Configuring Secure Network Communications for SAP (Java CAPS Documentation)

Configuring Secure Network Communications for SAP

Overview of Secure Network Communications for SAP

Communication using Secure Network Communications

Configuring the SAP Server and Java CAPS

Setting up Secure Network Communications on the SAP Server

To Install the SAP Cryptographic Library

To Create the PSE for the Server

To Set Additional Parameters

Profile Parameter Settings on the Gateway

To Create the for the Client

Using Secure Network Communications in Java CAPS

To Create a SAP BAPI OTD Using Secure Network Communications

To Create a SAP IDOC OTD Using Secure Network Communications

Specifying SAP BAPI Outbound Properties

Specifying SAP BAPI Inbound Properties

Overview of Secure Network Communications for SAP

Secure Network Communication (SNC) is a software layer in the SAP System architecture that provides an interface to an external security product. SAP Systems provide basic security measures like SAP authorization and user authentication based on passwords.

With SNC you can add protection from an external security product. SNC provides application-level, end-to-end security. It secures all communications between two SNC-protected components, for example, between SAPGUI and a SAP System Application Server. SNC protection applies only to connections that use SAP protocols (dialog, RFC or CPIC protocols), for example, from a SAP Application System Server to an external RFC or CPIC program like SAP Java Connector.

SNC secures the data communication paths between the various SAP System components. There are three levels of security protection you can apply.

Communication using Secure Network Communications

SNC protects the logical link between the end points of a communication. The link is initiated from one side (the initiator) and accepted by the other side (the acceptor). For example, when a SAPGUI starts a dialog with the SAP System, the SAPGUI is the initiator of the communication and the application server is the acceptor. Both sides of the communication link need to specify SNC options.

The initiator must specify:

Table 1 SNC Parameters (Outbound)

| Name | Description | Value |
|---|---|---|
| SNC_MODE | The SNC activation indicator. | 0: Do not apply SNC to connections. 1: Apply SNC to connections. |
| SNC_MYNAME | The Initiator's SNC name. | A valid SNC name. |
| SNC_PARTNERNAME | The communication partner's SNC name. | A valid SNC partner's name. |
| SNC_QOP | The quality of protection level. | Enter one of the following values: 1: Apply authentication only. 2: Apply integrity protection (authentication). 3: Apply privacy protection (integrity and authentication). 8: Apply the default protection. 9: Apply the maximum protection. |
| SNC_LIB | The external security product's library. | The path and filename of the library. |

The acceptor must specify:

Table 2 SNC Parameters (Inbound)

| Name | Description | Value |
|---|---|---|
| SNC_MYNAME | The Acceptor's SNC name. | A valid SNC name. |
| SNC_QOP | The quality of protection level. | Enter one of the following values: 1: Apply authentication only. 2: Apply integrity protection (authentication). 3: Apply privacy protection (integrity and authentication). 8: Apply the default protection. 9: Apply the maximum protection. |
| SNC_LIB | The external security product's library. | The path and filename of the library. |

When SNC is initialized, the system dynamically loads the functions provided by the external library. Afterwards, when two components communicate using SNC, the SNC layer first processes the messages being sent and then sends them over the network using the SAP Network Interface. During this step, the SNC layer uses the functions provided by the external library to process the messages accordingly (for example, to apply encryption). The SNC layer accesses the external library using the GSS-API V2 interface. After processing the messages, the system sends them over the SAP Network Interface in the usual manner. Upon receipt, the SAP System component receiving the messages applies the corresponding external library functions in a similar manner, but reverses the process (for example, decryption).

For example, when secure network communication occurs between SAPGUI and the SAP Server (where SNC is already enabled), SAPGUI is started as follows:

    sapgui.exe hs0017 01 SNC_PARTNERNAME="p:CN=sap01.hs0017, OU=TEST01, O=SAP, C=DE" SNC_QOP=9 SNC_LIB="C:\SECUDE\LIB\SECUDE.DLL"

The connection is established to the application server hs0017. The application server's SNC name is: p:CN=sap01.hs0017, OU=TEST01, O=SAP, C=DE. The level of protection is 9, indicating that the maximum level of protection should be applied to the connection, and the shared library is located at: C:\SECUDE\LIB\SECUDE.DLL.
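The following added example (not part of the original documentation or of any SAP tool) audits an initiator's parameter string against Table 1: it reports missing parameters, values the table does not list, and SNC_QOP levels that omit privacy protection. The function names and the sample strings are assumptions constructed for illustration, using the `NAME=value` syntax of the SAPGUI command above.

```python
import re

# Required names and allowed values are taken from Table 1 (Outbound).
REQUIRED = ("SNC_MODE", "SNC_MYNAME", "SNC_PARTNERNAME", "SNC_QOP", "SNC_LIB")
QOP_LEVELS = {"1": "authentication only", "2": "integrity protection",
              "3": "privacy protection", "8": "default protection",
              "9": "maximum protection"}
# NAME=value or NAME="quoted value"; quoted values may hold spaces and '='.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_params(text):
    """Split NAME=value pairs into a dict keyed by upper-case name."""
    return {m.group(1).upper(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(text)}


def audit_initiator(text):
    """Return a list of findings for one initiator parameter string."""
    params = parse_params(text)
    findings = [f"missing {name}" for name in REQUIRED if not params.get(name)]
    mode = params.get("SNC_MODE")
    if mode == "0":
        findings.append("SNC_MODE=0: SNC is not applied to the connection")
    elif mode is not None and mode != "1":
        findings.append(f"SNC_MODE={mode}: not a value listed in Table 1")
    qop = params.get("SNC_QOP")
    if qop is not None and qop not in QOP_LEVELS:
        findings.append(f"SNC_QOP={qop}: not a value listed in Table 1")
    elif qop in ("1", "2"):
        findings.append(f"SNC_QOP={qop}: {QOP_LEVELS[qop]}, no privacy protection")
    elif qop == "8":
        findings.append("SNC_QOP=8: level depends on the configured default")
    return findings


# Constructed samples; SNC names and library path are modelled on the page's example.
SAMPLES = {
    "max": 'SNC_MODE=1 SNC_MYNAME="p:CN=client01, OU=TEST01, O=SAP, C=DE" '
           'SNC_PARTNERNAME="p:CN=sap01.hs0017, OU=TEST01, O=SAP, C=DE" '
           r'SNC_QOP=9 SNC_LIB="C:\SECUDE\LIB\SECUDE.DLL"',
    "weak": 'SNC_MODE=1 SNC_MYNAME="p:CN=client01, O=SAP, C=DE" SNC_QOP=1',
    "off": 'SNC_MODE=0 SNC_QOP=7',
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, audit_initiator(text) or "ok")
```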