Connect DWC to SAP Source System using SNC RFC

For connecting SAP Data Warehouse Cloud to on-premise systems, the Data Provisioning Agent (DP Agent) is required. Remote Function Call (RFC) acts as the standard interface for communication between SAP systems. Due to security reasons, some companies only allow the use of encrypted RFCs, even internally. In order to meet this requirement, DPAgent must be connected over encrypted RFC. The following guide will describe the setup of encrypted RFC step by step.

1. Download SAPCryptolib

The encryption is done via the standard Cryptolib.
Download SAPCryptolib 8 from SAP Support Downloads either for Linux or Windows:
Software-Downloads – SAP ONE Support Launchpad

2. Extract with SAPCAR to Install-Dir of DPAgent

sapcar -xf SAPCRYPTOLIBP_8542-20011729.SAR -R C:\usr\sap\dataprovagent\Cryptolib

3. Set environment variable “SECUDIR” to point to this directory

In order to make the necessary commands become available, you need to set the environment variable “SECUDIR” pointing to the directory where you extracted the cryptolib.
You will find these variables by entering “Edit the system enivronment variables” in the windows search.

Example:

For Linux enter

export SECUDIR=/usr/sap/dataprovagent/Cryptolib

4. Create PSE in this directory

Now you need to create a PSE first, which will be used for your connections.

command:

sapgenpse get_pse [-p <PSE_name>] [-x <PIN>] [DN]

Parameters:

Suggestion PSE_name: SNC.pse

PIN: Alphanumeric Characters, length 8

DN: Distinguished name of server running dpagent

sapgenpse get_pse -p C:\usr\sap\dataprovagent\Cryptolib\SNC.pse -x SecretPassword! “CN=DPAgentserver,OU=Servers,DC=company,DC=com“

5. Create credentials

Now you need to created login credentials for the system (OS) user which is actually running the DPAgent service

command:

sapgenpse seclogin [-p <PSE_name>] [-x <PIN>] [-O [<NT_Domain>\]<user_ID>]

Parameters:

PSE_name: as above

PIN: as above

User_ID: User that runs the dpagent service

sapgenpse seclogin -p C:\usr\sap\dataprovagent\Cryptolib\SNC.pse -x SecretPassword! -O company\dpagent

6. Exchange the public key

Now both systems (DPAgent and SAP System) need to exchange the public keys.

6.1 Export the DPAgents public key

Command:

sapgenpse export_own_cert -o <output_file> -p <PSE_name> [- x <PIN>]

Parameters:

output_file: <servername>.crt

PSE_name: as above

PIN: as above

sapgenpse export_own_cert -o dpagent.crt -p C:\usr\sap\dataprovagent\Cryptolib\SNC.pse -x SecretPassword!

6.2 Import public key to AS ABAP system

Now import this key to your SAP Systems Trust Store.

Transaction: STRUST

1. Select the SNC SAPCryptolib PSE with a double-click.

2. Enter the PIN that protects access to the PSE.

   Information about the SNC PSE appears in the upper section of the trust manager’s screen.

3. Choose Certificate  Import from the menu or the symbol for Import certificate.

4. In the dialog that follows, enter the path and file name of the Identity Center’s public-key certificate file, select the Base64 format, and choose Enter.

   The certificate appears in the Certificate section of the trust manager’s screen.

5. Choose Add to Certificate List to add the certificate to the AS ABAP’s SNC PSE.

   Save the data.

6.3 Export AS ABAP public key

1. Make sure the SNC SAPCryptolib is still the selected PSE.

2. Select the certificate shown in the Owner field with a double-click.

   Information about the certificate appears in the Certificate section.

3. Choose Certificate  Export from the menu or the symbol for Export certificate.

4. In the dialog that follows, enter the path and file name where you want to save the file, select the Base64 format and choose Enter.

   The file is saved to the file system.

6.4 Import AS ABAPs public key to dpagents PSE

Command:

sapgenpse maintain_pk [-a <cert_file>] -p <PSE_name> [-x <PIN>]

Parameters:

cert_file: Exportet certificate of AS ABAP

PSE_name: as above

PIN: as above

sapgenpse maintain_pk -a sapsystem.crt -p C:\usr\sap\dataprovagent\Cryptolib\SNC.pse -x SecretPassword!

7. Restart dpagent

Restart the agent either through service-manager or by executing agentcli -configAgent

8. Configure connection in DWC

Edit your existing connection or create a new one.
Under the Advanced Properties you need to enter the parameters according to your settings from the steps before:

Change from default values:

SNC Mode: ON
SNC Library: <path to sapcrypto.dll on DPAgent server>
SNC Name of Client: <DN of step 4>
SNC Name of SAP-Server: <value from AS ABAP RZ11 parameter snc/identity/as>
SNC Quality of Protection: 3

9. Set RFC-Connection to SNC active

In your SAP System you also have to set the RFC-connection which you use for the DPAgent to SNC.
Edit your RFC-connection in SM59, Tab “Logon & Security”

Click on the button “SNC” and enter the Partner information (DPAgent)

By following this step-by-step guide, you should be able to set up an encrypted RFC. This will enable communication between SAP Data Warehouse Cloud and on-premise systems when the use of an encrypted RFC is mandatory.. Feel free to let me know in the comments if you were successful in setting up an encrypted RFC using the instructions above.