on 04-02-2015 2:56 PM
I found an old conversation about the same issue, but it did not end with a solution!
Despite many actions, I still get the same error when logging in to my SAP system via SNC.
Abap: Common sapcrypto installed
RZ10
snc/accept_insecure_cpic = 1
snc/permit_insecure_start = 1
snc/gssapi_lib = /usr/sap/SB2/SYS/exe/run/libsapcrypto.o
snc/identity/as = p: CN=ehxs82fr.fr.intra.net, OU=GID, O=EH, C=EN
snc/accept_insecure_gui = 0
snc/enable = 1
SMLG: shows that SNC is active
Windows client
Client SAPcryptolib Installed
Envir. Variables
SECUDIR=C:\Users\mcolombe\Documents\SNCsec
SESSIONNAME=Console
SNC_LIB=C:\Program Files (x86)\SAP\FrontEnd\SapGui\Encryption\secgss.dll
SNC_LIB_64=C:\Program Files\SAP\FrontEnd\SecureLogin\lib\sapcrypto.dll
And then when I log on with sapgui 7.40 I always receive
GSS-API(gss) no credentials were supplied....
Could you help with this?
Hi Michel,
you must have some "PSE" (personal security environment) on your client side too. This is possible (but costly) using the "NW-SSO" product of SAP.
Otherwise, you have to fiddle around with sapcryptolib/common cryptolib and supply a certificate for the client. As we have NW-SSO working, this is easy, but I don't know how to do it without.
In your client configuration you're using two different libs for SNC. As GUI is still a 32-Bit application, the 32-Bit common cryptolib should be sufficient.
Maybe it helps if you do the same things with "sapgenpse" on the client side that you apparently did on the server side, to create a PSE on the client side?
Regards,
Jürgen
Edit:
Just because of curiosity:
I installed a recent cryptolib 32-Bit SAPCRYPTOLIBP_8435-20011731.SAR, then, after extracting it, on command prompt:
cd D:\test\SAP\SAPCRYPTOLIBP_8435-20011731
sapgenpse
...
Environment variable $SECUDIR is not defined!
Fallback selection of SECUDIR through APPDATA:
"somewhere\Users\gaertner\AppData\Local\sec"
...
Aha. It expects the same stuff as the server does, but in a different location. So I exported my X509 cert from Firefox and put it in a PKCS12 file. On the prompt again:
mkdir somewhere\Users\gaertner\AppData\Local\sec
D:\test\SAP\WinX64_SAPCRYPTOLIBP_8430-20011729>sapgenpse import_p12 -p test.pse x:\somewhere\Certificate.p12
import_p12: MISSING password for PKCS#12 file "d:\work\JG\LUH.p12"
Please enter PKCS#12 encryption password: ********
PKCS#12/PFX file contains 1 keypair:
1. FriendlyName = "Leibniz Universitaet Hannover ID von Juergen Gaertner #2"
X.509v3 (type=Both) RSA-2048 (signed with sha1WithRsaEncryption)
Subject="CN=Juergen Gaertner,...
Choose a PIN/Passphrase for your new PSE "somewhere\Users\gaertner\AppData\Local\sec\test.pse"
Please enter PSE PIN/Passphrase: *******
Please reenter PSE PIN/Passphrase: *******
!!! WARNING: For security reasons it is recommended to use a PIN/passphrase
!!! WARNING: which is at least 8 characters long and contains characters in
!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.
So the PSE is generated in "somewhere\Users\gaertner\AppData\Local\sec\test.pse". Now we have to create the credentials:
D:\test\SAP\WinX64_SAPCRYPTOLIBP_8430-20011729>sapgenpse seclogin -p test.pse
which creates "somewhere\Users\gaertner\AppData\Local\sec\cred_v2". Now, we can start the SAPgui using SNC-Syntax:
set SNC_LIB=D:\test\SAP\WinX64_SAPCRYPTOLIBP_8430-20011729\sapcrypto.dll
"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\SAPgui.exe" SNC_PARTNERNAME="p:Distinguish Name of Server" SNC_QOP=9 /H/Server-IP/S/sapdp00
And there you go, it works...
Message was edited by: Jürgen Gärtner
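An added diagnostic sketch, not part of either post above and not SAP tooling: it checks the client-side pieces this thread relies on (SECUDIR, a .pse file, the cred_v2 file written by "sapgenpse seclogin") and reports the architecture of the libraries named in SNC_LIB and SNC_LIB_64, so they can be compared with the 32-bit GUI mentioned in the reply. The function names are hypothetical, and reading the PE header to tell a 32-bit DLL from a 64-bit one is an assumption about what is worth checking.

```python
import struct
from pathlib import Path

# PE "Machine" field values for the two architectures relevant here
PE_MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}

def pe_machine(path):
    """Architecture from a DLL's PE header, or None if it is not a PE file."""
    with open(path, "rb") as fh:
        data = fh.read(4096)
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if len(data) < pe_off + 6 or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return PE_MACHINES.get(machine, hex(machine))

def check_snc_client(env):
    """Return findings (strings) for the client-side SNC settings in env."""
    findings = []
    secudir = env.get("SECUDIR")
    if not secudir:
        # The sapgenpse output quoted in the thread shows this fallback.
        findings.append("SECUDIR not set: sapgenpse falls back to an APPDATA-derived directory")
    elif not Path(secudir).is_dir():
        findings.append(f"SECUDIR does not exist: {secudir}")
    else:
        if not list(Path(secudir).glob("*.pse")):
            findings.append("no PSE in SECUDIR (sapgenpse import_p12 -p <name>.pse ...)")
        if not (Path(secudir) / "cred_v2").is_file():
            findings.append("no cred_v2 in SECUDIR (sapgenpse seclogin -p <name>.pse)")
    for var in ("SNC_LIB", "SNC_LIB_64"):
        lib = env.get(var)
        if not lib:
            continue
        if not Path(lib).is_file():
            findings.append(f"{var} points to a missing file: {lib}")
        else:
            findings.append(f"{var} is {pe_machine(lib) or 'not a PE file'}: {lib}")
    return findings

if __name__ == "__main__":
    import os
    for line in check_snc_client(os.environ):
        print(line)
```

Run it in the same session that starts SAPgui, so that it sees the same environment variables.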