Centrify Suite

DirectControl for NetWeaver AS Java

April 2016

Centrify Corporation


Legal notice

This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document “as is” without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.

© 2004-2016 Centrify Corporation. All rights reserved. Portions of Centrify software are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

Centrify, DirectControl, DirectAuthorize, DirectAudit, DirectSecure, DirectControl Express, Centrify User Suite, and Centrify Server Suite are registered trademarks and Centrify for Mobile, Centrify for SaaS, Centrify for Mac, DirectManage, Centrify Express, DirectManage Express, Centrify Identity Platform, Centrify Identity Service, and Centrify Privilege Service are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.

Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103 B2; 9,112,846; 9,197,670; and 9,378,391.

The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.


Contents

About this guide  6
  Intended audience  6
  How this manual is organized  6
  Document conventions  7
  Full PDF search  7
  Where to find more information  7
    NetWeaver AS Java authentication  8
    Operating systems and Microsoft Active Directory  8
  Contacting Centrify  8

Chapter 1  Product Overview  9
  Summary of features  9
  How the NetWeaver connection to DirectControl works  9
  How authentication flow works  11
  Overview of user mapping  12
  Configuring single sign-on for SAP cloud-based applications  12
  How to proceed  13

Chapter 2  Installation and Configuration  14
  Understand the procedural basics  14
    SAP naming conventions  14
    Checking that applications have loaded  15
  Install DirectControl Agent on the NetWeaver host  16
  Set library path for SAP administrator – UNIX  16
  Set Java and library paths – Windows  17
  Install and deploy DirectControl for NetWeaver  19
    For SAP 7.0  19
    For SAP 7.3/7.4/7.5  21
  Configure the NetWeaver classloader to load Centrify login module  22
    For SAP 7.0  22
    For SAP 7.3/7.4/7.5  23
  Load and Configure Centrify login module  24
    For SAP 7.0  24
    For SAP 7.3/7.4/7.5  26
    Login Module Options  28
    Authentication scheme options and behavior  28
  Configure the Centrify login module stack  29
    For SAP 7.0  29
    For SAP 7.3/7.4/7.5  32

Chapter 3  Final Steps  33
  Set up user mapping  33
    Setup for mapping by Active Directory attribute  33
  Setup for direct mapping from Active Directory  34
    For SAP 7.0  34
    For SAP 7.3/7.4/7.5  34
  Setup for mapping by SAP custom attribute  35
    Create a UME custom attribute  35
  Reference example: user mapping  39
  Make optional adjustments to single sign-on behavior  39
    Modify the password-change functionality  40
    Configure logout for NetWeaver AS Java  40
  Set up browsers for authentication  41
    Set up Internet Explorer  41
    Configuring Firefox to allow silent authentication  42
    Configuring Safari  43
  Verify the installation  43

Chapter 4  Logging and Troubleshooting  44
  Log Files  44
  Log configuration  44
    For SAP 7.0  44
    For SAP 7.3/7.4/7.5  47
    Log viewing  48
    Viewing developer traces for SAP 7.3/7.4/7.5  51
  Troubleshooting  52
    Command not found – UNIX  52
    Command not found – Windows  52
    Library not found – UNIX  52
    Library or NetWeaver AS Java not found – Windows  53
    Deployment errors  53
    Authentication errors  54
    User mapping errors  55
    Login module stack does not work as intended  55

Appendix A  Mixed Authentication  57
  How redirection works  57
  Set up mixed authentication  58
    Load  58
    Configure login module options  59
  User procedures  60

Appendix B  Clustered Environments  61
  Centrify software requirements  61
  Configure a clustered environment with a reverse proxy  62
  Configure a clustered environment with a load balancer  63

Index  67


About this guide

This document describes DirectControl for NetWeaver, which enables NetWeaver J2EE applications to use DirectControl as their authentication mechanism, provides users with single sign-on (SSO) capability, and enables the administrator to disable user accounts centrally in Active Directory (AD). Where applicable, separate instructions are provided for SAP 7.0 and SAP 7.3/7.4/7.5.

Intended audience

This manual is intended for NetWeaver AS Java administrators and application developers who have appropriate permissions in and working knowledge of the NetWeaver AS Java environment.

This manual also assumes that the DirectControl Management Tools and DirectControl Agent are installed on at least one computer in your environment.

How this manual is organized

This chapter explains documentation conventions, where to find further information, and how to contact Centrify Corporation.

Chapter 1, “Product Overview” outlines how DirectControl and SAP NetWeaver AS Java are integrated for single sign-on, authentication, and so on. The chapter also summarizes how the integrated environment is set up.

Chapter 2, “Installation and Configuration” explains the steps to take after installing the DirectControl Agent on the NetWeaver server.

Chapter 3, “Final Steps” explains how user mapping works, how to set up users for user mapping, and optional adjustments to make so that single sign-on works seamlessly.

Chapter 4, “Logging and Troubleshooting” describes where to find DirectControl for NetWeaver AS Java log files and how to interpret them; the most common error scenarios and how to fix them; and what information to gather and send to Centrify customer support to expedite problem resolution.

Appendix A, “Mixed Authentication” describes how to install the supplemental redirect application included in the package that gives you the ability to have some NetWeaver users log in using their Active Directory account and others who use just their UME account.

Appendix B, “Clustered Environments” describes how to install DirectControl for NetWeaver in a clustered environment.


This guide includes an index.

Document conventions

The following conventions are used in this guide:

Unless otherwise noted, the term UNIX refers to all supported versions of the UNIX, Linux, and Macintosh OS X operating systems.

Fixed-width font is used for sample code, program names, program output, file names, and command-line commands. Italicized fixed-width font indicates variables such as version numbers. In command-line reference information, square brackets ([ ]) indicate optional arguments.

Bold text is used to emphasize commands, buttons or user interface text, and to introduce new terms.

Italic text is used for book titles, and to emphasize specific words or terms.

The variable release indicates a specific release number in file names. For example, centrifydc-release-sol8-sparc-local.tgz refers to a release version of the DirectControl for NetWeaver Agent for Solaris 8 on SPARC. For example, if this file is for version 4.1.2, the file name is centrifydc-4.1.2-sol8-sparc-local.tgz.

Full PDF search

Besides an index, the PDF version of the documentation offers a comprehensive search capability. To access it, open the drop-down list available to the right of the Find text box and select Open Full Reader Search. You can search multiple documents by putting them in one folder and browsing to that folder for your search. The page number appears if you let the cursor hover over a results line.

Where to find more information

Be sure to refer to the package release notes before proceeding with installation and configuration.

If you are unfamiliar with the Centrify Suite in general or DirectControl in particular, the following books provide introductory and in-depth instructions and configuration information relevant to DirectControl for NetWeaver AS Java installation and use:

Centrify Suite Evaluation Guide describes how to set up an evaluation environment and use DirectControl to test typical authentication and authorization scenarios, such as creating zones, adding UNIX users, creating groups and assigning user privileges.

Centrify Suite Administrator’s Guide describes how to use the DirectControl Administrator Console and command line programs to manage UNIX computers, users, groups and zones through Active Directory. This guide focuses on managing the environment after deployment.

Centrify Suite 2012 Planning and Deployment Guide provides guidelines, strategies, and best practices to set up DirectControl to run in a production environment. Use this guide in conjunction with the DirectControl Administrator’s Guide.

NetWeaver AS Java authentication

SAP makes documents available on help.sap.com, including the NetWeaver AS Java Security Guide. Refer in particular to the section titled “Authentication Mechanisms and Single Sign-On Integration.”

Operating systems and Microsoft Active Directory

You may also want to consult documentation for Windows, UNIX, Linux or Mac OS X, as well as the documentation for Microsoft Active Directory.

Contacting Centrify

If you have a problem during DirectControl for NetWeaver software installation or configuration, need help with Active Directory configuration, or want clarification on best practices, contact your Centrify System Engineer or Technical Support. Go to www.centrify.com/support and log in for the Technical Support contact information.


Chapter 1

Product Overview

This chapter summarizes the features of DirectControl for NetWeaver AS Java, how it works, and how it is set up.

The following topics are covered:

Summary of features

How the NetWeaver connection to DirectControl works

How authentication flow works

Overview of user mapping

Configuring single sign-on for SAP cloud-based applications

Summary of features

DirectControl for NetWeaver AS Java provides seamless user authentication methods for NetWeaver applications via Active Directory user credentials, including Kerberos, NTLM, BASIC or FORM. A user who has been configured with a UME/ABAP account can access NetWeaver business applications with single sign-on (SSO). This capability increases user satisfaction and reduces support desk calls to reset passwords and unlock accounts. In addition, the administrator can use Active Directory to disable users’ NetWeaver accounts centrally, immediately removing access to SAP NetWeaver, including Portal.

With Centrify’s SAP-certified login modules and DirectControl for NetWeaver AS Java authentication, you can:

Allow users to leverage their Active Directory credentials to access NetWeaver

Centrally manage and enforce consistent passwords and other security policies

Deploy single sign-on without intrusive changes to Active Directory

Simplify compliance with regulatory requirements

Maximize your investment in Active Directory

How the NetWeaver connection to DirectControl works

DirectControl provides an integration layer between Active Directory and non-Windows operating system environments. The integration layer is the DirectControl Agent installed on each UNIX server.


When a UNIX computer with the DirectControl Agent joins the Active Directory domain, it becomes an Active Directory client for authentication, authorization, policy management and directory services. To extend authentication services to NetWeaver servers and clients, you then install login modules, and configure NetWeaver applications to handle login requests via those modules. The login modules in turn handle authentication requests via the DirectControl Agent.

After logging in (1 in the following figure) to a Windows Active Directory client, or a UNIX box equipped with DirectControl, the user requests and receives a Kerberos ticket. Using this ticket, the desktop client, via the browser, requests (2) a service ticket from the Kerberos Key Distribution Center (KDC). This service ticket is forwarded to the login module of the application that the user is trying to access (3). The DirectControl Agent on the server validates the authentication request via Active Directory (4), and forwards the response to the login module. The authenticated username is provided to the NetWeaver server. The NetWeaver server compares this user ID with the UME data source, and if it is valid (5), grants access to the user.


How authentication flow works

In production, the authentication flow for the DirectControl for NetWeaver solution has four primary steps, as shown in the following figure.

1 The web browser uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to request access to the NetWeaver server. The NetWeaver login module and the browser negotiate the appropriate level and type of authentication.

Note: Kerberos is shown. SPNEGO also supports NTLM. DirectControl for NetWeaver also implements HTTP BASIC and FORM authentication.

2 For Kerberos, the browser client requests a service ticket using the built-in Kerberos Security Service Provider (SSP) from the Active Directory KDC or local cache. The web browser presents this service ticket to the NetWeaver server.

3 The NetWeaver server validates the request ticket via the login module and the DirectControl Agent. Once the request is successfully authenticated with Active Directory, the authenticated username, group information and other attributes are extracted.

4 The login module maps the authenticated user to the appropriate UME account and grants access to the user.

The requested content is returned to the user based on Active Directory credentials and NetWeaver AS Java, without the need for a username or password.


Overview of user mapping

After a user is authenticated with Active Directory (AD), DirectControl for NetWeaver maps the user's AD name to an SAP username in NetWeaver UME based on the settings in the Centrify login modules and the login module stack. Mapping proceeds in this order:

Step 1: Mapping by Active Directory attribute. DirectControl for NetWeaver first checks a Centrify login module (or login module stack) option you can set to designate a user attribute in Active Directory whose value could match the UME user name. (This step enables you to override direct mapping from Active Directory attributes.)

Step 2: Direct mapping from Active Directory. If the mapping in step 1 fails for any reason, DirectControl for NetWeaver tries to match the AD user name to a UME user name.

Step 3: Mapping by SAP custom attribute. If the mapping in step 2 fails for any reason, DirectControl for NetWeaver tries to match the value of the AD user’s userPrincipalName (in AD) to the name of a UME custom attribute specified by the values of Centrify login module (or login module stack) options. If the match succeeds, the AD user’s name is mapped to the corresponding UME user name.
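The three-step fallback order above, modelled as an added example that is not Centrify's code. The directory contents, the option names and the attribute names (sapLogonId, adUpn) are constructed for illustration; the real login module reads Active Directory through the DirectControl Agent and the UME through SAP's APIs, and the case-insensitive comparison and the refusal of ambiguous step-3 matches are assumptions of this model.

```python
"""Model of the three-step DirectControl for NetWeaver user-mapping order.

Added illustration, not Centrify code. Directory contents, option names and
attribute names (sapLogonId, adUpn) are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AdUser:
    sam_account_name: str        # the AD user name used for direct mapping (step 2)
    user_principal_name: str     # compared against the UME custom attribute (step 3)
    attributes: Dict[str, str] = field(default_factory=dict)  # other AD attributes (step 1)


@dataclass
class UmeUser:
    logon_id: str                # the UME user name
    custom_attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class LoginModuleOptions:
    # Step 1: AD attribute whose value should equal a UME logon id (None disables step 1).
    ad_mapping_attribute: Optional[str] = None
    # Step 3: UME custom attribute whose value should equal the AD userPrincipalName
    # (None disables step 3).
    ume_custom_attribute: Optional[str] = None


def map_ad_user_to_ume(ad_user: AdUser, ume_users: List[UmeUser],
                       options: LoginModuleOptions) -> Tuple[Optional[str], Optional[int]]:
    """Return (UME logon id, step that matched), or (None, None) if no step matched.

    Comparisons are case-insensitive here; that is an assumption of this model.
    """
    by_id = {u.logon_id.lower(): u for u in ume_users}

    # Step 1: mapping by Active Directory attribute.
    if options.ad_mapping_attribute:
        value = ad_user.attributes.get(options.ad_mapping_attribute, "")
        if value.lower() in by_id:
            return by_id[value.lower()].logon_id, 1

    # Step 2: direct mapping from Active Directory (AD user name == UME user name).
    if ad_user.sam_account_name.lower() in by_id:
        return by_id[ad_user.sam_account_name.lower()].logon_id, 2

    # Step 3: mapping by SAP custom attribute (userPrincipalName == custom attribute value).
    if options.ume_custom_attribute:
        upn = ad_user.user_principal_name.lower()
        matches = [u for u in ume_users
                   if u.custom_attributes.get(options.ume_custom_attribute, "").lower() == upn]
        # Defensive choice in this model: if two UME accounts carry the same UPN the
        # match is ambiguous and nobody is granted access; the guide does not say how
        # the real login module behaves in that case.
        if len(matches) == 1:
            return matches[0].logon_id, 3

    return None, None


def demo_mappings() -> Dict[str, Tuple[Optional[str], Optional[int]]]:
    """Run the mapping over a constructed AD/UME directory, one AD user per outcome."""
    options = LoginModuleOptions(ad_mapping_attribute="sapLogonId",
                                 ume_custom_attribute="adUpn")
    ume_users = [
        UmeUser("alice.w"),
        UmeUser("jsmith"),
        UmeUser("smithj", {"adUpn": "john.smith@corp.example"}),
        UmeUser("rjones1", {"adUpn": "bob.jones@corp.example"}),
        UmeUser("rjones2", {"adUpn": "bob.jones@corp.example"}),  # duplicate UPN
    ]
    ad_users = [
        AdUser("awilliams", "alice.williams@corp.example", {"sapLogonId": "alice.w"}),
        AdUser("jsmith", "john.smith@corp.example"),             # no sapLogonId set
        AdUser("jsmith2", "john.smith@corp.example"),            # only the UPN matches
        AdUser("bjones", "bob.jones@corp.example"),              # ambiguous at step 3
        AdUser("carol", "carol@corp.example"),                   # no UME account at all
    ]
    return {u.sam_account_name: map_ad_user_to_ume(u, ume_users, options)
            for u in ad_users}


if __name__ == "__main__":
    for name, (ume_id, step) in demo_mappings().items():
        print(f"{name:10} -> {ume_id or 'NOT MAPPED':12} (step {step})")
```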

The next chapter (Chapter 2, “Installation and Configuration”) describes how to set up Centrify login modules and the login module stack to use these mapping methods. The chapter after that (Chapter 3, “Final Steps”) describes how to set up Active Directory and UME attributes and values to implement the mapping. That chapter also contains a reference example illustrating how all the options, AD attributes, UME custom attributes and UME user names work together to map AD users to UME users.

Configuring single sign-on for SAP cloud-based applications

If your users access SAP servers through the SAP cloud-based applications SAP NetWeaver Application Server ABAP or SAP NetWeaver Application Server Java, you can use Centrify Identity Service for single sign-on (SSO) as an alternative to using Centrify Server Suite as discussed in the current document.

Centrify Identity Service (CIS) is a comprehensive cloud service that secures access to cloud, mobile, and on-premises apps via single sign-on, user provisioning and multi-factor authentication.

CIS allows you to choose where to store the directory — either on-premises (within corporate control) or in the cloud. Centrify integrates the Centrify Cloud with Active Directory or LDAP without poking extra holes in the firewall or adding devices in the DMZ.

In the web-portal interface to CIS, you configure NetWeaver AS ABAP and NetWeaver AS Java for SSO by enabling SAML (Security Assertion Markup Language)-based authentication for these applications.


SAP NetWeaver ABAP and NetWeaver Java offer both IdP-initiated SAML SSO (for SSO access through the CIS web-based management portal) and SP-initiated SAML SSO (for SSO access directly through the NetWeaver ABAP or Java web application). You can configure these applications for either or both types of SSO. Enabling both methods ensures that users can log in to SAP NetWeaver ABAP or NetWeaver Java in different situations such as clicking through a notification email.

To configure the SAP NetWeaver Java web application for SSO, you need the following:

A subscription to Centrify Identity Service

SAP NetWeaver Java or NetWeaver ABAP.

An active SAP NetWeaver Java or NetWeaver ABAP account with administrator rights for your organization.

You can find complete instructions for configuring SSO for NetWeaver ABAP and NetWeaver Java in the application configuration help included in the web-portal interface to CIS.

How to proceed

This guide assumes you have already taken the following steps in a standard Active Directory environment:

Installed the DirectControl Agent on the NetWeaver AS Java server or servers in a cluster.

Joined the NetWeaver server or servers in a cluster (see Appendix B, Clustered Environments for the join requirements) to the Active Directory domain, so the Java server can present valid credentials for authentication.

If you have not already installed the DirectControl Agent, go to the Centrify Suite Administrator’s Guide for the instructions.

After the DirectControl Agent is installed on the NetWeaver server(s), proceed to the next chapter to deploy the DirectControl for NetWeaver package and then load and configure the Centrify login module.

Product Overview 13

Page 14: DirectControl for NetWeaver AS Java - Centrify · PDF fileDirectControl for NetWeaver AS Java ... NetWeaver AS Java authentication SAP makes documents available on help.sap.com, including

Chapter 2

Installation and Configuration

This chapter describes the procedures for installing and configuring DirectControl for NetWeaver. If you are installing DirectControl for NetWeaver in a clustered environment, see Appendix B, “Clustered Environments,” for additional information.

The topics in this chapter include:

Understand the procedural basics

Install DirectControl Agent on the NetWeaver host

Set library path for SAP administrator – UNIX

Set Java and library paths – Windows

Install and deploy DirectControl for NetWeaver

Configure the NetWeaver classloader to load Centrify login module

Load and configure Centrify login module

Configure the Centrify login module stack

Set up browsers for authentication

Understand the procedural basics

SAP naming conventions

The typical installation directory descriptions in the instructions below use the following variable definitions:

SID is the system ID. The SID must be exactly three alphanumeric characters. When you include the system ID in a path specification it must be in UPPER CASE.

Instance is the application server instance name. The instance has two components, in the form Tnn:

T indicates the instance type. There are four types:

JC: Java Central (deprecated)
J: Java Central or Dialog
DVEBMGS: ABAP/DoubleStack Central
D: ABAP/DoubleStack Dialog

nn indicates the instance number. The default is 00. This number is always two digits.


For example, the typical installation directory for an instance with the system ID NWS, instance type ABAP/DoubleStack Central and number 13 is:

UNIX: /usr/sap/NWS/DVEBMGS13
Windows: C:\usr\sap\NWS\DVEBMGS13

The SAP instance administrator has user name sidadm and home directory /home/sidadm/, where sid is the system ID in lower case. For example, if the SAP system ID is NWS, the SAP administrator name is nwsadm and the UNIX home directory is /home/nwsadm.

Checking that applications have loaded

Loading and deploying applications in SAP can take several minutes. Confirm that the applications have loaded using the procedure corresponding to your server platform:

UNIX

1 Log in as sidadm and enter the following command:

sapcontrol -nr instancenumber -function GetProcessList

where instancenumber is the two-digit number of the instance (do not prefix the number with the instance type).

2 The command lists each server process with its dispstatus. If the dispstatus shown is GREEN (in the original figure, the last line of the display), the server is ready. YELLOW means "starting" or "warning", GREY means "unavailable" and RED means "error".

Windows

To check that all applications have loaded in the SAP server from a Windows system, run C:\Windows\sapmmc.msc, the SAP Microsoft Management Console. Navigate in the tree view to Console Root > SAP Systems > sid > instance_name. If after several minutes the circle to the left of Process List turns green, deployment succeeded.
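The sapcontrol check above is the one a deployment script should gate on, because startsap and SDM return before the J2EE engine has finished loading. The following is an added example written for this page, not code from Centrify or SAP: it parses GetProcessList output into a name-to-dispstatus map and polls until every process is GREEN or a timeout expires. The sample output is constructed, shaped like sapcontrol's CSV (timestamp, function name, OK, a header row, one row per process); run_sapcontrol assumes it is executed as sidadm with sapcontrol on the PATH, while the polling logic itself runs offline through injectable clock and sleep functions.

```python
"""Added example (not from the Centrify guide): parse `sapcontrol -nr NN -function
GetProcessList` output and wait until every server process reports dispstatus GREEN."""
import re
import subprocess
import time

# Meaning of the dispstatus values as given in the guide.
STATUS_MEANING = {"GREEN": "running", "YELLOW": "starting or warning",
                  "GREY": "unavailable", "RED": "error"}

def parse_process_list(output: str) -> dict:
    """Map process name -> dispstatus. sapcontrol prints a timestamp, the function
    name and OK, then a CSV header 'name, description, dispstatus, ...' and one row
    per process; everything up to and including the header row is skipped."""
    statuses, in_table = {}, False
    for line in output.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if not in_table:
            in_table = fields[:3] == ["name", "description", "dispstatus"]
            continue
        if len(fields) >= 3:
            statuses[fields[0]] = fields[2].upper()
    return statuses

def all_green(statuses: dict) -> bool:
    """True only if at least one process was listed and none is YELLOW, GREY or RED."""
    return bool(statuses) and all(s == "GREEN" for s in statuses.values())

def not_ready(statuses: dict) -> dict:
    """Processes that are not GREEN, with the documented meaning of their status."""
    return {name: f"{s} ({STATUS_MEANING.get(s, 'unknown')})"
            for name, s in statuses.items() if s != "GREEN"}

def run_sapcontrol(instance_number: str) -> str:
    """Run sapcontrol against a live instance. Assumes it is executed as sidadm with
    sapcontrol on PATH; the instance number is two digits without the type prefix."""
    if not re.fullmatch(r"\d{2}", instance_number):
        raise ValueError("instance number must be two digits, e.g. '13' for DVEBMGS13")
    proc = subprocess.run(["sapcontrol", "-nr", instance_number, "-function", "GetProcessList"],
                          capture_output=True, text=True, check=False)
    return proc.stdout

def wait_until_green(get_output, timeout_s=600, interval_s=15,
                     clock=time.monotonic, sleep=time.sleep):
    """Poll get_output() until all processes are GREEN or timeout_s elapses.
    Returns (ready, last_statuses). clock and sleep are injectable so the logic
    can be exercised offline; pass get_output=lambda: run_sapcontrol("13") live."""
    deadline = clock() + timeout_s
    while True:
        statuses = parse_process_list(get_output())
        if all_green(statuses):
            return True, statuses
        if clock() >= deadline:
            return False, statuses
        sleep(interval_s)

# Constructed sample output (not captured from a real system), shaped like
# sapcontrol's CSV: a snapshot while the J2EE engine is still starting, and the
# same system once everything is up.
SAMPLE_STARTING = """\
22.04.2016 10:15:03
GetProcessList
OK
name, description, dispstatus, textstatus, starttime, elapsedtime, pid
msg_server, MessageServer, GREEN, Running, 2016 04 22 10:14:01, 0:01:02, 4101
jstart, J2EE Server, YELLOW, Some processes started, 2016 04 22 10:14:02, 0:01:01, 4102
igswd_mt, IGS Watchdog, GREEN, Running, 2016 04 22 10:14:02, 0:01:01, 4103
"""
SAMPLE_READY = SAMPLE_STARTING.replace("YELLOW, Some processes started",
                                       "GREEN, All processes running")

if __name__ == "__main__":
    snapshots = iter([SAMPLE_STARTING, SAMPLE_READY])   # offline stand-in for sapcontrol
    ready, statuses = wait_until_green(lambda: next(snapshots), timeout_s=60, interval_s=0,
                                       clock=lambda: 0.0, sleep=lambda _s: None)
    print("ready" if ready else "not ready:", statuses if ready else not_ready(statuses))
```

Running it as sidadm after startsap with get_output pointed at run_sapcontrol turns the manual "wait and look for GREEN" step into a deterministic gate: the script proceeds to the SDM or telnet deployment only once the engine reports all processes running, and on timeout it reports exactly which process is still YELLOW, GREY or RED.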

Install DirectControl Agent on the NetWeaver host

The NetWeaver server UNIX host must use DirectControl version 4.4.x (part of the Centrify Suite) or later. The NetWeaver server should be joined to a DirectControl zone (the default zone, unless you designate another) in the Active Directory. For detailed installation and domain-joining instructions, refer to the Centrify Suite Administrator’s Guide. For version-specific information, refer to the release notes.

If you need single sign-on for AD users of SAP systems but do not require wider Centrify features, you can join a UNIX server to Active Directory without creating any Active Directory zones. To do this, use the adjoin option -z NULL:

adjoin --user AD_user --password xxx --zone NULL -V domain --container DN

Here domain is the Active Directory domain to join and DN is the distinguished name of the organizational unit or container in which the computer account is created. Passing --password on the command line exposes the password in shell history and the process list; if you omit the option, adjoin prompts for it.

Note If you install NetWeaver in a clustered environment, the adjoin command is executed at a different point in the procedure and requires additional arguments (next section).

Set library path for SAP administrator – UNIX

This section explains how to set up a library path for DirectControl for NetWeaver on a UNIX machine. To set up the required paths on a Windows machine, go to the next section.

UNIX environments require a library path pointing to the DirectControl native libraries so that SAP NetWeaver AS Java can find and load them. Add the appropriate line below to the end of the shell startup configuration file (.cshrc for C-shell, etc.) of the SAP administrator:

In a Linux or Solaris 32-bit environment:
setenv LD_LIBRARY_PATH /usr/share/centrifydc/java/lib:${LD_LIBRARY_PATH}

In a Linux 64-bit environment:
setenv LD_LIBRARY_PATH /usr/share/centrifydc/java/lib64:${LD_LIBRARY_PATH}

In a Solaris 64-bit environment:
setenv LD_LIBRARY_PATH /usr/share/centrifydc/java/lib/sparcv9:${LD_LIBRARY_PATH}

In an AIX environment:
setenv LIBPATH /usr/share/centrifydc/java/lib/64:${LIBPATH}

In an HP-UX IA64 environment:
setenv SHLIB_PATH /usr/share/centrifydc/java/lib/hpux64:${SHLIB_PATH}

In an HP-UX PA-RISC environment:
setenv SHLIB_PATH /usr/share/centrifydc/java/lib:${SHLIB_PATH}

Save the .cshrc file, exit from user root, and issue the command:

su - sidadm

You should not see any error messages before the prompt reappears.

Set Java and library paths – Windows

This section explains how to set up the required paths for DirectControl for NetWeaver on a Windows machine. To set up paths on a UNIX machine, go back to the previous section.

On Windows systems, you need to configure library and Java paths via system properties:

1 Left-click on Start in the taskbar, right-click on My Computer, and select Properties.

2 Click the Advanced tab, and click Environment Variables.

3 Highlight the variable name Path in the system variables list, and click Edit.

4 Place the cursor at the beginning of the Variable value line, and add this string:

C:\Centrify\DirectControl\java\lib;


Note The string must end with a semicolon.

5 Click OK to store the changed variable value.

6 Click New below the system variables list, near the bottom of the window.

7 In the New System Variable dialog box, type JAVA_HOME for the variable name and C:\j2sdk1.4.2_28-x64 for the variable value.

8 Click OK to store the new variable value.

9 Click OK to exit from the System Properties window.


Install and deploy DirectControl for NetWeaver

For SAP 7.0

To install the DirectControl login module library on the NetWeaver host for SAP 7.0:

1 Download the centrifydc-netweaver-release-noarch.tgz package (UNIX) or the centrify-netweaver-release.zip (Windows) corresponding to the host’s processor architecture (32- or 64-bit) from the Centrify Download Center.

Note For the location and filename of the package suitable for your operating environment, refer to the release notes.

2 Expand the downloaded package in a temporary directory. For example, in UNIX:

# cd ~/desktop
# gunzip centrifydc-netweaver-v.v.v-noarch.tgz
# ls
centrifydc-netweaver-v.v.v-noarch.tar
# tar -xvf centrifydc-netweaver-v.v.v-noarch.tar
CentrifyLoginModuleLibrary.sda
centrifyRedirectApp.ear

Check that CentrifyLoginModuleLibrary.sda and centrifyRedirectApp.ear are both present. You install CentrifyLoginModuleLibrary.sda on the SAP server as described in the next steps. You use centrifyRedirectApp.ear when you have mixed authentication (Active Directory and UME); see Appendix A, “Mixed Authentication” for the description and installation instructions.

3 Transfer the CentrifyLoginModuleLibrary.sda file to a place on the SAP server system where sidadm can read it, such as /home/sidadm/.

4 Log in as sidadm and run the Software Deployment Manager (SDM):

UNIX: /usr/sap/SID/instance/SDM/program/RemoteGui.sh
Windows: C:\usr\sap\SID\instance\SDM\program\RemoteGui.bat

The Software Deployment Manager - GUI window appears.

5 Click SDM Gui > Login. Enter the password for the NetWeaver SDM server.


Note This password might be different from the SAP administrator password.

6 Click the Deployment tab.

7 Click the clipboard-plus-sign icon ( ) in the upper left corner of the Deployment tab.

8 Navigate to the place where you stored CentrifyLoginModuleLibrary.sda, select it, and click the Choose button. Wait for the choosing process to complete.

9 Click Next at the bottom to advance to Step 2. Because no changes are required in this step, click Next again, and then click the Start Deployment button at the bottom of the window.

When the deployment is complete, the Overall Deployment Progress bar in the lower right of the window shows 100% and a “Finished successfully” message appears. If deployment does not succeed, refer to the Troubleshooting section (page 52).

In a Windows system, you can run C:\Windows\sapmmc.msc, and navigate to Console Root > SAP Systems > sid > instance_name. Under it, the dot to the left of Process List turns green when the deployment process is complete. It may take up to ten minutes after deployment for this color change to occur.

Note You also can check that deployment was successful by selecting the Undeployment tab and verifying that centrify.com/CentrifyLoginModuleLibrary is somewhere on the Vendor/Name list.

10 Restart the SAP server so the changes take effect, and wait for all applications to start:


stopsap [Linux: stopsap j2ee]

startsap [Linux: startsap j2ee]

This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.

For SAP 7.3/7.4/7.5

To install the DirectControl login module library on the NetWeaver host for SAP 7.3/7.4/7.5:

1 Download the centrifydc-netweaver-release-noarch.tgz package (UNIX) or the centrify-netweaver-release.zip (Windows) corresponding to the host’s processor architecture (32- or 64-bit) from the Centrify Download Center.

Note For the location and filename of the package suitable for your operating environment, refer to the release notes.

2 Expand the downloaded package in a temporary directory. For example, in UNIX:

# cd ~/desktop
# gunzip centrifydc-netweaver-v.v.v-noarch.tgz
# ls
centrifydc-netweaver-v.v.v-noarch.tar
# tar -xvf centrifydc-netweaver-v.v.v-noarch.tar
CentrifyLoginModuleLibrary.sda
centrifyRedirectApp.ear

Check that CentrifyLoginModuleLibrary.sda and centrifyRedirectApp.ear are both present. You install CentrifyLoginModuleLibrary.sda on the SAP server as described in the next steps. You use centrifyRedirectApp.ear when you have mixed authentication (Active Directory and UME); see Appendix A, “Mixed Authentication” for the description and installation instructions.

3 Copy the CentrifyLoginModuleLibrary.sda file to /usr/sap/trans/EPS/in.

4 Create a new text file, deploylist.txt file in /usr/sap/trans/EPS/in.

5 Add the path of the CentrifyLoginModuleLibrary.sda file to the deploylist.txt file, for example:/usr/sap/trans/EPS/in/CentrifyLoginModuleLibrary.sda

6 Start telnet in a shell window by entering the command:

telnet localhost 50008

The AS Java administration telnet port is 5nn08, where nn is the two-digit instance number; 50008 is the port for instance 00.

7 Sign in as administrator.

8 Enter the command:deploy list=/usr/sap/trans/EPS/in/deploylist.txt

9 When the deployment operation finishes, restart SAP.


This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.

Note Use Software Update Manager (SUM) for NetWeaver 7.4. If you are using NetWeaver 7.3, you can use JSPM as an alternative.

This concludes the installation and deployment of the CentrifyLoginModuleLibrary.sda.

In the next steps, you configure the NetWeaver classloader to load the Centrify login modules and then configure the NetWeaver login stack to use them.

Configure the NetWeaver classloader to load Centrify login module

For SAP 7.0

Once the Centrify login modules have been added to NetWeaver, make the NetWeaver classloader load the library:

1 Log in as the SAP administrator sidadm and run Visual Administrator:

UNIX: /usr/sap/SID/instance/j2ee/admin/go
Windows: C:\usr\sap\SID\instance\j2ee\admin\go.bat

2 In the tree view on the left, select the Global Configuration tab and the Server tab. Then navigate to Services > Security Provider.

3 In the Properties tab in the right pane, click the LoginModuleClassLoaders row in the Key column.

4 In the Value field near the bottom, add the following text:

library:centrify.com~CentrifyLoginModuleLibrary

and click the Update button.

Note Separate multiple entries with commas but no spaces.


5 The value for the LoginModuleClassLoaders key is now set. To save the classloader configuration, click the disk icon.

6 The Visual Administrator prompts you to confirm. Leave the Server ... box checked and click Yes.

For SAP 7.3/7.4/7.5

Once the Centrify login modules have been added to NetWeaver, make the NetWeaver classloader load the library:

1 Run the AS Java Config Tool by typing this command in a shell window:/usr/sap/<SID>/<instance>/j2ee/configtool/configtool.sh

2 In the pane on the left side of the Config Tool window, open the folder: cluster-data > template - Usage_Type_All_in-One > instance <INSTID> > services > security

3 Add this value to the LoginModuleClassLoaders key:

library:centrify.com~CentrifyLoginModuleLibrary


Note If the LoginModuleClassLoaders key already has a value, separate it from the value you are adding with a comma and no spaces.

4 (7.3/7.4) Click Save.

5 (7.5 only) Click Set Custom Value.

6 Restart SAP Java.

Load and Configure Centrify login module

For details about using the Centrify login module, see the section for the version of SAP you are using:

“For SAP 7.0” on page 24
“For SAP 7.3/7.4/7.5” on page 26

For SAP 7.0

Use the following steps to load the Centrify login module CentrifySpnegoLoginModule and set the options. If you have multiple clusters, you must load and configure CentrifySpnegoLoginModule individually on each cluster.

To see how the options you set on this page interact with UME, AD and other settings, refer to “Set up user mapping” on page 33 in the next chapter.

1 If you are not yet running the Visual Administrator, log in as sidadm and start it:

UNIX: /usr/sap/SID/instance/j2ee/admin/go
Windows: C:\usr\sap\SID\instance\j2ee\admin\go.bat

2 In the tree view in the left pane, select the Cluster tab. Then navigate to Server server_name > Services > Security Provider. The right pane is now populated with a set of tabs.

3 Click the Runtime tab and the User Management subtab in the right pane.

4 Click the pencil icon (the Switch to Edit Mode button) above the Runtime tab. This activates the Manage Security Stores button in the lower right corner.


Note If the icon above the Runtime tab is a pair of glasses, you are already in edit mode.

5 Click the Manage Security Stores button. This updates the User Management pane to show the current User Stores on the left and the current Login Modules on the right.

6 If the UME User Store is not already selected, select it. Then click the Add Login Module button near the lower right.

7 In the Choose editor for login module options window, leave Use a specific editor for the login module options unchecked. You do not need to fill in an editor class name. Click OK.

8 Add the Centrify login module in the Add Login Module window. Enter the following for the corresponding parameter.

Class Name: com.centrify.dc.netweaver.CentrifySpnegoLoginModule

Display Name: CentrifySpnegoLoginModule

Description: Centrify SPNEGO Login Module


So far the Add Login Module window should look like this.

9 Set the CentrifySpnegoLoginModule options. The Login Module Options table lists the options. Options that have a default value need to be entered only if you want to change the default.

10 Enter the authentication scheme options and click the OK button to add the module. The Authentication scheme options and behavior table lists all valid enableAuthSchemes combinations and the resulting browser and Centrify plug-in behavior.

For SAP 7.3/7.4/7.5

Use the following steps to load the Centrify login module CentrifySpnegoLoginModule and set the options. If you have multiple clusters, you must load and configure CentrifySpnegoLoginModule individually on each cluster.

To see how the options you set on this page interact with UME, AD and other settings, refer to “Set up user mapping” on page 33 in the next chapter.

1 Go to the NetWeaver Administration page of the SAP Java system, then go to Configuration > Security > Authentication and Single Sign-on.

2 On the Login Modules subtab, click Create.


3 In the New Login Modules window, enter these values:

Display Name: CentrifySpnegoLoginModule
Class Name: com.centrify.dc.netweaver.CentrifySpnegoLoginModule
Description: Centrify SPNEGO Login Module

The Login Module Options table lists all the options. Options that have a default value need to be entered only if you want to change the default.

4 Enter the authentication scheme options and click the OK button to add the module. The Authentication scheme options and behavior table lists all valid enableAuthSchemes combinations and the resulting browser and Centrify plug-in behavior.

5 Click Save.


Login Module Options

Each entry gives the option name, its default value, and a description.

realmName (default: centrify.dc.realm)
    Value of the realm attribute (see RFC 1945 and RFC 2617) in HTTP BASIC authentication. This value is used only if BASIC is one of the values set in enableAuthSchemes (next option).

enableAuthSchemes (default: Negotiate, NTLM, BASIC)
    Lists which authentication methods the module accepts. See the table Authentication scheme options and behavior for the valid combinations. Browsers typically try the available schemes in order from most secure (Negotiate) to least secure (BASIC).

numReprompts (default: 3)
    Number of times the user is prompted for credentials. Because the first prompt is counted, the number of retries is one less than this value: with the default, a user whose Kerberos ticket is invalid or who enters an incorrect password gets two more attempts.

ADMappingVariable (no default value)
    Name of the Active Directory attribute in which to find the user’s SAP username. If this is set, the named attribute in the user’s Active Directory entry is used to map to the SAP user. If this is not set, or if the attribute is not set in the user’s AD entry or does not map to an existing SAP user, the value of usernameConfig is used to map the AD user to the SAP user. (See “Setup for mapping by SAP custom attribute” on page 35.)

usernameConfig (default: CdcUserName)
    Name of the SAP user profile custom attribute used to map Active Directory users to SAP users. You need to add this custom attribute to the SAP User Management Engine (UME) custom attributes of the user profile. (See “Setup for mapping by SAP custom attribute” on page 35.)

namespace (default: com.sap.security.core.usermanagement)
    Centrify login modules use the same default namespace for SAP user profile custom attributes as SAP uses. To use a different namespace, set its name here, and add the custom attribute to the UME. (See “Setup for mapping by SAP custom attribute” on page 35.) The attribute path is of the form <namespace>:<usernameConfig>.

errorUrl (no default value)
    URL to go to if an error occurs. Used by CentrifyRedirectApp.ear.

unauthorizedUrl (no default value)
    URL to go to if authorization fails. Used by CentrifyRedirectApp.ear.

redirectUrl (no default value)
    URL to go to if authentication succeeds. Used by CentrifyRedirectApp.ear.

Authentication scheme options and behavior

Each entry gives an enableAuthSchemes value followed by the resulting browser and Centrify plug-in behavior.

Negotiate
    Browser: sends either Kerberos or NTLM credentials, but not BASIC credentials
    Plug-in: accepts only Kerberos credentials

Negotiate, NTLM, BASIC
    Browser: sends Kerberos, NTLM or BASIC credentials
    Plug-in: accepts Kerberos, NTLM or BASIC credentials

Negotiate, NTLM
    Browser: sends either Kerberos or NTLM credentials, but not BASIC credentials
    Plug-in: accepts Kerberos or NTLM credentials, but not BASIC credentials

Negotiate, BASIC
    Browser: sends Kerberos, NTLM or BASIC credentials
    Plug-in: accepts Kerberos or BASIC credentials, but not NTLM credentials

NTLM
    Browser: sends only NTLM credentials
    Plug-in: accepts only NTLM credentials

NTLM, BASIC
    Browser: sends either NTLM or BASIC credentials
    Plug-in: accepts NTLM or BASIC credentials, but not Kerberos credentials

BASIC
    Browser: sends only BASIC credentials
    Plug-in: accepts only BASIC credentials

Configure the Centrify login module stack

For details about using the Centrify stack, see the section for the version of SAP you are using:

“For SAP 7.0” on page 29
“For SAP 7.3/7.4/7.5” on page 32

For SAP 7.0

When a user logs in to a NetWeaver AS Java server, the server uses a stack of login modules to authenticate the user for each requested application. To accommodate DirectControl authentication, the login stack needs to be modified to include the Centrify CentrifySpnegoLoginModule login module. Use the following steps to configure the NetWeaver Portal login stack:

1 If you are not in the Visual Administrator, log in as sidadm and start it:

UNIX: /usr/sap/SID/instance/j2ee/admin/go
Windows: C:\usr\sap\SID\instance\j2ee\admin\go.bat

2 In the tree view on the left, navigate to Server server_name > Services > Security Provider.

3 Click the Policy Configurations tab and then the Authentication tab.

4 Click the pencil icon (the Switch to Edit Mode button) above the tabs.

Note If the icon above the tabs is a pair of glasses, you are already in edit mode.

5 In the components list on the left, select the ticket template; on the right, select No for the Authentication template.

6 Select each login module currently configured for ticket and click the Remove button at the bottom of the window.


7 Add Centrify and SAP ticket login modules as follows:

a Click the Add New button at the bottom of the screen.

b In the Available Login Modules window, click EvaluateTicketLoginModule and click OK.

c Repeat Substep a and Substep b for the following login modules, in this order:

CentrifySpnegoLoginModule
CreateTicketLoginModule
BasicPasswordLoginModule
CreateTicketLoginModule [a second time]

d After you have added all login modules, for each login module click the Modify button to modify the Flag and to add Option names and values.

e The final login stack should look like the following:

Login Module                                                  Flag        Options
com.sap.security.core.server.jaas.EvaluateTicketLoginModule   SUFFICIENT  {ume.configuration.active=true}
com.centrify.dc.netweaver.CentrifySpnegoLoginModule           OPTIONAL    {ume.configuration.active=true, enableAuthSchemes=Negotiate, Basic}
com.sap.security.core.server.jaas.CreateTicketLoginModule     SUFFICIENT  {ume.configuration.active=true}
BasicPasswordLoginModule                                      REQUISITE   { }
com.sap.security.core.server.jaas.CreateTicketLoginModule     OPTIONAL    {ume.configuration.active=true}


Note If you set ume.configuration.active=true, the logon ticket configuration settings are taken from the UME property sheet rather than from the login module options.

With this login module stack, users are authenticated in the priority order listed in the following table:

Method          Used in the following case
Kerberos        The Kerberos ticket is valid and the user maps to a user in the NetWeaver UME.
HTTP BASIC      Kerberos fails, and the Active Directory username and password are valid.
NetWeaver UME   BASIC fails, and the user can be authenticated by username and password from the NetWeaver UME on the default NetWeaver login page.

The enableAuthSchemes option of the CentrifySpnegoLoginModule in this login module stack can be modified (for example) to bypass BASIC authentication if Kerberos fails. See the enableAuthSchemes row in the table on page 28 for more information on that option.

Note If you plan to use mixed authentication (that is, some users will be authenticated using their Active Directory account and others will not have an Active Directory account and will be authenticated solely by UME), you need to do two things:

Skip Step 8.

After you restart the SAP server and confirm Active Directory authentication is working, go to Appendix A, Mixed Authentication, and deploy the CentrifyRedirectApp application included in the package.

8 If you do NOT plan to use mixed authentication, set the sap.com/irj*irj Authentication Template to “ticket” in the Visual Administrator: on the left side of the right frame, scroll down and click sap.com/irj*irj (iView Runtime for Java); on the right side, for Authentication template, select ticket.

9 Click the glasses icon above the Runtime tab to switch to read-only mode.


Note If the icon above the Runtime tab is a pencil, you are already in read-only mode.

10 Restart the SAP server so the changes take effect, and wait for all applications to start:

stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]

This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.

After SAP restarts, authentication to the Portal proceeds as described in the table above.

Note If you are logged in as an Active Directory user and want to access the SAP NetWeaver Administrator role, make sure your Active Directory username is mapped to a user in the NetWeaver UME with administrator privileges. If your Active Directory username is not mapped to a UME user with administrator privileges, allow that AD authentication to fail and then log in again as a UME user with administrator privileges.
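How the enableAuthSchemes setting decides which credentials the login module accepts is easiest to see from what a browser actually puts in the Authorization header. The following is an added example written for this page, not Centrify’s code: it classifies an Authorization header value as Kerberos, NTLM or BASIC and applies the “Plug-in: accepts” column of the Authentication scheme options and behavior table to it. It goes one step beyond the table by showing why the distinction requires looking inside the token: a browser that cannot obtain a Kerberos ticket may send NTLM wrapped in the same Negotiate (SPNEGO) header, so a module configured with Negotiate alone must inspect the first mechType of the negTokenInit to reject it. The mechanism OIDs are the standard GSS-API/SPNEGO values; the sample headers and their mechToken contents are constructed placeholders, not captured traffic.

```python
"""Added example (not Centrify code): which credential type does an HTTP Authorization
header carry, and does a given enableAuthSchemes value accept it? Mechanism OIDs are the
standard GSS-API/SPNEGO values; the sample headers below are constructed, not captured."""
import base64

OID_SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
KERBEROS_OIDS = (OID_KRB5, OID_MS_KRB5)

def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed sample tokens."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def read_tlv(buf: bytes):
    """Return (tag, value, rest) for the first TLV in buf; ValueError if truncated."""
    if len(buf) < 2:
        raise ValueError("truncated TLV")
    tag, first = buf[0], buf[1]
    if first < 0x80:
        n, off = first, 2
    else:
        k = first & 0x7F
        n, off = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    if len(buf) < off + n:
        raise ValueError("truncated TLV")
    return tag, buf[off:off + n], buf[off + n:]

def classify_token(token: bytes) -> str:
    """Classify a decoded Negotiate/NTLM token as 'Kerberos', 'NTLM' or 'unknown'."""
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLM"                          # raw NTLMSSP message, no GSS-API framing
    try:
        tag, body, _ = read_tlv(token)         # GSS-API InitialContextToken, [APPLICATION 0]
        if tag != 0x60:
            return "unknown"
        tag, mech, inner = read_tlv(body)      # thisMech OID
        if tag != 0x06:
            return "unknown"
        if mech in KERBEROS_OIDS:
            return "Kerberos"                  # bare Kerberos token (AP-REQ inside)
        if mech != OID_SPNEGO:
            return "unknown"
        tag, neg_init, _ = read_tlv(inner)     # NegotiationToken: [0] negTokenInit
        if tag != 0xA0:
            return "unknown"
        _, seq, _ = read_tlv(neg_init)         # SEQUENCE { [0] mechTypes, [2] mechToken, ... }
        tag, mech_types, _ = read_tlv(seq)
        if tag != 0xA0:
            return "unknown"
        _, mech_list, _ = read_tlv(mech_types)  # SEQUENCE OF MechType
        _, first_mech, _ = read_tlv(mech_list)  # mechanism the optimistic mechToken belongs to
    except ValueError:
        return "unknown"
    if first_mech in KERBEROS_OIDS:
        return "Kerberos"
    if first_mech == OID_NTLMSSP:
        return "NTLM"
    return "unknown"

def credential_type(authorization: str) -> str:
    """'Kerberos', 'NTLM', 'BASIC' or 'unknown' for one Authorization header value."""
    scheme, _, blob = authorization.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "BASIC"
    if scheme in ("negotiate", "ntlm"):
        try:
            return classify_token(base64.b64decode(blob, validate=True))
        except ValueError:                     # binascii.Error is a ValueError
            return "unknown"
    return "unknown"

def accepts(enable_auth_schemes: str, authorization: str) -> bool:
    """Apply the 'Plug-in: accepts ...' column of the guide's table to one header."""
    enabled = {s.strip().lower() for s in enable_auth_schemes.split(",")}
    required = {"Kerberos": "negotiate", "NTLM": "ntlm", "BASIC": "basic"}
    cred = credential_type(authorization)
    return cred in required and required[cred] in enabled

def spnego_header(mechs, mech_token: bytes) -> str:
    """Build a constructed 'Negotiate' header whose negTokenInit lists mechs in order."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, m) for m in mechs)))
    neg_init = der(0xA0, der(0x30, mech_types + der(0xA2, der(0x04, mech_token))))
    token = der(0x60, der(0x06, OID_SPNEGO) + neg_init)
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed sample headers; mechToken contents are placeholders, not real AP-REQ/NTLM blobs.
SAMPLE_HEADERS = {
    "kerberos_via_spnego": spnego_header([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"AP-REQ-placeholder"),
    "ntlm_via_spnego": spnego_header([OID_NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00"),
    "raw_ntlm": "NTLM " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
    "basic": "Basic " + base64.b64encode(b"EXAMPLE\\jdoe:Passw0rd").decode(),
}

if __name__ == "__main__":
    for schemes in ("Negotiate", "Negotiate, Basic", "Negotiate, NTLM, BASIC"):
        for name, header in SAMPLE_HEADERS.items():
            print(f"{schemes:24} {name:20} {credential_type(header):9} accepted={accepts(schemes, header)}")
```

With the stack shown above (enableAuthSchemes=Negotiate, Basic), the output shows the Kerberos and BASIC headers accepted and both NTLM forms rejected, which matches the fallback order of the table: Kerberos first, then the Active Directory username and password over BASIC, then the UME login page. Because BASIC carries the Active Directory password in the header, protected only by base64, enable it only on an HTTPS endpoint.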

For SAP 7.3/7.4/7.5

When a user logs in to a NetWeaver AS Java server, the server uses a stack of login modules to authenticate the user for each requested application. To accommodate DirectControl authentication, the login stack needs to be modified to include the Centrify CentrifySpnegoLoginModule login module. Use the following steps to configure the NetWeaver Portal login stack:

1 Go to the NetWeaver Administration page of the SAP Java system.

2 Go to Configuration > Security > Authentication and Single Sign-on.

3 Select the Components tab.

4 Select ticket and click the Edit button.

5 Change the login modules, flags and options to the following order:

Login Module                                                  Flag        Options
com.sap.security.core.server.jaas.EvaluateTicketLoginModule   SUFFICIENT  {ume.configuration.active=true}
com.centrify.dc.netweaver.CentrifySpnegoLoginModule           OPTIONAL    {ume.configuration.active=true}
com.sap.security.core.server.jaas.CreateTicketLoginModule     SUFFICIENT  {ume.configuration.active=true}
BasicPasswordLoginModule                                      REQUISITE   { }
com.sap.security.core.server.jaas.CreateTicketLoginModule     OPTIONAL    {ume.configuration.active=true}

6 Click Save.


Final Steps

This chapter describes the final steps to integrate SAP NetWeaver with Active Directory using DirectControl for NetWeaver, and to verify that authentication and user mapping take place as intended.

This chapter discusses the following topics:

Set up user mapping

Make optional adjustments to single sign-on behavior

Verify the installation

Set up user mapping

The Centrify DirectControl login modules follow a three-step user mapping procedure, as described in “Overview of user mapping” on page 12, that depends on attributes and values you set in Active Directory and in NetWeaver UME. Recall that the three steps are, in order:

Mapping by Active Directory attribute

Direct mapping from Active Directory

Mapping by SAP custom attribute

The subsections that follow explain how to set up options, attributes and values to cause the desired mapping to occur.

Setup for mapping by Active Directory attribute

If an Active Directory attribute is specified in the ADMappingVariable option in the Centrify login module or the login module stack, DirectControl for NetWeaver checks whether the user's AD attribute is set to an SAP username in the UME. If so, the user is mapped to this username, provided the name in the user’s AD attribute matches the SAP username in UME.

To use mapping by Active Directory attribute:

1 If no Active Directory users exist, create one.

2 In the ADMappingVariable option in the Centrify login module or the login module stack, specify the name of the AD user entry attribute to use for the mapping.

To configure the Centrify login module in SAP 7.0, see Step 9 on page 26; for SAP 7.3/7.4/7.5, see Step 4 on page 27.

To configure the login module stack in SAP 7.0, see Substep d on page 30; for SAP 7.3/7.4/7.5, see Substep e on page 32.

3 Make sure the name contained in the specified AD user entry attribute is the same as the user name in the UME.

Setup for direct mapping from Active Directory

For SAP 7.0

If an SAP username is not found in the attempt to map by AD attribute, DirectControl for NetWeaver checks whether any username in the UME exactly matches the user's Active Directory login name. If so, the user is mapped to this username.

To use direct mapping from Active Directory, create an SAP user with the same name in the UME as the Active Directory user. To do this:

1 Go to this location: http://sap_server_system:50000/nwa

2 Log in as administrator.

3 Go to the System Management tab, Administration subtab.

4 Click Identity Management on the left side.

5 Click the Create User button.

6 For the Logon ID, enter the Active Directory login ID.

7 Click Save All Changes.

For SAP 7.3/7.4/7.5

To use direct mapping from Active Directory, create an SAP user with a different name in the UME from the Active Directory user. The SAP username may not match the AD username. To do this:

1 Go to this location: http://sap_server_system:50000/nwa

2 Log in as administrator.

3 Go to Configuration > Identity Management on the left side.

4 Click the Configuration button.

5 Click the Create User button.

6 For the Logon ID, enter the Active Directory login ID.


7 Click Save All Changes.

Setup for mapping by SAP custom attribute

If an SAP username is not found in the attempt to map directly from AD, DirectControl for NetWeaver checks whether a UME user profile has a custom attribute set to the user's Active Directory userPrincipalName (UPN). If so, the user is mapped to the UME user name of the user with this UPN. The name of the custom attribute in the UME user's profile is specified in the usernameConfig option, or by a concatenation of the usernameConfig and namespace (if set) options of the Centrify login module (see Step 9 on page 26) or the login module stack (see Substep d on page 30). The custom attribute also needs to be added to the user's profile. (See Create a UME custom attribute, below.)

1 Create the custom attribute in the UME (next section).

2 Restart the SAP server so the updates take effect. Log in as sidadm and run:

stopsap [Linux: stopsap j2ee]

startsap [Linux: startsap j2ee]

This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.

3 Find the custom attribute in the user's profile.

4 Set the user's custom attribute in the UME to the user’s UPN in Active Directory.

Create a UME custom attribute

While configuring the Centrify login module, you set options (page 28) that designate a custom attribute in the UME. This attribute, visible in the SAP user profile, maps Active Directory users to SAP users. You need to add this custom attribute in the appropriate place in the UME.

The location of the custom UME attribute is specified in one of three ways:

The usernameConfig option is at its default value (CdcUserName), and the namespace option is at its default value (com.sap.security.core.usermanagement). The login module looks for the UME custom attribute at com.sap.security.core.usermanagement:CdcUserName.

The usernameConfig option is set to a different value (for example, altAttribute), but the namespace option is left at its default value. The login module looks for the UME custom attribute at com.sap.security.core.usermanagement:altAttribute.

The usernameConfig option is at its default value, but the namespace option is set to a different value (for example, com.a.b.c) to distinguish the Centrify instance of CdcUserName from the SAP instance of CdcUserName. The login module looks for the UME custom attribute at com.a.b.c:CdcUserName.


For SAP 7.0:

1 Go to the NetWeaver Administrator web page: http://sap_server_system:50000/nwa

2 Log in as the SAP administrator (sidadm).

3 Go to the System Management tab and the Administration subtab. Click the Identity Management button on the left.

4 Click the Configuration button.

5 Click User Admin UI and then the Modify Configuration button.

6 For Administrator-managed Custom Attributes, enter CdcUserName or some other value for userNameConfig in the Login Module options.

If you entered a value for the namespace option in the login module stack, specify the pair of values in the form: namespace_option_value:usernameConfig_option_value

For example, if you entered mynamespace for the namespace option and use the default value CdcUserName for usernameConfig in the Login Module stack, specify: mynamespace:CdcUserName

7 Click Save All Changes.

8 Log out and restart SAP so the updates take effect:

stopsap [Linux: stopsap j2ee]

startsap [Linux: startsap j2ee]

This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.

When you sign back in to the NetWeaver Administrator Web page, you find a field called CdcUserName in the Customized Information section. Set this field to the Active Directory user login ID or the user's UPN in Active Directory. When someone signs in to an SAP Web application using an Active Directory user name, the application identifies that person as the corresponding SAP user.

To set the custom attribute in a user's profile:

1 Go to the NetWeaver Administrator web page.

2 Log in as an AD user who maps to a UME username with SAP administrator privileges.

3 Click the Administration tab.

4 Click Identity Management.

5 In Search Criteria, enter the user name and click Go.

6 If the correct user is listed, select that user’s row. Details of the user will appear.


7 Click the Modify button just under Details of User username.

8 Click the Customized Information tab.

You should see text fields with custom attributes; for example, a value for CdcUserName.

9 Type the user's UPN in the CdcUserName field and click Save.

For SAP 7.3/7.4/7.5:

1 Go to the NetWeaver Administrator web page: http://sap_server_system:50000/nwa

2 Log in as the SAP administrator (sidadm).

3 Go to the Configuration tab and the Security subtab, then click the Identity Management link on the left.

4 Click the Configuration button.

5 Click User Admin UI and then the Modify Configuration button.

6 For Administrator-Managed Custom Attributes, enter CdcUserName or some other value for userNameConfig in the Login Module options.

If you entered a value for the namespace option in the login module stack, specify the pair of values in the form: namespace_option_value:usernameConfig_option_value

For example, if you entered mynamespace for the namespace option and use the default value CdcUserName for usernameConfig in the Login Module stack, specify: mynamespace:CdcUserName

7 Click Save All Changes.

8 Log out and restart SAP so the updates take effect:

stopsap [Linux: stopsap j2ee]

startsap [Linux: startsap j2ee]

This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.

When you sign back in to the NetWeaver Administrator Web page, you find a field called CdcUserName in the Customized Information section. Set this field to the Active Directory user login ID or the user's UPN in Active Directory. When someone signs in to an SAP Web application using an Active Directory user name, the application identifies that person as the corresponding SAP user.

To set the custom attribute in a user's profile:

1 Go to the NetWeaver Administrator web page.

2 Log in as an AD user who maps to a UME username with SAP administrator privileges.


3 Click the Configuration tab and the Security subtab.

4 Click Identity Management.

5 In Search Criteria, enter the user name and click Go.

6 If the correct user is listed, select that user’s row. Details of the user will appear.

7 Click the Modify button just under Details of User username.

8 Click the Customized Information tab.

You should see text fields with custom attributes; for example, a value for CdcUserName.

9 Type the user's UPN in the CdcUserName field and click Save.
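The three mapping steps set up in the subsections above can be checked offline with the following Python model. It is an added illustration, not Centrify's code: it reproduces the order the text describes (AD attribute, then exact name match, then SAP custom attribute holding the UPN) and the way usernameConfig and namespace combine into the attribute the module looks for. The sample user and the attribute names firstNameHireNum, altAttribute and com.a.b.c follow the reference example in the next section; the UPN domain example.com is a constructed placeholder.

```python
"""Added model of the three-step AD-to-UME user mapping described in this section.

Not Centrify's code. It follows the sequence the section describes so the effect
of each option can be verified before touching a live UME. Sample data is constructed.
"""
from typing import Dict, List, Optional, Tuple

DEFAULT_USERNAME_CONFIG = "CdcUserName"
DEFAULT_NAMESPACE = "com.sap.security.core.usermanagement"


class UmeUser:
    """A UME user: logon ID plus custom attributes keyed by 'namespace:name'."""

    def __init__(self, name: str, custom: Optional[Dict[str, str]] = None):
        self.name = name
        self.custom = dict(custom or {})


def custom_attribute_key(username_config: Optional[str] = None,
                         namespace: Optional[str] = None) -> str:
    """Where the login module looks for the custom attribute (the three cases above)."""
    return f"{namespace or DEFAULT_NAMESPACE}:{username_config or DEFAULT_USERNAME_CONFIG}"


def admin_ui_attribute_name(username_config: Optional[str] = None,
                            namespace: Optional[str] = None) -> str:
    """What an administrator types under Administrator-managed Custom Attributes:
    the bare name with the default namespace, otherwise namespace:name."""
    attr = username_config or DEFAULT_USERNAME_CONFIG
    if namespace and namespace != DEFAULT_NAMESPACE:
        return f"{namespace}:{attr}"
    return attr


def map_ad_user(ad_user: Dict[str, str], ume_users: List[UmeUser],
                ad_mapping_variable: Optional[str] = None,
                username_config: Optional[str] = None,
                namespace: Optional[str] = None) -> Tuple[int, Optional[str]]:
    """Return (step that matched, UME user name); (0, None) means mapping failed."""
    by_name = {u.name: u for u in ume_users}

    # Step 1: mapping by Active Directory attribute, only when ADMappingVariable is set
    # and the named attribute holds a value; that value must be an existing UME user name.
    if ad_mapping_variable:
        candidate = ad_user.get(ad_mapping_variable)
        if candidate and candidate in by_name:
            return 1, candidate

    # Step 2: direct mapping; the AD login name must exactly match a UME user name.
    login_name = ad_user.get("sAMAccountName")
    if login_name and login_name in by_name:
        return 2, login_name

    # Step 3: a UME user whose custom attribute equals the AD userPrincipalName.
    upn = ad_user.get("userPrincipalName")
    key = custom_attribute_key(username_config, namespace)
    if upn:
        for user in ume_users:
            if user.custom.get(key) == upn:
                return 3, user.name
    return 0, None


# Constructed AD user modelled on the reference example (jeandoe). The UPN
# domain is a placeholder; the document's own value is not reproduced here.
JEANDOE = {
    "sAMAccountName": "jeandoe",
    "userPrincipalName": "jeandoe@example.com",
    "firstNameHireNum": "jean10256",
}

if __name__ == "__main__":
    key = custom_attribute_key()
    print(map_ad_user(JEANDOE, [UmeUser("jean10256")], ad_mapping_variable="firstNameHireNum"))
    print(map_ad_user(JEANDOE, [UmeUser("jeandoe")]))
    print(map_ad_user(JEANDOE, [UmeUser("jean999", {key: "jeandoe@example.com"})]))
    print(map_ad_user(JEANDOE, [UmeUser("nobody")]))
```

One check worth running before a rollout is the namespace mismatch: a profile that carries the attribute under the default namespace is not found by a module configured with namespace com.a.b.c, and the user silently falls through to "mapping fails".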


Reference example: user mapping

This section interrupts the procedural flow to give a specific example of how the mapping algorithm works.

Sample values (V) in the table below show the three-step mapping sequence applied to a user who logs in with AD user name jeandoe. Abbreviations O, A, N and C are spelled out in the table headings. In the original table a connecting line indicates a match; here each row lists the values that are compared and the Outcome column records the result.

Step | Centrify login module or login module stack option (O) | AD user entry attribute (A) for jeandoe | UME user name (N) or custom attribute (C) | Outcome
1 If | O ADMappingVariable, V firstNameHireNum | A firstNameHireNum, V jean10256 | N jean10256 | AD user jeandoe maps to jean10256
but if | O ADMappingVariable, V firstNameHireNum | A firstNameHireNum, V jean10256 | N [no match] | goes to step 2
or if | O ADMappingVariable, V firstNameHireNum | A firstNameHireNum, V [attr absent or not set] | - | goes to step 2
or if | O ADMappingVariable, V [default state: not set] | - | - | goes to step 2
2 If | - | A sAMAccountName, V jeandoe | N jeandoe | AD user jeandoe maps to jeandoe
but if | - | A sAMAccountName, V jeandoe | N [no match] | goes to step 3
3 Specify C with | O usernameConfig, V CdcUserName or [empty] | A userPrincipalName, V [email protected] | N jean999, C CdcUserName, V [email protected] | AD user jeandoe maps to jean999
or with | O usernameConfig, V altAttribute | A userPrincipalName, V [email protected] | N jean999, C altAttribute, V [email protected] | AD user jeandoe maps to jean999
or with | O usernameConfig, V CdcUserName; O namespace, V com.a.b.c | A userPrincipalName, V [email protected] | N jean999, C com.a.b.c:CdcUserName, V [email protected] | AD user jeandoe maps to jean999
but if | [for any of the options] | - | C [whichever UME target], V [no match] | AD user mapping fails

Make optional adjustments to single sign-on behavior

You can take a few simple steps to fine-tune the single sign-on experience so that users do not need to change SAP account passwords created by administrators, and are not automatically redirected to a login page when they log out from NetWeaver.

Modify the password-change functionality

If users consistently use SSO through DirectControl for NetWeaver, the SAP UME default security policy still forces them to change SAP account passwords created by an SAP administrator (such as for new SAP users). So by default the user must authenticate to DirectControl and then to NetWeaver AS Java before being able to change the password.

To eliminate this type of scenario, configure the SAP UME so it does not require password changes for single sign-on:

1 Start the configuration tool configtool.bat (typically found in AS_Java_installation\j2ee\configtool\).

2 Navigate to Cluster-data > Global Server Configuration > Services > com.sap.security.core.ume.service.

3 Locate the key ume.logon.force_password_change_on_sso and set the value to FALSE.

4 Apply the change by selecting File > Apply.

5 Click OK, and click OK again.

6 Restart the SAP server so the updates take effect. To do this, log in as sidadm and run:

stopsap [Linux: stopsap j2ee]

startsap [Linux: startsap j2ee]

This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.

To verify the change, create a new SAP user account; log in as that user; when requested to change the account password, see if you can change it without first authenticating to DirectControl.

Configure logout for NetWeaver AS Java

To ensure a seamless experience for users, it may be advisable to adjust the logout URL. For example, users logging out of SAP Portal are typically redirected to the login page; with SSO configured they are then automatically logged back in (when in fact they probably wanted to remain logged out). To change the logout URL, follow these steps:

1 Start the configuration tool configtool.bat (typically found in AS_Java_installation\j2ee\configtool\).

2 In the tree, navigate to Global Server Configuration > Services > com.sap.security.core.ume.service.

3 Scroll to the ume.logoff.redirect.url property and configure the fully qualified logout URL.

4 Click the Apply Changes icon (which looks like a floppy disk).

5 Restart the SAP server so the updates take effect. Log in as sidadm and run:

stopsap [Linux: stopsap j2ee]

startsap [Linux: startsap j2ee]

This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.

To verify the change after configuring and deploying DirectControl for NetWeaver, log in to SAP Portal as a NetWeaver user and log out again. Make sure you are not automatically logged back in.

Set up browsers for authentication

This section explains how to set up Internet Explorer and Firefox for Kerberos and NTLM authentication.

Set up Internet Explorer

To prepare Internet Explorer for Kerberos and NTLM authentication, you need to understand IE security zones and then make appropriate modifications.

Understand Internet Explorer security zones

For users to be authenticated silently when they use Internet Explorer to access an application on the Web server with Kerberos or NTLM authentication, the Web server must be in the local intranet Internet Explorer security zone, or explicitly configured as part of the local intranet security zone.

For Internet Explorer, a server is recognized as part of the local intranet security zone in one of two ways:

When the user specifies a URL that is not a fully qualified DNS domain name – for example, http://admin-server/index.html – Internet Explorer interprets the URL as a site in the local intranet security zone.

When the user specifies a URL with a fully qualified name – for example, http://admin-server.mycompany.com/index.html – Internet Explorer interprets the URL as a site that is not part of the local intranet unless the site has been explicitly added to the local intranet security zone.

Depending on which type of URL the user specifies, silent authentication may require that you modify the local intranet security zone in Internet Explorer.

Modify the local intranet security zone

If users log on to Web applications using a fully-qualified path in the URL, they may need to modify the settings for the local intranet security zone in Internet Explorer to enable silent authentication. To do this:


1 Open Internet Explorer and select Tools > Internet Options.

2 Click the Security tab.

3 Click the Local intranet icon.

4 Click Sites and then click Advanced.

5 Type the URL for the Web site you want to make part of the local intranet, and click Add. You can use wildcards in the site address, for example, *://*.mycompany.com. When you are finished adding URLs or URL patterns, click OK.

6 Click OK to accept the local intranet configuration settings, and click OK to close the Internet Options dialog box.

Once you have configured the local intranet security zone, you can log on to Web or Java applications through Kerberos or NTLM without being prompted for a user name and password.
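A small Python model of the two zone rules above, added here as an illustration (not Microsoft's or Centrify's code): it classifies a URL as local intranet when the host name has no dots, or when it matches an entry such as *://*.mycompany.com added under Sites > Advanced. Internet Explorer applies further rules (proxy bypass, UNC paths) that this model leaves out; it is enough to show why a wildcard that is too broad extends silent authentication to hosts you did not intend.

```python
"""Added model of the local-intranet zone rules described above (not IE's code).

Rule 1: a plain host name without dots is treated as a local intranet site.
Rule 2: a fully qualified host is local intranet only if it matches an entry
        configured under Local intranet > Sites > Advanced (wildcards allowed).
"""
from fnmatch import fnmatchcase
from typing import Iterable
from urllib.parse import urlsplit


def is_local_intranet(url: str, configured_sites: Iterable[str] = ()) -> bool:
    """True if `url` would be treated as local intranet under the two rules."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return False
    if "." not in host:                      # rule 1: non-dotted host name
        return True
    for entry in configured_sites:           # rule 2: explicit site list
        scheme_pat, _, host_pat = entry.lower().partition("://")
        if not host_pat:                     # entry typed without a scheme, e.g. *.mycompany.com
            scheme_pat, host_pat = "*", scheme_pat
        if fnmatchcase(parts.scheme.lower(), scheme_pat) and fnmatchcase(host, host_pat):
            return True
    return False


def silent_auth_exposure(configured_sites: Iterable[str], candidate_hosts: Iterable[str]):
    """Constructed review helper: which of the given hosts a site list would let
    the browser authenticate to silently. Use it to spot over-broad wildcards."""
    sites = list(configured_sites)
    return [h for h in candidate_hosts if is_local_intranet(f"https://{h}/", sites)]


if __name__ == "__main__":
    sites = ["*://*.mycompany.com"]
    for url in ["http://admin-server/index.html",
                "http://admin-server.mycompany.com/index.html",
                "https://sap.mycompany.com:50001/irj",
                "https://mycompany.com.evil.example/irj"]:
        print(url, is_local_intranet(url, sites))
```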

Configuring Firefox to allow silent authentication

By default, Firefox supports “prompted NTLM authentication.” To enable “silent NTLM authentication” (no prompts), open Firefox and configure the browser to trust sites:

1 Type about:config as the target URL and press Return.

2 Click the I’ll be careful button. Type ntlm in the Filter field.

3 Open network.automatic-ntlm-auth.trusted-uris.

4 Type a comma-separated list of partner URLs or domain names and click OK.

Note You can use wildcards (for example, *.company.com); however, for the sake of security, make this list as restrictive as possible.


Mozilla Firefox supports negotiated (SPNEGO) authentication, but not by default. To enable silent SPNEGO authentication, continue as follows:

5 Type neg in the Filter field.

6 Open network.negotiate-auth.delegation-uris, type a comma-separated list of partner URLs or domain names as string values, and click OK.

Note For security reasons, make this list as restrictive as possible. If your Web server uses SSL, be sure to include https:// in the string.

7 Open network.negotiate-auth.trusted-uris, type a comma-separated list of partner URLs or domain names, and click OK.

Configuring Safari

Safari does not require any configuration to work with DirectControl for NetWeaver.

Verify the installation

To verify that user authentication and mapping work as intended:

1 Create an Active Directory user if one does not yet exist.

2 Go to the NetWeaver Portal: http://sap_server_system:50000/irj

3 Log in as an AD user, and note the login behavior of the system when you attempt to use NetWeaver.

4 To test individual user mapping, log in as an Active Directory user and verify that the expected mapping occurs (page 12) in each scenario you expect users to encounter; for example:

Change Active Directory attributes and values, and UME default and custom attributes, and verify that the expected mapping occurs in each case.

Change values in the login modules or the login module stack (page 29), and check for expected outcomes in each scenario.

A list of troubleshooting scenarios and solutions can be found on page 55.

5 To check Kerberos authentication in a clustered environment behind a reverse proxy (page 62) or load balancer (page 63), ask IT to create both routine and edge conditions for the cluster, and then verify expected outcomes.

If problems occur, refer to the troubleshooting section (page 52) in the next chapter. If problems persist, go to www.centrify.com/support and log in for the Technical Support contact information.

Chapter 4

Logging and Troubleshooting

This chapter discusses the following topics:

Log Files

Troubleshooting

Log Files

SAP NetWeaver separates log files from trace files:

Log files are operation log messages that are written to categories. Categories have names that start with a slash (/) and are specific to an area; for example, /System/Network.

Trace files are debug log messages that are written to locations. Locations have names made up of components separated by dots (.); for example, com.sap.tc.security.

In both cases the names are hierarchical; for example, if the log level for com.centrify.dc.netweaver is not set, it inherits the log level for com.centrify.dc.

DirectControl for NetWeaver creates a category called /System/Security/Centrify and a location for each class. The location name is the name of the class.

Log configuration

For details about log configuration, see the section for the version of SAP you are using:

“For SAP 7.0” on page 44

“For SAP 7.3/7.4/7.5:” on page 47

For SAP 7.0

You can configure logging in one of three ways:

With your own configuration file

Using Visual Administrator

Logging in from a browser, using NetWeaver Administrator (the preferred method because you can configure all server nodes from one place).


Before configuring logging, you need to deploy and configure DirectControl for NetWeaver, and restart NetWeaver. When DirectControl for NetWeaver is loaded, the following categories and locations are automatically created in the Visual Administrator.

Name | Default Severity Level | Description
Categories
/System/Security/Centrify | Info | Messages at info level and higher from all classes
Locations
com.centrify.dc.netweaver | Debug | Messages from NetWeaver plug-in classes
com.centrify.dc.wbase | Debug | Messages from base authentication classes
com.centrify.dc.common | Debug | Messages from common utility classes
com.centrify.dc.common.logging | Debug | Messages from logging classes

Configure log level for categories using the Visual Administrator:

1 Open the Visual Administrator and log in as an administrator.

2 Click the Cluster tab and go to sid > Server > Services > Log Configurator.

3 Click the Categories tab and open ROOT CATEGORY > System > Security > Centrify.

4 Select the severity level and click Apply (the floppy-disk icon).

Configure log level for locations using the Visual Administrator:

1 Open the Visual Administrator and log in as an administrator.

2 Click the Cluster tab and go to sid > Server > Services > Log Configurator.

3 Click the Locations tab and open ROOT CATEGORY > com > centrify > common (or dc, or anything below it).

4 Select the severity level and click Apply (the floppy-disk icon).

Configure log level for categories using the NetWeaver Administrator:

1 In a browser window, go to http://<netweaver-host>:50000/nwa and log in as an administrator.

2 Click Configuration > Log configuration.

3 In Show, select Logging Categories and open ROOT CATEGORY > System > Security > Centrify.

4 Select the severity level and click Save Configuration.


Configure log level for locations using the NetWeaver Administrator:

1 In a browser window, go to http://<netweaver-host>:50000/nwa and log in as an administrator.

2 Click Configuration > Log configuration.

3 In Show, select Tracing Locations and open ROOT LOCATION > com > centrify > common (or dc, or anything below it).

4 Select the severity level and click Save Configuration.

For SAP 7.3/7.4/7.5:

You can configure logging in one of two ways:

With your own configuration file

Logging in from a browser, using NetWeaver Administrator (the preferred method because you can configure all server nodes from one place).

Note Visual Administrator is deprecated in NetWeaver 7.3/7.4/7.5.

Before configuring logging, you need to deploy and configure DirectControl for NetWeaver, and restart NetWeaver.

Configure log level for categories using the NetWeaver Administrator:

1 In a browser window, go to http://<netweaver-host>:50000/nwa and log in as an administrator.

2 Go to Troubleshooting > Logs and Traces > Log Configuration.

3 In Show, select Logging Categories and open ROOT CATEGORY > System > Security > Centrify.


4 Select the severity level and click Save Configuration.

Configure log level for locations using the NetWeaver Administrator:

1 In a browser window, go to http://<netweaver-host>:50000/nwa and log in as an administrator.

2 Go to Troubleshooting > Logs and Traces > Log Configuration.

3 In Show, select Tracing Locations and open ROOT LOCATION > com > centrify.

4 Select the severity level. Use the Copy to Subtree button to propagate the settings, if required.

5 Click Save Configuration.

Log viewing

You can view log messages from categories and locations in two ways: using a text editor, or using the NetWeaver Administrator Log Viewer (the easiest way to see the logs from a GUI).

Note Centrify log messages are always preceded by a timestamp in the format yyyy.mm.dd hh:mm:ss:sss zone, so that the time a message was logged can be read in an ordinary text editor.

Viewing logs using a text editor

To view logs using a text editor such as vi (UNIX/Linux) or Notepad (Windows), do the following:

1 Change directory to /usr/sap/SID/JCinstance_#/j2ee/cluster/servern/log (where n is the server node number)

2 Open the latest defaultTrace.nn.trc file – for example, defaultTrace.17.trc – in the text editor.

3 To see log messages for a category, search for its directory path; for example, /System/Security/Centrify.

4 To see trace messages for a location, search for the location or class name; for example, com.centrify.dc.netweaver.CentrifySpnegoLoginModule.

The following text is an example of a log file.

#1.5^H#000C29A1D5CF0078000000C90000497B0004967437B0D8BE#1291325801552#com.centrify.dc.netweaver.CentrifySpnegoLoginModule#sap.com/com.sap.security.core.admin#com.centrify.dc.netweaver.CentrifySpnegoLoginModule#Guest#0##n/a##40682e60fe5c11df8984000c29a1d5cf#SAPEngine_Application_Thread[impl:3]_7##0#0#Info#1#/System/Security/Centrify#Plain###2010.12.02 13:36:41:552 PST login: Got status : ERROR from CentrifyAuth.authenticate()#


#1.5^H#000C29A1D5CF006C0000003A0000497B0004967581F005ED#1291331342173#com.centrify.dc.netweaver.CentrifyLoginModule#sap.com/tc~wd~dispwda#com.centrify.dc.netweaver.CentrifyLoginModule#Guest#0##n/a##26e0c490fe6911df8daa000c29a1d5cf#SAPEngine_Application_Thread[impl:3]_0##0#0#Debug##Plain###2010.12.02 15:09:02:173 PST exiting method: commit#

The first line shows a message logged to both the category /System/Security/Centrify and the location com.centrify.dc.netweaver.CentrifySpnegoLoginModule at severity INFO. The message is the string 2010.12.02 13:36:41:552 PST login: Got status : ERROR from CentrifyAuth.authenticate().

The second line shows a message logged at severity DEBUG to location com.centrify.dc.netweaver.CentrifyLoginModule. The message is 2010.12.02 15:09:02:173 PST, exiting method: commit.
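To pull the fields just explained out of such records in bulk, here is an added Python parser; it is not Centrify's or SAP's code. The field positions are taken from the two sample records above (notably the count of category names that precedes the categories, which is 1 in the first record and empty in the second), the two records are embedded as constructed copies, and the ^H after the format version is kept exactly as the page prints it. The millisecond timestamp in the third field is converted to UTC, which is how to correlate these records with Active Directory or Kerberos logs written in another time zone.

```python
"""Added parser for the '#'-separated SAP list-format records shown above.

Not Centrify's or SAP's code. The two sample records are constructed copies of
the lines in this section; field positions were read off those two lines.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = "\n".join([
    "#1.5^H#000C29A1D5CF0078000000C90000497B0004967437B0D8BE#1291325801552#com.centrify.dc.netweaver.CentrifySpnegoLoginModule#sap.com/com.sap.security.core.admin#com.centrify.dc.netweaver.CentrifySpnegoLoginModule#Guest#0##n/a##40682e60fe5c11df8984000c29a1d5cf#SAPEngine_Application_Thread[impl:3]_7##0#0#Info#1#/System/Security/Centrify#Plain###2010.12.02 13:36:41:552 PST login: Got status : ERROR from CentrifyAuth.authenticate()#",
    "#1.5^H#000C29A1D5CF006C0000003A0000497B0004967581F005ED#1291331342173#com.centrify.dc.netweaver.CentrifyLoginModule#sap.com/tc~wd~dispwda#com.centrify.dc.netweaver.CentrifyLoginModule#Guest#0##n/a##26e0c490fe6911df8daa000c29a1d5cf#SAPEngine_Application_Thread[impl:3]_0##0#0#Debug##Plain###2010.12.02 15:09:02:173 PST exiting method: commit#",
])

Record = Dict[str, object]


def parse_record(line: str) -> Optional[Record]:
    """Split one list-format record into named fields; None if it is not one.

    After the severity (field 17) comes a count of category names, then that
    many categories, then the text type. The message is the last field before
    the closing '#'. Fields not named here are left unparsed.
    """
    if not line.startswith("#1.5"):
        return None
    f = line.split("#")
    if len(f) < 21:
        return None
    ms = int(f[3])                                   # epoch milliseconds
    when = datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)
    n_categories = int(f[18]) if f[18] else 0        # empty count means no category
    categories = f[19:19 + n_categories]
    return {
        "record_id": f[2],
        "time_utc": when,
        "location": f[4],
        "application": f[5],
        "user": f[7],
        "thread": f[13],
        "severity": f[17].upper(),
        "categories": categories,
        "text_type": f[19 + n_categories],
        "message": f[-2],
    }


def parse_log(text: str) -> List[Record]:
    return [r for r in (parse_record(ln) for ln in text.splitlines()) if r]


# Message shape seen in the first sample record: "... Got status : ERROR from CentrifyAuth.authenticate()"
STATUS_RE = re.compile(r"Got status : (\w+) from (\S+)")


def error_statuses(records: List[Record]) -> List[Tuple[datetime, str, str]]:
    """(time, location, status) for Centrify-category records whose message
    reports an ERROR status; a quick filter when triaging a failed SSO login."""
    found = []
    for r in records:
        if "/System/Security/Centrify" not in r["categories"]:
            continue
        m = STATUS_RE.search(str(r["message"]))
        if m and m.group(1) == "ERROR":
            found.append((r["time_utc"], str(r["location"]), m.group(1)))
    return found


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec["time_utc"].isoformat(), rec["severity"], rec["location"], rec["categories"], rec["message"])
    print(error_statuses(parse_log(SAMPLE_LOG)))
```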

Viewing category log messages using NetWeaver Administrator Log Viewer

To view category log messages using NetWeaver Administrator Log Viewer, do the steps in this section for the version of SAP you are using.

Viewing category log messages for SAP 7.0:

1 In a browser window, go to the NetWeaver Administrator Log Viewer at http://<sap-server>:50000/nwa and log in as an administrator.

2 Click Monitoring > Logs and Traces.

3 In Show, select Predefined View.

4 Next to Predefined View, select SAP Logs.


5 To see logs in /System/Security/Centrify, click Open Search; in Search By, select Category and equals, and type /System/Security/Centrify.

Viewing category log messages for SAP 7.3/7.4/7.5:

1 In a browser window, go to the NetWeaver Administrator Log Viewer at http://<netweaver-host>:50000/nwa and log in as an administrator.

2 Go to Troubleshooting > Logs and Traces > Log Viewer.

3 In Show, select View > Open View > SAP Logs.

4 Enter *centrify* (with the asterisks) in the Category filter.

The log displays so that you can review it.

Viewing location log messages using NetWeaver Administrator Log Viewer

To view location log messages using NetWeaver Administrator Log Viewer, do the steps in this section for the version of SAP you are using.

Viewing location log messages for SAP 7.0:

1 In a browser window, go to the NetWeaver Administrator Log Viewer at http://<sap-server>:50000/nwa and log in as an administrator.

2 Click on Monitoring > Logs and Traces.

3 In Show, select Predefined View.

4 Next to Predefined View, select Default Trace.


5 To see messages in a specific location, in Search By select Location, select equals, and type (for example) com.centrify.dc.netweaver.CentrifySpnegoLoginModule.

Viewing location log messages for SAP 7.3/7.4/7.5:

1 In a browser window, go to the NetWeaver Administrator Log Viewer at http://<netweaver-host>:50000/nwa and log in as an administrator.

2 Go to Troubleshooting > Logs and Traces > Log Viewer.

3 In Show, select View > Open View > SAP Logs.

4 Enter *centrify* (with the asterisks) in the Location filter.

The log displays so that you can review it.

Viewing developer traces for SAP 7.3/7.4/7.5

To view developer trace messages using NetWeaver Administrator Log Viewer, do the following:

1 In a browser window, go to the NetWeaver Administrator Log Viewer at http://<java-host>:java-port/nwa and log in as an administrator.

2 Go to Troubleshooting > Logs and Traces > Log Viewer.

3 In Show, select View > Open View > Developer Traces.

4 Enter *centrify* (with the asterisks) in the Location filter.

The log displays so that you can review it.


Troubleshooting

This section describes the most commonly encountered error conditions and solutions.

Command not found – UNIX

Symptom: You type a command to open Visual Administrator or Software Deployment Manager and the system returns the message, Command not found.

Cause: Different versions of NetWeaver can have different directory trees. The path to the command you typed is incorrect.

Solution: Use this table to help locate the command.

To find                                  type this       and then this
Visual Administrator                     cd /usr/sap     find . -name go
Software Deployment Manager (SDM) GUI    cd /usr/sap     find . -name RemoteGui.sh

Command not found – Windows

Symptom: You type a command to open Visual Administrator or Software Deployment Manager and the system cannot find the application.

Cause: Different versions of NetWeaver can organize files into different folders and subfolders. The path to the command you typed is incorrect.

Solution: Use this table to help locate the command.

To find                                  navigate to this folder    and search for this
Visual Administrator                     C:\usr\sap                 go.bat
Software Deployment Manager (SDM) GUI    C:\usr\sap                 RemoteGui.bat
SAP Management Console                   C:\Windows                 sapmmc.msc

Library not found – UNIX

Symptom: The DirectControl for NetWeaver library is not found.

Cause: All of the UNIX-like operating systems require an environment variable (LIB_PATH, SHLIB_PATH or LD_LIBRARY_PATH) in the shell startup configuration file. The environment variable is not set or not found.

Solution: Check the following:

• Make sure both the environment variable name and the path are correct for the operating environment on the machine (32-bit vs. 64-bit, Solaris vs. AIX, etc.).


• Make sure the environment variable name is being set in the startup configuration file (.cshrc, .bashrc, etc.) that corresponds to the shell the SAP administrator will be using.

Library or NetWeaver AS Java not found – Windows

Symptom: The DirectControl for NetWeaver library or NetWeaver AS Java is not found.

Cause: Environment variables are not properly set.

Solution: Go to Start > My Computer > Properties, Advanced tab, and click Environment Variables. In the system variables (lower) list, check for the following:

• A variable named JAVA_HOME exists and has the value C:\j2sdk1.4.2_28-x64.

• The value for the Path variable begins with C:\Centrify\DirectControl\java\lib, followed by a semicolon separator.

Note Although C:\Program Files\centrify\directcontrol is the default directory when installing CentrifyDC_Java.msi, the space in Program Files does not work for SAP in Windows. Change from the default directory to a directory path with no spaces in it.

Deployment errors

Symptom: You click the Start Deployment button in the Software Deployment Manager, and deployment succeeds for the .sda file, but then fails for the .ear file:

=================================================
Deployment started Fri Dec 10 10:59:22 PST 2010
=================================================
Starting Deployment of CentrifyLoginModuleLibrary
Finished successfully: development component
'CentrifyLoginModuleLibrary'/'centrify.com'/'localhost'/'2010.03.02.13.49.33'/'0'
Deployment of CentrifyLoginModuleLibrary finished successfully (Duration 6223ms)
Starting Deployment of CentrifyRedirectApp
Aborted: development component...

Cause: You selected both the .sda and the .ear for deployment at the same time.

Solution: Be sure to stop and restart SAP after deploying a module and before deploying any other module.


Symptom: If you click Next to advance from Step 2 to Step 3 in the Software Deployment Manager, the following error message appears.

Cause: The CentrifyLoginModuleLibrary.sda has already been installed.

Solution: Skip the deployment step – it is not needed.

Authentication errors

Authentication errors result from failures in the login module (“Load and Configure Centrify login module” on page 24).

Symptom: User authentication fails.

Causes and solutions: Check that all of the following conditions have been met:

• Make sure you installed and configured the login module stack to use the Centrify login module for the types of authentication you want to apply (page 29).

• If you are using the CentrifySpnegoLoginModule and BASIC is the authentication scheme, make sure the realm attribute (realmName) is set to the correct value in the login module stack.

Symptom: The wrong type of user authentication is applied to users.

Causes and solutions:

• Make sure the enableAuthSchemes login module option lists the correct types of user authentication, and lists them in the correct order.


User mapping errors

For a description of the user mapping algorithm, refer to Chapter 3, “Final Steps,” and in particular the table on page 39.
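The mapping precedence that the user mapping symptoms in this section spell out (the AD attribute named in ADMappingVariable first, then a direct sAMAccountName match, then the SAP custom attribute selected by usernameConfig/namespace), as an added Python example that is not Centrify's code; the AD entries, UME users and the single custom attribute name standing in for usernameConfig/namespace are constructed assumptions.

```python
"""Resolve an Active Directory user to a UME user name following the
precedence the user mapping symptoms describe. Added example, not Centrify
code: AD entries, UME users and option values are constructed, and the
usernameConfig/namespace pair is modelled as one custom attribute name
(an assumption about how those two options combine)."""
from typing import Dict, Optional, Tuple

ADEntry = Dict[str, str]              # AD attribute name -> value
UMEUsers = Dict[str, Dict[str, str]]  # UME user name -> custom attributes


def map_ad_user(ad_entry: ADEntry, ume_users: UMEUsers,
                ad_mapping_variable: Optional[str] = None,
                custom_attribute: Optional[str] = None) -> Tuple[Optional[str], str]:
    """Return (ume_user_name or None, reason).

    Precedence, highest first, as in the symptom table:
      1. ADMappingVariable: the AD attribute it names holds a UME user name
      2. direct mapping: sAMAccountName equals a UME user name
      3. custom attribute: a UME user's custom attribute equals sAMAccountName
    A missing or non-matching ADMappingVariable attribute falls through to
    the next rule, which is why such a user can land on a different UME name.
    Comparisons are exact (case-sensitive); that is an assumption here.
    """
    sam = ad_entry.get("sAMAccountName")
    if not sam:
        return None, "AD entry has no sAMAccountName"

    if ad_mapping_variable:
        value = ad_entry.get(ad_mapping_variable)
        if value is not None and value in ume_users:
            return value, f"ADMappingVariable {ad_mapping_variable}={value!r}"

    if sam in ume_users:
        return sam, "direct sAMAccountName match"

    if custom_attribute:
        hits = [name for name, attrs in ume_users.items()
                if attrs.get(custom_attribute) == sam]
        if len(hits) == 1:
            return hits[0], f"custom attribute {custom_attribute}={sam!r}"
        if hits:
            # Refusing an ambiguous match is this example's choice, not documented behaviour.
            return None, f"ambiguous: {len(hits)} UME users carry {custom_attribute}={sam!r}"

    return None, "no UME user matches"


# Constructed sample UME directory: user name -> custom attributes
UME = {
    "jsmith": {"adname": "jsmith"},
    "john.smith": {},
    "eng42": {"adname": "jdoe"},
}


def main() -> None:
    cases = [
        ({"sAMAccountName": "jsmith", "mail": "john.smith"}, "mail", "adname"),  # rule 1 beats rule 2
        ({"sAMAccountName": "jsmith"}, "mail", "adname"),                         # attribute absent -> rule 2
        ({"sAMAccountName": "jdoe"}, None, "adname"),                             # rule 3 only
        ({"sAMAccountName": "nobody"}, "mail", "adname"),                         # mapping fails
    ]
    for entry, mapping_var, custom in cases:
        print(entry["sAMAccountName"], "->", map_ad_user(entry, UME, mapping_var, custom))


if __name__ == "__main__":
    main()
```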

Symptom: You set ADMappingVariable, but instead of mapping to the value of the attribute named in ADMappingVariable, the AD user is mapped to a different username, or mapping fails.

Causes and solutions: Check the following:

• Make sure the UME user name value matches the value in the AD user entry attribute named in ADMappingVariable.

• Make sure the AD user entry attribute named in ADMappingVariable is present and set.

• Make sure the ADMappingVariable is not in its default state (that is, not set).

Symptom: The user named in sAMAccountName in Active Directory did not map to the same user name in UME.

Causes and solutions: Note the following:

• If ADMappingVariable is set, and its value matches the name of a user entry attribute in Active Directory, and the value of that attribute matches the value of a UME user name, the AD user is mapped to the matching value. This mapping takes precedence over direct mapping from Active Directory.

• It may be that no match was found between a value of sAMAccountName in Active Directory and a value for a user name in UME.

Symptom: You set the usernameConfig or namespace option, or both, in a Centrify login module or in the login module stack, but the AD user fails to map to a UME user name via the custom attribute designated by those options.

Causes and solutions: Note the following:

• If ADMappingVariable is set, its value matches the name of a user entry attribute in Active Directory, and the value of that attribute matches the value of a UME user name, that mapping takes precedence over mapping via SAP custom attribute.

• If a match is found between a value of sAMAccountName in Active Directory and a value for a user name in UME, that mapping takes precedence over mapping via SAP custom attribute.

• If no match is found between an Active Directory sAMAccountName value and a value in the custom attribute designated in a Centrify login module or in the login module stack, the AD user fails to map to a UME user name in the UME custom attribute.

Login module stack does not work as intended

Symptom: The login module stack does not have the expected effects.

Cause: Possibly the ordering of login modules, or the flags applied to each instance of a login module, is incorrect.

Note If a module cannot be found or cannot be opened, it is ignored.


Solution: Check the following table, which summarizes the effects of control flags on the stack.

Flags / Condition / Action taken

REQUISITE
  The module fails: Control immediately returns to the application with “failure” status, along with the error value from this module.
  The module passes: Control moves to the next module in the stack.

REQUIRED
  The module fails: If this is the first REQUIRED module in the stack to fail, its error value is stored for later forwarding to the application. Control moves to the next module in the stack.
  The module passes: Control moves to the next module in the stack. If this is the last module and all REQUIRED modules have passed, control returns to the application with “success” status. If one or more REQUIRED modules has failed, control returns to the application with “failure” status, along with the error value from the first failed REQUIRED module.

No REQUISITE or REQUIRED flag is present in the stack
  At least one SUFFICIENT or OPTIONAL module must pass for control to return to the application with “success” status. If none pass, control returns to the application with “failure” status, along with the error value from the first module that failed.

SUFFICIENT
  The module passes: “Sufficient modules have been executed.” Control returns to the application, with “success” status if all previous REQUIRED modules have passed, or with “failure” status if one or more REQUIRED modules have failed, with the error value from the first REQUIRED module that failed.
  The module fails: Control moves to the next module in the stack.

OPTIONAL
  The module passes or fails: Control moves to the next module in the stack.

The last module has been processed
  If and when the last module in the stack has been processed, if at least one REQUISITE or REQUIRED module was present and all have passed, control returns to the application with “success” status; SUFFICIENT and OPTIONAL error values are ignored. If one or more REQUIRED modules have failed, control returns to the application with “failure” status, along with the error value from the first failed REQUIRED module.
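An added Python model of the control flag semantics in the table above (not SAP or Centrify code) that walks a stack of constructed module outcomes and returns the status and error value the application would receive; the module names, flags and outcomes are made up for illustration.

```python
"""Model of how a JAAS login module stack is evaluated under the control
flags summarised in the table above (REQUISITE, REQUIRED, SUFFICIENT,
OPTIONAL). Added example, not SAP or Centrify code; module outcomes are
constructed so a stack configuration can be reasoned about before it is
deployed in the Security Provider."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

REQUISITE, REQUIRED, SUFFICIENT, OPTIONAL = "REQUISITE", "REQUIRED", "SUFFICIENT", "OPTIONAL"
FLAGS = (REQUISITE, REQUIRED, SUFFICIENT, OPTIONAL)


@dataclass(frozen=True)
class Module:
    name: str
    flag: str
    passes: bool        # constructed outcome of this module's login()
    error: str = ""     # error value the module reports when it fails

    def error_value(self) -> str:
        return self.error or f"{self.name} failed"


def evaluate_stack(stack: List[Module]) -> Tuple[bool, Optional[str]]:
    """Walk the stack top to bottom and return (success, error_value).

    Rules taken from the table:
    - REQUISITE fails: stop at once, failure with this module's error.
    - REQUIRED fails: remember the first such error, keep going.
    - SUFFICIENT passes: return now; success only if no REQUIRED failed so far.
    - OPTIONAL: never decides the outcome on its own.
    - End of stack with a REQUISITE/REQUIRED present: success iff none failed.
    - End of stack with none present: some SUFFICIENT/OPTIONAL must have passed,
      otherwise failure with the first failing module's error.
    """
    has_mandatory = any(m.flag in (REQUISITE, REQUIRED) for m in stack)
    first_required_error: Optional[str] = None
    first_any_error: Optional[str] = None
    any_passed = False

    for m in stack:
        if m.flag not in FLAGS:
            raise ValueError(f"unknown control flag {m.flag!r} on module {m.name}")
        if m.passes:
            any_passed = True
        elif first_any_error is None:
            first_any_error = m.error_value()

        if m.flag == REQUISITE and not m.passes:
            return False, m.error_value()
        if m.flag == REQUIRED and not m.passes and first_required_error is None:
            first_required_error = m.error_value()
        if m.flag == SUFFICIENT and m.passes:
            # "Sufficient modules have been executed": stop here.
            return first_required_error is None, first_required_error
        # REQUISITE/REQUIRED pass, SUFFICIENT fail, OPTIONAL: move to the next module

    if has_mandatory:
        return first_required_error is None, first_required_error
    if any_passed:
        return True, None
    return False, first_any_error   # an empty stack also ends here, as (False, None)


def main() -> None:
    # Constructed stack: an SSO module first, a password module marked REQUIRED.
    stack = [
        Module("spnego", SUFFICIENT, passes=False, error="no Kerberos ticket"),
        Module("basic", REQUIRED, passes=True),
    ]
    print(evaluate_stack(stack))            # (True, None): basic carried the login
    stack[1] = Module("basic", REQUIRED, passes=False, error="bad password")
    print(evaluate_stack(stack))            # (False, 'bad password')
    # Ordering matters: a failed REQUIRED placed before a passing SUFFICIENT
    # still yields failure, the pitfall the Cause paragraph above points at.
    print(evaluate_stack([
        Module("basic", REQUIRED, passes=False, error="bad password"),
        Module("spnego", SUFFICIENT, passes=True),
    ]))                                     # (False, 'bad password')


if __name__ == "__main__":
    main()
```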


Appendix A

Mixed Authentication

DirectControl for NetWeaver supports mixed authentication, in which some users are authenticated by Active Directory and some by NetWeaver UME. One such scenario is a phased roll-out of DirectControl for NetWeaver; for example, in the first phase only engineering would be authenticated by Active Directory while others still would authenticate using the previous method. In the second phase, engineering and support would be authenticated by AD while others remain authenticated by the previous method and in the last phase, everyone would be converted to Active Directory authentication.

This appendix explains how to install the CentrifyRedirectApp.ear application to support mixed authentication.

Note If mixed authentication is not used, after the Centrify login module has been added, users who are not migrated to Active Directory get an “Authentication Failed” error message when they try to log in to the NetWeaver portal.

How redirection works

When it is deployed, the CentrifyRedirectApp.ear enforces the following behavior:

• It authenticates users based on the value for the enableAuthSchemes option (the default is Kerberos, NTLM or BASIC). (See page 28 for other options.)

• If authentication succeeds and the user is mapped to a user in the UME, the user is redirected to the NetWeaver portal page set in the redirectUrl option.

• If authentication succeeds but the AD user is not mapped to a user in the UME, the user is redirected to the NetWeaver portal login page set in the unauthorizedUrl option.

• If authentication still fails, the user is redirected to the page set in the unauthorizedUrl option.

Note If authentication fails because the Kerberos ticket is invalid or the password is incorrect, the user can try authentication to Active Directory using her Active Directory username and password twice more before being redirected to unauthorizedUrl. (You can change the number of retries using numReprompts.)

• If an internal error occurs, the user is redirected to the page set in the errorUrl option.

The following figure shows the behavior of CentrifyRedirectApp when the options are set.


Set up mixed authentication

You deploy CentrifyRedirectApp.ear after you have installed and deployed DirectControl for NetWeaver, configured the NetWeaver classloader to load the Centrify login module library, and added and configured the CentrifySpnegoLoginModule module, as described in Chapter 2, “Installation and Configuration.”

Load

In the following steps you load CentrifyRedirectApp.ear into the SAP Software Deployment Manager and configure the module to enforce a systematic authentication process using Active Directory and/or UME.

Note You use the same procedure to load CentrifyRedirectApp.ear as you did to load CentrifyLoginModuleLibrary.sda.

1 Log in as sidadm and run the Software Deployment Manager (SDM):

UNIX: /usr/sap/SID/instance/SDM/program/RemoteGui.sh

Windows: C:\usr\sap\SID\instance\SDM\program\RemoteGui.bat

The Software Deployment Manager - GUI window appears.

2 Click SDM Gui > Login. Enter the password for the NetWeaver SDM server.

Note This password might be different from the SAP administrator password.


3 Click the Deployment tab and then the clipboard-plus-sign icon.

4 Navigate to the directory in which you stored CentrifyRedirectApp.ear, select it and click the Choose button. Wait for the choosing process to complete.

5 Click Next at the bottom to advance to Step 2. Because no changes are required in this step, click Next again, and then click the Start Deployment button at the bottom of the window.

The Overall Deployment Progress bar in the lower right of the window shows 100% and the “Finished successfully” message appears when you can proceed to the next steps. If deployment does not succeed, refer to the Troubleshooting section (page 52).

Note You can check that deployment was successful by selecting the Undeployment tab and verifying that CentrifyRedirectApp is in the Vendor/Name list (see the Note on page 20 for an example).

6 Restart the SAP server so the changes take effect, and wait for all applications to start:

stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]

Configure login module options

1 Log in as sidadm and run the Visual Administrator:

UNIX: /usr/sap/SID/instance/j2ee/admin/go

Windows: C:\usr\sap\SID\instance\j2ee\admin\go.bat

2 In the tree view on the left, navigate to Server server_name > Services > Security Provider.

3 Click the Policy Configurations tab and then the Authentication tab.

4 Click the pencil icon (the Switch to Edit Mode button) above the tabs.

Note If the icon above the Runtime tab is a pair of glasses, you are already in edit mode.

5 In the components list on the left, select the ticket template.

6 Select the CentrifySpnegoLoginModule and click the Modify button. The table Authentication scheme options and behavior describes all of the options. Three options are associated with mixed authentication. They specify the redirect URLs for different conditions:

CentrifySpnegoLoginModule options

Login Module Option: errorUrl
Default Value: [no default value]
Description: Redirects the user to this URL when there is an internal error during authentication. Set to the NetWeaver portal login page URL.

Login Module Option: unauthorizedUrl
Default Value: [no default value]
Description: Redirects the user to this URL if all authentication attempts failed. Set to the NetWeaver portal login page URL.

Login Module Option: redirectUrl
Default Value: [no default value]
Description: Redirects the user to this URL if the user is authenticated by Active Directory but is not mapped to a UME user. Set to the NetWeaver portal page URL.

7 Click the glasses icon above the Runtime tab to switch to read-only mode.

Note If the icon above the Runtime tab is a pencil, you are already in read-only mode.

8 Restart the SAP server so the changes take effect, and wait for all applications to start:

stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]

This process may take several minutes. For suggested ways to check for completion, refer to “Checking that applications have loaded” on page 15.

User procedures

After SAP restarts, the system is set up to accommodate AD users who are already mapped to UME users, and those who are not mapped:

• Users to be authenticated by UME (not using Active Directory) should use the standard portal URL to access the NetWeaver portal.

• Users to be authenticated by AD should use the URL of the Centrify redirect application to access NetWeaver: http://sap_server_system:50000/centrifydc-redirect.

Note External users accessing the portal from Internet Explorer may see an NTLM pop-up if the URL is not added to Internet Explorer's local intranet security zone, among other reasons. For details, refer to “Set up Internet Explorer” on page 41.


Appendix B

Clustered Environments

This appendix explains how to install the DirectControl for NetWeaver package in a clustered environment.

The following topics are covered:

• Centrify software requirements

• Configure a clustered environment with a reverse proxy

• Configure a clustered environment with a load balancer

Centrify software requirements

When you set up NetWeaver servers in a cluster, each server and, if you are using a reverse proxy, the reverse proxy computer as well, must have the following Centrify software installed:

• All UNIX-based systems: The DirectControl agent (adclient) must be installed. Run adinfo on each server to confirm that the agent is installed. (Windows-based servers do not require adclient.)

• All UNIX- and Windows-based systems: The DirectControl for NetWeaver software must be installed.

Note A load balancer is an exception to this rule. If you are using a load balancer, do not install the DirectControl agent or the DirectControl for NetWeaver software on the load balancer.

In addition, the Kerberos keytabs for each server must be the same. The following instructions tell you how to copy the keytab across systems.

The next two sections provide sample, step-by-step instructions you can customize for your environment to set up Active Directory authentication in a clustered environment with a reverse proxy and then with a load balancer.


Configure a clustered environment with a reverse proxy

This section assumes that you are installing the DirectControl for NetWeaver package in a cluster that has a reverse proxy with multiple servers on the back end.

In the following example, the reverse proxy is running on a machine named A, internal back-end NetWeaver servers are running on machines named B and C, and the domain is domain.com. The figure summarizes the steps and where they are carried out.

1 Confirm that you have the DirectControl agent (adclient) and the DirectControl for NetWeaver package installed as required.

2 If the servers are joined to the domain controller (run adinfo to find out), run adleave on each UNIX machine to “unjoin.”

3 On machine A, run the following command to join machine A to the domain with aliases for B and C:

adjoin -a B -a B.domain.com -a C -a C.domain.com domain.com

Add another -a (--alias) option for each additional application server. (See the Centrify Suite Administrator’s Guide for the description of the adjoin command.)

4 If A has more than one hostname, use the following command to add hostnames:

adkeytab -a -P http/other_host_name

5 On machine A, run the following commands to replicate the keytabs from machine A onto machines B and C:

cd /
tar cvfz cluster.tgz /etc/krb5.keytab /var/centrifydc/kset.*
scp cluster.tgz B:/
scp cluster.tgz C:/

If you have additional servers, run scp to copy cluster.tgz to each one.

Figure: Reverse proxy cluster. Reverse proxy (A): (1) confirm Centrify software installation; (2) adleave (if joined); (3) adjoin -a B -a B.domain.com -a C -a C.domain.com domain.com; (4) adkeytab -a -P http/other_host_name; (5) cd /; tar cvfz cluster.tgz /etc/krb5.keytab /var/centrifydc/kset.*; scp cluster.tgz B:/; scp cluster.tgz C:/. Application servers (B) and (C): (1) confirm Centrify software installation; (2) adleave (if joined); (6) untar keytabs received from A and start adclient with centrifydc start. A remote (internet) client connects through the reverse proxy; the Domain Controller for domain.com hosts Active Directory.


6 On machines B and C (and each additional server), run the following commands to install the keytabs from machine A and to start adclient:

cd /
tar xvfz cluster.tgz
/usr/share/centrifydc/bin/centrifydc start

Note If the password for machine A is changed, run Step 5 and Step 6 after every change. This password is changed transparently in a protocol initiated by Active Directory; that is, Active Directory prompts the DirectControl agent for a new account password on an interval defined in the DirectControl adclient.krb5.password.change.interval configuration parameter (see the Configuration Parameters Reference Guide for the description). The DirectControl agent then automatically generates a new password for the computer account and issues the new password to Active Directory. The default interval is 28 days.

Configure a clustered environment with a load balancer

This section describes how to configure a clustered environment with a load balancer. To provide authentication across all of the servers, you need to create a service account for the load balancer on the domain controller, create a new keytab based on that account, and then merge that keytab on each application server.

Note To create new service accounts, you need permission to the container in which you are creating or deleting the account. See Understanding object permissions for using adkeytab in the Using adkeytab description in the Centrify Suite Administrator’s Guide for the description of the permissions required.

In this demonstration:

• the DirectControl agent and DirectControl for NetWeaver software are already installed on servers B and C (do not install either software package on the load balancer)

• the load balancer hostname is LB

• the servers behind the load balancer are named B and C

• the domain is ace.com.

The following figure summarizes the steps for a two-server configuration. For each additional machine, perform Step 8 once more on B, and Step 9 through Step 16 on each additional machine.

This procedure requires users who have the following permissions:

• Create user account on Active Directory on the domain controller

• Add a new service principal name to the user account on the domain controller

• Change service account password from the UNIX computer.

1 Confirm that you have the DirectControl agent (adclient) and the DirectControl for NetWeaver package installed as required.


Unless they are already joined to the domain controller, run adjoin on machines B and C (and all other application servers) to join them to the domain controller.

2 Create a new Active Directory account called centrifyprod. Verify that the user principal name (UPN) is centrifyprod@ace.com.

Note To have setspn available to run in Step 3 and Step 4, you need to install Windows Support Tools.

3 From a Windows system with Windows Support Tools installed, run the setspn command to add a new service principal name (SPN) to the user account:

setspn -a HTTP/LB.ace.com centrifyprod

4 Confirm that the SPN was created correctly:

setspn -l centrifyprod

You should see the SPN HTTP/LB.ace.com.

Perform Step 5 through Step 8 on machine B only.

5 Use the following adkeytab command with the --adopt option to create the keytab for the new centrifyprod account and have DirectControl take over the management of the keytab:

adkeytab --adopt --principal HTTP/LB.ace.com \
  --encryption-type arcfour-hmac-md5 \
  --encryption-type des-cbc-md5 \
  --encryption-type des-cbc-crc \
  --keytab /etc/krb5/centrifyprod.keytab centrifyprod

Figure: Load balancer cluster. Application server (B): (1) adjoin; (5) adkeytab (create keytab on new service account); (6) klist -kt (verify that keytab was created correctly); (7) kinit -kt (verify that keytab works); (8) copy keytab to machine C (and others in cluster); (9-16) merge keytabs; check for connected state with adinfo and adclient. Application server (C): (1) adjoin; (9-16) merge keytabs; check for connected state with adinfo and adclient. Domain Controller ace.com / Active Directory: (2) create account = centrifyprod, UPN = centrifyprod@ace.com + SPN = HTTP/LB.ace.com. Windows Support Tools: (3, 4) setspn command. Client machines reach B and C through the load balancer (LB).

Notes To run this adkeytab command the user must have write permission to change the password for the service account and read/write permission to the userAccountControl attribute on the Active Directory domain controller. (See Understanding object permissions for using adkeytab in the Using adkeytab description in the Centrify Suite Administrator’s Guide for the description of the permissions required.) Often, this is NOT the case for the UNIX administrator running adkeytab.

Use the following adkeytab option to work around this problem. This does require, however, the UNIX admin to know and then expose the password in the command line. (The alternative would be to give the Active Directory admin root privileges on the UNIX computer or the UNIX admin password reset privileges on the domain controller.)

• The Active Directory administrator creates the new AD account and adds the SPN to the account as above but then provides the password to the UNIX admin.

• The UNIX admin uses the following adkeytab command instead of the command in Step 5. In this example the new user created by the AD admin is again centrifyprod@ace.com and the password is ABC123xyz:

adkeytab --adopt --user centrifyprod@ace.com \
  --local --newpassword ABC123xyz \
  --encryption-type arcfour-hmac-md5 \
  --encryption-type des-cbc-md5 \
  --encryption-type des-cbc-crc \
  --keytab /etc/krb5/centrifyprod.keytab centrifyprod@ace.com

The --user option specifies the new account created by the AD admin; --local updates the keytab file on the computer (in this case, machine B) without changing the password in AD and --newpassword specifies the new password (required by the --local option). (This example uses the same sample encryption types as above.) See the adkeytab description in the Centrify Suite Administrator’s Guide for the full explanation of each option.

6 Verify that the keytab was created correctly:

/usr/share/centrifydc/kerberos/bin/klist \
  -kt /etc/krb5/centrifyprod.keytab

You should see the SPN http/LB.domain.com.

7 Verify that the keytab works:

/usr/share/centrifydc/kerberos/bin/kinit \
  -kt /etc/krb5/centrifyprod.keytab centrifyprod

You should see no output if everything worked correctly.

8 Copy the keytab /etc/krb5/centrifyprod.keytab to machine C.

Perform Step 9 through Step 16 on both machine B and machine C.

9 Disable DirectControl to prepare for merging keytabs:

svcadm disable centrifydc

10 Back up the existing keytab:

cp /etc/krb5/krb5.keytab \
  /etc/krb5/krb5.keytab.todaysdate


11 Merge the keytabs by running ktutil and entering the following commands at its prompt:

/usr/bin/ktutil
rkt /etc/krb5/krb5.keytab
rkt /etc/krb5/centrifyprod.keytab
wkt /etc/krb5/krb5.keytab.new
q

12 Verify that the new keytab was created correctly:

/usr/share/centrifydc/kerberos/bin/klist \
  -kt /etc/krb5/krb5.keytab.new

13 Copy the new keytab to the default location with the appropriate name:

cp /etc/krb5/krb5.keytab.new /etc/krb5/krb5.keytab

14 Verify that the new keytab works:

/usr/share/centrifydc/kerberos/bin/kinit -kt centrifyprod

You should see no output if everything worked correctly.

15 Enable DirectControl:

svcadm enable centrifydc

16 Run adinfo and check that adclient goes into a connected state. If adclient reports that it is disconnected, something has gone wrong in the setup.

Note If the password for the centrifyprod Active Directory account is changed, run Step 5 through Step 16 after every change. This password is changed transparently in a protocol initiated by Active Directory; that is, Active Directory prompts for a new account password on an interval defined in the DirectControl adclient.krb5.password.change.interval configuration parameter (see the Configuration Parameters Reference Guide for the description). The DirectControl agent then automatically generates a new password for the computer account and issues the new password to Active Directory. The default interval is 28 days.
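The keytab merge and verification in Steps 6 and 11 through 14, as an added Python example that is not part of Centrify's documentation or tools: it reads and writes the MIT keytab file format (version 0x0502, the format ktutil's rkt/wkt and klist -kt operate on), merges two keytabs the way rkt/rkt/wkt does, and checks that the load-balancer SPN is present. The realm, host names, keys and enctype numbers (18 = AES256-CTS, 23 = RC4-HMAC) are constructed sample values.

```python
"""Added example (not Centrify's code): minimal MIT keytab (format 0x0502) reader/writer
mirroring ktutil rkt/wkt (step 11), klist -kt (step 12) and the step 6 SPN check."""
import struct
MAGIC = b"\x05\x02"  # MIT keytab version-2 file header
def _counted(b):  # uint16 length prefix + bytes, used for the realm and name components
    return struct.pack(">H", len(b)) + b
def build_entry(principal, realm, kvno, enctype, key, timestamp=0):
    """Serialize one v2 entry; principal is 'service/host' (components split on '/')."""
    comps = [c.encode() for c in principal.split("/")]
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name type 1 = NT-PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
def entries(data):
    """Yield raw live entry bodies; a negative size is a slot ktutil marked deleted."""
    if data[:2] != MAGIC: raise ValueError("not a version-2 MIT keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size == 0: break  # a zero-length slot ends the file
        if size > 0:
            yield data[pos:pos + size]
        pos += abs(size)
def list_keytab(data):
    """Decode entries into (principal@REALM, kvno, enctype) tuples, like `klist -kt`."""
    out = []
    for e in entries(data):
        ncomp, p, parts = struct.unpack(">H", e[:2])[0], 2, []
        for _ in range(ncomp + 1):  # realm first, then the name components
            n = struct.unpack(">H", e[p:p + 2])[0]; p += 2
            parts.append(e[p:p + n].decode()); p += n
        _ntype, _ts, vno8 = struct.unpack(">IIB", e[p:p + 9]); p += 9
        enctype, klen = struct.unpack(">HH", e[p:p + 4]); p += 4 + klen
        kvno = struct.unpack(">I", e[p:p + 4])[0] if p + 4 <= len(e) else vno8
        out.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
    return out
def merge_keytabs(*blobs):
    """Same effect as ktutil rkt a; rkt b; wkt out: concatenate all live entries in order."""
    return MAGIC + b"".join(struct.pack(">i", len(e)) + e for b in blobs for e in entries(b))
def has_spn(data, spn):
    """Step 6 check: is the load-balancer SPN present (realm ignored, case-insensitive)?"""
    return any(n.split("@")[0].lower() == spn.lower() for n, _, _ in list_keytab(data))
# Constructed sample: machine B's own host key plus the centrifyprod keytab from step 5.
REALM = "DOMAIN.COM"
HOST_KT = MAGIC + build_entry("host/machineb.domain.com", REALM, 3, 18, b"\x11" * 32)
LB_KT = MAGIC + build_entry("http/LB.domain.com", REALM, 2, 18, b"\x22" * 32) \
      + build_entry("http/LB.domain.com", REALM, 2, 23, b"\x33" * 16)
MERGED = merge_keytabs(HOST_KT, LB_KT)
```

Entries are appended rather than deduplicated, exactly as ktutil does, so merging the same keytab twice yields duplicate entries; the deleted-slot handling matters because ktutil's delent leaves such negative-size slots behind.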


Index

Symbols
  .cshrc file 16, 17

A
  Active Directory attributes
    SAP 7.0 34
    SAP 7.3/7.4/7.5 34
  adjoin 62
  adkeytab 62
  adleave 62
  ADMappingVariable 28, 33, 39, 55
  AIX environment 17
  authentication 10
  authentication errors 54
  authentication flow 11
  Authentication template, Visual Administrator
    SAP 7.0 31
  authorization 10

B
  base authentication classes
    SAP 7.0 45
  bashrc 53
  BASIC 9, 11, 54, 57
    SAP 7.0 31
  BASIC (authorization scheme setting) 28
  BASIC authentication 28
  BasicPasswordLoginModule
    SAP 7.0 30
    SAP 7.3/7.4/7.5 32

C
  categories 44
  category log messages 48, 49
  CdcUserName 28, 35, 36, 37, 39
  Centrify login module 33
  Centrify login module usage 35
  Centrify ticket login module
    SAP 7.0 30
  centrify.dc.realm 28
  CentrifyDC_Java.msi 53
  centrifydc-netweaver-release.tgz
    SAP 7.0 19
    SAP 7.3/7.4/7.5 21
  CentrifyLoginModule 49
  CentrifyLoginModuleLibrary 54
    SAP 7.0 22
  CentrifyLoginModuleLibrary.sda 21, 59
    SAP 7.0 19, 20
    SAP 7.3/7.4/7.5 21
  CentrifyRedirectApp.ear 57
  centrifyRedirectApp.ear 57
    SAP 7.0 19
    SAP 7.3/7.4/7.5 21
  CentrifySpnegoLoginModule 30, 48, 49
    load and configure 24, 26
    SAP 7.0 24, 30, 31, 51
    SAP 7.3/7.4/7.5 26, 32
  Class Name
    SAP 7.0 25
    SAP 7.3/7.4/7.5 27
  classloader
    SAP 7.0 22
    SAP 7.3/7.4/7.5 23
  Cluster tab
    SAP 7.0 45
  Cluster-data 40
  com.centrify.dc.netweaver
    SAP 7.0 30
    SAP 7.3/7.4/7.5 32
  com.sap.security.core.server.jaas
    SAP 7.0 30
    SAP 7.3/7.4/7.5 32
  com.sap.security.core.usermanagement 35
  Command not found 52
  common utility classes
    SAP 7.0 45
  configtool.bat 40
  configure Java path 17
  configure library path 17
  configure log level 47
    SAP 7.0 45, 46


    SAP 7.3/7.4/7.5 47, 48
  configure logging
    SAP 7.0 44
    SAP 7.3/7.4/7.5 47
  conventions, documentation 7
  core.ume.service 40
  CreateTicketLoginModule
    SAP 7.0 30
    SAP 7.3/7.4/7.5 32
  cshrc 53
  custom attribute 35, 55
  Customized Information section 36, 37

D
  debug log messages 44
  debug logs
    SAP 7.0 45
  default NetWeaver login page
    SAP 7.0 31
  default security policy 40
  Default Trace
    SAP 7.0 50
  default zone 16
  defaultTrace.nn.trc file 48
  Deployment tab 59
    SAP 7.0 20
  Description
    SAP 7.3/7.4/7.5 27
  direct mapping from Active Directory
    SAP 7.0 34
    SAP 7.3/7.4/7.5 34
  DirectControl Agent 6, 9, 10, 11, 13
  DirectControl Management Tools 6
  DirectControl version 16
  DirectControl zone 16
  directory services 10
  directory trees 52
  Display Name
    SAP 7.0 25
    SAP 7.3/7.4/7.5 27
  documentation
    conventions 7

E
  e 31
  ear file 53
  enableAuthSchemes 28, 54, 57
    SAP 7.0 26, 27, 30, 31
  environment variable 52
  Environment Variables 53
  errorUrl 28, 57, 60
  EvaluateTicketLoginModule
    SAP 7.0 30
    SAP 7.3/7.4/7.5 32
  example of a log file 48

F
  Firefox
    configuring silent authentication 42
  fixed-width font 7
  floppy-disk icon
    SAP 7.0 46
  force_password_change_on_sso 40
  FORM 9, 11

G
  go.bat 52

H
  help.sap.com URL 8
  HLIB_PATH 17
  HP-UX IA64 environment 17
  HP-UX PA-RISC environment 17
  HTTP BASIC
    SAP 7.0 31
  HTTP BASIC authentication 28

I
  Identity Management 36, 37, 38
    SAP 7.0 34
    SAP 7.3/7.4/7.5 34
  info level logs
    SAP 7.0 45
  instanceNumber 14
  Internet Explorer
    local intranet zone 41
    security zones 41
  Internet Explorer security zones 41
  irj 43

J
  J2EE 6
  JAVA_HOME 53


K
  KDC 10, 11
  Kerberos 9, 11, 57
    Internet Explorer security zones 41
    SAP 7.0 31
  Kerberos Key Distribution Center 10
  Kerberos Security Service Provider 11
  Kerberos ticket 10
  Key Distribution Center 10

L
  LD_LIBRARY_PATH 16, 52
  LIB_PATH 52
  LIBPATH 17
  library
    centrify.com
      SAP 7.0 22
  library not found 52
  Linux
    naming convention 7
  Linux 32-bit environment 16
  Linux 64-bit environment 16
  location log messages 48, 50
  locations 44
  Log configuration 48
    SAP 7.0 46, 47
    SAP 7.3/7.4/7.5 47
  Log Configurator
    SAP 7.0 45
  log file categories 44
  log files 44
  log messages 48
  Log Viewer 48, 49, 50
  log viewing 48
  Logging Categories
    SAP 7.0 46
    SAP 7.3/7.4/7.5 47
  logging classes
    SAP 7.0 45
  Login Mod 28
  login module
    SAP 7.0 19
    SAP 7.3/7.4/7.5 21, 32
  login module options 28, 60
  login module stack 55
  LoginModuleClassLoaders
    SAP 7.0 22
    SAP 7.3/7.4/7.5 23
  logout URL 40
  Logs and Traces
    SAP 7.0 49, 50
    SAP 7.3/7.4/7.5 50, 51

M
  Macintosh OS X operating system 7
  Manage Security Stores
    SAP 7.0 24
  map AD users to SAP users 28
  mapping by AD attribute 33
  Monitoring
    SAP 7.0 49

N
  namespace 28, 35, 36, 37, 39, 55
  Negotiate (authorization scheme setting) 28
  Negotiate authentication 28
  NetWeaver AS Java not found 53
  NetWeaver AS Java Security Guide 8
  NetWeaver classloader
    SAP 7.0 22
    SAP 7.3/7.4/7.5 23
  NetWeaver J2EE applications 6
  NetWeaver login page
    SAP 7.0 31
  NetWeaver plug-in classes
    SAP 7.0 45
  NetWeaver UME
    SAP 7.0 31
  ng 52
  Notepad 48
  NTLM 9, 11
  NTLM (authorization scheme setting) 28
  NTLM authentication
    Internet Explorer security zones 41
  numReprompts 28
  nwa 36, 37
    SAP 7.0 34
    SAP 7.3/7.4/7.5 34

O
  Open View
    SAP 7.3/7.4/7.5 50
  operation log messages 44
  OPTIONAL flag 56


P
  password changes for SSO 40
  Path variable 53
  policy management 10
  Portal 9
  Predefined View
    SAP 7.0 49, 50
  Program Files 53
  Properties tab
    SAP 7.0 22

R
  realmName 28
  redirectUrl 28, 57, 60
  release notes 16
  release variable 7
  RemoteGui.bat 52
  REQUIRED flag 56
  REQUISITE flag 56
  RFC 1945 28
  RFC 2617 28
  root
    SAP 7.0 17
  ROOT CATEGORY
    SAP 7.0 45, 46
    SAP 7.3/7.4/7.5 47
  ROOT LOCATION
    SAP 7.0 47
    SAP 7.3/7.4/7.5 48
  Runtime tab
    SAP 7.0 24

S
  sAMAccountName 55
  SAP documentation 8
  SAP Logs
    SAP 7.0 49
  SAP Management Console 52
  SAP Portal 40
  SAP ticket login module 30
  SAP UME 40
  SAP user profile custom attribute 28
  SAP username 28
  sap.com/irj*irj
    SAP 7.0 31
  SAP-certified login modules 9
  sapmmc.msc 52
  scp 62
  sda file 53
  SDM 52
    SAP 7.0 19
  Security Provider
    SAP 7.0 24
  Security Service Provider 11
  semicolon separator 53
  server cluster 13
  severity debug 49
  severity info 49
  severity level
    SAP 7.0 45, 46
    SAP 7.3/7.4/7.5 48
  shell startup configuration file 16
  SHLIB_PATH 52
  sid 14
  sidadm 15, 17, 35, 40, 58
    SAP 7.0 19
  Single Sign-On
    configuring security zones 41
  Software Deployment Manager 52, 58
    SAP 7.0 19
  Solaris 32-bit environment 16
  Solaris 64-bit environment 17
  space in "Program Files" path 53
  sparcv9 17
  SPNEGO 11
  SSO 6, 40
  SSP 11
  Start Deployment button 59
    SAP 7.0 20
  startsap 21, 32, 35, 36, 37, 40, 41, 59, 60
  startsap j2ee (Linux) 35, 36, 37, 40, 41, 59, 60
    SAP 7.0 21, 32
  startup configuration file 52
  stopsap 21, 32, 35, 36, 37, 40, 41, 59, 60
  stopsap j2ee (Linux) 35, 36, 37, 40, 41, 59, 60
    SAP 7.0 21, 32
  su – command 17
  SUFFICIENT flag 56
  System/Security/Centrify 44, 48, 49
    SAP 7.0 50

T
  tar command 62
  tar file, untarring


    SAP 7.0 19
    SAP 7.3/7.4/7.5 21
  tgz file, unzipping
    SAP 7.0 19
    SAP 7.3/7.4/7.5 21
  ticket
    SAP 7.0 31
  timestamp 48
  trace file locations 44
  trace files 44
  trace messages 48
  Trace Viewer
    SAP 7.3/7.4/7.5 51
  Tracing Locations 47
    SAP 7.3/7.4/7.5 48
  Troubleshooting 52
    SAP 7.3/7.4/7.5 50, 51

U
  UME 10, 11, 12, 28, 33, 35, 40, 57
    SAP 7.0 31, 34
  UME custom attribute 35
  UME default security policy 40
  UME user name 55
  ume.configuration.active
    SAP 7.0 30
    SAP 7.3/7.4/7.5 32
  ume.logoff.redirect.url 40
  ume.logon key 40
  unauthorizedUrl 28, 57, 60
  UNIX
    naming convention 7
  UNIX servers 9
  UPN 35, 36, 37, 39
  User Management subtab
    SAP 7.0 24, 25
  user profile custom attribute 28
  user's UPN 36, 37
  userNameConfig 36, 37
  usernameConfig 28, 35, 36, 37, 39, 55
  userPrincipalName 39
  users
    silent authentication 41
  usr/sap 52
  usrsap 52

V
  vi editor 48
  Visual Administrator
    SAP 7.0 22, 44, 45

W
  wbase
    SAP 7.0 45
  web applications
    local intranet zone 41
    silent authentication 41

Z
  zone 16
