This chapter describes how to enable the Access Enforcer, SAP, and SAP HR resource adapters to communicate with SAP systems securely using Secure Network Communications (SNC). You must obtain SECUDE Secure Login, a separate third-party product. For more information about this product, go to http://www.secude.com.
You must install this product and create a Personal Security Environment (PSE) for Identity Manager before you can enable SNC connections. Refer to the SECUDE Secure Login product documentation for information about accomplishing these tasks.
Perform the following tasks to enable SNC connections:
For SNC to operate properly, you must generate a credentials file named cred_v2, which is placed in the directory specified by the CREDDIR environment variable. Use the secude seclogin command to create the credentials contained in this file.
$ secude seclogin -p idm.pse -a "Identity Manager" -O OS_User -1
The -a "Identity Manager" argument is optional. The -O argument should be the name of the operating system user that will execute the application server.
SNC requires a certificate to configure a secure connection with the SAP system. This certificate can be obtained from the Identity Manager PSE. The certificate must be exported from the Identity Manager PSE and converted to a base64 encoding.
Use the following commands to obtain a base64-encoded certificate for use in the Identity Manager adapter configuration. The first command exports the certificate into a PKCS12 encoding. The second command converts this certificate into the required base64 encoding.
$ secude psemaint -p idm.pse export Cert PKCS12_File
$ secude encode -i 2048 PKCS12_File Base64_File
The certificate contained in the Identity Manager PSE was determined when the PSE was created. To obtain the distinguished name (DN) for Identity Manager from the PSE, use one of the following commands (the first on Solaris, Linux, AIX, and HP-UX; the second on Windows).
$ secude psemaint -p idm.pse show Cert 2>&1 | grep SubjectName
C:> secude psemaint -p idm.pse show Cert | findstr SubjectName
The DN for the SAP system is contained in the certificate that is installed on the SAP system. To obtain this DN, use the SAP GUI to log in to the SAP system, then:
Select the STRUST transaction.
Expand the SNC (SAP Cryptolib) node.
Select the SAP system certificate by double clicking it.
In the bottom pane on the right side, the Owner field is the DN.
Identity Manager’s application server must have the following environment variables defined. In addition, it must have read and write permissions to the directory specified by the CREDDIR variable.
CREDDIR=PathToPSELocation (all platforms)
LD_LIBRARY_PATH=PathToSecudeLibraries (Solaris and Linux only)
LIBPATH=PathToSecudeLibraries (AIX only)
SHLIB_PATH=PathToSecudeLibraries (HP-UX only)
PATH=PathToSecudeLibraries (Windows only)
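The following script is an added example and is not part of the original documentation or the SECUDE product. It checks, before the application server is started, that the environment described above is in place: that the library-path variable for the current platform is set, and that CREDDIR names a directory the current user can read and write which already holds the cred_v2 credentials file. The variable names and the cred_v2 file name come from this chapter; the function names and the uname mapping are this example's own assumptions, and it must be run as the operating system user that will execute the application server.

```shell
#!/bin/sh
# Added example (not from the original documentation). Pre-start checks for the
# SNC environment: library-path variable per platform, CREDDIR permissions,
# and presence of the cred_v2 file written by "secude seclogin".
# Function names and the uname -s mapping are this example's own assumptions.

# Print the name of the library-path variable the platform uses, given a
# "uname -s" value. Returns non-zero for a platform the chapter does not list.
snc_libpath_var() {
    case "$1" in
        SunOS|Linux)                   echo LD_LIBRARY_PATH ;;
        AIX)                           echo LIBPATH ;;
        HP-UX)                         echo SHLIB_PATH ;;
        CYGWIN*|MINGW*|MSYS*|Windows*) echo PATH ;;
        *) echo "unsupported platform: $1" >&2; return 1 ;;
    esac
}

# Check the credentials directory named in $1: it must be set, be a directory,
# be readable and writable by the current user, and contain cred_v2.
# Prints one line per problem; returns non-zero if anything is wrong.
snc_check_creddir() {
    dir="$1"
    rc=0
    if [ -z "$dir" ]; then
        echo "CREDDIR is not set"
        return 1
    fi
    [ -d "$dir" ] || { echo "CREDDIR '$dir' is not a directory"; return 1; }
    [ -r "$dir" ] || { echo "CREDDIR '$dir' is not readable by $(id -un)"; rc=1; }
    [ -w "$dir" ] || { echo "CREDDIR '$dir' is not writable by $(id -un)"; rc=1; }
    [ -f "$dir/cred_v2" ] || { echo "no cred_v2 in '$dir' (run secude seclogin first)"; rc=1; }
    return $rc
}

# Full check for the host this runs on: platform library path, then CREDDIR.
snc_env_check() {
    var=$(snc_libpath_var "$(uname -s)") || return 1
    eval "val=\$$var"
    if [ -z "$val" ]; then
        echo "$var is not set (it must include the SECUDE library directory)"
        return 1
    fi
    snc_check_creddir "$CREDDIR"
}

# Usage: source this file, then run "snc_env_check" as the application server
# user; a zero exit status means the environment matches the requirements.
```

Run the check under the same account that will start the application server, since the read and write tests reflect that user's permissions, not the administrator's.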
The SAP adapters require several resource parameters that must be configured for SNC to operate correctly. This step requires the Identity Manager certificate, the Identity Manager DN, and the SAP system DN.
SNC Protection Level. A number (1 to 9) that indicates the level of privacy. This value must match the value set on the SAP system.
SNC Name. The Identity Manager distinguished name (DN) prepended with p:. For example, p:CN=IdentityManager,OU=IDM,O=Example,C=US.
SNC Partner Name. The SAP DN, prepended with p:. For example, p:CN=SAPHost,OU=IDM,o=Example,c=us.
SNC X509 Certificate. Enter the Identity Manager certificate. You must delete the BEGIN and END CERTIFICATE lines and remove all newline characters.
SNC Library Path. The full path to the SNC cryptographic library file, including the file extension (.so, .a, or .dll).
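The following script is an added example and is not part of the original documentation or the SECUDE product. It prepares two of the resource parameter values above from the files produced earlier in this chapter: it turns the Base64_File written by secude encode into the single unbroken base64 string the SNC X509 Certificate parameter expects (BEGIN and END CERTIFICATE lines removed, all newlines and carriage returns stripped) and checks that the result is well-formed base64, and it adds the p: prefix to a DN for the SNC Name and SNC Partner Name parameters. The function names and the sample certificate file are this example's own constructions; the sample file contains a made-up base64 body, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the original documentation). Builds the "SNC X509
# Certificate", "SNC Name" and "SNC Partner Name" parameter values.
# Function names and the sample file contents are this example's own.

# Remove the BEGIN/END CERTIFICATE lines and every newline and carriage return
# from the base64 file named in $1, leaving one unbroken base64 string.
# The patterns tolerate Windows line endings, which tr then strips.
snc_cert_param() {
    sed -e '/-----BEGIN CERTIFICATE-----/d' \
        -e '/-----END CERTIFICATE-----/d' "$1" | tr -d '\r\n'
}

# Sanity-check a prepared value: non-empty, only base64 characters, and a
# length that is a multiple of 4. Returns non-zero if the value looks wrong.
snc_cert_param_ok() {
    v="$1"
    [ -n "$v" ] || return 1
    case "$v" in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    [ $(( ${#v} % 4 )) -eq 0 ]
}

# Prefix a DN with "p:" for the SNC Name / SNC Partner Name parameters,
# leaving a DN that already carries the prefix unchanged.
snc_name() {
    case "$1" in
        p:*) echo "$1" ;;
        *)   echo "p:$1" ;;
    esac
}

# Write a constructed sample of what Base64_File might look like to the file
# named in $1. The body is made-up base64 text, not a real certificate, and
# it uses CRLF line endings to show that the conversion handles them.
snc_write_sample_cert() {
    printf '%s\r\n' \
        '-----BEGIN CERTIFICATE-----' \
        'MIIBszCCARygAwIBAgIBATANBgkqhkiG9w0BAQsFADAS' \
        'MRAwDgYDVQQDDAdleGFtcGxl' \
        'ZQ==' \
        '-----END CERTIFICATE-----' > "$1"
}

# Usage: snc_cert_param Base64_File, then paste the printed value into the
# "SNC X509 Certificate" parameter; snc_name 'CN=...,C=US' for the SNC names.
```

Run snc_cert_param_ok on the value before pasting it into the adapter configuration; a stray space or a truncated copy of the base64 text is the usual reason an SNC handshake fails to find a usable certificate.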