Single Sign-On (SSO) in SAP HANA
2013-04-24 09:17
This blog gives details on setting up single sign-on (SSO) with SAP HANA using Kerberos.
Why do we need SSO?
With SSO enabled, users can log in from BO (or any front-end application) and access the HANA database without providing login credentials again.
Different teams are involved in this setup (this may change based on your organization structure):
1) The System Administrator needs to install the Kerberos client on the HANA server
2) Active Directory and service account setup is done by the Identity Management Administrator
3) The HANA Administrator needs to set up the configuration and create the users
Note: I have greyed out server names & service account names in screenshots for security reasons
Kerberos Client Installation:
Please make sure that the Kerberos client and libraries are installed on the HANA database server.
Creation of service account:
The Identity Management Administrator needs to create a service user and a Service Principal Name (SPN) for each host in the system. For a scale-out box, we need to create one SPN for each host. Please see the screenshot.
The SPN needs to have the following syntax:
hdb/<Domain Name>@<Kerberos realm name>
<Domain Name>: fully qualified domain name of the host
Generating a keytab:
ktpass -princ hdb/<servername.Domain Name>@<REALM> -mapuser <Domain>\<serviceuser> -pass <password> -out <keytabfile>.keytab -ptype <PRINCIPAL> -crypto <CRYPTOGRAPHIC TYPE>
<PRINCIPAL> = KRB5_NT_PRINCIPAL
<CRYPTOGRAPHIC TYPE> = RC4-HMAC-NT
The keytab file is generated using the above syntax.
HANA Admin configuration:
Log in as root and update the krb5.conf file, which is located at /etc/krb5.conf.
Entries in the file:
[libdefaults]
    default_realm = <realm>
[realms]
    <realm> = {
        kdc = <kdc_name>
    }
Where <realm> and <kdc_name> are the names of your Kerberos realm and KDC.
Realm is your domain name in uppercase letters, such as DOMAIN_NAME.
Note: if you do not know the above parameters, such as the realm, KDC name or domain name, please contact your Active Directory administrator.
Import the generated keytab into the HANA box.
Make sure the permissions are changed.
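
The krb5.conf and keytab steps above can be checked before testing a login. The script below is an added example, not part of the original post; the realm EXAMPLE.COM, the KDC name, the file names and the rule that the keytab must grant nothing to group or others are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checks for the krb5.conf and keytab steps. The realm, KDC name
# and file names are constructed placeholders, not values from the post.

# Print default_realm from the [libdefaults] section of a krb5.conf file.
default_realm() {
    awk -F= '/^\[/ { sec = $0 }
        sec == "[libdefaults]" && $1 ~ /^[ \t]*default_realm[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# Succeed only if default_realm is uppercase and [realms] has a kdc for it.
krb5_conf_ok() {
    realm=$(default_realm "$1")
    [ -n "$realm" ] || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] || return 1
    awk -v r="$realm" '/^\[/ { sec = $0; next }
        sec == "[realms]" && /=[ \t]*[{]/ {
            split($0, a, "="); gsub(/[ \t]/, "", a[1]); cur = a[1] }
        sec == "[realms]" && cur == r && /^[ \t]*kdc[ \t]*=/ { found = 1 }
        /[}]/ { cur = "" }
        END { exit (found ? 0 : 1) }' "$1"
}

# Succeed only if the keytab grants nothing to group or others (e.g. mode 600).
keytab_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample files in a temporary directory.
tmp=$(mktemp -d)
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc01.example.com
    }
EOF
: > "$tmp/hdb.keytab"          # empty stand-in for the imported keytab
chmod 644 "$tmp/hdb.keytab"    # a common mode right after copying a file over

krb5_conf_ok "$tmp/krb5.conf" && echo "krb5.conf: realm and kdc present"
keytab_perms_ok "$tmp/hdb.keytab" || echo "keytab: readable by group/others"
chmod 600 "$tmp/hdb.keytab"
keytab_perms_ok "$tmp/hdb.keytab" && echo "keytab: owner-only"
rm -rf "$tmp"
```
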
Creation of user in HANA:
This can be done via the GUI or via SQL syntax:
CREATE USER Kiran IDENTIFIED EXTERNALLY AS 'Kiran@Realm';
Please assign the appropriate role to this user.
While configuring the user in HANA studio, please check the authentication by OS user as shown below