SNC setup for connection SAPGUI - ABAP (no SSO)
I am trying to set up SNC for our ABAP systems (Web AS 7.0). The goal of this setup for now is to be able to secure the connection between SAP GUI (generally running on Win XP clients) and the ABAP systems (HP-UX).
When I was looking through all the documentation and threads I mostly found issues regarding the setup of SSO combined with SNC. But we don't want to setup SSO (at least no right now), we only want to secure the channel and have the user log in just like he always does (w/ Username & PW).
I have performed the following steps so far:
- Created the SNC PSE (in <i>STRUST</i>, I used "<SID>snc" for DN, self-signed)
- Installation of SAP Cryptolib
- Updated profile with SNC parameters (along with environment variable <i>SECUDIR</i>)
The system started up correctly but when I tried to logon using SNC I first got the error message "<b>Unable to load sncgss32.dll</b>". For this case I renamed the sapcrypto.dll file on the client system (where the GUI is located) to sncgss32.dll and copied it into the SYSTEM32 folder. I have also set the environment variable SNC_LIB to sncgss32.dll. After this was done, a new error message started to pop, saying that <b>No credentials are supplied</b>.
My questions are the following:
- I have read something about not using the Cryptolib for the Win XP clients and use GSSKRB5.dll instead. Is this also required when I don't want to setup SSO? And if yes, where will I get that file?
- Do I have to create the credentials for the SNC? (with the SAPGENPSE program)
- Is the SNC PSE Password required for any of the steps?
- Is there anything necessary to be setup in SU01 in the SNC-tab for my purpose? I have read a lot about the SNC-Name but I am not really sure if it only affects SSO-aspects
- Or are there any other steps I am missing?
Thanks in advance,
Wolfgang Janzen replied
Well, as explained in my previous posting: SNC was not made for that requirement.
I only see one option: you can setup an SNC connection between two SAProuters (same as for the remote service connections between you and SAP) also known as "secure tunnel". SNC is then only used to encrypt the data which is transmitted over the SAProuter-SAProuter connection (but not outside that "tunnel"); SNC also provides a reliable authentication of both SAProuters (= communication peers).
The entire "pictures" then looks like this:
SAPGUI ---> SAProuter ---> SAProuter ---> ABAP server
Notice: this scenario is typically used for WAN connections.
It is <u>not</u> really suitable to install a SAProuter on each frontend PC.
I still recommend that you consider to use SNC to achieve both, data encryption and (mutual) authentication (which you can then use for SSO purposes).