
Is this possible: SNC connection from SAP GUI to SAP Router, and ...

Former Member
0 Kudos

Hi,

I have a (perhaps stupid) question.

Is this scenario possible:

SNC connection from SAP GUI to SAP Router, and non-SNC connection from SAP Router to SAP System.

I know how to set up a scenario like this:

SAP System --- (non-SNC conn) --- saprouter1 --- (SNC conn) --- saprouter2 --- (non-SNC conn) --- SAP GUI.

Best regards,

Marek Majchrowski

7 REPLIES 7

tim_alsop
Active Contributor
0 Kudos

Marek,

If you were able to set up such a connection, then the SAP GUI user would only be able to log on to the SAP Router, and not onto the SAP system behind the router - this is because SNC logon with SAP GUI needs to be end-to-end, e.g. SNC needs to be used by SAP GUI and also (using an SNC library supporting the same protocol) on the SAP Application Server.

Thanks,

Tim

WolfgangJanzen
Product and Topic Expert
0 Kudos

Well, SNC is defining an end-to-end communication - in your case the two endpoints are the SAPGUI frontend and the ABAP application server. Anything in-between (like the two SAProuters) is not of interest for both communication endpoints.

Notice: the SAProuter operates on a different communication stack level (NI layer) and is therefore transparent to SAPGUI and the ABAP application server (both: operating on the DIAG protocol layer, on top of the NI layer).

tim_alsop
Active Contributor
0 Kudos

Wolfgang,

To be sure myself and Marek understand, can you confirm the different scenarios supported:

Scenario 1:

SAP GUI --- (non SNC conn) --- saprouter1 --- (SNC conn) --- saprouter2 --- (non-SNC conn) --- SAP System

With this scenario, it would be possible for a user to logon using SAP GUI onto the SAP System, but without SAP GUI SNC.

Scenario 2:

SAP GUI --- (SNC conn) --- saprouter1 --- (non SNC conn) --- saprouter2 --- (SNC conn) --- SAP System

With this scenario it would be possible to logon to the SAP System using SAP GUI, and using SNC authentication.

Also, with this scenario the SAP GUI software and SAP System software would consider this to be similar to:

SAP GUI -- (SNC conn) -- SAP System

Scenario 3:

This is the scenario mentioned by Marek in his initial question:

SAP GUI -- (SNC conn) -- saprouter1 -- (non SNC conn) -- SAP System

With this scenario it will not be possible to logon to SAP System using SNC, and only possible if the SAP GUI is configured to not use SNC. In other words the SNC connection between SAP GUI and saprouter1 is available, but cannot be used.

Thanks,

Tim

Edited by: Tim Alsop on Feb 25, 2008 5:24 PM

tim_alsop
Active Contributor
0 Kudos

Marek,

I just got an email from somebody at SAP about this subject, and he confirmed the following:

-


It is possible to use SNC to protect the communication channel between two SAProuters, which then works somewhat like a protected VPN between the SAProuters. For communication traversing the SAProuter<->SAProuter connection this is completely transparent, and at the SNC-level one SAProuter is authenticated to the other SAProuter.

Components like SAPgui and the SAP AppServer do not speak SNC at the low level of SAProuters. They both use SNC at the application level in order to authenticate user<->backend or backend<->backend.

An SNC-authentication user<->SAProuter or SAProuter<->backend is not possible.

-


This confirms that my scenario 2 and 3 are not possible.

I hope this answers your question?

Thanks,

Tim
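Added example, not part of the thread: a small Python checker that parses hop diagrams written in the notation used above and applies the rule from the quoted SAP e-mail (SNC on a single hop works only between two SAProuters; between SAP GUI and the SAP system it is end-to-end at the application level). The function names and sample strings are constructed for illustration, and the checker only judges per-hop labels; it does not model end-to-end SNC passing transparently through routers.

```python
import re

# Hop pattern in the thread's notation: "<node> --- (<label>) --- <node>"
HOP = re.compile(r"\s*-{2,}\s*\(([^)]*)\)\s*-{2,}\s*")

def parse_path(text):
    """Split 'A --- (SNC conn) --- B' into nodes and per-hop SNC flags."""
    parts = HOP.split(text.strip())
    nodes = [p.strip() for p in parts[0::2]]
    # "non-SNC conn" / "non SNC conn" mean unprotected; "SNC conn" means protected
    snc = [not p.lower().startswith("non") for p in parts[1::2]]
    return nodes, snc

def is_router(node):
    return node.lower().replace(" ", "").startswith("saprouter")

def check_path(text):
    """Return a list of (left, right, verdict) for every hop labelled SNC."""
    nodes, snc = parse_path(text)
    findings = []
    for left, right, protected in zip(nodes, nodes[1:], snc):
        if not protected:
            continue
        if is_router(left) and is_router(right):
            verdict = "ok: router-to-router SNC (network level)"
        elif not is_router(left) and not is_router(right):
            verdict = "ok: end-to-end SNC (application level)"
        else:
            verdict = "not possible: SNC between a SAProuter and an endpoint"
        findings.append((left, right, verdict))
    return findings

def is_possible(text):
    return all(v.startswith("ok") for _, _, v in check_path(text))

# Constructed inputs, written in the notation used in the thread
SAMPLES = [
    "SAP GUI --- (non SNC conn) --- saprouter1 --- (SNC conn) --- saprouter2 --- (non-SNC conn) --- SAP System",
    "SAP GUI --- (SNC conn) --- saprouter1 --- (non SNC conn) --- saprouter2 --- (SNC conn) --- SAP System",
    "SAP GUI -- (SNC conn) -- saprouter1 -- (non SNC conn) -- SAP System",
    "SAP GUI -- (SNC conn) -- SAP System",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("possible" if is_possible(s) else "NOT possible", "|", s)
```
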

Former Member
0 Kudos

Hi Guys

Is the scenario:

SAP GUI -- (SNC conn) -- saprouter1 -- (non SNC conn) -- SAP System

Possible now?

Thanks

JP

tim_alsop
Active Contributor
0 Kudos

No, that is not possible. SNC is used by SAP router at network layer and SNC is used by SAP GUI and NW ABAP for application/user authentication. You can do the following though:

SAP GUI ------------------ (SNC encryption, integrity and user authentication) ---> SAP ABAP

                        SAP Router <------ SNC encryption   ------> SAP Router

Thanks

Tim

Former Member
0 Kudos

Thanks for the response.

We successfully connect from outside our domain (internet) from GUI via router to backend system.

Q: is there a way to secure this without SSO or third party software?

And, as you recommended, the only way forward for us then is to create another saprouter for SNC to the backend to be able to work.

Thanks

JP