Set up data encryption between RFC Client and Web AS ABAP with SNC

Secure Network Connection (SNC) is the SAP technology for network and transport layer security. In this blog I provide a how-to guide to enabling data encryption for RFC connections to ABAP back ends.

How to avoid problems

* Install only the SAP Cryptographic Library. The SAP Cryptographic Library and libsapsecure do not work in parallel.
* You have to set up SNC completely before you activate it with the parameter snc/enable = 1.

Preparation

Follow these steps from the SAP documentation to install the SAP Cryptographic Library:

1. Download the SAP Cryptographic Library from http://service.sap.com/download -> Download -> SAP Cryptographic Software.
2. Install the SAP Cryptographic Library on the SAP Web AS.
3. Don't forget to set the environment variable SECUDIR for the user that runs the SAP ABAP stack.
4. Now you can also set the profile parameters for using SSL, or use my blog "Setup HTTPS (SSL) for the Sneak Preview SAP NetWeaver 04 ABAP Edition on Windows" to do that.

Setup SNC on the ABAP Server

First we set the instance parameter "snc/identity/as" to the distinguished name the server should get. I use "CN=IDS, OU=IT, O=CSW, C=DE". Don't forget to add "p:" in front of the DN:

snc/identity/as   p:CN=IDS, OU=IT, O=CSW, C=DE

Create "SNC (SAPCryptolib)" PSE

After a restart of your server you can now create the SNC PSE. Start transaction STRUST or STRUSTSSO2 and right click on "SNC (SAPCryptolib)" choosing Create:

You just have to accept the SNC ID which is taken from the instance parameter "snc/identity/as":

Please follow the next hint and add a password for the "SNC (SAPCryptolib)" PSE:

To do this double click "SNC (SAPCryptolib)" and choose "Assign Password":

Type in a password which can contain letters and numbers:

Without the password the server would not start when you have set the parameter "snc/enable" to 1! Save the settings.

Set additional parameters

With the "SNC (SAPCryptolib)" PSE created we can now set these instance parameters:

snc/enable 1
snc/accept_insecure_rfc 1
snc/accept_insecure_gui 1
snc/accept_insecure_cpic 1
snc/permit_insecure_start 1
snc/data_protection/min 1
snc/extid_login_diag 1
snc/extid_login_rfc 1

I have chosen values that still allow you to connect to the system without encryption. Once that is done, you have to restart the application server again.
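
The values above are deliberately permissive. As an added example (not part of the original blog), the following shell script audits an instance profile for the SNC parameters discussed here and reports which ones still allow unprotected connections. The hardened target values (insecure access off, snc/data_protection/min = 3 for privacy) are my assumption of the intended end state; the sample profile is constructed from the values above, and the snc/extid_login_* parameters are left alone because the X.509 login set up later depends on them.

```shell
# Added example, not part of the original blog: audit the SNC parameters of
# an instance profile and list those that still permit unprotected access.
# Parameter names are the ones from the blog; the target values are the
# hardened end state. Handles "name value" and "name = value" layouts.

# Print the value of parameter $2 from profile $1 (empty if it is not set).
snc_param() {
    awk -v p="$2" '$1 == p { sub(/^[^ \t]+[ \t]*=?[ \t]*/, ""); print; exit }' "$1"
}

# Report every audited parameter that is not at its hardened value.
# Returns 0 when the profile is fully hardened, 1 otherwise.
snc_audit() {
    rc=0
    for entry in \
        "snc/enable=1" \
        "snc/accept_insecure_rfc=0" \
        "snc/accept_insecure_gui=0" \
        "snc/accept_insecure_cpic=0" \
        "snc/permit_insecure_start=0" \
        "snc/data_protection/min=3"     # 3 = privacy (encryption) required
    do
        name=${entry%%=*}
        want=${entry#*=}
        have=$(snc_param "$1" "$name")
        if [ "$have" != "$want" ]; then
            echo "$name: is '${have:-unset}', hardened value is '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the parameter values chosen in the blog, in profile layout.
write_blog_profile() {
    cat > "$1" <<'EOF'
snc/enable 1
snc/accept_insecure_rfc 1
snc/accept_insecure_gui 1
snc/accept_insecure_cpic 1
snc/permit_insecure_start 1
snc/data_protection/min 1
snc/extid_login_diag 1
snc/extid_login_rfc 1
EOF
}

# Stand-alone run: the blog's values leave insecure access open, so the gaps are printed.
tmp=$(mktemp)
write_blog_profile "$tmp"
snc_audit "$tmp" || echo "profile still permits unprotected connections"
rm -f "$tmp"
```

The hardened minimum of 3 matches the jco.client.snc_qop=3 used by the test client later in this blog; once every client connects with SNC, the accept_insecure_* values can be switched off.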

Create PSE for RFC Client

I've decided to use a separate PSE for my RFC Client as described in Scenario 2: Using Individual PSEs for Components. To create this PSE I follow the instructions given in Creating an SNC PSE for the SAP J2EE Engine. The steps described show an example setup done on my Linux box. To test the connection I use the demo programs coming with SAP Java Connector available at http://service.sap.com/connectors. I've extracted the connector in /usr/sap/jco.

Create sec directory for RFC Client PSE

To store the RFC Client PSE I create a subdirectory sec in "/usr/sap/jco/demo":

zappod:~# cd /usr/sap/jco/demo/
zappod:/usr/sap/jco/demo# mkdir sec

Now switch to this directory and create the PSE:

zappod:~# cd sec

Create PSE

To run sapgenpse, the directory containing the SAP Cryptographic Library (libsapcrypto.so on Linux) must be included in the environment variable LD_LIBRARY_PATH:

export LD_LIBRARY_PATH=/usr/sap/jco/:/usr/sap/IDS/SYS/exe/run/

The directory "/usr/sap/jco/demo/sec" just created also has to be set as SECUDIR:

export SECUDIR=/usr/sap/jco/demo/sec

Before you can create the PSE you also have to copy the ticket license file into it:

cp /usr/sap/IDS/DVEBMGS00/sec/ticket .

Now we are ready to create the PSE:

zappod:/usr/sap/jco/demo/sec# /sapmnt/IDS/exe/sapgenpse gen_pse -v -p RFC.pse
Got absolute PSE path "/usr/sap/IDS/DVEBMGS00/sec/RFC.pse".
Please enter PIN: ********
Please reenter PIN: ********
get_pse: Distinguished name of PSE owner: CN=RFC, OU=IT, O=CSW, C=DE
Supplied distinguished name: "CN=RFC, OU=IT, O=CSW, C=DE"
Generating key (RSA, 1024-bits) ... succeeded.
certificate creation... ok
PSE update... ok
PKRoot... ok
Generating certificate request... ok.
PKCS#10 certificate request for "/usr/sap/jco/demo/sec/RFC.pse":

Export Client Certificate

We have to export the client certificate of the PSE just created:

# /sapmnt/IDS/exe/sapgenpse export_own_cert -v -p RFC.pse -o RFC.crt
Opening PSE "/usr/sap/jco/demo/sec/RFC.pse"...
No SSO credentials found for this PSE.
Please enter PIN: ********
PSE open ok.
Retrieving my certificate... ok.
writing to file ...... ok

Import Client Certificate to Server PSE

You can import the client certificate via transaction STRUST. First open the node SNC (SAPCryptolib) again. You have to provide the password set before:

Click on "Import certificate"

Set the file format to Base64 and choose the file:

Finally click "Add to Certificate List"

Export Server Certificate

Now we have to export the server certificate. While still in the STRUST node SNC (SAPCryptolib), double click on your own certificate so that it is displayed in the Certificate field. Click on Export certificate:

Choose Base64 for the file format here as well and provide a name for the file:

Import Server Certificate to Client PSE

That is done again on the command line:

# /sapmnt/IDS/exe/sapgenpse maintain_pk -v -a SNC.crt -p RFC.pse
Opening PSE "/usr/sap/jco/demo/sec/RFC.pse"...
No SSO credentials found for this PSE.
Please enter PIN: ********
PSE open ok.
Adding new certificate from file "SNC.crt"
----------------------------------------------------------------------------
Subject : CN=IDS, OU=IT, O=CSW, C=DE
Issuer : CN=IDS, OU=IT, O=CSW, C=DE
Serialno: 00
KeyInfo : RSA, 2048-bit
Validity - NotBefore: Wed Sep 27 21:37:32 2006 (060927193732Z)
NotAfter: Fri Jan 1 01:00:01 2038 (380101000001Z)
----------

PKList updated (1 entries total, 1 newly added)

Create cred_v2 file

Now that the RFC client PSE is set up, we have to create a file called cred_v2, which gives the RFC program access to the PSE without having to supply the PSE password. On the command line run:

# /usr/sap/IDS/SYS/exe/run/sapgenpse seclogin -p RFC.pse -O root
running seclogin with USER="root"
creating credentials for yourself (USER="root")...
Please enter PIN: ********
Added SSO-credentials for PSE "/usr/sap/jco/demo/sec/RFC.pse"
"CN=RFC, OU=IT, O=CSW, C=DE"

Allow SNC RFC Connection

On the ABAP server side we now have to maintain the view VSNCSYSACL, which restricts SNC RFC connections with an access control list (ACL). Start transaction SM30, enter VSNCSYSACL and click Maintain. Accept the "The table is cross-client" information:

Choose "E" for the Type of ACL entry:

Enter System ID and SNC name. Don't forget the "p:" in front of the DN! Check the boxes according to this screenshot:

Don't forget to save this entry.

Map X.509 Certificate to User

To accept an X.509 certificate for login you have to maintain the view VUSREXTID. Via this view you can set up a mapping between the distinguished name provided by an X.509 certificate and an ABAP user. Start transaction SM30, enter VUSREXTID and click Maintain. Choose DN for the External ID type:

Create a new entry and don't forget to activate it:

Test connection

Now we have everything in place to test the connection! To log in with the X.509 certificate you have to concatenate the previously exported certificate into one line without "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". All login information is maintained in the "vericlient.properties" file in the directory "/usr/sap/jco/demo". I've used these values:

jco.client.client=800
jco.client.x509cert=Base64 Encoded Certificate in one line
jco.client.ashost=zappod.csw.local
jco.client.sysnr=00
jco.client.snc_mode=1
jco.client.snc_partnername=p:CN=IDS, OU=IT, O=CSW, C=DE
jco.client.snc_qop=3
jco.client.snc_myname=p:CN=RFC, OU=IT, O=CSW, C=DE
jco.client.snc_lib=/usr/sap/IDS/SYS/exe/run/libsapcrypto.so

Compile the class VeriClient:

javac VeriClient.java

And run it, providing the properties file as a parameter:

java VeriClient vericlient.properties

Somewhere in the result you should also see:

------------------------------------------------------------------------------
Test ------------------------------------------------------ Status ----------
------------------------------------------------------------------------------
JCO.createClient()..........................................ok
client.connect()............................................ok
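
Preparing the jco.client.x509cert value by hand is error-prone (stray line breaks or the BEGIN/END markers make the login fail). As an added example, not part of the original blog, this shell script turns the Base64 certificate file exported above into the single-line form JCo expects and writes it into the properties file. The file names are the blog's; the certificate body in the stand-alone run is constructed and not a real certificate.

```shell
# Added example, not part of the original blog: build the single-line value
# that jco.client.x509cert expects from the Base64 certificate exported
# above, and write it into vericlient.properties. File names are the blog's;
# the certificate body used in the stand-alone run below is constructed.

# Print the Base64 body of the first certificate in a PEM file on one line,
# without the BEGIN/END markers and without CR/LF line breaks.
pem_to_line() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" \
        | grep -v -- '-----' \
        | tr -d '\r\n'
}

# Return 0 only if $1 looks like a single line of Base64 (what JCo accepts).
is_base64_line() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Replace (or add) the jco.client.x509cert line in properties file $1 with $2.
set_x509_property() {
    grep -v '^jco.client.x509cert=' "$1" > "$1.tmp" || true
    printf 'jco.client.x509cert=%s\n' "$2" >> "$1.tmp"
    mv "$1.tmp" "$1"
}

# Stand-alone run with a constructed certificate file (not a real certificate).
RFC_CRT=$(mktemp)
cat > "$RFC_CRT" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBconstructedSampleCertificateLine1AAAA
MIIBconstructedSampleCertificateLine2BBBB
MIIBconstructedSampleCertificateLine3CC==
-----END CERTIFICATE-----
EOF
PROPS=$(mktemp)
cat > "$PROPS" <<'EOF'
jco.client.client=800
jco.client.x509cert=Base64 Encoded Certificate in one line
jco.client.snc_mode=1
EOF
cert=$(pem_to_line "$RFC_CRT")
is_base64_line "$cert" && set_x509_property "$PROPS" "$cert"
cat "$PROPS"
rm -f "$RFC_CRT" "$PROPS"
```

The certificate's subject DN must be the one mapped in VUSREXTID, otherwise the server accepts the SNC connection but rejects the login.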

Outlook

With SNC enabled we can use the RFC-enabled function module SUSR_CHECK_LOGON_DATA to authenticate with an external ID. If the authentication is successful it returns a valid SSO2 ticket. But that is the topic of another blog.

This content is reposted from the SAP Developer Network.
Copyright 2006, SAP Developer Network

Author: Gregor Wolf (SAP Developer Network Weblog).

This was first published in October 2006
