on 04-03-2009 11:32 PM
We have several people that need to connect to our ERP NetWeaver servers from outside of our secured network using SAPGUI. Obviously, we don't want to open more ports than we absolutely have to, and any ports we do open we want the traffic to be encrypted. Our user store is located in the ABAP store and therefore we can't use a third party single sign on tool. Does anyone know how to encrypt SAPGUI traffic from the client to the server while using ABAP as the authentication store? Please give step by step instructions if you do. Thanks.
Edited by: Aaron McNulty on Apr 4, 2009 12:32 AM
Hi Aaron,
As far as I know, SAPGUI traffic (especially for SAPGUI for Windows) is already encrypted (CMIIW)...
If you want to be more secure then you should implement VPN connection between your end user and SAP server.
ardhian
According to SAP's website the traffic is not encrypted just compressed. If I use SNC can I connect to the server with just using the SAPGUI client and if so, do you know where the documentation is that tells me how? And can I have it use a different port that the server will only accept encrypted traffic on?
I notice that SDN has a "Security" forum, where you might get some more specific help.
If you login to SAP's Service Marketplace portal and go to
SAP NetWeaver -> SAP NetWeaver in Detail -> Security ->
Security in Detail -> Secure User Access ->
Authentication & Single Sign-On
there is a link to "SNC User's Guide" PDF document
The guide appears not to have been revised in the last ten years, but as far as I know, it is still helpful.
In our case, we are using SNC (with Kerberos) for both authentication and encryption. There might be a simpler solution if all you wanted was encryption and you were authenticating in some other way - but I can't help with that.
With respect to your question about "just using the SAPGUI client", I can talk to the case where the underlying mechanism is Kerberos. In the Kerberos case, in addition to the software from SAP, you need to have a certain amount of Kerberos infrastructure. You need to be running a KDC (key distribution center) somewhere that can be accessed by both the SAPgui and R/3 application servers. You need to have Kerberos software on the SAPgui computer (supplied by Apple as part of the Macintosh operating system and (I believe) supplied by Microsoft for Windows). On both the R/3 application servers and the SAPgui computer you need a (SAP-supplied) library to implement the GSSAPI calls with the relevant (in our case, Kerberos) functionality.
By default, the traffic would be compressed, not encrypted. You need to explicitly set the "SNC quality of protocol" parameter to require encryption. Quoting from SAP's documentation of the Java SAPgui (but basically the same thing applies to the native Windows SAPgui and to the R/3 application server) "sncqop - SNC quality of protocol: one of the following numbers:
1: Authentication
2: Integrity
3: Encryption
9: Maximum available"
If either the SAPgui or R/3 application server set sncqop = 3 and the other side won't encrypt the traffic, the connection should be rejected.
We use SNC (SAP's Secure Network Connection) for all our intranet and internet (Windows and Macintosh) SAPgui connections. In our case, the underlying mechanism is Kerberos, but other choices are available. You can set the R/3 system to any of three levels of security (Authentication, Integrity, Encryption) or the "Maximum available" level. You have the same choices in the SAPgui. If you set both the R/3 system and the SAPgui to "Encryption", all the traffic between the SAPgui and the R/3 system should be encrypted.
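The two replies above describe the sncqop levels (1 authentication, 2 integrity, 3 encryption, 9 maximum available) and the rule that a session is refused when one side demands encryption the other side cannot deliver. The following is an added illustration, not code from the thread or from SAP: a small Python model of that negotiation, useful for checking what a given pair of client and server settings will actually produce before opening a port. The `Endpoint` class, its `supported_max` field and the "stricter request wins, within what both libraries can deliver" rule are assumptions of this model, not SAP's implementation.

```python
"""Model of SNC quality-of-protection (sncqop) negotiation between a SAPgui
client and an R/3 application server.

Constructed example.  The level numbers are the ones quoted in the thread;
the negotiation rule and the Endpoint fields are assumptions of this model.
"""
from dataclasses import dataclass
from typing import Tuple

# sncqop values as quoted in the thread
AUTHENTICATION, INTEGRITY, ENCRYPTION, MAXIMUM = 1, 2, 3, 9
LEVEL_NAMES = {AUTHENTICATION: "authentication",
               INTEGRITY: "integrity",
               ENCRYPTION: "encryption"}


@dataclass
class Endpoint:
    """One side of the connection (SAPgui or application server).

    requested_qop - the sncqop level this side insists on (1, 2, 3 or 9)
    supported_max - highest level its SNC/GSS-API library can deliver
                    (hypothetical field standing in for the mechanism's ability)
    snc_enabled   - False models the default SAPgui connection without SNC
    """
    name: str
    requested_qop: int
    supported_max: int = ENCRYPTION
    snc_enabled: bool = True

    def required_level(self) -> int:
        # 9 = "maximum available": ask for everything the library offers
        if self.requested_qop == MAXIMUM:
            return self.supported_max
        if self.requested_qop not in LEVEL_NAMES:
            raise ValueError(f"{self.name}: unknown sncqop value {self.requested_qop}")
        return self.requested_qop


def negotiate(client: Endpoint, server: Endpoint) -> Tuple[str, int]:
    """Decide the outcome of a connection attempt.

    Returns ("accepted", level) when both sides can meet the stricter of the
    two requested levels, ("plain", 0) when neither side uses SNC at all
    (compressed but unencrypted traffic, the default described in the thread),
    and ("rejected", 0) otherwise.
    """
    if not client.snc_enabled and not server.snc_enabled:
        return ("plain", 0)
    if not client.snc_enabled or not server.snc_enabled:
        # one side insists on SNC, the other cannot do it: no session
        return ("rejected", 0)
    wanted = max(client.required_level(), server.required_level())
    deliverable = min(client.supported_max, server.supported_max)
    if wanted > deliverable:
        # e.g. one side set sncqop = 3 and the other cannot encrypt
        return ("rejected", 0)
    return ("accepted", wanted)


def is_encrypted(outcome: Tuple[str, int]) -> bool:
    """True only if a session is established at the encryption level."""
    status, level = outcome
    return status == "accepted" and level >= ENCRYPTION


if __name__ == "__main__":
    # constructed scenarios; names and values are illustrative only
    scenarios = {
        "default SAPgui, no SNC on either side":
            (Endpoint("gui", AUTHENTICATION, snc_enabled=False),
             Endpoint("r3", AUTHENTICATION, snc_enabled=False)),
        "gui sncqop=3, server sncqop=3":
            (Endpoint("gui", ENCRYPTION), Endpoint("r3", ENCRYPTION)),
        "gui sncqop=1, server sncqop=3 (server enforces)":
            (Endpoint("gui", AUTHENTICATION), Endpoint("r3", ENCRYPTION)),
        "gui sncqop=3, server library only does integrity":
            (Endpoint("gui", ENCRYPTION),
             Endpoint("r3", INTEGRITY, supported_max=INTEGRITY)),
        "gui sncqop=9, server sncqop=9":
            (Endpoint("gui", MAXIMUM), Endpoint("r3", MAXIMUM)),
    }
    for label, (gui, r3) in scenarios.items():
        result = negotiate(gui, r3)
        print(f"{label:50s} -> {result}, encrypted={is_encrypted(result)}")
```

The point the model makes explicit is the one the thread states in words: setting sncqop = 3 on only one side is enough to refuse unencrypted sessions, but only if that side is the server, since a client-side setting protects nothing for users who simply leave it out.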