Administrator

Kerberos Configuration Properties

Kerberos provides single sign-on (SSO) access to a back end that is integrated into the Kerberos realm. Another provider must authenticate clients before the Kerberos provider is called.

Description

Configure a Kerberos provider by:
  • Incorporating into your Kerberos realm all back-end resources to which you want to provide SSO access.
  • Associating the SAP Mobile Platform service with a user.
  • Enabling SAP Mobile Platform users to delegate to the services representing the Kerberos back-end resources.
  • Configuring a separate authentication provider, earlier in the list, in the same security profile.
  • Specifying appropriate values for the properties below.

Properties

Table 65: Kerberos General Configuration Properties
Property Default Value Description
Description None Differentiate between multiple instances of the same provider type; for example, when you have multiple authentication providers of the same type stacked in a security profile, and each targets a different repository.
Table 66: Kerberos Advanced Configuration Properties
Property Default Value Description
kdc None The Key Distribution Center (KDC) identifier, in the format <hostname>:<port>.
realm None The Kerberos realm to use for authenticating SAP Mobile Platform Server users to the KDC; must be capitalized, for example, MYREALM.MYCORP.COM.
cname None The user name in the KDC that is associated with SAP Mobile Platform Server.
key None The hexadecimal value of the key that is shared between the SAP Mobile Platform service and the KDC.
To create a key:
  1. Verify that either %JAVA_HOME%\bin\jdk or %JAVA_HOME%\bin\jre is in your path.
  2. On the command line, run:
    ktab -a <username>@<realm>:<password>

    The service key is saved in the C:\Users\<username>\krb5.keytab file.

  3. In krb5.keytab, for Key type: 23, use the value of Key, excluding the leading "0x". For example, if the Key is 0x9b45235463723db9963c994671ff4fc6, enter 9b45235463723db9963c994671ff4fc6.
credential spnego The name of the credential that provides the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) Kerberos token upon successful authentication.

To validate your settings, click Test Settings. A message reports either success or failure; if validation fails, invalid settings are highlighted.