Skip to Content
Former Member
Jun 30, 2015 at 01:30 PM

GSS-API(maj) : No credential were supplied , Unable to establish security context


I want to Configure SAP Abap (standalone) to use X509 Authentication.

I followed the following steps.

  1. Created the profile parameter
  • ssf/name= SAPSECULIB
  • ssl/ssl_lib = C:\usr\sap\XYZ\SYS\exe\uc\NTAMD64\sapcrypto.dll
  • sec/libsapsecu = C:\usr\sap\XYZ\SYS\exe\uc\NTAMD64\sapcrypto.dll
  • ssf/ssfapi_lib = C:\usr\sap\XYZ\SYS\exe\uc\NTAMD64\sapcrypto.dll
  • snc/gssapi_lib = C:\usr\sap\xyz\SYS\exe\uc\NTAMD64\sapcrypto.dll
  • snc/identity/as = p:CN=sr3, OU=I0020217358, O=Mycompany Inc, C=US
  • Restart the server .

2. Created pse for server

  • Transaction strust
  • created sapcryptolib pse
  • SNC ID which is taken from the instance parameter "snc/identity/as."
  • Assign Password

3. Create PSE for the Client

  • Set the Environment variable SECUDIR to sec folder
  • Executed the command : sapgenpse gen_pse -v -p SR3.pse
  • Created pse with DN : CN=sr3, OU=I0020217358, O=XYZ Enterprise Solutions Holdings Inc, C=US
  • signed that certificate from ca authority and get sr3.crt ,
  • sapgenpse export_own_cert -v -p SR3.pse -o SR3.crt

4. Imported the Client Certificate to Server PSE.

  • Open the Node SNC (SAPCryptolib) again
  • Enter the SAPCryptolib password.
  • Import certificate button.
  • Set the file format to Base64 and choose the file
  • Added to Certificate List

5. Exported the Server Certificate.

  • At node SNC (SAPCryptolib),
  • Export certificate.
  • From the File tab, choose Base64 for the File format and provide a name for the file.

6. Imported the Server Certificate to the Client PSE

  • sapgenpse maintain_pk -v -a SR3.crt -p SR3.pse

7. Created the cred_v2 file

  • sapgenpse seclogin -p SR3.pse -x 123456 -O [<Windows_Domain>\]<sidadm>
  • runned sucessfully.

8. Allowed SNC RFC Connection.

  • Start Transaction SM30 and enter the view VSNCSYSACL.
  • Choose "E" for the Type of ACL entry.
  • Enter System ID and SNC name.
  • Save the entry.

9. Map the X.509 Certificate to the User.

The X.509 Certificate must be accepted for a successful Login.

  • Start Transaction SM30.
  • Enter VUSREXTID and click Maintain.
  • Using the view VUSREXTID, you can setup a mapping between the Distinguished Name provided by a X.509 Certificate and an ABAP User.
  • Choose the Distinguished Name for the External ID type.
  • Create a new entry and activate it.

10. set the Environment variable : snc_lib: C:\Program Files (x86)\SAP\FrontEnd\SAPgui\Encryption\secgss.dll .on th host where sap gui is installed.

I followed all this step successfully.

but when i am using sap gui with SCN enabled DN : p:CN=sr3, OU=I0020217358, O=Infor Enterprise Solutions Holdings Inc, C=US

i am receiving error.

GSS-API(maj) : No credential were supplied , Unable to establish security context.

Is there any thing I did wrong or missed in this steps?

Does Out of box pki is necessery for sap gui to use x509 certificate?


error.png (27.1 kB)