Verify SAP SNC connections with SncVerify

Configuring SNC (Secure Network Communications) for SAP typically involves multiple steps across different tools: creating a PSE with sapgenpse, exchanging certificates via STRUST, configuring RFC destinations, and hoping everything works when you finally try to connect. When it doesn't, the error messages from sapnwrfc are often cryptic and hard to diagnose.

SncVerify is a free, open-source tool that simplifies this process. It provides an interactive setup wizard, automated certificate exchange, and diagnostic checks — all from a single command-line tool that SAP Basis administrators can use without development knowledge.

What you need

Download the latest release of SncVerify from releases.dbosoft.eu/sncverify.

Then get the following downloads from the SAP Software Center (x64 for your OS):

Extract all files from the SAP NW RFC SDK (not just sapnwrfc.dll — the SDK includes additional required libraries like icudt50.dll, libsapucum.dll, etc.) and all files from SAPCRYPTOLIB (sapcrypto.dll, sapgenpse.exe, etc.) into the same directory as the sncverify executable.

Running the setup wizard

The setup wizard guides you through the entire SNC configuration:

sncverify setup

The wizard will:

1. Check SAP libraries — verifies that all required SAP files are present
2. Ask for your scenario — client only (RFC client with SNC) or server (RFC server registration, includes client)
3. Collect SAP connection parameters — application server, system number, client, etc.
4. Collect SNC settings — your SNC name and the quality of protection level
5. Create a PSE — automatically generates a secure PSE with a complex PIN and SSO credentials
6. Export your certificate — ready for import into SAP STRUST
7. Connect to SAP — optionally reads SAP's SNC configuration and exchanges certificates

SAP-side configuration

After the setup wizard completes, you need to configure the SAP system. The exact steps depend on your scenario.

Importing the certificate into STRUST

1. Open transaction STRUST
2. Navigate to the SNC SAPCryptolib node (SAPSNCS)
3. Import the certificate file shown by the setup wizard (or run sncverify own_cert show to see the path)
4. Add the certificate to the Certificate List (trusted certificates)

Client mode setup

For client mode (e.g., testing SNC from an external tool to SAP):

1. Open transaction SU01 and select the SAP user
2. On the SNC tab, enter the SNC name shown during setup (e.g., p:CN=SNCVERIFY, O=dbosoft)
3. Save the user

Server mode setup

For server mode (e.g., receiving IDocs via SNC):

1. Open transaction SM59 and create a TCP/IP RFC destination
2. Set the program ID (e.g., SNCVERIFY)
3. On the Logon & Security tab, enable SNC and enter the SNC name
4. Assign a communication user to the destination
5. In SMGW, configure the gateway security (reginfo) to allow your program ID

Verifying the setup

Once the SAP-side configuration is complete, use the check and run commands to verify everything works.

Running diagnostics

sncverify check

This connects to SAP (prompting for credentials) and verifies:

• SNC is enabled on the SAP system (snc/enable = 1)
• SAP's SNC identity is configured (snc/identity/as)
• SAP's SNC crypto library is set (snc/gssapi_lib)
• SAP's server certificate is imported in your local PSE
• Your certificate is trusted by SAP (in STRUST)

Each check runs independently — if one fails, you get specific instructions on what to fix, and the remaining checks still run.

For a quick local-only check (no SAP connection):

sncverify check --local-only

Testing the client connection

sncverify run client

This connects to SAP with SNC enabled and SSO (no password prompt). It performs an RFC ping and calls BAPI_USER_GET_DETAIL to confirm the data exchange works. If this succeeds, your SNC client setup is complete.

Testing the server registration

sncverify run server

This registers at the SAP gateway as an IDOC receiver with SNC. The tool shows real-time state changes (starting, running, broken, stopped) and any errors from the gateway.

To verify the connection from the SAP side, open transaction SE37, enter function module IDOC_INBOUND_ASYNCHRONOUS, and run it (F8) specifying your RFC destination. It doesn't matter that no real IDoc data is sent — the tool will log the incoming call, confirming that the SNC server connection works.

Press any key to stop the server. If registration is rejected (e.g., due to gateway security), the tool shows the error and exits automatically.

Certificate management

The setup wizard handles certificate exchange automatically when possible. For manual certificate management, use these commands:

# Show your own certificate details and file path
sncverify own_cert show

# Export your certificate (for import into SAP STRUST)
sncverify own_cert export

# Import SAP's certificate (exported from STRUST)
sncverify sap_cert import <certfile>

# Show certificates trusted in your local PSE
sncverify sap_cert show

Configuration

All settings are stored in sncverify.json in the user profile directory (%APPDATA%\sncverify\sec on Windows, ~/.sncverify/sec on Linux) alongside the PSE. You can view and edit them:

# Show all settings
sncverify config list

# Change a single setting
sncverify config set ASHOST newserver.example.com
sncverify config set SNC_QOP 9

The configuration uses the same parameter names as the SAP NW RFC SDK: ASHOST, SYSNR, CLIENT, LANG, SAPROUTER, GWHOST, GWSERV, PROGRAM_ID, SNC_QOP, SNC_MYNAME, SNC_PARTNERNAME, SNC_SSO, PCS.

Troubleshooting

Summary

Setting up SNC for SAP no longer has to be a trial-and-error process. With SncVerify, you get a guided setup that handles PSE creation and certificate management automatically, diagnostic checks that tell you exactly what's missing or misconfigured, and verification commands that prove the SNC connection actually works — both as client and server.

Download SncVerify from releases.dbosoft.eu/sncverify, place it next to your SAP libraries, run sncverify setup, and follow the prompts. The tool takes care of the rest.