Goal
Secure Network Communications (SNC) provides stronger authentication and encryption mechanisms than the default security options of SAP.
This document explains how to enable Secure Network Communications (SNC) to secure the communications between Virtual DataPort and SAP. Take the following into account:
- In Virtual DataPort, you can enable SNC on the data sources that use SAP JCo (SAP Java Connector) to connect to SAP. These are:
- BAPI data sources.
- Multidimensional data sources with the adapters “SAP BI 7.x (BAPI)” or “SAP BW 3.x (BAPI)”.
SNC cannot be enabled in multidimensional data sources with the adapters “SAP BI 7.x (XMLA)” or “SAP BW 3.x (XMLA)”.
- SNC is used to secure the communications (privacy protection). The authentication of users, however, is still performed with their username and password, not with their certificate.
Content
NOTE: To configure SNC you need the SAP Cryptographic Library. Details on how to obtain it can be found in the following SAP link:
In the host where the Virtual DataPort server is installed, execute these steps:
- Open a command line and execute the following commands to create the Personal Security Environment (PSE) file:
    cd C:\SAP\SNC\sec
    SET SECUDIR=C:\SAP\SNC\sec
    sapgenpse.exe gen_pse -v -p denodo_SAPSSLS.pse
Note: In environments where systemd starts the Virtual DataPort server as a service, add the SECUDIR assignment to the service unit (for example, with an Environment= directive) so that the variable is available to the server process. SECUDIR points to the directory holding the PSE and the credentials file (cred_v2), which are required for authentication, and the Virtual DataPort server process must be able to read them.
You will see output like the following; at the end of the process, the PSE file is created.
You will have to provide the PIN and the distinguished name (DN) of the user.
    Please enter PIN:
    Please reenter PIN:
    get_pse: Distinguished name of PSE owner: cn=server
    Supplied distinguished name: "cn=server"
    Creating PSE with format v2 (default)
    Generating key (RSA, 2048-bits) ... succeeded.
    certificate creation... ok
    PSE update... ok
    PKRoot... ok
    Generating certificate request... ok.
    PKCS#10 certificate request for "C:\SAP\SNC\sec\denodo_SAPSSLS.pse":
    -----BEGIN CERTIFICATE REQUEST-----
    MIICVTCCAT0CAQAwEDEOMAwGA1UEAxMFYWx0ZWEwggEiMA0GCSqGSIb3DQEBAQUA
    A4IBDwAwggEKAoIBAQD7GZ46+OuMWAf9YhHs2hvh4DAb0xYTzm8kO8PwaoFCuJEK
    CXf7l5qAf5Yd8UlAgyhf7pzOWL1XkKcnIo7/Mcmu6iYnXOd55jzbPWzH5iYWa9Cj
    bbSJKfjESNexsgp5xJVdQB8Smefhy9YAq0cOSU1SOnoMBDs7agPgKyF1GhiG5EJp
    s9Thrh3ZxSqzJYkY7T7Qrt5QYsgUhMxaBxJoCnLAVS9ImNoOPrwVp7d2Zw3JAR6A
    WmlgosFcuiV/8HD5XipKz9V5LQgi+klGopYWsjhb+Oc2FGXRG+/rw5pDZ+xFZ4YQ
    sV+LGktFj+UwP/NmIjGicYXCXsmBzhc81j05RPLNAgMBAAGgADANBgkqhkiG9w0B
    AQUFAAOCAQEAvYt5HZS7TreD8N3gmkkBnUCPTbd/izl+8L2UW0YduH0ZFdcCn6z
    xOY/zG7FfNTTBhoGbw0uzaPyn6yKgdAaIQ==
    -----END CERTIFICATE REQUEST-----
- Export the PSE file to a crt file:
    sapgenpse.exe export_own_cert -v -p denodo_SAPSSLS.pse -o denodo_SAPSSLS.crt
- Assign credentials to the user account that you will use to run the Virtual DataPort server:
    sapgenpse.exe seclogin -p denodo_SAPSSLS.pse -O <domain>\<user>
For example:
    sapgenpse.exe seclogin -p denodo_SAPSSLS.pse -O CONTOSO\frank
You will see something like:
    running seclogin with USER="frank"
    creating credentials for user "CONTOSO\frank" (yourself)...
    Adjusting credentials and PSE ACLs to include "CONTOSO\frank"...
    Oh, you supplied your own name explicitly ... ok.
    C:\SAP\SNC\sec\cred_v2 ... ok.
    C:\SAP\SNC\sec\denodo_SAPSSLS.pse ... ok.
    Added SSO-credentials for PSE "C:\SAP\SNC\sec\denodo_SAPSSLS.pse"
Note: if the user account is local to the machine (it does not belong to a Windows domain), execute:
    sapgenpse.exe seclogin -p denodo_SAPSSLS.pse -O SYSTEM
- Open SAP GUI and log in.
- Import the client certificate into SAP. To do this, follow these steps:
- Start the transaction STRUST.
- On the left side of the dialog, expand the node SNC SAPCryptolib and double-click the server where you want to install the crt certificate generated in the previous steps.
- If the certificate does not exist for this SAP Server, do the following:
- Right-click System PSE
- Click Display <-> Change to enable the “Create” option.
- Import the certificate: click the import button at the bottom of the dialog and select the file denodo_SAPSSLS.crt created before.
- Click Add to Certificate List to add the imported certificate to the list of certificates of the System PSE. The certificate now appears in the “Certificate List” table.
- Start the transaction SNC0. You will see a dialog like the following:
- Click New entries. You will see a dialog like the following:
- In the SNC Name box, enter the Distinguished Name (DN) you provided in the first step.
- Select at least the “Entry for ext. ID activated” check box.
- Click the Save button.
- Go back to the STRUST transaction and do the following:
- Expand the node SNC SAPCryptolib and double-click the host where the certificate was imported.
You will see a dialog like the following:
- In the “Certificate List”, select the subject of the certificate you want to export.
- Click the button to export the certificate. Use the Base64 option and store the file with the name dnd_out.crt.
- In the host where the Virtual DataPort server runs, execute the following to import the server “.crt”:
    sapgenpse.exe maintain_pk -a dnd_out.crt -p denodo_SAPSSLS.pse
You will see something like this:
    maintain_pk for PSE "C:\SAP\SNC\sec\denodo_SAPSSLS.pse"
    Subject : CN=SNC, CN=ERP
    PKList updated (1 entries total, 1 newly added)
- In Virtual DataPort, open the configuration of the BAPI data source or a multidimensional data source with a BAPI adapter.
The user account used in the data source is a regular SAP user account without any special configuration. To see the SNC configuration of a user, do the following:
- In SAP GUI, start the transaction SU01.
- Enter the name of a user and click the “Display” icon.
- Then, click the tab SNC to see the SNC configuration for that particular user. You will see a dialog like the following:
- In Virtual DataPort, in the dialog to configure the data source, click Advanced and follow these steps (the steps to enable SNC are the same for both types of data sources):
- Enter the path to the SAP Cryptographic Library. That is, the path to the file sapcrypto.dll (if the server runs on Windows) or to libsapcrypto.so (if the server runs on Linux). You can download this library from the SAP website.
- Enter the Partner name. That is, the distinguished name of the SAP server. For example, p:CN=SNC,CN=ERP.
- Select the Security level. SAP offers three security levels and, in addition, these two options:
- Use the value from snc/data_protection/use: uses the default security level set by the SAP server.
- Use the value from snc/data_protection/max: uses the maximum level of security offered by the SAP server.
After creating the data source, you can use a network packet analyzer (e.g. Wireshark) to check that the messages are encrypted.
Appendix A: Configuration Properties of SAP
At the SAP server, the profile configuration file (in our scenario: C:\usr\sap\ERP\SYS\profile\ERP_DVEBMGS03) must contain the following properties.
    # Properties related to SNC configuration
    snc/enable = 1
    snc/data_protection/min = 2
    snc/data_protection/max = 3
    snc/data_protection/use = 3
    snc/accept_insecure_gui = 1
    snc/accept_insecure_cpic= 1
    snc/accept_insecure_rfc = 1
    snc/accept_insecure_r3int_rfc = 1
    snc/r3int_rfc_secure = 0
    snc/r3int_rfc_qop = 3
    snc/permit_insecure_start = 1
    snc/identity/as = p:CN=SNC,CN=ERP
    snc/extid_login_diag = 1
    snc/extid_login_rfc = 1
    spnego/construct_SNC_name = 111
    snc/gssapi_lib = C:\usr\sap\ERP\DVEBMGS03\exe\sapcrypto.dll
The following link explains in more detail the meaning of these properties: Profile Parameter Settings on AS ABAP.
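As an added example (not Denodo's or SAP's code), the following script parses an SAP profile fragment like the one in Appendix A and checks the SNC settings the data source configuration above depends on: that SNC is enabled, that the Partner name entered in Virtual DataPort matches snc/identity/as, which level the "Security level" selection will actually negotiate given snc/data_protection/min, max and use, and which snc/accept_insecure_* parameters still allow unprotected connections. The profile text is constructed from the Appendix A values; the numeric codes 8 and 9 for the "use snc/data_protection/use" and "use snc/data_protection/max" options follow SAP's snc_qop convention and are an assumption about how the two options are encoded, not something the article states.

```python
"""Check the SNC-related parameters of an SAP instance profile against the
settings chosen for a Virtual DataPort BAPI data source.
Added example, not code from Denodo or SAP."""

# Level numbering as used by snc/data_protection/* and (assumed) by the
# data source's "Security level" option, following SAP's snc_qop codes:
#   1 = authentication only, 2 = integrity protection, 3 = privacy protection,
#   8 = take the server's snc/data_protection/use, 9 = take snc/data_protection/max.
QOP_NAMES = {1: "authentication only", 2: "integrity protection", 3: "privacy protection"}

# Constructed from the Appendix A profile fragment (backslashes doubled for Python).
PROFILE_TEXT = """\
# Properties related to SNC configuration
snc/enable = 1
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic= 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 3
snc/permit_insecure_start = 1
snc/identity/as = p:CN=SNC,CN=ERP
snc/extid_login_diag = 1
snc/extid_login_rfc = 1
spnego/construct_SNC_name = 111
snc/gssapi_lib = C:\\usr\\sap\\ERP\\DVEBMGS03\\exe\\sapcrypto.dll
"""


def parse_profile(text):
    """Return {parameter: value} from 'key = value' lines; comments and blanks are skipped.
    Only the first '=' separates key and value, so DNs such as p:CN=SNC,CN=ERP survive."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def effective_qop(params, requested):
    """Resolve the level the client will negotiate for a requested level
    (1, 2, 3, 8 = server default, 9 = server maximum), or None if the server
    would not allow it. Defaults mirror SAP's: min 2, max 3, use = max."""
    lo = int(params.get("snc/data_protection/min", 2))
    hi = int(params.get("snc/data_protection/max", 3))
    use = int(params.get("snc/data_protection/use", hi))
    level = {8: use, 9: hi}.get(requested, requested)
    return level if lo <= level <= hi else None


def check_snc(params, partner_name, requested_level):
    """Return the findings a reviewer would want before enabling SNC on the data source."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: the server will not accept SNC connections")
    identity = params.get("snc/identity/as")
    if identity != partner_name:
        findings.append(f"partner name {partner_name!r} does not match snc/identity/as {identity!r}")
    level = effective_qop(params, requested_level)
    if level is None:
        findings.append(f"requested level {requested_level} is outside the server's allowed range")
    elif level < 3:
        findings.append(f"negotiated level {level} ({QOP_NAMES[level]}) does not encrypt the payload")
    # These parameters keep accepting connections without SNC; worth knowing
    # when the goal is that every RFC/GUI/CPIC connection is protected.
    for key in ("snc/accept_insecure_rfc", "snc/accept_insecure_gui", "snc/accept_insecure_cpic"):
        if params.get(key) == "1":
            findings.append(f"{key} = 1: unprotected connections of this kind are still accepted")
    return findings


if __name__ == "__main__":
    profile = parse_profile(PROFILE_TEXT)
    for finding in check_snc(profile, "p:CN=SNC,CN=ERP", 8):
        print("-", finding)
```

Run against the Appendix A values with the partner name p:CN=SNC,CN=ERP and the "use snc/data_protection/use" option, the only findings are the three snc/accept_insecure_* parameters, which do not affect the Virtual DataPort connection itself but mean that other clients may still connect without SNC. Selecting level 1 would be reported as outside the server's allowed range, since snc/data_protection/min is 2.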