Contact Us 1-800-596-4880
  1. Homepage
  2. SAP Connector (5.9)

  3. Configuring an SAP Secure Network Communication Connection with Certificate

All Connectors

Configuring an SAP Secure Network Communication Connection with Certificate

Configure an SAP Secure Network Communication (SNC) with certificate to take advantage of security features such as secure data communication between the SAP system client and server, application-level end-to-end security, and the ability to change security products without impacting your SAP business applications. Enabling SNC with certificate requires you to configure the client environment, the SAP server, and Anypoint Connector for SAP (SAP Connector).

Before You Begin

To configure an SAP SNC with certificate, you must have access to:

  • The SAP GUI application. To install this client, Java must already be installed on your machine. Then, download the installer for your OS from SAP.

  • The SAPCAR utility and SAP Cryptographic Library, which you can download from the SAP Support Portal, if you are an S-user

  • An SAP ECC instance that can use SNC system variables

  • The following transactions:

    • STRUST (Trust Manager)

    • SM30 (Table Maintenance)

Configure the Client Environment

Configure the system variables that depend on the operating system you are using, and generate the personal security environment (PSE):

  1. Open the Windows command line or Mac Terminal app.

  2. Use the SAPCAR utility to unpack the SAP Cryptographic Library to the specified folder:

    SAPCAR –xvf <folder-name.SAR>

  3. Configure the following environment variables:

    • SNC_LIB: <path_to_library>\sapcrypto.dll

    • SECUDIR: <path_to_library>

    • LD_LIBRARY_PATH: <path_to_library>\sapcrypto.dll

    • SSF_LIBRARY_PATH: <path_to_library>\sapcrypto.dll

      For Windows, the sapcrypto.dll 64-bit version must be in a different path and added to a new variable called SNC_LIB_64:

      Windows variable SNC_LIB_64

  4. Use the sapgenpse tool to create the PSE:

    sapgenpse gen_pse -v -p RFC.pse

    When you run this command, you must enter a PIN to use later and a distinguished name, which must be unique. For example, you can enter a distinguished name like this:

    CN=RFC, C=AR, O=YourCompany, OU=IT

    You can use STRUST to see names that are already in use.

  5. Use the sapgenpse tool to create the cred_v2 file, which stores the credentials for accessing the PSE:

    sapgenpse seclogin -p RFC -O <user-credentials>

  6. Use the sapgenpse tool to export the client’s certificate from the PSE:

    sapgenpse <export_own_cert> –v –p RFC –o RFC_MULE.crt

Configure the Client Environment When Deploying in CloudHub 2.0 or Runtime Fabric

In SAP Connector 5.9.5 and later, an application that uses the Certificate connection type can be deployed in CloudHub 2.0 or Runtime Fabric. SAP Connector has an embedded installer that sets up the Personal Security Environment (PSE).

You must first create your application:

  1. Open Anypoint Studio.

  2. Navigate to the src/main/resources folder of your application.

  3. In the src/main/resources folder, create a folder named sec.

    SAP resources sec folder structure

  4. Add the following files to the sec folder:

    • libsapcrypto.so

      Linux version of the SAP CommonCryptoLib

    • sapgenpse

      Linux version of the SAP command line tool that manages PSE files

    • RFC.pse

      File that you created in the previous step

  5. Because CloudHub 2.0 runs on Linux machines, ensure that any dependency of the application is compiled for Linux, including com.sap.conn.jco:libsapjco3.

  6. Save the application and export the jar file used for CloudHub 2.0 deployment.

You must then import the created application in CloudHub 2.0 or Runtime Fabric:

  1. Log in to your Anypoint Platform account and navigate to Runtime Manager.

  2. Click Deploy Application.

  3. In Application Name, enter a name for the application, for example, cert-ch2.

  4. In Deployment Target, select CloudHub 2.0 or Runtime Fabric if it is not selected already.

  5. Click Choose File and upload your jar file.

  6. In the Properties tab, add the following:

    Property Example Value Description

    secFilesCopy

    true

    If true, triggers the embedded installer.

    sourceSecFolder

    /opt/mule/apps/my-app-name/sec/

    Location of the resources/sec folder in CloudHub 2.0 or Runtime Fabric. Replace the name of the application to match your scenario.

    targetSecFolder

    /tmp/sec/

    Leave this value hardcoded.

    pseFile

    RFC

    Name of the PSE file, without an extension.

    psePassword

    Your PSE file password

    PSE file password. Click the Protect button next to this property to hide its content.

    osUsername

    app

    Default CloudHub 2.0 username that is used to create the cred_v2 file. You can omit this property, in which case the connector automatically figures it out.

  7. Click Start to run the application.

When using the embedded installer, you must reference the CommonCryptoLib library in the SAP Connector Config properties with the proper path.
Property Example Value Description

jco.client.snc_lib

${app.home}/sec/libsapcrypto.so

Location of the SAP CommonCryptoLib. The library configured through this property is used by the connector operations. Depending on the operating system you may have to use other libraries, for example, the CloudHub 2.0 operating system is Linux based.

jco.server.snc_lib

${app.home}/sec/libsapcrypto.so

Location of the SAP CommonCryptoLib. The library configured through this property is used by the connector sources. Depending on the operating system you may have to use other libraries, for example, the CloudHub 2.0 operating system is Linux based.

Configure the SAP Server

Configure the certificates and tables that authorize you to use SNC with your distinguished name. To configure the SAP server:

  1. View the SAP distinguished name and certificates.

  2. Link the SAP certificate to your certificate.

  3. Authorize the SNC client in SAP.

View the SAP Distinguished Name and Certificates

View the SAP distinguished name and list of certificates:

  1. Log in to the SAP GUI and enter the strust transaction.

  2. Select the SNC SAPCryptolib folder in the left pane.

    The SAP distinguished name and certificate list are displayed.

Download the SAP instance certificate and link it to your certificate:

  1. Click the glasses icon (first icon on the left of the screen) to enable the edition mode, and then double click CN=SL-ABAP-IDP.

  2. Click the download button at the bottom of the screen and enter the target path for the download.

  3. Click the import icon and enter the target path to upload your certificate.

  4. Click Add to Certificate List and then click the save icon.

  5. Open a command-line interface or terminal window and use the sapgenpse tool to link your certificate to your PSE:

    sapgenpse maintain_pk -v -a <name_of_SAP_Server_Certificate.crt> -p <name_of_your_PSE.pse>

    The following example links a certificate named IDE.crt to a PSE named RFC.pse:

    Terminal window for linking IDE.crt to RFC.pse

Authorize the SNC Client in SAP

Add a new entry to the VSNCSYSACL view to enable your distinguished name to use SNC:

  1. In the SAP GUI, navigate to the SM30 transaction and enter VSNCSYSACL as the view name.

  2. Click Maintain.

  3. Select E as the work area.

  4. In the System ID field, enter the SAP ID.

  5. In the SNC name field, enter your distinguished name:

    p:<your-distinguished-name>

  6. Select all of the checkboxes to activate the entries.

  7. Click the save icon.

    • If the server accepts the SNC name, it displays a Canonical Name Determined message in the SNC data box.

    • If the server does not accept the SNC name, check that the name used on the PSE file is the same as the name used on the Mule app and the name listed on STRUST.

  8. Enable the SAP user for the Mule app so the app can use the SNC connection type:

    1. Navigate to the SM30 transaction, specify the VUSREXTID view, and click Maintain.

    2. In the External ID type field, select DN as the work area.

    3. In the External ID field, enter the distinguished name.

    4. In the User field, enter the SAP username.

    5. Select Activated.

    6. Click the save icon.

Configure SAP Connector

Configure SAP Connector to enable SNC with certificate:

  1. Access Anypoint Studio.

  2. Select SAP in the Studio canvas.

  3. Click the plus sign (+) next to the Connector configuration field to access the global element configuration fields.

  4. Configure the X.509 certificate connection:

    1. In the Connection field, select Certificate.

    2. On the General tab, configure these fields:

      • X.509 Certificate (not base64 encoded)

      • Sap client ID

      • Application server host

    3. On the Advanced tab, configure the extended properties.

SAP Server-Side Extended Properties Example:

The following table shows example values for the server-side extended properties:

Property Example Value

jco.server.snc_mode

1

jco.server.snc_partnername

p:CN=SL-ABAP-IDP

jco.server.snc_qop

8

jco.server.snc_myname

p:CN=MVIDP, C=AR, O=MuleSoft, OU=IT

jco.server.snc_lib

C:/SNC/64bit/sapcrypto.dll

SAP Client Side Extended Properties Example

The following table shows example values for the client side extended properties:

Property Example Value

jco.client.snc_mode

1

jco.client.snc_partnername

p:CN=SL-ABAP-IDP

jco.client.snc_qop

8

jco.client.snc_myname

p:CN=MVIDP, C=AR, O=MuleSoft, OU=IT

jco.client.snc_lib

C:/SNC/64bit/sapcrypto.dll

jco.client.x509cert

ABCD12EFG

See also

Back to top
View on GitHub