
Configuring SNC: Using CPIC from AS ABAP

To use SNC with CPIC calls from AS ABAP, you must configure the SNC options for each CPIC destination individually. You can either use transaction SM54 or SM30 (table TXCOMSECU). In this section, we describe how to configure the SNC options using transaction SM54.

Transaction SM54 distinguishes the following types of CPIC destinations (depending on the communication partner):

TYPE = C: R/2 connections (Does not support SNC.)

TYPE = I: R/3 connections

TYPE = E: Connections to external programs that are started over a gateway

TYPE = R: Connections to registered external programs


SNC for CPIC connections to R/2 (type = C) is not supported. There are no security products available for mainframes that support the GSS-API or that are implemented in R/2.

Therefore, you cannot activate SNC for connections defined as protocol type = C! Currently, you receive no error message when you activate SNC in the SNC options; however, you receive an error when you attempt to establish such a CPIC connection.

Maintaining SNC options for the initiator (AS ABAP) is similar for all of the categories and is described in Maintaining CPIC Destinations and Their SNC Options Using Transaction SM54.

Configuring SNC: SAProuter → SAProuter

Use

The SAProuter is a program that acts as an intermediate location in the network between SAP systems where access is controlled before data is sent further along the communication path.

Connections can also be established between SAP systems over several SAProuters. You can then secure connections between adjacent SAProuters using SNC. A typical example is shown in the figure below.

[Figure: SNC Communication Between SAProuters]

The connection between the adjacent SAProuters is protected using SNC. The SAProuters authenticate each other and encrypt the exchanged messages. In this way, you can establish a secure tunnel for communications between components that may not be able to use SNC.

A single SAProuter can be both the initiator and acceptor for an SNC-protected connection.


For a detailed description on the SAProuter, see SAProuter. In this document, we only describe the aspects that relate to SNC.

To establish SNC-protected connections between two SAProuters:

· You must establish an SNC environment for both SAProuters.

· You must activate SNC for the connection in the SAProuter's route permission table.

Establishing the SNC Environment

Perform the following steps to establish the SNC environment for each SAProuter:


1. On each SAProuter host, make sure that the environment variable SNC_LIB contains the path and file name of the external library.

2. Start the SAProuter with the option -K <snc_name>, where <snc_name> is the SNC name of the SAProuter being started.

The SAProuter then loads the external library and initializes the SNC environment.

Configuring SNC in the Route Permission Table

There are two types of entries that you need to make in the SAProuter route permission table:

KT (Key-Target) entries

A Key-Target entry specifies that the designated SAProuter → SAProuter connection should use SNC.

KP- / KD- / KS- entries

These entries are similar to the normal P- / D- / S- entries, but are used for SNC connections instead of standard connections. They specify the hosts and services that are or are not allowed to communicate with one another. As with normal P- / D- / S- entries, you can also specify a password for the connection.


You must pay attention to the order of the entries in the route permission table. For incoming connections, the SAProuter applies the first matching entry it finds in the route permission table. If a matching P- / D- / S- entry precedes an SNC entry, the SAProuter ignores the SNC entry. See the examples at the end of this topic.

KT Entries

To specify a KT entry, enter a line in the SAProuter's route permission table using the following syntax:

Syntax

KT <snc_name> <host> <service>

Where:

· SNC should be activated for connections to <host> <service>.

· <snc_name> is the SNC name of the communication partner.

· <host> is the name of the host (either the symbolic name or the IP address).

· <service> is the name of the service (either the symbolic name or the port number).

A wildcard entry (*) for <host> or <service> is not practical because the SNC partner name refers to a distinct partner.

Recommendation

To avoid conflicting entries, make K- entries before any normal P- / D- / S- entries.

KP- / KD- / KS- Entries

You must also enter KP- / KD- / KS- entries in the route permission table instead of P- / D- / S- entries for the SNC connections. These entries have the same meanings as the P- / D- / S- entries, except that the name of the source host or IP address is replaced with the SNC name of the source host. They have the following syntax:

Syntax

K<P|D|S> "<source_snc_name>" <dest_host> <dest_service> [<password>]

The SAProuter establishes (KT, KS) or denies (KD) a connection if the values received from the connection request match those in the above mentioned route permission table entries.

Quality of Protection (QoP)

When using SNC protection between SAProuters, the maximum available quality of protection is always applied.

Accepting the Incoming Connection

The SAProuter accepts an incoming connection if it finds a corresponding entry in its route permission table. For normal incoming connections (that do not use SNC protection), it identifies the communication partner using the source host (IP address) and the destination (host and service). However, for SNC-protected connections coming from a SAProuter, it uses the source SAProuter's SNC name for identification.

Example SAProuter Configurations when Using SNC

Example 1

Two SAProuters, one on host1, the other on host2, are to communicate with one another using SNC protection. The SAProuter on host2 should accept only SNC-protected connections from host1 that are directed to a dispatcher or gateway with system number 00.

SNC names of SAProuters on host1 and host2

SNC name on host1: "p:CN=saprout1, OU=TEST01, O=myCompany, C=US"

SNC name on host2: "p:CN=saprout2, OU=TEST01, O=myCompany, C=US"

Starting SAProuter on host1

The following entry starts the SAProuter on host1:

saprouter -r -K "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" &

Route Permission Table on host1

The route permission table on host1 contains the following entries:

# Initiating SNC for all connections to host2 :
KT "p:CN=saprout2, OU=TEST01, O=myCompany, C=US" host2 *
# Accepting all connections
P * * *

Starting SAProuter on host2

The following entry starts SAProuter on host2:

saprouter -r -K "p:CN=saprout2, OU=TEST01, O=myCompany, C=US" &

Route Permission Table on host2

The route permission table on host2 contains the following entries:

# accept incoming connections from SAProuter1
# with destination sapdp00 on any host
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapdp00
# accept incoming connections from SAProuter1
# with destination sapgw00 on any host
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapgw00

Example 2

As previously mentioned, you must pay attention to the order of the entries in the route permission table. The SAProuter applies the first matching entry it finds. In the following example, the SAProuter will not accept the SNC-protected connection request from host1 to host2 because of the first entry.

D host1 * *
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapdp00

Example 3

In the following example, the second line is unnecessary because the first line allows all connections from host1. Therefore, the second line does not enforce SNC protection for connections to sapdp00.

P host1 * *
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapdp00
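The first-match rule behind Examples 1 to 3 is easy to get wrong in a long route permission table. The following script is an added example, not SAP code and not the saprouter's actual implementation: it models only what the text states (P/D/S entries are matched on the source host, KP/KD/KS entries on the source SAProuter's SNC name, the first matching entry decides, KT entries only steer the initiating side), and adds a lint that reports K entries shadowed by an earlier P/D/S entry, which is the situation in Examples 2 and 3. The tables are taken from the page; the request objects, the `host_of` mapping and the "no match" result (saprouter refuses a request no entry covers) are assumptions made for the check.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

# SNC name taken from the page's examples
SAPROUT1 = "p:CN=saprout1, OU=TEST01, O=myCompany, C=US"


@dataclass
class Entry:
    kind: str          # P, D, S (plain) or KP, KD, KS (SNC)
    source: str        # source host/IP pattern, or the partner's SNC name for K entries
    dest_host: str
    dest_service: str


@dataclass
class Request:
    src_host: str                         # host/IP the connection arrives from
    dest_host: str
    dest_service: str
    src_snc_name: Optional[str] = None    # present only for SNC-protected requests


ACCEPT_KINDS = {"P", "S", "KP", "KS"}
DENY_KINDS = {"D", "KD"}


def parse_saprouttab(text: str) -> list[Entry]:
    """Parse the entry types this model understands. KT lines are skipped
    because they only tell the initiating SAProuter to use SNC."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)               # the quoted SNC name stays one token
        if tokens[0] == "KT":
            continue
        if len(tokens) < 4 or tokens[0] not in ACCEPT_KINDS | DENY_KINDS:
            raise ValueError(f"unsupported route permission entry: {raw!r}")
        entries.append(Entry(tokens[0], tokens[1], tokens[2], tokens[3]))
    return entries


def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def decide(entries: list[Entry], req: Request) -> str:
    """First matching entry wins. Returns 'accept', 'deny' or 'no match'
    (assumption: saprouter refuses a request that no entry covers)."""
    for e in entries:
        if e.kind in ("P", "D", "S"):
            src_ok = _match(e.source, req.src_host)
        else:
            # K entries identify the partner by SNC name, so an unprotected
            # request can never satisfy them
            src_ok = req.src_snc_name is not None and e.source == req.src_snc_name
        if src_ok and _match(e.dest_host, req.dest_host) and _match(e.dest_service, req.dest_service):
            return "deny" if e.kind in DENY_KINDS else "accept"
    return "no match"


def shadowed_k_entries(entries: list[Entry], host_of: dict[str, str]) -> list[int]:
    """Indices of K entries that an earlier P/D/S entry already decides.
    host_of maps a partner's SNC name to the host it connects from; it is an
    input constructed for this check, not something saprouter keeps."""
    shadowed = []
    for i, k in enumerate(entries):
        if k.kind not in ("KP", "KD", "KS"):
            continue
        host = host_of.get(k.source)
        for p in entries[:i]:
            if (p.kind in ("P", "D", "S") and host is not None
                    and _match(p.source, host)
                    and _match(p.dest_host, k.dest_host)          # earlier pattern covers the K entry
                    and _match(p.dest_service, k.dest_service)):
                shadowed.append(i)
                break
    return shadowed


# Route permission tables constructed from the page's Examples 1 to 3
TABLE_HOST2 = '''
# accept incoming connections from SAProuter1 with destination sapdp00 / sapgw00
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapdp00
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapgw00
'''
TABLE_EXAMPLE2 = '''
D host1 * *
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapdp00
'''
TABLE_EXAMPLE3 = '''
P host1 * *
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapdp00
'''

if __name__ == "__main__":
    snc_req = Request("host1", "app3", "sapdp00", src_snc_name=SAPROUT1)
    plain_req = Request("host1", "app3", "sapdp00")
    print(decide(parse_saprouttab(TABLE_HOST2), snc_req))        # accept
    print(decide(parse_saprouttab(TABLE_HOST2), plain_req))      # no match
    print(decide(parse_saprouttab(TABLE_EXAMPLE2), snc_req))     # deny: D entry comes first
    print(decide(parse_saprouttab(TABLE_EXAMPLE3), plain_req))   # accept: SNC not enforced
    print(shadowed_k_entries(parse_saprouttab(TABLE_EXAMPLE3), {SAPROUT1: "host1"}))  # [1]
```

Running the lint over a table before deploying it gives the check the recommendation above asks for (K entries before any P/D/S entry) without having to reason through each ordering by hand.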

Configuring SNC: SAP GUI → AS ABAP

For the communication between the SAP GUI and the AS ABAP, the SAP GUI is the initiator of the communication and the AS ABAP is the acceptor.

Initiator (SAP GUI)

There are several ways to start SAP GUI. They are:

· Direct start (execute sapgui.exe from a command prompt or over a shortcut)

· SAP Logon

· SAP Shortcuts

We describe the SNC configuration for each of the supported start methods in the following topics:

Configuring SNC: SAP GUI when Using Direct Start

Configuring SNC: SAP GUI when Using SAP Logon

Configuring SNC: SAP GUI When Using SAP Shortcuts

Acceptor (AS ABAP)

To configure the acceptor (AS ABAP) for using SNC, set the profile parameter settings on the application server and define the entries in user maintenance as described in Profile Parameter Settings on AS ABAP and User Maintenance on AS ABAP.

Configuring SNC: Printing

You can also apply SNC protection to data being printed. This applies to both printing on the frontend computer (access method = F) and printing using SAPlpd (access method = S).

Printing on a Frontend Computer

Printing on a frontend computer is automatically protected with SNC if the SAP GUI connection is SNC-protected.

Printing Using SAPlpd

When printing using SAPlpd (printing with access method = S), the AS ABAP spool work process is the initiator of the communication and the SAPlpd program on the printer server is the acceptor.

Initiator (AS ABAP)

To configure SAPlpd to use SNC protection, use the spool administration (transaction SPAD).

Prerequisites

SNC must be activated on the application server (snc/enable = 1).

The printer must use the access method type = S (Print on LPDHOST via SAP protocol).

Procedure

From the Spool Administration: Initial Screen (transaction SPAD):


1. Choose Configuration → Output devices.

A list of output devices appears.

2. To maintain an existing device, select the output device and choose Output device → Choose; to create a new device, choose Output device → Create.

The maintenance screen for the device appears.

3. In addition to the standard printer data:

a. Under Access Method, select the type S: Print on LPDHOST via SAP protocol.

b. Under Security, select the level of protection to use.

If you select Only Authentication (QoP = 1), Integrity Protection (QoP = 2), or Privacy Protection (QoP = 3), then SNC is also activated.

4. As Security Mode select whether SNC protection is optional or not. (For a variety of reasons, it may not be possible for all communications using SAPlpd to be SNC-protected.)

5. Enter the SNC name of the SAPlpd in the Identity of the Remote SAPlpd for the Security System: field.

6. Save the data.

Acceptor (SAPlpd)

On the accepting side (SAPlpd), you need to specify the SNC parameters in the win.ini file. You also need to specify additional options after starting SAPlpd.

Specifying SNC parameters in win.ini
Prerequisites

You want to protect the communication between the AS ABAP and SAPlpd with SNC. The following parameters are not necessary if you do not want to use SNC.

Procedure


1. To activate SNC, create a section called [snc] in the win.ini file.

2. Set the SNC parameters shown in the table below.

SNC Parameters for SAPlpd

| Parameter    | Description                              | Required or Optional | Permitted Values                              | Default |
|--------------|------------------------------------------|----------------------|-----------------------------------------------|---------|
| gssapi_lib   | Path and file name of the gssapi library | Required             | String value                                  | None    |
| Enable       | SNC activation indicator                 | Required             | 0, 1 (0 = SNC disabled, 1 = SNC activated)    | None    |
| identity/lpd | SNC name of SAPlpd                       | Required             | String value                                  | None    |

Example

Example [snc] section in the win.ini file:

[snc]
enable=1
gssapi_lib=C:\SAP_Cryptolib\sapcrypto.dll
identity/lpd=p:CN=saplpd.host5, OU=TEST01, O=myCompany, C=US
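A small checker for the [snc] section, added here as an example and not part of SAPlpd or any SAP tool. It reads the section with Python's configparser (win.ini uses the same key=value form), verifies what the table above states (all three parameters required, enable must be 0 or 1) and reports whether SNC is actually enabled. The sample win.ini texts are constructed from the page's example; the check that identity/lpd starts with "p:" is an assumption based on the name form used in all examples on this page.

```python
import configparser

# the three parameters the table above marks as Required
REQUIRED = ("gssapi_lib", "enable", "identity/lpd")


def check_saplpd_snc(win_ini_text: str) -> tuple[bool, list[str]]:
    """Return (snc_enabled, problems) for the [snc] section of a win.ini text.

    snc_enabled is True only when the section is complete and enable=1;
    problems lists every defect found so an operator can fix them all at once.
    """
    # interpolation=None: values may contain '%' or '=' (the SNC name does);
    # strict=False / allow_no_value=True: real win.ini files are not always tidy
    cfg = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cfg.read_string(win_ini_text)
    if not cfg.has_section("snc"):
        return False, ["no [snc] section: SAPlpd runs without SNC"]

    snc = cfg["snc"]   # option names are case-insensitive here, so Enable and enable match
    problems = []
    for key in REQUIRED:
        if not (snc.get(key) or "").strip():
            problems.append(f"required parameter '{key}' is missing or empty")

    enable = (snc.get("enable") or "").strip()
    if enable and enable not in ("0", "1"):
        problems.append(f"enable must be 0 or 1, got {enable!r}")

    identity = (snc.get("identity/lpd") or "").strip()
    if identity and not identity.startswith("p:"):   # assumption: printable 'p:' name form as in the examples
        problems.append("identity/lpd does not use the 'p:' name form used in the examples")

    return enable == "1" and not problems, problems


# constructed sample, following the page's example section
WIN_INI_OK = r"""
[windows]
load=

[snc]
enable=1
gssapi_lib=C:\SAP_Cryptolib\sapcrypto.dll
identity/lpd=p:CN=saplpd.host5, OU=TEST01, O=myCompany, C=US
"""

# constructed sample with two defects: identity missing, enable out of range
WIN_INI_BAD = r"""
[snc]
enable=2
gssapi_lib=C:\SAP_Cryptolib\sapcrypto.dll
"""

# constructed sample that is valid but leaves SNC switched off
WIN_INI_OFF = r"""
[snc]
enable=0
gssapi_lib=C:\SAP_Cryptolib\sapcrypto.dll
identity/lpd=p:CN=saplpd.host5, OU=TEST01, O=myCompany, C=US
"""

if __name__ == "__main__":
    for name, text in (("ok", WIN_INI_OK), ("bad", WIN_INI_BAD), ("off", WIN_INI_OFF)):
        enabled, problems = check_saplpd_snc(text)
        print(name, "SNC enabled:", enabled, problems)
```

Because the dialog described below writes its settings back into win.ini, the same check can be run after that step to confirm the file still carries a complete [snc] section.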

Specifying Additional SNC Options for SAPlpd
Prerequisites

You have started SAPlpd.

Procedure

From the Saplpd.log - SAPLPD dialog box:


1. Choose Options → Secured Connection.

The Secured connections screen appears.

2. Choose the appropriate option from the SAP Security Library group. This setting must correlate with the Security setting in the SAP System (Mandatory or Optional). The options have the following meanings:

Do not use: All communications are insecure

Use if possible: SNC protection depends on the initiator

Use always: Accept only SNC-protected connections

3. Set the Quality of protection (QoP) by choosing the appropriate option. This setting must be the same as the quality of protection level set in the SAP System. The options have the following meanings:

Authenticate sender: QoP = 1, authentication only

Integrity protection of data: QoP = 2, authentication and integrity protection

Privacy protection of data: QoP = 3, authentication, integrity protection, and privacy protection

4. Choose Add new connection to specify the partners SAPlpd should accept.

The Authorized connections screen appears.

5. Either select Accept every authenticated connection to accept all connections or create a list of the individual partners to accept.

To add partner names to the list:

a. Enter the partner's SNC name in the Last authenticated connection initiator field.

b. Choose Authorize.


If you choose to accept all connections, then the name of the last accepted partner automatically appears in the Last authenticated connection initiator field. You can then add it to the list.

6. Choose OK.

Result

The configuration is automatically saved in the win.ini file.