
Centrify Suite

DirectControl for NetWeaver AS Java


April 2016

Centrify Corporation
     

Legal notice
This document and the software described in this document are furnished under and are subject to the terms of a
license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or
non-disclosure agreement, Centrify Corporation provides this document and the software described in this
document “as is” without warranty of any kind, either express or implied, including, but not limited to, the
implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of
express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This document and the software described in this document may not be lent, sold, or given away without the prior
written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth
in such license agreement or non-disclosure agreement, no part of this document or the software described in this
document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means,
electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some
companies, names, and data in this document are used for illustration purposes and may not represent real
companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the
information herein. These changes may be incorporated in new editions of this document. Centrify Corporation
may make improvements in or changes to the software described in this document at any time.
© 2004-2016 Centrify Corporation. All rights reserved. Portions of Centrify software are derived from
third party or open source software. Copyright and legal notices for these sources are listed separately in the
Acknowledgements.txt file included with the software.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the
U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48
C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for
non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use,
modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all
respects to the commercial license rights and restrictions provided in the license agreement.
Centrify, DirectControl, DirectAuthorize, DirectAudit, DirectSecure, DirectControl Express, Centrify User
Suite, and Centrify Server Suite are registered trademarks and Centrify for Mobile, Centrify for SaaS, Centrify for
Mac, DirectManage, Centrify Express, DirectManage Express, Centrify Identity Platform, Centrify Identity
Service, and Centrify Privilege Service are trademarks of Centrify Corporation in the United States and other
countries. Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and other countries.
Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103 B2; 9,112,846; and
9,197,670.
The names of any other companies and products mentioned in this document may be the trademarks or registered
trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies,
organizations, domain names, people and events herein are fictitious. No association with any real company,
organization, domain name, person, or event is intended or should be inferred.
Contents

About this guide ..... 6
    Intended audience ..... 6
    How this manual is organized ..... 6
    Document conventions ..... 7
    Full PDF search ..... 7
    Where to find more information ..... 7
        NetWeaver AS Java authentication ..... 8
        Operating systems and Microsoft Active Directory ..... 8
    Contacting Centrify ..... 8

Chapter 1 Product Overview ..... 9
    Summary of features ..... 9
    How the NetWeaver connection to DirectControl works ..... 9
    How authentication flow works ..... 11
    Overview of user mapping ..... 12
    Configuring single sign-on for SAP cloud-based applications ..... 12
    How to proceed ..... 13

Chapter 2 Installation and Configuration ..... 14
    Understand the procedural basics ..... 14
        SAP naming conventions ..... 14
        Checking that applications have loaded ..... 15
    Install DirectControl Agent on the NetWeaver host ..... 16
    Set library path for SAP administrator – UNIX ..... 16
    Set Java and library paths – Windows ..... 17
    Install and deploy DirectControl for NetWeaver ..... 19
        For SAP 7.0 ..... 19
        For SAP 7.3/7.4/7.5 ..... 21
    Configure the NetWeaver classloader to load Centrify login module ..... 22
        For SAP 7.0 ..... 22
        For SAP 7.3/7.4/7.5 ..... 23

3
     

    Load and Configure Centrify login module ..... 24
        For SAP 7.0 ..... 24
        For SAP 7.3/7.4/7.5 ..... 26
        Login Module Options ..... 28
        Authentication scheme options and behavior ..... 28
    Configure the Centrify login module stack ..... 29
        For SAP 7.0 ..... 29
        For SAP 7.3/7.4/7.5 ..... 32

Chapter 3 Final Steps ..... 33
    Set up user mapping ..... 33
        Setup for mapping by Active Directory attribute ..... 33
    Setup for direct mapping from Active Directory ..... 34
        For SAP 7.0 ..... 34
        For SAP 7.3/7.4/7.5 ..... 34
    Setup for mapping by SAP custom attribute ..... 35
        Create a UME custom attribute ..... 35
    Reference example: user mapping ..... 39
    Make optional adjustments to single sign-on behavior ..... 39
        Modify the password-change functionality ..... 40
        Configure logout for NetWeaver AS Java ..... 40
    Set up browsers for authentication ..... 41
        Set up Internet Explorer ..... 41
        Configuring Firefox to allow silent authentication ..... 42
        Configuring Safari ..... 43
    Verify the installation ..... 43

Chapter 4 Logging and Troubleshooting ..... 44
    Log Files ..... 44
    Log configuration ..... 44
        For SAP 7.0 ..... 44
        For SAP 7.3/7.4/7.5 ..... 47
        Log viewing ..... 48
        Viewing developer traces for SAP 7.3/7.4/7.5 ..... 51
    Troubleshooting ..... 52
        Command not found – UNIX ..... 52
        Command not found – Windows ..... 52
        Library not found – UNIX ..... 52
        Library or NetWeaver AS Java not found – Windows ..... 53
        Deployment errors ..... 53
        Authentication errors ..... 54
        User mapping errors ..... 55
        Login module stack does not work as intended ..... 55

Appendix A Mixed Authentication ..... 57
    How redirection works ..... 57
    Set up mixed authentication ..... 58
        Load ..... 58
        Configure login module options ..... 59
    User procedures ..... 60

Appendix B Clustered Environments ..... 61
    Centrify software requirements ..... 61
    Configure a clustered environment with a reverse proxy ..... 62
    Configure a clustered environment with a load balancer ..... 63

Index ..... 67



About this guide

This document describes DirectControl for NetWeaver, which enables NetWeaver J2EE
applications to use DirectControl as their authentication mechanism, provides users with
single sign-on (SSO) capability, and enables the administrator to disable user accounts
centrally in Active Directory (AD). Where applicable, separate instructions are provided for
SAP 7.0 and SAP 7.3/7.4/7.5.

Intended audience
This manual is intended for NetWeaver AS Java administrators and application developers
who have appropriate permissions in and working knowledge of the NetWeaver AS Java
environment.
This manual also assumes that the DirectControl Management Tools and DirectControl Agent
are installed on at least one computer in your environment.

How this manual is organized


This chapter explains documentation conventions, where to find further information, and
how to contact Centrify Corporation.
Chapter 1, “Product Overview” outlines how DirectControl and SAP NetWeaver AS Java are
integrated for single sign-on, authentication, and so on. The chapter also summarizes how the
integrated environment is set up.
Chapter 2, “Installation and Configuration” explains the steps to take after installing the
DirectControl Agent on the NetWeaver server.
Chapter 3, “Final Steps” explains how user mapping works, how to set up users for user
mapping, and optional adjustments to make so that single sign-on works seamlessly.
Chapter 4, “Logging and Troubleshooting” describes where to find DirectControl for
NetWeaver AS Java log files and how to interpret them; the most common error scenarios
and how to fix them; and what information to gather and send to Centrify customer support
to expedite problem resolution.
Appendix A, “Mixed Authentication” describes how to install the supplemental redirect
application included in the package that gives you the ability to have some NetWeaver users
log in using their Active Directory account and others who use just their UME account.
Appendix B, “Clustered Environments” describes how to install DirectControl for NetWeaver
in a clustered environment.


This guide includes an index.

Document conventions
The following conventions are used in this guide:
• Unless otherwise noted, the term UNIX refers to all supported versions of the UNIX,
Linux, and Macintosh OS X operating systems.
• Fixed-width font is used for sample code, program names, program output, file names,
and command-line commands. Italicized fixed-width font indicates variables such as
version numbers. In command-line reference information, square brackets ([ ]) indicate
optional arguments.
• Bold text is used to emphasize commands, buttons or user interface text, and to
introduce new terms.
• Italic text is used for book titles, and to emphasize specific words or terms.
• The variable release indicates a specific release number in file names. For example,
centrifydc-release-sol8-sparc-local.tgz refers to a release version of the DirectControl for
NetWeaver Agent for Solaris 8 on SPARC; if this file is for version 4.1.2,
the file name is centrifydc-4.1.2-sol8-sparc-local.tgz.

Full PDF search


Besides an index, the PDF version of the documentation offers a comprehensive search capability.
To access it, open the drop-down list to the right of the Find text box and select
Open Full Reader Search. You can search multiple documents by putting them in one
folder and browsing to that folder for your search. The page number appears if you let the
cursor hover over a results line.

Where to find more information


Be sure to refer to the package release notes before proceeding with installation and
configuration.
If you are unfamiliar with the Centrify Suite in general or DirectControl in particular, the
following books provide introductory and in-depth instructions and configuration information
relevant to DirectControl for NetWeaver AS Java installation and use:
• Centrify Suite Evaluation Guide describes how to set up an evaluation environment and use
DirectControl to test typical authentication and authorization scenarios, such as creating
zones, adding UNIX users, creating groups and assigning user privileges.
• Centrify Suite Administrator’s Guide describes how to use the DirectControl Administrator
Console and command line programs to manage UNIX computers, users, groups and
zones through Active Directory. This guide focuses on managing the environment after
deployment.
• Centrify Suite 2012 Planning and Deployment Guide provides guidelines, strategies, and best
practices to set up DirectControl to run in a production environment. Use this guide in
conjunction with the DirectControl Administrator’s Guide.

NetWeaver AS Java authentication


SAP makes documents available on help.sap.com, including the NetWeaver AS Java Security
Guide. Refer in particular to the section titled “Authentication Mechanisms and Single Sign-
On Integration.”

Operating systems and Microsoft Active Directory


You may also want to consult documentation for Windows, UNIX, Linux or Mac OS X, as
well as the documentation for Microsoft Active Directory.

Contacting Centrify
If you have a problem during DirectControl for NetWeaver software installation or
configuration, need help with Active Directory configuration, or want clarification on best
practices contact your Centrify System Engineer or Technical Support. Go to
www.centrify.com/support and login for the Technical Support contact information.



Chapter 1

Product Overview

This chapter summarizes the features of DirectControl for NetWeaver AS Java, how it
works, and how it is set up.
The following topics are covered:
• Summary of features
• How the NetWeaver connection to DirectControl works
• How authentication flow works
• Overview of user mapping
• Configuring single sign-on for SAP cloud-based applications

Summary of features
DirectControl for NetWeaver AS Java provides seamless user authentication methods for
NetWeaver applications via Active Directory user credentials, including Kerberos, NTLM,
BASIC or FORM. A user who has been configured with a UME/ABAP account can access
NetWeaver business applications with single sign-on (SSO). This capability increases user
satisfaction and reduces support desk calls to reset passwords and unlock accounts. In
addition, the administrator can use Active Directory to disable users’ NetWeaver accounts
centrally, immediately removing access to SAP NetWeaver, including Portal.
With Centrify’s SAP-certified login modules and DirectControl for NetWeaver AS Java
authentication, you can:
• Allow users to leverage their Active Directory credentials to access NetWeaver
• Centrally manage and enforce consistent passwords and other security policies
• Deploy single sign-on without intrusive changes to Active Directory
• Simplify compliance with regulatory requirements
• Maximize your investment in Active Directory

How the NetWeaver connection to DirectControl works


DirectControl provides an integration layer between Active Directory and non-Windows
operating system environments. The integration layer is the DirectControl Agent installed
on each UNIX server.


When a UNIX computer with the DirectControl Agent joins the Active Directory domain,
it becomes an Active Directory client for authentication, authorization, policy management
and directory services. To extend authentication services to NetWeaver servers and clients,
you then install login modules, and configure NetWeaver applications to handle login
requests via those modules. The login modules in turn handle authentication requests via
the DirectControl Agent.
After logging in (1 in the following figure) to a Windows Active Directory client, or a
UNIX box equipped with DirectControl, the user requests and receives a Kerberos ticket.
Using this ticket, the desktop client, via the browser, requests (2) a service ticket from the
Kerberos Key Distribution Center (KDC). This service ticket is forwarded to the login
module of the application that the user is trying to access (3). The DirectControl Agent on
the server validates the authentication request via Active Directory (4), and forwards the
response to the login module. The authenticated username is provided to the NetWeaver
server. The NetWeaver server compares this user ID with the UME data source, and if it is
valid (5), grants access to the user.


How authentication flow works


In production, the authentication flow for the DirectControl for NetWeaver solution has
four primary steps, as shown in the following figure.

1 The web browser uses the Simple and Protected GSS-API Negotiation Mechanism
(SPNEGO) to request access to the NetWeaver server. NetWeaver login module and
browser negotiate the appropriate level and type of authentication.
Note Kerberos is shown. SPNEGO also supports NTLM. DirectControl for NetWeaver
also implements HTTP BASIC and FORM authentication.
2 For Kerberos, the browser client requests a service ticket using the built-in Kerberos
Security Service Provider (SSP) from the Active Directory KDC or local cache. The web
browser presents this service ticket to the NetWeaver server.
3 The NetWeaver server validates the request ticket via the login module and the
DirectControl Agent. Once the request is successfully authenticated with Active
Directory, the authenticated username, group information and other attributes are
extracted.
4 The login module maps the authenticated user to the appropriate UME account and
grants access to the user.
The requested content is returned to the user based on Active Directory credentials and
NetWeaver AS Java, without the need for a username or password.


Overview of user mapping


After a user is authenticated with Active Directory (AD), DirectControl for NetWeaver
maps the user's AD name to an SAP username in NetWeaver UME based on the settings in
the Centrify login modules and the login module stack. Mapping proceeds in this order:
Step 1: Mapping by Active Directory attribute. DirectControl for NetWeaver first
checks a Centrify login module (or login module stack) option you can set to designate a
user attribute in Active Directory whose value could match the UME user name. (This step
enables you to override direct mapping from Active Directory attributes.)
Step 2: Direct mapping from Active Directory. If the mapping in step 1 fails for any
reason, DirectControl for NetWeaver tries to match the AD user name to a UME user
name.
Step 3: Mapping by SAP custom attribute. If the mapping in step 2 fails for any
reason, DirectControl for NetWeaver tries to match the value of the AD user’s
userPrincipalName (in AD) to the name of a UME custom attribute specified by the values
of Centrify login module (or login module stack) options. If the match succeeds, the AD
user’s name is mapped to the corresponding UME user name.
The next chapter (Chapter 2, “Installation and Configuration”) describes how to set up
Centrify login modules and the login module stack to use these mapping methods. The
chapter after that (Chapter 3, “Final Steps”) describes how to set up Active Directory and
UME attributes and values to implement the mapping. That chapter also contains a
reference example illustrating how all the options, AD attributes, UME custom attributes
and UME user names work together to map AD users to UME users.
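The three-step order above decides which UME account an authenticated AD user ends up in, so it is worth seeing the fall-through behaviour on concrete data. The following Python is an added example, not code from the Centrify guide or product: it models the guide's mapping order against constructed AD and UME records. The attribute names `employeeID` (standing in for whatever AD attribute the login-module option designates) and `ad_upn` (standing in for the UME custom attribute compared with userPrincipalName in step 3) are assumptions of this example, as are the case-insensitive UPN comparison and the refusal to map when step 3 finds more than one UME candidate.

```python
"""Added example (not part of the Centrify guide): the three-step AD-to-UME
user mapping order described above, run against constructed sample data.

Assumptions (not from the guide): "employeeID" stands in for whatever AD
attribute the login-module option designates, and "ad_upn" stands in for the
UME custom attribute whose value is compared with userPrincipalName in step 3.
"""
from typing import Dict, Optional, Tuple

# (step that produced the match, UME user name), or None when no step matched
MappingResult = Optional[Tuple[str, str]]

# Constructed UME user store: UME user name -> UME attributes.
UME_USERS: Dict[str, Dict[str, str]] = {
    "a.liddell": {},
    "bob": {},
    "cjones": {"ad_upn": "carol@example.com"},
    # Two UME accounts carrying the same UPN value: an ambiguous step-3 match.
    "erin-old": {"ad_upn": "erin@EXAMPLE.COM"},
    "erin-new": {"ad_upn": "erin@EXAMPLE.COM"},
}

# Constructed Active Directory users: sAMAccountName -> AD attributes.
AD_USERS: Dict[str, Dict[str, str]] = {
    "alice": {"sAMAccountName": "alice", "userPrincipalName": "alice@EXAMPLE.COM",
              "employeeID": "a.liddell"},          # step 1 should win
    "bob":   {"sAMAccountName": "bob", "userPrincipalName": "bob@EXAMPLE.COM",
              "employeeID": "no-such-ume-user"},   # step 1 fails, step 2 wins
    "carol": {"sAMAccountName": "carol", "userPrincipalName": "carol@EXAMPLE.COM"},  # step 3
    "dave":  {"sAMAccountName": "dave", "userPrincipalName": "dave@EXAMPLE.COM"},    # no match
    "erin":  {"sAMAccountName": "erin", "userPrincipalName": "erin@EXAMPLE.COM"},    # ambiguous
}


def map_ad_user_to_ume(ad_user: Dict[str, str],
                       ume_users: Dict[str, Dict[str, str]],
                       ad_mapping_attr: Optional[str] = None,
                       ume_custom_attr: Optional[str] = None) -> MappingResult:
    """Return (step, UME user name) following the guide's order, or None."""
    # Step 1: mapping by Active Directory attribute. Only attempted when the
    # option naming the attribute is set; a missing attribute or a value that
    # is not a UME user name falls through to step 2.
    if ad_mapping_attr:
        candidate = ad_user.get(ad_mapping_attr)
        if candidate and candidate in ume_users:
            return ("ad-attribute", candidate)

    # Step 2: direct mapping, AD user name == UME user name.
    sam = ad_user.get("sAMAccountName")
    if sam and sam in ume_users:
        return ("direct", sam)

    # Step 3: match the AD userPrincipalName against the designated UME custom
    # attribute. UPN realms are conventionally upper case, so the comparison is
    # case-insensitive (an assumption of this example, not a guide statement).
    upn = ad_user.get("userPrincipalName")
    if ume_custom_attr and upn:
        hits = [name for name, attrs in ume_users.items()
                if attrs.get(ume_custom_attr, "").lower() == upn.lower()]
        # Exactly one hit is required: mapping one AD identity onto several UME
        # accounts is refused rather than guessed (this example's policy).
        if len(hits) == 1:
            return ("ume-custom-attribute", hits[0])

    return None


def run_demo() -> Dict[str, MappingResult]:
    """Map every constructed AD user with both mapping options configured."""
    return {sam: map_ad_user_to_ume(u, UME_USERS, "employeeID", "ad_upn")
            for sam, u in AD_USERS.items()}


if __name__ == "__main__":
    for sam, result in run_demo().items():
        print(f"{sam:6} -> {result}")
```

Running `run_demo()` shows alice mapped by step 1, bob falling through to step 2 because his designated attribute names no UME account, carol reached only by step 3, and dave and erin left unmapped (erin because two UME accounts claim her UPN). Calling `map_ad_user_to_ume` with no options shows that only direct mapping is then available, which is why the step 1 and step 3 options need to be set deliberately.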

Configuring single sign-on for SAP cloud-based applications


If your users access SAP servers through the SAP cloud-based applications: SAP NetWeaver
Application Server ABAP or SAP NetWeaver Application Server Java, you can use Centrify
Identity Service for single sign-on (SSO) as an alternative to using Centrify Server Suite as
discussed in the current document.
Centrify Identity Service (CIS) is a comprehensive cloud service that secures access to
cloud, mobile, and on-premises apps via single sign-on, user provisioning and multi-factor
authentication.
CIS allows you to choose where to store the directory — either on-premises (within
corporate control) or in the cloud. Centrify integrates the Centrify Cloud with Active
Directory or LDAP without poking extra holes in the firewall or adding devices in the
DMZ.
In the web-portal interface to CIS, you configure NetWeaver AS ABAP and NetWeaver AS
Java for SSO by enabling SAML (Security Assertion Markup Language)-based authentication
for these applications.


SAP NetWeaver ABAP and NetWeaver Java offer both IdP-initiated SAML SSO (for SSO
access through the CIS web-based management portal) and SP-initiated SAML SSO (for
SSO access directly through the NetWeaver ABAP or Java web application). You can
configure these applications for either or both types of SSO. Enabling both methods ensures
that users can log in to SAP NetWeaver ABAP or NetWeaver Java in different situations such
as clicking through a notification email.
To configure the SAP NetWeaver Java web application for SSO, you need the following:
• A subscription to Centrify Identity Service
• SAP NetWeaver Java or NetWeaver ABAP.
• An active SAP NetWeaver Java or NetWeaver ABAP account with administrator rights
for your organization.
You can find complete instructions for configuring SSO for NetWeaver ABAP and
NetWeaver Java in the application configuration help included in the web-portal interface to
CIS.

How to proceed
This guide assumes you have already taken the following steps in a standard Active
Directory environment:
• Installed the DirectControl Agent on the NetWeaver AS Java server or servers in a
cluster.
• Joined the NetWeaver server or servers in a cluster (see Appendix B, Clustered
Environments for the join requirements) to the Active Directory domain, so the Java
server can present valid credentials for authentication.
If you have not already installed the DirectControl Agent, go to the Centrify Suite
Administrator’s Guide for the instructions.
After the DirectControl Agent is installed on the NetWeaver server(s), proceed to the next
chapter to deploy the DirectControl for NetWeaver package and then load and configure
the Centrify login module.

Chapter 2

Installation and Configuration

This chapter describes the procedures for installing and configuring DirectControl for
NetWeaver. If you are installing DirectControl for NetWeaver in a clustered environment,
see Appendix B, “Clustered Environments,” for additional information.
The topics in this chapter include:
• Understand the procedural basics
• Install DirectControl Agent on the NetWeaver host
• Set library path for SAP administrator – UNIX
• Set Java and library paths – Windows
• Install and deploy DirectControl for NetWeaver
• Configure the NetWeaver classloader to load Centrify login module
• Load and configure Centrify login module
• Configure the Centrify login module stack
• Set up browsers for authentication

Understand the procedural basics

SAP naming conventions


The typical installation directory descriptions in the instructions below use the following
variable definitions:
• SID is the system ID. The SID must be three alphanumeric characters only. When you
include the system ID in a path specification it must be in UPPER CASE.
• Instance is the application server instance name. The instance name has two components in
the form Tnn:
    • T: Indicates the instance type. There are four types:
      JC: Java Central (deprecated)
      J: Java Central or Dialog
      DVEBMGS: ABAP/DoubleStack Central
      D: ABAP/DoubleStack Dialog
    • nn: Indicates the instance number. The default is 00. This number is always two digits.


For example, the typical installation directory for an instance with the system ID NWS,
instance type ABAP/DoubleStack Central and number 13:
UNIX: /usr/sap/NWS/DVEBMGS13
Windows: C:\usr\sap\NWS\DVEBMGS13
The system ID for the SAP instance administrator has user name sidadm and home
directory /home/sidadm/. In this case, the system ID sid is always in lower case. For
example, if the SAP system ID is NWS, the SAP administrator name is nwsadm and the UNIX
home directory is /home/nwsadm.
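Because the same SID appears in upper case in paths and in lower case in the administrator name, it is easy to mistype one of them when scripting against several systems. The following Python is an added example, not code from the Centrify guide or from SAP: it validates a SID and instance name against the conventions above and derives the install directory, administrator name, home directory and the `sapcontrol` check command from them. The function names are this example's own; the conventions they encode are the ones stated in the section.

```python
"""Added example (not from the guide): validate the SID and instance naming
conventions above and derive paths and the administrator name from them."""
import re
from typing import List, NamedTuple

# Instance type prefixes and their meaning, as listed in the guide.
INSTANCE_TYPES = {
    "JC": "Java Central (deprecated)",
    "J": "Java Central or Dialog",
    "DVEBMGS": "ABAP/DoubleStack Central",
    "D": "ABAP/DoubleStack Dialog",
}

_SID_RE = re.compile(r"[A-Za-z0-9]{3}")
# Longer prefixes are listed first so that "DVEBMGS13" is not read as type "D".
_INSTANCE_RE = re.compile(r"(DVEBMGS|JC|J|D)(\d{2})")


class SapInstance(NamedTuple):
    sid: str            # always upper case, as required in path specifications
    instance_type: str  # one of INSTANCE_TYPES
    number: str         # two-digit instance number, e.g. "00"


def parse_instance(sid: str, instance: str) -> SapInstance:
    """Check SID and instance name against the conventions; raise ValueError otherwise."""
    if not _SID_RE.fullmatch(sid):
        raise ValueError(f"SID must be exactly three alphanumeric characters: {sid!r}")
    m = _INSTANCE_RE.fullmatch(instance)
    if not m:
        raise ValueError(f"instance must be <type><nn> with type in "
                         f"{sorted(INSTANCE_TYPES)}: {instance!r}")
    return SapInstance(sid.upper(), m.group(1), m.group(2))


def is_valid(sid: str, instance: str) -> bool:
    """True when both names follow the conventions."""
    try:
        parse_instance(sid, instance)
        return True
    except ValueError:
        return False


def install_dir(inst: SapInstance, windows: bool = False) -> str:
    """Typical installation directory, e.g. /usr/sap/NWS/DVEBMGS13."""
    instance_name = inst.instance_type + inst.number
    if windows:
        return "C:\\usr\\sap\\" + inst.sid + "\\" + instance_name
    return "/usr/sap/" + inst.sid + "/" + instance_name


def admin_user(inst: SapInstance) -> str:
    """The SAP instance administrator is <sid>adm with the SID in lower case."""
    return inst.sid.lower() + "adm"


def admin_home(inst: SapInstance) -> str:
    return "/home/" + admin_user(inst)


def process_list_command(inst: SapInstance) -> List[str]:
    """The sapcontrol check in the next section takes only the two-digit number."""
    return ["sapcontrol", "-nr", inst.number, "-function", "GetProcessList"]


if __name__ == "__main__":
    inst = parse_instance("nws", "DVEBMGS13")
    print(install_dir(inst), install_dir(inst, windows=True))
    print(admin_user(inst), admin_home(inst), " ".join(process_list_command(inst)))
```

The SID check enforces only what the guide states (three alphanumeric characters); if your SAP landscape applies further rules, tighten `_SID_RE` accordingly.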

Checking that applications have loaded


Loading and deploying applications in SAP can take several minutes. Confirm that the
applications have loaded using the procedure corresponding to your server platform:

UNIX
1 Log in as sidadm and enter the following command:
sapcontrol -nr instancenumber -function GetProcessList

where instancenumber is the two-digit number of the instance (do not preface the
number with the instance type).
2 The following figure illustrates the display when the applications have loaded:

If the dispstatus is GREEN (see the last line in the display), the server is ready. If you
see YELLOW, it means “starting” or “warning”; GREY means “unavailable” and RED
means “error.”
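When this check is scripted rather than read off the screen (for instance in a deployment pipeline that must not proceed until the server is up), the dispstatus of every listed process should be inspected, not just the last line. The following Python is an added example, not code from the Centrify guide or from SAP: it parses the listing that `sapcontrol -nr <nn> -function GetProcessList` prints and applies the colour rules stated above. The two sample listings are constructed; their shape follows sapcontrol's usual comma-separated table, and the parser assumes no cell contains a comma.

```python
"""Added example (not from the guide): parse the listing printed by
"sapcontrol -nr <nn> -function GetProcessList" and decide whether the server
is ready using the colour rules stated in the guide. The sample listings are
constructed; their shape follows sapcontrol's usual comma-separated table."""
from typing import List, NamedTuple

# dispstatus values and their meaning, as given in the guide.
STATUS_MEANING = {"GREEN": "ready", "YELLOW": "starting or warning",
                  "GREY": "unavailable", "RED": "error"}
# Ranking used to roll several processes up to one verdict (higher is worse).
_SEVERITY = {"GREEN": 0, "YELLOW": 1, "GREY": 2, "RED": 3}


class SapProcess(NamedTuple):
    name: str
    description: str
    dispstatus: str
    textstatus: str


# Constructed sample: every process GREEN, server ready.
READY_OUTPUT = """\
01.04.2016 10:05:12
GetProcessList
OK
name, description, dispstatus, textstatus, starttime, elapsedtime, pid
msg_server, MessageServer, GREEN, Running, 2016 04 01 09:55:01, 0:10:11, 12345
enserver, EnqueueServer, GREEN, Running, 2016 04 01 09:55:01, 0:10:11, 12346
jstart, J2EE Server, GREEN, All processes running, 2016 04 01 09:55:03, 0:10:09, 12350
"""

# Constructed sample: the Java server is still starting, so not ready yet.
STARTING_OUTPUT = READY_OUTPUT.replace(
    "jstart, J2EE Server, GREEN, All processes running",
    "jstart, J2EE Server, YELLOW, Some processes started")


def parse_process_list(output: str) -> List[SapProcess]:
    """Turn the GetProcessList text into one SapProcess per row."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    try:
        start = lines.index("GetProcessList")
    except ValueError:
        raise ValueError("not GetProcessList output") from None
    if len(lines) < start + 3 or lines[start + 1] != "OK":
        raise ValueError("sapcontrol did not report OK")
    header = [c.strip() for c in lines[start + 2].split(",")]
    col = {name: i for i, name in enumerate(header)}
    for required in ("name", "description", "dispstatus", "textstatus"):
        if required not in col:
            raise ValueError(f"missing column {required!r}")
    processes = []
    for row in lines[start + 3:]:
        cells = [c.strip() for c in row.split(",")]  # assumes no commas inside cells
        if len(cells) < len(header):
            raise ValueError(f"malformed row: {row!r}")
        status = cells[col["dispstatus"]].upper()
        if status not in _SEVERITY:
            raise ValueError(f"unknown dispstatus {status!r} in row {row!r}")
        processes.append(SapProcess(cells[col["name"]], cells[col["description"]],
                                    status, cells[col["textstatus"]]))
    return processes


def overall_status(processes: List[SapProcess]) -> str:
    """Worst dispstatus across all processes; an empty list counts as unavailable."""
    if not processes:
        return "GREY"
    return max(processes, key=lambda p: _SEVERITY[p.dispstatus]).dispstatus


def server_ready(output: str) -> bool:
    """True only when every listed process is GREEN."""
    return overall_status(parse_process_list(output)) == "GREEN"


if __name__ == "__main__":
    for label, sample in (("ready", READY_OUTPUT), ("starting", STARTING_OUTPUT)):
        status = overall_status(parse_process_list(sample))
        print(f"{label}: {status} ({STATUS_MEANING[status]}), ready={server_ready(sample)}")
```

To use it against a live system, feed the captured stdout of the sapcontrol command (run as sidadm) to `server_ready` and poll until it returns True; a listing that is not prefixed with `OK` is treated as an error rather than as "not ready", because it usually means the instance is not reachable at all.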

Windows
To check that all applications have loaded in the SAP server from a Windows system, run
C:\Windows\sapmmc.msc, the SAP Microsoft Management Console. Navigate in the tree
view to Console Root > SAP Systems > sid > instance_name. If after several minutes
the circle to the left of Process List turns green, deployment succeeded.

Install DirectControl Agent on the NetWeaver host


The NetWeaver server UNIX host must use DirectControl version 4.4.x (part of the
Centrify Suite) or later. The NetWeaver server should be joined to a DirectControl zone
(the default zone, unless you designate another) in the Active Directory. For detailed
installation and domain-joining instructions, refer to the Centrify Suite Administrator’s Guide.
For version-specific information, refer to the release notes.
If you need single sign-on for AD users of SAP systems but do not require wider Centrify
features, you can join a UNIX server to Active Directory without creating any Active
Directory zones. To do this, use the adjoin option -z NULL:
adjoin --user AD_user --password xxx --zone NULL -V domain --container DN

The value DN stands for the domain name or container name for the organizational unit or
container where the computer is to be created.
Note If you install NetWeaver in a clustered environment, the adjoin command is executed
at a different point in the procedure and requires additional arguments (next section).

Set library path for SAP administrator – UNIX


This section explains how to set up a library path for DirectControl for NetWeaver on a
UNIX machine. To set up the required paths on a Windows machine, go to the next section.
UNIX environments require a library path pointing to SAP NetWeaver AS Java so it can be
found and started. Add the appropriate line below to the end of the shell startup
configuration file (.cshrc for C-shell, etc.) of the SAP administrator:
• In a Linux or Solaris 32-bit environment:
setenv LD_LIBRARY_PATH /usr/share/centrifydc/java/lib:${LD_LIBRARY_PATH}
• In a Linux 64-bit environment:
setenv LD_LIBRARY_PATH /usr/share/centrifydc/java/lib64:${LD_LIBRARY_PATH}

• In a Solaris 64-bit environment:
setenv LD_LIBRARY_PATH /usr/share/centrifydc/java/lib/sparcv9:${LD_LIBRARY_PATH}
• In an AIX environment:
setenv LIBPATH /usr/share/centrifydc/java/lib/64:${LIBPATH}
• In an HP-UX IA64 environment:
setenv SHLIB_PATH /usr/share/centrifydc/java/lib/hpux64:${SHLIB_PATH}
• In an HP-UX PA-RISC environment:
setenv SHLIB_PATH /usr/share/centrifydc/java/lib:${SHLIB_PATH}

Save the .cshrc file, exit from user root, and issue the command:
su - sidadm

You should not see any error messages before the prompt reappears.

Set Java and library paths – Windows


This section explains how to set up the required paths for DirectControl for NetWeaver on
a Windows machine. To set up paths on a UNIX machine, go back to the previous section.
On Windows systems, you need to configure library and Java paths via system properties:
1 Left-click on Start in the taskbar, right-click on My Computer, and select
Properties.
2 Click the Advanced tab, and click Environment Variables.

3 Highlight the variable name Path in the system variables list, and click Edit.
4 Place the cursor at the beginning of the Variable value line, and add this string:
C:\Centrify\DirectControl\java\lib;

Note The string must end with a semicolon.

5 Click OK to store the changed variable value.


6 Click New below the system variables list, near the bottom of the window.
7 In the New System Variable dialog box, type JAVA_HOME for the variable name and
C:\j2sdk1.4.2_28-x64 for the variable value.

8 Click OK to store the new variable value.


9 Click OK to exit from the System Properties window.

Install and deploy DirectControl for NetWeaver

For SAP 7.0


To install the DirectControl login module library on the NetWeaver host for SAP 7.0:
1 Download the centrifydc-netweaver-release-noarch.tgz package (UNIX) or the
centrify-netweaver-release.zip (Windows) corresponding to the host’s processor
architecture (32- or 64-bit) from the Centrify Download Center.
Note For the location and filename of the package suitable for your operating
environment, refer to the release notes.
2 Expand the downloaded package in a temporary directory. For example, in UNIX:
# cd ~/desktop
# gunzip centrifydc-netweaver-v.v.v-noarch.tgz
# ls
centrifydc-netweaver-v.v.v-noarch.tar
# tar -xvf centrifydc-netweaver-v.v.v-noarch.tar
CentrifyLoginModuleLibrary.sda
centrifyRedirectApp.ear

Check that CentrifyLoginModuleLibrary.sda and centrifyRedirectApp.ear are both present.
You install CentrifyLoginModuleLibrary.sda on the SAP server as described in the next
steps. You use centrifyRedirectApp.ear when you have mixed authentication (Active
Directory and UME); see Appendix A, “Mixed Authentication” for the description and
installation instructions.
3 Transfer the CentrifyLoginModuleLibrary.sda file to a place on the SAP server
system where sidadm can read it, such as /home/sidadm/.
4 Log in as sidadm and run the Software Deployment Manager (SDM):
UNIX: /usr/sap/SID/instance/SDM/program/RemoteGui.sh
Windows: C:\usr\sap\SID\instance\SDM\program\RemoteGui.bat
The Software Deployment Manager - GUI window appears.

5 Click SDM Gui > Login. Enter the password for the NetWeaver SDM server.

Note This password might be different from the SAP administrator password.
6 Click the Deployment tab.
7 Click the clipboard-plus-sign icon in the upper left corner of the Deployment tab.

8 Navigate to the place where you stored CentrifyLoginModuleLibrary.sda, select it,
and click the Choose button. Wait for the choosing process to complete.
9 Click Next at the bottom to advance to Step 2. Because no changes are required in this
step, click Next again, and then click the Start Deployment button at the bottom of
the window.
When the deployment is complete, the Overall Deployment Progress bar in the lower
right of the window shows 100% and a “Finished successfully” message appears. If
deployment does not succeed, refer to the Troubleshooting section (page 52).
In a Windows system, you can run C:\Windows\sapmmc.msc, and navigate to Console
Root > SAP Systems > sid > instance_name. Under it, the dot to the left of Process
List turns green when the deployment process is complete. It may take up to ten minutes
after deployment for this color change to occur.

Note You can also check that deployment was successful by selecting the
Undeployment tab and verifying that centrify.com/CentrifyLoginModuleLibrary is
somewhere on the Vendor/Name list.

10 Restart the SAP server so the changes take effect, and wait for all applications to start:

stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]

This process may take several minutes. For suggested ways to check for completion, refer
to “Checking that applications have loaded” on page 15.

For SAP 7.3/7.4/7.5


To install the DirectControl login module library on the NetWeaver host for SAP 7.3/7.4/7.5:
1 Download the centrifydc-netweaver-release-noarch.tgz package (UNIX) or the
centrify-netweaver-release.zip (Windows) corresponding to the host’s processor
architecture (32- or 64-bit) from the Centrify Download Center.
Note For the location and filename of the package suitable for your operating
environment, refer to the release notes.
2 Expand the downloaded package in a temporary directory. For example, in UNIX:
# cd ~/desktop
# gunzip centrifydc-netweaver-v.v.v-noarch.tgz
# ls
centrifydc-netweaver-v.v.v-noarch.tar
# tar -xvf centrifydc-netweaver-v.v.v-noarch.tar
CentrifyLoginModuleLibrary.sda
centrifyRedirectApp.ear

Check that CentrifyLoginModuleLibrary.sda and centrifyRedirectApp.ear are both present.
You install CentrifyLoginModuleLibrary.sda on the SAP server as described in the next
steps. You use centrifyRedirectApp.ear when you have mixed authentication (Active
Directory and UME); see Appendix A, “Mixed Authentication” for the description and
installation instructions.
3 Copy the CentrifyLoginModuleLibrary.sda file to /usr/sap/trans/EPS/in.
4 Create a new text file, deploylist.txt, in /usr/sap/trans/EPS/in.
5 Add the path of the CentrifyLoginModuleLibrary.sda file to the deploylist.txt file,
for example:
/usr/sap/trans/EPS/in/CentrifyLoginModuleLibrary.sda

6 Start telnet in a shell window by entering the command:
telnet localhost 50008

7 Sign in as administrator.
8 Enter the command:
deploy list=/usr/sap/trans/EPS/in/deploylist.txt

9 When the deployment operation finishes, restart SAP.

This process may take several minutes. For suggested ways to check for completion, refer
to “Checking that applications have loaded” on page 15.
Note Use Software Update Manager (SUM) for NetWeaver 7.4. If you are using NetWeaver
7.3, you can use JSPM as an alternative.

This concludes the installation and deployment of the CentrifyLoginModuleLibrary.sda.


In the next steps, you configure the NetWeaver classloader to load the Centrify login
modules and then configure the NetWeaver login stack to use them.

Configure the NetWeaver classloader to load Centrify login module

For SAP 7.0


Once the Centrify login modules have been added to NetWeaver, make the NetWeaver
classloader load the library:
1 Log in as the SAP administrator sidadm and run Visual Administrator.
UNIX: /usr/sap/SID/instance/j2ee/admin/go
Windows: C:\usr\sap\SID\instance\j2ee\admin\go.bat
2 In the tree view on the left, select the Global Configuration tab and the Server tab.
Then navigate to Services > Security Provider.
3 In the Properties tab in the right pane, in the Key column, click the
LoginModuleClassLoaders row.

4 In the Value field near the bottom, add the following text:
library:centrify.com~CentrifyLoginModuleLibrary

and click the Update button.
Note Separate multiple entries with commas but no spaces.

5 The value for the LoginModuleClassLoaders key is now set. To save the classloader
configuration, click the disk icon.

6 The Visual Administrator prompts you to confirm. Leave the Server ... box checked and
click Yes.

For SAP 7.3/7.4/7.5


Once the Centrify login modules have been added to NetWeaver, make the NetWeaver
classloader load the library:
1 Run the AS Java Config Tool by typing this command in a shell window:
/usr/sap/<SID>/<instance>/j2ee/configtool/configtool.sh

2 In the pane on the left side of the Config Tool window, open the folder:
cluster-data > template - Usage_Type_All_in-One > instance <INSTID> >
services > security

3 Add this value to the LoginModuleClassLoaders key:
library:centrify.com~CentrifyLoginModuleLibrary

Note If the LoginModuleClassLoaders key already has a value, separate it from the value
you are adding with a comma and no spaces.
4 (7.3/7.4) Click Save.
5 (7.5 only) Click Set Custom Value.
6 Restart SAP Java.

Load and Configure Centrify login module


For details about using the Centrify login module, see the section for the version of SAP you
are using:
• “For SAP 7.0” on page 24
• “For SAP 7.3/7.4/7.5” on page 26

For SAP 7.0


Use the following steps to load the Centrify login module CentrifySpnegoLoginModule
and set the options. If you have multiple clusters, you must load and configure
CentrifySpnegoLoginModule individually on each cluster.

To see how the options you set on this page interact with UME, AD and other settings, refer
to “Set up user mapping” on page 33 in the next chapter.
1 If you are not yet running the Visual Administrator, log in as sidadm and start it:
UNIX: /usr/sap/SID/instance/j2ee/admin/go
Windows: C:\usr\sap\SID\instance\j2ee\admin\go.bat
2 In the tree view in the left pane, select the Cluster tab. Then, navigate to Server
server_name > Services > Security Provider.
The right pane is now populated with a set of tabs.
3 Click the Runtime tab and the User Management subtab in the right pane.

4 Click the pencil icon (the Switch to Edit Mode button) above the Runtime tab. This
activates the Manage Security Stores button in the lower right corner.

Note If the icon above the Runtime tab is a pair of glasses, you are already in edit mode.

5 Click the Manage Security Stores button. This updates the User Management pane
to show the current User Stores on the left and the current Login Modules.
6 If the UME User Store is not already selected, select it. Click the Add Login Module
button near the lower right.

7 In the Choose editor for login module options window, leave Use a specific
editor for the login module options unchecked. You do not need to fill in an editor
class name. Click OK.

8 Add the Centrify login module in the Add Login Module window. Enter the following
for the corresponding parameter.

Class Name: com.centrify.dc.netweaver.CentrifySpnegoLoginModule
Display Name: CentrifySpnegoLoginModule
Description: Centrify SPNEGO Login Module

So far the Add Login Module window should look like this.

9 Set the CentrifySpnegoLoginModule options. The Login Module Options table lists the
options. You do not need to enter an option that has a default value unless you want to
change that default.
10 Enter the authentication scheme options and click the OK button to add the module. The
Authentication scheme options and behavior table lists all valid enableAuthSchemes
combinations for specifying browser and Centrify plug-in behavior.

For SAP 7.3/7.4/7.5


Use the following steps to load the Centrify login module CentrifySpnegoLoginModule
and set the options. If you have multiple clusters, you must load and configure
CentrifySpnegoLoginModule individually on each cluster.

To see how the options you set on this page interact with UME, AD and other settings, refer
to “Set up user mapping” on page 33 in the next chapter.
1 Go to the NetWeaver Administration page of the SAP Java system. Go to Configuration
> Security > Authentication and Single Sign-on.
2 On the Login Modules subtab, click Create.

3 In the New Login Modules window, enter these values:

Display Name: CentrifySpnegoLoginModule
Class Name: com.centrify.dc.netweaver.CentrifySpnegoLoginModule
Description: Centrify SPNEGO Login Module

The Login Module Options table lists all the options. You do not need to enter an option
that has a default value unless you want to change that default.
4 Enter the authentication scheme options and click the OK button to add the module. The
Authentication scheme options and behavior table lists all valid enableAuthSchemes
combinations for specifying browser and Centrify plug-in behavior.
5 Click Save.

Login Module Options

realmName
  Default value: centrify.dc.realm
  Value of the realm attribute (see RFC 1945 and RFC 2617) in HTTP BASIC authentication.
  This value is used only if BASIC is one of the values set in enableAuthSchemes (next
  option).
enableAuthSchemes
  Default value: Negotiate, NTLM, BASIC
  Lists which authentication methods the module uses. See the table Authentication scheme
  options and behavior for the authentication method options. Browsers typically try the
  available schemes in order from most secure (Negotiate) to least secure (BASIC).
numReprompts
  Default value: 3
  Specifies the number of login retries. The number of retries is one less than the number
  set. For example, if the Kerberos ticket is invalid or the password is incorrect, the
  default gives the user two more attempts.
ADMappingVariable
  Default value: [no default value]
  Name of the Active Directory attribute in which to find the user’s SAP username. If this
  is set, the named attribute in the user’s Active Directory entry is used to map to the
  SAP user. If this is not set, or if the AD attribute of the user’s AD entry is not set or
  does not map to an existing SAP user, the value of usernameConfig is used to map the AD
  user to the SAP user. (See “Setup for mapping by SAP custom attribute” on page 35.)
usernameConfig
  Default value: CdcUserName
  Name of the SAP user profile custom attribute used to map Active Directory users to SAP
  users. You need to add this custom attribute to the SAP User Management Engine (UME)
  Custom attributes of the user profile. (See “Setup for mapping by SAP custom attribute”
  on page 35.)
namespace
  Default value: com.sap.security.core.usermanagement
  Centrify login modules use the same default namespace for SAP user profile custom
  attributes as SAP uses. To use a different namespace, set its name here, and add the
  custom attribute to the UME. (See “Setup for mapping by SAP custom attribute” on page
  35.) The attribute path is of the form <namespace>:<usernameConfig>.
errorUrl
  Default value: [no default value]
  URL to go to if an error occurs. Used by CentrifyRedirectApp.ear.
unauthorizedUrl
  Default value: [no default value]
  URL to go to if authorization fails. Used by CentrifyRedirectApp.ear.
redirectUrl
  Default value: [no default value]
  URL to go to if authentication succeeds. Used by CentrifyRedirectApp.ear.

Authentication scheme options and behavior

enableAuthSchemes: Negotiate
  Browser: sends either Kerberos or NTLM credentials, but not BASIC credentials
  Plug-in: accepts only Kerberos credentials
enableAuthSchemes: Negotiate, NTLM, BASIC
  Browser: sends Kerberos, NTLM or BASIC credentials
  Plug-in: accepts Kerberos, NTLM or BASIC credentials
enableAuthSchemes: Negotiate, NTLM
  Browser: sends either Kerberos or NTLM credentials, but not BASIC credentials
  Plug-in: accepts Kerberos or NTLM credentials, but not BASIC credentials
enableAuthSchemes: Negotiate, BASIC
  Browser: sends Kerberos, NTLM or BASIC credentials
  Plug-in: accepts Kerberos or BASIC credentials, but not NTLM credentials
enableAuthSchemes: NTLM
  Browser: sends only NTLM credentials
  Plug-in: accepts only NTLM credentials
enableAuthSchemes: NTLM, BASIC
  Browser: sends either NTLM or BASIC credentials
  Plug-in: accepts NTLM or BASIC credentials, but not Kerberos credentials
enableAuthSchemes: BASIC
  Browser: sends only BASIC credentials
  Plug-in: accepts only BASIC credentials

Configure the Centrify login module stack


For details about using the Centrify stack, see the section for the version of SAP you are
using:
• “For SAP 7.0” on page 29
• “For SAP 7.3/7.4/7.5” on page 32

For SAP 7.0


When a user logs into a NetWeaver AS Java server, the server uses a stack of login modules
to authenticate a user for each requested application. To accommodate the use of
DirectControl authentication, the login stack needs to be modified to include the Centrify
CentrifySpnegoLoginModule login module. Use the following steps to configure
NetWeaver Portal login stack:
1 If you are not in the Visual Administrator, log in as sidadm and start it using the
following:
UNIX: /usr/sap/SID/instance/j2ee/admin/go
Windows: C:\usr\sap\SID\instance\j2ee\admin\go.bat

2 In the tree view on the left, navigate to Server server_name > Services > Security
Provider.
3 Click the Policy Configurations tab and then the Authentication tab.
4 Click the pencil icon (the Switch to Edit Mode button) above the tabs.

Note If the icon above the Runtime tab is a pair of glasses, you are already in edit mode.
5 In the components list on the left, select the ticket template; on the right, select No for
the Authentication template.
6 Select each login module currently configured for ticket and click the Remove button
at the bottom of the window.

7 Add Centrify and SAP ticket login modules as follows:
a Click the Add New button at the bottom of the screen.
b In the Available Login Modules window, click EvaluateTicketLoginModule
and click OK.
c Repeat Substep a and Substep b for the following login modules:
CentrifySpnegoLoginModule
CreateTicketLoginModule
BasicPasswordLoginModule
CreateTicketLoginModule [a second time]
d After you have added all login modules, for each login module click the Modify
button to modify the Flag and to add Option names and values.
Login modules stack

Login Modules                                                Flag        Options
com.sap.security.core.server.jaas.EvaluateTicketLoginModule  SUFFICIENT  {ume.configuration.active=true}
com.centrify.dc.netweaver.CentrifySpnegoLoginModule          OPTIONAL    {ume.configuration.active=true, enableAuthSchemes=Negotiate, Basic}
com.sap.security.core.server.jaas.CreateTicketLoginModule    SUFFICIENT  {ume.configuration.active=true}
BasicPasswordLoginModule                                     REQUISITE   { }
com.sap.security.core.server.jaas.CreateTicketLoginModule    OPTIONAL    {ume.configuration.active=true}

e The final login stack should look like the following figure.

Note If you set ume.configuration.active=true, the logon ticket configuration
settings are taken from the UME property sheet rather than from the login module
options.
With this login module stack setup, users are authenticated in priority order as listed in
the table below.

Method          In the following case
Kerberos        Ticket is valid and user maps to a user in the NetWeaver UME.
HTTP BASIC      Kerberos fails, and Active Directory username and password are valid.
NetWeaver UME   BASIC fails, and the user can be authenticated by username and password from the
                NetWeaver UME on the default NetWeaver login page.
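The Python below is an added example, not Centrify's or SAP's code, that simulates how the JAAS control flags of the login stack above (SUFFICIENT, OPTIONAL, REQUISITE) produce the priority order in this table. The module bodies are hypothetical stand-ins driven by constructed facts (sap_ticket_valid, kerberos_ok, ad_user_maps_to_ume, ad_password_ok, ume_password_ok); the real modules evaluate logon tickets, SPNEGO tokens and UME passwords.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class LoginModule:
    name: str
    flag: str                      # JAAS control flag: REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL
    login: Callable[[dict], bool]  # stand-in for the module's login(); updates ctx on success


def run_login_stack(stack: List[LoginModule], ctx: dict) -> Tuple[bool, List[Tuple[str, str, bool]]]:
    """Evaluate a JAAS login stack with the standard control-flag semantics.

    SUFFICIENT success returns immediately (unless a REQUIRED module already failed);
    REQUISITE failure aborts at once; OPTIONAL never decides the outcome on its own.
    Returns (authenticated, trace of (module, flag, succeeded)).
    """
    trace = []
    required_failed = False
    any_success = False
    for module in stack:
        ok = module.login(ctx)
        trace.append((module.name, module.flag, ok))
        if ok:
            any_success = True
            if module.flag == "SUFFICIENT" and not required_failed:
                return True, trace
        elif module.flag == "REQUISITE":
            return False, trace
        elif module.flag == "REQUIRED":
            required_failed = True
    return any_success and not required_failed, trace


def build_stack(enable_auth_schemes=("Negotiate", "BASIC")) -> List[LoginModule]:
    """The ticket stack from the Login modules stack table, with hypothetical module bodies."""

    def evaluate_ticket(ctx):
        # Accepts an existing, valid SAP logon ticket
        if ctx.get("sap_ticket_valid"):
            ctx["principal"], ctx["method"] = ctx["user"], "SAP logon ticket"
            return True
        return False

    def centrify_spnego(ctx):
        # Kerberos via Negotiate first; HTTP BASIC against AD only if listed in enableAuthSchemes
        if ctx.get("kerberos_ok") and ctx.get("ad_user_maps_to_ume"):
            ctx["principal"], ctx["method"] = ctx["user"], "Kerberos"
            return True
        if "BASIC" in enable_auth_schemes and ctx.get("ad_password_ok"):
            ctx["principal"], ctx["method"] = ctx["user"], "HTTP BASIC"
            return True
        return False

    def create_ticket(ctx):
        # Issues a logon ticket only once an earlier module has authenticated a principal
        if ctx.get("principal"):
            ctx["ticket_issued"] = True
            return True
        return False

    def basic_password(ctx):
        # Username/password checked against the NetWeaver UME (default login page)
        if ctx.get("ume_password_ok"):
            ctx["principal"], ctx["method"] = ctx["user"], "NetWeaver UME"
            return True
        return False

    return [
        LoginModule("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
        LoginModule("CentrifySpnegoLoginModule", "OPTIONAL", centrify_spnego),
        LoginModule("CreateTicketLoginModule", "SUFFICIENT", create_ticket),
        LoginModule("BasicPasswordLoginModule", "REQUISITE", basic_password),
        LoginModule("CreateTicketLoginModule", "OPTIONAL", create_ticket),
    ]


def authenticate(stack: List[LoginModule], **facts):
    """Run one request through the stack; returns (authenticated, method used, trace)."""
    ctx = dict(facts)
    ok, trace = run_login_stack(stack, ctx)
    return ok, ctx.get("method"), trace


if __name__ == "__main__":
    stack = build_stack()
    for facts in (
        {"user": "alice", "sap_ticket_valid": True},
        {"user": "alice", "kerberos_ok": True, "ad_user_maps_to_ume": True},
        {"user": "alice", "ad_password_ok": True},
        {"user": "bob", "ume_password_ok": True},
        {"user": "mallory"},
    ):
        ok, method, trace = authenticate(stack, **facts)
        print(ok, method, [(name, hit) for name, _, hit in trace])
```

Passing enableAuthSchemes without BASIC to build_stack shows the bypass discussed next: a failed Kerberos attempt falls straight through to the UME password module instead of prompting for AD credentials.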

The enableAuthSchemes option in the CentrifySpnegoLoginModule of this login module
stack can be modified (for example) to bypass BASIC authentication if Kerberos fails. See
the enableAuthSchemes row in the table on page 28 for more information on that option.
Note If you plan to use mixed authentication—that is, some users will be authenticated
using their Active Directory account and others will not have an Active Directory account
and be authenticated solely by UME—you need to do two things:

• Skip Step 8.
• After you restart the SAP server and confirm Active Directory authentication is
working, go to Appendix A, Mixed Authentication and deploy the CentrifyRedirectApp
application included in the package.
8 If you do NOT plan to use mixed authentication, set the sap.com/irj*irj Authentication
Template to “ticket” in the Visual Administrator. On the left side of the right frame,
scroll down and click on sap.com/irj*irj (iView Runtime for Java). On the right side,
for Authentication template, select ticket.

9 Click the glasses icon above the Runtime tab to switch to read-only mode.

Note If the icon above the Runtime tab is a pencil, you are already in read-only mode.
10 Restart the SAP server so the changes take effect, and wait for all applications to start:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]

This process may take several minutes. For suggested ways to check for completion, refer to
“Checking that applications have loaded” on page 15.
After SAP restarts, authentication to the Portal proceeds as described in the table above.
Note If you are logged in as an Active Directory user and want to access the SAP NetWeaver
Administrator role, make sure your Active Directory username is mapped to a user in the
NetWeaver UME with administrator privileges. If your Active Directory username is not
mapped to a UME user with administrator privileges, allow that AD authentication to fail
and then log in again as a UME user with administrator privileges.

For SAP 7.3/7.4/7.5


When a user logs into a NetWeaver AS Java server, the server uses a stack of login modules
to authenticate a user for each requested application. To accommodate the use of
DirectControl authentication, the login stack needs to be modified to include the Centrify
CentrifySpnegoLoginModule login module. Use the following steps to configure
NetWeaver Portal login stack:
1 Go to the NetWeaver Administration page of the SAP Java System.
2 Go to Configuration > Security > Authentication and Single Sign-on.
3 Select the Components tab.
4 Select ticket and click the Edit button.
5 Change the order of the Login Module Flag Options to this:

Login Modules                                                Flag        Options
com.sap.security.core.server.jaas.EvaluateTicketLoginModule  SUFFICIENT  {ume.configuration.active=true}
com.centrify.dc.netweaver.CentrifySpnegoLoginModule          OPTIONAL    {ume.configuration.active=true}
com.sap.security.core.server.jaas.CreateTicketLoginModule    SUFFICIENT  {ume.configuration.active=true}
BasicPasswordLoginModule                                     REQUISITE   { }
com.sap.security.core.server.jaas.CreateTicketLoginModule    OPTIONAL    {ume.configuration.active=true}

6 Click Save.


Final Steps

This chapter describes the final steps to integrate SAP NetWeaver with Active Directory
using DirectControl for NetWeaver, and to verify that authentication and user mapping
take place as intended.
This chapter discusses the following topics:
• Set up user mapping
• Make optional adjustments to single sign-on behavior
• Verify the installation

Set up user mapping


The Centrify DirectControl login modules follow a three-step user mapping procedure, as
described in “Overview of user mapping” on page 12, that depends on attributes and values
you set in Active Directory and in NetWeaver UME. Recall that the three steps are, in
order:
• Mapping by Active Directory attribute
• Direct mapping from Active Directory
• Mapping by SAP custom attribute
The subsections that follow explain how to set up options, attributes and values to cause the
desired mapping to occur.

Setup for mapping by Active Directory attribute


If an Active Directory attribute is specified in the ADMappingVariable option in the
Centrify login module or the login module stack, DirectControl for NetWeaver checks
whether the user's AD attribute is set to an SAP username in the UME. If so, the user is
mapped to this username, provided the name in the user’s AD attribute matches the SAP
username in UME.
To use mapping by Active Directory attribute:
1 If no Active Directory users exist, create one.
2 In the ADMappingVariable option in the Centrify login module or the login module stack,
specify the name of the AD user entry attribute to use for the mapping.
To configure the Centrify login module in SAP 7.0, see Step 9 on page 26; for SAP
7.3/7.4/7.5, see Step 4 on page 27.

To configure the login module stack in SAP 7.0, see Substep d on page 30; for SAP
7.3/7.4/7.5, see Substep e on page 32.
3 Make sure the name contained in the specified AD user entry attribute is the same as the
user name in the UME.

Setup for direct mapping from Active Directory

For SAP 7.0


If an SAP username is not found in the attempt to map by AD attribute, DirectControl for
NetWeaver checks whether any username in the UME exactly matches the user's Active
Directory login name. If so, the user is mapped to this username.
To use direct mapping from Active Directory, create an SAP user with the same name in the
UME as the Active Directory user. To do this:
1 Go to this location:
http://sap_server_system:50000/nwa

2 Log in as administrator.
3 Go to the System Management tab, Administration subtab.
4 Click Identity Management on the left side.
5 Click the Create User button.
6 For the Logon ID, enter the Active Directory login ID.
7 Click Save All Changes.

For SAP 7.3/7.4/7.5


To use direct mapping from Active Directory, create an SAP user with a different name in
the UME from the Active Directory user. The SAP username may not match the AD
username. To do this:
1 Go to this location:
http://sap_server_system:50000/nwa

2 Log in as administrator.
3 Go to Configuration > Identity Management on the left side.
4 Click the Configuration button.
5 Click the Create User button.
6 For the Logon ID, enter the Active Directory login ID.

7 Click Save All Changes.

Setup for mapping by SAP custom attribute


If an SAP username is not found in the attempt to map directly from AD, DirectControl for
NetWeaver checks whether a UME user profile has a custom attribute set to the user's
Active Directory userPrincipalName (UPN). If so, the user is mapped to the UME user
name of the user with this UPN. The name of the custom attribute in the UME user's
profile is specified in the usernameConfig option, or by a concatenation of the
usernameConfig and namespace (if set) options of the Centrify login module (see Step 9 on
page 26) or the login module stack (see Substep d on page 30). The custom attribute also
needs to be added to the user's profile. (See Create a UME custom attribute, below.)
1 Create the custom attribute in the UME (next section).
2 Restart the SAP server so the updates take effect. Log in as sidadm and run:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]

This process may take several minutes. For suggested ways to check for completion, refer
to “Checking that applications have loaded” on page 15.
3 Find the custom attribute in the user's profile.
4 Set the user's custom attribute in the UME to the user’s UPN in Active Directory.

Create a UME custom attribute


While configuring the Centrify login module, you set options (page 28) to designate a
custom variable in the UME. This variable, visible in the SAP user profile, maps Active
Directory users to SAP users. You need to add this custom attribute to an appropriate place
in the UME.
The location of the custom UME attribute is specified in one of three ways:
• The usernameConfig option is at its default value (CdcUserName), and the namespace
option is at its default value (com.sap.security.core.usermanagement). The login
module looks for the UME custom attribute at
com.sap.security.core.usermanagement:CdcUserName
• The usernameConfig option is set to a different value (for example, altAttribute), but
the namespace option is left at its default value. The login module looks for the UME
custom attribute at com.sap.security.core.usermanagement:altAttribute.
• The usernameConfig option is at its default value, but the namespace option is set to a
different value (for example, com.a.b.c) to distinguish the Centrify instance of
CdcUserName from the SAP instance of CdcUserName. The login module looks for the
UME custom attribute at com.a.b.c:CdcUserName.
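The following Python is an added example, not Centrify's or SAP's code, that walks the three mapping steps from “Set up user mapping” (AD attribute, direct, SAP custom attribute) over a constructed UME user store and constructed AD entries, resolving the custom attribute path <namespace>:<usernameConfig> as described in the cases above. AD attributes are a flat dict rather than an LDAP lookup, and the “ambiguous” result is an added defensive check, not documented module behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Login module option defaults from the Login Module Options table
DEFAULT_OPTIONS = {
    "ADMappingVariable": None,          # no default: step 1 is skipped unless set
    "usernameConfig": "CdcUserName",
    "namespace": "com.sap.security.core.usermanagement",
}


@dataclass
class UmeUser:
    logon_id: str
    # custom attributes keyed by their full path "<namespace>:<name>"
    custom_attributes: Dict[str, str] = field(default_factory=dict)


def custom_attribute_path(options: Dict[str, Optional[str]]) -> str:
    """Path of the UME custom attribute the module reads: <namespace>:<usernameConfig>."""
    return f"{options['namespace']}:{options['usernameConfig']}"


def map_ad_user(ad_entry: Dict[str, str], ume: Dict[str, UmeUser],
                options: Optional[Dict[str, Optional[str]]] = None) -> Tuple[Optional[str], str]:
    """Apply the three mapping steps in order; return (UME logon id, step that matched).

    ad_entry is a flat dict of the user's AD attributes (constructed, not an LDAP
    lookup); ume is keyed by UME logon id.
    """
    opts = {**DEFAULT_OPTIONS, **(options or {})}

    # Step 1: mapping by Active Directory attribute. Only when ADMappingVariable is set,
    # and only if the attribute value names an existing UME user; otherwise fall through.
    attr_name = opts["ADMappingVariable"]
    if attr_name:
        candidate = ad_entry.get(attr_name)
        if candidate in ume:
            return candidate, "AD attribute"

    # Step 2: direct mapping. The AD login name exactly matches a UME logon id.
    login_name = ad_entry.get("sAMAccountName")
    if login_name in ume:
        return login_name, "direct"

    # Step 3: mapping by SAP custom attribute. A UME profile's custom attribute at
    # <namespace>:<usernameConfig> holds the user's AD userPrincipalName.
    upn = ad_entry.get("userPrincipalName")
    path = custom_attribute_path(opts)
    matches = [u.logon_id for u in ume.values()
               if upn and u.custom_attributes.get(path) == upn]
    if len(matches) == 1:
        return matches[0], "SAP custom attribute"
    if len(matches) > 1:
        # Added defensive check: two UME profiles claiming the same UPN is a
        # misconfiguration; refuse rather than pick one arbitrarily.
        return None, "ambiguous"
    return None, "unmapped"


# Constructed UME user store and AD entries for the worked cases
UME = {u.logon_id: u for u in (
    UmeUser("jsmith"),
    UmeUser("sap_ops", {"com.sap.security.core.usermanagement:CdcUserName": "ops1@example.com"}),
    UmeUser("svc_audit", {"com.a.b.c:CdcUserName": "audit@example.com"}),
)}
AD_JSMITH = {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@example.com"}
AD_OPS = {"sAMAccountName": "ops1", "userPrincipalName": "ops1@example.com", "sapUser": "sap_ops"}
AD_AUDIT = {"sAMAccountName": "audit", "userPrincipalName": "audit@example.com"}


if __name__ == "__main__":
    print(map_ad_user(AD_OPS, UME, {"ADMappingVariable": "sapUser"}))   # step 1
    print(map_ad_user(AD_JSMITH, UME))                                   # step 2
    print(map_ad_user(AD_OPS, UME))                                      # step 3, default namespace
    print(map_ad_user(AD_AUDIT, UME, {"namespace": "com.a.b.c"}))        # step 3, custom namespace
    print(map_ad_user(AD_AUDIT, UME))                                    # unmapped
```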

For SAP 7.0:


1 Go to the NetWeaver Administrator web page:
http://sap_server_system:50000/nwa

2 Log in as the SAP administrator (sidadm).


3 Go to the System Management tab and the Administration subtab. Click the
Identity Management button on the left.
4 Click the Configuration button.
5 Click User Admin UI and then the Modify Configuration button.
6 For Administrator-managed Custom Attributes, enter CdcUserName or the other
value you set for usernameConfig in the Login Module options.
If you entered a value for the namespace option in the login module stack, specify the pair
of values in the form:
namespace_option_value:usernameConfig_option_value

For example, if you entered mynamespace for the namespace option and use the default
value CdcUserName for usernameConfig in the Login Module stack, specify:
mynamespace:CdcUserName

7 Click Save All Changes.


8 Log out and restart SAP so the updates take effect:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]

This process may take several minutes. For suggested ways to check for completion, refer
to “Checking that applications have loaded” on page 15.
When you sign back in to the NetWeaver Administrator Web page, you find a field called
CdcUserName in the Customized Information section. Set this field to the Active
Directory user login ID or the user's UPN in Active Directory. When someone signs in to
an SAP Web application using an Active Directory user name, the application identifies that
person as the corresponding SAP user.
To set the custom attribute in a user's profile:
1 Go to the NetWeaver Administrator web page.
2 Log in as an AD user who maps to a UME username with SAP administrator privileges.
3 Click the Administration tab.
4 Click Identity Management.
5 In Search Criteria, enter the user name and click Go.
6 If the correct user is listed, select that user’s row. Details of the user will appear.


7 Click the Modify button just under Details of User username.


8 Click the Customized Information tab.

You should see text fields with custom attributes; for example, a value for CdcUserName.
9 Type the user's UPN in the CdcUserName field and click Save.

For SAP 7.3/7.4/7.5:


1 Go to the NetWeaver Administrator web page:
http://sap_server_system:50000/nwa

2 Log in as the SAP administrator (sidadm).


3 Go to the Configuration tab and the Security subtab, then click the Identity
Management link on the left.
4 Click the Configuration button.
5 Click User Admin UI and then the Modify Configuration button.
6 For Administrator-Managed Custom Attributes, enter CdcUserName, or whatever other
value you set for the usernameConfig option in the Login Module options.
If you entered a value for the namespace option in the login module stack, specify the pair
of values in the form:
namespace_option_value:usernameConfig_option_value

For example, if you entered mynamespace for the namespace option and use the default
value CdcUserName for usernameConfig in the Login Module stack, specify:
mynamespace:CdcUserName

7 Click Save All Changes.


8 Log out and restart SAP so the updates take effect:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]

This process may take several minutes. For suggested ways to check for completion, refer
to “Checking that applications have loaded” on page 15.
When you sign back in to the NetWeaver Administrator Web page, you find a field called
CdcUserName in the Customized Information section. Set this field to the Active
Directory user login ID or the user's UPN in Active Directory. When someone signs in to
an SAP Web application using an Active Directory user name, the application identifies that
person as the corresponding SAP user.
To set the custom attribute in a user's profile:
1 Go to the NetWeaver Administrator web page.
2 Log in as an AD user who maps to a UME username with SAP administrator privileges.


3 Click the Configuration tab and the Security subtab.


4 Click Identity Management.
5 In Search Criteria, enter the user name and click Go.
6 If the correct user is listed, select that user’s row. Details of the user will appear.
7 Click the Modify button just under Details of User username.
8 Click the Customized Information tab.

You should see text fields with custom attributes; for example, a value for CdcUserName.
9 Type the user's UPN in the CdcUserName field and click Save.


Reference example: user mapping


This section interrupts the procedural flow to give a specific example of how the mapping
algorithm works.
The cases below show the three-step mapping sequence applied to a user who logs in with
AD user name jeandoe. Each case lists the Centrify login module or login module stack
option (O), the AD user entry attribute (A) for jeandoe, and the UME user name (N) or UME
custom attribute (C) involved, with the sample value (V) of each, followed by the outcome.
A match means that the UME value (N or C) equals the AD attribute value it is compared
with.

Step 1: mapping via the attribute named in ADMappingVariable
 If O ADMappingVariable, V firstNameHireNum; A firstNameHireNum, V jean10256; and
N jean10256 (match): AD user jeandoe maps to jean10256.
 But if O ADMappingVariable, V firstNameHireNum; A firstNameHireNum, V jean10256; and
N has no match: go to step 2.
 Or if O ADMappingVariable, V firstNameHireNum; and A firstNameHireNum is absent or
not set: go to step 2.
 Or if O ADMappingVariable is in its default state (not set): go to step 2.

Step 2: direct mapping via sAMAccountName
 If A sAMAccountName, V jeandoe; and N jeandoe (match): AD user jeandoe maps to
jeandoe.
 But if A sAMAccountName, V jeandoe; and N has no match: go to step 3.

Step 3: mapping via the SAP custom attribute
 Specify O usernameConfig, V CdcUserName (or leave it empty); A userPrincipalName,
V jdoe@domain.com; and C CdcUserName, V jdoe@domain.com (match) on UME user
N jean999: AD user jeandoe maps to jean999.
 Or with O usernameConfig, V altAttribute; A userPrincipalName, V jdoe@domain.com;
and C altAttribute, V jdoe@domain.com (match) on UME user N jean999: AD user
jeandoe maps to jean999.
 Or with O usernameConfig, V CdcUserName, and O namespace, V com.a.b.c;
A userPrincipalName, V jdoe@domain.com; and C com.a.b.c:CdcUserName,
V jdoe@domain.com (match) on UME user N jean999: AD user jeandoe maps to jean999.
 But if, for any of these options, the designated UME custom attribute C has no match:
AD user mapping fails.
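To make the three-step sequence concrete, here is an added Python model of the mapping algorithm (example code, not Centrify's login module). The AD entry, UME users and option values are constructed inline, and the class and function names are assumptions.

```python
"""Added example (not Centrify's code): a model of the three-step AD-to-UME mapping
walked through in the reference example above, including how the usernameConfig and
namespace options select the UME custom attribute that step 3 compares against.

Assumptions (not from the manual): the AD entry, UME users and option values are plain
dicts constructed inline, and comparisons are exact string matches.
"""
from dataclasses import dataclass, field

# Documented defaults for the two login module options that locate the custom attribute.
DEFAULT_USERNAME_CONFIG = "CdcUserName"
DEFAULT_NAMESPACE = "com.sap.security.core.usermanagement"


@dataclass
class UmeUser:
    """A UME user: its user name (N) and custom attributes (C), keyed as
    'namespace:attribute', which is how the login module addresses them."""
    name: str
    custom: dict = field(default_factory=dict)


def custom_attribute_key(options: dict) -> str:
    """Where the login module looks for the UME custom attribute: the namespace and
    usernameConfig options, each falling back to its default when unset or empty."""
    attr = options.get("usernameConfig") or DEFAULT_USERNAME_CONFIG
    namespace = options.get("namespace") or DEFAULT_NAMESPACE
    return f"{namespace}:{attr}"


def map_ad_user(ad_entry: dict, ume_users: list, options: dict) -> tuple:
    """Return (UME user name, step that matched) or (None, "failed").

    Step 1: the AD attribute named by ADMappingVariable must equal a UME user name.
    Step 2: sAMAccountName must equal a UME user name.
    Step 3: userPrincipalName must equal the UME custom attribute at namespace:usernameConfig.
    An unset option or absent attribute skips the step; a miss falls through to the next.
    """
    mapping_attr = options.get("ADMappingVariable")
    if mapping_attr:                      # default state (not set): straight to step 2
        value = ad_entry.get(mapping_attr)
        if value:                         # attribute absent or not set: go to step 2
            for user in ume_users:
                if user.name == value:
                    return user.name, "step 1"
    sam = ad_entry.get("sAMAccountName")
    if sam:
        for user in ume_users:
            if user.name == sam:
                return user.name, "step 2"
    upn = ad_entry.get("userPrincipalName")
    key = custom_attribute_key(options)
    if upn:
        for user in ume_users:
            if user.custom.get(key) == upn:
                return user.name, "step 3"
    return None, "failed"


# Constructed sample data mirroring the reference example for AD user jeandoe.
JEANDOE = {
    "sAMAccountName": "jeandoe",
    "userPrincipalName": "jdoe@domain.com",
    "firstNameHireNum": "jean10256",
}
JEAN999 = UmeUser("jean999", {
    f"{DEFAULT_NAMESPACE}:CdcUserName": "jdoe@domain.com",
    f"{DEFAULT_NAMESPACE}:altAttribute": "jdoe@domain.com",
    "com.a.b.c:CdcUserName": "jdoe@domain.com",
})
UME_ALL = [UmeUser("jean10256"), UmeUser("jeandoe"), JEAN999]

if __name__ == "__main__":
    print(map_ad_user(JEANDOE, UME_ALL, {"ADMappingVariable": "firstNameHireNum"}))
    print(map_ad_user(JEANDOE, UME_ALL, {}))                              # step 2: jeandoe
    print(map_ad_user(JEANDOE, [JEAN999], {"namespace": "com.a.b.c"}))   # step 3: jean999
    print(map_ad_user(JEANDOE, [JEAN999], {"usernameConfig": "other"}))  # failed
```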

Make optional adjustments to single sign-on behavior


You can take a few simple steps to fine-tune the single-sign-on experience so that users do
not need to change SAP account passwords created by administrators, and do not get
automatically redirected to a login page when they log out from NetWeaver.


Modify the password-change functionality


Even if users consistently use SSO through DirectControl for NetWeaver, the SAP UME default
security policy still forces them to change SAP account passwords created by an SAP
administrator (for example, for new SAP users). So by default the user must authenticate to
DirectControl and then to NetWeaver AS Java before being able to change the password.
To avoid this, configure the SAP UME so it does not require password changes for single
sign-on:
1 Start the configuration tool configtool.bat (typically found in
AS_Java_installation\j2ee\configtool\).
2 Navigate to Cluster-data > Global Server Configuration > Services >
com.sap.security.core.ume.service.
3 Locate the key ume.logon.force_password_change_on_sso and set the value to FALSE.


4 Apply the change by selecting File > Apply.
5 Click OK, and click OK again.
6 Restart the SAP server so the updates take effect. To do this, log in as sidadm and run:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]

This process may take several minutes. For suggested ways to check for completion, refer
to “Checking that applications have loaded” on page 15.
To verify the change, create a new SAP user account; log in as that user; when requested to
change the account password, see if you can change it without first authenticating to
DirectControl.

Configure logout for NetWeaver AS Java


To ensure a seamless experience for users, it may be advisable to adjust the logout URL. For
example, users logging out of SAP Portal are typically redirected to the login page; with SSO
configured they are then automatically logged back in (when in fact they probably wanted to
remain logged out). To change the logout URL, follow these steps:
1 Start the configuration tool configtool.bat (typically found in
AS_Java_installation\j2ee\configtool\).

2 In the tree, navigate to Global Server Configuration > Services >
com.sap.security.core.ume.service.

3 Scroll to the ume.logoff.redirect.url property and configure the fully qualified logout
URL.
4 Click the Apply Changes icon (which looks like a floppy disk).
5 Restart the SAP server so the updates take effect. Log in as sidadm and run:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]

This process may take several minutes. For suggested ways to check for completion, refer
to “Checking that applications have loaded” on page 15.
To verify the change after configuring and deploying DirectControl for NetWeaver, log in
to SAP Portal as a NetWeaver user and log out again. Make sure you are not automatically
logged back in.

Set up browsers for authentication


This section explains how to set up Internet Explorer and Firefox for Kerberos and NTLM
authentication.

Set up Internet Explorer


To prepare Internet Explorer for Kerberos and NTLM authentication, you need to
understand IE security zones and then make appropriate modifications.

Understand Internet Explorer security zones


For users to be authenticated silently when they use Internet Explorer to access an
application on the Web server with Kerberos or NTLM authentication, the Web server
must be in the local intranet Internet Explorer security zone, or explicitly configured as
part of the local intranet security zone.
For Internet Explorer, a server is recognized as part of the local intranet security zone in
one of two ways:
 When the user specifies a URL that is not a fully qualified DNS domain name – for
example, http://admin-server/index.html – Internet Explorer interprets the URL as
a site in the local intranet security zone.
 When the user specifies a URL with a fully qualified name – for example,
http://admin-server.mycompany.com/index.html – Internet Explorer interprets the URL
as a site that is not part of the local intranet unless the site has been explicitly added
to the local intranet security zone in Internet Explorer.
Depending on which type of URL the user specifies, silent authentication may require that
you modify the local intranet security zone in Internet Explorer.

Modify the local intranet security zone


If users log on to Web applications using a fully-qualified path in the URL, they may need to
modify the settings for the local intranet security zone in Internet Explorer to enable silent
authentication. To do this:


1 Open Internet Explorer and select Tools > Internet Options.


2 Click the Security tab.
3 Click the Local intranet icon.
4 Click Sites and then click Advanced.
5 Type the URL for the Web site you want to make part of the local intranet, and click
Add. You can use wildcards in the site address, for example, *://*.mycompany.com.
When you are finished adding URLs or URL patterns, click OK.
6 Click OK to accept the local intranet configuration settings, and click OK to close the
Internet Options dialog box.
Once you have configured the local intranet security zone, you can log on to Web or Java
applications through Kerberos or NTLM without being prompted for a user name and
password.

Configuring Firefox to allow silent authentication


By default, Firefox supports “prompted NTLM authentication.” To enable “silent NTLM
authentication” (no prompts), open Firefox and configure the browser to trust sites:
1 Type about:config as the target URL and press Return.
2 Click the I’ll be careful button. Type ntlm in the Filter field.

3 Open network.automatic-ntlm-auth.trusted-uris.
4 Type a comma-separated list of partner URLs or domain names and click OK.

Note You can use wildcards (for example, *.company.com); however, for the sake of
security, make this list as restrictive as possible.


Mozilla Firefox supports negotiated (SPNEGO) authentication, but not by default. To enable
silent SPNEGO authentication, continue as follows:
5 Type neg in the Filter field.
6 Open network.negotiate-auth.delegation-uris, type a comma-separated list of
partner URLs or domain names as string values, and click OK.
Note For security reasons, make this list as restrictive as possible. If your Web server uses
SSL, be sure to include https:// in the string.
7 Open network.negotiate-auth.trusted-uris, type a comma-separated list of partner
URLs or domain names, and click OK.

Configuring Safari
Safari does not require any configuration to work with DirectControl for NetWeaver.

Verify the installation


To verify that user authentication and mapping work as intended:
1 Create an Active Directory user if one does not yet exist.
2 Go to the NetWeaver Portal:
http://sap_server_system:50000/irj

3 Log in as an AD user, and note the login behavior of the system when you attempt to use
NetWeaver.
4 To test individual user mapping, log in as an Active Directory user and verify that the
expected mapping occurs (page 12) in each scenario you expect users to encounter; for
example:
 Change Active Directory attributes and values, and UME default and custom
attributes, and verify that the expected mapping occurs in each case.
 Change values in the login modules in the login module stack (page 29), and check for
the expected outcome in each scenario.
A list of troubleshooting scenarios and solutions can be found on page 55.
5 To check Kerberos authentication in a clustered environment behind a reverse proxy
(page 62) or load balancer (page 63), ask IT to create both routine and edge conditions
for the cluster, and then verify expected outcomes.
If problems occur, refer to the troubleshooting section (page 52) in the next chapter. If
problems persist, go to www.centrify.com/support and log in for the Technical Support
contact information.

Chapter 4

Logging and Troubleshooting

This chapter discusses the following topics:


 Log Files
 Troubleshooting

Log Files
SAP NetWeaver separates log files from trace files:
 Log files are operation log messages that are written to categories. Categories have
names that start with a slash (/) and are specific to an area; for example,
/System/Network.
 Trace files are debug log messages that are written to locations. Locations have names
made up of components separated by dots (.); for example, com.sap.tc.security.
In both cases the names are hierarchical; for example, if the log level for
com.centrify.dc.netweaver is not set, it inherits the log level for com.centrify.dc.
DirectControl for NetWeaver creates a category called /System/Security/Centrify and a
location for each class. The location name is the name of the class.

Log configuration
For details about log configuration, see the section for the version of SAP you are using:
 “For SAP 7.0” on page 44
 “For SAP 7.3/7.4/7.5:” on page 47

For SAP 7.0


You can configure logging in one of three ways:
 With your own configuration file
 Using Visual Administrator
 Logging in from a browser, using NetWeaver Administrator (the preferred method
because you can configure all server nodes from one place).


Before configuring logging, you need to deploy and configure DirectControl for
NetWeaver, and restart NetWeaver. When DirectControl for NetWeaver is loaded, the
following categories and locations are automatically created in the Visual Administrator.

Category or location            Default severity level   Description
Categories
/System/Security/Centrify       Info                     Messages at info level and higher from all classes
Locations
com.centrify.dc.netweaver       Debug                    Messages from NetWeaver plug-in classes
com.centrify.dc.wbase           Debug                    Messages from base authentication classes
com.centrify.dc.common          Debug                    Messages from common utility classes
com.centrify.dc.common.logging  Debug                    Messages from logging classes

Configure log level for categories using the Visual Administrator:


1 Open the Visual Administrator and log in as an administrator.
2 Click the Cluster tab and go to sid > Server > Services > Log Configurator.
3 Click the Categories tab and open ROOT CATEGORY > System > Security >
Centrify.
4 Select the severity level and click Apply (the floppy-disk icon).

Configure log level for locations using the Visual Administrator:


1 Open the Visual Administrator and log in as an administrator.
2 Click the Cluster tab and go to sid > Server > Services > Log Configurator.
3 Click the Locations tab and open ROOT CATEGORY > com > centrify >
common (or dc, or anything below it).


4 Select the severity level and click Apply (the floppy-disk icon).

Configure log level for categories using the NetWeaver Administrator:


1 In a browser window, go to http://<netweaver-host>:50000/nwa and log in as an
administrator.
2 Click Configuration > Log configuration.
3 In Show, select Logging Categories and open ROOT CATEGORY > System >
Security > Centrify.
4 Select the severity level and click Save Configuration.


Configure log level for locations using the NetWeaver Administrator:


1 In a browser window, go to http://<netweaver-host>:50000/nwa and log in as an
administrator.
2 Click Configuration > Log configuration.
3 In Show, select Tracing Locations and open ROOT LOCATION > com > centrify
> common (or dc, or anything below it).
4 Select the severity level and click Save Configuration.

For SAP 7.3/7.4/7.5:


You can configure logging in one of two ways:
 With your own configuration file
 Logging in from a browser, using NetWeaver Administrator (the preferred method
because you can configure all server nodes from one place).
Note Visual Administrator is deprecated in NetWeaver 7.3/7.4/7.5.

Before configuring logging, you need to deploy and configure DirectControl for
NetWeaver, and restart NetWeaver.

Configure log level for categories using the NetWeaver Administrator:


1 In a browser window, go to http://<netweaver-host>:50000/nwa and log in as an
administrator.
2 Go to Troubleshooting > Logs and Traces > Log Configuration.
3 In Show, select Logging Categories and open ROOT CATEGORY > System >
Security > Centrify.


4 Select the severity level and click Save Configuration.

Configure log level for locations using the NetWeaver Administrator:


1 In a browser window, go to http://<netweaver-host>:50000/nwa and log in as an
administrator.
2 Go to Troubleshooting > Logs and Traces > Log Configuration.
3 In Show, select Tracing Locations and open ROOT LOCATION > com >
centrify.
4 Select the severity level. Use the Copy to Subtree button to propagate the settings, if
required.
5 Click Save Configuration.

Log viewing
You can view log messages from categories and locations in two ways: using a text editor, or
using the NetWeaver Administrator Log Viewer (the easiest way to see the logs from a GUI).
Note Centrify log messages are always preceded by a timestamp in the format yyyy.mm.dd
hh:mm:ss:sss zone, so that the time the message was logged is visible even in an ordinary
text editor.

Viewing logs using a text editor


To view logs using a text editor such as vi (UNIX/Linux) or Notepad (Windows), do the
following:
1 Change directory to /usr/sap/SID/JCinstance_#/j2ee/cluster/servern/log (where
n is the server node number)
2 Open the latest defaultTrace.nn.trc file – for example, defaultTrace.17.trc – in the
text editor.
3 To see log messages for a category, search for its directory path; for example, /System/
Security/Centrify.

4 To see trace messages for a location, search for the location or class name; for example,
com.centrify.dc.netweaver.CentrifySpnegoLoginModule.

The following text is an example of a log file.


#1.5^H#000C29A1D5CF0078000000C90000497B0004967437B0D8BE#1291325801552#
com.centrify.dc.netweaver.CentrifySpnegoLoginModule#sap.com/
com.sap.security.core.admin#com.centrify.dc.netweaver.CentrifySpnegoLo
ginModule#Guest#0##n/
a##40682e60fe5c11df8984000c29a1d5cf#SAPEngine_Application_Thread[impl:
3]_7##0#0#Info#1#/System/Security/Centrify#Plain###2010.12.02
13:36:41:552 PST login: Got status : ERROR from
CentrifyAuth.authenticate()#


#1.5^H#000C29A1D5CF006C0000003A0000497B0004967581F005ED#1291331342173#
com.centrify.dc.netweaver.CentrifyLoginModule#sap.com/
tc~wd~dispwda#com.centrify.dc.netweaver.CentrifyLoginModule#Guest#0##n
/
a##26e0c490fe6911df8daa000c29a1d5cf#SAPEngine_Application_Thread[impl:
3]_0##0#0#Debug##Plain###2010.12.02 15:09:02:173 PST exiting method:
commit#
The first line shows a message logged to both the category /System/Security/Centrify
and the location com.centrify.dc.netweaver.CentrifySpnegoLoginModule at severity
INFO. The message is the string 2010.12.02 13:36:41:552 PST login: Got status :
ERROR from CentrifyAuth.authenticate().
The second line shows a message logged at severity DEBUG to location
com.centrify.dc.netweaver.CentrifyLoginModule. The message is 2010.12.02
15:09:02:173 PST exiting method: commit.
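As an added example (not SAP's or Centrify's code), the following Python script parses records in this format so that Centrify messages at or above a chosen severity can be extracted from defaultTrace files for review. The field positions are inferred from the two sample records above rather than from a published format specification, and the function names are assumptions.

```python
"""Added example (not SAP's or Centrify's code): parse the '#'-delimited trace records
shown above, so Centrify log messages at a chosen severity can be pulled out of a
defaultTrace file with a script rather than by searching in a text editor.

Assumptions (not documented on the page): field positions are inferred from the two
sample records alone. After the severity field comes a count of categories, then that
many category names, then the format ('Plain'), two empty fields and the message.
Each record is expected on a single line; other lines are skipped.
"""
from datetime import datetime, timezone

# SAP logging severities in ascending order, used for threshold filtering.
SEVERITIES = ("Debug", "Path", "Info", "Warning", "Error", "Fatal")

# Constructed sample: the manual's two records, each re-joined onto one line, with the
# ^H control character shown in the sample kept as two literal characters.
SAMPLE_TRACE = (
    "#1.5^H#000C29A1D5CF0078000000C90000497B0004967437B0D8BE#1291325801552#"
    "com.centrify.dc.netweaver.CentrifySpnegoLoginModule#sap.com/"
    "com.sap.security.core.admin#com.centrify.dc.netweaver.CentrifySpnegoLoginModule#"
    "Guest#0##n/a##40682e60fe5c11df8984000c29a1d5cf#"
    "SAPEngine_Application_Thread[impl:3]_7##0#0#Info#1#/System/Security/Centrify#"
    "Plain###2010.12.02 13:36:41:552 PST login: Got status : ERROR from "
    "CentrifyAuth.authenticate()#\n"
    "#1.5^H#000C29A1D5CF006C0000003A0000497B0004967581F005ED#1291331342173#"
    "com.centrify.dc.netweaver.CentrifyLoginModule#sap.com/tc~wd~dispwda#"
    "com.centrify.dc.netweaver.CentrifyLoginModule#Guest#0##n/a##"
    "26e0c490fe6911df8daa000c29a1d5cf#SAPEngine_Application_Thread[impl:3]_0##0#0#"
    "Debug##Plain###2010.12.02 15:09:02:173 PST exiting method: commit#\n"
)


def parse_record(line: str) -> dict:
    """Split one record into named fields (positions inferred from the sample)."""
    f = line.rstrip("\n").split("#")
    if len(f) < 20 or f[0] != "" or not f[1].startswith("1.5"):
        raise ValueError("not a version 1.5 list-format record")
    ms = int(f[3])                                   # epoch milliseconds
    n_categories = int(f[18]) if f[18] else 0
    rest = f[19 + n_categories:]                     # [format, '', '', message, '']
    if len(rest) < 5:
        raise ValueError("record is truncated")
    stamp = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return {
        "timestamp": stamp.replace(microsecond=(ms % 1000) * 1000),
        "location": f[4],
        "application": f[5],
        "user": f[7],
        "thread": f[13],
        "severity": f[17],
        "categories": f[19:19 + n_categories],
        "format": rest[0],
        "message": "#".join(rest[3:-1]),             # a message may itself contain '#'
    }


def parse_trace(text: str) -> list:
    """Parse every record line in a trace file's text; non-record lines are skipped."""
    return [parse_record(line) for line in text.splitlines() if line.startswith("#1.")]


def centrify_records(records: list, min_severity: str = "Info") -> list:
    """Records from the Centrify category or a com.centrify location, at or above
    min_severity; useful for pulling authentication outcomes out of a busy trace."""
    threshold = SEVERITIES.index(min_severity)
    return [
        r for r in records
        if (r["location"].startswith("com.centrify.")
            or "/System/Security/Centrify" in r["categories"])
        and r["severity"] in SEVERITIES
        and SEVERITIES.index(r["severity"]) >= threshold
    ]


if __name__ == "__main__":
    for r in centrify_records(parse_trace(SAMPLE_TRACE), "Info"):
        print(r["timestamp"].isoformat(), r["severity"], r["location"], "::", r["message"])
```

The epoch field decodes to 21:36:41.552 UTC for the first record, which agrees with the 13:36:41:552 PST shown in its message text.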

Viewing category log messages using NetWeaver Administrator Log Viewer


To view category log messages using NetWeaver Administrator Log Viewer, do the steps in
this section for the version of SAP you are using.

Viewing category log messages for SAP 7.0:


1 In a browser window, go to the NetWeaver Administrator Log Viewer at
http://<sap-server>:50000/nwa and log in as an administrator.
2 Click Monitoring > Logs and Traces.
3 In Show, select Predefined View.
4 Next to Predefined View, select SAP Logs.


5 To see logs in /System/Security/Centrify, click Open Search, and in Search By
select Category and equals, and type /System/Security/Centrify.

Viewing category log messages for SAP 7.3/7.4/7.5:


1 In a browser window, go to the NetWeaver Administrator Log Viewer at
http://<netweaver-host>:50000/nwa and log in as an administrator.
2 Go to Troubleshooting > Logs and Traces > Log Viewer.
3 In Show, select View > Open View > SAP Logs.
4 Enter *centrify* (with the asterisks) in the Category filter.
The log displays so that you can review it.

Viewing location log messages using NetWeaver Administrator Log Viewer


To view location log messages using NetWeaver Administrator Log Viewer, do the steps in
this section for the version of SAP you are using.

Viewing location log messages for SAP 7.0:


1 In a browser window, go to the NetWeaver Administrator Log Viewer at
http://<sap-server>:50000/nwa and log in as an administrator.
2 Click on Monitoring > Logs and Traces.
3 In Show, select Predefined View.
4 Next to Predefined View, select Default Trace.


5 To see messages in a specific location, in Search By select Location, select equals,
and type (for example) com.centrify.dc.netweaver.CentrifySpnegoLoginModule.

Viewing location log messages for SAP 7.3/7.4/7.5:


1 In a browser window, go to the NetWeaver Administrator Log Viewer at
http://<netweaver-host>:50000/nwa and log in as an administrator.
2 Go to Troubleshooting > Logs and Traces > Log Viewer.
3 In Show, select View > Open View > SAP Logs.
4 Enter *centrify* (with the asterisks) in the Location filter.

The log displays so that you can review it.

Viewing developer traces for SAP 7.3/7.4/7.5


To view developer trace messages using NetWeaver Administrator Log Viewer, do the
following:
1 In a browser window, go to the NetWeaver Administrator Log Viewer at
http://<java-host>:java-port/nwa and log in as an administrator.
2 Go to Troubleshooting > Logs and Traces > Log Viewer.
3 In Show, select View > Open View > Developer Traces.
4 Enter *centrify* (with the asterisks) in the Location filter.

The log displays so that you can review it.


Troubleshooting
This section describes the most commonly encountered error conditions and solutions.

Command not found – UNIX


Symptom: You type a command to open Visual Administrator or Software Deployment
Manager and the system returns the message, Command not found.
Cause: Different versions of NetWeaver can have different directory trees. The path to the
command you typed is incorrect.
Solution: Use this table to help locate the command.

To find                                 type this       and then this
Visual Administrator                    cd /usr/sap     find . -name go
Software Deployment Manager (SDM) GUI   cd /usr/sap     find . -name RemoteGui.sh

Command not found – Windows


Symptom: You type a command to open Visual Administrator or Software Deployment
Manager and the system cannot find the application.
Cause: Different versions of NetWeaver can organize files into different folders and
subfolders. The path to the command you typed is incorrect.
Solution: Use this table to help locate the command.

To find                                 navigate to this folder   and search for this
Visual Administrator                    C:\usr\sap                go.bat
Software Deployment Manager (SDM) GUI   C:\usr\sap                RemoteGui.bat
SAP Management Console                  C:\Windows                sapmmc.msc

Library not found – UNIX


Symptom: The DirectControl for NetWeaver library is not found.
Cause: All of the UNIX-like operating systems require an environment variable (LIB_PATH,
SHLIB_PATH or LD_LIBRARY_PATH) in the shell startup configuration file. The environment
variable is not set or not found.
Solution: Check the following:
 Make sure both the environment variable name and the path are correct for the
operating environment on the machine (32-bit vs. 64-bit, Solaris vs. AIX, etc).


 Make sure the environment variable name is being set in the startup configuration file
(.cshrc, .bashrc, etc.) that corresponds to the shell the SAP administrator will be
using.

Library or NetWeaver AS Java not found – Windows


Symptom: The DirectControl for NetWeaver library or NetWeaver AS Java is not found.
Cause: Environment variables are not properly set.
Solution: Go to Start > My Computer > Properties, Advanced tab, and click
Environment Variables. In the system variables (lower) list, check for the following:
 A variable named JAVA_HOME exists and has the value C:\j2sdk1.4.2_28-x64.
 The value for the Path variable begins with C:\Centrify\DirectControl\java\lib,
followed by a semicolon separator.
Note Although C:\Program Files\centrify\directcontrol is the default directory when
installing CentrifyDC_Java.msi, the space in Program Files does not work for SAP in
Windows. Change from the default directory to a directory path with no spaces in it.

Deployment errors
Symptom: You click the Start Deployment button in the Software Deployment
Manager, and deployment succeeds for the .sda file, but then fails for the .ear file.
=================================================
Deployment started Fri Dec 10 10:59:22 PST 2010
=================================================
Starting Deployment of CentrifyLoginModuleLibrary
Finished successfully: development component
'CentrifyLoginModuleLibrary'/'centrify.com'/'localhost'/
'2010.03.02.13.49.33'/'0'
Deployment of CentrifyLoginModuleLibrary finished successfully (Duration
6223ms)

Starting Deployment of CentrifyRedirectApp
Aborted: development component...

Cause: You select both the .sda and the .ear for deployment at the same time.
Solution: Be sure to stop and restart SAP after deploying a module and before deploying
any other module.


Symptom: If you click Next to advance from Step 2 to Step 3 in the Software
Deployment Manager, the following error message appears.

Cause: The CentrifyLoginModuleLibrary.sda has already been installed.


Solution: Skip the deployment step – it is not needed.

Authentication errors
Authentication errors result from failures in the login module (“Load and Configure
Centrify login module” on page 24).

Symptom: User authentication fails.
Causes and solutions: Check that all of the following conditions have been met:
• Make sure you installed and configured the login module stack to use the Centrify
login module for the types of authentication you want to apply (page 29).
• If you are using the CentrifySpnegoLoginModule and BASIC is the authentication
scheme, make sure the realm attribute (realmName) is set to the correct value in
the login module stack.

Symptom: The wrong type of user authentication is applied to users.
Causes and solutions:
• Make sure the enableAuthSchemes login module option lists the correct types of user
authentication, and lists them in the correct order.


User mapping errors


For a description of the user mapping algorithm, refer to Chapter 3, “Final Steps,” and in
particular the table on page 39.

Symptom: You set ADMappingVariable, but instead of mapping to the value of the attribute
named in ADMappingVariable, the AD user is mapped to a different username, or mapping
fails.
Causes and solutions: Check the following:
• Make sure the UME user name value matches the value in the AD user entry attribute
named in ADMappingVariable.
• Make sure the AD user entry attribute named in ADMappingVariable is present and set.
• Make sure the ADMappingVariable is not in its default state (that is, not set).

Symptom: The user named in sAMAccountName in Active Directory did not map to the same
user name in UME.
Causes and solutions: Note the following:
• If ADMappingVariable is set, and its value matches the name of a user entry attribute in
Active Directory, and the value of that attribute matches the value of a UME user name,
the AD user is mapped to the matching value. This mapping takes precedence over direct
mapping from Active Directory.
• It may be that no match was found between a value of sAMAccountName in Active
Directory and a value for a user name in UME.

Symptom: You set the usernameConfig or namespace option, or both, in a Centrify login
module or in the login module stack, but the AD user fails to map to a UME user name via
the custom attribute designated by those options.
Causes and solutions: Note the following:
• If ADMappingVariable is set, its value matches the name of a user entry attribute in
Active Directory, and the value of that attribute matches the value of a UME user name,
that mapping takes precedence over mapping via SAP custom attribute.
• If a match is found between a value of sAMAccountName in Active Directory and a value
for a user name in UME, that mapping takes precedence over mapping via SAP custom
attribute.
• If no match is found between an Active Directory sAMAccountName value and a value in
the custom attribute designated in a Centrify login module or in the login module stack,
the AD user fails to map to a UME user name in the UME custom attribute.

Login module stack does not work as intended


Symptom: The login module stack does not have the expected effects.
Cause: Possibly the ordering of login modules, or the flags applied to each instance of a
login module, is incorrect.
Note If a module cannot be found or cannot be opened, it is ignored.


Solution: Check the following table, which summarizes the effects of control flags on the
stack.

Flag and condition: Action taken

REQUISITE, the module fails: Control immediately returns to the application with “failure” status, along with the error value from this module.
REQUISITE, the module passes: Control moves to the next module in the stack.
REQUIRED, the module fails: If this is the first REQUIRED module in the stack to fail, its error value is stored for later forwarding to the application. Control moves to the next module in the stack.
REQUIRED, the module passes: Control moves to the next module in the stack. If this is the last module and all REQUIRED modules have passed, control returns to the application with “success” status. If one or more REQUIRED modules has failed, control returns to the application with “failure” status, along with the error value from the first failed REQUIRED module.
No REQUISITE or REQUIRED flag is present in the stack: At least one SUFFICIENT or OPTIONAL module must pass for control to return to the application with “success” status. If none pass, control returns to the application with “failure” status, along with the error value from the first module that failed.
SUFFICIENT, the module passes: “Sufficient modules have been executed.” Control returns to the application, with “success” status if all previous REQUIRED modules have passed, or with “failure” status if one or more REQUIRED modules have failed, with the error value from the first REQUIRED module that failed.
SUFFICIENT, the module fails: Control moves to the next module in the stack.
OPTIONAL, the module passes or fails: Control moves to the next module in the stack.
The last module has been processed: If and when the last module in the stack has been processed, if at least one REQUISITE or REQUIRED module was present and all have passed, control returns to the application with “success” status, and SUFFICIENT and OPTIONAL error values are ignored. If one or more REQUIRED modules have failed, control returns to the application with “failure” status, along with the error value from the first failed REQUIRED module.
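To make the table concrete, here is an added Python simulation of these control-flag rules (example code written for this edit, not part of the Centrify or SAP products). The module names in the sample stack come from this manual, but the flags and pass/fail results assigned to them are constructed for illustration, and a module that cannot be found or opened is assumed to count as absent from the stack.

```python
from dataclasses import dataclass
from typing import List, Optional

REQUISITE, REQUIRED, SUFFICIENT, OPTIONAL = "REQUISITE", "REQUIRED", "SUFFICIENT", "OPTIONAL"


@dataclass
class Module:
    name: str
    flag: str
    passes: Optional[bool]     # None: module could not be found or opened, so it is ignored
    error: str = ""            # error value the module reports when it fails


@dataclass
class Outcome:
    success: bool
    error: Optional[str]       # error value forwarded to the application on failure
    stopped_at: Optional[str]  # module that ended processing early (REQUISITE fail or SUFFICIENT pass)


def evaluate_stack(stack: List[Module]) -> Outcome:
    """Walk the stack in order and apply the control-flag rules from the table above."""
    first_required_error = None        # stored error of the first REQUIRED module that failed
    first_failed_error = None          # error of the first module of any flag that failed
    requisite_or_required_present = False
    any_passed = False
    for m in stack:
        if m.passes is None:
            continue                   # assumption: an ignored module is treated as absent
        if m.passes:
            any_passed = True
        elif first_failed_error is None:
            first_failed_error = m.error
        if m.flag == REQUISITE:
            requisite_or_required_present = True
            if not m.passes:           # immediate failure with this module's error value
                return Outcome(False, m.error, m.name)
        elif m.flag == REQUIRED:
            requisite_or_required_present = True
            if not m.passes and first_required_error is None:
                first_required_error = m.error
        elif m.flag == SUFFICIENT:
            if m.passes:               # "sufficient modules have been executed": return now
                if first_required_error is None:
                    return Outcome(True, None, m.name)
                return Outcome(False, first_required_error, m.name)
        elif m.flag != OPTIONAL:       # OPTIONAL never changes the flow
            raise ValueError(f"unknown control flag {m.flag!r} on {m.name}")
    # The last module has been processed.
    if requisite_or_required_present:
        if first_required_error is not None:
            return Outcome(False, first_required_error, None)
        return Outcome(True, None, None)   # SUFFICIENT and OPTIONAL error values are ignored
    if any_passed:                         # only SUFFICIENT/OPTIONAL modules were present
        return Outcome(True, None, None)
    return Outcome(False, first_failed_error, None)


# Constructed sample stack: module names are from this manual, the flags are an illustration only.
SAMPLE_STACK = [
    Module("EvaluateTicketLoginModule", SUFFICIENT, passes=False, error="no logon ticket"),
    Module("CentrifySpnegoLoginModule", REQUISITE, passes=True),
    Module("CreateTicketLoginModule", OPTIONAL, passes=True),
]

if __name__ == "__main__":
    print(evaluate_stack(SAMPLE_STACK))
```

Reordering the sample stack or changing a flag and re-running shows which module's error value reaches the application, which is the check to make when a stack "does not work as intended".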

DirectControl for NetWeaver AS Java 56


Appendix A

Mixed Authentication

DirectControl for NetWeaver supports mixed authentication, in which some users are
authenticated by Active Directory and some by NetWeaver UME. One such scenario is a
phased roll-out of DirectControl for NetWeaver; for example, in the first phase only
engineering would be authenticated by Active Directory while others would still authenticate
using the previous method. In the second phase, engineering and support would be
authenticated by AD while others remain authenticated by the previous method, and in the last
phase everyone would be converted to Active Directory authentication.
This appendix explains how to install the CentrifyRedirectApp.ear application to support
mixed authentication.
Note If mixed authentication is not used, then after the Centrify login module has been added,
users who are not migrated to Active Directory get an “Authentication Failed” error message
when they try to log in to the NetWeaver portal.

How redirection works


When it is deployed, CentrifyRedirectApp.ear enforces the following behavior:
• It authenticates users based on the value for the enableAuthSchemes option (the default is
Kerberos, NTLM or BASIC). (See page 28 for other options.)
• If authentication succeeds and the user is mapped to a user in the UME, the user is
redirected to the NetWeaver portal page set in the redirectUrl option.
• If authentication succeeds but the AD user is not mapped to a user in the UME, the user is
redirected to the NetWeaver portal login page set in the unauthorizedUrl option.
• If authentication still fails, the user is redirected to the page set in the unauthorizedUrl
option.
Note If authentication fails because the Kerberos ticket is invalid or the password is
incorrect, the user can try authentication to Active Directory using her Active Directory
username and password twice more before being redirected to unauthorizedUrl. (You
can change the number of retries using numReprompts.)
• If an internal error occurs, the user is redirected to the page set in the errorUrl option.
The following figure shows the behavior of CentrifyRedirectApp when the options are set.

Set up mixed authentication


You deploy CentrifyRedirectApp.ear after you have installed and deployed DirectControl
for NetWeaver, configured the NetWeaver classloader to load the Centrify login module
library, and added and configured the CentrifySpnegoLoginModule module, as described in
Chapter 2, “Installation and Configuration.”

Load
In the following steps you load CentrifyRedirectApp.ear into the SAP Software
Deployment Manager and configure the module to enforce a systematic authentication
process using Active Directory and/or UME.
Note You use the same procedure to load CentrifyRedirectApp.ear as you did to load
CentrifyLoginModuleLibrary.sda.

1 Log in as sidadm and run the Software Deployment Manager (SDM):


UNIX: /usr/sap/SID/instance/SDM/program/RemoteGui.sh
Windows: C:\usr\sap\SID\instance\SDM\program\RemoteGui.bat

The Software Deployment Manager - GUI window appears.

2 Click SDM Gui > Login. Enter the password for the NetWeaver SDM server.
Note This password might be different from the SAP administrator password.

3 Click the Deployment tab and then the clipboard-plus-sign icon.
4 Navigate to the directory in which you stored CentrifyRedirectApp.ear, select it and
click the Choose button. Wait for the choosing process to complete.
5 Click Next at the bottom to advance to Step 2. Because no changes are required in this
step, click Next again, and then click the Start Deployment button at the bottom of
the window.
The Overall Deployment Progress bar in the lower right of the window shows 100% and a
“Finished successfully” message appears when you can proceed to the next steps. If
deployment does not succeed, refer to the Troubleshooting section (page 52).
Note You can check that deployment was successful by selecting the Undeployment
tab and verifying that CentrifyRedirectApp is in the Vendor/Name list (see the Note
on page 20 for an example).
6 Restart the SAP server so the changes take effect, and wait for all applications to start:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]

Configure login module options


1 Log in as sidadm and run the Visual Administrator:
UNIX: /usr/sap/SID/instance/j2ee/admin/go
Windows: C:\usr\sap\SID\instance\j2ee\admin\go.bat

2 In the tree view on the left, navigate to Server server_name > Services > Security
Provider.
3 Click the Policy Configurations tab and then the Authentication tab.
4 Click the pencil icon (the Switch to Edit Mode button) above the tabs.
Note If the icon above the Runtime tab is a pair of glasses, you are already in edit mode.
5 In the components list on the left, select the ticket template.
6 Select the CentrifySpnegoLoginModule and click the Modify button. The table
Authentication scheme options and behavior describes all of the options. Three options are
associated with the mixed authentication. They specify the redirect URLs for different
conditions:

CentrifySpnegoLoginModule options

Login Module Option   Default Value        Description
errorUrl              [no default value]   Redirects the user to this URL when there is an internal error during authentication. Set to the NetWeaver portal login page URL.
unauthorizedUrl       [no default value]   Redirects the user to this URL if all authentication attempts failed. Set to the NetWeaver portal login page URL.
redirectUrl           [no default value]   Redirects the user to this URL if the user is authenticated by Active Directory but is not mapped to a UME user. Set to the NetWeaver portal page URL.

7 Click the glasses icon above the Runtime tab to switch to read-only mode.
Note If the icon above the Runtime tab is a pencil, you are already in read-only mode.
8 Restart the SAP server so the changes take effect, and wait for all applications to start:
stopsap [Linux: stopsap j2ee]
startsap [Linux: startsap j2ee]
This process may take several minutes. For suggested ways to check for completion, refer to
“Checking that applications have loaded” on page 15.

User procedures
After SAP restarts, the system is set up to accommodate AD users who are already mapped
to UME users, and those who are not mapped:
• Users to be authenticated by UME (not using Active Directory) should use the standard
portal URL to access the NetWeaver portal.
• Users to be authenticated by AD should use the URL of the Centrify redirect application
to access NetWeaver: http://sap_server_system:50000/centrifydc-redirect.
Note External users accessing the portal from Internet Explorer may see an NTLM pop-up if
the URL is not added to Internet Explorer's local intranet security zone, among other reasons.
For details, refer to “Set up Internet Explorer” on page 41.

Appendix B

Clustered Environments

This appendix explains how to install the DirectControl for NetWeaver package in a clustered
environment.
The following topics are covered:
• Centrify software requirements
• Configure a clustered environment with a reverse proxy
• Configure a clustered environment with a load balancer

Centrify software requirements


When you set up NetWeaver servers in a cluster, each server (and, if you are using a reverse
proxy, the reverse proxy computer as well) must have the following Centrify software
installed:
• All UNIX-based systems: The DirectControl agent (adclient) must be installed. Run
adinfo on each server to confirm that the agent is installed. (Windows-based servers do
not require adclient.)
• All UNIX- and Windows-based systems: The DirectControl for NetWeaver software must
be installed.
Note A load balancer is an exception to this rule. If you are using a load balancer, do not install
the DirectControl agent or the DirectControl for NetWeaver software on the load balancer.

In addition, the Kerberos keytabs for each server must be the same. The following
instructions tell you how to copy the keytab across systems.
The next two sections provide sample, step-by-step instructions you can customize for your
environment to set up Active Directory authentication in a clustered environment with a
reverse proxy and then with a load balancer.

Configure a clustered environment with a reverse proxy


This section assumes that you are installing the DirectControl for NetWeaver package in a
cluster that has a reverse proxy with multiple servers on the back end.
In the following example, the reverse proxy is running on a machine named A, internal back-
end NetWeaver servers are running on machines named B and C, and the domain is
domain.com. The figure summarizes the steps and where they are carried out.

Figure: Reverse proxy (A), application servers (B) and (C), a remote (Internet) client, and the domain.com domain controller (Active Directory). Steps (1) confirm Centrify software installation and (2) adleave (if joined) run on A, B and C; steps (3) adjoin with aliases for B and C, (4) adkeytab -a -P http/other_host_name and (5) tar the keytabs into cluster.tgz and scp it to B and C run on A; step (6) untar the keytabs received from A and start adclient with centrifydc start runs on B and C.

1 Confirm that you have the DirectControl agent (adclient) and the DirectControl for
NetWeaver package installed as required.
2 If the servers are joined to the domain controller (run adinfo to find out), run adleave on
each UNIX machine to “unjoin.”
3 On machine A, run the following command to join machine A to the domain with aliases
for B and C:
adjoin -a B -a B.domain.com -a C -a C.domain.com domain.com

Add another -a (--alias) option for each additional application server. (See the Centrify Suite
Administrator’s Guide for the description of the adjoin command.)
4 If A has more than one hostname, use the following command to add hostnames:
adkeytab -a -P http/other_host_name

5 On machine A, run the following commands to replicate the keytabs from machine A onto
machines B and C:
cd /
tar cvfz cluster.tgz /etc/krb5.keytab /var/centrifydc/kset.*
scp cluster.tgz B:/
scp cluster.tgz C:/

If you have additional servers, run scp to copy cluster.tgz to each one.

6 On machines B and C (and each additional server), run the following commands to install
the keytabs from machine A and to start adclient:
cd /
tar xvfz cluster.tgz
/usr/share/centrifydc/bin/centrifydc start

Note If the password for machine A is changed, run Step 5 and Step 6 after every change. This
password is changed transparently in a protocol initiated by Active Directory; that is, Active
Directory prompts the DirectControl agent for a new account password on an interval defined
in the DirectControl adclient.krb5.password.change.interval configuration parameter
(see the Configuration Parameters Reference Guide for the description). The DirectControl agent
then automatically generates a new password for the computer account and issues the new
password to Active Directory. The default interval is 28 days.

Configure a clustered environment with a load balancer


This section describes how to configure a clustered environment with a load balancer. To
provide authentication across all of the servers, you need to create a service account for the
load balancer on the domain controller, create a new keytab based on that account, and then
merge that keytab on each application server.
Note To create new service accounts, you need permission on the container in which you are
creating or deleting the account. See Understanding object permissions for using
adkeytab in the Using adkeytab description in the Centrify Suite Administrator’s Guide for the
description of the permissions required.

In this demonstration:
• the DirectControl agent and DirectControl for NetWeaver software are already installed
on servers B and C (do not install either software package on the load balancer)
• the load balancer hostname is LB
• the servers behind the load balancer are named B and C
• the domain is ace.com.
The following figure summarizes the steps for a two-server configuration. For each additional
machine, perform Step 8 once more on B, and Step 9 through Step 16 on each additional
machine.
This procedure requires users who have the following permissions:
• Create a user account in Active Directory on the domain controller
• Add a new service principal name to the user account on the domain controller
• Change the service account password from the UNIX computer.
1 Confirm that you have the DirectControl agent (adclient) and the DirectControl for
NetWeaver package installed as required. Unless they are already joined to the domain
controller, run adjoin on machines B and C (and all other application servers) to join them
to the domain controller.

Figure: Application servers (B) and (C) behind the load balancer (LB), client machines, and the ace.com domain controller (Active Directory). Step (1) adjoin runs on B and C; step (2) creates the account centrifyprod (UPN centrifyprod@ace.com) with the SPN HTTP/LB.ace.com in Active Directory; steps (3, 4) run the setspn command from Windows Support Tools; steps (5) adkeytab (create the keytab on the new service account), (6) klist -kt (verify that the keytab was created correctly), (7) kinit -kt (verify that the keytab works) and (8) copy the keytab to machine C (and others in the cluster) run on B; steps (9-16) merge the keytabs and check for connected state with adinfo and adclient on both B and C.

2 Create a new Active Directory account called centrifyprod. Verify that the user principal
name (UPN) is centrifyprod@ace.com.
Note To have setspn available to run in Step 3 and Step 4, you need to install Windows
Support Tools.

3 From a Windows system with Windows Support Tools installed, run the setspn command
to add a new service principal name (SPN) to the user account:
setspn -a HTTP/LB.ace.com centrifyprod

4 Confirm that the SPN was created correctly:


setspn -l centrifyprod

You should see the SPN HTTP/LB.ace.com.


Perform Step 5 through Step 8 on machine B only.
5 Use the following adkeytab command with the --adopt option to create the keytab for the
new centrifyprod account and have DirectControl take over the management of the
keytab:
adkeytab --adopt --principal HTTP/LB.ace.com \
--encryption-type arcfour-hmac-md5 \
--encryption-type des-cbc-md5 \
--encryption-type des-cbc-crc \
--keytab /etc/krb5/centrifyprod.keytab centrifyprod

Note To run this adkeytab command the user must have write permission to change the
password for the service account and read/write permission to the userAccountControl
attribute on the Active Directory domain controller. (See Understanding object
permissions for using adkeytab in the Using adkeytab description in the Centrify Suite
Administrator’s Guide for the description of the permissions required.) Often, this is NOT the
case for the UNIX administrator running adkeytab.
Use the following adkeytab option to work around this problem. This does require, however,
that the UNIX admin know the password and then expose it on the command line. (The
alternative would be to give the Active Directory admin root privileges on the UNIX
computer, or the UNIX admin password-reset privileges on the domain controller.)
• The Active Directory administrator creates the new AD account and adds the SPN to the
account as above, but then provides the password to the UNIX admin.
• The UNIX admin uses the following adkeytab command instead of the command in
Step 5. In this example the new user created by the AD admin is again
centrifyprod@ace.com and the password is ABC123xyz:
adkeytab --adopt --user centrifyprod@ace.com \
--local --newpassword ABC123xyz \
--encryption-type arcfour-hmac-md5 \
--encryption-type des-cbc-md5 \
--encryption-type des-cbc-crc \
--keytab /etc/krb5/centrifyprod.keytab centrifyprod@ace.com

The --user option specifies the new account created by the AD admin; --local updates the
keytab file on the computer (in this case, machine B) without changing the password in AD and
--newpassword specifies the new password (required by the --local option). (This example
uses the same sample encryption types as above.) See the adkeytab description in the Centrify
Suite Administrator’s Guide for the full explanation of each option.

6 Verify that the keytab was created correctly:


/usr/share/centrifydc/kerberos/bin/klist \
-kt /etc/krb5/centrifyprod.keytab

You should see the SPN HTTP/LB.ace.com.


7 Verify that the keytab works:
/usr/share/centrifydc/kerberos/bin/kinit \
-kt /etc/krb5/centrifyprod.keytab centrifyprod

You should see no output if everything worked correctly.


8 Copy the keytab /etc/krb5/centrifyprod.keytab to machine C.
Perform Step 9 through Step 16 on both machine B and machine C.
9 Disable DirectControl to prepare for merging keytabs:
svcadm disable centrifydc

10 Back up the existing keytab:


cp /etc/krb5/krb5.keytab \
/etc/krb5/krb5.keytab.todaysdate

11 Merge the keytabs:


/usr/bin/ktutil
rkt /etc/krb5/krb5.keytab
rkt /etc/krb5/centrifyprod.keytab
wkt /etc/krb5/krb5.keytab.new
q

12 Verify that the new keytab was created correctly:


/usr/share/centrifydc/kerberos/bin/klist \
-kt /etc/krb5/krb5.keytab.new

13 Copy the new keytab to the default location with the appropriate name:
cp /etc/krb5/krb5.keytab.new /etc/krb5/krb5.keytab

14 Verify that the new keytab works:


/usr/share/centrifydc/kerberos/bin/kinit -kt /etc/krb5/krb5.keytab centrifyprod

You should see no output if everything worked correctly.


15 Enable DirectControl:
svcadm enable centrifydc

16 Run adinfo and check that adclient goes into a connected state. If adclient reports that
it is disconnected, something has gone wrong in the setup.
Note If the password for the centrifyprod Active Directory account is changed, run Step 5
through Step 16 after every change. This password is changed transparently in a protocol
initiated by Active Directory; that is, Active Directory prompts for a new account password
on an interval defined in the DirectControl adclient.krb5.password.change.interval
configuration parameter (see the Configuration Parameters Reference Guide for the description).
The DirectControl agent then automatically generates a new password for the computer
account and issues the new password to Active Directory. The default interval is 28 days.
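The keytab merge of Step 11 and the checks of Step 6, Step 12 and Step 14 (and the "keytabs must be the same" requirement behind the tar/scp copy in the reverse-proxy procedure) can be reproduced offline with this added Python reader and writer for the MIT keytab file format (version 0x0502). It is example code written for this edit, not part of Centrify's or MIT's tools; the principal names, kvnos and key bytes below are constructed samples, and unlike ktutil the merge keeps one copy of a duplicated entry.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

KEYTAB_VERSION = 0x0502             # MIT keytab file format v2: all integers big-endian
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac-md5"}


@dataclass(frozen=True)
class KeytabEntry:
    principal: str                  # e.g. "HTTP/LB.ace.com@ACE.COM"
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes) -> bytes:   # counted_octet_string: uint16 length, then the bytes
    return struct.pack(">H", len(data)) + data


def _read_counted(rec: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack(">H", rec[off:off + 2])
    return rec[off + 2:off + 2 + n], off + 2 + n


def encode_entry(e: KeytabEntry) -> bytes:
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)   # name_type KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">H", e.enctype) + _counted(e.key)
    body += struct.pack(">I", e.kvno)    # 32-bit kvno, read when >= 4 bytes remain in the entry
    return struct.pack(">i", len(body)) + body


def write_keytab(entries: Iterable[KeytabEntry]) -> bytes:
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(encode_entry(e) for e in entries)


def read_keytab(blob: bytes) -> List[KeytabEntry]:
    if len(blob) < 2 or struct.unpack(">H", blob[:2])[0] != KEYTAB_VERSION:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size < 0:                     # negative size marks a deleted slot (ktutil delent)
            pos -= size
            continue
        rec, pos = blob[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", rec[:2])
        realm, off = _read_counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(rec, off)
            comps.append(c)
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", rec[off:off + 9])
        (enctype,) = struct.unpack(">H", rec[off + 9:off + 11])
        key, off = _read_counted(rec, off + 11)
        kvno = vno8
        if off + 4 <= len(rec):          # 32-bit kvno present; a zero value falls back to vno8
            (vno32,) = struct.unpack(">I", rec[off:off + 4])
            kvno = vno32 or vno8
        principal = b"/".join(comps).decode() + "@" + realm.decode()
        entries.append(KeytabEntry(principal, kvno, enctype, key))
    return entries


def merge_keytabs(*blobs: bytes) -> bytes:
    """Like ktutil 'rkt a', 'rkt b', 'wkt out', but a repeated (principal, kvno, enctype) is kept once."""
    merged = {}
    for blob in blobs:
        for e in read_keytab(blob):
            merged[(e.principal, e.kvno, e.enctype)] = e
    return write_keytab(merged.values())


def list_keytab(blob: bytes) -> List[Tuple[int, str, str]]:
    """Rows in the shape 'klist -kt' prints: kvno, principal, enctype name."""
    return [(e.kvno, e.principal, ENCTYPE_NAMES.get(e.enctype, str(e.enctype))) for e in read_keytab(blob)]


def same_keys(a: bytes, b: bytes) -> bool:
    """True when both keytabs hold the same key material (compare A's krb5.keytab with the copy on B or C)."""
    def material(blob):
        return {(e.principal, e.kvno, e.enctype, e.key) for e in read_keytab(blob)}
    return material(a) == material(b)


# Constructed samples (not real keys): B's host keytab and the centrifyprod keytab from Step 5.
HOST_KEYTAB = write_keytab([KeytabEntry("host/B.ace.com@ACE.COM", 2, 23, bytes(16))])
CENTRIFYPROD_KEYTAB = write_keytab([
    KeytabEntry("HTTP/LB.ace.com@ACE.COM", 1, 23, bytes(range(16))),
    KeytabEntry("HTTP/LB.ace.com@ACE.COM", 1, 3, bytes(8)),
    KeytabEntry("HTTP/LB.ace.com@ACE.COM", 1, 1, bytes(8)),
])
MERGED_KEYTAB = merge_keytabs(HOST_KEYTAB, CENTRIFYPROD_KEYTAB)   # Step 11 equivalent
```

Reading /etc/krb5/krb5.keytab.new with read_keytab and checking that list_keytab shows HTTP/LB.ace.com beside the host entries is the Step 12 check; after a password change raises the kvno, same_keys against the other servers shows which copies are stale.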


