35 Replies. Latest reply: Jul 4, 2013 8:44 AM by Patrick Hildenbrand

Import of SAP Server Certificate in SNC X.509 method

Deepak Chittora

Hello,

 

We are in the process of implementing SAP NW SSO for SAP GUI with SAP ECC systems.

As per the Secure Login Library Guide, we have extracted the Secure Login Library file in the desired location and set the profile parameters as mentioned in the Guide.

Now we are configuring the SNC X.509 configuration, and it says to import the SAP Server Certificate using Tx: STRUST.

As for where to get the SAP Server Certificate: we have created a PSE using Tx: STRUST, which appears at OS level in the structure /usr/sap/SID/DVEBMGS<>/sec.

We are stuck in this step; we are not able to import the SAP Server Certificate.

After the completion of the X.509 certificate, we would be going ahead with the SNC Kerberos configuration.

Please provide suggestions and inputs.

 

Regards,
Deepak

  • Re: Import of SAP Server Certificate in SNC X.509 method
    Mohammed shanser nasser

    Hi Deepak,

     

    Have a look at the Secure Login Server guide.

    You will find what you're looking for in the certificate management section.

     

    I suggest you read all 3 guides in conjunction to have a better understanding of this product.

    Secure Login Server

    Secure Login Library

    Secure Login Client

     

    Regards,

    Shanser

  • Re: Import of SAP Server Certificate in SNC X.509 method
    Matthias Kaempfer

    Did you check the step-by-step guide?

    https://scn.sap.com/docs/DOC-29687

     

    Perhaps this helps.

     

    Regards

    Matthias

  • Re: Import of SAP Server Certificate in SNC X.509 method
    Deepak Chittora

    Hi Matthias,

     

    Thanks for the information and guide mentioned by you.

     

    I am following the Secure Login Library Guide; as mentioned in the guide, we have finished:

    1. Secure Login Library installation

    2. Enable Secure Login parameters

    3. We have also created the PSE file using the command

    snc crtpse -x <PSE_management_password>

    After that we copied the PSE file generated by the above command to our desktop, and we are trying to import the PSE with Tx: STRUST.

    But in the process the PSE is not getting imported, and after providing the password it gives an error saying "Cannot Load PSE" (even though the password is the same as what was given while creating the PSE).

    Any suggestions?

     

    Regards,
    Deepak

    • Re: Import of SAP Server Certificate in SNC X.509 method
      Matthias Kaempfer

      Are you using Secure Login Library or SAP Cryptolib on the SAP system side?

       

      Regards

      Matthias

      • Re: Import of SAP Server Certificate in SNC X.509 method
        Deepak Chittora

        We are using Secure Login Library; we have unpacked the Secure Login Library SCA file under the structure /usr/sap/<SID>/DV*/SLL, and from there we are using snc.

         

        Regards,
        Deepak

        • Re: Import of SAP Server Certificate in SNC X.509 method
          Matthias Kaempfer

          STRUST and SSL still need SAPCRYPTOLIB. This will be changed, but until today this is the case.

          Is SAPCRYPTOLIB still configured on the SAP system?

           

          Regards

          Matthias

          • Re: Import of SAP Server Certificate in SNC X.509 method
            Deepak Chittora

            Yes SAPCRYPTOLIB is installed on the SAP System.

             

            When I check the logs of the work directory after the error, it says:

            krn_SsfV2_para_GetProfile: SsfOpenProfile failed with rc=24

            N  *** ERROR => <== krn_SsfV2_para_GetProfile()==208 (SSF_KRN_INPUT_DATA_ERROR) SsfOpenProfile failed [ssfxxkrn.c   1540]

            N  *** ERROR => <== krn_Ssf_GetOwnCertificate()==208 (SSF_KRN_INPUT_DATA_ERROR)  [ssfxxkrn.c   1540]

             

             

            Regards,

            Deepak

            • Re: Import of SAP Server Certificate in SNC X.509 method
              Matthias Kaempfer

              So your problem is that the STRUST transaction is not working, right? Because of that I think that you have an issue with SAPCRYPTOLIB, but I am not sure.

              Transaction STRUST -> menu -> Environment -> Display SSF Version

              What do you see here? Any entry with SAPCRYPTOLIB version XXXX? If not -> the environment is perhaps wrong.

              You can get help on this also via SAP support (if nobody else has an idea) -> component BC-IAM-SL

              Sorry, I don't have a better idea at the moment.

              Matthias

              • Re: Import of SAP Server Certificate in SNC X.509 method
                Deepak Chittora

                Hi Matthias,

                 

                we can see the below entry in the location specified by you.

                SSFLIB Version 1.555.34;SAP CRYPTOLIB Version
                5.5.5pl34 # Copyright (c) SAP AG     , 2011-2012 # installed with sapcryto release tag =<>

                That means SAPCRYPTO is installed.

                Yesterday I also installed Secure Login Client, but I see one entry for Kerberos Token and one for Microsoft Certificate Store (certificate expired). How does this have to be taken care of for choosing the default SAP login?

                In the earlier document we saw a Secure Login Server entry as default, but we do not have Secure Login Server.

                 

                Regards,

                Deepak

                • Re: Import of SAP Server Certificate in SNC X.509 method
                  Frane Milicevic

                  Hi Deepak,

                   

                  I would like to provide some configuration hints / a checklist.

                  Target

                  Import the X.509 AS ABAP server certificate for SNC using transaction STRUST.

                  Preconditions

                  1. SAPCRYPTOLIB must be installed
                    Copy sapcryptolib.dll and sapgenpse.exe (for Windows OS) to the "..\exe" folder (e.g. D:\usr\sap\<SID>\DVEBMGSxx\exe\).
                    Copy the file ticket to the "..\sec" folder (e.g. D:\usr\sap\<SID>\DVEBMGSxx\sec\).
                    Set the environment variable SECUDIR to the "..\sec" folder (e.g. D:\usr\sap\<SID>\DVEBMGSxx\sec\).
                  2. In order to enable STRUST you need to configure the following instance profile parameters (transaction RZ10):
                    sec/libsapsecu = <path to the SAPCRYPTOLIB library file> (e.g. D:\usr\sap\<SID>\DVEBMGSxx\exe\sapcrypto.dll)
                    ssf/name = SAPSECULIB
                    ssf/ssfapi_lib = <path to the SAPCRYPTOLIB library file> (e.g. D:\usr\sap\<SID>\DVEBMGSxx\exe\sapcrypto.dll)
                  3. In order to enable SNC you need to configure the SNC instance profile parameters (transaction RZ10). Please keep in mind that the parameter snc/identity/as defines the distinguished name (certificate name) of the SAP AS ABAP server for SNC.
                    So if you already have an SNC certificate, please define the correct name here.
                    The background is that STRUST will verify this parameter (certificate name) before it imports the certificate.

                  How-To import X.509 certificate for SNC

                  1. Start transaction STRUST
                    You should see a list of entries here like:
                    [screenshot: Capture.JPG]
                    If you only see System PSE --> SAPCRYPTOLIB is not installed correctly.
                  2. Choose in menu PSE --> Import and choose your *.pse file (SAP AS ABAP SNC certificate). Maybe you will be asked for the password (the *.pse file is protected).
                  3. Choose in menu PSE --> Save as and choose SNC SAPCryptolib.
                    Please keep in mind the certificate name will be checked against the information in the instance profile parameter snc/identity/as.
                  4. Save the configuration. Set the instance profile parameter snc/enable = 1 and restart the SAP AS ABAP server.

                  I hope this helps.

                   

                  Regards,

                  Frane
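Preconditions 2 and 3 of the checklist above are instance profile parameters, and a missing or inconsistent one only shows up later, inside STRUST. The script below, an added example and not code from the post, parses an instance profile and reports which of those parameters are missing or inconsistent before anyone restarts the instance. Both sample profiles are constructed; the Linux paths and the realm EXAMPLE.COM are placeholders; snc/gssapi_lib and the "p:" prefix on snc/identity/as are assumptions about an SLL-based SNC setup that the post itself does not mention.

```python
"""Check an AS ABAP instance profile for the STRUST/SNC parameters from
Frane's checklist.  Added example, not code from the original post.  The
sample profiles are constructed; paths and realm are placeholders, and
snc/gssapi_lib plus the 'p:' prefix of snc/identity/as are assumptions
about an SLL-based setup, not statements taken from the post."""

# Parameters precondition 2 names (needed before STRUST works at all).
REQUIRED_SSF = ("sec/libsapsecu", "ssf/name", "ssf/ssfapi_lib")

# Constructed sample: every parameter from the checklist present and consistent.
GOOD_PROFILE = """\
# constructed sample instance profile (Linux paths are placeholders)
sec/libsapsecu = /usr/sap/SID/DVEBMGS00/exe/libsapcrypto.so
ssf/name = SAPSECULIB
ssf/ssfapi_lib = /usr/sap/SID/DVEBMGS00/exe/libsapcrypto.so
snc/gssapi_lib = /usr/sap/SID/DVEBMGS00/SLL/libsecgss.so
snc/identity/as = p:CN=SAP/KerberosSID@EXAMPLE.COM
snc/enable = 1
"""

# Constructed sample: SSF library half-configured, SNC switched on too early.
BAD_PROFILE = """\
sec/libsapsecu = /usr/sap/SID/DVEBMGS00/exe/libsapcrypto.so
ssf/name = SAPSECULIB
snc/enable = 1
snc/identity/as = CN=SAP/KerberosSID@EXAMPLE.COM
"""


def parse_profile(text):
    """Parse 'key = value' lines of an instance profile into a dict.
    '#' lines are comments; a later definition overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def check_snc_profile(text):
    """Return a list of findings; an empty list means the checklist is met."""
    p = parse_profile(text)
    findings = []

    # Precondition 2: SAPCRYPTOLIB must be wired in as the SSF library.
    for key in REQUIRED_SSF:
        if key not in p:
            findings.append(f"missing {key}")
    if "ssf/name" in p and p["ssf/name"].upper() != "SAPSECULIB":
        findings.append("ssf/name must be SAPSECULIB")
    lib_sec, lib_ssf = p.get("sec/libsapsecu"), p.get("ssf/ssfapi_lib")
    if lib_sec and lib_ssf and lib_sec != lib_ssf:
        findings.append("sec/libsapsecu and ssf/ssfapi_lib point to different libraries")

    # Precondition 3: the identity STRUST will compare the certificate name against.
    if p.get("snc/enable") == "1":
        identity = p.get("snc/identity/as", "")
        if not identity:
            findings.append("snc/enable=1 but snc/identity/as is not set")
        elif not identity.startswith("p:"):
            findings.append("snc/identity/as should be a printable name ('p:CN=...')")
        if not p.get("snc/gssapi_lib"):
            findings.append("snc/enable=1 but snc/gssapi_lib is not set")
    return findings


if __name__ == "__main__":
    for name, profile in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(name, check_snc_profile(profile) or "OK")
```

Run it against the real profile text (read from the file under /usr/sap/<SID>/SYS/profile/) before setting snc/enable = 1; with SNC enabled and a broken identity or library path the instance will not come up at all, which is harder to debug than a STRUST error.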

                  • Re: Import of SAP Server Certificate in SNC X.509 method
                    Deepak Chittora

                    Hi Frane,

                     

                    Thanks for the detailed description of the process.

                    All preconditions have been met, as mentioned earlier in the message. When we come to the "How-To import X.509 certificate for SNC" step, I am stuck at point 2.

                    We are not able to import the *.pse file; when we do the import and enter the password given at the time of generation of the PSE, it gives an error saying "Cannot Open PSE".

                    We are using the command "snc crtpse -x <Password>" for creating/generating the PSE file.

                    Any suggestions why that *.pse file is not getting imported?

                     

                    Regards,

                    Deepak

                    • Re: Import of SAP Server Certificate in SNC X.509 method
                      Frane Milicevic

                      Hi Deepak,

                       

                      how did you create the *.pse file (X.509 certificate for AS ABAP for SNC)?

                      Please keep in mind, the PSE.ZIP is not a certificate. PSE.ZIP is a security container where the Kerberos keytabs are stored securely and used by Secure Login Library.

                      What is your use case? What I understand is you want to set up Kerberos SSO between SAP GUI --> SAP AS ABAP system and server-to-server communication encryption between 2 AS ABAP systems, correct?

                      If this is correct, the Kerberos technology will be used for SAP GUI --> AS ABAP and X.509 certificates will be used for AS ABAP --> AS ABAP.

                      In order to create X.509 certificates you have two possibilities:

                      1.) Create self-signed certificates using transaction STRUST

                      2.) Use Secure Login Server (part of SAP NW SSO) to create the certificates.
                            Secure Login Server is an out-of-the-box PKI for the SAP environment.

                       

                      Best regards,

                      Frane

                      • Re: Import of SAP Server Certificate in SNC X.509 method
                        Deepak Chittora

                        Hi Frane,

                         

                        I am creating the PSE using the command

                        snc crtpse -x <Password>

                        I am trying to set up communication between the SAP AS ABAP system and SAP GUI.

                        But as mentioned in the Secure Login Library guide for SAP NW SSO, we can have the X.509 certificate method for SNC using Tx STRUST.

                         

                        Regards,

                        Deepak

                        • Re: Import of SAP Server Certificate in SNC X.509 method
                          Frane Milicevic

                          Hi Deepak,

                           

                          with the command snc crtpse -x <Password> you create a PSE.ZIP file.
                          This PSE.ZIP file is a security token container (and not an X.509 certificate).

                          If you are using Kerberos for client-to-server SSO, the Kerberos keytab will be added to this security token container. I assume you use the command
                          snc crtkeytab -s SAP/Kerberos<SID>@<DOMAIN> -p <Password>
                          to add a keytab.

                          If you now want to establish in parallel a server-to-server secure communication using X.509 certificates, you can use the STRUST application to create X.509 self-signed certificates.

                          Start transaction STRUST, choose SNC SAPCryptolib and right-click Create.
                          Define the parameters for the desired certificate.

                          [screenshot: CreateSNC.JPG]

                          Please keep in mind the parameter you define here depends on the instance profile parameter snc/identity/as.

                          This needs to be done on the other AS ABAP system (maybe still available).
                          The last step is to exchange the certificates between the communication partners.

                          Another possibility is to use the Secure Login Server component (which is part of the SAP NetWeaver Single Sign-On product) to create the out-of-the-box PKI.
                          Using this component you can create all required X.509 certificates for all SAP NW AS.
                          The advantage is you don't need to exchange the certificates between the communication partners because there is a common trust (root certificate).

                           

                          Best regards,

                          Frane

                          • Re: Import of SAP Server Certificate in SNC X.509 method
                            Chandrakanth Angannagari

                            Hello Frane,

                             

                            I am not clear with your statement "Kerberos technology will be used for SAP GUI --> AS ABAP, while X.509 certificates will be used for AS ABAP --> AS ABAP".

                            a) X.509 certificates can be used for GUI --> AS ABAP SSO as well?

                            b) The SLL guide says to "import" a PSE while setting up SNC for X.509. But how you create that PSE is not clearly mentioned (commands etc.). (As you mentioned, pse.zip is not a PSE in itself.)

                            c) What must I add into that PSE before importing it via STRUST? The server public key certificate and the root CA certificate? If so, must the root CA certificate match the issuer of the root certificate that issues the user PC certificates also?

                            d) Or would it be OK to create any self-signed certificate into the SNC PSE on the server as long as the root CA certificate is added into the list of "trusted certificates" of the SNC PSE?

                            We have an established PKI within our company and would like to use the user certificates without the need to install an SLS to generate an out-of-the-box PKI.

                            • Re: Import of SAP Server Certificate in SNC X.509 method
                              Frane Milicevic

                              Hello Chandrakanth,

                               

                              here are my answers to your questions.

                              Best regards,

                              Frane

                              --------------------------------------------------------------------------------------------------------------------

                              a) X.509 certificates can be used for GUI --> AS ABAP SSO as well?

                              Frane: Sure, this is possible. In my answer I was referring to the use case scenario of Deepak's environment.

                              b) The SLL guide says to "import" a PSE while setting up SNC for X.509. But how you create that PSE is not clearly mentioned (commands etc.). (As you mentioned, pse.zip is not a PSE in itself.)

                              Frane: You can create self-signed certificates, or you can use Secure Login Server, which is a part of the SAP NetWeaver Single Sign-On solution.

                              c) What must I add into that PSE before importing it via STRUST? The server public key certificate and the root CA certificate? If so, must the root CA certificate match the issuer of the root certificate that issues the user PC certificates also?

                              Frane: Typically the PSE file contains all required public certificates of the certificate chain (e.g. server SNC certificate --> sub CA certificate --> root CA certificate).

                              d) Or would it be OK to create any self-signed certificate into the SNC PSE on the server as long as the root CA certificate is added into the list of "trusted certificates" of the SNC PSE?

                              Frane: This is possible too, but maybe it is easier to use Secure Login Server?

                              Secure Login Server will create the "correct" SAP server certificates as required.

                              We have an established PKI within our company and would like to use the user certificates without the need to install an SLS to generate an out-of-the-box PKI.

                              Frane: Sure, this is possible :-)

                              • Re: Import of SAP Server Certificate in SNC X.509 method
                                Deepak Chittora

                                Hi,

                                Guys, I need help on this.

                                Now we are implementing the Secure Login Library configuration using authentication based on Kerberos token.

                                As mentioned in the installation guide, we set all the SNC parameters.

                                Going ahead, we have created a Microsoft Windows account for the SAP server with the format as required.

                                But while defining the servicePrincipalName we cannot use the process mentioned in the guide due to some organizational limitations.

                                Instead of using the ADSIEDIT tool (as mentioned in the guide), we want to use the setspn command.

                                But we are not sure about the setspn command format; we have used the below format, which is also not helping the cause.

                                setspn -A <service>/<hostname><port> <account name>

                                If anyone is aware of the correct setspn command to register a servicePrincipalName for a particular Windows account, please share.

                                 

                                Regards,

                                Deepak

                                • Re: Import of SAP Server Certificate in SNC X.509 method
                                  Karthikeyan Viswanathan

                                  Hi Deepak,

                                  When you say that it is not helping, can you mention what exactly the problem is? This will help us to understand the issue better.

                                   

                                  Regards,

                                  Karthik

                                  • Re: Import of SAP Server Certificate in SNC X.509 method
                                    Deepak Chittora

                                    Sorry for the late reply, guys.

                                    I was able to register the SPN and generate the Kerberos keytab.

                                    But when I try to do the user mapping for a particular user using Tx SU01 and going into the SNC tab,
                                    I have entered my SNC name which was used in parameter snc/identity/as; the same SNC name is also available in the Kerberos keytab.

                                    When I try to save the entered data in SU01 after putting a value in the field SNC Name under the SNC tab, it ends in a dump (runtime error). Below is the description of the dump.

                                    Runtime Errors         DBIF_RSQL_TABLE_UNKNOWN
                                    Date and Time          10.08.2012 10:33:20

                                    Short text
                                         A table is unknown or does not exist.

                                    What happened?
                                         Error in the ABAP Application Program

                                         The current ABAP program "CL_LSO_CE_UTIL================CP" had to be
                                          terminated because it has
                                         come across a statement that unfortunately cannot be executed.

                                    Error analysis
                                         A table is referred to in an SAP Open SQL statement that either does not
                                          exist or is unknown to the ABAP Data Dictionary.
                                         The table involved is "T529U " or another table accessed in the statement.

                                    Please help if anyone has some idea.

                                     

                                    Regards,

                                    Deepak

                                    • Re: Import of SAP Server Certificate in SNC X.509 method
                                      Karthikeyan Viswanathan

                                      Hi Deepak,

                                      I think you are using the server's SNC name as your SNC name when you are entering it in transaction SU01. The SNC name to enter in SU01 will be the Kerberos name which is generated and displayed in your Secure Login Client.

                                      I think you need to change this as explained above. The server SNC name which is given under snc/identity/as will always be different from the user's SNC name.

                                      Let me know if things change after doing these changes.

                                       

                                      Best Regards,

                                      Karthik

                                      • Re: Import of SAP Server Certificate in SNC X.509 method
                                        Deepak Chittora

                                        Hi Karthik,

                                         

                                        Thanks for the reply.

                                        But my issue got resolved after the activation of T529U. After activation, I was able to save the user details under the SNC tab in Tx SU01.

                                        Now my Login Client is also installed, and I have logged in using the Windows account which was created with the name Kerberos<SID>.

                                        And now the same entry as parameter "snc/identity/as" is also maintained in the Network tab of SAP GUI for that particular system, and also the "Activate Secure Network Communication" checkbox is checked.

                                        But when I try to log in to the SAP system using the SAP GUI logon pad, it gives an error saying

                                        "GSS-API(Maj): No credentials were supplied. Unable to establish the security context target = <value of SNC parameter>.

                                        Error in SNC"

                                        Please help in case you have any idea.

                                         

                                        Regards,

                                        Deepak

                                        • Re: Import of SAP Server Certificate in SNC X.509 method
                                          Markus Nüsseler-Polke

                                          Hello Deepak,

                                           

                                          as far as I understand, you will implement SAP NW Single Sign-On using the Active Directory authentication (Kerberos) of the users. Is my assumption correct?

                                          In this case you do not need STRUST, you do not need the SAPCryptoLib and you do not need to deal with certificates on the ABAP server.

                                          The Secure Login Library Guide describes the steps for how to configure the AS ABAP to accept the Kerberos tickets of the users. All you need is to place the Secure Login Library in the folder \sll\, set the instance profile parameters and use the command line utility \sll\snc.

                                          I can provide you more support here if you want. First of all I need to know whether you will set up SSO with Active Directory authentication (Kerberos).

                                           

                                          Regards,

                                          Markus

                                          • Re: Import of SAP Server Certificate in SNC X.509 method
                                            Deepak Chittora

                                            Hi Markus,

                                             

                                            yes, we are implementing SAP NW SSO using AD (Kerberos) authentication.

                                            As mentioned by you, we have already configured the Login Library under the /usr/sap/<SID>/D*/SLL folder.
                                            All parameters are already defined.

                                            And the Kerberos keytab is also generated, which can be verified using the snc command under the SLL folder.

                                            And now the same entry as parameter "snc/identity/as" is also maintained in the Network tab of SAP GUI for that particular system, and also the "Activate Secure Network Communication" checkbox is checked.

                                            For the particular ABAP user, SNC has been maintained in the SNC tab in Tx SU01.

                                            But when I try to log in to the SAP system using the SAP GUI logon pad, it gives an error saying

                                            "GSS-API(Maj): No credentials were supplied. Unable to establish the security context target = <value of SNC parameter>.

                                            Error in SNC"

                                             

                                            Regards,
                                            Deepak

                                            • Re: Import of SAP Server Certificate in SNC X.509 method
                                              Markus Nüsseler-Polke

                                              Hello Deepak,

                                               

                                              do you use the current SAP GUI 7.20 with at least PL 09?

                                              You have to enter the SNC name of the user in SU01 in uppercase.

                                              Can you send the output of >snc?

                                              If you restart your ABAP, then you will have SNC trace information in the logfile dev_w0. Look for SncInit(). Can you send the lines which reflect the SNC initialization?

                                               

                                              Regards,

                                              Markus

                                              • Re: Import of SAP Server Certificate in SNC X.509 method
                                                Deepak Chittora

                                                Hi Markus,

                                                 

                                                I am using SAP GUI 720 PL 12. Yes, I have all entries in SU01 in uppercase.

                                                Below is the output of the snc command.

                                                ------------------------------------------------------------------------------
                                                ------------ status    -------------------------------------------------------
                                                ------------------------------------------------------------------------------
                                                Product version     : Secure Login Library 1.0.3.1
                                                                    : CryptoLib            8.3.6.3
                                                                    :                      linux-gcc-4.1-x86-64

                                                GSS library         : available
                                                GSS library name    : libsecgss.so

                                                PSE directory       : (existing) /usr/sap/SID/DVEBMGS<>/sec
                                                PSE file            : (existing) /usr/sap/SID/DVEBMGS<>/sec/pse.zip
                                                STRUST cred file    : (existing) /usr/sap/SID/DVEBMGS<>/sec/cred_v2
                                                SNC config file     : (existing) /usr/sap/SID/DVEBMGS<>/SLL/gss.xml

                                                PSE accessible      : yes
                                                PSE logged in       : yes
                                                PSE credentials     : MasterPassword SystemDefault

                                                Kerberos keyTab     :  4 entries
                                                  SAP/KerberosSID@hostname (KeyType DES)
                                                  SAP/KerberosSID@hostname (KeyType AES128)
                                                  SAP/KerberosSID@hostname (KeyType AES256)
                                                  SAP/KerberosSID@hostname (KeyType RC4)
                                                SNC keys registered :  1 entries
                                                  STRUST  certificate  CN=SAP/KerberosSID@hostname

                                                Trusted certificates:
                                                  in PSE            :
                                                    CN=RMU, OU=<>, OU=SAP Web AS, O=SAP Trust Community, C=DE
                                                  from STRUST       :
                                                    CN=SAP/KerberosSID@hostname
                                                    CN=SAP/KerberosSID@hostname

                                                 

                                                I just restarted my SAP system and checked the logs in dev_w0 in the work directory, which clearly say that SNC is enabled. Below are the logs.

                                                 

                                                SncInit(): Initializing Secure Network Communication (SNC)

                                                N        AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)

                                                N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

                                                N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

                                                N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)

                                                N  SncInit(): found  snc/gssapi_lib=/usr/sap/SID/DVEBMGS<>/SLL/libsecgss.so

                                                N    File "/usr/sap/SID/DVEBMGS<>/SLL/libsecgss.so" dynamically loaded as GSS-API v2 library.

                                                N    The internal Adapter for the loaded GSS-API mechanism identifies as:

                                                N    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

                                                N  SncInit():   found snc/identity/as=p:CN=SAP/KerberosSID@hostname

                                                N  SncInit(): Accepting  Credentials available, lifetime=Indefinite

                                                N  SncInit(): Initiating Credentials available, lifetime=Indefinite

                                                M  ***LOG R1Q=> 1& [thxxsnc.c    261]

                                                M  SNC (Secure Network Communication) enabled

                                                 

                                                Regards,

                                                Deepak

                                                • Re: Import of SAP Server Certifiacte in SNC X.509 method
                                                  Markus Nüsseler-Polke
                                                  Currently Being Moderated

                                                  Hello Deepak,

                                                   

                                                  I can see what went wrong. Your Kerberos keyTab name is "SAP/KerberosSID@hostname". This is the placeholder from the documentation. You have to use a real account in your real Active Directory.

                                                   

                                                  Do the following steps:

                                                  Ask your Active Directory administrator to create a new user account (a service/technical user) in the same domain where all your SAP users are located. If your domain is firma.local, then you need a user account for the SAP server in the domain firma.local. The name of the user account does not matter. SAP's example is to use Kerberos<SID of your AS ABAP> as the name. The password of the new user account must not expire. You will receive a username and a password from your Active Directory administrator. Let us say the username is "KerberosQHR" and the password is "123456".

                                                   

                                                  The next step is that your Active Directory administrator adds the Kerberos Service Principal Name to the user account. He can use the Active Directory tool adsiedit.msc:

                                                   

                                                  ADSI Edit (adsiedit.msc) ->
                                                  Default Naming context ->
                                                  domain ->
                                                  CN=Users ->
                                                  CN=<Service User> ->
                                                  Properties ->
                                                  servicePrincipalName ->
                                                  Edit

                                                   

                                                  He has to enter: "SAP/KerberosQHR@firma.local".

                                                   

                                                  Now you can generate a new keyTab. Please do the following steps first:

                                                   

                                                  Delete /sec/cred_v2. You do not need it in the Kerberos scenario.

                                                  Delete /sec/pse.zip. You need to create a new one.

                                                  snc crtpse -x <enter a new pse-password>

                                                  snc crtkeytab -s SAP/KerberosQHR@firma.local -p 123456

                                                  Use your own user account and password!!

                                                   

                                                  Edit the instance profile of your ABAP:

                                                  snc/identity/as=p:CN=SAP/KerberosQHR@firma.local

                                                   

                                                  Reboot your SAP System.

                                                   

                                                  What is in dev_w0?

                                                   

                                                  Regards,

                                                  Markus

                                                  • Re: Import of SAP Server Certifiacte in SNC X.509 method
                                                    Deepak Chittora
                                                    Currently Being Moderated

                                                    Hi Markus,

                                                    We are using the real Active Directory name, in the format Service/Account Name.

                                                    It's just that for writing here in the blog we used that dummy name.

                                                     

                                                    Our Active Directory user is created in the same domain as our SAP users.

                                                     

                                                    Also, we have used the setspn command to register the ServicePrincipalName instead of the ADSI Edit tool.

                                                     

                                                    Regards,

                                                    Deepak

                                                    • Re: Import of SAP Server Certifiacte in SNC X.509 method
                                                      Markus Nüsseler-Polke
                                                      Currently Being Moderated

                                                      Hello Deepak,

                                                       

                                                      OK! Then it could be that the STRUST certificate has a side effect on the Kerberos authentication. Delete / rename the cred_v2 and restart your SAP server. It is just a try.

                                                       

                                                      Are you sure that you used the correct password in the command snc crtkeytab?

                                                       

                                                      A chance to find the reason for the error is to enable the traces of the Secure Login Library. See chapter 4.1 Enable Traces in the Secure Login Library manual.

                                                       

                                                      Regards,
                                                      Markus

                                                      • Re: Import of SAP Server Certifiacte in SNC X.509 method
                                                        Deepak Chittora
                                                        Currently Being Moderated

                                                        Hi Markus,

                                                        Thanks for the update.

                                                         

                                                        But deleting the cred_v2 file didn't work.

                                                         

                                                        Yes, we gave the right password while creating the keytab; with a wrong password, snc crtkeytab won't work.

                                                         

                                                        Please confirm one thing: must the Active Directory user and the SAP users be in the same domain?

                                                        In our case, we have SAP installed in one domain and the Active Directory account is in a different domain.

                                                         

                                                        I guess this can be an issue? Please suggest.

                                                         

                                                        Regards,

                                                        Deepak

                                                        • Re: Import of SAP Server Certifiacte in SNC X.509 method
                                                          Markus Nüsseler-Polke
                                                          Currently Being Moderated

                                                          Hello Deepak,

                                                           

                                                           

                                                          If you are using the wrong password with the command snc crtkeytab -s <Name> -p <password>, you will not receive an error message. The password is not validated. It is stored locally in the keyTab file.

                                                           

                                                          The SAP users must be in the same domain in which you generated the service account for your ABAP server, e.g. if the users are in the domain firma.local, then the service account for the ABAP server needs to be generated in the domain firma.local.

                                                           

                                                          For user authentication the keyTab is used. The SAP system itself, or the machine, does not need to be in an Active Directory domain.

                                                           

                                                          Regards,

                                                          Markus

                                                          • Re: Import of SAP Server Certifiacte in SNC X.509 method
                                                            Deepak Chittora
                                                            Currently Being Moderated

                                                            Hi Markus,

                                                             

                                                            Now what we have is that our Active Directory user (KerberosSID) is in a domain, say ADUSER.firma.com.

                                                             

                                                            The Windows login account is also in the same domain ADUSER.firma.com, but my SAP system is installed in some other domain, say DEMO.corp.com.

                                                             

                                                            Would such a setup work?

                                                             

                                                             

                                                            Regards,

                                                            Deepak

                                                            • Re: Import of SAP Server Certifiacte in SNC X.509 method
                                                              Deepak Chittora
                                                              Currently Being Moderated

                                                              Hi Everyone,

                                                               

                                                              Good news: we got it going.

                                                              We updated our setspn command to register the SPN in AD, and we also created the snc crtkeytab entries using the server name in UPPER CASE.

                                                               

                                                              Now we can log in to the SAP system using Kerberos authentication with the Secure Login Client, without user ID and password input.

                                                               

                                                              But we have one more query: when we uninstall the Secure Login Client from our workstation, our SNC also does not work. What we did is that we uninstalled the Login Client, but in SAP GUI the SNC entry is still activated. When we log in to the SAP system it gives an error saying "SncPDL()==SNCERR_INIT unable to load GSS-API DLL named "C:\Program Files\SAP\Frontend\SecureLogin\lib\secgss.dll"

                                                              Error in SNC."

                                                               

                                                              But what I understand is that SNC is just used for a secure network connection to the backend system, so when we enable SNC and we know the user ID and password, we should be able to log in to the SAP system.

                                                               

                                                              Please help.

                                                               

                                                              Regards,

                                                              Deepak
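The two things that finally made this thread's setup work were the ones Markus's procedure above spelled out: the service principal in the keytab, the STRUST key and snc/identity/as must all name the same real account (not the documentation placeholder), and the realm part must be the upper-case AD domain that holds the SAP users. The following is an added example, not code from this thread or from the Secure Login Library, that cross-checks those three places before a restart. It assumes the layout of the "snc" status output is the one pasted earlier in the thread (the regular expressions and the finding codes are mine), takes the users' domain as an argument, and uses the thread's own pasted output, with its KerberosSID@hostname placeholder, as constructed sample input.

```python
import re

# Constructed sample input: the "snc" status output as pasted in this thread.
# KerberosSID and hostname are the documentation placeholders, not real names.
SNC_STATUS = """\
Kerberos keyTab     :  4 entries
  SAP/KerberosSID@hostname (KeyType DES)
  SAP/KerberosSID@hostname (KeyType AES128)
  SAP/KerberosSID@hostname (KeyType AES256)
  SAP/KerberosSID@hostname (KeyType RC4)
SNC keys registered :  1 entries
  STRUST  certificate  CN=SAP/KerberosSID@hostname
"""

# Constructed instance-profile line, as set in this thread.
PROFILE_LINE = "snc/identity/as=p:CN=SAP/KerberosSID@hostname"

# Assumed formats (mine, derived from the pasted output, not from SAP documentation).
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@\s]+)/(?P<account>[^/@\s]+)@(?P<realm>[^/@\s]+)$")
KEYTAB_RE = re.compile(r"^[ \t]+(\S+)[ \t]+\(KeyType[ \t]+(\w+)\)[ \t]*$", re.M)
STRUST_RE = re.compile(r"STRUST[ \t]+certificate[ \t]+CN=(\S+)", re.M)
PLACEHOLDERS = ("KerberosSID", "hostname", "firma.local")
WEAK_ENCTYPES = ("DES", "RC4")  # single DES and RC4-HMAC are deprecated Kerberos enctypes


def keytab_entries(status):
    """Return (principal, keytype) pairs listed under 'Kerberos keyTab'."""
    return KEYTAB_RE.findall(status)


def strust_identity(status):
    """Return the CN of the STRUST certificate registered as SNC key, if any."""
    m = STRUST_RE.search(status)
    return m.group(1) if m else None


def profile_identity(line):
    """Extract SERVICE/account@REALM from an snc/identity/as profile line."""
    key, _, value = line.partition("=")
    if key.strip() != "snc/identity/as":
        raise ValueError("not an snc/identity/as line: %r" % line)
    value = value.strip()
    prefix = "p:CN="
    if not value.startswith(prefix):
        raise ValueError("expected a p:CN=... value, got %r" % value)
    return value[len(prefix):]


def check_snc_identity(status, profile_line, users_domain):
    """Cross-check keytab, STRUST key and profile identity; return (code, message) findings."""
    findings = []
    identity = profile_identity(profile_line)
    m = PRINCIPAL_RE.match(identity)
    if not m:
        return [("bad-format", "snc/identity/as %r is not SERVICE/account@REALM" % identity)]
    realm = m.group("realm")

    if any(p in identity for p in PLACEHOLDERS):
        findings.append(("placeholder", "identity %r still contains a documentation placeholder" % identity))
    # Kerberos realm names are case-sensitive; an AD realm is the DNS domain in upper case.
    if realm != realm.upper():
        findings.append(("realm-case", "realm %r is not upper case" % realm))
    # The service account must live in the domain that holds the SAP users.
    if realm.upper() != users_domain.upper():
        findings.append(("realm-mismatch", "realm %r is not the users' domain %r" % (realm, users_domain)))

    entries = keytab_entries(status)
    if not entries:
        findings.append(("keytab-empty", "no Kerberos keyTab entries found"))
    for principal, keytype in entries:
        if principal != identity:
            findings.append(("keytab-mismatch", "keytab entry %s (%s) differs from snc/identity/as" % (principal, keytype)))
    weak = sorted({kt for _, kt in entries if kt in WEAK_ENCTYPES})
    if weak:
        findings.append(("weak-enctype", "keytab contains weak enctypes: %s" % ", ".join(weak)))

    cn = strust_identity(status)
    if cn is not None and cn != identity:
        findings.append(("strust-mismatch", "STRUST certificate CN %r differs from snc/identity/as" % cn))
    return findings


if __name__ == "__main__":
    for code, msg in check_snc_identity(SNC_STATUS, PROFILE_LINE, "firma.local"):
        print("%-16s %s" % (code, msg))
```

Run against the pasted output this reports the placeholder identity, the lower-case realm, the realm/domain mismatch and the DES/RC4 keys; once all three places say SAP/KerberosQHR@FIRMA.LOCAL only the weak-enctype note remains. What it cannot catch is the case Markus describes: snc crtkeytab derives the keys locally from whatever password is typed and never contacts the domain controller, so a mistyped password produces a keytab that looks consistent here and only fails at logon.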

  • Re: Import of SAP Server Certifiacte in SNC X.509 method
    SriHarsha Nandamuri
    Currently Being Moderated

    Hi ,

     

    I have followed the steps as the discussion went through. I am getting a strange error: SNC name and specified user/client do not match. Can you help me with this?

     

    Thanks,

    Sri.
