09-09-2013 2:51 PM
All,
So I followed this document (yes, one of my own creation) to implement SNC on our QA system. Unlike our development/sandbox systems, our QA system has multiple application instances (two, to be exact).
The first instance starts up just fine. The second one had this problem:
N SncInit(): Initializing Secure Network Communication (SNC)
N Solaris on SPARCV9 CPU (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/usr/sap/EQ1/D21/SLL/libsecgss.so
N File "/usr/sap/<SID>/DXX/SLL/libsecgss.so" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
N SncInit(): found snc/identity/as=p:CN=SAP/Kerberos<SID>@<DOMAIN>
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]
N GSS-API(maj): No credentials were supplied
N Could't acquire ACCEPTING credentials for
N
N name="p:CN=SAP/Kerberos<SID>@<DOMAIN>"
N SncInit(): Fatal -- Accepting Credentials not available!
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 235]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 238]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 11292]
Of note: I used the same value for "snc/identity/as" in each application instance. They are also both using the same "Service Principal Name" in the Active Directory.
I read somewhere in my reading (I can't find where now) that you had to follow a different convention for "snc/identity/as" on systems where you have multiple instances. Any ideas on this or the resolution to this problem?
09-11-2013 3:11 PM
This problem is resolved via OSS.
Guilherme helped me realize I did not follow my own documentation. This line was missing from the START profile of the second instance.
SETENV_05 = SECUDIR=$(DIR_INSTANCE)/sec
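A small check for the fix above, written for this thread rather than taken from it: it reads each instance's START profile for the SETENV line that sets SECUDIR, expands $(DIR_INSTANCE), and confirms the directory exists so SncInit() has somewhere to look for the accepting credentials. Instance names, profile paths and profile contents are constructed samples.

```shell
#!/bin/sh
# Added check (not from the thread): confirm each instance's START profile sets
# SECUDIR through a SETENV_nn line and that the directory exists, so SncInit()
# can find the accepting credentials. All paths and contents below are constructed.

# Print the raw SECUDIR value from the first matching SETENV_nn line, nothing if absent.
secudir_from_profile() {
    awk '/^[ \t]*SETENV_[0-9]+[ \t]*=[ \t]*SECUDIR=/ {
             sub(/^[ \t]*SETENV_[0-9]+[ \t]*=[ \t]*SECUDIR=/, "")
             sub(/[ \t]+$/, "")
             print; exit }' "$1"
}

# Replace a leading $(DIR_INSTANCE) placeholder with the real instance directory ($2).
expand_dir_instance() {
    placeholder='$(DIR_INSTANCE)'
    case "$1" in
        "$placeholder"*) rest=${1#"$placeholder"}; printf '%s\n' "$2$rest" ;;
        *)               printf '%s\n' "$1" ;;
    esac
}

# One-line verdict per instance: "OK <dir>", "MISSING" (no SETENV line), or "NODIR <dir>".
check_instance() {
    raw=$(secudir_from_profile "$1")
    [ -n "$raw" ] || { echo MISSING; return 1; }
    dir=$(expand_dir_instance "$raw" "$2")
    [ -d "$dir" ] || { echo "NODIR $dir"; return 1; }
    echo "OK $dir"
}

# Constructed sample: two instances, only D21's profile carries the SETENV line.
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/D21/sec" "$SAMPLE/D22/sec"
printf 'SAPSYSTEMNAME = EQ1\nSETENV_05 = SECUDIR=$(DIR_INSTANCE)/sec\n' > "$SAMPLE/START_D21"
printf 'SAPSYSTEMNAME = EQ1\nSETENV_05 = LD_LIBRARY_PATH=$(DIR_INSTANCE)/exe\n' > "$SAMPLE/START_D22"

for inst in D21 D22; do
    printf '%s: ' "$inst"
    check_instance "$SAMPLE/START_$inst" "$SAMPLE/$inst" || true
done
```

Run it against the real profiles under /usr/sap/<SID>/SYS/profile with the matching /usr/sap/<SID>/<Instance> directory; a MISSING result on one instance is exactly the situation described in this thread.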
09-09-2013 2:53 PM
By the way, the log snippet comes from /usr/sap/<SID>/<Instance>/work/dev_w0. Sorry I forgot to specify this in the OP.
09-09-2013 5:09 PM
See the attached link for a similar discussion thread, there are several points to check.
09-09-2013 6:31 PM
Thank you for the reference. I see the thread has some good discussion, but no resolution =\
09-10-2013 8:00 AM
Hi Philip,
did you specify "SAP/Kerberos<SID>@<DOMAIN>" literally or did you replace it to keep the info private?
If the latter, you at least forgot to hide the sid completely 😉
In your case I would have expected to see something like
CN=SAP/KerberosEQ1@<YOUR_AD_DOMAIN>
To my knowledge a system uses the same service principal for all instances. However the config has to be created for each one, just as outlined in your document.
Regards,
Patrick
09-10-2013 3:20 PM
Hi Patrick,
I appreciate the reply. Yes, <SID> and <DOMAIN> both contain appropriate values (and are all caps) but have been redacted by me -- although it appears I missed <SID> on one occasion.