on 2012 May 31 4:35 AM
Hi.
We configured server-side trust between BO and BW using libsapcrypto library. All works fine.
Now we are installing Secure Login (SAP NetWeaver Single Sign-On) for SSO from SAP GUI based on a Kerberos token. To configure Secure Login we need to modify profile parameters like
snc/identity/as=p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU
snc/gssapi_lib=/sapmnt/QBW/exe/libsapcrypto.so
which are already in use by the server-side trust between BO and BW. So when we modify them as in the installation guide for Secure Login to this:
snc/identity/as=p:CN=SAP/KerberosSSO@OAO.SNG
snc/gssapi_lib=/usr/sap/QBW/DVEBMGS20/SLL/libsecgss.sl
we can use SAP GUI SSO to BW but can't run reports from BO since we broke server-side trust.
We tried many different variations of using these two libraries (including fully regenerating certificates both on BW and BO for server-side trust) but they all failed.
Any suggestions of how we can activate SAP NetWeaver Single Sign-On on our BW systems, without breaking server-side trust between BW and BO?
Thanks in advance
wbr
Stanislav
Hi Stanislav,
Secure Login Library (SAP NW SSO) is able to support Kerberos and X.509 technology in parallel.
Therefore it is a standard product feature of SAP NW SSO to enable Client-to-Server and Server-to-Server communication encryption using Kerberos Tokens and/or X.509 Certificates.
Please use the configuration as used for SAPCRYPTOLIB (snc/identity/as) but with Secure Login Library (snc/gssapi_lib).
snc/identity/as=p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU
snc/gssapi_lib=/usr/sap/QBW/DVEBMGS20/SLL/libsecgss.sl
Secure Login Library is 100% compatible with SAPCRYPTOLIB. So if you want to set up an easy test, use SAPCRYPTOLIB on the BO side and Secure Login Library on the BW side.
This scenario is supported too.
Best regards,
Frane
Hi Frane,
first of all - thanks. We tested this scheme with SLL on BW and it works. I mean BO still can run reports.
But anyway - how can we configure our BW parameters now for using SSO based on Kerberos token?
The SL Library guide says to use a specific snc/identity/as, and we use this one: p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU.
We have user KerberosSSO to provide SSO on all our systems with servicePrincipalNames
SAP/KerberosSSO
And we have user qasbo under which we run BO.
What else do we need to modify to provide SSO for BW without breaking the server-side trust BO/BW?
Thanks in advance
wbr
Stanislav
Hi Stanislav,
good to hear it works 🙂
The only thing left is to configure the Kerberos keyTab in Secure Login Library.
If not created, please create (on AS ABAP - BW) the Security Token Container (PSE.ZIP) with the command (OS) snc crtpse -x <password for the Security Token Container>
The next step is to create the keyTab for the servicePrincipalName SAP/KerberosSSO@OAO.SNG
Please use the following command to create the keyTab: snc crtkeytab -s SAP/KerberosSSO@OAO.SNG -p <password of your Service Account KerberosSSO>
Please keep in mind that you must have created the Service Account KerberosSSO and a servicePrincipalName SAP/KerberosSSO@OAO.SNG for this account.
If not done please install Secure Login Client on the client OS and configure SAP GUI SNC for Kerberos connection (SNC Name = p:CN=SAP/KerberosSSO@OAO.SNG).
The last issue is to configure the SNC Name User Mapping in AS ABAP --> SU01.
Please configure the Kerberos User Name here (e.g. p:CN=MicrosoftUser@OAO.SNG).
--> For correct Kerberos User Name you can check the name displayed in Secure Login Client 🙂
Further details are described in the Secure Login Library manual.
Cheers,
Frane
Hi Frane,
we installed SAP NW SSO on something like 8 systems, so of course we did all the steps you described.
But here is the problem. We created the Kerberos keytab for servicePrincipalName=SAP/KerberosSSOatOAO.SNG
and you intend to use the same SNC Name in SAP GUI SNC, but in the profile we still have the distinguished name:
p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU
and I think that's why we get this error:
GSS-API(maj): No credentials were supplied
Unable to establish the security context
target="p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU"
So that is and was the question. Do we need to modify our profile parameter (maybe we should write SAP/KerberosSSOatOAO.SNG in X.509 format there and then remake the whole trust connection between BO/BW)? Or do we need to add servicePrincipalNames to our Active Directory service user?
Thanks in advance,
wbr
Stanislav
Hello Frane.
As I said we configured SAP NW SSO already. Including SAP GUI SNC.
But when we started configuring SSO in the BW system, we were faced with the fact that some of the profile parameters we need to change were already in use, including snc/identity/as. So now we have SAP GUI SNC=p:CN=SAP/KerberosSSO@OAO.SNG as you wrote above, but in our BW profile we still have snc/identity/as=p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU (this is needed for BO), and when logging on to the system this error occurs:
GSS-API(maj): No credentials were supplied
Unable to establish the security context
target="p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU"
wbr,
Stanislav
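As an added diagnostic (not from the thread and not SAP's own tooling), the script below parses the snc/* profile parameters and the GSS-API error block quoted above and reports the mismatch behind this symptom: the SAP GUI client holds a Kerberos SPN name while the server presents only an X.509 distinguished name. The profile fragment and trace excerpt are constructed from the values in the thread.

```python
import re
# Constructed instance profile fragment, using the values quoted in the thread.
PROFILE = """\
snc/identity/as = p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU
snc/gssapi_lib = /usr/sap/QBW/DVEBMGS20/SLL/libsecgss.sl
"""
# Constructed trace excerpt, shaped like the error block posted above.
TRACE = """\
GSS-API(maj): No credentials were supplied
Unable to establish the security context
target="p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU"
"""

def parse_profile(text):
    """Return the snc/* parameters of an instance profile as a dict."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*(snc/[\w/]+)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def parse_gss_error(text):
    """Extract the GSS-API major status text and the SNC target name from a trace."""
    maj = re.search(r"GSS-API\(maj\):\s*(.+)", text)
    target = re.search(r'target="([^"]+)"', text)
    return (maj.group(1).strip() if maj else None, target.group(1) if target else None)

def name_kind(snc_name):
    """Classify an SNC name: Kerberos SPN (service/host@REALM) or X.509 DN."""
    cn = snc_name.split("CN=", 1)[-1]
    if "@" in cn and "/" in cn.split("@")[0]:
        return "kerberos"
    if re.search(r",\s*(OU|O|C)=", snc_name):
        return "x509"
    return "unknown"

def check_snc(profile_text, gui_snc_name, trace_text=""):
    """Findings: loaded library, client/server name-type mismatch, trace target."""
    p = parse_profile(profile_text)
    lib = p.get("snc/gssapi_lib", "")
    findings = ["library: " + ("Secure Login Library" if "libsecgss" in lib else "SAPCRYPTOLIB")]
    identity = p.get("snc/identity/as", "")
    if name_kind(identity) != name_kind(gui_snc_name):
        findings.append("mismatch: client uses a %s name, server presents a %s name"
                        % (name_kind(gui_snc_name), name_kind(identity)))
    maj, target = parse_gss_error(trace_text)
    if maj and target == identity and name_kind(target) == "x509":
        findings.append("trace: '%s' while targeting the X.509 identity" % maj)
    return findings
```

Running check_snc(PROFILE, "p:CN=SAP/KerberosSSO@OAO.SNG", TRACE) yields three findings; with the X.509 DN as the client name only the library line remains.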
Hi Stanislav,
are you able to create a support ticket (to verify your configuration completely)?
From my point of view we should verify your configuration.
Here are some further hints (to be checked):
- The error message was provided by (SAP GUI / AS ABAP trace)?
- At Secure Login Client, are you using X.509 certificates in parallel?
Maybe try to right-click on the Kerberos profile (maybe an existing X.509 certificate is being used)?
- What versions are you using (Secure Login Client and Secure Login Library)?
Please provide this information in the support ticket too.
Best regards,
Frane
Hi Frane,
I opened a ticket already and your colleague (if I can say so) has sent me to the forum.
Message №371804.
As for the questions:
1)
2) Don't understand this. I can only choose 1 type of profiles for using for SAP applications. Selected Kerberos token.
3) Secure Login Client Version: 1.0 Support Package: 3
Secure Login Library Version: 1.0 Support Package: 2
wbr,
Stanislav
Thanks, but this problem was resolved. Frane was very helpful in solving this problem, but it was beyond the forum.
He described the possibility of Secure Login Client that I did not know.
"
Another possibility is implemented in Secure Login Client 1.0 SP02 Patch 03 and higher (current version is 1.0 SP03 Patch 02).
Secure Login Client is able to “rebuild” the required SPN Name (in your example p:CN=SAP/KerberosSSO@OAO.SNG).
This works also if the X.509 certificate name is p:CN=KerberosSSO, OU=SAP Security, C=RU
Maybe this solution integration is easier for you? You can use the transaction STRUST to create a self-signed certificate.
"
Thanks again, Frane.