SAP SNC Connector

cloud-related topic

The SAP SNC Connector lets you configure SaaS RunMyJobs environments for SAP SNC Connections. This lets you connect the SaaS central RunMyJobs server to your SAP systems. You must configure the spool host on the Platform Agent side to retrieve output files.

For on-premises RunMyJobs deployments, see Configuring SNC.

Name Description Availability
REDWOOD_SAPSNC_Tooling Maintaining SNC configurations in SaaS environments. On request from Redwood Support.

Prerequisites

The following is required to be able to activate SNC connections.

Requirement Section
SNC enabled in Target SAP System(s) See Initialize SNC in SAP System
SNC Certificate(s) of Target SAP Systems(s) See Extract SNC certificate of SAP System
Technical SAP User to be used See SAP User
  • Administrative privileges on the central RunMyJobs server.
  • OS User running spool host.
  • SAP Cryptographic library.

For x86_64 GNU/Linux (cloud) and your spool host platform.

Contents

Object Type Name Description
Folder REDWOOD.CUS_FCA.REDWOOD.CUS_FCA_SAP.REDWOOD.CUS_FCA_SAP_SNC SAP SNC Tooling
Job Definition REDWOOD.CUS_FCA_SAP_SNC_Tooling SAP SNC: Tooling
Library REDWOOD.Custom_Redwood_SAPSNC Redwood library for SAP SNC

Redwood_SAPSNC_Tooling

Provides tooling to upload / download SAP SNC related information.

Parameters

Name Description Documentation Data Type Direction Default Expression Values
ACTION Action to perform

String In

GL=Get Startup logfile
UL=Upload zip file with SAP Crypto library
UC=Upload SAP Target System certificate
DC=Download the current SAP Target System certificates
RC=Remove a target SAP certificate
RL=Remove SNC
DP=Download PSE file
PC=Download PSE certificate
UP=Upload the PSE
US=Upload cred_v2
FORCE Force pre/post actions

String In

X
FILE Upload File

File In

NAME Name of SAP certificate

String In

  • UL: Once you have prepared a ZIP file according to the procedure outlined below, you upload it.
  • UC: Uploads the certificate for the SAP server so that the server is trusted.
  • DC: Downloads the server certificate to allow you to make sure it is correct.
  • RC: Removes the server certificate. You will have to upload a new certificate or you will not be able to use SNC with the target SAP system as the system will not be trusted.
  • RL: Removes the SAP Crypto library.
  • DP: Downloads the PSE files used for SAP SNC.
  • PC: Downloads the client certificate used for authentication.

Note: The Job Definition does NOT support SAP sar files. You must follow the steps in Upload the SAP Cryptographic Library to the Cloud.

Configure RunMyJobs for SNC

The PSE file can be created automatically or you can provide your own PSE file.

Prerequisites

  • SAP Crypto library for x86_64.
  • SAP CAR program for your desktop platform to extract the SAP cryptographic library.
  • SNC tooling CAR file from Redwood.
    • CAR file needs to be imported.

Upload the SAP Cryptographic Library to the Cloud

  1. Use sapcar to extract the SAP Cryptographic library:
    sapcar -xvf SAPCRYPTOLIBP _<version>-<date>.sar -R <destination_path>.
  2. Zip the files in <destination_path>. No directories are allowed in the ZIP file.
  3. Run the REDWOOD_SAPSNC_Tooling Job Definition.
  4. Choose UL – Upload zip file with SAP Crypto library in the Parameter Action to perform.
  5. Click Browse and navigate to the ZIP file containing the libraries.
  6. Click Run.

Upload the SAP Target System Certificate

Retrieve the certificate of the SAP and upload it to the cloud environment. See Extract SNC certificate of SAP System for instructions. This needs to be done for each SAP System that is connected using SNC. The certificate must have a crt extension.

  1. Run the REDWOOD_SAPSNC_Tooling Job Definition.
  2. Choose UC – Upload SAP Target System certificate in parameter Action to perform.
  3. Click Browse and navigate to the certificate.
  4. Click Run.

Note: The RunMyJobs instance must be restarted after this step.

Download the RunMyJobs Certificate

  1. Run the REDWOOD_SAPSNC_Tooling Job Definition.
  2. Choose PC – Download PSE certificate in parameter Action to perform.
  3. Click Submit Summary.
  4. Choose Monitor process <process_id>.
  5. When the Job has completed, the certificate will be available in the Detail View under Files.

Prepare Target SAP for RunMyJobs SNC connection

Start transaction STRUST and double-click SNC SAP Cryptolib. Enter the PSE password. If no password is defined, set one.

Switch to change mode.

  1. Import the RunMyJobs certificate.
  2. Click Add to Certificate List and save the changes.

Update Target SAP System Connect String

Once SNC have been enabled on the SAP system, you can update the SAP system connect string with the additional parameters for SNC. If you have not enabled SNC on the SAP application server, follow the instructions in Initialize SNC in SAP System to do so.

Parameter Description Mandatory
SNC_MODE=1 Activates SNC for the connection. <span title="Mandatory">✓</span>
SNC_PARTNERNAME="p[/krb5]:<name>"
SNC_PARTNERNAME="p[/secude]:<name>" 		Defines the target SAP systems DN (secude) or Kerberos name (krb5). <span title="Mandatory">✓</span>
SNC_SSO=1 Enable SSO (default). <span title="Optional">-</span>
SNC_QOP=3 Defines how secure the connection is 1=Auth only, 3=Integrity, 3=Privacy, 8=Default, 9=Maximum. <span title="Optional">-</span>
SNC_MYNAME="p[/krb5]:<name>"
SNC_MYNAME="p[/secude]:<name>" 		Defines the DN (secude) or Kerberos name (krb5) of the PSE to use. <span title="Optional">-</span>

Upload Your Own PSE file

Use the action UP in the SNC Tooling to upload your own PSE file into the cloud.

  1. Run the REDWOOD_SAPSNC_Tooling Job Definition.
  2. Choose UP – Upload the PSE in Parameter Action to perform.
  3. Click Browse and navigate to the PSE file.
  4. Click Run.

Note: The PSE file should NOT have a PIN defined to allow access.

Upload Your Own cred_v2 file

Use the action US in the SNC Tooling to upload your own cred_v2 file into the cloud.

  1. Run the REDWOOD_SAPSNC_Tooling Job Definition.
  2. Choose US – Upload cred_v2 in parameter Action to perform.
  3. Click Browse and navigate to the cred_v2 file.
  4. Click Run.

Note: The user Redwood should be able to gain access to the PSE.

What SNC Commands are Executed at Instance Startup?

When the instance is started, the environment required for SNC is defined. With this environment set, the following sappsegen commands are executed:

  • If no PSE file is found:
    • gen_pse: PSE file is created with a DN (created from URL).
  • support_info: Details of the existing PSE.
  • seclogin: Add security for the current user.
  • export_own_cert: Create the certificate for the PSE file.
  • For each uploaded target SAP certificate:
    • maintain_pk: Add certificate to PSE.
  • maintain_pk: List all stored certificates.

The output from the commands is contained in the startup.log file, which can be downloaded using the SNC Tooling action GL.

Spool Host Platform Agent

The spool host Platform Agent needs environment variables setup and the CryptoLib, PSE / cred_v2 files from your RunMyJobs instance to be able to access the correct SNC information.

Note: For SNC on UNIX the UUID daemon must be active. For more information see SAP Note 1391070.

**** Trace file opened at 2023-01-01, 08:45:45 GMT
RFC library: 753, Current working directory /data/redwood/agent, Program: jrfc
Hardware AMD/Intel x86_64 with Linux x86_64, Operating_system: Linux 7.12.13-155.89-default, Kernel_release: 753 patchlevel 99
Hostname: pr1.example.local, IP address: 1.2.3.4, IP address_v6: 64:ff9b::1.2.3.4

ERROR The UUID daemon (uuid) is not active.

Please ask your system administrator to activate
uuid according to SAP note 1391070.
  • SAP Crypto software for the target platform:
    • Copy to ${InstallDir}/saplibs/.
  • SAP NW RFC SDK:
    • Copy to ${InstallDir}/saplibs/.
  • Directory that will contain the PSE file:
    • Create ${InstallDir}/sapsec/.
  • Environment variables:
    • Define in {InstallDir}/etc/startup/default/environment:
      • SECUDIR pointing to the PSE file directory (${InstallDir}/sapsec).
      • SNC_LIB pointing to sapcrypto library (Linux).
  • SNC_LIB = ${InstallDir}/saplibs/<library>.
  • <library> = sapcrypto.dll (Windows) libsapcrypto.so (linux/UNIX).

Note: It is also possible to define the environment variables in the following places:

  • Globally in /etc/profile.d.
  • In the Service at /etc/system.d/system/<service>.service.d.

Setting the environment in the user environment is not sufficient for the spool host.

Download the PSE Files

  1. Run the REDWOOD_SAPSNC_Tooling Job Definition.
  2. Choose DP – Download PSE file in parameter Action to perform.
  3. Click Submit Summary on the left-hand side.
  4. Check the Job in the Monitor screen. The file will be available under Files in the Detail View.
  5. Unzip the file into the ${InstallDir}/sapsec directory.

Create Secure Login File

Execute sapgenpse to allow the OS user access to the PSE file.

Windows / Unix:

sapgenpse seclogin-v -p <PSE file> -O <OS User>

Extract SNC Certificate of SAP System

To extract the SNC certificate of an SAP system:

  1. Start transaction STRUST and double-click SNC SAPCryptolib. Enter the PSE password. If no password is defined, set it.

  2. Double-click on the owner subject. The certificate is now shown.

    Image displaying certificate details.

  3. Switch to Change mode and export the certificate in Base64 format.

SAP User

In transaction SU01, the SNC tab needs to be filled in. If the tab does not exist, SNC is not activated on the system.

Image showing a User's SNC settings

The SNC name uses the syntax <type>[/<tech>]:<name>, where:

  • <type> is one of the following:
    • p: Printable name.
    • s: service@host name.
    • u: User name.
  • <tech>: (optional, defaults to active tech) is one of the following:
    • krb5: Kerberos name.
    • secude: X.500 name.
    • sapntlm: NTMSSP name (Windows, only).
  • <name> is one of the folloing:
    • Kerberos name such as jdoe@example.local.
    • X.500 name such as CN=John Doe, OU=Administrators, O=Example, C=DE.
    • NTMSSP name such as Example\jdoe.

If the user needs to be connected to more than one PSE, then the additional DNs need to be defined in the table USRACLEXT. See Maintaining SNC Information for Non-Dialog Users for more information.

Initialize SNC in SAP System

Redwood recommends using secude printable names as SNC name, such as p[/secude]:CN=John Doe, OU=Administrators, O=Example, C=DE.

Prerequisite

  • sapcrypto library must have been installed on the SAP server.

See Central Note for SNC Client Encryption 2.0 for more information.

Procedure

  1. Start transaction STRUST and choose Change.

    Image showing transaction STRUST in Change mode

  2. Use context menu "Create" and provide the required information.

    Image showing the Replace PSE dialog

  3. Select the SNC row (double click) and set a password.

SNC Requirements

snc/enable= 1
snc/gssapi_lib = $(DIR_EXECUTABLE)\sapcrypto.dll
snc/identity/as= p:CN=TNW, OU=Administrators, O=Example, C=NL
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_r3int_rfc= 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1

Restart the SAP system after these changes.

Testing RFC Connection from Agent

The startrfc executable in the NW RFC SDK can be used to do a connection test. For SNC it requires a sapnwrfc.ini file containing the connection information.

DEST=PR1
ASHOST=pr1.example.local
SYSNR=00
CLIENT=000
USER=ED
PASSWD=xxx
LANG=EN
NO_COMPRESSION=1
TRACE=2
SNC_MODE=1
SNC_SSO=1
SNC_PARTNERNAME=p/secude:CN=PRD, O=Example, C=SE
startrfc -v

NM RFC Library Version: 750 Patch Level 9
Compiler Version:
180040665 (VVRRPPPPPP. Microsoft C/C++ Compiler)
Startrfc Version: 2023-01-01

Note: If you do not get output, then the library cannot be reached (check the path).

startrfc -D PR1 -t -i

SAP System ID: PR1
SAP System Number: 00
Partner Host: pr1.example.local
Own Host: dsk.example.local
Partner System Release: 740
[...]

Checklist for SNC connections

OS Level

Action Checked
Determine the OS user under which RunMyJobs or spool host is executed.

Check Environment of OS user for correct SECUDIR, SNC_LIB, SNC_LIB_64 environment settings.

Check Crypto Library can be used using sapgenpse support_info or sapgenpse cryptinfo

Check PSE file is accessible using sapgenpse show -f <pse file>

Check SSO credentials are available using sapgenpse seclogin -l -O <os user>

Check PSE file contains target SAP system certificates using sapgenpse maintain_pk -l

Target SAP Level

Action Checked
Check that the SNC profile parameters are set correctly in RZ10/RZ11

Check that RunMyJobs certificate is stored in STRUST under SNC SAPCryptolib

Check that the RFC User to be used, contains the correct SNC name using SU01

RunMyJobs Level

Action Checked
Check the SAP System connect string. Only specify the minimal number of parameters required as this reduces error checking. Example SNC_MYNAME is only required if multiple PSE are defined and used.

If a spool host is used, check that the retrieval of SAP spools is working