So, you want to enable SNC (without Single Sign On — SSO) in your environment?  You have Solaris (or other UNIX) and you don’t want to pay for third party libraries?

SAP has a solution for you!  But implementing the solution may be a nightmare.  SAP developed their own guide/documentation showing how to do this, but you may find following their documentation a bit troublesome.  It’s for this reason I developed this document.

Applicable Notes with Prerequisites

Some notes with important pre-readings below.  There are three version prerequisites to watch out for: GUI, Kernel, SAP Basis Component.

SAP OSS Note 1561161 – Enabling SAP GUI password logon despite using SNC.  This note discusses Kernel Version and Basis Support Pack prerequisites.

SAP OSS Note 1053737 –  Versions of supported SAPGUIs

SAP OSS Note 1580808 – SAP Logon 7.20: “SNC logon w/o SSO” for connection entry


Tags below

In this document you will see the following tags used.  This section explains what you should substitute into the tag.

<SID> = Your System ID.

<Instance> = The name/number of the instance, ex: DVEBMGS## or D##.

<SPN> = Service Principal Name created in Active Directory

<ActiveDirectoryDomain> = Name of your active directory domain name (Fully Qualified – ex: DomainName.YourOrganization.org).  If you don’t know what this should be, ask your Active Directory Staff.

Our situation:

OS = Solaris 10

Database = Oracle

Hardware Platform (SPARC)

You’ll need to search for and download the following:

1. SNC Client Encryption/Libraries 1.0

SAP’s Software Distribution Center -> Installations and Upgrades -> Search For Installations and Upgrades -> 51042493 OR

SAP’s Software Distribution Center -> Installations and Upgrades -> Browse our Download Catalog -> SAP Cryptographic Software -> SNC CLIENT ENCRYPTION 1.0 -> Installation -> 51042493 (or latest version)

2. SNC Client Encryption/Libraries 1.0 SP 02

SAP’s Software Distribution Center -> Support Packages and Patches -> Search Support Packages and Patches -> SLLIBRARY02_4-20008890 (This patch is for Solaris on SPARC 64 only) OR

SAP’s Software Distribution Center -> Support Packages and Patches -> Search Support Packages and Patches -> SLLIBRARY02

3. Latest SAPCrypto Lib

SAP’s Software Distribution Center -> Support Packages and Patches -> Browse our Download Catalog -> SAP Cryptographic Software -> SAPCryptolib for Updates

So now that you have downloaded what you need, now to get to business!

1. Server Side Installation

1. Upload all files downloaded above to your server.

2. Unzip the library you downloaded in #1 above.

3. In a separate folder, un-sar the file you downloaded in #2 above.

4. Inside the unzipped archive (from Step 2) you will find a folder called “SECURE_LOGIN_LIBRARY”.  Inside it select the correct subfolder for your OS.  Hint “Solaris” is often referred to as sunos 5.  If you have Solaris 10 on Sparc (like us) you will want the folder called “sunos-5.10-sparc-64”.

5. Inside the unzipped archive (from step 3) you will find a series of folders that match up to your operating system version.  Note the appropriate folder.

6. Go to /usr/sap/<SID>/<INSTANCE>.  Inside it create two directories (if they don’t already exist): “SLL” and “security”.

7. Inside the SLL folder use SAPCAR to un-sar the “SECURELOGINLIB.SAR” which is in the folder you identified in Step 4.

8. While still inside the SLL folder use SAPCAR to un-sar the “SECURELOGINLIB.SAR” identified in Step 5.

9. Go to /sapmnt/<SID>/exe/.  Once inside it use SAPCAR to un-sar the file downloaded in #3 above.

2. Active Directory Preparation/Work

This solution requires that you use MS Active Directory (aka Domains).  For this section you will have to work with your organization’s active directory staff.

1. Have the active directory staff create a new service account for you.  The name of the account doesn’t really matter, just note what it is.

2. Set a strong account password.  Set the password to never expire and unchangeable.  Note the exact PaSsWoRd made here, you’ll need it later in section 3.

3. Inside the new account created in the previous step, have them create/assign a new “Service Principal Name” (SPN).  The name and case of this SPN is critical and must be followed precisely: SAP/Kerberos<SID> — as previously noted this entry is CaSe SeNsItIvE.  Herein this will be called <SPN>.

3. Server Side Config

1. Change directories to /usr/sap/<SID>/<Instance>/SLL

2. Set the environment variable “SECUDIR” to “/usr/sap/<SID>/<Instance>/sec”.  If you like/use bash (like me) do this by executing “export SECUDIR=/usr/sap/<SID>/<Instance>/sec”.

3. Create the PSE Environment.  Do this by executing: “./snc crtpse” with your PWD (Present Working Directory) being /usr/sap/<SID>/<INSTANCE>/SLL/.  You’ll be prompted to create a password.  The value of this password doesn’t matter, but note what you make it.

4. Create a keytab entry for your SPN created above.  Do this by executing “./snc crtkeytab -s <SPN>@<ActiveDirectoryDomain>”.  You will be prompted for a password.  This password must be the same as the password when you created the active directory account in step 2-1.  The <ActiveDirectoryDomain> must be in ALL CAPS.

4. AS ABAP Configuration

1. Log into your SAP System GUI.

2. Start up transaction RZ10.  Set the following parameters in your instance (or DEFAULT.PFL, if you prefer) profile(s):

snc/permit_insecure_start         1
snc/accept_insecure_cpic          1
snc/r3int_rfc_qop                 8
snc/r3int_rfc_secure              0
snc/data_protection/use           3
snc/data_protection/min           2
snc/data_protection/max           3
snc/identity/as                   p:CN=<SPN>@<ActiveDirectoryDomain>   (the <ActiveDirectoryDomain> must be in ALL CAPS)
snc/gssapi_lib                    /usr/sap/<SID>/<Instance>/SLL/libsecgss.so
snc/enable                        0
snc/force_login_screen            1
snc/accept_insecure_rfc           1
snc/accept_insecure_gui           1

ssf/name                          SAPSECULIB   (suggested in DEFAULT.PFL)
ssf/ssfapi_lib                    $(ssl/ssl_lib)
ssl/ssl_lib                       $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
sec/libsapsecu                    $(ssl/ssl_lib)

3. Add the following entry to your start profile(s):

SETENV_XX (XX = next available value) SECUDIR=$(DIR_INSTANCE)/sec

4. Exit AS ABAP/Log off.

5. Restart the SAP System.

6. Once the system is restarted, go to transaction STRUST.

7. In transaction STRUST you will now find an entry in the left pane that says “SNC SAPCryptolib”.  It should have a red “X” next to it.  Right click on it and select “Create”.  You’ll notice the “SNC ID” is already filled in for you.  Select RSA and an appropriate key size, then click the green check mark.

8. Go back to RZ10.  Change the value of “snc/enable” to 1.

9. Log out and restart the SAP system again.

Once you’ve restarted the system you can look in /usr/sap/<SID>/<Instance>/work/dev_w0 and see something like this:

N Wed Aug 14 13:45:01 2013

N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=/usr/sap/EQ2/DVEBMGS51/SLL/libsecgss.so

N    File “/usr/sap/<SID>/<Instance>/SLL/libsecgss.so” dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x

N  SncInit():   found snc/identity/as=p:CN=<SPN>@<ActiveDirectoryDomain>

N  SncInit(): Accepting  Credentials available, lifetime=Indefinite

N  SncInit(): Initiating Credentials available, lifetime=Indefinite

M  ***LOG R1Q=> p:CN=<SPN>@<ActiveDirectoryDomain> [thxxsnc.c    266]

M  SNC (Secure Network Communication) enabled

If you don’t see this but instead see errors, chances are your ABAP system no longer works (good job).  You’ll have to manually edit your instance profile in /sapmnt/<SID>/profile and set snc/enable to 0.  Then restart your system and troubleshoot (good luck).
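Because a single mistyped parameter takes the whole system down, here is an added example (my own code, not the post’s or SAP’s) that lints an instance profile against the section 4 values and reads the dev_w0 lines above for the “SNC enabled” confirmation.  The profile syntax, the SAP/Kerberos<SID> SPN rule and the ALL CAPS domain rule are taken from this post; the sample profile and trace are constructed, reusing the EQ2/DVEBMGS51 names from the trace excerpt.

```python
"""Lint an SAP instance profile and the dev_w0 trace for the SNC-without-SSO
setup described above. Added example: not code from the original post or SAP.
Assumes profile lines look like "name value" or "name = value" (both forms
appear on this page) and applies the post's own SPN rule, SAP/Kerberos<SID>."""
import re

# Values the post sets in RZ10. snc/enable is checked per phase because the
# post raises it to 1 only after the STRUST PSE has been created.
EXPECTED = {
    "snc/permit_insecure_start": "1", "snc/accept_insecure_cpic": "1",
    "snc/accept_insecure_rfc": "1", "snc/accept_insecure_gui": "1",
    "snc/r3int_rfc_qop": "8", "snc/r3int_rfc_secure": "0",
    "snc/force_login_screen": "1", "ssf/name": "SAPSECULIB",
    "ssf/ssfapi_lib": "$(ssl/ssl_lib)", "sec/libsapsecu": "$(ssl/ssl_lib)",
}
PARAM_RE = re.compile(r"^([^\s=]+)\s*=?\s*(.*?)\s*$")
IDENTITY_RE = re.compile(r"^p:CN=(?P<spn>[^@\s]+)@(?P<domain>[^@\s]+)$")


def parse_profile(text):
    """Return {parameter: value}; comment ('#') and blank lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, value = PARAM_RE.match(line).groups()
            params[name] = value
    return params


def lint_profile(text, sid, instance, snc_enabled):
    """Return findings; [] means the profile matches the post for this phase
    (snc_enabled=False before the STRUST PSE exists, True afterwards)."""
    p = parse_profile(text)
    findings = []
    for name, want in EXPECTED.items():
        if p.get(name) != want:
            findings.append(f"{name}: expected {want!r}, got {p.get(name)!r}")
    want_enable = "1" if snc_enabled else "0"
    if p.get("snc/enable") != want_enable:
        findings.append(f"snc/enable: expected {want_enable} in this phase, got {p.get('snc/enable')!r}")
    # Protection levels: 1 = authentication, 2 = integrity, 3 = privacy.
    try:
        lo, use, hi = (int(p.get(f"snc/data_protection/{k}", "0")) for k in ("min", "use", "max"))
        if not 1 <= lo <= use <= hi <= 3:
            findings.append(f"snc/data_protection: need 1<=min({lo})<=use({use})<=max({hi})<=3")
    except ValueError:
        findings.append("snc/data_protection/*: non-numeric value")
    # Identity must be p:CN=<SPN>@<DOMAIN>; the SPN is case sensitive, the domain ALL CAPS.
    ident = p.get("snc/identity/as", "")
    m = IDENTITY_RE.match(ident)
    if not m:
        findings.append(f"snc/identity/as: {ident!r} is not of the form p:CN=<SPN>@<DOMAIN>")
    else:
        if m["domain"] != m["domain"].upper():
            findings.append("snc/identity/as: <ActiveDirectoryDomain> must be ALL CAPS")
        if m["spn"] != f"SAP/Kerberos{sid.upper()}":
            findings.append(f"snc/identity/as: SPN {m['spn']!r} is not SAP/Kerberos{sid.upper()}")
    lib = f"/usr/sap/{sid}/{instance}/SLL/libsecgss.so"
    if p.get("snc/gssapi_lib") != lib:
        findings.append(f"snc/gssapi_lib: expected {lib}, got {p.get('snc/gssapi_lib')!r}")
    return findings


def trace_snc_status(text):
    """Summarise the SncInit() lines of dev_w0: is SNC up, and with which identity?"""
    enabled = any(l.rstrip().endswith("SNC (Secure Network Communication) enabled")
                  for l in text.splitlines())
    m = re.search(r"snc/identity/as=(\S+)", text)
    return {"enabled": enabled, "identity": m.group(1) if m else None,
            "credentials": len(re.findall(r"Credentials available", text))}


# Constructed samples; SID EQ2 / DVEBMGS51 are taken from the post's own trace.
GOOD_PROFILE = "\n".join(f"{k} {v}" for k, v in EXPECTED.items()) + """
snc/data_protection/use 3
snc/data_protection/min 2
snc/data_protection/max 3
snc/identity/as p:CN=SAP/KerberosEQ2@DOMAINNAME.YOURORGANIZATION.ORG
snc/gssapi_lib /usr/sap/EQ2/DVEBMGS51/SLL/libsecgss.so
snc/enable 0
ssl/ssl_lib $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
"""
# The two mistakes the post warns about most: mixed-case domain, and snc/enable
# switched on before the STRUST PSE exists (which locks everyone out).
BAD_PROFILE = GOOD_PROFILE.replace("@DOMAINNAME.YOURORGANIZATION.ORG",
                                   "@DomainName.YourOrganization.org").replace("snc/enable 0", "snc/enable 1")
TRACE = """N  SncInit():   found snc/identity/as=p:CN=SAP/KerberosEQ2@DOMAINNAME.YOURORGANIZATION.ORG
N  SncInit(): Accepting  Credentials available, lifetime=Indefinite
N  SncInit(): Initiating Credentials available, lifetime=Indefinite
M  SNC (Secure Network Communication) enabled
"""

if __name__ == "__main__":
    print("good:", lint_profile(GOOD_PROFILE, "EQ2", "DVEBMGS51", snc_enabled=False))
    print("bad: ", lint_profile(BAD_PROFILE, "EQ2", "DVEBMGS51", snc_enabled=False))
    print("trace:", trace_snc_status(TRACE))
```

Run it against the profile copied out of /sapmnt/<SID>/profile after activating in RZ10, since the filesystem copy is what the kernel actually reads.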

5. PC SNC Client Installation/Config

1. Inside the main SNC library file you downloaded above in file download step 1, you’ll find a “SNC_CLIENT_ENCRYPTION” folder.  On your PC execute the “SapSncClientEncryption.exe” file you’ll find in this folder.  If you already have the “SNC Client Encryption” installed, I’d recommend you uninstall it and re-install it, just to make sure you have a compatible version.

2. After you executed the previous step, start up the SAP GUI on your workstation.

3. In the GUI right click on the logon entry representing the SAP you are working on.  Select “Properties” from the context menu that pops up.

4. On the window that pops up, select the “Network” tab.

5. Check the box that says “Activate Secure Network Communications”.

6. Enter the “SNC Name” as follows: p:CN=<SPN>@<ActiveDirectoryDomain>

7. Select “Maximum security settings available”

8. Check the box “SNC logon with user/password (no Single Sign-On)”

You’ve done it.  Now all that’s left is to pray to the deity of your choosing <grin>.  If he/she smiles upon you, you should be able to log in to your SAP System.  You’ll note a lock (which was previously open) in the lower right hand of your GUI screen in the status bar.

6. Troubleshooting

For troubleshooting SNC issues on the client side, consider reading this document on the SAP help site or Google: “Enabling Traces for SNC Client Encryption”.


45 Comments


  1. K N Prabhu

    Being new to SNC, I want to know about the use of Active Directory Preparation. Can we do the SNC configuration without single sign on without Active Directory Preparation?

    I am configuring SAP SNC on ECC, with RHEL OS

    (0) 
    1. Phillip Hofmeister Post author

      Hello M. Prabhu:

      Sadly, I know of no way to do it other than using Active Directory.  Active Directory is used to authenticate the server/system to the desktop.

      To do it without Active Directory would be outside of my experience.  Check the SAP guide referenced in my second paragraph.  If you can figure something out, I hope you will document it as well.

      Best of luck…

      (0) 
      1. K N Prabhu

        Hi Phillip,

        Being new to SNC, I want further clarification on the following thing about the Active Directory step:

        1. As per the above steps the Service Principal Name could be used as SAP<SID> or KerberosSID. Also as I am going to implement it on the whole landscape(dev, qas & prd systems) do I have to make different SPNs for each system or I can use a single SPN for the whole landscape say for example “SAPECC/KerberosECC”.

        (0) 
        1. Phillip Hofmeister Post author

          Hello Mr. Prabhu:

          The SPN must be SID specific and it is CaSe SeNsiTiVE.  The service account name can be anything, but the SPN must be SAP/Kerberos<SID> (SID is all caps) where SID is your system ID.

          You’ll need to know the password for the Service Account and it should be marked:

          * Never Expire

          * Unchangeable

          You’ll need the Password for the service account when you create the Keytab with the “snc crtkeytab” command.

          Feel free to let me know if you have any further questions or need help troubleshooting.

          (0) 
          1. K N Prabhu

            Hi Phillip,

            As you said SPN must be SID specific plus unchangeable (password wise and its user type wise).

            As I will be configuring SNC in the landscape (dev, qas, prd) so I think I have to make separate SPNs as per SIDs in my landscape (for example SAPdev, SAPqas, SAPprd for the whole landscape).

            Please correct me on the above if I am wrong.

            (0) 
  2. Priya Bharath

    Hi Philip,

    I have followed your steps very closely, but at some steps the guide seems to be for advanced users (perhaps not)

    I am presently stuck at this step

    3. Create the PSE Environment.  Do this by executing: “./snc crtpse”.  You’ll be prompted to create a password.  The value of this password doesn’t matter, but note what you make it.


    How do I do that? From cmd? Because when I run that it says snc is not a recognized program; what could I be missing?

    This blog is very much relevant to what I want to achieve. Pls assist tks so much for your blog and excellent support for the rest of us. 🙂

    (0) 
      1. Priya Bharath

        Tks for the very quick response. Now I am done with that step and have been struggling with another step, actually not a step but more of an output.

        Problem:

        Question(s)

        Qn1

        When you say domain, should it be host.domainname? For example abc is my hostname (where Active Directory is installed) and def.com is my domain.

        So far I have assumed that I have to just use def.com at every instruction that you mentioned domain name

        Qn2

        SETENV_XX (XX = next available value)   SECUDIR=$(DIR_INSTANCE)/sec

        For now I have this, I added this in one whole line.

        SETENV_01 SECUDIR=$(DIR_INSTANCE)/sec

        The XX in the above statement is very confusing to me. (Also in my windows do I need this?)

        When I try to login I am getting this error.

        /wp-content/uploads/2014/01/screenshot2_372002.jpg

        BTW few things to take note,my environment is Windows, so I managed to find this

        http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0f9efa8-c207-2f10-119b-b3f3bc905ad5?QuickLink=index&&hellip;




        (0) 
          1. Phillip Hofmeister Post author

            Hi Jack,

            I’m a weekday warrior (Monday-Friday — 8:30-5:30).  Please excuse the delayed response.

            With regards to your problem, I’d suggest you look at the parameters specified in RZ10 very carefully and then double check that those parameters were correctly “activated” on the filesystem copy of the profiles. There are MANY parameters in this setup (sadly) and if you miss or incorrectly set just one of them, the whole system will not work.

            Answer 1:

            When I say ActiveDirectoryDomain, I mean the DNS name of your active directory.  If you are unsure what this is, you should contact your Active Directory staff for your organization.  I do *NOT* mean hostname.  In your example if def.com is your company’s active directory domain name, you should use def.com.  A defect in this area would not become apparent until you go to login to the SAP System with your GUI.

            Answer 2: I do not see SID in your string, see the instructions:

            6. Enter the “SNC Name” as follows: p:CN=<SPN>@<ActiveDirectoryDomain>

            Please re-read #3 under “2. Active Directory Preparation/Work”.  As I said it’s very critical each configuration piece be set precisely.  If you have a specific question of interpretation, please ask.

            (0) 
            1. Priya Bharath

              Hi Philip,

              Sorry for not updating you regarding the progress.

              A big tks to u, i managed to get the SNC working, but only on that server. BUT, the problem is this now, I am trying to login in to the server that is not on the domain but can connect to the server with out the SNC enabled. Hence the earlier screenshot which I am getting the error.

              So to summarise SNC IS WORKING! (guess my deity is just giving a smirk, but not really smiling! 🙂 ) pls assist tks

              (0) 
              1. Phillip Hofmeister Post author

                Hi Jack.

                In order for this solution to work, the server and client must be on the same active directory domain or at the very least the client domain must trust the domain the server is in.

                I hope this help?

                (0) 
                  1. Phillip Hofmeister Post author

                    Not that I know of.  Maybe you could do some research and write about it if you find such a solution.  I’d be interested.  FWIW, I looked when in the process of developing this and I could find no such solution.

                    (0) 
                    1. Kumar Devarakonda

                      Hi Philip

                      I am having the same error as in the screen shot by Jack. My active directory domain is newly created for SAP. My client Windows and server Unix machine are on different domains. Do I need any trust between these domains?

                      Jack,

                      Were you able to resolve your issue ?

                      (0) 
                      1. Phillip Hofmeister Post author

                        Hi Kumar,

                        The desktop must be a part of a windows domain.  There must be a Service Account in that domain for this system and the Service Account must have an associated Service Principal Name (SPN) as specified above.  It is CaSe SeNsiTiVe.

                        The *nix server doesn’t have to be a part of the Windows Domain.  I don’t even know if it is possible for a *nix server to join a windows domain.  That being said, the SNC command must reference the windows domain as specified in section 3 above.

                        (0) 
                        1. Kumar Devarakonda

                          I got my SAPGUI able to Launch with Active SNC from Domain that is used as AD for SAP. But when I login with one of the AD user that is Mapped with SNC name p:CN=<User>@DOMAIN.LOCAL, it errors out /does not login with message “You have no password; you cannot log on using a password”

                          (0) 
        1. Pradeep Gali

          We are on AIX and the above steps worked fine for us. Initially we got a No Credentials error message but we corrected the SPN name as indicated from SAP/Kerberos<SID> to SAP/<SID>, then it worked fine for us.

          Our string is: p:CN=SAP/<SID>@<domain>.<domain>.com

          Thanks

          Pradeep

          (0) 
          1. Vasudevan Vimalan

            Hi All,

            I am working on HP-UNIX and followed the steps below

            snc/identity/as=p:CN=AD-USER@Domain

            snc crtkey tab -s AD-user@Domain -p password

            IN Gui

            p:CN=AD-USER@Domain

            setspn -a SAP/AD-USER AD-USER

            Error:- gss-api(maj) no credentials were supplied

            Has anyone of you faced the issues above? If yes, any info on this will be appreciated.

            Thanks in advance

            (0) 
            1. Pradeep Gali

              Hi Vasudevan,

              We are on AIX and got the same error and this was due to the SPN name related with the AD account. Initially we had the SPN name as SAP/Kerberos<SID>; when we corrected this to SAP/<SID> then it worked for us.

              As Phillip mentioned this is very picky and needs to match exactly same.

              snc/identity/as = p:CN=SAP/<SID>@<domain>..com

              In SAP GUI our string is p:CN=SAP/<SID>@<domain>..com

              Please also make sure SAP is using the same certificate: STRUST - SNC SAPCryptolib - CN=SAP/<SID>@<domain>..com

              Thanks

              Pradeep

              (0) 
  3. Tim Alsop

    Hi,

    In the first line of this blog, it says “You have Solaris (or other UNIX) and you don’t want to pay for expensive third party libraries?”

    Can I suggest that you don’t mention the word ‘expensive’ since this gives the wrong impression. Often the products are NOT expensive, so it would be better if you just say ‘…and you don’t want to pay for third party SNC libraries’.

    Also, I wanted to point out that the third party products are offering more than just encryption. Some of them allow the user to authenticate using a single Active Directory domain user id and password when they logon to many SAP systems. When a user only has a single password and user id, they are more productive, and costs are reduced (e.g. helpdesk costs, costs of managing many passwords). From my experience (I have been working in this space for nearly 20 years) I find that the cost savings are higher than the license costs for such products. The return on investment is very quick.

    I hope you don’t mind me mentioning the above. I just wanted readers to know that just enabling encryption is not going to reduce costs (of course, it will improve security), and I feel that this blog is the right place to highlight this difference.

    Thanks

    Tim

    (0) 
    1. Phillip Hofmeister Post author

      I took out the word expensive, but I did keep the fact you have to pay for them as I have yet to find one that is free.

      FWIW, In the corporate world, it doesn’t matter if something is $10 or $500,000.  The amount of effort you have to expend to get that money is the same.  In that regard anything that isn’t free is “expensive”.

      (0) 
      1. Tim Alsop

        Phillip,

        Thank you for making the change.

        I wasn’t suggesting that third party libraries are free. I was trying to make the point that these libraries also include other functionality (reducing the number of passwords a user has to remember and increasing user productivity), which actually reduces costs. For example, let’s suppose the libraries cost $X. Then, after a number of months/years, the company has a total cost saving > $X, so you could say they effectively paid < $0 for the software as they have received > 100% ROI. This cannot be said about using free technology that only does encryption, which is described in this blog.

        Thanks,

        Tim

        (0) 
  4. Arkadiusz Janowski

    Hi Phillip,

    thanks for the great doc!

    Now I’m configuring a SNC-Scenario but I am facing problems with creating the keytab (Step 3.4).

    snc crtkeytab -s SAP/KerberosE01@USERDOM.LOCAL

    WARNING: Kerberos service user name contain a ‘/’, this is unusual !

    Syntax: <serviceUserName>@<domain> e.g. SAPService<sid>@SAP.COM

    Kerberos principle name must contain a ‘@’!

    Syntax: <serviceUserName>@<domain> e.g. SAPService<sid>@SAP.COM

    No keytab is created. Without the ‘/’ in the SPN it would work.

    It is strange!

    Maybe you have an idea?

    I am working on Windows.

    Thanks

    AJ

    (0) 
        1. Arkadiusz Janowski

          Hi All,

          here is some, maybe, interesting information.

          Due to some SLL-modifications in SP04 there are some changes at configuration side.

          The new doc you can find here:

          https://websmp208.sap-ag.de/~sapidb/011000358700001219782011

          Some interesting notes are:

          2057374 – Using SNC Client Encryption (SCE) for encrypting SAP GUI Connection 

          1696905 – SNC name configuration to support Kerberos and Certificates

          The major change is, that you now have to use the UPN instead of the SPN during keytab-operations.

          Example:

          UPN (AD-User): SAPServiceS01

          SPN:                SAP/ServiceS01

          Domain:           USRDOM.LOCAL

          PSE-Creation:

          snc crtpse -x PWDOFPSE

          snc crtkeytab -s SAPServiceK01@USRDOM.LOCAL -p PWDOFUSER

          Test with snc:

          E:\usr\sap\S01\DVEBMGS00\SLL>snc -O SAPServiceS01 status -V
          ——————————————————————————
          ———— status    ——————————————————-
          ——————————————————————————
          Product version     : Secure Login Library 1.0 SP 4 Patch 3
                              : CryptoLib            8.3.7.12
                              :                      windows-x86-64

          GSS library         : available
          GSS library name    : secgss.dll

          PSE directory       : (existing) E:\usr\sap\S01\DVEBMGS00\sec
          PSE file            : (existing) E:\usr\sap\S01\DVEBMGS00\sec\pse.zip
          STRUST cred file    : (existing) E:\usr\sap\S01\DVEBMGS00\sec\cred_v2
          SNC config file     : (existing) E:\usr\sap\S01\DVEBMGS00\SLL\gss.xml

          PSE accessible      : yes
          PSE logged in       : yes
          PSE credentials     : MasterPassword SystemDefault

          Kerberos keyTab     :  4 entries
          1: SAPServiceS01@USRDOM.LOCAL (KeyType DES)
          2: SAPServiceS01@USRDOM.LOCAL (KeyType AES128)
          3: SAPServiceS01@USRDOM.LOCAL (KeyType AES256)
          4: SAPServiceS01@USRDOM.LOCAL (KeyType RC4)
          ——————————————————————————
          SNC keys registered :  1 entries
          1: STRUST  certificate
              NAME       : CN=SAPServiceS01@USRDOM.LOCAL
              TYPE       : RSA      ENC SIG
              VALIDITY   : 380101000001Z
              URI        : toksw:E:\usr\sap\S01\DVEBMGS00\sec\SAPSNCS.pse
              KEYID      : 43657274
          ——————————————————————————

          Trusted certificates:
          from STRUST       :
          1: CN=SAPServiceS01@USRDOM.LOCAL

          In the Configuration of the SAP-Gui-Connection you can use SPN with the Domain-Name: p:CN=SAP/SAPServiceS01@USRDOM.LOCAL

          The set of my parameters was:

          ssl/ssl_lib = E:\usr\sap\S01\DVEBMGS00\exe\sapcrypto.dll

          sec/libsapsecu = $(ssl/ssl_lib)

          ssf/ssfapi_lib = $(ssl/ssl_lib)

          ssf/name = SAPSECULIB

          snc/gssapi_lib = E:\usr\sap\S01\DVEBMGS00\SLL\secgss.dll

          snc/enable = 1

          snc/identity/as = p:CN=SAPServiceS01@USRDOM.LOCAL

          snc/data_protection/max = 3

          snc/data_protection/min = 2

          snc/data_protection/use = 3

          snc/r3int_rfc_secure = 0

          snc/r3int_rfc_qop = 8

          snc/accept_insecure_cpic = 1

          snc/accept_insecure_gui = 1

          snc/accept_insecure_rfc = 1

          snc/permit_insecure_start = 1

          snc/force_login_screen = 0

          login/password_change_for_SSO = 0

          With these settings, SNC works fine for me 🙂

          Good Luck!

          AJ

          (0) 
  5. Mallik D

    Hi Phillip,


    Thanks for the document and it helped us to move forward configuring our SNC without SSO. Currently we are facing below error while trying to login into the system.


    GSS-API(maj): Miscellaneous failure

    GSS-API(min): A2210217: The verification of the Kerberos ticket failed target=”p:CN=SAP/KerberosSID@ABC.COM


    To give little more context on the architecture …. our SAP system is in a data center in a
    different domain and the users are in a different domain. We can say server is in XYZ.COM and users are in ABC.COM.


    We have created the service principal name in the MS ADS of ABC.COM and maintained snc/identity/as = p:CN=SAP/KerberosSID@ABC.COM and have done the other configurations as discussed in this blog.


    Post configuration we could see as below in the log which confirms that SNC is activated.


    N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

    N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

    N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)

    N  SncInit(): found snc/gssapi_lib=/usr/sap/SID/DVEBMGS72/SLL/libsecgss.so

    N    File “/usr/sap/SID/DVEBMGS72/SLL/libsecgss.so” dynamically loaded as GSS-API v2 lib

    N    The internal Adapter for the loaded GSS-API mechanism identifies as:

    N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x

    N  SncInit():   found snc/identity/as=p:CN=SAP/KerberosSID@ABC.COM

    N  SncInit(): Accepting  Credentials available, lifetime=Indefinite

    N  SncInit(): Initiating Credentials available, lifetime=Indefinite

    M  ***LOG R1Q=> p:CN=SAP/KerberosSID@ABC.COM [thxxsnc.c 265]

    M  SNC (Secure Network Communication) enabled

    Result of SNC command in SLL folder is as below

    ./snc

    Using command ‘status -v’, call with -h to see more commands


    Product version : Secure Login Library 1.0.2.2

    : CryptoLib 8.3.4.18

    : aix-6.1-ppc-64

    GSS library : available

    GSS library name : libsecgss.so

    PSE directory : (existing) /homeSID/SIDadm/se

    PSE file : (existing) /homeSID/SIDadm/sec/pse.zip

    STRUST cred file : (missing)/homeSID/SIDadm/sec/cred_v2

    SNC config file : (existing) /usr/sap/SID/DVEBMGS72/SLL/gss.xml

    PSE accessible : yes

    PSE logged in : yes

    PSE credentials :MasterPassword SystemDefault

    Kerberos keyTab : 4 entries

    SAP/KerberosSID@ABC.COM (KeyType DES)

    SAP/KerberosSID@ABC.COM (KeyType AES128)

    SAP/KerberosSID@ABC.COM(KeyType AES256)

    SAP/KerberosSID@ABC.COM(KeyType RC4)

    SNC keys registered : 0 entries

    Trusted certificates:


    Could you please suggest what could be causing the error we are getting and any inputs to resolve are highly appreciated.


    Thanks & Regards

    Mall

    (0) 
      1. Mallik D

        Thanks Arkadiusz for helping with inputs..

        We could find the above suggestions in SAP note 1837595 – “Secure Login Library Fixes for SP4 Patch Level 03” as well.

        We have now patched our SLL to SP04 patch 4. With earlier version we could not create keytab entries with user id as it was mandating for existence of “/” which would be there in a service principal name. Post the patching SLL to SP04 patch 4 we could now create keytab entries as required after deleting old ones. Post this also still getting the same error.

        As it is not mentioned to change the snc/identity/as parameter in the note, we just checked if changing keytab entries alone will work or not, but it hasn’t. We will now change this parameter and will test and will post back.

        In the meantime could anyone throw some light on how we could enable these traces, as what we could see in the below link is not helping to get any logs.

        Enabling Traces for SNC Client Encryption – Network and Transport Layer Security – SAP Library

        Thanks & Regards

        Malli

        (0) 
  6. Dipyaman Biswas

    This is in continuation of Malli’s post above. We are currently not able to connect to the system using SNC.  We are seeing an error – RFC connection cannot be created in STRUST PSE nodes as well as in SM51 – SNC status. We have also regenerated PSE.zip. However, deleting/creating the PSE using STRUST is not regenerating the cred_v2 file automatically. In the log file on our client machines, we are seeing errors like below:

    ERROR|SDK            |LOADER         |sec_get_SEC_DLL               |ERROR in DLL->sec_get_SEC_DLL(): Cannot load DLL

    —————————————————————————–

    TRACE|SDK            |SDK loader     |sec_get_SEC_DLL               |Failed to load secpse

    —————————————————————————–

    ERROR|SDK            |LOADER         |sec_get_API_locked            |ERROR in DLL->sec_get_API_locked(): Cannot load DLL

    —————————————————————————–

    TRACE|SDK            |SDK loader     |sec_get_API_locked            |Loading              SEC_PSE_1 unsuccessful

    —————————————————————————–

    ERROR|SDK            |BASE           |sec_ASC_get_PSE               |ERROR in DLL->sec_ASC_get_PSE(): Cannot load DLL

    —————————————————————————–

    TRACE|SDK            |GSS            |sec1_gss_inquire_cred         |Inquire creds (get cred info)

    ——————————————————————————————————-

    —————————————————————————–

    TRACE|SDK            |GSS            |gss_cache_client_getSession   |Cli-40000013: SessionCache(Client): Did not find or could not resume session.

    —————————————————————————–

    INFO |SDK            |GSS            |getPCI                        |Cli-40000013: No own key found

    —————————————————————————–

    ERROR|SDK            |GSS            |sec1_gss_get_clt_alg_prefs    |Have no certificate and got no kerberos ticket

    —————————————————————————–

    ERROR|SDK            |GSS            |message_create_client_hello   |Cli-40000013: –> Msg ClientHello         create  failed : errval=70000, minor_status=0

    —————————————————————————–

    INFO |SDK            |GSS            |sec1_gss_delete_sec_context   |Cli-40000013: Context deleted

    (0) 
  7. João Durão

    Hello Philip,

    First my congrats for the excellent How to!

    I have a question: with this scenario can we have connections to several domains? Meaning, can we have SNC without SSO with users from different domains?

    Thank you,
    João

    (0) 
  8. Valerie Kouatchou-Sunou

    Hi Phillip,

    The description in § 3 is not valid anymore. Since the correction described in the SAP Note 1837595, the keytab creation is not with the SPN@DOMAIN but with the UPN. Furthermore, the recommendation now is to use the CommonCryptoLib as backend library instead of the Secure Login Library 1.0. Please refer to the KBA 2057374 or the SNC Client Encryption Release Note 1643878.

    In § 4, the snc/identity/as profile parameter should be configured with the UPN, e.g. p:CN=KerberosABC@DOMAIN, and not the SPN@DOMAIN.

    In the SAP GUI configuration in § 5 step 6, the configuration with the SPN is still correct.

    In conclusion:

    – Keytab creation now with UPN on ABAP side

    – SAP GUI SNC configuration with SPN on Client side

    KR
    Valerie
    (0) 
  9. Andres Cosentino

    Hello Phillip.

    This is a very helpful doc, so I want to thank you in the first place. I would like to ask you something, maybe you can help me. I’ve made all steps as you described here, and as far as I could see, the SNC is working (at least the sync) because I can see the canonical name checked in transaction SU01. In addition, I see the SAPCryptolib green in transaction STRUST. However, when I try to logon with an AD user/password, I get the “SNC required for this connection” message. Do you have any idea what this is about? I was searching through the internet but I couldn’t find my scenario. As a comment let me tell you a doubt I have: how is the scenario supposed to work in which, with SNC enabled, you create a new user? I mean, how does the initial password work? Because if I set an initial password I guess the user will be required to write it in his first logon. So if he writes the initial password, what does the system do later? Ask for a new password or start to use the AD password? Because in the first case it would not make sense with the SNC functionality. Anyway, please let me know if you can give me any advice. Thanks in advance and best regards.

    Andrés.-

    (0) 
