You can also apply SNC protection to data being printed. This applies to both printing on the frontend computer (access method = F) and printing using SAPlpd (access method = S).
Printing on a Frontend Computer
Printing on a frontend computer is automatically protected with SNC if the SAP GUI connection is SNC-protected.
Printing Using SAPlpd
When printing using SAPlpd (printing with access method = S), the AS ABAP spool work process is the initiator of the communication and the SAPlpd program on the printer server is the acceptor.
Initiator (AS ABAP)
To configure SAPlpd to use SNC protection, use the spool administration (transaction SPAD).
Prerequisites
● SNC must be activated on the application server (snc/enable = 1).
● The printer must use the access method type = S (Print on LPDHOST via SAP protocol).
Procedure
From the Spool Administration: Initial Screen (transaction SPAD):
1. Choose Configuration → Output devices.
A list of output devices appears.
2. To maintain an existing device, select the output device and choose Output device → Choose; to create a new device, choose Output device → Create.
The maintenance screen for the device appears.
3. In addition to the standard printer data:
a. Under Access Method, select the type S: Print on LPDHOST via SAP protocol.
b. Under Security, select the level of protection to use.
If you select Only Authentication (QoP = 1), Integrity Protection (QoP = 2), or Privacy Protection (QoP = 3), then SNC is also activated.
4. As Security Mode select whether SNC protection is optional or not. (For a variety of reasons, it may not be possible for all communications using SAPlpd to be SNC-protected.)
5. Enter the SNC name of the SAPlpd in the Identity of the Remote SAPlpd for the Security System: field.
6. Save the data.
Acceptor (SAPlpd)
On the accepting side (SAPlpd), you need to specify the SNC parameters in the win.ini file. You also need to specify additional options after starting SAPlpd.
Specifying SNC parameters in win.ini
Prerequisites
You want to protect the communication between the AS ABAP and SAPlpd with SNC. The following parameters are not necessary if you do not want to use SNC.
Procedure
1. To activate SNC, create a section called [snc] in the win.ini file.
2. Set the SNC parameters shown in the table below.
SNC Parameters for SAPlpd
Parameter | Description | Required or Optional | Permitted Values | Default |
gssapi_lib | Path and file name of the gssapi library | Required | String value | None |
Enable | SNC activation indicator | Required | 0, 1 (0 = SNC disabled, 1 = SNC activated) | None |
identity/lpd | SNC name of SAPlpd | Required | String value | None |
Example
Example destination in the win.ini file:
[snc]
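An added example, not part of the original SAP documentation: a Python check that a win.ini file carries the three required [snc] parameters from the table above and that Enable is set to 1. The sample file contents, the library path and the SNC name are constructed placeholders, and the function name is hypothetical.

```python
import configparser

# Required [snc] parameters from the table (configparser lowercases key names).
REQUIRED = ("gssapi_lib", "enable", "identity/lpd")

def audit_snc_section(ini_text):
    """Return findings for the [snc] section; an empty list means it passes."""
    parser = configparser.ConfigParser(
        delimiters=("=",),     # values such as paths and SNC names may contain ':'
        interpolation=None,    # values may contain '%'
        strict=False,          # tolerate duplicate keys elsewhere in win.ini
        allow_no_value=True,   # tolerate bare lines in other sections
    )
    parser.read_string(ini_text)
    # win.ini section names are case-insensitive; configparser's are not.
    section = next((s for s in parser.sections() if s.lower() == "snc"), None)
    if section is None:
        return ["no [snc] section: SNC is not configured for SAPlpd"]
    values = parser[section]
    findings = []
    for key in REQUIRED:
        if not (values.get(key) or "").strip():
            findings.append(f"required parameter '{key}' is missing or empty")
    enable = (values.get("enable") or "").strip()
    if enable == "0":
        findings.append("Enable = 0: SNC is disabled")
    elif enable and enable != "1":
        findings.append(f"Enable = {enable}: permitted values are 0 and 1")
    return findings

# Constructed samples; the library path and SNC name are placeholders.
SAMPLE_OK = """\
[snc]
gssapi_lib=C:\\path\\to\\gssapi-library.dll
Enable=1
identity/lpd=<SNC name of SAPlpd>
"""
SAMPLE_BAD = """\
[fonts]
[SNC]
Enable=0
identity/lpd=
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_snc_section(text) or "passes")
```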
Specifying Additional SNC Options for SAPlpd
Prerequisites
You have started SAPlpd.
Procedure
From the Saplpd.log - SAPLPD dialog box:
1. Choose Options → Secured Connection.
The Secured connections screen appears.
2. Choose the appropriate option from the SAP Security Library group. This setting must correlate with the Security setting in the SAP System (Mandatory or Optional). The options have the following meanings:
○ Do not use: All communications are insecure
○ Use if possible: SNC-protection depends on the initiator
○ Use always: Accept only SNC-protected connections
3. Set the Quality of protection (QoP) by choosing the appropriate option. This setting must be the same as the quality of protection level set in the SAP System. The options have the following meanings:
○ Authenticate sender (QoP = 1): Authentication only
○ Integrity protection of data (QoP = 2): Authentication and integrity protection
○ Privacy protection of data (QoP = 3): Authentication, integrity protection, and privacy protection
4. Choose Add new connection to specify the partners SAPlpd should accept.
The Authorized connections screen appears.
5. Either select Accept every authenticated connection to accept all connections or create a list of the individual partners to accept.
To add partner names to the list:
a. Enter the partner's SNC name in the Last authenticated connection initiator field.
b. Choose Authorize.
If you choose to accept all connections, then the name of the last accepted partner automatically appears in the Last authenticated connection initiator field. You can then add it to the list.
6. Choose OK.
Result
The configuration is automatically saved in the win.ini file.