To enable Secure Network Communications (SNC) on the R3 server
- Add and configure the SNC-specific parameters to the instance profile of the SAP Server.
You can set the profile parameters using transaction RZ10 if you have the corresponding administrator rights to make these changes.
- Add the following SNC parameters to the instance profile of the application server. These settings enable the SNC features without impacting existing operations.
snc/enable = 1 snc/data_protection/min = 1 snc/data_protection/max = 3 snc/data_protection/use = 3 snc/accept_insecure_gui = 1 snc/accept_insecure_cpic = 1 snc/accept_insecure_rfc = 1 snc/accept_insecure_r3int_rfc = 1 snc/r3int_rfc_secure = 0 snc/r3int_rfc_qop = 3 snc/permit_insecure_start = 1 snc/identity/as = p:sAMAccountName@REALM snc/gssapi_lib = /opt/quest/lib/libvas-gssapi.so
The actual path of the GSSAPI library varies by platform. The following table lists the path and file name of snc/gssapi_lib in the last line of the SNC parameters listed above.
Table 2: Object: User-Display Platform Path Filename Any 32-bit (except HP-UX) /opt/quest/lib libvas-gssapi.so HPUX 32-bit /opt/quest/lib libvas-gssap.sl AIX 64 /opt/quest/lib libvas-gssapi64.so Linux-x86_64 /opt/quest/lib64 libvas-gssapi.so Oracle Solaris-SPARC 64 /opt/quest/lib/sparcv9 libvas-gssapi.so Oracle Solaris-x86_64 /opt/quest/lib/64 libvas-gssapi.so HP-UX pa-risc 64 /opt/quest/lib/pa20_64 libvas-gssapi.sl HP-UX ia64 /opt/quest/lib/hpux64 libvas-gssapi.so The snc/identity/as parameter, sAMAccountName@REALM, corresponds to the KRB5 principal name of the SAP Server. You can determine the sAMAccountName@REALM (or KRB5 principal name) by examining the Kerberos ticket cache using the vastool klist command.
- Change the group ownership of /etc/opt/quest/vas/host.keytab to sapsys by running:
chgrp sapsys /etc/opt/quest/vas/host.keytab
Modify the permissions so that the sapsys group has read access:
chmod 640 /etc/opt/quest/vas/host.keytab
- Restart the SAP Application Server.
If problems occur with the startup of the SNC, they are logged into the work directory of the SAP Application Server in the /usr/sap/SID/instance/work/dev_w0 file.
Here is a sample work process log containing SNC activation messages:
N SncInit(): Initializing Secure Network Communication (SNC) N Intel x86 with Linux (st,ascii,SAP_UC/size_t/void* = 8/32/32) N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level) N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level) N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level) N SncInit(): found snc/gssapi_lib=/opt/quest/lib/libvas-gssapi.so N N Tue Sep 30 17:11:14 2008 N File "/opt/quest/lib/libvas-gssapi.so" dynamically loaded as GSSAPI v2 library. N The internal Adapter for the loaded GSSAPI mechanism identifies as: N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSSAPI v2 N SncInit(): found snc/identity/as=p:sAMAccountName@REALM N SncInit(): Accepting Credentials available, lifetime=Indefinite N N Tue Sep 30 17:11:15 2008 N SncInit(): Initiating Credentials available, lifetime=09h 57m 07s M ***LOG R1Q=> 1& [thxxsnc.c 252] M SNC (Secure Network Communication) enabled
