04 May, 2015

SNC configuration between SAP BW and BOBJ BI systems

After BW system refresh 

1. comment out snc/enable =1 profile parameterand you can leave other snc related parameters ; Restart BW application 
2. delete the SNC entry in STRUSTSS02 , make sure to save it - Do not replace - it may not work.  Once deleted ; you will notice the Source (Production) pse will be removed  eg:/usr/sap/BIQ/DVEBMGS23/sec/SAPSNCS.pse 
3. Enable the SNC profile parameters (if not)

First enable these parameters and restart the BW ABAP instance

sapcryptolib path can be /sapmnt/BIQ/exe/uc/linuxx86_64/libsapcrypto.so 
  
ssf/name SAPSECULIB

ssf/ssfapi_lib Full path to sapcrypto lib
sec/libsapsecu Full path to sapcrypto lib
snc/gssapi_lib Full path to sapcrypto lib
snc/identity/as Your SAP system's DN
 

Right-click the SNC node and click Create,

The identity you specified in RZ10 should now appear.



To assign a password to the SNC PSE, click the lock icon ; make sure to save the entry. 

Enable the remaining parameters:
snc/accept_insecure_rfc 1

snc/accept_insecure_r3int_rfc 1
snc/accept_insecure_gui 1
snc/accept_insecure_cpic 1
snc/permit_insecure_start 1
snc/data_protection/min 1
snc/data_protection/max 3
snc/enable 1

Restart the system. 


4. you can set the SNC password by clicking on the lock button in SNC STRUST body part. Import the own SNC certificate into the Certificates list.
5. Export the SNC BW certificate from STRUSTSS02 --> double click on the owner certificate and you will be able to export the certificate  and also you can verify the certificate list in BW system (Base 64)

tahoe.corp.intusurg.com:biqadm 84> cdexe
tahoe.corp.intusurg.com:biqadm 85> ./sapgenpse maintain_pk -l
 maintain_pk for PSE "/usr/sap/BIQ/DVEBMGS23/sec/SAPSNCS.pse"
PKList:
  element#no="1":
      Subject     :CN=BIQ, OU=BW, O=ISRG, C=US
      Issuer      :CN=BIQ, OU=BW, O=ISRG, C=US
      Serial number:0x20150503212001
      Validity:
        Not before  :Sun May  3 13:20:01 2015
        Not after   :Thu Dec 31 16:00:01 2037
      Key:
        Key type    :rsaEncryption (1.2.840.113549.1.1.1)
        Key size    :1024
      PK_Fingerprint_MD5:300C 6E15 3D83 F14A B04C 45A5 3FA1 E648
    Fingerprint_MD5:5F:94:C4:F6:4B:AC:3C:D7:B5:A4:8E:5C:DA:CB:66:47
    Fingerprint_SHA1:C01D A0D5 DA04 29A0 2E3B 6883 F6DE 6FF5 3D57 648A


6. go to BOXI server and list down the cerficates and remove any old certificates from BIQ system in BOXI QA system. 

sapgenpse.exe maintain_pk –d “CN=BIQ, OU=BW, O=ISRG, C=US”

list the certificates :
sapgenpse.exe maintain_pk –l 

7.  Place the exported BIQ certificate into the BOXI QA server and Add the new BIQ certificate (make sure to import the BIQ certificate into all the CMS node servers of the cluster):

/home/boxiadm:BOQ>env |grep -i sec
SECUDIR=/home/boxiadm/app/CRYPTO64/linux-x86_64-glibc2.3/sec

cd /home/boxiadm/app/CRYPTO64/linux-x86_64-glibc2.3/sec

/home/boxiadm:BOQ>./sapgenpse maintain_pk -v -a BW_BIQ_SNC_certificate.crt -p /home/boxiadm/app/CRYPTO64/linux-x86_64-glibc2.3/sec/BOE.pse
 Opening PSE "/home/boxiadm/app/CRYPTO64/linux-x86_64-glibc2.3/sec/BOE.pse"...
 PSE (v2) open ok.
 retrieving PKList
 Adding new certificate from file "BW_BIQ_SNC_certificate.crt"
----------
Subject : CN=BIQ, OU=BW, O=ISRG, C=US
Issuer  : CN=BIQ, OU=BW, O=ISRG, C=US
Serialno: 20:15:05:03:21:20:01
KeyInfo : RSA, 1024-bit
Validity  -  NotBefore:   Sun May  3 14:20:01 2015 (150503212001Z)
              NotAfter:   Thu Dec 31 16:00:01 2037 (380101000001Z)
----------------------------------------------------------------------------

 PKList updated (1 entries total, 1 newly added)


8. Export BOXI cerficate to import into BIQ system 

./sapgenpse export_own_cert -v -p /home/boxiadm/app/CRYPTO64/linux-x86_64-glibc2.3/sec/BOE.pse -o MyBOE_BOQ_Cert.crt


9. Import the MyBOE_BOQ_Cert.crt certificate in BIQ system using STRUSTSSO2 (Base 64) under SNC tree ; make sure to add to the certificates list. 

9. go to t-code SNC0 in BW system and delete the old (production) entry and add the corresponding non-production BOXI system entry. 

System ID: can be seen from the imported BOXI certificate from STRUSTSS02
eg: MyBOE01
SNC Name : can be seen from the imported BOXI certificate from STRUSTSS02

eg: p:CN=MyBOE01, OU=BO, O=ISRG, C=US 

and please make sure to select the checkboxes 
. entry for RFC activated
. entry for CPIC activated
. entry for ext.ID activated





3 comments: