
NW SSO with RSA Authentication

S0007586158
Participant
0 Kudos


Hi,

We are trying to configure NW SSO with the RSA token based authentication. Configured the RSA RADIUS Server Destination in the Secure Login Server, verified the TEST connection. Activated the RADIUS Server authentication [In Client Authentication profiles].

What will be the next steps?

Regards,

Sam

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hi Sam,

Did you want to use Radius Server Authentication profile with Secure Login Client?

If the configuration and the test work, you can create a Profile Group, add your Radius Server Authentication profile to the group and download the policy for your Secure Login Client. You can get more information in the implementation guide: 2.4.2 Downloading Policies to Secure Login Client Using the Policy Download Agent

After the download, you will have your Secure Login Server profile in Secure Login Client and you can then log in to your Radius Server Authentication profile.

KR

Valerie

S0007586158
Participant
0 Kudos

Hi Valerie.

Thanks for the reply. Do I need to do any additional steps on the backend ABAP / JAVA systems as part of this configuration? [Already done: the secure login library setup, instance parameter changes and mapping in the SNC tab for the ABAP system.]

Regards,

Sam

S0007586158
Participant
0 Kudos

Hi,

When I try to log in from the Secure Login Client - RADIUS Server authentication, I am getting "Error connecting to SSL Server - The SSL server certificate doesn't contain the servers domain name."

Please advise

Regards,

Sam

Former Member
0 Kudos

Hi Sam,

Please check the following configuration attributes in the implementation guide:

sslHostCommonNameCheck and sslHostAlternativeNameCheck. Check which values are configured in your client policy and check if your SSL server certificate complies with your configuration.

KR

Valerie

S0007586158
Participant
0 Kudos

Hi Valerie,

Both sslHostCommonNameCheck and sslHostAlternativeNameCheck are checked in the authentication profiles. Can you please let me know how to check which values are configured in your client policy?

Regards,

Sam

Former Member
0 Kudos

Hi Sam,

Check the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<Profile Name>]. There you have your client policy configuration downloaded from your group policy.

What do you want to verify in your SSL server certificate? What does your SSL server certificate DName look like?

How is the CN part? Like CN=FQDN (Fully Qualified Distinguished Name)? If yes, you should leave sslHostCommonNameCheck checked. Do you have a Subject Alternative Name in your SSL server certificate? If not, uncheck this configuration in the Client Authentication profile and download your group policy again. Repeat the certificate enrollment again.

KR

Valerie
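
Added example, not part of the original posts and not SAP code: a small Python helper that reports separately whether a certificate's CN and its DNS Subject Alternative Names cover the host name the client connects to, which is the question behind the two settings above. The function names, the sample certificates and the matching rule (case-insensitive, `*` only as the whole left-most label) are assumptions; how Secure Login Client itself compares names is not stated in this thread.

```python
# Added example: names and matching rules here are assumptions, not SAP code.

def host_matches(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as "*.test".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def name_checks(cert, host):
    """Report whether the CN and the DNS SAN entries cover `host`.

    `cert` uses the dict layout returned by ssl.SSLSocket.getpeercert().
    """
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {
        "common_names": cns,
        "dns_alt_names": sans,
        "cn_matches": any(host_matches(cn, host) for cn in cns),
        "san_matches": any(host_matches(s, host) for s in sans),
    }


# Constructed sample: CN holds the FQDN, but the certificate has no SAN extension.
CERT_CN_ONLY = {
    "subject": ((("countryName", "DE"),), (("commonName", "sls.example.test"),)),
}
# Constructed sample: SAN lists the FQDN, CN is only a short host name.
CERT_WITH_SAN = {
    "subject": ((("commonName", "sls"),),),
    "subjectAltName": (("DNS", "sls.example.test"), ("DNS", "sls-alias.example.test")),
}

if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN)):
        print(label, name_checks(cert, "sls.example.test"))
```

A certificate like the first sample passes a CN comparison but has nothing for a SAN comparison to match, which is the situation the reply above describes.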

S0007586158
Participant
0 Kudos


Hi Valerie,

Thanks for the valid answer.

Can you please answer my queries below?

If we want to integrate Radius server authentication for the Portal systems, what configuration needs to be done?

Is it because of the existence of the Secure Login Client - Radius Server authentication profile that the system forces you to do RSA login? Or is there any other way I can force the RSA login?

Is it possible to group a set of users to log in via Radius Server authentication and another set of users with Kerberos authentication?

Regards,
Sam

Former Member
0 Kudos


Hi Sam,

Did you want to login to the portal using client authentication with certificate?  Secure Login Client from 2.0 SP03 has implemented an ActiveX control feature. Please refer to SAP note: 1970832 - Secure Login Client ActiveX Control for Secure Login Server Profiles.

By Kerberos authentication, do you mean logging in using SPNego to generate a user certificate?

In Secure Login Server Administration Console, there is the option to create different group policies for different use cases on the client side. In your case you can create a group policy for Radius authentication for RADIUS users and create a group policy for SPNego users. You can then deploy the policy depending on your use case.

KR

Valerie

S0007586158
Participant
0 Kudos

Hi Valerie,

Unfortunately I was unable to open the note 1970832; it says "Document is not released".

Is it the group policy deployed on the client that determines what authentication mechanisms are used for the user?

For a user who doesn't have the Secure Login Client/group policy on the client, how can we stop him accessing the SAP system?

Regards,

Sam

donka_dimitrova
Contributor
0 Kudos

Hello Sam,

Please, try with this link:

http://service.sap.com/sap/support/notes/1970832

I hope it will be possible to open it. I can open it via the link.

Best regards,

Donka Dimitrova

Former Member
0 Kudos

Hello,

The SAP note 1970832 is only visible for pilot customers, so you will not see it.

But I have already documented the basic ActiveX functions in another SCN message:

http://scn.sap.com/thread/3564402

The official Secure Login documentation has been internally updated for those ActiveX APIs but it's not replicated to the official servers yet.

BTW: This will only work with Internet Explorer on Windows. If you also need other client browser/OS support you must use the web client feature built into the portal as an IView.

best regards

Alexander Gimbel

Former Member
0 Kudos

Hi Sam,

I want to understand your use case. You want to use the NW Java portal with certificate-based login, right? And depending on the security requirement, allow the login with RSA token or with SPNego.

If this is your case, you can use the download policy and Alexander's link for the ActiveX control support.

I need more details for the following question: For a user who doesn't have the Secure Login Client/group policy on the client, how can we stop him accessing the SAP system?

Secure Login is only for authentication and not for authorization.

KR

Valerie

S0007586158
Participant
0 Kudos

Hi Valerie,

Yes, I was talking about authentication only. What I want to clarify is, for example: for an ABAP system where the RADIUS authentication is configured for a user, and on his PC the Secure Login Client/group policy has been installed/applied and the authentication works with the RSA token. What happens if the same user tries to log in from a PC where you don't have the Secure Login Client installed? Will he be able to log in with his ABAP system credentials?

Regards,

Sam

Former Member
0 Kudos

Hi Sam,

This configuration should be made in your ABAP instance profile configuration.

This is done by the parameter snc/accept_insecure_gui. Please refer to the documentation under snc/accept_insecure_gui - The Application Server's Personal Security Environments - SAP Library

KR

Valerie
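
Added example, not part of the original posts and not SAP code: a Python check that reads an instance profile excerpt and classifies what `snc/accept_insecure_gui` means for a SAP GUI that connects without SNC, i.e. the password logon asked about above. The function names and the sample profile are constructed; the value meanings (0, 1, U) and the defaults used are taken from SAP's documentation of the parameter as I understand it and should be confirmed there.

```python
# Added example; the sample profile below is constructed.
# Profile defaults assumed here: SNC off, insecure SAP GUI logons rejected.
DEFAULTS = {"snc/enable": "0", "snc/accept_insecure_gui": "0"}

SAMPLE_PROFILE = """\
# constructed instance profile excerpt
snc/enable = 1
snc/identity/as = p:CN=SID, O=Example
snc/accept_insecure_gui = 1
"""


def parse_profile(text):
    """Parse 'name = value' lines; '#' lines are comments; last assignment wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def gui_logon_without_snc(params):
    """Classify whether a SAP GUI without SNC (password logon) is let in."""
    def get(name):
        return params.get(name, DEFAULTS[name]).upper()

    if get("snc/enable") != "1":
        return "snc-disabled"   # SNC is off: every GUI logon is unprotected
    mode = get("snc/accept_insecure_gui")
    return {
        "0": "rejected",        # SAP GUI must connect with SNC
        "1": "accepted",        # any user may still log on without SNC
        "U": "per-user",        # only users individually permitted to do so
    }.get(mode, "unknown")


if __name__ == "__main__":
    print(gui_logon_without_snc(parse_profile(SAMPLE_PROFILE)))
```

With the constructed sample the result is `accepted`, meaning a user on a PC without Secure Login Client could still log on with his ABAP password.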

S0007586158
Participant
0 Kudos

Hi Valerie,

Thanks for the answer. One more question on your previous reply. Yes, we can have different policies, one for Radius, one for SPNego. Is it this policy on the PC that determines which authentication method is used for a user, or can this also be controlled by some configuration on the backend systems?

Regards,

Sam

Former Member
0 Kudos

Hi Sam,

If you want to authenticate against ABAP using SNC you have the option to bind a profile to a backend application: please refer to chapter 6.2.3.2 Applications and Profiles of the implementation guide.

This configuration is made in the Secure Login Administration console and is downloaded with the group policy.

BTW you now can access the SAP note http://service.sap.com/sap/support/notes/1970832.

KR

Valerie