on 06-09-2014 3:10 PM
Dear Experts,
When trying to decide which route to go for SSO, X.509 certificate or Kerberos token, for an SAP ABAP system only, I am a bit confused.
These are the main steps for using X.509. All the documents I found only talk about installing Secure Login Server on AS Java by using Telnet/JSPM deployment. Can we not do the same for AS ABAP? If that is true, does that mean X.509 certificates can only be used for ABAP + JAVA systems and not for ABAP only?
X.509 Certificate:
1. Install and Configure Secure Login Server on SAP AS Java system.
2. Install Secure Login Client
3. Install and Configure Secure Login Library on SAP AS ABAP
4. Configure User Mapping in SAP AS ABAP/JAVA
On the other hand Kerberos seems much simpler because installation of Secure Login Server is not required for AS ABAP.
1. Install and Configure Secure Login Library
Configure SPNEGO & SNC in SAP AS ABAP
2. Install Secure Login Client
3. Configure user mapping in AS ABAP.
Kindly advise.
Of course you can use X.509 certificates without AS JAVA and without SAP SSO (the product). You will then just need to figure out how to generate and deploy the certificates to your users assuming you don't already have a PKI within your company. With SAP SSO that happens automatically. Correct, ABAP SPNEGO doesn't require SLS. You can use ABAP SPNEGO assuming you purchase SAP SSO licenses and your system meets the requirements (version, SP level, kernel, etc.).
OK, that makes sense. And that is the reason the SSO 2.0 Kerberos-based solution using SPNEGO seems more doable to me.
Before purchasing SAP SSO license I just want to make sure our system meets the requirements.
Here's our current systems details:
SAP System Data: SAP CRM ABAP 7.0
kernel version is 720_REL, Patch 500.
OS is AIX 64 bit, Database is "DB6 10.05.0003"
CRM ABAP 7.0 is supported according to PAM.
https://websmp102.sap-ag.de/~sapidb/011000358700000373232013E
Just double-checking, do you happen to see any gotchas with the versions?
Thanks!
If you are planning to use Kerberos-based authentication only for SAP GUI, you should be fine. You won't be able to use Kerberos authentication for web applications; the requirements are listed in SAP note 1798979.
We don't intend to use this on other web applications except for web gui.
From what I understood, we create 2 values for "servicePrincipalName" for the user in AD: one for the SNC interface for GUI and the other entry for the web interface for web GUI users. With SNC/SPNEGO configured, and the Kerberos keytab also configured for SPNEGO/SNC in ABAP, users should be able to log in to GUI and web GUI.
That said, below are our current versions. Do we still have to upgrade the kernel version?
S/W component Release Level Highest Support Package
SAP_BASIS 702 0012 SAPKB70212
Kernel
kernel make variant 720_REL , Unicode, AIX 64 BIT, Patch number 500.
The setup of SPNs etc. is not the issue here. In order to have SPNEGO ABAP support for web applications (webgui is one) considering that you are on 7.02, you will need at least SP14 of SAP_BASIS or else you will have to contact SAP. Regarding the kernel, I would just upgrade to the newest 7.21 kernel (PL 300). It might work with your current kernel but it won't be a supported combination.
The note says that PL 110 or higher is recommended so you can go to PL 300 directly. The EXT kernels are downward compatible, meaning they are a safer choice than the standard (REL) kernels. Make sure the combination of OS and DB is supported, however. See SAP note 1716826 for details. If in any doubt, create a new discussion thread in the space.