NW RFC SDK: Non-SAP to ABAP with username (trust relationship)

Hello,

I have a quite challenging non-SAP-to-ABAP RFC scenario with a trust relationship.

Here’s the scenario:

An Oracle database server acts as an RFC client and calls RFC function modules in an ABAP server. (I assume the Oracle programmers are going to use NW RFC SDK 7.1 or JCo 3.0 on the Oracle server and call that from their PL/SQL based database application.)

The challenge is that I don’t want to use a single “technical user” on the ABAP side, because that would mean that all the users on the Oracle side would be mapped to one single ABAP user. Also, I don’t want to have to store individual ABAP passwords on the Oracle side.

Instead, I want the ABAP server to trust the RFC client the same way it might

a) trust a NetWeaver AS Java server after installing the Java server’s certificate in transaction STRUSTSSO2 or

b) the way it might trust another ABAP server after configuring a trust relationship (transaction SMT1?)

The ABAP server should accept incoming RFC connections from the Oracle RFC client with just the user name and no password given and run the resulting processes in the ABAP system under the user id given in the RFC call.

I imagine the ideal solution somehow along the following lines (simplified scenario for a PC-based prototype):

- I download and run a program that creates a certificate file (public key?) which I import into the ABAP system.

- The same program creates a matching file (private key?) for the RFC client.

- For reasons of simplicity, let us imagine the RFC client as a stand-alone Java SE application running on a PC.

- The Java SE application uses the JCo library to connect to the ABAP system.

- When opening the connection, it passes a username, but no password. Instead, it passes a Base64-encoded string that was generated by our key/certificate generator program.

- On the ABAP side, the function modules are run under the username used by the Java SE application when establishing the RFC connection.

Is that possible at all? How would you solve this?

Thank you very much in advance and best regards,

Thorsten

4 Answers

  • Best Answer
    Jul 03, 2009 at 08:18 AM

    > Hello,

    > I have a quite challenging non-SAP-to-ABAP RFC scenario with a trust relationship.

    > Here’s the scenario:

    > An Oracle database server acts as an RFC client and calls RFC function modules in an ABAP server. (I assume the Oracle programmers are going to use NW RFC SDK 7.1 or JCo 3.0 on the Oracle server and call that from their PL/SQL based database application.)

    So, the RFC client is not a user agent (i.e. acting on behalf of a single individual human being) but a server component (i.e. serving multiple users). In such a server-to-server communication scenario you cannot use any mechanism (here: any SNC product) that identifies the communication partner (here: the RFC client = server component) for Single Sign-On purposes.

    > Instead, I want the ABAP server to trust the RFC client the same way it might

    > a) trust a NetWeaver AS Java server after installing the Java server’s certificate in transaction STRUSTSSO2 or

    > b) the way it might trust another ABAP server after configuring a trust relationship (transaction SMT1?)

    Sorry, but that's not possible.

    In both cases proprietary tokens are used in combination with this proprietary protocol (RFC) - and external parties are not able to create those tokens.

    The solution is: use standards - here: WS-Security (SAML Tokens).

    The NetWeaver Application Server (NWAS) ABAP does support WS-Security as of release 7.0.

    You might want to take a look at https://wiki.sdn.sap.com/wiki/display/Security/SingleSignonforWeb+Services for further details.

    Regards, Wolfgang


    • Well, I think you've got the point - and I'm sure you'll soon realize that you have to invest quite some effort to achieve a sound and robust solution.

      Session (and Resource) Management is quite critical - with regards to security (i.e. to ensure not to "mix up" the sessions, assigning wrong backend connections) and robustness (i.e. to ensure that unused sessions are closed, releasing server resources - otherwise there will be a "resource leak" resulting in a system halt).

      Conclusion: the more components are involved, the more effort needs to be invested to achieve a sound and robust system compound.

      -> end-to-end communication is preferred over mediated communication (via numerous middleware components)

      Don't get me wrong: I'm not promoting monolithic (ABAP) systems.

      I just want to create some awareness that compounds of (inhomogeneous) system components (Distributed Systems) introduce a new kind of challenge.

      -> once you've managed to achieve SSO you are only halfway through (or even less)

      -> you also have to keep track of the sessions you have created using SSO techniques

      -> you have to provide SLO (single logoff) functionality, as well

      Cheers, Wolfgang

  • Jul 02, 2009 at 10:24 PM

    Hi,

    You can do this using impersonation with SNC authentication/security. You can use any SNC mechanism you like, e.g. Kerberos or X.509. The approach used is the same approach used by the external ITS product when SSO is implemented on the ITS server using a PAS module - in this case, the ITS server passes a userid (no password) over an SNC session to the ABAP server, and since the ABAP server considers SNC to be secure it trusts the connection and is able to issue an SSO2 ticket for the given userid. When the SSO2 ticket has been issued, this can be used to authenticate the RFC connection.

    Sorry if the above is a bit vague - I don't have time right now to search and remind myself of the exact details, but I know what you want can be achieved using the above approach. I hope it is helpful in some way.

    Thanks,

    Tim


    • >

      > Is my understanding correct here?

      Yes, your understanding is correct. Also, if you only need to make one RFC call for each Oracle user you can avoid the 'get SSO2 ticket' part and just use the SNC session (secured using a single Kerberos identity or X.509 cert) to run your RFC on the ABAP server.

      >

      > Also, suppose I trust my RFC client completely. This means that I don't want any external authority to check username/password combinations coming from the RFC client or even validating the individual usernames against any other database (such as a Windows domain). If there is an SNC authority, I want it to be as "dummy" as possible.

      I am not quite sure I understand what you are asking, but it might help to understand that SNC is an interface for secure connections and for authentication. The SNC interface requires a GSS-API v2 library, and since GSS-API is a standard you can use standard security mechanisms such as Kerberos or X.509. The security mechanism used by the GSS-API library must be the same on both client and server. It is also recommended that you use an SAP certified library to benefit from a reliable and supported solution. There are a few vendors who provide such SNC libraries and they are described on SAP EcoHub.

      >

      > Am I thinking along the right lines here?

      >

      > Best regards,

      >

      > Thorsten

  • Jul 02, 2009 at 10:16 PM

    Hi Thorsten,

    perhaps my Blogs:

    Authenticate from PHP to a Web Service using X.509 Certificates

    /people/gregor.wolf3/blog/2006/09/30/authenticate-from-php-to-a-web-service-using-x509-certificates

    Setup data encryption between RFC Client and Web AS ABAP with SNC

    /people/gregor.wolf3/blog/2006/09/29/setup-data-encryption-between-rfc-client-and-web-as-abap-with-snc

    can be a guide into the right direction.

    Is there a human user involved using a Web Application? Then another possibility to have Single Sign On could be Kerberos authentication to the Portal and then using the SAP Logon Ticket (SSO2Ticket) for the RFC Connection.

    Best regards

    Gregor


  • Jul 04, 2009 at 06:11 PM

    Hi Thorsten,

    please check out my other Blog:

    Single Sign On with External ID implemented in Ruby

    /people/gregor.wolf3/blog/2006/09/30/single-sign-on-with-external-id-implemented-in-ruby

    I think that will lead you to the solution. In short, it uses SNC to establish a first RFC connection which is used to call the Function Module SUSR_CHECK_LOGON_DATA. The external username has to be passed to this function module. The mapping of the external username to an SAP user has to be maintained in VUSREXTID. Then the Function Module will return an SSO2 Ticket that can be used to establish another RFC connection which then uses the other user's credentials. I think it should be straightforward to rewrite my example, e.g. in Java using SAP JCo.

    Best regards

    Gregor

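The two-hop flow that Tim and Gregor describe (one SNC-secured connection under the client's own identity, a call to SUSR_CHECK_LOGON_DATA to obtain an SSO2 ticket for the mapped user, then a second connection that logs on with that ticket) sketched in Java with SAP JCo 3.0. This is an added example, not Gregor's Ruby code and not SAP's documentation: the host, system number, client, SNC names, library path and destination names are made-up placeholders, the JCo property constants and `Environment.registerDestinationDataProvider` are real JCo 3.0 API, and the import/export parameter names on SUSR_CHECK_LOGON_DATA (`AUTH_METHOD`, `AUTH_EXTID`, `AUTH_EXTID_TYPE`, `AUTH_TICKET`) are my assumption from the thread's description and must be checked against the function module's signature in SE37 before use. The VUSREXTID mapping for each external ID has to exist on the ABAP side, exactly as Gregor says.

```java
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;

import com.sap.conn.jco.JCoDestination;
import com.sap.conn.jco.JCoDestinationManager;
import com.sap.conn.jco.JCoException;
import com.sap.conn.jco.JCoFunction;
import com.sap.conn.jco.ext.DestinationDataEventListener;
import com.sap.conn.jco.ext.DestinationDataProvider;
import com.sap.conn.jco.ext.Environment;

public class SncTicketImpersonation {

    // Placeholder destination names (assumptions, not from the thread).
    private static final String SNC_SERVICE_DEST = "ORACLE_SNC_SERVICE";
    private static final String TICKET_DEST_PREFIX = "USER_TICKET_";

    // In-memory DestinationDataProvider so no .jcoDestination files are needed and
    // per-user ticket destinations can be created and dropped at runtime.
    static final class InMemoryProvider implements DestinationDataProvider {
        private final Map<String, Properties> store = new ConcurrentHashMap<>();
        private DestinationDataEventListener listener;
        public Properties getDestinationProperties(String name) { return store.get(name); }
        public boolean supportsEvents() { return true; }
        public void setDestinationDataEventListener(DestinationDataEventListener l) { listener = l; }
        void put(String name, Properties p) { store.put(name, p); if (listener != null) listener.updated(name); }
        void remove(String name) { store.remove(name); if (listener != null) listener.deleted(name); }
    }

    private static Properties baseSystemProperties() {
        Properties p = new Properties();
        p.setProperty(DestinationDataProvider.JCO_ASHOST, "abaphost.example.local"); // placeholder
        p.setProperty(DestinationDataProvider.JCO_SYSNR, "00");                    // placeholder
        p.setProperty(DestinationDataProvider.JCO_CLIENT, "100");                  // placeholder
        p.setProperty(DestinationDataProvider.JCO_LANG, "EN");
        // SNC on every hop: the service identity authenticates hop 1, and the SSO2 ticket
        // on hop 2 is integrity- and confidentiality-protected (QOP 3) instead of travelling in the clear.
        p.setProperty(DestinationDataProvider.JCO_SNC_MODE, "1");
        p.setProperty(DestinationDataProvider.JCO_SNC_QOP, "3");
        p.setProperty(DestinationDataProvider.JCO_SNC_LIBRARY, "/opt/snc/libsapcrypto.so");     // placeholder path
        p.setProperty(DestinationDataProvider.JCO_SNC_PARTNERNAME, "p:CN=ABAP, O=Example, C=DE"); // placeholder
        p.setProperty(DestinationDataProvider.JCO_SNC_MYNAME, "p:CN=OracleRfcClient, O=Example, C=DE"); // placeholder
        return p;
    }

    // Hop 1: the service connection. No user and no password are configured; the GSS-API
    // library authenticates the client with its own Kerberos/X.509 identity.
    static Properties sncServiceProperties() {
        return baseSystemProperties();
    }

    // Hop 2: a destination that logs on with the SSO2 ticket only (still no password).
    static Properties ticketProperties(String ssoTicket) {
        Properties p = baseSystemProperties();
        p.setProperty(DestinationDataProvider.JCO_MYSAPSSO2, ssoTicket);
        return p;
    }

    // Ask the ABAP side for an SSO2 ticket for the external ID. The ABAP server accepts the
    // request because it arrives over the trusted SNC session; the external ID is mapped to an
    // SAP user via VUSREXTID. Parameter names are assumptions; verify them in SE37.
    static String obtainTicketForExternalId(JCoDestination sncService, String externalId) throws JCoException {
        JCoFunction fn = sncService.getRepository().getFunction("SUSR_CHECK_LOGON_DATA");
        if (fn == null) {
            throw new IllegalStateException("SUSR_CHECK_LOGON_DATA not found in repository");
        }
        fn.getImportParameterList().setValue("AUTH_METHOD", "X");      // assumed: 'X' = external ID logon
        fn.getImportParameterList().setValue("AUTH_EXTID", externalId);
        fn.getImportParameterList().setValue("AUTH_EXTID_TYPE", "ID"); // assumed type key
        fn.execute(sncService);
        String ticket = fn.getExportParameterList().getString("AUTH_TICKET"); // assumed export name
        if (ticket == null || ticket.isEmpty()) {
            throw new IllegalStateException("No SSO2 ticket returned for external ID " + externalId);
        }
        return ticket;
    }

    // Runs RFC_SYSTEM_INFO (a real parameterless FM) under the mapped user's session and returns
    // the system ID, as a placeholder for the real business function module.
    static String runAsUser(InMemoryProvider provider, String externalId) throws JCoException {
        JCoDestination sncService = JCoDestinationManager.getDestination(SNC_SERVICE_DEST);
        String ticket = obtainTicketForExternalId(sncService, externalId);
        String destName = TICKET_DEST_PREFIX + externalId.replaceAll("[^A-Za-z0-9_]", "_");
        provider.put(destName, ticketProperties(ticket));
        try {
            JCoDestination userDest = JCoDestinationManager.getDestination(destName);
            JCoFunction info = userDest.getRepository().getFunction("RFC_SYSTEM_INFO");
            info.execute(userDest);
            return info.getExportParameterList().getStructure("RFCSI_EXPORT").getString("RFCSYSID");
        } finally {
            // Session/resource hygiene from Wolfgang's comment: drop the per-user destination so the
            // ticket and its pooled connections do not linger after the call.
            provider.remove(destName);
        }
    }

    public static void main(String[] args) throws JCoException {
        InMemoryProvider provider = new InMemoryProvider();
        Environment.registerDestinationDataProvider(provider);
        provider.put(SNC_SERVICE_DEST, sncServiceProperties());
        System.out.println("Called system " + runAsUser(provider, args.length > 0 ? args[0] : "oracle.user1"));
    }
}
```

Two design points worth noting. Only one credential lives on the Oracle side, the client's SNC identity (a Kerberos keytab or an X.509 key in the SNC library's PSE), and ABAP passwords for individual users are never stored or transmitted. The trust is therefore only as narrow as the ABAP configuration makes it: whichever SAP user owns the SNC service identity can request tickets for any external ID that is mapped in VUSREXTID, so that identity should be a locked-down service user, and the mappings in VUSREXTID should be reviewed like any other authorization.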