Configuring SPNego with ABAP datasource
After writing three blogs about configuring and troubleshooting SPNego (Configuring and troubleshooting SPNego — Part 1, Configuring and troubleshooting SPNego — Part 2 and Configuring and troubleshooting SPNego — Part 3), I got several questions about what steps are necessary to use SPNego if your J2EE Engine is connected to an ABAP backend.
In this blog I will try to explain just that.
In general the setup is similar to the one mentioned in the video for dataSourceConfiguration_DB attached to the SPNego Wizard.
As in “Configuring and troubleshooting SPNego — Part 1”, the first thing to do is to create a service user in the ADS (even if you are using the ABAP system as the user store for the J2EE Engine, the ADS still plays an important part).
Create a user like j2ee-SID in the ADS and make sure that the settings
* Password never expires and
* Use DES encryption types for this account
are set. (In the following screenshots I will use j2ee-hbr as the service user.)
Then run the setspn command to assign the ServicePrincipalName to the user (this is the URL that you use to access the J2EE Engine; all these steps are explained in detail in the first blog).
A short ldifde reveals some important parameters that we are going to use later:
Now, if not already done, connect the J2EE Engine to the ABAP system:
In the next screen I also used the user j2ee-hbr to connect the J2EE to the ABAP system (for this I had to create this user in the ABAP system as well). You could also use a service user as described in “Requirements for the System User for UME-ABAP Communication” and “Configuring the UME to Use an AS ABAP as Data Source”.
Now start the configtool and add krb5principalname as an additional UME attribute:
After a restart this property will be available to all user objects in the UME. Search for your service user (j2ee-hbr, which will now be found in the ABAP system) and set krb5principalname to the same value as the userPrincipalName of the ADS user (see above). This can be a little confusing: you now have two users named j2ee-hbr, one in the ADS and one in the ABAP system.
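A check for the ADS service user created above, as an added example (not part of the original blog): it parses an ldifde-style export, confirms the two account settings and the SPN, and returns the userPrincipalName that goes into krb5principalname. The sample export, the example.com domain and host names, and the function names are constructed for illustration.

```python
# userAccountControl bits behind the two account settings named in the post.
DONT_EXPIRE_PASSWORD = 0x10000   # "Password never expires"
USE_DES_KEY_ONLY = 0x200000      # "Use DES encryption types for this account"

# Constructed ldifde-style export: domain, host name and values are placeholders.
SAMPLE_LDIF = """\
dn: CN=j2ee-hbr,CN=Users,DC=example,DC=com
sAMAccountName: j2ee-hbr
userPrincipalName: j2ee-hbr@EXAMPLE.COM
servicePrincipalName: HTTP/portal.example.com
servicePrincipalName: HTTP/portal
userAccountControl: 2163200
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}.
    Base64 ("attr:: ...") values are not decoded here."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # folded continuation line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.lower(), []).append(value.strip())
    return entry

def check_service_user(entry):
    """Return (userPrincipalName, SPN list, list of problems found)."""
    problems = []
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    if not uac & DONT_EXPIRE_PASSWORD:
        problems.append("'Password never expires' is not set")
    if not uac & USE_DES_KEY_ONLY:
        problems.append("'Use DES encryption types for this account' is not set")
    spns = entry.get("serviceprincipalname", [])
    if not spns:
        problems.append("no servicePrincipalName assigned (was setspn run?)")
    upn = entry.get("userprincipalname", [None])[0]
    if upn is None:
        problems.append("userPrincipalName missing")
    return upn, spns, problems

if __name__ == "__main__":
    upn, spns, problems = check_service_user(parse_ldif_entry(SAMPLE_LDIF))
    print("krb5principalname:", upn, "| SPNs:", spns, "| problems:", problems or "none")
```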
Now we can start the SPNego Wizard:
Make sure that krb5principalname is used for Mapping Attribute and continue:
In the next screen make sure that the KPN Prefix is set to uniquename (which is defined in the ABAP dataSourceConfiguration file).
After testing the resolution mode continue with the next step. I always prefer to create a new template and assign this template later on to my ticket component:
Restart the J2EE Engine and you should be done with the wizard.
The final step is to assign the SPNego template we created to the ticket component via the Visual Administrator:
That should be it!
Now you should be able to access the portal via SPNego. If it is not working, please have a look at the previous blogs mentioned above.