Skip to main content

Celonis Product Documentation

Setting up the agents with SNC

To use Secure Network Communications (SNC) for SAP, use the scripts provided in the on-prem clients installation package.

Before you begin

  • Make sure that you have connected the agent to Celonis Platform.

  • Stop the agent before configuring the SNC.

Creating your own Personal Security Environment (PSE) file and certificate in Windows is nearly identical to the process of doing it on Linux. See Linux. The difference is that you'll have to use batch files (defined under Shared/snc) instead of shell scripts. Once the certificates have been exchanged, the agent can be executed using the start_agent_with_snc.bat batch file. Here's an overview:

cd <on_prem_clients_path>/Shared/snc
snc_create_pse.bat "CN=<some_name>,OU=<org_unit>,O=<organization>,C=<country>" <your_password>
snc_add_pse_cert.bat <server_certificate_path> <your_password> SYSTEM

The last argument (SYSTEM) will use the Local System account to add the credentials. By default, if no username is provided, the script will use the logged-in user to add the certificate. If you decide to start the agent as a Windows service without providing the SYSTEM option, the service won't be able to use SNC because the service uses the Local System account while the credentials have been created with a different user. In which case you would have to go to Windows services, select the agent service, go to Properties > Log On > This account and use the user you've run the script with.

To run the agent as a Windows service, you must use the install_and_start_with_snc.bat script:

cd "<on_prem_clients_path>/Automation Agent"
install_and_start_with_snc.bat

Alternatively, you can start the agent directly by executing a batch file (start_agent_with_snc.bat) which you can find in either agent folder:

cd "<on_prem_clients_path>/Automation Agent"
start_agent_with_snc.bat
  1. Run the following command to create the Personal Security Environment (PSE) file:

    ./snc_create_pse.sh "CN=<some_name>,OU=<org_unit>,O=<organization>,C=<country>" <your_password>

    This will create the RFC.pse and the RFC.crt files in the shared/sec directory. RFC.crt is the certificate that will act as a sort of public key which you'll have to import into your SAP system.

    After importing the agent's certificate into your SAP server, you can export the server's certificate and store it in a file.

  2. Once the server's certificate has been acquired, add it your newly-created PSE by running the following script in the shared/snc directory:

    ./snc_add_pse_cert.sh <server_certificate_path> <you_password>
  3. After the certificates have been exchanged between the agent and the SAP server, the Extraction agent can be started using the following script (defined in the extraction-agent directory):

    ./start-celonis-agent-with-snc.sh