WHITE PAPER

CENTRIFY CORP.

MAY 2008

Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory

The Active Directory-Based Single Sign-On Solution for SAP R/3

ABSTRACT

Many of the largest, most recognizable and successful organizations use SAP R/3. But to the end-users within those organizations who need access to SAP R/3, this means yet another username and password they have to remember and constantly enter and re-enter. To IT managers, SAP R/3 represents yet another authentication and identity store to manage. In addition, given the sensitive nature of the data stored in SAP R/3 systems, there is a compelling need from both a security and compliance perspective to ensure that communication with and access to that sensitive data are handled in a highly secure manner.

In most organizations, Microsoft’s Active Directory is now the de facto standard for providing authentication and identity management for Windows systems and applications. Centrify’s DirectControl extends Active Directory’s reach to UNIX, Linux, Mac, Java/web and database environments. Centrify DirectControl for SAP goes one step further by enabling Active Directory-based single sign-on for SAP R/3. This means Windows users using SAP GUI and non-Windows users using the SAP Java client can enter their Active Directory credentials to access SAP R/3 running on UNIX or Linux without having to remember or re-enter another username and password. And auditors and security professionals can feel safe that access to SAP R/3 is more secure due to DirectControl’s use of Kerberos.

This white paper describes how Centrify DirectControl for SAP delivers single sign-on capabilities for SAP R/3 and how this ability translates into major benefits in the form of increased security, ease of use and enterprise readiness.

WHITE PAPER SINGLE SIGN-ON FOR SAP R3 WITH CENTRIFY DIRECTCONTROL AND MICROSOFT ACTIVE DIRECTORY

© CENTRIFY CORPORATION 2008. ALL RIGHTS RESERVED. PAGE II

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Centrify Corporation. All rights reserved.

Centrify is a registered trademark, and DirectControl and DirectAudit are trademarks of Centrify Corporation. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other names used are trademarks of their respective companies.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

WP017-2008-05-18

Contents

1 Introduction
2 Challenges with SAP Authentication
3 Addressing SAP Authentication Challenges with DirectControl for SAP
3.1 The Centrify DirectControl Solution
3.2 SAP Secure Network Communications (BC-SNC) Overview
3.3 Enterprise Readiness
4 SAP and DirectControl Integration: Step-by-Step
4.1 Join the SAP Server to Active Directory with DirectControl
4.2 Configure Service and Kerberos
4.3 Configure SNC on the SAP Server
4.4 Configure the SAP Client
4.5 Single Sign-On Using SNC, Kerberos and Active Directory
5 Summary
6 How to Contact Centrify

1 Introduction

Centrify DirectControl delivers secure access control and centralized identity management by seamlessly integrating your UNIX, Linux, Mac, web and database platforms with Microsoft Active Directory. DirectControl effectively turns a non-Microsoft system into an Active Directory client, enabling you to secure that system using the same authentication, authorization and Group Policy services currently deployed for your Windows systems. With its patent-pending Zone technology, Centrify delivers the only solution that does not require intrusive reconfiguration of existing systems and provides the granular administrative control needed to securely manage a diverse set of systems and applications. With DirectControl, you can fully leverage your investment in Active Directory to address regulatory compliance, strengthen security, and enhance IT and end-user efficiency and productivity.

Centrify DirectControl for SAP enables Active Directory-based single sign-on to SAP R/3 servers running on a UNIX or Linux system. This means users who access SAP R/3 via the SAP GUI client application on Windows workstations and/or via the SAP Java client on non-Windows workstations can access the desired SAP business application using their Active Directory user credentials. DirectControl enables this capability via integration with SAP’s Secure Network Communication (SNC) interface.

Key benefits of Centrify DirectControl for SAP include the ability to:

- Increase user satisfaction and reduce user/password-related support calls by providing users with single sign-on (SSO) access to SAP R/3 through their Active Directory credentials.
- Increase security by allowing IT administrators to disable access not only to Windows but also to DirectControl-managed systems and applications such as SAP via a single management tool — Microsoft Active Directory.
- Enforce consistent password and other security policies using familiar Active Directory tools.
- Implement encrypted communication between the SAP client and the SAP R/3 server via DirectControl’s use of Kerberos.
- Deploy without intrusive changes to Active Directory.
- Simplify compliance with regulatory requirements.
- Maximize your existing investment in Active Directory.

Before discussing the details of the DirectControl for SAP solution, let’s first discuss some of the challenges of SAP authentication.

2 Challenges with SAP Authentication

SAP R/3 is a mature technology that has been widely used in many organizations for many years. However, SAP provides many approaches to securing communication and authenticating end-users to SAP R/3. Understanding and choosing the right approach can be a confusing and difficult process, often requiring external consulting time and rationalization with existing security policies and architecture. With the standard SAP-defined username and password approach to authentication (which is the default deployment option with SAP R/3), SAP administrators may find that this approach has some shortcomings when compared to more secure approaches provided by commercial security software:

- Additional usernames and passwords have to be defined and managed in SAP. This creates a hassle both for end-users, who need to remember another username and password, and for IT and SAP administrators, who need to deal with password resets and user account lockouts.
- Additional usernames and passwords also create a security vulnerability, as end-users often write down their username and password in order to remember them.
- Another security concern arises when end-users leave an organization. Their user account in SAP (and in Active Directory, and in every system and application they are provisioned into) needs to be at least deactivated if not completely deprovisioned. Administrators would prefer to make deprovisioning a periodic task and not a security issue requiring expensive and complex software and processes that exist just to manage identities throughout their lifecycle.

Microsoft provides basic information on how to integrate SAP with Active Directory if the R/3 server is installed on Windows Server. This is of little help to the majority of SAP R/3 customers who have deployed on AIX, HP-UX, Solaris or a flavor of Linux. Alternatives to using basic username and password authentication for SAP servers installed on UNIX or Linux include:

- Complex and expensive public key infrastructure (PKI) providing access via SSL and X.509 client certificates.
- Pluggable Authentication Modules (“PAM”) to leverage the UNIX operating system credentials. While the PAM approach can be integrated with Active Directory using DirectControl for Systems, this is less than an ideal solution because it challenges end-users to re-enter their Active Directory username and password, depriving them of the SSO login experience.

Other challenges arise when organizations need enterprise-quality end-to-end support. For example, Microsoft will support the Windows client side for SSO and authentication, but does not provide support services for UNIX.

Other higher-end enterprise features such as cross-domain authentication, failover support for NTLM, domain controller failover support, large group-based access control, and access rights reporting are simply not supported with most other approaches.

Based on feedback from SAP R/3 users who needed true enterprise-level SSO capabilities for working with Active Directory, Centrify has built a dedicated solution that extends DirectControl to SAP R/3.

3 Addressing SAP Authentication Challenges with DirectControl for SAP

In order to address the challenge of providing a more secure, Active Directory-centric SSO solution for SAP, Centrify provides a solution that consists of the following components:

- DirectControl for Systems. Centrify DirectControl delivers secure access control and centralized identity management by seamlessly integrating your UNIX, Linux, Mac, Java/web and database platforms with Microsoft Active Directory. The DirectControl Agent effectively turns a non-Microsoft system into an Active Directory client, enabling you to secure that system using the same operating system-level authentication, authorization and Group Policy services currently deployed for your Windows systems. DirectControl is non-intrusive, easy to deploy and manage, and is the only solution that enables fine-grained operating system access control through its unique Zone technology.
- SAP Secure Network Communication. SAP provides a standard layer, called SNC (Secure Network Communication), for SAP R/3 to integrate and interface with third-party security software. SNC enables a secure connection between SAP clients, servers and services. This layer is designed to allow third-party security software providers to cleanly and comprehensively integrate with SAP R/3 to provide security services such as SSO authentication. In fact, SNC is being developed in the Internet Engineering Task Force (IETF), an international standards body.
- DirectControl for SAP. The DirectControl for SAP module is an extension of SNC providing single sign-on for an SAP client based on the exchange of Kerberos tickets. By implementing the Generic Security Services API (GSS-API), DirectControl for SAP provides the necessary SNC extensions to enable Kerberos ticket exchange from the SAP client to the SAP server. Additional security, including signing and encrypting of data that is communicated between the SAP client and server, is provided by leveraging these Kerberos tickets.
- Solution Documentation. DirectControl for SAP includes an installation and deployment guide. There is also guidance related to configuring your SAP R/3 server, SNC environment and SAP clients (SAPgui and SAPjava).

- Solution Support. Licensed Centrify customers who have maintenance contracts and are running Centrify DirectControl for SAP R/3 can get support for the integration of DirectControl with SAP R/3.

By packaging the DirectControl Agent for the operating system and SAP SNC, along with installation and configuration documentation of the DirectControl and SAP products into a single comprehensive solution, Centrify delivers a true SAP R/3 single sign-on solution and better interoperability with your enterprise. Not only do you get a finished product that works — you know who to contact if you encounter problems.

In addition, Centrify addresses a number of issues related to central user attribute storage, enterprise functionality and complete integration with Active Directory, as mentioned earlier in this paper.

Let’s take a look at these components in more detail.

3.1 The Centrify DirectControl Solution

Centrify DirectControl delivers secure access control and centralized identity management by seamlessly integrating your UNIX, Linux, Mac and web platforms with Microsoft Active Directory. DirectControl effectively turns a non-Microsoft system into an Active Directory client, enabling you to secure that system using the same authentication, authorization and Group Policy services currently deployed for your Windows systems. DirectControl is non-intrusive, easy to deploy and manage, and is the only solution that enables fine-grained access control through its unique Zone technology.

DirectControl also supports strong Kerberos-based Active Directory authentication for databases such as IBM’s DB2 and Informix, and for enterprise applications such as SAP. While many of these platforms offer some type of Kerberos support, setting up and administering the Kerberos service to talk with Active Directory securely and reliably can be a complex task on non-Microsoft platforms. With the DirectControl Agent installed, the host platform becomes Active Directory-aware and can take advantage of Active Directory services — such as automatic updates of Keytab files and Keytab versioning, automatic time synchronization with Active Directory, local caching for disconnected mode, and dynamic DNS support — that greatly simplify initial configuration and provide a much higher degree of maintainability and reliability. The end result is cross-platform and cross-application single sign-on as shown by Figure 1.

Figure 1. Centrify eliminates the need for multiple Access Control, Identity and Policy Management solutions in the distributed environment by consolidating management in Microsoft Active Directory: one user, one account, one directory, one policy mechanism.

The DirectControl suite is comprised of two main architectural components that seamlessly integrate with your Active Directory infrastructure:

- On UNIX, Linux and Mac systems, a DirectControl Agent is installed on each server or workstation. The DirectControl Agent, which is natively compiled for each platform, effectively turns the host system into an Active Directory client, enabling you to secure that system using the same authentication, access control and Group Policy services currently deployed for your Windows systems. The agent is not a single piece of code; rather, it is a central service that interacts with a set of seamlessly integrated modules that provide services such as web and database single sign-on and Samba integration. UNIX administrators have a comprehensive command-line interface for real-time or scripted interaction with Active Directory-held data.
- The DirectControl Management Tools enable both Windows and UNIX administrators to manage UNIX-specific data stored in Active Directory. The Windows tools consist of a Microsoft Management Console (MMC) application for all administrative tasks and centralized reporting and license management. Property extensions to the Active Directory Users and Computers MMC are also provided, and DirectControl’s UNIX/Linux/Mac policies are fully integrated into the standard Group Policy Editor. A browser-based management console also provides cross-platform access to essential administrative tasks.

3.2 SAP Secure Network Communications (BC-SNC) Overview

SAP provides a standard layer, called SNC (Secure Network Communication), for SAP R/3 and ERP to integrate and interface with third-party security software. SNC protects the communication between SAP components (client, router, application server, etc.). By leveraging SNC you can extend the basic user and password authentication used by SAP to include the protection and benefits of Centrify DirectControl and Active Directory. SNC is also being developed in the Internet Engineering Task Force (IETF), an international standards body.

The primary integration point with SNC is via the GSSAPI v2 (Generic Security Services Application Programming Interface version 2). Centrify DirectControl provides support for integration via Kerberos and the GSSAPI as depicted below:

Figure 2. Centrify DirectControl integration with SAP.

In addition to providing an interface to authenticate users via DirectControl, SNC also allows higher levels of security through the configuration of communication integrity (ensuring that communication has not been tampered with or altered) as well as communication encryption (ensuring that communication is secure in transit).

3.3 Enterprise Readiness

In addition, DirectControl for SAP supports a number of enterprise features that are not found in other similar solutions.

- Full Support for Active Directory Policies. DirectControl for SAP talks directly to Active Directory; therefore, all native Active Directory features are supported. This includes support for a centrally managed password policy and flexible user-naming conventions of Active Directory.
- Cross-Domain Authentication. Users who are authenticated members of a remote domain can access an SAP server joined to another domain if the appropriate cross-domain trust relationship has been established. This occurs without the user being prompted for credentials. This is the same behavior that users would expect in an all-Windows environment.

- Gold Standard Kerberos. Leveraging the MIT reference implementation of Kerberos, DirectControl delivers the most compatible and mature approach to Kerberos-based Active Directory authentication for enterprise applications such as SAP. While many platforms offer some type of Kerberos support, setting up and administering the Kerberos service to talk with Active Directory securely and reliably can be a complex task on non-Microsoft platforms. With the DirectControl agent installed, the host platform becomes Active Directory-aware and can take advantage of DirectControl services – such as automatic updates of Keytab files and Keytab versioning, automatic time synchronization with Active Directory, local caching for disconnected mode, and dynamic DNS support – that greatly simplify initial configuration and provide a much higher degree of maintainability and reliability.

4 SAP and DirectControl Integration: Step-by-Step

Once the DirectControl for SAP solution is deployed, the basic authentication steps are as follows:

1. When a user first signs on to a Windows XP workstation, a Kerberos ticket-granting ticket (TGT) is obtained from Active Directory.
2. When the user then opens SAPgui, XP requests, via SNC, an SAP service ticket from the SAP Server/Router using the previously obtained TGT. SNC passes the service request to the DirectControl Agent.
3. The DirectControl Agent validates the ticket with Active Directory.
4. The user is granted access and a secure user session is provided back to the client.

Figure 3: Single Sign-On Flow for SAP R/3 using Active Directory

The simple steps to set up the various components of this solution are as follows:

1. Join the SAP server to Active Directory with DirectControl.

2. Configure Kerberos and the SAP service.

3. Configure SNC on the SAP server.

4. Configure SNC on the SAPgui.

4.1 Join the SAP Server to Active Directory with DirectControl

The automation scripts included with DirectControl for Systems simplify the installation and configuration of DirectControl and Active Directory. The installation script will do the following automatically for you:

- You will be prompted for the domain, Zone, and the Active Directory username and password to be used for joining to Active Directory. The script will offer defaults based on your current configuration.
- Checks are made to ensure that DNS is set up correctly on your system.
- PAM and NSS modules are configured correctly.
- The machine is joined to the Active Directory domain, and is added to the DirectControl Zone.
- The DirectControl adclient service is started.
- Scripts are created to automatically start the correct DirectControl services each time the system boots.
- The configuration information for DirectControl is output to the screen.

4.2 Configure Service and Kerberos

Another utility, adkeytab, is provided with DirectControl to simplify the creation of an SAP service in Active Directory and to configure the Kerberos stack. This utility will do the following automatically for you:

- Create a new service account in Active Directory for SAP in the currently joined domain.
- Configure the encryption type.
- Configure the Keytab file in the Kerberos stack to work correctly based on this new service account.

4.3 Configure SNC on the SAP Server

SNC must be enabled and properly configured on each of the SAP servers. The DirectControl for SAP solution provides instructions that augment the SAP SNC documentation and OSS notes to accomplish the following:

- Install the DirectControl for SAP package into the DirectControl for Systems Agent.
- Modify the default and instance profiles to enable and configure SNC.
- Modify the SAP server UNIX environment to see the DirectControl libraries and to renew Kerberos tickets periodically.
- Modify the user profiles that are used to leverage SNC and map them to their Active Directory User Principal Name (UPN).

Figure 4. Mapping of the Active Directory user to the SAP account. Once SAP is configured to use SNC, it is very straightforward to map an Active Directory user to an SAP user.
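
The profile changes listed in section 4.3, together with the integrity and encryption levels described in section 3.2, can be checked mechanically. The following audit script is an added example, not part of the white paper or of Centrify's or SAP's tooling; the snc/* names are standard SAP profile parameters, while the sample profiles, the library path and the SNC name are constructed placeholders.

```python
"""Audit the SNC parameters of an SAP instance profile (added example)."""
import re

# Protection levels accepted by snc/data_protection/min and .../max.
QOP = {"1": "authentication only",
       "2": "integrity protection",
       "3": "privacy protection (encryption)"}

ASSIGNMENT = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")

# Constructed sample profiles. The library path and SNC name are placeholders.
WEAK_PROFILE = """\
# constructed example: SNC on, but unprotected traffic still accepted
snc/enable = 1
snc/gssapi_lib = /path/to/vendor/gssapi-library
snc/identity/as = p:SAP/sapservice@EXAMPLE.COM
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
"""

HARDENED_PROFILE = """\
# constructed example: encryption required, no unprotected logons
snc/enable = 1
snc/gssapi_lib = /path/to/vendor/gssapi-library
snc/identity/as = p:SAP/sapservice@EXAMPLE.COM
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
"""


def parse_profile(text):
    """Return {parameter: value}. '#' lines are comments; the last definition wins."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = ASSIGNMENT.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def audit_profile(text):
    """Return a list of (severity, parameter, message) findings."""
    p = parse_profile(text)
    findings = []

    if p.get("snc/enable") != "1":
        findings.append(("HIGH", "snc/enable", "SNC is not enabled"))
    for name in ("snc/gssapi_lib", "snc/identity/as"):
        if not p.get(name):
            findings.append(("HIGH", name, "required for SNC but not set"))

    lo = p.get("snc/data_protection/min")
    hi = p.get("snc/data_protection/max")
    for name, value, verb in (("snc/data_protection/min", lo, "accepts"),
                              ("snc/data_protection/max", hi, "caps protection at")):
        if value is None:
            findings.append(("LOW", name, "not set explicitly; the release default applies"))
        elif value not in QOP:
            findings.append(("HIGH", name, f"unknown level {value!r}"))
        elif value != "3":
            findings.append(("MEDIUM", name, f"{verb} {QOP[value]}"))
    if lo in QOP and hi in QOP and int(lo) > int(hi):
        findings.append(("HIGH", "snc/data_protection/min", "min is above max"))

    for name in ("snc/accept_insecure_gui", "snc/accept_insecure_rfc",
                 "snc/accept_insecure_cpic"):
        value = p.get(name)
        if value is None:
            findings.append(("LOW", name, "not set explicitly; the release default applies"))
        elif value == "U":
            findings.append(("LOW", name, "unprotected logon allowed per user; review the exceptions"))
        elif value != "0":
            findings.append(("MEDIUM", name, "logons without SNC protection are accepted"))
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label)
        for finding in audit_profile(profile):
            print("  %-6s %-28s %s" % finding)
```

A minimum level of 1 means a session is authenticated by Kerberos but its traffic is neither integrity-protected nor encrypted, which is the gap between "SSO works" and the encrypted communication the paper lists as a benefit.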

4.4 Configure the SAP Client

The SAPgui Client must also be configured to use SNC for SSO to SAP R/3. The DirectControl for SAP solution provides instructions that augment the SAP SNC documentation and OSS notes to accomplish the following:

- Install the SNC SSO patch for SAPgui.

- Enable Secure Networking Communications and provide the SNC name for the SAP service.

Similar steps are documented for configuring the SAP Java client as well.

4.5 Single Sign-On Using SNC, Kerberos and Active Directory

Once the SAP server has been joined into Active Directory and the SAP server and clients have been configured properly, the SAP server can be configured to use the Centrify DirectControl GSSAPI library to support the authentication to Active Directory.

Figure 5. Single sign-on for SAPgui using Active Directory and Secure Network Communication.

In production the Centrify DirectControl for SAP solution has four primary steps:

1. The SAP client requests a service ticket using the built-in Kerberos SSP (Security Service Provider) from the Active Directory KDC (or local cache). This is accomplished via the cgsskrb5.dll library that translates standard GSS calls to SSP calls on the client.
2. The SAP client then connects with the SAP server and presents the service ticket received from step 1.
3. The SAP server consumes the request and validates it via the GSS libraries and Centrify’s DirectControl Agent. Once the request is successfully authenticated with Active Directory, a User Principal Name (UPN) is provided to the SAP server. This UPN is mapped to an SAP user in the SNC tab of the user profile.
4. Finally, when the user is logged on using his Active Directory identity, he is mapped to the correct SAP user without having to physically provide a username or password.
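
Because step 3 maps the authenticated UPN to an SAP user, the mapping table is worth reconciling against Active Directory when accounts are disabled or removed. The following reconciliation is an added example, not part of the white paper or the product; the CSV exports and their column names are hypothetical, and it assumes SNC names of the form p:user@REALM.

```python
"""Reconcile SAP SNC-name mappings against Active Directory accounts (added example)."""
import csv
import io
from collections import defaultdict

# Constructed export of SAP users and their SNC names (hypothetical columns).
SAP_SNC_EXPORT = """\
sap_user,snc_name
JSMITH,p:jsmith@EXAMPLE.COM
MBROWN,p:mbrown@EXAMPLE.COM
BATCH01,
OLDUSER,p:olduser@EXAMPLE.COM
TEMP01,p:jsmith@EXAMPLE.COM
KLEE,klee@example.com
"""

# Constructed export of AD accounts: UPN and whether the account is enabled.
AD_EXPORT = """\
upn,enabled
jsmith@EXAMPLE.COM,true
mbrown@EXAMPLE.COM,false
klee@EXAMPLE.COM,true
"""


def load(text):
    """Parse CSV text with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(sap_csv, ad_csv):
    """Return {sap_user: [issue, ...]} for every mapping that needs review."""
    ad = {row["upn"].lower(): row["enabled"].strip().lower() == "true"
          for row in load(ad_csv)}
    users_by_name = defaultdict(list)
    issues = defaultdict(list)

    for row in load(sap_csv):
        user = row["sap_user"]
        name = (row["snc_name"] or "").strip()
        if not name:
            # No SNC name: this SAP user is outside AD-based sign-on entirely.
            issues[user].append("no_snc_name")
            continue
        if not name.startswith("p:") or name.count("@") != 1:
            issues[user].append("malformed_snc_name")
            continue
        users_by_name[name].append(user)
        upn = name[2:].lower()  # AD lookup is done case-insensitively here
        if upn not in ad:
            issues[user].append("no_ad_account")
        elif not ad[upn]:
            issues[user].append("ad_account_disabled")

    # One AD identity mapped to several SAP users deserves a second look.
    for users in users_by_name.values():
        if len(users) > 1:
            for user in users:
                issues[user].append("snc_name_shared")
    return dict(issues)


if __name__ == "__main__":
    for user, found in sorted(reconcile(SAP_SNC_EXPORT, AD_EXPORT).items()):
        print(user, ", ".join(found))
```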

5 Summary

In summary, Centrify DirectControl for SAP provides a number of unique features that enable organizations to leverage Kerberos and Microsoft Active Directory to provide single sign-on for their SAP users:

- SAP users can now use their Active Directory username and password to log in to their Windows workstation once and then gain SSO into SAP R/3 on UNIX.
- SAP authentication is managed securely, using SNC and the Kerberos technology that is part of DirectControl and Active Directory.
- The SAP UNIX systems are securely joined to the Active Directory domain and a DirectControl Zone and can be controlled and managed centrally through Active Directory.
- Advanced enterprise features such as full support for Active Directory policies, multi-domain trusted authentication and NTLM support are provided by the DirectControl software.
- The complex and often underestimated tasks of administering a Kerberos service and managing keytab and configuration files are scripted and automated.
- Central password policy is applied to SAP through the Kerberos services.
- Keeping DNS, KDC and other Active Directory-relevant information up to date in a distributed enterprise environment is required to achieve minimum downtime and maximum security. DirectControl updates this information automatically.
- SAP integration is much easier because of Centrify’s SNC module and the professional support to provide a single point of contact for your problems.
- In general, DirectControl is less complex and time-consuming to maintain in comparison to open source integration solutions, delivering organizations a payback of the product investment.
- Centrify’s professional services and support help to guarantee organizations a faster resolution in case of technical problems.

The resulting benefits for customers include:

- More Secure. SAP is now tightly coupled with Active Directory authentication. In addition, DirectControl Zone technology gives users the ability to create secure Zones to help with enforcement of role-based access control to the SAP servers by the ABAP administrators. DirectControl reports also allow administrators and auditors to instantly see who has access to corporate resources.

- More Manageable. The resulting solution is easier to configure and maintain. Administrators have full centralized control over user and group access rights with the DirectControl Administrator’s Console. Management costs can be reduced because less time is required to maintain SAP.
- Enterprise Ready. By providing pre-packaged, tested SAP binaries and enterprise-class support, Centrify turns SAP SSO into a solution that any organization can feel comfortable deploying.

6 How to Contact Centrify

For the latest product information on DirectControl, check out our web site:

http://www.centrify.com/products

See the DirectControl for SAP portal for the latest information on using this solution:

http://www.centrify.com/sap

North America (And All Locations Outside EMEA)
Centrify Corporation
444 Castro St., Suite 1100
Mountain View, CA 94041
United States
Sales: +1 (650) 961-1100

Europe, Middle East, Africa (EMEA)
Centrify EMEA
Asmec Centre
Merlin House
Brunel Road
Theale, Berkshire, RG7 4AB
United Kingdom
Sales: +44 1189 026580

Enquiries: [email protected]
Web site: www.centrify.com