
SNC communication between servers

SergioSanchez
Explorer
0 Kudos

Hi, guys

We've already installed 3rd party Identity Management software. Our target is to distribute a productive password from the IdM software to satellite environments. According to SAP Note "1287410 - BAPI_USER_CHANGE: Set productive password", communication between IdM and SAP needs to be encrypted with SNC in order to use the PRODUCTIVE_PWD parameter of the BAPI_USER_CHANGE BAPI.

We've enabled SNC in our ABAP application server with the following parameters:

    • snc/accept_insecure_cpic: 1
    • snc/accept_insecure_gui: 1
    • snc/accept_insecure_r3int_rfc: 1
    • snc/accept_insecure_rfc: 1
    • snc/data_protection/max: 3
    • snc/data_protection/min: 1
    • snc/data_protection/use: 9
    • snc/enable: 1
    • snc/extid_login_diag: 0
    • snc/extid_login_rfc: 0
    • snc/force_login_screen: 0
    • snc/gssapi_lib: /usr/lib64/libgssapi_krb5.so
    • snc/identity/as: p:SVcSMD_D_CSSO@xx.xx.xxx.xx
    • snc/permit_insecure_start: 1
    • snc/r3int_rfc_qop: 8
    • snc/r3int_rfc_secure: 0

On the other side, we've downloaded the SAP Cryptographic software and we've enabled SNC communication in the Java application of the 3rd party software:

    • Export SNC_LIB and SECUDIR environment variables
    • Create a PSE environment
      • ./sapgenpse get_pse -p $SECUDIR/OIM_DES.pse -x XXXXXXXXX "cn=myCN,ou=myOU,o=myCompany,c=XX"
    • Add credentials
      • ./sapgenpse seclogin -p OIM_DES.pse -x XXXXXXXXXXXxxx -O oracle
    • Exchange certificates between ABAP application server and 3rd party software

After that, we've tried to establish a productive password for a dummy user, but we receive the following error:

[2014-12-10T17:58:16.122+01:00] [oim_server1] [ERROR] [] [OIMCP.SAPU] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 89584c7bb1d2bdf6:3830fe27:14a351afc0a:-8000-0000000000000299,0] [APP: oim#11.1.1.3.0] oracle.iam.connectors.common.ConnectorException: Initialization of repository destination esfsgrssm01ld.fcc.es failed: connection closed without message (CM_NO_DATA_RECEIVED)

It seems there's a connection attempt, but the encrypted session couldn't be established due to some encryption problem. After some SCN investigation, we think we have to use the same cryptographic library on both partners (ABAP & 3rd party), and currently we're using different software (Kerberos library on the ABAP side and SAP Cryptographic library in Java).

But we're using SSO in our production environment (SNC enabled with Kerberos library), so we can't use both libraries at the same time (Kerberos & SAP Cryptographic Lib).

So how can we enable SNC between servers and SSO with Kerberos at the same time?

Thanks,

Sergio

2 REPLIES

tim_alsop
Active Contributor
0 Kudos

You need to use a Kerberos SNC library on the server running the IdM software, so I don't recommend using the SAP Cryptolib as this only supports use of X.509 certificates for server-to-server connections. As you indicated, you need to use the same protocol (Kerberos or X.509) at both ends, otherwise it would be like talking to somebody in German who only understands English 🙂
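
A pre-flight check for the mismatch described in the reply above, as an added example that is not part of the thread and not an SAP tool: it classifies each end's SNC name and library as Kerberos or X.509 and reports whether they agree. The server values are copied from the question; the client `SNC_LIB` path, the `p:` form of the client name, the function names and the filename heuristic are assumptions.

```python
import re

# Constructed input: server values copied from the question's parameter list;
# the client SNC_LIB path is a placeholder (the post does not show it).
SERVER_PROFILE = """\
snc/enable: 1
snc/gssapi_lib: /usr/lib64/libgssapi_krb5.so
snc/identity/as: p:SVcSMD_D_CSSO@xx.xx.xxx.xx
"""
CLIENT = {"SNC_LIB": "/path/to/libsapcrypto.so",
          "snc_name": "p:cn=myCN,ou=myOU,o=myCompany,c=XX"}
_DN_START = re.compile(r"^\s*[A-Za-z][A-Za-z0-9.]*\s*=")  # "CN=", "ou =", ...

def parse_profile(text):
    """Parse 'name: value' lines; split on the first colon only (values contain 'p:')."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.strip(" \t•").partition(":")
        if sep and key.strip():
            params[key.strip()] = value.strip()
    return params

def name_mechanism(snc_name):
    """Classify an SNC name by its form: X.509 DN or Kerberos principal."""
    name = snc_name.strip()
    if name[:2].lower() == "p:":  # printable-name prefix
        name = name[2:]
    if _DN_START.match(name):
        return "x509"
    if "@" in name:
        return "kerberos"
    return "unknown"

def lib_mechanism(path):
    """Filename heuristic (assumption): krb5 GSS-API library vs SAP Cryptographic Library."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if "krb5" in base:
        return "kerberos"
    if "sapcrypto" in base:
        return "x509"  # per the reply: certificates only for server-to-server
    return "unknown"

def check_pair(profile_text, client):
    """Compatible only if each end resolves to one mechanism and both ends match."""
    p = parse_profile(profile_text)
    server = {name_mechanism(p.get("snc/identity/as", "")), lib_mechanism(p.get("snc/gssapi_lib", ""))} - {"unknown"}
    peer = {name_mechanism(client["snc_name"]), lib_mechanism(client["SNC_LIB"])} - {"unknown"}
    ok = len(server) == 1 and server == peer
    return {"server": sorted(server), "client": sorted(peer), "compatible": ok}
```

For the configuration in the question, `check_pair(SERVER_PROFILE, CLIENT)` reports a Kerberos server and an X.509 client, which is the combination that cannot complete an SNC handshake.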

Former Member
0 Kudos

Hi, could you resolve this problem?

I am facing a very similar scenario and wondering if an SAP System using the Kerberos library can communicate with an external RFC client using SNC with the SAP Cryptography library.

How did you manage?