AW: AW: Validation with Kerberos 5, SAP Linux, SNC for SSO
Barbat, Calin
c.barbat at osram.de
Tue Nov 2 11:00:11 EST 2004
Hi Juan,
Well, now it seems you didn't do a kinit for the server identity...
see section 2.3 step 3 below.
I sent you my notes on SSO. If you get further than I, let me know.
I'm interested in any advance on this topic.
Calin.
Notes for the configuration of single sign-on (SSO) from Windows clients to a
SAP server on UNIX using SNC with the MIT Kerberos V libgssapi_krb5.so
*****************************************************************************
Date: 2004.11.02
It is recommended that you do a search and replace on this file, using the
correct values for your setup. Below you find an example, to illustrate what
they could look like:
<domain_controller> = dc01.example.com
<sap_service_password> = topsecret
<host> = sapsrv
<ou> = lab
<my.org> = example.com
<MY.ORG> = EXAMPLE.COM
<sid> = c00
<SID> = C00
I. Configuration of the Windows 2000/2003 Server Active Directory DC
====================================================================
1. Create service user account SAPService<SID> on the <domain_controller> of
the AD <my.org> with password <sap_service_password>.
2. Export the keytab for this account:
ktpass.exe -princ SAPService<SID>/<my.org>@<MY.ORG>
-mapuser SAPService<SID>
-pass <sap_service_password>
-out SAPService<SID>.keytab
3. Transfer the generated SAPService<SID>.keytab securely to the Unix host,
in the home directory of <sid>adm.
4. PROBLEM: Authentication by SSO doesn't work always.
TODO: There are some issues with AD and Unix clients to be resolved, e.g.
PAC field and UDP fragmentation, they still need resolution/description.
Any help or hint appreciated.
II. Configuration of the Unix/Oracle/SAP WAS <host>.<ou>.<my.org>
===============================================================
I will assume that you already installed UNIX, Oracle and SAP on the machine
<host>.<ou>.<my.org> and I will only describe the Kerberos and the SNC Adapter
part.
2.1 Configuration of Kerberos
-----------------------------
1. Download krb5-1.3.4.tgz from
http://web.mit.edu/kerberos/www/
(Read the security advisories for the known vulnerabilities. Newer releases
than 1.3.4 may also work.)
2. Untar and compile it as a shared library:
tar xvzf krb5-1.3.4.tgz
cd krb5-1.3.4/src
./configure --enable-shared
make
then do as root:
make install
3. Edit /etc/krb5.conf:
[libdefaults]
default_realm = <MY.ORG>
[realms]
<MY.ORG> = {
kdc = <domain_controller>:88
admin_server = <domain_controller>:749
default_domain = <my.org>
}
[domain_realm]
<ou>.<my.org> = <MY.ORG>
.<ou>.<my.org> = <MY.ORG>
<my.org> = <MY.ORG>
.<my.org> = <MY.ORG>
2.2 Configuration of the external SAP SNC Adapter
-------------------------------------------------
1. Download bc_snc_adapter_101.zip from
http://www.sap.com/partners/icc/scenarios/technology/bc-snc.aspx
2. Unzip it:
unzip bc_snc_adapter_101.zip
3. Modify the provided sncadapt/Makefile:
XNAME = snckrb5
4. Modify the provided sncadapt/build.<your_UNIX_OS_name>:
VENLIB="-L/usr/local/lib -lgssapi_krb5"
5. Compile it:
cd sncadapt
make
6. Copy the resulting file snckrb5.so to /usr/local/lib:
cp snckrb5.so /usr/local/lib
7. You may need to comment out the function "sapgss_inquire_mechs_for_name"
in snckrb5.c because of compilation problems. Then repeat steps 5.-6.
2.3 Configuration of the SAP Server as <sid>adm
-----------------------------------------------
1. You will need to have an Oracle user OPS$<sid>adm.
2. Set LD_LIBRARY_PATH to contain /usr/local/lib. Preferably in some place
like .profile that automatically gets executed everytime upon login.
3. Get a ticket before starting the server (one line):
/usr/local/bin/kinit -k
-t SAPService<SID>.keytab SAPService<SID>/<my.org>@<MY.ORG>
Could also be added to .profile to get executed automatically after login.
4. Edit the crontab, in order to automate the process of getting fresh kerberos
tickets for the server:
crontab -e
Then type the following (one long line):
0 0,6,12,18 * * * /usr/local/bin/kinit -k
-t SAPService<SID>.keytab SAPService<SID>/<my.org>@<MY.ORG>
This will get fresh tickets every six hours.
5. Logon to the SAP server as usual, using the SAP GUI.
6. Use transaction RZ10 (Edit Profiles), then edit the "Instance profile".
For "Edit Profile" click on "Extended Maintenance" then click the button
"Change".
Set the following values:
snc/enable = 1
snc/identity/as = p:SAPService<SID>/<my.org>@<MY.ORG>
snc/gssapi_lib = /usr/local/lib/snckrb5.so
Save.
7. Edit now the "Default profile".
Set the following values:
snc/extid_login_diag = 1
snc/extid_login_rfc = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3
While testing and debugging it is recommended that you use
snc/*_insecure_* 1
Save.
8. Use transaction SU01 to assign SNC identities to a SAP user. After choosing
the SAP user, you will see that the SNC tab has been activated. Click on it
and for the Windows <user> in the AD domain <my.org> type into the
"SNC Name" the principal p:<user>@<MY.ORG>
Save.
9. Re-/Start the server to activate SSO:
stopsap r3 && startsap r3
2.4 Configuration of a Windows client to use SSO with the Unix SAP Server
-------------------------------------------------------------------------
1. If you want to use the command line (cmd.exe) to start the SAP GUI (for
testing, debugging, etc.) do:
set SNC_LIB=<your_path_to_gss_wrapper_lib>\gsskrb5.dll
then (in one line):
sapgui.exe /H/<host>.<ou>.<my.org>/S/3200
/snc="p:SAPService<SID>/<my.org>@<MY.ORG>"
2. Copy gsskrb5.dll to %systemroot%\SYSTEM32\sncgss32.dll, as this is the
default location where SAP Logon and SAP GUI will look for it:
copy gsskrb5.dll %systemroot%\SYSTEM32\sncgss32.dll
Alternatively, you can also set the global environment variable:
SNC_LIB=<your_path_to_gss_wrapper_lib>\gsskrb5.dll
3. Choose from SAP Logon the entry for the machine running the Unix
SAP Server. Click on "Properties", then "More..." and activate the
"Secure-Network-Communication" checkbox.
4. In the "SNC-Name" field, type "p:SAPService<SID>/<my.org>@<MY.ORG>".
5. Finally, choose the "Max. available" radio-button.
More information about the Kerberos
mailing list