SAP Note Setting up SSL on Web Application Server ABAP

Transcription

1 Note Language: English Version: 14 Validity: Valid Since Summary Symptom You encounter problems when you set up SSL on the Web Application Server ABAP. Other terms SSL, HTTPS, coding, trust manager, STRUST Reason and Prerequisites Solution This note provides a brief description of the steps required to set up SSL on the Web Application. 1. Install the SAPCRYPTOLIB on all application servers into the $DIR_EXECUTABLE directory. The library must not be older than version PL 10. Note describes the prerequisites for downloading the library. If you are using a 6.10 kernel, copy the license ticket SAPCRYPTOLIB (file "ticket") into the $DIR_INSTANCE/sec directory on all application servers. As of kernel release 6.20, the license ticket is automatically generated at the system start. On all application servers, set the environment variable SECUDIR to the directory $DIR_INSTANCE/sec. If you want to protect the PSEs (key files) with a password, set the environment variable USER on all UNIX systems to the name of the UNIX user under whom the SAP system is running. 2. Set the following profile parameters in the instance profile of all application servers and start the system: ssf/name = SAPSECULIB ssf/ssfapi_lib = <Path and file name of the SAPCRYPTOLIB> sec/libsapsecu = <Path and file name of the SAPCRYPTOLIB> ssl/ssl_lib = <Path and file name of the SAPCRYPTOLIB> icm/server_port_x = PROT=HTTPS,PORT=<Port number of the HTTPS log> If you want to suppress/permit/enforce user logon by client certificate in the SSL log: icm/https/verify_client = 0 / 1 (default) / 2 If you want to use a key length of 1024 bits (only with kernel release 6.20 and higher, see Note ): sec/rsakeylengthdefault = Call transaction STRUST (trust manager) to create the SSL server PSEs. a) Create the default PSE (serves as a fallback for all instances without their own PSE). Choose "Create" in the context menu of the "SSL server" node. As far as possible, the trust manager provides the correct entries so that you can then send the certificates to the SAP Trust Center Service for signing. In particular, set the following values: Name = *.<WebAS domain> Page 1 of 5

2 Do not replace the "*" with a host name. The default PSE must also exist even if PSEs are created for all instances. b) Create individual PSEs for all instances: A list of all active instances is displayed in a second dialog box. The default Distinguished Name (DN) contains the following entry: CN = <host name>.<webas domain> Make sure that each instance is assigned the fully qualified host name that is used in the HTTPS log. You can assign a DN to several instances simultaneously, for example, when using a Network Address Translator (then, you must specify the fully qualified host name of the NAT as CN). All instances with empty an DN will use the default PSE (in Release 6.10, the "Create" parameter determines if the instance is assigned its own PSE). Note that no DNs must be more than 255 characters long. c) Create certificate requests for all instance PSEs. Expand the "SSL server" node in the tree control, double-click to load the instance PSE into the relevant node and select the "Generate certificate request" function. For the default PSE, you must only create a certificate request if there are instances without their own PSEs (in this case, double-click to load the default PSE into the "SSL server" node). Send the certificate requests to a CA, for example, the SAP Trust Center Service ( ). The certificate response must either be a PKCS#7 package with a complete upward path or a file that contains a list of required certificates in PEM format (that is, with a "-----BEGIN CERTIFICATE-----" header line and a "-----END CERTIFICATE-----" footer). As of Release 6.20, you can also import the certificate response as an individual PEM certificate if the CA certificate is saved in the database (to search for certificates, select "Import certificate", category = "Server CA"). Using the SAP Trust Center Service ensures that the certificate response has a valid format. Always import the certificate response into the PSE from which the original certificate request was generated (double-click on the corresponding nodes and call the "Import certificate response" function) and save the changes. d) If you want to allow logon via the client certificate, import the root certificate of the CA user into one of the SSL server PSEs. When saving, the system updates the certificate list of all SSL server PSEs. The certificate list contains the root certificates of those CAs whose user certificates are to be accepted. 4. Creating the SSL client PSE (default). This PSE is used in the SSL log if the WebAS issues a HTTPS request as client. For technical reasons, there must always be a SSL client PSE even if the system does not issue any client requests (the SSL implementation cannot be started if the PSE is missing). When creating the PSE, you can specify the following name: Name = <system SID> SSL client default If the system is to issue client requests, create a certificate request from the PSE and import the certificate response of the CA into the PSE. Then import the root certificates of the server CAs into Page 2 of 5

3 the PSE certificate list whose certificates are to be accepted. To load the root certificate of the SAP Trust Center Service, select "Import certificate", database, Trust Center (short name) = "SAPTRUST", category = "Server CA". To import the certificate into the PSE, select "Import into certificate list". 5. Creating additional PSEs (optional): With a SSL client PSE (anonymous), the system can issue HTTPS requests without client authentification. If you require this PSE, only maintain the PSE certificate list. You can also define additional SSL client identities (Environment -> SSL client-> Identities). If you create new identities, they are displayed in the trust manager. You can now create the relevant PSEs, have the certificates signed by a CA and maintain the PSE certificate list. Note that the changes made to SSL PSEs in the trust manager (for example, implementing the response of a CA and the certificate list changes) in a SAP WebAS before NetWeaver 710 will only take effect after you restart the ICMAN process (transaction SMICM, Administration -> ICMAN -> Exit Soft). 6. You can change the available "SSL ciphersuites" for SAP WebAS, WebDispatcher and, as ofrelease 710, the incoming SSL connections of the SAP AS Java using the SAP profile parameter ssl/ciphersuites= as a process-wide or system-wide default (and therefore control the compiled default value). When searching for a shared ciphersuite using the client, the preference sequence of the server is important for SAPCRYPTOLIB. For inbound SSL connections (SSL server), you can also define the available ciphersuites individually for each service in the SSL configuration icm/ssl_config_<xx> for an ICM server port definition icm/server_port_<xx> using the following string parameter: CIPHERS= The same rules apply to the value or content of this parameter as apply to the profile parameter ssl/ciphersuites. The following table displays an overview of the SAPCRYPTOLIB ciphersuites that are currently available in order of preference. Ciphersuites marked with (+) were added with SAPCRYPTOLIB pl28: Category Position Name of SSL ciphersuite MEDIUM 1. SSL_RSA_WITH_RC4_128_SHA MEDIUM 2. SSL_RSA_WITH_RC4_128_MD5 (+)HIGH 3. TLS_RSA_WITH_AES128_CBC_SHA (+)HIGH 4. TLS_RSA_WITH_AES256_CBC_SHA HIGH 5. SSL_RSA_WITH_3DES_EDE_CBC_SHA LOW 6. SSL_RSA_WITH_DES_CBC_SHA EXPORT 7. SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXPORT 8. SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXPORT 9. SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXPORT 10. SSL_RSA_WITH_NULL_SHA EXPORT 11. SSL_RSA_WITH_NULL_MD Page 3 of 5

4 The above list (in the specified sequence) is the compiled default setting for SAP BASIS 640 and corresponds to the profile parameter value: ssl/ciphersuites=medium:high:low:export The compiled default setting for SAP BASIS 700 is: ssl/ciphersuites=medium:high:low:export:!enull and contains only ciphersuites 1 to 9 from the above list. If you want the ciphersuite with 3DES coding to be at the first position of the preferred ciphersuites, and if you do not want to use any EXPORT ciphersuites, LOW ciphersuites, and ciphersuites with MD5 as the hash function, you can use the following value for the configuration: ssl/ciphersuites=high:medium:!mmd5. In this case, the result is a list containing the four ciphersuites. (3), (4), (5), and (1) from the above list. The parameter parts for the configuration of the ciphersuites are based on a combination of simple set theory and the preferred ciphersuites sequence. The syntax of this ciphersuites parameter is based on a previous version of OpenSSL and less flexible than the current OpenSSL versions. You can use the category to define which ciphersuites are relevant and you can use the category sequence to define which are the preferred ciphersuites; you can specify "!mmd5", "!msha1", or "!enull", "!erc4", "!edes", "!erc2" to remove specific ciphersuites from the selected categories in the list of selectable ciphersuites. Header Data Release Status: Released for Customer Released on: :51:48 Master Language: German Priority: Recommendations/additional info Category: Consulting Primary Component: BC-SEC-SSL Secure Sockets Layer Protocol Secondary Components: BC-MID-ICF Internet Communication Framework SV-SMG Solution Manager Valid Releases Page 4 of 5

5 Software Component Release From Release To Release SAP_BASIS SAP_BASIS SAP_BASIS X Related Notes and Subsequent Number Short Text Prerequisites for analyzing support messages on STRUST Enabling Payment Cards Encryption ELENA: Set Up HTTP(S) Connection for Communication Server Select the right version of an SAP security toolkit Collective Note: Analyzing issues with Single Sign On (SSO) Replacing PSEs in productive SSL Servers Login ticket and ICM information is missing in SSO profile Certificate extension problems, Verisign (Japan) iseries: Installing sapcrypto library for R/ Security Guide: mysap Supply Chain Management Trust manager: New root certificates SSF Encryption Using the SAPCryptolib Portal Content performance - composite SAP Note Portal content performance on EP 5.0 SP 6 - Sammelhinweis Digital signatures with SAPCRYPTOLIB Logging on to BSP applications Trust manager: Generating PSEs with a key length > 512 bits Trust Manager: Problems importing certificate responses SAPCRYPTOLIB versions, bugs and fixes SAP Cryptographic Software - Export control Collective note SAPSECULIB Attributes Attribute Transaction codes Transaction codes Value SMICM STRUST Page 5 of 5