Setup of SAP NetWeaver AS Java for Server-to-Server Single Sign-On using Kerberos
This is step 2 of a document series about setting up SAP Mobile Documents (based on SAP NetWeaver AS Java) to connect to Microsoft Sharepoint using Kerberos.
General remarks upfront:
SAP NetWeaver Administrator (NWA) is started using the URL
http://<host where AS Java is installed>:<port - usually 50000>/nwa
In the following, opening this URL is referred to as "go to NWA".
The system ID of the system that has been used for the screenshots is SBX.
This is described with an AS Java system running on Windows.
See also the high-level overview about this scenario. The official documentation is also linked there.
Deploy SSOExt Library
See official docu as reference: http://help.sap.com/saphelp_nwsso20/helpdata/en/80/d057adb7244181b2dbd17e4f485097/content.htm
Follow the download steps described on the official docu link.
Download latest version
Rename the file extension from .zip to .sca
The official way to deploy to AS Java is the Software Update Manager (SUM).
However, I did the deployment using the unsupported option Telnet (as I am not a Java expert) and this is just for demo purposes. So please only use the following method for testing purposes - otherwise use SUM:
If you do not have Telnet available on your Windows Server, you can activate it: http://technet.microsoft.com/en-us/library/cc770501(v=ws.10).aspx
Open cmd with admin rights on the machine where the Java System is running.
Enter the following command: telnet localhost 50008
Enter the AS Java admin user and password
Enter command: deploy <full path to sca file>
Enable SSOExt Library
Go to NWA - search for applications - click Java Applications - search for name "ssoext".
Select the application ssoext_krb5 - click more Actions - View Application Properties
Select property "enabled" - click modify - enter value "true" - click Set
Click Save
Restart SAP Mobile Documents application
After deploying SSOEXT, you need to restart the SAP Mobile Documents application:
Go to NWA - search for applications - click Java Applications - search for Name "mcm":
Run SPNego Wizard
As a reference, see also official docu: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/21/bff93c7dcd458e9d71539a6d50dbbe/frameset.htm
Go to NWA - Search for SPNego - Click SPNego
Click Add - Manually
Enter the Realm Name (this is the name of your Windows domain) - you find it in the Active Directory Users and Computers:
In the next step, use the user that you created before:
In the next step, you can ignore the AES warning (for testing purposes):
Use the settings as shown below - then click Finish
Enable the configuration (the light will turn green):
Configure the krb5.conf File
See official docu as reference: http://help.sap.com/saphelp_nwsso20/helpdata/en/25/62d09a26634803aee7aa9f4068f211/content.htm
Create krb5.conf file with the following content (replace values accordingly) in <drive>:\usr\sap\<SID>\SYS\global\security:
----------------------------------------------------------------------------------------------------
[realms]
DEMO.MOBILEDOCS.CORP = {
kdc = mobiledocs.demo.mobiledocs.corp
cname = jee-sbx
spn = HTTP/mobiledocs.demo.mobiledocs.corp
}
----------------------------------------------------------------------------------------------------
Remark: Use upper case letters for the domain entry (as shown above)!
Restart the SSOExt application
Go to NWA - search for applications - click Java Applications - search for Name "sso":
Now your SAP NetWeaver AS Java should be properly configured for so-called Kerberos Constrained Delegation.
Continue with step 3 of the document series.