Securing Connections to AS ABAP with SNC - Security and Identity Management - SCN Wiki
Securing Connections to AS ABAP with SNC
Created by Christopher Leonard, last modified on Oct 18, 2012
Purpose
Setting up secured connections is required for provisioning passwords to an AS ABAP Server from the SAP Netweaver Identity Management solution 7.1.
Overview
We will look at the various steps required to install the security libraries on the IDM system to enable SNC.
Install SAPcryptolib
SAP provides its own cryptographic library Sapcryptolib and a command line tool SAPGENPSE in order to set up your SNC PSE (Personal Security Environment) on the IDM server. You can download these from Service Marketplace. See note 397175.
The steps to set up SNC are as follows:
The sapcryptolib dll and SAPGENPSE.exe files are copied to the IDM server, e.g. D:\usr\sap\IdM\IdentityCenter\SAPCrypto, and a subdirectory D:\usr\sap\IdM\IdentityCenter\SAPCrypto\sec. The sapcryptolib license file is then placed in the sec directory (.lst file on Windows).
Set the environment variable SECUDIR to point to the D:\usr\sap\IdM\IdentityCenter\SAPCrypto\sec directory. This is so that the SYSTEM user running the IDM solution can access the PSE and credential files required at runtime.
To check your installation, run the command SAPGENPSE, which will output the version of sapcryptolib installed and the value of the SECUDIR variable.
https://wiki.scn.sap.com/wiki/display/Security/Securing+Connections+to+AS+ABAP+with+SNC
3/8/2016
Generate PSE files for SNC
Now create the PSE file required for SNC. The SAPGENPSE.exe tool resides in the sapcrypto folder, so from the command line in this directory call the command sapgenpse get_pse -p IC.pse "CN=IDM,OU=SAP,C=DE". You can press the Enter key when prompted for the PIN both times if you do not wish to PIN protect the PSE file; however, you can enter a PIN in this step.
For the Identity Center to access the PSE at runtime it requires a credential (stored in the file cred_v2). This can be created by running the command sapgenpse seclogin -p ic.pse -O SYSTEM
Now the public key certificate must be exported from the Identity Center's PSE file so that it can be imported to the ABAP stack. Run the command sapgenpse export_own_cert -o idm.crt, which creates the certificate in the same folder as the sapgenpse tool.
Configure the SNC settings in the AS ABAP server
Now log in to the ABAP stack and open transaction STRUST > expand the SNC folder and double-click the server name so that it is selected. The Import certificate button is chosen, which allows the selection of the certificate of the Identity Center that had been exported in the previous step. The Add certificate to list button ensures that the certificate is saved to the SNC PSE of the ABAP stack.
Using the same screen, I double-clicked the Own certificate, chose the button Export certificate and saved the ABAP cert to my PC for export to the Identity Center, choosing Base64 as the file format.
The ABAP certificate must now be imported into the IDM PSE file. I placed the ABAP certificate in the same directory as sapgenpse and then ran the command sapgenpse maintain_pk -a p12.crt -p ic.pse
Now both systems have their SNC certificates exchanged. The ABAP stack now needs to have the IDM system added to the USRACLEXT table to allow connections. Call transaction SM30 and maintain table USRACLEXT. Add a new entry > enter the communication user used to connect to the ABAP system in the user field. The SNC name will be the unique distinguished name given when the IDM PSE was created, e.g. CN=IDM,OU=SAP,C=DE. Make sure to place a p: before the SNC name, i.e. p:CN=IDM,OU=SAP,C=DE.
SNC is now enabled. The repository constants for SNC then need to be updated with the specific details. See the Identity Management for SAP System Landscapes: Configuration Guide in the appendix settings for more details.
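A preflight check for the setup described above, as an added example that is not part of the original page or of SAP's tooling. It verifies SECUDIR, the ic.pse and cred_v2 files and the directory permissions, and returns the p: SNC name for USRACLEXT; the function name Test-IdmSncSetup, its parameters and the choice of broad groups to flag are assumptions.

```powershell
# Added preflight check; not SAP's or the page author's code.
# Assumed names: Test-IdmSncSetup, its parameters and the finding texts.
function Test-IdmSncSetup {
    param(
        [string]$PseName   = 'ic.pse',               # PSE created with get_pse
        [string]$SubjectDn = 'CN=IDM,OU=SAP,C=DE'    # DN passed to get_pse
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # SECUDIR has to be a machine-level variable, otherwise the SYSTEM
    # account running the IdM solution does not see it at runtime.
    $secudir = [Environment]::GetEnvironmentVariable('SECUDIR', 'Machine')
    if (-not $secudir) {
        $findings.Add('SECUDIR is not set as a system environment variable')
    } elseif (-not (Test-Path -LiteralPath $secudir -PathType Container)) {
        $findings.Add("SECUDIR points to a missing directory: $secudir")
    } else {
        # The PSE and the credential file written by seclogin must exist.
        foreach ($file in @($PseName, 'cred_v2')) {
            $path = Join-Path $secudir $file
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                $findings.Add("Missing in SECUDIR: $file")
            }
        }
        # A PSE created without a PIN is protected only by file permissions,
        # so flag allow-entries for broad groups (well-known SIDs).
        $broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'Users' }
        $sidType = [System.Security.Principal.SecurityIdentifier]
        foreach ($ace in (Get-Acl -LiteralPath $secudir).GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid)) {
                $findings.Add("SECUDIR grants $($ace.FileSystemRights) to $($broad[$sid])")
            }
        }
    }
    [pscustomobject]@{
        SncName  = "p:$SubjectDn"   # value for the SNC name field in USRACLEXT
        Findings = $findings
    }
}

$result = Test-IdmSncSetup
"USRACLEXT SNC name: $($result.SncName)"
if ($result.Findings.Count) { $result.Findings } else { 'No findings' }
```

Run it on the IDM server after the seclogin step; an empty findings list means the files the runtime needs are in place and the sec directory is not open to broad groups.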
Related Content
Related Documents
http://scn.sap.com/docs/DOC8397
Related Notes