2008 Jun 17 10:14 AM
Hi,
I've installed Kerberos v.5 1.5.4, for solaris 10. After that I would like to change the instance profile parameters, but I don't know whats the correct value for the parameter : snc/gssapi_lib.
I've read several documents where the value should be : /usr/local/lib/snckrb5.so
but this file doens't exist in my operative system.
Thank's in advanced
2008 Jun 17 11:11 AM
Francesc,
I don't know if you are aware, but the use of open source Kerberos libraries for SAP SNC is not supported by SAP. Instead, SAP recommend that you use Kerberos libraries available from a SAP partner company, so that the libraries are SAP certified and supported by the vendor.
To get a list of vendors who provide such a solution, you can visit http://www.sap.com/eapcatalog and search for "Kerberos SNC".
Take care,
Tim
2008 Jun 17 11:24 AM
As per note :
Note 150380 - Is MIT Kerberos 5 supported for use with SNC ?
I think that is possible to use MIT Kerberos 5.
Thank's
Francesc
2008 Jun 17 11:31 AM
Francesc,
I have worked with a very large number of companies who have (like yourself) attempted to use MIT Kerberos for SAP SNC. It often takes many weeks, or many months to get it working (sometimes they don't get it working and give up), and then they realise that they are not going to be supported by anybody. e.g. if a vulnerability is discovered in MIT Kerberos which needs to be fixed, there is nobody available in the company who has the skills or availability to patch the code and fix it. Also, if users cannot logon to SAP due to some issue with the MIT Kerberos library not working with Active Directory, there is nobody to ask for help, and get the system so that users can logon again...
Of course, the commercially available solutions don't suffer from the problems mentioned above, and they also have additional features which you can take advantage of (e.g. supporting workstations which are joined to domains which are untrusted, being able to logon to SAP using a different account to the account you initially logged onto Windows with ...).
So, in response to your last comment - yes, it is technically possible, but there are other issues to consider.
I hope this is useful.
Regards,
Tim
2008 Jun 18 3:09 PM
I see...
that thread is from 2004 - the links are no more valid. I'm on the way writing a blog about how to set that up and where to find the necessary software.
Markus
2008 Jun 18 3:14 PM
> I see...
>
> that thread is from 2004 - the links are no more valid. I'm on the way writing a blog about how to set that up and where to find the necessary software.
>
>
> Markus
Markus,
Which thread is from 2004 ? I don't see any mention of a thread ?
The software I refer to is commercially available, SAP certified and supported, not open source.
Thanks,
Tim
2008 Jun 18 3:31 PM
Sorry for confusion - a similar thread was pointing to
http://osdir.com/ml/encryption.kerberos.general/2004-11/msg00007.html
If yours is commercial software I would contact the vendor how to set it up, he developed the interface between the kerberos and the SAP software and he should be able to tell you how to configure the kerberos realms.
Markus
2008 Jun 18 3:36 PM
I've download the soft and follow the next steps :
2.2 Configuration of the external SAP SNC Adapter
-
1. Download bc_snc_adapter_101.zip from
http://www.sap.com/partners/icc/scenarios/technology/bc-snc.aspx
2. Unzip it:
unzip bc_snc_adapter_101.zip
3. Modify the provided sncadapt/Makefile:
XNAME = snckrb5
4. Modify the provided sncadapt/build.<your_UNIX_OS_name>:
VENLIB="-L/usr/local/lib -lgssapi_krb5"
5. Compile it:
cd sncadapt
make
6. Copy the resulting file snckrb5.so to /usr/local/lib:
cp snckrb5.so /usr/local/lib
7. You may need to comment out the function "sapgss_inquire_mechs_for_name"
in snckrb5.c because of compilation problems. Then repeat steps 5.-6.
But I've some problems with the compilation. Could you send me the file "snckrb5.so" for SOLARIS platform, please ?
Thank's in advanced
2008 Jun 18 3:36 PM
> Sorry for confusion - a similar thread was pointing to
>
> http://osdir.com/ml/encryption.kerberos.general/2004-11/msg00007.html
>
> If yours is commercial software I would contact the vendor how to set it up, he developed the interface between the kerberos and the SAP software and he should be able to tell you how to configure the kerberos realms.
>
> Markus
I think you might have been confused. Perhaps you posted this into wrong thread ? In this thread I was answering questions from Francesc. I am not the person who needs help with realms or Kerberos - I am the person providing the help and advice to the person who posted the question. I simply gave some reasons to Francesc why he should consider commercially available solution instead of wasting his time trying to make an open source solution work.
2008 Jun 18 3:41 PM
Hi Tim,
you're right - the original poster has various threads open with almost the same topic - I posted to the wrong thread and clicked "reply" at the wrong post - apologize.
Markus
2008 Jun 18 3:45 PM
> But I've some problems with the compilation. Could you send me the file "snckrb5.so" for SOLARIS platform, please ?
What problem do you have?
If you want to really go that way and use open source software, you (or someone close) should have an idea about makefiles and a bit of C knowledge - otherwise it's becoming quickly very cumbersome.
Markus
2008 Jun 18 3:55 PM
I think that's try to compile with cc compiler and I've gcc compiler.
srv-desar1# make
./build."`uname -s`" make do-all
/opt/SUNWspro/bin/cc -Kpic -Xa -g -DXDEBUG=1 -c snckrb5.c
sh: /opt/SUNWspro/bin/cc: not found
Error code 1
make: Fatal error: Command failed for target `snckrb5.o'
Current working directory /sapinst/sncadapt
Error code 1
make: Fatal error: Command failed for target `all'
2008 Jun 18 4:01 PM
> I think that's try to compile with cc compiler and I've gcc compiler.
>
> srv-desar1# make
> ./build."`uname -s`" make do-all
> /opt/SUNWspro/bin/cc -Kpic -Xa -g -DXDEBUG=1 -c snckrb5.c
> sh: /opt/SUNWspro/bin/cc: not found
> *** Error code 1
> make: Fatal error: Command failed for target `snckrb5.o'
> Current working directory /sapinst/sncadapt
> *** Error code 1
> make: Fatal error: Command failed for target `all'
I'm not sure if gcc works. SAP libraries are compiled using cc/CC (Suns platform compiler). If only C is used in the libraries (which I don't know) it is possible that it works, if C++ comes into place you're pretty much lost.
I used Suns compiler (they are free, you can download and install them).
Markus
2008 Jun 19 11:11 AM
>
> As per note :
>
> Note 150380 - Is MIT Kerberos 5 supported for use with SNC ?
>
> I think that is possible to use MIT Kerberos 5.
>
> Thank's
> Francesc
"Possible" - maybe.
But definitely "not supported by SAP" (in terms of "(7x24h) guaranteed service" - of course we will try to assist you if you run into problems which you cannot resolve yourself; but such (consulting) service will be charged separately).
2008 Jun 24 1:11 PM
Did you consider using a PKI? If so, you can use the SAP CryptoLib on your SAP servers. This route is well supported by SAP. You can then obtain the client software from [Secude|http://www.secude.com/]. Secude and SAP together developed the SNC interface...