Hi All,
I am facing an issue with SECUDIR path identification by secondary servers of the same SID.
As a part of SNC implementation for RFC connections, I am enabling SNC by activating the SAP Cryptolibrary certificate from STRUST.
The system is NetWeaver 7.4.
Steps:
1. I implemented the parameters required for SNC communication, except snc/enable=0.
2. Restarted the system and then created the SNC cryptolib certificate from STRUST. The certificate got created at OS level at /usr/sap//sec on the primary & secondary servers.
3. I enabled SNC using snc/enable=1.
4. I faced an issue that my primary server was trying to read certificates from HOME i.e. /global/adm, so I set parameter SETENV03 = SECUDIR=$(DIR_INSTANCE)/sec in primary instance. I restarted the instance & it worked.
5. But for secondary instance, even if I have set profile parameter SETENV for SECUDIR, it still looks for certificate at home directory.
Please see logs below:
Case 1 - SECUDIR is taken correctly in one instance
SncInit(): Initializing Secure Network Communication (SNC)
N IBM RS/6000 with AIX (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N UserId="adm" (1304), envvar USER="adm"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/sapmnt//exe/libsapcrypto.so
N File "/sapmnt//exe/libsapcrypto.so" dynamically loaded as GSS-API v2 library.
N
N Sun Jun 19 06:36:09 2016
N SECUDIR="/usr/sap//DVEBMGS05/sec" (from $SECUDIR)
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.1) to CommonCryptoLib
N Product Version = CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.43 pl40 (Oct 8 2015) MT-safe
N SncInit(): found snc/identity/as=p:CN=SAP/Kerberos
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=Indefinite
M ***LOG R1Q=> p:CN=SAP/Kerberos [thxxsnc.c 301]
M SNC (Secure Network Communication) enabled

Case 2 - SECUDIR is taken from HOME for this instance
SncInit(): Initializing Secure Network Communication (SNC)
N IBM RS/6000 with AIX (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N UserId="adm" (1304), envvar USER="adm"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/sapmnt//exe/libsapcrypto.so
N
N Sun Jun 19 07:16:53 2016
N File "/sapmnt//exe/libsapcrypto.so" dynamically loaded as GSS-API v2 library.
N SECUDIR="/home/adm/sec" (from HOME)
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.1) to CommonCryptoLib
N Product Version = CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.43 pl40 (Oct 8 2015) MT-safe
N SncInit(): found snc/identity/as=p:CN=SAP/Kerberos
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=Indefinite
M ***LOG R1Q=> p:CN=SAP/Kerberos [thxxsnc.c 301]
M SNC (Secure Network Communication) enabled

Thanks,
Devendra
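
The difference between the two traces above is the `SECUDIR="..." (from ...)` line, so a check across instances can key on it. The following is an added example, not part of the original post: it parses SncInit trace text and reports any instance whose SECUDIR was not taken from the environment variable or does not match the expected `$(DIR_INSTANCE)/sec` path. The sample traces are constructed from the lines quoted in the post; `<SID>`, `<sid>adm` and the instance name `D06` are placeholders.

```python
import re

# Line written during SncInit, e.g.  N  SECUDIR="/home/<sid>adm/sec" (from HOME)
SECUDIR_RE = re.compile(r'SECUDIR="(?P<path>[^"]*)"\s+\(from\s+(?P<origin>[^)]+)\)')
# e.g.  N  SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
PARAM_RE = re.compile(r'SncInit\(\): found (?P<key>snc/[^=\s]+)=(?P<value>.+?)(?:, using .*)?$')


def parse_snc_init(trace_text):
    """Return SECUDIR, where it was taken from, and the snc/* values found."""
    info = {"secudir": None, "origin": None, "params": {}, "enabled": False}
    for line in trace_text.splitlines():
        line = line.strip()
        if (m := SECUDIR_RE.search(line)):
            info["secudir"], info["origin"] = m["path"], m["origin"].strip()
        elif (m := PARAM_RE.search(line)):
            info["params"][m["key"]] = m["value"].strip()
        elif "SNC (Secure Network Communication) enabled" in line:
            info["enabled"] = True
    return info


def check_instance(trace_text, expected_secudir):
    """List reasons this instance is not reading its PSE from expected_secudir."""
    info, findings = parse_snc_init(trace_text), []
    if info["secudir"] is None:
        return ["no SECUDIR line found in trace"]
    if info["origin"] != "$SECUDIR":
        findings.append(f"SECUDIR taken from {info['origin']}, not from the SECUDIR environment variable")
    if info["secudir"].rstrip("/") != expected_secudir.rstrip("/"):
        findings.append(f"SECUDIR is {info['secudir']}, expected {expected_secudir}")
    return findings


# Constructed samples modelled on the two traces in the post; <SID>, <sid>adm
# and the instance name D06 are placeholders, not values from the post.
TRACE_OK = '''N  SncInit(): found snc/gssapi_lib=/sapmnt/<SID>/exe/libsapcrypto.so
N  SECUDIR="/usr/sap/<SID>/DVEBMGS05/sec" (from $SECUDIR)
N  SncInit(): found snc/identity/as=p:CN=SAP/Kerberos
M  SNC (Secure Network Communication) enabled'''
TRACE_HOME = '''N  SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N  SECUDIR="/home/<sid>adm/sec" (from HOME)
M  SNC (Secure Network Communication) enabled'''

if __name__ == "__main__":
    for name, trace, expected in [
        ("DVEBMGS05", TRACE_OK, "/usr/sap/<SID>/DVEBMGS05/sec"),
        ("D06", TRACE_HOME, "/usr/sap/<SID>/D06/sec"),
    ]:
        print(name, check_instance(trace, expected) or "OK")
```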