Here is another configuration example: connecting SAP Cloud Connector (SCC) administrator authentication to a corporate LDAPS server whose certificate is signed by an internal CA.
Example notes:
- This task restarts the Cloud Connector.
- The LDAPS certificate is signed by an internal CA. The LDAPS server in this example, corp-ldap.myDomain.com:636, presents a chain consisting of a Root CA and an Intermediate CA.
- Load only the Root CA and Intermediate CA certificates into the Java keystore (cacerts). The server certificate itself does not need to be imported; the JVM validates it against the CA chain.
- Export the Root CA and Intermediate CA certificates into .PEM files (one certificate per file).
Steps:
- Back up the SCC settings file before you start: /opt/sap/scc/config_master/org.eclipse.gemini.web.tomcat/default-server.xml
- Ask your corporate LDAP admins to create an LDAP service (bind) user for the SCC. The SCC binds with this user to search for users and groups, so read access is sufficient.
In this example the user created is ldapuser:
cn=ldapuser,dc=myDomain,dc=com
- Ask for an LDAP group sccadmin for the SAP Cloud Connector in the corporate LDAP and have the administrator users added to it.
In this example the group created is:
cn=sccadmin,ou=Groups,dc=myDomain,dc=com
- Log on to the SCC and click About to find the JRE location. In this example it is /usr/java/sapjvm_7.1.042/jre, which is the path used in the commands below.
- Log in to the SCC operating system with a user that has sudo access.
- Switch to root:
sudo su -
- Go to the directory of the cacerts file:
cd /usr/java/sapjvm_7.1.042/jre/lib/security
- Back up the cacerts file:
cp cacerts cacerts.bak
- Import the certificates with the following commands, using a different alias for each file. The default cacerts password is changeit; if it has been changed on your system, use that password instead. Import the Root CA first, then the Intermediate CA.
Eg:
Adding the Root CA:
/usr/java/sapjvm_7.1.042/jre/bin/keytool -importcert -alias RootCA -keystore /usr/java/sapjvm_7.1.042/jre/lib/security/cacerts -storepass "changeit" -file <certificateRootfile>
Adding the Intermediate CA:
/usr/java/sapjvm_7.1.042/jre/bin/keytool -importcert -alias IntermediateCA -keystore /usr/java/sapjvm_7.1.042/jre/lib/security/cacerts -storepass "changeit" -file <certificateIntermediatefile>
- Restart the SCC so the JVM loads the new cacerts (this disconnects the SCC):
service scc_daemon restart
- Log in to the SCC administration UI, go to the Authentication settings, select LDAP, enter the following information and click Save:
Host: corp-ldap.myDomain.com:636 (LDAP hostname and LDAPS port)
Check the Secure box next to the host field to enable LDAPS.
User Name: cn=ldapuser,dc=myDomain,dc=com
Password: the password of ldapuser (do not leave this empty)
Configuration: roleBase="ou=Groups,dc=myDomain,dc=com" roleName="cn"
roleSearch="(uniqueMember={0})"
userPattern="uid={0},ou=Internal,ou=Users,dc=myDomain,dc=com"
Notes about the configuration section:
You need to know how the LDAP attributes of your sccadmin group and of your user entries are set up. Find out with an LDAP query tool (ldp, ldapsearch or similar) or check with your LDAP administrator, since each setup may differ from the example above. The parameters are those of the Tomcat JNDIRealm that the Cloud Connector uses: {0} in userPattern is replaced with the login name, and {0} in roleSearch is replaced with the full DN of the user built from userPattern ({1} would be the login name).
Eg: my LDAP group and its unique members (USERA, USERB, USERC):
roleBase = "ou=Groups,dc=myDomain,dc=com"
roleName = "cn" (the attribute whose value is compared with the role name, here sccadmin)
roleSearch = "(uniqueMember={0})"
The membership attribute depends on your directory schema: mine is uniqueMember, yours might be member, memberUid or something else. Validate which attribute your groups use for their members, because this filter is what finds the groups (roles) of the user who is logging in. If the attribute stores login names rather than DNs (as posixGroup memberUid does), the filter must use {1} instead of {0}.
userPattern = "uid={0},ou=Internal,ou=Users,dc=myDomain,dc=com"
This matches the DN of my users, eg:
"uid=USERA,ou=Internal,ou=Users,dc=myDomain,dc=com"
If you use a custom role instead of sccadmin, make sure roleBase covers the container of your custom group, then enter the new role name in the custom role section.
Eg: if your custom group is cn=scccustom,ou=newGroups,dc=myDomain,dc=com, then
roleBase = "ou=newGroups,dc=myDomain,dc=com"
roleName = "cn"
and enter "scccustom" in the Administer Role field.
Please see the following for more information on custom roles:
https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/120ceecfd84145a181ac160d588...
- Click OK when prompted.
- Validate by logging in to SAP Cloud Connector with a user ID that is a member of the sccadmin group.
Troubleshooting
To check the logs for errors such as SSL certificate errors, log in to the SCC, go to Logs and select ljs_trace.log in the view.
Example trace of a trust chain error: a missing or incomplete CA chain in cacerts shows up in a Java trace as an SSLHandshakeException with the message "PKIX path building failed ... unable to find valid certification path to requested target", which means the JVM could not find the issuer of the server certificate among its trusted CAs.
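When that error appears, the question is whether the exported CA files really match the chain the server sends, and whether they landed in the cacerts the SAP JVM actually uses. The script below is an added example, not part of the original post or of SAP's tooling: it checks the server chain with OpenSSL against the exported CAs (the same validation the JVM performs), splits a PEM bundle into single-certificate files (keytool -importcert stores one trusted certificate per alias), and confirms the aliases are present after import. Paths, alias names and host are the ones from this post; the environment-variable overrides are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): verify the LDAPS trust chain and
# the cacerts import for the SAP JVM. Defaults are the values from this post;
# override via environment variables (assumed names). Run as root.
set -u

JRE=${JRE:-/usr/java/sapjvm_7.1.042/jre}
KEYSTORE="$JRE/lib/security/cacerts"
STOREPASS=${STOREPASS:-changeit}          # default cacerts password
LDAP_HOST=${LDAP_HOST:-corp-ldap.myDomain.com}
LDAP_PORT=${LDAP_PORT:-636}

# Number of certificates in a PEM file (0 for an empty or non-PEM file).
pem_cert_count() {  # file
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a PEM bundle into <prefix>-1.pem, <prefix>-2.pem, ... one cert each,
# because keytool -importcert stores a single trusted certificate per alias.
split_pem() {  # bundle prefix
  awk -v p="$2" '/^-----BEGIN CERTIFICATE-----/ { n++ }
                 n > 0 { print > (p "-" n ".pem") }' "$1"
}

# Print subject and issuer of one PEM certificate: the root is self-issued
# (subject == issuer); the intermediate's issuer is the root's subject.
pem_identity() {  # file
  openssl x509 -in "$1" -noout -subject -issuer
}

# Exit 0 if the server's chain validates against the given CA file. This is
# the check the JVM fails with "PKIX path building failed".
ldaps_chain_ok() {  # cafile
  openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -servername "$LDAP_HOST" \
    -CAfile "$1" -verify_return_error </dev/null 2>&1 \
    | grep -q 'Verify return code: 0 (ok)'
}

# Import one CA certificate under an alias, non-interactively.
import_ca() {  # alias file
  "$JRE/bin/keytool" -importcert -noprompt -trustcacerts -alias "$1" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -file "$2"
}

# Exit 0 if the alias exists in the cacerts the JVM loads on restart.
alias_present() {  # alias
  "$JRE/bin/keytool" -list -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -alias "$1" >/dev/null 2>&1
}

# Usage (after cp cacerts cacerts.bak):
#   cat RootCA.pem IntermediateCA.pem > chain.pem
#   ldaps_chain_ok chain.pem || echo "exported CAs do not validate the server chain"
#   pem_identity RootCA.pem; pem_identity IntermediateCA.pem
#   import_ca RootCA RootCA.pem && import_ca IntermediateCA IntermediateCA.pem
#   alias_present RootCA && alias_present IntermediateCA && echo "restart scc_daemon"
```

If ldaps_chain_ok fails while the files are correct, the server may not be sending the intermediate, in which case the JVM also needs it in cacerts, which is why the post imports both. If alias_present fails after a successful import, the keystore path belongs to a different JRE than the one shown under About.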
Switching Cloud Connector Back to File-Based User Store without Administration UI
Reference:
https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/120ceecfd84145a181ac160d588...
If the LDAP settings do not work as expected, you can revert them without the administration UI. The file-based user store becomes active only after you change the configuration file and restart the Cloud Connector.
The configuration file is
/opt/sap/scc/config_master/org.eclipse.gemini.web.tomcat/default-server.xml
To revert to file-based user management, replace this file with the copy you backed up before enabling LDAP.
If there is no backup, edit the file and replace the Realm section with the following:
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.CombinedRealm">
    <Realm X509UsernameRetrieverClassName="com.sap.scc.tomcat.utils.SccX509SubjectDnRetriever"
           className="org.apache.catalina.realm.UserDatabaseRealm" digest="SHA-256" resourceName="UserDatabase"/>
    <Realm X509UsernameRetrieverClassName="com.sap.scc.tomcat.utils.SccX509SubjectDnRetriever"
           className="org.apache.catalina.realm.UserDatabaseRealm" digest="SHA-1" resourceName="UserDatabase"/>
  </Realm>
</Realm>
Then restart the Cloud Connector service:
service scc_daemon restart
References
Cloud Connector help:
https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/120ceecfd84145a181ac160d588...
Frank Schuler has good blog posts on this:
https://blogs.sap.com/2016/08/19/secure-your-hana-cloud-connector-with-openssl-certificates-part-2/
https://blogs.sap.com/2017/03/12/use-ldap-for-your-sap-cloud-connector-authentication/