To enable Secure Network Communications (SNC) on the R3 server
You can set the profile parameters using transaction RZ10 if you have the corresponding administrator rights to make these changes.
snc/enable = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 3
snc/permit_insecure_start = 1
snc/identity/as = p:sAMAccountName@REALM
snc/gssapi_lib = /opt/quest/lib/
The actual path of the GSSAPI library varies by platform. The following table lists the path and file name to use for snc/gssapi_lib, the last of the SNC parameters listed above.
Platform | Path | Filename |
Any 32-bit (except HP-UX) | /opt/quest/lib | |
HPUX 32-bit | /opt/quest/lib | |
AIX 64 | /opt/quest/lib | |
Linux-x86_64 | /opt/quest/lib64 | |
Oracle Solaris-SPARC 64 | /opt/quest/lib/sparcv9 | |
Oracle Solaris-x86_64 | /opt/quest/lib/64 | |
HP-UX pa-risc 64 | /opt/quest/lib/pa20_64 | |
HP-UX ia64 | /opt/quest/lib/hpux64 | |
The snc/identity/as parameter, sAMAccountName@REALM, corresponds to the KRB5 principal name of the SAP Server. You can determine the sAMAccountName@REALM (or KRB5 principal name) by examining the Kerberos ticket cache using the vastool klist command.
chgrp sapsys /etc/opt/quest/vas/host.keytab
Modify the permissions so that the sapsys group has read access:
chmod 640 /etc/opt/quest/vas/host.keytab
If problems occur when SNC starts, they are logged to the /usr/sap/SID/instance/work/dev_w0 file in the work directory of the SAP Application Server.
Here is a sample work process log containing SNC activation messages:
N SncInit(): Initializing Secure Network Communication (SNC)
N Intel x86 with Linux (st,ascii,SAP_UC/size_t/void* = 8/32/32)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/opt/quest/lib/
N
N Tue Sep 30 17:11:14 2008
N File "/opt/quest/lib/" dynamically loaded as GSSAPI v2 library.
N The internal Adapter for the loaded GSSAPI mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSSAPI v2
N SncInit(): found snc/identity/as=p:sAMAccountName@REALM
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N
N Tue Sep 30 17:11:15 2008
N SncInit(): Initiating Credentials available, lifetime=09h 57m 07s
M ***LOG R1Q=> 1& [thxxsnc.c 252]
M SNC (Secure Network Communication) enabled
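One way to check the two things this section sets up, the keytab permissions and the SNC activation messages in dev_w0, as an added example that is not part of the product or of SAP. The function names and the sample trace are assumptions constructed from the excerpt above.

```python
import grp
import os
import re
import stat

# Constructed sample, modelled on the dev_w0 excerpt in this section.
SAMPLE_TRACE = """\
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)
N SncInit(): found snc/identity/as=p:sAMAccountName@REALM
N SncInit(): Accepting Credentials available, lifetime=Indefinite
M SNC (Secure Network Communication) enabled
"""

FOUND = re.compile(r"SncInit\(\): found (snc/[\w/]+)=(\S+?)(?:, using (\d+) \((.+?)\))?$")


def keytab_problems(path, group="sapsys"):
    """Return deviations from the chgrp sapsys / chmod 640 setup (hypothetical helper)."""
    st = os.stat(path)
    problems = []
    try:
        owner_group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # gid has no entry in the group database
        owner_group = str(st.st_gid)
    if owner_group != group:
        problems.append(f"group is {owner_group}, expected {group}")
    if not st.st_mode & stat.S_IRGRP:
        problems.append("group has no read access")
    if st.st_mode & stat.S_IRWXO:
        problems.append("keytab is accessible to other users")
    return problems


def summarize_trace(text):
    """Collect the SNC values a work process reports and whether SNC came up."""
    params, lines = {}, [ln.strip() for ln in text.splitlines()]
    for ln in lines:
        m = FOUND.search(ln)
        if m:
            name, configured, effective, label = m.groups()
            params[name] = {"configured": configured, "effective": effective or configured, "label": label}
    return {
        "params": params,
        "enabled": any(ln.endswith("SNC (Secure Network Communication) enabled") for ln in lines),
        "accepting_credentials": any("Accepting Credentials available" in ln for ln in lines),
        "adjusted": sorted(n for n, p in params.items() if p["configured"] != p["effective"]),
    }
```

The "adjusted" list names parameters whose value in use differs from the value found in the profile, as with snc/data_protection/use in the sample.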
Each user must have a unique Kerberos Principal Name (KPN) associated with their SAP account to use Single Sign-on for SAP.
To configure a SAP user to enable SNC authentication
Enter SU01 and click Enter, or access the user management functions under SAP Menu | Tools | Administration | User Maintenance | Users.
In the User field, enter a user name and click the pencil icon.
Select the SNC tab of the User Management screen.
Note: You must put a "p:" in front of the user's KPN, as follows: p:sAMAccountName@realm
The SNC data properties display a check mark next to the Canonical name determined message.
You can install Safeguard Authentication Services Single Sign-on for SAP from the installation setup wizard. From the Autorun Setup page, select Single Sign-on for SAP from the Related Products tab to install this add-on or follow the steps below.
Note: If you do not have local administrator rights, the SNC_LIB system environment variable will not be set during the installation. To resolve this issue, you can set the environment variable path for SNC_LIB to <install folder>/qgsskrb5.dll.
To install Safeguard Authentication Services Single Sign-on for SAP
where "x.x.x.x" is the latest version number.
Note: You must have a license file to install.
Note: If you are running the installer as a non-administrator, One Identity recommends that you specify an alternate location where you have rights to copy files.
Note: You may be prompted for permission to install. In that case, click Allow.
The Single Sign-on for SAP package includes a transform file called qas-sso-for-sap.mst along with the main MSI installer file. This transform file together with a special .cab file allows you to perform a silent installation of the Single Sign-on for SAP package using your license file.
When deploying Single Sign-on for SAP using Group Policy, you must first create a CAB from your license file.
