NW-SSO with Kerberos - Recommendation for Multiple Application server & RAC

Former Member
Hello Team

We are in the process of implementing SAP NW SSO using Kerberos in our SAP environment. I am looking for recommendations on some of the setup requirements in the following scenario:

SAP Production CI + 10 Application Servers

1.  Service user ID - I understand everyone recommends creating a service ID for each SAP instance to reduce the impact of service ID credential issues.

        -  But has anyone tried creating a service user ID for each production application server of a single production system? E.g. 10 SAP application servers would have 10 service IDs but one SPN. With this setup, we have to create a separate SAPSNCKERB.pse for each application server.

2.  We are sharing the kernel directory but not "sec". Each application server has /usr/sap/SID/D<Instance no>/sec (/usr/sap/ABC/D00/sec).

     -  Should we create the Kerberos keytab PSE on one server and copy it to the rest in the "secudir" path?

3.   Should we set up the SNC parameters in the default or the instance profile? (We are not using SNCWIZARD, but I have noticed SAP updates all SNC parameters in the default profile if I use the wizard.)

Let me know if you have any further recommendation.

Thank you


Santosh.

Accepted Solutions (0)

Answers (2)

Former Member
Hi Santosh,

You asked for a recommendation. My recommendation is to create an AD service account for each SID and, as Donka already correctly said, separate SPNs SAP/<ServiceAccount> for each account. Creating the SNC PSE, the keytab and the credentials is 3 CLI commands and at most a few minutes of effort per server; I don't see the problem. Configure snc/identity/as in the instance profile. SAP recommends setting these parameters in the instance profile of an SAP system; in the end it will work with the default profile also, but the instance profile overrules the default one. You or your SAP hoster should decide this based on your landscape, as you require.

Carsten

Former Member
Hi Donka and Carsten

Thanks for your recommendation.

1. We have created a separate service ID and SPN (SAP/Serviceaccount<SID>) for each instance (SID).

2.  But my question is: should we create a separate service account for each application server, or just one service account per SID? I am concerned that if the service account is locked then the entire SID will not be available, but let me know what you suggest.

3. Instead of creating a PSE for each SAP server (within a SID), we have copied the central instance PSE to the application instance sec directory and added credentials (seclogin -O). It worked with the same PSE across the dialog instances.

Is this approach okay or have better suggestions?

Thank you

Santosh
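
The procedure discussed in this thread (the three sapgenpse steps Carsten mentions per server, Santosh's copy-the-CI-PSE variant, and the SNC parameters in the instance profile) as one script. This is an added example, not code from the thread or from SAP. It assumes sapgenpse from the Secure Login Library / CommonCryptoLib, a PSE named SAPSNCSKERB.pse in SECUDIR = /usr/sap/<SID>/<INSTANCE>/sec, an SPN of the form SAP/SAPService<SID>@<REALM>, and a <sid>adm OS user; the sapgenpse flags follow the SLL documentation as I know it and should be checked against your version. The script only prints the commands and profile lines for review; it does not touch a system.

```shell
#!/bin/sh
# Added example (not from the thread): emit the per-instance SNC/Kerberos
# setup commands and an instance-profile fragment for one SAP SID.
# Assumptions (see lead-in): sapgenpse on PATH, PSE name SAPSNCSKERB.pse,
# SPN SAP/SAPService<SID>@<REALM>, OS user <sid>adm, SECUDIR under the
# instance directory. Nothing is executed; output is meant to be reviewed.

# SNC name the application server presents: p:CN=<SPN>@<REALM>
snc_identity() {
    printf 'p:CN=SAP/SAPService%s@%s\n' "$1" "$2"
}

# Per-instance SECUDIR, as in the thread: /usr/sap/<SID>/<INSTANCE>/sec
secudir() {
    printf '/usr/sap/%s/%s/sec\n' "$1" "$2"
}

# The sapgenpse steps for one instance.
#   mode=fresh : create a new PSE on that server, import the Kerberos key
#                for the SPN into it (sapgenpse keytab) and create the
#                credential file for <sid>adm (the "3 CLI commands").
#   mode=copy  : the PSE (keytab already inside) was copied from the CI's
#                SECUDIR, so only the credential file is created.
pse_commands() {
    mode=$1; sid=$2; realm=$3; inst=$4
    adm="$(printf '%s' "$sid" | tr 'A-Z' 'a-z')adm"
    spn="SAP/SAPService${sid}@${realm}"
    printf 'export SECUDIR=%s\n' "$(secudir "$sid" "$inst")"
    printf 'cd "$SECUDIR"\n'
    if [ "$mode" = fresh ]; then
        # empty PIN (-x ""), no certificate request: SNC-Kerberos only
        printf 'sapgenpse gen_pse -p SAPSNCSKERB.pse -x "" -noreq "CN=%s"\n' "$spn"
        # -y prompts for the service account password (flag per SLL docs)
        printf 'sapgenpse keytab -p SAPSNCSKERB.pse -x "" -a %s -y\n' "$spn"
    fi
    printf 'sapgenpse seclogin -p SAPSNCSKERB.pse -x "" -O %s\n' "$adm"
}

# Instance-profile parameters. Instance values override DEFAULT.PFL, which is
# why the thread recommends putting them there. The accept_insecure_* = 1 and
# permit_insecure_start = 1 values keep non-SNC logons working during the
# rollout; set them to 0 once every client and RFC partner uses SNC.
profile_fragment() {
    printf 'snc/enable = 1\n'
    printf 'snc/gssapi_lib = $(DIR_EXECUTABLE)/libsapcrypto.so\n'
    printf 'snc/identity/as = %s\n' "$(snc_identity "$1" "$2")"
    printf 'snc/data_protection/min = 2\n'
    printf 'snc/data_protection/max = 3\n'
    printf 'snc/data_protection/use = 3\n'
    printf 'snc/accept_insecure_gui = 1\n'
    printf 'snc/accept_insecure_rfc = 1\n'
    printf 'snc/accept_insecure_cpic = 1\n'
    printf 'snc/accept_insecure_r3int_rfc = 1\n'
    printf 'snc/permit_insecure_start = 1\n'
    printf 'snc/extid_login_diag = 1\n'
    printf 'snc/extid_login_rfc = 1\n'
}

# usage: sh snc_setup.sh <SID> <REALM> fresh|copy <INSTANCE>...
# e.g.   sh snc_setup.sh ABC EXAMPLE.COM copy D01 D02 D03
main() {
    sid=$1; realm=$2; mode=$3; shift 3
    echo "# --- instance profile fragment for $sid ---"
    profile_fragment "$sid" "$realm"
    for inst in "$@"; do
        echo "# --- $inst ($mode PSE) ---"
        pse_commands "$mode" "$sid" "$realm" "$inst"
    done
}

if [ $# -gt 0 ]; then main "$@"; fi
```

The keytab step stores the service account's Kerberos key inside the PSE; that is why the copied CI PSE works on the dialog instances, and also why a password reset of the account invalidates every copy at once, which is the practical consequence of the one-account-per-SID choice discussed above.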

donka_dimitrova
Hello Santosh,

You can create one service account or several; both variants will work. In both cases, you have to make sure these accounts are not locked, and this depends on your administrative operating procedures.

Regards,

Donka Dimitrova

donka_dimitrova
Hello Santosh,

You can create only one service account, but you have to create a separate servicePrincipalName (SPN) for every instance, following this example: SAP/SAPService<SID>, where <SID> is the instance.

The best option is to use the sncwizard. See the details here: Using the Single Sign-On Wizard to Configure SNC and SPNego - What Is Secure Login? - SAP Library

Regards,

Donka Dimitrova