Terminology
We use the following terms frequently when describing SNC:
● Generic Security Services Application Programming Interface Version 2 (GSS-API V2)
The GSS-API V2 is a standard interface to security functions that was developed by the Internet Engineering Task Force (IETF). SNC uses the GSS-API V2 as the standard interface for the function calls to external security products.
● External security product's library, external library, SNC_LIB, gssapi library
The terms external security product's library, external library, SNC_LIB, and gssapi library all refer to the library that contains the functions provided by the external security product. When a component's configuration requires the file name of this library, we recommend that you use a local copy of the library and specify the complete path and file name in the reference.
● Credentials
Credentials are user-specific or component-specific data that a user or component uses to access its security information. They may be stored, for example, in a protected file in the file system, and they often have a limited lifetime: a user's credentials may be created when the user logs on to the security product and deleted when he or she logs off.
● External name
The external name is the identity by which the external security product knows a user or another component (for example, an application server). The external security product assigns and maintains the external name. For examples of external names, see External Security Products.
● SNC name
The SAP system refers not to the external name, but to an extended form of it called the SNC name. You form the SNC name by prefixing the external name with an indicator that designates the name type; the prefix can also carry an optional <product> indicator. The SNC name formats are:
○ normal format: <name type>:<external name>
○ extended format: <name type>/<product>:<external name>
Where:
○ <name type> indicates the name type syntax and may be one of the following values:
■ p product-specific default printable name
■ s host-based service name form
■ u user name

Defaults are product-specific. For example, SECUDE™ uses X.500 names by default; Kerberos uses Kerberos principal names by default.
○ <product> indicates the security product used and can currently be one of the following values:
■ krb5 Kerberos
■ secude SECUDE™
■ sapntlm SAP-supplied indicator for the Windows LAN Manager Security Service Provider (NTLMSSP) on Win32 platforms

If you omit the <product> indicator, the system uses the currently active product to determine the name syntax.
○ <external name> indicates the user's external name as it is known to the security product (see the definition of external name above).

When specifying or referring to SNC names, make sure you include the name type prefix.

Examples of SNC names:
p:CN=miller, OU=ADMIN, O=myCompany, C=US
p:miller@myCompany.com
s:sap00@host1
p/secude:CN=miller, OU=ADMIN, O=myCompany, C=US
p/krb5:miller@myCompany.com
s/krb5:sap00@host1

We do not recommend using SNC names that are longer than 80 printable characters. For more information, see SAP Note 184277.
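The following Python module is an added example, not code from the SAP documentation or from any SAP product: it parses SNC names in the normal and extended formats above, rebuilds them, and flags names that exceed the recommended 80 printable characters. The function names (parse_snc_name, format_snc_name, lint_snc_name, is_valid_snc_name) are hypothetical helpers, and the grammar they implement is an assumption drawn from this section: a lowercase name type, an optional /<product> indicator, and everything after the first colon treated as the opaque external name (X.500 and Kerberos names may themselves contain ':' or '/').

```python
"""Parse, build and lint SAP SNC names of the form <type>[/<product>]:<external name>.

Added example; the grammar below is an assumption based on the SNC terminology
section, not an SAP-published specification.
"""
import re
from typing import List, NamedTuple, Optional

# Name-type prefixes and product indicators listed in the terminology section.
NAME_TYPES = {
    "p": "product-specific default printable name",
    "s": "host-based service name form",
    "u": "user name",
}
PRODUCTS = {
    "krb5": "Kerberos",
    "secude": "SECUDE",
    "sapntlm": "NTLMSSP on Win32",
}
MAX_RECOMMENDED_LEN = 80  # longer names are discouraged (SAP Note 184277)

# Split on the FIRST colon only: external names (X.500, Kerberos principals)
# may themselves contain ':' or '/', so everything after the prefix is opaque.
# Assumption: the name type prefix is lowercase, as in the documented examples.
_SNC_NAME = re.compile(
    r"^(?P<type>[a-z])(?:/(?P<product>[^:/]+))?:(?P<ext>.*)$", re.DOTALL
)


class SncName(NamedTuple):
    name_type: str
    product: Optional[str]  # None for the normal format
    external_name: str


def parse_snc_name(text: str) -> SncName:
    """Split an SNC name into its components; raise ValueError on malformed input."""
    m = _SNC_NAME.match(text)
    if m is None:
        raise ValueError(f"missing or malformed name type prefix: {text!r}")
    name_type, product, ext = m.group("type"), m.group("product"), m.group("ext")
    if name_type not in NAME_TYPES:
        raise ValueError(f"unknown name type {name_type!r} (expected one of {sorted(NAME_TYPES)})")
    if product is not None and product not in PRODUCTS:
        raise ValueError(f"unknown product indicator {product!r} (expected one of {sorted(PRODUCTS)})")
    if not ext.strip():
        raise ValueError("empty external name")
    return SncName(name_type, product, ext)


def is_valid_snc_name(text: str) -> bool:
    """True if parse_snc_name accepts the text, False otherwise."""
    try:
        parse_snc_name(text)
    except ValueError:
        return False
    return True


def format_snc_name(name: SncName) -> str:
    """Build the SNC name string; the inverse of parse_snc_name."""
    if name.name_type not in NAME_TYPES:
        raise ValueError(f"unknown name type {name.name_type!r}")
    if name.product is not None and name.product not in PRODUCTS:
        raise ValueError(f"unknown product indicator {name.product!r}")
    prefix = name.name_type if name.product is None else f"{name.name_type}/{name.product}"
    return f"{prefix}:{name.external_name}"


def lint_snc_name(text: str) -> List[str]:
    """Return advisory findings for a syntactically valid SNC name (empty list = clean)."""
    parse_snc_name(text)  # raises ValueError if the name is malformed
    findings = []
    if len(text) > MAX_RECOMMENDED_LEN:
        findings.append(
            f"length {len(text)} exceeds the recommended maximum of {MAX_RECOMMENDED_LEN}"
        )
    if not text.isprintable():
        findings.append("contains non-printable characters")
    return findings


if __name__ == "__main__":
    # The examples from the terminology section; all parse and round-trip.
    for sample in [
        "p:CN=miller, OU=ADMIN, O=myCompany, C=US",
        "p:miller@myCompany.com",
        "s:sap00@host1",
        "p/secude:CN=miller, OU=ADMIN, O=myCompany, C=US",
        "p/krb5:miller@myCompany.com",
        "s/krb5:sap00@host1",
    ]:
        parsed = parse_snc_name(sample)
        assert format_snc_name(parsed) == sample
        print(f"{sample!r:55} -> {parsed}")
    # A bare external name without the name type prefix is rejected.
    print("missing prefix accepted?", is_valid_snc_name("miller@myCompany.com"))
```

The parser deliberately rejects a bare external name such as miller@myCompany.com, which is the most common configuration mistake this section warns about: without the name type prefix the string is not an SNC name at all.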
● Canonical name
Because an X.500 name can have different forms that are all equivalent, the SAP system converts such names into a standard format, called the canonical name. (The SAP system uses a GSS-API V2 function for the conversion.)
● Protection level, Quality of Protection (QoP)
The protection level (also called the quality of protection, QoP) indicates which level of security is applied to a communication: authentication only, integrity protection, or privacy protection. The levels build on one another: integrity protection includes authentication, and privacy protection (encryption) includes integrity protection.
● SNC-protected communication, SNC protection
SNC-protected communication, or SNC protection, refers to a communication between two components in which all of the transferred information and data are protected by the SNC functions.