Solved: SAP SSO Extension Library (sapssoext) Licensing/do...

Former Member · ‎10-23-2006

We are trying to support SAP logon tickets as a part of our java based application. Can someone please shed some light on how we can get the library and is that library available for everyone or just SAP customers? If it is just for customers how can vendors support SAP log on tickets?

Strehle · ‎10-24-2006

Hello,

the library can be downloaded in the SAP service marketplace http://service.sap.com/swdc -> search here for SAPSSOEXT

The library has a hard dependency to either the library SAPSECU or SAPCRYPTOLIB and thererfore the problems with the license depend more on is the customer entitled to use one of the mention libraries.

The question about none SAP customers is difficult to answer. In general it makes no sense for non-SAP customers, because all of these libraries are verfication libaries. Only a SAP system can create such logon tickets and therefore it is only interesting for SAP customers.

Normally a SAP customer uses the SAP logon tickets to enable a non-SAP system (internal employee portal for HR or something else) with SAPSSOEXT, so that in the external portal the users of SAP are checked.

kind regards,

-markus

Strehle · ‎10-24-2006

Hello,

the library can be downloaded in the SAP service marketplace http://service.sap.com/swdc -> search here for SAPSSOEXT

The library has a hard dependency to either the library SAPSECU or SAPCRYPTOLIB and thererfore the problems with the license depend more on is the customer entitled to use one of the mention libraries.

The question about none SAP customers is difficult to answer. In general it makes no sense for non-SAP customers, because all of these libraries are verfication libaries. Only a SAP system can create such logon tickets and therefore it is only interesting for SAP customers.

Normally a SAP customer uses the SAP logon tickets to enable a non-SAP system (internal employee portal for HR or something else) with SAPSSOEXT, so that in the external portal the users of SAP are checked.

kind regards,

-markus

WolfgangJanzen · ‎10-24-2006

Well, it's not only SAPSSOEXT that is required.

You'll also need SAPSECULIB (or, alternatively, SAPCRYPTOLIB) which both are OEM libraries; that imposes the restriction to "SAP customers only".

But anyway, as Markus has highlighted, it does not make much sense to use SAPSSOEXT (and SAPSECULIB / SAPCRYPTOLIB) without at least one SAP system which is able to create such SAP logon tickets.

Please notice: you can obtain the <a href="https://www.sdn.sap.comhttp://www.sdn.sap.comhttp://www.sdn.sap.com/irj/sdn/downloaditem?rid=/library/uuid/cfc19866-0401-0010-35b2-dc8158247fb6">sap NetWeaver 2004s ABAP/Java Trial Version</a> here in SDN.

Former Member · ‎10-24-2006

Well the thing is we dont have SAP System internally but our clients who buy our product (web application hosted by us) have SAP and they generate the SAP logon tickets. our Java based application inturn need to consume SAP Logon Ticket -> decrypt -> authenticate the user.

Please advice.

Strehle · ‎10-24-2006

ok, then your customer has to download:

1) SAPSSOEXT:

<http://service.sap.com/~form/handler?_APP=00200682500000001943&_EVENT=DISPHIER&HEADER=N&FUNCTIONBAR=N&EVENT=TREE&TMPL=01200615320200007513&V=MAINT>

2) SAPSECU:

<http://service.sap.com/~form/handler?_APP=00200682500000001943&_EVENT=DISPHIER&HEADER=Y&FUNCTIONBAR=Y&EVENT=TREE&TMPL=01200615320100002465&NTYPE=L_C&V=MAINT&TA=ACTUAL>

Documentation is here: <http://help.sap.com/saphelp_nw04/helpdata/en/12/9f244183bb8639e10000000a1550b0/frameset.htm>

and inside the SAPSSOEXT package, including a JAVA example.

regards,

-markus

Former Member · ‎10-24-2006

Markus, thanks for your reply - I think I have enough help for where i can find the libraries and how to implement. But mainly what i am looking is the licensing details -

1) we host the web application and clients has SAP system. Can we have the Library downloaded by clients and we host it ?

2) Also we want to package in our application for any clients to use if they have their SSO.

I have tried to contact someone internal to SAP for the above details but they wanted me to post it here to get these details.

WolfgangJanzen · ‎10-25-2006

Dear Sai,

to clarify the legal aspects kindly submit a <a href="mailto:security@sap.com">mail request to SAP Security Product Management</a>. Markus and me are not able to provide an answer to that question.

Back to technology:

Are you aware that you need to import the signer's certificate in order to be able to verify the digitally signed SAP logon ticket?

Are you further aware that you might need to perform a user mapping (based on the "userID" contained in the ticket as well as on the issuer information (also contained in the ticket: "systemID" and "client") - since uniqueness is only assured for the complete tuple <userID, systemID, client>) - if your application is using its own user management. Open issue: there is no Identity Provisioning - your user management system will not be notified on changes of the remote user management (new/modified/deleted user accounts).

Regards, Wolfgang

Former Member · ‎10-26-2006

Thanks Wolfgang for the information that is very useful. I haven't started implentation yet but trying to get all the information if this integration is possible at all. I just dont want to spend lot of development time to realize that there will be licensing issues with the library. so I guess I have to wait until sap security team get backs to me. Do you know usually how much time does it takes for secury team to reply?

Former Member · ‎11-13-2006

We are trying to get the SAPSSOEXT_2-20001126.SAR running on HP-UX B.11.23 U ia64, but are entering problems. We get the following error:

libsapssoext.so is not a valid load module: Bad magic number.

Can anybody please help? Is the libsapssoext.so the only library we need for this? We were able to get the SAPSSOEXT running on Windows putting the sapsecu.lib and sapsecu.dll and sapssoext.dll in the windows/system32 folder. On Windows it runs like a charm, but why are we getting the above descibed error on UNIX?

Thanks and Regards,

Felix

Former Member · ‎11-14-2006

Hi Felix,

yes, you also need the sapseculib or the sapcryptolib. As Markus Link did not work for me, here is a different link to the <a href="https://service.sap.com/~form/handler?_APP=00200682500000001943&_EVENT=DISPHIER&HEADER=Y&FUNCTIONBAR=Y&EVENT=TREE&TMPL=01200615320200006395&NTYPE=L_CV&V=MAINT&TA=ACTUAL&U=D033099&PAGE=SEARCH">SAPSECULIB 5.4</a> download page.

Strehle · ‎11-14-2006

Hi,

here again a URL for <a href="http://service.sap.com/~form/handler?_APP=00200682500000001943&_EVENT=DISPHIER&HEADER=N&FUNCTIONBAR=N&EVENT=TREE&TMPL=01200615320200007513&V=MAINT">SAPSSOEXT</a>.

On HP-UX you have to set the environment variable SHLIB_PATH to the directory where the libraries are. If you still have problems with the library, then it is the best to open a OSS ticket on component BC-SEC-SSF.

-markus

Former Member · ‎11-14-2006

Hi Markus,

thank you for your reply. It seems as if the both libsapsecu.so and libsapssoext.so do not work on our HP-UX ia64. Just for the case, this is my testclass:

public class testloadlib {

public static String SECLIBRARY ;

/**

@param args

*/

public static void main(String[] args) {

// TODO Auto-generated method stub

try {

System.out.println("java.library.path ist: " + System.getProperty("java.library.path"));

//SECLIBRARY = "libsapsecu.so";

//System.loadLibrary(SECLIBRARY);

System.load("/BEA/dev_streamline/shlibs/libsapsecu.so");

System.load("/BEA/dev_streamline/shlibs/libsapssoext.so");

System.load("/BEA/dev_streamline/shlibs/sapsecin");

System.out.println("SECLIBRARY loaded.");

}

catch (Throwable e) {

System.out.println ("Error during initialization of SECLIBRARY or SSO2TICKET:\n" + e.getMessage());

}

We have set SHLIB_PATH to /BEA/dev_streamline/shlibs. Loading other .so files than

libsapsecu.so and libsapssoext.so works fine. Here again our error message:

" '/BEA/dev_streamline/shlibs/libsapsecu.so' is not a valid load module: Bad magic number." Same with the libsapssoext.so.

Now my question: Where exactly can I open a OSS ticket and what is the meaning of BC-SEC-SSF? This is my first case in the SAP Network.

Many thanks to all of you!

Felix

Former Member · ‎11-14-2006

Hi Felix,

maybe a dumb question, but did you compile the application to be 64bit ? The message may also indicate, that the application is a 32 bit app trying to load a 64bit lib.

Regards,

Patrick

Strehle · ‎11-14-2006

Hi Felix,

Patrick might be right, you should check whether:

java -d64 myClass ...

works. Depending on your VM (you should check with java -help for a 64 bit option) you can run java code in 32 or 64 bit process mode.

The SAP shared libraries for SAPSECU, SAPCrypto and SAPSSOEXT are per default for 64 bit on HP ia64. Therefore if you run java programs the switch between 32 and 64 is not so difficult, in own native programs you have to take care about the compilation process to set a flag in your compiler!!!

I guess you are SAP customer, then you should have access to http://service.sap.com/message . In the Service Portal you can create a request. In the process to create such a ticket you can assign it to a component, this means BC-SEC-SSF. (basis component - security - secure store forward).

regards,

-markus

Former Member · ‎11-14-2006

Hi Markus,

here is what I get when I enter "java -version":

java -version

java version "1.4.2.09"

Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2.09-050713-03:34)

Java HotSpot(TM) Server VM (build 1.4.2 1.4.2.09-050713-09:59-IA64N IA64, mixed mode)

I think this looks good. Right? I also tried "java -d64 myClass" and "java -d32 myClass", but the error message again is "'/BEA/dev_streamline/shlibs/libsapssoext.so' is not a valid load module: Bad magic number".

I try to open up now a ticket as you described. Do you or anybody else have any hints for me? I really appreciate all your help!

Felix

Former Member · ‎08-06-2009

Hi! Felix,

We have the same issue in the UNIX environment .We badly need help on this. If you managed to resolve this issue please let me know how did you resolve the issue.

Regards

Ramesh

tim_alsop · ‎08-06-2009

Ramesh,

if you have a request for assistance from the SDN community members, I suggest you open a new thread - if your request is similar to this thread, then you could refer to it in your thread. This thread is already marked as answered and so using a new thread will be much better, and more likely to receive a response.

Regards,

Tim

Strehle · ‎11-14-2006

Hi Felix,

this is what I got on our ia64 machine:

Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2.11-060824-11:11)

Java HotSpot(TM) Server VM (build 1.4.2 1.4.2.11-060824-16:35-IA64N IA64, mixed mode)

Therefore it seems ,that the linker on your machine has some problems. "Bad magic numer" means that the OS has a problem with the shared library format. Typically the problem is a mix of 32/64 bit software. You should run tests with the provided test programs SSO2Ticket.class and ssosamp (c program). The examples are in the SAPSSOEXT package.

java -d64 SSO2Ticket -i ~/ticket.txt -p ~/verify.PSE -L libsapsecu.so

or

./ssosamp -i ~/ticket.txt -p ~/verify.PSE -L libsapsecu.so

-

If you still have problems to get it running so that these examples run on your HP-UX, then it the best, that you open a customer message. In this customer message you can then open a connection to your system and we could logon to the machine directly.

___________________________________________________

In your example I see that you use BEA Web Application server. This is running with 32 Bit on your IA64 machine. We had another customer with a similar problem.

There the solution was, sorry we do not support 32 Bit libraries for HP-UX ia64. This means, in a new java process it should work as described, but if you want use it later with BEA then it wont work.

regards,

-markus

Former Member · ‎11-14-2006

It seems my thread got hijacked :). Anyways I am still looking for answers to below questions

1) We host the web application and clients has SAP system. Can we have the SSO Extension Library downloaded by clients and we host it ?

2) Also we want to package in our application for any clients to use if they have their SSO.

I have sent an email numerous times to SAP security team no response. Is there anyone who can help on this or know a contact that can help on this. I am kind of new to this SAP stuff and so far not liking it.

Former Member · ‎11-21-2006

Here is what I have got from SAP after number of emails

Dear Mr. Kolla,

after quite some discussions internally we came up with the following results:

The SAPSECULIB can only be downloaded by SAP customers and only those customers are allowed to use it. Concerning hosting activities the software may only be used by the SAP customer himself while he may give the software to his hosting providers.

If a SAP partner vendor wants to distribute the Library with his software, he has to get a license himself from the company it_Sec/Secude. Please understand that SAP also is just a OEM vendor of this software. We have a redistribution license from it_Sec/Secude that allows us to give the software to our customers but not to our partners for redistribution.

Best regards,

SAP Security

http://service.sap.com/security

mailto:security@sap.com

(6)

SAP SSO Extension Library (sapssoext) Licensing/download