
Kerberos in AS/400

Former Member
0 Kudos

Hi experts,

I want to configure SSO with Kerberos and SAP GUI.

The server is an AS/400 and I cannot configure it correctly. My steps are:

- Configure NAS (Network Authentication Service)

- Execute the bat in Domain

- Try to register with kinit -k krbsvr400/<host>:<domain>@<DOMAIN>, but this error appears:

EUVF06014E Unable to obtain initial credentials.                           

           Status 0x96c73adb - Security server is not defined for requested realm.                                                                      

Any idea?

Thanks in advance,

Regards,

Accepted Solutions (1)


RSchmerbauch
Participant
0 Kudos

Looking at that message, the resolution is stated as

"Ensure the security server is defined in either the LDAP directory or the Kerberos configuration file and then retry the request."

Have you done that?

Former Member
0 Kudos

Hi,

Yes, the host was created in LDAP as a Computer, with the name <host>, but I get the error.

Regards,

Former Member
0 Kudos

OK, I think the problem was that I wrote the KDC wrong... now it is working!!

My problem is: where is the library libgssapi_krb5?

Regards,

hemanth2
Product and Topic Expert
0 Kudos

Hi Victor,

Hope you are doing good.

Not sure what error you are getting, but usually the library files are in the location /usr/lib64.

Please also check SAP Note 1732610 for more hints on this.

Hope this helps.

_ _ _ _ _ _ _ __ _ _

Kind Regards,

Hemanth

Former Member
0 Kudos

I do not have the directory /usr/lib64...

It is not clear to me which library is necessary: ibsapcrypto.so or libgssapi_krb5?

hemanth2
Product and Topic Expert
0 Kudos

Hi Victor, just to clarify: is it ibsapcrypto.so or libsapcrypto.so that you are referring to?

Former Member
0 Kudos

I need the library for the parameter snc/gssapi_lib

I understood that it was libgssapi_krb5, but the SAP Note mentions the library libsapcrypto.so (I was missing the "l").

So, which one is necessary?

Regards,

hemanth2
Product and Topic Expert
0 Kudos

Hi Victor,

Yes, the parameter snc/gssapi_lib is usually set to the libsapcrypto.<ext> which is part of the SAP Cryptographic Library.

For example:

snc/gssapi_lib    /usr/sap/BWD/SYS/exe/run/libsapcrypto.so   

Please see this sample file:

Sample Profile Parameter Settings for SNC - Secure Network Communications (SNC) - SAP Library

Hope this helps.

_ _ _ _ _ _ _ __ _ _

Kind Regards,

Hemanth

hemanth2
Product and Topic Expert
0 Kudos

Just another point: Since NWSSO 2.0 (the officially supported solution), the SAP SNC library is called libsapcrypto.so. If you get any errors, start the server with snc/enable = 1 and the dev_w<nr> trace should have more details about the error.

Former Member
0 Kudos

OK, I executed the command correctly:

kinit -k krbsvr400/<host_with_domain>@<DOMAIN>

I added the library libsapcrypto.o

But when I try to start SAP, this error appears:

*** ERROR => SncPGSSImportName()==SNCERR_GSSAPI  [sncxxall.c 2699]

       GSS-API(maj): An invalid name was supplied                        

     Import of a name failed                                             

     name="p:krbsvr400/<host_with_domain>@<DOMAIN>"                         

     (debug hint: default acceptor = "p:CN=DummyCredential")             

<<- SncInit()==SNCERR_GSSAPI                                            

          sec_avail = "false"                                            

***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    238]       

*** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    240]     

in_ThErrHandle: 1                                                       

*** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 11560]

I checked with the command klist that krbsvr400/<host_with_domain>@<DOMAIN> appears.

Any idea?

Thanks in advance,

Regards,

hemanth2
Product and Topic Expert
0 Kudos

Hi Victor,

Just to clarify, is your SNC now configured to use Kerberos or SAPCryptolib? What is the "snc/gssapi_lib" parameter set to now (Kerberos or SAPCRYPTOLIB)? If it is set to Kerberos, then the SNC PSE won't be created and you will get such an error.

A configuration will need more steps (just a parameter change is not enough). The best option is to choose the SNC product you want to configure in your system and configure it according to its guide. For example, for Kerberos SNC in AIX, the SAP solution (SAP Single Sign On 2.0) is available:

<http://help.sap.com/nwsso>

More info is available in SAP Note 150380 - Is Kerberos 5 supported for use with SNC?

Are you following any particular guide?

_ _ _ _ _ _ _ __ _ _

Kind Regards,

Hemanth

Former Member
0 Kudos

Hi,

I configured everything with Kerberos, that is why I have doubts about the library.

At the moment it points to libsapcrypto. Is that correct?

Regards,

volker_gldenpfennig
Active Participant
0 Kudos

Hi Victor,

OK, then you do have a mismatch ;-((

Kerberos supports SNC & SSO, but is no longer officially supported (but works great) ...

the free version with the sapcryptolib does support SNC, but NO SSO, but is supported ...

So, depending on your needs, you have to use the correct setup ... either with kerberos or with sapcryptolib ... we did the kerberos setup pretty often. It is sometimes a bit tricky, but in the end it always works fine 😉

Regards,

Volker Gueldenpfennig, consolut international ag
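
The trace posted above and the mismatch the replies point to can be checked mechanically. This is an added example, not part of any post in this thread and not SAP code: it parses the first SNC failure block from a dev_w<nr> trace and compares the shape of the name SNC tried to import with the default acceptor name reported in the debug hint. The host and realm in the sample are constructed placeholders, and the name-shape classification is this example's own heuristic.

```python
import re

# Constructed sample: the dev_w<nr> excerpt from the thread, with placeholder
# host and realm values substituted for <host_with_domain> and <DOMAIN>.
SAMPLE_TRACE = '''\
*** ERROR => SncPGSSImportName()==SNCERR_GSSAPI  [sncxxall.c 2699]
       GSS-API(maj): An invalid name was supplied
     Import of a name failed
     name="p:krbsvr400/host.example.com@EXAMPLE.COM"
     (debug hint: default acceptor = "p:CN=DummyCredential")
<<- SncInit()==SNCERR_GSSAPI
          sec_avail = "false"
*** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    240]
'''

ERROR_RE = re.compile(r"\*\*\* ERROR => (\w+)\(\)==(\w+)\s+\[(\S+)\s+(\d+)\]")
FIELD_RES = {
    "major": re.compile(r"GSS-API\(maj\):\s*(.+?)\s*$"),
    "name": re.compile(r'^\s*name="([^"]*)"'),
    "acceptor": re.compile(r'default acceptor = "([^"]*)"'),
}

def name_form(snc_name):
    """Classify an SNC name by shape (heuristic assumed by this example)."""
    body = snc_name.split(":", 1)[-1]  # drop a "p:" style prefix if present
    if re.match(r"(CN|OU|O|C)=", body, re.IGNORECASE):
        return "x500-dn"
    return "kerberos-principal" if "@" in body else "unknown"

def diagnose(trace):
    """Return details of the first SNCERR_GSSAPI block in a trace, or None."""
    info = None
    for line in trace.splitlines():
        if line.startswith("*** ERROR"):
            if info is not None:
                break  # the next error line ends the first failure block
            m = ERROR_RE.search(line)
            if m and m.group(2) == "SNCERR_GSSAPI":
                info = {"function": m.group(1), "source": m.group(3),
                        "line": int(m.group(4))}
        elif info is not None:
            for key, rx in FIELD_RES.items():
                m = rx.search(line)
                if m:
                    info.setdefault(key, m.group(1))
    if info is None:
        return None
    forms = (name_form(info.get("name", "")), name_form(info.get("acceptor", "")))
    info["name_form"], info["acceptor_form"] = forms
    info["form_mismatch"] = "unknown" not in forms and forms[0] != forms[1]
    return info

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

A `form_mismatch` of True means the configured SNC name and the loaded library's default credential are in different name formats, which is the situation the replies describe as mixing the Kerberos setup with the sapcryptolib setup.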

Former Member
0 Kudos

OK, but what is the problem? The library?

I configured everything:

- Configure NAS (Network Authentication Service)

- Execute the bat in Domain

- kinit -k krbsvr400/<host_with_domain>@<DOMAIN>

Which library should I add? libsapcrypto or libgssapi_krb5?

volker_gldenpfennig
Active Participant
0 Kudos

Hi Victor,

if you do have the keytab from the domain, you should copy it to the iSeries and try the following with qsecofr:

1. Start the PASE shell interpreter

CALL QP2TERM

2. Check the contents of the new keytab before installation

  /QOpenSys/usr/bin/klist -e -k /tmp/kerberos/xxxx_SAPService.keytab

3. Check the authentication of the new keytab

/QOpenSys/usr/bin/kinit -k -t /tmp/Kerberos/xxxx_SAPService.keytab SAPService/xxxx.domain.com


The question would be, what happens here ...

I never added any "special library" here ... this is "pure" Kerberos and not the connection to SAP ...

Regards,

Volker Gueldenpfennig, consolut international ag

Former Member
0 Kudos

mmmm, so strange...

- If I execute qsh and klist or kinit, it works fine

- If I execute CALL QP2TERM, an error appears:

/QOpenSys/usr/bin/-sh: klist: 0403-006 execute permission denied

Why?

Regards,

volker_gldenpfennig
Active Participant
0 Kudos

Hi Victor,

in my eyes, both should work - at least QP2TERM as it is all AIX executables ...

Do you see the error during start of CALL QP2TERM already or when then starting klist or kinit?

If you cannot even start QP2TERM, the setup of your iSeries is wrong ;-((

Now, it sounds like becoming consulting ...

Regards,

Volker Gueldenpfennig, consolut international ag

Former Member
0 Kudos

Hi Volker,

A colleague told me that if anyone can solve it, it's you. I think you know the forums :) :)

However, I can execute CALL QP2TERM without a problem; the problem is inside QP2TERM...

I can execute ls, mkdir, or similar, but when I try to execute kinit or klist, this error appears:

/QOpenSys/usr/bin/-sh: klist: 0403-006 execute permission denied


Some checks...

- klist, kinit are not in /QOpenSys/usr/bin/klist,kinit

- klist, kinit are in /usr/bin/klist,kinit


Any idea?


Thanks in advance,

Regards,

volker_gldenpfennig
Active Participant
0 Kudos

Hi Victor,

I would hope, that I could solve this issue 😉

(at least it would be the first kerberos setup, that would fail ...)

But: Such stuff is not possible for free ;-((

A last idea from my side:

Do you have NAE 5733SC1 installed?

V5R4: 5722NAE
V6R1: 5761NAE
V7R1: 5770NAE

V7R2: 5770NAE

5733SC1 - IBM Portable Utilities for i5/OS

I would guess, that 5733SC1 is missing ...


The stuff in QOpenSys is the AIX stuff, that you do need and the other stuff is the iSeries stuff.


At least it is clear now, that no permission is missing, just the files are not there and then the error shows up 😉


Regards,

Volker Gueldenpfennig, consolut international ag

Former Member
0 Kudos

Hi,

I have not installed NAE... but I have installed 5733SC1 - IBM Portable Utilities for i5/OS

But I do not understand why it works in qsh and does not work in QP2TERM. Are the libraries different?

Regards,

volker_gldenpfennig
Active Participant
0 Kudos

Hi Victor,

ok, I do not know, which docu you use to setup this, but NAE is required in my eyes.

I'm sorry, that this is (hopefully) my last reply to this topic ...

Regards,

Volker Gueldenpfennig, consolut international ag

hemanth2
Product and Topic Expert
0 Kudos

Hi Victor,


Unfortunately this issue requires checking the documentation and analysis by the application provider. If you by any chance get an option to migrate to SAP Single Sign-On 3.0, we can push this internally and help you with the configuration. All the installation steps are mentioned here:


http://help.sap.com/download/sapsso30/sapsso_master_guide_en.pdf


_ _ _ _ _ _ _ __ _ _

Kind Regards,

Hemanth

SAP Product Support

_ _ _ _ _ _ _ _ _ _ _

Join me online: http://scn.sap.com/people/hemanth.kumar/content

Former Member
0 Kudos

I think the problem is the library and the utilities... I have not installed NAE.

I will install it and comment on the results.

Regards,

Answers (0)