Due to public holidays in Germany until April the 1st, there will be delays in the processing of tickets. Thank you for your understanding.

Enabling Secure Network Communication (SNC) via X.509 certificate

About this approach

The following article describes how an SNC connection to an SAP source system can be established with the Xtract products.

A workflow with X.509 certificate is used as the basis, which provides the logon data of the Windows AD user. The correctness of this X.509 certificate is ensured via the company’s internal certification authority (ca).

Workflow

  1. Upon connection start, the Secure Login Client retrieves the SNC name from the SAP NetWeaver AS ABAP.
  2. The Secure Login Client uses the authentication profile for this SNC name.
  3. The user unlocks the security token, for example, by entering the PIN or password.
  4. The Secure Login Client receives the X.509 certificate from the user security token.
  5. The Secure Login Client provides the X.509 certificate for single sign-on and secure communication between SAP GUI or Web GUI and the AS ABAP.
  6. The user is authenticated, and the communication is secured.

Tip: The necessary configuration of the X.509 certificate should be implemented by the network & SAP Basis team and requires basic knowledge in this area

Requirements 

The following system settings are a prerequisite for using this SNC solution:

  • Installed Secure Login Client.
  • The SAP application server is configured and activated for Secure Network Communication (SNC).
  • The SNC standard library sapcryptolib is used as the SNC solution.
  • The following SNC parameters are configured as mentioned.
SNC parameter Value Example
snc/gssapi_lib Path and file name where the SAP Cryptographic Library is located. $(DIR_EXECUTABLE)\sapcrypto.dll
snc/identity/as Application server’s SNC name Syntax: p:<Distinguished_Name>
The Distinguished Name part must match the Distinguished Name that you specify when creating the SNC PSE.
p:CN=saperp.theobald.local

Step-by-Step Guide 

  • Generate certificate for the application server and AD-user context from common Certificate Authority (ca).



Note X.509 certificate will be available when placed in folder Certmgr > Personal > Certificates within Windows certificate store (user).

  •  Convert pfx file to SAP PSE format e.g., sapgenpse.exe import_p12 -p cert.pse cert.pfx.
  • Import the created PSE file via TA STRUST > Edit mode > PSE Import > PSE Save as SNC Libcrypto
  • Edit the SNC configuration of the corresponding SAP user via transaction SU01 (1), SNC (2), SNC Name (3) = p:<Full Distinguished_Name> e.g., p:EMAIL="RandomUser@domain",CN="Random User",OU="Users",OU="TheobaldSoftware",DC="theobald",DC="local"


Creation date: 4/12/2022 8:28 AM      Updated: 6/6/2022 8:11 PM