Background
As part of their Infosec policy, the client requested that SAP Portal traffic to SAP ABAP systems and SAP GUI connections to ABAP systems be encrypted. Encryption is implemented using SAP Secure Network Communications (SNC). This document explains the step-by-step configuration of SNC encryption for the existing SAP GUI to ABAP connections and for the SAP Portal traffic to ABAP systems. SNC can be implemented in HANA on-premise and HANA Cloud landscapes as well.
Landscape
To demonstrate this configuration, the following landscape is required:
- SAP ABAP Systems: ECC, SRM, GRC, HR, PI and Solution Manager
- SAP GUI 7.5 running on Windows
- Active Directory service user account
- SAP Netweaver Application Server ABAP with Common Crypto Library installed
- Microsoft Windows Domain Controller
Tools
- LIBSAPCRYPTO library files
- Microsoft Active Directory ADSI
- Microsoft Kerberos
Conclusion:
SNC encryption enhances the existing SAP Cloud and on-premise environment with a high level of security, and the communications between the SAP systems are strongly protected.
Configuration Steps:
Pre-Requisites:
- SAP GUI Installed on a computer running on Microsoft Windows
- Microsoft Windows Domain Controller: service (SPN) accounts and SPN configuration
- SAP Netweaver Application server ABAP with Common Crypto library installed
Check that the SECUDIR environment variable is defined and points to the sec directory
Check the SNC library path
Back up the existing sec folder and the profile directory
Profile directory
sec directory
Create the SPN account (service user) in Microsoft Active Directory
Example: KerberosABC
Set the checkboxes as below:
Go to ADSI Edit and set the Service Principal Name for the service user, e.g. SAP/Kerberos<SID>
Check that the Service Principal Name is unique
Create the SNC PSE file with the following command (the -r option writes the certificate request file):
sapgenpse get_pse -p <path to the sec directory>/xxxx.pse -r <path to the sec directory>/xxxx.req "CN=<name of the SNC>"
Create the credentials for the <sid>adm user:
sapgenpse seclogin -p <path to the sec directory>/xxxx.pse -O <sid>adm
Now log in to the ABAP system
Go to transaction STRUSTSSO2
Create the SNC SAP Cryptolib PSE file: right-click SNC SAP Cryptolib as below:
Remove the default values of Org (opt) and Comp/Org, maintain the values below and save
Now select the SNC SAP Cryptolib PSE and double-click CN=XXXXXX@XXXX.com
Press the Export button and export the certificate to your machine.
Use the name <SID>.cert
Select Base64 as the file format and save it with the .cert extension
Exchanging the Public-Key Certificates
Save the .cert file into the sec directory of the Portal DEV system
Export the certificate of the Java SNC PSE:
sapgenpse export_own_cert -o <path to the sec directory>/xxxx.cer -p <path to the sec directory>/xxxx.pse
Import the ABAP SNC certificate into the Java SNC PSE:
sapgenpse maintain_pk -p /usr/sap/<SID>/J<nn>/sec/xxxx.pse -a /usr/sap/<SID>/J<nn>/sec/xxxx.cer
To get the details of the certificate:
sapgenpse get_my_name -p <path to the sec directory>/xxxx.pse
Import the Java SNC certificate into the ABAP SNC PSE in the same way
Maintaining the System ACL on the AS ABAP
Go to transaction SM30, enter table VSNCSYSACL, select type "E" on the next screen and click New Entries
and add the system and its SNC name, e.g. P:CN=xxxx@org.com, as below:
Maintain the SNC-related parameters in the instance profiles of the Java system and the ABAP system
Java system parameters as below:
ABAP system (ECC) parameters as below:
Now continue with the Portal configuration as below:
Portal SNC with Backend System (ECC)
- System object creation (using a connection string):
Then maintain the connection string as mentioned below.
Connection String: /H/<Hostname FQDN>/S/3200 SNC_PARTNERNAME="p:CN=xxxxxxxxxx@xxxx.com" SNC_QOP=9
- Transaction iView details:
As per SAP Note 1881298, create two sample transaction iViews and maintain the property below
Additional Parameters to start SAP GUI: SUPPORTBIT_ON=NEED_STDDYNPRO
iView 1 name: ECC SNC
- Testing the iView from the Portal:
The padlock is on and the SAP backend (ECC) is connected from the Portal using SNC.
Updating the SAP GUI XML properties with the SNC details of the respective SAP systems:
Update the SAP GUI .xml details with the corresponding system names and SNC names
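The following script is an added example, not part of the original guide or an SAP tool: it applies a SID-to-SNC-name mapping to a constructed sample of the SAP GUI landscape file and reports every connection entry that is still without SNC, so that you can verify no unencrypted entry remains. The attribute names sncname and sncop and the QoP value 9 (the same value used in the portal connection string above) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an SAP GUI landscape file with three connection entries.
# ECC and HR have no SNC settings yet; SRM already has them (hostnames are made up).
SAMPLE_LANDSCAPE = """<Landscape>
  <Services>
    <Service type="SAPGUI" uuid="1" name="ECC DEV" systemid="ECC" server="ecc.example.com:3200"/>
    <Service type="SAPGUI" uuid="2" name="SRM DEV" systemid="SRM" server="srm.example.com:3200"
             sncname="p:CN=KerberosSRM@EXAMPLE.COM" sncop="9"/>
    <Service type="SAPGUI" uuid="3" name="HR DEV" systemid="HR" server="hr.example.com:3200"/>
  </Services>
</Landscape>
"""

# SID -> SNC name of the ABAP system, as maintained in VSNCSYSACL (constructed values).
SNC_NAMES = {
    "ECC": "p:CN=KerberosECC@EXAMPLE.COM",
    "SRM": "p:CN=KerberosSRM@EXAMPLE.COM",
}

# An SNC name in this landscape has the form p:CN=<service user>@<realm>.
SNC_NAME_RE = re.compile(r"^p:CN=[^,@]+@[^,]+$", re.IGNORECASE)


def apply_snc(xml_text, snc_names, qop="9"):
    """Set sncname/sncop on every Service whose systemid is in snc_names.

    Returns (updated XML as a string, list of systemids that still have no SNC name).
    qop="9" is assumed to mean maximum protection (privacy), as SNC_QOP=9 does in
    the portal connection string. Raises ValueError on a malformed SNC name so a
    typo never silently produces an entry that fails the ACL check on the server.
    """
    root = ET.fromstring(xml_text)
    missing = []
    for svc in root.iter("Service"):
        sid = svc.get("systemid")
        if sid in snc_names:
            name = snc_names[sid]
            if not SNC_NAME_RE.match(name):
                raise ValueError(f"malformed SNC name for {sid}: {name}")
            svc.set("sncname", name)
            svc.set("sncop", qop)
        elif not svc.get("sncname"):
            missing.append(sid)  # still unencrypted: needs an SNC name
    return ET.tostring(root, encoding="unicode"), missing
```

Run apply_snc(SAMPLE_LANDSCAPE, SNC_NAMES) and treat a non-empty missing list as a finding: those entries would still connect in clear text.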
In the SAP GUI Logon Pad, all SAP systems are now shown with the key lock, as below
RFC connections are encrypted with SNC, as below:
End of the configuration.