Terminology

 

We use the terms in the table below frequently when describing SNC.

Term

Definition

canonical name

Because an X.500 name can have different forms that are all equivalent, the SAP system converts such names into a standard format, called the canonical name. The SAP system uses a GSS-API V2 function for the conversion.

credentials

Credentials are user-specific or component-specific information that allows the users or components to access their security information. The credentials may be located, for example, in a protected file in the file system. They often have a limited life span. For example, the credentials of a user may be created when the user logs on to a security product and deleted when he or she logs off.

  • external library

  • external security product’s library

  • gssapi library

  • SNC_LIB

The terms external security product’s library, external library, SNC_LIB, and gssapi library all refer to the library that contains the functions provided by the external security product. When the file name of the library is required for the configuration of a component, we recommend you use a local copy of the library and include the complete path and file name in the reference.

external name

The external name is the identification that a user or other component (for example, an application server) has with the external security system. The external security product assigns and maintains the external name of the user.

For examples of external names, see External Security Products.

Generic Security Services Application Programming Interface Version 2 (GSS-API V2)

The GSS-API V2 is a standard interface to security functions that was developed by the Internet Engineering Task Force (IETF). SNC uses the GSS-API V2 as the standard interface for the function calls to external security products.

  • protection level

  • quality of protection (QoP)

The protection level indicates what level of security should be applied to a communication (authentication only, integrity, or privacy).

SNC name

The SAP system refers not to the external name, but to an extended version of the external name, called the SNC name. You create the SNC name by adding a prefix that designates the name type to the external user name. You can also use an optional <product> indicator in the prefix. The SNC name formats are:

  • normal format: <name type>:<external name>

  • extended format: <name type>/<product>:<external name>

    where:

    • <name type> indicates the name type syntax and may be one of the following values:

      • p: Product-specific default printable name

      • s: Host-based service name form

      • u: User name

        Note: Defaults are product-specific. For example, SECUDE uses X.500 names by default. Kerberos uses Kerberos principal names by default.

    • <product> indicates the security product used and can currently be one of the following values:

      • krb5: Kerberos

      • secude: SECUDE

      • sapntlm: SAP-supplied indicator for the Windows LAN Manager Security Service Provider (NTLMSSP) on Win32 platforms

        Note: If you omit the <product> indicator, the system uses the currently active product to determine the name syntax.

    • <external name> indicates the external name of the user as it is known by the security product. (See the definition for external name.)

Note: When specifying or referring to SNC names, make sure you include the name type prefix.

Examples of SNC names:

  • p:CN=miller, OU=ADMIN, O=myCompany, C=US

  • p:miller@example.com

  • s:sap00@host1

  • p/secude:CN=miller, OU=ADMIN, O=myCompany, C=US

  • p/krb5:miller@example.com

  • s/krb5:sap00@host1

Recommendation: We do not recommend using SNC names that are longer than 80 printable characters.

For more information, see SAP Note 184277.

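The normal and extended SNC name formats described above can be checked mechanically, for instance when reviewing SNC name entries before they go into a configuration. The following Python parser is an added example, not SAP code; the function and class names, the strict lowercase matching of prefixes, and the sample entries marked as constructed are assumptions.

```python
from typing import NamedTuple, Optional

NAME_TYPES = {"p", "s", "u"}               # name types listed on this page
PRODUCTS = {"krb5", "secude", "sapntlm"}   # <product> indicators listed on this page
MAX_RECOMMENDED_LEN = 80                   # length recommendation on this page

class SncName(NamedTuple):
    name_type: str
    product: Optional[str]   # None: the currently active product decides the syntax
    external_name: str
    too_long: bool           # True if the whole SNC name exceeds the recommendation

def parse_snc_name(value: str) -> SncName:
    """Parse '<name type>:<external name>' or '<name type>/<product>:<external name>'."""
    prefix, colon, external = value.partition(":")
    if not colon:
        raise ValueError("missing name type prefix")
    name_type, slash, product = prefix.partition("/")
    if name_type not in NAME_TYPES:      # assumption: prefixes are matched case-sensitively
        raise ValueError(f"unknown name type {name_type!r}")
    if slash and product not in PRODUCTS:
        raise ValueError(f"unknown product indicator {product!r}")
    if not external:
        raise ValueError("empty external name")
    return SncName(name_type, product if slash else None, external,
                   len(value) > MAX_RECOMMENDED_LEN)

def lint(entries):
    """Return {entry: problem} for entries that are malformed or too long."""
    findings = {}
    for entry in entries:
        try:
            if parse_snc_name(entry).too_long:
                findings[entry] = "longer than 80 printable characters"
        except ValueError as err:
            findings[entry] = str(err)
    return findings

SAMPLE = [
    "p:CN=miller, OU=ADMIN, O=myCompany, C=US",  # example from this page
    "s/krb5:sap00@host1",                        # example from this page
    "miller@example.com",                        # constructed: prefix missing
    "p/ntlm:miller",                             # constructed: product not listed
    "u:" + "a" * 90,                             # constructed: exceeds 80 characters
]

if __name__ == "__main__":
    for entry, problem in lint(SAMPLE).items():
        print(f"{entry[:40]!r}: {problem}")
```
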
  • SNC-protected communication

  • SNC protection

SNC-protected communication or SNC protection refers to a communication between two components, where all of the transferred information and data are protected using the SNC functions.