Configuring Secure Network Communication (SNC) between SAP systems and clients using WebSphere Adapter for SAP Software V7.5

Learn how to set up SNC between SAP systems and clients using WebSphere Adapter for SAP Software V7.5. This article describes SNC configuration at the SAP server end and shows you how to exchange the keys between the SAP and client systems.

Matu Agarwal (matu.agarwal@in.ibm.com), Software Engineer, WebSphere Adapters team, IBM

Matu Agarwal is a Software Engineer on the WebSphere Adapters team at the IBM Software Lab in Bangalore, India, where he works in Development and Customer Support. He has a Bachelor of Technology degree in Computer Science and Engineering from Harcourt Butler Technological Institute in Kanpur, and has four years of IT experience working with various Java technologies including JCA. You can contact Matu at matu.agarwal@in.ibm.com.



23 May 2012


Introduction

SAP systems include the basic security measures of SAP authorization and user authentication by password. This article shows you how to use Secure Network Connection (SNC) to extend SAP system security beyond these basic measures to include the additional protection of stronger authentication methods and encryption. This article explains connectivity mechanisms provided by IBM® WebSphere® Adapter for SAP Software to establish a secure connection via SNC to SAP.

Prerequisites

  • IBM Integration Designer V7.5 (formerly called IBM WebSphere Integration Developer) or IBM Business Process Manager V7.5 Advanced Edition
  • WebSphere Adapter for SAP Software V7.5 (hereafter called WebSphere SAP Adapter)
  • Access to a SAP system with IDoc/BAPI processing configured
  • A SAP JCo Library and SAP Cryptographic Library
  • A basic understanding of IBM Integration Designer and WebSphere SAP Adapter. For more information on these products, see Resources at the bottom of the article.

Secure Network Communication (SNC)

SNC is a software layer in the SAP system architecture that provides an interface to external security products. With SNC, you can strengthen the security of your SAP system by implementing additional security functions and protections. SNC provides application-level, end-to-end security to ensure reliable, consistent, and secure connections.

SNC is used to secure Remote Function Call (RFC) connections to SAP Advanced Business Application Programming (ABAP) systems. SNC support is implemented as a layer between the SAP kernel and an external security library that implements the Generic Security Services API (GSS-API). SAP also provides the SAP Cryptographic Library, which you can download from SAP.

WebSphere SAP Adapter enables you to connect to SAP systems over a secure RFC connection protected by SNC. The next section shows you how to establish SNC to a SAP system using WebSphere Adapter for SAP Software with IBM Integration Designer V7.5 or IBM Business Process Manager V7.5 Advanced Edition.

Configuring SNC on SAP and WebSphere SAP Adapter

1. SAP Cryptographic Library

SAP Cryptographic Library is the default SAP security product performing encryption functions in SAP systems. It meets the requirements of the GSS-API V2 Interface. Download SAP Cryptographic Library (SAP authorization required). The SAP Cryptographic Library installation package contains the following files:

  • SAP Cryptographic Library (sapcrypto.dll for Microsoft® Windows®)
  • A corresponding license ticket
  • The configuration tool sapgenpse.exe

2. SNC configuration on SAP Advanced Business Application Programming (ABAP) system

When using SAP Cryptographic Library for SNC, the server and its communication partner system (where the WebSphere runtime is installed) must both be configured for SNC. A Personal Security Environment (PSE) must be configured on each side -- it is used by both components to verify and authenticate the remote component, and to store public-private key pairs and public-key certificates. For SNC, it is better for each component to have its own individual PSE, because if a single PSE is shared by all components, an attacker can fool a client system and connect to the WebSphere server instead of to the SAP server, and the client would have no way to detect the attack. In this article, individual PSEs are used by both systems.

Creating and configuring server PSE

You need to set SAP instance profile parameters to enable SNC and specify the SNC name, configure the server PSE, and activate SNC on the SAP server.

3. SNC configuration on client system

The client system in this case includes IBM Business Process Manager with the WebSphere SAP Adapter deployed on it. You need to do a one-time setup process of creating a PSE on the client and creating and exchanging cryptographic key material. This setup is required regardless of whether you are configuring the environment to support inbound or outbound communications.

3a. Setting environment variable

Here are the configuration steps needed on the client system. Set the environment variables SECUDIR and LD_LIBRARY_PATH as shown below. SECUDIR points to the directory holding the license ticket obtained in Step 1; LD_LIBRARY_PATH points to the directory holding sapcrypto.dll and sapgenpse.exe.

Setting environment variable

3b. Creating client PSE

Create a PSE using sapgenpse.exe: sapgenpse gen_pse -v -p PSE_FILE_NAME. You will be asked to set a PIN, which serves as the PSE password. Then you need to enter the distinguished name for the PSE owner. Make the following specifications: CN=myhost.mydomain, C=mycountry, S=mystate, O=mycompany, OU=mydepartment.

Creating client PSE

Configure the PSE and create a credentials file named cred_v2 for the user. It lets client applications access the key store without prompting for the PIN. This file is usable only by the operating system user it was created for:
sapgenpse seclogin -p PSE_FILE_NAME -O USERNAME

Configuring client PSE

4. Exchange certificates between SAP ABAP system and the client

The SAP ABAP system and the client need to exchange the certificates in order to trust each other and communicate securely.

4a. Client certificate exchange

Export the client certificate from PSE using the following command:
sapgenpse export_own_cert -v -p PSE_FILE_NAME -o CLIENT_CERT_NAME

Exporting client certificate

On the SAP server, open transaction STRUST, go to the configured SNC PSE (eccdev_SD1_10 in this case), and import the client certificate: choose Import Certificate, select the certificate exported in the step above, and add it to the certificate list.

Import client certificate into SAP system

4b. SAP system certificate exchange

Export the SAP certificate from the server: select the server certificate and click Export.

Export SAP certificate

Import the SAP certificate into the client PSE using the following command:
sapgenpse maintain_pk -v -a SERVER_CERT_NAME -p PSE_FILE_NAME

Import SAP certificate into client PSE
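The client-side part of the procedure (steps 3a to 4b) is a handful of environment checks followed by the four sapgenpse commands shown above, so it is worth scripting once and keeping with the rest of the WebSphere runtime setup. The script below is an added example, not code from the article or from IBM or SAP. It runs the article's commands unchanged and adds the checks a practitioner wants before running them: that SECUDIR really holds the license ticket, that the SAP Cryptographic Library is where LD_LIBRARY_PATH will point, and that the server certificate from step 4b is present before maintain_pk is attempted. Assumptions not taken from the article: the SNC_RUN, SECUDIR_DIR, LIB_DIR and *_FILE variable names; the license ticket being a file named ticket inside SECUDIR; the Linux library name libsapcrypto.so as an alternative to sapcrypto.dll; and gen_pse accepting the distinguished name as its last argument (if your sapgenpse version does not, it prompts for it and you enter it there).

```shell
#!/bin/sh
# Added example (not from the article): automates client-side steps 3a to 4b.
# Assumptions not in the article: the variable names below, the license ticket
# being SECUDIR/ticket, the libsapcrypto.so name, and gen_pse taking the DN as
# its last argument. On Windows the same commands apply with sapgenpse.exe.
set -e

SAPGENPSE="${SAPGENPSE:-sapgenpse}"       # tool from step 1; override with a full path if needed
PSE_FILE="${PSE_FILE:-client.pse}"        # PSE_FILE_NAME in the article
CLIENT_CERT="${CLIENT_CERT:-CLIENT.crt}"  # CLIENT_CERT_NAME exported in step 4a
SERVER_CERT="${SERVER_CERT:-SERVER.crt}"  # SERVER_CERT_NAME exported from STRUST in step 4b

# Step 3a: verify the two directories before exporting SECUDIR and LD_LIBRARY_PATH.
# Returns 1 with the reason on stderr so a failed run is explained, not silent.
snc_preflight() {
    secudir="$1"; libdir="$2"
    [ -d "$secudir" ] || { echo "SECUDIR '$secudir' is not a directory" >&2; return 1; }
    [ -f "$secudir/ticket" ] || { echo "no license ticket in '$secudir'" >&2; return 1; }
    found=0
    for lib in sapcrypto.dll libsapcrypto.so; do
        if [ -f "$libdir/$lib" ]; then found=1; fi
    done
    [ "$found" -eq 1 ] || { echo "SAP Cryptographic Library not found in '$libdir'" >&2; return 1; }
    SECUDIR="$secudir"; export SECUDIR
    LD_LIBRARY_PATH="$libdir${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"; export LD_LIBRARY_PATH
    return 0
}

# Step 3b: build the PSE owner DN in the attribute order the article uses.
# The same string is what you later enter as the adapter's SNC name property.
snc_build_dn() {
    printf 'CN=%s, C=%s, S=%s, O=%s, OU=%s' "$1" "$2" "$3" "$4" "$5"
}

# Steps 3b to 4b on the client, each running the article's command:
# create the PSE, write cred_v2 for the OS user, export our certificate for
# STRUST, then import the server certificate that STRUST exported.
snc_client_setup() {
    dn="$1"; osuser="$2"
    "$SAPGENPSE" gen_pse -v -p "$PSE_FILE" "$dn"              # prompts for the PIN
    "$SAPGENPSE" seclogin -p "$PSE_FILE" -O "$osuser"          # creates cred_v2 in SECUDIR
    "$SAPGENPSE" export_own_cert -v -p "$PSE_FILE" -o "$CLIENT_CERT"
    if [ -f "$SERVER_CERT" ]; then
        "$SAPGENPSE" maintain_pk -v -a "$SERVER_CERT" -p "$PSE_FILE"
    else
        echo "server certificate '$SERVER_CERT' not present; export it from STRUST, then import it" >&2
        return 2
    fi
}

# Stand-alone use: SNC_RUN=1 SECUDIR_DIR=/path/to/sec LIB_DIR=/path/to/lib sh snc_client.sh
if [ "${SNC_RUN:-0}" = "1" ]; then
    snc_preflight "${SECUDIR_DIR:-$HOME/sec}" "${LIB_DIR:-$HOME/sec}"
    snc_client_setup "$(snc_build_dn myhost.mydomain mycountry mystate mycompany mydepartment)" "$(id -un)"
fi
```

Run it once after the STRUST export in step 4b so that maintain_pk finds the server certificate; if you run it earlier, it still creates the PSE, cred_v2 and the exported client certificate, and exits with status 2 telling you the server certificate is missing, which is the expected state between steps 4a and 4b. Because cred_v2 ties the PSE to one operating system user, run the script as the user the WebSphere runtime starts under.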

5. Authorize the client application on SAP

SNC has an access control list, so you need to create an entry for your client before the SAP system will allow an SNC connection for RFC. On SAP, go to transaction SM30, enter VSNCSYSACL and click Maintain, then confirm the information message that the table is cross-client. You are now done with SNC configuration on both the client and server sides.

Authorize client application

SNC connectivity using WebSphere SAP Adapter

You can configure WebSphere SAP Adapter using IBM Integration Designer. Run the Enterprise Service Discovery wizard to create an EIS import or export that you can use to access your back-end SAP system. For details on running this wizard and on configuration steps, see Resources at the bottom of the article. The Enterprise Service Discovery wizard provides a section under Advanced Properties for SNC-related configuration. It provides these properties:

  • Secure Network Connection (SNC) name -- Specify the distinguished name of the client PSE (created above in step 3b).
  • Secure Network Connection (SNC) partner -- Specify the distinguished name of the server PSE (created above in step 2).
  • Secure Network Connection (SNC) security level -- This property specifies the level of protection applied to the secure network connection. Security levels are implemented by the cryptographic library, and a particular library file may not support all of them. Select from the drop-down as required:
    • Authentication only
    • Integrity protection
    • Privacy protection, and so on
  • SNC library path -- This property specifies the path to the library that provides the secure network connection service (sapcrypto.dll obtained above in Step 1).
  • X509 certificate -- This optional property specifies the X509 certificate to be used as the logon ticket. You can connect to SAP via SNC using a conventional username and password or via an X509 certificate (the client certificate generated above as part of step 3b and exported to the file system in step 4a with the name CLIENT.crt). You can verify the SNC connection status via the SAP System Trace and the adapter trace file.

SNC configuration in WebSphere SAP Adapter

Conclusion

In this article you learned the basics of Secure Network Communication (SNC) to SAP and how to use the WebSphere SAP Adapter to configure an SNC connection. The article also showed you how to configure a SAP system and a client system for SNC.

Acknowledgement

The author would like to thank Jens Engelke from IBM BPM Development for reviewing this article.

Resources
