Professional Documents
Culture Documents
Revision 20160211
NOTE
This document is confidential and proprietary of Denodo Technologies.
No part of this document may be reproduced in any form by any means without prior
written authorization of Denodo Technologies.
Copyright © 2018
Denodo Technologies Proprietary and Confidential
Enabling SNC on SAP Connections 20160211
2 of 11
Goal
● In Virtual DataPort, you can enable SNC on the data sources that use SAP JCo
(SAP Java Connector) to connect to SAP. These are:
SNC cannot be enabled in multidimensional data sources with the adapters “SAP
BI 7.x (XMLA)” or “SAP BW 3.x (XMLA)”.
Content
In the host where the Virtual DataPort server is installed, execute these steps:
1. Open a command line and execute the following commands to create the
Personal Security Environment (PSE) file:
cd C:\SAP\SNC\sec
SET SECUDIR = C:\SAP\SNC\sec
sapgenpse.exe gen_pse -v -p denodo_SAPSSLS.pse
You will see something like the following and at the end of the process, you will
obtain the pse file.
You will have to provide the PIN and the distinguished name (DN) of the user.
3. Assign credentials to the user account that you will use in the Multidimensional
data source or the BAPI data source of Virtual DataPort:
For example,
Note: if user exists only in the system (it does not belong to a Windows
domain), then execute:
5. Import the client certificate into SAP. To do this, follow these steps:
b. On the left side of the dialog, expand the node SNC SAPCryptolib and
double-click on the server where you want to install the crt certificate
generated in the previous steps.
c. If the certificate does not exist for this SAP Server, do the following:
e. Click Add to Certificate List to add the imported certificate to the list
of certificates of the System PSE.
6. Start the transaction SNC0. You will see a dialog like the following:
Enabling SNC on SAP Connections 20160211
6 of 11
a. Click New entries. You will see a dialog like the following:
Enabling SNC on SAP Connections 20160211
7 of 11
b. In the SNC Name box, enter the Distinguished Name (DN) you provided
in the first step.
a. Expand the node SNC SAPCryptolib and double-click the host where
the certificate was imported.
You will see a dialog like the following:
Enabling SNC on SAP Connections 20160211
8 of 11
b. In the “Certificate List”, select the subject of the certificate you want to
export.
c. Click the button to export the certificate. Use the option Base64.
Store it with the name dnd_abap_tazzari_out.crt.
8. In the host where the Virtual DataPort server runs, execute the following to
import the server “.crt”:
The user account used in the data source is a regular SAP user account without
any special configuration. To see the SNC configuration of a user, do the
following:
c. Then, click the tab SNC to see the SNC configuration for that particular
user. You will see a dialog like the following:
10. In Virtual DataPort, in the dialog to configure the data source, click Advanced
and follow these steps (the steps to enable SNC are the same for both types of
data sources):
a. Enter the path to the SAP Cryptographic Library. That is, the path to
the file sapcrypto.dll (if the Server runs on Windows) or to
libsapcrypto.so (if the Server runs on Linux). You can download this
library from the SAP website.
b. Enter the Partner name. That is, the distinguished name of the SAP
server. For example, p:CN=SNC,CN=ERP.
c. Select the Security level. SAP offers three levels of configuration and in
addition, you have these options:
Enabling SNC on SAP Connections 20160211
10 of 11
After creating the data source, you can use a network packets analyzer (e.g. WireShark)
to check that the messages are encrypted:
At the SAP server, the profile configuration file (in our scenario:
C:\usr\sap\ERP\SYS\profile\ERP_DVEBMGS03_tazzari) has to have the following
properties.
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 3
snc/permit_insecure_start = 1
snc/identity/as = p:CN=SNC,CN=ERP
snc/extid_login_diag = 1
snc/extid_login_rfc = 1
spnego/construct_SNC_name = 111
snc/gssapi_lib = C:\usr\sap\ERP\DVEBMGS03\exe\sapcrypto.dll
The following link explains in more detail the meaning of these properties: Profile
Parameter Settings on AS ABAP.