cancel
Showing results for 
Search instead for 
Did you mean: 

What does seclogin do?

0 Kudos

Why is the purpose of the seclogin parameter of sapgenpse? This step that is shown in online help to add credentials after a pse is created: sapgenpse seclogin -p <pse name> -O DOMAIN\SID_admin_id ?

We have forgotten to run this step and it didn't seem to make any difference if we run this or not. Would like to understand the consequences if we choose not to run this command anymore when we create pses.

Accepted Solutions (1)

Accepted Solutions (1)

LutzR
Active Contributor
0 Kudos

Hi Jordan, to make Filipe Santos' answer clearer: this is not about user SSO. It is about enabling the operating system user on the SAP server to open a PIN-protected PSE on system startup without storing the PIN somewhere in clear text. So seclogin does some "magic" to build a kind of key to the PSE that can only be used by DOMAIN\SID_admin_id and which is not helpful to anybody else who steals it. I cannot explain how this "magic" exactly works.

Find some documentation here: https://help.sap.com/viewer/e73bba71770e4c0ca5fb2a3c17e8e229/7.5.8/en-US/32ce2e3ad962a51ae10000000a1...

Cheers, Lutz

Answers (1)

Answers (1)

former_member202592
Participant

Hi Jordan,

You can always check the sapgenpse documentation/help using the "-h" option after the function:

$ sapgenpse seclogin -h 
Create, display or delete Single Sign-On (SSO) credentials
or alternatively change the PIN/passphrase on a PSE
  ! Changing a PIN of a PSE will not auto-update the SSO-credential!
  ! Adding a new credential will not auto-update an existing credential!

seclogin is used to create SSO credentials for PIN-protected PSEs. If the mentioned PSE does not have a PIN assigned to it, this step is not required.

Be aware that for most scenarios a PIN-protected PSE is a good security practice.

Cheers,
Filipe

Thank you, Filipe. That does help.

Could you clarify what is meant by single sign on in the case of a pse? For example, sapgui single sign on means you no longer have to enter a username and password when logging into SAP with sapgui. What username and password would be associated with a pse, such that single sign on would help? Does sso in this case mean that the user specified in the seclogin command can access the pse without entering a pin?