Configuring SAP SNC without Single Sign-On on UNIX/Solaris/Linux
So, you want to enable SNC (without Single Sign On — SSO) in your environment? You have Solaris (or other UNIX) and you don’t want to pay for third party libraries?
SAP has a solution for you! But implementing the solution may be a nightmare. SAP developed their own guide/documentation showing how to do this, but you may find following their documentation a bit troublesome. It’s for this reason I developed this document.
Applicable Notes with Prerequisites
Some notes with important pre-readings below. There are three version prerequisites to watch out for: GUI, Kernel, SAP Basis Component.
SAP OSS Note 1561161 – Enabling SAP GUI password logon despite using SNC. This note discusses Kernel Version and Basis Support Pack prerequisites.
SAP OSS Note 1053737 – Versions of supported SAPGUIs
SAP OSS Note 1580808 – SAP Logon 7.20: “SNC logon w/o SSO” for connection entry
In this document you will see the following tags used. This section explains what you should substitute into the tag.
<SID> = Your System ID.
<Instance> = The name/number of the instance, ex: DVEBMGS## or D##.
<SPN> = Service Principal Name created in Active Directory
<ActiveDirectoryDomain> = Name of your active directory domain name (Fully Qualified – ex: DomainName.YourOrganization.org). If you don’t know what this should be, ask your Active Directory Staff.
OS = Solaris 10
Database = Oracle
Hardware Platform (SPARC)
You’ll need to search for and download the following:
SAP’s Software Distribution Center -> Installations and Upgrades -> Search For Installations and Upgrades -> 51042493 OR
SAP’s Software Distribution Center -> Installations and Upgrades -> Browse our Download Catalog -> SAP Cryptographic Software -> SNC CLIENT ENCRYPTION 1.0 -> Installation -> 51042493 (or latest version)
SAP’s Software Distribution Center -> Support Packages and Patches -> Search Support Packages and Patches -> SLLIBRARY02_4-20008890 (This patch is for Solaris on SPARC 64 only) OR
SAP’s Software Distribution Center -> Support Packages and Patches -> Search Support Packages and Patches -> SLLIBRARY02
SAP’s Software Distribution Center -> Support Packages and Patches -> Browse our Download Catalog -> SAP Cryptographic Software -> SAPCryptolib for Updates
So now that you have downloaded what you need, now to get to business!
1. Server Side Installation
2. Unzip the library you downloaded in in #1 Above.
3. In a separate folder, un-sar the file you downloaded in #2 above.
4. Inside the unzipped archive (from Step 2) you will find a folder called “SECURE_LOGIN_LIBRARY”. Inside it select the correct subfolder for your OS. Hint “Solaris” is often referred to as sunos 5. If you have Solaris 10 on Sparc (like us) you will want the folder called “sunos-5.10-sparc-64”.
5. Inside the unzipped archive (from step 3) you will find a series of folders that match up to you operating system version. Note the appropriate folder.
7. Inside the SLL folder use SAPCAR to un-sar the “SECURELOGINLIB.SAR” which is in the folder you identified in Step 4.
8. While still inside the SLL folder use SAPCAR to un-sar the “SECURELOGINLIB.SAR” identified in Step 5.
9. Go to /sapmnt/<SID>/exe/. Once inside it use SAPCAR to un-sar the file downloaded in #3 above
2. Active Directory Preparation/Work
This solution requires that you use MS Active Directory (aka Domains). For this section you will have to work with your organization’s active directory staff.
2. Set a strong account password. Set the password to never expire and unchangeable. Note the exact PaSsWoRd made here, you’ll need it later in section 3.
3. Inside the new account created in the previous step, have them create/assign a new “Service Principal Name” (SPN). The name and case of this SPN is critical and must be followed precisely: SAP/Kerberos<SID> — as previously noted this entry is CaSe SeNsItIvE. Here-in this will be called <SPN>
3. Server Side Config
1. Change directories to /usr/sap/<SID>/<Instance>/SLL
2. Set the environment variable “SECUDIR” to “/usr/sap/<SID>/<Instance>/sec”. If you like/use bash (like me) do this by executing “export SECUDIR=/usr/sap/<SID>/<Instance>/sec”.
3. Create the PSE Environment. Do this by executing: “./snc crtpse” with you PWD (Present Working Directory) being /usr/sap/<SID>/<INSTANCE>/SLL/. You’ll be prompted to create a password. The value of this password doesn’t matter, but note what you make it.
4. Create a keytab entry for your SPN created above. Do this by executing “./snc crtkeytab -s <SPN>@<ActiveDirectoryDomain>”. You will be prompted for a password. This password must be the same as the password when you created the active directory account in step 2-1. The <ActiveDirectoryDomain> must be in ALL CAPS.
4. AS ABAP Configuration
1. Log into your SAP System GUI.
2. Start up transaction RZ10. Set the following parameters in your instance (or DEFAULT.PFL, if you prefer) profile(s):
|snc/identity/as||p:CN=<SPN>@<ActiveDirectoryDomain> – The <ActiveDirectoryDomain> must be in ALL CAPS|
|ssf/name (Suggested in DEFAULT.PFL)||SAPSECULIB|
3. Add the following entry to your start profile(s):
|SETENV_XX (XX = next available value)||SECUDIR=$(DIR_INSTANCE)/sec|
3. Exit AS ABAP/Log off.
4. Restart the SAP System.
5. Once the system is restarted, go to transaction STRUST.
6. In transaction STRUST you will now find an entry in the left pane that says “SNC SAPCryptolib”. It should have a red “X” next to it. Right click on it and select “Create”. You’ll notice the “SNC ID” is already filled in for you. Select RSA and an appropriate key size, then click the green check mark.
7. Go back to RZ10. Change the value of “snc/enable” to 1.
8. Log out and restart the SAP system again.
Once you’ve restarted the system you can look in /usr/sap/<SID>/<Instance>/work/dev_w0 and see something like this:
N Wed Aug 14 13:45:01 2013
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/usr/sap/EQ2/DVEBMGS51/SLL/libsecgss.so
N File “/usr/sap/<SID>/<Instance>/SLL/libsecgss.so” dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x
N SncInit(): found snc/identity/as=p:CN=<SPN>@<ActiveDirectoryDomain>
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=Indefinite
M ***LOG R1Q=> p:CN=<SPN>@<ActiveDirectoryDomain> [thxxsnc.c 266]
M SNC (Secure Network Communication) enabled
If you don’t see this but instead see errors, chances are your ABAP system no longer works (good job ). You’ll have to manually edit your instance profile in /sapmnt/<SID>/profile and set snc/enable to 0. Then restart your system and troubleshoot (good luck).
5. PC SNC Client Installation/Config
1. Inside the main SNC library file you downloaded above in file download step 1 , you’ll find a “SNC_CLIENT_ENCRYPTION” folder. On your PC execute the “SapSncClientEncryption.exe” file you’ll find in this folder. If you already have the “SNC Client Encryption” installed, I’d recommend you uninstall it and re-install it, just to make sure you have a compatible version.
2. After you executed the previous step, start up the SAP GUI on your workstation.
3. In the GUI right click on the logon entry representing the SAP you are working on. Select “Properties” from the context menu that pops up.
4. On the window that pops up, select the “Network” tab.
5. Check the box that says “Activate Secure Network Communications”.
6. Enter the “SNC Name” as follows: p:CN=<SPN>@<ActiveDirectoryDomain>
7. Select “Maximum security settings available”
8. Check the box “SNC logon with user/password (no Single Sign-On)”
You’ve done it. Now all that’s left is pray to the deity of your choosing <grin>. If he/she smiles upon you, you should be able to log in to your SAP System. You’ll note a lock (which was previously open) in the lower right hand of your GUI screen in the status bar.