question

Andre V. avatar image
Andre V. asked ·

How to confirm SAP SNC decryption is working

How does one confirm that SAP SNC traffic is correctly decrypted, once the steps are completed to create the keytab file and enable the AMD to use them?


I don't see any change in the monitoring data and I still see SNCFRAME in the packets when inspecting them via Wireshark (captured on AMD with keytab files present and config done as per docs).
configurationnam probesap
10 |2000000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

1 Answer

Jacek J. avatar image
Jacek J. answered ·

Hello Andre,


Please, have a look at https://www.dynatrace.com/support/doc/nam/sap-monitoring/kerberos-keys-for-sap-snc-decryption-on-amd/

If more detailed help is needed, please, report support ticket and you'll receive assistance from our support and development teams.


Best Regards,


Jacek

7 comments Share
10 |2000000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

Hi Jacek, thanks I'm aware of the documentation and followed the steps but it's not clear if it's working, so I've already opened a support ticket :-)

Cheers, André

0 Likes 0 · ·

keep us posted on the progress please. Having a similar issue.

0 Likes 0 · ·

If you're using HS AMD (12.4.15 or later), you can use the 'rcon' command:

sncdecr status

to help figure out if your keytab files are being used/recognized. That command is not available in Classic AMD though.

0 Likes 0 · ·

And then probably you do not want to see this:

>$ sncdecr status
SNC DECRYPTION STATUS:
        CONFIGURATION:
                Keys recognized=0
                Available keys:
                        NO KEYS AVAILABLE


0 Likes 0 · ·

Indeed, not what you want to see! ;-)

This is more what you want:

rcon
Dynatrace RTM Console, ver. ndw.12.4.15.25 RHEL7_x86_64
Log file: /var/log/adlex/rcon.log
>$ sncdecr status
SNC DECRYPTION STATUS:
        CONFIGURATION:
                Keys recognized=1

NO KEYS AVAILABLE tells me that the keys are either not present, or not loaded in memory. Did you follow the steps in the docs, how to create the keylist file etc.? That's assuming the keytab files you have, are correct and of a supported SNC library, of course. Something like SAP's GSS-API v2 over NTLM (SSPI) is not a supported library, since NTLM is not supported, only Kerberos.

0 Likes 0 · ·

We have a SAP SCM implementation that is monitored with SAP GUI and SAP GUI over HTTP decodes. Also for those we like to know if decryption is working.
I am not familiar to SAP. Perhaps the keys are not needed there?

0 Likes 0 · ·

I'm learning as I go along, I'm no SAP expert myself, not by a long shot!

What I can say is that from what I've seen, if you have SNC traffic on the wire, and you're using a 2017 or newer AMD, you will see SAP-SNC-Encrypted traffic if you look at the SAP GUI software service's Operations.

If you don't see that, chances are good SNC is not used; the SAP BASIS team should also be able to confirm if SNC is implemented or not.

If you do see SNC traffic in NAM (DCRUM), you'll need the keytab files to decrypt the SNC traffic on the AMD. But they have to use Kerberos, as NTLM is not supported.

0 Likes 0 · ·