04-29-2011 7:58 PM
I would like to know if there are different techniques for securing the SM59 connection between two ABAP systems rather than using user account/password.
I would rather not enter any user ID or password to minimize.
Can I use X.509 certs, etc. etc.?
What is best practice for using configuring SAP interconnectivity through SM59 without pas
Jex Wildfire
04-29-2011 11:21 PM
Hi,
There is only one way to secure the RFC connections between SAP systems. It is using SNC (Secure Network Communications). For SNC, you need an SNC library which supports a common security mechanism. The SM59 destination would then be configured with an SNC name for the target system.
There is an SNC library available from SAP which can be used for this, and uses x.509 certificates. Or, if you prefer, you can use an SNC library from an SAP partner which uses Kerberos, and then you can use Active Directory for key management. When you use x.509 certificates, the certificates expire, so you need to re-create them every few years. If you use Kerberos, the keys can be renewed automatically, e.g. every 30 days, so once set up you can leave it forever.
Thanks,
Tim
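The server-side half of the SNC setup described in the reply above lives in the instance profile. As an added example (not part of the thread and not SAP's code), this Python script parses a constructed sample profile and flags SNC settings that leave RFC traffic unprotected. The parameter names are standard SNC profile parameters; the policy thresholds, sample values and function names are assumptions of this example.

```python
# Added example: audit the SNC lines of an SAP instance profile.
# Policy thresholds are this example's assumptions, not SAP defaults.

# Constructed sample profile (not from a real system).
SAMPLE_PROFILE = """\
snc/enable = 1
snc/gssapi_lib = /constructed/path/libsapcrypto.so
snc/identity/as = p:CN=ABC, OU=Example, O=Example Corp, C=US
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/accept_insecure_rfc = 1
"""

def parse_profile(text):
    """Return {parameter: value}; split on the first '=' only, because
    X.509 SNC names such as p:CN=ABC contain '=' themselves."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params

def audit_snc(params):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable: SNC is not switched on")
    if not params.get("snc/gssapi_lib"):
        findings.append("snc/gssapi_lib: no SNC library configured")
    if not params.get("snc/identity/as", "").startswith("p:"):
        findings.append("snc/identity/as: SNC name missing or not p:<name>")
    # Protection levels: 1 = authentication only, 2 = integrity, 3 = privacy.
    level = params.get("snc/data_protection/min", "")
    if not level.isdigit() or int(level) < 3:
        findings.append("snc/data_protection/min: below 3, encryption optional")
    if params.get("snc/accept_insecure_rfc") != "0":
        findings.append("snc/accept_insecure_rfc: not 0, unprotected RFC may be accepted")
    return findings

if __name__ == "__main__":
    for finding in audit_snc(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```
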
05-01-2011 5:05 AM
Tim,
Thank you for the information.
I do not want to use any third party solution, so it looks like SAP SNC library using X.509 cert.
Do you recommend any documents or URLs that would have an example or two of setting it up?
Thanks
Jexun
05-01-2011 9:03 AM
Jexun,
I don't know of any docs, sorry.
If you use x.509 certificates, one for each ABAP system, in the future, if you want to improve SAP GUI communication security or want SAP GUI SSO, then you will need to issue client certificates, one for each user. This will require a lot of extra costs for certificate storage and management, e.g. a PKI. If you use Kerberos instead, then you can use the existing Active Directory infrastructure without any additional costs.
Of course, you can use x.509 certificates on servers now and change to using Kerberos later if you want to take advantage of AD authentication using Kerberos.
Thanks,
Tim
05-01-2011 10:55 AM
Hi,
You can start here (http://help.sap.com/saphelp_nw2004s/helpdata/en/41/45453c3ff4110ee10000000a11405a/frameset.htm). You can also find a document called SNC User's Guide on service.sap.com/security.
Cheers
05-01-2011 8:55 PM
In addition to the SNC protection, you can also create trusted RFC connections between the partners. This also works without SNC though, but as Tim stated it is better to encrypt the trust than compress and encode it.
This gives you the option to define the connection as being the current user - so their own access rights and even existence will determine what they can do via the connection.
This works very well for "normal" users, but you must have their authorizations under control and understand the concept behind it (for example that you can use the same technical connection for various scenarios without the authorizations of the SYSTEM user in the connection accumulating to the sum of all of them).
Additionally, authorizations in the target system are at the same time authentication for the "caller" user and system and transaction context. You need to be very careful of the calling user's ability to influence this context of the call.
Cheers,
Julius