To secure and encrypt customer networks, SAP offers the SNC (Secure Network Communications) interface with which users can log in to SAP systems without having to enter a user name or password. In the standard system, SAP login credentials are transmitted in clear text. The SNC interface routes calls through the SAP Cryptographic Library, to encrypt all communications between the SAP GUI and the SAP server. This enables secure individual logins for SAP.
SNC implementation without SSO, but with SSL – is that possible?
The minimum level of security that SNC offers is “Authentication”. If only this parameter is used, the system verifies the identity of the communication partners and encrypts the user’s login credentials (user name and password). At higher levels, data transmission and data package content can also be encrypted with SNC.
This represents an important step toward technical protection of SAP systems.
In the following, I’ll explain how SNC-encrypted communication can be set up without incurring the additional costs of implementing single sign-on (SSO).
Secure login using the SAP Secure Login Client
The SAP Secure Login Client can be used to log in to the SAP system. The Secure Login Client is a client application that provides security tokens (Kerberos and X.509 technology) for a variety of applications. It uses the functions of the SAP Cryptographic Library (CommonCryptoLib).
Secure login supports users with authentication, among other features, using the authentication mechanism of the Windows domain (Active Directory server) or an SSL (Secure Sockets Layer) certificate.
With SAP Single Sign-On 3.0, users can log in with the SAP GUI using encrypted communications, but without needing single sign-on.
- The Secure Login Client from SAP Single Sign-On 3.0 or higher is running on the client PCs.
- The back-end systems are running SAP NetWeaver Application Server for ABAP with the CommonCryptoLib 8.5 or higher from the SAP Cryptographic Library.
The following options are available for configuring the Secure Login Client:
- Activation of legacy compatibility mode. This is an SNC-protected login on the server side. Legacy compatibility mode is available with CommonCryptoLib 8.5.x and lower and SAPCRYPTOLIB 5.5.5.
- Activation of the Secure Login Client, to select an authentication method (smart mode), if most of the application servers use the SAP Cryptographic Library CommonCryptoLib 8.5 or higher. This option is recommended by SAP, because the Secure Login Client always selects the best authentication method.
- Encryption can only be implemented permanently for all users or a group of users with SNC.
- Users can switch to encryption manually for the login with SNC.
Clarification of Secure Login Client license issue with SAP
To clarify use of the Secure Login Client, we asked the following question of SAP: “The SNC encryption to be implemented will only use the SAP Cryptographic Library of the Secure Login Client. SSO is not planned. Will costs be incurred anyway?”
The answer from SAP: “This case involves secure client encryption. This component can be used at no additional cost. Please note, however, that this approach provides ‘encryption only’. It cannot be used to implement single sign-on.”
If we follow this argument to its logical conclusion, this means the Secure Login Client can be used free of charge, as long as SSO isn’t used.
How the implementation of SNC with SSL encryption works
An existing SSL certificate for https is used for SCN connection encryption. As a result, no connection to the Microsoft AD (Kerberos) is needed. Encryption is ensured by the SSL certificate in PSE and in the SNC Library.
In this scenario, however, it is important to monitor certificate expiration dates and renew them in time. If the certificate is not renewed in time, SNC cannot be used until successful recertification.
How to prepare ABAP properly: In the SAP, transaction STRUST is used to “copy” the PSE file from the SSL server entry to the SNC SAPCryptolib entry. As such, the SNC name for the SAPGUI entry is determined from the SLL server certificate, for example, “p:CN=<SID>.<customer>.de, OU=SAP Basis, O=<service provider>, L=Frankfurt am Main, C=DE”.
In SAP GUI Logon, SNC must be activated for the individual users and the SNC name “p:CN=<SID>.<customer>.de, OU=SAP Basis, O=<service provider>, L=Frankfurt am Main, C=DE” must be entered.
This assumes that all options have been set correctly and that SNC is fully functional on the server side. The user can log in using an encrypted network connection,
which is identified by the “closed padlock” icon in the lower right corner of the SAP GUI.
Advantages of SNC encryption
SNC encryption via SSL offers the following advantages:
- No connection to the Microsoft AD required, which means lower maintenance and administration effort.
- External workers and service providers can only use SNC if a certificate with a recognized ROOT CA is used and Client Encryption 2.0 or Secure Login Client is installed on the front end.
- Only the SAP GUI has to be adjusted.
- No additional costs for encryption software, because the https certificate is already available.
- Often policy-compliant, since the SSL certificate is valid for an SAP/ABAP application.
- No follow-up work on SNC parameters or certificates needed after system copies.
- The SAP Secure Login Client can be used.
If SSL is used, however, the certificate expiration date must be monitored, because SNC cannot be used with an expired certificate.
An SNC implementation is possible at reasonable cost, even without a grand solution including SSO. In this context, we recommend using SNC with SSL encryption, which reduces the required implementation effort even more.
Matthias Anstötz (SAP Security Consultant, SAST SOLUTIONS)