Page 1

Single Sign-On via SNC Adapter Page 1 of 14



SAP SINGLE SIGN-ON AND SECURE CONNECTIONS VIA SNC ADAPTER BASED ON KERBEROS V5

Project name : SSO SNC ABAP
Our reference : REALTECH
Project management : Manfred Stein, SAP AG, [email protected]
Document type : Whitepaper
Author : Matthias Schlarb, REALTECH system consulting GmbH, [email protected]

REALTECH system consulting GmbH
Industriestrasse 39c
69190 Walldorf

Page 2


Index

1 Introduction ............................................................... 3
  1.1 General Notes .......................................................... 3
    1.1.1 Scenario ........................................................... 3
    1.1.2 Important SAP Notes ................................................ 3
    1.1.3 Helpful links ...................................................... 3
  1.2 Prerequisites .......................................................... 4
2 Setup Windows-Server ....................................................... 4
  2.1 Create service user .................................................... 4
  2.2 Set Service Principal Name ............................................. 5
  2.3 Export Keytab from Microsoft ADS ....................................... 5
3 Setup Linux-Server ......................................................... 6
  3.1 Configuration Kerberos ................................................. 6
  3.2 Time synchronization ................................................... 7
  3.3 Key import to Linux .................................................... 7
  3.4 Initialize Kerberos: Ticket Granting Ticket (TGT) ...................... 8
    3.4.1 Set permissions .................................................... 8
    3.4.2 Automatic renewal of the Kerberos TGT .............................. 8
  3.5 Configure SAP .......................................................... 9
    3.5.1 Compile SNC Adapter ................................................ 9
    3.5.2 Configure profile parameters ...................................... 10
4 Setup Windows-Client ...................................................... 10
  4.1 Time synchronization .................................................. 10
  4.2 Installation of the wrapper DLLs ...................................... 10
    4.2.1 Manually .......................................................... 10
    4.2.2 Automatically ..................................................... 11
  4.3 Configure SAP Logon ................................................... 11
5 Map users ................................................................. 12
6 Appendix .................................................................. 12
  6.1 How Kerberos works .................................................... 12
  6.2 ktpass ................................................................ 14

Page 7


3.2 Time synchronization

The Kerberos protocol treats every ticket whose timestamp differs from the server time by more than 2 minutes (by default) as invalid. This applies to the Linux server as well as to the Windows client! Both have to be synchronized to the Windows server, which, as a PDC, runs an NTP service by default.

Under Linux this is done with ntpd, the Network Time Protocol Daemon. The easiest way to install and configure it is via YaST.

3.3 Key import to Linux

The key from n4s.keytab will now be imported into /etc/krb5.keytab. For this the tool ktutil is used as user root.

ktutil                  starts the program
?                       help
rkt /tmp/n4s.keytab     reads the key from the keytab file being imported
l -e                    list entries, extended (shows the encryption type)

The output should look like:

slot KVNO Principal
---- ---- -------------------------------------------------------------
   1    3 SAPService/[email protected] (DES cbc mode with RSA-MD5)

Compare the value in the column KVNO with your number from 2.3: it should be the same. If not, you have probably exported the key from Windows multiple times with ktpass and are now using an older version. In brackets you see the encryption type.

wkt /etc/krb5.keytab    writes the key into the key table of the system
q                       quit
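The KVNO comparison described above can be scripted. The following Python is an added example and not part of the REALTECH whitepaper: it parses a ktutil listing in the format shown in this section, compares every entry for the service principal against the KVNO recorded in step 2.3, and additionally flags entries that still use DES, as the document's own sample output does, since DES is no longer considered a secure encryption type. The listing embedded in the script is constructed, and the principal SAPService/n4shost.example.com@EXAMPLE.COM is an assumed placeholder for the redacted value in the document.

```python
"""Check a ktutil 'l -e' listing against the KVNO recorded in step 2.3.

Added example (not part of the whitepaper). SAMPLE_LISTING is constructed to
mirror the output format of section 3.3; the principal and realm are placeholders.
"""
import re

# Constructed sample of ktutil output after 'rkt /tmp/n4s.keytab' and 'l -e'.
# Slot 2 is a stale key left behind by an earlier ktpass run.
SAMPLE_LISTING = """\
slot KVNO Principal
---- ---- -------------------------------------------------------------
   1    3 SAPService/n4shost.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   2    2 SAPService/n4shost.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
"""

# slot, KVNO, principal and the encryption type printed in brackets.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def parse_ktutil_listing(text):
    """Return a list of (slot, kvno, principal, enctype) tuples."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            slot, kvno, principal, enctype = match.groups()
            entries.append((int(slot), int(kvno), principal, enctype))
    return entries


def check_keytab(entries, principal, expected_kvno):
    """Compare the keytab entries for `principal` with the KVNO from step 2.3.

    Returns human-readable findings; an empty list means the keytab holds
    exactly the current key version and no weak encryption types.
    """
    findings = []
    matching = [e for e in entries if e[2] == principal]
    if not matching:
        return [f"no entry for {principal} in keytab"]
    kvnos = sorted({e[1] for e in matching})
    if expected_kvno not in kvnos:
        findings.append(
            f"KVNO mismatch: keytab has {kvnos}, directory has {expected_kvno}; "
            "ktpass was probably run more than once, re-export the key"
        )
    elif len(kvnos) > 1:
        findings.append(f"stale key versions present alongside {expected_kvno}: {kvnos}")
    for _, kvno, _, enctype in matching:
        if "DES" in enctype.upper():
            findings.append(f"KVNO {kvno} uses weak encryption type '{enctype}'")
    return findings


if __name__ == "__main__":
    principal = "SAPService/n4shost.example.com@EXAMPLE.COM"
    for finding in check_keytab(parse_ktutil_listing(SAMPLE_LISTING), principal, 3):
        print(finding)
```

Run it before wkt: an empty result means the imported key is the version the domain controller currently holds; a mismatch finding is the "older version" case the text describes, and a weak-enctype finding means the ktpass crypto option (see 6.2) should be moved off DES.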

Page 8


3.4 Initialize Kerberos: Ticket Granting Ticket (TGT)

Get your first TGT with:

kinit -V -k <ServiceName>/<hostname_linux_server>.<domain_name>@<DOMAIN_NAME>

e.g.:

kinit -V -k SAPService/[email protected]
Authenticated to Kerberos v5

3.4.1 Set permissions

As user root, change the permissions of the system key table. Otherwise <sid>adm can't get a valid ticket.

chgrp sapsys /etc/krb5.keytab
chmod 640 /etc/krb5.keytab

Now a (manual) kinit (see 3.4) should also be possible as user <sid>adm.

If the permissions have not been set correctly, you will find the following error on your SAP instance in the developer trace of the work process:

N GSS-API(maj): Miscellaneous failure
N GSS-API(min): Permission denied
3.4.2 Automatic renewal of the Kerberos TGT

Kerberos tickets have a limited lifetime (10 hours by default) and therefore have to be renewed. The easiest way is to set up a cron job. In this example the ticket is renewed every six hours:

crontab -e

01 0,6,12,18 * * * /usr/bin/kinit -k SAPService/[email protected]

Should the renewal of the ticket fail for any reason, so that the Linux server does not possess a valid TGT, you will find the following error on your SAP instance in the developer trace of the work process:

N GSS-API(maj): Miscellaneous failure
N GSS-API(min): No credentials cache found
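The permission requirement from 3.4.1 and the two GSS-API error pairs quoted in 3.4.1 and 3.4.2 lend themselves to a small pre-flight check. The following Python is an added example, not from the whitepaper: check_keytab_perms() verifies that a keytab carries the group and the mode 640 set above (and is not world-readable, which would expose the key to every local user), and diagnose_work_process_trace() pairs the GSS-API(maj)/GSS-API(min) lines of a developer trace and maps the minor status to the cause and remedy this chapter gives. The trace excerpt inside the script is constructed from the lines quoted here; the keytab path and group name are parameters, and demo_permission_states() exercises the check on a temporary file rather than on a real keytab.

```python
"""Pre-flight checks for section 3.4: keytab permissions and GSS-API trace errors.

Added example, not part of the whitepaper. SAMPLE_TRACE is constructed from the
two error pairs the document quotes; paths and group names are parameters.
"""
import grp
import os
import stat
import tempfile

# Cause and remedy for the GSS-API minor status texts quoted in 3.4.1 and 3.4.2.
KNOWN_MINOR_STATUS = {
    "Permission denied": (
        "work process user cannot read the keytab",
        "chgrp sapsys /etc/krb5.keytab; chmod 640 /etc/krb5.keytab (3.4.1)",
    ),
    "No credentials cache found": (
        "no valid TGT for the service principal",
        "run kinit -k <principal> and check the cron renewal (3.4.2)",
    ),
}

# Constructed developer-trace excerpt: one unrelated line, then both error pairs.
SAMPLE_TRACE = """\
N  (constructed) unrelated SNC trace line
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): Permission denied
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): No credentials cache found
"""


def check_keytab_perms(path, group="sapsys", mode=0o640):
    """Return findings for a keytab that <sid>adm must be able to read.

    `group` is a group name or a numeric gid. An empty list means the file
    matches the chgrp/chmod from section 3.4.1.
    """
    st = os.stat(path)
    findings = []
    want_gid = group if isinstance(group, int) else grp.getgrnam(group).gr_gid
    if st.st_gid != want_gid:
        findings.append(f"group is gid {st.st_gid}, expected {group}")
    actual = stat.S_IMODE(st.st_mode)
    if actual & 0o004:
        findings.append(f"mode {actual:o} is world-readable; key material exposed to all users")
    if not actual & 0o040:
        findings.append(f"mode {actual:o} is not group-readable; <sid>adm cannot kinit")
    if actual != mode:
        findings.append(f"mode {actual:o} differs from expected {mode:o}")
    return findings


def diagnose_work_process_trace(text):
    """Pair each GSS-API(maj)/GSS-API(min) line and explain the minor status."""
    results = []
    major = None
    for line in text.splitlines():
        if "GSS-API(maj):" in line:
            major = line.split("GSS-API(maj):", 1)[1].strip()
        elif "GSS-API(min):" in line and major is not None:
            minor = line.split("GSS-API(min):", 1)[1].strip()
            cause, remedy = KNOWN_MINOR_STATUS.get(
                minor, ("minor status not covered by this document", "enable Kerberos tracing"))
            results.append({"major": major, "minor": minor, "cause": cause, "remedy": remedy})
            major = None
    return results


def demo_permission_states():
    """Run check_keytab_perms on a temporary file in three permission states."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    gid = os.stat(path).st_gid  # use the file's own group as the expected group
    results = {}
    for label, bits in (("correct", 0o640), ("world_readable", 0o644), ("no_group", 0o600)):
        os.chmod(path, bits)
        results[label] = check_keytab_perms(path, group=gid)
    os.remove(path)
    return results


if __name__ == "__main__":
    for label, findings in demo_permission_states().items():
        print(label, findings or "ok")
    for entry in diagnose_work_process_trace(SAMPLE_TRACE):
        print(f"{entry['minor']}: {entry['cause']} -> {entry['remedy']}")
```

Against a real system, call check_keytab_perms("/etc/krb5.keytab") as root and feed diagnose_work_process_trace() the contents of the work process dev_w* trace file; a "Permission denied" result points back to 3.4.1, a "No credentials cache found" result to the cron renewal in 3.4.2.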

Page 13





Step 5:
A sends the ticket to server B and adds a timestamp encrypted with the session key.

Step 6:
Server B checks the timestamp and acknowledges the connection by returning timestamp+1 encrypted with the session key.

Now both partners are sure that the other one is authentic, and they have a secret key for the communication through the network.
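Steps 5 and 6 as a runnable exchange with both sides, added here as an example that is not part of the whitepaper. Real Kerberos encrypts the authenticator with the encryption type negotiated with the KDC (DES or RC4-HMAC in this document's ktpass options); the toy below substitutes a keystream derived with HMAC-SHA256 plus an HMAC tag so that it runs on the Python standard library alone, and it assumes that server B has already recovered the session key from the ticket with its own long-term key, the one imported into /etc/krb5.keytab in 3.3. The server applies the 2-minute clock-skew limit from 3.2, so the example also shows why the time synchronization steps matter.

```python
"""Steps 5 and 6 of the Kerberos exchange (section 6.1) as a toy with both sides.

Added example, not part of the whitepaper. The cipher is a stand-in for a real
Kerberos encryption type: an HMAC-SHA256 keystream plus an HMAC tag, stdlib only.
"""
import hashlib
import hmac
import os
import struct

MAX_SKEW_SECONDS = 120  # section 3.2: more than 2 minutes of skew is rejected


def _subkey(session_key, label):
    """Derive separate keystream and tag keys from the shared session key."""
    return hmac.new(session_key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(session_key, plaintext):
    """nonce || ciphertext || tag; the tag lets the receiver detect a wrong key or tampering."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(session_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(session_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(session_key, blob):
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(session_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authenticator rejected: wrong session key or tampered")
    ks = _keystream(_subkey(session_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def client_step5(session_key, ticket, client_time):
    """Step 5: A sends the ticket plus an authenticator {timestamp} under the session key."""
    authenticator = encrypt(session_key, struct.pack(">Q", client_time))
    return ticket, authenticator


def server_step6(session_key, authenticator, server_time):
    """Step 6: B checks the timestamp against its own clock and returns {timestamp+1}.

    Toy assumption: B already extracted session_key from the ticket with its own
    long-term key (the key imported into /etc/krb5.keytab in 3.3).
    """
    (timestamp,) = struct.unpack(">Q", decrypt(session_key, authenticator))
    skew = abs(server_time - timestamp)
    if skew > MAX_SKEW_SECONDS:
        raise ValueError(f"clock skew of {skew}s exceeds {MAX_SKEW_SECONDS}s; ticket treated as invalid")
    return encrypt(session_key, struct.pack(">Q", timestamp + 1))


def client_verify(session_key, reply, sent_time):
    """A accepts B only if the reply decrypts to exactly timestamp+1: B knew the session key."""
    (echoed,) = struct.unpack(">Q", decrypt(session_key, reply))
    return echoed == sent_time + 1


def run_exchange(client_time, server_time, session_key=None):
    """Drive both sides with the given clocks; True means mutual authentication succeeded."""
    session_key = session_key or os.urandom(32)
    ticket = b"constructed opaque ticket"  # its contents play no role in steps 5 and 6 here
    ticket, authenticator = client_step5(session_key, ticket, client_time)
    reply = server_step6(session_key, authenticator, server_time)
    return client_verify(session_key, reply, client_time)


if __name__ == "__main__":
    now = 1_700_000_000
    print("synchronized clocks:", run_exchange(now, now))
    try:
        run_exchange(now, now + 600)
    except ValueError as exc:
        print("10 minutes of skew:", exc)
```

The second run in the main block is the failure mode behind section 3.2: with the server clock 10 minutes ahead, the authenticator is rejected before any reply is sent, so the client never sees timestamp+1 and the connection is not established.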

Page 14


6.2 ktpass

Command line options:

------------------most useful args
[- /] out : Keytab to produce
[- /] princ : Principal name ([email protected])
[- /] pass : password to use
use "*" to prompt for password.
[- +] rndPass : ... or use +rndPass to generate a random password
[- /] minPass : minimum length for random password (def:15)
[- /] maxPass : maximum length for random password (def:256)

------------------less useful stuff
[- /] mapuser : map princ (above) to this user account (default: don't)
[- /] mapOp : how to set the mapping attribute (default: add it)
[- /] mapOp : is one of:
[- /] mapOp : add : add value (default)
[- /] mapOp : set : set value
[- +] DesOnly : Set account for des-only encryption (default:don't)
[- /] in : Keytab to read/digest

------------------options for key generation
[- /] crypto : Cryptosystem to use
[- /] crypto : is one of:
[- /] crypto : DES-CBC-CRC : for compatibility
[- /] crypto : DES-CBC-MD5 : for compatibliity
[- /] crypto : RC4-HMAC-NT : default 128-bit encryption
[- /] ptype : principal type in question
[- /] ptype : is one of:
[- /] ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
[- /] ptype : KRB5_NT_SRV_INST : user service instance
[- /] ptype : KRB5_NT_SRV_HST : host service instance
[- /] kvno : Override Key Version Number
Default: query DC for kvno. Use /kvno 1 for Win2K compat
[- +] Answer : +Answer answers YES to prompts. -Answer answers NO.
[- /] Target : Which DC to use. Default:detect
[- /] RawSalt : raw salt to use when generating key (not needed)
[- +] DumpSalt : show us the MIT salt being used to generate the key
[- +] SetUpn : Set the UPN in addition to the SPN. Default DO.
[- +] SetPass : Set the user's password if supplied.

------------------options for trust attributes (Windows Server 2003 Sp1 Only
[- /] MitRealmName : MIT Realm which we want to enable RC4 trust on.
[- /] TrustEncryp : Trust Encryption to use; DES is default
[- /] TrustEncryp : is one of:
[- /] TrustEncryp : RC4 : RC4 Realm Trusts (default)
[- /] TrustEncryp : DES : go back to DES
