To protect communication in customer networks, SAP offers the SNC (Secure Network Communications) interface, the layer through which SAP systems hand authentication and transport protection to an external security product. Its best-known use is single sign-on, where users log in to SAP systems without entering a user name or password. Without SNC, the SAP GUI protocol (DIAG) is only compressed, not encrypted, so login credentials travel over the network in clear text. With SNC, the SAP GUI and the application server route their calls through the SAP Cryptographic Library (CommonCryptoLib), which protects all traffic between them.
SNC offers three levels of protection. The minimum level, "Authentication only", merely verifies the identity of the communication partners; the data exchanged afterwards is not protected. "Integrity protection" additionally detects tampering with the transmitted data, and "Privacy protection" encrypts the contents of every data packet. Because the scenario described here still sends a user name and password at logon, the servers should require privacy protection (profile parameter snc/data_protection/min = 3); only then do credentials and application data stay off the wire in clear text.
This represents an important step toward technical protection of SAP systems.
In the following, I’ll explain how SNC-encrypted communication can be set up without incurring the additional costs of implementing single sign-on (SSO).
The SAP Secure Login Client can be used to log in to the SAP system. It is a client application that provides security tokens (Kerberos tickets and X.509 certificates) for a variety of applications and uses the functions of the SAP Cryptographic Library (CommonCryptoLib).
Among other features, Secure Login supports user authentication either through the Windows domain (Active Directory, Kerberos) or through an X.509 certificate, the same kind of certificate used for SSL/TLS.
With SAP Single Sign-On 3.0, users can log in with SAP GUI over encrypted communications even when single sign-on itself is not used.
The prerequisites:
The following options are available for configuring the Secure Login Client:
To clarify use of the Secure Login Client, we asked the following question of SAP: “The SNC encryption to be implemented will only use the SAP Cryptographic Library of the Secure Login Client. SSO is not planned. Will costs be incurred anyway?”
The answer from SAP: “This case involves secure client encryption. This component can be used at no additional cost. Please note, however, that this approach provides ‘encryption only’. It cannot be used to implement single sign-on.”
If we follow this argument to its logical conclusion, the Secure Login Client can be used free of charge as long as SSO is not used.
An existing X.509 server certificate, such as the one already used for HTTPS, is used for SNC connection encryption. As a result, no connection to Microsoft Active Directory (Kerberos) is needed: the server's certificate and private key live in the SNC PSE, and CommonCryptoLib performs the encryption.
In this scenario, however, it is important to monitor the certificate's expiration date and renew it in time. Once the certificate has expired, SNC logons fail until a renewed certificate has been imported into the PSE.
How to prepare the ABAP system: in transaction STRUST, the PSE from the "SSL server Standard" node is copied to the "SNC SAPCryptolib" node. The SNC name of the application server is therefore derived from the subject of the SSL server certificate, for example "p:CN=<SID>.<customer>.de, OU=SAP Basis, O=<service provider>, L=Frankfurt am Main, C=DE", and must match the profile parameter snc/identity/as.
In SAP Logon, SNC must be activated in the connection entry for each user (Network tab, "Activate Secure Network Communication"), and the SNC name "p:CN=<SID>.<customer>.de, OU=SAP Basis, O=<service provider>, L=Frankfurt am Main, C=DE" must be entered there.
Provided all options have been set correctly and SNC is fully functional on the server side, the user can then log in over an encrypted network connection, which SAP GUI indicates with a closed padlock icon in the lower right corner of the status bar.
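Two things in the procedure above are easy to get wrong in practice: the SNC name must be spelled exactly as the certificate subject dictates in STRUST, in the instance profile and in every SAP Logon entry, and nobody notices an expiring certificate until logons fail. The following script is an added example, not code from the original article or from SAP. It takes the text that `openssl x509 -in server.crt -noout -subject -enddate` prints for the certificate exported from the "SSL server Standard" PSE, derives the "p:" SNC name from the subject, classifies the remaining validity, and renders the matching profile parameters. The sample output, the SID "ABC", the 30-day warning threshold and the Unix-style snc/gssapi_lib path are assumptions for illustration.

```python
"""Derive the SNC name from an X.509 server certificate and check its expiry.

Added example (not from the original article or from SAP). Input is the
output of:  openssl x509 -in server.crt -noout -subject -enddate
Both the OpenSSL 1.1+ subject format ("CN = a, OU = b") and the legacy
slash format ("/CN=a/OU=b") are handled.
"""
import re
from datetime import datetime, timezone

# Constructed sample output, not a real certificate; the DN follows the
# article's placeholder name with "ABC" standing in for the <SID>.
SAMPLE_OUTPUT = (
    "subject=CN = ABC.customer.de, OU = SAP Basis, O = service provider, "
    "L = Frankfurt am Main, C = DE\n"
    "notAfter=Mar 15 12:00:00 2031 GMT\n"
)
SAMPLE_LEGACY_OUTPUT = (
    "subject= /CN=ABC.customer.de/OU=SAP Basis/O=service provider"
    "/L=Frankfurt am Main/C=DE\n"
    "notAfter=Mar  5 08:30:00 2031 GMT\n"   # OpenSSL space-pads single-digit days
)


def parse_openssl_output(text):
    """Return (subject, notAfter) from 'openssl x509 -subject -enddate' output."""
    subject = not_after = None
    for line in text.splitlines():
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("notAfter="):
            not_after = line[len("notAfter="):].strip()
    if subject is None or not_after is None:
        raise ValueError("expected both a 'subject=' and a 'notAfter=' line")
    return subject, not_after


def subject_to_rdns(subject):
    """Split a printed DN into [(attribute, value), ...] in certificate order.

    The separator is ',' (modern) or '/' (legacy); a backslash-escaped
    separator inside a value stays part of the value.
    """
    sep = "/" if subject.startswith("/") else ","
    rdns = []
    for part in re.split(r"(?<!\\)" + re.escape(sep), subject):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value.strip().replace("\\" + sep, sep)))
    return rdns


def snc_name(subject):
    """Build the SNC name in SAP's 'p:' notation, e.g. 'p:CN=..., OU=..., C=DE'."""
    return "p:" + ", ".join(f"{a}={v}" for a, v in subject_to_rdns(subject))


def parse_not_after(not_after):
    """Parse OpenSSL's 'Mar 15 12:00:00 2031 GMT' into an aware UTC datetime."""
    normalized = " ".join(not_after.split())  # collapse the day padding
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def utc_time(iso):
    """Helper for fixing 'now' in checks, e.g. utc_time('2031-02-13T12:00')."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def check_snc_certificate(openssl_text, warn_days=30, now=None):
    """Derive the SNC name and classify expiry as OK, RENEW or EXPIRED."""
    subject, not_after = parse_openssl_output(openssl_text)
    now = now or datetime.now(timezone.utc)
    days_left = (parse_not_after(not_after) - now).total_seconds() / 86400
    if days_left <= 0:
        status = "EXPIRED"      # SNC logons fail until the PSE is renewed
    elif days_left <= warn_days:
        status = "RENEW"
    else:
        status = "OK"
    return {"snc_name": snc_name(subject), "not_after": not_after,
            "days_left": int(days_left), "status": status}


def profile_fragment(identity, level=3):
    """Instance profile parameters that pin the derived SNC name.

    Level 3 is privacy protection (encryption). The gssapi_lib path is a
    Unix-style assumption; the real value is platform dependent.
    """
    return "\n".join([
        "snc/enable = 1",
        "snc/gssapi_lib = $(DIR_EXECUTABLE)/libsapcrypto.so",
        f"snc/identity/as = {identity}",
        f"snc/data_protection/min = {level}",
        f"snc/data_protection/max = {level}",
        f"snc/data_protection/use = {level}",
        # Keeps password logons possible during rollout; set to 0 once
        # every SAP Logon entry has SNC activated.
        "snc/accept_insecure_gui = 1",
    ])


if __name__ == "__main__":
    result = check_snc_certificate(SAMPLE_OUTPUT)
    print(result["status"], result["days_left"], "days left")
    print("SNC name for STRUST / SAP Logon:", result["snc_name"])
    print(profile_fragment(result["snc_name"]))
```

Run it against the real export on a schedule and alert on anything other than OK; the derived name is the single string that has to appear identically in snc/identity/as and in the SNC Name field of each SAP Logon entry.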
SNC encryption based on the existing X.509 server certificate offers the following advantages:
If the certificate route is chosen, however, the expiration date must be monitored, because SNC cannot be used with an expired certificate.
An SNC implementation is possible at reasonable cost even without a full solution including SSO. In this context, we recommend SNC with certificate-based encryption, which reduces the implementation effort even further.
Do you want to learn more about technical safeguards for your SAP systems? Talk to our SAP security experts today.