
Safeguard Authentication Services 4.1.5 - Single Sign-on for SAP Integration Guide

Enabling SNC on the SAP server

To enable Secure Network Communications (SNC) on the R3 server

  1. Add and configure the SNC-specific parameters to the instance profile of the SAP Server.

    The SNC parameters for configuring SAP are fully described in the SNC User’s Guide published by SAP.

    You can set the profile parameters using transaction RZ10 if you have the corresponding administrator rights to make these changes.

  2. Add the following SNC-parameters to the instance profile of the application server. These settings enable the SNC features without impacting existing operations.
    snc/enable = 1
    snc/data_protection/min = 1
    snc/data_protection/max = 3
    snc/data_protection/use = 3
    snc/accept_insecure_gui = 1
    snc/accept_insecure_cpic = 1
    snc/accept_insecure_rfc = 1
    snc/accept_insecure_r3int_rfc = 1
    snc/r3int_rfc_secure = 0
    snc/r3int_rfc_qop = 3
    snc/permit_insecure_start = 1
    snc/identity/as = p:sAMAccountName@REALM
    snc/gssapi_lib = /opt/quest/lib/libvas-gssapi.so

    The actual path of the GSS-API library varies by platform. The following table lists the path and file name to use for snc/gssapi_lib, the last of the SNC parameters listed above.

    Table 2: Object: User-Display
    Platform                      Path                      Filename
    Any 32-bit (except HP-UX)     /opt/quest/lib            libvas-gssapi.so
    HP-UX 32-bit                  /opt/quest/lib            libvas-gssapi.sl
    AIX 64                        /opt/quest/lib            libvas-gssapi64.so
    Linux-x86_64                  /opt/quest/lib64          libvas-gssapi.so
    Solaris-SPARC 64              /opt/quest/lib/sparcv9    libvas-gssapi.so
    Solaris-x86_64                /opt/quest/lib/64         libvas-gssapi.so
    HP-UX pa-risc 64              /opt/quest/lib/pa20_64    libvas-gssapi.sl
    HP-UX ia64                    /opt/quest/lib/hpux64     libvas-gssapi.so

    The value of snc/identity/as (p:sAMAccountName@REALM) is the Kerberos (KRB5) principal name of the SAP Server. You can determine the sAMAccountName@REALM part by examining the Kerberos ticket cache with the vastool klist command.

  3. Change the group ownership of /etc/opt/quest/vas/host.keytab to sapsys by running:

    chgrp sapsys /etc/opt/quest/vas/host.keytab

    Modify the permissions so that the sapsys group has read access:

    chmod 640 /etc/opt/quest/vas/host.keytab

  4. Restart the SAP Application Server.

    If problems occur during SNC startup, they are logged in the work directory of the SAP Application Server, in the file /usr/sap/SID/instance/work/dev_w0.

    Here is a sample work process log containing SNC activation messages:

    N SncInit(): Initializing Secure Network Communication (SNC)
    N    Intel x86 with Linux (st,ascii,SAP_UC/size_t/void* = 8/32/32)
    N SncInit():  found snc/data_protection/max=3, using 3 (Privacy Level)
    N SncInit():  found snc/data_protection/min=1, using 1 (Authentication Level)
    N SncInit():  found snc/data_protection/use=9, using 3 (Privacy Level)
    N SncInit(): found snc/gssapi_lib=/opt/quest/lib/libvas-gssapi.so
    N
    N Tue Sep 30 17:11:14 2008
    N  File "/opt/quest/lib/libvas-gssapi.so" dynamically loaded as GSS-API v2 library.
    N  The internal Adapter for the loaded GSS-API mechanism identifies as:
    N  Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
    N SncInit():  found snc/identity/as=p:sAMAccountName@REALM
    N SncInit(): Accepting Credentials available, lifetime=Indefinite
    N
    N Tue Sep 30 17:11:15 2008
    N SncInit(): Initiating Credentials available, lifetime=09h 57m 07s
    M ***LOG R1Q=> 1& [thxxsnc.c  252]
    M SNC (Secure Network Communication) enabled
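As an added check that is not part of this guide: a POSIX shell script that verifies an instance profile against the SNC parameters listed in step 2 and checks the host.keytab group and mode from step 3. It assumes GNU stat (Linux) and takes the profile and keytab paths as arguments; the accept_insecure and permit_insecure_start parameters are reported because they are the ones that keep non-SNC logons allowed.

```shell
#!/bin/sh
# Added example, not part of the One Identity guide: check an SAP instance
# profile for the SNC parameters from step 2 and host.keytab for the group
# and mode from step 3. Assumes GNU stat; paths are supplied by the caller.
# Fixed parameter/value pairs from step 2; snc/gssapi_lib and
# snc/identity/as vary per host and are checked separately.
SNC_REQUIRED="snc/enable=1 snc/data_protection/min=1 \
snc/data_protection/max=3 snc/data_protection/use=3"
# profile_value PROFILE KEY -> last value set for KEY (empty if unset).
profile_value() {
    sed -n "s#^[[:space:]]*$2[[:space:]]*=[[:space:]]*##p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_snc_profile PROFILE -> 0 when all required values match, the
# GSS-API library exists and snc/identity/as is a "p:" principal.
check_snc_profile() {
    profile="$1"; rc=0
    for kv in $SNC_REQUIRED; do
        key="${kv%%=*}"; want="${kv#*=}"
        got=$(profile_value "$profile" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-unset}'"; rc=1
        fi
    done
    lib=$(profile_value "$profile" snc/gssapi_lib)
    if [ ! -f "$lib" ]; then
        echo "snc/gssapi_lib: '$lib' not found; see the platform table"; rc=1
    fi
    case "$(profile_value "$profile" snc/identity/as)" in
        p:*@*) ;;
        *) echo "snc/identity/as: expected p:sAMAccountName@REALM"; rc=1 ;;
    esac
    # These keep non-SNC logons allowed; flag them for review once all clients use SNC.
    for key in snc/accept_insecure_gui snc/accept_insecure_rfc \
               snc/permit_insecure_start; do
        [ "$(profile_value "$profile" "$key")" = 1 ] &&
            echo "note: $key=1 still permits non-SNC connections"
    done
    return $rc
}

# check_keytab KEYTAB GROUP -> 0 when KEYTAB is mode 640 and owned by GROUP.
check_keytab() {
    found=$(stat -c '%a %G' "$1" 2>/dev/null || true)
    [ "$found" = "640 $2" ] && return 0
    echo "$1: expected mode 640 and group $2, found '${found:-missing}'"
    return 1
}
```

Run it as `check_snc_profile /usr/sap/SID/SYS/profile/<instance profile>; check_keytab /etc/opt/quest/vas/host.keytab sapsys` on the SAP host; a non-zero status plus the printed lines tell you which step to revisit.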

Configuring a SAP user to enable SNC authentication

Each user must have a unique Kerberos Principal Name (KPN) associated with their SAP account to use Single Sign-on for SAP.

To configure a SAP user to enable SNC authentication

  1. Log on to the SAP Server as a user with administrative permissions.

  2. Enter SU01 and press Enter, or open the user management functions under SAP Menu | Tools | Administration | User Maintenance | Users.

  3. Enter a User name and click the pencil icon.

  4. Select the SNC tab of the User Management screen.

  5. In the SNC name box, enter the user's Kerberos Principal Name (KPN) (sAMAccountName@realm).

    Note: You must put a "p:" in front of the user's KPN, as follows: p:sAMAccountName@realm

  6. Click Save on the menu bar.

    The SNC data properties area displays a check mark next to the message Canonical name determined.

Installing Authentication Services Single Sign-on for SAP

You can install Authentication Services Single Sign-on for SAP from the installation setup wizard. From the Autorun Setup page, select Single Sign-on for SAP from the Related Products tab to install this add-on or follow the steps below.

Note: If you do not have local administrator rights, the SNC_LIB system environment variable will not be set during the installation. To resolve this issue, you can set the environment variable path for SNC_LIB to <install folder>/qgsskrb5.dll.

To install Authentication Services Single Sign-on for SAP

  1. In Windows Explorer, open the Authentication Services CD and navigate to add-ons | qas-sso-for-sap.
  2. Double-click qas-sso-for-sap-x.x.x.x.msi to launch the installer.

    where "x.x.x.x" is the latest version number.

  3. Click Next.
  4. Click Browse to locate the license file.

    Note: You must have a license file to install.

  5. Select I accept the terms in the license agreement and click Next.
  6. Click Next to install to the default folder, or click Change to install to an alternate location.

    Note: If you are running the installer as a non-administrator, One Identity recommends that you specify an alternate location where you have rights to copy files.

  7. Select Complete and click Next.
  8. The Ready to Install the Program dialog displays. Click Install.

    Note: On Windows Vista or higher you may be prompted for permission to install. In that case, click Allow.

  9. Click Finish to exit the wizard.

Deploying Single Sign-on for SAP through Group Policy

The Single Sign-on for SAP package includes a transform file called qas-sso-for-sap.mst along with the main MSI installer file. This transform file, together with a special .cab file, allows you to perform a silent installation of the Single Sign-on for SAP package using your license file.

When deploying Single Sign-on for SAP using Group Policy you must first create a CAB from your license file.
