Configuring an SAP Secure Network Communication Connection (SNC)
To benefit from security capabilities such as encrypted data transmission between the SAP client and server, application-level end-to-end security, and the ability to switch security products without affecting your SAP business applications, configure SAP Secure Network Communication (SNC). You must set up the client environment, the SAP server, and the Anypoint Connector for SAP before you can enable SNC for the SAP Connector.
Before You Begin
To configure an SAP SNC, you must have access to:
- The SAP GUI software. Java must already be installed on your computer in order to install this client. Next, download the SAP installation package for your computer's operating system.
- If you are an S-user, you can download the SAPCAR tool and the SAP Cryptographic Library from the SAP Support Portal.
- An SAP ECC instance that can use SNC system variables.
- The following transactions:
  - STRUST (Trust Manager)
  - SM30 (Table Maintenance)
STEP 1:
Search for and download the following:
1. SNC Client Encryption/Libraries 1.0
   Installations and Upgrades -> Browse our Download Catalog -> SAP Cryptographic Software -> SNC CLIENT ENCRYPTION 1.0 -> Installation -> 51042493 (or latest version)
2. SNC Client Encryption/Libraries 1.0 SP 02
   Support Packages and Patches -> Search Support Packages and Patches -> (download the package for your server OS)
3. Latest SAPCryptoLib
   Support Packages and Patches -> Browse our Download Catalog -> SAP Cryptographic Software -> SAPCryptolib for Updates
STEP 2:
Step 2.1. Copy all of the files you downloaded in STEP 1 to your server.
Step 2.2. Unzip the library you downloaded (item 1 above).
Step 2.3. Use SAPCAR to extract the file you downloaded (item 2 above) into a different folder.
Step 2.4. Inside the unzipped download (from Step 2.2) there is a subdirectory called "SECURE_LOGIN_LIBRARY". Choose the sub-folder inside it that matches your OS.
Step 2.5. Inside the extracted package (from Step 2.3) you will find a number of directories corresponding to operating system versions. Take note of the folder that matches yours.
Step 2.6. Go to /usr/sap/<SID>/<INSTANCE>. Create two folders inside it (if they don't already exist): "SLL" and "security".
Step 2.7. From within the SLL folder, use SAPCAR to extract the "SECURELOGINLIB.SAR" file located in the folder you identified in Step 2.4.
Step 2.8. Still within the SLL folder, use SAPCAR to extract the "SECURELOGINLIB.SAR" found in the folder from Step 2.5.
Step 2.9. Go to /sapmnt/<SID>/exe/. Once there, use SAPCAR to extract the downloaded file (item 3 above).
STEP 3:
Active Directory Preparation
Microsoft Active Directory (domains) is required for this solution. You will need to work with your company's Active Directory administrators for this part.
Step 3.1. Have the Active Directory administrators create a new service account for you. The account's name does not really matter; just make a note of it.
Step 3.2. Give the account a secure password. Set the password so that it never expires and cannot be changed. Take note of the exact password created here; you'll need it in STEP 4.
Step 3.3. Ask them to create or assign a new Service Principal Name (SPN) on the account created in the preceding step. The SPN's name and case are very important and must be followed exactly: SAP/Kerberos<SID>. As noted, this entry is case sensitive. From here on it will be referred to as <SPN>.
STEP 4:
Step 4.1. Change directories to /usr/sap/<SID>/<Instance>/SLL:
cd /usr/sap/<SID>/<Instance>/SLL
Step 4.2. Set the "SECUDIR" environment variable to "/usr/sap/<SID>/<Instance>/sec". If you use bash (like me), do this by executing:
export SECUDIR=/usr/sap/<SID>/<Instance>/sec
Step 4.3. Set up the PSE environment. To do this, run "./snc crtpse" with your present working directory (PWD) being /usr/sap/<SID>/<INSTANCE>/SLL/.
You will be asked to set a password. Its value doesn't matter, but pay attention to what you choose.
Step 4.4. Create a keytab entry for the SPN you just created by running:
./snc crtkeytab -s <SPN>@<ActiveDirectoryDomain>
A password prompt will appear. This password must match the one set on the Active Directory account in step 2-1. The <ActiveDirectoryDomain> must be in ALL CAPS.
STEP 5:
AS ABAP Configuration
Step 5.1. Log into your SAP system with the SAP GUI.
Step 5.2. Open transaction RZ10. Set the following options in your instance profile(s) or, if you prefer, in DEFAULT.PFL:
Step 5.3. Add the following entry to your start profile(s):
SETENV_XX = SECUDIR=$(DIR_INSTANCE)/sec   (XX = next available value)
Step 5.4. Log off from AS ABAP.
Step 5.5. Restart the SAP system.
Step 5.6. Once the system has restarted, go to transaction STRUST.
Step 5.7. There is now an "SNC SAPCryptolib" item in the left pane of transaction STRUST, with a red "X" next to it. Right-click it and choose "Create". You'll see that your "SNC ID" has already been filled in. Select RSA and the appropriate key size, then click the green check mark.
Step 5.8. Go back to RZ10. Change the value of "snc/enable" to 1.
Step 5.9. Log out and restart the SAP system.
After the system has restarted, you can check /usr/sap/<SID>/<Instance>/work/dev_w0 and should see something like this:
If instead you see errors, it's possible that your ABAP system is no longer functional (good job). You must then manually change snc/enable back to 0 in your instance profile at /sapmnt/<SID>/profile, restart the system, and investigate.
STEP 6:
PC SNC Client Installation/Config
Step 6.1. Inside the main SNC library file you downloaded in STEP 1 (item 1) there is an "SNC_CLIENT_ENCRYPTION" subdirectory. Run the "SapSncClientEncryption.exe" programme from this folder on your computer. If "SNC Client Encryption" is already installed, I advise uninstalling and reinstalling it to make sure you have a suitable version.
Step 6.2. After completing the preceding step, start the SAP GUI on your workstation.
Step 6.3. In the GUI, right-click the logon entry for the SAP system you're working on and choose "Properties" from the context menu.
Step 6.4. Select the "Network" tab in the resulting window.
Step 6.5. Check the "Activate Secure Network Communications" box.
Step 6.6. Enter the "SNC Name" as follows: p:CN=<SPN>@<ActiveDirectoryDomain>
Step 6.7. Select "Maximum security settings available".
Step 6.8. Select "SNC logon with user/password (no Single Sign-On)" from the drop-down menu.
You succeeded. All that's left to do now is offer prayers to the god of your choice. If they smile on you, you should be able to log into your SAP system, and in the status bar in the lower right corner of your GUI screen you'll see that the lock that was previously open is now closed.
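As an added example (not part of the original article), the following shell checks cover the details above that fail silently: the case-sensitive SPN and ALL CAPS realm in the SNC name (Steps 3.3, 4.4 and 6.6), the SETENV entry that exports SECUDIR (Step 5.3), and flipping snc/enable between 1 and 0 in the instance profile (Steps 5.8 and 5.9 and the recovery note). The profile contents, the SID XYZ and the realm EXAMPLE.COM are constructed values.

```shell
#!/bin/sh
# Added example, not from the original article. It checks the parts of this
# procedure that fail silently when a letter has the wrong case or a profile
# parameter is missing. Every path, value and file below is constructed.
set -u
LC_ALL=C; export LC_ALL

# Steps 3.3, 4.4 and 6.6: the SPN is exactly SAP/Kerberos<SID> (case sensitive)
# and the realm must be ALL CAPS, so the client SNC name must have this shape.
check_snc_name() {
    name=$1 sid=$2
    printf '%s\n' "$name" | grep -Eq "^p:CN=SAP/Kerberos${sid}@[A-Z0-9][A-Z0-9.-]*\$"
}

# Print the last value set for one profile parameter; return 1 if it is absent.
profile_param() {
    profile=$1 param=$2
    sed -n "s|^[[:space:]]*${param}[[:space:]]*=[[:space:]]*||p" "$profile" | tail -n 1 | grep .
}

# Step 5.3: some SETENV_XX line must export SECUDIR (the index XX varies).
profile_has_secudir() {
    grep -Eq '^[[:space:]]*SETENV_[0-9]+[[:space:]]*=[[:space:]]*SECUDIR=' "$1"
}

# Step 5.8 sets snc/enable to 1; the recovery note after Step 5.9 sets it back
# to 0. Rewrite the parameter in place, or append it when it is not set yet.
set_snc_enable() {
    profile=$1 value=$2
    if grep -Eq '^[[:space:]]*snc/enable[[:space:]]*=' "$profile"; then
        sed "s|^[[:space:]]*snc/enable[[:space:]]*=.*|snc/enable = ${value}|" \
            "$profile" > "$profile.tmp" && mv "$profile.tmp" "$profile"
    else
        printf 'snc/enable = %s\n' "$value" >> "$profile"
    fi
}

# Constructed sample instance profile (not a real one) to exercise the checks.
demo_profile=${TMPDIR:-/tmp}/snc_demo_profile.pfl
cat > "$demo_profile" <<'EOF'
# constructed sample profile for <SID> XYZ
SAPSYSTEMNAME = XYZ
SETENV_05 = SECUDIR=$(DIR_INSTANCE)/sec
snc/enable = 0
EOF
set_snc_enable "$demo_profile" 1
printf 'snc/enable is now %s\n' "$(profile_param "$demo_profile" snc/enable)"
profile_has_secudir "$demo_profile" && echo 'SECUDIR is exported via SETENV'
check_snc_name 'p:CN=SAP/KerberosXYZ@EXAMPLE.COM' XYZ && echo 'SNC name OK'
```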