Step to configure SS0 using SAP NW SSO

1) Download SAP Netweaver SS0 1.0 SP3 from service market place

https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/swdc/sps/index.do?pvnr=01200314690900004187&session_id=saS000979435220120824014022SID%3aANON%3apwdf4971_OW2_01%3av41MaAKuV4_TXf6S9090uBZqQRsUMxXDEwITL3cb-ATT

Secure Login Library: SLLIBRARY03_2-10010513.SAR

Secure Login Server: SLCLIENT03_2-10010508

2) Create folder SLL under /usr/sap/<SID>/<Inst No>/SLL

Copy secure login library file to this location

Uncar the SLLIBRARY03_2-10010513.SAR using command

SAPCAR –xvf SLLIBRARY03_2-10010513.SAR

Select the correct OS. In our case it is AIX 6.1

Uncar SECURELOGINLIB.SAR

3) Use SNC command to check the version of libraryMake sure env variable SECUDIR is set to /usr/sap/SID/<inst>/sec

4) Create PSE file using snc command linesnc crtpse –x 1234567890

Snc command, should look like this.

5) For cluster environment

Library files must be deployed in each application servers (ASCS excluded)Copy PSE.zip file from one server1 to server2 and then execute below command in server2

snc cred –x <PSE passwd> -s <server2 host name>

6) Check if SID adm user has access to pse and its credentialsnc –o ersadm status –v

7) Create user in Windiows AD For non-prod environment user:KerberosERS is used.For prod it is recommended to create users Kerberos<SID>

8) Define service principle name in ADUse ADSIEDIT tool to map created user to SPN

For non prod SAP/KerberosERS will be used.For PRD SAP/Kerberos<SID> will have to be created in AD

9) Create keytab in SAP application serversnc crtkeytab –s SAP/KerberosERS@TCP_CENTRAL.TCPCORP.LOCAL.COM -p <AD user passwd>

10) Enable SNC in SAP ABAPChange/create following parameters

a. snc/identity/as = p:CN=SAP/KerberosERS@TCP_CENTRAL.TCPCORP.LOCAL.COMb. snc/enable = 1c. snc/gssapi_lib = /usr/sap/ERS/DVEBMGS00/SLL/aix-6.1-ppc-64/libsecgss.so

(Instance specific)d. snc/data_protection/max = 1e. snc/data_protection/min = 1f. snc/data_protection/use = 9g. snc/accept_insecure_cpic = 1h. snc/accept_insecure_gui = 1 (This parameter will have to be made 0 once

user mapping is complete)i. snc/accept_insecure_r3int_rfc = 1j. snc/accept_insecure_rfc = 1k. snc/permit_insecure_start = 0l. snc/extid_login_diag = 1m. snc/extid_login_rfc = 1

11) Install SAPsecure login clientNote: SAPGUI must be 720Start Installation Use the appropriate MSI Installer for your operating system

Type File NameMicrosoft Windows 32Bit SecureLoginClient x86.msiMicrosoft Windows 64Bit SecureLoginClient x64.msi

After installation you will find at taskbar in your pc.

Double click on the icon and user must have been authenticated by AD.

12) Activate SNC in saplogon padSelect the system and goto change mode Network tabCheck Activate Secure Network Communication

13) User mappingLogon to system go to SU01 transaction select the user SNC tab assign SNC Namep:CN=<USERNAME>@ TCP_CENTRAL.TCPCORP.LOCAL.COM

SNC1 transaction can be used to activate mass users.

14) Once user mapping is done. User must be able to logon without passwd prompt

Reference: Note 1711367 - Release Note SAP NetWeaver Single Sign-On 1.0 SP03

1696840 1678616 1662544 1677641 1687748 1672003 16969051635019

http://scn.sap.com/community/securityhttp://help.sap.com/nwsso10/#section2https://websmp208.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000740254&