secude


Upload: raghup777

Post on 18-Nov-2014


Believe in a higher level of IT-Security

SECUDE secure login Client 4.2.10 Release Notes

Copyright

Copyright SECUDE AG 2008

SECUDE is a registered trademark of SECUDE AG.

The passing on and duplication of this manual or any sections within, for whatever purpose and in whatever form, is not permitted without the express written permission by SECUDE AG. Information contained in this manual may be modified or supplemented without prior notification.

Microsoft is a registered trademark of the Microsoft Corporation.

Other product and company names mentioned herein serve for clarification purposes and may be trademarks of their respective owners.

SECUDE

SECUDE International AG
Althardstrasse 10
8105 Regensdorf Zurich
Switzerland
+41 (0) 44 575 19-00

SECUDE IT Security GmbH
Göbelstrasse 21
64293 Darmstadt
Germany
+49 (0)6151 82897-0

Sales: [email protected]

Technical support: [email protected]

Documentation: [email protected]

www.secude.com

SLC4210_RN1_en_200809


1 Product Description
1.1 Features & Benefits
1.2 Components of SECUDE Secure Login
1.3 More Information
2 What’s In this Version
2.1 New Features
2.1.1 Policy to Hide PSE Service System Tray Icon (BUGZ1351)
2.1.2 Policy to Filter Certificate Subject Names in Microsoft Store (BUG1370)
2.1.3 New Language Pack for Simplified Chinese (BUG1372)
2.2 Changes in the Product
2.3 Obsolete Features
2.4 Bug Fixes
2.4.1 SAP Smartcard Login Failed With Slow Network Connections Under Citrix (BUGZ1435)
2.5 Migration Aspects
3 System Requirements
3.1 SECUDE Secure Login Server and SECUDE Secure Login Administration Console
3.1.1 Supported OS Platforms
3.1.2 Supported Java Versions
3.1.3 Supported Web Application Servers
3.1.4 Available Language Options for SECUDE Secure Login Server
3.1.5 Available Language Options for SECUDE Secure Login Administration Console
3.2 SECUDE Secure Login Client
3.2.1 Supported OS Platforms
3.2.2 Supported SAP User Interfaces
3.2.3 Available Language Options for SECUDE Secure Login Client
3.3 SECUDE Secure Login Web Client
3.3.1 Supported OS Platforms
3.3.2 Supported Web Browsers
3.3.3 Supported SAP User Interfaces
3.3.4 Available Language Options for SECUDE Secure Login Web Client
3.4 SECUDE Signon&Secure Server
3.4.1 Supported SAP Applications
3.4.2 Supported OS Platforms
4 Software License Agreement
5 Installation
6 Known Issues
6.1 Known Bugs
7 About SECUDE


About this Document

This manual provides important information for the patch release version 4.2.10 of SECUDE Secure Login Client. For information about the last major release 4.2 of SECUDE Secure Login Client and 5.0 of SECUDE Secure Login Server, please check the corresponding Release Notes document.

It is not the main product manual for SECUDE Secure Login – please refer to SECUDE Secure Login 5.0 Administrator Manual for information about the installation, administration and use of SECUDE secure login.

Target Audience

This guide is targeted mainly at IT and SAP security administrators, but also anyone with an interest in using this product.

Related Documentation

This document supplements the following SECUDE Secure Login manuals:

• For an overview of the product and for detailed instructions about how to install and configure SECUDE Secure Login and its components, please refer to the SECUDE Secure Login 5.0 Administrator Manual and the SECUDE Secure Login 4.3 Administrator Manual. These are the base manuals for the SECUDE Secure Login product and should always be read first.

• For information about the installation and configuration of the SECUDE component running on the SAP server, please refer to the SECUDE signon&secure Administrator Manual.


Conventions used in this Manual

Style: Meaning

Bold:
• Emphasis
• Defined terms

Italics:
• References – especially when referring to another manual’s title
• Program or company names – such as Windows or SECUDE
• Important information appearing in notes, warnings, and Hints

Initial Capital Letters:
• Tool names
• Product names

Blue text:
• Elements of the graphical user interface
• Action sequences such as “Menu>Submenu” or “select Option X”
• Internet links
• Cross references such as “see section 2.1”

1 Product Description

SECUDE Secure Login enhances the security and end user productivity in your distributed SAP environment. It replaces the standard SAP login mechanism - using an SAP username and password - with alternative user authentication and certificate-based single sign-on.

SECUDE Secure Login efficiently handles the certificate management, so that no separate company-wide PKI is required, and it supports a flexible mix and match of different levels of authentication for different SAP applications.

Certificate-based single sign-on is available both for the SAPGUI (via a plug-in to SAP’s Secure Network Communications (SNC) interface) and for web-based SAP applications (via a plug-in to the Microsoft Crypto Service Provider, which allows Microsoft Internet Explorer to perform an SSL client authentication).

1.1 Features & Benefits

Key features of SECUDE Secure Login are:

• Single Sign-On

After a user has been authenticated once, a certificate-based login to one or multiple SAP systems is possible without having to enter SAP user name and password multiple times. Certificate expiration policies can be defined to ensure that users have to authenticate again after a certain time interval.

• Alternative User Authentication

Login using an SAP username and password can be replaced with alternative user authentication mechanisms, thus making authentication either more convenient or stronger (2-factor authentication). Multiple authentication mechanisms are supported, including, but not limited to:

- Microsoft Windows credentials (Windows login & password; Kerberos)
- LDAP credentials
- One-time password (OTP) token & password (e.g. RSA SecurID, Secure Computing)
- Smartcards & PIN from various vendors
- SAP user name & password

All supported authentication mechanisms can be mixed and matched for different SAP systems, depending on the security demands and the value of the information in your SAP environment.

• Confidentiality

In a standard SAP environment the network traffic is not encrypted. Consequently, all data transmitted between client and server can be read with little effort by third parties. SECUDE Secure Login encrypts all network traffic to remove this risk.

• Data Integrity and Proof of Origin

A message authentication code confirms to the recipient that all received data is unmodified and from the intended sender.

1.2 Components of SECUDE Secure Login

SECUDE Secure Login Server (SLS)

The SECUDE Secure Login Server is the central server component that connects all parts of the complete system. It is implemented in the form of Java servlets and thereby available on multiple OS platforms. A web application server or a web server with a servlet engine is required to run the SECUDE Secure Login Server. SECUDE supports multiple servlet engines, including Apache Tomcat, BEA WebLogic and SAP NetWeaver® (SAP WebAS Java).

The authentication data sent to the SECUDE Secure Login Server by the SECUDE Secure Login Client is passed on to an authentication server, which is usually a 3rd-party application (e.g. Microsoft Active Directory Server, RSA Server, and SAP Server). If the authentication on the authentication server is successful, the SECUDE Secure Login Server issues an X.509 certificate for the specific user and transfers it to the SECUDE Secure Login Client.

SECUDE Secure Login Client (SLC)

The SECUDE Secure Login Client is a software component on the user’s desktop system. The SECUDE Secure Login Client takes the user authentication data, sends it to the SECUDE Secure Login Server, and receives the user certificate back from the SECUDE Secure Login Server (providing the user could be successfully authenticated).

The SECUDE Secure Login Client then provides the user certificate to the SAPGUI to establish an SNC (Secure Network Communications) connection to SAP servers, and to the Microsoft Internet Explorer to establish an SSL client authentication connection to SAP servers.

With this release, SECUDE Secure Login Client supersedes the SECUDE Signon&Secure Client. Tokens with persistent keys such as smartcards, USB tokens, and Microsoft CSPs are now supported. However, SECUDE Secure Login Client is still in version 4.2.

SECUDE Secure Login Web Client (SLWC)

The SECUDE Secure Login Web Client is a zero footprint software component which can be installed with SECUDE Secure Login Server. The SECUDE Secure Login Web Client runs on the user’s desktop system but does not require an installation; it runs as a Java applet inside the user’s Web browser. It loads the SAP SNC libraries necessary for this platform, takes the user authentication data and sends it to the SECUDE Secure Login Server, and receives the user certificate from the SECUDE Secure Login Server, if the user could be authenticated successfully.

The SECUDE Secure Login Web Client then provides the user certificate to the SAPGUI to establish an SNC (Secure Network Communications) connection to SAP servers.

SECUDE Secure Login Web Client supports the SAPGUI for Java on all popular client platforms including Windows, Linux, and Mac OS X. No software rollout is necessary, and no software is installed permanently. SAPGUI for Windows is also supported, but only when it is first launched by the SECUDE Secure Login Web Client.

SECUDE Secure Login Administration Console (SLAC)

SECUDE Secure Login Administration Console is a new component for SECUDE Secure Login that allows you to create the initial configuration for, and to maintain the configuration parameters of, SECUDE Secure Login Server from within a web-based user interface. Besides the PKI management and configuration capabilities, it provides features for the ongoing operation of SECUDE Secure Login Server such as backup and restore, a server event and transaction log viewer, and the server status overview.

SECUDE Secure Login Native Components (SLNC)

These specific components have to be installed on the SECUDE Secure Login Server if the SAP authentication JAAS module or the SECUDE Secure Login Web Client is to be used. The components cover the required native libraries for all supported platforms.

SECUDE Signon&Secure Server (SSS)

This component has to be installed on the SAP server on which SAP NetWeaver or an older version of the SAP R/3® Enterprise platform is running. The package contains a set of libraries and the SECUDE Shell. The SECUDE Library will be loaded from the SAP Network Interface to implement the SNC functionality. The SECUDE Shell will be used to generate login credentials or to perform PKCS#12 operations.

1.3 More Information

If you would like to receive more information about the SECUDE Secure Login product, please go to www.secude.com/sap or contact SECUDE or your authorized SECUDE partner.

2 What’s In this Version

2.1 New Features

2.1.1 Policy to Hide PSE Service System Tray Icon (BUGZ1351)

A new policy can be used to hide the system tray icon of PSE Service. This is useful if no user shall be able to open PSE Service dialogs and menus manually.

2.1.2 Policy to Filter Certificate Subject Names in Microsoft Store (BUG1370)

In addition to the existing CAPI filters, now the subject names of user certificates found in the personal certificate store can be filtered.

2.1.3 New Language Pack for Simplified Chinese (BUG1372)

With this version, simplified Chinese GUI support can be installed.

2.2 Changes in the Product

No previously existing functionality of SECUDE Secure Login Client has been changed.

2.3 Obsolete Features

No previously existing features of SECUDE Secure Login Client have been removed.

2.4 Bug Fixes

2.4.1 SAP Smartcard Login Failed With Slow Network Connections Under Citrix (BUGZ1435)

If SECUDE Secure Login Client was used in a Citrix environment with very slow network connection in combination with PKCS#11 based smartcards, a SAPGUI logon process took very long or even failed.

This version has optimized the PKCS#11 client operations.

However, it is also recommended to turn on the SAPGUI connection network setting “Low Speed Connection (Reduced Network Traffic)” in such cases.

2.5 Migration Aspects

Customers can migrate from any officially supported previous SECUDE Secure Login version to this release. SECUDE Secure Login allows for the parallel installation of different SECUDE Secure Login servers, and a phased re-configuration of SECUDE Secure Login clients to move from the old to the new version of SECUDE Secure Login server. Please ensure that client – server compatibility is checked.

3 System Requirements

The following sections provide an overview of the system requirements for the various SECUDE Secure Login components.

SECUDE Secure Login is a distributed software solution built to run in enterprise IT environments. Your specific environment may not be reflected in the list below. If you have questions about official support of your specific environment, please contact your SECUDE or partner representative.

3.1 SECUDE Secure Login Server and SECUDE Secure Login Administration Console

3.1.1 Supported OS Platforms

• Microsoft Windows 2003 Server, R2 (x86)

• Microsoft Windows XP Professional, SP2 (x86)

• SuSE Linux Enterprise Server 9, 10.3 (x86)

• Debian Linux 4.0 (x86)

• Sun Solaris 8, 9, 10 (SPARC)

3.1.2 Supported Java Versions

• JDK 1.4.2, 1.5, 1.6

3.1.3 Supported Web Application Servers

• SAP Web Application Server / SAP AS Java 6.40 or later

• BEA WebLogic 8.1, 9, 10

• Tomcat 5.x, 6.x with servlet engine 2.3

3.1.4 Available Language Options for SECUDE Secure Login Server

• English (United States)

• German (Standard)

3.1.5 Available Language Options for SECUDE Secure Login Administration Console

• English (United States)

• German (Standard)

• Chinese (Simplified)

3.2 SECUDE Secure Login Client

The following information applies to SECUDE Secure Login Client 4.2, which is currently the recommended version of Client software to be used with SECUDE Secure Login Server 5.0:

3.2.1 Supported OS Platforms

• Microsoft Windows 2000, SP4

• Microsoft Windows XP, SP1/SP2

• Microsoft Windows Vista Enterprise, Business, Ultimate editions

• Citrix Terminal Server (for use with Microsoft Internet Explorer)

3.2.2 Supported SAP User Interfaces

• SAPGUI 4.6D or higher

• Microsoft Internet Explorer 5.5 or higher

3.2.3 Available Language Options for SECUDE Secure Login Client

• English (United States)

• German (Standard)

• Czech

• French (Standard)

• Spanish (Spain)

• Hungarian

• Italian

• Portuguese (Brazil)

• Chinese (Simplified)

3.3 SECUDE Secure Login Web Client

The following information applies to SECUDE Secure Login Web Client 5.0:

3.3.1 Supported OS Platforms

• Microsoft Windows XP, SP1/SP2

• Microsoft Windows Vista Enterprise, Business, Ultimate editions

• Linux i686 2.2 glibc 2.1, 32bit

• Linux i686 2.4 glibc 2.2, 32bit

• Linux i686 2.6 glibc 2.3, 32bit

• Mac OS X 10.4 (Universal Binaries)

3.3.2 Supported Web Browsers

• Microsoft Internet Explorer 6.0 or higher

• Firefox 2.0, 3.0

• Safari 3.0

• Konqueror 3.5.5

3.3.3 Supported SAP User Interfaces

• SAPGUI for Java 7.0 or higher

3.3.4 Available Language Options for SECUDE Secure Login Web Client

• English (United States)

• German (Standard)

3.4 SECUDE Signon&Secure Server

The following information applies to SECUDE Signon&Secure Server 4.2, which is currently the recommended version to be used with SECUDE Secure Login Server 5.0:

3.4.1 Supported SAP Applications

• SAP R/3 3.1G or higher

• SAP NetWeaver

3.4.2 Supported OS Platforms

• AIX 5.1, 32bit

• AIX 5.1, 5.2, 5.3 64bit

• HP-UX 9000 800 B.11.11, 32bit

• HP-UX 9000 800 B.11.11, 64bit

• HP-UX IA64 B.11.23, 32bit

• HP-UX IA64 B.11.23, 64bit

• HP-UX IA64 B.11.31, 64bit

• Linux i686 2.2 glibc 2.1, 32bit

• Linux i686 2.4 glibc 2.2, 32bit


• Linux i686 2.6 glibc 2.3, 32bit

• Linux i686 2.6 glibc 2.7, 32bit

• Linux IA64 2.6 glibc 2.3, 64bit

• Linux PPC64 2.6 glibc 2.3, 64bit

• Linux s390x 2.6 glibc 2.3, 32bit

• Linux x86_64 2.6 glibc 2.3, 64bit

• SunOS i86pc 5.10, 32bit

• SunOS sparc 5.8, 5.9, 5.10, 32bit

• SunOS sparc 5.8, 5.9, 5.10 64bit

• Tru64 / OSF1 V 4.0, 64bit

• Tru64 / OSF1 V 5.1, 64bit

• Windows i686, 32bit

• Windows IA64, 64bit

• Windows x86_64, 64bit

4 Software License Agreement

IMPORTANT - READ BEFORE COPYING, INSTALLING OR USING!

Do not use or load this software until you have carefully read the following terms and conditions. By loading or using the software, you agree to the terms of this agreement. If you do not wish to agree, do NOT INSTALL or use the software.

LICENSE

You may copy the software on computer systems owned, leased, or otherwise controlled by your organization in your own facilities, and you may make one back-up copy of the software, subject to these conditions: You may not copy, modify, rent, sell, distribute or transfer any part of the software except as provided in this agreement, and you agree to prevent unauthorized copying of the software. You may not reverse engineer, decompile, or disassemble the software. You may not sublicense or permit simultaneous use of the software by more than one user. You may not copy the documentation about the software or put it at somebody else’s disposal, neither free of charge nor against payment.

COPYRIGHT AND OTHER INTELLECTUAL PROPERTY RIGHTS

The software is protected by copyright. All copyrights, trademarks and other intellectual property stay with the licensor. The notices on copyrights or trademarks of the licensor and/or SECUDE AG may not be changed.

OWNERSHIP OF SOFTWARE AND COPYRIGHTS

Title to all copies of the software and/or the corresponding documentation remains with the licensor and/or SECUDE AG. You agree that you do not acquire any claims to ownership on the software and/or the documentation connected to it by signing this license agreement.

COPYRIGHT OF CONTAINED SOFTWARE

The software contains open source packets which are listed in another place. The copyright on the open source parts depends on the license agreement provided for them. The free usability does not affect the above mentioned copyrights.

LIMITED WARRANTY

The licensor guarantees that the software will function satisfactorily if operated correctly. You are obliged to inform the licensor immediately of any faults. If problems with SECUDE products arise, or if you identify faults/defects, you must contact the company which supplied the software to you immediately. Please contact the helpline as well.

Any changes or a repair of SECUDE software on your own initiative or from having such work carried out by unauthorized third parties is prohibited. In case of faulty software the faulty product will be replaced. The warranty is limited to replacing the faulty software product.

If the cause of the defect is the result of other software products used by you there is no obligation for replacement. There is no guarantee that the software will meet in all respects your expectation or that it will operate without error with all applications and combinations of other programs selected by you.

LIMITATION OF LIABILITY

In no event there will be liability whatsoever for any damages (immediate, mediate, resultant damage, damage to third parties including lost profits, interruption of service and/or loss of information) as long as the limitation is in accordance with the law.

CONDITIONS FOR EXPORT

This software contains cryptographic elements and in some countries is therefore subject to import and export regulations. Once you have acquired the software it is your responsibility to observe these regulations. You will be fully liable in case of violating these regulations.

TERMINATION OF THIS AGREEMENT

This agreement can be terminated at any time if its terms are violated. Upon termination, you will immediately destroy the software or return all copies of the software.

AMENDMENTS AND SUPPLEMENTS

Alterations and supplements have to be in writing. This includes the alteration of this clause.

SAVING CLAUSE

Should any provision of this agreement turn out to be invalid, the binding force of all other provisions shall not be affected thereby. The agreement is to be interpreted and applied in such a way that the purpose of the provision which has become invalid can still be achieved as far as possible.

APPLICABLE LAWS

This agreement is governed by Swiss law.

CIVIL JURISDICTION

For litigation resulting from this agreement the courts at the registered office of the licensor have jurisdiction. Alternatively, the licensor can claim the use of the courts at the registered office of the licensee.

5 Installation

Please refer to SECUDE Secure Login 5.0 Administrator Manual and the latest SECUDE Signon&Secure Administrator Manual for the required steps to install SECUDE Secure Login 5.0.

6 Known Issues

6.1 Known Bugs

None specific to SECUDE Secure Login Client 4.2.10.

7 About SECUDE

SECUDE is a market leader in the areas of authentication & authorization, encryption, data integrity and the management of digital identities, delivering end-to-end IT security solutions to organizations around the world. We offer solutions in single sign-on, full disk encryption, and the security of documents, applications and transactions.

SECUDE is a member of SECUDE AG and was formed in 1996 from a partnership between SAP AG and the Fraunhofer Institute in Darmstadt, Germany. This partnership resulted in the Secure Network Communication (SNC) module for SAP AG. SECUDE is headquartered in Zurich, Switzerland, and has offices in Switzerland, the USA, Germany, Netherlands, Spain and United Arab Emirates.