This article details the steps to configure a Secure Network Communications (SNC) connection between a Syniti Replicate Server installed on MS Windows and an SAP ECC or S/4HANA server. This is an advanced topic, and an experienced SAP Basis resource will be required.
You can download a complete guide for Data Replication from SAP Systems using RFC.
The SAP side of the configuration is typically the responsibility of the SAP Basis team. The steps for configuring different versions of SAP may differ, so the steps below are intended for guidance only.
NOTE: The SAP server must have SNC enabled.
Download and Extract the Files
To download and extract the files:
1. Retrieve the SAP Cryptographic Library files. The latest version can be downloaded from the SAP Marketplace. Download:
- SAPCAR.EXE - Utility to uncompress .SAR files
- SAPCRYPTOLIBP_<version number>.SAR - Compressed file with the SAP crypto library, for example SAPCRYPTOLIBP_8536-20011729.SAR
2. On the Replicate server, create a folder for the Cryptographic Library, for example C:\SAP_SNC
3. Copy the files downloaded in step 1 to this folder
4. Extract the files from the .SAR file by executing the SAPCAR application. Open a command prompt with Administrator privileges
5. Move to the C:\SAP_SNC folder and run the following command:
sapcar -xvf SAPCRYPTOLIBP_8536-20011729.sar
NOTE: Eight files are extracted, including the sapcrypto.dll and sapgenpse.exe.
Add System Environment Variables
You must be an Administrator on the Replicate server to perform this action.
To add the environment variables:
1. Add a System environment variable named SECUDIR with a value of the folder path where the SAP Cryptographic Library files have been extracted. The screenshot below shows an example where the files were extracted to C:\SAP_SNC
2. Add another System environment variable named SNC_LIB with a value of the SAP Cryptographic Library full path, for example C:\SAP_SNC\sapcrypto.dll
If the Replicate services or applications were active during the creation of the environment variables, restart them to read the newly created variables.
Generate the Personal Security Environment and Certificate
As a prerequisite to configuring an SAP NetWeaver connection, the Replicate application server must have a Personal Security Environment (PSE) with a certificate accepted by the SAP server.
To generate the PSE and the certificate:
1. At the command prompt, run the following command to generate the PSE on the SST server:
sapgenpse gen_pse -v -p C:\SAP_SNC\RFC.pse
NOTE: Replace C:\SAP_SNC\ in the above command with your file path if it is different.
2. The process prompts you for a PIN code. A password is not required. Either:
- Do not enter a PIN and press the Enter key
- Enter a PIN, and note it as it will be needed again
3. The process prompts ‘get_pse: Distinguished name of PSE owner’. Enter:
CN=ServerName
where ServerName is a name to identify the SST server in SAP, for example CN=RepProd.
NOTE: As a result of this command, an RFC.pse file is created in the SECUDIR folder.
4. At the command prompt, run the following command to generate the SST server certificate:
sapgenpse export_own_cert -v -p C:\SAP_SNC\RFC.pse -o C:\SAP_SNC\RFC.crt
NOTE: Replace C:\SAP_SNC\ in the above command with your file path if it is different.
NOTE: As a result of this command, the RFC.crt certificate file is created.
Import the Certificate to the Server and Client PSEs
To continue setting up the SNC connection, import the certificate into the Server and the Client Personal Security Environments (PSEs).
To import the certificate into the Server PSE:
1. Navigate to the SAP System that Replicate should connect to via SNC
2. Open the STRUST transaction
3. Expand the SNC SAPCryptolib folder in the left panel and click the node below it
NOTE: You may be asked for a password to proceed.
4. Click the Import Certificate button, which is to the left of the Add to Certificate List button; a pop-up opens
5. Select your certificate file RFC.crt and click the Continue button. The certificate data displays
6. Click the Add to Certificate List button. The certificate displays in the Certificate List
NOTE: If the Add to Certificate List button is disabled, click the Display <-> Change button in the upper left corner to review the settings
7. Click the Save button (Ctrl + S).
Next, import the Server Certificate to the Client PSE:
1. Still in the STRUST transaction on the SNC SAPCryptolib folder, double-click the Own Certificate Subject in the upper part of the screen, as shown in the screenshot below
The Own Certificate data displays.
2. Click the Export Certificate button.
3. Assign a name to the exported certificate that identifies the SAP System where the certificate came from.
4. Select the Base64 option and click Continue (F8).
5. Open a command prompt, move to the SECUDIR folder, and execute the following command:
sapgenpse maintain_pk -v -a <full path and name of certificate> -p <full path and name of environment>
For example:
sapgenpse maintain_pk -v -a C:\SAP_SNC\RQ1.crt -p C:\SAP_SNC\RFC.pse
A message similar to this one displays:
Adding new certificate from file "[YourCertificate]"
The certificate downloaded from SAP has been incorporated into your PSE environment.
Create the Credentials File
Using the commands in this section, you can create the cred_v2 file that contains the secure credentials used in the SNC connections between Replicate and SAP. The cred_v2 file must be created in the SECUDIR directory (to continue the example from above, C:\SAP_SNC). The operating system users that run the Replicate Service and Application must have entries in the file.
To generate the file and grant access to the users, the following command must be run from a command prompt with Administrator privileges:
sapgenpse seclogin -p RFC.pse -O <User>
The command must be run for each user that needs to have access. For example, if the Replicate services are run by the LocalAccount or NetworkServices, the following commands should be executed:
sapgenpse seclogin -p C:\SAP_SNC\RFC.pse -O Administrator
sapgenpse seclogin -p C:\SAP_SNC\RFC.pse -O System
sapgenpse seclogin -p C:\SAP_SNC\RFC.pse -O NetworkService
If Windows user Bob is running the Replicate Management Center, he must also be added:
sapgenpse seclogin -p C:\SAP_SNC\RFC.pse -O Bob
The tool will ensure that a valid Windows user and the correct Domain and Username are added. Upon completion, this message displays:
D:\snc_lib>sapgenpse seclogin -p RFC.pse -O Bob
running seclogin with USER="Bob"
creating credentials for user "WIN-S4DMXYZ\Bob" (yourself)...
Adjusting credentials and PSE ACLs to include " WIN-S4DMXYZ\Bob"...
d:\snc_lib\cred_v2 ... ok.
d:\snc_lib\RFC.pse ... ok.
Added SSO-credentials for PSE "d:\snc_lib\RFC.pse"
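A read-only check of the result of the steps above, as an added example that is not part of the original article or of the Syniti or SAP tooling: it confirms that SECUDIR and SNC_LIB are set at System scope and reports any Allow entries on RFC.pse or cred_v2 for broad Windows groups. The function name Test-SncSetup and the choice of groups to flag are assumptions of this example.

```powershell
# Added example: read-only preflight for the SNC files and variables set up above.
# Test-SncSetup and the list of "broad" groups are assumptions of this example.
function Test-SncSetup {
    param([string]$PseName = 'RFC.pse')
    $findings = @()

    # Read the System (machine-scope) values, which services pick up after a restart.
    $secudir = [Environment]::GetEnvironmentVariable('SECUDIR', 'Machine')
    $sncLib  = [Environment]::GetEnvironmentVariable('SNC_LIB', 'Machine')

    if (-not $sncLib) {
        $findings += 'SNC_LIB is not set as a System variable'
    } elseif (-not (Test-Path -LiteralPath $sncLib -PathType Leaf)) {
        $findings += "SNC_LIB points to a missing file: $sncLib"
    }
    if (-not $secudir -or -not (Test-Path -LiteralPath $secudir -PathType Container)) {
        $findings += "SECUDIR is not set or is not a folder: '$secudir'"
        return $findings   # the file checks below need a valid SECUDIR
    }

    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
    $broad   = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($name in $PseName, 'cred_v2') {
        $path = Join-Path $secudir $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $findings += "$name not found in $secudir"
            continue
        }
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $sid = $ace.IdentityReference.Translate($sidType).Value }
            catch { continue }   # account could not be resolved to a SID
            if ($broad -contains $sid) {
                $findings += "$name grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
            }
        }
    }
    return $findings
}

$result = Test-SncSetup
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'SNC preflight: no findings' }
```

Run it from an elevated PowerShell session after the seclogin commands; a finding on RFC.pse or cred_v2 means the file is accessible beyond the accounts registered with seclogin.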
SNC Configuration in SAP
Using transaction snc0, add an entry for the Replicate server. System ID is the Replicate server’s hostname and SNC Name is the Distinguished name of PSE owner from the step Generate the Personal Security Environment above.
Configuring a NetWeaver Connection to use SNC
Follow the instructions here to create a NetWeaver connection.
A basic connection uses the following connection properties.
Under the Advanced -> Security section of the connection, SNC can be configured. In the basic example below SNC Partner name is obtained from the SAP system and prefixed with p:. If SNC Name is empty, User and Password are used.
Note that using SNC Name is an advanced option requiring additional SAP configuration. SNC Name is configured for SAP logons in the SAP system.