
Is it possible to implement SNC without Active Directory?

Former Member
0 Kudos

Hello,

We have our servers hosted at a remote site and we want to use SAPRouter to connect to this location and add SNC to encrypt connections.

The issue is that we don't have an Active Directory implemented and I was wondering if there are any options to implement SNC library for front end connections without using an Active Directory.

Thank you!

1 ACCEPTED SOLUTION

Kaempfer
Advisor

Hi Maria,

See my answers, which are SAP-centric.

Encryption of communication of SAP GUI to SAP System

For SCE Client Encryption a MS AD is required for SNC.

For SAP NW SSO you can also use encryption via certificates and without an MS AD.

Encryption of communication from SAP System to SAP System

SAPCRYPTOLIB --> no MS AD required

Regards

Matthias

9 REPLIES 9

tim_alsop
Active Contributor

Do you want to use SNC in SAP router only, or use SNC to encrypt the DIAG protocol connection (e.g. SAP GUI - SAP NW ABAP) over the network where the SAP router is used? Both are possible, but have different implications.

Former Member
0 Kudos

Hi Tim,

Thank you for the quick reply. I am talking about using SNC to encrypt the DIAG protocol connection.

Maria

tim_alsop
Active Contributor
0 Kudos

ok, thanks.

So, does the user on the workstation (where SAP GUI is running) log on to a local Windows account?

Former Member
0 Kudos

Hi Tim

Yes, they would log on to a local Windows account.

Now, if we could possibly implement Active Directory but at our offices without including the servers at the remote site... would this help with the scenario?

Thank you

tim_alsop
Active Contributor
0 Kudos

The workstation where SAP GUI is installed would need to be able to connect to Active Directory, but the SAP server where AS for ABAP is running does not need to connect to Active Directory. If you don't have Active Directory, then you will need another server which can be used to issue cryptographic keys for encrypting the session.

Actually, I am wondering why local accounts are used? Doesn't this cause issues with controlling central password policy and controlling access to the systems? How many workstations are involved? Is it a lot?

Former Member
0 Kudos

Hi Tim,

It is a very small business with few users and that's why the administration is minimal but security is still needed.

Thank you

tim_alsop
Active Contributor
0 Kudos

ok, makes sense now.

So, you can implement MS AD and use SAP GUI Client Encryption SNC library (which is free). Or you can purchase a license for an SNC library from SAP (part of SAP NW SSO product) or from a SAP partner (such as the one I work for). If you purchase a product then you will also get added benefits such as SSO, not just encryption. As you are a small company, I would guess you want to go with the free option instead of buying licenses.

Thanks,

Tim

Former Member
0 Kudos

Thank you for the follow up on this thread
