
Configuring Non-ADS Data Sources for Kerberos Authentication

Use

Use this topic to modify the UME data source configuration so that non-ADS data stores can be used with Kerberos authentication.

Caution

Using Kerberos for Windows Integrated authentication with non-ADS data sources on the J2EE Engine can lead to security vulnerabilities due to inconsistency of user data. The reason is that the source of authentication, the Windows DC acting as a KDC, can use a user store that is different from the user repository of the J2EE Engine. For example, Joe in the KDC and Joe in an ABAP user repository for the J2EE Engine may not be the same physical person, and there may not even be a Joe in the ABAP system. Therefore, we recommend that you regularly synchronize the user information in the two user stores, or use a single user data store.

Prerequisites

For this scenario, the UME uses the user account ID of the authenticated user to search for the user in the UME data source. Therefore, the user account ID attribute must be unique for each of the users in the UME data source.

Procedure


1. Modify the value of the SPNegoLoginModule property com.sap.spnego.uid.resolution.mode to use the prefix-based user resolution mode. For more information, see Managing Login Modules and Overview of SPNegoLoginModule.

2. Customize the UME data source configuration file. For more information, see Customizing UME Data Source Configuration.

   a. Define the attribute kpnprefix in the responsibleFor section of the UME data source configuration file.

   b. Map the attribute kpnprefix to the physical attribute in the UME data source that corresponds to the user account ID.


When using the Sun JDK, you also have to map krb5principalname to the physical attribute that holds the user principal name. This is necessary so that the J2EE Engine can acquire its service user credentials.

3. Add an additional user profile attribute krb5principalname to the UME property ume.admin.addattrs. For more information about adding user attributes, see UME Reference → Administration.

4. Create a J2EE Engine service user in the UME data source. For more information, see Creating and Removing Users.

   a. Set the krb5principalname value of the J2EE Engine service user to the KPN used on the KDC, for example HTTP/hades.customer.de@IT.CUSTOMER.DE. For more information, see User Management Administration Console → User Profile.

   b. Enable the No password change required option for the J2EE Engine service user. For more information, see Viewing User Information.

Example

Defining a UME attribute:

     <responsibleFor>
        ...
        <principal type="user">
          <nameSpaces>
            <nameSpace name="com.sap.security.core.usermanagement">
              <attributes>
                <attribute name="firstname" populateInitially="true"/>
                ...
                <attribute name="kpnprefix"/>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
        ...
     </responsibleFor>

Mapping UME attribute:

     <attributeMapping>
       <principals>
         <principal type="account">
           <nameSpaces>
             ...
           </nameSpaces>
         </principal>
         <principal type="user">
           <nameSpaces>
             <nameSpace name="com.sap.security.core.usermanagement">
               <attributes>
                 <attribute name="firstname">
                   <physicalAttribute name="givenname"/>
                 </attribute>
                 ...
                 <attribute name="kpnprefix">
                   <physicalAttribute name="uid"/>
                 </attribute>
               </attributes>
             </nameSpace>
           </nameSpaces>
         </principal>
       </principals>
     </attributeMapping>

Note

The uid attribute in the attribute mapping above is specific to this example. In many directory servers, for example the Sun ONE LDAP server, the uid attribute is used as the logon ID and can be used to uniquely identify a user. Note that XML tag names are case-sensitive, so the opening and closing tags (nameSpace, nameSpaces) must match exactly.
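The following Python script is an added example, not SAP code and not the UME implementation. It checks a data source configuration against steps 2a and 2b above (and the Sun JDK note), and then models what prefix-based user resolution with a unique account-ID attribute means: the part of the Kerberos principal name before the realm is looked up through the physical attribute mapped to kpnprefix, and anything other than exactly one match is rejected. The <dataSource> root element, the in-memory directory, the principal names and the realm usage are constructed for this example; the inner XML structure follows the example on this page.

```python
import xml.etree.ElementTree as ET

NAMESPACE = "com.sap.security.core.usermanagement"

# Constructed excerpt of a UME data source configuration; the <dataSource> root
# is an assumption, the inner structure follows the example on this page.
CONFIG_XML = """<dataSource id="EXAMPLE_NON_ADS">
  <responsibleFor>
    <principal type="user">
      <nameSpaces>
        <nameSpace name="com.sap.security.core.usermanagement">
          <attributes>
            <attribute name="firstname" populateInitially="true"/>
            <attribute name="kpnprefix"/>
          </attributes>
        </nameSpace>
      </nameSpaces>
    </principal>
  </responsibleFor>
  <attributeMapping>
    <principals>
      <principal type="user">
        <nameSpaces>
          <nameSpace name="com.sap.security.core.usermanagement">
            <attributes>
              <attribute name="firstname"><physicalAttribute name="givenname"/></attribute>
              <attribute name="kpnprefix"><physicalAttribute name="uid"/></attribute>
            </attributes>
          </nameSpace>
        </nameSpaces>
      </principal>
    </principals>
  </attributeMapping>
</dataSource>"""

# Constructed stand-in for the non-ADS data source (physical attributes per
# user); the two "dup" entries deliberately violate the uniqueness prerequisite.
DIRECTORY = [
    {"uid": "joe", "givenname": "Joe"},
    {"uid": "anna", "givenname": "Anna"},
    {"uid": "dup", "givenname": "Duplicate One"},
    {"uid": "dup", "givenname": "Duplicate Two"},
]

def parse_error(xml_text):
    """Parser message if the XML is not well-formed, else None. Tag names are
    case-sensitive: <nameSpace> closed by </namespace> is rejected here."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as exc:
        return str(exc)

def declared_attributes(root):
    """Attribute names declared for user principals in <responsibleFor>."""
    path = ("./responsibleFor/principal[@type='user']/nameSpaces/"
            f"nameSpace[@name='{NAMESPACE}']/attributes/attribute")
    return {a.get("name") for a in root.findall(path)}

def physical_attribute(root, logical_name):
    """Physical attribute mapped to a logical user attribute, or None."""
    path = ("./attributeMapping/principals/principal[@type='user']/nameSpaces/"
            f"nameSpace[@name='{NAMESPACE}']/attributes/"
            f"attribute[@name='{logical_name}']/physicalAttribute")
    hits = root.findall(path)
    return hits[0].get("name") if hits else None

def check_kerberos_setup(xml_text, sun_jdk=False):
    """Findings against steps 2a/2b and the Sun JDK note; [] means complete."""
    err = parse_error(xml_text)
    if err:
        return [f"not well-formed XML: {err}"]
    root = ET.fromstring(xml_text)
    findings = []
    if "kpnprefix" not in declared_attributes(root):
        findings.append("kpnprefix is not declared in <responsibleFor> (step 2a)")
    if physical_attribute(root, "kpnprefix") is None:
        findings.append("kpnprefix has no <physicalAttribute> mapping (step 2b)")
    if sun_jdk and physical_attribute(root, "krb5principalname") is None:
        findings.append("krb5principalname is not mapped (required with Sun JDK)")
    return findings

def kpn_prefix(kpn):
    """Prefix-based resolution keys on the part of the KPN before the realm."""
    prefix, sep, realm = kpn.partition("@")
    if not (sep and prefix and realm):
        raise ValueError(f"malformed Kerberos principal name: {kpn!r}")
    return prefix

def resolve_user(kpn, xml_text, directory):
    """Map a KPN to exactly one entry via the kpnprefix mapping; any other
    match count returns None, which is why the account ID must be unique."""
    attr = physical_attribute(ET.fromstring(xml_text), "kpnprefix")
    if attr is None:
        raise ValueError("kpnprefix is not mapped; complete step 2b first")
    matches = [e for e in directory if e.get(attr) == kpn_prefix(kpn)]
    return matches[0] if len(matches) == 1 else None
```

Running check_kerberos_setup on the constructed configuration returns an empty list, and with sun_jdk=True it reports the missing krb5principalname mapping. resolve_user("joe@IT.CUSTOMER.DE", CONFIG_XML, DIRECTORY) returns Joe's entry, while a principal with no match or with two matching entries (the "dup" case) resolves to None rather than to an arbitrary user.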

See also:

Customizing a UME Data Source Configuration

