By Abhyudaya Arya

Setting up SAP Secure Network Communications (SNC) on S/4HANA and integration with the ITX (IBM Transformation Extender) tool

Overview

Secure Network Communications (SNC) is a software layer in the SAP system architecture that provides an interface for connecting to an external product securely. SNC provides security at the application level, which means that a secure connection between the components of the SAP system (for example, between the SAP GUI and the SAP application server) and with third-party application software such as the IBM ITX tool is guaranteed, regardless of the communication link or transport medium. The result is a secure network connection between two SNC-enabled communication partners.

Common Abbreviations & Terminology Used

The following terminology and abbreviations are used throughout this document.

| Terminology / Abbreviation | Referred as |
| --- | --- |
| SNC | Secure Network Communications |
| PSE | Personal Security Environment |
| Client | In the SNC context, the Information Server client / engine tiers |
| SAP AS | SAP Application Server |
| X.509 | X.509 certificate |
| SSO | Single Sign-On |
| T-code | SAP transaction code |
| QoP | Quality of Protection |
| DN | Distinguished Name |
| IIS | IBM Information Server |
| SAP Server | A supported SAP system (ERP, NetWeaver or S/4HANA) |

Defining Secured Network Communication

SNC protects the logical link between the end points of a communication. The link is initiated from one side (the initiator) and accepted by the other side (the acceptor).

To use SNC between the SAP server and the ITX tool, the following parameters need to be set:

| Name | Description | Value |
| --- | --- | --- |
| SNC_MODE | Flag that indicates whether the communication should use SNC protection | 0: do not apply SNC to connections; 1: apply SNC to connections |
| SNC_MYNAME | Client SNC name (DataStage Server SNC name), also referred to as the client Personal Security Environment (PSE) name | A valid client SNC name, equal to the Distinguished Name (DN) of the client PSE |
| SNC_PARTNERNAME | The communication partner's SNC name, i.e. the SAP server SNC PSE name | A valid SAP server SNC name, equal to the Distinguished Name (DN) of the SAP server PSE |
| SNC_QOP | The quality of protection level | 1: authentication only; 2: authentication and integrity protection; 3: authentication, integrity and privacy protection (encryption); 8: global default protection (usually 3); 9: maximum protection |
| SNC_LIB | The external security product's library | The path and file name of the SAP Cryptographic Library |

Setting up SNC on the SAP Server

The following sections cover the installation and configuration of SNC on the SAP server.

Install SAP Cryptographic Library

SAPCRYPTOLIB generally ships with the kernel; its availability is documented in the SAP Note for SAPCRYPTOLIB.

Create a Personal Security Environment (PSE) for the SAP server

Follow these steps to create the PSE for the SAP server:
1. Open t-code STRUST.
2. Select the SNC (SAPCryptolib) node and choose "Create PSE" from the context menu.
3. Enter the required details for the Distinguished Name. A Distinguished Name is formed of elements that represent a hierarchical name space:
CN = Common Name
OU = Organizational Unit
O = Organization
C = Country
4. Press Enter.

Setting profile parameters for SNC on SAP Application Server

  1. Use transaction RZ10 to maintain the profile parameters.
  2. Set the parameters listed below in the instance profile.
1. snc/enable
Activates SNC on the application server.
0: SNC is disabled
1: SNC is activated
Default value: 0

2. snc/gssapi_lib
The path and file name of the GSS-API V2 shared library, i.e. the location of the SAP Cryptographic Library. You also need to maintain the corresponding environment variable on the SAP server:
LD_LIBRARY_PATH (Unix, Solaris)
LIBPATH (AIX)
PATH (Windows)
Windows: C:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll
Unix/Linux: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
Note: file names up to 255 characters long are allowed.

3. snc/identity/as
The SNC name of the application server. Syntax: p:<Distinguished_Name>. The Distinguished Name part must match the Distinguished Name that you specified when creating the SNC PSE. For example: p:CN=ABC,OU=Test,O=MyCompany,C=US

4. snc/data_protection/max
The maximum level of data protection for connections initiated by the SAP system.
1: Authentication only
2: Integrity protection
3: Privacy protection
Default value: 3

5. snc/data_protection/min
The minimum data protection level required for SNC communications.
1: Authentication only
2: Integrity protection
3: Privacy protection
Default value: 2

6. snc/data_protection/use
The default level of data protection for connections initiated by the SAP system.
1: Authentication only
2: Integrity protection
3: Privacy protection
9: Use the value from snc/data_protection/max
Default value: 3

7. snc/accept_insecure_cpic
Determines whether unprotected incoming CPIC connections on an SNC-enabled application server are accepted.
0: Reject unprotected connections
1: Accept unprotected connections

8. snc/accept_insecure_gui
Determines whether logon attempts from the SAP GUI that are not protected with SNC are accepted on an SNC-enabled application server.
0: Reject logons that are not SNC-protected
1: Accept logons with user ID and password
Default value: 0

9. snc/accept_insecure_r3int_rfc
Determines whether unprotected internal RFC connections on an SNC-enabled application server are accepted.
0: Reject unprotected internal RFCs
1: Accept unprotected internal RFCs
Default value: 1

10. snc/accept_insecure_rfc
Determines whether unprotected external RFC connections on an SNC-enabled application server are accepted.
0: Reject unprotected external RFCs
1: Accept all unprotected RFCs (internal and external)
Default value: 0

11. snc/permit_insecure_start
Permits starting programs without SNC-protected communication, even when SNC is enabled.
0: Start programs only with SNC-protected communication
1: Start programs without SNC-protected communication
Default value: 0

12. snc/extid_login_diag
Enable logon with an external identity (DIAG).
0: do not accept
1: allow
Default value: 0

13. snc/extid_login_rfc
Enable logon with an external identity (RFC).
0: do not accept
1: allow
Default value: 1

3. Save

4. Restart the SAP Application Server
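To check an instance profile against the settings in the table above, here is an added example (Python; not from the original post or from SAP) that parses the profile's snc/* parameters, flags the accept_insecure_* and data_protection/min values that weaken SNC, and verifies that snc/identity/as matches the PSE Distinguished Name after canonicalising both. The profile excerpt and the DN in it are constructed.

```python
"""Audit the snc/* parameters of an SAP instance profile (added example, not
from the original post). The profile text below is constructed."""
SECURE_FLAGS = {"snc/enable": "1", "snc/accept_insecure_cpic": "0",
                "snc/accept_insecure_gui": "0", "snc/accept_insecure_rfc": "0",
                "snc/permit_insecure_start": "0"}   # recommended values
DEFAULTS = {"snc/enable": "0", "snc/accept_insecure_gui": "0",   # unset = default
            "snc/accept_insecure_rfc": "0", "snc/permit_insecure_start": "0",
            "snc/data_protection/min": "2"}
MIN_PROTECTION = 2  # at least integrity protection; 3 adds encryption

def parse_profile(text):
    """Return {parameter: value}; '#' starts a comment, blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def normalize_dn(dn):
    """Canonical DN: attribute types upper-cased, no blanks around '=' or ','."""
    parts = []
    for element in dn.split(","):
        attr, _, value = element.partition("=")
        parts.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(parts)

def audit_snc(profile_text, pse_dn):
    """Return findings as strings; an empty list means the profile is as recommended."""
    p = parse_profile(profile_text)
    findings = []
    for key, want in SECURE_FLAGS.items():
        found = p.get(key, DEFAULTS.get(key))
        if found != want:
            findings.append(f"{key} should be {want}, found {found or '<unset>'}")
    if int(p.get("snc/data_protection/min", DEFAULTS["snc/data_protection/min"])) < MIN_PROTECTION:
        findings.append("snc/data_protection/min permits authentication-only connections")
    ident = p.get("snc/identity/as", "")
    if not ident.startswith("p:") or normalize_dn(ident[2:]) != normalize_dn(pse_dn):
        findings.append(f"snc/identity/as {ident!r} does not match the PSE DN {pse_dn!r}")
    return findings
SAMPLE_PROFILE = """\
# constructed excerpt of an instance profile
snc/enable = 1
snc/gssapi_lib = /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
snc/identity/as = p:CN=ABC, ou=Test, O=MyCompany, C=US
snc/data_protection/min = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 0
snc/permit_insecure_start = 0
"""
```

Running audit_snc(SAMPLE_PROFILE, "CN=ABC,OU=Test,O=MyCompany,C=US") reports the unset snc/accept_insecure_cpic, the GUI logons accepted without SNC, and the authentication-only minimum, while the differently cased DN is accepted as equal.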

Export the SAP SNC Certificate for client

Export the SAP certificate from the application server; it must then be imported on the client/server (IIS). Follow these steps to export the SAP certificate:

1. Log in to SAP GUI and open t-code STRUST.
2. Go to SNC (SAPCRYPTOLIB).
3. In some systems, you might have to switch from "Display" to "Change" mode to enable exporting the certificate.
4. Select the SAP server's own certificate (the one to be exported) and double-click the certificate name.
5. Click the Export button at the bottom of the page, provide the path, and save the certificate in "Base64" format.

Import a client PSE certificate

You need to import the client (ITX tool) PSE certificate into the SAP Application Server.

Follow these steps to import the client PSE certificate:
1. Log in to SAP GUI and open t-code STRUST.
2. Go to SNC (SAPCRYPTOLIB).
3. In some systems, you might need to switch from "Display" to "Change" mode.

Configuring SAP User for Secured Network Connection

You need to configure the SAP user that the client uses to connect to the SAP server over Secure Network Communications. The following steps describe the necessary settings and permissions for that user.

1. Log in to SAP GUI and open t-code SU01.
2. In the User field, enter the SAP user name to which you want to grant permission to execute the SNC functions.
3. Click the Change icon. The Maintain User screen appears.
4. Click the SNC tab.
5. In the SNC name field, enter the client PSE Distinguished Name prefixed with "p:", as in the example below. Note that after saving, SAP may or may not display the "p:".
Example: p:CN=ITX,OU=SAPPACK,O=IBM,C=US
6. Click OK. A message appears stating that the canonical name has been determined.
7. Save.

Additional SAP settings for X.509

Additionally, if you want to configure the SAP user for an X.509 SNC connection, which lets the client use SNC without supplying an SAP user name and password, you need the further settings described in the following steps.

1. Log in to SAP GUI and open t-code SM30.
2. Maintain the two tables VSNCSYSACL and VUSREXTID.
3. Maintaining table VSNCSYSACL
a. Open the table VSNCSYSACL for maintenance.
b. Choose the external type work area.
c. Choose New Entries.
d. Enter the following data in the corresponding fields:
System ID: name of the SAP system
SNC Name: Distinguished Name associated with the client PSE
e. Save the data.
4. Maintaining table VUSREXTID
a. Open the table VUSREXTID for maintenance.
b. Choose the work area "DN".
c. Enter the data in the corresponding fields as explained below:
User: SAP user that the client uses to connect to the SAP server
Sequence Number: the SAP client number
SNC Name: DN associated with the client PSE, for example "p:CN=ITX,OU=SAPPACK,O=IBM,C=US"
Activated: check this option
d. Save the data.

Setting up SNC on the client (IBM ITX)

To establish a Secure Network Connection between IBM ITX and the SAP application server, SNC must be configured both on SAP and on the IBM ITX components (the client and engine tier machines).

1. Creating an SNC Personal Security Environment (PSE) for the ITX tool
ITX must have a Personal Security Environment and an associated certificate, which is imported into the SAP Application Server to establish the SNC connection. Create the SAP-specific PSE with the sapgenpse tool provided with the SAP Cryptographic Library. With the generated PSE you can either create a self-signed certificate or obtain a certificate from a trusted Certification Authority (CA).
sapgenpse get_pse -p simple.pse -x SimpleP@ssw0rd "CN=SIMPLE"
2. Bind the PSE to the OS user and create the cred_v2 file
Use the following command to bind the client PSE to the OS user under which the ITX client or engine tier designs and runs the jobs, respectively. The operation generates a cred_v2 file, which gives the RFC program running on the Information Server access to the PSE without supplying the PSE password.
sapgenpse seclogin -p simple.pse -x SimpleP@ssw0rd

3. Export the client certificate of the newly created PSE

Export the client PSE certificate (an X.509 certificate) from the generated client PSE file. This certificate must be imported into the SAP Application Server to establish the SNC connection between the ITX tool and that SAP server.

sapgenpse export_own_cert -o simple.crt -p simple.pse

4. Import the SAP Application Server certificate into the client PSE
Import the certificate of the SAP Application Server (exported from STRUST above) into your client PSE to establish the SNC connection between the ITX tool and the SAP Application Server.
sapgenpse maintain_pk -a d:\installs\sap\secudir\p09.crt -p simple.pse -x SimpleP@ssw0rd

5. Validating the SAP AS certificate in the client environment

Once you have imported the SAP Application Server certificate into the client PSE, you can review its details in the client PSE by running the following command:

sapgenpse maintain_pk -v -l -p simple.pse

The output of this command shows the details of the SAP Application Server certificate now held in the client PSE.
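The cred_v2 file created in step 2 gives the RFC program access to the PSE without its PIN, so the directory sapgenpse keeps the PSE and cred_v2 in (SECUDIR) must be readable only by the OS user that runs the ITX engine. The following is an added example (Python; not from the original post or from sapgenpse) that audits such a directory, assuming a Unix engine tier; check_secudir, demo and the directory it builds are constructed here.

```python
"""Check the client SECUDIR after 'sapgenpse seclogin' (added example, not
from the original post or the sapgenpse tool; assumes a Unix engine tier)."""
import os
import stat
import tempfile

def check_secudir(secudir, expected_uid, pse_name="simple.pse"):
    """Return problems with the PSE and the cred_v2 file; [] means all is well."""
    if not os.path.isdir(secudir):
        return [f"SECUDIR {secudir} does not exist"]
    findings = []
    if os.stat(secudir).st_mode & stat.S_IWOTH:
        findings.append("SECUDIR is world-writable")
    for name in (pse_name, "cred_v2"):   # cred_v2 opens the PSE without its PIN
        path = os.path.join(secudir, name)
        if not os.path.isfile(path):
            findings.append(f"{name} missing in {secudir}")
            continue
        st = os.stat(path)
        if st.st_uid != expected_uid:
            findings.append(f"{name} owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name} is group/world accessible "
                            f"(mode {stat.S_IMODE(st.st_mode):04o})")
    return findings

def demo():
    """Constructed SECUDIR: PSE locked down, cred_v2 left readable by others."""
    secudir = tempfile.mkdtemp(prefix="secudir-")
    uid = os.getuid()
    for name, mode in (("simple.pse", 0o600), ("cred_v2", 0o644)):
        path = os.path.join(secudir, name)
        open(path, "wb").close()
        os.chmod(path, mode)
    before = check_secudir(secudir, uid)
    os.chmod(os.path.join(secudir, "cred_v2"), 0o600)   # the fix
    after = check_secudir(secudir, uid)
    return before, after

if __name__ == "__main__":
    print(demo())
```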

 

For more information on setting up SAP Secure Network Communications (SNC) and using it with the Pack for SAP Applications and with non-SAP applications (IBM ITX or Oracle applications), see the links below.

Overview of Secure Network Communications for SAP – Configuring Secure Network Communications for SAP (oracle.com)

Secure Network Communications (SNC) – SAP Help Portal

Conclusion: Here we configured SAP and ITX to communicate through SNC, which provides an interface for connecting to an external product securely and applies security at the application level, so that the connection between the components of the SAP system and ITX is secured. Self-signed certificates from both sides were used to create trusted two-way communication.
Communication and integration were completed successfully.

      1 Comment
      Harsh Verma

      This is really a good blog post! A detailed one...