Xander H
ServiceNow Employee

Introduction

SAP ECC RFC and SAP ECC IDOC spokes introduce SNC support in version 2.3.1, released April 2024. A number of steps are necessary for correct configuration on the MID server, the ServiceNow instance and the SAP ECC instance. 

 

For one recent Expert Services project, we successfully integrated SNC, and would like to share some of the knowledge we gained in the process, as the documentation does not always clearly show the same information in a concise step-by-step nature.

 

At a high level, we will undertake the following steps:

  1. Prepare the MID server(s) for use of the SAP cryptographic library for SNC
  2. Exchange certificates with the SAP administrator and ask to configure SAP accordingly
  3. Configure the ServiceNow instance accordingly
  4. Test the connection

 

In essence, the SAP ECC spoke acts as a JCo client - a Java-based SAP connector. This client is run on a MID server, which will need the necessary infrastructural tooling, a cryptographic library and a public/private keypair generated and locally configured.

 

This mental model of the SN instance simply acting as a JCo client helps in debugging any possible issues: the online information on SNC for ServiceNow is (as of writing) sparse, but there is much information online about JCo client connectivity into SAP.

 

Prerequisites

We will need a number of files:

  • A .cer file for this SAP instance - please obtain this from the SAP administrator
  • SSH access to the MID server
  • A ZIP file of the SAPCRYPTOLIBP library
    • e.g. SAPCRYPTOLIBP_8551-20011697.zip 
    • Can be downloaded from the SAP Marketplace by an administrator
  • SAP NetWeaver RFC SDK (nwrfcsdk)

Preparing the MID server for SNC

The steps I outline below are essentially a reproduction of this SAP Help Portal knowledge base article: Configuring the Use of SAP Cryptographic Library for SNC.

 

High level steps from a MID server perspective. Source/credit: SAP Help Desk Portal (https://help.sap.com/docs/SAP_NETWEAVER_750/e73bba71770e4c0ca5fb2a3c17e8e229/4145453c3ff4110ee10000000a11405a.html)

We can come up with a number of command line steps to perform on the MID server as follows:

 

  1. Make sure the mentioned .cer and .zip files (saplibcrypto, nwrfc) are transferred and available
  2. Create a sec folder which will be our basis for this installation. This folder location will be permanent, so select it wisely (e.g. not on a network/virtual drive or non-persistent storage)
  3. For the purpose of this article, we will place it at /opt/sn/sec/
  4. Copy the .cer and .zip files to the sec folder 
  5. Extract the contents of the .zip files inside the current folder
  6. You will end up with a number of .so files (from the saplibcryptop zip) in /opt/sn/sec/
  7. You will end up with a nwrfcsdk/ folder in /opt/sn/sec/
  8. Make the .so files accessible: 
    1. chmod 775 *.so 
  9. Make the sapgenpse executable:
    1. chmod +x sapgenpse
  10. Confirm the following files and folders:
    1. /opt/sn/sec/
    2. /opt/sn/sec/libsapcrypto.so
    3. /opt/sn/sec/sapgenpse
    4. /opt/sn/sec/nwrfcsdk/
  11. We will need to set a number of environment variables. We will need to repeat this step later so that the instance has access to it, but for now we set it in the local terminal session. This step is dependent on the shell that is being used. We will assume bash, and add these lines to ~/.bashrc:
    1. export SECUDIR=/opt/sn/sec
      export SNC_LIB=/opt/sn/sec/libsapcrypto.so
      export PATH=$PATH:$SECUDIR
      export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$SECUDIR
    2. Load the changes into memory by running the below or restarting the session:
      1. . ~/.bashrc
  12. Next, we will generate the keys for this ServiceNow instance. If you are performing this installation on multiple MID servers (e.g. for failover purposes), the certificate below needs to be generated only ONCE and is then shared by all MID servers serving the same instance. For different SN instances, please do generate new certificates to adhere to security best practices.
    1. ./sapgenpse get_pse -p sn.pse -x password
    2. Replace `password` with a password of your choosing and store it securely
    3. Upon being asked for a CN, create a useful identifier. e.g.
    4. CN=ServiceNowDev, OU=ServiceNow, O=<company name>, C=<country code>
  13. Next, we export our own certificate (public key) that we will provide to the SAP administrators:
    1. ./sapgenpse export_own_cert -v -p sn.pse -o sn.crt
  14. Provide this certificate to the SAP administrator. Next, we import the SAP instance's certificate into our PSE, so that the pair is stored on the local machine. We assume that sap.cer is the .cer file (it could be a .crt file as well) that we obtained from the SAP administrator, representing that instance.
    1. ./sapgenpse maintain_pk -v -a sap.cer -p sn.pse
  15. Generate the cred_v2 file, which stores the PSE credentials for the MID server user so that the PSE can be opened without prompting for the password:
    1. ./sapgenpse seclogin -p sn.pse -x <password> -O <mid_server_user>
    2. Replace the password with the one created earlier, and mid_server_user with the local user that the ServiceNow MID server agent runs under
  16. Finally, we need to expose the environment variables to the MID java agent. Navigate to ./conf/wrapper-override.conf of the MID server installation folder, and add the following lines:
    1. set.SECUDIR=/opt/sn/sec/
      set.SNC_LIB=/opt/sn/sec/libsapcrypto.so
      set.PATH=/opt/sn/sec
      set.LD_LIBRARY_PATH=/opt/sn/sec/nwrfcsdk:/opt/sn/sec

      wrapper.java.library.path.append_system_path=TRUE
  17. Go into the SN instance and to the MID server record, and click the related link "Restart MID server"

We have now successfully configured the MID server.
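As an added check for the MID server steps above (this script is not part of the article, nor a SAP or ServiceNow tool), the following function verifies that the files, permissions, ownership and wrapper-override.conf entries line up before the MID server is restarted. It assumes the article's layout: SECUDIR contains libsapcrypto.so, sapgenpse, nwrfcsdk/, sn.pse and the cred_v2 written by seclogin.

```shell
#!/bin/sh
# Preflight check for the SNC setup on a MID server (added example, not from
# the article). Usage:
#   snc_preflight /opt/sn/sec /opt/servicenow/mid/agent/conf/wrapper-override.conf <mid_server_user>
# Prints one FAIL line per problem and returns non-zero if anything is wrong.
snc_preflight() {
  secudir=${1%/}; override=$2; miduser=$3; rc=0
  fail() { echo "FAIL: $1"; rc=1; }

  # Files the extraction, chmod and sapgenpse steps must have left behind.
  [ -d "$secudir/nwrfcsdk" ]        || fail "nwrfcsdk/ folder missing in $secudir"
  [ -r "$secudir/libsapcrypto.so" ] || fail "libsapcrypto.so missing or unreadable"
  [ -x "$secudir/sapgenpse" ]       || fail "sapgenpse is not executable (chmod +x)"
  [ -f "$secudir/sn.pse" ]          || fail "sn.pse missing: run get_pse or copy the sec folder"
  # seclogin writes cred_v2 into SECUDIR; without it JCo reports
  # "GSS-API(maj): No credentials were supplied".
  [ -f "$secudir/cred_v2" ]         || fail "cred_v2 missing: run sapgenpse seclogin"

  # sn.pse and cred_v2 must belong to the user the MID agent runs under,
  # otherwise seclogin was run as the wrong account.
  for f in sn.pse cred_v2; do
    [ -e "$secudir/$f" ] || continue
    owner=$(ls -ld "$secudir/$f" | awk '{print $3}')
    [ "$owner" = "$miduser" ] || fail "$f is owned by $owner, not $miduser"
  done

  # wrapper-override.conf must hand the Java agent the same paths used here.
  [ -r "$override" ] || { fail "$override not readable"; return $rc; }
  conf_secudir=$(sed -n 's/^set\.SECUDIR=//p' "$override" | sed 's:/*$::')
  conf_snclib=$(sed -n 's/^set\.SNC_LIB=//p' "$override")
  [ "$conf_secudir" = "$secudir" ] || fail "set.SECUDIR is '$conf_secudir', expected $secudir"
  [ -n "$conf_snclib" ] && [ -f "$conf_snclib" ] \
    || fail "set.SNC_LIB does not point to an existing file: '$conf_snclib'"
  grep -q '^wrapper\.java\.library\.path\.append_system_path=TRUE' "$override" \
    || fail "wrapper.java.library.path.append_system_path=TRUE is not set"
  return $rc
}
```

Run it as the MID server user after step 16 and again on every additional MID server that received a copy of the sec folder.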

 

Adding additional MID servers to the same certificate

In order to add additional MID server machines to the same certificate (highly recommended for production failover scenarios), so that they can authenticate to the SAP instance using those same keys, we need to perform these steps:

 

  1. Copy the entire /opt/sn/sec/ folder to the same location on the new machine, including all generated files
  2. Set the environment variables in ~/.bashrc (or other shell rc file) and load them
  3. Do NOT re-run the get_pse, export_own_cert, or maintain_pk commands. Instead, just re-run:
    1. ./sapgenpse seclogin -p sn.pse -x <password> -O <mid_server_user>
  4. This will now install the same PSE file (private key) for the MID server user on this machine.

That's all!

 

Configuring the ServiceNow instance

Next up, we will need to create a Connection & Credentials record that we can use. A number of Connection Attributes are required. An alias is provided with the SAP ECC RFC spoke installation, with ID "sn_sap_ecc_rfc_spo.SAP_ECC". Either reuse that, which is what we did since we had only a single SAP instance to connect to, or make a new alias (e.g. in case several are required) and be sure to copy the Connection Attributes from that alias.

 

After creating a new connection for the alias, we will need to configure a number of attributes:

  • Use MID server = true
  • MID selection = Specific MID server
    • Alternatively, create and use a new Capacity that you can tag all the MID servers into dynamically
  • Credential = <empty> (not required due to using certificates installed on the MID server locally)
  • Host = <hostname of the SAP instance>
  • SNC mode = 1
  • SNC my name = p:<CN that you entered in the certificate creation step>
    • Please be sure to add the p: in front
  • SNC connection = yes
  • Language = EN
  • SNC partner name = p:<CN of the SAP instance, please obtain from the administrator>
  • Certificate value = <contents of the SN certificate .crt file that was generated and provided to the administrator, but concatenated into one long line without any line breaks>
  • Client = <obtain from SAP administrator>
  • SNC QOP = 3
  • System number = <obtain from SAP administrator>
  • SNC library path = /opt/sn/sec/libsapcrypto.so

Testing the connection

The big moment 🙂 We need an RFC or IDOC that we want to call. There is an RFC that is installed with every SAP instance, RFCPING, which is good for testing. However, the SAP user that the administrator has mapped our certificate to must be allowed to access this module. If there is a different module that is known to be accessible, that is fine as well.

 

First, let's configure the RFC, by adding it to SAP ECC RFC Spoke > SAP ECC RFCs. Create a new record and put the name of the RFC in there. 

 

Open Flow Designer and go to Actions, then look for Execute RFC. Set your Connection Alias, the RFC to execute, and fire it. Hopefully, by this point it should work!

 

Troubleshooting

If the RFC call was not successful, the error message should be fairly descriptive about what is missing. The one error message that seems to come up relatively often but is cryptic is this one:

ERROR GSS-API(maj): No credentials were supplied Unable to establish the security context

This error message indicates a problem in the MID server setup, where either:

  1. The SECUDIR environment variable is not set and/or not readable by the MID agent. Try restarting the MID server, confirming whether the env variables were set in wrapper-override, etc.
  2. Credentials were not made by using seclogin for the correct user or in the correct location (this can happen if the sec folder moves or your MID server is running under a different user)
  3. OS level permissions for the PSE file are incorrect
  4. Error in the certificate. This can happen when the certificate value still contains line breaks and/or the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- marker lines. Make sure that it is one long string without line breaks or spaces. Alternatively, the CN does not match.

Other errors could be related to the RFC not being accessible, which is straightforward to ask the SAP administrator to look into.

 

Conclusion

SNC is a secure, key-based mechanism that allows us to authenticate into an SAP instance. However, it does come with some complexity and steps. Hopefully, this article has given you a clear step-by-step approach to configuring it properly.

 

Happy implementing!

Comments
Simon46
ServiceNow Employee

Putting this as supplementary SAP community post on SNC.

https://community.sap.com/t5/technology-blogs-by-members/setup-data-encryption-between-rfc-client-an...

 

Additionally, if the Connection Attribute "SNC" is blank, the username and password from the associated Credentials record will be sent to SAP with the request (jco.client.user and jco.client.passwd). If "SNC" is NOT blank, then the username and password are not sent.

Version history
Last update: 08-26-2024 02:11 AM