SPNEGO CONFIGURATION GUIDE

Applies To:
SAP NetWeaver Engine
- NetWeaver 04 (6.40)
- NetWeaver 04S (7.00)
- NetWeaver 04S EhP1 (7.01)
- NetWeaver 04S EhP2 (7.02)

Summary:
This document contains detailed instructions on installation and
configuration of the new SPNego add-on.

Author: Dimitar Dimkin
Company: SAP AG
2010
SAP AG 2007
Table of Contents
1. Introduction
2. Prerequisites
3. Deployment
4. Access to the user interface
5. Creating a new realm
6. Configuring the user mapping
7. Configuring the encryption keys
8. Enabling the realm
9. Adjusting the policy configuration
10. Troubleshooting
1. INTRODUCTION

The SPNego add-on's purpose is to provide a possible solution to
problems caused by the new releases of Windows platforms (Windows
Vista, Windows 7, Windows 2008 R2), which no longer support DES as
the default encryption mechanism. This causes the old
SPNegoLoginModule login module to fail because it cannot decrypt
the Kerberos token received in the request. The current solution
supports both DES and RC4-HMAC encryption algorithms.

A workaround provided by Microsoft exists which enables DES
encryption on the Domain Controller and forces it to behave in the
same way as in the older Windows versions. More information can be
found in SAP Note 1396724.

This document is targeted specifically at the add-on solution,
but chapters 5 through 9 can be used for configuring the new SPNego
in its official release when it becomes available.
2. PREREQUISITES

Depending on whether you have a working configuration of the old
SPNegoLoginModule or not, there can be several prerequisites that
must be met before the new configuration can be finished
successfully.

I. A working configuration exists

In this case all the prerequisites have already been met. When
configuring the realm in the configuration UI, you can select the
already existing keytab file while configuring the encryption keys
(located on your central instance under
/usr/sap//SYS/global/kerberos) (if you used the SPNego Wizard to
configure the old SPNego authentication).

II. A working configuration does not exist

In this case you must make sure you follow several procedures in
order to configure the other parties in the SPNego mechanism
properly.

1. Service user - you must create a valid service user in the
Active Directory. A service user is considered to be valid when:
a) The password of this user never expires.
b) The URL of the J2EE engine which is to use SPNego authentication
is registered as an SPN (Service Principal Name) with this user.
For example, if the name of the user is "sapdemo" and the URL of
the J2EE engine is "testspnego.sap.com", you can set the SPN by
executing the Active Directory command
"setspn -A HTTP/testspnego.sap.com sapdemo".
c) All of the user's SPNs are unique within the whole Active
Directory (i.e. only this user has them). You can check if this is
true by executing the Active Directory command
"ldifde -r (serviceprincipalname=HTTP/) -f out.txt".
The output must contain only one entry - the service user which
has this SPN registered to them.
In addition, if you want to use DES as encryption mechanism, you
must select the "Use DES encryption" check box in the service
user's properties.
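The uniqueness check from step c), as an added example that is not part of the SAP guide: it parses the LDIF that ldifde writes and reports every SPN held by more than one directory object. The LDIF text is constructed sample data, not a real export.

```python
"""Find SPNs that an ldifde export shows on more than one account (the uniqueness
check in prerequisite 1c). Added example, not SAP code; the LDIF is constructed."""
import base64
from collections import defaultdict

def unfold(text):                             # a leading space continues the previous line
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def parse_ldif(text):
    """One {attribute: [values]} dict per record; names lower-cased, base64 decoded."""
    records, attrs = [], defaultdict(list)
    for line in unfold(text) + [""]:
        if not line:                          # a blank line ends the record
            if attrs:
                records.append(attrs)
                attrs = defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs[name.strip().lower()].append(value.strip())
    return records

def spn_owners(text):
    """Map each SPN (lower-cased, since AD matches SPNs case-insensitively) to its DNs."""
    owners = defaultdict(set)
    for rec in parse_ldif(text):
        for spn in rec.get("serviceprincipalname", []):
            owners[spn.lower()].add(rec["dn"][0])
    return owners

def duplicate_spns(text):                     # the entries prerequisite 1c forbids
    return {spn: sorted(dns) for spn, dns in spn_owners(text).items() if len(dns) > 1}

# Constructed ldifde output: a stale account still carries the engine's HTTP SPN.
SAMPLE_LDIF = """\
dn: CN=sapdemo,CN=Users,DC=spnego,DC=sap,DC=com
servicePrincipalName: HTTP/testspnego.sap.com
servicePrincipalName: HTTP/testspnego
servicePrincipalName:: SFRUUC9ob3N0Mg==

dn: CN=oldsvc,CN=Users,DC=spnego,DC=sap,DC=com
servicePrincipalName: HTTP/TESTSPNEGO.sap.com
"""
```

An empty result from duplicate_spns() is the condition the guide requires before the keytab is created.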
2. Keytab file - you must create a valid keytab file which
contains encryption keys for the realm you are going to configure. A
new keytab file must be created every time the service user is
changed, therefore it is a good idea to keep the number of such
changes as low as possible.
The two Kerberos configuration files created by the old SPNego
wizard are no longer needed. You do not need to keep anything in
\usr\sap\\SYS\global\kerberos. The purpose of the keytab file is to
transport the encryption keys from the domain controller to the
J2EE engine, and once it is uploaded in the new Configuration UI,
the file is no longer needed.
Keytab files are created via tools provided by the specific
Active Directory vendor; for more information contact your Active
Directory administrator. One tool provided by the JDK itself has
been tested to work. It is called ktab and you can use the
following syntax:
ktab -a @ -k
For more information on its full syntax, you can run
ktab -help
This tool creates encryption keys for all encryption mechanisms
that it supports. If you want to create a key for DES, you must use
ktab provided by JDK 1.5 or higher. If you need a key for RC4-HMAC,
you have to use the tool that comes with JDK 1.6.
3. Browser - the browser must be configured so that it can
communicate with the Key Distribution Center and obtain a valid
Kerberos token from it.
a) Internet Explorer
- enable "Windows Integrated Authentication": Tools ->
Internet Options -> Advanced -> Security
- enable automatic logon in intranet zone: Tools -> Internet
Options -> Security -> Local Intranet -> Custom level ->
"Automatic logon only in Intranet Zone"
- add the J2EE engine host name to the list of local intranet
sites: Tools -> Internet Options -> Security -> Local
Intranet -> Sites -> Advanced
- bypass the proxy server (if present) for the J2EE engine: Tools
-> Internet Options -> Connections -> LAN Settings ->
Proxy server -> Advanced -> Exceptions

b) Mozilla Firefox
- bypass the proxy server (if present) for the J2EE engine: Tools
-> Options -> Advanced -> Network -> Settings -> "No
proxy for:"
- adjust the negotiation properties for integrated
authentication:
  o enter the URL "about:config" in the address bar
  o filter the properties using "nego"
  o set the values of the properties
    "network.negotiate-auth.delegation-uris" and
    "network.negotiate-auth.trusted-uris" to "http://"
3. DEPLOYMENT

There are three deployable components:
- spnego.cfg.sda - This is a J2EE library which contains basic
functionality needed by the login module and the configuration
UI
- spnego.lm.sda - This is a J2EE library which contains
the SPNEGOLoginModule
- sap.com~spnego.cfg.wd.ear - This is a WebDynpro application
which is used for configuration of the new SPNEGOLoginModule
The three archives have internal dependencies, but they are only
available at runtime, not at deploy time. That's why they must be
deployed in a strict order:
1. Firstly, deploy spnego.cfg.sda
2. Secondly, deploy spnego.lm.sda
3. Lastly, deploy sap.com~spnego.cfg.wd.ear
NB! When deploying, do not select all of the archives.
Deployment will fail if the components are not selected as specified
above.
These components are deployed online and do not require a server
restart.
4. ACCESS TO THE USER INTERFACE

The configuration UI is accessible under:
http://:/spnego2/cfg
If for some reason this does not work, you can also use the
whole URL:
http://:/webdynpro/dispatcher/sap.com/spnego.cfg.wd/SPNEGO
You must log in with a user with administrator privileges.
5. CREATING A NEW REALM

Click the "Add" button and fill in the name and the description
of the realm you want to add. The names of all realms must be
unique. The description field is not mandatory.
This creates a new realm which is not configured and is
inactive. If you want to use it, you must configure its user mapping
and encryption keys and then activate it.
6. CONFIGURING THE USER MAPPING

This step corresponds to the resolution mode definition in the
old SPNego configuration UI.
Make sure the realm you want to modify is selected and click the
"Edit" button. The "User Mapping" tab below the realms table becomes
active. You must select both a user mapping mode and a user mapping
source - the combination of the two determines the user mapping for
the selected realm. Do not forget to save the changes when done.
You can define the namespace of a user attribute if applicable.
Should you choose to omit it, the default UME attribute namespace
will be used.
Suppose we have a user named "sapdemo" that belongs to the
domain "SPNEGO.SAP.COM". This user will be used in the examples
below.
Possible user mappings:
I. Mode = "principal only", Source = "logon id"
This means that the user in the user store must have their
"logonid" attribute equal to "sapdemo".
II. Mode = "principal only", Source = "logon alias"
This means that the user in the user store must have their
"logonalias" attribute equal to "sapdemo". This mapping can be used
when the data source is ABAP or LDAP.
III. Mode = "principal only", Source = "user attribute"
In this case you must specify the user attribute which is to
contain the name of the user. This attribute refers to the data
source configuration file and not the actual user store - meaning
that you either have to map this attribute to a physical one, or
leave it as it is and fill it in for every single user manually.
For instance, if we specify "email" as the user attribute, this
means that the user in the user store must have their "email" (or
mapped) attribute equal to "sapdemo".
IV. Mode = "principal@REALM", Source = "logon id"
This means that the user in the user store must have their
"logonid" attribute equal to "sapdemo@SPNEGO.SAP.COM".
15
SAP AG 2007
V. Mode = "principal@REALM", Source = "logon alias"
This means that the user in the user store must have their
"logonalias" attribute equal to"[email protected]". This
mapping can be used when the data source is ABAP orLDAP
VI. Mode = "principal@REALM ", Source = "user attribute"
In this case you must specify the user attribute which is to
contain the name of the user. Thisattribute refers to the data
source configuration file and not the actual user store - meaning
that youeither have to map it to a physical one, or leave it as it
is and fill it in for every single user manually.
For instance, if we specify "email" as the user attribute, this
means that the user in the userstore must have their "email" (or
mapped) attribute equal to [email protected]
VII. Mode = " principal and REALM", Source = "ADS Data
Source"
This mapping can be used when the data source is LDAP. By
default the data sourceconfiguration files provided by SAP contain
two user account attributes named "principal" and"realm". The first
one is mapped to the physical attribute "samaccountname" and the
second one -to nothing. This can be changed, but if you choose not
to map any attribute to a physical userattribute, you are going to
have to maintain the value of this attribute manually for every
singleuser.
This means that the user in the user store must have their
"principal" (or mapped) attributeequal to "sapdemo" and their
"realm" (or mapped) attribute equal to "SPNEGO.SAP.COM"
-
16
SAP AG 2007
VIII. Mode = " principal and REALM", Source = "user
attributes"
In this case you must specify the user attributes which are to
contain the principal and therealm of the user. These attribute
refers to the data source configuration file and not the actual
userstore - meaning that you either have to map them to physical
ones, or leave them as it is and fillthem in for every single user
manually.
For instance, if we specify "email" as the user attribute for
the principal and "city" as the userattribute for the realm, this
means that the user in the user store must have their "email"
(ormapped) attribute equal to "sapdemo" and their "city" (or
mapped) attribute equal to"SPNEGO.SAP.COM"
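The eight mode/source combinations above applied to a small user store, as an added example that is not SAP code: the store, its "uid" field and the resolver API are constructed for illustration, while the attribute names ("logonid", "logonalias", "principal", "realm") are the ones the chapter uses.

```python
"""Resolve the principal from a Kerberos ticket to one user-store entry using the
mode/source combinations of chapter 6. Added example, not SAP code: the user store,
the 'uid' field and the resolver API are constructed for illustration."""

SOURCE_ATTR = {"logon id": "logonid", "logon alias": "logonalias"}

def required_attributes(mode, source, principal, realm, attrs=None):
    """Return the {attribute: value} pairs a user must carry for this mapping.
    'attrs' names the configured attribute(s) for the 'user attribute(s)' sources."""
    attrs = attrs or {}
    if mode in ("principal only", "principal@REALM"):
        name = SOURCE_ATTR.get(source) or attrs["principal"]
        value = principal if mode == "principal only" else "%s@%s" % (principal, realm)
        return {name: value}
    if mode == "principal and REALM":
        if source == "ADS Data Source":          # SAP's default LDAP data source names
            return {"principal": principal, "realm": realm}
        return {attrs["principal"]: principal, attrs["realm"]: realm}
    raise ValueError("unknown user mapping mode: %r" % mode)

def resolve_user(kerberos_name, users, mode, source, attrs=None):
    """Split 'principal@REALM' from the ticket and require exactly one matching
    user; zero or several matches are a refusal, never a guess."""
    principal, _, realm = kerberos_name.partition("@")
    wanted = required_attributes(mode, source, principal, realm, attrs)
    hits = [u for u in users if all(u.get(k) == v for k, v in wanted.items())]
    if len(hits) != 1:
        raise LookupError("%d users match %r" % (len(hits), wanted))
    return hits[0]["uid"]

# Constructed user store: U2 and U3 both carry "sapdemo" in their email attribute, so
# mode III cannot pick one; mode VII separates U1 and U3 by realm.
USERS = [
    {"uid": "U1", "logonid": "sapdemo", "principal": "sapdemo", "realm": "SPNEGO.SAP.COM"},
    {"uid": "U2", "logonid": "sapdemo@SPNEGO.SAP.COM", "email": "sapdemo"},
    {"uid": "U3", "logonid": "sapdemo.other", "principal": "sapdemo",
     "realm": "OTHER.SAP.COM", "email": "sapdemo"},
]
```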
7. CONFIGURING THE ENCRYPTION KEYS

This step is new compared to the old SPNego configuration UI,
but it eliminates the need to create a connection to the KDC.
Make sure the realm you want to modify is selected and click the
"Edit" button. The "Keys" tab below the realms table becomes active.
Navigate to a valid keytab file that contains encryption keys for
the selected realm and upload it. You will be presented with a list
of all the valid encryption keys available in this keytab file.
Select the ones you want and click the "OK" button. Do not forget to
save the changes when done.
Note that if you used to have a working SPNego configuration
which was completed with the help of the SPNego Wizard, you can take
the keytab file created by the Wizard. It is located on your central
instance under /usr/sap//SYS/global/kerberos.
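For the keytab created in prerequisite 2 and uploaded in this chapter, an added example (not SAP code) that reads the MIT keytab format ktab writes and lists, per realm, the principals and encryption types the "Keys" tab would offer for selection. The sample keytab is built in code with all-zero placeholder keys; the enctype numbers are the IANA Kerberos assignments.

```python
"""List principals and encryption types in an MIT-format (0x0502) keytab: what the
"Keys" tab shows after upload. Added example, not SAP code; sample keys are zeros."""
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def _counted(buf, off):                     # uint16 length + bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(buf):
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab: %r" % buf[:2])
    entries, off = [], 2
    while off < len(buf):
        (size,) = struct.unpack_from(">i", buf, off); off += 4
        if size <= 0:                       # negative size marks a deleted slot
            off += -size or len(buf)        # zero would be corrupt: stop
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", buf, off)
        realm, off = _counted(buf, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(buf, off)
            comps.append(c.decode())
        vno8, enctype, klen = struct.unpack_from(">8xBHH", buf, off)  # 8x: name_type+timestamp
        off += 13 + klen                    # the key material itself is not needed here
        kvno = (struct.unpack_from(">I", buf, off)[0] if end - off >= 4 else 0) or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPES.get(enctype, str(enctype))})
        off = end
    return entries

def realm_enctypes(buf, realm):             # what the UI would list for one realm
    return sorted(e["enctype"] for e in parse_keytab(buf) if e["principal"].endswith("@" + realm))

def _entry(realm, comps, enctype, key, kvno):   # builder used only for the sample
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno) + struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed keytab: DES and RC4-HMAC keys for HTTP/testspnego.sap.com, kvno 2.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("SPNEGO.SAP.COM", ["HTTP", "testspnego.sap.com"], 3, bytes(8), 2)
                 + _entry("SPNEGO.SAP.COM", ["HTTP", "testspnego.sap.com"], 23, bytes(16), 2))
```

Running realm_enctypes() on the file before uploading it shows whether an RC4-HMAC key is present for the realm, which is what the newer Windows clients described in the introduction need.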
8. ENABLING THE REALM

Once you configure the realm's user mapping and encryption keys,
you have to activate it in order to use it. If you do not activate
the realm it will not be used during authentication even though the
rest of its configuration might be correct.
Make sure the realm you want to enable is selected and click the
"Edit" button, followed by the "Enable" button. Do not forget to save
the changes when done.
9. ADJUSTING THE POLICY CONFIGURATION

As with the old SPNegoLoginModule, if you want certain
applications to use Kerberos authentication, you have to adjust
their policy configurations. In order to configure the new
SPNEGOLoginModule for the Portal and all WebDynpro applications,
do the following:
1. Log on to the Visual Administrator
2. Navigate to ServerXXX -> Services -> Security Provider
3. Select the "ticket" template and make sure it does not have a
reference to another policy configuration
4. Add the SPNEGOLoginModule login module to the list of login
modules
4.1. If the old SPNegoLoginModule is present, remove it and put
the new SPNEGOLoginModule in its position. Normally its flag should
be OPTIONAL
4.2. If the old SPNegoLoginModule is not present, simply add the
new SPNEGOLoginModule to the list. Normally its position should be 2
and its flag OPTIONAL. You also need to add the
CreateTicketLoginModule module right after it - with position 3 and
flag SUFFICIENT
In case you want to use Kerberos authentication for a specific
application, you have to find its policy configuration and add the
module there as well.
10. TROUBLESHOOTING

Deploy the Web diagtool from SAP Note 1045019 on the J2EE
server, run it and perform the following steps:
1. Select "Component" = "security" and "Activity" = "all"
2. Click the "Go" button, followed by the "Add All" button
3. Select "Component" = "All" and in the "Search pattern" field write
"com.sap.security.spnego"
4. Click the "Go" button, followed by the "Add All" button
5. Start the tool
Then reproduce the problem and stop the tool. The generated zip
file will contain traces that might help you figure out what is
going wrong. If you are unable to do so, report a message in
the BC-JAS-SEC component and attach this archive. Don't forget to
include details about how you reproduce the problem along with the
exact version of your engine.