SNC using JCO API

Former Member

I am trying to connect to a SAP Server (having SNC enabled) using JCO API. I am using a simple java program. I mentioned the following parameters

jco.client.snc_mode=1

jco.client.snc_partnername=p:CN=IDS, OU=IT, O=CSW, C=DE

jco.client.snc_qop=1

jco.client.snc_myname=p:CN=RFC, OU=IT, O=CSW, C=DE

jco.client.snc_lib=C:/usr/sap/UC6/SYS/exe/uc/NTAMD64/sapcrypto.dll

I have placed the sapcrypto.dll in the Path. I have generated the Client PSE and Cred_V2 files too. I have placed them in the Path too.

I am using the "$X509CERT$" as user and sending the x509 certificate information as password.

But I get the following error

(103) RFC_ERROR_LOGON_FAILURE: SNC required for this connection

When I look at the error files dev_w0 (in the work folder) I see the following error

      • ERROR => iSignSncServerLogin: insecure transmission of X.509 client certificate (SNC required) [sign.c 8638]

Any help is greatly appreciated as this is a major blocker for our release


WolfgangJanzen
Product and Topic Expert

1. obviously, the JCO connection (using RFC) is not SNC-protected; otherwise you'd not receive that error information

2. I'm not sure whether you are using the right approach: forwarding an X.509 client certificate via SNC-protected RFC connection is only intended to work for a small number of trusted middleware components (such as the ITS Agate or a NWAS Java). It is assumed that this middleware component (or a component in front of it, such as a webserver in front of the ITS) is performing a proper SSL handshake in order to validate the X.509 client certificate.

3. Instead of jco.client.user = "$X509CERT$" and jco.client.passwd = ... you should use jco.client.x509cert = ...

Java-based applets running on a user's PC should act as SSL client and submit their https requests directly to the NWAS ABAP (which is the SSL server in that case). It does not make sense to use JCO and SNC to forward externally validated X.509 client certificates - not just because it's much more complex (and increasing the TCO) but also because it's not intended to be used in that way (it simply does not scale).

Regards, Wolfgang

PS: the error is most likely caused because of the missing SNCSYSACL entry (see trace, using note 495911)

Edited by: Wolfgang Janzen on Jan 22, 2008 10:25 AM