Enterprise Resource Planning Blogs by Members
Gain new perspectives and knowledge about enterprise resource planning in blog posts from community members. Share your own comments and ERP insights today!
cancel
Showing results for 
Search instead for 
Did you mean: 
anikesh_jyotishi2
Participant
6,417
 Overview

Under this blog I have outlined ABAP RFC connection via SNC, so we have used RFC with SNC (Secure Network Communications)2.0 setup.

SNC is a software layer in the SAP system that provides an interface to an external security product. SNC, you can strengthen the security of your SAP system by implementing additional security functions that SAP systems do not directly provide.


Dia from help.sap.com

DISCLAIMER
The content of this blog post is provided “AS IS”. This information could contain technical inaccuracies, typographical errors, and out-of-date information. This document may be updated or changed without notice at any time. Use of the information is therefore at your own risk. In no event shall SAP be liable for special, indirect, incidental, or consequential damages resulting from or related to the use of this document.

Purpose

This document tried to include all Basis steps for enabling SNC for ABAP RFCs for secure connections.
SAP S4/Hana ABAP connection via SNC

Steps: –
• Setup SNC in both systems
• Generate SNC certificate from both systems and map in strustsso2  SNC SAPCryptolib
• Create a user (sidadm or any name) in AD Users and update service principal name same as            SNC cert in Attribute Editor (SAP/ SNC certificate name) as per note 1696905 (Optional if you are      using AD connection)
• ACL mode either 0 or whitelist hostname
• Update SNC0 with target system certificate details
• Update SM54 with the destination
• Verify SM30 VSNCSYSACL (I= internal and E= external) systems SNC cert name
• Create RFC with SNC config and test

 

Setup SNC in both systems

We will use SNCWIZARD for SNC setup



Check all SNC-related parameters below


In the below screen, it will give all your instance details which need to restart.


If you do not want to configure Kerberos credentials, choose Skip


We will use this cert for RFC communication



Strustsso2



Repeat the same steps in the target system

Check all SNC parameters in the default profile

snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/data_protection/max = 2
snc/data_protection/min = 1
snc/enable = 1
snc/gssapi_lib = $(SAPCRYPTOLIB)
snc/identity/as = SNC cer name
snc/permit_insecure_start = 1
spnego/enable = 1

Restart the application server

After restart check SNC status via SM51 SNC check


SNC certificate from both systems and map in strustsso2 (SNC SAPCryptolib)

Goto strustsso2:- below certificate generated during SNC setup. Click on edit and export below certificate as base64 and import into target system (Repeat same steps in target system)



 

ACL mode either 0 or whitelist hostname

Gateway ACL mode 0
The following values are possible:

0: There is no restriction with starting external servers or registering servers. This setting should not be used in production operations.

1: External and registered servers are only permitted within the system (application servers of the same system). All other servers are rejected or have to be maintained in the respective files.

The default value of the parameter is 1.


If you are using 1 then go to SMGW and allow the target hostname.

SMGW  Goto  expert functions  external security  maintain ACL list (secinfo and reginfo)

Update SNC0 with target system cert details

Update target system SID and SNC certificate details with p: (update SNC canonical name)
Active entry for RFC, entry for CPIC, Entry for the certificate (same on the target system)


The SNCSYSACL entries that you make using transaction SNC0 are saved as external RFC destinations (type = E). Internal destinations (type = I) are automatically generated and not shown in transaction SNC0.

Update SM54 with the destination

Update destination SID, login type I, and update target SNC cert name with p: It will update the VSNCSYSACL table.

 



 

Verify SM30 VSNCSYSACL (I= internal and E= external) systems SNC cert name

Go to SM30 give table name as VSNCSYSACL click on display

Give work area as I for internal system



Go back and give the work area as E for the External system



Create RFC with SNC config and test

Create type 3 RFC, Give RFC destination name and description


Go to logon security and give the target system user id.


On the same page activate SNC



Perform connection and authorization test



Reference SAP Notes:-

https://help.sap.com/docs/SAP_NETWEAVER_740/621bb4e3951b4a8ca633ca7ed1c0aba2/aa38ff4fa187622fe100000...

2653733 - Enabling SNC on RFCs between AS ABAP

https://help.sap.com/saphelp_nwpi71/helpdata/en/28/03f4ad8d9d490c99a3e8a57551d264/frameset.htm

Advantages:-
1. Help to secure RFC connection

I hope this document will help you with the RFC setup via SNC.

Cheers!
Anikesh Jyotishi
Labels in this area