IBM Support

Setting up SAP Secure Network Communications (SNC) and using it with Pack for SAP Applications and BW

Question & Answer


Question

How do I set up SNC for using with the SAP Packs?

Cause

Support for SNC was introduced across all connectors in these versions: Pack for SAP Applications 8.1.0.0 and Pack for SAP BW 4.4.0.0.
Previously, only the ABAP stage in the Pack for SAP Applications supported SNC.

Answer

The process of setting up an SNC connection involves several layers. Follow the links below to navigate to specific sections within the document.
 


Overview

Secure Network Communications (SNC) is a software layer in the SAP system architecture that provides an interface for connecting securely to an external product. SNC provides security at the application level, which means that a secure connection between the components of the SAP system (for example, between the SAP GUI and the SAP application server), and between the SAP system and third-party application software such as IBM InfoSphere Information Server, is guaranteed regardless of the communication link or transport medium. You therefore have a secure network connection between two SNC-enabled communication partners. This article describes how to configure SNC to secure communications between the SAP Application Server and the InfoSphere Information Server Packs for SAP Applications and BW.
 

Common Abbreviations & Terminology Used

Knowing the following terminology and abbreviations helps you understand this document:

SNC: Secured Network Communication
PSE: Personal Security Environment
Client: In the SNC context, the Information Server client / engine tiers
SAP AS: SAP Application Server
X.509: X.509 Certificate
SSO: Single Sign On
T-code: SAP Transaction Code
QoP: Quality of Protection
DN: Distinguished Name
IIS: IBM Information Server
SAP Server: A supported SAP system (ERP, NetWeaver or S/4HANA)


Levels of Security Protection

SNC provides three levels of security protection as mentioned below:

  1. Authentication only — When using the Authentication only protection level, the system verifies the identity of the communication partners. This is the minimum protection level offered by SNC.
  2. Integrity protection — When using Integrity protection, the system detects any changes or manipulation of the data, which might have occurred between the two end points of a communication.
  3. Privacy protection — When using Privacy protection, the system encrypts the messages being transferred to make eavesdropping useless. Privacy protection also includes integrity protection of the data. This is the maximum level of protection provided by SNC.


Defining Secured Network Communication

SNC protects the logical link between the end points of a communication. The link is initiated from one side (the initiator) and accepted by the other side (the acceptor). For example, when DataStage server starts a connection with SAP Application server, the DataStage Server becomes the initiator of the communication and the SAP Application server becomes the acceptor. Both sides of the communication link need to specify SNC options.

To use SNC between the SAP Server and Information Server, the following SNC parameters are defined (the DataStage component that uses SNC sets these automatically, based on the parameters specified by the user in DS Admin for SAP):

Name: SNC_MODE
Description: The SNC flag that indicates whether the communication should use SNC protection.
Value:
  0 - Do not apply SNC to connections.
  1 - Apply SNC to connections.

Name: SNC_MYNAME
Description: Client SNC name (DataStage Server SNC name). It is also referred to as the client Personal Security Environment (PSE) name.
Value: A valid client SNC name, which is equal to the Distinguished Name (DN) of the client PSE.

Name: SNC_PARTNERNAME
Description: The communication partner's SNC name, that is, the SAP server SNC PSE name.
Value: A valid SAP server SNC name, which is equal to the Distinguished Name (DN) of the SAP server PSE.

Name: SNC_QOP
Description: The quality of protection level.
Value: Enter one of the following values:
  1 - Apply authentication only.
  2 - Apply authentication and integrity protection.
  3 - Apply authentication, integrity, and privacy protection (encryption).
  8 - Apply global default protection (usually 3).
  9 - Apply the maximum protection.

Name: SNC_LIB
Description: The external security product's library.
Value: The path and file name of the SAP Cryptographic Library.

When SNC is initialized, the system dynamically loads the functions provided by the external library. Afterwards, when two components communicate by using SNC, the SNC layer first processes the messages being sent to SAP (for example, to apply encryption) and then sends them over the network by using the SAP Network Interface. Upon receipt, the SAP system component decrypts the received messages by using the external library functions in a similar manner.
For example, where the DataStage client PSE DN and the SAP server PSE DN are “p:CN=Test, O=IBM, C=US, OU=SAPPACK” and “p:CN=EC7, O=SAP, C=US, OU=SAP” respectively, the following SNC parameters are configured to establish a secure network communication with the maximum protection level between the DataStage and SAP servers:
a. SNC_MYNAME = p:CN=Test, O=IBM, C=US, OU=SAPPACK
b. SNC_PARTNERNAME = p:CN=EC7, O=SAP, C=US, OU=SAP
c. SNC_MODE = 1
d. SNC_QOP = 9
e. SNC_LIB = C:\SNC\sapcrypto.dll
 

Possible Logins by using SNC

SNC allows the following login connections:

  1. Single Sign-On tickets (SSO tickets): This login type is not supported in the SAP Packs.
  2. X.509 Certificate: Login with X.509 is based on SNC encryption only. This is supported in the Packs; you need to provide a valid X.509 certificate. Currently, the Packs support certificates with the .crt file extension only.
  3. Single Sign On (SSO): Log in only with the SAP user. This SAP user must be configured for SSO on the SAP server. With this login type you are not required to provide the SAP user password in the SAP Connection for DataStage.


Setting up SNC on the SAP Server

The following sections cover the installation and configuration of SNC on the SAP server.

Note: Appropriate SAP authorizations are required for carrying out these steps on the SAP server. Defining all the authorizations is outside the scope of this document. These steps are SAP administration tasks and are generally done by your BASIS team.


 
Install SAP Cryptographic Library

SAPCRYPTOLIB generally comes with the kernel. Its availability is documented in the SAP Note for SAPCRYPTOLIB [1848999 - Central Note for CommonCryptoLib 8 (SAPCRYPTOLIB)]. You can verify whether SAPCRYPTOLIB is available by checking T-code “STRUST” in SAP GUI, as shown in the following screen capture:


It is recommended to update the kernel as per the above-mentioned SAP Note to get SAPCRYPTOLIB. If a kernel upgrade is not possible, you can follow these steps to download and install the SAP Cryptographic Library on the SAP server:
1. Extract the contents of the SAP Cryptographic Library installation package. The installation package is available for authorized customers on the SAP Service Marketplace at https://support.sap.com/swdc .
2. Copy the library file (sapcrypto.dll for Windows / libsapcrypto.so for Unix/Linux) and the configuration tool (sapgenpse.exe for Windows / sapgenpse for Unix/Linux) to the directory specified by the application server's profile parameter DIR_EXECUTABLE. The following examples show the directory with the notation $(DIR_EXECUTABLE):
Windows:
DIR_EXECUTABLE: C:\usr\sap\LI1\SYS\exe\uc\NTAMB64
Location of SAP Cryptographic Library: C:\usr\sap\LI1\SYS\exe\uc\NTAMB64\sapcrypto.dll
Linux/Unix:
The path is similar to the Windows path above, for example “/usr/sap/LI1/SYS/exe”

3. Check the file permissions for the SAP Cryptographic Library. Make sure that user “<sid>adm” (or SAPService<SID> under Windows) has execute permission for the library.

4. Copy the ticket file to the sec subdirectory in the instance directory $(DIR_INSTANCE):
DIR_INSTANCE: <DRIVE>:\usr\sap\<SID>\<instance>
Location of the ticket: <DRIVE>:\usr\sap\<SID>\<instance>\sec\ticket
Note: SAP’s newer cryptographic library, CommonCryptoLib, does not require a ticket file. As a workaround you can use a dummy file named “ticket”.

5. Set the environment variable SECUDIR to the sec subdirectory. Example:
SECUDIR=C:\usr\sap\PD1\DVEBMGS10\sec

The application server uses this variable to locate the ticket and its credentials at run time. If you set the environment variable by using the command line, the value might not be applied to the server's processes. Therefore, setting SECUDIR in the start-up profile for the server's user or in the registry is recommended.


 

Create Personal Security Environment (PSE) for SAP server

You need to follow these steps to create the PSE for the SAP Server:
1. Open t-code STRUST:


2. Select the SNC (SAPCryptolib) node and choose “Create PSE” from the context menu.
3. Enter all the required details for the Distinguished Name. A Distinguished Name is formed of elements that represent a hierarchical name space; these elements are:
CN = Common Name
OU = Organizational Unit
O = Organization
C = Country
4. Press Enter
5. Some SAP systems ask you to set a password for the created PSE; you must assign it. Otherwise, select the created PSE in the “Certificate List” and set the password for it.
6. Save the settings


Setting profile parameters for SNC on SAP Application Server

  1. Use transaction RZ10 to maintain the profile parameters
  2. Set the parameters listed below in the instance profile

Parameter: snc/enable
Description: Activates SNC on the application server.
Values:
  0: SNC is disabled
  1: SNC is activated
  Default Value = 0

Parameter: snc/gssapi_lib
Description: The path and file name of the GSS-API V2 shared library, that is, the path and file name where the SAP Cryptographic Library is located. You also need to maintain the corresponding environment variable on the SAP server:
  LD_LIBRARY_PATH (Unix, Solaris)
  LIBPATH (AIX)
  PATH (Windows)
Values:
  Windows: C:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll
  Unix/Linux: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
  Note: File names up to 255 characters long are allowed

Parameter: snc/identity/as
Description: The SNC name of the application server.
Values: Syntax: p:<Distinguished_Name>. The Distinguished Name part must match the Distinguished Name that you specify when creating the SNC PSE. For example, p:CN=ABC,OU=Test,O=MyCompany,C=US

Parameter: snc/data_protection/max
Description: The maximum level of data protection for connections initiated by the SAP System.
Values:
  1: Authentication only
  2: Integrity protection
  3: Privacy protection
  Default Value = 3

Parameter: snc/data_protection/min
Description: The minimum data protection level required for SNC communications.
Values:
  1: Authentication only
  2: Integrity protection
  3: Privacy protection
  Default Value = 2

Parameter: snc/data_protection/use
Description: Default level of data protection for connections initiated by the SAP System.
Values:
  1: Authentication only
  2: Integrity protection
  3: Privacy protection
  9: Use the value from snc/data_protection/max
  Default Value = 3

Parameter: snc/accept_insecure_cpic
Description: Determines whether unprotected incoming CPIC connections on an SNC-enabled application server will be accepted or not.
Values:
  0: Reject unprotected connections
  1: Accept unprotected connections

Parameter: snc/accept_insecure_gui
Description: Determines whether a logon attempt coming from the SAP interface that is not protected with SNC on an SNC-enabled application server will be accepted or not.
Values:
  0: Reject logons that are not protected with SNC
  1: Accept logons with user ID and password
  Default Value = 0

Parameter: snc/accept_insecure_r3int_rfc
Description: Determines whether unprotected internal RFC connections on an SNC-enabled application server will be accepted or not.
Values:
  0: Reject unprotected internal RFCs
  1: Accept unprotected internal RFCs
  Default Value = 1

Parameter: snc/accept_insecure_rfc
Description: Determines whether unprotected RFC connections on an SNC-enabled application server will be accepted or not.
Values:
  0: Reject unprotected external RFCs
  1: Accept all unprotected RFCs (internal and external)
  Default Value = 0

Parameter: snc/permit_insecure_start
Description: Permits the starting of programs without using SNC-protected communications, even when SNC is enabled.
Values:
  0: Start programs only with SNC-protected communication
  1: Start programs without SNC-protected communication
  Default Value = 0

Parameter: snc/extid_login_diag
Description: Enable login with an external identity (DIAG).
Values:
  0: Do not accept
  1: Allow
  Default Value = 0

Parameter: snc/extid_login_rfc
Description: Enable login with an external identity for RFC communication.
Values:
  0: Do not accept
  1: Allow
  Default Value = 1

3. Save

4. Restart the SAP Application Server

Notes:

  • Alternatively, you can set these parameters in the instance profile file at operating system level. The instance profile is generally available in the following locations:
    Windows: <Drive>:\sapmnt\<SID>\SYS\profile
    Unix/Linux: /sapmnt/<SID>/SYS/profile
  • Setting the profile parameter snc/enable to 1 activates SNC on the application server. If this parameter is set but the SNC PSE does not exist, then the application server will not start. Therefore, setting the SNC profile parameters should be the last step in the configuration procedure.
  • The list above shows only the most important parameters. These must be maintained in the same format as shown in the example file below.
  • For load-balancing cases, where there can be multiple SAP Application Server instances, the profile parameters need to be set on each instance.
  • For more details, refer to the SAP user guide on Secure Network Communications: Profile Parameter Settings on AS ABAP
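The following shell script is an added example, not part of the IBM document or of any SAP tool. It reads an instance profile in the "parameter = value" format described above and reports which of the SNC parameters from the list still admit unprotected traffic: snc/enable not set to 1, no library or identity configured, snc/data_protection/min below 3, and any of the accept_insecure_* or permit_insecure_start switches effectively at 1 (the defaults from the list are applied when a parameter is absent). The profile text it writes is constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the IBM document or any SAP tool: a read-only audit
# of the SNC parameters in an AS ABAP instance profile that flags the settings
# from the list above which leave unprotected connections accepted. The profile
# text below is constructed; real profiles live under /sapmnt/<SID>/SYS/profile.

# profile_get FILE PARAMETER: print the parameter's value ("key = value" lines,
# "#" comment lines ignored, last assignment wins); prints nothing when absent.
profile_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        index($0, "=") {
            k = $0; sub(/[[:space:]]*=.*/, "", k); sub(/^[[:space:]]+/, "", k)
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# audit_snc_profile FILE: print one line per finding; the return value is the
# number of findings (0 means nothing to report).
audit_snc_profile() {
    f="$1"; n=0

    v=$(profile_get "$f" snc/enable)
    if [ "$v" != "1" ]; then
        echo "ERROR snc/enable: SNC is not activated (value '${v:-unset}')"; n=$((n+1))
    fi

    v=$(profile_get "$f" snc/gssapi_lib)
    if [ -z "$v" ]; then
        echo "ERROR snc/gssapi_lib: no SNC library configured"; n=$((n+1))
    fi

    v=$(profile_get "$f" snc/identity/as)
    case "$v" in
        p:*CN=*) ;;
        *) echo "ERROR snc/identity/as: expected p:<Distinguished Name> (value '${v:-unset}')"; n=$((n+1)) ;;
    esac

    # snc/data_protection/min defaults to 2 (integrity only) per the list above.
    v=$(profile_get "$f" snc/data_protection/min)
    if [ "${v:-2}" != "3" ]; then
        echo "WARN snc/data_protection/min: ${v:-2} admits connections without privacy protection (no encryption)"; n=$((n+1))
    fi

    # Switches that admit unprotected traffic; only accept_insecure_r3int_rfc defaults to 1.
    for p in accept_insecure_cpic accept_insecure_gui accept_insecure_rfc accept_insecure_r3int_rfc permit_insecure_start; do
        v=$(profile_get "$f" "snc/$p")
        if [ "$p" = accept_insecure_r3int_rfc ]; then dflt=1; else dflt=0; fi
        if [ -n "$v" ]; then src=explicit; else src=default; fi
        if [ "${v:-$dflt}" = "1" ]; then
            echo "WARN snc/$p: unprotected connections or program starts are accepted (value ${v:-$dflt}, $src)"; n=$((n+1))
        fi
    done
    return $n
}

# Constructed instance profile excerpt used for the demonstration.
write_sample_profile() {
    cat > "$1" <<'EOF'
# constructed example profile (not from a real system)
SAPSYSTEMNAME = PD1
snc/enable = 1
snc/gssapi_lib = $(DIR_EXECUTABLE)/libsapcrypto.so
snc/identity/as = p:CN=PD1, OU=BASIS, O=MyCompany, C=US
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 0
snc/accept_insecure_rfc = 0
snc/permit_insecure_start = 0
EOF
}

f=$(mktemp)
write_sample_profile "$f"
audit_snc_profile "$f" || echo "findings: $?"
rm -f "$f"
```

On the constructed profile the audit reports three findings: the minimum protection level of 2, the explicit snc/accept_insecure_gui = 1, and snc/accept_insecure_r3int_rfc, which is absent and therefore takes its default of 1. Run it against a copy of the real profile after the RZ10 changes and before the restart, so that a missing identity is caught before it prevents the server from starting.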


Example: The following is a screen capture from the instance profile showing some of the above parameters:


Setting Profile Parameters for SNC on the Gateway

To use SNC for securing connections that go through the gateway, for example when using a stand-alone gateway, you also need to set the appropriate parameters in the gateway profile. The gateway itself does not directly use the routines from the security product; however, it does supply the SNC configuration parameters to the programs that it starts.

The following profile parameters are relevant for the gateway settings:

Parameter: snc/enable
Description: For a gateway to accept SNC-protected connections, you need to set the profile parameter snc/enable to the value 1. The gateway then knows that an SNC environment is in operation and opens a secure port for communication.
Values:
  0: SNC is disabled
  1: SNC is activated
  Default Value = 0

Parameter: snc/gssapi_lib
Description: As with the application server, if snc/enable = 1, then the parameter snc/gssapi_lib must contain the path and file name of the external library. The gateway passes this information to the external programs that it starts.
Values:
  Windows: C:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll
  Unix/Linux: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
  Note: File names up to 255 characters long are allowed

Parameter: snc/permit_insecure_start
Description: If snc/enable = 1, then by default the gateway does not start or register any external programs without using SNC-protected communications. You can explicitly override this behaviour by setting the parameter snc/permit_insecure_start to the value 1. The gateway will then start or register programs even if SNC protection is not used for the communication. The parameter is only necessary if programs without SNC protection are to be directly started by or registered on the gateway.
Values:
  0: Start programs only with SNC-protected communication
  1: Start programs without SNC-protected communication
  Default Value = 0


Notes:

  • If the gateway is started directly on an application server, it uses the application server's profile settings. In this case, the parameters snc/enable and snc/gssapi_lib are set in the application server's profile. For the gateway, you then only need to consider the parameter snc/permit_insecure_start
  • If a gateway is to be started independently of the application server (stand-alone gateway), then you need to consider all the above-mentioned parameters
  • For more details, refer to the SAP documentation: Profile Parameter Settings on the Gateway


Export the SAP SNC Certificate for client

Export the SAP certificate from the application server; it must later be imported on the client/server (IIS). Follow these steps to export the SAP certificate:

1. Log in to SAP GUI and open t-code STRUST
2. Go to SNC (SAPCRYPTOLIB)
3. In some systems, you might have to switch from “Display” to “Change” mode to enable exporting of the certificate
4. Select the SAP Own certificate (to be exported) by double-clicking the certificate name
5. Click the Export button at the bottom of the page, provide the path, and save the certificate in “Base64” format



 
Import a client PSE certificate

You need to import the client (Information Server) PSE certificate into the SAP Application Server. Generation of the client certificate in Information Server is covered in Step 3 - Export the Client Certificate of the newly created PSE, in section Creating an SNC Personal Security Environment (PSE) for Information Server.

Follow these steps to import the client PSE certificate:
1. Log in to SAP GUI and open t-code STRUST
2. Go to SNC (SAPCRYPTOLIB)
3. In some systems, you might need to switch from “Display” to “Change” mode


4. Click the Import button at the bottom of the page
5. Browse and select the client PSE certificate file. Select the file format “Base64”
6. Click Add to Certificate List, then Save

 
 

Configuring SAP User for Secured Network Connection

You need to configure the SAP user that the client uses to connect to the SAP server by using Secured Network Connections. The following points describe the necessary settings and permissions for the SAP user.

1. Log in to SAP GUI and open t-code “SU01”
2. In the User field, enter the SAP user name to which you want to grant permission to execute the SNC functions



3. Click the Change icon. The Maintain User screen appears
4. Click the SNC tab.
5. In the SNC name field, enter the client PSE Distinguished Name prefixed by "p:" as in the example below. Note that after saving, SAP might or might not display the "p:".
Example: p:CN=IIS,OU=SAPPACK,O=IBM,C=US


6. Click OK. A message appears stating that the canonical name is determined
7. Save
 

Additional SAP settings for X.509

Additionally, if you also want to configure the SAP user for an X.509 SNC connection, which allows the client to use SNC without a SAP user name and password, you need to make further settings as described in the following steps:

1. Log in to SAP GUI and open t-code SM30
2. Maintain the two tables VSNCSYSACL and VUSREXTID
3. Maintaining table VSNCSYSACL
a. Open the table VSNCSYSACL for maintenance


b. Choose external type work area



c. Choose New Entries



d. Enter the following data in the corresponding fields
System ID: Name of the SAP system
SNC Name: Distinguished Name associated with the client PSE


e. Save the data

4. Maintaining table VUSREXTID
a. Open the table VUSREXTID for maintenance


b. Choose the work area as “DN”


c. Choose New Entries



d. Enter the data in the corresponding fields as explained below:
User: SAP user that the client uses to connect to the SAP server.
Sequence Number: Enter the SAP client number.
SNC Name: DN associated with the client PSE. For example, “p:CN=TEST,OU=DS,O=IBM,C=IN”
Activated: Select this option


e. Save the data

Note (applicable for SAP JCo 3.1.3 and higher versions): For Single Sign On (SSO) login, the entry must be removed from the VUSREXTID table. An entry in the VUSREXTID table causes a connection failure with the error "CALL_FUNCTION_SIGNON_INCOMPL".
 


Setting up SNC on the client (DataStage client/server tier)

To establish a Secured Network Connection between the DataStage server and the SAP application server, SNC must be configured both on SAP and on the Information Server components, that is, the client and engine tier machines.

The following diagram briefly explains the different steps for configuring SNC on the Information Server:

The following sections of the document explain these steps in detail.

Downloading SAP Cryptographic Library and setting mandatory environment variables

The SAP Cryptographic Library must be present on the Information Server component (client/server tier) to enable SNC communication with the SAP Application Server. Follow the steps below to download this library and set the required environment variables so that the library can be used by the application.

On Unix, it's recommended to include the environment variables in the dsenv configuration file (found in $DSHOME/DSEngine, for example,  /opt/IBM/InformationServer/Server/DSEngine). This ensures the same setting is used during SNC configuration and runtime. After editing dsenv, run it before executing the sapgenpse utility mentioned below.

On Windows, set the environment variables at system level in Advanced System Settings before executing sapgenpse.

For IBM Cloud Pak for Data 3.5, it's recommended to include the environment variables in the dsenv configuration file on the conductor pod, that is, is-en-conductor-0 (found in $DSHOME/DSEngine, for example, /opt/IBM/InformationServer/Server/DSEngine). This ensures the same setting is used during SNC configuration and runtime. After editing dsenv, run it before executing the sapgenpse utility mentioned below.

After updating dsenv or system variables, restart Datastage on the tier where you'll be using SNC (Engine or Client).

Steps:
1. Download the SAP Cryptographic Library (SAPCRYPTOLIB.SAR) from the SAP Service Marketplace at https://support.sap.com/swdc (available to authorized customers with a valid S-user ID) and extract it to a temporary directory. For the Windows platform, you must use the 32-bit library. For Unix/Linux, the bitness of the library should match the platform.
Search for SAPCRYPTOLIB in Downloads (under Installation and Upgrades).
Select your platform in the drop-down, then from the results select the highest patch level available (example below).

(Screen capture omitted)

2. Copy the library (Windows: sapcrypto.dll; Unix/Linux: libsapcrypto.so) and the command-line tool (Windows: sapgenpse.exe; Unix/Linux: sapgenpse) to a local directory on the IIS system. Example:
Windows: C:\usr\sap\sec
Unix/Linux: You must log in as the DS Admin user (for example, dsadm) and can use the user's home folder; create a dedicated subfolder (for example, /home/dsadm/sec).

3. Set the environment variable SECUDIR to this directory. Example:
Windows: SECUDIR=C:\usr\sap\sec
Unix/Linux: SECUDIR=/home/dsadm/sec/

4. Set the environment variable SNC_LIB for the library file. Example:
Windows: SNC_LIB=C:\usr\sap\sec\sapcrypto.dll
Unix/Linux: SNC_LIB=/home/dsadm/sec/libsapcrypto.so

5. Modify system path variable for different OS as follows:
Windows: PATH=%PATH%;%SECUDIR%
Unix/Linux: PATH=$PATH:$SECUDIR

6. For Unix machines, modify environment variable LD_LIBRARY_PATH (Linux, Solaris) or LIBPATH (AIX)
Linux, Solaris: LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$SECUDIR
AIX: LIBPATH=$LIBPATH:$SECUDIR
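The following shell script is an added example, not from the IBM document. It gathers steps 3 to 6 above for a Linux/Solaris engine tier into one function, written so that its body can be pasted into $DSHOME/dsenv as plain assignments, and adds a check to run before sapgenpse: SECUDIR exists, SNC_LIB is readable, SECUDIR is on PATH and LD_LIBRARY_PATH, sapgenpse resolves, and an existing cred_v2 file (which later grants PSE access without the PIN) is not readable by group or others. The default directory is the document's example for user dsadm; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the IBM document: the SNC environment block for a
# Linux/Solaris engine tier (steps 3 to 6 above) wrapped in a function so it
# can be re-applied, and a check run before sapgenpse is used. In dsenv itself
# the assignments inside snc_env_setup are used as plain lines. The default
# directory is the document's example for user dsadm.

# snc_env_setup [DIR]: steps 3 to 6 for Linux/Solaris (AIX uses LIBPATH instead).
snc_env_setup() {
    SECUDIR="${1:-/home/dsadm/sec}"
    SNC_LIB="$SECUDIR/libsapcrypto.so"
    PATH="$PATH:$SECUDIR"
    LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$SECUDIR"
    export SECUDIR SNC_LIB PATH LD_LIBRARY_PATH
}

# snc_check_env: verify the current shell can run sapgenpse and load the library.
# Returns 0 when every prerequisite holds, 1 otherwise (each gap is printed).
snc_check_env() {
    rc=0
    if [ ! -d "${SECUDIR:-}" ]; then
        echo "SECUDIR is not a directory: '${SECUDIR:-unset}'"; rc=1
    fi
    if [ ! -r "${SNC_LIB:-}" ]; then
        echo "SNC_LIB is not readable: '${SNC_LIB:-unset}'"; rc=1
    fi
    case ":$PATH:" in
        *":${SECUDIR:-}:"*) ;;
        *) echo "SECUDIR is not on PATH"; rc=1 ;;
    esac
    case ":${LD_LIBRARY_PATH:-}:" in
        *":${SECUDIR:-}:"*) ;;
        *) echo "SECUDIR is not on LD_LIBRARY_PATH"; rc=1 ;;
    esac
    if ! command -v sapgenpse >/dev/null 2>&1; then
        echo "sapgenpse not found on PATH"; rc=1
    fi
    # cred_v2 (created by 'sapgenpse seclogin') opens the PSE without its PIN,
    # so it must not be readable by group or others.
    if [ -f "${SECUDIR:-}/cred_v2" ]; then
        perm=$(ls -ld "$SECUDIR/cred_v2" | cut -c5-10)
        if [ "$perm" != "------" ]; then
            echo "cred_v2 is accessible to group/others (mode bits '$perm'); restrict it to the owner"; rc=1
        fi
    fi
    return $rc
}

snc_env_setup
snc_check_env && echo "SNC environment ready for sapgenpse"
```

The PATH and LD_LIBRARY_PATH checks split the variables on ":" and look for SECUDIR as a whole entry, so a directory that merely shares a prefix with SECUDIR does not pass. Run the check in the same shell that will later execute sapgenpse, because the document's point about dsenv is precisely that the configuration-time and run-time environments must agree.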

Creating an SNC Personal Security Environment (PSE) for Information Server

Information Server must have a Personal Security Environment and an associated certificate, which is imported into the SAP Application Server to establish the SNC connection. You need to create and use the SAP-specific PSE generated by the sapgenpse tool provided with the SAP Cryptographic Library. Using the generated PSE, you can either create a self-signed certificate or obtain a certificate from a trusted Certification Authority (CA). The scope of this document is limited to explaining how to create a self-signed certificate.

You need to perform these steps to create SNC PSE for the Information Server:

Step 1 - Generate the PSE file

1. Run dsenv (where you previously defined the SNC environment variables):
. $DSHOME/dsenv

2. Start a command-line console and change to the directory containing the sapgenpse tool (for example, the directory to which the SAP cryptographic libraries were copied)

3. Create a PSE for DataStage by running the following command:
sapgenpse get_pse [-p <PSE_name>] [-x <PIN>] [DN]
where:
-p <PSE_name>: Path and file name for the client PSE
-x <PIN>: PIN that protects the PSE. (This PIN is the user-defined password for the client PSE and is asked for every time the PSE is used)
DN: Distinguished Name for the client PSE. The Distinguished Name is used to build the client SNC name. It consists of the following elements:
CN= <Common Name>
OU= <Organizational Unit>
O= <Organization>
C= <Country>
Example: sapgenpse get_pse -p client.pse -x passw0rd "CN=IIS,OU=SAPPACK,O=IBM,C=US"

As an output of this command, file client.pse is generated in the $SECUDIR folder.


Step 2 - Bind PSE with the OS user and create the cred_v2 file

Use the following command to bind the client PSE to the OS user that the Information Server client or server tier uses to design or run the jobs, respectively. During this operation a cred_v2 file is generated, which gives the RFC program running on Information Server access to the PSE without providing the PSE password.
sapgenpse seclogin [-p <PSE_name>] [-x <PIN>] [-O <OS-USER-ID>]
where:
-p <PSE_name>: Path and file name for the client PSE
-x <PIN>: PIN that protects the client PSE (the PIN provided when generating the PSE)
-O <OS-USER-ID>: OS user for which the credentials are created (the user that runs the client service). If omitted, the currently logged-in user is used.
Example: sapgenpse seclogin -p client.pse -x password -O dsadm

As an output of this command, a cred_v2 file is generated in the $SECUDIR folder that binds client.pse to dsadm.

Note: You need to use the OS user that runs the Information Server client/server tier components. For example, for an engine tier hosted on a Unix/Linux-based Information Server, use the OS user that is mapped to the IS suite user (used to run the jobs) in the Information Server Web console under Domain Management > Engine Credentials. Any change of this OS user requires this step to be rerun for the client PSE. See here for details on how to determine this user.


Step 3 - Export the Client Certificate of the newly created PSE

You need to export the client PSE certificate (X.509 certificate) from the generated client PSE file. This certificate must be imported into the SAP Application Server to establish the SNC connection between Information Server and that SAP server. The same certificate file is also used as the X.509 certificate configured in the SAP Connection on the DataStage server, as explained in section Defining the SNC connection in the Pack for SAP Applications. The Pack supports only certificates with the .crt file extension.
To export this certificate, run the following command:
sapgenpse export_own_cert -o <output_file> -p <PSE_name> [-x <PIN>]
where:
-o <output_file>: File name for the exported certificate, with the .crt file extension.
-p <PSE_name>: Path and file name for the client PSE
-x <PIN>: PIN that protects the PSE
Example: sapgenpse export_own_cert -o client.crt -p client.pse -x passw0rd

To check the .crt certificate created, use the openssl command (if available for your platform); it should display the serial number and public key:
openssl x509 -in client.crt -text -noout

(Screen capture omitted)


Step 4 - Import the SAP Application Server Certificate to the Client PSE

You need to import the PSE certificate of the SAP Application Server into your client PSE to establish the SNC connection between Information Server and the SAP Application Server. If you need to establish SNC connections from Information Server to multiple SAP servers, repeat this step for each SAP server.

1. You must have exported the PSE certificate from the SAP Application Server. For exporting the PSE certificate, refer to section Export the SAP SNC Certificate for client

2. Copy the exported certificate to the Information Server system, into the directory referred to by the environment variable SECUDIR. For more details, refer to section Downloading SAP Cryptographic Library and setting mandatory environment variables

3. On the client system, run the following command to import the exported certificate into the client PSE. You should get the confirmation “PKList updated (1 entries total, 1 newly added)”
sapgenpse maintain_pk [-a <sap_cert_file>] -p <client_PSE_file_name> [-x <PIN>]
where:
-a <sap_cert_file>: Path and file name of the SAP Application Server PSE certificate (also referred to as the SAP AS ABAP public certificate)
-p <client_PSE_file_name>: Path and file name of the client PSE file
-x <PIN>: PIN that protects the client PSE
Example: sapgenpse maintain_pk -a sap.crt -p client.pse -x password
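The following shell script is an added example, not IBM's or SAP's code. It runs Steps 1 to 4 above as one sequence and adds the check a practitioner wants at the end: that the subject of the certificate exported in Step 3 is the same Distinguished Name the Pack will later send as SNC_MYNAME, with the spelling differences between the tools normalised (openssl prints "CN = IIS, OU = SAPPACK" with blanks, STRUST and DS Administrator write "CN=IIS,OU=SAPPACK", and the SNC name carries the "p:" prefix). sapgenpse and openssl are only invoked when they are on PATH, so the DN helpers can be exercised on any machine. The PSE name, DN and PIN are the document's example values; sap.crt is assumed to be the certificate exported from STRUST, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not IBM's or SAP's code: Steps 1 to 4 above as one script, plus
# a check that the certificate exported in Step 3 carries the Distinguished Name
# the Pack will send as SNC_MYNAME. sapgenpse and openssl run only when present.
# Names, PIN and file names are the document's examples; sap.crt is assumed to
# be the STRUST export.

# dn_canon DN: canonical spelling of a Distinguished Name: no "p:" prefix and no
# blanks around "," or "=", so openssl's "CN = IIS, OU = SAPPACK" and the
# STRUST/DS Administrator form "CN=IIS,OU=SAPPACK" compare equal.
dn_canon() {
    printf '%s\n' "$1" | sed -e 's/^p:[[:space:]]*//' \
                             -e 's/[[:space:]]*,[[:space:]]*/,/g' \
                             -e 's/[[:space:]]*=[[:space:]]*/=/g'
}

# dn_equal DN1 DN2: succeeds when both name the same subject (order-sensitive).
dn_equal() { [ "$(dn_canon "$1")" = "$(dn_canon "$2")" ]; }

# cert_subject FILE: subject DN of a PEM certificate in canonical form; fails
# when openssl is absent. Handles "CN = X, O = Y" and the older "/CN=X/O=Y" output.
cert_subject() {
    command -v openssl >/dev/null 2>&1 || return 1
    s=$(openssl x509 -in "$1" -noout -subject) || return 1
    s="${s#subject=}"; s="${s# }"
    case "$s" in
        /*) s=$(printf '%s\n' "${s#/}" | sed 's#/#,#g') ;;
    esac
    dn_canon "$s"
}

PSE="${PSE:-client.pse}"
PIN="${PIN:-passw0rd}"            # the document's example PIN; set PIN in the environment for real use
DN="CN=IIS,OU=SAPPACK,O=IBM,C=US"
SNC_MYNAME="p:$DN"

# Steps 1 to 4 for the current OS user. $SECUDIR must already point at the
# directory holding the library. Omitting -x makes sapgenpse prompt for the PIN
# instead of exposing it in the process list.
snc_build_client_pse() {
    command -v sapgenpse >/dev/null 2>&1 || { echo "sapgenpse not on PATH; nothing done"; return 2; }
    sapgenpse get_pse -p "$PSE" -x "$PIN" "$DN"                 || return 1   # Step 1
    sapgenpse seclogin -p "$PSE" -x "$PIN" -O "$(id -un)"       || return 1   # Step 2: cred_v2
    sapgenpse export_own_cert -o client.crt -p "$PSE" -x "$PIN" || return 1   # Step 3
    if [ -r sap.crt ]; then                                                   # Step 4
        sapgenpse maintain_pk -a sap.crt -p "$PSE" -x "$PIN" || return 1
    else
        echo "sap.crt not found; import the STRUST export later with maintain_pk"
    fi
    if subj=$(cert_subject client.crt); then
        if dn_equal "$subj" "$SNC_MYNAME"; then
            echo "client.crt subject matches SNC_MYNAME ($SNC_MYNAME)"
        else
            echo "client.crt subject '$subj' differs from SNC_MYNAME '$SNC_MYNAME'"; return 1
        fi
    fi
}

snc_build_client_pse || echo "exit status $?"
```

The DN comparison is deliberately order-sensitive: the SNC name entered in SU01 and in DS Administrator has to match the PSE's Distinguished Name component by component, and a reordered DN is a different name to SNC even though it describes the same organisation.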

Importing the Client PSE (public) certificate into SAP Application Server PSE

After importing the SAP Application Server PSE certificate into client PSE, you also need to maintain the PSE information in the SAP Application server for proper handshaking while establishing SNC connection. Steps:
1. Export the client PSE certificate from Information Server. For details refer to Export the Client Certificate of the newly created PSE
2. Import the client PSE certificate into SAP Application server. For details refer to Import a client PSE certificate generated from client


Validating the SAP AS PSE in the Client environment

Once you have imported the SAP Application Server PSE certificate into the client PSE, you can review the details of the SAP Application Server PSE in the client PSE by running the following command:
sapgenpse maintain_pk -v -l -p <client_PSE_file_name> [-x <PIN>]
where -p <client_PSE_file_name>: Client PSE name.
Example
Let’s suppose client PSE name is “client.pse”. This client PSE is linked with two SAP servers with the SID: B75, SA1 having DN of PSE as: “CN=B75, OU=BASIS, OU=Bcone, O=SAP Trust Community, C=DE” and “CN=SA1, OU=I0020070395, OU=SAP Web AS, O=SAP Trust Community, C=DE” respectively.

The command generates a report where you can verify the DN of the SAP Server’s PSE that is imported into this client.
Running the command “sapgenpse maintain_pk -v -l -p client.pse” will generate this response:


Defining the SNC connection in the Pack for SAP Applications or BW

Finally, to use SNC Connection between the Pack for SAP and SAP Server, you need to define SNC enabled SAP connection for DataStage. This is done by using DataStage Administrator for SAP as described below:

  1. Open DS Administrator for SAP
  2. Select or create a new SAP connection
  3. Click Properties and go to the SNC settings page
  4. Enable SNC for the client and/or runtime connection
    a. To enable it for runtime, select “Enable SNC for run time”. Enabling SNC for run time ensures that, during job run time, the SNC connection is established with the SAP server and all data is exchanged with SAP in encrypted form.
    b. Similarly, to enable it for the client side, select “Enable SNC for GUI”. Enabling SNC for the GUI/client side ensures that the SNC connection is established with SAP while designing the jobs.
    c. If the engine and client tiers are on the same machine, you can opt to “Use runtime SNC settings”. This ensures that the runtime SNC settings are used for the SAP connection on the client tier while designing the jobs, so you are not required to set the SNC settings for the GUI separately.
    Note: For engine and client tiers on different machines, you need to configure SNC separately for each tier
  5. To create a connection with X.509, check Enable X.509 and provide the path of the client PSE certificate. Only certificate files with the .crt file extension are supported.
  6. Provide the other SNC parameters, such as SNC Name, SNC Partner Name, SNC QOP and SNC Library Path. Note that the distinguished names need to be prefixed by "p:".
    For more details, refer to section Defining Secured Network Communication.
    Example:
  7. If using an automatically created RFC Destination (option available in the ABAP stage only), the SNC settings are included automatically when the stage creates the Destination.
    If using an existing RFC Destination (mandatory in the IDOC/BW RFC Manager, optional in the ABAP stage), you need to manually enable SNC in the RFC Destination / Logical System to be used with DataStage. Follow these steps:


Tracing options

Tracing the NW SDK-based connectors (ABAP Extract, BAPI, BW OpenHub Extract, BW Legacy Load)
Enable the RFC trace: set the environment variables RFC_TRACE=1 and RFC_TRACE_DIR=<directory_of_trace_files>
Check the generated RFC trace files (rfc*.trc). Note that, due to a known issue, some files might be generated in the DS Project folder (for example, /opt/IBM/InformationServer/Server/Projects/dstage1).
The section RfcOpenConnection/RfcOptions shows the connection options:
1. No SNC:  SNC Mode: 0
2. SNC without SSO: SNC Mode: 1 and GetSSO2: 0 and X.509 Certificate empty
3. SNC with SSO: SNC Mode: 1 and GetSSO2: 1
4. SNC with X509 certificate:  SNC Mode: 1 and X.509 displays the certificate; for example, X.509 Certificate: MIIC7zCCAdcCCAogGBA (...)
Example: /opt/IBM/InformationServer/Server/Projects/dstage1/rfc16097_1634998080.trc
>> RfcOpenConnection
>> RfcOptions
        Partner Char Size: 1
        Client: 800
        User:
        Alias:
        Passwd: (- null -)
        Language: E
        MySAPSSO2:
        GetSSO2: 0
        X.509 Certificate: MIIC7zCCAdcCCAogGBAkIUlEMA0GCSqGSIb3DQEBCwUAMDoxCz (...)
        SysNr: 00
        ASHost: ipsvm00770.svl.ibm.com
        ASService:
        GWHost:
        GWService:
        R3Name:
        MSHost:
        MSService:
        Group: PUBLIC
        ProgramID:
        SAPRouter:
        SNC Mode: 1
        SNC QOP: 0
        SNC Lib: /home/isadmin/SAPCRYPTOLIBP_8522-Linux64/libsapcrypto.so
        SNC Myname: p:CN=Ramos2,OU=IBM,O=CSW,C=US
        SNC Partnername: p:CN=RP7, OU=IINITIAL, OU=SAP Web AS, O=SAP Trust Community, C=DE
Tracing the JCo based connectors (IDOC Load/Extract, Delta Extract, BW 7xLoad)
How to confirm that SNC is used from the external JCo client traces:
A. Enable the JCo traces (details in technote 1408720). Use either option A1 or A2:
A1. Set the environment variables RFC_TRACE=<0...10> and RFC_TRACE_DIR=<directory_of_trace_files>
A2. Set the environment variable IBM_JAVA_OPTIONS (for IBM Java, which is the default for IIS) or JAVA_TOOL_OPTIONS (for non-IBM Java):
IBM_JAVA_OPTIONS = -Djco.trace_level=<0...10> -Djco.trace_path=<directory_of_trace_files> -Dcpic.trace=<-1...3>
Note: The minimum RFC_TRACE / jco.trace_level needed to get the SNC information is 4. The cpic.trace entry is optional and additionally produces the CPIC trace.

B. Run the job, then check the JCo traces.
File names are JCO<date>_<timestamp>.trc, for example JCO20170821_201849819.trc.
Look for the entry PoolingFactory.setPeakLimit and the strings listed below (the pool fields are separated by "|"). Note that SNCx means the QoP (Quality of Protection) is set to x (in the examples below, QOP is 9).

B1. No SNC: string SNC not present
main [17:07:18:679]: [JCoAPI] PoolingFactory.setPeakLimit(2147483647) on pool JCO_DESTINATION_ID|CONFIGURED_USER&800|I12241|EN|8E080AC489F558DDD47C82E80B5ED92D

B2. SNC without SSO: both string SNC and WOSSO present
main [20:18:50:775]: [JCoAPI] PoolingFactory.setPeakLimit(2147483647) on pool JCO_DESTINATION_ID|CONFIGURED_USER&800|I12241|EN|EEAD7B39CF8E67BD5EB914202B630E9C|SNC9|p:CN=ER0, OU=NOIDA, O=BCONE, C=IN|p:CN=IBMER, OU=IT, O=CSW, C=DE|WOSSO

B3. SNC with SSO: only string SNC present (without WOSSO or X509)
e.g. main [20:17:37:562]: [JCoAPI] PoolingFactory.setPeakLimit(2147483647) on pool JCO_DESTINATION_ID|CONFIGURED_USER&800|I12241|EN|148A98CBFD048F5D81ACDD0A2D528584|SNC9|p:CN=ER0, OU=NOIDA, O=BCONE, C=IN|p:CN=IBMER, OU=IT, O=CSW, C=DE

B4. SNC with X509 certificate: both strings SNC and X509 present
main [20:21:34:469]: [JCoAPI] PoolingFactory.setPeakLimit(2147483647) on pool JCO_DESTINATION_ID|CONFIGURED_USER&800|EN|CN=IBMER,OU=IT,O=CSW,C=DE|X509|SNC9|p:CN=ER0, OU=NOIDA, O=BCONE, C=IN
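The checks in the two tracing subsections above can be automated. As an added illustration (not part of the original technote), the following script classifies an RFC trace RfcOptions section and a JCo PoolingFactory.setPeakLimit line into the four SNC cases listed above; the sample extracts are constructed, with placeholder DNs and ids.

```python
import re
# Constructed sample trace extracts modelled on this technote's formats; DNs and ids are placeholders.
RFC_TRACE_X509 = """>> RfcOpenConnection
>> RfcOptions
        GetSSO2: 0
        X.509 Certificate: MIIC7zCCAdcCCAogGBAkIU (...)
        SNC Mode: 1
        SNC Partnername: p:CN=SA1, OU=SAP Web AS, O=SAP Trust Community, C=DE
"""
JCO_POOL_WOSSO = ("main [20:18:50:775]: [JCoAPI] PoolingFactory.setPeakLimit(2147483647) on pool "
                  "DEST|USER&800|I12241|EN|0000|SNC9|p:CN=SA1, OU=SAP Web AS, O=SAP Trust Community, C=DE"
                  "|p:CN=CLIENT, OU=IT, O=EXAMPLE, C=US|WOSSO")

def parse_rfc_options(trace):
    """Collect the 'key: value' lines of the RfcOptions section of an rfc*.trc file."""
    opts, in_block = {}, False
    for line in trace.splitlines():
        if line.startswith(">> RfcOptions"):
            in_block = True
            continue
        if in_block:
            if line.startswith(">>") or not line.strip():
                break                              # end of the RfcOptions section
            key, _, value = line.strip().partition(":")
            opts[key.strip()] = value.strip()
    return opts

def classify_rfc_options(trace):
    """Map an RfcOptions section to the four cases listed above (NW SDK connectors)."""
    opts = parse_rfc_options(trace)
    if opts.get("SNC Mode") != "1":
        return "No SNC"
    if opts.get("X.509 Certificate"):              # certificate blob is present
        return "SNC with X509 certificate"
    return "SNC with SSO" if opts.get("GetSSO2") == "1" else "SNC without SSO"

_SNC_FIELD = re.compile(r"^SNC(\d+)$")             # e.g. SNC9 -> QOP 9

def classify_jco_pool(line):
    """Classify a PoolingFactory.setPeakLimit line (JCo connectors); pool fields are '|'-separated."""
    _, sep, pool = line.partition(" on pool ")
    fields = pool.strip().split("|") if sep else []
    qops = [int(m.group(1)) for f in fields if (m := _SNC_FIELD.match(f))]
    if not qops:
        return {"mode": "No SNC", "qop": None}
    mode = ("SNC without SSO" if "WOSSO" in fields else
            "SNC with X509 certificate" if "X509" in fields else "SNC with SSO")
    return {"mode": mode, "qop": qops[0]}
```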


Document Information

Modified date:
07 July 2021

UID

swg22004893