Kerberos keys for SAP SNC decryption on NAM Probe

To monitor encrypted SAP SNC traffic, the NAM Probe needs a copy of the Kerberos keys that are used by the SAP system. These keys are stored in keytab files on Kerberos servers.

Note

NAM supports SNC decryption for Kerberos only with the following SNC library: Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2. Other SNC libraries are not supported.

Keytab overview

A keytab is a file containing pairs of Kerberos principals and encrypted keys, which are derived from the Kerberos password. The most common personal use of keytab files is to allow machines to authenticate to Kerberos without requiring human interaction or storing a password in a plaintext file.

The NAM Probe needs these files so it can decrypt SAP traffic for full monitoring of all clients and transactions.

For security reasons, any authentication or encryption keys stored on disk by the NAM Probe should be kept in encrypted form. You need to set up an appropriate decryption mechanism to make these keys available to the NAM Probe process at run time.

Using encrypted Kerberos SNC keys

To use encrypted Kerberos SNC keys, you need to:

  1. Extract the Kerberos SNC keys from the Kerberos system to be monitored.
    See Obtaining Kerberos keys for SNC decryption for more information.
  2. Encrypt the Kerberos SNC keys using the kpaencrypt command.
    See Encrypting Kerberos SNC keys for secure storage on NAM Probe for more information.
  3. List the Kerberos SNC keys in the NAM Probe configuration.
    See Listing Kerberos SNC keys in NAM Probe configuration for more information.
  4. Make the encrypted keys available to the NAM Probe process at run time.