
SNC Setup = ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]

Former Member

I am attempting to setup SNC for business objects and this has fallen at the first hurdle.

I have taken one of my app servers out of all logon groups and am configuring this for SAPCrypto. According to the documentation I need to set a number of parameters to the file path for the sapcrypto.dll file (done!) and also set the snc/identity/as to the DN for the SAP server.

I have copied the DN from t-code STRUST to put into the profile, this is prefixed with p:

Therefore looks like

p:CN=XB7, OU=I0020141033, OU=SAP Web AS, O=SAP Trust Community, C=DE

I checked on the server to ensure that the environment variable SECUDIR is set to the sec directory on the server - which contains a number of pse files.

After restarting the instance the application server fails to restart with the following error;

dbexpbuf: Buffer ESM (addr: 000000002A9C0170, size: 81920000, end: 000000002F7E0170)

B dbexpbuf: Buffer CUA (addr: 0000000035040170, size: 81920000, end: 0000000039E60170)

B dbexpbuf: Buffer OTR (addr: 000000002F7F0170, size: 4194304, end: 000000002FBF0170)

B dbcalbuf: Buffer CALE (addr: 000000002FC00050, size: 500000, end: 000000002FC7A170)

N SncInit(): Initializing Secure Network Communication (SNC)

N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/64/64)

N SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/min=2, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)

N SncInit(): found snc/gssapi_lib=UKCLU61201\SAPMNT\XB7\SYS\exe\nuc\NTAMD64\sapcrypto.dll

N File "UKCLU61201\SAPMNT\XB7\SYS\exe\nuc\NTAMD64\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N The internal Adapter for the loaded GSS-API mechanism identifies as:

N Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

N SncInit(): found snc/identity/as=p:CN=XB7, OU=I0020141033, OU=SAP Web AS, O=SAP Trust Community, C=DE

N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]

N GSS-API(maj): No credentials were supplied

N GSS-API(min): File is not existing

N Could't acquire ACCEPTING credentials for

N

N name="p:CN=XB7, OU=I0020141033, OU=SAP Web AS, O=SAP Trust Community, C=DE"

N SncInit(): Fatal -- Accepting Credentials not available!

N <<- SncInit()==SNCERR_GSSAPI

N sec_avail = "false"

M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 230]

M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 232]

M in_ThErrHandle: 1

M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 10651]

My questions are:

1. What is it looking for?

2. Where is it looking for it?

None of the documents I can find refer to creating a credentials file or anything of the kind - what step is missing from the documentation?

Accepted Solutions (1)


IngoH
Active Contributor

Hi,

you mentioned that you are switching between different SNC APIs and you are talking about profile parameters, DN names, ...

SNC is a very sensitive topic so please talk to the basis guy to ensure that the steps are done correctly and also in the correct order, as there are even situations where, when not done in the right order, the SAP server will not boot up anymore.

so what is the current situation on the server ?

what is the goal ?

and why do you want to use SNC ?

thanks

ingo

Former Member

Hi Ingo

I totally agree that SNC setup is "sensitive"

It's the same old story - we are using SAP Portal KMC as the interface to Business Objects reporting, we are having single sign on issues and it seems that means we need SNC to be setup.

We don't allow our users to have passwords in BW for security reasons & the BO reports are issuing a no password error when we try to run them.

Anyway - I got past the original error that I reported here. It was an assumption in the documentation that SSO would not have been setup previously in the BW system (we use GSSAPI for GUI SSO). So I needed to switch the SNC/Enabled to 0 when I restart and not have the DN name filled in.

Then create a new DN name in STRUST before using this new DN in the profile parameters, setting enabled back to 1 and restarting again.

Anyway, I managed to complete (I think) the SNC configuration but we still get the no password error.

If you want more information have a look at our CSN message 0000860715 which has all the screenshots from the setup & even my configuration notes step by step.

in any case so far ... no single sign on

regards

Marina

IngoH
Active Contributor

Hi,

It's the same old story - we are using SAP Portal KMC as the interface to Business Objects reporting, we are having single sign on issues and it seems that means we need SNC to be setup.

>> So why do you think that you need SNC to be able to view a report from the SAP Portal ?

We don't allow our users to have passwords in BW for security reasons & the BO reports are issuing a no password error when we try to run them.

>> So SNC is already configured on the SAP Server backend ?

Then create a new DN name in STRUST before using this new DN in the profile parameters, setting enabled back to 1 and restarting again.

>> You would first configure your profile parameters

Anyway, I managed to complete (I think) the SNC configuration but we still get the no password error.

If you want more information have a look at our CSN message 0000860715 which has all the screenshots from the setup & even my configuration notes step by step.

>> So you did configure SNC on the BW side and you also configured SNC on the BOE Server for being able to view the report from the portal ?

ingo

Former Member

>> So why do you think that you need SNC to be able to view a report from the SAP Portal ?

SAP support has told us we need to. SSO from SAP portal to BW directly works without any problems. However via BO it fails, the answer we were given is that SNC is a requirement.

>> So SNC is already configured on the SAP Server backend ?

Yes, with GSSAPI for SAP GUI SNC logon. Hence the reason for setting up SAPCrypto on specific application servers which are removed from the general logon groups - as you know SAPCrypto & GSSAPI cannot coexist on the same application server.

>> You would first configure your profile parameters

Yes, I have done that. However, the original error was caused because we already had SNC. The first step in configuring the profile parameters has to be to disable SNC before restarting and attempting to configure the SNC certificate in STRUST. Otherwise the credentials don't exist and the application server will fail to restart. Then following this the profile parameters should be set as per the documentation & the instance restarted.

>> So you did configure SNC on the BW side and you also configured SNC on the BOE Server for being able to view the report from the portal ?

Yes, I have gone through the process of configuring SNC on a specific application server for BW to use SAPCrypto & completed the process (as far as I am aware) on the BOE server - however the SSO still fails from the Webi report which is launched from the portal.

Cheers

Marina

IngoH
Active Contributor

Hi,

> So why do you think that you need SNC to be able to view a report from the SAP Portal ?

SAP support has told us we need to. SSO from SAP portal to BW directly works without any problems. However via BO it fails, the answer we were given is that SNC is a requirement.

>>> SNC is not a requirement to do SSO from SAP Portal to BW to SAP BusinessObjects BI unless your SAP landscape is already configured for SNC.

>> So SNC is already configured on the SAP Server backend ?

Yes, with GSSAPI for SAP GUI SNC logon. Hence the reason for setting up SAPCrypto on specific application servers which are removed from the general logon groups - as you know SAPCrypto & GSSAPI cannot coexist on the same application server.

>>> sorry you are trying to configure two completely different SNC libraries at the same time ? SAP Crypto is Server Side trust and GSSAPI is CLIENT side SNC authentication. You can't have two totally different SNC libraries configured on your SAP server.

>> You would first configure your profile parameters

Yes, I have done that. However, the original error was caused because we already had SNC. The first step in configuring the profile parameters has to be to disable SNC before restarting and attempting to configure the SNC certificate in STRUST. Otherwise the credentials don't exist and the application server will fail to restart. Then following this the profile parameters should be set as per the documentation & the instance restarted.

>> So you did configure SNC on the BW side and you also configured SNC on the BOE Server for being able to view the report from the portal ?

>>> see above - you can't have two totally different sets of SNC configured

Yes, I have gone through the process of configuring SNC on a specific application server for BW to use SAPCrypto & completed the process (as far as I am aware) on the BOE server - however the SSO still fails from the Webi report which is launched from the portal.

>>> and I would also assume that your SAP GUI logon with GSSAPI now is not really working anymore.

Could I ask you to outline what the use cases are that you are trying to achieve and then we can clarify if SNC is needed and then we can talk about what to configure.

Ingo

Former Member

>>> SNC is not a requirement to do SSO from SAP Portal to BW to SAP BusinessObjects BI unless your SAP landscape is already configured for SNC.

Really! That would be great. But the SSO will not work. We are using the KMC integration in EP for BO reporting. The universes for BO are set for single sign on. The whole scenario is too long and detailed to explain here - sufficient to say that the SSO does not work.

>>> sorry you are trying to configure two completely different SNC libraries at the same time ? SAP Crypto is Server Side trust and GSSAPI is CLIENT side SNC authentication. You can't have two totally different SNC libraries configured on your SAP server.

I know that, which is why a single application server has been configured for SAPCrypto and the GSSAPI lib has been removed from the profile parameters. This single app server is the one that I have entered into the CMC configuration as the SAP authentication server.

>>> see above - you can't have two totally different sets of SNC configured

It's on a different app server - which is the single server configured in the CMC.

>>> and I would also assume that your SAP GUI logon with GSSAPI now is not really working anymore.

That's right, it doesn't for the specific server that I reconfigured. The other servers are all fine with GSSAPI

>>> Could I ask you to outline what the use cases are that you are trying to achieve and then we can clarify if SNC is needed and then we can talk about what to configure.

I have universes configured to use SSO

The Webi reports are accessed through the SAPPortal

SSO between BW & EP is configured and works fine for native BW reports

What happens is, a user tries to access the BO report and they get an error saying the logon details are incomplete.

So we ran some tests & found that if we set a BW password for the user, interactively logon to infoview (or one of the other BO tools), and then try in the portal again they can successfully launch the reports.

We then deactivate the BW password again and the BO reports fail again.

We do not want our users to have BW passwords - I guess that this makes SNC a requirement??

Cheers

Marina

IngoH
Active Contributor

Hi,

I have universes configured to use SSO

The Webi reports are accessed through the SAPPortal

SSO between BW & EP is configured and works fine for native BW reports

>> so far that does not require SNC

What happens is, a user tries to access the BO report and they get an error saying the logon details are incomplete.

So we ran some tests & found that if we set a BW password for the user, interactively logon to infoview (or one of the other BO tools), and then try in the portal again they can successfully launch the reports.

We then deactivate the BW password again and the BO reports fail again.

We do not want our users to have BW passwords - I guess that this makes SNC a requirement??

>> Yes - if that is the case then you either need to make sure you receive a Token - like coming from the SAP Portal or you need the SNC on the client.

So - for the Portal scenario there is no need to have SNC configured.

- make sure all URLs use the fully qualified names

- make sure OpenDocument is configured for SAP

- make sure SAP authentication is configured

- make sure the portal is sending SSO Logon Token

Ingo

Former Member

Hi Ingo

This is potentially very good news!

- make sure all URLs use the fully qualified names

In the configuration for the Business Objects Repository Manager we use all fully qualified domain names. We also launch the portal with fully qualified domain names.

- make sure OpenDocument is configured for SAP

Do you mean that the universe is configured for SAP single sign on? I'm not aware of a specific OpenDocument SAP statement - I will ask my team to investigate.

- make sure SAP authentication is configured

SAP Authentication was configured & all roles were imported into the CMC where the reports were assigned to users (this is changed now in an attempt to set up SNC)

- make sure the portal is sending SSO Logon Token

We use SSO2 tickets in our portals for signing on to both our SAP R/3 & BW systems. There is no specific setting (that I am aware of) for either the repository manager or the iView for displaying the repository that determines that the ticket should or should not be sent - I would therefore expect it to be sent.

Thanks

Marina

IngoH
Active Contributor

Hi,

- make sure all URLs use the fully qualified names

In the configuration for the Business Objects Repository Manager we use all fully qualified domain names. We also launch the portal with fully qualified domain names.

- make sure OpenDocument is configured for SAP

Do you mean that the universe is configured for SAP single sign on? I'm not aware of a specific OpenDocument SAP statement - I will ask my team to investigate.

>> all the URLs in the Repository Configuration Manager should be fully qualified

- make sure SAP authentication is configured

SAP Authentication was configured & all roles were imported into the CMC where the reports were assigned to users (this is changed now in an attempt to set up SNC)

>> SAP authentication is needed with or without SNC

- make sure the portal is sending SSO Logon Token

We use SSO2 tickets in our portals for signing on to both our SAP R/3 & BW systems. There is no specific setting (that I am aware of) for either the repository manager or the iView for displaying the repository that determines that the ticket should or should not be sent - I would therefore expect it to be sent.

>> ok. so could you try to create a simple iView with an open document URL to see if SSO works there ?

we are talking XI 3.1 - correct ?

ingo

Former Member

Hi Ingo

Yes it is XI 3.1 (sorry I should have mentioned that up front).

We get the same problem with an iView rather than KMC. When the user has a password set the reports can be refreshed, once the password is disabled the error "Unable to connect to SAP BW server You have no password, you cannot logon using a password (WIS 10901)" is reported.

The System that is used for the iView is set to use SAP Logon ticket authentication.

I think that this is what led the support engineer down the SNC path.

Regards

Marina

IngoH
Active Contributor

OK,

let's start differently:

- you have an SAP App Server with SNC Configured - correct ?

- if yes - then yes you will need SNC configured for the BOE Server.

- if no - then you don't have to have SNC to view a report.

if you have SNC configured, then you need to make sure

(a) SNC is configured properly

and all the other items I mentioned before.

Ingo

Former Member

Just to complete this thread, we have worked out what the issues were and, so that no one else needs to go through the hoops we just did, here is the solution.

1. the documentation assumes that your SAP system does not have any sort of SNC implemented - therefore if you are using client side SNC for SAP GUI etc you need to reverse the initial steps and do the following,

Set parameter snc/enable = 0 (turn off SNC) & restart your server

in STRUST create the SNC PSE - this generates the cred file that is required, NOW you can set the parameters as documented in the config guide and restart your server successfully.

Then you need to make sure of the following,

Logon to your BOE server using the administration account that the SIA runs under to create your BOE PSE file. You need to make sure that the user that your J2EE runs under is this same account (this is critical!).

If you have multiple BOE servers ALL SIA must run under the same account, and it must be typed into the SIA properties in THE SAME CASE - if you have one in upper and one in lower case the single sign on will fail.
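
Added example (not part of the original thread, and not SAP tooling): a small Python triage script that reads the SncInit() trace lines from the first post and reports the missing accepting credentials together with the fix order given in the post above. The function names and finding codes are hypothetical; the sample is a subset of the posted trace with wrapped lines joined.

```python
import re

# Trace lines copied from the first post of this thread (subset, wrapped lines joined).
SAMPLE_TRACE = r"""N SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/min=2, using 1 (Authentication Level)
N SncInit(): found snc/gssapi_lib=UKCLU61201\SAPMNT\XB7\SYS\exe\nuc\NTAMD64\sapcrypto.dll
N SncInit(): found snc/identity/as=p:CN=XB7, OU=I0020141033, OU=SAP Web AS, O=SAP Trust Community, C=DE
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]
N GSS-API(maj): No credentials were supplied
N GSS-API(min): File is not existing
N SncInit(): Fatal -- Accepting Credentials not available!
"""

FOUND = re.compile(r"SncInit\(\): found (snc/[\w/]+)=(.*?)(?:, using (\d+) \(.*\))?$")
GSS = re.compile(r"GSS-API\((maj|min)\): (.*)$")
ERROR = re.compile(r"\*\*\* ERROR => (\w+)\(\)==(\w+)")


def parse_snc_trace(text):
    """Collect SNC parameters, GSS-API status texts and failed calls from a trace."""
    state = {"params": {}, "effective": {}, "gss": {}, "errors": []}
    for line in text.splitlines():
        line = line.strip()
        if m := FOUND.search(line):
            name, value, used = m.groups()
            state["params"][name] = value
            if used is not None:          # trace states the value actually applied
                state["effective"][name] = used
        elif m := GSS.search(line):
            state["gss"][m.group(1)] = m.group(2)
        elif m := ERROR.search(line):
            state["errors"].append(m.groups())
    return state


def diagnose(state):
    """Return (code, detail) findings for the failure mode discussed in the thread."""
    findings = []
    failed = {call for call, _ in state["errors"]}
    if "SncPAcquireCred" in failed and "No credentials" in state["gss"].get("maj", ""):
        who = state["params"].get("snc/identity/as", "<identity not in trace>")
        findings.append(("NO_ACCEPTING_CRED",
                         f"no credentials for {who} ({state['gss'].get('min', '')}); "
                         "set snc/enable = 0, restart, create the SNC PSE in STRUST, "
                         "then set the SNC parameters and restart"))
    for name, used in state["effective"].items():
        if state["params"][name] != used:  # configured value differs from applied one
            findings.append(("VALUE_OVERRIDDEN",
                             f"{name} configured {state['params'][name]}, trace uses {used}"))
    return findings


if __name__ == "__main__":
    for code, detail in diagnose(parse_snc_trace(SAMPLE_TRACE)):
        print(code, "-", detail)
```

On the posted trace this also flags that snc/data_protection/min is configured as 2 while the trace reports using 1.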

IngoH
Active Contributor

Hi,

The documentation is not for client side SNC because to use client side SNC you have to first of all purchase the SNC software and the configuration depends on the SNC software.

in regards to SIA and the J2EE server - that depends on the type of SNC you would like to configure.

And there is no need to have all servers under the same account.

Only services that are needed need to run under the account and you can configure a specific SIA for that.

Ingo

Answers (1)


Former Member

It seems that this original error was caused because we have always used SSO for our SAP systems - I am changing from GSSAPI on a single app server to sapcrypto. As a result the profile parameter snc/enable was already set to 1, I have set this to 0 and this allowed the server to restart.

However!

When I try to create the SNC SAPCryptolib entry in STRUST I get the error message that the distinguished name is already used.

Well of course it is! The documentation states that I must enter the distinguished name (DN) of the SAP server into the profile parameter snc/identity/as. I did this, finding the correct DN in Strust field "Own Certificate".

Can someone please tell me what I am supposed to enter as the DN? As I guess from the system response I cannot use the actual DN of the system but must use some other thing. Do I just invent a DN?