
SNC via Kerberos and SAPCRYPTOLIB

Former Member
0 Kudos

Hi,

Is it possible for Kerberos (gsskrb5) to interoperate with SAPCRYPTOLIB?

I have an R3 system where SNC is enabled, using Kerberos (gsskrb5.dll). The parameter snc/permit_insecure_start is set to false. I want to connect a SAP Business Connector system to the R3 system. When I test the RFC connection, I get the error "SNC Disabled start of insecure program" or something to that effect. Is there a way for me to correct this without setting the mentioned parameter to true?

To correct this, is it possible for me to use SAPCRYPTOLIB on the SAP BC Server? I mean generate a PSE for SAP BC (via sapgenpse) and import this to the R3 system, and make the necessary ACL changes on the R3 system.

Any tip or advice will be highly appreciated.

Cheers,

JLJ

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

No, Kerberos is not interoperable with SAP Cryptolib. When you are using SNC, both parties need to use the same protocol, so if Kerberos is being used at one side and X.509 certificates at the other they will not understand each other.

If you have a system where you are using a Kerberos library and want to set up RFC connections with other SAP systems then you also need to use an SNC library to allow the server-to-server communications to work. You can use RFC between these systems without using SNC since that will be supported if both systems have correct instance parameters to allow this.

Thanks,

Tim

2 REPLIES

Former Member
0 Kudos

Another way to address your situation is to use a SAPcryptolib-compatible library and combine it with ADS / Kerberos authentication for the SAP users. That way you can implement SNC connections with servers that use SAPcryptolib and still keep your ADS / Kerberos authentication for users. My company has worked with a number of customers who have implemented such secure SSO solutions (both SNC and SSL), combined with SNC encryption between SAP servers.

Peter