SNC related JCo Parameters

S0020961829
Explorer
0 Kudos

Hi Experts,

I am interested in all the JCo properties which can be used for an SNC connection. Only five properties were mentioned in General Comments Pertaining to the SNC Configuration (sap.com). Those five properties are SNC_MODE, SNC_MYNAME, SNC_PARTNERNAME, SNC_QOP, SNC_LIB. But later I found out that there can be one more property, i.e. X509CERT, which can be used in case I want to use X509Cert SNC communication. Now I want to know all the other possible properties which can be used as part of the configuration in an SNC connection.

Accepted Solutions (1)

Ulrich_Schmidt
Product and Topic Expert

X509CERT is not really related to SNC communication: it is a completely different logon mechanism! (It is only mentioned together with SNC because, in order to use X509CERT logon, the backend system usually requires that the connection be encrypted with SNC.)

So basically, SNC can be used for two completely different things:

  • Encrypting the traffic
  • Performing a logon routine to establish a user identity

These two things are independent of one another. But by default, if not specified otherwise, they are both executed at the same time by the external RFC libraries, i.e. the SNC PSE is first used to set up an encrypted line and then presented to the backend for user identification. (For this, the SNC_MYNAME needs to be mapped to an SAP user in transaction SU01.)

However, it is also possible to separate these two things, e.g. use SNC only for encrypting the line, and then do the user logon via an alternative logon mechanism, like

  • user & password
  • X509CERT parameter
  • one of the SAP proprietary tokens: SSO2 ticket, assertion ticket and re-entrance ticket
  • SPNego
  • etc. depending on what your backend's kernel release supports.

This brings into play one more SNC parameter, the 6th in addition to the 5 parameters mentioned in the document you cited:

SNC_SSO = 0/1

The value "1" is the default and means: "use the PSE also for user logon". "0" means: only perform encryption, and then additional connection parameters need to be provided by the application, which are then used for logon (like in your example the X509CERT parameter, which contains a base64-coded certificate that needs to be mapped to a SAP user in transactions EXTID_DN or CERTRULE).

Unfortunately, this parameter (SNC_SSO) is a bit "misleadingly named". It stands for "single-sign-on", but has nothing to do with the single-sign-on mechanism implemented by the original SSO and SSO2 tickets. SNC_SSO=1 simply means that the logon is performed by whichever authentication mechanism your installed SNC product uses. This could be Microsoft Kerberos tokens, if you use Kerberos as your SNC solution, or it could be the exchange and mutual verification of X.509 certificates, if you use the SAP Crypto Lib as your SNC solution. (Which, while we are at it, has nothing to do with the X509CERT parameter, as that one uses a completely independent logon mechanism... Well, all of this has developed "historically" over 30-40 years, so it is not really "stream-lined and logical"...)

S0020961829
Explorer
0 Kudos

Thanks Ulrich Schmidt!

Can you help me with the JCo parameters which can be used as part of the logon mechanism (as if SNC_SSO = 1) by different security products like Kerberos, SAP Crypto Lib, X509CERT, etc.?

Ulrich_Schmidt
Product and Topic Expert
0 Kudos

Hi Anshu,

from JCo side, there is nothing special you need to do. Just install & setup the SNC product according to its documentation, e.g. Microsoft's documentation for Kerberos, or SAP's documentation for SAP Cryptolib or for the Secure Login Client (a convenient tool for setting up SNC on Windows frontends), and then provide the library name and the SNC partner name in the JCo properties. (For Kerberos, the SNC myname may be required in addition, but for SAPCryptolib it can - and should - be omitted, because the SAPCryptolib supports only one single user identity per operating system user, and already knows it automatically after installation. So supplying the SNC myname in the JCo configuration doesn't add any benefit and can only cause problems, if it is wrong...)

A typical JCo configuration would then look like:

jco.client.snc_mode="1"
jco.client.snc_partnername="p:CN=A74, OU=SAP Web AS, O=SAP-AG, C=DE"
jco.client.snc_qop="9"
jco.client.snc_lib="C:\Program Files\SAP\FrontEnd\SecureLogin\lib\sapcrypto.dll"

And the usual hostname, client, logon language, system number, etc. that you also need for ordinary connections. That's all.
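The two answers above describe the same JCo SNC properties in prose: the four properties of the typical configuration, the default SNC_SSO=1 behaviour where the SNC identity is also used for the logon, and the SNC_SSO=0 case where SNC only encrypts the line and the logon material (for example a base64-encoded certificate in X509CERT) has to be supplied separately. The following Java class is an added example written for this page; it is not code from the thread or from SAP. It implements a JCo 3 DestinationDataProvider that builds both variants side by side, omits SNC_MYNAME as the answer recommends for SAP Cryptolib, and refuses to hand out a destination whose SNC_SSO=0 has no alternative credential. Host name, system number, client, the partner name, the library path and the certificate file name are placeholders (assumptions), not values from the thread.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Base64;
import java.util.Properties;

import com.sap.conn.jco.JCoDestination;
import com.sap.conn.jco.JCoDestinationManager;
import com.sap.conn.jco.JCoException;
import com.sap.conn.jco.ext.DestinationDataEventListener;
import com.sap.conn.jco.ext.DestinationDataProvider;
import com.sap.conn.jco.ext.Environment;

/**
 * Added example (not from the thread): an in-memory DestinationDataProvider
 * that serves two SNC destinations:
 *   "SNC_PSE"  - SNC encryption + logon with the SNC identity (SNC_SSO=1, the default)
 *   "SNC_X509" - SNC encryption only (SNC_SSO=0) + logon via the X509CERT parameter
 * All connection values below are placeholders and must be replaced.
 */
public class SncDestinations implements DestinationDataProvider {

    // Placeholders (assumptions for this example, not values from the thread)
    private static final String ASHOST  = "a74.example.internal";
    private static final String SYSNR   = "00";
    private static final String CLIENT  = "100";
    private static final String PARTNER = "p:CN=A74, OU=SAP Web AS, O=SAP-AG, C=DE";
    private static final String SNC_LIB = "C:\\Program Files\\SAP\\FrontEnd\\SecureLogin\\lib\\sapcrypto.dll";
    private static final Path   CERT    = Path.of("client-cert.der"); // DER-encoded client certificate

    /** Properties every SNC destination needs: encrypt the line with the maximum QoP. */
    private static Properties sncBase() {
        Properties p = new Properties();
        p.setProperty(DestinationDataProvider.JCO_ASHOST, ASHOST);
        p.setProperty(DestinationDataProvider.JCO_SYSNR, SYSNR);
        p.setProperty(DestinationDataProvider.JCO_CLIENT, CLIENT);
        p.setProperty(DestinationDataProvider.JCO_LANG, "EN");
        p.setProperty(DestinationDataProvider.JCO_SNC_MODE, "1");
        p.setProperty(DestinationDataProvider.JCO_SNC_PARTNERNAME, PARTNER);
        p.setProperty(DestinationDataProvider.JCO_SNC_QOP, "9");   // 9 = maximum protection available
        p.setProperty(DestinationDataProvider.JCO_SNC_LIBRARY, SNC_LIB);
        // No JCO_SNC_MYNAME: with SAP Cryptolib the single PSE identity is picked up automatically
        return p;
    }

    /** Variant 1: SNC_SSO=1 (default). The SNC identity is also used for the logon (mapped in SU01). */
    static Properties pseLogon() {
        Properties p = sncBase();
        p.setProperty(DestinationDataProvider.JCO_SNC_SSO, "1");
        return p;
    }

    /** Variant 2: SNC_SSO=0. SNC only encrypts; the logon uses a base64-encoded DER certificate. */
    static Properties x509Logon(Path derCert) throws IOException {
        Properties p = sncBase();
        p.setProperty(DestinationDataProvider.JCO_SNC_SSO, "0");
        String b64 = Base64.getEncoder().encodeToString(Files.readAllBytes(derCert));
        p.setProperty(DestinationDataProvider.JCO_X509CERT, b64);   // mapped via EXTID_DN or CERTRULE
        return p;
    }

    /** Sanity check: SNC_SSO=0 without any alternative credential cannot log on, so fail early. */
    static void checkLogonMaterial(Properties p) {
        if ("0".equals(p.getProperty(DestinationDataProvider.JCO_SNC_SSO))
                && p.getProperty(DestinationDataProvider.JCO_X509CERT) == null
                && p.getProperty(DestinationDataProvider.JCO_USER) == null) {
            throw new IllegalStateException("SNC_SSO=0 but no X509CERT, user/password or ticket supplied");
        }
    }

    @Override
    public Properties getDestinationProperties(String name) {
        try {
            Properties p;
            switch (name) {
                case "SNC_PSE":  p = pseLogon(); break;
                case "SNC_X509": p = x509Logon(CERT); break;
                default: throw new RuntimeException("unknown destination " + name);
            }
            checkLogonMaterial(p);
            return p;
        } catch (IOException e) {
            throw new RuntimeException("cannot read certificate " + CERT, e);
        }
    }

    @Override public boolean supportsEvents() { return false; }
    @Override public void setDestinationDataEventListener(DestinationDataEventListener l) { }

    public static void main(String[] args) throws JCoException {
        Environment.registerDestinationDataProvider(new SncDestinations());
        for (String name : new String[] {"SNC_PSE", "SNC_X509"}) {
            JCoDestination dest = JCoDestinationManager.getDestination(name);
            dest.ping();   // opens the SNC-protected connection and performs the logon
            System.out.println(name + ": logged on as " + dest.getAttributes().getUser());
        }
    }
}
```

Run it with sapjco3.jar and the native sapjco3 library on the classpath and library path, after the SNC product (here SAP Cryptolib via the Secure Login Client) has been set up as described in the answer. If the "SNC_PSE" destination pings but "SNC_X509" fails with a logon error, the line encryption is fine and the problem is the certificate-to-user mapping on the backend, which is exactly the separation of the two SNC roles the answer describes.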

Answers (0)