HEC Migration; encrypting communication between IBIS and SAP
Target audience: developers and system administrators who want to set up secure RFC connections.
How to set up secure RFC connections between IAF and the SAP Secure Gateway using SNC with Java JCO3. This document explains how to set up a SAP PSE keystore using the sapgenpse tool.
1. Configuring and installing SAP CryptoLib
First we need to configure the SAP CryptoLib before we can configure the IBIS.
Steps 1, 2, 3, 4 and 11 are on the IBIS side; steps 5, 6, 7, 8, 9 and 10 are on the SAP side.
Step 1 – Setting up the environment
Download the SAPCRYPTOLIBP sources from SAP. Unzip all sources into a directory (for example D:\SAP\snc).
Set the environment variable SECUDIR to the directory you unzipped the SAPCRYPTOLIBP sources in. NOTE: make sure to use backslashes in the environment variable!
Open a command prompt and type: cd /d %SECUDIR%
This verifies the environment variable and opens the directory. Once in the directory, type sapgenpse. Debug information appears. Make sure the following lines are present:
Loaded CommonCryptoLib from sapgenpse folder
Environment variable $SECUDIR is defined:
Step 2 – Generating the Personal Security Environment
If everything is correct, start by creating a new PSE (Personal Security Environment). You can do this by running the following command; note that the example PSE is called snctest.pse.
sapgenpse gen_pse -p snctest.pse
The command asks you to enter a PIN in order to secure the PSE, and to enter the Distinguished Name of the certificate you wish to create.
The Distinguished Name consists of the following elements:
- CN = <Common_Name>
- OU = <Organizational_Unit>
- O = <Organization>
- C = <Country>
The example certificate will be: CN=LPAB00000018345.INSIM.BIZ, C=NL, O=NN, OU=M99F706
Step 3 – PSE Authentication
Next we will need to authorize the user that will run the IBIS application. For example purposes the user will be M99F706. Please note that this user must exist on the local machine. It can be either a local or a domain user.
sapgenpse seclogin -p snctest.pse -O M99F706
You will be asked to enter the PIN for the PSE in order to make changes to it.
You should now have a cred_v2 file in the same directory as the PSE.
Step 4 – Certificate Export
Once the PSE has been created and a user has been granted access to it, we need to export the generated certificate contained in the PSE. The exported certificate will be a Base64-encoded X.509 certificate; in this example we shall name it snctest.crt.
sapgenpse export_own_cert -v -p snctest.pse -o snctest.crt
Step 5 – SAP RFC registration on the SAP gateway
In order for the IBIS to register, the TCP/IP RFC connection between the SAP ERP and the IBIS needs to be available on the SAP side.
RFC Destination (SM59)
Step 6 – RFC Connection
Create the RFC connection with the program ID that is registered in the SAP ERP gateway.
Step 7 – SNC RFC communication setup between SAP and IBIS
(NOTE: SNC is already set up in the ERP system.)
Step 8 – Exchanging Certificates
The newly generated certificate (on the IBIS side) has to be exchanged with SAP, so that SAP will trust this certificate.
Importing the IBIS certificate into the SAP ERP system:
In turn, SAP also has to export its own Base64-encoded X.509 certificate. Exporting the SAP certificate:
Step 9 – Setting ACL rules
Add the entries in SNC0.
Step 10 – Enable SNC on the RFC Destination
Enable SNC in SM59. Open the RFC destination you wish to encrypt and click on the SNC button:
A new window opens:
Set the QoP to 3 and the Partner's SNC name to the IBIS client certificate.
Once applied, restart the ERP system completely.
Step 11 – Importing the SAP Certificate
The SAP certificate, in our case called IBIStestcm1.crt, needs to be imported into the client PSE.
sapgenpse maintain_pk -v -a D:/SAP/snc/IBIStestcm1.crt -p snctest.pse
Once the command is executed, you again have to enter the PIN of the PSE in order to make changes to the file.
This concludes the steps needed to configure CryptoLib.
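The IBIS-side steps (1 to 4 and 11) collected into one script with the checks the document describes, added here as an example; it is not part of the original document or of the IBIS project. It assumes Windows with sapgenpse on the PATH and uses the document's example directory, PSE name, user and certificate names as placeholders; the `maintain_pk -l` listing call at the end is an assumption not shown in the document, and the sapgenpse PIN and Distinguished Name prompts are still answered interactively.

```powershell
# Added example (not from the original document): runs the IBIS-side steps
# 1-4 and 11 with the checks described in the text. All parameter defaults are
# the document's example values and are placeholders to be replaced.
param(
    [string]$SecuDir  = 'D:\SAP\snc',
    [string]$PseName  = 'snctest.pse',
    [string]$CertOut  = 'snctest.crt',
    [string]$IbisUser = 'M99F706',
    [string]$SapCert  = 'D:\SAP\snc\IBIStestcm1.crt'   # exported from SAP in step 8
)

$ErrorActionPreference = 'Stop'

# Step 1: SECUDIR must exist and use backslashes (the document's note).
if ($SecuDir -match '/') { throw "SECUDIR must use backslashes: $SecuDir" }
if (-not (Test-Path -LiteralPath $SecuDir -PathType Container)) { throw "SECUDIR not found: $SecuDir" }
[Environment]::SetEnvironmentVariable('SECUDIR', $SecuDir, 'Process')
Set-Location -LiteralPath $SecuDir
if (-not (Get-Command sapgenpse -ErrorAction SilentlyContinue)) { throw 'sapgenpse is not on the PATH' }

# sapgenpse without arguments prints its debug information; confirm both lines from step 1.
$diag = (& sapgenpse) -join "`n"
foreach ($needle in 'Loaded CommonCryptoLib', 'Environment variable $SECUDIR is defined') {
    if ($diag -notlike "*$needle*") { throw "Expected sapgenpse output missing: $needle" }
}

# Step 2: create the PSE; sapgenpse prompts for the PIN and the Distinguished Name.
if (-not (Test-Path -LiteralPath $PseName)) { & sapgenpse gen_pse -p $PseName }

# Step 3: grant the user that runs IBIS access to the PSE (prompts for the PIN).
& sapgenpse seclogin -p $PseName -O $IbisUser
if (-not (Test-Path -LiteralPath (Join-Path $SecuDir 'cred_v2'))) { throw 'cred_v2 was not created' }

# Step 4: export the IBIS certificate that is exchanged with SAP in step 8.
& sapgenpse export_own_cert -v -p $PseName -o $CertOut
$pem = Get-Content -LiteralPath $CertOut -Raw
if ($pem -notmatch '-----BEGIN CERTIFICATE-----') { throw "$CertOut is not a Base64 X.509 certificate" }

# Step 11: import the SAP certificate into the client PSE (prompts for the PIN).
if (Test-Path -LiteralPath $SapCert) {
    & sapgenpse maintain_pk -v -a $SapCert -p $PseName
    # Assumption: 'maintain_pk -l' lists the certificates trusted by the PSE
    # so the import can be verified; this call is not shown in the document.
    & sapgenpse maintain_pk -l -p $PseName
} else {
    Write-Warning "SAP certificate $SapCert is not present yet; rerun for step 11 after step 8."
}
```

Run the script once before the certificate exchange (steps 1 to 4) and again after SAP has exported its certificate (step 11); the guards on the PSE and on the SAP certificate make the second run skip what already exists.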
2. Configuring the IBIS
In the Configuration.xml file, search for the sapSystem tag.
Add the following arguments, entering the values of the arguments accordingly.
All other arguments, such as host, systemnr and group, can remain the same. SNC can easily be enabled or disabled by setting the sncEnabled flag. Please note that the gwservOffset (the secure port) is used to connect to the secure gateway on SAP, which automatically forces SNC on the SAP side.
3. Confirming SNC is enabled:
Open the gateway monitor:
Double click on the LU NAME:
You will see that SNC enabled is set to 1. You may also check the port to which the client is connected: it should go through the secure gateway, which automatically enforces the SNC protocol.
4. Relevant/Interesting Articles:
If all steps are executed as described above, there is no need to read these articles. If you want or need more information regarding SNC, the following articles were relevant during the development of SNC support for IBIS.
1965519 – SNC error when having multiple PSEs with same distinguished name.
We hope you've enjoyed reading this document and have learned about HEC Migration and how to set up secure RFC connections between the SAP Secure Gateway and IAF using SNC with Java JCO3.
If you have any further questions, don't hesitate to contact us.