Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
Showing results for 
Search instead for 
Did you mean: 

As per the client request to encrypt the SAP Portal traffic to SAP ABAP systems and SAPGUI encryption to ABAP systems as part of their Infosec policy. Encryption is implemented using the  SAP Secure Network Communication (SNC). This document explains about step by step configuration of SNC Encryption on the existing SAP Gui to ABAP systems and SAP Portal Traffic to ABAP systems. SNC can be implemented in HANA On premise and Hana Cloud Landscapes as well.



 In order to demonstrate this configuration, the below landscape is required

  • SAP ABAP Systems: ECC, SRM, GRC, HR, PI and Solution Manager

  • SAP GUI 7.5 running on windows

  • Active Directory service user account

  • SAP Netweaver Application Server ABAP with Common Crypto Library installed

  • Microsoft Windows Domain Controller


  • LIBSAPCRPYTO Library files

  • Microsoft Active Directory ADSI

  • Microsoft Kerberos


SNC Encryption enhances the exisiting SAP Cloud and On-Premise environment with high level security and the communications between the SAP systems are highly secured.


Configuration Steps:


  • SAP GUI Installed on a computer running on Microsoft Windows

  • Microsoft Windows Domain Controller – Service SPN accounts and SPN configuration

  • SAP Netweaver Application server ABAP with Common Crypto library installed


Check the SECUDIR environment variables defined for sec directory

Check the SNC library path

Backup of the existing sec folder and profile directory

Profile directory

sec directory

Create the SPN accounts : service user in Microsoft Active Directory

Example : KerberosABC

Set the checkboxes as below:

Goto ADSI edit and set the Service Principle Name for Service user as ie. SAP/Kerberos<SID>

Check the Service Principal Name is unique

Create SNC pse file as below command

sapgenpse get_pse -p < path to the sec directory/xxxx.pse> -x <path to the sec directory/xxxx.req> “CN=<name of the SNC>”


Create the credentials

sapgenpse seclogin -p <path to the sec directory/xxxx.pse> -o <sidadm>


Now log in to the ABAP system

Goto Transaction : STRUSTSSO2

create SNC SAP Cryptolib PSE file right click the SNC SAP Cryptolib as below:

Remove the default values of Org(opt) & comp/org and maintain the below values and SAVE

Now select SNC SAP Crypto pse and Double click the

Press Export button   and export to your machine.

Use the name <SID>.cert

Select “Base64” as <SID>.cert

Exchanging the Public-Key Certificates

Save the crt into the sec directory of portal dev system

Export certificate of Java SNC PSE

sapgenpse export_own_cert -o <name.crt> <name.pse> -x <password for pse>

Import ABAP SNC certificate into Java SNC PSE

sapgenpse maintain_pk -p /usr/sap/<SID>J00/sec/xxxx.pse -a /usr/sap/<SID>/J<nn>/sec/xxxx.cer

To get the details of the certificate

sapgenpse get_my_name -p <path to the pse file >

Import Java SNC certificate into ABAP SNC PSE

Maintaining the System ACL on the AS ABAP

Goto Transaction SM30 -type VSNCSYSACL and next screen select “E” and click new entries

And add the system <SID> and SNC name ex. as below:

Maintain SNC related parameters in instance profile of Java system and ABAP system

Java System parameter as below:

ABAP Systems (ECC) Parameters as below

Now continue with the Portal configuration as below:

Portal SNC with Backend System (ECC)


  • System Object creation (using Connection String):


Then, maintained connection string as mentioned below.

Connection String: /H/<Hostname FQDN>/S/3200 SNC_PARTNERNAME="" SNC_QOP=9

  • Transaction Iview details:

As per note: 1881298 created 2 sample transaction iviews and maintained below property

Additional Parameters to start SAP GUI: SUPPORTBIT_ON=NEED_STDDYNPRO

Iview 1 Name: ECC SNC


3) Testing iview from Portal:

Pad lock is “ON” & SAP backend (ECC) is connected from portal using SNC.


Updating the SAPGUI xml properties with the SNC details of respective SAP systems:


Update the SAPGUI .xml details  with the corresponding system name and SNC names


SAPGUI logon pad all the SAP systems are encrypted with key lock as below

RFC connections are encrypted with SNC as below:

End of the configuration.




Reference Configuration links:


SAP SNC config as SAP JAVA to ABAP config



SNC config for SAP PORTAL iview





1 Comment
Labels in this area