SAP Agent is not connecting via SNC: "Unencrypted communication is rejected"

book

Article ID: 196819

calendar_today

Updated On:

Products

CA Automic Workload Automation - Automation Engine CA Automic Workload Automation - Automation Engine

Issue/Introduction

While trying to implement SNC communication with the SAP Agent towards a SAP System with SNC enabled, the Agent refuses to connect to SAP as the certificate seems not to be used by the Agent.
Error in the Agent log:

20200707/174311.357 - U02004172 Error while calling function module 'RFC_SYSTEM_INFO'.
20200707/174311.357 -  Initialization of repository destination XX failed: Unencrypted communication is rejected by this system on SAP_SYSTEM


Cause

Agent SAP had been started by a Service Manager that had not set the necessary environment variables (SECUDIR among others)

Environment

Release : 12.x

Component : AUTOMATION ENGINE

Subcomponent: Agent SAP

Resolution

To fix the problem, please start the SAP Agent manually from a shell where the SECUDIR and other related SAP SNC variables are set or from  a Service Manager that has these variables set.

In order to find out what are the environment variables of a process on AIX, try the command:

ps eww PID_OF_THE_PROCESS | tr ' ' '\n' | grep = | sort

For example:
[email protected]:/automic/uc4/agents/FRSTAIX727_WO122_SAP121/bin#export SECUDIR=/tmp
[email protected]:/automic/uc4/agents/FRSTAIX727_WO122_SAP121/bin#java -jar ucxjr3x.jar &
[1] 13107356
[email protected]:/automic/uc4/agents/FRSTAIX727_WO122_SAP121/bin#ps eww 13107356 | tr ' ' '\n' | grep = | sort
SECULIB=/tmp

Additional Information

You can set the SECUDIR and its environment variables by following these steps:

1. Created SECUDIR in my users home dir. eg. /home/uc4/sec

2. Set the ENV variable of SECUDIR=/home/uc4/sec

3. Placed my libsapcrypto.so in the SECUDIR directory.

4. Used sapgenpse utility to create the SAPSNCS.pse with the root signed ca cert.

5. Initialized the .pse with user uc4 (user who starts the agent). ./sapgenpse seclogin -p SAPSNCS.pse

Return:

running seclogin with USER="uc4"
 Added SSO-credentials for PSE "/home/uc4/sec/SAPSNCS.pse"

6. Enable SNC in connection object and add the library for the cryto:

/home/uc4/sec/libsapcrypto.so

7. lastly partner name in connection was provided by SAP team as their application give that output.

 

Check SAP notes:

https://launchpad.support.sap.com/#/notes/1827566