SAP long text formatter

A common problem with SAP applications is that they store free text one line per database column, which adds some formatting hassle when you want to save free text coming from many different sources. For this purpose I have created a small application that takes some seemingly garbled text and formats it into a readable, SAP-friendly format.


The text must obey a few simple rules: bulleted paragraphs may not contain any empty lines, and valid bullets are sequential numbers, sequential letters, or •.

Try copying the text below into the application found here to test it for yourself.

SAP, started in 1972 by five former IBM employees in Mannheim, Germany, states that it is the world's largest inter-enterprise software company and the world's fourth-largest independent software supplier, overall.

1. The original name for SAP was German: Systeme, Anwendungen, Produkte,
2.               German for "Systems Applications and Products." The original SAP
               3.              idea was to provide customers
with the ability to
      interact with a common
corporate database for a comprehensive range of applications.
a.Gradually, the applications        have been assembled and today many corporations,
b.including IBM and Microsoft, are using SAP products to run their own businesses.
• SAP                 applications, built            around their latest
                R/3 system, provide the capability to
manage financial, asset, and cost accounting,
• production operations and materials, personnel, plants, and archived documents. The R/3 system runs on a number of platforms including Windows 2000 and uses the client/server model. The latest version of R/3 includes a comprehensive Internet-enabled package.
c.  SAP has recently recast its product offerings under a comprehensive
d.                   Web interface, called mySAP.com, 
and added             new e-business applications,
including customer      relationship management
                       (CRM) and supply chain management (SCM).
4. As of January 2007, SAP, a publicly traded
company,
 had over 38,4000 employees in over 50 countries,
5. and more than
36,200 customers around the world. SAP is turning its attention to small- and-medium sized businesses (SMB).

•A recent R/3 version was provided for IBM's AS/400 platform.
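The post does not show the formatter's code, so here is an added example (my own, not the author's application) that applies the stated rules to text like the sample above: a line that starts with a number, a letter or • opens a new item, lines without a marker are continuations, and a blank line ends a paragraph. The 72-column wrap width is an assumption; SAP text lines are not a fixed width in the post.

```python
import re
import textwrap

# Heuristic rules taken from the post: a line that starts with a bullet marker
# (a number such as "1.", a letter such as "a.", or "•") opens a new item, a
# line without a marker continues the current item, and a blank line ends the
# current paragraph. The 72-column wrap width is an assumption, not something
# the post specifies.
BULLET_RE = re.compile(r"^(\d+\.|[a-z]\.|•)\s*")


def format_sap_text(text, width=72):
    """Reflow garbled free text into one item or paragraph per block of lines."""
    items = []          # [bullet or None, body] entries; None marks a paragraph break
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current is not None:
                items.append(current)
                current = None
            if items and items[-1] is not None:
                items.append(None)
            continue
        match = BULLET_RE.match(line)
        if match:
            if current is not None:
                items.append(current)
            current = [match.group(1), line[match.end():]]
        elif current is None:
            current = [None, line]
        else:
            current[1] += " " + line
    if current is not None:
        items.append(current)
    while items and items[-1] is None:
        items.pop()

    out = []
    for item in items:
        if item is None:
            out.append("")
            continue
        bullet, body = item
        body = re.sub(r"\s+", " ", body).strip()   # collapse runs of spaces
        if bullet and not body:
            out.append(bullet)                      # a bare marker with no text
        elif bullet:
            indent = " " * (len(bullet) + 1)
            out.extend(textwrap.wrap(body, width, initial_indent=bullet + " ",
                                     subsequent_indent=indent))
        else:
            out.extend(textwrap.wrap(body, width))
    return "\n".join(out)


# Constructed sample input in the style of the post's test text.
SAMPLE = """1. The original name for SAP was German: Systeme, Anwendungen, Produkte,
2.               German for "Systems Applications and Products."
a.Gradually, the applications        have been assembled
with the ability to
      interact with a common corporate database.

•A recent R/3 version was provided for IBM's AS/400 platform."""

if __name__ == "__main__":
    print(format_sap_text(SAMPLE, width=60))
```

Bullet markers that appear in the middle of a line (as in the sample's "Produkte, 2. German") are deliberately left alone; only a marker at the start of a line starts a new item, which keeps the rule simple and predictable.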

How to SSO in mixed OS environment

 

Introduction
System Requirements
Date and Time configuration
DNS configuration
Creating a unique service account in Active Directory
Create a Single Sign On group in Active Directory
Generate a Keytab file on the Windows 2008R2 machine
Configuring the Negotiate Identity Assertion Provider
Configuring an Active Directory Authentication Provider
Create a Kerberos Configuration file
Creating a JAAS Login File
Startup Arguments for Kerberos Authentication with WebLogic Server
Creating the Kerberos Ticket for WebLogic
Setup Internet Explorer (and others) on the Windows 7 client
Enabling DES support for legacy applications
Debugging
References

 

Introduction

This article is a step-by-step guide to configuring Single Sign On (SSO) in mixed OS environments. Before we get started let me just say that Kerberos/SPNEGO is one of those things that when it works it's awesome, and when it doesn't it's incredibly frustrating to debug. Add to the mix the fact that so much of what's happening is automatic and so few people actually understand what's really happening, and you have a recipe for pain and frustration. So if during this process you feel like pulling out what is left of your hair, please do it; you are fully entitled to do so.

How does this work? Here is a brief overview:

The browser sends a GET request to your web application (1), which replies that "Negotiate" authentication is required (2). The browser then asks the Kerberos server (the KDC) for a so-called service ticket (3). The browser then sends this service ticket, which proves the identity of the caller, together with some additional data to the web application (5). After validating the ticket, based on a shared secret (the keytab file) between your web application and the Kerberos server, you get back the username.
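To make steps (2) and (5) concrete, and because the first thing to check when SSO fails is what the browser actually sent, here is an added example (not code from the article) that does the server-side bookkeeping of the exchange: challenge with WWW-Authenticate: Negotiate when no token is present, and classify a presented token by its leading bytes. A token that starts with NTLMSSP means the browser could not obtain a Kerberos service ticket for the host and silently fell back to NTLM, which is the most common reason a WebLogic SPNEGO setup "almost" works. The OID constants are the standard SPNEGO and Kerberos 5 mechanism OIDs; the token bytes in the usage are constructed and validating a real ticket is left to the GSS layer and the keytab.

```python
import base64

# DER-encoded OIDs (tag 0x06, length, contents) that open a GSS-API initial
# context token; both values are the standard mechanism OIDs.
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2  (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2 (Kerberos 5)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                   # prefix of every raw NTLM message


def _der_length(buf, pos):
    """Return (length, position after the length field) for the DER length at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def negotiate_header(token_bytes):
    """Build the header value a client would send for a raw token (used for the samples)."""
    return "Negotiate " + base64.b64encode(token_bytes).decode("ascii")


def classify_negotiate_token(header_value):
    """Classify an 'Authorization: Negotiate <base64>' header value.

    Returns one of "not-negotiate", "malformed", "ntlm", "spnego", "kerberos", "unknown".
    "ntlm" is the case to look for when debugging: the browser could not get a
    Kerberos service ticket for the host and fell back to NTLM.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "malformed"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    # RFC 2743 section 3.1: [APPLICATION 0] IMPLICIT SEQUENCE { thisMech OID, innerToken }
    if not token or token[0] != 0x60:
        return "unknown"
    try:
        _, pos = _der_length(token, 1)
    except (ValueError, IndexError):
        return "malformed"
    if token.startswith(SPNEGO_OID, pos):
        return "spnego"
    if token.startswith(KRB5_OID, pos):
        return "kerberos"
    return "unknown"


def negotiate_step(request_headers):
    """Server-side view of steps (1), (2) and (5) of the flow described above.

    Returns (action, response_headers, note). The action is "challenge" (step 2),
    "gss-validate" (hand the token to the GSS layer, which checks it against the
    keytab), "ntlm-fallback" or "reject".
    """
    auth = request_headers.get("Authorization")
    if auth is None:
        return "challenge", {"WWW-Authenticate": "Negotiate"}, "no token yet (step 2)"
    kind = classify_negotiate_token(auth)
    if kind in ("spnego", "kerberos"):
        return "gss-validate", {}, "%s token received (step 5)" % kind
    if kind == "ntlm":
        return "ntlm-fallback", {"WWW-Authenticate": "Negotiate"}, "client has no Kerberos ticket for this host"
    return "reject", {}, "unusable token: " + kind


if __name__ == "__main__":
    # Constructed samples: a minimal SPNEGO token and the well-known NTLM type 1 prefix.
    print(negotiate_step({}))
    print(negotiate_step({"Authorization": negotiate_header(b"\x60\x08" + SPNEGO_OID)}))
    print(negotiate_step({"Authorization": "Negotiate TlRMTVNTUAABAAAA"}))
```

In practice you feed it the Authorization header captured with Wireshark or the browser's developer tools; a value beginning with "TlRMTVNT" is NTLM, and a value beginning with "YII" is a Kerberos or SPNEGO token.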





Note: Everything in Kerberos is a Principal - machines, services and even users. A Principal is identified by a simple string called a Service Principal Name or SPN in one of two forms - either PROTOCOL/hostname for services (e.g. HTTP/www.matas.dk for a web server) or username@DOMAIN for users (e.g. fodsved@MATAS.DK). The case of the string is important; the Protocol and domain name are always in CAPITAL LETTERS and the hostname and username are always in lower case.

System requirements

For today's exercise we will use Windows 2008 R2 for the Active Directory and Oracle Linux for the WebLogic server; the clients will be Windows 7 running Internet Explorer.

 

Active Directory

Windows 2008R2

Domain: MATAS.LOCAL

Domain Controller: FREJA

Host name: freja

IP address: 192.168.56.121

DNS server: 192.168.56.121

 

WebLogic Server 10.3.4.0

Oracle Enterprise Linux 5

JDK 1.6.2.

Oracle host name: localhost.oracle

DNS search path: oracle

IP address: 192.168.56.101

DNS server: 192.168.56.121

 

Internet Explorer 8 and later, or a .NET Web Service client

Windows 7

Windows XP

IP address: 192.168.56.99

DNS server: 192.168.56.121

 

 

Date and Time configuration

 Have all machines synchronized in the same time zone, time and date.

 

DNS configuration

 Put the following A records in your DNS server

_kerberos-master._udp.matas.local     A     192.168.56.121
_kerberos-master._tcp.matas.local     A     192.168.56.121

The above entries are added automatically in networks where the AD server is configured to update DNS; in any case you should check that they are present.

freja.matas.local                      A     192.168.56.121
wlserver.oracle                        A     192.168.56.101

Test your DNS server by running the following command

dcdiag /s:freja.matas.local

All errors must be corrected before you continue

Creating a unique service account in Active Directory

First start by adding a user to the Active Directory

dsadd user "cn=wlsuser,cn=users,dc=matas,dc=local" -disabled no -mustchpwd no -canchpwd no -pwdneverexpires yes -acctexpires never -pwd @windows2008 -upn wlsuser@matas.local



Now check that you don't have any duplicate SPNs by entering

setspn -Q HTTP/*

Note: If you have installed IIS on the machine, uninstall it. IIS registers the Kerberos service principals HTTP/machine and HTTP/machine.domain.com, and if you leave IIS installed you will never get Kerberos on WebLogic working correctly.

Once you have created that user, use the setspn utility to associate the HTTP/machine and HTTP/machine.domain.com principals with the user.

setspn -a HTTP/wlserver wlsuser
setspn -a HTTP/wlserver.oracle wlsuser


Create a Single Sign On group in Active Directory

Create a group in Active Directory called WebLogicADusers and add all Active Directory users that should have Single Sign On access to the WebLogic server. The group is referenced in the weblogic.xml configuration file of your web application or service.

Note: Do not use spaces in group names; it will not work at all with WebLogic SSO.

 

Generate a Keytab file on the Windows 2008R2 machine

The ktpass command configures the server principal name for the host or service in Active Directory and generates an MIT-style Kerberos keytab file containing the shared secret key of the service. The command allows UNIX-based services that support Kerberos authentication to use the interoperability features provided by the Windows Server Kerberos KDC service.

ktpass /princ HTTP/wlserver.oracle@MATAS.LOCAL /pass @windows2008 /mapuser wlsuser@MATAS.LOCAL /out krb5.keytab /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

The generated output:

Targeting domain controller: FREJA.matas.local
Using legacy password setting method
Successfully mapped HTTP/wlserver.oracle to wlsuser.

Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 67 HTTP/wlserver.oracle@MATAS.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC)
keylength 16 (0xc1a3e32a0ab09249e6a89563977ff771)

Note: The ktpass command changes the principal name in the Active Directory server from account-name to HTTP/account-name. Consequently, the keytab file is generated for a principal named HTTP/account-name. However, sometimes the name change does not happen. If not, you should change it manually in the Active Directory server; otherwise the keytab you generate will not work properly.

Now copy the generated krb5.keytab file to the WebLogic machine. I put it in the folder /etc
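Before copying the keytab it is worth being able to read it, both to confirm the principal name ktpass wrote (see the note above about the name change not always happening) and to see the same information that klist -ke prints later on. This added example (my own code, not part of the article or of MIT Kerberos) builds and parses the MIT keytab version 0x502 format that ktpass emits, and checks the principal against the case convention from the introduction. The key bytes and timestamp in the sample are constructed placeholders, not the values from the ktpass output above.

```python
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac (RC4-HMAC)"}


def _cstr(buf, pos):
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """Serialise [(principal, kvno, enctype, key_bytes, timestamp)] as a version 0x502 keytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, timestamp in entries:
        name, _, realm = principal.rpartition("@")
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        # name_type 1 = KRB5_NT_PRINCIPAL, then timestamp and the 8-bit vno
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return one dict per entry, in the spirit of klist -ke."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # deleted entry: the slack length is negated
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _cstr(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if pos + 4 <= end:           # optional 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key_len": len(key), "entry_size": size})
        pos = end
    return entries


def principal_case_problems(principal):
    """Apply the convention from the introduction: PROTOCOL and REALM upper, host/user lower."""
    name, _, realm = principal.rpartition("@")
    problems = []
    if realm != realm.upper():
        problems.append("realm not upper case")
    if "/" in name:
        proto, host = name.split("/", 1)
        if proto != proto.upper():
            problems.append("service/protocol not upper case")
        if host != host.lower():
            problems.append("host name not lower case")
    elif name != name.lower():
        problems.append("user name not lower case")
    return problems


if __name__ == "__main__":
    # Constructed sample: same principal, kvno and enctype as the ktpass run above,
    # but a placeholder key and timestamp.
    kt = build_keytab([("HTTP/wlserver.oracle@MATAS.LOCAL", 3, 23, bytes(range(16)), 1319350000)])
    for e in parse_keytab(kt):
        print("%d %s (%s) size %d" % (e["kvno"], e["principal"], e["enctype_name"], e["entry_size"]),
              principal_case_problems(e["principal"]) or "case OK")
```

With the page's principal, name type and RC4-HMAC key length the serialised entry is 67 bytes, which is the "keysize 67" that ktpass reported above. A principal that does not match the one in krb5login.conf, or one with the wrong case, is the thing to look for when kinit -k -t fails with a "not found in keytab" style error.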

 

Configuring the Negotiate Identity Assertion Provider

The Negotiate Identity Assertion provider enables single sign-on (SSO) with Microsoft clients. The identity assertion provider decodes Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps them to WebLogic users.

Open the WebLogic console application and go to security realms -> myrealm -> providers -> authentication

Create a new authentication provider, select NegotiateIdentityAsserter from the drop-down list and name it KerberosIdentityAsserter. Go into the identity asserter's configuration, click the Provider Specific tab and uncheck the "Form Based Negotiation Enabled" box.

Configuring an Active Directory Authentication Provider

Open the WebLogic console application and go to security realms -> myrealm -> providers -> authentication

Create an ActiveDirectoryAuthenticator and name it ADauthenticator

Open the ADauthenticator, go to Provider Specific and set the following, leaving the remainder at their default values.

Host: 192.168.56.121
Principal: CN=wlsuser,CN=Users,DC=matas,DC=local
Credentials: @windows2008
User base DN: CN=Users,DC=matas,DC=local
Group base DN: CN=Users,DC=matas,DC=local


On the Provider Summary page, reorder the providers in the following order, making sure that their Control Flags are set to SUFFICIENT where applicable:

1.      KerberosIdentityAsserter

2.      ADauthenticator (SUFFICIENT)

3.      DefaultAuthenticator (SUFFICIENT)

4.      Other authenticators...

After you log out and log in again on the management console, you should see all your Active Directory users and groups listed together with the embedded LDAP users.

 

Create a Kerberos Configuration file

On the Linux machine make a file called krb5.conf with the following content, and put it in the /etc folder

 

[libdefaults]
default_realm = MATAS.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
ticket_lifetime = 6000
[realms]
MATAS.LOCAL = {
kdc = 192.168.56.121
admin_server = freja.matas.local
default_domain = MATAS.LOCAL
}
[domain_realm]
.matas.local = MATAS.LOCAL
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
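Most krb5.conf mistakes are the boring ones the Debugging section warns about: a realm name in the wrong case, a default_realm with no [realms] block, or two settings that ended up on one line. As an added example (not part of the article), here is a small parser for the profile format above plus a checker for exactly those mistakes; GOOD_CONF is the article's krb5.conf, and BAD_CONF is a constructed broken variant. The optional keytab_enctype argument lets you confirm that the enctype ktpass used (rc4-hmac in this guide) is actually permitted by the configuration.

```python
import re

# The article's krb5.conf, embedded so the example runs offline.
GOOD_CONF = """\
[libdefaults]
default_realm = MATAS.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
ticket_lifetime = 6000
[realms]
MATAS.LOCAL = {
kdc = 192.168.56.121
admin_server = freja.matas.local
default_domain = MATAS.LOCAL
}
[domain_realm]
.matas.local = MATAS.LOCAL
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
"""

# Constructed broken variant: lower-case realm block and two settings on one line.
BAD_CONF = GOOD_CONF.replace("MATAS.LOCAL = {", "matas.local = {").replace(
    "forwardable = true\nencrypt = true", "forwardable = true encrypt = true")


def parse_krb5_conf(text):
    """Parse [section] / key = value / NAME = { ... } into nested dicts (no include support)."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError("setting outside of a [section]: " + line)
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a key = value line: " + line)
        (block if block is not None else section)[key.strip()] = value.strip()
    return conf


def check_krb5_conf(conf, keytab_enctype=None):
    """Return a list of human-readable problems; an empty list means nothing obvious is wrong."""
    problems = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        problems.append("no default_realm in [libdefaults]")
    else:
        if default_realm != default_realm.upper():
            problems.append("default_realm is not upper case: " + default_realm)
        if default_realm not in realms:
            problems.append("default_realm %s has no [realms] entry" % default_realm)
    for name, settings in realms.items():
        if name != name.upper():
            problems.append("realm name is not upper case: " + name)
        if not isinstance(settings, dict) or "kdc" not in settings:
            problems.append("realm %s has no kdc" % name)
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append("domain %s maps to undefined realm %s" % (domain, realm))
    for section, settings in conf.items():
        for key, value in settings.items():
            if isinstance(value, str) and "=" in value:
                problems.append("[%s] %s: two settings on one line? %r" % (section, key, value))
    if keytab_enctype:
        for key in ("permitted_enctypes", "default_tgs_enctypes"):
            allowed = libdefaults.get(key, "").split()
            if allowed and keytab_enctype not in allowed:
                problems.append("%s does not include the keytab enctype %s" % (key, keytab_enctype))
    return problems


if __name__ == "__main__":
    print("good:", check_krb5_conf(parse_krb5_conf(GOOD_CONF), keytab_enctype="rc4-hmac"))
    print("bad:", check_krb5_conf(parse_krb5_conf(BAD_CONF)))
```

The checker is deliberately strict about realm case because the Kerberos libraries compare realm names case-sensitively; a lower-case realm in krb5.conf against an upper-case one in the keytab fails with errors that look nothing like a typo.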

Creating a JAAS Login File

The Kerberos related classes included with the JDK require a config file to run properly. Basically this file tells the GSS layer which classes are used to do the actual work and provides configuration information to those classes. Create a krb5login.conf file with the contents below and place the file in your domains home directory, in my case /u01/app/oracle/product/Middleware/user_projects/domains/webcenter

You specify the location of the krb5login.conf file in the java.security.auth.login.config startup argument for WebLogic Server

com.sun.security.jgss.krb5.accept
{
 com.sun.security.auth.module.Krb5LoginModule required 
 principal="HTTP/wlserver.oracle@MATAS.LOCAL"
 useKeyTab=true
 keyTab="/etc/krb5.keytab"
 storeKey=true
 doNotPrompt=true;
};

com.sun.security.jgss.krb5.initiate {
 com.sun.security.auth.module.Krb5LoginModule required 
 principal="HTTP/wlserver.oracle@MATAS.LOCAL"
 useKeyTab=true
 keyTab="/etc/krb5.keytab"
 storeKey=true
 doNotPrompt=true;
};

com.sun.security.jgss.initiate { 
 com.sun.security.auth.module.Krb5LoginModule required 
 principal="HTTP/wlserver.oracle@MATAS.LOCAL"
 useKeyTab=true
 keyTab="/etc/krb5.keytab"
 storeKey=true;
};

com.sun.security.jgss.accept {
 com.sun.security.auth.module.Krb5LoginModule required 
 principal="HTTP/wlserver.oracle@MATAS.LOCAL"
 useKeyTab=true
 keyTab="/etc/krb5.keytab"
 storeKey=true;
};


 

Startup Arguments for Kerberos Authentication with WebLogic Server

To use Kerberos authentication with WebLogic Server, add the following parameters to JAVA_OPTIONS in the setDomainEnv.sh of your domain.

JAVA_OPTIONS="${JAVA_OPTIONS} -Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=/u01/app/oracle/product/Middleware/user_projects/domains/webcenter/krb5login.conf -Djava.security.krb5.realm=MATAS.LOCAL -Djava.security.krb5.kdc=freja.matas.local"

For the Kerberos protocol to authenticate against Active Directory, you need to configure the Linux system to act as a Kerberos client for the realm (domain). Oracle Linux supplies the MIT Kerberos software; if the krb5-workstation package has been installed, the necessary client programs will be in /usr/kerberos/bin/.


Creating the Kerberos Ticket for WebLogic

Now obtain a Ticket using the kinit command like so:

kinit -k -t /etc/krb5.keytab HTTP/wlserver.oracle@MATAS.LOCAL

This should exit without any error messages, and the Kerberos ticket will now appear when you run the klist -5 command. This is the output generated by klist:

Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/wlserver.oracle@MATAS.LOCAL
Valid starting     Expires            Service principal
10/23/11 06:15:44  10/23/11 06:25:44  krbtgt/MATAS.LOCAL@MATAS.LOCAL


Tip: If you want to purge the ticket cache, use the kdestroy command.
Tip: The command klist -ke will give you a list of what is in the keytab file.

Test the ticket by using the kinit command again

kinit HTTP/wlserver.oracle@MATAS.LOCAL

This should exit without any errors.

Deploy a test Application on WebLogic

Create or change an application with ADF Security, or a normal web application that has security enabled.

web.xml

<?xml version = '1.0' encoding = 'UTF-8'?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>GoAway</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AnyString</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <role-name>AnyString</role-name>
  </security-role>
</web-app>

 weblogic.xml

<?xml version = '1.0' encoding = 'UTF-8'?>
<weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-web-app http://www.bea.com/ns/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd"
                  xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>AnyString</role-name>
    <principal-name>WebLogicADusers</principal-name>
  </security-role-assignment>
  <session-descriptor>
    <debug-enabled>true</debug-enabled>
  </session-descriptor>
</weblogic-web-app>


Setup Internet Explorer (and others) on the Windows 7 client

In Internet Explorer, please go to the Tools -> Internet Options -> Advanced tab and check the Enable Integrated Windows Authentication check-box.

Next, switch to the Security tab and click Local intranet -> Sites. In the Local intranet popup, ensure that the "Include all sites that bypass the proxy server" and "Include all local (intranet) sites not listed in other zones" options are checked. Then click the Advanced button and add all relevant domain names that will be used for WebLogic Server instances participating in the SSO configuration, in our case http://*.wlserver.oracle


Next, still in the Security tab, click Local intranet -> Custom Level and select "Automatic logon with current user name and password".

Test that the client is actually obtaining a ticket. First clear the ticket cache by running klist purge, then run klist -5; it should tell you that you have 0 (zero) tickets in the cache. Then browse to your security-enabled WebLogic application and run klist -5 again; it should now tell you that you have tickets in the cache.

Google Chrome
Start chrome.exe with the following parameter: --args --auth-server-whitelist="*matas.local". This allows SSO with Chrome.

Firefox
· In the address bar of Firefox, type about:config to display the list of current configuration options.
· In the Filter field, type negotiate to restrict the list of options.
· Double-click the network.negotiate-auth.trusted-uris entry to display the Enter string value dialog box.
· Enter the name of the domain against which you want to authenticate, for example, .matas.local.
· Repeat the above procedure for the network.negotiate-auth.delegation-uris entry, using the same domain.

 

Enabling DES support for legacy applications

Since DES encryption is disabled by default in Windows 2008 R2 and Windows 7, it can cause compatibility problems with legacy applications that only support DES encryption, or if the Windows account that runs a service is configured to use only DES encryption. These services or applications will fail unless you reconfigure them to support another encryption type or enable DES support.

You can enable DES encryption for Kerberos authentication on Windows 7 or Server 2008 R2 by editing the Group Policy Object setting Network security: Configure encryption types allowed for Kerberos located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options GPO container. The Group Policy Object can be edited with gpedit.msc.

 

Debugging

Check for spelling and case errors; this is a common cause of problems.

In general, Wireshark is your friend: use it to capture network traffic, as it will expose all visible protocol errors.

Enable debug for authentication and authorization via the WebLogic Console Servers -> [Server Name] -> Debug -> WebLogic -> Security -> atn (for Authentication) and atz (for Authorization).

Sometimes a silent prayer might also do the trick.

 

References

Configuring SSO for Microsoft Clients
Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability

SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows

Kerberos Requirements

Kerberos troubleshooting

Kerberos Authentication Technical Reference

Kerberos and WebLogic Server on Windows step-by-step

Single Sign On with Windows / Kerberos on WebLogic

Get the full benefit of XBRL

The Danish Parliament (Folketinget) has passed a law requiring annual accounts to be filed digitally in the so-called XBRL format. As a result there are already a number of tools on the market that can both edit and read digital financial statements, but Oracle XBRL is the only commercial product that can store and process large volumes of digital financial statements.

Oracle XBRL provides an enterprise-class solution for collecting, storing, querying, analysing and managing large volumes of XBRL content. Oracle XBRL supports end-to-end processing and validation of XBRL content on its way into or out of the Oracle Database. Oracle XBRL gives developers and users of XBRL content the ability to develop, deploy and manage applications that take full advantage of the XBRL model.

When a financial statement in the form of an XML document (a so-called instance) is inserted into the Oracle XBRL database, it is first validated against the taxonomy and then flattened into a relational database. From the relational form, derived representations can be produced for use by BI tools, while the XML document keeps its original form.


The Oracle XBRL database integrates easily with Oracle Business Intelligence Suite Enterprise Edition (OBIEE) for analysis and reporting, or with lightweight products such as Excel; likewise the Oracle XBRL database can be integrated with interactive development environments (IDEs) and design tools for creating and editing XBRL taxonomies. Managing instances can be as simple as drag-and-drop in, for example, Windows Explorer.

For further information
Gordon Flemming
gfs@miracleas.dk
+45 53747233

 

Welcome To Miracle Consulting's blog

This is the very first entry.
