
Is it possible to configure client encryption only without SSO

former_member185954
Active Contributor
0 Kudos

Hello,

We are attempting to implement encryption of communication between a user desktop (SAPGUI/SAP NWBC) and SAP ABAP Application Server (SAP ECC 6.0 EHP7).

We have tried the following:

1. Download SAP Secure Login Library and configure it on ABAP Application Server

2. Configure it as per guide available on help.sap.com/nwsso.

3. Setup SNC on SAP ABAP server as per the guide and standard SNC parameters.

4. Download SAP SNC Client Encryption software from service.sap.com/swdc -> Installs and Upgrades -> Browse our Download Catalog -> SAP Cryptographic Software -> SNC Client Encryption 1.0 -> Installation (Note: We don't have a license for SAP NW Single Sign-On, available in the path SAP NetWeaver and Complementary Products, as we don't intend to use SSO).

5. Installed SAP SNC Client Encryption

6. Configured SAP Logon pad (SAP GUI 7.3 being used) entries to respond to SNC details, however checked the box which says, SNC logon with userid/password (no SSO required).

Every time a login is attempted, we get the following in our SAPGUI trace:

*** ERROR => SncPEstablishContext() failed for target='p:CN=CT054577@xyz.com' [sncxxall.c 3386]

*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3352]

      GSS-API(maj): No credentials were supplied

    Unable to establish the security context

    target="p:CN=CT054577@xyz.com"

<<- SncProcessOutput()==SNCERR_GSSAPI

There are a couple of threads which point to a similar issue; however, one thread is unanswered and the other thread involves integration with Active Directory and hence may not be applicable for us. Since we are not integrating with Active Directory (Kerberos integration), nor do we want to use SSO, we simply want to encrypt the communication channel between the user desktop and the SAP Application Server.

Not sure if we are doing the right thing and hence want to know if it's possible in the first place.

Any help would be useful.

Regards,

Siddhesh


tim_alsop
Active Contributor
0 Kudos

Hi,

The SAP client encryption library uses Kerberos, so that the Kerberos session key can be used to perform the encryption/decryption. The use of Kerberos requires a KDC (Kerberos Key Distribution Center), and Active Directory is often used as a KDC since users normally log on to their workstations using an AD user account. Do your users log on to their workstation using an AD account, or do you use some other credential store when users log on to Windows workstations? The error message you show suggests that the user is not logged onto a domain, and this is why 'No credentials were supplied' is shown.

Thanks

Tim

former_member185954
Active Contributor
0 Kudos

Hello Tim,

Thanks for your response.

The user is logged into a Windows domain; however, it looks like even if I don't wish to use SSO or integrate with Kerberos, I still need to create a service user on Active Directory with a principal name specific to my SAP SID.

Further put that Principal name into keytab on the SAP Application ABAP server SNC PSE followed by creating a SAP LOGON PAD entry with a canonical name that matches the principal name. 

Let me try that and get back to you.

I was hoping that I don't have to use Kerberos integration.

Regards,

Siddhesh

tim_alsop
Active Contributor
0 Kudos

Yes, that is correct. As I explained, Kerberos is used so that Active Directory can issue an encryption key during the logon.

Regards,

Tim
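
For anyone triaging the same trace, the following is an added example, not part of the original thread and not SAP code: it collapses the SNC error lines quoted in the question into one record (failing function, SNC error code, target name, GSS-API major status). The `HINTS` table and the function name are hypothetical and reflect only what the replies above state.

```python
import re

# Constructed sample: the SAP GUI trace lines quoted in the question.
SAMPLE_TRACE = """\
*** ERROR => SncPEstablishContext() failed for target='p:CN=CT054577@xyz.com' [sncxxall.c 3386]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3352]
      GSS-API(maj): No credentials were supplied
    Unable to establish the security context
    target="p:CN=CT054577@xyz.com"
<<- SncProcessOutput()==SNCERR_GSSAPI
"""

ERROR_RE = re.compile(r"^\*\*\* ERROR => (\w+)\(\)(?:==(\w+))?.*?\[(\S+) (\d+)\]")
TARGET_RE = re.compile(r"target=['\"]([^'\"]+)['\"]")
GSS_RE = re.compile(r"GSS-API\((maj|min)\):\s*(.+)")

# Hypothetical hint table, built only from what the replies in this thread say.
HINTS = {
    "No credentials were supplied":
        "No Kerberos credential was available to the client library: check the "
        "workstation domain logon and the AD service principal for the SAP server.",
}

def summarize_snc_failure(trace):
    """Collapse the trace lines of one failed SNC context setup into a record."""
    rec = {"function": None, "snc_error": None, "name_type": None,
           "target": None, "gss": {}, "sources": [], "hint": None}
    for raw in trace.splitlines():
        line = raw.strip()
        err = ERROR_RE.match(line)
        if err:
            rec["function"] = rec["function"] or err.group(1)
            rec["snc_error"] = err.group(2) or rec["snc_error"]
            rec["sources"].append((err.group(3), int(err.group(4))))
        tgt = TARGET_RE.search(line)
        if tgt:
            # SNC names carry a type prefix before the first colon ("p:" here).
            rec["name_type"], _, rec["target"] = tgt.group(1).partition(":")
        gss = GSS_RE.search(line)
        if gss:
            rec["gss"][gss.group(1)] = gss.group(2).strip()
    major = rec["gss"].get("maj", "")
    rec["hint"] = next((h for k, h in HINTS.items() if major.startswith(k)), None)
    return rec

if __name__ == "__main__":
    for key, value in summarize_snc_failure(SAMPLE_TRACE).items():
        print(f"{key:10} {value}")
```
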