slavko_snjegota

Overview

It can be really frustrating to type your user name and password into your application many times per day. It is even worse if links from your main page lead to other pages that also require authentication. The solution to this problem is simple: use Single Sign On (SSO). The idea is to have a user certificate installed on the client machine and sent automatically to the server every time the server requires authentication. This approach also requires that communication between frontend and backend be protected using a Secure Network Communication (SNC) library, so that nobody else can see what is transferred between server and client. Various products provide this functionality, and in 2011 SAP acquired one of them: Secude SecureLogin. If you have it installed, it is represented by a green diamond icon in the notification bar, which lets users select the default user certificate to be used for SSO login to ERP systems. If everything is set up properly, the user can log in to the backend without any additional questions, password requests and so on.

SAP 3D Visual Enterprise Login

In SAP 3D Visual Enterprise, all our products that need to communicate with ERP systems (VE Author, VE Planner, VE Instance Loader...) use a common login control to establish credentials and open a communication channel to those ERP systems. This control lists all existing connections that the user has set up in SAP Logon and allows him/her to select which connection to use.

If the Single Sign On option is enabled, this dialog box may not be displayed at all, or, if the application does not provide sufficient information, it may look like this:

If you open the Options expander you can see the details of the selected connection. Please note that these connections are read-only and cannot be changed in this control. Users should maintain them in SAP Logon.

In addition to these connections there is an option to create a new, custom connection that doesn't exist in SAP Logon. This option is primarily provided to support cases where the user, for any reason, cannot create or change SAP Logon connections. To create a custom connection, select "Add new connection" from the list of available connections. That will allow you to type the connection name and parameters, select the communication security and so on.

Please note that these options are optional: the application developer may have decided not to allow custom connections, in which case the Options expander and the "Add new connection" option will not be present.

Security

By default, all communication between the application and the selected ERP system is open and unprotected. That means that someone can capture network traffic and see the content of this communication, including sensitive business data. The standard way to protect the communication is to use a Secure Network Communication (SNC) library. The default installation of SAP Logon 720 and 730 comes with the Secude cryptography library. However, customers may decide not to use this one and to install their own library instead, for various reasons. It may be because they want to use Windows Kerberos authentication, some other standard authentication or, in some cases, their own custom proprietary authentication mechanism which gives them a high level of security.

Switching authentication libraries is very easy, as the full path to the library is stored in the environment variable SNC_LIB. However, the SNC library has to fully comply with GSS-API V2. You can read more about SNC in SAP here: http://help.sap.com/saphelp_nwmobile71/helpdata/EN/e6/56f466e99a11d1a5b00000e835363f/frameset.htm

Problem

The problem is that all SAP 3D Visual Enterprise applications exist in both 32-bit and 64-bit versions, while the default Secude cryptography library is 32-bit only. That means that 64-bit applications cannot use SNC! Custom third-party libraries may exist in both 32-bit and 64-bit versions, but there is only one environment variable that holds the full path to the library, which means that if you point it at the 64-bit library, your SAP Logon and other 32-bit applications will not be able to use SNC anymore.

SAP has provided a solution for this library path problem in SAP support note 1746967 by introducing another environment variable, SNC_LIB_64, which is supposed to hold the full path to the 64-bit version of the SNC library.

So now users can install third-party SNC libraries for both 32-bit and 64-bit modes, and as long as the environment variables are properly set, all our software will be able to use SNC and SSO.

However, if they don't use third-party libraries, we still have the same problem, as the default installation of the Secude library is still 32-bit only!

Solution

Fortunately, SAP has provided a solution for this problem too. In January 2013 SAP released its Single Sign On 2.0 library. The release note with the list of features is published in SAP Support note 1808526. More information can be found here: http://help.sap.com/nwsso20

SSO2 installs a new credentials manager, which is now represented by a blue diamond icon in the notification bar area.

Among an impressive list of features (support for Smartcard, OTP Token, Kerberos, Microsoft Certificate Store, PKCS#11, Digital Signatures in SAP Applications etc.), this new library now supports both 32-bit and 64-bit client software, as it installs both versions of the SNC cryptography library and sets both environment variables properly.

Please note that for this solution to work, the same SSO2 library must be installed on the ERP system as well; otherwise the user still won't be able to connect using SNC and SSO.

Conclusion

The SAP Single Sign On 2.0 library is here and it will be rolled out to all existing systems over time. In order to allow SAP 3D Visual Enterprise 64-bit applications to use standard (not third-party) SSO, we now require the SAP SSO2 library to be installed on both client and server.

However, if the customer is using a third-party library, the only action required is to make sure that the 64-bit version of this library is available and that the path to it is set in the SNC_LIB_64 environment variable.
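
A quick way to confirm that both variables point at libraries of the right bitness is to read the PE header of each configured file. The script below is an added example, not SAP code; it assumes SNC_LIB is meant for 32-bit clients and SNC_LIB_64 for 64-bit clients, as described above, and `fake_pe` builds a constructed sample header so the check can be exercised without a real library.

```python
import os
import struct

MACHINE_BITS = {0x014C: 32, 0x8664: 64}  # COFF Machine field: x86, x64

def pe_bitness(data):
    """Return 32 or 64 for an x86/x64 PE image, None if not recognised."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return MACHINE_BITS.get(machine)

def check_snc_env(env, read_file):
    """Report, per variable, whether the configured library fits its slot."""
    # Assumed mapping (from the article): SNC_LIB -> 32-bit, SNC_LIB_64 -> 64-bit.
    findings = []
    for var, expected in (("SNC_LIB", 32), ("SNC_LIB_64", 64)):
        path = env.get(var)
        if not path:
            findings.append((var, "unset"))
            continue
        try:
            actual = pe_bitness(read_file(path))
        except OSError:
            findings.append((var, "file not readable"))
            continue
        if actual is None:
            findings.append((var, "not an x86/x64 PE image"))
        elif actual != expected:
            findings.append((var, f"{actual}-bit library, {expected}-bit expected"))
        else:
            findings.append((var, "ok"))
    return findings

def read_header(path):
    with open(path, "rb") as fh:
        return fh.read(4096)  # the PE header sits near the start of the file

def fake_pe(machine):
    """Constructed sample: the smallest header pe_bitness() accepts."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18

if __name__ == "__main__":
    for var, status in check_snc_env(os.environ, read_header):
        print(f"{var}: {status}")
```

Run on a client machine, it prints one status line per variable; a 64-bit library path left in SNC_LIB shows up as a mismatch rather than as a silent SNC failure in 32-bit applications.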