SNC encryption tips and tricks

This blog will give tips and tricks around the topic SNC encryption.

SNC encryption exists for both SAP GUI and RFC connections.

Formal documentation about SNC can be found on help.sap.com.

SAP GUI client encryption

Central OSS notes for SAP GUI client encryption:

How to check if all GUIs are using SNC encryption? The audit log can register unencrypted use of the GUI: 2122578 – New: Security Audit Log event for unencrypted GUI / RFC connections. Activate this in the main client(s) as well as in client 000 (3577840 – Information about Security Audit Log event BUJ are required).

Use of insecure SAP GUI

Use of insecure SAP GUI can be detected with the SAP audit log events. Event BUJ records the insecure use: 2122578 – New: Security Audit Log event for unencrypted GUI / RFC connections and 3577840 – Information about Security Audit Log event BUJ are required.

See OSS note 3552348 – Record failed SAP GUI SNC logon attempts in Security Audit Log for attempts.
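To turn the BUJ events into something you can review regularly, here is an added example (not code from the blog and not SAP code) that parses a simplified audit log export and summarises the unencrypted GUI/RFC connections per client and per user/terminal, and lists expected clients that produced no audit entries at all (a hint that the log or the event is not active there). The column layout, the sample entries and the message texts are constructed assumptions; the real SM20/RSAU export layout differs per release, so map the columns to your own export first.

```python
"""Summarise unencrypted SAP GUI / RFC logons recorded as Security Audit Log event BUJ.

Added example, not code from the blog or from SAP. Input is a constructed,
simplified export: one entry per line, semicolon-separated
(date;time;client;user;terminal;event;message).
"""
import csv
import io
from collections import Counter

# Constructed sample export (not a real SM20 output; message texts are made up).
SAMPLE_LOG = """\
2024-05-02;08:01:12;100;JDOE;WS-0142;AU1;Logon successful
2024-05-02;08:01:12;100;JDOE;WS-0142;BUJ;Unencrypted GUI connection
2024-05-02;08:05:40;100;MSMITH;WS-0201;AU1;Logon successful
2024-05-02;09:12:03;000;DDIC;WS-0009;BUJ;Unencrypted RFC connection
2024-05-02;09:30:55;100;JDOE;WS-0142;BUJ;Unencrypted GUI connection
2024-05-02;10:00:00;100;BATCH_RFC;APPSRV01;AU1;Logon successful
"""

COLUMNS = ["date", "time", "client", "user", "terminal", "event", "message"]
UNENCRYPTED_EVENT = "BUJ"  # event id from OSS note 2122578


def parse_audit_log(text):
    """Turn the export text into a list of dicts keyed by COLUMNS."""
    reader = csv.reader(io.StringIO(text), delimiter=";")
    return [dict(zip(COLUMNS, row)) for row in reader if row]


def find_unencrypted(records):
    """Return only the entries where event BUJ fired."""
    return [r for r in records if r["event"] == UNENCRYPTED_EVENT]


def summarize_unencrypted(records, expected_clients=("000", "100")):
    """Aggregate BUJ hits per client and per (client, user, terminal), and list
    expected clients with no audit entries at all. The blog says the event must
    be active in the main client(s) and in client 000, so a silent client is
    worth a look at its audit log configuration."""
    hits = find_unencrypted(records)
    per_client = Counter(r["client"] for r in hits)
    per_origin = Counter((r["client"], r["user"], r["terminal"]) for r in hits)
    # Constructed heuristic: the sample message text says "RFC" for RFC connections.
    kinds = Counter("RFC" if "RFC" in r["message"] else "GUI" for r in hits)
    logged_clients = {r["client"] for r in records}
    silent = sorted(c for c in expected_clients if c not in logged_clients)
    return {
        "total": len(hits),
        "per_client": dict(per_client),
        "per_origin": dict(per_origin),
        "kinds": dict(kinds),
        "silent_clients": silent,
    }


if __name__ == "__main__":
    summary = summarize_unencrypted(parse_audit_log(SAMPLE_LOG))
    print(f"{summary['total']} unencrypted connection(s) recorded")
    for (client, user, terminal), count in sorted(summary["per_origin"].items()):
        print(f"  client {client} user {user} from {terminal}: {count}")
    if summary["silent_clients"]:
        print("no audit entries seen for clients:", ", ".join(summary["silent_clients"]))
```

The per-origin view is the useful one in practice: a handful of users or terminals with repeated BUJ hits usually points to an old SAP GUI installation or an RFC client without an SNC name, which is what you need to fix before switching snc/only_encrypted_gui on.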

SAP GUI SNC log on enforcing

As explained in OSS note 3249205 – Difference between snc/only_encrypted_gui and snc/accept_insecure_gui, parameter snc/only_encrypted_gui can be set to 1 to reject any non-SNC GUI connection. Parameter snc/accept_insecure_gui determines whether user password logon (over SNC) is still allowed, or only passwordless SSO.
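As an added example (not the blog's or SAP's code), the following script reads the SNC parameters named above from an instance profile text and reports which settings still leave unencrypted or password-based GUI logons possible, with a weak and a hardened constructed profile side by side. Assumptions, to verify against the note for your release: a missing parameter counts as its default 0; for snc/accept_insecure_gui the value 1 means password logon over SNC is still accepted, 0 means SSO only, and U means it is decided per user; the SNC identity in the samples is a placeholder.

```python
"""Evaluate SNC enforcement parameters for SAP GUI logons from an instance profile.

Added example, not code from the blog or from SAP. Parses 'parameter = value'
lines and applies the rules the post describes for snc/only_encrypted_gui and
snc/accept_insecure_gui (OSS note 3249205), plus the prerequisite snc/enable.
Defaults and value meanings below are assumptions; check them for your release.
"""

# Constructed profile fragments; the SNC identity value is a placeholder.
WEAK_PROFILE = """\
# instance profile (constructed example)
snc/enable = 1
snc/gssapi_lib = $(DIR_EXECUTABLE)/libsapcrypto.so
snc/identity/as = p:CN=<PLACEHOLDER-SNC-NAME>
snc/only_encrypted_gui = 0
snc/accept_insecure_gui = 1
"""

HARDENED_PROFILE = """\
# instance profile (constructed example)
snc/enable = 1
snc/gssapi_lib = $(DIR_EXECUTABLE)/libsapcrypto.so
snc/identity/as = p:CN=<PLACEHOLDER-SNC-NAME>
snc/only_encrypted_gui = 1
snc/accept_insecure_gui = 0
"""


def parse_profile(text):
    """Read 'key = value' lines; lines starting with '#' are comments; later entries win."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params


def evaluate_snc_gui(params):
    """Return a list of findings; an empty list means GUI logons are SNC-enforced."""
    findings = []
    enable = params.get("snc/enable", "0")  # assumed default 0
    if enable != "1":
        findings.append({"parameter": "snc/enable", "value": enable,
                         "recommended": "1",
                         "issue": "SNC is disabled; no GUI or RFC connection can be encrypted"})
        return findings  # the remaining parameters have no effect without SNC
    only_enc = params.get("snc/only_encrypted_gui", "0")  # assumed default 0
    if only_enc != "1":
        findings.append({"parameter": "snc/only_encrypted_gui", "value": only_enc,
                         "recommended": "1",
                         "issue": "non-SNC SAP GUI connections are still accepted"})
    accept = params.get("snc/accept_insecure_gui", "0")  # assumed default 0
    if accept == "1":  # assumed meaning: password logon over SNC still allowed
        findings.append({"parameter": "snc/accept_insecure_gui", "value": accept,
                         "recommended": "0",
                         "issue": "password logon is still allowed instead of SSO only"})
    elif accept.upper() == "U":  # assumed meaning: decided per user
        findings.append({"parameter": "snc/accept_insecure_gui", "value": accept,
                         "recommended": "0",
                         "issue": "password logon decided per user; review the user master records"})
    return findings


def report(text):
    """Parse and evaluate one profile text in one call."""
    return evaluate_snc_gui(parse_profile(text))


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        found = report(profile)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  {f['parameter']} = {f['value']} (recommended {f['recommended']}): {f['issue']}")
```

Run it against the profile exported from the system (or the values shown in RZ11) rather than against the file on disk alone, because a dynamically switched value is what the instance actually enforces.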

SAP RFC encryption

Generic SAP to SAP RFC encryption is explained in OSS notes 2653733 – Enabling SNC on RFCs between AS ABAP and 3373138 – SNC for SM59 destinations that use load balancing.

Specific use case: SNC for STMS

Note 3025554 – SNC for STMS explains the SNC setup for the RFC connections needed in STMS. If not set up properly, you might get the error described in OSS note 3477342 – RFC communication error with system/destination : 00024 error during logon.

Specific use case: SNC for JAVA and MII

Note 3394750 – SNC configuration issue between SAP MII Java and ERP explains the SNC setup for the RFC connections needed in JAVA MII. It also refers to the generic JAVA to ABAP SNC setup note 2573413 – How to configure SNC from 7.1x onwards AS Java to AS ABAP.

Specific use case: CPI-DS

Note 3280758 – Enabling SNC between CPI-DS and ABAP backend fails with “Test failed for the default configuration ‘default’” gives hints on SNC for CPI-DS.

Specific use case: SNC for SAP Router

For SNC on SAProuter, read OSS note 525751 – Installation of the SNC SAPRouter as NT Service.

Good blog on SNC setup for SAP router: link, and standard SAP help content on SCN for SAP router.

Specific note: 3464887 – SAPRouter SNC error -> SNCERR_BAD_NT_PREFIX.

SNC issue solving notes

List of notes to help solve issues:

Idoc change pointer setup (ALE)

Idoc change pointers can be used to set up master data distribution. Most used objects are materials, customers, vendors, GL accounts. This setup is also known as the ALE (Application Link Enabling) setup.

General activation of change pointers

Start transaction BD61 to activate change pointers in general (this is a one-off general activation):

Per message type the change pointer activation is done in transaction BD51:

In transaction BD52 you can see which fields trigger a change pointer for that specific message type:

If you want to know (or steer) the processing function module behind it, start transaction BD60 and check the details:

Distribution model and Idoc partner profile setup

In transaction BD54 you define logical systems. In our example we will use the definition SOURCE and TARGET:

The SOURCE system definition is normally connected to the main client in the SCC4 transaction:

Now we can model the data flow in BD64 distribution model.

Create the Model View first:

Then add the message type with sender and receiver:

So the end result looks like this:

Now, in WE20 in the source system, set up the partner profile:

The receiver port must be defined in WE21 (ports in idoc processing):

The RFC destination is maintained in SM59 as usual and contains the technical data of the target system.

In the target system the setup of the ALE model needs to be done as well, and the partner profile needs to be on the inbound side:

Testing the setup

To test the setup create a material or change one. This should trigger a change pointer.

Run program RBDMIDOC or start transaction BD21 to evaluate the change pointers:

If you run it for the first time, it is best to clear all the old items with program RBDCPCLR2 first. If the activation was done years ago, you otherwise end up with a lot of unwanted Idocs.

When running the program, an Idoc is created for each material master change (not only yours). You can check in WE02, WE05 or WLF_IDOC whether the Idoc was created correctly.

OSS notes:

And look for application-specific issues in ALE (example note):

Generic clean up

With this setup there are two generic clean ups needed:

  • Clean up old change pointers (program RBDCPCLR2)
  • Clean up old Idocs (program RSETESTD)

See blog SAP database growth control: technical cleanup – Saptechnicalguru.com for reference.

ABAP Clean Core development

ABAP Clean Core is a development concept. It is not to be confused with ABAP clean code.

The ABAP Clean Core is fully explained in this very extensive SAP document: Extend SAP S/4HANA in the cloud and on premise with ABAP based extensions.

SAP has positioned the development patterns and tools from the past in OSS note 3578329 – Frameworks, Technologies and Development Patterns in Context of Clean Core Extensibility.

This blog will focus on the initial phase to get insights into your existing code and to brief you on the main changes.

Prepare the ATC run for Clean Core

The first step is to prepare the ATC runs by applying OSS note 3565942 – ATC Checks “Usage of APIs” and “Allowed Enhancement Technologies” (don’t forget: after implementation, press ‘Import Parameters’ for the ATC check object SYCM_USAGE_OF_APIS in ADT for Eclipse).

Then use the Notes Analyzer to apply correction notes from OSS note 3627152 – SAP Note Analyzer Files for ATC Checks Related to Clean Core.

The ABAP CVA security checks are part of this variant. On SAP cloud they are part of the license; on premise they are not (so you need a separate license). If you don’t have the license, use ADT in Eclipse to remove the check from ATC variant ABAP_CLOUD_DEVELOPMENT_DEFAULT.

To make sure all new items are loaded, start transaction SCI and choose the option Utilities / Import Check Variants.

ATC runs for Clean Core

Run the ATC for variant ABAP_CLOUD_DEVELOPMENT_DEFAULT.

Remark: please check the document Extend SAP S/4HANA in the cloud and on premise with ABAP based extensions in case a newer version of the variant is defined there!

Now run this one (or older ABAP_CLOUD_READINESS) on this simple test program:

REPORT ztest.                        " classic SE38 report: flagged by the Clean Core ATC check

DATA: zlt_mara TYPE TABLE OF mara.   " internal table, declared but not used in this test
DATA: zls_mara TYPE mara.            " work area for one MARA row

SELECT * FROM mara INTO zls_mara.    " direct read of table MARA: forbidden in Clean Core
ENDSELECT.

Result:

Already in this small piece of code there are 2 showstoppers:

  • You cannot use SE38 programs with the REPORT statement any more
  • Direct table reads (in this case MARA) are forbidden in Clean Core

When you run it on your existing code base, you will find many issues. On average, a single old-fashioned ABAP program easily generates 100 Clean Core findings or more.

Forbidden to use in Clean Core

What else is not allowed?

Short list:

  • ALV grid output
  • Enjoy screens
  • SAP script
  • Smartforms
  • Webdynpro
  • Non-released function modules
  • Batch input
  • Many more

New technology

So what do I need to use?

  • Data selection: CDS views
  • User interaction: FIORI (or FIORI elements) including FIORI key user extensibility
  • Data and processing logic: RAP (RESTful application programming) framework
  • Use released API’s (see the Cloudification Repository Viewer, link and explanation)
  • SAP extension points

BTP side by side developments

BTP side-by-side developments are an option. These developments are meant for loosely coupled scenarios. Also check whether the BTP platform availability restrictions meet your SLA requirements.

Summary

Starting with a Green Field new SAP implementation, there is a good chance you will succeed in applying the Clean Core principles.

With an existing implementation there are a couple of bottlenecks:

  • Most likely the skill set of your current ABAP developers is not up to par with the Clean Core development skill set
  • Small changes to existing code will keep being done old style, since the effort to convert is out of proportion to the effort of doing it old style
  • The new style of coding is more structured and takes more initial effort (which will be regained at the end in the maintenance phase), but this can be a hard sell. Old fashioned ABAP with selection screen, direct SQL and ALV output is very effective and efficient to write in terms of man days work.
Tip: try the new development style for a completely new development. The chance of success will rise.