Configuring Control-M for SAP to work with Secure Network Communications (SNC)

Version 2

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    Control-M for SAP


    COMPONENT:

    Control-M/CM for SAP


    APPLIES TO:

    Control-M for SAP ; version 7.0.00 and higher



    PROBLEM:

     

    Configuring Control-M for SAP to work with Secure Network Communications (SNC).

    Control-M for SAP now supports the SNC protocol, which enables you to encrypt data between Control-M and the SAP system.

     


    CAUSE:

    CAR00040095


    SOLUTION:

     

     

      

     

      

    The configuration procedure is based on the following assumptions:

      

    1.       Control-M for SAP uses the SAP-provided crypto lib as the SNC implementation software library. The SAP server needs to be pre-configured with the SAP crypto lib.

      

    2.       Control-M for SAP uses 2 separate keys, one for the SAP server, and another for any Control-M for SAP that connects to this server. 

      

     

      

    Installing the SAP crypto lib on the Control-M/Agent account:

      

    1.       On UNIX, log in to the agent account and execute the following command to create the SNC directory: mkdir -p $HOME/SNC/sec

      

    2.       On Windows, create the SNC\sec directory anywhere on the same computer where the Control-M/Agent resides, for example: c:\SNC\sec

      

    3.       Download the sap crypto lib from https://support.sap.com/swdc 
    Select the SAP crypto lib which matches your OS, and download into a temporary location.

      

    4.       Extract the downloaded SAR/CAR file using the SAPCAR tool (also available from the SAP download site).

      

    5.       The extraction creates several sub-directories, which all contain different versions of the lib, according to 32/64 bit and the specific OS version. 
    As a general rule, you need to refer to the sub-directory, which best matches your OS version.

      

     

      

    6.       Copy the following files from the temporary location as follows:

                                                                                                          

    File             Source location              Destination location
    ticket           Main extracted folder        SNC/sec
    sapgenpse        OS specific sub directory    SNC/sec
    sapcrypto lib    OS specific sub directory    SNC

      

     

      

     

      

     

      

    Configuring the SNC protocol on UNIX and Windows:

      

    There are 2 configuration types:

      

    1. The first client, which creates a distinguished key to be exported to the Server.

      

    2. Additional clients, which use the key already created by the first client.

      

     

      

    1. First client configuration:

      

     
     

      
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              

    1         Log on to the CONTROL-M/Agent computer

              UNIX: Log on to the CONTROL-M/Agent account

              Windows:
              1.       Change the Control-M/Agent service to log on as a domain user, and not as the default Local System account
              2.       Log on as the domain user which the CONTROL-M/Agent service uses.

    2         Set environment variable SECUDIR

              UNIX: <agent home>/SNC/sec

              Windows: SNC\sec (for example c:\SNC\sec)

    3         Set the lib path environment variable

              UNIX: Add <agent home>/SNC according to the OS: either SHLIB_PATH or LD_LIBRARY_PATH or LIBPATH

              Windows: Add the SNC directory to the PATH environment variable (for example c:\SNC)

    4         Change directory to the SECUDIR value

    5         Generate a PSE file

              UNIX:
              1.       ./sapgenpse gen_pse -noreq -p bmc.pse
              2.       Enter a pin (can be empty)
              3.       Enter a distinguished name, for example: CN=CONTROLM_AGENT ,OU=BPM,O=BMC,C=IL

              Windows:
              1.       sapgenpse gen_pse -noreq -p bmc.pse
              2.       Enter a pin (can be empty)
              3.       Enter a distinguished name, for example: CN=CONTROLM_AGENT ,OU=BPM,O=BMC,C=IL

              NOTE: This is case sensitive, please make sure to define the same account used in step 1.

    6         Create the credentials file

              UNIX:
              1.       ./sapgenpse seclogin -p bmc.pse [-x (pin code if not empty)]
              2.       ./sapgenpse seclogin -p bmc.pse -x (pin code if not empty) -O root

              Windows:
              sapgenpse seclogin -p bmc.pse [-x (pin code if not empty)]

    7         Create the client certificate file

              UNIX: ./sapgenpse export_own_cert -o bmc.crt -p bmc.pse

              Windows: sapgenpse export_own_cert -o bmc.crt -p bmc.pse

           
      
      

     

      

     

      

    1.8. SAP server side actions:

      

    1.8.1. Import the client’s certificate file into the SAP Server:

      

    1.8.1.1.              Copy the bmc.crt file to a workstation with SAP Logon GUI and log on to SAP

    1.8.1.2.              Run transaction strustsso2

    1.8.1.3.              Select the SNC (SAP Cryptolib) container on the left menu

    1.8.1.4.              From the menu bar, select Certificate->import, select BASE64 file format and import the file bmc.crt

                          Click “Add to Certificate List”

      

    1.8.1.5.              Click Save

      

     

      

    1.8.2. Adding the client distinguished name into tables usraclext and vsncsysacl:

      

    1.8.2.1.              Run transaction sm30

      

    1.8.2.2.              Select table vsncsysacl, and then click Maintain.

      

    1.8.2.3.              Select E for entry

      

    1.8.2.4.              Type the SNC name p:<distinguished name (which you previously created at the client)> (for example: p: CN=CONTROLM_AGENT ,OU=BPM,O=BMC,C=IL) and select the RFC checkbox.

      

    1.8.2.5.              Click Save.

      

    1.8.2.6.              Go back to transaction sm30.

      

    1.8.2.7.              Select table usraclext, and then click Maintain.

      

    1.8.2.8.              In the field userid, press *.

      

    1.8.2.9.              In the SNC Name field, type p:<distinguished name (which you previously created at the client)> (for example: p: CN=CONTROLM_AGENT ,OU=BPM,O=BMC,C=IL)

      

    1.8.2.10.           Click Save.

      

     

      

    1.8.3. Creating the SAP server certificate file:

      

    1.8.3.1.              Run transaction strustsso2

      

    1.8.3.2.              Select the SNC container

      

                          Double click the owner certificate entry and make sure the certificate details are shown in the certificate table.

      

    1.8.3.3.              Select Export to File (for example <SID>.crt)

      

     

      

    1.9. Importing the SAP server certificate to the client:

      

    1.9.1. UNIX:

      

    1.9.1.1.              Copy the SAP server certificate file from the workstation with SAP GUI to the following location on the client’s computer: <SECUDIR value location>/<SID>.crt

      

    1.9.1.2.              Change directory to SECUDIR value location and run the following command: ./sapgenpse maintain_pk -a <SID>.crt -p bmc.pse

      

     

      

    1.9.2. Windows:

      

    1.9.2.1.              Copy the SAP server certificate file from the workstation with SAP GUI to the following location on the client’s computer: <SECUDIR value location>\<SID>.crt

      

    1.9.2.2.             Change directory to SECUDIR value location and run the following command: sapgenpse maintain_pk -a <SID>.crt -p bmc.pse

      

     

      

    2. Additional clients configuration:

      

     

      
                                                                                                                                                                                                                                                                                                                                                                                        

    1         Log on to the Control-M/Agent computer

              UNIX: Log on to the Control-M/Agent account

              Windows:
              1.       Change the Control-M/Agent service to log on as a domain user, and not as the default Local System account
              2.       Log on as the domain user which the Control-M/Agent service uses.

    2         Set environment variable SECUDIR

              UNIX: <agent home>/SNC/sec

              Windows: SNC\sec (for example: c:\SNC\sec)

    3         Set the lib path environment variable

              UNIX: Add <agent home>/SNC according to the OS: either SHLIB_PATH or LD_LIBRARY_PATH or LIBPATH

              Windows: Add the SNC directory to the PATH environment variable (for example c:\SNC)

    4         Change directory to the SECUDIR value

    5         Copy bmc.pse file from the first client SECUDIR to the new client SECUDIR

              UNIX: Ensure bmc.pse has read permission.

    6         Create the credentials file

              UNIX:
              1.       ./sapgenpse seclogin -p bmc.pse [-x (pin code if not empty)]
              2.       ./sapgenpse seclogin -p bmc.pse -x (pin code if not empty) -O root

              Windows:
              sapgenpse seclogin -p bmc.pse -x (pin code if not empty)
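
    A read-only check of the UNIX layout that the client configuration steps above produce, as an added example that is not BMC or SAP code. It assumes that seclogin stores its credentials in $SECUDIR/cred_v2 and it treats group or other access to bmc.pse or cred_v2 as a finding; check_snc_layout, check_secret, file_mode and note are names chosen for this example.

```shell
#!/bin/sh
# Added example (not BMC or SAP code): audit the UNIX layout this article builds.
# Assumptions: seclogin writes its credentials to $SECUDIR/cred_v2, and the PSE
# and credentials should be accessible to the owning account only.

FINDINGS=0
note() { echo "FINDING: $1"; FINDINGS=$((FINDINGS + 1)); }

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Flag a secret file that is missing, unreadable, or open to group/other.
check_secret() {
    if [ ! -r "$1" ]; then note "$1 is missing or not readable by this account"; return; fi
    case "$(file_mode "$1")" in
        *00|0) ;;
        *) note "$1 is accessible to group or other" ;;
    esac
}

# check_snc_layout <agent home>: returns 0 when clean, 1 when anything was flagged.
check_snc_layout() {
    snc="$1/SNC"; sec="$snc/sec"; FINDINGS=0

    [ "${SECUDIR:-}" = "$sec" ] || note "SECUDIR is not set to $sec"

    # The SNC directory must be on whichever library path variable the OS uses.
    case ":${LD_LIBRARY_PATH:-}:${SHLIB_PATH:-}:${LIBPATH:-}:" in
        *":$snc:"*) ;;
        *) note "$snc is on none of LD_LIBRARY_PATH, SHLIB_PATH, LIBPATH" ;;
    esac

    # Files copied from the extracted archive.
    [ -f "$sec/ticket" ] || note "ticket is missing from $sec"
    [ -x "$sec/sapgenpse" ] || note "sapgenpse is missing or not executable in $sec"
    set -- "$snc"/libsapcrypto.*
    [ -e "$1" ] || note "no libsapcrypto.* library in $snc"

    # Key material: the PSE from gen_pse and the credentials from seclogin.
    check_secret "$sec/bmc.pse"
    check_secret "$sec/cred_v2"

    [ "$FINDINGS" -eq 0 ]
}

# Usage, from the agent account: check_snc_layout "$HOME"
```

    Because bmc.pse holds the client's private key and the same file is copied to every additional client, a finding on its permissions applies to each host that received a copy.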

     

           
      
      

     

      

     

      

     

      

    Configuring the Control-M for SAP account to use SNC:

      

    1         Run the Control-M for SAP account utility from the Control-M Configuration Manager.

      

    2         Enable SNC on an existing account as follows:

      
       

    2.1          Display the account details.

      
      
       

    2.2          From the Logon Type tab, set the Activate Secured Network Communication checkbox.

      
      
       

    2.3          Select the SNC details tab.

       

    2.4          Fill in the following fields:

      
      

    2.4.1            SNC Partner name: The SNC name of the application server (for example p:CN=LE1,OU=BPM,O=BMC,C=US). Required.

      

    2.4.2            SNC lib: The full path and file name of the SAP crypto lib on the client (for example: /home1/agsapfp/SNC/libsapcrypto.sl). Required.

      

    2.4.3            Quality of protection (protection level). Select a value from the dropdown list (possible values: 1, 2, 3, 8, and 9).

      

    2.4.4            SNC My name: SNC name of the user sending the RFC. Optional. Default: The name provided by the security product for the logged-on user.

      
       

    2.5       Click OK to save the new account.

      
      

    3         Enable SNC on a new account, as follows:

      
       

    3.1          Click on the Add account icon.

       

    3.2          On the Set Logon Type step, select the Activate Secured Network Communication checkbox.

       

    3.3          Advance to the SNC details step.

       

    3.4          Fill in the following fields:

      
      

    3.4.1            SNC Partner name: The SNC name of the application server (for example p:CN=LE1,OU=BPM,O=BMC,C=US). Required.

      

    3.4.2            SNC lib: The full path and file name of the SAP crypto lib on the client (for example: /home1/agsapfp/SNC/libsapcrypto.sl). Required.

      

    3.4.3            Quality of protection (protection level). Select a value from the dropdown list (possible values: 1, 2, 3, 8, and 9).

      

    3.4.4            SNC My name: SNC name of the user sending the RFC. Optional. Default: The name provided by the security product for the logged-on user.

     


    Article Number:

    000111305


    Article Type:

    Solutions to a Product Problem


