Monday, March 28, 2011

SAP Security FAQs - Trust Relationship Management



How can I use a Single Sign On logon other than the SAP system logon with username and password (for example with Active Directory integration)?

For more information, see the documentation on "Pluggable Authentication Services" available at http://service.sap.com/security -> Security in Detail -> Trust Relationship Management -> Pluggable Authentication Services.

The document describes, for example, how you can reuse the Microsoft Windows NT/Windows 2000 standard logon as a Single Sign-On for SAP systems (including Employee Self-Service (ESS) systems). The Windows 2000 standard logon uses Active Directory. If you need user attributes that require direct access to Active Directory, you can still provide your own authentication service by attaching your own library to the Pluggable Authentication Service interface on the ITS AGate component of your SAP ESS installation.

How do I use SSO for SAP and non-SAP web applications?

You can use SSO with non-SAP web applications by means of SAP Logon Tickets. After the first authentication (by the mySAP Workplace), the browser holds the ticket in the MYSAPSSO2 cookie and sends it with every subsequent request to the cookie's domain, so your (non-SAP) applications also receive the ticket. The ticket is signed by the issuing system and can be verified by the receiving application; sample programs for reading and checking tickets are available in the download area of the MiniApp community page (Quick Link: miniapp). Note that a browser only sends the cookie to hosts within the domain the cookie was issued for. If you have two IIS instances running on two servers, IIS_number1 and IIS_number2, they must therefore be in the same web server domain, such as

   - server1.workplace.yourcompany.com
   - server2.workplace.yourcompany.com
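The domain constraint above is a consequence of browser cookie scoping. The following is an added example, not code from the FAQ or from SAP: it uses Python's standard-library cookie jar (whose policy follows browser rules) to show where a MYSAPSSO2 cookie issued for `.workplace.yourcompany.com` would travel. The cookie name is the real one used for SAP Logon Tickets; the ticket value, the URL paths and the assumption that the cookie is flagged Secure are constructed for the example.

```python
import http.cookiejar
import urllib.request

# Constructed placeholder for the ticket value; a real MYSAPSSO2 cookie holds a
# base64-encoded, signed ticket, but its content plays no role in domain scoping.
TICKET_VALUE = "QUpFWEFNUExFVElDS0VU"


def make_ticket_jar(cookie_domain, ticket=TICKET_VALUE):
    """Return a cookie jar holding MYSAPSSO2 the way a browser would after the
    Workplace set it with Domain=cookie_domain (e.g. ".workplace.yourcompany.com")."""
    jar = http.cookiejar.CookieJar()
    cookie = http.cookiejar.Cookie(
        version=0, name="MYSAPSSO2", value=ticket,
        port=None, port_specified=False,
        domain=cookie_domain, domain_specified=True,
        domain_initial_dot=cookie_domain.startswith("."),
        path="/", path_specified=True,
        secure=True,                 # assumption: ticket is flagged Secure (TLS only)
        expires=None, discard=True,  # session cookie, discarded when the browser closes
        comment=None, comment_url=None, rest={},
    )
    jar.set_cookie(cookie)
    return jar


def ticket_sent_to(jar, url):
    """True if the jar's browser-style cookie policy attaches MYSAPSSO2 to a
    request for url (domain match, path match and Secure flag all apply)."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return "MYSAPSSO2=" in request.get_header("Cookie", "")


def sso_reach(jar, urls):
    """Map each URL to whether the logon ticket would reach it."""
    return {url: ticket_sent_to(jar, url) for url in urls}


if __name__ == "__main__":
    jar = make_ticket_jar(".workplace.yourcompany.com")
    for url, reached in sso_reach(jar, [
        "https://server1.workplace.yourcompany.com/sap/app/",
        "https://server2.workplace.yourcompany.com/sap/app/",
        "https://intranet.yourcompany.com/",          # outside the cookie domain
        "http://server1.workplace.yourcompany.com/",  # right host, but no TLS
    ]).items():
        print(f"{'ticket sent' if reached else 'no ticket  '}  {url}")
```

Both Workplace servers receive the ticket; a server in a different DNS domain never sees it, so it cannot take part in SSO, and a plain-HTTP request to the right host is also refused the cookie because of the Secure flag.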

SAP Passports - where can I learn more about it?

On SAP Service Marketplace you can find a detailed description of the process in the presentation "SAP Passports - How to Get Started". To test SAP passport functionality in your SAP Workplace, please generate a Certificate Request (CR) and send a message on component BC-SEC to SAP via SAPNet R/3 Frontend (OSS) or SAP Service Marketplace. We will send you the necessary certificate for your Registration Authority (RA).

How do Pluggable Authentication Service and X.509 certificates work together?

The Pluggable Authentication Service (PAS) lets mySAP Workplace 2.11 use external authentication, for example by reusing the Windows NT logon for internal use (the user does not need to enter an additional username/password for mySAP Workplace 2.11), or by using RADIUS (for example with SecurID tokens) when the mySAP Workplace is accessed as a portal from outside. If you want to use certificate-based authentication, SAP components (as of SAP R/3 4.5) do not require PAS, since they natively support X.509 client certificate authentication.

Do I need a license for Pluggable Authentication Service (PAS)?

Customers no longer need to license the mySAP Workplace to be able to use PAS. All they need is an ITS, which is free of charge.

What do I need to do to install and configure the Pluggable Authentication Service (PAS)?

In short, you need:
   - to install/modify an ITS service (SAP-proprietary)
   - to install/modify the HTML logon template (standard HTML)
   - in certain cases: to write a DLL for connecting an external authentication server (such as Netegrity SiteMinder)
For more information, see
www.service.sap.com/security -> Security in Detail -> Trust Relationship Management -> Pluggable Authentication Service.

Does SAP offer a Trust Center?

Yes. For more information, see the SAP Service Marketplace using the alias /TCS. The SAP Trust Center Service issues client certificates, server certificates (for example for Secure Sockets Layer), and router certificates for service connections through SAProuter.

What are trusted systems?

Trusted systems are systems that have a relationship of trust between them. For example, if you have set up a trust relationship between system A and system B so that system B trusts system A (B is the trusting system, A the trusted system), a user who has logged on to system A can start a transaction in system B without entering a password, using the user ID from system A. The user still needs a user master record in system B and the authorization object S_RFCACL there; that authorization is what restricts who may enter through the trust relationship. This matters because a user ID and password stored in an RFC destination means that every caller of that destination connects as the same user, and accountability for what is done in the target system is lost.

Where is the SAP Passport physically stored?

Passports are stored wherever the browser stores its certificates. In the case of Microsoft Internet Explorer this is the Windows certificate store, which keeps the user's certificates in the registry. You can usually also replace the browser storage with a third-party product, for example a smart card or a central Personal Security Environment (PSE) server.

What is Kerberos?

Kerberos is a network authentication protocol developed by the Massachusetts Institute of Technology (MIT). It is designed to provide strong authentication for client/server applications by using secret-key cryptography. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and the server to a client) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business. (Source: http://web.mit.edu/kerberos/www/ )

How do I integrate an external product like Kerberos into Secure Network Communication from SAP?

Secure Network Communication (SNC) is the SAP protocol layer that integrates external security products such as Kerberos through the Generic Security Services Application Programming Interface (GSS-API). Each SNC node needs a credential store for the chosen product. For certificate-based products this is a Personal Security Environment (PSE) holding the node's key pair together with the public key certificates of other SNC nodes, the CA trust hierarchies, certificate revocation lists, and so on; a Kerberos mechanism instead keeps its keys in a keytab and its tickets in a credential cache. You also need to download a Kerberos GSS-API package (the shared library that SNC loads).
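Binding the GSS-API product to an instance is done through the SNC profile parameters, and the settings that decide whether a plaintext fallback remains are easy to get wrong. The following is an added example, not code or guidance from the FAQ or from SAP: a small audit that parses an instance profile and reports SNC settings that still allow unprotected connections, run over a constructed "weak" profile and a hardened one. The parameter names are the real SNC profile parameters; the library path and the Kerberos principal are placeholders, and the requirement of protection level 3 is the example's own baseline.

```python
from typing import Dict, List, Tuple

# Constructed instance-profile excerpt (not from any real system). SNC is on and
# bound to a Kerberos GSS-API library, but plaintext SAP GUI and RFC logons are
# still accepted and the minimum protection level allows sessions without
# encryption. Library path and principal are placeholders.
PROFILE_WEAK = """\
# SNC section of a constructed instance profile
snc/enable = 1
snc/gssapi_lib = /usr/sap/SID/SYS/exe/run/libgsskrb5.so
snc/identity/as = p:SAPServiceSID@EXAMPLE.CORP
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
"""

# The same excerpt with the fallbacks closed: every client must negotiate SNC,
# and every SNC session must use privacy (encryption).
PROFILE_HARDENED = """\
snc/enable = 1
snc/gssapi_lib = /usr/sap/SID/SYS/exe/run/libgsskrb5.so
snc/identity/as = p:SAPServiceSID@EXAMPLE.CORP
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
"""

Finding = Tuple[str, str, str]  # (parameter, value as set, why it matters)


def parse_profile(text: str) -> Dict[str, str]:
    """Parse the 'name = value' lines of an SAP profile; '#' starts a comment."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def audit_snc(profile_text: str) -> List[Finding]:
    """Report SNC settings that leave a plaintext path open. Only parameters set
    explicitly are judged; defaults for absent parameters are not assumed here."""
    p = parse_profile(profile_text)
    findings: List[Finding] = []

    if p.get("snc/enable") != "1":
        findings.append(("snc/enable", p.get("snc/enable", "<unset>"),
                         "SNC is off, so no connection goes through the GSS-API library"))
        return findings  # the other SNC parameters are irrelevant while SNC is off

    for required in ("snc/gssapi_lib", "snc/identity/as"):
        if required not in p:
            findings.append((required, "<unset>",
                             "SNC cannot load a mechanism or name this server without it"))

    # Protection levels: 1 = authentication only, 2 = integrity, 3 = privacy.
    # Baseline chosen for this example: require privacy for every SNC session.
    level = p.get("snc/data_protection/min")
    if level is not None and level.isdigit() and int(level) < 3:
        findings.append(("snc/data_protection/min", level,
                         "clients may negotiate SNC sessions without encryption"))

    # Any value other than 0 keeps a non-SNC fallback open (1 = accept all,
    # U = accept for users flagged accordingly in their user master record).
    for name in ("snc/accept_insecure_gui", "snc/accept_insecure_rfc",
                 "snc/accept_insecure_cpic"):
        value = p.get(name)
        if value is not None and value != "0":
            findings.append((name, value,
                             "unprotected connections of this type are still accepted, "
                             "so a client that skips SNC talks in plaintext"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", PROFILE_WEAK), ("hardened", PROFILE_HARDENED)):
        print(f"{label}: {len(audit_snc(text))} finding(s)")
        for param, value, why in audit_snc(text):
            print(f"  {param} = {value}: {why}")
```

Closing the accept_insecure_* fallbacks is the step that actually forces the GSS-API mechanism to be used; with them left at 1, a client that simply does not negotiate SNC is still let in over the network in clear, whatever the Kerberos setup looks like.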

 

