
How do I configure RFCs for SNC communication?

Hello Everyone,

I'm an Oracle DBA / Basis Admin and am new to configuring SNC.  So far I've been able to configure SAPgui sessions to communicate with systems using SNC but am having difficulty locating documentation to tell me how to get systems to use SNC with their RFC communication.  Everything seems to assume you already have the prerequisite configuration complete and just says to go to SM59, go to the Logon & Security tab and click the SNC button.  I, however, believe I'm missing the steps where I'm guessing I need to install a certificate for the other server/system.

I've exported different certificates out of STRUST on one system (SBX) and imported them into SNC SAPCryptolib on the other (SD2) and vice versa, and restarted the ICM each time, but the connection test fails with this error:

LogonCancel
Error DetailsGSS-API(maj): Miscellaneous failure GSS-API(min): A221021F:Server refuses certif
Error DetailsERROR: GSS-API(maj): Miscellaneous failure GSS-API(min): A221021F:Server refu
Error DetailsLOCATION: SAP-Server SSBX4_SBX_00 on host SSBX4 (wp 4)
Error DetailsDETAIL: SncPEstablishContext
Error DetailsCALL: gss_init_sec_context
Error DetailsCOMPONENT: SNC (Secure Network Communication)
Error DetailsCOUNTER: 43
Error DetailsMODULE: sncxxall.c
Error DetailsLINE: 3551
Error DetailsRETURN CODE: -4
Error DetailsSUBRC: 0
Error DetailsRELEASE: 721
Error DetailsTIME: Tue Apr 05 09:12:25 2016
Error DetailsVERSION: 6

I don't even know if the partner name specified on the Logon & Security tab for the RFC definition under the SNC button is correct. I at least no longer get the "Unable to Determine Canonical SNC Name RC= 4-" error that I used to get, but have no indication if what I do have is correct. The format for the Partner name that I'm using is:

p:CN=<FQDN>, OU=<SAP Customer ID>, OU=<Long Company Name>, O=<Short Company Name>, L=<City>, SP=<State>, C=<Country>

This partner name matches the X.509 name used in the other system's SSL server Standard PSE in STRUST.

Can someone help me with this, please, either by pointing me to documentation and/or by giving me a step by step for what to do to get this working?

Please let me know if there's any other information you need to help with this.

Thanks in advance!

Jeff


Hi Jeff, it is unclear if you understood the dependency between

  • the snc/identity/as parameter
  • the subject of a server's own certificate in SNC SAPCryptolib PSE (STRUST)
  • Entries in SNC0
  • The AD account's SPN attribute

FQDN is just completely irrelevant for SNC.

One example of how I would do the configuration:

First system: ABC (calling)

Second System: XYZ (called)

(The example is based on CommonCryptolib or Secure Login Library with Secure Login Client or SNC Client Encryption)

Configuration of System ABC:

  • snc/identity/as = p:CN=systemABCcn
  • SNC SAPCryptolib PSE Subject = CN=systemABCcn
  • AD account's SPN=SAP/systemABCcn


Configuration of system XYZ

  • snc/identity/as= p:CN=systemXYZcn
  • SNC SAP Cryptolib PSE Subject: CN=systemXYZcn
  • AD account's SPN=SAP/systemXYZcn
  • SNC0: include an entry
    • System ID = ABC
    • SNC name = p:CN=systemABCcn


To enable trust you have to export both certificates and import each into the other system's SNC SAPCryptolib PSE's Certificate list. You obviously did this.

Instead you could get both certificates signed by a CA and only import your CA's root certificate into the certificate list.

We only have one SNC SAPCryptolib PSE per system even if we have many application servers. I don't think you will get it to work with one PSE per application server, but I never tried. I am not sure if you tried this.

Since you seem to already have GUI-SNC (SAP SSO/SNC Client Encryption with Kerberos?) up and running, you will have to start with your existing snc/identity/as and derive your certificate's subject from them. There are some implicit rules which SPN will match which snc/identity/as and subject. You might have to adjust your snc/identity/as parameters. You will find documentation on this here:

Supporting Authentication with Kerberos and X.509 on SAP NetWeaver AS ABAP - What Is Secure Login? - SAP Library

If you are not using SAP SSO or SNC Client Encryption this will get more interesting (and I will be out).

Regards,

Lutz
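Added example, not code from the thread, from Lutz or from SAP: a small Python check that encodes the dependencies listed in the answer above (snc/identity/as, SNC SAPCryptolib PSE subject, the SPN pattern of the example, the SNC0 entry on the called side, mutual certificate import, and the SM59 partner name being the called system's SNC name rather than its SSL server PSE subject). The system IDs and CNs are the answer's constructed ones; the FQDN-style partner name used as the failing case is a constructed value in the shape of the question's format.

```python
# Added example (not from the thread or SAP): consistency check for the SNC
# dependencies in the answer above; SIDs and CNs are the answer's constructed ones.
from dataclasses import dataclass, field

@dataclass
class SncSystem:
    sid: str
    identity_as: str                 # profile parameter snc/identity/as
    pse_subject: str                 # subject of own cert in SNC SAPCryptolib PSE
    spn: str                         # servicePrincipalName of the AD account
    snc0: dict = field(default_factory=dict)            # SNC0: System ID -> SNC name
    trusted_subjects: set = field(default_factory=set)  # certificate list of SNC PSE

def check_system(s):
    """Rules that must hold within a single system."""
    issues = []
    if not s.identity_as.startswith("p:"):
        issues.append(f"{s.sid}: snc/identity/as needs the p: prefix for an X.509 name")
    elif s.identity_as[2:] != s.pse_subject:
        issues.append(f"{s.sid}: snc/identity/as does not match the SNC PSE subject")
    rdn = s.pse_subject.split(",")[0].strip()
    cn = rdn[3:] if rdn.startswith("CN=") else rdn
    if s.spn != f"SAP/{cn}":                  # pattern used in the answer's example
        issues.append(f"{s.sid}: SPN {s.spn!r} does not follow SAP/{cn}")
    return issues

def check_rfc(caller, called, sm59_partner):
    """Rules for an SNC-protected RFC destination caller -> called."""
    issues = check_system(caller) + check_system(called)
    # SM59 partner name is the called system's SNC name, not its SSL PSE subject
    if sm59_partner != called.identity_as:
        issues.append(f"SM59 partner {sm59_partner!r} != {called.sid} snc/identity/as")
    # the called system must list the caller in SNC0 under the caller's SNC name
    if called.snc0.get(caller.sid) != caller.identity_as:
        issues.append(f"{called.sid}: SNC0 lacks {caller.sid} with {caller.identity_as}")
    # mutual trust: each SNC PSE certificate list holds the other side's certificate
    for a, b in ((caller, called), (called, caller)):
        if b.pse_subject not in a.trusted_subjects:
            issues.append(f"{a.sid}: SNC PSE does not trust certificate of {b.sid}")
    return issues

if __name__ == "__main__":
    abc = SncSystem("ABC", "p:CN=systemABCcn", "CN=systemABCcn", "SAP/systemABCcn",
                    trusted_subjects={"CN=systemXYZcn"})
    xyz = SncSystem("XYZ", "p:CN=systemXYZcn", "CN=systemXYZcn", "SAP/systemXYZcn",
                    snc0={"ABC": "p:CN=systemABCcn"}, trusted_subjects={"CN=systemABCcn"})
    print(check_rfc(abc, xyz, "p:CN=systemXYZcn") or "configuration consistent")
    # constructed mistake: partner name taken from the SSL server PSE (FQDN) instead
    print(check_rfc(abc, xyz, "p:CN=xyz.example.com, O=Example, C=US"))
```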
