Single Sign On ( SSO) Configuration For Hana DB Using Kerberos

Single Sign On ( SSO) Configuration For Hana DB Using Kerberos

This blog explain the steps on setting up of Single Sign On ( SSO) Configuration For Hana Database With Kerberos .

SSO allows a user to log on only once and provide access to multiple systems and services without being asked to produce credentials again.

Kerberos is one of many ways for realizing SSO (other examples are SAML or X.509 certificates).

Step-by-Step Procedure

We have to create a Service User representing SAP HANA database in Active Directory, being mapped by a Service Principal Name(SPN), then we have to create a keytab file for this SPN on the DB server. On the DB server, we also need a krb5.conf file. Finally, we have to create an externally-mapped SAP HANA database user.

Prerequisite:

Make sure that the Kerberos client and server libraries are already installed on Hana database server , to verify that the software requirements are met, please run below command:

rpm -qa | grep krb5*

The version numbers don’t have to match exactly, but should be above 1.6.3-132 to include important security patches.

Configuration steps:

1-> Hostname Resolution

On Linux there are several tools for hostname resolution. Some of them use DNS directly (dig, host, nslookup), while others (hostname)

To verify , on the Db server run below command

>hostname –fqdn (This command gives the FQDN of the DB server.)

> hostname –ip-address(This command gives the respective IP address)

2->Setup a configuration file for the MIT Kerberos libraries, krb5.conf on database server shown as below example

Standard Kerberos configuration:

#> cat /etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
kdc = mykdc1.mydomain.com
kdc = mykdc2.mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

The [domain_realm] covers only the mapping for the DB server domain (it has nothing to do with the client domain(s)!). This will be used in mutual authentication when the SAP HANA database client tries to authenticate the SAP HANA database server.

The domain part in the [domain_realm] mapping must consist of the domain name in its full length. In case the FQDN of the DB server is hdbserver.subdomain.domain.com,

then the [domain_realm] entry has to be

subdomain.domain.com = DOMAIN.COM
subdomain.domain.com = DOMAIN.COM

 

3->Create Active Directory user for the Kerberos authentication or use existing one.

The user should be created with “password never expires” option.

( This may change based on your organization structure)

In my case I have raised request to the Windows Service Team

• SPN for HANA Studio:

setspn -S hdb/<server_name_fqdn> <user>

• SPN for HANA XS (web access):

setspn -S HTTP/<server_name_fqdn> <user>

 

4->Verify Kerberos configuration using <SID>adm user:

When using the kinit and klist utilities, we rely on the proper configuration of the Windows AD test user aduser1. Using kinit we try to authenticate the test user against the AD domain and create a TGT:

/usr/bin/kinit <SPN_user>@MYDOMAIN.COM

If it succeed it will ask for password of the SPN_user

• The next command should be used immediate after the kinit command (it will show the ticket of the previous login).

Using klist we can see this ticket:

>klist

Ticket cache: FILE:/tmp/krb5cc_1000

Default principal: SPN_user@MYDOMAIN.COM

Valid starting Expires Service principal
02/18/13 15:25:58 02/19/13 01:26:02 krbtgt/ MYDOMAIN.COM@MYDOMAIN.COM
renew until 02/19/13 15:25:58

 

5->Create the keytab file. We will use ktutil from the Linux server (the HANA server).

Ktutil can be used to edit the keytab file.

First we need to discover the kvno number to use. In order to know the kvno number run the commands:

• run kinit command to get the TGT for the user (SPN_user):

For example: /usr/bin/kinit <SPN_user>@MYDOMAIN.COM

Next run kvno command to get the kvno number:

kvno hdb/<server_name_fqdn>@MYDOMAIN.COM

In the output we can see kvno= value.

->If kvno value is 3 , then in that case while creating keytab file we will use kvno value as 3

 

6->The commands for creating the keytab file (it requires root as a result of the keytab directory /etc permission):

• Keytab for HANA STUDIO:

In shell run:

/usr/bin/ktutil

In ktutil run:

addent -password -p hdb/<server_name_fqdn>@MYDOMAIN.COM -k 3 -e rc4-hmac

wkt /etc/krb5.keytab

q

• Keytab for HANA XS (web access):

In shell run:

/usr/bin/ktutil

addent -password -p HTTP/<server_name_fqdn>@MYDOMAIN.COM -k 3 -e rc4-hmac

wkt /etc/krb5.keytab

q

 

7->Securing the keytab file. This step is mandatory, without it the SSO will not work (requires root)

• Change ownership of the file to <sid>adm:sapsys:

8->Verify The Keytab File using <SID>adm

• Run klist command:

klist -k /etc/krb5.keytab -etK

The output should return both SPNs

• Run kinit command to get the TGT for the user from step 3 (SPN_user):

/usr/bin/kinit <SPN_user>@FQDN

For example: kinit <SPN_user>@MYDOMAIN.COM

• Next run the kvno command:

/usr/lib/mit/bin/kvno -k /etc/krb5.keytab hdb/<hostname_fqdn>@MYDOMAIN.COM

/usr/lib/mit/bin/kvno -k /etc/krb5.keytab HTTP/<hostname_fqdn>@MYDOMAIN.COM

 

9->Create/Change user in HANA

In authentication, check the Kerberos checkbox and in external ID fill the value <user_name_AD>@FQDN

10->Create connection in HANA Studio with SSO

Create system in HANA Studio. In the phase of the user and password – choose Authenticated by current OS user.

 

11->Try to login using the connection created in the previous step

 

For Reference:

Kerberos/ Active Directory

Any background information on Kerberos or Active Directory troubleshooting, the following web sites may be helpful:

• Designing an Authentication System: a Dialogue in Four Scenes (MIT): http://web.mit.edu/kerberos/dialogue.html
• Kerberos FAQ: http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html
• MS AD Troubleshooting:

Whitepaper AD/Kerberos Troubleshooting:        https://wiki.wdf.sap.corp/wiki/download/attachments/1180221073/Troubleshooting_Kerberos_Errors.DOC?version=1&modificationDate=1355764274996

Switch on Windows System Event Log for Kerberos: http://support.microsoft.com/kb/262177/en-us

Things to check when Kerberos authentication fails using IIS/IE…: http://blogs.msdn.com/b/friis/archive/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iis-ie.aspx

 

SAP HANA Database

• SAP HANA Security Guide: http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
• SAP HANA Administration Guide: http://help.sap.com/hana/SAP_HANA_Administration_Guide_en.pdf
• SAP HANA Developer Guide: http://help.sap.com/hana/SAP_HANA_Developer_Guide_en.pdf
• SAP Note 181372: SAP HANA database Kerberos/ AD configuration and validation script hdbkrbconf.py

 

Regards,

Sumit