How to install SSO for SAP without joining QAS to the domain
1. Install the vasclnt package
2. Run the below command to configure the vas.conf, replacing YOURDOMAIN.COM
# /opt/quest/bin/vastool configure realm YOURDOMAIN.COM
3 - Then follow instructions in the QAS for SAP Admin Guide. Ensuring that
"Creating and Using a Service Account for the SAP Service" is followed.
Once complete validate that it is working by:
# /opt/quest/bin/vastool auth -S SERVICE/fdqn
# /opt/quest/bin/vastool -u
Note: no daemons or services for Authentication Services need to be running (ie. vasd or vasgpd).
If the service account was created on the window server and it has a SPN you will need to create a keytab on the unix machine to reference the service account. This can be done by running the below command and changing the password on the service account and storing a hash of it in the keytab file.
/opt/quest/bin/vastool -u < service account> -w <password> passwd -r -o -k <path to keytab file you wish to create> -e <service account name>
-r says to create a random password.
-o tells us to output the new password to the screen.
-k is store in the keytab file. we recommend storing in /etc/opt/quest/vas/<serviceacct name>.keytab
The /etc/opt/quest/vas/vas.conf file should look similiar to the below:
default_realm = YOURDOMAIN.COM
ticket_lifetime = 36000
forwardable = true
default_keytab_name = /etc/opt/quest/vas/host.keytab
default_etypes = arcfour-hmac-md5
default_etypes_des = des-cbc-crc
centos.yourdomain.com = YOURDOMAIN.COM