Centrify Suite
DirectControl for NetWeaver AS Java
April 2016
Centrify Corporation
Legal notice
This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document “as is” without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.
© 2004-2016 Centrify Corporation. All rights reserved. Portions of Centrify software are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.
Centrify, DirectControl, DirectAuthorize, DirectAudit, DirectSecure, DirectControl Express, Centrify User Suite, and Centrify Server Suite are registered trademarks and Centrify for Mobile, Centrify for SaaS, Centrify for Mac, DirectManage, Centrify Express, DirectManage Express, Centrify Identity Platform, Centrify Identity Service, and Centrify Privilege Service are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.
Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103 B2; 9,112,846; 9,197,670; and 9,378,391.
The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.
Contents
About this guide 6
  Intended audience 6
  How this manual is organized 6
  Document conventions 7
  Full PDF search 7
  Where to find more information 7
    NetWeaver AS Java authentication 8
    Operating systems and Microsoft Active Directory 8
  Contacting Centrify 8
Chapter 1 Product Overview 9
  Summary of features 9
  How the NetWeaver connection to DirectControl works 9
  How authentication flow works 11
  Overview of user mapping 12
  Configuring single sign-on for SAP cloud-based applications 12
  How to proceed 13
Chapter 2 Installation and Configuration 14
  Understand the procedural basics 14
    SAP naming conventions 14
    Checking that applications have loaded 15
  Install DirectControl Agent on the NetWeaver host 16
  Set library path for SAP administrator – UNIX 16
  Set Java and library paths – Windows 17
  Install and deploy DirectControl for NetWeaver 19
    For SAP 7.0 19
    For SAP 7.3/7.4/7.5 21
  Configure the NetWeaver classloader to load Centrify login module 22
    For SAP 7.0 22
    For SAP 7.3/7.4/7.5 23
  Load and Configure Centrify login module 24
    For SAP 7.0 24
    For SAP 7.3/7.4/7.5 26
    Login Module Options 28
    Authentication scheme options and behavior 28
  Configure the Centrify login module stack 29
    For SAP 7.0 29
    For SAP 7.3/7.4/7.5 32
Chapter 3 Final Steps 33
  Set up user mapping 33
    Setup for mapping by Active Directory attribute 33
  Setup for direct mapping from Active Directory 34
    For SAP 7.0 34
    For SAP 7.3/7.4/7.5 34
  Setup for mapping by SAP custom attribute 35
    Create a UME custom attribute 35
  Reference example: user mapping 39
  Make optional adjustments to single sign-on behavior 39
    Modify the password-change functionality 40
    Configure logout for NetWeaver AS Java 40
  Set up browsers for authentication 41
    Set up Internet Explorer 41
    Configuring Firefox to allow silent authentication 42
    Configuring Safari 43
  Verify the installation 43
Chapter 4 Logging and Troubleshooting 44
  Log Files 44
  Log configuration 44
    For SAP 7.0 44
    For SAP 7.3/7.4/7.5 47
    Log viewing 48
    Viewing developer traces for SAP 7.3/7.4/7.5 51
  Troubleshooting 52
    Command not found – UNIX 52
    Command not found – Windows 52
    Library not found – UNIX 52
    Library or NetWeaver AS Java not found – Windows 53
    Deployment errors 53
    Authentication errors 54
    User mapping errors 55
    Login module stack does not work as intended 55
Appendix A Mixed Authentication 57
  How redirection works 57
  Set up mixed authentication 58
    Load 58
    Configure login module options 59
  User procedures 60
Appendix B Clustered Environments 61
  Centrify software requirements 61
  Configure a clustered environment with a reverse proxy 62
  Configure a clustered environment with a load balancer 63
Index 67
About this guide
This document describes DirectControl for NetWeaver, which enables NetWeaver J2EE applications to use DirectControl as their authentication mechanism, provides users with single sign-on (SSO) capability, and enables the administrator to disable user accounts centrally in Active Directory (AD). Where applicable, separate instructions are provided for SAP 7.0 and SAP 7.3/7.4/7.5.
Intended audience
This manual is intended for NetWeaver AS Java administrators and application developers who have appropriate permissions in and working knowledge of the NetWeaver AS Java environment.
This manual also assumes that the DirectControl Management Tools and DirectControl Agent are installed on at least one computer in your environment.
How this manual is organized
This chapter explains documentation conventions, where to find further information, and how to contact Centrify Corporation.
Chapter 1, “Product Overview” outlines how DirectControl and SAP NetWeaver AS Java are integrated for single sign-on, authentication, and so on. The chapter also summarizes how the integrated environment is set up.
Chapter 2, “Installation and Configuration” explains the steps to take after installing the DirectControl Agent on the NetWeaver server.
Chapter 3, “Final Steps” explains how user mapping works, how to set up users for user mapping, and optional adjustments to make so that single sign-on works seamlessly.
Chapter 4, “Logging and Troubleshooting” describes where to find DirectControl for NetWeaver AS Java log files and how to interpret them; the most common error scenarios and how to fix them; and what information to gather and send to Centrify customer support to expedite problem resolution.
Appendix A, “Mixed Authentication” describes how to install the supplemental redirect application included in the package, which lets some NetWeaver users log in with their Active Directory account while others use only their UME account.
Appendix B, “Clustered Environments” describes how to install DirectControl for NetWeaver in a clustered environment.
This guide includes an index.
Document conventions
The following conventions are used in this guide:
Unless otherwise noted, the term UNIX refers to all supported versions of the UNIX, Linux, and Macintosh OS X operating systems.
Fixed-width font is used for sample code, program names, program output, file names, and command-line commands. Italicized fixed-width font indicates variables such as version numbers. In command-line reference information, square brackets ([ ]) indicate optional arguments.
Bold text is used to emphasize commands, buttons or user interface text, and to introduce new terms.
Italic text is used for book titles, and to emphasize specific words or terms.
The variable release indicates a specific release number in file names. For example, centrifydc-release-sol8-sparc-local.tgz refers to a release version of the DirectControl for NetWeaver Agent for Solaris 8 on SPARC. For example, if this file is for version 4.1.2, the file name is centrifydc-4.1.2-sol8-sparc-local.tgz.
Full PDF search
Besides an index, the PDF version of the documentation offers a comprehensive search capability. To access it, open the drop-down list to the right of the Find text box and select Open Full Reader Search. You can search multiple documents by putting them in one folder and browsing to that folder for your search. The page number appears if you let the cursor hover over a results line.
Where to find more information
Be sure to refer to the package release notes before proceeding with installation and configuration.
If you are unfamiliar with the Centrify Suite in general or DirectControl in particular, the following books provide introductory and in-depth instructions and configuration information relevant to DirectControl for NetWeaver AS Java installation and use:
Centrify Suite Evaluation Guide describes how to set up an evaluation environment and use DirectControl to test typical authentication and authorization scenarios, such as creating zones, adding UNIX users, creating groups and assigning user privileges.
Centrify Suite Administrator’s Guide describes how to use the DirectControl Administrator Console and command line programs to manage UNIX computers, users, groups and zones through Active Directory. This guide focuses on managing the environment after deployment.
Centrify Suite 2012 Planning and Deployment Guide provides guidelines, strategies, and best practices to set up DirectControl to run in a production environment. Use this guide in conjunction with the DirectControl Administrator’s Guide.
NetWeaver AS Java authentication
SAP makes documents available on help.sap.com, including the NetWeaver AS Java Security Guide. Refer in particular to the section titled “Authentication Mechanisms and Single Sign-On Integration.”
Operating systems and Microsoft Active Directory
You may also want to consult documentation for Windows, UNIX, Linux or Mac OS X, as well as the documentation for Microsoft Active Directory.
Contacting Centrify
If you have a problem during DirectControl for NetWeaver software installation or configuration, need help with Active Directory configuration, or want clarification on best practices, contact your Centrify System Engineer or Technical Support. Go to www.centrify.com/support and log in for the Technical Support contact information.
Chapter 1
Product Overview
This chapter summarizes the features of DirectControl for NetWeaver AS Java, how it works, and how it is set up.
The following topics are covered:
Summary of features
How the NetWeaver connection to DirectControl works
How authentication flow works
Overview of user mapping
Configuring single sign-on for SAP cloud-based applications
Summary of features
DirectControl for NetWeaver AS Java provides seamless user authentication methods for NetWeaver applications via Active Directory user credentials, including Kerberos, NTLM, BASIC or FORM. A user who has been configured with a UME/ABAP account can access NetWeaver business applications with single sign-on (SSO). This capability increases user satisfaction and reduces support desk calls to reset passwords and unlock accounts. In addition, the administrator can use Active Directory to disable users’ NetWeaver accounts centrally, immediately removing access to SAP NetWeaver, including Portal.
With Centrify’s SAP-certified login modules and DirectControl for NetWeaver AS Java authentication, you can:
Allow users to leverage their Active Directory credentials to access NetWeaver
Centrally manage and enforce consistent passwords and other security policies
Deploy single sign-on without intrusive changes to Active Directory
Simplify compliance with regulatory requirements
Maximize your investment in Active Directory
How the NetWeaver connection to DirectControl works
DirectControl provides an integration layer between Active Directory and non-Windows operating system environments. The integration layer is the DirectControl Agent installed on each UNIX server.
When a UNIX computer with the DirectControl Agent joins the Active Directory domain, it becomes an Active Directory client for authentication, authorization, policy management and directory services. To extend authentication services to NetWeaver servers and clients, you then install login modules, and configure NetWeaver applications to handle login requests via those modules. The login modules in turn handle authentication requests via the DirectControl Agent.
After logging in (1 in the following figure) to a Windows Active Directory client, or a UNIX box equipped with DirectControl, the user requests and receives a Kerberos ticket. Using this ticket, the desktop client, via the browser, requests (2) a service ticket from the Kerberos Key Distribution Center (KDC). This service ticket is forwarded to the login module of the application that the user is trying to access (3). The DirectControl Agent on the server validates the authentication request via Active Directory (4), and forwards the response to the login module. The authenticated username is provided to the NetWeaver server. The NetWeaver server compares this user ID with the UME data source, and if it is valid (5), grants access to the user.
How authentication flow works
In production, the authentication flow for the DirectControl for NetWeaver solution has four primary steps, as shown in the following figure.
1 The web browser uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to request access to the NetWeaver server. NetWeaver login module and browser negotiate the appropriate level and type of authentication.
Note Kerberos is shown. SPNEGO also supports NTLM. DirectControl for NetWeaver also implements HTTP BASIC and FORM authentication.
2 For Kerberos, the browser client requests a service ticket using the built-in Kerberos Security Service Provider (SSP) from the Active Directory KDC or local cache. The web browser presents this service ticket to the NetWeaver server.
3 The NetWeaver server validates the request ticket via the login module and the DirectControl Agent. Once the request is successfully authenticated with Active Directory, the authenticated username, group information and other attributes are extracted.
4 The login module maps the authenticated user to the appropriate UME account and grants access to the user.
The requested content is returned to the user on the basis of the Active Directory credentials, without NetWeaver AS Java prompting for a username or password.
Overview of user mapping
After a user is authenticated with Active Directory (AD), DirectControl for NetWeaver maps the user's AD name to an SAP username in NetWeaver UME based on the settings in the Centrify login modules and the login module stack. Mapping proceeds in this order:
Step 1: Mapping by Active Directory attribute. DirectControl for NetWeaver first checks a Centrify login module (or login module stack) option you can set to designate a user attribute in Active Directory whose value could match the UME user name. (This step enables you to override direct mapping from Active Directory attributes.)
Step 2: Direct mapping from Active Directory. If the mapping in step 1 fails for any reason, DirectControl for NetWeaver tries to match the AD user name to a UME user name.
Step 3: Mapping by SAP custom attribute. If the mapping in step 2 fails for any reason, DirectControl for NetWeaver tries to match the value of the AD user’s userPrincipalName (in AD) to the name of a UME custom attribute specified by the values of Centrify login module (or login module stack) options. If the match succeeds, the AD user’s name is mapped to the corresponding UME user name.
The next chapter (Chapter 2, “Installation and Configuration”) describes how to set up Centrify login modules and the login module stack to use these mapping methods. The chapter after that (Chapter 3, “Final Steps”) describes how to set up Active Directory and UME attributes and values to implement the mapping. That chapter also contains a reference example illustrating how all the options, AD attributes, UME custom attributes and UME user names work together to map AD users to UME users.
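As an added illustration of the three-step precedence above (not Centrify's login module code), the following Python resolves a UME user name from constructed AD and UME data. The option names ad_attribute and ume_custom_attribute and the data shapes are assumptions standing in for the real login module options; step 3 is read as matching the AD userPrincipalName against the value of the configured UME custom attribute, and an ambiguous step-3 match is rejected rather than guessed, a check the guide itself does not discuss.

```python
"""Model of the AD-to-UME mapping order: attribute override, direct name, custom attribute.

Illustrative only; option names and data shapes are assumptions, not the product's settings.
"""
from typing import Optional


def map_ad_user_to_ume(ad_user: dict, ume_users: list, options: dict) -> Optional[str]:
    """Return the UME user name for an authenticated AD user, or None if no stage matches.

    ad_user:   AD attributes of the authenticated user, e.g.
               {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@example.com"}
    ume_users: UME accounts, each {"name": <UME user name>, "custom": {attr: value}}
    options:   assumed login-module option names:
               "ad_attribute"         AD attribute whose value should equal a UME name (step 1)
               "ume_custom_attribute" UME custom attribute that stores the AD UPN (step 3)
    """
    ume_names = {u["name"] for u in ume_users}

    # Step 1: mapping by Active Directory attribute. This overrides direct mapping,
    # so it is tried first whenever the option is set.
    attr = options.get("ad_attribute")
    if attr:
        candidate = ad_user.get(attr)
        if candidate in ume_names:
            return candidate

    # Step 2: direct mapping. The AD user name itself must be a UME user name.
    ad_name = ad_user.get("sAMAccountName")
    if ad_name in ume_names:
        return ad_name

    # Step 3: mapping by SAP custom attribute. The AD userPrincipalName must equal
    # the value of the configured custom attribute on exactly one UME user.
    custom_attr = options.get("ume_custom_attribute")
    upn = ad_user.get("userPrincipalName")
    if custom_attr and upn:
        matches = [u["name"] for u in ume_users
                   if u.get("custom", {}).get(custom_attr) == upn]
        if len(matches) == 1:  # two UME users claiming one UPN is a configuration error
            return matches[0]

    return None


# Constructed sample UME data for the demonstration.
UME_USERS = [
    {"name": "jdoe", "custom": {}},
    {"name": "SAP_JDOE", "custom": {"adupn": "jdoe@example.com"}},
    {"name": "asmith", "custom": {"adupn": "a.smith@example.com"}},
]


def demo() -> dict:
    """Run one constructed AD user through each outcome of the mapping order."""
    results = {}
    # Step 1 wins: the configured AD attribute (assumed name "sapName") names a UME user,
    # even though the AD account name "jdoe" would also have matched directly.
    results["by_attribute"] = map_ad_user_to_ume(
        {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@example.com",
         "sapName": "SAP_JDOE"},
        UME_USERS, {"ad_attribute": "sapName", "ume_custom_attribute": "adupn"})
    # Step 2: no override attribute configured, AD name equals a UME name.
    results["direct"] = map_ad_user_to_ume(
        {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@example.com"},
        UME_USERS, {"ume_custom_attribute": "adupn"})
    # Step 3: AD name has no UME twin, but the UPN is stored in the custom attribute.
    results["by_custom_attribute"] = map_ad_user_to_ume(
        {"sAMAccountName": "a.smith", "userPrincipalName": "a.smith@example.com"},
        UME_USERS, {"ume_custom_attribute": "adupn"})
    # No stage matches: the user stays unmapped and gets no access.
    results["unmapped"] = map_ad_user_to_ume(
        {"sAMAccountName": "ghost", "userPrincipalName": "ghost@example.com"},
        UME_USERS, {"ume_custom_attribute": "adupn"})
    return results


if __name__ == "__main__":
    for stage, ume_name in demo().items():
        print(f"{stage}: {ume_name}")
```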
Configuring single sign-on for SAP cloud-based applications
If your users access SAP servers through the SAP cloud-based applications SAP NetWeaver Application Server ABAP or SAP NetWeaver Application Server Java, you can use Centrify Identity Service for single sign-on (SSO) as an alternative to using Centrify Server Suite as discussed in the current document.
Centrify Identity Service (CIS) is a comprehensive cloud service that secures access to cloud, mobile, and on-premises apps via single sign-on, user provisioning and multi-factor authentication.
CIS allows you to choose where to store the directory — either on-premises (within corporate control) or in the cloud. Centrify integrates the Centrify Cloud with Active Directory or LDAP without poking extra holes in the firewall or adding devices in the DMZ.
In the web-portal interface to CIS, you configure NetWeaver AS ABAP and NetWeaver AS Java for SSO by enabling SAML (Security Assertion Markup Language)-based authentication for these applications.
SAP NetWeaver ABAP and NetWeaver Java offer both IdP-initiated SAML SSO (for SSO access through the CIS web-based management portal) and SP-initiated SAML SSO (for SSO access directly through the NetWeaver ABAP or Java web application). You can configure these applications for either or both types of SSO. Enabling both methods ensures that users can log in to SAP NetWeaver ABAP or NetWeaver Java in different situations such as clicking through a notification email.
To configure the SAP NetWeaver Java web application for SSO, you need the following:
A subscription to Centrify Identity Service
SAP NetWeaver Java or NetWeaver ABAP.
An active SAP NetWeaver Java or NetWeaver ABAP account with administrator rights for your organization.
You can find complete instructions for configuring SSO for NetWeaver ABAP and NetWeaver Java in the application configuration help included in the web-portal interface to CIS.
How to proceed
This guide assumes you have already taken the following steps in a standard Active Directory environment:
Installed the DirectControl Agent on the NetWeaver AS Java server or servers in a cluster.
Joined the NetWeaver server or servers in a cluster (see Appendix B, “Clustered Environments” for the join requirements) to the Active Directory domain, so the Java server can present valid credentials for authentication.
If you have not already installed the DirectControl Agent, go to the Centrify Suite Administrator’s Guide for the instructions.
After the DirectControl Agent is installed on the NetWeaver server(s), proceed to the next chapter to deploy the DirectControl for NetWeaver package and then load and configure the Centrify login module.
Chapter 2
Installation and Configuration
This chapter describes the procedures for installing and configuring DirectControl for NetWeaver. If you are installing DirectControl for NetWeaver in a clustered environment, see Appendix B, “Clustered Environments,” for additional information.
The topics in this chapter include:
Understand the procedural basics
Install DirectControl Agent on the NetWeaver host
Set library path for SAP administrator – UNIX
Set Java and library paths – Windows
Install and deploy DirectControl for NetWeaver
Configure the NetWeaver classloader to load Centrify login module
Load and configure Centrify login module
Configure the Centrify login module stack
Set up browsers for authentication
Understand the procedural basics
SAP naming conventions
The typical installation directory descriptions in the instructions below use the following variable definitions:
SID is the system ID. The SID must be three alphanumeric characters only. When you include the system ID in a path specification it must be in UPPER CASE.
Instance is the application server instance name. The instance name has two components in the form Tnn:
T: Indicates the instance type. There are four types:
JC: Java Central (deprecated)
J: Java Central or Dialog
DVEBMGS: ABAP/DoubleStack Central
D: ABAP/DoubleStack Dialog
nn: Indicates the instance number. The default is 00. This number is always two digits.
For example, the typical installation directory for an instance with the system ID NWS, instance type ABAP/DoubleStack Central and number 13:
UNIX: /usr/sap/NWS/DVEBMGS13
Windows: C:\usr\sap\NWS\DVEBMGS13
The system ID for the SAP instance administrator has user name sidadm and home directory /home/sidadm/. In this case, the system ID sid is always in lower case. For example, if the SAP system ID is NWS, the SAP administrator name is nwsadm and the UNIX home directory is /home/nwsadm.
Checking that applications have loaded
Loading and deploying applications in SAP can take several minutes. Confirm that the applications have loaded using the procedure corresponding to your server platform:
UNIX
1 Log in as sidadm and enter the following command:
sapcontrol -nr instancenumber -function GetProcessList
where instancenumber is the two-digit number of the instance (do not preface the number with the instance type).
2 The following figure illustrates the display after the applications have loaded:
If the dispstatus is GREEN (see the last line in the display), the server is ready. If you see YELLOW, it means “starting” or “warning”; GREY means “unavailable” and RED means “error.”
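To script the readiness check rather than read the display by eye, the following added Python example (not from the guide or from SAP) parses the comma-separated GetProcessList output that sapcontrol prints and applies the colour meanings listed above. The sample output is constructed, and unlike the manual check on the last line it requires every listed process to be GREEN before reporting the instance as ready.

```python
"""Parse `sapcontrol -nr NN -function GetProcessList` output and decide readiness.

Added illustration; the sample output below is constructed to follow sapcontrol's
comma-separated layout, and the colour semantics are the ones the guide gives.
"""
import subprocess

# Constructed sample of what sapcontrol prints on a UNIX host: a timestamp, the
# function name, "OK", a header row, then one row per process.
SAMPLE_OUTPUT = """\
01.04.2016 10:15:02
GetProcessList
OK
name, description, dispstatus, textstatus, starttime, elapsedtime, pid
jstart, J2EE Server, GREEN, All processes running, 2016 04 01 10:10:01, 0:05:01, 21345
igswd_mt, IGS Watchdog, GREEN, Running, 2016 04 01 10:10:01, 0:05:01, 21346
"""

# Meaning of each dispstatus colour, as given in the guide.
COLOUR_MEANING = {
    "GREEN": "ready",
    "YELLOW": "starting or warning",
    "GREY": "unavailable",
    "RED": "error",
}
# Worst colour wins when processes disagree; anything unknown is treated as worse than RED.
SEVERITY = ["GREEN", "YELLOW", "GREY", "RED"]


def parse_process_list(output: str) -> list:
    """Return one dict per process row, keyed by the header names.

    The preamble lines (timestamp, function name, OK) have fewer fields than the
    header and are skipped; the header row itself is detected by its 'name' and
    'dispstatus' columns.
    """
    rows = []
    header = None
    for line in output.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "name" and "dispstatus" in fields:
            header = fields
            continue
        if header is None or len(fields) < len(header):
            continue  # preamble or a line that does not match the table layout
        rows.append(dict(zip(header, fields)))
    return rows


def instance_state(output: str) -> str:
    """Collapse the per-process dispstatus colours into one verdict string."""
    rows = parse_process_list(output)
    if not rows:
        return "unknown"  # nothing parsed: sapcontrol failed or its layout changed
    worst = max(
        (r["dispstatus"].upper() for r in rows),
        key=lambda colour: SEVERITY.index(colour) if colour in SEVERITY else len(SEVERITY),
    )
    return COLOUR_MEANING.get(worst, "unknown")


def live_instance_state(instance_number: str) -> str:
    """Run sapcontrol for a real instance (as sidadm) and classify its output."""
    completed = subprocess.run(
        ["sapcontrol", "-nr", instance_number, "-function", "GetProcessList"],
        capture_output=True, text=True, check=False,
    )
    return instance_state(completed.stdout)


if __name__ == "__main__":
    print(instance_state(SAMPLE_OUTPUT))  # the constructed sample is fully GREEN
```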
Windows
To check that all applications have loaded in the SAP server from a Windows system, run C:\Windows\sapmmc.msc, the SAP Microsoft Management Console. Navigate in the tree view to Console Root > SAP Systems > sid > instance_name. If after several minutes the circle to the left of Process List turns green, deployment succeeded.
Install DirectControl Agent on the NetWeaver hostThe NetWeaver server UNIX host must use DirectControl version 4.4.x (part of the Centrify Suite) or later. The NetWeaver server should be joined to a DirectControl zone (the default zone, unless you designate another) in the Active Directory. For detailed installation and domain-joining instructions, refer to the Centrify Suite Administrator’s Guide. For version-specific information, refer to the release notes.
If you need single sign-on for AD users of SAP systems but do not require wider Centrify features, you can join a UNIX server to Active Directory without creating any Active Directory zones. To do this, use the adjoin option --zone NULL (short form -z NULL):
adjoin --user AD_user --password xxx --zone NULL -V domain --container DN
The value DN stands for the domain name or container name of the organizational unit or container where the computer object is to be created.
Note If you install NetWeaver in a clustered environment, the adjoin command is executed at a different point in the procedure and requires additional arguments (next section).
Set library path for SAP administrator – UNIX
This section explains how to set up a library path for DirectControl for NetWeaver on a UNIX machine. To set up the required paths on a Windows machine, go to the next section.
UNIX environments require a library path pointing to the DirectControl for NetWeaver libraries so that SAP NetWeaver AS Java can find and load them. Add the appropriate line below to the end of the shell startup configuration file (.cshrc for C-shell, etc.) of the SAP administrator.
In a Linux or Solaris 32-bit environment:
setenv LD_LIBRARY_PATH /usr/share/centrifydc/java/lib:${LD_LIBRARY_PATH}
In a Linux 64-bit environment:
setenv LD_LIBRARY_PATH /usr/share/centrifydc/java/lib64:${LD_LIBRARY_PATH}
In a Solaris 64-bit environment:
setenv LD_LIBRARY_PATH /usr/share/centrifydc/java/lib/sparcv9:${LD_LIBRARY_PATH}
In an AIX environment:
setenv LIBPATH /usr/share/centrifydc/java/lib/64:${LIBPATH}
In an HP-UX IA64 environment:
setenv SHLIB_PATH /usr/share/centrifydc/java/lib/hpux64:${SHLIB_PATH}
In an HP-UX PA-RISC environment:
setenv SHLIB_PATH /usr/share/centrifydc/java/lib:${SHLIB_PATH}
Save the .cshrc file, exit from user root, and issue the command:
su - sidadm
You should not see any error messages before the prompt reappears.
Set Java and library paths – Windows
This section explains how to set up the required paths for DirectControl for NetWeaver on a Windows machine. To set up paths on a UNIX machine, go back to the previous section.
On Windows systems, you need to configure library and Java paths via system properties:
1 Left-click on Start in the taskbar, right-click on My Computer, and select Properties.
2 Click the Advanced tab, and click Environment Variables.
3 Highlight the variable name Path in the system variables list, and click Edit.
4 Place the cursor at the beginning of the Variable value line, and add this string:
C:\Centrify\DirectControl\java\lib;
Note The string must end with a semicolon.
5 Click OK to store the changed variable value.
6 Click New below the system variables list, near the bottom of the window.
7 In the New System Variable dialog box, type JAVA_HOME for the variable name and C:\j2sdk1.4.2_28-x64 for the variable value.
8 Click OK to store the new variable value.
9 Click OK to exit from the System Properties window.
Install and deploy DirectControl for NetWeaver
For SAP 7.0
To install the DirectControl login module library on the NetWeaver host for SAP 7.0:
1 Download the centrifydc-netweaver-release-noarch.tgz package (UNIX) or the centrify-netweaver-release.zip (Windows) corresponding to the host’s processor architecture (32- or 64-bit) from the Centrify Download Center.
Note For the location and filename of the package suitable for your operating environment, refer to the release notes.
2 Expand the downloaded package in a temporary directory. For example, in UNIX:
# cd ~/desktop
# gunzip centrifydc-netweaver-v.v.v-noarch.tgz
# ls
centrifydc-netweaver-v.v.v-noarch.tar
# tar -xvf centrifydc-netweaver-v.v.v-noarch.tar
CentrifyLoginModuleLibrary.sda
centrifyRedirectApp.ear
Check that CentrifyLoginModuleLibrary.sda and centrifyRedirectApp.ear are both present. You install CentrifyLoginModuleLibrary.sda on the SAP server as described in the next steps. You use centrifyRedirectApp.ear when you have mixed authentication (Active Directory and UME); see Appendix A, “Mixed Authentication” for the description and installation instructions.
3 Transfer the CentrifyLoginModuleLibrary.sda file to a place on the SAP server system where sidadm can read it, such as /home/sidadm/.
4 Log in as sidadm and run the Software Deployment Manager (SDM):
UNIX: /usr/sap/SID/instance/SDM/program/RemoteGui.sh
Windows: C:\usr\sap\SID\instance\SDM\program\RemoteGui.bat
The Software Deployment Manager - GUI window appears.
5 Click SDM Gui > Login. Enter the password for the NetWeaver SDM server.
Note This password might be different from the SAP administrator password.
6 Click the Deployment tab.
7 Click the clipboard-plus-sign icon in the upper left corner of the Deployment tab.
8 Navigate to the place where you stored CentrifyLoginModuleLibrary.sda, select it, and click the Choose button. Wait for the choosing process to complete.
9 Click Next at the bottom to advance to Step 2. Because no changes are required in this step, click Next again, and then click the Start Deployment button at the bottom of the window.
When the deployment is complete, the Overall Deployment Progress bar in the lower right of the window shows 100% and a “Finished successfully” message appears. If deployment does not succeed, refer to the Troubleshooting section (page 52).
In a Windows system, you can run C:\Windows\sapmmc.msc, and navigate to Console Root > SAP Systems > sid > instance_name. Under it, the dot to the left of Process List turns green when the deployment process is complete. It may take up to ten minutes after deployment for this color change to occur.
Note You also can check that deployment was successful by selecting the Undeployment tab and verifying that centrify.com/CentrifyLoginModuleLibrary is somewhere on the Vendor/Name list.
10 Restart the SAP server so the changes take effect, and wait for all applications to start:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]
This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.
For SAP 7.3/7.4/7.5
To install the DirectControl login module library on the NetWeaver host for SAP 7.3/7.4/7.5:
1 Download the centrifydc-netweaver-release-noarch.tgz package (UNIX) or the centrify-netweaver-release.zip (Windows) corresponding to the host’s processor architecture (32- or 64-bit) from the Centrify Download Center.
Note For the location and filename of the package suitable for your operating environment, refer to the release notes.
2 Expand the downloaded package in a temporary directory. For example, in UNIX:
# cd ~/desktop
# gunzip centrifydc-netweaver-v.v.v-noarch.tgz
# ls
centrifydc-netweaver-v.v.v-noarch.tar
# tar -xvf centrifydc-netweaver-v.v.v-noarch.tar
CentrifyLoginModuleLibrary.sda
centrifyRedirectApp.ear
Check that CentrifyLoginModuleLibrary.sda and centrifyRedirectApp.ear are both present. You install CentrifyLoginModuleLibrary.sda on the SAP server as described in the next steps. You use centrifyRedirectApp.ear when you have mixed authentication (Active Directory and UME); see Appendix A, “Mixed Authentication” for the description and installation instructions.
3 Copy the CentrifyLoginModuleLibrary.sda file to /usr/sap/trans/EPS/in.
4 Create a new text file, deploylist.txt file in /usr/sap/trans/EPS/in.
5 Add the path of the CentrifyLoginModuleLibrary.sda file to the deploylist.txt file, for example:
/usr/sap/trans/EPS/in/CentrifyLoginModuleLibrary.sda
6 Start telnet in a shell window by entering the command:
telnet localhost 50008
7 Sign in as administrator.
8 Enter the command:
deploy list=/usr/sap/trans/EPS/in/deploylist.txt
9 When the deployment operation finishes, restart SAP.
This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.
Note Use Software Update Manager (SUM) for NetWeaver 7.4. If you are using NetWeaver 7.3, you can use JSPM as an alternative.
This concludes the installation and deployment of the CentrifyLoginModuleLibrary.sda.
In the next steps, you configure the NetWeaver classloader to load the Centrify login modules and then configure the NetWeaver login stack to use them.
Configure the NetWeaver classloader to load Centrify login module
For SAP 7.0
Once the Centrify login modules have been added to NetWeaver, make the NetWeaver classloader load the library:
1 Log in as the SAP administrator sidadm and run Visual Administrator.
UNIX: /usr/sap/SID/instance/j2ee/admin/go
Windows: C:\usr\sap\SID\instance\j2ee\admin\go.bat
2 In the tree view on the left, select the Global Configuration tab and the Server tab. Then navigate to Services > Security Provider.
3 In the Properties tab in the right pane, in the Key column, click the LoginModuleClassLoaders row.
4 In the Value field near the bottom, add the following text:
library:centrify.com~CentrifyLoginModuleLibrary
and click the Update button.
Note Separate multiple entries with commas but no spaces.
5 The value for the LoginModuleClassLoaders key is now set. To save the classloader configuration, click the disk icon.
6 The Visual Administrator prompts you to confirm. Leave the Server ... box checked and click Yes.
For SAP 7.3/7.4/7.5
Once the Centrify login modules have been added to NetWeaver, make the NetWeaver classloader load the library:
1 Run the AS Java Config Tool by typing this command in a shell window:
/usr/sap/<SID>/<instance>/j2ee/configtool/configtool.sh
2 In the pane on the left side of the Config Tool window, open the folder: cluster-data > template - Usage_Type_All_in-One > instance <INSTID> > services > security
3 Add this value to the LoginModuleClassLoaders key:
library:centrify.com~CentrifyLoginModuleLibrary
Note If the LoginModuleClassLoaders key already has a value, separate it from the value you are adding with a comma and no spaces.
4 (7.3/7.4) Click Save.
5 (7.5 only) Click Set Custom Value.
6 Restart SAP Java.
Load and Configure Centrify login module
For details about using the Centrify login module, see the section for the version of SAP you are using:
“For SAP 7.0” on page 24
“For SAP 7.3/7.4/7.5” on page 26
For SAP 7.0
Use the following steps to load the Centrify login module CentrifySpnegoLoginModule and set the options. If you have multiple clusters, you must load and configure CentrifySpnegoLoginModule individually on each cluster.
To see how the options you set on this page interact with UME, AD and other settings, refer to “Set up user mapping” on page 33 in the next chapter.
1 If you are not yet running the Visual Administrator, log in as sidadm and start it:
UNIX: /usr/sap/SID/instance/j2ee/admin/go
Windows: C:\usr\sap\SID\instance\j2ee\admin\go.bat
2 In the tree view in the left pane, select the Cluster tab. Then navigate to Server server_name > Services > Security Provider. The right pane is now populated with a set of tabs.
3 Click the Runtime tab and the User Management subtab in the right pane.
4 Click the pencil icon (the Switch to Edit Mode button) above the Runtime tab. This activates the Manage Security Stores button in the lower right corner.
Note If the icon above the Runtime tab is a pair of glasses, you are already in edit mode.
5 Click the Manage Security Stores button. This updates the User Management pane to show the current User Stores on the left and the current Login Modules on the right.
6 If the UME User Store is not already selected, select it. Click the Add Login Module button near the lower right.
7 In the Choose editor for login module options window, leave Use a specific editor for the login module options unchecked. You do not need to fill in an editor class name. Click OK.
8 Add the Centrify login module in the Add Login Module window. Enter the following for the corresponding parameter.
Class Name: com.centrify.dc.netweaver.CentrifySpnegoLoginModule
Display Name: CentrifySpnegoLoginModule
Description: Centrify SPNEGO Login Module
So far the Add Login Module window should look like this.
9 Set the CentrifySpnegoLoginModule options. The Login Module Options table lists the options. For all options that have a default, you do not need to enter them unless you want to change the default value.
10 Enter the authentication scheme options and click the OK button to add the module.
The Authentication scheme options and behavior table lists all valid enableAuthSchemes combinations for specifying browser and Centrify plug-in behavior.
For SAP 7.3/7.4/7.5
Use the following steps to load the Centrify login module CentrifySpnegoLoginModule and set the options. If you have multiple clusters, you must load and configure CentrifySpnegoLoginModule individually on each cluster.
To see how the options you set on this page interact with UME, AD and other settings, refer to “Set up user mapping” on page 33 in the next chapter.
1 Go to the NetWeaver Administration page of the SAP Java system. Go to Configuration > Security > Authentication and Single Sign-on.
2 On the Login Modules subtab, click Create.
3 In the New Login Modules window, enter these values:
Display Name: CentrifySpnegoLoginModule
Class Name: com.centrify.dc.netweaver.CentrifySpnegoLoginModule
Description: Centrify SPNEGO Login Module
The Login Module Options table lists all the options. For all options that have a default, you do not need to enter them unless you want to change the default value.
4 Enter the authentication scheme options and click the OK button to add the module.
The Authentication scheme options and behavior table lists all valid enableAuthSchemes combinations for specifying browser and Centrify plug-in behavior.
5 Click Save.
Login Module Options
Option | Default value | Description
realmName | centrify.dc.realm | Value of the realm attribute (see RFC 1945 and RFC 2617) in HTTP BASIC authentication. This value is used only if BASIC is one of the values set in enableAuthSchemes (next option).
enableAuthSchemes | Negotiate, NTLM, BASIC | Lists which authentication methods the module uses. See the table Authentication scheme options and behavior for the authentication method options. Browsers typically try the available schemes in order from most secure (Negotiate) to least secure (BASIC).
numReprompts | 3 | Specifies the number of login prompts; the number of retries is one less than the number set. For example, if the Kerberos ticket is invalid or the password is incorrect, the default gives the user two more attempts.
ADMappingVariable | [no default value] | Name of the Active Directory attribute in which to find the user’s SAP username. If this is set, the named attribute in the user’s Active Directory entry is used to map to the SAP user. If this is not set, or if the attribute in the user’s AD entry is not set or does not map to an existing SAP user, the value of usernameConfig is used to map the AD user to the SAP user. (See “Setup for mapping by SAP custom attribute” on page 35.)
usernameConfig | CdcUserName | Name of the SAP user profile custom attribute used to map Active Directory users to SAP users. You need to add this custom attribute to the SAP User Management Engine (UME) custom attributes of the user profile. (See “Setup for mapping by SAP custom attribute” on page 35.)
namespace | com.sap.security.core.usermanagement | Centrify login modules use the same default namespace for SAP user profile custom attributes as SAP uses. To use a different namespace, set its name here, and add the custom attribute to the UME. (See “Setup for mapping by SAP custom attribute” on page 35.) The attribute path is of the form <namespace>:<usernameConfig>.
errorUrl | [no default value] | URL to go to if an error occurs. Used by CentrifyRedirectApp.ear.
unauthorizedUrl | [no default value] | URL to go to if authorization fails. Used by CentrifyRedirectApp.ear.
redirectUrl | [no default value] | URL to go to if authentication succeeds. Used by CentrifyRedirectApp.ear.
Authentication scheme options and behavior
enableAuthSchemes | Browser and Centrify plug-in behavior
Negotiate | Browser: sends either Kerberos or NTLM credentials, but not BASIC credentials. Plug-in: accepts only Kerberos credentials.
Negotiate, NTLM, BASIC | Browser: sends Kerberos, NTLM or BASIC credentials. Plug-in: accepts Kerberos, NTLM or BASIC credentials.
Negotiate, NTLM | Browser: sends either Kerberos or NTLM credentials, but not BASIC credentials. Plug-in: accepts Kerberos or NTLM credentials, but not BASIC credentials.
Negotiate, BASIC | Browser: sends Kerberos, NTLM or BASIC credentials. Plug-in: accepts Kerberos or BASIC credentials, but not NTLM credentials.
NTLM | Browser: sends only NTLM credentials. Plug-in: accepts only NTLM credentials.
NTLM, BASIC | Browser: sends either NTLM or BASIC credentials. Plug-in: accepts NTLM or BASIC credentials, but not Kerberos credentials.
BASIC | Browser: sends only BASIC credentials. Plug-in: accepts only BASIC credentials.
Configure the Centrify login module stack
For details about using the Centrify stack, see the section for the version of SAP you are using:
“For SAP 7.0” on page 29
“For SAP 7.3/7.4/7.5” on page 32
For SAP 7.0
When a user logs into a NetWeaver AS Java server, the server uses a stack of login modules to authenticate the user for each requested application. To accommodate DirectControl authentication, the login stack needs to be modified to include the Centrify CentrifySpnegoLoginModule login module. Use the following steps to configure the NetWeaver Portal login stack:
1 If you are not in the Visual Administrator, log in as sidadm and start it:
UNIX: /usr/sap/SID/instance/j2ee/admin/go
Windows: C:\usr\sap\SID\instance\j2ee\admin\go.bat
2 In the tree view on the left, navigate to Server server_name > Services > Security Provider.
3 Click the Policy Configurations tab and then the Authentication tab.
4 Click the pencil icon (the Switch to Edit Mode button) above the tabs.
Note If the icon above the Runtime tab is a pair of glasses, you are already in edit mode.
5 In the components list on the left, select the ticket template; on the right, select No for the Authentication template.
6 Select each login module currently configured for ticket and click the Remove button at the bottom of the window.
7 Add Centrify and SAP ticket login modules as follows:
a Click the Add New button at the bottom of the screen.
b In the Available Login Modules window, click EvaluateTicketLoginModule and click OK.
c Repeat Substep a and Substep b for the following login modules:
CentrifySpnegoLoginModule
CreateTicketLoginModule
BasicPasswordLoginModule
CreateTicketLoginModule [a second time]
d After you have added all login modules, for each login module click the Modify button to modify the Flag and to add Option names and values.
e The final login stack (Login modules stack) should look like the following:
Login Modules | Flag | Options
com.sap.security.core.server.jaas.EvaluateTicketLoginModule | SUFFICIENT | {ume.configuration.active=true}
com.centrify.dc.netweaver.CentrifySpnegoLoginModule | OPTIONAL | {ume.configuration.active=true, enableAuthSchemes=Negotiate, Basic}
com.sap.security.core.server.jaas.CreateTicketLoginModule | SUFFICIENT | {ume.configuration.active=true}
BasicPasswordLoginModule | REQUISITE | { }
com.sap.security.core.server.jaas.CreateTicketLoginModule | OPTIONAL | {ume.configuration.active=true}
Note If you set ume.configuration.active=true, the logon ticket configuration settings are taken from the UME property sheet rather than from the login module options.
With this login module stack setup, users are authenticated in priority order as listed in the following table.
Method | In the following case
Kerberos | Ticket is valid and the user maps to a user in the NetWeaver UME.
HTTP BASIC | Kerberos fails, and the Active Directory username and password are valid.
NetWeaver UME | BASIC fails, and the user can be authenticated by username and password from the NetWeaver UME on the default NetWeaver login page.
The enableAuthSchemes option in the CentrifySpnegoLoginModule of this login module stack can be modified (for example) to bypass BASIC authentication if Kerberos fails. See the enableAuthSchemes row in the table on page 28 for more information on that option.
Note If you plan to use mixed authentication (that is, some users will be authenticated using their Active Directory account and others will not have an Active Directory account and will be authenticated solely by UME), you need to do two things:
Skip Step 8.
After you restart the SAP server and confirm Active Directory authentication is working, go to Appendix A, Mixed Authentication and deploy the CentrifyRedirectApp application included in the package.
8 If you do NOT plan to use mixed authentication, set the sap.com/irj*irj Authentication Template to “ticket” in the Visual Administrator. On the left side of the right frame, scroll down and click sap.com/irj*irj (iView Runtime for Java). On the right side, for Authentication template, select ticket.
9 Click the glasses icon above the Runtime tab to switch to read-only mode.
Note If the icon above the Runtime tab is a pencil, you are already in read-only mode.
10 Restart the SAP server so the changes take effect, and wait for all applications to start:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]
This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.
After SAP restarts, authentication to the Portal proceeds as described in the table above.
Note If you are logged in as an Active Directory user and want to access the SAP NetWeaver Administrator role, make sure your Active Directory username is mapped to a user in the NetWeaver UME with administrator privileges. If your Active Directory username is not mapped to a UME user with administrator privileges, allow that AD authentication to fail and then log in again as a UME user with administrator privileges.
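The priority order in the table above follows from the JAAS control flags on the five-module ticket stack. The model below is an added example, not Centrify's or SAP's code: it walks the documented stack, applies the SUFFICIENT, OPTIONAL and REQUISITE flags as JAAS defines them, and honours the enableAuthSchemes option on CentrifySpnegoLoginModule, so you can see why removing BASIC from that option sends a user whose Kerberos ticket is invalid straight to the UME login page. Two assumptions are built in and marked in the comments: CentrifySpnegoLoginModule succeeds on either a valid Kerberos ticket or valid Active Directory BASIC credentials (the table's first two rows), and CreateTicketLoginModule succeeds only when an earlier module in the stack has already authenticated the user. The request dictionaries and user names are constructed.

```python
"""Model of the Centrify ticket login stack under JAAS flag rules (added example)."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class Module:
    name: str
    flag: str   # REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL
    # login(request, shared_state) -> authenticated user name, or None.
    login: Callable[[dict, dict], Optional[str]]


def evaluate_stack(stack, request) -> Tuple[Optional[str], Optional[str]]:
    """Return (user, module that authenticated) following JAAS control flags."""
    shared = {}                # state handed from module to module
    required_failed = False    # a REQUIRED module failed earlier in the stack
    any_success = False
    for module in stack:
        user = module.login(request, shared)
        if user is not None:
            any_success = True
            if "user" not in shared:
                shared["user"], shared["by"] = user, module.name
            if module.flag == "SUFFICIENT" and not required_failed:
                return shared["user"], shared["by"]   # stop: authentication done
            continue                                  # REQUIRED/REQUISITE/OPTIONAL: go on
        if module.flag == "REQUISITE":
            return None, None                         # stop immediately on failure
        if module.flag == "REQUIRED":
            required_failed = True                    # continue, but the result is failure
        # a failed SUFFICIENT or OPTIONAL module is simply skipped
    if required_failed or not any_success:
        return None, None
    return shared["user"], shared["by"]


def evaluate_ticket(req, shared):
    # EvaluateTicketLoginModule: accepts an existing, valid SAP logon ticket.
    return req.get("logon_ticket_user") if req.get("logon_ticket_valid") else None


def make_centrify_spnego(schemes):
    """CentrifySpnegoLoginModule with the enableAuthSchemes option applied.

    Assumption: the module succeeds on a valid Kerberos ticket (Negotiate) or
    on valid Active Directory credentials sent with HTTP BASIC; 'ad_user' is
    the SAP user the AD account maps to (mapping is covered in the next chapter).
    """
    def login(req, shared):
        if "Negotiate" in schemes and req.get("kerberos_valid"):
            return req["ad_user"]
        if "BASIC" in schemes and req.get("ad_basic_valid"):
            return req["ad_user"]
        return None
    return login


def create_ticket(req, shared):
    # CreateTicketLoginModule (modelled): issues a logon ticket for a user that
    # an earlier module authenticated; with no such user it cannot succeed.
    return shared.get("user")


def basic_password(req, shared):
    # BasicPasswordLoginModule: UME user name and password from the login page.
    return req.get("ume_user") if req.get("ume_password_valid") else None


def ticket_stack(schemes=("Negotiate", "BASIC")):
    """The stack from the table above, in order, with its flags."""
    return [
        Module("com.sap.security.core.server.jaas.EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
        Module("com.centrify.dc.netweaver.CentrifySpnegoLoginModule", "OPTIONAL", make_centrify_spnego(schemes)),
        Module("com.sap.security.core.server.jaas.CreateTicketLoginModule", "SUFFICIENT", create_ticket),
        Module("BasicPasswordLoginModule", "REQUISITE", basic_password),
        Module("com.sap.security.core.server.jaas.CreateTicketLoginModule", "OPTIONAL", create_ticket),
    ]


def authenticate(request, schemes=("Negotiate", "BASIC")):
    return evaluate_stack(ticket_stack(schemes), request)


if __name__ == "__main__":
    # Constructed requests, one per row of the priority table plus a failure.
    print(authenticate({"kerberos_valid": True, "ad_user": "jdoe"}))
    print(authenticate({"ad_basic_valid": True, "ad_user": "jdoe"}))
    print(authenticate({"ume_password_valid": True, "ume_user": "Administrator"}))
    print(authenticate({}))
```

Because the first CreateTicketLoginModule is SUFFICIENT, a successful Centrify authentication ends the stack there and the user never sees the UME login page; with the Centrify module failing, the REQUISITE BasicPasswordLoginModule decides the outcome.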
For SAP 7.3/7.4/7.5
When a user logs into a NetWeaver AS Java server, the server uses a stack of login modules to authenticate a user for each requested application. To accommodate the use of DirectControl authentication, the login stack needs to be modified to include the Centrify CentrifySpnegoLoginModule login module. Use the following steps to configure NetWeaver Portal login stack:
1 Go to the NetWeaver Administration page of the SAP Java System.
2 Go to Configuration > Security >Authentication and Single Sign-on.
3 Select the Components tab.
4 Select ticket and click the Edit button.
5 Change the Login Modules, Flags and Options to this order:
Login Modules | Flag | Options
com.sap.security.core.server.jaas.EvaluateTicketLoginModule | SUFFICIENT | {ume.configuration.active=true}
com.centrify.dc.netweaver.CentrifySpnegoLoginModule | OPTIONAL | {ume.configuration.active=true}
com.sap.security.core.server.jaas.CreateTicketLoginModule | SUFFICIENT | {ume.configuration.active=true}
BasicPasswordLoginModule | REQUISITE | { }
com.sap.security.core.server.jaas.CreateTicketLoginModule | OPTIONAL | {ume.configuration.active=true}
6 Click Save.
Final Steps
This chapter describes the final steps to integrate SAP NetWeaver with Active Directory using DirectControl for NetWeaver, and to verify that authentication and user mapping take place as intended.
This chapter discusses the following topics:
Set up user mapping
Make optional adjustments to single sign-on behavior
Verify the installation
Set up user mapping
The Centrify DirectControl login modules follow a three-step user mapping procedure, as described in “Overview of user mapping” on page 12, that depends on attributes and values you set in Active Directory and in NetWeaver UME. Recall that the three steps are, in order:
Mapping by Active Directory attribute
Direct mapping from Active Directory
Mapping by SAP custom attribute
The subsections that follow explain how to set up options, attributes and values to cause the desired mapping to occur.
Setup for mapping by Active Directory attribute
If an Active Directory attribute is specified in the ADMappingVariable option of the Centrify login module or the login module stack, DirectControl for NetWeaver checks whether the value of that attribute in the user's AD entry is an SAP username in the UME. If so, the user is mapped to that SAP username; the name in the user’s AD attribute must match the SAP username in the UME.
To use mapping by Active Directory attribute:
1 If no Active Directory users exist, create one.
2 In the ADMappingVariable option in the Centrify login module or the login module stack, specify the name of the AD user entry attribute to use for the mapping.
To configure the Centrify login module in SAP 7.0, see Step 9 on page 26; for SAP 7.3/7.4/7.5, see Step 4 on page 27.
To configure the login module stack in SAP 7.0, see Substep d on page 30; for SAP 7.3/7.4/7.5, see Substep e on page 32.
3 Make sure the name contained in the specified AD user entry attribute is the same as the user name in the UME.
Setup for direct mapping from Active Directory
For SAP 7.0
If an SAP username is not found in the attempt to map by AD attribute, DirectControl for NetWeaver checks whether any username in the UME exactly matches the user's Active Directory login name. If so, the user is mapped to this username.
To use direct mapping from Active Directory, create an SAP user with the same name in the UME as the Active Directory user. To do this:
1 Go to this location:
http://sap_server_system:50000/nwa
2 Log in as administrator.
3 Go to the System Management tab, Administration subtab.
4 Click Identity Management on the left side.
5 Click the Create User button.
6 For the Logon ID, enter the Active Directory login ID.
7 Click Save All Changes.
For SAP 7.3/7.4/7.5
To use direct mapping from Active Directory, create an SAP user with a different name in the UME from the Active Directory user. The SAP username may not match the AD username. To do this:
1 Go to this location:
http://sap_server_system:50000/nwa
2 Log in as administrator.
3 Go to Configuration > Identity Management on the left side.
4 Click the Configuration button.
5 Click the Create User button.
6 For the Logon ID, enter the Active Directory login ID.
7 Click Save All Changes.
Setup for mapping by SAP custom attribute
If an SAP username is not found in the attempt to map directly from AD, DirectControl for NetWeaver checks whether a UME user profile has a custom attribute set to the user's Active Directory userPrincipalName (UPN). If so, the user is mapped to the UME user name of the user with this UPN. The name of the custom attribute in the UME user's profile is specified in the usernameConfig option, or by a concatenation of the namespace (if set) and usernameConfig options of the Centrify login module (see Step 9 on page 26) or the login module stack (see Substep d on page 30). The custom attribute also needs to be added to the user's profile. (See Create a UME custom attribute, below.)
1 Create the custom attribute in the UME (next section).
2 Restart the SAP server so the updates take effect. Log in as sidadm and run:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]
This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.
3 Find the custom attribute in the user's profile.
4 Set the user's custom attribute in the UME to the user’s UPN in Active Directory.
Create a UME custom attribute
While configuring the Centrify login module, you set options (page 28) to designate a custom attribute in the UME. This attribute, visible in the SAP user profile, maps Active Directory users to SAP users. You need to add this custom attribute to an appropriate place in the UME.
The location of the custom UME attribute is specified in one of three ways:
The usernameConfig option is at its default value (CdcUserName), and the namespace option is at its default value (com.sap.security.core.usermanagement). The login module looks for the UME custom attribute at com.sap.security.core.usermanagement:CdcUserName.
The usernameConfig option is set to a different value (for example, altAttribute), but the namespace option is left at its default value. The login module looks for the UME custom attribute at com.sap.security.core.usermanagement:altAttribute.
The usernameConfig option is at its default value, but the namespace option is set to a different value (for example, com.a.b.c) to distinguish the Centrify instance of CdcUserName from the SAP instance of CdcUserName. The login module looks for the UME custom attribute at com.a.b.c:CdcUserName.
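The three mapping steps and the three attribute locations described in this section, combined into one resolver as an added example (not Centrify's code). The AD entries, the UME users and the extensionAttribute1 attribute name used for ADMappingVariable are constructed; the option names and their defaults are the ones from the Login Module Options table. UPN values are compared case-insensitively here, which is this example's choice rather than something the guide states.

```python
"""Three-step Active Directory to UME user mapping (added example)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class AdUser:
    login_name: str                      # Active Directory login name
    upn: str                             # userPrincipalName
    attributes: dict = field(default_factory=dict)   # other AD attributes


@dataclass
class UmeUser:
    name: str                            # UME logon ID
    custom: dict = field(default_factory=dict)   # "<namespace>:<attribute>" -> value


# Defaults as listed in the Login Module Options table.
DEFAULT_OPTIONS = {
    "ADMappingVariable": None,
    "usernameConfig": "CdcUserName",
    "namespace": "com.sap.security.core.usermanagement",
}


def custom_attribute_path(options):
    """Where the module looks in the UME profile: <namespace>:<usernameConfig>."""
    opts = {**DEFAULT_OPTIONS, **options}
    return f"{opts['namespace']}:{opts['usernameConfig']}"


def map_ad_user(ad: AdUser, ume: dict, options: dict) -> Optional[Tuple[str, str]]:
    """Return (UME user name, step that matched), or None if nothing maps.

    `ume` maps UME logon IDs to UmeUser records; steps run in the guide's order.
    """
    opts = {**DEFAULT_OPTIONS, **options}
    # Step 1: mapping by Active Directory attribute (only if ADMappingVariable is set).
    attr = opts["ADMappingVariable"]
    if attr:
        candidate = ad.attributes.get(attr)
        if candidate in ume:
            return ume[candidate].name, "AD attribute"
    # Step 2: direct mapping, a UME user with the same name as the AD login name.
    if ad.login_name in ume:
        return ume[ad.login_name].name, "direct"
    # Step 3: mapping by SAP custom attribute holding the user's UPN.
    path = custom_attribute_path(opts)
    for user in ume.values():
        if user.custom.get(path, "").lower() == ad.upn.lower():   # case-insensitive by choice
            return user.name, "custom attribute"
    return None


# Constructed UME directory: one user per mapping step, plus an administrator.
UME_USERS = {
    u.name: u for u in [
        UmeUser("Administrator"),
        UmeUser("jdoe"),
        UmeUser("SAPJSMITH", {"com.sap.security.core.usermanagement:CdcUserName": "jsmith@example.com"}),
        UmeUser("AKIM_SAP"),
    ]
}


if __name__ == "__main__":
    # Constructed AD users; extensionAttribute1 is a sample choice for ADMappingVariable.
    print(map_ad_user(AdUser("akim", "akim@example.com", {"extensionAttribute1": "AKIM_SAP"}),
                      UME_USERS, {"ADMappingVariable": "extensionAttribute1"}))
    print(map_ad_user(AdUser("jdoe", "jdoe@example.com"), UME_USERS, {}))
    print(map_ad_user(AdUser("jsmith", "JSmith@Example.com"), UME_USERS, {}))
    print(map_ad_user(AdUser("nobody", "nobody@example.com"), UME_USERS, {}))
```

Note that an unset or non-matching ADMappingVariable does not stop the resolver; it falls through to the next step, as the ADMappingVariable row of the options table describes.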
For SAP 7.0:
1 Go to the NetWeaver Administrator web page:
http://sap_server_system:50000/nwa
2 Log in as the SAP administrator (sidadm).
3 Go to the System Management tab and the Administration subtab. Click the Identity Management button on the left.
4 Click the Configuration button.
5 Click User Admin UI and then the Modify Configuration button.
6 For Administrator-managed Custom Attributes, enter CdcUserName or whatever other value you set for usernameConfig in the Login Module options.
If you entered a value for the namespace option in the login module stack, specify the pair of values in the form:
namespace_option_value:usernameConfig_option_value
For example, if you entered mynamespace for the namespace option and use the default value CdcUserName for usernameConfig in the Login Module stack, specify:
mynamespace:CdcUserName
7 Click Save All Changes.
8 Log out and restart SAP so the updates take effect:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]
This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.
When you sign back in to the NetWeaver Administrator Web page, you find a field called CdcUserName in the Customized Information section. Set this field to the Active Directory user login ID or the user's UPN in Active Directory. When someone signs in to an SAP Web application using an Active Directory user name, the application identifies that person as the corresponding SAP user.
To set the custom attribute in a user's profile:
1 Go to the NetWeaver Administrator web page.
2 Log in as an AD user who maps to a UME username with SAP administrator privileges.
3 Click the Administration tab.
4 Click Identity Management.
5 In Search Criteria, enter the user name and click Go.
6 If the correct user is listed, select that user’s row. Details of the user will appear.
7 Click the Modify button just under Details of User username.
8 Click the Customized Information tab.
You should see text fields with custom attributes; for example, a value for CdcUserName.
9 Type the user's UPN in the CdcUserName field and click Save.
For SAP 7.3/7.4/7.5:
1 Go to the NetWeaver Administrator web page: http://sap_server_system:50000/nwa
2 Log in as the SAP administrator (sidadm).
3 Go to the Configuration tab and the Security subtab, then click the Identity Management link on the left.
4 Click the Configuration button.
5 Click User Admin UI and then the Modify Configuration button.
6 For Administrator-Managed Custom Attributes, enter CdcUserName or some other value for userNameConfig in the Login Module options.
If you entered a value for the namespace option in the login module stack, specify the pair of values in the form: namespace_option_value:usernameConfig_option_value
For example, if you entered mynamespace for the namespace option and use the default value CdcUserName for usernameConfig in the Login Module stack, specify: mynamespace:CdcUserName
7 Click Save All Changes.
8 Log out and restart SAP so the updates take effect:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]
This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.
When you sign back in to the NetWeaver Administrator Web page, you find a field called CdcUserName in the Customized Information section. Set this field to the Active Directory user login ID or the user's UPN in Active Directory. When someone signs in to an SAP Web application using an Active Directory user name, the application identifies that person as the corresponding SAP user.
To set the custom attribute in a user's profile:
1 Go to the NetWeaver Administrator web page.
2 Log in as an AD user who maps to a UME username with SAP administrator privileges.
3 Click the Configuration tab and the Security subtab.
4 Click Identity Management.
5 In Search Criteria, enter the user name and click Go.
6 If the correct user is listed, select that user’s row. Details of the user will appear.
7 Click the Modify button just under Details of User username.
8 Click the Customized Information tab.
You should see text fields with custom attributes; for example, a value for CdcUserName.
9 Type the user's UPN in the CdcUserName field and click Save.
Reference example: user mapping
This section interrupts the procedural flow to give a specific example of how the mapping algorithm works.
Sample values (V) in the table below show the three-step mapping sequence applied to a user who logs in with AD user name jeandoe. Each row gives the Centrify login module or login module stack option (O), the AD user entry attribute (A) for jeandoe, the UME user name (N) or UME custom attribute (C) it is compared against, and the outcome; where the values match, the outcome is the resulting mapping.
Step 1
If O ADMappingVariable = firstNameHireNum; A firstNameHireNum = jean10256; N = jean10256. Outcome: AD user jeandoe maps to jean10256.
but if O ADMappingVariable = firstNameHireNum; A firstNameHireNum = jean10256; N = [no match]. Outcome: goes to step 2.
or if O ADMappingVariable = firstNameHireNum; A firstNameHireNum = [attr absent or not set]. Outcome: goes to step 2.
or if O ADMappingVariable = [default state: not set]. Outcome: goes to step 2.
Step 2
If A sAMAccountName = jeandoe; N = jeandoe. Outcome: AD user jeandoe maps to jeandoe.
but if A sAMAccountName = jeandoe; N = [no match]. Outcome: goes to step 3.
Step 3 (specify C with the options shown)
O usernameConfig = CdcUserName or [empty]; A userPrincipalName = [email protected]; N = jean999, C CdcUserName = [email protected]. Outcome: AD user jeandoe maps to jean999.
or with O usernameConfig = altAttribute; A userPrincipalName = [email protected]; N = jean999, C altAttribute = [email protected]. Outcome: AD user jeandoe maps to jean999.
or with O usernameConfig = CdcUserName, O namespace = com.a.b.c; A userPrincipalName = [email protected]; N = jean999, C com.a.b.c:CdcUserName = [email protected]. Outcome: AD user jeandoe maps to jean999.
but if [for any of the options] C [whichever UME target] = [no match]. Outcome: AD user mapping fails.
Make optional adjustments to single sign-on behavior
You can take a few simple steps to fine-tune the single sign-on experience so that users do not need to change SAP account passwords created by administrators, and do not get automatically redirected to a login page when they log out from NetWeaver.
Modify the password-change functionality
If users consistently use SSO through DirectControl for NetWeaver, the SAP UME default security policy still forces them to change SAP account passwords created by an SAP administrator (such as for new SAP users). So by default the user must authenticate to DirectControl and then to NetWeaver AS Java before being able to change the password.
To eliminate this type of scenario, configure the SAP UME so it does not require password changes for single sign-on:
1 Start the configuration tool configtool.bat (typically found in AS_Java_installation\j2ee\configtool\).
2 Navigate to Cluster-data > Global Server Configuration > Services > com.sap.security.core.ume.service.
3 Locate the key ume.logon.force_password_change_on_sso and set the value to FALSE.
4 Apply the change by selecting File > Apply.
5 Click OK, and click OK again.
6 Restart the SAP server so the updates take effect. To do this, log in as sidadm and run:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]
This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.
To verify the change, create a new SAP user account; log in as that user; when requested to change the account password, see if you can change it without first authenticating to DirectControl.
Configure logout for NetWeaver AS Java
To ensure a seamless experience for users, it may be advisable to adjust the logout URL. For example, users logging out of SAP Portal are typically redirected to the login: with SSO configured they are then automatically logged back in (when in fact they probably wanted to remain logged out). To change the logout URL, follow these steps:
1 Start the configuration tool configtool.bat (typically found in AS_Java_installation\j2ee\configtool\).
2 In the tree, navigate to Global Server Configuration > Services > com.sap.security.core.ume.service.
3 Scroll to the ume.logoff.redirect.url property and configure the fully qualified logout URL.
4 Click the Apply Changes icon (which looks like a floppy disk).
5 Restart the SAP server so the updates take effect. Log in as sidadm and run:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]
This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.
To verify the change after configuring and deploying DirectControl for NetWeaver, log in to SAP Portal as a NetWeaver user and log out again. Make sure you are not automatically logged back in.
Set up browsers for authentication
This section explains how to set up Internet Explorer and Firefox for Kerberos and NTLM authentication.
Set up Internet Explorer
To prepare Internet Explorer for Kerberos and NTLM authentication, you need to understand IE security zones and then make appropriate modifications.
Understand Internet Explorer security zones
For users to be authenticated silently when they use Internet Explorer to access an application on the Web server with Kerberos or NTLM authentication, the Web server must be in the local intranet Internet Explorer security zone, or explicitly configured as part of the local intranet security zone.
For Internet Explorer, a server is recognized as part of the local intranet security zone in one of two ways:
• When the user specifies a URL that is not a fully qualified DNS domain name – for example, http://admin-server/index.html – Internet Explorer interprets the URL as a site in the local intranet security zone.
• When the user specifies a URL with a fully qualified name that has been explicitly configured as a local intranet site in Internet Explorer – for example, http://admin-server.mycompany.com/index.html – Internet Explorer interprets the URL as a site that is not part of the local intranet unless the site has been manually added to the local intranet security zone.
Depending on which type of URL the user specifies, silent authentication may require that you modify the local intranet security zone in Internet Explorer.
Modify the local intranet security zone
If users log on to Web applications using a fully-qualified path in the URL, they may need to modify the settings for the local intranet security zone in Internet Explorer to enable silent authentication. To do this:
1 Open Internet Explorer and select Tools > Internet Options.
2 Click the Security tab.
3 Click the Local intranet icon.
4 Click Sites and then click Advanced.
5 Type the URL for the Web site you want to make part of the local intranet, and click Add. You can use wildcards in the site address, for example, *://*.mycompany.com. When you are finished adding URLs or URL patterns, click OK.
6 Click OK to accept the local intranet configuration settings, and click OK to close the Internet Options dialog box.
Once you have configured the local intranet security zone, you can log on to Web or Java applications through Kerberos or NTLM without being prompted for a user name and password.
Configuring Firefox to allow silent authentication
By default, Firefox supports “prompted NTLM authentication.” To enable “silent NTLM authentication” (no prompts), open Firefox and configure the browser to trust sites:
1 Type about:config as the target URL and press Return.
2 Click the I’ll be careful button. Type ntlm in the Filter field.
3 Open network.automatic-ntlm-auth.trusted-uris.
4 Type a comma-separated list of partner URLs or domain names and click OK.
Note You can use wildcards (for example, *.company.com); however, for the sake of security, make this list as restrictive as possible.
Mozilla Firefox supports negotiated (SPNEGO) authentication, but not by default. To enable silent SPNEGO authentication, continue as follows:
5 Type neg in the Filter field.
6 Open network.negotiate-auth.delegation-uris, type a comma-separated list of partner URLs or domain names as string values, and click OK.
Note For security reasons, make this list as restrictive as possible. If your Web server uses SSL, be sure to include https:// in the string.
7 Open network.negotiate-auth.trusted-uris, type a comma-separated list of partner URLs or domain names, and click OK.
Configuring Safari
Safari does not require any configuration to work with DirectControl for NetWeaver.
Verify the installation
To verify that user authentication and mapping work as intended:
1 Create an Active Directory user if one does not yet exist.
2 Go to the NetWeaver Portal: http://sap_server_system:50000/irj
3 Log in as an AD user, and note the login behavior of the system when you attempt to use NetWeaver.
4 To test individual user mapping, log in as an Active Directory user and verify that the expected mapping occurs (page 12) in each scenario you expect users to encounter; for example:
Change Active Directory attributes and values, and UME default and custom attributes, and verify that the expected mapping occurs in each case.
Change values in the login modules and the login module stack (page 29), and check for expected outcomes in each scenario.
A list of troubleshooting scenarios and solutions can be found on page 55.
5 To check Kerberos authentication in a clustered environment behind a reverse proxy (page 62) or load balancer (page 63), ask IT to create both routine and edge conditions for the cluster, and then verify expected outcomes.
If problems occur, refer to the troubleshooting section (page 52) in the next chapter. If problems persist, go to www.centrify.com/support and log in for the Technical Support contact information.
Chapter 4
Logging and Troubleshooting
This chapter discusses the following topics:
• Log Files
• Troubleshooting
Log Files
SAP NetWeaver separates log files from trace files:
• Log files are operation log messages that are written to categories. Categories have names that start with a slash (/) and are specific to an area; for example, /System/Network.
• Trace files are debug log messages that are written to locations. Locations have names made up of components separated by dots (.); for example, com.sap.tc.security.
In both cases the names are hierarchical; for example, if the log level for com.centrify.dc.netweaver is not set, it inherits the log level for com.centrify.dc.
DirectControl for NetWeaver creates a category called /System/Security/Centrify and a location for each class. The location name is the name of the class.
Log configuration
For details about log configuration, see the section for the version of SAP you are using:
• “For SAP 7.0” on page 44
• “For SAP 7.3/7.4/7.5:” on page 47
For SAP 7.0
You can configure logging in one of three ways:
• With your own configuration file
• Using Visual Administrator
• Logging in from a browser, using NetWeaver Administrator (the preferred method because you can configure all server nodes from one place).
Before configuring logging, you need to deploy and configure DirectControl for NetWeaver, and restart NetWeaver. When DirectControl for NetWeaver is loaded, the following categories and locations are automatically created in the Visual Administrator.
Name | Default Severity Level | Description
Categories
/System/Security/Centrify | Info | Messages info level and higher from all classes
Locations
com.centrify.dc.netweaver | Debug | Messages from NetWeaver plug-in classes
com.centrify.dc.wbase | Debug | Messages from base authentication classes
com.centrify.dc.common | Debug | Messages from common utility classes
com.centrify.dc.common.logging | Debug | Messages from logging classes
Configure log level for categories using the Visual Administrator:
1 Open the Visual Administrator and log in as an administrator.
2 Click the Cluster tab and go to sid > Server > Services > Log Configurator.
3 Click the Categories tab and open ROOT CATEGORY > System > Security > Centrify.
4 Select the severity level and click Apply (the floppy-disk icon).
Configure log level for locations using the Visual Administrator:
1 Open the Visual Administrator and log in as an administrator.
2 Click the Cluster tab and go to sid > Server > Services > Log Configurator.
3 Click the Locations tab and open ROOT CATEGORY > com > centrify > common (or dc, or anything below it).
4 Select the severity level and click Apply (the floppy-disk icon).
Configure log level for categories using the NetWeaver Administrator:
1 In a browser window, go to http://<netweaver-host>:50000/nwa and log in as an administrator.
2 Click Configuration > Log configuration.
3 In Show, select Logging Categories and open ROOT CATEGORY > System > Security > Centrify.
4 Select the severity level and click Save Configuration.
Configure log level for locations using the NetWeaver Administrator:
1 In a browser window, go to http://<netweaver-host>:50000/nwa and log in as an administrator.
2 Click Configuration > Log configuration.
3 In Show, select Tracing Locations and open ROOT LOCATION > com > centrify > common (or dc, or anything below it).
4 Select the severity level and click Save Configuration.
For SAP 7.3/7.4/7.5:
You can configure logging in one of two ways:
• With your own configuration file
• Logging in from a browser, using NetWeaver Administrator (the preferred method because you can configure all server nodes from one place).
Note Visual Administrator is deprecated in NetWeaver 7.3/7.4/7.5.
Before configuring logging, you need to deploy and configure DirectControl for NetWeaver, and restart NetWeaver.
Configure log level for categories using the NetWeaver Administrator:
1 In a browser window, go to http://<netweaver-host>:50000/nwa and log in as an administrator.
2 Go to Troubleshooting > Logs and Traces > Log Configuration.
3 In Show, select Logging Categories and open ROOT CATEGORY > System > Security > Centrify.
4 Select the severity level and click Save Configuration.
Configure log level for locations using the NetWeaver Administrator:
1 In a browser window, go to http://<netweaver-host>:50000/nwa and log in as an administrator.
2 Go to Troubleshooting > Logs and Traces > Log Configuration.
3 In Show, select Tracing Locations and open ROOT LOCATION > com > centrify.
4 Select the severity level. Use the Copy to Subtree button to propagate the settings, if required.
5 Click Save Configuration.
Log viewing
You can view log messages from categories and locations in two ways: using a text editor, or using the NetWeaver Administrator Log Viewer (the easiest way to see the logs from a GUI).
Note Centrify log messages are always preceded by a timestamp in the format yyyy.mm.dd hh:mm:ss:sss zone, so that the time a message was logged can be read in an ordinary text editor.
Viewing logs using a text editor
To view logs using a text editor such as vi (UNIX/Linux) or Notepad (Windows), do the following:
1 Change directory to /usr/sap/SID/JCinstance_#/j2ee/cluster/servern/log (where n is the server node number)
2 Open the latest defaultTrace.nn.trc file – for example, defaultTrace.17.trc – in the text editor.
3 To see log messages for a category, search for its directory path; for example, /System/Security/Centrify.
4 To see trace messages for a location, search for the location or class name; for example, com.centrify.dc.netweaver.CentrifySpnegoLoginModule.
The following text is an example of a log file.
#1.5^H#000C29A1D5CF0078000000C90000497B0004967437B0D8BE#1291325801552#com.centrify.dc.netweaver.CentrifySpnegoLoginModule#sap.com/com.sap.security.core.admin#com.centrify.dc.netweaver.CentrifySpnegoLoginModule#Guest#0##n/a##40682e60fe5c11df8984000c29a1d5cf#SAPEngine_Application_Thread[impl:3]_7##0#0#Info#1#/System/Security/Centrify#Plain###2010.12.02 13:36:41:552 PST login: Got status : ERROR from CentrifyAuth.authenticate()#
#1.5^H#000C29A1D5CF006C0000003A0000497B0004967581F005ED#1291331342173#com.centrify.dc.netweaver.CentrifyLoginModule#sap.com/tc~wd~dispwda#com.centrify.dc.netweaver.CentrifyLoginModule#Guest#0##n/a##26e0c490fe6911df8daa000c29a1d5cf#SAPEngine_Application_Thread[impl:3]_0##0#0#Debug##Plain###2010.12.02 15:09:02:173 PST exiting method: commit#
The first line shows a message logged to both the category /System/Security/Centrify and the location com.centrify.dc.netweaver.CentrifySpnegoLoginModule at severity INFO. The message is the string 2010.12.02 13:36:41:552 PST login: Got status : ERROR from CentrifyAuth.authenticate().
The second line shows a message logged at severity DEBUG to location com.centrify.dc.netweaver.CentrifyLoginModule. The message is 2010.12.02 15:09:02:173 PST exiting method: commit.
Viewing category log messages using NetWeaver Administrator Log Viewer
To view category log messages using NetWeaver Administrator Log Viewer, do the steps in this section for the version of SAP you are using.
Viewing category log messages for SAP 7.0:
1 In a browser window, go to the NetWeaver Administrator Log Viewer at http://<sap-server>:50000/nwa and log in as an administrator.
2 Click Monitoring > Logs and Traces.
3 In Show, select Predefined View.
4 Next to Predefined View, select SAP Logs.
5 To see logs in /System/Security/Centrify, click Open Search; in Search By, select Category and equals, and type /System/Security/Centrify.
Viewing category log messages for SAP 7.3/7.4/7.5:
1 In a browser window, go to the NetWeaver Administrator Log Viewer at http://<netweaver-host>:50000/nwa and log in as an administrator.
2 Go to Troubleshooting > Logs and Traces > Log Viewer.
3 In Show, select View > Open View > SAP Logs.
4 Enter *centrify* (with the asterisks) in the Category filter.
The log displays so that you can review it.
Viewing location log messages using NetWeaver Administrator Log Viewer
To view location log messages using NetWeaver Administrator Log Viewer, do the steps in this section for the version of SAP you are using.
Viewing location log messages for SAP 7.0:
1 In a browser window, go to the NetWeaver Administrator Log Viewer at http://<sap-server>:50000/nwa and log in as an administrator.
2 Click on Monitoring > Logs and Traces.
3 In Show, select Predefined View.
4 Next to Predefined View, select Default Trace.
5 To see messages in a specific location, in Search By select Location, select equals, and type (for example) com.centrify.dc.netweaver.CentrifySpnegoLoginModule.
Viewing location log messages for SAP 7.3/7.4/7.5:
1 In a browser window, go to the NetWeaver Administrator Log Viewer at http://<netweaver-host>:50000/nwa and log in as an administrator.
2 Go to Troubleshooting > Logs and Traces > Log Viewer.
3 In Show, select View > Open View > SAP Logs.
4 Enter *centrify* (with the asterisks) in the Location filter.
The log displays so that you can review it.
Viewing developer traces for SAP 7.3/7.4/7.5
To view developer trace messages using NetWeaver Administrator Log Viewer, do the following:
1 In a browser window, go to the NetWeaver Administrator Log Viewer at http://<java-host>:java-port/nwa and log in as an administrator.
2 Go to Troubleshooting > Logs and Traces > Log Viewer.
3 In Show, select View > Open View > Developer Traces.
4 Enter *centrify* (with the asterisks) in the Location filter.
The log displays so that you can review it.
Troubleshooting
This section describes the most commonly encountered error conditions and solutions.
Command not found – UNIX
Symptom: You type a command to open Visual Administrator or Software Deployment Manager and the system returns the message, Command not found.
Cause: Different versions of NetWeaver can have different directory trees. The path to the command you typed is incorrect.
Solution: Use this table to help locate the command.
To find | type this | and then this
Visual Administrator | cd /usr/sap | find . -name go
Software Deployment Manager (SDM) GUI | cd /usr/sap | find . -name RemoteGui.sh
Command not found – Windows
Symptom: You type a command to open Visual Administrator or Software Deployment Manager and the system cannot find the application.
Cause: Different versions of NetWeaver can organize files into different folders and subfolders. The path to the command you typed is incorrect.
Solution: Use this table to help locate the command.
To find | navigate to this folder | and search for this
Visual Administrator | C:\usr\sap | go.bat
Software Deployment Manager (SDM) GUI | C:\usr\sap | RemoteGui.bat
SAP Management Console | C:\Windows | sapmmc.msc
Library not found – UNIX
Symptom: The DirectControl for NetWeaver library is not found.
Cause: All of the UNIX-like operating systems require an environment variable (LIB_PATH, SHLIB_PATH or LD_LIBRARY_PATH) in the shell startup configuration file. The environment variable is not set or not found.
Solution: Check the following:
• Make sure both the environment variable name and the path are correct for the operating environment on the machine (32-bit vs. 64-bit, Solaris vs. AIX, etc).
• Make sure the environment variable name is being set in the startup configuration file (.cshrc, .bashrc, etc.) that corresponds to the shell the SAP administrator will be using.
Library or NetWeaver AS Java not found – Windows
Symptom: The DirectControl for NetWeaver library or NetWeaver AS Java is not found.
Cause: Environment variables are not properly set.
Solution: Go to Start > My Computer > Properties, Advanced tab, and click Environment Variables. In the system variables (lower) list, check for the following:
• A variable named JAVA_HOME exists and has the value C:\j2sdk1.4.2_28-x64.
• The value for the Path variable begins with C:\Centrify\DirectControl\java\lib, followed by a semicolon separator.
Note Although C:\Program Files\centrify\directcontrol is the default directory when installing CentrifyDC_Java.msi, the space in Program Files does not work for SAP in Windows. Change from the default directory to a directory path with no spaces in it.
Deployment errors
Symptom: You click the Start Deployment button in the Software Deployment Manager, and deployment succeeds for the .sda file, but then fails for the .ear file:
=================================================
Deployment started Fri Dec 10 10:59:22 PST 2010
=================================================
Starting Deployment of CentrifyLoginModuleLibrary
Finished successfully: development component
'CentrifyLoginModuleLibrary'/'centrify.com'/'localhost'/'2010.03.02.13.49.33'/'0'
Deployment of CentrifyLoginModuleLibrary finished successfully (Duration 6223ms)
Starting Deployment of CentrifyRedirectApp
Aborted: development component...
Cause: You select both the .sda and the .ear for deployment at the same time.
Solution: Be sure to stop and restart SAP after deploying a module and before deploying any other module.
Symptom: If you click Next to advance from Step 2 to Step 3 in the Software Deployment Manager, the following error message appears.
Cause: The CentrifyLoginModuleLibrary.sda has already been installed.
Solution: Skip the deployment step – it is not needed.
Authentication errors
Authentication errors result from failures in the login module (“Load and Configure Centrify login module” on page 24).
Symptom: User authentication fails.
Causes and solutions: Check that all of the following conditions have been met:
• Make sure you installed and configured the login module stack to use the Centrify login module for the types of authentication you want to apply (page 29).
• If you are using the CentrifySpnegoLoginModule and BASIC is the authentication scheme, make sure the realm attribute (realmName) is set to the correct value in the login module stack.
Symptom: The wrong type of user authentication is applied to users.
Causes and solutions:
• Make sure the enableAuthSchemes login module option lists the correct types of user authentication, and lists them in the correct order.
User mapping errors
For a description of the user mapping algorithm, refer to Chapter 3, “Final Steps,” and in particular the table on page 39.
Symptom: You set ADMappingVariable, but instead of mapping to the value of the attribute named in ADMappingVariable, the AD user is mapped to a different username, or mapping fails.
Causes and solutions: Check the following:
• Make sure the UME user name value matches the value in the AD user entry attribute named in ADMappingVariable.
• Make sure the AD user entry attribute named in ADMappingVariable is present and set.
• Make sure the ADMappingVariable is not in its default state (that is, not set).
Symptom: The user named in sAMAccountName in Active Directory did not map to the same user name in UME.
Causes and solutions: Note the following:
• If ADMappingVariable is set, and its value matches the name of a user entry attribute in Active Directory, and the value of that attribute matches the value of a UME user name, the AD user is mapped to the matching value. This mapping takes precedence over direct mapping from Active Directory.
• It may be that no match was found between a value of sAMAccountName in Active Directory and a value for a user name in UME.
Symptom: You set the usernameConfig or namespace option, or both, in a Centrify login module or in the login module stack, but the AD user fails to map to a UME user name via the custom attribute designated by those options.
Causes and solutions: Note the following:
• If ADMappingVariable is set, its value matches the name of a user entry attribute in Active Directory, and the value of that attribute matches the value of a UME user name, that mapping takes precedence over mapping via SAP custom attribute.
• If a match is found between a value of sAMAccountName in Active Directory and a value for a user name in UME, that mapping takes precedence over mapping via SAP custom attribute.
• If no match is found between an Active Directory sAMAccountName value and a value in the custom attribute designated in a Centrify login module or in the login module stack, the AD user fails to map to a UME user name in the UME custom attribute.
Login module stack does not work as intended
Symptom: The login module stack does not have the expected effects.
Cause: Possibly the ordering of login modules, or the flags applied to each instance of a login module, is incorrect.
Note If a module cannot be found or cannot be opened, it is ignored.
Solution: Check the following table, which summarizes the effects of control flags on the stack.
Flag | Condition | Action taken
REQUISITE | The module fails. | Control immediately returns to the application with “failure” status, along with the error value from this module.
REQUISITE | The module passes. | Control moves to the next module in the stack.
REQUIRED | The module fails. | If this is the first REQUIRED module in the stack to fail, its error value is stored for later forwarding to the application. Control moves to the next module in the stack.
REQUIRED | The module passes. | Control moves to the next module in the stack. If this is the last module and all REQUIRED modules have passed, control returns to the application with “success” status. If one or more REQUIRED modules has failed, control returns to the application with “failure” status, along with the error value from the first failed REQUIRED module.
(none) | No REQUISITE or REQUIRED flag is present in the stack. | At least one SUFFICIENT or OPTIONAL module must pass for control to return to the application with “success” status. If none pass, control returns to the application with “failure” status, along with the error value from the first module that failed.
SUFFICIENT | The module passes. | “Sufficient modules have been executed.” Control returns to the application, with “success” status if all previous REQUIRED modules have passed, or with “failure” status if one or more REQUIRED modules have failed, with the error value from the first REQUIRED module that failed.
SUFFICIENT | The module fails. | Control moves to the next module in the stack.
OPTIONAL | The module passes or fails. | Control moves to the next module in the stack.
(any) | The last module has been processed. | If and when the last module in the stack has been processed, if at least one REQUISITE or REQUIRED module was present and all have passed, control returns to the application with “success” status; and SUFFICIENT and OPTIONAL error values are ignored. If one or more REQUIRED modules have failed, control returns to the application with “failure” status, along with the error value from the first failed REQUIRED module.
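To make the control-flag rules concrete, here is an added Python model (not SAP's or Centrify's code) that evaluates a login module stack according to the table above and reports the status, the error value handed back to the application, and which modules actually ran. The module names, including the fallback password module, are hypothetical stand-ins, and a module that could not be loaded is skipped as the note above describes.

```python
# Added model of how JAAS control flags decide the outcome of a login module
# stack, following the flag table in this guide. Not SAP's or Centrify's code.
from dataclasses import dataclass

REQUISITE, REQUIRED, SUFFICIENT, OPTIONAL = "REQUISITE", "REQUIRED", "SUFFICIENT", "OPTIONAL"


@dataclass
class ModuleResult:
    """One stack entry together with the simulated result of its login() call."""
    name: str
    flag: str
    passes: bool
    error: str = ""
    loaded: bool = True   # a module that cannot be found or opened is ignored


def evaluate_stack(stack):
    """Return (status, error_value, names_of_modules_that_ran)."""
    active = [m for m in stack if m.loaded]
    has_required = any(m.flag in (REQUISITE, REQUIRED) for m in active)
    first_required_error = None   # from the first REQUIRED module to fail
    first_error = None            # from the first module of any flag to fail
    optional_passed = False
    ran = []

    for module in active:
        ran.append(module.name)
        if not module.passes and first_error is None:
            first_error = module.error

        if module.flag == REQUISITE:
            if not module.passes:
                # Immediate failure: nothing further in the stack runs.
                return "failure", module.error, ran
        elif module.flag == REQUIRED:
            if not module.passes and first_required_error is None:
                first_required_error = module.error
        elif module.flag == SUFFICIENT:
            if module.passes:
                # "Sufficient modules have been executed": stop here, but a
                # REQUIRED failure seen earlier still wins.
                if first_required_error is None:
                    return "success", None, ran
                return "failure", first_required_error, ran
        elif module.flag == OPTIONAL:
            optional_passed = optional_passed or module.passes
        else:
            raise ValueError(f"unknown control flag {module.flag!r}")

    # The last module has been processed.
    if has_required:
        if first_required_error is None:
            return "success", None, ran   # SUFFICIENT/OPTIONAL errors ignored
        return "failure", first_required_error, ran
    if optional_passed:
        return "success", None, ran
    return "failure", first_error, ran


# Constructed sample stack: the Centrify SPNEGO module marked SUFFICIENT in
# front of a hypothetical password module marked REQUIRED.
SPNEGO_OK = ModuleResult("CentrifySpnegoLoginModule", SUFFICIENT, True)
SPNEGO_FAIL = ModuleResult("CentrifySpnegoLoginModule", SUFFICIENT, False, "no ticket")
PASSWORD_OK = ModuleResult("PasswordFallbackModule", REQUIRED, True)
PASSWORD_FAIL = ModuleResult("PasswordFallbackModule", REQUIRED, False, "bad password")

if __name__ == "__main__":
    for stack in ([SPNEGO_OK, PASSWORD_OK], [SPNEGO_FAIL, PASSWORD_OK],
                  [SPNEGO_FAIL, PASSWORD_FAIL], [PASSWORD_FAIL, SPNEGO_OK]):
        print([f"{m.name}:{m.flag}" for m in stack], "->", evaluate_stack(stack))
```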
Appendix A
Mixed Authentication
DirectControl for NetWeaver supports mixed authentication, in which some users are authenticated by Active Directory and some by NetWeaver UME. One such scenario is a phased roll-out of DirectControl for NetWeaver. For example, in the first phase only engineering would be authenticated by Active Directory while everyone else still authenticates using the previous method; in the second phase, engineering and support would be authenticated by AD while others remain on the previous method; and in the last phase, everyone would be converted to Active Directory authentication.
This appendix explains how to install the CentrifyRedirectApp.ear application to support mixed authentication.
Note If mixed authentication is not used, after the Centrify login module has been added users who are not migrated to Active Directory get an “Authentication Failed” error message when they try to login to the NetWeaver portal.
How redirection works
When it is deployed, CentrifyRedirectApp.ear enforces the following behavior:
- It authenticates users based on the value of the enableAuthSchemes option (the default is Kerberos, NTLM or BASIC; see page 28 for the other options).
- If authentication succeeds and the AD user is mapped to a user in the UME, the user is redirected to the NetWeaver portal page set in the redirectUrl option.
- If authentication succeeds but the AD user is not mapped to a user in the UME, the user is redirected to the NetWeaver portal login page set in the unauthorizedUrl option.
- If authentication fails, the user is redirected to the page set in the unauthorizedUrl option.
  Note If authentication fails because the Kerberos ticket is invalid or the password is incorrect, the user can retry authentication to Active Directory with her Active Directory username and password twice more before being redirected to unauthorizedUrl. (You can change the number of retries with the numReprompts option.)
- If an internal error occurs, the user is redirected to the page set in the errorUrl option.
The following figure shows the behavior of CentrifyRedirectApp when these options are set.
Set up mixed authentication
You deploy CentrifyRedirectApp.ear after you have installed and deployed DirectControl for NetWeaver, configured the NetWeaver classloader to load the Centrify login module library, and added and configured the CentrifySpnegoLoginModule module, as described in Chapter 2, “Installation and Configuration.”
Load
In the following steps you load CentrifyRedirectApp.ear into the SAP Software Deployment Manager and configure the module to enforce a systematic authentication process using Active Directory and/or UME.
Note You use the same procedure to load CentrifyRedirectApp.ear as you did to load CentrifyLoginModuleLibrary.sda.
1 Log in as sidadm and run the Software Deployment Manager (SDM):
  UNIX: /usr/sap/SID/instance/SDM/program/RemoteGui.sh
  Windows: C:\usr\sap\SID\instance\SDM\program\RemoteGui.bat
The Software Deployment Manager - GUI window appears.
2 Click SDM Gui > Login. Enter the password for the NetWeaver SDM server.
Note This password might be different from the SAP administrator password.
3 Click the Deployment tab and then the clipboard-plus-sign icon.
4 Navigate to the directory in which you stored CentrifyRedirectApp.ear, select it and click the Choose button. Wait for the choosing process to complete.
5 Click Next at the bottom to advance to the wizard's Step 2. Because no changes are required in this step, click Next again, and then click the Start Deployment button at the bottom of the window.
The Overall Deployment Progress bar in the lower right of the window shows 100% and a “Finished successfully” message appears when you can proceed to the next steps. If deployment does not succeed, refer to the Troubleshooting section (page 52).
Note You can check that deployment was successful by selecting the Undeployment tab and verifying that CentrifyRedirectApp is in the Vendor/Name list (see the Note on page 20 for an example).
6 Restart the SAP server so the changes take effect, and wait for all applications to start:
  stopsap [Linux: stopsap j2ee]
  startsap [Linux: startsap j2ee]
Configure login module options
1 Log in as sidadm and run the Visual Administrator:
  UNIX: /usr/sap/SID/instance/j2ee/admin/go
  Windows: C:\usr\sap\SID\instance\j2ee\admin\go.bat
2 In the tree view on the left, navigate to Server server_name > Services > Security Provider.
3 Click the Policy Configurations tab and then the Authentication tab.
4 Click the pencil icon (the Switch to Edit Mode button) above the tabs.
Note If the icon above the Runtime tab is a pair of glasses, you are already in edit mode.
5 In the components list on the left, select the ticket template.
6 Select the CentrifySpnegoLoginModule and click the Modify button. The table Authentication scheme options and behavior (page 28) describes all of the options. Three of them are specific to mixed authentication and specify the redirect URL for each authentication outcome; they are listed in the table CentrifySpnegoLoginModule options below.
7 Click the glasses icon above the Runtime tab to switch to read-only mode.
Note If the icon above the Runtime tab is a pencil, you are already in read-only mode.
8 Restart the SAP server so the changes take effect, and wait for all applications to start:
  stopsap [Linux: stopsap j2ee]
  startsap [Linux: startsap j2ee]
This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.

CentrifySpnegoLoginModule options
Login Module Option [Default Value]: Description
errorUrl [no default value]: Redirects the user to this URL when an internal error occurs during authentication. Set to the NetWeaver portal login page URL.
unauthorizedUrl [no default value]: Redirects the user to this URL if all authentication attempts failed, or if the user was authenticated by Active Directory but is not mapped to a UME user. Set to the NetWeaver portal login page URL.
redirectUrl [no default value]: Redirects the user to this URL when authentication succeeds and the Active Directory user is mapped to a UME user. Set to the NetWeaver portal page URL.

User procedures
After SAP restarts, the system is set up to accommodate AD users who are already mapped to UME users, and those who are not mapped:
- Users to be authenticated by UME (not using Active Directory) should use the standard portal URL to access the NetWeaver portal.
- Users to be authenticated by AD should use the URL of the Centrify redirect application to access NetWeaver: http://sap_server_system:50000/centrifydc-redirect.
Note External users accessing the portal from Internet Explorer may see an NTLM pop-up if the URL is not added to Internet Explorer's local intranet security zone, among other reasons. For details, refer to “Set up Internet Explorer” on page 41.
Appendix B
Clustered Environments
This appendix explains how to install the DirectControl for NetWeaver package in a clustered environment.
The following topics are covered:
- Centrify software requirements
- Configure a clustered environment with a reverse proxy
- Configure a clustered environment with a load balancer
Centrify software requirements
When you set up NetWeaver servers in a cluster, each server (and, if you are using a reverse proxy, the reverse proxy computer as well) must have the following Centrify software installed:
- All UNIX-based systems: the DirectControl agent (adclient). Run adinfo on each server to confirm that the agent is installed. (Windows-based servers do not require adclient.)
- All UNIX- and Windows-based systems: the DirectControl for NetWeaver software.
Note A load balancer is an exception to this rule. If you are using a load balancer, do not install the DirectControl agent or the DirectControl for NetWeaver software on the load balancer.
In addition, the Kerberos keytabs on each server must be identical: a client's service ticket is encrypted with the key of the principal it was issued for, and whichever server receives the request must hold that key to decrypt it. The following instructions tell you how to copy the keytab across systems.
The next two sections provide sample, step-by-step instructions you can customize for your environment to set up Active Directory authentication in a clustered environment with a reverse proxy and then with a load balancer.
Configure a clustered environment with a reverse proxy
This section assumes that you are installing the DirectControl for NetWeaver package in a cluster that has a reverse proxy with multiple servers on the back end.
In the following example, the reverse proxy is running on a machine named A, internal back-end NetWeaver servers are running on machines named B and C, and the domain is domain.com. The figure summarizes the steps and where they are carried out.
1 Confirm that you have the DirectControl agent (adclient) and the DirectControl for NetWeaver package installed as required.
2 If the servers are already joined to the domain (run adinfo to find out), run adleave on each UNIX machine to leave it.
3 On machine A, run the following command to join machine A to the domain with aliases for B and C:
  adjoin -a B -a B.domain.com -a C -a C.domain.com domain.com
Add another -a (--alias) option for each additional application server. (See the Centrify Suite Administrator’s Guide for the description of the adjoin command.)
4 If A has more than one hostname, use the following command to add a service principal for each additional hostname:
  adkeytab -a -P http/other_host_name
5 On machine A, run the following commands to replicate the keytabs from machine A onto machines B and C:
  cd /
  tar cvfz cluster.tgz /etc/krb5.keytab /var/centrifydc/kset.*
  scp cluster.tgz B:/
  scp cluster.tgz C:/
If you have additional servers, run scp to copy cluster.tgz to each one. The archive contains the machine's long-term Kerberos keys: make it readable by root only (chmod 600 cluster.tgz) before copying it, and delete it on every machine once it has been extracted.
Figure: reverse proxy cluster. Reverse proxy (A): (1) confirm Centrify software installation; (2) adleave (if joined); (3) adjoin -a B -a B.domain.com -a C -a C.domain.com domain.com; (4) adkeytab -a -P http/other_host_name; (5) cd /; tar cvfz cluster.tgz /etc/krb5.keytab /var/centrifydc/kset.*; scp cluster.tgz B:/; scp cluster.tgz C:/. Application servers (B) and (C): (1) confirm Centrify software installation; (2) adleave (if joined); (6) untar keytabs received from A; start adclient with centrifydc start. A remote (internet) client connects to A; the Domain Controller for domain.com provides Active Directory.
6 On machines B and C (and each additional server), run the following commands to install the keytabs from machine A and to start adclient:
  cd /
  tar xvfz cluster.tgz
  /usr/share/centrifydc/bin/centrifydc start
Note Machine A's computer account password is changed transparently by a protocol initiated by Active Directory: Active Directory prompts the DirectControl agent for a new account password on an interval defined in the DirectControl adclient.krb5.password.change.interval configuration parameter (see the Configuration Parameters Reference Guide for the description), and the agent then automatically generates a new password for the computer account and issues the new password to Active Directory. The default interval is 28 days. Every change replaces the keys in A's keytab, so the copies on B and C no longer match: run Step 5 and Step 6 after every change.
Configure a clustered environment with a load balancer
This section describes how to configure a clustered environment with a load balancer. To provide authentication across all of the servers, you need to create a service account for the load balancer on the domain controller, create a new keytab based on that account, and then merge that keytab on each application server.
Note To create new service accounts, you need permission to the container in which you are creating or deleting the account. See Understanding object permissions for using adkeytab in the Using adkeytab description in the Centrify Suite Administrator’s Guide for the description of the permissions required.
In this demonstration:
- the DirectControl agent and DirectControl for NetWeaver software are already installed on servers B and C (do not install either software package on the load balancer)
- the load balancer hostname is LB
- the servers behind the load balancer are named B and C
- the domain is ace.com.
The following figure summarizes the steps for a two-server configuration. For each additional machine, perform Step 8 once more on B, and Step 9 through Step 16 on each additional machine.
This procedure requires users who have the following permissions:
- Create a user account in Active Directory on the domain controller
- Add a new service principal name to the user account on the domain controller
- Change the service account password from the UNIX computer.
1 Confirm that you have the DirectControl agent (adclient) and the DirectControl for NetWeaver package installed as required.
Unless they are already joined to the domain, run adjoin on machines B and C (and all other application servers) to join them.
2 Create a new Active Directory account called centrifyprod. Verify that its user principal name (UPN) is centrifyprod@ace.com.
Note To have setspn available to run in Step 3 and Step 4, you need to install the Windows Support Tools.
3 From a Windows system with Windows Support Tools installed, run the setspn command to add a new service principal name (SPN) to the user account:
  setspn -a HTTP/LB.ace.com centrifyprod
An SPN must be unique in the forest; if HTTP/LB.ace.com is already registered on another account, Kerberos authentication to LB fails. On Windows Server 2008 and later, setspn -s instead of -a refuses to add a duplicate.
4 Confirm that the SPN was created correctly:
  setspn -l centrifyprod
You should see the SPN HTTP/LB.ace.com.
Perform Step 5 through Step 8 on machine B only.
5 Use the following adkeytab command with the --adopt option to create the keytab for the new centrifyprod account and have DirectControl take over the management of the keytab:
  adkeytab --adopt --principal HTTP/LB.ace.com \
    --encryption-type arcfour-hmac-md5 \
    --encryption-type des-cbc-md5 \
    --encryption-type des-cbc-crc \
    --keytab /etc/krb5/centrifyprod.keytab centrifyprod
Note The encryption types above are sample values. Single DES (des-cbc-md5, des-cbc-crc) is disabled by default on Windows Server 2008 R2 and later domain controllers, and RC4 (arcfour-hmac-md5) is considered weak. Where the domain and the account allow it (AES must be enabled in the account's msDS-SupportedEncryptionTypes attribute), request aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 instead, and use the same list on every server in the cluster.
Notes To run this adkeytab command the user must have write permission to change the password for the service account and read/write permission to the userAccountControl attribute on the Active Directory domain controller. (See Understanding object permissions for using adkeytab in the Using adkeytab description in the Centrify Suite Administrator’s Guide for the description of the permissions required.) Often, this is NOT the case for the UNIX administrator running adkeytab.
Use the following adkeytab option to work around this problem. It does require, however, that the UNIX admin knows the password and exposes it on the command line, where it is visible in the process list and the shell history. (The alternative would be to give the Active Directory admin root privileges on the UNIX computer, or the UNIX admin password reset privileges on the domain controller.)
- The Active Directory administrator creates the new AD account and adds the SPN to the account as above, but then provides the password to the UNIX admin.
- The UNIX admin uses the following adkeytab command instead of the command in Step 5. In this example the new user created by the AD admin is again centrifyprod@ace.com and the password is ABC123xyz:
  adkeytab --adopt --user centrifyprod@ace.com \
    --local --newpassword ABC123xyz \
    --encryption-type arcfour-hmac-md5 \
    --encryption-type des-cbc-md5 \
    --encryption-type des-cbc-crc \
    --keytab /etc/krb5/centrifyprod.keytab centrifyprod@ace.com
The --user option specifies the new account created by the AD admin; --local updates the keytab file on the computer (in this case, machine B) without changing the password in AD; and --newpassword specifies the new password (required by the --local option). (This example uses the same sample encryption types as above.) See the adkeytab description in the Centrify Suite Administrator’s Guide for the full explanation of each option.

Figure: load balancer cluster. Client machines connect to the load balancer (LB), which fronts application servers B and C. Application server (B): (1) adjoin; (5) adkeytab (create keytab on new service account); (6) klist -kt (verify that keytab was created correctly); (7) kinit -kt (verify that keytab works); (8) copy keytab to machine C (and others in cluster); (9-16) merge keytabs; check for connected state with adinfo and adclient. Application server (C): (1) adjoin; (9-16) merge keytabs; check for connected state with adinfo and adclient. Domain Controller ace.com (Active Directory): (2) create account centrifyprod, UPN centrifyprod@ace.com, SPN HTTP/LB.ace.com. Windows Support Tools: (3, 4) setspn command.
6 Verify that the keytab was created correctly:
  /usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5/centrifyprod.keytab
You should see the SPN HTTP/LB.ace.com@ACE.COM listed once for each encryption type you requested.
7 Verify that the keytab works:
  /usr/share/centrifydc/kerberos/bin/kinit -kt /etc/krb5/centrifyprod.keytab centrifyprod
You should see no output if everything worked correctly.
8 Copy the keytab /etc/krb5/centrifyprod.keytab to machine C (for example with scp). It holds the long-term keys for the HTTP/LB.ace.com service, so keep it readable by root only (mode 600) on both machines.
Perform Step 9 through Step 16 on both machine B and machine C.
9 Disable DirectControl to prepare for merging keytabs:
  svcadm disable centrifydc
(svcadm is the Solaris service manager used in this example, and /etc/krb5/krb5.keytab is the Solaris location of the system keytab. On Linux, stop the agent with /usr/share/centrifydc/bin/centrifydc stop and use /etc/krb5.keytab, as in the reverse proxy example.)
10 Back up the existing keytab:
  cp /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab.todaysdate
11 Merge the keytabs:
  /usr/bin/ktutil
  ktutil: rkt /etc/krb5/krb5.keytab
  ktutil: rkt /etc/krb5/centrifyprod.keytab
  ktutil: wkt /etc/krb5/krb5.keytab.new
  ktutil: q
12 Verify that the new keytab was created correctly:
  /usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5/krb5.keytab.new
Both the machine's own principals and HTTP/LB.ace.com@ACE.COM should be listed.
13 Copy the new keytab to the default location with the appropriate name:
  cp /etc/krb5/krb5.keytab.new /etc/krb5/krb5.keytab
14 Verify that the new keytab works:
  /usr/share/centrifydc/kerberos/bin/kinit -kt /etc/krb5/krb5.keytab centrifyprod
You should see no output if everything worked correctly.
15 Enable DirectControl:svcadm enable centrifydc
16 Run adinfo and check that adclient goes into a connected state. If adclient reports that it is disconnected, something has gone wrong in the setup.
Note If the password for the centrifyprod Active Directory account is changed, the copies of the keytab on the other servers no longer match the key in Active Directory: run Step 5 through Step 16 after every change. This password is changed transparently by a protocol initiated by Active Directory; that is, Active Directory prompts for a new account password on an interval defined in the DirectControl adclient.krb5.password.change.interval configuration parameter (see the Configuration Parameters Reference Guide for the description). The DirectControl agent then automatically generates a new password for the account and issues the new password to Active Directory. The default interval is 28 days.
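The requirement that every node carries the same keys (Centrify software requirements, above) and the merge-and-verify sequence in Steps 11 through 14 both come down to the contents of keytab files. The following Python is an added example, not part of this guide and not one of Centrify's tools: a reader and writer for the MIT keytab file format (version 0x0502, the format adkeytab, ktutil and klist -kt operate on), a merge that does what the ktutil rkt/rkt/wkt sequence does, a check that reports whether the load-balancer SPN is present and which entries use weak encryption types, and a comparison that tells whether two nodes hold the same key material. All keytabs and keys in it are constructed sample data; the principal and realm names follow this appendix's ace.com example.

```python
"""Added example: read, write, merge and check MIT-format keytabs (version 0x0502,
the format adkeytab, ktutil and klist -kt use). All keys below are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
WEAK_ENCTYPES = {1, 3, 23}  # single DES and RC4

@dataclass(frozen=True)
class Entry:
    principal: str  # e.g. "HTTP/LB.ace.com@ACE.COM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0

def _cstr(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b

def _read_cstr(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def write_keytab(entries: Iterable[Entry]) -> bytes:
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for c in comps:
            body += _cstr(c.encode())
        # name_type NT-PRINCIPAL (1), timestamp, 8-bit kvno, keyblock, 32-bit kvno
        body += struct.pack(">IIB", 1, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _cstr(e.key) + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data: bytes) -> List[Entry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:        # a deleted slot of length -size: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        (etype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_cstr(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:  # newer writers append a 32-bit kvno after the key
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append(Entry("/".join(comps) + "@" + realm.decode(), kvno, etype, bytes(key), ts))
    return entries

def merge_keytabs(*blobs: bytes) -> bytes:
    """The ktutil rkt/rkt/wkt sequence of Step 11 as a function: union of all
    entries, deduplicated on (principal, kvno, enctype); later inputs win."""
    merged: Dict[tuple, Entry] = {}
    for blob in blobs:
        for e in parse_keytab(blob):
            merged[(e.principal, e.kvno, e.enctype)] = e
    return write_keytab(merged.values())

def check_keytab(blob: bytes, required_principal: str) -> dict:
    """What Step 12 has you read off klist -kt, as data: is the SPN present (exact
    match; principal names are case-sensitive) and which entries use weak enctypes."""
    entries = parse_keytab(blob)
    return {
        "has_principal": any(e.principal == required_principal for e in entries),
        "principals": sorted({e.principal for e in entries}),
        "weak": sorted({ENCTYPES.get(e.enctype, str(e.enctype))
                        for e in entries if e.enctype in WEAK_ENCTYPES}),
    }

def same_keys(blob_a: bytes, blob_b: bytes, principal: Optional[str] = None) -> bool:
    """True when two keytabs hold identical key material (timestamps ignored),
    optionally for one principal only: the 'keytabs must be the same' requirement."""
    def material(blob):
        return {(e.principal, e.kvno, e.enctype, e.key) for e in parse_keytab(blob)
                if principal is None or e.principal == principal}
    return material(blob_a) == material(blob_b)

# Constructed sample keytabs; the key bytes are placeholders, not real keys.
MACHINE_B = write_keytab([Entry("host/B.ace.com@ACE.COM", 2, 18, bytes(range(32)))])
MACHINE_C = write_keytab([Entry("host/C.ace.com@ACE.COM", 5, 18, bytes(range(32, 64)))])
CENTRIFYPROD = write_keytab([  # the three enctypes Step 5 requests
    Entry("HTTP/LB.ace.com@ACE.COM", 1, 23, b"\x11" * 16),
    Entry("HTTP/LB.ace.com@ACE.COM", 1, 3, b"\x22" * 8),
    Entry("HTTP/LB.ace.com@ACE.COM", 1, 1, b"\x33" * 8),
])

if __name__ == "__main__":
    merged_b = merge_keytabs(MACHINE_B, CENTRIFYPROD)
    merged_c = merge_keytabs(MACHINE_C, CENTRIFYPROD)
    print(check_keytab(merged_b, "HTTP/LB.ace.com@ACE.COM"))
    print("B and C agree on the LB key:", same_keys(merged_b, merged_c, "HTTP/LB.ace.com@ACE.COM"))
```

Point parse_keytab at the real files (open(path, "rb").read()) to get the same answers for the keytabs on B and C: in the load balancer setup the two system keytabs differ in their host keys but must agree on HTTP/LB.ace.com, while in the reverse proxy setup same_keys without a principal filter must be true for every node.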
Index

Symbols
.cshrc file 16, 17

A
Active Directory attributes
  SAP 7.0 34
  SAP 7.3/7.4/7.5 34
adjoin 62
adkeytab 62
adleave 62
ADMappingVariable 28, 33, 39, 55
AIX environment 17
authentication 10
authentication errors 54
authentication flow 11
Authentication template, Visual Administrator
  SAP 7.0 31
authorization 10

B
base authentication classes
  SAP 7.0 45
bashrc 53
BASIC 9, 11, 54, 57
  SAP 7.0 31
BASIC (authorization scheme setting) 28
BASIC authentication 28
BasicPasswordLoginModule
  SAP 7.0 30
  SAP 7.3/7.4/7.5 32

C
categories 44
category log messages 48, 49
CdcUserName 28, 35, 36, 37, 39
Centrify login module 33
Centrify login module usage 35
Centrify ticket login module
  SAP 7.0 30
centrify.dc.realm 28
CentrifyDC_Java.msi 53
centrifydc-netweaver-release.tgz
  SAP 7.0 19
  SAP 7.3/7.4/7.5 21
CentrifyLoginModule 49
CentrifyLoginModuleLibrary 54
  SAP 7.0 22
CentrifyLoginModuleLibrary.sda 21, 59
  SAP 7.0 19, 20
  SAP 7.3/7.4/7.5 21
CentrifyRedirect
App.ear 57
  SAP 7.0 19
  SAP 7.3/7.4/7.5 21
CentrifySpnegoLoginModule 30, 48, 49
  load and configure 24, 26
  SAP 7.0 24, 30, 31, 51
  SAP 7.3/7.4/7.5 26, 32
Class Name
  SAP 7.0 25
  SAP 7.3/7.4/7.5 27
classloader
  SAP 7.0 22
  SAP 7.3/7.4/7.5 23
Cluster tab
  SAP 7.0 45
Cluster-data 40
com.centrify.dc.netweaver
  SAP 7.0 30
  SAP 7.3/7.4/7.5 32
com.sap.security.core.server.jaas
  SAP 7.0 30
  SAP 7.3/7.4/7.5 32
com.sap.security.core.usermanagement 35
Command not found 52
common utility classes
  SAP 7.0 45
configtool.bat 40
configure Java path 17
configure library path 17
configure log level 47
  SAP 7.0 45, 46
  SAP 7.3/7.4/7.5 47, 48
configure logging
  SAP 7.0 44
  SAP 7.3/7.4/7.5 47
conventions, documentation 7
core.ume.service 40
CreateTicketLoginModule
  SAP 7.0 30
  SAP 7.3/7.4/7.5 32
cshrc 53
custom attribute 35, 55
Customized Information section 36, 37

D
debug log messages 44
debug logs
  SAP 7.0 45
default NetWeaver login page
  SAP 7.0 31
default security policy 40
Default Trace
  SAP 7.0 50
default zone 16
defaultTrace.nn.trc file 48
Deployment tab 59
  SAP 7.0 20
Description
  SAP 7.3/7.4/7.5 27
direct mapping from Active Directory
  SAP 7.0 34
  SAP 7.3/7.4/7.5 34
DirectControl Agent 6, 9, 10, 11, 13
DirectControl Management Tools 6
DirectControl version 16
DirectControl zone 16
directory services 10
directory trees 52
Display Name
  SAP 7.0 25
  SAP 7.3/7.4/7.5 27
documentation
  conventions 7

E
ear file 53
enableAuthSchemes 28, 54, 57
  SAP 7.0 26, 27, 30, 31
environment variable 52
Environment Variables 53
errorUrl 28, 57, 60
EvaluateTicketLoginModule
  SAP 7.0 30
  SAP 7.3/7.4/7.5 32
example of a log file 48

F
Firefox
  configuring silent authentication 42
fixed-width font 7
floppy-disk icon
  SAP 7.0 46
force_password_change_on_sso 40
FORM 9, 11

G
go.bat 52

H
help.sap.com URL 8
HLIB_PATH 17
HP-UX IA64 environment 17
HP-UX PA-RISC environment 17
HTTP BASIC
  SAP 7.0 31
HTTP BASIC authentication 28

I
Identity Management 36, 37, 38
  SAP 7.0 34
  SAP 7.3/7.4/7.5 34
info level logs
  SAP 7.0 45
instanceNumber 14
Internet Explorer
  local intranet zone 41
  security zones 41
Internet Explorer security zones 41
irj 43

J
J2EE 6
JAVA_HOME 53

K
KDC 10, 11
Kerberos 9, 11, 57
  Internet Explorer security zones 41
  SAP 7.0 31
Kerberos Key Distribution Center 10
Kerberos Security Service Provider 11
Kerberos ticket 10
Key Distribution Center 10

L
LD_LIBRARY_PATH 16, 52
LIB_PATH 52
LIBPATH 17
library
  centrify.com
    SAP 7.0 22
library not found 52
Linux
  naming convention 7
Linux 32-bit environment 16
Linux 64-bit environment 16
location log messages 48, 50
locations 44
Log configuration 48
  SAP 7.0 46, 47
  SAP 7.3/7.4/7.5 47
Log Configurator
  SAP 7.0 45
log file categories 44
log files 44
log messages 48
Log Viewer 48, 49, 50
log viewing 48
Logging Categories
  SAP 7.0 46
  SAP 7.3/7.4/7.5 47
logging classes
  SAP 7.0 45
Login Mod 28
login module
  SAP 7.0 19
  SAP 7.3/7.4/7.5 21, 32
login module options 28, 60
login module stack 55
LoginModuleClassLoaders
  SAP 7.0 22
  SAP 7.3/7.4/7.5 23
logout URL 40
Logs and Traces
  SAP 7.0 49, 50
  SAP 7.3/7.4/7.5 50, 51

M
Macintosh OS X operating system 7
Manage Security Stores
  SAP 7.0 24
map AD users to SAP users 28
mapping by AD attribute 33
Monitoring
  SAP 7.0 49

N
namespace 28, 35, 36, 37, 39, 55
Negotiate (authorization scheme setting) 28
Negotiate authentication 28
NetWeaver AS Java not found 53
NetWeaver AS Java Security Guide 8
NetWeaver classloader
  SAP 7.0 22
  SAP 7.3/7.4/7.5 23
NetWeaver J2EE applications 6
NetWeaver login page
  SAP 7.0 31
NetWeaver plug-in classes
  SAP 7.0 45
NetWeaver UME
  SAP 7.0 31
Notepad 48
NTLM 9, 11
NTLM (authorization scheme setting) 28
NTLM authentication
  Internet Explorer security zones 41
numReprompts 28
nwa 36, 37
  SAP 7.0 34
  SAP 7.3/7.4/7.5 34

O
Open View
  SAP 7.3/7.4/7.5 50
operation log messages 44
OPTIONAL flag 56

P
password changes for SSO 40
Path variable 53
policy management 10
Portal 9
Predefined View
  SAP 7.0 49, 50
Program Files 53
Properties tab
  SAP 7.0 22

R
realmName 28
redirectUrl 28, 57, 60
release notes 16
release variable 7
RemoteGui.bat 52
REQUIRED flag 56
REQUISITE flag 56
RFC 1945 28
RFC 2617 28
root
  SAP 7.0 17
ROOT CATEGORY
  SAP 7.0 45, 46
  SAP 7.3/7.4/7.5 47
ROOT LOCATION
  SAP 7.0 47
  SAP 7.3/7.4/7.5 48
Runtime tab
  SAP 7.0 24

S
sAMAccountName 55
SAP documentation 8
SAP Logs
  SAP 7.0 49
SAP Management Console 52
SAP Portal 40
SAP ticket login module 30
SAP UME 40
SAP user profile custom attribute 28
SAP username 28
sap.com/irj*irj
  SAP 7.0 31
SAP-certified login modules 9
sapmmc.msc 52
scp 62
sda file 53
SDM 52
  SAP 7.0 19
Security Provider
  SAP 7.0 24
Security Service Provider 11
semicolon separator 53
server cluster 13
severity debug 49
severity info 49
severity level
  SAP 7.0 45, 46
  SAP 7.3/7.4/7.5 48
shell startup configuration file 16
SHLIB_PATH 52
sid 14
sidadm 15, 17, 35, 40, 58
  SAP 7.0 19
Single Sign-On
  configuring security zones 41
Software Deployment Manager 52, 58
  SAP 7.0 19
Solaris 32-bit environment 16
Solaris 64-bit environment 17
space in "Program Files" path 53
sparcv9 17
SPNEGO 11
SSO 6, 40
SSP 11
Start Deployment button 59
  SAP 7.0 20
startsap 21, 32, 35, 36, 37, 40, 41, 59, 60
startsap j2ee (Linux) 35, 36, 37, 40, 41, 59, 60
  SAP 7.0 21, 32
startup configuration file 52
stopsap 21, 32, 35, 36, 37, 40, 41, 59, 60
stopsap j2ee (Linux) 35, 36, 37, 40, 41, 59, 60
  SAP 7.0 21, 32
su - command 17
SUFFICIENT flag 56
System/Security/Centrify 44, 48, 49
  SAP 7.0 50

T
tar command 62
tar file, untarring
  SAP 7.0 19
  SAP 7.3/7.4/7.5 21
tgz file, unzipping
  SAP 7.0 19
  SAP 7.3/7.4/7.5 21
ticket
  SAP 7.0 31
timestamp 48
trace file locations 44
trace files 44
trace messages 48
Trace Viewer
  SAP 7.3/7.4/7.5 51
Tracing Locations 47
  SAP 7.3/7.4/7.5 48
Troubleshooting 52
  SAP 7.3/7.4/7.5 50, 51

U
UME 10, 11, 12, 28, 33, 35, 40, 57
  SAP 7.0 31, 34
UME custom attribute 35
UME default security policy 40
UME user name 55
ume.configuration.active
  SAP 7.0 30
  SAP 7.3/7.4/7.5 32
ume.logoff.redirect.url 40
ume.logon key 40
unauthorizedUrl 28, 57, 60
UNIX
  naming convention 7
UNIX servers 9
UPN 35, 36, 37, 39
User Management subtab
  SAP 7.0 24, 25
user profile custom attribute 28
user's UPN 36, 37
userNameConfig 36, 37
usernameConfig 28, 35, 36, 37, 39, 55
userPrincipalName 39
users
  silent authentication 41
usr/sap 52
usrsap 52

V
vi editor 48
Visual Administrator
  SAP 7.0 22, 44, 45

W
wbase
  SAP 7.0 45
web applications
  local intranet zone 41
  silent authentication 41

Z
zone 16