-
Title
Setting up SAP SSO in a SAP clustered environment using a shared service account -
Description
Setting up SAP SSO in a SAP clustered environment using a shared service account -
Resolution
Step 1: Create a service account for the virtual hostname using vastool on the SAP R/3 Server host:# /opt/quest/bin/vastool –uservice create SAP/virtualhostname.mydnsdomain@MYDOMAIN This command creates the file /etc/opt/quest/vas/SAP.keytab. The –u parameter,
, is the name of the active directory user with administrative privileges to create a new service account. The user will be prompted for their Active Directory (AD) password which is required to authenticate them to AD. For a better understanding of the vastool service create command and its available options, please read the vastool man page. Note: A possible service account naming convention is SERVICE_ID. For example, the service name for SAP running on the NW4 instance could be SAP_NW4/virtualhostname.mydnsdomain@MYDOMAINStep 2: Change the file permissions on the newly created service keytab file so that the corresponding service has the rights to read from the keytab file.
# chgrp sapsys /etc/opt/quest/vas/SAP.keytabThis command changes the group ownership of the keytab to the sapsys group.# chmod 640 /etc/opt/quest/vas/SAP.keytab
Or# chmod g=r /etc/opt/quest/vas/SAP.keytabThese commands change the file access permissions so that group has read rights.Step 3: Move the newly created file /etc/opt/quest/vas/SAP.keytab to a shared location between the SAP nodes in the cluster.
Step 4: Set the snc/identity/as value to: p:SAP/virtualhostname.mydnsdomain@MYDOMAIN, on each SAP server in the cluster.
*** Make sure that virtualhostname.mydnsdomain is a fully qualified DNS name.Step 5: On each SAP node in the cluster set the environment variable KRB5_KTNAME to point to the shared location of the SAP.keytab file. This environment variable needs to be set for the SAP admin user that will be starting the SAP services.
Step 6: Restart the SAP services.