SAP Knowledge Base Article

2979858 - Example SNC Configuration for AS AS ABAP with COMMONCRYPTOLIB

Component: BC-IAM-SSO-CCL (CommonCryptoLib), Version: 1, Released On: 13.10.2020

Symptom
You need to configure the application ABAP server for SNC connection to SAP Portal or application leveraging SAPJco

Environment
SAP Netweaver

Reproducing the Issue

RFC server to server Connection using SNC is required between the AS ABAP server and SAPJco used on SAP Netweaver Portal or standalone
SAPJco

Resolution
1. As of release 7.31 (see note 2015966 - minimum CommonCryptoLib version 8.4.20 or higher required) the transaction
SNCWIZARD can be used to configure the ABAP server for SNC. See documentation and example video tutorial on
using the wizard (Part 1:Kerberos Based SSO to application server) .
.
2. If the Wizard option is not available then proceed as per the documentation to use manual steps
In transaction STRUST create the SNC PSE (right click on the red X Icon for SNC SAPCryptolib entry and choose create
from the context Menu). For the Subject create a unique name not used for any other entry in STRUST and save the
entry . Now an X.509 server certificate for SNC usage has been configured.
Untitled.png
Set the minimum profile parameters to enable SNC on the server like the examples below. See transaction SNCCONFIG
for detailed descriptions of each parameter or the documenation . There are further parameters also documented that
allow further levels of security for SNC rfc connectivity to be set.
snc/enable = 1 (on next restart of the system SNC will be initialized)
snc/gssapi_lib = path to the commoncryptolib library (found in executable directory and delivered with SAP kernel)
e.g D:\usr\sap\CPI\D00\exe\sapcrypto.dll for windows platform
snc/identity/as = p:<distinguished name of the SNC PSE certificate created in STRUST> e.g. p:cn=CPI. The parameter
must be set correctly otherwise the system will not start up
A restart of the server is required after the profile parameters are set
For connection to communication partner like SAPJCo see the documentation
A connection must be defined in transaction SM59 and set the SNC identity of the target system . In this case target
ABAP system is CPI - value is derived from profile parameter snc/identity/as of the target system CPI or in the case of a
Portal/SAPJco the distinguished name of the X.509 certificate of the SNC PSE configured there must be used) . See
documentation for maintaing RFC connections
 Untitled2.png

3. In order for the Portal/SAPJco to trust the ABAP server the X.509 SNC certificate of the ABAP Netweaver server must be exported in order that it can
be imported to the PSE of the Portal/SAPJco.

In STRUST open the SNC Sapcryptolib folder and double click on the instance entry with green traffic light so it is selected and press the edit button
to begin working . Double click with the mouse in the subject field to prepare the servers' SNC certificate for export

Untitled3.png

In the certificate window select the xport certificate button to begin the export of the certificate - follow the subsequent dialog popup instructions. Now the
certificate can be imported to the Portal sever or PSE file used by the SAPjco.
 Untitled4.png

See Also
SNC Error codes
1848999 - Central Note for CommonCryptoLib 8 (SAPCRYPTOLIB)
2491573 - How to enable trace of CommonCryptoLib
Setting up SNC on AS Java 7.5

Keywords
SncPEstablishContext, GSSAPI

Attributes
Key Value

Other Components BC-SEC-SNC (Secure Network Communications)

Other Components BC-MID-CON-JCO (Java-Connector)

Other Components BC-JAS-SEC (Security, User Management)

Products
Products

SAP NetWeaver 7.4

SAP NetWeaver 7.5

SAP enhancement package 1 for SAP NetWeaver 7.3