05-07-2010 7:15 AM
Hi,
I followed Gregor Wolf's excellent tutorial at: Setup data encryption between RFC Client and Web AS ABAP with SNC
When testing my JCO Client, I am getting the following error:
RfcException: [null]
message: SNC name of the partner system not in ACL system on xxx
Return code: RFC_SYS_EXCEPTION(3)
error group: 103
key: RFC_ERROR_LOGON_FAILURE
at com.sap.conn.rfc.api.RfcApi.RfcOpen(RfcApi.java:211)
at com.sap.conn.jco.rt.MiddlewareJavaRfc$JavaRfcClient.connect(MiddlewareJavaRfc.java:1273)
... 9 more
I verified that I have the SNC name of the JCO client in the System ACL (tx SNC0).
Is there any way to trace what's happening there?
Do I have to maintain an ACL on my JCO client side, too?
Regards,
Jens
05-07-2010 9:16 AM
Hi Jens,
Looking at the blog I suspect that you might be trying to use the SAP cryptographic library for your SNC connection from JCo client to the SAP application server. If yes, then I think the issue is that this library can only be used for application server to application server communication as explained in the SAP online help, see [Using the SAP Cryptographic Library for SNC|http://help.sap.com/saphelp_nw04/helpdata/en/32/431c3aadda4f25e10000000a11402f/frameset.htm]. For SAPgui or other external tools you have to use a library from a third party, e.g. [Secude|http://www.secude.com].
See also this thread.
Cheers, harald
05-07-2010 10:57 AM
Hi Harald,
thanks for your answer.
However, I had read the help.sap.com documentation before and it says:
"You can only use the SAP Cryptographic Library for SNC between server components. If you want to use SNC for frontend components (for example, SAP GUI for Windows), then you must purchase an SNC-certified partner product."
I am not trying to connect from a frontend component such as SAP GUI. In my case, the JCO client is a server component - just as XI or Portal are Server components, connecting to an ABAP backend.
My interpretation about the frontend comment was the difficulties in key/credential distribution without underlying security products like Secude.
What would a server component in the sense of this documentation be - and what not?
How would PI or Portal use SNC and how did it work for Gregor in the Blog?
Regards,
Jens
05-07-2010 12:51 PM
You're right, on second read I start suspecting that I misinterpreted server components. So I read again through the blog and now I can see that he clearly utilized JCo. The only thing that I noticed (might be wrong again) is that his JCo client seems to reside on the application server (but one would assume that this shouldn't really matter).
Quickly checked OSS but didn't find anything useful. OSS note [201417 - CPIC call failes in case of activated SNC|https://service.sap.com/sap/support/notes/201417] just mentioned maintaining the ACL, but per your comment that's already done.
Have you tried any tracing and checked the various logs? I also noticed that you posted a comment on the blog. Let's see if somebody else can provide a solution.
05-07-2010 2:40 PM
Hi Harald,
yes, I commented in the Blog referring to this thread here. I had heard the "SAP Crypto Lib usage is very limited" comment before - referring to license restrictions last time. I wanted to get Gregor's opinion - ideally in the forum.
Tracing would be one of the first things to do. However, I am very much a Java guy and my problem occurs in the ABAP part. I enabled some trace in SMGW, but this didn't really help me (it might help some RFC experts).
However, my guess is that on the ABAP side in my case the same is required as if I'd connect from PI or Portal. I hoped there would be some common trap into which I ran.
Which trace would you recommend?
Thanks!
Jens
05-08-2010 6:31 AM
Lots of options for tracing in SAP, especially when it comes to RFC. However, for logon problems I suspect there's probably much less reasonable choices, e.g. activating a full trace on the JCo client program probably won't tell much. I'd start with the recommendations given in OSS note 495911 - Trace analysis for logon problems. You need access to the SAP service market place to see the note.
Assuming that the error message is pointing out a valid issue, the question would still be if your setup is correct. If you use any non-ASCII characters in your SNC name, check out OSS note 952208 - SNC-Names with non-ASCII characters in SAP WebAS Unicode. OSS note 320991 - Error codes during logon (list) lists error codes encountered during logon (though for your problem there's no additional information beyond what you know already).
05-14-2010 10:08 AM
Hi,
I finally managed to resolve my problem. As the error indicated, the problem was in the ACL. There were multiple entries in my System ACL for the same SNC name (with more or less blanks and in particular: one of them had the checkboxes for "Entry for certificate activated" and "Entry for ext.ID activated" unchecked).
Removing all of them and re-creating one correct entry was all that was required.
Thanks a lot for your help!
Jens
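The condition found in the last post (several System ACL entries for one SNC name, differing in blanks and in their activation checkboxes) can be checked for mechanically. The following is an added example, not part of the original thread: it assumes the ACL has been exported to CSV, and the column names, the sample rows and the blank-insensitive grouping rule are all assumptions made for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample: a hypothetical CSV export of the System ACL (tx SNC0).
# Column names are assumptions for this example, not SAP field names.
SAMPLE_EXPORT = """system_id,snc_name,cert_active,extid_active
JCO,"p:CN=JCOCLIENT, OU=IT, O=EXAMPLE, C=DE",X,X
JCO,"p:CN=JCOCLIENT,OU=IT,O=EXAMPLE,C=DE",,
JCO,"p:CN=JCOCLIENT,  OU=IT, O=EXAMPLE, C=DE ",X,
PI1,"p:CN=PI1, OU=IT, O=EXAMPLE, C=DE",X,X
"""

def normalize_snc_name(name):
    """Grouping key: trim, collapse blank runs, drop blanks around ',' and '='."""
    # Assumption: entries that differ only in blanks are meant to be the same
    # partner. The key only surfaces candidates for manual review in SNC0.
    name = re.sub(r"\s+", " ", name.strip())
    return re.sub(r"\s*([,=])\s*", r"\1", name)

def audit_acl(export_text):
    """Return one finding per SNC name that has more than one ACL entry."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        groups[normalize_snc_name(row["snc_name"])].append(row)

    findings = []
    for key, rows in groups.items():
        if len(rows) < 2:
            continue
        # Entries where either activation checkbox is not set.
        inactive = [r["snc_name"] for r in rows
                    if r["cert_active"] != "X" or r["extid_active"] != "X"]
        findings.append({
            "normalized": key,
            "entries": len(rows),
            "spellings": sorted({r["snc_name"] for r in rows}),
            "inactive_spellings": inactive,
        })
    return findings

if __name__ == "__main__":
    for f in audit_acl(SAMPLE_EXPORT):
        print(f"{f['entries']} entries for {f['normalized']}")
        for s in f["inactive_spellings"]:
            print(f"  activation flags not fully set: {s!r}")
```

Each finding is a name to clean up by hand, as the post describes: delete the duplicates and re-create a single entry with both checkboxes set.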