Contact Us 1-800-596-4880

Configuring an SAP Secure Network Communication Connection

Configure an SAP Secure Network Communication (SNC) to take advantage of security features such as secure data communication between the SAP system client and server, application-level end-to-end security, and the ability to change security products without impacting your SAP business applications. Enabling SNC requires you to configure the client environment, the SAP server, and Anypoint Connector for SAP (SAP Connector).

Before You Begin

To configure an SAP SNC, you must have access to:

  • The SAP GUI application. To install this client, Java must already be installed on your machine. Then, download the installer for your OS from SAP.

  • The SAPCAR utility and SAP Cryptographic Library, which you can download from the SAP Support Portal, if you are an S-user

  • An SAP ECC instance that can use SNC system variables

  • The following transactions:

    • STRUST (Trust Manager)

    • SM30 (Table Maintenance)

Configure the Client Environment

Configure the system variables that depend on the operating system you are using, and generate the personal security environment (PSE):

  1. Open the Windows command line or Mac Terminal app.

  2. Use the SAPCAR utility to unpack the SAP Cryptographic Library to the specified folder:

    SAPCAR –xvf <folder-name.SAR>

  3. Configure the following environment variables:

    • SNC_LIB: <path_to_library>\sapcrypto.dll

    • SECUDIR: <path_to_library>

    • LD_LIBRARY_PATH: <path_to_library>\sapcrypto.dll

    • SSF_LIBRARY_PATH: <path_to_library>\sapcrypto.dll

      For Windows, the sapcrypto.dll 64-bit version must be in a different path and added to a new variable called SNC_LIB_64:

      Windows variable SNC_LIB_64
  4. Use the sapgenpse tool to create the PSE:

    sapgenpse gen_pse -v -p RFC.pse

    When you run this command, you must enter a PIN to use later and a distinguished name, which must be unique. For example, you can enter a distinguished name like this:

    CN=RFC, C=AR, O=YourCompany, OU=IT

    You can use STRUST to see names that are already in use.

  5. Use the sapgenpse tool to create the cred_v2 file, which stores the credentials for accessing the PSE:

    sapgenpse seclogin -p RFC -O <user-credentials>

  6. Use the sapgenpse tool to export the client’s certificate from the PSE:

    sapgenpse <export_own_cert> –v –p RFC –o RFC_MULE.crt

Configure the SAP Server

Configure the certificates and tables that authorize you to use SNC with your distinguished name. To configure the SAP server:

  1. View the SAP distinguished name and certificates.

  2. Link the SAP certificate to your certificate.

  3. Authorize the SNC client in SAP.

View the SAP Distinguished Name and Certificates

View the SAP distinguished name and list of certificates:

  1. Log in to the SAP GUI and enter the strust transaction.

  2. Select the SNC SAPCryptolib folder in the left pane.

    The SAP distinguished name and certificate list are displayed.

Download the SAP instance certificate and link it to your certificate:

  1. Click the glasses icon (first icon on the left of the screen) to enable the edition mode, and then double click CN=SL-ABAP-IDP.

  2. Click the download button at the bottom of the screen and enter the target path for the download.

  3. Click the import icon and enter the target path to upload your certificate.

  4. Click Add to Certificate List and then click the save icon.

  5. Open a command-line interface or terminal window and use the sapgenpse tool to link your certificate to your PSE:

    sapgenpse maintain_pk -v -a <name_of_SAP_Server_Certificate.crt> -p <name_of_your_PSE.pse>

    The following example links a certificate named IDE.crt to a PSE named RFC.pse:

    Link `IDE.crt` to `RFC.pse`

Authorize the SNC Client in SAP

Add a new entry to the VSNCSYSACL view to enable your distinguished name to use SNC:

  1. In the SAP GUI, navigate to the SM30 transaction and enter VSNCSYSACL as the view name.

  2. Click Maintain.

  3. Select E as the work area.

  4. In the System ID field, enter the SAP ID.

  5. In the SNC name field, enter your distinguished name:

    p:<your-distinguished-name>

  6. Select all of the checkboxes to activate the entries.

  7. Click the save icon.

    • If the server accepts the SNC name, it displays a Canonical Name Determined message in the SNC data box.

    • If the server does not accept the SNC name, check that the name used on the PSE file is the same as the name used on the Mule app and the name listed on STRUST.

  8. Enable the SAP user for the Mule app so the app can use the SNC connection type:

    1. Navigate to the SM30 transaction, specify the VUSREXTID view, and click Maintain.

    2. In the External ID type field, select DN as the work area.

    3. In the External ID field, enter the distinguished name.

    4. In the User field, enter the SAP username.

    5. Select Activated.

    6. Click the save icon.

Configure SAP Connector

Configure SAP Connector to enable SNC:

  1. Access Anypoint Studio.

  2. Select SAP in the Studio canvas.

  3. Click the plus sign (+) next to the Connector configuration field to access the global element configuration fields.

  4. Configure the connection type.

    For a simple connection, follow these steps:

    1. In the Connection field, select Simple connection provider.

    2. On the General tab, configure these fields:

      • Username

      • Password

      • SAP system number

      • SAP client ID

      • Application server host

    3. On the Advanced tab, configure extended properties.

    For an X.509 certificate connection, follow these steps:

    1. In the Connection field, select Certificate.

    2. On the General tab, configure these fields:

      • X.509 Certificate (not base64 encoded)

      • Sap client ID

      • Application server host

    3. On the Advanced tab, configure the extended properties.

SAP Server-Side Extended Properties Example:

The following table shows example values for the server-side extended properties:

Property Example Value

jco.server.snc_mode

1

jco.server.snc_partnername

p:CN=SL-ABAP-IDP

jco.server.snc_qop

8

jco.server.snc_myname

p:CN=MVIDP, C=AR, O=MuleSoft, OU=IT

jco.server.snc_lib

C:/SNC/64bit/sapcrypto.dll

SAP Client Side Extended Properties Example

The following table shows example values for the client side extended properties:

Property Example Value

jco.client.snc_mode

1

jco.client.snc_partnername

p:CN=SL-ABAP-IDP

jco.client.snc_qop

8

jco.client.snc_myname

p:CN=MVIDP, C=AR, O=MuleSoft, OU=IT

jco.client.snc_lib

C:/SNC/64bit/sapcrypto.dll

jco.client.x509cert

ABCD12EFG

View on GitHub