
SNC between SAPGui for windows and SAP servers

Former Member
0 Kudos

Dear All,

We would like to enable secure communication between SAP GUI for Windows and SAP servers.

Please let me know the links/snote/document where I can find more on this?

Thanks

12 REPLIES 12

tim_alsop
Active Contributor
0 Kudos

Hello,

This is a common question on the SDN security forum. You can find many answers to the same question in this forum. All of them refer to the fact that the SNC library can be downloaded from SAP if the SAP system is on Windows, but if SAP is on UNIX or Linux, you need to purchase a SAP certified SNC library/product. It is very common to find companies running SAP on UNIX or Linux and wanting to use Kerberos/SNC since Active Directory is a Kerberos authentication server. My company is one of the vendors who has such a product.

I hope you find what you are looking for on this forum, but if not please ask for additional help or clarification here.

Cheers,

Tim

desiree_matas
Contributor
0 Kudos

Hello!

Just a little correction. SNC for SAPGUI requires a third party product (sapcryptolib cannot be used for securing connections between frontend and server, just server-server). For a list of SAP certified partner products see:

URL: http://service.sap.com/security -> "Certified Security Partners"

Regards,

Désiré

0 Kudos

> Hello!
>
> Just a little correction. SNC for SAPGUI requires a
> third party product (sapcryptolib cannot be used for
> securing connections between frontend and server,
> just server-server).

Desiree, regarding above - what are you correcting? It appears you might have thought I referred to sapcryptolib in my last post, but I didn't. I was referring to the SNC library which is available for SNC with Kerberos, and is only available and supported if SAP is on a Windows Server and SAP GUI is also on Windows.

Thanks,

Tim

desiree_matas
Contributor
0 Kudos

Hi Tim

Yes, I thought you were talking about sapcryptolib (on the other hand, this is a common mistake). Sorry for the misunderstanding.

Regards,

Désiré

0 Kudos

> Yes, I thought you were talking about sapcryptolib (on
> the other hand, this is a common mistake). Sorry for
> the misunderstanding

Thank you. I understand now. I have also come across the mistake where an SAP customer thinks that sapcryptolib can be used for SNC with SAP GUI etc.

0 Kudos

Dear Tim,

We wanted to enable encrypted communication between our Win SAP GUI and SAP server (Windows). Does it involve crypto licensing?

Please let me know the procedure for enabling secure communication?

Appreciate your help.

0 Kudos

Hi,

Since your SAP server is on Windows you can use the Kerberos GSS-API libraries that SAP provide for this purpose. They use Kerberos because Active Directory uses Kerberos to authenticate the user when they logon to their workstation. The result is as follows:

1. User logs onto Windows workstation using Active Directory domain account.

2. The user's Kerberos credentials are cached on workstation and available for applications to use for SSO and security when configured to do so.

3. When the user connects to SAP using SAP GUI, and SNC is configured correctly the session between SAP GUI and SAP app server is used to authenticate the user who logged on at workstation to the SAP system (no passwords are transmitted). The session can also be secured by adding encryption and data integrity (via configuration in saplogon.ini and/or in SAP instance params).

4. The user gets a single signon experience, and also sessions between SAP GUI and SAP Server can be encrypted.

Does this help?

I am not 100% sure of the correct place to download the Windows SNC libraries from to give you the above functionality, but I am sure somebody from SAP will respond, giving you the correct download details.

If your Windows server is not a domain member and/or your workstations are not always logged onto a domain account, please contact me because my company has a product which will provide the functionality you require instead of the libraries from SAP. We support SAP on Windows and also on UNIX or Linux. I suggest you try the Windows libraries from SAP first and see if they meet your needs.

Thanks,

Tim
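The reply above notes that encryption and data integrity are switched on through SAP instance parameters. As an added example (not part of the original thread and not SAP's or any vendor's code), the following script parses an instance profile and flags SNC settings that would still let a SAP GUI session run without encryption. The sample profile is constructed and its `<...>` values are placeholders.

```python
# Added example: audit SNC settings in an SAP instance profile.
# SAMPLE_PROFILE is constructed; <...> values are placeholders, not real paths or names.
SAMPLE_PROFILE = """\
snc/enable = 1
snc/gssapi_lib = <path-to-gss-library>
snc/identity/as = p:<service-account>@<REALM>
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
"""

# SNC quality-of-protection levels
QOP = {"1": "authentication only", "2": "integrity protection",
       "3": "privacy protection (encryption)"}


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def audit_snc(params):
    """List settings that let a SAP GUI session run without encryption.

    Parameters absent from the profile fall back to kernel defaults and are
    not judged here, except the two that SNC cannot start without.
    """
    if params.get("snc/enable") != "1":
        return ["snc/enable is not 1: SNC is switched off"]
    findings = [f"{name} is not set" for name in
                ("snc/gssapi_lib", "snc/identity/as") if not params.get(name)]
    minimum = params.get("snc/data_protection/min")
    if minimum in ("1", "2"):
        findings.append(f"snc/data_protection/min = {minimum} permits "
                        f"sessions with {QOP[minimum]} and no encryption")
    gui = params.get("snc/accept_insecure_gui")
    if gui in ("1", "U"):
        findings.append(f"snc/accept_insecure_gui = {gui} can still accept "
                        "SAP GUI logons that do not use SNC")
    return findings


if __name__ == "__main__":
    for finding in audit_snc(parse_profile(SAMPLE_PROFILE)):
        print("WEAK:", finding)
```
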

Former Member
0 Kudos

Dear All,

We would like to use Secude as external security product in our system.

Could you please help me on where to download/how to get the software in place?

Thanks

0 Kudos

Hi,

I thought I had explained in my last post that you can download the software you need from SAP. The software I refer to is not Secude - the software I refer to is a gss/kerberos library that SAP provide for free, and it is ideal for customers such as yourself where SAP is running on Windows. I suggest you use this software instead of purchasing software from Secude.

Thanks,

Tim

Former Member
0 Kudos

Dear Tim,

Thanks for your information.

I thought GSS-API (supported by SAP) is the technology used by the external product and we would need to install the external product (which uses this tech) on all desktops where GUI is installed to enable SNC.

If you are sure Kerberos is available for free then I will go for that only.

Let me check where I can download the Kerberos?

0 Kudos

Please check SAP Note # 352295

This note gives details of the library I refer to and how to download it.

Yes, GSS-API is the technology used by external products when they are using SNC interfaces in SAP. However, since you have Windows servers and you also have Active Directory you should consider the free option instead, and use the GSS-API libraries for this Windows-only environment, available from SAP.

Thanks,

Tim

0 Kudos

Also, to be 100% clear - if you plan to change your SAP servers to UNIX or Linux, or have any UNIX or Linux servers that you want to include in same SNC/SSO solution, then the solution provided by SAP, and mentioned in my last post is not suitable.

Instead, I suggest you contact me offline so you can evaluate our product. I represent a company called CyberSafe, and our products are SAP certified, and are available for SAP servers running on various UNIX and Linux operating systems, as well as on Windows. You might also want to look at our products instead of the free library from SAP if you have a need to use SNC, but your users are logged onto a different domain to that used by SAP servers, and the domain is not trusted, or if you want to authenticate the user each time they logon to SAP, but still use encryption and integrity offered by SNC (e.g. ignore the credentials issued during the user's logon to workstation, and get new credentials when logging onto SAP).

Thanks,

Tim