IPC security: Maintaining parameters for SNC-RFC connections
1. You want to use secured RFC connections for incoming calls to your IPC Server (as of IPC 4.0 SP06,
first install the support for secured socket connections).
To use secured socket connections, refer to note 720523.
2. You get one of the following error messages:

SNC required (SNC_MODE=ON defined) for conversation...

SNC disabled for conversation...

A token had an invalid signature

No credentials were supplied

Unable to load the GSS-API DLL# named <path>
Other terms
security, security error, authorization failed, authorization, SNC, SNC required, registration, handle=0,
security level, secured connection, RFC
Reason and Prerequisites
You are using IPC 4.0 SP05 or higher.
As of IPC 4.0 SP06 you have to install the support for secured socket connections first (note 720523).
New security features have been implemented:

Client calls to the IPC Server via RFC connections can be authenticated.

Client calls can use secured RFC connections with SNC.
Solution
No action is required if you don't want to use secured RFC connections for your IPC.
If you encounter one of the above-mentioned errors see chapter
"Troubleshooting" in this note.
If you want to use secured RFC connections you have to do the following steps (see the appropriate
chapters in this note).
Note: Because of the communication encryption, performance can be noticeably affected.
1. Install and set up a security product for your ABAP system.
2. Install a security product for the IPC Server.
3. Set up the security product for the IPC Server.
4. Set up the IPC Server for the security enhancements.
5. Set up the RFC Destinations in order to use SNC.
1. Install and set up a security product for your ABAP system.
See notes 66687 and 39267 and the "SNC User's Guide".
You can download it from SAP Service Marketplace -> Alias "security" -> Security in Detail -> Secure
System Management -> Secure Network Communications.
2. Install a security product for the IPC Server.
Install a security product for the IPC Server or use your already installed security product.
For example you can use the SAP Cryptographic Library.
3. Set up the security product for the IPC Server.
In this note we describe the setup of the SAP Cryptographic Library (SAPCRYPTOLIB). If you use a
different security product, then see your security product's documentation for any product-specific
configuration steps.
1. Download the SAP Cryptographic Library installation package, which is available for authorized
customers on the SAP Service Marketplace at http://service.sap.com/download. See notes 597059,
397175.
2. Extract the contents of the SAP Cryptographic Library installation package. The package contains the
following files:

The SAP Cryptographic Library (sapcrypto.dll for Windows NT or libsapcrypto.<ext> for
UNIX)

A corresponding license ticket (ticket)

The configuration tool sapgenpse.exe
3. Copy the library and the configuration tool to a local directory, e.g. a sub-directory of the IPC
installation directory. Check the directory and file permissions: only the user under which the IPC Server
runs should be able to execute the library, and no other user should be able to replace or modify it.
4. Create sub-directory "sec" and place the license ticket there. This is also the directory where the IPC
Server's PSE (Personal Security Environment) and credentials are to be located.
5. Set environment variable "SECUDIR" for the IPC Server's user to the "sec" sub-directory.
6. Create an SNC PSE file (Personal Security Environment) for the IPC Server. The PSE holds the
IPC Server's private key, its public-key certificate and the list of public-key certificates that it
trusts. Use the following command line to create the PSE:
sapgenpse get_pse -p <IPC_PSE_file_name> -x <PIN> <Distinguished_Name>
The Distinguished Name consists of the following elements:

CN = <Common_Name>

OU = <Organizational_Unit>

O = <Organization>

C = <Country>
Example for a Distinguished Name: "CN=MyIPCServer, O=MyCompany, C=US"
7. Create credentials for the IPC Server. The IPC Server must have active credentials at run-time to be
able to access its PSE. Therefore, use the configuration tool's command line seclogin to "open" the PSE:
sapgenpse seclogin -p <IPC_PSE_file_name> -x <PIN> -O <IPC_user>
The credentials are located in the file cred_v2 in the IPC Server's SECUDIR directory. Make sure that
only the user under which the IPC Server runs has access to this file (including read access).
8. Exchange the certificates of the ABAP system and the IPC Server:

Export the certificate of the IPC Server:
sapgenpse export_own_cert -o <output_file> -p <IPC_PSE_file_name> -x <PIN>

Import it into the security product of the ABAP system:
sapgenpse maintain_pk -a <IPC_cert_file> -p <ABAP_PSE_file_name> -x <PIN>

Export the root certificate of the ABAP system and import it into the security product of the
IPC Server (for SAPCRYPTOLIB again with sapgenpse maintain_pk -a, this time against the IPC PSE).
For a more detailed description see note 645876 (this note describes the installation for a J2EE engine,
but it can be used accordingly for the IPC Server).
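The sapgenpse steps 3 to 8 above as one script, added here as an example; it is not part of this note or of the SAP Cryptographic Library documentation. The installation directory /opt/ipc, the OS user ipcadm, the PSE file name SAPSNCS.pse and the export file name ipc_server.crt are assumptions; the sapgenpse commands are the ones the note gives, and the DN is the note's example. The check_secudir function verifies the permission requirement from step 7 (only the IPC Server's user may read cred_v2 and the PSE), which is the part worth rerunning after every change in SECUDIR.

```shell
#!/bin/sh
# Added example for steps 3 to 8 of the SAPCRYPTOLIB setup (not part of the note):
# creates PSE and credentials for the IPC Server and checks the SECUDIR permissions.
# Assumptions: /opt/ipc, OS user ipcadm, PSE name SAPSNCS.pse, output ipc_server.crt.
set -eu

IPC_HOME="${IPC_HOME:-/opt/ipc}"          # assumed IPC installation directory
IPC_USER="${IPC_USER:-ipcadm}"            # assumed OS user running the IPC Server
SECUDIR="$IPC_HOME/sec"                   # steps 4/5: ticket, PSE and cred_v2 live here
PSE="$SECUDIR/SAPSNCS.pse"                # assumed PSE file name
DN="CN=MyIPCServer, O=MyCompany, C=US"    # the note's example Distinguished Name
export SECUDIR

# Steps 4 to 8: SECUDIR, PSE, credentials (cred_v2) and export of the own certificate.
# $1 = PIN. sapgenpse prompts for the PIN if -x is omitted, which keeps it out of
# the process list; -x is used here only to match the note's command lines.
create_ipc_pse() {
    mkdir -p "$SECUDIR"
    chmod 700 "$SECUDIR"
    [ -f "$SECUDIR/ticket" ] || echo "warning: license ticket missing in $SECUDIR" >&2
    sapgenpse get_pse -p "$PSE" -x "$1" "$DN"                                  # step 6
    sapgenpse seclogin -p "$PSE" -x "$1" -O "$IPC_USER"                        # step 7
    sapgenpse export_own_cert -o "$SECUDIR/ipc_server.crt" -p "$PSE" -x "$1"   # step 8
    chmod 600 "$SECUDIR/cred_v2" "$PSE"
}

# Step 8, other direction: import the ABAP system's root certificate into the IPC PSE.
# $1 = certificate file, $2 = PIN
import_abap_root() {
    sapgenpse maintain_pk -a "$1" -p "$PSE" -x "$2"
}

# The note requires that only the IPC Server's user can read cred_v2 and the PSE.
# Returns 0 when SECUDIR ($1), cred_v2 and every *.pse file are owned by $2 and
# grant no group/other access at all; cred_v2 must exist (otherwise seclogin was skipped).
check_secudir() {
    dir="$1"; owner="$2"; rc=0
    [ -f "$dir/cred_v2" ] || { echo "no credentials: $dir/cred_v2 missing (run seclogin)" >&2; rc=1; }
    for f in "$dir" "$dir"/cred_v2 "$dir"/*.pse; do
        [ -e "$f" ] || continue
        set -- $(ls -ld "$f")            # $1 = mode string, $3 = owner
        case "$1" in
            ????------*) ;;              # group and other bits are all cleared
            *) echo "too permissive ($1): $f" >&2; rc=1 ;;
        esac
        [ "$3" = "$owner" ] || { echo "owned by $3, expected $owner: $f" >&2; rc=1; }
    done
    return "$rc"
}

# Run the real setup only when asked explicitly:  IPC_PIN=... sh ipc_snc_setup.sh setup
if [ "${1:-}" = "setup" ]; then
    create_ipc_pse "${IPC_PIN:?set IPC_PIN}"
    check_secudir "$SECUDIR" "$IPC_USER"
fi
```

Passing the PIN with -x exposes it in the process list for the duration of each command; omitting -x makes sapgenpse prompt for it, which is preferable on a shared host. check_secudir reads the mode and owner columns of ls -ld, so it works in any POSIX sh, but it only sees the classic permission bits; ACLs (an appended + in the mode string) are not inspected.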
4. Set up the IPC Server for the security enhancements.
Use the IPC Administrator to set the security parameters. Navigate to the security settings page. There
you can maintain the security relevant parameters.

"Security Level" is the level of security, which is used for the IPC Server. Value "1" or higher switches
the secure mode on.

"SNC library path" is the path and name of the security library you installed with the security product for
the IPC (e.g. C:\IPC\sapcryptolib\sapcrypto.dll).

In the field "SNC name of IPC Server" you enter the SNC name, which you have chosen during the
creation of the PSE for the IPC (Distinguished Name). The syntax is "p:<distinguished_name>" (e.g.
"p:CN=MyIPCServer, O=MyCompany, C=US").

"Name of allowed clients": Enter the SNC name of the authorized client, which is allowed to connect to
the IPC Server via the RFC connection. Here you enter the SNC name of the ABAP system with the
following syntax: "p:<distinguished_name>".

The field "Level of SNC protection" is optional. It specifies the level of protection to use for the
connection: "1" authenticates the partners only, "2" adds integrity protection, and "3" adds privacy
protection (encryption, which includes integrity protection). By default level "3" is set.
5. Set up the RFC Destinations in order to use SNC.

Go to the appropriate RFC destination (both IPC Server and IPC Dispatcher RFC Destinations have to
be edited) in the sm59 transaction.

Choose "Destination" -> "SNC options" from menu.

Enter the SNC name of the IPC Server in the "Partners" field. The value has to be the same as the value
you entered in the field "SNC name of IPC Server" in the IPC Administrator.

Save.

Go to tab "Logon/Security". Set "Security Options" to "active".

Save.

Do these steps for the IPC Dispatcher's and for the IPC Server's RFC Destinations.
For details see "SNC User's Guide".
Troubleshooting
Test the RFC Destination in transaction sm59 if you get a pop-up with the following error message in
transaction crmd_order or commpr01:
"IPC: No registration exists (handle=0)"
Some hints for the error messages, which were returned by the connection test of sm59:
1.
"SNC required (SNC_MODE=ON defined) for conversation..."

IPC Server runs in secure mode, but the use of SNC has not been activated in the RFC
Destination (Dispatcher and Server).
2.
"SNC disabled for conversation..."

The RFC Destination has been activated for the use of SNC, but the IPC Server doesn't run in
secure mode.

IPC Server runs in secure mode and the RFC Destination has been activated for the use of
SNC, but the parameters "SNC library path" and "SNC name of IPC Server" are not
maintained (correctly) on the IPC Server side.
3.
"A token had an invalid signature"

Check whether the certificate of the IPC Server has been imported into the ABAP system.
4.
"No credentials were supplied"

Check whether the parameter "SNC name of IPC Server" is equal to the SNC name of the used
IPC Server certificate.

Check the syntax of the value.
5.
"Unable to load the GSS-API DLL# named <path>"

The security library has not been found in the given <path>. Check/set the "SNC library path"
parameter in the IPC Administrator.
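A syntax and consistency check for the "SNC name of IPC Server" value, added here as an example and not part of the note: it implements the two checks listed above under "No credentials were supplied" (the value must have the form p:<distinguished_name> and must equal the DN the PSE was created with). The function names are mine; the DN is the note's example. The comparison is an exact match after the blanks around the commas are removed; it is a sanity check on the maintained value, not the security product's own name matching, which this note does not describe.

```shell
#!/bin/sh
# Added example (not from the note): validates the "SNC name of IPC Server" value
# against the syntax p:<distinguished_name> and against the DN given to
# "sapgenpse get_pse". Function names are assumptions; the DN is the note's example.
set -eu

# Trim leading/trailing blanks and the blanks around the commas between RDNs so that
# "p:CN=MyIPCServer, O=MyCompany, C=US" and "p:CN=MyIPCServer,O=MyCompany,C=US"
# compare equal.
normalize_snc_name() {
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                             -e 's/[[:space:]]*,[[:space:]]*/,/g'
}

# Return 0 if $1 has the form p:<attr>=<value>(,<attr>=<value>)*; otherwise print
# the reason (including the common mistake of pasting the quotes from the note) and return 1.
validate_snc_name() {
    n=$(normalize_snc_name "$1")
    case "$n" in
        \"*|\'*) echo "remove the quotes around the value: $1" >&2; return 1 ;;
        p:*) ;;
        *)  echo "missing \"p:\" prefix: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "${n#p:}" \
        | grep -Eq '^[A-Za-z]+=[^,=]+(,[A-Za-z]+=[^,=]+)*$' \
        || { echo "malformed distinguished name: $1" >&2; return 1; }
}

# Return 0 if the configured SNC name ($1) equals "p:" plus the DN the PSE was
# created with ($2), ignoring blanks around the commas.
snc_name_matches_pse() {
    validate_snc_name "$1" || return 1
    [ "$(normalize_snc_name "$1")" = "$(normalize_snc_name "p:$2")" ]
}

# Demo with the note's values; the second call deliberately lacks the "p:" prefix.
if [ "${1:-}" = "demo" ]; then
    snc_name_matches_pse "p:CN=MyIPCServer, O=MyCompany, C=US" "CN=MyIPCServer, O=MyCompany, C=US" && echo ok
    snc_name_matches_pse "CN=MyIPCServer, O=MyCompany, C=US" "CN=MyIPCServer, O=MyCompany, C=US" || echo mismatch
fi
```

Run it as sh check_snc_name.sh demo, or source it and call snc_name_matches_pse with the value from the IPC Administrator and the DN used in step 6 of the SAPCRYPTOLIB setup. Escaped commas inside attribute values are not handled; for such DNs compare the values by hand.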
Use of network security products
Inquiries:

Preconditions when using network security products

Secure authentication and confidentiality
Other terms
Security, Secure Single Sign-On, encryption, data security, DCE, smart cards, secure authentication,
privacy
Reason and Prerequisites
The SNC functions are officially available in SAP Systems as of Release 3.1G.
Solution
The SNC (Secure Network Communications) functions allow you to use an external security product to
secure the communications between SAP System components (for example, between application
servers and frontend clients).
1. What is the aim of the SNC functions?
=====================================
With SNC, you can use encryption to provide:

Secure user authentication

Integrity and privacy protection for data transfer

End-to-end security at the application level
The SNC functions can be used by security products that have implemented the standardized interface
GSS-API v2 and whose services are available to the SAP System in the form of a shared library or DLL
(see Internet RFC 2078; GSS-API v2 has since been re-specified in RFC 2743).
In Germany, SNC is particularly interesting to customers using the SAP module HR (Human Resources)
who are interested in additional security due to the German Data Protection Act (BDSG).
In Releases 3.1G/H/I, the communications between SAP System application servers and the SAPgui or
SAPlpd can be secured.
As of R/3 Release 4.0A, all online communication lines from or to the application server (except for
communications to the database server) can be secured using SNC. This includes SAPgui, SAPlpd, CPIC
and RFC connections.
As of Release 4.5B, you can also use SNC between the SAP System application servers and the Internet
Transaction Server (ITS) components (WGate and AGate).
2. Certification of external security products with GSS-API
========================================================
Products need to be certified by the SAP Software Partner Program.
"Certified" means that the security product has been tested for interoperability with SAP Systems by the
SAP Software Partner Program. The requirements are based on the standardized interface GSS-API v2.
For more information on the Software Partner Program, see:

http://www.sap.com/softwarepartner
For more information on existing security software partners, see:

http://service.sap.com/security
--> folder: Security Partners
Products to be certified should generally be supported by all SAP System platforms. On the application
side, these are various UNIX varieties, Windows NT and AS/400. On the frontend side these are the
platforms Windows 95, Windows NT, OS/2, Motif and Macintosh.
Note also that SNC support is only available for 32-bit frontends (not Windows 3.1).
The network security products can be purchased from any manufacturer. It is the customer's
responsibility to check to what extent local laws restrict the use of cryptography.
Notes:
a) SNC-capable SAProuter
=====================
As of Releases 3.1I and 4.0A, an SNC-capable SAProuter is also available (SAProuter version
31, see Note 30289). In this way, partial sections of SAP System communications can be secured (for
example, for communications in Releases < 3.1G).
This is intended for customers who will upgrade to Releases 3.1/4.0 later: they can already start using the
same security products they will use after the upgrade to R/3 3.1/4.0, based on the state-of-the-art
"application level security" mechanism. It is planned to make the SNC-capable SAProuter usable
together with a modified SECUDE version for future remote support connections.
b) White Paper and SNC User's Guide
================================
SAP has produced a White Paper on SNC (Secure Network Communications) and SSF
(Secure Store & Forward mechanisms) as well as the SNC User's Guide. These documents are available at the
SAP Service Marketplace:
http://service.sap.com/security
-> Security in Detail -> Secure System Management
Both documents are available in German and English.
White Paper Material Numbers: 50014335 (E), 50014336 (D)
c) Restrictions when using SAPgui with SNC
=======================================
As of SAPlogon Release 4.0A and Kernel Release 3.1H, SNC is supported when using load
distribution (Group selection) to start a SAPgui.
However, SNC is not possible when you use the Session Manager.