, mprusov@yandex.ru
11 2004 .
SNC
SAP- SAP AG. SNC Users
Guide 1.2 SAP AG,
, .
SAP AG.
SNC-, (MSNC-). ,
, http://mprusov.narod.ru/sap/snc/index.html.
mailto: mprusov@yandex.ru.
1.1 SNC?
1.2 SNC?
1.2.1
1.2.2
1.2.3
2 SNC SAP
2.1
2.2 SNC SAP
2.2.1 , SNC
2.2.2 SNC SAP-
2.3
2.3.1
2.3.2
2.4 SAP-
2.5 SNC
2.6
3 SNC SAP
3.1
3.2
3.2.1 snc/enable
3.2.2 snc/user_maint
3.2.3 snc/gssapi_lib
3.2.4 snc/identity/as
3.2.5 snc/data_protection/max
3.2.6 snc/data_protection/min
3.2.7 snc/data_protection/use
3.2.8 snc/r3int_rfc_secure
3.2.9 snc/r3int_rfc_qop
3.2.10 snc/permit_insecure_comm
3.2.11 snc/accept_insecure_cpic
3.2.12 snc/permit_insecure_gui
3.2.13 snc/accept_insecure_gui
3.2.14 snc/accept_insecure_r3int_rfc
3.2.15 snc/accept_insecure_rfc
3.2.16 snc/permit_insecure_start
3.2.17 snc/force_login_screen
3.2.18 rdisp/maximum_snc_hold_time
3.2.19 login/disable_password_logon
3.2.20 login/password_logon_usergroup
3.3
3.3.1 snc/enable
3.3.2 snc/gssapi_lib
3.3.3 snc/permit_insecure_start
3.3.4 gw/rem_start
3.4 SAP-
3.4.1 (ACL)
3.4.1.1
3.4.1.2
3.4.2
3.4.2.1 SAPlpd
3.4.2.2 RFC
3.4.2.3 CPIC
3.4.2.4
3.5
3.5.1
3.5.1.1
3.5.1.2
3.5.2
3.5.2.1 SAPlpd
3.5.2.2 RFC
3.5.2.3 CPIC
3.6 SAP-
3.6.1 SNC-
3.6.2 SNC-
3.7 SAP-
4 SNC
4.1 SNC: SAPgui SAP-
4.1.1 SAPgui (sapgui.exe)
4.1.1.1 SNC_PARTNERNAME
4.1.1.2 SNC_LIB
4.1.1.3 SNC_MODE
4.1.1.4 SNC_QOP
4.1.2 SAPgui (SAP Logon)
4.1.2.1
4.1.2.2
4.1.2.3
4.1.3 SAPgui (SAP Shortcuts)
4.1.3.1 SNC_NAME
4.1.4 (SAP-)
4.2 SNC: RFC- SAP-
4.2.1 ( )
4.2.1.1 SNC_PARTNERNAME
4.2.1.2 SNC_LIB
4.2.1.3 SNC_MODE
4.2.1.4 SNC_QOP
4.2.1.5 SNC_MYNAME
4.2.2 (SAP-)
4.2.3
4.3 SNC: CPIC- SAP-
4.3.1 ( )
4.3.1.1 SNC_PARTNERNAME
4.3.1.2 SNC_LIB
4.3.1.3 SNC_MODE
4.3.1.4 SNC_QOP
4.3.1.5 SNC_MYNAME
4.3.1.6 GWSERV
4.3.2 (SAP-)
4.3.3
4.4 SNC: RFC- SAP-
4.4.1 RFC- SNC- SM59
4.4.2 SAP- R/2
4.4.3 SAP- SAP-
4.4.3.1 (SAP-)
4.4.3.2 (SAP-)
4.4.3.3
4.4.4
4.4.5
4.4.6 TCP/IP
4.4.6.1 (SAP-)
4.4.6.2 ( )
4.4.7 TCP/IP
4.4.7.1 (SAP-)
4.4.7.2 ( )
4.4.7.3
4.4.8 TCP/IP SAPgui
4.4.8.1 (SAP-)
4.4.8.2 ( )
4.4.9 TCP/IP
4.4.9.1 (SAP-)
4.4.9.2 ( )
4.4.9.3 SNC
4.4.9.4
4.4.10 SM51
4.4.11 SM59
4.4.12
4.4.12.1 BACK
4.4.12.2 NONE
4.4.13 RFCDES-
4.4.14 RFC-
4.5 SNC: CPIC- SAP-
4.6 SNC:
4.6.1 (SAP-)
4.6.2 ( SAPlpd)
4.6.2.1 gssapi_lib
4.6.2.2 enable
4.6.2.3 identity/lpd
4.6.3 SNC- SAPlpd
4.7 SNC: SAProuter SAProuter
4.7.1 SNC-
4.7.2
4.7.2.1 KT-
4.7.2.2 KP-, KD- KS-
4.7.3
4.7.4 SNC
4.8 SNC: ITS SAP-
4.8.1 (ITS WGate)
4.8.1.1 SNC_LIB
4.8.1.2 Type
4.8.1.3 SncNameAGate
4.8.1.4 SncNameWGate
4.8.2 (ITS AGate)
4.8.2.1 SNC_LIB
4.8.2.2 Type
4.8.2.3 SncNameAGate
4.8.2.4 SncNameWGate
4.8.3 (ITS AGate)
4.8.3.1 sncNameAGate
4.8.3.2 sncNameR3
4.8.3.3 sncQoPR3
4.8.4 (SAP-)
4.9 C
4.9.1 CPIC
4.9.2 RFC
A SNC-
B SNC-
C 3.1G/H 4.0A
C.1 snc/data_protection/max
C.2
1.1
SNC?
SNC SAP-, .
SAP- , SAP
. SNC ,
. , SNC:
SNC . SNC
, SNC (,
SAPgui SAP).
, SAP- (, -
).
. , .
- SAP-.
1.2
SNC?
1.2.1
,
.
. , SNC.
1.2.2
, .
.
1.2.3
, .
.
, SNC.
2
SNC SAP
SNC SAP-.
2.1
SNC .
.
GSS-API V2 , IETF
(Internet Engineering Task Force). SNC GSS-API V2
.
, , gssapi, SNC_LIB , , . , (
, ).
(credentials) ,
. , , .
, . ,
.
, (, SAP-)
. . 2.3.2: .
SNC- SAP-. SNC- , . 3.1I
4.0A . SNC-
:
< >:< >
< >/<>:< >
:
< > , :
p , ;
s /;
u .
<> .
< >
, (.
).
SNC-
.
SNC-:
p:C=RU, O=Mecomp, OU=IT, CN=mprusov
s:sap03@h502
2.2
SNC SAP
,
SNC , SNC
SAP-.
2.2.1
, SNC
SNC SAP-:
/ , .
.
( ).
1
gss_canonicalize_name.
. :
SAP-, .
- .
(Single SignOn).
SNC ,
,
, .
,
SAP- GSSAPI V2 IETF.
2.2.2
SNC
SAP-
2.3.
2.3
, .
2.3.1
, SAP-,
:
, GSS-API V2.
.
,
SAP-.
(ICC) SAP AG.
SAP-. SAP AG,
ICC[1] 66687[6].
2.3.2
.
SAP-.
, SNC-, SAP
SAP- .
SAP-
.
, , X.500.
SAP-, ,
,
SAP- , . , X.500,
SAP- CN, (OU, O, C) .
, solarmic SAP-
:
C=RU, O=HOME, OU=IT, CN=solarmic
SAP-,
SAP-. ,
, . :
sap< >.< >
, 01,
mysapcom, :
C=RU, O=HOME, OU=IT, CN=sap01.mysapcom
, ,
RSUSR300 SNC-
SAP-.
2.4
SAP-
SAP- :
SAP (SAP WAS)
SAPgui
SAPlpd
RFC-
CPIC-
SAProuter
SAP ITS
SNC-
2.1.
, ,
SNC, , 4:
SNC.
2.5
SNC
SNC .
,
, . , SAPgui
SNC
SAPgui     SAP WAS          3.1G   4.1
..         SAP WAS    RFC   4.0A   4.2
..         SAP WAS    CPIC  4.0A   4.3
SAP WAS    SAP WAS    RFC   4.0A   4.4.3
SAP WAS    SAP WAS    CPIC  4.0A   4.5
SAP WAS    ..         RFC   4.0A   4.4.6-4.4.8
SAP WAS    ..         CPIC  4.0A   4.5
SAP WAS    SAPlpd           3.1G   4.6
SAProuter  SAProuter        4.0A   4.7
SAP ITS    SAP WAS          4.5A   4.8
SNC_MODE
SNC. 0: SNC
; 1: SNC .
SNC_MYNAME
SNC- . . 255 2 .
SNC_PARTNERNAME
SNC- . . 255 .
SNC_QOP
( ). 1: ; 2: ; 3:
; 8: -; 9:
.
. ,
.
SNC_LIB
, .
. 255 .
, , SAP-.
/ , ,
.
, SNC .
2
2.6
SNC:
SNC SAP-.
,
SAP. SNC
. SAP ( 2.2).
,
RFC- .
SAP-
, , (, RFC). ( SNC ), SAP- .
SNC- ( 2.2).
snc/r3int_rfc_secure.
SAP-.
. (sapdp<nn>)
, SAProuter. SAProuter 3299.
SAP- ,
, SNC, . , , .
snc/accept_insecure_gui.
. 2.2. , SNC.
(sapgw<nn>s)
, SNC, SAP-
RFC-.
SAP- RFC-. SNC
, SNC, RFC-.
,
. sapgw<nn>s
sapgw<nn> SAP-.
4800-4899.
, SAProuter.
, ,
SAProuter
SAProuter.
3
SNC
SAP
SNC
SAP-.
3.1
SAP-. , SAP, .
, .
, , .
SNC- , SNC-
SAP-.
,
SNC SNC. , .
SNC- SAP- RSSNCSRV.
SNC SAP- ,
, SNC . -
. ,
, SNC, , .
3.2
SAP- RZ1012 .
( ).
, snc/identity/as , snc/gssapi_lib .
SNC- SAP-.
3.2.1
snc/enable
SNC .
.
SNC . SNC 1.
, SNC, , SNC, . , ,
, (snc/accept_insecure_gui, snc/accept_insecure_rfc , snc/accept_insecure_cpic).
snc/gssapi_lib. SNC
,
1
, RZ10
. 396983[10].
2
4.0B 4.5B, , RZ10
, SNC- .
149646[7].
snc/enable
snc/user_maint
snc/gssapi_lib
snc/identity/as
snc/data_protection/max
snc/data_protection/min
snc/data_protection/use
3.1
4.0
4.5
4.6
6.1
6.2
snc/r3int_rfc_secure
snc/r3int_rfc_qop
snc/permit_insecure_comm
snc/accept_insecure_cpic
snc/permit_insecure_gui
snc/accept_insecure_gui
snc/accept_insecure_r3int_rfc
snc/accept_insecure_rfc
snc/permit_insecure_start
snc/force_login_screen
rdisp/maximum_snc_hold_time
login/disable_password_logon
login/password_logon_usergroup
. , , ( , , SncInit, SNCERR_INIT).
- 0 (SNC ).
snc/gssapi_lib, snc/identity/as.
0: SNC ; 1: SNC .
3.2.2
snc/user_maint
SNC SU01.
3.1.
, SAP SNC- ,
1.
- 0 ( SNC-).
.
0: SNC-; 1:
SNC-.
3.2.3
snc/gssapi_lib
.
.
GSS-API V2 .
SNC , . ,
SAP- ,
, ,
.
-
.
.
255 .
.
3.2.4
snc/identity/as
SNC- .
.
SNC-
SAP-. .
(message server) SNC- SAP
Logon RFC- .
- .
.
. 2.3.2: .
3.2.5
snc/data_protection/max
SNC-, SAP-.
.
.
3.1G/H: , , .
, .
3.1I: .
4.0A: . .
, RFC- , .
4.0B: ,
(9). .
3.1 4.0A
.
C: 3.1G/H 4.0A.
- 3 ( ).
snc/data_protection/min, snc/data_protection/use.
snc/data_protection/use.
: 1: ; 2: ;
3: .
3.2.6
snc/data_protection/min
, SNC-.
.
, .
SNC , . ,
.
- 2 ( ).
snc/data_protection/max, snc/data_protection/use.
: 1: ; 2: ; 3:
.
3.2.7
snc/data_protection/use
,
SAP .
.
RFC- CPIC-.
RFC- CPIC-, - (8).
- 3 ( ).
snc/data_protection/min, snc/data_protection/max.
snc/data_protection/min snc/data_protection/max. : 1:
; 2: ; 3: ; 9: ,
snc/data_protection/max.
3.2.8
snc/r3int_rfc_secure
SNC RFC-.
4.0A.
, , SNC,
RFC- .
,
RFC-
SNC.
.
2.6: .
- 0 ( SNC
RFC-).
snc/accept_insecure_rfc,
snc/accept_insecure_r3int_rfc.
0: SNC RFC-; 1: SNC
RFC-.
3.2.9
snc/r3int_rfc_qop
SNC- RFC-.
4.0A.
,
RFC- , SNC
RFC- .
- 8 ( ,
snc/data_protection/use).
snc/r3int_rfc_secure.
,
snc/data_protection/min. : 1: ; 2: ; 3: ; 8: ,
snc/data_protection/use; 9:
, snc/data_protection/max.
3.2.10
snc/permit_insecure_comm
CPIC-
SNC.
3.1.
-, SNC,
, SNC, CPIC-.
3.1 CPIC- SNC
, 1
, CPIC .
- 0 ( CPIC-).
.
0: CPIC-; 1: CPIC-.
3.2.11 snc/accept_insecure_cpic
CPIC- SNC.
4.0.
-, SNC,
, SNC, CPIC-. .
- 0 ( CPIC-).
.
0: CPIC-; 1: CPIC-; U:
CPIC- ,
.
3.6: SAP-.
3.2.12
snc/permit_insecure_gui
3.2.13
snc/accept_insecure_gui
3.2.14
snc/accept_insecure_r3int_rfc
, SNC, RFC-
SNC.
4.0.
RFC-. RFC-,
snc/accept_insecure_rfc.
snc/accept_insecure_rfc 0. ,
RFC-
.
- 1 (
RFC-).
snc/accept_insecure_rfc, snc/r3int_rfc_secure.
0: RFC; 1: RFC-.
3.2.15
snc/accept_insecure_rfc
, SNC, RFC-
SNC.
4.0.
-, SNC,
SAP- RFC-. ,
RFC-,
snc/accept_insecure_r3int_rfc.
- 0 (
RFC-).
snc/accept_insecure_r3int_rfc.
0: RFC; 1: RFC-;
U: RFC-
,
. 3.6: SAP-.
3.2.16
snc/permit_insecure_start
,
SNC, .
4.0.
-, SNC ,
, SNC, .
- 0 ( SNC).
.
0: SNC-; 1: SNC-.
3.2.17
snc/force_login_screen
SNC-.
4.5.
-, SNC , SNC-
, .
- 0 (
).
.
0:
; 1 X3 : .
3.2.18
rdisp/maximum_snc_hold_time
SNC-4 .
4.6C.
, SNC, SAP-
Hold .
. SNC-.
- 0 ( ).
.
0: ; >0: , .
3.2.19
login/disable_password_logon
,
5 .
4.6.
, .
snc/accept_insecure_gui , , SNC,
.
3
- 0 ( ).
login/password_logon_usergroup.
0: ;
1:
, login/password_logon_usergroup.
3.2.20
login/password_logon_usergroup
, , 6 .
4.6.
, , , , login/disable_password_logon 1.
- .
login/disable_password_logon.
SU01 ( Logon data, User group for authorization
check).
3.3
, SNC, SAP-
. SNC , .
,
. , .
6
379081[9].
3.3.1
snc/enable
SNC .
.
, , SNC, 1.
SNC :
(sapgw<nn>) (sapgw<nn>s),
.
, SNC
. , SNC-, snc/permit_insecure_start .
- 0 (SNC ).
snc/gssapi_lib, snc/permit_insecure_start.
0: SNC ; 1: SNC .
3.3.2
snc/gssapi_lib
. snc/gssapi_lib SAP-.
.
3.3.3
snc/permit_insecure_start
,
SNC, .
snc/permit_insecure_start
SAP-.
3.3.4
gw/rem_start
CPIC-.
4.0.
SNC,
RFC- CPIC- SNC-. , ,
. ,
SNC.
4.0A 4.0B: REMOTE_SHELL
, gw/remsh , ..
4.5A: DISABLED .
- REMOTE_SHELL (
rsh remsh).
SNC.
REMOTE_SHELL: rsh
remsh; REXEC: rexec; DISABLED:
.
3.4
SAP-
SNC : Basis Components System Administration Management of External Security Systems Secure Network Communication. SO70
SIMG_BCSNC.
SNC- SNC-, SNC
SNC- . , ,
, SNC-
, .
3.4.1
(ACL)
, . ACL ACL.
3.4.1.1
ACL:
SNC SAP-.
SU01. 3.6: SAP-.
ACL SNC- ,
, SAP-
, . 2.3.2: .
ACL SU01, SM30 USRACL SNC .
3.6: SAP-.
ACL SNC RFC- CPIC- SM30
USRACLEXT.
3.6.2: SNC- .
RFC- , SAP- RFC-:
S_RFC RFC-.
S_RFCACL RFC-.
(Authorization Info
System) SUIM, , .
- (Cross-application Authority Objects).
3.4.1.2
3.4.2
, SNC, SAP-,
RFC- CPIC-.
3.4.2.1
SAPlpd
RFC
RFC
SNC:
RFC- SM59 RFC-. 4.4: SNC: RFC- SAP-.
SNC- RFC-
SM30 RFCDESSECU SNC-. 4.4: SNC: RFC- SAP-.
3.4.2.3
CPIC
CPIC SNC:
CPIC- SM54 CPIC-. 4.5: SNC: CPIC- SAP-.
SNC- CPIC- SM30 TXCOMSECU SNC-.
4.5: SNC:
CPIC- SAP-.
3.4.2.4
, , :
SNC- SNC- SAP- ,
, RSUSR402.
, RSSNCCHK, SNC-
SAP-, SNC.
SNC- ,
SNC- . , , , SNC- ,
, .
3.5
, SAP, :
(, ALE)
, SNC-. - . -
.
3.5.1
3.5.1.1
.
USRACL ( SNC- ) SM30.
USRACLEXT ( SNC- SNC-
RFC- CPIC-) SM30.
3.5.1.2
( SNC-
), SNC0 SM30 VSNCSYSACL E.
( I).
VSNCSYSACL. SM30
VSNCSYSACL.
3.5.2
, SNC.
3.5.2.1
SAPlpd
RFC
RFC- .
3.5.2.3
CPIC
CPIC- .
3.6
SAP-
SNC, , ,
, SNC- SAP-. , SAP- SAPgui
SNC, SNC- SAPgui SNC SAP-. , SAP- SNC-,
, ( ) . , SAP-,
, , .
SAP-.
3.6.1
SNC-
SAP-, SNC,
SAP- SNC- .
/ :
SNC- SAP-. ,
SNC- .
, 4.5,
SNC- . , SNC- SAP.
4.5 (
snc/force_login_screen, 0) , SNC- SAP. SNC- ,
,
. 3.7: SAP-.
SNC, U snc/accept_insecure_gui.
SNC- :
1. SU01, .
2. SNC- SNC.
3.1.
3. SNC name SNC- .
4. Unsecure communication permitted SNC. ,
snc/accept_insecure_gui U.
3.6.2
SNC-
* , SNC, SNC-.
* ,
.
3.7
SAP-
4.5
SNC.
:
snc/force_login_screen 0.
.
snc/force_login_screen 1 X7 ,
.
667470[12].
4
SNC
SNC SAP- .
, , . ,
SAProuter-,
, .
SAP-
SAP-.
SNC .
, .
, , .
4.1
SAP Logon,
SAP Shortcuts.
SNC-, SNC,
, .
4.1.1
SAPgui (sapgui.exe)
, , SNC,
SAPgui SAP-, SAPgui SNC-
,
sapgui.exe. .
4.1.1.1
SNC_PARTNERNAME
SNC- SAP-.
SNC- SAP .
- SNC-.
.
, ".
.
4.1.1.2
SNC_LIB
.
GSS-API V2 .
-
.
.
255 ,
". .
.
SNC_MODE
SNC.
, SNC.
- SNC_PARTNERNAME , 1, 0.
.
0: SNC ; 1: SNC .
.
4.1.1.4
SNC_QOP
.
SNC-.
- 3.
.
1: ; 2:
; 3: ; 8:
-; 9: .
.
4.1.2
,
,
.
1 .
4.1.2.1
SAP Logon :
1
1. News. . . .
2. Advanced. . . . Advanced options 4.1.
3. SNC-:
(a) Enable Secure Network Communication.
(b) SNC- SNC name.
(c) SNC-.
4.1.2.2
Server. . . SNC- .
SNC , SNC- SNC name.
4.1.2.3
Groups. . . SNC- .
, SNC , SNC. ,
SNC name , SNC-
. SAP-.
4.1.3
SNC_NAME
SNC- .
SNC- .
- .
.
.
.
4.1.4
(SAP-)
4.2
SNC: RFC-
SAP-
RFC- , SAP- .
, 4.0, RFC- SNC ,
SAP- 4.0.
2
4.2.1
( )
SNC_PARTNERNAME
SNC- SAP-.
SNC- SAP-.
- SNC-.
.
.
4.2.1.2
SNC_LIB
.
GSS-API V2 .
-
.
.
.
.
4.2.1.3
SNC_MODE
SNC.
, SNC.
- .
.
0: SNC ; 1: SNC .
4.2.1.4
SNC_QOP
.
SNC-.
- 3.
.
1: ; 2:
; 3: ; 8:
-; 9: .
SNC_MYNAME
SNC- RFC-.
SNC- RFC-.
- .
.
.
4.2.2
(SAP-)
SAP- ,
SNC, RFC-, 3.2:
.
RFC- . , SNC, , SNC-. , SAP 4.0 4.5, SNC ,
.
4.2.3
3. , SAP- USRACLEXT
, *
SNC-. , SAP- . , SAP- , SNC, .
4. , SAP- USRACLEXT SNC-, * . , SAP-
. , SAP- , SNC, .
5. , SAP- USRACLEXT , * SNC-, * . , SAP- . ,
SAP- , SNC, .
6. , SAP- RFC.
4.3
SNC: CPIC-
SAP-
CPIC- , SAP- .
, 4.0, CPIC-
SNC , SAP- 4.0.
4.3.1 ( )
SNC CPIC- SAP-, SNC-
sideinfo, SAP CPIC. SNC- sideinfo.
SAP CPIC
4.9.1: CPIC.
SNC-,
CPIC- SAP-.
4.3.1.1
SNC_PARTNERNAME
SNC- SAP-.
SNC- SAP-.
- SNC-.
.
255 .
4.3.1.2
SNC_LIB
.
GSS-API V2 .
-
.
.
255 .
.
4.3.1.3
SNC_MODE
SNC.
, SNC.
- .
.
0: SNC ; 1: SNC .
4.3.1.4
SNC_QOP
.
SNC-.
- 3.
.
1: ; 2:
; 3: ; 8:
-; 9: .
4.3.1.5
SNC_MYNAME
SNC- CPIC-.
SNC- CPIC-.
- .
.
255 .
4.3.1.6
GWSERV
CPIC-.
, CPIC-. , SNC,
.
- ??.
??.
.
sapgw<nn>: ; sapgw<nn>s:
.
4.3.2
(SAP-)
SAP- ,
SNC, CPIC-, 3.2: .
4.3.3
4.4
SNC: RFC-
SAP-
4.4.1
SNC- RFC-, :
SNC
SNC-
SNC- (SNC- , , , -) (.
3.2: ).
, RFC- (Activation
type = Start ) , :
,
SNC- SNC-.
, SNC-
SNC- .
SNC- RFC:
1. SM59 RFC-
Change ( 4.2).
2. SNC, SNC Activ.
3. SNC-: Destination SNC Options ( 4.3).
4. QOP .
5. ( ),
SNC- .
6. .
:
RFC- , snc/data_protection/min , snc/data_protection/max .
RFC- , , .
RFC- 8,
, snc/data_protection/use
.
RFC- 9,
, snc/data_protection/max
.
4.0A.
C: 3.1G/H 4.0A.
4.4.2
SAP- R/2
SNC- R/2 .
4.4.3
SAP- SAP-
,
SNC, SAP-.
4.4.3.1
(SAP-)
SNC-
SM59. 4.4.1: RFC- SNC SM59.
:
, SNC-
SNC names ( 4.3).
,
, .
-
SNC- SAP
SNC-.
SNC- Msg. Server ( 4.4).
4.4.3.2
(SAP-)
, SAP-
RFC- SAP-,
- ACL . SNC0
, RFC. ACL 4.5.
, :
, SNC0
( E). ( I) SNC0.
RFC- SAP- (.. RFC-
SM59 R/3 connections),
.
4.4.3.3
, SNC, RFC-
SAP-, SNC. SNCSYSACL , , RFC-
SAP-.
, ,
.
4.4.4
SAP-
RFC- ( I), .
SNCSYSACL.
.
SNC
RFC- (. 2.6: ).
SNC RFC-,
snc/r3int_rfc_secure snc/r3int_rfc_qop
SAP-. ,
RFC-.
, RFC-, SNC,
SNCSYSACL.
4.4.5
, , . , SNC- SNC .
4.4.6
TCP/IP
RFC-, RFC- , .
, RFC- TCP/IP- .
. SNC , ,
RFC-, SNC-.
SAP- ,
RFC- .
4.4.6.1
(SAP-)
SNC-
SM59. 4.4.1: RFC- SNC SM59.
4.4.6.2
( )
SNC- , . :
SNC SNC
SNC-
SM59 .
snc/gssapi_lib .
SNC- SAP- SNC-
RFC-. RFC- - ,
, .
4.4.7
TCP/IP
RFC- , , , .
RFC, TCP/IP-
, SAP- , RFC- .
4.4.7.1
(SAP-)
SNC-
SM59. 4.4.1: RFC- SNC SM59.
, RFC-, RFC- .
, SAP- ,
4.4.6: TCP/IP . SNC-, RFC-,
SNC- .
4.4.7.2
( )
SNC- , .
:
SNC SNC
SNC-
SM59 .
.
snc/gssapi_lib .
SNC- SNC- RFC- RFC RFC- .
RFC- RFC-. RFC-
.
4.4.7.3
, SNC, 3.3:
.
:
, SNC ( snc/enable 1), ( snc/gssapi_lib).
-, SNC.
SNC-, snc/permit_insecure_start
1.
SNC
RFC- .
3.3: .
RFC- , ,
, snc/gssapi_lib
,
.
4.4.8
TCP/IP
SAPgui
, SAPgui,
, SAP.
RFC, TCP/IP-
SAPgui, SAP- , RFC- .
4.4.8.1
(SAP-)
SNC-
SM59. 4.4.1: RFC- SNC SM59.
RFC- , SAPgui,
, SNC, , SAP- SNC.
, RFC- SNC-.
4.4.8.2
( )
SNC- , SAPgui. :
SNC SNC
SNC-
SM59 , ,
SNC- .
SAPgui (SNC_LIB).
SNC- SNC- RFC-
SAPgui4 .
4
,
, .
4.4.9
TCP/IP
. . .
4.4.9.1
(SAP-)
. . .
4.4.9.2
( )
. . .
4.4.9.3
SNC
. . .
4.4.9.4
. . .
4.4.10 SM51
SAP-
SM51,
RFC-. ,
SNC, snc/r3int_rfc_secure 1.
4.4.11
SM59
. . .
4.4.12
. . .
4.4.12.1 BACK
. . .
4.4.12.2
NONE
NONE , . SNC
, NONE SNC (. snc/r3int_rfc_secure).
4.4.13
RFCDES-
RFCDES SNC.
4.4.14
RFC-
RFC- SAP- .
RFC- ,
CALL FUNCTION ... DESTINATION IN GROUP ...
.
SNC- RFC-.
4.5
SNC: CPIC-
SAP-
. . .
4.6
SNC:
, SNC,
SAP- SAPlpd.
SAPlpd ( S), spool , SAPlpd .
4.6.1
(SAP-)
SAP-
SPAD. SPAD
.
Access method Host spool access method S. Do not query host spooler. . . 4.6.
Security Degree of security . Backup mode
SNC- . SNC-
Identity of the remote SAPlpd. . .
4.7.
4.6.2
( SAPlpd)
SNC SAPlpd
win.ini saplpd.ini5 .
[SNC].
4.6.2.1
gssapi_lib
.
GSS-API V2 .
-
.
5
. 4.6. : S.
255 .
.
. 4.7. : SNC-.
4.6.2.2
enable
SNC.
SNC.
- .
.
0: SNC ; 1: SNC .
4.6.2.3
identity/lpd
SNC- SAPlpd.
SNC- SAPlpd.
.
- .
. 2.3.2: .
4.6.3
SNC- SAPlpd
SNC- SAPlpd
SNC. :
1. Options Secured Connection.
4.8.
Do not use .
Use if possible SNC-
.
Use always ,
SNC, .
3. Quality of protection. , SAP-.
4. SAPlpd Add
new connection. 4.9.
5. Accept every authenticated connection ,
SNC- . , SNC-
Last authenticated connection initiator
Authorize.
,
saplpd.ini, win.ini
SAPlpd.
4.7
SAProuter ,
- SAP. SAProuter .
SAProuter 4.10.
4.7.1
SNC-
, SNC- SAProuter
:
1. SNC_LIB,
.
2. SAProuter -K <SNC->,
<SNC-> SNC SAProuter.
4.7.2
SNC:
1. KT- , SAProuter SAProuter,
SNC.
2. KP-, KD- KS- , , SNC, .
P-, D- S-, .
4.7.2.1
KT-
, SAProuter , SNC,
KT-, :
KT <SNC- > < > < >
:
<SNC- > SNC- .
< > IP- .
< >
.
* SNC-
.
, , KT-
P-, D-, S-.
4.7.2.2
SNC- P-,
D-, S-, KP-, KD-, KS- .
, , IP- SNC-. ,
:
K<D/P/S> "<SNC- >" < >
< > <>
SAProuter (KP-, KS-) (KD-) , .
4.7.3
4.7.4
SNC
, SNC,
SAProuter. host1,
host2. , SAP- mysapcom 00.
SNC- :
p:CN=sr1, OU=IT, O=HOME, C=RU
SNC- :
p:CN=sr2, OU=IT, O=HOME, C=RU
:
# SNC host2
KT "p:CN=sr1, OU=IT, O=HOME, C=RU" host2 *
#
P * * *
:
# sr1
#
mysapcom sapdp00
KP "p:CN=sr1, OU=IT, O=HOME, C=RU" mysapcom sapdp00
# sr1
#
mysapcom sapgw00
KP "p:CN=sr1, OU=IT, O=HOME, C=RU" mysapcom sapgw00
:
saprouter -r -K "p:CN=sr1, OU=IT, O=HOME, C=RU"
:
saprouter -r -K "p:CN=sr2, OU=IT, O=HOME, C=RU"
4.8
4.5B SNC-
SAP ITS (WGate AGate) SAP.
, SNC, 4.11.
4.8.1
(ITS WGate)
HKLM\SOFTWARE\SAP\its\2.0\< ITS>\Programs\Connects
HKLM\SOFTWARE\SAP\its\2.0\< ITS>\Programs\WGate\environment
< ITS> WGate.
SNC_LIB ,
.
SAP ITS 4.6D WGate wgate.conf.
4.8.1.1
SNC_LIB
.
GSS-API V2 .
255 .
.
.
4.8.1.2
Type
.
WGate AGate. , SNC, 2
(NI-SNC).
0: Sockets; 1: SAP NI; 2: SAP NI-SNC.
, wgate.conf.
4.8.1.3
SncNameAGate
SNC- AGate.
SNC- AGate.
.
, wgate.conf.
4.8.1.4
SncNameWGate
SNC- WGate.
SNC- WGate.
.
, wgate.conf.
4.8.2
(ITS AGate)
, WGate AGate
SNC, SNC-, ITS Manager. AGate.trc
Mmanager.trc.
, SNC_LIB, Win32-. :
HKLM\SOFTWARE\SAP\its\2.0\< ITS>\Programs\Connects
HKLM\SOFTWARE\SAP\its\2.0\< ITS>\Programs\AGate\environment
< ITS> AGate.
SNC_LIB ,
.
4.8.2.1
SNC_LIB
.
GSS-API V2 .
255 .
.
.
Type
.
WGate AGate. , SNC, 2
(NI-SNC).
0: Sockets; 1: SAP NI; 2: SAP NI-SNC.
.
4.8.2.3
SncNameAGate
SNC- AGate.
SNC- AGate.
.
.
4.8.2.4
SncNameWGate
SNC- WGate.
SNC- WGate.
.
.
4.8.3
(ITS AGate)
, AGate
SNC, SNC- AGate.
global.srvc - (Internet Application Component, IAC).
.
4.8.3.1
sncNameAGate
SNC- AGate.
SNC- AGate.
. ,
SNC-, WGate ( SncNameAGate).
.
IAC.
4.8.3.2
sncNameR3
.
SAP-. SNC
AGate .
.
IAC.
4.8.3.3
sncQoPR3
SNC-.
SNC-
AGate SAP-.
1: ; 2:
; 3: ; 9:
, snc/data_protection/max
.
IAC.
4.8.4
(SAP-)
4.9
4.9.1
CPIC
. . .
4.9.2
RFC
SNC- RFC-
saprfc.ini . RFC-
SNC ( 4.4.6, 4.4.7, 4.4.8, 4.4.9).
SNC- RFC-: RfcOpenEx.
4.1 RFC-, SNC.
RfcOpenEx
RFC-
RfcSncMode
SNC
RfcSncPartnerName
SNC-
RfcSncPartnerAclKey
SNC-
RfcSncNameToAclKey
SNC-
RfcSncAclKeyToName
SNC-
A
SNC-
,
SNC.
USRACL
SNC-,
SAP-. ,
SNC ( SAPgui CPIC RFC-).
USRACLEXT
SNC-,
SAP-. (CPIC- RFC-). ,
SNC CPIC- RFC-.
SNCSYSACL
SNC-
, SNC, .
A.1. , .
RFCDES
RFC-,
SNC .
RFCDESSECU
SNC- RFC-.
TXCOM
CPIC-,
SNC .
TXCOMSECU
SNC- CPIC-.
A.2. , .
B
SNC-
SNC-,
SAP-.
RSSNCCHK
SNC-
RSSNC40A
RSSNCSRV
SNC-
RSUSR300
SNC-
RSUSR402
B.1. SNC-.
C
3.1G/H
4.0A
3.1G/H 4.0A .
.
C.1
snc/data_protection/max
snc/data_protection/max .
, SNCERR_OVERSECURE
.
C.2
snc/data_protection/min,
snc/data_protection/use snc/data_protection/max 2.
1, 2. 1 ,
.
[1] SAP ICC , , BC-SNC.
http://www.sap.com/partners/icc/
http://www.sap.com/partners/icc/scenarios/technology/bc-snc.asp
[2] SAP: Printing Guide
SAP R/3 4.6C: Basis Components Computing Center Management
System SAP Printing Guide
[3] SAP: SAProuter
SAP R/3 4.6C: Basis Components Client/Server Technology
SAProuter
[4] SAP: Internet Transaction Server
SAP R/3 4.6C: Basis Components Frontend Services ITS /
SAP@Web Studio
[5] SAP: RFC API
SAP R/3 4.6C: Basis Components Communication Interfaces
Remote Communications
[6] 66687: Use of network security products.
[7] 149646: During maintenance with RZ10 SNC profile parameter
warning.
[8] 184277: Length Limitation of SNC-Names.