As of version 2022.15 (2022 QRC3), SAP Analytics Cloud (SAC) supports creating an import connection to SAP BW that uses Secure Network Communication (SNC) to encrypt communication between the cloud agent and SAP BW. SAP Note 3234061 describes the general steps to complete this configuration.
This blog records the detailed steps I followed to implement it in my internal test SAC tenant, Cloud Agent server and BW server. The whole scenario assumes SNC has already been enabled on the ABAP server side. If not, you may need to refer to KBA 2979858 first.
Also, all the steps below have so far only been verified in internal systems. Some of them could change in the future and you may need to adjust them according to your system conditions.
Disclaimer: All screenshots, commands and other information were taken from a sample test system and do not represent actual data (any resemblance as such is purely coincidental).
Let’s start now!
Step 1: Set up local SAP Crypto Libraries
First of all, we need to prepare the SAP Crypto Libraries on the machine where SAP Cloud Agent is running.
- Update SAC Cloud Agent to the newest version following this guide.
- Get SAP Crypto Libraries files by either of the two methods below:
- You can find them in the folder extracted from the downloaded SAC Cloud Agent above. The relative path is C4AAGENT355_0-80000881\win64_x64\tp.sap.cryptolib.
- Download SAP Crypto libraries following KBA 1954305.
- Or you can merge these files to avoid any potential issues 🙂
- Create a local directory to store the SAP Crypto libraries. (Here I use C:\Users\Administrator\Desktop\SAPCRYPTO)
- Copy all the files in Step 2 to this location (C:\Users\Administrator\Desktop\SAPCRYPTO)
- Create a sub-directory called “sec” (C:\Users\Administrator\Desktop\SAPCRYPTO\sec)
- Create a sub-directory called “cpic” (C:\Users\Administrator\Desktop\SAPCRYPTO\cpic)
- Create Windows system environment variables as below:

| Variable name | Variable value |
| --- | --- |
| SNC_LIB | C:\Users\Administrator\Desktop\SAPCRYPTO |
| SECUDIR | C:\Users\Administrator\Desktop\SAPCRYPTO\sec |
| CPIC_TRACE | C:\Users\Administrator\Desktop\SAPCRYPTO\cpic |
| CPIC_TRACE | 0 |
| CPIC_TRACE_DIR | C:\Users\Administrator\Desktop\SAPCRYPTO\cpic |

- Edit the Windows system environment variable Path and add the root directory containing your sapcrypto libraries (it is C:\Users\Administrator\Desktop\SAPCRYPTO in this case)
- Go to Windows Start Menu -> Tomcat configuration -> Log on. Then change/make sure the logon user is the OS Administrator (instead of LocalSystem).
- Reboot the whole OS to make sure all the changes can take effect.
Step 2: Generate PSE Certificates
- Open Windows Command Line and switch to the folder containing sapgenpse.exe (C:\Users\Administrator\Desktop\SAPCRYPTO in this case).
- Run the command sapgenpse gen_pse -v -p <NAME_OF_PSE>
- Change <NAME_OF_PSE> to the file name you want to assign to the PSE file. I will use CloudAgent.pse here.
- When prompted, provide a PSE PIN/Passphrase
- When prompted, provide a distinguished name for the server.
- Here I use CN=Cloud Agent.
- You can use DN of your server.
- When complete, the result should look similar to this and the pse file will be generated under the sec folder.
- Run command: sapgenpse export_own_cert -x <PSE PIN/Passphrase> -v -p <NAME_OF_PSE> -o <NAME_OF_CLIENT_CERT>
- Change <PSE PIN/Passphrase> to the password you just set.
- Change <NAME_OF_PSE> to the PSE file name above.
- Change <NAME_OF_CLIENT_CERT> to the file name you want to assign to the CRT file. I use the certificate name “CloudAgent.crt”.
- When complete, the results should look similar to this and the crt file should be generated in the root folder (C:\Users\Administrator\Desktop\SAPCRYPTO).
Step 3: Exchange Certificates
Importing the Cloud Agent certificate into the SAP BW Server
- Log into BW/ABAP and run STRUST transaction.
- Expand the “SNC (SAPCryptolib)” item and click Certificate > Import Certificate in the menu bar.
- Select the CRT that was created previously (CloudAgent.crt) and click the green checkmark to import.
- Click “Add to Certificate list” to add the certificate to the SAP PSE file.
Exporting SAP Certificate from SAP System
- Double-click the Subject DN in the “Own Certificate” section to actively select the certificate (it will change the details in the “Certificate” section).
- Click the “Export Certificate” button at the bottom.
- Provide a path and filename for the exported certificate (I named it G75.crt)
- Select “Base64” in the File Format section.
- Click the green checkmark to complete the export. Copy the file to the root folder (C:\Users\Administrator\Desktop\SAPCRYPTO).
- Back on the “Trust Manager” window, click the SAVE icon to commit all of the changes. (Do not forget this step!!!)
Adding SNC ACL Entry in SAP System
- Go to SNC0 and click “New Entries”.
- Provide a System ID (e.g CloudAgent)
- Provide the SNC name of the Cloud Agent certificate, starting with p: (It should be the value set in Step2.4 and it is p:CN=CloudAgent here).
- Check the “Entry for RFC activated,” “Entry for CPIC activated” and “Entry for ext. ID activated” boxes.
- Save it and the SNC data status box should change to “Canonical name defined”.
Complete the Trust relationship on the Cloud Agent server
- Open Windows Command Line and switch to the folder containing sapgenpse.exe (C:\Users\Administrator\Desktop\SAPCRYPTO in this case).
- Run sapgenpse maintain_pk -v -a <NAME_OF_SERVER_CERT> -p <NAME_OF_PSE>
- Change <NAME_OF_SERVER_CERT> to the file name of the certificate we just exported from BW. It is G75.crt here.
- Change <NAME_OF_PSE> to the PSE file we generated in Step 2.2 and it is CloudAgent.pse here.
- When prompted, provide the PSE PIN/Passphrase
- When completed, the results should appear similar to
- Run sapgenpse seclogin -x <PSE PIN/Passphrase> -p <NAME_OF_PSE>
- Currently you should run the Windows command line using the OS account that is used to start Tomcat.
- Change <PSE PIN/Passphrase> to the value you set in Step2.3.
- Change <NAME_OF_PSE> to the PSE file we generated in Step 2.2 and it is CloudAgent.pse here.
- Run sapgenpse get_my_name -p <NAME_OF_PSE>
- Run sapgenpse maintain_pk -l -p <NAME_OF_PSE>
- When completed, the results should appear similar to the screenshots below:
- Restart Tomcat.
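
A read-only check of the Cloud Agent host after Steps 1 to 3, added here as an example; it is not part of the original blog or of SAP's tooling. It assumes SNC_LIB points at the library folder as configured in Step 1, and the Tomcat service name Tomcat9 is a placeholder to replace with your own.

```powershell
# Added example: read-only checks on the Cloud Agent host after Steps 1-3.
param(
    [string]$PseName       = 'CloudAgent.pse',  # PSE file name used in this blog
    [string]$TomcatService = 'Tomcat9'          # assumption: replace with your Tomcat service name
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
}

# Machine-level values set in Step 1.
$sncLib  = [Environment]::GetEnvironmentVariable('SNC_LIB', 'Machine')
$secudir = [Environment]::GetEnvironmentVariable('SECUDIR', 'Machine')
$path    = [Environment]::GetEnvironmentVariable('Path', 'Machine')
Add-Check 'SNC_LIB set' ([bool]$sncLib) $sncLib
Add-Check 'SECUDIR set' ([bool]$secudir) $secudir

$sapgenpse = $null
if ($sncLib -and $secudir) {
    $dirs = @($path -split ';' | ForEach-Object { $_.TrimEnd('\') })
    Add-Check 'Library folder on Path' ($dirs -contains $sncLib.TrimEnd('\')) $sncLib
    foreach ($file in 'sapgenpse.exe', 'sapcrypto.dll') {
        Add-Check "$file present" (Test-Path (Join-Path $sncLib $file)) $sncLib
    }
    Add-Check 'PSE in SECUDIR' (Test-Path (Join-Path $secudir $PseName)) $PseName
    # sapgenpse seclogin stores the credential as cred_v2 in SECUDIR.
    Add-Check 'cred_v2 in SECUDIR' (Test-Path (Join-Path $secudir 'cred_v2')) 'written by seclogin'
    $sapgenpse = Join-Path $sncLib 'sapgenpse.exe'
}

# Step 1 asks for Tomcat to log on as an OS account rather than LocalSystem.
$svc = Get-CimInstance Win32_Service -Filter "Name='$TomcatService'"
if ($svc) {
    Add-Check 'Tomcat not LocalSystem' ($svc.StartName -ne 'LocalSystem') $svc.StartName
} else {
    Add-Check 'Tomcat service found' $false $TomcatService
}

$results | Format-Table -AutoSize

# Same listing commands as in Step 3; run this as the account that starts Tomcat.
if ($sapgenpse -and (Test-Path $sapgenpse)) {
    $env:SECUDIR = $secudir
    & $sapgenpse get_my_name -p $PseName
    & $sapgenpse maintain_pk -l -p $PseName
}
```

Any row with Ok = False points back to the step that set that value; the two sapgenpse listings should show the Cloud Agent's own name and the imported BW certificate.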
Step 4: Enable SNC support for SAC
- Log into SAC and go to System > Administration > Data Source Configuration.
- Create a new or edit an existing Cloud agent location.
- Enable the SNC support toggle.
- Enter the full path of the SAP crypto library on the Cloud agent system. In this blog, it is C:\Users\Administrator\Desktop\SAPCRYPTO\sapcrypto.dll
- Enter SNC name of Cloud agent. It is set in Step 3 > Adding SNC ACL Entry in SAP System > 3. It is p:CN=CloudAgent here.
- Enter SNC quality of protection or leave it as default.
- Go to SAC > Connections.
- Create new or edit existing BW Import connection.
- Select Cloud agent location that we just set to support SNC.
- Check Enable Secure Network Communication (SNC)
- Enter SNC name of the BW system. You can find it in the subject DN in STRUST or in the result of the command sapgenpse maintain_pk -v -a <NAME_OF_SERVER_CERT> -p <NAME_OF_PSE>. It is p:CN=G75 OU=XX C=XX here.
- Enter all other fields and create connection.
After that, you can create a model using this connection and see if it works now! If you have any questions, please leave a comment here!