Is it possible to use SNC encryption with CLIENT ENCRYPTION 2.0 and X.509, without SSO or MS AD?

toscatsui
Discoverer

Hi All,

I have no Microsoft AD or SSO component.

I only want secure data transport between GUI and ABAP server: encryption only, with a user-typed user name and password.

GUI version - 8.00 with CLIENT ENCRYPTION 2.0

ABAP server - ERP6 EHP7

 

For the server, a certificate from my colleague is installed into STRUST - SNC SAPCryptolib, and it shows "CN=*.companydns.com, O=xxxxxxxxx, C=xx". Configuration was done with tcode SNCWIZARD. The SAPCRYPTOLIB version is 8.5.47.

On the PC, the root CA is separated from the certificate and installed.

I get the error "A2200210 Peer certificate verification failed" on the GUI.

Then I found an article: How SNC Client Encryption Works | SAP Help Portal

There is MS AD in that architecture.

So I got confused. But I'm using CLIENT ENCRYPTION 2.0, not 1.0, and I'm using X.509, not Kerberos. Is MS AD still necessary? Is it possible to use SNC encryption with CLIENT ENCRYPTION 2.0 and X.509, without SSO or MS AD?

Accepted Solutions (0)

Answers (1)

toscatsui
Discoverer

Problem is solved, and encryption is implemented in my environment now.

 

My aims are

Communication between GUI and ABAPserver.

Encryption only, without SSO or Microsoft AD.

 

Time to share! 😌

 

SNC Implementation

Components

GUI          -  SNC Client Encryption 2.0 (SCE 2.0)
ABAP Server  -  SAP Common Cryptolib (CCL)
Certificate  -  X.509

Users on the internal network         =>  ASCS without SNC  =>  Common DIs without SNC
Users without VPN on the public network  =>  SAP Router        =>  Specified DI with SNC

 

Import PSE

Tcode STRUST

toolbar PSE -> Import -> choose xxx.pse file

toolbar PSE -> Save as SNC SAPCryptolib

Then the Subject name under SAPCryptolib - Own Certificate is blank, not 'self-signed'.

 

Parameter configuration on Specified DI

SAPLOCALHOSTFULL                             spcfdi.xxx.com
ccl/snc/snc_client_encryption_require_x509   1
snc/identity/as                              p:CN=*.xxx.com, O=xxxx, SP=xxxx, C=XX
spnego/enable                                0
snc/permit_insecure_start                    1
snc/gssapi_lib                               $(SAPCRYPTOLIB)
snc/extid_login_rfc                          1
snc/extid_login_diag                         1
snc/enable                                   1
snc/accept_insecure_gui                      1
snc/accept_insecure_cpic                     0
snc/accept_insecure_rfc                      0
snc/only_encrypted_gui                       1

 

Cryptolib Update

Stop the specified DI.

Renew libsapcrypto.so and sapgenpse with the versions provided by dw_utils_xxx.sar.

Restart the specified DI.

 

SAP Router

Autorun with OS Start

/etc/rc.local

/usr/sap/saprouter/saprouter -r -R /usr/sap/saprouter/saprouttab

 

Router Auth

/usr/sap/saprouter/saprouttab

# Auth  Source          Destination             Port Or Service         Password
# Permit ALL SAP Connections specifiedDI
S       *               spcfdi.xxx.com          *

 

Router-Router SNC (Optional Router Standalone)

3208252 - SNC saprouter failed to start

 

GUI Configuration

AppServer           spcfdi.xxx.com
SAPRouter Character  /H/saprouter.xxx.com/S/32XX

 

Network and Security

Specified DI OS Firewall Configuration

Only the IT department and the SAPRouter CAN reach port 32XX.

 

DNS Name

SAPRouter

saprouter.xxx.com

Publish to internal network and public network

 

Specified DI

spcfdi.xxx.com

Publish to internal network

 

Result

The specified DI can only be logged in to with SNC connections.

ASCS and the other DIs are not influenced.

Common users on the internal network CANNOT reach the specified DI.

 

Issues I Met

Tcode SNCWIZARD error "SAPCRYPTOLIB too old" after CommonCryptolib update

2304831 - Programs fail after CCL 8.5 is installed

Or, set parameters manually with RZ10.

Tcode SNCWIZARD would write the parameters into DEFAULT.PFL and change all DIs to SNC.

 

Figuring out WHY the certificate is still 'self-signed' after the cer file was imported

The certificate file was imported with the wrong method.

3342217 - How To Import A Root CA Certificate Into a Local Windows Workstation

510007 - Additional considerations about setting up SSL on Application Server ABAP

section 3

You have to submit the CSRs to a Certification Authority of your own choice, and install each certification response from the chosen CA exactly into that SSL Server PSE from which the corresponding CSR was created. 

 

Which certificate format to choose? How to get it?

I chose PFX, then converted PFX to PSE.

3040959 - How to get a CA signed server certificate in ABAP

Method I   Get a signed certificate by signing the currently existing certificate.

Method II  Get a signed certificate by replacing the current PSE with a new one.

2148457 - How to convert the keypair of a PKCS#12 / PFX container into a PSE file

 

Error ‘import_p12: cer chain incomplete, need certificate of xxx’ when converting PFX to PSE

3142481 - STRUST: How to extract required certificate response from provided file by CA vendor

 

Error WRONG DN TRUST071 when saving SAPCryptolibPSE

The parameter ‘snc/identity/as’ may already exist in the profile and differ from the new SAPCryptolib PSE subject name.

Change the parameter ‘snc/identity/as’ with RZ10.

 

System restart succeeds, but the GUI connection fails and port 32XX stops LISTENING several seconds later.

SAPLOCALHOSTFULL is set on the specified DI, but /etc/hosts on the ASCS was not changed.

OR

The parameter ‘snc/enable = 1’ was already set when using STRUST to change the SNC SAPCryptolib PSE subject to the signed one.

 

GUI compatibility

Find GUI compatibility with Client Encryption 2.0 in the Note.

2440692 - Central Note for SNC Client Encryption 2.0

For old PCs, GUI 750 is compatible with both Client Encryption 2.0 and Windows 7.

 

Patch GUI to the latest version.

2283920 - Tutorial " Patching the Installation Server" [VIDEO]

 

An error occurs when installing GUI 750 Patch 15 on Windows 7.

2562722 - SAP self-extractor has stopped working

 

A221021D error on GUI

A cryptolib version that is too low may cause the A221021D error.

Update the cryptolib to the kernel’s newest dw_utils.sar version, at least 8.4.47, which contains the RSA algorithm.

2125088 - CommonCryptoLib in dw_utils.sar

 

A2200210 error on GUI

2680913 - SNC Error Code A2200210:Peer certificate verification failed - Certificate X.509 configuration

3142481 - STRUST: How to extract required certificate response from provided file by CA vendor

 

"SNC required for this connection" error

Occurs when the specified DI with encryption and the ASCS without encryption are combined.

2510046 - "SNC required for this connection" error using SNC Client Encryption 2.0
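Added example, not code from the original post or from SAP: a small Python checker that reads an instance profile and a saprouttab in the plain formats shown in the answer above and reports whether the instance actually ends up accepting only encrypted GUI logons. The sample profile and route table below are constructed from the values in the answer; parameter meanings follow the SAP profile-parameter documentation, and the saprouttab layout assumed is the Auth / Source / Destination / Port / Password column order given in the posted file's comment header.

```python
"""Offline SNC posture checks for an ABAP instance profile and a saprouttab.

Added example (not from the original post or from SAP). Parses both files as
plain text and flags the settings that decide whether a dialog instance really
accepts only encrypted SAP GUI logons with X.509, as the answer above sets up.
"""
from typing import Dict, List, Tuple

# Constructed sample instance profile mirroring the values in the post.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = XXX
SAPLOCALHOSTFULL = spcfdi.xxx.com
ccl/snc/snc_client_encryption_require_x509 = 1
snc/identity/as = p:CN=*.xxx.com, O=xxxx, SP=xxxx, C=XX
spnego/enable = 0
snc/permit_insecure_start = 1
snc/gssapi_lib = $(SAPCRYPTOLIB)
snc/extid_login_rfc = 1
snc/extid_login_diag = 1
snc/enable = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 0
snc/accept_insecure_rfc = 0
snc/only_encrypted_gui = 1
"""

# Constructed saprouttab with the single route from the post.
SAMPLE_SAPROUTTAB = """\
# Auth  Source          Destination             Port Or Service         Password
# Permit ALL SAP Connections specifiedDI
S       *               spcfdi.xxx.com          *
"""

Finding = Tuple[str, str]  # (severity, message)


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of an instance profile; '#' starts a comment."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)  # the value itself may contain '=' (a DN)
        params[name.strip()] = value.strip()
    return params


def check_snc_profile(params: Dict[str, str]) -> List[Finding]:
    """Report whether the profile enforces encrypted-only GUI logon with X.509."""
    findings: List[Finding] = []
    if params.get("snc/enable") != "1":
        findings.append(("error", "snc/enable is not 1: SNC is off, GUI traffic stays plaintext"))
        return findings
    if not params.get("snc/gssapi_lib"):
        findings.append(("error", "snc/gssapi_lib missing: no crypto library configured for SNC"))
    # CCL X.509 identities carry the 'p:' prefix in front of the certificate DN.
    if not params.get("snc/identity/as", "").startswith("p:"):
        findings.append(("error", "snc/identity/as must be an X.509 name with the 'p:' prefix"))
    if params.get("snc/only_encrypted_gui") == "1":
        # Password logon over the SNC channel counts as 'insecure' in SNC terms
        # (no SNC user authentication), so it has to be accepted explicitly.
        if params.get("snc/accept_insecure_gui") != "1":
            findings.append(("error", "snc/only_encrypted_gui=1 requires snc/accept_insecure_gui=1 "
                                      "for password logon over the encrypted channel"))
    else:
        findings.append(("warn", "snc/only_encrypted_gui is not 1: unencrypted GUI logons still allowed"))
    for chan in ("rfc", "cpic"):
        if params.get(f"snc/accept_insecure_{chan}") == "1":
            findings.append(("warn", f"snc/accept_insecure_{chan}=1: unencrypted {chan.upper()} accepted"))
    if params.get("snc/permit_insecure_start") == "1":
        findings.append(("info", "snc/permit_insecure_start=1: instance starts even if SNC init fails"))
    return findings


def check_saprouttab(text: str) -> List[Finding]:
    """Flag wildcard routes. Data lines: <Auth> <Source> <Destination> [<Port> [<Password>]]."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            findings.append(("error", f"malformed route: {line!r}"))
            continue
        auth, src, dst = fields[:3]
        port = fields[3] if len(fields) > 3 else "*"
        if auth.upper().startswith("D"):  # deny entries restrict, never widen
            continue
        if dst == "*":
            findings.append(("error", f"route {line!r} permits any destination host"))
        if port == "*":
            findings.append(("warn", f"route {line!r} permits every port on {dst}, not only the DI port"))
        if src == "*":
            findings.append(("info", f"route {line!r} accepts any source; the post limits this at the OS firewall"))
    return findings


if __name__ == "__main__":
    report = check_snc_profile(parse_profile(SAMPLE_PROFILE)) + check_saprouttab(SAMPLE_SAPROUTTAB)
    for severity, message in report:
        print(f"[{severity}] {message}")
```

Run against the constructed sample, the profile produces no errors (only the informational note about snc/permit_insecure_start), while the route table gets a warning because `*` in the port column opens every port on the specified DI through the SAProuter rather than just 32XX; swapping the sample for a real profile and saprouttab is a quick way to confirm an instance behaves as the answer describes before users are pointed at it.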