
Secure Output from SAP Spool


SNC (Secure Network Communications) can be used to protect the communication via RFC. Additionally, SSO (single sign-on) can be activated for RFC communication, which allows logon via certificate instead of password. Connection establishment and communication via SNC are about 5 - 10 % slower than the unencrypted variant.

To secure the BC-XOM connection, follow all the instructions below.


Requirements

  • PLOSSYS Output Engine as of 7.2.0
  • BC-XOM as of 4.9.0 configured, refer to Configure Output from SAP Spool
  • SAP Cryptographic Library installed on SAP server and downloaded onto Output Engine server

    Literature - SAP Cryptographic Library

    SAP Cryptographic Library is available via the SAP Service Marketplace. The installation package SAPCRYPTO.SAR contains

    • sapcrypto.dll for Windows
    • libsapcrypto.so for UNIX
    • configuration tool sapgenpse.exe
    • sapcrypto.mf with information about supported platforms and kernels
  • SNC activated on the SAP server

    Literature - SNC Activation and Test

    Refer to SAP Basis Configuration - SNC/SSO and RFC, Chapter SNC Activation and Test for more information.


Create PSE for SNC and Certificate

This is how you create the PSE (Personal Security Environment) for SNC on the SEAL server with certificate request:

  1. On the Output Engine server, open a PowerShell.

  2. Create the SECUDIR directory if it does not exist yet:

    C:\ProgramData\SEAL Systems\config\sec
    

    Caution - pre-existing directory

    If the directory already exists, move or delete old PSE files from the directory to prevent undesired effects.

  3. Install the SAP Cryptographic Library to the SECUDIR directory.

  4. Create the following Windows environment variables for the sapgenpse configuration tool:

    • SECUDIR

    • SNC_LIB_64

    $env:SECUDIR='C:\ProgramData\SEAL Systems\config\sec'
    $env:SNC_LIB_64='C:\ProgramData\SEAL Systems\config\sec\sapcrypto.dll'
    
  5. Create the PSE with certificate request:

    sapgenpse.exe gen_pse -p SEALRFC.pse -x <PIN> -r SEALRFC.csr "CN=SEALRFC, OU=<Department>, O=<Company>, C=DE"
    

    Example - SEAL Systems

    sapgenpse.exe gen_pse -p SEALRFC.pse -x <PIN> -r SEALRFC.csr "CN=SEALRFC, OU=SEALSAP, O=SEAL, C=DE"
    

    Hint - CN name

    If a certificate is not yet available, the CN name (Common Name) for the secured RFC connection must first be clarified. There may be specifications that the computer name or the system user must be included in the name. If there are no specifications, the following recommendation applies to all SEAL servers: CN=SEALRFC

    Caution - PIN

    A PIN can be set when creating the PSE. Remember the PIN; it is required again in the further configuration.


Provide Certificate

This section describes how to create a self-signed certificate from the SAP system.

Hint - alternative

You can also use a certificate signed by a regular certificate authority. In that case, submit the certificate request created in Create PSE (Personal Security Environment) for SNC and Certificate to the client's certification authority.

A separate certificate must be provided as a file in X.509-Base64 format for each member of the certificate chain (CA and SubCAs). Alternatively, a certificate bundle *.p7b with all certificates of the certificate chain can be provided.

Store the certificates in the SECUDIR directory, commonly C:\ProgramData\SEAL Systems\config\sec.

This is how you provide a self-signed certificate from the SAP system:

  1. On the SAP system, start the transaction strust.

  2. On the left, double-click the respective SAP server under SNC SAPCryptolib.

  3. On the right, double-click the subject under Own Certificate. Do not select a subject in the Certificate List.

  4. Click the export button at the bottom to export the certificate and save the certificate in Base64 format.

  5. Copy the certificate to the SECUDIR on the Output Engine server.

  6. To check the certificate, double-click it in Explorer. In the certificate display, switch to the Certification Path tab and check the certificate status at the bottom.


Import the SAP Certificate to PSE

  1. Open the SECUDIR in a PowerShell:

    cd "C:\ProgramData\SEAL Systems\config\sec"
    
  2. Include the SNC SAPCryptolib certificate in the PSE:

    sapgenpse.exe maintain_pk -p SEALRFC.pse -x <PIN> -a <Certificate>.crt
    

    <Certificate>.crt is the certificate which you exported from SAP in the previous section.

  3. Export the public key for the upload to SAP:

    sapgenpse.exe export_own_cert -p SEALRFC.pse -x <PIN> -o sealrfc.crt
    

Configure SAP NetWeaver RFC

  1. On the Output Engine server, edit sapnwrfc.ini:

    C:\ProgramData\SEAL Systems\config\sapnwrfc.ini
    
  2. For the RFC destinations for which you want to activate SNC, enter:

    • SNC_MODE=1: protects the RFC communication via SNC
    • SNC_MYNAME=p:DistinguishedName: SNC name of PLOSSYS Output Engine
    • SNC_PARTNERNAME=p:DistinguishedName: optional, only needed for TYPE=A RFC connections
    • SNC_SSO=0: optional, only necessary when logging on with user and password instead of SSO
    • SNC_QOP: optional, quality of protection, default: 3

    Example

    SNC_MODE=1
    SNC_MYNAME=p:CN=SEALRFC, OU=SEALSAP, O=SEAL, C=DE
    SNC_PARTNERNAME=p:CN=roesap005.sealsystems.local, OU=SEAL-SAP, O=SEAL, C=DE
    SNC_QOP=3
    

    Hint - determine SAP SNC name

    To determine the SNC name of the SAP system, call System > Status in the SAP menu. Click the arrow at the bottom right to access further kernel information. In the following dialog, the SNC Name is listed under System information.
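    The entries above are easy to get subtly wrong (a missing p: prefix, a misspelled key such as SNC_PARNTERNAME, an invalid SNC_QOP), and the RFC library does not tell you which one it objected to. The following lint, an added example that is not SEAL Systems or SAP code, parses the destinations of a sapnwrfc.ini text and reports such problems; SAMPLE_INI is constructed from the values shown in this guide plus one deliberately faulty destination, and the valid SNC_QOP levels assumed are 1, 2, 3, 8 and 9.

```python
"""Lint the SNC settings of a sapnwrfc.ini file. Added example, not SEAL Systems or
SAP code; SAMPLE_INI is constructed from this guide's values plus one faulty destination."""

KNOWN_SNC_KEYS = {"SNC_MODE", "SNC_MYNAME", "SNC_PARTNERNAME", "SNC_QOP", "SNC_SSO", "SNC_LIB"}
SAMPLE_INI = """\
DEST=SEAL_SNC
TYPE=A
SNC_MODE=1
SNC_MYNAME=p:CN=SEALRFC, OU=SEALSAP, O=SEAL, C=DE
SNC_PARTNERNAME=p:CN=roesap005.sealsystems.local, OU=SEAL-SAP, O=SEAL, C=DE
SNC_QOP=3
DEST=SEAL_BROKEN
TYPE=A
SNC_MODE=1
SNC_MYNAME=CN=SEALRFC, OU=SEALSAP, O=SEAL, C=DE
SNC_PARNTERNAME=p:CN=roesap005.sealsystems.local, OU=SEAL-SAP, O=SEAL, C=DE
SNC_QOP=7
"""

def parse_destinations(text):
    # Return {DEST name: {KEY: VALUE}}; every DEST= line opens a new block.
    dests, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "/*")):
            continue  # blank or comment line
        key, _, value = line.partition("=")
        key, value = key.strip().upper(), value.strip()
        if key == "DEST":
            current = dests.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return dests

def lint_snc(dest):
    """Return the list of problems found in one destination; an empty list means OK."""
    problems = []
    if dest.get("SNC_MODE") != "1":
        return ["SNC_MODE is not 1: RFC traffic to this destination is not protected"]
    for key in ("SNC_MYNAME", "SNC_PARTNERNAME"):
        if key not in dest:
            if key == "SNC_MYNAME" or dest.get("TYPE") == "A":
                problems.append(f"{key} missing")
        elif not dest[key].startswith("p:"):
            problems.append(f"{key} lacks the p: prefix of an SNC printable name")
    for key in dest:
        if key.startswith("SNC_") and key not in KNOWN_SNC_KEYS:
            problems.append(f"unknown SNC key {key}: probably misspelled")
    if dest.get("SNC_QOP", "3") not in {"1", "2", "3", "8", "9"}:  # assumed valid QoP levels
        problems.append(f"SNC_QOP={dest['SNC_QOP']} is not a valid quality of protection")
    return problems
```

Run it against the real file with `lint_snc` applied to each entry of `parse_destinations(open(path).read())`; the SEAL_SNC destination passes, SEAL_BROKEN yields four findings.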

Configure seal-co-notifier Service

  1. Create the following environment keys for seal-co-notifier service:

    • SECUDIR: directory in which the PSE is stored, commonly C:\ProgramData\SEAL Systems\config\sec

    • SNC_LIB_64: path to the SAP Cryptographic Library, commonly C:\ProgramData\SEAL Systems\config\sec\sapcrypto.dll

    plossys config set SNC_LIB_64 "C:\ProgramData\SEAL Systems\config\sec\sapcrypto.dll" --service co-notifier --insecure
    plossys config set SECUDIR "C:\ProgramData\SEAL Systems\config\sec" --service co-notifier --insecure
    
  2. Restart seal-co-notifier service.

