Search
Home
Saved
0
44 views
Sign In
Upload
Join
RELATED TITLES
0
Configuring SNC Client Encryption With CCL
Uploaded by mahesh vengurlekar
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
SAP SNC config
Save
Embed
Share
Print
Download
Adding Language R12
1
of 15
Oa Patching r12
LX300 bidirecional
Search document
Using SNC Client Encryption for encrypting SAP GUI Connectio with CommonCryptoLib
Sign up to vote on this title
Useful
Not useful
Home
Saved
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
Upload
Sign In
Join
Search
Home
Saved
0
44 views
Sign In
Upload
Join
RELATED TITLES
0
Configuring SNC Client Encryption With CCL
Uploaded by mahesh vengurlekar
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
SAP SNC config
Save
Embed
Share
Print
Adding Language R12
1
Download
of 15
Oa Patching r12
LX300 bidirecional
Search document
Contents 1.
Prerequisites ........................................................................................................................
2.
Downloading the SNC Client Encryption ..............................................................................
3.
Configuration in the Microsoft Active Directory ..................................................................
4.
Configuration in the Server side...........................................................................................
5.
Configuration in the Client side...........................................................................................
6.
Troubleshooting SNC Client Encryption ..............................................................................
7.
Troubleshooting CommonCryptoLib ...................................................................................
8.
References...........................................................................................................................
You're Reading a Preview Unlock full access with a free trial.
Download With Free Trial
Sign up to vote on this title
Useful
Not useful
Home
Saved
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
Upload
Sign In
Join
Search
Home
Saved
0
44 views
Sign In
Upload
Join
RELATED TITLES
0
Configuring SNC Client Encryption With CCL
Uploaded by mahesh vengurlekar
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
SAP SNC config
Save
Embed
Share
Print
Adding Language R12
1
Download
of 15
Oa Patching r12
LX300 bidirecional
Search document
1. Prerequisites
You have SAP GUI installed on a computer running Microsoft Windows You have SAP NetWeaver Application Server (AS) ABAP with CommonCryptoLib configured You have a Microsoft Windows Domain Controller You fulfill the requisites of the following SAP Notes:
SAP Note 1561161 – Enabling SAP GUI password logon despite using SNC SAP Note 1580808 – SAP Logon 7.20: "SNC logon w/o SSO" for connection entry SAP Note 1616598 – Enabling RFC password logon despite using SNC SAP Note 1617641 – Addition of SSO feature for SNC in Logon Control
You're Reading a Preview Unlock full access with a free trial.
Download With Free Trial
Sign up to vote on this title
Useful
Not useful
Home
Saved
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
Upload
Sign In
Join
Search
Home
Saved
0
44 views
Sign In
Upload
Join
RELATED TITLES
0
Configuring SNC Client Encryption With CCL
Uploaded by mahesh vengurlekar
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
SAP SNC config
Save
Embed
Share
Print
Adding Language R12
1
Download
of 15
Oa Patching r12
LX300 bidirecional
Search document
2. Downloading the SNC Client Encryption
To configure SNC Client Encryption, the first step is to download the latest version available for SNC Client Encryption. Then, it is necessary to check if your environment has the CommonCryptoLib already configured. 2.1 Downloading the SNC Client Encryption 1.0
Go to SAP Marketplace Software Download Center Support Packages and Patches Browse our Download Catalog SAP Cryptographic Software SNC CLIENT ENCRYPTION SNC CLIENT ENCRYPTION 1.0
NOTE: Alternatively, you can use the new SAP GUI setup (as of release 7.30). It comes with the SNC Client Encryption embedded.
2.2 Checking the configuration of CommonCryptoLib 2.2.1 The CommonCryptoLib is delivered with latest kernel patches under $(DIR_EXECUTABLE) folder. Check if the library is available in your environment and if it is properly configured accordingly to SAP Note 1848999. You're Reading a Preview use report check NOTE: You can also Unlock SSF02 to full access with a free trial.the installation of CommonCryptoLib. Start report SSF02 in transaction SE38 -> Choose option Determine Version -> Execute report (F8) -> Output for CommonCryptoLib looks Download With Free Trial like: Version information:
142
SSFLIB Version 1.840.40 ; CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.30 (+MT)
(in this example, CommonCryptoLib patch level Sign30 is up toinstalled). vote on this title
Useful
Not useful
Home
Saved
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
Upload
Sign In
Join
Search
Home
Saved
0
44 views
Sign In
Upload
Join
RELATED TITLES
0
Configuring SNC Client Encryption With CCL
Uploaded by mahesh vengurlekar
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
SAP SNC config
Save
Embed
Share
Print
Adding Language R12
1
Download
of 15
Oa Patching r12
LX300 bidirecional
Search document
2.2.2 If you want to update CommonCryptoLib, you can download the latest version and replace the current one: Go to SAP Marketplace Software Download Center Support Packages and Patches Browse our Download Catalog SAP Cryptographic Software SAPCRYPTOLIB COMMONCRYPTOLIB 8
NOTE: If you do not have CommonCryptoLib configured, you can use the Secure Login Library instead of CommonCryptoLib to configure your server side. In that case, please refer to SAP Note 2057374.
Relevant Information SAP Note 1682957 - Downloading Patches for SNC Client Encryption SAP Note 1848999 - Central Note for CommonCryptoLib 8 (replacing SAPCRYPTOLIB)
You're Reading a Preview Unlock full access with a free trial.
Download With Free Trial
Sign up to vote on this title
Useful
Not useful
Home
Saved
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
Upload
Sign In
Join
Search
Home
Saved
0
44 views
Sign In
Upload
Join
RELATED TITLES
0
Configuring SNC Client Encryption With CCL
Uploaded by mahesh vengurlekar
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
SAP SNC config
Save
Embed
Share
Print
Download
Adding Language R12
1
of 15
Oa Patching r12
LX300 bidirecional
Search document
3. Configuration in the Microsoft Active Directory 3.1 Create a Service User (Kerberos
) in Microsoft Active Directory (i.e. KerberosABC):
3.2 Set the following checkboxes for the Service User: You're Reading a Preview Unlock full access with a free trial.
Download With Free Trial
Sign up to vote on this title NOTE: In this example the password set was AbCdE1@3$5 Useful Not useful
Home
Saved
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
Upload
Sign In
Join
Search
Home
Saved
0
44 views
Sign In
Upload
Join
RELATED TITLES
0
Configuring SNC Client Encryption With CCL
Uploaded by mahesh vengurlekar
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
SAP SNC config
Save
Embed
Share
Print
Download
Adding Language R12
1
of 15
Oa Patching r12
LX300 bidirecional
Search document
3.3 Go to ADSI Edit and set the Service Principal Name for the Service User as SAP/Kerberos (i.e. SAP/KerberosABC):
You're Reading a Preview
Unlock full access with a freethere trial. is no trust, perform the steps where 3.4 For a Multiple Domains environment 1, 3.2 and 3.3 for each domain Download With Free Trial
3.5 Check if the Service Principal Name is unique: setspn -Q (i.e. setspn -Q SAP/KerberosABC)
Sign up to vote on this title
Useful
Not useful
Home
Saved
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
Upload
Sign In
Join
Search
Home
Saved
0
44 views
Sign In
Upload
Join
RELATED TITLES
0
Configuring SNC Client Encryption With CCL
Uploaded by mahesh vengurlekar
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
SAP SNC config
Save
Embed
Share
Print
Adding Language R12
1
Download
of 15
Oa Patching r12
LX300 bidirecional
Search document
4. Configuration in the Server side 4.1 Configure the SNC parameters: Parameter
Value
snc/enable
1
snc/gssapi_lib
For example: $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX) sapcrypto$(FT_DLL) Single Domain: p:CN=@ (i.e. p:[email protected])
snc/identity/as
Multiple Domains: p:CN= (i.e. p:CN=KerberosABC) snc/data_protection/max
3
snc/data_protection/min snc/data_protection/use
2
You're Reading a Preview 3
Unlock full access with a free trial.
snc/r3int_rfc_secure
0
Download With Free Trial
snc/r3int_rfc_qop
8
snc/accept_insecure_cpic
1
snc/accept_insecure_gui
1
snc/accept_insecure_rfc
1 Sign up to vote on this title
snc/permit_insecure_start
1
snc/force_login_screen
0
Useful
Not useful
Home
Saved
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
Upload
Sign In
Join
Search
Home
Saved
0
44 views
Upload
Sign In
Join
RELATED TITLES
0
Configuring SNC Client Encryption With CCL
Uploaded by mahesh vengurlekar
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
SAP SNC config
Save
Embed
Share
Print
Download
Adding Language R12
1
of 15
Oa Patching r12
LX300 bidirecional
Search document
4.2 As of SAP_BASIS 731 SP15 and 740 SP08, you can use transaction SPNEGO to
configure your keytab for SNC. In that case, please refer to the SAP Single Sign On Implementation Guide, Chapter “Creating Keytab for Kerberos”. Otherwise, proceed with steps below.
4.3 Create your Kerberos keytab: 4.3.1 Open the Command Prompt (Windows) or Terminal (UNIX/Linux) 4.3.2 Set the environment variable: Microsoft Windows: set SECUDIR=$(DIR_INSTANCE)\sec UNIX/Linux (depends on shell): setenv SECUDIR $(DIR_INSTANCE)/sec export SECUDIR=$(DIR_INSTANCE)/sec
4.3.3 Single Domain: sapgenpse keytab -p SAPSNCSKERB.pse -x -X -a @ (i.e. sapgenpse keytab -p SAPSNCSKERB.pse -x -X AbCdE1@3$5 -a [email protected])
4.3.4 Multiple Domains:
You're Reading a Preview sapgenpse keytab -p SAPSNCSKERB.pse -x -X -a @ Unlock full access with a free trial. (i.e. sapgenpse keytab -p SAPSNCSKERB.pse -x -X AbCdE1@3$5 -a [email protected]) Download With Free Trial
sapgenpse keytab -p SAPSNCSKERB.pse -x -X -a @ -nopsegen (i.e. sapgenpse keytab -p SAPSNCSKERB.pse -x -X AbCdE1@3$5 -a [email protected] -nopsegen) sapgenpse keytab -p SAPSNCSKERB.pse -x -X -a @ -nopsegen Sign up to vote on this title (i.e. sapgenpse keytab -p SAPSNCSKERB.pse -x -X Useful Not useful AbCdE1@3$5 -a [email protected] -nopsegen)
Home
Saved
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
Upload
Sign In
Join
Search
Home
Saved
0
44 views
Sign In
Upload
Join
RELATED TITLES
0
Configuring SNC Client Encryption With CCL
Uploaded by mahesh vengurlekar
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
SAP SNC config
Save
Embed
Share
Print
Adding Language R12
1
Download
of 15
Oa Patching r12
LX300 bidirecional
Search document
4.5 Create the credentials:
sapgenpse seclogin -p SAPSNCSKERB.pse -x -O (i.e. sapgenpse seclogin -p SAPSNCSKERB.pse -x -O SAPServiceABC (or abcadm))
4.6 Check if the credentials were successfully created with “sapgenpse seclogin command 4.7 Restart your SAP system
NOTE: The keytab creation is case-sensitive and it is made from @.
Relevant Information SAP Note 1848999 - Central Note for CommonCryptoLib 8 (replacing SAPCRYPTOLIB) SAP Note 1996839 - Configuration Files for SNC on CommonCryptoLib SAP Note 1996851 - Migration from Secure Login Library to SAP Cryptographic Libra (CommonCryptoLib): Special characters SAP Note 1996852 - Migration from Secure Login Library to SAP Cryptographic Libra (CommonCryptoLib): How to Solve the Keyword Issue You'reGuide Reading a Preview SAP Single Sign On Implementation (found at https://help.sap.com/sso) Unlock full access with a free trial.
Download With Free Trial
Sign up to vote on this title
Useful
Not useful
Home
Saved
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
Upload
Sign In
Join
Search
Home
Saved
0
44 views
Sign In
Upload
Join
RELATED TITLES
0
Configuring SNC Client Encryption With CCL
Uploaded by mahesh vengurlekar
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
SAP SNC config
Save
Embed
Share
Print
Download
Adding Language R12
1
of 15
Oa Patching r12
LX300 bidirecional
Search document
5. Configuration in the Client side
5.1 As of SAP GUI 7.30, you can install the SNC Client Encryption directly from SA GUI setup. Otherwise, you can extract the SNC Client Encryption .SAR file downloaded and install the SapSncClientEncryption.exe program (with Administrator permission) 5.2 Restart your client
5.3 Check if the SNC_LIB environment variable has been created and is pointing to your \Encryption\secgss.dll (i.e. SNC_LIB = C:\Program Files (x86)\SAP\FrontEnd\SAP GUI\Encryption\secgss.dll)
5.4 Set your SAP GUI SNC Name equal to your Service User’s SPN and check the checkbox “SNC logon with user/password (no Single Sign-On)”: 5.4.1 Single Domain: SNC Name = p:CN=@
(i.e. p:CN=SAP/[email protected])
You're Reading a Preview Unlock full access with a free trial.
Download With Free Trial
Sign up to vote on this title
Useful
Not useful
Home
Saved
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
Upload
Sign In
Join
Search
Home
Saved
0
44 views
Sign In
Upload
Join
RELATED TITLES
0
Configuring SNC Client Encryption With CCL
Uploaded by mahesh vengurlekar
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
SAP SNC config
Save
Embed
Share
Print
Download
Adding Language R12
1
of 15
Oa Patching r12
LX300 bidirecional
Search document
5.4.2 Multiple Domain: SNC Name = p:CN=
(i.e. p:CN=SAP/KerberosABC)
You're Reading a Preview Unlock full access with a free trial.
Download With Free Trial
Sign up to vote on this title
Useful
Not useful
Home
Saved
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
Upload
Sign In
Join
Search
Home
Saved
0
44 views
Sign In
Upload
Join
RELATED TITLES
0
Configuring SNC Client Encryption With CCL
Uploaded by mahesh vengurlekar
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
SAP SNC config
Save
Embed
Share
Print
Download
Adding Language R12
1
of 15
Oa Patching r12
LX300 bidirecional
Search document
6. Troubleshooting SNC Client Encryption 6.1 Enabling Traces for SNC Client Encryption 6.1.1 Create the trace file directory in either %HOMEDRIVE%%HOMEPATH%\sec or C:\sec.
6.1.2 Create the file sec_log_file_filename.txt in the trace file directory. This fil sets the name format for the trace files.
6.1.3 Enter the name format for the trace files in the sec_log_file_filename.txt file. Use the following format: \log-%.PID.%.txt Example C:\sec\log-%.PID.%.txt This creates a log file in the sec directory with the process ID replacing %.PID.% in the name. You're Reading a Preview Unlock full access with a free trial.
6.1.4 Create the file sec_log_file_level.txt in the trace file directory. This file sets the trace level. Download With Free Trial
6.1.5 To start the trace, enter a trace value as a single digit in the trace level file according to the table below. Trace Levels for SNC Client Encryption Value Description 0 No trace 1 Errors 2 Errors and warnings
Sign up to vote on this title
Useful
Not useful
Home
Saved
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
Upload
Sign In
Join
Search
Home
Saved
0
44 views
Sign In
Upload
Join
RELATED TITLES
0
Configuring SNC Client Encryption With CCL
Uploaded by mahesh vengurlekar
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
SAP SNC config Adding Language R12
Save
Embed
Share
Print
Download
1
of 15
Oa Patching r12
LX300 bidirecional
Search document
7. Troubleshooting CommonCryptoLib
7.1 To turn on trace file generation for CommonCryptoLib, go to the program folder where the library is loaded from (like /usr/sap///exe), and create a new text file named "sectrace.ini" with the following content: LEVEL=4 DIRECTORY=
7.2 The value of DIRECTORY must a valid folder name for the respective platform, and it must be the subfolder of an existing one, and should be placed in a local drive. If DIRECTORY does not exist, it will be created. Example for Windows: DIRECTORY=D:\usr\sap\\\sectrace Example for Linux: DIRECTORY=/usr/sap///sectrace
where and are the concrete SID and instance names. NOTE: The number and size of generated trace files in DIRECTORY may You're Reading a Preview grow very quickly, so there should be sufficient disk space. Unlock full access with a free trial.
7.3 It is recommended to remove or rename "sectrace.ini" once the troubleshooting Withoff Free Trial tracing immediately. All trace activities are completed, Download which will turn further files should be removed manually once they are not needed for problem analys anymore.
Sign up to vote on this title
Useful
Not useful
Home
Saved
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
Upload
Sign In
Join
Search
Home
Saved
0
44 views
Sign In
Upload
Join
RELATED TITLES
0
Configuring SNC Client Encryption With CCL
Uploaded by mahesh vengurlekar
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
SAP SNC config
Save
Embed
Share
Print
Adding Language R12
1
Download
of 15
Oa Patching r12
LX300 bidirecional
Search document
8. References 8.1 Official Documentation:
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/b9/0dfa4a0457487bb0e59d30 eb1a79a/content.htm SAP Single Sign-On Implementation Guide
8.2 Relevant SAP Notes:
SAP Note 1643878 - Release Notes for SNC Client Encryption SAP Note 1690662 - Option: Blocking unencrypted SAPGUI/RFC connections SAP Note 1932513 - SNC Client Encryption Fixes for Version 1.0 SP01 PL02 SAP Note 1940669 - SNC Client Encryption Fixes for Version 1.0 SP01 PL03 SAP Note 1951788 - Fixes for SNC Client Encryption 1.0 SP01 PL04 SAP Note 1848999 - Central Note for CommonCryptoLib 8 (replacing SAPCRYPTOLIB SAP Note 2057374 - Using SNC Client Encryption (SCE) for encrypting SAP GU
Connection
You're Reading a Preview Unlock full access with a free trial.
Download With Free Trial
Sign up to vote on this title
Useful
Not useful
Home
Saved
Top Charts
Books
Audiobooks
Magazines
News
Documents
Sheet Music
Upload
Sign In
Join
