SPNego for multi-forest using IBM JDK

Hi All,
I need to set up SPNego authentication for EP7 and IBM JDK for a multi-forest landscape (2 Active Directory domains). There's a guide about how to do this for Sun JDK: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/c771c3d3-0c01-0010-b5b6-86755a2cf778 but I need one for IBM JDK as the login stack modules are different.
Can anyone supply me with a guide or any helpful information regarding this? Do you know if it works? I've currently got SPNego working for a single domain.
Thanks in Advance,
Anthony

Jan,
ok, thanks. I will now explain how I think we can help.
Firstly, to be sure you understand: I represent a SAP partner company known as CyberSafe, and we have a product which uses SPNEGO for Kerberos authentication in a browser environment, so my answer relates mainly to our product functionality, and not to the SAP login module, which has less functionality.
I must also apologise in case anybody reading this thread has an issue with me discussing non-SAP software. My view is that the most important thing on this forum is to help you (the SAP customer) get a solution that meets your needs, and if this involves SAP Partner products as well as SAP products, then that is acceptable.
Firstly, our product does not use the Java implementation of Kerberos. Instead, we use a JNI (Java Native Interface) so that our host-based Kerberos library can be used to implement the protocol. This means that any differences between IBM, Sun or any other vendor JDK version related to Kerberos functionality, multi-domain support etc. are not relevant to our product. We support many things in our product which are not supported in Java implementations of Kerberos, so you don't need to wait for new versions of the JDK to take advantage.
Secondly, and perhaps more relevant to this discussion, is that our login module authenticates the user by decrypting the service ticket received using the key in the key table file on the host, and then we map this principal name onto a SAP user id. We then (via the login module stack) cause the SAP system to issue an SSO2 logon ticket for this user id. The secret is the way we perform the mapping: we are not dependent on UME datasources for this, and I will describe below how we achieve mapping by using an example:
Let's suppose a user is authenticated as user.name@DOMAIN1, and the SAP system login module has been set up using domain 2 (Realm = DOMAIN2) and trusted via a key in a key table file, with principal name HTTP/hostname@DOMAIN2. Then, using normal Kerberos cross-realm trust and cross-realm TGTs, the browser requests a ticket from AD for HTTP/hostname@DOMAIN2, and this is issued by AD in domain 2 using the cross-realm TGT, but the principal name of the authenticated user inside this service ticket is user.name@DOMAIN1. The login module on the SAP server can decrypt the ticket it receives to find the user's Kerberos principal name.
So, the login module knows the user is user.name@DOMAIN1; it then has to decide how to determine the SAP user id. Our login module currently supports two different methods of performing this mapping, but we are adding more methods in each release to make the product even more flexible. Currently we support the following methods:
1. Simple mapping - this is where we remove the realm name and convert the principal name to upper case, so in this example user.name@DOMAIN1 would be mapped to a SAP user id of USER.NAME and used to issue an SSO2 ticket. Clearly this is only suitable for single domains, and makes administration very easy - many of our customers use this method, but you would need a different mapping method due to your multiple domains.
2. USRACL mapping - Since we also sell an SNC product for SAP GUI SSO, our customers already maintain a mapping of Kerberos principal name to SAP user id using a table in the ABAP engine called USRACL. This table is maintained using the SU01 transaction. We now have support in our login module to read the USRACL table using the authenticated Kerberos principal name of the user (e.g. user.name@DOMAIN1) and find the required SAP user id, so that an SSO2 logon ticket can be issued.
I hope this helps you understand. If you are interested in more detail about our product, and how we might be able to help you, please feel free to contact me offline instead of via this forum.
Thanks,
Tim
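The two mapping methods Tim describes, written out as an added example (this is not CyberSafe's or SAP's code). It shows what a login module does with the principal name it recovers from the decrypted service ticket: "simple" mapping (strip the realm, upper-case) and a USRACL-style table lookup. It also shows the reason simple mapping is only safe for a single domain: once the realm is discarded, user.name@DOMAIN1 and user.name@DOMAIN2 collapse to the same SAP user, so a user in one forest could log in as the other forest's account. The realm names, user names, the table contents and the "p:" key layout of the stand-in USRACL table are all assumptions made for the example.

```python
"""Kerberos principal -> SAP user id mapping (added example, not CyberSafe's
or SAP's code). Realms, users and the USRACL stand-in are constructed."""
import re

# primary[/instance]@REALM. The realm is part of the identity; it must not
# be dropped before deciding who the user is.
_PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^@/]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[^@]+)$")


def parse_principal(principal):
    """Return (primary, realm) or raise ValueError on malformed input."""
    m = _PRINCIPAL_RE.match(principal)
    if m is None:
        raise ValueError("malformed Kerberos principal: %r" % (principal,))
    return m.group("primary"), m.group("realm")


def simple_mapping(principal, own_realm):
    """Method 1 from the post: strip the realm and upper-case the name.

    Without the realm check, user.name@DOMAIN1 and user.name@DOMAIN2 both
    become USER.NAME. Refusing any realm other than the service's own is
    what keeps this method usable when a trust brings in other realms.
    """
    primary, realm = parse_principal(principal)
    if realm != own_realm:
        raise PermissionError(
            "principal from realm %s refused by simple mapping" % realm)
    return primary.upper()


# Constructed stand-in for the ABAP table USRACL (maintained via SU01).
# The "p:" + full-principal key layout is an assumption for this example;
# the point is that the realm stays part of the lookup key.
USRACL = {
    "p:user.name@DOMAIN1": "USR1",
    "p:user.name@DOMAIN2": "USR2",
    "p:jane.doe@DOMAIN2": "JDOE",
}


def usracl_mapping(principal, table=USRACL):
    """Method 2 from the post: look the full principal up in the table."""
    parse_principal(principal)  # reject junk before it reaches the table
    user_id = table.get("p:" + principal)
    if user_id is None:
        raise PermissionError("no SAP user mapped for %s" % principal)
    return user_id


def map_principal(principal, method, own_realm="DOMAIN2"):
    """Dispatch as a login module would after decrypting the service ticket.

    The principal is whatever the ticket carried, which includes a foreign
    realm when the ticket was issued across a cross-realm trust.
    """
    if method == "simple":
        return simple_mapping(principal, own_realm)
    if method == "usracl":
        return usracl_mapping(principal)
    raise ValueError("unknown mapping method %r" % (method,))


if __name__ == "__main__":
    # Service keytab principal is HTTP/hostname@DOMAIN2; tickets may name
    # users from DOMAIN1 via the cross-realm trust.
    for p in ("jane.doe@DOMAIN2", "user.name@DOMAIN1", "user.name@DOMAIN2"):
        for method in ("simple", "usracl"):
            try:
                print("%-22s %-7s -> %s" % (p, method, map_principal(p, method)))
            except PermissionError as exc:
                print("%-22s %-7s -> refused: %s" % (p, method, exc))
```

Run stand-alone, the simple method accepts only the DOMAIN2 user and refuses user.name@DOMAIN1, while the table method returns a distinct SAP user for each realm; that distinction is the whole reason a multi-forest landscape needs a realm-qualified mapping.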

Similar Messages

  • Issues in TIME OUT for Dynamic Queues using IBM MQ Client

    Hi
    I have an issue with Dynamic queues. I am using IBM WebSphere as my messaging server and IBM MQ client. I need to send a request to a static queue and then wait for a response for a specified duration (in my case it is 100 millisecs) in the corresponding dynamic queue. But what I found out is that in some cases, I got a response even after 100 ms!!!! Here's my code. Is there anything wrong going on somewhere???
    // Temporary (dynamic) reply queue, tagged so the response is a JMS-compliant message.
    com.ibm.mq.jms.MQTemporaryQueue replyToQueue = (com.ibm.mq.jms.MQTemporaryQueue) queueSession.createTemporaryQueue();
    replyToQueue.setTargetClient(JMSC.MQJMS_CLIENT_JMS_COMPLIANT);
    requestMsg.setJMSReplyTo(replyToQueue);
    // t1 is taken before the send, the receiver creation and the connection start,
    // so the printed time covers all of those, not only the 100 ms receive() wait.
    long t1 = System.currentTimeMillis();
    queueSender.send(requestMsg);
    queueReceiver = queueSession.createReceiver(replyToQueue);
    queueConnection.start();
    m = queueReceiver.receive(100);   // blocks for at most 100 ms, returns null on timeout
    long t2 = System.currentTimeMillis();
    if (m != null) {
        System.out.println("Response Time: " + (t2 - t1) + " ms");
    }
    I have left out the queueSession and queueSender piece of code here.
    Anyway, I found 1 response in 122 ms and another in 128 ms. Can anyone throw some light as to why and how this is happening?

    Don't run from the client ... run from the server
    or
    if running from a client use the built-in DBMS_DATAPUMP package's API.
    http://www.morganslibrary.org/reference/pkgs/dbms_datapump.html

  • Custom code for Multi-org - Use x_all tables or views with set_client_info?

    Trying to determine what is normal for custom SQL and PL/SQL within 11i. I am trying to find out what other 11i installations are using in regards to custom code. Are you using the _all tables or using the views utilizing set_client_info? Any feedback would be appreciated.
    Note: We have converted to multi-org and are setup as a single organization.
    Thanks, Ira

    Hi,
    Using views or tables depends upon the requirements of the clients and the implementation.
    If one needs to access multiple tables, it's always good to have a view and access that... else it's the same to access a view or a table...
    Thanks
    Yogi

  • Partitioning a WD passport for multi-purpose use

    Hello there,
    I recently bought a WD My Passport Ultra with 2 TB of storage. It is formatted in NTFS. I have a macbook pro 15' early 2011 with bootcamp running windows 7 ultimate. My goal is to use the drive for time machine AND for it to be like a carrying bag of data for me wherever I go, meaning that everywhere I plug my drive, I wanna be able to add files or take files from it and for it to be used for time machine on my mavericks partition of the mac. I have heard that there is a way I could partition the drive. one partition with HFS+, the other with ExFat. I've opened Disk Utility, went to partition, and prepared a 2 partition format with 600 gigs for HFS+ and the rest with ExFat.
    My question is, what is the most reliable partition table I could use (GUID, Apple or Master Boot Record) ? I think you can tell from the naivety of my question that I am not entirely familiar with partition tables or whatever they are supposed to be or mean.

    Welcome to Apple Support Communities
    Open a Finder window, and your external drive should show up in the sidebar, under "Devices".
    A different way is to go to Finder menu (in the menu bar) > Preferences > General, and tick "External disks". If your external drive is detected by OS X, it will show up at the top right corner of Desktop, so double-click it to access to the content.

  • Multi-Forest LDAP Authentication

    Hi Guys
    We are trying to implement authentication and import across multiple domains.
    We originally tried to build our own custom code but this has failed due to some unforeseen errors.
    I have reverted back to the inbuilt CIAC option for import person and EUA.
    The import for one domain is working; however, I wish to use multiple forests and to add a unique identifier to the login name to avoid login name clashes,
    for example
    ASE\#sAMAccountName#
    or
    #userPrincipalName#
    When I try to add this I receive the error that no person was found in the result of the LDAP getperson search.
    I have tried the format for EUA as
    uid=#LoginId#,dc=ase,dc=internal
    DomainName\#LoginId#
    #LoginId#
    Any help will be greatly appreciated.
    Regards,
    Matt

    If you are logging into Java (i.e. tomcat55) and have set up a krb5.ini, all users that are not in the default domain need to log on with username@FQDN.COM, where FQDN.COM is their fully qualified domain name in all caps. That FQDN.COM should be entered in the krb5.ini (in all caps) with at least 1 KDC defined.
    Do a search on SMP (look at the forum sticky for the link) for rules for krb5.ini; I have a more in-depth explanation for multi-forest and multi-domain as it pertains to the krb5.ini.
    To verify AD connectivity is OK, use a client tool like Deski/Designer/Business Views. Since these tools don't use Java you can log on with domain\user (no case sensitivity).
    Also to note: urgent issues should open cases with support; the forums are not the place and it is against the rules of engagement (also in the sticky post).
    Regards,
    Tim

  • Multi Forest AD Authentication

    Hi ,
    I think I messed up somewhere in the web.xml. The problem is like this:
    1. I have users across geographies.
    2. In AD they are in different domains, for example: Europe, Asia, NA etc.
    3. Logon the general way is
    <Domain>\ <Username>
    But when I am supplying the domain name it's throwing an error. But when I log in with just the username it logs in fine. But that is only for one domain. The users of other domains are not able to log in.
    So please advise where to change in the XML so that they can supply the domain name.
    Regards
    Sid
    Urgently required, so please, a quick response will be very helpful.

    If you are logging into Java (i.e. tomcat55) and have set up a krb5.ini, all users that are not in the default domain need to log on with username@FQDN.COM, where FQDN.COM is their fully qualified domain name in all caps. That FQDN.COM should be entered in the krb5.ini (in all caps) with at least 1 KDC defined.
    Do a search on SMP (look at the forum sticky for the link) for rules for krb5.ini; I have a more in-depth explanation for multi-forest and multi-domain as it pertains to the krb5.ini.
    To verify AD connectivity is OK, use a client tool like Deski/Designer/Business Views. Since these tools don't use Java you can log on with domain\user (no case sensitivity).
    Also to note: urgent issues should open cases with support; the forums are not the place and it is against the rules of engagement (also in the sticky post).
    Regards,
    Tim
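    The krb5.ini layout that Tim's replies in the two threads above (Multi-Forest LDAP Authentication and Multi Forest AD Authentication) describe, as an added example that is not part of either post: one default realm, every other realm spelled in upper case with at least one KDC, and a [domain_realm] section so that host names resolve to the right realm. The realm names and KDC host names are constructed for the example; replace them with your own.

```ini
; Added example krb5.ini for a multi-forest logon (constructed names).
; Realm names are case-sensitive and must be upper case, as in the replies.
[libdefaults]
    default_realm = CORP.EXAMPLE.COM

[realms]
    ; users here log on as plain "username"
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
        kdc = dc2.corp.example.com
    }
    ; users here log on as "username@EMEA.EXAMPLE.COM"
    EMEA.EXAMPLE.COM = {
        kdc = dc1.emea.example.com
    }
    ; second forest: users log on as "username@ASIA.EXAMPLE.NET"
    ASIA.EXAMPLE.NET = {
        kdc = dc1.asia.example.net
    }

[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
    corp.example.com  = CORP.EXAMPLE.COM
    .emea.example.com = EMEA.EXAMPLE.COM
    .asia.example.net = ASIA.EXAMPLE.NET
```

    A user in EMEA.EXAMPLE.COM who types only "username" is looked up in the default realm and fails, which is the symptom in both threads; a realm that is missing from [realms] or spelled in lower case fails the same way.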

  • Bug in WebLogic 8.1 SP4 for IBM JDK 1.4.2?

    Hello,
    In a previous thread I posted (http://forums.bea.com/bea/thread.jspa?threadID=600006934&tstart=0), I reported that we had problems in trying to use JAAS in connecting Acegi with WebLogic 8.1 SP4 on IBM JDK 1.4.2.
    We did some more research and found the following:
    WebLogic uses the class weblogic.security.service.ServerConfiguration for reading the JAAS config file. This class extends the default javax.security.auth.login.Configuration class. To see what's going on we decompiled the class and it looks like this:
    try {
         // code omitted.
    } catch (Exception exception) {
         String s1 = System.getProperty("login.configuration.provider");
         if (s1 == null)
             s1 = "com.sun.security.auth.login.ConfigFile";   // Sun-only class, not present in the IBM JDK
         if (!s1.equals("weblogic.security.service.ServerConfiguration")) {
             try {
                 Configuration configuration = (Configuration) Class.forName(s1).newInstance();
                 configuration.refresh();
                 aappconfigurationentry = configuration.getAppConfigurationEntry(s);
             } catch (Exception exception1) { }   // ClassNotFoundException is swallowed here
         }
    }
    The following happens when trying to authenticate through JAAS:
    - The "omitted code" throws the Exception weblogic.security.service.InvalidParameterException: [Security:090396]Security Realm sample does not exist.
    Why is this Exception thrown? Why does the name of my JAAS configuration in the JAAS config file need to be the same as a Security Realm? Or is this try-catch block used as some kind of control flow and is this exception expected?
    - Then in the catch block the System property login.configuration.provider is retrieved. However the JDK Specification of the class javax.security.auth.login.Configuration (see the javadoc) states that:
    "The default Configuration implementation can be changed by setting the value of the "login.configuration.provider" security property (in the Java security properties file) to the fully qualified name of the desired Configuration implementation class"
    So because the System property is read instead of the Security property (which contains the correct IBM class), null is returned. Is this a bug?
    - Because the System property is null the code then tries to load the class com.sun.security.auth.login.ConfigFile, which of course is not present in the IBM JDK, and a ClassNotFoundException is thrown. Since the Exception is swallowed by the nested catch block we will not see this exception, and null is returned, which eventually leads to the "No LoginModule found..." exception.
    So to summarize, my questions are these:
    - Does the name of the JAAS configuration in the JAAS config file need to be the same as the name of the Realm? And if so, why?
    - Is it a bug that instead of reading the Security property this code is reading the System property?
    Regards,
    Lars Vonk
    PS
    As a workaround we set the System property login.configuration.provider to the correct value com.ibm.security.auth.login.ConfigFile and then it works.
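    The lookup order the javadoc quoted above prescribes, written out as an added example (this is not WebLogic's, BEA's or IBM's code, and it is not the decompiled class). It resolves the provider name from the security property first, falls back to the system property (the workaround Lars used), and only then to the Sun class name; it also surfaces the ClassNotFoundException instead of swallowing it, so a wrong provider on an IBM JDK is visible rather than turning into a later "No LoginModule found" error. It assumes Java 7 or later (multi-catch, ReflectiveOperationException); the JAAS application name "Sample" is a placeholder.

```java
import java.security.Security;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

// Added example, not WebLogic/BEA/IBM code. Resolves the JAAS Configuration
// provider in the order the javax.security.auth.login.Configuration javadoc
// specifies: security property, then system property, then the Sun default.
public class LoginConfigProviderCheck {

    static final String PROP = "login.configuration.provider";
    static final String SUN_DEFAULT = "com.sun.security.auth.login.ConfigFile";

    /** Provider class name in the documented order of precedence. */
    static String resolveProviderClassName() {
        String name = Security.getProperty(PROP);       // java.security file / Security.setProperty
        if (name == null || name.trim().isEmpty()) {
            name = System.getProperty(PROP);            // -Dlogin.configuration.provider=... override
        }
        if (name == null || name.trim().isEmpty()) {
            name = SUN_DEFAULT;                         // exists on Sun/Oracle JDKs only
        }
        return name.trim();
    }

    /** Instantiate the provider; a missing or wrong class is reported, not swallowed. */
    static Configuration loadProvider(String className) throws ReflectiveOperationException {
        Object provider = Class.forName(className).getDeclaredConstructor().newInstance();
        if (!(provider instanceof Configuration)) {
            throw new ClassCastException(className + " is not a javax.security.auth.login.Configuration");
        }
        return (Configuration) provider;
    }

    public static void main(String[] args) {
        String appName = args.length > 0 ? args[0] : "Sample";   // placeholder JAAS application name
        System.out.println("Security property " + PROP + " = " + Security.getProperty(PROP));
        System.out.println("System   property " + PROP + " = " + System.getProperty(PROP));
        String className = resolveProviderClassName();
        System.out.println("Resolved provider : " + className);
        try {
            Configuration cfg = loadProvider(className);
            cfg.refresh();
            AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(appName);
            System.out.println("LoginModule entries for '" + appName + "': "
                    + (entries == null ? "none" : String.valueOf(entries.length)));
        } catch (ReflectiveOperationException | ClassCastException e) {
            // On an IBM JDK with neither property set, this is where the Sun default fails.
            System.out.println("Provider " + className + " could not be loaded: " + e);
        }
    }
}
```

    Run it with -Djava.security.auth.login.config pointing at the JAAS file and no other flags, and the output tells you which of the three sources supplied the provider and whether that class actually exists on the JDK in use.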

    Sorry, I saw the forum about your problem in BEA 8.1 SP6 about a
    weblogic.security.SSL.SSLCertificate.verify(SSLCertificate.java:235)
    error and you said that BEA sent a patch named CR295205_810sp6.jar.
    I have the same problem.
    Do you have this patch?
    Could you send it to me?
    My email address is
    [email protected]

  • New IBM JDK 1.4.2 for SAP NetWeaver 2004 and 2004s

    In May 2006 IBM System p brand and SAP announced the direction to enhance the IBM AIX 5L JDK 1.4.2 for SAP NetWeaver 2004 and SAP NetWeaver 2004s based applications. The new IBM JDK 1.4.2 for SAP NetWeaver applications on AIX 5L is 100% upward compatible for all SAP business applications and, compared to the classical AIX JDK, provides a more consistent runtime behavior, enhances memory management, and improves debugging capabilities.
    <b>General Availability (GA) of the new IBM JDK 1.4.2 for SAP NetWeaver 2004 and 2004s on AIX 5L</b>
    As part of a staged release process aligned between IBM and SAP, a customer pilot program was started in August 2006 followed by a Controlled Availability (CA) program. Based on positive customer feedback resulting from real production usage and the very encouraging internal test results, the new IBM JDK on AIX 5L is/will be generally available
    • for SAP NetWeaver 2004 SP14 and above starting 5 February 2007, and
    • for SAP NetWeaver 2004s SP06 and above starting 30 March 2007.
    This means systems running above SAP NetWeaver releases in an AIX 5L environment are allowed to use the new IBM JDK without restrictions.
    This announcement does not affect the use and support of the classical AIX JDK outside SAP environments.
    <b>Transition Plan to the new IBM JDK 1.4.2 on AIX 5L</b>
    SAP will support the classical and the new JDK in parallel for a limited number of NetWeaver support packages. Afterwards only the new IBM JDK will be supported:
    • for SAP NetWeaver 2004 the first support package only supporting the new JDK will be SP21 (planned date for SP21 see http://service.sap.com/~sapidb/011000358700001130682005E),
    • for SAP NetWeaver 2004s it will be SP14 (planned date for SP14 see http://service.sap.com/~sapidb/011000358700004584092005E).
    So please plan a transition to the new JDK prior to the upgrade to these support packages.
    SAP and IBM strongly believe that the switch to the new JDK will improve your experience with JAVA based SAP applications on AIX 5L. Both companies recommend upgrading to the new IBM JDK 1.4.2 for SAP applications running on AIX 5L as soon as it matches your company’s maintenance plans.

    You can download the JDK directly from the sun java website...
    http://java.sun.com/products/archive/j2se/1.4.2_12/index.html
    I don't think Ubuntu is supported...
    Regards
    Juan

  • Error: 1:n multi-mapping using BPM for file to file scenario

    Hi. I'm trying to do 1:n multi-mapping using a BPM scenario. I use file to file. The input file consists of many records and then I want the many records to be transformed into many files at the target system. I followed the steps in http://www.riyaz.net/blog/xipi-1n-multi-mapping-using-bpm/. However, I have a problem when the file is retrieved into XI. It doesn't create any output file.
    When I look at SXMB_MONI, it shows "No object type found for the message. Check that the corresponding process is activated." Besides, it shows the error message "Unable to perform action for selected message" when I click on PE in SXMB_MONI.
    I have checked many previous posts with the same error message but still couldn't solve it. I already activated my BPM and checked that the status in SXI_CACHE = 0. There is nothing left in the change list of my IR and ID.
    Here is my design and configuration.
    IR
    Data Type: DT_file_split -> for both input and output file
    Message Type: MT_file_split_sender, MT_file_split_receiver
    Message Interface: SI_file_split_in, SI_file_split_out, SI_file_abs_source, SI_file_abs_target
    Message mapping: MM_file_split for mapping MT_file_split_sender with MT_file_split_receiver
    Interface mapping: OM_file_split
    • Source = SI_file_split_out
    • Target = SI_file_split_in
    • Mapping Program = MM_file_split
    BPM following this link http://www.riyaz.net/blog/xipi-1n-multi-mapping-using-bpm/.
    ID
    Import my Integration process
    2 Communication Channels for getting the input file (CC_File_split_sender) and creating the output file (CC_File_split)
    2 Receiver determinations:
    • Source system to BPM using interface SI_File_Abs_source
    • BPM to target system using interface SI_File_Abs_target
    1 Interface determination:
    • from source system to BPM
    • Sender interface: SI_File_Split_Out
    • Receiver interface: SI_file_abs_source
    1 Sender Agreement
    • Commu. Component: Source System
    • Using interface: SI_File_Abs_source
    • Sender Communication Channel: CC_File_Split_Sender
    1 Receiver Agreement
    • Sender Communication Component: BPM
    • Receiver Communication Component: Target System
    • Receiver Interface: SI_File_Split_In
    • Receiver Communication Channel: CC_File_Split
    Anyone know how to fix this?
    Thanks,
    Pavin

    Hi,
    Yes, that's the problem.
    You are creating the file from the test tab of the 1..N mapping.
    In the case of a 1..N mapping, extra message tags are added to the data, as shown here:
    Messages
          Message1
               MessageType
    When you use this mapping to generate the XML message it will add the additional tags <Messages> and <Message1>, which is not correct. It should only have the structure of your MT.
    So remove the start and end tags of <Messages> and <Message1> from your data file (the outer two levels below):
    <xml......>
    <Messages>
    <Message1>
    <MT_...>
    </MT_...>
    </Message1>
    </Messages>
    This should solve your problem.
    Regards,
    Sami.
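    The unwrapping Sami describes, as an added example that is not part of the thread or of SAP's tooling: it takes the multi-mapping test output, drops the <Messages>/<MessageN> envelope and returns each MT document on its own, so the file channel receives only the message-type structure. The envelope namespace http://sap.com/xi/XI/SplitAndMerge is the one PI uses for that wrapper; the MT_file_split_receiver payload, its namespace and the records inside it are constructed for the example.

```python
"""Strip the 1..N multi-mapping envelope from a generated test payload
(added example, not from the thread or from SAP; sample data constructed)."""
import xml.etree.ElementTree as ET

SPLIT_NS = "http://sap.com/xi/XI/SplitAndMerge"
MESSAGES_TAG = "{%s}Messages" % SPLIT_NS
MESSAGE_PREFIX = "{%s}Message" % SPLIT_NS  # Message1, Message2, ... one slot per target type

# Constructed: what the mapping test tab produces for a 1..2 split.
WRAPPED = """<?xml version="1.0" encoding="UTF-8"?>
<ns0:Messages xmlns:ns0="http://sap.com/xi/XI/SplitAndMerge">
  <ns0:Message1>
    <ns1:MT_file_split_receiver xmlns:ns1="urn:example:filesplit">
      <record><id>1</id><name>alpha</name></record>
    </ns1:MT_file_split_receiver>
    <ns1:MT_file_split_receiver xmlns:ns1="urn:example:filesplit">
      <record><id>2</id><name>beta</name></record>
    </ns1:MT_file_split_receiver>
  </ns0:Message1>
</ns0:Messages>
"""


def unwrap_multi_mapping(xml_text):
    """Return the payload documents found under <Messages>/<MessageN>.

    A document that is not wrapped comes back unchanged in a one-element
    list, so the function is safe to run on an already clean file. Anything
    under <Messages> that is not a <MessageN> slot raises instead of being
    silently dropped.
    """
    root = ET.fromstring(xml_text)
    if root.tag != MESSAGES_TAG:
        return [xml_text]
    payloads = []
    for slot in root:
        if not slot.tag.startswith(MESSAGE_PREFIX):
            raise ValueError("unexpected element %s inside Messages" % slot.tag)
        for payload in slot:
            payloads.append(ET.tostring(payload, encoding="unicode"))
    return payloads


def payload_root_names(xml_text):
    """Local names of the root elements after unwrapping (quick sanity check)."""
    return [ET.fromstring(doc).tag.split("}")[-1]
            for doc in unwrap_multi_mapping(xml_text)]


if __name__ == "__main__":
    for i, doc in enumerate(unwrap_multi_mapping(WRAPPED), 1):
        print("--- payload %d ---" % i)
        print(doc)
```

    Each returned string is one MT_... document, which is the shape the sender channel expects when you test the scenario end to end rather than from the mapping test tab.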

  • The software I use to play video calls for multi display, in which my MacBook Pro has only a single display. Is there a way to get a multi display added to my computer?

    The software I use to play DJ music videos calls for multi display, in which my MacBook Pro has a single display function. Is there any way to get multi-monitor display added to my computer?

    If the monitor can be detected your Displays preferences should show it in its Arrangement panel.  You may have to play around with your Display panel to get the desired resolution.  And also may have to click detect displays and gather windows to see both sets of preferences on your main screen.

  • How to use a dictionary for multi languages when displaying mess

    how to use a dictionary for multi languages when displaying messages??

    1st, you have to define new messages in the dictionary:
    1. We have to open the application.
    2. Functional Administrator responsibility.
    3. Core Services.
    4. Messages.
    • Create Message button.
    • Now fill in the name of the message that we want to call from our code in the Code field.
    • Fill in the application name with the short name of the application.
    • Choose the language.
    • Set the text you want to be displayed.
    2nd, now in the CO, in processFormRequest, you will code: throw new OAException("application short name", "Code").
    Now run and see the result.
    3rd, if we want to use Arabic messages, use the same one you have created for saving as an example, but choose Duplicate and set the language to Arabic.
    • Run the page.
    • Choose Preferences.
    • Current Session Language = Arabic.
    Now you can see the result.

  • securityagent name when using IBM TAM for SSO with Hyperion

    Hi,
    What should we declare in the css_config.xml file for the <securityagent>, when using IBM TAM for SSO with Hyperion.
    The admin guide only mentions Netegrity, but that would be the case when we use Siteminder for SSO.
    Any lights??
    Thanks,
    Sasi

    While, seems one way is to use stream to bypass login.

  • For Multi Selection of Where-used list

    Dear Friends,
    I have used T-code CS15 for the where-used list of a material. Is there any other T-code for multi selection of materials for the where-used list?
    Please write.
    Thanks & Regards
    Ajit Sharma

    Hi Ajit,
    As mentioned in the previous posts, it is not advised to have a multiple-selection where-used, as the runtime is very long for this report.
    But if there is a specific need, you can build a Z report by using the FM -> CS_WHERE_USED_MAT
    But do ensure that your ABAPer puts in some restriction criteria. In the Z report which I had done in one of the projects, I had put a restriction of 10 materials as the runtime was long.
    If helpful award points
    Regards,
    Vivek

  • Looking for setting for multi color circle effect, that i have used with photoshop 11

    Looking for the setting for the multi-color circle effect for Photoshop 11. I have used it before, but can't find it again. I was able to change the size of the circle, and only had to pick one color; it did the multi-color by itself.

    Do you mean photoshop elements 11 or photoshop cs4 (photoshop 11)?
    Anyway since you posted about photoshop elements 11 before.
    Select the Expert Mode
    Select the Brush Tool
    In the Tool Options under Brush Settings use the Hue Jitter
    (select different foreground and background colors at the bottom tool box)

  • HT1816 How do I turn auto-renew off for my multi-pass using my iphone

    How do I turn auto-renew off for my multi-pass using my iphone

    Answered in your other post on this topic...
    https://discussions.apple.com/message/22415340#22415340
    See the first Link I posted...
    iTunes Store: Purchasing and managing auto-renewing subscriptions
