01-08-2007 5:12 AM
Hi All,
We have a requirement where the client says there needs to be an SSL tunnel established between SAP R/3 and the Portal (through ITS) to access R/3 through the portal.
Do we have to use SSL for that, or SNC? I heard SNC is the mechanism which has to be used here, since it uses the DIAG protocol to connect but not HTTP. Is it true? Kindly give some more ideas on this.
The other thing is that to do this they need to open a port in the firewall in between. Can you guide which SAP port has to be open for this connection?
Thanks In Advance
Regards
Rani A
01-16-2007 8:23 PM
Hi Rani,
SNC provides security at the application level. This means that a secure connection between the components of the SAP system (for example, between the SAP GUI and the SAP application server) is guaranteed, regardless of the communication link or transport medium (see the graphic below). You therefore have a secure network connection between two SNC-enabled communication partners.
Please check the URL for further info
http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/frameset.htm
SNC-secured connection ports:
Dispatcher: sapdp'nr's, port 47'nr' (example: sapdp00s, port 4700)
Hope this helps
Cheers,
Shyam
01-08-2007 9:22 AM
Please provide some more detailed information:
(1) version of the ABAP system ("R/3") => internal / external ITS
(2) communication peers: "Who is the client? Who is the server?"
(I suspect that in both cases the browser is the client, so
actually there is no server-to-server communication)
Regarding SSL vs SNC:
Yes, SSL can be used with http (-> https) while SNC can be used with SAP's proprietary protocols (RFC and DIAG) which are used for the communication between ITS Agate and the ABAP application server (when using an external ITS). When using the internal ITS (available as of NetWeaver 2004 / 6.40) http(s) is used for the communication between the browser and the Web Application Server.
Cheers, Wolfgang
01-08-2007 11:11 AM
Hi Wolfgang/Siezte,
I will be back with more information, such as the version, type of ITS and exact requirement, very soon.
Thanks for Now
Rani A
01-08-2007 10:30 AM
RFC is the protocol used for the communication between Portal and an R/3 (ABAP) system. RFC must be secured using SNC. You can use the SAP Crypto Library for doing this but there are alternatives.
You have to use SSL to secure the communication between the browser (user) and the Portal.
It may also be necessary to use both. This depends on your exact requirements.
01-08-2007 12:03 PM
Yes, that's true if UME is using that ABAP system as user store provider.
See <a href="https://service.sap.com/sap/support/notes/645876">SAP Note 645876</a>, then.
<a href="https://service.sap.com/sap/support/notes/510007">SAP Note 510007</a> explains how to activate SSL for the ABAP WebAS (as of 6.10).
01-16-2007 10:48 AM
Hi All,
I have all the information now to proceed further. It is a standalone ITS. It is on a WAS 6.4 server. R/3 is 4.6C and above.
We are planning to have SSL between the browser and ITS and then SNC between ITS and SAP.
Now the question is which ports need to be opened in order to establish SNC between ITS and SAP. Any inputs?
Thanks and Regards
Rani A
01-16-2007 10:54 AM
The external ITS (Agate) communicates with the ABAP application server via RFC and DIAG. So, the ports "sapdp##" and "sapgw##" (with ## = instance number) are required. If using load-balancing, then the message server (sapms<SID>) needs to be accessible as well.
But: usually you place the ITS Agate inside the server network - and the ITS Wgate together with the Webserver (IIS / Apache) in a DMZ, with a packet filter firewall in between both.
I'm pretty sure that you should find some documents on <a href="http://service.sap.com/security">http://service.sap.com/security</a> regarding this issue ("X.509 Certificate Logon via the ITS" in the "Archive (Old Documents)" section). There you will also find a document with the title "Configuring SNC for the Agate / SAP System Connect" (cookbook, PDF).
Cheers, Wolfgang
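The port requirement described in the post above can be checked against a firewall allow-list. The following is an added example, not part of any post in this thread: it resolves the service names through a services-file excerpt and reports missing and excess rules. The host names, SID `PRD`, rule list and services entries are constructed sample data, and the `sapgw##s` name for an SNC-secured gateway is an assumption modelled on the `sapdp'nr's` entry quoted in the thread.

```python
import re

# Constructed services-file excerpt (sample data, not from the thread's systems).
SERVICES = """\
sapdp00   3200/tcp   # dispatcher (DIAG)
sapgw00   3300/tcp   # gateway (RFC)
sapdp00s  4700/tcp   # dispatcher, SNC-secured
sapgw00s  4800/tcp   # gateway, SNC-secured (assumed name)
sapmsPRD  3600/tcp   # message server (load balancing)
"""

# Constructed firewall allow-list: (source host, destination host, TCP port).
RULES = [
    ("agate", "abap", 3200),
    ("agate", "abap", 3300),
    ("agate", "abap", 4700),
    ("wgate", "abap", 3200),   # DMZ host reaching the backend directly
    ("agate", "abap", 23),     # unrelated port left open
]

def parse_services(text):
    """Map service name -> TCP port from services-file lines."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\d+)/tcp\b", line.split("#", 1)[0])
        if m:
            ports[m.group(1)] = int(m.group(2))
    return ports

def required_services(instance, sid=None, snc=False):
    """Service names the AGate needs: dispatcher, gateway, optional message server."""
    suffix = "s" if snc else ""
    names = [f"sapdp{instance:02d}{suffix}", f"sapgw{instance:02d}{suffix}"]
    if sid:  # message server is only needed with load balancing
        names.append(f"sapms{sid}")
    return names

def audit(rules, services, src, dst, instance, sid=None, snc=False):
    """Return (missing service names, excess rules) for traffic towards dst."""
    names = required_services(instance, sid, snc)
    unresolved = [n for n in names if n not in services]
    needed = {services[n]: n for n in names if n in services}
    allowed = {p for s, d, p in rules if (s, d) == (src, dst)}
    missing = unresolved + [n for p, n in needed.items() if p not in allowed]
    # Excess: any rule towards dst from another source or to a port not required.
    excess = [r for r in rules if r[1] == dst and (r[0] != src or r[2] not in needed)]
    return sorted(missing), excess
```

Calling `audit(RULES, parse_services(SERVICES), "agate", "abap", 0, sid="PRD", snc=True)` lists the service names that still need a rule and the rules that can be removed, including the direct path from the DMZ host.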
01-16-2007 11:22 AM
Hi,
That means for the Dispatcher it is 32NN
and for the Gateway it is 33NN,
where NN is the R/3 instance.
Did you mean these ports?
Regards
Rani A
01-17-2007 7:29 AM
Hi Rani,
which dispatcher are you talking about?
The default port for the ABAP dispatcher is 36NN. For an overview of the ports used by SAP, please have a look at <a href="https://service.sap.com/security">https://service.sap.com/security</a> -> Security in Detail -> Infrastructure Security, where you can find a document titled <a href="https://websmp207.sap-ag.de/~sapdownload/011000358700006260282006E/TI-SAP_Ports-061005.pdf">TCP/IP Ports Used by SAP Applications</a>.
Regards, Patrick
01-17-2007 11:31 AM
Hi Patrick/Shyam,
Actually I am new to ITS and Basis kind of work. Now for SNC between ITS and SAP ABAP, the client says we need to configure the IP of R/3 in ITS. Is it true? How to do that? Any idea?
How to access the ITS Admin Tool? Please guide me on this.
Regards
Rani A
01-17-2007 1:31 PM
Hi Rani,
what the ITS Admin is, is explained in the docs to the <a href="http://help.sap.com/saphelp_nw04/helpdata/en/44/28611e0bd26493e10000000a1553f7/frameset.htm">ITS Admin Tool</a>. This also includes how to access it.
Usually specifying the ABAP backend is done by maintaining the <a href="http://help.sap.com/saphelp_nw04/helpdata/en/44/2b67fe369b060ae10000000a155369/frameset.htm">Global Service File Parameters</a>.
The <a href="http://help.sap.com/saphelp_nw04/helpdata/en/44/2aa8081a3a060ae10000000a155369/frameset.htm">SNC configuration</a> is part of the <a href="http://help.sap.com/saphelp_nw04/helpdata/en/44/2a95a61a3a060ae10000000a155369/frameset.htm">Security Configuration</a> and also done in the ADM instance of the ITS.
Regards,
Patrick
01-18-2007 6:55 AM
Hi,
Thanks for your help. Now I need to configure SSL between the browser and ITS. Where can I find the doc or link for that?
Bye
Rani A
01-18-2007 12:58 PM
01-18-2007 1:21 PM
Hi Rani,
I guess you are using IIS as the web server underneath the WGate, right? In this case, I would recommend checking the docs of your IIS. If I remember correctly, this is part of the properties of the web server in IIS. For the browser, you usually do not need to do anything. If you want to forbid HTTP, I would recommend putting a redirect from the HTTP part to the HTTPS part of the web server.
There is also a page in the MS Technet about <a href="http://technet2.microsoft.com/WindowsServer/en/library/0c828f40-a479-44a2-9b82-4653896c86281033.mspx">Configuring SSL</a> for IIS 6.
Regards,
Patrick
01-18-2007 1:32 PM
The external ITS is using a standard web server (e.g. Microsoft IIS, Apache, ....) which implements the SSL protocol. Therefore you have to refer to the documentation of the (3rd party) web server product.
Regards, Wolfgang
01-19-2007 11:39 AM