Centrify Corporation
Legal notice
This document and the software described in this document are furnished under and are subject to the terms of a
license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or
non-disclosure agreement, Centrify Corporation provides this document and the software described in this
document “as is” without warranty of any kind, either express or implied, including, but not limited to, the
implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of
express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This document and the software described in this document may not be lent, sold, or given away without the prior
written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth
in such license agreement or non-disclosure agreement, no part of this document or the software described in this
document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means,
electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some
companies, names, and data in this document are used for illustration purposes and may not represent real
companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the
information herein. These changes may be incorporated in new editions of this document. Centrify Corporation
may make improvements in or changes to the software described in this document at any time.
© 2004-2016 Centrify Corporation. All rights reserved. Portions of Centrify software are derived from
third party or open source software. Copyright and legal notices for these sources are listed separately in the
Acknowledgements.txt file included with the software.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the
U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48
C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for
non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use,
modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all
respects to the commercial license rights and restrictions provided in the license agreement.
Centrify, DirectControl, DirectAuthorize, DirectAudit, DirectSecure, DirectControl Express, Centrify User
Suite, and Centrify Server Suite are registered trademarks and Centrify for Mobile, Centrify for SaaS, Centrify for
Mac, DirectManage, Centrify Express, DirectManage Express, Centrify Identity Platform, Centrify Identity
Service, and Centrify Privilege Service are trademarks of Centrify Corporation in the United States and other
countries. Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and other countries.
Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103 B2; 9,112,846; and
9,197,670.
The names of any other companies and products mentioned in this document may be the trademarks or registered
trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies,
organizations, domain names, people and events herein are fictitious. No association with any real company,
organization, domain name, person, or event is intended or should be inferred.
This document describes DirectControl for NetWeaver, which enables NetWeaver J2EE
applications to use DirectControl as their authentication mechanism, provides users with
single sign-on (SSO) capability, and enables the administrator to disable user accounts
centrally in Active Directory (AD). Where applicable, separate instructions are provided for
SAP 7.0 and SAP 7.3/7.4/7.5.
Intended audience
This manual is intended for NetWeaver AS Java administrators and application developers
who have appropriate permissions in and working knowledge of the NetWeaver AS Java
environment.
This manual also assumes that the DirectControl Management Tools and DirectControl Agent
are installed on at least one computer in your environment.
Document conventions
The following conventions are used in this guide:
Unless otherwise noted, the term UNIX refers to all supported versions of the UNIX,
Linux, and Macintosh OS X operating systems.
Fixed-width font is used for sample code, program names, program output, file names,
and command-line commands. Italicized fixed-width font indicates variables such as
version numbers. In command-line reference information, square brackets ([ ]) indicate
optional arguments.
Bold text is used to emphasize commands, buttons or user interface text, and to
introduce new terms.
Italic text is used for book titles, and to emphasize specific words or terms.
The variable release indicates a specific release number in file names. For example,
centrifydc-release-sol8-sparc-local.tgz refers to a release version of the DirectControl for
NetWeaver Agent for Solaris 8 on SPARC. For example, if this file is for version 4.1.2,
the file name is centrifydc-4.1.2-sol8-sparc-local.tgz.
zones through Active Directory. This guide focuses on managing the environment after
deployment.
Centrify Suite 2012 Planning and Deployment Guide provides guidelines, strategies, and best
practices to set up DirectControl to run in a production environment. Use this guide in
conjunction with the DirectControl Administrator’s Guide.
Contacting Centrify
If you have a problem during DirectControl for NetWeaver software installation or
configuration, need help with Active Directory configuration, or want clarification on best
practices, contact your Centrify System Engineer or Technical Support. Go to
www.centrify.com/support and log in for the Technical Support contact information.
Product Overview
This chapter summarizes the features of DirectControl for NetWeaver AS Java, how it
works, and how it is set up.
The following topics are covered:
Summary of features
How the NetWeaver connection to DirectControl works
How authentication flow works
Overview of user mapping
Configuring single sign-on for SAP cloud-based applications
Summary of features
DirectControl for NetWeaver AS Java provides seamless user authentication methods for
NetWeaver applications via Active Directory user credentials, including Kerberos, NTLM,
BASIC or FORM. A user who has been configured with a UME/ABAP account can access
NetWeaver business applications with single sign-on (SSO). This capability increases user
satisfaction and reduces support desk calls to reset passwords and unlock accounts. In
addition, the administrator can use Active Directory to disable users’ NetWeaver accounts
centrally, immediately removing access to SAP NetWeaver, including Portal.
With Centrify’s SAP-certified login modules and DirectControl for NetWeaver AS Java
authentication, you can:
Allow users to leverage their Active Directory credentials to access NetWeaver
Centrally manage and enforce consistent passwords and other security policies
Deploy single sign-on without intrusive changes to Active Directory
Simplify compliance with regulatory requirements
Maximize your investment in Active Directory
How the NetWeaver connection to DirectControl works
When a UNIX computer with the DirectControl Agent joins the Active Directory domain,
it becomes an Active Directory client for authentication, authorization, policy management
and directory services. To extend authentication services to NetWeaver servers and clients,
you then install login modules, and configure NetWeaver applications to handle login
requests via those modules. The login modules in turn handle authentication requests via
the DirectControl Agent.
After logging in (1 in the following figure) to a Windows Active Directory client, or a
UNIX box equipped with DirectControl, the user requests and receives a Kerberos ticket.
Using this ticket, the desktop client, via the browser, requests (2) a service ticket from the
Kerberos Key Distribution Center (KDC). This service ticket is forwarded to the login
module of the application that the user is trying to access (3). The DirectControl Agent on
the server validates the authentication request via Active Directory (4), and forwards the
response to the login module. The authenticated username is provided to the NetWeaver
server. The NetWeaver server compares this user ID with the UME data source, and if it is
valid (5), grants access to the user.
1 The web browser uses the Simple and Protected GSS-API Negotiation Mechanism
(SPNEGO) to request access to the NetWeaver server. NetWeaver login module and
browser negotiate the appropriate level and type of authentication.
Note Kerberos is shown. SPNEGO also supports NTLM. DirectControl for NetWeaver
also implements HTTP BASIC and FORM authentication.
2 For Kerberos, the browser client requests a service ticket using the built-in Kerberos
Security Service Provider (SSP) from the Active Directory KDC or local cache. The web
browser presents this service ticket to the NetWeaver server.
3 The Netweaver server validates the request ticket via the login module and the
DirectControl Agent. Once the request is successfully authenticated with Active
Directory, the authenticated username, group information and other attributes are
extracted.
4 The login module maps the authenticated user to the appropriate UME account and
grants access to the user.
The requested content is returned to the user based on Active Directory credentials and
NetWeaver AS Java, without the need for a username or password.
Overview of user mapping
SAP NetWeaver ABAP and NetWeaver Java offer both IdP-initiated SAML SSO (for SSO
access through the CIS web-based management portal) and SP-initiated SAML SSO (for
SSO access directly through the NetWeaver ABAP or Java web application). You can
configure these applications for either or both types of SSO. Enabling both methods ensures
that users can log in to SAP NetWeaver ABAP or NetWeaver Java in different situations such
as clicking through a notification email.
To configure the SAP NetWeaver Java web application for SSO, you need the following:
A subscription to Centrify Identity Service
SAP NetWeaver Java or NetWeaver ABAP.
An active SAP NetWeaver Java or NetWeaver ABAP account with administrator rights
for your organization.
You can find complete instructions for configuring SSO for NetWeaver ABAP and
NetWeaver Java in the application configuration help included in the web-portal interface to
CIS.
How to proceed
This guide assumes you have already taken the following steps in a standard Active
Directory environment:
Installed the DirectControl Agent on the NetWeaver AS Java server or servers in a
cluster.
Joined the NetWeaver server or servers in a cluster (see Appendix B, Clustered
Environments for the join requirements) to the Active Directory domain, so the Java
server can present valid credentials for authentication.
If you have not already installed the DirectControl Agent, go to the Centrify Suite
Administrator’s Guide for the instructions.
After the DirectControl Agent is installed on the NetWeaver server(s), proceed to the next
chapter to deploy the DirectControl for NetWeaver package and then load and configure
the Centrify login module.
Chapter 2
This chapter describes the procedures for installing and configuring DirectControl for
NetWeaver. If you are installing DirectControl for NetWeaver in a clustered environment,
see Appendix B, “Clustered Environments,” for additional information.
The topics in this chapter include:
Understand the procedural basics
Install DirectControl Agent on the NetWeaver host
Set library path for SAP administrator – UNIX
Set Java and library paths – Windows
Install and deploy DirectControl for NetWeaver
Configure the NetWeaver classloader to load Centrify login module
Configure the Centrify login module stack
Set up browsers for authentication
Understand the procedural basics
For example, the typical installation directory for an instance with the system ID NWS,
instance type ABAP/DoubleStack Central and number 13:
UNIX: /usr/sap/NWS/DVEBMGS13
Windows: C:\usr\sap\NWS\DVEBMGS13
The system ID for the SAP instance administrator has user name sidadm and home
directory /home/sidadm/. In this case, the system ID sid is always in lower case. For
example, if the SAP system ID is NWS, the SAP administrator name is nwsadm and the UNIX
home directory is /home/nwsadm.
UNIX
1 Log in as sidadm and enter the following command:
sapcontrol -nr instancenumber -function GetProcessList
where instancenumber is the two-digit number of the instance (do not preface the
number with the instance type).
2 The following figure illustrates the display when the applications:
If the dispstatus is GREEN (see the last line in the display), the server is ready. If you
see YELLOW, it means “starting” or “warning;” GREY means “unavailable” and RED
means “error.”
Windows
To check that all applications have loaded in the SAP server from a Windows system, run
C:\Windows\sapmmc.msc, the SAP Microsoft Management Console. Navigate in the tree
view to Console Root > SAP Systems > sid > instance_name. If after several minutes
the circle to the left of Process List turns green, deployment succeeded.
The value DN stands for the domain name or container name for the organizational unit or
container where the computer is to be created.
Note If you install NetWeaver in a clustered environment, the adjoin command is executed
at a different point in the procedure and requires additional arguments (next section).
Save the .cshrc file, exit from user root, and issue the command:
su - sidadm
You should not see any error messages before the prompt reappears.
3 Highlight the variable name Path in the system variables list, and click Edit.
4 Place the cursor at the beginning of the Variable value line, and add this string:
C:\Centrify\DirectControl\java\lib;
5 Click SDM Gui > Login. Enter the password for the NetWeaver SDM server.
Note This password might be different from the SAP administrator password.
6 Click the Deployment tab.
7 Click the clipboard-plus-sign icon in the upper left corner of the Deployment tab.
Note You also can check that deployment was successful by selecting the
Undeployment tab and verifying that centrify.com/CentrifyLoginModuleLibrary is
somewhere on the Vendor/Name list.
10 Restart the SAP server so the changes take effect, and wait for all applications to start:
This process may take several minutes. For suggested ways to check for completion, refer
to “Checking that applications have loaded” on page 15.
7 Sign in as administrator.
8 Enter the command:
deploy list=/usr/sap/trans/EPS/in/deploylist.txt
This process may take several minutes. For suggested ways to check for completion, refer
to “Checking that applications have loaded” on page 15.
Note Use Software Update Manager (SUM) for NetWeaver 7.4. If you are using NetWeaver
7.3, you can use JSPM as an alternative.
4 In the Value field near the bottom, add the following text:
library:centrify.com~CentrifyLoginModuleLibrary
5 The value for the LoginModuleClassLoaders key is now set. To save the classloader
configuration, click the disk icon.
6 The Visual Administrator prompts you to confirm. Leave the Server ... box checked and
click Yes.
2 In the pane on the left side of the Config Tool window, open the folder:
cluster-data > template - Usage_Type_All_in-One > instance <INSTID> >
services > security
Note If the LoginModuleClassLoaders key already has a value, separate it from the value
you are adding with a comma and no spaces.
4 (7.3/7.4) Click Save.
5 (7.5 only) Click Set Custom Value.
6 Restart SAP Java.
To see how the options you set on this page interact with UME, AD and other settings, refer
to “Set up user mapping” on page 33 in the next chapter.
1 If you are not yet running the Visual Administrator, log in as sidadm and start it:
UNIX: /usr/sap/SID/instance/j2ee/admin/go
Windows: C:\usr\sap\SID\instance\j2ee\admin\go.bat
2 In the tree view in the left pane, select the Cluster tab. Then, navigate to Server
server_name > Services > Security Provider.
The right pane is now populated with a set of tabs.
3 Click the Runtime tab and the User Management subtab in the right pane.
4 Click the pencil icon (the Switch to Edit Mode button) above the Runtime tab. This
activates the Manage Security Stores button in the lower right corner.
Note If the icon above the Runtime tab is a pair of glasses, you are already in edit mode.
5 Click the Manage Security Stores button. This updates the User Management pane
to show the current User Stores on the left and the current Login Modules.
6 If the UME User Store is not already selected, select it.
Click the Add Login Module button near the lower right.
7 In the Choose editor for login module options window, leave Use a specific
editor for the login module options unchecked. You do not need to fill in an editor
class name. Click OK.
8 Add the Centrify login module in the Add Login Module window. Enter the following
for the corresponding parameter.
So far the Add Login Module window should look like this.
...
9 Set the CentrifySpnegoLoginModule options. The Login Module Options table lists the
options. For all options that have a default you do not need to enter them unless you want
to change the default value.
10 Enter the authentication scheme options and click the OK button to add the module. The
Authentication scheme options and behavior table lists all valid enableAuthSchemes
combinations for specifying browser and Centrify plug-in behavior.
To see how the options you set on this page interact with UME, AD and other settings, refer
to “Set up user mapping” on page 33 in the next chapter.
1 Go to the NetWeaver Administration page of the SAP Java system. Go to Configuration
> Security > Authentication and Single Sign-on.
2 On the Login Modules subtab, click Create.
The Login Module Options table lists all the options. For all options that have a default
you do not need to enter them unless you want to change the default value.
4 Enter the authentication scheme options and click the OK button to add the module. The
Authentication scheme options and behavior table lists all valid enableAuthSchemes
combinations for specifying browser and Centrify plug-in behavior.
5 Click Save.
2 In the tree view on the left, navigate to Server server_name > Services > Security
Provider.
3 Click the Policy Configurations tab and then the Authentication tab.
4 Click the pencil icon (the Switch to Edit Mode button) above the tabs.
Note If the icon above the Runtime tab is a pair of glasses, you are already in edit mode.
5 In the components list on the left, select the ticket template; on the right, select No for
the Authentication template.
6 Select each login module currently configured for ticket and click the Remove button
at the bottom of the window.
e The final login stack should look like the following figure.
Skip Step 8.
After you restart the SAP server and confirm Active Directory authentication is
working, go to Appendix A, Mixed Authentication and deploy the CentrifyRedirectApp
application included in the package.
8 If you do NOT plan to use mixed authentication set the sap.com/irj*irj Authentication
Template to “ticket” in the Visual Administrator. On the left side of the right frame,
scroll down and click on sap.com/irj*irj (iView Runtime for Java). On the right side,
for Authentication template, select ticket.
9 Click the glasses icon above the Runtime tab to switch to read-only mode.
Note If the icon above the Runtime tab is a pencil, you are already in read-only mode.
10 Restart the SAP server so the changes take effect, and wait for all applications to start:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]
This process may take several minutes. For suggested ways to check for completion, refer to
“Checking that applications have loaded” on page 15.
After SAP restarts, authentication to the Portal proceeds as described in the table above.
Note If you are logged in as an Active Directory user and want to access the SAP NetWeaver
Administrator role, make sure your Active Directory username is mapped to a user in the
NetWeaver UME with administrator privileges. If your Active Directory username is not
mapped to a UME user with administrator privileges, allow that AD authentication to fail
and then log in again as a UME user with administrator privileges.
6 Click Save.
Final Steps
This chapter describes the final steps to integrate SAP NetWeaver with Active Directory
using DirectControl for NetWeaver, and to verify that authentication and user mapping
take place as intended.
This chapter discusses the following topics:
Set up user mapping
Make optional adjustments to single sign-on behavior
Verify the installation
Setup for direct mapping from Active Directory
To configure the login module stack in SAP 7.0, see Substep d on page 30; for SAP 7.3/
7.4/7.5, see Substep e on page 32.
3 Make sure the name contained in the specified AD user entry attribute is the same as the
user name in the UME.
2 Log in as administrator.
3 Go to the System Management tab, Administration subtab.
4 Click Identity Management on the left side.
5 Click the Create User button.
6 For the Logon ID, enter the Active Directory login ID.
7 Click Save All Changes.
2 Log in as administrator.
3 Go to Configuration > Identity Management on the left side.
4 Click the Configuration button.
5 Click the Create User button.
6 For the Logon ID, enter the Active Directory login ID.
This process may take several minutes. For suggested ways to check for completion, refer
to “Checking that applications have loaded” on page 15.
3 Find the custom attribute in the user's profile.
4 Set the user's custom attribute in the UME to the user’s UPN in Active Directory.
The usernameConfig option is set to a different value (for example, altAttribute), but
the namespace option is left at its default value. The login module looks for the UME
custom attribute at com.sap.security.core.usermanagement:altAttribute.
The usernameConfig option is at its default value, but the namespace option is set to a
different value (for example, com.a.b.c) to distinguish the Centrify instance of
CdcUserName from the SAP instance of CdcUserName. The login module looks for the
UME custom attribute at com.a.b.c:CdcUserName.
Setup for mapping by SAP custom attribute
For example, if you entered mynamespace for the namespace option and use the default
value CdcUserName for usernameConfig in the Login Module stack, specify:
mynamespace:CdcUserName
This process may take several minutes. For suggested ways to check for completion, refer
to “Checking that applications have loaded” on page 15.
When you sign back in to the NetWeaver Administrator Web page, you find a field called
CdcUserName in the Customized Information section. Set this field to the Active
Directory user login ID or the user's UPN in Active Directory. When someone signs in to
an SAP Web application using an Active Directory user name, the application identifies that
person as the corresponding SAP user.
To set the custom attribute in a user's profile:
1 Go to the NetWeaver Administrator web page.
2 Log in as an AD user who maps to a UME username with SAP administrator privileges.
3 Click the Administration tab.
4 Click Identity Management.
5 In Search Criteria, enter the user name and click Go.
6 If the correct user is listed, select that user’s row. Details of the user will appear.
You should see text fields with custom attributes; for example, a value for CdcUserName.
9 Type the user's UPN in the CdcUserName field and click Save.
Mapping resolution order for the Active Directory user jeandoe. In each row, O is a
Centrify login module or login module stack option, A is an AD user entry attribute, N is a
UME user name and C is a UME custom attribute; "=" gives the value of each.

Step 1 (ADMappingVariable)
If O ADMappingVariable = firstNameHireNum, A firstNameHireNum = jean10256 and
N = jean10256: AD user jeandoe maps to jean10256.
But if O ADMappingVariable = firstNameHireNum, A firstNameHireNum = jean10256 and
N = [no match]: goes to step 2.
Or if O ADMappingVariable = firstNameHireNum and A firstNameHireNum = [attr absent or
not set]: goes to step 2.
Or if O ADMappingVariable = [default state: not set]: goes to step 2.

Step 2 (sAMAccountName)
If A sAMAccountName = jeandoe and N = jeandoe: AD user jeandoe maps to jeandoe.
But if A sAMAccountName = jeandoe and N = [no match]: goes to step 3.

Step 3 (usernameConfig custom attribute)
Specify O usernameConfig = CdcUserName or [empty]; with A userPrincipalName =
jdoe@domain.com and N = jean999 having C CdcUserName = jdoe@domain.com: AD user
jeandoe maps to jean999.
Or with O usernameConfig = altAttribute; with A userPrincipalName = jdoe@domain.com
and N = jean999 having C altAttribute = jdoe@domain.com: AD user jeandoe maps to
jean999.
Or with O usernameConfig = CdcUserName and O namespace = com.a.b.c; with
A userPrincipalName = jdoe@domain.com and N = jean999 having
C com.a.b.c:CdcUserName = jdoe@domain.com: AD user jeandoe maps to jean999.
But if, for any of the options, C [whichever UME target] = [no match]: AD user mapping
fails.
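The resolution order in the table above and the usernameConfig/namespace lookup described under "Setup for direct mapping from Active Directory", as an added Python illustration that is not Centrify's code. The dictionary layout of the AD entry and UME users, the default namespace value taken from the description above, and treating an ambiguous UPN match as a failure are assumptions of the example.

```python
# Added illustration (not Centrify's code) of the three-step AD-to-UME mapping order:
# ADMappingVariable, then sAMAccountName, then the UME custom attribute holding the UPN.

# Constructed AD entry for the jeandoe example used in the mapping table.
AD_JEANDOE = {
    "sAMAccountName": "jeandoe",
    "userPrincipalName": "jdoe@domain.com",
    "firstNameHireNum": "jean10256",
}

# Defaults as described in the guide: namespace and usernameConfig when left unset.
DEFAULT_NAMESPACE = "com.sap.security.core.usermanagement"
DEFAULT_USERNAME_CONFIG = "CdcUserName"


def custom_attribute_key(options):
    """Return the 'namespace:attribute' key the module looks up in the UME profile."""
    namespace = options.get("namespace") or DEFAULT_NAMESPACE
    attribute = options.get("usernameConfig") or DEFAULT_USERNAME_CONFIG
    return f"{namespace}:{attribute}"


def resolve_ume_user(options, ad_entry, ume_users):
    """Map an authenticated AD user to a UME user name, or return None on failure.

    options   -- login module options (ADMappingVariable, usernameConfig, namespace)
    ad_entry  -- the AD user's attributes (assumed dict layout)
    ume_users -- {ume_user_name: {"namespace:attribute": value, ...}} (assumed layout)
    """
    # Step 1: the AD attribute named by ADMappingVariable must equal a UME user name.
    mapping_attr = options.get("ADMappingVariable")
    if mapping_attr:
        candidate = ad_entry.get(mapping_attr)
        if candidate and candidate in ume_users:
            return candidate
    # Step 2: sAMAccountName must equal a UME user name.
    sam = ad_entry.get("sAMAccountName")
    if sam and sam in ume_users:
        return sam
    # Step 3: a UME custom attribute (namespace:usernameConfig) holds the AD UPN.
    key = custom_attribute_key(options)
    upn = ad_entry.get("userPrincipalName")
    if upn:
        matches = [name for name, attrs in ume_users.items() if attrs.get(key) == upn]
        # Assumption of this example: if two UME users carry the same UPN the mapping
        # is ambiguous and is treated as a failure rather than picking either one.
        if len(matches) == 1:
            return matches[0]
    return None


def table_scenarios():
    """Re-run the rows of the mapping table; returns {row: mapped UME user or None}."""
    default_key = custom_attribute_key({})
    return {
        "step1_match": resolve_ume_user(
            {"ADMappingVariable": "firstNameHireNum"}, AD_JEANDOE, {"jean10256": {}}),
        "step1_no_match_falls_to_step2": resolve_ume_user(
            {"ADMappingVariable": "firstNameHireNum"}, AD_JEANDOE, {"jeandoe": {}}),
        "step2_match": resolve_ume_user({}, AD_JEANDOE, {"jeandoe": {}}),
        "step3_default": resolve_ume_user(
            {}, AD_JEANDOE, {"jean999": {default_key: "jdoe@domain.com"}}),
        "step3_altAttribute": resolve_ume_user(
            {"usernameConfig": "altAttribute"}, AD_JEANDOE,
            {"jean999": {f"{DEFAULT_NAMESPACE}:altAttribute": "jdoe@domain.com"}}),
        "step3_namespace": resolve_ume_user(
            {"namespace": "com.a.b.c"}, AD_JEANDOE,
            {"jean999": {"com.a.b.c:CdcUserName": "jdoe@domain.com"}}),
        "no_match_fails": resolve_ume_user({}, AD_JEANDOE, {"someoneelse": {}}),
    }


if __name__ == "__main__":
    for row, result in table_scenarios().items():
        print(f"{row}: {result}")
```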
Make optional adjustments to single sign-on behavior
This process may take several minutes. For suggested ways to check for completion, refer
to “Checking that applications have loaded” on page 15.
To verify the change, create a new SAP user account; log in as that user; when requested to
change the account password, see if you can change it without first authenticating to
DirectControl.
3 Scroll to the ume.logoff.redirect.url property and configure the fully qualified logout
URL.
4 Click the Apply Changes icon (which looks like a floppy disk).
5 Restart the SAP server so the updates take effect. Log in as sidadm and run:
This process may take several minutes. For suggested ways to check for completion, refer
to “Checking that applications have loaded” on page 15.
To verify the change after configuring and deploying DirectControl for NetWeaver, log in
to SAP Portal as a NetWeaver user and log out again. Make sure you are not automatically
logged back in.
Set up browsers for authentication
3 Open network.automatic-ntlm-auth.trusted-uris.
4 Type a comma-separated list of partner URLs or domain names and click OK.
Note You can use wildcards (for example, *.company.com); however, for the sake of
security, make this list as restrictive as possible.
Mozilla Firefox supports negotiated (SPNEGO) authentication, but not by default. To enable
silent SPNEGO authentication, continue as follows:
5 Type neg in the Filter field.
6 Open network.negotiate-auth.delegation-uris, type a comma-separated list of
partner URLs or domain names as string values, and click OK.
Note For security reasons, make this list as restrictive as possible. If your Web server uses
SSL, be sure to include https:// in the string.
7 Open network.negotiate-auth.trusted-uris, type a comma-separated list of partner
URLs or domain names, and click OK.
Configuring Safari
Safari does not require any configuration to work with DirectControl for NetWeaver.
3 Log in as an AD user, and note the login behavior of the system when you attempt to use
NetWeaver.
4 To test individual user mapping, log in as an Active Directory user and verify that the
expected mapping occurs (page 12) in each scenario you expect users to encounter; for
example:
Change Active Directory attributes and values, and UME default and custom
attributes, and verify that the expected mapping occurs in each case.
Change values in the login modules in the login module stack (page 29), and check for
expected outcomes in each scenario.
A list of troubleshooting scenarios and solutions can be found on page 55.
5 To check Kerberos authentication in a clustered environment behind a reverse proxy
(page 62) or load balancer (page 63), ask IT to create both routine and edge conditions
for the cluster, and then verify expected outcomes.
If problems occur, refer to the troubleshooting section (page 52) in the next chapter. If
problems persist, go to www.centrify.com/support and log in for the Technical Support
contact information.
Chapter 4
Log Files
SAP NetWeaver separates log files from trace files:
Log files are operation log messages that are written to categories. Categories have
names that start with a slash (/) and are specific to an area; for example, /System/
Network.
Trace files are debug log messages that are written to locations. Locations have names
made up of components separated by dots (.); for example, com.sap.tc.security.
In both cases the names are hierarchical; for example, if the log level for
com.centrify.dc.netweaver is not set, it inherits the log level for com.centrify.dc.
Log configuration
For details about log configuration, see the section for the version of SAP you are using:
“For SAP 7.0” on page 44
“For SAP 7.3/7.4/7.5:” on page 47
Before configuring logging, you need to deploy and configure DirectControl for
NetWeaver, and restart NetWeaver. When DirectControl for NetWeaver is loaded, the
following categories and locations are automatically created in the Visual Administrator.
4 Select the severity level and click Apply (the floppy-disk icon).
Before configuring logging, you need to deploy and configure DirectControl for
NetWeaver, and restart NetWeaver.
Log viewing
You can view log messages from category and locations in two ways: using a text editor, or
using NetWeaver Administrator Log Viewer (the easiest way to see the logs from a GUI).
Note Centrify log messages are always preceded by a timestamp in the format yyyy.mm.dd
hh:mm:ss:sss zone, so that you can see when a message was logged even in an ordinary text editor.
4 To see trace messages for a location, search for the location or class name; for example,
com.centrify.dc.netweaver.CentrifySpnegoLoginModule.
#1.5#000C29A1D5CF006C0000003A0000497B0004967581F005ED#1291331342173#com.centrify.dc.netweaver.CentrifyLoginModule#sap.com/tc~wd~dispwda#com.centrify.dc.netweaver.CentrifyLoginModule#Guest#0##n/a##26e0c490fe6911df8daa000c29a1d5cf#SAPEngine_Application_Thread[impl:3]_0##0#0#Debug##Plain###2010.12.02 15:09:02:173 PST exiting method: commit#
The first line shows a message logged to both the category /System/Security/Centrify
and the location com.centrify.dc.netweaver.CentrifySpnegoLoginModule at severity
INFO. The message is the string 2010.12.02 13:36:41:552 PST login: Got status :
ERROR from CentrifyAuth.authenticate().
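A small parser for the #-delimited trace entry quoted above, as an added Python example that is not part of the guide or of Centrify's software. It pulls out the epoch timestamp, location, user, severity and message, then splits the Centrify yyyy.mm.dd hh:mm:ss:sss zone prefix off the message and checks that the two clocks agree; field positions are taken from the sample entry, and the PST-to-UTC offset and the severity names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed copy of the trace entry quoted above, re-joined onto one line.
SAMPLE_ENTRY = (
    "#1.5#000C29A1D5CF006C0000003A0000497B0004967581F005ED#1291331342173#"
    "com.centrify.dc.netweaver.CentrifyLoginModule#sap.com/tc~wd~dispwda#"
    "com.centrify.dc.netweaver.CentrifyLoginModule#Guest#0##n/a##"
    "26e0c490fe6911df8daa000c29a1d5cf#SAPEngine_Application_Thread[impl:3]_0"
    "##0#0#Debug##Plain###2010.12.02 15:09:02:173 PST exiting method: commit#"
)

# Assumed set of severity names used to locate the severity field.
SEVERITIES = {"Debug", "Path", "Info", "Warning", "Error", "Fatal"}

# Centrify prefixes every message with "yyyy.mm.dd hh:mm:ss:sss zone".
CENTRIFY_STAMP = re.compile(
    r"^(\d{4})\.(\d{2})\.(\d{2}) (\d{2}):(\d{2}):(\d{2}):(\d{3}) ([A-Z]{2,5}) (.*)$"
)

# Zone abbreviations the consistency check understands (assumed offsets in hours).
ZONE_OFFSETS = {"PST": -8, "PDT": -7, "UTC": 0, "GMT": 0}


def parse_entry(line):
    """Split one trace entry into its fields; positions follow the sample entry."""
    fields = line.strip().split("#")
    # The engine timestamp is the first 13-digit field (milliseconds since the epoch);
    # the message is the last non-empty field; severity is matched by name.
    epoch_ms = int(next(f for f in fields if f.isdigit() and len(f) == 13))
    severity = next((f for f in fields if f in SEVERITIES), None)
    message = next(f for f in reversed(fields) if f)
    utc_time = (datetime.fromtimestamp(epoch_ms // 1000, tz=timezone.utc)
                + timedelta(milliseconds=epoch_ms % 1000))
    return {
        "epoch_ms": epoch_ms,
        "utc_time": utc_time,
        "location": fields[4],
        "application": fields[5],
        "user": fields[7],
        "severity": severity,
        "message": message,
    }


def centrify_timestamp(message):
    """Split the Centrify timestamp prefix off a message; (None, message) if absent."""
    m = CENTRIFY_STAMP.match(message)
    if not m:
        return None, message
    y, mo, d, h, mi, s, ms, zone, text = m.groups()
    offset = ZONE_OFFSETS.get(zone)
    if offset is None:
        return None, message
    stamped = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                       int(ms) * 1000, tzinfo=timezone(timedelta(hours=offset)))
    return stamped, text


def entry_summary(line):
    """Summarise an entry and report whether the engine and Centrify clocks agree."""
    entry = parse_entry(line)
    stamped, text = centrify_timestamp(entry["message"])
    return {
        "utc": entry["utc_time"].strftime("%Y-%m-%d %H:%M:%S.%f")[:-3],
        "severity": entry["severity"],
        "location": entry["location"],
        "user": entry["user"],
        "text": text,
        "clocks_agree": stamped is not None and stamped == entry["utc_time"],
    }


if __name__ == "__main__":
    for key, value in entry_summary(SAMPLE_ENTRY).items():
        print(f"{key}: {value}")
```

A disagreement between the engine timestamp and the Centrify prefix on an entry is worth investigating, since the two are written by different layers of the same login attempt.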
Troubleshooting
This section describes the most commonly encountered error conditions and solutions.
Make sure the environment variable is set in the startup configuration file (.cshrc,
.bashrc, and so on) for the shell the SAP administrator will be using.
Deployment errors
Symptom: You click the Start Deployment button in the Software Deployment
Manager, and deployment succeeds for the .sda file, but then fails for the .ear file.
=================================================
Deployment started Fri Dec 10 10:59:22 PST 2010
=================================================
Starting Deployment of CentrifyLoginModuleLibrary
Finished successfully: development component
'CentrifyLoginModuleLibrary'/'centrify.com'/'localhost'/
'2010.03.02.13.49.33'/'0'
Deployment of CentrifyLoginModuleLibrary finished successfully (Duration
6223ms)
Cause: You selected both the .sda and the .ear for deployment in the same operation.
Solution: Be sure to stop and restart SAP after deploying a module and before deploying
any other module.
Symptom: If you click Next to advance from Step 2 to Step 3 in the Software
Deployment Manager, the following error message appears.
Authentication errors
Authentication errors result from failures in the login module stack (see “Load and Configure
Centrify login module” on page 24).
Solution: Check the following table, which summarizes the effect of each control flag on the
stack.
Mixed Authentication
DirectControl for NetWeaver supports mixed authentication, in which some users are
authenticated by Active Directory and some by NetWeaver UME. One such scenario is a
phased roll-out of DirectControl for NetWeaver; for example, in the first phase only
engineering would be authenticated by Active Directory while others still would authenticate
using the previous method. In the second phase, engineering and support would be
authenticated by AD while others remain authenticated by the previous method and in the last
phase, everyone would be converted to Active Directory authentication.
This appendix explains how to install the CentrifyRedirectApp.ear application to support
mixed authentication.
Note If mixed authentication is not used, then once the Centrify login module has been added,
users who have not been migrated to Active Directory get an “Authentication Failed” error
message when they try to log in to the NetWeaver portal.
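The control-flag table referred to under Authentication errors, and the “Authentication Failed” note above, both come down to how a NetWeaver login module stack evaluates the JAAS flags REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL. The following Python block is an added example, not Centrify or SAP code: it implements the JAAS login-phase rules and runs two constructed stacks (Centrify module REQUIRED, and Centrify module SUFFICIENT with the UME password module behind it) against two constructed users, showing why an unmigrated user fails in the first arrangement and is still answered by UME in the second. The module names are the ones this guide uses; the flags and outcomes are assumptions for illustration, not the settings prescribed by the guide's table.

```python
"""Evaluate a JAAS login module stack under the REQUIRED, REQUISITE,
SUFFICIENT and OPTIONAL control flags.

Added example for this guide, not Centrify or SAP code. NetWeaver AS Java
login module stacks use the JAAS control flags, and the rules coded here are
the JAAS ones. The stacks and per-module outcomes below are constructed to
show why a user not yet migrated to Active Directory gets "Authentication
Failed" once the Centrify module is REQUIRED, and how a SUFFICIENT Centrify
module lets UME answer for such a user. They are not the flags this guide's
table prescribes.
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


def evaluate_stack(stack, outcomes):
    """Run the login phase of a JAAS LoginContext over `stack`.

    stack:    list of (module_name, control_flag) in stack order
    outcomes: dict module_name -> bool, what that module's login() returns
    Returns (authenticated, consulted); consulted lists the modules actually
    called, in order, so the short-circuits are visible."""
    consulted = []
    required_failed = False        # a REQUIRED or REQUISITE module has failed
    any_success = False
    has_required = any(flag in (REQUIRED, REQUISITE) for _, flag in stack)
    for name, flag in stack:
        ok = outcomes.get(name, False)
        consulted.append(name)
        any_success = any_success or ok
        if flag == REQUISITE and not ok:
            return False, consulted    # stop at once; overall failure
        if flag == REQUIRED and not ok:
            required_failed = True     # keep going, but the result is already fixed
        if flag == SUFFICIENT and ok and not required_failed:
            return True, consulted     # success; the rest of the stack is skipped
        # OPTIONAL never decides on its own; a failing SUFFICIENT just falls through
    if required_failed:
        return False, consulted
    if has_required:
        return True, consulted         # every REQUIRED/REQUISITE module succeeded
    return any_success, consulted      # only SUFFICIENT/OPTIONAL modules: one must succeed


CENTRIFY = "CentrifySpnegoLoginModule"   # module name from this guide
UME = "BasicPasswordLoginModule"         # NetWeaver UME password module, from this guide

# Constructed stacks (assumed flags, for illustration).
STRICT_STACK = [(CENTRIFY, REQUIRED), (UME, SUFFICIENT)]
MIXED_STACK = [(CENTRIFY, SUFFICIENT), (UME, REQUIRED)]
REQUISITE_STACK = [(CENTRIFY, REQUISITE), (UME, OPTIONAL)]

# Constructed outcomes: an AD user whose browser presents a Kerberos ticket,
# and a user who exists only in UME and can type a password.
AD_USER = {CENTRIFY: True, UME: False}
UME_ONLY_USER = {CENTRIFY: False, UME: True}


def main():
    stacks = (("strict", STRICT_STACK), ("mixed", MIXED_STACK), ("requisite", REQUISITE_STACK))
    for label, stack in stacks:
        for who, outcome in (("AD user", AD_USER), ("UME-only user", UME_ONLY_USER)):
            ok, consulted = evaluate_stack(stack, outcome)
            verdict = "ok" if ok else "Authentication Failed"
            print(f"{label:9} {who:13} -> {verdict:21} (consulted {', '.join(consulted)})")


if __name__ == "__main__":
    main()
```

Note the short-circuit in the mixed stack: when the Centrify module succeeds, the UME module is never consulted, which is what makes a phased roll-out possible without forcing every user through both modules.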
Set up mixed authentication
Load
In the following steps you load CentrifyRedirectApp.ear into the SAP Software
Deployment Manager and configure the module to enforce a systematic authentication
process using Active Directory and/or UME.
Note You use the same procedure to load CentrifyRedirectApp.ear as you did to load
CentrifyLoginModuleLibrary.sda.
2 Click SDM Gui > Login. Enter the password for the NetWeaver SDM server.
Note This password might be different from the SAP administrator password.
2 In the tree view on the left, navigate to Server server_name > Services > Security
Provider.
3 Click the Policy Configurations tab and then the Authentication tab.
4 Click the pencil icon (the Switch to Edit Mode button) above the tabs.
Note If the icon above the Runtime tab is a pair of glasses, you are already in edit mode.
5 In the components list on the left, select the ticket template.
6 Select the CentrifySpnegoLoginModule and click the Modify button. The table
Authentication scheme options and behavior describes all of the options. Three options are
associated with the mixed authentication. They specify the redirect URLs for different
conditions:
CentrifySpnegoLoginModule options
7 Click the glasses icon above the Runtime tab to switch to read-only mode.
Note If the icon above the Runtime tab is a pencil, you are already in read-only mode.
8 Restart the SAP server so the changes take effect, and wait for all applications to start:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]
This process may take several minutes. For suggested ways to check for completion, refer to
“Checking that applications have loaded” on page 15.
User procedures
After SAP restarts, the system is set up to accommodate AD users who are already mapped
to UME users, and those who are not mapped:
Users to be authenticated by UME (not using Active Directory) should use the standard
portal URL to access the NetWeaver portal.
Users to be authenticated by AD should use the URL of the Centrify redirect application
to access NetWeaver: http://sap_server_system:50000/centrifydc-redirect.
Note External users accessing the portal from Internet Explorer may see an NTLM pop-up; the
usual cause is that the URL has not been added to Internet Explorer's local intranet security
zone. For details, refer to “Set up Internet Explorer” on page 41.
Clustered Environments
This appendix explains how to install the DirectControl for NetWeaver package in a clustered
environment.
The following topics are covered:
Centrify software requirements
Configure a clustered environment with a reverse proxy
Configure a clustered environment with a load balancer
In addition, the Kerberos keytabs for each server must be the same. The following
instructions tell you how to copy the keytab across systems.
The next two sections provide sample, step-by-step instructions you can customize for your
environment to set up Active Directory authentication in a clustered environment with a
reverse proxy and then with a load balancer.
Configure a clustered environment with a reverse proxy
1 Confirm that you have the DirectControl agent (adclient) and the DirectControl for
NetWeaver package installed as required.
2 If the servers are already joined to the domain (run adinfo to find out), run adleave on
each UNIX machine to “unjoin.”
3 On machine A, run the following command to join machine A to the domain with aliases
for B and C:
adjoin -a B -a B.domain.com -a C -a C.domain.com domain.com
Add another -a (--alias) option for each additional application server. (See the Centrify Suite
Administrator’s Guide for the description of the adjoin command.)
4 If A has more than one hostname, use the following command to add hostnames:
adkeytab -a -P http/other_host_name
5 On machine A, run the following commands to replicate the keytabs from machine A onto
machines B and C:
cd /
tar cvfz cluster.tgz /etc/krb5.keytab /var/centrifydc/kset.*
scp cluster.tgz B:/
scp cluster.tgz C:/
If you have additional servers, run scp to copy cluster.tgz to each one. The archive holds
machine A's Kerberos keys, so make sure it is readable by root only, and delete it from every
machine once Step 6 has been completed.
6 On machines B and C (and each additional server), run the following commands to install
the keytabs from machine A and to start adclient:
cd /
tar xvfz cluster.tgz
/usr/share/centrifydc/bin/centrifydc start
Note If the password for machine A is changed, run Step 5 and Step 6 after every change. This
password is changed transparently in a protocol initiated by Active Directory; that is, Active
Directory prompts the DirectControl agent for a new account password on an interval defined
in the DirectControl adclient.krb5.password.change.interval configuration parameter
(see the Configuration Parameters Reference Guide for the description). The DirectControl agent
then automatically generates a new password for the computer account and issues the new
password to Active Directory. The default interval is 28 days.
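Step 5 and Step 6 only work if every application server ends up with the same keys for the HTTP/ service principal, and the same requirement applies to the load balancer configuration that follows, where each node is given its own keytab for the centrifyprod account. The following Python block is an added check, not Centrify code: it reads MIT-format keytabs (file format version 0x0502), extracts principal, kvno and encryption type for a chosen SPN, and reports any node whose entries differ from the others, which is the first thing to look at when adinfo shows a node connected but Kerberos logins fail on only some of the cluster. The keytabs here are constructed in memory with dummy key bytes so the block runs offline; the ACE.COM realm, the HTTP/LB.ace.com SPN and the hosts B and C follow the load balancer example below, while the host/ principals and kvno values are assumptions.

```python
"""Check that cluster members hold the same Kerberos keys for a service principal.

Added example for this guide, not Centrify code. It reads MIT-format keytabs
(file format version 0x0502) and compares, per host, the entries for one SPN.
The keytabs below are constructed in memory with dummy key bytes so the block
runs offline; the realm ACE.COM, the HTTP/LB.ace.com SPN and the host names
B and C follow the guide's load balancer example, the host/ principals and
kvno values are assumptions. Real keytabs contain secret keys: read them as
root and never paste their contents into a ticket or a chat.
"""
import struct

KEYTAB_V2 = 0x0502
SPN = "HTTP/LB.ace.com@ACE.COM"


def _counted(data, pos):
    """Read a counted octet string (uint16 length, then that many bytes)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return (principal, kvno, enctype, key) tuples from keytab bytes."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_V2:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                              # deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        pos += 4 + 4                              # name_type, timestamp
        kvno = data[pos]                          # 8-bit vno
        pos += 1
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        if end - pos >= 4:                        # 32-bit vno present: it wins
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
    return entries


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples; used here only to
    construct sample keytabs (adkeytab or ktutil write the real ones)."""
    out = bytearray(struct.pack(">H", KEYTAB_V2))
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">I", 1)              # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1291331342)     # timestamp (constructed)
        body += struct.pack(">B", kvno & 0xFF)
        body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def load_keytab(path):
    """Read a keytab file; run as root, /etc/krb5.keytab is mode 600."""
    with open(path, "rb") as fh:
        return fh.read()


def compare_keytabs(spn, keytabs):
    """keytabs: dict host -> keytab bytes. Returns a list of problems; an empty
    list means every host holds identical (kvno, enctype, key) entries for spn."""
    problems, views = [], {}
    for host, data in keytabs.items():
        views[host] = {(kvno, enc): key for p, kvno, enc, key in parse_keytab(data) if p == spn}
        if not views[host]:
            problems.append(f"{host}: no entry for {spn}")
    hosts = sorted(views)
    for a, b in zip(hosts, hosts[1:]):
        for k in sorted(set(views[a]) | set(views[b])):
            if views[a].get(k) != views[b].get(k):
                problems.append(f"{a} and {b} differ for kvno {k[0]} enctype {k[1]}")
    return problems


# Constructed sample keytabs. Enctype 17 = aes128-cts-hmac-sha1-96, 18 = aes256-cts-hmac-sha1-96.
ENTRIES_B = [("host/B.ace.com@ACE.COM", 5, 18, b"\x0b" * 32),
             (SPN, 3, 17, b"\x11" * 16), (SPN, 3, 18, b"\x22" * 32)]
# Machine C still holds the keys from before the last centrifyprod password change.
ENTRIES_C = [("host/C.ace.com@ACE.COM", 4, 18, b"\x0c" * 32),
             (SPN, 2, 17, b"\x33" * 16), (SPN, 2, 18, b"\x44" * 32)]
KEYTAB_B, KEYTAB_C = build_keytab(ENTRIES_B), build_keytab(ENTRIES_C)


def main():
    print("before copying:", compare_keytabs(SPN, {"B": KEYTAB_B, "C": KEYTAB_C}) or "keytabs agree")
    print("after copying: ", compare_keytabs(SPN, {"B": KEYTAB_B, "C": KEYTAB_B}) or "keytabs agree")


if __name__ == "__main__":
    main()
```

On a real cluster, collect /etc/krb5.keytab from each node with load_keytab and pass them to compare_keytabs with the SPN the front end presents (http/B.domain.com and the aliases in the reverse proxy case, HTTP/LB.ace.com in the load balancer case). Comparing only the chosen SPN is deliberate: the host/ entries legitimately differ between machines, so a whole-file comparison would always report a mismatch in the load balancer setup.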
Configure a clustered environment with a load balancer
In this demonstration:
the DirectControl agent and DirectControl for NetWeaver software are already installed
on servers B and C (do not install either software package on the load balancer)
the load balancer hostname is LB
the servers behind the load balancer are named B and C
the domain is ace.com.
The following figure summarizes the steps for a two-server configuration. For each additional
machine, perform Step 8 once more on B, and Step 9 through Step 16 on each additional
machine.
This procedure requires users who have the following permissions:
Create user account on Active Directory on the domain controller
Add a new service principal name to the user account on the domain controller
Change service account password from the UNIX computer.
1 Confirm that you have the DirectControl agent (adclient) and the DirectControl for
NetWeaver package installed as required.
Unless they are already joined to the domain, run adjoin on machines B and C (and all
other application servers) to join them.
2 Create a new Active Directory account called centrifyprod. Verify that the user principal
name (UPN) is centrifyprod@ace.com.
Note To have setspn available to run in Step 3 and Step 4, you need to install Windows
Support Tools.
3 From a Windows system with Windows Support Tools installed, run the setspn command
to add a new service principal name (SPN) to the user account:
setspn -a HTTP/LB.ace.com centrifyprod
setspn -a registers the SPN without checking whether another account already holds it, and a
duplicate SPN breaks Kerberos authentication for every server behind LB. On newer Windows
versions, setspn -Q HTTP/LB.ace.com shows any existing holder, and setspn -S adds the SPN only
if it is unique.
Note To run this adkeytab command the user must have write permission to change the
password for the service account and read/write permission to the userAccountControl
attribute of that account.
The --user option specifies the new account created by the AD admin; --local updates the
keytab file on the computer (in this case, machine B) without changing the password in AD, and
--newpassword specifies the new password (required by the --local option). (This example
uses the same sample encryption types as above.) See the adkeytab description in the Centrify
Suite Administrator’s Guide for the full explanation of each option.
13 Copy the new keytab to the default location with the appropriate name:
cp /etc/krb5/krb5.keytab.new /etc/krb5/krb5.keytab
16 Run adinfo and check that adclient goes into a connected state. If adclient reports that
it is disconnected, something has gone wrong in the setup.
Note If the password for the centrifyprod Active Directory account is changed, run Step 5
through Step 16 after every change. The automatic password rotation described in the note for
machine A applies to computer accounts (the DirectControl agent renews the computer account
password on the interval set by adclient.krb5.password.change.interval, 28 days by default;
see the Configuration Parameters Reference Guide). It does not renew the centrifyprod service
account: that password stays the same until an administrator changes it, and every application
server's keytab must then be updated to match.