
SNC ABAP connection

This chapter describes how to set up the SAP Secure Network Communications (SNC) protocol in
an ABAP connector. In the following sections, the SAP server is called the "SNC server"
and the collector is called the "SNC client".

Disclaimer

  • This documentation is meant for SAP admins who already understand SNC mechanisms.
  • The below procedure is a general guide, but not a complete description of the configuration steps involved when configuring SNC in SAP.
  • If you run into problems, check the troubleshooting section below first.

Overview

The SNC configuration consists of these main steps:

  • Create a dedicated folder and install crypto libraries on the client
  • Set environment variables
  • Generate PSE certificate
  • Generate SNC client certificate
  • Register SNC client certificate in SAP
  • Register SNC server certificate in the client
  • Create credential file for the SAP user
  • Configure SNC user in SAP
  • Configure SNC settings in the ABAP connector

SNC libraries

SNC cryptographic libraries and certificates must be installed in a dedicated folder
so that the SNC client can handle PSE certificates.
  • Create a folder dedicated to SNC:
    • Example: /opt/Pro.Monitor/SNC
  • Download the latest SAPCRYPTOLIB package from SAP launchpad and extract it in the dedicated SNC folder
  • Copy the license ticket file to the /sec sub-folder of your SNC folder
    • If the ticket file is not available in the crypto archive, you can find one on the host of an SNC-enabled system, in the sec folder. Example: /usr/sap/ID2/DVEBMGS00/sec

Environment Variables

  • Two environment variables must be set for the SNC client application and sapgenpse to work:
    • SECUDIR
    • PATH
  • Set the environment variable in the setenv.sh file:
    • cd <PM_INSTALL_FOLDER>/bin
    • echo export SECUDIR=<YOUR_SNC_FOLDER>/sec >> setenv.sh
    • DO NOT EDIT setenv.sh file manually
  • Create the file /etc/profile.d/promonitor.sh and add the settings below:
SECUDIR=<YOUR_SNC_FOLDER>/sec
PATH=$PATH:$SECUDIR
export SECUDIR PATH

Create PSE of the SNC client

We use the SNC configuration scenario called "Using Individual PSEs for Components".
  • Here we decided to use this Distinguished Name for the SNC client: CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH
  • From the SNC client, open a shell and run the following commands:
    • cd <YOUR_SNC_FOLDER>/sec
    • ../sapgenpse gen_pse -v -p PROMONITOR
  • In return, the command should print a result similar to this:
 
 Got absolute PSE path "/home/notroot/SNC/sec/PROMONITOR.pse".
Please enter PIN: *********
Please reenter PIN: *********
get_pse: Distinguished name of PSE owner: CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH
 Supplied distinguished name: "CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH"
 Creating PSE with format v2 (default)
 Generating key (RSA, 1024-bits) ... succeeded.
 certificate creation... ok
 PSE update... ok
 PKRoot... ok
Generating certificate request... ok.
PKCS#10 certificate request for "/home/notroot/SNC/sec/PROMONITOR.pse":


Creating the SNC client certificate

  • From the SNC client, open a shell and run the following commands:
    • cd <YOUR_SNC_FOLDER>/sec
    • ../sapgenpse export_own_cert -v -p PROMONITOR.pse -o PROMONITOR.crt
  • In return, the command should print a result similar to this:
  Opening PSE "/home/notroot/SNC/sec/PROMONITOR.pse"...
 No SSO credentials found for this PSE.
Please enter PIN: *********
 PSE (v2) open ok.
 Retrieving my certificate... ok.
 Writing to file (PEM-framed base64-encoded)... ok.
  • The certificate PROMONITOR.crt is created in the /sec folder

Importing the client certificate into the SAP SNC server

This operation tells the system to trust the SNC client.
  • In the SAP system, start the STRUST transaction to import the client certificate in the SNC SAPCryptolib PSE
  • Import the generated crt file.

Exporting the SAP SNC server certificate

This operation tells the SNC client to trust the system.

On the SAP system:

  • Run the STRUST transaction to export the SAP system certificate from the System PSE.
  • Make sure to select the Base64 file format.
  • You should obtain a crt file.

On the SNC client:

  • Open a shell and run the following commands:
    • cd <YOUR_SNC_FOLDER>/sec
    • ../sapgenpse maintain_pk -v -p PROMONITOR.pse -a <YOUR_SYSTEM_CERTIFICATE>.crt
  • In return, the command should print a result similar to this:
 Opening PSE "/home/notroot/SNC/sec/PROMONITOR.pse"...
 No SSO credentials found for this PSE.
Please enter PIN: *********
 PSE (v2) open ok.
 retrieving PKList
 Adding new certificate from file "S4H.crt"
----------
Subject : CN=CLOUD-SAA100-CA, DC=CLOUD, DC=AGENTIL, DC=NET
Issuer  : CN=CLOUD-SAA100-CA, DC=CLOUD, DC=AGENTIL, DC=NET
Serialno: 73:E9:56:E2:33:DB:C7:8C:49:30:82:30:83:E5:A3:E2
KeyInfo : RSA, 2048-bit
Validity  -  NotBefore:   Wed Jan 27 11:50:47 2016 (160127105047Z)
              NotAfter:   Sat Nov  4 20:41:43 2119 (21191104194143Z)
----------------------------------------------------------------------------

 PKList updated (1 entries total, 1 newly added)

Creating the credential file for the SNC client user account

You have to allow the OS account of the SNC client application to access
the PSE by creating the credential file "cred_v2".
  • The OS user running Redpeaks (promonitor by default) must be granted permission to open the PSE file.
  • Make sure you register the same user!
  • This is an example for the promonitor account on the previously created PSE file.
  • From a shell, run the following commands:
    • cd <YOUR_SNC_FOLDER>/sec
    • ../sapgenpse seclogin -p PROMONITOR.pse -O promonitor
  • In return, the command should print a result similar to this:
  
 running seclogin with USER="notroot"
 creating credentials for secondary user "promonitor" ...
Please enter PIN: ****
 Added SSO-credentials (#0) for PSE "/home/notroot/sec/PROMONITOR.pse"
   "CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH"
  • The file cred_v2 is created in the sec folder.
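
A pre-flight check for the result of the client-side steps above, as an added example that is not part of the Pro.Monitor documentation: run as the OS account that starts the collector (promonitor by default), it confirms that SECUDIR is set and that the PSE and cred_v2 are readable. The function name snc_preflight and the rule that these files must be closed to "other" users are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check of the SNC client's SECUDIR.
# snc_preflight is a hypothetical helper, not part of Pro.Monitor or SAPCRYPTOLIB.
# Usage (as the collector's OS account): snc_preflight PROMONITOR.pse

# Print the "others" permission triplet (e.g. "r--") of a path.
other_bits() {
    ls -ldL "$1" | cut -c8-10
}

# snc_preflight <pse-file-name>
# Returns 0 if all checks pass, otherwise the number of failed checks.
snc_preflight() {
    pse_name=$1
    failures=0

    if [ -z "${SECUDIR:-}" ] || [ ! -d "$SECUDIR" ]; then
        echo "FAIL: SECUDIR is unset or not a directory" >&2
        return 1
    fi

    for f in "$SECUDIR/$pse_name" "$SECUDIR/cred_v2"; do
        if [ ! -r "$f" ]; then
            echo "FAIL: $f missing or not readable by $(id -un)" >&2
            failures=$((failures + 1))
            continue
        fi
        # Assumption: the PSE and the credential file are closed to "others".
        if [ "$(other_bits "$f")" != "---" ]; then
            echo "FAIL: $f is accessible to other users" >&2
            failures=$((failures + 1))
        fi
    done

    # Assumption: the sec folder itself must not be world-writable.
    case "$(other_bits "$SECUDIR")" in
        ?w?) echo "FAIL: $SECUDIR is world-writable" >&2
             failures=$((failures + 1)) ;;
    esac

    [ "$failures" -eq 0 ] && echo "OK: $SECUDIR/$pse_name is usable"
    return "$failures"
}
```

If the PSE was created by a different account than the one running the collector, as in the seclogin example above, group read access is what lets the collector open it; the check only rejects access for "others".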

Configure the SNC client user in SAP

  • In the SAP system, run the SM30 transaction and edit USRACLEXT table.
  • Add a new entry for the SNC client user and its Distinguished Name.
  • Be careful to add the user in the right client.
  • Example:

SNC settings in ABAP connector

  • Within the ABAP connector settings, activate the SNC checkbox.
  • Fill out the below fields:
    • SNC library: The path to the sapcrypto.dll file within SNC client.
    • SNC partner name: the DN of the SAP SNC server
      • Example: p:CN=ID2, OU=I0020275243, OU=SAP Web AS, O=SAP Trust Community, C=DE
    • SNC my name: the DN of the SNC client
      • Example: p:CN=PROMONITOR, OU=REDPEAKS, O=REDPEAKS, C=CH

Troubleshooting

libsapcrypto.so: cannot open shared object file

  • Executing sapgenpse triggers an error such as:
ERROR in unix_dlopen(): dlopen("libsapcrypto.so") FAILED:
"libsapcrypto.so: cannot open shared object file: No such file or directory"
  • This issue can be resolved by creating a dedicated conf file in the /etc/ld.so.conf.d/ folder, such as:
    • /etc/ld.so.conf.d/libsapcrypto-555.x86_64.conf
  • The file must contain the path to your SNC folder, for example:
# more /etc/ld.so.conf.d/libsapcrypto-555.x86_64.conf
/root/SNC
  • From your SNC folder, run ldconfig.
  • This will register the path to your libsapcrypto.so library.
  • sapgenpse should now run successfully.