Channel: SCN : All Content - SAP Single Sign-On

How to configure SAP NetWeaver Single Sign-On for SAP GUI for Java with Kerberos Base solution using SNC


SAP will introduce a Secure Login Client for Mac OS as of SAP NW SSO 2.0 SP3.

This document gives step-by-step instructions to install and implement it.

The system requirements for SLC for Mac OS are:

OS X 10.7 or higher

SAP GUI for Java 7.20 or higher

Login to Mac OS using AD credentials

 

Note:   For Secure Login Client for Windows see URL below:

http://scn.sap.com/docs/DOC-40178

 

Most of the steps in this document have a counterpart in document DOC-40178.

 

The steps below are performed in the following test environment:

 

Company Name: ABC

 

SAP ABAP System (SBX) (DVEBMGS02)

ERP 6.0 EHP5 (702 SP12)

Solaris SPARC 10.0 64bit Unicode

SAP Kernel 720 Unicode 64bit Patch 401

Host Name: sandbox

FQDN: sandbox.abc.com

SAP Login ID: JDOE

 

Active Directory Server (SC)

Windows 2008 R2

Domain Name: ABC.COM

AD Login ID: JOHN_DOE

 

Mac Client OS

OS 10.8.5

Client Login: JOHN_DOE

 

 

A- Install & Configure Secure Login Library

A.1- Create Service User for SAP AS ABAP in MS-ADS

Log in to MS-ADS as administrator.

Create a new user with a complex password and the options “User cannot change password” and “Password never expires”.

User ID Naming convention: SL-ABAP-<SID> (i.e. SL-ABAP-SBX)


ldap_1.jpg     ldap_2.jpg

A.2- Define SPNs for this user (one for SNC and one for SPNEGO)

          For SNC → SAP/SL-ABAP-SBX

          For SPNEGO → HTTP/sandbox.abc.com SL-ABAP-SBX

 

C:\Windows\system32> setspn -a HTTP/sandbox.abc.com SL-ABAP-SBX

C:\Windows\system32> setspn -a SAP/SL-ABAP-SBX SL-ABAP-SBX

Verify the entries.

C:\Windows\system32> setspn -L SL-ABAP-SBX

 

Note:   HTTP is required for ABAP access via web. It is not required if your ABAP system does not comply with note 1798979 or you do not want Web access to the ABAP system.

SAP Note 1798979 - SPNego ABAP: Downport


ldap_3.jpg

B – Download NW SSO2.0 software from SAP Marketplace

       (You need a valid license)

      Log in to SMP with your ‘S’ ID and download the NW SSO2.0 software from the location shown below.

smp_1.jpg

smp_2.jpg

 

C- Copy Secure Login Library files to SAP AS ABAP System (sandbox)

C.1- Login to your ABAP server (sandbox) as sbxadm account.

C.2- Go to DIR_INSTANCE and create a directory called SLL.

sandbox:sbxadm 67% cd /usr/sap/SBX/DVEBMGS02

sandbox:sbxadm 68% mkdir SLL

 

C.3- Extract SLLIBRARY00_1.SAR, located under the following path:

<Path to 51045122 CD>/DATA_UNITS/SECURE_LOGIN_LIBRARY_20/SOLARIS_SPARC64

sandbox:sbxadm 69% SAPCAR -xvf SLLIBRARY00_1.SAR

Go to the extracted directory sunos-5.10-sparc-64 and extract SECURELOGINLIB.SAR into the SLL directory.

sandbox:sbxadm 70% SAPCAR -xvf SECURELOGINLIB.SAR -R /usr/sap/SBX/DVEBMGS02/SLL  (all in one line)

 

C.4- Verify the Secure Login Library status using the command sapgenpse

sandbox:sbxadm 71% cd /usr/sap/SBX/DVEBMGS02/SLL

sandbox:sbxadm 72% pwd

sandbox:sbxadm 73% ./sapgenpse

term_1.jpg

C.5- Download SECURE LOGIN LIBRARY 2.0 64BIT SP002 Patch level 3 and install it.

C.6- Extract SLLIBRARY02_3-10012577.SAR

sandbox:sbxadm 69% SAPCAR -xvf SLLIBRARY02_3-10012577.SAR

Go to the extracted directory sunos-5.10-sparc-64 and extract SECURELOGINLIB.SAR into the SLL directory.

sandbox:sbxadm 70% SAPCAR -xvf SECURELOGINLIB.SAR -R /usr/sap/SBX/DVEBMGS02/SLL  (all in one line)

 

C.7- Verify the Secure Login Library status using the command sapgenpse

sandbox:sbxadm 71% cd /usr/sap/SBX/DVEBMGS02/SLL

sandbox:sbxadm 72% pwd

sandbox:sbxadm 73% ./sapgenpse

term_2.jpg

D- Define SAP instance profile parameters

D.1- Add all parameters as below into SBX instance profile

term_3.jpg
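
The following added example (not part of the original document or of SAP's tooling) checks an instance profile for the standard SNC parameters and flags settings that leave logons or traffic unprotected. The sample values are assumptions for the SBX test environment, including the library file name libsecgss.so and the SNC name derived from the service user.

```shell
#!/bin/sh
# Added example, not from the original document. Parameter names are standard
# SAP profile parameters; the sample values and library file name are assumed.

# Print the value of profile parameter $2 in file $1 (last definition wins).
get_param() {
    awk -v k="$2" '
        /^[ \t]*#/ || !/=/ { next }
        { key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key) }
        key == k { val = substr($0, index($0, "=") + 1)
                   gsub(/^[ \t]+|[ \t]+$/, "", val); found = val }
        END { print found }' "$1"
}

# Print one finding per line; no output means nothing was flagged.
audit_snc_profile() {
    [ "$(get_param "$1" snc/enable)" = "1" ] || echo "FAIL snc/enable is not 1"
    [ -n "$(get_param "$1" snc/gssapi_lib)" ] || echo "FAIL snc/gssapi_lib is not set"
    case $(get_param "$1" snc/identity/as) in
        p:CN=?*@?*) ;;
        *) echo "FAIL snc/identity/as is not p:CN=<account>@<REALM>" ;;
    esac
    # 1 = logons without SNC protection are still accepted
    for p in snc/accept_insecure_gui snc/accept_insecure_rfc snc/accept_insecure_cpic; do
        if [ "$(get_param "$1" "$p")" = "1" ]; then
            echo "WARN $p = 1 accepts logons without SNC"
        fi
    done
    # 1 = authentication only, 2 = integrity, 3 = privacy (encryption)
    case $(get_param "$1" snc/data_protection/min) in
        1|2) echo "WARN snc/data_protection/min is below 3 (privacy)" ;;
    esac
    return 0
}

# Constructed sample profile for the SBX system used in this document.
sample_profile() {
    cat <<'EOF'
# SNC settings (constructed sample)
snc/enable = 1
snc/gssapi_lib = /usr/sap/SBX/DVEBMGS02/SLL/libsecgss.so
snc/identity/as = p:CN=SL-ABAP-SBX@ABC.COM
snc/accept_insecure_gui = 1
snc/data_protection/min = 1
EOF
}

tmp=$(mktemp); sample_profile > "$tmp"; audit_snc_profile "$tmp"; rm -f "$tmp"
```

Run against the real instance profile, a WARN on snc/accept_insecure_gui is expected during rollout while users are still being mapped, and should disappear once every user logs on through SNC.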

E- Create Kerberos KeyTab for SNC (SAP GUI → SAP AS ABAP)

E.1- Check that the environment variable SECUDIR is set for the <SID>adm user (sbxadm)

        If not, set it as below

sandbox:sbxadm 130% setenv SECUDIR /usr/sap/SBX/DVEBMGS02/sec

 

E.2- Create PSE file with KeyTab included

Go to /usr/sap/SBX/DVEBMGS02/SLL directory. Run the following command.

sandbox:sbxadm 131% cd /usr/sap/SBX/DVEBMGS02/SLL

sandbox:sbxadm 132% pwd

sandbox:sbxadm 133% ./sapgenpse keytab -p SAPSNCSKERB.pse -a SL-ABAP-SBX@ABC.COM  (all in one line)

First, set a password for this PSE file. Then enter the password of the SL-ABAP-SBX user, which you created in Active Directory earlier.

term_4.jpg

E.3- Create Credential file (cred_v2)

sandbox:sbxadm 135% pwd    

sandbox:sbxadm 136% ./sapgenpse seclogin -p SAPSNCSKERB.pse -O sbxadm

term_5.jpg

E.4- Verify Entries in credential file using the command

sandbox:sbxadm 138% pwd

sandbox:sbxadm 139% sapgenpse seclogin -l

term_6.jpg

Note:   See SAP Note 1798979 for SPNEGO usage on SAP required versions,

            otherwise skip step F and continue with step G.

SAP Note 1798979 - SPNego ABAP: Downport

  

F- Create Kerberos KeyTab for SPNEGO (Web GUI → SAP AS ABAP)

F.1- Log in to the ABAP system and run the new transaction code SPNEGO

sap_1.jpg

Go to change mode

sap_2.jpg

Click on Add icon

sap_3.jpg

Create the Kerberos KeyTab using User Principal Name SL-ABAP-SBX@ABC.COM

sap_4.jpg

Click on checkmark and Save

 

G- Restart the SAP AS ABAP system for all these changes to take effect.


H- Client Installation and User Mapping


     Note: This step has to be repeated in all clients.

     Note: Your system has to be bound to your Active Directory domain.

          You can check it under "System Preferences" --> "Users & Groups"

          mac_1.jpg

You should log in to your Mac system using your Active Directory credentials.

 

If you login to your system using a local account, please follow the steps in the following document from Apple to switch from a local user to a network user.

http://support.apple.com/kb/ht5338

Your system admin can help you on these settings.

 

H.1-     Download Secure Login Client from SMP (SecureLoginClient.pkg)

            Note: Available for General Access on May 12, 2014.

 

H.2-     Install it by double clicking the package

mac_2.jpg     mac_3.jpg


mac_4.jpg     mac_5.jpg


Verify installation

mac_6.jpg     mac_7.jpg

H.3-     Close SAP GUI and open it again for changes to take effect.

Note: Restart your Mac and login with AD credentials if it doesn't work.

 

H.4-     Enable SNC in SAP GUI Application

sap_5.jpg

Highlight SBX and click on change icon

 

SBX setting before SNC enabled:


sap_6.jpg



SBX setting after SNC enabled:

sap_7.jpg

Now try it. Click on SBX icon in your SAP GUI for Java

 

sap_8.jpg


H.5-  Configure User Mapping for AS ABAP

         Login with your credentials to SBX system

         Go to transaction SU01 and modify SAP user JDOE

         Change to SNC tab.

sap_9.jpg

Save your changes.

 

Note:   Step H.5 should be repeated for all users.

If your AD and SAP user IDs are in sync, you can use transaction SNC1 to populate SNC data for all of your users.

 

Example:

sap_10.jpg

     Otherwise, you should do it manually or use SCAT to create a script for it.

     Your developers can also help to create a custom report using report RSUSR300 as a template.

 

I- Now try it again.

sap_11.jpg


Done.


