Procedure For SNC Setup

Procedure for SNC Setup
Procedure for SNC Setup

The following steps describe the procedure of setting up the SNC in the SAP system and the
SAP Adapter.
1. Download the SAP Cryptographic Library
2. Install the SAP Cryptographic Library
3. Set the Trust Manager Profile Parameters
4. Create the Personal Security Environment (PSE)
5. Setup SNC Profile Parameters for SAP
6. Installing the PSE
7. Install the SAP Cryptographic Library on the Adapter
8. Setup the SNC Parameter Specific to an Inbound Scenario
9. Setup SNC Parameters Specific to Outbound Scenarios

Download the SAP Cryptographic Library
Download the SAP Cryptographic Library from SAP Service Market Place from:
https://websmp101.sap-
ag.de/~form/handler?_APP=00200682500000000917&_EVENT=DISPLAY
The following libraries are required:
Microsoft Windows
sapcrypto.dll
sapgenpse.exe
ticket
UNIX
libsapcrypto.so ( or sl )
sapgenpse
ticket
Install the SAP Cryptographic Library
Follow these steps to install the SAP Cryptographic libraries:
1. Extract the contents of the SAP Cryptographic Library installation package.
2.
Copy the library file and the configuration tool sapgenpse.exe to the directory specified by the
application server's profile parameter DIR_EXECUTABLE.
In the following example, this directory is represented by the notation $(DIR_EXECUTABLE).
UNIX:
DIR_EXECUTABLE: /usr/sap/<SID>/<INSTANCE>/exe/
Location of SAP Cryptographic Library:
/usr/sap/<SID>/<INSTANCE>/exe/libsapcrypto.so
Microsoft Windows:
DIR_EXECUTABLE: <DRIVE>:\usr\sap\<SID>\<INSTANCE>\exe
Location of SAP Cryptographic Library: C:\usr\sap\BAM\DVEBMGS00\exe\sapcrypto.dll
3.
Check the file permissions for the SAP Cryptographic Library. For example, if you copied the
library using ftp on UNIX, platforms the file permissions may not be set correctly. Make sure

that <sid>adm (or SAPService<SID>under Microsoft Windows) has the permissions required
to execute the library functions.
4. Copy the ticket file to the sub-directory SEC in the instance directory $(DIR_INSTANCE).
UNIX:
DIR_INSTANCE: /usr/sap/<SID>/<instance>
Location of the ticket: usr\sap\BAM\DVEBMGS00\sec
Microsoft Windows:
DIR_INSTANCE: <DRIVE>:\usr\sap\<SID>\<instance>
Location of the ticket: <DRIVE>:\usr\sap\<SID>\<instance>\sec\ticket
5.
Set the environment variable SECUDIR. The application server uses this variable to locate the
ticket and its credentials at run-time.
SECUDIR=D:\usr\sap\BAM\DVEBMGS00\sec
If you set the environment variable using the command line the value may not be applied to the
server's processes. Therefore, we recommend setting SECUDIR in the startup profile for the
server's user or in the registry (Microsoft Windows).
The SAP Cryptographic Library is installed on the application server and the environment is set
up so that the library can be located by the server at runtime.
Set the Trust Manager Profile Parameters
Follow these steps to set the profile parameters, using transaction RZ10, so that the trust manager
can access the SAP Cryptographic Library:
1.
Set the profile parameters on each SAP Web AS ABAP instance. The following table provides
the profile parameters and sample values.
Table 10 Trust Manager Profile Parameters
Profile
Parameters
Value
sec/libsapsecu Path and file name of the SAP Cryptographic
Library
ssf/ssfapi_lib Path and file name of the SAP Cryptographic
Library
ssf/name SAPSECULIB
sec/libsapsecu = D:\usr\sap\BAM\DVEBMGS00\exe\sapcrypto.dll
ssf/ssfapi_lib = D:\usr\sap\BAM\DVEBMGS00\exe\sapcrypto.dll
ssf/name = SAPSECULIB
Where sec/libsapsecu is the path and file name of the SAP Cryptographic Library, and
ssf/ssfapi_lib is the path and file name of the SAP Cryptographic Library.
For more information on these profile parameters refer to the SAP documentation.
2. Restart the application server.
The SNC PSE can now be maintained using the trust manager.
Create the Personal Security Environment (PSE)
Before creating the PSE make sure you have:
installed the SAP Cryptographic Library on the application server.
If the SAP Cryptographic Library is not installed, then the trust manager does not display the
node for the SNC PSE.
set the environment variable SECUDIR to point to the location where the PSE is stored.

the naming convention you use for the Distinguished Name matches the Distinguished Name
part of the server's SNC name that you define in the profile parameter snc/identity/as. If this
profile parameter is not yet set, then you can still specify the server's Distinguished Name, but
you receive a warning that you have to maintain the profile parameter.
Additionally, the server's Distinguished Name for SNC must be unique. It cannot also be used in
a different PSE.
Follow these steps to create the PSE that the server will use for SNC. If you are using a single
PSE for all server components and you have already created the PSE on a different server, then
see Importing the SNC PSE
Using the trust manager (transaction STRUST):
1. Select the SNC PSE node.
2. Using the context menu, choose Create (if no PSE exists) or Replace.
3. The <Create/Replace> PSE dialog appears.
If the server's SNC name is defined in the profile parameter snc/identity/as, then the system
automatically determines the Distinguished Name accordingly. Otherwise, enter the
Distinguished Name parts in the corresponding fields, for example:
Name = <SID>
Org. (opt.) = Test
Comp./Org. = MyCompany
Country = US
If you want to use a reference to a CA name space, then the elements contained in the CA field
are automatically used for the server's Distinguished Name. In addition, you cannot modify the
Country field. Use the toggle function to activate or deactivate the reference to a CA name space.
In addition, the application server's Distinguished Name to use for SNC must be unique. You
cannot specify a Distinguished Name that the server uses in a different PSE, for example, the
system PSE.
4. Choose Enter.
You return to the Trust Manager screen.
5. For SNC you must assign a password to the PSE. Choose Assign password.
The PSE dialog appears.
6. Enter a password for the PSE and choose Enter.
You return to the Trust Manager screen.
The SNC PSE is created and distributed to the individual application servers. The system
protects the PSE with a password and creates credentials for the server to access the PSE at run-
time.

Setup SNC Profile Parameters for SAP
This section describes how to set the SNC-relevant profile parameters. The RZ10 Transaction
code is used to set the following parameters in the instance profile.
Setting the profile parameter snc/enable to 1 activates SNC on the application server. If this
parameter is set but the SNC PSE and credentials do not exist, then the application server will
not start. Therefore, setting the SNC parameters should be the last step in the configuration
procedure.
Make sure the SNC PSE and the corresponding credentials exist for the application server.
1.
Set the following profile parameters on the application server so that the server can
communicate using SNC.
The important parameters are listed below. For a complete list, see the SNC User's Guide.
Table 11 SNC Profile Parameters
Profile Parameters Value
snc/enable 1
snc/gssapi_lib The path and file name where the SAP Cryptographic
Library is located
snc/identity/as Application server's SNC name in the format:
p:<Distinguished_Name>
The Distinguished Name part must match the
Distinguished Name that you specify when creating the
SNC PSE.
snc/data_protection/max 1: Authentication only
2: Integrity protection
3: Privacy protection
snc/data_protection/min 1: Authentication only
snc/data_protection/use 1: Authentication only
9: Use the value from snc/data_protection/max
snc/accept_insecure_cpic 0: do not accept
1: accept
snc/accept_insecure_gui 0: do not accept
1: accept
snc/accept_insecure_r3int_rfc 0: do not accept
1: accept
snc/accept_insecure_rfc 0: do not accept
1: accept
For example:
snc/identity/as = p:CN=BAM, OU=ENGG, O=TIBCO, C=US
snc/gssapi_lib = D:\usr\sap\BAM\DVEBMGS00\exe\sapcrypto.dll
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/data_protection/use = 3
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/enable = 1
snc/permit_insecure_start = 1
3. Save and activate the profile.
The application server is now ready to use SNC.
Install the SAP Cryptographic Library on the Adapter
1. Extract the SAP Cryptographic Library.
2.
Copy the SAP Cryptographic Library file to any folder. Make sure you add the path to this
folder to the SNC_LIB parameter of the saprfc.ini file.
3. Create the SEC directory and copy the ticket file to this directory.
This is the same ticket file obtained in step 4 in Install the SAP Cryptographic Library.
4. Set the SECUDIR environment variable to point to the sec directory created in step 3
This parameter is set for the user that executes the adapter process. If deploying and running the
adapter using TIBCO Administrator, make sure the SECUDIR variable is set and is available for
the adapter process.
On Microsoft Windows platforms, the SECUDIR variable is set in the adr3u.tra (for Unicode
adapter) or adr3.tra (for non-Unicode adapters) files.
On UNIX platforms, the SECUDIR variable is set in the adr3u_env.sh (for Unicode adapter) or
adr3_env.sh (for non-Unicode adapters) files.
If using the adapter tester, the SECUDIR variable is set in the adr3u.tra (for Unicode adapter) or
adr3.tra (for non-Unicode adapters).
The SAP Cryptographic Library is now installed.
Installing the PSE
Follow these steps to create the PSE that the adapter will use for SNC
Using a Single PSE for All Components
In this scenario you create a single PSE for all components.
1. Create the PSE on a single component, for example, the AGate and copy it to the other servers.
2. Copying a Single PSE to all Server Components
3. Copy PSE into SEC directory
4.
Create Credential on client (the SAP Adapter) cred_v2 file using the following command and
copy cred_v2 into the SEC directory:
sapgenpse seclogin -p SAPSNCS.PSE -O username
Using Individual PSE for All Components
In this scenario you create an individual PSE for each component. To establish the necessary
trust relationships between these components, you must exchange the corresponding public-key
certificates. For each of the servers, export the server's public-key certificate and import it into its
partners' PSEs. See the graphic below:
Using Individual PSEs and Exchanging Public-Key Certificates
To Create PSE for the Client
1. Create a directory on your system to store the PSE.
2.
Copy the ticket license file and the SAP Certified Client Cryptographic library (ex. SECUDIR)
to the directory you just created.
Make sure you set the SECUDIR environment variable to this directory, copy the library to a
different directory, and add this path to your PATH environment variable.
3. Execute the following command to generate the PSE
The client PSE is named as RFC.pse. From the command line, you can specify the distinguished
name. For example: "CN=RFC, OU=IT, O=CSW, C=DE"
> sapgenpse gen_pse -v -p RFC.pse
Got absolute PSE path "<your path>/RFC.pse".
Please enter PIN: ********
Please reenter PIN: ********
get_pse: Distinguished name of PSE owner: CN=RFC, OU=IT, O=CSW, C=DE
Supplied distinguished name: "CN=RFC, OU=IT, O=CSW, C=DE"
Generating key (RSA, 1024-bits) ... succeeded.
certificate creation... ok
PSE update... ok
PKRoot... ok
Generating certificate request... ok.
PKCS#10 certificate request for "<your path>/RFC.pse"
4. Execute the following command to export the Client Certificate of the newly created PSE.
The exported certificate is named as RFC.crt.
> sapgenpse export_own_cert -v -p RFC.pse -o RFC.crt
Opening PSE your path>/RFC.pse"...
No SSO credentials found for this PSE.
PSE open ok.
Retrieving my certificate... ok.
writing to file ...... ok
5.
Import the Client Certificate to Server PSE via the
transaction STRUST.
a. Open the Node SNC (SAPCryptolib) again
b. Enter the SAPCryptolib password.
c.
Click on the Import certificate button.

d.
Set the file format to Base64 and choose the file.

e. Click Add to Certificate List.
6.
Export the Server Certificate via the transaction
STRUST.
a. At node SNC (SAPCryptolib), double click on your own certificate so it displays in
the Certificate field.
b. Click on Export certificate.
c.
From the File tab, choose Base64 for the File format and provide a name for the file.

7. Import the Server Certificate to the Client PSE
On the command line run:
> sapgenpse maintain_pk -v -a SNC.crt -p RFC.pse
Opening PSE your path>/RFC.pse"...
No SSO credentials found for this PSE.
PSE open ok.
Adding new certificate from file "SNC.crt"
---------------------------------------------------------------
Subject : CN=IDS, OU=IT, O=CSW, C=DE
Issuer : CN=IDS, OU=IT, O=CSW, C=DE
Serialno: 00
KeyInfo : RSA, 2048-bit
Validity - NotBefore: Wed Mar 6 21:37:32 2008 (060927193732Z)
NotAfter: Fri Jan 1 01:00:01 2038 (380101000001Z)
---------------------------------------------------------------
PKList updated (1 entries total, 1 newly added)
8. Create the cred_v2 file.
After setting up the client PSE you must create a file called cred_v2 which is used to securely
give the RFC Program access to the PSE without providing the password for the PSE.
On the command line run:
> sapgenpse seclogin -p RFC.pse -O root running seclogin with USER="root"
creatingcredentials for yourself (USER="root")...
Added SSO-credentials for PSE "<your path>/RFC.pse"
"CN=RFC, OU=IT, O=CSW, C=DE"
When you generate the cred_v2 file, the seclogin must be carried out under the account of the
<sid>adm.
9. Allow SNC RFC Connection.
Map the x.509 certificates that were created for the user accounts on the SAP Server.
a. Start Transaction SM30 and enter the view VSNCSYSACL.
This view is used to restrict the SNC RFC Connections by an Access Control List (ACL). You
will see an alert window pop-up, just click on the "right" symbol.

b.
Choose E for the Type of ACL entry.

c. Enter System ID and SNC name.

Do not forget the p: in front of the DN.
d. Check the boxes according to the following figure.

e. Save the entry.

When trying to edit the entry, you may see an alert window pop-up. Click on
the right symbol and make your changes.
Setup the SNC Parameter Specific to an Inbound Scenario
For the communication path from an external program to an AS ABAP when using RFC, the
external program is the initiator of the communication and the AS ABAP is the acceptor. One
example of such a connection is the connection from an AS Java to an AS ABAP server. In this
case, the AS Java uses the Java Connector (JCo) to establish the connection.
Initiator (External Program)
To apply SNC protection to external programs that communicate with an AS ABAP using RFC,
you need to specify the SNC options in either the saprfc.ini file or over the program interface in
rfclib. This section describes how to specify the information in the saprfc.ini file.
The program may have a user interface for maintaining the parameters. See the documentation
for the program for details. For example, on the AS Java you make the settings according to the
application that establishes the connection. The application may also have its own user interface,
or it may use the Destination or RFC Adapter service.
Before setting the SNC parameters make sure:

You want to apply SNC protection to the communications between the RFC external program
and the AS ABAP.
The external program uses the saprfc.ini file.
Procedure
Use the following table to set the SNC parameters in saprfc.ini:
Table 12 SNC Parameters for saprfc.ini
Parameter Description Required?
Valid
values
Default Value
SNC_PARTNERNAME The SNC name of
the communication
partner (application
server)
Y string none
SNC_LIB The path and file
name of the gssapi
library
Y string none
SNC_MODE The SNC activation
indicator
Y 0,1
0 = SNC
disabled
1= SNC
activated
none
SNC_QOP Quality of protection
(protection level)
N 1,2,3,8,9 3
SNC_MYNAME The SNC name of
the user sending the
RFC.
N string The name
provided by
the security
product for the
logged-on
user.

Sample saprfc.ini file
DEST=SNCINBOUND
TYPE=A
ASHOST=adsap
SYSNR=00
SNC_MODE=1
SNC_PARTNERNAME=p:CN=BAM, OU=ENGG, O=myCompany, C=US
SNC_LIB=C:\SAPUsr\Dev\Ongoing\SNC\sapcrypto.dll
SNC_QOP=9
SNC_MYNAME=p:CN=RFC, OU=ENGG, O=TIBCO, C=US
This example sets up the application server adsap as the RFC destination. The server's SNC
name is p:CN=BAM, OU=ENGG, O=myCompany, C=US and the SNC library is located at
C:\SAPUsr\Dev\Ongoing\SNC\sapcrypto.dll.
Acceptor (AS ABAP)
Follow steps described in the SAP documentation to configure the acceptor (the AS ABAP) for
using SNC, set the profile parameters on the application server.
The value contained in the parameter snc/accept_insecure_rfc determines whether or not to
accept unprotected RFC connections. You can define this parameter to deny all insecure RFCs,
accept all insecure RFCs, or accept insecure RFCs for specific users only (based on the Insecure
communications permitted indicator in the table USRACL).
User Authentication in the SAP System
As with RFC calls without SNC protection, you need to specify a user and a client in the RFC
program when connecting to the SAP system. Note the following details about the authentication
procedure when using SNC:
If the SNC name from the RFC program corresponds to the SNC name in the specified user's
master record in the designated client, then the SAP system accepts the RFC logon request
(without performing additional authentication).

Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the
client, user, and SNC name combination. If a matching entry is found, then the SAP system
accepts the logon request (without performing additional authentication).

client, user, and an asterisk (*) as the SNC name. If a matching entry is found, then the system
verifies the user's password. If the password is valid, then the SAP system accepts the logon as
a secure logon.

client, an asterisk as the user ID, and the RFC program's SNC name. If a matching entry is
found, then the system verifies the user's password. If the password is valid, then the SAP
system accepts the logon as a secure logon.

client, an asterisk as the user ID, and an asterisk as the SNC name. If a matching entry is found,
then the system verifies the user's password. If the password is valid, then the SAP system
accepts the logon as a secure logon.
Otherwise, the SAP system denies the logon request.
When Establishing the RFC connection
The RFC connection is established over a gateway port. For SNC-protected connection requests,
the RFC library normally uses the secure gateway port, which accepts only SNC-protected
connections. However, if both SNC and load-balancing are used, the RFC libraries also use the
conventional gateway port for SNC-protected connections.
Creating the Access Control List Entries on the Application Server
Access control lists have to be created before configuring SNC between the application server
and the AGate component. Make sure you have the ANC name for the AGate before proceeding.
To maintain the SNC system access control list:
1. Use table SNCSYSACL, view VSNCSYSACL, type=E.
See Figure 13, Figure 14, and Figure 15 for reference.
Figure 13 Map the SNC Name to the User

Figure 14 Maintain ACL SM30

Figure 15 Work Entry Type

2. Enter the AGate's SNC name in the SNC name field. The System ID field is optional.
3. Check the checkboxes for:
Entry for RFC activated
Entry for CPIC activated
Entry for DIAG activated (if you use the webgui service)
Entry for certificates activated (if users log on with X.509 client certificates)

Entry for external ID (if users log on using an external identity, for example, when using
Pluggable Authentication Services)
Figure 16 Details for the Access Control List

4. Save the data.
Setup SNC Parameters Specific to Outbound Scenarios

RFC: TCP/IP Connection - Registered Program
For an RFC call that uses a TCP/IP connection to call a registered program, the SAP System is
the initiator of the communication and the registered program is the acceptor. In order to use
ISNC protection, a registered program must be linked with an rfclib of at least Release 4.5A. It
can, however, communicate with a SAP System Release 4.0A/B via a 4.0A/B gateway.
Initiator (SAP System)
Use transaction SM59 to maintain RFC destinations and their SNC options.
The following description is only applicable as of Release 4.0.
When maintaining the SNC options for RFC destinations using transaction SM59, you specify
the following SNC information:
SNC mode for the connection (active or inactive)
Quality of protection (QoP)
SNC partner name
The other settings relevant to SNC (the application server's SNC name, the location of the
external library, the maximum quality of protection, and the default quality of protection) are
applied as defined in the application server's instance profile.
If the RFC destination is an external RFC server program (Activation type = Start), then note the
following:

If you specify the external server program to start on an explicit host, then you need to specify
the SNC name of the partner host in the SNC options to use SNC for the connection.

If you specify the external server program to start on the application server or on the front end
workstation, then the SNC name of the partner is automatically derived from an existing secure
path and you do not need to specify the SNC name of the partner in the SNC options. (In this
case, the field for the SNC name is not activated.)
Configuring the Communication Partners for Use with SNC
Before configuring the communication parameters make sure the RFC destination is defined and
the SNC activated on the application server.
From the Display and maintain RFC destinations screen (transaction SM59):
1. Place the cursor on the destination application server and choose Change.
2. To enable SNC, select the SNC Activ indicator.
3. Choose Destination SNC Options.
The Change View "SNC extension: Details" screen appears.
4. Enter the quality of protection in the QOP field.
5.
Unless the destination is an external program that starts on the front end workstation (see the
note above), enter the SNC name of the communication partner in the SNC names group.
6. Save the data.
Quality of Protection (QoP)
The following rules apply to the relationship between the QoP specified when configuring the
communication partners and the QoP configured in the application server's profile parameter:

The RFC destination's QoP can be smaller than the application server's snc/data_protection/min
or larger than the application server's snc/data_protection/max.

If the RFC destination's QoP is larger than the level provided by the external security product,
then the largest possible QoP is used.

If the RFC destination's QoP = 8 (default), then the QoP value from the application server's
snc/data_protection/use is used.
If the RFC destination's QoP = 9 (maximum), then the QoP value from the application server's
snc/data_protection/max is used.
For any modifications to these rules refer to the SAP documentation.
Acceptor (registered program)
To apply SNC protection to registered programs that communicate with SAP Systems using
RFC, you need to specify the SNC options in either the saprfc.ini file or use the program
interface inrfclib. This section describes how to specify the information in saprfc.ini. For more
information about using rfclib, see the SAP documentation.
Make sure you provide or install accepting credentials for the RFC server program. The
procedure for installing credentials depends on the security product that you use.
Set the SNC parameters in saprfc.ini using values shown in Table 13:
Table 13 SNC Parameters for RFC
Parameter Description Required?
Valid
values
Default
Value
SNC_LIB Path and file name
of the gssapi library
Y String None
SNC_MODE SNC

Activation
indicator
Y 0, 1
0=SNC
disabled
1=SNC
activated
None
SNC_QOPOptional

Quality of protection
(protection level)
N 1,2,3,8,9
3

SNC_MYNAME Name of the RFC server
program
You can use the parameter
SNC_MYNAME to locally
define the name that
corresponds to the
credentials for the RFC
server program. If you do,
then make sure that this
SNC name corresponds to
the SNC name as defined
in the SNC options (SNC
partner name) for the RFC
destination for this server
program. If you do not
locally define
SNC_MYNAME, then the
registered program uses the
SNC name defined in the
N String The SNC
name
contained in
the RFC
destination's
SNC options.
RFC destination.
Sample destination in the saprfc.ini file:
DEST=SNCOUTBOUND
TYPE=R
PROGID=sapusrpid
GWHOST=adsap
GWSERV=sapgw00
SNC_MODE=1
SNC_MYNAME=p:CN=BAM, OU=ENGG, O=TIBCO, C=US
Using SNC with Registered Programs
You can only enter one SNC partner name when you enter the SNC options for RFC
destinations.
If more than one program has the same registered program ID, they must also use the same
credentials. This is generally not a problem if the programs are started on the same computer.
However, starting registered programs on different computers is possible only if the same
credentials can be used on the different computers. This largely depends on the security product
used.

SNC INI File Example for the Adapter
Setup the following connection parameters in the SAP INI File
INBOUND Connection INI File Example
DEST=SNCINBOUND
TYPE=A
ASHOST=adsap
SYSNR=00
SNC_MODE=1
SNC_PARTNERNAME=p:CN=BAM, OU=ENGG, O=myCompany, C=US
SNC_LIB=C:\Adapter\Dev\Ongoing\SNC\sapcrypto.dll
SNC_QOP=9
SNC_MYNAME=p:CN=BAM, OU=ENGG, O=TIBCO, C=US
OUTBOUND Connection INI File Example
DEST=SNCOUTBOUND
TYPE=R
PROGID=adapterpid
GWHOST=adsap
GWSERV=sapgw00
SNC_MODE=1
SNC_MYNAME=p:CN=BAM, OU=ENGG, O=myCompany, C=US
Transaction Codes
The following Transaction codes are used for the SNC Setup:
STRUST
RZ10
SU01
SM59
SM30

Procedure For SNC Setup

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Procedure For SNC Setup

Uploaded by

Copyright:

Available Formats

Procedure for SNC Setup

Procedure for SNC Setup

You might also like