on 2017 Jul 26 2:50 PM
Dear Experts,
At a customer we want to authenticate to Fiori Launchpad using SPNEGO. For SAP GUI we use X.509 certificates, issued with CN=<USERNAME>.
As SPNEGO is using the SU01 SNC name, we need to make sure the value, e.g. p:CN=<USERNAME>@DOMAIN, is the same for both. This works if we issue certificates using the SLS in this way: CN=<USERNAME>@DOMAIN
We want to avoid changing the current user certificates and to make use of SPNEGO in parallel for WDA (ICM).
Now we are looking for a way to strip the REALM part from the Kerberos ticket received from the client, e.g. <USERNAME>@DOMAIN, and to use the Principal part only. According to SAP Note 2338952 - CommonCryptoLib 8.5: Configuration Profile Parameters, we set the parameter ccl/snc/server_partner_name_kerb = PrincipalOnly.
Now we expected to receive a Kerberos ticket which is stripped by inner functions of the crypto library to <USERNAME> before being compared with the SNC name stored in USRACL, which we changed from p:CN=<USERNAME>@DOMAIN to p:CN=<USERNAME>.
THIS WORKS FOR SAP GUI (SNC). Unfortunately this does not seem to work for ICM!!
Question: Is there any setting available to enable name conversion for the SPNEGO authentication on the ICM? If not, pls. consider this as a feature request; even with very old AS Java SPNEGO it is possible to configure Principal only mappings. I would love to have something in the SPNEGO transaction of the AS ABAP or in spnego/construct_SNC_name.
Regards, Carsten
We implemented a workaround, similar to these steps:
If there is an easier way to achieve this without changing the SNC Names in all AS ABAP please let me know.
Cheers, Carsten