
Configuration of SSO 3.0 for sap GUI


Hello All,

We are trying to configure SSO for SAP GUI using SSO 3.0; for this we are using an ERP EHP 8 system. Our basic requirement is to log in to the SAP system without being asked for credentials (the SAP user name and the AD account are the same in our case).

Earlier we did a similar setup and it worked very well by setting an environment variable and all related SNC parameters in the instance profile, one of them pointing to gx64ntlm.dll (SAP Note 352295), along with this configuration at the end user, including setting up SNC_LIB as well as changes in the GUI under the network tab.

We are trying the same steps with SSO 3.0, using the sapcrypto.dll file instead of gx64ntlm.dll, but the web dispatcher stopped. After googling, it seems the above steps will not work for SSO 3.0.

Can anyone please let us know what the sequence of steps to be performed will be, or any SAP note or document which will help to set up the above environment.


Regards,

Cybertch.

Accepted Solutions (0)

Answers (2)

Hello Tom,

Thanks for your reply. We already configured SSO 3.0 successfully for SAP GUI with reference to the video below (link).

https://www.youtube.com/watch?v=ERgzPdQEE9I

Regards,

Cybertech


Hi Cybertch,

I probably can't help with the web dispatcher side of things since we aren't using it, but as far as setting things up with SSO 3.0, here's an overview of the process we've used, which is working in our environment, which includes pretty much all of SAP's products (ECC, BI, CRM, etc.).

Configuring SAP on AIX with SAP SSO 3.0 for Kerberos and SPNEGO

1. Download the latest SAPCRYPTOLIB, uncar it and put the files into the kernel directory on the SAP system. Make sure the files are owned by <sid>adm:sapsys

2. Edit /home/<sid>adm/.login and add the following environment variable, if not already present: setenv SECUDIR /usr/sap/<SID>/DVEBMGS<XX>/sec

3. Create service user(s) in Active Directory -

Set ‘User cannot change password’ & ‘Password never expires’

Open the Properties of the user you just created and click the Account tab. Scroll to the bottom of ‘Account options’ and enable ‘This account supports Kerberos AES 128 bit encryption’ & ‘This account supports Kerberos AES 256 bit encryption’, then click Apply

Now click the ‘Attribute Editor’ tab and edit the ‘servicePrincipalName’ attribute to add the SPNs and click OK.

SPNs are entered as:

HTTP/<fully qualified hostname of SAP system>

SAP/<SID>

4. Log on to the SAP system and add the following parameters to the DEFAULT profile via RZ10 (*NOTE – check the instance profiles for these parameters and, if they are there, remove them):

Parameter Name                 Value
snc/enable                     0 (disable) / 1 (enable) – Initially set this value to ‘0’
snc/gssapi_lib                 /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
snc/identity/as                p:CN=<service_User_Principal_Name>  Example - p:CN=sap_svc_<sid>@<DOMAIN> (this is strictly for Kerberos & upper case for domain)
snc/data_protection/max        3
snc/data_protection/min        2
snc/data_protection/use        3
snc/r3int_rfc_secure           0
snc/r3int_rfc_qop              8
snc/accept_insecure_cpic       1
snc/accept_insecure_gui        1
snc/accept_insecure_rfc        1
snc/permit_insecure_start      1
snc/force_login_screen         0
spnego/enable                  1
spnego/krbspnego_lib           /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so

Save and activate the new profile. Log on to the SAP system at the OS level and restart SAP.

5. Once the system is back online, log in and run STRUSTSSO2. Expand the SNC SAPCryptolib PSE. If there is already a certificate there, delete it. If not, then select Create.

When you click create, the value you entered in RZ10 for snc/identity/as should match what gets created and shown in the ‘Owner’ field. If this value does not match, there is a problem and further configuration will not work, so this must be resolved before continuing.

Once the certificate has been created, double click it and add it to both the certificate list and the ACL (both the logon client and client 000).

Save and exit STRUSTSSO2.

6. Run the SPNEGO transaction to create the keytab file. Select Display/Change and Add

Enter the service account username, password, and select all the encryption algorithms

Save and exit this screen and the SAPGUI.

7. Create the keytab file at the OS level. Log on to the server OS and su - <sid>adm

Navigate to /usr/sap/<SID>/DVEBMGS<xx>/sec

Enter the following, with capitalized domain:

sapgenpse keytab -p SAPSNCSKERB.pse -a <service_ID>@<DOMAIN>

You will then be prompted to create a PSE PIN/Passphrase. It looks like the following:

#############################################################################

License Disclaimer SAP Single Sign-On

You are about to configure trust for single sign-on or SNC Client Encryption.

Please note that for single sign-on you require a license for

SAP Single Sign-On.

As exception, the usage of SNC Client Encryption only without SSO is free

as described in SAP Note 1643878.

#############################################################################

Please enter PSE PIN/Passphrase: *********

Please reenter PSE PIN/Passphrase: *********

Please enter keyTab password: *********

Please reenter keyTab password: *********

keytab: Created new keyTab entry.

keytab: KeyTab content stored:

Version  Time stamp                KeyType  Kerberos name

1        Wed Feb 1 20:46:48 2017   DES      <service_ID>@<DOMAIN>

1        Wed Feb 1 20:46:48 2017   AES128   <service_ID>@<DOMAIN>

1        Wed Feb 1 20:46:48 2017   AES256   <service_ID>@<DOMAIN>

1        Wed Feb 1 20:46:48 2017   RC4      <service_ID>@<DOMAIN>

keytab: Created PSE /usr/sap/<SID>/DVEBMGS<xx>/sec/SAPSNCSKERB.pse.

Lastly, execute:

sapgenpse seclogin -p /usr/sap/<SID>/DVEBMGS<xx>/sec/SAPSNCSKERB.pse -x <password> -O <sid>adm [where <password> is the service account ID's password, NOT <sid>adm's password]

sapgenpse get_my_name -p /usr/sap/<SID>/DVEBMGS<xx>/sec/SAPSNCSKERB.pse [this is to verify all the encryption methods were assigned]

8. Log back on to the system via SAPGUI to enable SNC and map your SAP ID to your AD account as follows:

Execute RZ10 and change the snc/enable parameter from 0 to 1, then save and activate the profile.

Now execute SU01 and open your ID and set your SNC Name in the format of p:CN=<YOUR_USER_ID>@<DOMAIN>

When the canonical name is correct, the red ‘x’ will turn to the green check mark. Save your ID and exit the SAPGUI.

9. Restart SAP.

10. Install the SAP Secure Login Client (SAP SLC) software on your workstation and restart as needed.

11. SAP SLC should be running in your system tray.

12. Open the SAP SLC and you should see your Kerberos token listed. Right click on this entry and select the option Use Profile for SAP Applications. You can now close the SLC.

13. In the SAPGUI Logon Pad, SNC communication needs to be enabled for the system. Right click on the system and select Properties – Network, select Activate Secure Network Communication and ensure the SNC name matches the snc/identity/as value.

14. Done! You should now be able to SSO into SAP.

Hope this helps! Good luck!

Tom
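A small consistency check for the profile values from step 4 and the SNC name form from steps 4 and 8 (p:CN=<name>@<DOMAIN> with an upper-case realm), added here as an example and not part of Tom's answer or any SAP tool; the profile text, the SID ABC and the realm CORP.EXAMPLE.COM are constructed placeholders.

```python
import re

# Constructed sample of the DEFAULT profile parameters from step 4 (not a real SAP
# profile); ABC and CORP.EXAMPLE.COM stand in for <SID> and <DOMAIN>.
SAMPLE_PROFILE = """\
snc/enable = 1
snc/gssapi_lib = /usr/sap/ABC/SYS/exe/run/libsapcrypto.so
snc/identity/as = p:CN=sap_svc_abc@CORP.EXAMPLE.COM
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
spnego/enable = 1
spnego/krbspnego_lib = /usr/sap/ABC/SYS/exe/run/libsapcrypto.so
"""
REQUIRED = ("snc/enable", "snc/gssapi_lib", "snc/identity/as", "spnego/enable", "spnego/krbspnego_lib",
            "snc/data_protection/min", "snc/data_protection/use", "snc/data_protection/max")
# Kerberos SNC name form used for snc/identity/as (step 4) and in SU01 (step 8).
SNC_NAME_RE = re.compile(r"^p:CN=([^@\s]+)@([A-Za-z0-9.-]+)$")

def parse_profile(text):
    """Parse 'key = value' lines into a dict; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def check_snc_name(name):
    """Findings for one SNC name: p:CN=<name>@<DOMAIN> with an upper-case realm."""
    m = SNC_NAME_RE.match(name)
    if not m:
        return ["SNC name must look like p:CN=<name>@<DOMAIN>: %r" % name]
    realm = m.group(2)
    return [] if realm == realm.upper() else ["realm must be upper case: %r" % realm]

def check_profile(params):
    """Return a list of findings; an empty list means the SNC/SPNEGO set is consistent."""
    findings = ["missing parameter: " + k for k in REQUIRED if k not in params]
    if findings:
        return findings
    findings += check_snc_name(params["snc/identity/as"])
    lo, use, hi = (int(params["snc/data_protection/" + k]) for k in ("min", "use", "max"))
    if not 1 <= lo <= use <= hi <= 3:
        findings.append("data_protection levels must satisfy 1 <= min <= use <= max <= 3")
    return findings

def insecure_accepts(params):
    """Parameters that still allow logons without SNC (expected during the initial setup)."""
    return sorted(k for k, v in params.items() if k.startswith("snc/accept_insecure") and v == "1")
```

Running check_profile on the parsed sample returns no findings, while insecure_accepts lists the snc/accept_insecure_* parameters still set to 1, which is the list to revisit once every client has SNC enabled.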