
Kerberos network-based authentication is a single sign-on feature that allows Kerberos clients, once authenticated with the Kerberos system, to connect to any application that supports Kerberos authentication. With one centralized password stored, you need not specify a password to connect to an application that supports Kerberos.

Kerberos version 5, the version supported by SAP ASE, also provides a feature called credential delegation or ticket forwarding, which allows a Kerberos client to delegate its credential when connecting to a server, allowing that server to initiate Kerberos authentication for further connections to other servers on behalf of the Kerberos client.

The credential delegation feature is currently certified only with MIT Kerberos GSSAPI libraries version 4.x and later. Clients must obtain a delegatable (forwardable) credential from the Kerberos system (using the kinit -f option on UNIX systems) before connecting to SAP ASE.

A Kerberos client connected to SAP ASE can use the Kerberos credential delegation feature to request a Remote Procedure Call (RPC) to a remote SAP ASE, and to issue general distributed query processing requests to a remote Adaptive Server through CIS. Kerberos authentication is not supported for site-handler-based remote server connections.

To use Kerberos unified login, a System Security Officer can use the following command to enable the Kerberos security mechanism for CIS connections to a remote SAP ASE:

sp_serveroption [server, optname, optvalue]

For example, the following command, executed on local server S1, enables Kerberos authentication for connections to remote server S2 when the currently logged-in user was authenticated using the Kerberos mechanism:

sp_serveroption s2, "security mechanism", csfkrb5

Configuring Kerberos security services

Once the Kerberos security mechanism is enabled for connections to a remote SAP ASE, you can use a number of security services provided by Kerberos, including:

• Message confidentiality: data is encrypted over the network to protect against unauthorized disclosure.

• Message integrity: verifies that communications have not been modified during transport.

• Mutual authentication: verifies the identity of the client and the server. The local server initiating the remote connection can request mutual authentication for all remote connection requests to a target SAP ASE. This allows the client to verify the identity of the remote server.

Note: The optional security services provided by Kerberos are not enabled by default.

• This command, executed on local server S1, sets mutual authentication for all connections to remote server S2 using Kerberos authentication:

sp_serveroption s2, "mutual authentication", true

• The following command, executed on local server S1, sets message confidentiality for all connections to remote server S2 using Kerberos authentication:

sp_serveroption s2, "use message confidentiality", true

• This command, executed on local server S1, sets message integrity for all connections to remote server S2 using Kerberos authentication:

sp_serveroption s2, "use message integrity", true


Configuring the Remote SAP ASE Kerberos Principal Name

By default, the SAP ASE principal name is the name of the server.

Since the principal name of an SAP ASE can differ from its server name, the System Security Officer can specify the server principal name for each remote server.

The following command specifies the Kerberos principal name of remote SAP ASE S2:

sp_serveroption S2, "server principal", [email protected]

Configuring Component Integration Services Remote Procedure Calls

CIS uses persistent Client-Library connections to handle RPC requests.

CIS handles an outbound RPC by determining whether the client already has a Client-Library connection to the server for which the RPC is intended. If no connection exists, one is established.

To enable the CIS RPC handling mechanism server-wide, set the configuration option cis rpc handling to 1. When it is not enabled server-wide, the Kerberos user must temporarily enable CIS RPC handling for the current session to use this feature.

This command enables CIS RPC handling for the current login session:

set cis_rpc_handling on

In the following example, user1 is a Kerberos user who logs in to SAP ASE S1 and requests an RPC to the remote SAP ASE S2.

1. Add an entry to the interfaces file or the Directory Service for both servers S1 and S2, including a secmech line for the Kerberos security mechanism.

2. Add a login for the Kerberos user if one does not exist.

create login user1 with password pwuser1

3. Enable the use of security mechanisms by setting the configuration option use security services to 1.

sp_configure "use security services", 1

4. On the local server S1, enable Kerberos authentication for CIS to remote server S2.

Note: This assumes that remote server S2 only receives CIS command requests from S1. If S2 can also send CIS commands to other servers and those connections require Kerberos authentication, then a similar configuration is required on S2.

a. On the local server S1, add the remote server S2.

sp_addserver S2

b. Enable Kerberos security mechanism on S1 for outbound RPC requests to S2. The

sp_serveroption S2, "security mechanism", csfkrb5
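The steps above, together with the optional security services from the earlier section, gathered into one S1-side script. This is an added example, not text from the SAP documentation; the realm in the principal name, the choice of sp_who as the RPC target, and the use of sp_helpserver to confirm the recorded options are assumptions.

```sql
-- Added example: S1-side configuration for Kerberos-delegated CIS RPCs to S2.
-- Step 1 (interfaces / Directory Service entries for S1 and S2 with a secmech
-- line for Kerberos) is done outside SQL and is assumed to be complete.

-- Step 2: login for the Kerberos user (skip if it already exists).
create login user1 with password pwuser1
go

-- Step 3: allow SAP ASE to use external security services at all.
sp_configure "use security services", 1
go

-- Step 4a: register the remote server on S1.
sp_addserver S2
go

-- Step 4b: require Kerberos for outbound CIS connections to S2 ...
sp_serveroption S2, "security mechanism", csfkrb5
go
-- ... and turn on the optional services, which are off by default.
sp_serveroption S2, "mutual authentication", true
go
sp_serveroption S2, "use message confidentiality", true
go
sp_serveroption S2, "use message integrity", true
go
-- Only needed when S2's Kerberos principal differs from its server name.
-- PLACEHOLDER principal: substitute the real one for your realm.
sp_serveroption S2, "server principal", "[email protected]"
go

-- Optional: enable CIS RPC handling server-wide rather than per session.
sp_configure "cis rpc handling", 1
go

-- Confirm what S1 recorded for S2 before relying on it (assumed check).
sp_helpserver S2
go

-- In user1's session (the client ran kinit -f before connecting to S1):
-- route the RPC through the persistent CIS connection, which is
-- authenticated to S2 with the delegated ticket.
set cis_rpc_handling on
go
exec S2...sp_who
go
```

If mutual authentication, confidentiality or integrity is required by policy, set all three before the first RPC: the options apply when the CIS connection to S2 is established, not retroactively to an existing one.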