SAP Single Sign-On Insider Tips – Volume #1

“Insider Tips” talks about some of the lesser known configuration options of SAP Single Sign-On. In volume #1, we will look at how to handle X.509 server certificates that contain special characters in the Distinguished Name (DN). We will also find out how to enable Secure Network Communications (SNC) to encrypt data using the Secure Login Client (SLC) but without enabling Single Sign-On or leveraging Kerberos. Thanks to my colleague Carsten Olt and former colleague Markus Nüsseler for those tips.

I was recently working with a customer who had SLC 3.0 deployed and wanted to use it to encrypt data, transferred between SAP GUI and AS ABAP but without enabling Single Sign-On or leveraging Secure Login Server (SLS). In the past, such a use case could only be covered by either configuring SLS to issue short-term user certificates that would expire immediately after each successful authentication attempt, or by leveraging Kerberos. Starting with SAP Single Sign-On 3.0, and more specifically with the CommonCryptoLib (CCL) 8.5.4+, there is a third option: Encryption-only mode.

Encryption-only mode

The encryption-only mode is a feature of SLC and thus requires a separate SAP Single Sign-On license. Enabling this mode is relatively straightforward and requires a valid SNC PSE (Personal Security Environment) on the AS ABAP. Ideally, the PSE used on AS ABAP was issued by a Certification Authority (CA) that your users’ computers already trust, even though manual server trust is an option. The big advantage of this approach is that it doesn’t require any additional backend infrastructure and doesn’t change how users log in to SAP. At the same time, this mode ensures that all data, transferred between SAP GUI is AS ABAP is encrypted.

In comparison, the setting “SNC logon with user/password (no Single Sign-On)” in SAP GUI requires Kerberos (Active Directory) as the underlying authentication mechanism.

How to handle special characters in server certificates

If your organization operates its own CA and if you would like to leverage that CA to provide digital certificates for your SAP Single Sign-On infrastructure, you may run into unexpected issues. A common problem I have seen is certificates that contain special characters in their distinguished name (also known as the subject name). As of this writing, the latest release of SAP GUI cannot connect to an AS ABAP via SNC if the server has a certificate (PSE file) that contains a quotation mark, for example.

In the context of single sign-on, a certificate’s subject name is referred to as the SNC name. A typical SNC name of an AS ABAP may look similar to this: CN=ABC, O=Acme, L=Tampa, C=US. But depending on the configuration of the certificate templates of your CA, your certificates may have a subject name similar to this: CN=ABC, OU=Finance, O=Acme, L=”Tampa, Florida”, SP=”Tampa, Florida”, C=US.

A subject name like in the above example will cause the SNC name parser in SAP GUI to fail, thus preventing a successful connection to the AS ABAP. Fortunately, there is an easy workaround to this problem, by replacing the quotation mark (“) with its UNICODE counterpart. In our example, the resulting SNC name that SAP GUI can correctly parse would be: CN=ABC, OU=Finance, O=Acme, L=\u0022Tampa, Florida\u0022, SP=\u0022Tampa, Florida\u0022, C=US.

The prefix \u indicates that a UNICODE code will follow and 0022 is the UNICODE equivalent of the quotation mark (“). For a complete list of possible characters go to unicode.com.

Stay tuned for volume #2 of Xiting’s Insider Tips for SAP Single Sign-On!