
ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]

Former Member
0 Kudos

I am attempting to set up SNC for business objects and this has fallen at the first hurdle.

I have taken one of my app servers out of all logon groups and am configuring this for SAPCrypto. According to the documentation I need to set a number of parameters to the file path for the sapcrypto.dll file (done!) and also set the snc/identity/as to the DN for the SAP server.

I have copied the DN from t-code strust to put into the profile, this is prefixed with p:

Therefore looks like

p:CN=XB7, OU=I0020141033, OU=SAP Web AS, O=SAP Trust Community, C=DE

I checked on the server to ensure that the environment variable SECUDIR is set to the sec directory on the server - which contains a number of pse files.

After restarting the instance the application server fails to restart with the following error;

dbexpbuf: Buffer ESM (addr: 000000002A9C0170, size: 81920000, end: 000000002F7E0170)

B dbexpbuf: Buffer CUA (addr: 0000000035040170, size: 81920000, end: 0000000039E60170)

B dbexpbuf: Buffer OTR (addr: 000000002F7F0170, size: 4194304, end: 000000002FBF0170)

B dbcalbuf: Buffer CALE (addr: 000000002FC00050, size: 500000, end: 000000002FC7A170)

N SncInit(): Initializing Secure Network Communication (SNC)

N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/64/64)

N SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/min=2, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)

N SncInit(): found snc/gssapi_lib=
UKCLU61201\SAPMNT\XB7\SYS\exe\nuc\NTAMD64\sapcrypto.dll

N File "
UKCLU61201\SAPMNT\XB7\SYS\exe\nuc\NTAMD64\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N The internal Adapter for the loaded GSS-API mechanism identifies as:

N Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

N SncInit(): found snc/identity/as=p:CN=XB7, OU=I0020141033, OU=SAP Web AS, O=SAP Trust Community, C=DE

N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]

N GSS-API(maj): No credentials were supplied

N GSS-API(min): File is not existing

N Could't acquire ACCEPTING credentials for

N

N name="p:CN=XB7, OU=I0020141033, OU=SAP Web AS, O=SAP Trust Community, C=DE"

N SncInit(): Fatal -- Accepting Credentials not available!

N <<- SncInit()==SNCERR_GSSAPI

N sec_avail = "false"

M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 230]

M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 232]

M in_ThErrHandle: 1

M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 10651]

My questions are:

1. What is it looking for?

2. Where is it looking for it?

None of the documents I can find refer to creating a credentials file or anything of the kind - what step is missing from the documentation?

Accepted Solutions (0)

Answers (1)

sunny_pahuja2
Active Contributor
0 Kudos

Hi,

It looks like the pse file is missing at OS level. Please make sure that the SECUDIR parameter is set in the environment of user <sid>adm, and also generate the pse file with the sapgenpse tool and at the same time assign its credentials to the <sid>adm user.

Thanks

Sunny

Former Member
0 Kudos

I'm not sure I understand your response.

The environment variable is set and the sec directory contains pse files (as I mentioned).

Exactly which pse file would be missing? Also can you refer me to the necessary documentation for

"generate pse file with sapgenpse tool and at same time assign its credentials to admin user" ?

I have followed the SAP documentation that I can find which simply states that the sapcrypto.dll and sapgenpse.exe should be saved to the SAP server and that the ticket file that comes with this download should be placed in the sec directory referred to by the SECUDIR environment variable.

It would be very helpful to see the documentation that details the creation and storage of the generated pse file from sapgenpse and also what the assignment of the credentials piece entails.

Former Member
0 Kudos

It seems that this original error was caused because we have always used SSO for our SAP systems - I am changing from GSSAPI on a single app server to sapcrypto. As a result the profile parameter snc/enable was already set to 1, I have set this to 0 and this allowed the server to restart.

However!

When I try to create the SNC SAPCryptolib entry in STRUST I get the error message that the distinguished name is already used.

Well of course it is! The documentation states that I must enter the distinguished name (DN) of the SAP server into the profile parameter snc/identity/as. I did this, finding the correct DN in Strust field "Own Certificate".

Can someone please tell me what I am supposed to enter as the DN? As I guess from the system response I cannot use the actual DN of the system but must use some other thing. Do I just invent a DN?

sunny_pahuja2
Active Contributor
0 Kudos

Hi,

As per SAP recommendation, the DN name should be the fully qualified hostname of the server, but in your case, as it is already used, you can use the hostname of the server only.

As far as the sapgenpse tool and the assignment of the password to the <sid>adm user are concerned, you can follow the links below:

http://help.sap.com/saphelp_nw04s/helpdata/en/4a/61bc8c8a53ae45b906c3451b7b321a/content.htm

http://help.sap.com/saphelp_nw04/helpdata/en/56/a92f3ae689f058e10000000a11402f/content.htm

Thanks

Sunny

Former Member
0 Kudos

Just to complete this thread, we have worked out what the issues were, and so that no one else needs to go through the hoops we just did, here is the solution.

1. The documentation assumes that your SAP system does not have any sort of SNC implemented - therefore if you are using client side SNC for SAP GUI etc. you need to reverse the initial steps and do the following:

Set parameter snc/enable = 0 (turn off SNC) & restart your server.

In STRUST create the SNC PSE - this generates the cred file that is required. NOW you can set the parameters as documented in the config guide and restart your server successfully.

Then you need to make sure of the following,

Log on to your BOE server using the administration account that the SIA runs under to create your BOE PSE file. You need to make sure that the user that your J2EE runs under is this same account (this is critical!).

If you have multiple BOE servers, ALL SIA must run under the same account, and it must be typed into the SIA properties in THE SAME CASE - if you have one in upper and one in lower case the single sign on will fail.
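
The failure in the trace at the top of this thread can be recognised mechanically. The following is an added example, not part of the original posts and not SAP code: it parses the SNC lines of a work process trace and, when the accepting credentials could not be acquired, reports which files are absent from SECUDIR. The file names `SAPSNCS.pse` and `cred_v2` are assumed defaults that the thread does not state, and the function names are hypothetical.

```python
import os
import re

# Trace excerpt copied from the question above.
SAMPLE_TRACE = """\
N SncInit(): found snc/identity/as=p:CN=XB7, OU=I0020141033, OU=SAP Web AS, O=SAP Trust Community, C=DE
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]
N GSS-API(maj): No credentials were supplied
N GSS-API(min): File is not existing
N SncInit(): Fatal -- Accepting Credentials not available!
"""

PATTERNS = {
    "identity": re.compile(r"found snc/identity/as=(.+)"),
    "error": re.compile(r"\*\*\* ERROR => (\w+)\(\)==(\w+)"),
    "gss_major": re.compile(r"GSS-API\(maj\): (.+)"),
    "gss_minor": re.compile(r"GSS-API\(min\): (.+)"),
}

def parse_snc_trace(text):
    """Collect the first match of each SNC field from a trace."""
    found = {}
    for line in text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m and key not in found:
                # "error" keeps (function, code); the rest keep one string
                found[key] = m.groups() if key == "error" else m.group(1).strip()
    return found

def missing_snc_files(secudir, names=("SAPSNCS.pse", "cred_v2")):
    """Return the expected SNC files (assumed names) absent from SECUDIR."""
    return [n for n in names if not os.path.isfile(os.path.join(secudir, n))]

def diagnose(text, secudir):
    """Flag the credential-acquisition failure and list missing files."""
    info = parse_snc_trace(text)
    cred_failure = (info.get("error") == ("SncPAcquireCred", "SNCERR_GSSAPI")
                    and "No credentials" in info.get("gss_major", ""))
    info["cred_failure"] = cred_failure
    info["missing_files"] = missing_snc_files(secudir) if cred_failure else []
    return info

if __name__ == "__main__":
    # Run as the account the instance runs under, so SECUDIR is the same.
    print(diagnose(SAMPLE_TRACE, os.environ.get("SECUDIR", ".")))
```

A PSE file can be present while the credentials file is not, which matches the situation described in the question: SECUDIR was set and contained pse files, yet the trace reported "File is not existing".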