Single Sign On (SSO) Configuration for HANA DB Using Kerberos
This blog explains the steps for setting up Single Sign On (SSO) for the SAP HANA database with Kerberos.
SSO allows a user to log on only once and provides access to multiple systems and services without being asked to produce credentials again.
Kerberos is one of many ways for realizing SSO (other examples are SAML or X.509 certificates).
Step-by-Step Procedure
We have to create a service user representing the SAP HANA database in Active Directory, mapped to a Service Principal Name (SPN); then we have to create a keytab file for this SPN on the DB server. On the DB server we also need a krb5.conf file. Finally, we have to create an externally-mapped SAP HANA database user.
Prerequisite:
Make sure that the Kerberos client and server libraries are already installed on the HANA database server. To verify that the software requirements are met, run the following command:
rpm -qa | grep krb5
The version numbers don't have to match exactly, but should be above 1.6.3-132 to include important security patches.
Configuration steps:
1-> Hostname Resolution
On Linux there are several tools for hostname resolution. Some of them use DNS directly (dig, host, nslookup), while others (hostname)
To verify, run the following commands on the DB server:
hostname --fqdn         (this command gives the FQDN of the DB server)
hostname --ip-address   (this command gives the corresponding IP address)
2-> Set up a configuration file for the MIT Kerberos libraries, krb5.conf, on the database server, as in the following example of a standard Kerberos configuration:
# cat /etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
kdc = mykdc1.mydomain.com
kdc = mykdc2.mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
The [domain_realm] section covers only the mapping for the DB server's domain (it has nothing to do with the client domain(s)!). It is used in mutual authentication, when the SAP HANA database client authenticates the SAP HANA database server.
The domain part of the [domain_realm] mapping must consist of the domain name in its full length. If the FQDN of the DB server is hdbserver.subdomain.domain.com, then the [domain_realm] entries have to be
.subdomain.domain.com = DOMAIN.COM
subdomain.domain.com = DOMAIN.COM
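The two rules above (the mapping covers the DB server's own domain, and the domain part must be written out in full, in both its dotted and undotted form) are easy to get wrong by hand, and a wrong entry only shows up later as a failed mutual authentication. The following sh script is an added example, not part of the original post: it reads a krb5.conf, takes default_realm from [libdefaults], derives the domain from the server FQDN by dropping the host label, and checks that [domain_realm] maps both ".domain" and "domain" to that realm. That the mapping targets default_realm is an assumption of the example (the post's examples do so); a site mapping the server domain to another realm can pass the realm as the third argument. The krb5.conf it writes at the end is constructed sample input.

```sh
#!/bin/sh
# Added example (not from the original post): check that a krb5.conf maps the
# DB server's full domain to the realm, as step 2 requires.

# Print the value of <key> inside [<section>] of a krb5.conf-style file.
# Handles leading whitespace, "k=v" without spaces, and trailing comments.
krb5_conf_value() {
    # usage: krb5_conf_value <conf_file> <section> <key>
    awk -v sect="[$2]" -v key="$3" '
        { sub(/[#;].*/, ""); gsub(/=/, " = ") }        # strip comments, split k=v
        /^[ \t]*\[/ { insect = ($1 == sect); next }
        insect && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Verify the [domain_realm] mapping for a server FQDN: both ".domain" and
# "domain" must map to the realm, where "domain" is the FQDN minus its host label.
check_domain_realm() {
    # usage: check_domain_realm <conf_file> <server_fqdn> [realm]
    conf=$1; fqdn=$2
    realm=${3:-$(krb5_conf_value "$conf" libdefaults default_realm)}
    if [ -z "$realm" ]; then
        echo "no default_realm in $conf" >&2; return 1
    fi
    domain=${fqdn#*.}
    if [ "$domain" = "$fqdn" ]; then
        echo "$fqdn is not a fully qualified name" >&2; return 1
    fi
    rc=0
    for entry in ".$domain" "$domain"; do
        got=$(krb5_conf_value "$conf" domain_realm "$entry")
        if [ "$got" != "$realm" ]; then
            echo "missing or wrong [domain_realm] entry: $entry = $realm (found: '${got:-none}')" >&2
            rc=1
        fi
    done
    return $rc
}

# Self-check on a constructed krb5.conf (sample input, not a real site's file):
# the server is hdbserver.subdomain.domain.com, so the mapping must name
# subdomain.domain.com in full; an entry for domain.com alone would not pass.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[libdefaults]
    default_realm = DOMAIN.COM
[realms]
    DOMAIN.COM = {
        kdc = mykdc1.domain.com
    }
[domain_realm]
    .subdomain.domain.com = DOMAIN.COM
    subdomain.domain.com = DOMAIN.COM
EOF
check_domain_realm "$demo_conf" hdbserver.subdomain.domain.com && echo "domain_realm mapping OK"
rm -f "$demo_conf"
```

Run it as check_domain_realm /etc/krb5.conf "$(hostname --fqdn)" on the DB server after step 2; a non-zero exit with the missing entry printed on stderr is the cue to fix the file before touching the keytab.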
3-> Create an Active Directory user for the Kerberos authentication, or use an existing one.
The user should be created with the "password never expires" option.
(This may change based on your organization's structure.)
In my case I raised a request to the Windows Service Team.
Register the SPNs for this user:
- SPN for the HANA database (SQL access):
setspn -S hdb/<server_name_fqdn> <user>
- SPN for HANA XS (web access):
setspn -S HTTP/<server_name_fqdn> <user>
4-> Verify the Kerberos configuration using the <SID>adm user:
When using the kinit and klist utilities, we rely on the proper configuration of the Windows AD test user aduser1. Using kinit we try to authenticate the test user against the AD domain and obtain a TGT:
/usr/bin/kinit <SPN_user>@MYDOMAIN.COM
If it succeeds, it asks for the password of the SPN_user.
- The next command should be run immediately after the kinit command (it shows the ticket from the previous login).
Using klist we can see this ticket:
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: SPN_user@MYDOMAIN.COM
Valid starting Expires Service principal
02/18/13 15:25:58 02/19/13 01:26:02 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 02/19/13 15:25:58
5-> Create the keytab file. We will use ktutil on the Linux server (the HANA server); ktutil can be used to edit the keytab file.
First we need to discover the kvno (key version number) to use. To find it, run the following commands:
- Run kinit to get the TGT for the user (SPN_user):
For example: /usr/bin/kinit <SPN_user>@MYDOMAIN.COM
- Next run kvno to get the key version number:
kvno hdb/<server_name_fqdn>@MYDOMAIN.COM
The output shows the value as kvno = <n>.
-> If the kvno value is 3, we use kvno value 3 when creating the keytab file.
6-> Create the keytab file (this requires root because of the permissions of the keytab directory /etc):
In the shell run:
/usr/bin/ktutil
In ktutil run:
addent -password -p hdb/<server_name_fqdn>@MYDOMAIN.COM -k 3 -e rc4-hmac
wkt /etc/krb5.keytab
q
- Keytab for HANA XS (web access):
In the shell run:
/usr/bin/ktutil
In ktutil run:
addent -password -p HTTP/<server_name_fqdn>@MYDOMAIN.COM -k 3 -e rc4-hmac
wkt /etc/krb5.keytab
q
7-> Secure the keytab file. This step is mandatory; without it SSO will not work (requires root).
- Change the ownership of the file to <sid>adm:sapsys:
8-> Verify the keytab file using <SID>adm:
klist -k /etc/krb5.keytab -etK
The output should list both SPNs.
- Run kinit to get the TGT for the user from step 3 (SPN_user):
/usr/bin/kinit <SPN_user>@FQDN
For example: kinit <SPN_user>@MYDOMAIN.COM
- Next run the kvno command against the keytab:
/usr/lib/mit/bin/kvno -k /etc/krb5.keytab hdb/<hostname_fqdn>@MYDOMAIN.COM
/usr/lib/mit/bin/kvno -k /etc/krb5.keytab HTTP/<hostname_fqdn>@MYDOMAIN.COM
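Steps 5 to 8 form one short procedure that is easy to get subtly wrong: a kvno typed from memory, one of the two SPNs forgotten, or the keytab left readable by everyone on the host. The sh helpers below are an added example and not code from the original post. They discover the kvno from the output of the kvno command, print the ktutil commands for both SPNs with that value filled in, apply the ownership from step 7 (plus an owner-only file mode), and verify a klist -kte listing for both the hdb/ and HTTP/ principals against the expected kvno. Two deliberate departures from the commands above are choices of this example, not the post's: the default encryption type is aes256-cts-hmac-sha1-96 rather than rc4-hmac, because RC4 is deprecated for Kerberos (RFC 8429) and the AD service account can be enabled for AES through its supported encryption types; and the verification runs klist without -K, since -K writes the key bytes themselves to the terminal. The ktutil session is left interactive because addent -password prompts for the account password. The listing used in the self-check at the end is constructed sample input, and the paths and SID handling (<sid>adm derived by lower-casing the SID) are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): helpers for steps 5-8, keytab
# creation and verification for the HANA SQL (hdb/) and XS (HTTP/) SPNs.
# Assumptions: MIT Kerberos tools (kinit, kvno, ktutil, klist) are installed,
# steps 5-7 run as root, and the SPN account in AD is enabled for AES.

# Extract the key version number from `kvno` output, e.g.
#   hdb/hdbserver.mydomain.com@MYDOMAIN.COM: kvno = 3
kvno_from_output() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Step 5: obtain a TGT for the SPN account (prompts for its AD password),
# then ask the KDC for the current kvno of the hdb/ service principal.
discover_kvno() {
    # usage: discover_kvno <spn_user> <server_fqdn> <realm>
    kinit "$1@$3" || return 1
    kvno "hdb/$2@$3" | kvno_from_output
}

# Step 6: print the ktutil commands for both SPNs with the kvno filled in;
# paste them into an interactive /usr/bin/ktutil session.
print_ktutil_commands() {
    # usage: print_ktutil_commands <server_fqdn> <realm> <kvno> [enctype] [keytab]
    enctype=${4:-aes256-cts-hmac-sha1-96}   # example's default; the post uses rc4-hmac
    keytab=${5:-/etc/krb5.keytab}
    for svc in hdb HTTP; do
        echo "addent -password -p $svc/$1@$2 -k $3 -e $enctype"
    done
    echo "wkt $keytab"
    echo "q"
}

# Step 7: the keytab holds long-term keys; give it to <sid>adm:sapsys and
# make it readable by the owner only.
secure_keytab() {
    # usage: secure_keytab <SID> [keytab]
    sidadm="$(echo "$1" | tr 'A-Z' 'a-z')adm"
    keytab=${2:-/etc/krb5.keytab}
    chown "$sidadm:sapsys" "$keytab" && chmod 600 "$keytab"
}

# Check a `klist -kte` listing for one principal with the expected kvno.
# Data rows start with a numeric KVNO; the principal is matched as a whole
# field, so the timestamp format does not matter.
keytab_has_principal() {
    # usage: keytab_has_principal <listing_file> <principal> <kvno>
    awk -v princ="$2" -v want="$3" '
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++)
                if ($i == princ) { if ($1 == want) found = 1; else wrong = $1 }
        }
        END {
            if (found) exit 0
            if (wrong != "") print princ ": kvno " wrong " in keytab, expected " want
            else print princ ": not in keytab"
            exit 1
        }' "$1"
}

# Step 8: both SPNs must be present with the kvno found in step 5.
verify_keytab_listing() {
    # usage: verify_keytab_listing <listing_file> <server_fqdn> <realm> <kvno>
    rc=0
    for svc in hdb HTTP; do
        keytab_has_principal "$1" "$svc/$2@$3" "$4" || rc=1
    done
    return $rc
}

# Live variant of step 8, run as <sid>adm: list without -K so the key bytes
# are never written to the terminal or a scrollback buffer.
verify_keytab() {
    # usage: verify_keytab <server_fqdn> <realm> <kvno> [keytab]
    listing=$(mktemp)
    klist -kte "${4:-/etc/krb5.keytab}" > "$listing"
    verify_keytab_listing "$listing" "$1" "$2" "$3"; rc=$?
    rm -f "$listing"
    return $rc
}

# Self-check on a constructed `klist -kte` listing (sample, not captured from a host).
demo=$(mktemp)
cat > "$demo" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/18/2013 15:25:58 hdb/hdbserver.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 02/18/2013 15:26:10 HTTP/hdbserver.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
EOF
verify_keytab_listing "$demo" hdbserver.mydomain.com MYDOMAIN.COM 3 && echo "keytab listing OK"
print_ktutil_commands hdbserver.mydomain.com MYDOMAIN.COM 3
rm -f "$demo"
```

A typical run on the DB server is kv=$(discover_kvno SPN_user "$(hostname --fqdn)" MYDOMAIN.COM), then print_ktutil_commands with that kv, the interactive ktutil session, secure_keytab as root, and verify_keytab as <sid>adm; a kvno mismatch reported by the last step means the AD account's password was reset after the keytab was written, and the keytab has to be regenerated with the new kvno.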
9-> Create or change the user in HANA.
Under Authentication, tick the Kerberos checkbox and in External ID enter the value <user_name_AD>@FQDN.
10-> Create a connection in HANA Studio with SSO.
Create the system in HANA Studio. At the user and password step, choose "Authenticated by current OS user".
11-> Try to log in using the connection created in the previous step.
For Reference:
Kerberos / Active Directory
For background information on Kerberos or Active Directory troubleshooting, the following web sites may be helpful:
Whitepaper AD/Kerberos Troubleshooting:
https://wiki.wdf.sap.corp/wiki/download/attachments/1180221073/Troubleshooting_Kerberos_Errors.DOC?v...
Switch on Windows System Event Log for Kerberos:
http://support.microsoft.com/kb/262177/en-us
Things to check when Kerberos authentication fails using IIS/IE…:
http://blogs.msdn.com/b/friis/archive/2009/12/31/things-to-check-when-kerberos-authentication-fails-...
SAP HANA Database
Regards,
Sumit