Are you using Secure Login Library or SAP Cryptolib on the SAP system side?

Regards

Matthias

TRUST and SSL still need SAPCRYPTOLIB. This will be changed but this is until today the case.

Is SAPCRYPTOLIB still configured on the SAP system?

Regards

Matthias

So your problem is that the strust transaction is not working right? Because of that I think that you have an issues with SAPCRYPTOLIB but I am not sure.

Transaction STRUST->menu->enviroment->display SSF version

What do you see here? Any entry with SAPCRYPTOLIB version XXXX? If not -> enviroment is perhaps wrong

You can get help on this also via SAP support (if not someone else has an idea) -> component BC-IAM-SL

Sorry - I have not a better idea at the moment

Matthias

Hi Deepak,

i would like to provide some configuration hints / checklist.

Target

Import X.509 AS ABAP Server Certificate for SNC using transaction STRUST.

Preconditions

1. SAPCRYPTOLIB must be installed
   
   Copy sapcryptolib.dll and sapgenpse.exe (for Windows OS) to the folder "..\exe" folder (e.g. D:\usr\sap\<SID>\DVEBMGSxx\exe\).
   
   Copy the file ticket  to the  "..\sec" folder
   (e.g. D:\usr\sap\<SID>\DVEBMGSxx\sec\)
   
   Set environment variable SECUDIR to the "..\sec" folder
   (e.g. D:\usr\sap\<SID>\DVEBMGSxx\sec\)
2. In order to enable STRUST you need to configure the following instance profile parameter (transaction RZ10):
   
   sec/libsapsecu = <path to the SAPCRYPTOLIB library file>
                                 (e.g. D:\usr\sap\<SID>\DVEBMGSxx\exe\sapcrypto.dll)
   ssf/name = SAPSECULIB
   ssf/ssfapi_lib = <path to the SAPCRYPTOLIB library file>
                                 (e.g. D:\usr\sap\<SID>\DVEBMGSxx\exe\sapcrypto.dll)
3. In order to enable SNC you need to configure the SNC instance profile parameter (transaction RZ10). Please keep in mind the parameter snc/identity/as defines the distinguished name (certificate name of the SAP AS ABAP Server for SNC).
   So if you already have a SNC certificate, please define the correct name here.
   
   The background is, that the tool STRUST will verify this parameter (certificate Name) before it will import the certificate.

How-To import X.509 certificate for SNC

1. Start transaction STRUST
   You should see a list of entries here like:
   
   If you only see System PSE --> SAPCRYPTOLIB is not installed correctly.
2. Choose in menu PSE --> Import and choose your *.pse file (SAP AS ABAP SNC certificate). Maybe you will be asked for the password (the *.pse file is protected).
3. Choose in menue PSE --> Save as and choose SNC SAPCryptolib
   Please keep in mind the certificate name will be checked against the information of the instance profile parameter snc/identity/as
4. Save the configuration. Enable in instance profile parameter snc/enable = 1 and restart SAP AS ABAP Server

I hope this helps.

Regards,

Frane

Hi Deepak,

with the command snc crtpse -x <Password> you create a PSE.ZIP file.

This PSE.ZIP file is a security token container (and not a X.509 certificate).

If You are using Kerberos for client-to-server SSO the Kerberos keyTab will be add to this security token container. I assume you use the command:
snc crtkeytab -s SAP/Kerberos<SID>@<DOMAIN> -p <Password>
to add a keyTab).

If you now want to establish in parallel a server-to-server secure communication using X.509 certificates, you can use STRUST application to create X.509 self-signed certificates.

Start transaction STRUST and choose SNC SAPCryptolib with right-click Create.

Define the parameter for the desired certificate.

Please keep in mind the parameter you will define here depends to the instance profile parameter snc/identity/as.

This needs to be done on the other AS ABAP system (maybe still available).

The last step is to exchange the certificates between the communication partner.

Another possibility is to use the Secure Login Server component (which is part of the SAP NetWeaver Single Sign-On product) to create the out-of-the box PKI.

Using this component you can create all required X.509 certificates for all SAP NW AS.

The advantage is you don't need to exchange the certificates between the communication partners because there is a common trust (root certificate).

Best regards,

Frane

Hello Frane,

I am not clear with your statement on "Kerberos technology will be used for SAP GUI --> AS ABAP, while X.509 certificates will be used for AS ABAP --> AS ABAP"

a)X.509 certificates can be used for GUI --> AS ABAP SSO as well?

b)The SLL guide says to "import" a pse while setting up SNC for X.509. But how do you create that pse is not clearly mentioned - commands etc. (As you mentioned pse.zip is not a pse in itself)

c) What must i add into that pse before importing it via STRUST? The server public key certificate and the root CA certificate? If so , the root CA certificate must match the issuer of the root certificate that issues the user pc certificates also?

d) Or would it be ok to create any self signed cerficate into the SNC pse on the server as long as the root CA certificated is added into the list of "trusted certificates" of the SNC pse

We have an established PKI within our company and would like to use the user certificates without the need to install a SLS to generate out-of-the-box PKI.

Hello Chandrakanth,

here ny answers to your questions.

Best regards,

Frane

--------------------------------------------------------------------------------------------------------------------

a)X.509 certificates can be used for GUI --> AS ABAP SSO as well?

Frane: Sure this is possible. In my answer i mention to the use case scenario of Deepak's environment.

b)The SLL guide says to "import" a pse while setting up SNC for X.509. But how do you create that pse is not clearly mentioned - commands etc. (As you mentioned pse.zip is not a pse in itself)

Frane: You can create self-signed certificates or you can use Secure Login Server which is a part of the SAP NetWeaver Single Sign-On solution.

c) What must i add into that pse before importing it via STRUST? The server public key certificate and the root CA certificate? If so , the root CA certificate must match the issuer of the root certificate that issues the user pc certificates also?

Frane: Typically the PSE file contains all required public certificates of the certificate chain (e.g. Server SNC Certificate --> Sub CA certificate --> Root CA certificate).

d) Or would it be ok to create any self signed cerficate into the SNC pse on the server as long as the root CA certificated is added into the list of "trusted certificates" of the SNC pse

Frane: This is possible too, but maybe it is easier to use Secure Login Server?

Secure login Server will create the "correct" SAP Server certificates as required.

We have an established PKI within our company and would like to use the user certificates without the need to install a SLS to generate out-of-the-box PKI.

Frane: Sure, this is possible 🙂

Hi Deepak,

When you say that it is not helping, can you mention what exactly the problem is. This will help us to understand the issue better.

Regards,

Karthik

Hi Deepak,

I think you are using the Server's SNC name as your SNC name when you are entering it in SU01 transaction. The SNC name when entering into SU01 will be the kerberos name which is generated and displayed in your Secure Login Client.

I think you need to change this as explained above. The Server SNC name which is given under snc/identity/as will always be different than the user's SNC name

Let me know if things change after doing these changes.

Best Regards,

Karthik

Hello Deepak,

as far as I understand you will implement SAP NW Single Sign-On with using the Active Directory Authentication (Kerberos) of the users. Are my assumption correct?

In this case you do not need STRUST, you do not need the SAPCryptoLib and you do not need to deal with certificates on the ABAP server.

In the Secure Login Library Guide are the steps described, how-to configure the AS ABAP to accept the Kerberos Tickets of the users. All you need is to place the Secure Login Library in the folder \sll\, set the instance profile parameter and using the command line utility \sll\snc

I can provide you more support here, if you want. First of all I need to know, whether you will setup SSO with Active Directory Authentication (Kerberos)

Regards,

Markus

Hello Deepak,

do you use actual SAP GUI 7.20 with at least PL 09?

You have to enter the SNC-Name of the user in SU01 in uppercase.

Can you send the output of >snc?

If you restart your ABAP, then you will have SNC Trace information in the logfile dev_w0. Look for SncInit(). Can you send the lines which reflect the SNC initialization.

Regards,

Markus

Hello Deepak,

I can see, what went wrong. Your Kerberos keyTab name is "SAP/KerberosSID@hostname". This is the placeholder into the documentation. You has to use a real account into your real Active Directory.

Do the following steps:

Ask you Active Directory administrator to create a new useraccount (a service/technical user) into the same domain, where all you SAP users are located. If your domain is firma.local, then you need a useraccount for the SAP Server into the domain firma.local. The name of the useraccount does not matter. The example of SAP is to use Kerberos<SID of your AS ABAP> as name. The password of the new useraccount must not expire. You will receive from your Active Directory administrator a username and a password. Let us say, the username is "KerberosQHR" and the password is "123456"

The next step is, that your Active Directory administrator enter add the Kerberos Service Prinicpal name to the useraccount. He can user the Active Directory tool adsiedit.msc

ADSI Edit (adsiedit.msc) ->
Default Naming context ->
domain ->
CN=Users ->
CN=<Service User> ->
Properties ->
servicePrinicipalName ->
Edit

He has to enter: "SAP/KerberosQHR@firma.local".

Now you can generate a new keyTab. Please do at first the following steps:

delete /sec/cred_v2 You do not need it in the Kerberos scenario.

delete /sec/pse.zip You need to create a new one.

snc crtpse -x <enter a new pse-password>

snc crtkeytab -s SAP/KerberosQHR@firma.local -p 123456

Use your own useraccout and password!!

Edit into the instance profile of you ABAP

snc/identity/as=p:CN=SAP/KerberosQHR@firma.local

Reboot your SAP System.

What is into dev_w0?

Regards,

Markus

Hello Deepak,

ok! Then it could be, that the STRUST certificate has a side effect with the kerberos authentication. Delete / rename the cred_v2 and restart your SAP Server. It is just a try.

Are you sure, that you did use the correct password in the command: snc crtkeytab?

A chance to find the reason for the error is to enable the traces of the Secure Login Library. See chapter 4.1 Enable Traces into the Secure Login Library manual.

Regards,
Markus

Hello Deepak,

if you are using the wrong password with the command snc crtkeytab -s <Name> -p <password> you will not receive an error message. The password will not be validated. It is stored locally into the keyTab file.

The SAP Users must be in the same domain in which you did generate the Service Account for your ABAP Server. e.g. if the users are into the domain firma.local, then the Service Account for the ABAP Server needs to be generated into the domain firma.local.

For user authentication the keyTab is used. The SAP Systems itself or the machine needs not to be into an Active Directory domain.

Regards,

Markus