
SAPgui logon using SNC

Former Member
0 Kudos

Hi Sdn,

My customer wants external users to connect using SAProuter and SNC (SAPCRYPTOLIB); however, I haven't found any step-by-step documentation that covers this.

I've found a documentation for RFC communication but not for dialog communication.

I've configured the SNC parameters, activated SNC, created PSE certificates and SAP comes online without problem, but in SAP GUI, when I force SNC communication using the SAPCRYPTO library and the SNC name as in the profile, I click the Logon button and saplogon does not give any error, nor does it ask for credentials or open any SAP window.....

SNC profile parameters maintained

SAPCRYPTO LIBRARY in client and server

SNC_LIB and SECUDIR set

I think that I should also use sapgenpse for the SNC name I use, but I'm not sure of this!!!

Does anyone know of any documentation that could help me or enlighten me on this issue?

Thanks and best regards

Pedro Rodrigues

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

Pedro,

I think you will find that the SAPCRYPTOLIB is not legally usable for SAP GUI Single Sign-On. If you want to use SSO with the Windows version of SAP GUI you MUST buy a commercial product from a SAP partner that supports SNC and provides you with the necessary SNC libraries. You can find a list by looking at http://www.sap.com/eapcatalog and searching for SNC.

If you are using SAPCRYPTOLIB for SAPRouter - this is OK, as the library is licensed for this use.

Thanks,

Tim

31 REPLIES

Former Member
0 Kudos

Hi Tim,

Thanks for the quick answer. The customer does not intend to have an SSO configuration; it only wants the communication through SAProuter to use SNC encryption (like SAP Support uses).

Now I'm trying to configure a direct connection from the GUI to the SAP server, but configuring SAProuter to accept external communication will be sufficient....

thanks,

Pedro

tim_alsop
Active Contributor
0 Kudos

Pedro,

OK, so if your customer wants to use SNC with SAP Router this does not require SAP GUI to use SNC, since the SAP Router is for routing traffic between systems, not for user logon from the GUI.

If you want to configure SNC with SAP GUI this needs a different approach.

I hope you are clear now, and your questions have been answered, but if you still have questions/concerns let us know.

Thanks,

Tim

Former Member
0 Kudos

After a new approach to this issue:

Using SAProuter does not solve the issue. External users connect to the SAProuter, but the communication must already be encrypted because the SAProuter is already at the customer site, so I need to configure the SNC option and SNC name in SAP GUI.

sorry for my mistake!!

Thanks

regards

Pedro

tim_alsop
Active Contributor
0 Kudos

Pedro,

I think you are still confused. The SAP router encrypts communications at transport level, but when you configure SNC in SAP GUI - this is for user authentication, which is a different level to what is used by SAP Router.

Perhaps if you show a diagram it might help ?

For example:

Customer network -> SAP Router <Internet> SAP Router < SAP ABAP AS

Using a diagram like above might help us understand what you are trying to do.

Thanks,

Tim

Former Member
0 Kudos

Working for the company that actually provides the SAPCRYPTOLIB I can also confirm that using the SAPCRYPTOLIB on the client side is violating the license terms. I also suspect, like Tim, that you will need to obtain a SAP certified product. Please explain your needs and we will see what we can do for you here in this forum.

Former Member
0 Kudos

Hi all again,

Our customer doesn't want any kind of SSO; it just wants to encrypt the data when accessing the SAP System over the internet, for users that connect using the local SAProuter.

As I understand from what you said, I could achieve this using two SAProuters, the customer-side SAProuter and another in the network of the remote users. But if the remote user has a PC directly connected to the internet, do I have to install a SAProuter on this PC?

The SAP GUI SNC section is only for SSO purposes?!?

Thanks in advance

Pedro Rodrigues

tim_alsop
Active Contributor
0 Kudos

> As I understand from what you said, I could achieve this using two SAProuters, the customer-side SAProuter and another in the network of the remote users. But if the remote user has a PC directly connected to the internet, do I have to install a SAProuter on this PC?

Yes, this is correct. If they have a PC directly connected to the internet then they would use a VPN to secure the connection between their PC and the network where SAP is running, and SAP router is not involved.

> The SAP GUI SNC section is only for SSO purposes?!?

Not quite - when using SNC with SAP GUI and SAP ABAP AS you also get end-to-end encryption of communications between the GUI and the ABAP system, and data integrity is also provided. Some customers use this application-level security to secure the connection between GUI and SAP ABAP systems, and use normal network security for the transport-level security (e.g. using a VPN solution). If your customer does not want to use a VPN then the SAP router option will suffice, but will not be useful when the PC is directly connected to the Internet.

Former Member
0 Kudos

TIM,

As I understand it, there is a way to configure end-to-end encryption for the SAP GUI connection via SNC, so can you provide me some links/documentation for this configuration?

Thanks

Pedro

tim_alsop
Active Contributor
0 Kudos

Pedro,

Yes, when SNC is used for SSO, the encryption and integrity are also provided if the SAP ABAP system is configured with the correct instance profile parameters to force encrypted communications when the user logs on. As mentioned earlier, if you want to use SNC with SAP GUI you need to contact a SAP partner for help, and partner products cannot be discussed in detail on SDN. I work for one of those partners, which is why I know this.

Thanks,

Tim

Former Member
0 Kudos

Tim,

And without SSO? Is it not possible to configure a connection between SAP GUI and the SAP System using SNC?

Sorry for this, but I don't yet clearly understand this!!!!

thanks,

Pedro

tim_alsop
Active Contributor
0 Kudos

Pedro,

Let me try and explain differently.

If you install a SAP certified SNC library on each workstation where SAP GUI is installed and also on each ABAP server where the user logs on using SAP GUI, then you can implement the following: SSO, End-to-End encryption and Data Integrity of data transmitted. If you don't want SSO for some reason, some of the products allow the user to authenticate each time they logon to SAP ABAP system, but still use SNC for the network security requirements.

Is this clearer?

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

this was quite clear Thanks.

In fact, what we'll need is as you said:

> some of the products allow the user to authenticate each time they logon to SAP ABAP system, but still use SNC for the network security requirements.

The question now is, could this be achieved with SAPCRYPTOLIB?

Which steps?

1. profile parameters (activate SNC and so on)

2. Install SAPCRYPTO on the user PC

3. configure SAP GUI to use SNC using the SNC name from the SAP System

Should the SNC name that I configured in STRUST appear in the command sapgenpse get_my_name?

I'm consulting the SNC User's Guide from the SAP security area in the marketplace, but I haven't yet been able to log on to the SAP System using SNC. Right now, with the SNC name between "" like "p:CN=SAP, OU=Company, O=NAME, C=DE", the SAP GUI does not give any error message or log on; without "" I get the error:

Couldn't acquire DEFAULT INITIATING credentials :-S

thanks and best regards,

Pedro

tim_alsop
Active Contributor
0 Kudos

> Hi Tim,

> this was quite clear Thanks.

Good. I am pleased you are clear now on what you need to do.

> The question now is, could this be achieved with SAPCRYPTOLIB?

NO. This is not possible, since SAPCRYPTOLIB is a library OEMed by SAP and the license for its use DOES NOT allow it to be used with SAP GUI. If you try to use it with SAP GUI then you are doing something illegal.

> Which steps?

> 1. profile parameters (activate SNC and so on)

This depends on the SNC product you use, so you need to ask the vendor you choose for guidance.

> 2. Install SAPCRYPTO on the user PC

NO, you cannot do this for use with SAP GUI. Please see the note above, and the confirmation from Sietze, who works for the vendor providing this library to SAP.

> 3. configure SAP GUI to use SNC using the SNC name from the SAP System

You need to get advice on this from the SNC product vendor you are using.

> Should the SNC name that I configured in STRUST appear in the command sapgenpse get_my_name?

Since you cannot use SAPCRYPTOLIB this is not relevant. Also, STRUST is for trust relationships, so it is not involved when logging onto an ABAP system using SAP GUI.

> I'm consulting the SNC User's Guide from the SAP security area in the marketplace, but I haven't yet been able to log on to the SAP System using SNC. Right now, with the SNC name between "" like "p:CN=SAP, OU=Company, O=NAME, C=DE", the SAP GUI does not give any error message or log on; without "" I get the error:

> Couldn't acquire DEFAULT INITIATING credentials :-S

As I have mentioned, the use of SAPCRYPTOLIB is not allowed with SAP GUI.

> thanks and best regards,

> Pedro

Former Member
0 Kudos

Thanks Tim

Best Regards,

Pedro

WolfgangJanzen
Product and Topic Expert
0 Kudos

> If you install a SAP certified SNC library on each workstation where SAP GUI is installed and also on each ABAP server where the user logs on using SAP GUI, then you can implement the following: SSO, End-to-End encryption and Data Integrity of data transmitted. If you don't want SSO for some reason, some of the products allow the user to authenticate each time they logon to SAP ABAP system, but still use SNC for the network security requirements.

Sorry, Tim. But I do not agree.

Using SNC with SAP GUI you'll always disable the (ABAP) password authentication; the ABAP system then demands that the user is authenticated via SNC (SSO).

SNC is based on GSS-API and the QoP (Quality of Protection) levels allow only to choose between:

- authentication (SSO)

- authentication + data integrity

- authentication + data integrity + confidentiality (encryption)

So, you cannot have SNC without SSO (for the SAP GUI usage scenario). As I've explained earlier there is another usage scenario (SAProuter - SAProuter) where "authentication" cannot be used to identify single users and thus is not suitable for SSO. Since SAP GUI is a "user agent" (i.e. software component that represents a single user) it is possible to use the "authentication of the communication partner" (user agent) for the "authentication of an user" (-> SSO).
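The three QoP levels above map directly onto the ABAP instance profile parameters that decide what an SNC-enabled server will actually accept from SAP GUI. The check below is an added example, not code from this thread or from SAP: it parses a profile excerpt, reports which level is enforced (the minimum the server accepts, not the level the client asks for), and flags the case where plain, non-SNC GUI logons are still permitted alongside SNC. The parameter names are the standard SNC profile parameters; the two profile excerpts, the library path and the DN are constructed placeholders.

```python
"""
Added example (not code from the thread): evaluate the SNC-related parameters
of an ABAP instance profile and report which GSS-API quality-of-protection
(QoP) level the server enforces and whether SAP GUI logons without SNC are
still accepted.

Assumptions (mine, not the thread's): the parameter names are the standard
SAP profile parameters for SNC; the profile excerpts are constructed.
"""

# Encoding of the QoP levels in snc/data_protection/{min,max,use}.
QOP_NAMES = {
    1: "authentication only",
    2: "authentication + integrity",
    3: "authentication + integrity + confidentiality (encryption)",
}

# Constructed profile excerpts (library path and DN are placeholders).
WEAK_PROFILE = """
# SNC is on, but encryption is optional and plain GUI logons still work
snc/enable = 1
snc/gssapi_lib = /usr/sap/SID/SYS/exe/run/libsncvendor.so
snc/identity/as = p:CN=SID, OU=Company, O=NAME, C=DE
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
"""

HARDENED_PROFILE = """
snc/enable = 1
snc/gssapi_lib = /usr/sap/SID/SYS/exe/run/libsncvendor.so
snc/identity/as = p:CN=SID, OU=Company, O=NAME, C=DE
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 0
"""


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'name = value' lines of an SAP profile; '#' starts a comment."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def _int_param(params: dict[str, str], name: str, default: int) -> int:
    try:
        return int(params.get(name, default))
    except ValueError:
        return default


def assess_snc(params: dict[str, str]) -> dict:
    """Summarise what the profile enforces for inbound SAP GUI connections."""
    enabled = params.get("snc/enable", "0") == "1"
    # Defaults are the values SAP applies when the parameter is absent.
    min_qop = _int_param(params, "snc/data_protection/min", 2)
    max_qop = _int_param(params, "snc/data_protection/max", 3)
    # "1" accepts non-SNC GUI logons globally, "U" per user (SU01 flag).
    insecure_gui = params.get("snc/accept_insecure_gui", "0") in ("1", "U")

    findings: list[str] = []
    if not enabled:
        findings.append("snc/enable is not 1: SNC is off and GUI traffic is cleartext")
    else:
        if min_qop < 3:
            findings.append(
                f"snc/data_protection/min = {min_qop}: a client may negotiate "
                f"'{QOP_NAMES[max(1, min_qop)]}', so encryption is not enforced"
            )
        if max_qop < 3:
            findings.append(
                f"snc/data_protection/max = {max_qop}: encryption can never be negotiated"
            )
        if insecure_gui:
            findings.append(
                "snc/accept_insecure_gui permits SAP GUI logons without SNC, "
                "so a client can simply connect with SNC switched off"
            )
    level = max(1, min(min_qop, max_qop, 3))  # clamp to the defined levels
    return {
        "snc_enabled": enabled,
        "enforced_qop": QOP_NAMES[level] if enabled else None,
        "insecure_gui_allowed": insecure_gui,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        result = assess_snc(parse_profile(text))
        print(f"{label}: enforced QoP = {result['enforced_qop']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The point the check makes explicit: `snc/data_protection/use` only says what the server asks for, and a client that is allowed to negotiate down to level 2 (or to skip SNC entirely via `snc/accept_insecure_gui`) gets authentication and integrity but no confidentiality, which is exactly the "encryption without SSO" gap the thread is circling.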

tim_alsop
Active Contributor
0 Kudos

> Sorry, Tim. But I do not agree.

> Using SNC with SAP GUI you'll always disable the (ABAP) password authentication; the ABAP system then demands that the user is authenticated via SNC (SSO).

Yes, so the SNC product on workstation can authenticate the user when required (not using SAP user and password, but using external authentication server). This is what I was referring to. Our product is able to authenticate the user when the SAP GUI is used and when user selects the option in SAP Logon to logon to a particular system. I will send you an email containing a short movie showing this working.

> SNC is based on GSS-API and the QoP (Quality of Protection) levels allow only to choose between:

> - authentication (SSO)

> - authentication + data integrity

> - authentication + data integrity + confidentiality (encryption)

> So, you cannot have SNC without SSO (for the SAP GUI usage scenario). As I've explained earlier there is another usage scenario (SAProuter - SAProuter) where "authentication" cannot be used to identify single users and thus is not suitable for SSO. Since SAP GUI is a "user agent" (i.e. software component that represents a single user) it is possible to use the "authentication of the communication partner" (user agent) for the "authentication of an user" (-> SSO).

Yes you can, it is just not possible when using products that you are familiar with. With our product which is using SNC we are able to support this requirement - it is one of our competitive advantages

WolfgangJanzen
Product and Topic Expert
0 Kudos

> > Wolfgang Janzen wrote:

> > Sorry, Tim. But I do not agree.

> > Using SNC with SAP GUI you'll always disable the (ABAP) password authentication; the ABAP system then demands that the user is authenticated via SNC (SSO).

> Yes, so the SNC product on workstation can authenticate the user when required (not using SAP user and password, but using external authentication server). This is what I was referring to.

Thanks for the clarification (confirming my statement).

I just wanted to emphasize that (from the perspective of the ABAP system) it's an SNC authentication (-> you need to maintain the user-specific SNC name settings in ABAP transaction SU01).

Of course it's possible that the external security product is prompting the user each time to (re-)authenticate before it is providing its services (-> credentials).

But I guess that this is subject of customizing - and that other products might offer this option (via policy settings) as well.

Former Member
0 Kudos

> But I guess that this is subject of customizing - and that other products might offer this option (via policy settings) as well.

You're correct; there are more products that can be customized to prompt for a password (SecurID tokens come to mind here) before a connection is being made. Customization also allows one to completely disable SSO while using encryption at the same time.

WolfgangJanzen
Product and Topic Expert
0 Kudos

Just another word from my side regarding certified SNC products which offer the option to prompt the user before enabling the usage of their credentials:

Please keep in mind that the SNC handshake must be finished in not more than 10 seconds (in order to get certified: https://www.sdn.sap.com/irj/sdn/sdnservices/icc?rid=/webcontent/uuid/e112cb72-0501-0010-63a3-f45326c176ae). Therefore the SNC product needs to perform the user interaction prior to (but not during) the SNC handshake.

Regards, Wolfgang

tim_alsop
Active Contributor
0 Kudos

> Just another word from my side regarding certified SNC products which offer the option to prompt the user before enabling the usage of their credentials:

> Please keep in mind that the SNC handshake must be finished in not more than 10 seconds (in order to get certified: https://www.sdn.sap.com/irj/sdn/sdnservices/icc?rid=/webcontent/uuid/e112cb72-0501-0010-63a3-f45326c176ae). Therefore the SNC product needs to perform the user interaction prior to (but not during) the SNC handshake.

> Regards, Wolfgang

For the benefit of other people reading this thread, we certified our product by disabling this feature, so our product certification with SAP ICC only covers the standard SSO features we provide. However, we did find during our testing that we could take much longer than 10 seconds to complete the authentication and it still works - we therefore fully support this "use case" when customers are using our products. A case where this occurs is when a user takes a long time to type in their password.

Also, I wondered if SAP might consider adding an environment variable which can be configured to point to a program that is invoked before SAP GUI attempts to authenticate the user. This program can then be used to authenticate the user, and then we could make sure that credentials are available before SNC is used to initiate the security context.

Former Member
0 Kudos

Tim,

Can you send me that video you talked about, or talk about that by email?

I think your solution will be what I need!!!

thanks

Pedro

tim_alsop
Active Contributor
0 Kudos

Pedro,

I would love to send it to you. I cannot find your email address in your business card.

Thanks,

Tim

WolfgangJanzen
Product and Topic Expert
0 Kudos

> For the benefit of other people reading this thread, we certified our product by disabling this feature so our product certification with SAP ICC is only covering the standard SSO features we provide. However, we did find that during our testing we could take much longer than 10 seconds to complete the authentication and it still works ...

The checks performed during the SNC certification are deliberately more strict than what is demanded by the SAP products you can use SNC with - that's true. But there are good reasons why an upper time limit was defined for the SNC handshake (which is a blocking operation).

> Also, I wondered if SAP might consider adding an environment variable which can be configured to point to a program that is invoked before SAP GUI attempts to authenticate the user. This program can then be used to authenticate the user, and then we could make sure that credentials are available before SNC is used to initiate the security context.

Frankly speaking that doesn't sound like a good approach to me.

To me it would make more sense if an SNC library would (be able to) provide a kind of event handler which could be triggered by SAPGUI (or an interactive RFC client) before establishing a new connection (if configured to use SNC), so that the required user interaction (in order to acquire the credentials) takes place before starting the SNC/GSS handshake.

However, that would require to enhance the SNC SPI (potentially invalidating previous SNC certifications) - well, for that you have to provide convincing arguments.

tim_alsop
Active Contributor
0 Kudos

> Frankly speaking that doesn't sound like a good approach to me.

> To me it would make more sense if an SNC library would (be able to) provide a kind of event handler which could be triggered by SAPGUI (or an interactive RFC client) before establishing a new connection (if configured to use SNC), so that the required user interaction (in order to acquire the credentials) takes place before starting the SNC/GSS handshake.

> However, that would require to enhance the SNC SPI (potentially invalidating previous SNC certifications) - well, for that you have to provide convincing arguments.

The problem with your suggestion is that the SNC interface uses the GSS-API v2 standard, so adding non-GSS standard functions to a GSS library might not be very easy, since it would mean that the library is not standard anymore! Instead, there needs to be a way for SAP GUI to be configured to call a vendor-supplied library (not the same GSS-API v2 library used for SNC, but complementary/compatible with it). This is why I suggested the environment variable, so that the feature can be turned on or off on certain workstations based on whether the environment variable is set or not - like SNC_LIB can be used to refer to the SNC library, the other environment variable can be used to refer to the user authentication library.

Anyway, having said this - I doubt SAP would develop this enhancement, and we are certainly happy with our current implementation of this feature, our customers like it, and we fully understand the SNC certification considerations that you have mentioned.

WolfgangJanzen
Product and Topic Expert
0 Kudos

Well, I just want to finally add the statement that (see my previous posting) the SNC handshake is a blocking operation - means: during this period of time (which should therefore be kept very short) an ABAP work process is unable to process any other tasks. That will decrease the overall system performance (throughput) and increase the response times (for all other clients waiting for an idle work process).

That's something a customer needs to know before making the decision to activate such a feature (which is, as you confirm, excluded from the SNC certification - because otherwise the product would not have passed the certification tests).

Disclaimer:

this is a general statement - not referring to a certain 3rd party product.

In particular I do not want to discourage to choose or use a certain product.

My statement only intends to inform you on implications, enabling you to make proper decisions (to use or not to use certain features - not products).

This statement is made by an individual - not representing a company / vendor.

tim_alsop
Active Contributor
0 Kudos

> That's something a customer needs to know before making the decision to activate such a feature (which is, as you confirm, excluded from the SNC certification - because otherwise the product would not have passed the certification tests).

Yes, we mention this when we explain this feature to our customers. In practice most customers don't seem to mind so we are happy and the customer is happy that we provide full support for our solution.

WolfgangJanzen
Product and Topic Expert
0 Kudos

> > That's something a customer needs to know before making the decision to activate such a feature (which is, as you confirm, excluded from the SNC certification - because otherwise the product would not have passed the certification tests).

> Yes, we mention this when we explain this feature to our customers. In practice most customers don't seem to mind so we are happy and the customer is happy that we provide full support for our solution.

Well, I'm pretty sure that you'll not be bothered with support issues dealing with large (UI) response times or bad system performance ... - and I'm also pretty sure that it takes quite some time for the SAP support to identify the root cause of such ...

That's just something I like to bring to everybody's attention (knowing the impacts before making decisions is advisable).

WolfgangJanzen
Product and Topic Expert
0 Kudos

Kindly differentiate between two scenarios:

(1) SAPGUI (client) - ABAP (server) connection

Here you can use SNC to achieve SSO (and in addition, depending on the capabilities of the SNC library being used, data integrity protection and potentially also data encryption).

(2) SAProuter - SAProuter connection

This is like the SAP Remote Support Connection. Notice that the SAProuter operates on a network layer (NI) below the protocols being used by SAPGUI (DIAG) or RFC clients (RFC). You might use SNC for this (SAProuter - SAProuter) section of the communication path to achieve data integrity protection and potentially also data encryption (notice: SNC only allows you to identify the communication peers, i.e. the SAProuters).

Notice: both scenarios are independent from each other. You might even use different SNC products in both scenarios. The SAProuter - SAProuter communication is transparent for the SAPGUI - ABAP communication (aside the fact that SAPGUI has to use a "route string" as connection parameter).

Notice: my statements refer to technical aspects, only.

I cannot provide any statement regarding SAPcryptolib license constraints.

(But I can confirm: using SAPcryptolib for SSO purposes with SAPGUI is not allowed).

former_member782872
Discoverer
0 Kudos

Hi, is there a way to do SSO (Kerberos) from SAP GUI for external customers using SAProuter?

0 Kudos

Eduardo,

This thread is marked as answered so I suggest you open a new thread and ask your question, then I will give you a detailed answer.

Thanks,

Tim