The SAP Web AS Java enables you to use the Simple and Protected GSS API Negotiation Mechanism (SPNego) to negotiate Kerberos authentication with Web clients, such as Web browsers. SPNego is a standard mechanism to determine shared authentication mechanisms, select one and establish a security context for communication.
The SPNego functions on the AS Java are available with the JAAS login module SPNegoLoginModule. With this login module, you can use Kerberos authentication without an intermediary Web server. In addition, the use of Kerberos authentication is not tied to the specific operating system of the AS Java host.
This guide describes the steps to configure and use the original version of SPNego distributed with SAP NetWeaver Application Server Java. With the latest service packs (SPs), however, some of the features of SPNego have changed. The current documentation describes SPNego distributed with the following releases:
■ SAP NetWeaver Application Server 6.40 SP26 and lower
■ SAP NetWeaver Application Server 7.00 SP 22 and lower
■ SAP NetWeaver Application Server 7.01 SP 07 and lower
■ SAP NetWeaver Application Server 7.02 SP5 and lower
If you are using a higher SP than the mentioned above or if you want to migrate the old SPNEGO to the new version, refer to SAP Note 1488409 and the configuration guide attached to it.
When you use SPNego, authentication is performed by several systems in your landscape, which negotiate the outcome of the authentication process transparently for the user. At a minimum, SPNego authentication involves the following systems:
● Web client – the Web client requests a service or a resource from the AS Java and authenticates against the Kerberos Key Distribution Center. For example, users use a Web browser for a Web client to access Web applications running on the AS Java.
● Kerberos Key Distribution Center (KDC) – the KDC authenticates the user and grants a Kerberos Client/Server Session Ticket that is used for the communication between the AS Java and the user’s Web client.
● SAP Web AS Java – the AS Java uses Generic Security Service Application Programming Interface (GSS-API), provided by the Java Virtual Machine (JVM) and the User Management Engine (UME). The GSS-API is used to acquire the negotiated security context with the Kerberos ticket issuer, and the UME is used to retrieve the identity management information for the authenticated with Kerberos user. Subsequently, the AS Java provides access to the services or resources requested by the Web client.
For more information about the Kerberos systems landscape and infrastructure, see Kerberos V5 Administrator’s Guide, available from web.mit.edu
The SPNegoLoginModule enables the use of the Single Sign-On (SSO) authentication mechanism which is an integral part of the Microsoft Windows 2000 and higher operating systems. SPNego authentication can be used for Windows Integrated Authentication in a Windows Domain which makes use of a Microsoft Windows Domain Controller (DC) that acts as a KDC.
For information about the integration of non-Windows server components in the Microsoft Kerberos Infrastructure, see the documents available from the Microsoft Developer Network (MSDN) at msdn.microsoft.com.
Kerberos authentication with the J2EE Engine has been tested with the following platforms:
● SAP NetWeaver Web Application Server Java Release:
○ J2EE Engine 640 SP 15 or higher
● Java Development Kits (JDKs):
○ Sun JDK 1.4 on Windows
○ Sun JDK 1.4 on SuSE Linux Enterprise Server SLES9
○ Sun JDK 1.4 on Sun Solaris
○ IBM JDK 1.4 on AIX
○ Sun JDK 1.4 on HP UX
● Windows Kerberos Environment:
○ Microsoft Windows Server 2000 Active Directory
○ Microsoft Windows Server 2003 Active Directory
The systems involved in the SPNego authentication process share user information. Therefore, to enable the AS Java to use SPNego authentication you have to configure several systems including the KDC, the AS Java and its UME, as well as the Web client. In addition, the AS Java uses the GSS-API functions available from your Java Development Kit (JDK) and the actual AS Java configuration depends on the underlying JDK you use.
For information about configuring Kerberos authentication with the AS Java, see the following topics:
Information about required configuration settings on the KDC, such as creating a service user and a Kerberos keytab for the J2EE Engine.
Information about the step-by-step wizard which is used to configure the AS Java for SPNego authentication.
Information about Web client configuration for using Kerberos authentication.
In addition, SPNego does not provide transport layer security. Therefore, we recommend that you use transport layer security mechanisms, such as SSL, for increased security for the SPNego communication with the AS Java. For more information, see Network and Transport Layer Security.
For an example of the SPNego authentication process, see the figure below:
Example of Kerberos authentication with the AS Java
1. The Web client accesses a AS Java resource with a GET request.
2. The AS Java sends back a 401 response code (unauthorized) with a request to initiate SPNego authentication by setting the HTTP header “WWW-Authenticate” to “Negotiate”.
3. The Web client recognizes that the AS Java host is a member of the Kerberos Realm and procures a Kerberos Client/Server Session Ticket for the AS Java from the KDC.
4. The Web client then sends the Kerberos Client/Server Session Ticket to the AS Java wrapped as a SPNego token in the HTTP authorization header.
5. The SPNegoLoginModule reads the token from the HTTP request and feeds the Kerberos implementation of the JDK with it.
6. The result is either successful client authentication or failure when the client request is rejected or another roundtrip to the KDC is necessary. In the case of failure, the Kerberos JDK implementation of the AS Java generates and sends back to the Web client an output token. The output token is wrapped as a SPNego token and sent in the HTTP authorization header.
● 696294 – Logoff from Portal does not invalidate 3rd-party SSO session
● 968191 – SPNego Central Note
● 994791 – Wizard-based SPNego configuration