Configuring SNC: Printing

You can also apply SNC protection to data being printed. This applies to both printing on the frontend computer (access method = F) and printing using SAPlpd (access method = S).

Printing on a Frontend Computer

Printing on a frontend computer is automatically protected with SNC if the SAP GUI connection is SNC-protected.

Printing Using SAPlpd

When printing using SAPlpd (printing with access method = S), the AS ABAP spool work process is the initiator of the communication and the SAPlpd program on the printer server is the acceptor.

Initiator (AS ABAP)

To configure SAPlpd to use SNC protection, use the spool administration (transaction SPAD).

Prerequisites

SNC must be activated on the application server (snc/enable = 1).

The printer must use the access method type = S (Print on LPDHOST via SAP protocol).

Procedure

From the Spool Administration: Initial Screen (transaction SPAD):

1. Choose Configuration → Output devices.

A list of output devices appears.

2. To maintain an existing device, select the output device and choose Output device → Choose; to create a new device, choose Output device → Create.

The maintenance screen for the device appears.

3. In addition to the standard printer data:

a. Under Access Method, select the type S: Print on LPDHOST via SAP protocol.

b. Under Security, select the level of protection to use.

If you select Only Authentication (QoP = 1), Integrity Protection (QoP = 2), or Privacy Protection (QoP = 3), then SNC is also activated.

4. For Security Mode, select whether SNC protection is optional or not. (For a variety of reasons, it may not be possible for all communications using SAPlpd to be SNC-protected.)

5. Enter the SNC name of the SAPlpd in the Identity of the Remote SAPlpd for the Security System: field.

6. Save the data.

Acceptor (SAPlpd)

On the accepting side (SAPlpd), you need to specify the SNC parameters in the win.ini file. You also need to specify additional options after starting SAPlpd.

Specifying SNC parameters in win.ini
Prerequisites

You want to protect the communication between the AS ABAP and SAPlpd with SNC. The following parameters are not necessary if you do not want to use SNC.

Procedure

1. To activate SNC, create a section called [snc] in the win.ini file.

2. Set the SNC parameters shown in the table below.

SNC Parameters for SAPlpd

| Parameter | Description | Required or Optional | Permitted Values | Default |
| --- | --- | --- | --- | --- |
| gssapi_lib | Path and file name of the gssapi library | Required | String value | None |
| Enable | SNC activation indicator | Required | 0, 1 (0 = SNC disabled, 1 = SNC activated) | None |
| identity/lpd | SNC name of SAPlpd | Required | String value | None |

Example

Example [snc] section in the win.ini file:

[snc]
enable=1
gssapi_lib=C:\SAP_Cryptolib\sapcrypto.dll
identity/lpd=p:CN=saplpd.host5, OU=TEST01, O=myCompany, C=US
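
A check of the [snc] section against the parameter table above, as an added example that is not part of the original SAP documentation. The function name, the finding texts, and the whitespace-only comparison of the SNC name with the one entered in SPAD are assumptions; the sample win.ini is constructed from the page's example.

```python
import configparser

REQUIRED = ("gssapi_lib", "enable", "identity/lpd")  # parameters from the table above

# Constructed sample: the page's example [snc] section inside a minimal win.ini.
SAMPLE_WIN_INI = r"""
; constructed sample file
[fonts]
[snc]
enable=1
gssapi_lib=C:\SAP_Cryptolib\sapcrypto.dll
identity/lpd=p:CN=saplpd.host5, OU=TEST01, O=myCompany, C=US
"""

def _norm(snc_name):
    # Assumption: names are compared after dropping whitespace around commas.
    return ",".join(part.strip() for part in snc_name.split(","))

def audit_snc_section(ini_text, spad_identity=None):
    """Return findings for the [snc] section; an empty list means nothing was flagged."""
    # '=' is the only delimiter so the ':' inside "p:CN=..." stays in the value.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(ini_text)
    # Section names are matched case-insensitively here.
    name = next((s for s in cp.sections() if s.lower() == "snc"), None)
    if name is None:
        return ["no [snc] section: SNC is not activated for SAPlpd"]
    snc, findings = cp[name], []
    for key in REQUIRED:
        if not snc.get(key, "").strip():
            findings.append(f"{key}: required parameter missing or empty")
    enable = snc.get("enable", "").strip()
    if enable == "0":
        findings.append("enable=0: SNC disabled")
    elif enable and enable != "1":
        findings.append(f"enable={enable}: permitted values are 0 and 1")
    identity = snc.get("identity/lpd", "").strip()
    # spad_identity: the SNC name entered for the remote SAPlpd in transaction SPAD.
    if spad_identity and identity and _norm(identity) != _norm(spad_identity):
        findings.append("identity/lpd differs from the SNC name entered in SPAD")
    return findings

if __name__ == "__main__":
    spad_name = "p:CN=saplpd.host5, OU=TEST01, O=myCompany, C=US"
    for finding in audit_snc_section(SAMPLE_WIN_INI, spad_name):
        print(finding)
```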

Specifying Additional SNC Options for SAPlpd
Prerequisites

You have started SAPlpd.

Procedure

From the Saplpd.log - SAPLPD dialog box:

1. Choose Options → Secured Connection.

The Secured connections screen appears.

2. Choose the appropriate option from the SAP Security Library group. This setting must correlate with the Security setting in the SAP System (Mandatory or Optional). The options have the following meanings:

| Option | Meaning |
| --- | --- |
| Do not use | All communications are insecure |
| Use if possible | SNC-protection depends on the initiator |
| Use always | Accept only SNC-protected connections |

3. Set the Quality of protection (QoP) by choosing the appropriate option. This setting must be the same as the quality of protection level set in the SAP System. The options have the following meanings:

| Option | Meaning |
| --- | --- |
| Authenticate sender | QoP = 1: Authentication only |
| Integrity protection of data | QoP = 2: Authentication and integrity protection |
| Privacy protection of data | QoP = 3: Authentication, integrity protection, and privacy protection |

4. Choose Add new connection to specify the partners SAPlpd should accept.

The Authorized connections screen appears.

5. Either select Accept every authenticated connection to accept all connections or create a list of the individual partners to accept.

To add partner names to the list:

a. Enter the partner's SNC name in the Last authenticated connection initiator field.

b. Choose Authorize.


If you choose to accept all connections, then the name of the last accepted partner automatically appears in the Last authenticated connection initiator field. You can then add it to the list.

6. Choose OK.

Result

The configuration is automatically saved in the win.ini file.
