Configuring Control-M for SAP to work with Secure Network Communications (SNC)
The configuration procedure is based on the following assumptions:
1. Control-M for SAP uses the SAP-provided crypto lib as the SNC implementation software library. The SAP server needs to be pre-configured with the SAP crypto lib.
2. Control-M for SAP uses 2 separate keys: one for the SAP server, and another for any Control-M for SAP that connects to this server.
Installing the SAP crypto lib on the Control-M/Agent account:
1. On UNIX, log in to the Agent account and execute the following command to create the SNC directory:
    mkdir -p $HOME/SNC/sec
2. On Windows, create the SNC\sec directory anywhere on the same computer where the Control-M/Agent resides, for example: c:\SNC\sec
3. Download the SAP crypto lib from https://support.sap.com/swdc
4. Extract the downloaded SAR/CAR file using the SAPCAR tool (also available from the SAP download site).
5. The extraction creates several sub-directories, each containing a different version of the lib, according to 32/64 bit and the specific OS version.
6. Copy the following files from the temporary location as follows:
Configuring the SNC protocol on UNIX and Windows:
There are 2 configuration types:
1. The first client, which creates a distinguished key to be exported to the Server.
2. Additional clients, which use the key already created by the first client.
1. First client configuration:
1.8. SAP server side actions:
1.8.1. Import the client’s certificate file into the SAP Server:
1.8.1.1. Copy the bmc.crt file to a workstation with SAP Logon GUI and log on to SAP.
1.8.1.2. Run transaction strustsso2.
1.8.1.3. Select the SNC (SAP Cryptolib) container on the left menu.
1.8.1.4. From the menu bar, select Certificate->import, select BASE64 file format and import the file bmc.crt. Click “Add to Certificate List”.
1.8.1.5. Click Save.
1.8.2. Adding the client distinguished name into tables usraclext and vsncsysacl:
1.8.2.1. Run transaction sm30.
1.8.2.2. Select table vsncsysacl, and then click Maintain.
1.8.2.3. Select E for entry.
1.8.2.4. Type the SNC name p:<distinguished name (which you previously created at the client)> (for example: p: CN=CONTROLM_AGENT ,OU=BPM,O=BMC,C=IL) and select the RFC checkbox.
1.8.2.5. Click Save.
1.8.2.6. Go back to transaction sm30.
1.8.2.7. Select table usraclext, and then click Maintain.
1.8.2.8. In the field userid, type * or a specific user name. If the user id is *, and you are using JCO ver 3.0.14 or later, you need to have Control-M for SAP v9.0.01.012 or later, and do the following:
1.8.2.9. In the SNC Name field, type p:<distinguished name (which you previously created at the client)> (for example: p: CN=CONTROLM_AGENT ,OU=BPM,O=BMC,C=IL)
1.8.2.10. Click Save.
1.8.3. Creating the SAP server certificate file:
1.8.3.1. Run transaction strustsso2.
1.8.3.2. Select the SNC container. Double-click the owner certificate entry and make sure the certificate details are shown in the certificate table.
1.8.3.3. Select Export to File (for example <SID>.crt).
1.9. Importing the SAP server certificate to the client:
1.9.1. UNIX:
1.9.1.1. Copy the SAP server certificate file from the workstation with SAP GUI to the following location on the client’s computer: <SECUDIR value location>/<SID>.crt
1.9.1.2. Change directory to the SECUDIR value location and run the following command:
    ./sapgenpse maintain_pk -a <SID>.crt -p bmc.pse
1.9.2. Windows:
1.9.2.1. Copy the SAP server certificate file from the workstation with SAP GUI to the following location on the client’s computer: <SECUDIR value location>\<SID>.crt
1.9.2.2. Change directory to the SECUDIR value location and run the following command:
    sapgenpse maintain_pk -a <SID>.crt -p bmc.pse
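Step 1.9 adds the server certificate to the client PSE's trusted list, so for the UNIX import in 1.9.1 it helps to confirm that the copied <SID>.crt is the file exported in 1.8.3 before importing it. The script below is an added example, not part of the BMC procedure or of SAP's tooling; it assumes GNU base64, sha256sum and mktemp are available and that the SHA-256 fingerprint of the exported file was recorded separately on the exporting workstation, and its function names are illustrative.

```shell
#!/bin/sh
# Added example (not BMC or SAP code): check <SID>.crt before trusting it.

# Print the SHA-256 fingerprint (lowercase hex) of a Base64 certificate file.
# The fingerprint is the hash of the DER bytes, i.e. the decoded Base64 body.
cert_sha256() {
    [ -r "$1" ] || return 2
    der=$(mktemp) || return 2
    # Drop BEGIN/END marker lines and CR/whitespace, then decode to a temp file.
    if grep -v '^-----' "$1" | tr -d ' \t\r\n' | base64 -d >"$der" 2>/dev/null \
        && [ -s "$der" ]; then
        sha256sum "$der" | cut -d' ' -f1
        rc=0
    else
        rc=2    # not Base64, or empty: refuse to fingerprint
    fi
    rm -f "$der"
    return "$rc"
}

# Succeed only if the file's fingerprint equals the expected one.
# Accepts "AA:BB:..." or plain hex, in either case.
fingerprint_matches() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    got=$(cert_sha256 "$1") || return 2
    [ -n "$want" ] && [ "$got" = "$want" ]
}

# usage: import_server_cert <SID>.crt <expected-sha256> [pse-file]
# Run from the SECUDIR value location, as in step 1.9.1.2.
import_server_cert() {
    crt=$1; expected=$2; pse=${3:-bmc.pse}
    if ! fingerprint_matches "$crt" "$expected"; then
        echo "fingerprint check failed for $crt; not importing" >&2
        return 1
    fi
    # Same import command as the procedure, then list the PSE's trusted
    # certificates so the new entry can be confirmed.
    ./sapgenpse maintain_pk -a "$crt" -p "$pse" &&
        ./sapgenpse maintain_pk -l -p "$pse"
}

if [ "$#" -ge 2 ]; then
    import_server_cert "$@"
fi
```

Running cert_sha256 on the exported file at the workstation and again on the copy in SECUDIR gives the two values to compare.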
2. Additional clients configuration:
Configuring the Control-M for SAP account to use SNC:
1 Open the relevant Control-M for SAP Connection Profile from the Control-M Configuration Manager.
2 Enable SNC on an existing profile, as follows:
2.1 Display the profile details.
2.2 From the Logon Type tab, select the Activate Secured Network Communication checkbox.
2.3 Select the SNC details tab.
2.4 Fill in the following fields:
2.4.1 SNC Partner name: The SNC name of the application server (REQUIRED)
2.4.2 SNC lib: The full path and file name of the SAP crypto lib on the client (REQUIRED)
2.4.3 Quality of protection (protection level): Select a value from the drop-down list.
2.4.4 SNC My name: SNC name of the user sending the RFC. Optional. Default: The name provided by the security product for the logged-on user.
2.5 Click OK to save the new account.
3 Enable SNC on a new account, as follows:
3.1 Click on the Add account icon.
3.2 On the Set Logon Type step, select the Activate Secured Network Communication checkbox.
3.3 Advance to the SNC details step.
3.4 Fill in the following fields:
3.4.1 SNC Partner name: The SNC name of the application server (REQUIRED)
3.4.2 SNC lib: The full path and file name of the SAP crypto lib on the client (REQUIRED)
3.4.3 Quality of protection (protection level): Select a value from the drop-down list.
3.4.4 SNC My name: SNC name of the user sending the RFC. (OPTIONAL)