Enabling SNC on SAP Connections

Revision 20160211

NOTE This document is confidential and proprietary of Denodo Technologies. No part of this document may be reproduced in any form by any means without prior written authorization of Denodo Technologies.

Copyright © 2018 Denodo Technologies Proprietary and Confidential

Goal

Secure Network Communications (SNC) provides stronger authentication and encryption mechanisms than the default security options of SAP.

This document explains how to enable Secure Network Communications (SNC) to secure the communications between Virtual DataPort and SAP. Take into account the following:

● In Virtual DataPort, you can enable SNC on the data sources that use SAP JCo (SAP Java Connector) to connect to SAP. These are:

○ BAPI data sources.

○ Multidimensional data sources with the adapters “SAP BI 7.x (BAPI)” or “SAP BW 3.x (BAPI)”.

SNC cannot be enabled in multidimensional data sources with the adapters “SAP BI 7.x (XMLA)” or “SAP BW 3.x (XMLA)”.

● SNC is used here to protect the communication channel (privacy protection). Users are still authenticated with their SAP username and password, not with the certificate in the PSE.

Content

In the host where the Virtual DataPort server is installed, execute these steps:

1. Open a command line and execute the following commands to create the Personal Security Environment (PSE) file:

cd C:\SAP\SNC\sec
SET SECUDIR=C:\SAP\SNC\sec
sapgenpse.exe gen_pse -v -p denodo_SAPSSLS.pse

(In cmd.exe, do not put spaces around the equals sign: "SET SECUDIR = C:\SAP\SNC\sec" defines a variable named "SECUDIR " with a trailing space, and sapgenpse will not find the directory. SECUDIR tells sapgenpse and the SAP Cryptographic Library where the PSE and the credentials file live; the process that later loads the library, here the Virtual DataPort server, must have the same variable set in its environment.)

You will see output like the following. sapgenpse asks for a PIN (it protects the private key stored in the PSE) and for the distinguished name (DN) of the PSE owner; note this DN, because it is the name you will enter in transaction SNC0 in step 6. At the end of the process you obtain the PSE file and a PKCS#10 certificate request.

Please enter PIN:
Please reenter PIN:
get_pse: Distinguished name of PSE owner: cn=server
Supplied distinguished name: "cn=server"
Creating PSE with format v2 (default)
Generating key (RSA, 2048-bits)... succeeded.
certificate creation... ok
PSE update... ok
PKRoot... ok
Generating certificate request... ok.
PKCS#10 certificate request for "C:\SAP\SNC\sec\denodo_SAPSSLS.pse":

-----BEGIN CERTIFICATE REQUEST-----
MIICVTCCAT0CAQAwEDEOMAwGA1UEAxMFYWx0ZWEwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQD7GZ46+OuMWAf9YhHs2hvh4DAb0xYTzm8kO8PwaoFCuJEK
CXf7l5qAf5Yd8UlAgyhf7pzOWL1XkKcnIo7/Mcmu6iYnXOd55jzbPWzH5iYWa9Cj
bbSJKfjESNexsgp5xJVdQB8Smefhy9YAq0cOSU1SOnoMBDs7agPgKyF1GhiG5EJp
s9Thrh3ZxSqzJYkY7T7Qrt5QYsgUhMxaBxJoCnLAVS9ImNoOPrwVp7d2Zw3JAR6A
WmlgosFcuiV/8HD5XipKz9V5LQgi+klGopYWsjhb+Oc2FGXRG+/rw5pDZ+xFZ4YQ
sV+LGktFj+UwP/NmIjGicYXCXsmBzhc81j05RPLNAgMBAAGgADANBgkqhkiG9w0B
AQUFAAOCAQEAvYt5HZS7TreD8N3gmkkBnUCPTbd/izl+8L2UW0YduH0ZFdcCn6z
xOY/zG7FfNTTBhoGbw0uzaPyn6yKgdAaIQ==
-----END CERTIFICATE REQUEST-----

2. Export the certificate of the PSE (its public part; the private key stays in the PSE) to a .crt file:

sapgenpse.exe export_own_cert -v -p denodo_SAPSSLS.pse -o denodo_SAPSSLS.crt

3. Create single sign-on credentials for the operating system account under which the Virtual DataPort server runs, so that it can open the PSE without being prompted for the PIN. This is the account of the host (a Windows domain or local user), not the SAP user that you will later enter in the BAPI data source or the multidimensional data source:

sapgenpse.exe seclogin -p denodo_SAPSSLS.pse -O <domain>\<user>

For example,

sapgenpse.exe seclogin -p denodo_SAPSSLS.pse -O CONTOSO\frank

You will see something like:

running seclogin with USER="frank"
creating credentials for user "CONTOSO\frank" (yourself)
 Oh, you supplied your own name explicitly
Adjusting credentials and PSE ACLs to include "CONTOSO\frank"
   C:\SAP\SNC\sec\cred_v2 ... ok.
   C:\SAP\SNC\sec\dnd_altea.pse ... ok.
   C:\SAP\SNC\sec\dnd_altea.pse ... ok.
Updated SSO-credentials (#1) for PSE "C:\SAP\SNC\sec\denodo_SAPSSLS.pse" "CN=server"

(The sample output was captured with a PSE named dnd_altea.pse; with the commands above, the file is denodo_SAPSSLS.pse.) The credentials are stored in the file cred_v2 in SECUDIR and allow the PSE to be opened without the PIN, so anyone who can read that file together with the PSE can act as this SNC identity: keep the permissions on SECUDIR restricted to the account that runs Virtual DataPort.

Note: if the user exists only on the local system (it does not belong to a Windows domain), execute:

sapgenpse.exe seclogin -p denodo_SAPSSLS.pse -O SYSTEM

4. Open SAP GUI and log-in.

5. Import the client certificate into SAP. To do this, follow these steps:

a. Start the transaction STRUST.

b. On the left side of the dialog, expand the node SNC SAPCryptolib and double-click on the server where you want to install the crt certificate generated in the previous steps.

c. If the certificate does not exist for this SAP Server, do the following:

i. Right-click System PSE

ii. Click Display <-> Change to enable the “Create” option.

d. Import the certificate by clicking the import button at the bottom of the dialog and selecting the file denodo_SAPSSLS.crt created before.

e. Click Add to Certificate List to add the imported certificate to the list of certificates of the System PSE.

6. Start the transaction SNC0. You will see a dialog like the following:

a. Click New entries. You will see a dialog like the following:

b. In the SNC Name box, enter the Distinguished Name (DN) you provided in the first step, in the form used by the SAP Cryptographic Library, i.e. prefixed with "p:" (for the example above, p:CN=server). This entry is what lets the SAP server recognize the certificate presented by Virtual DataPort.

c. Select, at least, the Entry for ext. ID activated check box.

d. Click the Save button:

7. Go back to the STRUST transaction and do the following:

a. Expand the node SNC SAPCryptolib and double-click the host where the certificate was imported. You will see a dialog like the following:

b. In the “Certificate List”, select the subject of the certificate you want to export.

c. Click the export button to export the certificate. Use the option Base64. Store it with the name dnd_abap_tazzari_out.crt.

8. In the host where the Virtual DataPort server runs, execute the following to import the server certificate (the .crt exported in the previous step) into the PSE, so that Virtual DataPort trusts the SAP server:

sapgenpse.exe maintain_pk -a dnd_abap_tazzari_out.crt -p dnd_altea.pse

Use the name of the PSE created in step 1 (denodo_SAPSSLS.pse if you kept that name); the command and output shown here were captured with a PSE named dnd_altea.pse.

You will see something like this:

maintain_pk for PSE "C:\SAP\SNC\sec\dnd_altea.pse"
Subject : CN=SNC, CN=ERP
PKList updated (1 entries total, 1 newly added)

9. In Virtual DataPort, open the configuration of the BAPI data source or a multidimensional data source with a BAPI adapter.

The user account used in the data source is a regular SAP user account without any special configuration. To see the SNC configuration of a user, do the following:

a. In SAP GUI, start the transaction SU01.

b. Enter the name of a user and click the “Display” icon.
c. Then, click the tab SNC to see the SNC configuration for that particular user. You will see a dialog like the following:

10. In Virtual DataPort, in the dialog to configure the data source, click Advanced and follow these steps (the steps to enable SNC are the same for both types of data sources):

a. Enter the path to the SAP Cryptographic Library. That is, the path to the file sapcrypto.dll (if the Server runs on Windows) or to libsapcrypto.so (if the Server runs on Linux). You can download this library from the SAP website.

b. Enter the Partner name. That is, the SNC name of the SAP server, which must be the value of snc/identity/as in the server profile (see Appendix A). For example, p:CN=SNC,CN=ERP.

c. Select the Security level. SAP offers three levels of protection: 1 (authentication only), 2 (integrity protection) and 3 (privacy protection). Only level 3 encrypts the traffic; with levels 1 and 2 the connection uses SNC but the data is sent in clear, so select level 3 if the goal is to hide the contents of the communication. The SAP server rejects connections that request a level below its snc/data_protection/min. In addition, you have these options:

i. Use the value from snc/data_protection/use: uses the default security level set by the SAP server.

ii. Use the value from snc/data_protection/max: uses the maximum level of security offered by the SAP server.

After creating the data source, you can use a network packet analyzer (e.g. Wireshark) on the Virtual DataPort host to check that the RFC traffic to the SAP server is encrypted. Bear in mind that with security level 1 or 2 the payload is still readable in the capture even though SNC is active; only level 3 (privacy protection) hides it.

Appendix A: Configuration Properties of SAP

At the SAP server, the profile configuration file (in our scenario: C:\usr\sap\ERP\SYS\profile\ERP_DVEBMGS03_tazzari) has to have the following properties.

# Properties related to SNC configuration
snc/enable = 1
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 3
snc/permit_insecure_start = 1
snc/identity/as = p:CN=SNC,CN=ERP
snc/extid_login_diag = 1
snc/extid_login_rfc = 1
spnego/construct_SNC_name = 111
snc/gssapi_lib = C:\usr\sap\ERP\DVEBMGS03\exe\sapcrypto.dll

Note that this is a permissive profile: snc/accept_insecure_gui, snc/accept_insecure_cpic, snc/accept_insecure_rfc and snc/accept_insecure_r3int_rfc are all set to 1, so the server still accepts SAP GUI, CPIC and RFC connections that do not use SNC at all, and snc/data_protection/min = 2 accepts SNC connections that are integrity-protected but not encrypted. This is convenient while SNC is being rolled out, but it means that a Virtual DataPort data source (or any other client) configured without SNC, or with security level 1 or 2, is still accepted. Once every client uses SNC, set the snc/accept_insecure_* parameters to 0 and snc/data_protection/min to 3 to enforce encryption.
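The following script is an added example for this document; it is not Denodo or SAP code. It parses the Appendix A profile fragment (copied inline as constructed sample input, one parameter per line), reports the parameters that still allow unprotected or unencrypted connections, produces a hardened copy, and resolves the security level chosen in step 10c (1 to 3, or the two "use the value from" options, which SNC encodes as 8 and 9) against the server profile. The parameter names and the level scale are SAP's; the function names, severity labels and the target values used by harden() are the example's own choices.

```python
"""Audit the SNC parameters of an SAP instance profile (added example)."""

# Constructed sample input: the Appendix A fragment, one parameter per line.
PROFILE_FROM_APPENDIX = """\
# Properties related to SNC configuration
snc/enable = 1
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 3
snc/permit_insecure_start = 1
snc/identity/as = p:CN=SNC,CN=ERP
snc/extid_login_diag = 1
snc/extid_login_rfc = 1
spnego/construct_SNC_name = 111
snc/gssapi_lib = C:\\usr\\sap\\ERP\\DVEBMGS03\\exe\\sapcrypto.dll
"""

# SNC quality-of-protection levels; 8 and 9 are the "use the value from
# snc/data_protection/use" and ".../max" options of step 10c.
QOP_AUTH_ONLY, QOP_INTEGRITY, QOP_PRIVACY = 1, 2, 3
QOP_USE_DEFAULT, QOP_USE_MAX = 8, 9

# Channels for which the profile can keep a non-SNC (cleartext) path open.
INSECURE_CHANNELS = ("gui", "cpic", "rfc", "r3int_rfc")


def parse_profile(text):
    """Parse 'key = value' lines of an SAP profile; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            params[key.strip()] = value.strip()
    return params


def audit_snc(params):
    """Return (severity, message) findings for settings that weaken SNC."""
    if params.get("snc/enable") != "1":
        return [("high", "snc/enable is not 1: SNC is not active on this instance")]
    findings = []
    min_qop = int(params.get("snc/data_protection/min", "1"))
    if min_qop < QOP_PRIVACY:
        findings.append(("high", f"snc/data_protection/min = {min_qop}: SNC connections "
                         "without encryption are accepted (only level 3 encrypts)"))
    for channel in INSECURE_CHANNELS:
        key = f"snc/accept_insecure_{channel}"
        if params.get(key) == "1":
            findings.append(("high", f"{key} = 1: {channel} connections without SNC "
                             "are still accepted"))
    if params.get("snc/permit_insecure_start") == "1":
        findings.append(("medium", "snc/permit_insecure_start = 1: external programs "
                         "may be started without SNC"))
    if params.get("snc/r3int_rfc_secure") == "0":
        findings.append(("medium", "snc/r3int_rfc_secure = 0: internal RFC is not "
                         "protected by SNC"))
    if not params.get("snc/identity/as", "").startswith("p:"):
        findings.append(("low", "snc/identity/as missing or not of the form p:<DN>"))
    return findings


def harden(params):
    """Copy of the profile with the weak values reported by audit_snc() corrected.

    Target values are this example's assumption of a fully enforced setup.
    """
    fixed = dict(params)
    fixed["snc/data_protection/min"] = str(QOP_PRIVACY)
    for channel in INSECURE_CHANNELS:
        fixed[f"snc/accept_insecure_{channel}"] = "0"
    fixed["snc/permit_insecure_start"] = "0"
    fixed["snc/r3int_rfc_secure"] = "1"
    return fixed


def effective_qop(requested, params):
    """Resolve the level a client requests (1-3, 8 or 9) against the profile.

    Returns the level the connection would use, or None when the server
    rejects the request because it is below snc/data_protection/min.
    """
    if requested == QOP_USE_DEFAULT:
        requested = int(params["snc/data_protection/use"])
    elif requested == QOP_USE_MAX:
        requested = int(params["snc/data_protection/max"])
    if requested < int(params.get("snc/data_protection/min", "1")):
        return None
    return requested


def partner_name_matches(configured, params):
    """Check the Partner name of step 10b against snc/identity/as.

    sapgenpse prints the DN with a space after each comma ("CN=SNC, CN=ERP")
    while the profile has none, so spaces after commas are ignored.
    """
    def norm(name):
        return name.replace(", ", ",").strip()
    return norm(configured) == norm(params.get("snc/identity/as", ""))


if __name__ == "__main__":
    profile = parse_profile(PROFILE_FROM_APPENDIX)
    for severity, message in audit_snc(profile):
        print(f"[{severity}] {message}")
    print("hardened profile findings:", audit_snc(harden(profile)))
    print("level 8 negotiates:", effective_qop(QOP_USE_DEFAULT, profile))
    print("level 1 negotiates:", effective_qop(QOP_AUTH_ONLY, profile))
```

Run it against the profile from Appendix A and it reports five high findings (the minimum level of 2 and the four accept_insecure_* channels) and two medium ones. Apply the hardened values only after every client, including SAP GUI users, has SNC configured: with accept_insecure_* = 0 the server refuses any connection that does not use SNC.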

The following link explains in more detail the meaning of these properties: