This chapter describes how to set up the SAP Secure Network Communications (SNC) protocol in an ABAP connector. In the following sections, the SAP server is called « SNC server » and the collector « SNC client ».
The SNC configuration consists of the main steps described below.
SNC cryptographic libraries and certificates must be installed within a dedicated folder, which enables the SNC client to handle PSE certificates. Example: `/opt/Pro.Monitor/SNC`
Copy the `ticket` file to the `/sec` sub-folder of your SNC folder. If the `ticket` file is not available in the crypto archive, you can find one on the host of an SNC-enabled system, in its `sec` folder. Example: `/usr/sap/ID2/DVEBMGS00/sec`
The `SECUDIR` environment variable must point to the `sec` folder for `sapgenpse` to work. Add it to the `setenv.sh` file:

```
cd <PM_INSTALL_FOLDER>/bin
echo export SECUDIR=<YOUR_SNC_FOLDER>/sec >> setenv.sh
```

You can also edit `/etc/profile.d/promonitor.sh` and add the settings below:

```
SECUDIR=<YOUR_SNC_FOLDER>/sec
PATH=$PATH:$SECUDIR
export SECUDIR PATH
```
We use the SNC configuration scenario called « Using Individual PSEs for Components ».
In the `<YOUR_SNC_FOLDER>/sec` folder, run:

```
../sapgenpse gen_pse -v -p PROMONITOR
```

Output:

```
Got absolute PSE path "/home/notroot/SNC/sec/PROMONITOR.pse".
Please enter PIN: *********
Please reenter PIN: *********
get_pse: Distinguished name of PSE owner: CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH
Supplied distinguished name: "CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH"
Creating PSE with format v2 (default)
Generating key (RSA, 1024-bits) ... succeeded.
certificate creation... ok
PSE update... ok
PKRoot... ok
Generating certificate request... ok.
PKCS#10 certificate request for "/home/notroot/SNC/sec/PROMONITOR.pse":
-----BEGIN CERTIFICATE REQUEST-----
MIIBhzCB8QIBADBIMQswCQYDVQQGEwJDSDERMA8GA1UEChMIUkVEUEVBS1MxETAP
BgNVBAsTCFJFRFBFQUtTMRMwEQYDVQQDEwpQUk9NT05JVE9SMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQD8PaynQAdux0nqVWU83rtqi79meyCWSynEgbDEzQnv
onNtDSV/hlH52Us8v8jXYO3ruujCWGgSJwhTgmtUy5uTbXQSZMfkFoqLN/DdD3e2
bf28a0CAUcMvdiBAlydzpKFrx5U+bv+XZp7XykBrkLEyWXYWyy1KtdfXEdHZYdKO
nwIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEA8nmBL+cmjoLmhYin49MVCC9tCiMN
ZaU0KtpMmU2nTRD20SscfB7RgUp3EqnxLn+c2hzw2CMSMOb8enfPiGWTkPSbF26P
dKBXbr6oD8Fanl+tkRvrkX7hKBWKOUr/uR+l+cKVVeY1mCzZOcC1OkC1ygulEAyP
k0mlWWkOvDCNSeg=
-----END CERTIFICATE REQUEST-----
```
In the `<YOUR_SNC_FOLDER>/sec` folder, run:

```
../sapgenpse export_own_cert -v -p PROMONITOR.pse -o PROMONITOR.crt
```

Output:

```
Opening PSE "/home/notroot/SNC/sec/PROMONITOR.pse"...
No SSO credentials found for this PSE.
Please enter PIN: *********
PSE (v2) open ok.
Retrieving my certificate... ok.
Writing to file (PEM-framed base64-encoded)... ok.
```
`PROMONITOR.crt` is created in the `/sec` folder.

Import the `PROMONITOR.crt` file into the SNC SAPCryptolib PSE of the SAP system. This operation will tell the system to trust the SNC client.

The next operation will tell the SNC client to trust the system.
On the SAP system, export the certificate of the System PSE to a `.crt` file.

On the SNC client, in the `<YOUR_SNC_FOLDER>/sec` folder, run:

```
../sapgenpse maintain_pk -v -p PROMONITOR.pse -a <YOUR_SYSTEM_CERTIFICATE>.crt
```

Output:

```
Opening PSE "/home/notroot/SNC/sec/PROMONITOR.pse"...
No SSO credentials found for this PSE.
Please enter PIN: *********
PSE (v2) open ok.
retrieving PKList
Adding new certificate from file "S4H.crt"
----------
Subject : CN=CLOUD-SAA100-CA, DC=CLOUD, DC=AGENTIL, DC=NET
Issuer  : CN=CLOUD-SAA100-CA, DC=CLOUD, DC=AGENTIL, DC=NET
Serialno: 73:E9:56:E2:33:DB:C7:8C:49:30:82:30:83:E5:A3:E2
KeyInfo : RSA, 2048-bit
Validity - NotBefore: Wed Jan 27 11:50:47 2016 (160127105047Z)
           NotAfter:  Sat Nov  4 20:41:43 2119 (21191104194143Z)
----------------------------------------------------------------------------
PKList updated (1 entries total, 1 newly added)
```
You have to allow the OS account of the SNC client application to access the PSE, by creating the credential file “cred_v2”.
In the `<YOUR_SNC_FOLDER>/sec` folder, run:

```
../sapgenpse seclogin -p PROMONITOR.pse -O promonitor
```

Output:

```
running seclogin with USER="notroot"
creating credentials for secondary user "promonitor" ...
Please enter PIN: ****
Added SSO-credentials (#0) for PSE "/home/notroot/sec/PROMONITOR.pse"
  "CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH"
```
`cred_v2` is created in the `sec` folder.

The ABAP connector of the SNC client then needs the following settings: the path of the `sapcrypto.dll` file within the SNC client, the SNC name of the SAP system, for example:

```
p:CN=ID2, OU=I0020275243, OU=SAP Web AS, O=SAP Trust Community, C=DE
```

and the SNC name of the SNC client, for example:

```
p:CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH
```
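As an added pre-flight check (example code written for this chapter, not part of the product or of the original page), the script below verifies that the `sec` folder holds the files produced by the steps above, that `cred_v2` is not accessible to other OS accounts, and that `SECUDIR` names that folder. The function names are assumptions; `ticket`, `PROMONITOR.pse` and `cred_v2` are the file names used in the steps above.

```shell
#!/bin/sh
# Added example, not part of the original page: pre-flight checks on the SNC
# folder before the SNC client is started. Assumes the layout described above:
# <YOUR_SNC_FOLDER>/sec holding the ticket file, the PSE and cred_v2.

# snc_check_secdir SECDIR PSE_FILE
# Prints one line per problem found and returns 1; returns 0 when the folder
# contains everything the SNC client needs and cred_v2 is private.
snc_check_secdir() {
    secdir=$1
    pse=$2
    rc=0
    if [ ! -d "$secdir" ]; then
        echo "sec folder not found: $secdir"
        return 1
    fi
    for f in ticket "$pse" cred_v2; do
        if [ ! -f "$secdir/$f" ]; then
            echo "missing: $secdir/$f"
            rc=1
        fi
    done
    # cred_v2 lets the OS account open the PSE without typing the PIN, so it
    # must not be readable by accounts other than the SNC client's own.
    if [ -f "$secdir/cred_v2" ]; then
        mode=$(stat -c %a "$secdir/cred_v2" 2>/dev/null || stat -f %Lp "$secdir/cred_v2")
        case $mode in
            *0) ;;   # no permission bits for "other"
            *) echo "cred_v2 is accessible to other users (mode $mode)"; rc=1 ;;
        esac
    fi
    return $rc
}

# snc_check_secudir SECDIR
# The crypto library locates the PSE and cred_v2 through SECUDIR, so the
# variable must name the folder the files were created in.
snc_check_secudir() {
    if [ "${SECUDIR:-}" != "$1" ]; then
        echo "SECUDIR is '${SECUDIR:-unset}', expected '$1'"
        return 1
    fi
    return 0
}

# Stand-alone run: check the folder named by SECUDIR (PSE name as in the steps above).
if [ -n "${SECUDIR:-}" ]; then
    snc_check_secdir "$SECUDIR" PROMONITOR.pse || echo "SNC folder check failed"
fi
```

Run it as the OS account of the SNC client (here `promonitor`), since that is the account whose environment and file access matter.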
If `sapgenpse` triggers an error such as:

```
ERROR in unix_dlopen(): dlopen("libsapcrypto.so") FAILED: "libsapcrypto.so: cannot open shared object file: No such file or directory"
```

create a `conf` file in the `/etc/ld.so.conf.d/` folder, such as `/etc/ld.so.conf.d/libsapcrypto-555.x86_64.conf`, containing the folder where the library is installed:

```
# more /etc/ld.so.conf.d/libsapcrypto-555.x86_64.conf
/root/SNC
```

Then run `ldconfig` so that the dynamic loader finds the `libsapcrypto.so` library. `sapgenpse` should now run successfully.