dhivakar muthusamy

Securing IDOC communications between SAP and PI system using SNC

Hi,

This is my first blog, and it is about securing IDoc communications between SAP and PI systems using SNC.

Secure Network Communication (SNC) is a software layer in the SAP System architecture that provides an interface to an external security product. SAP Systems provide basic security measures like SAP authorization and user authentication based on passwords. With SNC you can include protection by an external security product. SNC provides application-level, end-to-end security.

Creating the PSE (Personal Security Environment) for the server is an administrator task with its own points to take care of. I am not going deep into those admin activities here, because I want to focus on the AS Java configuration that needs to be taken care of by the integration developer.

Connecting multiple SAP systems to a single PI system is common. On some occasions, we need to connect a few SAP systems via SNC (Secure Network Communication) and a few without SNC, depending on the expected security level of the data exchanged with each system.

 

The available options for “RFC Server Parameters” in the IDoc sender adapter are:

  1. Default (Recommended)
  2. Manual
  3. From NWA

Option 1:

The communication happens through the default inboundRA in NWA, which can be configured with additional parameters to enable SNC. This is also useful if you want to enable SNC between multiple SAP systems and the PI system centrally via NWA.

To enable SNC centrally in the default resource adapter, log in to NWA –> Configuration –> Infrastructure –> Application Resources and search for inboundRA. Choose the resource type Resource Adapter.

Go to the Properties tab. Click the Add New Property icon in the right corner, which shows all the available properties.

Choose the properties that need to be configured; there are four SNC-related properties that must be set to enable Secure Network Communication from the SAP systems.

SNC Properties:

activateSNC (Boolean): true (activates SNC).

sNCMyName (String): the SNC name of the PI/PO server, which is its Distinguished Name prefixed with p:, where CN = common name (system ID of the PI/PO system), OU = organizational unit, O = organization and C = country.

Example: p:CN=SID, OU=xxxx, C=DE

sNCPartnerName (String): the SNC names of the connected AS ABAP systems, separated by “;”. Each partner name is p:CN= common name (system ID of the SAP system), OU= organizational unit, O= organization, and C= country. For instance, the application server on the host host1 where the system number is 01 has the external name (for the AS ABAP system in this case)

CN=sap01.host1, OU=TEST01, O=myCompany, C=US

If you define such a naming convention, you can use the report RSUSR300 to automatically generate the SNC names for users and components in the AS ABAP system.

Example: p:CN=SID1, OU=xxxx, C=DE; p:CN=SID2, OU=xxxx, C=DE; p:CN=SID3, OU=xxxx, C=DE

sNCLibPath (String): the path to the SNC library of your security product. The naming convention for the file name, its extension, and any dynamic references to other shared objects or libraries depends on the operating system you use. The default value is platform-specific and, in general, no library actually exists with the supplied default name, so you need to set this parameter appropriately for your security product. The file name can be up to 255 characters long, and it is recommended to give the complete path and file name.

Example: /usr/sap/SID/SYS/exe/run/libsapcrypto.so (where SID is the SAP PI system on which SNC is being configured)

Additional property for connecting the repositories of multiple AS ABAP systems:

multirepository (String): XI_IDOC_DEFAULT_DEST_SID1_100; XI_IDOC_DEFAULT_DEST_SID2_100; XI_IDOC_DEFAULT_DEST_SID3_100

Add the destinations of all the SAP systems that need to be connected, separated by “;”. This keeps the resource adapter connected to all the AS ABAP systems.

 

Refer to the table below for a few of the basic properties configured for the resource adapter.

ProgramID (String): the Program ID as registered in the SM59 RFC destination of the ECC systems. Ex. XI_IDOC_DEFAULT_SID (this can be the SAP PI system ID, since the same value is used across all SAP systems).

MaxReaderThreadCount (Integer): 5

GatewayServer (String): SAP PI/PO/AEX hostname

GatewayService (String): sapgwXX, where XX is the gateway service number, i.e. the SAP PI/PO/AEX system number + 1. Ex. if the SAP PI/PO/AEX system number is 00, the gateway service is sapgw01.

DestinationName (String): XI_IDOC_DEFAULT_DESTINATION_<SID of SAP ECC>. Ex. XI_IDOC_DEFAULT_DESTINATION_SID

local (Boolean): true

bindingKey (String): PI_AAE_IDOC

Note: All the SAP systems (SID1, SID2, SID3, etc.) should use the same ProgramID in the SM59 RFC destination that we register in the SAP PI system, and the destination should be activated with SNC.

Example: XI_IDOC_DEFAULT_SID
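Before saving the property set in NWA it is worth checking the values for the mistakes this layout invites: a partner name without the p: prefix, a partner with no matching multirepository destination, or a relative library path. The following Python check is an added example, not code from the blog or from SAP; it uses the property names above, and the SID and path values in its sample are constructed.

```python
# Added example (not the blog's or SAP's code): a pre-save consistency check for the
# inboundRA SNC properties above. Property names are the blog's; SAMPLE values are constructed.
from typing import Dict, List

DN_ATTRS = ("CN", "OU", "O", "C")  # attribute types used in the blog's SNC names

def parse_snc_name(name: str) -> Dict[str, str]:
    """Parse 'p:CN=SID, OU=xxxx, C=DE' into {'CN': 'SID', ...}; raise if malformed."""
    name = name.strip()
    if not name.startswith("p:"):
        raise ValueError(f"SNC name must start with 'p:': {name!r}")
    attrs: Dict[str, str] = {}
    for part in name[2:].split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or key.strip().upper() not in DN_ATTRS or not value.strip():
            raise ValueError(f"bad DN component {part.strip()!r} in {name!r}")
        attrs[key.strip().upper()] = value.strip()
    if "CN" not in attrs:
        raise ValueError(f"SNC name has no CN: {name!r}")
    return attrs

def split_list(value: str) -> List[str]:
    """Split a ';'-separated NWA property value (sNCPartnerName, multirepository)."""
    return [v.strip() for v in value.split(";") if v.strip()]

def check_inbound_ra(props: Dict[str, str]) -> List[str]:
    """Return findings for an inboundRA property set; an empty list means consistent."""
    findings: List[str] = []
    if props.get("activateSNC", "").lower() != "true":
        findings.append("activateSNC is not true: the resource adapter would register without SNC")
    partners = split_list(props.get("sNCPartnerName", ""))
    for key, names in (("sNCMyName", [props.get("sNCMyName", "")]), ("sNCPartnerName", partners)):
        for n in names:
            try:
                parse_snc_name(n)
            except ValueError as exc:
                findings.append(f"{key}: {exc}")
    repos = split_list(props.get("multirepository", ""))
    if len(partners) != len(repos):
        findings.append(f"{len(partners)} SNC partner(s) but {len(repos)} multirepository destination(s)")
    if not props.get("sNCLibPath", "").startswith("/"):
        findings.append("sNCLibPath should be the complete path to the SNC library")
    return findings

# Constructed sample: the second partner lacks 'p:' and SID2's destination is missing.
SAMPLE = {"activateSNC": "true", "sNCMyName": "p:CN=PIX, OU=xxxx, C=DE",
          "sNCPartnerName": "p:CN=SID1, OU=xxxx, C=DE; CN=SID2, OU=xxxx, C=DE; p:CN=SID3, OU=xxxx, C=DE",
          "multirepository": "XI_IDOC_DEFAULT_DEST_SID1_100; XI_IDOC_DEFAULT_DEST_SID3_100",
          "sNCLibPath": "/usr/sap/PIX/SYS/exe/run/libsapcrypto.so"}
```

Running `check_inbound_ra(SAMPLE)` reports two findings, one per mistake; an empty result means the three semicolon-separated lists and the SNC names are consistent with each other.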

 

RFC Destination in the SAP ECC system with SNC:

Go to transaction SM59 and choose the connection type TCP/IP.

Create an RFC destination pointing to the SAP PI system with the ProgramID used in the inbound resource adapter.

Go to the Logon & Security tab and press the button for the SNC settings. You will get the pop-up shown below, which needs to be filled with the required SNC details.

Different levels of protection are available in SNC, expressed as the Quality of Protection (QoP). Set the QoP to either 8 (default) or 9 (maximum value). Levels 1 (authentication only) and 2 (integrity protection) do not encrypt the payload; only level 3 (privacy protection) does, and 8 and 9 resolve to the system's default and maximum level respectively.

Use this RFC destination when creating the IDoc port for sending IDocs (WE21), and use the created port in the partner profile (WE20) in the respective SAP ECC systems.

The IDoc sender communication channel should be configured with RFC Server Parameters set to Default:

 

Option 2:

In this option, you provide the parameters yourself and create a communication channel for each SAP ECC business system, one per SAP ECC client to be connected. This needs comparatively more effort, as all the SNC and server parameters have to be configured in each channel for every SAP system being connected.

Below is a sample configuration directly at the channel level with all the server details and SNC parameters.

There might also be a problem when you use this option, as some security parameters do not allow registering RFC server programs from a remote or non-local host. The error is shown below.

 

Option 3:

This option is most useful when a few systems need SNC-enabled communication and the other systems do not. In these cases, we can create (clone) a new resource adapter, enable SNC on it, and leave the default resource adapter untouched.

For this, log in to NWA –> Configuration –> Infrastructure –> Application Resources and create a new resource adapter.

Blogs on cloning a resource adapter are already available on the SAP portals; please refer to them.

E.g. inboundRA_SNC

You need to add the same properties to the newly cloned resource adapter, so click on the Resource Adapter [Cloning]. Add each property in the Properties tab by clicking “Add New Property”; after adding the properties, save the resource adapter.

Add the same properties mentioned in the above table for the default resource adapter, but maintain a different ProgramID than in the default resource adapter. Add only the destinations of the systems that need SNC in the multirepository property.

Once the cloned resource adapter is up and running, use its name in the IDoc sender channels of the systems for which you need to enable SNC.

From AS Java to AS ABAP SNC enablement:

Now we need to create an RFC destination from SAP PI to SAP ECC and enable SNC on it: NWA –> Configuration –> Security –> Destinations

Destination Name: the destination name given in the resource adapter property above, XI_IDOC_DEFAULT_DESTINATION_<SID of SAP ECC>

Destination Type: RFC

 

Enter all the connection details. Once all the parameters are entered, activate SNC and determine the level of protection needed. The SNC partner name must be the receiving SAP system’s SNC name.

Test the connection by clicking “Ping Destination” and make sure the ping is successful.

The SAP PI, PO or AEX Java IDoc receiver adapter can be configured with “RFC Client Parameters” set to Default (Recommended); the destination created for each SAP ECC business system is then given as the value of the Destination parameter.

In this way, all the IDoc communication between the multiple connected SAP systems and our PI system is secured.

References:

Cloning Resource Adapter

SNC Parameters

      7 Comments

      Michelle Crapo

      Very nice! An excellent first blog. Very nice detail and, as always, I really like screenshots.

      Just curious - what project sent you down the path to determine how to use SNC? What prompted writing this blog?

      Thank you for taking the time! I'm always adding to my bag of tools for SAP. I haven't had the chance to work with PI in a couple of years. I'm sure there is a lot to catch up on. Oh well - not a requirement for me - YET.

      Michelle

      dhivakar muthusamy
      Blog Post Author

      Thanks, Michelle, for acknowledging my post.

       

      I had a requirement where I needed to enable some SAP systems with SNC which are outside the network, and some without SNC which are inside HEC.

      I couldn't get proper/complete documentation to achieve this, so this prompted me to share the way I followed to implement this case.

      Regards, Dhivakar.

      HRUSHIKESH Tripathy

      Hi Dhivakar,

       

      We have a requirement where PO will pick the file from SFTP>>>IDOC (S4). For security concerns, business wants to know whether the data is encrypted in transit before transmission to S4. Can we use the same settings which you have shared in the blog?

       

       

      Thanks,

      Rishi

      dhivakar muthusamy
      Blog Post Author

      Yes, SNC is mainly for communication between SAP/S4 and SAP PO.

      Helmut Skolaut

      Hi dhivakar muthusamy ,

      nice blog. I am trying to understand where we have to install certificates before we can start this kind of configuration. I have found another blog that already points me in the right direction:

      https://blogs.sap.com/2020/01/09/sap-secure-network-communication-snc-encryption-configuration-from-sap-portal-to-abap-systems-and-sap-gui-to-abap-systems/

      But I have not really found all the puzzle pieces - where I have to install the trusted certificates into the PI keystore ..

      I want to have all IDOC communication SAP --> PI and PI --> SAP been setup with SNC. I know we have SAP GUI configured with SNC already in our Systems.

      Thanks
      Helmut

      dhivakar muthusamy
      Blog Post Author

      Sorry, I didn't notice this query earlier. Hope you have found the solution already. In my case the certificate installation was done by the Basis team on the SAP side.

      Helmut Skolaut

      No ... not really - we haven't set this up yet - but we have to 😉 So if your Basis guy can comment in here, that would be great.