Connection to a double-stack system when the TGT is expired

Former Member
0 Kudos

Hi all,

In a double-stack system with kernel 7.0 running on an IBM i platform, I implemented the following:

- Kerberos for SAP GUI authentication

and

- Kerberos Authentication for Single Sign-On on the SAP Web AS Java (using SAP note 994791 - SPNego Wizard).

The user SAPJSF was enabled for SNC since the Java AS connects to the ABAP AS using this user. The SNC identity for SAPJSF was set as the service principal name used for the SAP system (i.e., p:SAPService<SID>/<domain>@<REALM>).

The 'kinit' command was added to the START profile as follows:

SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/QOpenSys/usr/bin/kinit' '-k' '-r' '7d' 'SAPService<SID>/<domain>@<REALM>')) JOB(KINIT) USER(<SID><nn>)

When the system is started (and the 'kinit' command added to the START profile is executed), the users can log in to ABAP (via SAP GUI / SNC) and Java (via the browser) without entering their user and password.

But, 10 hours after the system is started, the users trying to log in to Java are prompted to enter their credentials. The ABAP users can still connect without entering their credentials.

The 'Maximum lifetime for user ticket' kerberos policy is set to 10. I assumed the TGT expires after this value is reached.

To circumvent the issue on the Java stack, I scheduled the 'kinit' command so that the TGTs are renewed every 8 hours, as follows:

CALL PGM(QP2SHELL) PARM('/QOpenSys/usr/bin/kinit' '-R' 'SAPService<SID>/<domain>@<REALM>')

Can anyone out there tell me why the expired TGTs affect only the connection to the Java stack? Why is SSO still working for the ABAP stack even after the TGT is expired?

I have this problem with double-stack systems only. For ABAP systems, kinit is scheduled just once a day. For standalone Java systems, kinit is not required.

The following is the cache file content in the /var/krb5/security/creds directory:

Ticket cache: FILE:krb5cc_1151
Default principal: SAPService<SID>/<domain>@<REALM>

Valid starting     Expires            Service principal
12/08/09 06:00:01  12/08/09 16:00:01  krbtgt/<domain>@<REALM>
        Renew until 12/13/09 15:23:55, Flags: RIA
        Addresses: (none)
12/08/09 06:04:49  12/08/09 16:00:01  SAPService<SID>/<domain>@<REALM>
        Renew until 12/13/09 15:23:55, Flags: RA
        Addresses: (none)

Thanks in advance.

Regards,

Hugo

Edited by: Hugo Villa Romero on Dec 8, 2009 8:34 PM
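Added example, not part of the thread or of the IBM documents it cites: a shell check for the renewal schedule described in the post above. It parses a klist listing in the format shown there (MM/DD/YY times), treats an already-expired TGT as not renewable (the KDC will not renew an expired ticket, which is why renewing every 8 hours under a 10-hour lifetime works), and falls back to a fresh keytab-based kinit -k once the 7-day renewable lifetime (the "Renew until" line) is nearly used up, which kinit -R alone cannot extend. The cache path, keytab path, the two-hour margin and the MIT-style kinit/klist options -c and -t are assumptions; the sample listings are constructed test input.

```shell
#!/bin/sh
# Added example, not from the thread: decide from `klist` output whether the
# SAPService<SID> TGT is still good, must be renewed (kinit -R), or must be
# re-acquired from the keytab (kinit -k). CACHE, KEYTAB, MARGIN and the kinit
# options (-c, -t, MIT style) are assumptions; adjust them to your PASE install.

CACHE=${CACHE:-FILE:/var/krb5/security/creds/krb5cc_1151}
PRINC=${PRINC:-'SAPService<SID>/<domain>@<REALM>'}
KEYTAB=${KEYTAB:-/etc/krb5/krb5.keytab}      # assumed path
MARGIN=${MARGIN:-7200}                         # act when < 2h of life remains

# "MM/DD/YY HH:MM:SS" (klist's format on the page) -> seconds since 1970-01-01,
# with the timestamp read as UTC. Feed `date` output through the same function
# so the local offset cancels (a DST switch can shift the result by an hour).
to_epoch() {
    printf '%s\n' "$1" | awk -F'[/ :]' '{
        m = $1 + 0; d = $2 + 0; y = 2000 + $3
        if (m <= 2) { y--; m += 12 }          # days-from-civil (Howard Hinnant)
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m - 3) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        days = era * 146097 + doe - 719468
        printf "%d\n", days * 86400 + $4 * 3600 + $5 * 60 + $6
    }'
}

# $1 = klist output, $2 = now (epoch from to_epoch). Prints ok|renew|init.
#   init  : no krbtgt, ticket already expired (an expired TGT cannot be renewed),
#           not renewable, or renewing would not buy a full MARGIN before
#           "Renew until" (the -r 7d window is used up): run kinit -k again.
#   renew : still valid but inside MARGIN of expiry, and renewable: kinit -R.
#   ok    : nothing to do.
tgt_action() {
    now=$2
    set -- $(printf '%s\n' "$1" | awk '
        /krbtgt\// { exp_d = $3; exp_t = $4; found = 1; next }
        found && /Renew until/ { sub(/,$/, "", $4); print exp_d, exp_t, $3, $4, $NF; exit }
        found && NF > 0 { print exp_d, exp_t, "-", "-", "-"; exit }')
    if [ $# -lt 5 ]; then echo init; return 0; fi
    expires=$(to_epoch "$1 $2")
    if [ "$3" = "-" ]; then renew_until=0; else renew_until=$(to_epoch "$3 $4"); fi
    case $5 in *R*) renewable=1 ;; *) renewable=0 ;; esac
    if [ "$now" -ge "$expires" ]; then
        echo init
    elif [ "$now" -lt $((expires - MARGIN)) ]; then
        echo ok
    elif [ "$renewable" -eq 1 ] && [ $((now + MARGIN)) -lt "$renew_until" ]; then
        echo renew
    else
        echo init
    fi
}

# Apply the decision to the real cache; this is what a scheduled job would call
# (needs kinit/klist in PATH, run as the user that owns the cache).
refresh_tgt() {
    now=$(to_epoch "$(date '+%m/%d/%y %H:%M:%S')")
    case $(tgt_action "$(klist -c "$CACHE" 2>/dev/null)" "$now") in
        renew) kinit -c "$CACHE" -R "$PRINC" ;;
        init)  kinit -c "$CACHE" -k -t "$KEYTAB" -r 7d "$PRINC" ;;
        ok)    : ;;
    esac
}

# Constructed sample: the cache listing from the post, line breaks restored.
SAMPLE_CACHE='Ticket cache: FILE:krb5cc_1151
Default principal: SAPService<SID>/<domain>@<REALM>

Valid starting     Expires            Service principal
12/08/09 06:00:01  12/08/09 16:00:01  krbtgt/<domain>@<REALM>
        Renew until 12/13/09 15:23:55, Flags: RIA
        Addresses: (none)
12/08/09 06:04:49  12/08/09 16:00:01  SAPService<SID>/<domain>@<REALM>
        Renew until 12/13/09 15:23:55, Flags: RA
        Addresses: (none)'

# Constructed sample: the last renewal before "Renew until", where kinit -R
# can no longer extend the ticket and only kinit -k helps.
SAMPLE_LAST='Valid starting     Expires            Service principal
12/13/09 05:23:55  12/13/09 15:23:55  krbtgt/<domain>@<REALM>
        Renew until 12/13/09 15:23:55, Flags: RIA'
```

Schedule refresh_tgt in place of the fixed 8-hour kinit -R job: the decision logic runs offline against the listings above, and the real refresh only differs in taking its input from klist. Run it as the <sid><nn> user that owns the cache, since a cache created by another user is the per-UID file the work processes will not find.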

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

Hugo,

I have a few comments for you, which may help:

1. When using Kerberos with SNC you do not need to use kinit, since the work process will initialize and call GSS-API functions to acquire a TGT using the key in the keytab file. If the Kerberos library has correct implementation of GSS token lifetime, then the work process will get a new TGT when it re-initializes. This TGT is requested and cached on server, but not used when user logs onto SAP via SAP GUI. When user logs on via SAP GUI, the TGT is used on Windows workstation, and server only needs to access the key in keytab to decrypt the users GSS token sent by SAP GUI.

2. If you are using SPNEGO to logon to Java stack, then this also will not require a TGT on server. In this case, the TGT is cached on workstation and browser uses it to get a HTTP/<hostname> service ticket from the domain when a user logs on via browser.

3. If you are using SNC between Java and ABAP and this is where you are having problems, I am wondering why you don't let the GSS-API library which is used by Java engine get this TGT "on demand" so that you don't need to get the TGT outside of Java stack.

Thanks,

Tim

8 REPLIES

Former Member
0 Kudos

Hi Tim,

Thanks for your prompt answer.

1. If I don't use kinit at the start, all wps are killed with the following error:

N SncInit(): Initializing Secure Network Communication (SNC)
N IBM iSeries with OS400 (st,ascii,SAP_UC/size_t/void* = 8/64/64)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)
N File "/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:SAPService<SID>/<domain>@<REALM>
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): Permission denied
N Could't acquire ACCEPTING credentials for
N
N name="p:SAPService<SID>/<domain>@<REALM>"
N SncInit(): Fatal -- Accepting Credentials not available!
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 230]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 232]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 10527]

How can I get the wps call the GSS-API functions to acquire a TGT? What is missing in the keytab file?

3. How do I let the GSS-API library get the TGT "on demand" from the Java stack?

FYI, I followed the following two IBM documents to implement SSO for SAP on IBM i systems (ABAP and Java, respectively):

http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101228

http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101127

Thanks and regards,

Hugo

tim_alsop
Active Contributor
0 Kudos

Hugo,

The "permission denied" error suggests that the <sid>adm user does not have read access to the keytab file. This is why the work process init is not able to get a TGT using keytab.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

I gave the adm user access to the keytab file. Then, I removed kinit from the START profile and restarted the system. Now I am getting the following error and the wps are killed:

N SncInit(): Initializing Secure Network Communication (SNC)
N IBM iSeries with OS400 (st,ascii,SAP_UC/size_t/void* = 8/64/64)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)
N File "/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:SAPService<SID>/<domain>@<REALM>
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): No credentials cache found
N Could't acquire INITIATING credentials for
N
N name="p:SAPService<SID>/<domain>@<REALM>"
N SncInit(): Fatal -- Initiating Credentials not available!
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 230]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 232]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 10591]

The wp crashes because it cannot find the credential cache file with name 'krb5cc_<UID>' under the /var/krb5/security/creds directory. When kinit is added to the START profile the file krb5cc_<UID> is created and the TGT is cached in it.

You stated in 1. "If the Kerberos library has correct implementation of GSS token lifetime, then the work process will get a new TGT when it re-initializes. This TGT is requested and cached on server, but not used when user logs onto SAP via SAP GUI".

Without using kinit, how is the TGT requested and cached on the server? Or should kinit be executed at least once to make sure that 'krb5cc_<UID>' exists?

Thank you in advance.

Regards,

Hugo

tim_alsop
Active Contributor
0 Kudos

Hugo,

The wp is now getting a TGT (if you captured network traffic during wp startup you would see the AS-REQ and AS-REP which contains the TGT) but the TGT cannot be put into a cache, for some reason. This might be because of permissions - maybe the <sid>adm user does not have file create permissions for files in /var/krb5/security/creds ?

The GSS library which is used for SNC will get the TGT (as it is doing now that you fixed the keytab permission issue) so you don't need to use kinit.

You might want to logon as <sid>adm and try a command such as:

echo hello > /var/krb5/security/creds/test.file

I suspect above will fail because <sid>adm cannot create a file in this dir. This is why the cache is not being created to put the TGT into.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

I added file create permissions to <SID>ADM in /var/krb5/security/creds. I logged on as adm and verified that 'test.file' is created when executing the command:

echo hello > /var/krb5/security/creds/test.file

After that, the wps are still getting the following error:

N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): No credentials cache found
N Could't acquire INITIATING credentials for
N
N name="p:SAPService<SID>/<domain>@<REALM>"

Perhaps the wps cannot create cache files on the IBM i platform. The text below was extracted from the IBM document (page 19) that I followed to configure SNC on IBM i (http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101228):

"Start Profile

Once SNC is enabled, your SAP system will require a Kerberos ticket in order to start. This is very important and worth repeating, SAP applications will not start if a valid Kerberos ticket for the SAP application SPN is not available. This ticket is acquired by running the kinit command for the SPN created for SAP applications. The user requesting the credentials must be the i5/OS user under which the SAP application runs. This user will always be <sid><nn>, where <sid> is the SAP system ID and <nn> is the instance number. This user has limited capabilities and cannot be used to start an interactive session. To request a ticket using <sid><nn>, the following SBMJOB command can be used."

Anyway, the <SID>ADM and <sid><nn> users have file create permissions in /var/krb5/security/creds.

Any idea?

Thanks and regards,

Hugo

tim_alsop
Active Contributor
0 Kudos

Hugo,

The Kerberos library included with the PASE environment is not the best implementation of Kerberos, and I think you are experiencing some issues/bugs in this implementation. I recommend using a commercially supported and SAP-certified implementation of Kerberos, instead of the open source implementation included with the UNIX distribution (which is often very old and not compliant with MS AD KDC expectations).

Perhaps you can try creating an environment variable called KRB5CCNAME and set this to:

KRB5CCNAME=FILE:/tmp/krb5cc_sap

Now, when the wp tries to store the TGT in the cache, it will use the cache name given in the environment variable, and won't try to construct the cache file name and get an error due to the user id.

I have worked with a number of System i (i5/OS) installs of SAP and made them work with Kerberos auth, and didn't need to use kinit, and didn't get the problems you are getting. I didn't use the IBM Kerberos libraries, but used commercially supported Kerberos libraries instead.

Thanks,

Tim
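Added example, not from the thread: a pre-start check for the two SNC credential prerequisites that the work-process traces in this thread failed on, plus a classifier for such traces. ACCEPTING credentials need the keytab holding the SAPService<SID> key to be readable by the work-process user (the "Permission denied" trace); INITIATING credentials need a TGT written into a credential cache that user can create (the "No credentials cache found" trace), which is what pinning KRB5CCNAME addresses. The keytab and cache paths are placeholders, and the trace excerpts are copied from the posts above as constructed test input.

```shell
#!/bin/sh
# Added example, not from the thread: check the two SNC prerequisites whose
# absence produced the dev_w* traces posted above, and classify such a trace.
# Paths are placeholders; run as the user the work processes run under.

# Classify a work-process trace excerpt: prints keytab, cache or ok.
# The ACCEPTING/INITIATING line is decisive; "Permission denied" and
# "No credentials cache found" are the minor-status hints that go with them.
snc_diagnose() {
    printf '%s\n' "$1" | awk '
        /acquire ACCEPTING credentials/  { r = "keytab"; exit }
        /acquire INITIATING credentials/ { r = "cache"; exit }
        END { print (r == "" ? "ok" : r) }'
}

# Filesystem checks for the same two prerequisites. $1 = keytab path,
# $2 = credential cache, bare path or FILE:path as used in KRB5CCNAME.
# Prints the first problem found, or ok. Note that -r/-w are always true for
# a superuser, so this only means something when run as <sid>adm / <sid><nn>.
snc_preflight() {
    keytab=$1
    cache=${2#FILE:}
    ccdir=$(dirname "$cache")
    if [ ! -r "$keytab" ]; then
        echo "keytab: $keytab is not readable by $(id -un)"; return 1
    fi
    if [ ! -d "$ccdir" ] || [ ! -w "$ccdir" ]; then
        echo "cache: $ccdir is not writable by $(id -un)"; return 1
    fi
    if [ -e "$cache" ] && [ ! -w "$cache" ]; then
        echo "cache: $cache exists but is not writable by $(id -un)"; return 1
    fi
    echo ok
}

# Trace excerpts from the thread, used here as constructed test input.
TRACE_KEYTAB="N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): Permission denied
N Could't acquire ACCEPTING credentials for
N name=\"p:SAPService<SID>/<domain>@<REALM>\"
N SncInit(): Fatal -- Accepting Credentials not available!"
TRACE_CACHE="N SncInit(): Accepting Credentials available, lifetime=Indefinite
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): No credentials cache found
N Could't acquire INITIATING credentials for
N SncInit(): Fatal -- Initiating Credentials not available!"
TRACE_OK="N SncInit(): Accepting Credentials available, lifetime=Indefinite"
```

Set KRB5CCNAME (for example FILE:/tmp/krb5cc_sap, as suggested above) in the instance user's environment, then run snc_preflight with the same keytab and cache value before starting the instance; the -w test on the cache directory is the scripted form of the `echo hello > /var/krb5/security/creds/test.file` check from earlier in the thread.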

Former Member
0 Kudos

Hi Tim,

While starting the production system, the work processes go into the ended state.

I found the following error in the work process log:

ERROR -> sncFAcquirecred()==sncerr_gssapi
       no credentials found
       key table not found
       could't acquire accepting credentials

Our PRD is configured for SSO.

Please suggest on this to resolve the issue.

Thanks,

Bharath