Skip to Content
Technical Articles
Author's profile photo Dominik Wittassek

Connect DWC to SAP Source System using SNC RFC

For connecting SAP Data Warehouse Cloud to on-premise systems, the Data Provisioning Agent (DP Agent) is required. Remote Function Call (RFC) acts as the standard interface for communication between SAP systems. Due to security reasons, some companies only allow the use of encrypted RFCs, even internally. In order to meet this requirement, DPAgent must be connected over encrypted RFC. The following guide will describe the setup of encrypted RFC step by step.


1. Download SAPCryptolib

The encryption is done via the standard Cryptolib.
Download SAPCryptolib 8 from SAP Support Downloads either for Linux or Windows:
Software-Downloads – SAP ONE Support Launchpad

2. Extract with SAPCAR to Install-Dir of DPAgent

Extract the downloaded file using SAPCAR to the installation directory of the DPAgent.
By default, this should be C:\usr\sap\dataprovagent or /usr/sap/dataprovagent.


sapcar -xf SAPCRYPTOLIBP_8542-20011729.SAR -R C:\usr\sap\dataprovagent\Cryptolib

3. Set environment variable “SECUDIR” to point to this directory

In order to make the necessary commands become available, you need to set the environment variable “SECUDIR” pointing to the directory where you extracted the cryptolib.
You will find these variables by entering “Edit the system enivronment variables” in the windows search.


For Linux enter

export SECUDIR=/usr/sap/dataprovagent/Cryptolib

4. Create PSE in this directory

Now you need to create a PSE first, which will be used for your connections.


sapgenpse get_pse [-p <PSE_name>] [-x <PIN>] [DN]


Suggestion PSE_name: SNC.pse

PIN: Alphanumeric Characters, length 8

DN: Distinguished name of server running dpagent


sapgenpse get_pse -p C:\usr\sap\dataprovagent\Cryptolib\SNC.pse -x SecretPassword! “CN=DPAgentserver,OU=Servers,DC=company,DC=com“

5. Create credentials

Now you need to created login credentials for the system (OS) user which is actually running the DPAgent service


sapgenpse seclogin [-p <PSE_name>] [-x <PIN>] [-O [<NT_Domain>\]<user_ID>]


PSE_name: as above

PIN: as above

User_ID: User that runs the dpagent service


sapgenpse seclogin -p C:\usr\sap\dataprovagent\Cryptolib\SNC.pse -x SecretPassword! -O company\dpagent

6. Exchange the public key

Now both systems (DPAgent and SAP System) need to exchange the public keys.

6.1 Export the DPAgents public key


sapgenpse export_own_cert -o <output_file> -p <PSE_name> [- x <PIN>]


output_file: <servername>.crt

PSE_name: as above

PIN: as above


sapgenpse export_own_cert -o dpagent.crt -p C:\usr\sap\dataprovagent\Cryptolib\SNC.pse -x SecretPassword!

6.2 Import public key to AS ABAP system

Now import this key to your SAP Systems Trust Store.

Transaction: STRUST

  1. Select the SNC SAPCryptolib PSE with a double-click.

  2. Enter the PIN that protects access to the PSE.

    Information about the SNC PSE appears in the upper section of the trust manager’s screen.

  3. Choose Certificate  Import from the menu or the symbol for Import certificate.

  4. In the dialog that follows, enter the path and file name of the Identity Center’s public-key certificate file, select the Base64 format, and choose Enter.

    The certificate appears in the Certificate section of the trust manager’s screen.

  5. Choose Add to Certificate List to add the certificate to the AS ABAP’s SNC PSE.

    Save the data.


6.3 Export AS ABAP public key

  1. Make sure the SNC SAPCryptolib is still the selected PSE.

  2. Select the certificate shown in the Owner field with a double-click.

    Information about the certificate appears in the Certificate section.

  3. Choose Certificate  Export from the menu or the symbol for Export certificate.

  4. In the dialog that follows, enter the path and file name where you want to save the file, select the Base64 format and choose Enter.

    The file is saved to the file system.


6.4 Import AS ABAPs public key to dpagents PSE


sapgenpse maintain_pk [-a <cert_file>] -p <PSE_name> [-x <PIN>]


cert_file: Exportet certificate of AS ABAP

PSE_name: as above

PIN: as above


sapgenpse maintain_pk -a sapsystem.crt -p C:\usr\sap\dataprovagent\Cryptolib\SNC.pse -x SecretPassword!

7. Restart dpagent

Restart the agent either through service-manager or by executing agentcli -configAgent

8. Configure connection in DWC

Edit your existing connection or create a new one.
Under the Advanced Properties you need to enter the parameters according to your settings from the steps before:

Change from default values:

SNC Mode: ON
SNC Library: <path to sapcrypto.dll on DPAgent server>
SNC Name of Client: <DN of step 4>
SNC Name of SAP-Server: <value from AS ABAP RZ11 parameter snc/identity/as>
SNC Quality of Protection: 3


9. Set RFC-Connection to SNC active

In your SAP System you also have to set the RFC-connection which you use for the DPAgent to SNC.
Edit your RFC-connection in SM59, Tab “Logon & Security”

Click on the button “SNC” and enter the Partner information (DPAgent)


By following this step-by-step guide, you should be able to set up an encrypted RFC. This will enable communication between SAP Data Warehouse Cloud and on-premise systems when the use of an encrypted RFC is mandatory.. Feel free to let me know in the comments if you were successful in setting up an encrypted RFC using the instructions above.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Roland Kramer
      Roland Kramer

      Hello Dominik Wittassek

      thanks for this important detail about the DWC connection via the SDI Agent. I have added these Information to my Blog - next Mystery solved – proper SAC Connection

      Best Regards Roland

      Author's profile photo Mohammed Razal Velekode Nazar
      Mohammed Razal Velekode Nazar

      Simple and Clear presentation.

      Author's profile photo Mohamad Noel Abdul Halim
      Mohamad Noel Abdul Halim

      Hi Dominik,

      For  step 9. May I know what RFC is this? Is this RFC for SAP to connect direct to DPagent? Is there a guide or info about this?



      Author's profile photo Dominik Wittassek
      Dominik Wittassek
      Blog Post Author


      what exactly do you want to know, I didn't understand that question...
      DPAgent connects to the backend system by registering a server program with the name like "IM_HANA_ABAPADAPTER_*" when using RFC streaming.
      Means you don't pull the data from the system, it's more you tell your backend system "Please send the data to the DWC".
      You need RFC streaming if the data is larger than your free shared memory in your backend system.
      In this RFC connection you'll need to activate SNC for the encryption with the SNC-Name you specified when creating the PSE in step 4 (It's the Distinguished name).
      You can do RFC streaming without encryption, but most of our clients have this requirement by their security department.