on 06-19-2007 5:19 PM
Dears,
My boss asks me if we can support SAP GUI SSO between Windows 2003 AD and SAP 6.4c based on SUN Solaris 9.
I searched a lot of websites and found some possible ways. Here, my big concern is whether or not our SUN supports Kerberos 5 for SAP. This is the only thing I would need to purchase if SUN doesn't support it.
Can anyone here help me or give me a confirmation that I can build SSO on SUN without purchasing another Kerberos 5 module?
Meanwhile, if you have implemented this solution, can you share any idea to me?
Thanks a lot!
Sam
Hello,
You should check certified SNC products from SAP partners to have a supported solution.
This is an unsupported solution.
I did it for a customer on Tru64 and Linux (Itanium).
But had some problems on other platforms.
I did not do it on SUN.
Here is what you have to do:
Create user in AD like <sidadm>. Then create mapping for kerberos
Ktpass -princ <cihost>/<cihost>.<ad.domain>@<ad.domain> -mapuser <DOMAIN>\<sidadm> -pass <password> -out <SID>.keytab
More or less done on AD.
Now compile Kerberos using shared libraries (if it is already shared then it is ok)
./configure --enable-shared --prefix=[path] --sysconfdir=[where krb5.conf will be] - add others if you want
make ...
cd <prefix path>/lib
chown root:sapsys libk*
Now create krb5.conf in sysconfdir. Minimum conf file:
Start krb5.conf ####
[libdefaults]
default_realm = <AD.DOMAIN>
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
[realms]
<AD.DOMAIN> = {
kdc = <DOMAIN.CONTROLER.HOST>:88
kdc = <SECONDDOMAIN.CONTROLER.HOST>
admin_server = <DOMAIN.CONTROLER.HOST>
}
[domain_realm]
.<ad.domain> = <AD.DOMAIN>
<ad.domain> = <AD.DOMAIN>
End krb5.conf ####
import keytab for user:
/usr/local/sbin/ktutil
ktutil: rkt /<path to keytab file>/<SID>.keytab
ktutil: wkt <sysconf path>/krb5.keytab
ktutil: q
cd <sysconf path>/
chown root:sapsys krb5*
chmod 660 krb5*
Now test if you can authenticate to AD with:
<prefix path>/kinit <cihost>/<cihost>.<ad.domain>
In sap profile you have to load this library
snc/gssapi_lib = <prefix path>/lib/libgssapi_krb5.so
Identity:
snc/identity/as = p:<cihost>/<cihost>.<ad.domain>@<AD.DOMAIN>
add other snc parameters.
Before starting the application server you always have to authenticate with the <sid>adm user to AD. So what I did here is modify the startsap script and
enter line like this:
<prefix path>/bin/kinit <cihost>/<cihost>.<ad.domain> < passwordfile
passwordfile - must have the password for the AD <sid>adm user in plain text. (If you find a better solution please let me know)
Also you can test configuration with gsstest - SAP Note 150380.
Check also SAP Note 352295.
Some work must be done on client pc - some libs have to be added and environment parameters set. This is described in every Installation manual of SAP system ABAP on Windows.
Best regards,
Peter
Message was edited by: Peter Kalan
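Peter's startsap modification pipes a plain-text password file into kinit and asks for a better way. The script below is an added example, not code from the thread or from SAP: it takes the TGT for the SNC service principal from the krb5.keytab that ktutil already wrote (MIT kinit's -k -t), so no password has to sit on disk, and it adds two checks a defender would want before the application server starts: that the keytab is not readable by "other", and that krb5.conf does not still select single DES as in the minimal config above. KRB5_PREFIX, KRB5_SYSCONF, and the host and domain names in the usage comment are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): start-up helper that obtains the SNC
# service ticket from the keytab imported with ktutil, instead of piping a
# plain-text password file into kinit from the modified startsap script.
# Paths below are assumptions, not values from the thread:
#   KRB5_PREFIX  - the --prefix used when compiling MIT Kerberos
#   KRB5_SYSCONF - the --sysconfdir holding krb5.conf and krb5.keytab
KRB5_PREFIX="${KRB5_PREFIX:-/usr/local}"
KRB5_SYSCONF="${KRB5_SYSCONF:-/usr/local/etc}"
KRB5_KEYTAB="${KRB5_KEYTAB:-$KRB5_SYSCONF/krb5.keytab}"

# Build the principal in the form the thread uses for snc/identity/as:
# <cihost>/<cihost>.<ad.domain>@<AD.DOMAIN>  (realm = domain upper-cased)
snc_principal() {
    _host="$1"
    _domain="$2"
    _realm=$(printf '%s' "$_domain" | tr '[:lower:]' '[:upper:]')
    printf '%s/%s.%s@%s\n' "$_host" "$_host" "$_domain" "$_realm"
}

# Return 0 if a default enctype line in the given krb5.conf still selects
# single DES (the thread's minimal config uses des-cbc-crc), else 1.
weak_enctypes_in_conf() {
    grep -E '^[[:space:]]*default_(tgs|tkt)_enctypes[[:space:]]*=.*des-cbc-(crc|md5)' \
        "$1" >/dev/null 2>&1
}

# Return 0 when the "other" permission bits of the keytab are all clear
# (the thread sets 660 root:sapsys, which satisfies this), else 1.
keytab_mode_ok() {
    _mode=$(ls -l "$1" | cut -c8-10)
    [ "$_mode" = "---" ]
}

# Obtain the TGT for the service principal from the keytab: no password file.
# kinit -k -t is MIT Kerberos syntax; a vendor kinit may differ.
kinit_from_keytab() {
    "$KRB5_PREFIX/bin/kinit" -k -t "$KRB5_KEYTAB" "$1"
}

# Intended use from startsap, before the application server is launched
# (sapci / corp.example.com are constructed example names):
#   principal=$(snc_principal sapci corp.example.com)
#   keytab_mode_ok "$KRB5_KEYTAB" || { echo "keytab readable by others" >&2; exit 1; }
#   weak_enctypes_in_conf "$KRB5_SYSCONF/krb5.conf" \
#       && echo "warning: single-DES enctypes in krb5.conf" >&2
#   kinit_from_keytab "$principal" || exit 1
```

The ticket obtained this way expires like any TGT, so on a long-running instance the same kinit_from_keytab call has to be repeated from cron or a renewal loop before the lifetime in krb5.conf runs out; the keytab itself should keep the 660 root:sapsys ownership the thread already uses, since whoever can read it can act as the SNC identity.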
I have dumped the Kerberos information from SUN.
system SUNWgssk kernel GSSAPI V2
system SUNWgsskx kernel GSSAPI V2 (64-bit)
system SUNWkdcr Kerberos V5 KDC (root)
system SUNWkdcu Kerberos V5 Master KDC (user)
system SUNWkrbr Kerberos version 5 support (Root)
system SUNWkrbu Kerberos version 5 support (Usr)
system SUNWkrbux Kerberos version 5 support (Usr) (64-bit)
Thanks,
HI Sam,
Any luck with this? Our SAP application servers are running on UNIX - Solaris 10. I am also looking into this and have some documentation, but it's proving to be cumbersome and we are having problems. The following steps have been identified to do:
1. Setup the kerberos key distribution Center
2. Configure the W2K/Unix - Solaris 10 SSO
3. Verify SSO functions between W2K/Unix
Enabling SSO for SAP - identifying the GSS library (SUN supplied) and setting the SNC parameters, snc/gssapi_lib, snc/identity/as & snc/enable.
Regards, Neeta