
SNC certificate error TRUST040

Former Member

Hi All,

I am getting error TRUST040 when trying to replace, and then delete/create, the SNC SAPCryptolib certificate in transaction STRUST.

I have gone through the following notes but was not able to find the solution.

510007 - Setting up SSL on Web Application Server ABAP

1471126 - STRUST: How to correctly install SAPCRYPTOLIB

1375378 - Select the right version of an SAP security toolkit

397175 - SAP Cryptographic Software - Export control

455033 - SAPCRYPTOLIB versions, bugs and fixes


Environment variables, parameters in RZ10 and sapcryptolib are all set properly, as described in the SAP notes.



1) I am getting this error in Solution Manager.

2) An SNC SAProuter is also running on the same host as Solution Manager.

3) The RFC connections SM_<SID>_BACK from ECC to Solman are failing with a TYPE=E error.


When I looked at OS level on Solution Manager, I found sapcryptolib.dll in two locations, one under the saprouter directory and the other under \<sid>\exe, and the following are the env. variables.


1) Environment Variables

a) Under user variables for <sid>adm

     SECUDIR is set to E:\usr\sap\saprouter\

     SNC_LIB is set to E:\usr\sap\saprouter\sapcryto.dll

b) Under system variables

     SAPSECUDIR is set to E:\usr\sap\SID\SYS\exe\uc\NTAMD64

     SECUDIR is set to e:\usr\sap\saprouter


Questions:

1) Are these env. variables correctly set?

2) Can sapcrypto.dll exist in different locations on the same host, even though they are for two different purposes?


3) RZ10 parameters: I think these are all the required parameters, and they already exist in our system.


snc/identity/as                             p:SAPService<SID>@DOMAIN

snc/accept_insecure_start                   1

snc/accept_insecure_cpic                    1

snc/accept_insecure_r3int_rfc               1

snc/accept_insercure_rfc                    1

snc/accept_insecure_gui                     1

snc/enable                                  1

ssf/name                                    SAPSECULIB

DIR_EXECUTABLE                              $(DIR_INSTANCE)\exe

sec/libsapsecu                              E:\usr\sap\<SID>\SYS\exe\uc\NTAMD64\sapcrypto.dll

ssf/ssfapi_lib                              E:\usr\sap\<SID>\SYS\exe\uc\NTAMD64\sapcrypto.dll

ssl/ssl_lib                                 E:\usr\sap\<SID>\SYS\exe\uc\NTAMD64\sapcrypto.dll

All this started when RFC connections from ECC to Solman began failing with a TYPE=E error, which is related to SNC.

As you can see, I have done all the background work before posting this, and I guess I am missing something that I am unable to figure out. So I would appreciate it if someone can help me.

Regards

Raj

Accepted Solutions (0)

Answers (2)

jimguo (Advisor)

Hi,

Please review your configurations:

1. Environment variable SECUDIR

You need to set it to E:\usr\sap\<SID>\DVEBMGSXX\sec.

For the user that is used to start saprouter, you need to set a user variable. Don't mix up the user for saprouter and the user for the R/3 system.

2. SNC name

snc/identity/as                             p:SAPService<SID>@DOMAIN

You have set it to use the sapcrypto library. In this case, you need to use a format like:

p:CN=sap01.hostxx, O=myorganisation, C=DE

I recommend you check your settings as described in the following link:

SAP Library - SAP NetWeaver by Key Capability

Thanks.

Jim

Former Member

Hi Rishi/Jim,

Thank you for your replies.

1) I have changed the system environment variable SECUDIR to E:\USR\SAP\<SID>\DVEBMGS00\SEC from e:\usr\sap\saprouter.

2) I already have the parameter set:

snc/identity/as         p:SAPService<SID>@Domain

3)

You have set to use sapcrypto library. In this case, you need to use format like:

p:CN=sap01.hostxx, O=myorganisation, C=DE

Does your above statement mean to change the SNC ID in transaction STRUST while creating the certificate, from p:SAPService<SID>@Domain to p:CN=sap01.hostxx, O=myorganisation, C=DE? If so, how can I change it, as it is filled in by default (see the screenshot below)?



I am still getting the same error while creating the certificate.


Regards

Raj


Former Member

Hi Jim,

Thank you for your reply.

I am still getting the same error.

1) I have changed the SYSTEM environment variable for SECUDIR to E:\usr\sap\<SID>\DVEBMGSXX\sec.

2) The parameter is already set

3)

You have set to use sapcrypto library. In this case, you need to use format like:

p:CN=sap01.hostxx, O=myorganisation, C=DE

I did not understand the above statement. Does this mean to change the SNC ID in transaction STRUST? I get the SNC ID p:SAPService<SID>@DOMAIN by default. If I understand correctly, how can I change the SNC ID?

I have attached the screenshot of my strust

Regards

Raj

Former Member

Hi Jim/Rishi,

What is the difference between

snc/identity/as p:SAPService<SID>@DOMAIN

snc/identity/as p:CN=IDS, OU=IT, O=CSW, C=DE

Regards

Raj

Former Member

Hi,

First of all, please comment out (#) the entries below in the system.

#snc/identity/as                             p:SAPService<SID>@DOMAIN

#snc/accept_insecure_start                   1

#snc/accept_insecure_cpic                    1

#snc/accept_insecure_r3int_rfc               1

#snc/accept_insercure_rfc                    1

#snc/accept_insecure_gui                     1

#snc/enable                                          1

Then restart the system and go to STRUSTSSO2.

Try to create the STRUSTSSO2 sapcrypto certificate; this time it will get created.

As you had set the parameters earlier, that was the reason the issue was happening.

Now, to set up SNC, you need to set the above parameters.

The main thing is the value of snc/identity/as. This parameter determines the name of the application server with the external security system and its name type:

snc/identity/as should be = p:<copy the owner name from the sapcrypto tab in STRUSTSSO2>

The value of this parameter should be used as below when you want to configure SSO using SAP GUI.

Secure Single Sign-On

  • Chapter: "Preparing the Application Server for Single Sign-On":
    • Replace "snc/identity/as =p:<Domain_Name>\sapsid<adm> (<DOMAIN_NAME> is the NT domain that the user <sapsid>adm belongs to)" with the following:

                    "snc/identity/as =p:<Domain_Name>\SAPService<SAPSID> (<DOMAIN_NAME> is the NT domain that the user SAPService<SAPSID> belongs to)".

595341 - Installation issues with Single Sign-On and SNC

To activate SNC for RFC you need to maintain view VSNCSYSACL with transaction SM30.

Take the note below as a reference. It relates to BO with an SAP backend, so you can do the backend steps as in the note and leave the BO steps aside.

1500150 - Troubleshooting SNC server trust setup, STS issues, prerequisites, tracing, etc in SAP Bus...

Thanks

Rishi Abrol

jimguo (Advisor)

Hi,

You need to change the profile parameter and restart system first.

snc/identity/as is used to set the SNC name, and the format depends on the security product.

p:SAPService<SID>@DOMAIN is for Kerberos. In your case you use the sapcrypto library, so you need to use a format like p:CN=IDS, OU=IT, O=CSW, C=DE.

Thanks.

Jim

Former Member

Hi Rishi/Jim

I am not configuring SSO. The problem is RFC connections failing between ECC and Solman with the error "Target system requires SNC for connections of <my ECC SID> (type=E)."

All the parameters, crypto .dll files and env. variables discussed above are already set up in all our SAP systems. I realised recently that they were set up by a previous consultant as part of the SSO configuration. The SNC certificates in the ECC systems are fine, but there is a problem in Solman.

What I am trying to do is resolve the RFC connection problems to Solman so that I can configure EarlyWatch Alerts, MOPZ, CCMS etc.

After this long discussion I am thinking of changing the following parameters in Solman for the RFC connections to work. I have two choices here; please correct me if I am wrong.

1) Though SSO is configured, it is not in use. Therefore, if I disable or remove all the parameters in Solman, will the RFC connections work? Bearing in mind that we have an SNC SAProuter configured on the same host as Solman, do I need to change the env variables or not?

2) Change the following parameters in Solman and restart, to see if I can create the certificate and my RFCs work:

  snc/identity/as to p:CN=IDS, OU=IT, O=CSW, C=DE

  disable the existing snc/enable = 1 (since it is enabled, the system will not start, as it will look for the certificate, and if it is disabled I will not be able to generate the certificate). Any suggestions?

Thank you for your patience all the way through.

Regards

Raj

jimguo (Advisor)

Hi,

You have 3 options.

1. Deactivate SNC in your Solman system.

2. Activate SNC in your ECC system and use SNC for the RFC connection.

3. Set the following profile parameter to accept insecure RFC connections in your Solman system:

snc/accept_insecure_rfc 1

You have mentioned the RZ10 settings in your description, but the spelling is not correct: snc/accept_insercure_rfc vs. snc/accept_insecure_rfc.

If you would like to use SNC for the RFC connection, you need to use the same security product in Solman and in the ECC system.

Thanks.

Jim
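The checks that Jim's answers and the environment/RZ10 listing in the question walk through by hand (a misspelled snc/accept_insecure_* parameter that silently never takes effect, a Kerberos-style snc/identity/as used with the sapcrypto library, snc/enable=1 rejecting non-SNC RFC partners with the "Target system requires SNC ... type=E" error, and a SECUDIR that points at the saprouter directory instead of the instance's sec directory) can be scripted. The checker below is an added example written for this thread, not SAP code or anything posted in it; the sample profile and environment are constructed from the question with a made-up SID "SM1", the instance directory DVEBMGS00 and Jim's example DN, and the list of known parameter names is only the subset discussed here.

```python
import difflib
import re

# Assumption: only the SNC/SSF parameters discussed in this thread are "known";
# anything else is reported as unknown so that a typo in the name surfaces.
KNOWN_PARAMS = {
    "snc/enable", "snc/identity/as", "snc/gssapi_lib",
    "snc/accept_insecure_start", "snc/accept_insecure_cpic",
    "snc/accept_insecure_r3int_rfc", "snc/accept_insecure_rfc",
    "snc/accept_insecure_gui", "ssf/name", "ssf/ssfapi_lib",
    "sec/libsapsecu", "ssl/ssl_lib", "DIR_EXECUTABLE",
}

# Constructed sample: the RZ10 listing from the question (including the
# misspelled snc/accept_insercure_rfc) with the placeholder SID "SM1".
SAMPLE_PROFILE = r"""
snc/identity/as                 p:SAPServiceSM1@DOMAIN
snc/accept_insecure_start       1
snc/accept_insecure_cpic        1
snc/accept_insecure_r3int_rfc   1
snc/accept_insercure_rfc        1
snc/accept_insecure_gui         1
snc/enable                      1
ssf/name                        SAPSECULIB
DIR_EXECUTABLE                  $(DIR_INSTANCE)\exe
sec/libsapsecu                  E:\usr\sap\SM1\SYS\exe\uc\NTAMD64\sapcrypto.dll
ssf/ssfapi_lib                  E:\usr\sap\SM1\SYS\exe\uc\NTAMD64\sapcrypto.dll
ssl/ssl_lib                     E:\usr\sap\SM1\SYS\exe\uc\NTAMD64\sapcrypto.dll
"""
# Constructed: the <sid>adm user environment as described in the question.
SAMPLE_ENV = {"SECUDIR": r"E:\usr\sap\saprouter",
              "SNC_LIB": r"E:\usr\sap\saprouter\sapcrypto.dll"}
INSTANCE_SEC_DIR = r"E:\usr\sap\SM1\DVEBMGS00\sec"   # assumed instance directory

# Constructed "after" state: typo fixed, DN-style SNC name, SECUDIR on the instance.
FIXED_PROFILE = (SAMPLE_PROFILE
                 .replace("snc/accept_insercure_rfc", "snc/accept_insecure_rfc")
                 .replace("p:SAPServiceSM1@DOMAIN", "p:CN=IDS, OU=IT, O=CSW, C=DE"))
FIXED_ENV = {"SECUDIR": INSTANCE_SEC_DIR,
             "SNC_LIB": r"E:\usr\sap\SM1\SYS\exe\uc\NTAMD64\sapcrypto.dll"}

_ASSIGN = re.compile(r"^(\S+)\s*=\s*(.*)$")   # "name = value" (profile file)

def parse_profile(text):
    """Parse 'name = value' profile lines or 'name   value' lines pasted from RZ10."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # commented-out parameters are ignored
            continue
        m = _ASSIGN.match(line)
        if m:
            name, value = m.group(1), m.group(2)
        else:
            parts = line.split(None, 1)              # RZ10 style: name, whitespace, value
            if len(parts) != 2:
                continue
            name, value = parts
        params[name] = value.strip()
    return params

def snc_name_style(name):
    """'dn' for p:CN=..., 'kerberos' for p:user@REALM or p:DOMAIN\\user, else 'other'."""
    body = name[2:] if name.lower().startswith("p:") else name
    if re.match(r"^[A-Za-z]+=", body):
        return "dn"
    if "@" in body or "\\" in body:
        return "kerberos"
    return "other"

def check_snc_config(params, env, instance_sec_dir):
    """Return a list of (code, message) findings; an empty list means no issue found."""
    findings = []
    for name in params:
        if name not in KNOWN_PARAMS:
            hint = difflib.get_close_matches(name, sorted(KNOWN_PARAMS), n=1, cutoff=0.8)
            msg = f"unknown parameter '{name}'"
            if hint:
                msg += f" (did you mean '{hint[0]}'?)"
            findings.append(("UNKNOWN_PARAM", msg))

    # The SNC library decides the name syntax: sapcrypto wants an X.509 DN,
    # a Kerberos adapter wants user@REALM.
    lib = (params.get("snc/gssapi_lib") or env.get("SNC_LIB") or "").lower()
    ident = params.get("snc/identity/as", "")
    if "sapcrypto" in lib and snc_name_style(ident) != "dn":
        findings.append(("IDENTITY_FORMAT",
                         f"snc/identity/as '{ident}' is not a DN (p:CN=...) although the SNC library is sapcrypto"))

    # With snc/enable=1 the server rejects RFC partners that do not use SNC
    # ("Target system requires SNC ... type=E") unless insecure RFC is accepted.
    if params.get("snc/enable") == "1" and params.get("snc/accept_insecure_rfc") != "1":
        findings.append(("INSECURE_RFC_REJECTED",
                         "snc/enable=1 but snc/accept_insecure_rfc is not 1: non-SNC RFC partners are rejected"))

    def norm(path):
        return path.replace("/", "\\").rstrip("\\").lower()
    secudir = env.get("SECUDIR", "")
    if norm(secudir) != norm(instance_sec_dir):
        findings.append(("SECUDIR_MISMATCH",
                         f"SECUDIR='{secudir}' does not point at the instance PSE directory {instance_sec_dir}"))
    return findings

def run_example():
    return check_snc_config(parse_profile(SAMPLE_PROFILE), SAMPLE_ENV, INSTANCE_SEC_DIR)

if __name__ == "__main__":
    for code, msg in run_example():
        print(code, msg)
```

Against the sample from the question the script reports all four findings; against the corrected profile and environment it reports none. Point it at a real DEFAULT/instance profile (the `name = value` form is accepted) and the output of `set` from the <sid>adm session; the saprouter user keeps its own SECUDIR and is checked separately, as Jim's first answer says.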

Former Member

Hi,

Please read the earlier note that was suggested and follow that path.

Thanks

Rishi abrol

Former Member

Hi,

What is the kernel version?

1740744 - SSFPSE_CREATE: Support creation of RSA-PSEs with SHA-256


Prerequisite: apply kernel patch from note 1739681. If the kernel is too old, the generation of RSA-PSEs with SHA-256 fails in transaction STRUST with error message "Error while creating PSE" (TRUST040).


Thanks

Rishi Abrol

Former Member

Hi Rishi,

Thank you for your reply.

My kernel is 721 with patch level 100. The note is valid for my system, as the Basis component is on patch 12, SAPKB70212.

However, I am generating the SNC certificate with the RSA algorithm and key length 1024. Does this note apply to me as well?

Regards

Raj

Former Member

Hi,

You can try, because when you generate the cert there is an option, or rather a drop-down, for RSA with SHA-1.

Manual Post-Implement.

VALID FOR

Software Component SAP_BASIS (SAP Basis component)

  Release 620   Until SAPKB62072
  Release 640   Until SAPKB64030
  Release 700   SAPKB70014 - SAPKB70027
  Release 710   Until SAPKB71015
  Release 711   SAPKB71101 - SAPKB71110
  Release 701   Until SAPKB70112

Change the value range of domain SSFPKALGD as follows:

R RSA with SHA-1

S RSA with SHA-256

D DSA with SHA-1

Thanks

Rishi Abrol

Former Member

Hi Rishi,

I did not understand what the manual steps mean. Does this mean selecting the options in the drop-down menu in STRUST? If so, I only have the algorithms RSA and DSA, and the key lengths only contain 512, 768, 1024 and 2048; there is no SHA-1.

I looked in the prerequisite note 1739681; according to it, the required patch level for the 64-bit kernel 721 uc is 0019, and we are on 100. So I think the kernel patch level is fine!

Regards

Raj

Former Member

Hi ,

Once you implement the note you need to do the manual correction as well. Yes, it is for the drop-down.

Yes, correct, the prerequisite is OK.

Thanks

Rishi Abrol

Former Member

Hi Rishi,

I am still getting the same error after applying the note and performing the manual changes as well.

That said, when I looked in SNOTE the status of note 1740744 is "incompletely implemented". I found a related note, 1685578 - Problem applying a note through SNOTE. I have applied this successfully and re-implemented the original, but the status doesn't change.

any idea?

Regards

Raj

Former Member

Hi Rishi,

I have re-implemented the note and it has been successfully implemented. But I still can't create the SNC certificate in STRUST.

Regards

Raj

Former Member

Hi,

Can you please check the version of the cryptolib file?

Your Solution Manager would be on the 720 kernel.

Can you just try and see what happens if you change the variable SECUDIR from e:\usr\sap\saprouter to SECUDIR=/usr/sap/SID/DVEBMXX/sec (set as per your drive; this is an example value)?

I know that in this case SAProuter will stop working, but I am just asking you to try it and see if it makes a difference and is the cause of the issue.

Thanks

Rishi abrol