
Safeguard Authentication Services 6.0 LTS - SSO for SAP Integration Guide

Enabling SNC on the SAP server

To enable Secure Network Communications (SNC) on the R3 server

  1. Add and configure the SNC-specific parameters to the instance profile of the SAP Server.

    You can set the profile parameters using transaction RZ10 if you have the corresponding administrator rights to make these changes.

  2. Add the following SNC parameters to the instance profile of the application server. These settings enable the SNC features without impacting existing operations.

    snc/enable = 1
    snc/data_protection/min = 1
    snc/data_protection/max = 3
    snc/data_protection/use = 3
    snc/accept_insecure_gui = 1
    snc/accept_insecure_cpic = 1
    snc/accept_insecure_rfc = 1
    snc/accept_insecure_r3int_rfc = 1
    snc/r3int_rfc_secure = 0
    snc/r3int_rfc_qop = 3
    snc/permit_insecure_start = 1
    snc/identity/as = p:sAMAccountName@REALM
    snc/gssapi_lib = /opt/quest/lib/libvas-gssapi.so

    The actual path of the GSSAPI library varies from platform to platform. The following table lists the path and file name to use for snc/gssapi_lib, the last of the SNC parameters listed above.

    Table 2: Object: User-Display

    Platform                     Path                      Filename
    Any 32-bit (except HP-UX)    /opt/quest/lib            libvas-gssapi.so
    HPUX 32-bit                  /opt/quest/lib            libvas-gssap.sl
    AIX 64                       /opt/quest/lib            libvas-gssapi64.so
    Linux-x86_64                 /opt/quest/lib64          libvas-gssapi.so
    Oracle Solaris-SPARC 64      /opt/quest/lib/sparcv9    libvas-gssapi.so
    Oracle Solaris-x86_64        /opt/quest/lib/64         libvas-gssapi.so
    HP-UX pa-risc 64             /opt/quest/lib/pa20_64    libvas-gssapi.sl
    HP-UX ia64                   /opt/quest/lib/hpux64     libvas-gssapi.so

    The snc/identity/as parameter (for example, sAMAccountName@REALM) corresponds to the KRB5 principal name of the SAP Server. You can determine the sAMAccountName@REALM (or KRB5 principal name) by examining the Kerberos ticket cache using the vastool klist command.

  3. Change the group ownership of /etc/opt/quest/vas/host.keytab to sapsys by running chgrp sapsys /etc/opt/quest/vas/host.keytab.

  4. Modify the permissions so that the sapsys group has read access: chmod 640 /etc/opt/quest/vas/host.keytab.

  5. Restart the SAP Application Server.

    If problems occur when SNC starts, they are logged to the dev_w0 file in the work directory of the SAP Application Server (/usr/sap/SID/instance/work/dev_w0).

    Here is a sample work process log containing SNC activation messages:

    N SncInit(): Initializing Secure Network Communication (SNC)
    N    Intel x86 with Linux (st,ascii,SAP_UC/size_t/void* = 8/32/32)
    N SncInit():  found snc/data_protection/max=3, using 3 (Privacy Level)
    N SncInit():  found snc/data_protection/min=1, using 1 (Authentication Level)
    N SncInit():  found snc/data_protection/use=9, using 3 (Privacy Level)
    N SncInit(): found snc/gssapi_lib=/opt/quest/lib/libvas-gssapi.so
    N
    N Tue Sep 30 17:11:14 2008
    N  File "/opt/quest/lib/libvas-gssapi.so" dynamically loaded as GSSAPI v2 library.
    N  The internal Adapter for the loaded GSSAPI mechanism identifies as:
    N  Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSSAPI v2
    N SncInit():  found snc/identity/as=p:sAMAccountName@REALM
    N SncInit(): Accepting Credentials available, lifetime=Indefinite
    N
    N Tue Sep 30 17:11:15 2008
    N SncInit(): Initiating Credentials available, lifetime=09h 57m 07s
    M ***LOG R1Q=> 1& [thxxsnc.c  252]
    M SNC (Secure Network Communication) enabled
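
The checks below are an added example, not part of the One Identity guide or of SAP's tooling: a read-only shell script that confirms the state steps 2 through 5 should leave behind and lists which step 2 parameters still accept connections without SNC. The function names are hypothetical, and the profile, keytab, group and dev_w0 locations are passed in as arguments.

```shell
#!/bin/sh
# Added example (not vendor tooling): read-only checks for steps 2-5 above.

# Print the value assigned to a profile parameter (last assignment in the file).
profile_get() {  # usage: profile_get <profile> <parameter>
    awk -v key="$2" '
        /^[ \t]*#/ || !/=/ { next }              # skip comments and non-assignments
        { i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) val = v }
        END { if (val != "") print val }' "$1"
}

# List the step 2 parameters that are set to 1, that is, the ones that
# still admit connections or program starts without SNC protection.
snc_insecure_accepts() {  # usage: snc_insecure_accepts <profile>
    for p in snc/accept_insecure_gui snc/accept_insecure_cpic \
             snc/accept_insecure_rfc snc/accept_insecure_r3int_rfc \
             snc/permit_insecure_start; do
        [ "$(profile_get "$1" "$p")" = "1" ] && echo "$p"
    done
    return 0
}

# Return 0 only if profile, keytab and work-process log all look the way the
# procedure leaves them; otherwise print one FAIL line per failed check.
snc_verify() {  # usage: snc_verify <profile> <keytab> <group> <dev_w0 log>
    rc=0
    [ "$(profile_get "$1" snc/enable)" = "1" ] ||
        { echo "FAIL snc/enable is not 1"; rc=1; }
    case "$(profile_get "$1" snc/identity/as)" in
        p:?*@?*) ;;                               # p:sAMAccountName@REALM
        *) echo "FAIL snc/identity/as is not p:name@REALM"; rc=1 ;;
    esac
    lib=$(profile_get "$1" snc/gssapi_lib)
    [ -n "$lib" ] && [ -r "$lib" ] ||
        { echo "FAIL snc/gssapi_lib missing or unreadable: $lib"; rc=1; }
    # Steps 3-4: exactly mode 640 and owned by the given group (sapsys on the page).
    [ -n "$(find "$2" -prune -perm 640 -group "$3" 2>/dev/null)" ] ||
        { echo "FAIL $2 is not mode 640 with group $3"; rc=1; }
    # Step 5: the work-process log must carry the activation message.
    grep -q 'SNC (Secure Network Communication) enabled' "$4" 2>/dev/null ||
        { echo "FAIL no SNC enabled message in $4"; rc=1; }
    return $rc
}
```

With the paths from this page, the call is snc_verify <instance profile> /etc/opt/quest/vas/host.keytab sapsys /usr/sap/SID/instance/work/dev_w0.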

Configuring an SAP user to enable SNC authentication

Each user must have a unique Kerberos Principal Name (KPN) associated with their SAP account to use Single Sign-on for SAP.

To configure an SAP user to enable SNC authentication

  1. Log in to the SAP Server as a user with administrative permissions.

  2. Enter SU01 and click Enter, or access the user management functions under SAP Menu > Tools > Administration > User Maintenance > Users.

  3. In the User field, enter a user name and click the pencil icon.

  4. Select the SNC tab of the User Management screen.

  5. In the SNC name field, enter the user's Kerberos Principal Name (KPN) (sAMAccountName@realm).

    NOTE: You must put a "p:" in front of the user's KPN, as follows: p:sAMAccountName@realm

  6. Click Save on the menu bar.

    The SNC data properties display a check mark next to the Canonical name determined message.

Installing Safeguard Authentication Services Single Sign-on for SAP

You can install Safeguard Authentication Services Single Sign-on for SAP from the installation setup wizard. From the Autorun Setup page, select Single Sign-on for SAP from the Related Products tab to install this add-on or follow the steps below.

NOTE: If you do not have local administrator rights, the SNC_LIB system environment variable will not be set during the installation. To resolve this issue, you can set the environment variable path for SNC_LIB to <install folder>/qgsskrb5.dll.

To install Safeguard Authentication Services Single Sign-on for SAP

  1. In Windows Explorer open the Safeguard Authentication Services CD, then navigate to add-ons > qas-sso-for-sap.

  2. To launch the installer, double-click qas-sso-for-sap-x.x.x.x.msi (where "x.x.x.x" is the latest version number).

  3. Click Next.

  4. To locate the license file, click Browse.

    NOTE: You must have a license file to install.

  5. Select I accept the terms in the license agreement and click Next.

  6. You have two options:

    • To install to the default folder, click Next.

    • To install to an alternate location, click Change.

    NOTE: If you are running the installer as a non-administrator, One Identity recommends that you specify an alternate location where you have rights to copy files.

  7. Select Complete and click Next.

  8. The Ready to Install the Program dialog appears. Click Install.

    NOTE: You may be prompted for permission to install. In this case, click Allow.

  9. Click Finish to exit the wizard.

Deploying Single Sign-on for SAP through Group Policy

The Single Sign-on for SAP package includes a transform file called qas-sso-for-sap.mst along with the main MSI installer file. Together with a special .cab file, this transform file allows you to perform a silent installation of the Single Sign-on for SAP package that uses your license file.

When deploying Single Sign-on for SAP using Group Policy, you must first create a CAB from your license file.
