Configure SNC between ACE on container and SAP

By Jobin Jose posted Wed December 11, 2024 01:58 AM

  

Objective

This tutorial shows how to configure Secure Network Communication (SNC) between an ACE integration server running on CP4I and an SAP server.

To set up an ACE container with the required client configuration for SNC support with an SAP server, we need to create a custom image. This blog will focus on the steps to build this custom image, ensuring it includes all necessary configurations for establishing an SNC connection between the ACE container and the SAP server.

Enabling SNC between an on-premises ACE server and an SAP server is well documented in Configure SNC between ACE/IIB and SAP. We will refer to that documentation, because we follow the same steps for configuring the SAP server.

Prerequisites

  1. The SAP Cryptographic library, downloaded from the SAP website.
  2. A containerisation tool such as Docker or Podman to build and run the custom image.

Overview of configuration steps

  1. SAP Server side configuration (should be followed as in Configure SNC between ACE/IIB and SAP)
  2. Setting up project to create an image (Client side configuration)
  3. Writing the shell script “sapdocker.sh” for client configuration
  4. Preparation of Dockerfile
  5. Import client certificate into SAP system

Step 1: SAP Server side configuration

The steps are the same as those provided in Configure SNC between ACE/IIB and SAP. The SAP Cryptographic library files, such as libsapcrypto.so and sapgenpse, can be downloaded from the SAP site.

After completing the server side configuration steps, the SAP server has the configuration necessary for SNC. The SAP server certificate then needs to be exported; it is later imported into the client PSE file (explained in the client side configuration).

Follow (4.3): Export SAP (Server) Certificate

Export the SAP certificate from the server: Select the server certificate and click Export:

Export SAP certificate (icon with left arrow at the bottom of the image)

Choose Base64 for the File format and provide a name for the file:

Step 2: Setting up project to create an image (Client side configuration)

The project directory structure

A project is needed to build the image with the configuration required to establish an SNC connection from the client (ACE) to the SAP server.

  • The “sapcrypto” directory contains the SAP Cryptographic library (downloaded from the SAP website), including the tools needed to generate the PSE (Personal Security Agent) file.
  • The SERVER.crt file is the SAP server certificate that was exported at the end of the SAP Server side configuration.
  • “sapdocker.sh” is the shell script that sets the necessary environment variables and runs the commands that generate the PSE files for the container. We go through each step of the shell script later in this blog.
  • “Dockerfile” is used to build the custom image: it copies the cryptographic libraries to the container and runs the commands that generate the PSE file and the client side certificate, which needs to be configured in the SAP server.

Step 3: Writing the shell script “sapdocker.sh” for client configuration

The sequence of steps executed in the shell script “sapdocker.sh” is very similar to the steps followed for client side configuration in an on-premises setup.

3.1. Defining SECUDIR and PATH variable.

SECUDIR points to the location where the client PSE files will be created by the sapgenpse command line tool, which is included in the SAP cryptographic library. The PATH variable needs to point to the SAP cryptographic library so that the sapgenpse tool can be executed.

# Define environment variables
export SECUDIR=/app/sap/sec
export PATH=$PATH:/app/sap/sapcrypto

3.2. Creating Private Key (PSE file)

For inbound and outbound secure communication, we need to create a private key on the ACE side (PSE file). The distinguished name should be the same as the one provided

# Create the private key (.pse file)
sapgenpse gen_pse -v -p CLIENT.pse -x PASS_PHRASE "CN=CLIENT, OU=ACE, O=ISL, C=IN"

3.3. Generate cred_v2 file for username

To let client applications access the keystore created above, we need to generate a credential file, cred_v2, for the user from the PSE file created in the previous step.

# Generate cred_v2 credential file
sapgenpse seclogin -p CLIENT.pse -O sapservicetst -x PASS_PHRASE

3.4. Export certificate from client keystore(PSE) file

The client certificate needs to be exported to the SAP server side for authentication. This step needs to be completed after running a container: the container holds the exported certificate, which is then copied to the SAP server.

# Export certificate (.crt) from client keystore
sapgenpse export_own_cert -v -p CLIENT.pse -o CLIENT.crt -x PASS_PHRASE

3.5. Import SAP server certificate to client PSE file

The server certificate needs to be imported into the client keystore file (PSE file).

# Import the SAP system certificate to client keystore
sapgenpse maintain_pk -v -a SERVER.crt -p CLIENT.pse -x PASS_PHRASE

You can find the sample shell script executing these steps here.

Step 4: Preparation of Dockerfile

The Dockerfile is defined for building the custom ACE image with the SAP SNC client side certificates and files.

To build the ACE image, we need to provide the ACE image source at the beginning of the Dockerfile.

As mentioned above, the “sapcrypto” directory of the project holds the SAP cryptographic library used to create the client PSE file, and the SERVER.crt exported from the SAP server needs to be imported into the created client PSE file. All the certificate generation and configuration steps are done by executing the “sapdocker.sh” shell script. So the Dockerfile should define commands to copy the entire “sap” directory (which has all these files) to the container directory.

# Create directories to copy files from host
RUN mkdir /home/aceuser/app
RUN mkdir /home/aceuser/app/sap

# Copy the entire sap folder: the SAP cryptographic library, the shell script that configures the client side, and the certificate exported from the SAP server, which is imported into the client PSE file.
COPY /sap /home/aceuser/app/sap

After copying the files, we should execute the shell script in the Dockerfile.

# Run script
# Give execute permission to the shell script
RUN chmod +x /home/aceuser/app/sap/sapdocker.sh

# Execute the shell script
RUN ./app/sap/sapdocker.sh

You can find the sample docker file in the same repo.
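
Because the Dockerfile copies sapdocker.sh into the image and runs it at build time, the passphrase given with -x, CLIENT.pse and cred_v2 all end up in the image, so it is worth checking how they are stored. The following audit is an added example, not part of the original post or its sample repo; the function names, the SNC_PASSPHRASE variable and the owner-only permission policy are assumptions.

```shell
#!/bin/sh
# Added example: audit of the SNC client material that sapdocker.sh produces.
# CLIENT.pse, cred_v2 and the -x option are from this post; the function names,
# SNC_PASSPHRASE and the owner-only permission policy are assumptions.

# Succeeds when group and other have no permission bits on the file.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints the sapgenpse lines of a script that pass a literal passphrase
# after -x, i.e. anything other than a $VARIABLE expansion.
literal_passphrases() {
    grep -n 'sapgenpse' "$1" | grep -E -- '-x +[^"$ ]' || true
}

# Prints one finding per line for a SECUDIR; fails if there is any finding.
audit_secudir() {
    rc=0
    for f in CLIENT.pse cred_v2; do
        if [ ! -f "$1/$f" ]; then
            echo "MISSING $f"; rc=1
        elif ! owner_only "$1/$f"; then
            echo "EXPOSED $f"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: two script lines and a SECUDIR with one loose file mode.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        'sapgenpse gen_pse -v -p CLIENT.pse -x PASS_PHRASE "CN=CLIENT, OU=ACE, O=ISL, C=IN"' \
        'sapgenpse seclogin -p CLIENT.pse -O sapservicetst -x "$SNC_PASSPHRASE"' \
        > "$d/sapdocker.sh"
    : > "$d/CLIENT.pse"; chmod 644 "$d/CLIENT.pse"
    : > "$d/cred_v2";    chmod 600 "$d/cred_v2"
    literal_passphrases "$d/sapdocker.sh"   # flags line 1 only
    audit_secudir "$d" || true              # reports EXPOSED CLIENT.pse
    rm -rf "$d"
}
demo
```

Run audit_secudir against the directory that SECUDIR points to inside a container started from the built image.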

Step 5: Import client certificate into SAP system

With the Dockerfile and shell script ready, we can build an image and run a container with the necessary client configuration.

The last step to complete the SNC connection configuration between the SAP server and the ACE client is to import the client certificate generated in the ACE container into the SAP server system and configure it there. To achieve this, we can follow the same steps as in https://community.ibm.com/community/user/integration/blogs/dilip-kumar1/2021/01/29/snc-configuration-with-sap (4.2).

Conclusion

With the Docker project ready, we can build the image and run the ACE container.

This article showed how to create an App Connect Enterprise image with the correct configuration to set up Secure Network Communication (SNC) between the SAP server and the ACE SAP Adapters.

