Application Development Blog Posts
So, you want to enable SNC (without Single Sign On -- SSO) in your environment?  You have Solaris (or other UNIX) and you don't want to pay for third party libraries?

SAP has a solution for you!  But implementing the solution may be a nightmare.  SAP developed their own guide/documentation showing how to do this, but you may find following their documentation a bit troublesome.  It's for this reason I developed this document.

Applicable Notes with Prerequisites


Below are some notes with important pre-reading.  There are three version prerequisites to watch out for: GUI, Kernel, and SAP Basis component.

SAP OSS Note 1561161 - Enabling SAP GUI password logon despite using SNC.  This note discusses Kernel Version and Basis Support Pack prerequisites.

SAP OSS Note 1053737 -  Versions of supported SAPGUIs

SAP OSS Note 1580808 - SAP Logon 7.20: "SNC logon w/o SSO" for connection entry

 

Tags below


In this document you will see the following tags used.  This section explains what you should substitute into the tag.

<SID> = Your System ID.

<Instance> = The name/number of the instance, ex: DVEBMGS## or D##.

<SPN> = Service Principal Name created in Active Directory

<ActiveDirectoryDomain> = Name of your active directory domain name (Fully Qualified - ex: DomainName.YourOrganization.org).  If you don't know what this should be, ask your Active Directory Staff.

Our situation:

OS = Solaris 10

Database = Oracle

Hardware Platform (SPARC)

You'll need to search for and download the following:

1. SNC Client Encryption/Libraries 1.0

SAP's Software Distribution Center -> Installations and Upgrades -> Search For Installations and Upgrades -> 51042493 OR

SAP's Software Distribution Center -> Installations and Upgrades -> Browse our Download Catalog -> SAP Cryptographic Software -> SNC CLIENT ENCRYPTION 1.0 -> Installation -> 51042493 (or latest version)

2. SNC Client Encryption/Libraries 1.0 SP 02

SAP's Software Distribution Center -> Support Packages and Patches -> Search Support Packages and Patches -> SLLIBRARY02_4-20008890 (This patch is for Solaris on SPARC 64 only) OR

SAP's Software Distribution Center -> Support Packages and Patches -> Search Support Packages and Patches -> SLLIBRARY02

3. Latest SAPCrypto Lib

SAP's Software Distribution Center -> Support Packages and Patches -> Browse our Download Catalog -> SAP Cryptographic Software -> SAPCryptolib for Updates

So now that you have downloaded what you need, now to get to business!

1. Server Side Installation


1. Upload all files downloaded above to your server.

2. Unzip the library you downloaded in #1 above.

3. In a separate folder, un-sar the file you downloaded in #2 above.

4. Inside the unzipped archive (from Step 2) you will find a folder called "SECURE_LOGIN_LIBRARY".  Inside it select the correct subfolder for your OS.  Hint: "Solaris" is often referred to as "sunos 5".  If you have Solaris 10 on SPARC (like us) you will want the folder called "sunos-5.10-sparc-64".

5. Inside the unzipped archive (from Step 3) you will find a series of folders that match up to your operating system version.  Note the appropriate folder.

6. Go to /usr/sap/<SID>/<Instance>.  Inside it create two directories (if they don't already exist): "SLL" and "security".

7. Inside the SLL folder use SAPCAR to un-sar the "SECURELOGINLIB.SAR" which is in the folder you identified in Step 4.

8. While still inside the SLL folder use SAPCAR to un-sar the "SECURELOGINLIB.SAR" in the folder you identified in Step 5.

9. Go to /sapmnt/<SID>/exe/.  Once inside it use SAPCAR to un-sar the file downloaded in #3 above.

2. Active Directory Preparation/Work


This solution requires that you use MS Active Directory (aka Domains).  For this section you will have to work with your organization's active directory staff.

1. Have the active directory staff create a new service account for you.  The name of the account doesn't really matter, just note what it is.

2. Set a strong account password.  Set the password to never expire and unchangeable.  Note the exact PaSsWoRd made here, you'll need it later in section 3.

3. Inside the new account created in the previous step, have them create/assign a new "Service Principal Name" (SPN).  The name and case of this SPN is critical and must be followed precisely: SAP/Kerberos<SID> -- as previously noted this entry is CaSe SeNsItIvE.  From here on this will be called <SPN>.

3. Server Side Config


1. Change directories to /usr/sap/<SID>/<Instance>/SLL

2. Set the environment variable "SECUDIR" to "/usr/sap/<SID>/<Instance>/sec".  If you like/use bash (like me) do this by executing "export SECUDIR=/usr/sap/<SID>/<Instance>/sec".

3. Create the PSE environment.  Do this by executing "./snc crtpse" with your PWD (present working directory) being /usr/sap/<SID>/<Instance>/SLL/.  You'll be prompted to create a password.  The value of this password doesn't matter, but note what you make it.

4. Create a keytab entry for the SPN created above.  Do this by executing "./snc crtkeytab -s <SPN>@<ActiveDirectoryDomain>".  You will be prompted for a password.  This password must be the same as the password you set when you created the Active Directory account in section 2, step 2.  The <ActiveDirectoryDomain> must be in ALL CAPS.
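The commands from steps 1 through 4 above, as an added shell script that is not part of the original post.  It composes the principal the way the post prescribes (SPN SAP/Kerberos<SID>, Active Directory domain forced to upper case), sets SECUDIR, and runs ./snc crtpse and ./snc crtkeytab from the SLL directory.  The function names, the use of tr for upper-casing, and the mkdir of the SECUDIR path are my own choices and assumptions; the snc binary is assumed to be the one unpacked from SECURELOGINLIB.SAR in section 1.

```shell
#!/bin/sh
# Added example (not from the original post): compose the SNC principal and
# run the Secure Login Library commands from section 3. Assumes the SLL
# directory layout from section 1 and the snc binary shipped in SECURELOGINLIB.SAR.

# Service Principal Name exactly as section 2 requires (case-sensitive).
snc_spn() {
    printf 'SAP/Kerberos%s\n' "$1"
}

# <SPN>@<ActiveDirectoryDomain>; the post stresses that the domain must be ALL CAPS,
# so the domain is upper-cased here whatever the caller passed in.
snc_principal() {
    sid=$1
    domain=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s@%s\n' "$(snc_spn "$sid")" "$domain"
}

# SECUDIR as set in section 3 step 2 (and by SETENV_XX in the start profile).
snc_secudir() {
    printf '/usr/sap/%s/%s/sec\n' "$1" "$2"
}

# Create the PSE and the keytab entry. Runs interactively: "snc crtpse" prompts
# for the PSE password, "snc crtkeytab" for the service account password from
# section 2. Returns non-zero without touching anything if snc is not in place.
snc_create_pse_and_keytab() {
    sid=$1; instance=$2; domain=$3
    sll="/usr/sap/$sid/$instance/SLL"
    [ -x "$sll/snc" ] || { echo "snc not found in $sll; check section 1 steps 7-8" >&2; return 1; }
    SECUDIR=$(snc_secudir "$sid" "$instance")
    export SECUDIR
    mkdir -p "$SECUDIR"          # assumption: create SECUDIR if it is missing
    cd "$sll" || return 1
    ./snc crtpse || return 1
    ./snc crtkeytab -s "$(snc_principal "$sid" "$domain")"
}

# Usage (not executed when the file is sourced), with the SID/instance from the post's trace:
#   snc_create_pse_and_keytab EQ2 DVEBMGS51 domainname.yourorganization.org
```

Passing the domain in lower case is safe here because snc_principal normalises it; the post's warning about ALL CAPS applies to the value that reaches snc crtkeytab and to snc/identity/as, which this script derives from the same function.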

4. AS ABAP Configuration


1. Log into your SAP System GUI.

2. Start up transaction RZ10.  Set the following parameters in your instance (or DEFAULT.PFL, if you prefer) profile(s):

snc/permit_insecure_start 1
snc/accept_insecure_cpic 1
snc/r3int_rfc_qop 8
snc/r3int_rfc_secure 0
snc/data_protection/use 3
snc/data_protection/min 2
snc/data_protection/max 3
snc/identity/as p:CN=<SPN>@<ActiveDirectoryDomain>   (the <ActiveDirectoryDomain> must be in ALL CAPS)
snc/gssapi_lib /usr/sap/<SID>/<Instance>/SLL/libsecgss.so
snc/enable 0
snc/force_login_screen 1
snc/accept_insecure_rfc 1
snc/accept_insecure_gui 1
ssf/name SAPSECULIB   (suggested in DEFAULT.PFL)
ssf/ssfapi_lib $(ssl/ssl_lib)
ssl/ssl_lib $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
sec/libsapsecu $(ssl/ssl_lib)
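Before restarting with these values, it is worth checking the profile for the mistakes the post singles out (lower-case domain in snc/identity/as, a gssapi_lib path that does not point into SLL, inconsistent data_protection levels).  The checker below is an added example, not part of the original post or of SAP's tooling; it reads the on-disk "key = value" profile form, and the sample profile it carries is constructed from the parameter list above with the SID/instance from the post's trace.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the SNC parameters
# in an instance profile before restarting the system. Profile lines are in the
# on-disk form "key = value"; the post's own parameter list is the reference.

# Return the value of one profile parameter ("" if absent).
profile_value() {
    awk -v k="$2" '$1 == k { v = ($2 == "=") ? $3 : $2; print v; exit }' "$1"
}

# Exit 0 when the SNC parameters look consistent, 1 otherwise (reasons on stderr).
snc_profile_check() {
    prof=$1; rc=0
    identity=$(profile_value "$prof" snc/identity/as)
    case "$identity" in
        p:CN=*@*) ;;
        *) echo "snc/identity/as must be p:CN=<SPN>@<ActiveDirectoryDomain>, got '$identity'" >&2; rc=1 ;;
    esac
    # The post: the <ActiveDirectoryDomain> part must be in ALL CAPS.
    domain=${identity#*@}
    if [ "$domain" != "$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "domain part of snc/identity/as must be ALL CAPS: $domain" >&2; rc=1
    fi
    lib=$(profile_value "$prof" snc/gssapi_lib)
    case "$lib" in
        */SLL/libsecgss.so) ;;
        *) echo "snc/gssapi_lib should point at <Instance>/SLL/libsecgss.so, got '$lib'" >&2; rc=1 ;;
    esac
    min=$(profile_value "$prof" snc/data_protection/min)
    use=$(profile_value "$prof" snc/data_protection/use)
    max=$(profile_value "$prof" snc/data_protection/max)
    if ! { [ "${min:-0}" -le "${use:-0}" ] && [ "${use:-0}" -le "${max:-0}" ]; }; then
        echo "need snc/data_protection/min <= use <= max, got $min/$use/$max" >&2; rc=1
    fi
    # The post enables SNC only after the STRUST PSE exists: warn, but do not fail.
    [ "$(profile_value "$prof" snc/enable)" = 1 ] &&
        echo "note: snc/enable=1; make sure the SNC SAPCryptolib PSE exists in STRUST" >&2
    return $rc
}

# Constructed sample profile matching the post's parameter list (not a real system's profile).
sample_profile() {
cat <<'EOF'
snc/enable = 0
snc/identity/as = p:CN=SAP/KerberosEQ2@DOMAINNAME.YOURORGANIZATION.ORG
snc/gssapi_lib = /usr/sap/EQ2/DVEBMGS51/SLL/libsecgss.so
snc/data_protection/use = 3
snc/data_protection/min = 2
snc/data_protection/max = 3
EOF
}

# Usage: snc_profile_check /sapmnt/<SID>/profile/<SID>_<Instance>_<host>
```

Run it against the profile file in /sapmnt/<SID>/profile rather than against the RZ10 display; RZ10 shows the values without the "=" but the file on disk, which is what the restarted instance reads, carries them as "key = value".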


3. Add the following entry to your start profile(s):

SETENV_XX SECUDIR=$(DIR_INSTANCE)/sec   (XX = next available value)


4. Exit AS ABAP/Log off.

5. Restart the SAP System.

6. Once the system is restarted, go to transaction STRUST.

7. In transaction STRUST you will now find an entry in the left pane that says "SNC SAPCryptolib".  It should have a red "X" next to it.  Right click on it and select "Create".  You'll notice the "SNC ID" is already filled in for you.  Select RSA and an appropriate key size, then click the green check mark.

8. Go back to RZ10.  Change the value of "snc/enable" to 1.

9. Log out and restart the SAP system again.

Once you've restarted the system you can look in /usr/sap/<SID>/<Instance>/work/dev_w0 and see something like this:

N Wed Aug 14 13:45:01 2013
N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)
N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=/usr/sap/EQ2/DVEBMGS51/SLL/libsecgss.so
N    File "/usr/sap/<SID>/<Instance>/SLL/libsecgss.so" dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x
N  SncInit():   found snc/identity/as=p:CN=<SPN>@<ActiveDirectoryDomain>
N  SncInit(): Accepting  Credentials available, lifetime=Indefinite
N  SncInit(): Initiating Credentials available, lifetime=Indefinite
M  ***LOG R1Q=> p:CN=<SPN>@<ActiveDirectoryDomain> [thxxsnc.c    266]
M  SNC (Secure Network Communication) enabled

If you don't see this but instead see errors, chances are your ABAP system no longer works (good job).  You'll have to manually edit your instance profile in /sapmnt/<SID>/profile and set snc/enable to 0.  Then restart your system and troubleshoot (good luck).
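The post-restart check and the rollback just described, as an added shell example that is not part of the original post.  The first function looks for the "SNC (Secure Network Communication) enabled" line in dev_w0 and, when it is absent, echoes the SncInit/GSS-API lines that usually carry the reason; the second rewrites snc/enable to 0 in a profile file through a temporary file, because Solaris sed has no -i option.  The trace excerpts embedded below are constructed (the failure line is invented for the example and is not a real SncInit message).

```shell
#!/bin/sh
# Added example (not from the original post): after the restart, confirm from
# dev_w0 that SNC came up, and if it did not, set snc/enable back to 0 in the
# profile the way the post prescribes. Solaris sed has no -i, so the rewrite
# goes through a temporary file and mv.

# 0 if the work process trace reports SNC enabled, 1 otherwise.
snc_trace_status() {
    if grep -q 'SNC (Secure Network Communication) enabled' "$1"; then
        return 0
    fi
    # Surface the SncInit/GSS-API lines that usually explain the failure.
    grep -E 'SncInit|GSS-API|ERROR' "$1" >&2
    return 1
}

# Rollback step from the post: force "snc/enable = 0" in the given profile.
# Only the snc/enable line is touched; every other line is copied unchanged.
snc_disable_in_profile() {
    prof=$1
    sed 's|^snc/enable[ ]*=.*|snc/enable = 0|' "$prof" > "$prof.tmp" && mv "$prof.tmp" "$prof"
}

# Constructed trace excerpt modelled on the post's dev_w0 output (success case).
sample_trace_ok() {
cat <<'EOF'
N  SncInit(): Accepting  Credentials available, lifetime=Indefinite
N  SncInit(): Initiating Credentials available, lifetime=Indefinite
M  SNC (Secure Network Communication) enabled
EOF
}

# Constructed trace excerpt for the failure case; the ERROR line is invented.
sample_trace_failed() {
cat <<'EOF'
N  SncInit(): found  snc/gssapi_lib=/usr/sap/EQ2/DVEBMGS51/SLL/libsecgss.so
N  *** ERROR => SncInit(): constructed failure line for this example
EOF
}

# Usage: snc_trace_status /usr/sap/<SID>/<Instance>/work/dev_w0 \
#          || snc_disable_in_profile /sapmnt/<SID>/profile/<SID>_<Instance>_<host>
```

After the rollback, restart the instance so the profile is re-read; the profile file, not the RZ10 copy, is what the instance starts from, which is why the post has you edit it directly when the system will no longer come up.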

5. PC SNC Client Installation/Config


1. Inside the main SNC library file you downloaded above in download step 1, you'll find an "SNC_CLIENT_ENCRYPTION" folder.  On your PC execute the "SapSncClientEncryption.exe" file you'll find in this folder.  If you already have the "SNC Client Encryption" installed, I'd recommend you uninstall it and re-install it, just to make sure you have a compatible version.

2. After executing the previous step, start up the SAP GUI on your workstation.

3. In the GUI right click on the logon entry representing the SAP you are working on.  Select "Properties" from the context menu that pops up.

4. On the window that pops up, select the "Network" tab.

5. Check the box that says "Activate Secure Network Communications".

6. Enter the "SNC Name" as follows: p:CN=<SPN>@<ActiveDirectoryDomain>

7. Select "Maximum security settings available"

8. Check the box "SNC logon with user/password (no Single Sign-On)"

You've done it.  Now all that's left is pray to the deity of your choosing <grin>.  If he/she smiles upon you, you should be able to log in to your SAP System.  You'll note a lock (which was previously open) in the lower right hand of your GUI screen in the status bar.

6. Troubleshooting


For troubleshooting SNC issues on the client side, consider reading this document on the SAP help si... or Google: "Enabling Traces for SNC Client Encryption"
