Secure Login and trust between BO/BW

stanislav_sidnev
Explorer

Hi.

We configured server-side trust between BO and BW using libsapcrypto library. All works fine.

Now we are installing Secure Login (SAP NetWeaver Single Sign-On) for SSO from SAP GUI based on a Kerberos token. To configure Secure Login we need to modify profile parameters like

  snc/identity/as=p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU

  snc/gssapi_lib=/sapmnt/QBW/exe/libsapcrypto.so

which were already in use by the server-side trust between BO and BW. So when we modify them as in the installation guide for Secure Login to this:

  snc/identity/as=p:CN=SAP/KerberosSSO@OAO.SNG

  snc/gssapi_lib=/usr/sap/QBW/DVEBMGS20/SLL/libsecgss.sl

we can use SAP GUI SSO to BW but can't run reports from BO since we broke server-side trust.

We tried many different variations of using these two libraries (including fully regenerating the certificates on both BW and BO for server-side trust), but they all failed.

Any suggestions of how we can activate SAP NetWeaver Single Sign-On on our BW systems, without breaking server-side trust between BW and BO?

Thanks in advance

wbr

Stanislav

frane_milicevic
Advisor

Hi Stanislav,

The Secure Login Library (SAP NW SSO) is able to support Kerberos and X.509 technology in parallel.
Therefore it is a standard product feature of SAP NW SSO to enable Client-to-Server and Server-to-Server communication encryption using Kerberos tokens and/or X.509 certificates.
Please use the configuration as used for SAPCRYPTOLIB (snc/identity/as), but with the Secure Login Library (snc/gssapi_lib).

snc/identity/as=p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU 

snc/gssapi_lib=/usr/sap/QBW/DVEBMGS20/SLL/libsecgss.sl

The Secure Login Library is 100% compatible with SAPCRYPTOLIB. So if you want to set up an easy test, use SAPCRYPTOLIB on the BO side and the Secure Login Library on the BW side.

This scenario is supported too.

Best regards,

Frane

stanislav_sidnev
Explorer

Hi Frane,

first of all, thanks. We tested this scheme with SLL on BW and it works. I mean BO can still run reports.

But anyway, how can we configure our BW parameters now for using SSO based on a Kerberos token?

The SL Library guide tells us to use a specific snc/identity/as, and we use this: p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU.

We have the user KerberosSSO to provide SSO on all our systems, with the servicePrincipalNames

SAP/KerberosSSO

SAP/KerberosSSO@OAO.SNG

And we have the user qasbo under which we run BO.

What else do we need to modify to provide SSO for BW without breaking the server-side trust between BO and BW?

Thanks in advance

wbr

Stanislav

frane_milicevic
Advisor

Hi Stanislav,

good to hear it works 🙂

The only thing left is to configure the Kerberos keyTab in the Secure Login Library.

If not created, please create (on AS ABAP - BW) the Security Token Container (PSE.ZIP) with the (OS) command snc crtpse -x <password for the Security Token Container>

The next step is to create the keyTab for the servicePrincipalName SAP/KerberosSSO@OAO.SNG

Please use the following command to create the keyTab: snc crtkeytab -s SAP/KerberosSSO@OAO.SNG -p <password of your Service Account KerberosSSO>

Please keep in mind that you have to create the Service Account KerberosSSO and a servicePrincipalName for this account, SAP/KerberosSSO@OAO.SNG.

I assume you have done this 🙂

If not done, please install the Secure Login Client on the client OS and configure SAP GUI SNC for the Kerberos connection (SNC Name = p:CN=SAP/KerberosSSO@OAO.SNG).

The last issue is to configure the SNC Name User Mapping in AS ABAP --> SU01.

Please configure here the Kerberos User Name (e.g. p:CN=MicrosoftUser@OAO.SNG).

--> For the correct Kerberos User Name you can check the name displayed in the Secure Login Client 🙂

Further details are described in the Secure Login Library manual.

Cheers,

Frane

stanislav_sidnev
Explorer

Hi Frane,

we have installed SAP NW SSO on about 8 systems, so of course we did all the steps you described.

But here is the problem. We created the Kerberos keytab for servicePrincipalName=SAP/KerberosSSO@OAO.SNG

and you intend to use the same SNC name in SAP GUI SNC, but in the profile we still have the distinguished name:

p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU

and I think that is why we get the error with this text:

GSS-API(maj): No credentials were supplied

Unable to establish the security context

target="p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU"

So that is, and was, the question. Do we need to modify our profile parameter (maybe we should write SAP/KerberosSSO@OAO.SNG in X.509 format there and then remake all the trust connections between BO/BW)? Or do we need to add servicePrincipalNames to our Active Directory service user?

Thanks in advance,

wbr

Stanislav

frane_milicevic
Advisor

Hi Stanislav,

yes, if you want to use the Kerberos technology for SAP GUI to the AS ABAP system, you need to configure the Kerberos SNC name of the desired AS ABAP system in the SAP GUI configuration.

Best regards,

Frane

stanislav_sidnev
Explorer

Hello Frane.

As I said, we have already configured SAP NW SSO, including SAP GUI SNC.

But when we started configuring SSO in the BW system, we were faced with the fact that some of the profile parameters that we need to change were already in use, including snc/identity/as. So now we have SAP GUI SNC=p:CN=SAP/KerberosSSO@OAO.SNG as you wrote above, but in our BW profile we still have snc/identity/as=p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU (this is needed for BO), and upon logging on to the system this error occurs:

GSS-API(maj): No credentials were supplied

Unable to establish the security context

target="p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU"

wbr,

Stanislav

frane_milicevic
Advisor

Hi Stanislav,

are you able to create a support ticket (to have your configuration verified completely)?

From my point of view we should verify your configuration.

Here are some further hints (to be checked):

- The error message was provided by (SAP GUI / AS ABAP trace)?

- At the Secure Login Client, are you using X.509 certificates in parallel?

  Maybe try to right-click on the Kerberos profile (maybe an existing X.509 certificate is being used)?

- What are the versions you are using (Secure Login Client and Secure Login Library)?

Please provide this information in the support ticket too.

Best regards,

Frane

stanislav_sidnev
Explorer

Hi Frane,

I have already opened a ticket, and your colleague (if I can say so) sent me to the forum.

Message №371804.

About the questions:

1)

2) I don't understand this. I can only choose one type of profile for use with SAP applications. I selected the Kerberos token.

3) Secure Login Client Version: 1.0 Support Package: 3

    Secure Login Library Version: 1.0 Support Package: 2

wbr,

Stanislav

frane_milicevic
Advisor

Hi Stanislav,

thank you for the information. I will send you an email with further questions.

Afterwards we can provide the results here in the forum.

Best regards,

Frane

former_member266497
Discoverer

Hi Frane, Do we have a solution for the issue?

stanislav_sidnev
Explorer

Thanks, but this problem was resolved. Frane was very helpful in solving this problem, but it was beyond the forum.

He described a feature of the Secure Login Client that I did not know about.

"

Another possibility is implemented in Secure Login Client 1.0 SP02 Patch 03 and higher (current version is 1.0 SP03 Patch 02).

The Secure Login Client is able to "rebuild" the required SPN name (in your example p:CN=SAP/KerberosSSO@OAO.SNG).

  1. This means if the X.509 certificate SNC name is p:CN=KerberosSSO -> the Secure Login Client will rebuild p:CN=SAP/KerberosSSO@OAO.SNG

This works also if the X.509 certificate name is p:CN=KerberosSSO, OU=SAP Security, C=RU

Maybe this solution integration is easier for you? You can use the transaction STRUST to create a self-signed certificate.

"

Thanks again, Frane.
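The thread turns on two SNC names that must agree: the server identity in snc/identity/as (an X.509 distinguished name, kept for the BO trust) and the Kerberos name that SAP GUI targets (p:CN=SAP/KerberosSSO@OAO.SNG). When they differ, the client reports "No credentials were supplied" with the X.509 DN as target. The quoted resolution is that the Secure Login Client can "rebuild" the Kerberos name from the CN of the X.509 name. The following is an added example, not code from the original thread or from SAP: it parses SNC names, reconstructs the rebuild rule as described in the last post (the rule that the CN is prefixed with the service name and suffixed with the realm is an assumption taken from the thread's single example; realm and service prefix are passed in explicitly), and reports whether a given SAP GUI target can be satisfied by a given profile identity. It also builds the SU01 mapping name from Frane's second post. All sample values are the ones quoted in the thread.

```python
"""SNC name reconciliation for the BO/BW + Kerberos SSO case in this thread.

Added example; the 'rebuild' rule is an assumption reconstructed from the
thread's example (p:CN=KerberosSSO -> p:CN=SAP/KerberosSSO@OAO.SNG).
"""
from typing import List, Tuple


def parse_snc_name(name: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split 'p:CN=x, OU=y, C=z' into (prefix, [(type, value), ...]).

    Only the printable-name prefix 'p' used throughout the thread is accepted.
    Raises ValueError on malformed input instead of guessing.
    """
    prefix, sep, dn = name.partition(":")
    if not sep or prefix != "p":
        raise ValueError(f"unsupported or missing SNC name prefix in {name!r}")
    rdns: List[Tuple[str, str]] = []
    for part in dn.split(","):
        part = part.strip()
        attr, eq, value = part.partition("=")
        if not eq or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {name!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return prefix, rdns


def common_name(name: str) -> str:
    """Return the CN of an SNC name (first CN wins, as written in the profile)."""
    _, rdns = parse_snc_name(name)
    for attr, value in rdns:
        if attr == "CN":
            return value
    raise ValueError(f"no CN in SNC name {name!r}")


def is_kerberos_principal(cn: str) -> bool:
    """A Kerberos SNC name carries service/instance@REALM inside the CN."""
    return "/" in cn and "@" in cn


def rebuild_kerberos_name(x509_name: str, realm: str, service: str = "SAP") -> str:
    """Derive the Kerberos SNC name the client would target for an X.509 identity.

    Assumed rule from the thread: CN 'KerberosSSO' becomes 'SAP/KerberosSSO@REALM';
    extra RDNs (OU, O, C) are ignored. A CN that already is a principal is kept.
    """
    cn = common_name(x509_name)
    if is_kerberos_principal(cn):
        return f"p:CN={cn}"
    return f"p:CN={service}/{cn}@{realm}"


def check_gui_target(profile_identity: str, gui_target: str, realm: str) -> Tuple[bool, str]:
    """Decide whether SAP GUI's SNC target can be served by the AS ABAP identity.

    Returns (ok, reason). Exact match and match-after-rebuild both count; anything
    else is the mismatch behind 'Unable to establish the security context'.
    """
    if parse_snc_name(profile_identity) == parse_snc_name(gui_target):
        return True, "exact match"
    rebuilt = rebuild_kerberos_name(profile_identity, realm)
    if parse_snc_name(rebuilt) == parse_snc_name(gui_target):
        return True, f"match after rebuild ({rebuilt})"
    return False, f"target {gui_target!r} does not match server identity {profile_identity!r}"


def su01_snc_name(windows_user: str, realm: str) -> str:
    """SNC name to enter in SU01 for a Windows account (thread: p:CN=MicrosoftUser@OAO.SNG)."""
    return f"p:CN={windows_user}@{realm}"


if __name__ == "__main__":
    realm = "OAO.SNG"
    gui = "p:CN=SAP/KerberosSSO@OAO.SNG"
    # The failing configuration from the thread: BO's DN stays in the profile.
    print(check_gui_target("p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU", gui, realm))
    # The resolution: an X.509 identity whose CN the client can rebuild.
    print(check_gui_target("p:CN=KerberosSSO, OU=SAP Security, C=RU", gui, realm))
    print(su01_snc_name("MicrosoftUser", realm))
```

Run it as-is to see the thread's broken and fixed configurations side by side; the first check fails because the CN "QBW" rebuilds to SAP/QBW@OAO.SNG, not the SPN the keytab was created for, and the second succeeds even though the certificate DN carries OU and C attributes.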