Setting up the agents with SNC
To use Secure Network Communications (SNC) for SAP, use the scripts provided in the on-prem clients installation package.
Before you begin
Make sure that you have connected the agent to Celonis Platform.
Stop the agent before configuring the SNC.
Creating your own Personal Security Environment (PSE) file and certificate in Windows is nearly identical to the process of doing it on Linux. See Linux. The difference is that you'll have to use batch files (defined under Shared/snc) instead of shell scripts. Once the certificates have been exchanged, the agent can be executed using the start_agent_with_snc.bat batch
file. Here's an overview:
cd <on_prem_clients_path>/Shared/snc snc_create_pse.bat "CN=<some_name>,OU=<org_unit>,O=<organization>,C=<country>" <your_password> snc_add_pse_cert.bat <server_certificate_path> <your_password> SYSTEM
The last argument (SYSTEM
) will use the Local System account to add the credentials. By default, if no username is provided, the script will use the logged-in user to add the certificate. If you decide to start the agent as a Windows service without providing the SYSTEM
option, the service won't be able to use SNC because the service uses the Local System account while the credentials have been created with a different user. In which case you would have to go to Windows services, select the agent service, go to Properties > Log On > This account and use the user you've run the script with.
To run the agent as a Windows service, you must use the install_and_start_with_snc.bat
script:
cd "<on_prem_clients_path>/Automation Agent" install_and_start_with_snc.bat
Alternatively, you can start the agent directly by executing a batch file (start_agent_with_snc.bat)
which you can find in either agent folder:
cd "<on_prem_clients_path>/Automation Agent" start_agent_with_snc.bat
Run the following command to create the Personal Security Environment (PSE) file:
./snc_create_pse.sh "CN=<some_name>,OU=<org_unit>,O=<organization>,C=<country>" <your_password>
This will create the RFC.pse and the RFC.crt files in the shared/sec directory. RFC.crt is the certificate that will act as a sort of public key which you'll have to import into your SAP system.
After importing the agent's certificate into your SAP server, you can export the server's certificate and store it in a file.
Once the server's certificate has been acquired, add it your newly-created PSE by running the following script in the
shared/snc
directory:./snc_add_pse_cert.sh <server_certificate_path> <you_password>
After the certificates have been exchanged between the agent and the SAP server, the Extraction agent can be started using the following script (defined in the extraction-agent directory):
./start-celonis-agent-with-snc.sh