Former Member

SNC using JCO API

I am trying to connect to a SAP Server (having SNC enabled) using JCO API. I am using a simple java program. I mentioned the following parameters

jco.client.snc_mode=1

jco.client.snc_partnername=p:CN=IDS, OU=IT, O=CSW, C=DE

jco.client.snc_qop=1

jco.client.snc_myname=p:CN=RFC, OU=IT, O=CSW, C=DE

jco.client.snc_lib=C:/usr/sap/UC6/SYS/exe/uc/NTAMD64/sapcrypto.dll

I have placed the sapcrypto.dll in the Path. I have generated the Client PSE and Cred_V2 files too. I have placed them in the Path too.

I am using the "$X509CERT$" as user and sending the x509 certificate information as password.

But I get the following error

(103) RFC_ERROR_LOGON_FAILURE: SNC required for this connection

When I look at the error files dev_w0 (in the work folder) I see the following error

  • ERROR => iSignSncServerLogin: insecure transmission of X.509 client certificate (SNC required) [sign.c 8638]

Any help is greatly appreciated as this is a major blocker for our release


1 Answer

  • Jan 22, 2008 at 09:23 AM

    1. Obviously, the JCO connection (using RFC) is not SNC-protected; otherwise you'd not receive that error information

    2. I'm not sure whether you are using the right approach: forwarding an X.509 client certificate via SNC-protected RFC connection is only intended to work for a small number of trusted middleware components (such as the ITS Agate or a NWAS Java). It is assumed that this middleware component (or a component in front of it, such as a webserver in front of the ITS) is performing a proper SSL handshake in order to validate the X.509 client certificate.

    3. Instead of jco.client.user = "$X509CERT$" and jco.client.passwd = ... you should use jco.client.x509cert = ...

    Java-based applets running on a user's PC should act as SSL client and submit their https requests directly to the NWAS ABAP (which is the SSL server in that case). It does not make sense to use JCO and SNC to forward externally validated X.509 client certificates - not just because it's much more complex (and increasing the TCO) but also because it's not intended to be used in that way (it simply does not scale).

    Regards, Wolfgang

    PS: the error is most likely caused because of the missing SNCSYSACL entry (see trace, using note 495911)

    Edited by: Wolfgang Janzen on Jan 22, 2008 10:25 AM
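
A pre-flight check for the connection properties discussed in this thread, as an added example that is not part of the original posts and not JCo code: it flags the `$X509CERT$`-as-user logon and any X.509 logon without SNC before the properties are handed to JCo. The class and method names are hypothetical, and the certificate value is a placeholder.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Added example: property names are the ones quoted in this thread; the class,
// method names and the certificate placeholder are hypothetical.
public class SncPreflight {

    static List<String> check(Properties p) {
        List<String> findings = new ArrayList<>();
        boolean snc = "1".equals(p.getProperty("jco.client.snc_mode", "").trim());
        boolean certAsPasswd = "$X509CERT$".equals(p.getProperty("jco.client.user"));
        boolean certLogon = certAsPasswd || p.getProperty("jco.client.x509cert") != null;

        if (certAsPasswd)
            findings.add("certificate passed as jco.client.passwd; use jco.client.x509cert");
        if (certLogon && !snc)
            findings.add("X.509 logon without snc_mode=1: insecure transmission, server refuses");
        if (snc && p.getProperty("jco.client.snc_partnername", "").trim().isEmpty())
            findings.add("snc_mode=1 but jco.client.snc_partnername is empty");
        // Only checked when the library is configured through the property.
        String lib = p.getProperty("jco.client.snc_lib");
        if (snc && lib != null && !new File(lib.trim()).isFile())
            findings.add("jco.client.snc_lib does not exist on this host: " + lib);
        return findings;
    }

    static Properties props(String... kv) {
        Properties p = new Properties();
        for (int i = 0; i < kv.length; i += 2) p.setProperty("jco.client." + kv[i], kv[i + 1]);
        return p;
    }

    public static void main(String[] args) {
        // Constructed inputs: the question's logon style, then the answer's.
        Properties asked = props("snc_mode", "1", "snc_qop", "1",
                "snc_partnername", "p:CN=IDS, OU=IT, O=CSW, C=DE",
                "user", "$X509CERT$", "passwd", "<CERT_PLACEHOLDER>");
        Properties fixed = props("snc_mode", "1", "snc_qop", "1",
                "snc_partnername", "p:CN=IDS, OU=IT, O=CSW, C=DE",
                "x509cert", "<CERT_PLACEHOLDER>");
        Properties noSnc = props("x509cert", "<CERT_PLACEHOLDER>");
        System.out.println("question: " + check(asked));
        System.out.println("answer:   " + check(fixed));
        System.out.println("no SNC:   " + check(noSnc));
    }
}
```

A clean result only means the client-side properties are consistent; whether the server accepts the SNC name is decided on the server side, as the PS about SNCSYSACL points out.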
