SNC: Problem implementing SNC on a system with multiple instances

Former Member
0 Likes
1,655

All,

So I followed this document (yes, one of my own creation) to implement SNC on our QA system.  Unlike our development/sandbox systems, our QA system has multiple application instances (two, to be exact).

The first instance starts up just fine.  The second one had this problem:

N  SncInit(): Initializing Secure Network Communication (SNC)
N        Solaris on SPARCV9 CPU (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)
N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=/usr/sap/EQ1/D21/SLL/libsecgss.so
N    File "/usr/sap/<SID>/DXX/SLL/libsecgss.so" dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
N  SncInit():   found snc/identity/as=p:CN=SAP/Kerberos<SID>@<DOMAIN>
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]
N        GSS-API(maj): No credentials were supplied
N      Could't acquire ACCEPTING credentials for
N
N      name="p:CN=SAP/Kerberos<SID>@<DOMAIN>"
N  SncInit(): Fatal -- Accepting Credentials not available!
N  <<- SncInit()==SNCERR_GSSAPI
N           sec_avail = "false"
M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    235]
M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    238]
M  in_ThErrHandle: 1
M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   11292]

Of note: I used the same value for "snc/identity/as" in each application instance.  They are also both using the same "Service Principal Name" in the Active Directory.

I read somewhere in my reading (I can't find where now) that you had to follow a different convention for "snc/identity/as" on systems where you have multiple instances.  Any ideas on this or the resolution to this problem?

1 ACCEPTED SOLUTION

Former Member
0 Likes
1,036

This problem is resolved via OSS.

Guilherme helped me realize I did not follow my own documentation.  This line was missing from the START profile of the second instance.

SETENV_05 = SECUDIR=$(DIR_INSTANCE)/sec
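
A check for the gap described in the accepted solution, as an added example that is not part of the original thread: it lists START profiles that have no active `SETENV_nn = SECUDIR=...` line. The `START_<instance>_<host>` file naming, the D20 instance, the `qahost` host name and the sample profile contents are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: find START profiles that never export SECUDIR.
# Assumption: profiles are named START_<instance>_<host> in one directory.

# Print the name of every START_* profile in directory $1 that has no
# active "SETENV_nn = SECUDIR=..." line (commented-out lines do not count).
profiles_missing_secudir() {
    for profile in "$1"/START_*; do
        [ -f "$profile" ] || continue
        if ! grep -Eq '^[[:space:]]*SETENV_[0-9]+[[:space:]]*=[[:space:]]*SECUDIR=' "$profile"; then
            basename "$profile"
        fi
    done
}

# Print the SECUDIR value set in profile $1 (prints nothing if there is none),
# so the values can be compared across instances.
secudir_value() {
    sed -n 's/^[[:space:]]*SETENV_[0-9][0-9]*[[:space:]]*=[[:space:]]*SECUDIR=\(.*\)$/\1/p' "$1" | head -n 1
}

# Constructed sample: two instances of one system; the second has the
# SECUDIR line commented out, which is equivalent to it being missing.
make_sample_profiles() {
    dir=$(mktemp -d)
    cat > "$dir/START_D20_qahost" <<'EOF'
SAPSYSTEMNAME = EQ1
INSTANCE_NAME = D20
SETENV_05 = SECUDIR=$(DIR_INSTANCE)/sec
EOF
    cat > "$dir/START_D21_qahost" <<'EOF'
SAPSYSTEMNAME = EQ1
INSTANCE_NAME = D21
# SETENV_05 = SECUDIR=$(DIR_INSTANCE)/sec
EOF
    echo "$dir"
}

sample=$(make_sample_profiles)
echo "START profiles without an active SECUDIR line:"
profiles_missing_secudir "$sample"
echo "SECUDIR in START_D20_qahost: $(secudir_value "$sample/START_D20_qahost")"
rm -rf "$sample"
```

Pointing `profiles_missing_secudir` at the real profile directory after adding an instance shows which START profiles still need the line.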

6 REPLIES 6

Former Member
0 Likes
1,036

By the way, the log snippet comes from /usr/sap/<SID>/<Instance>/work/dev_w0.  Sorry I forgot to specify this in the OP.

0 Likes
1,036

See the attached link for a similar discussion thread, there are several points to check.

http://scn.sap.com/thread/3374861

0 Likes
1,036

Thank you for the reference.  I see the thread has some good discussion, but no resolution =\

0 Likes
1,036

Hi Philip,

Did you specify "SAP/Kerberos<SID>@<DOMAIN>" literally, or did you replace it to keep the info private?

If the latter, you at least forgot to hide the sid completely 😉

In your case I would have expected to see something like

CN=SAP/KerberosEQ1@<YOUR_AD_DOMAIN>

To my knowledge a system uses the same service principal for all instances. However, the config has to be created for each one, just as outlined in your document.

Regards,

Patrick

0 Likes
1,036

Hi Patrick.

I appreciate the reply.  Yes, <SID> and <DOMAIN> both contain appropriate values (and are all caps) but have been redacted by me -- although it appears I missed <SID> on one occasion.
