Configuring SAP Secure Network Communication (SNC)
This enhancement enables you to perform secure network communication with SAP.
Prerequisites for IIM
Important: Make sure to set the required environment variables (SECUDIR and/or SNC_LIB) before starting the Sterling B2B Integrator. The SAP Jco 3.x adapter may not be enabled if the environment variables are not defined during the start of the Sterling B2B Integrator. To persist the environment variables for Sterling B2B Integrator restart operations, it is recommended to add these variables to bash_profile or bashrc in Linux environments, and for Windows, update the environment variables.
- Make sure you have downloaded the files required for the SAP SNC connection, which include the cryptographic library (saplibcrypto.so or saplibcrypto.dll based on the operating system running Sterling B2B Integrator) and the command-line tool (Windows: sapgenpse.exe; Unix/Linux sapgenpse) to a local directory. These are two options to place the files:
- Create a directory with the name
secunder the user's home directory, and place the files under that directory.Example:
Unix/Linux - /home/<user>/sec, Windows - C:\Users\<user>\AppData\Local\sec
- Create a custom directory under any accessible directory, set the environment variable SECUDIR to this directory, and place the downloaded files.
- Create a directory with the name
- Set the environment variable SNC_LIB for the library file. Example:Windows: SNC_LIB=C:\SAPLib\sapcrypto.dllUnix/Linux: SNC_LIB=/opt/SAPLib/libsapcrypto.soNote: This step is required if the SAP Jco 3.x adapter SNC details page config parameter SNC Library path is left blank.
- You need to manually set the Jco library path (.dll) on the PATH system variable for Windows-based Sterling B2B Integrator installs if it is not already set.
- If you are installing Sterling B2B Integrator on Windows, make sure to create the cred_v2 file with the userid you used to install Sterling B2B Integrator and run all Sterling B2B Integrator services as the same user.
Prerequisites for Certified Container
- Install the SNC Cryptographic shared library using the Customization UI.
- Configure a PSE file. To configure a PSE file, see Creating PSE File.
- Create a SAP SNC Secret.The Secret will be created with two files with the names: snc-client.pse, sapgenpse, along with the password (the password of the PSE file).Example:
oc create secret generic <snc_secret_name> --from-file=snc-client.pse=<path to the .pse file> --from-literal=pse-password=<password for PSE file> --from-file=sapgenpse=<path to the sapgenpse file>
- Define values for the below fields in the Helm configuration file.
sapSncSecretName: Name of the secret holding SAP SNC PSE file and password along with the sapgenpse utility. sapSncLibVendorName: SAP SNC library vendor name. This is same as the vendor name configured on customization UI for the SAP SNC library. sapSncLibVersion: SAP SNC library version. Specify the value in quotes. This is same as the vendor version configured on customization UI for the SAP SNC library. sapSncLibName: SAP SNC library name. This is same as the native library file name uploaded on customization UI for the SAP SNC library.
Creating PSE and Cred_v2 Files
- Generate the PSE file.Run the below command to generate a PSE file after downloading sapgenpse for the OS where Sterling B2B Integrator is installed.
sapgenpse gen_pse [-p <PSE_name>] [-x <PIN>] [DN]Where:-p <PSE_name>: Path and file name for the client PSE-x <PIN>: PIN that protects the PSE.Note: This PIN is the user-defined password for the client PSE, and it is asked every time you use the PSE.DN: Distinguished Name for the client PSE. The Distinguished Name is used to build the client SNC name. It consists of the following elements:
- CN = <Common Name>
- OU = <Organizational Unit>
- O = <Organization>
- C = <Country Code>
./sapgenpse gen_pse -p /opt/SAPLib/client.pse -x passw0rd "CN=xxxxxx, OU=yyyyyy, O= zzzzzzz, C=US"As an output of this command, a file with the name client.pse is generated in the $SECUDIR folder or sec directory under the user's home directory, based on the option chosen to save the files.
- Export the client certificate of the newly created PSE.Run this command to export the certificate from the client.pse file.
sapgenpse export_own_cert -o <output_file> -p <PSE_name> [-x <PIN>]Where:-o <output_file>: File name for the exported certificate in .crt file extension.-p <PSE_name>: Path and file name for the client.pse-x<PIN>: PIN that protects the PSE is used while creating the client.pse file.Example:
./sapgenpse export_own_cert -v -p /opt/SAPLib/client.pse -o client.crtThis certificate needs to be shared with SAP Server admin for adding it to the SAP Server pse file used to establish the SNC connection.
- Import the SAP Application Server Certificate to the client PSE.Note: You need to import the certificate of the SAP Application Server to your client PSE to establish an SNC connection between the Sterling B2B Integrator and SAP Application Server. In case you need to establish an SNC connection for multiple SAP servers with the Sterling B2B Integrator, you need to repeat this step for the multiple SAP servers.
- You must have exported a certificate file from SAP Application Server.
- Copy the exported certificate to the Sterling B2B Integrator under the directory referred by the environment variable $SECUDIR or the sec directory under the user's home directory, based on the option chosen to save the files.
- On the Sterling B2B Integrator hosting file system, you need to run the following command to import the exported SAP Application Server certificate into the client.pse file.
sapgenpse maintain_pk [-a <sap_cert_file>] -p < client_PSE_file_name> [-x <PIN>]Where:-a < sap_cert_file >: Path and file name of SAP Application Server certificate extracted from its PSE file.-p <client_PSE_file_name>: Path and file name for the client PSE file.-x <PIN>: PIN that protects the client PSE provided while creating client.pse file.Example:
./sapgenpse maintain_pk -a sap.crt -p /opt/SAPLib/client.pse -x password
- Create the cred_v2 file.Note: This step is only applicable for IIM deployment.After setting up the client PSE, you must create a file called cred_v2 which is used to securely give the RFC Program access to the PSE without providing the password for the PSE.Example:
./sapgenpse seclogin -p /opt/SAPLib/client.pse -x passw0rd -O usernameAs a result of this output, it will create the cred_v2 file in the $SECUDIR folder.