2006 Dec 21 5:57 PM
Hi everybody,
First of all, please excuse me if I'm not posting in the right group. If
so, could you please redirect me to the appropriate forum?
Ok, so here's my problem...
I'm trying to activate SNC on an IDES SAP ERP 2005 (NW04s) system (running on Solaris 10 x64). I followed the documentation instructions and
added the following parameters to my SAP instance profile (using the
RZ10 transaction)
snc/enable = 1
snc/data_protection/min = 1
snc/data_protection/max =13
snc/data_protection/use = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/permit_insecure_start = 1
snc/gssapi_lib = /usr/lib/snckrb5.so
snc/identity/as = p:user@xx.xxx.xx
My GSS-API library successfully passed the tests done by the SAP test
tool.
When I restart my SAP system I get the following error in the Syslog:
Initialization SNC Failed, Return Code -000004 or Initialization SNC Failed, Return Code -000001
This error is repeated several times, then the server terminates.
Does anyone have an idea of what I'm doing wrong?
Thanks for your help,
2006 Dec 22 9:13 PM
Hi,
Can you recheck the parameters
snc/data_protection/max =13
snc/data_protection/use = 1
snc/gssapi_lib = /usr/lib/snckrb5.so
For more help, you can check the following link
http://help.sap.com/saphelp_nw04/helpdata/en/19/164442c1a1c353e10000000a1550b0/frameset.htm
Cheers
Soma
2006 Dec 25 2:27 PM
I set the parameter
snc/identity/as = u:user@xx.xxx.xx and all is working!
Message was edited by:
Peter Bachofer
2006 Dec 26 10:03 AM
Alexandr,
It looks like you are trying to use the Kerberos library provided with Solaris 10 x64. The use of this library is not supported by SAP, so I doubt you will get much help using this forum. Instead, you might want to consider using a SAP certified and supported solution, as mentioned many times elsewhere in this forum. If you search this Security forum for keywords such as "SNC", "Kerberos", and "UNIX" I am sure you will find details of how other companies have solved this problem.
Thanks,
Tim
2006 Dec 27 8:23 AM
2006 Dec 27 10:15 AM
Well, frankly speaking I doubt that your happiness will last long.
To me it looks like you've been extremely lucky - and it honestly surprises me that "u:user@..." works since all SNC names have to start with "p:".
It also looks weird that you assign a user credential to a server.
Last but not least: Tim is right stating that you are using a non-certified solution (at your own risk).
Nevertheless: I wish you Good Luck for the New Year.
Cheers, Wolfgang
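A small linter for the SNC profile parameters discussed in this thread, as an added example that is not part of any post and is not SAP code. It assumes the documented protection levels 1 to 3 (plus 9 for snc/data_protection/use) and takes the "p:" name rule from Wolfgang's reply above; the function names are hypothetical.

```python
# Added example: lint SNC instance-profile parameters before a restart.
# Function names are hypothetical; SAMPLE_PROFILE is copied from the first post.
SAMPLE_PROFILE = """\
snc/enable = 1
snc/data_protection/min = 1
snc/data_protection/max =13
snc/data_protection/use = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/permit_insecure_start = 1
snc/gssapi_lib = /usr/lib/snckrb5.so
snc/identity/as = p:user@xx.xxx.xx
"""
# Protection levels: 1 = authentication only, 2 = integrity, 3 = privacy.
QOP_LEVELS = {"1", "2", "3"}
# Parameters that, when set to 1, let traffic bypass SNC protection.
INSECURE_FLAGS = ("snc/accept_insecure_gui", "snc/accept_insecure_cpic",
                  "snc/accept_insecure_rfc", "snc/accept_insecure_r3int_rfc",
                  "snc/permit_insecure_start")

def parse_profile(text):
    """Parse 'key = value' lines; tolerates missing spaces around '='."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            params[key.strip()] = value.strip()
    return params

def lint_snc(params):
    """Return a list of findings for the SNC parameters that are present."""
    findings = []
    for key in ("snc/data_protection/min", "snc/data_protection/max"):
        if key in params and params[key] not in QOP_LEVELS:
            findings.append(f"{key} = {params[key]}: expected 1, 2 or 3")
    use = params.get("snc/data_protection/use")
    if use is not None and use not in QOP_LEVELS | {"9"}:
        findings.append(f"snc/data_protection/use = {use}: expected 1, 2, 3 or 9")
    name = params.get("snc/identity/as", "")
    if not name.startswith("p:"):  # rule as stated in the thread
        findings.append(f"snc/identity/as = {name!r}: SNC name should start with 'p:'")
    for key in INSECURE_FLAGS:
        if params.get(key) == "1":
            findings.append(f"{key} = 1: SNC protection is not enforced on this path")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_snc(parse_profile(SAMPLE_PROFILE))))
```
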
2006 Dec 27 11:11 AM
2006 Dec 27 11:12 AM
Well, be happy then (and consider yourself lucky).
But don't be surprised if problems arise, later on.
Cheers, Wolfgang
2006 Dec 27 11:14 AM
2007 Sep 03 1:37 PM
Eugeny,
I know this is an old thread, but I wondered if you still need any help. I also wanted to ask if you can award SDN points to answers provided already.
Thanks,
Tim