Channel: SCN : All Content - SAP Single Sign-On
SAP SSO 2.0 – Manual Cloning of a Secure Login Server Configuration

PROBLEM

If two Secure Login Server instances run independently, i.e. not within one NetWeaver cluster, their configuration is not synchronized. The Secure Login Server Administrator Console lets you maintain the same X.509 PKI on both by exporting and importing the Certificate Authority objects, but it cannot produce identical Client Authentication Profiles and Profile Groups: each of these objects receives a random GUID as part of its URL when it is created, even if the same display names are chosen on both systems. The profile URLs therefore differ between the two instances, which causes compatibility issues if such independent SLS instances are to be used for load balancing or fail-over.

 

SOLUTION

All configuration items except the PKI objects can be exported from the source system and imported into the target system manually with the AS Java Config-Tool, as illustrated in this blog. The PKI objects themselves are transferred separately through the Secure Login Administrator Console, as described under "Finalizing Target System".

 

 

PREREQUISITES

  1. The AS Java source system is up and running; its Secure Login Server configuration is complete and tested.
  2. The AS Java target system is up and running; Secure Login Server is either not yet deployed, or deployed but not yet configured.
  3. On both systems you are able to launch the AS Java Config-Tool, which may require a remote desktop or X session:
    • LINUX:        cd /usr/sap/SID/INST/j2ee/configtool ; ./configtool.sh
    • WINDOWS: cd D:\usr\sap\SID\INST\j2ee\configtool && configtool.bat
  4. A file share is available that can be read from and written to by both systems, because the AS Java Config-Tool only reads and writes files on the host it is running on (the remote system you are logged on to).
  5. On both systems the SAP JVM runs with the same Java JCE security policy; the recommended choice is the JCE Unlimited Strength Jurisdiction Policy Files, if their use is permitted in your country. Download the Java 1.6 policy files and extract them into the following directory (rename the original files first so they can be restored):
    • LINUX:        /usr/sap/SID/SYS/exe/jvm/OS/sapjvm_6.xxx/sapjvm_6/jre/lib/security/
    • WINDOWS: D:\usr\sap\SID\SYS\exe\jvm\OS\sapjvm_6.xxx\sapjvm_6\jre\lib\security\
  6. The Secure Store key phrase must be the same on both systems; if it is not, change it with the AS Java Config-Tool.

    Note: Changing the JCE security policy requires AS Java to be shut down, and the AS Java Config-Tool must be restarted afterwards before the key phrase is changed; a new Secure Store key phrase only takes effect once "Apply Changes" has been performed. Do not start AS Java before all of these steps have completed successfully, in this order. The target system can stay stopped until the export/import procedure is complete.
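As an added example for prerequisite 5 (this is not code from the original post or from SAP), the following POSIX shell helpers install the two policy jars of the Java 6 Unlimited Strength Jurisdiction Policy Files, local_policy.jar and US_export_policy.jar, into a JRE security directory while keeping the originals under a ".orig" name, and print a fingerprint of the installed jars so that the source and target hosts can be compared before the export/import is started. The jar names are the ones shipped in the Java 6 policy download; the directory paths are passed in by the caller and the sample file contents used below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: JCE policy jar installation with
# backups, plus a fingerprint of the installed jars for a source/target comparison.
# Assumption: the policy download contains local_policy.jar and US_export_policy.jar
# (the file names of the Java 6 Unlimited Strength Jurisdiction Policy Files).
set -u

POLICY_JARS="local_policy.jar US_export_policy.jar"

# Print one "<hash> <jar>" line per policy jar found in the security directory DIR.
# Run it on both hosts and compare the output; the lines must be identical.
policy_fingerprint() {
    dir=$1
    for jar in $POLICY_JARS; do
        f="$dir/$jar"
        [ -f "$f" ] || { echo "MISSING $jar"; continue; }
        if command -v sha256sum >/dev/null 2>&1; then
            sum=$(sha256sum "$f" | cut -d' ' -f1)
        else
            sum=$(shasum -a 256 "$f" | cut -d' ' -f1)
        fi
        echo "$sum $jar"
    done
}

# Copy the unpacked policy jars from SRC into the JRE security directory DIR.
# The jars already present are renamed to <name>.orig instead of being deleted.
# Refuses to run if a .orig backup already exists, so that a second run cannot
# overwrite the real originals with the already replaced files.
install_jce_policy() {
    src=$1
    dir=$2
    [ -d "$dir" ] || { echo "security dir $dir not found" >&2; return 1; }
    for jar in $POLICY_JARS; do
        [ -f "$src/$jar" ] || { echo "source jar $src/$jar not found" >&2; return 1; }
        if [ -e "$dir/$jar.orig" ]; then
            echo "$dir/$jar.orig exists: originals already backed up, refusing to overwrite" >&2
            return 1
        fi
    done
    for jar in $POLICY_JARS; do
        [ -f "$dir/$jar" ] && mv "$dir/$jar" "$dir/$jar.orig"
        cp "$src/$jar" "$dir/$jar"
    done
    return 0
}

# Return 0 if the policy jars in the two security directories are identical
# (useful when both JRE directories are reachable from one host via the share).
policies_match() {
    a=$(policy_fingerprint "$1")
    b=$(policy_fingerprint "$2")
    [ "$a" = "$b" ]
}
```

Run policy_fingerprint against the security directory of the SAP JVM on both hosts (on Linux the page's path /usr/sap/SID/SYS/exe/jvm/OS/sapjvm_6.xxx/sapjvm_6/jre/lib/security/) and compare the two outputs line by line; any difference, including a MISSING line, means prerequisite 5 is not met. A JVM-level cross-check after the restart is that javax.crypto.Cipher.getMaxAllowedKeyLength("AES") returns Integer.MAX_VALUE under the unlimited policy and 128 under the default Java 6 policy.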

 

 

EXPORT FROM SOURCE SYSTEM

  1. Launch the AS Java Config-Tool.
  2. Switch to configuration editor mode.
  3. Press "Switch between view and edit mode" to enter edit mode.
  4. Select the node "SecureLoginServer".
  5. Select the menu item "Export".
  6. Enter a valid file name on the file share and press "Start export". Errors at this point are usually caused by missing write permissions on the file share.
  7. If the export succeeds, press "Close window".
  8. Close the AS Java Config-Tool via its "Exit" menu.

 

 

IMPORT INTO TARGET SYSTEM

  1. Launch the AS Java Config-Tool.
  2. Switch to configuration editor mode.
  3. Press "Switch between view and edit mode" to enter edit mode.
  4. Select the root node "Configurations".
  5. Select the menu item "Create sub-node".
  6. Enter the name "SecureLoginServer".
  7. Press "Create", then "Close window".
  8. Select the new node "SecureLoginServer".
  9. Select the menu item "Import".
  10. Select the exported configuration file on the file share.
  11. Press "Start import".
  12. Press "Close window".
  13. Close the AS Java Config-Tool via its "Exit" menu. The exported file contains the complete Secure Login Server configuration, so treat it as sensitive and remove it from the file share once the import has succeeded.

 

 

FINALIZING TARGET SYSTEM

  1. Once the configuration import has completed successfully, AS Java can be started (or must be restarted if it is already running).
  2. Now Secure Login Server can be deployed according to the product guide.
  3. Don't forget to assign the SLAC_SUPERUSER role to your NetWeaver administrator.
  4. Open NetWeaver Administrator > Configuration > Authentication and Single Sign-On.
  5. Create all Policy Configurations and Login Modules exactly as in the source system.
  6. Now the Secure Login Administrator Console can be opened.
  7. In Certificate Management, create the target system's PKI by importing the PKI objects from the source system (e.g. with both SLAC browser windows open, using your desktop as the import/export location).
  8. Edit every profile under Client Management > Client Authentication Profiles, open User Authentication, and select the correct "Policy Configuration" values.
  9. Edit every profile under Client Management > Client Authentication Profiles, open User Certificate Configuration, and select the correct "User CA" values.
  10. Edit every profile under Client Management > Client Authentication Profiles, open Secure Login Client Settings, and select the correct "Host Name" and "Port" values.
  11. Edit every profile group under Client Management > Profile Groups > General, and select the correct "Host Name" and "Port" values.
  12. In Client Management, enable all profiles that are still locked.

 

 

CONCLUSION

That's it. Your target system's Secure Login Server now looks like the source system, except for its host name.

Be aware that changes made to either system after this procedure are still not synchronized. Adding a client profile in one system requires a similar export/import with the AS Java Config-Tool to bring the other system up to date.

