How-To Guide: Configure SSL in ABAP System
SAP NetWeaver
Document Version: 1.0 - 2017-03-07

Document History
Document Version    Description
1.0                 First official release of this guide
Table of Contents
1 Business Scenario
2 Background Information
3 Prerequisites
4 Step-by-Step Procedure
4.1 Install the SAP Cryptographic Libraries
4.2 Add Required Profile Parameters
4.3 Configure SSL Server PSE for Incoming Request
4.4 Create Trust Center in Database to Import Root CA Certificate
4.5 Generate Certificate Request for SSL Server PSE
4.6 Import Certificate Request Response
4.7 Configure SSL Client PSE for Outgoing Requests
4.8 Import certificate request response
4.9 Test Connection
1 Business Scenario
As part of a system implementation, there is a requirement to establish SSL (Secure Sockets Layer) security
for an ABAP-based system that requires secure, encrypted communications.
2 Background Information
SSL (Secure Sockets Layer) is a communication method whereby secure communication between system
entities is accomplished by the use of encryption facilitated by X.509 certificates published by Certificate
Authorities (CA) in tandem with public and private keys.
3 Prerequisites
These tasks should be performed by a qualified SAP Basis Administrator with a solid conceptual
understanding of SSL and certificate-based encryption concepts.
4 Step-by-Step Procedure
4.1 Install the SAP Cryptographic Libraries
1. Download the latest SAP Crypto Libraries from the SAP Marketplace. Access URL
http://service.sap.com/swdc and follow the path Support Packages and Patches > Browse our Download
Catalog > SAP Cryptographic Software > SAPCryptolib for Installations > SAPCryptoLibs.
2. Select the desired platform, and download the latest version of the software.
3. Log in to the server as <sid>adm and extract the content of the downloaded SAR file containing the
SAP Crypto Libraries.
4. Copy the library file and the binary file sapgenpse to the DIR_EXECUTABLE directory. On Unix this is
/usr/sap/<SID>/SYS/exe/run; on Windows it is <drive>:\usr\sap\<SID>\SYS\exe\run.
5. Verify that the files have the right permissions, with execution permissions for <sid>adm and
SAPService<SID>.
6. Copy the ticket file to the "sec" directory of the instance directory.
7. Set the environment variable SECUDIR to the "sec" directory of the instance directory. The application
server uses it to find the ticket file and locate its credentials at runtime. For example, in
Windows: right-click My Computer > Properties > Advanced system settings > Environment Variables, and set
the variable under System variables.
4.2 Add Required Profile Parameters
1. Set the following profile parameters:
ssl/ssl_lib
sec/libsapsecu
ssf/ssfapi_lib
ssf/name
icm/HTTPS/verify_client
For example:
#SSL Configuration
ssl/ssl_lib = D:\usr\sap\CRD\DVEBMGS00\exe\sapcrypto.dll
sec/libsapsecu = D:\usr\sap\CRD\DVEBMGS00\exe\sapcrypto.dll
ssf/ssfapi_lib = D:\usr\sap\CRD\DVEBMGS00\exe\sapcrypto.dll
ssf/name = SAPSECULIB
icm/HTTPS/verify_client=
In a dual-stack system, add the following parameter:
ssl/pse_provider = ABAP
2. After the parameters are added, restart the ABAP system.
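A check that can be run on the profile text before the restart, given here as an added example (it is not part of the original guide or of SAP tooling). It assumes the profile is plain "name = value" text and, as in the guide's example, that the three library parameters should name the same file; the sample profile is constructed.

```python
import difflib

# Parameter names listed in section 4.2; the first three are library paths.
REQUIRED = ["ssl/ssl_lib", "sec/libsapsecu", "ssf/ssfapi_lib",
            "ssf/name", "icm/HTTPS/verify_client"]
LIB_PARAMS = REQUIRED[:3]


def parse_profile(text):
    """Return {name: value} from 'name = value' lines, skipping # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def check_profile(text):
    """Return findings; an empty list means the SSL parameters look complete."""
    params, findings = parse_profile(text), []
    others = [p for p in params if p not in REQUIRED]
    for name in REQUIRED:
        if name not in params:
            # A misspelled name is a different parameter, so report near misses.
            near = difflib.get_close_matches(name, others, n=1, cutoff=0.8)
            hint = f" (similar name present: {near[0]})" if near else ""
            findings.append(f"{name}: missing{hint}")
        elif not params[name]:
            findings.append(f"{name}: no value set")
    libs = {params[p].lower() for p in LIB_PARAMS if params.get(p)}
    if len(libs) > 1:
        findings.append("library parameters point to different files")
    return findings


# Constructed sample profile (not from the guide): one misspelled name,
# one differing library path, one parameter left without a value.
SAMPLE = r"""
#SSL Configuration
ssl/ssl_lib = D:\usr\sap\CRD\DVEBMGS00\exe\sapcrypto.dll
sec/libsapsecu = D:\usr\sap\CRD\DVEBMGS00\exe\sapcrypt.dll
sssf/ssfapi_lib = D:\usr\sap\CRD\DVEBMGS00\exe\sapcrypto.dll
ssf/name = SAPSECULIB
icm/HTTPS/verify_client =
"""

if __name__ == "__main__":
    print("\n".join(check_profile(SAMPLE)))
```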
4.3 Configure SSL Server PSE for Incoming Request
1. Create the SSL Server PSE by calling transaction STRUST.
2. Select SSL Server Standard, right-click and select Create.
3. Enter the distinguished name, that is, the name of the server as it will be accessed over the HTTPS
protocol. By default the system assigns a wildcard for the hostname. For example:
Name = *.mycompany.com
Org. (opt.) = Test
Comp./Org. = MyCompany
Country = US
4. If necessary, modify the distinguished name for the individual application servers. For example,
.companyname.com
5. Press Enter and then save the configuration.
4.4 Create Trust Center in Database to Import Root CA Certificate
If the certificate authority that will be used to sign the SSL server certificates is not available in the
system, create a trust center in the database and load the root certificate as follows:
1. Within transaction STRUST, choose menu Certificate > Database.
2. Create a new entry using the create icon.
[Screenshot: Data Browser: Table VSTRUSTCERT Select Entries]
3. Enter the name under the customer namespace, the category and a description.
4. Import the CA root certificate from the file system: in STRUST, choose menu Certificate > Import.
5. From the file system, select the root certificate
6. Choose menu Certificate > Export.
7. Click the Database tab, select the trust center that was created before, and press Enter.
8. Click Yes when asked whether to overwrite the certificate in the database.
4.5 Generate Certificate Request for SSL Server PSE
1. Open transaction STRUST.
2. For each SSL Server PSE, do the following:
a. Select the application server.
b. In the maintenance section, select the icon to create a certificate request.
c. Copy the output to the clipboard or save it as a P10 file.
Example: How to sign certificate request with SAP CA
For testing purposes we can use the SSL Test Server Certificates trust center from the SAP Support
Portal. This provides a signed certificate that will last 8 weeks. For a permanent solution, another
certificate authority can be used.
3. The trust manager requires that the certificate request response adheres to the PKCS#7 certificate
chain format. Connect to the support portal at the following alias to access the SAP Trust Center
Services: http://service.sap.com/trust
4. Click the link SSL Test Server Certificates.
5. Click Test IT Now!, paste the output of the certificate request created in STRUST, select
the server type "SAP Web Application Server 6.20 and newer" and click Continue.
6. Select the output and save it to a file or copy it to the clipboard.
4.6 Import Certificate Request Response
The CA will send a certificate request response that contains the signed public key for the application server.
We need to import this response into the corresponding PSE.
1. Expand the SSL server PSE. For each of the application servers, import the response by clicking the
icon Import Certificate Response.
2. Paste the entire content of the response that was signed by the certificate authority (in the
previous example we used the SAP Trust Center) and press Enter.
3. Click Save
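The requirement from section 4.5 that the response adhere to the PKCS#7 certificate chain format can be checked before the response is pasted into STRUST. The following added example (not from the original guide) inspects the outer ASN.1 structure of a base64 response rather than trusting its PEM label; the sample inputs are constructed skeletons, not real certificates.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData).
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")


def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:  # short-form length
        return tag, pos, pos + first
    n = first & 0x7F  # long form: the next n bytes hold the length
    return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")


def classify_response(text):
    """Classify a pasted CA response as 'pkcs7', 'x509' or 'unknown'."""
    body = re.sub(r"-----[A-Z0-9 #]+-----", "", text)  # drop PEM armor lines
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
        tag, start, _ = read_tlv(der, 0)
        if tag != 0x30:  # both formats start with an ASN.1 SEQUENCE
            return "unknown"
        if der[start:start + len(SIGNED_DATA_OID)] == SIGNED_DATA_OID:
            return "pkcs7"  # ContentInfo whose contentType is signedData
        inner_tag, _, _ = read_tlv(der, start)
        return "x509" if inner_tag == 0x30 else "unknown"
    except (ValueError, IndexError):  # bad base64 or truncated DER
        return "unknown"


def pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in PEM armor (used only to build the samples below)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed skeletons, not real certificates: just enough DER to show the
# outer structure that distinguishes the two formats.
SAMPLE_PKCS7 = pem(bytes.fromhex("300d") + SIGNED_DATA_OID + bytes.fromhex("a000"))
SAMPLE_X509 = pem(bytes.fromhex("30063004a0020500"))

if __name__ == "__main__":
    print(classify_response(SAMPLE_PKCS7), classify_response(SAMPLE_X509))
```

Only the outer structure is inspected; the signature and the chain contents are not verified, and any other nested SEQUENCE is reported as 'x509'.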
4.7 Configure SSL Client PSE for Outgoing Requests
1. Create SSL Client PSE by calling transaction STRUST.
2. Select SSL Client Standard, right-click and select Create.
3. Enter the distinguished name for the system, something unique that identifies the system as a
client to access other systems.
4. Select the SSL Client Standard PSE and do the following:
a. In the maintenance section, select the icon to create a certificate request.
b. Copy the output to the clipboard or save it as a P10 file.
Example: How to sign certificate request with SAP CA
For testing purposes we can use the SSL Test Server Certificates trust center from the SAP
Support Portal. This provides a signed certificate that will last 8 weeks. For a permanent
solution, another certificate authority can be used.
The trust manager requires that the certificate request response adheres to the PKCS#7
certificate chain format.
5. Connect to the support portal at the following alias to access the SAP Trust Center Services:
http://service.sap.com/trust
6. Click the link SSL Test Server Certificates.
7. Click Test IT Now!, paste the output of the certificate request created in STRUST,
select the server type "SAP Web Application Server 6.20 and newer" and click Continue.
8. Select the output and save it to a file or copy it to the clipboard.
4.8 Import certificate request response
The CA will send a certificate request response that contains the signed public key for the application
server. We need to import this response into the corresponding PSE.
1. Expand the SSL Client PSE.
2. Paste the entire content of the response that was signed by the certificate authority (in our previous
example we used the SAP Trust Center) and press Enter.
3. Click Save
4.9 Test Connection
Test the SSL connection, for example by opening the following URL on your SAP ABAP system from an internet
browser:
https://<hostname>:<port>/sap/bc/bsp/sap/it00/default.htm
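Beyond opening the URL in a browser, the served certificate can be reviewed against the wildcard name entered in section 4.3 and the 8-week lifetime of a test certificate. This is an added example, not part of the original guide; the host names, the 14-day threshold and the function names are assumptions, and the sample certificate is constructed.

```python
import socket
import ssl
import time


def name_matches(pattern, hostname):
    """Match a certificate DNS name; '*' covers exactly one leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def review_cert(cert, hostname, now=None, min_days=14):
    """Check a dict shaped like SSLSocket.getpeercert() output; return findings."""
    findings = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # no SAN present: fall back to the subject common name
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(name_matches(n, hostname) for n in names):
        findings.append(f"{hostname} not covered by {names}")
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (expiry - (now if now is not None else time.time())) / 86400
    if days_left < min_days:
        findings.append(f"certificate expires in {days_left:.0f} days")
    return findings


def fetch_cert(host, port, cafile):
    """Handshake with the HTTPS port, trusting only the CA root in cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the name check is done by review_cert instead
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape: wildcard CN as in section 4.3,
# validity ending 8 weeks after the constructed issue date below.
SAMPLE_CERT = {"subject": ((("commonName", "*.mycompany.com"),),),
               "notAfter": "May 02 12:00:00 2017 GMT"}
ISSUED = ssl.cert_time_to_seconds("Mar 07 12:00:00 2017 GMT")

if __name__ == "__main__":
    print(review_cert(SAMPLE_CERT, "crd.mycompany.com", now=ISSUED))
```

A wildcard name covers one label only, so a host such as crd.dev.mycompany.com is reported as not covered by *.mycompany.com.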
© 2017 SAP AG or an SAP affiliate company. All rights reserved.
www.sap.com/contactsap