03-26-2013 10:00 PM
Hi Experts
I have got the task to enable encryption between SAP GUI and SAP Server. Here is a brief description, what I have done so far:
1) installed SAPCRYPTOLIB
2) Configured STRTUST - like:
3) RZ10 Parameters:
snc/enable = 1
snc/gssapi_lib = E:\usr\sap\NET\SYS\exe\uc\NTAMD64\sapcrypto.dll
snc/identity/as = p:CN=NET, OU=I0020276123, OU=SAP Web AS, O=SAP Trust Community, C=DE
snc/accept_insecure_gui = 0
4) SAP Logon:
Activated Secure Network Communication
SNC-navn: p:CN=NET, OU=I0020276123, OU=SAP Web AS, O=SAP Trust Community, C=DE
Enabled encryption
Ticked SNC-logon with user/passwords (without Single Sign-On)
When starting from SAP Logon i get this error message:
What am I missing? Would be a huge help if someone can point out the missing link.. Thanks a lot
03-26-2013 10:14 PM
SAP Cryptographic Library can't be used for SNC, it can only be used to validate X.509 certificates. If you require encryption download and configure SNC Client Encryption.
03-26-2013 10:22 PM
Hi Kaski
Thanks for an instant reply. I am happy for that.
To start with this task, I did exactly what you are saying. I downloaded the SNC CLient Encryption and pathced my GUI with it, like mentioned in this article:
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/d6/2c85a6706e40b599e64ba25b096ae6/content.htm
But as I can see it's only a patch for GUI. How can I be sure that the connection between my GUI and SAP Server is encrypted by applying this patch?
Isn't there anything els to do beside applying this patch?
And thanks again.
03-26-2013 10:51 PM
With the parameter snc/accept_insecure_gui = 0 users can't logon without using SNC. All the involved steps are in the documentation you have found.
05-16-2013 5:38 PM
Hello Tariq,
I am also facing the same issue, did you got a solution?, if yes then please share.
Thanks
Crístian Vélez.
05-21-2013 6:09 AM
Hello Tariq,
unfortunately, Samuli's response is only partly correct.
Correct is, that SAPCRYPTOLIB is not supported for the use on the SAPGUI.
For enabling SNC in the backend, SAPCRYPTOLIB can be used.
Since you want to implement SNC on the SAPGUI<-->ABAP server network segment, any SNC solution except SAPCRYPTOLIB can be used - including Secure Client Encryption (SCE), which comes for free, but does not provide you with SSO functionality.
Finally, I'd like to point you to the actual cause for the error message that you noted in the developer traces.
When implementing SNC with SAPCRYPTOLIB, the library uses so called credentials, which are stored in a file named 'cred_v2' in order to map the SNC PSE to be used to the SNC name as specified by the profile parameter 'snc/identity/as'.
When maintaining your SNC PSE via transaction STRUST, the easiest way to create credentials is by asisgning a password to the PSE.
You can also create credentials using the command 'sapgenpse seclogin'. Please run 'sapgenpse seclogin -h' to get an overview of the available commands.
When using 'sapgenpse', please be careful to have the environment variables SECUDIR and USER set correctly.
Be certain not to forget that password (or PIN), as it can not be retrieved, and it can not be reset without knowing the actual password.
Regards,
sebastian
05-21-2013 6:14 PM
Sebastian Broll wrote:
unfortunately, Samuli's response is only partly correct.
Correct is, that SAPCRYPTOLIB is not supported for the use on the SAPGUI.
For enabling SNC in the backend, SAPCRYPTOLIB can be used.
I thought the context of SAPGUI was assumed since the original poster had attached a screenshot from SAPGUI and describes the requirement to have encryption between SAPGUI and the backend. Anyway, I can't edit my original answer to emphasize the point you made.
The SAP Cryptographic Library contained in NWSSO has more functionality so it is also important to specify which library is being used.
05-21-2013 8:15 AM
04-02-2015 2:38 PM
I'm facing the same issue. I can't see if it was solved. Was it ? and How ?
Michel
04-06-2015 8:29 PM
Hello,
I am also simply trying to configure encryption between the SAPGUI (on Windows) and my BW ABAP server on Solaris/Sparc 64 (UNIX).
I am experiencing the exact same situation... I think I have it all correct and my configuration virtually mirrors yours (Tariq) with the exception that I have the snc/accept_insecure_gui = 1.
What was the final resolution to your problem?
Thanks,
Jim