
Is SAPcryptolib supported for standalone JCo RFC client?

Former Member
0 Kudos

Hi there,

I need to use SNC in a standalone JCo client for network security reasons. I am specifically not looking for end-to-end authentication involving Kerberos or some such. However, I need to support SNC on both Windows and Linux platforms.

1. Does SAP support the use of SAPcryptolib for this?

Search turns up conflicting advice. For example, FAQ no. 6 on the SAP JCo Service Marketplace page hints that this is a supported scenario:

The communication between SAP JCo and an SAP System can be secured via Secure Network Communication (SNC). For this you need the SAP Cryptographic Library.

There also seem to be some middleware products on the market that have documentation which I think implies that their SAP adapters internally use SAPcryptolib.

On the other hand, many posts by knowledgeable people like Wolfgang Janzen and Tim Alsop (but mostly rather old ones) indicate that SAP supports the use of SAPcryptolib only in scenarios where two server components (i.e. SAP J2EE Engine, SAP-System ABAP Engine, SAProuter,  etc.) are communicating with each other, and that SAPcryptolib is not supported to be used as an SNC library for frontend components such as RFC-based clients. For any such SNC activity one would have to get a third-party product that is compatible with SAPcryptolib.

Can anyone clear up this muddle for me? No guesses, please.

2. Additional question (guesses appreciated): Even if this scenario were not supported for SAPcryptolib, would it probably work in practice?

Thanks a lot,

Sebastian

1 ACCEPTED SOLUTION

LutzR
Active Contributor
0 Kudos

Hi Sebastian,

Just use the newer Common Cryptolib and everything is fine because it combines all SNC scenarios into one library. You should use Common Cryptolib anyway because enhancements (e.g. modern cryptography) will not be added to the old SAP Cryptolib anymore.

Regards,

Lutz

6 REPLIES 6

Former Member
0 Kudos

Thanks for that information. Do you know if there's an updated user's guide as well? The SNC user's guide that can be downloaded from service.sap.com/security → Security in Detail → Secure User Access → Authentication & SSO → SNC User’s Guide is from 1999 and contains no information about using cryptolib in client scenarios.

LutzR
Active Contributor
0 Kudos

Hi Sebastian, I have not configured a standalone client yet. But I would expect that it would be quite similar to the configuration of AS JAVA to AS ABAP SNC:

Configuring SNC: AS Java to AS ABAP - Network and Transport Layer Security - SAP Library

But there were no great changes made to SNC in the last 20 years. So the user guide from 1999 is probably still valuable.

You might find more specifically experienced people here: , or  SAP Single Sign-On | SCN

Good luck,

Lutz

Former Member
0 Kudos

I have verified that this is correct.

I have modified SAP demo coding for use with JCo 3.0.9 or newer that demonstrates a standalone RFC client. For prerequisites, see SAP note 1701870. The app server must be configured for SNC, a local security environment (PSE) must be created with sapgenpse, and certificates must be exchanged between local and server.

I have attached code excerpt showing JCo params.

Former Member
0 Kudos

It should be possible. For sure the CommonCryptoLib allows SNC to be used to encrypt communications from clients to servers (not only between servers). Using pyrfc (the Python wrapper for RFC) is possible; actually it is not well documented, but if you pass the right arguments the RFC library will use the CommonCryptoLib to encrypt your communication.

Actually I didn't try using the JCO RFC, but as the RFC library interface is the same, you should be able to do it.

Check in PyRFC/_pyrfc.pyx at master · SAP/PyRFC · GitHub (line 108) how the SNC parameters are received, I think you should use the same parameters.

0 Kudos

Thanks for the pointer to the python code. I still hope to find a working JCo example. There is none in the examples that come with the JCo download, and the documentation on interface DestinationDataProvider also only mentions the connection parameters.

The release notes say that since JCo 3.0.9 I can set jco.client.snc_sso=0 and log on with user/password while still having network encryption. That sounds like what I want. Would snc_myname or snc_partnername also be required in this case?

Can someone perhaps point me to working Java examples?
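
Added example, not part of the thread and not SAP's code: a preflight check for the JCo client properties discussed above (SNC with `jco.client.snc_sso=0` password logon, crypto library path, PSE location), runnable without the JCo jar. The class name, host, user, SNC name, library path and the `RFC_PASSWD` variable are constructed; treating `snc_myname` as optional and reading `SNC_LIB` and `SECUDIR` from the environment are assumptions about the crypto library setup.

```java
import java.nio.file.*;
import java.util.*;

// Added example, not from the thread: checks JCo SNC client properties before connecting.
public class SncPreflight {
    static boolean blank(String s) { return s == null || s.trim().isEmpty(); }

    // Returns the problems found; an empty list means the settings are consistent.
    static List<String> check(Properties p, Map<String, String> env) {
        List<String> out = new ArrayList<>();
        if (!"1".equals(p.getProperty("jco.client.snc_mode")))
            out.add("snc_mode is not 1, so the connection would not use SNC");
        // QOP 1 = authentication only, 2 = integrity, 3 = privacy (encryption).
        String qop = p.getProperty("jco.client.snc_qop", "");
        if (qop.equals("1") || qop.equals("2"))
            out.add("snc_qop=" + qop + " does not encrypt the RFC payload");
        if (blank(p.getProperty("jco.client.snc_partnername")))
            out.add("snc_partnername (the server's SNC name) is missing");
        // Assumption: the library path may also come from the SNC_LIB variable.
        String lib = p.getProperty("jco.client.snc_lib", env.get("SNC_LIB"));
        if (blank(lib) || !Files.isRegularFile(Paths.get(lib)))
            out.add("no crypto library file found via snc_lib or SNC_LIB");
        if (blank(env.get("SECUDIR")))
            out.add("SECUDIR is not set; the PSE created with sapgenpse cannot be located");
        boolean pwLogon = "0".equals(p.getProperty("jco.client.snc_sso"));
        if (pwLogon && (blank(p.getProperty("jco.client.user"))
                || blank(p.getProperty("jco.client.passwd"))))
            out.add("snc_sso=0 selects user/password logon, but user or passwd is empty");
        return out;
    }

    public static void main(String[] args) {
        Properties p = new Properties(); // constructed sample values
        p.setProperty("jco.client.ashost", "abap.example.internal");
        p.setProperty("jco.client.sysnr", "00");
        p.setProperty("jco.client.client", "100");
        p.setProperty("jco.client.user", "RFC_USER");
        // RFC_PASSWD is a hypothetical variable name; keeps the password out of source.
        p.setProperty("jco.client.passwd", System.getenv().getOrDefault("RFC_PASSWD", ""));
        p.setProperty("jco.client.snc_mode", "1");
        p.setProperty("jco.client.snc_sso", "0"); // encrypt, but log on with user/password
        p.setProperty("jco.client.snc_qop", "3");
        p.setProperty("jco.client.snc_partnername", "p:CN=ABAP_SERVER, O=Example, C=DE");
        p.setProperty("jco.client.snc_lib", "/opt/sap/cryptolib/libsapcrypto.so");

        List<String> problems = check(p, System.getenv());
        problems.forEach(m -> System.err.println("SNC config problem: " + m));
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Run it on the client host under the same account and environment as the JCo process, since the library path and `SECUDIR` are resolved there.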