$(function () { pageContext.i18n.modTalk = 'moderation talk'; pageContext.i18n.replyToComment = 'Reply'; pageContext.i18n.modTalkEmpty = 'moderation talk is empty'; pageContext.url.getModTalk = "/comments/%25ID%25/listModTalk.json"; pageContext.url.possibleCommentRecipients = "/comments/%ID%/possibleRecipients.json"; pageContext.url.commentEdit = '/comments/%25ID%25/edit.html'; pageContext.url.commentView = '/comments/%ID%/view.html'; pageContext.i18n.commentVisibility = { 'full': 'Viewable by all users', 'op': 'Viewable by the original poster', 'mod': 'Viewable by moderators', 'opAndMod': 'Viewable by moderators and the original poster', 'other': 'Advanced visibility', 'dialogTitle': 'Comment visibility', 'selectGroups': 'Visible to groups', 'selectOther': 'Other recipients', 'selectOriginalPoster': 'Original poster', 'selectModerators': 'Moderators', 'selectAssignees': 'Asked to answer users' }; pageContext.i18n.commentMenuLabels = { 'comment-edit': 'comments.menu.edit', 'comment-delete': 'comments.menu.delete', 'comment-convert': 'comments.menu.convert' };pageContext.i18n.answer= { bestAnswer: 'Best Answer', controlBar : { accept: 'Accept', unaccept: 'Unaccept', acceptCommand: 'Accept this answer as correct', cancelAcceptedCommand: 'Remove this answers accepted status' } }; window.croles = { u: false, op: false, m: false, og: false, as: false, ag: false, dc: false, doc: false, eo: false, ea: false }; tools.init({ q: { e: false, ew: false, eo: false, r: false, ro: false, d: false, dow: false, fv: false, c: false, co: false, p: false, tm: false , ms: false, mos: false }, n: { f: false, vf: false, vfo: false, vr: false, vro: false, c: false, co: false, vu: false, vd: false, w: false, wo: false, l: false }, c: { e: false, eo: false, d: false, dow: false, ta: false, tao: false, l: false }, a: { e: false, ew: false, eo: false, d: false, dow: false, a: false, aoq: false, ao: false, tc: false, tco: false, p: false, tm: false }, pc: croles }, { tc: true, nsc: true }); commandUtils.initializeLabels(); }); Skip to Content
avatar image
Former Member

How to enable SNC in SAP Netweaver AS ABAP?

How to enable SNC in SAP Netweaver AS ABAP? We are facing issue, after setting "snc/enable = 1" for instance profile. However, post setting this value, we are not able to start Netweaver server, as it is showing SNC Intialization error.

Please help in addressing the issue.

Add comment
10|10000 characters needed characters exceeded

  • Former Member

    I am able to enable SNC, however, while integration SAP Netweaver with IBM Identity Manager, I am getting below error in IBM TDI Logs:

    2016-10-25 22:35:16,896 ERROR [log4j.logger.com.ibm.di.admin] - CTGDIK220E Communication error with SAP R/3. The message is: 'Initialization of repository destination SAP_001_sapuser1_192.168.87.155_00_EN_null failed: CPIC-CALL: CMRCV on convId: 62243160

    LOCATION CPIC (TCP/IP) with Unicode

    ERROR GSS-API(maj): Miscellaneous failure GSS-API(min): A2210210:Verification of own certificate by server faile target="p:CN=SNC, OU=DTAG, O=DTAG, C=IN"

    TIME Tue Oct 25 22:35:16 2016

    RELEASE 721

    COMPONENT SNC (Secure Network Communication)

    VERSION 6

    RC -4

    MODULE sncxxall_mt.c

    LINE 3604

    DETAIL SncPEstablishContext

    SYSTEM CALL gss_init_sec_context

    COUNTER 4

    Please help...

  • Get RSS Feed

2 Answers

  • Oct 25, 2016 at 04:08 PM

    Hi Tinu,

    There's quite a bit more required than just enabling this profile parameter. The reason your system won't start afterwards is that you have to have a working Kerberos keytab setup first, and for that you also need some configuration in a Kerberos Domain Controller (KDC). For most of us working in Microsoft Active Directory domains, the AD domain controllers are the KDC.

    The steps are outlined quite clearly in the PDF guide attached to Note 2185235: https://launchpad.support.sap.com/#/notes/0002185235.

    Yuksel Akcinar also wrote a blog about this at https://blogs.sap.com/2016/01/28/is-your-sap-gui-connection-encrypted-can-someone-eavesdrop-your-data/.

    Here are my notes from setting this up in my environment:

    • Create or modify a service account in AD (it's ok to use your SAP system's service account, e.g. "SAPServiceSID", although some might argue you should keep this separate). The account needs to support Kerberos AES 128/256 bit encryption, and you need to set an SPN (Service Principal Name) = "SAP/SAPServiceSID". Double check, using ADSI Edit, that the SamAccountName and the UPN exactly match the SPN, case-sensitive (except for the "SAP/" prefix). Any mismatches in case will cause a failure.
    • Create an environment variable on your server: SECUDIR = "E:\usr\sap\SID\DVEBMGS00\sec" (substitute correct drive and path for your server).
    • In a DOS prompt (for a Windows server), create your keytab: "sapgenpse keytab -p SAPSNCSKERB.pse -x -X -a SAPServiceSID@DOMAIN.COM" (obviously substitute your Active Directory domain here; also, it's important to capitalize the domain just like I did in the example).
    • In the same DOS prompt: "sapgenpse seclogin -p SAPSNCSKERB.pse -x <PSE password> -O SAPServiceSID"
    • Setup the profile parameters as defined in the guide, including "snc/enable = 1". An important one to get right, case-sensitive is "snc/identity_as = p:CN=SAPServiceSID@DOMAIN.COM"
    • Restart the instance. If it still doesn't start, you'll find clues in the work process traces. Almost certainly it's a problem with the keytab, however, and the problems usually stem from incorrect passwords or case mismatches.
    • If you've got the server correctly restarting, the next step is to configure the clients:
    • Install SNC Client Encryption on the SAPGUI clients (distribute with a SAPGUI Installation Server).
    • In saplogon, configure the connection entry:
    • Activate Secure Network Communication
    • SNC Name = p:CN=SAP/SAPServiceSID@DOMAIN.COM
    • Use maximum security settings available
    • Check "SNC logon with user/password (no Single Sign-On)" (because SSO requires a different product with additional licensing)
    • Connect! If you're able to connect and see the lock icon in the lower right corner of SAPGUI, then it's all working.

    Cheer,
    Matt

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 26, 2016 at 05:48 AM

    Hi Matt,

    Thanks for reply. However, I am doing this integration with IBM Identity Manager. I am able to enable SNC. However, communication is resulting in error at ISIM end.

    It is updated in the post.

    Please help, if you have any idea about this.

    Thank you

    Tinu

    Add comment
    10|10000 characters needed characters exceeded