ivanyin
Advisor
Starting with version 2022.15 (2022 QRC3), SAP Analytics Cloud (SAC) supports creating an import connection to SAP BW that uses Secure Network Communication (SNC) to encrypt communication between the cloud agent and SAP BW. SAP Note 3234061 describes the general steps to complete this configuration.

 

This blog records the detailed steps I followed to implement it in my internal test SAC tenant, Cloud Agent server and BW server. The whole scenario assumes SNC has already been enabled on the ABAP server side. If not, you may need to refer to KBA 2979858 first.

 

Also, all the steps below are only verified in the internal systems currently. Some of them could be changed in the future and you may need to adjust them according to different system conditions.

 

Disclaimer: All screenshots, commands and other information were taken from a sample test system and do not represent actual data (any resemblance as such is purely coincidental).

 

Let's start now!

 

Step 1: Set up local SAP Crypto Libraries


First of all, we need to prepare SAP Crypto Libraries in the machine where SAP Cloud Agent is running.

  1. Update SAC Cloud Agent to the newest version by following this guide.

  2. Get SAP Crypto Libraries files by either of the two methods below:

    1. You can find them in the folder extracted from the downloaded SAC Cloud Agent above. The relative path is \C4AAGENT355_0-80000881\win64_x64\tp.sap.cryptolib.

    2. Download SAP Crypto libraries following KBA 1954305.

    3. Or you can merge these files to avoid any potential issues 🙂



  3. Create a local directory to store the SAP Crypto libraries. (Here I use C:\Users\Administrator\Desktop\SAPCRYPTO)

  4. Copy all the files in Step 2 to this location (C:\Users\Administrator\Desktop\SAPCRYPTO)

  5. Create a sub-directory called "sec" (C:\Users\Administrator\Desktop\SAPCRYPTO\sec)

  6. Create a sub-directory called "cpic" (C:\Users\Administrator\Desktop\SAPCRYPTO\cpic)


  7. Create Windows system environment variables as below:

    Variable name     Variable value
    SNC_LIB           C:\Users\Administrator\Desktop\SAPCRYPTO
    SECUDIR           C:\Users\Administrator\Desktop\SAPCRYPTO\sec
    CPIC_TRACE        C:\Users\Administrator\Desktop\SAPCRYPTO\cpic
    CPIC_TRACE        0
    CPIC_TRACE_DIR    C:\Users\Administrator\Desktop\SAPCRYPTO\cpic




  8. Edit the Windows system environment variable Path and add the root directory containing your sapcrypto libraries (it is C:\Users\Administrator\Desktop\SAPCRYPTO in this case)

  9. Go to Windows Start Menu -> Tomcat configuration -> Log on. Then change the logon user to the OS Administrator (instead of LocalSystem), or make sure it is already set that way.

  10. Reboot the whole OS to make sure all the changes can take effect.


Step 2: Generate PSE Certificates



  1. Open Windows Command Line and switch to the folder containing sapgenpse.exe.(C:\Users\Administrator\Desktop\SAPCRYPTO in this case)

  2. Run the command sapgenpse gen_pse -v -p <NAME_OF_PSE>

    • Change <NAME_OF_PSE> to the file name you want to assign to the PSE file. I will use CloudAgent.pse here.



  3. When prompted, provide a PSE PIN/Passphrase

  4. When prompted, provide a distinguished name for the server.

    • Here I use CN=Cloud Agent.

    • You can use DN of your server.



  5. When complete, the result should look similar to this and the pse file will be generated under the sec folder.

  6. Run command: sapgenpse export_own_cert -x <PSE PIN/Passphrase> -v -p <NAME_OF_PSE> -o <NAME_OF_CLIENT_CERT>

    • Change <PSE PIN/Passphrase> to the password you just set.

    • Change <NAME_OF_PSE> to the PSE file name above.

    • Change <NAME_OF_CLIENT_CERT> to the file name you want to assign to the CRT file. I use the certificate name "CloudAgent.crt"



  7. When complete, the results should look similar to this and the crt file should be generated in the root folder(C:\Users\Administrator\Desktop\SAPCRYPTO).


Step 3: Exchange Certificates


Importing the Cloud Agent certificate into the SAP BW Server



  1. Log into BW/ABAP and run STRUST transaction.

  2. Expand the "SNC (SAPCryptolib)" item and click Certificate > Import Certificate in the menu bar.

  3. Select the CRT that was created previously (CloudAgent.crt) and click the green checkmark to import.

  4. Click "Add to Certificate list" to add the certificate to the SAP PSE file.


Exporting SAP Certificate from SAP System



  1. Double-click the Subject DN in the "Own Certificate" section to actively select the certificate (it will change the details in the "Certificate" section).

  2. Click the "Export Certificate" button at the bottom.

  3. Provide a path and filename for the exported certificate (I give it the name as G75.crt)

  4. Select "Base64" in the File Format section.

  5. Click the green checkmark to complete the export. Copy the file to the root folder(C:\Users\Administrator\Desktop\SAPCRYPTO).

  6. Back on the "Trust Manager" window, click the SAVE icon to commit all of the changes.(Do not forget this step!!!)


Adding SNC ACL Entry in SAP System



  1. Go to SNC0 and click "New Entries".

  2. Provide a System ID (e.g CloudAgent)

  3. Provide the SNC name of the Cloud Agent certificate, starting with p: (It should be the value set in Step2.4 and it is p:CN=CloudAgent here).

  4. Check the "Entry for RFC activated," "Entry for CPIC activated" and "Entry for ext. ID activated" boxes.

  5. Save it and the SNC data status box should change to "Canonical name defined".


Complete the Trust relationship on the Cloud Agent server



  1. Open Windows Command Line and switch to the folder containing sapgenpse.exe.(C:\Users\Administrator\Desktop\SAPCRYPTO in this case)

  2. Run sapgenpse maintain_pk -v -a <NAME_OF_SERVER_CERT> -p <NAME_OF_PSE>

    • Change <NAME_OF_SERVER_CERT> to the file name of the certificate we just exported from BW. It is G75.crt here.

    • Change <NAME_OF_PSE> to the PSE file we generated in Step 2.2 and it is CloudAgent.pse here.



  3. When prompted, provide the PSE PIN/Passphrase

  4. When completed, the results should appear similar to

  5. Run sapgenpse seclogin -x <PSE PIN/Passphrase> -p <NAME_OF_PSE>

    • Currently you should run the Windows command line using the OS account that is used to start Tomcat.

    • Change <PSE PIN/Passphrase> to the value you set in Step2.3.

    • Change <NAME_OF_PSE> to the PSE file we generated in Step 2.2 and it is CloudAgent.pse here.



  6. Run sapgenpse get_my_name -p <NAME_OF_PSE>

  7. Run sapgenpse maintain_pk -l -p <NAME_OF_PSE>

  8. When completed, the results should appear similar to the screenshots below:

  9. Restart Tomcat.
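
A preflight check for the Cloud Agent host covering Steps 1 to 3, as an added example that is not part of the original post. It assumes the Tomcat Windows service is named Tomcat9 (adjust to your installation) and relies on cred_v2 being the credential file that sapgenpse seclogin writes to SECUDIR; the function name is hypothetical.

```powershell
# Added example, not from the original post. Run it in a console opened as the
# OS account that ran "sapgenpse seclogin" (Step 3).
function Test-SncAgentSetup {
    param(
        [string]$PseName = 'CloudAgent.pse',  # PSE file name used in this post
        [string]$TomcatService = 'Tomcat9'    # assumption: adjust to your service name
    )
    $issues = [System.Collections.Generic.List[string]]::new()
    # Step 1.7: system variables exist and point at real directories.
    foreach ($name in 'SNC_LIB', 'SECUDIR') {
        $value = [Environment]::GetEnvironmentVariable($name, 'Machine')
        if (-not $value) { $issues.Add("$name is not set as a system variable") }
        elseif (-not (Test-Path -LiteralPath $value)) { $issues.Add("$name path is missing: $value") }
    }
    $sncLib  = [Environment]::GetEnvironmentVariable('SNC_LIB', 'Machine')
    $secuDir = [Environment]::GetEnvironmentVariable('SECUDIR', 'Machine')

    # Step 1.8: the library directory is on the system Path (comparison ignores case).
    $pathDirs = ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';') |
        ForEach-Object { $_.TrimEnd('\') }
    if ($sncLib -and ($pathDirs -notcontains $sncLib.TrimEnd('\'))) {
        $issues.Add('SNC_LIB directory is not on the system Path')
    }

    if ($secuDir -and (Test-Path -LiteralPath $secuDir)) {
        # Steps 2-3: the PSE and the credential file written by seclogin (cred_v2).
        foreach ($file in $PseName, 'cred_v2') {
            if (-not (Test-Path -LiteralPath (Join-Path $secuDir $file))) { $issues.Add("$file not found in SECUDIR") }
        }
        # The PSE holds the agent's private key: flag access granted to broad groups.
        (Get-Acl -LiteralPath $secuDir).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and "$($_.IdentityReference)" -match 'Everyone|\\Users$|Authenticated Users' } |
            ForEach-Object { $issues.Add("SECUDIR is accessible to $($_.IdentityReference)") }
    }

    # Steps 1.9 and 3.5: Tomcat must run as the account that holds the credentials.
    $svc = Get-CimInstance Win32_Service -Filter "Name='$TomcatService'"
    $me  = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    if (-not $svc) { $issues.Add("Service '$TomcatService' not found") }
    elseif ($svc.StartName -eq 'LocalSystem') { $issues.Add('Tomcat runs as LocalSystem') }
    else {
        $account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
        if ($account -ne $me) { $issues.Add("Tomcat runs as $account, but this check ran as $me") }
    }
    return $issues
}

$found = Test-SncAgentSetup
if ($found) { $found } else { 'All checks passed' }
```

The group names matched in the ACL check are the English ones; on a localized Windows installation they need to be adapted.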


Step 4: Enable SNC support for SAC





    1. Log in to SAC and go to System > Administration > Data Source Configuration.

    2. Create a new or edit an existing Cloud agent location.

    3. Enable SNC support toggle.

    4. Enter full path of SAP crypto library on the Cloud agent system. In this blog, it is C:\Users\Administrator\Desktop\SAPCRYPTO\sapcrypto.dll

    5. Enter SNC name of Cloud agent. It is set in Step 3 > Adding SNC ACL Entry in SAP System > 3. It is p:CN=CloudAgent here.

    6. Enter SNC quality of protection or leave it as default.

    7. Go to SAC > Connections.

    8. Create new or edit existing BW Import connection.

    9. Select Cloud agent location that we just set to support SNC.

    10. Check Enable Secure Network Communication (SNC)

    11. Enter SNC name of the BW system. You can find it in the subject DN in STRUST or in the result of the command sapgenpse maintain_pk -v -a <NAME_OF_SERVER_CERT> -p <NAME_OF_PSE>. It is p:CN=G75 OU=XX C=XX here.

    12. Enter all other fields and create connection.




 

After that, you can create a model using this connection and see if it works now! If you have any questions, please leave a comment here!
5 Comments
Ranganathan
Advisor
0 Kudos

Thanks for the nice blog.

Configurations were fine without any error,

but on the connection creation step in SAC it gives the below exception:

 

Connection to BW system failed: CPIC-CALL: CMRCV on convId: 76194811 with rc: 20
LOCATION CPIC (TCP/IP) with Unicode

ERROR GSS-API(maj): No credentials were supplied
Unable to establish the security context
target="p:CN=L01, OU=TIP, OU=SAP, C=FR"
TIME Fri Nov 25 10:54:46 2022
RELEASE 753
COMPONENT SNC (Secure Network Communication)
VERSION 6
RC -4
MODULE D:/depot/bas/753_REL/src/krn/snc/sncxxall.c
LINE 3604
DETAIL SncPEstablishContext
SYSTEM CALL gss_init_sec_context
COUNTER 16

Correlation ID: 41383573-8225-4118-8292-875698830245
Is there any way to resolve this?
Thanks
Ranganathan
ivanyin
Advisor
0 Kudos
Hi Ranganathan,

 

The most common issue is that the logon user of Tomcat is not set correctly. Please check the step below in the blog and do the needful change.

  • Go to Windows Start Menu->Tomcat configuration->Log on. Then change/make sure the logon user is OS Administrator(instead of Localsystem).


Regards,

Ivan
0 Kudos
Hi Yvan,

Before explaining my issue, I want to thank you, as this is the only blog I was able to find that explains the entire configuration for connecting using SNC from SAC to BW. Sadly, I have the same issue as Ranganathan. But in my case we are using Linux. Would you know which would be the alternative step for doing this on Linux CC/Tomcat configuration? What I have done is run seclogin with the tomcat user, which is the user that runs that service, but the one I use to start the service is root. Thanks a lot.

Kind Regards,

Manuel
diwakarvaish
Explorer
0 Kudos
Hi Ivan,

We have followed the blog to configure SNC between BW and SAC. We have disabled non-SNC connections to BW by implementing the parameter: snc/accept_insecure_rfc = 0

 

When testing the Import connection, we are getting error as following:

Connection to BW system failed: SNC required for this connection
Correlation ID: 16728554-3337-4614-9961-623717433931

 

 
dasari_reddy_ext
Explorer
0 Kudos
Hi ivan.yin2 ,

We are facing an issue while saving the connection to BW System using SNC in our SAC Tenant.
We have done all the configurations correctly but still facing the issue. Kindly suggest what could be the cause for it.

CONNECT_TO_BW_SYSTEM_FAILED CPIC-CALL: CMRCV on convId: 16890629 with rc: 20

LOCATION CPIC (TCP/IP) with Unicode
ERROR GSS-API(maj): Miscellaneous failure
GSS-API(min): A2210210:Verification of own certificate by
server faile
target="p:CN=xxxxxxxxxxxxxxx, OU=CIT, O=xxxxxxxxxxxx, C=DE"
TIME Tue Mar 21 09:29:00 2023
RELEASE 753
COMPONENT SNC (Secure Network Communication)
VERSION 6
RC -4
MODULE D:/depot/bas/753_REL/src/krn/snc/sncxxall.c
LINE 3604
DETAIL SncPEstablishContext
SYSTEM CALL gss_init_sec_context
COUNTER 60


Regards,