HEC Migration; encrypting communication between IBIS* and SAP
Target audience: For developers and system administrators who want to setup secure rfc connections.
How to setup secure RFC connections between IAF and SAP Secure Gateway using SNC (Secure Network Communications) with Java JCO3. This document explains how to setup a SAP PSE keystore using the sapgenpse tool.
*What is IBIS?
The Ibis Adapter Framework is a Java based Open Source framework. The Ibis Adapter Framework is an integration framework which allows messages to be exchanged between different systems. The entire configuration can be configured in XML and consists of three main elements: a Listener, an adapter and a Sender. The Listener can receive data from a system, the Sender sends data to a system and the Adapter connects the two pieces together. Inside an adapter you can manipulate or map the data. All steps in the Ibis are carefully recorded and saved (if enabled) for debugging purposes.
1. Configuring and installing SAP CryptoLib
First we need to configure the SAP CryptoLib before we can configure the IBIS.
Steps 1,2,3,4 and 11 are on the IBIS side, steps 5, 6, 7, 8, 9, 10 are on the SAP side.
Step 1 – Setting up the environment
Download SAPCRYPTOLIBP sources from SAP. Unzip all sources into a directory (D:\SAP\snc)
Set the environment variable SECUDIR to the directory you unzipped the SAPCRYPTOLIBP sources in. NOTE: make sure to use backslashes in the environment variable!
Open command prompt type: cd /d %SECUDIR%
This verifies the environment variable and opens the directory. Once in the directory, type sapgenpse. Debug information appears. Make sure the following lines are set properly:
Loaded CommonCryptoLib from sapgenpse folder
Environment variable $SECUDIR is defined:
Step 2 – Generating the Personal Security Environment
If everything is correct start by creating a new PSE (Personal Security Environment). You can do this by running the following command, note that the name of the example PSE is called snctest.pse
sapgenpse gen_pse -p snctest.pse
The command asks you the enter a pin in order to secure the PSE, and to enter the Distinguished Name of the certificate you wish to create.
The Distinguished Name consists of the following elements:
- CN = <Common_Name>
- OU = <Organizational_Unit>
- O = <Organization>
- C = <Country>
The example certificate will be: CN=LPAB00000018345.INSIM.BIZ, C=NL, O=NN, OU=M99F706
Step 3 – PSE Authentication
Next we will need to authenticate the use that will run the IBIS application. For example purposes the user will be M99F706. Please note that this user must exist on the local machine. It can be either a local or a domain user.
sapgenpse seclogin -p snctest.pse -O M99F706
You will be asked to enter the pin for the PSE in order to make changes to the it.
You should now have a cred_v2 file in the same directory the PSE is in.
Step 4 – Certificate Export
Once the PSE has successfully been created and a user has been granted access to it, we need to export the generated certificate which is in the PSE. The exported certificate will be a base64 x509 certificate, in this example we shall name it: snctest.crt.
sapgenpse export_own_cert -v -p snctest.pse -o snctest.crt
Step 5 – SAP RFC registration on the SAP gateway
In order for the IBIS to register, the TCP/IP RFC connection between the SAP ERP and the IBIS need to be available on the SAP side.
RFC Destination (SM59)
Step 6 – RFC Connection
Create the RFC connection with the program id which is registered in the SAP ERP gateway
Step 7 – SNC RFC communication setup between SAP and IBIS
(NOTE: SNC is already setup in ERP system)
Step 8 – Exchanging Certificates
The newly generated certificate (on the IBIS side) has to be exchanged with SAP, so SAP will trust this certificate.
Importing the IBIS certificate in the SAP ERP system:
On its turn SAP also has to export its own base64 x509 certificate. Exporting the SAP certificate:
Step 9 – Setting ACL rules
Add the entries in SNC0
Step 10 – Enable SNC on the RFC Destination
Enable the SNC in Sm59. Open up the RFC you wish to encrypt and click on the SNC button:
A new window opens up:
Set the QoP to 3 and the Partners SNC name to the IBIS client certificate.
Once applied, Restart the ERP system completely
Step 11 – Importing the SAP Certificate
The SAP certificate, in our case called IBIStestcm1.crt, will need to be imported in the client PSE.
sapgenpse maintain_pk -v -a D:/SAP/snc/IBIStestcm1.crt -p snctest.pse
Once executed the command you again have to enter the pin of the PSE in order to make changes to the file.
This concludes the steps in order to configure CryptoLib.
In the Configuration.xml file search for the sapSystem tag.
Add the following arguments, please enter values of the arguments accordingly.
All other arguments such as the host, systemnr and the group can remain the same. SNC can easily be enabled/disabled by setting the sncEnabled flag. Please note that the gwservOffset aka the secure port, will to connect to the secure gateway on SAP, this automatically force SNC on the SAP side.
3. Confirming SNC is enabled:
Open the gateway monitor:
Double click on the LU NAME:
You will see SNC enabled is set to 1. You may also check the port to which the client is connected, this should go through the secure gateway which automatically ensures the SNC protocol.
4. Relevant/Interesting Articles:
If all steps are executed as described above, there is no need to read these files. If you however want or need more information regarding SNC the following articles where relevant during the development of SNC for IBIS.
1965519 – SNC error when having multiple PSEs with same distinguished name.
We hope you’ve enjoyed reading this document, and you have learned a lot about HEC Migration, how to setup secure RFC connections between SAP Secure Gateway and IAF using SNC with Java JCO3.