SNC connection to an SAP System
Secure Network Communications (SNC) can be used to secure RFC connections between on-site Redwood Server and SAP instances.
information
For SaaS instances, you do not have direct access to the operating system and hence need a component to configure SNC connections; if you want to configure SNC for a spool host (SaaS environments, only), see Secure Spool Host Connections with SNC.
To make use of SNC, you need to configure your SAP system to use SNC.
The systems involved require the SAP Cryptographic library to be available in the path.
The library can be found on SAP Launchpad.
Prerequisites
- You have installed the correct SAP Cryptographic library for your platform in the path of your systems. See Secure Connections with SNC for more information. Note that on Windows, you need to set SECUDIR and SNC_LIB as system variables if a system user is used to run the server.
Procedure
- In the instance profile of the central instance (Target SAP System), the SAP parameters below need to be set.
- Restart the SAP instance to activate the SNC settings.
snc/enable = 1
snc/gssapi_lib =<DRIVE>:\%windir%\system32\sapcrypto.dll
snc/identity/as =p:<SAP_Service_User>@<DOMAIN_NAME>
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
See Profile Parameter Settings on the ABAP Platform for specific documentation on these profile parameters.
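The check below is an added example, not part of the Redwood or SAP documentation: it parses an instance profile and lists the settings that leave SNC optional rather than enforced. It assumes plain `name = value` profile lines; the sample input is the constructed copy of the parameter block above, and the function names are hypothetical.

```python
import re

# Constructed sample: the profile lines from the Procedure section above.
SAMPLE_PROFILE = """\
snc/enable = 1
snc/gssapi_lib =<DRIVE>:\\%windir%\\system32\\sapcrypto.dll
snc/identity/as =p:<SAP_Service_User>@<DOMAIN_NAME>
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
"""

QOP = {"1": "authentication only", "2": "integrity protection"}

def parse_profile(text):
    """Return {parameter: value} for 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            params[name.strip()] = value.strip()
    return params

def audit_snc(params):
    """Return a list of findings about how strictly SNC is enforced."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is off")
    for key in ("snc/gssapi_lib", "snc/identity/as"):
        if not params.get(key):
            findings.append(f"{key} is missing")
    for name, value in sorted(params.items()):
        # Any value other than 0 (including per-user "U") lets some peers skip SNC.
        if re.fullmatch(r"snc/(accept|permit)_insecure_\w+", name) and value != "0":
            findings.append(f"{name} = {value}: connections without SNC are still accepted")
    minimum = params.get("snc/data_protection/min", "")
    if minimum in QOP:
        findings.append(f"snc/data_protection/min = {minimum}: "
                        f"{QOP[minimum]} accepted, encryption not required")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_snc(parse_profile(SAMPLE_PROFILE))))
```

Run against the profile shown above, it reports the five `insecure` parameters and the minimum protection level, which is the state to revisit once all clients connect through SNC.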
Configuration on the ABAP System
- In the Target ABAP System, use transaction SU01 to define a service user that will be used by Redwood Server to connect.
- On the SNC-Tab, specify the SNC Name for Redwood Server (p:<SAP_Service_User>@<DOMAIN_NAME>).
note
If more than one SNC name needs to be assigned to this user, these can be specified in table USRACLEXT (use transaction SM30 to maintain it).
Configuration in Redwood Server
- Navigate to "Environment > SAP".
- Choose Edit from the context-menu of the SAP system you want to connect to via SNC.
- On the SAP System tab, fill the connect string below into the RFC Connect String field.
- Choose Check connection and make sure the connection was successful.
- On the XBP tab, choose Check Connection Settings.
- Choose Save & Close.
- Navigate to "Environment > Process Servers" and restart the process server belonging to the SAP system.
SNC_MODE=1 SNC_PARTNERNAME="p[/secude]:CN=TNW, OU=Administartors, O=Example, C=DE" SNC_LIB=<SAPCRYPTOLIB_DLL>
SNC_MODE=1 SNC_PARTNERNAME="p[/krb5]:tnw@example.de" SNC_LIB=<SAPCRYPTOLIB_DLL>
The connect string of the SAP System needs additional parameters for SNC.
Parameter | Description | Mandatory |
---|---|---|
SNC_MODE=1 | Activates SNC for the connection | ✓ |
SNC_PARTNERNAME="p[/secude]:<name>" SNC_PARTNERNAME="p[/krb5]:<name>" | Defines the target SAP system's DN (secude) or Kerberos name (krb5) | ✓ |
SNC_SSO=1 | Enable SSO (default) | - |
SNC_QOP=3 | Defines how secure the connection is: 1 = Auth only, 2 = Integrity, 3 = Privacy, 8 = Default, 9 = Maximum | - |
SNC_MYNAME="p[/secude]:<name>" SNC_MYNAME="p[/krb5]:<krb5_name>" | Defines the DN or Kerberos name of the PSE to use | - |
See Configuring SNC: External Programs → ABAP Platform Using RFC for more information.
Example
This example shows how the SAP Cryptographic library can be used for an SNC connection between Redwood Server and a connected SAP ABAP System.
Instance profile settings in SAP
snc/enable = 1
snc/gssapi_lib =c:\windows\system32\sapcrypto.dll
snc/identity/as =p:SAPServicePRD@EXAMPLE.COM
Service user in the target ABAP system
p:SAPServicePRD@EXAMPLE.COM
Connect String in Redwood Server
SNC_MODE=1 SNC_PARTNERNAME="p:SAPServicePRD@EXAMPLE.COM" SNC_LIB=sapcrypto.dll
See Also
- SNC Terminology
- SAP Note 1848999
- SAP Note 2573413
- Configuring SNC: External Programs → ABAP Platform Using RFC
- Exporting the Server's Certificate Using SAPGENPSE
- Creating the Server's Credentials Using SAPGENPSE
- Maintaining the Server's Certificate List Using SAPGENPSE