IBM Support

Setting up SAP Secure Network Communications (SNC) and using it with Pack for SAP Applications

Technote (FAQ)


Question

How do I set up SNC for use with the Pack?

Answer

The process of setting up an SNC connection involves several layers. Follow the links below to navigate to specific sections within the document.
Overview
....Common Abbreviations & Terminology Used
....Levels of Security Protection
....Defining Secured Network Communication
....Possible Logins using SNC
Setting up SNC on the SAP Server
....Install SAP Cryptographic Library
....Create Personal Security Environment (PSE) for SAP Server
....Setting Profile Parameters for SNC on the Gateway
....Export the SAP SNC Certificate for client
....Import a client PSE certificate
....Configuring SAP User for Secured Network Connection
....Additional SAP settings for X.509
Setting up SNC on the client (DataStage client/server tier)
....Downloading SAP Cryptographic Library and setting mandatory environment variables
....Creating a SNC Personal Security Environment (PSE) for Information Server
........Step 1 - Generate the PSE file
........Step 2 - Bind PSE with the OS user and create the cred_v2 file
........Step 3 - Export the Client Certificate of the newly created PSE
........Step 4 - Import the SAP Application Server Certificate to the Client PSE
....Importing the Client PSE (public) certificate into SAP Application Server PSE
....Validating the SAP AS PSE in the Client environment
Defining the SNC connection in the Pack for SAP Applications


Overview

Secure Network Communications (SNC) is a software layer in the SAP system architecture that provides an interface for connecting securely to an external product. SNC provides security at the application level, which means that a secure connection is guaranteed between the components of the SAP system (for example, between the SAP GUI and the SAP application server) as well as with third-party application software such as IBM InfoSphere Information Server, regardless of the communication link or transport medium. You therefore have a secure network connection between two SNC-enabled communication partners. This article describes how to configure SNC to secure communications between the SAP Application Server and the InfoSphere Information Server Pack for SAP Applications.


Common Abbreviations & Terminology Used

Knowing the following terminology and abbreviations helps in understanding this document.

Terminology / Abbreviation    Referred As
SNC                           Secured Network Communication
PSE                           Personal Security Environment
Client                        In the SNC context, the Information Server Client / Engine Tiers
SAP AS                        SAP Application Server
X.509                         X.509 Certificate
SSO                           Single Sign On
t-code                        SAP Transaction Code
QoP                           Quality of Protection
DN                            Distinguished Name
IIS                           IBM Information Server


Levels of Security Protection

SNC provides three levels of security protection as mentioned below:

1. Authentication only — When using the Authentication only protection level, the system verifies the identity of the communication partners. This is the minimum protection level offered by SNC.

2. Integrity protection — When using Integrity protection, the system detects any changes or manipulation of the data which may have occurred between the two end points of a communication.

3. Privacy protection — When using Privacy protection, the system encrypts the messages being transferred to make eavesdropping useless. Privacy protection also includes integrity protection of the data. This is the maximum level of protection provided by SNC.



Defining Secured Network Communication

SNC protects the logical link between the end points of a communication. The link is initiated from one side (the initiator) and accepted by the other side (the acceptor). For example, when the DataStage server starts a connection with the SAP Application Server, the DataStage server becomes the initiator of the communication and the SAP Application Server becomes the acceptor. Both sides of the communication link need to specify SNC options.

To use SNC between the SAP server and Information Server you need to define the following SNC parameters:

SNC_MODE
    Description: The SNC flag that indicates whether the communication should use SNC protection.
    Value: 0 - Do not apply SNC to connections.
           1 - Apply SNC to connections.
SNC_MYNAME
    Description: Client SNC name (DataStage server SNC name), also referred to as the client Personal Security Environment (PSE) name.
    Value: A valid client SNC name, which is equal to the Distinguished Name (DN) of the client PSE.
SNC_PARTNERNAME
    Description: The communication partner's SNC name, i.e. the SAP server SNC PSE name.
    Value: A valid SAP server SNC name, which is equal to the Distinguished Name (DN) of the SAP server PSE.
SNC_QOP
    Description: The quality of protection level.
    Value: Enter one of the following values:
           1 - Apply authentication only.
           2 - Apply authentication and integrity protection.
           3 - Apply authentication, integrity, and privacy protection (encryption).
           8 - Apply global default protection (usually 3).
           9 - Apply the maximum protection.
SNC_LIB
    Description: The external security product's library.
    Value: The path and file name of the SAP Cryptographic Library.

When SNC is initialized, the system dynamically loads the functions provided by the external library. Afterwards, when two components communicate using SNC, the SNC layer first processes the messages being sent to SAP (for example, to apply encryption) and then sends them over the network using the SAP Network Interface. Upon receipt, the SAP System component decrypts the received messages using the external library functions in a similar manner.

For example, where the DataStage client PSE DN and the SAP server PSE DN are “p:CN= Test, O=IBM, C=US, OU=SAPPACK” and “p:CN=EC7, O=SAP, C=US, OU=SAP” respectively, the following SNC parameters establish a secure network communication with the maximum protection level between the DataStage and SAP servers:

a. SNC_MYNAME = p:CN=Test, O=IBM, C=US, OU=SAPPACK
b. SNC_PARTNERNAME= p:CN=EC7, O=SAP, C=US, OU=SAP
c. SNC_MODE= 1
d. SNC_QOP=9
e. SNC_LIB= C:\SNC\sapcrypto.dll


Possible Logins using SNC

SNC allows the following login connections:
1. Single Sign-On tickets (SSO tickets): This login type is not supported in the SAP Packs.

2. X.509 Certificate: Login with X.509 is based on SNC encryption only. This is supported in the Packs, and you need to provide a valid X.509 certificate. Currently the Packs support certificates with the .crt file extension only.

3. Single Sign On (SSO): Login with an SAP user only. This SAP user must be configured for SSO on the SAP server. With this login type you are not required to provide the SAP user password in the SAP Connection for DataStage.






Setting up SNC on the SAP Server

The following sections cover the installation and configuration of SNC on the SAP server.

Note: Appropriate SAP authorizations are required for carrying out these steps on the SAP server. Defining all these authorizations is outside the scope of this document. These steps are SAP administration tasks and are generally done by your BASIS team.



Install SAP Cryptographic Library

SAPCRYPTOLIB generally comes with the kernel; its availability is documented in the SAP Note for SAPCRYPTOLIB [1848999 - Central Note for CommonCryptoLib 8 (SAPCRYPTOLIB)].

You can verify whether SAPCRYPTOLIB is available by checking t-code “STRUST” in SAP GUI, as shown in the screenshot below:



It is recommended to update the kernel as per the above mentioned SAP Note to get SAPCRYPTOLIB.

If a kernel upgrade is not possible, you can follow these steps to download and install the SAP Cryptographic Library on the SAP server:

1. Extract the contents of the SAP Cryptographic Library installation package. The installation package is available for authorized customers on the SAP Service Marketplace at https://support.sap.com/swdc.


2. Copy the library file (sapcrypto.dll for Windows / libsapcrypto.so for Unix/Linux) and the configuration tool (sapgenpse.exe for Windows / sapgenpse for Unix/Linux) to the directory specified by the application server's profile parameter DIR_EXECUTABLE. The following examples show the directory with the notation $(DIR_EXECUTABLE).

Example:
Windows:
DIR_EXECUTABLE: <DRIVE>:\sapmnt\LI1\SYS\exe\uc\NTAMB64
Location of SAP Cryptographic Library: <DRIVE>:\sapmnt\LI1\SYS\exe\uc\NTAMB64\sapcrypto.dll

where “sapmnt” represents: \usr\sap\

Linux/Unix:
The path is similar to the Windows path above, e.g. “/usr/sap/LI1/SYS/exe”.

3. Check the file permissions for the SAP Cryptographic Library. Make sure that the user “<sid>adm” (or SAPService<SID> under Windows) has execute permission for the library.

4. Copy the ticket file to the sec subdirectory in the instance directory $(DIR_INSTANCE)
DIR_INSTANCE: <DRIVE>:\usr\sap\<SID>\<instance>
Location of the ticket: <DRIVE>:\usr\sap\<SID>\<instance>\sec\ticket

Note: SAP’s newer cryptographic library, CommonCryptoLib, does not require a ticket file. As a workaround you can use a dummy file named “ticket”.

5. Set the environment variable SECUDIR to the sec subdirectory.
for example:
SECUDIR: D:\usr\sap\PD1\DVEBMGS10\sec

The application server uses this variable to locate the ticket and its credentials at runtime. If you set the environment variable using the command line, the value may not be applied to the server's processes. Therefore, setting SECUDIR in the start-up profile for the server's user or in the registry is recommended.




Create Personal Security Environment (PSE) for SAP server

Follow the steps below to create the PSE for the SAP server:

1. Open the t-code STRUST




2. Select the SNC (SAPCryptolib) node and choose “Create PSE” from the context menu.
3. Enter all the required details for the Distinguished Name. A Distinguished Name is formed of elements that represent a hierarchical name space; these elements are:
CN = Common Name
OU = Organizational Unit
O = Organization
C = Country
4. Press Enter.
5. Some SAP systems ask you to set a password for the created PSE; you must assign it. Otherwise, select the created PSE in the “Certificate List” and set the password for it.
6. Save the settings.


Setting profile parameters for SNC on SAP Application Server

1. Use transaction RZ10 to maintain the profile parameters

2. Set the parameters listed in the table below in the instance profile file.

Parameter / Description / Value

1. snc/enable
   Description: Activates SNC on the application server.
   Value: 0: SNC is disabled
          1: SNC is activated
          Default value = 0

2. snc/gssapi_lib
   Description: The path and file name of the GSS-API V2 shared library, i.e. the path and file name where the SAP Cryptographic Library is located. You also need to maintain the corresponding environment variable on the SAP server: LD_LIBRARY_PATH (Unix, Solaris), LIBPATH (AIX), PATH (Windows).
   Value: Windows: C:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll
          Unix/Linux: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
          Note: File names up to 255 characters long are allowed.

3. snc/identity/as
   Description: The SNC name of the application server.
   Value: Syntax: p:<Distinguished_Name>. The Distinguished Name part must match the Distinguished Name that you specify when creating the SNC PSE. For example, p:CN=ABC,OU=Test,O=MyCompany,C=US

4. snc/data_protection/max
   Description: The maximum level of data protection for connections initiated by the SAP System.
   Value: 1: Authentication only
          2: Integrity protection
          3: Privacy protection
          Default value = 3

5. snc/data_protection/min
   Description: The minimum data protection level required for SNC communications.
   Value: 1: Authentication only
          2: Integrity protection
          3: Privacy protection
          Default value = 2

6. snc/data_protection/use
   Description: Default level of data protection for connections initiated by the SAP System.
   Value: 1: Authentication only
          2: Integrity protection
          3: Privacy protection
          9: Use the value from snc/data_protection/max
          Default value: 3

7. snc/accept_insecure_cpic
   Description: Determines whether unprotected incoming CPIC connections on an SNC-enabled application server are accepted.
   Value: 0: Reject unprotected connections
          1: Accept unprotected connections

8. snc/accept_insecure_gui
   Description: Determines whether logon attempts coming from the SAP interface that are not protected with SNC are accepted on an SNC-enabled application server.
   Value: 0: Reject SNC-based logons
          1: Accept logons with user ID and password
          Default value: 0

9. snc/accept_insecure_r3int_rfc
   Description: Determines whether unprotected internal RFC connections on an SNC-enabled application server are accepted.
   Value: 0: Reject unprotected internal RFCs
          1: Accept unprotected internal RFCs
          Default value: 1

10. snc/accept_insecure_rfc
   Description: Determines whether unprotected internal RFC connections on an SNC-enabled application server are accepted.
   Value: 0: Reject unprotected external RFCs
          1: Accept all unprotected RFCs (internal and external)
          Default value: 0

11. snc/permit_insecure_start
   Description: Permits the starting of programs without using SNC-protected communications, even when SNC is enabled.
   Value: 0: Start programs only with SNC-protected communication
          1: Start programs without SNC-protected communication
          Default value: 0

12. snc/extid_login_diag
   Description: Enable login with external identity (DIAG).
   Value: 0: do not accept
          1: allow
          Default value: 0

13. snc/extid_login_rfc
   Description: Enable login with external identity (DIAG) (for RFC Com
   Value: 0: do not accept
          1: allow
          Default value: 1

3. Save

4. Restart the SAP Application Server

Notes:

  • Alternatively, you can set these parameters in the instance profile file at operating system level. The instance profile is generally available in the following locations:
    Windows: <Drive>:\sapmnt\SID\SYS\profile
    Unix/Linux: /sapmnt/SID/SYS/profile
  • Setting the profile parameter snc/enable to 1 activates SNC on the application server. If this parameter is set but the SNC PSE does not exist, the application server will not start. Therefore, setting the SNC profile parameters should be the last step in the configuration procedure.
  • The table above shows only the most important parameters. They must be maintained in the same format as shown in the example file below.
  • For load balancing, where there can be multiple SAP Application Server instances, the profile parameters need to be set on each instance.
  • For more details, refer to the SAP user guide on Secured Network Communications: Profile Parameter Settings on AS ABAP.

Example: Below is the screenshot from the instance profile showing some of the above parameters
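The following script is added here as an example and is not part of IBM's or SAP's software. It parses an instance-profile excerpt in the "name = value" form described above and cross-checks it against the DataStage-side parameters from the section Defining Secured Network Communication: the partner SNC name must equal snc/identity/as, the requested SNC_QOP must satisfy snc/data_protection/min (assumed here to be enforced by the server), and any snc/accept_insecure_* or snc/permit_insecure_start flag at 1, including the default 1 of snc/accept_insecure_r3int_rfc, is reported. The profile text, parameter values and DN normalization are constructed assumptions for the example.

```python
# Offline consistency check of SAP SNC settings (constructed example, not IBM or
# SAP code): instance-profile snc/* parameters vs DataStage connection parameters.

# Constructed instance-profile excerpt, in the "name = value" profile format.
SAMPLE_PROFILE = """\
snc/enable = 1
snc/gssapi_lib = /usr/sap/EC7/SYS/exe/run/libsapcrypto.so
snc/identity/as = p:CN=EC7, O=SAP, C=US, OU=SAP
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 9
snc/accept_insecure_rfc = 1
"""
# Constructed DataStage-side parameters (see Defining Secured Network Communication).
SAMPLE_CLIENT = {"SNC_MODE": "1", "SNC_QOP": "3", "SNC_LIB": "/home/dsadm/sec/libsapcrypto.so",
                 "SNC_MYNAME": "p:CN= Test, O=IBM, C=US, OU=SAPPACK",
                 "SNC_PARTNERNAME": "p:CN=EC7,O=SAP,C=US,OU=SAP"}
# Flags that, at 1, let unprotected traffic through an SNC-enabled server, with the
# table's defaults (r3int_rfc defaults to 1, so it is reported even when unset).
INSECURE_FLAGS = {"snc/accept_insecure_cpic": None, "snc/accept_insecure_gui": "0",
                  "snc/accept_insecure_rfc": "0", "snc/accept_insecure_r3int_rfc": "1",
                  "snc/permit_insecure_start": "0"}


def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment; later lines win."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params


def canonical_dn(snc_name):
    """Normalize an SNC name for comparison: require the 'p:' prefix, drop
    whitespace around '=' and ',', upper-case the attribute types.
    Assumption: this normalization is ours, not SAP's canonical-name rule."""
    if not snc_name.startswith("p:"):
        raise ValueError(f"SNC name must start with 'p:': {snc_name!r}")
    rdns = [rdn.partition("=") for rdn in snc_name[2:].split(",")]
    return "p:" + ",".join(f"{a.strip().upper()}={v.strip()}" for a, _, v in rdns)


def check_profile(params):
    """Findings for the snc/* parameters of one instance profile."""
    if params.get("snc/enable", "0") != "1":
        return ["snc/enable is not 1: SNC is disabled on this instance"]
    findings = []
    if not params.get("snc/gssapi_lib"):
        findings.append("snc/gssapi_lib is required when snc/enable = 1")
    try:
        canonical_dn(params.get("snc/identity/as", ""))
    except ValueError as exc:
        findings.append(f"snc/identity/as invalid: {exc}")
    lo = int(params.get("snc/data_protection/min", "2"))  # defaults as in the table
    hi = int(params.get("snc/data_protection/max", "3"))
    use = int(params.get("snc/data_protection/use", "3"))
    use = hi if use == 9 else use  # 9 means "use the value from .../max"
    if not 1 <= lo <= use <= hi <= 3:
        findings.append(f"data_protection min/use/max = {lo}/{use}/{hi} is not ordered within 1..3")
    for flag, default in INSECURE_FLAGS.items():
        if params.get(flag, default) == "1":
            findings.append(f"{flag} = 1 allows traffic without SNC protection")
    return findings


def check_client(client, params):
    """Cross-check the DataStage SNC parameters against the server profile."""
    findings = []
    if client.get("SNC_MODE") != "1":
        findings.append("SNC_MODE is not 1: the connection will not use SNC")
    qop = client.get("SNC_QOP", "")
    if qop not in ("1", "2", "3", "8", "9"):
        findings.append(f"SNC_QOP {qop!r} is not one of 1, 2, 3, 8, 9")
    # Assumption: a requested level below snc/data_protection/min is refused.
    elif qop in ("1", "2", "3") and int(qop) < int(params.get("snc/data_protection/min", "2")):
        findings.append(f"SNC_QOP {qop} is below the server's snc/data_protection/min")
    dn = {}
    for key in ("SNC_MYNAME", "SNC_PARTNERNAME"):
        try:
            dn[key] = canonical_dn(client.get(key, ""))
        except ValueError as exc:
            findings.append(f"{key} invalid: {exc}")
    server = params.get("snc/identity/as", "")  # a bad value is reported by check_profile
    if server.startswith("p:") and dn.get("SNC_PARTNERNAME") != canonical_dn(server):
        findings.append("SNC_PARTNERNAME does not match the server's snc/identity/as")
    return findings


def run_checks(profile_text=SAMPLE_PROFILE, client=SAMPLE_CLIENT):
    params = parse_profile(profile_text)
    return check_profile(params) + check_client(client, params)
```

On the constructed sample, run_checks() reports only the two accept_insecure RFC flags; an empty list means the two sides are consistent.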





Setting Profile Parameters for SNC on the Gateway

To use SNC for securing connections that go through the gateway, for example when using a standalone gateway, you also need to set the appropriate parameters in the gateway profile. The gateway itself does not directly use the routines from the security product; however, it does supply the SNC configuration parameters to the programs that it starts.

The following profile parameters are relevant for the gateway settings:

Name / Description / Value

1. snc/enable
   Description: For a gateway to accept SNC-protected connections, you need to set the profile parameter snc/enable to the value 1. The gateway then knows that an SNC environment is in operation and opens a secure port for communication.
   Value: 0: SNC is disabled
          1: SNC is activated
          Default value = 0

2. snc/gssapi_lib
   Description: As with the application server, if snc/enable = 1, then the parameter snc/gssapi_lib must contain the path and file name of the external library. The gateway passes this information to the external programs that it starts.
   Value: Windows: C:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll
          Unix/Linux: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
          Note: File names up to 255 characters long are allowed.

3. snc/permit_insecure_start
   Description: If snc/enable = 1, then by default the gateway does not start or register any external programs without using SNC-protected communications. You can explicitly override this by setting the parameter snc/permit_insecure_start to the value 1. The gateway will then start or register programs even if SNC protection is not used for the communication. The parameter is only necessary if programs without SNC protection are to be started directly by, or registered on, the gateway.
   Value: 0: Start programs only with SNC-protected communication
          1: Start programs without SNC-protected communication
          Default value: 0

Notes:
  • If the gateway is started directly on an application server, it uses the application server's profile settings. In this case, the parameters snc/enable and snc/gssapi_lib are set in the application server's profile. For the gateway, you then only need to consider the parameter snc/permit_insecure_start
  • If a gateway is to be started independent of the application server (standalone gateway), then you need to consider all the above-mentioned parameters
  • For more details, you can refer to SAP provided documentation: Profile Parameter Settings on the Gateway



Export the SAP SNC Certificate for client

Export the SAP certificate from the application server; it must be imported on the client server (IIS). Follow the steps below to export the SAP certificate:

1. Log in to SAP GUI and open t-code STRUST.
2. Go to SNC (SAPCRYPTOLIB).
3. On some systems, you may need to switch to “Display <-> Change” mode.
4. Select the SAP own certificate (to be exported).
5. Click the Export button at the bottom of the page, provide the path, and save the certificate in “Base64” format.





Import a client PSE certificate

You need to import the client (Information Server) PSE certificate into the SAP Application Server. Generation of the client certificate in Information Server is covered in the section Export the Client Certificate of the newly created PSE.

Follow the steps below to import the client PSE certificate:
1. Log in to SAP GUI and open t-code STRUST.
2. Go to SNC (SAPCRYPTOLIB).
3. On some systems, you may need to switch to “Display <-> Change” mode.


4. Click the Import button at the bottom of the page.
5. Browse and select a valid client PSE certificate file. Select the file format “Base64”.
6. Click Add to Certificate List, then Save.




Configuring SAP User for Secured Network Connection

You need to configure the SAP user that the client uses to connect to the SAP server over Secured Network Connections. The following points describe the necessary settings/permissions for the SAP user:

1. Log in to SAP GUI and open t-code “SU01”.
2. In the User field, enter the SAP user name to which you want to grant permission to execute the SNC functions.



3. Click the Change icon. The Maintain User screen appears.
4. Click the SNC tab.
5. In the SNC name field, enter the client PSE Distinguished Name.
Example: p:CN=IIS,OU=SAPPACK,O=IBM,C=US


6. Click OK. A message appears stating that the canonical name is determined.
7. Save.


Additional SAP settings for X.509

Additionally, if you also want to configure the SAP user for an X.509 SNC connection, which allows the client to use SNC without an SAP user name and password, you need to make additional settings as described in the steps below:

1. Log in to SAP GUI and open t-code SM30.
2. Maintain the two tables VSNCSYSACL and VUSREXTID.
3. Maintaining table VSNCSYSACL
a. Open the table VSNCSYSACL for maintenance.


b. Choose external type work area



c. Choose New Entries



d. Enter the following data in the corresponding fields



System ID: Name of the SAP system
SNC Name: Distinguished Name associated with the client PSE
e. Save the data

4. Maintaining table VUSREXTID
a. Open the table VUSREXTID for maintenance



b. Choose the work area as “DN”



c. Choose New Entries



d. Enter the data in the corresponding fields as explained below:

User: SAP user that the client uses to connect to the SAP server.
Sequence Number: Enter the SAP client number.
SNC Name: DN associated with the client PSE. For example “p: CN=TEST,OU=DS,O=IBM,C=IN”
Activated: Select this option.



e. Save the data






Setting up SNC on the client (DataStage client/server tier)

For establishing a Secured Network Connection between the DataStage server and the SAP application server, it is essential to configure SNC both on SAP and on the Information Server components, i.e. the client and engine tier machines.

The following diagram briefly explains the different steps for configuring SNC on the Information Server:

The following sections of the document explain these steps in detail.


Downloading SAP Cryptographic Library and setting mandatory environment variables

You must have the SAP Cryptographic Library present on the Information Server component (client/server tier) to enable SNC communication with the SAP Application Server. Follow the steps below to download this library and set the required environment variables so that the library can be used with the application.

On Unix, it is recommended to include the environment variables in the dsenv configuration file (found in $DSHOME/DSEngine, e.g. /opt/IBM/InformationServer/Server/DSEngine). This ensures that the same settings are used during SNC configuration and at runtime. After editing dsenv, run (source) it before executing the sapgenpse utility mentioned below.

On Windows, set the environment variables at system level in Advanced System Settings, before executing sapgenpse.

1. Download the SAP Cryptographic Library (SAPCRYPTOLIB.SAR) from the SAP Service Marketplace at https://support.sap.com/swdc (available to authorized customers with a valid S-user ID) and extract it to a temporary directory. For the Windows platform, you must use the 32-bit library. For Unix/Linux, the bitness of the library should match the platform.

2. Copy the library (Windows: sapcrypto.dll; Unix/Linux: libsapcrypto.so) and the command line tool (Windows: sapgenpse.exe; Unix/Linux: sapgenpse) to a local directory on the IIS system.

Example

Windows: C:\usr\sap

Unix/Linux: You must login as the DS Admin user (e.g. dsadm) and can use the user's home folder (e.g. /home/dsadm).

3. Create the “sec” subfolder in the directory created at step 2:

Example

Windows: C:\usr\sap\sec

Unix/Linux: /home/dsadm/sec/

4. Set the environment variable SECUDIR to this directory:

Example

Windows: SECUDIR=C:\usr\sap\sec

Unix/Linux: SECUDIR=/home/dsadm/sec/

5. Set the environment variable SNC_LIB for the library file:

Example

Windows: SNC_LIB=C:\usr\sap\sec\sapcrypto.dll
Unix/Linux: SNC_LIB=/home/dsadm/sec/libsapcrypto.so

6. Modify system path variable for different OS as follows:
Windows: PATH=%PATH%;%SECUDIR%
Unix/Linux: PATH=$PATH:$SECUDIR

7. Modify the environment variable LD_LIBRARY_PATH or LIBPATH on Unix/Linux based machines:

Solaris, Linux: LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$SECUDIR

AIX: LIBPATH=$LIBPATH:$SECUDIR



Creating a SNC Personal Security Environment (PSE) for Information Server

Information Server must have a Personal Security Environment and an associated certificate, which is imported into the SAP Application Server to establish the SNC connection. You need to create and use the SAP-specific PSE generated by the sapgenpse tool provided with the SAP Cryptographic Library. With the generated PSE you can either create a self-signed certificate or obtain a certificate from a trusted Certification Authority (CA). The scope of this document is limited to explaining how to create a self-signed certificate.

Perform the following steps to create the SNC PSE for the Information Server:


Step 1 - Generate the PSE file

1. Start a command line console and change to the directory containing sapgenpse tool (e.g. directory where SAP cryptographic libraries are copied)

2. Create a PSE for DataStage by running the following command:

sapgenpse get_pse [-p <PSE_name>] [-x <PIN>] [DN]

where:

-p <PSE_name>: Path and file name for the client PSE

-x <PIN>: PIN that protects the PSE. (This PIN is the user-defined password for the client PSE and is requested every time the PSE is used.)

DN: Distinguished Name for the client PSE. The Distinguished Name is used to build the client SNC name. It consists of the following elements:

CN= <Common Name>

OU= <Organizational Unit>

O= <Organization>

C= <Country>

Example: sapgenpse get_pse -p test.pse -x passw0rd "CN=IIS,OU=SAPPACK,O=IBM,C=US"

As output of this command, the file test.pse is generated in the current directory.


Step 2 - Bind PSE with the OS user and create the cred_v2 file

Use the following command to bind the client PSE to the OS user that the Information Server client or server tier uses to design or run jobs respectively. During this operation a cred_v2 file is generated, which provides the RFC program running on the Information Server with active credentials for the PSE without it having to supply the PSE password.

sapgenpse seclogin [-p <PSE_name>] [-x <PIN>] [-O <OS-USER-ID>]

where:

-p <PSE_name>: Path and file name for the client PSE
-x <PIN>: PIN that protects the client PSE (PIN provided at the time of generating PSE)
-O <OS-USER-ID>: OS user for which the credentials are created (the user that runs the client service). If omitted, the currently logged-in user is used.

Note: You need to use the OS user that runs the Information Server client/server tier components. For example, for the engine tier hosted on a Unix/Linux based Information Server, use the OS user that is mapped to the IS suite user (used to run the jobs) in the Information Server Web Console under Domain Management > Engine Credentials. Any change to this OS user requires a re-run of this step for the client PSE.

Example: sapgenpse seclogin -p client.pse -x password -O dsadm

As output of this command, a cred_v2 file is generated in the current folder, which binds client.pse to dsadm.


Step 3 - Export the Client Certificate of the newly created PSE

You need to export the client PSE certificate (X.509 certificate) from the generated client PSE file. This certificate must be imported into the SAP Application Server to establish the SNC connection between Information Server and that SAP server. The same certificate file is also used as the X.509 certificate configured in the SAP Connection on the DataStage server, as explained in the section Defining the SNC connection in the Pack for SAP Applications. The Pack supports only certificates with the .crt file extension.

For exporting this certificate, you need to run the following command:

sapgenpse export_own_cert -o <output_file> -p <PSE_name> [-x <PIN>]

where:

-o <output_file>: File name for the exported certificate, with the .crt file extension.
-p <PSE_name>: Path and file name of the client PSE
-x <PIN>: PIN that protects the PSE

Example: sapgenpse export_own_cert -o client.crt -p client.pse -x passw0rd


Step 4 - Import the SAP Application Server Certificate to the Client PSE

You need to import the PSE certificate of the SAP Application Server into your client PSE to establish the SNC connection between the Information Server and the application server. If you need to establish SNC connections to multiple SAP servers from the Information Server, repeat these steps for each SAP server.

1. You must have exported the PSE certificate from the SAP Application Server. For exporting the PSE certificate, refer to the section Export the SAP SNC Certificate for client.

2. Copy the exported certificate to the Information Server system, into the directory referred to by the environment variable SECUDIR. For more details refer to the section Downloading SAP Cryptographic Library and setting mandatory environment variables.

3. On the client system, run the following command to import the exported certificate into the client PSE:

sapgenpse maintain_pk [-a <sap_cert_file>] -p <client_PSE_file_name> [-x <PIN>]

where:

-a <sap_cert_file>: Path and file name of the SAP Application Server PSE certificate (also referred to as the SAP AS ABAP's public certificate)

-p <client_PSE_file_name>: Path and file name for the client PSE file

-x <PIN>: PIN that protects the client PSE

Example: sapgenpse maintain_pk -a sap.crt -p client.pse






Importing the Client PSE (public) certificate into SAP Application Server PSE

After importing the SAP Application Server PSE certificate into the client PSE, you also need to maintain the client PSE information in the SAP Application Server so that the handshake succeeds when the SNC connection is established. Follow the steps below to do this.

1. Export the client PSE certificate from Information Server. For details refer to Export the Client Certificate of the newly created PSE.

2. Import the client PSE certificate into the SAP Application Server. For details refer to Import a client PSE certificate.




Validating the SAP AS PSE in the Client environment


Once you have imported the SAP Application Server PSE certificate into the client PSE, you can review the details of the SAP Application Server PSE in the client PSE by running the following command:

sapgenpse maintain_pk -l -p <client_PSE_file_name> [-x <PIN>]

where -p <client_PSE_file_name>: Client PSE name.

The above command generates a report in which you can verify the DNs of the SAP server PSEs that are imported into this client PSE.

Example

Let’s suppose client PSE name is “test.pse”. This client PSE is linked with two SAP servers with the SID: B75, SA1 having DN of PSE as: “CN=B75, OU=BASIS, OU=Bcone, O=SAP Trust Community, C=DE” and “CN=SA1, OU=I0020070395, OU=SAP Web AS, O=SAP Trust Community, C=DE” respectively.

Running the command “sapgenpse maintain_pk -v -l -p test.pse” will generate this response:




Defining the SNC connection in the Pack for SAP Applications

Finally, to use an SNC connection between the IIS Pack for SAP Applications and the SAP server, you need to define an SNC-enabled SAP connection for DataStage. This is done using DataStage Administrator for SAP as described below:

1. Open DS Administrator for SAP.
2. Select an existing SAP connection or create a new one.
3. Click Properties and go to the SNC settings page.

4. Enable SNC for the client and/or runtime connection:

a. To enable it for runtime, select “Enable SNC for run time”. Enabling the SNC connection for run time ensures that during job run time an SNC connection is established with the SAP server and all data is exchanged with SAP in encrypted form.

b. Similarly, to enable it for the client side, select “Enable SNC for GUI”. Enabling the SNC connection for the GUI/client side ensures that an SNC connection is established with SAP while designing jobs.

c. If the engine and client tiers are on the same machine, you can opt to "Use runtime SNC settings”. This ensures that the runtime SNC settings are used for the SAP connection on the client tier while designing jobs. You are not required to set the SNC settings for the GUI separately in such cases.

Note: If the engine and client tiers are on different machines, you need to configure SNC separately for each tier.

5. To create a connection with X.509, check Enable X.509 and provide the path to the client PSE certificate. Only certificate files with the .crt file extension are supported.

6. Provide the other SNC parameters: SNC Name, SNC Partner Name, SNC QOP, and SNC Library PATH. For more details, refer to the section Defining Secured Network Communication.

Example:

7. You need to enable SNC in the RFC Destination / Logical system to be used with DataStage. To do this, you must follow these steps:



Document information

More support for: InfoSphere Information Server
Pack for SAP Applications

Software version: 8.1

Operating system(s): AIX, Linux, Windows

Software edition: Edition Independent

Reference #: 2004893

Modified date: 24 May 2018

