Single Sign On ( SSO) Configuration For Hana DB Using Kerberos

Single Sign On ( SSO) Configuration For Hana DB Using Kerberos

This blog explain the steps on setting up of Single Sign On ( SSO) Configuration For Hana Database With Kerberos .

SSO allows a user to log on only once and provide access to multiple systems and services without being asked to produce credentials again.

Kerberos is one of many ways for realizing SSO (other examples are SAML or X.509 certificates).

Configuration File	Description
<sidadm home>/etc/krb5_hdb.conf	Configuration of the Kerberos realm to be used with the SAP HANA server installed under <sidadm>
<sidadm home>/etc/krb5_hdb.keytab	List of service keys required to authenticate the services on the Kerberos server
<sidadm home>/etc/krb5_host.keytab	One entry only to authenticate the host on the Kerberos server for the purpose of delegation

Step-by-Step Procedure

We have to create a Service User representing SAP HANA database in Active Directory, being mapped by a Service Principal Name(SPN), then we have to create a keytab file for this SPN on the DB server. On the DB server, we also need a krb5.conf file. Finally, we have to create an externally-mapped SAP HANA database user.

Prerequisite:

Make sure that the Kerberos client and server libraries are already installed on Hana database server , to verify that the software requirements are met, please run below command:

rpm -qa | grep krb5*

The version numbers don’t have to match exactly, but should be above 1.6.3-132 to include important security patches.

Configuration steps:

1-> Hostname Resolution

On Linux there are several tools for hostname resolution. Some of them use DNS directly (dig, host, nslookup), while others (hostname)

To verify , on the Db server run below command

>hostname –fqdn (This command gives the FQDN of the DB server.)

> hostname –ip-address(This command gives the respective IP address)

2->Setup a configuration file for the MIT Kerberos libraries, krb5.conf on database server shown as below example

Standard Kerberos configuration:

#> cat /etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
kdc = mykdc1.mydomain.com
kdc = mykdc2.mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

The [domain_realm] covers only the mapping for the DB server domain (it has nothing to do with the client domain(s)!). This will be used in mutual authentication when the SAP HANA database client tries to authenticate the SAP HANA database server.

The domain part in the [domain_realm] mapping must consist of the domain name in its full length. In case the FQDN of the DB server is hdbserver.subdomain.domain.com,

then the [domain_realm] entry has to be

subdomain.domain.com = DOMAIN.COM
subdomain.domain.com = DOMAIN.COM

3->Create Active Directory user for the Kerberos authentication or use existing one.

The user should be created with “password never expires” option.

( This may change based on your organization structure)

In my case I have raised request to the Windows Service Team

SPN for HANA Studio:

setspn -S hdb/<server_name_fqdn> <user>

SPN for HANA XS (web access):

setspn -S HTTP/<server_name_fqdn> <user>

4->Verify Kerberos configuration using <SID>adm user:

When using the kinit and klist utilities, we rely on the proper configuration of the Windows AD test user aduser1. Using kinit we try to authenticate the test user against the AD domain and create a TGT:

/usr/bin/kinit <SPN_user>@MYDOMAIN.COM

If it succeed it will ask for password of the SPN_user

The next command should be used immediate after the kinit command (it will show the ticket of the previous login).

Using klist we can see this ticket:

>klist

Ticket cache: FILE:/tmp/krb5cc_1000

Default principal: SPN_user@MYDOMAIN.COM

Valid starting Expires Service principal
02/18/13 15:25:58 02/19/13 01:26:02 krbtgt/ MYDOMAIN.COM@MYDOMAIN.COM
renew until 02/19/13 15:25:58

5->Create the keytab file. We will use ktutil from the Linux server (the HANA server).

Ktutil can be used to edit the keytab file.

First we need to discover the kvno number to use. In order to know the kvno number run the commands:

run kinit command to get the TGT for the user (SPN_user):

For example: /usr/bin/kinit <SPN_user>@MYDOMAIN.COM

Next run kvno command to get the kvno number:

kvno hdb/<server_name_fqdn>@MYDOMAIN.COM

In the output we can see kvno= value.

->If kvno value is 3 , then in that case while creating keytab file we will use kvno value as 3

6->The commands for creating the keytab file (it requires root as a result of the keytab directory /etc permission):

Keytab for HANA STUDIO:

In shell run:

/usr/bin/ktutil

In ktutil run:

addent -password -p hdb/<server_name_fqdn>@MYDOMAIN.COM -k 3 -e rc4-hmac

wkt /etc/krb5.keytab

Keytab for HANA XS (web access):

In shell run:

/usr/bin/ktutil

addent -password -p HTTP/<server_name_fqdn>@MYDOMAIN.COM -k 3 -e rc4-hmac

wkt /etc/krb5.keytab

7->Securing the keytab file. This step is mandatory, without it the SSO will not work (requires root)

Change ownership of the file to <sid>adm:sapsys:

8->Verify The Keytab File using <SID>adm

Run klist command:

klist -k /etc/krb5.keytab -etK

The output should return both SPNs

Run kinit command to get the TGT for the user from step 3 (SPN_user):

/usr/bin/kinit <SPN_user>@CORP.AMDOCS.COM

For example: kinit <SPN_user>@MYDOMAIN.COM

Next run the kvno command:

/usr/lib/mit/bin/kvno -k /etc/krb5.keytab hdb/<hostname_fqdn>@MYDOMAIN.COM

/usr/lib/mit/bin/kvno -k /etc/krb5.keytab HTTP/<hostname_fqdn>@MYDOMAIN.COM

9->Create/Change user in HANA

In authentication, check the Kerberos checkbox and in external ID fill the value <user_name_AD>@CORP.AMDOCS.COM

10->Create connection in HANA Studio with SSO

Create system in HANA Studio. In the phase of the user and password – choose Authenticated by current OS user.

11->Try to login using the connection created in the previous step

For Reference:

Kerberos/ Active Directory

Any background information on Kerberos or Active Directory troubleshooting, the following web sites may be helpful:

Designing an Authentication System: a Dialogue in Four Scenes (MIT): http://web.mit.edu/kerberos/dialogue.html
Kerberos FAQ: http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html
MS AD Troubleshooting:

Whitepaper AD/Kerberos Troubleshooting: https://wiki.wdf.sap.corp/wiki/download/attachments/1180221073/Troubleshooting_Kerberos_Errors.DOC?version=1&modificationDate=1355764274996

Switch on Windows System Event Log for Kerberos: http://support.microsoft.com/kb/262177/en-us

Things to check when Kerberos authentication fails using IIS/IE…: http://blogs.msdn.com/b/friis/archive/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iis-ie.aspx

SAP HANA Database

SAP HANA Security Guide: http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
SAP HANA Administration Guide: http://help.sap.com/hana/SAP_HANA_Administration_Guide_en.pdf
SAP HANA Developer Guide: http://help.sap.com/hana/SAP_HANA_Developer_Guide_en.pdf
SAP Note 181372: SAP HANA database Kerberos/ AD configuration and validation script hdbkrbconf.py

Regards,

Sumit

1 Comment

You must be Logged on to comment or reply to a post.

Former Member February 28, 2018 at 10:25 am

Thanks a lot for this guide, Sumit!

Let me add an hint:

You can set environment variable KRB5_CONFIG, pointing to your krb5.conf, e.g. <HOME_DIRECTORY_of_<sid>adm>/etc/krb5.conf,

and variable KRB5_KTNAME, pointing to your keytab file, e.g. <HOME_DIRECTORY_of_<sid>adm>/etc/krb5.keytab,

for user <sid>adm to perform the configuration without using the root account. This makes it more flexible for us in terms of operations.

Best regards

Joe

like (0)