Secure communication between SAP and .NET Application

Former Member

Hi Team,

We have a .NET application which is connecting to SAP ABAP system using .NET Connectors and JAVA connectors.

Now we are trying to implement Secure communication between .NET application and SAP.

All our SAP systems are configured with SNC without SSO, using SNC client encryption for SAP GUI -> SAP ABAP app servers.

In the same way, we are connecting to the SAP application with the parameters SNC_MODE, SNC_QOP, SNC_Partner name, SNC Library.

But we are unable to connect because the SNC client encryption library file is 32 bit and our .NET application is 64 bit.

Please advise how we can connect our .NET application --> SAP server using 32 bit library files. Or do we have any 64 bit library files which support the above scenario (we are not looking for SSO)?

Thanks,

Krishna

1 ACCEPTED SOLUTION

LutzR
Active Contributor
0 Kudos

Hi Krishna,

What role does your client have? Do you want the .NET application to connect to the backend with a PC user's identity?

Or will your .NET application connect with a technical user?

If this is a typical machine to machine communication scenario with a technical user involved you could do X.509 based SNC by using Common Cryptolib both on client and on server side.

Regards,

Lutz

19 REPLIES

Former Member
0 Kudos

Hi Lutz,

My .NET application is installed on a Windows server with the local computer account "Administrator".

We are passing the SAP backend server connection details as "User name, password, Host, Client, Sys no, SNC_MODE, SNC_QOP, SNC_PARTNERNAME, SNC_LIBRARY".

We are trying for SNC with the Kerberos authentication protocol (without SSO). Is it possible to connect with SNC using the Kerberos authentication protocol?

Thanks,

Krishna

tim_alsop
Active Contributor
0 Kudos

For this you cannot use the SNC client encryption library (which is free) and you must use a licensed SNC library instead, either from SAP or from a SAP partner. The Kerberos protocol can then be used to authenticate and secure the connection between the .NET app and the SAP ABAP system on the back end, using a 64-bit SNC library since your .NET application is 64-bit. The free SCE library is only 32-bit.
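
The 32-bit versus 64-bit library problem discussed above can be confirmed before the connector ever tries to load the file. As an added example (not part of any post in this thread), this Python script reads the PE header of the DLL named in SNC_LIB and compares its machine type with the bitness of the calling process; the function names and the constructed `fake_pe` sample are illustrative.

```python
import struct

# PE "Machine" values from the COFF file header (Microsoft PE/COFF specification).
MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0xAA64: "ARM64 (64-bit)"}
WIDTH = {0x014C: 32, 0x8664: 64, 0xAA64: 64}


def pe_machine(data: bytes) -> int:
    """Return the COFF Machine field of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew: offset of "PE\0\0"
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return machine


def check_snc_lib(data: bytes, process_bits: int) -> str:
    """Compare the bitness of the SNC library with that of the loading process."""
    machine = pe_machine(data)
    bits = WIDTH.get(machine)
    if bits is None:
        return f"UNKNOWN machine 0x{machine:04X}"
    name = MACHINES[machine]
    if bits != process_bits:
        return f"MISMATCH: library is {name}, process is {process_bits}-bit"
    return f"OK: library is {name}"


def fake_pe(machine: int) -> bytes:
    """Constructed sample: the smallest header that carries a Machine field."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)


if __name__ == "__main__":
    import sys
    # Usage: python check_snc_lib.py <path to the SNC_LIB dll> <32|64>
    with open(sys.argv[1], "rb") as fh:
        print(check_snc_lib(fh.read(4096), int(sys.argv[2])))
```

A mismatch reported here means the process cannot load the library at all, which is a different failure from a GSS-API error returned after the library has loaded.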

Former Member
0 Kudos

Hi Tim,

Yes, since SCE is 32 bit I am using the NW SSO 1.0 Secure Login Client library files.

I have installed Secure Login Client on my .NET application server and specified the library path as "C:\Program Files\sap\FrontEnd\SecureLogin\lib\secgss.dll". But I am still getting the same issue: "Can not connect to target SNC partner name = "p:CN=SAP/KerberosSC2@DOMAIN.COM".

Thanks,

Krishna

LutzR
Active Contributor
0 Kudos

Hi Krishna, this sounds comparable to a typical ABAP-to-ABAP SNC scenario with a fixed technical user. So this could be solved like ABAP-to-ABAP SNC (or AS-JAVA-to-ABAP-RFC): with X.509 certificate and CCL.

Have a look at this thread. Nowadays one would replace the secude libraries by the Common Cryptolib.

Regards,

Lutz

Former Member
0 Kudos

Hi Lutz, would it be possible to encrypt the communication in the same scenario you mention there, but using the MIT Kerberos 5 library? (instead of Common Cryptolib).

tim_alsop
Active Contributor
0 Kudos

Except that using certificates means you can't have end to end identity, e.g. if architecture is as follows:

Web browser/workstation --> .net app server --> AS ABAP

With above, if you use Kerberos end to end, then the AS ABAP system will know the identity of the user logged onto workstation. If you use certificates between .net app server and AS ABAP then this won't be possible.

When I help customers with this exact scenario I find they prefer the end to end identity since it gives better control over the access to data on the back end ABAP system.

tim_alsop
Active Contributor
0 Kudos

Did you buy an NW SSO 1.0 license? If you didn't, you can't use this library.

Former Member
0 Kudos

Hi Tim,

Our scenario is exactly like you mentioned above. We are using a web browser to connect to the .NET app server and we provide SAP backend system details like username, password, client etc. to connect.

Web browser/workstation --> .net app server --> AS ABAP

From SAP server end SNC is configured similar to between SAP GUI -> AS ABAP

Similar to the above, we are configuring .NET app --> AS ABAP using NW SSO Secure Login Client at the client side. Instead of the 32 bit SCE file we are using the NW SSO Secure Login Client 64 bit SECGSS.dll file at the .NET application side. (We had licensed the NW SSO 1.0 product and it recently expired, but we are using the dump file which was the licensed one.)

When connecting we are getting below dump.

**** Trace file opened at 2016-04-25 18:51:01 (UTC+05:30 India Standard Time)

SAP .NET Connector 3.0 with file version 3.0.5.0 running on 64-bit .NET Framework 4.0.30319.42000

Program: C:\Users\kginnela\Desktop\NCO test\NCO test\bin\Debug\NCO test.vshost.exe

Working dirctory: C:\Users\kginnela\Desktop\NCO test\NCO test\bin\Debug

Operating system: Windows 7 Enterprise 64-bit Service Pack 1

Processor: 4x AMD64 (or x64)

SAP release: 720, Kernel release: 720, Kernel patch level: 111

Hostname: INPUNKGINNELA1, IP address: 10.82.23.21, IP_v6 address:

Default trace level: None

>> Error entry 2016-04-25 18:51:01.936

Failure to create pool for destination 6be87c8c-4a9a-4450-ba85-00181306983d [NAME=6be87c8c-4a9a-4450-ba85-00181306983d USER=kginnela CLIENT=501 LANG= ABAP_DEBUG=NONE TRACE=NONE ASHOST=USALVWSSC703D SYSNR=00 SNC_MODE=1 SNC_QOP=8 SNC_LIB=C:\Program Files\sap\FrontEnd\SecureLogin\lib\secgss.dll SNC_PARTNERNAME=p:CN=SAP/KerberosSC2@DOMAIN.COM]

SAP.Middleware.Connector.RfcCommunicationException:

LOCATION    CPIC (TCP/IP) with Unicode

ERROR       GSS-API(maj): Miscellaneous failure

            GSS-API(min): A2210223:A2210223

            target="p:CN=SAP/KerberosSC2@DOMAIN.COM"

TIME        Mon Apr 25 18:51:01 2016

RELEASE     720

COMPONENT   SNC (Secure Network Communication)

VERSION     5

RC          -4

MODULE      sncxxall.c

LINE        3345

DETAIL      SncPEstablishContext

SYSTEM CALL gss_init_sec_context

COUNTER     3

   at SAP.Middleware.Connector.CpicConnection.CpicReceive(Int32 timeout)

   at SAP.Middleware.Connector.CpicConnection.Read(Byte* buffer, Int32 offset, Int32 count)

   at SAP.Middleware.Connector.RfcConnection.ReadBytes(Byte* buffer, Int32 count)

   at SAP.Middleware.Connector.RfcConnection.ReadRfcIDBegin(Int32& length)

   at SAP.Middleware.Connector.RfcConnection.ReadUpTo(RFCGET readState, RfcFunction function, RFCID toRid)

   at SAP.Middleware.Connector.RfcConnection.RfcReceive(RfcFunction function)

   at SAP.Middleware.Connector.RfcConnection.ConnectAsClient(RfcConfigParameters options)

   at SAP.Middleware.Connector.RfcConnectionPool..ctor(RfcDestination destination, Boolean forRepositoryCalls)

>> Error entry 2016-04-25 18:51:02.128

NAME=6be87c8c-4a9a-4450-ba85-00181306983d USER=kginnela CLIENT=501 LANG= ABAP_DEBUG=NONE TRACE=NONE ASHOST=USALVWSSC703D SYSNR=00 SNC_MODE=1 SNC_QOP=8 SNC_LIB=C:\Program Files\sap\FrontEnd\SecureLogin\lib\secgss.dll SNC_PARTNERNAME=p:CN=SAP/KerberosSC2@DOMAIN.COM

SAP.Middleware.Connector.RfcCommunicationException:

LOCATION    CPIC (TCP/IP) with Unicode

ERROR       GSS-API(maj): Miscellaneous failure

            GSS-API(min): A2210223:A2210223

            target="p:CN=SAP/KerberosSC2@DOMAIN.COM"

TIME        Mon Apr 25 18:51:01 2016

RELEASE     720

COMPONENT   SNC (Secure Network Communication)

VERSION     5

RC          -4

MODULE      sncxxall.c

LINE        3345

DETAIL      SncPEstablishContext

SYSTEM CALL gss_init_sec_context

COUNTER     3

   at SAP.Middleware.Connector.CpicConnection.CpicReceive(Int32 timeout)

   at SAP.Middleware.Connector.CpicConnection.Read(Byte* buffer, Int32 offset, Int32 count)

   at SAP.Middleware.Connector.RfcConnection.ReadBytes(Byte* buffer, Int32 count)

   at SAP.Middleware.Connector.RfcConnection.ReadRfcIDBegin(Int32& length)

   at SAP.Middleware.Connector.RfcConnection.ReadUpTo(RFCGET readState, RfcFunction function, RFCID toRid)

   at SAP.Middleware.Connector.RfcConnection.RfcReceive(RfcFunction function)

   at SAP.Middleware.Connector.RfcConnection.ConnectAsClient(RfcConfigParameters options)

   at SAP.Middleware.Connector.RfcConnectionPool..ctor(RfcDestination destination, Boolean forRepositoryCalls)

   at SAP.Middleware.Connector.RfcConnectionPool.GetPool(RfcDestination destination, Boolean forRepository, Boolean create)

   at SAP.Middleware.Connector.RfcDestination.GetClient(Boolean forRepository)

   at SAP.Middleware.Connector.RfcDestination.Ping()

Please help what is wrong with the connection and how it can be resolved.

Thanks,

Krishna

Former Member
0 Kudos

Hi Tim,

Please let me know if my above configuration is correct. Am I missing anything here? Do we need to establish a trust relationship between the .NET application and SAP by importing the PSE in each other's system?

What parameters are required from the .NET application code?

Appreciate your help on this.

Thanks,

Krishna

Former Member
0 Kudos

Hi Lutz,

I am trying to configure SNC with Windows integrated authentication Kerberos protocol between the .NET application and the AS ABAP server.

Thanks,

Krishna

tim_alsop
Active Contributor
0 Kudos

As I mentioned above, this is a common scenario that I have helped many customers with. It is easy if you use the correct protocol/libraries.

Former Member
0 Kudos

Tim Alsop wrote:

As I mentioned above, this is a common scenario that I have helped many customers with. It is easy if you use the correct protocol/libraries.

So here Secure Login Client doesn't support my scenario? .NET app --> AS ABAP

Thanks,

Krishna

LutzR
Active Contributor
0 Kudos

Hi Tim, one question which comes out of my only theoretical knowledge of this scenario:

Doesn't this scenario need something like Kerberos Constrained Delegation on the .NET server side? The .NET server either needs to impersonate the user or the SAP server to allow end to end identity, doesn't it?

Regards,

Lutz

tim_alsop
Active Contributor
0 Kudos

Yes, impersonation needs to be enabled on IIS so that the Kerberos TGT of the user at the workstation can be used by the SNC library on the .NET server to authenticate to the ABAP backend system. The session between the .NET server and the ABAP system will be authenticated using the user's credentials and encrypted if SNC is configured to encrypt the session.

Former Member
0 Kudos

Thanks Tim and Lutz for your valuable information and time. We are able to resolve the issue.

We have used the Secure Login Library files at the client side, i.e. on the .NET application server. We downloaded the Secure Login Library file, extracted it on the .NET application server, and in SNC_LIB pointed to the SECGSS.dll located in the SLL folder.

Thanks.

Krishna

tim_alsop
Active Contributor
0 Kudos

This question looks similar to

Former Member
0 Kudos

Yes Tim, in that thread I found a solution: I can use the Secure Login Client 64 bit library file at the client side. But I am still getting the same error.
