- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- SNC and SSO using the sapcryptolib and kerberos li...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
SNC and SSO using the sapcryptolib and kerberos lib
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-12-2006 1:04 PM
Hello,
We have an R3 system with SSO enabled for SAPGUI. We would like to setup an SNC RFC connection with another R3 system so we are in the AS-ABAP -> AS ABAP (RFC) scenario.
The SSO is using the kerberos library gi64krb5.dll.
Do you know if it is possible to enable SNC using the sapcrypto.dll and continue using the kerberos library for SSO?
Do you think using the following parameters would do the trick:
snc/gssapi_lib = gi64krb5.dll
ssf/ssfapi_lib = sapcrypto.dll
sec/libsapsecu = sapcrypto.dll
snc/identity/as = p:SAPService<SID>@<DOMAIN>
Do you know if there a way to use the sapcrytpo lib for both purposes (SNC for ABAP-ABAP RFC and SSO for SAPGUI)?
Thanks a lot for your answers,
Florin
PS: I am aware that the parameters listed above are not all needed for enabling SNC and SSO. I only listed those related with the library and the name.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-12-2006 1:10 PM
I'm sorry to tell you the bad news: it is <b>not possible</b> to operate <u>two SNC libraries</u> (in parallel) at <u>one</u> application server instance.
However, you are describing to use SAPCRYPTOLIB for SSF (and potentially also for SSL) and "gi64krb5.dll" as SNC library. <u>That</u> is possible. But that's not related to your question regarding the simultaneous usage of two SNC libraries ...
Regards, Wolfgang
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-12-2006 1:10 PM
I'm sorry to tell you the bad news: it is <b>not possible</b> to operate <u>two SNC libraries</u> (in parallel) at <u>one</u> application server instance.
However, you are describing to use SAPCRYPTOLIB for SSF (and potentially also for SSL) and "gi64krb5.dll" as SNC library. <u>That</u> is possible. But that's not related to your question regarding the simultaneous usage of two SNC libraries ...
Regards, Wolfgang
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-12-2006 1:23 PM
Hi Wolfgang,
Thanks for your reply.
Then what would be the approach to achieve my goal (SSO for GUI and SNC for RFC with another AS ABAP)?
Can sapcrypto.dll cover both aspects?
Thanks a lot,
Best Regards,
Florin
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-12-2006 5:04 PM
No - the other way round: use the Kerberos SNC library for both purposes (i.e. client-server and server-server communication).
SAPCRYPTOLIB is only released for usage (as SNC library) for server-server communication. That's an OEM license restriction.
Regards, Wolfgang
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-12-2006 6:14 PM
Thanks Wolfgang.
Last question, I promise
Like I said I want to use SNC RFC between two AS ABAP. One is on Windows (and currently has Kerberos library installed and used for SAPGUI connection). The other system is UNIX Solaris.
According to note 150380 using a kerberos SNC library on Unix is not really supported by SAP. The interoperability can be tested with the GSSTEST tool but if it comes to support then the OS vendor is responsible.
Just to resume:
- using sapcrypto - NOT possible because only supported for server-server
- using kerberos - in heterogenous environments no full support from SAP
Do you know if there is other option to achieve what I am looking for?
Thanks a lot for your valuable help,
Regards,
Florin
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-13-2006 7:48 AM
Hi Florin,
the note relates to the ggskrb5.dll we ship and is meant for the combination of this dll being used on the SAP-GUI side and a selfmade dll on the server side. The reason in this case is, that gsskrb5.dll is just a wrapper to some MS APIs, we do neither control nor can support ourselves.
If you are using a certified product (I do not know which vendors dll gi64krb5.dll is) and have installed this product on the server as well as on the client this is supported. If the product is not certified, maybe you can ask the vendor to certify it.
regards, Patrick
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-13-2006 8:43 AM
Florin,
If you are looking for a single product, which is SAP certified, commercially supported, and allows you to use SNC with Kerberos between SAP GUI and SAP ABAP as well as SAP ABAP -> SAP ABAP, and works in both Windows and UNIX environments, then you might want to check http://www.cybersafe.com/links/snc.htm
Regards,
Tim
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-13-2006 1:19 PM
> Just to resume:
> - using sapcrypto - NOT possible because only supported for server-server
> - using kerberos - in heterogenous environments no full support from SAP
Well, indeed that is a conflict which can currently not be resolved - unless using a 3rd party SNC product that is available on both platforms (Windows and Solaris) and which can be used for both purposes (client-server and server-server communication), like Tim has pointed out (presenting one of the certified vendors).
Regards, Wolfgang
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-13-2006 3:43 PM
"gi64krb5.dll" is provided by SAP - see attachment "win64sso.zip" of <a href="http://service.sap.com/~iron/fm/011000358700000431401997E/0352295">SAP Note 352295</a>.
Cheers, Wolfgang
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-29-2007 3:48 PM
Hi,
we are facing something simular - is it possible to connect to two active directories at the same time?
Thanks,
Tobias
- SAP Managed Tags:
- Security
