
Enable Secure Network Communication (SNC) via X.509 certificate

The following article describes how to establish an SNC connection to an SAP source system.

The depicted approach uses an X.509 certificate that provides the logon data of the Windows AD user. The correctness of this X.509 certificate is ensured by the company's internal certification authority (CA).

Workflow

  1. Upon connection start, the Secure Login Client retrieves the SNC name from the SAP NetWeaver AS ABAP.
  2. The Secure Login Client uses the authentication profile for this SNC name.
  3. The user unlocks the security token, for example, by entering the PIN or password.
  4. The Secure Login Client receives the X.509 certificate from the user security token.
  5. The Secure Login Client provides the X.509 certificate for single sign-on and secure communication between SAP GUI or Web GUI and the AS ABAP.
  6. The user is authenticated and the communication is secured.

Tip

The configuration of the X.509 certificate should be implemented by the network & SAP Basis team and requires basic knowledge in this area.

Requirements

The following system settings are a prerequisite for using this SNC solution:

  • The Secure Login Client is installed.
  • The SAP application server is configured and activated for Secure Network Communication (SNC).
  • The SNC standard library sapcryptolib is used as the SNC solution.
  • The following SNC parameters are configured:
    | SNC parameter | Value | Example |
    |---|---|---|
    | snc/gssapi_lib | Path and file name where the SAP Cryptographic Library is located. | $(DIR_EXECUTABLE)\sapcrypto.dll |
    | snc/identity/as | Application server's SNC name. Syntax: p:<Distinguished_Name>. The Distinguished Name part must match the Distinguished Name that you specify when creating the SNC PSE. | p:CN=saperp.theobald.local |

Step-by-Step Guide

  1. Generate a certificate for the application server and for the AD user context from a common certificate authority (CA).
    [Figure: X.509 Certificate Details]

    Note

    The X.509 certificate is available once it is placed in the folder Certmgr > Personal > Certificates of the Windows certificate store (user).

  2. Convert the .pfx file to the SAP PSE format, e.g., sapgenpse.exe import_p12 -p cert.pse cert.pfx

  3. Import the created PSE file via transaction STRUST > Edit mode > PSE Import > PSE Save as SNC Libcrypto.
  4. Edit the SNC configuration of the corresponding SAP user in transaction SU01 under SNC: SNC Name = p:<Full Distinguished_Name>,
    e.g., p:EMAIL="RandomUser@domain",CN="Random User",OU="Users",OU="TheobaldSoftware",DC="theobald",DC="local".
    [Figure: SNC User Settings]
  5. Set up SNC authentication in the Xtract IS SAP connection settings.
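
Step 4 binds the SAP user to the full Distinguished Name of the certificate, so a shortened or mistyped SNC name breaks that binding. The following check is an added example, not part of the original guide or of any SAP or Theobald tool: it compares an SNC name from SU01 with a certificate subject string and lists the components that differ. Assumptions: E= and EMAIL= label the same attribute, component order is ignored, and values are compared case-sensitively; this is a pre-check, not SAP's own name matching.

```python
from collections import Counter

# Assumption: these attribute labels name the same e-mail attribute
# (Windows tools display E=, the example in step 4 uses EMAIL=).
ALIASES = {"E": "EMAIL", "EMAILADDRESS": "EMAIL"}

def split_rdns(dn):
    """Split a DN on commas that are not inside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in dn:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError("unbalanced double quote in DN")
    return parts + ["".join(buf)]

def parse_snc_name(name):
    """Return [(ATTR, value), ...] for an SNC name of the form p:<DN>."""
    if not name.startswith("p:"):
        raise ValueError("SNC name must start with 'p:'")
    rdns = []
    for part in split_rdns(name[2:]):
        attr, sep, value = part.partition("=")
        attr, value = attr.strip().upper(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop surrounding quotes
        if not sep or not attr or not value:
            raise ValueError(f"malformed DN component: {part!r}")
        rdns.append((ALIASES.get(attr, attr), value))
    return rdns

def dn_mismatches(su01_snc_name, cert_subject):
    """List DN components that differ; values are compared case-sensitively."""
    su01 = Counter(parse_snc_name(su01_snc_name))
    cert = Counter(parse_snc_name("p:" + cert_subject))
    issues = [f"missing in SU01: {a}={v}" for a, v in (cert - su01).elements()]
    issues += [f"not in certificate: {a}={v}" for a, v in (su01 - cert).elements()]
    return issues

# Constructed sample: step 4's SNC name and a matching certificate subject.
SU01 = ('p:EMAIL="RandomUser@domain",CN="Random User",OU="Users",'
        'OU="TheobaldSoftware",DC="theobald",DC="local"')
SUBJECT = ("E=RandomUser@domain, CN=Random User, OU=Users, "
           "OU=TheobaldSoftware, DC=theobald, DC=local")

if __name__ == "__main__":
    print(dn_mismatches(SU01, SUBJECT) or "SNC name covers the full subject DN")
```

An empty result means every component of the certificate subject appears in the SNC name; any listed component should be corrected in SU01 before testing the connection.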


Last update: May 17, 2024