Configuring Certificate-Based Logon with SAP SNC - trillium_quality - 17.1

Trillium Quality for SAP Reference Guide

Product type: Software
Portfolio: Verify
Product family: Trillium
Product: Trillium > Trillium Quality
Version: 17.1
Language: English
Product name: Trillium Quality
Title: Trillium Quality for SAP Reference Guide
Topic type: Administration, Overview, How Do I, Configuration, Reference, Installation
First publish date: 2008

The following example configures the Trillium SAP Client to connect to an SAP ERP system with the system ID E6D.

  1. Download the SAP Cryptolib from the SAP Service Marketplace. Be sure to download the appropriate version for your platform.

  2. Install the SAP Cryptolib on your SAP system. Copy sapcrypto.dll and sapgenpse.exe to your SAP system’s kernel directory. (The file extensions will be different if you are not using Windows.) In this example, the kernel directory is E:\usr\sap\E6D\SYS\exe\uc\NTI386.

  3. Copy the ticket file to the SAP instance security directory. In this example, the instance security directory is E:\usr\sap\E6D\DVEBMGS00\sec.

  4. For user <sid>adm, set the environment variable SECUDIR to the SAP instance security directory, in this example, E:\usr\sap\E6D\DVEBMGS00\sec. Be sure to set this permanently in the user’s environment.

  5. Set the following SAP instance profile parameters. Adapt the values as appropriate for your system ID and platform. The value of snc/identity/as can be chosen freely; the recommended convention is the SAP system ID as the CN, your company's domain as the O, your country code as the C, and any value that represents your organizational unit as the OU.

    • sec/libsapsecu   E:\usr\sap\E6D\SYS\exe\uc\NTI386\sapcrypto.dll
    • ssf/ssfapi_lib   E:\usr\sap\E6D\SYS\exe\uc\NTI386\sapcrypto.dll
    • snc/gssapi_lib   E:\usr\sap\E6D\SYS\exe\uc\NTI386\sapcrypto.dll
    • ssf/name   SAPSECULIB
    • snc/identity/as   p:CN=E6D, OU=SAPCON, O=TRILLIUM, C=US

  6. Re-boot your server (Windows only) and re-start SAP (all platforms).

  7. Logon to SAP using an account with Basis Administration authorizations.

  8. Create the SNC PSE using transaction STRUST.

    The SNC ID defaults to the value set in parameter snc/identity/as.

  9. Confirm the information message.

  10. Assign a password to the SNC PSE. Remember this password; you will need it later.

  11. Now that the PSE is created and has a password, set the following SAP instance profile parameters. The snc/accept_insecure_* and snc/permit_insecure_start values of 1 are what keep user-and-password access open alongside certificate-based logon; set these as appropriate for your environment.

    • snc/enable   1
    • snc/accept_insecure_rfc   1
    • snc/accept_insecure_gui   1
    • snc/accept_insecure_cpic   1
    • snc/permit_insecure_start   1
    • snc/data_protection/min   1
    • snc/extid_login_diag   1
    • snc/extid_login_rfc   1

  12. Stop and re-start SAP to activate these new parameters.

  13. Install the SAP Cryptolib on the system where the Trillium SAP Client is installed:
    1. Create a security directory under your Trillium Software directory. In this example the directory is named C:\Program Files\Trillium Software\MBSW\17\tsq\Software\bin\sec.

    2. Copy ticket and sapcrypto.dll to the new security directory (C:\Program Files\Trillium Software\MBSW\17\tsq\Software\bin\sec).

    3. Copy sapgenpse.exe to the Trillium Software bin directory. In this example the directory is C:\Program Files\Trillium Software\MBSW\17\tsq\Software\bin.

    4. If you run Trillium on the same server as your SAP system, do not run Trillium as user <sid>adm. You need a separate operating system user to run the Trillium services and processes. If you do not already have a separate operating system user, create one before continuing.

    5. For the Trillium service user, set the environment variable SECUDIR to the Trillium security directory, in this example C:\Program Files\Trillium Software\MBSW\17\tsq\Software\bin\sec. Be sure to set this permanently in the user's environment.

    6. Change your current directory to C:\Program Files\Trillium Software\MBSW\17\tsq\Software\bin\sec.

    7. Generate a PSE for the RFC user that will be used to login to SAP. In this example, the SAP user ID is RFCUSER1. Run C:\Program Files\Trillium Software\MBSW\17\tsq\Software\bin\sapgenpse gen_pse -v -p RFCUSER1.pse. You will be prompted to enter the following:

      • PIN:   <PIN for the PSE>. For this example, the PIN is set to rfcuser1pin.

      • Distinguished name of PSE owner: CN=RFCUSER1, OU=SAPCON, O=TRILLIUM, C=US

  14. Export the client certificate for RFCUSER1 from the PSE:
    1. Change your current directory to C:\Program Files\Trillium Software\MBSW\17\tsq\Software\bin\sec.

    2. Run C:\Program Files\Trillium Software\MBSW\17\tsq\Software\bin\sapgenpse export_own_cert -v -p RFCUSER1.pse -o RFCUSER1.crt.

    3. When prompted, enter the PSE PIN from step 13.7 above (in this example, rfcuser1pin).

  15. Import the client certificate for RFCUSER1 into the SAP system:
    1. Copy the client certificate for RFCUSER1 from C:\Program Files\Trillium Software\MBSW\17\tsq\Software\bin\sec\RFCUSER1.crt to a location that is accessible from your desktop PC.

    2. Login to SAP and run transaction STRUST. Open the SNC (SAPCryptolib) node and double click the instance name to open the server’s SNC PSE.

    3. Press the import certificate button.

    4. Enter the path for the local copy of the client certificate for RFCUSER1 and select file format Base64.

    5. The certificate for RFCUSER1 appears in the bottom half of the screen. Click Add to Certificate List to add RFCUSER1’s certificate to the server’s SNC PSE.

  16. Export the SAP server’s certificate:
    1. Double click on the SNC server certificate so that it is displayed in the bottom portion of the screen, then click Export Certificate.

    2. Enter a location to save the certificate file and select file format Base64.

  17. Import the SAP server’s certificate into RFCUSER1’s PSE:
    1. Copy the SAP server’s certificate to the system where the Trillium SAP Client is installed. Put the certificate file into the security directory. In this example C:\Program Files\Trillium Software\MBSW\17\tsq\Software\bin\sec.

    2. Import the certificate. Run C:\Program Files\Trillium Software\MBSW\17\tsq\Software\bin\sapgenpse maintain_pk -v -a E6D.crt -p RFCUSER1.pse. When prompted, enter the PIN for RFCUSER1’s PSE, in this example, rfcuser1pin.

    3. Add SSO credentials for the Trillium service user. Login as the Trillium service user (TRILLSERV\TRILLUSER in this example) and run C:\Program Files\Trillium Software\MBSW\17\tsq\Software\bin\sapgenpse seclogin -p RFCUSER1.pse -O TRILLSERV\TRILLUSER.

  18. Configure the SNC ACL in the SAP system to allow RFC connections:
    1. Run transaction SM30 on view VSNCSYSACL. Enter Type of ACL “E”.

    2. Create a new entry for the Trillium client (the guide's screenshot of this entry is not reproduced here).

  19. Create a communications user in the SAP system (in this example, user RFCUSER1 in client 001). See Chapter 2, “Activating the SAP System” for details on the required authorizations. On the SNC tab, enter RFCUSER1's SNC name, which is the distinguished name given to the PSE in step 13.7 above with the p: prefix, in this example p:CN=RFCUSER1, OU=SAPCON, O=TRILLIUM, C=US.

  20. If you have firewalls in your environment, be sure that the secure gateway port is open. In this example the secure gateway service name and port number are sapgw00s and 4800. Replace the "00" in both with your SAP system number if your system number is not "00".

  21. Configure the destination for your SAP system as follows in your SAPNWRFC.INI file on the Trillium server. In this example the file location is C:\Program Files\Trillium Software\MBSW\17\tsq\Software\conf\SAPNWRFC.INI.

    DEST=E6D
    ASHOST=sapdev-lt
    SYSNR=00
    SNC_MODE=1
    SNC_PARTNERNAME=p:CN=E6D, OU=SAPCON, O=TRILLIUM, C=US
    SNC_LIB=C:\Program Files\Trillium Software\MBSW\17\tsq\Software\bin\sec\sapcrypto.dll
    TRACE=0

  22. Remove the clear text password from the trilSAP.cfg file, so that the SAP section contains only the destination:

    [SAP<HOST1>]
    Dest=E6D

  23. Stop the Trillium SAP client.

  24. Logout and login again as the Trillium service user.

  25. Verify that the environment variable SECUDIR is set to the Trillium security directory, in this example C:\Program Files\Trillium Software\MBSW\17\tsq\Software\bin\sec.

  26. Restart the Trillium SAP Client. You should now be connected without using a clear text password.

  27. Set the permissions on the security directory C:\Program Files\Trillium Software\MBSW\17\tsq\Software\bin\sec to prevent access by users other than the Trillium service user.
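As an added check (example code written for this page, not part of the Trillium product or the original guide), the following Python script parses the SAPNWRFC.INI destination from step 21 and the trilSAP.cfg section from step 22 and reports anything that still diverges from the certificate-based setup: a leftover password key, SNC switched off, a partner name that is not the server's snc/identity/as, or an SNC_LIB that is not sapcrypto.dll. The file contents and the password key names it looks for are constructed assumptions.

```python
import re

SAPNWRFC_INI = """\
DEST=E6D
ASHOST=sapdev-lt
SYSNR=00
SNC_MODE=1
SNC_PARTNERNAME=p:CN=E6D, OU=SAPCON, O=TRILLIUM, C=US
SNC_LIB=C:\\Program Files\\Trillium Software\\MBSW\\17\\tsq\\Software\\bin\\sec\\sapcrypto.dll
"""
TRILSAP_CFG = "[SAP<HOST1>]\nDest=E6D\n"   # constructed samples with the guide's values
SERVER_SNC_NAME = "p:CN=E6D, OU=SAPCON, O=TRILLIUM, C=US"   # snc/identity/as from step 5
SNC_NAME_RE = re.compile(r"^p:CN=[^,]+(?:, ?(?:OU|O|C)=[^,]+)*$")  # p:<DN> syntax as in the guide

def parse_blocks(text, start_key=None):
    """Group KEY=VALUE lines into dicts; '[name]' or a start_key line (DEST=) opens a block."""
    blocks, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = blocks.setdefault(line[1:-1], {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if start_key and key.upper() == start_key:
                cur = blocks.setdefault(value, {})
            elif cur is not None:
                cur[key.upper()] = value
    return blocks

def check_snc_config(ini_text, cfg_text, server_snc_name):
    """Return findings; an empty list means the client side matches the procedure."""
    findings, dests = [], parse_blocks(ini_text, "DEST")
    for section, keys in parse_blocks(cfg_text).items():
        # Step 22: any password-like key (assumed names) means the clear-text password is still there.
        findings += [f"{section}: clear-text credential key {k} still present"
                     for k in keys if "PASS" in k or k == "PWD"]
        dest = dests.get(keys.get("DEST"))
        if dest is None:
            findings.append(f"{section}: Dest={keys.get('DEST')} has no DEST block in SAPNWRFC.INI")
            continue
        if dest.get("SNC_MODE") != "1":           # step 21: SNC must be switched on
            findings.append(f"{section}: SNC_MODE must be 1, found {dest.get('SNC_MODE')!r}")
        partner = dest.get("SNC_PARTNERNAME", "")
        if not SNC_NAME_RE.match(partner):
            findings.append(f"{section}: SNC_PARTNERNAME {partner!r} is not a p:CN=... SNC name")
        elif partner != server_snc_name:          # must equal the server's snc/identity/as
            findings.append(f"{section}: SNC_PARTNERNAME does not match the server SNC name")
        if not dest.get("SNC_LIB", "").lower().endswith("sapcrypto.dll"):
            findings.append(f"{section}: SNC_LIB does not point at sapcrypto.dll")
    return findings
```

Run check_snc_config on the real files' contents before step 26; any finding explains why the client would still fall back to, or fail without, a password.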