on 03-22-2016 9:30 PM
Hello Team
We are in the process of implementing SAP NW SSO using Kerberos in our SAP environment. I am looking for recommendations on some of the setup requirements in the following scenarios:
SAP Production CI + 10 Application Server
1. Service user id - I understand everyone recommends creating a service id for each SAP instance to reduce the impact of service id credential issues.
- But has anyone tried creating a service user id for each production application server within a single production system? For e.g. - 10 SAP application servers would have 10 service ids but one SPN. With this setup, we have to create a separate SAPSNCKERB.pse for each application server.
2. We are sharing the kernel directory but not "SEC". Each application server has /usr/sap/SID/D<Instance no>/sec (/usr/sap/ABC/D00/sec).
- Should we create the Kerberos keytab PSE on one server and copy it to the rest in the "secudir" path?
3. Should we set up the SNC parameters in the Default or the Instance profile? (We are not using SNCWIZARD, but I have noticed SAP updates all SNC parameters in Default if I use the Wizard.)
Let me know if you have any further recommendations.
Thank you
Santosh.
Hi Santosh,
You asked for a recommendation. My recommendation is to create an AD service account for each SID and, as Donka already correctly said, separate SPNs SAP/<ServiceAccount> for each account. Creating the SNC PSE, the keytab and the credentials is 3 CLI commands and at most some minutes of effort per server. I don't see the problem. Configure snc/identity_as in the instance profile. SAP recommends setting these parameters in the instance profile of an SAP system; in the end it will work with default also, but the instance profile will overrule the default one. You or your SAP hoster should decide this based on your landscape, as you require.
Carsten
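An illustration of the split Carsten describes, added here as an example; it is not taken from the thread or from SAP documentation. The SID-wide SNC/SPNego settings sit in DEFAULT.PFL, and the parameters whose value is host- or instance-specific, or that must not be overridden by accident, sit in each instance profile, where they take precedence over DEFAULT.PFL. With one AD service account per SID the snc/identity_as value is identical on every application server, so placing it in the instance profile is about precedence, not about the value differing. The SID ABC and the sec directory layout come from the thread; the library path, the realm EXAMPLE.COM and the protection levels are assumptions.

```ini
# DEFAULT.PFL - shared by all instances of SID ABC (assumed values)
snc/enable = 1
# 3 = privacy (encryption); 1 = authentication only, 2 = integrity
snc/data_protection_min = 3
snc/data_protection_max = 3
snc/data_protection_use = 3
# Accepting non-SNC logons is only needed while clients are being migrated;
# once every SAP GUI / RFC client uses SNC, set these to 0 so a user or
# program cannot simply fall back to password logon over a clear channel.
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/permit_insecure_start = 1
spnego/enable = 1

# ABC_D00_<host> - instance profile of dialog instance 00 (assumed values)
# Library path depends on the host's kernel/exe directory, so it is kept per instance.
snc/gssapi_lib = /usr/sap/ABC/SYS/exe/run/libsapcrypto.so
spnego/krbspnego_lib = /usr/sap/ABC/SYS/exe/run/libsapcrypto.so
# SNC name of this SID's service account; must match the SPN and the keytab PSE in SECUDIR.
snc/identity_as = p:CN=SAP/SAPServiceABC@EXAMPLE.COM
```

Each application server of the SID gets the same two instance-profile blocks with its own instance number and host in the profile name; the DEFAULT.PFL block is written once.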
Hi Donka and Carsten
Thanks for your recommendation.
1. We have created a separate service id and SPN (SAP/Serviceaccount<SID>) for each instance (SID).
2. But my question is - should we create a separate service account for each application server or just one service account per SID? I am concerned that if the service account is locked then the entire SID will not be available, but let me know what you suggest.
3. Instead of creating a PSE for each SAP server (within the SID), we have copied the central instance PSE to the application instance SEC directory and added credentials (seclogin -O). It worked with the same PSE across the dialog instances.
Is this approach okay, or do you have better suggestions?
Thank you
Santosh
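A check for the approach Santosh describes (one PSE copied from the central instance into every dialog instance's sec directory, credentials added with seclogin -O), added here as an example and not code from the thread or from SAP. Per instance it confirms that the PSE and the credential file exist and are readable only by their owner, and that the copied PSE is byte-identical to the central instance's, so a stale or modified copy on one of the ten application servers is found before users report failed SSO. The PSE file name is passed as an argument; the directory layout /usr/sap/<SID>/D<nn>/sec and the SID ABC come from the thread; the credential file name cred_v2 (what seclogin -O writes into SECUDIR) and the DVEBMGS<nn> directory of the central instance are my assumptions.

```shell
#!/bin/sh
# Added example: audit the SNC PSE replicated to each dialog instance's secudir.
# Assumptions (not stated in the thread): "seclogin -O <sidadm>" writes
# SECUDIR/cred_v2; the central instance lives in /usr/sap/<SID>/DVEBMGS<nn>.

# Octal permission bits of a file: GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_secudir <dir> <pse-name>
# Returns 0 when the PSE and cred_v2 both exist and are owner-only (600 or 400).
check_secudir() {
  dir=$1; pse=$2; rc=0
  for f in "$pse" cred_v2; do
    if [ ! -f "$dir/$f" ]; then
      echo "MISSING $dir/$f"; rc=1; continue
    fi
    mode=$(file_mode "$dir/$f")
    case "$mode" in
      600|400) ;;
      *) echo "PERMS   $dir/$f is $mode, expected 600"; rc=1 ;;
    esac
  done
  return $rc
}

# pse_matches_reference <reference-pse> <candidate-pse>
# Returns 0 when the copy on an application server is byte-identical to the CI's.
pse_matches_reference() {
  cmp -s "$1" "$2"
}

# audit_sid <SID> <pse-name> [<base-dir>]
# Walks every dialog instance D<nn> of one SID under <base-dir> (default /usr/sap),
# using the central instance's PSE as the reference copy. Returns 0 only if all pass.
audit_sid() {
  sid=$1; pse=$2; base=${3:-/usr/sap}; ok=0
  ref=$(ls -d "$base/$sid"/DVEBMGS*/sec/"$pse" 2>/dev/null | head -n 1)
  for d in "$base/$sid"/D[0-9][0-9]/sec; do
    [ -d "$d" ] || continue
    check_secudir "$d" "$pse" || ok=1
    if [ -n "$ref" ] && ! pse_matches_reference "$ref" "$d/$pse"; then
      echo "DIFFERS $d/$pse does not match $ref"; ok=1
    fi
  done
  return $ok
}

# Usage on a host of SID ABC (PSE name as configured in your secudir):
#   audit_sid ABC SAPSNCSKERB.pse
```

Run it as the <sid>adm user after each copy, and again whenever the keytab PSE is regenerated on the central instance: a non-zero exit means at least one application server has a missing, stale or over-permissive file.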
Hello Santosh,
You can create only one service account, but you have to create a separate servicePrincipalName (SPN) for every instance, following this example: SAP/SAPService<SID>, where <SID> will be the instance.
The best is to use the sncwizard. See the details here: Using the Single Sign-On Wizard to Configure SNC and SPNego - What Is Secure Login? - SAP Library
Regards,
Donka Dimitrova