Security Guide: SAP Workforce Performance Builder 9.2 Manager

Document Version: 1.0, 2013-10-11

CUSTOMER

Posted on 16-Oct-2015



    © 2013 SAP AG. All rights reserved.

    Typographic Conventions

    Type style and description:

    Example: Words or characters quoted from the screen. These include field names, screen titles,
    pushbutton labels, menu names, menu paths, and menu options.

    Textual cross-references to other documents.

    Example: Emphasized words or expressions.

    EXAMPLE: Technical names of system objects. These include report names, program names,
    transaction codes, table names, and key concepts of a programming language when they are
    surrounded by body text, for example, SELECT and INCLUDE.

    Example: Output on the screen. This includes file and directory names and their paths, messages,
    names of variables and parameters, source text, and names of installation, upgrade and
    database tools.

    Example: Exact user entry. These are words or characters that you enter in the system exactly as
    they appear in the documentation.

    Variable user entry. Angle brackets indicate that you replace these words and characters with
    appropriate entries to make entries in the system.

    EXAMPLE: Keys on the keyboard, for example, F2 or ENTER.

    Table of Contents

    1 Security settings (page 4)
      1.1 Individualising the initial login (page 5)
      1.2 Origin restrictions for administrative roles (page 6)
      1.3 Separating content and administrative tasks (page 7)
      1.4 Password restrictions (page 7)
        1.4.1 Applying restrictions to Excel import (page 8)
      1.5 Communication encryption via SSL certificate (page 8)
        1.5.1 Creating a Tomcat keystore (page 9)
        1.5.2 Creating an internal certificate (page 10)
        1.5.3 Installing an external certificate (page 11)
        1.5.4 Adjusting the configuration file (page 12)
        1.5.5 Displaying certificates (page 15)
      1.6 SSL secured LDAP connection (page 16)
      1.7 Single sign-on using Kerberos (page 17)
        1.7.1 Configuration (page 17)
        1.7.2 Settings for Mozilla Firefox (page 20)
        1.7.3 Settings for Internet Explorer (page 20)
        1.7.4 Adjusting the HTTP header size (page 20)
        1.7.5 Troubleshooting (page 21)


    1 Security settings

    The Manager gives you various options for tailoring work with the web application and communication between

    the client and server to your individual security requirements.

    There are also already security functions implemented by default that prevent unauthorized access or

    manipulation of your content. These include, for example, a function that detects malicious code implemented in

    content as well as a function that grants workarea-specific read and write access.

    The following sub-chapters describe various options that you can use individually or in combination to achieve the

    best possible data security to meet your needs.


    1.1 Individualising the initial login

    The Manager ships with separate credentials for the installation assistant and the server import.
    These credentials can be changed freely after installation.

    Note

    To change these credentials you need access to the respective webapps folder on your Tomcat server,
    and either local administrator privileges on the server machine or at least specifically granted
    privileges that permit you to modify files in the access-protected storage of the web application.

    To adjust the initial credentials please follow these steps:

    1. Go to the webapps folder of your Manager.

    2. Go to folder WEB-INF -> classes and open file config.properties with the text editor of your choice.

    3. Search for the following entries and adjust them as you prefer:

       init.adminPassword=xxx

       init.adminUser=admin

    4. Save and close the file.

    5. Open the Tomcat Manager in your browser (/manager) and reload the respective Manager web
    application, or restart the Tomcat server itself.

    You can now use your adjusted initial credentials to gain access to the specially protected areas of
    the Manager.


    1.2 Origin restrictions for administrative roles

    The Administrator IP Ranges server setting lets you restrict access for roles with admin permissions
    to specific network addresses or address ranges. This allows you, for example, to permit access for
    these types of roles only from within the internal company network.

    Enter the IP addresses as described below.

    As a list of IP addresses

    Enter individual IP addresses separated by a comma, e.g.

    Syntax

    192.168.1.1, 192.168.1.2, 192.168.1.3

    The following additional options are also available when entering IP origin ranges.

    Entry of sub-networks

    You can specify sub-networks by entering the length notation, e.g.

    Syntax

    192.168.1.10/24

    Using wildcards

    You can structure IP addresses dynamically using the wildcard character, e.g.

    Syntax

    192.168.1.10*

    Note

    Please keep in mind that if this function is activated, users can only access the server from specified

    origin IP addresses once they have been assigned admin permissions.
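To show how a setting in the three notations above is evaluated, and how the note's rule (only accounts holding admin permissions are restricted) fits in, here is an added Python model. It is example code written for this edit, not the Manager's own implementation; the exact matching semantics (single address, CIDR network, textual prefix wildcard), the setting value and the client addresses are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample value for the "Administrator IP Ranges" server setting,
# combining the three notations the guide describes (not taken from any real
# installation).
ADMIN_IP_RANGES = "192.168.1.1, 192.168.1.2, 10.0.0.0/8, 172.16.5.1*"


def parse_ranges(setting):
    """Turn the comma-separated setting into a list of (kind, value) matchers.

    Assumed semantics for this illustration: a plain entry matches one address,
    an entry containing '/' is a network in CIDR length notation, and a trailing
    '*' is a textual prefix wildcard.
    """
    matchers = []
    for raw in setting.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if entry.endswith("*"):
            matchers.append(("wildcard", entry[:-1]))
        elif "/" in entry:
            # strict=False accepts host bits being set, as in 192.168.1.10/24,
            # and normalises the entry to the network 192.168.1.0/24.
            matchers.append(("network", ipaddress.ip_network(entry, strict=False)))
        else:
            matchers.append(("address", ipaddress.ip_address(entry)))
    return matchers


def admin_origin_allowed(client_ip, setting):
    """True if client_ip is covered by at least one entry of the setting."""
    ip = ipaddress.ip_address(client_ip)
    canonical = str(ip)  # compare the normalised text, never the raw input
    for kind, value in parse_ranges(setting):
        if kind == "address" and ip == value:
            return True
        if kind == "network" and ip in value:
            return True
        if kind == "wildcard" and canonical.startswith(value):
            return True
    return False


def login_permitted(client_ip, has_admin_permissions, setting):
    """Apply the rule from the guide's note: the restriction only bites for
    accounts that hold admin permissions; other users are unaffected."""
    if not has_admin_permissions or not setting.strip():
        return True
    return admin_origin_allowed(client_ip, setting)


if __name__ == "__main__":
    for ip, admin in [("192.168.1.1", True), ("203.0.113.7", True), ("203.0.113.7", False)]:
        print(ip, "admin" if admin else "user", login_permitted(ip, admin, ADMIN_IP_RANGES))
```

One point worth checking in your own configuration: a textual wildcard is coarser than a netmask. Under the prefix semantics modelled here, `192.168.1.10*` covers not only 192.168.1.10 but also 192.168.1.100 through 192.168.1.109, and `192.168.1.1*` covers every address from 192.168.1.10 to 192.168.1.199. Where the boundary matters, the length notation expresses the intended range unambiguously.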


    1.3 Separating content and administrative tasks

    The server-side detection and removal of malicious code embedded in content can also be supported
    by separating content and administrative tasks.

    Once the Filter content permissions if user has admin permissions function has been activated, the
    workarea view is no longer displayed for users with admin permissions (e.g. administration of server
    settings and meta information such as status, milestones, etc.). If such a user still needs access to
    content, a second user account without admin permissions must be created for this user. The user then
    logs in separately with that profile to view or edit content.

    Note

    If a user account is granted admin permissions while content separation is activated, the Producer
    can no longer connect with the login data of this user account. If you activate this function at a
    later time, therefore, make sure you inform users with admin permissions that they must first return
    their write permissions; otherwise write permissions kept in local workarea copies cause data
    inconsistencies, because they can then no longer be returned and are lost when the user logs in with
    another user account.

    1.4 Password restrictions

    User login information is harder for attackers to guess when passwords are longer and drawn from
    several different character sets. Password restrictions require users to comply with predefined
    security criteria when entering a password and prevent the use of passwords that are easy to remember
    but also easy to crack.

    The following restrictions are available to you in the server settings:

    o Minimum password length:

    Indicates the minimum character length of the password. If you enter 0, user accounts may be created

    without passwords.

    o Password must contain number:

    Indicates that the password to be entered must contain at least one numeric character (0-9).

    o Password must contain special character:

    Indicates that the password to be entered must contain at least one special character (&,$,...).

    o Password must contain lower and upper case letters:

    Indicates that the password to be entered must contain at least one upper and one lower case letter.

    Note

    o The password restrictions do not apply for passwords from LDAP-supported user profiles because, in

    this case, the Active Directory server administrates the user profiles and their security criteria.

    o The password restrictions do not affect passwords in user profiles that have already been created.

    The restrictions only apply to these profiles when the user changes the password.


    1.4.1 Applying restrictions to Excel import

    Password restrictions can also be applied when importing user data from an Excel file. To do this,
    activate the use password policy option above the path entered for the Excel file.

    As a result, all users in the Excel file whose passwords violate the restrictions are imported as
    inactive users. They must be activated manually and issued a new password.
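The four restrictions of section 1.4 and the import rule of section 1.4.1 can be expressed as a small policy check. The following Python is an added example written for this edit, not the Manager's own code; the policy values, the row format standing in for the Excel file and the `ldap_managed` flag (modelling the note that the restrictions do not apply to LDAP-supported profiles) are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """The four server-setting restrictions from the guide (values assumed)."""
    min_length: int = 8            # 0 would allow accounts without a password
    require_digit: bool = True
    require_special: bool = True
    require_mixed_case: bool = True


def password_violations(password, policy):
    """Return the list of restrictions the password violates (empty = compliant)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if policy.require_mixed_case and not (
        re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
    ):
        problems.append("no mix of upper and lower case letters")
    return problems


def import_users(rows, policy, use_password_policy=True):
    """Model the Excel import rule: rows whose password violates the policy are
    imported as inactive users that must be activated manually with a new
    password. Rows flagged ldap_managed are exempt, since the restrictions do
    not apply to LDAP-supported profiles (flag name assumed for this example)."""
    imported = []
    for row in rows:
        if use_password_policy and not row.get("ldap_managed", False):
            violations = password_violations(row["password"], policy)
        else:
            violations = []
        imported.append({"user": row["user"], "active": not violations, "violations": violations})
    return imported


# Constructed sample rows standing in for the Excel file.
SAMPLE_ROWS = [
    {"user": "alice", "password": "Tr0ub4dor&3"},
    {"user": "bob", "password": "summer2013"},
    {"user": "carol", "password": "Short1!"},
]


if __name__ == "__main__":
    for entry in import_users(SAMPLE_ROWS, PasswordPolicy()):
        state = "active" if entry["active"] else "inactive"
        print(f"{entry['user']}: {state} {entry['violations']}")
```

Because the import leaves non-compliant accounts inactive rather than rejecting the file, the list of violations per row is what an administrator needs afterwards to issue new passwords; the function returns it alongside the activation state for that reason.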

    1.5 Communication encryption via SSL certificate

    The Tomcat server environment supports the creation of self-signed SSL certificates and the import
    of certificates signed by a trusted third party (e.g. VeriSign, TC TrustCenter, Signtrust, TeleSec,
    Thawte Consulting). You can use either type of certificate to encrypt the communication between users
    and the Manager. Access then occurs using the address prefix https://.

    To prepare the Tomcat server for SSL encryption, follow the steps described in the sub-chapters. You
    can find more information in the Apache Tomcat documentation at
    http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html.

    Note

    o Keep in mind that the validity of an SSL certificate is limited to a single IP address. If you make the

    server accessible via tunnels or technically similar communication channels, remember that the IP

    address can change as a result and the certificate is then displayed as invalid.

    o To make it possible to access your server using an encrypted connection, it may be necessary for you

    to configure the ports provided for this purpose in your firewall accordingly.


    1.5.1 Creating a Tomcat keystore

    The keystore of the Tomcat server is a protected repository that contains the security certificates
    and encrypted keys. It is not created automatically during installation but must be created manually.

    To create the Tomcat keystore, open your server's command prompt (Start > Run > "cmd").

    1. Enter the following command:

    Syntax

    %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA

    Note

    o If the command line reports that the command or file cannot be found, the %JAVA_HOME% system
    variable may not be set on your system. If this is the case, replace the variable with the
    installation path of your Java instance, e.g. C:\Progra~1\Java\jre7.

    o The command creates the keystore file in the home directory of the user creating the keystore. If you

    want to store the file in a different directory, add the following to the command:

    [...] -keystore /path/to/my/file

    2. You are now prompted for a password that protects the keystore. Your entry is not shown on the
    command line for security reasons. Confirm your entry by pressing Enter, then enter the password
    again for verification.

    3. You are then prompted for the data used to create an initial certificate in the keystore. Confirm
    each entry by pressing Enter.

    4. Now enter an individual password for the certificate entry with the alias. Use the same password
    here that you previously used for the keystore, because otherwise the Tomcat server cannot access
    the keystore later on.

    The keystore file ('.keystore') has now been created in the specified directory.


    Note

    Keep in mind that on a system with User Account Control (Windows Vista/Windows 7), the command line
    and the server run as different users, so your home directory is not available to the server. In this
    case, copy the created keystore file to the home directory of the account the server runs as, e.g.
    for the SYSTEM account under C:\windows\system32\config\systemprofile.

    1.5.1.1 Preparing the keystore

    Tomcat supports keystores in the formats JKS, PKCS11 and PKCS12. Here, the JKS format represents the

    standard Java keystore format which is also created by the keytool command line program contained in the Java

    JDK.

    PKCS12 represents an Internet standard that can be created and changed using various programs (OpenSSL,

    Microsoft KeyManager,...).

    To import a signed certificate, please read the documentation relevant for the tools you are using.

    Note

    Every entry in the keystore is accessed via an alias. To prevent conflicts, we do not recommend using
    aliases that differ only in upper and lower case letters, because e.g. the PKCS11 format only
    recognizes upper case letters.

    1.5.2 Creating an internal certificate

    You can create your own local certificates to encrypt the data traffic to your server. The
    disadvantage, however, is that these certificates are only valid for a short time and are not verified
    by a public body. When your users access the server from a browser, a warning appears that the
    certificate could not be authenticated, and it has to be added manually to the user's trusted sites.

    Enter the following command in the command line program to create your own certificate:

    Syntax

    %JAVA_HOME%\bin\keytool -selfcert -v -alias tomcat -storepass

    The values of the certificate you created are then listed. The certificate is now available.

    Note

    The initial connection of the Producer to an SSL-protected server with a local certificate may fail. In this

    case, open the Manager instance with Internet Explorer and confirm the trustworthiness of the certificate

    when prompted. Try to establish a connection in the Producer again.


    1.5.3 Installing an external certificate

    With digital SSL certificates from public certification bodies, your web application is given
    authenticated, unique keys and additional information from your service provider to encrypt and
    decrypt the transfer of confidential data and to authenticate its origin on your side. Using this type
    of certificate is particularly necessary when you want to make encrypted access to your server
    possible outside internal networks, i.e. over the Internet.

    1.5.3.1 Creating a Certificate Signing Request (CSR)

    To obtain a certificate from a public certification body, you first have to create what is known as a
    Certificate Signing Request (CSR). The certification body requires it to identify your web application
    as "secure".

    1. Create a local certificate by entering the following command in the command line (Start > Run >
    cmd):

    Syntax

    %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA \
    -keystore

    2. Enter your personal data at the respective prompts and confirm each entry by pressing Enter.

    Note

    Some certification bodies require the domain of the web pages to be entered for the first and last name

    prompt. Find out if this is necessary for the certification body you have chosen here.

    3. Now create the CSR by entering the following command:

    Syntax

    %JAVA_HOME%\bin\keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr \
    -keystore

    4. Send the file certreq.csr you created in the previous step to the certification body you selected.
    It can now create a certificate and send it to you.


    1.5.3.2 Importing the certificate

    Once you have received the certificate created by the certification body, you can import it into your
    locally created keystore. Before importing the certificate itself, you have to import what is known as
    a chain certificate or root certificate into the keystore. You can download this certificate from the
    page set up by your chosen certification body for this purpose.

    1. Import the downloaded root certificate by entering the following command in the command line (Start >

    Run > cmd):

    Syntax

    %JAVA_HOME%\bin\keytool -import -alias root -keystore \
    -trustcacerts -file

    2. Now import the SSL certificate you received by entering the following command:

    Syntax

    %JAVA_HOME%\bin\keytool -import -alias tomcat -keystore \
    -file

    3. Restart the Tomcat server to load the certificate.

    1.5.4 Adjusting the configuration file

    To implement SSL, it is necessary to define a Java (JSSE) connector. Implementation via the APR
    connector, which is also available, is not supported.

    To carry out the implementation, proceed as follows:

    1. Use a text editor to open the file server.xml in the conf directory of your Tomcat installation.

    2. This file already contains an example of a commented-out element for operation with SSL. It
    should look as follows:

    Syntax


    3. Remove the tags so that the element is no longer commented out and the connector is

    activated.

    4. Adjust the parameters to your specifications in line with the table below or add them if they do not exist.

    Depending on your server specifications, it may be necessary to enter additional parameters. You can find

    a list of all other parameters in the Tomcat reference.

    Parameter: Description

    port
        Specifies the TCP/IP port on which the Tomcat server responds to requests for a secure
        connection. You can change the default port 8443 to any port you want. If you change the value,
        also change it in the redirectPort parameter of the other defined connectors so that users are
        rerouted accordingly.

    keystoreFile
        Enter the path to the keystore file. By default this file is created in the home directory of the
        user creating the keystore; if you change this value, you should have stored your keystore file in
        a different location. Keep in mind that the Tomcat instance must have access rights to this
        directory.

    keystorePass
        Enter the password necessary to access the keystore file. You defined this password in the steps
        described in the chapter Creating a Tomcat keystore.

    5. Save and close the file.

    6. Restart the Tomcat server to reload the changed settings.

    7. Your web applications running on the Tomcat server are now available via secure HTTP communication
    and can be accessed as in the following example:

    https://myserver:8443/Manager


    1.5.4.1 Allow encrypted connections only

    To make your installation of the Manager available exclusively via SSL-encrypted communication, several
    additional settings are necessary.

    1. Deactivate access via the HTTP standard port 80 by commenting out the respective connector block:

    Syntax

    2. Assign the port number 443 (standard Apache) to the SSL connector. If you prefer to use a different port

    number, you have to configure routing via a proxy server or a port forwarding application (e.g. Iptables).

    3. Adjust any other connectors in use accordingly in the redirectPort parameter.

    4. Save the file.

    5. Restart the Tomcat server.

    Your Tomcat server is now available exclusively via the following address:

    https://myserver

    or

    https://myserver/myManager

    Browser inquiries to the address http://myserver are now ignored by the server - the respective browser displays

    a connection error to the user.

    Caution

    If you have installed the Tomcat server in addition to a web server like Apache or IIS, inquiries are handled

    by this server instead. An inquiry sent to port 443 would produce an error message in this case. Change

    the port number in the server.xml file to 8443 and forward the inquiry from the Apache web server using

    the mod_jk connector.


    Note

    After deactivating the standard HTTP port, you have to specify the connection address in the connection

    settings of the Producer with the prefix https and the port entry 443, e.g.:

    https://myserver:443/Manager.
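Sections 1.5.4 and 1.5.4.1 together amount to a checklist against server.xml: an SSL-enabled connector with keystoreFile and keystorePass, redirectPort on the other connectors pointing at it, and, for an HTTPS-only installation, no plain HTTP connector left active and the SSL connector on 443. The Python below is an added example written for this edit that runs that checklist over a server.xml; it is not part of the guide or of Tomcat. The embedded file is a constructed fragment in the shape of Tomcat 7's default server.xml, and its keystore path, ports and password value are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment in the shape of Tomcat 7's default file.
# Paths, ports and the keystore password are placeholders for this example.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="C:/Tomcat/conf/.keystore"
               keystorePass="REPLACE_WITH_KEYSTORE_PASSWORD" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""


def audit_connectors(server_xml, https_only=False):
    """Check the Connector elements of a server.xml against the guide's steps.

    Returns a list of findings (empty = the configuration matches the guide).
    A commented-out connector is not parsed at all and therefore counts as
    inactive, which is exactly what commenting it out in the file achieves.
    """
    root = ET.fromstring(server_xml)
    findings = []
    ssl_ports = []
    plain = []
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if conn.get("SSLEnabled", "false").lower() == "true":
            ssl_ports.append(port)
            if not conn.get("keystoreFile"):
                findings.append(f"SSL connector on port {port} has no keystoreFile")
            if not conn.get("keystorePass"):
                findings.append(f"SSL connector on port {port} has no keystorePass")
        else:
            plain.append(conn)
    if not ssl_ports:
        findings.append("no SSL-enabled connector defined")
        return findings
    if https_only and "443" not in ssl_ports:
        findings.append("SSL connector does not listen on 443; clients must use an explicit port or you need port forwarding")
    for conn in plain:
        port = conn.get("port")
        redirect = conn.get("redirectPort") or "(none)"
        if redirect not in ssl_ports:
            findings.append(f"connector on port {port} has redirectPort {redirect}, which is not an SSL connector port")
        # Tomcat treats a missing protocol attribute as HTTP/1.1. AJP connectors
        # (used for mod_jk forwarding from Apache) are not plain HTTP and stay allowed.
        if https_only and conn.get("protocol", "HTTP/1.1").startswith("HTTP"):
            findings.append(f"plain HTTP connector still active on port {port}")
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML, https_only=True):
        print("finding:", finding)
```

Run against the sample with `https_only=False` the audit is clean, which corresponds to the end of section 1.5.4; with `https_only=True` it reports the still-active HTTP connector and the non-443 port, the two items section 1.5.4.1 tells you to change. The AJP connector is deliberately left alone, since the Caution above keeps it for forwarding from Apache via mod_jk.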

    1.5.5 Displaying certificates

    To display the certificates stored in your keystore, proceed as follows:

    1. Open the command line.

    2. Enter the following command:

    Syntax

    %JAVA_HOME%\bin\keytool -list -v -storepass

    3. Confirm your entry by clicking Enter.


    1.6 SSL secured LDAP connection

    By using LDAPS instead of LDAP, the connection to the Active Directory server can be secured with the
    SSL protocol. This requires some preparation on the Active Directory server; on the Manager side only
    the server address has to be changed.

    LDAPS connections to your Active Directory server become available once you have installed the
    Certification Authority and integrated a CA certificate into your Active Directory. You can create
    this certificate yourself or obtain it from a Trust Authority Service such as Verisign, Thawte or
    others.

    Setting up a Certification Authority (CA)

    On the Active Directory server you have to install the Enterprise Root Certification Authority and
    integrate a CA certificate into it. Please read the linked documentation to install and configure a CA
    on a Microsoft Windows based Active Directory server:

    http://social.technet.microsoft.com/wiki/contents/articles/2980.aspx

    Setting up an LDAPS connection in the Manager

    To connect to an Active Directory server that supports SSL-secured connections, enter the LDAP server
    address as follows, replacing the placeholder with the correct server name:

    Syntax

    ldaps://:636

    Note

    Port number 636 is the default port for LDAPS connections, so the suffix usually does not need to be
    added to the address. You have to add it if your Active Directory server is set up to use another port
    for LDAPS connections. Contact your network administrator for details about deviating port allocations.


    1.7 Single sign-on using Kerberos

    In combination with an Active Directory server available in the network, the Manager grants your users access

    with a single sign-on. This means that they don't have to log in every time but are given immediate access to the

    areas assigned to them through automatic authentication.

    Caution

    o It is not possible to use single sign-on in combination with Microsoft Server 2008 and its Service Pack

    1 due to a system-specific error interpretation. Consequently, Service Pack 2 is needed for Microsoft

    Server 2008 to guarantee proper operation.

    o It is not possible to play navigations (*.dnt) from the Manager when the single sign-on is activated and

    Internet Explorer 6 is in use due to a technical problem with the browser.

    Note

    o If some of your Active Directory server objects have a large number of group memberships, or you
    have groups with very long names, you should consider adjusting the size of the HTTP headers. This
    avoids errors while transferring the credentials of those objects. Read the chapter Adjusting the
    HTTP header size to learn more.

    Note

    This function is not supported in the Oracle Edition.

    1.7.1 Configuration

    Note

    o If you want to reference a DNS alias name created for this purpose instead of the native host name
    of the server, keep in mind that this alias must be defined in the resource record table as a
    referencing CNAME. If the host name is entered as an address alias (A record), an invalid keytab file
    will be generated.

    o Ensure that the version of ktpass is at least the same as your Active Directory version. To check,
    right-click the file ktpass.exe and select Properties > Details in the context menu to see the
    version number.

    If necessary, update your system by downloading the Windows Support Tools in the same version as your
    system version. Note that there may be two different versions of ktpass (32-bit and 64-bit) if you run
    a 64-bit system.


    Follow the steps below to configure server-side single sign-on in your installation of the Manager:

    1. Create a user account in the Active Directory (LDAP). The account should be created on a top-level
    domain server that contains the global catalog, and its name must be different from the host name of
    the server on which the Manager is installed. Ensure that the password of the account used for the SSO
    connection will not expire: enable the option "Password never expires" when creating the account.

    2. Open the command line interpreter on the Active Directory server and enter the following commands,
    replacing the placeholders with the appropriate values. These create the keytab file necessary for the
    functionality. To specify an output path, enter it in the /out parameter along with the file name.
    Otherwise the keytab file will be created in the current directory.

    First use this command to set the SPN for the created user account. Replace the text in angle brackets
    with your individual parameters:

    Syntax

    ktpass /pass /mapuser /princ HTTP/.@ /ptype KRB5_NT_PRINCIPAL /Target

    *Placeholders shown in upper case letters must also be written in upper case letters.

    **Use the DNS name for the domain. NetBIOS names are not supported.

    Next use this command to create the keytab file. Again replace the text in angle brackets with your
    individual parameters:

    Syntax

    ktpass /out () /princ HTTP/.@ /ptype KRB5_NT_PRINCIPAL /Target /pass /mapuser

    *Placeholders shown in upper case letters must also be written in upper case letters.

    **Use the DNS name for the domain. NetBIOS names are not supported.

    Caution

    Keep in mind that the princ HTTP parameter has to be entered in the following format:

    @.

    3. Place the keytab file somewhere on the Manager server (e.g.: C:\Manager\Managerpc.HTTP.keytab).

    Avoid placing the file in the webapp directory of the Manager because it will be deleted if the program is

    updated.

    Now enter the appropriate data in the LDAP import wizard of the Manager. This data is explained in brief below.


    Parameter: Description

    Enable SSO
        Activates SSO for the LDAP import. To activate SSO for your users, additionally activate Single
        Sign-on within the Server Settings. Note that SSO will only work for accounts imported by LDAP.

    Service Principal*
        Enter the service authentication with the complete service description and domain ID of the
        Manager server here, e.g. HTTP/[email protected]

    Keytab File Name
        If there is already a Kerberos service set up in your network and a config file regulates service
        access, select the according file by clicking Select Keytab File. The fields Server name and Realm
        do not need to be filled out in this case. You can find more information at:
        http://download.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/KerberosReq.html

    Server name*
        Enter the host name of the Active Directory server here, e.g. master.

    Realm*
        Enter your domain here, e.g. MYCOMPANY.DE

    4. Now click Save LDAP Access to save the data you entered. You may now select the data to be imported by
    clicking the button Select, or leave the wizard by clicking Close.

    5. To activate Single sign-on for your users, go to Administration -> Server Settings and activate the setting
    Enable Single sign-on within the section Single sign-on.

    Note

    Single sign-on based on Kerberos does not work when accessing the local host. You have to address your
    instance of Manager from a different computer to make use of the single sign-on.


    1.7.2 Settings for Mozilla Firefox

    Open the advanced browser configuration by entering about:config in the address bar. Search for the setting

    network.negotiate-auth.trusted-uris and enter the name of the server or the server domain.

    1.7.3 Settings for Internet Explorer

    Open the browser settings by clicking Tools > Internet settings and make the following changes:

    1. Open the Advanced tab. Activate the option Integrated Windows Authentication under Security.

    2. Open the Security tab and click Local intranet. Click the Custom level button and select Automatic logon
    only in Intranet zone under User Authentication > Logon. Close the dialog box and click OK.

    3. Click the Sites button in the dialog window that opens and select Advanced. Enter the IP address or the
    host name of the server where Manager is installed in the upper input box. If the input box is not available
    for entry, contact your network administrator to add it to the listed values.

    1.7.4 Adjusting the HTTP header size

    For users who are assigned to a large number of groups, the length of the HTTP header may exceed the maximum
    size permitted by the Tomcat server. This happens because all group memberships have to be sent inside the
    header. In this case the Tomcat server discards the authentication, and a server error message is displayed to
    the user when calling Manager. To solve this issue, the default value (8 KB) within the Tomcat configuration
    has to be adapted.

    Proceed as follows to adapt your Tomcat configuration:

    1. Start your favorite text editor and open the file server.xml, which is located in the directory conf of your
    Tomcat installation directory.

    2. Scroll to the part with the Connector definitions and add the parameter maxHttpHeader to each definition of
    an active connector. The box below shows an example of an adapted connector element; the added parameter is
    marked red.

    Syntax

    The input value has to be given in bytes. The example given matches 64 KB.

    3. Save and close the file.

    4. Restart the Tomcat server service.
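    The following script is an added example and not the guide's own red-marked box. It assumes that the parameter
    the text calls maxHttpHeader is Tomcat's maxHttpHeaderSize connector attribute (whose default is 8192 bytes,
    the 8 KB mentioned above), raises it to 65536 bytes (64 KB) on every active Connector element, and leaves
    commented-out connectors untouched instead of silently dropping them, which a plain ElementTree round trip
    would do. The server.xml content is a constructed sample; the file name raise_header_size.py is hypothetical.

```python
"""Raise maxHttpHeaderSize on every active Tomcat connector in server.xml.

Added example; assumes Tomcat's maxHttpHeaderSize connector attribute (default 8192 bytes).
"""
import sys
import xml.etree.ElementTree as ET

TOMCAT_DEFAULT_HEADER_BYTES = 8192   # Tomcat's default, the 8 KB mentioned in the guide
TARGET_HEADER_BYTES = 65536          # 64 KB, the value the guide's example matches

# Constructed sample of a Tomcat server.xml; the AJP connector is commented out,
# i.e. inactive, and must be neither changed nor dropped.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def parse_server_xml(xml_text):
    # insert_comments=True keeps <!-- --> nodes, so commented-out connectors survive re-serialization
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def connector_header_sizes(xml_text):
    """Map each active connector's port to its effective maxHttpHeaderSize in bytes."""
    root = parse_server_xml(xml_text)
    return {c.get("port"): int(c.get("maxHttpHeaderSize", TOMCAT_DEFAULT_HEADER_BYTES))
            for c in root.iter("Connector")}


def set_max_header_size(xml_text, size_bytes=TARGET_HEADER_BYTES):
    """Return (new_xml, changed_ports). Only connectors below size_bytes are raised;
    a connector that already allows more keeps its larger value."""
    root = parse_server_xml(xml_text)
    changed = []
    for conn in root.iter("Connector"):   # comment nodes carry a different tag and are skipped
        current = int(conn.get("maxHttpHeaderSize", TOMCAT_DEFAULT_HEADER_BYTES))
        if current < size_bytes:
            conn.set("maxHttpHeaderSize", str(size_bytes))
            changed.append(conn.get("port"))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    # Usage: python raise_header_size.py <path to conf/server.xml>; writes <path>.new for review
    # instead of overwriting the live configuration. Without a path the constructed sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_SERVER_XML
    new_xml, ports = set_max_header_size(text)
    print("raised maxHttpHeaderSize on connector ports:", ports)
    if path:
        with open(path + ".new", "w", encoding="utf-8") as fh:
            fh.write(new_xml)
    else:
        print(new_xml)
```

    ElementTree may normalize attribute quoting and whitespace when it re-serializes the file, so compare the
    generated .new file with the original before putting it in place of conf/server.xml and restarting Tomcat.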


    1.7.5 Troubleshooting

    Trouble with your Single Sign-on configuration can have several causes. To investigate the reason for the error
    you will need to examine the server logs and the client-server communication.

    Log files

    The log files are written to Tomcat's default log path; replace the text in angle brackets according to your
    scenario. You will need a text viewer application to open the log files.

    \logs\-manager_exceptions.log

    Track communication

    To track the communication between client and server we highly recommend the use of Wireshark
    (http://www.wireshark.org) or a comparable application.

    1.7.5.1 Exception log messages and possible reasons

    Exception message

    Syntax

    java.io.EOFException: DEF length 84 object truncated by 46 - Additional A Pointer or duplicate SPN

    Possible reasons

    1. Check on your DNS server whether an additional A record has been set for the server hosting the Manager.
    Use a CNAME instead.

    2. Use the command setspn -X on your Domain Controller to find duplicate SPNs. If duplicates exist, either
    delete the user account that has the same SPN or use the command setspn -d "\" to delete the duplicate
    SPN from that account.


    Exception message

    Syntax

    javax.security.auth.login.LoginException: No CallbackHandler available to garner authentication information
    from the user

    Possible reasons

    1. The account holding the SPN might be disabled. Re-enable that account on the Active Directory server.

    2. Check with the command setspn -L "\" whether the proper SPN has been set for that account. If not, use
    ktpass to do so.

    Exception message

    Syntax

    "0x6 - KDC_ERR_C_PRINCIPAL_UNKNOWN: Client not found in Kerberos database" OR
    "0x7 - KDC_ERR_S_PRINCIPAL_UNKNOWN: Server not found in Kerberos database"

    Possible reasons

    1. These two errors usually indicate that an SPN has not been set correctly. Check with the command
    setspn -L "\" whether the proper SPN has been set for that account. If not, use ktpass to do so.

    1.7.5.2 Recreate kerberos file after Java update

    If you update the Oracle JRE from version 6 to version 7, your currently running SSO scenario will fail.
    This is a result of the incompatibility of the JRE-generated kerberos files between the two major versions.
    To fix this issue you have to regenerate the kerberos file with the new JRE version.

    Proceed as follows to do so:

    1. Open your browser and enter the URL to access your Manager instance.

    2. Log on to Manager.

    3. Go to Administration > Server Import.

    4. Enter the credentials of the initial user account when asked for them.

    5. On the page Manager Import click LDAP.

    6. Select one data source you are using for your SSO scenario and click Edit.

    7. On the page Import LDAP Data ensure that the keytab file and the service principal are specified.

    8. Click Save LDAP Access.


    9. Close the browser.

    The kerberos file has now been regenerated using the newer JRE version. Your SSO scenario will run flawlessly
    again.

    Note

    If you run multiple Manager instances you will have to do this procedure only for each keytab file you are

    using, not for each Manager instance itself. Once the kerberos file is regenerated, it will work for all other

    Manager instances as well.

    1.7.5.3 Additional troubleshooting

    o Make sure the Domain Controller is accessible for the Manager and for the client. Use tools like ping or
    nslookup to check.

    o Use the command klist on your client to see whether you received the proper Kerberos ticket. If you did not
    receive anything, there might be an issue with the Kerberos service on your Domain Controller or with the
    Kerberos configuration on your client. Check that the setting "Integrated Windows Authentication" is enabled
    in your client's Internet Explorer.

    o Make sure that your Domain Trusts have been set up properly if you try to use SSO across multiple domains.

    o Make sure that you don't use a second A record for your Manager. The same applies to your reverse lookup
    zones.

    o Use Wireshark or a comparable application on the server hosting your Manager and filter for Kerberos to
    see whether any Kerberos communication takes place.
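    The checks below are an added example (not SAP's code) that scripts the SPN verification steps from the
    exception table in 1.7.5.1 and from the checklist above: it validates that a service principal has the
    HTTP/<host>@<REALM> shape the ktpass step requires, lists duplicate SPN groups from setspn -X output, and
    tells whether the expected SPN is present in setspn -L output for the service account. The setspn output
    samples are constructed and their layout is assumed from typical Windows Server output; the domain
    mycompany.de and the account names are placeholders.

```python
"""SPN sanity checks for a Kerberos SSO setup. Added example, not SAP code.

The setspn output layout is an assumption; compare it with your own domain controller's output.
"""
import re

# Constructed sample of `setspn -X` output: one SPN registered on two accounts.
SETSPN_X_SAMPLE = """Checking domain DC=mycompany,DC=de
Processing entry 0
HTTP/manager.mycompany.de is registered on these accounts:
\tCN=svc-manager,CN=Users,DC=mycompany,DC=de
\tCN=svc-manager-old,CN=Users,DC=mycompany,DC=de

found 1 group of duplicate SPNs.
"""

# Constructed sample of `setspn -L MYCOMPANY\\svc-manager` output.
SETSPN_L_SAMPLE = """Registered ServicePrincipalNames for CN=svc-manager,CN=Users,DC=mycompany,DC=de:
\tHTTP/manager.mycompany.de
\tHTTP/manager
"""

# service/host@REALM, the shape the guide requires for the ktpass princ parameter
PRINCIPAL_RE = re.compile(
    r"^(?P<service>[A-Za-z]+)/(?P<host>[A-Za-z0-9.-]+)@(?P<realm>[A-Za-z0-9.-]+)$")


def validate_service_principal(principal):
    """Return a list of problems with a service principal string; empty means it looks right."""
    m = PRINCIPAL_RE.match(principal.strip())
    if not m:
        return ["expected the form HTTP/<host>@<REALM>"]
    problems = []
    if m.group("service") != "HTTP":
        problems.append("service part must be HTTP for browser SSO (case sensitive)")
    if "." not in m.group("host"):
        problems.append("host should be the fully qualified name the browser uses")
    if m.group("realm") != m.group("realm").upper():
        problems.append("realm must be upper case (Kerberos realms are case sensitive)")
    return problems


def duplicate_spns(setspn_x_output):
    """Parse `setspn -X` output into {spn: [account DN, ...]} for every duplicated SPN."""
    groups = {}
    current = None
    for line in setspn_x_output.splitlines():
        header = re.match(r"^(\S+) is registered on these accounts:$", line)
        if header:
            current = header.group(1)
            groups[current] = []
        elif current and line.startswith("\t"):
            groups[current].append(line.strip())   # indented lines list the accounts
        else:
            current = None                          # blank line or summary ends the group
    return groups


def registered_spns(setspn_l_output):
    """Parse `setspn -L <account>` output into the list of SPNs on that account."""
    return [line.strip() for line in setspn_l_output.splitlines() if line.startswith("\t")]


def spn_missing(setspn_l_output, expected_spn):
    """True when the SPN the keytab was created for is not registered on the account."""
    return expected_spn not in registered_spns(setspn_l_output)


if __name__ == "__main__":
    # In practice, paste the real command output in place of the constructed samples.
    print("principal problems:", validate_service_principal("HTTP/manager.mycompany.de@MYCOMPANY.DE"))
    print("duplicate SPN groups:", duplicate_spns(SETSPN_X_SAMPLE))
    print("SPN missing on account:", spn_missing(SETSPN_L_SAMPLE, "HTTP/manager.mycompany.de"))
```

    A non-empty duplicate group maps to the first exception in 1.7.5.1 (delete the stale account or remove the
    SPN from it with setspn -d), while a missing SPN maps to the LoginException and KDC_ERR_*_PRINCIPAL_UNKNOWN
    cases (set it with ktpass).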

  • www.sap.com/contactsap

    Material Number

    2013 SAP AG. All rights reserved.

    No part of this publication may be reproduced or transmitted in any

    form or for any purpose without the express permission of SAP AG.

    The information contained herein may be changed without prior

    notice.

    Some software products marketed by SAP AG and its distributors

    contain proprietary software components of other software

    vendors.

    Microsoft, Windows, Excel, Outlook, and PowerPoint are registered

    trademarks of Microsoft Corporation.

    IBM, DB2, DB2 Universal Database, System ads, System i5, System

    p, System p5, System x, System z, System z10, System z9, z10, z9,

    iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS,

    S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise

    Server, PowerVM, Power Architecture, POWER6+, POWER6,

    POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,

    BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2

    Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,

    Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are

    trademarks or registered trademarks of IBM Corporation.

    Linux is the registered trademark of Linus Torvalds in the U.S. and

    other countries.

    Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either

    trademarks or registered trademarks of Adobe Systems

    Incorporated in the United States and/or other countries.

    Apple, App Store, FaceTime, iBooks, iPad, iPhone, iPhoto, iPod,

    iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are

    trademarks or registered trademarks of Apple Inc.

    Oracle and Java are registered trademarks of Oracle and its

    affiliates.

    UNIX, X/Open, OSF/1, and Motif are registered trademarks of the

    Open Group.

    Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,

    VideoFrame, and MultiWin are trademarks or registered trademarks

    of Citrix Systems, Inc.

    HTML, XML, XHTML and W3C are trademarks or registered

    trademarks of W3C, World Wide Web Consortium, Massachusetts

    Institute of Technology.

    SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge,

    ByDesign, SAP Business ByDesign, and other SAP products and

    services mentioned herein as well as their respective logos are

    trademarks or registered trademarks of SAP AG in Germany and in

    several other countries all over the world. All other product and

    service names mentioned are the trademarks of their respective

    companies. Data contained in this document serves informational

    purposes only. National product specifications may vary.

    These materials are subject to change without notice. These

    materials are provided by SAP AG and its affiliated companies ("SAP

    Group") for informational purposes only, without representation or

    warranty of any kind, and SAP Group shall not be liable for errors or

    omissions with respect to the materials. The only warranties for SAP

    Group products and services are those that are set forth in the

    express warranty statements accompanying such products and

    services, if any. Nothing herein should be construed as constituting

    an additional warranty.
