To use the SAP Cryptographic Library (SAPCRYPTOLIB) for SNC, the SAP S/4 HANA server must possess a public and private key pair that is stored in its SNC PSE. It must also be able to identify its communication partners using SNC. Use the procedure below to generate the key pair and configure the application server accordingly.
Downloading and Installing the SAP Cryptographic Library
The SAP Cryptographic Library (SAPCRYPTOLIB) is the default security product provided by SAP for encryption with SAP systems.
NOTE
Check the instructions on the SAP Help Portal under Using the SAP Cryptographic Library for SNC. The SAP Help Portal is updated with any S/4 HANA changes.
Procedure
- Download the SAP Cryptographic Library for your operating system from SAP Service Marketplace (service.sap.com/swdc → Support Packages and Patches (S) → SAPCRYPTOLIB).
- Extract the contents of the SAP Cryptographic Library installation package.
- Copy the library file and the sapgenpse.exe configuration tool to the directory specified by the application server DIR_EXECUTABLE profile parameter.
In the following example, this directory is represented with the notation $(DIR_EXECUTABLE).
Microsoft Windows:
DIR_EXECUTABLE: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\
Location of SAP Cryptographic Library: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll
- Check the file permissions for the SAP Cryptographic Library. Make sure that <sid>adm, or SAPService<SID> under Windows, is able to execute the library functions.
- Copy the ticket file to the sec subdirectory in the instance directory $(DIR_INSTANCE).
Microsoft Windows:
DIR_INSTANCE: <DRIVE>:\usr\sap\<SID>\<instance>
Location of the ticket: <DRIVE>:\usr\sap\<SID>\<instance>\sec\ticket
- Set the SECUDIR environment variable to the sec subdirectory.
The application server uses this variable to locate the ticket and its credentials at runtime. If you set the environment variable using the command line, then the value may not be applied to the server processes. Setting SECUDIR in the start-up profile for the server user or in the registry is recommended.
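The file-system part of the procedure above (extract, copy, permission check, SECUDIR), as an added PowerShell example that is not part of the SAP documentation. It assumes a 64-bit Windows host with SID S4H, instance D00, drive C:, the downloaded archive at C:\install\SAPCRYPTOLIB.SAR with SAPCAR.EXE beside it, and a local SAPServiceS4H account; all of these are placeholders for your own values. Run it in an elevated PowerShell session.

```powershell
# Added example, not SAP's own code. Installs SAPCRYPTOLIB for SNC on a Windows
# AS ABAP host following the steps above. Every value here is an assumption:
# adjust SID, instance, drive, archive location and service account to your system.
$SID      = 'S4H'
$Instance = 'D00'
$Drive    = 'C:'
$Archive  = 'C:\install\SAPCRYPTOLIB.SAR'   # the downloaded package (assumed path)
$SapCar   = 'C:\install\SAPCAR.EXE'         # SAP's archive tool, obtained separately (assumed path)
$Extract  = 'C:\install\sapcryptolib'       # scratch directory for the extracted package
$ServiceAccount = "$env:COMPUTERNAME\SAPService$SID"   # assumed local service account

# Take DIR_EXECUTABLE and DIR_INSTANCE from your instance profile; these are the values shown above.
$DirExecutable = "$Drive\usr\sap\$SID\SYS\exe\run"
$DirInstance   = "$Drive\usr\sap\$SID\$Instance"
$SecDir        = Join-Path $DirInstance 'sec'          # will become SECUDIR

# 1. Extract the package. SAPCAR's -R switch sets the directory to extract into.
New-Item -ItemType Directory -Path $Extract -Force | Out-Null
& $SapCar -xvf $Archive -R $Extract
if ($LASTEXITCODE -ne 0) { throw "SAPCAR failed with exit code $LASTEXITCODE" }

# 2. Library and sapgenpse go to DIR_EXECUTABLE, the ticket to <DIR_INSTANCE>\sec.
foreach ($file in 'sapcrypto.dll', 'sapgenpse.exe') {
    Copy-Item -Path (Join-Path $Extract $file) -Destination $DirExecutable -Force
}
New-Item -ItemType Directory -Path $SecDir -Force | Out-Null
Copy-Item -Path (Join-Path $Extract 'ticket') -Destination (Join-Path $SecDir 'ticket') -Force

# 3. Permission check: the service account must be able to load and execute the DLL.
function Test-ReadAndExecute {
    param([string]$Path, [string]$Account)
    $required = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $acl = Get-Acl -Path $Path
    # Only direct ACEs are examined; rights the account gets through group
    # membership (for example BUILTIN\Users) are not resolved here.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Account -and
            (($ace.FileSystemRights -band $required) -eq $required)) {
            return $true
        }
    }
    return $false
}

$Dll = Join-Path $DirExecutable 'sapcrypto.dll'
if (-not (Test-ReadAndExecute -Path $Dll -Account $ServiceAccount)) {
    Write-Warning "$ServiceAccount has no explicit Read & Execute ACE on $Dll; adding one"
    $acl  = Get-Acl -Path $Dll
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ServiceAccount, 'ReadAndExecute', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Dll -AclObject $acl
}

# 4. SECUDIR as a machine-wide variable (stored in the registry), so the server
#    processes see it after the next restart. A variable set only in this shell
#    would not reach the SAP service processes.
[Environment]::SetEnvironmentVariable('SECUDIR', $SecDir, 'Machine')

# 5. Show what was installed.
Get-Item -Path $Dll, (Join-Path $DirExecutable 'sapgenpse.exe'), (Join-Path $SecDir 'ticket') |
    Select-Object FullName, Length, LastWriteTime
```

The ACL check looks only for an explicit Allow entry for the service account; if the account is granted Read & Execute through a group instead, the script adds a redundant explicit ACE, which is harmless. Restart the instance after running it so that SECUDIR is picked up.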
Setting Profile Parameters for the Trust Manager and for SNC
Procedure
- Log on to SAP S/4 HANA and call the RZ10 transaction.
- In the Profile field, select the application server instance profile, in the Edit Profile window, select Extended maintenance, and choose Change.
- Add the following parameters. The three library parameters must name the sapcrypto.dll you copied to DIR_EXECUTABLE in the previous procedure; the value shown (...\SYS\exe\uc\NTAMD64\) is the 64-bit Windows Unicode executable directory. The line under each parameter describes its value.

ssf/name = SAPSECULIB
    Name of the external security product.
ssf/ssfapi_lib = C:\usr\sap\<SystemID>\SYS\exe\uc\NTAMD64\sapcrypto.dll
    Path to and name of the SSF API external library.
sec/libsapsecu = C:\usr\sap\<SystemID>\SYS\exe\uc\NTAMD64\sapcrypto.dll
    Complete path and file name of the external security product, here the SAP Cryptographic Library.
snc/enable = 0
    SNC stays switched off until the SNC PSE exists; the parameter is set to 1 in the final step below.
snc/identity/as = p:CN=<Name>, C=<Country>
    SNC name of the application server, here an X.500 name. The p: prefix marks a SAP Cryptographic Library name.
snc/gssapi_lib = C:\usr\sap\<SystemID>\SYS\exe\uc\NTAMD64\sapcrypto.dll
    Path and file name of the GSS-API V2 shared library.
snc/data_protection/max = 3
    Maximum level of data protection for connections initiated by SAP S/4 HANA.
snc/data_protection/min = 1
    Minimum data protection level required for SNC communications.
snc/data_protection/use = 3
    Default level of data protection for connections initiated by SAP S/4 HANA.
snc/accept_insecure_cpic = 1
    Accept unprotected incoming CPIC connections on an SNC-enabled AS ABAP [0,1]; 1 allows unprotected CPIC connections.
snc/accept_insecure_gui = 1
    Accept insecure SAP GUI logons on the SNC-enabled server [0,1].
snc/accept_insecure_rfc = 0
    Accept insecure RFC connections to the SNC-enabled server [0,1].
snc/accept_insecure_r3int_rfc = 1
    Accept insecure internal RFC calls on the SNC-enabled server [0,1].
snc/r3int_rfc_secure = 1
    Use SNC for internal RFC communication [0,1].
snc/r3int_rfc_qop = 8
    Quality of protection for internal RFC calls with SNC; 8 means the default level taken from snc/data_protection/use.
snc/permit_insecure_start = 1
    Permit starting insecure programs when SNC is enabled [0,1].
snc/force_login_screen = 0
    Display the logon screen for each SNC-protected logon [0,1].

The value 1 for the snc/accept_insecure_* parameters and for snc/permit_insecure_start keeps clients and programs that do not use SNC working during the rollout, which also means that SNC is not enforced for them. Once every SAP GUI, RFC and CPIC partner authenticates with SNC, set these parameters to 0 so that the server rejects unprotected connections. Of the data protection levels, 1 is authentication only and 3 is the only level that encrypts the traffic, so a minimum of 1 still admits unencrypted SNC sessions.
- Save your settings and restart the server.
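An added check that is not part of the SAP documentation: a PowerShell audit that reads the SNC parameters back out of an instance profile and reports settings that still allow unprotected connections. The profile text embedded in the block is constructed from the table above with SID S4H, identity p:CN=S4H, C=DE and the Windows library path (all assumed values); the last, commented line shows how to run the same audit against a real profile file.

```powershell
# Added example, not SAP's own code. Parses the SNC-related parameters of an
# AS ABAP instance profile and reports settings that weaken SNC.
# The sample profile below is constructed from the table above; SID, identity
# and library path are assumed values.
$SampleProfile = @'
ssf/name = SAPSECULIB
ssf/ssfapi_lib = C:\usr\sap\S4H\SYS\exe\uc\NTAMD64\sapcrypto.dll
sec/libsapsecu = C:\usr\sap\S4H\SYS\exe\uc\NTAMD64\sapcrypto.dll
snc/enable = 0
snc/identity/as = p:CN=S4H, C=DE
snc/gssapi_lib = C:\usr\sap\S4H\SYS\exe\uc\NTAMD64\sapcrypto.dll
snc/data_protection/max = 3
snc/data_protection/min = 1
snc/data_protection/use = 3
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 0
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 1
snc/r3int_rfc_qop = 8
snc/permit_insecure_start = 1
snc/force_login_screen = 0
'@

function ConvertFrom-SapProfile {
    # Profile lines have the form "name = value"; '#' starts a comment line.
    param([string]$Text)
    $params = @{}
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $idx = $line.IndexOf('=')
        if ($idx -lt 1) { continue }
        $params[$line.Substring(0, $idx).Trim()] = $line.Substring($idx + 1).Trim()
    }
    return $params
}

function Test-SncProfile {
    param([hashtable]$P, [switch]$CheckFiles)
    $findings = @()

    # The three library parameters must name the same sapcrypto.dll, and it must exist.
    $libs   = @('ssf/ssfapi_lib', 'sec/libsapsecu', 'snc/gssapi_lib') | ForEach-Object { $P[$_] }
    $unique = @($libs | Select-Object -Unique)
    if ($unique.Count -ne 1) { $findings += 'library parameters do not all point at the same file' }
    if ($CheckFiles) {
        foreach ($lib in $unique) { if (-not (Test-Path -Path $lib)) { $findings += "library not found: $lib" } }
    }

    # SAP Cryptographic Library identities are X.500 names with the p: prefix.
    if ($P['snc/identity/as'] -notmatch '^p:') { $findings += 'snc/identity/as must start with p:' }

    # Protection levels: min <= use <= max; level 1 is authentication only, 3 encrypts.
    $min = [int]$P['snc/data_protection/min']; $use = [int]$P['snc/data_protection/use']; $max = [int]$P['snc/data_protection/max']
    if (-not ($min -le $use -and $use -le $max)) { $findings += 'data protection levels must satisfy min <= use <= max' }
    if ($min -lt 3) { $findings += "snc/data_protection/min = $min: partners may negotiate a level without encryption" }

    # Each accept_insecure_* = 1 or permit_insecure_start = 1 is a bypass of SNC.
    foreach ($name in 'snc/accept_insecure_cpic', 'snc/accept_insecure_gui', 'snc/accept_insecure_rfc',
                      'snc/accept_insecure_r3int_rfc', 'snc/permit_insecure_start') {
        if ($P[$name] -eq '1') { $findings += "$name = 1 allows unprotected access; set to 0 once all partners use SNC" }
    }
    if ($P['snc/enable'] -ne '1') { $findings += 'snc/enable is not 1: SNC is not active yet' }
    return $findings
}

$findings = Test-SncProfile -P (ConvertFrom-SapProfile -Text $SampleProfile)
$findings | ForEach-Object { Write-Output "FINDING: $_" }

# Against a real profile (assumed path), including the check that the DLL exists:
# Test-SncProfile -P (ConvertFrom-SapProfile -Text (Get-Content -Raw 'C:\usr\sap\S4H\SYS\profile\S4H_D00_host')) -CheckFiles
```

Run against the sample, the audit reports the four parameters set to 1, the minimum protection level of 1, and snc/enable = 0; the last finding is expected at this stage and disappears after the final activation step, while the others are the settings to revisit once migration is complete.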
Creating the SNC PSE in Trust Manager
Procedure
- Log on to SAP S/4 HANA and call the STRUST transaction.
- Select the SNC SAPCryptolib node.
- Using the context menu, choose Create.
The Create PSE dialog appears.
- Accept the SNC ID, which is taken from the snc/identity/as instance parameter.
- Save your settings.
Result
The SNC PSE now exists; on the application server it is stored as SAPSNCS.pse in the sec directory (SECUDIR).
Exporting the SNC PSE
Export the SNC PSE so that you can copy it to the communication partner's host. The exported PSE file contains the server's private key: transfer it over a protected channel, restrict access to it on the partner host, and delete any temporary copies.
Procedure
- Log on to SAP S/4 HANA and call the STRUST transaction.
- Select the SNC SAPCryptolib node.
The SNC PSE information appears on the right side.
- From the menu, choose PSE → Export.
- Save the PSE to the file system.
Result
The SNC PSE is available in the file system. Copy it to the appropriate location on the communication partner's host.
Setting the Profile Parameter to Enable SNC
To finally activate SNC in SAP S/4 HANA, change the snc/enable profile parameter.
Procedure
- Log on to SAP S/4 HANA and call the RZ10 transaction.
- In the Profile field, select the application server instance profile, in the Edit Profile window, select Extended maintenance, and choose Change.
- Set the snc/enable parameter to 1.
- Save your settings and restart the server.
Assigning the SNC Name to the Technical User
Procedure
- Log on to SAP S/4 HANA and call the SU01 transaction.
- Select the technical user that you use to run the RFC connections.
- On the SNC tab, enter the SNC name.
The name is the value you have provided for the snc/identity/as parameter.
Next Step: Enabling SNC for SAP Integration Framework 2.0 for SAP S/4 HANA Integration