
Setup SNC on ABAP system

Download SNC Client Encryption/Libraries SP04 patchlevel 3

Go to /usr/sap/<SID>/<INSTANCE>. Inside it create directory: "SLL"

Extract SNC client library to folder

AS ABAP Configuration
1. Log into your SAP System GUI.
2. Start transaction RZ10 and set the following parameters in your instance profile:

snc/permit_insecure_start 1
snc/accept_insecure_cpic 1
snc/identity/as p:CN=CA1, OU=PMX, O=GE, C=US
snc/gssapi_lib /usr/sap/<SID>/<Instance>/SLL/libsecgss.so
snc/enable 0
snc/accept_insecure_rfc 1
snc/accept_insecure_gui 1

Check whether these parameters are set as well (in most cases they already are):
ssf/ssfapi_lib
sec/libsapsecu
ssl/ssl_lib

All should point to $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)

3. Exit AS ABAP/Log off.

4. Restart the SAP System.
5. Once the system is restarted, go to transaction STRUST.
6. In transaction STRUST you will now find an entry in the left pane that says "SNC SAPCryptolib". It should have
a red "X" next to it. Right-click on it and select "Create". You'll notice the "SNC ID" is already filled in for
you. Select RSA+SHA256 and key size 2048, then click the green check mark.
7. Go back to RZ10. Change the value of "snc/enable" to 1.
8. Log out and restart the SAP system again.

Once you've restarted the system you can look in /usr/sap/<SID>/<Instance>/work/dev_w0 and see something
like this:
N Wed Aug 14 13:45:01 2013
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/usr/sap/EQ2/DVEBMGS51/SLL/libsecgss.so
N File "/usr/sap/<SID>/<Instance>/SLL/libsecgss.so" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x
N SncInit(): found snc/identity/as=p:CN=<SPN>@<ActiveDirectoryDomain>
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=Indefinite
M ***LOG R1Q=> p:CN=<SPN>@<ActiveDirectoryDomain> [thxxsnc.c 266]
M SNC (Secure Network Communication) enabled
If you don't see this but instead see errors, chances are your ABAP system no longer works (good
job). You'll have to manually edit your instance profile in /sapmnt/<SID>/profile and set snc/enable to
0. Then restart your system and troubleshoot (good luck).
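The RZ10 parameter list above and the dev_w0 check are easy to get slightly wrong by hand (a typo in the parameter name, or snc/enable left at 0 after the PSE is created). The script below is an added example, not part of the original write-up: it reads the SNC parameters from an instance profile, reports whether SNC is ready to be switched on, counts how many of the "accept_insecure"/"permit_insecure_start" bootstrap flags are still at 1, and confirms that dev_w0 reports SNC as enabled. The profile and trace excerpts are constructed from the values shown above (written in the "param = value" form RZ10 produces), and the SID/instance paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original write-up: sanity-check SNC parameters
# in an instance profile and the SNC lines of a dev_w0 trace.
# The profile and trace below are constructed; paths are placeholders.

tmp=$(mktemp -d)

# Constructed instance profile excerpt in the "param = value" form RZ10 writes.
cat > "$tmp/profile" <<'EOF'
# constructed instance profile (excerpt)
snc/enable = 1
snc/gssapi_lib = /usr/sap/SID/INST/SLL/libsecgss.so
snc/identity/as = p:CN=CA1, OU=PMX, O=GE, C=US
snc/permit_insecure_start = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
ssf/ssfapi_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
EOF

# Constructed dev_w0 excerpt in the shape the write-up shows.
cat > "$tmp/dev_w0" <<'EOF'
N SncInit(): found snc/gssapi_lib=/usr/sap/SID/INST/SLL/libsecgss.so
N SncInit(): Accepting Credentials available, lifetime=Indefinite
M SNC (Secure Network Communication) enabled
EOF

# profile_get FILE PARAM: print the value of PARAM; the last definition wins,
# as it does in RZ10. Accepts both "param = value" and "param value".
profile_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, key) == 1 {
            rest = substr($0, length(key) + 1)
            # only a whole-name match: "snc/enable" must not match "snc/enable_x"
            if (rest == "" || rest ~ /^[ \t=]/) {
                sub(/^[ \t]*=?[ \t]*/, "", rest)
                val = rest
            }
        }
        END { print val }' "$1"
}

# snc_ready FILE: succeed when snc/enable=1 and both the GSS-API library and
# the server identity are set, i.e. the minimum needed for step 7 to work.
snc_ready() {
    [ "$(profile_get "$1" snc/enable)" = "1" ] || return 1
    [ -n "$(profile_get "$1" snc/gssapi_lib)" ] || return 1
    [ -n "$(profile_get "$1" snc/identity/as)" ] || return 1
    return 0
}

# insecure_count FILE: number of bootstrap flags still set to 1. They are
# needed until SNC works; each one left at 1 afterwards keeps an unprotected
# connection path open, so the count is worth watching after go-live.
insecure_count() {
    n=0
    for p in snc/permit_insecure_start snc/accept_insecure_cpic \
             snc/accept_insecure_rfc snc/accept_insecure_gui; do
        [ "$(profile_get "$1" "$p")" = "1" ] && n=$((n + 1))
    done
    echo "$n"
}

# snc_enabled_in_trace FILE: succeed when dev_w0 reports SNC as enabled.
snc_enabled_in_trace() {
    grep -q 'SNC (Secure Network Communication) enabled' "$1"
}

snc_ready "$tmp/profile" && echo "profile: SNC parameters complete"
echo "profile: $(insecure_count "$tmp/profile") insecure-accept flags still at 1"
snc_enabled_in_trace "$tmp/dev_w0" && echo "trace: SNC enabled"
```

Point profile_get and snc_enabled_in_trace at the real /sapmnt/<SID>/profile/<instance profile> and /usr/sap/<SID>/<Instance>/work/dev_w0 to run the same checks on a live system; the checks are read-only.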

Create Client PSE and add client cert into Server

SAP_SNC.pdf

Commands used:

sapgenpse gen_pse -v -p /home/dg2adm/psecreation/DG2.pse

GESailPoint1+ (password)

SNC Name: CN=100727056, OU=DOM1, O=SAILPOINT, C=IN

sapgenpse export_own_cert -v -p /home/dg2adm/psecreation/DG2.pse -o /home/dg2adm/psecreation/MY_CLIENT_CERT.crt

sapgenpse maintain_pk -v -a /home/dg2adm/psecreation/DG2_server_certificate_base64.crt -p /home/dg2adm/psecreation/DG2.pse

Create login file for client PSE file


This step has to be done on the client, because the client's OS may differ from the OS of the
SAP server. How to do this is described in the PDF above.

sapgenpse seclogin -p /home/dg2adm/psecreation/DG2.pse

sapgenpse seclogin -p C:\SNC\Local_DG2.pse


Create a service user on the server for the client to log in with.
Assign the SNC name created above for the client to this user.

Make sure the user type is “communication data”.
