
SNC/SSO Migration from MIT Kerberos to SAP cryptolib.


Hello Experts

Currently we have SNC/SSO with MIT Kerberos. Could you please let me know the procedure to migrate it to SAP cryptolib?

Thanks in advance

Karthik

Accepted Solutions (0)

Answers (1)

Former Member

Hi Karthik,

Oh, the old tiresome topic of migrating from *-SNC to SAP CommonCryptoLib. In order to migrate your SSO solution based on the MIT Kerberos SNC library, it is required to switch back to username + password based authentication. There is no smooth migration possible, due to the fact that you can never have more than one SNC library on your AS ABAP or Windows client PC. In short, this isn’t possible without either a big bang or switching back to password auth.

The parallel operation of several SNC libraries on the client side “could” be possible (controllable via script, environment variables ...) but is very adventurous. I would love to have a “standard” way (at least on the SAP GUI) where a user (or the admins) is able to “control” which SNC library is used for which connection. Just a small configuration on the SAP GUI client, a saplogon.ini parameter or whatever. A place where you would be able to define the path and SNC lib used for a specific connection. This could then run at least on the client side, and allow for several SNC solutions in parallel.

That would provide customers with the possibility to roll out the Secure Login Client and migrate the ABAP backends one after another. Connections to migrated servers would use the new SAP CCL while the old SNC based connections would still work.

For backend migration: Although SNC libraries are based on the standard interface GSS-API V2 most of the time, the token formats are incompatible with each other; this involves the GSS-API token itself as well as the user mapping format (often another canonical name format).

So when you have replaced the SNC lib and profile parameter and created the required SNC credentials, it is required to re-create the canonical names and perform the user mapping with the proper format.

Does that help a bit?


Regards, Carsten