External Security Products

This topic provides the requirements that SNC imposes on external security products and describes possible naming conventions that products may use.

Requirements

To use a security product with SAP systems, the product must meet the following requirements:

- The product must provide the entire range of functions defined in the GSS-API V2 interface.
- The functions must be dynamically loadable.
- The product must be available on platforms supported by SAP systems.
- The product must be certified for use by SAP.

The SAP Partner Program certifies external products for use with SAP systems. For more information on product availability and certification, see the partner information at www.sap.com/partners.

Naming Conventions

The various security products define their own naming conventions to assign their users' identifications. These external names are normally created independent of the user IDs in the SAP system. (You do need to define a relationship between the two IDs; we describe how to establish this relationship in User Maintenance in the SAP System.)

In addition, to communicate using SNC, application servers and other SAP system services (which do not usually have user IDs in the SAP system) also need identifications for use with the security product. For successful authentication, the SAP system must also be able to recognize these external identifications.

This section describes a couple of the more popular naming conventions. For a more detailed description, see the documentation provided by the external security product.

Note

The syntax of the external names is determined by the security product. In most cases, however, the entries are case-sensitive, and blanks can neither be omitted nor added: a name must match exactly as stored.

Example 1:

This example shows an X.500 Distinguished Name. It is formed from different elements that represent a hierarchical name space.

CN=miller, OU=ADMIN, O=myCompany, C=US

Where CN = Common Name, OU = Organizational Unit, O = Organization, and C = Country.

Example 2:

This example shows a Kerberos-principal name created from the user ID and domain (or realm).

miller@myCompany.US

Recommendation (for AS ABAP): Use report RSUSR300 to create SNC names

Note

In the following recommendation, we use an X.500 naming convention.

If possible, build the external name for a user from the SAP system user ID and the rest as constants that are the same for all users. For example, for X.500 names, you can use the SAP system user ID for the CN element (CN = miller in Example 1), and for the other elements (OU, O, C), use constant values that are the same for all users.

The same applies to the external name for SAP system components such as the application server. Build the external name from a server-specific component and the rest as constant components.

Recommendation

For the server-specific component, we recommend the following syntax:

sap<system number>.<server name>

For example, the application server on the host host1, where the system number is 01, has the external name:

CN=sap01.host1, OU=TEST01, O=myCompany, C=US

If you define such a naming convention, you can use the report RSUSR300 to automatically generate the users' and components' SNC names in the SAP system.
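The naming convention above, as an added example (not SAP's code or RSUSR300 itself): user and application-server SNC names are derived from a constant X.500 suffix, and the SNC name to SAP user ID relationship is resolved with the exact, case-sensitive comparison that the note describes. The suffix values are assumptions taken from Examples 1 and 2 on this page.

```python
# Constant RDN elements shared by all users and by all components (assumed values from
# the examples above). Only the CN element varies.
USER_SUFFIX = (("OU", "ADMIN"), ("O", "myCompany"), ("C", "US"))
SERVER_SUFFIX = (("OU", "TEST01"), ("O", "myCompany"), ("C", "US"))


def x500_name(cn, suffix):
    """Join the CN element and the constant elements exactly as in Example 1 (', ' separator)."""
    return ", ".join(f"{k}={v}" for k, v in (("CN", cn),) + tuple(suffix))


def user_snc_name(sap_user_id, suffix=USER_SUFFIX):
    """User's external name: the SAP user ID becomes CN, every other element is constant."""
    if not sap_user_id or " " in sap_user_id:
        raise ValueError("SAP user ID must be non-empty and contain no blanks")
    return x500_name(sap_user_id, suffix)


def server_snc_name(system_number, server_name, suffix=SERVER_SUFFIX):
    """Application server's external name with the server-specific CN 'sap<system number>.<server name>'."""
    if not (len(system_number) == 2 and system_number.isdigit()):
        raise ValueError("SAP system number is two digits, e.g. '01'")
    return x500_name(f"sap{system_number}.{server_name}", suffix)


def build_user_map(sap_user_ids):
    """SNC name -> SAP user ID: the relationship that User Maintenance in the SAP system establishes."""
    return {user_snc_name(uid): uid for uid in sap_user_ids}


def resolve_user(user_map, presented_name):
    """Exact lookup of a name presented by the security product: case-sensitive, blanks neither
    dropped nor added. Any 'helpful' normalisation here would weaken the authentication check."""
    return user_map.get(presented_name)


if __name__ == "__main__":
    users = build_user_map(["miller", "smith"])          # constructed sample user IDs
    print(user_snc_name("miller"))                       # CN=miller, OU=ADMIN, O=myCompany, C=US
    print(server_snc_name("01", "host1"))                # CN=sap01.host1, OU=TEST01, O=myCompany, C=US
    print(resolve_user(users, "CN=miller, OU=ADMIN, O=myCompany, C=US"))   # miller
    print(resolve_user(users, "cn=miller, OU=ADMIN, O=myCompany, C=US"))   # None (case differs)
    print(resolve_user(users, "CN=miller,OU=ADMIN,O=myCompany,C=US"))      # None (blanks differ)
```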
