This topic provides the prerequisites that SNC imposes on external security products and describes possible naming conventions that products may use.
To use a security product with SAP NetWeaver Application Server (AS) ABAP, the product must meet the following prerequisites:
The product must provide the entire range of functions defined in the GSS-API V2 interface.
The functions must be dynamically loadable.
The product must be available on platforms supported by AS ABAP.
The SAP Partner Program certifies external products for use with AS ABAP. For more information about product availability and certification, see the partner information at http://www.sap.com/partners/overview.html.
Note
We offer our own external security product, SAP NetWeaver Single Sign-On.
For more information, see SAP NetWeaver Single Sign-On at http://scn.sap.com/community/netweaver-sso.
The various security products define their own naming conventions to assign identifications to their users. These external names are normally created independently of the user IDs in the AS ABAP. (You do need to define a relationship between the two IDs.)
For more information about how to establish this relationship, see User Maintenance on AS ABAP.
To communicate using SNC, application servers and other AS ABAP services (which do not usually have user IDs in the AS ABAP) also need identifications for use with the security product. For successful authentication, the AS ABAP must also be able to recognize these external identifications.
This section describes a couple of the more popular naming conventions.
For more information, see the documentation provided by the external security product.
Note
The syntax of the external names is determined by the security product. However, in most cases the entries are case-sensitive, and you can neither omit spaces nor increase their number.
Example
Example 1:
This example shows an X.500 distinguished name. It is formed from different elements that represent a hierarchical name space.
CN=miller, OU=ADMIN, O=myCompany, C=US
Where CN = common name, OU = organizational unit, O = organization, and C = country.
Example
Example 2:
This example shows a Kerberos principal name created from the user ID and domain (or realm).
miller@myCompany.US
Note
In the following, we use an X.500 naming convention.
If possible, build the external name for a user from the AS ABAP user ID and constant components that are the same for all users. For example, for X.500 names, you can use the AS ABAP user ID for the CN element (CN = miller in Example 1), and for the other elements (OU, O, C), use constant values that are the same for all users.
The same applies to the external name for AS ABAP components such as the application server. Build the external name from a server-specific component and constant components for the rest.
Recommendation
For the server-specific component, we recommend the following syntax:
sap<system number>.<server name>
Example
For example, the application server on the server host1, where the system number is 01, has the external name:
CN=sap01.host1, OU=TEST01, O=myCompany, C=US
If you define such a naming convention, you can use the report RSUSR300 to automatically generate the SNC names for users and components in the AS ABAP.
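The following is an added example, not SAP code and not the RSUSR300 report. It builds external names according to the convention above and compares configured names character for character, reporting entries that deviate only in case or spacing. The function names and the sample entries are assumptions constructed for illustration, and the exact comparison reflects the note above that this applies to most products.

```python
# Added example: the constants are taken from the examples on this page.
USER_SUFFIX = "OU=ADMIN, O=myCompany, C=US"
SERVER_SUFFIX = "OU=TEST01, O=myCompany, C=US"

def user_name(user_id, suffix=USER_SUFFIX):
    """External name for a user: CN is the AS ABAP user ID, the rest is constant."""
    return f"CN={user_id}, {suffix}"

def server_name(system_number, host, suffix=SERVER_SUFFIX):
    """External name for a server: CN is sap<system number>.<server name>."""
    return f"CN=sap{system_number}.{host}, {suffix}"

def _squash(name):
    """Remove all whitespace so that spacing differences can be isolated."""
    return "".join(name.split())

def check(expected, configured):
    """Classify a configured name against the expected one (exact match = ok)."""
    if configured == expected:
        return "ok"
    if _squash(configured) == _squash(expected):
        return "spacing differs"
    if configured.lower() == expected.lower():
        return "case differs"
    if _squash(configured).lower() == _squash(expected).lower():
        return "case and spacing differ"
    return "different name"

def audit(entries):
    """entries: (user ID, configured external name). Returns the deviations only."""
    findings = []
    for user_id, configured in entries:
        verdict = check(user_name(user_id), configured)
        if verdict != "ok":
            findings.append((user_id, verdict))
    return findings

# Constructed sample data, not taken from a real system.
SAMPLE = [
    ("miller", "CN=miller, OU=ADMIN, O=myCompany, C=US"),
    ("smith", "CN=smith,OU=ADMIN,O=myCompany,C=US"),
    ("jones", "CN=jones, OU=Admin, O=myCompany, C=US"),
    ("brown", "CN=braun, OU=ADMIN, O=myCompany, C=US"),
]

if __name__ == "__main__":
    for user_id, verdict in audit(SAMPLE):
        print(user_id, verdict)
```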