Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Connect DWC to SAP Source System using SNC RFC

dominik_wittassek
Explorer
‎03-04-2022 9:12 AM
For connecting SAP Data Warehouse Cloud to on-premise systems, the Data Provisioning Agent (DP Agent) is required. Remote Function Call (RFC) acts as the standard interface for communication between SAP systems. Due to security reasons, some companies only allow the use of encrypted RFCs, even internally. In order to meet this requirement, DPAgent must be connected over encrypted RFC. The following guide will describe the setup of encrypted RFC step by step.

 

1. Download SAPCryptolib


The encryption is done via the standard Cryptolib.
Download SAPCryptolib 8 from SAP Support Downloads either for Linux or Windows:
Software-Downloads - SAP ONE Support Launchpad



2. Extract with SAPCAR to Install-Dir of DPAgent



Extract the downloaded file using SAPCAR to the installation directory of the DPAgent.
By default, this should be C:\usr\sap\dataprovagent or /usr/sap/dataprovagent.


Example:



sapcar -xf SAPCRYPTOLIBP_8542-20011729.SAR -R C:\usr\sap\dataprovagent\Cryptolib



3. Set environment variable “SECUDIR” to point to this directory


In order to make the necessary commands become available, you need to set the environment variable "SECUDIR" pointing to the directory where you extracted the cryptolib.
You will find these variables by entering "Edit the system enivronment variables" in the windows search.

Example:



For Linux enter



export SECUDIR=/usr/sap/dataprovagent/Cryptolib

4. Create PSE in this directory


Now you need to create a PSE first, which will be used for your connections.


command:



sapgenpse get_pse [-p <PSE_name>] [-x <PIN>] [DN]

Parameters:


Suggestion PSE_name: SNC.pse

PIN: Alphanumeric Characters, length 8


DN: Distinguished name of server running dpagent






Example:



sapgenpse get_pse -p C:\usr\sap\dataprovagent\Cryptolib\SNC.pse -x SecretPassword! “CN=DPAgentserver,OU=Servers,DC=company,DC=com“



5. Create credentials


Now you need to created login credentials for the system (OS) user which is actually running the DPAgent service

command:



sapgenpse seclogin [-p <PSE_name>] [-x <PIN>] [-O [<NT_Domain>\]<user_ID>]

Parameters:


PSE_name: as above


PIN: as above


User_ID: User that runs the dpagent service






Example:



sapgenpse seclogin -p C:\usr\sap\dataprovagent\Cryptolib\SNC.pse -x SecretPassword! -O company\dpagent



6. Exchange the public key


Now both systems (DPAgent and SAP System) need to exchange the public keys.

6.1 Export the DPAgents public key


Command:



sapgenpse export_own_cert -o <output_file> -p <PSE_name> [- x <PIN>]

Parameters:


output_file: <servername>.crt


PSE_name: as above


PIN: as above






Example:



sapgenpse export_own_cert -o dpagent.crt -p C:\usr\sap\dataprovagent\Cryptolib\SNC.pse -x SecretPassword!



6.2 Import public key to AS ABAP system


Now import this key to your SAP Systems Trust Store.

Transaction: STRUST





  1. Select the SNC SAPCryptolib PSE with a double-click.




  2. Enter the PIN that protects access to the PSE.


    Information about the SNC PSE appears in the upper section of the trust manager’s screen.




  3. Choose Certificate  Import from the menu or the symbol for Import certificate.




  4. In the dialog that follows, enter the path and file name of the Identity Center’s public-key certificate file, select the Base64 format, and choose Enter.


    The certificate appears in the Certificate section of the trust manager’s screen.




  5. Choose Add to Certificate List to add the certificate to the AS ABAP’s SNC PSE.


    Save the data.




 

6.3 Export AS ABAP public key




  1. Make sure the SNC SAPCryptolib is still the selected PSE.




  2. Select the certificate shown in the Owner field with a double-click.


    Information about the certificate appears in the Certificate section.




  3. Choose Certificate  Export from the menu or the symbol for Export certificate.




  4. In the dialog that follows, enter the path and file name where you want to save the file, select the Base64 format and choose Enter.


    The file is saved to the file system.




 

6.4 Import AS ABAPs public key to dpagents PSE


Command:



sapgenpse maintain_pk [-a <cert_file>] -p <PSE_name> [-x <PIN>]

Parameters:


cert_file: Exportet certificate of AS ABAP


PSE_name: as above


PIN: as above






Exampe:



sapgenpse maintain_pk -a sapsystem.crt -p C:\usr\sap\dataprovagent\Cryptolib\SNC.pse -x SecretPassword!



7. Restart dpagent


Restart the agent either through service-manager or by executing agentcli -configAgent

8. Configure connection in DWC


Edit your existing connection or create a new one.
Under the Advanced Properties you need to enter the parameters according to your settings from the steps before:


Change from default values:

SNC Mode: ON
SNC Library: <path to sapcrypto.dll on DPAgent server>
SNC Name of Client: <DN of step 4>
SNC Name of SAP-Server: <value from AS ABAP RZ11 parameter snc/identity/as>
SNC Quality of Protection: 3

 

9. Set RFC-Connection to SNC active


In your SAP System you also have to set the RFC-connection which you use for the DPAgent to SNC.
Edit your RFC-connection in SM59, Tab "Logon & Security"

Click on the button "SNC" and enter the Partner information (DPAgent)


 

By following this step-by-step guide, you should be able to set up an encrypted RFC. This will enable communication between SAP Data Warehouse Cloud and on-premise systems when the use of an encrypted RFC is mandatory.. Feel free to let me know in the comments if you were successful in setting up an encrypted RFC using the instructions above.
4 Comments
Labels in this area
Popular Blog Posts