Safeguard Authentication Services 5.0.2 - Single Sign-on for SAP Integration Guide

Enabling SNC on the SAP server

To enable Secure Network Communications (SNC) on the R3 server

1. Add and configure the SNC-specific parameters to the instance profile of the SAP Server.

   You can set the profile parameters using transaction RZ10 if you have the corresponding administrator rights to make these changes.

2. Add the following SNC parameters to the instance profile of the application server. These settings enable the SNC features without impacting existing operations.

   snc/enable = 1
   snc/data_protection/min = 1
   snc/data_protection/max = 3
   snc/data_protection/use = 3
   snc/accept_insecure_gui = 1
   snc/accept_insecure_cpic = 1
   snc/accept_insecure_rfc = 1
   snc/accept_insecure_r3int_rfc = 1
   snc/r3int_rfc_secure = 0
   snc/r3int_rfc_qop = 3
   snc/permit_insecure_start = 1
   snc/identity/as = p:sAMAccountName@REALM
   snc/gssapi_lib = /opt/quest/lib/libvas-gssapi.so

   The actual path of the GSSAPI library varies by platform. The following table lists the path and file name of snc/gssapi_lib in the last line of the SNC parameters listed above.

   Table 2: Object: User-Display

   Platform	Path	Filename
   Any 32-bit (except HP-UX)	/opt/quest/lib	libvas-gssapi.so
   HPUX 32-bit	/opt/quest/lib	libvas-gssap.sl
   AIX 64	/opt/quest/lib	libvas-gssapi64.so
   Linux-x86_64	/opt/quest/lib64	libvas-gssapi.so
   Oracle Solaris-SPARC 64	/opt/quest/lib/sparcv9	libvas-gssapi.so
   Oracle Solaris-x86_64	/opt/quest/lib/64	libvas-gssapi.so
   HP-UX pa-risc 64	/opt/quest/lib/pa20_64	libvas-gssapi.sl
   HP-UX ia64	/opt/quest/lib/hpux64	libvas-gssapi.so

   The snc/identity/as parameter, sAMAccountName@REALM, corresponds to the KRB5 principal name of the SAP Server. You can determine the sAMAccountName@REALM (or KRB5 principal name) by examining the Kerberos ticket cache using the vastool klist command.

3. Change the group ownership of /etc/opt/quest/vas/host.keytab to sapsys by running:

   chgrp sapsys /etc/opt/quest/vas/host.keytab

   Modify the permissions so that the sapsys group has read access:

   chmod 640 /etc/opt/quest/vas/host.keytab

4. Restart the SAP Application Server.

   If problems occur with the startup of the SNC, they are logged into the work directory of the SAP Application Server in the /usr/sap/SID/instance/work/dev_w0 file.

   Here is a sample work process log containing SNC activation messages:

   N SncInit(): Initializing Secure Network Communication (SNC)
   N    Intel x86 with Linux (st,ascii,SAP_UC/size_t/void* = 8/32/32)
   N SncInit():  found snc/data_protection/max=3, using 3 (Privacy Level)
   N SncInit():  found snc/data_protection/min=1, using 1 (Authentication Level)
   N SncInit():  found snc/data_protection/use=9, using 3 (Privacy Level)
   N SncInit(): found snc/gssapi_lib=/opt/quest/lib/libvas-gssapi.so
   N
   N Tue Sep 30 17:11:14 2008
   N  File "/opt/quest/lib/libvas-gssapi.so" dynamically loaded as GSSAPI v2 library.
   N  The internal Adapter for the loaded GSSAPI mechanism identifies as:
   N  Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSSAPI v2
   N SncInit():  found snc/identity/as=p:sAMAccountName@REALM
   N SncInit(): Accepting Credentials available, lifetime=Indefinite
   N
   N Tue Sep 30 17:11:15 2008
   N SncInit(): Initiating Credentials available, lifetime=09h 57m 07s
   M ***LOG R1Q=> 1& [thxxsnc.c  252]
   M SNC (Secure Network Communication) enabled

Configuring a SAP user to enable SNC authentication

Each user must have a unique Kerberos Principal Name (KPN) associated with their SAP account to use Single Sign-on for SAP.

To configure a SAP user to enable SNC authentication

1. Log on to the SAP Server as a user with administrative permissions.

2. Enter SU01 and click Enter or access the user management functions under SAP Menu | Tools | Administration | User Maintenance | Users.

   

3. In the User field, enter a user name and click the pencil icon.

   

4. Select the SNC tab of the User Management screen.

   

5. In the SNC name field, enter the user's Kerberos Principal Name (KPN) (sAMAccountName@realm).

   Note: You must put a "p:" in front of the user's KPN, as follows: p:sAMAccountName@realm

6. Click Save on the menu bar.

   The SNC data properties displays a check mark next to the Canonical name determined message.

Installing Safeguard Authentication Services Single Sign-on for SAP

You can install Safeguard Authentication Services Single Sign-on for SAP from the installation setup wizard. From the Autorun Setup page, select Single Sign-on for SAP from the Related Products tab to install this add-on or follow the steps below.

To install Safeguard Authentication Services Single Sign-on for SAP

1. In Windows Explorer open the Safeguard Authentication Services CD, navigate to add-ons | qas-sso-for-sap.
2. Double-click qas-sso-for-sap-x.x.x.x.msi to launch the installer.

   where "x.x.x.x" is the latest version number.

3. Click Next.
4. Click Browse to locate the license file.

   Note: You must have a license file to install.

5. Select I accept the terms in the license agreement and click Next.
6. Click Next to install to the default folder, or click Change to install to an alternate location.

   Note: If you are running the installer as a non-administrator, One Identity recommends that you specify an alternate location where you have rights to copy files.

7. Select Complete and click Next.
8. The Ready to Install the Program dialog displays. Click Install.

   Note: You may be prompted for permission to install. In that case, click Allow.

9. Click Finish to exit the wizard.

Deploying Single Sign-on for SAP through Group Policy

The Single Sign-on for SAP package includes a transform file called qas-sso-for-sap.mst along with the main MSI installer file. This transform file together with a special .cab file allows you to perform a silent installation of the Single Sign-on for SAP package using your license file.

When deploying Single Sign-on for SAP using Group Policy you must first create a CAB from your license file.