
How to tell which SAP system uses what cipher (SNC)?

bart_engels
Participant

We have many systems using SAP SNC. All SPNs are added to keytab files and in general this is working fine. Some clients seem to use an unsupported cipher (DH), but how do we find out which SAP SID or users use an unsupported cipher?

Output from sncdecr status:

Cipher suite diagnostic:
Well know ciphers:
010000010000010102020201=172
010000010000010202020201=446247
Unknown ciphers:
0101000900004000=1 (Diffie-Hellman)
Well know mechanisms:
OID=1.3.36.3.1.37.1 ref=446546
Unknown mechanisms:

I cannot find any solution on the probe or in the reports for this. Any suggestion anyone?
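
One way to pull the counters out of the output quoted above so that a rise under "Unknown ciphers" can be tracked over time (an added example, not part of the original post and not Dynatrace code). It assumes the layout is exactly as quoted in the post; the function names are hypothetical, and it only reads the counters, it does not attribute them to a SID, user or client IP.

```python
import re

# Sample input: the "sncdecr status" output quoted in the post above.
SAMPLE = """\
Cipher suite diagnostic:
Well know ciphers:
010000010000010102020201=172
010000010000010202020201=446247
Unknown ciphers:
0101000900004000=1 (Diffie-Hellman)
Well know mechanisms:
OID=1.3.36.3.1.37.1 ref=446546
Unknown mechanisms:
"""

# "<hex id>=<counter>" with an optional "(label)", as in the quoted output.
CIPHER_RE = re.compile(r"^([0-9A-Fa-f]+)=(\d+)(?:\s+\((.+)\))?$")
# "OID=<dotted oid> ref=<counter>", as in the quoted output.
MECH_RE = re.compile(r"^OID=([\d.]+)\s+ref=(\d+)$")

def parse_status(text):
    """Group entries by section header: {section: [(id, count, label)]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # tolerate blank lines between entries
        if line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line) or MECH_RE.match(line)
        if m and current is not None:
            ident, count, *label = m.groups()
            sections[current].append((ident, int(count), label[0] if label else None))
    return sections

def unsupported(sections):
    """Entries under any 'Unknown ...' section, and the sum of all cipher counters."""
    total = sum(c for s, e in sections.items() if s.lower().endswith("ciphers") for _, c, _ in e)
    hits = [(s, i, c, l) for s, e in sections.items() if s.startswith("Unknown") for i, c, l in e]
    return hits, total

if __name__ == "__main__":
    hits, total = unsupported(parse_status(SAMPLE))
    for section, ident, count, label in hits:
        print(f"{section}: {ident} ({label or 'no label'}) count={count} of {total}")
```
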


4 REPLIES 4

Krzysztof_Ziemi
Dynatrace Pro

"find out which SAP SID or users use an unsupported cipher" is a catch-22: you can't get to know the SID and user name without decryption.

Use "sncdecr status all" to get more information on servers for which DH is enabled. Since encryption is typically configured per server, that should suffice.

Hope this helps


bart_engels
Participant

The difficulty is that we are using a SAP Router. Meaning all traffic is to one server only, so I am unable to tell the difference from the "sncdecr status all" command.

I was hoping there would be a way to identify the user or client IP address that is using the unsupported cipher. Would that be possible, you think?


Krzysztof_Ziemi
Dynatrace Pro

Hi Bart,

If a router is involved, that's not possible with the current version. But it will be possible in one of the upcoming updates to release 2019 (yes, we plan updates already, even though 2019 GA is a month away :-)

In the meantime, you may open a Support call with this request; development may be able to provide you with a custom AMD build with that new feature added for testing/debug in your environment (assuming the AMDs you have are not too old).

Best regards


bart_engels
Participant

Thanks Kris. Great to hear that it will be available in the 2019 updates. I'll check with support to see if we can get a custom build. Our AMD is fully up-to-date 🙂