Where we come from
Since we first released it in 2011, SAP Single Sign-On has become a very popular product (thanks to all of you for that). Many customers decided to increase the security of their SAP landscape and the efficiency and satisfaction of their end users by implementing it. Even customers who were already using a product for SAP GUI Secure Network Communication (SNC) decided to switch to the SNC support that comes with SAP Single Sign-On.
Back then however, switching an SNC product was a tricky thing. SNC requires matching libraries on the frontend and the backend, and different SNC products are not interoperable. This left customers with the big bang approach. All frontend and backend systems had to be updated at the same time to avoid broken connections.
What is new
In the current version of SAP GUI and many RFC clients we have now added a capability that will significantly simplify the SNC product migration. SAP GUI was enabled to support 2 SNC products within the same SAP GUI installation. This can be configured by customers using newly introduced environment variables and specifying the required SNC product for each SAP GUI connection.
How to migrate to SAP Single Sign-On SNC
- In the beginning, an old SNC product is still installed and the environment variables SNC_LIB, SNC_LIB_32 or SNC_LIB_64 point to this.
- You ensure up-to-date versions of SAP GUI and relevant RFC clients are rolled out to your frontend systems. See OSS note 2025528 for the list of recommended versions.
- You install the Secure Login Client component of SAP Single Sign-On on the clients and set the newly introduced environment variables SNC_LIB_2, SNC_LIB_32_2 or SNC_LIB_64_2 to the location of the Secure Login Library that comes with the Secure Login Client.
- You replace the old SNC product on a backend with SAP CommonCryptoLib and update the SNC name for the system on the clients to specify p/sapsso as the product name (e.g. p/sapsso:CN=ALX,O=SAP-AG,C=DE). If the connection is managed through a message server then this change can be done centrally without modifying the individual clients. Use transaction SNC4 to update the canonical name of the system.
- Once all backend systems have been updated to use SAP Single Sign-On you may uninstall the old SNC product from the clients and update SNC_LIB, SNC_LIB_32 or SNC_LIB_64 to point to the Secure Login Library. Now the environment variables SNC_LIB_2, SNC_LIB_32_2 or SNC_LIB_64_2 can be removed as they were only needed for the migration.
With this approach you are able to upgrade your landscape to SAP Single Sign-On step by step. So now is the time to get started 😎