yakcinar
Active Contributor

SNC Client Encryption

It was nice to hear that we could secure SAP GUI communication.

Most customers are not aware of this and use SAP GUI without encryption, in clear-text mode.

SNC Client Encryption is a tool that can be used for encryption without a license fee.

I configured our ABAP systems and SAP GUIs for encryption with the help of SAP notes, guides, help pages and SCN blogs.

As phillip.hofmeister said in his blog, I also had some difficulty finding the right guide for configuring SNC Client Encryption.

So I decided to write this blog for newer versions of SAP and CommonCryptoLib.

You can follow the links below for detailed information.

I want to share how I did the configuration step by step.

Notes and links that need to be read:

   How SNC Client Encryption Works

   Using SNC Client Encryption for Password Logon

   1643878 - Release Notes for SNC Client Encryption

   2185235 - Using SNC Client Encryption (SCE) for Encrypting SAP GUI Connection with CommonCryptoLib

(This note has the right configuration guide, Configuring SNC Client Encryption with CCL.pdf, which I only realized late.)

I tried to follow the help page, but unfortunately it was not clear and was not a step-by-step guide. (Some people were complaining in discussions and blogs about this kind of documentation that tells you what to do but not how to do it.) I lost some time for this reason. At last I found the right guide attached to note 2185235; it is very easy to use and helpful, and no other documents are needed.


Configuration steps that I performed:

1 - Kernel patch from 7.20 to 7.22 SP 23 (so that CommonCryptoLib 8.4.30 is available in the kernel)

   Our system's kernel version was too low, so I upgraded the kernel to 7.22, which satisfies the prerequisite of CommonCryptoLib version 8.4.30 or higher.

2 - Check and apply the notes 1561161, 1580808, 1616598, 1617641 if applicable.

3 - Created an AD user

I asked the system administrators to create a user with the properties below.

Logon Name             : SNC-CE-USER

First Name             : SNC

Last Name              : Client Encryption User

Password               : <Define a Password>

Service Principal Name : SAP/SNC-CE-USER

User Cannot Change Password

Password never expires

You can check the SPN with the command below.

setspn -Q SAP/SNC-CE-USER

4 - Defined the SNC parameters below

Using transaction RZ10 you must define the parameters below to enable SNC:

snc/enable                  = 1

snc/permit_insecure_start   = 1

snc/accept_insecure_gui     = 1

snc/accept_insecure_rfc     = 1

snc/accept_insecure_cpic    = 1

snc/r3int_rfc_qop           = 8

snc/r3int_rfc_secure        = 0

snc/data_protection/use     = 3

snc/data_protection/min     = 2

snc/data_protection/max     = 3

snc/force_login_screen      = 0

snc/identity/as             = p:CN=SNC-CE-USER@MYDOMAIN.COM

snc/gssapi_lib              = D:\usr\sap\<SID>\DVEBMGS00\exe\sapcrypto.dll

5 - Create your Kerberos keytab

Log in to the OS of your SAP system as <sid>adm and create the keytab using cmd:

set SECUDIR=D:\usr\sap\<SID>\DVEBMGS00\sec

sapgenpse keytab -p SAPSNCSKERB.pse -x <password for PSE> -y <password of user SNC-CE-USER> -a SNC-CE-USER@MYDOMAIN.COM

sapgenpse seclogin -p SAPSNCSKERB.pse -x <password for PSE> -O SAPService<SID>

You can check the PSE with the command below:

sapgenpse keytab -p SAPSNCSKERB.pse -x <password for PSE> -nopsegen

You can check whether the credentials were created successfully with the command below:

sapgenpse seclogin -l

6 - Restart your SAP system

When you restart the SAP system, it does not start if there is a problem with the keytab. In that case you can set the snc/enable parameter to 0 and restart the system. After correcting the inconsistencies, you need to enable SNC again and restart your system.

You can check the dev_wX trace files for troubleshooting SNC init problems.

7 - Install SNC Client Encryption on the Windows hosts for the SAP GUI for Windows clients.

You install the SNC Client Encryption program on the client systems.

You can check that the SNC_LIB environment variable is defined after the installation.

(e.g. SNC_LIB = C:\Program Files (x86)\SAP\FrontEnd\SAP GUI\Encryption\secgss.dll)

8 - Configure SAP GUI for Windows to use SNC Client Encryption.

9 - Check the GUI connection

When you connect to the system you should see a lock symbol in the bottom left corner of the GUI screen, like below.

     If you can see this lock on your GUIs, you have managed to configure SNC Client Encryption too.

     Congratulations. :smile:
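The profile from step 4 is the rollout setting: with snc/accept_insecure_gui, _rfc and _cpic set to 1, a client that has no SNC name configured still logs on in clear text. As an added example (not code from the blog or from SAP), here is a small checker that parses an instance profile and reports which SNC parameters still permit unencrypted connections; the profile text is constructed from the values listed above.

```python
# Added example (not from the blog): parse an SAP instance profile and report
# which of the SNC parameters from step 4 still permit clear-text logons.
# The profile text below is constructed from the values listed in the post.
SAMPLE_PROFILE = """\
snc/enable                  = 1
snc/permit_insecure_start   = 1
snc/accept_insecure_gui     = 1
snc/accept_insecure_rfc     = 1
snc/accept_insecure_cpic    = 1
snc/data_protection/use     = 3
snc/data_protection/min     = 2
snc/data_protection/max     = 3
snc/identity/as             = p:CN=SNC-CE-USER@MYDOMAIN.COM
snc/gssapi_lib              = D:\\usr\\sap\\ABC\\DVEBMGS00\\exe\\sapcrypto.dll
"""


def parse_profile(text):
    """Turn 'key = value' profile lines into a dict; blank and '#' lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def check_snc(params):
    """Return (severity, message) findings for the SNC settings of a profile."""
    findings = []
    if params.get("snc/enable") != "1":
        return [("high", "snc/enable is not 1: SNC is off")]
    # accept_insecure_* = 1 is the rollout setting: a client with no SNC name
    # configured still logs on in clear text, and the server accepts it.
    for kind in ("gui", "rfc", "cpic"):
        key = "snc/accept_insecure_" + kind
        if params.get(key, "0") != "0":
            findings.append(("medium", f"{key}={params[key]}: unencrypted {kind.upper()} connections accepted"))
    # Protection levels: 1 = authentication only, 2 = integrity, 3 = privacy (9 = use max).
    use = int(params.get("snc/data_protection/use", "3"))
    minimum = int(params.get("snc/data_protection/min", "2"))
    if use < 3:
        findings.append(("high", f"snc/data_protection/use={use}: default level below privacy"))
    if minimum < 3:
        findings.append(("low", f"snc/data_protection/min={minimum}: integrity-only connections allowed"))
    if not params.get("snc/identity/as", "").startswith("p:"):
        findings.append(("high", "snc/identity/as missing or not a printable 'p:' name"))
    return findings
```

Once every client has been migrated, setting the three snc/accept_insecure_* parameters to 0 makes the checker return no findings for them, which is the state in which unencrypted logons are refused.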


Links that I visited and that gave me some knowledge for troubleshooting:

https://scn.sap.com/thread/3544987

https://scn.sap.com/thread/3813876

https://scn.sap.com/thread/3389036

http://scn.sap.com/docs/DOC-45138

http://wiki.scn.sap.com/wiki/display/Security/SNC+Client+Encryption

SNC: Using SNC to Encrypt Traffic - Client/Server (No SSO)

Installation, Configuration, and Administration Guide SAP NetWeaver Single Sign-On SP1 Secure Login ...

SAP Single Sign-On 2.0 SP04 Document Version: 1.0 - 2014-10-28 Secure Login for SAP Single Sign-On I...

Wishes:

  • I wish SAP had mentioned note 2185235 and the attached document in the help page.
  • I wish SAP could provide encryption without so many configuration steps. It could have been done by activating a parameter and ticking a check box in SAP GUI.

Questions:

  • Are your customers (for consultants), or are you, aware of clear-text communication between the GUI and the SAP server?
  • Do you think SNC Client Encryption is a useful tool?
  • Do you use SNC Client Encryption for your systems?


Thanks for your interest.




18 Comments
fatihyar
Explorer

Thank you Mr Akçınar for your valuable blog.

Matt_Fraser
Active Contributor

Yuksel,

This is just the kind of blog I like to see, with clear detailed descriptions and screenshots of a well laid-out step-by-step process, that is important to all of us and yet has thoroughly inadequate documentation to guide one through an actual implementation. Thank you.

Cheers,

Matt

Isaías
Product and Topic Expert

Hello Yüksel,

I have forwarded your suggestion to add the SAP KBA 2185235 to that help.sap.com page.

Let's see how it goes :smile: .

@ matt.fraser, I believe you meant "adequate"? :smile:

Cheers!

Isaías

Matt_Fraser
Active Contributor

Perhaps "thoroughly" was too strong a word. :smile:

In reality, documentation on some of these things can be all over the map. Sometimes it's simply out of date, and other times it seems to become circularly referential, with pointers to Notes or SCN documents or Help pages that then point back to the original document, such that the reader is left with a spinning head, wondering why it can't just all be gathered together in one place with a clear "do this" guide that leads to correct implementation. Other times it perfectly lists all the available options but gives practically no guidance on when or why you would choose one over the other, or what the consequences would be. This isn't always the case, but often enough.

Of course, Isaías, I would never say this of your documentation! In all seriousness, you've been a great help to many people here.

But this is when blogs like Yüksel's become invaluable, with pointers to all the original documentation for those who want to dig deeper, but practical real-world advice on what worked for the author and the sequence of steps to get there.

Isaías
Product and Topic Expert

ooops, now I understood what you meant :grin: .

And thank you for the kind words :smile: .

former_member182657
Active Contributor

Really a nice one !!

Thanks for your efforts & sharing .

yakcinar
Active Contributor

Hello Matt, Hello Isaias,

Thank you for your valuable comments.

I am aware of not being thoroughly adequate. :smile:

In my opinion these kinds of documents can be prepared by the product owners, lab guys, developers etc.

Indeed there are a lot of topics to know in the IT area, even in SAP and even only in the NetWeaver administration area, as you know. So it is very difficult to keep yourself fresh and well informed about everything when every day new versions of the products are coming, as Matt mentioned.

Anyhow, I enjoyed writing this blog.

Thanks again for spending time on my blog and encouraging me to write more.

Regards,

Yuksel AKCINAR

yakcinar
Active Contributor

Hello Gaurav,

Thank you.

Regards,

Yuksel AKCINAR

martin_mikala
Participant

Hello,

I have studied for a few days how it is done, but it's still unclear to me.

I thought that SNC was only a secure connection layer like https or ssh, but it is probably both secure connection and authentication. Is that true?

Of course https also has some authentication based on certificates, and for public servers it is possible to connect without a client certificate and only check whether the server certificate is signed by a trusted CA or not.

I also thought that SNC Client Encryption was only for a secure connection without SSO, and that for SSO there is SAP NW SSO2. And I'm surprised that SNC CE needs some Kerberos token/registration.


I've just created a question about it, but in the wrong group.

NW7.4 with Quest SSO and SNC encrypted connection outside domain with password


I thought that I could set up SAP GUI only for a secure connection, without any authorization, with manual logon.


So can I connect securely from SAP GUI to ABAP when I'm not in any Kerberos/AD domain, and can other users in the domain also connect this way and also with SSO?


B.R.

Martin


yakcinar
Active Contributor

Hello Martin,

SNC without SSO is used for encryption only. Yes, it is like https and ssh. For authentication you need to enter the user password.

When you use SNC with SSO (this option is licensed) you can use certificates, tickets etc. for logon. No user password is needed for the AD or LDAP users.

Check the picture in How SNC Client Encryption Works - Transport Layer Security on the AS ABAP - SAP Library to see how CE works.

I don't think you can use SNC without an AD user. I haven't checked it either.

As you can see from the above picture, you must get a token from AD to use SNC CE.

But it is not mentioned in the prerequisites that you must log on to a Windows system with an AD user. This is the prerequisite: "SAP GUI with SNC Client Encryption installed on a computer running Microsoft Windows".

I will try to check and return back to you.

Regards,

Yuksel AKCINAR

martin_mikala
Participant

Thanks Yuksel,

It seems that Kerberos/AD tokens are used to check whether the SAP GUI Win user/PC and NW AS ABAP are in a trusted domain. So there are probably no connection negotiations like a trusted certificate signed by a CA in https or a fingerprint in known_hosts for ssh.

B.R. Martin

LutzR
Active Contributor

Hi  Yüksel, this is a great blog. I don't feel that alone anymore with my "encrypt everything now and care about SSO later" approach.

From my experience I would like to add two things:

1. snc/identity/as naming conventions
If you take this "encrypt everything" approach, sooner or later you will also configure X.509-based SNC for server-to-server communication. AFAIK the @ sign in the snc/identity/as parameter can make trouble in certificates' CN. Therefore we have a convention to just use

snc/identity/as= p:CN=SAPSNC-<SID>-<Installation#>

So in system ABC with installation number 0012345678 this would be

snc/identity/as= p:CN=SAPSNC-ABC-0012345678

Certificates with this CN will be signed by our CA for easier trust configuration, and the SPN attributes in the domain accounts are unique and can easily be related to single SAP systems.


2. BW clients and SNC without SSO
Everybody should know that there is loads of trouble with SNC without SSO and older BW clients (older than approximately one year).

Keep your GUI, Bex Analyzer and Analysis for Office installations updated in case BW Clients are used!

Also keep your BW systems updated because client launching transactions RRMX and RAAOE were buggy too.

(Bugs were e.g.: Logon impossible, traffic not encrypted, encrypted traffic using wrong RFC port (33xx instead of 48xx) and more).


So great to know that there is somebody else out there using the SNC Client Encryption (SNC without SSO).

Regards,

Lutz

LutzR
Active Contributor

Hi Martin, SNC Client Encryption is kind of a stripped down version of the Secure Login Client which is part of the SAP SSO license. They cut away X.509 support and they scramble the clients' SNC name during logon so no SSO is possible.

SAP knows that there are loads of scenarios where encryption is needed but PCs are out of Windows domains or in many Windows domains, and is currently thinking about alternatives. We will have to wait and see what will come out of these thoughts.

Regards,

Lutz

yakcinar
Active Contributor

Hello Lutz,

Thank you for your contribution.

I will keep them in mind for next configurations.

Regards,

Yuksel AKCINAR

Former Member
Hello Mr. Yuksel,

 

Thanks for this nice blog, it really helps.

As per note 2185235 and the guide, I have implemented SNC for my customer.

As per the current configuration, users who are not using an SNC name under the Network tab of the SAP GUI client can also access my AS ABAP server in unsecured mode with the lock unlocked (i.e. SNC not enabled), and the users who have provided the SNC name can access it in secured mode with SNC enabled and the lock appearing in the right corner of SAP GUI.

If I have to permit users to access only SNC-enabled connections, what do I need to do?

As of now, as per my knowledge, I have tried to use the parameter "snc/accept_insecure_gui=0", and after setting the parameter value to 0 I restarted the server.

Now with the above parameter value, I cannot log in even after entering the correct user ID and password. Error "SNC Required for this connection". It is pertinent to mention that I have already entered the SNC name under the Network tab, but despite that this error is coming.

Please help ASAP. I would also like to understand: SNC only encrypts the network between the SAP GUI client and the AS ABAP server; does the user also need to be mapped in SU01 under the SNC tab?

Also please suggest whether the transactional user IDs that are maintained in AS ABAP (created with SU01) and the Windows domain AD users who access the desktop (in the domain) should be the same.

Do user IDs that are created in AS ABAP with SU01 need to be created in Active Directory with the same name?

Please answer keeping all the scenarios in view only for SNC implementation, Not SSO.

 
Former Member

Dear Mr. Yuksel Akcinar,

For your Questions,

Questions;

  • Are your customers (for consultants) or are you aware of clear text communication between GUI and SAP Server?
  • Yes
  • Do you think SNC Client Encryption is a useful tool?
  • Yes
  • Do you use SNC Client Encryption for your systems?
  • Yes, and exactly using it in the same fashion as you are.

 

Further, I would like to know one thing: when we implement SNC with CommonCryptoLib 8, then after implementation how can we upgrade the kernel?

Because when we upgrade the kernel, every time the CommonCryptoLib 8 file will also be updated and replaced with the new one. Then do we have to do the keytab generation steps again and integrate it with the Kerberos user or Windows AD?

Please suggest how we can proceed with the kernel upgrade, or whether it will not affect the existing implemented SNC after the upgrade … Please give some light.

 

Thanks,

Nishant

matta1
Explorer
Thanks for a great blog - it gave us a running start for SNC without SSO.

I wanted to add a few notes that helped us along.

We looked at Kerberos for users with SAP GUI and X.509 for server to server.

After banging our heads for a while with SCE 1.0, it looks like SAP has improved things in SCE 2.0 around using X.509 and Kerberos concurrently.

2440692 - Central Note for SNC Client Encryption 2.0

 

In terms of having an SNC identity name to support both X.509 and Kerberos:

1696905 - SNC name configuration to support Kerberos and Certificates.

 

In regards to forcing connections to use SNC, these parameters may help.

(Initially I would use it just to validate that SNC is being used, i.e. for RFC the SM59 test fails for non-SNC traffic and works for SNC traffic.)

1690662 - Option: Blocking unencrypted SAPGUI/RFC connections

e.g. for RFC: snc/only_encrypted_rfc

 

Also some logging is available

2122578 - New: Security Audit Log event for unencrypted GUI / RFC connections

 

Regards

Matt

 
jegadesh_k
Participant
I know this post is very old, but is there an SNC setup guide for SAP Java GUI, say for Mac?

 

Thanks

Jega