
Part II: How to modify the existing connection of SAP Mobile Documents to an on-premise ABAP System to use a named-user connection

In the first part you have set up a connection from SAP Mobile Documents to your on-premise ABAP system with a service user connection. In this part I will describe what changes you need to make for the connection to use the named user in the backend. The forwarding of the user logon to the backend is called Principal Propagation.

In order to be able to use Principal Propagation, a trust needs to be created between the SAP HANA Cloud Connector and the ABAP System. For this we use a technology called SNC (Secure Network Communication).

After the trust is established, you can configure the Cloud Connector to use Principal Propagation. Technically, the Cloud Connector will issue short-lived client certificates for each user upon request to the backend system. For the ABAP system to accept these certificates, you need to configure the acceptance of client certificates in the ABAP system. Are you still with me??

These are the things you need to do:

1. Enable SNC for the ABAP System

2. Enable SNC for the HANA Cloud Connector

3. Establish Trust between ABAP System and Cloud Connector

4. Enable Principal Propagation in the HANA Cloud Connector (to issue client certificates)

5. Enable Client Certificate Authentication on the ABAP System

6. Modify the Destination in HCP Cockpit to use Principal Propagation

7. Have a beer, if you managed to get it done!

For your reference, have a look at the official Cloud Connector documentation.

1. Enable SNC for the ABAP System

1a) Enable SNC

To enable SNC for the Cloud Connector, you need to perform similar steps as described by Gregor Wolf in his blog:

http://scn.sap.com/people/gregor.wolf/blog/2006/09/29/setup-data-encryption-between-rfc-client-and-web-as-abap-with-snc

For your reference, see also the official SAP documentation on using the SAPCRYPTOLIB on AS ABAP.

However, life has become a lot easier in the ABAP world as of release 7.31. As of this release you can use transaction SNCWIZARD to enable SNC for the ABAP system.

1b) Export ABAP SNC certificate

After you have configured SNC, you now need to export the ABAP SNC certificate (to import it later into the PSE of the Cloud Connector).

Open transaction STRUST

Switch to Change Mode

Double click on the certificate.

Double click on the Subject Entry

Click the export certificate icon.


Save it on the file system. You will need the certificate file to add to the PSE of the cloud connector.

2. Enable SNC for the HANA Cloud Connector

In this chapter, I will explain how to prepare the Cloud Connector to be ready for the secure connection with the ABAP system.

2a) Create a dedicated Cloud Connector user

First, create a new Windows user for the Cloud Connector.


Assign this user to the Cloud Connector Service


2b) Get SAPCRYPTOLIB

The secure connection requires security stuff (the experts call it SAPCRYPTOLIB) to be downloaded from the Support Portal. The SAPCRYPTOLIB contains the cryptographic functions that are required to establish a secure connection.

Download the Sapcryptolib from the Support Portal:

https://support.sap.com/swdc – Go to “Search for Software”

Search for “sapcryptolib”

As I use Windows, I downloaded the following (with the latest Patch Level)


2c) Download SAPCAR

In case you have SAPCAR somewhere already, you can skip this step.

SAPCAR is the tool to unzip the downloaded .sar file.

As you searched the download center for “sapcryptolib” in the previous step, you now search for “sapcar” and download the latest version for your operating system.

Put both files in one folder. For ease of use, I renamed the one file to “sapcryptolib.sar” and the other to “sapcar.exe”.

Open the Command prompt in this folder and use the following command to extract the content in sapcryptolib.sar:


2d) Set SECUDIR Environment Variable

How does the Cloud Connector know where the security stuff is stored?

The SECUDIR environment variable tells the cryptographic library where the PSE and the credentials file are located, so that the user the Cloud Connector runs as can access the SNC credentials at runtime.

This is my description for the steps on Windows 2008R2:

Log on with the user you have created for the cloud connector to run on

(in our case the user name is cloudconnector)

Right-click on Computer (on the desktop)

Select Properties


2e) Create PSE for the Cloud Connector

Make sure you are logged in with Admin rights to the Windows machine.

Open a Command Prompt Window with Administrative Rights (right click on Command Prompt, run as Administrator).

/wp-content/uploads/2015/12/pic_841319.png

Navigate to the folder in which you have put the files sapcrypto.dll and sapgenpse.exe.

Enter the following command to set SECUDIR as a temporary environment variable for this command prompt session, so that the PSE file and the credentials file are stored at the right location:

set SECUDIR=<path where you put the files sapcrypto.dll and sapgenpse.exe>


Enter the following command:

sapgenpse gen_pse -v -p <path and name of PSE file to be created>

When prompted, enter a password to protect access to the PSE.


As a result, the .pse file you named is created in that folder.

2f) Create Credentials File

The next step is to create a so-called credentials file for the user that the Cloud Connector runs as. With this file, that user will be able to open the PSE at runtime without entering the PSE password.

Enter command:

sapgenpse seclogin -p <path to pse file> -O <user that the cloud connector runs with>

sapgenpse seclogin -p d:\sapcrypto\CC.pse -O cloudconnector

As a result, a file called cred_v2 is created in the folder.

2g) Export own certificate

To export your own certificate to establish the trust to the ABAP system, perform the following command:

sapgenpse export_own_cert -o <certificate file to be created> -p <pse file>


This is the file you will need to import into the ABAP PSE.

2h) Perform SNC Settings in Cloud Connector

The required steps are described in the Cloud Connector documentation:

https://help.hana.ondemand.com/help/frameset.htm?f09eefe71d1e4d4484e1dd4b121585fb.html

These are the settings for my implementation (you can set the QoP Level according to your security requirements):


3. Establish Trust between ABAP system and Cloud Connector

At this stage, you have prepared the security requirements (in our case the configuration of SNC) for both communication partners, ABAP and the Cloud Connector.

Now they are ready to trust each other. To establish the actual trust, the certificate of each party needs to be imported into the PSE of the other party (I will not go into additional crypto basics here!).

3a) Import the ABAP SNC Certificate into Cloud Connector PSE

Open a command prompt window in the folder in which you have placed the PSE and credentials file of the Cloud Connector. To import the ABAP SNC certificate, enter the following command:

sapgenpse maintain_pk -v -a <SNC certificate file of the ABAP server> -p <PSE file of the Cloud Connector>

Example (in my case):

sapgenpse maintain_pk -v -a ABA_SNC.crt -p CC.pse

As a result the Cloud Connector PSE now also contains the SNC certificate of the ABAP System.
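As an added example (my own script, not the post's or SAP's), the sapgenpse steps from 2c to 2g and 3a collected into one elevated PowerShell session on the Cloud Connector host, with a few verification commands at the end. The folder D:\sapcrypto, the file names CC.pse and ABA_SNC.crt and the user name cloudconnector follow the post's own examples; the output file name CC_SNC.crt is an assumption.

```powershell
# Added example, not the original post's or SAP's script: the sapgenpse steps
# 2c to 2g and 3a in one elevated PowerShell session on the Cloud Connector host.
# Paths and names are placeholders taken from the post where it gives them
# (d:\sapcrypto, CC.pse, ABA_SNC.crt, user "cloudconnector"); CC_SNC.crt is assumed.

$CryptoDir   = 'D:\sapcrypto'                     # holds sapcryptolib.sar and sapcar.exe
$PseFile     = Join-Path $CryptoDir 'CC.pse'       # PSE of the Cloud Connector (step 2e)
$OwnCertFile = Join-Path $CryptoDir 'CC_SNC.crt'   # exported own certificate (step 2g)
$AbapCert    = Join-Path $CryptoDir 'ABA_SNC.crt'  # SNC certificate exported in step 1b
$ServiceUser = 'cloudconnector'                    # Windows account the service runs as

Set-Location $CryptoDir

# 2c) unpack SAPCRYPTOLIB; this yields sapcrypto.dll and sapgenpse.exe in this folder
.\sapcar.exe -xvf .\sapcryptolib.sar

# 2d) SECUDIR for this session only: tells sapgenpse where the PSE and the
# credentials file (cred_v2) live. The service user still needs SECUDIR as a
# persistent environment variable, as set in step 2d of the post.
$env:SECUDIR = $CryptoDir

# 2e) create the PSE; sapgenpse prompts for a PIN and for the Distinguished Name,
# which becomes the Cloud Connector's SNC name
.\sapgenpse.exe gen_pse -v -p $PseFile

# 2f) credentials file so the service user can open the PSE without the PIN
.\sapgenpse.exe seclogin -p $PseFile -O $ServiceUser

# 2g) export the own certificate for import into STRUST on the ABAP side (step 3b)
.\sapgenpse.exe export_own_cert -o $OwnCertFile -p $PseFile

# 3a) trust the ABAP system: add its SNC certificate to the PSE's certificate list
.\sapgenpse.exe maintain_pk -v -a $AbapCert -p $PseFile

# Checks: own SNC name, the credential entry for the service user, and the
# certificate list, which should now show the ABAP server's DN
.\sapgenpse.exe get_my_name -v -p $PseFile
.\sapgenpse.exe seclogin -l
.\sapgenpse.exe maintain_pk -l -v -p $PseFile

# Keep the PSE and cred_v2 readable only by the service user and administrators;
# whoever can read cred_v2 can open the PSE without the PIN.
icacls $PseFile /inheritance:r /grant "${ServiceUser}:R" /grant 'Administrators:F'
icacls (Join-Path $CryptoDir 'cred_v2') /inheritance:r /grant "${ServiceUser}:R" /grant 'Administrators:F'
```

The Distinguished Name you type at the gen_pse prompt is the SNC name the Cloud Connector presents to the ABAP system, so it is the value to use in the Cloud Connector SNC settings (2h) and in the SNC0 access control list (3c). The Cloud Connector service only picks up the persistent SECUDIR value after a restart.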

3b) Import the Cloud Connector SNC Certificate into ABAP System PSE

Log on to the ABAP System

Open transaction STRUST

Switch to Change Mode

Open the node SNC SAPCRYPTOLIB

Double click on the (green) entry in folder SNC SAPCryptolib

In the menu, select Certificate – Import

Browse to the certificate file you have exported from the Cloud Connector PSE

Click on Add to Certificate List


The certificate should now appear in the certificate list.

Do not forget to click SAVE!

3c) Maintain Access Control List for SNC connections

The ABAP system uses an additional security measure to protect access: an access control list (ACL) of the SNC names it accepts. To enable SNC communication for the Cloud Connector, you need to maintain the ACL for SNC connections. See the documentation (Step 1) for further details.

These are the settings I did for my implementation (transaction SNC0):


4. Enable the Cloud Connector to issue Certificates


Follow the steps described in the documentation.

My configuration looks like this:


5. Enable Client Certificate Authentication on the ABAP System

5a) Upload Sample Certificate

Details on how to enable certificate authentication can be found in the official documentation (Step 2).

I chose to configure the certificate mapping. Details are described here.


5b) Maintain table USREXTID

There has to be a mapping of each certificate to the user in the ABAP system. In our case, the certificate name follows the structure that you have maintained in the Cloud Connector. So in this case, in the ABAP system the mapping can be automated:

Go to transaction SE38 – Call report RSUSREXT

https://help.sap.com/saphelp_nw70ehp2/helpdata/en/a8/f11960daa149958bd73c9b1b20095a/content.htm

6. Modify Destination in HCP Cockpit

To enable Principal Propagation, you need to modify the destination in the HCP Cockpit.

In the HCP Cockpit, go to Destinations.

Click the pencil icon to change the entry:


Remove User and Password values and enter them in the fields Repository User and Repository Password.

Add the property jco.destination.auth_type and set the value to PrincipalPropagation


You can find further details about the parameters in the official documentation.

Now you can test whether the connection in the Mobile Documents Web UI works. If yes, congratulations!

You can now proceed to the next section.

7. Have a beer, if you managed to get it done!

I guess you know the required steps! 🙂
