
Hello upgrade friends,

Do you use SSO in your environment? Yes?
Do you plan an upgrade to EhP6 or a kernel change to 7.20/7.21 EXT? Yes?

=> Then you might run into the same difficulty as I did :/

After the kernel switch phase of an EhP 6 upgrade I faced the issue that the system couldn’t start (Phase: STARTSAP_PUPG).
OK, let’s look into the work process traces, because there were no disp+work processes active, and sapcontrol (sapcontrol -nr x -function GetProcessList) also showed me that not all processes were running.


N        UserId=”sidadm” (ID), envvar USER=”sidadm

SncInit():  found snc/data_protection/max=3, using 3 (Privacy Level)
SncInit():  found snc/data_protection/min=2, using 2 (Integrity Level)
SncInit():  found snc/data_protection/use=3, using 3 (Privacy Level)
SncInit(): found snc/gssapi_lib=/usr/sap/SID/<Instanz>/sll/libsecgss.so
N    File “/usr/sap/SID/<Instance>/sll/libsecgss.so” dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x
SncInit():  found snc/identity/as=p:CN=<…>
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]
N        GSS-API(maj): No credentials were supplied
N      Could’t acquire ACCEPTING credentials for
N
N      name=”p:CN=<….>”
N      FATAL SNCERROR — Accepting Credentials not available!
N      (debug hint: default acceptor = “p:CN=DummyCredential“)
N  <<- SncInit()==SNCERR_GSSAPI
N          sec_avail = “false”
M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]
M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

My first try was simply to deactivate the SNC parameter in the profiles (=> snc/enable=0) -> it worked, but this solved only the symptom, not the real issue.
I noticed that the SNC adapter changed with the kernel from “SECUDE 5/GSS-API v2” to “SAP Netweaver Single Sign-On v1.x”. OK, I found out that these adapters are compatible. But wait a moment, why didn’t it work if they are compatible?

I checked the SLL (Secure Login Library) configuration (normally located under /usr/sap/SID/DV*/SLL/ ). The executable “snc” showed me that everything looked fine:

Using command ‘status -v’, call with –h to see more commands
——————————————————————————
———— status ——————————————————-
——————————————————————————
Product version     : Secure Login Library 1.0 SP 4 Patch 3
  : CryptoLib 8.3.7.11
  : aix-6.1-ppc-64

GSS library         : available
GSS library name    : libsecgss.so

PSE directory       : (existing) /usr/sap/SID/DV*/sec
PSE file            : (existing) /usr/sap/SID/DV*/sec/pse.zip
STRUST cred file    : (existing) /usr/sap/SID/DV*/sec/cred_v2
SNC config file     : (existing) /usr/sap/SID/DV*/sll/gss.xml

PSE accessible      : yes
PSE logged in       : yes
PSE credentials     : MasterPassword SystemDefault

Kerberos keyTab     : Not existing
——————————————————————————
SNC keys registered :  1 entries
1: STRUST  certificate  CN=<…>

Trusted certificates:
from STRUST       :
1: CN=SLS RootCA, OU=SAP SSO, O=<…>, C=DE

It seems that everything is fine!? But it still didn’t work.
Maybe other libraries were used with the new kernel.
-> No, this is also not the right answer, because via the profile the same lib is used -> /usr/sap/SID/DV*/sll/libsecgss.so

To me it seems that cred_v2 cannot be compared with the PSE. So I created a new PSE via STRUST and secured it with a password to create the cred_v2. (This can also be done via sapgenpse.)

I reactivated SNC via the profile parameters and I could start the instance without any issues. So it seems that the old PSE and cred_v2 files are _not_ compatible with the new SNC adapter.

I hope that if you run into this issue, you can fix it faster and not waste as much time as I did.

Best Regards,
Jens
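An added example (not part of the original post): a small triage script for the trace pattern shown above. It pulls the SncInit() parameters, the adapter name and the first SNC error out of a work-process trace, then compares snc/identity/as with the subject of the registered SNC key as listed by `snc status -v`. The sample trace, the instance name D00 and the DN are constructed placeholders, and the DN comparison is a simplification that does not handle escaped commas.

```python
import re

# Constructed sample in the format of the trace quoted in the post
# (instance name and DN are made-up placeholders).
SAMPLE_TRACE = """\
N  SncInit():  found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found snc/gssapi_lib=/usr/sap/SID/D00/sll/libsecgss.so
N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x
N  SncInit():  found snc/identity/as=p:CN=SID, OU=Example, C=DE
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]
N        GSS-API(maj): No credentials were supplied
N  <<- SncInit()==SNCERR_GSSAPI
"""

FOUND = re.compile(r"SncInit\(\):\s+found (snc/[\w/]+)=(.*?)(?:, using .*)?$")
ADAPTER = re.compile(r"Internal SNC-Adapter .* to (.+)$")
ERROR = re.compile(r"\*\*\* ERROR => (\w+)\(\)==(SNCERR_\w+)")
GSS_MAJ = re.compile(r"GSS-API\(maj\):\s*(.+)$")

def normalize_dn(name):
    """Drop the 'p:' prefix, trim each RDN, upper-case the attribute types."""
    name = name.strip()
    if name.lower().startswith("p:"):
        name = name[2:]
    rdns = []
    for rdn in name.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def triage(trace, pse_subject):
    """Summarise an SNC start-up failure and check the identity against the PSE."""
    r = {"params": {}, "adapter": None, "error": None, "gss_major": None}
    for line in trace.splitlines():
        line = line.rstrip()
        if m := FOUND.search(line):
            r["params"][m.group(1)] = m.group(2)
        elif m := ADAPTER.search(line):
            r["adapter"] = m.group(1)
        elif m := ERROR.search(line):
            r["error"] = r["error"] or f"{m.group(1)} -> {m.group(2)}"
        elif m := GSS_MAJ.search(line):
            r["gss_major"] = m.group(1)
    identity = r["params"].get("snc/identity/as", "")
    r["identity_matches_pse"] = normalize_dn(identity) == normalize_dn(pse_subject)
    # Name matches but no credentials: the case from the post, so look at
    # the PSE / cred_v2 files rather than at the profile parameter.
    r["suspect_credentials"] = (r["identity_matches_pse"]
                                and r["gss_major"] == "No credentials were supplied")
    return r
```

If `identity_matches_pse` is false, correct snc/identity/as or the PSE subject first; recreating the PSE and cred_v2 is the step to try when the names match and the credentials still cannot be acquired.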


5 Comments


  1. Petr Hopp

    Hi Jens,

    we faced the same problem, not during the upgrade, but after a kernel update.

    Solution provided by works perfectly. Thanks!!

    System started with snc/enable = 0 without any problems. Then I had to recreate the PSE for SNC SAPCryptolib (cred_v2 was recreated). Then activate the snc/enable parameter and one more restart.

    One more time... THANK YOU

    BR, Petr

    1. Maria Stock

      Just one question,

      Does what you set in profile parameter snc/identity/as have to match what is in the system PSE? For example, I need to add an OU, O and C to what already exists as SAP standard, in order to activate SNC for a secure HMRC connection in XI 7.3.

      1. Philippe Ramette

        Hello Maria,

        Exactly. You have to set the parameter snc/identity/as to the value of the SNC PSE, as it describes the Application Server's security token (i.e. p:<X.509_Distinguished_Name>).

        Regards,

        Philippe

    1. Jens Gleichmann Post author

      Hello,

      1) change profile variable snc/enable = 0
      2) start the system
      3) go to transaction STRUST
      4) recreate system PSE with a password
      5) change profile variable snc/enable = 1
      6) restart system
      Regards,
      Jens
