cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

sapjco3: How to add certificate for SNC connection

Go to solution
Niko1
Explorer

3 weeks ago

0 Kudos

Hi experts!

I am trying to set up an SNC connection to my SAP Netweaver system, using SAP Jco in Java (Ubuntu).

I have managed to make an SNC connection with SAP GUI, so the SNC infrastructure should be mostly in place. I am unsure how to add the SNC certificate to the SAP Jco, because, I am getting this error when I try to run my Java program: 

ERROR       GSS-API(maj): No credentials were supplied
            Unable to establish the security context
            target="p:CN=NPL"

Can the certificate be linked by adding some property here?

sapProperties.setProperty(DestinationDataProvider.JCO_SNC_MODE, "1");
sapProperties.setProperty(DestinationDataProvider.JCO_SNC_PARTNERNAME, "p:CN=NPL");
sapProperties.setProperty(DestinationDataProvider.JCO_SNC_MYNAME, "p:CN=NPL");
sapProperties.setProperty(DestinationDataProvider.JCO_SNC_QOP, "1");

Help is much appreciated!

Show replies
Show replies
Answer
View Entire Topic
HAL9000
Product and Topic Expert
Product and Topic Expert
3 weeks ago

Your question shows a basic misunderstanding. You do not add any SNC certificates to JCo, instead these are imported and managed by the respective SNC environment alone. JCo will never see the certificates themselves, that are used in SNC communication. JCo can only pass certificate subject names to an SNC library requesting which certificate the SNC library shall choose from its own PSE certificate store.

Hence, your question is more about configuring your PSE, not so much about configuring JCo. Please see KBA 2642538 for a short how-to description with using the SAP Common Cryptography Library as the SNC library of choice. This KBA is also linked from the JCo SDK JavaDoc at interface DestinationDataProvider.
For troubleshooting problems with PSE credentials, I recommend to have a look into KBA 1525059.

Furthermore, if using the SAP Common Crypto Library, I recommend not to specify JCO_SNC_MYNAME in JCo, but to let the Common Crypto Lib choose its default identity based on the OS user under which the Java process is currently running.
I hope that helps.

Show replies
Show replies
Ulrich_Schmidt
Product and Topic Expert
Product and Topic Expert
3 weeks ago

> I have managed to make an SNC connection with SAP GUI, so the SNC infrastructure should be mostly in place.

As you can see in the documentation and KBAs referenced by HAL 9000, the error message 

GSS-API(maj): No credentials were supplied

means, that the SNC infrastructure does not have the required permission to access its certificate store. Which in turn means, that the SNC infrastructure is not yet completely set up.

If you are getting this error in a JCo application, while it works ok with SAP GUI, then I can only assume, that the Java application (java.exe process) is running under a different Windows OS user than the SAP GUI process. It works a bit differently for every SNC solution, but for example when using the sapcrypto.dll as SNC lib, the certificates used by SNC can be stored in two different places: the Windows Certificate Store (this is used by the "Secure Logon Client" and as far as I know, can only be used by one Windows user) and in PSE files. PSE files can be set up for different Windows users using the "sapgenpse seclogin" command, but only one single user identity/PSE can be used per operating system process. (So if you need to perform RFC calls under different ABAP users, then you need to start different java.exe processes under different Windows users, each of which has its own PSE. -- Unless you use Principal Propagation, which is a whole new animal on top of SNC....)

Niko1
Explorer
3 weeks ago
0 Kudos
Thank you so much both for the insight! I will try read these articles and come back to accept the solution!
Niko1
Explorer
2 weeks ago
0 Kudos
Thank you again, following 2642538 worked
Ask a Question