
SNC: Using SNC to Encrypt Traffic - Client/Server (No SSO)

Former Member
0 Kudos

Hello everyone,

I am using SNC to Encrypt Client/Server GUI Traffic from Windows GUI clients to SAP AS ABAP running on Solaris 10.  SSO is not a consideration in this configuration.

I have read the "Installation, Configuration, and Administration Guide - SAP NetWeaver Single Sign-On SP1".  My AS ABAP System is now configured and running an SNC X.509 Configuration as described in section 3.1 (Starting on Page 19) of this document.  All well so far.  dev_w0 confirms SNC is enabled on AS ABAP.

My Windows GUI Installation (SAPGUI 7.30 - Patch 2) has SNC enabled.

On the "Network" tab of the given GUI Connection I have checked "Activate Secure Network Communication" and have entered the same "SNC Name" as is entered in "snc/identity/as", which corresponds to the PSE that has been entered using STRUST (obviously).

The Server SNC Key is signed by a root certificate I created using "snc createroot".

My GUI won't allow the connection because seemingly it can't resolve the trust path back to my self-created rootCA (makes sense).

My question: is there any way to get the GUI to recognize and trust my self-created root-CA or am I forced into abandoning this solution and using Kerberos as described starting on Page 22 (with Section 3.2) and in this overview?

Many thanks for your thoughts...

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Philipp,

you did make use of the wrong documentation I would assume. Please check the docs at the help portal. You can also find additional information in note 1643878.

Regards,

Patrick

9 REPLIES

0 Kudos

So Kerberos is the only way to implement the solution?  X.509 is not viable?

0 Kudos

Also, do you have thoughts on which of these documents are appropriate?:

  • Secure Login Implementation Guide
  • Password Manager Implementation Guide
  • Identity Provider Implementation Guide
  • Security Token Service Implementation Guide

0 Kudos

Hi Philipp,

you are correct, the free SNC solution needs a Kerberos integration to verify the systems and to get the tokens for encryption. Is there any reason for you not to make use of Kerberos?

With regards to the documentation, the links you refer to are from different products and features all not related to the free SNC solution. The closest match would be the Secure Login Implementation Guide, although this does refer to the SAP NetWeaver SSO product and NOT to the free encryption only SNC solution.

The correct documentation can be found in the SAP Help portal only.

0 Kudos

Is there any reason for you not to make use of Kerberos?

I'm just not looking forward to working with our AD team.   I'll manage with them somehow.

Thanks again for the input.

0 Kudos

Hello Patrick,

I've actually inquired with our client partner if you are available to help us implement this.

I do have one question regarding the documentation you referred me to.

On this page it says

  1. Create the technical accounts in Microsoft Active Directory for your SAP NetWeaver AS ABAP systems and assign service principal names. For more information about the configuration of the Microsoft Active Directory server, see the documentation that came with your product. 

My AD People have created a Service account and a Service Principal Name (SPN); however, it is not working.

The Service Account is named SA_Kerberos<SID> and the SPN is SAP/Keberos<SID>.

The instructions didn't give any specific format or instruction on what the SA or SPN should be named in the resources you referred me to.  Were these correct?  I found them referenced here on pages 24 and 25.

0 Kudos

Hi Philipp,

did you check note 1643878 for release restrictions? The new feature requires patches to the SAP GUI and the kernel, this might be a reason why your setup is failing.

The names should be ok unless you used <SID> literally and did not replace them with the SID of the system in question  😉

Please check the service principal names you entered. They are case sensitive!

Did you do a trace as suggested here? What has been the result?

Regards,

Patrick

0 Kudos

When I try to run the installer on the SNC client add-on it indicates the add-on is already present (only option is to uninstall).

The trace produces the attached file.

Yes, <SID> and <DOMAIN> contain appropriate values (which are all caps), but have been redacted out of this log.

0 Kudos

Hi Patrick.  I have good news.  We now have SNC working.

I've developed a document in consultation with our onsite SAP America Consultant which explains the process (hopefully a bit better than SAP's documentation).  It's under review and hopefully will be posted soon.