Securing IDOC communications between SAP and PI system using SNC
Hi,
This is my first blog, and it is about securing IDoc communications between SAP and PI systems using SNC.
Secure Network Communication (SNC) is a software layer in the SAP System architecture that provides an interface to an external security product. SAP Systems provide basic security measures like SAP authorization and user authentication based on passwords. With SNC you can include protection by an external security product. SNC provides application-level, end-to-end security.
To create the PSE (Personal Security Environment) for the server, the administrator needs to take care of some points. I am not going deep into the admin activities, as I want to focus on the AS Java system configuration that the integration developer has to take care of.
Connecting multiple SAP systems to a single PI system is common. On some occasions we need to connect a few SAP systems via SNC (Secure Network Communication) and a few without SNC, according to the security level expected for the data exchanged with each system.
The available options for “RFC Server Parameters” in the IDoc sender adapter are
- Default (Recommended)
- Manual
- From NWA
Option 1:
The communication happens through the default inboundRA in NWA, which can be configured with additional parameters to enable SNC. This is also useful if you want to enable SNC between multiple SAP systems and the PI system centrally via NWA.
To enable SNC centrally in the default resource adapter, log in to NWA –> Configuration –> Infrastructure –> Application Resources, search for inboundRA and choose Resource Type Resource Adapter.
Go to the Properties tab. Click the Add New Property icon in the right corner, which shows all the available properties.
Choose the properties that need to be configured; there are four SNC-related properties that need to be set to enable Secure Network Communication from the SAP systems.
SNC Properties:
| Name | Type | Value |
| --- | --- | --- |
| activateSNC | Boolean | true (activates SNC) |
| sNCMyName | String | The server’s SNC name: the Distinguished Name prefixed with p:, where CN = common name (system ID of the PI/PO system), OU = organizational unit, O = organization and C = country. Example: p:CN=SID, OU=xxxx, C=DE |
| sNCPartnerName | String | The SNC names of the AS ABAP systems, separated by “;”. Each follows the same convention: p:CN=<system ID of the SAP system>, OU=<organizational unit>, O=<organization>, C=<country>. For instance, the application server on host host1 with system number 01 has the external name CN=sap01.host1, OU=TEST01, O=myCompany, C=US. If you define such a naming convention, you can use report RSUSR300 to generate the SNC names for users and components in the AS ABAP automatically. Example: p:CN=SID1, OU=xxxx, C=DE; p:CN=SID2, OU=xxxx, C=DE; p:CN=SID3, OU=xxxx, C=DE |
| sNCLibPath | String | Path to the SNC library. The file name, its extension and any dynamic references to other shared objects or libraries depend on the operating system; the default value is platform-specific and, in general, no library exists with the default name, so set this parameter for your security product. The file name can be up to 255 characters long; give the complete path and file name. Example: /usr/sap/SID/SYS/exe/run/libsapcrypto.so, where SID is the SAP PI system in which SNC is being configured |

Additional property for connecting the repositories of multiple AS ABAP systems:

| Name | Type | Value |
| --- | --- | --- |
| multirepository | String | XI_IDOC_DEFAULT_DEST_SID1_100; XI_IDOC_DEFAULT_DEST_SID2_100; XI_IDOC_DEFAULT_DEST_SID3_100 |

Add the destinations of all the SAP systems to be connected, separated by “;”. This keeps the resource adapter connected to all the AS ABAP systems.
Refer to the table below for a few of the basic properties configured for the resource adapter.

| Name | Type | Value |
| --- | --- | --- |
| ProgramID | String | The ProgramID as registered in the SM59 RFC destination of the ECC systems, e.g. XI_IDOC_DEFAULT_SID (SID can be the SAP PI system ID, since the same ProgramID is used across all SAP systems) |
| MaxReaderThreadCount | Integer | 5 |
| GatewayServer | String | SAP PI/PO/AEX hostname |
| GatewayService | String | sapgwXX, where XX is the gateway service: the SAP PI/PO/AEX system number + 1. Example: if the SAP PI/PO/AEX system number is 00, the gateway service is sapgw01 |
| DestinationName | String | XI_IDOC_DEFAULT_DESTINATION_<SID of SAP ECC>, e.g. XI_IDOC_DEFAULT_DESTINATION_SID |
| local | Boolean | true |
| bindingKey | String | PI_AAE_IDOC |
Note: All the SAP systems (SID1, SID2, SID3, etc.) should use the same ProgramID in their SM59 RFC destination, which we register in the SAP PI system, and the destination should be activated with SNC.
Example: XI_IDOC_DEFAULT_SID
RFC destination in the SAP ECC system with SNC:
Go to transaction SM59 and choose connection type TCP/IP.
Create an RFC destination pointing to the SAP PI system with the ProgramID used in the inbound resource adapter.
Go to the Logon & Security tab and open the SNC settings. You will get the pop-up below, which needs to be filled with the required SNC details.
Different levels of protection are available in SNC. Set the QoP to either 8 (default) or 9 (maximum value).
Use this RFC destination when creating the IDoc port for sending IDocs (WE21), and use the port so created in the partner profile (WE20) of the respective SAP ECC system.
The IDoc sender communication channel should be configured with RFC Server Parameters set to Default:
Option 2:
In this option, you provide the appropriate parameters and create a communication channel for each SAP ECC business system, one per SAP ECC client to be connected. This needs comparatively more effort, as all the SNC and server parameters have to be configured in each channel for every SAP system being connected.
Below is a sample of configuring the server details and SNC parameters directly at channel level.
There can also be a problem when you use this option: some security parameters do not allow registering RFC server programs from a remote (non-local) host. The error is shown below.
Option 3:
This option is more useful when a few systems need SNC-enabled communication and the others do not. In this case we can create (clone) a resource adapter, enable SNC on the new resource adapter and leave the default resource adapter untouched.
For this, log in to NWA –> Configuration –> Infrastructure –> Application Resources and create a new resource adapter.
Blogs on cloning a resource adapter are already available on the SAP portals; please refer to them.
E.g. inboundRA_SNC
You need to add the same properties to the newly cloned resource adapter, so click on the Resource Adapter [Cloning]. You can add a property in the Properties tab by clicking “Add New Property”; after adding the properties, save the resource adapter.
Add the same properties listed in the table above for the default resource adapter, but maintain a different ProgramID than in the default resource adapter. Add only the destinations of the systems that need SNC to the multirepository property.
Once the cloned resource adapter is up and running, use its name in the IDoc sender channel of the systems for which you need to enable SNC.
SNC enablement from AS Java to AS ABAP:
Now we need to create the RFC destination from SAP PI to SAP ECC and enable SNC on it: NWA –> Configuration –> Security –> Destinations
Destination Name – the destination name given in the resource adapter property above, XI_IDOC_DEFAULT_DESTINATION_<SID of SAP ECC>
Destination Type: RFC
Enter all the connection details. Once all the parameters are entered, activate SNC and choose the level of protection needed. The SNC partner name must be the receiving SAP system’s SNC name.
Test the connection by clicking “Ping Destination” and make sure the ping is successful.
The SAP PI, PO or AEX Java IDoc receiver adapter can be configured with “RFC Client Parameters” set to Default (Recommended), in which case the destination created for each SAP ECC business system is given as the value of the Destination parameter.
In this way, all the IDoc communication between the multiple connected SAP systems and our PI system is secure.
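Because the SNC settings are spread over several places (the inboundRA properties, a cloned adapter for Option 3, and the NWA RFC destinations for the PI to SAP direction), it is easy to end up with a partner listed in sNCPartnerName that has no destination, a destination without SNC, or two adapters registering the same ProgramID. The script below is an added example, not code from the post or from SAP: it parses SNC names in the p:CN=...,OU=...,C=... convention, checks one adapter's property set, and cross-checks several adapters against a simplified stand-in for the NWA destination screen (the "snc"/"sncPartnerName" keys of that stand-in are assumed). The sample landscape, SIDs, hosts and paths are constructed.

```python
# Added example, not SAP code: consistency checks over the inboundRA properties and NWA
# destinations described in this post. Property names follow the post; SIDs, hosts and paths are made up.
import re

DEST_RE = re.compile(r"^XI_IDOC_DEFAULT_DEST_([A-Z][A-Z0-9]{2})_(\d{3})$")  # post's multirepository naming

def parse_snc_name(name: str) -> dict[str, str]:
    """Split 'p:CN=SID, OU=xxxx, C=DE' into its RDN parts; the p: prefix and a CN are mandatory."""
    name = name.strip()
    if not name.startswith("p:"):
        raise ValueError(f"SNC name must be prefixed with 'p:': {name!r}")
    rdns: dict[str, str] = {}
    for part in name[2:].split(","):
        key, sep, value = part.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part.strip()!r} in {name!r}")
        rdns[key.strip().upper()] = value.strip()
    if "CN" not in rdns:
        raise ValueError(f"SNC name has no CN: {name!r}")
    return rdns

def split_list(value: str) -> list[str]:
    """Split a ';'-separated property value (sNCPartnerName, multirepository)."""
    return [v.strip() for v in value.split(";") if v.strip()]

def snc_active(props: dict[str, str]) -> bool:
    return props.get("activateSNC", "false").strip().lower() == "true"

def check_adapter(props: dict[str, str]) -> list[str]:
    """Problems found in one resource adapter's property set (empty list = consistent)."""
    problems: list[str] = []
    dest_sids: set[str] = set()
    for dest in split_list(props.get("multirepository", "")):
        m = DEST_RE.match(dest)
        if m:
            dest_sids.add(m.group(1))
        else:
            problems.append(f"multirepository entry {dest!r} does not follow XI_IDOC_DEFAULT_DEST_<SID>_<client>")
    if not snc_active(props):
        return problems  # without SNC the remaining properties are not used
    if not props.get("sNCLibPath", "").startswith("/"):
        problems.append("sNCLibPath must be the complete path to the SNC library")
    try:
        parse_snc_name(props.get("sNCMyName", ""))
    except ValueError as exc:
        problems.append(f"sNCMyName: {exc}")
    partner_sids: set[str] = set()
    for partner in split_list(props.get("sNCPartnerName", "")):
        try:
            partner_sids.add(parse_snc_name(partner)["CN"])  # post's convention: CN carries the system ID
        except ValueError as exc:
            problems.append(f"sNCPartnerName: {exc}")
    # every SNC partner needs a repository destination, and every destination an SNC partner
    for sid in sorted(partner_sids - dest_sids):
        problems.append(f"SNC partner {sid} has no multirepository destination")
    for sid in sorted(dest_sids - partner_sids):
        problems.append(f"destination for {sid} is served over SNC but {sid} is not an SNC partner")
    return problems

def check_landscape(adapters: dict[str, dict[str, str]], destinations: dict[str, dict[str, str]]) -> list[str]:
    """Cross-check all adapters (inboundRA plus a clone such as inboundRA_SNC) against the NWA RFC
    destinations of the PI -> SAP direction. `destinations` maps a destination name to
    {'snc': 'true'/'false', 'sncPartnerName': ...}, an assumed stand-in for the NWA screen."""
    problems: list[str] = []
    program_ids: dict[str, str] = {}
    for name, props in adapters.items():
        problems += [f"{name}: {p}" for p in check_adapter(props)]
        pid = props.get("ProgramID", "")
        if pid in program_ids:  # two adapters registering one ProgramID would collide at the gateway
            problems.append(f"{name} and {program_ids[pid]} both register ProgramID {pid}")
        program_ids[pid] = name
        partners = set(split_list(props.get("sNCPartnerName", "")))
        for dest in split_list(props.get("multirepository", "")):
            d = destinations.get(dest)
            if d is None:
                problems.append(f"{name}: destination {dest} does not exist in NWA")
            elif snc_active(props) and d.get("snc", "false").lower() != "true":
                problems.append(f"{name}: destination {dest} must have SNC activated")
            elif snc_active(props) and d.get("sncPartnerName", "").strip() not in partners:
                problems.append(f"{name}: destination {dest} partner name is not listed in sNCPartnerName")
    return problems

# Constructed sample for the Option 3 scenario: default adapter without SNC for the in-network
# system ED1, a clone with SNC for ED2 and ED3, which are reached across the network.
SAMPLE_ADAPTERS = {
    "inboundRA": {"ProgramID": "XI_IDOC_DEFAULT_PIX", "activateSNC": "false",
                  "multirepository": "XI_IDOC_DEFAULT_DEST_ED1_100"},
    "inboundRA_SNC": {"ProgramID": "XI_IDOC_DEFAULT_PIX_SNC", "activateSNC": "true",
                      "sNCMyName": "p:CN=PIX, OU=PI, O=Example, C=DE",
                      "sNCPartnerName": "p:CN=ED2, OU=ERP, O=Example, C=DE; p:CN=ED3, OU=ERP, O=Example, C=DE",
                      "sNCLibPath": "/usr/sap/PIX/SYS/exe/run/libsapcrypto.so",
                      "multirepository": "XI_IDOC_DEFAULT_DEST_ED2_100; XI_IDOC_DEFAULT_DEST_ED3_100"},
}
SAMPLE_DESTINATIONS = {"XI_IDOC_DEFAULT_DEST_ED1_100": {"snc": "false", "sncPartnerName": ""},
                       "XI_IDOC_DEFAULT_DEST_ED2_100": {"snc": "true", "sncPartnerName": "p:CN=ED2, OU=ERP, O=Example, C=DE"},
                       "XI_IDOC_DEFAULT_DEST_ED3_100": {"snc": "true", "sncPartnerName": "p:CN=ED3, OU=ERP, O=Example, C=DE"}}

if __name__ == "__main__":
    print("\n".join(check_landscape(SAMPLE_ADAPTERS, SAMPLE_DESTINATIONS) or ["landscape is consistent"]))
```

The checks mirror the rules stated in this post: the p: prefix and CN on every SNC name, the complete library path, one destination per SNC partner (and no destination served by an SNC adapter whose system is missing from sNCPartnerName), distinct ProgramIDs for the default and cloned adapters, and SNC with the receiver's own SNC name on each NWA destination used by an SNC adapter. Feed it the values exported from NWA before going live to catch the mismatches that otherwise only surface as failed pings or rejected registrations.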
Very Nice! An excellent first blog. Very nice detail and as always I really like screen shots.
Just curious - what project sent you down the path to determine how to use SNC? What prompted writing this blog?
Thank you for taking the time! I'm always adding to my bag of tools for SAP. I haven't had the chance to work with PI in a couple of years. I'm sure there is a lot to catch up on. Oh well - not a requirement for me - YET.
Michelle
Thanks Michelle! for acknowledging my post.
I had a requirement where I needed to enable some SAP systems with SNC which are outside the network and some without SNC which are inside HEC.
I couldn't get proper/complete documentation to achieve this, so this prompted me to share the way I followed to implement this case.
Regards, Dhivakar.
Hi Dhivakar,
We have a requirement where PO will pick the file from SFTP >>> IDOC (S4). For security concerns, business wants to know whether the data is encrypted in transit before transmission to S4. Can we use the same settings which you have shared in the blog?
Thanks,
Rishi
Yes, SNC is mainly for communication between SAP/S4 and SAP PO.
Hi Dhivakar Muthusamy,
nice blog. I try to understand where we have to install certificates before we can start this kind of configuration. I have found another blog that already points me in the right direction:
https://blogs.sap.com/2020/01/09/sap-secure-network-communication-snc-encryption-configuration-from-sap-portal-to-abap-systems-and-sap-gui-to-abap-systems/
But I have not really found all puzzle pieces - where I have to install the trusted certificates into the PI keystore ..
I want to have all IDOC communication SAP --> PI and PI --> SAP been setup with SNC. I know we have SAP GUI configured with SNC already in our Systems.
Thanks
Helmut
Sorry, I didn't notice this query earlier. Hope you have found the solution already. In my case the certificate installation was done by the Basis team on the SAP side.
No ... not really - we haven't yet set this up - but we have to 😉 So if your Basis guy can comment in here would be great.