To set up a server to use the SAP Cryptographic Library for SNC, use the configurations and tools below, depending on your server type.
The main configuration steps are:
1- Installing the SAP Cryptographic Library on your server.
2- Creating a PSE and self-signed public-key certificate (if you have several hosts, you can create a single PSE and copy it to the other hosts).
3- Creating credentials for the server.
4- Providing the server’s security information to its communication partners.
The following graphic gives a clear picture of these steps:
The SAP Cryptographic Library package can be installed separately; for detailed information, see the following central note for the SAP Cryptographic Library:
1848999 – Central Note for CommonCryptoLib 8 (SAPCRYPTOLIB)
The SAPCRYPTO.SAR package contains the following files:
- sapcrypto.dll for Windows
- libsapcrypto.so for UNIX
- sapcrypto.mf contains information about which platforms and kernels are supported.
- The configuration tool sapgenpse.exe.
For kernels 7.41, 7.42 or later, CommonCryptoLib fixes can be patched independently of SAP Kernel Packages. The update is done using dw_utils.sar.
Detailed information can be found in the following SAP Note:
2125088 – CommonCryptoLib in dw_utils.sar
The recommended file locations are:
- SAP Cryptographic Library and SAPGENPSE files: the directory given by the profile parameter DIR_EXECUTABLE.
  - Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run
  - UNIX: /usr/sap/<SID>/SYS/exe/run
- License ticket, server’s SNC PSE and credentials: under the DIR_INSTANCE directory.
  - Windows: <DRIVE>:\usr\sap\<SID>\<instance>\sec
  - UNIX: /usr/sap/<SID>/<instance>/sec
- Parameter to set the location of the SAP Cryptographic Library: profile parameter snc/gssapi_lib.
  - Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll
  - UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.<ext>
- Parameter to set the location of the license ticket and credentials:
  - For Windows NT
    - Registry key: HKEY_LOCAL_MACHINE\Software\SAP\<SID>\environment\SECUDIR
    - Value: <DRIVE>:\usr\sap\<SID>\<instance>\sec
  - For UNIX
    - Login file for <sid>adm
    - Value: /usr/sap/<SID>/<instance>/sec
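The UNIX layout above can be checked with a short script. This is an added example, not code from the original page or from SAP. It assumes the sec location is exported as the SECUDIR environment variable in the <sid>adm login file, and the permission policy (nothing under sec world-accessible or group-writable) is this example's own choice.

```shell
#!/bin/sh
# Added example: audit the UNIX file layout described above.
# Usage: check_snc_layout <DIR_EXECUTABLE> <sec directory>
# Prints one line per finding and returns the number of findings (0 = clean).
check_snc_layout() {
    exe_dir=$1
    sec_dir=$2
    findings=0
    report() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # libsapcrypto.<ext> and sapgenpse belong in DIR_EXECUTABLE.
    lib_found=no
    for f in "$exe_dir"/libsapcrypto.*; do
        if [ -f "$f" ]; then lib_found=yes; fi
    done
    [ "$lib_found" = yes ] || report "no libsapcrypto.<ext> in $exe_dir"
    [ -x "$exe_dir/sapgenpse" ] || report "sapgenpse missing or not executable in $exe_dir"

    # SECUDIR (assumed to be set in the <sid>adm login file) must point at
    # the directory holding the license ticket, PSE and credentials.
    [ "${SECUDIR:-}" = "$sec_dir" ] ||
        report "SECUDIR is '${SECUDIR:-unset}', expected $sec_dir"

    if [ ! -d "$sec_dir" ]; then
        report "sec directory $sec_dir does not exist"
    else
        # The PSE and credentials are key material. Policy assumed for this
        # example: no world access and no group write anywhere under sec.
        loose=$(find "$sec_dir" \( -perm -004 -o -perm -002 -o -perm -001 \
                -o -perm -020 \) -print)
        if [ -n "$loose" ]; then
            report "loose permissions under $sec_dir:"
            echo "$loose" | sed 's/^/  /'
        fi
    fi
    return "$findings"
}

# Run directly when called with both paths, for example:
#   sh check_snc.sh /usr/sap/<SID>/SYS/exe/run /usr/sap/<SID>/<instance>/sec
if [ "$#" -eq 2 ]; then
    check_snc_layout "$1" "$2"
fi
```

Run it as <sid>adm so that SECUDIR is read from the same login environment the instance uses.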