Author: Former Member

Configuring SAP SNC without Single Sign-On on UNIX/Solaris/Linux

So, you want to enable SNC (without Single Sign On — SSO) in your environment?  You have Solaris (or other UNIX) and you don’t want to pay for third party libraries?

SAP has a solution for you!  But implementing the solution may be a nightmare.  SAP developed their own guide/documentation showing how to do this, but you may find following their documentation a bit troublesome.  It’s for this reason I developed this document.

Applicable Notes with Prerequisites

Some important notes to read beforehand are listed below.  There are three version prerequisites to watch out for: GUI, kernel, and SAP Basis component.

SAP OSS Note 1561161 – Enabling SAP GUI password logon despite using SNC.  This note discusses the kernel version and Basis support package prerequisites.

SAP OSS Note 1053737 – Versions of supported SAPGUIs

SAP OSS Note 1580808 – SAP Logon 7.20: “SNC logon w/o SSO” for connection entry

 

Tags below

In this document you will see the following tags used.  This section explains what you should substitute into the tag.

<SID> = Your System ID.

<Instance> = The name/number of the instance, ex: DVEBMGS## or D##.

<SPN> = Service Principal Name created in Active Directory

<ActiveDirectoryDomain> = The name of your Active Directory domain (fully qualified – ex: DomainName.YourOrganization.org).  If you don’t know what this should be, ask your Active Directory staff.

Our situation:

OS = Solaris 10

Database = Oracle

Hardware Platform = SPARC

You’ll need to search for and download the following:

1. SNC Client Encryption/Libraries 1.0

SAP’s Software Distribution Center -> Installations and Upgrades -> Search For Installations and Upgrades -> 51042493 OR

SAP’s Software Distribution Center -> Installations and Upgrades -> Browse our Download Catalog -> SAP Cryptographic Software -> SNC CLIENT ENCRYPTION 1.0 -> Installation -> 51042493 (or latest version)

2. SNC Client Encryption/Libraries 1.0 SP 02

SAP’s Software Distribution Center -> Support Packages and Patches -> Search Support Packages and Patches -> SLLIBRARY02_4-20008890 (This patch is for Solaris on SPARC 64 only) OR

SAP’s Software Distribution Center -> Support Packages and Patches -> Search Support Packages and Patches -> SLLIBRARY02

3. Latest SAPCrypto Lib

SAP’s Software Distribution Center -> Support Packages and Patches -> Browse our Download Catalog -> SAP Cryptographic Software -> SAPCryptolib for Updates

Now that you have downloaded what you need, let’s get to business!

1. Server Side Installation

1. Upload all files downloaded above to your server.

2. Unzip the library you downloaded in #1 above.

3. In a separate folder, un-sar the file you downloaded in #2 above.

4. Inside the unzipped archive (from Step 2) you will find a folder called “SECURE_LOGIN_LIBRARY”.  Inside it select the correct subfolder for your OS.  Hint: “Solaris” is often referred to as SunOS 5.  If you have Solaris 10 on SPARC (like us) you will want the folder called “sunos-5.10-sparc-64”.

5. Inside the unzipped archive (from Step 3) you will find a series of folders that match up to your operating system version.  Note the appropriate folder.

6. Go to /usr/sap/<SID>/<INSTANCE>.  Inside it create two directories (if they don’t already exist): “SLL” and “security”.  Note that the SECUDIR value set in sections 3 and 4 below points at /usr/sap/<SID>/<Instance>/sec, so the name of the security directory must match whatever path you put into SECUDIR.

7. Inside the SLL folder use SAPCAR to un-sar the “SECURELOGINLIB.SAR” which is in the folder you identified in Step 4.

8. While still inside the SLL folder use SAPCAR to un-sar the “SECURELOGINLIB.SAR” identified in Step 5.

9. Go to /sapmnt/<SID>/exe/.  Once inside it use SAPCAR to un-sar the file downloaded in #3 above.

2. Active Directory Preparation/Work

This solution requires that you use MS Active Directory (aka Domains).  For this section you will have to work with your organization’s active directory staff.

1. Have the active directory staff create a new service account for you.  The name of the account doesn’t really matter, just note what it is.

2. Set a strong account password.  Set the password to never expire and unchangeable.  Note the exact PaSsWoRd made here, you’ll need it later in section 3.

3. Inside the new account created in the previous step, have them create/assign a new “Service Principal Name” (SPN).  The name and case of this SPN is critical and must be followed precisely: SAP/Kerberos<SID> — as previously noted this entry is CaSe SeNsItIvE.  Hereafter this will be called <SPN>.

3. Server Side Config

1. Change directories to /usr/sap/<SID>/<Instance>/SLL

2. Set the environment variable “SECUDIR” to “/usr/sap/<SID>/<Instance>/sec”.  If you like/use bash (like me) do this by executing “export SECUDIR=/usr/sap/<SID>/<Instance>/sec”.

3. Create the PSE Environment.  Do this by executing “./snc crtpse” with your PWD (present working directory) being /usr/sap/<SID>/<INSTANCE>/SLL/.  You’ll be prompted to create a password.  The value of this password doesn’t matter, but note what you make it.

4. Create a keytab entry for the SPN created above.  Do this by executing “./snc crtkeytab -s <SPN>@<ActiveDirectoryDomain>”.  You will be prompted for a password.  This password must be the same as the password set when you created the Active Directory account in step 2-1.  The <ActiveDirectoryDomain> must be in ALL CAPS.

4. AS ABAP Configuration

1. Log into your SAP System GUI.

2. Start up transaction RZ10.  Set the following parameters in your instance (or DEFAULT.PFL, if you prefer) profile(s):

snc/permit_insecure_start 1
snc/accept_insecure_cpic 1
snc/r3int_rfc_qop 8
snc/r3int_rfc_secure 0
snc/data_protection/use 3
snc/data_protection/min 2
snc/data_protection/max 3
snc/identity/as p:CN=<SPN>@<ActiveDirectoryDomain> – The <ActiveDirectoryDomain> must be in ALL CAPS
snc/gssapi_lib /usr/sap/<SID>/<Instance>/SLL/libsecgss.so
snc/enable 0
snc/force_login_screen 1
snc/accept_insecure_rfc 1
snc/accept_insecure_gui 1
ssf/name (Suggested in DEFAULT.PFL) SAPSECULIB
ssf/ssfapi_lib $(ssl/ssl_lib)
ssl/ssl_lib $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
sec/libsapsecu $(ssl/ssl_lib)

3. Add the following entry to your start profile(s):

SETENV_XX (XX = next available value) SECUDIR=$(DIR_INSTANCE)/sec
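The profile values above are unforgiving: the SPN prefix is case sensitive, the domain must be upper case, and snc/enable must stay 0 until the SNC PSE exists.  As an added example (not part of the original post), the Python check below parses a profile fragment in "name = value" form and reports deviations from the list above; it uses the SID EQ2 from the dev_w0 trace shown later and a constructed domain EXAMPLE.ORG.

```python
import re

# Values the procedure sets in the instance profile.  snc/enable is handled
# separately because it must be 0 before the STRUST step and 1 after it.
EXPECTED_VALUES = {
    "snc/permit_insecure_start": "1",
    "snc/accept_insecure_cpic": "1",
    "snc/r3int_rfc_qop": "8",
    "snc/r3int_rfc_secure": "0",
    "snc/data_protection/use": "3",
    "snc/data_protection/min": "2",
    "snc/data_protection/max": "3",
    "snc/force_login_screen": "1",
    "snc/accept_insecure_rfc": "1",
    "snc/accept_insecure_gui": "1",
    "ssf/name": "SAPSECULIB",
    "ssf/ssfapi_lib": "$(ssl/ssl_lib)",
    "ssl/ssl_lib": "$(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)",
    "sec/libsapsecu": "$(ssl/ssl_lib)",
}

# p:CN=SAP/Kerberos<SID>@<DOMAIN>.  The SPN prefix is case sensitive, so the
# pattern is too; the domain case is checked separately to give a clear message.
IDENTITY_RE = re.compile(r"^p:CN=(?P<spn>SAP/Kerberos[A-Z0-9]{3})@(?P<domain>[^@\s]+)$")


def parse_profile(text):
    """Parse 'name = value' (or 'name value') lines of an SAP profile into a dict."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line:
            name, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            name, value = parts
        params[name.strip()] = value.strip()
    return params


def check_snc_profile(text, sid, pse_created=False):
    """Return a list of problems; an empty list means the profile matches the procedure.

    pse_created=False is the state before the STRUST step (snc/enable must be 0),
    pse_created=True is the state after it (snc/enable must be 1).
    """
    params = parse_profile(text)
    problems = []

    for name, expected in EXPECTED_VALUES.items():
        actual = params.get(name)
        if actual is None:
            problems.append(f"{name} is missing")
        elif actual != expected:
            problems.append(f"{name}={actual}, expected {expected}")

    want_enable = "1" if pse_created else "0"
    if params.get("snc/enable") != want_enable:
        problems.append(f"snc/enable must be {want_enable} at this stage")

    identity = params.get("snc/identity/as", "")
    match = IDENTITY_RE.match(identity)
    if not match:
        problems.append(f"snc/identity/as={identity!r} is not p:CN=SAP/Kerberos<SID>@<DOMAIN> (check case)")
    else:
        if match.group("spn") != f"SAP/Kerberos{sid}":
            problems.append(f"SPN {match.group('spn')} does not match SID {sid}")
        domain = match.group("domain")
        if domain != domain.upper():
            problems.append(f"domain {domain} must be in ALL CAPS")
        if "." not in domain:
            problems.append(f"domain {domain} is not a fully qualified AD domain name")

    lib = params.get("snc/gssapi_lib", "")
    if not lib.endswith("/SLL/libsecgss.so"):
        problems.append(f"snc/gssapi_lib={lib!r} should be <instance dir>/SLL/libsecgss.so")
    return problems


# Constructed sample profile: SID EQ2, instance DVEBMGS51, invented domain EXAMPLE.ORG.
GOOD_PROFILE = """\
snc/permit_insecure_start = 1
snc/accept_insecure_cpic = 1
snc/r3int_rfc_qop = 8
snc/r3int_rfc_secure = 0
snc/data_protection/use = 3
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/identity/as = p:CN=SAP/KerberosEQ2@EXAMPLE.ORG
snc/gssapi_lib = /usr/sap/EQ2/DVEBMGS51/SLL/libsecgss.so
snc/enable = 0
snc/force_login_screen = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
ssf/name = SAPSECULIB
ssf/ssfapi_lib = $(ssl/ssl_lib)
ssl/ssl_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
sec/libsapsecu = $(ssl/ssl_lib)
"""

# The same profile with two common mistakes: lowercase domain and snc/enable
# switched on before the SNC PSE exists.
BAD_PROFILE = GOOD_PROFILE.replace("@EXAMPLE.ORG", "@example.org").replace("snc/enable = 0", "snc/enable = 1")

if __name__ == "__main__":
    for label, profile in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(label, check_snc_profile(profile, "EQ2") or "OK")
```

Run it against the activated copy of your instance profile in /sapmnt/<SID>/profile, not only against what RZ10 shows, since an unactivated change is one of the failure modes discussed in the comments.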

4. Exit AS ABAP/Log off.

5. Restart the SAP System.

6. Once the system is restarted, go to transaction STRUST.

7. In transaction STRUST you will now find an entry in the left pane that says “SNC SAPCryptolib”.  It should have a red “X” next to it.  Right click on it and select “Create”.  You’ll notice the “SNC ID” is already filled in for you.  Select RSA and an appropriate key size, then click the green check mark.

8. Go back to RZ10.  Change the value of “snc/enable” to 1.

9. Log out and restart the SAP system again.

Once you’ve restarted the system you can look in /usr/sap/<SID>/<Instance>/work/dev_w0 and see something like this:

N Wed Aug 14 13:45:01 2013
N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)
N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=/usr/sap/EQ2/DVEBMGS51/SLL/libsecgss.so
N    File “/usr/sap/<SID>/<Instance>/SLL/libsecgss.so” dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x
N  SncInit():   found snc/identity/as=p:CN=<SPN>@<ActiveDirectoryDomain>
N  SncInit(): Accepting  Credentials available, lifetime=Indefinite
N  SncInit(): Initiating Credentials available, lifetime=Indefinite
M  ***LOG R1Q=> p:CN=<SPN>@<ActiveDirectoryDomain> [thxxsnc.c    266]
M  SNC (Secure Network Communication) enabled

If you don’t see this but instead see errors, chances are your ABAP system no longer works (good job).  You’ll have to manually edit your instance profile in /sapmnt/<SID>/profile and set snc/enable to 0.  Then restart your system and troubleshoot (good luck).

5. PC SNC Client Installation/Config

1. Inside the main SNC library file you downloaded above in file download step 1, you’ll find an “SNC_CLIENT_ENCRYPTION” folder.  On your PC execute the “SapSncClientEncryption.exe” file you’ll find in this folder.  If you already have the “SNC Client Encryption” installed, I’d recommend you uninstall it and re-install it, just to make sure you have a compatible version.

2. After completing the previous step, start up the SAP GUI on your workstation.

3. In the GUI right click on the logon entry representing the SAP you are working on.  Select “Properties” from the context menu that pops up.

4. On the window that pops up, select the “Network” tab.

5. Check the box that says “Activate Secure Network Communications”.

6. Enter the “SNC Name” as follows: p:CN=<SPN>@<ActiveDirectoryDomain>

7. Select “Maximum security settings available”

8. Check the box “SNC logon with user/password (no Single Sign-On)”

You’ve done it.  Now all that’s left is to pray to the deity of your choosing <grin>.  If he/she smiles upon you, you should be able to log in to your SAP system.  You’ll note a lock (which was previously open) in the lower right hand of your GUI screen in the status bar.

6. Troubleshooting

For troubleshooting SNC issues on the client side, consider reading this document on the SAP help site or via Google: “Enabling Traces for SNC Client Encryption”.

48 Comments

      Former Member:

      Parameter snc/enable =0 not enable

      set snc/enable  to 1

      Former Member (Blog Post Author):

      Yes.  You'll notice later on in the document it says to enable SNC.  If you enable SNC before you complete the setup, the system will not be usable.

      Former Member:

      Being new to SNC, I want to know about the use of Active Directory Preparation. Can we do the SNC configuration without single sign-on and without Active Directory Preparation?

      I am configuring SAP SNC on ECC, with RHEL as the OS.

      Former Member (Blog Post Author):

      Hello M. Prabhu:

      Sadly, I know of no way to do it other than using Active Directory.  Active Directory is used to authenticate the server/system to the desktop.

      To do it without Active Directory would be outside of my experience.  Check the SAP guide referenced in my second paragraph.  If you can figure something out, I hope you will document it as well.

      Best of luck...

      Former Member:

      Hi Phillip,

      Being new to SNC, I want further clarification on the following about the Active Directory step:

      1. As per the above steps the Service Principal Name could be used as SAP<SID> or KerberosSID. Also, as I am going to implement it on the whole landscape (dev, qas & prd systems), do I have to make different SPNs for each system or can I use a single SPN for the whole landscape, say for example "SAPECC/KerberosECC"?

      Former Member (Blog Post Author):

      Hello Mr. Prabhu:

      The SPN must be SID specific and it is CaSe SeNsiTiVE.  The service account name can be anything, but the SPN must be SAP/Kerberos<SID> (SID is all caps) where SID is your system ID.

      You'll need to know the password for the Service Account and it should be marked:

      * Never Expire

      * Unchangeable

      You'll need the Password for the service account when you create the Keytab with the "snc crtkeytab" command.

      Feel free to let me know if you have any further questions or need help troubleshooting.

      Former Member:

      Hi Phillip,

      As you said, the SPN must be SID specific plus unchangeable (password-wise and user-type-wise).

      As I will be configuring SNC in the landscape (dev, qas, prd), I think I have to make a separate SPN per SID in my landscape (for example SAPdev, SAPqas, SAPprd for the whole landscape).

      Please correct me on the above if I am wrong.

      Former Member (Blog Post Author):

      Unless you have Dev, QA, and Production on the same system (which would be a folly), you'll need a different SPN for each system.

      Priya Bharath Yadlapalli:

      Hi Philip,

      I have followed your steps very closely, but at some steps the guide seems to be for advanced users (perhaps not)

      I am presently stuck at this step

      3. Create the PSE Environment.  Do this by executing: "./snc crtpse".  You'll be prompted to create a password.  The value of this password doesn't matter, but note what you make it.

      How do I do that? From cmd? When I run that it says snc is not a recognized program; what could I be missing?

      This blog is very much relevant to what I want to achieve. Please assist; thanks so much for your blog and excellent support for the rest of us. 🙂

      Former Member (Blog Post Author):

      Hi Jack,

      I've updated the instructions to include an answer to your question.

      Priya Bharath Yadlapalli:

      Thanks for the very quick response. Now I am done with that step and have been struggling with another step, actually not a step but rather an output.

      Problem:

      Question(s)

      Qn1

      When you say domain, should it be host.domainname? For example abc is my hostname (where Active Directory is installed) and def.com is my domain.

      So far I have assumed that I have to just use def.com at every instruction where you mentioned domain name.

      Qn2

      SETENV_XX (XX = next available value)   SECUDIR=$(DIR_INSTANCE)/sec

      For now I have this; I added this in one whole line.

      SETENV_01 SECUDIR=$(DIR_INSTANCE)/sec

      The XX in the above statement is very confusing to me. (Also in my Windows do I need this?)

      When I try to login I am getting this error.

      [screenshot of the logon error; image not included]

      BTW, a few things to take note of: my environment is Windows, so I managed to find this

      http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0f9efa8-c207-2f10-119b-b3f3bc905ad5?QuickLink=index&…




      Priya Bharath Yadlapalli:

      Hi Philip, awaiting your expert suggestion, tks

      Former Member (Blog Post Author):

      Hi Jack,

      I'm a weekday warrior (Monday-Friday -- 8:30-5:30).  Please excuse the delayed response.

      With regards to your problem, I'd suggest you look at the parameters specified in RZ10 very carefully and then double check that those parameters were correctly "activated" on the filesystem copy of the profiles. There are MANY parameters in this setup (sadly) and if you miss or incorrectly set just one of them, the whole system will not work.

      Answer 1:

      When I say ActiveDirectoryDomain, I mean the DNS name of your Active Directory.  If you are unsure what this is, you should contact your Active Directory staff for your organization.  I do *NOT* mean hostname.  In your example, if def.com is your company's Active Directory domain name, you should use def.com.  A defect in this area would not become apparent until you go to log in to the SAP System with your GUI.

      Answer 2: I do not see SID in your string, see the instructions:

      6. Enter the "SNC Name" as follows: p:CN=<SPN>@<ActiveDirectoryDomain>

      Please re-read #3 under "2. Active Directory Preparation/Work".  As I said it's very critical each configuration piece be set precisely.  If you have a specific question of interpretation, please ask.

      Priya Bharath Yadlapalli:

      Hi Philip,

      Sorry for not updating you regarding the progress.

      A big thanks to you, I managed to get SNC working, but only on that server. BUT the problem is this now: I am trying to log in to the server that is not on the domain but can connect to the server without SNC enabled. Hence the earlier screenshot with the error I am getting.

      So to summarise, SNC IS WORKING! (guess my deity is just giving a smirk, but not really smiling! 🙂 ) Please assist, thanks.

      Former Member (Blog Post Author):

      Hi Jack.

      In order for this solution to work, the server and client must be on the same Active Directory domain, or at the very least the client domain must trust the domain the server is in.

      I hope this helps?

      Priya Bharath Yadlapalli:

      Oh, OK, let me give that a try and update you again tomorrow. Thanks!

      But is there any other solution to make this work not only on the domain?

      Former Member (Blog Post Author):

      Not that I know of.  Maybe you could do some research and write about it if you find such a solution.  I'd be interested.  FWIW, I looked when in the process of developing this and I could find no such solution.

      Former Member:

      Hi Philip

      I am having the same error as in the screenshot by Jack. My Active Directory domain is newly created for SAP. My Windows client and Unix server machine are on different domains. Do I need any trust between these domains?

      Jack,

      Were you able to resolve your issue ?

      Former Member (Blog Post Author):

      Hi Kumar,

      The desktop must be a part of a Windows domain.  There must be a Service Account in that domain for this system and the Service Account must have an associated Service Principal Name (SPN) as specified above.  It is CaSe SeNsiTiVe.

      The *nix server doesn't have to be a part of the Windows Domain.  I don't even know if it is possible for a *nix server to join a windows domain.  That being said, the SNC command must reference the windows domain as specified in section 3 above.

      Former Member:

      I got my SAPGUI able to launch with active SNC from the domain that is used as AD for SAP. But when I log in with one of the AD users that is mapped with SNC name p:CN=<User>@DOMAIN.LOCAL, it errors out / does not log in, with the message "You have no password; you cannot log on using a password".

      Former Member (Blog Post Author):

      Hi Kumar.

      I've added Section 6 titled Troubleshooting that may assist you in resolving your problem...?

      Former Member:

      Hello Jack,

      Can you share with us how you solved the error in the screenshot?

      Thank you,
      João

      Former Member:

      Hi Jack,

      How did you manage to solve the error shown in the screenshot?

      Pradeep Gali:

      We are on AIX and the above steps worked fine for us. Initially we got a No Credentials error message, but we corrected the SPN name as indicated from SAP/Kerberos<SID> to SAP/<SID> and then it worked fine for us.

      Our string is: p:CN=SAP/<SID>@<domain>.<domain>.com

      Thanks

      Pradeep

      Former Member:

      Hi All,

      I am working on HP-UNIX and followed the steps below:

      snc/identity/as=p:CN=AD-USER@Domain

      snc crtkey tab -s AD-user@Domain -p password

      In GUI:

      p:CN=AD-USER@Domain

      setspn -a SAP/AD-USER AD-USER

      Error:- gss-api(maj) no credentials were supplied

      Has any one of you faced the issue above? If yes, any info on this will be appreciated.

      Thanks in advance

      Pradeep Gali:

      Hi Vasudevan,

      We are on AIX and got the same error, and this was due to the SPN name related to the AD account. Initially we had the SPN name as SAP/Kerberos<SID>; when we corrected this to SAP/<SID> then it worked for us.

      As Phillip mentioned, this is very picky and needs to match exactly.

      snc/identity/as = p:CN=SAP/<SID>@<domain>..com

      In SAP GUI our string is p:CN=SAP/<SID>@<domain>..com

      Please also make sure SAP is using the same certificate: STRUST - SNC SAPCryptolib - CN=SAP/<SID>@<domain>..com

      Thanks

      Pradeep

      Tim Alsop:

      Hi,

      In the first line of this blog, it says "You have Solaris (or other UNIX) and you don't want to pay for expensive third party libraries?"

      Can I suggest that you don't mention the word 'expensive', since this gives the wrong impression. Often the products are NOT expensive, so it would be better if you just said '...and you don't want to pay for third party SNC libraries'.

      Also, I wanted to point out that the third party products are offering more than just encryption. Some of them allow the user to authenticate using a single Active Directory domain user id and password when they logon to many SAP systems. When a user only has a single password and user id, they are more productive, and costs are reduced (e.g. helpdesk costs, costs of managing many passwords). From my experience (I have been working in this space for nearly 20 years) I find that the cost savings are higher than the license costs for such products. The return on investment is very quick.

      I hope you don't mind me mentioning the above. I just wanted readers to know that just enabling encryption is not going to reduce costs (of course, it will improve security), and I feel that this blog is the right place to highlight this difference.

      Thanks

      Tim

      Former Member (Blog Post Author):

      I took out the word expensive, but I did keep the fact you have to pay for them as I have yet to find one that is free.

      FWIW, In the corporate world, it doesn't matter if something is $10 or $500,000.  The amount of effort you have to expend to get that money is the same.  In that regard anything that isn't free is "expensive".

      Tim Alsop:

      Phillip,

      Thank you for making the change.

      I wasn't suggesting that third party libraries are free. I was trying to make the point that these libraries also include other functionality (reducing the number of passwords a user has to remember and increasing user productivity), which actually reduces costs. For example, let's suppose the libraries cost $X. Then, after a number of months/years, the company has a total cost saving > $X, so you could say they effectively paid < $0 for the software as they have received > 100% ROI. This cannot be said about using free technology that only does encryption, which is described in this blog.

      Thanks,

      Tim

      Former Member:

      Hi Phillip,

      SAP Note '0051042493' does not exist, what is the right note ?


      Kumar

      Former Member (Blog Post Author):

      51042493 is NOT a note number, but rather a CD/DVD number that is available at the SWDC.

      Former Member:

      Hi Phillip,

      thanks for the great doc!

      Now I'm configuring an SNC scenario but I am facing problems with creating the keytab (Step 3.4).

      snc crtkeytab -s SAP/KerberosE01@USERDOM.LOCAL

      WARNING: Kerberos service user name contain a '/', this is unusual !

      Syntax: <serviceUserName>@<domain> e.g. SAPService<sid>@SAP.COM

      Kerberos principle name must contain a '@'!

      Syntax: <serviceUserName>@<domain> e.g. SAPService<sid>@SAP.COM

      No keytab is created. Without the '/' in the SPN it would work.

      It is strange!

      Maybe you have an idea?

      I am working on Windows.

      Thanks

      AJ

      Former Member (Blog Post Author):

      Try wrapping your SPN@Domain with 's or "s.  Try both....

      Former Member:

      Hi Phillip,

      this was my first idea. I have tried all kinds of notation.

      I have opened a customer message at SAP.

      Best regards

      AJ

      Former Member:

      Hi All,

      here is some information that may be interesting.

      Due to some SLL modifications in SP04 there are some changes on the configuration side.

      You can find the new doc here:

      https://websmp208.sap-ag.de/~sapidb/011000358700001219782011

      Some interesting notes are:

      2057374 - Using SNC Client Encryption (SCE) for encrypting SAP GUI Connection

      1696905 - SNC name configuration to support Kerberos and Certificates

      The major change is, that you now have to use the UPN instead of the SPN during keytab-operations.

      Example:

      UPN (AD-User): SAPServiceS01

      SPN:                SAP/ServiceS01

      Domain:           USRDOM.LOCAL

      PSE-Creation:

      snc crtpse -x PWDOFPSE

      snc crtkeytab -s SAPServiceK01@USRDOM.LOCAL -p PWDOFUSER

      Test with snc:

      E:\usr\sap\S01\DVEBMGS00\SLL>snc -O SAPServiceS01 status -V
      ------------------------------------------------------------------------------
      ------------ status    -------------------------------------------------------
      ------------------------------------------------------------------------------
      Product version     : Secure Login Library 1.0 SP 4 Patch 3
                          : CryptoLib            8.3.7.12
                          :                      windows-x86-64

      GSS library         : available
      GSS library name    : secgss.dll

      PSE directory       : (existing) E:\usr\sap\S01\DVEBMGS00\sec
      PSE file            : (existing) E:\usr\sap\S01\DVEBMGS00\sec\pse.zip
      STRUST cred file    : (existing) E:\usr\sap\S01\DVEBMGS00\sec\cred_v2
      SNC config file     : (existing) E:\usr\sap\S01\DVEBMGS00\SLL\gss.xml

      PSE accessible      : yes
      PSE logged in       : yes
      PSE credentials     : MasterPassword SystemDefault

      Kerberos keyTab     :  4 entries
      1: SAPServiceS01@USRDOM.LOCAL (KeyType DES)
      2: SAPServiceS01@USRDOM.LOCAL (KeyType AES128)
      3: SAPServiceS01@USRDOM.LOCAL (KeyType AES256)
      4: SAPServiceS01@USRDOM.LOCAL (KeyType RC4)
      ------------------------------------------------------------------------------
      SNC keys registered :  1 entries
      1: STRUST  certificate
          NAME       : CN=SAPServiceS01@USRDOM.LOCAL
          TYPE       : RSA      ENC SIG
          VALIDITY   : 380101000001Z
          URI        : toksw:E:\usr\sap\S01\DVEBMGS00\sec\SAPSNCS.pse
          KEYID      : 43657274
      ------------------------------------------------------------------------------

      Trusted certificates:
      from STRUST       :
      1: CN=SAPServiceS01@USRDOM.LOCAL

      In the Configuration of the SAP-Gui-Connection you can use SPN with the Domain-Name: p:CN=SAP/SAPServiceS01@USRDOM.LOCAL

      The set of my parameters was:

      ssl/ssl_lib = E:\usr\sap\S01\DVEBMGS00\exe\sapcrypto.dll

      sec/libsapsecu = $(ssl/ssl_lib)

      ssf/ssfapi_lib = $(ssl/ssl_lib)

      ssf/name = SAPSECULIB

      snc/gssapi_lib = E:\usr\sap\S01\DVEBMGS00\SLL\secgss.dll

      snc/enable = 1

      snc/identity/as = p:CN=SAPServiceS01@USRDOM.LOCAL

      snc/data_protection/max = 3

      snc/data_protection/min = 2

      snc/data_protection/use = 3

      snc/r3int_rfc_secure = 0

      snc/r3int_rfc_qop = 8

      snc/accept_insecure_cpic = 1

      snc/accept_insecure_gui = 1

      snc/accept_insecure_rfc = 1

      snc/permit_insecure_start = 1

      snc/force_login_screen = 0

      login/password_change_for_SSO = 0

      With these settings, SNC works fine for me 🙂

      Good Luck!

      AJ

      Former Member:

      Hi Phillip,

      Thanks for the document; it helped us to move forward configuring our SNC without SSO. Currently we are facing the error below while trying to log in to the system.


      GSS-API(maj): Miscellaneous failure

      GSS-API(min): A2210217: The verification of the Kerberos ticket failed target="p:CN=SAP/KerberosSID@ABC.COM


      To give a little more context on the architecture .... our SAP system is in a data center in a different domain and the users are in a different domain. We can say the server is in XYZ.COM and the users are in ABC.COM.


      We have created the service principal name in the MS ADS of ABC.COM and maintained snc/identity/as = p:CN=SAP/KerberosSID@ABC.COM and have done the other configurations as discussed in this blog.


      Post configuration we could see as below in the log which confirms that SNC is activated.


      N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

      N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

      N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)

      N  SncInit(): found snc/gssapi_lib=/usr/sap/SID/DVEBMGS72/SLL/libsecgss.so

      N    File "/usr/sap/SID/DVEBMGS72/SLL/libsecgss.so" dynamically loaded as GSS-API v2 lib

      N    The internal Adapter for the loaded GSS-API mechanism identifies as:

      N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x

      N  SncInit():   found snc/identity/as=p:CN=SAP/KerberosSID@ABC.COM

      N  SncInit(): Accepting  Credentials available, lifetime=Indefinite

      N  SncInit(): Initiating Credentials available, lifetime=Indefinite

      M  ***LOG R1Q=> p:CN=SAP/KerberosSID@ABC.COM [thxxsnc.c 265]

      M  SNC (Secure Network Communication) enabled

      The result of the SNC command in the SLL folder is as below:

      ./snc

      Using command 'status -v', call with -h to see more commands

      Product version : Secure Login Library 1.0.2.2
      : CryptoLib 8.3.4.18
      : aix-6.1-ppc-64
      GSS library : available
      GSS library name : libsecgss.so
      PSE directory : (existing) /homeSID/SIDadm/se
      PSE file : (existing) /homeSID/SIDadm/sec/pse.zip
      STRUST cred file : (missing)/homeSID/SIDadm/sec/cred_v2
      SNC config file : (existing) /usr/sap/SID/DVEBMGS72/SLL/gss.xml
      PSE accessible : yes
      PSE logged in : yes
      PSE credentials :MasterPassword SystemDefault
      Kerberos keyTab : 4 entries
      SAP/KerberosSID@ABC.COM (KeyType DES)
      SAP/KerberosSID@ABC.COM (KeyType AES128)
      SAP/KerberosSID@ABC.COM(KeyType AES256)
      SAP/KerberosSID@ABC.COM(KeyType RC4)
      SNC keys registered : 0 entries
      Trusted certificates:


      Could you please suggest what could be causing the error we are getting and any inputs to resolve are highly appreciated.


      Thanks & Regards

      Mall

      Former Member:

      Hi,

      please try the following:

      UPD (Username): KerberosSID

      SPN                 : SAP/KerberosSID

      snc crtkeytab -s SAPKerberosSID@ABC.COM -p PWDOFUSER

      In the profile set the following:

      snc/identity/as = p:CN=SAPKerberosSID@ABC.COM

      In the GUI connection set the following:

      p:CN=SAP/SAPKerberosSID@ABC.COM

      It worked for me 🙂

      Best Regards

      Arkadiusz

      Former Member

      Thanks Arkadiusz for helping with inputs.

      We could find the above suggestions in SAP note 1837595 - "Secure Login Library Fixes for SP4 Patch Level 03" as well.

      We have now patched our SLL to SP04 patch 4. With the earlier version we could not create keytab entries with a user id, as it required the presence of a "/", which would be there in a service principal name. After patching SLL to SP04 patch 4 we could create the keytab entries as required, after deleting the old ones. After this we are still getting the same error.

      As the note does not mention changing the snc/identity/as parameter, we just checked whether changing the keytab entries alone would work, but it hasn't. We will now change this parameter, test, and post back.

      In the meantime, could anyone throw some light on how we could enable these traces, as what we could see in the link below is not helping to get any logs.

      Enabling Traces for SNC Client Encryption - Network and Transport Layer Security - SAP Library

      Thanks & Regards

      Malli

      Former Member

      Hi Malik,

      you will find useful information about the traces on page 30 in the ConfGuide:

      https://websmp208.sap-ag.de/~sapidb/011000358700001219782011

      I created the two files exactly as mentioned in this guide (in c:\sec on Windows).

      They have to exist on the box SAP is running on.

      On Unix/Linux this should be:

      $HOME/sec or /etc/sec

      After restarting the instance you will find the traces in this directory.

      Best regards

      AJ

      Former Member

      This is in continuation with Malli's post above. We are currently not able to connect to the system using SNC.  We are seeing an error - RFC connection cannot be created in STRUST PSE nodes as well as in SM51 - SNC status. We have also regenerated PSE.zip. However, deleting/creating the PSE using STRUST is not regenerating the cred_v2 file automatically. In the log file on our client machines, we are seeing errors like below:

      ERROR|SDK            |LOADER         |sec_get_SEC_DLL               |ERROR in DLL->sec_get_SEC_DLL(): Cannot load DLL

      -----------------------------------------------------------------------------

      TRACE|SDK            |SDK loader     |sec_get_SEC_DLL               |Failed to load secpse

      -----------------------------------------------------------------------------

      ERROR|SDK            |LOADER         |sec_get_API_locked            |ERROR in DLL->sec_get_API_locked(): Cannot load DLL

      -----------------------------------------------------------------------------

      TRACE|SDK            |SDK loader     |sec_get_API_locked            |Loading              SEC_PSE_1 unsuccessful

      -----------------------------------------------------------------------------

      ERROR|SDK            |BASE           |sec_ASC_get_PSE               |ERROR in DLL->sec_ASC_get_PSE(): Cannot load DLL

      -----------------------------------------------------------------------------

      TRACE|SDK            |GSS            |sec1_gss_inquire_cred         |Inquire creds (get cred info)

      -------------------------------------------------------------------------------------------------------

      -----------------------------------------------------------------------------

      TRACE|SDK            |GSS            |gss_cache_client_getSession   |Cli-40000013: SessionCache(Client): Did not find or could not resume session.

      -----------------------------------------------------------------------------

      INFO |SDK            |GSS            |getPCI                        |Cli-40000013: No own key found

      -----------------------------------------------------------------------------

      ERROR|SDK            |GSS            |sec1_gss_get_clt_alg_prefs    |Have no certificate and got no kerberos ticket

      -----------------------------------------------------------------------------

      ERROR|SDK            |GSS            |message_create_client_hello   |Cli-40000013: --> Msg ClientHello         create  failed : errval=70000, minor_status=0

      -----------------------------------------------------------------------------

      INFO |SDK            |GSS            |sec1_gss_delete_sec_context   |Cli-40000013: Context deleted
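      The client trace above has a regular shape (LEVEL|component|module|function|message, with dashed rules between entries), so it can be triaged with a few lines of code. The following Python script is an added example for this thread, not part of the post and not an SAP tool; the sample text is a constructed copy of the fragment quoted above, and the two cause descriptions are the editor's reading of the messages shown (a library that fails to load, and a client with neither certificate nor Kerberos ticket), not text from the library's documentation.

```python
"""Triage the Secure Login Library client trace format quoted above
(LEVEL|component|module|function|message, separated by dashed rules).
Added example, not part of the post; SAMPLE_TRACE is a constructed copy
of the log fragment in the post."""
import re
from collections import Counter

SAMPLE_TRACE = """\
ERROR|SDK            |LOADER         |sec_get_SEC_DLL               |ERROR in DLL->sec_get_SEC_DLL(): Cannot load DLL
-----------------------------------------------------------------------------
TRACE|SDK            |SDK loader     |sec_get_SEC_DLL               |Failed to load secpse
-----------------------------------------------------------------------------
ERROR|SDK            |LOADER         |sec_get_API_locked            |ERROR in DLL->sec_get_API_locked(): Cannot load DLL
-----------------------------------------------------------------------------
TRACE|SDK            |SDK loader     |sec_get_API_locked            |Loading              SEC_PSE_1 unsuccessful
-----------------------------------------------------------------------------
ERROR|SDK            |BASE           |sec_ASC_get_PSE               |ERROR in DLL->sec_ASC_get_PSE(): Cannot load DLL
-----------------------------------------------------------------------------
TRACE|SDK            |GSS            |sec1_gss_inquire_cred         |Inquire creds (get cred info)
-----------------------------------------------------------------------------
TRACE|SDK            |GSS            |gss_cache_client_getSession   |Cli-40000013: SessionCache(Client): Did not find or could not resume session.
-----------------------------------------------------------------------------
INFO |SDK            |GSS            |getPCI                        |Cli-40000013: No own key found
-----------------------------------------------------------------------------
ERROR|SDK            |GSS            |sec1_gss_get_clt_alg_prefs    |Have no certificate and got no kerberos ticket
-----------------------------------------------------------------------------
ERROR|SDK            |GSS            |message_create_client_hello   |Cli-40000013: --> Msg ClientHello         create  failed : errval=70000, minor_status=0
-----------------------------------------------------------------------------
INFO |SDK            |GSS            |sec1_gss_delete_sec_context   |Cli-40000013: Context deleted
"""

SESSION_RE = re.compile(r"\b(Cli-\d+)\b")

# Message fragments seen in the post and what they tell a defender (editor's reading).
KNOWN_CAUSES = (
    ("Cannot load DLL",
     "a Secure Login Library component (secpse) could not be loaded on the client; "
     "check the SNC Client Encryption installation and the library path"),
    ("Have no certificate and got no kerberos ticket",
     "the client holds neither an X.509 credential nor a Kerberos ticket, "
     "so it cannot build the ClientHello and the handshake fails"),
)


def parse_trace(text):
    """Split the trace into dicts; dashed separator lines and malformed lines are dropped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        parts = [p.strip() for p in line.split("|", 4)]
        if len(parts) != 5:
            continue
        level, component, module, function, message = parts
        m = SESSION_RE.search(message)
        records.append({"level": level, "component": component, "module": module,
                        "function": function, "message": message,
                        "session": m.group(1) if m else None})
    return records


def summarize(records):
    """Counts per level, the functions that reported ERROR (in order), and session ids seen."""
    levels = Counter(r["level"] for r in records)
    failed = [r["function"] for r in records if r["level"] == "ERROR"]
    sessions = sorted({r["session"] for r in records if r["session"]})
    return {"levels": dict(levels), "failed_functions": failed, "sessions": sessions}


def diagnose(records):
    """Map ERROR messages to the known causes above; each hint is reported once."""
    hints = []
    for r in records:
        if r["level"] != "ERROR":
            continue
        for fragment, hint in KNOWN_CAUSES:
            if fragment in r["message"] and hint not in hints:
                hints.append(hint)
    return hints


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    print(summarize(recs))
    for h in diagnose(recs):
        print("-", h)
```

      The order of the ERROR entries is the useful part: the three "Cannot load DLL" failures come before the GSS layer reports that it has no credential, so the missing credential is a consequence of the loader failure rather than a separate problem to chase.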

      Former Member

      Have any one of you faced the issues as above? If yes, any info on this will be appreciated.

      Thanks & Regards,

      Dipyaman

      Former Member

      Hello Philip,

      First my congrats for the excellent How to!

      I have a question: with this scenario, can we have connections to several domains? Meaning, can we have SNC without SSO with users from different domains?

      Thank you,
      João

      Former Member

      Hi Phillip,

      The description in § 3 is not valid anymore. Since the correction described in SAP Note 1837595, the keytab creation is not with the SPN@DOMAIN but with the UPN. Furthermore, the recommendation now is to use the CommonCryptoLib as backend library instead of the Secure Login Library 1.0. Please refer to the KBA 2057374 or the SNC Client Encryption Release Note 1643878.

      In § 4, the snc/identity/as profile parameter should be configured with the UPN, e.g. p:CN=KerberosABC@DOMAIN, and not the SPN@DOMAIN.

      In the SAP GUI configuration in § 5 step 6, the configuration with the SPN is still correct.

      In conclusion:

      - Keytab creation now with UPN on ABAP side

      - SAP GUI SNC configuration with SPN on Client side

      KR
      Valerie
      Former Member

      Great "How To" !  Worked perfectly.  Stealing this doc.  Thank you!

      Former Member

      Hello Phillip.

      This is a very helpful doc, so I want to thank you in the first place. I would like to ask you something; maybe you can help me. I've done all the steps as you described here, and as far as I can see, the SNC is working (at least the sync), because I can see the canonical name checked in transaction SU01. In addition, I see the sapcryptolib green in transaction STRUST. However, when I try to log on with an AD user/password, I get the "SNC required for this connection" message. Do you have any idea what this is about? I was searching through the internet but I couldn't find my scenario. As a comment, let me tell you a doubt I have: how is the scenario supposed to work in which, with SNC enabled, you create a new user? I mean, how does the initial password work? Because if I set an initial password I guess the user will be required to enter it at his first logon. So if he enters the initial password, what does the system do later? Ask for a new password or start to use the AD password? Because in the first case it would make no sense with the SNC functionality. Anyway, please let me know if you can give me any advice. Thanks in advance and best regards.

      Andrés.-

      Andreas Zigann

      Hello Andrés,

      this is a blog especially for the case of not using SSO. For using SSO I had implemented a POC of SAP SSO. It was really easy to configure for Kerberos, but you depend on a Windows domain. The documentation is really good - for SSO from Windows to ABAP, e.g. https://help.sap.com/doc/7d3f26c449524c54b5d8232e11f0a771/3.0/en-US/SecureLoginForSAPSSO3.0_UACP.pdf

      If I understand your issue you seem not to have to check SNC configuration again.

      Best regards

      Andreas

      Former Member

      SNC Client Encryption without SSO. Instruction in detail

      Hi.

      I need help.

      I am setting up the SNC Client Encryption solution for an ABAP sandbox (for a later implementation in prod).

      And I can't find full instructions with correct examples.

      After all activities, I can connect with the security lock, but without a proper logon to the system (I am prompted to enter login and password).

      I followed the main instructions, with count comments.

      So, my steps:

      • The folder has been created: E:\usr\sap\PD2\DVEBMGS02\SSL (copied SECURELOGINLIB here, with snc.exe, seccrypt.dll and many other files)
      • Checked that sapcrypto.dll is placed in E:\usr\sap\PD2\SYS\exe\uc\NTAMD64
      • Domain user has been created: Domain\SNCLogonPD2 with Principal name SAP/ServicePD2 (our admin also added a second record SAP/KerberosPD2) (set password PD2pass44)
      • I've set the variable SECUDIR=E:\usr\sap\PD2\DVEBMGS02\sec
      • E:\usr\sap\PD2\DVEBMGS02\SSL>snc crtpse (set password PD2pass44)

      • Profile parameters:

      instance (or DEFAULT.PFL) profile:

      snc/gssapi_lib                              E:\usr\sap\PD2\DVEBMGS02\SSL\secgss.dll

      snc/identity/as                             p:CN=SNCLogonPD2@DOMAIN.LOCAL

      snc/data_protection/max                     3

      snc/data_protection/min                     2

      snc/data_protection/use                     3

      snc/r3int_rfc_secure                        0

      snc/r3int_rfc_qop                           8

      snc/permit_insecure_start                   1

      snc/accept_insecure_cpic                    1

      snc/accept_insecure_rfc                     1

      snc/force_login_screen                      1

      snc/enable                                  0

      snc/accept_insecure_gui                     1

      ssf/name                                    SAPSECULIB

      ssf/ssfapi_lib                    $(ssl/ssl_lib)

      ssl/ssl_lib                            $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)

      sec/libsapsecu

      Add the following entry to your start profile(s):

      SETENV_XX (XX = next available value) SECUDIR=$(DIR_INSTANCE)/sec

      SETENV_00                                   PATH=$(DIR_EXECUTABLE);%PATH%

      SETENV_01                                   SECUDIR=$(DIR_INSTANCE)/sec

      • Restart the system
      • In STRUST make the SNC SAPCRYPTOLIB certificate (RSA):

      Owner:   p:CN=SNCLogonPD2@DOMAIN.LOCAL

      • Set parameter in RZ10: snc/enable 1
      • Restart the system
      • Install SNCCLNTCRYPT01_5-20008986.EXE on the local machine for my SAP GUI
      • In the connection entry, in the Network tab, set SNC NAME: p:CN=SAP/ServicePD2@DOMAIN.LOCAL
      • In SU01 I set SNC NAME = p:CN=i.ivanov@DOMAIN.LOCAL for login TEST_SNC
      • Logon !!! But only the screen for login and password. In the lower right corner I can see the closed lock. I hoped to enter the system and see my work menu.

      What did I do wrong during the settings?  What did I forget?
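      The parameter list in the post above is a good candidate for a mechanical check, because several of the values decide exactly what the user sees at logon. The script below is an added example for this thread, not part of the post and not an SAP tool; its sample profile is a constructed copy of the list above (with snc/enable still 0, as posted), and the checks are limited to parameters whose meaning is stable: snc/enable, snc/gssapi_lib, the printable-name form of snc/identity/as (flagging the SPN form that later replies say Note 1837595 replaced with the UPN), the ordering of the data-protection levels, and the two parameters that shape the logon screen, snc/accept_insecure_gui and snc/force_login_screen.

```python
"""Sanity-check the SNC profile parameters for an 'SNC without SSO' setup.
Added example, not from the post or from SAP; SAMPLE_PROFILE is a constructed
copy of the parameter list above (snc/enable still 0 at that point)."""
import re

SAMPLE_PROFILE = r"""
snc/gssapi_lib                E:\usr\sap\PD2\DVEBMGS02\SSL\secgss.dll
snc/identity/as               p:CN=SNCLogonPD2@DOMAIN.LOCAL
snc/data_protection/max       3
snc/data_protection/min       2
snc/data_protection/use       3
snc/r3int_rfc_secure          0
snc/r3int_rfc_qop             8
snc/permit_insecure_start     1
snc/accept_insecure_cpic      1
snc/accept_insecure_rfc       1
snc/force_login_screen        1
snc/enable                    0
snc/accept_insecure_gui       1
SETENV_00                     PATH=$(DIR_EXECUTABLE);%PATH%
SETENV_01                     SECUDIR=$(DIR_INSTANCE)/sec
"""

# "name value", "name = value" and "name=value" are all accepted.
PARAM_RE = re.compile(r"^([^\s=]+)\s*=?\s*(.*)$")


def parse_profile(text):
    """Map parameter name -> value; blank lines and '#' comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def check_profile(params):
    """Return (severity, message) findings. ERROR = SNC cannot work as intended,
    WARN = worth a second look, INFO = explains behaviour the user will see."""
    findings = []

    def get(name, default=""):
        return params.get(name, default).strip()

    if get("snc/enable") != "1":
        findings.append(("ERROR", f"snc/enable is {get('snc/enable')!r}: SNC is not active"))
    if not get("snc/gssapi_lib"):
        findings.append(("ERROR", "snc/gssapi_lib is empty: no GSS-API library to load"))

    ident = get("snc/identity/as")
    if not ident.startswith("p:CN="):
        findings.append(("ERROR", "snc/identity/as must be a printable name p:CN=<name>@<REALM>"))
    else:
        name = ident[len("p:CN="):]
        if "@" not in name:
            findings.append(("WARN", "snc/identity/as has no @REALM suffix"))
        if "/" in name.split("@")[0]:
            findings.append(("WARN", "snc/identity/as is in SPN form (service/host); later replies in "
                                     "this thread report that the UPN form is expected since Note 1837595"))

    try:
        lo, use, hi = (int(get(f"snc/data_protection/{k}", "0")) for k in ("min", "use", "max"))
    except ValueError:
        findings.append(("ERROR", "snc/data_protection/min|use|max must be integers"))
    else:
        if not 1 <= lo <= use <= hi <= 3:
            findings.append(("ERROR", f"snc/data_protection min/use/max = {lo}/{use}/{hi} "
                                      "is not ordered within 1..3"))

    gui = get("snc/accept_insecure_gui")
    if gui == "1":
        findings.append(("INFO", "snc/accept_insecure_gui=1: SAP GUI logons without SNC are still accepted"))
    elif gui == "0":
        findings.append(("INFO", "snc/accept_insecure_gui=0: a SAP GUI connection without a working "
                                 "SNC handshake is refused"))

    if get("snc/force_login_screen") == "1":
        findings.append(("INFO", "snc/force_login_screen=1: the logon screen is shown even when the SNC "
                                 "identity could be used for single sign-on; a padlock plus a "
                                 "user/password prompt is the expected outcome of this setting"))
    return findings


if __name__ == "__main__":
    for severity, message in check_profile(parse_profile(SAMPLE_PROFILE)):
        print(f"{severity:5} {message}")
```

      Run against the sample as posted, the only ERROR is snc/enable=0, which the poster fixes in a later step; the two INFO lines then describe the observed result (padlock plus logon prompt). Point `parse_profile` at the instance profile on disk to check a live system.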

       

       

      Andreas Zigann

      Hello Phillip,

      I have found a documentation of actual trends of SAP SSO. There are some slides of SCE 2.0 showing following facts:

      1. support of 64bit Clients e.g. Eclipse
      2. TLS-like implementation with X.509 Certificates
      3. usable on scenarios of computers, that are not Domain-joined!
      4. no license restrictions

      This would solve some problems of necessary domain trusts mentioned above.

      This Secure Logon Client 2.0 is available since April 2017 and is delivered in SAP GUI 750. So SNC encryption for SAP GUI should be really easy.

      But it does not work in our tests. I have not found any documentation on the configuration of SCE 2.0 in help.sap.com or in the SAP GUI Installation or Administration guide.

      Can you confirm my information and perhaps provide some links for documentation?

      Best Regards

      Andreas