Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
Laurence
Product and Topic Expert
Product and Topic Expert
4,112
Just providing another configuration example for connecting an internally signed corporate LDAPS server for authentication of Cloud Connector administrators.

 

Example Note:

  • This task will restart the Cloud Connector

  • LDAPS certificate signed by an internal CA. The current LDAPS server corp-ldap.myDomain.com:636 have this trust chain




  • load only the RootCA and IntermediateCA certificates to the Java Keystore

  • Export the RootCA and the IntermediateCA certs into .PEM files.


 

Steps:



  1. Make a backup of the SCC settings file first before starting. The file is /opt/sap/scc/config_master/org.eclipse.gemini.web.tomcat/default-server.xml



  1. Request a LDAP user created from your corporate LDAP admins. This is so that the SCC can login to ldap.
    In this example, the user create is ldapuser


           cn=ldapuser,dc=myDomain,dc=com

 

  1. Request a LDAP group sccadmin for SAP Cloud Connector in corporate LDAP and assigned the Administrator users.


           In this example the group created:

           cn=sccadmin,ou=Groups,dc=myDomain,dc=com

 

  1. Logon to SCC and click About to find where is the JRE. In this example, it is in /USR/SAP/sap_jvm_7.1.042/jre


         

  1. Login to the SCC operating system with an id with sudo access


 

  1. Switch to su


          sudo su –

 

  1. go to the location of the cacert file :


          cd /usr/java/sapjvm_7.1.042/jre/lib/security

 

  1. backup the cacert file


          cp cacerts cacerts.bak

 

  1. Import the certificates with these commands. Change the alias for each file.


         Eg:

         Adding RootCA
/usr/java/sapjvm_7.1.042/jre/bin/keytool -importcert -alias RootCA -keystore /usr/java/sapjvm_7.1.042/jre/lib/security/cacerts  -storepass "changeit" -file <certificateRootfile>

 

Adding Intermediate CA
         
/usr/java/sapjvm_7.1.042/jre/bin/keytool -importcert -alias IntermediateCA -keystore /usr/java/ sapjvm_7.1.042/jre/lib/security/cacerts  -storepass "changeit" -file <certificateIntermediatefile> 

 

  1. Restart SCC to load the cacerts (this will disconnect SCC)


          service scc_daemon restart

 

  1. Login to the SCC admin page and go to


         

  1. Click Authentication and check LDAP enter the following info and click save.


         Host:                  corp-ldap.myDomain.com:636      (ldap hostname and LDAPS port)

         Check the Secure button next to the host field to enable LDAPS.

         User Name:        cn=ldapuser,dc=myDomain,dc=com

         Password:           xxxxx

         Configuration:     roleBase="ou=Groups,dc=myDomain,dc=com" roleName="cn"

          roleSearch="(uniqueMember={0})"

          userPattern="uid={0},ou=Internal,ou=Users,dc=myDomain,dc=com"

 

         

        Make sure you enter the ldapuser  password too.

 

Notes about configuration section:

       You need to know how your ldap attributes are setup for your sccadmin role and your user

       attributes. You can find out using ldp query or other ldap query tools or check with your ldap       

       administrator since each setup my be different from the example above.

eg: my ldap group and it’s unique members (USERA,USERB,USERC):   

     


       roleBase = “ou=Groups,dc=myDomain,dc=com”

       roleName = “cn” (because it’s looking for a match for value = sccadmin)

       roleSearch = “uniqueMember={0}”

      This may be unique based on your ldap attributes, mine is uniqueMember but yours might be            MemberUID or members or etc. You need to validate your ldap attributes for the members in the        group. This is to search for the ldap user id who is logging into the system from the role.

 

      userPattern=”uid={0},ou=Internal,ou=Users,dc=myDomain,dc=com”

     This matches the pattern for my user eg:                                                                                           

      "uid=USERA,ou=Internal,ou=Users,dc=myDomain,dc=com”

 

     If you are using custom role instead of sccadmin, you need to make sure your roleBase is             

     matches your custom role, then add the new role name to the custom role section.  

     eg: if your new custom role is cn=scccustom,ou=newGroups,dc=myDomain,dc=com

    Then it would be

    roleBase = “ou=newGroups,dc=myDomain,dc=com”

    roleName = “cn”


    And enter "scccustom" in Administer Role field.

   


 

Please see below for more info on custom role

https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/120ceecfd84145a181ac160d588...

  1. Click ok when prompted this.


         

  1. Validate by logging in to Sap Cloud Connector with the user id that's in the sccadmin group.



Troubleshooting


 

To check the logs for errors, for example, SSL certs errors. Login to SCC and go to logs and select ljs_trace.log in the view.

Example trace of trust chain error:



Switching Cloud Connector Back to File-Based User Store without Administration UI


Reference:

https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/120ceecfd84145a181ac160d588...

 

In case the LDAP settings do not work as expected, you can revert back the settings.  To activate the file based user store, you’ll need to restart the cloud connector after changing the file.

Make a backup of the file first then manually edit the default-server.xml configuration file located at

/opt/sap/scc/config_master/org.eclipse.gemini.web.tomcat/default-server.xml

 

To revert to file-based user management, replace the file

/opt/sap/scc/config_master/org.eclipse.gemini.web.tomcat/default-server.xml with the one that was backed up previously.

 

If no backup then edit the file and  replace the Realmsection with the following:

<Realm className="org.apache.catalina.realm.LockOutRealm">  <Realm className="org.apache.catalina.realm.CombinedRealm">    <Realm X509UsernameRetrieverClassName="com.sap.scc.tomcat.utils.SccX509SubjectDnRetriever" className="org.apache.catalina.realm.UserDatabaseRealm" digest="SHA-256" resourceName="UserDatabase"/>    <Realm X509UsernameRetrieverClassName="com.sap.scc.tomcat.utils.SccX509SubjectDnRetriever" className="org.apache.catalina.realm.UserDatabaseRealm" digest="SHA-1" resourceName="UserDatabase"/>   </Realm></Realm>

 

Restart the cloud connectorservice,

Execute command: service scc_daemon restart

 

 

Reference


Cloud Connector help:

https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/120ceecfd84145a181ac160d588...

Frank Schuler have good blog on this:

https://blogs.sap.com/2016/08/19/secure-your-hana-cloud-connector-with-openssl-certificates-part-2/

https://blogs.sap.com/2017/03/12/use-ldap-for-your-sap-cloud-connector-authentication/

 

 

 
2 Comments