SNC Connection to an SAP System
You can use Secure Network Communications (SNC) to secure RFC connections between an on-site Redwood Server and SAP instances.
To make use of SNC, you must configure your target SAP system to use SNC. For more information, see Initializing SNC in an SAP System.
Note: For SaaS instances, you do not have direct access to the operating system, so you need the SAP SNC Connector to configure SNC connections.
Note: If you want to configure SNC for a Platform Agent, see Securing Connections with Secure Network Connections (SNC).
Prerequisites
To configure an SNC connection to an SAP system, you need the following:

- The SAP Crypto library for your platform. To locate this, search for `SAPCRYPTOLIB` under Downloads in the SAP Launchpad.
- The SAP CAR program for your platform, to extract the SAP Crypto library. To locate this, search for `SAPCAR` on the SAP Launchpad.
- The SNC certificate for the target SAP system. For more information, see Extracting an SAP System's SNC Certificate.
Configuring RunMyJobs for SNC
To configure RunMyJobs for SNC:
1. Unpack the SAP Crypto SAR file using `sapcar`. For example: `sapcar -xvf SAPCRYPTOLIBP_8540-20011697.SAR`
2. Copy the SAP Cryptographic library (`sapcrypto.dll` for Windows, or `libsapcrypto.so` for UNIX) to the desired location (for example, `C:\Program Files (x86)\Redwood\local\saplibs` for Windows or `/opt/redwood/local/saplibs` for UNIX).
3. Set the following environment variables. For more information, see Setting Environment Variables and JVM Properties.
   - Set `SNC_LIB` (or `SNC_LIB_64` for Windows with a 64-bit JVM) to the full path of the library file (for example, `C:\Program Files (x86)\Redwood\local\saplibs\sapcrypto.dll` for Windows, or `/opt/redwood/agent/local/sapcrypto.so` for UNIX).
   - Set `SECUDIR` to the directory that will contain the `PSE` and `cred_v2` files (for example, `C:\Program Files (x86)\Redwood\local\sapsec` for Windows or `/opt/redwood/agent/sapsec` for UNIX).
4. Execute the following commands using the values listed below. The following examples are for Windows.
   - Create the PSE file: `sapgenpse %_FIPS% gen_pse -v %_ALG% %_LPS% -x %_PASS% -p %_PSE% %_DN%`
   - For each target SAP system, execute: `sapgenpse %_FIPS% maintain_pk -v -x %_PASS% -a <Target SAP certificate>.crt -p %_PSE%`
   - Export your own SNC certificate: `sapgenpse %_FIPS% export_own_cert -v -x %_PASS% -p %_PSE% -o %_CRT%`
   - Create the logon (`cred_v2` file) for the PSE: `sapgenpse %_FIPS% seclogin -v %_LPS% -x %_PASS% -p %_PSE% -O <OS User>`
   - Make sure the user under which RunMyJobs runs can read the following directories and their contents: `SNC_LIB` and `SECUDIR`.
5. Restart the RunMyJobs server.
Values
- `_PASS=<password>`: The password of the PSE.
- `_FIPS=-fips on`: Leave this empty if FIPS is not to be used.
- `_LPS=-lps`: Leave this empty if no LPS is to be used.
- `_ALG= -a RSA:2048:SHA256`: The encryption algorithm to use.
- `_PSE=RunMyJobs.pse`: The name of the PSE to create.
- `_CRT=RunMyJobs.crt`: The certificate that needs to be installed in the target SAP system(s). For more information, see Preparing an SAP System for RunMyJobs SNC Connection.
- `_DN="CN=RunMyJobs, OU=Example, O=Redwood, C=NL"`: The distinguished name (DN) to be used for RunMyJobs.
- `<OS User>`: The user that runs RunMyJobs (`SYSTEM` for Windows using a local system user).
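The Windows command set above, carried over to a UNIX host as an added Python example (not Redwood's own code): it renders the four `sapgenpse` steps from the same values, omits the `-fips on` and `-lps` flags when they are left empty, and then checks that `SECUDIR` holds the PSE and `cred_v2` files with permissions that keep `cred_v2` private to the RunMyJobs OS user. The `redwood` user, the password and the target certificate name are assumed placeholders.

```python
"""Added example (not Redwood's own code): UNIX sapgenpse steps plus a SECUDIR audit."""
import os
import shlex
import stat
import subprocess
import sys
from pathlib import Path

# Assumed placeholders, except the PSE/CRT names and the DN, which are the page's.
VALUES = {"PASS": "<password>", "FIPS": False, "LPS": False,
          "ALG": "RSA:2048:SHA256", "PSE": "RunMyJobs.pse", "CRT": "RunMyJobs.crt",
          "DN": "CN=RunMyJobs, OU=Example, O=Redwood, C=NL", "OS_USER": "redwood"}

def sapgenpse_steps(v, target_certs):
    """Return argv lists for the four steps, one maintain_pk per target SAP
    certificate. Disabled _FIPS/_LPS simply omit the flags ('leave empty')."""
    fips = ["-fips", "on"] if v["FIPS"] else []
    lps = ["-lps"] if v["LPS"] else []
    pw = ["-x", v["PASS"]]  # -x exposes the password in the process list
    steps = [["sapgenpse", *fips, "gen_pse", "-v", "-a", v["ALG"], *lps,
              *pw, "-p", v["PSE"], v["DN"]]]
    for crt in target_certs:  # trust each target system's exported SNC cert
        steps.append(["sapgenpse", *fips, "maintain_pk", "-v", *pw, "-a", crt,
                      "-p", v["PSE"]])
    steps.append(["sapgenpse", *fips, "export_own_cert", "-v", *pw,
                  "-p", v["PSE"], "-o", v["CRT"]])
    steps.append(["sapgenpse", *fips, "seclogin", "-v", *lps, *pw,
                  "-p", v["PSE"], "-O", v["OS_USER"]])
    return steps

def audit_secudir(secudir, pse_name):
    """Return findings: missing PSE, missing cred_v2, or a cred_v2 that group
    or others can read (it unlocks the PSE without the password)."""
    d = Path(secudir)
    findings = []
    if not (d / pse_name).is_file():
        findings.append(f"missing PSE {pse_name}")
    cred = d / "cred_v2"
    if not cred.is_file():
        findings.append("missing cred_v2 (run seclogin)")
    elif cred.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("cred_v2 is readable by group or others")
    return findings

if __name__ == "__main__":
    run = "--run" in sys.argv  # without --run, only print the commands
    for argv in sapgenpse_steps(VALUES, ["<Target SAP certificate>.crt"]):
        subprocess.run(argv, check=True) if run else print(shlex.join(argv))
    print(audit_secudir(os.environ.get("SECUDIR", "."), VALUES["PSE"]))
```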
Extracting an SAP System's SNC Certificate
To extract the SNC certificate of an SAP system:
1. Start transaction `STRUST`.
2. Double-click SNC SAPCryptolib.
3. Enter the PSE password. If no password is defined, set one.
4. Double-click the owner subject. The certificate is displayed.
5. Switch to Change mode.
6. Export the certificate in Base64 format.
Preparing an SAP System for RunMyJobs SNC Connection
To prepare the SAP System for RunMyJobs SNC connection:
1. Start transaction `STRUST`.
2. Double-click SNC SAPCryptolib.
3. Enter the PSE password. If no password is defined, set one.
4. Switch to Change mode.
5. Import the RunMyJobs SNC certificate.
6. To save the changes, click Add to Certificate List.
Updating the SAP RFC Connect String
Once SNC has been enabled on the SAP system, you can update the SAP system RFC connect string with the additional parameters for SNC. If you have not enabled SNC on the SAP application server, follow the instructions in Initializing SNC in an SAP System.
1. Navigate to Configure > Admin > Manage Connectors > SAP Systems.
2. Right-click the SAP system you want to connect to via SNC and choose Edit.
3. On the SAP System tab, add the parameters below to the RFC Connect String.
4. Click Check connection and make sure the connection is successful.
5. On the XBP tab, click Check connection and make sure that connection is successful.
6. Click Save & Close.
7. Navigate to Configure > Control > Job Servers and restart the Job Server belonging to the SAP system.
Parameters
Parameter | Description | Mandatory? |
---|---|---|
`SNC_MODE=1` | Activates SNC for the connection. | Yes |
`SNC_PARTNERNAME="p[/krb5]:<name>"` or `SNC_PARTNERNAME="p[/secude]:<name>"` | Defines the target SAP system's DN (secude) or Kerberos name (krb5). | Yes |
`SNC_SSO=1` | Enables SSO (the default). | No |
`SNC_QOP=3` | Defines how secure the connection is. 1=Authentication only, 2=Integrity, 3=Privacy, 8=Default, 9=Maximum. | No |
`SNC_MYNAME="p[/krb5]:<name>"` or `SNC_MYNAME="p[/secude]:<name>"` | Defines the RFC user to be used. For more information, see Configuring an SAP User for SNC. | No |
Configuring an SAP User for SNC
In transaction `SU01`, you must configure the SNC tab, or SNC will not be activated. The following screen shot shows a user's SNC settings.

The SNC name uses the syntax `<type>[/<tech>]:<name>`, where:

- `<type>` is one of the following:
  - `p`: Printable name.
  - `s`: Service@host name.
  - `u`: User name.
- `<tech>` (optional, defaults to the active tech) is one of the following:
  - `krb5`: Kerberos name.
  - `secude`: X.500 name.
  - `sapntlm`: NTMSSP name (Windows only).
- `<name>` is one of the following:
  - Kerberos name, such as `jdoe@example.local`.
  - X.500 name, made up of attributes such as `CN=John Doe`, `OU=Administrators`, `O=Example`, or `C=DE`.
  - NTMSSP name, such as `Example\jdoe`.

Note: If the user needs to be connected to more than one PSE, then the additional DNs need to be defined in the `USRACLEXT` table. For more information, see Maintaining SNC Information for Non-Dialog Users.
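As an added Python example (not Redwood's own code), a pre-save check that applies the two rules above: the `<type>[/<tech>]:<name>` syntax of the SNC name, and the SNC_* parameters of the RFC connect string from the Parameters table. The connect string is assumed to consist of space-separated KEY=VALUE tokens with optionally quoted values, and the DN and realm shape checks for `secude` and `krb5` names are heuristics of this example, not SAP rules.

```python
"""Added example (not Redwood's own code): parse SNC names of the form
<type>[/<tech>]:<name> and validate the SNC_* parameters of an RFC connect
string before it is saved on the SAP System tab."""
import re
import shlex

TYPES = {"p": "printable", "s": "service@host", "u": "user"}
TECHS = {"krb5": "Kerberos", "secude": "X.500", "sapntlm": "NTMSSP"}
QOP = {"1": "authentication only", "2": "integrity", "3": "privacy",
       "8": "default", "9": "maximum"}

def parse_snc_name(text):
    """Return (type, tech, name); tech is None when the active tech is assumed.
    Raises ValueError for anything outside the documented syntax."""
    m = re.fullmatch(r"([a-z])(?:/([a-z0-9]+))?:(.+)", text)
    if not m or m.group(1) not in TYPES:
        raise ValueError(f"bad SNC name {text!r}: expected <type>[/<tech>]:<name>")
    typ, tech, name = m.groups()
    if tech is not None and tech not in TECHS:
        raise ValueError(f"unknown SNC tech {tech!r} in {text!r}")
    # Shape checks of this example, not SAP rules: a DN for secude, a realm for krb5.
    if tech == "secude" and not re.search(r"\bCN=", name):
        raise ValueError(f"secude name {name!r} does not look like an X.500 DN")
    if tech == "krb5" and "@" not in name:
        raise ValueError(f"krb5 name {name!r} has no realm")
    return typ, tech, name

def check_snc_params(connect_string):
    """Validate the SNC_* tokens of a connect string (assumed to be space-separated
    KEY=VALUE pairs, values possibly quoted) and return the problems found."""
    tokens = shlex.split(connect_string)
    params = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    problems = []
    if params.get("SNC_MODE") != "1":
        problems.append("SNC_MODE=1 is mandatory")
    if "SNC_PARTNERNAME" not in params:
        problems.append("SNC_PARTNERNAME is mandatory")
    for key in ("SNC_PARTNERNAME", "SNC_MYNAME"):  # MYNAME only needed with several PSEs
        if key in params:
            try:
                parse_snc_name(params[key])
            except ValueError as err:
                problems.append(f"{key}: {err}")
    if params.get("SNC_QOP", "3") not in QOP:
        problems.append(f"SNC_QOP must be one of {sorted(QOP)}")
    return problems
```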
Initializing SNC in an SAP System
To initialize SNC in an SAP system:
1. In the instance profile of the central instance (target SAP System), set these SAP parameters:

```
snc/enable = 1
snc/gssapi_lib = <DRIVE>:\%windir%\system32\sapcrypto.dll
snc/identity/as = p:<SAP_Service_User>@<DOMAIN_NAME>
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
```

2. Restart the SAP instance.
For more information about these profile parameters, see Profile Parameter Settings on the ABAP Platform.
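An added Python example (not SAP's or Redwood's code) that reads the `snc/*` lines of an instance profile and reports settings that leave the configuration above weaker than intended: SNC disabled, library or identity unset, protection levels out of order, or `accept_insecure_*`/`permit_insecure_start` flags still at 1. The sample profile fragment is constructed; its library path and identity are placeholders.

```python
"""Added example (not SAP's or Redwood's code): audit the snc/* settings of an
instance profile against the parameter list above."""

# Constructed sample profile fragment; path and identity are placeholders.
SAMPLE_PROFILE = """
snc/enable = 1
snc/gssapi_lib = D:\\Windows\\system32\\sapcrypto.dll
snc/identity/as = p:SAPServicePRD@EXAMPLE.LOCAL
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
snc/permit_insecure_start = 1
"""

def parse_profile(text):
    """Return {parameter: value} from 'key = value' lines; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def audit_snc_profile(params):
    """Return findings: SNC off, library/identity unset, protection levels out
    of order, or insecure_* flags still at 1 (a rollout aid, not an end state)."""
    findings = []
    if params.get("snc/enable") != "1":
        return ["snc/enable is not 1: SNC is off"]
    if not params.get("snc/gssapi_lib") or not params.get("snc/identity/as"):
        findings.append("snc/gssapi_lib and snc/identity/as must both be set")
    lvl = {k: int(params.get(f"snc/data_protection/{k}", 0)) for k in ("min", "use", "max")}
    if not 1 <= lvl["min"] <= lvl["use"] <= lvl["max"] <= 3:
        findings.append(f"data_protection min/use/max out of order: {lvl}")
    for key, value in sorted(params.items()):
        insecure = key.startswith("snc/accept_insecure_") or key == "snc/permit_insecure_start"
        if insecure and value == "1":
            findings.append(f"{key}=1 permits operation without SNC protection")
    return findings

if __name__ == "__main__":
    for finding in audit_snc_profile(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```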
Checklist for SNC Connections
OS level:
- Determine the OS user under which RunMyJobs is executed.
- Check the OS user's environment settings for the correct `SECUDIR`, `SNC_LIB`, and `SNC_LIB_64` environment settings by running the System_Info Job Definition.
- Make sure the SAP Crypto library can be used by running `sapgenpse support_info` or `sapgenpse cryptinfo`.
- Make sure the PSE file is accessible by running `sapgenpse show -f <pse file>`.
- Make sure SSO credentials are available by running `sapgenpse seclogin -l -O <os user>`.
- Make sure the PSE file contains the target SAP system certificates by running `sapgenpse maintain_pk -l`.

Target SAP level:

- Make sure the SNC profile parameters are set correctly in RZ10/RZ11.
- Make sure the RunMyJobs certificate is stored in `STRUST` under SNC SAPCryptolib.
- Make sure the RFC user to be used has the correct SNC name by checking it in `SU01`.
- Check the `USRACLEXT` table to see if a different SNC name is assigned to the RFC user.

RunMyJobs level:

- Check the SAP RFC connect string. To keep troubleshooting simple, specify only the minimum number of parameters required. For example, `SNC_MYNAME` is required only if multiple PSEs are defined and used.