White Paper, Centrify Corp., May 2008

Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory
The Active Directory-Based Single Sign-On Solution for SAP R/3

Abstract

Many of the largest, most recognizable and successful organizations use SAP R/3. But to the end-users within those organizations who need access to SAP R/3, this means yet another username and password they have to remember and constantly enter and re-enter. To IT managers, SAP R/3 represents yet another authentication and identity store to manage. In addition, given the sensitive nature of the data stored in SAP R/3 systems, there is a compelling need from both a security and compliance perspective to ensure that communication with, and access to, that sensitive data is done in a highly secure manner.

In most organizations, Microsoft's Active Directory is now the de facto standard for providing authentication and identity management for Windows systems and applications. Centrify's DirectControl extends Active Directory's reach to UNIX, Linux, Mac, Java/web and database environments. Centrify DirectControl for SAP goes one step farther by enabling Active Directory-based single sign-on for SAP R/3. This means Windows users using SAP GUI and non-Windows users using the SAP Java client can use their Active Directory credentials to access SAP R/3 running on UNIX or Linux without having to remember or re-enter another username and password. Auditors and security professionals also gain assurance: because DirectControl authenticates users with Kerberos tickets, no SAP password is typed by the user or sent over the network to the SAP server.

This white paper describes how Centrify DirectControl for SAP delivers single sign-on capabilities for SAP R/3 and how this ability translates into major benefits in the form of increased security, ease of use and enterprise readiness.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation. Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Centrify Corporation. All rights reserved. Centrify is a registered trademark, and DirectControl and DirectAudit are trademarks of Centrify Corporation. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other names used are trademarks of their respective companies. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

WP017-2008-05-18
CENTRIFY CORPORATION 2008. ALL RIGHTS RESERVED. PAGE II
Contents

1 Introduction
2 Challenges with SAP Authentication
3 Addressing SAP Authentication Challenges with DirectControl for SAP
3.1 The Centrify DirectControl Solution
3.2 SAP Secure Network Communications (BC-SNC) Overview
3.3 Enterprise Readiness
4 SAP and DirectControl Integration: Step-by-Step
4.1 Join the SAP Server to Active Directory with DirectControl
4.2 Configure Service and Kerberos
4.3 Configure SNC on the SAP Server
4.4 Configure the SAP Client
4.5 Single Sign-On Using SNC, Kerberos and Active Directory
5 Summary
6 How to Contact Centrify
1 Introduction

Centrify DirectControl delivers secure access control and centralized identity management by seamlessly integrating your UNIX, Linux, Mac, web and database platforms with Microsoft Active Directory. DirectControl effectively turns a non-Microsoft system into an Active Directory client, enabling you to secure that system using the same authentication, authorization and Group Policy services currently deployed for your Windows systems. With its patent-pending Zone technology, Centrify delivers the only solution that does not require intrusive reconfiguration of existing systems and provides the granular administrative control needed to securely manage a diverse set of systems and applications. With DirectControl, you can fully leverage your investment in Active Directory to address regulatory compliance, strengthen security, and enhance IT and end-user efficiency and productivity.

Centrify DirectControl for SAP enables Active Directory-based single sign-on to SAP R/3 servers running on a UNIX or Linux system. This means users who access SAP R/3 via the SAP GUI client application on Windows workstations and/or via the SAP Java client on non-Windows workstations can access the desired SAP business application using their Active Directory user credentials. DirectControl enables this capability via integration with SAP's Secure Network Communication (SNC) interface.

Key benefits of Centrify DirectControl for SAP include the ability to:

• Increase user satisfaction and reduce user/password-related support calls by providing users with single sign-on (SSO) access to SAP R/3 through their Active Directory credentials.
• Increase security by allowing IT administrators to disable access not only to Windows but also to DirectControl-managed systems and applications such as SAP via a single management tool: Microsoft Active Directory.
• Enforce consistent password and other security policies using familiar Active Directory tools.
• Implement encrypted communication between the SAP client and the SAP R/3 server via DirectControl's use of Kerberos.
• Deploy without intrusive changes to Active Directory.
• Simplify compliance with regulatory requirements.
• Maximize your existing investment in Active Directory.

Before discussing the details of the DirectControl for SAP solution, let's first discuss some of the challenges of SAP authentication.
2 Challenges with SAP Authentication

SAP R/3 is a mature technology that has been widely used in many organizations for many years. However, SAP provides many approaches to securing communication and authenticating end-users to SAP R/3. Understanding and choosing the right approach can be a confusing and difficult process, often requiring external consulting time and rationalization with existing security policies and architecture.

With the standard SAP-defined username and password approach to authentication (the default deployment option with SAP R/3), SAP administrators may find that this approach has some shortcomings when compared to more secure approaches provided by commercial security software:

• Additional usernames and passwords have to be defined and managed in SAP. This creates a hassle both for end-users, who need to remember another username and password, and for IT and SAP administrators, who need to deal with password resets and user account lockouts. Additional usernames and passwords also create a security vulnerability, as end-users often write down their username and password in order to remember them.
• Another security concern arises when end-users leave an organization. Their user account in SAP (and in Active Directory, and in every system and application they are provisioned into) needs to be at least deactivated if not completely deprovisioned. Administrators would rather have deprovisioning be a routine task (disable one account in the central directory) than a security exposure that requires expensive and complex software and processes whose only purpose is to manage identities throughout their lifecycle.
• Microsoft provides basic information on how to integrate SAP with Active Directory if the R/3 server is installed on Windows Server. This is of little help to the majority of SAP R/3 customers who have deployed on AIX, HP-UX, Solaris or a flavor of Linux.
Alternatives to using basic username and password authentication for SAP servers installed on UNIX or Linux include:

• A complex and expensive public key infrastructure (PKI), providing access via SSL and X.509 client certificates.
• Pluggable Authentication Modules (PAM) to leverage the UNIX operating system credentials. While the PAM approach can be integrated with Active Directory using DirectControl for Systems, this is less than an ideal solution because it still requires end-users to re-enter their Active Directory username and password, depriving them of the SSO login experience.

Other challenges arise when organizations need enterprise-quality end-to-end support. For example, Microsoft will support the Windows client side for SSO and authentication, but does not provide support services for UNIX.
Other higher-end enterprise features such as cross-domain authentication, NTLM support, domain controller failover support, large group-based access control, and access rights reporting are simply not supported with most other approaches.

Based on feedback from SAP R/3 users who needed true enterprise-level SSO capabilities for working with Active Directory, Centrify has built a dedicated solution that extends DirectControl to SAP R/3.

3 Addressing SAP Authentication Challenges with DirectControl for SAP

In order to address the challenge of providing a more secure, Active Directory-centric SSO solution for SAP, Centrify provides a solution that consists of the following components:

DirectControl for Systems. Centrify DirectControl delivers secure access control and centralized identity management by seamlessly integrating your UNIX, Linux, Mac, Java/web and database platforms with Microsoft Active Directory. The DirectControl Agent effectively turns a non-Microsoft system into an Active Directory client, enabling you to secure that system using the same operating system-level authentication, authorization and Group Policy services currently deployed for your Windows systems. DirectControl is non-intrusive, easy to deploy and manage, and is the only solution that enables fine-grained operating system access control through its unique Zone technology.

SAP Secure Network Communication. SAP provides a standard layer, called SNC (Secure Network Communication), for SAP R/3 to integrate and interface with third-party security software. SNC enables a secure connection between SAP clients, servers and services. This layer is designed to allow third-party security software providers to cleanly and comprehensively integrate with SAP R/3 to provide security services such as SSO authentication. SNC loads an external security product through the Generic Security Services API (GSS-API), which is standardized by the Internet Engineering Task Force (IETF), an international standards body.

DirectControl for SAP. The DirectControl for SAP module is an SNC-compatible security product that provides single sign-on for an SAP client based on the exchange of Kerberos tickets. By implementing the GSS-API, DirectControl for SAP provides the library that SNC loads to carry out the Kerberos ticket exchange between the SAP client and the SAP server. Additional security, including signing and encrypting of the data communicated between the SAP client and server, is provided with the session keys established by that Kerberos exchange.

Solution Documentation. DirectControl for SAP includes an installation and deployment guide. There is also guidance related to configuring your SAP R/3 server, SNC environment and SAP clients (SAPgui and SAPjava).
Solution Support. Licensed Centrify customers who have maintenance contracts and are running Centrify DirectControl for SAP R/3 can get support for the integration of DirectControl with SAP R/3.

By packaging the DirectControl Agent for the operating system and SAP SNC, along with installation and configuration documentation for the DirectControl and SAP products, into a single comprehensive solution, Centrify delivers a true SAP R/3 single sign-on solution and better interoperability with your enterprise. Not only do you get a finished product that works; you also know whom to contact if you encounter problems. In addition, Centrify addresses a number of issues related to central user attribute storage, enterprise functionality and complete integration with Active Directory, as mentioned earlier in this paper.

Let's take a look at these components in more detail.

3.1 The Centrify DirectControl Solution

Centrify DirectControl delivers secure access control and centralized identity management by seamlessly integrating your UNIX, Linux, Mac and web platforms with Microsoft Active Directory. DirectControl effectively turns a non-Microsoft system into an Active Directory client, enabling you to secure that system using the same authentication, authorization and Group Policy services currently deployed for your Windows systems. DirectControl is non-intrusive, easy to deploy and manage, and is the only solution that enables fine-grained access control through its unique Zone technology.

DirectControl also supports strong Kerberos-based Active Directory authentication for databases such as IBM's DB2 and Informix, and for enterprise applications such as SAP. While many of these platforms offer some type of Kerberos support, setting up and administering the Kerberos service to talk with Active Directory securely and reliably can be a complex task on non-Microsoft platforms. With the DirectControl Agent installed, the host platform becomes Active Directory-aware and can take advantage of services such as automatic updates of keytab files and keytab versioning, automatic time synchronization with Active Directory, local caching for disconnected mode, and dynamic DNS support, which greatly simplify initial configuration and provide a much higher degree of maintainability and reliability. The end result is cross-platform and cross-application single sign-on, as shown in Figure 1.
Figure 1. Centrify eliminates the need for multiple access control, identity and policy management solutions in the distributed environment by consolidating management in Microsoft Active Directory: one user, one account, one directory, one policy mechanism.

The DirectControl suite is comprised of two main architectural components that seamlessly integrate with your Active Directory infrastructure:

• On UNIX, Linux and Mac systems, a DirectControl Agent is installed on each server or workstation. The DirectControl Agent, which is natively compiled for each platform, effectively turns the host system into an Active Directory client, enabling you to secure that system using the same authentication, access control and Group Policy services currently deployed for your Windows systems. The agent is not a single piece of code; rather, it is a central service that interacts with a set of seamlessly integrated modules that provide services such as web and database single sign-on and Samba integration. UNIX administrators have a comprehensive command-line interface for real-time or scripted interaction with Active Directory-held data.
• The DirectControl Management Tools enable both Windows and UNIX administrators to manage UNIX-specific data stored in Active Directory. The Windows tools consist of a Microsoft Management Console (MMC) application for all administrative tasks and centralized reporting and license management. Property extensions to the Active Directory Users and Computers MMC snap-in are also provided, and DirectControl's UNIX/Linux/Mac policies are fully integrated into the standard Group Policy Editor. A browser-based management console also provides cross-platform access to essential administrative tasks.
3.2 SAP Secure Network Communications (BC-SNC) Overview

SAP provides a standard layer, called SNC (Secure Network Communication), for SAP R/3 and ERP to integrate and interface with third-party security software. SNC protects the communication between SAP components (client, router, application server, etc.). By leveraging SNC you can extend the basic user and password authentication used by SAP to include the protection and benefits of Centrify DirectControl and Active Directory. SNC itself is an SAP interface; the mechanism it is built on, the GSS-API v2 (Generic Security Services Application Programming Interface version 2), is an IETF standard, and the GSS-API v2 is the primary integration point with SNC. Centrify DirectControl provides support for integration via Kerberos and the GSS-API as depicted below:

Figure 2. Centrify DirectControl integration with SAP.

In addition to providing an interface to authenticate users via DirectControl, SNC also allows higher levels of security through the configuration of communication integrity (ensuring that communication has not been tampered with or altered) as well as communication encryption (ensuring that communication is confidential in transit). SNC expresses this as three protection levels, authentication only, integrity, and privacy (integrity plus encryption), selected in the SAP profile; only the privacy level delivers the encrypted client-server traffic listed among the benefits in section 1.

3.3 Enterprise Readiness

In addition, DirectControl for SAP supports a number of enterprise features that are not found in other similar solutions.

Full Support for Active Directory Policies. DirectControl for SAP talks directly to Active Directory; therefore, all native Active Directory features are supported. This includes support for a centrally managed password policy and the flexible user-naming conventions of Active Directory.

Cross-Domain Authentication. Users who are authenticated members of a remote domain can access an SAP server joined to another domain if the appropriate cross-domain trust relationship has been established. This occurs without the user being prompted for credentials. This is the same behavior that users would expect in an all-Windows environment.
Gold Standard Kerberos. Leveraging the MIT reference implementation of Kerberos, DirectControl delivers the most compatible and mature approach to Kerberos-based Active Directory authentication for enterprise applications such as SAP. While many platforms offer some type of Kerberos support, setting up and administering the Kerberos service to talk with Active Directory securely and reliably can be a complex task on non-Microsoft platforms. With the DirectControl Agent installed, the host platform becomes Active Directory-aware and can take advantage of DirectControl services such as automatic updates of keytab files and keytab versioning, automatic time synchronization with Active Directory, local caching for disconnected mode, and dynamic DNS support, which greatly simplify initial configuration and provide a much higher degree of maintainability and reliability.

4 SAP and DirectControl Integration: Step-by-Step

Once the DirectControl for SAP solution is deployed, the basic steps of an authentication are as follows:

Figure 3. Single Sign-On Flow for SAP R/3 using Active Directory.

1. When a user first signs on to a Windows XP workstation, a Kerberos ticket-granting ticket (TGT) is obtained from Active Directory.
2. When the user then opens SAPgui, SNC calls the Windows Kerberos security support provider, which uses the TGT to request a service ticket for the SAP server's service principal from the Active Directory domain controller (the KDC). The ticket comes from Active Directory, not from the SAP server or SAP router; the SAP side only ever sees the resulting ticket.
3. SAPgui presents the service ticket to the SAP server over SNC, and SNC hands it to the GSS-API library of the DirectControl Agent.
4. The DirectControl Agent validates the ticket with the SAP service key held in the keytab that DirectControl registered with Active Directory (section 4.2). No SAP password and no Active Directory password travel to the SAP server.
5. The user is granted access and a protected session (signed and, at the privacy level, encrypted) is returned to the client.

The steps to set up the various components of this solution are as follows:

1. Join the SAP server to Active Directory with DirectControl.
2. Configure Kerberos and the SAP service.
3. Configure SNC on the SAP server.
4. Configure SNC on the SAPgui.

4.1 Join the SAP Server to Active Directory with DirectControl

The automation scripts included with DirectControl for Systems simplify the installation and configuration of DirectControl and Active Directory. The installation script does the following automatically for you:

• Prompts you for the domain, Zone, and the Active Directory username and password to be used for joining to Active Directory, offering defaults based on your current configuration.
• Checks that DNS is set up correctly on your system.
• Configures the PAM and NSS modules.
• Joins the machine to the Active Directory domain and adds it to the DirectControl Zone.
• Starts the DirectControl adclient service.
• Creates scripts to automatically start the correct DirectControl services each time the system boots.
• Outputs the configuration information for DirectControl to the screen.

4.2 Configure Service and Kerberos

Another utility, adkeytab, is provided with DirectControl to simplify the creation of an SAP service in Active Directory and to configure the Kerberos stack. This utility does the following automatically for you:

• Creates a new service account in Active Directory for SAP in the currently joined domain.
• Configures the encryption type.
• Configures the keytab file in the Kerberos stack to work correctly with this new service account.
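After adkeytab has run, the one check worth making before touching the SAP profile is that the keytab really holds the SAP service principal, and holds it only under strong encryption types, since that key is what validates every service ticket in the flow above. The following is an added example, not part of this paper and not Centrify's or SAP's tooling. It assumes the keytab is in the standard MIT keytab v2 layout consumed by MIT-derived Kerberos stacks (version bytes 0x05 0x02, one length-prefixed entry per key, and a 32-bit key version number trailing the key block when present), parses it, and flags a missing service principal and any DES or RC4 key. The service principal name, host, realm and key bytes are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Kerberos encryption type numbers (RFC 3961/3962; 23 is RC4-HMAC).
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 23}  # single-DES variants and RC4-HMAC


@dataclass
class KeytabEntry:
    principal: str   # components joined by '/', then @REALM
    kvno: int        # key version number
    enctype: int
    key_len: int     # key material itself is not kept


def _counted(buf: bytes, off: int):
    """Read a 16-bit length-prefixed octet string at off."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT keytab v2")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # deleted slot: skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen                   # skip the key bytes
        kvno = vno8
        if end - off >= 4:                # 32-bit kvno present; needed once kvno > 255
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, klen))
    return entries


def audit_keytab(data: bytes, expected_spn: str) -> list[str]:
    """Return findings; an empty list means the keytab is usable for SNC."""
    entries = parse_keytab(data)
    findings = []
    if not any(e.principal == expected_spn for e in entries):
        findings.append(f"no key for {expected_spn}: the SNC acceptor cannot decrypt service tickets")
    for e in entries:
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"weak enctype {ENCTYPES.get(e.enctype, e.enctype)} for {e.principal} (kvno {e.kvno})")
    return findings


def build_keytab(entries) -> bytes:
    """Write the same layout; used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: hypothetical host and realm, dummy key bytes.
SAP_SPN = "SAP/sapsrv01.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    (SAP_SPN, 3, 18, b"\x11" * 32),                                  # current AES-256 key
    (SAP_SPN, 2, 23, b"\x22" * 16),                                  # stale RC4 key from before a key roll
    ("host/sapsrv01.example.com@EXAMPLE.COM", 3, 17, b"\x33" * 16),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal:45} kvno={e.kvno} {ENCTYPES.get(e.enctype, e.enctype)}")
    for finding in audit_keytab(SAMPLE_KEYTAB, SAP_SPN):
        print("FINDING:", finding)
```

To run it against a real file, pass the bytes of the keytab (for example /etc/krb5.keytab) to audit_keytab together with the SPN that adkeytab registered. A weak key left behind after a key roll is still accepted for any ticket the KDC issues under it, so old DES or RC4 entries should be removed once the tickets issued under them have expired.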
4.3 Configure SNC on the SAP Server

SNC must be enabled and properly configured on each of the SAP servers. The DirectControl for SAP solution provides instructions that augment the SAP SNC documentation and OSS notes to accomplish the following:

• Install the DirectControl for SAP package into the DirectControl for Systems Agent.
• Modify the default and instance profiles to enable and configure SNC.
• Modify the SAP server UNIX environment so that it finds the DirectControl libraries and renews Kerberos tickets periodically.
• Modify the SAP user master records that will use SNC and map each one to its Active Directory User Principal Name (UPN).

Figure 4. Mapping of the Active Directory user to the SAP account.

Once SAP is configured to use SNC, mapping an Active Directory user to an SAP user is straightforward.

4.4 Configure the SAP Client

The SAPgui client must also be configured to use SNC for SSO to SAP R/3. The DirectControl for SAP solution provides instructions that augment the SAP SNC documentation and OSS notes to accomplish the following:

• Install the SNC SSO patch for SAPgui.
• Enable Secure Network Communications and provide the SNC name of the SAP service.

Similar steps are documented for configuring the SAP Java client.

4.5 Single Sign-On Using SNC, Kerberos and Active Directory

Once the SAP server has been joined to Active Directory and the SAP server and clients have been configured properly, the SAP server can be configured to use the Centrify DirectControl GSS-API library to support authentication against Active Directory.

Figure 5. Single sign-on for SAPgui using Active Directory and Secure Network Communication.

In production the Centrify DirectControl for SAP solution has four primary steps:

1. The SAP client requests a service ticket for the SAP server from the Active Directory KDC (or the local ticket cache) using the built-in Windows Kerberos SSP (Security Support Provider). This is accomplished via the cgsskrb5.dll library, which translates standard GSS-API calls into SSP calls on the client.
2. The SAP client then connects to the SAP server and presents the service ticket obtained in step 1.
3. The SAP server consumes the request and validates it via the GSS-API library and Centrify's DirectControl Agent. Once the ticket has been validated, the authenticated principal name, the user's Active Directory User Principal Name (UPN), is returned to the SAP server. This UPN is mapped to an SAP user in the SNC tab of the user master record.
4. Finally, the user, identified by his Active Directory identity, is mapped to the correct SAP user without having to enter a username or password.
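Sections 3.2 and 4.3 name the SNC protection levels and the profile changes, but do not show what a profile that leaves password logon reachable looks like next to one that does not. The following is an added example, not Centrify's or SAP's code. It parses the "name = value" lines of an SAP instance profile and checks the SNC parameters against a hardening baseline: SNC enabled, a GSS-API library and a p:-form service identity set, data protection at the privacy level (so the client-server traffic is actually encrypted, not only authenticated), and the accept_insecure and permit_insecure switches off, because any of those left on means a client that does not speak SNC can still log on with a SAP password. It also derives the SNC name to enter in a user's SU01 SNC tab from the user's UPN, in the p:user@REALM form this example assumes. The parameter names are SAP's standard SNC profile parameters; the required values are this example's baseline, and the profile contents, library path, host and realm are constructed.

```python
import re

# SNC data-protection levels used by snc/data_protection/{min,use,max}.
PROTECTION_LEVELS = {1: "authentication only", 2: "integrity", 3: "privacy (encryption)"}
# Switches that, when not 0, still admit connections that do not use SNC.
INSECURE_SWITCHES = ("snc/accept_insecure_gui", "snc/accept_insecure_rfc",
                     "snc/accept_insecure_cpic", "snc/permit_insecure_start")

# Constructed instance profile: SNC is on, yet password logon is still reachable.
# The library path, host and realm are hypothetical.
WEAK_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
snc/enable = 1
snc/gssapi_lib = /opt/centrifydc/lib/libgssapi_krb5.so   # hypothetical path
snc/identity/as = p:SAP/sapsrv01.example.com@EXAMPLE.COM
snc/data_protection/min = 1
snc/data_protection/use = 1
snc/data_protection/max = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
"""

# The same profile with the weak settings corrected.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
snc/enable = 1
snc/gssapi_lib = /opt/centrifydc/lib/libgssapi_krb5.so   # hypothetical path
snc/identity/as = p:SAP/sapsrv01.example.com@EXAMPLE.COM
snc/data_protection/min = 3
snc/data_protection/use = 3
snc/data_protection/max = 3
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
snc/permit_insecure_start = 0
"""


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'name = value' lines of a SAP profile; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def check_snc_profile(params: dict[str, str], required_level: int = 3) -> list[str]:
    """Return findings; an empty list means the profile meets the baseline."""
    if params.get("snc/enable") != "1":
        return ["snc/enable is not 1: SNC is off and every logon uses a SAP password"]
    findings = []
    if not params.get("snc/gssapi_lib"):
        findings.append("snc/gssapi_lib is not set: no GSS-API library to carry out Kerberos")
    ident = params.get("snc/identity/as", "")
    if not re.fullmatch(r"p:[A-Za-z0-9._/\-]+@[A-Z0-9.\-]+", ident):
        findings.append(f"snc/identity/as {ident!r} is not of the form p:<service principal>@<REALM>")
    levels = {}
    for k in ("min", "use", "max"):
        raw = params.get(f"snc/data_protection/{k}", "0")
        levels[k] = int(raw) if raw.isdigit() else 0
    if not levels["min"] <= levels["use"] <= levels["max"]:
        findings.append(f"snc/data_protection min/use/max = {levels} violates min <= use <= max")
    if levels["min"] < required_level:
        findings.append(f"snc/data_protection/min = {levels['min']} "
                        f"({PROTECTION_LEVELS.get(levels['min'], 'invalid')}): sessions below "
                        f"{PROTECTION_LEVELS[required_level]} are accepted")
    for switch in INSECURE_SWITCHES:
        value = params.get(switch, "0")
        if value != "0":
            findings.append(f"{switch} = {value}: clients without SNC may still log on with a password")
    return findings


def snc_name_for_upn(upn: str) -> str:
    """SNC name for the SU01 SNC tab, in the p:<user>@<REALM> form this example assumes."""
    user, sep, domain = upn.partition("@")
    if not sep or not user or not domain:
        raise ValueError(f"not a UPN: {upn!r}")
    return f"p:{user}@{domain.upper()}"  # Kerberos realm names are upper-case


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {check_snc_profile(parse_profile(text)) or ['OK']}")
    print(snc_name_for_upn("jdoe@example.com"))
```

The required level is a parameter because some sites deliberately run at integrity (level 2) for RFC traffic; whatever level is chosen, the accept_insecure and permit_insecure switches decide whether SSO is the only way in or merely one way in.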
5 Summary

In summary, Centrify DirectControl for SAP provides a number of unique features that enable organizations to leverage Kerberos and Microsoft Active Directory to provide single sign-on for their SAP users:

• SAP users can now use their Active Directory username and password to log in to their Windows workstation once and then gain SSO into SAP R/3 on UNIX.
• SAP authentication is managed securely, using SNC and the Kerberos technology that is part of DirectControl and Active Directory.
• The SAP UNIX systems are securely joined to the Active Directory domain and a DirectControl Zone and can be controlled and managed centrally through Active Directory.
• Advanced enterprise features such as full support for Active Directory policies, multi-domain trusted authentication and NTLM support are provided by the DirectControl software.
• The complex and often underestimated tasks of administering a Kerberos service and managing keytab and configuration files are scripted and automated.
• Central password policy is applied to SAP through the Kerberos services.
• In a distributed enterprise environment, DNS, KDC and other Active Directory-related configuration must be kept current to achieve minimum downtime and maximum security. DirectControl updates this information automatically.
• SAP integration is much easier because of Centrify's SNC module and the professional support that provides a single point of contact for your problems.
• In general, DirectControl is less complex and time-consuming to maintain than open source integration solutions, delivering organizations a payback on the product investment.
• Centrify's professional services and support help to guarantee organizations a faster resolution in case of technical problems.

The resulting benefits for customers include:

More Secure. SAP is now tightly coupled with Active Directory authentication. In addition, DirectControl Zone technology gives administrators the ability to create secure Zones to help with enforcement of role-based access control to the SAP servers by the ABAP administrators. DirectControl reports also allow administrators and auditors to instantly see who has access to corporate resources.

More Manageable. The resulting solution is easier to configure and maintain. Administrators have full centralized control over user and group access rights with the DirectControl Administrator's Console. Management costs can be reduced because less time is required to maintain SAP.

Enterprise Ready. By providing pre-packaged, tested SAP binaries and enterprise-class support, Centrify turns SAP SSO into a solution that any organization can feel comfortable deploying.

6 How to Contact Centrify

For the latest product information on DirectControl, check out our web site: http://www.centrify.com/products
See the DirectControl for SAP portal for the latest information on using this solution: http://www.centrify.com/sap

North America (and all locations outside EMEA)
Centrify Corporation
444 Castro St., Suite 1100
Mountain View, CA 94041
United States
Sales: +1 (650) 961-1100

Europe, Middle East, Africa (EMEA)
Centrify EMEA
Asmec Centre, Merlin House, Brunel Road
Theale, Berkshire, RG7 4AB
United Kingdom
Sales: +44 1189 026580

Enquiries: info@centrify.com
Web site: www.centrify.com