SAP system.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Provide a screenshot to clarify your question. By default there is no certificate called "SAP server certificate". If you refer to the System PSE, a X.509 certificate is contained in it and it identifies the AS ABAP. The X.509 certificates stored in clients are refered to as X.509 client certificates and they are not the same as the certificate in the System PSE. You use X.509 client certificates to identify users on AS ABAP. See the attached link for details on how to use X.509 client certificates on AS ABAP.
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4e/125e0a1e3d2287e10000000a15822b/frameset.htm
User | Count |
---|---|
89 | |
10 | |
9 | |
9 | |
9 | |
6 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.