Configuring Secure Network Communication (SNC) between SAP systems and clients using WebSphere Adapter for SAP Software V7.5
SAP systems include the basic security measures of SAP authorization and user authentication by password. This article shows you how to use Secure Network Connection (SNC) to extend SAP system security beyond these basic measures to include the additional protection of stronger authentication methods and encryption. This article explains connectivity mechanisms provided by IBM® WebSphere® Adapter for SAP Software to establish a secure connection via SNC to SAP.
- IBM Integration Designer V7.5 (formerly called IBM WebSphere Integration Developer) or IBM Business Process Manager V7.5 Advanced Edition
- WebSphere Adapter for SAP Software V7.5 (hereafter called WebSphere SAP Adapter)
- Access to a SAP system with IDoc/BAPI processing configured
- A SAP JCo Library and SAP Cryptographic Library
- A basic understanding of IBM Integration Designer and WebSphere SAP Adapter. For more information on these products, see Related topics at the bottom of the article.
Secure Network Communication (SNC)
SNC is a software layer in the SAP system architecture that provides an interface to external security products. With SNC, you can strengthen the security of your SAP system by implementing additional security functions and protections. SNC provides application-level, end-to-end security to ensure reliable, consistent, and secure connections.
SNC is used to secure Remote Function Call (RFC) connections to SAP Advanced Business Application Programming (ABAP) systems. SNC support is implemented as a layer between the SAP kernel and an external security library that implements the Generic Security Services API (GSS-API). SAP also provides the SAP Cryptographic Library, which you can download from SAP.
WebSphere SAP Adapter enables you to connect to SAP systems by establishing an RFC connection protected by SNC. The next section shows you how to establish an SNC connection to a SAP system using WebSphere Adapter for SAP Software with IBM Integration Designer V7.5 or IBM Business Process Manager V7.5 Advanced Edition.
Configuring SNC on SAP and WebSphere SAP Adapter
1. SAP Cryptographic Library
SAP Cryptographic Library is the default SAP security product performing encryption functions in SAP systems. It meets the requirements of the GSS-API V2 Interface. Download the SAP Cryptographic Library (SAP authorization required). The SAP Cryptographic Library installation package contains the following files:
- SAP Cryptographic Library (sapcrypto.dll for Microsoft® Windows®)
- A corresponding license ticket
- The configuration tool
2. SNC configuration on SAP Advanced Business Application Programming (ABAP) system
When using SAP Cryptographic Library for SNC, the server and its communication partner system (where the WebSphere runtime is installed) must both be configured for SNC. Personal Security Environment (PSE) must be configured -- it is used by both components to verify and authenticate the remote component, and to store public-private key pairs and public-key certificates. For SNC, it is better for each component to have its own individual PSE, because if a single PSE is shared by all components, an attacker can fool a client system and connect to the WebSphere server instead of to the SAP server, and the client would have no way to detect the attack. In this article, individual PSEs are used by both systems.
Creating and configuring server PSE
You need to set SAP instance profile parameters to enable SNC and specify the SNC name. Follow the SAP guides listed below to configure the PSE and activate SNC on the SAP server:
- Setting up data encryption between RFC Client and Web AS ABAP with SNC
- Configuring SNC: AS Java and AS ABAP
3. SNC configuration on client system
The client system in this case includes IBM Business Process Manager with the WebSphere SAP Adapter deployed on it. You need to perform a one-time setup process of creating a PSE on the client and creating and exchanging cryptographic key material. This setup is required regardless of whether you are configuring the environment to support inbound or outbound communications.
3a. Setting environment variable
Here are the configuration steps needed on the client system. Set the environment variables SECUDIR and LD_LIBRARY_PATH as shown below:
- SECUDIR contains the license ticket obtained in Step 1.
- LD_LIBRARY_PATH contains the sapcrypto.dll and sapgenpse.exe files.
Setting environment variable
3b. Creating client PSE
Create a PSE using sapgenpse gen_pse -v -p PSE_FILE_NAME. You will be asked to set a PIN, which serves as the PSE password. Then you need to enter the distinguished name for the PSE owner. Make the following specifications: CN=myhost.mydomain, C=mycountry, S=mystate, O=mycompany, OU=mydepartment.
Creating client PSE
Configure the PSE and create a credentials file named cred_v2 for the user using sapgenpse seclogin -p PSE_FILE_NAME -O USERNAME. The credentials file lets client applications access the key store, and it is usable only by the current operating system user.
Configuring client PSE.
4. Exchange certificates between SAP ABAP system and the client
The SAP ABAP system and the client need to exchange the certificates in order to trust each other and communicate securely.
4a. Client certificate exchange
Export the client certificate from the PSE using the following command: sapgenpse export_own_cert -v -p PSE_FILE_NAME -o CLIENT_CERT_NAME
Exporting client certificate
Go to the configured PSE on the SAP server (eccdev_SD1_10 in this case) and import the client certificate into SAP using the SAP transaction code STRUST. Then use Import Certificate to select the certificate exported in the step above and add it to the certificate list.
Import client certificate into SAP system
4b. SAP system certificate exchange
Export the SAP certificate from the server: Select the server certificate and click Export:
Export SAP certificate
Import the SAP certificate into the client PSE using the following command:
sapgenpse maintain_pk -v -a SERVER_CERT_NAME -p PSE_FILE_NAME
Import SAP certificate into client PSE
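The client-side steps 3a to 4b leave behind a small set of artefacts (the two environment variables, the ticket, the PSE, cred_v2 and the exported certificate), and most SNC connection failures trace back to one of them being absent or world-readable. The following preflight check is an added example, not code from the article, SAP or IBM: it inspects only those artefacts and never calls sapgenpse. It assumes the license ticket is stored in SECUDIR under the name ticket, that the Unix build of the SAP Cryptographic Library is libsapcrypto.so, and that export_own_cert writes a PEM file; the sandbox it builds contains constructed placeholder files so that it runs offline.

```python
"""Offline preflight check for the client side of the SNC setup (steps 3a to 4b).

Added example; not code from the article, SAP or IBM. It inspects only the
files and environment variables the article says must exist after the
sapgenpse steps and never calls sapgenpse itself. Assumptions: the license
ticket lives in SECUDIR under the name "ticket", the Unix build of the
SAP Cryptographic Library is libsapcrypto.so, and export_own_cert writes
a PEM (base64 with BEGIN/END CERTIFICATE lines) file.
"""
import os
import stat
import tempfile
from pathlib import Path

IS_POSIX = os.name == "posix"
# sapcrypto.dll is named in the article; libsapcrypto.so is the assumed Unix name.
CRYPTO_LIBS = ("sapcrypto.dll", "libsapcrypto.so")
SAPGENPSE_EXES = ("sapgenpse.exe", "sapgenpse")


def check_env(env):
    """Step 3a: both variables must be set."""
    return [f"{name} is not set" for name in ("SECUDIR", "LD_LIBRARY_PATH")
            if not env.get(name)]


def check_library_path(lib_path):
    """Step 3a: LD_LIBRARY_PATH must hold the cryptographic library and sapgenpse."""
    findings = []
    dirs = [Path(p) for p in lib_path.split(os.pathsep) if p]
    if not any((d / lib).is_file() for d in dirs for lib in CRYPTO_LIBS):
        findings.append("SAP Cryptographic Library not found on LD_LIBRARY_PATH")
    if not any((d / exe).is_file() for d in dirs for exe in SAPGENPSE_EXES):
        findings.append("sapgenpse not found on LD_LIBRARY_PATH")
    return findings


def check_secudir(secudir, pse_file, ticket_file="ticket"):
    """Steps 1 and 3b: ticket, PSE and cred_v2 must exist; cred_v2 must be private."""
    findings = []
    sec = Path(secudir)
    if not (sec / ticket_file).is_file():
        findings.append(f"license ticket {ticket_file} missing from SECUDIR")
    if not (sec / pse_file).is_file():
        findings.append(f"PSE {pse_file} missing from SECUDIR")
    cred = sec / "cred_v2"
    if not cred.is_file():
        findings.append("cred_v2 missing: run sapgenpse seclogin")
    elif IS_POSIX:
        # cred_v2 lets applications open the PSE without the PIN, so nobody
        # but the adapter's OS user should be able to read it.
        mode = stat.S_IMODE(cred.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"cred_v2 mode {mode:04o} is readable by others; expected 0600")
    return findings


def check_exported_cert(cert_file):
    """Step 4a: the exported client certificate should be a PEM file ready for STRUST."""
    path = Path(cert_file)
    if not path.is_file():
        return [f"client certificate {cert_file} has not been exported"]
    if "-----BEGIN CERTIFICATE-----" not in path.read_text(errors="replace"):
        return [f"{cert_file} does not look like a PEM certificate"]
    return []


def preflight(env, pse_file, cert_file):
    """Run every check; an empty list means the client side matches steps 3a to 4b."""
    findings = check_env(env)
    if findings:  # the remaining checks need both variables
        return findings
    findings += check_library_path(env["LD_LIBRARY_PATH"])
    findings += check_secudir(env["SECUDIR"], pse_file)
    findings += check_exported_cert(cert_file)
    return findings


def build_sandbox(with_cred=True, cred_mode=0o600):
    """Constructed directory layout with placeholder files (not real SAP artefacts)
    so the checks can be exercised offline. Returns (env, pse_file, cert_file)."""
    root = Path(tempfile.mkdtemp(prefix="snc_demo_"))
    sec, lib = root / "sec", root / "lib"
    sec.mkdir()
    lib.mkdir()
    (sec / "ticket").write_text("constructed license ticket\n")
    (sec / "client.pse").write_bytes(b"constructed PSE bytes")
    if with_cred:
        cred = sec / "cred_v2"
        cred.write_bytes(b"constructed credentials")
        cred.chmod(cred_mode)
    for name in ("libsapcrypto.so", "sapgenpse"):
        (lib / name).write_bytes(b"")
    cert = root / "CLIENT.crt"
    cert.write_text("-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n")
    return {"SECUDIR": str(sec), "LD_LIBRARY_PATH": str(lib)}, "client.pse", str(cert)


if __name__ == "__main__":
    env, pse, cert = build_sandbox()
    print("complete client setup:", preflight(env, pse, cert) or "OK")
    env, pse, cert = build_sandbox(with_cred=False)
    print("cred_v2 missing:", preflight(env, pse, cert))
```

Against a real installation, call preflight with os.environ, the PSE file name chosen in step 3b and the CLIENT_CERT_NAME from step 4a; the cred_v2 permission check matters because the file bypasses the PSE PIN, so a readable copy is equivalent to the client's private key.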
5. Authorize the client application on SAP
SNC has an access control list, so you need to create an entry for your client so that the SAP system allows the SNC connection for RFC. On SAP, go to transaction SM30, enter VSNCSYSACL and click Maintain. Then confirm the information message The table is cross-client. You are now done with the SNC configuration on both the client and server sides.
Authorize client application
SNC connectivity using WebSphere SAP Adapter
You can configure WebSphere SAP Adapter using IBM Integration Designer. Run the Enterprise Service Discovery wizard to create an EIS import or export that you can use to access your back-end SAP system. For details on running this wizard and on configuration steps, see Related topics at the bottom of the article. The Enterprise Service Discovery wizard provides a section under Advanced Properties for SNC related configuration. It provides these properties:
- Secure Network Connection (SNC) name -- Specify the distinguished name for the client PSE (created above in step 3b).
- Secure Network Connection (SNC) partner -- Specify the distinguished name for the server PSE (created above in step 2).
- Secure Network Connection (SNC) security level -- This property specifies the level of security for the secure network connection. Security level support is provided by the Cryptographic Library, and not all security levels may be supported by a particular library file. Select from the drop-down as required:
  - Authentication only
  - Integrity protection
  - Privacy protection, and so on
- SNC library path -- This property specifies the path to the library that provides the secure network connection service (sapcrypto.dll obtained above in Step 1).
- X509 certificate -- This optional property specifies the X509 certificate to be used as the logon ticket. You can connect to SAP via SNC using a conventional username and password, or via an X509 certificate (the client certificate generated above as part of step 3b and exported to the file system in step 4a with the name CLIENT.crt). You can verify the SNC connection status via the SAP system trace and the adapter trace file. See Related topics for more information on the above properties.
SNC configuration in WebSphere SAP Adapter
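The five wizard properties above map onto the SNC settings that the adapter passes down to the SAP Java Connector, and a few combinations are valid but weaker than the rest of the article intends (a security level below privacy protection sends RFC data in the clear, and a password logon over such a channel exposes the password). The script below is an added example, not code from the article or the adapter: it assembles the connection properties using JCo's client property names (jco.client.snc_mode, snc_myname, snc_partnername, snc_qop, snc_lib, x509cert), not the wizard's field labels, and reviews them for the weak combinations. It assumes that SNC names for the SAP Cryptographic Library carry the p: prefix in front of the distinguished name, that snc_qop uses JCo's encoding (1 authentication, 2 integrity, 3 privacy, 8 default, 9 maximum) and that x509cert takes the base64 certificate body without PEM armor; the server DN and the certificate are constructed sample values.

```python
"""Assemble and review the SNC connection properties described in this section.

Added example; not code from the article or the adapter. The adapter hands
its SNC settings to SAP JCo, so the dictionary below uses JCo's client
property names; the wizard's own field labels are not reproduced.
Assumptions: SNC names for the SAP Cryptographic Library carry the "p:"
prefix in front of the distinguished name, snc_qop uses JCo's encoding
(1 authentication, 2 integrity, 3 privacy, 8 default, 9 maximum), and
x509cert takes the base64 certificate body without PEM armor.
"""
import re

# Client DN from step 3b; the server DN and certificate are constructed samples.
CLIENT_DN = "CN=myhost.mydomain, C=mycountry, S=mystate, O=mycompany, OU=mydepartment"
SERVER_DN = "CN=sapserver.mydomain, O=mycompany, C=mycountry"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBcons\ntructed\n-----END CERTIFICATE-----\n"

RDN_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*([^,]+?)\s*$")
ALLOWED_RDNS = {"CN", "C", "S", "ST", "L", "O", "OU"}
SECURITY_LEVELS = {"authentication": 1, "integrity": 2, "privacy": 3,
                   "default": 8, "maximum": 9}


def parse_dn(dn):
    """Split 'CN=a, O=b' into ordered (type, value) pairs, rejecting malformed RDNs."""
    pairs = []
    for part in dn.split(","):
        match = RDN_RE.match(part)
        if not match:
            raise ValueError(f"malformed RDN: {part!r}")
        rdn_type, value = match.group(1).upper(), match.group(2)
        if rdn_type not in ALLOWED_RDNS:
            raise ValueError(f"unexpected RDN type {rdn_type}")
        pairs.append((rdn_type, value))
    if not pairs or pairs[0][0] != "CN":
        raise ValueError("distinguished name must start with CN")
    return pairs


def snc_name(dn):
    """SNC name as the sapcrypto library expects it: 'p:' plus the normalized DN."""
    return "p:" + ", ".join(f"{t}={v}" for t, v in parse_dn(dn))


def pem_to_jco_cert(pem_text):
    """Strip PEM armor and line breaks to get the base64 body for jco.client.x509cert."""
    return "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))


def build_snc_properties(client_dn, server_dn, lib_path, level="privacy",
                         x509_cert=None, user=None, password=None):
    """Return the JCo client properties for an SNC-protected RFC connection."""
    if level not in SECURITY_LEVELS:
        raise ValueError(f"unknown security level {level!r}")
    props = {
        "jco.client.snc_mode": "1",
        "jco.client.snc_myname": snc_name(client_dn),       # client PSE, step 3b
        "jco.client.snc_partnername": snc_name(server_dn),  # server PSE, step 2
        "jco.client.snc_qop": str(SECURITY_LEVELS[level]),
        "jco.client.snc_lib": str(lib_path),                # sapcrypto library, step 1
    }
    if x509_cert is not None:
        props["jco.client.x509cert"] = x509_cert            # certificate logon, step 4a
    elif user and password:
        props["jco.client.user"] = user
        props["jco.client.passwd"] = password
    else:
        raise ValueError("supply either an X509 certificate or user and password")
    return props


def review_properties(props):
    """Flag configurations that are valid but weaker than the article recommends."""
    findings = []
    qop = int(props["jco.client.snc_qop"])
    if qop in (1, 2):
        findings.append("security level below privacy protection: RFC data is not encrypted")
        if "jco.client.passwd" in props:
            findings.append("password logon without privacy protection; "
                            "raise the security level or use an X509 certificate")
    if props["jco.client.snc_myname"] == props["jco.client.snc_partnername"]:
        findings.append("client and server share one SNC name; give each component its own PSE")
    lib_name = re.split(r"[\\/]", props["jco.client.snc_lib"])[-1].lower()
    if not lib_name.startswith(("sapcrypto", "libsapcrypto")):
        findings.append("snc_lib does not point at the SAP Cryptographic Library")
    return findings


if __name__ == "__main__":
    strong = build_snc_properties(CLIENT_DN, SERVER_DN, "/opt/sap/lib/libsapcrypto.so",
                                  x509_cert=pem_to_jco_cert(SAMPLE_PEM))
    weak = build_snc_properties(CLIENT_DN, SERVER_DN, "C:\\sap\\sapcrypto.dll",
                                level="authentication", user="ADAPTER", password="secret")
    for name, props in (("certificate logon", strong), ("password logon", weak)):
        print(name, props["jco.client.snc_myname"], review_properties(props) or "OK")
```

The shared-name check corresponds to the warning in step 2 about a single PSE being used by every component: if the adapter's SNC name equals the partner name, the client cannot tell the SAP server apart from any other holder of the same PSE.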
In this article you learned the basics of Secure Network Communication (SNC) to SAP and how to use the WebSphere SAP Adapter to configure an SNC connection. The article also showed you how to configure a SAP system and a client system for SNC.
The author would like to thank Jens Engelke from IBM BPM Development for reviewing this article.
- WebSphere Adapter resources
- WebSphere Adapter for SAP Software documentation
Details on WebSphere SAP adapter configuration on BPM.
- IBM WebSphere Adapter for SAP Software Samples
The samples in this section show how to use various interfaces supported by the WebSphere Adapter for SAP Software.
- WebSphere Adapters information center
A single Web portal to all WebSphere Adapters documentation, with conceptual, task, and reference information on installing, configuring, and using WebSphere Adapters.
- WebSphere Adapters product page
Product benefits, product descriptions, product news, case studies, training information, support information, and more.
- WebSphere Adapters product library
Product demos, Redbooks, white papers, and more.
- Business process management samples and tutorials using WebSphere Adapters
These samples show you how to use WebSphere Adapters in solutions developed with WebSphere Integration Developer and deployed on WebSphere Process Server or WebSphere ESB.
- developerWorks resources
- Trial downloads for IBM software products
No-charge trial downloads.
- developerWorks cloud computing resources
Access the IBM or Amazon EC2 cloud, test an IBM cloud computing product in a sandbox, see demos of cloud computing products and services, read cloud articles, and access other cloud resources.
- developerWorks tech briefings
Free technical sessions by IBM experts to accelerate your learning curve and help you succeed in your most challenging software projects. Sessions range from one-hour virtual briefings to half-day and full-day live sessions in cities worldwide.
- developerWorks on Twitter
Check out recent Twitter messages and URLs.