https://community.sap.com/t5/application-development-and-automation-discussions/snc-using-jco-api/m-p/3305694#M791629 <HTML><HEAD></HEAD><BODY><P>1. obviously, the JCO connection (using RFC) is not SNC-protected; otherwise you'd not receive that error information</P><P>2. I'm not sure whether you are using the right approach: forwarding a X.509 client certificate via SNC-protected RFC connnection is only intended to work for a small number of trusted middleware components (such as the ITS Agate or a NWAS Java). It is assumed that this middleware component (or a component in front of it, such as a webserver in front of the ITS) is performing a proper SSL handshake in order to validate the X.509 client certificate.</P><P>3. Instead of jco.client.user = "$X509CERT$" and jco.client.passwd = ... you should use jco.client.x509cert = ...</P><P></P><P>Java-based applets running on a user's PC should act as SSL client and submit their https requests directly to the NWAS ABAP (which is the SSL server in that case). It does not make sense to use JCO and SNC to forward externally validated X.509 client certificates - not just because it's much more complex (and increasing the TCO) but also because it's not intended to be used in that way (it simply does not scale).</P><P></P><P>Regards, Wolfgang</P><P></P><P>PS: the error is most likely caused because of the missing SNCSYSACL entry (see trace, using note 495911)</P><P></P><P>Edited by: Wolfgang Janzen on Jan 22, 2008 10:25 AM</P></BODY></HTML> Tue, 22 Jan 2008 09:23:09 GMT Wolfgang_Janzen 2008-01-22T09:23:09Z https://community.sap.com/t5/application-development-and-automation-discussions/snc-using-jco-api/m-p/3305693#M791628 <HTML><HEAD></HEAD><BODY><P>I am trying to connect to a SAP Server (having SNC enabled) using JCO</P><P>API. I am using a simple java program. I mentioned the following</P><P>parameters</P><P>jco.client.snc_mode=1</P><P>jco.client.snc_partnername=p:CN=IDS, OU=IT, O=CSW, C=DE</P><P>jco.client.snc_qop=1</P><P>jco.client.snc_myname=p:CN=RFC, OU=IT, O=CSW, C=DE</P><P>jco.client.snc_lib=C:/usr/sap/UC6/SYS/exe/uc/NTAMD64/sapcrypto.dll</P><P></P><P>I have placed the sapcrypto.dll in the Path. I have generated the</P><P>Client PSE and Cred_V2 files too. I have placed them in the Path too.</P><P>I am using the "$X509CERT$" as user and sending the x509 certificate</P><P>information as password.</P><P></P><P>But I get the following error</P><P>(103) RFC_ERROR_LOGON_FAILURE: SNC required for this connection</P><P></P><P>When I look at the error files dev_w0 (in the work folder) I see the</P><P>following error</P><P></P><UL><UL><UL><LI level="3" type="ul"><P>ERROR =&gt; iSignSncServerLogin: insecure transmission of X.509 client</P></LI></UL></UL></UL><P>certificate (SNC required) [sign.c 8638]</P><P></P><P>Any help is greatly appreciate as this is a mjor blocker for our release</P></BODY></HTML> Mon, 21 Jan 2008 12:42:53 GMT https://community.sap.com/t5/application-development-and-automation-discussions/snc-using-jco-api/m-p/3305693#M791628 Former Member 2008-01-21T12:42:53Z https://community.sap.com/t5/application-development-and-automation-discussions/snc-using-jco-api/m-p/3305694#M791629 <HTML><HEAD></HEAD><BODY><P>1. obviously, the JCO connection (using RFC) is not SNC-protected; otherwise you'd not receive that error information</P><P>2. I'm not sure whether you are using the right approach: forwarding a X.509 client certificate via SNC-protected RFC connnection is only intended to work for a small number of trusted middleware components (such as the ITS Agate or a NWAS Java). It is assumed that this middleware component (or a component in front of it, such as a webserver in front of the ITS) is performing a proper SSL handshake in order to validate the X.509 client certificate.</P><P>3. Instead of jco.client.user = "$X509CERT$" and jco.client.passwd = ... you should use jco.client.x509cert = ...</P><P></P><P>Java-based applets running on a user's PC should act as SSL client and submit their https requests directly to the NWAS ABAP (which is the SSL server in that case). It does not make sense to use JCO and SNC to forward externally validated X.509 client certificates - not just because it's much more complex (and increasing the TCO) but also because it's not intended to be used in that way (it simply does not scale).</P><P></P><P>Regards, Wolfgang</P><P></P><P>PS: the error is most likely caused because of the missing SNCSYSACL entry (see trace, using note 495911)</P><P></P><P>Edited by: Wolfgang Janzen on Jan 22, 2008 10:25 AM</P></BODY></HTML> Tue, 22 Jan 2008 09:23:09 GMT https://community.sap.com/t5/application-development-and-automation-discussions/snc-using-jco-api/m-p/3305694#M791629 Wolfgang_Janzen 2008-01-22T09:23:09Z