
Upload: edeva001

Post on 12-May-2017


Generated by Jive on 2014-04-02+02:00

Configuring SAP SNC without Single Sign-On on UNIX/Solaris/Linux

So, you want to enable SNC (without Single Sign-On -- SSO) in your environment? You have Solaris (or other UNIX) and you don't want to pay for third party libraries?

SAP has a solution for you! But implementing the solution may be a nightmare. SAP developed their own guide/documentation showing how to do this, but you may find following their documentation a bit troublesome. It's for this reason I developed this document.

Applicable Notes with Prerequisites

Some notes with important pre-reading are listed below. There are three version prerequisites to watch out for: GUI, Kernel, SAP Basis Component.

SAP OSS Note 1561161 - Enabling SAP GUI password logon despite using SNC. This note discusses Kernel Version and Basis Support Pack prerequisites.
SAP OSS Note 1053737 - Versions of supported SAPGUIs
SAP OSS Note 1580808 - SAP Logon 7.20: "SNC logon w/o SSO" for connection entry

Tags

In this document you will see the following tags used. This section explains what you should substitute for each tag.

<SID> = Your System ID.
<Instance> = The name/number of the instance, e.g. DVEBMGS## or D##.
<SPN> = Service Principal Name created in Active Directory.
<ActiveDirectoryDomain> = Your Active Directory domain name (fully qualified, e.g. DomainName.YourOrganization.org). If you don't know what this should be, ask your Active Directory staff.

Our situation:
OS = Solaris 10
Database = Oracle
Hardware Platform = SPARC

You'll need to search for and download the following:

1. SNC Client Encryption/Libraries 1.0
SAP's Software Distribution Center -> Installations and Upgrades -> Search For Installations and Upgrades -> 51042493
OR
SAP's Software Distribution Center -> Installations and Upgrades -> Browse our Download Catalog -> SAP Cryptographic Software -> SNC CLIENT ENCRYPTION 1.0 -> Installation -> 51042493 (or latest version)


2. SNC Client Encryption/Libraries 1.0 SP 02
SAP's Software Distribution Center -> Support Packages and Patches -> Search Support Packages and Patches -> SLLIBRARY02_4-20008890 (This patch is for Solaris on SPARC 64 only)
OR
SAP's Software Distribution Center -> Support Packages and Patches -> Search Support Packages and Patches -> SLLIBRARY02

3. Latest SAPCrypto Lib
SAP's Software Distribution Center -> Support Packages and Patches -> Browse our Download Catalog -> SAP Cryptographic Software -> SAPCryptolib for Updates

Now that you have downloaded what you need, let's get to business!

1. Server Side Installation

1. Upload all files downloaded above to your server.
2. Unzip the library you downloaded in #1 above on page 1.
3. In a separate folder, un-sar the file you downloaded in #2 above on page 1.
4. Inside the unzipped archive (from Step 2 on page 2) you will find a folder called "SECURE_LOGIN_LIBRARY". Inside it, select the correct subfolder for your OS. Hint: "Solaris" is often referred to as sunos 5. If you have Solaris 10 on SPARC (like us) you will want the folder called "sunos-5.10-sparc-64".
5. Inside the unzipped archive (from Step 3 on page 2) you will find a series of folders that match up to your operating system version. Note the appropriate folder.
6. Go to /usr/sap/<SID>/<INSTANCE>. Inside it create two directories (if they don't already exist): "SLL" and "security".
7. Inside the SLL folder use SAPCAR to un-sar the "SECURELOGINLIB.SAR" which is in the folder you identified in Step 4 on page 2.
8. While still inside the SLL folder use SAPCAR to un-sar the "SECURELOGINLIB.SAR" identified in Step 5 on page 2.
9. Go to /sapmnt/<SID>/exe/. Once inside it use SAPCAR to un-sar the file downloaded in #3 above on page 2.

2. Active Directory Preparation/Work

This solution requires that you use MS Active Directory (aka Domains). For this section you will have to work with your organization's Active Directory staff.

1. Have the Active Directory staff create a new service account for you. The name of the account doesn't really matter, just note what it is.
2. Set a strong account password. Set the password to never expire and to be unchangeable. Note the exact PaSsWoRd made here; you'll need it later in section 3.


3. Inside the new account created in the previous step, have them create/assign a new "Service Principal Name" (SPN). The name and case of this SPN is critical and must be followed precisely: SAP/Kerberos<SID> -- as previously noted, this entry is CaSe SeNsItIvE. Herein this will be called <SPN>.

3. Server Side Config

1. Change directories to /usr/sap/<SID>/<Instance>/SLL.
2. Set the environment variable "SECUDIR" to "/usr/sap/<SID>/<Instance>/sec". If you like/use bash (like me) do this by executing "export SECUDIR=/usr/sap/<SID>/<Instance>/sec".
3. Create the PSE environment. Do this by executing "./snc crtpse" with your PWD (present working directory) being /usr/sap/<SID>/<INSTANCE>/SLL/. You'll be prompted to create a password. The value of this password doesn't matter, but note what you make it.
4. Create a keytab entry for your SPN created above. Do this by executing "./snc crtkeytab -s <SPN>@<ActiveDirectoryDomain>". You will be prompted for a password. This password must be the same as the password set when you created the Active Directory account in step 2-1. The <ActiveDirectoryDomain> must be in ALL CAPS.

4. AS ABAP Configuration

1. Log into your SAP System GUI.
2. Start up transaction RZ10. Set the following parameters in your instance (or DEFAULT.PFL, if you prefer) profile(s):

snc/permit_insecure_start 1
snc/accept_insecure_cpic 1
snc/r3int_rfc_qop 8
snc/r3int_rfc_secure 0
snc/data_protection/use 3
snc/data_protection/min 2
snc/data_protection/max 3
snc/identity/as p:CN=<SPN>@<ActiveDirectoryDomain> - the <ActiveDirectoryDomain> must be in ALL CAPS
snc/gssapi_lib /usr/sap/<SID>/<Instance>/SLL/libsecgss.so
snc/enable 0
snc/force_login_screen 1
snc/accept_insecure_rfc 1
snc/accept_insecure_gui 1
ssf/name SAPSECULIB (suggested in DEFAULT.PFL)
ssf/ssfapi_lib $(ssl/ssl_lib)
ssl/ssl_lib $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
sec/libsapsecu $(ssl/ssl_lib)

3. Add the following entry to your start profile(s):

SETENV_XX (XX = next available value) SECUDIR=$(DIR_INSTANCE)/sec

4. Exit AS ABAP/Log off.
5. Restart the SAP System.
6. Once the system is restarted, go to transaction STRUST.
7. In transaction STRUST you will now find an entry in the left pane that says "SNC SAPCryptolib". It should have a red "X" next to it. Right click on it and select "Create". You'll notice the "SNC ID" is already filled in for you. Select RSA and an appropriate key size, then click the green check mark.
8. Go back to RZ10. Change the value of "snc/enable" to 1.
9. Log out and restart the SAP system again.

Once you've restarted the system you can look in /usr/sap/<SID>/<Instance>/work/dev_w0 and see something like this:

N Wed Aug 14 13:45:01 2013
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/usr/sap/EQ2/DVEBMGS51/SLL/libsecgss.so
N File "/usr/sap/<SID>/<Instance>/SLL/libsecgss.so" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x
N SncInit(): found snc/identity/as=p:CN=<SPN>@<ActiveDirectoryDomain>
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=Indefinite
M ***LOG R1Q=> p:CN=<SPN>@<ActiveDirectoryDomain> [thxxsnc.c 266]
M SNC (Secure Network Communication) enabled

If you don't see this but instead see errors, chances are your ABAP system no longer works (good job). You'll have to manually edit your instance profile in /sapmnt/<SID>/profile and set snc/enable to 0. Then restart your system and troubleshoot (good luck).
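Before going through the restarts in section 4, the snc/* parameters can be checked offline against the values that section sets. The following Python script is an added example, not part of this guide or of any SAP tool: it parses a profile fragment, compares the protection levels and snc/enable (which must still be 0 before the STRUST PSE exists), verifies the library path and the ALL CAPS domain in snc/identity/as, and lists which accept_insecure parameters still admit connections without SNC. The SID and instance in the sample come from the dev_w0 excerpt above; the SPN's domain is made up.

```python
# Added example (not from this guide or from SAP): check the snc/* parameters
# of an instance profile against the values section 4 sets before the restart.
import re

EXPECTED = {  # snc/enable stays 0 until the STRUST PSE has been created
    "snc/enable": "0", "snc/data_protection/min": "2",
    "snc/data_protection/use": "3", "snc/data_protection/max": "3",
}
# With any of these set to 1 the server still accepts connections that do not
# use SNC, so SNC protects only those clients configured to request it.
INSECURE_ACCEPT = ("snc/permit_insecure_start", "snc/accept_insecure_cpic",
                   "snc/accept_insecure_rfc", "snc/accept_insecure_gui")
PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")
IDENTITY_RE = re.compile(r"^p:CN=(?P<spn>[^@]+)@(?P<domain>[^@]+)$")

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' lines are skipped."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            params[m.group(1)] = m.group(2)
    return params

def check_snc_profile(text):
    """Return a sorted list of findings; an empty list means the profile matches."""
    p, findings = parse_profile(text), []
    for name, want in EXPECTED.items():
        if p.get(name) != want:
            findings.append(f"{name}: expected {want!r}, found {p.get(name)!r}")
    if not p.get("snc/gssapi_lib", "").endswith("/SLL/libsecgss.so"):
        findings.append("snc/gssapi_lib: should point at <Instance>/SLL/libsecgss.so")
    m = IDENTITY_RE.match(p.get("snc/identity/as", ""))
    if not m:
        findings.append("snc/identity/as: expected p:CN=<SPN>@<ActiveDirectoryDomain>")
    elif not m.group("domain").isupper():
        findings.append("snc/identity/as: the Active Directory domain must be in ALL CAPS")
    findings += [f"{n}=1: connections without SNC are still accepted"
                 for n in INSECURE_ACCEPT if p.get(n) == "1"]
    return sorted(findings)

# Constructed profile fragment: SID/instance from the dev_w0 excerpt, domain made up.
SAMPLE_PROFILE = """\
snc/enable = 0
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/data_protection/max = 3
snc/gssapi_lib = /usr/sap/EQ2/DVEBMGS51/SLL/libsecgss.so
snc/identity/as = p:CN=SAP/KerberosEQ2@corp.example.org
snc/accept_insecure_gui = 1
"""
```

Run against the real profile with `check_snc_profile(open(path).read())`; the sample above yields two findings, the lowercase domain and the accept_insecure_gui flag.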

5. PC SNC Client Installation/Config

1. Inside the main SNC library file you downloaded above in file download step 1 on page 1, you'll find an "SNC_CLIENT_ENCRYPTION" folder. On your PC execute the "SapSncClientEncryption.exe" file you'll find in this folder. If you already have the "SNC Client Encryption" installed, I'd recommend you uninstall it and reinstall it, just to make sure you have a compatible version.
2. After completing the previous step, start up the SAP GUI on your workstation.
3. In the GUI right click on the logon entry representing the SAP system you are working on. Select "Properties" from the context menu that pops up.
4. On the window that pops up, select the "Network" tab.
5. Check the box that says "Activate Secure Network Communications".
6. Enter the "SNC Name" as follows: p:CN=<SPN>@<ActiveDirectoryDomain>
7. Select "Maximum security settings available".
8. Check the box "SNC logon with user/password (no Single Sign-On)".

You've done it. Now all that's left is to pray to the deity of your choosing <grin>. If he/she smiles upon you, you should be able to log in to your SAP System. You'll note a lock (which was previously open) in the lower right hand of your GUI screen in the status bar.