SSL Exercises

  • SINGLE SIGN-ON FOR THE ABAP WORLD

    USING SAP NETWEAVER SINGLE SIGN-ON

    SIS265

    Configuration of Single Sign-On based on Kerberos

    Stefanie Garcia-Laule, Jens Koster

  • SIS265

    Page 2, SAP TechEd 2013

    TABLE OF CONTENTS

    Before you start ......................................................................................................................................... 3

    Chapter 1: Setting up Trust between Active Directory and Application Server ABAP .............................. 4

    Exercise 1.1 - Verify Kerberos Service User in Active Directory ............................................................. 4

    Exercise 1.2 - Install Secure Login Library (SLL), Create PSE and cred_v2 .......................................... 8

    Chapter 2: Preparing the Application Server for Single Sign-On .............................................................. 13

    Exercise 2.1: Set Profile Parameters ....................................................................................................... 13

    Exercise 2.2: Restart the SAP System .................................................................................................... 21

    Chapter 3: Configuring the Client .............................................................................................................. 23

    Exercise 3.1: Install Secure Login Client (SLC) ...................................................................................... 23

    Exercise 3.2: Configure SAP Logon Entry .............................................................................................. 26

    Chapter 4: Configuring User Mapping ....................................................................................................... 27

    Exercise 4: Configure User Mapping ....................................................................................................... 27

    Chapter 5: Testing Single Sign-On for SAPGUI Access ........................................................................... 30

    Exercise 5: Test Single Sign-On for SAPGUI Access ............................................................................. 30

    Chapter 6: Configuring Single Sign-On for Web Access ........................................................................... 32

    Exercise 6: Configure SPNEGO .............................................................................................................. 32

    Chapter 7: Testing Single Sign-On for Web Access ................................................................................. 35

    Exercise 7: Test Single Sign-On for Web Access ................................................................................... 35

    Appendix .................................................................................................................................................... 37

    Troubleshooting ....................................................................................................................................... 37

    Appendix A1 - Server start error .............................................................................................................. 37

    Copyright ................................................................................................................................................... 39

    BEFORE YOU START

    Make sure that you log on to your TechEd laptop with user FAIR\SIS265 and password abcd1234. Do not use user student!

    CHAPTER 1: SETTING UP TRUST BETWEEN ACTIVE DIRECTORY AND APPLICATION SERVER ABAP

    Estimated time: 10 minutes

    Objective

    In this exercise you will verify that the Kerberos Service User (KerberosTDI) has been set up correctly in the Active Directory. You will then configure the same information for the Kerberos Service User on the Application Server ABAP.

    Active Directory:

    Use the tool adsiedit.msc to verify the servicePrincipalName(s).

    Application Server ABAP:

    Extract the Single Sign-On software (Secure Login Library) to the target directory.

    Create a container to store the information of the Kerberos Service User. This container is called PSE (Personal Security Environment).

    Create a file that the Application Server can use to access the PSE during runtime. This file is called cred_v2.

    Exercise 1.1 - Verify Kerberos Service User in Active Directory

    Explanation Screenshot

    1. Open the ADSI Edit tool: Start - Administrative Tools - ADSI Edit

    2. Click on ADSI Edit with the right mouse button.

    3. Click the Connect to... menu item to execute it.

    The path that is displayed might vary depending on the TechEd location.

    4. Click OK.

    5. Click Default naming context.

    Again, the server name that is displayed in brackets might vary depending on the TechEd location.

    6. Open the folder by clicking the Open folder icon.

    Navigate down to the following node (you need to click on an entry once before you can expand it): Default naming context - Events - TechEd - Sessions - SIS265 - Systems - CN=KerberosTDI

    7. Click on CN=KerberosTDI with the right mouse button.

    8. Click the Properties menu item to execute it.

    9. Select the entry servicePrincipalName by clicking it.

    10. Click View.

    You will see two entries for the trust relationship with the Application Server ABAP. The entry HTTP/local.abap is used for the Web access trust and the entry SAP/KerberosTDI is used for the trust using the SAPGUI connection.

    11. Click OK.

    12. Click Cancel.

    13. You can close the tool again.


    Exercise 1.2 - Install Secure Login Library (SLL), Create PSE and cred_v2

    1. Open the command prompt window: press Start, enter cmd and select the program "cmd".

    You can copy most of the following commands from the SIS265_commands.txt file that is located in \\TEfile.fair.sap.corp\Studentshare\SIS265 (shortcut on desktop).

    2. To extract the content of the Secure Login Library archive into the Secure Login Library target folder, enter the following command:

    D:\usr\sap\TDI\DVEBMGS00\exe\sapcar -xvf \\TEfile.fair.sap.corp\Studentshare\SIS265\Software\SECURELOGINLIB.SAR -R d:\usr\sap\TDI\DVEBMGS00\SLL

    3. Go to the Secure Login Library directory:

    cd d:\usr\sap\TDI\DVEBMGS00\SLL

    After that, switch to drive d: by entering:

    d:

    4. Now you define the target folder in which the security information is to be stored. Set the environment variable SECUDIR (temporarily):

    set SECUDIR=d:\usr\sap\TDI\DVEBMGS00\sec

    You need to create a PSE file which will contain a keytab, representing the password of the Kerberos Service User.

    5. Create the PSE file using the following command:

    sapgenpse keytab -p d:\usr\sap\TDI\DVEBMGS00\sec\SAPSNCSKERB.pse -a [email protected]

    Option -p defines the file name and location of the PSE file; option -a defines the Kerberos Service User name to be used for the trust relationship.

    6. Enter and confirm the PIN for the PSE file (that you will define in this step): Test123$

    This PIN is used to protect the access to the PSE file content.

    7. Enter and confirm the password of the Kerberos Service User (that is the same as for the user in the Active Directory), which is called keytab password in this dialog: secret123

    A success message is displayed, which also lists the content of the keytab.

    8. Create the cred_v2 file that is used by the server to access the keytab during runtime:

    sapgenpse seclogin -p d:\usr\sap\TDI\DVEBMGS00\sec\SAPSNCSKERB.pse -O SAPServiceTDI

    Option -p defines the path to the PSE file; option -O (capital "O") defines the user that the SAP Application Server runs as, so that the Application Server can access the PSE file during runtime.

    9. Provide the PSE PIN that you defined in a previous step to access the PSE: Test123$

    The message "Credentials file has been added." is displayed. Using the credentials file, the SAP system can access the keys stored in the PSE file during runtime.


    10. To verify that the files SAPSNCSKERB.pse and cred_v2 have been created, go to folder d:\usr\sap\TDI\DVEBMGS00\sec\ in Windows Explorer.

    CHAPTER 2: PREPARING THE APPLICATION SERVER FOR SINGLE SIGN-ON

    Estimated time: 15 minutes

    Objective

    In this exercise you will prepare the Application Server for Single Sign-On. You will set the profile parameters to enable SNC (Single Sign-On for SAPGUI) and SPNEGO (Single Sign-On for Web access). If you want to look up the documentation for each profile parameter, you can use transaction RZ11.

    Exercise 2.1: Set Profile Parameters


    1. Double click on the entry SAP Logon to select it.

    2. Double click on the entry TDI [localhost] to select it.

    3. Logon with user admin, password abc123


    4. Enter transaction code rz10 and press the Enter key.

    5. Click .

    6. Click the Import Profiles - Of active servers menu item to execute it.

    7. You can ignore the error messages. Click .


    8. Click .

    9. Double-click on TDI_DVEBMGS00_AMS... Profile.

    10. Select

    11. Click .


    12. Click in the area below the scroll bar to scroll down.

    13. Click .

    14. Click .


    15. Enter the parameter snc/enable into the Parameter field.

    16. Enter value 1 into the Parameter value field.

    17. Click twice.

    18. Click .


    19. Repeat steps 14 - 18 to set the following profile parameters:

    snc/gssapi_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll
    snc/identity/as = p:CN=KerberosTDI
    spnego/enable = 1
    spnego/krbspnego_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll

    Hint: You can copy the parameters and parameter values from the SIS265_commands.txt file that is located in \\TEfile.fair.sap.corp\Studentshare\SIS265

    As you can see in the parameter list, other parameters related to SNC have been preconfigured in the system. These additional parameters allow you to still use unsecured connections into the system.

    20. Click .

    With this step you confirm the complete list of parameters that you added.
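    The parameters set in this exercise, the library path under $(DIR_INSTANCE) and the Kerberos Service User verified in Exercise 1.1 have to agree with each other: snc/identity/as must be the service user's CN with the p:CN= prefix, both library parameters must point to a file that exists after the Secure Login Library was extracted, and the service user needs the SAP/ and HTTP/ service principal names for SAPGUI and Web logon. A mistyped value is not reported until the restart in Exercise 2.2 fails (see Appendix A1). The following Python script is an added example for this page; it is not part of the SAP exercise material and uses no SAP API. It parses an instance profile excerpt in the "parameter = value" format, resolves $(DIR_INSTANCE), and checks the five parameters against the service user's CN and servicePrincipalName values. The profile text and the ADSI-style entry are constructed sample data, and the names parse_profile, check_sso_profile and demo are the example's own.

```python
"""Consistency check for the SNC and SPNEGO profile parameters.

Added example for this page; not part of the SAP TechEd exercise material and
not an SAP API. The profile excerpt and the ADSI-style entry below are
constructed sample data that mirror the values used in the exercises.
"""
import os
import re
import tempfile

# Constructed stand-in for what ADSI Edit showed in Exercise 1.1.
SAMPLE_AD_ENTRY = {
    "cn": "KerberosTDI",
    "servicePrincipalName": ["HTTP/local.abap", "SAP/KerberosTDI"],
}

# Constructed instance profile excerpt with the parameters from Exercise 2.1.
SAMPLE_PROFILE = """# instance profile excerpt (constructed sample)
snc/enable = 1
snc/gssapi_lib = $(DIR_INSTANCE)\\SLL\\sapcrypto.dll
snc/identity/as = p:CN=KerberosTDI
spnego/enable = 1
spnego/krbspnego_lib = $(DIR_INSTANCE)\\SLL\\sapcrypto.dll
"""

_VARIABLE = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")


def parse_profile(text, variables):
    """Parse 'parameter = value' lines; '#' lines are comments, $(NAME) is expanded."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = _VARIABLE.sub(
            lambda m: variables.get(m.group(1), m.group(0)), value)
    return params


def _host_path(profile_path):
    """Profile values use Windows separators; map them to the local separator
    so the existence check also runs on a non-Windows host."""
    return profile_path.replace("\\", os.sep)


def check_sso_profile(params, ad_entry):
    """Return a list of findings; an empty list means the parameters are
    consistent with the Kerberos service user."""
    findings = []
    for key in ("snc/enable", "spnego/enable"):
        if params.get(key) != "1":
            findings.append(f"{key} must be 1, found {params.get(key)!r}")
    for key in ("snc/gssapi_lib", "spnego/krbspnego_lib"):
        lib = params.get(key)
        if lib is None:
            findings.append(f"{key} is not set")
        elif not os.path.isfile(_host_path(lib)):
            # A mistyped library path is the kind of error that leaves the
            # dispatcher stopped (Appendix A1); catch it before the restart.
            findings.append(f"{key} points to a library that does not exist: {lib}")
    expected_identity = f"p:CN={ad_entry['cn']}"
    identity = params.get("snc/identity/as")
    if identity != expected_identity:
        findings.append(f"snc/identity/as must be {expected_identity}, found {identity!r}")
    spns = set(ad_entry.get("servicePrincipalName", []))
    if f"SAP/{ad_entry['cn']}" not in spns:
        findings.append(f"service user lacks the SAP/{ad_entry['cn']} SPN needed for SAPGUI (SNC) logon")
    if not any(spn.upper().startswith("HTTP/") for spn in spns):
        findings.append("service user lacks an HTTP/ SPN needed for Web (SPNEGO) logon")
    return findings


def demo():
    """Check the sample profile as written and with a typo in one library path.
    Returns (findings_as_written, findings_with_typo)."""
    with tempfile.TemporaryDirectory() as instance_dir:
        os.makedirs(os.path.join(instance_dir, "SLL"))
        # Empty file standing in for the library extracted in Exercise 1.2.
        open(os.path.join(instance_dir, "SLL", "sapcrypto.dll"), "wb").close()
        variables = {"DIR_INSTANCE": instance_dir}
        good = check_sso_profile(parse_profile(SAMPLE_PROFILE, variables), SAMPLE_AD_ENTRY)
        typo_profile = SAMPLE_PROFILE.replace("sapcrypto.dll", "sapcrypt.dll", 1)
        typo = check_sso_profile(parse_profile(typo_profile, variables), SAMPLE_AD_ENTRY)
    return good, typo


if __name__ == "__main__":
    for label, result in zip(("as written", "with typo"), demo()):
        print(f"{label}: {result or 'OK'}")
```

    Run against a real instance, the script would read the profile exported in step 9 and be given DIR_INSTANCE as the instance directory (D:\usr\sap\TDI\DVEBMGS00 in this exercise); the servicePrincipalName list would be taken from the ADSI Edit view rather than from the constructed entry.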


    21. Click .

    22. Click .

    23. Click .

    24. Check if the parameters and parameter values that you entered are correct. Click .


    25. Click .

    26. Click .

    27. Click .

    28. Click twice to log off.


    Exercise 2.2: Restart the SAP System


    1. Double click on the entry SAP Management Console to open it. It might take a while for the console to start.

    2. Click on with the right mouse button.

    3. Click the Restart... menu item to execute it.

    4. Click OK.


    5. Enter password abcd1234

    6. Click OK.

    Wait some minutes for the Application Server to start up again. You can continue with the next exercise in the meantime.

    CHAPTER 3: CONFIGURING THE CLIENT

    Estimated time: 5 minutes

    Objective

    In this exercise you will install the required software on the client (Secure Login Client). This client is required for single sign-on using the SAPGUI. In order to enable single sign-on for a SAPGUI connection, you need to specify the SNC name of the SAP System (which is the Kerberos Service User name with prefix p:CN=) for the connection.

    Exercise 3.1: Install Secure Login Client (SLC)


    1. Double click on the entry Student (Share) to select it.

    2. Navigate to folder \\TEfile.fair.sap.corp\Studentshare\SIS265\Software Double click on the entry SAPSetupSLC... to select it.

    3. Click Run.

    4. Click Next >.

    5. Click .

    6. Click Next >.

    7. Click Close.


    Exercise 3.2: Configure SAP Logon Entry


    1. Double click on the entry SAP Logon to open it.

    2. Click on TDI [localhost] with the right mouse button.

    3. Click the Properties... menu item to execute it.

    4. Click the Network tab to select it.

    5. Select the check box Activate Secure Network Communication.

    6. Enter p:CN=KerberosTDI in the SNC Name box.

    7. Click OK.

    CHAPTER 4: CONFIGURING USER MAPPING

    Estimated time: 5 minutes

    Objective

    In this exercise you will map the Active Directory user name of the end user to the user name in the SAP Application Server. This is done in transaction SU01 in the user's master record.

    Exercise 4: Configure User Mapping


    1. Double click on the entry SAP Logon to open it. Note: You need to restart SAP GUI at this point so that the required modules can be loaded.

    2. Click on TDI [localhost] with the right mouse button.

    3. Click the SNC Logon Without Single Sign-On menu item to execute it.

    4. Logon with user admin and password abc123


    5. Enter su01 in the transaction code box. Confirm your entry by pressing the Enter key.

    6. Enter sis265 in the User field.

    7. Click Change.

    8. Click .

    9. Enter value p:[email protected] (use capital letters!). Important: Confirm your entry by pressing the Enter key.


    10. Verify that the message "Canonical name determined" appeared after you pressed the Enter key in the previous step.

    Click .

    11. Click twice to log off.

    CHAPTER 5: TESTING SINGLE SIGN-ON FOR SAPGUI ACCESS

    Estimated time: 1 minute

    Objective

    In this exercise you will test if single sign-on works using the SAPGUI.

    Exercise 5: Test Single Sign-On for SAPGUI Access


    1. Double click on the entry TDI [localhost] to select it.

    You can see in the status bar that SNC is enabled.

    2. Click .

    3. Click the Status... menu item to execute it.

    You can see that the user SIS265 is logged on to the system.

    4. Click Cancel.

    CHAPTER 6: CONFIGURING SINGLE SIGN-ON FOR WEB ACCESS

    Estimated time: 5 minutes

    Objective

    In this exercise you will set up the trust between the Active Directory (already verified in a previous exercise) and the Application Server FOR THE WEB ACCESS. For this, the same information (user, domain, password) for the Kerberos Service User needs to be maintained in transaction SPNEGO.

    Exercise 6: Configure SPNEGO


    1. Enter spnego in the transaction code box. Confirm your entry by pressing the Enter key.

    2. Click Display/Change.

    3. Click Continue.


    4. Click .

    5. Enter [email protected] in the Service Name field.

    6. Enter secret123 in the password box. Confirm your entry by pressing the Tab key.

    7. Enter the same password in the Confirm Password field.

    8. Click Continue.


    9. Click .

    10. Click to leave the transaction.

    CHAPTER 7: TESTING SINGLE SIGN-ON FOR WEB ACCESS

    Estimated time: 2 minutes

    Objective

    In this exercise you will test if single sign-on works for the Web access to the Application Server. You will do the test using Internet Explorer and the SAP NetWeaver Business Client.

    Exercise 7: Test Single Sign-On for Web Access


    1. Double click on the entry IE (32-bit) to select it.

    2. Click WebGui.

    3. Click Menu and select System.

    4. Click Status....


    User SIS265 has been logged on automatically!

    5. Click Close.

    6. Double click on the entry NetWeaver Business Client 4.0 to open it.

    7. Select the entry TDI SSO and click Log On.

    User SIS265 is also logged on automatically to the Application Server using SAP NetWeaver Business Client.


    APPENDIX

    Troubleshooting

    Appendix A1 - Server start error

    1. In the SAP Management Console, open the folder by clicking the Open folder icon.

    2. Click Process List.

    You can see that the Dispatcher Status is "stopped".

    Open Windows Explorer. Navigate to D:\usr\sap\TDI\DVEBMGS00\work and open the file dev_w0.

    3. Select the entry Notepad by clicking it.

    4. Click OK.

    5. Click the Edit menu item to execute it.

    6. Click the Find... menu item to execute it.

    7. Enter sncerr in the Find what: box.

    8. Click Find Next.

    You can see that the issue was caused by a typo in the profile parameter value.


    COPYRIGHT

    2013 by SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

