on 05-29-2016 6:37 PM
Hi SAP Experts,
We are planing to implement SSO Configuration in my company
Below are the details of SAP system
SAP CRM ABAP 702 Release
Linux 2.6.32-504.3.3.el6.x86_64
Kernel Release 722 SP Level 101
Microsoft windows server 2012 R2 standard (ADS)
Could you please provide us the simple method for SSO configuration and softwares required.
And also please let us know the profile parameters which need to be enabled.
Please let us know if you need any further information.
Thank You,
Mohammad Nahid,
SAP Basis Consultant.
Dear SAP Experts
We have stuck due to the below error. If any one can help to resolve the issue will be helpful.
Below the command and error details.
When we run >sapgenpse keytab -p SAPSNCSKERB.pse -y **** -a sso@GULFMEDICAL.COM
############################################################################# License Disclaimer
SAP Single Sign-On You are about to configure trust for single sign-on or SNC Client Encryption.
Please note that for single sign-on you require a license for SAP Single Sign-On. As exception,
the usage of SNC Client Encryption only without SSO is free as described in SAP Note 1643878.
#############################################################################
Please enter PSE PIN/Passphrase: ********** Please reenter PSE PIN/Passphrase: ********** !!! WARNING:
For security reasons it is recommended to use a PIN/passphrase !!! WARNING: which is at least 8 characters long and contains characters in !!! WARNING:
upper and lower case, numbers and non-alphanumeric symbols. keytab: Created new keyTab entry. keytab: KeyTab content stored:
Version Time stamp KeyType Kerberos name 1 Sat Jun 18 17:12:24 2016 DES sso@GULFMEDICAL.COM 1 Sat Jun 18 17:12:24 2016 AES128 sso@GULFMEDICAL.COM 1 Sat Jun 18 17:12:24 2016 AES256 sso@GULFMEDICAL.COM 1 Sat Jun 18 17:12:24 2016 RC4 sso@GULFMEDICAL.COM !!! WARNING: You have successfully managed the keyTab to accept kerberos based connections !!! WARNING: but you don't have a SNC server PSE containing an X.509 server certificate yet. !!! WARNING: Please create the PSE 'SNC SAPCRYPTOLIB' with ABAP Trust Manager. keytab: Created PSE /usr/sap/CRR/DVEBMGS55/sll/SAPSNCSKERB.pse. When we run > sapgenpse seclogin -l running seclogin with USER="crradm" 0 (LPS:OFF): (LPS:OFF): /usr/sap/CRR/DVEBMGS55/sll/SAPSNCSKERB.pse
1 readable SSO-Credentials available
When we set the below parameter in /sapmnt/CRR/profile/CRR_DVEBMGS55_crm-ro:
snc/enable = 1 snc/gssapi_lib = $(DIR_INSTANCE)/exe/libsapcrypto.
so snc/identity/as = p:CN=sso@GULFMEDICAL.COM snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/permit_insecure_start = 1
snc/r3int_rf_qop = 8
snc/r3int_rf_secure = 0
snc/force_login_screen = 0
spnego/enable = 1
spnego/krbspnego_lib = $(DIR_INSTANCE)/exe/libsapcrypto.
so The system fails to start and we find the below in dev_w0:
N UserId="crradm" (502), envvar USER="crradm" N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level) N SncInit():
found snc/data_protection/min=2, using 2 (Integrity Level) N SncInit():
found snc/data_protection/use=9, using 3 (Privacy Level) N SncInit():
found snc/gssapi_lib=/usr/sap/CRR/DVEBMGS55/exe/libsapcrypto.so N
File "/usr/sap/CRR/DVEBMGS55/exe/libsapcrypto.so"
dynamically loaded as GSS-API v2 library. N SECUDIR="/usr/sap/CRR/DVEBMGS55/sec" (from APPLICATION) N
The internal Adapter for the loaded GSS-API mechanism identifies as: N
Internal SNC-Adapter (Rev 1.1) to CommonCryptoLib N Product Version = CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.48 pl40 (Jan 26 2016) MT-safe N SncInit():
found: snc/identity/as=p:CN=sso@GULFMEDICAL.COM N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1465] N
GSS-API(maj): No credentials were supplied N Could't acquire ACCEPTING credentials for N N name="p:CN=sso@GULFMEDICAL.COM" N
FATAL SNCERR -- Accepting Credentials: "sapsso" (0x0003) not available! N (debug hint: default acceptor = "p:CN=CRR, OU=I0020645532, O=SAP Web AS") N <<- SncInit()==SNCERR_GSSAPI N sec_avail = "false" M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 238] M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 240] M in_ThErrHandle: 1 M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c
Thank You,
Mohammad Nahid
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I have done few changes and now i am facing different problem again and instance is not started again
Fri Jun 24 19:11:38 2016
N SncInit(): Initializing Secure Network Communication (SNC)
N AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N UserId="crradm" (502), envvar USER="crradm"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/usr/sap/CRR/DVEBMGS55/exe/libseccrypt.so
M *** ERROR => DlLoadLib()==DLENOACCESS - dlopen("/usr/sap/CRR/DVEBMGS55/exe/libseccrypt.so") FAILED
"/usr/sap/CRR/DVEBMGS55/exe/libseccrypt.so: cannot open shared object file: No such file or directory" [dlux.c 445
]
N *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter #1 (/usr/sap/CRR/DVEBMGS55/exe/libseccrypt.so) not loaded [sncxxdl.c 72
7]
N <<- SncInit()==SNCERR_INIT
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000001) [thxxsnc.c 238]
M *** ERROR => ThSncInit: SncInitU (SNCERR_INIT) [thxxsnc.c 240]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 11687]
M
Thank You,
Mohammad Nahid
Hi ,
you have to set two below parameters to configure sso as mentioned below :-
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
Please check guide also .
Regards ,
Arpit
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
100 | |
12 | |
11 | |
6 | |
6 | |
4 | |
3 | |
3 | |
3 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.