
Secure Output from SAP Spool


SNC (Secure Network Communications) can be used to protect the communication via RFC. Additionally, SSO (single sign-on) can be activated for RFC communication, which allows logon via certificate instead of password. Connection establishment and communication via SNC are about 5 - 10 % slower than the unencrypted variant.

To secure the BC-XOM connection, follow all the instructions below.

Literature

Refer to SAP Basis Configuration - SNC/SSO and RFC for additional information.


Requirements

  • PLOSSYS Output Engine as of 7.2.0
  • BC-XOM as of 4.9.0 configured, refer to Configure Output from SAP Spool for Windows or Linux
  • SAP Cryptographic Library installed on SAP server and downloaded onto Output Engine server

    Hint - SAP Cryptographic Library

    SAP Cryptographic Library is available via the SAP Service Marketplace. The installation package SAPCRYPTO.SAR contains

    • sapcrypto.dll for Windows
    • libsapcrypto.so for UNIX
    • configuration tool sapgenpse.exe for Windows and Linux
    • sapcrypto.mf with information about supported platforms and kernels

Create PSE for SNC and Certificate

This is how you create the PSE (Personal Security Environment) for SNC on the SEAL server with certificate request:

  1. On the Output Engine open a PowerShell (Windows) or Terminal (Linux).

  2. Create the SECUDIR directory if it does not exist yet:

    • Windows: C:\ProgramData\SEAL Systems\config\sec

    • Linux: /opt/seal/etc/sec

    Caution - pre-existing directory

    If the directory already exists, move or delete old PSE files from the directory to prevent undesired effects.

  3. Install the SAP Cryptographic Library to the SECUDIR directory.

  4. Create the following system environment variables for the sapgenpse configuration tool:

    • SECUDIR

      • Windows: C:\ProgramData\SEAL Systems\config\sec
      • Linux: /opt/seal/etc/sec
    • SNC_LIB_64

      • Windows: C:\ProgramData\SEAL Systems\config\sec\sapcrypto.dll
      • Linux: /usr/local/sap/sec/libsapcrypto.so

    Example - setting Windows environment variables in PowerShell

    $env:SECUDIR='C:\ProgramData\SEAL Systems\config\sec'
    $env:SNC_LIB_64='C:\ProgramData\SEAL Systems\config\sec\sapcrypto.dll'

    The $env: assignments apply to the current PowerShell session only. For the variables to be system environment variables that the sapgenpse tool and the services also see, create them persistently (System Properties or the Machine scope of the environment variable settings) and open a new session afterwards.
  5. When working on Linux, the user seal and the user performing the administration for the SEAL Systems software require read/write/execute permissions on the directories defined by SECUDIR and SNC_LIB_64.

  6. Create the PSE with certificate request:

    sapgenpse.exe gen_pse -p SEALRFC.pse -x <PIN> -r SEALRFC.csr "CN=SEALRFC, OU=<Department>, O=<Company>, C=DE"
    

    Example - SEAL Systems

    sapgenpse.exe gen_pse -p SEALRFC.pse -x <PIN> -r SEALRFC.csr "CN=SEALRFC, OU=SEALSAP, O=SEAL, C=DE"
    
    

    Hint - CN name

    If a certificate is not yet available, the CN name (Common Name) for the secured RFC connection must first be clarified. There may be specifications that the computer name or the system user must be included in the name. If there are no specifications, the following recommendation applies to all SEAL servers: CN=SEALRFC

    Caution - PIN

    A PIN may be entered when the PSE is created. Remember the PIN, because it is required again in the subsequent configuration steps.


Provide Certificate

This section describes how to create a self-signed certificate from the SAP system.

Hint - alternative

You can also use the signed certificate of a regular certificate authority. The client's certification authority receives the certificate request from Create PSE (Personal Security Environment) for SNC and Certificate.

A separate certificate must be provided as a file in X.509-Base64 format for each member of the certificate chain (CA and SubCAs). Alternatively, a certificate bundle *.p7b with all certificates of the certificate chain can be provided.

Store the certificates in the SECUDIR directory.

This is how you provide a self-signed certificate from the SAP system:

  1. On the SAP system, start the transaction strust.

  2. On the left, double-click the respective SAP server under SNC SAPCryptolib.

  3. On the right, double-click the subject under Own Certificate. Do not select a subject in the Certificate List.

  4. Click the export button at the bottom to export the certificate and save the certificate in Base64 format.

  5. Copy the certificate to the SECUDIR on the Output Engine server.

  6. To check the certificate, double-click it in Explorer. In the certificate display, switch to the Certification Path tab and check the Certificate status on the bottom.


Import the SAP Certificate to PSE

  1. Open the SECUDIR in a PowerShell (Windows) or Terminal (Linux).

    • Windows: cd "C:\ProgramData\SEAL Systems\config\sec"
    • Linux: cd /opt/seal/etc/sec
  2. Include the SNC SAPCryptolib certificate in the PSE:

    sapgenpse.exe maintain_pk -p SEALRFC.pse -x <PIN> -a <Certificate>.crt
    

    <Certificate>.crt is the certificate which you exported from SAP in the previous section.

    Hint - signed certificate from a certification authority

    Import the response to the certification request with:

    sapgenpse.exe -log import_own_crt -p SEALRFC.pse -c <RequestAnswerFile>.crt [-r <CACertificateFile>.crt]
    

    If <RequestAnswerFile>.crt does not contain the root certificate, the root certificate and all certificates of the intermediate certification authorities must be specified individually with the -r option.

    You import a certificate bundle with:

    sapgenpse.exe -log import_own_crt -p SEALRFC.pse -c <Certificatebundlefile.p7b>
    
  3. Export the own certificate (public key) for the upload to SAP:

    sapgenpse.exe export_own_cert -p SEALRFC.pse -x <PIN> -o sealrfc.crt
    

    Hint - signed certificate of a regular certificate authority

    If a signed certificate from a regular certification authority is provided, the certificate for the RFC programs only needs to be exported if you use the logon via certificate.

  4. On the SAP system, start the transaction strust.

  5. On the left, double-click the SAP server under SNC SAPCryptolib.

  6. On the bottom of the right side, click Import Certificate. Then select the certificate from the previous step sealrfc.crt and confirm via Add to Certificate List.

    Hint - distribution to other SEAL servers

    A PSE which is created for the RFC programs may be distributed to other SEAL Systems servers by copying the following files:

    • SEALRFC.pse

    • *.crt

    • ticket (optionally depending on the version of the SAP Cryptographic Library)


Create Server Credentials

Server credentials must be created for the system user and the service user. The server credentials ensure that the user is authorized to use the private key (PSE).

This is how you create the server credentials:

  1. On the Output Engine server, open the SECUDIR in a PowerShell (Windows) or Terminal (Linux).

    • Windows: cd "C:\ProgramData\SEAL Systems\config\sec"
    • Linux: cd /opt/seal/etc/sec
  2. Create server credentials for the following users:

    • Logged-on system user used for administration

      sapgenpse.exe seclogin -p SEALRFC.pse -x <PIN>
      
    • Service user, e.g. LocalService (Windows) or seal (Linux)

      sapgenpse.exe seclogin -p SEALRFC.pse -x <PIN> -O <ServiceUser>
      

    Hint - control

    Display the server credentials for checking with:

    sapgenpse.exe seclogin -p SEALRFC.pse -x <PIN> -l
    

    Check the item in the PSE with:

    sapgenpse.exe get_my_name -p SEALRFC.pse -x <PIN>
    

    Hint - no distribution

    Unlike the PSE, the cred_v2 file must not be copied to other servers; it must be created anew on each server.
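    The following pre-flight check is an added example and not part of the SEAL Systems software or documentation. It verifies what the PSE creation and the server credentials procedures above rely on: the SECUDIR and the SAP Cryptographic Library exist, no stale *.pse files are left behind (see the caution in Create PSE for SNC and Certificate), the user running the check has read/write/execute permission on SECUDIR, and, after seclogin, SEALRFC.pse and cred_v2 are present on this server. The file names SEALRFC.pse and cred_v2 are taken from the procedure; the library file name and the temporary directory built by demo() are constructed for the example, and the check that the PSE is not world-readable is an added hardening check rather than a requirement stated here.

```python
"""Pre-flight check of SECUDIR for the SEAL RFC PSE and server credentials.

Added example, not SEAL Systems code. Everything is checked with the standard
library only; demo() builds a constructed SECUDIR in a temporary directory.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

PSE_NAME = "SEALRFC.pse"   # PSE name used throughout the procedure
CRED_NAME = "cred_v2"      # server credentials written by sapgenpse seclogin


def check_secudir(secudir: str, snc_lib: str, expect_credentials: bool = True) -> List[str]:
    """Return findings; an empty list means SECUDIR is ready for the RFC programs."""
    findings: List[str] = []
    sec = Path(secudir)
    if not sec.is_dir():
        return [f"SECUDIR {secudir} does not exist"]
    # the administration user and the service user need rwx on SECUDIR
    if not os.access(sec, os.R_OK | os.W_OK | os.X_OK):
        findings.append("current user lacks read/write/execute permission on SECUDIR")
    if not Path(snc_lib).is_file():
        findings.append(f"SAP Cryptographic Library not found at SNC_LIB_64={snc_lib}")
    # old PSE files cause undesired effects and should be moved away before gen_pse
    stale = sorted(p.name for p in sec.glob("*.pse") if p.name != PSE_NAME)
    if stale:
        findings.append("stale PSE files in SECUDIR, move or delete them: " + ", ".join(stale))
    pse = sec / PSE_NAME
    if not pse.is_file():
        findings.append(f"{PSE_NAME} missing: run sapgenpse gen_pse first")
    elif os.name != "nt" and pse.stat().st_mode & stat.S_IROTH:
        # added hardening check: the PSE holds the private key
        findings.append(f"{PSE_NAME} is world-readable although it holds the private key")
    if expect_credentials and not (sec / CRED_NAME).is_file():
        findings.append(f"{CRED_NAME} missing: run sapgenpse seclogin on this server (it must not be copied)")
    return findings


def demo() -> Dict[str, List[str]]:
    """Build a constructed SECUDIR in a temporary directory and check it stage by stage."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        sec = Path(tmp) / "sec"
        lib = sec / "libsapcrypto.so"            # constructed stand-in for SNC_LIB_64
        results["no_dir"] = check_secudir(str(sec), str(lib))
        sec.mkdir()
        lib.write_bytes(b"")                     # stand-in for the library file
        results["no_pse"] = check_secudir(str(sec), str(lib), expect_credentials=False)
        pse = sec / PSE_NAME
        pse.write_bytes(b"")                     # stand-in for the PSE created by gen_pse
        if os.name != "nt":
            os.chmod(pse, 0o600)
        results["pse_only"] = check_secudir(str(sec), str(lib), expect_credentials=False)
        results["no_cred"] = check_secudir(str(sec), str(lib))
        (sec / CRED_NAME).write_bytes(b"")       # stand-in for the file written by seclogin
        (sec / "old.pse").write_bytes(b"")       # simulate a leftover from an earlier setup
        results["stale"] = check_secudir(str(sec), str(lib))
    return results


if __name__ == "__main__":
    for stage, findings in demo().items():
        print(stage, findings or "OK")
```

    Run it once before gen_pse with expect_credentials=False and again after seclogin on every server; because cred_v2 is bound to the server, a copied SECUDIR passes the first run but fails the second until seclogin has been executed locally.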


Configure SAP NetWeaver RFC

  1. On the Output Engine server, edit sapnwrfc.ini:

    C:\ProgramData\SEAL Systems\config\sapnwrfc.ini
    
  2. For the RFC destinations for which you want to activate SNC, enter:

    • SNC_MODE=1: protects the RFC communication via SNC
    • SNC_MYNAME=p:DistinguishedName: SNC name of the PLOSSYS Output Engine
    • SNC_SSO=0: optional, only necessary when logging on with user and password instead of SSO, refer to Activate SSO
    • SNC_QOP: optional, quality of protection, default: 3

    Example

    SNC_MODE=1
    SNC_MYNAME=p:CN=SEALRFC, OU=SEALSAP, O=SEAL, C=DE
    SNC_QOP=3
    

Configure seal-co-notifier Service

  1. Create the following environment keys for seal-co-notifier service:

    • SECUDIR: SECUDIR directory used to store the PSE
      • Windows: C:\ProgramData\SEAL Systems\config\sec
      • Linux: /opt/seal/etc/sec
    • SNC_LIB_64: path to the SAP Cryptographic Library
      • Windows: C:\ProgramData\SEAL Systems\config\sec\sapcrypto.dll
      • Linux: /usr/local/sap/sec/libsapcrypto.so

    Example - setting the keys with PLOSSYS CLI under Windows

    plossys config set SNC_LIB_64 "C:\ProgramData\SEAL Systems\config\sec\sapcrypto.dll" --service co-notifier --insecure
    plossys config set SECUDIR "C:\ProgramData\SEAL Systems\config\sec" --service co-notifier --insecure
    

    Example - setting the keys with PLOSSYS CLI under Linux

    plossys config set SNC_LIB_64 "/usr/local/sap/sec/libsapcrypto.so" --service co-notifier --insecure
    plossys config set SECUDIR "/opt/seal/etc/sec" --service co-notifier --insecure
    
  2. Restart seal-co-notifier service.


Activate SNC on the SAP System

  1. In SAP, start the transaction sm59 and select the RFC destination for which you want to specify SNC.
  2. Switch to the Logon & Security tab.
  3. In Security Options under Status of Secure Protocol, click the SNC button.
  4. Enter the certification partner under SNC at Partners and save the settings. The partner name must match the SNC_MYNAME specified in sapnwrfc.ini on the Output Engine server and starts with p:.

    [Screenshot: SAP dialog showing the added partner name with prefix p:]

    Hint - quality of protection

    You may use QoP in order to specify the quality of protection. The default setting is 3. The value must match the configuration in the sapnwrfc.ini on the Output Engine server.

  5. Activate SNC with the saved settings by clicking Activate.

  6. To test the RFC connection, click Connection Test on the top of the page.


Activate SSO (Single Sign On)

This section is optional and only needed if you want to activate SSO instead of logon via user name and password.

  1. On the Output Engine server, edit sapnwrfc.ini and specify the following parameters for the RFC destination:

    • PASSWD=CERT: the password evaluation recognizes SSO if CERT is set as the identifier
    • SNC_SSO=1: optional; when set to 0, SSO is deactivated
  2. In SAP, start the transaction su01. Use the system user specified in sapnwrfc.ini.

  3. Switch to the SNC tab and enter the SNC data:

    • SNC-NAME SNC name as specified in sapnwrfc.ini beginning with the prefix p:.
    • Permit Password Logon for SAP GUI: Deactivate
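The following checker is an added example and not part of the SEAL Systems software or documentation. It reads a sapnwrfc.ini and reports, per RFC destination, whether the SNC parameters from Configure SAP NetWeaver RFC and the SSO parameters from this section are consistent: SNC_MODE=1, SNC_MYNAME with the prefix p: and a CN= component, SNC_QOP matching the QoP configured in sm59, and PASSWD=CERT whenever SNC_SSO=1. The file layout (DEST=<name> blocks of KEY=VALUE lines separated by blank lines, '#' comments) and the three sample destinations are assumptions constructed for the example.

```python
"""Consistency check for the SNC and SSO parameters of sapnwrfc.ini.

Added example, not SEAL Systems code. Assumed file layout: destination blocks
that start with DEST=<name>, followed by KEY=VALUE lines, separated by blank
lines; lines starting with '#' are comments. All destinations are constructed.
"""
from typing import Dict, List

# Constructed sample: one correct SNC+SSO destination, one unprotected
# destination and one with the typical configuration mistakes.
SAMPLE_INI = """\
# constructed sample sapnwrfc.ini, not a real configuration
DEST=SAP_SNC_OK
ASHOST=sapserver.example.invalid
SYSNR=00
CLIENT=100
USER=SEALRFC
PASSWD=CERT
SNC_MODE=1
SNC_MYNAME=p:CN=SEALRFC, OU=SEALSAP, O=SEAL, C=DE
SNC_QOP=3
SNC_SSO=1

DEST=SAP_PLAIN
ASHOST=sapserver.example.invalid
SYSNR=00
CLIENT=100
USER=SEALRFC
PASSWD=secret
SNC_MODE=0

DEST=SAP_SNC_BAD
ASHOST=sapserver.example.invalid
SYSNR=00
CLIENT=100
USER=SEALRFC
PASSWD=secret
SNC_MODE=1
SNC_MYNAME=CN=SEALRFC, OU=SEALSAP, O=SEAL, C=DE
SNC_QOP=9
SNC_SSO=1
"""


def parse_sapnwrfc_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Return {destination: {KEY: VALUE}} for every DEST block in the file."""
    dests: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")   # split at the first '=' only:
        if not sep:                             # the DN in SNC_MYNAME contains more
            continue
        key, value = key.strip().upper(), value.strip()
        if key == "DEST":
            current = value
            dests[current] = {}
        elif current is not None:
            dests[current][key] = value
    return dests


def check_destination(params: Dict[str, str], expected_qop: str = "3") -> List[str]:
    """Return findings for one destination; an empty list means the settings are consistent.

    expected_qop is the QoP configured for the partner in transaction sm59; both
    sides must match, and 3 is the default."""
    findings: List[str] = []
    if params.get("SNC_MODE") != "1":
        findings.append("SNC_MODE is not 1: the RFC communication is not protected by SNC")
        return findings  # the remaining checks only apply to SNC destinations
    myname = params.get("SNC_MYNAME", "")
    if not myname.startswith("p:"):
        findings.append("SNC_MYNAME must start with the prefix p: (the partner name in sm59 uses the same prefix)")
    if "CN=" not in myname:
        findings.append("SNC_MYNAME does not contain a CN= component of the PSE distinguished name")
    qop = params.get("SNC_QOP", "3")
    if qop != expected_qop:
        findings.append(f"SNC_QOP={qop} does not match the QoP configured in sm59 ({expected_qop})")
    sso = params.get("SNC_SSO")
    passwd = params.get("PASSWD")
    if sso == "1" and passwd != "CERT":
        findings.append("SNC_SSO=1 but PASSWD is not CERT: logon via certificate will not be recognised")
    if sso == "0" and passwd == "CERT":
        findings.append("PASSWD=CERT but SNC_SSO=0: SSO is deactivated, so a user password is required")
    return findings


def check_file(text: str, expected_qop: str = "3") -> Dict[str, List[str]]:
    """Check every destination in a sapnwrfc.ini and return {destination: findings}."""
    return {dest: check_destination(params, expected_qop)
            for dest, params in parse_sapnwrfc_ini(text).items()}


if __name__ == "__main__":
    for dest, findings in check_file(SAMPLE_INI).items():
        print(dest, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

To check the real file, read C:\ProgramData\SEAL Systems\config\sapnwrfc.ini and pass its contents to check_file together with the QoP value entered in sm59; a destination with SNC_MODE=0 is reported as unprotected so that no destination is silently left without SNC.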
