Former Member

Kerberos on WAS

Can someone tell me, at a high level, how to set up Kerberos on WAS?

I have set up Kerberos on other J2EE containers such as WebLogic and WebSphere, but when it comes to WAS I am a little lost. I have been referencing the SAP document but am totally confused... Help..

Using Kerberos Authentication for Single Sign-On

http://help.sap.com/saphelp_nw2004s/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/content.htm

I know that in a normal Kerberos implementation you need to have:

Krb5.ini or Krb5.conf --> like a tnsnames file for Oracle or a hosts file for DNS

UME --> data source mapping of the KPN within WAS

SPNegoLoginModule --> outlines the principal name between the host node and the KDC.


4 Answers

  • Former Member
    Dec 17, 2006 at 03:28 AM

    My next question. I still have IISProxy in place. From what I recall, in other J2EE containers I had to disable IIS and enable the main J2EE server to run on port 80 to support Kerberos..

    Which application do I use to test Kerberos? I have a couple of web applications specifically for testing the Krb5LoginModule and Kerberos authentication, but they are in WAR format and WAS requires EAR. Can anyone tell me how to convert WAR format to EAR format?


    • Richard,

      Kerberos 5 uses port 88 for ticket requests between Kerberos client and KDC, not port 80. Port 80 is for HTTP traffic.

      I believe you can deploy both EAR and WAR format files into the J2EE engine using SDM. I am sure somebody from SAP will correct me if this is wrong, but I believe I remember (I might be mistaken) installing a WAR file last year on one of our systems.

      Thanks,

      Tim

  • Former Member
    Dec 17, 2006 at 02:49 AM

    I am configuring the ticket SPNegoLoginModule and there is a section mentioning KPN?

    Is KPN the same as SPN? I know my SPN (service principal name), but is KPN the Kerberos principal name? Do I just put the SPN, or just put the KPN?

    SPNegoLoginModule | REQUISITE | com.sap.spnego.jgss.name=<KPN>

    Procedure

    ..

    1. Create a new policy configuration and add the SPNegoLoginModule to the list of login modules as shown below. For more information, see Managing Policy Configurations.

    a. To configure authentication with the SPNegoLoginModule without a fallback mechanism, you can arrange the login module stack of the policy configuration as shown in the table below.

    Login Modules             | Flag       | Options
    EvaluateTicketLoginModule | SUFFICIENT | ume.configuration.active=true
    SPNegoLoginModule         | REQUISITE  | com.sap.spnego.jgss.name=<KPN>
    CreateTicketLoginModule   | OPTIONAL   | ume.configuration.active=true

    b. To configure authentication with the SPNegoLoginModule with basic authentication fallback, you can arrange the login module stack of the policy configuration as shown in the table below.

    Login Modules             | Flag       | Options
    EvaluateTicketLoginModule | SUFFICIENT | ume.configuration.active=true
    SPNegoLoginModule         | OPTIONAL   | com.sap.spnego.jgss.name=<KPN>
    CreateTicketLoginModule   | SUFFICIENT | ume.configuration.active=true
    BasicPasswordLoginModule  | REQUISITE  |
    CreateTicketLoginModule   | OPTIONAL   | ume.configuration.active=true


    • Former Member

      Hi Rich,

      Would you like to explain to me what the terminology "logon ticket" means? Is this the first screen for entering user ID and password? If it is, then how do I configure logon tickets?

      The next thing is how to make one enterprise portal the ticket-issuing machine and have another application accept this ticket. An application login is created for this application, which is added into the accepting machine. When I look at the Visual Administrator as administrator I see the login module of the application. And the ticket-issuing enterprise portal is using AD as its user store.

      Taking this scenario, would you describe to me how to set up the AD directory, what the steps are, what prerequisites I need to take care of and what precautions I need to take?

      On the other hand, what are the settings I need to fix at the application site? This application has its own portal. Would you please describe this to me in detail and show it in a step-by-step manner, please.

      thanks

      happy

  • Former Member
    Dec 17, 2006 at 03:25 AM

    OK, I think I found my answer. It looks like it is specific to the Sun JDK, so I have to put the syntax

    com.sap.spnego.creds_in_thread with value true and create a Krb5LoginModule and a MappingModule. Now it starts to look familiar.

    3. Configure the SPNegoLoginModule options for the user resolution mode you use.

    User resolution mode none

    a. Choose the value none for the option com.sap.spnego.uid.resolution.mode

    User resolution mode simple

    ...

    a. Choose the value simple for the option com.sap.spnego.uid.resolution.mode

    User Resolution mode prefixbased

    ...

    a. Choose the value prefixbased for the option com.sap.spnego.uid.resolution.mode

    b. Choose the value kpnprefix for the option com.sap.spnego.uid.resolution.attr.

    If using Sun JDK, add the option com.sap.spnego.creds_in_thread with value true.

    4. When using Sun JDK, perform the following steps to register necessary login modules and policy configuration with the Security Provider service in the Visual Administrator of the J2EE Engine. For more information about adding login modules and policy configurations, see Managing Login Modules and Managing Policy Configurations.

    a. Add a login module with name Krb5LoginModule and class name com.sun.security.auth.module.Krb5LoginModule

    b. Add a login module with name MappingModule and class name com.sap.security.core.server.jaas.SPNegoMappingLoginModule

    c. Create a policy configuration com.sun.security.jgss.accept and add the login modules Krb5LoginModule and MappingModule to the login module stack for the policy configuration.

    d. Configure the login module options for the created policy configuration com.sun.security.jgss.accept as shown in the table below. For more information, see Managing Policy Configurations.

    Login Modules   | Flag      | Options
    Krb5LoginModule | REQUISITE | debug=true, doNotPrompt=true, keyTab=<keytab_filename_with_full_path>, principal=<KPN>, storeKey=true, useKeyTab=true, useTicketCache=true
    MappingModule   | OPTIONAL  | com.sap.spnego.uid.resolution.attr=krb5principalname

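    As an added example (not from this thread or from SAP's documentation), the following Java program exercises the same Krb5LoginModule option set as the quoted com.sun.security.jgss.accept table against the real KDC, so a wrong keytab, KPN or krb5.conf shows up as a plain exception before the policy configuration is ever entered in the Visual Administrator. The KPN value, the keytab path and the class name KeytabCheck are assumed placeholders.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public class KeytabCheck {
    // Placeholders: substitute the KPN of the J2EE service user and the path to its keytab.
    static final String KPN = "j2ee-service@EXAMPLE.COM";
    static final String KEYTAB = "/usr/sap/sso/j2ee-service.keytab";

    /** Same Krb5LoginModule options as the com.sun.security.jgss.accept row quoted in the thread. */
    static Configuration acceptConfig() {
        Map<String, String> opts = new HashMap<>();
        opts.put("debug", "true");           // prints which KDC and keytab entry were used
        opts.put("doNotPrompt", "true");     // never fall back to asking for a password
        opts.put("useKeyTab", "true");
        opts.put("keyTab", KEYTAB);
        opts.put("principal", KPN);
        opts.put("storeKey", "true");        // keep the key in the Subject so GSS can accept tickets
        opts.put("useTicketCache", "true");
        AppConfigurationEntry krb5 = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUISITE, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { krb5 };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Run with -Djava.security.krb5.conf=<path to krb5.ini/krb5.conf> so realm and KDC resolve.
        LoginContext lc = new LoginContext("com.sun.security.jgss.accept", null, null, acceptConfig());
        lc.login(); // fails here if the keytab key, the KPN or the realm do not match the KDC
        Subject subject = lc.getSubject();
        // Acquire an SPNEGO acceptor credential, which is what the engine needs to validate browser
        // tickets; a missing or stale keytab key surfaces here as a GSSException.
        GSSCredential cred = Subject.doAs(subject, (PrivilegedExceptionAction<GSSCredential>) () ->
                GSSManager.getInstance().createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                        new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY));
        System.out.println("Acceptor credential OK for " + cred.getName());
    }
}
```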

  • Former Member
    Jul 10, 2007 at 10:35 PM

    I fully share your opinion - and only want to add that many SAP employees use SDN to gain some "outside ideas" (there are many more "silent readers" than "active participants").

    Yes, SDN is a complimentary service - a communication platform.

    Cheers, Wolfgang