Setting up secured connections is required for provisioning passwords to an AS ABAP Server from the SAP Netweaver Identity Management solution 7.1.
We will look at the steps required to install the security libraries on the IDM system to enable SNC.
SAP provides its own cryptographic library, sapcryptolib, and a command line tool, SAPGENPSE, to set up the SNC PSE (Personal Security Environment) on the IDM server. Both can be downloaded from the Service Marketplace; see SAP note 397175.
The steps to setup SNC are as follows:
Copy the sapcryptolib DLL and SAPGENPSE.exe to the IDM server, e.g. D:\usr\sap\IdM\IdentityCenter\SAPCrypto, and create a subdirectory D:\usr\sap\IdM\Identity Center\SAPCrypto\sec. Then place the sapcryptolib license file (a .lst file on Windows) in the sec directory.
Set the environment variable SECUDIR to point to the D:\usr\sap\IdM\Identity Center\SAPCrypto\sec directory, so that the SYSTEM user running the IDM solution can access the PSE and credential files required at runtime.
To check the installation, run the SAPGENPSE command; it outputs the version of sapcryptolib installed and the value of the SECUDIR variable.
Generate PSE files for SNC
Now create the PSE file required for SNC. The SAPGENPSE.exe tool resides in the sapcrypto folder, so from a command prompt in that directory run sapgenpse get_pse -p IC.pse "CN=IDM, OU=SAP, C=DE". You are prompted twice for a PIN; press Enter both times if you do not wish to PIN-protect the PSE file, or enter a PIN at this step.
For the Identity Center to access the PSE at runtime it requires a credential (stored in the file cred_v2), which is created by running the command sapgenpse seclogin -p ic.pse -O SYSTEM.
Now export the public key certificate from the Identity Center's PSE file so that it can be imported into the ABAP stack. Run the command sapgenpse export_own_cert -o idm.crt -p ic.pse, which creates the certificate in the same folder as the sapgenpse tool.
Configure the SNC settings in the AS ABAP server
Now log in to the ABAP stack, open transaction STRUST, expand the SNC folder and double-click the server name so that it is selected. Choose the Import certificate button and select the Identity Center certificate exported in the previous step, then choose Add certificate to list so that the certificate is saved to the SNC PSE of the ABAP stack.
On the same screen, double-click the Own certificate, choose the Export certificate button and save the ABAP certificate to your PC, choosing Base64 as the file format, for transfer to the Identity Center.
The ABAP certificate must now be imported into the IDM PSE file. I placed the ABAP certificate in the same directory as sapgenpse and then ran the command sapgenpse maintain_pk -a p12.crt -p ic.pse.
Both systems now hold each other's SNC certificates. The ABAP stack must next have the IDM system added to the USRACLEXT table to allow connections. Call transaction SM30 and maintain table USRACLEXT: add a new entry and enter the communication user used to connect to the ABAP system in the User field. The SNC name is the distinguished name given when the IDM PSE was created, e.g. CN=IDM, OU=SAP, C=DE. Make sure to prefix the SNC name with p:, i.e. p:CN=IDM, OU=SAP, C=DE.
SNC is now enabled. The repository constants for SNC then need to be updated with the specific details; see the appendix settings in the Identity Management for SAP System Landscapes: Configuration Guide for more details.
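The sapgenpse steps on the IDM side gathered into one PowerShell script with the checks I would want before handing it over (an added example, not SAP's code or part of the original post). The paths, PSE name, distinguished name and the p12.crt file name are the ones used in this post and are assumptions to adjust for your landscape.

```powershell
# Added example: scripted sapgenpse setup for the Identity Center with sanity checks.
# Assumes the paths, PSE name and DN from this post; adjust them to your landscape.
$CryptoDir = 'D:\usr\sap\IdM\Identity Center\SAPCrypto'
$SecDir    = Join-Path $CryptoDir 'sec'
$Pse       = 'ic.pse'
$SncName   = 'CN=IDM, OU=SAP, C=DE'
$AbapCert  = Join-Path $CryptoDir 'p12.crt'   # Base64 export of the ABAP server cert from STRUST
$genpse    = Join-Path $CryptoDir 'sapgenpse.exe'

# SECUDIR must be visible to the SYSTEM account that runs the Identity Center service,
# so set it at machine scope rather than only for the interactive user running this script.
[Environment]::SetEnvironmentVariable('SECUDIR', $SecDir, 'Machine')
$env:SECUDIR = $SecDir

# The sapcryptolib licence ticket (*.lst) has to be in SECUDIR or the library will not load.
if (-not (Get-ChildItem -Path $SecDir -Filter '*.lst' -ErrorAction SilentlyContinue)) {
    throw "No sapcryptolib licence ticket (*.lst) found in $SecDir"
}

Set-Location $CryptoDir

# 1. Create the PSE (sapgenpse prompts twice for a PIN; Enter leaves it unprotected).
& $genpse get_pse -p $Pse $SncName
if ($LASTEXITCODE -ne 0) { throw 'get_pse failed' }

# 2. Create the cred_v2 credential for the SYSTEM account and confirm it landed in SECUDIR.
& $genpse seclogin -p $Pse -O SYSTEM
if (-not (Test-Path (Join-Path $SecDir 'cred_v2'))) { throw 'cred_v2 was not created in SECUDIR' }

# 3. Export the IdM public certificate for import into STRUST on the ABAP side.
& $genpse export_own_cert -o idm.crt -p $Pse
if (-not (Test-Path (Join-Path $CryptoDir 'idm.crt'))) { throw 'idm.crt was not exported' }

# 4. Once the ABAP certificate has been exported from STRUST and copied here, add it to the
#    IdM PSE's trusted list and list the PSE contents so the trust entry can be verified.
if (Test-Path $AbapCert) {
    & $genpse maintain_pk -a $AbapCert -p $Pse
    & $genpse maintain_pk -l -p $Pse
} else {
    Write-Warning "ABAP certificate $AbapCert not found yet; rerun maintain_pk -a after exporting it from STRUST."
}

# The value to enter in USRACLEXT: the PSE's DN with the mandatory p: prefix.
"USRACLEXT SNC name: p:$SncName"
```

Run it from an elevated PowerShell session, since writing a machine-scope environment variable and running seclogin for SYSTEM both need administrator rights.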