How do I configure RFCs for SNC communication?
I'm an Oracle DBA / Basis Admin and am new to configuring SNC. So far I've been able to configure SAPgui sessions to communicate with systems using SNC but am having difficulty locating documentation to tell me how to get systems to use SNC with their RFC communication. Everything seems to assume you already have the prerequisite configuration complete and just says to go to SM59, go to the Logon & Security tab and click the SNC button. I, however, believe I'm missing the steps where I'm guessing I need to install a certificate for the other server/system.
I've exported different certificates out of STRUST on one system (SBX) and imported them into SNC SAPCryptolib on the other (SD2) and vice versa, and restarted the ICM each time but the connection test failes with this error:
|Error Details||GSS-API(maj): Miscellaneous failure GSS-API(min): A221021F:Server refuses certif|
|Error Details||ERROR: GSS-API(maj): Miscellaneous failure GSS-API(min): A221021F:Server refu|
|Error Details||LOCATION: SAP-Server SSBX4_SBX_00 on host SSBX4 (wp 4)|
|Error Details||DETAIL: SncPEstablishContext|
|Error Details||CALL: gss_init_sec_context|
|Error Details||COMPONENT: SNC (Secure Network Communication)|
|Error Details||COUNTER: 43|
|Error Details||MODULE: sncxxall.c|
|Error Details||LINE: 3551|
|Error Details||RETURN CODE: -4|
|Error Details||SUBRC: 0|
|Error Details||RELEASE: 721|
|Error Details||TIME: Tue Apr 05 09:12:25 2016|
|Error Details||VERSION: 6|
I don't even know if the partner name specified on the Logon & Security tab for the RFC definition under the SNC button is correct. I at least no longer get the "Unable to Determine Canonical SNC Name RC= 4-" error that I used to get but have no indication if what I do have is correct: The format for the Partner name that I'm using is:
p:CN=<FQDN>, OU=<SAP Customer ID>, OU=<Long Company Name>, O=<Short Company Name>, L=<City>, SP=<State>, C=<Country>
This partner name matches the X.509 name used in the other system's SSL server Standard PSE in STRUST.
Can someone help me with this, please, either by pointing me to documentation and/or by giving me a step by step for what to do to get this working?
Please let me know if there's any other information you need to help with this.
Thanks in advance!
Lutz Rottmann replied
Hi Jeff, it is unclear if you understood the dependency between
- the the snc/identity/as parameter
- the subject of a server's own certificate in SNC SAPCryptolib PSE (STRUST)
- Entries in SNC0
- The AD account's SPN attribute
FQDN is just completely irrelevant for SNC.
One example how I would do configuration:
First system: ABC (calling)
Second System: XYZ (called)
(The example is based on CommonCryptolib or Secure Login Library with Secure Login Client or SNC Client Encryption)
Configuration of System ABC:
- snc/identity/as = p:CN=systemABCcn
- SNC SAPCryptolib PSE Sybject= CN=systemABCcn
- AD account's SPN=SAP/systemABCcn
Configuration of system XYZ
- snc/identity/as= p:CN=systemXYZcn
- SNC SAP Cryptolib PSE Subject: CN=systemXYZcn
- AD account's SPN=SAP/systemXYZcn
- SNC0: include an entry
- System ID = ABC
- SNC name = p:CN=systemABCcn
To enable trust you have to export both certificates and import each into the other system's SNC SAPCryptolib PSE's Certificate list. You obviously did this.
Instead you could get both certificates signed by a CA and only import your CA's root certificate into the certificate list.
We only have one SNC SAPCryptolib PSE per system even if we have many application servers. I don't think you will get it work with one PSE per application server but I never tried. I am not sure if you tried this.
Since you seem to already have GUI-SNC (SAP SSO/SNC Client Encryption with Kerberos?) up and running you will have to start with your existing snc/identity/as and derive your certificate's subject from them. There are some implicit rules which SPN will match which snc/identity/as and subject. You might have to adhust your snc/identity/as parameters. You will find documentation on this here:
If you are not using SAP SSO or SNC Client Encryption this will get more interesting (and I will be out).