Overview of Secure Network Communications for SAP

Secure Network Communication (SNC) is a software layer in the SAP System architecture that provides an interface to an external security product. SAP Systems provide basic security measures like SAP authorization and user authentication based on passwords.

With SNC you can include protection by an external security product. SNC provides application-level, end-to-end security. It secures all communications between two SNC-protected components. For example, between SAPGUI and a SAP System Application Server. SNC protection only applies to connections that use SAP protocols (dialog, RFC or CPIC protocols). For example, from a SAP Application System Server to an External RFC or CPIC program like SAP Java Connector.

SNC secures the data communication paths between the various SAP System components. There are three levels of security protection you can apply.

• Authentication only — When using the Authentication only protection level, the system verifies the identity of the communication partners. This is the minimum protection level offered by SNC.

• Integrity protection — When using Integrity protection, the system detects any changes or manipulation of the data which may have occurred between the two end points of a communication.

• Privacy protection — When using Privacy protection, the system encrypts the messages being transferred to make eavesdropping useless. Privacy protection also includes integrity protection of the data. This is the maximum level of protection provided by SNC.

Communication using Secure Network Communications

SNC protects the logical link between the end points of a communication. The link is initiated from one side (the initiator) and accepted by the other side (the acceptor). For example, when a SAPGUI starts a dialog with the SAP System, the SAPGUI is the initiator of the communication and the application server is the acceptor. Both sides of the communication link need to specify SNC options.

The initiator must specify:

• Whether the communication should use SNC protection.

• The SNC name of the communication partner (the target name).

• The location of its own external library.

• The data protection level to apply.

Table 1 SNC Parameters (Outbound)

The acceptor must specify:

• Whether or not it should only accept SNC-protected communications.

• Its own SNC name.

• The location of its own external library.

• The data protection levels to accept.

Table 2 SNC Parameters (Inbound)

When SNC is initialized, the system dynamically loads the functions provided by the external library. Afterwards, when two components communicate using SNC, the SNC layer first processes the messages being sent and then sends them over the network using the SAP Network Interface. During this step, the SNC layer uses the functions provided by the external library to process the messages accordingly (for example, to apply encryption). The SNC layer accesses the external library using the GSS-API V2 interface. After processing the messages, the system sends them over the SAP Network Interface in the usual manner. Upon receipt, the SAP System component receiving the messages applies the corresponding external library functions in a similar manner, but reverses the process (for example, decryption).

For example when secure network communication occurs between SAPGUI and the SAP Server (where SNC is already enabled) sapgui.exe hs0017 01 SNC_PARTNERNAME="p:CN=sap01.hs0017, OU=TEST01, O=SAP, C=DE" SNC_QOP=9 SNC_LIB="C:\SECUDE\LIB\SECUDE.DLL"

The connection is established to the application server hs0017. The application server's SNC name is: p:CN=sap01.hs0017, OU=TEST01, O=SAP, C=DE. The level of protection is 9, indicating that the maximum level of protection should be applied to the connection, and the shared library is located at: C:\SECUDE\LIB\SECUDE.DLL.