Former Member
Dec 01, 2007 at 09:42 PM

Kerberos Authentication (SPNego) on J2ee Cluster


Hello,

I am checking the configuration of Kerberos authentication (SPNego) in WebAS Java (NW2004s, 7.00 SP11).

We have a cluster of two machines (j2ee1.domain and j2ee2.domain).

Cluster name is j2eecluster.domain.

Instance name is WDD.

KDC is on a machine called kdc.domain, and Microsoft ADS is on a cluster (ads1.domain and ads2.domain).

On the J2EE machines we have installed Sun SDK 1.4.2_13 (I read there was a problem with 1.4.2_14, 15 and 16).

We followed the instructions in the SAP documentation and some blogs on SDN.

These are the steps we did:

- Created a user in ADS called SAPJ2EEWDD (password never expires, etc.)

- Created the keytab file with the script

```
ktpass -princ host/j2eecluster.domain@DOMAIN -pass **** -out keytabWDD.keytab -mapUser SAPJ2EEWDD +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL
```

(here I put the name of the cluster, j2eecluster.domain)

- Registered the principal with the script

```
setspn -A HTTP/s- j2eecluster.domain SAPJ2EEWDD
```

(also using the cluster name)

Should I also register the two nodes, j2ee1 and j2ee2?

- Copied the keytab file to both servers, j2ee1 and j2ee2.

- Created the krb5.conf file on both servers; here is the content:

```
[domain_realm]
domain = DOMAIN

[libdefaults]
default_keytab_name = j2eecluster.domain\SAPMNT\WDD\kerberos\keytabWSP.keytab
default_realm = DOMAIN
dns_lookup_kdc = true
default_tgs_enctypes=des-cbc-md5;des-cbc-crc
default_tkt_enctypes=des-cbc-md5;des-cbc-crc

[logging]

[realms]
DOMAIN = {
admin_server = kdc.domain
kdc = kdc.domain
}
```

Also, I checked that the keytab file is correct; I did the test:

```
C:\j2sdk1.4.2_13>C:\j2sdk1.4.2_13\bin\klist -e -f -k -K C:\j2sdk1.4.2_13\keytabWDD.keytab
Key tab: C:\j2sdk1.4.2_13\keytabWDD.keytab, 1 entry found.
[1] Service principal: host/j2eecluster.domain@DOMAIN
KVNO: 1
Key type: 3
Key: 0xfedf5843edc49b3
```

Test OK!

- Added Java parameters to the server nodes in Config Tool

```
-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.krb5.conf=D:\usr\sap\WDD\kerberos\krb5.conf
-Dsun.security.krb5.debug=true
```

Should I put -Djava.security.krb5.conf=j2eecluster\sapmnt\WDD\kerberos\krb5.conf here instead? I am not sure...

Then I modified the XML configuration file, dataSourceConfiguration_ads_readonly_db_with_krb5.xml.

I added the parameters indicated in the SAP documentation:

```xml
<attribute name="kpnprefix"/>
<attribute name="krb5principalname"/>
<attribute name="dn" />
...
<attribute name="kpnprefix">
    <physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="krb5principalname">
    <physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="dn">
    <physicalAttribute name="distinguishedname"/>
</attribute>
```

Finally, I adjusted the login modules as the documentation says.

Added SPNegoLoginModule to the ticket policy configuration, with the OPTIONAL flag:

```
com.sap.spnego.uid.resolution.mode=simple
com.sap.spnego.jdss.name=host/j2eecluster.domain@DOMAIN
com.sap.spnego.creds_in_thread=true
```

- Created the login modules Krb5LoginModule and MappingModule;

- Created the policy group com.sun.security.jgss.accept and added Krb5LoginModule and MappingModule to it;

Finally, I configured the Internet Explorer browser with the options indicated in the SAP documentation.

When I call the J2EE URL, a login pop-up appears.

What is wrong?

Any idea?

Thanks and Regards

Noemi
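The post quotes four pieces that have to agree with each other before the SPNego login module can accept a ticket: the keytab (as shown by `klist -k`), the krb5.conf, the enctypes the JVM is allowed to use, and the `com.sap.spnego.jdss.name` option. The following is an added example, not code from the original post or from SAP: a small Python consistency checker that parses the krb5.conf and the `klist` output exactly as quoted above (embedded here as constructed sample strings), compares them with the login-module option, and reports where they disagree. The encryption-type numbers are the standard MIT/Java ones (`Key type: 3` is des-cbc-md5). Run on the post's own values it flags one error, that `default_keytab_name` names `keytabWSP.keytab` while the file that was verified is `keytabWDD.keytab`, plus a warning that the key is single DES; it only checks the pieces against each other and cannot tell whether the KDC actually issues a ticket.

```python
"""Consistency check for the SPNego pieces quoted in the post (added example).

Parses the krb5.conf, the `klist -k` output and the SPNegoLoginModule option
as they appear in the post and reports disagreements.  Encryption-type
numbers follow the MIT/Java numbering (1 = des-cbc-crc, 3 = des-cbc-md5).
"""
import re
from pathlib import PureWindowsPath

# Sample input constructed from the krb5.conf quoted in the post.
KRB5_CONF = """\
[domain_realm]
domain = DOMAIN
[libdefaults]
default_keytab_name = j2eecluster.domain\\SAPMNT\\WDD\\kerberos\\keytabWSP.keytab
default_realm = DOMAIN
dns_lookup_kdc = true
default_tgs_enctypes=des-cbc-md5;des-cbc-crc
default_tkt_enctypes=des-cbc-md5;des-cbc-crc
[logging]
[realms]
DOMAIN = {
admin_server = kdc.domain
kdc = kdc.domain
}
"""

# Sample input constructed from the `klist -e -f -k -K` output in the post.
KLIST_OUTPUT = """\
Key tab: C:\\j2sdk1.4.2_13\\keytabWDD.keytab, 1 entry found.
[1] Service principal: host/j2eecluster.domain@DOMAIN
KVNO: 1
Key type: 3
"""

# SPNegoLoginModule option quoted in the post.
SPNEGO_OPTIONS = {"com.sap.spnego.jdss.name": "host/j2eecluster.domain@DOMAIN"}

# MIT/Java encryption-type numbers mapped to their krb5.conf names.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used in the post: [section] headers,
    key = value lines and one level of NAME = { ... } blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif section is None:
            raise ValueError(f"value outside any section: {line!r}")
        elif line == "}":
            block = None
        elif line.endswith("{"):
            block = line[:-1].split("=")[0].strip()
            conf[section][block] = {}
        else:
            key, _, value = line.partition("=")
            target = conf[section][block] if block else conf[section]
            target[key.strip()] = value.strip()
    return conf


def parse_klist(text):
    """Extract keytab path and (principal, kvno, etype) entries from Java klist output."""
    header = re.search(r"Key tab:\s*(\S+?),", text)
    if not header:
        raise ValueError("no 'Key tab:' line found")
    entry_re = r"Service principal:\s*(\S+)\s*KVNO:\s*(\d+)\s*Key type:\s*(\d+)"
    entries = [{"principal": p, "kvno": int(k), "etype": int(e)}
               for p, k, e in re.findall(entry_re, text)]
    return {"keytab": header.group(1), "entries": entries}


def check_spnego_setup(krb5_text, klist_text, spnego_options):
    """Return (severity, message) findings; an empty list means the pieces agree."""
    conf, keytab = parse_krb5_conf(krb5_text), parse_klist(klist_text)
    lib, findings = conf.get("libdefaults", {}), []
    # The keytab the JVM opens must be the same file whose contents were verified.
    configured = PureWindowsPath(lib.get("default_keytab_name", "")).name
    verified = PureWindowsPath(keytab["keytab"]).name
    if configured.lower() != verified.lower():
        findings.append(("error", f"default_keytab_name is '{configured}' but the verified keytab is '{verified}'"))
    for entry in keytab["entries"]:
        principal = entry["principal"]
        service, _, realm = principal.partition("@")
        if realm != lib.get("default_realm"):
            findings.append(("error", f"principal realm '{realm}' != default_realm '{lib.get('default_realm')}'"))
        if "kdc" not in conf.get("realms", {}).get(realm, {}):
            findings.append(("error", f"no kdc for realm '{realm}' in [realms]"))
        # The key stored in the keytab must be an enctype the JVM is allowed to use.
        etype = ETYPE_NAMES.get(entry["etype"], f"etype-{entry['etype']}")
        for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
            allowed = [e for e in re.split(r"[;,\s]+", lib.get(key, "")) if e]
            if allowed and etype not in allowed:
                findings.append(("error", f"keytab enctype {etype} is not in {key} {allowed}"))
        if etype.startswith("des-"):
            findings.append(("warning", f"keytab key uses single DES ({etype}), a deprecated cipher"))
        # The login module must name exactly the principal the keytab holds a key for.
        jdss = spnego_options.get("com.sap.spnego.jdss.name")
        if jdss != principal:
            findings.append(("error", f"com.sap.spnego.jdss.name '{jdss}' != keytab principal '{principal}'"))
        # The host's DNS domain must map to the realm, or realm lookup depends on DNS alone.
        domain = service.partition("/")[2].partition(".")[2]
        mapping = conf.get("domain_realm", {})
        if realm not in (mapping.get(domain), mapping.get("." + domain)):
            findings.append(("warning", f"[domain_realm] does not map '{domain}' to '{realm}'"))
    return findings


if __name__ == "__main__":
    for severity, message in check_spnego_setup(KRB5_CONF, KLIST_OUTPUT, SPNEGO_OPTIONS):
        print(f"{severity.upper()}: {message}")
```

To apply it to a real system, replace the three constructed inputs with the file contents and the captured `klist` output from each cluster node; because both nodes read the same krb5.conf and keytab, running the check on each node separately is the quickest way to see whether the copies actually agree.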