Single Sign-On (SSO) Configuration for SAP HANA DB Using Kerberos
This blog explains the steps for setting up Single Sign-On (SSO) for the SAP HANA database with Kerberos.
SSO allows a user to log on only once and provides access to multiple systems and services without asking for credentials again.
Kerberos is one of several ways of realizing SSO (other examples are SAML or X.509 certificates).
| Configuration File | Description |
|---|---|
| <sidadm home>/etc/krb5_hdb.conf | Configuration of the Kerberos realm to be used with the SAP HANA server installed under <sidadm> |
| <sidadm home>/etc/krb5_hdb.keytab | List of service keys required to authenticate the services to the Kerberos server |
| <sidadm home>/etc/krb5_host.keytab | One entry only, to authenticate the host to the Kerberos server for the purpose of delegation |

These per-<sidadm> file names and locations apply from HANA 1 SPS12 and HANA 2 onward; the commands in the steps below use the older system-wide /etc/krb5.conf and /etc/krb5.keytab.
Step-by-Step Procedure
We have to create a service user representing the SAP HANA database in Active Directory, mapped to a Service Principal Name (SPN); then we create a keytab file for this SPN on the DB server. The DB server also needs a krb5.conf file. Finally, we create an externally mapped SAP HANA database user.
Prerequisite:
Make sure that the Kerberos client and server libraries are installed on the HANA database server. To verify that the software requirements are met, run:
rpm -qa | grep krb5
The version numbers do not have to match exactly, but should be above 1.6.3-132 to include important security patches.
Configuration steps:
1-> Hostname Resolution
On Linux there are several tools for hostname resolution. Some of them use DNS directly (dig, host, nslookup), while others (hostname)
To verify, run the following on the DB server:
hostname --fqdn (gives the FQDN of the DB server)
hostname --ip-address (gives the corresponding IP address)
The FQDN returned here is the name that must appear in the SPNs and keytab entries below; forward and reverse DNS for the DB server should agree with it.
2-> Set up a configuration file for the MIT Kerberos libraries, krb5.conf, on the database server, as in the example below:
Standard Kerberos configuration:
#> cat /etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
kdc = mykdc1.mydomain.com
kdc = mykdc2.mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
The [domain_realm] section covers only the mapping for the DB server's domain (it has nothing to do with the client domain(s)). It is used in mutual authentication, when the SAP HANA database client authenticates the SAP HANA database server: the server's host name must map to the realm that holds its service principal.
The domain part of the [domain_realm] mapping must be the domain name in its full length, and both forms are needed: the entry with a leading dot matches every host below that domain, the entry without it matches only the domain name itself. If the FQDN of the DB server is hdbserver.subdomain.domain.com,
then the [domain_realm] entries have to be
.subdomain.domain.com = DOMAIN.COM
subdomain.domain.com = DOMAIN.COM
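As an added example (not code from the original post), here is a minimal parser for the [domain_realm] section together with the lookup rule the MIT libraries apply when mapping a host name to a realm: exact name first, then each parent domain with a leading dot, longest first. The krb5.conf text is constructed for illustration and reuses the host names from this post; it also shows what happens when the dotted entry is forgotten.

```python
"""Map a host name to a Kerberos realm the way the MIT libraries use [domain_realm].

Added example, not code from the original post. The krb5.conf text below is
constructed for illustration and reuses the host names from the post.
"""
from typing import Dict, Optional


def parse_domain_realm(conf: str) -> Dict[str, str]:
    """Return the {domain_or_host: REALM} pairs from the [domain_realm] section."""
    section = None
    mapping: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def realm_for_host(hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """Apply the MIT lookup rule.

    1. An entry without a leading dot matches only that exact name.
    2. Otherwise walk up the parent domains, longest first, looking for an
       entry with a leading dot, which matches every name below it.
    Returns None when nothing matches (the libraries then fall back to other
    means such as KDC referrals or DNS-based lookup).
    """
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


# Constructed krb5.conf covering both domain layouts discussed in the post.
KRB5_CONF = """
[libdefaults]
    default_realm = MYDOMAIN.COM

[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
    .subdomain.domain.com = DOMAIN.COM
    subdomain.domain.com = DOMAIN.COM
"""

# The same section with the leading dot forgotten: only the bare domain name
# itself maps; hosts beneath it (the DB server) do not.
KRB5_CONF_NO_DOT = """
[domain_realm]
    subdomain.domain.com = DOMAIN.COM
"""

if __name__ == "__main__":
    good = parse_domain_realm(KRB5_CONF)
    bad = parse_domain_realm(KRB5_CONF_NO_DOT)
    for h in ("hdbserver.subdomain.domain.com", "subdomain.domain.com",
              "hdbserver.mydomain.com"):
        print(f"{h:32} -> {realm_for_host(h, good)}  /  without dot: {realm_for_host(h, bad)}")
```

Running it shows hdbserver.subdomain.domain.com resolving to DOMAIN.COM with the full section, and to nothing at all when only the undotted entry is present, which is exactly the case where a client cannot build the service principal name for the DB server.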
3-> Create an Active Directory user for the Kerberos authentication, or use an existing one.
The user should be created with the "password never expires" option (this may differ depending on your organization's policies). Because the keytab created below holds keys derived from this account's password, the password should be long and random; changing it later increments the key version number (kvno) in AD, and the keytab then has to be regenerated.
In my case I raised a request to the Windows service team.
- SPN for HANA Studio:
setspn -S hdb/<server_name_fqdn> <user>
- SPN for HANA XS (web access):
setspn -S HTTP/<server_name_fqdn> <user>
4-> Verify the Kerberos configuration as the <SID>adm user:
The kinit and klist utilities rely on the AD user from step 3 being configured correctly. With kinit we authenticate that user against the AD domain and obtain a TGT:
/usr/bin/kinit <SPN_user>@MYDOMAIN.COM
kinit prompts for the password of <SPN_user>; if authentication succeeds it returns without any output.
- Run the next command immediately after kinit (it shows the ticket from the previous login).
With klist we can see this ticket:
>klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: SPN_user@MYDOMAIN.COM
Valid starting       Expires              Service principal
02/18/13 15:25:58    02/19/13 01:26:02    krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 02/19/13 15:25:58
5-> Create the keytab file. We use ktutil on the Linux server (the HANA server).
ktutil can be used to edit the keytab file.
First we need to find out the key version number (kvno) to use. To get the kvno, run the following commands:
- run kinit to get a TGT for the user (SPN_user):
For example: /usr/bin/kinit <SPN_user>@MYDOMAIN.COM
Next run kvno, which requests a service ticket for the SPN and displays its key version:
kvno hdb/<server_name_fqdn>@MYDOMAIN.COM
The output shows kvno = <value>.
-> If the kvno value is 3, we use 3 as the kvno when creating the keytab file. The kvno in the keytab must match the KDC's current kvno for the account; a mismatch is the most common reason for a keytab that lists the right SPNs but still fails.
6-> The commands for creating the keytab file (root is required because of the permissions on the /etc directory):
- Keytab for HANA Studio:
In the shell run:
/usr/bin/ktutil
In ktutil run:
addent -password -p hdb/<server_name_fqdn>@MYDOMAIN.COM -k 3 -e rc4-hmac
wkt /etc/krb5.keytab
q
- Keytab for HANA XS (web access):
In the shell run:
/usr/bin/ktutil
In ktutil run:
addent -password -p HTTP/<server_name_fqdn>@MYDOMAIN.COM -k 3 -e rc4-hmac
wkt /etc/krb5.keytab
q
wkt appends to an existing keytab, so both entries can also be added in a single ktutil session before one wkt. Each addent prompts for the AD user's password and derives the key from it. rc4-hmac works here because its key is the unsalted NT hash of the password and therefore matches what AD stores; it is, however, a deprecated encryption type (RFC 8429). If the AD account has AES enabled, prefer -e aes256-cts-hmac-sha1-96, keeping in mind that AES keys are salted: for a user account AD uses the upper-case realm name followed by the sAMAccountName as the salt, and the keytab entry must be created with that same salt or the key will not match.
7-> Securing the keytab file. This step is mandatory; without it SSO will not work (requires root). The keytab is equivalent to the service account's password: anyone who can read it can impersonate the HANA service, so it must be readable only by the OS user the database runs as.
- Change ownership of the file to <sid>adm:sapsys and restrict the permissions to the owner:
chown <sid>adm:sapsys /etc/krb5.keytab
chmod 600 /etc/krb5.keytab
8-> Verify the keytab file as <SID>adm
- Run klist:
klist -k /etc/krb5.keytab -etK
The output should list both SPNs with kvno 3 and the encryption type chosen above. (-K also prints the key bytes; leave it out in shared or logged sessions.)
- Run kinit to get a TGT for the user from step 3 (SPN_user):
/usr/bin/kinit <SPN_user>@<REALM>
For example: kinit <SPN_user>@MYDOMAIN.COM
- Next run kvno with the keytab; with -k it requests a service ticket for each SPN and checks that the ticket can be decrypted with the key stored in the keytab:
/usr/lib/mit/bin/kvno -k /etc/krb5.keytab hdb/<hostname_fqdn>@MYDOMAIN.COM
/usr/lib/mit/bin/kvno -k /etc/krb5.keytab HTTP/<hostname_fqdn>@MYDOMAIN.COM
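The checks in steps 7 and 8 can also be done offline, without a KDC, by reading the keytab itself. The following is an added example, not code from the original post: it builds a constructed keytab in memory with the same 0x0502 layout that ktutil's wkt writes, parses it back, and reports what a practitioner wants to know before trusting the file: both SPNs present, kvno equal to the value obtained from the KDC, no entry left on rc4-hmac, and (for a file on disk) no group or world permission bits. Key bytes and timestamps are placeholders; the principal names follow this post.

```python
"""Offline check of an MIT keytab (format 0x0502), as written by ktutil's wkt.

Added example, not code from the original post. The keytab bytes are constructed
here; key material and timestamps are placeholders, principals follow the post.
"""
import io
import stat
import struct
from dataclasses import dataclass
from typing import List

# IANA Kerberos encryption type numbers; 23 is rc4-hmac, printed by MIT as arcfour-hmac.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {23}


@dataclass
class KeytabEntry:
    principal: str      # e.g. hdb/hdbserver.mydomain.com@MYDOMAIN.COM
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix: the keytab's counted_octet_string."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the 0x0502 layout (version, then length-prefixed records)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">I", 1)                # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)                # timestamp (placeholder)
        body += struct.pack(">B", e.kvno & 0xFF)    # 8-bit vno
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)           # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a 0x0502 keytab; a negative record length marks a deleted entry to skip."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    f = io.BytesIO(data[2:])

    def rd(fmt: str) -> int:
        return struct.unpack(fmt, f.read(struct.calcsize(fmt)))[0]

    entries = []
    while len(raw := f.read(4)) == 4:
        size = struct.unpack(">i", raw)[0]
        if size < 0:
            f.seek(-size, io.SEEK_CUR)
            continue
        end = f.tell() + size
        ncomp = rd(">H")
        realm = f.read(rd(">H")).decode()
        comps = [f.read(rd(">H")).decode() for _ in range(ncomp)]
        _name_type, _timestamp = rd(">I"), rd(">I")
        kvno = rd(">B")
        enctype = rd(">H")
        key = f.read(rd(">H"))
        if end - f.tell() >= 4:                     # 32-bit vno present; overrides when nonzero
            kvno = rd(">I") or kvno
        f.seek(end)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries


def report(entries: List[KeytabEntry], expected_spns: List[str], kdc_kvno: int) -> List[str]:
    """Findings to resolve before trusting the keytab; an empty list means clean."""
    present = {e.principal for e in entries}
    findings = [f"missing: {s}" for s in expected_spns if s not in present]
    for e in entries:
        if e.kvno != kdc_kvno:
            findings.append(f"kvno {e.kvno} != KDC kvno {kdc_kvno}: {e.principal}")
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"weak enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)}: {e.principal}")
    return findings


def mode_is_private(mode: int) -> bool:
    """True when group and other have no permission bits, i.e. step 7 was applied."""
    return stat.S_IMODE(mode) & 0o077 == 0


# Constructed keytab: the two SPNs from the post, kvno 3, the HTTP entry still on rc4-hmac.
HOST = "hdbserver.mydomain.com"
EXPECTED_SPNS = [f"hdb/{HOST}@MYDOMAIN.COM", f"HTTP/{HOST}@MYDOMAIN.COM"]
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(EXPECTED_SPNS[0], 3, 18, bytes(range(32))),
    KeytabEntry(EXPECTED_SPNS[1], 3, 23, bytes(range(16))),
])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for e in parsed:
        print(f"{e.kvno:>4} {e.principal:45} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})")
    for line in report(parsed, EXPECTED_SPNS, 3):
        print("!", line)
```

To run it against the real file, read /etc/krb5.keytab into parse_keytab, pass the kvno printed in step 5 as kdc_kvno, and feed os.stat(path).st_mode to mode_is_private. The parser deliberately does not decrypt anything: confirming that the key actually matches the KDC is what the kvno -k check above is for.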
9-> Create or change the user in HANA
Under Authentication, tick the Kerberos checkbox and set External ID to <user_name_AD>@<REALM> (for example <user_name_AD>@MYDOMAIN.COM). This is the Kerberos principal of the end user who will log on, not the service account from step 3.
10-> Create a connection in HANA Studio with SSO
Add the system in HANA Studio. In the user and password step, choose "Authenticated by current OS user".
11-> Try to log on using the connection created in the previous step.
For Reference:
Kerberos / Active Directory
For background information on Kerberos or Active Directory troubleshooting, the following web sites may be helpful:
- Designing an Authentication System: a Dialogue in Four Scenes (MIT): http://web.mit.edu/kerberos/dialogue.html
- Kerberos FAQ: http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html
- MS AD troubleshooting:
  - Whitepaper AD/Kerberos Troubleshooting: https://wiki.wdf.sap.corp/wiki/download/attachments/1180221073/Troubleshooting_Kerberos_Errors.DOC?version=1&modificationDate=1355764274996
  - Switch on Windows System Event Log for Kerberos: http://support.microsoft.com/kb/262177/en-us
  - Things to check when Kerberos authentication fails using IIS/IE: http://blogs.msdn.com/b/friis/archive/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iis-ie.aspx
SAP HANA Database
- SAP HANA Security Guide: http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
- SAP HANA Administration Guide: http://help.sap.com/hana/SAP_HANA_Administration_Guide_en.pdf
- SAP HANA Developer Guide: http://help.sap.com/hana/SAP_HANA_Developer_Guide_en.pdf
- SAP Note 181372: SAP HANA database Kerberos/AD configuration and validation script hdbkrbconf.py
Regards,
Sumit
Thanks a lot for this guide, Sumit!
Let me add a hint:
You can set environment variable KRB5_CONFIG, pointing to your krb5.conf, e.g. <HOME_DIRECTORY_of_<sid>adm>/etc/krb5.conf,
and variable KRB5_KTNAME, pointing to your keytab file, e.g. <HOME_DIRECTORY_of_<sid>adm>/etc/krb5.keytab,
for user <sid>adm to perform the configuration without using the root account. This makes it more flexible for us in terms of operations.
Best regards
Joe
Thanks so much for your blog, Sumit!
Could you please share the link to download How-To Guide 2018 version for "Single Sign-On with SAP HANA Database using Kerberos and Microsoft Active Directory" .
I just can find the old version in 2014.
Thanks again,
Penny
Hi Penny,
Sorry for the late reply.
You can download the latest version from the note 1837331 - HowTo configure Kerberos SSO to SAP HANA DB using Microsoft Windows Active Directory
Hope it is useful.
Regards,
Sumit
Hi Sumit,
Thanks for this document.
I would appreciate it if you could also explain SSO using CryptoLib. I did not find any document for this on SAP SDN.
https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5/doc/krb5-install/The-Keytab-File.html
->
"if compromised, would allow unrestricted access to its host. The keytab file should be readable only by root"
You shouldn't put the sapsys group on /etc/krb5.keytab.
Dear all,
Find the latest revision of the document HowTo_HANA_SSO_Kerberos_*.pdf describing how to configure Kerberos SSO to SAP HANA DB in
SAP Note 1837331 – HowTo configure Kerberos SSO to SAP HANA DB using Microsoft Windows Active Directory
This how-to guide describes the steps necessary to set up Single Sign-On (SSO) with SAP HANA database using Kerberos and Microsoft Active Directory (AD).
Each step is accompanied by one or more verification steps allowing a systematic completion of the process.
Starting from HANA 1 SPS12 and HANA 2 there is a new naming and location of the Kerberos configuration and Kerberos keytab files. Additionally, the required Kerberos libraries are installed within the SAP HANA DB server installation.
Best regards
Axel Utz