cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SNC error in Linux

Former Member

on ‎07-10-2014 1:23 PM

0 Kudos

Hello Gurus,

We have recently migrated one of our quality systems from Oracle / Windows 2008 server to Sybase / Linux.

After the migration, we find that we are unable to reactivate the SNC settings, despite having modified the SNC parameters for the target system.

Please find our parameter values as below

snc/data_protection/max = 1

snc/enable = 1

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/data_protection/min = 1

snc/data_protection/use = 1

snc/permit_insecure_start = 1

snc/identity/as = p:CN=SAPService<SAPSID>@<DOMAIN.COM>  [ For windows this was p:<DOMAIN>\SAPService<SAPSID>  ]

snc/r3int_rfc_qop = 3

snc/accept_insecure_r3int_rfc = 1

snc/r3int_rfc_secure = 0

snc/gssapi_lib = /usr/sap/<SAPSID>/DVEBMGS00/SLL/libsapcrypto.so

Our active directory is on windows and the SNC was working fine till before the export and now it doesnt [ even with modified parameters].

Please find the log of the work process attached , where it is able to login to the PSE and the SNC setups is verified as correct.

Thu Jul 10 04:45:09 2014

N  SncInit(): Initializing Secure Network Communication (SNC)

N        AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)

N        UserId="devadm" (20093), envvar USER="devadm"

N  SncInit():   found snc/data_protection/max=1, using 1 (Authentication Level)

N  SncInit():   found snc/data_protection/min=1, using 1 (Authentication Level)

N  SncInit():   found snc/data_protection/use=1, using 1 (Authentication Level)

N  SncInit(): found  snc/gssapi_lib=/usr/sap/DEV/DVEBMGS00/SLL/libsapcrypto.so

N    File "/usr/sap/DEV/DVEBMGS00/SLL/libsapcrypto.so" dynamically loaded as GSS-API v2 library.

N    SECUDIR="/usr/sap/DEV/DVEBMGS00/sec" (from $SECUDIR)

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SAPCRYPTOLIB

N    Product Version = SAPCRYPTOLIB  5.5.5C pl34  (Mar  1 2012) MT,AESNI,NB

N  SncInit():   found snc/identity/as=p:CN=SAPServiceDEV@<DOMAIN.COM>

N  SncInit(): Accepting  Credentials available, lifetime=Indefinite

N  SncInit(): Initiating Credentials available, lifetime=Indefinite

M  SNC (Secure Network Communication) enabled

We are getting error when we try to connect , Please help.

Warm Regards

Prashant Vijaydas

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

Former Member
‎07-24-2014 7:32 AM
0 Kudos

We raised an SAP OSS call and they confirmed our initial doubt that SNC Client Encryption does __not__ offer  SSO functionality (i.e. it will __not__ work without providing user
and password).


There is no SNC product free of charge that provide
that for SAPGUI logon, as already mentioned. In that case, you should
use SAP Netweaver Single Sign-On product which provides you that.


So we will now look at SSO to SAP systems from GUI via the kerberos method.


Thanks a lot for your support.


Regards

Prashant



Show replies
Show replies
former_member188883
Active Contributor
‎07-10-2014 1:35 PM
0 Kudos

Hi Prashant,

Could you please attach the error message .

Regards,

Deepak Kori

Show replies
Show replies
Former Member
‎07-10-2014 2:43 PM
0 Kudos

Hi Deepak,

We are getting the below error message

SAP system Message :

S

There are no errors in the work process logs and the SNC is started successfully

  SncInit(): Initializing Secure Network Communication (SNC)

N        AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)

N        UserId="devadm" (20093), envvar USER="devadm"

G  GetWritePermissionForShm( pLocation = 281, pEnforce = 0 )

G  RelWritePermissionForShm( pLocation = 277, pEnforce = 0 )

N  SncInit():   found snc/data_protection/max=1, using 1 (Authentication Level)

N  SncInit():   found snc/data_protection/min=1, using 1 (Authentication Level)

N  SncInit():   found snc/data_protection/use=1, using 1 (Authentication Level)

N  SncInit(): found  snc/gssapi_lib=/usr/sap/DEV/DVEBMGS00/SLL/libsapcrypto.so

N    File "/usr/sap/DEV/DVEBMGS00/SLL/libsapcrypto.so" dynamically loaded as GSS-API v2 library.

N    SECUDIR="/usr/sap/DEV/DVEBMGS00/sec" (from $SECUDIR)

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SAPCRYPTOLIB

N    Product Version = SAPCRYPTOLIB  5.5.5C pl34  (Mar  1 2012) MT,AESNI,NB

N  SncInit():   found snc/identity/as=p:CN=SAPServiceDEV@<Domain.COM>

N  SncInit(): Accepting  Credentials available, lifetime=Indefinite

N  SncInit(): Initiating Credentials available, lifetime=Indefinite

M  ***LOG R1Q=> p:CN=SAPServiceDEV@RADISYS.COM [thxxsnc.c    267]

M  SNC (Secure Network Communication) enabled

Regards

Prashant

former_member188883
Active Contributor
‎07-10-2014 5:22 PM
0 Kudos

Hi Prashant,

Can you apply latest SAP kernel and check the results.

Regards,

Deepak Kori

Former Member
‎07-15-2014 4:52 PM
0 Kudos

Hi Deepak,

We updated the kernel to the latest and tried again, but it doesnt work either.

I was doing some digging up and looks like our target Linux box cannot be authenticated on the AD in the same way that our source Windows server 2008 R2 box did.

This means that we have to have some form of integration between Linux / windows AD.

This can either be via Kerberos or via NW SSO.

However licensing terms make it difficult for us to go for the NW SSO 2.0 , so possibly we might go for the Kerberos based AD authentication.

However as per SAP Note 150380 - Is MIT Kerberos 5 supported for use with SNC ? , there are concerns whether SAP will support the Kerberos based SNC related problems.

Our initial assumption was that SNC with sap Cryptolib should work the same way on SAP/Linux as it did on SAP/Windows when connecting to the Windows server 2008 AD, but this is not the case.

Please let me know if we are right to proceed this way.

Regards

Prashant

Ask a Question