
SNC Client Encryption

It was nice to hear that we could secure SAP GUI communication.

Most customers are not aware of this and use SAP GUI without encryption, in clear-text mode.

SNC Client Encryption is a tool that can be used for encryption without a license fee.

I configured our ABAP systems and SAP GUIs for encryption with the help of SAP Notes, guides, help pages and SCN blogs.

Like Phillip Hofmeister said in his blog, I also had some difficulty finding the right guide for configuring SNC Client Encryption.

So I decided to write this blog for newer versions of SAP and CommonCryptoLib.

You can follow the links below for detailed information.

I want to share how I did the configuration step by step.

Notes and links that need to be read:

   How SNC Client Encryption Works

   Using SNC Client Encryption for Password Logon

   1643878 – Release Notes for SNC Client Encryption

   2185235 – Using SNC Client Encryption (SCE) for Encrypting SAP GUI Connection with CommonCryptoLib

(This note has the right configuration guide, "Configuring SNC Client Encryption with CCL.pdf", which I only realized later.)

I tried to follow the help page, but unfortunately it was not clear and was not a step-by-step guide. (Some people in discussions and blogs were complaining about this kind of documentation that tells you what to do but not how to do it.) I lost some time for this reason. At last I found the right guide attached to Note 2185235; it is very easy to use and helpful, and no other documents are needed.

 

Configuration steps that I performed:


1 – Kernel patch from 7.20 to 7.22 SP 23 (so that CommonCryptoLib 8.4.30 is available in the kernel)

   Our system's kernel version was too low, so I upgraded the kernel to 7.22, which fulfils the prerequisite of CommonCryptoLib version 8.4.30 or higher.

2 – Check and apply the notes 1561161, 1580808, 1616598, 1617641 if applicable.

3 – Created an AD user

I asked the system administrators to create a user with the properties below.

Logon Name             : SNC-CE-USER

First Name             : SNC

Last Name              : Client Encryption User

Password               : <Define a Password>

Service Principal Name : SAP/SNC-CE-USER

User Cannot Change Password

Password never expires

You can check the SPN with the command below.

setspn -Q SAP/SNC-CE-USER

[screenshot: SNC_setspn]

4 – Defined below SNC parameters

Using transaction RZ10, define the parameters below to enable SNC:

snc/enable                  = 1

snc/permit_insecure_start   = 1

snc/accept_insecure_gui     = 1

snc/accept_insecure_rfc     = 1

snc/accept_insecure_cpic    = 1

snc/r3int_rfc_qop           = 8

snc/r3int_rfc_secure        = 0

snc/data_protection/use     = 3

snc/data_protection/min     = 2

snc/data_protection/max     = 3

snc/force_login_screen      = 0

snc/identity/as             = p:CN=SNC-CE-USER@MYDOMAIN.COM

snc/gssapi_lib              = D:\usr\sap\<SID>\DVEBMGS00\exe\sapcrypto.dll

5 – Create your Kerberos keytab

Log on to the OS of your SAP system as <sid>adm and create the keytab from cmd:

set SECUDIR=D:\usr\sap\<SID>\DVEBMGS00\sec

sapgenpse keytab -p SAPSNCSKERB.pse -x <password for PSE> -y <password of user SNC-CE-USER> -a SNC-CE-USER@MYDOMAIN.COM

[screenshot: sapgenpse_1]

sapgenpse seclogin -p SAPSNCSKERB.pse -x <password for PSE> -O SAPService<SID>

[screenshot: sapgenpse_2]

You can check the PSE with the command below:

sapgenpse keytab -p SAPSNCSKERB.pse -x <password for PSE> -nopsegen

[screenshot: sapgenpse_3]

You can check whether the credentials were created successfully with the command below:

sapgenpse seclogin -l

[screenshot: sapgenpse_4]

6 – Restart your SAP system

When you restart the SAP system and there is a problem with the keytab, the SAP system does not start. In that case you can set the snc/enable parameter to 0 and restart the system. After correcting the inconsistencies, enable SNC again and restart your system.

You can check the dev_wX trace files to troubleshoot SNC init problems.

7 – Install SNC Client Encryption on the Windows hosts of the SAP GUI for Windows clients.

Install the SNC Client Encryption program on the client systems.

[screenshot: SNC_CE]

After the installation you can check that the SNC_LIB environment variable is defined.

(i.e. SNC_LIB = C:\Program Files (x86)\SAP\FrontEnd\SAP GUI\Encryption\secgss.dll)

8 – Configure SAP GUI for Windows to use SNC Client Encryption.

[screenshot: SNC_GUI]

9 – Check the GUI connection

When you connect to the system, you should see a lock symbol in the bottom left corner of the GUI screen, like below.

[screenshot: SNC_encrypted]

If you can see this lock on your GUIs, you have managed to configure SNC Client Encryption, too.

Congratulations. 🙂
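To check the profile from step 4 before the restart in step 6, here is an added Python example (my own, not from the original post or from SAP): it parses a constructed instance-profile excerpt with the parameters above and lists which clear-text paths are still open, since snc/accept_insecure_gui = 1 still accepts a GUI without an SNC name and snc/data_protection/min = 2 still admits integrity-only sessions. The hardened() helper is an assumption showing the values to switch to once every client has SNC Client Encryption installed.

```python
import re
from typing import Dict, List
SAMPLE_PROFILE = """
# constructed instance-profile excerpt with the step-4 parameters; <SID> is a placeholder
snc/enable                  = 1
snc/permit_insecure_start   = 1
snc/accept_insecure_gui     = 1
snc/accept_insecure_rfc     = 1
snc/accept_insecure_cpic    = 1
snc/data_protection/use     = 3
snc/data_protection/min     = 2
snc/data_protection/max     = 3
snc/identity/as             = p:CN=SNC-CE-USER@MYDOMAIN.COM
snc/gssapi_lib              = D:\\usr\\sap\\<SID>\\DVEBMGS00\\exe\\sapcrypto.dll
"""

def parse_profile(text: str) -> Dict[str, str]:
    """Collect the snc/* parameters of a profile; a later line overrides an earlier one."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # '#' starts a comment
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.startswith("snc/"):
                params[key] = value
    return params

def check_snc(params: Dict[str, str]) -> List[str]:
    """Findings about open clear-text paths; an empty list means SNC on, no fallback open."""
    if params.get("snc/enable") != "1":
        return ["snc/enable != 1: SNC is off, every GUI logon travels in clear text"]
    findings: List[str] = []
    for key in ("snc/identity/as", "snc/gssapi_lib"):
        if not params.get(key):
            findings.append(f"{key} is not set in the profile: check it before the restart in step 6")
    for kind in ("gui", "rfc", "cpic"):      # transition flags from step 4
        val = params.get(f"snc/accept_insecure_{kind}", "0").upper()
        if val in ("1", "U"):                # U = decided per user in SU01, SNC tab
            findings.append(f"snc/accept_insecure_{kind} = {val}: non-SNC {kind} connections still accepted")
    lo, use, hi = (int(params.get("snc/data_protection/" + k, "0")) for k in ("min", "use", "max"))
    if not lo <= use <= hi:
        findings.append("snc/data_protection min/use/max are not ordered min <= use <= max")
    elif lo < 3:
        findings.append(f"snc/data_protection/min = {lo}: integrity-only or weaker sessions still accepted")
    return findings

def hardened(text: str) -> str:
    """Constructed 'after' profile: close the fallbacks once every client has SNC CE."""
    text = re.sub(r"(snc/accept_insecure_\w+\s*=\s*)1", r"\g<1>0", text)
    return re.sub(r"(snc/data_protection/min\s*=\s*)2", r"\g<1>3", text)
```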


Links that I visited and that gave me some knowledge for troubleshooting:

https://scn.sap.com/thread/3544987

https://scn.sap.com/thread/3813876

https://scn.sap.com/thread/3389036

http://scn.sap.com/docs/DOC-45138

http://wiki.scn.sap.com/wiki/display/Security/SNC+Client+Encryption

SNC: Using SNC to Encrypt Traffic – Client/Server (No SSO)

Installation, Configuration, and Administration Guide SAP NetWeaver Single Sign-On SP1 Secure Login Library

SAP Single Sign-On 2.0 SP04 Document Version: 1.0 – 2014-10-28 Secure Login for SAP Single Sign-On Implementation Guide

Wishes:

  • I wish SAP had mentioned Note 2185235 and the attached document on the help page.
  • I wish SAP could provide encryption without so many configuration steps. It could have been done by activating a parameter and ticking a check box in SAP GUI.

Questions:

  • Are your customers (for consultants) or are you aware of the clear-text communication between the GUI and the SAP server?
  • Do you think SNC Client Encryption is a useful tool?
  • Do you use SNC Client Encryption for your systems?


Thanks for your interest.





16 Comments


  1. Matt Fraser

    Yuksel,

    This is just the kind of blog I like to see, with clear detailed descriptions and screenshots of a well laid-out step-by-step process, that is important to all of us and yet has thoroughly inadequate documentation to guide one through an actual implementation. Thank you.

    Cheers,

    Matt

    1. Isaias Freitas

      Hello Yüksel,

      I have forwarded your suggestion to add the SAP KBA 2185235 to that help.sap.com page.

      Let’s see how it goes 🙂 .

      @ Matt Fraser, I believe you meant “adequate”? 🙂

      Cheers!

      Isaías

      1. Matt Fraser

        Perhaps “thoroughly” was too strong a word. 🙂

        In reality, documentation on some of these things can be all over the map. Sometimes it’s simply out of date, and other times it seems to become circularly referential, with pointers to Notes or SCN documents or Help pages that then point back to the original document, such that the reader is left with a spinning head, wondering why it can’t just all be gathered together in one place with a clear “do this” guide that leads to correct implementation. Other times it perfectly lists all the available options but gives practically no guidance on when or why you would choose one over the other, or what the consequences would be. This isn’t always the case, but often enough.

        Of course, Isaías, I would never say this of your documentation! In all seriousness, you’ve been a great help to many people here.

        But this is when blogs like Yüksel’s become invaluable, with pointers to all the original documentation for those who want to dig deeper, but practical real-world advice on what worked for the author and the sequence of steps to get there.

          1. Yuksel AKCINAR Post author

            Hello Matt, Hello Isaias,

            Thank you for your valuable comments.

            I am aware of not being thoroughly adequate. 🙂

            In my opinion these kinds of documents can be prepared by the product owners, lab guys, developers etc.

            Indeed there are a lot of topics to know in the IT area, even in SAP, and even only in the NetWeaver administration area, as you know. So it is very difficult to keep yourself fresh and well informed about everything when new versions of the products are coming every day, as Matt mentioned.

            Anyhow, I enjoyed writing this blog.

            Thanks again for spending time on my blog and encouraging me to write more.

            Regards,

            Yuksel AKCINAR

  2. Martin Mikala

    Hello,

    I have been studying for a few days how it is done, but it's still unclear to me.

    I thought that SNC is only a secure connection layer like https or ssh, but it is probably both secure connection and authentication. Is that true?

    Of course https also has some authentication based on certificates, and for public servers it is possible to connect without a client certificate, and only the server certificate is signed by a trusted CA or not.

    I also thought that SNC Client Encryption is only for a secure connection without SSO, and for SSO there is SAP NW SSO2. And I'm surprised that SNC CE needs some Kerberos token/registration.


    I’ve just created question about it, but in bad group.

    NW7.4 with Quest SSO and SNC encrypted connection outside domain with password


    I thought that I could set SAP GUI only for a secure connection, without any authorization, with manual logon.


    So can I connect securely from SAP GUI to ABAP when I'm not in any Kerberos/AD domain, and can other users in the domain also connect this way and also with SSO?


    B.R.

    Martin


    1. Yuksel AKCINAR Post author

      Hello Martin,

      SNC without SSO is used for encryption only. Yes, it is like https and ssh. For authentication you need to enter the user password.

      When you use SNC with SSO (this option is licensed) you can use certificates, tickets etc. for logon. No user password is needed for the AD or LDAP users.

      Check the picture in How SNC Client Encryption Works – Transport Layer Security on the AS ABAP – SAP Library to see how CE works.

      I don't think you can use SNC without an AD user. I haven't checked it either.

      As you can see from the above picture, you must get a token from AD to use SNC CE.

      But it is not mentioned in the prerequisites that you must log on with an AD user to a Windows system. This is the prerequisite: "SAP GUI with SNC Client Encryption installed on a computer running Microsoft Windows"

      I will try to check and return back to you.

      Regards,

      Yuksel AKCINAR

      1. Martin Mikala

        Thanks Yuksel,

        It seems that Kerberos/AD tokens are used to check whether the SAP GUI Win user/PC and NW AS ABAP are in a trusted domain. So there are probably no connection negotiations like a trusted certificate signed by a CA in https or a fingerprint in known_hosts for ssh.

        B.R. Martin

        1. Lutz Rottmann

          Hi Martin, SNC Client Encryption is kind of a stripped down version of the Secure Login Client which is part of the SAP SSO license. They cut away X.509 support and they scramble the clients’ SNC name during logon so no SSO is possible.

          SAP knows that there are loads of scenarios where encryption is needed but PCs are out of Windows domains or in many Windows domains, and is currently thinking about alternatives. We will have to wait and see what will come out of these thoughts.

          Regards,

          Lutz

  3. Lutz Rottmann

    Hi Yüksel, this is a great blog. I don't feel that alone anymore with my "encrypt everything now and care about SSO later" approach.

    From my experience I would like to add two things:

    1. snc/identity/as naming conventions
    If you take this "Encrypt everything" approach, sooner or later you will also configure X.509-based SNC for server-server communication. AFAIK the @-sign in the snc/identity/as parameter can cause trouble in certificates' CN. Therefore we have a convention to just use

    snc/identity/as = p:CN=SAPSNC-<SID>-<Installation#>

    So in system ABC with installation number 0012345678 this would be

    snc/identity/as = p:CN=SAPSNC-ABC-0012345678

    Certificates with this CN will be signed by our CA for easier trust configuration, and the SPN attributes in the domain accounts are unique and can easily be related to single SAP systems.


    2. BW clients and SNC without SSO
    Everybody should know that there is loads of trouble with SNC without SSO and older BW clients (older than approximately one year).

    Keep your GUI, Bex Analyzer and Analysis for Office installations updated in case BW Clients are used!

    Also keep your BW systems updated because client launching transactions RRMX and RAAOE were buggy too.

    (Bugs were e.g.: Logon impossible, traffic not encrypted, encrypted traffic using wrong RFC port (33xx instead of 48xx) and more).


    So great to know that there is somebody else out there using the SNC Client Encryption (SNC without SSO).

    Regards,

    Lutz

  4. K N Prabhu

    Hello Mr. Yuksel,

     

    Thanks for this nice blog, it really helps.

    As per the Note 2185235 and the Guide I have implemented SNC for my customer.

    With the current configuration, users who do not use an SNC name under the Network tab of the SAP GUI client are also able to access my AS ABAP server in unsecured mode with the lock unlocked (i.e. SNC not enabled), and users who have provided the SNC name can access it in secured mode with SNC enabled and the lock shown in the right corner of SAP GUI.

    If I have to permit users to access only via an SNC-enabled connection, what do I need to do?

    As of now, as per my knowledge, I have tried to use the parameter "snc/accept_insecure_gui=0", and after setting the parameter value to 0 I restarted the server.

    Now with the above parameter value, I am not able to log in after entering the correct user ID and password. Error: "SNC Required for this connection". It is pertinent to mention that I have already entered the SNC name under the Network tab; in spite of that this error is coming.

    Please help ASAP. I would also like to understand: SNC only encrypts the network between the SAP GUI client and the AS ABAP server; does the user also need to be mapped in SU01 under the SNC tab?

    Also please suggest whether the transactional user IDs which are maintained in AS ABAP (created with SU01) and the Windows domain AD users who access the desktop (in the domain) should be the same.

    Do the user IDs which are created in AS ABAP with SU01 need to be created in Active Directory with the same name?

    Please answer keeping all the scenarios in view only for SNC implementation, Not SSO.

     

  5. Nishant Choudhary

    Dear Mr. Yuksel Akcinar,

    For your Questions,

    Questions;

    • Are your customers (for consultants) or are you aware of clear text communication between GUI and SAP Server?
    •  Yes
    • Do you think SNC Client Encryption is a useful tool?
    • Yes
    • Do you use SNC Client Encryption  for your systems?
    • Yes, and exactly using it in the same fashion as you are.

     

    Further, I would like to know one thing: when we implement SNC with CommonCryptoLib 8, then after the implementation how can we upgrade the kernel?

    Because when we upgrade the kernel, every time the CommonCryptoLib 8 file will also be updated and replaced with the new one. Then do we have to do the keytab generation steps again and integrate it with the Kerberos user or Windows AD?

    Please suggest how we can proceed with the kernel upgrade, or whether it will not affect the existing SNC implementation after the upgrade … Please shed some light.

     

    Thanks,

    Nishant

