====== SNC ABAP connection ======

This chapter describes how to set up the SAP Secure Network Communications (SNC) protocol in an ABAP connector. In the following sections, the SAP server is called « SNC server » and the collector « SNC client ».

===== Disclaimer =====

  * This documentation is meant for **SAP admins who already understand SNC** mechanisms.
  * The procedure below is a general guide, not a complete description of the configuration steps involved when configuring SNC in SAP.
  * Check the **Troubleshooting** section below first if you run into problems.

===== Overview =====

The SNC configuration consists of these main steps:

  * Create a dedicated folder and install the crypto libraries **on the client**
  * Set environment variables
  * Generate the PSE certificate
  * Generate the SNC client certificate
  * Register the SNC client certificate in SAP
  * Register the SNC server certificate in the client
  * Create the credential file for the SAP user
  * Configure the SNC user in SAP
  * Configure the SNC settings in the ABAP connector

===== SNC libraries =====

The SNC cryptographic libraries and certificates must be installed in a dedicated folder so that the SNC client can handle PSE certificates.

  * Create a folder dedicated to SNC:
    * Example: ''/opt/Pro.Monitor/SNC''
  * Download the latest **SAPCRYPTOLIB** package from the SAP launchpad and extract it into the dedicated SNC folder
  * Copy the license ''ticket'' file to the ''/sec'' sub-folder of your SNC folder
    * If the ''ticket'' file is not available in the crypto archive, you can find one on the host of an SNC-enabled system, in its ''sec'' folder. Example: ''/usr/sap/ID2/DVEBMGS00/sec''

===== Environment Variables =====

  * Two environment variables must be set for the SNC client application and ''sapgenpse'' to work:
    * **SECUDIR**
    * **PATH**
  * Set the environment variable in the ''setenv.sh'' file:
    * ''cd /bin''
    * ''echo export SECUDIR=/sec >> setenv.sh''
  * **DO NOT EDIT the setenv.sh file manually.** Create the file ''/etc/profile.d/promonitor.sh'' and add the settings below:

<code>
SECUDIR=/sec
PATH=$PATH:$SECUDIR
export SECUDIR PATH
</code>

===== Create PSE of the SNC client =====

We use the SNC configuration scenario called « Using Individual PSEs for Components ».

  * Here we decided to use this Distinguished Name for the SNC client: **CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH**
  * From the SNC client, open a shell and run the following commands:
    * ''cd /sec''
    * ''../sapgenpse gen_pse -v -p PROMONITOR''
  * In return, the command should print a result similar to this:

<code>
Got absolute PSE path "/home/notroot/SNC/sec/PROMONITOR.pse".
Please enter PIN: *********
Please reenter PIN: *********
get_pse: Distinguished name of PSE owner: CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH
Supplied distinguished name: "CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH"
Creating PSE with format v2 (default)
Generating key (RSA, 1024-bits) ... succeeded.
certificate creation... ok
PSE update... ok
PKRoot... ok
Generating certificate request... ok.
PKCS#10 certificate request for "/home/notroot/SNC/sec/PROMONITOR.pse":
-----BEGIN CERTIFICATE REQUEST-----
MIIBhzCB8QIBADBIMQswCQYDVQQGEwJDSDERMA8GA1UEChMIUkVEUEVBS1MxETAP
BgNVBAsTCFJFRFBFQUtTMRMwEQYDVQQDEwpQUk9NT05JVE9SMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQD8PaynQAdux0nqVWU83rtqi79meyCWSynEgbDEzQnv
onNtDSV/hlH52Us8v8jXYO3ruujCWGgSJwhTgmtUy5uTbXQSZMfkFoqLN/DdD3e2
bf28a0CAUcMvdiBAlydzpKFrx5U+bv+XZp7XykBrkLEyWXYWyy1KtdfXEdHZYdKO
nwIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEA8nmBL+cmjoLmhYin49MVCC9tCiMN
ZaU0KtpMmU2nTRD20SscfB7RgUp3EqnxLn+c2hzw2CMSMOb8enfPiGWTkPSbF26P
dKBXbr6oD8Fanl+tkRvrkX7hKBWKOUr/uR+l+cKVVeY1mCzZOcC1OkC1ygulEAyP
k0mlWWkOvDCNSeg=
-----END CERTIFICATE REQUEST-----
</code>

  * Check the key length reported by ''gen_pse'': the default shown in this output is RSA 1024-bit, weaker than the RSA 2048-bit server certificate shown further below.

===== Creating the SNC client certificate =====

  * From the SNC client, open a shell and run the following commands:
    * ''cd /sec''
    * ''../sapgenpse export_own_cert -v -p PROMONITOR.pse -o PROMONITOR.crt''
  * In return, the command should print a result similar to this:

<code>
Opening PSE "/home/notroot/SNC/sec/PROMONITOR.pse"...
No SSO credentials found for this PSE.
Please enter PIN: *********
PSE (v2) open ok.
Retrieving my certificate... ok.
Writing to file (PEM-framed base64-encoded)... ok.
</code>

  * The certificate ''PROMONITOR.crt'' is created in the ''/sec'' folder

===== Importing the client certificate in the SAP SNC server =====

This operation tells the system to trust the SNC client.

  * In the SAP system, start the **STRUST** transaction to import the client certificate into the ''SNC SAPCryptolib'' PSE
  * Import the generated ''crt'' file.

===== Exporting the SAP SNC server certificate =====

This operation tells the SNC client to trust the system.

On the SAP system:
  * Run the **STRUST** transaction to export the SAP system certificate from the ''System PSE''.
  * Be sure to select the **Base64** file format.
  * You should obtain a ''crt'' file

On the SNC client:
  * Open a shell and run the following commands:
    * ''cd /sec''
    * ''../sapgenpse maintain_pk -v -p PROMONITOR.pse -a .crt''
  * In return, the command should print a result similar to this:

<code>
Opening PSE "/home/notroot/SNC/sec/PROMONITOR.pse"...
No SSO credentials found for this PSE.
Please enter PIN: *********
PSE (v2) open ok.
retrieving PKList
Adding new certificate from file "S4H.crt"
----------
Subject : CN=CLOUD-SAA100-CA, DC=CLOUD, DC=AGENTIL, DC=NET
Issuer  : CN=CLOUD-SAA100-CA, DC=CLOUD, DC=AGENTIL, DC=NET
Serialno: 73:E9:56:E2:33:DB:C7:8C:49:30:82:30:83:E5:A3:E2
KeyInfo : RSA, 2048-bit
Validity  - NotBefore:   Wed Jan 27 11:50:47 2016 (160127105047Z)
            NotAfter:    Sat Nov  4 20:41:43 2119 (21191104194143Z)
----------------------------------------------------------------------------
PKList updated (1 entries total, 1 newly added)
</code>

===== Creating the credential file for the SNC client user account =====

You have to allow the OS account of the SNC client application to access the PSE by creating the credential file ''cred_v2''.

  * The OS user running Redpeaks (**promonitor** by default) must be granted the right to open the PSE file
  * **Make sure you register the same user!**
  * This is an example for the **promonitor** account on the previously created PSE file
  * From a shell, run the following commands:
    * ''cd /sec''
    * ''../sapgenpse seclogin -p PROMONITOR.pse -O promonitor''
  * In return, the command should print a result similar to this:

<code>
running seclogin with USER="notroot"
creating credentials for secondary user "promonitor" ...
Please enter PIN: ****
Added SSO-credentials (#0) for PSE "/home/notroot/sec/PROMONITOR.pse"
  "CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH"
</code>

  * The file ''cred_v2'' is created in the ''sec'' folder.

===== Configure the SNC client user in SAP =====

  * In the SAP system, run the **SM30** transaction and edit the **USRACLEXT** table.
  * Add a new entry for the SNC client user and its Distinguished Name.
  * Be careful to add the user in the right client.
  * Example:

{{:products:promonitor:6.8:userguide:configuration:systemsconnectors:abap:pasted:20240104-165332.png}}

===== SNC settings in ABAP connector =====

  * Within the ABAP connector settings, activate the SNC checkbox.
  * Fill out the fields below:
    * **SNC library:** the path to the ''sapcrypto.dll'' file within the SNC client.
    * **SNC partner name:** the DN of the SAP SNC server
      * Example: ''p:CN=ID2, OU=I0020275243, OU=SAP Web AS, O=SAP Trust Community, C=DE''
    * **SNC my name:** the DN of the SNC client
      * Example: ''p:CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH''

{{:products:promonitor:6.8:userguide:configuration:systemsconnectors:abap:pasted:20240102-172951.png}}

====== Troubleshooting ======

===== libsapcrypto.so: cannot open shared object file =====

  * Executing ''sapgenpse'' triggers an error such as:

<code>
ERROR in unix_dlopen(): dlopen("libsapcrypto.so") FAILED: "libsapcrypto.so: cannot open shared object file: No such file or directory"
</code>

  * This issue can be resolved by creating a dedicated ''conf'' file in the ''/etc/ld.so.conf.d/'' folder, such as:
    * ''/etc/ld.so.conf.d/libsapcrypto-555.x86_64.conf''
  * The file must contain the path to your SNC folder, for example:

<code>
# more /etc/ld.so.conf.d/libsapcrypto-555.x86_64.conf
/root/SNC
</code>

  * From your SNC folder, run ''ldconfig''
  * This registers the path to your ''libsapcrypto.so'' library.
  * ''sapgenpse'' should now run successfully
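As an added pre-flight check that is not part of the product or of this page's procedure, the following POSIX shell function verifies the client-side layout built in the SNC libraries, Environment Variables and credential file sections above, plus the loader registration from the Troubleshooting section. It assumes a Linux SNC client, that the PSE name is the one passed to ''gen_pse -p'', and that the folder and file names are the ones used on this page.

```shell
#!/bin/sh
# Pre-flight check of the SNC client layout described on this page
# (added example; not part of the product). Assumes a Linux host where the
# SNC folder holds sapgenpse and libsapcrypto.so, and its sec/ sub-folder
# holds ticket, <PSE name>.pse and cred_v2, with SECUDIR pointing at sec/.
# Usage: snc_check <SNC folder> <PSE name given to gen_pse -p>
# Returns 0 when every check passes; each failed check is printed as FAIL.
snc_check() {
    snc_dir=$1
    pse_name=$2
    sec_dir="$snc_dir/sec"
    rc=0

    # sapgenpse and the connector read the PSE and cred_v2 from SECUDIR
    if [ "${SECUDIR:-}" != "$sec_dir" ]; then
        echo "FAIL: SECUDIR is '${SECUDIR:-unset}', expected '$sec_dir'"; rc=1
    fi
    # Files extracted from the SAPCRYPTOLIB package
    [ -x "$snc_dir/sapgenpse" ] || { echo "FAIL: $snc_dir/sapgenpse missing or not executable"; rc=1; }
    [ -f "$snc_dir/libsapcrypto.so" ] || { echo "FAIL: $snc_dir/libsapcrypto.so missing"; rc=1; }
    # License ticket copied into sec/
    [ -f "$sec_dir/ticket" ] || { echo "FAIL: $sec_dir/ticket missing"; rc=1; }
    # PSE created by 'sapgenpse gen_pse -p <PSE name>'
    [ -f "$sec_dir/$pse_name.pse" ] || { echo "FAIL: $sec_dir/$pse_name.pse missing"; rc=1; }
    # cred_v2 created by 'sapgenpse seclogin' lets the OS user open the PSE
    # without typing the PIN, so it must exist and be readable by its owner only
    if [ ! -f "$sec_dir/cred_v2" ]; then
        echo "FAIL: $sec_dir/cred_v2 missing (run sapgenpse seclogin)"; rc=1
    else
        mode=$(stat -c '%a' "$sec_dir/cred_v2" 2>/dev/null || stat -f '%Lp' "$sec_dir/cred_v2")
        case "$mode" in
            *00) ;;
            *) echo "FAIL: cred_v2 mode $mode is not owner-only (expected 600 or 700)"; rc=1 ;;
        esac
    fi
    # Troubleshooting section: the dynamic loader must be able to find libsapcrypto.so
    if command -v ldconfig >/dev/null 2>&1 && ! ldconfig -p 2>/dev/null | grep -q libsapcrypto.so; then
        echo "WARN: libsapcrypto.so not in the ldconfig cache (see Troubleshooting)"
    fi
    return $rc
}

# Example invocation with the folder used on this page:
# snc_check /opt/Pro.Monitor/SNC PROMONITOR
```

Run it as the OS user that runs the collector (**promonitor** by default), since that is the account whose environment and file access the connector relies on.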