Connect DWC to SAP Source System using SNC RFC
To connect SAP Data Warehouse Cloud to on-premise systems, the Data Provisioning Agent (DP Agent) is required. Remote Function Call (RFC) is the standard interface for communication between SAP systems. For security reasons, some companies only allow encrypted RFC, even internally. To meet this requirement, the DP Agent must be connected over encrypted RFC (SNC). The following guide describes the setup of encrypted RFC step by step.
1. Download SAPCryptolib
The encryption is done via the standard Cryptolib.
Download SAPCryptolib 8 from SAP Support Downloads either for Linux or Windows:
Software-Downloads – SAP ONE Support Launchpad
2. Extract with SAPCAR to Install-Dir of DPAgent
By default, this should be C:\usr\sap\dataprovagent or /usr/sap/dataprovagent.
Example:
sapcar -xf SAPCRYPTOLIBP_8542-20011729.SAR -R C:\usr\sap\dataprovagent\Cryptolib
3. Set environment variable “SECUDIR” to point to this directory
To make the necessary commands available, set the environment variable “SECUDIR” to the directory where you extracted the Cryptolib.
On Windows, you will find these variables by entering “Edit the system environment variables” in the Windows search.
Example (Linux):
export SECUDIR=/usr/sap/dataprovagent/Cryptolib
4. Create PSE in this directory
Now you need to create a PSE first, which will be used for your connections.
command:
sapgenpse get_pse [-p <PSE_name>] [-x <PIN>] [DN]
Parameters:
Suggestion PSE_name: SNC.pse
PIN: Alphanumeric Characters, length 8
DN: Distinguished name of server running dpagent
Example:
sapgenpse get_pse -p C:\usr\sap\dataprovagent\Cryptolib\SNC.pse -x SecretPassword! "CN=DPAgentserver,OU=Servers,DC=company,DC=com"
5. Create credentials
Now you need to create login credentials for the system (OS) user that actually runs the DP Agent service.
command:
sapgenpse seclogin [-p <PSE_name>] [-x <PIN>] [-O [<NT_Domain>\]<user_ID>]
Parameters:
PSE_name: as above
PIN: as above
User_ID: User that runs the dpagent service
Example:
sapgenpse seclogin -p C:\usr\sap\dataprovagent\Cryptolib\SNC.pse -x SecretPassword! -O company\dpagent
6. Exchange the public key
Now both systems (DPAgent and SAP System) need to exchange the public keys.
6.1 Export the DPAgents public key
Command:
sapgenpse export_own_cert -o <output_file> -p <PSE_name> [-x <PIN>]
Parameters:
output_file: <servername>.crt
PSE_name: as above
PIN: as above
Example:
sapgenpse export_own_cert -o dpagent.crt -p C:\usr\sap\dataprovagent\Cryptolib\SNC.pse -x SecretPassword!
6.2 Import public key to AS ABAP system
Now import this certificate into your SAP system's trust store.
Transaction: STRUST
- Select the SNC SAPCryptolib PSE with a double-click.
- Enter the PIN that protects access to the PSE. Information about the SNC PSE appears in the upper section of the trust manager's screen.
- Choose Certificate > Import from the menu or the symbol for Import certificate.
- In the dialog that follows, enter the path and file name of the DP Agent's public-key certificate file (exported in step 6.1), select the Base64 format, and choose Enter. The certificate appears in the Certificate section of the trust manager's screen.
- Choose Add to Certificate List to add the certificate to the AS ABAP's SNC PSE.
- Save the data.
6.3 Export AS ABAP public key
- Make sure the SNC SAPCryptolib PSE is still selected.
- Select the certificate shown in the Owner field with a double-click. Information about the certificate appears in the Certificate section.
- Choose Certificate > Export from the menu or the symbol for Export certificate.
- In the dialog that follows, enter the path and file name where you want to save the file, select the Base64 format and choose Enter. The file is saved to the file system.
6.4 Import AS ABAP's public key into the DP Agent's PSE
Command:
sapgenpse maintain_pk [-a <cert_file>] -p <PSE_name> [-x <PIN>]
Parameters:
cert_file: Exported certificate of the AS ABAP (from step 6.3)
PSE_name: as above
PIN: as above
Example:
sapgenpse maintain_pk -a sapsystem.crt -p C:\usr\sap\dataprovagent\Cryptolib\SNC.pse -x SecretPassword!
7. Restart dpagent
Restart the agent either through the service manager or by executing agentcli -configAgent.
8. Configure connection in DWC
Edit your existing connection or create a new one.
Under the Advanced Properties you need to enter the parameters according to your settings from the steps before:
Change from default values:
SNC Mode: ON
SNC Library: <path to sapcrypto.dll (libsapcrypto.so on Linux) on the DP Agent server>
SNC Name of Client: <DN of step 4>
SNC Name of SAP-Server: <value from AS ABAP RZ11 parameter snc/identity/as>
SNC Quality of Protection: 3
9. Set RFC-Connection to SNC active
In your SAP System you also have to set the RFC-connection which you use for the DPAgent to SNC.
Edit your RFC-connection in SM59, Tab “Logon & Security”
Click on the button “SNC” and enter the Partner information (DPAgent)
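To tie the command-line part of this guide (steps 3 to 6.4) together, here is an added example script, written for this article rather than taken from the author's setup or from SAP, that runs the sapgenpse commands above on Linux in order, checks each precondition first, prints the commands in a dry-run mode with the PIN masked, and refuses to import a file that is not a Base64 certificate. The paths, the OS user dpagent, the DN, the file name sapsystem.crt and the variable names SNC_PIN, DRY_RUN and RUN_SNC_SETUP are placeholders chosen here and must be adapted to your landscape; the "p:" prefix on the SNC name is the SAPCryptolib naming convention for the values entered in steps 8 and 9.

```shell
#!/bin/sh
# Added example, not from the original guide: drives the sapgenpse steps
# (3 to 6.4) of this page on Linux, checking each precondition first.
# Assumptions, all placeholders you must adapt: the paths, the OS user
# "dpagent", the DN of the agent host, and the file name of the certificate
# exported from STRUST in step 6.3. The PIN is read from the environment
# variable SNC_PIN (a name chosen here) so it is never stored in a script.

SECUDIR="${SECUDIR:-/usr/sap/dataprovagent/Cryptolib}"   # step 3
PSE_NAME="${PSE_NAME:-$SECUDIR/SNC.pse}"                  # step 4
DPAGENT_USER="${DPAGENT_USER:-dpagent}"                   # step 5
DPAGENT_DN="${DPAGENT_DN:-CN=DPAgentserver,OU=Servers,DC=company,DC=com}"
ABAP_CERT="${ABAP_CERT:-$SECUDIR/sapsystem.crt}"          # step 6.4 input
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

# Step 4 PIN rule from the guide: at least 8 characters.
check_pin() {
  [ -n "$1" ] && [ "${#1}" -ge 8 ]
}

# Steps 6.2 and 6.3 work with Base64 (PEM) files; refuse anything else
# before handing it to maintain_pk.
is_pem_cert() {
  [ -f "$1" ] && grep -q '^-----BEGIN CERTIFICATE-----' "$1" \
              && grep -q '^-----END CERTIFICATE-----' "$1"
}

# SAPCryptolib SNC names are the DN with a "p:" prefix; this is the value
# for "SNC Name of Client" (step 8) and the SM59 partner name (step 9).
snc_name() {
  printf 'p:%s\n' "$1"
}

# Print a command with the argument after -x (the PIN) masked.
print_masked() {
  hide=0
  for arg in "$@"; do
    if [ "$hide" = 1 ]; then printf '%s ' '********'; hide=0
    elif [ "$arg" = "-x" ]; then printf '%s ' "$arg"; hide=1
    else printf '%s ' "$arg"; fi
  done
  printf '\n'
}

# Execute the command, or only print it in dry-run mode.
run() {
  if [ "$DRY_RUN" = "1" ]; then print_masked "$@"; else "$@"; fi
}

# Returns 1 on a bad PIN, 2 when the AS ABAP certificate file is unusable.
setup_snc() {
  check_pin "$SNC_PIN" || { echo "SNC_PIN must be set and at least 8 characters" >&2; return 1; }
  export SECUDIR                                                           # step 3
  run sapgenpse get_pse -p "$PSE_NAME" -x "$SNC_PIN" "$DPAGENT_DN"         # step 4
  run sapgenpse seclogin -p "$PSE_NAME" -x "$SNC_PIN" -O "$DPAGENT_USER"   # step 5
  run sapgenpse export_own_cert -o "$SECUDIR/dpagent.crt" -p "$PSE_NAME" -x "$SNC_PIN"  # step 6.1
  if ! is_pem_cert "$ABAP_CERT"; then
    echo "skipping maintain_pk: $ABAP_CERT is not a Base64 certificate file" >&2
    return 2
  fi
  run sapgenpse maintain_pk -a "$ABAP_CERT" -p "$PSE_NAME" -x "$SNC_PIN"  # step 6.4
  echo "SNC Name of Client for step 8: $(snc_name "$DPAGENT_DN")"
}

# Run only when explicitly requested, e.g.:
#   SNC_PIN=... DRY_RUN=0 RUN_SNC_SETUP=1 sh snc_setup.sh
if [ "${RUN_SNC_SETUP:-0}" = "1" ]; then setup_snc; fi
```

Run it once with DRY_RUN=1 to review the exact commands before touching the PSE. Because -x places the PIN in each command's argument list, which other local users can read from the process list, prefer omitting -x for interactive use and entering the PIN at the sapgenpse prompt on shared hosts.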
By following this step-by-step guide, you should be able to set up an encrypted RFC. This will enable communication between SAP Data Warehouse Cloud and on-premise systems when the use of an encrypted RFC is mandatory. Feel free to let me know in the comments if you were successful in setting up an encrypted RFC using the instructions above.
Hello Dominik Wittassek
thanks for this important detail about the DWC connection via the SDI Agent. I have added this information to my blog: next Mystery solved – proper SAC Connection
Best Regards Roland
Simple and Clear presentation.
Hi Dominik,
For step 9. May I know what RFC is this? Is this RFC for SAP to connect direct to DPagent? Is there a guide or info about this?
Thanks.
Hi,
what exactly do you want to know, I didn't understand that question...
DPAgent connects to the backend system by registering a server program with the name like "IM_HANA_ABAPADAPTER_*" when using RFC streaming.
That means you don't pull the data from the system; it's more that you tell your backend system "Please send the data to the DWC".
You need RFC streaming if the data is larger than your free shared memory in your backend system.
In this RFC connection you'll need to activate SNC for the encryption with the SNC-Name you specified when creating the PSE in step 4 (It's the Distinguished name).
You can do RFC streaming without encryption, but most of our clients have this requirement by their security department.