
Purpose

Setting up secured connections is required for provisioning passwords to an AS ABAP Server from the SAP Netweaver Identity Management solution 7.1.

Overview

We will look at the various steps required to install the security libraries on the IDM system to enable SNC.

Install SAPcryptolib 

SAP provides its own cryptographic library, SAPCRYPTOLIB, and a command line tool, SAPGENPSE, to set up your SNC PSE (Personal Security Environment) on the IDM server. You can download these from the Service Marketplace; see SAP Note 397175.

The steps to setup SNC are as follows:

The sapcryptolib DLL and SAPGENPSE.exe files are copied to the IDM server, e.g. D:\usr\sap\IdM\IdentityCenter\SAPCrypto, together with a subdirectory D:\usr\sap\IdM\Identity Center\SAPCrypto\sec. The sapcryptolib license file (a .lst file on Windows) is then placed in the sec directory.

Set the environment variable SECUDIR to point to the D:\usr\sap\IdM\Identity Center\SAPCrypto\sec directory. This is so that the SYSTEM user running the IDM solution can access the PSE and credential files required at runtime.


To check your installation, run the command SAPGENPSE, which outputs the version of sapcryptolib installed and the value of the SECUDIR variable.


Generate PSE files for SNC

Now create the PSE file required for SNC. The SAPGENPSE.exe tool resides in the sapcrypto folder, so open a command line in this directory and run: sapgenpse get_pse -p IC.pse "CN=IDM, OU=SAP, C=DE". You can press the Enter key at both PIN prompts if you do not wish to PIN-protect the PSE file; otherwise enter a PIN in this step.

For the Identity Center to access the PSE at runtime it requires a credential (stored in the file cred_v2). Create it by running the command: sapgenpse seclogin -p ic.pse -O SYSTEM


Now the public key certificate must be exported from the Identity Center's PSE file so that it can be imported into the ABAP stack. Run the command sapgenpse export_own_cert -o idm.crt, which creates the certificate in the same folder as the sapgenpse tool.

 

Configure the SNC settings in the AS ABAP server

Now log in to the ABAP stack and open transaction STRUST. Expand the SNC folder and double-click the server name so that it is selected. Choose the Import certificate button and select the Identity Center certificate exported in the previous step. The Add certificate to list button then saves the certificate to the SNC PSE of the ABAP stack.

 

On the same screen, double-click the Own certificate, choose the Export certificate button and save the ABAP certificate locally for transfer to the Identity Center, choosing Base64 as the file format.

 

The ABAP certificate must now be imported into the IDM PSE file. Place the ABAP certificate in the same directory as sapgenpse and then run the command: sapgenpse maintain_pk -a p12.crt -p ic.pse

 


Both systems have now exchanged their SNC certificates. The ABAP stack next needs the IDM system added to the USRACLEXT table to allow connections. Call transaction SM30 and maintain table USRACLEXT. Add a new entry and enter the communication user used to connect to the ABAP system in the user field. The SNC name is the distinguished name given when the IDM PSE was created, e.g. CN=IDM, OU=SAP, C=DE. Make sure to place a p: before the SNC name, i.e. p:CN=IDM, OU=SAP, C=DE.

 
 
SNC is now enabled. The repository constants for SNC then need to be updated with the specific details. See the Identity Management for SAP System Landscapes: Configuration Guide, appendix settings, for more details.
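As an added example (not code from this page, from SAP or from the IdM product), the following PowerShell runbook drives the IDM-side sapgenpse steps above in order and checks the artifact each step must leave behind, then prints the USRACLEXT value. The paths, file names and DN are the ones used on this page; the `maintain_pk -l` listing switch is an assumption, everything else uses only the commands shown above.

```powershell
# Added example, not code from the page or from SAP: drives the IDM-side sapgenpse
# steps in order and checks what each step must leave behind.
# Paths, file names and the DN are the page's values; adjust to your landscape.
$ErrorActionPreference = 'Stop'
$CryptoDir = 'D:\usr\sap\IdM\Identity Center\SAPCrypto'
$SecDir    = Join-Path $CryptoDir 'sec'
$Pse       = Join-Path $SecDir 'IC.pse'
$SncName   = 'CN=IDM, OU=SAP, C=DE'
$OwnCert   = Join-Path $CryptoDir 'idm.crt'   # exported for import into STRUST
$AbapCert  = Join-Path $CryptoDir 'p12.crt'   # ABAP own cert exported from STRUST (Base64)

function Invoke-Sapgenpse {
    # Runs sapgenpse.exe with the given arguments and fails on a non-zero exit code
    param([string[]]$Arguments)
    & (Join-Path $CryptoDir 'sapgenpse.exe') @Arguments
    if ($LASTEXITCODE -ne 0) { throw "sapgenpse $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

# 1. SECUDIR: the IdM service runs as SYSTEM, so the variable must be set at
#    machine scope (a user-scope variable is invisible to that account).
#    Restart the IdM service afterwards so it picks the value up.
[Environment]::SetEnvironmentVariable('SECUDIR', $SecDir, 'Machine')
$env:SECUDIR = $SecDir
if (-not (Get-ChildItem -Path $SecDir -Filter '*.lst')) { throw "no sapcryptolib license (.lst) in $SecDir" }
& (Join-Path $CryptoDir 'sapgenpse.exe')        # no arguments: prints library version and SECUDIR

# 2. Create the PSE. sapgenpse prompts for a PIN twice; Enter leaves it unprotected.
Invoke-Sapgenpse @('get_pse', '-p', $Pse, $SncName)
if (-not (Test-Path $Pse)) { throw "PSE not created: $Pse" }

# 3. Credential for the SYSTEM account (written to cred_v2 in SECUDIR).
Invoke-Sapgenpse @('seclogin', '-p', $Pse, '-O', 'SYSTEM')
if (-not (Test-Path (Join-Path $SecDir 'cred_v2'))) { throw 'cred_v2 missing in SECUDIR' }

# 4. Export the IdM public certificate for STRUST (SNC folder > Import certificate).
Invoke-Sapgenpse @('export_own_cert', '-p', $Pse, '-o', $OwnCert)
if (-not (Test-Path $OwnCert)) { throw "certificate not exported: $OwnCert" }

# 5. After exporting the ABAP own certificate from STRUST (Base64), add it to the PK list.
if (Test-Path $AbapCert) {
    Invoke-Sapgenpse @('maintain_pk', '-a', $AbapCert, '-p', $Pse)
    Invoke-Sapgenpse @('maintain_pk', '-l', '-p', $Pse)   # -l (list; assumed switch) shows trusted certs
} else {
    Write-Warning "place the ABAP certificate at $AbapCert and rerun step 5"
}

# 6. Value to enter as the SNC name in USRACLEXT (SM30): the DN with the p: prefix.
"USRACLEXT SNC name: p:$SncName"
```

Run it from an elevated PowerShell on the IdM server; steps 2 and 3 still prompt for the PIN interactively as described above.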
 

Related Content

Related Documents

http://scn.sap.com/docs/DOC-8397
