
External Security Products

Use

This topic provides the prerequisites that SNC imposes on external security products and describes possible naming conventions that products may use.

Prerequisites

To use a security product with SAP NetWeaver Application Server (AS) ABAP, the product must meet the following prerequisites:

  • The product must provide the entire range of functions defined in the GSS-API V2 interface.

  • The functions must be dynamically loadable.

  • The product must be available on platforms supported by AS ABAP.

The SAP Partner Program certifies external products for use with AS ABAP. For more information about product availability and certification, see the partner information at http://www.sap.com/partners/overview.html.

Note

We offer our own external security product, SAP Single Sign-On.

For more information, see SAP Single Sign-On at http://help.sap.com/nwsso.

Naming Conventions

The various security products define their own naming conventions to assign identifications to their users. These external names are normally created independently of the user IDs in the AS ABAP. (You do need to define a relationship between the two IDs.)

For more information about how to establish this relationship, see User Maintenance on AS ABAP.

To communicate using SNC, application servers and other AS ABAP services (which do not usually have user IDs in the AS ABAP) also need identifications for use with the security product. For successful authentication, the AS ABAP must also be able to recognize these external identifications.

This section describes a couple of the more popular naming conventions.

For more information, see the documentation provided by the external security product.

Note

The syntax of the external names is determined by the security product. However, in most cases the entries are case-sensitive, and spaces can be neither omitted nor added.

Example

Example 1:

This example shows an X.500 distinguished name. It is formed from different elements that represent a hierarchical name space.

CN=miller, OU=ADMIN, O=myCompany, C=US

Where CN = common name, OU = organizational unit, O = organization, and C = country.

Example

Example 2:

This example shows a Kerberos principal name created from the user ID and domain (or realm).

miller@myCompany.US

Recommendation (for AS ABAP): Use report RSUSR300 to create SNC names

Note

In the following, we use an X.500 naming convention.

If possible, build the external name for a user from the AS ABAP user ID and the rest as constants that are the same for all users. For example, for X.500 names, you can use the AS ABAP user ID for the CN element (CN=miller in Example 1), and for the other elements (OU, O, C), use constant values that are the same for all users.

The same applies to the external name for AS ABAP components such as the application server. Build the external name from a server-specific component and the rest as constant components.

Recommendation

For the server-specific component, we recommend the following syntax:

sap<system number>.<server name>

Example

For example, the application server on the server host1, where the system number is 01, has the external name:

CN=sap01.host1, OU=TEST01, O=myCompany, C=US

If you define such a naming convention, you can use the report RSUSR300 to automatically generate the SNC names for users and components in the AS ABAP.
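The convention above, as an added Python example (not SAP code and not a description of how report RSUSR300 works): it builds the expected external names and classifies deviations in already maintained names, since case and spacing must match exactly. The function names, the sample entries and the two-digit system-number check are assumptions; the constant elements are taken from the examples on this page.

```python
import re

# Constant elements shared by all names (values from the examples on this page).
USER_SUFFIX = "OU=ADMIN, O=myCompany, C=US"
SERVER_SUFFIX = "OU=TEST01, O=myCompany, C=US"


def user_name(user_id, suffix=USER_SUFFIX):
    """External name for a user: CN is the AS ABAP user ID, the rest is constant."""
    return f"CN={user_id}, {suffix}"


def server_name(system_number, host, suffix=SERVER_SUFFIX):
    """External name for a server: CN is sap<system number>.<server name>."""
    # Assumption: the system number is two digits, as in the page's example (01).
    if not re.fullmatch(r"\d{2}", system_number):
        raise ValueError("system number must be two digits, e.g. '01'")
    return f"CN=sap{system_number}.{host}, {suffix}"


def classify(expected, actual):
    """Explain how a maintained name deviates from the expected one."""
    squeeze = lambda s: "".join(s.split())  # drop all whitespace
    if actual == expected:
        return "ok"
    if squeeze(actual) == squeeze(expected):
        return "spacing differs"
    if actual.lower() == expected.lower():
        return "case differs"
    if squeeze(actual).lower() == squeeze(expected).lower():
        return "case and spacing differ"
    return "different name"


def audit(entries):
    """entries: iterable of (expected, actual); returns only the deviations."""
    return [(e, a, classify(e, a)) for e, a in entries if a != e]


# Constructed sample data: (expected name, name as maintained somewhere).
SAMPLE = [
    (user_name("miller"), "CN=miller, OU=ADMIN, O=myCompany, C=US"),
    (user_name("smith"), "CN=smith,OU=ADMIN,O=myCompany,C=US"),
    (user_name("jones"), "CN=jones, OU=Admin, O=MyCompany, C=US"),
    (server_name("01", "host1"), "CN=sap01.host1, OU=TEST01, O=myCompany, C=US"),
]

if __name__ == "__main__":
    for expected, actual, reason in audit(SAMPLE):
        print(f"{reason}: {actual!r} (expected {expected!r})")
```

Names reported as "spacing differs" or "case differs" look correct to a human reader but, per the note above, will usually not match during authentication.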