Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Setup data encryption between RFC Client and Web AS ABAP with SNC

gregorw
Active Contributor
‎2006 Sep 29 3:59 PM
29,823
Secure Network Connection (SNC) is the SAP technology provided for Network and Transport Layer Security. In this Blog I will provide a how to guide how to enable data encryption for RFC connections to ABAP back ends.

How to avoid problems



  • Do only install SAP Cryptographic Library. SAP Cryptographic Library and libsapsecure will not work in parallel

  • You have to setup SNC before you can activate SNC with the parameter snc/enable = 1


Preparation


Please follow these steps of the SAP Documentation to install the SAP Cryptographic Library:

  1. Download the SAP Cryptographic Library from http://service.sap.com/download -> Download -> SAP Cryptographic Software

  2. Install the SAP Cryptographic Library

  3. Don’t forget to set the environment variable SECUDIR for the User which runs the SAP ABAP stack. For my NetWeaver AS ABAP 7.50 I've added the lines

    setenv SNC_LIB /usr/sap/cryptolib/libsapcrypto.so
    setenv SECUDIR /usr/sap/cryptolib/libsapcrypto.so


    to the .cshrc file of the npladm user.

  4. Now you can also set the Profile Parameters for Using SSL or use my Blog “Setup HTTPS (SSL) for the Sneak Preview SAP NetWeaver 04 ABAP Edition on Windows” to do that


Setup SNC on the ABAP Server


First we set the instance parameter “snc/identity/as” to the distinguished name the Server should get. I use “CN=IDS, OU=IT, O=CSW, C=DE”. Don’t forget to add “p:” in front of the DN:
snc/identity/as = p:CN=IDS, OU=IT, O=CSW, C=DE

snc/gssapi_lib = /usr/sap/NPL/D00/exe/libsapcrypto.so

Create “SNC (SAPCryptolib)” PSE


After a restart of your server you can now create the SNC PSE. Start transaction STRUST or STRUSTSSO2 and right click on “SNC (SAPCryptolib)” choosing Create:



You just have to accept the SNC ID which is taken from the instance parameter “snc/identity/as”:



Please follow the next hint and add a password for the “SNC (SAPCryptolib)” PSE:



To do this double click “SNC (SAPCryptolib)” and choose “Assign Password”:



Type in a password which can contain letters and numbers:



Without the Password the Server would not start when you have set the parameter “snc/enable” to 1! Save the settings.

Set additional parameters


With the “SNC (SAPCryptolib)” PSE created we can now set this Instance Parameters:
snc/enable = 1

snc/accept_insecure_rfc = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_cpic = 1

snc/permit_insecure_start = 1

snc/data_protection/min = 1

snc/extid_login_diag = 1

snc/extid_login_rfc = 1

I have chosen values which will enable you to still connect to the system without encryption. Done that, you have to restart the application server again.

Create PSE for RFC Client


I’ve decided to use a separate PSE for my RFC Client as described in Scenario 2: Using Individual PSEs for Components. To create this PSE I follow the instructions given in Creating an SNC PSE for the AS Java. The steps described show an example setup done on my Linux box. To test the connection I use the demo Programs coming with SAP Java Connector available at http://service.sap.com/connectors. I’ve extracted the connector in /usr/sap/jco.

Create sec directory for RFC Client PSE


To store the RFC Client PSE I create a subdirectory sec in “/usr/sap/jco/demo”:
zappod:~# cd /usr/sap/jco/demo/

zappod:/usr/sap/jco/demo# mkdir sec

Now switch to this directory and create the PSE:
zappod:~# cd sec

Create PSE


To run sapgenpse the directory containing the SAP Cryptographic Library (libsapcrypto.so on Linux) must be made available in the environment variable LD_LIBRARY_PATH:
export LD_LIBRARY_PATH=/usr/sap/jco/:/usr/sap/IDS/SYS/exe/run/

Also the just created directory “/usr/sap/jco/demo/sec” has to be set as the SECUDIR:
export SECUDIR=/usr/sap/jco/demo/sec

Before you can start creating the PSE you also have to copy the ticket license file to it:
cp /usr/sap/IDS/DVEBMGS00/sec/ticket .

Now we are ready to create the PSE:
zappod:/usr/sap/jco/demo/sec# /sapmnt/IDS/exe/sapgenpse gen_pse -v -p RFC.pse 

Got absolute PSE path "/usr/sap/IDS/DVEBMGS00/sec/RFC.pse". 

Please enter PIN: ******** 

Please reenter PIN: ******** 

get_pse: Distinguished name of PSE owner: CN=RFC, OU=IT, O=CSW, C=DE 

Supplied distinguished name: "CN=RFC, OU=IT, O=CSW, C=DE" 

Generating key (RSA, 1024-bits) ... succeeded. certificate creation... ok 

PSE update... ok 

PKRoot... ok 

Generating certificate request... ok. 

PKCS#10 certificate request for "/usr/sap/jco/demo/sec/RFC.pse":

Export Client Certificate


We have to export the Client Certificate of the just created PSE:
# /sapmnt/IDS/exe/sapgenpse export_own_cert -v -p RFC.pse -o RFC.crt 

Opening PSE "/usr/sap/jco/demo/sec/RFC.pse"... 

No SSO credentials found for this PSE. 

Please enter PIN: ******** 

PSE open ok. 

Retrieving my certificate... ok. 

writing to file ...... ok

Import Client Certificate to Server PSE


You can import the client Certificate via Transaction STRUST. First open the Node SNC (SAPCryptolib) again. You have to provide the password set before:



Click on “Import certificate”



Set the file format to Base64 and choose the file:



Finally click “Add to Certificate List”


Export Server Certificate


Now we have to export the Server Certificate. Already in the STRUST node SNC (SAPCryptolib) double click on your own certificate so it is displayed in the Certificate field. Click on Export certificate:



Choose also Base64 for the File format and provide a name for the file:


Import Server Certificate to Client PSE


That is done again on the command line:
# /sapmnt/IDS/exe/sapgenpse maintain_pk -v -a SNC.crt -p RFC.pse 

Opening PSE "/usr/sap/jco/demo/sec/RFC.pse"... 

No SSO credentials found for this PSE. 

Please enter PIN: ******** PSE open ok. 

Adding new certificate from file "SNC.crt" 

---------------------------------------------------------------------------- 

Subject : CN=IDS, OU=IT, O=CSW, C=DE Issuer : CN=IDS, OU=IT, O=CSW, C=DE 

Serialno: 00 

KeyInfo : RSA, 2048-bit 

Validity - NotBefore: Wed Sep 27 21:37:32 2006 (060927193732Z) 

NotAfter: Fri Jan 1 01:00:01 2038 (380101000001Z) ----------   

PKList updated (1 entries total, 1 newly added)

Create cred_v2 file


After we’ve now setup the RFC client PSE we have to create a file called cred_v2 which is used to securely give the RFC Program access to the PSE without providing the password for the PSE. On the command line run:
# /usr/sap/IDS/SYS/exe/run/sapgenpse seclogin -p RFC.pse -O root 

running seclogin with USER="root" creatingcredentials for yourself (USER="root")... 

Please enter PIN: ******** 

Added SSO-credentials for PSE "/usr/sap/jco/demo/sec/RFC.pse" "CN=RFC, OU=IT, O=CSW, C=DE"

Allow SNC RFC Connection


On the ABAP Server side we have now to maintain the View VSNCSYSACL which is used to restrict the SNC RFC Connections by an Access Control List (ACL). Start Transaction SM30, enter VSNCSYSACL and click Maintain. Accept the “The table is cross-client” information:



Choose “E” for the type of Type of ACL entry:



Enter System ID and SNC name. Don’t forget the “p:” in front of the DN! Check the boxes according to this screenshot:



Don’t forget to save this entry.

Map X.509 Certificate to User


To accept a X.509 Certificate for Login you have to maintain View VUSREXTID. Via this View you can setup a mapping between the Distinguished Name provided by a X.509 Certificate and an ABAP User. Start Transaction SM30, enter VUSREXTID and click Maintain. Choose DN for the External ID type:



Create a new entry and don’t forget to activate it:


Test connection


Now we have everything in place to test the connection! To login with the X.509 Certificate you have to concatenate the previously exported Certificate in one line without “-----BEGIN CERTIFICATE-----“ and “-----END CERTIFICATE-----“. All login information can be maintained in the “vericlient.properties” file in directory “/usr/sap/jco/demo. I’ve used these values:
jco.client.client=800

jco.client.x509cert=Base64 Encoded Certificate in one line 

jco.client.ashost=zappod.csw.local 

jco.client.sysnr=00 

jco.client.snc_mode=1 

jco.client.snc_partnername=p:CN=IDS, OU=IT, O=CSW, C=DE jco.client.snc_qop=3

jco.client.snc_myname=p:CN=RFC, OU=IT, O=CSW, C=DE 

jco.client.snc_lib=/usr/sap/IDS/SYS/exe/run/libsapcrypto.so

Compile the Class VeriClient:
javac VeriClient.java

And run it providing the properties file as a parameter:
java VeriClient vericlient.properties

Somewhere in the result you should also see:
-------------- Test --------------------------------------------

-------------- Status ------------------------------------------

JCO.createClient()..........................................ok 

client.connect()............................................ok

Outlook


With SNC enabled we can use the RFC Enabled Function Module SUSR_CHECK_LOGON_DATA to authenticate with an external ID. If the authentication was successful it will return a valid SSO2 Ticket. But that part of another Blog: Single Sign On with External ID implemented in Ruby.
29 Comments
Former Member
‎2006 Sep 30 9:02 PM
0 Kudos
So, by default RFC connection is not encrypted and user/password is transferred as plain text?
gregorw
Active Contributor
‎2006 Sep 30 10:45 PM
0 Kudos
Hello Sam,

excactly. You can try it out using Ethereal.

Regards
Gregor
Former Member
‎2006 Oct 12 4:05 PM
0 Kudos
Hello Gregor,

Thank you for your answer.
Sorry for delay - my coComment does not notifies me about the answers on SDN Blogs.
Could you please recommend reliable way to track comments on SDN Blogs?

--
Thanks,
Sam Mesh
gregorw
Active Contributor
‎2006 Oct 15 11:31 PM
0 Kudos
Hi Sam,

unfortunately in the moment it is not possible to track Blog comments. Please search the Suggestions Forum if it is already on the ToDo List.

Regards
Gregor
Former Member
‎2006 Dec 11 10:02 AM
0 Kudos
like recommendation, what type of file permissions must have the file CRED_V2?
gregorw
Active Contributor
‎2007 Jan 03 7:59 AM
0 Kudos
Hi Hernando,

the permissions should be as minimal as possible. But the User the Web Server is running has to have read rights.

Regards
Gregor
Former Member
‎2007 Jan 04 5:09 AM
0 Kudos
Hi Gregor

the file have the following permission = 544, what's the recommendation?
gregorw
Active Contributor
‎2007 Jan 04 7:29 AM
0 Kudos
Hi,

440 should be enough.

Regards
Gregor
Former Member
‎2007 Mar 26 7:14 AM
0 Kudos
hi , good morning

i am ramesh from india
the procedure which you have given.. does it fits for credit card masking?

plz tell me .....
thanks in advance
gregorw
Active Contributor
‎2007 Mar 26 8:46 PM
0 Kudos
Hello Ramesh,

I don't think that this procedure can help you reagarding Payment Card Processing. Please have a look to the Doumentation for Payment Card Processing and to the SAP Implementation Guide (IMG) under Cross-Application Components -> Payment Cards -> Maintain Payment Card Type.

Best regards
Gregor
Former Member
‎2008 Aug 11 12:01 PM
0 Kudos

Hello<br/>This is a great blog where I got as much information as I could get regarding RFC client with SNC.<br/><br/>I was able to setup SSL and the https link works good with internet browser and the x509 cert is authenticated. In VUSREXTID I have mapped my CN found in certificate to SAP id. example CN=myguid, User=0022200. I have no issues in it.<br/><br/>I want to connect a java application from users laptop JCO 3.0 to NW7 ABAP stack using x509 cert. In this blog I do not understand the client RFC PSE creation export import section. Could you please explain more. But I have followed the steps and created RFC pse and exported, imported.<br/><br/>In STRUST I created SNC SAPCryptolib node, <br/>snc/identity/as = p:CN=DV1, OU=PRJ, O=KS, C=US<br/>snc/enable = 1<br/>snc/gssapi_lib = /usr/sap/DV1/SYS/exe/run/libsapcrypto.so<br/>snc/accept_insecure_cpic = 1<br/>snc/accept_insecure_gui = 1<br/>snc/accept_insecure_rfc = 1<br/>snc/permit_insecure_start = 1<br/>snc/data_protection/min = 1<br/>snc/extid_login_diag = 1<br/>snc/extid_login_rfc = 1<br/><br/>Configured SNC0 and it has system ID and DV1 and SNC name as p:CN=RFC, OU=PRJ, O=KS, C=US  all check boxes are checked, Canonical Name Determined.<br/><br/>Below is the error got when jco app is connected from the laptop<br/>[Thr 5996] *** ERROR => SncPDLInit(): DlLoadLib("/usr/sap/DV1/SYS/exe/run/libsapcrypto.so")=DLENOACCESS<br/>[Thr 5996]  [Thr 5996] *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) /usr/sap/DV1/SYS/exe/run/libsa<br/>pcrypto.so not loaded<br/>[Thr 5996]  com.sap.conn.jco.JCoException: (102) RFC_ERROR_COMMUNICATION: Connect to SAP gateway failedHow to make the java application from my laptop to connect to ABAP NW7.

Former Member
‎2008 Dec 16 12:39 PM
0 Kudos
Hi Gregor

Thank you very much for your blog.  I tried using your instructions for a scenario where I substituted a web service testing app (soapUI) for the RFC client.  I included creating a client cert using keytool.

Unfortunately, when I test I get a HTTP 401 (unauthorized) error, and "Fehlercode: ICF-LE-https-c:001-l:-T:-C:5-U:-P:-L:6"

Do you know what I might be doing wrong?  Would there be a different configuration option needed for my scenario?

Many thanks for any help you can provide!

Cheers
Dave
gregorw
Active Contributor
‎2008 Dec 16 12:47 PM
0 Kudos
Hi Dave,

have you read my blog Authenticate from PHP to a Web Service using X.509 Certificates? Perhaps that could be helpfull. Let me know if that works with soapUI. Perhaps you can write a Blog or Wiki entry on that topic.

Best regards
Gregor
Former Member
‎2009 Nov 24 7:10 AM
0 Kudos
Hallo,
I try to connect a JCO-Client to a SAP test system NetWeaver 2004s.
When I start my JCO-Client or the VeriClient.java I always get the following exception: com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE:  "No suitable SAP user found for X.509-client certificate". The ABAP Program ZSSF_TEST_PSE works without error (Signature, Verification, Encryption and Decryption are ok). Ich compared the views VSNCSYSACL and VUSREXTID again with the blog's data; I cannot see any difference. A JCO Server with the according SNC properties works without error. What is wrong?
Thank you for your help
Former Member
‎2010 May 07 2:05 AM
0 Kudos
Hi Gregor,

your blog is excellent!
However, I when using SAP Crypto Lib from my laptop to the ABAP server I get the above error.  I posted a question in a forum and the first hint points to "not using SAP Crypto Lib" ... Re: JCO and SNC Access Control list

Regards,
Jens
Former Member
‎2010 May 14 1:09 AM
0 Kudos
The problem was caused by too many entries with the same SNC name in the System ACL - in particular by one entry having the "Entry for certificate activated" and "Entry for ext.ID activated" checkboxes unchecked.
Benny
Product and Topic Expert
Product and Topic Expert
‎2020 Nov 27 11:50 AM
0 Kudos
Long living blog and it seems this one still is the best one about this issue.

But there is a change in JCo 3. Instead of /demo now there is a /examples directory. And class VeriClient does not exist, so you have to use class SimpleCall now. That can be found in com\sap\conn\jco\examples\client\beginner.

 

Hope that helps those who still fumble around on protocol level.

Regards,

Benny
lrayapat73
Participant
‎2020 Dec 29 1:09 PM
0 Kudos

Hi,

/usr/sap/IDS/SYS/exe/run/sapgenpse seclogin -p RFC.pse -O root

I above, what should we user on Windows OS in place of “root”

I am getting following error,

GSS-API(maj): No credentials were supplied
Unable to establish the security context

Pls. suggest.

Thanks,

Kumar

gregorw
Active Contributor
‎2020 Dec 29 2:55 PM
0 Kudos
You have to use the username you've logged on to check it with:
echo %USERNAME%
lrayapat73
Participant
‎2020 Dec 29 4:58 PM
0 Kudos
Thanks Gregor.

Could you please let me know if there is any article which explain above steps for windows OS.

"Before you can start creating the PSE you also have to copy the ticket license file to it:" which certificate is this one.

In my case SAP server setup is already done, I have done all client related steps as per this article. However, I am facing this issue : "No credentials were supplied Unable to establish the security context".

Could you please suggest what could go wrong in my case.

Thanks in advance.

 

 
gregorw
Active Contributor
‎2020 Dec 29 5:08 PM
Please check out the Note : 2642538 - How to enable SNC from external java program to ABAP using standalone JCo3 showing the steps needed on Windows.
lrayapat73
Participant
‎2021 Jan 11 6:41 PM
0 Kudos
Hi,

I am getting following error (on Windows) with Nco connector, could you pls. suggest

"No credentials were supplied
Unable to establish the security context "

Thanks!!
lrayapat73
Participant
‎2021 Jan 12 8:37 AM
0 Kudos
Hi,

How do we know the data is encrypted when we use SNC. Is it fine if the request goes to 4800 port  on SAP server?

I am checking through wire shark, it's going to 4800 port in my case, pls. suggest.
gregorw
Active Contributor
‎2021 Jan 12 9:24 PM
0 Kudos
I would suggest you change the parameter:
snc/accept_insecure_rfc = 1

to:
snc/accept_insecure_rfc = 0

and check if the connection is still working.

If you need further details I would suggest you search for the SAP SNC documentation, ask a question in the SAP Community Q&A or file an incident.
gregorw
Active Contributor
‎2021 Jan 16 7:53 PM
0 Kudos
Have you created the cred_v2 file?
Benny
Product and Topic Expert
Product and Topic Expert
‎2021 Feb 18 9:52 AM
0 Kudos
Hi Gregor,

long time no see and I hoped I don't have to disturb you with this...

I am currently in a project where we use your blog. Great value so far! (Although it is like 15 years old now!).

But now I constantly see a message I cannot interpret right. Have you ever seen this here:

A2210210 Verification of own certificate by server failed.

I checked every single step in the process and went through all details of the client sending the certificate and now think this looks more like the server is missing the certification authority. Ever seen this and how that can happen?

 

Best Regards,

Benny

 
gregorw
Active Contributor
‎2021 Feb 18 8:45 PM
0 Kudos
Hi Benny,

some posts have quite a long tail and this one still generates good leads :-).

I think I've just recently had the same issue. Please check that the entry you've created in VUSREXTID shows "Canonical Name Determined". If not delete the entry, exit the transaction and create it again by uploading the certificate.

CU
Gregor
vmolina
Explorer
‎2021 Apr 27 10:15 PM
0 Kudos
Hi Gregor,

Is the certificate only used to encrypt the connection or is it also used to authenticate? For example, I had done all the client and server configuration for snc and got the crt from that. However in my java application I'm using a self sign certificate (for testing purposes), which subject I also configured at VUSREXTID but maintaining the property jco.client.snc_myname with the original value. I'm not sure if it's an issue of my java implementation, but I can establish the connection and execute bapis using this configuration with the user related to the subject of the the self-sign certificate.

Thanks,
bradf1
Discoverer
‎2021 Jul 20 9:35 PM
0 Kudos


After following this excellent blog (Thanks Gregor!), I still had the "No suitable SAP user found for X.509-client certificate" error. On the step "Map X.509 Certificate to User" using SM30 and table VUSREXTID, I had mistakenly included the "p:" that often precedes the DN, but it should NOT here. In table VUSREXTID, the external ID should start with just "CN=". When I made that change, it worked fine.

Posting here in case anyone else has this issue.

Labels in this area
Popular Blog Posts