Security Guide
Workforce Performance Builder
Document Version: 1.0 2013-10-11
CUSTOMER
SAP Workforce Performance Builder 9.2 Manager
2013 SAP AG. All rights reserved.
Typographic Conventions

Type Style: Description

Example: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also textual cross-references to other documents.

Example: Emphasized words or expressions.

EXAMPLE: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE: Keys on the keyboard, for example, F2 or ENTER.
Table of Contents

1 Security settings
1.1 Individualising the initial login
1.2 Origin restrictions for administrative roles
1.3 Separating content and administrative tasks
1.4 Password restrictions
1.4.1 Applying restrictions to Excel import
1.5 Communication encryption via SSL certificate
1.5.1 Creating a Tomcat keystore
1.5.2 Creating an internal certificate
1.5.3 Installing an external certificate
1.5.4 Adjusting the configuration file
1.5.5 Displaying certificates
1.6 SSL secured LDAP connection
1.7 Single sign-on using Kerberos
1.7.1 Configuration
1.7.2 Settings for Mozilla Firefox
1.7.3 Settings for Internet Explorer
1.7.4 Adjusting the HTTP header size
1.7.5 Troubleshooting
1 Security settings
The Manager gives you various options for tailoring work with the web application and the communication between client and server to your individual security requirements.
Some security functions are already implemented by default and prevent unauthorized access to or manipulation of your content. These include, for example, a check that detects malicious code embedded in content, and workarea-specific read and write permissions.
The following sub-chapters describe various options that you can use individually or in combination to achieve the data security appropriate to your needs.
1.1 Individualising the initial login
The Manager ships with separate credentials for the installation assistant and the server import. You can change these credentials after installation.
Note
To change the credentials you need access to the Manager's webapps folder on the Tomcat server, and either local administrator privileges on the server machine or permissions that allow you to modify files in the access-protected storage of the web application.
To change the initial credentials, follow these steps:
1. Go to the webapps folder of your Manager.
2. Go to the folder WEB-INF -> classes and open the file config.properties with the text editor of your choice.
3. Search for the following entries and change them as you prefer:
1. init.adminPassword=xxx
2. init.adminUser=admin
Because the password is stored in clear text in this file, choose a strong value and restrict read access to the file to administrators and the Tomcat service account.
4. Save and close the file.
5. Open the Tomcat Manager in your browser (/manager) and reload the Manager web application, or restart the Tomcat server itself.
You can now use the changed initial credentials to access the specially protected areas of the Manager.
1.2 Origin restrictions for administrative roles
The Administrator IP Ranges server setting lets you restrict access for roles with admin permissions to specific network addresses or address ranges. This allows you, for example, to permit access for these roles only from within the internal company network.
Enter the IP addresses as described below:
As a list of IP addresses
Enter individual IP addresses separated by commas, e.g.
Syntax
192.168.1.1, 192.168.1.2, 192.168.1.3
The following additional options are available when entering IP origin ranges.
Entry of sub-networks
You can specify sub-networks in prefix length notation (the number after the slash is the number of network bits; /24 covers 192.168.1.0 to 192.168.1.255), e.g.
Syntax
192.168.1.10/24
Using wildcards
You can match a group of addresses with the wildcard character, e.g.
Syntax
192.168.1.10*
Note
Keep in mind that once this function is activated, users who have been assigned admin permissions can only access the server from the specified origin IP addresses. Make sure the address you are administering from is included before you save the setting; otherwise you lock yourself out of the administrative functions.
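The following Python script is an added example (not part of this guide or of the Manager's code) that shows how the three entry forms above combine into a single origin check. The wildcard semantics (a textual prefix match on the address) and the treatment of an empty setting as "no restriction" are assumptions about the product's behaviour, and the sample setting value is constructed. Two caveats it makes visible: a wildcard such as 10.0.5.1* also admits 10.0.5.100 to 10.0.5.199, so use the length notation when you mean a range; and if the Manager sits behind a reverse proxy, the server sees the proxy's address as the origin, so the restriction only works if the real client address is passed through and trusted.

```python
import ipaddress


def parse_admin_ip_ranges(setting):
    """Parse the Administrator IP Ranges value into matching rules.

    Three forms are accepted, mirroring the guide: single addresses,
    networks in length notation (CIDR), and a trailing '*' wildcard.
    The wildcard is assumed to match on the textual form of the address.
    """
    rules = []
    for raw in setting.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.endswith("*"):
            rules.append(("prefix", item[:-1]))
        elif "/" in item:
            # strict=False accepts host bits in the entry, e.g. 192.168.1.10/24
            rules.append(("network", ipaddress.ip_network(item, strict=False)))
        else:
            rules.append(("address", ipaddress.ip_address(item)))
    return rules


def admin_origin_allowed(client_ip, rules):
    """Return True if client_ip matches any rule (empty rule list = no restriction)."""
    if not rules:
        return True
    addr = ipaddress.ip_address(client_ip)
    for kind, value in rules:
        if kind == "address" and addr == value:
            return True
        if kind == "network" and addr in value:
            return True
        if kind == "prefix" and str(addr).startswith(value):
            return True
    return False


def check_lockout(setting, my_ip):
    """Sanity check before saving: does the setting still admit the admin applying it?"""
    return admin_origin_allowed(my_ip, parse_admin_ip_ranges(setting))


if __name__ == "__main__":
    # Constructed setting value combining the guide's three syntax forms.
    setting = "192.168.1.1, 192.168.1.2, 192.168.1.10/24, 10.0.5.1*"
    rules = parse_admin_ip_ranges(setting)
    for ip in ("192.168.1.77", "10.0.5.100", "10.0.5.2", "172.16.0.9"):
        print(ip, "allowed" if admin_origin_allowed(ip, rules) else "denied")
    print("would lock myself out:", not check_lockout(setting, "172.16.0.9"))
```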
1.3 Separating content and administrative tasks
The server-side detection and removal of malicious code embedded in content can be supported further by separating content and administrative tasks.
Once the Filter content permissions if user has admin permissions function has been activated, the workarea view is no longer displayed for users with admin permissions (e.g. administration of server settings and meta information such as status, milestones, etc.). If such a user still needs access to content, a second user account without admin permissions must be created for this user. The user then logs in separately with that account to view or edit content.
Note
If a user account is granted admin permissions while content separation is active, the Producer can no longer connect with the login data of that account. If you activate this function at a later time, therefore, inform users with admin permissions beforehand that they must return their write permissions first. Otherwise write permissions held in local workarea copies can no longer be returned and are lost when the user logs in with another user account, which leads to data inconsistencies.
1.4 Password restrictions
Passwords that combine several character classes in a longer sequence are harder for attackers to guess or crack. With password restrictions you require users to comply with predefined criteria when choosing a password, and you prevent passwords that are easy to remember but equally easy to crack.
The following restrictions are available in the server settings:
o Minimum password length:
Indicates the minimum number of characters in the password. If you enter 0, user accounts may be created without passwords.
o Password must contain number:
Indicates that the password must contain at least one numeric character (0-9).
o Password must contain special character:
Indicates that the password must contain at least one special character (&, $, ...).
o Password must contain lower and upper case letters:
Indicates that the password must contain at least one upper case and one lower case letter.
Note
o The password restrictions do not apply to passwords of LDAP-supported user profiles because, in this case, the Active Directory server manages the user profiles and their security criteria.
o The password restrictions do not affect passwords of user profiles that already exist. The restrictions only apply to these profiles when the user changes the password.
1.4.1 Applying restrictions to Excel import
Password restrictions can also be applied when importing user data from an Excel file. To do this, activate the Use password policy option above the path entered for the Excel file.
All users whose passwords in the Excel file violate the restrictions are then imported as inactive users. They must be activated manually and issued a new password.
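The following Python script is an added example (not part of this guide or of the Manager's code) that models the four restrictions of the previous section together with the Excel import behaviour described above: compliant and LDAP-backed users are imported as active, violating local users as inactive. The policy values, the rule names and the import rows are constructed for illustration; the Manager's own rule names and import format are not known from this guide.

```python
import re

# Constructed policy mirroring the four server settings (minimum length 0
# would allow accounts without a password, which password_violations honours).
POLICY = {
    "min_length": 8,
    "require_digit": True,
    "require_special": True,
    "require_mixed_case": True,
}


def password_violations(password, policy):
    """Return the list of rules the password violates (empty list = compliant)."""
    violations = []
    if policy["min_length"] > 0 and len(password) < policy["min_length"]:
        violations.append("min_length")
    if policy["require_digit"] and not re.search(r"[0-9]", password):
        violations.append("digit")
    # anything that is not a letter or digit counts as a special character
    if policy["require_special"] and not re.search(r"[^0-9A-Za-z]", password):
        violations.append("special")
    if policy["require_mixed_case"] and not (
        re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
    ):
        violations.append("mixed_case")
    return violations


def import_users(rows, policy, use_password_policy=True):
    """Simulate the Excel import: rows are (login, password, is_ldap) tuples.

    Returns a dict login -> status. LDAP-backed accounts are never checked
    (the directory enforces its own policy). With the policy option enabled,
    violating local accounts are imported as inactive and need a new password
    and manual activation by an administrator.
    """
    result = {}
    for login, password, is_ldap in rows:
        if is_ldap or not use_password_policy or not password_violations(password, policy):
            result[login] = "active"
        else:
            result[login] = "inactive"
    return result


if __name__ == "__main__":
    # Constructed import file content.
    rows = [
        ("alice", "summer2013", False),    # no special character, no upper case
        ("bob", "", False),                # empty password
        ("carol", "Tr0ub4dor&3", False),   # compliant
        ("dave", "", True),                # LDAP user, not subject to the policy
    ]
    for login, status in import_users(rows, POLICY).items():
        print(f"{login}: {status}")
```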
1.5 Communication encryption via SSL certificate
The Tomcat server environment supports both self-signed SSL certificates and certificates issued by a trusted third party (e.g. VeriSign, TC TrustCenter, Signtrust, TeleSec, Thawte Consulting). You can use either type of certificate to encrypt the communication between users and the Manager. Access then occurs using the address prefix https://.
To prepare the Tomcat server for SSL encryption, follow the steps described in the sub-chapters. You can find more information in the Apache Tomcat documentation at http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html.
Note
o Keep in mind that an SSL certificate is valid only for the host name (or names) it was issued for; browsers compare that name with the address they were given. If you make the server accessible via tunnels, aliases, proxies or similar channels under a different name, the certificate is displayed as invalid.
o To make it possible to access your server using an encrypted connection, it may be necessary to open the ports provided for this purpose in your firewall.
1.5.1 Creating a Tomcat keystore
The keystore of the Tomcat server is a password-protected repository that contains the certificates and private keys. It is not created automatically during installation but must be created manually.
To create the Tomcat keystore, open your server's command prompt (Start > Run > "cmd").
1. Enter the following command:
Syntax
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
Note
o If the command line reports that the file cannot be found, the %JAVA_HOME% system variable is probably not declared on your system. In this case, replace the variable with the installation path of your Java instance, e.g. C:\Progra~1\Java\jre7.
o The command creates the keystore file in the home directory of the user running it. If you want to store the file in a different directory, add the following to the command:
[...] -keystore /path/to/my/file
2. You are now prompted for a password that protects the keystore. Your entry is not shown in the command line for security reasons. Confirm your entry by pressing Enter, then enter the password again for verification.
3. You are then prompted for the data used to create an initial certificate in the keystore. Confirm every entry by pressing Enter.
4. Now enter the key password for the entry with the alias tomcat. Use the same password here that you used for the keystore; otherwise the Tomcat server cannot access the key later on.
The keystore file ('.keystore') has now been created in the specified directory.
Note
Keep in mind that on a system with User Account Control (Windows Vista/Windows 7), the command line and the server run under different user accounts, so your home directory is not available to the server. In this case copy the created keystore file to the home directory of the service account, e.g. for the Local System account C:\windows\system32\config\systemprofile.
1.5.1.1 Preparing the keystore
Tomcat supports keystores in the formats JKS, PKCS11 and PKCS12. JKS is the standard Java keystore format, which is also created by the keytool command line program contained in the Java JDK.
PKCS12 is an Internet standard that can be created and changed using various programs (OpenSSL, Microsoft KeyManager, ...).
To import a signed certificate, read the documentation for the tools you are using.
Note
Every entry in the keystore is addressed via an alias. Many keystore implementations treat aliases case-insensitively, but some (the PKCS11 specification, for example) require case-sensitive aliases. To prevent conflicts, do not use aliases that differ only in upper and lower case letters.
1.5.2 Creating an internal certificate
You can create your own local certificates for encrypting the data traffic of your server. The disadvantage is that these certificates have a short validity period and are not verified by a public body. When your users open the server in a browser, a warning appears that the certificate could not be verified, and it has to be added manually to the user's trusted certificates.
Enter the following command in the command line program to create your own certificate:
Syntax
%JAVA_HOME%\bin\keytool -selfcert -v -alias tomcat -storepass
The values of the certificate you created are then listed. The certificate is now available.
Note
The initial connection of the Producer to an SSL-protected server with a local certificate may fail. In this case, open the Manager instance with Internet Explorer and confirm the trustworthiness of the certificate when prompted. Then try to establish the connection in the Producer again.
1.5.3 Installing an external certificate
With digital SSL certificates from public certification bodies, your web application is given an authenticated, unique key pair and additional information from your service provider to encrypt and decrypt the transfer of confidential data and to prove the origin of your server. Using this type of certificate is particularly necessary when you want to make encrypted access to your server possible outside internal networks, i.e. over the Internet.
1.5.3.1 Creating a Certification Signing Request (CSR)
To obtain a certificate from a public certification body, you first have to create what is known as a Certificate Signing Request (CSR). The CSR contains your public key and the host name of your server; the certification body verifies that you control that name and returns a certificate that binds the two.
1. Create a key pair with an initial self-signed certificate by entering the following command in the command line (Start > Run > cmd):
Syntax
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA \
-keystore
2. Enter your organisation's data at the respective prompts and confirm your entries by pressing Enter.
Note
Certification bodies generally require the fully qualified domain name of the server to be entered at the first and last name prompt, because this value becomes the common name of the certificate. Check the requirements of the certification body you have chosen.
3. Now create the CSR by entering the following command:
Syntax
%JAVA_HOME%\bin\keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr \
-keystore
4. Send the file certreq.csr created in step 3 to the certification body you selected. It can now create and send you a certificate.
1.5.3.2 Importing the certificate
Once you have received the certificate created by the certification body, you can import it into your locally created keystore. Before importing the certificate itself, you have to import what is known as the chain certificate or root certificate of the certification body into the keystore. You can download this certificate from the page the certification body provides for this purpose.
1. Import the downloaded root certificate by entering the following command in the command line (Start > Run > cmd):
Syntax
%JAVA_HOME%\bin\keytool -import -alias root -keystore
\
-trustcacerts -file
2. Now import the SSL certificate you received by entering the following command:
Syntax
%JAVA_HOME%\bin\keytool -import -alias tomcat -keystore
\
-file
3. Restart the Tomcat server to load the certificate.
1.5.4 Adjusting the configuration file
To implement SSL, it is necessary to define a Java (JSSE) connector. Implementation via the APR connector, which is also available, is not supported.
To carry out the implementation, proceed as follows:
1. Use a text editor to open the file server.xml in the conf directory of your Tomcat installation directory.
2. This file already contains a commented-out example of a Connector element for operation with SSL. It should look as follows:
Syntax
3. Remove the surrounding comment markers so that the Connector element is no longer commented out and the connector is activated.
4. Adjust the parameters to your specifications in line with the table below, or add them if they do not exist. Depending on your server specifications, it may be necessary to enter additional parameters. You can find a list of all other parameters in the Tomcat reference.
Parameter: Description
port: Specifies the TCP/IP port on which the Tomcat server responds to requests for a secure connection. You can change the default port 8443 to any port you want. If you change the value, also change the redirectPort parameter of the other defined connectors so that users are redirected accordingly.
keystoreFile: Enter the path to the keystore file. By default this file is created in the home directory of the user who created the keystore; if you change this value, your keystore file must be stored at that other location. Keep in mind that the Tomcat instance must have read access to this file.
keystorePass: Enter the password necessary to access the keystore file. You defined this password in the steps described in the chapter Creating a Tomcat keystore. The password is stored in clear text in server.xml, so restrict read access to that file to administrators and the Tomcat service account.
5. Save and close the file.
6. Restart the Tomcat server to reload the changed settings.
7. Your web applications running on the Tomcat server are now available via secure HTTP communication and can be accessed as in the following example:
https://myserver:8443/Manager
1.5.4.1 Allow encrypted connections only
To make your installation of the Manager available exclusively via SSL-encrypted communication, several additional settings are necessary.
1. Deactivate access via the plain HTTP connector (standard port 80). Comment out the respective connector by enclosing the connector block in comment markers:
Syntax
2. Assign the port number 443 (the standard HTTPS port) to the SSL connector. If you prefer to use a different port number, you have to configure routing via a proxy server or a port forwarding tool (e.g. iptables).
3. Adjust the redirectPort parameter of any other connectors in use accordingly.
4. Save the file.
5. Restart the Tomcat server.
Your Tomcat server is now available exclusively via the following address:
https://myserver
or
https://myserver/myManager
Browser requests to the address http://myserver are now refused by the server; the browser displays a connection error to the user.
Caution
If you have installed the Tomcat server behind a web server such as Apache or IIS, requests are handled by that server instead, and a request sent to port 443 would produce an error message. In this case keep the port number 8443 in the server.xml file and forward the requests from the Apache web server using the mod_jk connector.
Note
After deactivating the standard HTTP port, you have to specify the connection address in the connection settings of the Producer with the prefix https and the port entry 443, e.g.:
https://myserver:443/Manager.
1.5.5 Displaying certificates
To display the certificates stored in your keystore, proceed as follows:
1. Open the command line.
2. Enter the following command:
Syntax
%JAVA_HOME%\bin\keytool -list -v -storepass
3. Confirm your entry by pressing Enter.
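The keytool steps of sections 1.5.1, 1.5.2, 1.5.3 and 1.5.5 fit into one script. The following Python script is an added example, not part of this guide or of the Manager: it builds the keytool argument vectors for either the internal (self-signed) path or the external (CSR plus import) path and can run them with subprocess. The host name, organisation, keystore path, password and certificate file names are constructed placeholders. The script encodes the chapter's caveats: the key password must equal the keystore password, the common name must be the host name users type into the browser, the keystore is placed outside the user profile so the Tomcat service account can read it, and the CA root is imported under its own alias before the signed certificate replaces the self-signed one.

```python
import os
import subprocess

# Assumed locations; the fallback is the guide's example Java path.
JAVA_HOME = os.environ.get("JAVA_HOME", r"C:\Progra~1\Java\jre7")
KEYTOOL = os.path.join(JAVA_HOME, "bin", "keytool")


def keytool_plan(keystore, store_pass, fqdn, org, alias="tomcat", key_pass=None,
                 self_signed=False, root_cert=None, signed_cert=None, validity_days=365):
    """Build the keytool argument vectors for the chapter's steps, in order.

    Each entry is (step name, argv). Passing argv lists avoids shell quoting
    of the password. The key password must equal the keystore password:
    Tomcat's connector is configured with keystorePass only, so a different
    key password makes the private key unreadable for the server.
    """
    key_pass = store_pass if key_pass is None else key_pass
    if key_pass != store_pass:
        raise ValueError("key password must equal the keystore password for Tomcat")
    common = ["-alias", alias, "-keystore", keystore, "-storepass", store_pass]
    # CN must be the host name users type into the browser, not an IP address.
    dname = f"CN={fqdn}, O={org}"
    plan = [("genkey", [KEYTOOL, "-genkey", "-keyalg", "RSA", "-keysize", "2048",
                        "-validity", str(validity_days), "-dname", dname,
                        "-keypass", key_pass] + common)]
    if self_signed:
        # 1.5.2: internal certificate, re-signed with the key just created
        plan.append(("selfcert", [KEYTOOL, "-selfcert", "-v",
                                  "-validity", str(validity_days)] + common))
    else:
        # 1.5.3.1: CSR for a public certification body
        plan.append(("certreq", [KEYTOOL, "-certreq", "-file", "certreq.csr"] + common))
        if root_cert:
            # 1.5.3.2 step 1: CA root/chain first, under its own alias
            plan.append(("import-root", [KEYTOOL, "-import", "-trustcacerts", "-noprompt",
                                         "-alias", "root", "-file", root_cert,
                                         "-keystore", keystore, "-storepass", store_pass]))
        if signed_cert:
            # 1.5.3.2 step 2: signed certificate replaces the self-signed one under the alias
            plan.append(("import-cert", [KEYTOOL, "-import", "-file", signed_cert] + common))
    # 1.5.5: verify what ended up in the keystore
    plan.append(("list", [KEYTOOL, "-list", "-v", "-keystore", keystore,
                          "-storepass", store_pass]))
    return plan


def run_plan(plan, only=None):
    """Execute the planned steps (or the named subset), stopping at the first failure."""
    for name, argv in plan:
        if only is None or name in only:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Constructed example: keystore outside the user profile so the Tomcat
    # service account can read it; password and CA file names are placeholders.
    plan = keytool_plan(r"C:\Tomcat\conf\manager.keystore", "changeit",
                        "manager.example.com", "Example Corp",
                        root_cert="ca-root.cer", signed_cert="manager.cer")
    for name, argv in plan:
        print(name + ":", " ".join(argv))
    # run_plan(plan, only={"genkey", "certreq"})  # run these before sending the CSR to the CA
```

Run the genkey and certreq steps first, send certreq.csr to the certification body, and run the two import steps and the list step once the signed certificate has arrived.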
1.6 SSL secured LDAP connection
By using LDAPS instead of LDAP, the connection to the Active Directory server is secured with the SSL protocol. This requires some preparation on the Active Directory server; on the Manager side only the server address has to be changed.
LDAPS connections to your Active Directory server are available once you have installed a Certification Authority and integrated a CA certificate into your Active Directory. This certificate can be created by you or provided by a trust authority service such as VeriSign, Thawte or others. Since the Manager runs on Java, the Java runtime of the Tomcat server must also trust the CA that issued the Active Directory server certificate; with a CA of your own, import its certificate into the Java truststore, otherwise the SSL handshake fails.
Setting up a Certification Authority (CA)
On the Active Directory server you have to install the Enterprise Root Certification Authority and integrate a CA certificate into it. Read the linked documentation to install and configure a CA on a Microsoft Windows based Active Directory server.
http://social.technet.microsoft.com/wiki/contents/articles/2980.aspx
Setting up the LDAPS connection in the Manager
To connect to an Active Directory server that supports SSL-secured connections, enter the LDAP server address as follows. Replace the placeholder with the correct server name:
Syntax
ldaps://:636
Note
The port number suffix 636 is the default port for LDAPS connections; usually it is not necessary to add it to the address. You have to add it if your Active Directory server is set up to use another port for LDAPS connections. Contact your network administrator for details about deviating port allocations.
1.7 Single sign-on using Kerberos
In combination with an Active Directory server available in the network, the Manager grants your users access with single sign-on. This means that they do not have to log in every time but are given immediate access to the areas assigned to them through automatic authentication.
Caution
o It is not possible to use single sign-on in combination with Windows Server 2008 Service Pack 1 due to a system-specific error in interpretation. Consequently, Service Pack 2 is needed on Windows Server 2008 to guarantee proper operation.
o It is not possible to play navigations (*.dnt) from the Manager when single sign-on is activated and Internet Explorer 6 is in use, due to a technical problem with the browser.
Note
o If some of your Active Directory objects have a large number of group memberships, or you have groups with very long names, consider adjusting the size of the HTTP headers. This avoids errors when the credentials of those objects are transferred. Read the chapter Adjusting the HTTP header size to learn more.
Note
This function is not supported in the Oracle Edition.
1.7.1 Configuration
Note
o If you want to reference a DNS alias name created for this purpose instead of the native host name of the server, keep in mind that this alias name must be defined in the resource record table as a CNAME record that refers to the host. If the alias is entered as an address record (A record) instead, an invalid keytab file will be generated.
o Ensure that the version of ktpass is at least the same as your Active Directory version. To check, right-click the file ktpass.exe and select Properties > Details in the context menu to see the version number.
If necessary, update your system by downloading the Windows Support Tools in the version matching your system version. Note that there may be two different versions of ktpass (32-bit and 64-bit) if you run a 64-bit system.
Follow the steps below to configure server-side single sign-on in your installation of the Manager:
1. Create a user account in the Active Directory (LDAP). The account should be created on a top-level domain server that contains the global catalog, and its name must differ from the host name of the server on which the Manager is installed. Ensure that the password of the account used for the SSO connection will not expire: enable the option "Password never expires" when creating the account.
2. Open the command line interpreter on the Active Directory server and enter the following commands, replacing the placeholders with the appropriate values. These create the keytab file necessary for the functionality. To specify an output path, enter it in the /out parameter along with the file name. Otherwise the keytab file will be created in the current directory.
First, use this command to set the SPN for the created user account. Replace the text in angle brackets with your individual parameters:
Syntax
ktpass /pass /mapuser /princ
HTTP/.@ /ptype KRB5_NT_PRINCIPAL /Target
*Placeholders shown in upper case letters must also be written in upper case letters.
**Use the DNS name for the domain. NetBIOS names are not supported.
Next, use this command to create the keytab file. Again replace the text in angle brackets with your individual parameters:
Syntax
ktpass /out () /princ
HTTP/.@ /ptype KRB5_NT_PRINCIPAL /Target
/pass /mapuser
*Placeholders shown in upper case letters must also be written in upper case letters.
**Use the DNS name for the domain. NetBIOS names are not supported.
Caution
Keep in mind that the /princ HTTP parameter has to be entered in the following format:
@.
3. Place the keytab file somewhere on the Manager server (e.g. C:\Manager\Managerpc.HTTP.keytab). Avoid placing the file in the webapps directory of the Manager because it will be deleted when the program is updated. The keytab contains the service account's key material, so restrict read access to the Tomcat service account and administrators.
Now enter the appropriate data in the LDAP import wizard of the Manager. This data is explained briefly below.
Parameter: Description
Enable SSO: Activates SSO for the LDAP import. To activate SSO for your users, additionally activate Single sign-on within the Server Settings. Note that SSO will only work for accounts imported via LDAP.
Service Principal*: Enter the service principal name with the complete service description and domain of the Manager server here, e.g. HTTP/[email protected]
Keytab File Name: If there is already a Kerberos service set up in your network and a config file regulates service access, select the according file by clicking Select Keytab File. The fields Server name and Realm do not need to be filled out in this case. You can find more information at: http://download.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/KerberosReq.html
Server name*: Enter the host name of the Active Directory server here, e.g. master.
Realm*: Enter your domain here, e.g. MYCOMPANY.DE
4. Now click Save LDAP Access to save the data you entered. You may now select the data to be imported by clicking the button Select, or leave the assistant by clicking Close.
5. To activate single sign-on for your users, go to Administration -> Server Settings and activate the setting Enable Single sign-on within the section Single sign-on.
Note
Kerberos-based single sign-on does not work when accessing the local host. You have to address your instance of the Manager from a different computer to make use of single sign-on.
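The following Python script is an added example (not part of this guide or of the Manager's code) that assembles the service principal and the ktpass call from steps 1 to 3 above and enforces the constraints stated there: the DNS domain rather than a NetBIOS name, the realm in upper case, the principal in the form HTTP/host.domain@REALM, and a keytab location outside the webapps directory. The host, domain, account and path values are constructed; the commands are built as argument lists so they can be reviewed before being run on the domain controller. It also produces the setspn checks from the troubleshooting section. Note that ktpass maps the SPN to the account and writes the keytab in a single call when /out is given, and that /pass * makes ktpass prompt for the password instead of taking it from the command line.

```python
import os


def kerberos_service_principal(host, dns_domain, realm=None):
    """Return the SPN the Manager expects: HTTP/<host>.<dns domain>@<REALM>.

    The realm defaults to the DNS domain in upper case. NetBIOS names
    (containing a backslash) are rejected because the guide requires DNS
    names for ktpass.
    """
    if "\\" in dns_domain or "\\" in (realm or ""):
        raise ValueError("use the DNS domain name, not a NetBIOS name")
    realm = (realm or dns_domain).upper()            # upper case placeholders stay upper case
    fqdn = host if "." in host else f"{host}.{dns_domain}"
    return f"HTTP/{fqdn.lower()}@{realm}"


def ktpass_command(host, dns_domain, account, keytab_path, webapps_dir,
                   realm=None, target=None):
    """Build the ktpass argument vector that maps the SPN to the account and writes the keytab.

    A keytab path below the Manager's webapps directory is refused, because
    that directory is replaced on update and the file would be lost.
    """
    keytab = os.path.normcase(os.path.abspath(keytab_path))
    webapps = os.path.normcase(os.path.abspath(webapps_dir)).rstrip(os.sep) + os.sep
    if keytab.startswith(webapps):
        raise ValueError("keytab must not be stored below the webapps directory")
    argv = ["ktpass", "/out", keytab_path,
            "/princ", kerberos_service_principal(host, dns_domain, realm),
            "/mapuser", f"{account}@{dns_domain}",   # DNS form of the account, not DOMAIN\account
            "/ptype", "KRB5_NT_PRINCIPAL",
            "/pass", "*"]                            # '*' prompts for the account password
    if target:
        argv += ["/target", target]                  # domain controller to write to (optional)
    return argv


def verification_commands(account):
    """setspn calls from the troubleshooting section: list the account's SPNs, then hunt for duplicates."""
    return [["setspn", "-L", account], ["setspn", "-X"]]


if __name__ == "__main__":
    # Constructed values: host managerpc in domain mycompany.de, service account svc-manager-sso.
    cmd = ktpass_command("managerpc", "mycompany.de", "svc-manager-sso",
                         r"C:\Manager\managerpc.HTTP.keytab", r"C:\Tomcat\webapps")
    print(" ".join(cmd))
    for argv in verification_commands("svc-manager-sso"):
        print(" ".join(argv))
```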
1.7.2 Settings for Mozilla Firefox
Open the advanced browser configuration by entering about:config in the address bar. Search for the setting network.negotiate-auth.trusted-uris and enter the name of the server or the server domain.
1.7.3 Settings for Internet Explorer
Open the browser settings by clicking Tools > Internet Options and make the following changes:
1. Open the Advanced tab. Activate the option Enable Integrated Windows Authentication under Security.
2. Open the Security tab and click Local intranet. Click the Custom level button and select Automatic logon only in Intranet zone under User Authentication > Logon. Close the dialog box and click OK.
3. Click the Sites button and then Advanced. Enter the address (host name) of the server on which the Manager is installed in the upper input box. If the input box is not available for entry, contact your network administrator to add it to the listed values.
1.7.4 Adjusting the HTTP header size
For users assigned to a large number of groups, the length of the HTTP header may exceed the maximum size permitted by the Tomcat server, because all group memberships are sent inside the header as part of the Kerberos ticket. In this case the Tomcat server discards the authentication, resulting in a server error message displayed to the user after calling the Manager. To solve this issue, the default value (8 KB) in the Tomcat configuration has to be raised.
Proceed as follows to adapt your Tomcat configuration:
1. Start your favourite text editor and open the file server.xml, which is located in the conf directory of your Tomcat installation directory.
2. Scroll to the Connector definitions and add the parameter maxHttpHeaderSize to each definition of an active connector. The box below shows an example of an adapted connector element.
Syntax
The value has to be given in bytes. The example given matches 64 KB (65536 bytes).
3. Save and close the file.
4. Restart the Tomcat server service.
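The Connector settings from sections 1.5.4, 1.5.4.1 and this section can be checked mechanically. The following Python script is an added example, not part of this guide or of Tomcat: it contains two constructed server.xml fragments, one in the shape of the Tomcat 7 default (plain HTTP active, SSL connector commented out, 8 KB header limit) and one adapted as this chapter describes, and an audit function that reports an active plain HTTP connector, a missing or APR-based SSL connector, missing keystore attributes, redirectPort values that do not point at the HTTPS port, and a maxHttpHeaderSize below a chosen minimum. The keystore path and password in the hardened sample are placeholders; the class name org.apache.coyote.http11.Http11Protocol selects the JSSE implementation explicitly.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the Tomcat 7 default: plain HTTP active,
# the SSL connector still commented out, header limit at the 8 KB default.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample after 1.5.4, 1.5.4.1 and 1.7.4: HTTP commented out, JSSE
# connector on 443 with keystore, redirectPort adjusted, 64 KB header limit.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="443" />
    -->
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="C:/Tomcat/conf/manager.keystore"
               keystorePass="changeit" maxHttpHeaderSize="65536" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443"
               maxHttpHeaderSize="65536" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def audit_connectors(server_xml, min_header_size=65536):
    """Check the Connector elements against this chapter's settings.

    Returns a list of findings; an empty list means every check passed.
    ElementTree drops XML comments, so commented-out connectors are
    treated as disabled, exactly as Tomcat does.
    """
    connectors = ET.fromstring(server_xml).findall(".//Connector")
    findings = []
    https = [c for c in connectors if c.get("SSLEnabled", "false").lower() == "true"]
    https_port = https[0].get("port") if https else None
    if not https:
        findings.append("no active SSLEnabled connector: HTTPS is not available")
    for c in https:
        port = c.get("port")
        if "Apr" in c.get("protocol", ""):
            findings.append(f"port {port}: APR connector is not supported, use the JSSE implementation")
        for attr in ("keystoreFile", "keystorePass"):
            if not c.get(attr):
                findings.append(f"port {port}: {attr} is missing")
    for c in connectors:
        port = c.get("port")
        if c not in https:
            proto = c.get("protocol", "HTTP/1.1")
            if proto.startswith("HTTP") or "Http11" in proto:
                findings.append(f"port {port}: plain HTTP connector is still active")
            if https_port and c.get("redirectPort") != https_port:
                findings.append(f"port {port}: redirectPort {c.get('redirectPort')} does not match the HTTPS port {https_port}")
        size = int(c.get("maxHttpHeaderSize", "8192"))   # Tomcat default is 8 KB
        if size < min_header_size:
            findings.append(f"port {port}: maxHttpHeaderSize {size} is below {min_header_size}; Kerberos tickets with many groups may be rejected")
    return findings


if __name__ == "__main__":
    for label, xml in (("default", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_connectors(xml) or ["OK"])
```

Run the audit against your own conf/server.xml after every change; an empty result means the HTTPS-only setup and the header size are in place on every active connector.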
1.7.5 Troubleshooting
Problems with your single sign-on configuration can have several causes. To find the cause of an error, you need to read the server logs and trace the client-server communication.
Log files
The log files are written to Tomcat's default log path; replace the text in angle brackets according to your scenario. You need a text viewer application to open the log files.
\logs\-manager_exceptions.log
Track communication
To trace the communication between client and server, we highly recommend Wireshark (http://www.wireshark.org) or a comparable application.
1.7.5.1 Exception log messages and possible reasons
Exception message
Syntax
java.io.EOFException: DEF length 84 object truncated by 46 - Additional A Pointer or duplicate SPN
Possible reasons
1. Check on your DNS server whether an additional A record has been set for the server hosting Manager. Use a CNAME instead.
2. Use the command setspn -X on your Domain Controller to find duplicate SPNs. If duplicates exist, either delete the user account that has the same SPN or use the command setspn -d "\" to delete the duplicate SPN from that account.
Exception message
Syntax
javax.security.auth.login.LoginException: No CallbackHandler available to garner authentication information from the user
Possible reasons
1. The account holding the SPN might be disabled. Re-enable that account on the Active Directory server.
2. Check with the command setspn -L "\" whether the proper SPN has been set for that account. If not, use ktpass to set it.
Exception message
Syntax
"0x6 - KDC_ERR_C_PRINCIPAL_UNKNOWN: Client not found in Kerberos database" OR
"0x7 - KDC_ERR_S_PRINCIPAL_UNKNOWN: Server not found in Kerberos database"
Possible reasons
1. These two errors usually indicate that an SPN has not been set correctly. Check with the command setspn -L "\" whether the proper SPN has been set for that account. If not, use ktpass to set it.
1.7.5.2 Recreate Kerberos file after Java update
If you update the Oracle JRE from version 6 to version 7, your currently running SSO scenario will fail, because the Kerberos files generated by the JRE are incompatible between the two major versions. To fix this issue, you have to regenerate the Kerberos file with the new JRE version.
Proceed as follows:
1. Open your browser and enter the URL of your Manager instance.
2. Log on to Manager.
3. Go to Administration > Server Import.
4. Enter the credentials of the initial user account when asked.
5. On the page Manager Import, click LDAP.
6. Select one of the data sources you use for your SSO scenario and click edit.
7. On the page Import LDAP Data, ensure that the keytab file and the service principal are specified.
8. Click Save LDAP Access.
9. Close the browser.
The Kerberos file has now been regenerated using the newer JRE version, and your SSO scenario runs without errors again.
Note
If you run multiple Manager instances, you only have to perform this procedure once for each keytab file you use, not for each Manager instance. Once the Kerberos file is regenerated, it works for all other Manager instances as well.
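Step 7 above and the SPN checks in 1.7.5.1 both depend on the keytab holding the right service principal. The following Python script, an added example that is not part of this guide or of SAP's software, reads a keytab in the 0x0502 file format (the format ktpass writes) and lists each entry's principal, key version number (kvno) and encryption type, so the contents can be compared with the output of setspn -L and with the service principal configured in Manager. The key material itself is never printed. The principal HTTP/manager.example.com@EXAMPLE.COM, the key bytes, the timestamps and the deleted slot in the embedded sample keytab are constructed for the demonstration.

```python
"""Inspect a Kerberos keytab (MIT/Heimdal file format 0x0502, which ktpass also
writes) and check that it holds the service principal configured for Manager.
Added example for this guide; not part of SAP Workforce Performance Builder."""
import struct
import sys
from dataclasses import dataclass

# Well-known encryption type numbers (RFC 3961 / RFC 4757)
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/manager.example.com@EXAMPLE.COM
    kvno: int        # key version number; must match the account's current kvno in AD
    enctype: int
    timestamp: int
    key_len: int     # only the length is kept; key material is never exposed

def _counted(buf, pos):
    """Read a counted_octet_string: uint16 big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return bytes(buf[pos + 2:pos + 2 + n]), pos + 2 + n

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)    # the realm precedes the name components
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                  # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, timestamp, len(key)))
    return entries

def find_principal(entries, spn):
    """Entries whose principal equals the SPN configured in Manager (HTTP/host@REALM)."""
    return [e for e in entries if e.principal == spn]

def describe(entries):
    return ["%s kvno=%d %s (%d-byte key)" % (e.principal, e.kvno,
            ENCTYPE_NAMES.get(e.enctype, "enctype %d" % e.enctype), e.key_len) for e in entries]

def build_keytab(records):
    """Write a 0x0502 keytab from (principal, kvno, enctype, key, timestamp) tuples.
    Used here only to construct the sample below."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, timestamp in records:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

# Constructed sample: one service account with rc4-hmac and aes256 keys at kvno 3,
# and a deleted slot in between, which a parser has to skip.
SAMPLE_SPN = "HTTP/manager.example.com@EXAMPLE.COM"
_first = build_keytab([(SAMPLE_SPN, 3, 23, b"\x11" * 16, 1380000000)])
_second = build_keytab([(SAMPLE_SPN, 3, 18, b"\x22" * 32, 1380000000)])[2:]  # drop the header
SAMPLE_KEYTAB = _first + struct.pack(">i", -8) + b"\x00" * 8 + _second

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    spn = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_SPN
    found = parse_keytab(data)
    print("\n".join(describe(found)))
    print("service principal %s: %s" % (spn, "present" if find_principal(found, spn) else "MISSING"))
```

Run it with the keytab path and the SPN configured in Manager as arguments; without arguments it parses the embedded sample. A principal that differs from the one registered with setspn, or a missing entry, points to the SPN problems listed in 1.7.5.1.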
1.7.5.3 Additional troubleshooting
o Make sure the Domain Controller is reachable from both the Manager and the client. Use tools like ping or nslookup to check.
o Use the command klist on your client to check whether you received the proper Kerberos ticket. If you did not receive any ticket, there may be an issue with the Kerberos service on your Domain Controller or with the Kerberos configuration on your client. Check that the setting "Integrated Windows Authentication" is enabled in your client's Internet Explorer.
o Make sure that your Domain Trusts are set up properly if you use SSO across multiple domains.
o Make sure that you do not use a second A record for your Manager. The same applies to your reverse lookup zones.
o Use Wireshark or a comparable application on the server hosting your Manager and filter for Kerberos to see whether any Kerberos communication takes place.