IT-Conductor Gateway Setup for SAP Secure Network Communications (SNC)

Secure Network Communication (SNC) is a software layer in the SAP System architecture that provides an interface to an external security product. SAP Systems offers basic security measures like SAP authorization and user authentication based on passwords. With SNC, you can include protection by an external security product. SNC provides application-level, end-to-end security, and secures all communications between two SNC-protected components. SNC protection only applies to connections that use SAP protocols such as dialog, RFC, or CPIC protocols.

Installation Instructions

Set SNC Environment Variables

On Windows:

1. Open the System Properties dialog and change the directory to "/opt/itconductor/conf".

1. Edit file startup. Add SECUDIR lines as shown below:

java_path=./jdk1.8.0_171/jre/bin/java
SECUDIR=/opt/itconductor/conf
export SECUDIR

Install SAP Cryptographic Library

1. Download the SAP Cryptographic Library ("SAPCRYPTOLIB.SAR" file) from the SAP Service Marketplace.

1. Extract and copy the library and the command-line tool to a local directory.

Configure SNC PSE

1. Obtain the SNC Distinguished Name (DN) for the IT-Conductor Gateway from your security team. (e.g., CN=IT-Conductor, OU=IT, O=ACME, C=US)

2. Decide on PSE Name. It could be "itconductor" or any valid name.

3. Create a local Personal Security Environment (PSE).

• To create the SNC PSE for IT-Conductor, use the command line tool sapgenpse.

• Run the following command to create a PSE in the directory corresponding to the SECUDIR environment variable:

sapgenpse get_pse  -p <PSE_Name> <DN>

sapgenpse.exe get_pse -p itconductor "CN=IT-Conductor, OU=IT, O=ACME, C=US"

./sapgenpse get_pse -p itconductor "CN=IT-Conductor, OU=IT, O=ACME, C=US"

• Exchange public-key certificates by export and import. IT-Conductor and SAP Systems must identify each other to communicate using SNC.

1. Export the public-key certificate corresponding to the above created local PSE (used by the IT-Conductor) as the following:

sapgenpse export_own_cert -v -o <output_file> -p <PSE_name>

sapgenpse.exe export_own_cert -v -o itconductor_pse.crt -p itconductor

./sapgenpse export_own_cert -v -o itconductor_pse.crt -p itconductor

1. For each SAP System, IT-Conductor will be connecting using SNC. Repeat the following steps:

a. Import the created client certificate into the SAP System using the trust manager (transaction code STRUST).

b. Export the server certificate from the SAP Server using the trust manager (transaction code STRUST).

c. Import the SAP Server certificate into the IT-Conductor PSE using the following command:

sapgenpse maintain_pk -v [-a <cert_file>] -p <PSE_name>

sapgenpse.exe maintain_pk -v -a C:\tmp\sap_system_XYZ.crt -p itconductor

./sapgenpse maintain_pk -v -a /tmp/sap_system_XYZ.crt -p itconductor

d. Update SNC name for IT-Conductor SAP accounts using Transaction code SU01.

Make sure to prefix the DN for each SAP Account you plan to use in IT-Conductor with "p:" as p:CN=IT-Conductor, OU=IT, O=ACME, C=US.

1. Grant SNC permissions to the operating system. The Gateway service running as SAP System requires active credentials at run-time to access its PSE. You can use the seclogin to open the PSE and create the required credentials.

sapgenpse seclogin [-p <PSE_name>] [-O <user_ID>]

The following command line grants SNC permissions for the user SYSTEM to access the file sap_plugin_pse.

sapgenpse.exe seclogin -p itconductor -O SYSTEM

./sapgenpse seclogin -p itconductor -O root