This article describes the steps to configure a Secure Network Communications (SNC) connection between a Replicate Server installed on Windows and an SAP ECC or S/4HANA server. This is an advanced topic, and an experienced SAP Basis resource will be required.
The SAP side of the configuration is typically the responsibility of the SAP Basis team. The steps for configuring different versions of SAP may differ so the steps below are intended for guidance only.
Note
The SAP server must have SNC enabled.
Download and Extract the Files
To download and extract the files:
Retrieve the SAP Cryptographic Library files. The latest version can be downloaded from the SAP Marketplace. Download:
SAPCAR.EXE: Utility to uncompress .SAR files
SAPCRYPTOLIBP_<version number>.SAR: Compressed file with the SAP crypto library, for example SAPCRYPTOLIBP_8536-20011729.SAR.
On the Replicate server, create a folder for the Cryptographic Library, for example C:\SAP_SNC.
Copy the files downloaded in step 1 to this folder.
Extract the files from the .SAR file by executing the SAPCAR application. Open a command prompt with Administrator privileges.
Move to the C:\SAP_SNC folder and run the following command:
sapcar -xvf SAPCRYPTOLIBP_8536-20011729.sar
Note
Eight files are extracted, including the sapcrypto.dll and sapgenpse.exe.
Add System Environment Variables
You must be an Administrator on the Replicate server to perform this action.
To add the environment variables:
Add a System environment variable named SECUDIR with a value of the folder path where the SAP Cryptographic Library files have been extracted. The screenshot below shows an example where the files were extracted to C:\SAP_SNC.
Add another System environment variable named SNC_LIB with a value of the SAP Cryptographic Library full path, for example C:\SAP_SNC\sapcrypto.dll.
If the Replicate services or applications were active during the creation of the environment variables, restart them to read the newly created variables.
Generate the Personal Security Environment and Certificate
A prerequisite to configuring an SAP NetWeaver connection, the Replicate application server must have a Personal Security Environment (PSE) with a certificate accepted by the SAP server.
To generate the PSE and the certificate:
At the command prompt, run the following command to generate the PSE on the SST server:
sapgenpse gen_pse -v -p C:\SAP_SNC\RFC.pse
Note
Replace C:\SAP_SNC\ in the above command with your file path if it is different.
The process prompts you for a PIN code. A password is not required. Either:
Do not enter a PIN and press the Enter key.
Enter a PIN, and note it as it will be needed again.
The process prompts ‘get_pse: Distinguished name of PSE owner’. Enter CN=ServerName
where ServerName is a name to identify the SST server in SAP, for example CN=RepProd.
Note
As a result of this command, an RFC.pse is created in the SECUDIR folder.
At the command prompt, run the following command to generate the SST server certificate:
sapgenpse export_own_cert -v -p C:\SAP_SNC\RFC.pse -o C:\SAP_SNC\RFC.crt
Note
Replace C:\SAP_SNC\ in the above command with your file path if it is different.
As a result of this command, the RFC.crt certificate file is created.
Import the Certificate to the Server and Client PSEs
To continue setting up the SNC connection, import the certificate into the Server and the Client Personal Security Environments (PSEs).
To import the certificate into the Server PSE:
Navigate to the SAP System that Replicate should connect to via SNC.
Open the STRUST transaction.
Expand the SNC SAPCryptolib folder in the left panel and click the node below it.
Note that you may be asked for a password to proceed.
Click the Import Certificate button which is left of the Add to Certificate List button; a pop up opens.
Select your certificate file RFC.crt and click the Continue button. The certificate data displays.
Click the Add to Certificate List button. The certificate displays in the Certificate List.
Note
If the Add to Certificate List button is disabled, click the Display <-> Change button in the upper left corner to review the settings
Press Ctrl + S to save.
Import the Server Certificate to the Client PSE:
Still in the STRUST transaction on the SNC SAPCrytpolib folder, double-click the Own Certificate Subject in the upper part of the screen, as shown in the screenshot below. The Own Certificate data displays.
Click the Export Certificate button.
Assign a name to the exported certificate that identifies the SAP System where the certificate came from.
Select the Base64 option and click Continue (F8).
Open a command prompt, move to the SECUDIR folder, and execute the following commands:
sapgenpse maintain_pk -v -a <full path and name of certificate> -p <full path and name of environment>
For example,
sapgenpse maintain_pk -v -a C:\SAP_SNC\RQ1.crt -p C:\SAP_SNC\RFC.pse
The following message displays: Adding new certificate from file "[YourCertificate]"
The certificate downloaded from SAP has been incorporated into your PSE environment.
Create the Credentials File
Using the commands in this section, you can create the cred_v2 file that contains the secure credentials used in the SNC connections between Replicate and SAP. The cred_v2 file must be created in the SECUDIR directory (to continue the example from above C:\SAP_SNC). The operating system users that run the Replicate Service and Application must have entries in the file.
To generate the file and grant access to the users, the following command must be run from a command prompt with Administrator privileges:
sapgenpse seclogin -p RFC.pse -O <User>
The command must be run for each user that needs to have access. For example, if the Replicate services are run by the LocalAccount or NetworkServices, the following commands should be executed:
sapgenpse seclogin -p C:\SAP_SNC\RFC.pse -O Administrator
sapgenpse seclogin -p C:\SAP_SNC\RFC.pse -O System
sapgenpse seclogin -p C:\SAP_SNC\RFC.pse -O NetworkService
If Windows user Bob is running the Replicate Management Center he must also be added
sapgenpse seclogin -p C:\SAP_SNC\RFC.pse -O Bob
The tool will ensure a valid Windows user and the correct Domain and Username is added. Upon completion, this message displays:
D:\snc_lib>sapgenpse seclogin -p RFC.pse -O Bob
running seclogin with USER="Bob"
creating credentials for user "WIN-S4DMXYZ\Bob" (yourself)...
Adjusting credentials and PSE ACLs to include " WIN-S4DMXYZ\Bob"...
d:\snc_lib\cred_v2 ... ok.
d:\snc_lib\RFC.pse ... ok.
Added SSO-credentials for PSE "d:\snc_lib\RFC.pse"
SNC Configuration in SAP
Using transaction snc0 add an entry for the Replicate server. System ID is the Replicate server’s hostname and SNC Name is the Distinguished name of PSE owner from the step Generate the Personal Security Environment above.
Configuring a NetWeaver Connection to use SNC
Follow the instructions here to create a NetWeaver connection.
A basic connection uses the following connection properties.
Under the Advanced -> Security section of the connection, SNC can be configured. In the basic example below, the SNC Partner name is obtained from the SAP system and prefixed with p:. If SNC Name is empty, User and Password are used.
Note that using SNC Name is an advanced option requiring additional SAP configuration. SNC Name is configured for SAP logons in the SAP system.
Troubleshooting
ERROR: Cursor already closed or not open yet
Overview
There was an issue identified in the kernel of SAP S/4HANA that prevented Syniti Replicate streaming functionality from working causing a “Cursor already closed or not open yet” error to be raised. This issue has now been identified and resolved by SAP to allow streaming to work successfully when SNC is enabled on the RFC Destination.
How To Resolve
To resolve the above issue, there are several steps that need to be followed to deploy the SAP and Syniti Replicate patches and to configure both SAP and Syniti Replicate to support SNC enabled RFC Destinations.
Installation
1. Please reference SAP Note 3642178 which contains instructions for deploying the resolution on SAP kernel version 793. The note contains reference to patch 324, which needs to be deployed onto the S/4HANA system to resolve the bug on the SAP side. Once deployed please proceed with the following steps.
Note
If SAP is managing your S/4HANA private cloud environment, please raise an incident with SAP ECS to handle the kernel patch deployment. If another partner/hyperscaler is managing your S/4HANA system, please follow their standard upgrade support path.
2. Request Syniti Replicate version 11.0.0.22 or higher, which includes the right SAP Data Provider version.
Configuration
1. Follow the online help for SNC Configuration. In the step Generate Personal Security Environment and Certificate, make a note of the Distinguished name of PSE owner, for example CN=RepProd. This will be used in the following steps.
2. Follow the online help to configure the destination. Before saving, apply the SNC configuration in the next steps.
3. To configure SNC in the destination, switch to the Logon & Security tab and set SNC to Active.
Click on the SNC button and complete the SNC names - > Partners using the Distinguished name of PSE owner from step a. The distinguished name must be prefixed with p:. In our example below the distinguished name is CN=inttest, so we entered p:CN=inttest as the partner name.
Follow the online help to configure a source connection in Replicate. In SNC My Name, use the distinguished name from step 4 to specify the SNC name. In our example, we specified the value SNC My Name="p:CN=inttest"; note the p: prefix and the double-quote delimiters.
On Destination SNC Mode, select the option True.
Note
When using the Test button on a connection in Replicate, it only tests the SNC setup from Replicate to the target S/4HANA system. It does not test the SNC setup in the destination configured in S/4HANA.