AW: AW: AW: Validation with Kerberos 5, SAP Linux, SNC for SSO

Barbat, Calin c.barbat at osram.de
Wed Nov 3 04:08:28 EST 2004


Juan,

the SAP external adapter isn't really necessary, but without it the protocol used is an older one. So it's highly recommended that you use it. I had a mail discussion with Martin Rex (Designer & Developer of the whole SNC stuff at SAP) and he recommends its use.

Calin.

-----Original Message-----
From: Juan Manuel Sestelo [mailto:eltoken02 at yahoo.com.ar]
Sent: Tuesday, 2 November 2004 20:43
To: Barbat, Calin
Subject: Re: AW: AW: Validation with Kerberos 5, SAP Linux, SNC for SSO


Calin, I just saved the notes and I'm going to configure the components again.


What is the role of the SNC adapter? Is it really necessary in the SAP SSO implementation?

Thanks again.




 --- "Barbat, Calin" <c.barbat at osram.de> wrote: 
> Hi Juan,
> 
> Well, now it seems you didn't do a kinit for the server identity...
> see section 2.3 step 3 below.
> 
> I sent you my notes on SSO. If you get further than I, let me know.
> I'm interested in any advance on this topic.
> 
> Calin.
> 
> Notes for the configuration of single sign-on (SSO) from Windows clients to a
> SAP server on UNIX using SNC with the MIT Kerberos V libgssapi_krb5.so
> *****************************************************************************
> Date: 2004.11.02
> 
> It is recommended that you do a search and replace on this file, using the
> correct values for your setup. Below you find an example, to illustrate what
> they could look like:
> 
> <domain_controller> = dc01.example.com
> <sap_service_password> = topsecret
> <host> = sapsrv
> <ou> = lab
> <my.org> = example.com
> <MY.ORG> = EXAMPLE.COM
> <sid> = c00
> <SID> = C00
> 
> 
> I. Configuration of the Windows 2000/2003 Server Active Directory DC
> ====================================================================
> 
> 1. Create service user account SAPService<SID> on the <domain_controller> of
>    the AD <my.org> with password <sap_service_password>.
> 
> 2. Export the keytab for this account:
> 
> 	ktpass.exe -princ SAPService<SID>/<my.org>@<MY.ORG>
>                    -mapuser SAPService<SID> 
>                    -pass <sap_service_password>
>                    -out SAPService<SID>.keytab
> 
> 3. Transfer the generated SAPService<SID>.keytab securely to the Unix host,
>    in the home directory of <sid>adm.
> 
> 4. PROBLEM: Authentication by SSO doesn't work always.
> 
>    TODO: There are some issues with AD and Unix clients to be resolved, e.g.
>    PAC field and UDP fragmentation, they still need resolution/description.
>    Any help or hint appreciated.
> 
> 
> II. Configuration of the Unix/Oracle/SAP WAS <host>.<ou>.<my.org>
> ===============================================================
> 
> I will assume that you have already installed UNIX, Oracle and SAP on the machine
> <host>.<ou>.<my.org>, and I will only describe the Kerberos and the SNC Adapter
> part.
> 
> 
> 2.1 Configuration of Kerberos
> -----------------------------
> 
> 1. Download krb5-1.3.4.tgz from 
> 
> 	http://web.mit.edu/kerberos/www/
> 
>    (Read the security advisories for the known vulnerabilities. Newer releases
>    than 1.3.4 may also work.)
> 
> 2. Untar and compile it as a shared library:
> 
> 	tar xvzf krb5-1.3.4.tgz
> 	cd krb5-1.3.4/src
> 	./configure --enable-shared
> 	make
> 
>    then do as root:
> 
> 	make install
> 
> 3. Edit /etc/krb5.conf:
> 
> 	[libdefaults]
> 	        default_realm = <MY.ORG>
> 	[realms]
> 	        <MY.ORG> = {
> 	                kdc = <domain_controller>:88
> 	                admin_server = <domain_controller>:749
> 	                default_domain = <my.org>
> 	        }
> 	[domain_realm]
> 	        <ou>.<my.org> = <MY.ORG>
> 	        .<ou>.<my.org> = <MY.ORG>
> 	        <my.org> = <MY.ORG>
> 	        .<my.org> = <MY.ORG>
> 
> 
> 2.2 Configuration of the external SAP SNC Adapter
> -------------------------------------------------
> 
> 1. Download bc_snc_adapter_101.zip from
> 
> 	http://www.sap.com/partners/icc/scenarios/technology/bc-snc.aspx
> 
> 2. Unzip it:
> 
> 	unzip bc_snc_adapter_101.zip
> 
> 3. Modify the provided sncadapt/Makefile:
> 
> 	XNAME = snckrb5
> 
> 4. Modify the provided sncadapt/build.<your_UNIX_OS_name>:
> 
> 	VENLIB="-L/usr/local/lib -lgssapi_krb5"
> 
> 5. Compile it:
> 
> 	cd sncadapt
> 	make
> 
> 6. Copy the resulting file snckrb5.so to /usr/local/lib:
> 
> 	cp snckrb5.so /usr/local/lib 
> 
> 7. You may need to comment out the function "sapgss_inquire_mechs_for_name"
>    in snckrb5.c because of compilation problems. Then repeat steps 5.-6.
> 
> 
> 2.3 Configuration of the SAP Server as <sid>adm
> -----------------------------------------------
> 
> 1. You will need to have an Oracle user OPS$<sid>adm.
> 
> 2. Set LD_LIBRARY_PATH to contain /usr/local/lib. Preferably in some place
>    like .profile that automatically gets executed every time upon login.
> 
> 3. Get a ticket before starting the server (one line):
> 
> 	/usr/local/bin/kinit -k 
> 	-t SAPService<SID>.keytab SAPService<SID>/<my.org>@<MY.ORG>
> 
>    Could also be added to .profile to get executed automatically after login.
> 
> 4. Edit the crontab, in order to automate the process of getting fresh Kerberos
>    tickets for the server:
> 
>    	crontab -e
> 
>    Then type the following (one long line):
> 
> 	0 0,6,12,18 * * * /usr/local/bin/kinit -k 
> 	-t SAPService<SID>.keytab SAPService<SID>/<my.org>@<MY.ORG>
> 
>    This will get fresh tickets every six hours.
> 
> 5. Logon to the SAP server as usual, using the SAP GUI.
> 
> 6. Use transaction RZ10 (Edit Profiles), then edit the "Instance profile".
>    For "Edit Profile" click on "Extended Maintenance" then click the button
>    "Change".
>    Set the following values:
> 
> 	snc/enable = 1
> 	snc/identity/as = p:SAPService<SID>/<my.org>@<MY.ORG>
> 	snc/gssapi_lib = /usr/local/lib/snckrb5.so
> 
>    Save.
> 
> 7. Now edit the "Default profile".
>    Set the following values:
> 
> 	snc/extid_login_diag = 1
> 	snc/extid_login_rfc = 1
> 	snc/accept_insecure_cpic = 1
> 	snc/accept_insecure_gui = 1
> 	snc/accept_insecure_r3int_rfc = 1
> 	snc/accept_insecure_rfc = 1
> 	snc/permit_insecure_start = 1
> 	snc/data_protection/min = 1
> 	snc/data_protection/max = 3
> 	snc/data_protection/use = 3
> 
>    While testing and debugging it is recommended that you use
> 	
> 	snc/*_insecure_*    1
> 
>    Save.
> 
> 8. Use transaction SU01 to assign SNC identities to a SAP user. After choosing
>    the SAP user, you will see that the SNC tab has been activated. Click on it
>    and for the Windows <user> in the AD domain <my.org> type into the
>    "SNC Name" the principal p:<user>@<MY.ORG>
>    Save.
> 
> 9. Re-/Start the server to activate SSO:
> 
> 	stopsap r3 && startsap r3
> 
> 
> 2.4 Configuration of a Windows client to use SSO with the Unix SAP Server
> -------------------------------------------------------------------------
> 
> 1. If you want to use the command line (cmd.exe) to start the SAP GUI (for
>    testing, debugging, etc.) do:
> 
> 	set SNC_LIB=<your_path_to_gss_wrapper_lib>\gsskrb5.dll
> 
>    then (in one line):
> 
> 	sapgui.exe /H/<host>.<ou>.<my.org>/S/3200
> 	/snc="p:SAPService<SID>/<my.org>@<MY.ORG>"
> 
> 2. Copy gsskrb5.dll to %systemroot%\SYSTEM32\sncgss32.dll, as this is the
>    default location where SAP Logon and SAP GUI will look for it:
> 
> 	copy gsskrb5.dll %systemroot%\SYSTEM32\sncgss32.dll
> 
>    Alternatively, you can also set the global environment variable: 
> 
> 	SNC_LIB=<your_path_to_gss_wrapper_lib>\gsskrb5.dll
> 
> 3. Choose from SAP Logon the entry for the machine running the Unix 
>    SAP Server. Click on "Properties", then "More..." and activate the
>    "Secure-Network-Communication" checkbox.
> 
> 4. In the "SNC-Name" field, type "p:SAPService<SID>/<my.org>@<MY.ORG>".
> 
> 5. Finally, choose the "Max. available" radio-button.
>  

=====
Regards.
JuanM.
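An added check, not part of Calin's notes, following up on step 7 of section 2.3 from a defender's side: it reads an SAP profile and reports which snc/accept_insecure_* and snc/permit_insecure_start switches are still set to 1, so the testing-only settings can be found before the system is used for real. The profile path and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not part of Calin's notes: audit an SAP profile for the SNC
# "insecure" switches that the notes turn on only for testing and debugging.
# The profile path is an argument (an assumption); the sample file is constructed.
# make_sample_profile <file>: write a constructed default-profile sample
make_sample_profile() {
    cat > "$1" <<'EOF'
# constructed sample, values as in section 2.3 step 7
snc/enable = 1
snc/extid_login_diag = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 0
snc/permit_insecure_start = 1
snc/data_protection/use = 3
EOF
}

# get_param <file> <name>: print the value of one profile parameter
get_param() {
    awk -F'=' -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        { gsub(/[ \t]/, "", $1)
          if ($1 == key) { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit } }' "$1"
}

# list_insecure <file>: print "name=1" for each enabled insecure switch
list_insecure() {
    awk -F'=' '
        /^[ \t]*#/ || NF < 2 { next }
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2)
          if (($1 ~ /^snc\/accept_insecure_/ || $1 == "snc/permit_insecure_start") && $2 == "1")
              print $1 "=" $2 }' "$1"
}

# count_insecure <file>: number of enabled insecure switches
count_insecure() {
    list_insecure "$1" | wc -l | tr -d ' '
}

# audit_profile <file>: 0 if SNC is on and no insecure switch is set, else 1
audit_profile() {
    [ "$(get_param "$1" snc/enable)" = "1" ] || { echo "$1: snc/enable is not 1"; return 1; }
    n=$(count_insecure "$1")
    [ "$n" -eq 0 ] && { echo "$1: no insecure SNC switches enabled"; return 0; }
    echo "$1: $n insecure SNC switch(es) still enabled:"
    list_insecure "$1" | sed 's/^/  /'
    return 1
}
# Usage (path assumed): sh audit_snc.sh /usr/sap/<SID>/SYS/profile/DEFAULT.PFL
[ "$#" -eq 1 ] && audit_profile "$1"
```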

