Thanks to everyone for the great support, help and assistance!
Calin Barbat
c.barbat at osram.de
Thu Sep 9 10:17:28 EDT 2004
Draft Notes for the configuration of single sign-on (SSO) from Windows
clients to a SAP Linux server using SNC with the MIT Kerberos V
libgssapi_krb5.so
========================================================================
As the title implies, these instructions are not yet polished. If you
have suggestions for improvement, feel free to contact me. The discussions
with the following people out there on the internet were of great help
to me while struggling with the caveats of AD, Kerberos and SNC, as I was
familiar with none of them before doing this task:
The kerberos at mit.edu mailing list - was the right place to post my
request for kerberos related help.
Martin Rex of SAP (designer and maintainer of SNC) provided me with
insight into the history of SNC-Kerberos interoperability and suggested
the use of the SNC Adapter snckrb5.so
Cevat Gürsoy improved the settings for the snc/protection/* parameters
Norbert Klasen made a remark that helped me make the essential
break-through. He suggested playing around with the sample
gss-server/-client apps from the Kerberos distribution, so that I was
able to figure out what was still missing from my setup.
Various colleagues of mine here at work were of great help. I thank them
all. One of them brought the problem to my attention and set the Linux box,
Oracle db and the SAP Web Application Server up and running; the
sysadmins provided me with all things I needed from the AD,
certificates, keytabs,
etc. Others helped me when - small, but nevertheless annoying - things
wouldn't turn up as expected by me. I am also greatly indebted to a SAP R/3
BW consultant for R/3 specific help and discussions. One colleague was
always good at cheering me up - he has some sticker around saying
"It's never too late to have a happy childhood" and other nice gadgets.
Remarks on the usage of these notes: all errors are mine.
The TODO??? markers show that I did the described things, but I'm not sure
if they're really needed for having things working.
All names enclosed in <> have to be replaced according to your setup.
Before doing anything read these instructions twice or more times, as
needed - to ensure you understand what you have to do.
It helps to do a search and replace with your <domain>, etc.
Date: 2004.09.09
Configuration of the Windows 2000 Server Active Directory Domain Controller
---------------------------------------------------------------------------
TODO???: Create computer account for <fqdn>, Export the keytab.
1. Create service user account <sap_service> on the
<domain_controller> in the AD <domain> with password <sap_service-pass>.
2. Export the keytab for this account:
   ktpass -princ <sap_service>/<fqdn>@<DOMAIN> -mapuser <sap_service> -pass <sap_service-pass> -out <sap_service>.keytab
Configuration of the Linux/Oracle/SAP Web Application Server <fqdn>
-------------------------------------------------------------------
I assume that you already installed Linux, Oracle and SAP on the
machine and I will only describe the Kerberos and the SNC Adapter part.
Configuration of Kerberos
-------------------------
1. Download krb5-1.3.4.tgz from http://web.mit.edu/kerberos/www/
(Read the security advisories for the known vulnerabilities; releases
newer than 1.3.4 may also work.)
2. Untar it:
tar xvzf krb5-1.3.4.tgz
3. Compile the MIT Kerberos V package (it is important to compile it
as a shared library):
cd krb5-1.3.4/src
./configure --enable-shared
make
and as root do:
make install
4. Edit /etc/krb5.conf:
   [libdefaults]
       default_realm = <DOMAIN>
   [realms]
       <DOMAIN> = {
           kdc = <domain_controller>.<domain>:88
           admin_server = <domain_controller>.<domain>:749
           default_domain = <domain>
       }
   [domain_realm]
       <domain1>.<domain> = <DOMAIN>
       .<domain1>.<domain> = <DOMAIN>
       <domain> = <DOMAIN>
       .<domain> = <DOMAIN>
5. Transfer the generated <sap_service>.keytab (see 2. of Win2k AD
Configuration above) securely to the Linux box.
6. As root import <sap_service>.keytab:
   /usr/local/sbin/ktutil
   ktutil: rkt /etc/krb5.keytab
   ktutil: rkt <sap_service>.keytab
   ktutil: wkt /etc/krb5.keytab
   ktutil: l          (shows a list of Kerberos principals)
   ktutil: q
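As an added example (not part of the original notes), a small Python parser that reads the merged /etc/krb5.keytab offline and checks that the service principal <sap_service>/<fqdn>@<DOMAIN> is really present with the expected kvno and enctype, the same information "ktutil: l" lists; the keytab bytes and the names sapserv/sap01.example.com@EXAMPLE.COM are constructed placeholders.

```python
import struct
from typing import Dict, List

def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def build_entry(realm, components, enctype, key, vno, timestamp=0, name_type=1):
    """Serialise one entry the way ktutil/ktpass write it (used here only to
    construct offline sample input)."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in components)
    body += struct.pack(">IIB", name_type, timestamp, vno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", vno)               # 32-bit vno present in v2 files
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes) -> List[Dict]:
    """Return principal, kvno and enctype for every live entry (what 'ktutil: l' shows)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                              # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        parts = []
        for _ in range(ncomp + 1):                # realm first, then name components
            (ln,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + ln].decode()); pos += ln
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos); pos += 4 + keylen
        vno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "kvno": vno, "enctype": enctype})
        pos = end
    return entries

def has_snc_principal(data: bytes, service: str, fqdn: str, realm: str) -> bool:
    """True if <service>/<fqdn>@<REALM>, the identity used for kinit, is in the keytab."""
    return any(e["principal"] == f"{service}/{fqdn}@{realm}" for e in parse_keytab(data))

# Constructed sample keytab with hypothetical placeholder names
# (enctype 23 = rc4-hmac, key bytes are dummy values).
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "EXAMPLE.COM", ["sapserv", "sap01.example.com"], 23, b"\x11" * 16, 3)
```

On the real box, call parse_keytab(open("/etc/krb5.keytab", "rb").read()) as root and compare the kvno with the one the AD admin reported, since a stale key version is a frequent cause of SNC handshake failures.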
Configuration of the external SAP SNC Adapter
---------------------------------------------
1. Download bc_snc_adapter_101.zip from
http://www.sap.com/partners/icc/scenarios/technology/bc-snc.aspx
2. Unzip it:
unzip bc_snc_adapter_101.zip
3. Create a sncadapt/build.Linux with the following content:
   #!/bin/sh
   # Build settings for the SNC Adapter on Linux; the variables are
   # exported and then the command given as argument (e.g. make) is run.
   OBJ=".o"
   CC="cc"
   CFLAGS="-g -DXDEBUG=1"
   RM="rm -f"
   EXE=""
   LD="$CC"
   LDFLAGS="-ldl -lnsl -lpthread -lc"
   LDTARGET='-o $@'
   XD=""
   LDLIBS="-ldl"
   SHEXT=".so"
   SHFLAGS="-fPIC"
   # single quotes on purpose: $(CC) and $@ are expanded by make, not here
   LINK_SHARED='$(CC) -shared -Wl,-export-dynamic -Wl,-soname,$@'
   LINK_SHARED_END=""
   # the GSS-API v2 shared library to link against (MIT Kerberos V)
   VENLIB="-lgssapi_krb5"
   if [ "$VENLIB" = "" ] ; then
       echo "***"
       echo "*** Please edit $0 and define VENLIB to link your"
       echo "*** GSS-API v2 shared library"
       echo "***"
       exit 1
   fi
   export OBJ CC CFLAGS RM EXE LDLIBS LD LDTARGET LDFLAGS XD
   export SHEXT SHFLAGS LINK_SHARED LINK_SHARED_END VENLIB
   "$@"
5. Change "XNAME = sncntlm" to "XNAME = snckrb5" in sncadapt/Makefile.
TODO???: comment out the function "sapgss_inquire_mechs_for_name" in
snckrb5.c
6. Compile it:
cd sncadapt
make
7. Copy the resulting file snckrb5.so to /usr/local/lib:
cp snckrb5.so /usr/local/lib
Configuration of the SAP Server (as user <SID>adm = <sap_service> for me)
-------------------------------------------------------------------------
1. Set LD_LIBRARY_PATH to contain /usr/local/lib.
2. Logon to the server as usual.
3. Use transaction RZ10 (Edit Profiles), in "Profile" choose the
"Instance profile".
For "Edit Profile" click on "Extended Maintenance" then click the
button "Change".
Set "snc/gssapi_lib" to the value "/usr/local/lib/snckrb5.so".
Save.
4. Edit now the "Default profile" using RZ10.
Set the following values:
snc/enable 1
snc/identity/as p:<sap_service>@<fqdn>
snc/protection/min 1
snc/protection/max 3
snc/protection/use 9
TODO???: more of them needed
While testing and debugging it is recommended that you use
snc/*_insecure_* 1
5. Use now transaction STRUST to go into the SNC PSE folder there and
export certificate. Send this to your AD admin to request
a certificate to insert into "Import Certificate Response".
You may have to assign a password here, to use when changing these
settings.
6. Use transaction SU01 to assign SNC identities to a SAP user. After
choosing the SAP user, you will see that the SNC tab has been activated.
Click on it and for the Windows <user> in the AD <domain> type
into the "SNC Name" field the principal "p:<user>@<DOMAIN>".
7. Start the server:
kinit <sap_service>/<fqdn>
Enter <sap_service-pass> when asked for a password. Then:
startsap r3
Configuration of a Windows client to use SSO with the Linux SAP Server
----------------------------------------------------------------------
1. Copy gsskrb5.dll to %systemroot%\SYSTEM32\SNCGSS32.DLL, as this is
the default location where SAP Logon will look for it:
copy gsskrb5.dll %systemroot%\SYSTEM32\SNCGSS32.DLL
Alternatively, you can also set the global environment
variable SNC_LIB=<your_path_to_gss_wrapper_lib>\gsskrb5.dll
2. Choose from SAP Logon the entry for the machine running the
Linux SAP Server.
Click on "Properties", then "More..." and activate the
"Secure-Network-Communication" checkbox.
3. In the "SNC-Name" field, type "p:<sap_service>/<fqdn>@<DOMAIN>".
4. Finally, choose the "Max. available" radio-button.
If you want to use the command line (cmd.exe):
----------------------------------------------
2'. If SNCGSS32.DLL isn't in the default location (see 1.):
set SNC_LIB=<your_path_to_gss_wrapper_lib>\gsskrb5.dll
The environment variable SNC_LIB is then only set locally in this
shell.
3'. Start the SAP Gui:
   C:\Program Files\SAP\FrontEnd\SAPgui\sapgui.exe /H/<fqdn>/S/3200 /snc="p:<sap_service>/<fqdn>@<DOMAIN>"