Application Development Discussions
SAP GUI SNC client encryption with commoncryptolib

Former Member

Dear experts,

I have searched a lot on this topic, but I am not sure whether it is possible, and allowed by SAP, to encrypt the communication between SAP GUI and AS ABAP using CommonCryptoLib without SAP NetWeaver Single Sign-On. What is important for me is encrypted communication, not the single sign-on feature. As far as possible the product should come without additional costs, so I think CommonCryptoLib would be fine.

Can somebody give me a link to a tutorial on how to configure SNC client encryption between SAP GUI and AS ABAP (please not the SAP Help page http://help.sap.com/saphelp_nw74/helpdata/en/b9/0dfa4a0457487bb0e59d304eb1a79a/content.htm?frameset=... )?

I tried the SAP Help information and had problems with the Active Directory integration (which is only described rudimentarily).

Also, in my scenario I have multiple domains in different locations which cannot be integrated as trusted domains. So a solution without Active Directory would be fine. Is this possible?

Thank you very much in advance.

Kind regards, Basti


tim_alsop
Active Contributor

Hi,

CommonCryptoLib uses X.509 certificates, so you wouldn't be able to use this unless you distribute certificates to each workstation and maintain these when they expire. If you already have a PKI in your company, then this might work for you. The SNC Client Encryption library is free and uses Kerberos tickets to generate encryption keys, which are used to encrypt the DIAG protocol communications. If, however, you don't have and cannot set up trust between domains, then this library won't work for you. So, you can't do what you want for free.

Thanks

Tim

Former Member

Hi Tim,

I'm not quite sure I understand your comments fully. To my information, SNC Client Encryption does not require trust to be set up between any domains. The ABAP server works in a sort of offline mode; only the client needs to be connected to a domain controller to get a Kerberos ticket to communicate with the server. SCE is only about encryption of the channel. If you want any authentication (independent of whether it is server or client) you need an SSO solution.

So I fail to see which requirement can not be dealt with by SCE in this case.

Kind regards,

Patrick

tim_alsop
Active Contributor

Patrick,

The client library on the user's workstation needs to get a Kerberos TGT, and it gets this from the domain that the user is logged onto. Then, during logon, for SNC to encrypt the session it needs a session key, so it requests a Kerberos service ticket from the same domain, but the service (the SAP system) is in a different domain which does not trust the domain the user logged onto. Therefore SCE requires trust to be set up so it can get the session key to encrypt the session via a service ticket issued by the domain of the SAP system.

Yes, a product that includes an SNC library which is able to authenticate the user is required if the customer wants SSO. In this case, he just wants to encrypt the session. These products often include features which allow encryption and authentication with and without domain trust. My point is that the free SNC library (for encryption only) does not work if domains are not trusted.

Thanks

Tim

Former Member

Hi Tim,

sorry, maybe I was not precise enough in my first response. You are correct for the protocol as such (I guess you are more of an expert on this than most of us anyway ;-); however, the ABAP system does not need to be part of any domain. What you have to do is to create one keytab entry for each CLIENT domain where clients exist that want to connect using encryption (using sapgenpse keytab ...). This will create the service ticket required and store it in a PSE (for CommonCryptoLib, this would be the SAPSNCSKERB.pse). If the client domains trust each other, then you need fewer keytab entries, as you only need one for a pool of domains where all other domains trust the domain the service was created in. Only clients not part of any domain would be an issue; however, this could then only be solved by using X.509 auth anyway.

As far as I understood the post, all clients are in a domain; however, these may be different domains not trusting each other. So for encryption only, I still do not see why the current implementation does not work.

Thanks and kind regards,

Patrick

tim_alsop
Active Contributor

Patrick,

I am very familiar with the concept of creating multiple key table entries, one for each domain (when there is no trust). Our TrustBroker product supports this, as does the SAP SSO product. I was, however, under the impression that the free SNC (encryption only) library didn't support this, and that if a customer had this requirement for multiple domains without trust they needed to buy a product that has more features than they get for free.

Thanks

Tim

Former Member

Hi Tim & Patrick,

You are both experts.

Could you share some configuration documents about SAP GUI client encryption with CommonCryptoLib?

We ran into lots of issues while configuring that.

Should the public key of the ABAP server be shared with the SAP GUI client? How do we do that? Does the client need to generate a PSE and share its public key with the server?

There is no documentation about that at http://help.sap.com/saphelp_nw74/helpdata/en/32/431c3aadda4f25e10000000a11402f/content.htm?frameset=...
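The server-side pieces Patrick's reply sketches (one keytab entry in SAPSNCSKERB.pse per client domain, encryption only, no SSO) and the configuration the last post asks for, as an added example that is not from this thread or from SAP's documentation. It assumes CommonCryptoLib on a Linux/Unix application server, a Kerberos service account named SAPServiceSID in each client domain, the sample realms EMEA.EXAMPLE.COM and APAC.EXAMPLE.COM, and the `sapgenpse keytab -p/-x/-a` invocation quoted in the comments; that invocation is written from memory, so check it against `sapgenpse keytab -h` on your release before use. With the Kerberos-based SNC client encryption the session key is derived from the Kerberos service ticket, so no certificate or public key is exchanged between SAP GUI and the server; the profile below shows the permissive rollout settings next to the hardened ones.

```ini
# --- 1. Server side: one keytab entry per client domain, run once per domain ---
# Assumed invocation (verify with 'sapgenpse keytab -h'); prompts for the account password.
# SAPServiceSID must exist in each domain with SPN SAP/SAPServiceSID registered on it.
#   cd $SECUDIR
#   sapgenpse keytab -p SAPSNCSKERB.pse -x <PSE-PIN> -a SAPServiceSID@EMEA.EXAMPLE.COM
#   sapgenpse keytab -p SAPSNCSKERB.pse -x <PSE-PIN> -a SAPServiceSID@APAC.EXAMPLE.COM
# No trust between EMEA and APAC is needed: a client requests a ticket for the
# SAPServiceSID account of its own domain, and the server decrypts it with the matching entry.

# --- 2. Instance profile, rollout phase: SNC on, plaintext logons still accepted ---
snc/enable               = 1
snc/gssapi_lib           = $(DIR_EXECUTABLE)/libsapcrypto.so
snc/identity/as          = p:CN=SAPServiceSID@EMEA.EXAMPLE.COM   # assumed: account of the server's primary domain
snc/data_protection/min  = 2    # lowest level accepted: integrity
snc/data_protection/max  = 3    # highest level offered: privacy (encryption)
snc/data_protection/use  = 3    # level this server requests: privacy
snc/accept_insecure_gui  = 1    # WEAK: DIAG sessions without SNC are still allowed
snc/accept_insecure_rfc  = 1    # WEAK: RFC without SNC is still allowed
snc/accept_insecure_cpic = 1
snc/permit_insecure_start = 1   # needed while not every component speaks SNC

# --- 3. Instance profile, hardened: refuse any SAP GUI session that is not encrypted ---
snc/only_encrypted_gui   = 1    # reject DIAG logons that do not use SNC privacy protection
snc/only_encrypted_rfc   = 1    # same for RFC
# Users keep logging on with a password: no SNC name is mapped to any user in SU01
# (table USRACL), so SNC here protects the channel but grants no single sign-on.

# --- 4. Client side (SAP Logon entry) ---
# Install SNC Client Encryption, activate SNC for the connection with maximum protection,
# and set the SNC name to the server identity, e.g. p:CN=SAPServiceSID@EMEA.EXAMPLE.COM.
```

Keep the `snc/accept_insecure_*` settings at 1 only as long as non-SNC clients remain; once all SAP GUI installations use SNC, switching `snc/only_encrypted_gui` to 1 is the check that actually enforces encryption, because with the rollout settings a client that disables SNC in SAP Logon still connects in plaintext.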