SDA Deployment Using SSO

These instructions will explain how to configure the deployment of an SDA and the access to the deployed SDA using SSO certificates.

Create Configuration File

Create the settings file in the location:

• Windows: "C:\Program Files\SAP\hostctrl\exe\config.d\http.server.settings"
• Unix: /usr/sap/hostctrl/exe/config.d/http.server.settings

Configure SSO deployment

URL: /SMDAgent/deploy {
	authentication {
		DN : "CN=xyz.sap.corp, O=SAP AG, C=DE"
	}
}

This configuration allows the SSO-distinguished name "CN=xyz.sap.corp, O=SAP AG, C=DE" to deploy the SDA via the URL "/SMDAgent/deploy".
Multiple SSO-distinguished names can be specified as a comma separated list. Also multiple "DN : " entries are allowed.

For example the following configuration are equivalent:

URL: /SMDAgent/deploy {
	authentication {
		DN : "CN=xyz.sap.corp, O=SAP AG, C=DE"
        DN : "CN=abc.sap.corp, O=SAP AG, C=DE"
	}
}

URL: /SMDAgent/deploy {
	authentication {
		DN : "CN=xyz.sap.corp, O=SAP AG, C=DE", "CN=abc.sap.corp, O=SAP AG, C=DE"
	}
}

Configure SSO Access to SDA

URL: /lmsl/sda {
	authentication {
		DN : "CN=xyz.sap.corp, O=SAP AG, C=DE"
	}
}

This configuration allows the SSO-distinguished name "CN=xyz.sap.corp, O=SAP AG, C=DE" to access the SDA.
Like the SSO deployment configuration multiple SSO-distinguished names can be specified as a comma-separated list and multiple "DN : " entries can be specified.

An example settings file may looks like this:

URL: /SMDAgent/deploy {
	authentication {
		DN : "CN=abc.sap.corp, O=SAP AG, C=DE"
	}
}
URL: /lmsl/sda {
	authentication {
		DN : "CN=abc.sap.corp, O=SAP AG, C=DE"
	}
}

The SSO configuration is now finished.

The settings can be activated without the need to restart SAP HostAgent with the Webservice "ReloadConfiguration".

• <sha-dir>/saphostctrl -function ReloadConfiguration

Additional Configurations

Alternatively, an "include" settings can be specified:

URL: /lmsl/sda {
	authentication {
		include : /SMDAgent/deploy
	}
}

This configuration includes the authentication setting from URL "/SMDAgent/deploy".

Additionally to SSO-distinguished names also usernames and groups can be specified.

URL: /lmsl/sda {
	authentication {
        DN : "CN=abc.sap.corp, O=SAP AG, C=DE"
        username: abcadm, myuser
        group: sapsys, mygroup
	}
}

In this configuration the SSO DN "CN=abc.sap.corp, O=SAP AG, C=DE", the user "abcadm" and "myuser" and all members of the groups "sapsys" and "mygroup" have access to the URL /lmsl/sda

Different Deployment and Access DN´s

It is also possible to specify different SSO-distinguished names for the deployment and access to the SDA.
When doing so it is recommended to disable the automatic start of the SDA after the deployment because this may cause deployment errors.

A possible configuration may look like this:

URL: /SMDAgent/deploy {
	authentication {
		DN : "CN=abc.sap.corp, O=SAP AG, C=DE"
	}
	start: no
}
URL: /lmsl/sda {
	authentication {
		DN : "CN=xyz.sap.corp, O=SAP AG, C=DE"
	}
}

The SSO DN "CN=abc.sap.corp, O=SAP AG, C=DE" is able to deploy the SDA and it will not be started after deployment.
The SSO DN "CN=xyz.sap.corp, O=SAP AG, C=DE" is able to access the SDA.
The SDA will be started automatically on access if it is not running.

SSO configuration for SDA operations

The SDA is shipping its own Host Agent operations which are so far

The authorization for each operation is configured in the operation configuration file in the Host Agent "operations.d" directory. The operation configuration files can be customized to change the authorization for each operation individually. However, changing the configuration will be undone with the next SDA upgrade or redeployment. Since Host Agent 7.22 PL 56 there is another way to customize the authorization for each operation which will also persist an SDA upgrade or redeployment. This can be configured in the Host Agent configuration file "http.server.settings". 

Example how to add an authorization configuration to a single operation

operation: configureDS {
    authentication {
        DN: "CN=company.sap.corp, O=SAP AG, C=DE"
    }
}

1. line: The word "operation" is a keyword similar to "URL" which means that the following configuration is for an operation. After the colon follows the operation name. 
2. line: In the context of an operation only "authentication" can be configured. 
3. line: The keyword "DN" stands for distinguished name. The colon follows the distinguished name for which the operation should be allowed to be executed.

With this example the operation "configureDS" can now be executed also with an SSO DN "CN=company.sap.corp, O=SAP AG, C=DE". 

The authentication configuration for an operation is similar to above described configuration for URLs. Besides the "DN" keyword also "username", "group", and "include" is available to operation configurations. 

In case to change the authentication configuation for more than one operation in the same way it can be done conviniently like this 

operation: "configureDS, configureHanaDS" {
    authentication {
        DN: "CN=company.sap.corp, O=SAP AG, C=DE"
    }
}

Instead of a single operation name a list of operation names can be given which needs to be enclosed in double quotes and comma separated.

In case there is already a configuration for URL "/lmsl/sda" and operations should be allowed to be executed the same as the URL is allowd to be accessed it can be achieved with the "include" keyword

operation: "configureDS, configureHanaDS" {
    authentication {
        include: URL//lmsl/sda
    }
}

Since there is a cross reference between "operation" and "URL" configuration there needs to be the prefix "URL/" before the actual URL which is different to the example above with URLs only.

The "include" configuration can also be used in the same context "operation" as follows

operation: configureDS {
    authentication {
        DN: "CN=company.sap.corp, O=SAP AG, C=DE"
    }
}
operation: configureHanaDS {
    authentication {
        include: configureDS
    }
}