02-25-2008 4:37 PM
Hi,
I have a (perhaps stupid) question.
Is this scenario possible:
SNC connection from SAP GUI to SAP Router, and non-SNC connection from SAP Router to SAP System.
I know how to set up a scenario like this:
SAP System --- (non-SNC conn) --- saprouter1 --- (SNC conn) --- saprouter2 --- (non-SNC conn) --- SAP GUI.
Best regards,
Marek Majchrowski
02-25-2008 4:46 PM
Marek,
If you were able to set up such a connection, then the SAP GUI user would only be able to log on to the SAP Router, and not onto the SAP system behind the router - this is because SNC logon with SAP GUI needs to be end-to-end, e.g. SNC needs to be used by SAP GUI and also (using an SNC library supporting the same protocol) on the SAP Application Server.
Thanks,
Tim
02-25-2008 5:05 PM
Well, SNC is defining an end-to-end communication - in your case the two endpoints are the SAPGUI frontend and the ABAP application server. Anything in-between (like the two SAProuters) is not of interest for both communication endpoints.
Notice: the SAProuter operates on a different communication stack level (NI layer) and is therefore transparent to SAPGUI and the ABAP application server (both operating on the DIAG protocol layer, on top of the NI layer).
02-25-2008 5:24 PM
Wolfgang,
To be sure myself and Marek understand, can you confirm the different scenarios supported:
Scenario 1:
SAP GUI --- (non SNC conn) --- saprouter1 --- (SNC conn) --- saprouter2 --- (non-SNC conn) --- SAP System
With this scenario, it would be possible for a user to logon using SAP GUI onto the SAP System, but without SAP GUI SNC.
Scenario 2:
SAP GUI --- (SNC conn) --- saprouter1 --- (non SNC conn) --- saprouter2 --- (SNC conn) --- SAP System
With this scenario it would be possible to logon to the SAP System using SAP GUI, and using SNC authentication.
Also, with this scenario the SAP GUI software and SAP System software would consider this to be similar to:
SAP GUI -- (SNC conn) -- SAP System
Scenario 3:
This is the scenario mentioned by Marek in his initial question:
SAP GUI -- (SNC conn) -- saprouter1 -- (non SNC conn) -- SAP System
With this scenario it will not be possible to logon to SAP System using SNC, and only possible if the SAP GUI is configured to not use SNC. In other words the SNC connection between SAP GUI and saprouter1 is available, but cannot be used.
Thanks,
Tim
Edited by: Tim Alsop on Feb 25, 2008 5:24 PM
02-25-2008 8:32 PM
Marek,
I just got an email from somebody at SAP about this subject, and he confirmed the following:
-
It is possible to use SNC to protect the communication channel between two SAProuters, which then works somewhat like a protected VPN between the SAProuters. For communication traversing the SAProuter<->SAProuter connection this is completely transparent, and at the SNC-level one SAProuter is authenticated to the other SAProuter.
Components like SAPgui and the SAP AppServer do not speak SNC at the low level of SAProuters. They both use SNC at the application level in order to authenticate user<->backend or backend<->backend.
An SNC-authentication user<->SAProuter or SAProuter<->backend is not possible.
-
This confirms that my scenario 2 and 3 are not possible.
I hope this answers your question?
Thanks,
Tim
08-14-2015 1:00 PM
Hi Guys
Is the scenario:
SAP GUI -- (SNC conn) -- saprouter1 -- (non SNC conn) -- SAP System
Possible now?
Thanks
JP
08-14-2015 1:05 PM
No, that is not possible. SNC is used by SAP router at network layer and SNC is used by SAP GUI and NW ABAP for application/user authentication. You can do the following though:
SAP GUI ------------------ (SNC encryption, integrity and user authentication) ---> SAP ABAP
SAP Router <------ SNC encryption ------> SAP Router
Thanks
Tim
08-14-2015 2:11 PM
Thanks for the response.
We successfully connect from outside our domain (internet) from GUI via router to backend system.
Q: is there a way to secure this without SSO or third party software?
And as you recommended, the only way forward for us then is to create another saprouter for SNC to the backend to be able to work.
Thanks
JP