For the communication path from an external program to an AS ABAP when using CPIC, the external program is the initiator of the communication and the AS ABAP is the acceptor.
To apply SNC protection to external programs that communicate with an AS ABAP using CPIC, you need to specify the SNC options either in the sideinfo file or over the program interface in cpictlib. This section describes how to specify the information in the sideinfo file. For information on using cpictlib, see C Program Interfaces.
Prerequisites
You want to apply SNC protection to the communications between the CPIC external program and the AS ABAP.
Procedure
Set the SNC parameters in the sideinfo file as shown in the table below.
SNC Parameters for CPIC External Programs → AS ABAP
Parameter | Description | Required or Optional | Permitted Values | Default |
---|---|---|---|---|
SNC_PARTNERNAME | SNC name of the application server | Required | String value in quotation marks | None |
SNC_LIB | Path and file name of the gssapi library | Required | String value | None |
SNC_MODE | SNC activation parameter | Required | 0, 1 (0 = SNC disabled, 1 = SNC activated) | None |
SNC_QOP | Quality of protection (protection level) | Optional | 1, 2, 3, 8, 9 | 3 |
SNC_MYNAME | SNC name of the user sending the CPIC | Optional | String value | The name provided by the security product for the logged-on user. |
Example sideinfo file
```
DEST=XYZ_S
PROTOCOL=I
LU=host1
TP=sapdp01
GWHOST=host1
GWSERV=sapgw01s
CPIC_TRACE=1
SNC_PARTNERNAME="p:CN=sap01.host1, OU=TEST01, O=myCompany, C=US"
SNC_MODE=1
SNC_LIB=/usr/sap/ABC/SYS/exe/run/libsapcrypto.so
```
This example sets up the application server hs0017 as the CPIC destination. The server's SNC name is p:CN=sap01.host1, OU=TEST01, O=myCompany, C=US and the SNC library is located at: /usr/sap/ABC/SYS/exe/run/libsapcrypto.so.
Set the profile parameters on the application server as described in Profile Parameter Settings on AS ABAP.
The value of the parameter snc/accept_insecure_cpic determines whether unprotected CPIC connections are accepted. You can define this parameter to deny all insecure CPICs, accept all insecure CPICs, or accept insecure CPICs for specific users only (based on the Insecure communications permitted indicator in the table USRACL).
As in CPIC calls without SNC protection, you need to specify a user and client in the CPIC program when connecting to the SAP system. The authentication procedure is identical to that for RFCs (see Configuring SNC: External Programs → AS ABAP Using RFC).
CPIC calls can only be performed with user accounts in the SAP system of type CPIC.
When establishing the CPIC connection:
The CPIC connection is established over a gateway port. For SNC-protected connections, you should use the secure gateway port. Specify the secure port in the parameter GWSERV in the sideinfo file. The secure port has the character s included in the name (see below):
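The settings from this section can be checked mechanically. The following Python audit is an added example, not SAP code: it parses sideinfo entries and reports deviations from the parameter table and from the secure gateway port rule. It assumes whitespace- or newline-separated KEY=VALUE tokens and that the secure port name ends in s (as in sapgw01s); the destination XYZ_WEAK is constructed for illustration.

```python
import re

# KEY=VALUE tokens; a value is a quoted string (may hold spaces) or a bare word.
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMITTED_QOP = {"1", "2", "3", "8", "9"}  # permitted values from the table


def parse_sideinfo(text):
    """Return {DEST: {param: value}}; each DEST= token starts a new entry."""
    entries, current = {}, None
    for key, value in TOKEN.findall(text):
        value = value.strip('"')
        if key == "DEST":
            current = entries.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return entries


def audit_entry(params):
    """List where one destination deviates from the SNC settings in the table."""
    findings = []
    mode = params.get("SNC_MODE")
    if mode != "1":
        findings.append(f"SNC_MODE={mode or '<unset>'}: SNC not activated")
    for required in ("SNC_PARTNERNAME", "SNC_LIB"):
        if not params.get(required):
            findings.append(f"{required} missing (required)")
    qop = params.get("SNC_QOP", "3")  # table default is 3
    if qop not in PERMITTED_QOP:
        findings.append(f"SNC_QOP={qop} is not a permitted value")
    gwserv = params.get("GWSERV", "")
    if not gwserv.endswith("s"):  # assumption: secure port name ends in "s"
        findings.append(f"GWSERV={gwserv or '<unset>'} is not a secure gateway port")
    return findings


def audit(text):
    return {dest: audit_entry(p) for dest, p in parse_sideinfo(text).items()}


# Constructed sample: the page's entry plus a weak variant, XYZ_WEAK.
SAMPLE = '''DEST=XYZ_S PROTOCOL=I LU=host1 TP=sapdp01 GWHOST=host1 GWSERV=sapgw01s
SNC_PARTNERNAME="p:CN=sap01.host1, OU=TEST01, O=myCompany, C=US" SNC_MODE=1
SNC_LIB=/usr/sap/ABC/SYS/exe/run/libsapcrypto.so
DEST=XYZ_WEAK LU=host1 TP=sapdp01 GWHOST=host1 GWSERV=sapgw01 SNC_MODE=0 SNC_QOP=5
'''
if __name__ == "__main__":
    for dest, findings in audit(SAMPLE).items():
        print(dest, findings or "OK")
```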