The configuration below is required to enable Secure Network Communications (SNC) between SAP GUI and SAP ABAP systems.
Prerequisites:
In addition to the usual SAP BASIS transactions, we need the following transactions:
SNCCONFIG
SNCWIZARD
We also need the following details:
SAP System ID
Fully qualified message server hostname
Installation number
CommonCryptoLib version must be at least CommonCryptoLib 8.5.2.
Take snapshots of the SAP instance and default profiles, and of the SNCCONFIG and STRUST settings.
Transaction RZ10 > Import the most recent version of profiles
Take backup of profiles at OS level
Procedure:
Configure SNC
Transaction RZ10 > Import the newest version of profiles
Transaction SNCWIZARD
Continue
Copy the SNC identity parameter generated by the wizard. It looks like this:
p:CN=, OU=, OU=SAP Web AS, O=SAP Trust Community, C=DE
Replace the parameter value with the following format, per your client CA requirement:
p:CN=, OU=, L=, O=, SP=, C=, EMAIL=<email>
Please note:
The message server host is defined within the SAP Logon pad.
The installation number, OU=, is unique to each SAP environment.
Continue
Continue
Continue
If you are prompted to configure Kerberos Credentials, click on Skip.
Continue
Transaction STRUST opens in a separate window.
Expand the folder and double-click SNC SAPCryptolib.
The self-signed SNC SAPCryptolib certificate created via SNCWIZARD earlier appears here.
Click Create Certificate Request.
Select all and copy the certificate request (without empty lines).
Paste it in Notepad (without empty lines) and save it as “_SNC.csr”.
Exit transaction STRUST and return to SNCWIZARD
Complete
Request client signed certificate
Update DEFAULT.PFL
While waiting for the signed certificate, update the following parameters in DEFAULT.PFL.
Verify the file libsapcrypto.so exists on the OS level, in /usr/sap//SYS/exe/run directory.
Transaction RZ10
Parameter          Required value
snc/gssapi_lib     /usr/sap//SYS/exe/run/libsapcrypto.so
spnego/enable      0
Save changes.
Restart the SAP application once the parameter changes are done.
Import client signed certificates (*.p7b file)
Double-click to open the *.p7b file
Expand certificates
It contains 3 certificates - Issuing, Root & Server.
All 3 certificates must be exported and combined in a single text file. Here is how:
Right-click the server certificate “<host>.<domain>.com” > All Tasks > Export, in Base-64 encoded X.509 format; save each *.cer file to your desktop location.
Next
Select “Base-64 encoded X.509 (.CER)” > Next
File name = Next
Finish
OK
Repeat the same steps above to export the "root" and "issuing" certificates.
Close the certmgr screen.
Open each *.cer file with Notepad and combine all 3 certificates into 1 document, in this specific order: server, root and issuing.
Delete any extra empty lines or carriage returns.
Then, save as a text file. For example: __signed.txt
Login to SAP system
Execute transaction STRUST
Switch to change mode.
Expand the folder and double-click SNC SAPCryptolib.
Under Own Certificate, select "Import certificate response"
Copy and paste the certificate chain (server, root and issuing) and confirm there are no empty lines at the start and end of the file.
Continue
SNC certificate is now signed.
Save changes.
Restart SAP after successful SNC configuration, update the GUI entry and test the SNC connection.
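Added example (not part of the original procedure): a Python sketch of the Notepad combine step, which builds the chain text in the order given above (server, root, issuing), strips carriage returns and empty lines, and rejects an export that is not a single Base-64 certificate. The function names and the sample certificate bodies are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def normalize_cert(text, label):
    """Return one Base-64 certificate with CRs and empty lines removed."""
    blocks = PEM_RE.findall(text.replace("\r", ""))
    if len(blocks) != 1:
        raise ValueError(f"{label}: expected exactly 1 certificate, found {len(blocks)}")
    body = [ln.strip() for ln in blocks[0].split("\n") if ln.strip()]
    try:
        base64.b64decode("".join(body), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"{label}: body is not valid Base-64") from exc
    return "\n".join(["-----BEGIN CERTIFICATE-----", *body, "-----END CERTIFICATE-----"])

def build_chain(server, root, issuing):
    """Combine in the order the procedure gives: server, root, issuing."""
    parts = [normalize_cert(server, "server"),
             normalize_cert(root, "root"),
             normalize_cert(issuing, "issuing")]
    if len(set(parts)) != 3:
        raise ValueError("the same certificate was supplied more than once")
    return "\n".join(parts)  # no leading, trailing or interior empty lines

def constructed_cer(tag):
    # Constructed placeholder body with CRLF and stray blank lines,
    # standing in for a *.cer export; it is not a real X.509 certificate.
    b64 = base64.b64encode(f"constructed {tag} certificate".encode() * 4).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("\r\n\r\n-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines)
            + "\r\n-----END CERTIFICATE-----\r\n\r\n")

if __name__ == "__main__":
    chain = build_chain(*(constructed_cer(t) for t in ("server", "root", "issuing")))
    print(chain)  # text ready to paste into "Import certificate response"
```

With real exports, read each *.cer file as text and pass the three strings to build_chain in the same order.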