Setting up SAP Secure Network Communications (SNC) ON S4HANA and integration with ITX (IBM Transformation Extender) Tool
Overview
Secure Network Communications (SNC) is a software layer in the SAP system architecture that provides an interface to connect to an external product securely. SNC provides security at the application level, which means that a secure connection between the components of the SAP system (for example, between the SAP GUI and the SAP application server), as well as with third-party application software such as the IBM ITX Tool, is guaranteed regardless of the communication link or transport medium. You therefore have a secure network connection between two SNC-enabled communication partners.
Common Abbreviations & Terminology Used
Knowing the terminology and abbreviations below will help you understand this document better.
Terminology / Abbreviation | Referred As |
SNC | Secured Network Communication |
PSE | Personal Security Environment |
Client | In the SNC context, the Information Server Client / Engine Tiers |
SAP AS | SAP Application Server |
X.509 | X.509 Certificate |
SSO | Single Sign On |
T-code | SAP Transaction Code |
QoP | Quality of Protection |
DN | Distinguished Name |
IIS | IBM Information Server |
SAP Server | A supported SAP system (ERP, Netweaver or S/4HANA) |
Defining Secured Network Communication
SNC protects the logical link between the end points of a communication. The link is initiated from one side (the initiator) and accepted by the other side (the acceptor).
To use SNC between the SAP Server and the ITX Tool, the following parameters need to be set:
Name | Description | Value |
SNC_MODE | The SNC flag to indicate whether the communication should use SNC protection |
|
SNC_MYNAME | Client SNC name (DataStage Server SNC Name). It is also referred to as the client Personal Security Environment (PSE) name. | A valid client SNC name, which is equal to the Distinguished Name (DN) of the client PSE |
SNC_PARTNERNAME | The communication partner’s SNC name, that is, the SAP server SNC PSE name. | A valid SAP server SNC name, which is equal to the Distinguished Name (DN) of the SAP server PSE |
SNC_QOP | The quality of protection level. | Enter one of the following values:
|
SNC_LIB | The external security product’s library | The path and file name for the SAP Cryptography library. |
Setting up SNC on the SAP Server
The following sections cover the installation and configuration of SNC on SAP server
Install SAP Cryptographic Library
SAPCRYPTOLIB generally comes with the kernel. Its availability is documented in the SAP Note for SAPCRYPTOLIB.

1. Open t-code STRUST.
2. Select the SNC (SAP Cryptolib) node and choose “Create PSE” from the context menu.
3. Enter all the required details for the Distinguished Name. A Distinguished Name is formed of elements that represent a hierarchical name space. These elements are:
CN = Common Name
OU = Organizational Unit
O = Organization
C = Country
4. Press Enter
Setting profile parameters for SNC on SAP Application Server
- Use transaction RZ10 to maintain the profile parameters
- Set the parameters as listed in the table below in instance profile file
No. | Parameter | Description | Value |
1 | snc/enable | Activates SNC on the application Server. | 0: SNC is disabled 1: SNC is activated Default Value=0 |
2 | snc/gssapi_lib | The path and file name of the GSS-API V2 shared library. Path and file name where the SAP Cryptographic Library is located. You also need to maintain the corresponding environment variables on SAP server as mentioned below: LD_LIBRARY_PATH (Unix, Solaris) | Windows: C:\usr\sap\<SID> run/libsapcrypto.so Note: File name up to 255 characters long are allowed |
3 | snc/identity/as | The SNC name of the application server. | Syntax: p:<Distinguished_Name> The Distinguished Name part must match the Distinguished Name that you specify when creating the SNC PSE. For example, p:CN=ABC,OU=Test,O=MyCompany, C=US |
4 | snc/data_protection/max | The maximum level of data protection for connections initiated by the SAP System. | The maximum level of data protection settings: 1: Authentication only 2: Integrity protection 3: Privacy protection Default Value = 3 |
5 | snc/data_protection/min | The minimum data protection level required for SNC communications. | The minimum level of data protection settings: 1: Authentication only 2: Integrity protection 3: Privacy protection Default Value = 2 |
6 | snc/data_protection/use | Default level of data protection for connections initiated by the SAP System | The default level of data protection settings: 1: Authentication only 2: Integrity protection 3: Privacy protection 9: Use the value from snc/data_ Default Value: 3 |
7 | snc/accept_insecure_cpic | Determines whether unprotected incoming CPIC connections on an SNC-enabled application server will be accepted or not. | The settings for accepting CPIC connections: 0: Reject unprotected connections 1: Accept unprotected connections |
8 | snc/accept_insecure_gui | Determines whether logon attempt coming from the SAP interface that is not protected with SNC on an SNC-enabled application server will be accepted or not. | The settings for accepting logon attempts: 0: Reject SNC-based logons 1: Accept logons with user ID and password Default Value: 0 |
9 | snc/accept_insecure_r3int_rfc | Determines whether unprotected internal RFC-connections on an SNC-enabled application server will be accepted or not. | The settings for accepting unprotected internal r3int RFC-connections 0: Reject unprotected internal RFCs 1: Accept unprotected internal RFCs Default Value: 1 |
10 | snc/accept_insecure_rfc | Determines whether unprotected internal RFC-connections on an SNC-enabled application server will be accepted or not. | The settings for accepting unprotected internal RFC-connections 0: Reject unprotected external RFCs 1: Accept all unprotected RFCs (internal and external) Default Value: 0 |
11 | snc/permit_insecure_start | Permits the starting of programs without using SNC-protected communications, even when SNC is enabled. | 0: Start programs only with SNC-protected communication 1: Start programs without SNC-protected communication Default Value: 0 |
12 | snc/extid_login_diag | Enable login with external identity (DIAG) | 0: do not accept 1: allow Default Value: 0 |
13 | snc/extid_login_rfc | Enable log in with external identity (DIAG) (for RFC Com | 0: do not accept 1: allow Default Value: 1 |
3. Save
4. Restart the SAP Application Server
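One way to check an instance profile against the parameter table above, as an added example that is not part of the original article. It assumes the profile is plain text with `name = value` lines, applies the defaults the table states to unset parameters, and runs on a constructed sample profile; the function names are hypothetical.

```python
# Assumed format: "name = value" lines, "#" comments. Sample is constructed, not from a real system.
SAMPLE_PROFILE = """\
snc/enable = 1
snc/identity/as = p:CN=ABC,OU=Test,O=MyCompany, C=US
snc/data_protection/max = 3
snc/data_protection/min = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 1
"""
# Defaults as stated in the table; applied when a parameter is not set.
DEFAULTS = {
    "snc/enable": "0", "snc/data_protection/max": "3", "snc/data_protection/min": "2",
    "snc/accept_insecure_gui": "0", "snc/accept_insecure_r3int_rfc": "1",
    "snc/accept_insecure_rfc": "0", "snc/permit_insecure_start": "0",
}
LEVELS = {1: "Authentication only", 2: "Integrity protection", 3: "Privacy protection"}
INSECURE_FLAGS = [f"snc/accept_insecure_{s}" for s in ("cpic", "gui", "r3int_rfc", "rfc")]
INSECURE_FLAGS.append("snc/permit_insecure_start")

def parse_profile(text):
    """Return {parameter: value}; split on the first '=' only (DNs contain '=')."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit_snc(params):
    """List settings that leave SNC off or let unprotected traffic in."""
    p = {**DEFAULTS, **params}
    findings = []
    if p["snc/enable"] != "1":
        findings.append("snc/enable: SNC is disabled")
    ident = p.get("snc/identity/as", "")
    if not (ident.startswith("p:") and "CN=" in ident):
        findings.append("snc/identity/as: expected p:<Distinguished_Name>")
    lo = int(p["snc/data_protection/min"])
    if lo < 3:
        findings.append(f"snc/data_protection/min: accepts '{LEVELS.get(lo, lo)}'")
    findings += [f"{f}: unprotected communication accepted"
                 for f in INSECURE_FLAGS if p.get(f) == "1"]
    return findings

if __name__ == "__main__":
    for finding in audit_snc(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```

A finding is a prompt to review the setting rather than proof of a misconfiguration: the table lists 1 as the default for snc/accept_insecure_r3int_rfc, so that parameter is reported whenever it is left unset.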
Export the SAP SNC Certificate for client
Export the SAP certificate from the application server; it must be imported on the client/server (IIS). Follow the steps below to export the SAP certificate:
1. Log in to SAP GUI and open t-code STRUST
2. Go to SNC (SAPCRYPTOLIB)
3. In some systems, you might have to change mode “Display <-> Change” to enable exporting of certificate
4. Select SAP Own certificate (to be exported) – double-click the certificate name
5. Click the Export button at the bottom of the page, provide the path and save the certificate in “Base64” format
Import a client PSE certificate
You need to import the client (ITX Tool) PSE certificate in the SAP Application Server.
Follow the steps below to import the client PSE certificate:
1. Log in to SAP GUI and open t-code STRUST
2. Go to SNC (SAPCRYPTOLIB)
3. In some systems, you might need to switch “Display <-> Change” mode
Configuring SAP User for Secured Network Connection
You need to configure the SAP user that the client uses to connect to the SAP server over Secured Network Connections. The following steps describe the necessary settings/permissions for the SAP user.
1. Log in to SAP GUI and open t-code “SU01”
2. In the User field, enter the SAP user name to which you want to grant permissions to execute the SNC functions
3. Click the Change icon. The Maintain User screen appears
4. Click the SNC tab.
5. In the SNC name field, enter the client PSE Distinguished Name prefixed by “p:” as in the example below. Note that after saving, SAP may or may not display the “p:”.
Example: p:CN=ITX,OU=SAPPACK,O=IBM,C=US
6. Click OK. A message appears stating that the canonical name is determined
7. Save
Additional SAP settings for X.509
If you also want to configure the SAP user for an X.509 SNC connection, which allows the client to use SNC without an SAP user and password, you need to make further settings as described in the following steps:
1. Log in to SAP GUI and open t-code SM30
2. Maintain two tables VSNCSYSACL and VUSREXTID
3. Maintaining table VSNCSYSACL
a. Open the table VSNCSYSACL for maintenance
b. Choose external type work area
c. Choose New Entries
d. Enter the following data in the corresponding fields
System ID: Name of the SAP system
SNC Name: Distinguished Name associated with the client PSE
e. Save the data
4. Maintaining table VUSREXTID
a. Open the table VUSREXTID for maintenance
b. Choose the work area as “DN”
c. Enter the data in the corresponding fields as explained below
User: SAP User that the client uses to connect to SAP Server.
Sequence Number: Enter the SAP client number.
SNC Name: DN associated with the client PSE. For example, “p:CN=ITX,OU=SAPPACK,O=IBM,C=US”
Activated: Select this option
d. Save the data
Setting up SNC on the client (IBM ITX)
To establish a Secured Network Connection between IBM ITX and the SAP application server, it is essential to configure SNC on both the SAP and the IBM ITX components, such as the client and engine tier machines.
3. Export the Client Certificate of the newly created PSE
We need to export the client PSE certificate / X.509 certificate from the generated client PSE file. This certificate must be imported into the SAP Application Server to establish the SNC connection between the ITX Tool and that SAP server.
sapgenpse export_own_cert -o simple.crt -p simple.pse
5. Validating the SAP AS PSE in the Client environment
Once you have imported the SAP Application Server PSE into the client PSE, you can review the details of the SAP Application Server PSE in the client PSE by running the following command:
sapgenpse maintain_pk -v -l -p simple.pse
Running the command “sapgenpse maintain_pk -v -l -p simple.pse” will generate this response:
For more information on setting up SAP Secure Network Communications (SNC) and using it with Pack for SAP Applications and non-SAP applications (IBM ITX or Oracle applications), see the links below.
Secure Network Communications (SNC) – SAP Help Portal


This is really a good blogpost ! A detailed one.....