This blog will give tips and tricks around the topic SNC encryption.
SNC encryption exists for both SAP GUI and RFC connections.
Formal documentation about SNC can be found on help.sap.com.
SAP GUI client encryption
Central OSS notes for SAP GUI client encryption:
- 2425150 – Release Note SNC Client Encryption 2.0
- 2440692 – Central Note for SNC Client Encryption 2.0
How to check if all GUI’s are using SNC encryption? The audit log can register unencrypted us of the GUI: 2122578 – New: Security Audit Log event for unencrypted GUI / RFC connections. Activate this in the main client(s) as well as in client 000 (3577840 – Information about Security Audit Log event BUJ are required).
Use of insecure SAP GUI
Use of insecure SAP GUI can be detected by using the SAP audit log events. Event BUJ is recording the insecure use: 2122578 – New: Security Audit Log event for unencrypted GUI / RFC connections and 3577840 – Information about Security Audit Log event BUJ are required.
See OSS note 3552348 – Record failed SAP GUI SNC logon attempts in Security Audit Log for attempts.
SAP GUI SNC log on enforcing
As explained in OSS note 3249205 – Difference between snc/only_encrypted_gui and snc/accept_insecure_gui – SAP for Me parameter snc/only_encrypted_gui can be set to 1 to reject any non-SNC GUI connection. Parameter snc/accept_insecure_gui determines if user password logon is still allowed (using SNC), or only password less SSO.
SAP RFC encryption
Generic SAP to SAP RFC encryption is explained in OSS note 2653733 – Enabling SNC on RFCs between AS ABAP and 3373138 – SNC for SM59 destinations that use load balancing.
Specific use case: SNC for STMS
Note 3025554 – SNC for STMS explains the SNC setup for RFC needed in STMS. If not setup properly, you might get the error as described in this OSS note 3477342 – RFC communication error with system/destination : 00024 error during logon.
Specific use case: SNC for JAVA and MII
Note 3394750 – SNC configuration issue between SAP MII Java and ERP explains the SNC setup for RFC needed in JAVA MII. Which refers also to the generic JAVA to ABAP SNC setup note 2573413 – How to configure SNC from 7.1x onwards AS Java to AS ABAP.
Specific use case: CPI-DS
Note 3280758 – Enabling SNC between CPI-DS and ABAP backend fails with “Test failed for the default configuration ‘default'” gives hints on SNC for CPI-DS.
Specific use case: SNC for SAP Router
For SNC for SAP router read this OSS note: 525751 – Installation of the SNC SAPRouter as NT Service.
Good blog on SNC setup for SAP router: link, and standard SAP help content on SCN for SAP router.
Specific note: 3464887 – SAPRouter SNC error -> SNCERR_BAD_NT_PREFIX.
SNC issue solving notes
List of notes to help solve issues:
- 1867829 – List of SNC Error Codes
- 2414090 – STRUST wizard to replace existing key pairs
- 2516117 – SNC Error Code A2210223: Server does not trust my certificate path – SAP Single Sign-On
- 2689597 – STRUST overwrites maintained SNC mechanism prefix in the default profile
- 2962106 – SNC Error Code A2200220:Peer certificate expired
- 3074756 – SAP Logon: Secure Network Settings Page – activate SNC / SSO based on customer configuration
- 3426823 – Accept RFC connections from ABAP clients for virtual users without SNC also if snc/accept_insecure_rfc is not set to 1
- 3517471 – The specified QOP is not supported by the mechanism in JCO SNC connection
- 3522798 – “CPIC-CALL: ‘ThSAPOCMINIT’, communication rc: CM_SECURITY_NOT_VALID (cmRc=6), ta” error when creating new SNC enabled connection in SMT1
- 3545535 – How to export a certificate from a STRUST PSE
- 3664739 – RFC SNC SCC mapping virtual host not coming with Secured port sapgw<NR>s