SecurID Card
SAP IT
IT Documentation

SecurID Card: Documentation

1. Using a SecurID Card

2. Initializing a SecurID Card

2.1. Initializing the SecurID Card from Your Workplace (Long Text)

2.2. Initializing the SecurID Card via Windows Terminal Server (Long Text)

2.3. Initializing the SecurID Card from a Partner of SAP AG (Long Text)

2.4. Initializing the SecurID Card (Short Guide)

3. Generating the Passcode (Password)

4. Security Recommendations

1. Using a SecurID Card

First, you must initialize your new SecurID card. You do this only once to activate the card. Your card is then ready for use.

If you want to use the card for dial-in, you must generate a passcode every time you dial in.

2. Initializing a SecurID Card

You can initialize the SecurID card from your workplace, via Windows Terminal Server (Citrix Secure Gateway) or from an SAP partner’s site. Detailed instructions are provided in this document for all three methods. Please read the description that applies to you. However, you should refer to the short guide at the end of this section when you initialize your SecurID card, because in some of the steps there are timeouts that you might exceed when reading the long text.

2.1. Initializing the SecurID Card from Your Workplace (Long Text)

Use

You must assign a PIN for your SecurID card from your workplace at SAP. For this, use the server sapgate2.wdf.sap-ag.de.

Requirements

No PIN has been assigned for your SecurID card to date.

Procedure

  1. Log on to the server sapgate2 using telnet: On your PC, choose Start → Run and enter:

telnet sapgate2.wdf.sap-ag.de

    Choose OK. A dialog box appears.

  2. In the Login field, enter your <user ID> (= personnel number, for example d004711).

NOTE
You are now on a UNIX computer. If you make a typing error, you cannot use the usual correction keys. Instead, choose Enter repeatedly until you can make a new entry.
  3. Press the [P] button on your SecurID card to reset it to normal mode.
    If all the numbers on the display are deleted, a new code will appear in less than a minute.
  4. On your PC, enter the <code> that is displayed on your SecurID card.
    Ensure that you do not make any mistakes when you enter the numbers because the backspace or delete key generally does not work with this telnet connection. The code you enter is not displayed on the screen.
  5. Choose Enter.
    If you make a typing error, the message Access Denied appears, and the system asks you to enter your password again. Enter the code that is now displayed on the SecurID card.
  6. When you have correctly made your entries, you are requested to assign your own secure PIN.
    The PIN must consist of four to six digits, and must not start with zero.
    Commit your PIN to memory because you will need it later. However, never write your PIN on your SecurID card.
    Your PIN is not displayed on the screen when you enter it.
    You are requested to enter your PIN again.
  7. Enter your <PIN> again.
    The system checks your entry.
  8. Enter your <PIN> on the SecurID card using the built-in number field.
    The PIN appears in the display. If you make an error, you can delete the entry by pressing the P button.
  9. Press the [◊] (rhombus) button.
    The predetermined code is linked to the PIN and the passcode is generated. In the top right-hand corner of the LCD, a one (1) appears, indicating that the passcode has been activated.
  10. As soon as your computer requests you to enter your password, enter the <passcode> that is displayed on your SecurID card. Check whether enough time remains for you to make your entry (number of bars remaining on the left-hand side of the LCD); if there is not enough time, wait until a new code is generated and all the bars are visible again.
  11. Choose Enter.

Result

When you have successfully logged on, the following message appears:

PASSCODE Accepted

Welcome on

sapgate2

the SecurID Initialization Server

We hope you had success initializing

your SecurID card

You will be logged out within the next 15 seconds

15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 logout

Connection closed by foreign host.

The 'sapgate2' server logs you off automatically after 15 seconds. Initialization of your SecurID card with your secure PIN is now complete.

2.2. Initializing the SecurID Card via Windows Terminal Server (Long Text)

Use

Employees who are not able to initialize their SecurID cards within the SAP network can do so via a Windows Terminal Server (Citrix Secure Gateway) connection.

Requirements

  • No PIN has been assigned for your SecurID card to date
  • An internet connection is established
  • Employee is permitted to use the Windows Terminal Server (group “dial-in” is necessary)

Procedure

  1. Log on to the Citrix Secure Gateway via (then choose Walldorf → Windows Terminal Services)
  2. Click on Citrix Secure Gateway in the Office-Area.
  3. Enter the following information:
    “Username”: SAP UserID, for example c5051234
    “SAP_ALL Domain Password”: enter your SAP network password (for the very first login this will be Initial1)
    “SecurID PASSCODE”: wait until all bars on the left-hand side of the display are visible, then enter the digits that are displayed on the card as “SecurID PASSCODE”
  4. At the next logon screen you are asked for your PIN (the PIN must consist of four to six digits, and must not start with zero).
    Commit your PIN to memory because you will need it later. However, never write your PIN on your SecurID card.
    You are requested to enter your PIN again in the field “New PIN”.
    If the initialization process was successful, you will get a message in the Message-Center-Area: “Your PIN has been set successfully. Please login with your new PIN.”
  5. The logon screen now appears once again. Enter the same information as described in step 3, but this time generate a valid passcode with your SecurID card (enter the PIN you set on the card → press the diamond button on your card → enter the passcode displayed on the card in the field “SecurID PASSCODE”).

Once you have successfully logged on to the Citrix Secure Gateway, you will be prompted to change your SAP_ALL domain password. After doing that, you are successfully logged on to WTS@SAP. Choose your preferred application there (normally this will be ICA desktop 6.xx).

2.3. Initializing the SecurID Card from a Partner of SAP AG (Long Text)

Employees of partners of SAP AG also require a SecurID card for telnet or ftp access to SAP servers.

Use

You must assign a PIN for your SecurID card from your workplace at the partner company. You do this using the server sapgate1 in Europe or sapgate 4 in the USA.

Requirements

  • The partner company must have a remote (SAPNet – R/3 Frontend) connection to SAP AG.
  • You must have telnet access to the server sapgate1 (IP address: 147.204.2.232) or sapgate 4 (IP address: 204.79.199.5). If you cannot reach sapgate1 or sapgate 4 directly because firewalls exist in the partner network, ask your administrator how you can connect to sapgate1 or sapgate 4 with telnet.
  • A user must be set up for you on sapgate1 or sapgate 4.
  • No PIN has been assigned for your SecurID card to date.

Procedure

The following description refers to sapgate1. The procedure for sapgate 4 is the same.

  1. Connect to sapgate1 with telnet. The following dialog box appears:

SAP proxy telnet server sapgate1

THIS IS PRIVATE PROPERTY

KEEP OUT

unless you are authorized to use this service

Username:

  2. Under Username:, enter your <user ID> (= personnel number, for example d004711).
  3. Choose Enter.
    The system requests you to enter your PASSCODE (password).
    If the prompt Challenge appears here, contact your IT HelpDesk.
  4. Press the [P] button on your SecurID card to reset it to normal mode.
    If all the numbers on the display are deleted, a new code will appear in less than a minute.
  5. On your PC, enter the <code> that is now displayed on the SecurID card.
    Ensure that you do not make any mistakes when you enter the numbers because the backspace or delete key generally does not work with this telnet connection. The code you enter is not displayed on the screen.
  6. Choose Enter.
    If you make a typing error, the message Access Denied appears, and the system asks you to enter your password again. Enter the code that is now displayed on the SecurID card.
  7. When you have correctly made your entries, you are asked if you want to assign a new PIN. Enter y.
  8. You are now asked to assign a PIN of your own. This must consist of four to six digits, and must not start with zero.
    Commit your PIN to memory because you will need it later. However, never write your PIN on your SecurID card.
    Your PIN is not displayed on the screen when you enter it.
    You are requested to enter your PIN again.
  9. Enter your <PIN> again.
    The system checks the function.
  10. Under Username:, enter your <user ID>.
  11. Enter your <PIN> on the SecurID card using the built-in number field.
  12. Press the [◊] (rhombus) button.
    The predetermined code is linked with the PIN and the passcode is generated. In the top right-hand corner of the LCD, a one (1) appears, indicating that the passcode has been activated.
  13. As soon as your computer requests you to enter your password, enter the <passcode> that is displayed on your SecurID card. Check whether enough time remains for you to make your entry (number of bars remaining on the left-hand side of the LCD); if there is not enough time, wait until a new code is generated and all the bars are visible again.
  14. Choose Enter.

Result

When you have successfully logged on, the message Login accepted appears.

Username: cxxxxxxx
Enter PASSCODE: ######
New PIN required; do you wish to continue? (y/n) [n]: y
Enter your new PIN, containing 4 to 6 digits
or
Press RETURN to generate a new PIN and display it on the screen
or
Ctrl D to cancel the operation: #####
Please re-enter new PIN: #####
Wait for the code on your card to change, then log in with your new PIN
Username: cxxxxxxx
Enter PASSCODE:
Login Accepted
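
The New PIN prompt in the session above offers three choices (type a PIN, press RETURN for a generated one, Ctrl D to cancel) and then asks for the PIN a second time. The following sketch shows how a server could enforce the PIN rule stated in this guide at that prompt. It is an added example, not SAP's or the SecurID server's own code; the function names and the byte value used for Ctrl D are assumptions.

```python
import secrets

CTRL_D = "\x04"  # assumption: how the "Ctrl D" cancel key arrives on the line


def check_pin(pin):
    """Return None if the PIN meets the guide's rule, else the reason it fails."""
    if not pin.isascii() or not pin.isdigit():
        return "PIN must contain digits only"
    if not 4 <= len(pin) <= 6:
        return "PIN must contain 4 to 6 digits"
    if pin[0] == "0":
        return "PIN must not start with zero"
    return None


def generate_pin(length=6):
    """System-generated PIN (the RETURN option) that obeys the same rule."""
    first = str(secrets.randbelow(9) + 1)  # 1-9, so never a leading zero
    rest = "".join(str(secrets.randbelow(10)) for _ in range(length - 1))
    return first + rest


def new_pin_prompt(first_entry, second_entry=None):
    """Handle one pass through the New PIN prompt.

    Returns (status, detail); status is 'cancelled', 'generated',
    'rejected' or 'accepted'. An accepted PIN is never echoed back.
    """
    if first_entry == CTRL_D:
        return ("cancelled", None)
    if first_entry == "":
        # RETURN pressed: the generated PIN is shown to the user once
        return ("generated", generate_pin())
    reason = check_pin(first_entry)
    if reason:
        return ("rejected", reason)
    # Second entry must repeat the first exactly (constant-time comparison)
    if second_entry is None or not secrets.compare_digest(
        first_entry.encode(), second_entry.encode()
    ):
        return ("rejected", "PINs do not match")
    return ("accepted", None)
```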

2.4. Initializing the SecurID Card (Short Guide)

Use

Before you can use your new SecurID card, you must first initialize it. We recommend you proceed as described in this short guide when you are working through the steps. However, you must observe the differences between the procedures for initializing your SecurID card from your workplace or using a modem. The differences are described in the detailed instructions above.

Requirement

No PIN has been assigned for your SecurID card to date.

Procedure

  1. Reset the card to normal mode with the [P] button.
    The number one (1) must not be displayed in the top right-hand corner of the LCD. You may have to wait for another code to appear.
  2. If you are initializing the card from your workplace: START → RUN → enter telnet sapgate2 → OK
    If you are initializing the card via WTS: establish the internet connection to
    If you are initializing the card from a partner of SAP: establish a connection to sapgate1 in Europe or sapgate 4 in the USA with telnet.
  3. Enter your <user ID> (= personnel number, for example d004711) → ENTER
  4. As the password on your PC, enter the <code> that is displayed on your SecurID card → ENTER
  5. Enter your secure <PIN>. This must consist of four to six digits and must not start with zero → ENTER
  6. Enter your secure <PIN> again → ENTER
  7. Enter your secure <PIN> on the SecurID card. Then press the rhombus [◊] button to activate the SecurID card. This generates a passcode.
  8. Enter this <passcode> on your PC → ENTER

Result

Your SecurID card is successfully initialized.

3. Generating the Passcode (Password)

Use

To get access with your SecurID card you need a password, which your SecurID card supplies (Passcode).

Requirements

You must have initialized your SecurID card.

Procedure

WARNING
Make sure that nobody can read your PIN when you are entering it on your SecurID card.
  1. Enter your <PIN> on your SecurID card using the built-in number field.
    Your PIN is displayed in the LCD. If you make an error, you can delete the entry by pressing the P button.
  2. Press the [◊] (rhombus) button.
    This generates the passcode. In the top right-hand corner of the LCD, a number one (1) appears. As long as this is visible, the code displayed is a valid password (provided you have entered the correct PIN).

Result

The passcode appears in the LCD of your SecurID card. You can now enter it on your PC.

NOTE
Ensure that several bars are visible on the left-hand side of the LCD (= indicates how much longer the password will be valid). Otherwise, the passcode might change while you are entering it, without your noticing.

4. Security Recommendations

  • Do not make a note of your PIN and never write it on the SecurID card itself.
  • You are not allowed to pass on your SecurID card or PIN to anyone else.
  • Deactivate your card after every successful logon by pressing the [P] button (even if activation is to be deleted automatically after two minutes).
  • Make sure that nobody can read your PIN when you are entering it on the SecurID card.
  • If you suspect that somebody knows your secure PIN, contact your local IT HelpDesk immediately to have your PIN deleted.
  • If you lose your SecurID card, or if the card is stolen, inform your local IT HelpDesk immediately to have your card blocked.
  • You must handle your SecurID card with care. Do not keep your card in your wallet or trouser pocket. Never use an object (such as a pencil or pen) to operate the built-in number field on the SecurID card.

Feb 2005
