Skip to Content
author's profile photo Former Member
Former Member

Unable to activate SNC for RFC communications

Hello Experts - We are using CRM ABAP stack which is on NW 7.0 EHP2 running on Linux OS

Our requirement is to have SNC active for all RFC connections between ABAP systems.

We had activated SNC in our development (Development system SID - ABC) and Quality systems successfully (Quality system SID - XYZ) by adding following parameters in instance profile (Only 1 application server exists for each system)

snc/enable =1

snc/accept_insecure_rfc=1

snc/accept_insecure_gui=1

snc/accept_insecure_cpic=1

snc/permit_insecure_start=1

snc/data_protection/min=1

snc/extid_login_diag=1

snc/extid_login_rfc=1

snc/gssapi_lib=/usr/sap/ /SYS/exe/run/ libsapcrypto.so

snc/identity/as=p:CN=<SID>, OU=IS, O=<organization>, C=CN

sec/libsapsecu=/usr/sap/ABC/SYS/exe/run/libsapcrypto.so

ssf/ssfapi_lib=/usr/sap/ABC/SYS/exe/run/libsapcrypto.so

ssf/name=SAPSECULIB

We have also exported the SNC SAPCryptolib certificate from Dev to Quality and Quality to Dev from Tx. STRUST.

DN (Certificate Name) for system PSE and SNC SAPCryptolib PSE are different.

We also added the entries of other systems in SNC0 transaction.

However, when we are trying to activate the RFC from ABC to XYZ or XYZ to ABC - We are seeing following error when we do a connection test: (Below example when we did a connection test of RFC from ABC to XYZ)

Mon May 30 04:17:52 2016

N *** ERROR => SncPEstablishContext() failed for target='p:CN=XYZ, OU=<OU>, O=Organization, C=CN' [sncxxall.c 3585]

N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3551]

N GSS-API(maj): Miscellaneous failure

N GSS-API(min): A2210210:Verification of own certificate by server failed

N Unable to establish the security context

N target="p:CN=XYZ, OU=<OU>, O=Organization, C=CN"

N <<- SncProcessInput()==SNCERR_GSSAPI

M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 1035]

M {root-id=0050568624F01ED689BA1E55F2C91704}_{conn-id=00000000000000000000000000000000}_0

M *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c 1040]

M {root-id=0050568624F01ED689BA1E55F2C91704}_{conn-id=00000000000000000000000000000000}_0

A RFC 3730 CONVID 81518143

A * CMRC=19 DATA=1 STATUS=1 SAPRC=221 ThSAPCMRCV

A RFC> ABAP Programm: RSRFCPIN (Transaction: SM59)

A RFC> User: <user> (Client: xxx)

A RFC> Destination: <SID>CLNT800 (handle: 2, DtConId: 574BEC703E996EB2E10000000A640267, DtConCnt: 1, ConvId: 81518143,{574BEC70-3E9

9-6EB2-E100-00000A640267})

A RFC> Called function module: RFC_PING

A *** ERROR => RFC ======> CPIC-CALL: 'ThSAPCMRCV' : cmRc=19 thRc=221

Communication terminated

[abrfcio.c 9225]

A {root-id=0050568624F01ED689BA1E55F2C91704}_{conn-id=00000000000000000000000000000000}_0

A *** ERROR => RFC Error RFCIO_ERROR_SYSERROR in abrfcpic.c : 3732

CPIC-CALL: 'ThSAPCMRCV' : cmRc=19 thRc=221

Communication terminated

[abrfcio.c 9225]

A {root-id=0050568624F01ED689BA1E55F2C91704}_{conn-id=00000000000000000000000000000000}_0

A RFC 3557 CONVID 81518143

A * CMRC=19 DATA=1 STATUS=1 SAPRC=221 comread

A *** ERROR => RFC Error RFCIO_ERROR_MESSAGE in abrfcio.c : 1984

[abrfcio.c 9225]

SAP note "1867829 - List of SNC Error Codes " which speaks about the error "A2210210:Verification of own certificate by server failed" jusy says "The verification of the peer certificate failed on the server side. See the log files to find out more details about this non-typical error"

Coudl you please help us the cause for this error and the logs to check (I checked the work process logs and rfc logs but no luck)

Thanks,

Subbu

Add a comment
10|10000 characters needed characters exceeded

Related questions

3 Answers

  • author's profile photo Former Member
    Former Member
    Posted on Jun 01, 2016 at 05:06 AM

    Hello Experts - Any suggestions please

    Thanks,

    Subbu

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Sep 20, 2016 at 11:29 AM

    Hello Subbu,

    did you ever resolve your issue? If so, can you share how you fixed it?

    Thanks,

    Warren

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on May 27 at 04:09 PM

    Dear All,

    I have a similar situation as posted in question that's why i am answering this question for future reference.

    Cause :

    This issue occurs if there are credentials for multiple PSEs with the same name. In this case, SNC might use the wrong one and the SNC connection could fail if the wrong PSE has a different trust relationship.

    Solution :

    Refer SAP Note 1965519 for the same (https://launchpad.support.sap.com/#/notes/1965519).

    Thanks,

    Pritesh Kumar

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.