Application Development Discussions
SPNego configuration with Active Directory as UME datasource

rdiger_hckel
Participant
0 Kudos

Hello,

just as described in the blog by Mr. Holger Bruchelt

[https://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/8235] [original link is broken]

I would like to connect an Active Directory server (running on Windows Server 2003)

as a UME datasource to a J2EE Engine NW7.0 (running on iSeries) in order to enable SSO login.

In the step "Connect the UME" I have the problem that the desired configuration

file "dataSourceConfiguration_ads_readonly_db_with_krb5.xml" cannot be selected, as the relevant fields are greyed out.

SAP note 994791 is known.

Kind regards

Rüdiger Höckel

apetito AG


rdiger_hckel
Participant
0 Kudos

Here is some additional information:

According to SAP note 718383 changing an existing datasource configuration "dataSourceConfiguration_abap.xml" is not possible.

But my aim is to connect an ADS server as datasource

(dataSourceConfiguration_ads_readonly_db_with_krb5.xml).

Can I use my existing J2EE Engine at all?

The system has evolved like this:

BW 3.5 installation, upgrade to NW2004s, then Java Add In-Installation.

Or is it necessary to install an additional java instance?

I have just experimented a bit:

In the Offline-Configtool the UME Property "Global server configuration ->

services -> com.sap.security.core.ume.service ->

ume.persistence.data_source_configuration" changed like this:

OLD: dataSourceConfiguration_abap.xml

NEW: dataSourceConfiguration_ads_readonly_db_with_krb5.xml

Then I restarted the J2EE cluster.

Result: the server0 process does not start anymore.

But at least now I could enter some values for the LDAP server (in the Offline-Configtool),

choose values from the drilldown list for the several configuration files and so on...

-> but is this the correct way at all?

Kind regards

Rüdiger Höckel

apetito AG

0 Kudos

Hi,

have you checked SAP Note 1082560 - SAP AS Java can not start after running SPNego wizard?

Have you checked this blog: ?

Fabien.

0 Kudos

Hello Fabien,

thanks for your quick reply.

The problem is that I don't want to start the SPNego wizard before I can enter the LDAP information in the offline configtool.

It's not the SPNego wizard that has an error.

I can't use the "Part 2" of the blog (Configuring and troubleshooting SPNego)


because nothing has been set up so far.

First of all I need to know whether I can use my existing system or not.

Kind regards

Rüdiger Höckel

0 Kudos

Ok.

What I would do is cancel the step that makes your system dysfunctional, and try to set up the wizard without this step.

The krb5 xml file is there if you use Active Directory as a datasource, no? I am not sure that you have to use this xml file as your data source is Java, but I am not 100% sure.

Fabien.

0 Kudos

Hi Rüdiger,

Did you only change the data source configuration file? Does the guest user exist in either the database or on the LDAP? Did you configure the LDAP communication user?

According to SAP, you should actually reinstall your AS Java, then follow the procedure for changing the data source to LDAP. You will have a cleaner install that way.

-Michael

rdiger_hckel
Participant
0 Kudos

Hi Michael,

thanks for your answer.

I think I have found the reason for my problem:

The AS Java was installed as an Add-On into an existing AS-ABAP.

According to

Selecting the UME Data Source

I didn't have the choice to select the database of the AS Java as a usage type (AS-Java).

So: "once you have selected a data source other than the AS Java database, you cannot change the data source of the UME."

And that is basically what is written in SAP note 718383:

"dataSourceConfiguration_abap.xml

No change is possible.

This configuration supports all usages (especially SAP Exchange Infrastructure and SAP Enterprise Portal) by making ABAP users and ABAP roles available as users and groups in the UME, and supports the creation of new groups in the UME (which are then stored in the local database) as well.

...

Changes different from those explicitly described above are not supported."

OK, so is there still a way to connect an LDAP server to my (Add-on) AS Java with usage type AS-ABAP?

Can I install a second AS Java?

I can't re-install the existing AS Java as it is already in productive Use (EP Portal).

Maybe someone directly from SAP can shed a little light on this?

Kind regards,

Rüdiger Höckel

0 Kudos

Hi Rüdiger,

It all depends on what you want to do. You installed the AS Java as an Add-in to take advantage of the existing user base in your AS ABAP and to access the resources of the AS ABAP from a portal.

OK, but now you want to do something about SSO and enable kerberos logon. For this you need the kerberos principal name from your ADS. OK, authentication is not my strong suit, but here are some ideas you can try. By the way in SAP NetWeaver 7.1 there is a configuration to log on to the AS Java using logon data from an LDAP, but still use the backend AS ABAP. See Configuring the UME for Directory Service Sync with AS ABAP for details. However, since you are still using 7.0, let's stick with that for now.

1. Use the LDAP Sync of the AS ABAP function to synchronize the user data of the AS ABAP and your ADS. You must populate the AS ABAP user records with the kerberos principal name. Which ABAP field you populate with this value I am not sure. You would then have to adapt the following procedure to get this data into your AS Java: Configuring the UME when Using Non-ADS Data Sources.

2. Set up a second AS Java and portal with the ADS as the datasource. Then migrate your users from the old one to the new one. Unfortunately, the users have different user IDs on the AS Java and the AS ABAP, so you would have to maintain user mapping between the two systems.

3. Use SAP NetWeaver Identity Management Identity Center to distribute the user data between the systems.

Unfortunately this kind of configuration is not well documented. I will see if I can find someone who can comment on this kind of setup.

-Michael
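Option 1 above depends on every user record carrying a Kerberos principal name that matches the realm the AS Java's SPNego configuration trusts. The following is an added example, not code from this thread, from SAP or from the blog referenced above: a precheck over an AD user export that reports which accounts are SPNego-ready and which are not. It assumes a constructed LDIF export (the sample data is made up), a hypothetical Kerberos realm EXAMPLE.COM, and that the UME logon ID is taken from sAMAccountName while the principal is derived from userPrincipalName; adjust those assumptions to match the attribute mapping in your own data source configuration.

```python
"""Precheck of AD user entries before enabling SPNego logon.

Added example (not from the thread). Assumptions, not from the page:
- the AS Java's Kerberos realm is EXAMPLE.COM (KRB_REALM below);
- the UME logon ID is mapped to sAMAccountName;
- the SPNego principal is derived from userPrincipalName.
"""

# Assumption: the realm configured for the AS Java (realms are written upper-case).
KRB_REALM = "EXAMPLE.COM"

# Constructed sample export in LDIF form; none of these accounts are real.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=example,DC=com
sAMAccountName: alice
userPrincipalName: alice@example.com

dn: CN=Bob Example,OU=Users,DC=example,DC=com
sAMAccountName: bob

dn: CN=Carol Example,OU=Users,DC=example,DC=com
sAMAccountName: carol
userPrincipalName: carol@other.example.net

dn: CN=Alice Duplicate,OU=Svc,DC=example,DC=com
sAMAccountName: ALICE
userPrincipalName: alice2@example.com
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' per line.

    Line folding and base64 values are not handled; sufficient for a plain export
    such as the constructed sample above.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def check_spnego_readiness(entries, realm=KRB_REALM):
    """Return the usable logon-ID -> principal mapping plus a list of problems.

    Problems reported:
    - missing sAMAccountName (no UME logon ID at all);
    - duplicate logon IDs (UME logon IDs are unique, case-insensitively);
    - missing userPrincipalName (nothing to match the Kerberos ticket against);
    - UPN suffix that is not the configured realm (ticket would name a foreign realm).
    """
    principals, problems, seen = {}, [], set()
    for entry in entries:
        logon_id = entry.get("sAMAccountName", "")
        upn = entry.get("userPrincipalName")
        if not logon_id:
            problems.append((entry.get("dn", "?"), "missing sAMAccountName"))
            continue
        key = logon_id.lower()
        if key in seen:
            problems.append((logon_id, f"duplicate logon id {key}"))
            continue
        seen.add(key)
        if not upn or "@" not in upn:
            problems.append((logon_id, "missing userPrincipalName"))
            continue
        user, domain = upn.rsplit("@", 1)
        if domain.upper() != realm.upper():
            problems.append((logon_id, f"realm mismatch: {domain.upper()}"))
            continue
        # Normalise to the form the Kerberos ticket will carry: user@REALM.
        principals[logon_id] = f"{user}@{realm.upper()}"
    return {"principals": principals, "problems": problems}


if __name__ == "__main__":
    result = check_spnego_readiness(parse_ldif(SAMPLE_LDIF))
    for logon_id, principal in result["principals"].items():
        print(f"ready    {logon_id:8} -> {principal}")
    for logon_id, reason in result["problems"]:
        print(f"problem  {logon_id:8} : {reason}")
```

Run it against a real export only after replacing the sample and the realm; accounts listed under "problem" are the ones that will fail SPNego logon or collide in the UME regardless of which of the three options you choose.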

rdiger_hckel
Participant
0 Kudos

Hello,

it seems like I have found the correct blog for me (also by Holger Bruchelt):

So I will try to do these steps.

Kind regards,

Rüdiger Höckel