Redpeaks V6.8
Trouble shooting
Monitors Guide
This chapter describes how to configure the SAP Secure Network Communications (SNC) protocol in an ABAP connector. In the following sections, the SAP server is called the « SNC server » and the collector is called the « SNC client ».
The SNC configuration consists of the following main steps:
SNC cryptographic libraries and certificates must be installed in a dedicated folder that enables the SNC client to handle PSE certificates
/opt/Pro.Monitor/SNC
ticket file to the /sec sub-folder of your SNC folder
If the ticket file is not available in the crypto archive, you can find one on the host of an SNC enabled system, in the sec folder. Example: /usr/sap/ID2/DVEBMGS00/sec
sapgenpse to work:
setenv.sh file
cd <PM_INSTALL_FOLDER>/bin
echo "export SECUDIR=<YOUR_SNC_FOLDER>/sec" >> setenv.sh
/etc/profile.d/promonitor.sh and add the settings below:
SECUDIR=<YOUR_SNC_FOLDER>/sec
PATH=$PATH:$SECUDIR
export SECUDIR
We use the SNC configuration scenario called « Using Individual PSEs for Components ».
<YOUR_SNC_FOLDER>/sec
../sapgenpse gen_pse -v -p PROMONITOR
Got absolute PSE path "/home/notroot/SNC/sec/PROMONITOR.pse".
Please enter PIN: *********
Please reenter PIN: *********
get_pse: Distinguished name of PSE owner: CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH
Supplied distinguished name: "CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH"
Creating PSE with format v2 (default)
Generating key (RSA, 1024-bits) ... succeeded.
certificate creation... ok
PSE update... ok
PKRoot... ok
Generating certificate request... ok.
PKCS#10 certificate request for "/home/notroot/SNC/sec/PROMONITOR.pse":
<YOUR_SNC_FOLDER>/sec
../sapgenpse export_own_cert -v -p PROMONITOR.pse -o PROMONITOR.crt
Opening PSE "/home/notroot/SNC/sec/PROMONITOR.pse"...
No SSO credentials found for this PSE.
Please enter PIN: *********
PSE (v2) open ok.
Retrieving my certificate... ok.
Writing to file (PEM-framed base64-encoded)... ok.
PROMONITOR.crt is created in the /sec folder
This operation will tell the system to trust the SNC client
SNC SAPCryptolib
PSEcrt file.
This operation will tell the SNC client to trust the system
On the SAP system:
System PSE
.crt file
On the SNC client:
<YOUR_SNC_FOLDER>/sec
../sapgenpse maintain_pk -v -p PROMONITOR.pse -a <YOUR_SYSTEM_CERTIFICATE>.crt
Opening PSE "/home/notroot/SNC/sec/PROMONITOR.pse"...
No SSO credentials found for this PSE.
Please enter PIN: *********
PSE (v2) open ok.
retrieving PKList
Adding new certificate from file "S4H.crt"
----------
Subject : CN=CLOUD-SAA100-CA, DC=CLOUD, DC=AGENTIL, DC=NET
Issuer : CN=CLOUD-SAA100-CA, DC=CLOUD, DC=AGENTIL, DC=NET
Serialno: 73:E9:56:E2:33:DB:C7:8C:49:30:82:30:83:E5:A3:E2
KeyInfo : RSA, 2048-bit
Validity - NotBefore: Wed Jan 27 11:50:47 2016 (160127105047Z)
NotAfter: Sat Nov 4 20:41:43 2119 (21191104194143Z)
----------------------------------------------------------------------------
PKList updated (1 entries total, 1 newly added)
You have to allow the OS account of the SNC client application to access the PSE, by creating the credential file “cred_v2”.
<YOUR_SNC_FOLDER>/sec
../sapgenpse seclogin -p PROMONITOR.pse -O promonitor
running seclogin with USER="notroot"
creating credentials for secondary user "promonitor" ...
Please enter PIN: ****
Added SSO-credentials (#0) for PSE "/home/notroot/sec/PROMONITOR.pse"
"CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH"
cred_v2 is created in the sec folder.
sapcrypto.dll file within SNC client.
p:CN=ID2, OU=I0020275243, OU=SAP Web AS, O=SAP Trust Community, C=DE
p:CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH
sapgenpse triggers an error such as:
ERROR in unix_dlopen(): dlopen("libsapcrypto.so") FAILED: "libsapcrypto.so: cannot open shared object file: No such file or directory"
conf file in /etc/ld.so.conf.d/ folder, such as: /etc/ld.so.conf.d/libsapcrypto-555.x86_64.conf
# more /etc/ld.so.conf.d/libsapcrypto-555.x86_64.conf
/root/SNC
ldconfig
libsapcrypto.so library.
sapgenpse should now run successfully
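A preflight check for the SNC client folder set up in this chapter, added here as an example and not part of the Redpeaks documentation or tooling. It assumes PROMONITOR.pse and cred_v2 sit in the SECUDIR folder as shown above; the function names are hypothetical.

```shell
# Added example (not Redpeaks code): preflight check for the SNC client folder.
# Assumes PROMONITOR.pse and cred_v2 sit in $SECUDIR, as on this page.
# All function names are hypothetical.

# Octal permission mode of a file (GNU stat, then BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed when none of the permission bits in octal mask $2 are set on $1.
bits_clear() {
    mode=$(file_mode "$1") || return 1
    [ $(( 0$mode & 0$2 )) -eq 0 ]
}

# Check one SECUDIR; print findings and return the number of problems.
snc_preflight() {
    dir=$1; pse=${2:-PROMONITOR.pse}; problems=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    # Anyone who can write here can swap the PSE or the credential file.
    if ! bits_clear "$dir" 22; then
        echo "FAIL: $dir is writable by group/others"
        problems=$((problems + 1))
    fi
    # cred_v2 opens the PSE without a PIN, so both files must be owner-only.
    for f in "$pse" cred_v2; do
        if [ ! -f "$dir/$f" ]; then
            echo "FAIL: $dir/$f is missing"
            problems=$((problems + 1))
        elif ! bits_clear "$dir/$f" 77; then
            echo "FAIL: $dir/$f is accessible by group/others"
            problems=$((problems + 1))
        else
            echo "ok:   $dir/$f"
        fi
    done
    return "$problems"
}

# Read `ldconfig -p` output on stdin; succeed if libsapcrypto.so is cached.
has_sapcrypto() {
    grep -q 'libsapcrypto\.so'
}

# Run against the real folder only when SECUDIR is set.
if [ -n "${SECUDIR:-}" ]; then
    snc_preflight "$SECUDIR"
    ldconfig -p 2>/dev/null | has_sapcrypto || echo "FAIL: libsapcrypto.so not in ld.so cache"
fi
```

Source it from the OS account that runs the SNC client, after `seclogin` has created cred_v2 and `ldconfig` has been run.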