Preparation: snc/identity/as p:CN=IDS, OU=IT, O=CSW, C=DE

1. The document provides instructions for setting up SNC (SAP Cryptographic Library) encryption for RFC connections between an ABAP server and a Java client. 2. It describes creating SNC PSEs (private security environments) on both the server and client, exporting and importing certificates between them, and configuring parameters and access controls to enable the encrypted connection. 3. The instructions are tested by running a Java program that connects to the ABAP system using the client's SNC PSE and certificate for authentication.

Uploaded by spicychaitu

* Install only the SAP Cryptographic Library. The SAP Cryptographic Library and libsapsecure will not work in parallel.
* You have to set up SNC before you can activate SNC with the parameter snc/enable = 1.
Preparation
Please follow these steps of the SAP Documentation to install the SAP Cryptographic Library:
1. Download the SAP Cryptographic Library from http://service.sap.com/download -> Download -> SAP Cryptographic Software.
2. Install the SAP Cryptographic Library on the SAP Web AS.
3. Don't forget to set the environment variable SECUDIR for the user which runs the SAP ABAP stack.
4. Now you can also set the Profile Parameters for using SSL or use my Blog "Setup HTTPS (SSL) for the Sneak Preview SAP NetWeaver 04 ABAP Edition on Windows" to do that.
Setup SNC on the ABAP Server
First we set the instance parameter "snc/identity/as" to the distinguished name the server should get. I use "CN=IDS, OU=IT, O=CSW, C=DE". Don't forget to add "p:" in front of the DN:
snc/identity/as p:CN=IDS, OU=IT, O=CSW, C=DE
Create "SNC (SAPCryptolib)" PSE
After a restart of your server you can now create the SNC PSE. Start transaction STRUST or STRUSTSSO2 and right click on "SNC (SAPCryptolib)" choosing Create:
You just have to accept the SNC ID which is taken from the instance parameter "snc/identity/as":
Please follow the next hint and add a password for the "SNC (SAPCryptolib)" PSE:
To do this double click "SNC (SAPCryptolib)" and choose "Assign Password":
Type in a password which can contain letters and numbers:
Without the password the server would not start when you have set the parameter "snc/enable" to 1! Save the settings.
Set additional parameters
With the "SNC (SAPCryptolib)" PSE created we can now set these Instance Parameters:
snc/enable 1
snc/accept_insecure_rfc 1
snc/accept_insecure_gui 1
snc/accept_insecure_cpic 1
snc/permit_insecure_start 1
snc/data_protection/min 1
snc/extid_login_diag 1
snc/extid_login_rfc 1
I have chosen values which will enable you to still connect to the system without encryption. Having done that, you have to restart the application server again.
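The parameter values above are a migration setting: SNC is switched on, but every connection type without SNC is still accepted and the minimum protection level is authentication only. The shell script below is an added example, not code from the post, that reads an instance profile fragment and flags each snc/* parameter that still tolerates unprotected traffic or a server start without SNC. Both profile texts are constructed here; the hardened one shows the values to move to once every RFC, GUI and CPIC client speaks SNC. The function names snc_param and snc_audit are my own, not SAP tooling.

```shell
#!/bin/sh
# Added example, not from the post: audit the snc/* instance parameters.

# Constructed profile fragment with the post's values (not a real IDS profile).
SNC_PROFILE_MIGRATION='SAPSYSTEMNAME = IDS
INSTANCE_NAME = DVEBMGS00
snc/enable = 1
snc/identity/as = p:CN=IDS, OU=IT, O=CSW, C=DE
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/permit_insecure_start = 1
snc/data_protection/min = 1
snc/extid_login_diag = 1
snc/extid_login_rfc = 1'

# Constructed hardened counterpart: SNC required for every connection type,
# privacy protection (encryption) as the minimum, no start without SNC.
SNC_PROFILE_HARDENED='SAPSYSTEMNAME = IDS
INSTANCE_NAME = DVEBMGS00
snc/enable = 1
snc/identity/as = p:CN=IDS, OU=IT, O=CSW, C=DE
snc/accept_insecure_rfc = 0
snc/accept_insecure_gui = 0
snc/accept_insecure_cpic = 0
snc/permit_insecure_start = 0
snc/data_protection/min = 3
snc/extid_login_diag = 1
snc/extid_login_rfc = 1'

# Print the value of parameter $2 from profile text $1. The last definition
# wins, as in a real profile, and the value may itself contain '=' (the DN does).
snc_param() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ || !/=/ { next }
        {
            k = $0; sub(/=.*$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v
            }
        }
        END { print val }'
}

# Report snc/* settings that still tolerate unprotected traffic or a server
# without SNC. Findings go to stderr; the number of findings is printed on stdout.
snc_audit() {
    profile="$1"
    findings=0
    if [ "$(snc_param "$profile" snc/enable)" != "1" ]; then
        echo "FAIL snc/enable is not 1: SNC is off entirely" >&2
        findings=$((findings + 1))
    fi
    for key in snc/accept_insecure_rfc snc/accept_insecure_gui snc/accept_insecure_cpic; do
        val=$(snc_param "$profile" "$key")
        if [ "$val" != "0" ]; then
            echo "WARN $key=${val:-<unset>}: connections without SNC are still accepted" >&2
            findings=$((findings + 1))
        fi
    done
    if [ "$(snc_param "$profile" snc/permit_insecure_start)" != "0" ]; then
        echo "WARN snc/permit_insecure_start: server may start even if SNC cannot initialise" >&2
        findings=$((findings + 1))
    fi
    # Quality of protection levels: 1 = authentication only, 2 = integrity, 3 = privacy.
    dp=$(snc_param "$profile" snc/data_protection/min)
    case "$dp" in
        3) ;;
        *) echo "WARN snc/data_protection/min=${dp:-<unset>}: below privacy level 3" >&2
           findings=$((findings + 1)) ;;
    esac
    echo "$findings"
}

# Usage: snc_audit "$(cat /usr/sap/IDS/SYS/profile/IDS_DVEBMGS00_kappod)"
snc_audit "$SNC_PROFILE_MIGRATION"
snc_audit "$SNC_PROFILE_HARDENED"
```

Run against the post's values the audit reports five findings (the three accept_insecure switches, permit_insecure_start and the protection minimum); the hardened profile reports none. Note that the client side has to match: the jco.client.snc_qop value used later in the post requests privacy protection, which is what a minimum of 3 enforces.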
Create PSE for RFC Client
I've decided to use a separate PSE for my RFC Client as described in Scenario 2: Using Individual PSEs for Components. To create this PSE I follow the instructions given in Creating an SNC PSE for the SAP J2EE Engine. The steps described show an example setup done on my Linux box. To test the connection I use the demo programs coming with SAP Java Connector available at http://service.sap.com/connectors. I've extracted the connector in /usr/sap/jco.
Create sec directory for RFC Client PSE
To store the RFC Client PSE I create a subdirectory sec in "/usr/sap/jco/demo":
kappod:~# cd /usr/sap/jco/demo/
kappod:/usr/sap/jco/demo# mkdir sec
Now switch to this directory and create the PSE:
kappod:~# cd sec
Create PSE
To run sapgenpse the directory containing the SAP Cryptographic Library (libsapcrypto.so on Linux) must be made available in the environment variable LD_LIBRARY_PATH:
export LD_LIBRARY_PATH=/usr/sap/jco/:/usr/sap/IDS/SYS/exe/run/
Also the just created directory "/usr/sap/jco/demo/sec" has to be set as the SECUDIR:
export SECUDIR=/usr/sap/jco/demo/sec
Before you can start creating the PSE you also have to copy the ticket license file to it:
cp /usr/sap/IDS/DVEBMGS00/sec/ticket .
Now we are ready to create the PSE:
kappod:/usr/sap/jco/demo/sec# /sapmnt/IDS/exe/sapgenpse gen_pse -v -p RFC.pse
Got absolute PSE path "/usr/sap/IDS/DVEBMGS00/sec/RFC.pse".
Please enter PIN: ********
Please reenter PIN: ********
get_pse: Distinguished name of PSE owner: CN=RFC, OU=IT, O=CSW, C=DE
Supplied distinguished name: "CN=RFC, OU=IT, O=CSW, C=DE"
Generating key (RSA, 1024-bits) ... succeeded.
certificate creation... ok
PSE update... ok
PKRoot... ok
Generating certificate request... ok.
PKCS#10 certificate request for "/usr/sap/jco/demo/sec/RFC.pse":
Export Client Certificate
We have to export the Client Certificate of the just created PSE:
# /sapmnt/IDS/exe/sapgenpse export_own_cert -v -p RFC.pse -o RFC.crt
Opening PSE "/usr/sap/jco/demo/sec/RFC.pse"...
No SSO credentials found for this PSE.
Please enter PIN: ********
PSE open ok.
Retrieving my certificate... ok.
writing to file ...... ok
Import Client Certificate to Server PSE
You can import the client Certificate via Transaction STRUST. First open the Node SNC (SAPCryptolib) again. You have to provide the password set before:
Click on "Import certificate"
Set the file format to Base64 and choose the file:
Finally click "Add to Certificate List"
Export Server Certificate
Now we have to export the Server Certificate. Already in the STRUST node SNC (SAPCryptolib) double click on your own certificate so it is displayed in the Certificate field. Click on Export certificate:
Choose also Base64 for the File format and provide a name for the file:
Import Server Certificate to Client PSE
That is done again on the command line:
# /sapmnt/IDS/exe/sapgenpse maintain_pk -v -a SNC.crt -p RFC.pse
Opening PSE "/usr/sap/jco/demo/sec/RFC.pse"...
No SSO credentials found for this PSE.
Please enter PIN: ********
PSE open ok.
Adding new certificate from file "SNC.crt"
----------------------------------------------------------------------------
Subject : CN=IDS, OU=IT, O=CSW, C=DE
Issuer : CN=IDS, OU=IT, O=CSW, C=DE
Serialno: 00
KeyInfo : RSA, 2048-bit
Validity - NotBefore: Wed Sep 27 21:37:32 2006 (060927193732Z)
NotAfter: Fri Jan 1 01:00:01 2038 (380101000001Z)
----------
PKList updated (1 entries total, 1 newly added)
Create cred_v2 file
After we've now set up the RFC client PSE we have to create a file called cred_v2 which is used to securely give the RFC Program access to the PSE without providing the password for the PSE. On the command line run:
# /usr/sap/IDS/SYS/exe/run/sapgenpse seclogin -p RFC.pse -O root
running seclogin with USER="root"
creating credentials for yourself (USER="root")...
Please enter PIN: ********
Added SSO-credentials for PSE "/usr/sap/jco/demo/sec/RFC.pse"
"CN=RFC, OU=IT, O=CSW, C=DE"
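Because cred_v2 lets the RFC program open the PSE without the PIN, anyone who can read the SECUDIR can act as the client identity "CN=RFC, OU=IT, O=CSW, C=DE" towards the server. The shell check below is an added example, not part of the post: it builds a constructed SECUDIR with placeholder files (no real PSE or credentials) and verifies that the directory, the PSE and cred_v2 are private to their owner, which is what you want to confirm before the connection is used in earnest. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the post: verify that a SECUDIR and its cred_v2 are
# readable only by the user that runs the RFC program.

# Build a constructed SECUDIR in a temp directory that mimics the post's layout
# (RFC.pse, cred_v2, ticket). The files are placeholders, not real SAP artefacts.
# Prints the directory path.
make_sample_secudir() {
    d=$(mktemp -d)
    printf 'placeholder PSE, not a real PSE\n' > "$d/RFC.pse"
    printf 'placeholder cred_v2, not real SSO credentials\n' > "$d/cred_v2"
    printf 'placeholder ticket\n' > "$d/ticket"
    chmod 700 "$d"
    chmod 600 "$d/RFC.pse" "$d/cred_v2"
    chmod 644 "$d/ticket"
    echo "$d"
}

# Return 0 if $1 grants no permission at all to group or others, 1 otherwise.
# Uses the ls -ld mode string so it works without GNU stat.
private_mode() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Check a SECUDIR the way you would before enabling snc_mode on the client:
# the directory, the PSE and cred_v2 must exist and be private to the owner.
# Prints one line per item and the number of problems found as the last line.
check_secudir() {
    dir="$1"
    problems=0
    for f in "$dir" "$dir/RFC.pse" "$dir/cred_v2"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"
            problems=$((problems + 1))
        elif ! private_mode "$f"; then
            echo "OPEN    $f is accessible to group/others ($(ls -ld "$f" | cut -c1-10))"
            problems=$((problems + 1))
        else
            echo "OK      $f"
        fi
    done
    echo "$problems"
}

# Convenience for scripts and monitoring: only the problem count.
secudir_problem_count() {
    check_secudir "$1" | tail -n 1
}

# Usage: first a clean SECUDIR, then the same one after cred_v2 was made world-readable.
SAMPLE_DIR=$(make_sample_secudir)
check_secudir "$SAMPLE_DIR"
chmod 644 "$SAMPLE_DIR/cred_v2"
check_secudir "$SAMPLE_DIR"
rm -rf "$SAMPLE_DIR"
```

For a real installation point it at the directory exported as SECUDIR (in the post /usr/sap/jco/demo/sec). Creating the credentials with -O root, as the post does, ties them to the root user; if the Java client runs as a dedicated user, create cred_v2 for that user instead and keep the same ownership and mode checks.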
Allow SNC RFC Connection
On the ABAP Server side we now have to maintain the View VSNCSYSACL which is used to restrict the SNC RFC Connections by an Access Control List (ACL). Start Transaction SM30, enter VSNCSYSACL and click Maintain. Accept the "The table is cross-client" information:
Choose "E" for the Type of ACL entry:
Enter System ID and SNC name. Don't forget the "p:" in front of the DN! Check the boxes according to this screenshot:
Don't forget to save this entry.
Map X.509 Certificate to User
To accept an X.509 Certificate for Login you have to maintain View VUSREXTID. Via this View you can set up a mapping between the Distinguished Name provided by an X.509 Certificate and an ABAP User. Start Transaction SM30, enter VUSREXTID and click Maintain. Choose DN for the External ID type:
Create a new entry and don't forget to activate it:
Test connection
Now we have everything in place to test the connection! To login with the X.509 Certificate you have to concatenate the previously exported Certificate in one line without "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". All login information can be maintained in the "verifclient.properties" file in directory "/usr/sap/jco/demo". I've used these values:
jco.client.client=800
jco.client.x509cert=Base64 Encoded Certificate in one line
jco.client.ashost=kappod.csw.local
jco.client.sysnr=00
jco.client.snc_mode=1
jco.client.snc_partnername=p:CN=IDS, OU=IT, O=CSW, C=DE
jco.client.snc_qop=3
jco.client.snc_myname=p:CN=RFC, OU=IT, O=CSW, C=DE
jco.client.snc_lib=/usr/sap/IDS/SYS/exe/run/libsapcrypto.so
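The jco.client.x509cert value has to be the Base64 body of the exported certificate on a single line, and a stray line break or a leftover armor line is the usual reason the certificate logon fails. The shell snippet below is an added example, not the post's code: it strips the BEGIN/END lines and all whitespace from a PEM file, checks that the result still decodes to DER (every X.509 certificate starts with the SEQUENCE tag 0x30), and emits the properties line. The PEM text is a constructed stand-in whose body is a five-byte DER sequence, not a real certificate; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the post: PEM certificate -> one-line jco.client.x509cert.

# Constructed stand-in for an exported certificate file. The body decodes to
# the DER bytes 30 03 02 01 05, NOT a real certificate; a real RFC.crt from
# sapgenpse export_own_cert has the same BEGIN/END framing around many lines.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
MAMC
AQU=
-----END CERTIFICATE-----'

# Print the Base64 body of PEM text $1 as one line: drop CRs, drop the
# BEGIN/END armor lines, then remove every remaining whitespace character.
pem_to_oneline() {
    printf '%s\n' "$1" \
        | tr -d '\r' \
        | sed -e '/^-----BEGIN CERTIFICATE-----$/d' -e '/^-----END CERTIFICATE-----$/d' \
        | tr -d ' \t\n'
    echo
}

# Return 0 if the one-line Base64 string $1 decodes to data whose first byte
# is the DER SEQUENCE tag 0x30, 1 otherwise (invalid Base64 also yields 1).
der_sequence_check() {
    first=$(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -tx1 -N1 | tr -d ' \n')
    [ "$first" = "30" ]
}

# Emit the properties line for the JCo client, or fail if the body is not DER.
x509cert_property() {
    line=$(pem_to_oneline "$1")
    der_sequence_check "$line" || return 1
    echo "jco.client.x509cert=$line"
}

# Usage with a real export: x509cert_property "$(cat /usr/sap/jco/demo/sec/RFC.crt)"
x509cert_property "$SAMPLE_PEM"
```

The same one-line form is what the VUSREXTID mapping is matched against after the SNC layer has verified the certificate, so keep the DN in the certificate identical to the jco.client.snc_myname value minus the "p:" prefix.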
Compile the Class VerifClient:
javac VerifClient.java
And run it providing the properties file as a parameter:
java VerifClient verifclient.properties
Somewhere in the result you should also see:
------------------------------------------------------------------------------
Test ---------------------------------------------------- Status ----------
------------------------------------------------------------------------------
JCO.createClient()..........................................ok
client.connect()............................................ok
Outlook
With SNC enabled we can use the RFC Enabled Function Module SUSR_CHECK_LOGON_DATA to authenticate with an external ID. If the authentication was successful it will return a valid SSO2 Ticket. But that is part of another Blog.