SSO for SAP ECC 6.0 with application servers on AIX 6.1

Former Member
0 Kudos

Hello,

I've made the configuration of SSO on SAP ECC 6.0 (AIX) successfully for the Central instance. Now I would like to do the same thing for the application servers.

I would like to know if I have to follow the same steps I did for the configuration of the CI.

The steps I mean are the following:

- create service user in MS AD

- create SPN

- create keytab

- Install Kerberos on AIX

- Import keytab into AIX

- Add the SAP parameters to the application server profile

Can anyone help me?

Regards,

Pedro

Accepted Solutions (1)

nelis
Active Contributor
0 Kudos

Hi Pedro,

There should be no need to create another service user, SPN or keytab for the dialog instances; you can use the same service user you used for your CI. Just copy across the keytab and add it to your dialog instances. You would create a new service user for each separate SAP system, e.g. SAPserviceDEV, SAPservicePRD, etc.

You will still need to add the parameters though to each instance as well as install and configure Kerberos so that each instance can authenticate to AD using the same service for that particular SAP system.

Regards,

Nelis

Former Member
0 Kudos

Hi Nelis,

Thanks for your answer.

For the CI, we did the following:

create setspn and ktpass using AD user, AD service and the hostname of the CI (in the case server_CI)

created an entry on crontab like this: kinit -k SAPSERVICE/server_CI.fdqn

added SAP parameters.

example:
snc/identity/as - p/krb5:SAPSERVICE/server_CI.fdqn@DOMANIN_NAME

How should we do it for the application servers (server1)?

Regards,

Pedro

nelis
Active Contributor
0 Kudos

Hi,

Do the application servers in the same way, using the same keytab copied (no need to import again) from the CI and the same parameter snc/identity/as.

Even though you have created it using the CI hostname it should still work fine on your application servers. Also copy across the Kerberos config from CI to application server.

The crontab entry for your TGT should be in the format kinit -k SAPSERVICE/server_CI.fdqn@<DOMAIN-NAME>

Use kinit with -V for initial testing from command line to see response.

Regards,

Nelis
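The consistency points raised in this reply, as an added example that is not part of the original thread: a POSIX shell check that the principal in the instance profile's snc/identity/as matches the one in the crontab kinit entry (including the @realm part), and that the copied keytab is readable only by its owner. The function names are hypothetical, and the script assumes the profile uses `name = value` syntax and the crontab line has the `kinit -k <principal>` form shown above.

```shell
#!/bin/sh
# Added example: consistency check for one SAP instance that reuses the CI keytab.
# Function names are hypothetical; file paths are supplied by the caller.

# Print the Kerberos principal from snc/identity/as (the part after "p/krb5:").
profile_principal() {
    sed -n 's|^[[:space:]]*snc/identity/as[[:space:]]*=[[:space:]]*p/krb5:\([^[:space:]]*\).*|\1|p' "$1" | head -n 1
}

# Print the principal passed to "kinit -k" in a crontab file (first match).
cron_principal() {
    sed -n 's|.*kinit[[:space:]]\{1,\}-k[[:space:]]\{1,\}\([^[:space:]]*\).*|\1|p' "$1" | head -n 1
}

# Return 0 when the keytab grants no permission bits to group or others.
# The keytab holds the service account's long-term key, so every host it is
# copied to should keep it private to the instance owner.
keytab_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all checks; print findings and return the number of problems found.
check_instance() {  # args: profile crontab keytab
    problems=0
    p=$(profile_principal "$1")
    c=$(cron_principal "$2")
    [ -n "$p" ] || { echo "no snc/identity/as in $1"; problems=$((problems + 1)); }
    [ -n "$c" ] || { echo "no kinit -k entry in $2"; problems=$((problems + 1)); }
    if [ -n "$p" ] && [ -n "$c" ] && [ "$p" != "$c" ]; then
        echo "principal mismatch: profile=$p cron=$c"
        problems=$((problems + 1))
    fi
    keytab_private "$3" || { echo "keytab $3 is accessible beyond its owner"; problems=$((problems + 1)); }
    return "$problems"
}

# Usage: sh check.sh <instance-profile> <crontab-dump> <keytab>
if [ "$#" -eq 3 ]; then
    check_instance "$@"
fi
```

Run it on each application server after copying the keytab and Kerberos config; a crontab entry without the @realm suffix is reported as a principal mismatch.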

Answers (5)

Former Member
0 Kudos

Hello,

I've managed to solve the problem using transaction LSMW.

Regards,

Pedro

Former Member
0 Kudos

Hi Nelis,

That's a good idea, but wouldn't we have a problem with the field HNAME (Hash value for canonical names) from table USRACL?

Regards,

Pedro

Former Member
0 Kudos

Hi,

I don't understand very well how the report works or if it's useful for my configuration.

Imagine the following case:

userSAP1 that has userAD1 - Configuration for SU01 (SNC tab) p:userAD1@DOMANIN_NAME

userSAP2 that has userAD2 - Configuration for SU01 (SNC tab) p:userAD2@DOMANIN_NAME

userSAP3 that has userAD3 - Configuration for SU01 (SNC tab) p:userAD3@DOMANIN_NAME

How can I change massively more than 3000 SAP users that also have 3000 AD users?

Regards,

Pedro

nelis
Active Contributor
0 Kudos

If your SAP user accounts are different to the domain user accounts you will have to change that part manually. The domain can be set for each user automatically.

Another option would be to write your own report to add/map the SAP users to the SNC data which is stored in table USRACL.

Nelis

Former Member
0 Kudos

Hello Nelis,


Thanks for your answer. I've tested it and it worked!

Another issue now: I need to add information regarding AD users (SNC name) for more than 3000 users on S01. Do I have to change it one by one, or is there an easier way?

I've tried reports RSUSREXTID and RSUSR300, also transactions SNC1, SNC2, SNC3...

Regards,

Pedro

nelis
Active Contributor
0 Kudos

Hi,

RSUSR300 is the correct report to use for mapping multiple SNC users.

Regards,

Nelis

Nibu
Contributor
0 Kudos

Yes, you need to do the same for the application server instances too. Hope it's not tough for you since it's already done for the CI.

The links below may be useful:

http://www.saptechies.com/create-ssosingle-sign-sap-sysetm/

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/bc72b890-0201-0010-3a8d-e31e3e266...

Former Member
0 Kudos

Hi Antony,

Thanks for your answer.

Correct me if I'm wrong. For example, for server1 we should do the following:

- create service_server1 user_server1 in MS AD

- create SPN_server1

- create keytab_server1

- Install Kerberos on AIX (server1)

- Import keytab_server1 into AIX (server1)

- Add the SAP parameters to the application server profile

     p/krb5:service_server1/server1@FDQN

Is it correct?

Regards and Thanks!

Pedro