yakcinar

SNC Client Encryption

It was nice to hear that we could secure SAP GUI communication.

Most customers are not aware of this and use SAP GUI without encryption, in clear text mode.

SNC Client Encryption is a tool that can be used for encryption without a license fee.

I configured our ABAP systems and SAP GUIs for encryption with the help of SAP notes, guides, help pages and SCN blogs.

Like phillip.hofmeister said in his blog, I also had some difficulty finding the right guide for configuring SNC Client Encryption.

So I decided to write this blog for newer versions of SAP and CommonCryptoLib.

You can follow the links below for detailed information.

I want to share how I did the configuration step by step.

Notes and links that need to be read:

   How SNC Client Encryption Works

   Using SNC Client Encryption for Password Logon

   1643878 - Release Notes for SNC Client Encryption

   2185235 - Using SNC Client Encryption (SCE) for Encrypting SAP GUI Connection with CommonCryptoLib

(This note has the right configuration guide attached, "Configuring SNC Client Encryption with CCL.pdf", which I only noticed late.)

I tried to follow the help page, but unfortunately it was not clear and was not a step-by-step guide. (Some people in discussions and blogs were complaining about these kinds of documents, which tell you what to do but do not show how to do it.) I lost some time for this reason. At last I found the right guide attached to note 2185235; it is very easy to use and helpful. No other documents are needed.

Configuration steps that I performed:


1 - Kernel Patch from 7.20 to 7.22 SP 23 (So CommonCryptoLib 8.4.30 is available in Kernel.)

   Our system's kernel version was too low, so I changed the kernel to 7.22, which includes the prerequisite CommonCryptoLib version 8.4.30 or higher.

2 - Check and apply the notes 1561161, 1580808, 1616598, 1617641 if applicable.

3 - Created an AD user

I asked the system administrators to create a user with the properties below.

Logon Name             : SNC-CE-USER

First Name             : SNC

Last Name              : Client Encryption User

Password               : <Define a Password>

Service Principal Name : SAP/SNC-CE-USER

User Cannot Change Password

Password never expires

You can check the SPN with the command below.

setspn -Q SAP/SNC-CE-USER      

4 - Defined the SNC parameters below

Using transaction RZ10, you must define the parameters below to enable SNC:

snc/enable                  = 1

snc/permit_insecure_start   = 1

snc/accept_insecure_gui     = 1

snc/accept_insecure_rfc     = 1

snc/accept_insecure_cpic    = 1

snc/r3int_rfc_qop           = 8

snc/r3int_rfc_secure        = 0

snc/data_protection/use     = 3

snc/data_protection/min     = 2

snc/data_protection/max     = 3

snc/force_login_screen      = 0

snc/identity/as             = p:CN=SNC-CE-USER@MYDOMAIN.COM

snc/gssapi_lib              = D:\usr\sap\<SID>\DVEBMGS00\exe\sapcrypto.dll

5 -  Create your Kerberos keytab

Log in to your SAP system's OS as sidadm and create the keytab from cmd:

set SECUDIR=D:\usr\sap\<SID>\DVEBMGS00\sec

sapgenpse keytab -p SAPSNCSKERB.pse -x  <password for PSE> -y  <password of user SNC-CE-USER> -a SNC-CE-USER@MYDOMAIN.COM

sapgenpse seclogin -p SAPSNCSKERB.pse -x <password for PSE> -O SAPService<SID>      

You can check the PSE with the command below:

sapgenpse keytab -p SAPSNCSKERB.pse -x <password for PSE> -nopsegen      

You can check whether the credentials were created successfully with the command below:

sapgenpse seclogin -l

6 - Restart your SAP system

If there is a problem with the keytab, the SAP system does not start after the restart. In that case you can change the snc/enable parameter to 0 and restart the system. After correcting the inconsistencies, you need to enable SNC again and restart your system.

You can check the dev_wX trace files to troubleshoot SNCinit problems.

7 - Install SNC Client Encryption on the Windows hosts for the SAP GUI for Windows clients.

Install the SNC Client Encryption program on the client systems.

After the installation, you can check whether the SNC_LIB environment variable is defined.

(i.e. SNC_LIB = C:\Program Files (x86)\SAP\FrontEnd\SAP GUI\Encryption\secgss.dll)

8 - Configure SAP GUI for Windows to use SNC Client Encryption.

9 - Check the GUI connection

When you connect to the system, you should see a lock symbol in the bottom left corner of the GUI screen.

     

     If you can see this lock in your GUI, you have managed to configure SNC Client Encryption, too.

     Congratulations. :smile:
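
The lock symbol in step 9 shows that one GUI session is protected; whether the server still accepts unprotected sessions depends on the step 4 profile values. The following check is an added example (not from the original post or from SAP): it parses those values and lists the ones that still admit unencrypted traffic. The function names are hypothetical, and the value meanings (accept_insecure_* 0/1/U, data protection levels 1 to 3) are taken from SAP's documented SNC parameter semantics.

```python
# PROFILE is a constructed copy of the step 4 values relevant to the audit.
PROFILE = """
snc/enable                  = 1
snc/permit_insecure_start   = 1
snc/accept_insecure_gui     = 1
snc/accept_insecure_rfc     = 1
snc/accept_insecure_cpic    = 1
snc/data_protection/use     = 3
snc/data_protection/min     = 2
snc/data_protection/max     = 3
"""
# SNC quality-of-protection levels as documented by SAP.
QOP = {"1": "authentication only", "2": "integrity", "3": "privacy (encryption)"}

def parse_profile(text):
    """Parse 'name = value' lines; skip blanks and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def audit_snc(params):
    """List explicitly set values that still admit unencrypted traffic."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable: SNC is not active")
    for chan in ("gui", "rfc", "cpic"):
        key = "snc/accept_insecure_" + chan
        value = params.get(key, "")
        if value == "1":
            findings.append(key + ": connections without SNC are accepted")
        elif value.upper() == "U" and chan != "cpic":
            findings.append(key + ": non-SNC logon allowed per user flag")
    if params.get("snc/permit_insecure_start") == "1":
        findings.append("snc/permit_insecure_start: programs may start without SNC")
    minimum = params.get("snc/data_protection/min", "")
    if minimum in ("1", "2"):
        findings.append("snc/data_protection/min: level %s (%s) is accepted, "
                        "which is not encrypted" % (minimum, QOP[minimum]))
    return findings

if __name__ == "__main__":
    for finding in audit_snc(parse_profile(PROFILE)):
        print("[!]", finding)
```

Only parameters that are explicitly set are checked; kernel defaults for missing parameters are not assumed.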


Links that I visited and that gave me some knowledge for troubleshooting:

https://scn.sap.com/thread/3544987

https://scn.sap.com/thread/3813876

https://scn.sap.com/thread/3389036

http://scn.sap.com/docs/DOC-45138

http://wiki.scn.sap.com/wiki/display/Security/SNC+Client+Encryption

SNC: Using SNC to Encrypt Traffic - Client/Server (No SSO)

Installation, Configuration, and Administration Guide SAP NetWeaver Single Sign-On SP1 Secure Login ...

SAP Single Sign-On 2.0 SP04 Document Version: 1.0 - 2014-10-28 Secure Login for SAP Single Sign-On I...

Wishes:

  • I wish SAP could have mentioned note 2185235 and the attached document in the help page.
  • I wish SAP could provide encryption without so many configuration steps. It could have been done by activating a parameter and ticking a check box in SAP GUI.

Questions:

  • Are you, or your customers (for consultants), aware of the clear text communication between the GUI and the SAP server?
  • Do you think SNC Client Encryption is a useful tool?
  • Do you use SNC Client Encryption for your systems?


Thanks for your interest.



