
Is the SAP-User driver SNC-capable?

While working on a SAP-UM configuration I stumbled upon this disabled set of
driver parameters in the latest NetIQ preconfig:

<!--group>
<definition display-name="SAP SNC mode" id="115" name="nsap-snc-mode"
type="enum">
<description>Select if secure network communications (SNC) should be used.
</description>
<enum-choice display-name="Enable">1</enum-choice>
<enum-choice display-name="Disable">0</enum-choice>
<value>0</value>
</definition>
<subordinates active-value="1">
<definition display-name="Path to library which provides SNC service"
id="135" mandatory="true" name="nsap-jco-snc-library" type="string">
<description>Set JCO_SNC_LIBRARY</description>
<value/>
</definition>
<definition display-name="SNC name" id="135" mandatory="true"
name="nsap-jco-snc-myname" type="string">
<description>Set JCO_SNC_MYNAME, the SNC name of the user sending the
RFC.</description>
<value/>
</definition>
<definition display-name="SNC partner name" id="135" mandatory="true"
name="nsap-jco-snc-partnername" type="string">
<description>Set JCO_SNC_PARTNERNAME, the SNC name of the communication
partner, e.g. p:CN=R3, O=XYZ-INC, C=EN</description>
<value/>
</definition>
<definition display-name="SNC level of security" id="135" mandatory="true"
name="nsap-jco-snc-qop" type="string">
<description>Set JCO_SNC_QOP, quality of protection level or SNC level of
security, 1 to 9</description>
<value>9</value>
</definition>
</subordinates>
</group-->

Has anyone ever made the SAP-UM shim communicate over SNC with the SAP host?
Does it apply only to direct BAPI calls or also to the TRFC server component of
the shim?

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management

On 2/6/2017 11:34 AM, Lothar Haeger wrote:
> Has anyone ever made the SAP-UM shim communicate over SNC with the SAP host?
> Does it apply only to direct BAPI calls or also to the TRFC server component of
> the shim?


I have not. I think you really need to ask Holger D for a real answer.


Geoffrey Carman wrote:

> I have not. I think you really need to ask Holger D for a real answer.


We gave it a try in our test environment today and it seems to work. Just the
setup is rather UA-ish but downloading all required components on the SAP
website was actually the hardest part.

I've also opened a SR to find out how the status of that feature is and if it
is supported for production use at customers. Will keep you updated...


On 2/7/2017 11:34 AM, Lothar Haeger wrote:
> Geoffrey Carman wrote:
>
>> I have not. I think you really need to ask Holger D for a real answer.
>
> We gave it a try in our test environment today and it seems to work. Just the
> setup is rather UA-ish but downloading all required components on the SAP
> website was actually the hardest part.
>
> I've also opened a SR to find out how the status of that feature is and if it
> is supported for production use at customers. Will keep you updated...


What kind of stuff was needed to be installed? All on the SAP side?
What is the point of SNC anyway?


Geoffrey Carman wrote:

> What kind of stuff was needed to be installed?


SAP crypto library and certificates

> All on the SAP side?


Both client and server

> What is the point of SNC anyway?


PKI-based SSO, authentication and encryption. Think of it as "Mutual SSL for
SAP"


On 2/7/2017 12:26 PM, Lothar Haeger wrote:
> Geoffrey Carman wrote:
>
>> What kind of stuff was needed to be installed?
>
> SAP crypto library and certificates
>
>> All on the SAP side?
>
> Both client and server


So RL server needs some components added? Interesting. I guess that
makes sense, sort of like needing sapjco libraries.


>> What is the point of SNC anyway?
>
> PKI-based SSO, authentication and encryption. Think of it as "Mutual SSL for
> SAP"


Ah good to know.




On 2017-02-07 18:26, Lothar Haeger wrote:
> Geoffrey Carman wrote:
>
>> What kind of stuff was needed to be installed?
> SAP crypto library and certificates
>
>> All on the SAP side?
> Both client and server
>


How did you tell the driver shim where to find its certificate/private key?

--
Norbert

Norbert Klasen wrote:

> How did you tell the driver shim where to find its certificate/private key?


IIRC, you had to generate a key pair on the client side (called a PSE in SAP
lingo) with the sapgenpse tool coming with the library and then upload it to
the SAP server, so it's known to be good for authentication. You'd also have to
import the server cert or CA on the client side. The PSE is stored somewhere
with the client libs and identified by the SNC name parameter (which looks like
an LDAP DN), I guess.

I was loosely following the procedure described at
https://blogs.sap.com/2006/09/29/setup-data-encryption-between-rfc-client-and-web-as-abap-with-snc/
when testing last year but do not recall all the details anymore.


# /opt/sap/libcrypto/sapgenpse -h

SAPGENPSE tool for creation and management of PSE-files and SSO-credentials

Usage: sapgenpse [-fips on/off] [-h] [-l <sapcryptoPath>] <command> [-h]
[sub-options] ...

-l <sapcryptoPath> Path of CommonCryptoLib (libsapcrypto.so) to be used
-h Show help text
-fips on/off Activate FIPS 140-2 mode
<command> Command to execute
<command> -h Show help text of named command

All commands that create PSEs or Credentials support the option -lps.
(These commands are gen_pse, import_p12, import_p8, keytab, seclogin)
The -lps option enables the usage of the Local Protection Storage (LPS) to
protect the sensitive information stored in PSEs and Credentials.
An LPS protected PSE or credential could only be used on the same system
where it has been created.
The LPS uses one of the following mechanisms to protect the data:
- (DP ) The Microsoft Data Protection API, on Windows only
- (TPM) Trusted Platform Module (TPM), on Linux systems with an installed TPM
- (INT) Internal protection mechanisms, on all other systems

It is strongly recommended to use LPS to protect all PSEs and Credentials.
The command lps_enable can be used to enable LPS on existing PSEs.
The command seclogin can be used to enable LPS on existing credentials.


<command> must be one of:
gen_pse create new PSE and/or PKCS#10 certification request
(same as "get_pse")
gen_verify_pse generate a verify PSE
import_own_cert import CA response to PKCS#10 certification request
seclogin create/add/delete SSO-credentials for a PSE ("cred_v2")
or change PIN/Passphrase of a PSE
get_my_name show attributes of the user certificate/keytab in a PSE
maintain_pk show/add/delete trusted keys/certs in PKList of PSE
export_own_cert export the user certificate of a PSE
import_p12 import a PKCS#12 digital ID transport file
export_p12 export a PKCS#12 digital ID transport file
pseconv convert between PSE format v2 and v4
import_p8 create new PSE from PKCS#8 private key plus certs
export_p8 export a PKCS#8 private key file
keytab manage keyTab in PSE
cryptinfo show properties of SAP CommonCryptoLib Crypto Kernel
lps_import import a PSE (add LPS protection)
lps_export export a PSE (remove LPS protection)
lps_enable enables LPS protection of a PSE (in-place)
lps_disable disables LPS protection of a PSE (in-place)
lps_show show LPS protection state of a PSE
show show file content and other information
tlsinfo show TLS cipersuites for a given alias string
sncinfo show SNC cipersuites for a given alias string
hsminfo check HSM access
get_crl get revocation list

passing "-h" after a <command> will show further help information



On 2018-09-25 19:56, Lothar Haeger wrote:
> Norbert Klasen wrote:
>
>> How did you tell the driver shim where to find its certificate/private key?
> IIRC, you had to generate a key pair on the client side (called a PSE in SAP
> lingo) with the sapgenpse tool coming with the library and then upload it to
> SAP the server, so it's known to be good for authentication. You'd also have to
> import the server cert or CA on the client side. The PSE is stored somewhere
> with the client libs and identified by the SNC name parameter (which looks like
> an LDAP DN), I guess.
>
> I was loosely following the procedure described at
> https://blogs.sap.com/2006/09/29/setup-data-encryption-between-rfc-client-and-web-as-abap-with-snc/
> when testing last year but do not recall all the details anymore.


In the meantime, I found this SAP Note: 2642538 - How to enable SNC
from external java program to ABAP using standalone JCo3

So yes, you need to put the output of sapgenpse on the host where the
remote loader is running. There is an environment variable (SECUDIR)
that points to the .pse and cred_v2 files.

--
Norbert
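The thread leaves two things for whoever sets this up next: the driver parameters quoted in the opening post (nsap-snc-mode, nsap-jco-snc-library, nsap-jco-snc-myname, nsap-jco-snc-partnername, nsap-jco-snc-qop) have to be filled in correctly, and the SECUDIR on the Remote Loader host has to hold the PSE and the cred_v2 file that sapgenpse seclogin produces. The following pre-flight check is an added example written for this thread; it is not code from NetIQ, SAP or any poster. It validates those parameter values for the mistakes that typically make an SNC handshake fail or silently weaken it (SNC left disabled, a non-existent library path, SNC names without the "p:" X.509 prefix, a QOP below 3 which gives no encryption), checks that SECUDIR contains a .pse and cred_v2 with owner-only permissions, and maps the driver parameters onto the jco.client.snc_* destination properties. The jco.client.* key names are the JCo3 DestinationDataProvider property names as I know them, not something the thread states, and the QOP meanings (1 = authentication, 2 = integrity, 3 = privacy, 8 = default, 9 = maximum) are from SAP's SNC documentation as I recall it; the library, PSE and cred_v2 files in demo() are constructed placeholders.

```python
"""Pre-flight check for an SNC-enabled JCo client (added example, not project code)."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Driver parameter name -> JCo3 destination property.
# Assumption: standard JCo3 DestinationDataProvider key names.
PARAM_TO_JCO = {
    "nsap-snc-mode": "jco.client.snc_mode",
    "nsap-jco-snc-library": "jco.client.snc_lib",
    "nsap-jco-snc-myname": "jco.client.snc_myname",
    "nsap-jco-snc-partnername": "jco.client.snc_partnername",
    "nsap-jco-snc-qop": "jco.client.snc_qop",
}

# An SNC name carries a name-type prefix; "p:" introduces an X.509 DN
# (the thread's example is p:CN=R3, O=XYZ-INC, C=EN).
SNC_NAME_RE = re.compile(r"^p:[A-Za-z]+=.+")


def check_snc_params(params: dict) -> list:
    """Return a list of findings; an empty list means the values look sane."""
    findings = []
    if params.get("nsap-snc-mode") != "1":
        findings.append("nsap-snc-mode is not 1: SNC is off and RFC traffic is plaintext")
        return findings  # the remaining parameters are ignored by JCo in that case
    lib = params.get("nsap-jco-snc-library", "")
    if not lib or not os.path.isfile(lib):
        findings.append(f"nsap-jco-snc-library does not point to an existing file: {lib!r}")
    for key in ("nsap-jco-snc-myname", "nsap-jco-snc-partnername"):
        if not SNC_NAME_RE.match(params.get(key, "")):
            findings.append(f"{key} must be an SNC name such as p:CN=..., got {params.get(key)!r}")
    qop = params.get("nsap-jco-snc-qop", "")
    if not (qop.isdigit() and 1 <= int(qop) <= 9):
        findings.append(f"nsap-jco-snc-qop must be 1..9, got {qop!r}")
    elif int(qop) < 3:
        # 1 = authentication only, 2 = integrity only; 3, 8 (default) or 9 (max) encrypt
        findings.append(f"nsap-jco-snc-qop={qop} authenticates but does not encrypt; use 3, 8 or 9")
    return findings


def check_secudir(secudir: str) -> list:
    """Check the directory SECUDIR points to for the PSE, cred_v2 and safe file modes."""
    findings = []
    d = Path(secudir)
    if not d.is_dir():
        return [f"SECUDIR {secudir!r} is not a directory"]
    pses = list(d.glob("*.pse"))
    if not pses:
        findings.append("no .pse file in SECUDIR (sapgenpse gen_pse output missing)")
    cred = d / "cred_v2"
    if not cred.is_file():
        findings.append("cred_v2 missing: run sapgenpse seclogin so the shim can open the PSE without a PIN")
    for f in pses + ([cred] if cred.is_file() else []):
        mode = stat.S_IMODE(f.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{f.name} is accessible to group/others (mode {oct(mode)}); it holds the private key")
    return findings


def jco_properties(params: dict) -> dict:
    """Translate the driver parameter values into JCo destination properties."""
    return {PARAM_TO_JCO[k]: v for k, v in params.items() if k in PARAM_TO_JCO}


def demo() -> dict:
    """Run the checks against a constructed SECUDIR and parameter set in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "libsapcrypto.so"
        lib.write_bytes(b"")  # constructed stand-in for CommonCryptoLib
        secudir = Path(tmp) / "sec"
        secudir.mkdir()
        pse = secudir / "SNC.pse"
        pse.write_bytes(b"constructed placeholder, not a real PSE")
        pse.chmod(0o600)
        # cred_v2 is deliberately not created, so check_secudir() reports exactly that
        good = {
            "nsap-snc-mode": "1",
            "nsap-jco-snc-library": str(lib),
            "nsap-jco-snc-myname": "p:CN=IDMSHIM, O=EXAMPLE, C=DE",  # constructed
            "nsap-jco-snc-partnername": "p:CN=R3, O=XYZ-INC, C=EN",   # thread's example
            "nsap-jco-snc-qop": "9",
        }
        bad = dict(good, **{"nsap-jco-snc-qop": "1", "nsap-jco-snc-myname": "IDMSHIM"})
        return {
            "good_params": check_snc_params(good),
            "bad_params": check_snc_params(bad),
            "secudir": check_secudir(str(secudir)),
            "jco": jco_properties(good),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

In a real deployment you would point check_secudir() at $SECUDIR on the Remote Loader host and feed check_snc_params() the values from the driver configuration; anything it reports should be fixed before the first RFC connection is attempted, because a wrong SNC name or QOP shows up only as a generic handshake failure in the JCo trace.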