on 06-17-2014 10:42 AM
Hi,
Trying to configure SSO with Kerberos [NW SSO 2.0]. Followed these steps:
1. Create service user in ADS;
2. Copy Secure Login Library files to ABAP system [Unix];
3. Configure SNC profile parameters.
After the profile parameter changes, we restarted the application, but the system is not coming up and we found the following error in the trace file:
*** ERROR => DlLoadLib()==DLENOACCESS - dlopen("sncgss.so") FAILED
"Unable to find library 'sncgss.so'." [dlux.c 445]
N *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter #1 (sncgss.so) not loaded [sncxxdl.c 731]
Yes, the file is not available on the system. How do I get the SNC-related files/libraries?
Regards,
Sam
Hello Sam,
As per the trace you've pasted, I assume that you have the snc/gssapi_lib parameter set pointing to sncgss.so (which is not the SLL library for the NWSSO 2.0 product).
Therefore, the first thing is to ensure that you have indeed downloaded the correct product (NWSSO 2.0 -> check SAP Note 1876552) and to point the snc/gssapi_lib parameter correctly to sapcryptolib.so.
NOTE: Such an error can also occur if the file is not at the path given in the parameter or if the user running your system has no authorization to access it.
Best Regards,
Guilherme de Oliveira
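The three conditions named above (library path correct, file present and readable by the user running the instance, plus the SECUDIR and PSE prerequisites that come up later in this thread) can be checked before a restart instead of after. The script below is an added example and is not part of this thread or of the SAP product. It assumes an SAP instance profile in plain "key = value" form, that the Secure Login Library file is named libsapcrypto.* (as the later traces here show), that the PSE is called SAPSNCSKERB.pse, and that the library falls back to $HOME/sec when SECUDIR is unset (as the trace line "SECUDIR=... (from HOME)" indicates). The demo() helper builds a constructed instance layout in a temporary directory; on a real host you would pass the profile text and os.environ of the <sid>adm user instead.

```python
import os
import tempfile
from pathlib import Path

# Profile parameters and file names named in this thread.
LIB_PARAM = "snc/gssapi_lib"
IDENTITY_PARAM = "snc/identity/as"
KERB_PSE = "SAPSNCSKERB.pse"          # fixed PSE name the Secure Login Library expects
SLL_LIB_PREFIX = "libsapcrypto"       # libsapcrypto.so / .sl shipped with the SLL (assumption)


def parse_profile(text):
    """Parse the 'key = value' lines of an SAP instance profile ('#' starts a comment)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def check_snc_prereqs(profile_text, env):
    """Return a list of (severity, message) findings; an empty list means all checks passed.
    `env` is the environment of the user who starts the instance (os.environ for <sid>adm)."""
    findings = []
    params = parse_profile(profile_text)

    # 1. Library: must be set, exist, be readable by this user, and be the SLL library.
    lib = params.get(LIB_PARAM)
    if not lib:
        findings.append(("ERROR", f"{LIB_PARAM} is not set"))
    else:
        if not Path(lib).is_absolute():
            findings.append(("WARN", f"{LIB_PARAM} is relative; dlopen() may resolve '{lib}' elsewhere"))
        if not os.path.isfile(lib):
            findings.append(("ERROR", f"{LIB_PARAM}: '{lib}' does not exist (dlopen would fail with DLENOACCESS)"))
        elif not os.access(lib, os.R_OK):
            findings.append(("ERROR", f"{LIB_PARAM}: '{lib}' is not readable by this user"))
        if not Path(lib).name.startswith(SLL_LIB_PREFIX):
            findings.append(("WARN", f"{LIB_PARAM}: '{Path(lib).name}' is not the Secure Login Library ({SLL_LIB_PREFIX}.*)"))

    # 2. SECUDIR: the library falls back to $HOME/sec when it is unset, which is easy to miss.
    secudir = env.get("SECUDIR")
    if not secudir:
        findings.append(("WARN", "SECUDIR is not set; the library will fall back to $HOME/sec"))
        secudir = os.path.join(env.get("HOME", ""), "sec")
    pse = os.path.join(secudir, KERB_PSE)
    if not os.path.isdir(secudir):
        findings.append(("ERROR", f"SECUDIR '{secudir}' does not exist"))
    elif not os.path.isfile(pse):
        findings.append(("ERROR", f"{KERB_PSE} not found in '{secudir}' (the server does not start without it)"))

    # 3. Identity: the accepting name must be a printable SNC name ('p:' prefix).
    identity = params.get(IDENTITY_PARAM)
    if not identity:
        findings.append(("ERROR", f"{IDENTITY_PARAM} is not set"))
    elif not identity.startswith("p:"):
        findings.append(("ERROR", f"{IDENTITY_PARAM} '{identity}' must start with 'p:'"))
    return findings


def demo(broken):
    """Run the checks against a constructed instance layout in a temporary directory.
    broken=False: everything in place; broken=True: the situation from the first post."""
    with tempfile.TemporaryDirectory() as root:
        sll = Path(root, "SLL")
        sec = Path(root, "sec")
        sll.mkdir()
        sec.mkdir()
        (sll / "libsapcrypto.so").write_bytes(b"")   # constructed placeholder, not a real library
        (sec / KERB_PSE).write_bytes(b"")            # constructed placeholder PSE
        if broken:
            profile = f"{LIB_PARAM} = sncgss.so\n{IDENTITY_PARAM} = p:CN=SAP-SSO-SOD\n"
            env = {"HOME": root}                     # SECUDIR missing, as in the thread
        else:
            profile = f"{LIB_PARAM} = {sll / 'libsapcrypto.so'}\n{IDENTITY_PARAM} = p:CN=SAP-SSO-SOD\n"
            env = {"HOME": root, "SECUDIR": str(sec)}
        return check_snc_prereqs(profile, env)


if __name__ == "__main__":
    for severity, message in demo(broken=True):
        print(severity, message)
```

Running the broken case reports the missing library as an ERROR and the unset SECUDIR and non-SLL library name as WARNs, which is the same split the thread works through one restart at a time.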
Hello Sam,
I suppose you have already restarted the system after correctly setting the snc/gssapi_lib parameter, right? You are also installing NWSSO in the SLL folder, right?
Therefore, could you kindly:
1. Go to your SLL folder;
2. Ensure to use the sapgenpse from NWSSO product:
./sapgenpse seclogin -p SAPSNCSKERB.pse
Does it still result in "can't add credentials"? If it does, could you kindly provide me the output of the sapgenpse command?
Best Regards,
Guilherme de Oliveira
Dear Guilherme,
Thanks for the reply, the above was resolved. It was basically due to the missing environment variable SECUDIR. After maintaining this, I was able to add the credentials.
But now when I try to start the instance I get the below error in the trace file:
N SncInit(): found snc/gssapi_lib=/usr/sap/SOD/DVEBMGS00/SLL/libsapcrypto.sl
N File "/usr/sap/SOD/DVEBMGS00/SLL/libsapcrypto.sl" dynamically loaded as GSS-API v2 library.
N SECUDIR="/usr/sap/users/sodadm/sec" (from HOME)
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Secure Login Library
N Product Version = CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.18 pl40 (Apr 14 2014) MT-safe
N SncInit(): found snc/identity/as=p:CN=SAP-SSO-SOD
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]
N GSS-API(maj): No credentials were supplied
N Could't acquire ACCEPTING credentials for
N
N name="p:CN=SAP-SSO-SOD"
N FATAL SNCERROR -- Accepting Credentials not available!
N (debug hint: default acceptor = "p:CN=DummyCredential")
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 237]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 240]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 11345]
Kindly advise; thanks for the extended support.
Regards,
Sam
Hello Sam,
Now the current error needs more detailed investigation:
1. In your AD, could you kindly ensure that you have set your Service User and maintained its Service Principal Name as SAP-SSO-SOD?
2. Have you created the keytab to this service user?
3. If you're using the Kerberos implementation only, please change the parameter and settings to include the domain part as well (i.e. snc/identity/as = SAP-SSO-SOD@<DOMAIN>).
4. Ensure that your credentials are correctly created for the sodadm user.
I hope this helps.
Best Regards,
Guilherme de Oliveira
Hi Guilherme,
1. Yes, the service user has been maintained in ADS, but the Service Principal Name has been maintained as SAP/SAP-SSO-SOD as per the document which I referred to earlier.
2. The keytab has been created for the user.
3. Tried changing the value for snc/identity/as to include the domain, but got the same error.
4. Credentials are correctly created for sodadm.
Regards,
Sam
Hello Guilherme,
Thanks for the suggestion; the developer trace has been activated for the Secure Login Library.
Found the errors below in the sec-dev_w0.trc file.
[2014.06.18 18:17:45.570417][ERROR][ ][PSE ][ 1] ERROR(0xA1D5012C) in TOKEN_PSE module. Function open_token_and_login failed: Wrong PIN
[2014.06.18 18:17:45.570475][ERROR][ ][PSE ][ 1] ERROR(0xA1D5012C) in TOKEN_PSE module. Function add_token failed: Wrong PIN
[2014.06.18 18:17:45.571344][ERROR][ ][TOKPSE ][ 1] ERROR(0xA1D50108) in TOKEN_PSE module. Function sec_SecToken_getCardPIN failed: Token application not existing
[2014.06.18 18:17:45.571423][ERROR][ ][PSE ][ 1] ERROR(0xA1D50108) in TOKEN_PSE module. Function open_token_and_login failed: Token application not existing
[2014.06.18 18:17:45.571482][ERROR][ ][PSE ][ 1] ERROR(0xA1D50108) in TOKEN_PSE module. Function add_token failed: Token application not existing
[2014.06.18 18:17:45.572430][ERROR][ ][GSS ][ 1] Didn't found a keyTab
Regards,
Sam
Hello Sam,
Thanks for the traces. As per them, it seems that your keytab is the issue. Fast solution? Re-create it:
1. Delete the SAPSNCSKERB.pse and the cred_v2 files;
2. Re-create the keytab (and therefore the PSE);
3. Re-create the credentials.
Ensure to use the correct password when re-creating the keytab (especially for your service user, the password must match your AD's password).
Best Regards,
Guilherme de Oliveira
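The diagnosis above rests on reading two traces together: dev_w0 only says that accepting credentials could not be acquired, while sec-dev_w0.trc names the real cause (wrong PIN, no keytab). The script below is an added example, not part of this thread or of any SAP tool. It maps the trace signatures quoted in this thread to the stage of SNC start-up they belong to and to the remedy the thread arrived at, and reports the earliest failing stage, since fixing a later stage while an earlier one still fails is wasted effort. The sample lines are the excerpts posted above; stage names and remedy texts are my own wording of the thread's advice.

```python
import re

# Stages of SNC start-up in the order they occur: the earliest stage with a hit is
# the one to fix first.
STAGE_ORDER = ["library-load", "keytab-pse", "acquire-credentials", "user-mapping"]

# Signatures taken from the trace excerpts posted in this thread, each mapped to a
# stage and to the remedy the thread arrived at for it (wording is mine).
SIGNATURES = [
    ("library-load",
     re.compile(r"DLENOACCESS|SncPDLInit\(\)==SNCERR_INIT|Unable to find library"),
     "snc/gssapi_lib does not point to a loadable Secure Login Library: check the "
     "path, the file name and the read permission of the user running the instance"),
    ("keytab-pse",
     re.compile(r"Wrong PIN|Didn't found a keyTab|Token application not existing"),
     "the keytab/PSE is unusable: delete SAPSNCSKERB.pse and cred_v2, re-create the "
     "keytab with the service user's current AD password, then re-create the credentials"),
    ("acquire-credentials",
     re.compile(r"SncPAcquireCred\(\)==SNCERR_GSSAPI|Accepting Credentials not available|"
                r"No credentials were supplied"),
     "no accepting credentials for snc/identity/as: check SECUDIR, the service "
     "principal name in AD and that credentials exist for the <sid>adm user"),
    ("user-mapping",
     re.compile(r"No user exists with the SNC name"),
     "the SNC name was mapped in SU01 before SNC was enabled: re-save it in SU01"),
]


def triage(lines):
    """Map each trace line to the first signature it matches.
    Returns {stage: [matching lines]} for the stages that were hit."""
    hits = {}
    for line in lines:
        for stage, pattern, _remedy in SIGNATURES:
            if pattern.search(line):
                hits.setdefault(stage, []).append(line.strip())
                break
    return hits


def first_failing_stage(lines):
    """Earliest stage (in start-up order) with a hit, or None if nothing matched."""
    hits = triage(lines)
    for stage in STAGE_ORDER:
        if stage in hits:
            return stage
    return None


def remedy_for(stage):
    """Remedy text recorded for a stage, or None for an unknown stage."""
    for s, _pattern, remedy in SIGNATURES:
        if s == stage:
            return remedy
    return None


# Sample input: trace excerpts as quoted in this thread (dev_w0 and sec-dev_w0.trc).
SAMPLE_LIB_FAIL = [
    '*** ERROR => DlLoadLib()==DLENOACCESS - dlopen("sncgss.so") FAILED',
    'N *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter #1 (sncgss.so) not loaded [sncxxdl.c 731]',
]
SAMPLE_DEV_W0 = [
    "N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]",
    "N GSS-API(maj): No credentials were supplied",
    "N FATAL SNCERROR -- Accepting Credentials not available!",
    "N <<- SncInit()==SNCERR_GSSAPI",
]
SAMPLE_SEC_DEV = [
    "[2014.06.18 18:17:45.570417][ERROR][ ][PSE ][ 1] ERROR(0xA1D5012C) in TOKEN_PSE module. "
    "Function open_token_and_login failed: Wrong PIN",
    "[2014.06.18 18:17:45.572430][ERROR][ ][GSS ][ 1] Didn't found a keyTab",
]


if __name__ == "__main__":
    for name, sample in [("first start", SAMPLE_LIB_FAIL),
                         ("second start", SAMPLE_DEV_W0 + SAMPLE_SEC_DEV)]:
        stage = first_failing_stage(sample)
        print(f"{name}: fix '{stage}' first -> {remedy_for(stage)}")
```

For the second start the dev_w0 lines alone would point at "acquire-credentials", but once the sec-dev_w0.trc lines are included the earliest failing stage is "keytab-pse", which is exactly the re-create-the-keytab conclusion reached above.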
Hi Guilherme,
As suggested by you I recreated the keytab and the credentials and now I was able to start the application. Thanks for that.
Now when I try to log in I am getting the message 'No user exists with the SNC name "p:CN=xxx@xxxxx"'.
I already did the user mapping in su01, please advise.
Regards,
Sam
Sam,
You need to enter su01 and visit the SNC tab, change the SNC name, and save it. Then change it back, and save it again. Then it will work.
The problem is that you enabled SNC after adding the SNC name into SU01. When you do this, the SNC name mapping doesn't work until you re-save the change.
Thanks
Tim
Good news. When using the SAP SSO product's SNC library the SNC name has the p:CN= prefix. I understand SAP decided to use this prefix because their SNC library supports both Kerberos principal names and X.509 certificates for user authentication. Other SNC libraries that support Kerberos use an SNC name of p:<user principal name> (without the CN= prefix).
Enjoy !!
Hello Sam,
In the SAP SSO 2.0 implementation guide here:
in chapter 4.7.2 you will be able to find the procedure for implementing SNC Kerberos Configuration.
There is also a Note there that could be helpful "The Secure Login Library always uses a PSE file called SAPSNCSKERB.pse file for the keytab. The server does not start if the file has a different name."
Check the implementation steps in the guide to see if you missed any.
Best regards,
Donka Dimitrova
Hello Sam,
Have you successfully installed the Secure Login Library (SAP SSO 2.0)?
Procedures are available under chapters 4.2.1 and 4.2.3.
Your problem could be because of missing authorizations for the user, wrong paths to the libraries or missing implementation steps.
What is the documentation where you see the steps you have described?
Best regards,
Donka
Hello Sam,
You can try to test the Secure Login Library as described in step 5 of the procedure 4.2.3:
"To verify Secure Login Library, use the sapgenpse command" (details in the guide).
If you have followed steps 1 to 4 properly then the test will be successful and you will be able to see the path to the libsapcrypto.so (in the SLL directory). Please make sure the extraction of the file SECURELOGINLIB.SAR is performed successfully in the proper folder.
Best regards,
Donka Dimitrova