SAP systems include the basic security measures of SAP authorization and user authentication by password. This blog explains how to use Secure Network Connection (SNC) to extend SAP system security beyond these basic measures to include the additional protection of stronger authentication methods and encryption. This blog explains connectivity mechanisms provided by Workload Automation for SAP Software to establish a secure connection via SNC to SAP.


Workload Automation does not provide or ship SNC software, it enables to use 3rd party SNC products to secure the RFC communication.


SNC is a software layer in the SAP system architecture that provides an interface to external security products. With SNC, is possible strengthen the security of your SAP system by implementing additional security functions and protections. SNC provides application-level, end-to-end security to ensure reliable, consistent, and secure connections.

SNC is used to secure Remote Function Call (RFC) connections to SAP Advanced Business Application Programming (ABAP) systems. SNC support is implemented as a layer between the SAP kernel and an external security library that implements the Generic Security Services API (GSS-API). SAP also provides the SAP Cryptographic Library, which you can download from SAP.

Workload Automation enables you to connect to SAP systems by establishing a secure RFC connection called as SNC.

There are three levels of security protection you can apply.

Authentication only: When using the Authentication only protection level, the system verifies the identity of the communication partners. This is the minimum protection level offered by SNC.

Integrity protection: When using Integrity protection, the system detects any changes or manipulation of the data which may have occurred between the two end points of a communication.

Privacy protection: When using Privacy protection, the system encrypts the messages being transferred to make eavesdropping useless. Privacy protection also includes integrity protection of the data. This is the maximum level of protection provided by SNC.

In this document Authentication only will be considerate.


  • The SAP Cryptographic Library has been installed on the application server.
  • The SNC PSE has been created or installed on the application server.
  • If you use individual PSEs, then you have exchanged the Client and the application server’s public-key certificates.
  • The SNC profile parameters have been set and SNC has been activated on the application server



How to configure SAP Cryptographic Library is the default SAP security product performing encryption functions in SAP systems. It meets the requirements of the GSS-API V2 Interface. Download SAP Cryptographic Library (SAP authorization required).

The SAP Cryptographic Library installation package contains the following files:

  • SAP Cryptographic Library (dll for Microsoft® Windows®/ for UNIX®)
  • A corresponding license ticket
  • The configuration tool exe/sapgenpse

When using SAP Cryptographic Library for SNC, the SAP server and its communication partner system (where the Tivoli Workload Scheduler for Application r3batch runtime is installed) must both be configured for SNC.

Personal Security Environment (PSE) must be configured.

It is used by both components to verify and authenticate the remote component, and to store public-private key pairs and public-key certificates. For SNC, it is better for each component to have its own individual PSE, because.

In this document, individual PSEs are used by both systems.

Creating and configuring server PSE is required to set SAP instance profile parameters to enable SNC and specify the SNC name.

Follow the instructions below to configure PSE and activate SNC on the SAP server:

Using the trust manager (transaction STRUST):

Expand the node for the SNC PSE. If the PSE does not exist, then you must create it.

Creating the SNC PSE:

Using the trust manager (transaction STRUST):

Select the SNC PSE node.

Using the context menu, choose Create (if no PSE exists) or Replace.

The <Create/Replace> PSE dialog appears.

If the server’s SNC name is defined in the profile parameter snc/identity/as, then the system automatically determines the Distinguished Name accordingly.

Otherwise, enter the Distinguished Name parts in the corresponding fields, for example:


        Name = <SID>

        Org. (opt.) = Test

        Comp./Org. = MyCompany

        Country = US


Note: If you want to use a reference to a CA name space, then the elements contained in the CA field are automatically used for the server’s Distinguished Name.

In addition, you cannot modify the Country field.

Use the toggle function (This graphic is explained in the accompanying text) to activate or deactivate the reference to a CA name space.

Note: In addition, the application server’s Distinguished Name to use for SNC must be unique.

You cannot specify a Distinguished Name that the server uses in a different PSE, for example, the system PSE.

Choose Enter.

You return to the Trust Manager screen.

For SNC, you must assign a password to the PSE. Choose

This graphic is explained in the accompanying text Assign password.

The PSE dialog appears.

Enter a password for the PSE and choose Enter.

You return to the Trust Manager screen.

The system creates the SNC PSE and distributes it to the individual application servers. The system protects the PSE with a password and creates credentials for the server so that it can access the PSE at run-time.

Using individual PSEs, then the next step is to exchange the servers’ public-key certificates.


Green lights indicate that the SNC PSE exists and has been distributed to the application server instances.

Select one of the instances with a double-click.

The server’s Distinguished Name to use with this PSE appears in the Own certif. field. Unless you receive errors during this procedure, the SNC PSE exists on the application server and is accessible at run-time.



How to configure Workload Automation

The client system in this case is the machine where Workload Automation, r3batch, is deployed. You need to do a one-time setup process of creating a PSE on the client and creating and exchanging cryptographic key material.

Set the environment variables SECUDIR.

For example:


SECUDIR contains the license ticket obtained previously and contains the sapcrypto.dll and sapgenpse.exe file.

Create a PSE using

sapgenpse.exe: sapgenpse gen_pse -v -p PSE_FILE_NAME.

You will be asked to set a PIN, which serves as the PSE password. Then you need to enter distinguished name for the PSE owner.

Configure the PSE and create a credentials file named cred_v2 for the user. It lets client applications access the key store. This file is usable only for the current operating system user:
sapgenpse seclogin -p PSE_FILE_NAME -O USERNAME.

The SAP ABAP system and the client need to exchange the certificates in order to trust each other and communicate securely.


Export the client certificate from PSE using the following command:

sapgenpse export_own_cert -v -p PSE_FILE_NAME -o CLIENT_CERT_NAME.


Go to configured PSE on the SAP server and import the client certificate into SAP using the SAP transaction code STRUST.

Then use Import Certificate to select the certificate exported in the above step and add it to the certificate list.

Export the SAP certificate from the server: Select the server certificate and click Export:

Import the SAP certificate into the client PSE using the following command:


sapgenpse maintain_pk -v -a SERVER_CERT_NAME -p PSE_FILE_NAME


SNC has an access control list, so you need to create an entry for your client for the SAP system to allow SNC connection for RFC. On SAP, go to Transaction SM30, enter VSNCSYSACL and click Maintain.

Then click

The table is cross-client information”.



Choose “E” for the type of Type of ACL entry:

Comment wrap
Further Reading
Automation | May 17, 2022
HCL Workload Automation Observability for Splunk
The Observability is the evolution of monitoring into a process that offers insight into digital business applications, speeds innovation and enhances customer experience, basically it is an emerging set of practices, platforms, and tools that goes beyond monitoring to provide insight into the internal state of systems by analyzing external outputs.
Automation | March 4, 2022
Accelerate IT and Business Automation with Streamlined Modelling, Advanced AI and Open Integration for Observability | HCL Workload Automation Version 10
HCL Software is pleased to announce a new release for Workload Automation, Version 10. With HCL Workload Automation Orchestrate complex workflows across multiple platforms and applications with best-in-class automation solution. Boost your business with the most advanced workload scheduling, managed file transfer, and real-time monitoring capabilities for continuous automation. Keep control on your automation processes from a single point of access and monitoring!
Automation | January 6, 2022
Case Study: Regulatory Compliance Workflow through HCL Workload Automation:
In this Blog, we would go through a Regulatory Compliance UseCase where a Customer wanting to perform a Transaction at a Gaming Kiosk undergoes a series of Background Checks and Validations to know if he is eligible to proceed with the Transaction, the checks while happening in the background through HCL Workload Automation in real time within a few seconds would seamlessly allow the Customer to proceed with the Transaction. Incase the Customer is blacklisted then he is blocked from performing the Transaction, likewise incase there is suspicion of Money Laundering, the Customer is blocked from progressing with the Transaction.
Filters result by