Issue with parallel operation of SAP NW SSO 2.0 and SNC Client Encryption (Logon Groups)

Former Member
0 Kudos

Hi!

One of our customers is using the SNC Client Encryption solution to ensure encryption using SNC (based on Kerberos Technology) for their SAP GUI Dialog connections. They have lots of SAP backends DEV, QAS, PRD all with the SNC Client Encryption SNC Lib installed. The profile parameter snc/identity/as contains the following value: p:CN=SAP/<ServiceAccount>@<DOMAIN>.

Example: p:CN=SAP/SNCServiceUser@CUSTOMERDOMAIN.LOCAL


The customer is using one AD Service Account "SNCServiceUser" with one registered SPN "SAP/SNCServiceUser" for all systems (yes, this is not recommended... but the case).

Important: All users use group entries in the SAP Logon (saplogin.ini). This means that for SAP logon the SNC name cannot be manually configured on the SAP Front End. With group logons, the application server's SNC name is dynamically requested from the message server each time a SAP GUI connection is started. The SNC name is greyed out in this case, as it is dynamically obtained from the application server's profile parameter snc/identity/as.

Now our customer implements SAP NetWeaver Single Sign-On 2.0 within his landscape. Based on the Secure Login Server 2.0 (SP3) he likes to use X.509 based authentication to his AS ABAP backends using SAP GUI SNC while others still use SNC Client Encryption.

Replacing the SNC Library on the AS ABAP

The Secure Login Library 2.0 (SP3) has been installed on one of the ABAP systems and the SNC Client Encryption SNC Library (which is based on SSO 1.0) is no longer used, thus we changed the parameter snc/gssapi_lib to point to the new SNC library. We removed the old PSE.ZIP containing the keytab and created the new SAPSNCSKERB.PSE incl. the keytab and proper credentials. To ensure parallel operation, we kept the snc/identity/as value as is: p:CN=SAP/SNCServiceUser@CUSTOMERDOMAIN.LOCAL.

After restarting the system with the initialized Secure Login Library 2.0, SNC Client Encryption still works fine for existing users.

The problem

We created on the Secure Login Server an SNC certificate for the AS ABAP which has the following X.509 Distinguished Name format: CN=SAP/SNCServiceUser@CUSTOMERDOMAIN.LOCAL. This is to avoid having to change the snc/identity/as to a "real" X.509 DN, which would lead to non-working SNC Client Encryption for all the other users using SAP GUI and logon groups.

As soon as we install the PSE via STRUST on the system, the SNC Client Encryption solution stops working with error "Server refuses kerberos key exchange".

As part of a pilot implementation we have installed Secure Login Client 2.0 (SP3) on some test PCs. The test PC with SLC is able to perform Single Sign-On with SNC based on X.509 (incl. encryption) to the ABAP system.

It seems the SAP system now only tries to do X.509 based authentication, thus the key exchange fails. The problem is, we cannot change the snc/identity/as value because of the logon groups. If we were able to do so, we would in any case set the server identity to the X.509 DN and in addition create the SAPSNCSKERB.PSE incl. keytab. This should work, as confirmed by SAP, see this post.

Any ideas how to solve this and have both solutions in parallel?

Appreciate any help.

Regards,

Carsten

Accepted Solutions (1)


Former Member
0 Kudos

Meanwhile we tested this scenario with the latest CommonCryptoLib instead of using the SNC Library provided within the Secure Login Library 2.0 SP3 package. Same results.

  Platform:   linux-gcc-4.1-x86-64   (linux-gcc-4.1-x86-64)

  Versions:   SAPGENPSE     8.4.20 (Jun 23 2014)

              FILE-Version  8.4.20.0

              CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.20 pl40 (Jun 23 2014) MT-safe

X.509 SSO with SLC works fine but SNC Client Encryption works only sometimes... from what we see in the level 4 traces, the system seems to use the SAPSNCSKERB.PSE sometimes for verification and sometimes the SAPSNCS.PSE, which then leads to key exchange issues...

Former Member
0 Kudos

Hi Mr. Colt,

Officially the CommonCryptoLib did not support SNC Client Encryption. SNC Client Encryption works with Secure Login Library 1.0.

The snc/identity/as can be changed to SNCServiceUser and the SAP/ and domain name will be appended or not during SAP GUI login depending on which kind of connection you need. So you can set up your X.509 to CN=SNCServiceUser.

I would like to check your trace for verification, when the issue happens with a failed SNC Client Encryption login.

KR

Valerie

Former Member
0 Kudos

Hello Valerie,

thanks for your reply. Unfortunately this doesn't help us out.

1. The customer is using logon groups and the SAP GUI front end is using the snc/identity/as from the message server. If this does not contain p:CN=SAP/...., our assumption was that the SNC Client Encryption client is not able to request a service ticket because of the missing SPN syntax.

2. Until today my assumption was that the SAP/ append feature is a feature of the Secure Login Client SP2 Patch 3 and not of the SAP GUI or SNC Client Encryption installation (based on SSO 1.0); at least I found this information first in SAP Note 169605 - SNC name configuration to Kerberos and Certificates. So let's assume the server identity contains the p:CN=SAP/... part; that shouldn't be the issue, the domain append is working well, we know.

3. I don't like this information "..the CommonCryptoLib does not support SNC Client Encryption". I can tell you why:


there is the possibility to configure X.509 and Kerberos authentication in parallel on the server side.

It would be OK that one client will be the SNC Client Encryption SAP GUI instead of a full SSO Secure Login Client. It makes no difference for SNC on the server side.

This scenario will work.

Please see this post. Please let me know what is correct now: is this also not supported using the Secure Login Library 2.0?

Will recommend the customer to create an OSS message.

Best regards,
Carsten

Former Member
0 Kudos

Hi Mr Colt,

I think your issue has been solved and the solution provided was a configuration issue.

KR

Valerie

Former Member
0 Kudos

Hi all,

we were able to fix the issue. It was an issue with the customer's cluster configuration and the $SECUDIR variable. This tricky issue led to non-working or sporadically working SNC Client Encryption...

This was how the configuration looked before:

Environment variable $SECUDIR is defined:

"/ABCDEF<SID>/usr/sap/<SID>/DVEBMGSxx/sec"

sapgenpse seclogin -l -v

running seclogin with USER="<SID>adm"

Credentials for username '<SID>adm':

0 (LPS:OFF):

         (LPS:OFF): /ABCDEF<SID>/usr/sap/<SID>/DVEBMGSxx/sec/SAPSNCSKERB.pse

1 (LPS:OFF):

         (LPS:OFF): /usr/sap/<SID>/DVEBMGSxx/sec/SAPSNCS.pse

After changing the $SECUDIR to "/usr/sap/<SID>/DVEBMGSxx/sec" and re-creating the credentials, it worked like a charm.

As a result of this we can confirm: this configuration works, and SNC Client Encryption works with CommonCryptoLib in parallel to the SSO configuration.

And Valerie was right with point 2: SLC starting from V. 1.0 SP2 PL3 was able to convert the CN= part of the SNC name into an SPN; that was my mistake. In addition, SNC Client Encryption starting from Version 1 SP1 PL1 does this as well, just to make this clear.

Thread closed, hope this helps someone.

Carsten
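A check for the root cause found in this thread (credentials registered from two different $SECUDIR paths), as an added example and not code from the thread or from SAP: it parses the `sapgenpse seclogin -l -v` listing format quoted above and flags every PSE credential that does not live in the directory $SECUDIR points to. The listing is constructed from the post (placeholders <SID> and DVEBMGSxx kept), and the function names are my own.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the seclogin listing in the thread (not real output).
SAMPLE_LISTING = """\
running seclogin with USER="<SID>adm"
Credentials for username '<SID>adm':
0 (LPS:OFF):
         (LPS:OFF): /ABCDEF<SID>/usr/sap/<SID>/DVEBMGSxx/sec/SAPSNCSKERB.pse
1 (LPS:OFF):
         (LPS:OFF): /usr/sap/<SID>/DVEBMGSxx/sec/SAPSNCS.pse
"""

# Matches the indented "(LPS:ON|OFF): <path>.pse" line that follows each credential index.
PSE_LINE = re.compile(r"^\s*\(LPS:(?:ON|OFF)\):\s+(?P<path>\S+\.pse)\s*$", re.IGNORECASE)


def parse_seclogin(listing: str) -> List[Tuple[str, str]]:
    """Return (pse_file_name, directory) for every credential in the listing, in order."""
    entries = []
    for line in listing.splitlines():
        m = PSE_LINE.match(line)
        if m:
            path = m.group("path")
            entries.append((os.path.basename(path), os.path.dirname(path)))
    return entries


def find_secudir_mismatches(listing: str, secudir: str) -> Dict[str, str]:
    """Map each PSE registered outside $SECUDIR to the directory its credential points at.

    An empty result means every SNC credential resolves into the same directory the
    instance reads its PSEs from, so the server cannot pick a PSE from a second location.
    """
    wanted = os.path.normpath(secudir)
    return {name: d for name, d in parse_seclogin(listing)
            if os.path.normpath(d) != wanted}


if __name__ == "__main__":
    # Use the environment's SECUDIR if set, otherwise the pre-fix value from the thread.
    secudir = os.environ.get("SECUDIR", "/ABCDEF<SID>/usr/sap/<SID>/DVEBMGSxx/sec")
    for name, where in find_secudir_mismatches(SAMPLE_LISTING, secudir).items():
        print(f"WARNING: {name} credential points to {where}, not $SECUDIR={secudir}")
```

On a real instance, pipe the output of `sapgenpse seclogin -l -v` in place of the constructed sample and compare against the $SECUDIR of the user that runs the work processes, not the shell you happen to be logged in with.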
