In this blog I have outlined an ABAP RFC connection via SNC, using the RFC with SNC (Secure Network Communications) 2.0 setup.
SNC is a software layer in the SAP system that provides an interface to an external security product. With SNC, you can strengthen the security of your SAP system by implementing additional security functions that SAP systems do not directly provide.
Diagram from help.sap.com
The content of this blog post is provided “AS IS”. This information could contain technical inaccuracies, typographical errors, and out-of-date information. This document may be updated or changed without notice at any time. Use of the information is therefore at your own risk. In no event shall SAP be liable for special, indirect, incidental, or consequential damages resulting from or related to the use of this document.
This document covers the Basis steps for enabling SNC on ABAP RFCs for secure connections.
SAP S/4HANA ABAP connection via SNC
• Setup SNC in both systems
• Generate the SNC certificate in both systems and exchange them in STRUSTSSO2 (SNC SAPCryptolib)
• Create a user (sidadm or any name) in AD Users and set its service principal name to match the SNC cert in the Attribute Editor (SAP/<SNC cert name>) as per SAP Note 1696905 (optional; applies if you are using an AD connection)
• Set the gateway ACL mode to 0 or whitelist the target hostname
• Update SNC0 with target system cert details
• Update SM54 with the destination
• Verify SM30 VSNCSYSACL (I= internal and E= external) systems SNC cert name
• Create RFC with SNC config and test
Take a full system backup:
As a preventive measure, take a full DB backup. We are only adding new configuration and not changing any in-system core functionality.
Setup SNC in both systems
We will use transaction SNCWIZARD for the SNC setup.
Check all SNC-related parameters below.
The screen below lists all instances that need to be restarted.
If you do not want to configure Kerberos credentials, choose Skip.
We will use this cert for RFC communication
Repeat the same steps in the target system
Check all SNC parameters in the default profile
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/data_protection/max = 2
snc/data_protection/min = 1
snc/enable = 1
snc/gssapi_lib = $(SAPCRYPTOLIB)
snc/identity/as = <SNC cert name>
snc/permit_insecure_start = 1
spnego/enable = 1
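As an added example (not part of the original post), a small Python check that parses the parameter list above as it would appear in the default profile and reports which settings still let non-SNC connections through; the SNC name in the sample is a constructed placeholder.

```python
import re

# Constructed sample modelled on the parameter list in this post; the SNC name is a placeholder.
SAMPLE_PROFILE = """
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/data_protection/max = 2
snc/data_protection/min = 1
snc/enable = 1
snc/gssapi_lib = $(SAPCRYPTOLIB)
snc/identity/as = p:CN=S4H, OU=SAP, O=Example, C=DE
snc/permit_insecure_start = 1
spnego/enable = 1
"""

_PARAM = re.compile(r"^\s*([\w/]+)\s*=\s*(.*?)\s*$")

def parse_profile(text: str) -> dict:
    """Parse 'key = value' lines of a profile; blank and '#' comment lines are skipped."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _PARAM.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def check_snc(params: dict) -> list:
    """Return findings; an empty list means SNC is on and enforced for all channels."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is switched off")
    if not params.get("snc/gssapi_lib"):
        findings.append("snc/gssapi_lib is unset: no security library is loaded")
    if not params.get("snc/identity/as", "").startswith("p:"):
        findings.append("snc/identity/as must be the p:-prefixed SNC name")
    try:  # levels: 1 = authentication, 2 = integrity, 3 = privacy; min must not exceed max
        lo = int(params.get("snc/data_protection/min", "0"))
        hi = int(params.get("snc/data_protection/max", "0"))
    except ValueError:
        lo = hi = 0
    if not 1 <= lo <= hi <= 3:
        findings.append("snc/data_protection/min and /max are out of range or reversed")
    # These four keep non-SNC connections working during rollout; 1 means SNC is not enforced.
    for key in ("snc/accept_insecure_cpic", "snc/accept_insecure_gui",
                "snc/accept_insecure_rfc", "snc/permit_insecure_start"):
        if params.get(key) == "1":
            findings.append(f"{key} = 1 still allows non-SNC connections")
    return findings
```

Run `check_snc(parse_profile(SAMPLE_PROFILE))` on the values from this post and it reports the four accept_insecure/permit_insecure_start parameters; once every RFC partner is on SNC, set those to 0 and the check returns an empty list.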
Restart the application server
After the restart, check the SNC status via SM51 (SNC check).
Generate the SNC cert in both systems and exchange them in STRUSTSSO2 (SNC SAPCryptolib)
Go to STRUSTSSO2. The certificate shown below was generated during the SNC setup. Click Edit, export this certificate as Base64, and import it into the target system (repeat the same steps in the target system so that each side holds the other's certificate).
Gateway ACL mode 0 or whitelist the target hostname
Gateway ACL mode (profile parameter gw/acl_mode)
The following values are possible:
0: There is no restriction on starting external servers or registering servers. This setting should not be used in production operation.
1: External and registered servers are only permitted within the system (application servers of the same system). All other servers are rejected or have to be maintained in the respective files.
The default value of the parameter is 1.
If you are using 1, go to SMGW and allow the target hostname.
In SMGW, go to Goto > Expert Functions > External Security > Maintain ACL list (secinfo and reginfo).
Update SNC0 with target system cert details
Enter the target system SID and the SNC certificate name with the p: prefix.
Activate the entry for RFC, the entry for CPIC, and the entry for the certificate (do the same on the target system).
The SNCSYSACL entries that you make using transaction SNC0 are saved as external RFC destinations (type = E). Internal destinations (type = I) are automatically generated and not shown in transaction SNC0.
Update SM54 with the destination
Enter the destination SID, logon type I, and the target SNC cert name with the p: prefix. This updates VSNCSYSACL.
Verify SM30 VSNCSYSACL (I= internal and E= external) systems SNC cert name
Go to SM30, enter VSNCSYSACL as the table/view name, and click Display.
Enter work area I for the internal system.
Go back and enter work area E for the external system.
Create RFC with SNC config and test
Create a type 3 RFC (ABAP connection); give the RFC destination name and description.
Go to the Logon & Security tab and enter the target system user ID.
On the same tab, activate SNC.
Perform the connection test and the authorization test.
Reference SAP Notes:
2653733 – Enabling SNC on RFCs between AS ABAP
1. Help to secure RFC connection
I hope this document helps you with the RFC setup with SNC.