Server (ABAP)-->Server(non-ABAP) via Kerberos?

Former Member

Hi out there,

We are on WAS 7.0 and want to use the WAS-ABAP as SOAP client. All is prepared, but the SOAP service only accepts Kerberos authentication. With a "normal" RFC connection to an external server I give user and password, which results in needing Basic authentication on the server side.

Is there a possibility to get a Kerberos-authenticated connection from ABAP to an external server?

Thanks for your ideas

Regards André

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert

Hold on - André wants to "use the WAS-ABAP as SOAP-Client".

I assume that this (external, non-SAP) SOAP Server is using HTTP as transport protocol - and not the SAP-proprietary RFC protocol. In that case you cannot use SNC.

Furthermore: I'm not sure whether the SOAP Server only wants to authenticate the communication partner (i.e. the ABAP server) or whether it is intended to execute the requested service on behalf of the current ABAP user. In that case you'd need to take a look into the "black box" (which SNC and SSL cannot). For web services (and I assume that this is meant by referring to "SOAP") typically SAML (-> WS-Trust, WS Security) comes into play.

Unfortunately, there are two concurrent approaches: SAML 2.0 and WS-Federation (-> MS ADFS). I assume that André is referring to Microsoft's approach. Am I right?

5 REPLIES 5

tim_alsop
Active Contributor

Andre,

Yes, this is possible. The SAP RFC protocol is secured using SNC, so you need to install an SNC Kerberos library on your WAS system, and you can then initiate a secure RFC connection. The SNC Kerberos library will use Kerberos to authenticate to the non-ABAP system.

I represent a vendor called CyberSafe, and we have a SAP certified Kerberos library which is available for UNIX, Linux and Windows, and will give you what you need. If you have any questions about our product, or would like to evaluate it, please contact me using my email address in my SDN business card.

Thanks,

Tim

Hi Wolfgang,

You are absolutely right. The WAS-ABAP should be the client for a web service. The Kerberos authentication is just for authenticating the web service client (WAS-ABAP) to the web service server. Could you say a little more regarding SAML?

How to use and configure it.

Thanks.

Regards André

tim_alsop
Active Contributor

Andre,

It is my understanding that the SAP SAML login module currently only supports certificates, so you may have to wait until SAP add Kerberos authentication support to their product, or see if you can enable your web service server to support X.509 certificate-based authentication.

Thanks again,

Tim

Former Member

Hi Tim,

Thanks, but I have no influence over what the web service server will accept.

Regards

André