2006 Dec 12 1:04 PM
Hello,
We have an R3 system with SSO enabled for SAPGUI. We would like to setup an SNC RFC connection with another R3 system so we are in the AS-ABAP -> AS ABAP (RFC) scenario.
The SSO is using the kerberos library gi64krb5.dll.
Do you know if it is possible to enable SNC using the sapcrypto.dll and continue using the kerberos library for SSO?
Do you think using the following parameters would do the trick:
snc/gssapi_lib = gi64krb5.dll
ssf/ssfapi_lib = sapcrypto.dll
sec/libsapsecu = sapcrypto.dll
snc/identity/as = p:SAPService<SID>@<DOMAIN>
Do you know if there a way to use the sapcrytpo lib for both purposes (SNC for ABAP-ABAP RFC and SSO for SAPGUI)?
Thanks a lot for your answers,
Florin
PS: I am aware that the parameters listed above are not all needed for enabling SNC and SSO. I only listed those related with the library and the name.
2006 Dec 12 1:10 PM
I'm sorry to tell you the bad news: it is <b>not possible</b> to operate <u>two SNC libraries</u> (in parallel) at <u>one</u> application server instance.
However, you are describing to use SAPCRYPTOLIB for SSF (and potentially also for SSL) and "gi64krb5.dll" as SNC library. <u>That</u> is possible. But that's not related to your question regarding the simultaneous usage of two SNC libraries ...
Regards, Wolfgang
2006 Dec 12 1:10 PM
I'm sorry to tell you the bad news: it is <b>not possible</b> to operate <u>two SNC libraries</u> (in parallel) at <u>one</u> application server instance.
However, you are describing to use SAPCRYPTOLIB for SSF (and potentially also for SSL) and "gi64krb5.dll" as SNC library. <u>That</u> is possible. But that's not related to your question regarding the simultaneous usage of two SNC libraries ...
Regards, Wolfgang
2006 Dec 12 1:23 PM
Hi Wolfgang,
Thanks for your reply.
Then what would be the approach to achieve my goal (SSO for GUI and SNC for RFC with another AS ABAP)?
Can sapcrypto.dll cover both aspects?
Thanks a lot,
Best Regards,
Florin
2006 Dec 12 5:04 PM
No - the other way round: use the Kerberos SNC library for both purposes (i.e. client-server and server-server communication).
SAPCRYPTOLIB is only released for usage (as SNC library) for server-server communication. That's an OEM license restriction.
Regards, Wolfgang
2006 Dec 12 6:14 PM
Thanks Wolfgang.
Last question, I promise
Like I said I want to use SNC RFC between two AS ABAP. One is on Windows (and currently has Kerberos library installed and used for SAPGUI connection). The other system is UNIX Solaris.
According to note 150380 using a kerberos SNC library on Unix is not really supported by SAP. The interoperability can be tested with the GSSTEST tool but if it comes to support then the OS vendor is responsible.
Just to resume:
- using sapcrypto - NOT possible because only supported for server-server
- using kerberos - in heterogenous environments no full support from SAP
Do you know if there is other option to achieve what I am looking for?
Thanks a lot for your valuable help,
Regards,
Florin
2006 Dec 13 7:48 AM
Hi Florin,
the note relates to the ggskrb5.dll we ship and is meant for the combination of this dll being used on the SAP-GUI side and a selfmade dll on the server side. The reason in this case is, that gsskrb5.dll is just a wrapper to some MS APIs, we do neither control nor can support ourselves.
If you are using a certified product (I do not know which vendors dll gi64krb5.dll is) and have installed this product on the server as well as on the client this is supported. If the product is not certified, maybe you can ask the vendor to certify it.
regards, Patrick
2006 Dec 13 8:43 AM
Florin,
If you are looking for a single product, which is SAP certified, commercially supported, and allows you to use SNC with Kerberos between SAP GUI and SAP ABAP as well as SAP ABAP -> SAP ABAP, and works in both Windows and UNIX environments, then you might want to check http://www.cybersafe.com/links/snc.htm
Regards,
Tim
2006 Dec 13 1:19 PM
> Just to resume:
> - using sapcrypto - NOT possible because only supported for server-server
> - using kerberos - in heterogenous environments no full support from SAP
Well, indeed that is a conflict which can currently not be resolved - unless using a 3rd party SNC product that is available on both platforms (Windows and Solaris) and which can be used for both purposes (client-server and server-server communication), like Tim has pointed out (presenting one of the certified vendors).
Regards, Wolfgang
2006 Dec 13 3:43 PM
"gi64krb5.dll" is provided by SAP - see attachment "win64sso.zip" of <a href="http://service.sap.com/~iron/fm/011000358700000431401997E/0352295">SAP Note 352295</a>.
Cheers, Wolfgang
2007 Oct 29 3:48 PM
Hi,
we are facing something simular - is it possible to connect to two active directories at the same time?
Thanks,
Tobias