
External Security Products

 

This topic provides the prerequisites that SNC imposes on external security products and describes possible naming conventions that products may use.

Prerequisites

To use a security product with SAP NetWeaver Application Server (AS) ABAP, the product must meet the following prerequisites:

  • The product must provide the entire range of functions defined in the GSS-API V2 interface.

  • The functions must be dynamically loadable.

  • The product must be available on platforms supported by AS ABAP.

The SAP Partner Program certifies external products for use with AS ABAP. For more information about product availability and certification, see the partner information at http://www.sap.com/partners/overview.html.

Note

We offer our own external security product, SAP NetWeaver Single Sign-On.

For more information, see SAP NetWeaver Single Sign-On at http://scn.sap.com/community/netweaver-sso.

Naming Conventions

The various security products define their own naming conventions to assign identifications to their users. These external names are normally created independently of the user IDs in the AS ABAP, so you need to define a relationship between the two IDs.

For more information about how to establish this relationship, see User Maintenance on AS ABAP.

To communicate using SNC, application servers and other AS ABAP services (which do not usually have user IDs in the AS ABAP) also need identifications for use with the security product. For successful authentication, the AS ABAP must also be able to recognize these external identifications.

This section describes a couple of the more popular naming conventions.

For more information, see the documentation provided by the external security product.

Note

The syntax of the external names is determined by the security product. However, in most cases the entries are case-sensitive, and spaces can be neither omitted nor increased in number.



Example 1:

This example shows an X.500 distinguished name. It is formed from different elements that represent a hierarchical name space.

CN=miller, OU=ADMIN, O=myCompany, C=US

Where CN = common name, OU = organizational unit, O = organization, and C = country.



Example 2:

This example shows a Kerberos principal name created from the user ID and domain (or realm).

miller@myCompany.US

Recommendation (for AS ABAP): Use report RSUSR300 to create SNC names

Note

In the following, we use an X.500 naming convention.


If possible, build the external name for a user from the AS ABAP user ID and the rest as constants that are the same for all users. For example, for X.500 names, you can use the AS ABAP user ID for the CN element (CN = miller in Example 1), and for the other elements (OU, O, C), use constant values that are the same for all users.

The same applies to the external name for AS ABAP components such as the application server. Build the external name from a server-specific component and the rest as constant components.

Recommendation

For the server-specific component, we recommend the following syntax:

sap<system number>.<server name>


Example

For example, the application server on the server host1, where the system number is 01, has the external name:

CN=sap01.host1, OU=TEST01, O=myCompany, C=US


If you define such a naming convention, you can use the report RSUSR300 to automatically generate the SNC names for users and components in the AS ABAP.
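
The naming convention above, as an added example in Python (not SAP code and not part of report RSUSR300): it builds the expected external names and audits a user-to-name mapping against them, separating exact matches from names that differ only in case or spacing and from names that do not belong to the user at all. The function names, the constant suffix and the sample mapping are constructed for illustration.

```python
# Added example: names, constants and sample data are constructed for illustration.
CONSTANT_SUFFIX = "OU=ADMIN, O=myCompany, C=US"  # assumed constants, same for all users


def user_snc_name(user_id, suffix=CONSTANT_SUFFIX):
    """External name for a user: the user ID as CN, constants for the rest."""
    return f"CN={user_id}, {suffix}"


def server_snc_name(system_number, server_name, suffix):
    """External name for a server: CN is sap<system number>.<server name>."""
    return f"CN=sap{system_number}.{server_name}, {suffix}"


def _loose(name):
    # Fold case and drop all whitespace; used only to classify near misses.
    return "".join(name.split()).lower()


def audit(mappings, suffix=CONSTANT_SUFFIX):
    """Compare stored external names with the convention.

    Returns {user_id: verdict}. 'ok' is an exact match; 'case_or_space'
    differs only in case or spacing, which most security products treat
    as a different name; 'mismatch' is any other name.
    """
    result = {}
    for user_id, stored in mappings.items():
        expected = user_snc_name(user_id, suffix)
        if stored == expected:
            result[user_id] = "ok"
        elif _loose(stored) == _loose(expected):
            result[user_id] = "case_or_space"
        else:
            result[user_id] = "mismatch"
    return result


# Constructed sample mapping of user IDs to external names.
SAMPLE = {
    "miller": "CN=miller, OU=ADMIN, O=myCompany, C=US",
    "smith": "CN=smith,OU=ADMIN, O=myCompany, C=US",   # space omitted
    "jones": "cn=jones, OU=ADMIN, O=myCompany, C=US",   # different case
    "brown": "CN=miller, OU=ADMIN, O=myCompany, C=US",  # another user's name
}

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE).items():
        print(f"{user:8} {verdict}")
```

A 'mismatch' entry such as the one for brown deserves review first, because it ties a user ID to an external identity that the convention assigns to someone else.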