03-21-2013 10:36 AM
Hello,
We are trying to implement Single Sign-on using AIX Kerberos and Windows Active Directory, but we are facing some difficulties.
Here's our landscape
AIX Server: vbtrmz00.telecom.pt
AD: vmqptp02.ptp-qa.corppt-qa.local
We created the user on active directory and created the keytab file with the following parameters:
C:\>setspn -A SSOTRM/vbtrmz00.telecom.pt PTP-QA\trmadm
Registering ServicePrincipalNames for CN=trmadm,OU=Service Accounts,OU=SAP,OU=LSB-PIC,OU=DC_PT,DC=ptp-qa,DC=corppt-qa,DC=local
SSOTRM/vbtrmz00.telecom.pt
Updated object
C:\>ktpass -princ SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL -mapuser PTP-QA\trmadm -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set -pass XXXXXXX -out sap.keytab
Targeting domain controller: VMQPTP02.ptp-qa.corppt-qa.local
Using legacy password setting method
Successfully mapped SSOTRM/vbtrmz00.telecom.pt to trmadm.
Key created.
Output keytab to sap.keytab:
Keytab version: 0x502
keysize 84 SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x0417ecfdd84a80184ccfca8eb02169d4)
-------------------------------------------------------------------------------------------------------------------------------------------------------
On SAP profile we added the following parameters:
snc/enable 1
snc/identity/as p:SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL
snc/data_protection/max 1
snc/data_protection/min 1
snc/data_protection/use 1
snc/gssapi_lib /usr/sap/TRM/SYS/exe/run/libsapcrypto.o
snc/accept_insecure_cpic 1
snc/accept_insecure_gui 1
snc/accept_insecure_rfc 1
snc/permit_insecure_start 1
snc/force_login_screen 1
rdisp/dynamic_wp_check FALSE
rdisp/configurable_wp_no 0
rdisp/wp_no_restricted 0
rslg/new_layout 9
ssf/ssfapi_lib /usr/sap/TRM/SYS/exe/run/libsapcrypto.o
ssf/name SAPSECULIB
sec/libsapsecu /usr/sap/TRM/SYS/exe/run/libsapcrypto.o
------------------------------------------------------------------------------------------------------------------------------------------
On AIX we have the following on krb5.conf
[libdefaults]
default_realm = PTP-QA.CORPPT-QA.LOCAL
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
[realms]
PTP-QA.CORPPT-QA.LOCAL = {
kdc = vmqptp02.ptp-qa.corppt-qa.local:88
admin_server = vmqptp02.ptp-qa.corppt-qa.local:749
default_domain = ptp-qa.corppt-qa.local
}
[domain_realm]
.ptp-qa.corppt-qa.local = PTP-QA.CORPPT-QA.LOCAL
vmqptp02.ptp-qa.corppt-qa.local = PTP-QA.CORPPT-QA.LOCAL
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log
[appdefaults]
autologin=true
forward=true
forwardable=true
renewable=true
encrypt=true
--------------------------------------------------------------------------------------------------
On AIX, using ktutil, we imported the keytab successfully.
When we try to generate an initial ticket using kinit we get 2 results:
OK -
[root@vbtrmz00: /usr/krb5/bin ]# kinit trmadm
Password for trmadm@PTP-QA.CORPPT-QA.LOCAL:
XXXXXXXXXXXXXXXXX
java.io.IOException: Primary principals do not match
Done!
New ticket is stored in cache file /root/krb5cc_root
NOT OK -
[root@vbtrmz00: /usr/krb5/bin ]# kinit -k SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL
com.ibm.security.krb5.KrbException, status code: 6
message: Client not found in Kerberos database
at com.ibm.security.krb5.KrbAsRep.<init>(KrbAsRep.java:38)
at com.ibm.security.krb5.KrbAsReq.getReply(KrbAsReq.java:79)
at com.ibm.security.krb5.internal.tools.Kinit.a(Kinit.java:12)
at com.ibm.security.krb5.internal.tools.Kinit.<init>(Kinit.java:156)
at com.ibm.security.krb5.internal.tools.Kinit.main(Kinit.java:98)
com.ibm.security.krb5.KrbException, status code: 6
message: Client not found in Kerberos database
When we start SAP with parameter snc/enable = 1 the system stops with the following error in the dev_w0 file:
SncInit(): Initializing Secure Network Communication (SNC)
N IBM RS/6000 with AIX (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)
N SncInit(): found snc/gssapi_lib=/usr/sap/TRM/SYS/exe/run/libsapcrypto.o
N File "/usr/sap/TRM/SYS/exe/run/libsapcrypto.o" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
N *** ERROR => SncPGSSImportName()==SNCERR_GSSAPI [sncxxall.c 2630]
N GSS-API(maj): An invalid name was supplied
N Import of a name failed
N name="p:SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL"
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 237]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 239]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 11329]
Can anyone help?
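One way to cross-check the pieces posted above before touching the SAP profile is to read the keytab directly and compare what it contains with snc/identity/as and the enctypes listed in krb5.conf. The script below is an added example, not code from the thread or from SAP/IBM: it builds a constructed keytab in the v0x502 layout whose single entry mirrors the ktpass output in the post (same principal, ptype 1, vno 3, etype 0x17, 16-byte key; the key bytes are a placeholder, not the key printed above), parses it, and reports whether the SNC identity has a matching key and whether that key's enctype is one the krb5.conf default_tgs_enctypes line allows. The field layout assumed is the MIT/Heimdal keytab format (int32 entry size, uint16 component count, counted realm and components, uint32 name type, uint32 timestamp, uint8 kvno, uint16 enctype, counted key, optional uint32 kvno); the function and finding names are my own.

```python
import struct

# Constructed sample keytab (not the file from the thread): one v0x502 entry whose
# principal, ptype, vno, etype and key length match the ktpass output in the post.
# The 16 key bytes are a placeholder; the real key hex printed in the post is not used.
SAMPLE_REALM = b"PTP-QA.CORPPT-QA.LOCAL"
SAMPLE_COMPONENTS = [b"SSOTRM", b"vbtrmz00.telecom.pt"]
SAMPLE_KEY = bytes(range(16))

# Kerberos enctype numbers (RFC 3961/3962/4757) and the names krb5.conf uses for them
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts", 18: "aes256-cts", 23: "arcfour-hmac"}
NAME_TO_ETYPE = {v: k for k, v in ETYPE_NAMES.items()}
WEAK_ETYPES = {1, 3, 23}  # single DES and RC4-HMAC


def _counted(b):
    """Encode a keytab counted_octet_string: 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b


def build_sample_keytab():
    """Serialize the constructed entry; the body comes to 84 bytes, as ktpass reported."""
    body = struct.pack(">H", len(SAMPLE_COMPONENTS))
    body += _counted(SAMPLE_REALM)
    for comp in SAMPLE_COMPONENTS:
        body += _counted(comp)
    body += struct.pack(">I", 1)           # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">I", 1363862160)  # timestamp (constructed)
    body += struct.pack(">B", 3)           # 8-bit kvno 3
    body += struct.pack(">H", 0x17)        # enctype 0x17 = RC4-HMAC
    body += _counted(SAMPLE_KEY)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def _read_counted(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data):
    """Parse a v0x502 keytab (MIT/Heimdal layout) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:            # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        name_type, timestamp, vno = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        (etype,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        key, pos = _read_counted(data, pos)
        if end - pos >= 4:      # optional 32-bit kvno overrides the 8-bit one when set
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            if vno32:
                vno = vno32
        pos = end
        principal = b"/".join(comps).decode() + "@" + realm.decode()
        entries.append({"size": size, "principal": principal, "name_type": name_type,
                        "vno": vno, "etype": etype, "keylength": len(key)})
    return entries


def check_snc_identity(entries, snc_identity_as, tgs_enctypes_line):
    """Compare snc/identity/as and default_tgs_enctypes against the keytab entries.

    Returns findings prefixed ERROR: (the service cannot accept tickets) or
    WARN: (it can, but with a weak enctype).
    """
    name = snc_identity_as[2:] if snc_identity_as.startswith("p:") else snc_identity_as
    allowed = {NAME_TO_ETYPE[n] for n in tgs_enctypes_line.split() if n in NAME_TO_ETYPE}
    findings = []
    matching = [e for e in entries if e["principal"] == name]
    if not matching:
        present = sorted({e["principal"] for e in entries})
        findings.append("ERROR: no keytab entry for %s (keytab holds %s)" % (name, present))
        return findings
    for e in matching:
        label = ETYPE_NAMES.get(e["etype"], hex(e["etype"]))
        if e["etype"] not in allowed:
            findings.append("ERROR: keytab etype %s not in default_tgs_enctypes" % label)
        elif e["etype"] in WEAK_ETYPES:
            findings.append("WARN: keytab etype %s is a weak enctype; prefer aes256-cts" % label)
    return findings


if __name__ == "__main__":
    entries = parse_keytab(build_sample_keytab())
    for e in entries:
        print(e)
    for f in check_snc_identity(entries, "p:SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL",
                                "des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc"):
        print(f)
```

Point parse_keytab at the bytes of a real keytab (for example the file ktutil wrote into /etc/krb5/krb5.keytab) to run the same comparison on a live system. With the values from the post the only finding is the RC4-HMAC warning, which shows that the keytab and SNC identity agree; the check deliberately says nothing about snc/gssapi_lib, because whether the loaded library is a Kerberos GSS-API mechanism is a separate question from whether the name and key are consistent.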
03-21-2013 11:31 PM
snc/gssapi_lib = /usr/sap/TRM/SYS/exe/run/libsapcrypto.o
That is at least one problem. The SAP Cryptographic Library is not a GSS-API implementation.
03-22-2013 9:50 AM
Hello,
I saw that info on help.sap:
http://help.sap.com/saphelp_nw04/helpdata/en/19/164442c1a1c353e10000000a1550b0/content.htm
And the log shows that the lib was loaded...
03-22-2013 3:24 PM
Yes, SAP Cryptographic Library can be used for SNC and encryption and should be used, for example, in the case of X.509 certificates, but it will not provide you with Kerberos-based SSO. In your case, since you are running a heterogeneous landscape (Windows, UNIX), you will have to license NWSSO or a 3rd-party product to get SSO for SAP GUI. Another way is to set up SPNEGO on AS JAVA and use SAP Logon Tickets to log on to ECC.