Configure a secure network connection using certificates

The following approach describes how to configure a secure network connection between a LiveCompare server and an SAP system, based on certificates. The approach involves adding a trusted root certificate to the SAP system, and then using a LiveCompare server certificate that derives from the same trusted root certificate.

This approach doesn't require the LiveCompare server certificate to be imported into SAP, and can save time if you need to configure a large number of SAP systems. To create a secure network connection using certificates, follow these steps.

Prepare the LiveCompare server

Prepare the LiveCompare Server by downloading the SAPCRYPTOLIB library and installing the SAPCRYPTOLIB components.

Export the certificates

To export the certificates you will need, follow these steps.

  1. Run Certificate Manager (certlm.msc) on the LiveCompare server.

  2. Export the LiveCompare server certificate, including the private key, to a .pfx file.

  3. Use the Certification Path of the LiveCompare server certificate to navigate to the root Certificate Authority (CA).

  4. Export the Root CA and any other intermediate certificates to a .cer file.
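
Before building the PSE, it helps to confirm that the exported .pfx carries a private key and chains to the exported root, because the SAP system is only given the root. The following PowerShell check is an added example, not part of the LiveCompare or SAP tooling; the function name Test-ExportedChain is hypothetical, the file names follow the page's example, and root.cer is assumed to hold a single certificate.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example (hypothetical helper). Assumes root.cer holds exactly one certificate.
function Test-ExportedChain {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $RootCerPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )
    # .NET resolves relative paths against the process directory, so pass full paths.
    $server = [X509Certificate2]::new((Resolve-Path $PfxPath).Path, $PfxPassword)
    $root   = [X509Certificate2]::new((Resolve-Path $RootCerPath).Path)
    try {
        $chain = [X509Chain]::new()
        # Chain building only: the root need not be in the Windows trust store,
        # and revocation is not checked here.
        $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
        $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
        [void]$chain.ChainPolicy.ExtraStore.Add($root)
        $built = $chain.Build($server)
        # The last chain element is the top of the path Windows could build.
        $top = ($chain.ChainElements | Select-Object -Last 1).Certificate

        [pscustomobject]@{
            Subject        = $server.Subject
            HasPrivateKey  = $server.HasPrivateKey
            NotAfter       = $server.NotAfter
            # Heuristic: a root certificate names itself as its issuer.
            RootSelfSigned = ($root.Subject -eq $root.Issuer)
            ChainsToRoot   = ($built -and $top.Thumbprint -eq $root.Thumbprint)
            ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    finally {
        $server.Reset()   # release the certificate and key handles loaded from the .pfx
    }
}

$result = Test-ExportedChain -PfxPath 'lcserver.mydomain.com.pfx' -RootCerPath 'root.cer' `
    -PfxPassword (Read-Host -AsSecureString 'Password for the .pfx file')
$result | Format-List
if (-not ($result.HasPrivateKey -and $result.RootSelfSigned -and $result.ChainsToRoot)) {
    Write-Error 'Exported files are not usable as they are: check the private key, the root certificate and the chain.'
}
```

If ChainsToRoot is False, an intermediate certificate is usually missing from the export. The .pfx contains the server's private key, so keep it access-restricted while it exists.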

Create a PSE file

To create a PSE file and import the Root CA, follow these steps on the LiveCompare server.

  1. Open a command prompt.

  2. Check that the SECUDIR environment variable points to C:\SNC\SEC, and that the PATH environment variable includes C:\SNC\BIN.

  3. Run the following from the command prompt.

sapgenpse import_p12 -r <Root CA .cer file> -p <LiveCompare server certificate .pse file> <.pfx file name>

Example: sapgenpse import_p12 -r root.cer -p lcserver.pse lcserver.mydomain.com.pfx

Export the certificate

Optionally, run the following from the command prompt to export the certificate to a test .crt file.

sapgenpse export_own_cert -p lcserver.pse -o test.crt

Allow the LiveCompare service account to access the private key

To allow the LiveCompare service account to access the private key, run the following from the command prompt on the LiveCompare server.

sapgenpse seclogin -p lcserver.pse -O <LiveCompare server name>\<LiveCompare service account>

Example: sapgenpse seclogin -p lcserver.pse -O lcserver\livecompare

Obtain the value to be used in the My Name field

To obtain the value to be used in the My Name field when creating an RFC Destination for the SAP system in LiveCompare, run the following from the command prompt on the LiveCompare server.

sapgenpse seclogin -l -O <LiveCompare service account> -p <.pse file name>

Example: sapgenpse seclogin -l -O livecompare -p lcserver.pse

View the results and find the line that begins with 0 (LPS:OFF):. Copy the text, starting with CN and continuing to the end of the line. Paste the text into a temporary text file.
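
The environment check from the PSE step and the copy step above can be scripted so that the value is not mistyped. This is an added example, not LiveCompare or SAP code; the function names Test-SncEnvironment and Get-SncMyName are hypothetical, and the sample output is constructed apart from the "0 (LPS:OFF):" prefix the page describes.

```powershell
# Added example (hypothetical helpers, not vendor code).
function Test-SncEnvironment {
    # Returns a list of problems; empty when the environment matches the page.
    $problems = @()
    if ("$env:SECUDIR".TrimEnd('\') -ne 'C:\SNC\SEC') {
        $problems += "SECUDIR is '$env:SECUDIR', expected C:\SNC\SEC"
    }
    $dirs = $env:PATH -split ';' | ForEach-Object { $_.Trim().TrimEnd('\') }
    if ($dirs -notcontains 'C:\SNC\BIN') { $problems += 'PATH does not include C:\SNC\BIN' }
    $problems
}

function Get-SncMyName {
    param([string[]] $SecloginOutput)
    # Per the page: the line beginning "0 (LPS:OFF):", from "CN" to the end of the line.
    $hits = @($SecloginOutput | Where-Object { $_ -match '^\s*0 \(LPS:OFF\):' })
    if ($hits.Count -ne 1) { throw "Expected one '0 (LPS:OFF):' line, found $($hits.Count)" }
    if ($hits[0] -cmatch '(CN=.*\S)\s*$') { return $Matches[1] }
    throw 'No CN= found on the credential line'
}

# Constructed sample output: only the "0 (LPS:OFF):" prefix comes from the page;
# the subject and the surrounding lines are made up.
$sample = @(
    ' running seclogin with USER="livecompare"',
    ' 0 (LPS:OFF): CN=lcserver.mydomain.com, OU=Example, O=Example Corp, C=US   ',
    ''
)
Get-SncMyName -SecloginOutput $sample
# CN=lcserver.mydomain.com, OU=Example, O=Example Corp, C=US

# On the LiveCompare server, using the command from the page:
# $problems = @(Test-SncEnvironment)
# if ($problems.Count) { $problems; return }
# Get-SncMyName (sapgenpse seclogin -l -O livecompare -p lcserver.pse)
```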

Import the root certificate authority into your SAP system

To import the Root Certificate Authority into your SAP system, follow these steps. Note that it is not necessary to import the LiveCompare server certificate.

  1. Run transaction STRUST. In the Trust Manager: Display screen, expand the SNC SAPCryptolib folder.

  2. In the SNC SAPCryptolib hierarchy folder, double-click the object corresponding to your SAP server, and enter your SNC SAPCryptolib password.

  3. Click the Display/Change tool button to enter Change mode.

  4. Click the Import Certificate tool button, and import the Root Certificate Authority’s .cer file.

  5. Click Add to Certificate List in the Trust Manager: Change screen.

  6. Confirm that the certificate is in the Certificate List, then click the Save tool button.

Create an RFC Destination in LiveCompare

To create an RFC Destination for the SAP system in LiveCompare, follow these steps.

  1. Sign in as a LiveCompare Administrator.

  2. Select the RFC Destinations tab and click the Add button to display the RFC Destination dialog.

  3. Complete the fields as follows.

| Field | What to do |
| --- | --- |
| Name | Enter a unique name that will identify the RFC Destination. |
| Description | Enter a description for the RFC Destination. |

RFC Parameters

| Field | What to do |
| --- | --- |
| Connection Type | Select ‘Custom Application Server’. |
| SAP Router | Enter an SAP router string if required. |
| Application Server | Enter the DNS name, domain name, or IP address of the SAP Application Server. |
| Instance Number | Enter the application instance number of the SAP system to be used for the connection. |
| Client | Enter the SAP client number to be used for the connection. |
| Language | Enter the SAP code for the logon language (for example, EN for English). |
| User | Enter the SAP user ID to be used for the connection. |
| Password | Enter the SAP password for this user ID. |

SNC Parameters

| Field | What to do |
| --- | --- |
| My Name | Paste the text that you saved to the temporary text file when obtaining the value for the My Name field. |
| Partner Name | Enter the partner name to be used for the connection, prefixed with p: and ending with ”, for example, p:CN=SAPService<SID>@domain.com”. |

  4. Click Save to create the RFC Destination.

Test the RFC Destination

To test the RFC Destination, click its Test icon in the Guided Configuration screen’s RFC Destinations tab. Verify that the connection test is successful.
