Monday, April 04, 2016 SNC Configuration between Oracle Identity Manager and SAP Using SAP Cryptographic Library Bristlecone Team

Upload: rakesh-sharma

Post on 13-Apr-2017



Contents

Overview
Configuring SAP Server-side trust
  Install the SAP Cryptographic Library
    Steps of Installation (On SAP OS)
  Set the trust manager profile parameters
Configuring IDM Server-side trust
  Create PSE for the IDM Server and Export the Certificate
    Steps for creating PSE on IDM Server
    Import the SAP Server Certificate to the IDM Server
    Create Credentials
Enable SAP User to Communicate using SNC
  Testing SNC Configuration


Overview

The SAP Cryptographic Library is the default security product delivered by SAP for performing encryption functions in SAP Systems. You can use it for providing Secure Network Communications (SNC) between various SAP server components or for using the Secure Sockets Layer (SSL) protocol with the SAP Web Application Server.

The server and its communication partners must be configured for SNC as follows:

1. The server must possess a public-private key pair and a public-key certificate, which is stored in the server's Personal Security Environment (PSE). Although you may obtain a certificate from a trusted Certification Authority (CA), for easier administration we recommend using a certificate that is signed by the server itself (self-signed). This documentation refers only to configuring the server using a self-signed certificate.

2. At run-time, the server must have active credentials. This is accomplished by using the configuration tool to "open" the server's PSE.

3. The server must be able to verify its communication partner's identity. This is accomplished by importing the partner's public-key certificate into the server's own certificate list. As an alternative, you can use the same PSE for all server components.

Please note that throughout this document the user names, server names (SAP and OIM) and IP addresses are used only to explain the configuration parameters; change them according to your landscape. We have tried to illustrate common problems using the error messages they produce, and how to resolve those errors is also described.


Configuring SAP Server-side trust

Install the SAP Cryptographic Library

The SAP Cryptographic Library installation package is available for authorized customers on the SAP Service Marketplace at http://service.sap.com/download. The SAP Cryptographic Library installation package sapcrypto.car contains the following files:

1. The SAP Cryptographic Library (sapcrypto.dll for Windows NT or libsapcrypto.<ext> for UNIX)
2. A corresponding license ticket (ticket)
3. The configuration tool sapgenpse.exe

Steps of Installation (On SAP OS)

As user <sid>adm:

1. Extract the contents of the SAP Cryptographic Library installation package.
2. Copy the library file and the configuration tool sapgenpse.exe to the directory specified by the application server's profile parameter DIR_EXECUTABLE. In the following, we represent this directory with the notation $(DIR_EXECUTABLE).
   Example (Windows NT):
     DIR_EXECUTABLE: <DRIVE>:/sapmnt/LI1/exe
     Location of SAP Cryptographic Library: <DRIVE>:/sapmnt/LI1/exe/sapcrypto.dll
3. Check the file permissions for the SAP Cryptographic Library.
4. Copy the ticket file to the sub-directory sec in the instance directory $(DIR_INSTANCE).
   Example (Windows NT):
     DIR_INSTANCE: <DRIVE>:/usr/sap/<SID>/<instance>
     Location of the ticket: <DRIVE>:/usr/sap/<SID>/<instance>/sec/ticket
5. Set the environment variable SECUDIR to the sec sub-directory. The application server uses this variable to locate the ticket and its credentials at run-time.

Set the trust manager profile parameters

Set the profile parameters so that the trust manager can access the SAP Cryptographic Library. Set the following profile parameters on each SAP AS ABAP instance and restart the application server.

Profile parameter: sec/libsapsecu
  Value: Path and file name of the SAP Cryptographic Library
  Examples: UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
            Windows NT: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll

Profile parameter: ssf/ssfapi_lib
  Value: Path and file name of the SAP Cryptographic Library
  Examples: UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
            Windows NT: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll

Profile parameter: ssf/name
  Value: SAPSECULIB
  Example: SAPSECULIB

Create a PSE and self-signed public-key certificate

Note: If the component has several hosts, then you can create a single PSE on one host and copy it to the other hosts.

Steps: Using the trust manager (transaction STRUST):

1. Select the SNC PSE node.
2. Using the context menu, choose Create (if no PSE exists) or Replace.
   a. The <Create/Replace> PSE dialog appears.
3. If the server's SNC name is defined in the profile parameter snc/identity/as, then the system automatically determines the Distinguished Name accordingly. Otherwise, enter the Distinguished Name parts in the corresponding fields, for example:
   a. Name = <SID>
   b. Org. (opt.) = Test
   c. Comp./Org. = MyCompany
   d. Country = US
4. Choose Enter. You return to the Trust Manager screen.
5. For SNC, you must assign a password to the PSE. Choose Assign password. The PSE dialog appears.
6. Enter a password for the PSE and choose Enter. You return to the Trust Manager screen.

Export the SAP SNC Certificate

Export the SAP certificate from the application server so that it can be imported on the WebLogic Server.

Steps: Using the trust manager (transaction STRUST):

1. Select the SNC PSE. The SNC PSE information appears in the PSE maintenance section.
2. Choose PSE Export (Base 64 format).
3. Save the PSE to the file system.

The SNC PSE is now available in the file system. Copy it to the appropriate location on the communication partner's host.

Import the Certificate generated on the IDM Server (covered in IDM Server-side trust)

Steps: Using the trust manager (transaction STRUST):

1. Choose Certificate Import.
2. Select the .CRT generated by the IDM server from the file system.
   Note: This CRT was generated on the WebLogic server.
3. The PSE information appears in the PSE maintenance section as a file .CRT (Base 64 format).
4. Choose Certificate, Save As.
   a. The Certificate Save As dialog appears.
5. Select the SNC (SAPCryptolib) PSE and choose Enter.


6. In the next dialog, choose Yes to confirm that you want to replace or create the SNC CRT.
   a. The trust manager saves the PSE as the SNC PSE and distributes it to the application servers.
7. For SNC, you must assign a password to the PSE. Choose Assign password.
   a. The PSE dialog appears.
8. Enter a password for the PSE and choose Enter.
   a. You return to the Trust Manager screen.

Now the SNC PSE is imported. The system automatically distributes it to the individual application servers. The PSE is also protected with a password and credentials exist for the server so that it can access the PSE at run-time.

Set the SNC profile parameters

The last step in the configuration procedure on the application server is to set the SNC-relevant profile parameters. Setting the profile parameter snc/enable to 1 activates SNC on the application server. If this parameter is set but the SNC PSE and credentials do not exist, then the application server will not start. Therefore, setting the SNC parameters should be the last step in the configuration procedure.

Procedure:

Set the profile parameters below on the application server so that the server can communicate using SNC, and restart the SAP System.

Note: There are additional parameters, but the most important ones are listed below.

SNC Profile Parameters

Profile parameter: snc/enable
  Value: 1
  Example: 1

Profile parameter: snc/gssapi_lib
  Value: Path and file name where the SAP Cryptographic Library is located
  Examples: UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
            Windows NT: D:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll

Profile parameter: snc/identity/as
  Value: Application server's SNC name. Syntax: p:<Distinguished_Name>. The Distinguished Name part must match the Distinguished Name that you specify when creating the SNC PSE.
  Example: p:CN=ABC, OU=Test, O=MyCompany, C=US

Profile parameter: snc/data_protection/max
  Value: 1: Authentication only; 2: Integrity protection; 3: Privacy protection
  Example: 3

Profile parameter: snc/data_protection/min
  Value: 1: Authentication only; 2: Integrity protection; 3: Privacy protection
  Example: 1

Profile parameter: snc/data_protection/use
  Value: 1: Authentication only; 2: Integrity protection; 3: Privacy protection; 9: Use the value from snc/data_protection/max
  Example: 9

Profile parameter: snc/accept_insecure_cpic
  Value: 0: do not accept; 1: accept
  Example: 1

Profile parameter: snc/accept_insecure_gui
  Value: 0: do not accept; 1: accept
  Example: 1

Profile parameter: snc/accept_insecure_r3int_rfc
  Value: 0: do not accept; 1: accept
  Example: 1

Profile parameter: snc/accept_insecure_rfc
  Value: 0: do not accept; 1: accept
  Example: 1
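The parameters above depend on each other: snc/identity/as must carry the p: prefix and match the Distinguished Name of the SNC PSE, the three data protection levels must be consistent, and each snc/accept_insecure_* flag set to 1 means the server still accepts that connection type without SNC. As an added example that is not part of the original document, the Python below parses the SNC block of an instance profile and reports those inconsistencies; the profile text, its "name = value" line format and the PSE owner DN are constructed assumptions.

```python
# Constructed sample of the SNC lines of an ABAP instance profile, built from
# the example values in this document (assumption: "name = value" lines).
SAMPLE_PROFILE = """
snc/enable = 1
snc/identity/as = p:CN=ABC, OU=Test, O=MyCompany, C=US
snc/data_protection/max = 3
snc/data_protection/min = 1
snc/data_protection/use = 9
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
"""

INSECURE_FLAGS = ("snc/accept_insecure_cpic", "snc/accept_insecure_gui",
                  "snc/accept_insecure_r3int_rfc", "snc/accept_insecure_rfc")

def parse_profile(text):
    """Return {parameter: value} for 'name = value' lines, skipping '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition("=")   # DN values contain '=' too
            params[name.strip()] = value.strip()
    return params

def normalize_dn(dn):
    """Canonical DN for comparison: drop the 'p:' prefix and spaces after commas."""
    dn = dn[2:] if dn.startswith("p:") else dn
    return ",".join(part.strip() for part in dn.split(","))

def check_snc(params, pse_owner_dn):
    """Return findings as strings; an empty list means the SNC block is consistent."""
    findings = []
    if params.get("snc/enable") != "1":
        return ["snc/enable is not 1: SNC is inactive"]
    ident = params.get("snc/identity/as", "")
    if not ident.startswith("p:"):
        findings.append("snc/identity/as must start with 'p:'")
    elif normalize_dn(ident) != normalize_dn(pse_owner_dn):
        findings.append("snc/identity/as DN does not match the SNC PSE owner DN")
    mx, mn, use = (int(params.get(f"snc/data_protection/{k}", 0))
                   for k in ("max", "min", "use"))
    if not 1 <= mn <= mx <= 3:
        findings.append("need 1 <= data_protection/min <= data_protection/max <= 3")
    if use not in (1, 2, 3, 9) or (use != 9 and not mn <= use <= mx):
        findings.append("data_protection/use must be 9 or a level within [min, max]")
    for flag in INSECURE_FLAGS:  # value 1 = connections without SNC are still accepted
        if params.get(flag) == "1":
            findings.append(f"{flag}=1 still accepts connections without SNC")
    return findings
```

With the document's own values the only findings are the two accept_insecure flags, which is the expected state while the IDM integration is being tested.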

Configuring IDM Server-side trust

Create PSE for the IDM Server and Export the Certificate

Steps for creating PSE on IDM Server

1. Create a directory on the WebLogic Server to store the PSE.
2. Copy the ticket license file and the SAP certified client cryptographic library (e.g. SECUDE) to the directory you just created. Make sure you set the SECUDIR environment variable to this directory, and also add this path to your "PATH" system environment variable.
3. Execute the following command to generate the PSE. The client PSE is named RFC.pse. From the command line, you can specify the distinguished name.

    sapgenpse gen_pse -v -p RFC.pse
    Got absolute PSE path "<your path>/RFC.pse".
    Please enter PIN: ********
    Please reenter PIN: ********
    get_pse: Distinguished name of PSE owner: CN=RFC, OU=IT, O=CSW, C=DE
    Supplied distinguished name: "CN=RFC, OU=IT, O=CSW, C=DE"
    Generating key (RSA, 1024-bits) ... succeeded.
    Certificate creation... ok
    PSE update... ok
    PKRoot... ok
    Generating certificate request... ok.
    PKCS#10 certificate request for "<your path>/RFC.pse"

4. Execute the following command to export the client certificate of the newly created PSE.

    sapgenpse export_own_cert -v -p RFC.pse -o RFC.crt
    Opening PSE "<your path>/RFC.pse"...
    No SSO credentials found for this PSE.
    Please enter PIN: ********
    PSE open ok.
    Retrieving my certificate... ok.
    Writing to file ...... ok

The exported certificate is named RFC.crt.

Import the SAP Server Certificate to the IDM Server

Place the SAP Server certificate in the directory created in step 1 above, and import it using the procedure below. On the command line run:

    > sapgenpse maintain_pk -v -a <SID>.crt -p RFC.pse
    Opening PSE "<your path>/RFC.pse"...
    No SSO credentials found for this PSE.
    Please enter PIN: ********
    PSE open ok.
    Adding new certificate from file "<SID>.crt"
    ----------------------------------------------------------------------------
    Subject : CN=IDS, OU=IT, O=CSW, C=DE
    Issuer  : CN=IDS, OU=IT, O=CSW, C=DE
    Serialno: 00
    KeyInfo : RSA, 2048-bit
    Validity - NotBefore: Wed Mar 6 21:37:32 2008 (060927193732Z)
               NotAfter:  Fri Jan 1 01:00:01 2038 (380101000001Z)
    -----------------------------------------------------------------------------
    PKList updated (1 entries total, 1 newly added)

Create Credentials

Steps to Create Credentials

1. Create the cred_v2 file. After setting up the client PSE you must create a file called cred_v2, which is used to securely give the RFC program access to the PSE without providing the password for the PSE.
2. On the command line run:

    sapgenpse seclogin -p <PSE_Name> -x <PIN> -O [<NT_Domain>\]<user_ID>
    creating credentials for yourself (USER=)...
    Please enter PIN: ********
    Added SSO-credentials for PSE "<your path>/RFC.pse"
      "CN=RFC, OU=IT, O=CSW, C=DE"

Enable SAP User to Communicate using SNC

Log in to SAP GUI and perform the following steps.

1. Go to T-code SU01 -> SNC Tab.
2. Enter the SNC name of the WebLogic Server and check the option 'Unsecure Communication Permitted (User-specific)', as shown in the screenshot below.


Testing SNC Configuration

Login to IDM

Maintain the following parameters in the SAP UM IT Resource:

  useSNC
  sncLib
  sncName
  sncPartnerName
  sncProtectionLevel
  sncX509Cert

Execute the scheduled job.

Error: The following error could occur when you execute the job.

Solution: Map the X.509 Certificate to the User. The X.509 Certificate must be accepted for a successful Login.

1. Start Transaction SM30.
2. Enter VUSREXTID and click Maintain.

Using the view VUSREXTID, you can set up a mapping between the Distinguished Name provided by an X.509 certificate and an ABAP user.

3. Choose the Distinguished Name for the IDM ID type.


4. Create a new entry and activate it.
5. Now try executing the job again.

Error: The following error could occur when you execute the job.

Solution: Allow SNC RFC Connection.

Now you need to map the X.509 certificates that were created for the user accounts on the SAP Server.

1. Start Transaction SM30 and enter the view VSNCSYSACL.

This view is used to restrict the SNC RFC connections by an Access Control List (ACL). You will see an alert window pop up; just click on the "right" (confirm) symbol.

2. Choose "E" for the Type of ACL entry.
3. Enter the System ID and the SNC name.
   Note: Do not forget the "p:" in front of the DN.
4. Save the entry.
5. The following result is displayed in the Job History if the scheduled job is executed successfully.
