01-21-2008 12:42 PM
I am trying to connect to a SAP Server (having SNC enabled) using JCO
API. I am using a simple java program. I mentioned the following
parameters
jco.client.snc_mode=1
jco.client.snc_partnername=p:CN=IDS, OU=IT, O=CSW, C=DE
jco.client.snc_qop=1
jco.client.snc_myname=p:CN=RFC, OU=IT, O=CSW, C=DE
jco.client.snc_lib=C:/usr/sap/UC6/SYS/exe/uc/NTAMD64/sapcrypto.dll
I have placed the sapcrypto.dll in the Path. I have generated the
Client PSE and Cred_V2 files too. I have placed them in the Path too.
I am using the "$X509CERT$" as user and sending the x509 certificate
information as password.
But I get the following error
(103) RFC_ERROR_LOGON_FAILURE: SNC required for this connection
When I look at the error files dev_w0 (in the work folder) I see the
following error
ERROR => iSignSncServerLogin: insecure transmission of X.509 client
certificate (SNC required) [sign.c 8638]
Any help is greatly appreciated as this is a major blocker for our release
01-22-2008 9:23 AM
1. obviously, the JCO connection (using RFC) is not SNC-protected; otherwise you'd not receive that error information
2. I'm not sure whether you are using the right approach: forwarding an X.509 client certificate via SNC-protected RFC connection is only intended to work for a small number of trusted middleware components (such as the ITS Agate or a NWAS Java). It is assumed that this middleware component (or a component in front of it, such as a webserver in front of the ITS) is performing a proper SSL handshake in order to validate the X.509 client certificate.
3. Instead of jco.client.user = "$X509CERT$" and jco.client.passwd = ... you should use jco.client.x509cert = ...
Java-based applets running on a user's PC should act as SSL client and submit their https requests directly to the NWAS ABAP (which is the SSL server in that case). It does not make sense to use JCO and SNC to forward externally validated X.509 client certificates - not just because it's much more complex (and increasing the TCO) but also because it's not intended to be used in that way (it simply does not scale).
Regards, Wolfgang
PS: the error is most likely caused because of the missing SNCSYSACL entry (see trace, using note 495911)
Edited by: Wolfgang Janzen on Jan 22, 2008 10:25 AM
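A pre-flight check for the JCo client properties discussed in this thread, as an added example that is not part of either post and not SAP's own code. It lints the property set before it is handed to JCo: SNC switched on, the SNC settings present, the library path resolvable, and the certificate passed via jco.client.x509cert rather than as user/password. The class name SncPreflight and the sample values in main are assumptions constructed for illustration.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

/** Lint for JCo client properties (added example; SncPreflight is a hypothetical name). */
public class SncPreflight {

    static List<String> check(Properties p) {
        List<String> findings = new ArrayList<>();
        // SNC must be switched on in the properties that are actually handed to JCo.
        if (!"1".equals(p.getProperty("jco.client.snc_mode", "").trim()))
            findings.add("jco.client.snc_mode is not 1: the RFC connection will not be SNC-protected");
        // The remaining SNC settings quoted in the question must be present and non-empty.
        for (String key : new String[] {"jco.client.snc_partnername", "jco.client.snc_myname",
                                        "jco.client.snc_qop", "jco.client.snc_lib"})
            if (p.getProperty(key, "").trim().isEmpty())
                findings.add(key + " is missing or empty");
        // snc_lib names the library by path, so check that a file exists there.
        String lib = p.getProperty("jco.client.snc_lib", "").trim();
        if (!lib.isEmpty() && !new File(lib).isFile())
            findings.add("jco.client.snc_lib does not point to an existing file: " + lib);
        // Point 3 of the reply: pass the certificate in x509cert, not as user/passwd.
        if ("$X509CERT$".equals(p.getProperty("jco.client.user")))
            findings.add("jco.client.user=$X509CERT$ with the certificate in jco.client.passwd: "
                       + "use jco.client.x509cert instead");
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the settings quoted in the question.
        Properties p = new Properties();
        p.setProperty("jco.client.snc_mode", "1");
        p.setProperty("jco.client.snc_partnername", "p:CN=IDS, OU=IT, O=CSW, C=DE");
        p.setProperty("jco.client.snc_qop", "1");
        p.setProperty("jco.client.snc_myname", "p:CN=RFC, OU=IT, O=CSW, C=DE");
        p.setProperty("jco.client.snc_lib", "C:/usr/sap/UC6/SYS/exe/uc/NTAMD64/sapcrypto.dll");
        p.setProperty("jco.client.user", "$X509CERT$");
        p.setProperty("jco.client.passwd", "<certificate placeholder>"); // placeholder, not a real value
        for (String f : check(p)) System.out.println("FINDING: " + f);
    }
}
```

A clean result here only shows the client-side properties are consistent; the server-side acceptance mentioned in the PS (SNCSYSACL) still has to be checked in the trace.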