
Single Sign-On with Kerberos

S0007586158
Participant
0 Kudos

Hi,

Trying to configure SSO with Kerberos [NW SSO 2.0]; I followed these steps:
1. Create service user in ADS
2. Copy Secure Login Library files to ABAP system [Unix]
3. Configure SNC profile parameters.

After the profile parameter changes, we did the application restart, but the system is not coming up and we found the following error in the trace file

  *** ERROR => DlLoadLib()==DLENOACCESS - dlopen("sncgss.so") FAILED

  "Unable to find library 'sncgss.so'."  [dlux.c       445]

N  *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter #1 (sncgss.so) not loaded [sncxxdl.c  731]

Yes, the file is not available on the system; how do I get the SNC-related files/libraries?

Regards,
Sam

Accepted Solutions (1)

guilherme_deoliveira
Participant
0 Kudos

Hello Sam,

As per the trace you've pasted, I assume that you have the snc/gssapi_lib parameter set, pointing to sncgss.so (which is not the SLL library for the NWSSO 2.0 product).

Therefore, the first thing is to ensure that you have indeed downloaded the correct product (NWSSO 2.0 -> check SAP Note 1876552) and point the snc/gssapi_lib parameter correctly to sapcryptolib.so.

NOTE: Such an error can also occur if the file is not at the path given in the parameter, or if the user running your system has no authorization to access it.

Best Regards,
Guilherme de Oliveira

S0007586158
Participant
0 Kudos

Dear Guilherme,

You have correctly pointed it out; yes, the parameter snc/gssapi_lib was not set. I added that parameter with the value libsapcrypto.sl.

Now when I run

sapgenpse seclogin -p <> -O <>

it gives

seclogin:can't add credentials

Any clue?

Regards,

Sam

guilherme_deoliveira
Participant
0 Kudos

Hello Sam,

I suppose you have already restarted the system after correctly setting the snc/gssapi_lib parameter, right? And you are also installing NWSSO in the SLL folder, right?

Therefore, could you kindly:
1. Go to your SLL folder;
2. Ensure you use the sapgenpse from the NWSSO product:

./sapgenpse seclogin -p SAPSNCSKERB.pse

Does it still result in "can't add credentials"? If it does, could you kindly provide me with the output of the sapgenpse command?

Best Regards,
Guilherme de Oliveira

S0007586158
Participant
0 Kudos

Dear Guilherme,

Thanks for the reply; the above was resolved. It was basically due to the missing environment variable SECUDIR. After maintaining this, I was able to add the credentials.

But now when I try to start the instance I get the below error in the trace file:

N  SncInit(): found  snc/gssapi_lib=/usr/sap/SOD/DVEBMGS00/SLL/libsapcrypto.sl

N    File "/usr/sap/SOD/DVEBMGS00/SLL/libsapcrypto.sl" dynamically loaded as GSS-API v2 library.

N    SECUDIR="/usr/sap/users/sodadm/sec" (from HOME)

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to Secure Login Library

N    Product Version = CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.18 pl40 (Apr 14 2014) MT-safe

N  SncInit():   found snc/identity/as=p:CN=SAP-SSO-SOD

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N

N      name="p:CN=SAP-SSO-SOD"

N      FATAL SNCERROR -- Accepting Credentials not available!

N      (debug hint: default acceptor = "p:CN=DummyCredential")

N  <<- SncInit()==SNCERR_GSSAPI

N           sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    240]

M  in_ThErrHandle: 1

M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   11345]

Kindly advise; thanks for the extended support.

Regards,

Sam

guilherme_deoliveira
Participant
0 Kudos

Hello Sam,

Now the current error needs more detailed investigation:

1. In your AD, could you kindly ensure that you have set up your Service User and maintained its Service Principal Name as SAP-SSO-SOD?
2. Have you created the keytab for this service user?
3. If you're using the Kerberos implementation only, please change the parameter and settings to include the domain part as well (i.e. snc/identity/as = SAP-SSO-SOD@<DOMAIN>).
4. Ensure that your credentials are correctly created for the sodadm user.

I hope this helps.

Best Regards,
Guilherme de Oliveira

S0007586158
Participant
0 Kudos

Hi Guilherme,

1. Yes, the service user has been maintained in ADS, but the Service Principal Name has been maintained as SAP/SAP-SSO-SOD, as per the document which I referred to earlier.

2. The keytab has been created for the user.

3. Tried changing the value of snc/identity/as to include the domain, but got the same error.

4. Credentials are correctly created for sodadm.

Regards,

Sam

guilherme_deoliveira
Participant
0 Kudos

Hello Sam,

In that case, could you kindly reproduce the issue and collect the Secure Login Library and Secure Login Client traces? You may want to refer to the implementation guide (found in SAP Marketplace) to understand how to collect them.

Best Regards,
Guilherme de Oliveira

S0007586158
Participant
0 Kudos

Hello Guilherme,

Thanks for the suggestion; the developer trace has been activated for the Secure Login Library.

Found the errors below in the sec-dev_w0.trc file.

[2014.06.18 18:17:45.570417][ERROR][                    ][PSE         ][     1] ERROR(0xA1D5012C) in TOKEN_PSE module. Function open_token_and_login failed: Wrong PIN

[2014.06.18 18:17:45.570475][ERROR][                    ][PSE         ][     1] ERROR(0xA1D5012C) in TOKEN_PSE module. Function add_token failed: Wrong PIN

[2014.06.18 18:17:45.571344][ERROR][                    ][TOKPSE      ][     1] ERROR(0xA1D50108) in TOKEN_PSE module. Function sec_SecToken_getCardPIN failed: Token application not existing

[2014.06.18 18:17:45.571423][ERROR][                    ][PSE         ][     1] ERROR(0xA1D50108) in TOKEN_PSE module. Function open_token_and_login failed: Token application not existing

[2014.06.18 18:17:45.571482][ERROR][                    ][PSE         ][     1] ERROR(0xA1D50108) in TOKEN_PSE module. Function add_token failed: Token application not existing

[2014.06.18 18:17:45.572430][ERROR][                    ][GSS         ][     1] Didn't found a keyTab

Regards,

Sam

guilherme_deoliveira
Participant
0 Kudos

Hello Sam,

Thanks for the traces. As per them, it seems that your keytab is the issue. Fast solution? Re-create it:

1. Delete the SAPSNCSKERB.pse and the cred_v2 files;
2. Re-create the keytab (and therefore the PSE);
3. Re-create the credentials.

Ensure you use the correct password when re-creating the keytab (especially for your service user: the password must match your AD password).

Best Regards,
Guilherme de Oliveira
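The diagnosis above was read off three lines of the sec-dev_w0.trc trace. As an added example (not code from the thread or from SAP), the following Python parses lines in that bracketed trace layout and flags the ERROR entries whose messages point at the keytab/PSE, mapping each to the remedy given in the answer; the sample lines are constructed from the ones quoted in the thread.

```python
import re

# Constructed sample lines in the sec-dev_w*.trc layout quoted in this thread;
# the first three mirror the errors above, the last is a non-error filler line.
SAMPLE_TRACE = """\
[2014.06.18 18:17:45.570417][ERROR][                    ][PSE         ][     1] ERROR(0xA1D5012C) in TOKEN_PSE module. Function open_token_and_login failed: Wrong PIN
[2014.06.18 18:17:45.571344][ERROR][                    ][TOKPSE      ][     1] ERROR(0xA1D50108) in TOKEN_PSE module. Function sec_SecToken_getCardPIN failed: Token application not existing
[2014.06.18 18:17:45.572430][ERROR][                    ][GSS         ][     1] Didn't found a keyTab
[2014.06.18 18:17:46.000001][INFO ][                    ][GSS         ][     1] constructed filler line, not an error
"""

# Field layout assumed from the quoted lines: [timestamp][level][thread][module][count] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[^\]]+)\]\[[^\]]*\]"
    r"\[(?P<module>[^\]]+)\]\[\s*(?P<n>\d+)\]\s*(?P<msg>.*)$"
)
CODE_RE = re.compile(r"ERROR\((0x[0-9A-Fa-f]+)\)")

# Messages seen in the thread, mapped to the remedy given in the answer above
# (delete SAPSNCSKERB.pse and cred_v2, re-create keytab/PSE and credentials).
KEYTAB_HINTS = {
    "Wrong PIN": "PSE PIN does not match: re-create SAPSNCSKERB.pse and the credentials",
    "Token application not existing": "PSE token missing: re-create the keytab/PSE",
    "Didn't found a keyTab": "no keytab found in SECUDIR: re-create the keytab",
}


def parse_trace_line(line):
    """Split one trace line into its fields; return None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = rec["level"].strip()
    rec["module"] = rec["module"].strip()
    code = CODE_RE.search(rec["msg"])
    rec["code"] = code.group(1) if code else None
    return rec


def keytab_findings(trace_text):
    """Return (module, code, matched message, remedy) for each keytab-related ERROR line."""
    findings = []
    for line in trace_text.splitlines():
        rec = parse_trace_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        for needle, remedy in KEYTAB_HINTS.items():
            if needle in rec["msg"]:
                findings.append((rec["module"], rec["code"], needle, remedy))
                break
    return findings
```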

Former Member
0 Kudos

Hello Sam,

SECUDIR="/usr/sap/users/sodadm/sec" (from HOME)

Please add to the start profile(s): SETENV_03 = SECUDIR=$(DIR_INSTANCE)/sec

Note: if you do not have a start profile, then add it to the instance profile; the SETENV_XX index depends on how many SETENV entries you already have in your profile.

Best Regards

Zsolt
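The SETENV_nn bookkeeping Zsolt describes, as an added Python example that is not from the thread or from SAP: it reads a profile (start or instance profile, as plain text), finds the highest existing SETENV index and appends SECUDIR under the next free one, skipping the change if SECUDIR is already set. The profile fragment is constructed, and the SECUDIR value defaults to the $(DIR_INSTANCE)/sec suggested above.

```python
import re

# SETENV_nn = NAME=value   (nn is a two-digit index in SAP profiles)
SETENV_RE = re.compile(r"^\s*SETENV_(\d{2})\s*=\s*(.*?)\s*$")

# Constructed instance profile fragment (not a real system's profile).
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = SOD
INSTANCE_NAME = DVEBMGS00
DIR_INSTANCE = /usr/sap/$(SAPSYSTEMNAME)/$(INSTANCE_NAME)
SETENV_00 = DIR_LIBRARY=$(DIR_LIBRARY)
SETENV_01 = LD_LIBRARY_PATH=$(DIR_LIBRARY):%(LD_LIBRARY_PATH)
SETENV_02 = SHLIB_PATH=$(DIR_LIBRARY):%(SHLIB_PATH)
snc/enable = 1
"""


def setenv_entries(profile_text):
    """Return {index: 'NAME=value'} for every SETENV_nn line in the profile."""
    entries = {}
    for line in profile_text.splitlines():
        m = SETENV_RE.match(line)
        if m:
            entries[int(m.group(1))] = m.group(2)
    return entries


def find_env_var(profile_text, name):
    """Return the SETENV value that already sets `name`, or None if absent."""
    for value in setenv_entries(profile_text).values():
        if value.startswith(name + "="):
            return value
    return None


def add_secudir_setenv(profile_text, secudir="$(DIR_INSTANCE)/sec"):
    """Append SECUDIR under the next free SETENV index; a no-op if already set."""
    if find_env_var(profile_text, "SECUDIR") is not None:
        return profile_text
    entries = setenv_entries(profile_text)
    next_idx = max(entries) + 1 if entries else 0
    new_line = f"SETENV_{next_idx:02d} = SECUDIR={secudir}"
    if profile_text and not profile_text.endswith("\n"):
        profile_text += "\n"
    return profile_text + new_line + "\n"
```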

S0007586158
Participant
0 Kudos

Hi Guilherme,

As suggested by you, I recreated the keytab and the credentials, and now I was able to start the application. Thanks for that.

Now when I try to log in I am getting the message "No user exists with the SNC name "p:CN=xxx@xxxxx"".

I already did the user mapping in SU01; please advise.

Regards,

Sam

tim_alsop
Active Contributor
0 Kudos

Sam,

You need to enter SU01 and visit the SNC tab, change the SNC name, and save it. Then change it back, and save it again. Then it will work.

The problem is that you enabled SNC after adding the SNC name in SU01. When you do this, the SNC name mapping doesn't work until you re-save the change.

Thanks

Tim

S0007586158
Participant
0 Kudos

Hi Tim,

I tried this, but still the same.

Regards,

Sam

tim_alsop
Active Contributor
0 Kudos

The SNC name is case sensitive. Did you enter it in SU01 exactly as it is shown in the error message, including the p: prefix?

S0007586158
Participant
0 Kudos

Yes, correctly said; that fixed the issue.

Regards,

Sam

tim_alsop
Active Contributor
0 Kudos

Good news. When using the SAP SSO product's SNC library, the SNC name has the p:CN= prefix. I understand SAP decided to use this prefix because their SNC library supports both Kerberos principal names and X.509 certificates for user authentication. Other SNC libraries that support Kerberos use an SNC name of p:<user principal name> (without the CN= prefix).

Enjoy !!
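A small checker for the mismatch Tim describes, added here as an example and not part of the thread or of any SAP tool: it parses an SNC name of the form p:[CN=]principal@REALM and reports whether the value stored in SU01 differs from the one in the logon error by case only, by the CN= part (SAP SSO library versus other Kerberos SNC libraries), or otherwise. The names used are constructed placeholders.

```python
import re

# p:[CN=]principal@REALM -- the CN= part is matched case-insensitively so a
# wrongly-cased "cn=" is reported as a case problem rather than a missing part.
SNC_NAME_RE = re.compile(
    r"^(?P<prefix>p:)(?P<cn>[Cc][Nn]=)?(?P<principal>[^@]+)@(?P<realm>.+)$"
)


def parse_snc_name(name):
    """Split an SNC name into prefix, cn, principal and realm; None if malformed."""
    m = SNC_NAME_RE.match(name)
    return m.groupdict() if m else None


def diagnose_snc_mismatch(expected, stored):
    """Compare the SNC name from the logon error (expected) with the SU01 value.

    Returns [] when they are identical, otherwise a list of findings.
    """
    if expected == stored:
        return []
    exp = parse_snc_name(expected)
    if exp is None:
        return ["expected name is not of the form p:[CN=]principal@REALM"]
    got = parse_snc_name(stored)
    if got is None:
        return ["stored value is not of the form p:[CN=]principal@REALM"]
    findings = []
    for part in ("cn", "principal", "realm"):
        e, g = exp[part] or "", got[part] or ""
        if e == g:
            continue
        if e.lower() == g.lower():
            findings.append(f"{part} differs only by case (SNC names are case sensitive)")
        elif part == "cn":
            findings.append(
                "CN= prefix differs: the SAP SSO library uses p:CN=<principal>@<REALM>, "
                "other Kerberos SNC libraries use p:<principal>@<REALM>"
            )
        else:
            findings.append(f"{part} differs")
    return findings or ["names differ in an unclassified way"]
```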

S0007586158
Participant
0 Kudos

Hi Guilherme,

Thanks for all your support; points awarded. :)

Can you please provide some details on how to achieve two-factor authentication with NWSSO?

Regards,

Sam

Answers (1)

donka_dimitrova
Contributor
0 Kudos

Hello Sam,

In the SAP SSO 2.0 implementation guide here:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/70412b93-c972-3010-6a94-da49f9ba5...

in chapter 4.7.2 you will be able to find the procedure for implementing SNC Kerberos Configuration.

There is also a Note there that could be helpful "The Secure Login Library always uses a PSE file called SAPSNCSKERB.pse file for the keytab. The server does not start if the file has a different name."

Check the implementation steps in the guide to see if you missed any.

Best regards,

Donka Dimitrova

S0007586158
Participant
0 Kudos

Hi Donka,

Thanks for the reply. As the error says "unable to find 'sncgss.so' file", how does the creation of the PSE file help?

Please advise.

Regards,

Sam

donka_dimitrova
Contributor
0 Kudos

Hello Sam,

Have you successfully installed the Secure Login Library (SAP SSO 2.0)?

Procedures are available under chapter 4.2.1 and 4.2.3.

Your problem could be because of missing authorizations for the user, wrong paths to the libraries or missing implementation steps.

What is the documentation where you see the steps you have described?

Best regards,

Donka

S0007586158
Participant
0 Kudos

Hello Donka,

I was following the steps as in

I have followed the same steps as what you have mentioned in chapters 4.2.1 & 4.2.3, but what I have seen is that I was not able to see the file libsapcrypto.so in the SLL directory. Do we need to install the sapcryptolib separately?

Regards,

Sam

donka_dimitrova
Contributor
0 Kudos

Hello Sam,

You can try to test the Secure Login Library as described in step 5 of procedure 4.2.3:

"To verify Secure Login Library, use the sapgenpse command" (details in the guide).

If you have followed steps 1 to 4 properly, then the test will be successful and you will be able to see the path to libsapcrypto.so (in the SLL directory). Please make sure the extraction of the file SECURELOGINLIB.SAR is performed successfully in the proper folder.

Best regards,

Donka Dimitrova