09-07-2022 6:07 PM
Hello all,
SAP AS ABAP system fails to start after system refresh. We have recently enabled SNC and first time performing system refresh with SNC enabled. The application fails to start after the database recovery. The work process trace shows the application could not acquire accepting credentials for name (p:CN=SAPsncTARGETSID, O=CompanyName, L=Cityname, C=CountryName) associated to target system. It shows the default acceptor name from the source system (p:CN=SAPsncSOURCESID, O=CompanyName, L=Cityname, C=CountryName).
We use ABAP PCA to export and import system specific data, however, unable to bring system up. We have tried copying the PSE file from SOURCE system into the SECUDIR and created cred_v2 file but that did not help.
What is the best practice followed to perform system refresh on systems with SNC enabled?
10-12-2022 6:51 PM
We checked with SAP support and following feedback was given:
"When the STRUST-managed "SNC SAPCryptolib" PSE (aka SAPSNCS.pse) is used for SNC, then the original of that PSE file is persisted on the database by STRUST, and the PSE file contents are downloaded from the database and written into $(DIR_INSTANCE)$(DIR_SEP)sec$(DIR_SEP)SAPSNCS.pse during AppServer start, and before SncInit is called.
If the STRUST database table currently contain an incorrect "SNC SAPCryptolib" PSE as result of a database copy, then system should be started without SNC (snc/enable=0), then contents of "SNC SAPCryptolib" PSE in STRUST need to be replaced with the actually desired SNC PSE for the new system (such as a from a file-based backup copy of the previous SNC PSE), and that "SNC SAPCryptolib" PSE need to be imported and saved in tx STRUST, and then system needs to be restarted with the appropriate value for "snc/identity/as" & "snc/enable=1""
Regards,Asif10-04-2022 7:36 PM
Hi,
The SAPSNCS.pse should contain the certificate with the subject defined by snc/identity/as parameter. This is certificate that the system is expecting during startup.
Best regards,
Gabriel
10-12-2022 6:51 PM
10-12-2022 6:51 PM
We checked with SAP support and following feedback was given:
"When the STRUST-managed "SNC SAPCryptolib" PSE (aka SAPSNCS.pse) is used for SNC, then the original of that PSE file is persisted on the database by STRUST, and the PSE file contents are downloaded from the database and written into $(DIR_INSTANCE)$(DIR_SEP)sec$(DIR_SEP)SAPSNCS.pse during AppServer start, and before SncInit is called.
If the STRUST database table currently contain an incorrect "SNC SAPCryptolib" PSE as result of a database copy, then system should be started without SNC (snc/enable=0), then contents of "SNC SAPCryptolib" PSE in STRUST need to be replaced with the actually desired SNC PSE for the new system (such as a from a file-based backup copy of the previous SNC PSE), and that "SNC SAPCryptolib" PSE need to be imported and saved in tx STRUST, and then system needs to be restarted with the appropriate value for "snc/identity/as" & "snc/enable=1""
Regards,Asif