Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Using sapcrypto with Rfc client

Former Member
0 Kudos
305

Hi All,

I am using an application written on top of Rfc Sdk library to communicate with Sap server. I want to use SNC with encryption. I came across this post(), which says that sapcrypto library is not licensed to use with Rfc client.

Is there exist some implementation of cryptographic library by sap, that could be used with Rfc client?

Also, I am not quite clear how these encryption certificates are to be configured in the client and server side and how it is being used by the gss library(for data encryption). Can someone point me to a doc/blog that gives an overall idea about this?

Any help would be highly appreciated!

Thanks,

Jeevitha

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos
221

Jeevitha,

As Sietze has explained, when SAP is on Windows Servers, and you want to use Kerberos protocol, you can use the SNC library provided by SAP. However, if SAP is on UNIX or Linux you need to consider other options (e.g. purchasing a SAP certified SNC library from a SAP partner).

If your RFC client application is running on a Windows Server, and users are authenticating to this server using Active Directory authentication (Kerberos protocol), then use of and Kerberos-based SNC library might be more suited to your needs, compared to one which uses x.509 certificates.

Thanks,

Tim

10 REPLIES 10

Former Member
0 Kudos
221

Hi,

Do u want SAProuter configuration with SNC Connection right. Your SAP Router worfectly now? You want how to apply SNC certificate renewel or new?

Regards

kesav

Former Member
0 Kudos
221

This is correct. You will need a license in that case.

Basically, using SNC with the SAP Crypto Library is like SSL with client authentication. Both parties of the communication identify themselves using X.509 certificates. A secret session key is negotiated and subsequently used for encrypting the contents of the session.

You can also investigate Kerberos if both sides (SAP server and RFC client) reside on Windows. In that case, no license is needed as all components can be gotten from SAP without any additional payments.

WolfgangJanzen
Product and Topic Expert
Product and Topic Expert
0 Kudos
221

>

> You can also investigate Kerberos if both sides (SAP server and RFC client) reside on Windows. In that case, no license is needed as all components can be gotten from SAP without any additional payments.

Well, Jeevitha wrote that he wants "to use SNC with encryption" - which cannot be achieved with the SNC wrapper libraries provided by SAP.

0 Kudos
221

>

> Well, Jeevitha wrote that he wants "to use SNC with encryption" - which cannot be achieved with the SNC wrapper libraries provided by SAP.

Are you suggesting that the SNC library provided by SAP which wraps SSPI is not able to encrypt communications ? Why not ? I thought that all SNC libraries were able to offer mutual auth, integrity and encryption ?

WolfgangJanzen
Product and Topic Expert
Product and Topic Expert
0 Kudos
221

>

> Are you suggesting that the SNC library provided by SAP which wraps SSPI is not able to encrypt communications ? Why not ? I thought that all SNC libraries were able to offer mutual auth, integrity and encryption ?

Well, at least the NTLM library is definetly unable to provide anything else than authentication - "integrity" and "confidentiality", both QoP are not offered by that SNC library (because the underlying Microsoft SSPI does not).

Frankly speaking, I'm not 100% sure, but as far as I remember also the SNC wrapper for the MS-Kerberos SSPI does not provide more than "authentication".

Notice: not all SNC libraries / products offer all GSS-API Quality-of-Protection (QoP) levels.

Nightly greetings,

Wolfgang

0 Kudos
221

>

> Well, at least the NTLM library is definetly unable to provide anything else than authentication - "integrity" and "confidentiality", both QoP are not offered by that SNC library (because the underlying Microsoft SSPI does not).

yes, that makes sense. I am more concerned about the Kerberos protocol SNC library and not the NTLM library provided by SAP.

>

> Frankly speaking, I'm not 100% sure, but as far as I remember also the SNC wrapper for the MS-Kerberos SSPI does not provide more than "authentication".

It is important to know this - how can we get this confirmed ? I have talked to SAP customers who are using the SAP supplied SNC library and they beleive it is giving them encryption of the session, so if it doesn't do this we need to inform these customers so they know they are less protected than they thought. Can you ask Martin Rex if he can confirm ?

>

> Notice: not all SNC libraries / products offer all GSS-API Quality-of-Protection (QoP) levels.

I hope this only applies to NTLM SNC library provided by SAP and not to any Kerberos or x.509 SNC library.

>

> Nightly greetings,

> Wolfgang

0 Kudos
221

I am quite sure that the SAP supplied kerberos libraries support encryption. I can even remember looking through the source code that encryption is turned for suitable QoP levels. Unless, of course, you don't regard RC4 as safe....

Edited by: Sietze Roorda on Jul 9, 2009 7:40 PM

0 Kudos
221

Siteze,

ok, that is good. This is what I thought was the case aswell, but it was the comment from Wolfgang that made me doubt it.

Yes, I consider RC4 and AES (when using Windows Server 2008 version of AD) to be safe.

Thanks,

Tim

WolfgangJanzen
Product and Topic Expert
Product and Topic Expert
0 Kudos
221

Sorry, my fault - Martin (sitting opposite of me) just pointed to [SAP Note 352295|https://service.sap.com/sap/support/notes/352295] which states:

"GSSKRB5.DLL will provide a secure mutual authentication along with integrity and confidentiality protection for the entire communication."

Well - isn't that clear enough ...?

Mea culpa.

(I should not post any statements when I'm tired ... - don't worry, I was not coding any stuff at that point of time)

tim_alsop
Active Contributor
0 Kudos
222

Jeevitha,

As Sietze has explained, when SAP is on Windows Servers, and you want to use Kerberos protocol, you can use the SNC library provided by SAP. However, if SAP is on UNIX or Linux you need to consider other options (e.g. purchasing a SAP certified SNC library from a SAP partner).

If your RFC client application is running on a Windows Server, and users are authenticating to this server using Active Directory authentication (Kerberos protocol), then use of and Kerberos-based SNC library might be more suited to your needs, compared to one which uses x.509 certificates.

Thanks,

Tim