Kerberos on WAS

Former Member

Can someone tell me, at a high level, how to set up Kerberos on WAS?

I have set up Kerberos on other J2EE containers such as WebLogic and WebSphere, but when it comes to WAS I am a little lost. I have been referencing the SAP document but am totally confused... Help.

Using Kerberos Authentication for Single Sign-On

http://help.sap.com/saphelp_nw2004s/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/content.htm

I know that in a normal Kerberos implementation you need to have:

krb5.ini or krb5.conf --> like a tnsnames file for Oracle or a hosts file for DNS

UME --> data source mapping of the KPN within WAS

SPNegoLoginModule --> outlines the principal name between the host node and the KDC.


Former Member

I am configuring the SPNegoLoginModule and there is a section that mentions KPN.

Is KPN the same as SPN? I know my SPN (service principal name), but is KPN the Kerberos principal name? Do I just put the SPN, or the KPN?

SPNegoLoginModule    REQUISITE    com.sap.spnego.jgss.name=<KPN>

Procedure

..

1. Create a new policy configuration and add the SPNegoLoginModule to the list of login modules as shown below. For more information, see Managing Policy Configurations.

a. To configure authentication with the SPNegoLoginModule without a fallback mechanism, you can arrange the login module stack of the policy configuration as shown in the table below.

Login Modules               Flag        Options
EvaluateTicketLoginModule   SUFFICIENT  ume.configuration.active=true
SPNegoLoginModule           REQUISITE   com.sap.spnego.jgss.name=<KPN>
CreateTicketLoginModule     OPTIONAL    ume.configuration.active=true

b. To configure authentication with the SPNegoLoginModule with basic authentication fallback, you can arrange the login module stack of the policy configuration as shown in the table below.

Login Modules               Flag        Options
EvaluateTicketLoginModule   SUFFICIENT  ume.configuration.active=true
SPNegoLoginModule           OPTIONAL    com.sap.spnego.jgss.name=<KPN>
CreateTicketLoginModule     SUFFICIENT  ume.configuration.active=true
BasicPasswordLoginModule    REQUISITE
CreateTicketLoginModule     OPTIONAL    ume.configuration.active=true


> b. To configure authentication with the SPNegoLoginModule with basic authentication fallback, you can arrange the login module stack of the policy configuration as shown in the table below.
>
> Login Modules               Flag        Options
> EvaluateTicketLoginModule   SUFFICIENT  ume.configuration.active=true
> SPNegoLoginModule           OPTIONAL    com.sap.spnego.jgss.name=<KPN>
> CreateTicketLoginModule     SUFFICIENT  ume.configuration.active=true
> BasicPasswordLoginModule    REQUISITE
> CreateTicketLoginModule     OPTIONAL    ume.configuration.active=true

I am interested to hear from anybody who has a login stack configured as shown above what happens if they access the application using an IP address in the URL instead of a host.domain in the URL, e.g. http://192.10.238.15 instead of http://portal.domain.com. In theory the SPNEGO authentication should not be able to authenticate since the IP address is used instead of a domain name, and this will cause the BasicPasswordLoginModule to be invoked, so you should see a signon screen. When we do this test we see the signon screen, but it has UNKNOWN_ERROR at the top of the screen, and we cannot find a way to remove this UNKNOWN_ERROR. The login screen works since we can enter a SAP userid and password at this time, but we just want to find a way to stop the UNKNOWN_ERROR appearing and confusing the user trying to logon.

Thanks,

Tim
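To make the two login-module stacks quoted above concrete, and to show what happens on the IP-address URL described in the previous post, here is a small simulation of JAAS control-flag evaluation written for this page (it is not SAP code and not part of any post in the thread). The four module functions, the VALID_PASSWORDS store and the request dictionaries are constructed stand-ins for the real login modules and HTTP requests; the control-flag rules in run_stack are those of the standard JAAS LoginContext login phase.

```python
"""Simulation of JAAS login-module stack evaluation (SUFFICIENT / REQUISITE /
OPTIONAL control flags) for the two SPNegoLoginModule policy configurations
quoted in the thread. Added example, not SAP code: the module functions are
simplified stand-ins for the real login modules."""

VALID_PASSWORDS = {"jdoe": "s3cret"}   # constructed user store for the stand-in


def evaluate_ticket(req: dict, state: dict) -> bool:
    """Stand-in for EvaluateTicketLoginModule: accepts an existing SAP logon ticket."""
    user = req.get("logon_ticket_user")
    if user:
        state["user"] = user
    return user is not None


def spnego(req: dict, state: dict) -> bool:
    """Stand-in for SPNegoLoginModule. The browser only sends a Kerberos/SPNEGO
    token when it could obtain a service ticket for the host in the URL; for a
    bare IP address there is no HTTP/<host> principal to ask the KDC for."""
    user = req.get("spnego_user")
    if user:
        state["user"] = user
    return user is not None


def create_ticket(req: dict, state: dict) -> bool:
    """Stand-in for CreateTicketLoginModule: can only issue a logon ticket once
    an earlier module in the stack has established who the user is."""
    return "user" in state


def basic_password(req: dict, state: dict) -> bool:
    """Stand-in for BasicPasswordLoginModule (the user ID / password form)."""
    creds = req.get("basic_credentials")
    ok = creds is not None and VALID_PASSWORDS.get(creds[0]) == creds[1]
    if ok:
        state["user"] = creds[0]
    return ok


def run_stack(stack, req: dict):
    """Login phase of javax.security.auth.login.LoginContext:
    REQUIRED/REQUISITE must succeed (REQUISITE aborts the stack on failure),
    SUFFICIENT returns success at once unless a required module already failed,
    OPTIONAL never decides the outcome on its own.
    Returns (success, trace of (module, flag, result), shared state)."""
    state, trace = {}, []
    required_seen = required_failed = any_success = False
    for name, flag, module in stack:
        ok = module(req, state)
        trace.append((name, flag, ok))
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE"):
            required_seen = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    return False, trace, state      # abort: nothing below runs
        elif flag == "SUFFICIENT" and ok and not required_failed:
            return True, trace, state               # short-circuit success
    if required_seen:
        return not required_failed, trace, state
    return any_success, trace, state


def invoked(trace):
    """Names of the modules that actually ran, in order."""
    return [name for name, _flag, _ok in trace]


# Policy configuration (a): SPNEGO without fallback
NO_FALLBACK = [
    ("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
    ("SPNegoLoginModule", "REQUISITE", spnego),
    ("CreateTicketLoginModule", "OPTIONAL", create_ticket),
]
# Policy configuration (b): SPNEGO with basic-authentication fallback
WITH_FALLBACK = [
    ("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
    ("SPNegoLoginModule", "OPTIONAL", spnego),
    ("CreateTicketLoginModule", "SUFFICIENT", create_ticket),
    ("BasicPasswordLoginModule", "REQUISITE", basic_password),
    ("CreateTicketLoginModule", "OPTIONAL", create_ticket),
]

# Constructed requests: host-name URL with a Kerberos token, IP URL without one.
HOSTNAME_REQ = {"url": "http://portal.domain.com", "spnego_user": "jdoe"}
IP_REQ = {"url": "http://192.10.238.15", "spnego_user": None}
IP_REQ_WITH_PASSWORD = dict(IP_REQ, basic_credentials=("jdoe", "s3cret"))

if __name__ == "__main__":
    for label, stack in (("no fallback", NO_FALLBACK), ("with fallback", WITH_FALLBACK)):
        for req in (HOSTNAME_REQ, IP_REQ, IP_REQ_WITH_PASSWORD):
            ok, trace, _ = run_stack(stack, req)
            print(f"{label:14} {req['url']:26} -> {ok}; invoked: {invoked(trace)}")
```

With stack (a), the request on http://192.10.238.15 stops at the REQUISITE SPNegoLoginModule and nothing below it runs; with stack (b) the same request falls through CreateTicketLoginModule (which has no user to issue a ticket for) to BasicPasswordLoginModule, which is why the logon form appears. The stand-ins model only success or failure, not the error text each real module reports, so the UNKNOWN_ERROR banner from the previous post is outside what this simulation shows.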


I am wondering why nobody has responded to my last question. Surely somebody has experienced the same problem? I would be surprised if we were the only ones who find this to be an issue. I look forward to hearing from other SAP users/partners.


Hi Rich,

Would you explain to me the terminology "logon ticket"? Is this the first screen for entering user ID and password? If so, how do I configure the logon ticket?

The next thing is how to make one Enterprise Portal the ticket-issuing machine and have another application accept this ticket. An application login is created for this application, which is added to the accepting machine. When I look in the Visual Administrator I see the login module of the application. And the ticket-issuing Enterprise Portal is using AD as the user store.

Taking this scenario, would you describe to me how to set up the AD directory: what are the steps, what are the prerequisites I need to take care of, and what precautions I need to take?

On the other hand, what are the settings I need to fix at the application site? This application has its own portal. Would you please describe this in detail, step by step?

Thanks

happy

Former Member

OK, I think I found my answer. It looks like it is specific to the Sun JDK, so I have to set the option com.sap.spnego.creds_in_thread with value true and create a Krb5LoginModule and a MappingModule. Now it starts to look familiar.

Configure the SPNegoLoginModule options for the user resolution mode you use.

User resolution mode none

a. Choose the value none for the option com.sap.spnego.uid.resolution.mode

User resolution mode simple

...

a. Choose the value simple for the option com.sap.spnego.uid.resolution.mode

User Resolution mode prefixbased

...

a. Choose the value prefixbased for the option com.sap.spnego.uid.resolution.mode

b. Choose the value kpnprefix for the option com.sap.spnego.uid.resolution.attr.

If using Sun JDK, add the option com.sap.spnego.creds_in_thread with value true.

4. When using Sun JDK, perform the following steps to register necessary login modules and policy configuration with the Security Provider service in the Visual Administrator of the J2EE Engine. For more information about adding login modules and policy configurations, see Managing Login Modules and Managing Policy Configurations.

a. Add a login module with name Krb5LoginModule and class name com.sun.security.auth.module.Krb5LoginModule

b. Add a login module with name MappingModule and class name com.sap.security.core.server.jaas.SPNegoMappingLoginModule

c. Create a policy configuration com.sun.security.jgss.accept and add the login modules Krb5LoginModule and MappingModule to the login module stack for the policy configuration.

d. Configure the login module options for the created policy configuration com.sun.security.jgss.accept as shown in the table below. For more information, see Managing Policy Configurations.

Login Modules     Flag       Options
Krb5LoginModule   REQUISITE  debug=true, doNotPrompt=true, keyTab=<keytab_filename_with_full_path>, principal=<KPN>, storeKey=true, useKeyTab=true, useTicketCache=true
MappingModule     OPTIONAL   com.sap.spnego.uid.resolution.attr=krb5principalname
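The Krb5LoginModule options above only work when the file named by keyTab actually contains a key for the exact string given as principal=<KPN>; for web SSO that is the HTTP/<host>@<REALM> service principal, typically generated on the AD side with ktpass. Whatever the documentation calls the value (KPN or SPN), what matters in practice is that it matches the principal as stored in the keytab, byte for byte. The following keytab parser and check is an added example written for this page, not SAP's or Sun's code; the keytab bytes, the host name portal.domain.com, the realm DOMAIN.COM and the key material are constructed for the example.

```python
"""Parse an MIT-format keytab and confirm it holds a key for the KPN that will be
configured as principal=<KPN> on Krb5LoginModule.  Added example, not SAP code;
the keytab bytes below are constructed in this file so it runs offline."""
import struct


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries) -> bytes:
    """Serialize (principal, name_type, timestamp, kvno, enctype, key) tuples to
    keytab file format version 0x0502, the format MIT kadmin/ktutil and ktpass write."""
    out = bytearray(b"\x05\x02")
    for principal, name_type, timestamp, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # 32-bit kvno extension field
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict per live entry; negative-length slots are deleted entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:          # hole left by a deleted entry: skip abs(size) bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:     # newer writers append the full 32-bit kvno
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp,
            "kvno": kvno, "enctype": enctype, "key_len": len(key),
        })
        pos = end
    return entries


def keys_for_principal(data: bytes, kpn: str):
    """(enctype, kvno) pairs whose principal string equals kpn exactly.
    Kerberos principal names are case-sensitive, so 'domain.com' is not 'DOMAIN.COM'.
    An empty list means Krb5LoginModule with principal=kpn has no key to accept with."""
    return [(e["enctype"], e["kvno"]) for e in parse_keytab(data) if e["principal"] == kpn]


# Constructed sample: the portal host's HTTP service principal with two enctypes
# (23 = rc4-hmac, 18 = aes256-cts-hmac-sha1-96) plus an unrelated host/ entry.
# name_type 1 = KRB_NT_PRINCIPAL; keys are dummy bytes, not real Kerberos keys.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/portal.domain.com@DOMAIN.COM", 1, 1_200_000_000, 3, 23, b"\x11" * 16),
    ("HTTP/portal.domain.com@DOMAIN.COM", 1, 1_200_000_000, 3, 18, b"\x22" * 32),
    ("host/portal.domain.com@DOMAIN.COM", 1, 1_200_000_000, 3, 23, b"\x33" * 16),
])
# Same content with a deleted 8-byte slot in front, as a ktutil delete leaves behind.
SAMPLE_KEYTAB_WITH_HOLE = b"\x05\x02" + struct.pack(">i", -8) + b"\x00" * 8 + SAMPLE_KEYTAB[2:]

if __name__ == "__main__":
    for kpn in ("HTTP/portal.domain.com@DOMAIN.COM", "HTTP/portal.domain.com@domain.com"):
        print(kpn, "->", keys_for_principal(SAMPLE_KEYTAB, kpn) or "NOT IN KEYTAB")
```

Run it against a real keytab by replacing SAMPLE_KEYTAB with the bytes read from the file given as keyTab; if keys_for_principal returns an empty list for the configured <KPN>, the login module cannot decrypt any service ticket, and the fix is the keytab or the principal string, not the policy configuration. Checking the kvno against the account's current key version in AD is the next thing to compare when a ticket is rejected after a password reset on the service account.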

Former Member

My next question. I still have IisProxy in place. From what I recall, in other J2EE containers I had to disable IIS and enable the main J2EE server to run on port 80 to support Kerberos.

Which application can I use to test Kerberos? I have a couple of web applications specifically for testing the Krb5LoginModule and Kerberos authentication, but they are in WAR format and WAS requires EAR. Can anyone tell me how to convert WAR format to EAR format?


Richard,

Kerberos 5 uses port 88 for ticket requests between Kerberos client and KDC, not port 80. Port 80 is for HTTP traffic.

I believe you can deploy both EAR and WAR format files into the J2EE engine using SDM. I am sure somebody from SAP will correct me if this is wrong, but I believe I remember (I might be mistaken) installing a WAR file last year on one of our systems.

Thanks,

Tim

Former Member

Hi Tim, have a look at this document (page 25); it seems that the problem is solved in SP12.

http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/905b3146-e6c8-2910-b0a9-90929b46ee71

Regards!!


Jorge,

Thank you. Since I didn't get a reply to my question I opened a message on the Service Marketplace and I was given details of the fix for both the NW2004 and NW2004s versions of NetWeaver. We have tested and the problem is indeed fixed as expected.

Take care,

Tim

WolfgangJanzen
Product and Topic Expert

Well, that's the way to get "official" answers from SAP.

SAP employees posting in SDN forum articles only express their own private opinion; you cannot rely on such information as it is not "official". SDN, however, is supposed to support partners and other developers by providing additional (background) information - and to get to know about their ideas (outside-in communication).

Cheers, Wolfgang

(I'm not scanning SDN regularly)


Wolfgang,

Thank you. It may not be official, but it is often very useful, especially when we need to find out if other people are getting the same problem as ourselves, which in this case was all we wanted. SDN has the advantage that we can gain from other partners'/customers' experiences, and we do not see it as a replacement for the normal SAP support channel, rather as a complementary service.

Take care,

Tim

WolfgangJanzen
Product and Topic Expert

I fully share your opinion - and only want to add that many SAP employees use SDN to gain some "outside ideas" (there are many more "silent readers" than "active participants").

Yes, SDN is a complementary service - a communication platform.

Cheers, Wolfgang