Sun Identity Manager 8.1 Resources Reference

Chapter 54 Enabling Secure Network Communications (SNC) Connections

This chapter describes how to enable the Access Enforcer, SAP, and SAP HR resource adapters to communicate with SAP systems securely using Secure Network Communications (SNC). SNC support in these adapters depends on SECUDE Secure Login, a separate third-party product that you must obtain from SECUDE. For more information about this product, see the SECUDE web site.

You must install SECUDE Secure Login and create a Personal Security Environment (PSE) for Identity Manager before you can enable SNC connections. Refer to the SECUDE Secure Login product documentation for information about accomplishing these tasks.

Perform the following tasks, described in the sections below, to enable SNC connections:

  1. Create the credentials for the SNC communication.

  2. Obtain a certificate for Identity Manager.

  3. Obtain the Distinguished Name (DN) for Identity Manager.

  4. Obtain the Distinguished Name (DN) for the SAP system.

  5. Configure the Identity Manager application server.

  6. Configure the adapter.

Create the Credentials for the SNC Communication

For SNC to operate properly, you must generate a credentials file named cred_v2 in the directory specified by the CREDDIR environment variable. The secude seclogin command creates the credentials contained in this file from the Identity Manager PSE.

$ secude seclogin -p idm.pse -a "Identity Manager" -O OS_User -1

The -a “Identity Manager” argument is optional. The -O argument must name the operating system user that runs the application server: the credentials in cred_v2 allow processes running as that user to open the PSE without entering its PIN, so the file and its directory must not be readable by any other user.

Obtain a Certificate for Identity Manager

SNC requires Identity Manager’s own certificate to configure a secure connection with the SAP system. This certificate is held in the Identity Manager PSE; it must be exported from the PSE and converted to base64 encoding before it can be entered in the adapter configuration.

Use the following commands to obtain a base64-encoded certificate for use in the Identity Manager adapter configuration. The first command exports the certificate into a PKCS12 encoding. The second command converts this certificate into the required base64 encoding.

$ secude psemaint -p idm.pse export Cert PKCS12_File
$ secude encode -i 2048 PKCS12_File Base64_File

Obtain the Distinguished Name (DN) for Identity Manager

The DN of the certificate contained in the Identity Manager PSE was set when the PSE was created. To read the DN back from the PSE, use one of the following commands.

On Solaris, Linux, AIX, and HP-UX:

$ secude psemaint -p idm.pse show Cert 2>&1 | grep SubjectName

On Windows:

C:> secude psemaint -p idm.pse show Cert | findstr SubjectName

Obtain the Distinguished Name (DN) for the SAP System

The DN for the SAP system is contained in the certificate that is installed on the SAP system. To obtain this DN, use the SAP GUI to log in to the SAP system and follow the procedure below.

Procedure: Obtaining the DN for the SAP System

  1. Select the STRUST transaction.

  2. Expand the SNC (SAP Cryptolib) node.

  3. Select the SAP system certificate by double clicking it.

  4. In the bottom pane on the right side, the Owner field is the DN.

Configure the Identity Manager Application Server

Identity Manager’s application server must have the following environment variables defined. In addition, the operating system user that runs the application server must have read and write permissions to the directory specified by the CREDDIR variable. Because the cred_v2 file in that directory allows the PSE to be opened without its PIN, do not grant any other user access to the directory.

CREDDIR=PathToPSELocation (all platforms)

SNC_LIB=PathToSecudeLibrary/secude_library (all platforms)

LD_LIBRARY_PATH=PathToSecudeLibraries (Solaris and Linux only)

LIBPATH=PathToSecudeLibraries (AIX only)

SHLIB_PATH=PathToSecudeLibraries (HP-UX only)

PATH=PathToSecudeLibraries (Windows only)
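The following POSIX shell script is an added example and is not part of the Sun Identity Manager product or of the SECUDE tools. Run it as the application server’s operating system user before starting the server: it checks that the variables listed above are set consistently and that cred_v2 and CREDDIR carry the ownership and permissions the credentials require. It assumes cred_v2 was created as described earlier in this chapter and that the platform’s library search variable (LD_LIBRARY_PATH, LIBPATH, SHLIB_PATH or PATH) is set in the same shell. The function names check_snc_env, mode_string, owner_of and lib_path_var are invented for this example.

```shell
#!/bin/sh
# check_snc_env: sanity-check the SNC runtime environment of the Identity Manager
# application server before starting it. Added example; it only inspects files and
# variables and never invokes secude. Assumes CREDDIR, SNC_LIB and the platform's
# library search variable are set in the calling shell. Returns 0 when every check
# passes and 1 otherwise, printing one line per failure.

# mode_string FILE -> the 10-character permission field of "ls -ld" (type + rwx x3).
# ls is used instead of stat because stat's options differ across Solaris, Linux,
# AIX and HP-UX.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# owner_of FILE -> owner user name as reported by "ls -ld"
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# lib_path_var -> name of the shared-library search variable for this platform,
# following the per-OS table in this chapter.
lib_path_var() {
    case "$(uname -s)" in
        AIX)                  echo LIBPATH ;;
        HP-UX)                echo SHLIB_PATH ;;
        CYGWIN*|MINGW*|MSYS*) echo PATH ;;              # Windows shells
        *)                    echo LD_LIBRARY_PATH ;;   # Solaris, Linux
    esac
}

check_snc_env() {
    rc=0

    # 1. CREDDIR must name an existing directory; nothing else can be checked without it.
    if [ -z "${CREDDIR:-}" ] || [ ! -d "$CREDDIR" ]; then
        echo "FAIL: CREDDIR is unset or not a directory: '${CREDDIR:-}'"
        return 1
    fi

    # 2. The credentials file written by "secude seclogin" must be present.
    cred="$CREDDIR/cred_v2"
    if [ ! -f "$cred" ]; then
        echo "FAIL: $cred not found; run 'secude seclogin -p idm.pse -O <user>' first"
        rc=1
    else
        # 3. cred_v2 lets any process running as its owner open the PSE without a PIN,
        #    so it must be owned by the server's OS user (the -O user) and be closed to
        #    group and others: positions 5-10 of the mode string must all be '-'.
        me=$(id -un)
        if [ "$(owner_of "$cred")" != "$me" ]; then
            echo "FAIL: $cred is owned by $(owner_of "$cred"), expected $me"
            rc=1
        fi
        case "$(mode_string "$cred")" in
            ????------) ;;
            *) echo "FAIL: $cred is accessible by group or others: $(mode_string "$cred")"; rc=1 ;;
        esac
    fi

    # 4. The server needs read and write access to CREDDIR; nobody else should be
    #    able to list or modify it.
    case "$(mode_string "$CREDDIR")" in
        ?rw?------) ;;
        *) echo "FAIL: $CREDDIR must be rwx for its owner only: $(mode_string "$CREDDIR")"; rc=1 ;;
    esac

    # 5. SNC_LIB must point at the SECUDE library file itself, not at its directory.
    if [ -z "${SNC_LIB:-}" ] || [ ! -f "$SNC_LIB" ]; then
        echo "FAIL: SNC_LIB is unset or not a regular file: '${SNC_LIB:-}'"
        rc=1
    else
        # 6. The directory holding the library must be an element of the platform's
        #    search path, or the RFC layer cannot load it at run time.
        var=$(lib_path_var)
        eval "search=\${$var:-}"
        libdir=$(dirname "$SNC_LIB")
        case ":$search:" in
            *":$libdir:"*) ;;
            *) echo "FAIL: $libdir is not on $var ('$search')"; rc=1 ;;
        esac
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: SNC environment looks consistent"
    fi
    return "$rc"
}

# Usage: source this file in the server's start-up shell, then run check_snc_env
# and refuse to start the application server when it returns non-zero.
```

The permission checks deliberately inspect the mode string rather than attempting to open the file, because a check run as the server user would succeed even when the file is also readable by others; it is the exposure to other users that the check is meant to catch.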

Configure the Adapter

The SAP adapters require several resource parameters that must be configured for SNC to operate correctly. This step requires the Identity Manager certificate, the Identity Manager DN, and the SAP system DN.