Set Up SAP SNC Client

Follow these steps to set up SAP SNC (Secure Network Communication).

Step-by-step guide

At a very high level, the basic process for configuring SAP SNC is as follows:

  1. Create a Personal Security Environment (PSE) on the SAP Server.
  2. Create a PSE on the Client.
  3. Exchange cryptographic certificates between systems.
  4. Add the client to SAP’s SNC Access Control List.

SNC Client Setup           

The basic steps are as follows:

  1. Make some basic naming convention decisions.
  2. Install the SAP Crypto library and configure the client to use it.
  3. Create the Client PSE.
  4. Configure the Client PSE for the specified user.
  5. Export the Client Certificate.
  6. Import the SAP Server Certificate.
  

Naming Conventions          

The PSE is stored in a file and you need to decide what to name the file. We will name our file NLINK.pse and the Certificate will be exported as NLINK.crt.

You need to set a Distinguished Name for the client. We will use:

CN = client.JUNOTSYSTEMS.COM
OU = NLINK
O = JUNOT
C = US

  

Install the SAP Crypto library and Configure the Client          

Install the provided library file and sapgenpse.exe file in a folder on the client machine.

Add the full path of the installed components to the system’s PATH environment variable.

Create an environment variable SECUDIR that points to the location of the installed components.

Set the SNC_LIB environment variable to the fully qualified name of the SAP Crypto library (if you plan to use SAP GUI on that machine).

  

Create the Client PSE          

Using the above naming conventions, we need to open a command window and run the following command:

sapgenpse gen_pse -p NLINK.pse

You will be asked to set a PIN, which serves as the PSE password. Then you need to enter the distinguished name for the PSE owner. In our case:

CN=client.JUNOTSYSTEMS.COM, OU=NLINK, O=JUNOT, C=US

Check that the NLINK.pse file has been created in the SECUDIR folder.

  

Configure the Client PSE          

We now have to configure the PSE and create a credentials file named cred_v2 for the named user. It lets client applications access the PSE without having to provide the PIN. This file is usable only for the current operating system user.

From the command line, run the following command (assuming we are authorizing the local administrator account):

sapgenpse seclogin -p NLINK.pse -O administrator

Supply the PSE PIN when prompted.

Check that the cred_v2 file has been created in the SECUDIR folder.

  

Export the Client Certificate          

Export the client certificate from the PSE using the following command:

sapgenpse export_own_cert -v -p NLINK.pse -o NLINK.crt

Supply the PSE PIN when prompted.

Check that the NLINK.crt file has been created in the SECUDIR folder.

  

Send the Client Certificate to the SAP Basis Group          

Send the exported client certificate file (NLINK.crt) to the SAP Basis Group so that they can import it into their PSE. At the same time, request their certificate so that you can import it into your PSE.

  

Import the SAP Server Certificate          

Copy the received SAP certificate to the SECUDIR folder. We will assume that the SAP certificate is called SNC.crt.

At a command prompt, run the following command:

sapgenpse maintain_pk -v -a SNC.crt -p NLINK.pse

Provide the PSE PIN when prompted.
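
The file checks called for after each step above, collected into one PowerShell script as an added example (it is not part of the original guide or of SAP's tooling). It also flags broad file permissions on NLINK.pse and cred_v2, since cred_v2 opens the PSE without the PIN, and prints a SHA-256 fingerprint of each certificate so that both sides can compare the values over a separate channel before importing. Assumptions: the file names used in this guide, and a list of "broad" groups chosen for this example.

```powershell
# Added example: post-setup checks for the SNC client (file names taken from the guide).
$pse, $cred, $ownCert, $srvCert = 'NLINK.pse', 'cred_v2', 'NLINK.crt', 'SNC.crt'
# ASSUMPTION: groups treated as "too broad" -> Everyone, Authenticated Users, BUILTIN\Users
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

function Test-BroadAccess([string]$Path) {
    # Returns the Allow entries on $Path that grant access to one of the broad groups.
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        if ($_.AccessControlType -ne 'Allow') { return $false }
        try   { $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { return $false }   # unresolvable account, so not one of the broad groups
        $broadSids -contains $sid
    }
}

function Get-CertSummary([string]$Path) {
    # Loads a certificate file and hashes its encoded bytes with SHA-256.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    [pscustomobject]@{
        File     = Split-Path $Path -Leaf
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        SHA256   = [BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ':'
    }
}

# Environment set up in "Install the SAP Crypto library and Configure the Client"
if (-not $env:SECUDIR) { throw 'SECUDIR is not set' }
if ($env:SNC_LIB -and -not (Test-Path -LiteralPath $env:SNC_LIB)) {
    Write-Warning "SNC_LIB points to a missing file: $env:SNC_LIB"
}
if (-not (Get-Command sapgenpse -ErrorAction SilentlyContinue)) {
    Write-Warning 'sapgenpse was not found on PATH'
}

# The PSE and its credentials file: present, and not open to broad groups
foreach ($name in $pse, $cred) {
    $file = Join-Path $env:SECUDIR $name
    if (-not (Test-Path -LiteralPath $file)) { Write-Warning "$name is missing from SECUDIR"; continue }
    foreach ($ace in (Test-BroadAccess $file)) {
        Write-Warning "$name is accessible to $($ace.IdentityReference) ($($ace.FileSystemRights))"
    }
}

# Certificates exchanged with the SAP Basis Group: subject, expiry and fingerprint
foreach ($name in $ownCert, $srvCert) {
    $file = Join-Path $env:SECUDIR $name
    if (Test-Path -LiteralPath $file) { Get-CertSummary $file } else { Write-Warning "$name not found in SECUDIR" }
}
```

Run it as the operating system user for whom cred_v2 was created; the SNC.crt summary can be taken before the maintain_pk import so the fingerprint is confirmed first.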