
SNC with Kerberos AND SAPCRYPTOLIB on the same server

Hello All,

I have set up my systems using SSO with Kerberos. Since these SAP systems run on UNIX, I used SNC to connect to the MIT Kerberos library.

This part works flawlessly.

I now am supposed to setup SSO from an external ITS 6.20 PL24 to this same SAP Server and therefore need to create a SNC PSE in transaction STRUST.

I configured all necessary profile parameters like ssf/name and sec/libsapsecu and so on, according to the SNC Guide.

I now face the problem that I am unable to create a SNC SAPCRYPTOLIB PSE (I of course installed this lib and also set OS variable SECUDIR to point to the appropriate directory).

Whenever I try to create a PSE I receive the error message: Message TRUST040 'error in creating pse'

Does anyone know, whether or not I can have Kerberos AND SAPCRYPTOLIB Support for SNC in one Application Server?

Thanks in advance,

Christian

Edited by: Christian Guenther on Feb 25, 2008 5:10 PM


3 Answers

  • Best Answer
    Feb 25, 2008 at 04:19 PM

    Christian,

    I am sure you are already aware of the security issues and support considerations when using MIT kerberos libraries, and I also hope you are aware that there are commercial alternatives available that are fully supported and SAP certified.

    Anyway, you also need to be aware that when you use SNC in SAP you have to code the snc/gssapi_lib parameter, which then specifies where the SNC library is. This SNC library is the only SNC library that can be used by the SAP system, so if you want to use SAPCRYPTOLIB for SNC between ITS AGATE and SAP you need to use the same protocol. From your question it sounds like you are using Kerberos for SAP GUI -> SAP and trying to use X.509 certificates for ITS AGATE to SAP - this is clearly not possible without the SAP system supporting two different protocols.

    The company I represent (CyberSafe) has a product which is installed on a SAP ITS AGATE server to provide SSO and SNC security with SAP application servers using Kerberos. If you want to know more, or see a demo please contact me offline using the email address in my business card.

    Thanks,

    Tim

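A small configuration check, added here as an example and not part of the thread or of any SAP tool, for the single-SNC-library point in Tim's answer: it parses a constructed instance-profile fragment (hypothetical SID and paths) and reports which provider snc/gssapi_lib binds, so a mixed Kerberos/SAPCRYPTOLIB setup like Christian's is visible before STRUST is even opened. The use of snc/enable and the library-name heuristic are assumptions of this example.

```python
"""Report which SNC provider an SAP instance profile binds and flag mixed setups."""
from pathlib import Path

# Constructed profile fragment (hypothetical SID "XYZ" and paths): SNC is bound
# to an MIT Kerberos GSS-API library while SAPCRYPTOLIB is configured for SSF.
SAMPLE_PROFILE = """\
# instance profile (constructed example)
snc/enable = 1
snc/gssapi_lib = /usr/sap/XYZ/SYS/exe/run/libgssapi_krb5.so
ssf/name = SAPSECULIB
sec/libsapsecu = /usr/sap/XYZ/SYS/exe/run/libsapcrypto.so
"""

def parse_profile(text):
    """Parse 'key = value' lines of an SAP profile; '#' lines are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params

def library_vendor(path):
    """Guess the crypto provider from the library file name (heuristic)."""
    name = Path(path).name.lower()
    if "sapcrypto" in name or "sapsecu" in name:
        return "SAPCRYPTOLIB"
    if "krb5" in name or "gssapi" in name:
        return "Kerberos"
    return "unknown"

def snc_report(params):
    """Return the one SNC provider bound by snc/gssapi_lib plus any warnings."""
    report = {"snc_enabled": params.get("snc/enable") == "1",
              "snc_provider": None, "ssf_provider": None, "warnings": []}
    gss = params.get("snc/gssapi_lib")
    if gss:
        report["snc_provider"] = library_vendor(gss)
    elif report["snc_enabled"]:
        report["warnings"].append("snc/enable=1 but snc/gssapi_lib is not set")
    ssf = params.get("sec/libsapsecu")
    if ssf:
        report["ssf_provider"] = library_vendor(ssf)
    # One SNC library per application server: with Kerberos bound here,
    # SAPCRYPTOLIB cannot be a second SNC provider (X.509) on the same instance.
    if report["snc_provider"] == "Kerberos" and report["ssf_provider"] == "SAPCRYPTOLIB":
        report["warnings"].append(
            "snc/gssapi_lib binds Kerberos; SAPCRYPTOLIB cannot also provide SNC here")
    return report

if __name__ == "__main__":
    print(snc_report(parse_profile(SAMPLE_PROFILE)))
```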

  •
    Former Member
    Feb 28, 2008 at 03:40 PM

    Christian,

    it is possible to combine the benefits of using an existing Windows infrastructure (Kerberos) for user authentication and the benefits of X.509 certificate based security functionality like SAPCRYPTOLIB provides. The key is to separate the user authentication step from signing into SAP and securely communicating. Feel free to contact me, if you want to learn more.

    Peter


  • Mar 15, 2008 at 10:56 AM

    As it turned out - you simply can't have more than one cryptographic provider on one application server!


    • Christian,

      Since your SAP system is using an SNC Kerberos library for SAP GUI SSO, and you want to secure the connection from SAP ITS AGATE, I can help you with this if you are still interested. You just need to use Kerberos between AGATE and the SAP system, and then you don't need to have more than one SNC library on the SAP system.

      Thanks

      Tim