Skip to Content
0

SAP Single Sign On - Kerberos And X.509

Mar 25, 2017 at 03:55 PM

199

avatar image

We are trying to implement SAP Single Sign On and SNC Client Encryption as follows:

A limited number of users will use Single Sign On with an Entrust token.

All other users will use passwords, but with SNC client Encryption.

We have successfully implemented both features, but are running into the following problem.

For the users who will use SNC client encryption only, we set the SAP Logon Entry SNC name as p:CN=SAPServiceXXX.

However, when the backend system also has the X.509 configuration enabled, the SNC name in the SAP logon gets automatically updated to the corresponding X.509 name and the SNC client encryption fails.

How can we prevent the automatic change of the SNC name ?

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

1 Answer

Best Answer
Carsten Olt Mar 30, 2017 at 01:13 PM
1

Hi Avinash,

you must use one SNC Name snc/identityas for both scenarios. The SNC Name in the sap logon is distributed by message server reading this parameter. just create a x.509 snc certificate from strust while keeping the name for snc client encryption. Or wait one month and use SNC Client Encryption 2.0 which is much simpler to implement and no longer only kerberos but also x.509 certificate based.

cheers,

Carsten

Share
10 |10000 characters needed characters left characters exceeded