
Enabling SNC on SAP Connections

Revision 20160211

NOTE
This document is confidential and proprietary of Denodo Technologies.
No part of this document may be reproduced in any form by any means without prior
written authorization of Denodo Technologies.

Copyright © 2018
Denodo Technologies Proprietary and Confidential
Enabling SNC on SAP Connections 20160211

Goal

Secure Network Communications (SNC) provides stronger authentication and
encryption mechanisms than the default security options of SAP.

This document explains how to enable Secure Network Communications (SNC) to
secure the communications between Virtual DataPort and SAP. Take into account the
following:

● In Virtual DataPort, you can enable SNC on the data sources that use SAP JCo
(SAP Java Connector) to connect to SAP. These are:

○ BAPI data sources.

○ Multidimensional data sources with the adapters “SAP BI 7.x (BAPI)” or
“SAP BW 3.x (BAPI)”.

SNC cannot be enabled in multidimensional data sources with the adapters “SAP
BI 7.x (XMLA)” or “SAP BW 3.x (XMLA)”.

● SNC is used to secure the communications (Privacy Protection). However, the
authentication of users is performed using their username and password and
not their certificate.

Content

In the host where the Virtual DataPort server is installed, execute these steps:

1. Open a command line and execute the following commands to create the
Personal Security Environment (PSE) file:

cd C:\SAP\SNC\sec
SET SECUDIR=C:\SAP\SNC\sec
sapgenpse.exe gen_pse -v -p denodo_SAPSSLS.pse

Do not put spaces around the equals sign of the SET command: on Windows they
become part of the variable name and sapgenpse will not find SECUDIR.

You will see output like the following; at the end of the process you will
obtain the PSE file. You will have to provide a PIN and the distinguished name
(DN) of the PSE owner.

Please enter PIN:
Please reenter PIN:
get_pse: Distinguished name of PSE owner: cn=server
Supplied distinguished name: "cn=server"
Creating PSE with format v2 (default)
Generating key (RSA, 2048-bits) ... succeeded.
certificate creation... ok
PSE update... ok
PKRoot... ok
Generating certificate request... ok.
PKCS#10 certificate request for "C:\SAP\SNC\sec\denodo_SAPSSLS.pse":

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

2. Export the certificate of the PSE file to a .crt file:

sapgenpse.exe export_own_cert -v -p denodo_SAPSSLS.pse -o denodo_SAPSSLS.crt

3. Assign credentials to the user account that you will use in the Multidimensional
data source or the BAPI data source of Virtual DataPort:

sapgenpse.exe seclogin -p denodo_SAPSSLS.pse -O <domain>\<user>

For example,

sapgenpse.exe seclogin -p denodo_SAPSSLS.pse -O CONTOSO\frank

You will see something like:

running seclogin with USER="frank"
creating credentials for user "CONTOSO\frank" (yourself)...
Adjusting credentials and PSE ACLs to include "CONTOSO\frank"...
Oh, you supplied your own name explicitly ... ok.
C:\SAP\SNC\sec\cred_v2 ... ok.
C:\SAP\SNC\sec\dnd_altea.pse ... ok.
C:\SAP\SNC\sec\dnd_altea.pse ... ok.
Updated SSO-credentials (#1) for PSE "C:\SAP\SNC\sec\denodo_SAPSSLS.pse"
"CN=server"

Note: if the user exists only on the local system (it does not belong to a Windows
domain), then execute:

sapgenpse.exe seclogin -p denodo_SAPSSLS.pse -O SYSTEM

4. Open SAP GUI and log in.

5. Import the client certificate into SAP. To do this, follow these steps:

a. Start the transaction STRUST.

b. On the left side of the dialog, expand the node SNC SAPCryptolib and
double-click on the server where you want to install the crt certificate
generated in the previous steps.

c. If the certificate does not exist for this SAP Server, do the following:

i. Right-click System PSE.

ii. Click Display <-> Change to enable the “Create” option.

d. Import the certificate by clicking the import button at the bottom of the
dialog and select the file denodo_SAPSSLS.crt created before.

e. Click Add to Certificate List to add the imported certificate to the list
of certificates of the System PSE.

6. Start the transaction SNC0. You will see a dialog like the following:

a. Click New entries. You will see a dialog like the following:

b. In the SNC Name box, enter the Distinguished Name (DN) you provided
in the first step.

c. Select, at least, the Entry for ext. ID activated check box.

d. Click the Save button.

7. Go back to the STRUST transaction and do the following:

a. Expand the node SNC SAPCryptolib and double-click the host where
the certificate was imported.
You will see a dialog like the following:

b. In the “Certificate List”, select the subject of the certificate you want to
export.

c. Click the export button to export the certificate. Use the option Base64.
Store it with the name dnd_abap_tazzari_out.crt.

8. In the host where the Virtual DataPort server runs, execute the following to
import the server “.crt” into the PSE created in step 1 (the sample command and
output below come from an environment where that PSE was named dnd_altea.pse;
use the name of your own PSE file):

sapgenpse.exe maintain_pk -a dnd_abap_tazzari_out.crt -p dnd_altea.pse

You will see something like this:

maintain_pk for PSE "C:\SAP\SNC\sec\dnd_altea.pse"
Subject : CN=SNC, CN=ERP
PKList updated (1 entries total, 1 newly added)

9. In Virtual DataPort, open the configuration of the BAPI data source or a
multidimensional data source with a BAPI adapter.

The user account used in the data source is a regular SAP user account without
any special configuration. To see the SNC configuration of a user, do the
following:

a. In SAP GUI, start the transaction SU01.

b. Enter the name of a user and click the Display icon.

c. Then, click the tab SNC to see the SNC configuration for that particular
user. You will see a dialog like the following:

10. In Virtual DataPort, in the dialog to configure the data source, click Advanced
and follow these steps (the steps to enable SNC are the same for both types of
data sources):

a. Enter the path to the SAP Cryptographic Library. That is, the path to
the file sapcrypto.dll (if the Server runs on Windows) or to
libsapcrypto.so (if the Server runs on Linux). You can download this
library from the SAP website.

b. Enter the Partner name. That is, the distinguished name of the SAP
server. For example, p:CN=SNC,CN=ERP.

c. Select the Security level. SAP offers three levels of configuration and in
addition, you have these options:

i. Use the value from snc/data_protection/use: uses the default
security level set by the SAP server.

ii. Use the value from snc/data_protection/max: uses the
maximum level of security offered by the SAP server.

After creating the data source, you can use a network packet analyzer (e.g. Wireshark)
to check that the messages are encrypted:

Appendix A: Configuration Properties of SAP

At the SAP server, the profile configuration file (in our scenario:
C:\usr\sap\ERP\SYS\profile\ERP_DVEBMGS03_tazzari) has to have the following
properties.

# Properties related to SNC configuration
snc/enable = 1
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 3
snc/permit_insecure_start = 1
snc/identity/as = p:CN=SNC,CN=ERP
snc/extid_login_diag = 1
snc/extid_login_rfc = 1
spnego/construct_SNC_name = 111
snc/gssapi_lib = C:\usr\sap\ERP\DVEBMGS03\exe\sapcrypto.dll

The SAP Help page “Profile Parameter Settings on AS ABAP” explains the meaning of
these properties in more detail.
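The security level chosen in step 10c (the snc/data_protection/use and snc/data_protection/max options) and the profile properties listed above decide how much of the traffic is actually protected, and several of the Appendix A values (snc/data_protection/min = 2, the snc/accept_insecure_* switches set to 1, snc/r3int_rfc_secure = 0) still admit unencrypted or non-SNC sessions. The following Python script is an added example, not part of this document or of any Denodo or SAP tool: it parses profile lines of the form "key = value" and reports which settings weaken SNC. The sample profile text is constructed from Appendix A; the level meanings (1 = authentication, 2 = integrity, 3 = privacy) follow SAP's definition of snc/data_protection/*.

```python
"""Audit the SNC parameters of an SAP AS ABAP profile fragment.

Added example, not part of the Denodo document: parses `key = value`
profile lines and lists the settings that leave traffic unprotected.
"""
import re

# snc/data_protection/* levels as defined by SAP:
# 1 = authentication only, 2 = integrity protection, 3 = privacy (encryption)
PROTECTION_LEVELS = {1: "authentication", 2: "integrity", 3: "privacy"}

# Constructed sample: the Appendix A fragment of this document.
SAMPLE_PROFILE = """\
# Properties related to SNC configuration
snc/enable = 1
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic= 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 3
snc/permit_insecure_start = 1
snc/identity/as = p:CN=SNC,CN=ERP
snc/extid_login_diag = 1
snc/extid_login_rfc = 1
spnego/construct_SNC_name = 111
snc/gssapi_lib = C:\\usr\\sap\\ERP\\DVEBMGS03\\exe\\sapcrypto.dll
"""

# Key up to the first "=", value after it; "#" lines are comments.
_PARAM_RE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value} for each non-comment `key = value` line."""
    params = {}
    for line in text.splitlines():
        match = _PARAM_RE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def _level(params, name):
    """Numeric value of an snc/data_protection/* parameter (0 if absent)."""
    return int(params.get(name, "0"))


def audit_snc(params):
    """Return (parameter, finding) pairs for settings that weaken SNC."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append(("snc/enable", "SNC is disabled; nothing else matters"))
        return findings
    use = _level(params, "snc/data_protection/use")
    minimum = _level(params, "snc/data_protection/min")
    if use < 3:
        findings.append(("snc/data_protection/use",
                         f"default level {use} ({PROTECTION_LEVELS.get(use, 'unknown')}) "
                         "does not encrypt the payload"))
    if minimum < 3:
        findings.append(("snc/data_protection/min",
                         f"minimum level {minimum} ({PROTECTION_LEVELS.get(minimum, 'unknown')}) "
                         "lets a client negotiate an unencrypted SNC session"))
    # Each accept_insecure_* = 1 keeps a door open for clients that do not use SNC at all.
    for key, value in sorted(params.items()):
        if key.startswith("snc/accept_insecure_") and value == "1":
            findings.append((key, "connections without SNC are still accepted"))
    if params.get("snc/r3int_rfc_secure") == "0":
        findings.append(("snc/r3int_rfc_secure",
                         "internal RFC between application servers is not SNC-protected"))
    return findings


def hardened(params):
    """Copy of params with every weakening switch closed (constructed target state)."""
    fixed = dict(params)
    fixed["snc/data_protection/min"] = "3"
    for key in list(fixed):
        if key.startswith("snc/accept_insecure_"):
            fixed[key] = "0"
    fixed["snc/r3int_rfc_secure"] = "1"
    return fixed


if __name__ == "__main__":
    current = parse_profile(SAMPLE_PROFILE)
    for parameter, finding in audit_snc(current):
        print(f"{parameter}: {finding}")
    print("findings after hardening:", audit_snc(hardened(current)))
```

Run against the Appendix A values the script reports six findings: the minimum level 2, the four snc/accept_insecure_* switches and snc/r3int_rfc_secure = 0. The Wireshark check at the end of step 10 only proves that the Virtual DataPort connection is encrypted; with these switches at 1 any SAP GUI or RFC client that has not been configured for SNC still connects in clear, so the check does not cover them. Closing the switches (the hardened() state) rejects every non-SNC client, so it belongs at the end of the rollout, once all clients have a PSE and an SNC0 entry of their own.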
