Hi All,

I am facing an issue with SECUDIR path identification by secondary servers of the same SID.
As a part of SNC implementation for RFC connections, I am enabling SNC with activation of the SAP Cryptolibrary certificate from STRUST.
System is NetWeaver 7.4.

Steps:

1. I implemented the parameters required for SNC communication, except snc/enable=0.
2. Restarted the system and then created the SNC cryptolib certificate from STRUST. The certificate got created at OS level at /usr/sap//sec on the primary & secondary servers.
3. I enabled SNC using snc/enable=1.
4. I faced an issue that my primary server was trying to read certificates from HOME, i.e. /global/adm, so I set parameter SETENV03 = SECUDIR=$(DIR_INSTANCE)/sec in the primary instance. I restarted the instance & it worked.
5. But for the secondary instance, even though I have set the profile parameter SETENV for SECUDIR, it still looks for the certificate in the home directory.

Please see logs below:

Case 1 - SECUDIR is taken correctly in one instance

SncInit(): Initializing Secure Network Communication (SNC)
N       IBM RS/6000 with AIX (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N       UserId="adm" (1304), envvar USER="adm"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/sapmnt//exe/libsapcrypto.so
N   File "/sapmnt//exe/libsapcrypto.so" dynamically loaded as GSS-API v2 library.
N
N Sun Jun 19 06:36:09 2016
N   SECUDIR="/usr/sap//DVEBMGS05/sec" (from $SECUDIR)
N   The internal Adapter for the loaded GSS-API mechanism identifies as:
N   Internal SNC-Adapter (Rev 1.1) to CommonCryptoLib
N   Product Version = CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.43 pl40 (Oct 8 2015) MT-safe
N SncInit(): found snc/identity/as=p:CN=SAP/Kerberos
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=Indefinite
M ***LOG R1Q=> p:CN=SAP/Kerberos [thxxsnc.c   301]
M SNC (Secure Network Communication) enabled

Case 2 - SECUDIR is taken from HOME for this instance

SncInit(): Initializing Secure Network Communication (SNC)
N       IBM RS/6000 with AIX (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N       UserId="adm" (1304), envvar USER="adm"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/sapmnt//exe/libsapcrypto.so
N
N Sun Jun 19 07:16:53 2016
N   File "/sapmnt//exe/libsapcrypto.so" dynamically loaded as GSS-API v2 library.
N   SECUDIR="/home/adm/sec" (from HOME)
N   The internal Adapter for the loaded GSS-API mechanism identifies as:
N   Internal SNC-Adapter (Rev 1.1) to CommonCryptoLib
N   Product Version = CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.43 pl40 (Oct 8 2015) MT-safe
N SncInit(): found snc/identity/as=p:CN=SAP/Kerberos
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=Indefinite
M ***LOG R1Q=> p:CN=SAP/Kerberos [thxxsnc.c   301]
M SNC (Secure Network Communication) enabled

Thanks,
Devendra
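
An added example, not part of the original post: a small check that reads the SncInit() section of each instance's trace and reports which instances resolved SECUDIR from something other than $SECUDIR. It assumes the trace line layout shown in the two logs above; the function names and the labels instance_a and instance_b are hypothetical.

```python
import re

# Line layout taken from the traces in the post, e.g.
#   N   SECUDIR="/home/adm/sec" (from HOME)
SECUDIR_RE = re.compile(r'SECUDIR="([^"]*)" \(from ([^)]+)\)')
IDENTITY_RE = re.compile(r"found snc/identity/as=(\S+)")
ENABLED_RE = re.compile(r"SNC \(Secure Network Communication\) enabled")

def parse_snc_init(trace_text):
    """Collect the SNC start-up facts from one work-process trace."""
    info = {"secudir": None, "source": None, "identity": None, "enabled": False}
    for line in trace_text.splitlines():
        if m := SECUDIR_RE.search(line):
            info["secudir"], info["source"] = m.group(1), m.group(2)
        elif m := IDENTITY_RE.search(line):
            info["identity"] = m.group(1)
        elif ENABLED_RE.search(line):
            info["enabled"] = True
    return info

def audit(traces):
    """Flag instances whose PSE directory was not taken from $SECUDIR."""
    findings = []
    for name, text in sorted(traces.items()):
        info = parse_snc_init(text)
        if info["secudir"] is None:
            findings.append((name, "no SECUDIR line in trace"))
        elif info["source"] != "$SECUDIR":
            # As in the second log, SNC can still report "enabled" in this
            # state, so the final status line alone does not show the problem.
            state = "enabled" if info["enabled"] else "not enabled"
            findings.append((name, f"SECUDIR {info['secudir']} came from "
                                   f"{info['source']}; SNC {state}"))
    return findings

# Constructed sample input: lines copied from the two traces in the post.
TRACES = {
    "instance_a": 'N   SECUDIR="/usr/sap//DVEBMGS05/sec" (from $SECUDIR)\n'
                  "N SncInit(): found snc/identity/as=p:CN=SAP/Kerberos\n"
                  "M SNC (Secure Network Communication) enabled\n",
    "instance_b": 'N   SECUDIR="/home/adm/sec" (from HOME)\n'
                  "N SncInit(): found snc/identity/as=p:CN=SAP/Kerberos\n"
                  "M SNC (Secure Network Communication) enabled\n",
}

if __name__ == "__main__":
    for name, message in audit(TRACES):
        print(f"{name}: {message}")
```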