Configuring Secure Network Communications for SAP

Communication using Secure Network Communications

SNC protects the logical link between the end points of a communication. The link is initiated from one side (the initiator) and accepted by the other side (the acceptor). For example, when a SAPGUI starts a dialog with the SAP System, the SAPGUI is the initiator of the communication and the application server is the acceptor. Both sides of the communication link need to specify SNC options.

The initiator must specify:

Table 1–1 SNC Parameters (Outbound)

SNC_MODE
    Description: The SNC activation indicator.
    Value:       0 — Do not apply SNC to connections.
                 1 — Apply SNC to connections.

SNC_MYNAME
    Description: The initiator's SNC name.
    Value:       A valid SNC name.

SNC_PARTNERNAME
    Description: The communication partner's (acceptor's) SNC name.
    Value:       A valid SNC partner name.

SNC_QOP
    Description: The quality of protection level.
    Value:       One of the following values:
                 1 — Apply authentication only.
                 2 — Apply integrity protection (in addition to authentication).
                 3 — Apply privacy protection (in addition to integrity and authentication).
                 8 — Apply the default protection.
                 9 — Apply the maximum protection.

SNC_LIB
    Description: The external security product's library.
    Value:       The path and filename of the library.

The acceptor must specify:

Table 1–2 SNC Parameters (Inbound)

SNC_MYNAME
    Description: The acceptor's SNC name.
    Value:       A valid SNC name.

SNC_QOP
    Description: The quality of protection level.
    Value:       One of the following values:
                 1 — Apply authentication only.
                 2 — Apply integrity protection (in addition to authentication).
                 3 — Apply privacy protection (in addition to integrity and authentication).
                 8 — Apply the default protection.
                 9 — Apply the maximum protection.

SNC_LIB
    Description: The external security product's library.
    Value:       The path and filename of the library.

When SNC is initialized, the system dynamically loads the functions provided by the external library named in SNC_LIB. Afterwards, when two components communicate using SNC, the SNC layer first hands each outgoing message to the external library, which it accesses through the GSS-API V2 interface, so that the message is processed as the chosen quality of protection requires (for example, to apply encryption). The processed message is then sent over the SAP Network Interface in the usual manner. Upon receipt, the SAP System component receiving the message applies the corresponding external library functions in a similar manner, but reverses the process (for example, decryption). Because the library is loaded at run time from the path given in SNC_LIB, the library file and its directory must be protected against modification by anyone other than an administrator: whoever can replace that library controls the protection applied to every SNC connection that loads it.

For example, the following command starts a SAPGUI session using secure network communication to an SAP Server on which SNC is already enabled:

    sapgui.exe hs0017 01 SNC_PARTNERNAME="p:CN=sap01.hs0017, OU=TEST01, O=SAP, C=DE" SNC_QOP=9 SNC_LIB="C:\SECUDE\LIB\SECUDE.DLL"

The connection is established to the application server hs0017 (system number 01). The application server's SNC name is p:CN=sap01.hs0017, OU=TEST01, O=SAP, C=DE. The level of protection is 9, indicating that the maximum level of protection should be applied to the connection, and the shared library is located at C:\SECUDE\LIB\SECUDE.DLL.
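The following script, added here as an example and not SAP's own code, parses the SNC options from a sapgui command line such as the one above and checks them against Tables 1–1 and 1–2: it reports parameters the table requires but the command line does not supply, an SNC_MODE of 0, and a SNC_QOP that leaves the data unencrypted (levels 1 and 2). Run on the command line from the text, it reports that SNC_MODE and SNC_MYNAME are not given on that line; the second, complete command line and the SNC_MYNAME value in it are constructed for the example, and the check that names use the p: form is an assumption based on the name shown in the text.

```python
"""Parse and check SNC option sets for an initiator or an acceptor.

Added example (not SAP code): reads NAME=value tokens as they appear on the
sapgui command line in the text and checks them against the parameter tables.
"""
import re

# Quality-of-protection levels from the tables, with what each one applies
QOP_MEANING = {
    "1": "authentication only",
    "2": "integrity protection (in addition to authentication)",
    "3": "privacy protection (in addition to integrity and authentication)",
    "8": "default protection",
    "9": "maximum protection",
}
# Levels at which the SAP data itself travels unencrypted
UNENCRYPTED_QOP = {"1", "2"}

# Parameters each side must specify (Table 1-1 and Table 1-2)
REQUIRED = {
    "initiator": ("SNC_MODE", "SNC_MYNAME", "SNC_PARTNERNAME", "SNC_QOP", "SNC_LIB"),
    "acceptor": ("SNC_MYNAME", "SNC_QOP", "SNC_LIB"),
}

# NAME=value or NAME="value with spaces"; the quoted form keeps path backslashes
OPT_RE = re.compile(r'(SNC_[A-Za-z_]+)=(?:"([^"]*)"|(\S+))')


def parse_snc_options(cmdline):
    """Return {NAME: value} for every SNC_* option found in a command line."""
    opts = {}
    for m in OPT_RE.finditer(cmdline):
        name, quoted, bare = m.groups()
        opts[name.upper()] = quoted if quoted is not None else bare
    return opts


def check_snc_options(opts, role):
    """Return a list of findings for 'initiator' or 'acceptor' options.

    An empty list means every required parameter is present, SNC is switched
    on, and the chosen QOP encrypts the data on the wire.
    """
    findings = []
    for name in REQUIRED[role]:
        if name not in opts:
            findings.append(f"missing {name}")
    mode = opts.get("SNC_MODE")
    if mode is not None and mode not in ("0", "1"):
        findings.append(f"SNC_MODE={mode} is not a valid indicator")
    elif mode == "0":
        findings.append("SNC_MODE=0: SNC is not applied to connections")
    qop = opts.get("SNC_QOP")
    if qop is not None:
        if qop not in QOP_MEANING:
            findings.append(f"SNC_QOP={qop} is not a valid level")
        elif qop in UNENCRYPTED_QOP:
            findings.append(
                f"SNC_QOP={qop} ({QOP_MEANING[qop]}): data is not encrypted")
    # Assumption for this example: SNC names use the printable "p:" form seen
    # in the text; anything else is flagged for a closer look.
    for name in ("SNC_MYNAME", "SNC_PARTNERNAME"):
        value = opts.get(name)
        if value is not None and not value.startswith("p:"):
            findings.append(f"{name}={value!r} does not use the p: name form")
    return findings


# Command line from the text (initiator side)
PAGE_CMDLINE = (r'sapgui.exe hs0017 01 '
                r'SNC_PARTNERNAME="p:CN=sap01.hs0017, OU=TEST01, O=SAP, C=DE" '
                r'SNC_QOP=9 SNC_LIB="C:\SECUDE\LIB\SECUDE.DLL"')

# Constructed: the same connection with every Table 1-1 parameter given
# explicitly (the SNC_MYNAME value is invented for the example)
FULL_CMDLINE = (PAGE_CMDLINE + ' SNC_MODE=1 '
                r'SNC_MYNAME="p:CN=user01, OU=TEST01, O=SAP, C=DE"')


if __name__ == "__main__":
    for label, line in (("page example", PAGE_CMDLINE), ("complete", FULL_CMDLINE)):
        opts = parse_snc_options(line)
        print(label, opts)
        print("  findings:", check_snc_options(opts, "initiator") or "none")
```

The same check_snc_options function serves the acceptor side with role "acceptor", where only SNC_MYNAME, SNC_QOP and SNC_LIB are required; a server profile that sets SNC_QOP to 1 or 2 is reported because authentication or integrity alone leaves the SAP data readable on the wire.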