External Security Products

This topic provides the prerequisites that SNC imposes on external security products and describes possible naming conventions that products may use.

Prerequisites

To use a security product with SAP NetWeaver Application Server (AS) ABAP, the product must meet the following prerequisites:

  • The product must provide the entire range of functions defined in the GSS-API V2 interface.

  • The functions must be dynamically loadable.

  • The product must be available on platforms supported by AS ABAP.

The SAP Partner Program certifies external products for use with AS ABAP. For more information about product availability and certification, see the partner information at http://www.sap.com/partners/overview.html.

Note

We offer our own external security product, SAP NetWeaver Single Sign-On.

For more information, see SAP NetWeaver Single Sign-On at http://help.sap.com/nwsso.

Naming Conventions

The various security products define their own naming conventions to assign identifications to their users. These external names are normally created independently of the user IDs in the AS ABAP. (You do need to define a relationship between the two IDs.)

For more information about how to establish this relationship, see User Maintenance on AS ABAP.

To communicate using SNC, application servers and other AS ABAP services (which do not usually have user IDs in the AS ABAP) also need identifications for use with the security product. For successful authentication, the AS ABAP must also be able to recognize these external identifications.

This section describes a couple of the more popular naming conventions.

For more information, see the documentation provided by the external security product.

Note

The syntax of the external names is determined by the security product. However, in most cases the entries are case-sensitive, and spaces can be neither omitted nor added.

Example

This example shows an X.500 distinguished name. It is formed from different elements that represent a hierarchical name space.

CN=miller, OU=ADMIN, O=myCompany, C=US

Where CN = common name, OU = organizational unit, O = organization, and C = country.

Example

This example shows a Kerberos principal name created from the user ID and domain (or realm).

miller@myCompany.US

Recommendation (for AS ABAP): Use report RSUSR300 to create SNC names

Note

In the following, we use an X.500 naming convention.

If possible, build the external name for a user from the AS ABAP user ID plus constants that are the same for all users. For example, for X.500 names, you can use the AS ABAP user ID for the CN element (CN=miller in Example 1), and for the other elements (OU, O, C), use constant values that are the same for all users.

The SAP system itself also needs an external name. Build the CN element of the external name using the SID (system ID) of your SAP system.

Recommendation

We recommend the following syntax for the CN element of the external name:

CN=<SID>

Example

For example, an application server with the system ID ABC has the following external name:

CN=ABC, OU=TEST01, O=myCompany, C=US

If you define such a naming convention, you can use the report RSUSR300 to automatically generate the SNC names for users in the AS ABAP.
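
The following Python sketch is an added example, not SAP code and not a reproduction of RSUSR300. It audits maintained external names against the X.500 convention above and separates names that differ only in case or spacing (which the note says usually do not match) from genuinely different names. The function names, the constant suffix and the sample records are assumptions constructed for illustration, and the user ID is assumed to appear in CN exactly as written.

```python
# Added example: audit external names against the "CN=<user ID> + constants" convention.
# SUFFIX reuses the constants from the page's X.500 example; all records are constructed.
SUFFIX = "OU=ADMIN, O=myCompany, C=US"


def expected_name(user_id, suffix=SUFFIX):
    """Build the external name: CN carries the user ID, the rest is constant."""
    return f"CN={user_id}, {suffix}"


def _normalize(name):
    """Drop all whitespace and fold case. Used only to diagnose near-misses."""
    return "".join(name.split()).lower()


def classify(user_id, maintained, suffix=SUFFIX):
    """Return 'ok', 'case_or_space' (same name apart from case/spacing) or 'mismatch'."""
    want = expected_name(user_id, suffix)
    if maintained == want:  # exact, case- and space-sensitive comparison
        return "ok"
    if _normalize(maintained) == _normalize(want):
        return "case_or_space"
    return "mismatch"


def audit(records, suffix=SUFFIX):
    """records: iterable of (user_id, maintained_name). Return every finding that is not 'ok'."""
    findings = []
    for user_id, maintained in records:
        status = classify(user_id, maintained, suffix)
        if status != "ok":
            findings.append((user_id, status, maintained, expected_name(user_id, suffix)))
    return findings


# Constructed sample: one correct entry and four deviations.
SAMPLE = [
    ("miller", "CN=miller, OU=ADMIN, O=myCompany, C=US"),   # matches the convention
    ("smith", "CN=smith,OU=ADMIN, O=myCompany, C=US"),      # space omitted
    ("jones", "CN=Jones, OU=ADMIN, O=myCompany, C=US"),     # case differs
    ("brown", "CN=brown,  OU=ADMIN, O=myCompany, C=US"),    # extra space
    ("lee", "CN=lee, OU=TEST01, O=myCompany, C=US"),        # different OU
]

if __name__ == "__main__":
    for user_id, status, maintained, want in audit(SAMPLE):
        print(f"{user_id}: {status}\n  maintained: {maintained!r}\n  expected:   {want!r}")
```
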