
SNC communication between servers

Hi, guys

We've already installed a 3rd party Identity Management software. Our target is to distribute a productive password from the IdM software to satellite environments. According to SAP Note "1287410 - BAPI_USER_CHANGE: Set productive password", communication between IdM and SAP needs to be encrypted with SNC in order to use the PRODUCTIVE_PWD parameter of the BAPI_USER_CHANGE BAPI.

We've enabled SNC in our ABAP application server with the following parameters:

  • snc/accept_insecure_cpic: 1
  • snc/accept_insecure_gui: 1
  • snc/accept_insecure_r3int_rfc: 1
  • snc/accept_insecure_rfc: 1
  • snc/data_protection/max: 3
  • snc/data_protection/min: 1
  • snc/data_protection/use: 9
  • snc/enable: 1
  • snc/extid_login_diag: 0
  • snc/extid_login_rfc: 0
  • snc/force_login_screen: 0
  • snc/gssapi_lib: /usr/lib64/libgssapi_krb5.so
  • snc/identity/as: p:SVcSMD_D_CSSO@xx.xx.xxx.xx
  • snc/permit_insecure_start: 1
  • snc/r3int_rfc_qop: 8
  • snc/r3int_rfc_secure: 0

On the other side, we've downloaded the SAP Cryptographic software and we've enabled SNC communication in the Java application of the 3rd party software:

  • Export SNC_LIB and SECUDIR environment variables
  • Create a PSE environment
    • ./sapgenpse get_pse -p $SECUDIR/OIM_DES.pse -x XXXXXXXXX "cn=myCN,ou=myOU,o=myCompany,c=XX"
  • Add credentials
    • ./sapgenpse seclogin -p OIM_DES.pse -x XXXXXXXXXXXxxx -O oracle
  • Exchange certificates between ABAP application server and 3rd party software

After that, we've tried to establish a productive password for a dummy user, but we receive the following error:

[2014-12-10T17:58:16.122+01:00] [oim_server1] [ERROR] [] [OIMCP.SAPU] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 89584c7bb1d2bdf6:3830fe27:14a351afc0a:-8000-0000000000000299,0] [APP: oim#11.1.1.3.0] oracle.iam.connectors.common.ConnectorException: Initialization of repository destination esfsgrssm01ld.fcc.es failed: connection closed without message (CM_NO_DATA_RECEIVED)

It seems there's a connection attempt, but the encrypted session couldn't be established due to some encryption problem. After some SCN investigation, we think we have to use the same cryptographic library in both partners (ABAP & 3rd party) and currently we're using different software (Kerberos library in ABAP part and SAP Cryptographic library in Java).

But we're using SSO in our production environment (SNC enabled with Kerberos library), so we can't use both libraries at the same time (Kerberos & SAP Cryptographic Lib).

So how can we enable SNC between servers and SSO with Kerberos at the same time?

Thanks,

Sergio


2 Answers

  • Dec 22, 2014 at 10:51 AM

    You need to use a Kerberos SNC library on the server running the IdM software, so I don't recommend using the SAP Cryptolib as this only supports use of X.509 certificates for server to server connections. As you indicated, you need to use the same protocol (Kerberos or X.509) at both ends, otherwise it would be like talking to somebody in German who only understands English :-)

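The point made in this answer (both SNC partners must run the same mechanism) and the profile parameters listed in the question can be checked mechanically before opening a connector trace. The following Python script is an added example, not code from the post, from SAP, or from any IdM connector. It infers the SNC mechanism from the library file name (the `libgssapi_krb5` and `libsapcrypto` prefixes are a heuristic assumed here), reports the configured data-protection levels, and lists the `snc/accept_insecure_*` parameters that still admit unprotected connections, which matters when a note requires the call to be encrypted. The profile excerpt is constructed from the values in the question.

```python
"""Audit SNC settings of an ABAP instance profile against the SNC library
configured on an RFC partner (for example a Java IdM connector).

Added example; the mechanism-by-library mapping is a heuristic, not an
SAP-documented API.
"""
import os

# Constructed profile excerpt built from the parameters posted in the question.
PROFILE_TEXT = """\
# instance profile excerpt (constructed sample)
snc/enable = 1
snc/gssapi_lib = /usr/lib64/libgssapi_krb5.so
snc/identity/as = p:SVcSMD_D_CSSO@xx.xx.xxx.xx
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 9
"""

# Heuristic (assumption of this example): library file name prefix -> SNC mechanism.
MECHANISM_BY_LIB = {
    "libgssapi_krb5": "kerberos",   # MIT/Heimdal GSS-API Kerberos library
    "libsapcrypto": "x509",         # SAP Cryptographic Library (X.509 for server-to-server)
    "sapcrypto": "x509",            # Windows file name of the same library
}

# Meaning of the snc/data_protection/* values.
PROTECTION_LEVELS = {
    "1": "authentication only",
    "2": "integrity",
    "3": "privacy (encryption)",
    "9": "maximum available",
}


def parse_profile(text):
    """Parse 'key = value' lines of an SAP instance profile into a dict.

    Lines starting with '#' are comments; values are kept as strings.
    """
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def infer_mechanism(lib_path):
    """Guess the SNC mechanism from the library file name; 'unknown' if unrecognised."""
    name = os.path.basename(lib_path).lower()
    for prefix, mechanism in MECHANISM_BY_LIB.items():
        if name.startswith(prefix):
            return mechanism
    return "unknown"


def audit_snc(profile, partner_lib):
    """Compare the server's SNC mechanism with the partner's and flag weak settings."""
    server_mechanism = infer_mechanism(profile.get("snc/gssapi_lib", ""))
    partner_mechanism = infer_mechanism(partner_lib)
    findings = []

    # Both ends must speak the same mechanism; otherwise the handshake fails
    # before any application data flows (the connector then sees a closed socket).
    mismatch = server_mechanism != partner_mechanism
    if mismatch:
        findings.append(
            f"SNC mechanism mismatch: server={server_mechanism}, partner={partner_mechanism}"
        )

    # accept_insecure_* = 1 keeps unprotected connections of that type allowed.
    insecure_accept = sorted(
        key for key, value in profile.items()
        if key.startswith("snc/accept_insecure_") and value == "1"
    )
    for key in insecure_accept:
        findings.append(f"{key} = 1: unprotected connections of this type are still accepted")
    if profile.get("snc/permit_insecure_start") == "1":
        findings.append("snc/permit_insecure_start = 1: programs may be started without SNC")

    min_level = profile.get("snc/data_protection/min", "")
    if min_level and min_level != "3":
        findings.append(
            f"snc/data_protection/min = {min_level} "
            f"({PROTECTION_LEVELS.get(min_level, '?')}): partners may negotiate no encryption"
        )

    return {
        "server_mechanism": server_mechanism,
        "partner_mechanism": partner_mechanism,
        "mechanism_mismatch": mismatch,
        "insecure_accept": insecure_accept,
        "min_protection": PROTECTION_LEVELS.get(min_level, "unset"),
        "findings": findings,
    }


if __name__ == "__main__":
    # Partner side configured with the SAP Cryptographic Library, as in the question.
    result = audit_snc(parse_profile(PROFILE_TEXT), "/opt/oim/snc/libsapcrypto.so")
    for finding in result["findings"]:
        print("-", finding)
```

Run as-is, the script reports the Kerberos-versus-X.509 mismatch that this answer describes, plus the four `snc/accept_insecure_*` flags and the minimum protection level of 1, which together mean the server would still accept an unencrypted RFC call; those are the settings to revisit once the partner has been switched to a Kerberos SNC library.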

    Former Member
    Apr 12, 2016 at 01:11 AM

    Hi, could you resolve this problem?

    I am facing a very similar scenario and wondering if an SAP System using the Kerberos library can communicate with an external RFC client using SNC with the SAP Cryptography library.

    How did you manage?
