After setting up SAP SNC Encryption no target system browsing in Sync-Editor possible any more

Use a remote connection (via the JobService) to connect to the SAP system.

Use a remote connection (via the JobService) to connect to the SAP system.

Hi Markus, thank you for your answer.

I tried to connect via remote connection.

I folowed the instructions under [1].

Under "To set up a remote connection for an existing synchronization project." in list point 3a it says, i can choose a jobserver, that " has the server function One Identity Manager Service installed" assigned. I have to Jobservers with this function, but i cannot choose them.

In list point 3b it says: 

"Select remote connection server manually.

• Server: Full server name or the IP address of the server.

• Port: The RemoteConnectPlugin uses port 2880."

What Server do i have to provide here? A One Identity Jobserver, from which a connection to the target system is possible or the target system itself?

If i provide a jobserver, from which a connection to the target system is possible, and i try to connect it says:

"Unable to connect to the remote server, No connection could be made because the target machine, actively refused it XXX.XXX.XXX.XXX:2880"

So there seems to be a firewall rule missing. 

Do i understand this right, that i have to open the port 2880 on jobserver X to access it via remote connection from the synceditor who too is installed on jobserver X?

[1] https://support.oneidentity.com/de-de/technical-documents/identity-manager/9.2/target-system-synchronization-reference-guide/4#TOPIC-2079333

Let's start with the version of OneIM you are using?  

Alexander Seidl said:

What Server do i have to provide here? A One Identity Jobserver, from which a connection to the target system is possible or the target system itself?

Yes, you have to select a Job Service who is able to connect to the target system (SAP in your case) and who has the remote connection plugin configured.

And yes, you may need to configure the port in the firewall as the https connection request is not magically mapped to localhost just because you are sitting on the same host with your Synchronization Editor.

In addition you need to specify the certificate to use for both ports manually like explained here for the remote connection plugin. As the remote connection is always secured by TLS.

Identity Manager 9.2 - Target System Synchronization Reference Guide (oneidentity.com)

Permissions for the One Identity Manager Service user account.

The RemoteConnectPlugin uses an internal HTTPS server for remote access. The user account's permissions for the One Identity Manager Service must be extended accordingly.

• Users require permission to open an HTTP server. The administrator must grant URL approval to the user to do this. This can be run with the following command line call:

  netsh http add urlacl url=https://+:<port number>/Remoting/ user=<domain>\<user name> listen=yes

• If the One Identity Manager Service has to run under the Network Service's user account (NT Authority\NetworkService), explicit permissions for the internal web service must be granted. This can be run with the following command line call:

  netsh http add urlacl url=https://+:<port number>/Remoting/ user="NT AUTHORITY\NETWORKSERVICE" listen=yes

• You can check the result with the following command line call:

  netsh http show urlacl

The RemoteConnectPlugin port certificate

• The RemoteConnectPlugin port must be assigned a certificate because the RemoteConnectPlugin uses HTTPS for remote access. This can be run with the following command line call:

  netsh http add sslcert ipport=0.0.0.0:<port number> certhash=<certificate thumbprint> appid="{F06D38CA-DF0F-4D72-BC33-D3F6472A8DEE}"

• You can check the result with the following command line call:

  netsh http show sslcert

The RemoteConnectPlugin uses System.Net.HttpListener for the web interface.

Hi Markus,

wie use OI Version 9.1.1.158.

I provided the permissions to the One Identity Manager Service as described in "Permissions for the One Identity Manager Service user account.".

The RemoteConnectPlugin needs a acertificate assigned as described in "The RemoteConnectPlugin port certificate".

Do i have to create a new certificate? And if so what kind of certificate do i have to create?

Regards,

Alexander

Markus Weiss-Ehlers said:

The RemoteConnectPlugin port must be assigned a certificate because the RemoteConnectPlugin uses HTTPS for remote access

I further stumpled upon this line here.

This means that an ISS Server has to serve https request on the Jobserver that can connect with SAP and that a want to connect to via remote connection, right?

This has nothing to do with the IIS. If you look at the documentation section I've posted, you can see that you need to configure the port 2880 with netsh to allow TLS and assign a certificate (like you would for any HTTPS-Service).

Hi Markus,

thank you very much for your assistence.

I am not a certificate expert.

The command that you posted to assign a certificate to RemoteConnectionPlugin needs a "certificate thumbprint".

You write I have to assign a certifiate like I would do for any HTTPS Service.

I googled a bit to find solutions, but creating the right cert for a special port (or perhaps using an existing one) seems not to be trivial.

Is there perhaps a knowledge base article or any other related source that describes how exactly i can assign a RemoteConnectPlugin port certificate?

Thanks in advance,

Alexander

I managed to "Bind an SSL certificate to a port number" [1]

I used an existing server certificates thumbprint.

I first encountered "SSL Certificate add failed, Error 1312 A specified logon session does not exist. It may already have been terminated." I could bypass it by providing an additional parameter to the netsh command that specifies the certificate store:

[2]

SSL Certificate bindings:

IP:port: 0.0.0.0:2880
Certificate Hash:8eb2b9e344ea2bbffb246451d5c29d01d0bf2b97
Application ID:{f06d38ca-df0f-4d72-bc33-d3f6472a8dee}
Certificate Store Name:Remote Desktop
Verify Client Certificate Revocation: Enabled
Verify Revocation Using Cached Client Certificate Only: Disabled
Usage Check: Enabled
Revocation Freshness Time: 0
URL Retrieval Timeout: 0
Ctl Identifier: (null)
Ctl Store Name: (null)
DS Mapper Usage: Disabled
Negotiate Client Certificate: Disabled
Reject Connections: Disabled
Disable HTTP2: Not set
Disable QUIC: Not set
Disable TLS1.2: Not set
Disable TLS1.3: Not set
Disable OCSP Stapling: Not set
Disable Legacy TLS Versions: Not set

[2]

support.oneidentity.com/.../3