NWBC (4.0) meets Single Sign-On: Simplify Secure Data Access (Part 1)
NWBC was originally designed to enable users to access data using multiple UI technologies from a single ABAP back end system.
To make data access secure, we now recommend combining NWBC with SAP NetWeaver Single Sign-On.
This solution is both simple and secure.
As of release 2.0, SAP NetWeaver Single Sign-On supports SPNEGO for ABAP.
Setting up SPNEGO for ABAP is a simple and straightforward process that involves only a few manual configuration steps:
- Install the Secure Login Library on the SAP NetWeaver ABAP back end.
- Set the system parameters spnego/enable and spnego/krbspnego in the SAP NetWeaver Application Server ABAP and configure the keytab generated by the Active Directory server in transaction SPNEGO.
- Map the user’s Kerberos principal name to the ABAP user name using transaction SU01.
Leveraging this Kerberos-based single sign-on technology, you can implement an SAP NetWeaver Single Sign-On solution for your NWBC quickly and easily, and without the need for a Java stack.
With SAP NetWeaver Single Sign-On 2.0 and NWBC you can simply reuse your Windows domain authentication for Single Sign-On, even across different domains.
This tutorial-like blog describes how to connect securely and in just three easy steps to either a single ABAP back end system or to multiple ABAP back end systems.
NWBC 4.0, SSO 2.0, SAP NetWeaver 7.3
- After implementing SSO with Kerberos (see How-To-Videos), create your SAP GUI system connection, e.g. System 1, in SAP Logon.
- Activate Secure Network Communication (SNC) for your system.
- Open NWBC and create a system connection (System 1) that refers to the SAP GUI system connection (enter exactly the same string: System 1) so that NWBC uses the SNC settings activated in SAP GUI.
Connecting to More than One System
If you'd like to implement secure connections to more than one ABAP back end system, repeat the steps described above for a second system (e.g. System 2).
Note: For the server configuration (transaction RZ11) you must set the profile parameter login/create_sso2_ticket. Enter the value 3 (the default in the kernel as of NetWeaver 7.40) to enable the AS ABAP to issue authentication assertion tickets and no logon tickets. We recommend you use this value.
(Setting login/create_sso2_ticket to 0 means no logon or assertion tickets.)
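One way to check these settings on a server, as an added example that is not part of the original post or of SAP tooling: a Python script that parses an instance profile and reports on the SPNEGO parameters from the setup steps and on login/create_sso2_ticket from the note. The sample profile is constructed; spnego/enable = 1 as the "on" value, the meanings of ticket values 1 and 2, and last-entry-wins parsing are assumptions not stated in the post.

```python
# Added example: audit an AS ABAP profile for the settings named in this post.
# Values 0 and 3 are described in the post; 1 and 2 are assumptions here.
TICKET_MODES = {
    "0": "no logon or assertion tickets",
    "1": "logon tickets including the certificate",
    "2": "logon tickets without the certificate",
    "3": "assertion tickets only",
}

def parse_profile(text):
    """Parse 'name = value' lines; '#' lines are comments; last entry wins (assumption)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def audit(params):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    if params.get("spnego/enable") != "1":  # assumption: 1 switches SPNEGO on
        findings.append("spnego/enable is not 1: SPNEGO for ABAP is off")
    # Prefix match on the name given in the post, so a suffixed form also counts.
    if not any(k.startswith("spnego/krbspnego") and v for k, v in params.items()):
        findings.append("spnego/krbspnego is empty: no Kerberos library configured")
    mode = params.get("login/create_sso2_ticket")
    if mode is None:
        findings.append("login/create_sso2_ticket not set: kernel default applies "
                        "(3 only as of NetWeaver 7.40)")
    elif mode != "3":
        findings.append("login/create_sso2_ticket = %s (%s); recommended value is 3"
                        % (mode, TICKET_MODES.get(mode, "unknown value")))
    return findings

# Constructed profile excerpt for a hypothetical system S01.
SAMPLE_PROFILE = """\
# instance profile excerpt (constructed)
SAPSYSTEMNAME = S01
spnego/enable = 1
spnego/krbspnego = /constructed/path/to/secure_login_library
login/create_sso2_ticket = 2
"""

if __name__ == "__main__":
    for finding in audit(parse_profile(SAMPLE_PROFILE)):
        print("FINDING:", finding)
```
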
Recommendation: Create a new service user on the Microsoft Active Directory server for each SAP system (see first part of the second video “Implementing Single Sign-On with Kerberos”)
Hint: Activate the NWBC system selector at start-up to switch easily between your systems, see the following screenshot.
To see how to access multiple systems, referencing from one system to the other via PFCG mapping, read part 2:
More information on Authentication and Single Sign-On with NWBC
Find more information about Single Sign-On 2.0 in the Community for SAP NetWeaver Single Sign-On.