SNC Connection to an SAP System

on-site-related topic

You can use Secure Network Communications (SNC) to secure RFC connections between an on-site Redwood Server and SAP instances.

To make use of SNC, you must configure your target SAP system to use SNC. For more information, see Initializing SNC in an SAP System.

Note: For SaaS instances, you do not have direct access to the operating system, so you need the SAP SNC Connector to configure SNC connections.

Note: If you want to configure SNC for a Platform Agent, see Securing Connections with Secure Network Connections (SNC).

Prerequisites

To configure an SNC connection to an SAP system, you need the following.

  • The SAP Crypto library for your platform. To locate this, search for SAPCRYPTOLIB under Downloads in the SAP Launchpad.

  • The SAP CAR program for your platform, to extract the SAP Crypto library. To locate this, search for SAPCAR on the SAP Launchpad.

  • The SNC certificate for the target SAP system. For more information, see Extracting an SAP System's SNC Certificate.

Configuring RunMyJobs for SNC

To configure RunMyJobs for SNC:

  1. Unpack the SAP Crypto SAR file using sapcar. For example: sapcar -xvf SAPCRYPTOLIBP_8540-20011697.SAR

  2. Copy the SAP Cryptographic library (sapcrypto.dll for Windows, or libsapcrypto.so for UNIX) to the desired location (for example, C:\Program Files (x86)\Redwood\local\saplibs for Windows or /opt/redwood/local/saplibs for UNIX).

  3. Set the following environment variables. For more information, see Setting Environment Variables and JVM Properties.

    • Set SNC_LIB (or SNC_LIB_64 for Windows with a 64-bit JVM) to the full path of the library file (for example, C:\Program Files (x86)\Redwood\local\saplibs\sapcrypto.dll for Windows, or /opt/redwood/agent/local/sapcrypto.so for UNIX).

    • Set SECUDIR to the directory which will contain the PSE and cred_v2 files (for example, C:\Program Files (x86)\Redwood\local\sapsec for Windows or /opt/redwood/agent/sapsec for UNIX).

  4. Execute the following commands using the values listed below. The following examples are for Windows.

    1. Create the PSE file: sapgenpse %_FIPS% gen_pse -v %_ALG% %_LPS% -x %_PASS% -p %_PSE% %_DN%

    2. For each Target SAP System, execute sapgenpse %_FIPS% maintain_pk -v -x %_PASS% -a <Target SAP certificate>.crt -p %_PSE%

    3. Export your own SNC Certificate: sapgenpse %_FIPS% export_own_cert -v -x %_PASS% -p %_PSE% -o %_CRT%

    4. Create the logon (cred_v2 file) for PSE: sapgenpse %_FIPS% seclogin -v %_LPS% -x %_PASS% -p %_PSE% -O <OS User>

    5. Make sure the user under which RunMyJobs runs can read the following directories and their contents: SNC_LIB and SECUDIR.

  5. Restart the RunMyJobs server.

Values

  • _PASS=<password>: The password of the PSE.

  • _FIPS=-fips on: Leave this empty if FIPS is not to be used.

  • _LPS=-lps: Leave this empty if no LPS is to be used.

  • _ALG= -a RSA:2048:SHA256: The encryption algorithm to use.

  • _PSE=RunMyJobs.pse: The name of the PSE to create.

  • _CRT=RunMyJobs.crt: The certificate that needs to be installed in the target SAP system(s). For more information, see Preparing an SAP System for RunMyJobs SNC Connection.

  • _DN="CN=RunMyJobs, OU=Example, O=Redwood, C=NL": The organizational name to be used for RunMyJobs.

  • <OS User>: The user that runs RunMyJobs (SYSTEM for Windows using a local system user).
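The sapgenpse sequence above, scripted for Windows or UNIX, as an added example that is not Redwood's own code. It assumes sapgenpse is on PATH, the target certificate files already exist in the working directory, and the constructed environment variable RMJ_PSE_PASS holds the PSE password; with dry_run=True it only returns the command lines it would run.

```python
import os
import stat
import subprocess
from pathlib import Path

# Added example, not Redwood's own code. Scripts the sapgenpse sequence from
# the "Values" list above for Windows or UNIX. Assumes sapgenpse is on PATH;
# RMJ_PSE_PASS is a constructed environment variable holding the PSE password.

def sapgenpse_commands(pse, crt, dn, target_certs, password, os_user,
                       fips=False, lps=False, alg="RSA:2048:SHA256"):
    """Return the sapgenpse invocations as argument lists (no shell quoting needed)."""
    fips_opt = ["-fips", "on"] if fips else []   # _FIPS: empty when FIPS is not used
    lps_opt = ["-lps"] if lps else []            # _LPS: empty when no LPS is used
    cmds = [["sapgenpse", *fips_opt, "gen_pse", "-v", "-a", alg, *lps_opt,
             "-x", password, "-p", pse, dn]]                        # 1. create the PSE
    for cert in target_certs:                                       # 2. trust each target
        cmds.append(["sapgenpse", *fips_opt, "maintain_pk", "-v",
                     "-x", password, "-a", cert, "-p", pse])
    cmds.append(["sapgenpse", *fips_opt, "export_own_cert", "-v",   # 3. export own cert
                 "-x", password, "-p", pse, "-o", crt])
    cmds.append(["sapgenpse", *fips_opt, "seclogin", "-v", *lps_opt,  # 4. cred_v2
                 "-x", password, "-p", pse, "-O", os_user])
    return cmds

def run_setup(secudir, cmds, dry_run=True):
    """Run the commands with SECUDIR set; on UNIX restrict SECUDIR to its owner,
    since the PSE and cred_v2 files are credentials. Returns the command lines."""
    lines = [" ".join(c) for c in cmds]
    if dry_run:
        return lines
    secudir = Path(secudir)
    secudir.mkdir(parents=True, exist_ok=True)
    env = {**os.environ, "SECUDIR": str(secudir)}
    for c in cmds:
        subprocess.run(c, check=True, env=env)
    if os.name != "nt":
        os.chmod(secudir, stat.S_IRWXU)                   # 0700
        for f in secudir.iterdir():
            os.chmod(f, stat.S_IRUSR | stat.S_IWUSR)      # 0600
    return lines

if __name__ == "__main__":
    cmds = sapgenpse_commands("RunMyJobs.pse", "RunMyJobs.crt",
                              "CN=RunMyJobs, OU=Example, O=Redwood, C=NL",
                              ["PRD.crt", "QAS.crt"],
                              os.environ.get("RMJ_PSE_PASS", "changeit"),
                              "redwood", lps=True)
    print("\n".join(run_setup("/opt/redwood/agent/sapsec", cmds, dry_run=True)))
```

Passing the password with -x puts it in the process list, as the page's own commands do; run the script from a session that is not shared.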

Extracting an SAP System's SNC Certificate

To extract the SNC certificate of an SAP system:

  1. Start transaction STRUST.

  2. Double-click SNC SAPCryptolib.

  3. Enter the PSE password. If no password is defined, set one.

  4. Double-click on the owner subject. The certificate displays.

  5. Switch to Change mode.

  6. Export the certificate in Base64 format.

Preparing an SAP System for RunMyJobs SNC Connection

To prepare the SAP System for RunMyJobs SNC connection:

  1. Start transaction STRUST.

  2. Double-click SNC SAPCryptolib.

  3. Enter the PSE password. If no password is defined, set one.

  4. Switch to Change mode.

  5. Import the RunMyJobs SNC certificate.

  6. To save the changes, click Add to Certificate List.

Updating the SAP RFC Connect String

Once SNC has been enabled on the SAP system, you can update the SAP system RFC connect string with the additional parameters for SNC. If you have not enabled SNC on the SAP application server, follow the instructions in Initializing SNC in an SAP System.

  1. Navigate to Configure > Admin > Manage Connectors > SAP Systems.

  2. Right-click the SAP system you want to connect to via SNC and choose Edit.

  3. On the SAP System tab, add the parameters below to the RFC Connect String.

  4. Click Check connection and make sure the connection is successful.

  5. On the XBP tab, click Check connection and make sure that connection is successful.

  6. Click Save & Close.

  7. Navigate to Configure > Control > (Undefined variable: General.Job) Servers and restart the (Undefined variable: General.Job) Server belonging to the SAP system.

Parameters

  • SNC_MODE=1 (mandatory): Activates SNC for the connection.

  • SNC_PARTNERNAME="p[/krb5]:<name>" or SNC_PARTNERNAME="p[/secude]:<name>" (mandatory): Defines the target SAP system's DN (secude) or Kerberos name (krb5).

  • SNC_SSO=1 (optional): Enables SSO (default).

  • SNC_QOP=3 (optional): Defines how secure the connection is. 1=Auth only, 2=Integrity, 3=Privacy, 8=Default, 9=Maximum.

  • SNC_MYNAME="p[/krb5]:<name>" or SNC_MYNAME="p[/secude]:<name>" (optional): Defines the RFC user to be used. For more information, see Configuring an SAP User for SNC.

Configuring an SAP User for SNC

In transaction SU01, you must configure the SNC tab, or SNC will not be activated. The following screenshot shows a user's SNC settings.

The SNC name uses the syntax <type>[/<tech>]:<name>, where:

  • <type> is one of the following:

    • p: Printable name.

    • s: Service@host name.

    • u: User name.

  • <tech> (optional, defaults to active tech) is one of the following:

    • krb5: Kerberos name.

    • secude: X.500 name.

    • sapntlm: NTMSSP name (Windows only).

  • <name> is one of the following:

    • Kerberos name, such as jdoe@example.local.

    • X.500 name, such as CN=John Doe, OU=Administrators, O=Example, C=DE.

    • NTMSSP name, such as Example\jdoe.

Note: If the user needs to be connected to more than one PSE, then the additional DNs need to be defined in the USRACLEXT table. For more information, see Maintaining SNC Information for Non-Dialog Users.

Initializing SNC in an SAP System

To initialize SNC in an SAP system:

  1. In the instance profile of the central instance (target SAP System), set these SAP parameters:

    snc/enable = 1
    snc/gssapi_lib = <DRIVE>:\%windir%\system32\sapcrypto.dll
    snc/identity/as = p:<SAP_Service_User>@<DOMAIN_NAME>
    snc/data_protection/max = 3
    snc/data_protection/min = 2
    snc/data_protection/use = 3
    snc/accept_insecure_cpic = 1
    snc/accept_insecure_gui = 1
    snc/accept_insecure_r3int_rfc = 1
    snc/accept_insecure_rfc = 1
    snc/permit_insecure_start = 1

  2. Restart the SAP instance.

For more information about these profile parameters, see Profile Parameter Settings on the ABAP Platform.
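An added example (not Redwood's or SAP's code) that ties together the RFC connect string parameters, the <type>[/<tech>]:<name> SNC name syntax, and the snc/data_protection profile parameters above: it validates SNC names, assembles the SNC part of a connect string, and checks a requested SNC_QOP against the target's min/max settings. The profile fragment and DNs are constructed sample values.

```python
import re

# Added example, not Redwood's or SAP's code. Checks SNC names of the form
# <type>[/<tech>]:<name>, assembles the SNC parameters for the RFC connect
# string, and compares a requested SNC_QOP with the target's
# snc/data_protection/min and /max profile values. Sample values are constructed.

SNC_NAME_RE = re.compile(
    r"^(?P<type>[psu])(?:/(?P<tech>krb5|secude|sapntlm))?:(?P<name>.+)$")
QOP_LEVELS = {1: "authentication only", 2: "integrity", 3: "privacy",
              8: "default", 9: "maximum"}

def parse_snc_name(value):
    """Return (type, tech, name); raise ValueError for a malformed SNC name."""
    m = SNC_NAME_RE.match(value)
    if not m:
        raise ValueError(f"not a valid SNC name: {value!r}")
    kind, tech, name = m.group("type", "tech", "name")
    if tech == "secude" and "=" not in name:    # X.500 name is a DN (CN=..., O=...)
        raise ValueError(f"secude name must be an X.500 DN: {name!r}")
    if tech == "krb5" and "@" not in name:      # Kerberos name is principal@realm
        raise ValueError(f"krb5 name must contain a realm: {name!r}")
    return kind, tech, name

def snc_connect_params(partner, qop=3, sso=True, myname=None):
    """Build the SNC part of the RFC connect string; quotes keep DNs with spaces intact."""
    parse_snc_name(partner)
    if qop not in QOP_LEVELS:
        raise ValueError(f"SNC_QOP must be one of {sorted(QOP_LEVELS)}, got {qop}")
    params = [("SNC_MODE", "1"), ("SNC_PARTNERNAME", f'"{partner}"'),
              ("SNC_QOP", str(qop)), ("SNC_SSO", "1" if sso else "0")]
    if myname:                                  # only when more than one PSE is in use
        parse_snc_name(myname)
        params.append(("SNC_MYNAME", f'"{myname}"'))
    return " ".join(f"{k}={v}" for k, v in params)

def qop_within_profile(qop, profile_text):
    """True if an explicit QOP (1-3) lies within the target's [min, max] range.
    8 (default) and 9 (maximum) are resolved by the SNC library, so they pass."""
    limits = dict(re.findall(r"snc/data_protection/(min|max)\s*=\s*(\d)", profile_text))
    lo, hi = int(limits.get("min", 1)), int(limits.get("max", 3))
    return qop in (8, 9) or lo <= qop <= hi

# constructed profile fragment mirroring the parameters listed above
SAMPLE_PROFILE = """snc/enable = 1
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
"""
```

With the sample profile, SNC_QOP=1 is rejected because the target's minimum is integrity protection (2), which is the kind of mismatch that otherwise only shows up as a failed Check connection.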

Checklist for SNC Connections

OS level:

  • Determine the OS user under which RunMyJobs is executed.

  • Check the OS user's environment settings for the correct SECUDIR, SNC_LIB, and SNC_LIB_64 environment settings by running the System_Info (Undefined variable: General.Job) Definition.

  • Make sure the SAP Crypto library can be used by running sapgenpse support_info or sapgenpse cryptinfo.

  • Make sure the PSE file is accessible by running sapgenpse show -f <pse file>.

  • Make sure SSO credentials are available by running sapgenpse seclogin -l -O <os user>.

  • Make sure the PSE file contains the target SAP system certificates by running sapgenpse maintain_pk -l.

Target SAP level:

  • Make sure the SNC profile parameters are set correctly in RZ10/RZ11.

  • Make sure the RunMyJobs certificate is stored in STRUST under SNC SAPCryptolib.

  • Make sure the RFC User to be used contains the correct SNC name by running SU01.

  • Check the USRACLEXT table to see if a different SNC name is assigned to the RFC user.

RunMyJobs level:

  • Check the SAP RFC connect string. To reduce error checking, specify only the minimum number of parameters required. For example, SNC_MYNAME is required only if multiple PSEs are defined and used.
