Ask or search…
Comment on page

IT-Conductor Gateway Setup for SAP Secure Network Communications (SNC)

Secure Network Communication (SNC) is a software layer in the SAP System architecture that provides an interface to an external security product. SAP Systems offers basic security measures like SAP authorization and user authentication based on passwords. With SNC, you can include protection by an external security product. SNC provides application-level, end-to-end security, and secures all communications between two SNC-protected components. SNC protection only applies to connections that use SAP protocols such as dialog, RFC, or CPIC protocols.

How to Prepare the IT-Conductor Gateway

Set SNC Environment Variables

On Windows:
Open the System Properties dialog and change the directory to "/opt/itconductor/conf".
Note: If SNC is already configured on the machine and the SECUDIR system environment variable is set, skip this step.
Edit file startup. Add SECUDIR lines as shown below:
export SECUDIR
Note: If SNC is already configured on the machine and SECUDIR uses the value of the existing environment variable.

Install SAP Cryptographic Library

1. Download the SAP Cryptographic Library ("SAPCRYPTOLIB.SAR" file) from the SAP Service Marketplace.
Figure 1: SAP Cryptographic Library
2. Extract and copy the library and the command-line tool to a local directory.
Figure 2: Extracting SAP Cryptographic Library
Command Line
Figure 3: Command to Check SECUDIR Set
Note: Make sure the SECUDIR environment variable is set. You can set it for the current session on Linux and make sure the value is the same as in the previous steps.

How to Configure SNC PSE

1. Obtain the SNC Distinguished Name (DN) for the IT-Conductor Gateway from your security team. (e.g., CN=IT-Conductor, OU=IT, O=ACME, C=US)
2. Decide on PSE Name. It could be "itconductor" or any valid name.
3. Create a local Personal Security Environment (PSE).
  • To create the SNC PSE for IT-Conductor, use the command line tool sapgenpse.
  • Run the following command to create a PSE in the directory corresponding to the SECUDIR environment variable:
sapgenpse get_pse -p <PSE_Name> <DN>
sapgenpse.exe get_pse -p itconductor "CN=IT-Conductor, OU=IT, O=ACME, C=US"
./sapgenpse get_pse -p itconductor "CN=IT-Conductor, OU=IT, O=ACME, C=US"
Figure 4: Creating Personal Security Environment
Note: The SNC DN "CN=IT-Conductor, OU=IT, O=ACME, C=US" is used for the optional "SNC Client Name" field in the IT-Conductor SAP Account.
  • Exchange public-key certificates by export and import. IT-Conductor and SAP Systems must identify each other to communicate using SNC.
1. Export the public-key certificate corresponding to the above created local PSE (used by the IT-Conductor) as the following:
sapgenpse export_own_cert -v -o <output_file> -p <PSE_name>
sapgenpse.exe export_own_cert -v -o itconductor_pse.crt -p itconductor
./sapgenpse export_own_cert -v -o itconductor_pse.crt -p itconductor
Figure 5: Exporting Public-Key Certificate
2. For each SAP System, IT-Conductor will be connecting using SNC. Repeat the following steps:
a. Import the created client certificate into the SAP System using the trust manager (transaction code STRUST).
b. Export the server certificate from the SAP Server using the trust manager (transaction code STRUST).
Note: If a server certificate does not exist, create a server certificate. For more information, contact your SAP Administrator.
Figure 6: Export Server Certificate
c. Import the SAP Server certificate into the IT-Conductor PSE using the following command:
sapgenpse maintain_pk -v [-a <cert_file>] -p <PSE_name>
sapgenpse.exe maintain_pk -v -a C:\tmp\sap_system_XYZ.crt -p itconductor
./sapgenpse maintain_pk -v -a /tmp/sap_system_XYZ.crt -p itconductor
Figure 7: Import SAP Server Certificate
d. Update SNC name for IT-Conductor SAP accounts using Transaction code SU01.
Make sure to prefix the DN for each SAP Account you plan to use in IT-Conductor with "p:" as p:CN=IT-Conductor, OU=IT, O=ACME, C=US.
Figure 8: Updating SNC Name
3. Grant SNC permissions to the operating system. The Gateway service running as SAP System requires active credentials at run-time to access its PSE. You can use the seclogin to open the PSE and create the required credentials.
sapgenpse seclogin [-p <PSE_name>] [-O <user_ID>]
The following command line grants SNC permissions for the user SYSTEM to access the file sap_plugin_pse.
The user name is SYSTEM, as the gateway runs under the Local System Account.
sapgenpse.exe seclogin -p itconductor -O SYSTEM
The user name is root, as the gateway runs under the root account.
./sapgenpse seclogin -p itconductor -O root
Figure 9: Granting SNC Permissions