This solution has been tested on Windows 2003 Domain Controller with Active Directory as a KDC and EP 6.0 SP15. SPNegoLoginModule is by default delivered with SP15, however if you need to implement Kerberos in Portal running < SP15 then you have to deploy the spnegoauthlib.sda file.
Step 1: Configuration steps on Domain Controller which is your KDC
1.1. Create a Service user whose password should never expire
1.2. Configuration of the Keytab file
After this step, a file will be generated with the extension “.keytab”. Now execute this command
Step 2: J2EE Engine configuration for Kerberos (perform these steps where your WebAS JAVA is installed)
2.1 Importing Kerberos Configuration Files to the J2EE Engine. I copied the file in “\usr\sap\EPD” folder
2.2 Create another file ‘krb5.conf’ in the same folder as follows:-
2.3 Configure J2EE engine properties as:-
[Do the same configurations on all the Server nodes]
2.4 UME Configuration
[We have used user resolution mode as ‘simple ‘]
2.5 Configuring LoginModule Stacks
[Add SPNegoLoginModule to the component ‘Ticket’ in the Security Provider service in Visual Admin.]
2.6 Create a new policy configuration ‘com.sun.security.jgss.accept’ and add 2 Login Modules
1. Krb5LoginModule
2. MappingModule
2.7 Login Module(s) in the policy configuration ’com.sun.security.jgss.accept’
1.) Mapping Login Module
2.) Krb5LoginModule
Step 3: Access J2EE Engine with Kerberos Authentication
3.1 Enable Windows Integrated Authentication in your Web browser
Access the Portal.
Life is good .. 🙂
Step 1: Configuration steps on Domain Controller which is your KDC
1.1. Create a Service user whose password should never expire
1.2. Configuration of the Keytab file
After this step, a file will be generated with the extension “.keytab”. Now execute this command
Step 2: J2EE Engine configuration for Kerberos (perform these steps where your WebAS JAVA is installed)
2.1 Importing Kerberos Configuration Files to the J2EE Engine. I copied the file in “\usr\sap\EPD” folder
2.2 Create another file ‘krb5.conf’ in the same folder as follows:-
2.3 Configure J2EE engine properties as:-
[Do the same configurations on all the Server nodes]
2.4 UME Configuration
[We have used user resolution mode as ‘simple ‘]
2.5 Configuring LoginModule Stacks
[Add SPNegoLoginModule to the component ‘Ticket’ in the Security Provider service in Visual Admin.]
2.6 Create a new policy configuration ‘com.sun.security.jgss.accept’ and add 2 Login Modules
1. Krb5LoginModule
2. MappingModule
2.7 Login Module(s) in the policy configuration ’com.sun.security.jgss.accept’
1.) Mapping Login Module
2.) Krb5LoginModule
Step 3: Access J2EE Engine with Kerberos Authentication
3.1 Enable Windows Integrated Authentication in your Web browser
Access the Portal.
Life is good .. 🙂
17 Comments
