Configuring Winshuttle SAP Integration Server for X509 certificate-based SAP Netweaver SSO logon
The X509 certificate-based SAP Netweaver SSO logon method does not include the ‘RunWithSapCreds’ method when consuming a Web service. Only one authentication method is used.
On this page
- Creating an extended SNC name
- Configuring Winshuttle Server for X509 SSO
- Configuring 32-bit Worker and FormWorker
- Configuring 64-bit Worker and FormWorker
X509 certificate-based SAP SSO logon involves two types of certificates:
- SAP server certificate
- User client certificate
Each SAP user must install the client certificate on their machine.
For Winshuttle Server, multiple users can access the SAP server simultaneously. However, installing a client certificate for each SAP user on every machine where Winshuttle Worker is installed is impractical, so there are two options for using X509 certificate-based SAP SSO with Winshuttle Server:
- System Post: Only one SAP user is responsible for uploading and downloading data to and from SAP. The client certificate for this user only needs to be installed on the Winshuttle Worker machine along with the SAP server certificate.
- Extended SNC Name: Each user in SAP must have the same extended SNC name along with their normal SNC names. Only one client certificate is required for the extended SNC name, and it needs to be installed on the Winshuttle Worker machines along with the SAP server certificate.
This section uses the following naming conventions:
- C:\SLL – The folder that contains all DLLs required for X509 certificate-based logon.
- secgss.dll – The DLL responsible for X509 certificate-based logon. The name can differ in your environment.
- SAP_Server.p12 – The SAP server-side certificate. The name can differ in your environment.
- Common_Cert.p12 – The client certificate for the common user, which can be a system post user or an extended SNC name. The name can differ in your environment.
- Open the required SAP server in SAP GUI.
- Enter transaction code SM30.
- Enter table as USRACLEXT.
- Click Display.
- Enter the extended SNC name for each user.
To enable X509 certificate-based SSO Login, do the following:
- Open the Server Administrator Tool.
- Under Integrated Logon, select Enabled.
- Select X509 SSO.
- In the SNC MyName field, type the SNC MyName parameter. (Note: This does not apply to Server 10.6.1.)
Note: The SNC MyName field is obsolete in 10.6. This setting is now controlled by application server settings in Winshuttle Central.
- Click Apply Changes.
To configure SAP SSO on a 32-bit Winshuttle Worker machine, do the following. (Note that the same will be required for configuring SAP SSO for FormWorker because Winshuttle FormWorker is available only in a 32-bit configuration.)
Note: The SNC_LIB file name in the following screenshots is for reference only. The name can differ in your environment.
- Deploy SAP SSO logon on the machine where Winshuttle Worker or FormWorker is deployed.
- The SAP SSO logon deployment creates an environment variable named ‘SNC_LIB’ in the user environment variables.
- Create the same environment variable in ‘System Variables’. (Winshuttle Worker is a Windows service, and services use system environment variables.)
- Restart the machine.
- Copy required DLLs for certificate-based SSO logon to the folder C:\SLL.
- Create an environment variable named SNC_LIB in both user variables and system variables.
- Set its value to the path of the 64-bit secgss.dll.
Note: A 32-bit specific user variable is used by Winshuttle FormWorker and SAP GUI. If the system only has 64-bit Winshuttle Worker and does not have FormWorker or SAP GUI, then 32-bit DLLs are not required. In that case, set the path of the 64-bit DLL in the system variable only.
- Create a folder C:\SECUDIR.
- Copy user and SAP server certificates to C:\SECUDIR.
- Create a system environment variable SECUDIR and set its value to C:\SECUDIR.
- Open a command prompt.
- Type CD C:\SLL\64-bit to change to the C:\SLL\64-bit directory.
- Run the following commands from the command prompt:
Creates a .ZIP file named PSE.
snc register -f C:\SECUDIR\SAP_SERVER.p12
Registers the SAP server certificate.
snc register -f C:\SECUDIR\Common_Cert.p12
Registers a common SNC certificate for all users.
snc status -v
Verifies that all certificates are registered.
- Grant full permission to C:\SLL and C:\SECUDIR folders to the user that represents the identity of the WinshuttleWorker service (by default it is Network Service). For FormWorker, it is the identity of logged-in user.
- Restart the machine.
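The following PowerShell check is an added example, not part of the original Winshuttle documentation: it verifies, read-only, that SNC_LIB and SECUDIR are set as system variables and that the service identity has the folder permissions described above. The folder paths and the NT AUTHORITY\NETWORK SERVICE account name are assumptions taken from this page's example values and defaults.

```powershell
# Added example (read-only): checks the SNC setup this page describes.
# Assumptions: the page's example folders and the default service identity;
# the account name is localized on non-English Windows.
$ServiceIdentity = 'NT AUTHORITY\NETWORK SERVICE'
$Folders = 'C:\SLL', 'C:\SECUDIR'
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$results = @()

# Services read system (Machine) variables, so query that scope explicitly.
foreach ($name in 'SNC_LIB', 'SECUDIR') {
    $value = [Environment]::GetEnvironmentVariable($name, 'Machine')
    $exists = $false
    if (-not [string]::IsNullOrWhiteSpace($value)) { $exists = Test-Path -LiteralPath $value }
    $results += [pscustomobject]@{
        Check  = "System variable $name points to an existing path"
        Detail = "$value"
        Pass   = $exists
    }
}

foreach ($folder in $Folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        $results += [pscustomobject]@{ Check = "Folder $folder exists"; Detail = ''; Pass = $false }
        continue
    }
    $allow = (Get-Acl -LiteralPath $folder).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' }

    # The page asks for full permission for the Worker service identity.
    $svc = $allow | Where-Object {
        $_.IdentityReference.Value -eq $ServiceIdentity -and $_.FileSystemRights.HasFlag($FullControl)
    }
    $results += [pscustomobject]@{
        Check = "$ServiceIdentity has FullControl on $folder"; Detail = ''; Pass = [bool]$svc
    }

    # C:\SECUDIR holds the .p12 files and C:\SLL the logon DLLs,
    # so list every other Allow entry for review.
    foreach ($rule in $allow) {
        if ($rule.IdentityReference.Value -eq $ServiceIdentity) { continue }
        $results += [pscustomobject]@{
            Check  = "Other access on $folder (review)"
            Detail = "$($rule.IdentityReference.Value): $($rule.FileSystemRights)"
            Pass   = $null
        }
    }
}
$results | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt after the final restart; rows with an empty Pass column are informational and show which other accounts can reach the certificate and DLL folders.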