Creating an SNC RFC connection with ERP-Scale

You are here:

This guide documents the steps required to create a Secure Network Communications (SNC) connection to the SAP gateway. It takes inspiration from this SAP Blog.

For SNC connections, ERP-Scale V4.0.2 build B22073 or later must be installed.
This guide assumes that SNC has been configured and activated on the AS ABAP. See SAP Help Portal: Secure Network Communications (SNC)
This guide assumes a certificate has been loaded for SNC SAPCryptolib. See: SAP Help Portal: Configuring the ABAP Platform to Support TLS.
You will need to install the SAP Cryptographic Library (SAPcryptolib) and set the system environment variable SECUDIR . See  SAP Help Portal: The SAP Cryptographic Library Installation Package 

Step 1. Export the AS ABAP public key

  1. On the AS ABAP, start transaction STRUST.
  2. Select the SNC SAPCryptolib entry.
  3. Double click on the certificate in the certificate list to select it.
  4. Ensure the certificate details are displayed in the lower portion of the screen.
  5. Export the certificate using the menu option More>Certificate>Export or clicking on the button shown:

  6. Enter the path and filename and select Base64 as the file format:

Step 2. Create a folder for the secure connection files on the ERP-Scale PC

We will need to a folder to store the encryption files on PC where ERP-Scale is being installed.

  1. Create a folder on the PC.
  2. Create the system environment variable SECUDIR pointing to this folder:

    After adding the system environment variable, you will need to restart the PC.
We were able to complete steps 3 – 5 on a separate Windows PC from the ERP-Scale installation. If this does not work, create the PSE and certificate directly on the PC where ERP-Scale is being installed.

Step 3. Create a PSE for ERP-Scale

In the folder where the SAPCryptolib has been installed execute the following command:
sapgenpse get_pse [-p <PSE_name>] [-x <PIN>] [DN]

The CN element of the distinguished name must match the hostname of the PC where ERP-Scale will be installed
Example:
sapgenpse get_pse -p "SNC.pse" -x passw1234 "CN=DESKTOP-ES12"
The PSE will be generated in the folder pointed to by the SECUDIR system environment variable.

Step 4. Add the AS ABAP primary key to the ERP-Scale PSE

In order for the PSE to have the correct certification path, we must import public key from the AS ABAP certificate to the ERP-Scale PSE.

In the folder where the SAPCryptolib has been installed execute the following command:
sapgenpse maintain_pk [-a <cert_file>] -p <PSE_name> [-x <PIN>]
Example:
sapgenpse maintain_pk -a ".\AsAbap.crt" -p "SNC.pse" -x passw1234

Step 5. Create a certificate from the ERP-Scale PSE

We need to add a certificate to STRUST for each installation of ERP-Scale. First we create this certificate from the ERP-Scale PSE.

In the folder where the SAPCryptolib has been installed execute the following command:
sapgenpse export_own_cert -o <output_file> -p <PSE_name> [- x <PIN>]
Example:
sapgenpse.exe export_own_cert -o ".\DESKTOP-ES12.crt" -p "SNC.pse" -x passw1234

Step 6. Import the ERP-Scale certificate into AS ABAP

We need to import the certificate to STRUST for each installation of ERP-Scale.

  1. On the AS ABAP, start transaction STRUST.
  2. Select the SNC SAPCryptolib entry.
  3. Import the certificate using the menu option More>Certificate>Export or clicking on the button shown:

  4. Select the certificate created in step 5:

  5. The certificate will be displayed in the lower half of the screen:

  6. The click “Add to certificate list” and save.
  7. The certificate for the ERP-Scale PC will now be displayed in the upper half of the screen:

Step 7. Configure the RFC connection in AS ABAP to use SNC

After uploading the certificate to STRUST, we can now configure the RFC connection using SM59.

  1. On the AS ABAP, start transaction SM59.
  2. Select the RFC destination and click edit.
  3. Select the “Logon & Security” tab:

  4. Click on SNC and configure the SNC connection:

    The distinguished name entered in the Partners field must exactly match the subject of the certificate created for installation of ERP-Scale relevant for the RFC destination (prefixed with p:).

  5. Set the SNC connection to Active and save the changes:

Step 8. Copy the files to the PC where ERP-Scale is being installed

Add a copy of sapcrypto.dll to the folder created in step 2.

If the PSE was generated on a  different PC, you will also need to manually copy it to this folder.

Step 9. Add user credentials to the ERP-Scale PSE

Add login credentials for the user account under which the Pocket Programs SapScaleService Windows service is run.

This step must be completed on the PC where ERP-Scale is being installed.

In the folder where the SAPCryptolib has been installed execute the following command:
sapgenpse seclogin [-p <PSE_name>] [-x <PIN>] [-O [<NT_Domain>\]<user_ID>]

Standard installations of ERP-Scale use Local System account as the login for for the Pocket Programs SapScaleService.
Example:
sapgenpse seclogin -p "SNC.pse" -x passw1234 -O SYSTEM

Step 10. Configure the RFC connection in ERP-Scale to use SNC

After creating the PSE and adding it to the ERP-Scale PC, we can now configure the RFC connection in ERP-Scale to use SNC.

  1.  Start the ERP-Scale configuration utility.
  2. If it does not already exist, add the RFC destination:

  3. Click on the SNC button and add the settings for SNC:

    The SNC library location should point to the library used to secure the connection. This is typically sapscrypto.dll
    SNC my name in ERP-Scale must match Partners in the RFC destination in SM59

  4. Save the SNC settings and upload the RFC destination to the SapScaleServer:

Restart the SapScaleServer

Step 11: Test the connection

  1. On the AS ABAP, start transaction SM59.
  2. Select the RFC destination and click Connection Test.

Was this article helpful?
Dislike 0
Views: 126
Still have questions? Create a support ticket