SPNego Kerberos Authentication on Netweaver Java stack 7.1 or 7.2

Former Member
0 Kudos

Hello,

We have a project to implement ESS. For ESS we consider that Windows Integrated authentication is mandatory.

Currently we have set up an ESS 1.41 test system based on ERP6 EHP4 Netweaver Java EHP 1 on Windows 2003.

We tested successfully Windows integrated authentication using SAP standard method SPNEGO Kerberos using the Microsoft Active Directory as the Kerberos Key Distribution Center.

But the problem is that we have to configure the service user to use the DES encryption.

We got a NO GO from our security team because they consider DES to be obsolete and not secure enough.

Microsoft AD now uses RC4 as the standard encryption algorithm, and we were told that the security team will deactivate DES with the next AD upgrade.

After doing my homework on help.sap.com, SAP notes and SDN forums, it is my understanding that the problem comes from SAP's use of the very old SUN JDK 1.4.

I am aware that SAP partners sell login modules which are able to use RC4 for SPNego Kerberos authentication, but the price that they ask for it is so high that it is not a possibility (more expensive than the cost of the project which needs it...).

I have tried to check another future possibility: Netweaver CE 7.2 uses the new SAP JVM, which is a rebranded (and adapted) SUN Java SE 6 VM (cf. SAP JVM: http://help.sap.com/saphelp_nwce72/helpdata/en/47/dc90b4ef17452289f9128b8c2bbd77/frameset.htm).

I have checked the Sun documentation and the JVM does now support AES, RC4 and other modern encryption algorithms. The documentation also explicitly talks about SPNego Kerberos authentication.

I have checked help.sap.com for Netweaver CE 7.2 about spnego but the documentation does not seem to have been updated since Netweaver 7.0 (it still mentions Sun JDK 1.4...)

My question now: does anyone know (or better, has anyone tested) whether it is possible to use RC4 encryption for SPNego Kerberos authentication with Netweaver CE 7.2? If yes, will SAP soon update EP to use Netweaver 7.2?

Thanks for reading such a long post !

Regards,

Olivier

6 REPLIES 6

Former Member
0 Kudos

Hi Olivier,

Apart from the DES issue, ...

> But the problem is that we have to configure the service user to use the DES encryption.

Why are you using a SERVICE user for ESS?

Generally they would access the system in their own user's context and accordingly see only their own PERNR data.

If you use a generic service, then you will need to expose the PERNR to it somehow as input and give it the access to the infotypes which the user on the frontend is wanting to access. This is not an optimal security design...

Cheers,

Julius

0 Kudos

>

> > But the problem is that we have to configure the service user to use the DES encryption.

> Why are you using a SERVICE user for ESS?

> Cheers,

> Julius

This is an Active Directory user account and is being called a service user since it is being used for a Kerberos service - it is not a SAP service user which is being referenced in the context of this thread.

0 Kudos

Thanks Tim!

tim_alsop
Active Contributor
0 Kudos

>

> I am aware that SAP partners sell Login modules which are able to use RC4 for SPnego Kerberos authentication but the price that they ask for it is so high that it is not a possibility. (more expensive than the cost of the project which needs it...)

> Regards,

> Olivier

I am not sure which products you have looked at the cost for, but I don't believe you have checked this product out: http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokeradapter

- you will find it to be very cost effective since it is not priced on a per-user basis - it is a fixed cost per installation, so you would just need to pay a few thousand dollars to get what you need for an unlimited number of users. Also, discounts are available if you ask :-).

Thanks,

Tim

Former Member
0 Kudos

Hello Tim,

I will check your product. We'll see if it is so cheap!

We don't like having to buy add-ons for functionalities which are advertised as standard by SAP. And which are standard but based on obsolete technologies...

Does anyone have insights about modern encryption options with standard Netweaver 7.1 or 7.2?

Regards,

Olivier

tim_alsop
Active Contributor
0 Kudos

Olivier,

If you need to know whether NW 7.1 or 7.2 will allow JDK 1.5 or 1.6 to be used for SPNEGO then I suggest you open a message with SAP.

The product I mentioned earlier does not suffer from the dependency on JDK version because it uses a JNI and therefore the Kerberos crypto libraries are installed on the operating system outside of the Java environment.

Also, you will find that the products from other companies include additional features which you might find useful, and the SAP SPNEGO login module just provides the basic capability for IWA auth with no additional features and lots of restrictions (e.g. only supports DES).

Thanks,

Tim
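
For anyone who has to answer a security team's "where is DES still enabled?" question, here is an added example (not from any poster in this thread or from SAP) that audits an attribute export of Active Directory accounts for Kerberos service accounts restricted to DES or still permitting it. The account names, SPNs and LDIF sample are constructed; the msDS-SupportedEncryptionTypes check only applies where that attribute exists in the directory schema.

```python
# Added example: offline audit of an LDIF export for Kerberos service accounts
# that are restricted to DES or still permit it. Sample data is constructed.
UF_USE_DES_KEY_ONLY = 0x200000  # userAccountControl flag: DES encryption types only
DES_BITS = {0x01: "DES-CBC-CRC", 0x02: "DES-CBC-MD5"}  # msDS-SupportedEncryptionTypes
SAMPLE_LDIF = """\
dn: CN=j2ee-ep1,OU=Service Accounts,DC=example,DC=test
sAMAccountName: j2ee-ep1
servicePrincipalName: HTTP/portal.example.test
userAccountControl: 2163200

dn: CN=svc-web2,OU=Service Accounts,DC=example,DC=test
sAMAccountName: svc-web2
servicePrincipalName: HTTP/web2.example.test
userAccountControl: 66048
msDS-SupportedEncryptionTypes: 7

dn: CN=jdoe,OU=Users,DC=example,DC=test
sAMAccountName: jdoe
userAccountControl: 512
"""

def parse_ldif(text):
    """Parse simple (unfolded, non-base64) LDIF into attr -> [values] dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def audit(entries):
    """Return {account: finding} for accounts that hold an SPN and still allow DES."""
    findings = {}
    for e in entries:
        if "servicePrincipalName" not in e:
            continue  # only accounts that act as Kerberos services
        name = e["sAMAccountName"][0]
        uac = int(e.get("userAccountControl", ["0"])[0])
        mask = int(e.get("msDS-SupportedEncryptionTypes", ["0"])[0])
        des = [n for bit, n in DES_BITS.items() if mask & bit]
        if uac & UF_USE_DES_KEY_ONLY:
            findings[name] = "DES only (USE_DES_KEY_ONLY set)"
        elif des:
            findings[name] = "DES permitted: " + ", ".join(des)
    return findings

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```
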