Application Development Discussions
Kerberos Delegation for SNC

Former Member

Hi,

I am evaluating different techniques for SSO. In my scenario, there is a non-SAP JEE server which supports integrated Windows Authentication using SPNEGO. The JEE server is able to use Credential Delegation when calling out to backend systems.

There is a Web application running on this JEE server to which the user does not need to log in manually, because her Windows credentials are accepted.

Now, the Web application requires data from a SAP ABAP backend system. It uses JCO to open an RFC connection (actually SNC). So far I found out how to use

- userid / password

- X.509 certificates

- MYSAPSSO2 tickets

to authenticate from my JCO client (Web app) to the ABAP backend.

My question is: Is there a way to use Kerberos Credential Delegation with JCO 3?

Any hint is appreciated.

Regards,

Jens

P.S. Right now, I am using SAP CryptoLib for the SNC connection from my JEE server to the ABAP backend. This somehow authenticates my JCO client (Web app) to the ABAP backend. However, in JCO, I still need to provide additional credentials (one of the 3 options from the list above).

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor

Jens,

Yes, this is actually quite easy to do.

You would need to use an SNC library which supports Kerberos on your ABAP backend, and you would need an SNC library which supports Kerberos on the JEE server. Then the JCO library will use the SNC library if the correct connection string is given. The SNC library on the JEE server will use the forwarded credentials of the user at the workstation. I have done this with JCO and also with .NET applications running on IIS. The concepts are the same.

Thanks,

Tim

5 REPLIES

Former Member

Tim, great!

Would you have some pointers to documentation about setting up such a scenario with one of the certified external security libraries?

I realise you are working for one of these companies. Feel free to do some advertising here.

Regards,

Jens

tim_alsop
Active Contributor

Jens,

I am not sure what you are expecting from me via SDN? If you are considering our product, and want to test this in your landscape, we can arrange a free evaluation and help you with the configuration. If you are already using another vendor's SNC Kerberos library, I am sure they can also help you with their library configuration.

Thanks,

Tim

Former Member

Hi Tim,

I am actually not looking for a product in my own landscape. I am trying to understand the set of options which I can recommend to my customers. My hope was to find some type of white paper, and I tried to indicate that I don't really care if and which external security library is involved, as this is the customer's decision and likely there is already something in place.

The point which is not yet clear to me is how I can use a delegated SPNEGO token for an outbound SNC request.

Assume my JEE server is running as SPN=HTTP/JEEServer.acme.com@acme.com

The end user has authenticated in Windows as CPN=alice@acme.com

The end user sends an HTTP request to my JEE server, which accepts the SPNEGO token for authentication. The JEE server triggers the Web application, which sends some HTML back to the user. On one of the pages, the user can trigger an action that makes the Web application call out to my SAP ABAP backend over SNC. The function module in SAP should execute on behalf of alice.

If the outbound call from my web application was a HTTP request, my Web app would request a service ticket for alice to call this backend service and it would attach this token to the HTTP request by setting the HTTP header "Authorization".

In case of SNC, there is no HTTP header of course, so I am not sure how to pass alice's service ticket to JCO (or the external security library).

When connecting to SAP over SNC using JCO, I can pass SNC MyName and SNC PartnerName as connection parameters. However, I additionally need to pass something either in the

- username + password parameters or

- X509cert parameter or

- MYSAPSSO2 parameter

The latter parameters determine the user identity under which the ABAP code executes. I haven't found a way to somehow pass my SPNEGO token to JCO.

Regards,

Jens

tim_alsop
Active Contributor

Jens,

Thank you for explaining. I thought my previous explanation was clear enough, but I assumed you were familiar with how Kerberos delegation/forwarding works.

In the web environment, the browser sends a GSS-API token to the Web server wrapped inside an SPNEGO token. The web server unwraps the SPNEGO token, finds the GSS-API token and uses this token to accept the security context. At the Kerberos protocol mechanism level, this means the web server is taking a service ticket from the browser and decrypting it using the key in the keytab found on the web server. If ticket forwarding is used, this process will result in a forwarded TGT of the user in the Kerberos credentials cache at the web server, so that the web server code can connect to other systems and use this user's TGT for Kerberos auth. In your case, this is what you want, so that the JEE server can use the user's credentials from the Kerberos credentials cache and authenticate to the backend using JCO/RFC/SNC.

So, within the context of the user logged onto the web server, the credentials of the user will be present. These credentials will be used if, in the same context, an RFC connection is triggered via JCO and RFC SNC parameters are used in the connection string.

Hopefully this helps? It seems from your previous post that you are trying to understand how the Web with SPNEGO is linked to the RFC connection, which is not HTTP based. Hopefully you can see now that this is done using the Kerberos credentials cache on the web server in the user context, so that all code running in this context can access these credentials as if the user was logged onto the web server directly.

In the RFC connection, you would use SNC_PARTNERNAME and SNC_MYNAME to specify the Kerberos principal names of the user and the backend system, but you won't be needing to specify a userid and password, X.509 cert or MYSAPSSO2. The SNC parameters will determine the user identity under which the function module executes because of the mapping information in the USRACL table. As I mentioned, you need a Kerberos SNC library on the backend, as well as on the JEE server.

Thanks,

Tim
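The two halves of the exchange above (Jens's question about handing the delegated SPNEGO identity to JCO, and Tim's answer that the JCo destination carries only SNC_MYNAME/SNC_PARTNERNAME and no user/password, certificate or ticket) as one added Java example. This is not code from the thread, from SAP or from any SNC vendor. It assumes: a Kerberos realm ACME.COM (the thread writes the realm in lower case; Kerberos realms are conventionally upper case), a keytab for HTTP/JEEServer.acme.com@ACME.COM reachable through the JVM's JAAS/krb5 configuration, an ABAP system NSP on sapnsp.acme.com (instance 00, client 100) whose Kerberos SNC name is p:SAPServiceNSP@ACME.COM, and a vendor SNC library at /opt/snc/libsnckrb.so that finds alice's forwarded TGT in the credential cache it reads. The class name, the destination-name prefix and the host, path and principal names are all assumptions. How the JGSS delegated credential is made visible to the native SNC library is vendor-specific and is deliberately not shown.

```java
// Added example for this thread (not code from the original posts, SAP or any SNC vendor).
// Assumed: realm ACME.COM; keytab for HTTP/JEEServer.acme.com@ACME.COM via JAAS/krb5 config;
// ABAP system NSP on sapnsp.acme.com (sysnr 00, client 100), SNC name p:SAPServiceNSP@ACME.COM;
// vendor SNC library /opt/snc/libsnckrb.so that reads alice's forwarded TGT from its credential
// cache. Moving the JGSS delegated credential into that cache is vendor-specific and NOT shown.
import java.util.Properties;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sap.conn.jco.JCoDestination;
import com.sap.conn.jco.JCoDestinationManager;
import com.sap.conn.jco.JCoException;
import com.sap.conn.jco.JCoFunction;
import com.sap.conn.jco.ext.DestinationDataEventListener;
import com.sap.conn.jco.ext.DestinationDataProvider;
import com.sap.conn.jco.ext.Environment;

public class KerberosSncBridge {

    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    private static final String DEST_PREFIX = "SNC_KRB_";   // assumed naming scheme

    /** Step 1: accept the browser's SPNEGO token; fail closed unless a forwarded TGT arrived. */
    public static GSSContext acceptSpnego(byte[] token) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSName service = mgr.createName("HTTP@JEEServer.acme.com", GSSName.NT_HOSTBASED_SERVICE);
        GSSCredential serverCred = mgr.createCredential(service, GSSCredential.INDEFINITE_LIFETIME,
                new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = mgr.createContext(serverCred);
        byte[] reply = ctx.acceptSecContext(token, 0, token.length);
        // A non-null reply would go back as "WWW-Authenticate: Negotiate <base64>"; omitted here.
        if (!ctx.isEstablished()) {
            throw new SecurityException("SPNEGO context not established after one round trip");
        }
        // Without a delegated credential the RFC could only run as the server's own principal.
        // Refuse here rather than silently downgrade to a service-account identity in ABAP.
        if (!ctx.getCredDelegState() || ctx.getDelegCred() == null) {
            throw new SecurityException("No delegated credential for " + ctx.getSrcName()
                    + " (is the JEE server's AD account trusted for delegation?)");
        }
        return ctx;
    }

    /** Step 2: a per-user JCo destination that authenticates with SNC only. */
    public static Properties sncDestinationFor(String userPrincipal) {
        Properties p = new Properties();
        p.setProperty(DestinationDataProvider.JCO_ASHOST, "sapnsp.acme.com");
        p.setProperty(DestinationDataProvider.JCO_SYSNR, "00");
        p.setProperty(DestinationDataProvider.JCO_CLIENT, "100");
        p.setProperty(DestinationDataProvider.JCO_SNC_MODE, "1");
        p.setProperty(DestinationDataProvider.JCO_SNC_LIBRARY, "/opt/snc/libsnckrb.so");
        p.setProperty(DestinationDataProvider.JCO_SNC_QOP, "3"); // 3 = authentication + integrity + privacy
        p.setProperty(DestinationDataProvider.JCO_SNC_PARTNERNAME, "p:SAPServiceNSP@ACME.COM");
        p.setProperty(DestinationDataProvider.JCO_SNC_MYNAME, "p:" + userPrincipal);
        // Deliberately absent: JCO_USER/JCO_PASSWD, JCO_X509CERT, JCO_MYSAPSSO2. The ABAP user is
        // resolved from SNC_MYNAME through the USRACL mapping (maintained with SNC0 / VUSREXTID).
        return p;
    }

    /** Minimal DestinationDataProvider: the destination name encodes the delegated user. */
    public static final class PerUserProvider implements DestinationDataProvider {
        public Properties getDestinationProperties(String name) {
            if (!name.startsWith(DEST_PREFIX)) return null;
            return sncDestinationFor(name.substring(DEST_PREFIX.length()));
        }
        public void setDestinationDataEventListener(DestinationDataEventListener l) { }
        public boolean supportsEvents() { return false; }
    }

    /** Step 3: call the backend as the delegated user and echo a string through STFC_CONNECTION. */
    public static String callAsUser(GSSContext ctx) throws GSSException, JCoException {
        String principal = ctx.getSrcName().toString();            // e.g. "alice@ACME.COM"
        JCoDestination dest = JCoDestinationManager.getDestination(DEST_PREFIX + principal);
        JCoFunction fn = dest.getRepository().getFunction("STFC_CONNECTION");
        fn.getImportParameterList().setValue("REQUTEXT", "snc delegation check for " + principal);
        fn.execute(dest);
        return fn.getExportParameterList().getString("ECHOTEXT");
    }

    public static void main(String[] args) throws Exception {
        if (!Environment.isDestinationDataProviderRegistered()) {
            Environment.registerDestinationDataProvider(new PerUserProvider());
        }
        // args[0]: the base64 value from the browser's "Authorization: Negotiate ..." header
        byte[] spnegoToken = java.util.Base64.getDecoder().decode(args[0]);
        GSSContext ctx = acceptSpnego(spnegoToken);
        System.out.println(callAsUser(ctx));
    }
}
```

Two checks worth keeping in production code: `getCredDelegState()` is only true when the browser actually forwarded a TGT, which requires the JEE server's account to be trusted for (unconstrained) delegation and the browser to allow it for that site; with constrained delegation nothing is forwarded in the AP-REQ, `getDelegCred()` is null, and the server would have to obtain alice's service ticket for the SAP SPN itself (S4U2Proxy) before the SNC library could use it. And the destination must not carry a fallback `JCO_USER`/`JCO_PASSWD`, otherwise a missing mapping in USRACL turns into a silent logon as the service user instead of an error.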