Draft Notes for the configuration of single sign-on (SSO) from Windows clients to a SAP Linux server using SNC with the MIT Kerberos V libgssapi_krb5.so
========================================================================================================================================================



As the title implies, these instructions are not yet polished. If you have suggestions for improvement, feel free to contact me. The discussions
with the following people out there on the internet were of great help to me while struggling with the caveats of AD, Kerberos and SNC, as I was
familiar with none of them before doing this task:


The [EMAIL PROTECTED] mailing list was the right place to post my request for Kerberos related help.
Martin Rex of SAP (designer and maintainer of SNC) provided me with insight into the history of SNC-Kerberos interoperability and suggested
the use of the SNC Adapter snckrb5.so.
Cevat Gürsoy improved the settings for the snc/protection/* parameters.
Norbert Klasen made a remark that helped me make the essential breakthrough. He suggested playing around with the sample gss-server/gss-client apps
from the Kerberos distribution, so that I was able to figure out what was still missing from my setup.


Various colleagues of mine here at work were of great help. I thank them all. One of them brought the problem to my attention and set up the Linux box,
Oracle db and the SAP Web Application Server; the sysadmins provided me with everything I needed from the AD: certificates, keytabs,
etc. Others helped me when small, but nevertheless annoying, things wouldn't turn out as I expected. I am also greatly indebted to a SAP R/3
BW consultant for R/3 specific help and discussions. One colleague was always good at cheering me up - he has a sticker around saying
"It's never too late to have a happy childhood" and other nice gadgets.


Remarks on the usage of these notes: all errors are mine.
The TODO??? markers indicate things I did, but I am not sure whether they are really needed to get things working.
All names enclosed in <> have to be replaced according to your setup.
Before doing anything, read these instructions twice or more times, as needed, to ensure you understand what you have to do.
It helps to do a search and replace with your <domain>, etc.


Date: 2004.09.09


Configuration of the Windows 2000 Server Active Directory Domain Controller
---------------------------------------------------------------------------

TODO???: Create computer account for <fqdn>, Export the keytab.

1. Create service user account <sap_service> on the <domain_controller> in the AD <domain> with password <sap_service-pass>.

2. Export the keytab for this account:

     ktpass -princ <sap_service>/<fqdn>@<DOMAIN> -mapuser <sap_service> -pass <sap_service-pass> -out <sap_service>.keytab


Configuration of the Linux/Oracle/SAP Web Application Server <fqdn>
-------------------------------------------------------------------

I assume that you have already installed Linux, Oracle and SAP on the machine; I will only describe the Kerberos and SNC Adapter part.


Configuration of Kerberos
-------------------------

1. Download krb5-1.3.4.tgz from http://web.mit.edu/kerberos/www/
   (Read the security advisories for the known vulnerabilities; releases newer than 1.3.4 may also work.)

2. Untar it:

     tar xvzf krb5-1.3.4.tgz

3. Compile the MIT Kerberos V package (it is important to compile it as a shared library):

     cd krb5-1.3.4/src
     ./configure --enable-shared
     make

   and as root do:

     make install

4. Edit /etc/krb5.conf:

     [libdefaults]
      default_realm = <DOMAIN>
     [realms]
      <DOMAIN> = {
           kdc = <domain_controller>.<domain>:88
           admin_server = <domain_controller>.<domain>:749
           default_domain = <domain>
      }
     [domain_realm]
      <domain1>.<domain> = <DOMAIN>
      .<domain1>.<domain> = <DOMAIN>
      <domain> = <DOMAIN>
      .<domain> = <DOMAIN>

5. Transfer the generated <sap_service>.keytab (see 2. of the Win2k AD configuration above) securely to the Linux box.

6. As root, import <sap_service>.keytab into the system keytab:

     /usr/local/sbin/ktutil
     ktutil: rkt /etc/krb5.keytab
     ktutil: rkt <sap_service>.keytab
     ktutil: wkt /etc/krb5.keytab
     ktutil: l (shows a list of Kerberos principals)
     ktutil: q
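A small added checker, not part of these notes, that parses a krb5.conf in the layout of step 4 and verifies that an SNC name of the form the client uses later, p:<sap_service>/<fqdn>@<DOMAIN>, is consistent with it: the realm is upper-case and equals default_realm, a kdc is configured for it, and domain_realm maps the host to that realm. The sample configuration, host and realm names are constructed.

```python
import re

def parse_krb5_conf(text):
    """Minimal krb5.conf parser -> {section: {key: value}} with one level of {} nesting."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line: continue
        if line.startswith("[") and line.endswith("]"):  # [section] header
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":  # end of a "REALM = { ... }" block
            realm = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":  # start of a "REALM = { ... }" block
                realm, conf[section][key] = key, {}
            else:
                (conf[section][realm] if realm else conf[section])[key] = value
    return conf

def check_snc_name(conf, snc_name):
    """Problems found for an SNC name p:<svc>/<fqdn>@<REALM> against a parsed krb5.conf."""
    m = re.match(r"p:([^/@]+)/([^@]+)@(.+)$", snc_name)
    if not m: return ["SNC name is not of the form p:<service>/<fqdn>@<REALM>"]
    problems, (_service, fqdn, realm) = [], m.groups()
    if realm != realm.upper():  # realm names are case-sensitive; AD realms are upper-case
        problems.append("realm %s is not upper-case" % realm)
    if conf.get("libdefaults", {}).get("default_realm") != realm:
        problems.append("default_realm does not match %s" % realm)
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        problems.append("no kdc configured for realm %s" % realm)
    # domain_realm lookup as libkrb5 does it: exact host first, then each parent domain
    dr, labels = conf.get("domain_realm", {}), fqdn.split(".")
    candidates = [fqdn] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    mapped = next((dr[c] for c in candidates if c in dr), None)
    if mapped != realm:
        problems.append("domain_realm does not map %s to %s" % (fqdn, realm))
    return problems

# Constructed sample in the layout of step 4 above; not a real site's configuration
SAMPLE_KRB5_CONF = """[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
   kdc = dc1.example.com:88
 }
[domain_realm]
 .example.com = EXAMPLE.COM
"""
```

Run check_snc_name(parse_krb5_conf(open("/etc/krb5.conf").read()), "p:<sap_service>/<fqdn>@<DOMAIN>") with your real values; an empty list means the three settings agree.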


Configuration of the external SAP SNC Adapter
---------------------------------------------

1. Download bc_snc_adapter_101.zip from http://www.sap.com/partners/icc/scenarios/technology/bc-snc.aspx

2. Unzip it:

     unzip bc_snc_adapter_101.zip

3. Create sncadapt/build.Linux with the following content:

     #!/bin/sh
     # Build settings for the SNC adapter on Linux; the variables are exported
     # and the command given on the command line is then executed with them.
     OBJ=".o"
     CC="cc"
     CFLAGS="-g -DXDEBUG=1"
     RM="rm -f"
     EXE=""
     LD="$CC"
     LDFLAGS="-ldl -lnsl -lpthread -lc"
     LDTARGET='-o $@'
     XD=""
     LDLIBS="-ldl"
     SHEXT=".so"
     SHFLAGS="-fPIC"
     LINK_SHARED='$(CC) -shared -Wl,-export-dynamic -Wl,-soname,$@'
     LINK_SHARED_END=""
     # The GSS-API v2 library the adapter is linked against: MIT Kerberos' libgssapi_krb5.so
     VENLIB="-lgssapi_krb5"
     if [ "$VENLIB" = "" ] ; then
         echo "***"
         echo "*** Please edit $0 and define VENLIB to link your"
         echo "*** GSS-API v2 shared library"
         echo "***"
         exit 1
     fi
     export OBJ CC CFLAGS RM EXE LDLIBS LD LDTARGET LDFLAGS XD
     export SHEXT SHFLAGS LINK_SHARED LINK_SHARED_END VENLIB
     # Run the command passed as arguments with the settings above in its environment
     "$@"

5. Change "XNAME = sncntlm" to "XNAME = snckrb5" in sncadapt/Makefile.

   TODO???: comment out the function "sapgss_inquire_mechs_for_name" in snckrb5.c

6. Compile it:

     cd sncadapt
     make

7. Copy the resulting file snckrb5.so to /usr/local/lib:

     cp snckrb5.so /usr/local/lib

Configuration of the SAP Server (as user <SID>adm = <sap_service> for me)
-------------------------------------------------------------------------

1. Set LD_LIBRARY_PATH to contain /usr/local/lib.

2. Log on to the server as usual.

3. Use transaction RZ10 (Edit Profiles); under "Profile" choose the "Instance profile".
   For "Edit Profile" click on "Extended Maintenance", then click the button "Change".
   Set "snc/gssapi_lib" to the value "/usr/local/lib/snckrb5.so".
   Save.


4. Now edit the "Default profile" using RZ10.
   Set the following values:

     snc/enable            1
     snc/identity/as       p:<sap_service>@<fqdn>
     snc/protection/min    1
     snc/protection/max    3
     snc/protection/use    9

   TODO???: more of them needed

   While testing and debugging it is recommended that you use

     snc/*_insecure_*    1

5. Now use transaction STRUST, go into the SNC PSE folder there and export the certificate. Send this to your AD admin to request
   a certificate to insert into "Import Certificate Response".
   You may have to assign a password here, to use when changing these settings.


6. Use transaction SU01 to assign SNC identities to a SAP user. After choosing the SAP user, you will see that the SNC tab has been activated.
   Click on it and, for the Windows <user> in the AD <domain>, type the principal "p:<user>@<DOMAIN>" into the "SNC Name" field.


7. Start the server:

     kinit <sap_service>/<fqdn>

   Enter <sap_service-pass> when asked for a password. Then:

     startsap r3



Configuration of a Windows client to use SSO with the Linux SAP Server
----------------------------------------------------------------------

1. Copy gsskrb5.dll to %systemroot%\SYSTEM32\SNCGSS32.DLL, as this is the default location where SAP Logon will look for it:

     copy gsskrb5.dll %systemroot%\SYSTEM32\SNCGSS32.DLL

   Alternatively, you can also set the global environment variable SNC_LIB=<your_path_to_gss_wrapper_lib>\gsskrb5.dll

2. Choose from SAP Logon the entry for the machine running the Linux SAP Server.
   Click on "Properties", then "More..." and activate the "Secure-Network-Communication" checkbox.

3. In the "SNC-Name" field, type "p:<sap_service>/<fqdn>@<DOMAIN>".

4. Finally, choose the "Max. available" radio-button.


If you want to use the command line (cmd.exe):
----------------------------------------------

2'. If SNCGSS32.DLL isn't in the default location (see 1.):

     set SNC_LIB=<your_path_to_gss_wrapper_lib>\gsskrb5.dll

    The environment variable SNC_LIB is then only set locally in this shell.

3'. Start the SAP GUI:

     C:\Program Files\SAP\FrontEnd\SAPgui\sapgui.exe /H/<fqdn>/S/3200 /snc="p:<sap_service>/<fqdn>@<DOMAIN>"



________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
