SNC communication between servers
We've already installed a 3rd party Identity Management software. Our target is to distribute a productive password from IdM software to satellite environments. According to SAP Note "1287410 - BAPI_USER_CHANGE: Set productive password", communication between IdM and SAP needs to be encrypted with SNC in order to use PRODUCTIVE_PWD parameter of BAPI_USER_CHANGE BAPI.
We've enabled SNC in our ABAP application server with the following parameters:
- snc/accept_insecure_cpic: 1
- snc/accept_insecure_gui: 1
- snc/accept_insecure_r3int_rfc: 1
- snc/accept_insecure_rfc: 1
- snc/data_protection/max: 3
- snc/data_protection/min: 1
- snc/data_protection/use: 9
- snc/enable: 1
- snc/extid_login_diag: 0
- snc/extid_login_rfc: 0
- snc/force_login_screen: 0
- snc/gssapi_lib: /usr/lib64/libgssapi_krb5.so
- snc/identity/as: p:SVcSMD_D_CSSO@xx.xx.xxx.xx
- snc/permit_insecure_start: 1
- snc/r3int_rfc_qop: 8
- snc/r3int_rfc_secure: 0
On the other side, we've downloaded SAP Cryptographic software and we've enabled SNC communication in Java application of 3rd party software:
- Export SNC_LIB and SECUDIR environment variables
- Create a PSE environment
- ./sapgenpse get_pse -p $SECUDIR/OIM_DES.pse -x XXXXXXXXX "cn=myCN,ou=myOU,o=myCompany,c=XX"
- Add credentials
- ./sapgenpse seclogin -p OIM_DES.pse -x XXXXXXXXXXXxxx -O oracle
- Exchange certificates between ABAP application server and 3rd party software
After that, we've tried to establish a productive password for a dummy user, but we receive the following error:
[2014-12-10T17:58:16.122+01:00] [oim_server1] [ERROR]  [OIMCP.SAPU] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 89584c7bb1d2bdf6:3830fe27:14a351afc0a:-8000-0000000000000299,0] [APP: oim#22.214.171.124.0] oracle.iam.connectors.common.ConnectorException: Initialization of repository destination esfsgrssm01ld.fcc.es failed: connection closed without message (CM_NO_DATA_RECEIVED)
It seems there's a connection attempt, but the encrypted session couldn't be established due to some encryption problem. After some SCN investigation, we think we have to use the same cryptographic library in both partners (ABAP & 3rd party) and currently we're using different software (Kerberos library in ABAP part and SAP Cryptographic library in Java).
But we're using SSO in our production environment (SNC enabled with Kerberos library), so we can't use both libraries at the same time (Kerberos & SAP Cryptographic Lib).
So how can we enable SNC between servers and SSO with kerberos at the same time?