What User Authentication for EEM Scripts (HTTP and SAPGUI/DIAG)


Hi,

I have the requirement to implement the simplest available measure to avoid sending passwords for users via standard DIAG or HTTP as part of the EEM scripts. So either they are encrypted or the solution avoids sending the password at all. The solution should be the same for both protocols. The EEM Robots are supposed to run on Win 2012 64-bit (2008 32-bit could be an exception).

Certificate (X.509) based authentication seems to be the most complex. Does it work for SAPGUI/DIAG access to the ABAP Application Server and for web browser access to WebDynpro ABAP and Java applications with EEM in the same way?

The FAQ mentions Windows NT LAN Manager (NTLM) Authentication. Does it work for both SAPGUI/DIAG and HTTP? It seems to be an outdated implementation, as it is recommended by SAP documentation (outside the EEM space) to use "Kerberos for SAP GUI Authentication for system environments consisting of Microsoft Windows 2000 and higher".

SAP Single Sign-On 2.0 supports, for Secure Login, Windows-based Kerberos tickets that authenticate users into the SAP software through a web browser or the Windows-based SAP GUI.

Is that supported with EEM scripts? Will it work?

Any experiences made, which could help on this?

Many Thanks

Martin

Accepted Solutions (1)

TomCenens
Active Contributor

Hi Martin

I would have the tendency in this case to use the certificate-based authentication for the Diagnostics Agents (taking into account relevant SAP Notes such as 1985387) and then check the generic information on EEM Security Concepts.


An SAP Notes search using the keywords "EEM authentication" gives some interesting SAP Notes back:

1985387 - Potential information disclosure relating to SAP Solution Manager
<- This SAP Note contains interesting information on security related to the Diagnostics Agent

2090861 - EEM proxy authentication fails for some proxy products when NTLM is used

1971026 - EEM script fails with "Authentication failed" using a certificate - Solution Manager 7.10

1943922 - EEM: NTLM authentication improvements

The generic information on EEM and its security-related concepts contains information on other spots where you would want to be careful, for example user/password in scripts, HTML posts etc.


http://wiki.scn.sap.com/wiki/display/EEM/Security+Concepts


Best regards


Tom


Thanks Tom,

Note 1985387 was helpful in general, but did not solve my problem.

Let me rephrase it:

My EEM script for SAPGUI should not send a password via regular DIAG even if the traffic is inside a VLAN. What options do I have?

a) SNC Client Encryption: SAP GUI sends encrypted user ID and password to the SAP NetWeaver AS for ABAP

  1. User logs on to a Windows client (domain logon) and starts an SAP GUI connection to an SAP NetWeaver AS for ABAP system protected with SNC Client Encryption. 
  2. SNC Client Encryption recognizes the request for an SNC connection and requests a service ticket for the SAP NetWeaver AS for ABAP from the Microsoft Active Directory server. 
  3. The Microsoft Active Directory server returns the ticket to SNC Client Encryption. 
  4. SAP GUI requests a user ID and password from the user. 
  5. Encrypted channel established.
     SAP GUI sends the encrypted user ID and password to the SAP NetWeaver AS for ABAP for authentication. All further communication during the current session is secure.

Will it work with an EEM script? Or is the only supported alternative to use NTLM?

b) Client Certificate Logon for SAP GUI (Client Certificate Logon for SAP GUI - User Authentication and Single Sign-On - SAP Library)

  • requires using an external security product to perform the authentication
  • requires X.509 client certificates from a Certification Authority (CA)

-> Complex and costly

My EEM script for HTTP should not send a password via HTTP even if the traffic is inside a VLAN. It is also only about logon to one application server, no SSO requirement. What options do I have?

a) Client X.509 Certificate Logon and Secure Sockets Layer (SSL) (X.509 Client Certificates - User Authentication and Single Sign-On - SAP Library)

  • requires using an external security product to perform the authentication
  • requires X.509 client certificates from a Certification Authority (CA)

-> Complex and costly

b) Kerberos Authentication (Kerberos Authentication - User Authentication and Single Sign-On - SAP Library)

Will it work with an EEM script? Or is the only supported alternative to use NTLM?

Configuring the SMD Agent to SolMan with certificate-based authentication seems to be straightforward compared to the above.

TomCenens
Active Contributor

Hi Martin


I don't have the answers but I'm interested in knowing as well hehe

Would be nice if someone from team inside SAP can comment on this maybe?

Best regards

Tom


Mhm... bad luck...

...I hoped that Marc Arnold Bach, the author of Home - End-User Experience Monitoring - SCN Wiki, would be able to look at this. Unfortunately I'm not able to send him a direct message.

Are you able to do that Tom?

Thanks Martin

TomCenens
Active Contributor

Hi Martin,

I've pinged Jens and Marc.

Best regards


Tom

jens_claussen
Discoverer

Hi Martin,

let me summarize what is currently supported and possible for EEM authentication:

1. EEM SAPGUI scripts

Here EEM only supports user/password authentication. Technically, SNC communication might be feasible as well and we were able to use it in a POC in the EEM Editor (by specifying additional connection parameters), but there are two major aspects that keep us from supporting it:

a. SNC depends on additional security libraries to implement SNC. In my understanding there are multiple vendors providing such a solution. It would be a huge effort even to set this up in a test environment.

b. Connection to the OS user: the certificate store for SNC is typically connected to the OS user. This would be the Windows service user running the Diagnostics Agent, e.g. SAPServiceDAA. This does not fit the concept of deploying multiple different self-contained script configurations, including authentication, to a robot.

2. EEM HTTP scripts

We should distinguish authentication and encryption here.

a. Encryption: EEM relies on the encryption features for HTTPS of the underlying SAP JVM 6 on the robot side. Every script can have a dedicated list of trusted certificates. Using HTTPS should be sufficient to avoid sending passwords in clear text over the network.

b. Authentication: Here I repeat the contents of the FAQ. Supported authentication methods:

* Basic
* NTLM
* X509 client certificates (provided in a script-specific key store)

Hope this clarifies it.

regards

Jens
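An added illustration of the two HTTP-script points above (a per-script list of trusted certificates plus a script-specific X.509 client key store, and Basic credentials sent only over HTTPS). This is not EEM's own code; the class name, store file paths and a Java 8+ JVM are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Base64;
import javax.net.ssl.*;

// Hypothetical helper (not EEM code): per-script TLS settings from the script's own stores.
public final class ScriptHttpsClient {
    static KeyStore loadStore(String type, String path, char[] pw)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks;
    }
    static SSLContext buildContext(String trustStorePath, char[] trustPw,
                                   String keyStorePath, char[] keyPw)
            throws IOException, GeneralSecurityException {
        // Script-specific list of trusted server certificates (JKS or PKCS12 file).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(KeyStore.getDefaultType(), trustStorePath, trustPw));
        // Script-specific X.509 client certificate, only if this script authenticates with one.
        KeyManager[] km = null;
        if (keyStorePath != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadStore("PKCS12", keyStorePath, keyPw), keyPw);
            km = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(km, tmf.getTrustManagers(), null);
        return ctx;
    }
    // Attaches a Basic credential only to an https:// URL, so a plain-http step in a
    // script cannot put the password on the wire in clear text.
    static HttpsURLConnection openWithBasicAuth(URL url, SSLContext ctx, String user, char[] password)
            throws IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol()))
            throw new IllegalArgumentException("Basic credentials only over HTTPS: " + url);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        byte[] token = (user + ":" + new String(password)).getBytes(StandardCharsets.UTF_8);
        conn.setRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString(token));
        return conn;
    }
}
```

Pass `null` as `keyStorePath` for a script that authenticates with Basic or NTLM rather than a client certificate; the trust store is still applied so only the script's trusted servers are accepted.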


Many Thanks Jens! Clear to me now!

Best regards Martin


Hi Jens,

maybe you still get alerted on this thread...

I do have another need for clarification with respect to the parallelization of EEM script executions.

Parallel "instances" (= script executions) of the same script connecting to different SAP application servers with the same user name for logon, every 5 minutes, to the same SAP application server.

Do you expect any execution conflicts or blocking situations?

What key variables are handled dynamically per script execution?

Thanks Martin
