Wednesday, 08 January 2020 19:13

SAP Secure Network Communication (SNC) Encryption configuration from SAP Portal to ABAP systems and SAP Gui to ABAP systems

Written by https://blogs.sap.com/2020/01/09/sap-secure-network-communication-snc-encryption-configuration-from-sap-portal-to-abap-systems-and-sap-gui-to-abap-systems/

Source https://blogs.sap.com/2020/01/09/sap-secure-network-communication-snc-encryption-configuration-from-sap-portal-to-abap-systems-and-sap-gui-to-abap-systems/

“© 2020. SAP SE or an SAP affiliate company. All rights reserved.” “Used with permission of SAP SE”
implemented using the SAP Secure Network Communication (SNC). This document explains the step-by-step configuration of SNC encryption for existing SAP GUI to ABAP system traffic and SAP Portal to ABAP system traffic. SNC can be implemented in HANA on-premise and HANA Cloud landscapes as well.

Landscape

To demonstrate this configuration, the following landscape is required:

  • SAP ABAP Systems: ECC, SRM, GRC, HR, PI and Solution Manager
  • SAP GUI 7.5 running on Windows
  • Active Directory service user account
  • SAP NetWeaver Application Server ABAP with Common Crypto Library installed
  • Microsoft Windows Domain Controller

Tools

  • LIBSAPCRYPTO library files
  • Microsoft Active Directory ADSI
  • Microsoft Kerberos

Conclusion:

SNC encryption adds a high level of security to the existing SAP cloud and on-premise environment, and communication between the SAP systems is highly secured.

Configuration Steps:

Pre-Requisites:

  • SAP GUI installed on a computer running Microsoft Windows
  • Microsoft Windows Domain Controller – service SPN accounts and SPN configuration
  • SAP NetWeaver Application Server ABAP with Common Crypto Library installed

Check that the SECUDIR environment variable is defined for the sec directory

Check the SNC library path

Back up the existing sec folder and profile directory

Profile directory

sec directory

Create the SPN account: a service user in Microsoft Active Directory

Example : KerberosABC

Set the checkboxes as below:

Go to ADSI Edit and set the Service Principal Name for the service user, i.e. SAP/Kerberos<SID>

Check that the Service Principal Name is unique

Create the SNC PSE file with the command below

sapgenpse get_pse -p <path to the sec directory/xxxx.pse> -r <path to the sec directory/xxxx.req> "CN=<name of the SNC>"

Create the credentials

sapgenpse seclogin -p <path to the sec directory/xxxx.pse> -O <sidadm>

Now log in to the ABAP system

Go to transaction STRUSTSSO2

Create the SNC SAP Cryptolib PSE file: right-click SNC SAP Cryptolib as below:

Remove the default values of Org(opt) & comp/org, maintain the values below, and save

Now select the SNC SAP Cryptolib PSE and double-click the CN=<name of the SNC> entry

Press the Export button and export the certificate to your machine.

Use the name <SID>.cert

Select "Base64" as <SID>.cert

Exchanging the Public-Key Certificates

Save the crt file into the sec directory of the portal dev system

Export the certificate of the Java SNC PSE

sapgenpse export_own_cert -o <name.crt> -p <name.pse> -x <password for pse>

Import the ABAP SNC certificate into the Java SNC PSE

sapgenpse maintain_pk -p /usr/sap/<SID>/J00/sec/xxxx.pse -a /usr/sap/<SID>/J<nn>/sec/xxxx.cer

To get the details of the certificate

sapgenpse get_my_name -p <path to the pse file>

Import the Java SNC certificate into the ABAP SNC PSE

Maintaining the System ACL on the AS ABAP

Go to transaction SM30, enter VSNCSYSACL, select "E" on the next screen, and click New Entries

Add the system <SID> and the SNC name, e.g. p:CN=<name of the SNC>, as below:

Maintain the SNC-related parameters in the instance profile of the Java system and the ABAP system

Java System parameter as below:

ABAP Systems (ECC) Parameters as below

Now continue with the Portal configuration as below:

Portal SNC with Backend System (ECC)

  • System Object creation (using Connection String):

Then maintain the connection string as shown below.

Connection String: /H/<Hostname FQDN>/S/3200 SNC_PARTNERNAME="p:CN=<name of the SNC>" SNC_QOP=9

  • Transaction iView details:

As per SAP Note 1881298, two sample transaction iViews were created and the property below was maintained

Additional Parameters to start SAP GUI: SUPPORTBIT_ON=NEED_STDDYNPRO

iView 1 Name: ECC SNC

  • Testing the iView from Portal:

The padlock is "ON" and the SAP backend (ECC) is connected from the portal using SNC.

Updating the SAPGUI xml properties with the SNC details of respective SAP systems:

Update the SAPGUI .xml details with the corresponding system name and SNC names

In the SAP GUI logon pad, all the SAP systems are shown as encrypted with the key lock as below

RFC connections are encrypted with SNC as below:

End of the configuration.
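A check for the settings configured above (the SNC instance profile parameters and the portal connection string), as an added example that is not part of the original post. The profile values and host name are constructed samples, and the required values encode the assumption that encryption must be enforced rather than optional.

```python
import re

# Assumed policy: values that enforce encryption and leave no plaintext path.
REQUIRED = {
    "snc/enable": "1",               # SNC active
    "snc/data_protection/min": "3",  # 3 = privacy (encryption) as the floor
    "snc/accept_insecure_gui": "0",  # reject SAP GUI logons without SNC
    "snc/accept_insecure_rfc": "0",  # reject RFC without SNC
}

def parse_profile(text):
    """Return {parameter: value} from instance-profile text, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def audit_profile(text):
    """List parameters whose value differs from REQUIRED (unset counts too)."""
    params = parse_profile(text)
    return [f"{name} = {params.get(name, '<unset>')}, expected {want}"
            for name, want in REQUIRED.items() if params.get(name) != want]

def audit_connection_string(conn):
    """Check SNC_PARTNERNAME and SNC_QOP in a portal/SAP GUI connection string."""
    opts = dict(re.findall(r'(SNC_\w+)=("[^"]*"|\S+)', conn))
    findings = []
    if not opts.get("SNC_PARTNERNAME", "").strip('"').lower().startswith("p:cn="):
        findings.append("SNC_PARTNERNAME missing or not of the form p:CN=...")
    qop = opts.get("SNC_QOP", "<unset>")
    if qop not in ("3", "9"):  # 1 = auth only, 2 = integrity, 8 = server default
        findings.append(f"SNC_QOP = {qop}: encryption is not requested explicitly")
    return findings

# Constructed sample inputs (not taken from the original post).
SAMPLE_PROFILE = """\
snc/enable = 1
snc/data_protection/min = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 0
"""
SAMPLE_CONN = '/H/ecc.example.com/S/3200 SNC_PARTNERNAME="p:CN=ABC" SNC_QOP=9'

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE) + audit_connection_string(SAMPLE_CONN):
        print("FINDING:", finding)
```

On the sample profile this reports the two settings that still allow unencrypted sessions even though SNC is enabled; the sample connection string passes.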

Reference Configuration links:

SAP SNC config as SAP JAVA to ABAP config

  1. https://launchpad.support.sap.com/#/notes/2573413
  2. https://help.sap.com/doc/saphelp_nw75/7.5.5/en-US/c3/d2281db19ec347a2365fba6ab3b22b/frameset.htm

SNC config for SAP PORTAL iView

  3. https://launchpad.support.sap.com/#/notes/1881298
