12-21-2006 5:57 PM
Hi everybody,
First of all, please excuse me if I'm not posting in the right group. If
so, could you please redirect me to the appropriate forum?
Ok, so here's my problem...
I'm trying to activate SNC on an IDES SAP ERP 2005 (NW04s) system (running on a Solaris 10 x64). I followed the documentation instructions and
added the following parameters to my SAP instance profile (using the
RZ10 transaction)
snc/enable = 1
snc/data_protection/min = 1
snc/data_protection/max =13
snc/data_protection/use = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/permit_insecure_start = 1
snc/gssapi_lib = /usr/lib/snckrb5.so
snc/identity/as = p:user@xx.xxx.xx
My GSS-API library successfully passed the tests done by the sap test
tool.
When I restart my SAP system I get the following error in the Syslog:
Initialization SNC Failed, Return Code -000004 or Initialization SNC Failed, Return Code -000001
This error is repeated several times, then the server terminates.
Does anyone have an idea of what I'm doing wrong?
Thanks for your help,
12-22-2006 9:13 PM
Hi,
Can you recheck the parameters
snc/data_protection/max =13
snc/data_protection/use = 1
snc/gssapi_lib = /usr/lib/snckrb5.so
For more help, you can check the following link:
http://help.sap.com/saphelp_nw04/helpdata/en/19/164442c1a1c353e10000000a1550b0/frameset.htm
Cheers
Soma
12-25-2006 2:27 PM
I set the parameter
snc/identity/as = u:user@xx.xxx.xx and it is all working!
Message was edited by:
Peter Bachofer
12-26-2006 10:03 AM
Alexandr,
It looks like you are trying to use the Kerberos library provided with Solaris 10 x64. The use of this library is not supported by SAP, so I doubt you will get much help using this forum. Instead, you might want to consider using a SAP certified and supported solution, as mentioned many times elsewhere in this forum. If you search this Security forum for keywords such as "SNC", "Kerberos", and "UNIX" I am sure you will find details of how other companies have solved this problem.
Thanks,
Tim
12-27-2006 8:23 AM
12-27-2006 10:15 AM
Well, frankly speaking I doubt that your happiness will last long.
To me it looks like you've been extremely lucky - and it honestly surprises me that "u:user@..." works since all SNC names have to start with "p:".
It also looks weird that you assign a user credential to a server.
Last but not least: Tim is right stating that you are using a non-certified solution (at your own risk).
Nevertheless: I wish you Good Luck for the New Year.
Cheers, Wolfgang
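An added example, not part of any post in this thread and not SAP code: an offline check of the SNC profile parameters from the first post, run before restarting the instance. It applies the "p:" prefix rule stated in the reply above; the allowed protection levels (1 to 3, plus 9 for use) are an assumption taken from SAP's SNC parameter documentation, and the function names are hypothetical.

```python
import re

# Constructed sample: the profile lines from the first post of the thread.
SAMPLE_PROFILE = """\
snc/enable = 1
snc/data_protection/min = 1
snc/data_protection/max =13
snc/data_protection/use = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/permit_insecure_start = 1
snc/gssapi_lib = /usr/lib/snckrb5.so
snc/identity/as = p:user@xx.xxx.xx
"""

# Assumption, not stated in the thread: valid levels per SAP's SNC documentation.
LEVELS = {"min": {1, 2, 3}, "max": {1, 2, 3}, "use": {1, 2, 3, 9}}

def parse_profile(text):
    """Return {parameter: value} for every 'name = value' line."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_/]+)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def lint_snc(params):
    """Return (parameter, finding) tuples worth reviewing before a restart."""
    findings = []
    for key, allowed in LEVELS.items():
        name = f"snc/data_protection/{key}"
        raw = params.get(name)
        if raw is not None and (not raw.isdigit() or int(raw) not in allowed):
            findings.append((name, f"value {raw!r} not in {sorted(allowed)}"))
    ident = params.get("snc/identity/as", "")
    if not ident.startswith("p:"):
        findings.append(("snc/identity/as", f"{ident!r} lacks the 'p:' prefix"))
    for name, value in params.items():
        if "insecure" in name and value == "1":
            findings.append((name, "permits unprotected (non-SNC) communication"))
    return findings

if __name__ == "__main__":
    for name, finding in lint_snc(parse_profile(SAMPLE_PROFILE)):
        print(f"{name}: {finding}")
```

The accept_insecure and permit_insecure findings are informational: they list every setting that still lets non-SNC traffic through, which is the set to tighten once SNC logons work.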
12-27-2006 11:11 AM
12-27-2006 11:12 AM
Well, be happy then (and consider yourself lucky).
But don't be surprised if problems arise, later on.
Cheers, Wolfgang
12-27-2006 11:14 AM
09-03-2007 1:37 PM
Eugeny,
I know this is an old thread, but I wondered if you still need any help. I also wanted to ask if you can award SDN points to answers provided already.
Thanks,
Tim