Configuring SPNego with ABAP datasource

After writing three blogs about configuring and troubleshooting SPNego (Part 1, Part 2 and Part 3) I got several questions about what steps are necessary to use SPNego if your J2EE Engine is connected to an ABAP backend.
In this blog I will try to explain just that.

In general the setup is similar to the one mentioned in the video for dataSourceConfiguration_DB attached to the SPNego Wizard.

As in "Configuring and troubleshooting SPNego -- Part 1" the first thing to do is to create a service user in the ADS (even if you are using the ABAP System as the userstore for the J2EE Engine, the ADS still plays an important part).


Create a user like j2ee-SID in the ADS and make sure that the following settings are set:
* Password never expires and
* Use DES encryption types for this account
(In the following screenshots I will use j2ee-hbr as the service user.)

Then run the setspn command to assign the ServicePrincipalName to the user. (this was the URL that you use to access the J2EE Engine -- all these steps are explained in detail in the first blog).


A short ldifde reveals some important parameters that we are going to use later:
sAMAccountName: j2ee-hbr
userPrincipalName: j2ee-hbr@dev16
servicePrincipalName: HTTP/vmw2153

Now, if not already done, connect the J2EE Engine to the ABAP system:

image


In the next screen I also used the user j2ee-hbr to connect the J2EE Engine to the ABAP system (for this I had to create this user in the ABAP system as well). You could also use a service user as described in the documentation (Requirements for the System User for UME-ABAP Communication and Configuring the UME to Use an AS ABAP as Data Source).

image

Now start the Config Tool and add krb5principalname as an additional UME attribute:

image


After a restart this property will be available on all user objects in the UME. Search for your service user (j2ee-hbr, which will now be found in the ABAP system) and set krb5principalname to the same value as the userPrincipalName of the ADS user (see above). This can be a little confusing: you now have two users named j2ee-hbr, one in the ADS and one in the ABAP system.

image

Now we can start the SPNego Wizard:

image

Make sure that krb5principalname is used for Mapping Attribute and continue:

image

In the next screen make sure that the KPN Prefix is set to uniquename (which is defined in the ABAP dataSourceConfiguration file).

image
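The two pieces of the wizard configuration above (krb5principalname as the Mapping Attribute, uniquename as the KPN Prefix) decide how the Kerberos Principal Name from the browser's ticket is turned into a UME user. The following Python sketch is an added illustration, not SAP's code: it models both resolution modes and checks that the service user's krb5principalname in the UME equals the userPrincipalName the ldifde output showed in the ADS. The user records and the realm DEV16 are constructed sample data; the realm comparison in prefix mode is my own addition, included to show why the prefix on its own is not enough to identify a user.

```python
"""Kerberos principal resolution for SPNego against a UME user store.

Added illustration, not SAP code. Models the two ways the SPNego wizard
resolves the Kerberos Principal Name (KPN) from the browser's ticket to
a UME user, and checks that the service user's krb5principalname matches
the userPrincipalName recorded in the ADS. All records are constructed.
"""
from typing import Optional

# --- constructed sample data -------------------------------------------
# Attributes as ldifde prints them for the ADS service user (values from
# the blog's example; dev16 is the sample realm).
ADS_LDIF = """\
sAMAccountName: j2ee-hbr
userPrincipalName: j2ee-hbr@dev16
servicePrincipalName: HTTP/vmw2153
"""

# UME users as seen by the J2EE Engine with the ABAP system as data
# source. 'uniquename' is the ABAP user id; krb5principalname is the
# additional UME attribute added in the Config Tool.
UME_USERS = [
    {"uniquename": "j2ee-hbr", "krb5principalname": "j2ee-hbr@dev16"},
    {"uniquename": "alice", "krb5principalname": "alice@dev16"},
    {"uniquename": "bob", "krb5principalname": ""},  # attribute not maintained
]


def parse_ldif(text: str) -> dict:
    """Parse 'attribute: value' lines (the single-valued subset of LDIF)."""
    attrs = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs[key.strip()] = value.strip()
    return attrs


def split_kpn(kpn: str):
    """Split 'user@REALM' into (prefix, realm); realm is None when absent."""
    prefix, sep, realm = kpn.partition("@")
    return prefix, (realm if sep else None)


def resolve_by_kpn(kpn: str, users) -> Optional[str]:
    """KPN-based resolution: the whole KPN is matched against krb5principalname.
    Realm names are compared case-insensitively, as Kerberos realms usually are."""
    for u in users:
        attr = u["krb5principalname"]
        if attr and attr.casefold() == kpn.casefold():
            return u["uniquename"]
    return None


def resolve_by_prefix(kpn: str, users, expected_realm: str) -> Optional[str]:
    """Prefix-based resolution: the KPN prefix is matched against uniquename.
    Only tickets from the configured realm are accepted, so that a principal
    'alice@OTHER' is not mapped onto the local user 'alice'."""
    prefix, realm = split_kpn(kpn)
    if realm is None or realm.casefold() != expected_realm.casefold():
        return None
    for u in users:
        if u["uniquename"] == prefix:
            return u["uniquename"]
    return None


def check_service_user(ldif_text: str, users) -> list:
    """Return a list of misconfiguration findings (empty list = consistent)."""
    findings = []
    ads = parse_ldif(ldif_text)
    upn = ads.get("userPrincipalName", "")
    ume = next((u for u in users if u["uniquename"] == ads.get("sAMAccountName")), None)
    if ume is None:
        findings.append("service user not found in UME / ABAP system")
    elif ume["krb5principalname"].casefold() != upn.casefold():
        findings.append("krb5principalname does not equal ADS userPrincipalName")
    if not ads.get("servicePrincipalName", "").startswith("HTTP/"):
        findings.append("servicePrincipalName is not an HTTP/<host> SPN")
    return findings


if __name__ == "__main__":
    print(check_service_user(ADS_LDIF, UME_USERS))             # []
    print(resolve_by_kpn("alice@dev16", UME_USERS))            # alice
    print(resolve_by_prefix("bob@dev16", UME_USERS, "dev16"))  # bob
    print(resolve_by_prefix("bob@other", UME_USERS, "dev16"))  # None
```

The user bob shows the practical difference between the modes: without a maintained krb5principalname he can only be found through the prefix mapping, which is why the KPN Prefix setting matters when the ABAP users do not carry the Kerberos attribute.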

After testing the resolution mode, continue with the next step. I always prefer to create a new template and assign this template later on to my ticket component:

image

That's it.

image

Restart the J2EE Engine and you should be done with the wizard.

image

Now the final step left is to assign the SPNego template we created to the ticket component via the Visual Administrator:

image

That should be it!

Now you should be able to access the portal via SPNego. If it is not working, please have a look at the previous blogs mentioned above.
