SAP S4/Hana ABAP RFC connection via SNC

February 9, 2023
Sara Sampaio
Technical Articles

Under this blog I have outlined ABAP RFC connection via SNC, so we have used RFC with SNC (Secure Network Communications)2.0 setup.

SNC is a software layer in the SAP system that provides an interface to an external security product. SNC, you can strengthen the security of your SAP system by implementing additional security functions that SAP systems do not directly provide.

Dia from help.sap.com

DISCLAIMER
The content of this blog post is provided “AS IS”. This information could contain technical inaccuracies, typographical errors, and out-of-date information. This document may be updated or changed without notice at any time. Use of the information is therefore at your own risk. In no event shall SAP be liable for special, indirect, incidental, or consequential damages resulting from or related to the use of this document.

Purpose

This document tried to include all Basis steps for enabling SNC for ABAP RFCs for secure connections.
SAP S4/Hana ABAP connection via SNC

Steps: –
• Setup SNC in both systems
• Generate SNC certificate from both systems and map in strustsso2  SNC SAPCryptolib
• Create a user (sidadm or any name) in AD Users and update service principal name same as SNC cert in Attribute Editor (SAP/ SNC certificate name) as per note 1696905 (Optional if you are using AD connection)
• ACL mode either 0 or whitelist hostname
• Update SNC0 with target system certificate details
• Update SM54 with the destination
• Verify SM30 VSNCSYSACL (I= internal and E= external) systems SNC cert name
• Create RFC with SNC config and test

Setup SNC in both systems

We will use SNCWIZARD for SNC setup

Check all SNC-related parameters below

In the below screen, it will give all your instance details which need to restart.

If you do not want to configure Kerberos credentials, choose Skip

We will use this cert for RFC communication

Strustsso2

Repeat the same steps in the target system

Check all SNC parameters in the default profile

snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/data_protection/max = 2
snc/data_protection/min = 1
snc/enable = 1
snc/gssapi_lib = $(SAPCRYPTOLIB)
snc/identity/as = SNC cer name
snc/permit_insecure_start = 1
spnego/enable = 1

Restart the application server

After restart check SNC status via SM51 SNC check

SNC certificate from both systems and map in strustsso2 (SNC SAPCryptolib)

Goto strustsso2:- below certificate generated during SNC setup. Click on edit and export below certificate as base64 and import into target system (Repeat same steps in target system)

ACL mode either 0 or whitelist hostname

Gateway ACL mode 0
The following values are possible:

0: There is no restriction with starting external servers or registering servers. This setting should not be used in production operations.

1: External and registered servers are only permitted within the system (application servers of the same system). All other servers are rejected or have to be maintained in the respective files.

The default value of the parameter is 1.

If you are using 1 then go to SMGW and allow the target hostname.

SMGW  Goto  expert functions  external security  maintain ACL list (secinfo and reginfo)

Update SNC0 with target system cert details

Update target system SID and SNC certificate details with p: (update SNC canonical name)
Active entry for RFC, entry for CPIC, Entry for the certificate (same on the target system)

The SNCSYSACL entries that you make using transaction SNC0 are saved as external RFC destinations (type = E). Internal destinations (type = I) are automatically generated and not shown in transaction SNC0.

Update SM54 with the destination

Update destination SID, login type I, and update target SNC cert name with p: It will update the VSNCSYSACL table.