Overview
Secure Network Communications (SNC) relies on valid X.509 certificates for encrypted communication between the Syniti Knowledge Platform (SKP) and SAP systems. This section provides comprehensive guidance on managing the complete SNC certificate lifecycle, including generation, deployment, rotation, and troubleshooting.
This process involves the following steps:
Before configuring SNC certificate management, the following fields must be configured in the SKP’s SAP NetWeaver connection properties:
System ID (SID): The 3-character SAP system identifier.
SNC Mode: SNC Mode must be enabled and the SNC parameters must be configured.
SNC Certificate Setup
SKP Client Certificate Generation
To generate a new Personal Security Environment (PSE) certificate:
In the SKP, open the SAP NetWeaver connection and access the SNC Certificate Setup section.
Click Generate New PSE to create a new Personal Security Environment.
Enter a descriptive name for the certificate.
Click Generate PSE to create the certificate. The SKP PSE client certificate is now generated and selected.
Click Download to save the certificate.
Copy the displayed SNC My Name value for later import into SAP.
Import SKP Certificate in SAP
Once SKP has generated its certificate, import it into SAP:
In SAP, access the STRUST transaction.
In the left panel, expand the SNC SAPCryptolib folder and click the node below it and open it in the Change mode.
Click the Import Certificate button before the Add to Certificate List button.
An Import Certificate dialog box is displayed.
Import the downloaded SKP client certificate and click Save. The SKP certificate information is displayed.
Click Add to Certificate List. The newly added certificate is displayed on the Certificate List.
Click Save.
Export SAP Server Certificate and Add SNC Name in SAP
In SAP, access the STRUST transaction.
In the left panel, expand the SNC SAPCryptolib folder and click the node below it.
In the Own Certificate section, double-click the subject name to select the server certificate.
Access the Certificate section and click the Export Certificate button.
An Import Certificate dialog box is displayed.
Assign a name to the exported certificate that identifies the SAP System where the certificate came from.
Select the Base64 option and click Continue. The SAP Server certificate is now downloaded.
Access the SU01, SNCWIZ, or SNCSYSACL transaction and enter your username.
Enter into the Change mode and click the SNC access control (ACL) tab.
Edit the SNC Name field to paste the SNC My Name value copied from the SKP > SAP NetWeaver connection page.
Ensure RFC authorization is enabled.
Click Save.
Upload SAP Server Certificate in the SKP
Open the SKP > SAP NetWeaver connection and access the the SNC Certificate Setup section.
Select SAP Server Certificate to open Select SAP Server Certificate dialog box.
Click the Upload New Certificate tab to upload the downloaded certificate from SAP and click Confirm.
Select the exported certificate file and click Save.
Click Test Connection to verify the connection status.
Click Save to complete the SAP NetWeaver connection configuration.
Certificate Rotation Workflow
As a security best practice, rotate SKP client certificates at regular intervals. To rotate certificates without service interruption:
Initiate Rotation: Modify the existing SAP NetWeaver connection in the SKP and click Rotate PSE. A new certificate version (v2) is generated while v1 remains active.
Note
If you interrupt the certificate rotation process, the newly generated certificate will be marked as Transitioning. You can resume using the Continue Rotation button.
Download New Certificate: Download the new certificate from SKP and note the updated SNC My Name.
Cross-Certify in SAP: Import the new v2 certificate into SAP STRUST alongside the existing v1 certificate (both coexist).
Update ACL: In SU01, SNCWIZ, or SNCSYSACL transaction, add the new v2 SNC My Name as an authorized partner. Both v1 and v2 are now allowed.
Test Connection: Verify the connection still works in SKP using both the old and new credentials.
Activate New Certificate: In the SNC Certificate Setup section, click View Versions, select the v2 certificate version, and then click Save to make it the primary certificate.
Cleanup: You can remove any unused certificates marked as Deprecated in the SKP Admin module’s Certificates page.
Note
During certificate rotation, both the old and new certificates must coexist in SAP and have corresponding ACL entries. Removing the old certificate before the new one is fully activated will cause connection failures and service interruption.
Certificate Metadata Management
You can update certificate name and description in the SKP without regenerating the certificate.
Access the SNC Certificate Setup section and click Edit Metadata.
Update the name or description and click Save.
The certificate identity and key information remain unchanged.
Troubleshoot SNC Certificate Setup
Error | Cause | Resolution |
|---|---|---|
SNC options missing in the SKP | System ID not entered | Enter System ID and save |
Certificates missing | Incomplete handshake | Exchange certificates properly |
SNCERR_GSS_NOT_SUPPORTED | Invalid library path | Verify cryptographic library path |
Connection fails after rotation | ACL not updated | Update SNC ACL entries in SU01, SNCWIZ, or SNCSYSACL transaction |
SNC Name Unknown | SNC name mismatch | Verify the SNC Name in SAP matches exactly with the SNC My Name in the SKP |