Solved: Is it possible to connect a non-SAP J2EE server to...

Former Member · ‎10-29-2013

Hello Dear Security Experts,

My project needs that web services we will develop on a non SAP JEE server (JBoss) connect via jco to ECC 6. We want to make SSO connections.

The pb is that the WS will be called from browsers on windows clients, connected to MS Active Directory. So we expect leveraging the Kerberos authentication made on the windows client, get the user's Kerberos token on the JBoss server and ... then use JCO to connect to ECC. That's where it seems complicated. It seems that JCO only accepts these connection modes:

1 - user / password

2 - X509 certificate

3 - MYSAPSSO2 ticket

4 - SNC connection with a SNC Kerberos Library (according to Tim Alsop there: "In the RFC connection, you would use SNC_PARTNERNAME and SNC_MYNAME to specify Kerberos principal names of user and backend system, but you won't be needing to specify a userid and password, x.509 cert or MYSAPSSO2. The SNC parameters will determine the user identity under which the function module executes because of mapping info in USRACL table. As I mentioned, you need a Kerberos SNC library on backend, as well as on JEE server." (http://scn.sap.com/thread/1696272)

tim_alsop · ‎10-29-2013

Yes, I would recommend using SNC with a Kerberos library to use the delegated credentials of the user and authenticate to ECC. I have used this method many times before - it is actually quite easy. I look forward to helping you with this.

tim_alsop · ‎10-29-2013

Yes, I would recommend using SNC with a Kerberos library to use the delegated credentials of the user and authenticate to ECC. I have used this method many times before - it is actually quite easy. I look forward to helping you with this.

Former Member · ‎10-29-2013

Hello Tim,

I haven't found any SNC library that leverages Kerberos authentication (in store.sap.com and in SAP Partner Finder). Could you please develop how you combined SNC and Kerberos on a non-SAP J2EE server? Did you use SAP SNC library (sapcryptolib) ?

Thanks a lot for your help...

Nicolas

tim_alsop · ‎10-29-2013

The library used is included with this product - https://store.sap.com/sap/cpa/ui/resources/store/html/SolutionDetails.html?pid=0000011330&catID=&pcn....

Former Member · ‎10-29-2013

Thanks Tim for the link. I saw the product in the store but I don't understand what we should buy (product ?, bundle ?, SNC library doesn't seem sold alone) in order to achieve the goal of my project :

1) user logs on the windows desktop (connected to Active Directory)

2) user opens the browser and calls a web service hosted on a JBoss server

3) the web service on the JBoss server connects to ECC, via jco, and SSO is performed based on the Kerberos token.

Do we need to install something on user's desktop (like SAP secure client in NetWeaver SSO 2.0 product) ?

Except the specific SNC library, do we need to install something on the JBoss server ?

Do we need to install something on the ECC server ?

Thanks in advance for your clarifications

Regards,

Nicolas

tim_alsop · ‎10-29-2013

Questions about products on the SAP store need to be discussed with the vendor of those products. The vendor in this case is my company called CyberSafe, and I will be able to answer your questions, but not in this public forum.

Former Member · ‎10-29-2013

Thanks Tim. I will see if my customer wants to investigate more deeply in this way.

Regards

Nicolas

former_member259859 · ‎12-29-2020

I have the same scenario, could you tell me about snc and sap system?

Is it possible to connect a non-SAP J2EE server to ECC via JCO and use Active Directory authentication for SSO ?