You must configure Access Manager to consume the Kerberos tickets from Active Directory. Access Manager can use the authentication information in the Kerberos tickets to enable single sign-on for the SAP Portal.
Enabling logging for Kerberos transactions helps to troubleshoot authentication issues.
In the Access Manager Administration Console, click > > > .
Select the and options to enable these options.
Under the heading, set the option to .
Enable , then select , , and as .
Click , then refresh the Identity Server.
The bcsLogin.conf file is an authentication file for the Java* authentication and authorization service (JAAS).
In a text editor, enter the following lines:
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
debug="true"
useTicketCache="true"
ticketCache="/opt/novell/java/jre/lib/security/spnegoTicket.cache"
doNotPrompt="true"
principal="HTTP/amser.provo.novell.com@AD.NOVELL.COM"
useKeyTab="true"
keyTab="/opt/novell/java/jre/lib/security/nidpkey.keytab"
storeKey="true";
};
The file cannot contain any white space, only end-of-line characters.
ticketCache: The location of the cache file where the Kerberos ticket is stored. In the example, this is the default location on SUSE® Linux Enterprise Server (SLES) 10. If you are using Windows for the cache, the default location is:
C:\\Program Files\\Novell\\jre\\lib\\security\\spnegoTicket.cache
The path must contain double slashes.
principal: Specify the service principal name for the Access Manager Identity Server. This value is unique to your configuration.
keyTab: Specify the location of the keytab you created in Creating a Keytab File. This value is unique to your configuration. In the example, this is the default location on SLES 10. If you are using Windows, the default location is:
C:\\Program Files\\Novell\\jre\\lib\\security\\nidpkey.keytab
The path must contain double slashes.
Save this file with the name bcsLogin.conf.
Copy this file to the same directory as where the keytab file is stored.
Make sure that the permissions on the file are set correctly, which is 644.
Restart Tomcat.
Linux: /etc/init.d/novell-tomcat5 restart
Windows: Stop and start the Tomcat service from the control panel.
When a change is made to the bcsLogin.conf file, Tomcat must be restarted.
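The bcsLogin.conf settings above interact: the keytab is only consulted when useKeyTab is true, storeKey must be true for the acceptor to hold the service key, and doNotPrompt must be true because Tomcat cannot answer an interactive prompt. The following validator is an added example, not part of this page or of the Access Manager product; it parses a JAAS entry shaped like the one above, checks those options, the HTTP/<host>@<REALM> shape of the principal, the doubled backslashes the page requires in Windows paths, and the 644 file mode. The embedded sample is a constructed copy of the page's SLES 10 example.

```python
import os
import re
import stat

# Constructed sample equal to the page's bcsLogin.conf for SLES 10
# (paths and service principal name are the page's example values).
SAMPLE_CONF = """\
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
debug="true"
useTicketCache="true"
ticketCache="/opt/novell/java/jre/lib/security/spnegoTicket.cache"
doNotPrompt="true"
principal="HTTP/amser.provo.novell.com@AD.NOVELL.COM"
useKeyTab="true"
keyTab="/opt/novell/java/jre/lib/security/nidpkey.keytab"
storeKey="true";
};
"""

# Options a keytab-based acceptor needs; the page's example sets all of them.
REQUIRED = ("principal", "useKeyTab", "keyTab", "storeKey", "doNotPrompt")
OPTION_RE = re.compile(r'(\w+)="([^"]*)"')
# Service principal: HTTP/<host>@<REALM>, realm in capitals as the page states.
SPN_RE = re.compile(r"HTTP/[^@\s]+@[A-Z0-9.-]+")
WIN_DRIVE_RE = re.compile(r"[A-Za-z]:")


def parse_jaas_options(text):
    """Return the name="value" options of the Krb5LoginModule entry as a dict."""
    return dict(OPTION_RE.findall(text))


def check_conf(text):
    """Return a list of problems; an empty list means the config passes every check."""
    problems = []
    if "com.sun.security.jgss.accept" not in text:
        problems.append("missing the com.sun.security.jgss.accept entry the acceptor looks up")
    if "Krb5LoginModule required" not in text:
        problems.append("Krb5LoginModule is not declared as required")
    opts = parse_jaas_options(text)
    for key in REQUIRED:
        if key not in opts:
            problems.append(f"missing option {key}")
    spn = opts.get("principal")
    if spn is not None and not SPN_RE.fullmatch(spn):
        problems.append(f"principal {spn!r} is not HTTP/<host>@<REALM> with an upper-case realm")
    for key in ("useKeyTab", "storeKey", "doNotPrompt"):
        if key in opts and opts[key] != "true":
            problems.append(f"{key} must be \"true\" for an unattended keytab login")
    # The page requires doubled backslashes in Windows paths inside this file.
    for key in ("keyTab", "ticketCache"):
        path = opts.get(key, "")
        if WIN_DRIVE_RE.match(path) and "\\\\" not in path:
            problems.append(f"{key}: Windows paths in this file must use doubled backslashes")
    return problems


def mode_is_644(mode_bits):
    """True when the permission bits of an os.stat() st_mode are exactly 644."""
    return stat.S_IMODE(mode_bits) == 0o644


def check_file(path):
    """Combine the content checks with the 644 permission check the page requires."""
    with open(path, encoding="ascii") as fh:
        problems = check_conf(fh.read())
    if not mode_is_644(os.stat(path).st_mode):
        problems.append(f"{path} permissions are not 644")
    return problems


if __name__ == "__main__":
    print(check_conf(SAMPLE_CONF) or "bcsLogin.conf sample passes all checks")
```

Run check_file("/opt/novell/java/jre/lib/security/bcsLogin.conf") on the Identity Server after copying the file next to the keytab; an empty list means the content and permissions match what this page asks for, and each entry otherwise names the option to correct before restarting Tomcat.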
You need to either configure your Identity Server to use Active Directory as a user store or verify your existing configuration for your Active Directory user store.
In the Administration Console, click > > .
Click to view your user stores.
If you have already configured your Identity Server to use the Active Directory server, click its name.
If you haven’t configured a user store for the Active Directory server, click .
For a new user store, fill in the following fields. For an existing Active Directory user store, verify the values.
Name: Specify a name for the user store for reference.
Admin name: Specify the name of the administrator of the Active Directory server. Administrator-level rights are required for setting up a user store. This ensures read/write access to all objects used by Access Manager.
Directory Type: Select .
Server replica: (Conditional) For a new Active Directory user store, click to add a replica. Fill in the following fields:
Name: Specify a name of the replica for reference. This can be the name of the Active Directory server.
IP Address: Specify the IP address of the Active Directory server and the port you want the Identity Server to use when communicating with the Active Directory server.
Port: Specify the port that the Active Directory server uses to communicate to the Identity Server. This communication occurs over LDAP. The default non-secure port is 389. The default secure port is 636.
Search Context: For a new user store, click and specify the context of the administrator of the Active Directory server. For an existing user store, verify that you have an entry for the context of the administrator. Add a context if it is missing.
Click to save the changes.
In the tab of the Identity Server, click > .
Fill in the following fields:
Display name: Specify a name to identify this class.
Java Class: Select .
Click .
Fill in the following fields:
Service Principal Name: Specify the value of the servicePrincipalName attribute of the Identity Server user. This is the user created in Creating a User Account in Active Directory for the Identity Server.
Kerberos Realm: Specify the name of the Kerberos realm. The default value for this realm is the domain name of the Active Directory server, entered in all capitals. The value in this field is case sensitive.
JAAS config file for Kerberos: Specify the path to the bcsLogin.conf file. This is the file created in Creating the bcsLogin.conf File.
Kerberos KDC: Specify the IP address of the Active Directory server.
User Attribute: Specify the attribute in the Identity Vault that contains the userPrincipalName from Active Directory. For example, the mail attribute in the Identity Vault can store the userPrincipalName from Active Directory.
If this attribute does not contain the userPrincipalName from Active Directory, the authentication into the SAP Portal fails.
Click to save the authentication class.
In the tab of the Identity Server, click > .
Fill in the following fields:
Display name: Specify a name to identify this method.
Class: Select the Kerberos class created in Creating a Kerberos Authentication Class for the Identity Server.
User stores: Move the user store for the Identity Vault to the list of . This must be the Identity Vault user store, not the Active Directory user store.
Click to save the method.
In the tab of the Identity Server, click > .
Fill in the following fields:
Display name: Specify a name to identify this contract.
URI: Specify a value that uniquely identifies the contract from all other contracts.
The URI cannot begin with a slash, and it must uniquely identify the contract. For example: kerberos/contract.
Methods: From the list of available methods, move the Kerberos method, created in Creating a Kerberos Method for the Identity Server, to the list.
Click to save the contract.
To view the catalina.out (Linux) or the stdout.log (Windows) file of the Identity Server:
In the Administration Console, click > .
In the Identity Servers section, select the catalina.out or stdout.log file.
Download the file and open it in a text editor.
Search for Kerberos and verify that a subsequent line contains a Commit Succeeded phrase. For the configuration example, the lines look similar to the following:
principal's key obtained from the keytab
principal is HTTP/amser.provo.novell.com@AD.NOVELL.COM
Added server's key
Kerberos Principal HTTP/amser.provo.novell.com@AD.NOVELL.COM
Key Version 3
key EncryptionKey: keyType=3 keyBytes (hex dump)=0000: CB 0E 91 FB 7A 4C 64 FE
[Krb5LoginModule] added Krb5Principal HTTP/amser.provo.novell.com@AD.NOVELL.COM to Subject
Commit Succeeded
If the file does not contain any lines similar to these, verify that you have enabled logging. See Enabling Logging for Kerberos Transactions.
If the commit did not succeed, search backward in the file and verify the following values:
Service Principal Name
Name of keytab file
For the example configuration, the file contains lines with text similar to the following:
Principal is HTTP/amser.provo.novell.com
KeyTab is /usr/lib/java/jre/lib/security/nidpkey.keytab
(Conditional) If you make any modifications to the configuration, either in the Administration Console or to the bcsLogin file, restart Tomcat on the Identity Server.
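The manual check above (find the Kerberos lines, confirm Commit Succeeded, and otherwise read back the principal and keytab lines) is easy to script for a large catalina.out. The following is an added example, not from this page or from the Access Manager product: it scans the log once, records the last "principal is" and "KeyTab is" values and whether a commit succeeded, and compares the reported principal with the SPN from bcsLogin.conf (passed in as expected_spn, an assumed input). The embedded log is a constructed sample modelled on the excerpt on this page.

```python
import re

# Constructed sample log, modelled on the catalina.out excerpt shown on this page.
# A real catalina.out carries many more lines from other Tomcat components.
SAMPLE_LOG = """\
INFO: Initializing Coyote HTTP/1.1 on http-8080
Principal is HTTP/amser.provo.novell.com
KeyTab is /opt/novell/java/jre/lib/security/nidpkey.keytab
principal's key obtained from the keytab
principal is HTTP/amser.provo.novell.com@AD.NOVELL.COM
Added server's key
Kerberos Principal HTTP/amser.provo.novell.com@AD.NOVELL.COM
Key Version 3
[Krb5LoginModule] added Krb5Principal HTTP/amser.provo.novell.com@AD.NOVELL.COM to Subject
Commit Succeeded
"""

PRINCIPAL_RE = re.compile(r"\b[Pp]rincipal is (\S+)")
KEYTAB_RE = re.compile(r"\bKeyTab is (\S+)")


def check_kerberos_login(log_text, expected_spn):
    """Walk the log once and report what the Krb5LoginModule logged.

    expected_spn is the principal configured in bcsLogin.conf, e.g.
    HTTP/amser.provo.novell.com@AD.NOVELL.COM (assumed input). The realm is
    ignored in the comparison because the log prints the SPN both with and
    without it.
    """
    result = {"principal": None, "keytab": None, "committed": False,
              "kerberos_lines": 0, "problems": []}
    for line in log_text.splitlines():
        if "kerberos" in line.lower() or "Krb5" in line:
            result["kerberos_lines"] += 1
        m = PRINCIPAL_RE.search(line)
        if m:
            result["principal"] = m.group(1)
        m = KEYTAB_RE.search(line)
        if m:
            result["keytab"] = m.group(1)
        if "Commit Succeeded" in line:
            result["committed"] = True

    # No Kerberos lines at all points at logging, not at the ticket exchange.
    if result["kerberos_lines"] == 0:
        result["problems"].append(
            "no Kerberos lines in the log: check that Kerberos logging is enabled")
        return result
    if result["principal"] is None:
        result["problems"].append("no 'principal is' line: the JAAS entry was never loaded")
    elif result["principal"].split("@")[0] != expected_spn.split("@")[0]:
        result["problems"].append(
            f"principal {result['principal']} does not match configured SPN {expected_spn}")
    if result["keytab"] is None:
        result["problems"].append("no 'KeyTab is' line: useKeyTab or keyTab may be missing")
    if not result["committed"]:
        result["problems"].append("no 'Commit Succeeded': check the SPN and the keytab path")
    return result


if __name__ == "__main__":
    report = check_kerberos_login(SAMPLE_LOG, "HTTP/amser.provo.novell.com@AD.NOVELL.COM")
    print(report["problems"] or "Kerberos login committed for " + report["principal"])
```

Feed it the downloaded catalina.out or stdout.log as log_text; because the last matching line wins, it reports the most recent Tomcat start, which is the one that matters after a bcsLogin.conf change and restart.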
You must create a SAML identity injection policy for Access Manager to use. This allows the authentication information in the Kerberos tickets to be passed to the Role Mapping Application.
In the Administration Console, click > > .
The policy must reside in the master container.
Click to create a new policy.
Specify a name to identify the policy.
For the policy type, select .
Click .
Fill in the following fields to define the policy:
Description: Specify a description for the policy.
Priority: Leave the priority at the default level of 1.
Actions: Click > .
User Name: Select , then select for the username.
Password: Select Credential Profile, then select SAML Credentials:SAML Assertion.
Multi-Value Separator: Leave the default separator as a comma.
DN Format: Leave the default DN format as LDAP.
Click twice to save the policy.
In order for the changes to the Identity Server to take effect, you must refresh the Identity Server.
In the Administration Console, select > .
Select your Identity Server, then click .
Click .