Skip to Content

FATAL SNCERROR – Accepting Credentials not available!

Hello upgrade friends,

do you use SSO in your environment? Yes?
Do plan an upgrade to EhP6 or kernel change to 7.20/7.21 EXT? Yes?

=> Than you might run into the same difficulty like me :/

After kernel switch phase of an EhP 6 upgrade I have faced the issue that the system couldn’t start (Phase: STARTSAP_PUPG).
OK, let’s try to look into the work process traces, because there were no disp+work processes active and sapcontrol (sapcontrolnr x -function GetProcessList) shows me also that not all prcoesses are running.


N        UserId=”sidadm” (ID), envvar USER=”sidadm

SncInit():  found snc/data_protection/max=3, using 3 (Privacy Level)
SncInit():  found snc/data_protection/min=2, using 2 (Integrity Level)
SncInit():  found snc/data_protection/use=3, using 3 (Privacy Level)
SncInit(): found snc/gssapi_lib=/usr/sap/SID/<Instanz>/sll/libsecgss.so
N    File “/usr/sap/SID/<Instance>/sll/libsecgss.so” dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x
SncInit():  found snc/identity/as=p:CN=<…>
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]
N        GSS-API(maj): No credentials were supplied
N      Could’t acquire ACCEPTING credentials for
N
N      name=”p:CN=<….>”
N      FATAL SNCERROR — Accepting Credentials not available!
N      (debug hint: default acceptor = “p:CN=DummyCredential“)
N  <<- SncInit()==SNCERR_GSSAPI
N          sec_avail = “false”
M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]
M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

First try was easily to deactivate the SNC parameter in the profiles (=> snc/enable=0) -> it worked, but this solved not the real issue just the symptom.
I have noticed that the SNC Adapter changed with kernel from “SECUDE 5/GSS-API v2” to “SAP Netweaver Single Sign-On v1.x”. OK, I could find out that these adapters are compatible. But wait moment, why it didn’t work if they are compatible?

I have checked the SLL (secure login library) configuration (normally located under /usr/sap/SID/DV*/SLL/ ). The executeable “snc” showed me that everything looks fine:

Using command ‘status -v’, call with –h to see more commands
——————————————————————————
———— status ——————————————————-
——————————————————————————
Product version     : Secure Login Library 1.0 SP 4 Patch 3
  : CryptoLib 8.3.7.11
  : aix-6.1-ppc-64

GSS library         : available
GSS library name    : libsecgss.so

PSE directory       : (existing) /usr/sap/SID/DV*/sec
PSE file            : (existing) /usr/sap/SID/DV*/sec/pse.zip
STRUST cred file    : (existing) /usr/sap/SID/DV*/sec/cred_v2
SNC config file     : (existing) /usr/sap/SID/DV*/sll/gss.xml

PSE accessible      : yes
PSE logged in       : yes
PSE credentials     : MasterPassword SystemDefault

Kerberos keyTab     : Not existing
——————————————————————————
SNC keys registered :  1 entries
1: STRUST  certificate  CN=<…>

Trusted certificates:
from STRUST       :
1: CN=SLS RootCA, OU=SAP SSO, O=<…>, C=DE

It seems that everything is fine!? But it still didn’t work.
May be other libraries were used with the new kernel.
-> No, this also not the right answer because via the profile the same lib is used -> /usr/sap/SID/DV*/sll/libsecgss.so

For me it seems like that cred_v2 cannot be compared with the pse. So I created a new PSE via STRUST and secured it via password to create the cred_v2. (This can also be done via sapgenpse)

I reactivated SNC via the profile parameters and I could start the instance without any issues. So it seems that the old PSE and cred_v2 files are _not_ compatible with the new SNC adapter.

Hope if you run into this issue, you can fix it faster and waste not so much time like me.

Best Regards,
Jens

5 Comments
You must be Logged on to comment or reply to a post.
  • Hi Jens,

    we faced the same problem, not during the upraged, but after kernel update.

    Solution provided by works perfectly. Thanks!!

    System started with snc/enable = 0 without any problems. Then I had to recreate PSE for SCN SAPCryptolib (cred_v2 was recreated). THen activate snc/enable parameter and one more restart.

    One more times.. THANK YOU

    BR< Petr

    • Just one question,

      Does what you set profile parameter snc/identity/as have to match what is in the system PSE? For example I need to add an OU, O and C to what already exists as SAP standard, in order to activate SNC for secure HMRC connection in XI 7.3

      • Hello Maria,

        Exactly. You have to set the parameter snc/identity/as to the value of the SNC PSE as it describes the Application Servers security token (i.e. p:<X.509_Distinguished_Name>)

        Regards,

        Philippe

    • Hello,

      1) change profile variable snc/enable = 0
      2) start the system
      3) goto transaction STRUST
      4) recreate system PSE with a password
      5) change profile variable snc/enable = 1
      6) restart system
      Regards,
      Jens