SAP SSO 'SNC' Setup Guide

Server-Side Trusted Connections to SAP BW

This document covers single sign-on support for SAP BW from Windows machines hosting Pyramid servers using SNC.

NOTE: The same overall technique is possible for Linux servers too.

Required SAP Software

  • 64-bit SAP Cryptolib libraries for Windows
  • SAP GUI for Windows 7.4x or higher
  • BI 7.0 ADDON FOR SAP GUI 7.4x or higher

Pyramid Server Installs

Before you being, ensure a Server-Side Trust relationship has been created on the BW instance (See detail here in section 9.5.6). One completed, follow these steps to implement.

  1. On each Pyramid Runtime and Task Server machine install the SAP GUI with these components
    1. SAP GUI
    2. SAP Logon
    3. Unicode RFC Libraries
    4. Business Explorer
  2. Run the BI 7.0 ADDON FOR SAP GUI 7.40
  3. Deploy the CRYPTO library
    1. Move SAPCAR_xxx.EXE and SAPCRYPTOLIBP_xxx.SAR to an empty directory.
    2. Extract the files: SAPCAR_xxx.EXE -xvf SAPCRYPTOLIBP_xxx.SAR
    3. Copy the files to a permanent location (e.g. C:\Program Files\SAP\Crypto)
    4. Add a Windows environment variable called SNC_LIB for the file sapcrypto.dll (e.g. C:\Program Files\SAP\Crypto\sapcrypto.dll).
    5. Create a sub-directory under the directory from step c above, named sec. Add another Windows environment variable named SECUDIR that points to this directory.

Certificate Setup

  1. Activate SNC
    1. Open Properties for your BW instance and establish the following in SAP Logon (Make sure to run SAP Logon with Administrator rights)
    2. Under System Entry Properties, Network, check "Activate Secure Network Communications"

    3. Take note of the BW Instance SNC Name(p:xxxxx).
  2. Open a command prompt in the SECUDIR directory on the Pyramid machine(s) to generate the Personal Security Environment (PSE) certificate
    1. Generate the pse file: ..\sapgenpse.exe gen_pse -v -p {name}.pse. (Take note of the "Distinguished name of the PSE owner" for later steps)
    2. Generate the crt file: ..\sapgenpse.exe export_own_cert -v -p {name}.pse -o {name}.crt
  3. Import the crt file
    1. Log in to the BW instance and start transaction STRUST in SAP Logon.

    2. Double-click the entry under SNC_SAPCryptolib on the left.
    3. Verify that the "Own Certificate" subject value changes to the Distinguished Name of the BW Instance Identity (e.g. CN=SAPService)
    4. Double-click the "Own Certificate" value to show details of the certificate below.
    5. Import {name}.crt:
      1. Enable editing by clicking the 'eyeglass' button in the top left-hand corner
      2. Click the import button at the bottom left-hand corner of the Certificate pane.
      3. Browse to your SECUDIR directory in the dialog and select the crt file.
      4. Click the green OK check button.
    6. Next, click the "Add to Certificate List" button at the bottom of the Certificate pane
      1. Check that the certificate now appears in the Certificate List

    7. Click the Save button next to the transaction box to commit your changes.
  4. Export the BW Instance Identity's certificate to SECUDIR
    1. From transaction STRUST, double-click the entry under SNC_SAPCryptolib item in the tree on the left pane.
    2. Then double-click the "Own Certificate" subject value (e.g. CN=SAPService)
      1. In the Certificate pane, verify that the subject value matches the "Own Certificate" subject value.
    3. Export the BW certificate:
      1. First, if required, click the eyeglass icon in the top left to enable editing
      2. Click the export button - right of the import button in the bottom left corner of the Certificate pane
      3. In the dialog browse to the SECUDIR directory, enter a name for the BW certificate ({BW}.crt) in the File name box. Select "Base64" below that.
      4. Click the green OK check button.
      5. The exported certificate should be in the SECUDIR directory
    4. Exit Transaction STRUST
  5. Add the Pyramid Server Identity to BW's Access Control List (ACL):
    1. Start transaction SNC0
    2. Click New Entries near the top of the screen

    3. In the System ID box enter a value for the Pyramid Server ID (e.g. pyramidsso)
    4. Click the pencil Edit button to the right of the SNC Name text box.
      1. In the dialog enter the SNC Name of the Pyramid Server Identity using the distinguished name generated by step 2.a above with the "p:" prefix (e.g. p:CN=pyramidsso, DC=mysite, DC=com).
      2. Then click the green OK check mark.
    5. In the SNC data portion of the New Entries form in the bottom left hand pane, a green check mark will be shown next to "Canonical Name Determined".
    6. Check the following boxes:
      1. Entry for RFC activated
      2. Entry for CPIC activated
      3. Entry for certificate activated
      4. Entry for ext. ID activated
    7. Commit the changes by clicking the save icon.
    8. Exit Transaction SNC0
  6. Import the BW certificate:
    1. Run the following in a command prompt from the SECUDIR directory ..\sapgenpse.exe maintain_pk -v -a {BW}.crt -p {name}.pse
    2. Run the following in a command prompt from the SECUDIR directory ..\sapgenpse.exe seclogin -p pyr_dev_run.pse -O "domain\user" (user is the user that is running the pyramid services)
    3. Check that the directory now contains a cred_v2 file
    4. Show the contents of the PSE by running the following command ..\sapgenpse.exe maintain_pk -l
      1. You should see a PKList having the subject and issuer values matching the distinguished name of the BW Identity.