
Cannot set SECUDIR | Environmental Variable

Former Member
0 Kudos

Hi, I am trying to configure Single Sign-On based on Kerberos/SPNEGO. I have already successfully configured it on other servers; however, on this one I am not able to succeed.

The error I am getting in dev_w0 is the following:

N  SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/64/64)

N        GetUserName()="SAPServiceSH1"  NetWkstaUser="SAPServiceSH1"

N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll

N    File "F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N    SECUDIR="C:\Users\sapservicesh1.SNL\AppData\Local\sec" (from APPDATA)

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.1) to CommonCryptoLib

N    Product Version = CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.42 pl40 (Sep 24 2015) MT-safe

N  SncInit():   found snc/identity/as=p:CN=SL-ABAP-SH1@<DOMAIN>

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [D:/depot/bas/74 1445]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=SL-ABAP-SH1@<DOMAIN>"

N      FATAL SNCERROR -- Accepting Credentials not available!

N      (debug hint: default acceptor = "p:CN=DummyCredential")

N  <<- SncInit()==SNCERR_GSSAPI

N           sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    271]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    273]

M  in_ThErrHandle: 1

M  *** ERROR => SncInitU (step TH_INIT, thRc ERROR-SNC-OTHER ERROR IN SNC LAYER, action STOP_WP, level 1) [thxxhead.c   2393]

Note: <DOMAIN> is where I replaced the correct domain.


Possible solution:

How can I permanently set SECUDIR to F:\usr\sap\SH1\DVEBMGS01\sec instead of C:\Users\sapservicesh1.SNL\AppData\Local\sec?

I have executed the following commands:

1. set SECUDIR=F:\usr\sap\SH1\DVEBMGS01\sec

2. sapgenpse keytab -p SAPSNCSKERB.pse -a SL-ABAP-SH1@<DOMAIN>

3. sapgenpse seclogin -p SAPSNCSKERB.pse -O snl\SAPServiceSH1 -N


Profile Parameters:


snc/enable=1
snc/gssapi_lib=F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll
snc/identity/as= p:CN=SL-ABAP-SH1@<DOMAIN>
snc/data_protection/min=2
snc/data_protection/max=3
snc/data_protection/use=3
snc/accept_insecure_gui=1
snc/accept_insecure_rfc=1
snc/accept_insecure_cpic=1
snc/permit_insecure_start=1
snc/r3int_rfc_qop=8
snc/r3int_rfc_secure=0
snc/force_login_screen=0
spnego/enable=1
spnego/krbspnego_lib= F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll

SAPCRYPTOLIB= F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll

Information:

Command sapgenpse:

Command sapgenpse seclogin -l

Checked the RSBDCOS0 (t-code SE38) and executed the command sapgenpse seclogin -l 2>&1

Command setspn -L SL-ABAP-SH1

Command klist

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Hello Andre,

Have your other servers where you have done it also been Windows servers?

Anyway, open a command window as sh1adm and run the "set" command. This will confirm if SECUDIR is set properly/permanently.

For Windows you do have to set it permanently in the Windows user environment.

Hope that helps.

KR,

Amerjit

Former Member
0 Kudos

Hi Amerjit,

Yes, all the other servers where I have done it are also Windows servers.

When you say Windows user environment, is that the environment where the server is?

Former Member
0 Kudos

Hi Andre,

It's a bit odd that it's not working as you expect on this machine if you have already set it up as per your other Windows systems.

When you ran SET from a cmd prompt, I guess you didn't find SECUDIR in the output?

Wherever you have defined user sh1adm you will set it there in the user environment.

I'm not in front of a Windows Server machine but this is how you'd go about it on Windows Desktop machines.

Logged on as sh1adm:

Open file explorer.

Right Click on Computer

Select properties

Advanced System Settings

Environment Variables

On the following screen you can set system wide or user specific environment variables. Set SECUDIR just for the user (you can use %variable% if you want).

Hope it helps.

KR,

Amerjit

Former Member
0 Kudos

I didn't understand your question of "When you ran SET from a cmd prompt, I guess you didn't find SECUDIR in the output ?"

The commands I ran are these:

1. set SECUDIR=F:\usr\sap\SH1\DVEBMGS01\sec

2. sapgenpse keytab -p SAPSNCSKERB.pse -a SL-ABAP-SH1@<DOMAIN>

3. sapgenpse seclogin -p SAPSNCSKERB.pse -O snl\SAPServiceSH1 -N


The output where we can see that the environmental variable is defined is below:

It could be confirmed also in RZ11 and SECUDIR parameter:

I have never defined the environment variable in the Windows environment, and I have also checked the configurations where I succeeded and there is nothing related to SECUDIR or SNC_LIB. However, I can try to do it; which variable should I add in the Environment Variables?

One question:

I think my problem is with the user I am logging on to the server with. I have checked in the AD and the user sh1adm is not created there; could that be the problem? For my successful configurations the users are created in AD, like dg1adm, qg1adm, etc.

Former Member
0 Kudos

Hello André,

1. Have you cross checked as per the suggestion of

You must make sure that the SETENV_05 is unique (no other SETENV_05 entries) and that there are no other entries trying to set SECUDIR.

2. Please run the following commands from RSBDCOS0 when logged on to SH1 and check what is returned for SECUDIR. Please also do this in a system where you have SNC working properly and compare the results.

Run: SET

Run: sapcontrol -nr 01 -function GetEnvironment

3. Please see the following OSS notes that will help you with environment setting.

1827566 - How to set environment variables for SAP system?

31559 - Setting/changing environment variables

800240 - FAQ: SAP Cryptographic Library error analysis (App. Server)

Kind Regards,

Amerjit

0 Kudos

Hi André

Does the ABAP system have the SETENV, SECUDIR parameter set within the instance profile?

i.e. SETENV_05 = SECUDIR=$(DIR_INSTANCE)/sec

Rgrds

Craig

Former Member
0 Kudos

Hi Craig,

I have those parameters already set, but it doesn't work.

Is it normal that this appears in the trace file dev_w0?

N    File "F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N    SECUDIR="C:\Users\sapservicesh1.SNL\AppData\Local\sec" (from APPDATA)


In my case, shouldn't it be "F:\usr\sap\SH1\DVEBMGS01\sec" instead of "C:\Users\sapservicesh1.SNL\AppData\Local\sec"?


Other question:

What name should my SNC SAPCRYPTOLIB PSE generated in STRUST have when I create it?
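
The checks suggested in the replies above (SETENV_05 is unique, only one entry sets SECUDIR, and the SECUDIR the work process actually reports in dev_w0 matches the profile) can be run in one pass. This is an added example, not code from any poster or from SAP; the profile and trace text are constructed samples, and the function names and the value of $(DIR_INSTANCE) are assumptions.

```python
import ntpath
import re

# Constructed sample inputs; the SECUDIR values mirror those quoted in the thread.
PROFILE = r"""
SETENV_05 = SECUDIR=$(DIR_INSTANCE)/sec
SETENV_05 = SAPCRYPTOLIB=F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll
snc/enable = 1
"""
TRACE = r"""
N    File "F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
N    SECUDIR="C:\Users\sapservicesh1.SNL\AppData\Local\sec" (from APPDATA)
"""
INSTANCE_DIR = r"F:\usr\sap\SH1\DVEBMGS01"  # assumed value of $(DIR_INSTANCE)

SETENV_RE = re.compile(r"^\s*(SETENV_\d+)\s*=\s*([^=\s]+)=(.*)$")
TRACE_RE = re.compile(r'SECUDIR="([^"]*)"\s*\(from ([^)]+)\)')

def norm(path):
    """Normalise a Windows path for comparison (slashes and case)."""
    return ntpath.normcase(ntpath.normpath(path))

def parse_setenv(profile_text):
    """Return (key, variable, value) for each SETENV_nn line, in file order."""
    hits = (SETENV_RE.match(line) for line in profile_text.splitlines())
    return [(m.group(1), m.group(2), m.group(3).strip()) for m in hits if m]

def trace_secudir(trace_text):
    """Return (path, source) from the last SECUDIR line of a dev_w* trace."""
    found = TRACE_RE.findall(trace_text)
    return found[-1] if found else None

def audit(profile_text, trace_text, instance_dir):
    """List findings: duplicate SETENV keys, SECUDIR entries, trace mismatch."""
    entries, findings = parse_setenv(profile_text), []
    keys = [key for key, _, _ in entries]
    for key in sorted(set(keys)):
        if keys.count(key) > 1:
            findings.append(f"{key} defined {keys.count(key)} times")
    secudir = [value for _, var, value in entries if var.upper() == "SECUDIR"]
    if len(secudir) != 1:
        findings.append(f"{len(secudir)} SETENV entries set SECUDIR, expected 1")
    seen = trace_secudir(trace_text)
    if secudir and seen:
        want = norm(secudir[-1].replace("$(DIR_INSTANCE)", instance_dir))
        if norm(seen[0]) != want:
            findings.append(f"trace uses {seen[0]} (from {seen[1]}), profile wants {want}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(PROFILE, TRACE, INSTANCE_DIR)))
```

An empty result means the profile has a single SECUDIR entry and the trace agrees with it; the PSE and cred_v2 files must then sit in that directory and be readable by the service account that runs the work processes.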