Difference between SSO using X.509 and Kerberos

Former Member
0 Kudos

Dear Experts,

When trying to decide which route to go for SSO, X.509 certificate or Kerberos token, for an SAP ABAP system only, I am a bit confused.

These are the main steps for using X.509. All the documents I found only talk about installing Secure Login Server on AS Java by using Telnet/JSPM deployment. Can we not do the same for AS ABAP? If that is true, does that mean X.509 certificates can only be used for ABAP + JAVA systems and not for ABAP only?

X.509 Certificate:

1. Install and Configure Secure Login Server on SAP AS Java system.

2. Install Secure Login Client

3. Install and Configure Secure Login Library on SAP AS ABAP

4. Configure User Mapping in SAP AS ABAP/JAVA

On the other hand Kerberos seems much simpler because installation of Secure Login Server is not required for AS ABAP.

1. Install and Configure Secure Login Library

   Configure SPNEGO & SNC in SAP AS ABAP

2. Install Secure Login Client

3. Configure user mapping in AS ABAP.

Kindly advise.

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Of course you can use X.509 certificates without AS JAVA and without SAP SSO (the product). You will then just need to figure out how to generate and deploy the certificates to your users, assuming you don't already have a PKI within your company. With SAP SSO that happens automatically. Correct, ABAP SPNEGO doesn't require SLS. You can use ABAP SPNEGO assuming you purchase SAP SSO licenses and your system meets the requirements (version, SP level, kernel, etc.).

Former Member
0 Kudos

OK, that makes sense. And that is the reason the SSO 2.0 Kerberos-based solution using SPNEGO seems more doable to me.

Before purchasing an SAP SSO license I just want to make sure our system meets the requirements.

Here are our current system details:

SAP System Data: SAP CRM ABAP 7.0

kernel version is 720_REL, Patch 500.

OS is AIX 64 bit, Database is "DB6 10.05.0003"

CRM ABAP 7.0 is supported according to PAM.

https://websmp102.sap-ag.de/~sapidb/011000358700000373232013E

Just double-checking, do you happen to see any gotchas with the versions?

Thanks!

Former Member
0 Kudos

If you are planning to use Kerberos-based authentication only for SAP GUI, you should be fine. You won't be able to use Kerberos authentication for web applications; the requirements are listed in SAP note 1798979.

Former Member
0 Kudos

We don't intend to use this on other web applications except for Web GUI.

From what I understood, we create 2 values for "servicePrincipalName" for the user in AD: one for the SNC interface for GUI and the other entry for the web interface for Web GUI users. With SNC/SPNEGO configured, and the Kerberos keytab also configured for SPNEGO/SNC in ABAP, users should be able to log in to GUI and Web GUI.

That said, below are our current versions. Do we still have to upgrade the kernel version?

S/W component     Release     Level     Highest Support Package
SAP_BASIS         702         0012      SAPKB70212

Kernel

Kernel make variant: 720_REL, Unicode, AIX 64 BIT, patch number 500.

Former Member
0 Kudos

The setup of SPNs etc. is not the issue here. In order to have SPNEGO ABAP support for web applications (webgui is one) considering that you are on 7.02, you will need at least SP14 of SAP_BASIS or else you will have to contact SAP. Regarding the kernel, I would just upgrade to the newest 7.21 kernel (PL 300). It might work with your current kernel but it won't be a supported combination.

Former Member
0 Kudos

OK, so SAP_BASIS level SP14 and Kernel 7.21 Patch level 300 are required/recommended.

Right now we are on 720_REL but are still not using 720_EXT. So when upgraded, can we just go to 721_REL, or is 721_EXT a definite requirement?

Former Member
0 Kudos

The note says that PL 110 or higher is recommended, so you can go to PL 300 directly. The EXT kernels are downward compatible, meaning they are a safer choice than the standard (REL) kernels. Make sure the combination of OS and DB is supported, however. See SAP note 1716826 for details. If in any doubt, create a new discussion thread in the space.