Intro

Secure Network Communication (SNC) is a software layer in the SAP System architecture that provides an interface to an external security product. SAP Systems provide basic security measures such as SAP authorization and password-based user authentication. With SNC you can add protection from an external security product. SNC provides application-level, end-to-end security. It secures all communications between two SNC-protected components, for example between SAP GUI and an SAP Application Server. SNC protection only applies to connections that use SAP protocols (dialog, RFC or CPIC protocols).

Please see the instructions at /wiki/spaces/IE/pages/791412944 for more details.


Prepare IT-Conductor Gateway

Set SNC environment variables

...

java_path=./jdk1.8.0_171/jre/bin/java
SECUDIR=/opt/itconductor/conf
export SECUDIR

Install SAP Cryptographic Library

  1. Download the SAP Cryptographic Library (SAPCRYPTOLIB.SAR) from the SAP Service Marketplace.
  2. Extract and copy the library (Windows: sapcrypto.dll; Linux: sapcrypto.so) and the command line tool (Windows: sapgenpse.exe; Unix/Linux: sapgenpse) to a local directory.

...

  • Exchange public-key certificates by export and import.
    To communicate using SNC, the IT-Conductor and SAP Systems must identify each other:
    1. Export the public-key certificate corresponding to the local PSE created above (used by the IT-Conductor) as follows:

      sapgenpse export_own_cert -v -o <output_file> -p <PSE_name>

      Linux:

      ./sapgenpse export_own_cert -v -o itconductor_pse.crt -p itconductor

      Windows:

      sapgenpse.exe export_own_cert -v -o itconductor_pse.crt -p itconductor


    2. For each SAP System that IT-Conductor will connect to using SNC, repeat the following steps:
      1. Import the created client certificate into the SAP System, using the trust manager (transaction code STRUST).
      2. Export the server certificate from the SAP Server, using the trust manager (transaction code STRUST).


        Info
        If a server certificate does not exist, create one. For more information, contact your SAP Administrator.


      3. Import the SAP Server certificate into the IT-Conductor PSE using the following command:

        sapgenpse maintain_pk -v [-a <cert_file>] -p <PSE_name>


        Linux:

        ./sapgenpse maintain_pk -v -a /tmp/sap_system_XYZ.crt -p itconductor

        Windows:

        sapgenpse.exe maintain_pk -v -a C:\tmp\sap_system_XYZ.crt -p itconductor

      4. Update the SNC name for the IT-Conductor SAP accounts using transaction code SU01.

        Make sure you prefix the DN with "p:", as in:

        p:CN=IT-Conductor, OU=IT, O=ACME, C=US

        Info
        Do that for each SAP Account that you are planning to use in IT-Conductor using the same DN.



    3. Grant SNC permissions to the operating system user that the Gateway service runs as.
      The SAP System requires active credentials at run-time to access its PSE. You can use the seclogin command to open the PSE and create the required credentials.

      sapgenpse seclogin [-p <PSE_name>] [-O <user_ID>]


      Info
      On Windows, the user name is SYSTEM, as the gateway runs under the Local System account.
      On Linux, the user name is root, as the gateway runs under the root account.



      The following command line grants SNC permissions for the user SYSTEM to access the file sap_plugin_pse.
      Linux:

      ./sapgenpse seclogin -p itconductor -O root

      Windows:

      sapgenpse.exe seclogin -p itconductor -O SYSTEM
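
A post-setup check for the Linux Gateway, added here as an example and not part of the original instructions or of IT-Conductor's tooling: the PSE holds the private key and the seclogin credentials let the Gateway user open it without a PIN, so neither file should be accessible to other accounts. The function names are hypothetical, and the script assumes the PSE is stored as `$SECUDIR/<PSE_name>.pse` and the seclogin credentials as `$SECUDIR/cred_v2`.

```shell
#!/bin/sh
# Added example: audit SECUDIR after the sapgenpse export/import/seclogin steps.
# Assumptions: PSE file is <PSE_name>.pse and seclogin credentials are cred_v2,
# both located in SECUDIR.

# Print the octal permission bits of a path (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only when group and other have no permission bits at all.
is_private() {
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# audit_secudir <SECUDIR> <PSE_name>: returns the number of findings.
audit_secudir() {
    dir=$1 pse=$2 findings=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: SECUDIR $dir does not exist"
        return 1
    fi
    if ! is_private "$dir"; then
        echo "WARN: $dir is accessible to group/other (mode $(file_mode "$dir"))"
        findings=$((findings + 1))
    fi
    for f in "$dir/$pse.pse" "$dir/cred_v2"; do
        if [ ! -f "$f" ]; then
            # A missing cred_v2 usually means seclogin was not run for this user.
            echo "FAIL: $f is missing"
            findings=$((findings + 1))
        elif ! is_private "$f"; then
            echo "WARN: $f is accessible to group/other (mode $(file_mode "$f"))"
            findings=$((findings + 1))
        fi
    done
    if [ "$findings" -eq 0 ]; then echo "OK: $dir is private to its owner"; fi
    return "$findings"
}

# Run against the Gateway's SECUDIR when invoked with --audit [PSE_name].
if [ "${1:-}" = "--audit" ]; then
    audit_secudir "${SECUDIR:-/opt/itconductor/conf}" "${2:-itconductor}"
fi
```

Run it as the Gateway's operating system user with `--audit itconductor`; a non-zero exit status is the number of findings.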

...

Do you have a question about the content on this page? E-mail us at support@itconductor.com.