Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

SSO : Kerberos configuration

Former Member
0 Kudos
459

Hi,

I've installed Kerberos v.5 1.5.4, for solaris 10. After that I would like to change the instance profile parameters, but I don't know whats the correct value for the parameter : snc/gssapi_lib.

I've read several documents where the value should be : /usr/local/lib/snckrb5.so

but this file doens't exist in my operative system.

Thank's in advanced

14 REPLIES 14

tim_alsop
Active Contributor
0 Kudos
214

Francesc,

I don't know if you are aware, but the use of open source Kerberos libraries for SAP SNC is not supported by SAP. Instead, SAP recommend that you use Kerberos libraries available from a SAP partner company, so that the libraries are SAP certified and supported by the vendor.

To get a list of vendors who provide such a solution, you can visit http://www.sap.com/eapcatalog and search for "Kerberos SNC".

Take care,

Tim

Former Member
0 Kudos
214

As per note :

Note 150380 - Is MIT Kerberos 5 supported for use with SNC ?

I think that is possible to use MIT Kerberos 5.

Thank's

Francesc

tim_alsop
Active Contributor
0 Kudos
214

Francesc,

I have worked with a very large number of companies who have (like yourself) attempted to use MIT Kerberos for SAP SNC. It often takes many weeks, or many months to get it working (sometimes they don't get it working and give up), and then they realise that they are not going to be supported by anybody. e.g. if a vulnerability is discovered in MIT Kerberos which needs to be fixed, there is nobody available in the company who has the skills or availability to patch the code and fix it. Also, if users cannot logon to SAP due to some issue with the MIT Kerberos library not working with Active Directory, there is nobody to ask for help, and get the system so that users can logon again...

Of course, the commercially available solutions don't suffer from the problems mentioned above, and they also have additional features which you can take advantage of (e.g. supporting workstations which are joined to domains which are untrusted, being able to logon to SAP using a different account to the account you initially logged onto Windows with ...).

So, in response to your last comment - yes, it is technically possible, but there are other issues to consider.

I hope this is useful.

Regards,

Tim

0 Kudos
214

I see...

that thread is from 2004 - the links are no more valid. I'm on the way writing a blog about how to set that up and where to find the necessary software.

Markus

tim_alsop
Active Contributor
0 Kudos
214

> I see...

>

> that thread is from 2004 - the links are no more valid. I'm on the way writing a blog about how to set that up and where to find the necessary software.

>

>

> Markus

Markus,

Which thread is from 2004 ? I don't see any mention of a thread ?

The software I refer to is commercially available, SAP certified and supported, not open source.

Thanks,

Tim

0 Kudos
214

Sorry for confusion - a similar thread was pointing to

http://osdir.com/ml/encryption.kerberos.general/2004-11/msg00007.html

If yours is commercial software I would contact the vendor how to set it up, he developed the interface between the kerberos and the SAP software and he should be able to tell you how to configure the kerberos realms.

Markus

Former Member
0 Kudos
214

I've download the soft and follow the next steps :

2.2 Configuration of the external SAP SNC Adapter

-


1. Download bc_snc_adapter_101.zip from

http://www.sap.com/partners/icc/scenarios/technology/bc-snc.aspx

2. Unzip it:

unzip bc_snc_adapter_101.zip

3. Modify the provided sncadapt/Makefile:

XNAME = snckrb5

4. Modify the provided sncadapt/build.<your_UNIX_OS_name>:

VENLIB="-L/usr/local/lib -lgssapi_krb5"

5. Compile it:

cd sncadapt

make

6. Copy the resulting file snckrb5.so to /usr/local/lib:

cp snckrb5.so /usr/local/lib

7. You may need to comment out the function "sapgss_inquire_mechs_for_name"

in snckrb5.c because of compilation problems. Then repeat steps 5.-6.

But I've some problems with the compilation. Could you send me the file "snckrb5.so" for SOLARIS platform, please ?

Thank's in advanced

tim_alsop
Active Contributor
0 Kudos
214

> Sorry for confusion - a similar thread was pointing to

>

> http://osdir.com/ml/encryption.kerberos.general/2004-11/msg00007.html

>

> If yours is commercial software I would contact the vendor how to set it up, he developed the interface between the kerberos and the SAP software and he should be able to tell you how to configure the kerberos realms.

>

> Markus

I think you might have been confused. Perhaps you posted this into wrong thread ? In this thread I was answering questions from Francesc. I am not the person who needs help with realms or Kerberos - I am the person providing the help and advice to the person who posted the question. I simply gave some reasons to Francesc why he should consider commercially available solution instead of wasting his time trying to make an open source solution work.

0 Kudos
214

Hi Tim,

you're right - the original poster has various threads open with almost the same topic - I posted to the wrong thread and clicked "reply" at the wrong post - apologize.

Markus

0 Kudos
214

> But I've some problems with the compilation. Could you send me the file "snckrb5.so" for SOLARIS platform, please ?

What problem do you have?

If you want to really go that way and use open source software, you (or someone close) should have an idea about makefiles and a bit of C knowledge - otherwise it's becoming quickly very cumbersome.

Markus

Former Member
0 Kudos
214

I think that's try to compile with cc compiler and I've gcc compiler.

srv-desar1# make

./build."`uname -s`" make do-all

/opt/SUNWspro/bin/cc -Kpic -Xa -g -DXDEBUG=1 -c snckrb5.c

sh: /opt/SUNWspro/bin/cc: not found

      • Error code 1

make: Fatal error: Command failed for target `snckrb5.o'

Current working directory /sapinst/sncadapt

      • Error code 1

make: Fatal error: Command failed for target `all'

0 Kudos
214

> I think that's try to compile with cc compiler and I've gcc compiler.

>

> srv-desar1# make

> ./build."`uname -s`" make do-all

> /opt/SUNWspro/bin/cc -Kpic -Xa -g -DXDEBUG=1 -c snckrb5.c

> sh: /opt/SUNWspro/bin/cc: not found

> *** Error code 1

> make: Fatal error: Command failed for target `snckrb5.o'

> Current working directory /sapinst/sncadapt

> *** Error code 1

> make: Fatal error: Command failed for target `all'

I'm not sure if gcc works. SAP libraries are compiled using cc/CC (Suns platform compiler). If only C is used in the libraries (which I don't know) it is possible that it works, if C++ comes into place you're pretty much lost.

I used Suns compiler (they are free, you can download and install them).

Markus

WolfgangJanzen
Product and Topic Expert
Product and Topic Expert
0 Kudos
214

>

> As per note :

>

> Note 150380 - Is MIT Kerberos 5 supported for use with SNC ?

>

> I think that is possible to use MIT Kerberos 5.

>

> Thank's

> Francesc

"Possible" - maybe.

But definitely "not supported by SAP" (in terms of "(7x24h) guaranteed service" - of course we will try to assist you if you run into problems which you cannot resolve yourself; but such (consulting) service will be charged separately).

Former Member
0 Kudos
214

Did you consider using a PKI? If so, you can use the SAP CryptoLib on your SAP servers. This route is well supported by SAP. You can then obtain the client software from [Secude|http://www.secude.com/]. Secude and SAP together developed the SNC interface...