How to configure SAP NetWeaver Single Sign-On for SAP GUI for Java with Kerberos Base solution using SNC
SAP introduces the Secure Login Client for Mac OS as of SAP NW SSO 2.0 SP3.
This document gives step-by-step instructions to install and implement it.
The system requirements for SLC for Mac OS are:
OS X 10.7 or higher
SAP GUI for Java 7.20 or higher
Login to Mac OS using AD credentials
Note: For the Secure Login Client for Windows see the document at the URL below:
http://scn.sap.com/docs/DOC-40178
Most of the steps in this document have a counterpart in document DOC-40178.
The steps below are performed in the following test environment:
Company Name: ABC
SAP ABAP System (SBX) (DVEBMGS02)
ERP 6.0 EHP5 (702 SP12)
Solaris SPARC 10.0 64bit Unicode
SAP Kernel 720 Unicode 64bit Patch 401
Host Name: sandbox
FQDN: sandbox.abc.com
SAP Login ID: JDOE
Active Directory Server (SC)
Windows 2008 R2
Domain Name: ABC.COM
AD Login ID: JOHN_DOE
Mac Client OS
OS 10.8.5
Client Login: JOHN_DOE
A- Install & Configure Secure Login Library
A.1- Create Service User for SAP AS ABAP in MS-ADS
Log in to MS-ADS as administrator.
Create a new user with a complex password and the options “User cannot change password” and “Password never expires”.
User ID Naming convention: SL-ABAP-<SID> (i.e. SL-ABAP-SBX)
A.2- Define SPNs for this user (one for SNC and one for SPNEGO)
For SNC -> SAP/SL-ABAP-SBX
For SPNEGO -> HTTP/sandbox.abc.com (on account SL-ABAP-SBX)
C:\Windows\system32> setspn -a HTTP/sandbox.abc.com SL-ABAP-SBX
C:\Windows\system32> setspn -a SAP/SL-ABAP-SBX SL-ABAP-SBX
Verify the entries:
C:\Windows\system32> setspn -L SL-ABAP-SBX
Note: The HTTP SPN is required only for ABAP access via the web (SPNEGO).
It is not required if your ABAP system does not meet the requirements of
SAP Note 1798979 or you do not want web access to the ABAP system.
SAP Note 1798979 – SPNego ABAP: Downport
B- Download NW SSO 2.0 software from SAP Service Marketplace
(You need a valid license.)
Log in to SMP with your ‘S’ user ID and download the NW SSO 2.0 software from the location shown below.
C- Copy Secure Login Library files to SAP AS ABAP System (sandbox)
C.1- Log in to your ABAP server (sandbox) with the sbxadm account.
C.2- Go to DIR_INSTANCE and create a directory called SLL.
sandbox:sbxadm 67% cd /usr/sap/SBX/DVEBMGS02
sandbox:sbxadm 68% mkdir SLL
C.3- Extract SLLIBRARY00_1.SAR under the following path:
<Path to 51045122 CD>/DATA_UNITS/SECURE_LOGIN_LIBRARY_20/SOLARIS_SPARC64
sandbox:sbxadm 69% SAPCAR -xvf SLLIBRARY00_1.SAR
Go to the extracted directory sunos-5.10-sparc-64 and extract SECURELOGINLIB.SAR into the SLL directory:
sandbox:sbxadm 70% SAPCAR -xvf SECURELOGINLIB.SAR -R /usr/sap/SBX/DVEBMGS02/SLL (all in one line)
C.4- Verify the Secure Login Library status using the command sapgenpse
sandbox:sbxadm 71% cd /usr/sap/SBX/DVEBMGS02/SLL
sandbox:sbxadm 72% pwd
sandbox:sbxadm 73% ./sapgenpse
C.5- Download SECURE LOGIN LIBRARY 2.0 64BIT SP002 Patch level 3 and install it.
C.6- Extract SLLIBRARY02_3-10012577.SAR
sandbox:sbxadm 69% SAPCAR -xvf SLLIBRARY02_3-10012577.SAR
Go to the extracted directory sunos-5.10-sparc-64 and extract SECURELOGINLIB.SAR into the SLL directory:
sandbox:sbxadm 70% SAPCAR -xvf SECURELOGINLIB.SAR -R /usr/sap/SBX/DVEBMGS02/SLL (all in one line)
C.7- Verify the Secure Login Library status using the command sapgenpse
sandbox:sbxadm 71% cd /usr/sap/SBX/DVEBMGS02/SLL
sandbox:sbxadm 72% pwd
sandbox:sbxadm 73% ./sapgenpse
D- Define SAP instance profile parameters
D.1- Add all parameters as below into SBX instance profile
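As an added example, not the original document's screenshot, here is a typical set of SNC profile parameters for this environment (Secure Login Library under /usr/sap/SBX/DVEBMGS02/SLL, service user SL-ABAP-SBX@ABC.COM); the library path and the values are assumptions to adapt to your system, and the SPNEGO-related parameters from SAP Note 1798979 are not included:

```ini
# Added example: SNC profile parameters for the SBX instance described above.
# Paths and values are assumptions derived from this document's environment,
# not a copy of the original screenshot; adjust them to your installation.

# Switch SNC on and point the kernel at the Secure Login Library (the GSS-API
# shared library extracted to DIR_INSTANCE/SLL in step C).
snc/enable = 1
snc/gssapi_lib = /usr/sap/SBX/DVEBMGS02/SLL/libsapcrypto.so

# SNC name of the application server: the Kerberos UPN of the AD service user
# for which the keytab PSE is generated in step E.2.
snc/identity/as = p:CN=SL-ABAP-SBX@ABC.COM

# Protection level negotiated with SAP GUI / RFC clients:
# 1 = authentication only, 2 = integrity, 3 = privacy (encryption).
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3

# Roll-out phase: still accept connections without SNC so that users whose
# SU01 SNC mapping (step H.5) is not yet maintained can log in with a
# password. Set these to 0 once every client is SNC-enabled; until then,
# password logons stay unencrypted and SNC is not enforced.
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/permit_insecure_start = 1

# Internal RFC between work processes of the same instance needs no SNC.
snc/r3int_rfc_secure = 0
```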
E- Create Kerberos KeyTab for SNC (SAP GUI -> SAP AS ABAP)
E.1- Check that the environment variable SECUDIR is set for the <SID>adm user (sbxadm).
If not, set it as below:
sandbox:sbxadm 130% setenv SECUDIR /usr/sap/SBX/DVEBMGS02/sec
E.2- Create PSE file with KeyTab included
Go to the /usr/sap/SBX/DVEBMGS02/SLL directory and run the following command:
sandbox:sbxadm 131% cd /usr/sap/SBX/DVEBMGS02/SLL
sandbox:sbxadm 132% pwd
sandbox:sbxadm 133% ./sapgenpse keytab -p SAPSNCSKERB.pse -a SL-ABAP-SBX@ABC.COM (all in one line)
First you are asked for a PIN (password) for this PSE file, then for the password of the SL-ABAP-SBX user that you created in Active Directory earlier.
E.3- Create Credential file (cred_v2)
sandbox:sbxadm 135% pwd
sandbox:sbxadm 136% ./sapgenpse seclogin -p SAPSNCSKERB.pse -O sbxadm
E.4- Verify the entries in the credential file using the command:
sandbox:sbxadm 138% pwd
sandbox:sbxadm 139% ./sapgenpse seclogin -l
Note: See SAP Note 1798979 for the SAP releases required for SPNEGO usage;
if your system does not meet them, skip step F and continue with step G.
SAP Note 1798979 – SPNego ABAP: Downport
F- Create Kerberos keyTab for SPNEGO (Web GUI -> SAP AS ABAP)
F.1- Log in to the ABAP system and run the new transaction code SPNEGO.
Go to change mode
Click on Add icon
Create the Kerberos keyTab using the User Principal Name SL-ABAP-SBX@ABC.COM
Click on the checkmark and save.
G- Restart the SAP AS ABAP system for all these changes to take effect.
H- Client Installation and User Mapping
Note: This step has to be repeated on all clients.
Note: Your system has to be bound to your Active Directory domain.
You can check it under “System Preferences” -> “Users & Groups”.
You should log in to your Mac using your Active Directory credentials.
If you log in to your system using a local account, follow the steps in the following document from Apple to switch from a local user to a network user:
http://support.apple.com/kb/ht5338
Your system admin can help you on these settings.
H.1- Download Secure Login Client from SMP (SecureLoginClient.pkg)
Note: Available for General Access on May 12, 2014.
H.2- Install it by double clicking the package
Verify installation
H.3- Close SAP GUI and open it again for changes to take effect.
Note: Restart your Mac and login with AD credentials if it doesn’t work.
H.4- Enable SNC in SAP GUI Application
Highlight SBX and click on the change icon.
SBX setting before SNC enabled:
SBX setting after SNC enabled:
Now try it: click on the SBX icon in your SAP GUI for Java.
H.5- Configure User Mapping for AS ABAP
Log in to the SBX system with your credentials.
Go to transaction SU01 and modify SAP user JDOE.
Change to SNC tab.
Save your changes.
Note: Step H.5 should be repeated for all users.
If your AD and SAP user IDs are in sync, you can use transaction SNC1 to populate SNC data for all of your users.
Example:
Otherwise, you should do it manually or use SCAT to create a script for it.
Your developers can also help to create a custom report using report RSUSR300 as a template.
I- Now try it again.
Done.
Thanks for sharing
Hi folks,
great news! And that is how it looks when using SAP GUI SSO based on SNC with X.509 AND Kerberos - have fun! 😎
https://www.youtube.com/watch?v=g-7hLkWqamE
Regards,
Carsten
Hi Carsten,
I saw your video. Do you have steps for setting it up with X.509 certificate? I am having issue with that. Do you have steps which you can share?
Thanks,
Ray
Hello Ray,
what kind of problem do you have?
What steps have you made which do not work?
best regards
Alex
Alexander, thank you for you reply.
I want to configure it without binding to LDAP. I have verified that it is doable and supported. But there is no documentation for this scenario. I have to create a user certificate and import it into Keychain. Then the SecureLogin Client for Mac can use this certificate for SSO.
I don't know how to set it up without LDAP binding.
Regards,
Ray
Hi Ray,
I do not fully understand what you mean with "LDAP binding". Do you mean the membership in an Active Directory Domain (Kerberos)?
In 2.0 SP03 the Secure Login Client for Mac does not have Secure Login Server Profile support.
So it can only use a X.509 certificate which already exists in the Keychain.
best regards
Alex
Hi Alex,
I know that 2.0 SP03 Secure Client for Mac does not support SLS profiles.
We login to our mac using our local ID. My X.509 certificate list is empty in my Keychain.
I want to know how I can get a certificate from our AD and import it into Keychain. Our AD admin does not know anything about it.
We don't have any PKI infrastructure in place, if that is something we must have.
Regards,
Ray
Hi Ray,
it is as simple as for Windows. What you require is a PKCS#12 container (.p12 or .pfx file) which contains your user certificate incl. the CA chain; this you will need from your Windows PKI. To set up ADCS (certificate services) isn't a big thing. If no one can provide you support with this, you are able to test X.509 SSO also with your certificate from SAP Service Marketplace. You can import this on the Mac and the SAP Passport CA on the Mac too, as well as on the SAP backend (SNC trusted certificates).
On the Mac all you need to do is to double click a certificate and install it to the keychain. You will find it at My Certificates. You open the certs and select "always trust". You need to make sure your backend works and is configured properly for X.509 SSO first; test it on a Windows client PC. Good luck
Carsten
Hi Ray,
I do not know how to push/request certificates into the Mac OSX keychain automatically via Active Directory/Microsoft Domain Server.
I found something on the Apple documentation side for "request a certificate from a Microsoft Certificate Authority using DCE/RPC...", but I do not know if this is helping you.
Please check the Apple Support/Documentation if there are options to enroll certificates from a Microsoft Domain like the Group Policy features on Microsoft client.
It would be nice if something is available.
best regards
Alexander Gimbel
There is an error in line C:\Windows\system32> setspn –L SL-ABPA-SBX
And the arguments of the setspn execution are wrong:
C:\Windows\system32> setspn –a SAP/SL-ABAP-SID SL-ABAP-SID
Hi Igor, it would be most interesting if you told us what is wrong. Most probably this is only a copy/paste problem. Check the minuses in notepad.
Regards,
Lutz
Hi Lutz, I don't know why, but in my case it didn't work without DOMAIN\
SETSPN -A HTTP/my-solman.domain.local DOMAIN\SL-ABAP-SM1 (it works)
and SETSPN -a SAP/ didn't work in any case 🙁
Thanks Lutz, the problem was in minuses 🙂
I'm facing the problem
./sapgenpse keytab –p SAPSNCSKERB.pse –a SL-ABAP-SM1@DOMAIN.LOCAL
Please enter PIN: ********
Please reenter PIN: ********
keytab: No keyTab content stored.
I have only SAPGENPSE 2.0 Patch 1 (Mar 21 2013). Should I search for SECURE LOGIN LIBRARY 2.0 64BIT SP002 Patch level 3?
Hi Igor, today you should use the most current CommonCryptolib (CCL). Do NOT use SLL anymore (as long as CCL is supported for your system).
Hi Lutz, so this instruction about SSO 2.0 is out of date ? 😥
No. Only concerning this detail.
Lutz, I updated the CommonCryptoLib, but faced the same problem on step E.2:
Please enter PIN: ********
Please reenter PIN: ********
keytab: No keyTab content stored.
Help me please 🙂
Hi Igor, I think we should move to a separate discussion thread. Last answers here:
Do you really do this with <SID>adm user? Did you check SECUDIR variable?
To avoid problems with environment variables pointing to wrong libraries or security environments I always use absolute paths both for sapgenpse and for SAPSNCSKERB.pse.
So my example for the (windows) command line looks like this:
(we decided to retire RC4 and therefore always activate both AES flags on windows account level and only generate AES keys.)
In the past there were problems with strange local language characters in the domain account's password producing strange error messages like yours. Since then we only use ASCII characters for passwords.
More questions: open a discussion thread please.
Regards,
Lutz
OMG, I can't believe it! It works!!!! 😆 Thanks Lutz!!! I tried to implement SSO three times.