Enabling SNC in SAP ECC for SAP ECC Integration

To use the SAP Cryptographic Library (SAPCRYPTOLIB) for SNC, the SAP ECC server must possess a public and private key pair that is stored in its SNC PSE. It must also be able to identify its communication partners using SNC. Use the procedure below to generate the key pair and configure the application server accordingly.

Downloading and Installing the SAP Cryptographic Library

The SAP Cryptographic Library (SAPCRYPTOLIB) is the default security product provided by SAP for encryption with SAP systems.


NOTE

Please check the instructions on SAP-Help-Portal -> Using the SAP Cryptographic Library for SNC. The SAP-Help-Portal will be updated on any ECC changes.

Procedure

  1. Download the SAP Cryptographic Library for your operating system from SAP Service Marketplace (service.sap.com/swdc -> Support Packages and Patches (S) -> SAPCRYPTOLIB).
  2. Extract the contents of the SAP Cryptographic Library installation package.
  3. Copy the library file and the sapgenpse.exe configuration tool to the directory specified by the application server DIR_EXECUTABLE profile parameter.

In the following example, this directory is represented with the notation $(DIR_EXECUTABLE).

Microsoft Windows:

DIR_EXECUTABLE: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\ 

Location of SAP Cryptographic Library: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll 

  4. Check the file permissions for the SAP Cryptographic Library. Make sure that <sid>adm, or SAPService<SID> under Windows, is able to execute the library functions.
  5. Copy the ticket file to the sec subdirectory in the instance directory $(DIR_INSTANCE).

Microsoft Windows:

DIR_INSTANCE: <DRIVE>:\usr\sap\<SID>\<instance> 

Location of the ticket: <DRIVE>:\usr\sap\<SID>\<instance>\sec\ticket 

  6. Set the SECUDIR environment variable to the sec subdirectory.

The application server uses this variable to locate the ticket and its credentials at runtime. If you set the environment variable using the command line, then the value may not be applied to the server processes. Setting SECUDIR in the start-up profile for the server user or in the registry is recommended.

Setting Profile Parameters for the Trust Manager and for SNC

Procedure


  1. Log on to SAP ECC and call the RZ10 transaction.
  2. In the Profile field, select the application server instance profile. In the Edit Profile window, select Extended maintenance and choose Change.
  3. Add the following parameters:

| Parameter and Value | Description |
|---|---|
| ssf/name = SAPSECULIB | Name of the external security product. |
| ssf/ssfapi_lib = C:\usr\sap\<SystemID>\SYS\exe\uc\NTAMD64\sapcrypto.dll | Path to and name of the SSF API external library. |
| sec/libsapsecu = C:\usr\sap\<SystemID>\SYS\exe\uc\NTAMD64\sapcrypto.dll | Complete path and filename for the external security product, for example, SAP Cryptographic Library. |
| snc/enable = 0 | Activates SNC on the application server. Caution: Do not activate it now; some further steps are necessary before activation. |
| snc/identity/as = p:CN=<Name>, C=<Country> | SNC name of the application server, here an X.500 name. |
| snc/gssapi_lib = C:\usr\sap\<SystemID>\SYS\exe\uc\NTAMD64\sapcrypto.dll | Path and file name of the GSS-API V2 shared library. |
| snc/data_protection/max = 3 | Maximum level of data protection for connections initiated by SAP ECC. |
| snc/data_protection/min = 1 | Minimum data protection level required for SNC communications. |
| snc/data_protection/use = 3 | Default level of data protection for connections initiated by SAP ECC. |
| snc/accept_insecure_cpic = 1 | Specifies whether unprotected incoming CPIC connections on an SNC-enabled AS ABAP are accepted. 1 allows unprotected CPIC connections. |
| snc/accept_insecure_gui = 1 | Accept insecure SAPGUI logins to the SNC-enabled server [0,1]. |
| snc/accept_insecure_rfc = 0 | Accept insecure RFC connections to the SNC-enabled server [0,1]. |
| snc/accept_insecure_r3int_rfc = 1 | Accept insecure internal RFC calls on the SNC-enabled server [0,1]. |
| snc/r3int_rfc_secure = 1 | Use SNC for internal RFC communication [0,1]. |
| snc/r3int_rfc_qop = 8 | Quality of protection for internal RFC calls with SNC. |
| snc/permit_insecure_start = 1 | Permit the start of insecure programs when SNC is enabled [0,1]. |
| snc/force_login_screen = 0 | Display the login screen for each SNC-protected login [0,1]. |

  4. Save your settings and restart the server.

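A consistency check for the parameters listed above, as an added example (not code from the original page or from SAP). It parses instance-profile text and reports mismatched library paths, a malformed SNC name, inconsistent data protection levels, and insecure-accept options left at 1 once snc/enable is 1. The SID ABC, the sample profile and the function names are constructed for illustration.

```python
# Added example: audit SNC profile parameters. Sample values are constructed.
SAMPLE_PROFILE = r"""
ssf/ssfapi_lib = C:\usr\sap\ABC\SYS\exe\uc\NTAMD64\sapcrypto.dll
sec/libsapsecu = C:\usr\sap\ABC\SYS\exe\uc\NTAMD64\sapcrypto.dll
snc/gssapi_lib = C:\usr\sap\ABC\SYS\exe\uc\NTAMD64\sapcrypto.dll
snc/enable = 1
snc/identity/as = p:CN=ABC, C=DE
snc/data_protection/max = 3
snc/data_protection/min = 1
snc/data_protection/use = 3
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 0
snc/accept_insecure_r3int_rfc = 1
snc/permit_insecure_start = 1
"""

LIB_PARAMS = ("ssf/ssfapi_lib", "sec/libsapsecu", "snc/gssapi_lib")

def parse_profile(text):
    """Parse 'name = value' lines; blank lines and '#' comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit_snc(params):
    """Return findings for the SNC parameters listed in the table above."""
    findings = []
    libs = {params.get(k, "").lower() for k in LIB_PARAMS}  # Windows paths: case-insensitive
    if len(libs) != 1 or "" in libs:
        findings.append("library parameters missing or pointing at different files")
    ident = params.get("snc/identity/as", "")
    if not (ident.startswith("p:") and "CN=" in ident):
        findings.append("snc/identity/as is not of the form p:CN=<Name>, C=<Country>")
    try:
        lo, use, hi = (int(params["snc/data_protection/" + k]) for k in ("min", "use", "max"))
        use = hi if use == 9 else use  # 9 = "use the max value" (SAP alias, not on this page)
        if not lo <= use <= hi:
            findings.append("data protection levels violate min <= use <= max")
    except (KeyError, ValueError):
        findings.append("snc/data_protection/min, use or max missing or not numeric")
    if params.get("snc/enable") == "1":
        for name in sorted(params):
            if name.startswith(("snc/accept_insecure_", "snc/permit_insecure_")) and params[name] == "1":
                findings.append(name + " = 1: insecure option still permitted with SNC enabled")
    return findings
```

With the table's values and snc/enable = 1, the check returns four findings, one per insecure option left at 1; with snc/enable = 0 it returns none.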
Creating the SNC PSE in Trust Manager

Procedure

  1. Log on to SAP ECC and call the STRUST transaction.
  2. Select the SNC SAPCryptolib node.
  3. Using the context menu, choose Create.

The <Create/Replace> PSE dialog appears.

  4. Accept the SNC ID which is taken from the snc/identity/as instance parameter.
  5. Save your settings.

Exporting the SNC PSE

Export the SNC PSE so that you can copy it to the communication partner's host.

Procedure

  1. Log on to SAP ECC and call the STRUST transaction.
  2. Select the SNC SAPCryptolib node. 

The SNC PSE information appears on the right side.

  3. From the menu, choose PSE -> Export.
  4. Save the PSE to the file system.

Result

The SNC PSE is available in the file system. Copy it to the appropriate location on the communication partner's host.

Setting the Profile Parameter to Enable SNC

To finally activate SNC in SAP ECC, change the snc/enable profile parameter.

Procedure

  1. Log on to SAP ECC and call the RZ10 transaction.
  2. In the Profile field, select the application server instance profile. In the Edit Profile window, select Extended maintenance and choose Change.
  3. Set the snc/enable parameter to 1.
  4. Save your settings and restart the server.

Assigning the SNC Name to the Technical User

Procedure

  1. Log on to SAP ECC and call the SU01 transaction.
  2. Select the technical user that you use to run the RFC connections.
  3. On the SNC tab, enter the SNC name. 

The name is the value you have provided for the snc/identity/as parameter.


Next Step: Enabling SNC for SAP Integration Framework 2.0 for SAP ECC Integration
