SNC (Secure Network Communication) Configuration between Enterprise Portal and BW System

Pre-Requisites:

Parameters to be checked before the configuration

  • login/accept_sso2_ticket    = 1
  • login/create_sso2_ticket    = 2 (recommended) or 1
  • snc/enable  = 1
  • icm/host_name_full (use SMICM to check the fully qualified hostname)

Check https://help.sap.com for the values of the following parameters:

  • snc/force_login_screen
  • snc/identity/as
  • snc/gssapi_lib
  • snc/permit_insecure_start
  • snc/r3int_rfc_qop
  • snc/r3int_rfc_secure
  • snc/accept_insecure_r3int_r
  • snc/accept_insecure_rfc
  • snc/accept_insecure_cpic
  • snc/accept_insecure_gui
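
As an added example (not part of the original post), the following Python script parses profile text, checks the three values stated above plus the hostname, and only reports the snc/* parameters whose values the post defers to help.sap.com. The profile text is constructed, and the function names and the handling of `$(...)` substitutions are assumptions of this example.

```python
# Added example: audits constructed SAP profile text against the prerequisites listed above.
REQUIRED = {"snc/enable": {"1"},                      # values the post states explicitly
            "login/accept_sso2_ticket": {"1"},
            "login/create_sso2_ticket": {"1", "2"}}
REVIEW = ["snc/force_login_screen", "snc/identity/as", "snc/gssapi_lib",
          "snc/permit_insecure_start", "snc/r3int_rfc_qop", "snc/r3int_rfc_secure",
          "snc/accept_insecure_rfc", "snc/accept_insecure_cpic",
          "snc/accept_insecure_gui"]                  # values deferred to help.sap.com

def parse_profile(text):
    """Return {name: value} from 'name = value' lines; '#' lines are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")   # split at the first '=' only
        if sep:
            params[name.strip()] = value.strip()  # a later entry overrides an earlier one
    return params

def audit(params):
    """Return (findings, review): findings need fixing, review needs a human decision."""
    findings = []
    for name, allowed in REQUIRED.items():
        value = params.get(name)
        if value not in allowed:
            shown = "not set in this profile" if value is None else repr(value)
            findings.append(f"{name}: {shown}, expected {' or '.join(sorted(allowed))}")
    host = params.get("icm/host_name_full", "")
    if host.startswith("$("):
        findings.append("icm/host_name_full: unresolved substitution, confirm the value in SMICM")
    elif "." not in host:
        findings.append(f"icm/host_name_full: {host!r} is not fully qualified")
    review = {name: params.get(name) for name in REVIEW}
    return findings, review

SAMPLE_PROFILE = """\
# constructed sample, not taken from a real system
snc/enable = 1
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 3
icm/host_name_full = bwhost
snc/identity/as = p:CN=BWD, O=GM, C=US
snc/accept_insecure_gui = 1
"""

if __name__ == "__main__":
    print(audit(parse_profile(SAMPLE_PROFILE)))
```

A parameter reported as "not set in this profile" may still have a value from another profile or the kernel default, so confirm it on the running system.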

STEP 1:

Log in to the portal as an “administrator” user and go to http://<hostname>:<port>/nwa

-> click the “Configuration” tab -> click “Certificate and Keys”

Note: parameter snc/enable = 1 (to activate SNC)

Click the TicketKeystore entry listed under the Key Storage tab, then select “SAPLogonTicketKeypair-cert”

Then click Export Entry, select the Binary X.509 format, and save it locally

STEP 2:

Log in to the ABAP system, default client XXX, and go to transaction STRUSTSSO2

Click System PSE and then click Import Certificate

Select the format Binary, then click “Add to Certificate List”, then click “Add to ACL”

Enter the portal SID and client 000

STEP 3:

Go to STRUSTSSO2, click System PSE -> click <FQDN>, and check the portal certificate information on the right side.

Create the SNC SAPCryptolib PSE file: right-click SNC SAPCryptolib

Remove the default values of Org (opt) and Comp/Org, maintain the required values, and save

Now select the SNC SAPCryptolib PSE and double-click CN=<SID>, O=GM, C=US

Press the Export button and export the certificate to your machine.

Use the name <SID of BW system>.cert

Select “Base64” as the format for <SID>.cert

STEP 4:

Log in to the portal server at OS level (<sid>adm)

Go to the directory /usr/sap/<SID>/JCXX/sec

Check that the shared library and the environment variable are set

Set the environment variable to the path /usr/sap/<SID>/JC<nn>/sec

<SID>adm> export SECUDIR=/usr/sap/<SID>/JC<nn>/sec

STEP 5:

Create the SAP_<any name, for example J2EE>.pse file using the command

sapgenpse get_pse -p SAP_J2EE.pse -x j2eepin "CN=<SID>, O=<organization 2 letters>, C=<country code 2 letters>"

STEP 6:

Then execute:

sapgenpse seclogin -p <PSE file name>.pse -x j2eepin -O <SID>adm

STEP 7:

Generate the portal SNC certificate with the command:

sapgenpse export_own_cert -p <pse name> -o <portal certificate>

STEP 8:

Then upload the SAP ECC certificate into the portal PSE with the command

sapgenpse maintain_pk -p <PSE file name>.pse -a <SID BW system name>.cert

STEP 9:

Transfer (FTP) the file <SID>.cert from the portal server to your machine

Log in to the BW system -> go to STRUSTSSO2 -> click SNC SAPCryptolib -> double-click

Then click  to import the file 

Then click  and finally save it

Before starting, the following profile parameters need to be set in the respective ABAP systems:

STEP 10:

Then go to SM30, enter VSNCSYSACL, and press Display

Select “E” for external system

STEP 11:

Go to SM30, enter USRACLEXT in the Table/View field, and press Display

Press “New Entries”, add the SNC name for the portal, and save it

STEP 12:

Creation of systems in the portal: System Administration -> System Landscape ->

Portal Content -> System Landscape, right-click -> System Landscape -> New ->

Select option  then click  Next

STEP 13:

How to get the system information for the Web Application Server and ITS

Go to SE37, then press F8

Then provide the info:

FM name: RSBB_URL_PREFIX_GET

I_HANDLERCLASS: CL_RSR_WWW_HTTP

Clear the I_message server entry -> execute (F8)

For getting the ICM info:

Go to SE37

FM name: RSBB_URL_PREFIX_GET

I_HANDLERCLASS: CL_HTTP_EXT_ITS

Then clear the I_message server entry -> execute (F8)

“Save” the details and provide the system alias name

Choose “Next” and then “Finish”

The system is now created

STEP 14:

System Landscape -> under this node you will find your newly created system -> right-click the new system -> click Properties

Enter the SNC parameters in the system data container

Then run a system connection test; a successful test completes the SNC configuration between Enterprise Portal and the BW system

Note: Log in with the same user as in the backend. Don’t provide any user; click the “Test” button

2 Comments

  1. Andy Silvey

    Hi Rajeshkumar,

    this is an excellent blog showing all of the steps and will for sure be a lot of help to people having to do this.

    If I can suggest, in the pre-requisites, include the steps of

         download SAPCryptoLib

         install SAPCryptoLib

         enable jurisdiction policy

    in fact it would be nice if those steps were included with screenshots and then you would have the end to end implementation documented.

    Furthermore, it would be useful to point out that there is a sequence for setting the Profile parameters on the R/3 system, because if they are all set at once and the system restarted logon will not be possible.

    Another useful point is transaction SNC0 which shows the ACL tables and their contents, this is useful for troubleshooting.

    All the best,

    Andy.
