Interfaces Using SAP NetWeaver Application Server ABAP with SPNego
4.7.8 User SNC Name Mapping
The following section describes how you configure the user SNC name in the SAP Cryptographic Library or in the Secure Login Library.
4.7.8.1 Uppercase Distinguished Name
To support case insensitivity for user certificate names used by SNC, the GSS Distinguished Names presented to SAP SNC may be converted to uppercase.
This can be defined in the configuration file gss.xml for the SAP Cryptographic Library or for the Secure Login Library.
Value    Description
true     The distinguished name is provided in uppercase.
false    The distinguished name is provided in mixed case.
Default is false.
4.7.8.2 Alternative Name DN Feature
It is possible to use the Subject Alternative Name from the user certificate that is presented to the SAP SNC interface.
You can define this in the configuration file gss.xml for the SAP Cryptographic Library or for the Secure Login Library.
You can enter several values separated by commas or spaces. The system uses the first value; if that value is not available in the certificate, it proceeds to the second value, and so on. An error occurs when no value can be used.
Example 1
The SAP Cryptographic Library or the Secure Login Library uses the URI. If the URI is not available, it uses the subject (Distinguished Name).
<ClientNameSource>AltNameURI Subject</ClientNameSource>
Example 2
The SAP Cryptographic Library or the Secure Login Library uses the e-mail address and, if that is not available, the Microsoft User Principal Name. If neither value is available, an error occurs.
<ClientNameSource>AltNameEMAIL AltNameUPN</ClientNameSource>
Caution
If users change their own attributes (for example, through a self-service), and these attributes are used by the user certificate (issued by the Secure Login Server), a situation may occur in which these users are able to assign additional rights to themselves. Thus these users might get rights they are not supposed to have. For this case, we recommend that you implement access restrictions for the change of user attributes.
An AS ABAP uses, for example, certificate-based logon with the users’ e-mail addresses in the Distinguished Names. The string in the certificate has the following format:
This means that the user's e-mail address is used for the user mapping in SNC. If an administrator enables users to change their own data (for example, e-mail address, first name, last name) through a self-service, a user can enter, for example, his or her manager's e-mail address ([email protected]) as an attribute. Since this data is usually maintained centrally, the change also reaches the Secure Login Server. If the certificate user mapping feature of the Secure Login Server is configured with the e-mail address as an attribute of the certificate, the user receives a certificate with the Distinguished Name [email protected] and can now log on to the AS ABAP as his or her manager.
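The following Python example is added here to illustrate both the ClientNameSource fallback described in 4.7.8.2 and the self-service risk from the Caution above; it is not SAP code and not the behavior of the SAP Cryptographic Library or Secure Login Library itself. It assumes that the name sources of a certificate (Subject, AltNameURI, AltNameEMAIL, AltNameUPN) have already been extracted into a dictionary, and the certificate values, e-mail addresses and SNC-name-to-user mapping it uses are constructed sample data.

```python
# Added example; this is not SAP code. It mimics the <ClientNameSource>
# fallback the text describes: sources are tried in the configured order and
# the first one present in the certificate becomes the SNC name.
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Source keywords that appear in the examples above; anything else is rejected
# here (assumption: the real library may accept further keywords).
KNOWN_SOURCES = {"Subject", "AltNameURI", "AltNameEMAIL", "AltNameUPN"}


def parse_client_name_source(gss_xml: str) -> List[str]:
    """Read <ClientNameSource> from a gss.xml fragment and return the ordered
    list of sources (separated by commas and/or spaces, as stated above)."""
    node = ET.fromstring(gss_xml).find(".//ClientNameSource")
    if node is None or not (node.text or "").strip():
        raise ValueError("gss.xml has no <ClientNameSource> value")
    sources = [s for s in re.split(r"[,\s]+", node.text.strip()) if s]
    unknown = [s for s in sources if s not in KNOWN_SOURCES]
    if unknown:
        raise ValueError(f"unknown ClientNameSource keyword(s): {unknown}")
    return sources


def resolve_client_name(sources: List[str], cert: Dict[str, Optional[str]]) -> str:
    """The first configured source that the certificate actually carries wins;
    an error is raised when none can be used."""
    for src in sources:
        value = cert.get(src)
        if value:
            return value
    raise LookupError(f"certificate carries none of the sources {sources}")


# Constructed sample certificate (assumption: the name sources are modelled as
# values already extracted from the Subject and SubjectAltName extension).
ALICE_CERT: Dict[str, Optional[str]] = {
    "Subject": "CN=alice, OU=Sales, O=Example, C=DE",
    "AltNameURI": None,                 # this certificate has no URI SAN
    "AltNameEMAIL": "alice@example.com",
    "AltNameUPN": "alice@corp.example.com",
}

# Constructed SNC-name -> ABAP-user mapping, standing in for the mapping the
# AS ABAP holds for certificate-based logon.
SNC_USER_MAP = {
    "CN=alice, OU=Sales, O=Example, C=DE": "ALICE",
    "alice@example.com": "ALICE",
    "manager@example.com": "MANAGER",
}

EXAMPLE_1 = "<gss><ClientNameSource>AltNameURI Subject</ClientNameSource></gss>"
EXAMPLE_2 = "<gss><ClientNameSource>AltNameEMAIL, AltNameUPN</ClientNameSource></gss>"


def map_snc_user(gss_xml: str, cert: Dict[str, Optional[str]]) -> str:
    """SNC name resolution followed by the user mapping lookup."""
    name = resolve_client_name(parse_client_name_source(gss_xml), cert)
    if name not in SNC_USER_MAP:
        raise LookupError(f"SNC name {name!r} is mapped to no ABAP user")
    return SNC_USER_MAP[name]


def impersonation_demo() -> str:
    """The Caution above: if the e-mail attribute that ends up in the
    certificate is editable through self-service, a user who enters the
    manager's address is issued a certificate that maps to the manager."""
    tampered = dict(ALICE_CERT, AltNameEMAIL="manager@example.com")
    return map_snc_user(EXAMPLE_2, tampered)


if __name__ == "__main__":
    print(map_snc_user(EXAMPLE_1, ALICE_CERT))   # ALICE (Subject used, no URI SAN)
    print(map_snc_user(EXAMPLE_2, ALICE_CERT))   # ALICE (e-mail SAN used)
    print(impersonation_demo())                  # MANAGER
```

The tampered certificate in `impersonation_demo` is valid and correctly issued; the mapping fails only because the attribute that feeds the SNC name is under the user's control, which is why the text recommends restricting changes to such attributes.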
4.7.8.3 Default User Schema Settings
The default user schema of the Secure Login Library is RFC2256. The configuration is located in the file gss.xml.
Note
Customers who run Secure Login Library 2.0 SP0 or SP1 and upgrade to Secure Login Library 2.0 SP1 Patch 1 or higher might have to edit the name schema in the new release and enter the name schema they used in the original release. For more information, see SAP Note 1864123 and related links.
By default, the configuration of the user schema in the file gss.xml is empty (meaning RFC2256). If you prefer, you can also enter RFC2256 for clarity.
Example
<gss>
<nameencoding>UTF8</nameencoding>
<nameschema></nameschema>
<!-- 'secude'/'sapcryptolib' or 'rfc2256' (default) specifies the schema for order and keywords of name components -->
</gss>
Example
<gss>
<nameencoding>UTF8</nameencoding>
<nameschema>rfc2256</nameschema>
<!-- 'secude'/'sapcryptolib' or 'rfc2256' (default) specifies the schema for order and keywords of name components -->
</gss>
Related Information
SNC Communication Protocol Parameters [page 131]
In the file gss.xml, you can configure the SNC communication protocol for server-to-server and client-to-server communication.
Communication and Protocol Parameters (Server and Client) [page 309]
In the file gss.xml, you can configure the SNC communication protocol for server-to-server and client-to-server communication.
4.7.8.3.1 SNC Name Compatibility with a SECUDE SAPCRYPTOLIB Release
User schemas for SNC names
The SNC names for a certificate-based logon consist of user schema attributes, for example, CN (common name), O (organization), OU (organizational unit), or C (country). These attributes comply with the RFC2256 default for user schemas. For more information, see RFC 2256, A Summary of the X.500(96) User Schema for Use with LDAPv3.
Previous releases of SAPCRYPTOLIB and old SECUDE releases still use a user schema with obsolete attributes.
The table below shows the RFC2256-compliant attributes, the corresponding obsolete SAPCRYPTOLIB or SECUDE attributes, and the related keywords.
Keyword                RFC2256-Compliant Attribute (Default)    Obsolete SAPCRYPTOLIB or SECUDE Attribute
surname                SN                                       S
street                 STREET                                   ST
title                  TITLE                                    T
serialNumber           SERIALNUMBER                             SN
businessCategory       BUSINESSCATEGORY                         BC
description            DESCRIPTION                              D
stateOrProvinceName    ST                                       SP
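The following Python example is added to show why the schema setting matters: the keywords SN and ST denote different attributes under the RFC2256 schema and under the obsolete SAPCRYPTOLIB or SECUDE schema, so a stored SNC name changes its meaning when <nameschema> is switched without rewriting the name. This is illustration code, not SAP code; it uses only the attribute table above plus the shared keywords CN, O, OU and C, and the distinguished names in it are constructed. Its DN parser handles backslash-escaped commas but not multi-valued RDNs (a simplification of RFC 2253).

```python
# Added example; this is not SAP code. It interprets the keywords of an SNC
# name under the RFC2256 schema and under the obsolete SAPCRYPTOLIB/SECUDE
# schema, using the attribute table from this section.
from typing import Dict, List, Tuple

# Attribute name -> (RFC2256 keyword, obsolete SAPCRYPTOLIB/SECUDE keyword),
# exactly as in the table above.
ATTRIBUTE_TABLE = {
    "surname": ("SN", "S"),
    "street": ("STREET", "ST"),
    "title": ("TITLE", "T"),
    "serialNumber": ("SERIALNUMBER", "SN"),
    "businessCategory": ("BUSINESSCATEGORY", "BC"),
    "description": ("DESCRIPTION", "D"),
    "stateOrProvinceName": ("ST", "SP"),
}
# Keywords the text names as common to both schemas.
SHARED_KEYWORDS = {"CN": "commonName", "O": "organization",
                   "OU": "organizationalUnit", "C": "country"}


def keyword_map(schema: str) -> Dict[str, str]:
    """Keyword -> attribute name for a given <nameschema> value
    (empty means rfc2256, as the text states)."""
    if schema in ("", "rfc2256"):
        col = 0
    elif schema in ("sapcryptolib", "secude"):
        col = 1
    else:
        raise ValueError(f"unknown nameschema {schema!r}")
    mapping = dict(SHARED_KEYWORDS)
    mapping.update({kws[col]: attr for attr, kws in ATTRIBUTE_TABLE.items()})
    return mapping


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split 'KEY=value, KEY=value' into (KEY, value) pairs, honouring
    backslash-escaped commas inside values."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r}")
        key, value = part.split("=", 1)
        pairs.append((key.strip().upper(), value.strip()))
    return pairs


def interpret_dn(dn: str, schema: str) -> List[Tuple[str, str]]:
    """Attribute names that a library configured with `schema` assigns to
    each component of the DN; keywords unknown to the schema are an error."""
    kmap = keyword_map(schema)
    result = []
    for keyword, value in split_rdns(dn):
        if keyword not in kmap:
            raise ValueError(f"keyword {keyword!r} is not valid in schema {schema!r}")
        result.append((kmap[keyword], value))
    return result


def convert_dn(dn: str, from_schema: str, to_schema: str) -> str:
    """Rewrite the keywords of a DN from one schema to the other, keeping the
    component order (what has to happen to stored SNC names on a switch)."""
    reverse = {attr: kw for kw, attr in keyword_map(to_schema).items()}
    return ", ".join(f"{reverse[attr]}={value}"
                     for attr, value in interpret_dn(dn, from_schema))


def schema_switch_changes_meaning(dn: str) -> bool:
    """True if the DN reads differently (or not at all) under rfc2256 than
    under the obsolete schema, i.e. the stored name must be rewritten."""
    try:
        return interpret_dn(dn, "secude") != interpret_dn(dn, "rfc2256")
    except ValueError:
        return True


# Constructed SNC name written for an old SECUDE schema: here SN is a serial
# number and ST a street, which rfc2256 would read as surname and state.
OLD_NAME = "CN=Alice Example, SN=4711, ST=Main Street 1, OU=Sales, O=Example, C=DE"
```

Running `interpret_dn(OLD_NAME, "secude")` and `interpret_dn(OLD_NAME, "rfc2256")` side by side shows the silent reinterpretation; `convert_dn(OLD_NAME, "secude", "rfc2256")` gives the form the name must take in the SNC user mapping if the schema is switched rather than kept as described in 4.7.8.3.2.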
4.7.8.3.2 Setting for SAPCRYPTOLIB or SECUDE Release
If you want to keep the attributes of an old user schema, override the user schema setting. To switch the Secure Login Library to the attributes of obsolete SAPCRYPTOLIB or SECUDE releases, open the gss.xml file and enter the schema sapcryptolib or secude in the <nameschema> element.
Example
<gss>
<nameencoding>UTF8</nameencoding>
<nameschema>sapcryptolib</nameschema>
<!-- 'secude'/'sapcryptolib' or 'rfc2256' (default) specifies the schema for order and keywords of name components -->
</gss>
Example
<gss>
<nameencoding>UTF8</nameencoding>
<nameschema>secude</nameschema>
<!-- 'secude'/'sapcryptolib' or 'rfc2256' (default) specifies the schema for order and keywords of name components -->
</gss>
4.7.8.4 Shorten Long Distinguished Names
It is possible to shorten parts of the distinguished name (SNC Name) from the user certificates that are presented to the SAP SNC interface. The character limit for SAP server systems is 255 characters (in older systems 80 characters).
For example, you can remove entire parts such as a company name which are identical for all users. You can define this in the Secure Login Library configuration file gss.xml.
Table 18:
Parameter                     Details
<searchstr>XXX</searchstr>    In the <nameconversions> section, use the <searchstr> parameter to define the part of the distinguished name to be shortened.
                              Example: OU=Very Long Organization Unit Name
<replstr>XXX</replstr>        In the <nameconversions> section, the <replstr> parameter defines the text that replaces the part of the distinguished name matched by <searchstr>.
                              Example: OU=Short Name
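The following Python example is added to show the effect of <searchstr>/<replstr> pairs on a set of user DNs, together with the two checks a practitioner should run before activating such conversions: the shortened names must fit the server's limit (255 characters, or 80 on older systems, as stated above), and no two users may be shortened to the same SNC name, because that would merge two identities into one. It is illustration code, not SAP code. Because the page does not show how the pairs are nested inside <nameconversions>, they are passed in as a plain list (an assumption); the optional uppercase flag mirrors the setting in 4.7.8.1. All DNs in the example are constructed.

```python
# Added example; this is not SAP code. It applies <searchstr>/<replstr> pairs
# the way the text describes for <nameconversions>, enforces the SNC name
# length limit quoted above, and checks that shortening does not make two
# users' SNC names identical.
from typing import Dict, List, Tuple

MAX_SNC_NAME_LEN = 255     # limit for current SAP server systems (from the text)
LEGACY_SNC_NAME_LEN = 80   # limit on older systems (from the text)

# (searchstr, replstr) pairs, applied in order. Assumption: passed as a list
# because the page does not show their nesting inside <nameconversions>.
Conversions = List[Tuple[str, str]]


def shorten_dn(dn: str, conversions: Conversions,
               limit: int = MAX_SNC_NAME_LEN, uppercase: bool = False) -> str:
    """Replace every occurrence of each searchstr by its replstr (an empty
    replstr removes the part), optionally upper-case the result as in 4.7.8.1,
    and fail if the name still exceeds the server's SNC name limit."""
    result = dn
    for search, repl in conversions:
        if not search:
            raise ValueError("empty <searchstr> would match everywhere")
        result = result.replace(search, repl)
    if uppercase:
        result = result.upper()
    if len(result) > limit:
        raise ValueError(f"SNC name is {len(result)} characters, limit is {limit}: {result}")
    return result


def fits(dn: str, conversions: Conversions, limit: int = MAX_SNC_NAME_LEN) -> bool:
    """True if the DN can be shortened to within `limit` with these pairs."""
    try:
        shorten_dn(dn, conversions, limit)
        return True
    except ValueError:
        return False


def find_collisions(dns: List[str], conversions: Conversions,
                    limit: int = MAX_SNC_NAME_LEN) -> Dict[str, List[str]]:
    """Shortened name -> original DNs, restricted to names produced by more
    than one DN. A non-empty result means the conversions merge users."""
    by_short: Dict[str, List[str]] = {}
    for dn in dns:
        by_short.setdefault(shorten_dn(dn, conversions, limit), []).append(dn)
    return {short: origs for short, origs in by_short.items() if len(origs) > 1}


# Constructed DNs (not real users): well over 80 characters each, so they do
# not fit an older system's limit until the conversions are applied.
LONG_DNS = [
    "CN=alice, OU=Very Long Organization Unit Name, O=Example Corporation International Holdings, C=DE",
    "CN=bob, OU=Very Long Organization Unit Name, O=Example Corporation International Holdings, C=DE",
]
CONVERSIONS: Conversions = [
    ("OU=Very Long Organization Unit Name", "OU=Short Name"),
    ("O=Example Corporation International Holdings", "O=Example"),
]

# Two distinct users whose DNs differ only in the part being shortened: using
# the same replstr for both search strings collapses them into one SNC name.
COLLIDING_DNS = [
    "CN=jsmith, OU=Sales Division Europe, O=Example, C=DE",
    "CN=jsmith, OU=Sales Division Asia, O=Example, C=DE",
]
BAD_CONVERSIONS: Conversions = [
    ("OU=Sales Division Europe", "OU=Sales"),
    ("OU=Sales Division Asia", "OU=Sales"),
]

if __name__ == "__main__":
    for dn in LONG_DNS:
        print(shorten_dn(dn, CONVERSIONS, LEGACY_SNC_NAME_LEN))
    print(find_collisions(COLLIDING_DNS, BAD_CONVERSIONS))
```

Run `find_collisions` over the complete set of user DNs that will be presented to the system, not a sample; a collision anywhere means two certificates map to one ABAP user.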
The following source code represents a section of the code of the gss.xml file:
<gss>