SAP S/4HANA ABAP RFC connection via SNC

Overview

In this blog I outline setting up an ABAP RFC connection via SNC (Secure Network Communications), using the SNC 2.0 setup.

SNC is a software layer in the SAP system that provides an interface to an external security product. With SNC, you can strengthen the security of your SAP system by adding security functions that SAP systems do not provide directly.

[Diagram from help.sap.com]

DISCLAIMER
The content of this blog post is provided “AS IS”. This information could contain technical inaccuracies, typographical errors, and out-of-date information. This document may be updated or changed without notice at any time. Use of the information is therefore at your own risk. In no event shall SAP be liable for special, indirect, incidental, or consequential damages resulting from or related to the use of this document.

Purpose

This document covers the Basis steps for enabling SNC on ABAP RFC connections.
SAP S/4HANA ABAP connection via SNC

Steps:
• Set up SNC in both systems
• Generate the SNC certificate in both systems and map it in STRUSTSSO2 (SNC SAPCryptolib)
• Create a user (sidadm or any name) in AD Users and update the service principal name to match the SNC certificate name in the Attribute Editor (SAP/ SNC cert name) as per note 1696905 (optional; only if you are using an AD connection)
• ACL mode: either 0 or whitelist the hostname
• Update SNC0 with the target system certificate details
• Update SM54 with the destination
• Verify the SNC certificate names of the systems in SM30 VSNCSYSACL (I = internal and E = external)
• Create the RFC destination with SNC configuration and test it

Take a full system backup:

As a preventive measure, take a full DB backup. We are only adding new configuration and not changing core system functionality.

Set up SNC in both systems

We will use SNCWIZARD for the SNC setup.

Check all SNC-related parameters below.

The screen below lists all your instances that need to be restarted.

If you do not want to configure Kerberos credentials, choose Skip.

We will use this certificate for RFC communication.

STRUSTSSO2

Repeat the same steps in the target system.

Check all SNC parameters in the default profile:

snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/data_protection/max = 2
snc/data_protection/min = 1
snc/enable = 1
snc/gssapi_lib = $(SAPCRYPTOLIB)
snc/identity/as = <SNC cert name>
snc/permit_insecure_start = 1
spnego/enable = 1

Restart the application server.

After the restart, check the SNC status via SM51 (SNC check).

Generate the SNC certificate in both systems and map it in STRUSTSSO2 (SNC SAPCryptolib)

Go to STRUSTSSO2: the certificate below was generated during the SNC setup. Click Edit, export the certificate as Base64 and import it into the target system (repeat the same steps in the target system).

ACL mode: either 0 or whitelist the hostname

Gateway ACL mode 0
The following values are possible:

0: There is no restriction with starting external servers or registering servers. This setting should not be used in production operations.

1: External and registered servers are only permitted within the system (application servers of the same system). All other servers are rejected or have to be maintained in the respective files.

The default value of the parameter is 1.

If you are using 1, go to SMGW and allow the target hostname.

SMGW -> Goto -> Expert Functions -> External Security -> Maintain ACL Files (secinfo and reginfo)
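The profile parameters listed above and the gateway ACL mode are the two places where a partially finished SNC rollout leaves the system open. The following added checker (example code written for this post, not part of the blog or of SAP's tooling) parses a profile in the `key = value` form shown above and reports every setting that differs from an assumed hardened end state: once every partner connects with SNC, the `snc/accept_insecure_*` and `snc/permit_insecure_start` switches can go to 0, the gateway ACL mode to 1, and the minimum protection level to 3 (privacy). The sample profile, the certificate DN and the target values are constructed assumptions, not values from the post.

```python
# Added example (not from the blog): audit an SAP instance profile for SNC and
# gateway settings weaker than the hardened end state. Sample profile is constructed.
SAMPLE_PROFILE = """\
snc/enable = 1
snc/gssapi_lib = $(SAPCRYPTOLIB)
snc/identity/as = p:CN=S4H, OU=BASIS, O=EXAMPLE, C=DE
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/data_protection/max = 2
snc/data_protection/min = 1
gw/acl_mode = 0
"""
# Default used when a parameter is absent (the post states 1 for the ACL mode).
DEFAULTS = {"gw/acl_mode": "1"}

# (parameter, assumed hardened value, severity, why it matters)
RULES = [
    ("snc/enable", "1", "high", "SNC is disabled on this instance"),
    ("snc/accept_insecure_rfc", "0", "high", "RFC logons without SNC are still accepted"),
    ("snc/accept_insecure_cpic", "0", "high", "CPIC logons without SNC are still accepted"),
    ("snc/accept_insecure_gui", "0", "medium", "GUI logons without SNC are still accepted"),
    ("snc/permit_insecure_start", "0", "medium", "programs may be started without SNC"),
    ("gw/acl_mode", "1", "high", "ACL mode 0 lets any host start or register servers"),
    ("snc/data_protection/min", "3", "low", "minimum protection level is below privacy"),
]

def parse_profile(text):
    """Return {parameter: value} from 'key = value' lines, skipping # comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            params[key] = value
    return params

def audit_snc(text):
    """Return findings as (parameter, current, hardened, severity, reason)."""
    params = parse_profile(text)
    findings = []
    for key, hardened, severity, reason in RULES:
        current = params.get(key, DEFAULTS.get(key, "<unset>"))
        if current != hardened:
            findings.append((key, current, hardened, severity, reason))
    identity = params.get("snc/identity/as", "<unset>")
    if not identity.startswith("p:"):  # SNC names are entered with the p: prefix
        findings.append(("snc/identity/as", identity, "p:<name>", "high", "missing p: prefix"))
    return findings
```

Run against the sample it reports the three `accept_insecure_*` switches, `permit_insecure_start`, the ACL mode and the protection level; rerun it after the last non-SNC partner has been migrated and the list should be empty.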

Update SNC0 with the target system certificate details

Enter the target system SID and its SNC certificate name with the p: prefix:
activate the entry for RFC, the entry for CPIC and the entry for the certificate (do the same on the target system).

The SNCSYSACL entries that you make using transaction SNC0 are saved as external RFC destinations (type = E). Internal destinations (type = I) are automatically generated and not shown in transaction SNC0.

Update SM54 with the destination

Enter the destination SID, logon type I, and the target SNC certificate name with the p: prefix. This updates VSNCSYSACL.

Verify the SNC certificate names of the systems in SM30 VSNCSYSACL (I = internal and E = external)

Go to SM30, enter the table name VSNCSYSACL and click Display.

Enter work area I for the internal system.

Go back and enter work area E for the external system.

Create the RFC destination with SNC configuration and test it

Create a type 3 RFC destination; enter the RFC destination name and a description.

Go to Logon & Security and enter the target system user ID.

On the same page, activate SNC.

Perform the connection and authorization tests.

Reference SAP Notes:

https://help.sap.com/docs/SAP_NETWEAVER_740/621bb4e3951b4a8ca633ca7ed1c0aba2/aa38ff4fa187622fe10000000a44176d.html?version=7.4.25

2653733 – Enabling SNC on RFCs between AS ABAP

https://help.sap.com/saphelp_nwpi71/helpdata/en/28/03f4ad8d9d490c99a3e8a57551d264/frameset.htm

Advantages:
1. Helps to secure RFC connections

I hope this document helps you with the RFC setup with SNC.

Cheers!
Anikesh Jyotishi