Configuring Control-M for SAP to work with Secure Network Communications (SNC).
The configuration procedure is based on the following assumptions:
1. Control-M for SAP uses the SAP-provided crypto lib as the SNC implementation library. The SAP server must already be configured with the SAP crypto lib.
2. Control-M for SAP uses 2 separate keys, one for the SAP server, and another for any Control-M for SAP that connects to this server.
Installing the SAP crypto lib on the Control-M/Agent account:
1. On UNIX, log in to the agent account and execute the following command to create the SNC directory: mkdir -p $HOME/SNC/sec
2. On Windows, create the SNC\sec directory anywhere on the same computer where the Control-M/Agent resides, for example: c:\SNC\sec
3. Download the sap crypto lib from https://support.sap.com/swdc
4. Extract the downloaded SAR/CAR file using the SAPCAR tool (also available from the SAP download site).
5. The extraction creates several sub-directories, which all contain different versions of the lib, according to 32/64 bit and the specific OS version.
6. Copy the following files from the temporary location as follows:
Configuring the SNC protocol on UNIX and Windows:
There are 2 configuration types:
1. The first client, which creates a distinguished key to be exported to the Server.
2. Additional clients, which use the key already created by the first client.
1. First client configuration:
1.8. SAP server side actions:
1.8.1. Import the client’s certificate file into the SAP Server:
1.8.1.1. Copy the bmc.crt file to a workstation with SAP Logon GUI and log on to SAP
1.8.1.2. Run transaction strustsso2
1.8.1.3. Select the SNC (SAP Cryptolib) container on the left menu
1.8.1.4. From the menu bar, select Certificate->import, select BASE64 file format and import the file bmc.crt. Click “Add to Certificate List”
1.8.1.5. Click Save
1.8.2. Adding the client distinguished name to tables usraclext and vsncsysacl:
1.8.2.1. Run transaction sm30
1.8.2.2. Select table vsncsysacl, and then click Maintain.
1.8.2.3. Select E for entry
1.8.2.4. Type the SNC name p:<distinguished name (which you previously created at the client)> (for example: p: CN=CONTROLM_AGENT ,OU=BPM,O=BMC,C=IL) and select the RFC checkbox.
1.8.2.5. Click Save.
1.8.2.6. Go back to transaction sm30.
1.8.2.7. Select table usraclext, and then click Maintain.
1.8.2.8. In the field userid, type * or a specific user name. If the user id is *, and you are using JCO ver 3.0.14 or later, you need to have Control-M for SAP v9.0.01.012 or later, and do the following:
1.8.2.9. In the SNC Name field, type p:<distinguished name (which you previously created at the client)> (for example: p: CN=CONTROLM_AGENT ,OU=BPM,O=BMC,C=IL)
1.8.2.10. Click Save.
1.8.3. Creating the SAP server certificate file:
1.8.3.1. Run transaction strustsso2
1.8.3.2. Select the SNC container. Double-click the owner certificate entry and make sure the certificate details are shown in the certificate table.
1.8.3.3. Select Export to File (for example <SID>.crt)
1.9. Importing the SAP server certificate to the client:
1.9.1. On UNIX: Copy the SAP server certificate file from the workstation with SAP GUI to the following location on the client’s computer: <SECUDIR value location>/<SID>.crt
1.9.2. On UNIX: Change directory to the SECUDIR value location and run the following command: ./sapgenpse maintain_pk -a <SID>.crt -p bmc.pse
1.9.3. On Windows: Copy the SAP server certificate file from the workstation with SAP GUI to the following location on the client’s computer: <SECUDIR value location>\<SID>.crt
1.9.4. On Windows: Change directory to the SECUDIR value location and run the following command: sapgenpse maintain_pk -a <SID>.crt -p bmc.pse
2. Additional clients configuration:
Configuring the Control-M for SAP account to use SNC:
1 Run the Control-M for SAP account utility from the Control-M Configuration Manager.
2 Enable SNC on an existing account as follows:
2.1 Display the account details.
2.2 From the Logon Type tab, select the Activate Secured Network Communication checkbox.
2.3 Select the SNC details tab.
2.4 Fill in the following fields:
2.4.1 SNC Partner name: The SNC name of the application server (for example p:CN=LE1,OU=BPM,O=BMC,C=US). Required.
2.4.2 SNC lib: The full path and file name of the SAP crypto lib on the client (for example: /home1/agsapfp/SNC/libsapcrypto.sl). Required.
2.4.3 Quality of protection (protection level). Select a value from the dropdown list (possible values: 1, 2, 3, 8, and 9).
2.4.4 SNC My name: SNC name of the user sending the RFC. Optional. Default: The name provided by the security product for the logged-on user.
2.5 Click OK to save the new account.
3 Enable SNC on a new account, as follows:
3.1 Click on the Add account icon.
3.2 On the Set Logon Type step, select the Activate Secured Network Communication checkbox.
3.3 Advance to the SNC details step.
3.4 Fill in the following fields:
3.4.1 SNC Partner name: The SNC name of the application server (for example p:CN=LE1,OU=BPM,O=BMC,C=US). Required.
3.4.2 SNC lib: The full path and file name of the SAP crypto lib on the client (for example: /home1/agsapfp/SNC/libsapcrypto.sl). Required.
3.4.3 Quality of protection (protection level). Select a value from the dropdown list (possible values: 1, 2, 3, 8, and 9).
3.4.4 SNC My name: SNC name of the user sending the RFC. Optional. Default: The name provided by the security product for the logged-on user.
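
The account fields above (SNC Partner name, SNC lib, Quality of protection) and the SECUDIR that holds bmc.pse can be checked on a UNIX agent host before the account is saved. The shell functions below are an added example, not part of Control-M or the SAP tooling: the function names are made up here, the quality-of-protection meanings are the standard SNC ones, and the name check is purely syntactic.

```sh
#!/bin/sh
# Added example: pre-flight checks for the SNC account settings on this page.
# It reads local files only and never calls sapgenpse or contacts SAP.

# Map a quality-of-protection value to its standard SNC meaning.
# Status: 0 = traffic is encrypted, 2 = encryption not guaranteed, 1 = invalid.
qop_check() {
    case "$1" in
        1) echo "authentication only"; return 2 ;;
        2) echo "integrity protection, no encryption"; return 2 ;;
        3) echo "privacy protection (encrypted)"; return 0 ;;
        8) echo "server default (see snc/data_protection/use)"; return 2 ;;
        9) echo "maximum the library offers"; return 0 ;;
        *) echo "invalid value"; return 1 ;;
    esac
}

# Syntactic check of an SNC name: "p:" prefix followed by ATTR=value parts.
snc_name_ok() {
    printf '%s\n' "$1" | grep -Eq '^p: ?[A-Za-z]+=[^,=]+( ?, ?[A-Za-z]+=[^,=]+)*$'
}

# Succeed only if the path exists and grants nothing to group or others;
# the PSE holds the client's private key.
owner_only() {
    [ -e "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run every check; print one line per finding and return the finding count.
snc_preflight() {   # args: SECUDIR PSE_FILE SNC_LIB PARTNER_NAME QOP
    n=0
    owner_only "$1" || { echo "SECUDIR missing or open to group/others: $1"; n=$((n+1)); }
    owner_only "$2" || { echo "PSE missing or open to group/others: $2"; n=$((n+1)); }
    [ -r "$3" ] || { echo "SNC lib not readable: $3"; n=$((n+1)); }
    snc_name_ok "$4" || { echo "SNC partner name malformed: $4"; n=$((n+1)); }
    desc=$(qop_check "$5") || { echo "QoP $5: $desc"; n=$((n+1)); }
    return "$n"
}
```

Source the file and call snc_preflight with the SECUDIR path, the bmc.pse path, the SNC lib path, the partner name and the chosen protection level; a non-zero status is the number of findings printed.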