on 11-30-2015 8:41 AM
Hi,
I have the requirement to implement the simplest available measure to avoid sending passwords for users via standard DIAG or HTTP as part of the EEM scripts. So either they are encrypted or the solution avoids sending the password at all. The solution should be the same for both protocols. The EEM Robots are supposed to run on Win 2012 64-bit (2008 32-bit could be an exception).
Certificate (X.509) based authentication seems to be the most complex. Does it work for SAPGUI/DIAG access to the ABAP Application Server and for web browser access to WebDynpro ABAP and Java applications with EEM in the same way?
The FAQ mentions Windows NT LAN Manager (NTLM) authentication. Does it work for both SAPGUI/DIAG and HTTP? It seems to be an outdated implementation, as the SAP documentation - outside the EEM space - recommends using "Kerberos for SAP GUI Authentication for system environments consisting of Microsoft Windows 2000 and higher".
SAP Single Sign-On 2.0 supports, for Secure Login, Windows-based Kerberos tickets that authenticate users into the SAP software through a web browser or Windows-based SAP GUI.
Is that supported with EEM scripts? Will it work?
Any experiences made, which could help on this?
Many Thanks
Martin
Hi Martin
I would have the tendency in this case to use the certificate based authentication for the Diagnostics Agents (taking into account relevant SAP Notes such as 1985387) and then check the generic information on EEM security concepts.
An SAP Notes search using the keywords "EEM authentication" gives back some interesting SAP Notes:
1985387 - Potential information disclosure relating to SAP Solution Manager
<- This SAP note contains interesting information on security related to Diagnostics Agent
2090861 - EEM proxy authentication fails for some proxy products when NTLM is used
1971026 - EEM script fails with "Authentication failed" using a certificate - Solution Manager 7.10
1943922 - EEM: NTLM authentication improvements
The generic information on EEM and its security-related concepts contains information on other spots where you would want to be careful, for example user/password in scripts, HTML posts etc.
http://wiki.scn.sap.com/wiki/display/EEM/Security+Concepts
Best regards
Tom
Thanks Tom,
Note 1985387 was helpful in general, but did not solve my problem.
Let me rephrase it:
My EEM script for SAPGUI should not send a password via regular DIAG even if the traffic is inside a VLAN. What options do I have?
a) SNC Client Encryption: SAP GUI sends encrypted user ID and password to the SAP NetWeaver AS for ABAP
SAP GUI sends encrypted user ID and password to the SAP NetWeaver AS for ABAP for authentication. All further communication during the current session is secure.
Will it work with an EEM script? Or is the only supported alternative to use NTLM?
b) Client Certificate Logon for SAP GUI Client Certificate Logon for SAP GUI - User Authentication and Single Sign-On - SAP Library
-> Complex and costly
My EEM script for HTTP should not send a password via HTTP even if the traffic is inside a VLAN. It is also only about logon to one application server, no SSO requirement. What options do I have?
a) Client X.509 Certificate Logon and Secure Sockets Layer (SSL) X.509 Client Certificates - User Authentication and Single Sign-On - SAP Library
-> Complex and costly
b) Kerberos Authentication - User Authentication and Single Sign-On - SAP Library
-> Will it work with an EEM script? Or is the only supported alternative to use NTLM?
Configuring the SMD Agent to SolMan with certificate based authentication seems to be straight forward compared to the above
mhm...bad luck...
...I hoped that Marc Arnold Bach, the author of Home - End-User Experience Monitoring - SCN Wiki, would be able to look at this. Unfortunately I'm not able to send him a direct message.
Are you able to do that Tom?
Thanks Martin
Hi Martin,
let me summarize what is currently supported and possible for EEM authentication:
1. EEM SAPGUI scripts
Here EEM only supports user/password authentication. Technically, SNC communication might be feasible as well and we were able to use it in a POC in the EEM Editor (by specifying additional connection parameters), but there are two major aspects that keep us from supporting it:
a. SNC depends on additional security libraries to implement SNC. In my understanding there are multiple vendors providing such a solution. It would be a huge effort even to set this up in a test environment.
b. Connection to the OS user: the certificate store for SNC is typically connected to the OS user. This would be the Windows Service user running the diagnostics agent, e.g. SAPServiceDAA. This does not fit to the concept of deploying multiple different self-contained script configurations including authentication to a robot.
2. EEM HTTP scripts
We should distinguish authentication and encryption here.
a. Encryption: EEM relies on the encryption features for HTTPS of the underlying SAP JVM 6 on the robot side. Every script can have a dedicated list of trusted certificates. Using HTTPS should be sufficient to avoid sending passwords in clear text over the network.
b. Authentication: Here I repeat the contents of the FAQ. Supported authentication methods:
* Basic
* NTLM
* X509 client certificates (provided in a script-specific key store)
Hope this clarifies it.
regards
Jens
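The two points in Jens' answer for HTTP scripts (Basic/NTLM credentials are only safe because HTTPS wraps them, and trust is a script-specific list of certificates rather than the platform's default store) can be made concrete. The following is an added illustration in Python, not EEM code and not from the SAP wiki or FAQ: it recovers the password from a hand-written sample of a Basic-auth request as it would appear on plain HTTP, applies a simple policy that refuses to attach credentials to a non-HTTPS step, and builds a TLS context that trusts only a per-script CA file and optionally presents an X.509 client certificate. The sample request, host name, user name and password are constructed for the example; the file paths passed to the TLS function are placeholders.

```python
import base64
import ssl
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample (not a capture from a real system): a Basic-auth request to an
# ABAP ICF service as it travels over plain HTTP. The token is base64("eemrobot:Initial123").
SAMPLE_HTTP_REQUEST = (
    "GET /sap/bc/ping HTTP/1.1\r\n"
    "Host: appserver.example.invalid:8000\r\n"
    "Authorization: Basic ZWVtcm9ib3Q6SW5pdGlhbDEyMw==\r\n"
    "\r\n"
)


def recover_basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic' header, or None.

    Base64 is an encoding, not encryption: anyone who sees the request on the
    network can do exactly this, which is why Basic needs HTTPS underneath."""
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                decoded = base64.b64decode(token).decode("utf-8")
                user, _, password = decoded.partition(":")
                return user, password
    return None


def credential_transport_ok(url: str, auth_method: str) -> bool:
    """Policy check for one script step (an assumption of this example, not an EEM rule):
    any of the authentication methods from the FAQ may only be used over https.
    Basic is reversible, NTLM hashes are crackable offline, and an X.509 client
    certificate can only be presented inside a TLS handshake anyway."""
    scheme = urlsplit(url).scheme.lower()
    if auth_method.lower() in ("basic", "ntlm", "x509"):
        return scheme == "https"
    return True


def build_script_tls_context(trusted_ca_pem: str,
                             client_cert_pem: Optional[str] = None,
                             client_key_pem: Optional[str] = None) -> ssl.SSLContext:
    """Per-script trust: accept only the CA(s) in trusted_ca_pem instead of the
    platform default store, verify the host name, and optionally load an X.509
    client certificate so the logon needs no password at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=trusted_ca_pem)  # script-specific trust list
    if client_cert_pem:
        ctx.load_cert_chain(certfile=client_cert_pem, keyfile=client_key_pem)
    return ctx


if __name__ == "__main__":
    print("recovered from plain HTTP:", recover_basic_credentials(SAMPLE_HTTP_REQUEST))
    for step_url in ("http://appserver.example.invalid:8000/sap/bc/ping",
                     "https://appserver.example.invalid:44300/sap/bc/ping"):
        print(step_url, "basic allowed:", credential_transport_ok(step_url, "basic"))
    # Placeholder paths; the files would be the script's own trust list and client key pair.
    # ctx = build_script_tls_context("script_trusted_ca.pem", "robot_cert.pem", "robot_key.pem")
```

The policy function is the check a practitioner would add when reviewing a recorded script before deployment: a step that carries credentials to an `http://` URL is exactly the situation Martin wants to rule out. The TLS builder mirrors the "dedicated list of trusted certificates" idea; loading only the script's CA file means a certificate that happens to be trusted by the JVM or the OS store does not automatically satisfy the robot.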
Hi Jens,
maybe you still get alerted on this thread....
I do have another need for clarification with respect to parallelization of eem script executions.
Parallel "instances" (= script executions) of the same script connecting to different SAP application servers with the same user name for logon. Every 5 mins, to the same SAP application server.
Do you expect any executions conflicts, blocking situations?
Which key variables are handled dynamically per script execution?
Thanks Martin