Manager Security Guide 9.1 en-US


Security Guide

SAP® Workforce Performance Builder

Manager

Target Audience

■ Administrators

Public Document version 29/02/2012


© Copyright 2012 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight and Visual Studio are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix and Smarter Planet are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle and Java are registered trademarks of Oracle and/or its affiliates.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri and Xcode are trademarks or registered trademarks of Apple Inc.

IOS is a registered trademark of Cisco Systems Inc.

RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App World are trademarks or registered trademarks of Research in Motion Limited.

Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are trademarks or registered trademarks of Google Inc.

INTERMEC is a registered trademark of Intermec Technologies Corporation.

Wi-Fi is a registered trademark of Wi-Fi Alliance.

Bluetooth is a registered trademark of Bluetooth SIG Inc.

Motorola is a registered trademark of Motorola Trademark Holdings, LLC.

Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany, T +49/18 05/34 34 24, F +49/18 05/34 34 20, www.sap.com


Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Documentation in the SAP Service Marketplace

You can find this documentation at the following address: http://service.sap.com/<xxxxxxxx>

Terms for Included Open Source Software

This SAP software also contains the third party open source software products listed below. Please note that for these third party products the following special terms and conditions shall apply.

1. This software was developed using ANTLR.

2. gSOAP

Part of the software embedded in this product is gSOAP software. Portions created by gSOAP are Copyright (C) 2001-2004 Robert A. van Engelen, Genivia inc. All Rights Reserved.

THE SOFTWARE IN THIS PRODUCT WAS IN PART PROVIDED BY GENIVIA INC AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

3. SAP License Agreement for STLport

SAP License Agreement for STLport between SAP Aktiengesellschaft Systems, Applications, Products in Data Processing, Neurottstrasse 16, 69190 Walldorf, Germany (hereinafter: SAP) and you (hereinafter: Customer)

a) Subject Matter of the Agreement

A) SAP grants Customer a non-exclusive, non-transferrable, royalty-free license to use the STLport.org C++ library (STLport) and its documentation without fee.

B) By downloading, using, or copying STLport or any portion thereof Customer agrees to abide by the intellectual property laws, and to all of the terms and conditions of this Agreement.

C) The Customer may distribute binaries compiled with STLport (whether original or modified) without any royalties or restrictions.

D) Customer shall maintain the following copyright and permissions notices on STLport sources and its documentation unchanged:


Copyright 2001 SAP AG

E) The Customer may distribute original or modified STLport sources, provided that:

o The conditions indicated in the above permissions notice are met;

o The following copyright notices are retained when present, and conditions provided in accompanying permission notices are met:

Copyright 1994 Hewlett-Packard Company
Copyright 1996,97 Silicon Graphics Computer Systems Inc.
Copyright 1997 Moscow Center for SPARC Technology.
Copyright 1999,2000 Boris Fomitchev
Copyright 2001 SAP AG

Permission to use, copy, modify, distribute and sell this software and its documentation for any purposes is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Silicon Graphics makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

Permission to use, copy, modify, distribute and sell this software and its documentation for any purposes is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Moscow Center for SPARC makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

Boris Fomitchev makes no representations about the suitability of this software for any purpose. This material is provided "as is", with absolutely no warranty expressed or implied. Any use is at your own risk. Permission to use or copy this software for any purpose is hereby granted without fee, provided the above notices are retained on all copies. Permission to modify the code and to distribute modified code is granted, provided the above notices are retained, and a notice that the code was modified is included with the above copyright notice.

Permission to use, copy, modify, distribute and sell this software and its documentation for any purposes is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. SAP makes no representations about the suitability of this software for any purpose. It is provided with a limited warranty and liability as set forth in the License Agreement distributed with this copy. SAP offers this liability and warranty obligations only towards its customers and only referring to its modifications.

b) Support and Maintenance

SAP does not provide software maintenance for the STLport. Software maintenance of the STLport therefore shall not be included. All other services shall be charged according to the rates for services quoted in the SAP List of Prices and Conditions and shall be subject to a separate contract.

c) Exclusion of warranty

As the STLport is transferred to the Customer on a loan basis and free of charge, SAP cannot guarantee that the STLport is error-free, without material defects or suitable for a specific application under third-party rights. Technical data, sales brochures, advertising text and quality descriptions produced by SAP do not indicate any assurance of particular attributes.

d) Limited Liability

A) Irrespective of the legal reasons, SAP shall only be liable for damage, including unauthorized operation, if this (i) can be compensated under the Product Liability Act or (ii) if caused due to gross negligence or intent by SAP or (iii) if based on the failure of a guaranteed attribute.

B) If SAP is liable for gross negligence or intent caused by employees who are neither agents nor managerial employees of SAP, the total liability for such damage and a maximum limit on the scope of any such damage shall depend on the extent to which its occurrence ought to have been anticipated by SAP when concluding the contract, due to the circumstances known to it at that point in time representing a typical transfer of the software.

C) In the case of Art. 4.2 above, SAP shall not be liable for indirect damage, consequential damage caused by a defect or lost profit.


D) SAP and the Customer agree that the typical foreseeable extent of damage shall under no circumstances exceed EUR 5,000.

E) The Customer shall take adequate measures for the protection of data and programs, in particular by making backup copies at the minimum intervals recommended by SAP. SAP shall not be liable for the loss of data and its recovery, notwithstanding the other limitations of the present Art. 4, if this loss could have been avoided by observing this obligation.

F) The exclusion or the limitation of claims in accordance with the present Art. 4 includes claims against employees or agents of SAP.

4. Adobe Document Services

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and / or other countries. For information on Third Party software delivered with Adobe document services and Adobe LiveCycle Designer, see SAP Note 854621.


Security Guide: mySAP Manager

Contents

Security settings
    Individualising the initial login
    Origin restrictions for administrative roles
    Separating content and administrative tasks
    Password restrictions
        Applying restrictions to Excel import
    Communication encryption via SSL certificate
        Creating a Tomcat keystore
            Preparing the keystore
        Creating an internal certificate
        Installing an external certificate
            Creating a Certification Signing Request (CSR)
            Importing the certificate
        Adjusting the configuration file
            Only allowing encrypted connections
        Displaying certificates
    SSL secured LDAP connection
    Single sign-on using Kerberos
        Configuration
        Settings for Mozilla Firefox
        Settings for Internet Explorer
        Adjusting the HTTP header size
Technical Support

Security settings

The Manager gives you various options for tailoring work with the web application, and the communication between client and server, to your individual security requirements. Some security functions are already active by default and prevent unauthorized access to or manipulation of your content; these include, for example, a function that detects malicious code embedded in content and a function that grants workarea-specific read and write access.

The following sub-chapters describe options that you can use individually or in combination to reach the level of data security your environment requires.

Individualising the initial login

The Manager ships with separate credentials for the installation assistant and the server import. These credentials can be changed freely after installation.

To adjust the initial credentials, follow these steps:

1. Go to the webapps folder of your Manager.

2. Go to the folder WEB-INF -> classes and open the file config.properties with the text editor of your choice.

3. Search for the following entries and adjust them as you prefer:

   init.adminPassword=xxx
   init.adminUser=admin

4. Save and close the file.

5. Open the Tomcat Manager in your browser (/manager) and perform a Reload on the Manager application, or restart the Tomcat server itself.

You can now use your adjusted initial credentials to gain access to the specially protected areas of the Manager.

Note:

To adjust the credentials you need access to the webapps folder on your Tomcat server, i.e. local administrator privileges on the server machine, or at least privileges specifically granted for changing files within the access-protected storage of the web application. Conversely, anyone who can read config.properties can read the initial password in clear text, so keep the file permissions on WEB-INF/classes as tight as the Tomcat service account allows.
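Because the two entries are plain key=value lines, the change can be scripted and checked rather than edited by hand on every server. The following is an added example for this guide, not code from SAP or the Manager: it reads a config.properties text, reports whether the initial credentials still look like the shipped defaults, and rewrites the two keys without touching any other line. Only the key names init.adminUser and init.adminPassword come from the guide; the sample file content, the user name wpb-installer and the 12-character minimum are constructed assumptions for the example.

```python
# Added example (not from the SAP guide): audit and rotate the
# init.adminUser / init.adminPassword entries in WEB-INF/classes/config.properties.
import secrets
import string

SAMPLE_CONFIG = """# constructed sample of config.properties, not a real shipped file
some.other.setting=keep-me
init.adminUser=admin
init.adminPassword=xxx
"""

KEY_USER = "init.adminUser"
KEY_PASSWORD = "init.adminPassword"


def read_properties(text):
    """Parse simple key=value lines; comments (# or !) and blanks are skipped."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        key, sep, value = stripped.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_initial_credentials(text, min_length=12):
    """Return findings about the initial credentials (empty list = nothing to do).
    min_length is an assumed local minimum, not a value from the guide."""
    props = read_properties(text)
    user = props.get(KEY_USER)
    password = props.get(KEY_PASSWORD)
    if user is None or password is None:
        return ["init.adminUser / init.adminPassword missing: installation assistant "
                "and server import are not protected by individual credentials"]
    findings = []
    if user == "admin":
        findings.append("init.adminUser still uses the well-known value 'admin'")
    if len(password) < min_length:
        findings.append(f"init.adminPassword is shorter than {min_length} characters")
    return findings


def set_initial_credentials(text, user, password):
    """Rewrite both keys in place, keeping every other line untouched.
    A missing key is appended instead of being silently skipped."""
    if "\n" in user or "\n" in password or "=" in user:
        raise ValueError("user/password must be single-line; user must not contain '='")
    lines = text.splitlines()
    seen = set()
    for i, line in enumerate(lines):
        key = line.split("=", 1)[0].strip()
        if key == KEY_USER:
            lines[i] = f"{KEY_USER}={user}"
            seen.add(KEY_USER)
        elif key == KEY_PASSWORD:
            lines[i] = f"{KEY_PASSWORD}={password}"
            seen.add(KEY_PASSWORD)
    if KEY_USER not in seen:
        lines.append(f"{KEY_USER}={user}")
    if KEY_PASSWORD not in seen:
        lines.append(f"{KEY_PASSWORD}={password}")
    return "\n".join(lines) + "\n"


def random_password(length=20):
    """Generate a password from a CSPRNG; the character set is an assumption."""
    alphabet = string.ascii_letters + string.digits + "!$%&*+-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(audit_initial_credentials(SAMPLE_CONFIG))
    hardened = set_initial_credentials(SAMPLE_CONFIG, "wpb-installer", random_password())
    print(audit_initial_credentials(hardened))
```

After writing the new file, the Reload in the Tomcat Manager (step 5) is still required; the script only changes the text.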

Origin restrictions for administrative roles

The Administrator IP Ranges server setting lets you restrict access for roles with admin permissions to specific network addresses or address ranges. This allows you, for example, to permit these roles to log in only from within the internal company network.

Enter the IP addresses as described below:

As a list of IP addresses: Enter individual IP addresses separated by commas, e.g.
192.168.1.1, 192.168.1.2, 192.168.1.3

The following additional options are also available when entering IP origin ranges.

Entry of sub-networks: You can specify sub-networks using prefix-length (CIDR) notation, e.g.
192.168.1.10/24

Using wildcards: You can match address ranges using the wildcard character, e.g.
192.168.1.10*

Note:

Please keep in mind that once this function is activated, users can only access the server from the specified origin IP addresses as soon as they have been assigned admin permissions. Make sure the address you administer from is in the list before you activate the setting. The guide does not state how the wildcard is matched; if it is applied to the address as text, 192.168.1.10* also matches 192.168.1.100 to 192.168.1.109, so prefer the /24 notation for whole subnets. If the Manager sits behind a reverse proxy, the address the server sees is the proxy's, and the restriction then applies to the proxy rather than to the user.
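To review a setting before switching it on, it helps to evaluate it the way a server would. The following is an added example written for this guide, not the Manager's own matching code: it accepts the three notations shown above (comma list, /prefix length, trailing wildcard), tests a client address against them, and enumerates what a textual wildcard actually covers. That the wildcard is a string prefix, and that 192.168.1.10/24 is read as the whole 192.168.1.0/24, are assumptions about the Manager's behaviour; the sample setting in the usage note is constructed.

```python
# Added example (not from the SAP guide): model of an "Administrator IP Ranges"
# allow list with the three notations the guide shows.
import ipaddress


def parse_ranges(setting):
    """Split the setting into typed entries. Anything that is not one of the
    three notations raises ValueError, so a typo cannot silently widen or
    empty the allow list."""
    entries = []
    for raw in setting.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.endswith("*"):
            prefix = item[:-1]
            # assumption: wildcard = dotted-string prefix, digits and dots only
            if not prefix or any(ch not in "0123456789." for ch in prefix):
                raise ValueError(f"bad wildcard entry: {item!r}")
            entries.append(("wildcard", prefix))
        elif "/" in item:
            # strict=False: 192.168.1.10/24 is accepted and means 192.168.1.0/24
            entries.append(("cidr", ipaddress.ip_network(item, strict=False)))
        else:
            entries.append(("single", ipaddress.ip_address(item)))
    return entries


def is_allowed(setting, client_ip):
    """True if client_ip matches at least one entry of the setting."""
    client = ipaddress.ip_address(client_ip)
    for kind, value in parse_ranges(setting):
        if kind == "single" and client == value:
            return True
        if kind == "cidr" and client in value:
            return True
        if kind == "wildcard" and str(client).startswith(value):
            return True
    return False


def wildcard_hosts(prefix):
    """Enumerate what a last-octet wildcard covers when applied to the dotted
    string: every host of the /24 whose text starts with the prefix."""
    if prefix.count(".") != 3:
        raise ValueError("expects a prefix inside one /24, e.g. '192.168.1.10'")
    net = ipaddress.ip_network(prefix.rsplit(".", 1)[0] + ".0/24")
    return [str(a) for a in net if str(a).startswith(prefix)]


if __name__ == "__main__":
    setting = "192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.10/24, 10.0.0.1*"
    for ip in ("192.168.1.2", "192.168.1.200", "192.168.2.1", "10.0.0.199"):
        print(ip, is_allowed(setting, ip))
    print(len(wildcard_hosts("192.168.1.10")), "hosts behind 192.168.1.10*")
```

The enumeration is the point of the example: 192.168.1.10* covers 11 addresses and 192.168.1.1* covers 111, which is rarely what the administrator meant.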

Separating content and administrative tasks

The server-side detection and removal of malicious code embedded in content can be supported further by separating content and administrative tasks. Once the function Filter content permissions if user has admin permissions has been activated, the workarea view is no longer displayed for users with admin permissions (e.g. administration of server settings and meta information such as status, milestones, etc.). If such a user still needs access to content, a second user account without admin permissions must be created for this user; the user then logs in separately with that account to view or edit content.

Note:

If a user account is given admin permissions while content separation is activated, the Producer can no longer connect with the login data of that account. So if you activate this function at a later time, inform users with admin permissions beforehand that they must return their write permissions first; otherwise write permissions kept in local workarea copies cause data inconsistencies, because they can no longer be returned and are lost when the user logs in with another user account.

Password restrictions

User login information is harder for attackers to guess or crack if different character classes are used in longer character sequences. If you use password restrictions, you require users to comply with predefined criteria when setting a password and prevent passwords that are easy to remember but also easy to crack. The following restrictions are available in the server settings:

Minimum password length: The minimum number of characters in the password. If you enter 0, user accounts may be created without a password.

Password must contain number: The password must contain at least one numeric character (0-9).

Password must contain special character: The password must contain at least one special character (&, $, ...).

Password must contain lower and upper case letters: The password must contain at least one upper case and one lower case letter.

Applying restrictions to Excel import

Password restrictions can also be applied when importing user data from an Excel file. To do this, activate the use password policy option above the path entered for the Excel file. All users whose passwords in the Excel file violate the restrictions are then imported as inactive users; they must be activated manually and issued a new password.

Note:

The password restrictions do not apply to passwords of LDAP-backed user profiles because, in this case, the Active Directory server manages the user profiles and their security criteria.

Note:

The password restrictions do not affect passwords of user profiles that already exist. The restrictions only apply to these profiles when the user changes the password, so existing weak passwords remain in place until you force a change.
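The four restrictions and the import behaviour are easy to get wrong when preparing an Excel file, so it pays to run the policy over the list first. The following is an added example for this guide, not the Manager's own validation code: it models the four server settings, lists which rules a password breaks, and mimics the import with the use password policy option on (violators become inactive accounts). The special-character set, the field names and the sample users are constructed assumptions; the guide only shows "&, $, ..." for specials, so extend SPECIALS to match your server.

```python
# Added example (not from the SAP guide): model of the four password
# restrictions and of the Excel import with "use password policy" on.
import string
from dataclasses import dataclass

# assumption: the Manager's real set of special characters is not documented here
SPECIALS = set("&$!%*+-_?#@")


@dataclass
class Policy:
    min_length: int = 0           # 0 means accounts without a password are allowed
    require_digit: bool = False
    require_special: bool = False
    require_mixed_case: bool = False


def violations(password, policy):
    """Return the list of rules the password breaks; an empty list means compliant."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if policy.require_digit and not any(c in string.digits for c in password):
        problems.append("no digit")
    if policy.require_special and not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if policy.require_mixed_case and not (
        any(c.islower() for c in password) and any(c.isupper() for c in password)
    ):
        problems.append("no mixed case")
    return problems


def import_users(rows, policy, use_password_policy=True):
    """Mimic the Excel import: every row becomes an account. With the option on,
    a non-compliant password yields an inactive account that must be activated
    manually and given a new password; with it off, every account is active."""
    result = []
    for row in rows:
        bad = violations(row["password"], policy) if use_password_policy else []
        result.append({"login": row["login"], "active": not bad, "reasons": bad})
    return result


SAMPLE_ROWS = [  # constructed import file content, not real user data
    {"login": "alice", "password": "Summer2012!"},
    {"login": "bob",   "password": "password"},
    {"login": "carol", "password": ""},
]

STRICT = Policy(min_length=10, require_digit=True, require_special=True,
                require_mixed_case=True)

if __name__ == "__main__":
    for account in import_users(SAMPLE_ROWS, STRICT):
        print(account)
```

Run the list through violations() before the import and fix the offending rows; otherwise every flagged user needs a manual activation and a new password afterwards.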

Communication encryption via SSL certificate

The Tomcat server environment supports the creation of self-signed SSL certificates and the import of certificates signed by a trusted third party (e.g. VeriSign, TC TrustCenter, Signtrust, TeleSec, Thawte Consulting). You can use these certificates to encrypt the communication between users and the Manager. Access then occurs using the address prefix https://.

To prepare the Tomcat server for SSL encryption, follow the steps described in the sub-chapters. You can find more information in the Apache Tomcat documentation at http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.

Creating a Tomcat keystore

The keystore of the Tomcat server is a password-protected repository that contains the server's certificates and private keys. It is not created automatically during installation but must be created manually. To create the Tomcat keystore, open your server's command prompt (Start > Run > "cmd").

1. Enter the following command:

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA

Note:

If the command line reports that the file location is unknown, the %JAVA_HOME% system variable is probably not set on your system. In this case, replace the variable with the installation path of your Java instance, e.g. C:\Progra~1\Java\jre6.

Note:

Keep in mind that a certificate is only valid for the host name (or IP address) you entered as its name. If you make the server accessible via tunnels, proxies or similar communication channels under a different name or address, browsers report the certificate as invalid for that address.

Note:

To make it possible to access your server using an encrypted connection, it may be necessary to open the port provided for this purpose in your firewall.

2. You are now prompted for a password that protects the keystore. Your entry is not shown in the command line for security reasons. Confirm by pressing Enter and enter the password again for verification.

3. You are then prompted for the data used to create an initial certificate in the keystore. Confirm each entry by pressing Enter.

4. Now enter a password for the key entry with the alias tomcat. Use the same password here as for the keystore; otherwise the Tomcat server cannot access the key later on, because Tomcat uses the keystore password for the key as well unless keyPass is set separately in server.xml.

The keystore file ('.keystore') has now been created.

Note:

The command creates the keystore file in the home directory of the user running keytool. If you want to store the file in a different directory, add the following to the command:

[...] -keystore /path/to/my/file

Note:

On systems with User Account Control (Windows Vista/Windows 7), the command prompt and the Tomcat service run as different users, so your home directory is not visible to the server. In this case, copy the created keystore file to the home directory of the service account, e.g. C:\windows\system32\config\systemprofile for the LocalSystem account, or, better, store it under an explicit path with -keystore and reference that path in server.xml via keystoreFile.

Preparing the keystore

Tomcat supports keystores in the formats JKS, PKCS11 and PKCS12. JKS is the standard Java keystore format, which is also what the keytool command line program contained in the Java JDK creates. PKCS12 is an Internet standard that can be created and changed using various programs (OpenSSL, Microsoft KeyManager, ...).

To import a signed certificate, please read the documentation of the tools you are using.

Note:

Every entry in the keystore is addressed via an alias. To prevent conflicts, do not use aliases that differ only in upper and lower case, because some keystore formats, e.g. PKCS11, do not distinguish between them.

Creating an internal certificate

You can create your own local (self-signed) certificate for your server. The disadvantage is that such certificates are only valid for a short time (keytool uses 90 days unless you pass -validity) and are not verified by a public certification body. When users open the server in a browser, a warning appears that the certificate could not be verified, and it has to be added manually to the user's trusted certificates.

Enter the following command in the command line program to create your own certificate:

%JAVA_HOME%\bin\keytool -selfcert -v -alias tomcat -storepass <password>

The values of the certificate you created are then listed. The certificate is now available.

Note:

The initial connection of the Producer to an SSL-protected server with a local certificate may fail. In this case, open the Manager instance with Internet Explorer and confirm the trustworthiness of the certificate when prompted. Then try to establish a connection from the Producer again.

Installing an external certificate

With digital SSL certificates from public certification bodies, your web application is given authenticated, unique keys and additional information from your provider to encrypt and decrypt the transfer of confidential data and to prove the origin of your side. Using this type of certificate is particularly necessary when you want to make encrypted access to your server possible outside of internal networks, i.e. over the Internet.

Creating a Certification Signing Request (CSR)

To obtain a certificate from a public certification body, you first have to create a Certificate Signing Request (CSR). The certification body needs it to issue a certificate for your web application.

1. Create a local key pair by entering the following command in the command line (Start > Run > cmd); type each command on a single line:

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore <your_keystore_file_name>

Note:

Some certification bodies require the domain of the web pages to be entered at the first and last name prompt. Find out whether this is necessary for the certification body you have chosen.

2. Enter your personal data at the respective prompts and confirm your entries by pressing Enter.

3. Now create the CSR by entering the following command:

%JAVA_HOME%\bin\keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <your_keystore_file_name>

4. Send the file certreq.csr created in step 3 to the certification body you selected. It can now create a certificate and send it to you.

Importing the certificate

Once you have received the certificate created by the certification body, you can import it into your locally created keystore. To do this, you first have to import the chain certificate or the root certificate of the certification body into the keystore. You can download this certificate from the page your chosen certification body provides for this purpose.

Import the downloaded root certificate by entering the following command in the command line (Start > Run > cmd):

%JAVA_HOME%\bin\keytool -import -alias root -keystore <your_keystore_file_name> -trustcacerts -file <file_name_of_the_root_certificate>

Page 16: Manager Security Guide 9.1 en-US

Communication encryption via SSL certificate

16 02 2012

Now import the SSL certificate you received by entering the following command:

Restart the Tomcat server to load the certificate

Adjusting the configuration file To implement SSL, it is necessary to define a Java (JSSE) connector. Support is not provided for implementation via the APR connector which is also available.

To carry out implementation, proceed as follows:

1. Use a text editor to open the file server.xml in the conf directory of your Tomcat installation directory.

2. This file already contains an example of a commented out <connector> element for operation with SSL. It should look as follows:

3. Remove the <!-- and --> tags so that the element is no longer commented out and the connector is activated.

4. Adjust the parameters to your specifications in line with the table below or add them if they do not exist. Depending on your server specifications, it may be necessary to enter additional parameters. You can find a list of all other parameters in the Tomcat reference.

Parameter Description

port Specifies the TCP/IP port on which the Tomcat server responds to inquiries for a secure connection. You can change the default port 8443 to any one you want. If you change the value, please also change it in other defined connectors in the redirectPort parameter to reroute users accordingly.

keystoreFile Enter the path to the keystore file. This file is created by default in the home directory of the user creating the keystore - if you change this value, you should have stored your keystore file in a different location. Please keep in mind that the Tomcat instance must have access rights to this

%JAVA_HOME%\bin\keytool -import -alias tomcat -keystore

<your_keystore_file_name> \

-file <file_name_of_the_ssl_certificate>

<!--

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

keystoreFile="/.keystore" keystorePass="changeit" maxThreads="150"

scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"

/>

-->

Page 17: Manager Security Guide 9.1 en-US

Communication encryption via SSL certificate

02 2012 17

directory

keystorePass Enter the password necessary to access the keystore file. You defined this password in the steps described in the chapter Creating a Tomcat keystore.

5. Save and close the file.

6. Restart the Tomcat server to reload the changed settings.

7. Your web applications running on the Tomcat server are now available via secure HTTP communication and can be accessed as in the following example: https://myserver:8443/Manager

Only allowing encrypted connections

To make your installation of the Manager available exclusively via SSL-encrypted communication, several additional settings are necessary.

1. Deactivate access via the standard HTTP port 80. Comment out the respective connector by enclosing it in <!-- and --> as shown in the following example:

<!--
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
-->

2. Assign the standard HTTPS port 443 to the SSL connector. If you prefer to use a different port number, you have to configure routing via a proxy server or a port forwarding mechanism (e.g. iptables). Note that on Linux/UNIX systems ports below 1024 can only be bound by a privileged process, so keeping Tomcat on 8443 under an unprivileged account and forwarding port 443 to it is the safer choice there.

3. Adjust the redirectPort parameter of any other connectors in use accordingly.

4. Save the file.

5. Restart the Tomcat server.

Your Tomcat server is now available exclusively via the following address:

https://myserver or https://myserver/myManager

Browser requests to the address http://myserver are now refused because nothing listens on port 80 any more; the browser displays a connection error to the user.

Attention:

If you have installed the Tomcat server behind a web server such as Apache or IIS, requests are handled by that server instead. A request sent to port 443 would produce an error message in this case. Keep the port number 8443 in the server.xml file and forward requests from the Apache web server to Tomcat using the mod_jk connector.

Note:

After deactivating the standard HTTP port, you have to specify the connection address in the connection settings of the Producer with the prefix https and the port entry 443, e.g.: https://myserver:443/Manager.

Displaying certificates

To display the certificates stored in your keystore, proceed as follows:

1. Open the command line.

2. Enter the following command:

%JAVA_HOME%\bin\keytool -list -v -storepass <password>

Without a -keystore <your_keystore_file_name> option, keytool lists the default keystore .keystore in your home directory. If you omit -storepass, keytool prompts for the password instead of leaving it in the command history.

3. Confirm your entry by pressing Enter.

SSL secured LDAP connection

By using LDAPS instead of LDAP it is possible to secure the connection to the Active Directory server with SSL. This requires some preparation on the Active Directory server; on the Manager side only the server address has to be changed.

LDAPS connections to your Active Directory server become available once a Certification Authority has been installed and a CA certificate has been integrated into your Active Directory. This certificate can be issued by your own CA or by a commercial trust service such as Verisign, Thawte or others.

Setting up the Certification Authority (CA)

On the Active Directory server you have to install the Enterprise Root Certification Authority and integrate a CA certificate into it. Read the linked documentation to install and configure a CA on a Microsoft Windows based Active Directory server.

For Microsoft Windows Server 2003:
http://technet.microsoft.com/en-us/library/cc700804.aspx

For Microsoft Windows Server 2008:
http://social.technet.microsoft.com/wiki/contents/articles/2980.aspx

Setting up the LDAPS connection in Manager

To connect to an Active Directory server that supports SSL-secured connections, enter the LDAP server address as follows, replacing myADserver with the name of your server:

ldaps://myADserver:636

If the domain controller's certificate was issued by your own CA, the Java runtime that runs the Manager must trust that CA (import the CA certificate into the JVM's truststore); otherwise the TLS handshake fails and the LDAPS connection is rejected.

Note:

636 is the default port for LDAPS connections, so the port suffix is normally not necessary. You have to add it if your Active Directory server is set up to use another port for LDAPS. Contact your network administrator for details about deviating port allocations.
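The following Python script is an added example and not part of the SAP guide. It does two things a practitioner wants before entering the address above in the Manager: it normalizes an ldap:// or ldaps:// URL the way the note describes (port 636 assumed for ldaps when none is given, 389 for plain ldap) and, when run from the Manager host, it opens a TLS connection to the domain controller and verifies the presented certificate chain against a CA file, which is the same check the Manager's Java runtime performs against its truststore. The server name myADserver, the CA file path and the function names are assumptions.

```python
"""Check the Manager's LDAP URL and the domain controller's LDAPS certificate.

Added example, not part of the SAP guide. Server names and the CA file are assumed.
"""
import socket
import ssl
import sys
from urllib.parse import urlsplit

# Default ports for the two schemes the Manager accepts (636 = LDAPS, 389 = plain LDAP).
LDAP_DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def ldap_endpoint(url):
    """Return (host, port, encrypted) for an LDAP URL as it would be entered in the Manager.

    A missing port falls back to the scheme default, so "ldaps://myADserver" and
    "ldaps://myADserver:636" describe the same endpoint. urlsplit() lower-cases the
    host name. Anything that is not ldap:// or ldaps:// raises ValueError.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in LDAP_DEFAULT_PORTS or not parts.hostname:
        raise ValueError("expected ldap://host[:port] or ldaps://host[:port], got %r" % url)
    port = parts.port or LDAP_DEFAULT_PORTS[scheme]
    return parts.hostname, port, scheme == "ldaps"


def fetch_ldaps_certificate(host, port=636, cafile=None, timeout=5.0):
    """Open a TLS connection to the domain controller and return facts about its certificate.

    The chain is verified against `cafile` (or the system trust store when None) and the
    host name is checked, which is what the Manager's Java runtime does with its own
    truststore. ssl.SSLCertVerificationError here means the CA certificate has not been
    made known to the client yet; a socket error means LDAPS is not enabled on that port.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            protocol = tls.version()
    subject = dict(rdn[0] for rdn in cert["subject"])
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    return {
        "subject": subject.get("commonName"),
        "issuer": issuer.get("commonName"),
        "notAfter": cert["notAfter"],
        "san": [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"],
        "protocol": protocol,
    }


if __name__ == "__main__":
    # Usage: python ldaps_check.py ldaps://myADserver [ca.pem]   (names are assumptions)
    url = sys.argv[1] if len(sys.argv) > 1 else "ldaps://myADserver"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    host, port, encrypted = ldap_endpoint(url)
    if not encrypted:
        sys.exit("refusing %s: the Manager would send credentials in clear text" % url)
    print(fetch_ldaps_certificate(host, port, cafile=ca))
```

A verification failure from fetch_ldaps_certificate with your CA file is exactly the situation in which the Manager's LDAPS connection will also fail, so fix the trust chain on the domain controller or in the JVM truststore before changing the address in the Manager.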

Single sign-on using Kerberos

In combination with an Active Directory server available in the network, the Manager grants your users access via single sign-on. This means that they do not have to log in every time but are given immediate access to the areas assigned to them through automatic authentication.

Attention:

It is not possible to use single sign-on in combination with Microsoft Windows Server 2008 Service Pack 1 due to a system-specific error in its interpretation. Service Pack 2 is therefore required for Windows Server 2008 to guarantee proper operation.

Attention:

It is not possible to play navigations (*.dnt) from the Manager when single sign-on is activated and Internet Explorer 6 is in use, due to a technical problem with the browser.

Configuration

Follow the steps below to configure server-side single sign-on in your installation of the Manager:

1. Create a user account in the Active Directory (LDAP). The account should be created on a top-level domain server that contains the global catalog, and its name must be different from the host name of the server on which the Manager is installed.

2. Open the command line interpreter on the Active Directory server and enter the following commands, replacing the placeholders in angle brackets with the appropriate values. These commands create the keytab file necessary for the functionality. To specify an output path, enter it in the /out parameter along with the file name; otherwise the keytab file is created in the current directory.

ktpass /pass <password> /mapuser <username> /princ HTTP/<Manager_hostname>.<domain>@<DOMAIN> /ptype KRB5_NT_PRINCIPAL /Target <DOMAIN>

ktpass /out (<path>)<coll.HTTP.keytab> /princ HTTP/<Manager_hostname>.<domain>@<DOMAIN> /ptype KRB5_NT_PRINCIPAL /Target <DOMAIN> /pass <password> /mapuser <username>

* Placeholders shown in upper case letters must also be written in upper case letters.

3. Place the keytab file somewhere on the Manager server (e.g.: C:\Manager\Managerpc.HTTP.keytab). Avoid placing the file in the webapp directory of the Manager because it will be deleted when the program is updated.

Note:

Kerberos ktpass is not a native part of Windows Server 2000 and of non-server systems such as XP or Vista. For operation on these systems, first install the ktpass utility.

Note:

If you are using a JDK version higher than 1.6.0u20, use the SP1 system tools to create the keytab file with ktpass. Otherwise the keytab file is not validated successfully.

Now enter the appropriate data in the configuration wizard of the Manager. This data is explained in brief below.

# Description

1 Path to krb5.conf file: If there is already a Kerberos service set up in your network and a config file regulates service access, enter the path to the respective file here. Fields 5 and 6 do not need to be filled out in this case. You can find more information at: http://download.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/KerberosReq.html

2 Service Principal*: Enter the service authentication with the complete service description and domain ID of the Manager server here, e.g. http/[email protected]

Attention:

Keep in mind that the princ HTTP parameter absolutely has to be entered in the following format: <lower_case_letters>@<upper_case_letters>.

Note:

If you want to reference a DNS alias name created for this purpose instead of the native host name of the server, keep in mind that this alias name must be defined in the resource record table as a referencing CNAME. If the host name is defined as an address alias (A record) instead, this results in an invalid keytab file.

3 Keytab file path*: Enter the path to the keytab file stored in step 3 here. Use "/" as the path separator (e.g. C:/Manager/Managerpc.HTTP.keytab).

4 Use ticket cache: Define whether client tickets that have been created should be saved in the server cache when users log in.

5 Server name*: Enter the host name of the Active Directory server here, e.g. master.

6 Realm*: Enter your domain here, e.g. mycompany.de

4. Now click the <Save and go on> button to save the data you entered and go to the configuration of the user import from the LDAP server. For more information, see the chapter on importing an LDAP directory structure.

Settings for Mozilla Firefox

Open the advanced browser configuration by entering about:config in the address bar. Search for the setting network.negotiate-auth.trusted-uris and enter the name of the server or the server domain.

Settings for Internet Explorer

Open the browser settings via Tools > Internet Options and make the following changes:

1. Open the Advanced tab. Activate the option Enable Integrated Windows Authentication under Security.

2. Open the Security tab and click Local intranet. Click the Custom level button and select Automatic logon only in Intranet zone under User Authentication > Logon. Close the dialog box and click OK.

3. Click the Sites button in the dialog window that opens and select Advanced. Enter the IP address or host name of the server on which the Manager is installed in the upper input box. If the input box is not available for entry, contact your network administrator to add it to the listed values.

Note:

Single sign-on based on Kerberos does not work when accessing the local host. You have to address your instance of the Manager from a different computer to make use of single sign-on.
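The following Python helper is an added example, not SAP code. It derives the names used in the configuration steps above from the Manager host and the DNS domain, checks the casing rule from the Attention note (lower case before the @, upper case realm after it), and renders the guide's ktpass command line and a matching minimal krb5.conf for wizard field 1. The host name managerpc, the domain mycompany.de and the KDC name master follow the guide's own examples; the account name managersso, the keytab path and all function names are assumptions.

```python
"""Derive the Kerberos names for the Manager's single sign-on and check their casing.

Added example, not part of the SAP guide. The values under __main__ are assumptions
modelled on the guide's examples (managerpc, mycompany.de, master).
"""
import re

# Host part lower case, realm upper case: the format the guide insists on for /princ
# and for the Service Principal field. The service label (HTTP) may be either case but
# must be spelled identically in the ktpass command and in the Manager.
_PRINCIPAL_RE = re.compile(r"^[A-Za-z]+/[a-z0-9][a-z0-9.-]*@[A-Z0-9][A-Z0-9.-]*$")


def kerberos_realm(dns_domain):
    """Active Directory uses the DNS domain in upper case as the Kerberos realm."""
    return dns_domain.strip().rstrip(".").upper()


def service_principal(manager_host, dns_domain, service="HTTP"):
    """Build HTTP/<host>.<domain>@<REALM> from the Manager's host name (or FQDN)."""
    host = manager_host.strip().lower()
    fqdn = host if "." in host else "%s.%s" % (host, dns_domain.lower())
    return "%s/%s@%s" % (service, fqdn, kerberos_realm(dns_domain))


def validate_principal(principal):
    """True if the principal follows <lower_case_letters>@<upper_case_letters>."""
    return _PRINCIPAL_RE.match(principal) is not None


def ktpass_command(principal, account, keytab_path, password="*"):
    """Render the guide's ktpass invocation (the second form, with /out).

    The realm doubles as /Target. Passing "*" as the password makes ktpass prompt
    for it instead of leaving it in the command history.
    """
    if not validate_principal(principal):
        raise ValueError("principal %r violates the required casing" % principal)
    realm = principal.split("@", 1)[1]
    return ("ktpass /out %s /princ %s /ptype KRB5_NT_PRINCIPAL /Target %s "
            "/pass %s /mapuser %s" % (keytab_path, principal, realm, password, account))


def krb5_conf(realm, kdc_host, dns_domain):
    """Minimal krb5.conf for the Manager when no site-wide file exists (wizard field 1)."""
    domain = dns_domain.lower()
    return (
        "[libdefaults]\n"
        "  default_realm = %s\n\n"
        "[realms]\n"
        "  %s = {\n"
        "    kdc = %s\n"
        "    admin_server = %s\n"
        "  }\n\n"
        "[domain_realm]\n"
        "  .%s = %s\n"
        "  %s = %s\n"
        % (realm, realm, kdc_host, kdc_host, domain, realm, domain, realm)
    )


if __name__ == "__main__":
    domain = "mycompany.de"                      # assumed, from the guide's examples
    princ = service_principal("managerpc", domain)
    print(princ)
    # managersso and the keytab path are placeholders
    print(ktpass_command(princ, "managersso", "C:\\Manager\\managerpc.HTTP.keytab"))
    print(krb5_conf(kerberos_realm(domain), "master." + domain, domain))
```

Whatever spelling of the service label you choose in the ktpass command, enter the same string in the Manager's Service Principal field: the keytab entry and the configured principal are compared as written.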

Adjusting the HTTP header size

For users that are members of a large number of groups, the length of the HTTP header can exceed the maximum size permitted by the Tomcat server, because all group memberships are sent inside the header (the Kerberos ticket carried in the Authorization header contains the user's group SIDs). In this case the Tomcat server discards the authentication, and a server error message is displayed to the user after calling the Manager. To solve this issue, the default value (8 KB) in the Tomcat configuration has to be raised.

Proceed as follows to adapt your Tomcat configuration:

1. Start your favorite text editor and open the file server.xml located in the conf directory of your Tomcat installation directory.

2. Scroll to the Connector definitions and add the parameter maxHttpHeaderSize to each definition of an active connector. The box below shows an example of an adapted connector element; the added parameter is on the last line.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           keystoreFile="/.keystore" keystorePass="changeit" maxThreads="150"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           maxHttpHeaderSize="65536" />

* The value has to be given in bytes. The example given corresponds to 64 KB.

3. Save and close the file.

4. Restart the Tomcat server service.
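The two server.xml procedures in this guide, commenting out the port-80 connector and moving the SSL connector to port 443 (Only allowing encrypted connections) and adding maxHttpHeaderSize to every active connector (this section), can be scripted and, more usefully, checked afterwards. The following Python is an added example, not SAP code and not a Tomcat tool. The embedded server.xml is a constructed sample assembled from the connector elements shown in this guide plus an AJP connector, and the function names are assumptions.

```python
"""Rewrite and check a Tomcat server.xml for HTTPS-only operation.

Added example, not part of the SAP guide or of Tomcat. Needs Python 3.8+ (comment-
preserving TreeBuilder). SAMPLE_SERVER_XML is a constructed sample assembled from
the connector elements shown in the guide.
"""
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               keystoreFile="/.keystore" keystorePass="changeit" maxThreads="150"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def _parse_keeping_comments(xml_text):
    # The default parser drops comments; Tomcat's server.xml is full of them, so keep them.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _is_plain_http(conn):
    proto = conn.get("protocol", "HTTP/1.1").upper()
    return "AJP" not in proto and conn.get("SSLEnabled", "false").lower() != "true"


def harden_server_xml(xml_text, https_port=443, max_header=65536):
    """Apply the guide's steps and return (new_xml_text, report).

    - plain HTTP connectors are commented out (step 1 of the HTTPS-only procedure),
    - the SSL connector is moved to https_port (step 2),
    - every other remaining connector gets redirectPort=https_port (step 3),
    - every connector that stays active gets maxHttpHeaderSize=max_header.
    """
    root = _parse_keeping_comments(xml_text)
    report = {"disabled_ports": [], "https_port": None, "warnings": []}
    for service in root.iter("Service"):
        for conn in list(service.findall("Connector")):
            if _is_plain_http(conn):
                # Replace the element by a comment holding its text, as the guide's
                # <!-- ... --> edit does, so it can be restored by hand later.
                idx = list(service).index(conn)
                service.remove(conn)
                note = ET.Comment(" disabled: %s " % ET.tostring(conn, encoding="unicode").strip())
                note.tail = conn.tail
                service.insert(idx, note)
                report["disabled_ports"].append(conn.get("port"))
                continue
            if conn.get("SSLEnabled", "false").lower() == "true":
                conn.set("port", str(https_port))
                report["https_port"] = https_port
                if conn.get("keystorePass") == "changeit":
                    report["warnings"].append("keystorePass is still the keytool default")
            else:
                conn.set("redirectPort", str(https_port))
            conn.set("maxHttpHeaderSize", str(max_header))
    return ET.tostring(root, encoding="unicode"), report


def active_connectors(xml_text):
    """Attributes of every connector Tomcat would actually start (comments are skipped)."""
    return [dict(c.attrib) for c in ET.fromstring(xml_text).iter("Connector")]


if __name__ == "__main__":
    new_xml, rep = harden_server_xml(SAMPLE_SERVER_XML)
    print(new_xml)
    print(rep)
```

Run active_connectors on the real server.xml after editing it by hand: any connector without maxHttpHeaderSize, or any non-SSL HTTP connector still listed, is one the guide's procedure missed. The warning about keystorePass flags the example value from this guide, which should never reach a production server.xml.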

Technical Support

Please use the SAP Message Wizard on the SAP Service Marketplace to submit your incidents on the following components:

KW-WPB // Workforce Performance Builder

KW-WPB-PRO // Workforce Performance Builder – Producer

KW-WPB-IPR // Workforce Performance Builder – Instant Producer

KW-WPB-MGR // Workforce Performance Builder - Manager

KW-WPB-NAV // Workforce Performance Builder - Navigator

If you are not familiar with the SAP Service Marketplace, please read the following information:

To access the SAP Support Portal you need an S-user ID and password. You can request access data from your SAP Super Administrator or register online on the SAP Service Marketplace page under ‘Registration’.

With this user, you have read-access to all the contents of the SAP Support Portal, you can use the SAP Community Network and SAP Help Portal, and you can also book courses under SAP Education.

If you want to work with the support applications (Message Wizard, license key request, system data maintenance, software download and so on), you need the corresponding authorizations, which your SAP Super Administrator can give you.

You can find information for new users and about support applications on the Support Portal Homepage under ‘Learn More’. There you can also register for a personal overview demonstration of the SAP Support Portal.