
How To Guide - Configure SSL in ABAP System

How-To Guide
SAP NetWeaver
Document Version: 1.0 - 2017-03-07
© 2017 SAP AG or an SAP affiliate company. All rights reserved.
www.sap.com/contactsap

Document History

Document Version    Description
1.0                 First official release of this guide

Table of Contents

1 Business Scenario
2 Background Information
3 Prerequisites
4 Step-by-Step Procedure
4.1 Install the SAP Cryptographic Libraries
4.2 Add Required Profile Parameters
4.3 Configure SSL Server PSE for Incoming Request
4.4 Create Trust Center in Database to Import Root CA Certificate
4.5 Generate Certificate Request for SSL Server PSE
4.6 Import Certificate Request Response
4.7 Configure SSL Client PSE for Outgoing Requests
4.8 Import certificate request response
4.9 Test Connection

1 Business Scenario

As part of a system implementation, there is a requirement to establish SSL (Secure Sockets Layer) security for an ABAP-based system that requires secure, encrypted communications.

2 Background Information

SSL (Secure Sockets Layer) is a communication method whereby secure communication between system entities is accomplished by the use of encryption facilitated by X.509 certificates published by Certificate Authorities (CA) in tandem with public and private decryption keys.

3 Prerequisites

These tasks should be performed by a qualified SAP Basis Administrator with a solid conceptual understanding of SSL and certificate-based encryption concepts.

4 Step-by-Step Procedure

4.1 Install the SAP Cryptographic Libraries

1. Download the latest SAP Crypto Libraries from the SAP Marketplace. Access URL http://service.sap.com/swdc, and follow the path Support Packages and Patches > Browse our Download Catalog > SAP Cryptographic Software > SAPCryptolib for Installations > SAPCryptoLibs.
2. Select the desired platform, and download the latest version of the software.
3. Log in with adm on the server and extract the content of the downloaded SAR file containing the SAP Crypto libraries.
4. Copy the library file and the binary file sapgenpse to the DIR_EXECUTABLE directory. On UNIX this is /usr/sap//SYS/exe/run; on Windows it is :\usr\sap\\SYS\exe\run.
5. Verify that the files have the right permissions, with execution permissions for adm and SAPService.
6. Copy the ticket file to the "sec" directory of the instance directory.
7. Set the environment variable SECUDIR to the "sec" directory of the instance directory. The application server uses this variable to find the ticket file and locate its credentials at runtime. For example, in Windows: right-click My Computer > Properties > Advanced system settings > Environment Variables, then set the variable under System variables.

4.2 Add Required Profile Parameters

1. Set the following profile parameters:

    ssl/ssl_lib
    sec/libsapsecu
    ssf/ssfapi_lib
    ssf/name
    icm/HTTPS/verify_client

   For example:

    #SSL Configuration
    ssl/ssl_lib = D:\usr\sap\CRD\DVEBMGS00\exe\sapcrypto.dll
    sec/libsapsecu = D:\usr\sap\CRD\DVEBMGS00\exe\sapcrypto.dll
    ssf/ssfapi_lib = D:\usr\sap\CRD\DVEBMGS00\exe\sapcrypto.dll
    ssf/name = SAPSECULIB
    icm/HTTPS/verify_client =

   In case of dual stack, add the following parameter:

    ssl/pse_provider = ABAP

2. After the parameters are added, restart the ABAP system.

4.3 Configure SSL Server PSE for Incoming Request

1. Create the SSL Server PSE by calling transaction STRUST.
2. Select SSL Server Standard, right-click and select Create.
3. Enter the distinguished name: the name of the server as it will be accessed over the HTTPS protocol. By default the system assigns a wildcard for the hostname and the rest of. For example:

    Name         = *.mycompany.com
    Org. (opt.)  = Test
    Comp./Org.   = MyCompany
    Country      = US

4. If necessary, modify the distinguished name for the individual application servers. For example, .companyname.com
5. Press Enter and then save the configuration.

4.4 Create Trust Center in Database to Import Root CA Certificate

If the certificate authority that will be used to sign the SSL Server certificates is not available in the system, create a trust center and load the root certificate as follows:

1. Within transaction STRUST, click the menu Certificate > Database.
2. Create a new entry with the Create icon.
3. Enter the name under the customer namespace, the category and a description.
4. Import the CA root certificate from the file system: in STRUST, click the menu Certificate > Import.
5. From the file system, select the root certificate.
6. Click the menu Certificate > Export.
7. Click the Database tab, select the Trust Center that was created before, and press Enter.
8. Click Yes when asked whether to overwrite the certificate in the database.

4.5 Generate Certificate Request for SSL Server PSE

1. Open transaction STRUST.
2. For each of the SSL Server PSEs, do the following:
   a. Select the application server.
   b. In the maintenance section, select the icon to create a certificate request.
   c. Copy the output to the clipboard or save it as a P10 file.

Example: How to sign a certificate request with SAP CA

For testing purposes we can use the SSL Test Server Certificates trust center from the SAP Support Portal; this will provide a signed certificate that will last 8 weeks. For a permanent solution, another certificate authority can be used.

3. The trust manager requires that the certificate request response adheres to the PKCS#7 certificate chain format. Connect to the support portal at the following alias to access the SAP Trust Center Services: http://service.sap.com/trust
4. Click the link SSL Test Server Certificates.
5. Click Test IT Now! and paste the output from the certificate request created in STRUST, select the server type "SAP Web Application Server 6.20 and newer" and click Continue.
6. Select the output and save it to a file or to the clipboard.

4.6 Import Certificate Request Response

The CA will send a certificate request response that contains the signed public key for the application server. We need to import this response into the corresponding PSE.

1. Expand the SSL Server PSE. For each of the application servers, import the response by clicking the icon Import Certificate Response.
2. Paste the entire content of the response that was signed by the certificate authority (in the previous example we used SAP Trust Center) and press Enter.
3. Click Save.

4.7 Configure SSL Client PSE for Outgoing Requests

1. Create the SSL Client PSE by calling transaction STRUST.
2. Select SSL Client Standard, right-click and select Create.
3. Enter the distinguished name for the system, something unique that identifies the system as a client accessing other systems.
4. Select the SSL Client Standard PSE and do the following:
   a. In the maintenance section, select the icon to create a certificate request.
   b. Copy the output to the clipboard or save it as a P10 file.

Example: How to sign a certificate request with SAP CA

For testing purposes we can use the SSL Test Server Certificates trust center from the SAP Support Portal; this will provide a signed certificate that will last 8 weeks. For a permanent solution, another certificate authority can be used.

The trust manager requires that the certificate request response adheres to the PKCS#7 certificate chain format.

5. Connect to the support portal at the following alias to access the SAP Trust Center Services: http://service.sap.com/trust
6. Click the link SSL Test Server Certificates.
7. Click Test IT Now! and paste the output from the certificate request created in STRUST, select the server type "SAP Web Application Server 6.20 and newer" and click Continue.
8. Select the output and save it to a file or to the clipboard.

4.8 Import certificate request response

The CA will send a certificate request response that contains the signed public key for the application server. We need to import this response into the corresponding PSE.

1. Expand the SSL Client PSE.
2. Paste the entire content of the response that was signed by the certificate authority (in our previous example we used SAP Trust Center) and press Enter.
3. Click Save.

4.9 Test Connection

Test the SSL connection by, for example, opening the following URL on your SAP ABAP system from an internet browser:

    https://:/sap(bD tibiZ)PTgwMA%/bc/bsp/sap/it00/default.htm
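For the profile parameters in section 4.2, the following is an added example (not part of the SAP guide) that lints a profile fragment before the restart in step 2. The function names and the sample profile are constructed for illustration; the rule that all three library parameters name the same file is an assumption taken from the guide's own example, and the accepted values 0, 1 and 2 for icm/HTTPS/verify_client come from SAP's parameter documentation rather than from this page.

```python
import ntpath

# Parameters listed in section 4.2; the guide's example points all three
# library parameters at the same sapcrypto file (assumed here to be required).
LIB_PARAMS = ("ssl/ssl_lib", "sec/libsapsecu", "ssf/ssfapi_lib")

# Constructed sample profile fragment, not taken from a real system.
SAMPLE = r"""
# SSL Configuration
ssl/ssl_lib = D:\usr\sap\CRD\DVEBMGS00\exe\sapcrypto.dll
sec/libsapsecu = D:\usr\sap\CRD\DVEBMGS00\exe\sapcrypto.dll
ssf/ssfapi_lib = D:\usr\sap\CRD\SYS\exe\run\sapcrypto.dll
ssf/name = SAPSECULIB
icm/HTTPS/verify_client =
"""

def parse_profile(text):
    """Return {parameter: value} from profile text, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def check_ssl_profile(text, dual_stack=False):
    """Return a list of findings; an empty list means the set is consistent."""
    p = parse_profile(text)
    findings = [f"{n}: missing or empty" for n in LIB_PARAMS if not p.get(n)]
    # Compare Windows-style paths case-insensitively after normalisation.
    libs = {ntpath.normcase(ntpath.normpath(p[n])) for n in LIB_PARAMS if p.get(n)}
    if len(libs) > 1:
        findings.append("library parameters point to different files: "
                        + ", ".join(sorted(libs)))
    if p.get("ssf/name") != "SAPSECULIB":
        findings.append("ssf/name: expected SAPSECULIB")
    if p.get("icm/HTTPS/verify_client") not in ("0", "1", "2"):
        findings.append("icm/HTTPS/verify_client: must be 0, 1 or 2")
    if dual_stack and p.get("ssl/pse_provider") != "ABAP":
        findings.append("ssl/pse_provider: expected ABAP on a dual-stack system")
    return findings

if __name__ == "__main__":
    for finding in check_ssl_profile(SAMPLE, dual_stack=True):
        print(finding)
```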
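Sections 4.5 and 4.7 state that the trust manager requires the certificate request response in PKCS#7 certificate chain format. The following added example (not part of the SAP guide) classifies a pasted response before it is imported in sections 4.6 and 4.8 by inspecting the DER structure instead of trusting the PEM label; the function names are hypothetical and the byte strings are minimal constructed stubs, not real certificates.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData).
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.+?)-----END \1-----", re.S)

# Constructed stubs: an empty signedData ContentInfo and a SEQUENCE whose
# first element is a SEQUENCE, as in a single X.509 certificate.
PKCS7_STUB = bytes.fromhex("300f06092a864886f70d010702a0023000")
X509_STUB = bytes.fromhex("300430020500")

def to_pem(label, der):
    """Wrap DER bytes in a PEM envelope with the given label."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def _content_offset(der, pos):
    """Return the offset of the content of the DER element starting at pos."""
    first = der[pos + 1]
    return pos + 2 if first < 0x80 else pos + 2 + (first & 0x7F)

def classify_response(text):
    """Classify a pasted CA response as 'pkcs7', 'x509', 'csr' or 'unknown'."""
    match = PEM_RE.search(text)
    if not match:
        return "unknown"
    label, body = match.group(1), "".join(match.group(2).split())
    if label == "CERTIFICATE REQUEST":
        return "csr"  # the request itself was pasted back, not the CA's answer
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return "unknown"
    if len(der) < 4 or der[0] != 0x30:
        return "unknown"
    inner = _content_offset(der, 0)
    # Decide on the first element inside the outer SEQUENCE, not on the label.
    if der[inner:inner + len(SIGNED_DATA_OID)] == SIGNED_DATA_OID:
        return "pkcs7"
    if der[inner:inner + 1] == b"\x30":
        return "x509"  # a single certificate without its chain
    return "unknown"

if __name__ == "__main__":
    print(classify_response(to_pem("CERTIFICATE", PKCS7_STUB)))
    print(classify_response(to_pem("CERTIFICATE", X509_STUB)))
```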
