Embed Size (px)
Citation preview
Procedure for SNC Setup
Procedure for SNC SetupThe following steps describe the procedure of setting up the SNC in the SAP system and the SAP Adapter.1. Download the SAP Cryptographic Library2. Install the SAP Cryptographic Library3. Set the Trust Manager Profile Parameters4. Create the Personal Security Environment (PSE)5. Setup SNC Profile Parameters for SAP6. Installing the PSE7. Install the SAP Cryptographic Library on the Adapter8. Setup the SNC Parameter Specific to an Inbound Scenario9. Setup SNC Parameters Specific to Outbound Scenarios Download the SAP Cryptographic Library Download the SAP Cryptographic Library from SAP Service Market Place from:https://websmp101.sap-ag.de/~form/handler?_APP=00200682500000000917&_EVENT=DISPLAYThe following libraries are required:Microsoft Windows • sapcrypto.dll • sapgenpse.exe• ticketUNIX• libsapcrypto.so ( or sl )• sapgenpse• ticketInstall the SAP Cryptographic Library
Follow these steps to install the SAP Cryptographic libraries:1. Extract the contents of the SAP Cryptographic Library installation package.2.
Copy the library file and the configuration tool sapgenpse.exe to the directory specified by the application server's profile parameter DIR_EXECUTABLE.
In the following example, this directory is represented by the notation $(DIR_EXECUTABLE).UNIX: DIR_EXECUTABLE: /usr/sap/<SID>/<INSTANCE>/exe/ Location of SAP Cryptographic Library: /usr/sap/<SID>/<INSTANCE>/exe/libsapcrypto.soMicrosoft Windows: DIR_EXECUTABLE: <DRIVE>:\usr\sap\<SID>\<INSTANCE>\exe Location of SAP Cryptographic Library: C:\usr\sap\BAM\DVEBMGS00\exe\sapcrypto.dll
3.
Check the file permissions for the SAP Cryptographic Library. For example, if you copied the library using ftp on UNIX, platforms the file permissions may not be set correctly. Make sure that <sid>adm (or SAPService<SID>under Microsoft Windows) has the permissions required to execute the library functions.
4. Copy the ticket file to the sub-directory SEC in the instance directory $(DIR_INSTANCE).UNIX: DIR_INSTANCE: /usr/sap/<SID>/<instance>Location of the ticket: usr\sap\BAM\DVEBMGS00\secMicrosoft Windows: DIR_INSTANCE: <DRIVE>:\usr\sap\<SID>\<instance>Location of the ticket: <DRIVE>:\usr\sap\<SID>\<instance>\sec\ticket5.
Set the environment variable SECUDIR. The application server uses this variable to locate the ticket and its credentials at run-time.
SECUDIR=D:\usr\sap\BAM\DVEBMGS00\secIf you set the environment variable using the command line the value may not be applied to the server's processes. Therefore, we recommend setting SECUDIR in the startup profile for the server's user or in the registry (Microsoft Windows). The SAP Cryptographic Library is installed on the application server and the environment is set up so that the library can be located by the server at runtime. Set the Trust Manager Profile Parameters Follow these steps to set the profile parameters, using transaction RZ10, so that the trust manager can access the SAP Cryptographic Library:1.
Set the profile parameters on each SAP Web AS ABAP instance. The following table provides the profile parameters and sample values.
Table 10 Trust Manager Profile Parameters
Profile Parameters Value
sec/libsapsecu Path and file name of the SAP Cryptographic Library
ssf/ssfapi_lib Path and file name of the SAP Cryptographic Library
ssf/name SAPSECULIB
sec/libsapsecu = D:\usr\sap\BAM\DVEBMGS00\exe\sapcrypto.dll ssf/ssfapi_lib = D:\usr\sap\BAM\DVEBMGS00\exe\sapcrypto.dll ssf/name = SAPSECULIBWhere sec/libsapsecu is the path and file name of the SAP Cryptographic Library, andssf/ssfapi_lib is the path and file name of the SAP Cryptographic Library.For more information on these profile parameters refer to the SAP documentation.2. Restart the application server.The SNC PSE can now be maintained using the trust manager.Create the Personal Security Environment (PSE) Before creating the PSE make sure you have:• installed the SAP Cryptographic Library on the application server.If the SAP Cryptographic Library is not installed, then the trust manager does not display the node for the SNC PSE. • set the environment variable SECUDIR to point to the location where the PSE is stored.
•
the naming convention you use for the Distinguished Name matches the Distinguished Name part of the server's SNC name that you define in the profile parameter snc/identity/as. If this profile parameter is not yet set, then you can still specify the server's Distinguished Name, but you receive a warning that you have to maintain the profile parameter.
Additionally, the server's Distinguished Name for SNC must be unique. It cannot also be used in a different PSE.Follow these steps to create the PSE that the server will use for SNC. If you are using a single PSE for all server components and you have already created the PSE on a different server, then see Importing the SNC PSEUsing the trust manager (transaction STRUST):1. Select the SNC PSE node.2. Using the context menu, choose Create (if no PSE exists) or Replace.3. The <Create/Replace> PSE dialog appears.If the server's SNC name is defined in the profile parameter snc/identity/as, then the system automatically determines the Distinguished Name accordingly. Otherwise, enter the Distinguished Name parts in the corresponding fields, for example:Name = <SID>Org. (opt.) = TestComp./Org. = MyCompanyCountry = US
If you want to use a reference to a CA name space, then the elements contained in the CA field are automatically used for the server's Distinguished Name. In addition, you cannot modify the Country field. Use the toggle function to activate or deactivate the reference to a CA name space.In addition, the application server's Distinguished Name to use for SNC must be unique. You cannot specify a Distinguished Name that the server uses in a different PSE, for example, the system PSE.4. Choose Enter.You return to the Trust Manager screen.5. For SNC you must assign a password to the PSE. Choose Assign password.The PSE dialog appears.6. Enter a password for the PSE and choose Enter.You return to the Trust Manager screen.The SNC PSE is created and distributed to the individual application servers. The system protects the PSE with a password and creates credentials for the server to access the PSE at run-time.
Setup SNC Profile Parameters for SAPThis section describes how to set the SNC-relevant profile parameters. The RZ10 Transaction code is used to set the following parameters in the instance profile.Setting the profile parameter snc/enable to 1 activates SNC on the application server. If this parameter is set but the SNC PSE and credentials do not exist, then the application server will not start. Therefore, setting the SNC parameters should be the last step in the configuration procedure.Make sure the SNC PSE and the corresponding credentials exist for the application server.1.
Set the following profile parameters on the application server so that the server can communicate using SNC.
The important parameters are listed below. For a complete list, see the SNC User's Guide.Table 11 SNC Profile Parameters
Profile Parameters Value
snc/enable 1
snc/gssapi_lib The path and file name where the SAP Cryptographic Library is located
snc/identity/as Application server's SNC name in the format:p:<Distinguished_Name>The Distinguished Name part must match the Distinguished Name that you specify when creating the SNC PSE.
snc/data_protection/max 1: Authentication only2: Integrity protection3: Privacy protection
snc/data_protection/min 1: Authentication only2: Integrity protection3: Privacy protection
snc/data_protection/use 1: Authentication only2: Integrity protection3: Privacy protection9: Use the value from snc/data_protection/max
snc/accept_insecure_cpic 0: do not accept1: accept
snc/accept_insecure_gui 0: do not accept1: accept
snc/accept_insecure_r3int_rfc
0: do not accept1: accept
snc/accept_insecure_rfc 0: do not accept1: accept
For example: snc/identity/as = p:CN=BAM, OU=ENGG, O=TIBCO, C=US snc/gssapi_lib = D:\usr\sap\BAM\DVEBMGS00\exe\sapcrypto.dll snc/accept_insecure_rfc = 1 snc/accept_insecure_r3int_rfc = 1 snc/accept_insecure_gui = 1 snc/accept_insecure_cpic = 1 snc/data_protection/use = 3 snc/data_protection/min = 1
snc/data_protection/max = 3 snc/enable = 1 snc/permit_insecure_start = 12. Restart the application server.3. Save and activate the profile.4. Restart the application server.The application server is now ready to use SNC.Install the SAP Cryptographic Library on the Adapter1. Extract the SAP Cryptographic Library.2.
Copy the SAP Cryptographic Library file to any folder. Make sure you add the path to this folder to the SNC_LIB parameter of the saprfc.ini file.
3. Create the SEC directory and copy the ticket file to this directory.This is the same ticket file obtained in step 4 in Install the SAP Cryptographic Library.4. Set the SECUDIR environment variable to point to the sec directory created in step 3 This parameter is set for the user that executes the adapter process. If deploying and running the adapter using TIBCO Administrator, make sure the SECUDIR variable is set and is available for the adapter process. On Microsoft Windows platforms, the SECUDIR variable is set in the adr3u.tra (for Unicode adapter) or adr3.tra (for non-Unicode adapters) files.On UNIX platforms, the SECUDIR variable is set in the adr3u_env.sh (for Unicode adapter) or adr3_env.sh (for non-Unicode adapters) files.If using the adapter tester, the SECUDIR variable is set in the adr3u.tra (for Unicode adapter) or adr3.tra (for non-Unicode adapters).The SAP Cryptographic Library is now installed.Installing the PSEFollow these steps to create the PSE that the adapter will use for SNCUsing a Single PSE for All Components In this scenario you create a single PSE for all components.1. Create the PSE on a single component, for example, the AGate and copy it to the other servers.2. Copying a Single PSE to all Server Components3. Copy PSE into SEC directory 4.
Create Credential on client (the SAP Adapter) cred_v2 file using the following command and copy cred_v2 into the SEC directory:
sapgenpse seclogin -p SAPSNCS.PSE -O usernameUsing Individual PSE for All Components
In this scenario you create an individual PSE for each component. To establish the necessary trust relationships between these components, you must exchange the corresponding public-key certificates. For each of the servers, export the server's public-key certificate and import it into its partners' PSEs. See the graphic below:Using Individual PSEs and Exchanging Public-Key CertificatesTo Create PSE for the Client1. Create a directory on your system to store the PSE. 2.
Copy the ticket license file and the SAP Certified Client Cryptographic library (ex. SECUDIR) to the directory you just created.
Make sure you set the SECUDIR environment variable to this directory, copy the library to a different directory, and add this path to your PATH environment variable.3. Execute the following command to generate the PSE The client PSE is named as RFC.pse. From the command line, you can specify the distinguished name. For example: "CN=RFC, OU=IT, O=CSW, C=DE" > sapgenpse gen_pse -v -p RFC.pse Got absolute PSE path "<your path>/RFC.pse". Please enter PIN: ******** Please reenter PIN: ******** get_pse: Distinguished name of PSE owner: CN=RFC, OU=IT, O=CSW, C=DE Supplied distinguished name: "CN=RFC, OU=IT, O=CSW, C=DE" Generating key (RSA, 1024-bits) ... succeeded. certificate creation... ok PSE update... ok PKRoot... ok Generating certificate request... ok. PKCS#10 certificate request for "<your path>/RFC.pse"4. Execute the following command to export the Client Certificate of the newly created PSE. The exported certificate is named as RFC.crt. > sapgenpse export_own_cert -v -p RFC.pse -o RFC.crt Opening PSE your path>/RFC.pse"... No SSO credentials found for this PSE. Please enter PIN: ******** PSE open ok. Retrieving my certificate... ok. writing to file ...... ok
5. Import the Client Certificate to Server PSE via the transaction STRUST.
a. Open the Node SNC (SAPCryptolib) againb. Enter the SAPCryptolib password.c. Click on the Import certificate button.
d.
Set the file format to Base64 and choose the file.
e. Click Add to Certificate List.
6. Export the Server Certificate via the transaction STRUST.
a.
At node SNC (SAPCryptolib), double click on your own certificate so it displays in
the Certificate field.b. Click on Export certificate.c. From the File tab, choose Base64 for the File format and provide a name for the file.
7. Import the Server Certificate to the Client PSE On the command line run: > sapgenpse maintain_pk -v -a SNC.crt -p RFC.pse Opening PSE your path>/RFC.pse"... No SSO credentials found for this PSE. Please enter PIN: ******** PSE open ok. Adding new certificate from file "SNC.crt" --------------------------------------------------------------- Subject : CN=IDS, OU=IT, O=CSW, C=DE Issuer : CN=IDS, OU=IT, O=CSW, C=DE Serialno: 00 KeyInfo : RSA, 2048-bit Validity - NotBefore: Wed Mar 6 21:37:32 2008 (060927193732Z) NotAfter: Fri Jan 1 01:00:01 2038 (380101000001Z) --------------------------------------------------------------- PKList updated (1 entries total, 1 newly added) 8. Create the cred_v2 file. After setting up the client PSE you must create a file called cred_v2 which is used to securely give the RFC Program access to the PSE without providing the password for the PSE.On the command line run: > sapgenpse seclogin -p RFC.pse -O root running seclogin with USER="root" creatingcredentials for yourself (USER="root")... Please enter PIN: ******** Added SSO-credentials for PSE "<your path>/RFC.pse" "CN=RFC, OU=IT, O=CSW, C=DE" When you generate the cred_v2 file, the seclogin must be carried out under the account of the <sid>adm.9. Allow SNC RFC Connection. Map the x.509 certificates that were created for the user accounts on the SAP Server.a. Start Transaction SM30 and enter the view VSNCSYSACL.
This view is used to restrict the SNC RFC Connections by an Access Control List (ACL). You will see an alert window pop-up, just click on the "right" symbol.
b.
Choose E for the Type of ACL entry.
c. Enter System ID and SNC name.
Do not forget the p: in front of the DN.
d.
Check the boxes according to the following figure.
e. Save the entry.
When trying to edit the entry, you may see an alert window pop-up. Click on the right symbol and make your changes.
Setup the SNC Parameter Specific to an Inbound Scenario
For the communication path from an external program to an AS ABAP when using RFC, the external program is the initiator of the communication and the AS ABAP is the acceptor. One example of such a connection is the connection from an AS Java to an AS ABAP server. In this case, the AS Java uses the Java Connector (JCo) to establish the connection. Initiator (External Program) To apply SNC protection to external programs that communicate with an AS ABAP using RFC, you need to specify the SNC options in either the saprfc.ini file or over the program interface in rfclib. This section describes how to specify the information in the saprfc.ini file. The program may have a user interface for maintaining the parameters. See the documentation for the program for details. For example, on the AS Java you make the settings according to the application that establishes the connection. The application may also have its own user interface, or it may use the Destination or RFC Adapter service.Before setting the SNC parameters make sure:
• You want to apply SNC protection to the communications between the RFC external program and the AS ABAP.• The external program uses the saprfc.ini file.ProcedureUse the following table to set the SNC parameters in saprfc.ini:Table 12 SNC Parameters for saprfc.ini
Parameter Description Required? Valid values Default Value
SNC_PARTNERNAME The SNC name of the communication partner (application server)
Y string none
SNC_LIB The path and file name of the gssapi library
Y string none
SNC_MODE The SNC activation indicator
Y 0,10 = SNC disabled1= SNC activated
none
SNC_QOP Quality of protection (protection level)
N 1,2,3,8,9 3
SNC_MYNAME The SNC name of the user sending the RFC.
N string The name provided by the security product for the
logged-on user.
Sample saprfc.ini fileDEST=SNCINBOUNDTYPE=AASHOST=adsapSYSNR=00SNC_MODE=1SNC_PARTNERNAME=p:CN=BAM, OU=ENGG, O=myCompany, C=USSNC_LIB=C:\SAPUsr\Dev\Ongoing\SNC\sapcrypto.dllSNC_QOP=9SNC_MYNAME=p:CN=RFC, OU=ENGG, O=TIBCO, C=USThis example sets up the application server adsap as the RFC destination. The server's SNC name is p:CN=BAM, OU=ENGG, O=myCompany, C=US and the SNC library is located at C:\SAPUsr\Dev\Ongoing\SNC\sapcrypto.dll.Acceptor (AS ABAP)Follow steps described in the SAP documentation to configure the acceptor (the AS ABAP) for using SNC, set the profile parameters on the application server.The value contained in the parameter snc/accept_insecure_rfc determines whether or not to accept unprotected RFC connections. You can define this parameter to deny all insecure RFCs, accept all insecure RFCs, or accept insecure RFCs for specific users only (based on the Insecure communications permitted indicator in the table USRACL).User Authentication in the SAP SystemAs with RFC calls without SNC protection, you need to specify a user and a client in the RFC program when connecting to the SAP system. Note the following details about the authentication procedure when using SNC:
−
If the SNC name from the RFC program corresponds to the SNC name in the specified user's master record in the designated client, then the SAP system accepts the RFC logon request (without performing additional authentication).
−
Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the client, user, and SNC name combination. If a matching entry is found, then the SAP system accepts the logon request (without performing additional authentication).
−
Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the client, user, and an asterisk (*) as the SNC name. If a matching entry is found, then the system verifies the user's password. If the password is valid, then the SAP system accepts the logon as a secure logon.
−
Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the client, an asterisk as the user ID, and the RFC program's SNC name. If a matching entry is found, then the system verifies the user's password. If the password is valid, then the SAP system accepts the logon as a secure logon.
−
Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the client, an asterisk as the user ID, and an asterisk as the SNC name. If a matching entry is found, then the system verifies the user's password. If the password is valid, then the SAP system accepts the logon as a secure logon.
− Otherwise, the SAP system denies the logon request.When Establishing the RFC connectionThe RFC connection is established over a gateway port. For SNC-protected connection requests, the RFC library normally uses the secure gateway port, which accepts only SNC-protected connections. However, if both SNC and load-balancing are used, the RFC libraries also use the conventional gateway port for SNC-protected connections. Creating the Access Control List Entries on the Application Server Access control lists have to be created before configuring SNC between the application server and the AGate component. Make sure you have the ANC name for the AGate before proceeding.To maintain the SNC system access control list:1. Use table SNCSYSACL, view VSNCSYSACL, type=E. See Figure 13 , Figure 14 , and Figure 15 for reference.
Figure 13 Map the SNC Name to the User Figure 14 Maintain ACL SM30
Figure 15 Work Entry Type
2. Enter the AGate's SNC name in the SNC name field. The System ID field is optional. 3. Check the checkboxes for:− Entry for RFC activated− Entry for CPIC activated− Entry for DIAG activated (if you use the webgui service)− Entry for certificates activated (if users log on with X.509 client certificates)
− Entry for external ID (if users log on using an external identity, for example, when using Pluggable Authentication Services)
Figure 16 Details for the Access Control List
4. Save the data.Setup SNC Parameters Specific to Outbound Scenarios RFC: TCP/IP Connection - Registered ProgramFor an RFC call that uses a TCP/IP connection to call a registered program, the SAP System is the initiator of the communication and the registered program is the acceptor. In order to use ISNC protection, a registered program must be linked with an rfclib of at least Release 4.5A. It can, however, communicate with a SAP System Release 4.0A/B via a 4.0A/B gateway.Initiator (SAP System)Use transaction SM59 to maintain RFC destinations and their SNC options.The following description is only applicable as of Release 4.0.
When maintaining the SNC options for RFC destinations using transaction SM59, you specify the following SNC information:• SNC mode for the connection (active or inactive)• Quality of protection (QoP)• SNC partner nameThe other settings relevant to SNC (the application server's SNC name, the location of the external library, the maximum quality of protection, and the default quality of protection) are applied as defined in the application server's instance profile.If the RFC destination is an external RFC server program (Activation type = Start), then note the following:
• If you specify the external server program to start on an explicit host, then you need to specify the SNC name of the partner host in the SNC options to use SNC for the connection.
•
If you specify the external server program to start on the application server or on the front end workstation, then the SNC name of the partner is automatically derived from an existing secure path and you do not need to specify the SNC name of the partner in the SNC options. (In this case, the field for the SNC name is not activated.)
Configuring the Communication Partners for Use with SNCBefore configuring the communication parameters make sure the RFC destination is defined and the SNC activated on the application server.From the Display and maintain RFC destinations screen (transaction SM59):1. Place the cursor on the destination application server and choose Change.2. To enable SNC, select the SNC Activ indicator.3. Choose Destination SNC Options.The Change View "SNC extension: Details" screen appears.4. Enter the quality of protection in the QOP field.5.
Unless the destination is an external program that starts on the front end workstation (see the note above), enter the SNC name of the communication partner in the SNC names group.
6. Save the data.Quality of Protection (QoP)The following rules apply to the relationship between the QoP specified when configuring the communication partners and the QoP configured in the application server's profile parameter:
• The RFC destination's QoP can be smaller than the application server's snc/data_protection/min or larger than the application server's snc/data_protection/max.• If the RFC destination's QoP is larger than the level provided by the external security product, then the largest possible QoP is used.• If the RFC destination's QoP = 8 (default), then the QoP value from the application server's snc/data_protection/use is used.
• If the RFC destination's QoP = 9 (maximum), then the QoP value from the application server's snc/data_protection/max is used.
For any modifications to these rules refer to the SAP documentation.Acceptor (registered program)To apply SNC protection to registered programs that communicate with SAP Systems using RFC, you need to specify the SNC options in either the saprfc.ini file or use the program interface inrfclib. This section describes how to specify the information in saprfc.ini. For more information about using rfclib, see the SAP documentation.Make sure you provide or install accepting credentials for the RFC server program. The procedure for installing credentials depends on the security product that you use.Set the SNC parameters in saprfc.ini using values shown in Table 13 :Table 13 SNC Parameters for RFC
Parameter Description Required? Valid values
Default Value
SNC_LIB Path and file nameof the gssapi library
Y String None
SNC_MODE SNC
Activationindicator
Y 0, 10=SNC disabled1=SNC activated
None
SNC_QOPOptional
Quality of protection(protection level)
N 1,2,3,8,9 3
SNC_MYNAME Name of the RFC server programYou can use the parameter SNC_MYNAME to locally define the name that corresponds to the credentials for the RFC server program. If you do, then make sure that this SNC name corresponds to the SNC name as defined in the SNC options (SNC partner name) for the RFC destination for this server program. If you do not locally define SNC_MYNAME, then the registered program uses the
N String The SNC name contained in the RFC destination's SNC options.
SNC name defined in the RFC destination.
Sample destination in the saprfc.ini file:DEST=SNCOUTBOUNDTYPE=RPROGID=sapusrpidGWHOST=adsapGWSERV=sapgw00SNC_MODE=1SNC_MYNAME=p:CN=BAM, OU=ENGG, O=TIBCO, C=USSNC_LIB=C:\SAPUsr\Dev\Ongoing\SNC\sapcrypto.dllUsing SNC with Registered ProgramsYou can only enter one SNC partner name when you enter the SNC options for RFC destinations.If more than one program has the same registered program ID, they must also use the same credentials. This is generally not a problem if the programs are started on the same computer.However, starting registered programs on different computers is possible only if the same credentials can be used on the different computers. This largely depends on the security product used.
SNC INI File Example for the Adapter Setup the following connection parameters in the SAP INI File• INBOUND Connection INI File Example DEST=SNCINBOUND TYPE=A ASHOST=adsap SYSNR=00 SNC_MODE=1 SNC_PARTNERNAME=p:CN=BAM, OU=ENGG, O=myCompany, C=US SNC_LIB=C:\Adapter\Dev\Ongoing\SNC\sapcrypto.dll SNC_QOP=9 SNC_MYNAME=p:CN=BAM, OU=ENGG, O=TIBCO, C=US
• OUTBOUND Connection INI File Example DEST=SNCOUTBOUND TYPE=R PROGID=adapterpid GWHOST=adsap GWSERV=sapgw00 SNC_MODE=1 SNC_MYNAME=p:CN=BAM, OU=ENGG, O=myCompany, C=US SNC_LIB=C:\SAPUsr\Dev\Ongoing\SNC\sapcrypto.dllTransaction CodesThe following Transaction codes are used for the SNC Setup:• STRUST• RZ10• SU01• SM59• SM30
