
How do I configure RFCs for SNC communication?

jeff_lashock
Explorer
0 Kudos

Hello Everyone,

I'm an Oracle DBA / Basis Admin and am new to configuring SNC.  So far I've been able to configure SAPgui sessions to communicate with systems using SNC but am having difficulty locating documentation to tell me how to get systems to use SNC with their RFC communication.  Everything seems to assume you already have the prerequisite configuration complete and just says to go to SM59, go to the Logon & Security tab and click the SNC button.  I, however, believe I'm missing the steps where I'm guessing I need to install a certificate for the other server/system.

I've exported different certificates out of STRUST on one system (SBX) and imported them into SNC SAPCryptolib on the other (SD2) and vice versa, and restarted the ICM each time, but the connection test fails with this error:

GSS-API(maj): Miscellaneous failure GSS-API(min): A221021F:Server refuses certif
ERROR: GSS-API(maj): Miscellaneous failure GSS-API(min): A221021F:Server refu
LOCATION: SAP-Server SSBX4_SBX_00 on host SSBX4 (wp 4)
DETAIL: SncPEstablishContext
CALL: gss_init_sec_context
COMPONENT: SNC (Secure Network Communication)
COUNTER: 43
MODULE: sncxxall.c
LINE: 3551
RETURN CODE: -4
SUBRC: 0
RELEASE: 721
TIME: Tue Apr 05 09:12:25 2016
VERSION: 6

I don't even know if the partner name specified on the Logon & Security tab for the RFC definition under the SNC button is correct.  I at least no longer get the "Unable to Determine Canonical SNC Name RC= 4-" error that I used to get but have no indication if what I do have is correct:  The format for the Partner name that I'm using is:

p:CN=<FQDN>, OU=<SAP Customer ID>, OU=<Long Company Name>, O=<Short Company Name>, L=<City>, SP=<State>, C=<Country>

This partner name matches the X.509 name used in the other system's SSL server Standard PSE in STRUST.

Can someone help me with this, please, either by pointing me to documentation and/or by giving me a step by step for what to do to get this working?

Please let me know if there's any other information you need to help with this.

Thanks in advance!

Jeff

Accepted Solutions (1)

former_member202592
Participant
0 Kudos

Hello Jeff,

In the SAP Help documentation below you can find all information necessary in order to configure SNC for RFC connections:

Configuring SNC: Using RFC from AS ABAP - Secure Network Communications (SNC) - SAP Library

Best regards,

Filipe Santos

jeff_lashock
Explorer
0 Kudos

Hello Filipe,

Thank you for your response.  I had seen that page before and, while it may have helped with determining the format for SNC names, it doesn't say anything about certificates and whether or not it is necessary to load certs from other systems that each system will be communicating with.  Does that mean that loading these other certificates isn't necessary?

I stated in my original post that I attempted to load the certs for SBX into SD2 and loaded the certs for SD2 into SBX.  This morning, after following the link you provided, I decided to go into SNC0 and define all systems and servers for our environment.  For systems with more than just the Central Instance, I defined all of the app servers for that system there.  They were all defined using the same format that I mentioned before:

p:CN=<FQDN>,OU=<SAP Customer ID>,OU=<Long Company Name>,O=<Short Company Name>,L=<City>,SP=<State>,C=<Country>

I then went back to SM59 and tested the connection again.  This time the error was slightly different:

GSS-API(maj): Miscellaneous failure GSS-API(min): A2200202:Actual server namedi
ERROR: GSS-API(maj): Miscellaneous failure GSS-API(min): A2200202:Actualserv
LOCATION: SAP-Server SSBX4_SBX_00 on host SSBX4 (wp4)
DETAIL: SncPEstablishContext
CALL: gss_init_sec_context
COMPONENT: SNC (Secure Network Communication)
COUNTER: 7
MODULE: sncxxall.c
LINE: 3551
RETURN CODE: -4
SUBRC: 0
RELEASE: 721
TIME: Thu Apr 07 14:06:09 2016
VERSION: 6

So, now, instead of "A221021F:Server refuses certif", I'm receiving "A2200202:Actual server name di" which, when not cut off, is "A2200202:Actual server name differs from requested one.".  I don't understand which names it's talking about.  I assume one is the SNC Partner name I gave after I clicked on the SNC button, but what is it comparing it with?  Do I need to change the format for the SNC Partner name, whatever it's comparing it with, or both?

Any help you can provide is, of course, much appreciated.

Thanks,

Jeff

LutzR
Active Contributor
0 Kudos

Hi Jeff, it is unclear if you understood the dependency between

  • the snc/identity/as parameter
  • the subject of a server's own certificate in SNC SAPCryptolib PSE (STRUST)
  • entries in SNC0
  • the AD account's SPN attribute

FQDN is just completely irrelevant for SNC.

One example how I would do configuration:

First system: ABC (calling)

Second System: XYZ (called)

(The example is based on CommonCryptolib or Secure Login Library with Secure Login Client or SNC Client Encryption)

Configuration of System ABC:

  • snc/identity/as = p:CN=systemABCcn
  • SNC SAPCryptolib PSE Subject = CN=systemABCcn
  • AD account's SPN=SAP/systemABCcn


Configuration of system XYZ

  • snc/identity/as= p:CN=systemXYZcn
  • SNC SAP Cryptolib PSE Subject: CN=systemXYZcn
  • AD account's SPN=SAP/systemXYZcn
  • SNC0: include an entry
    • System ID = ABC
    • SNC name = p:CN=systemABCcn


To enable trust you have to export both certificates and import each into the other system's SNC SAPCryptolib PSE's Certificate list. You obviously did this.

Instead you could get both certificates signed by a CA and only import your CA's root certificate into the certificate list.

We only have one SNC SAPCryptolib PSE per system even if we have many application servers. I don't think you will get it work with one PSE per application server but I never tried. I am not sure if you tried this.

Since you seem to already have GUI-SNC (SAP SSO/SNC Client Encryption with Kerberos?) up and running you will have to start with your existing snc/identity/as and derive your certificate's subject from them. There are some implicit rules which SPN will match which snc/identity/as and subject. You might have to adjust your snc/identity/as parameters. You will find documentation on this here:

Supporting Authentication with Kerberos and X.509 on SAP NetWeaver AS ABAP - What Is Secure Login? -...

If you are not using SAP SSO or SNC Client Encryption this will get more interesting (and I will be out).

Regards,

Lutz
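
The naming dependencies Lutz lists above (snc/identity/as, PSE subject, SPN, SNC0 entries, mutual certificate trust) can be checked mechanically. The script below is an added example written for this thread; it is not SAP code and not from any of the posters. It models the two systems of Lutz's example as plain Python objects (the system names are his, the CA name, FQDN-based partner name and every other value are constructed) and simulates an SM59 connection test by applying the rules the thread states: the partner name entered in SM59 must equal the called system's snc/identity/as, the PSE subject is the DN part of snc/identity/as, the SPN is SAP/<CN>, the called system's SNC0 must list the caller, and each side must trust the other's certificate directly or via a CA root. The only error text taken from the thread is the "Actual server name differs from requested one" message that Jeff reported; the other messages are constructed for illustration.

```python
"""Consistency checker for the SNC naming dependencies described in the thread.

Added example (not SAP code, not from the thread's authors). The rules applied
are the ones stated in the thread; the data is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SncSystem:
    sid: str
    identity_as: str                  # profile parameter snc/identity/as, e.g. "p:CN=systemABCcn"
    pse_subject: str                  # subject of the own cert in the SNC SAPCryptolib PSE
    spn: str                          # servicePrincipalName on the AD service account
    issuer: str = ""                  # issuer of the own cert ("" = self-signed)
    cert_list: set = field(default_factory=set)   # subjects trusted in the PSE certificate list
    snc0: dict = field(default_factory=dict)      # SNC0 entries: System ID -> SNC name


def dn_of(snc_name: str) -> str:
    """Strip the 'p:' prefix that marks a printable SNC name and return the X.500 DN."""
    if not snc_name.startswith("p:"):
        raise ValueError(f"not a printable SNC name: {snc_name!r}")
    return snc_name[2:]


def cn_of(dn: str) -> str:
    """Return the CN attribute of a comma-separated DN such as 'CN=host, O=org'."""
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if rdn.upper().startswith("CN="):
            return rdn[3:]
    raise ValueError(f"no CN in DN: {dn!r}")


def check_system(system: SncSystem) -> list:
    """Local rules on one system: PSE subject and SPN must derive from snc/identity/as."""
    problems = []
    dn = dn_of(system.identity_as)
    if dn != system.pse_subject:
        problems.append(f"{system.sid}: PSE subject {system.pse_subject!r} != DN of snc/identity/as {dn!r}")
    expected_spn = f"SAP/{cn_of(dn)}"
    if system.spn != expected_spn:
        problems.append(f"{system.sid}: SPN {system.spn!r} != {expected_spn!r}")
    return problems


def trusts(trusting: SncSystem, other: SncSystem) -> bool:
    """True if 'trusting' holds the other's own cert, or its CA root, in its certificate list."""
    return other.pse_subject in trusting.cert_list or (
        other.issuer != "" and other.issuer in trusting.cert_list)


def simulate_connection_test(caller: SncSystem, callee: SncSystem, partner_name: str) -> str:
    """Simulate the SM59 connection test of an SNC-enabled RFC destination.

    Returns "OK" or a message naming the first rule that fails (constructed
    messages, except the server-name text which is the one from the thread).
    """
    if not (trusts(caller, callee) and trusts(callee, caller)):
        return "partner certificate not trusted: exchange certificates or import the CA root"
    if partner_name != callee.identity_as:
        return "A2200202:Actual server name differs from requested one"
    if caller.identity_as not in callee.snc0.values():
        return f"{caller.sid} has no SNC0 entry on {callee.sid}"
    return "OK"


def make_example():
    """Constructed pair ABC (calling) -> XYZ (called), configured as in Lutz's example."""
    abc = SncSystem("ABC", "p:CN=systemABCcn", "CN=systemABCcn", "SAP/systemABCcn")
    xyz = SncSystem("XYZ", "p:CN=systemXYZcn", "CN=systemXYZcn", "SAP/systemXYZcn",
                    snc0={"ABC": "p:CN=systemABCcn"})
    abc.cert_list.add(xyz.pse_subject)   # XYZ's cert exported from STRUST, imported on ABC
    xyz.cert_list.add(abc.pse_subject)   # and vice versa
    return abc, xyz


if __name__ == "__main__":
    abc, xyz = make_example()
    # A partner name built from the SSL server PSE's FQDN-based DN, as in the question
    # (constructed values): fails the name check even though trust is in place.
    wrong = "p:CN=xyz.example.com, OU=0000000000, O=Example, L=City, SP=ST, C=US"
    print(simulate_connection_test(abc, xyz, wrong))
    # The called system's snc/identity/as as partner name: passes.
    print(simulate_connection_test(abc, xyz, xyz.identity_as))
```

Running the script reproduces the thread's outcome: with an FQDN-based partner name the simulated test reports the server-name mismatch, and with the called system's snc/identity/as it passes. The `issuer` field covers Lutz's alternative of importing only the CA root certificate into each certificate list instead of exchanging the two server certificates.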

jeff_lashock
Explorer
0 Kudos

Hello Lutz,

I didn't get an opportunity to look at your response immediately but, when I did, it helped a great deal!  For some reason, it never clicked for me that snc/identity/as is the name that the system presented itself as until I read through and tried to understand your example.

I've deleted all of my incorrectly defined entries in SNC0 and added entries based on each system's setting for snc/identity/as.  I then went to SM59 in our sandbox and changed the SNC partner name to the value of snc/identity/as for the system that the RFC was talking to and the connection and authorization tests started working! 

Now I have the tedious task of changing all of the RFCs to add the appropriate value for SNC partner and activate SNC, but that would have been true no matter how long it took to get this resolved.

The other thing I need to figure out is how to enable SNC for communication with non-SAP systems, though, I'll admit that I haven't really tried to find that on my own, yet.  (Would you happen to have any recommendations for that?  I could create a new message so you can get extra points if you want. )

Thanks!

Jeff

LutzR
Active Contributor
0 Kudos

Hi Jeff, thanks for your feedback and your points. I have no experience with non SAP yet. But it is always quite similar in principle. You will need to give each communication partner a name (identity), create an SNC PSE with a key pair and export/import public keys. But you will have no STRUST and will need to do this using sapgenpse command line. Including the pse environment into the non sap solution will be very specific to each vendors' concepts.

But there are other people who are experienced. You should also check discussions here and there.

I would very much recommend to open a new thread when it comes to discussing details.

Regards,

Lutz
