Application Development Discussions

SNC setup for connection SAPGUI - ABAP (no SSO)

Former Member
0 Kudos

Hello Experts,

I am trying to set up SNC for our ABAP systems (Web AS 7.0). The goal of this setup for now is to be able to secure the connection between SAP GUI (generally running on Win XP clients) and the ABAP systems (HP-UX).

When I was looking through all the documentation and threads I mostly found issues regarding the setup of SSO combined with SNC. But we don't want to set up SSO (at least not right now), we only want to secure the channel and have the user log in just like he always does (w/ Username & PW).

I have performed the following steps so far:

- Created the SNC PSE (in STRUST, I used "<SID>snc" for DN, self-signed)

- Installation of SAP Cryptolib

- Updated profile with SNC parameters (along with environment variable SECUDIR)

The system started up correctly, but when I tried to log on using SNC I first got the error message "Unable to load sncgss32.dll". For this case I renamed the sapcrypto.dll file on the client system (where the GUI is located) to sncgss32.dll and copied it into the SYSTEM32 folder. I have also set the environment variable "SNC_LIB" to "sncgss32.dll". After this was done, a new error message started to pop up, saying "No credentials are supplied".

My questions are the following:

- I have read something about not using the Cryptolib for the Win XP clients and use GSSKRB5.dll instead. Is this also required when I don't want to setup SSO? And if yes, where will I get that file?

- Do I have to create the credentials for the SNC? (with the SAPGENPSE program)

- Is the SNC PSE Password required for any of the steps?

- Is there anything necessary to be setup in SU01 in the SNC-tab for my purpose? I have read a lot about the SNC-Name but I am not really sure if it only affects SSO-aspects…

- Or are there any other steps I am missing?

Thanks in advance,

Best regards,

Jan Kaps

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert
0 Kudos

> I am trying to set up SNC for our ABAP systems (Web AS 7.0).

> The goal of this setup for now is to be able to secure the connection between SAP GUI (generally running on Win XP clients)

> and the ABAP systems (HP-UX).

>

> When I was looking through all the documentation and threads I mostly found issues regarding the setup of SSO

> combined with SNC. But we don't want to setup SSO (at least no right now), we only want to secure the channel

> and have the user log in just like he always does (w/ Username & PW).

Well, then I have bad news for you: that's not possible.

Reason: SNC is based on GSS-API and that defines the philosophy: you can choose between certain Quality-of-Protection (QoP) levels which are:

1. authentication only

2. authentication + data integrity

3. authentication + data integrity + confidentiality

As you can see: there is no way to have "data integrity + confidentiality" without having "authentication". That's different from SSL where you basically have two QoP levels:

1. server authentication + data integrity + confidentiality

2. mutual authentication (server + client) + data integrity + confidentiality

You can also see: using SNC does not necessarily mean that the data is encrypted (confidentiality).

Regards, Wolfgang
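To make the QoP point above concrete, here is an added example (not code from the thread, and not SAP's own tooling) that reads an ABAP instance profile fragment and reports what its snc/* parameters actually guarantee. The profile text and the SNC name p:CN=XYZsnc are constructed; the check assumes the snc/data_protection/min, max and use parameters carry the three GSS-API QoP levels listed above, with use = 9 meaning "use the maximum", and treats a missing snc/accept_insecure_gui as 0.

```python
# Added example for this thread (not code from it or from SAP): read an ABAP
# instance profile fragment and report what its snc/* parameters guarantee.
# Levels are the GSS-API QoP levels quoted above; use = 9 means "the maximum".
QOP = {1: "authentication only",
       2: "authentication + data integrity",
       3: "authentication + data integrity + confidentiality"}

# Constructed profile fragment: SNC is enabled, but integrity-only SNC
# sessions and plain (non-SNC) SAP GUI logons are both still accepted.
SAMPLE_PROFILE = """\
snc/enable = 1
# placeholder SNC name of the application server
snc/identity/as = p:CN=XYZsnc
snc/gssapi_lib = /path/to/libsapcrypto.so
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 9
snc/accept_insecure_gui = 1
"""

def parse_profile(text):
    """Parse 'key = value' lines; '#' starts a comment, other lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            params[key] = value
    return params

def assess_snc(params):
    """Return the protection the configuration guarantees, plus review notes."""
    if params.get("snc/enable") != "1":
        return {"enabled": False, "notes": ["SNC disabled: all SAP GUI traffic is cleartext"]}
    lo = int(params["snc/data_protection/min"])   # the three levels must be set explicitly
    hi = int(params["snc/data_protection/max"])
    use = params["snc/data_protection/use"]
    outbound = hi if use == "9" else int(use)
    if not (1 <= lo <= hi <= 3 and lo <= outbound <= hi):
        raise ValueError("inconsistent snc/data_protection/* levels")
    insecure_gui = params.get("snc/accept_insecure_gui", "0") != "0"
    notes = ["every SNC session authenticates the peer: there is no QoP level below 1"]
    if lo < 3:
        notes.append(f"clients may negotiate '{QOP[lo]}', so SNC here does not imply encryption")
    if insecure_gui:
        notes.append("non-SNC SAP GUI logons are still accepted")
    return {"enabled": True, "min_qop": lo, "max_qop": hi, "outbound_qop": outbound,
            "snc_sessions_encrypted": lo == 3,
            "all_gui_sessions_encrypted": lo == 3 and not insecure_gui,
            "notes": notes}
```

Raising min to 3 and setting snc/accept_insecure_gui to 0 is what turns the sample into a configuration where every GUI session is both authenticated and encrypted.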

7 REPLIES


0 Kudos

Thanks for your reply, Wolfgang.

So for our purpose (secure connection from GUI to SAP) it will be necessary to provide authentication for each user...

Does this mean we need to provide full credentials for every user when he wants to log on via the SAP GUI? Or could this probably be done with certificates that we would provide for all clients along with the SAP GUI?

Do you know of another way to approach this security requirement?

Thank you very much,

Jan

0 Kudos

> So for our purpose (secure connection from GUI to SAP) it will be necessary to provide authentication for each user...

> Does this mean we need to provide full credentials for every user when he wants to log on via the SAP GUI?

I thought that this is what you intend.

You wrote that you want your users to provide userID and password for authentication. You stated that you do not want to use SSO (Single Sign-On).

> Or could this probably be done with certificates that we would provide for all clients along with the SAP GUI?

Well, SNC / GSS-API abstracts from the actual implementation. You are referring to a PKI based solution. Notice: SNC / GSS-API also allow other implementations (e.g. based on Kerberos, NTLM, ...).

I'm now no longer sure what you actually intend to achieve:

Do you want SSO or "only" encrypted data transmission (in combination with "classic" UID/PWD authentication, as described in your initial posting)?

0 Kudos

Sorry, my last post might have been a little confusing. But you are right, we actually only want to encrypt the data transmission in combination with UID/PW authentication.

0 Kudos

Well, as explained in my previous posting: SNC was not made for that requirement.

I only see one option: you can setup an SNC connection between two SAProuters (same as for the remote service connections between you and SAP) also known as "secure tunnel". SNC is then only used to encrypt the data which is transmitted over the SAProuter-SAProuter connection (but not outside that "tunnel"); SNC also provides a reliable authentication of both SAProuters (= communication peers).

The entire "picture" then looks like this:

SAPGUI ---> SAProuter ---> SAProuter ---> ABAP server

Notice: this scenario is typically used for WAN connections.

It is not really suitable to install a SAProuter on each frontend PC.

I still recommend that you consider using SNC to achieve both data encryption and (mutual) authentication (which you can then use for SSO purposes).

Regards, Wolfgang

0 Kudos

Ok, I will take a closer look at your considerations.

Thank you very much for your effort.

Best regards,

Jan

Former Member
0 Kudos

It is possible to implement a secure connection between SAPGUI and ABAP server on HP-UX with authentication based on SAP user name and password - even without SSO. You have to separate the user authentication method from the sign-on method. They are often looked at jointly, but it actually provides a lot of flexibility to separate them. It doesn't work with SAP technology alone - it requires the purchase of a (SAP-certified) 3rd-party product - which you need in any case, if you want to use SNC with an SAP server on HP-UX. Feel free to contact me, if you want to learn more (see business card).