
Setting up the agents with SNC

Secure Network Communications (SNC) is a software layer in the SAP system architecture that provides an extra level of security by protecting the data communication paths between various SAP components.

While standard connections might send data in a relatively open format, SNC integrates your SAP system with an external security product (using the GSS-API V2 interface). This allows you to apply enterprise-grade security logic to traffic that doesn't stay within a single protected network segment.

Implementing SNC is critical for three main reasons:

  • Data encryption: It ensures that sensitive business data (like financial records or PII) is encrypted while in transit between the Celonis agent and your SAP server, preventing "man-in-the-middle" sniffing.

  • Authentication: It provides strong proof of identity for both the client and the server, ensuring that the Celonis agent is only talking to your authorized SAP instance.

  • Data integrity: It guarantees that the data sent by SAP reaches the Celonis agent without being altered or tampered with during transmission.

By setting up SNC, you move from a basic connection to a hardened, production-ready integration that meets modern IT compliance standards.

Before you can set up the agents with SNC:

  • Make sure that you have connected the agent to Celonis Platform.

  • We recommend that you first run SAP automation without SNC. This will allow you to isolate any potential issues to the SNC component.

While you might be working in a Windows environment, the process for creating your Personal Security Environment (PSE) and certificates is nearly identical to the Linux workflow. The main difference you'll notice is that you will execute batch files instead of shell scripts.

To configure your Windows agent:

  1. Navigate to your directory: Open your command prompt and go to:

    <on_prem_clients_path>/Shared/snc
  2. Create your PSE: Run the following command, replacing the placeholders with your specific organizational details and a secure password:

    snc_create_pse.bat "CN=<your_name>,OU=<your_unit>,O=<your_org>,C=<your_country>" <your_password>
  3. Add your server certificate: Finalize the setup by linking your SAP server certificate. If you plan to run the agent as a background service, ensure you include the LOCALSERVICE argument:

    snc_add_pse_cert.bat <server_certificate_path> <your_password> LOCALSERVICE

Important things for you to remember:

  • Use Relative Paths: We recommend that you use a relative path for your <server_certificate_path>. If you move or rename your directory later, your certificate link will break, and you'll have to generate a new one.

  • Check your Service Permissions: If you forget to add the LOCALSERVICE argument when running your script, your Windows service won't be able to access the SNC credentials. If this happens, you don't need to start over; simply go to your Windows Services, open the Agent Properties, and update the Log On tab to use the specific user account you used to run the scripts.

  • Verify without SNC first: Before you flip the switch on security, make sure your agent connects to the Celonis Platform successfully over a standard connection. This helps you isolate any troubleshooting to just the SNC configuration.

If you are operating in a Linux environment, you will use shell scripts to configure your security layer. The logic remains the same as other operating systems, but you must ensure your script permissions are correctly set before beginning.

To configure your Linux agent:

  1. Create your PSE file: Run the following command to generate your Personal Security Environment. Replace the placeholders with your specific organizational details and a secure password:

    ./snc_create_pse.sh "CN=<your_name>,OU=<your_unit>,O=<your_org>,C=<your_country>" <your_password>

    Note

    This command creates the RFC.pse and RFC.crt files in your shared/sec directory. Your RFC.crt acts as a public key; you must now import this file into your SAP system.

  2. Exchange Certificates: After you have successfully imported the agent's certificate into your SAP server, export the server's own certificate and save it to a local file.

  3. Add the server certificate to your PSE: Once you have acquired the server's certificate, add it to your newly-created PSE by running the following script from your shared/snc directory:

    ./snc_add_pse_cert.sh <server_certificate_path> <your_password>

When setting up your Linux environment, we recommend:

  • Permissions Check: Before running the scripts, ensure they are executable. If you encounter a "Permission Denied" error, you can grant the necessary rights by running chmod +x *.sh in the script directory.

  • Keep your Password Secure: You will need the password you created in Step 1 to finalize the connection in Step 3. Ensure you store this in your password manager, as a lost PSE password requires you to delete the files and start the process over.

  • Environment Variables: Ensure your SECUDIR environment variable points to the directory where your libsapcrypto.so is located; otherwise, the scripts may fail to find the cryptographic library.
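
The checks recommended above can be run as a pre-flight before Step 1 and again after the PSE is created. This is an added example, not part of the Celonis scripts; the function names snc_preflight and pse_is_private are hypothetical, and the directories are passed in by the caller rather than assumed.

```shell
#!/bin/sh
# Added example (not Celonis code): pre-flight checks for the Linux SNC setup.
# File names are the ones this page mentions; function names are hypothetical.

# Usage: snc_preflight <script_dir> "$SECUDIR"
snc_preflight() {
    script_dir=$1
    secudir=$2
    rc=0

    # Both helper scripts must exist and be executable,
    # otherwise the run ends in "Permission Denied".
    for s in snc_create_pse.sh snc_add_pse_cert.sh; do
        if [ ! -f "$script_dir/$s" ]; then
            echo "MISSING  $script_dir/$s"; rc=1
        elif [ ! -x "$script_dir/$s" ]; then
            echo "NOEXEC   $script_dir/$s (fix: chmod +x $s)"; rc=1
        fi
    done

    # SECUDIR must point at the directory that holds libsapcrypto.so.
    if [ -z "$secudir" ] || [ ! -d "$secudir" ]; then
        echo "SECUDIR  unset or not a directory"; rc=1
    elif [ ! -f "$secudir/libsapcrypto.so" ]; then
        echo "NOLIB    libsapcrypto.so not found in $secudir"; rc=1
    fi
    return $rc
}

# Usage: pse_is_private <path to RFC.pse>
# The PSE holds the agent's private key, so it should carry no
# group or other permission bits (for example mode 600).
# Returns 0 if private, 1 if group/other bits are set, 2 if missing.
pse_is_private() {
    pse=$1
    [ -f "$pse" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$pse" | cut -c5-10)
    [ "$perms" = "------" ]
}
```

Run snc_preflight before creating the PSE, and pse_is_private on RFC.pse afterwards; a non-zero return from either means the setup needs attention before the agent is started.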
