Enable Secure Network Communications (SNC) in BW

Enable SNC to provide a secure connection between SAP BW and the remote function call (RFC) server for jobs that you launch from SAP BW.

Prerequisites:
  • Verify that SAP Cloud Integration for data services has the 64-bit SNC library installed.

  • Download the SAPGUI_WIN32 package (the SAP Front End UI), if it is not already installed. You use it to log on to the SAP system for tasks such as importing the host certificate and exporting the server certificate.

  1. Open a command prompt as an administrator.
  2. Execute cd %link_dir%/bin.
  3. Generate the host certificate PSE by running the following command:

    sapgenpse.exe gen_pse -p PSE_name.pse -x PSE_password "CN=host_name, O=SAP, C=US"

    The distinguished name consists of the following case-sensitive elements:
    • CN = <Common_Name>

    • O = <Organization>

    • C = <Country>

    Example
    sapgenpse.exe gen_pse -p hostname.pse -x abc1234 "CN=hostname, O=SAP, C=US"

    Result: The PSE certificate is created under ProgramData > SAP > DataServicesAgent > ssl > sec.

  4. In the same command prompt as the previous step, create the login credential for the newly created PSE by running the following command:

    sapgenpse.exe seclogin -p PSE_name.pse -x PSE_password -o PSE_username

    Refer to the syntax definitions in step 3.
    Example
    sapgenpse.exe seclogin -p hostname.pse -x "abc1234" -o XYZ6789

    Result: The credential file cred_v2 is created under ProgramData > SAP > DataServicesAgent > ssl > sec.

  5. In the same command prompt as the previous step, export the host certificate by running the following command:

    sapgenpse.exe export_own_cert -o %ds_common_dir%\ssl\sec\PSE_name.crt -p PSE_name.pse -x PSE_password

    Refer to the syntax definitions in step 3.
    Example
    sapgenpse.exe export_own_cert -o %ds_common_dir%\ssl\sec\hostname.crt -p hostname.pse -x abc1234
  6. In the SAP Logon application, update the BW/4HANA server with the agent host name certificate by doing the following:
    1. Select the BW/4HANA server or create a new entry for the server if necessary by performing the following steps:

      1. Select a connection type of Custom Application Server.

      2. Select User Specified System and select Next.

      3. Select Custom Application Server.

      4. Enter a description, the application server name, the instance number, and the system ID, then select Finish.

    2. Log on to the server by doing the following:

      1. Double-click the created connection.

      2. Enter the username and password.

    3. On the SAP Easy Access page, enter STRUST in all capital letters, then select Enter to access SAP Trust Manager.

    4. Locate and expand SNC SAPCryptolib, then select the host server certificate beneath it.

    5. Select the Display / Change icon in the upper left to go into Change mode.

    6. Import the host <PSE_name>.crt certificate to the BW/4HANA server by doing the following:

      1. Select the Import Certificate icon at the bottom of the window.

      2. Locate the host certificate .crt file in the directory to which you extracted it in step 5, then select Open and Continue.

        Note
        Select Allow if you receive a security warning about file access.
      3. Select Add to Certificate List to add the imported certificate to the list of certificates.

      4. Select Save. The message “Certificate added to PSE” appears in the lower left of the window.

  7. Export the BW/4HANA server certificate to update the host certificate by performing these steps:
    1. Double-click the Subject field.

    2. Select the Export Certificate icon in the lower left of the window.

      Note

      Confirm that the information you will export is related to the server certificate, not the PSE file you created.

    3. In File path, change the prepopulated file name, but be sure to maintain a .crt extension. This name cannot be the same as the one you just imported. Also, make this certificate name unique so you do not overwrite it if you export other certificates.

      Example
      BWServerB42Certificate.crt
    4. In File Format, select Base64.

    5. Select the green Confirm checkmark. Select Allow if you receive a security warning about file access.

      Result: The .crt file is created under ProgramData > SAP > DataServicesAgent > ssl > sec.

    6. Select Save.

  8. Point the host to the server by doing the following:
    1. In the SAP Logon application, enter transaction /nSU01.

    2. Enter the username you use to log into your SAP system, then press Enter. This is not the user you use to log into the host machine.

    3. Select the Display icon.

    4. Navigate to the SNC tab.

    5. Select the Change icon in the upper left of the window.

    6. In the SNC Name field, insert the information you added when you created the certificate in the following format: p:CN=<your CN>, O=<your O>, C=<your C>.

      Example
      In step 3 you executed sapgenpse.exe gen_pse -p local_machine.pse -x password "CN=local_machine, O=SAP, C=US". Therefore, in SNC Name you would enter p:CN=local_machine, O=SAP, C=US.
    7. Make sure that Allow password logon for SAP GUI (user-specific) is selected.

  9. Update the PSE with the server certificate by going back to the command prompt and in the folder %link_dir%\bin running the following command:

    sapgenpse.exe maintain_pk -a %ds_common_dir%\ssl\sec\server_certificate.crt -p PSE_name.pse -x PSE_password

    Example
    sapgenpse.exe maintain_pk -a %ds_common_dir%\ssl\sec\BWServerB42Certificate.crt -p local_machine.pse -x password
  10. Go into the datastore and set up SNC authentication by doing the following:
    1. Select SNC as the authentication type.

    2. Provide the SNC library, the SNC name of Data Services, and the SNC name of the SAP system, as follows:

      • SNC library

        Enter the full path and name of the third-party security library to use for SNC communication (authentication, encryption, and signatures), which in a standard agent installation is C:\Program Files\SAP\DataServicesAgent\bin\sapcrypto.dll.

        You must add the folder C:\Program Files\SAP\DataServicesAgent\bin as a configured directory on your agent machine.

      • SNC name of Data Services

        This is the PSE of the certificate of the agent. This is the information you entered in step 8.6.
        Example
        p:CN=ccus1vmwin083, O=SAP, C=US
      • SNC name of SAP system

        This is the certificate of the appserver, which was created when IT installed the server. It must be in the following format: p:<subject>.
        Example
        p:CN=B42, OU=SAP-BI, O=SAP, C=FR
        Gather this information as follows:
        1. In the SAP Logon application, log on to the server.

        2. At the command prompt of the SAP Logon application, type STRUST in all capital letters, then select Enter to access SAP Trust Manager.

        3. View the certificate list.

        4. For SNC name of SAP system, in the Own Certificate window, select the Subject field at the top, then copy the contents of the Subject field in the lower portion of the window. You populate the SNC name of SAP system field with this value.
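A pre-flight check for the values this procedure has you type by hand in steps 8.6 and 10 and export in step 7.4, as an added example that is not part of the SAP documentation. The function names are hypothetical, and requiring the SNC name to equal "p:" plus the gen_pse DN character for character is this example's own conservative rule.

```python
import base64
import binascii


def parse_dn(dn):
    """Split 'CN=x, O=y' into (key, value) pairs; assumes no escaped commas."""
    pairs = []
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if not (sep and key and value):
            raise ValueError(f"malformed DN element: {part!r}")
        pairs.append((key, value))
    return pairs


def check_snc_name(pse_dn, entered):
    """Return the reasons 'entered' is not 'p:' + the DN given to gen_pse."""
    if entered == "p:" + pse_dn:
        return []
    if not entered.startswith("p:"):
        return ["missing 'p:' prefix"]
    try:
        want, got = parse_dn(pse_dn), parse_dn(entered[2:])
    except ValueError as exc:
        return [str(exc)]
    if want == got:
        return ["spacing differs from the DN used in gen_pse"]
    fold = lambda pairs: [(k.upper(), v.upper()) for k, v in pairs]
    if fold(want) == fold(got):
        return ["upper/lower case differs; the DN elements are case-sensitive"]
    return [f"elements differ: expected {want}, got {got}"]


def is_base64_certificate(data):
    """True for a Base64 export (step 7.4), False for binary DER or junk."""
    lines = [ln.strip() for ln in data.splitlines() if ln.strip()]
    body = b"".join(ln for ln in lines if not ln.startswith(b"-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    # Every X.509 certificate is an ASN.1 SEQUENCE, so its DER starts with 0x30.
    return der[:1] == b"\x30"


if __name__ == "__main__":
    # DN from the example in step 8.6; the entered value has a lowercase "cn".
    print(check_snc_name("CN=local_machine, O=SAP, C=US", "p:cn=local_machine, O=SAP, C=US"))
```

Run `check_snc_name` on the value before saving it in SU01 or the datastore, and `is_base64_certificate` on the bytes of the exported .crt file before passing it to maintain_pk.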