08-07-2007 10:06 AM
Hi out there,
We are on WAS7.0 and want to use the WAS-ABAP as SOAP-Client. All is prepared, but the SOAP-Service only accepts Kerberos authentication. With a "normal" RFC-Connection to an external server I give user and password, which results in needing Basic-Authentication on Server-Side.
Is there a possibility to get a Kerberos-Authenticated connection from ABAP to an external Server?
Thanks for your ideas
Regards André
08-07-2007 10:16 AM
Andre,
Yes, this is possible. The SAP RFC protocol is secured using SNC, so you need to install an SNC Kerberos library on your WAS system, and you can then initiate a secure RFC connection. The SNC Kerberos library will use Kerberos to authenticate to the non-ABAP system.
I represent a vendor called CyberSafe, and we have a SAP certified Kerberos library which is available for UNIX, Linux and Windows, and will give you what you need. If you have any questions about our product, or would like to evaluate it, please contact me using my email address in SDN business card.
Thanks,
Tim
08-07-2007 12:24 PM
Hold on - André wants to "use the WAS-ABAP as SOAP-Client".
I assume that this (external, non-SAP) SOAP Server is using http as transport protocol - and not the SAP-proprietary RFC protocol. In that case you cannot use SNC.
Furthermore: I'm not sure whether the SOAP Server only wants to authenticate the communication partner (i.e. the ABAP server) or whether it is intended to execute the requested service on behalf of the current ABAP user. In that case you'd need to take a look into the "black box" (which SNC and SSL cannot). For web services (and I assume that this is meant by referring to "SOAP") typically SAML (-> WS-Trust, WS Security) comes into play.
Unfortunately, there are two concurrent approaches: SAML 2.0 and WS-Federation (-> MS ADFS). I assume that André is referring to Microsoft's approach. Am I right?
08-07-2007 12:39 PM
Hi Wolfgang,
You are absolutely right. The WAS-ABAP should be the client for a webservice. The Kerberos authentication is just for authenticating the Webservice-Client (WAS-ABAP) to the Webservice-Server. Could you tell me a little more regarding SAML?
How to use and configure it.
Thanks.
Regards André
08-07-2007 12:45 PM
Andre,
It is my understanding that the SAP SAML login module currently only supports certificates, so you may have to wait until SAP add Kerberos authentication support to their product, or see if you can enable your web service server to support X.509 certificate based authentication.
Thanks again,
Tim
08-07-2007 1:10 PM
Hi Tim,
Thanks, but I have no influence on what the Webservice-Server will accept.
Regards
André