Symptom
This note concerns setting up Secure Sockets Layer (SSL) on the SAP Web Application Server ABAP.
Other Terms
SSL, TLS, Transport Layer Security, HTTPS, encryption, trust manager, STRUST, cipher suites
Reason and Prerequisites
This note provides a brief description of the steps required to set up SSL on the Web Application Server ABAP.
- 1. Install the SAPCRYPTOLIB on all application servers into the $DIR_EXECUTABLE directory. Note 397175 describes the prerequisites for downloading the library. If you are using a 6.10 kernel, copy the SAPCRYPTOLIB license ticket (file "ticket") into the $DIR_INSTANCE/sec directory on all application servers. As of kernel release 6.20, the license ticket is generated automatically at system start. As of SAPCRYPTOLIB pl32, you no longer require a license ticket file. On all application servers, set the environment variable SECUDIR to the directory $DIR_INSTANCE/sec. If you want to protect the PSEs (key files) with a password, set the environment variable USER on all UNIX systems to the name of the UNIX user under whom the SAP system is running.
- 2. Set the following profile parameters in the instance profile of all application servers and start the system:
ssf/name = SAPSECULIB
ssf/ssfapi_lib = <Path and file name of the SAPCRYPTOLIB>
sec/libsapsecu = <Path and file name of the SAPCRYPTOLIB>
ssl/ssl_lib = <Path and file name of the SAPCRYPTOLIB>
icm/server_port_X = PROT=HTTPS,PORT=<TCP port number for HTTPS>
If you want to suppress/permit/enforce user logon by client certificate in the SSL protocol:
icm/HTTPS/verify_client = 0 / 1 (default) / 2
If you want to use a key length of 1024 bits (only with kernel release 6.20 and higher, see Note 509495): sec/rsakeylengthdefault = 1024
- 3. Call transaction STRUST (trust manager) to create the SSL server PSEs.
- a) Create the default PSE (serves as a fallback for all instances without their own PSE).
Choose "Create" in the context menu of the "SSL server" node. As far as possible, the trust manager provides the correct entries so that you can then send the certificates to the SAP Trust Center Service for signing. In particular, set the following values:
Name = *.<WebAS domain>
Do not replace the "*" with a host name. The default PSE must also exist even if PSEs are created for all instances.
- b) Create individual PSEs for all instances: A list of all active instances is displayed in a second dialog box. The default Distinguished Name (DN) contains the following entry:
CN = <host name>.<WebAS domain>
Make sure that each instance is assigned the fully qualified host name that is used in the HTTPS protocol. You can assign a DN to several instances simultaneously, for example, when using a Network Address Translator (then, you must specify the fully qualified host name of the NAT as CN). All instances with an empty DN will use the default PSE (in Release 6.10, the "Create" parameter determines whether the instance is assigned its own PSE). Note that no DN may be longer than 255 characters.
- c) Create certificate requests for all instance PSEs. Expand the "SSL server" node in the tree control, double-click to load the instance PSE into the relevant node and select the "Generate certificate request" function. For the default PSE, you must only create a certificate request if there are instances without their own PSEs (in this case, double-click to load the default PSE into the "SSL server" node). Send the certificate requests to a CA, for example, the SAP Trust Center Service (http://service.sap.com/tcs ).
The certificate response must either be a PKCS#7 package with a complete upward path or a text file that contains a list of all required certificates in PEM format (that is, with a "-----BEGIN CERTIFICATE-----" header line and an "-----END CERTIFICATE-----" footer). As of Release 6.20, you can also import the certificate response as an individual PEM certificate if the CA certificate is saved in the database (to search for certificates, select "Import certificate", category = "Server CA"). Using the SAP Trust Center Service ensures that the certificate response has a valid format. Always import the certificate response into the PSE from which the original certificate request was generated (double-click on the corresponding nodes and call the "Import certificate response" function) and save the changes.
- d) If you want to allow logon via the client certificate, import the root certificate of the CA user into one of the SSL server PSEs. When saving, the system updates the certificate list of all SSL server PSEs. The certificate list contains the root certificates of those CAs whose user certificates are to be accepted.
- 4. Creating the SSL client PSE (default).
This PSE is used in the SSL protocol if the WebAS issues an HTTPS request as a client. For technical reasons, there must always be an SSL client PSE even if the system does not issue any client requests (the SSL implementation cannot be started if the PSE is missing). When creating the PSE, you can specify the following name:
Name = <system SID> SSL client default
If the system is to issue client requests, create a certificate request from the PSE and import the certificate response of the CA into the PSE. Then import the root certificates of the server CAs into the PSE certificate list whose certificates are to be accepted. To load the root certificate of the SAP Trust Center Service, select "Import certificate", database, Trust Center (short name) = "SAPTRUST", category = "Server CA". To import the certificate into the PSE, select "Import into certificate list".
- 5. Creating additional SSL client PSEs (optional)
With an SSL client PSE (anonymous), the system can issue HTTPS requests without client authentication. If you require this PSE, only maintain the PSE certificate list. You can also define additional SSL client identities (Environment -> SSL client -> Identities). If you create new identities, they are displayed in the trust manager. You can then create the relevant PSEs, have the certificates signed by a CA and maintain the PSE certificate list.
Note that changes made to SSL PSEs in the trust manager (for example, importing a CA's certificate response or changing the certificate list) in an SAP WebAS before NetWeaver 710 only take effect after you restart the ICMAN process (transaction SMICM, Administration -> ICMAN -> Exit Soft).
When, as of NetWeaver 710, you save or overwrite an SSL PSE, STRUST signals the PSE change to the icman, whereby the PSEs used for SSL are reloaded at runtime. Existing communication connections are not impaired as a result. However, all SSL session caches are emptied in icman so that all new SSL connections go through a complete SSL Handshake. On servers with a very large number of simultaneous connections, this could lead to an increase in the CPU load and increased response times.
- 6. (Optional) Configuration of available SSL cipher suites
You can change the available "SSL cipher suites" for SAP WebAS (icman, sapwebdisp, msg_server and sap_http) and (as of Release 710) for the incoming SSL-secured connections of the SAP AS Java using the SAP profile parameter
ssl/ciphersuites=
as a process-wide or system-wide default (and thereby override the compiled default value). When negotiating a shared cipher suite with the client, SAPCRYPTOLIB uses the server's preference order.
For inbound SSL connections (SSL server), you can also define the available cipher suites individually for each service in the SSL configuration icm/ssl_config_<xx> for an ICM server port definition icm/server_port_<xx> using the string parameter CIPHERS:
icm/server_port_<xx>= ..., SSLCONFIG=ssl_config_<yy>
icm/ssl_config_<yy>= ..., CIPHERS=...
The same rules apply to the value or content of the parameter CIPHERS as apply to the profile parameter ssl/ciphersuites.
The following table displays an overview of the SAPCRYPTOLIB ciphersuites that are currently available in order of preference. Ciphersuites marked with (+) were added with SAPCRYPTOLIB pl28:
Category   Position  Name of SSL ciphersuite
----------------------------------------------------
MEDIUM      1.       SSL_RSA_WITH_RC4_128_SHA
MEDIUM      2.       SSL_RSA_WITH_RC4_128_MD5
(+)HIGH     3.       TLS_RSA_WITH_AES128_CBC_SHA
(+)HIGH     4.       TLS_RSA_WITH_AES256_CBC_SHA
HIGH        5.       SSL_RSA_WITH_3DES_EDE_CBC_SHA
LOW         6.       SSL_RSA_WITH_DES_CBC_SHA
EXPORT      7.       SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
EXPORT      8.       SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
EXPORT      9.       SSL_RSA_EXPORT_WITH_RC4_40_MD5
EXPORT     10.       SSL_RSA_WITH_NULL_SHA
EXPORT     11.       SSL_RSA_WITH_NULL_MD5
The above list (in the specified sequence) is the compiled default setting for SAP BASIS 640 and corresponds to the profile parameter value:
ssl/ciphersuites=MEDIUM:HIGH:LOW:EXPORT
The compiled default setting for SAP BASIS 700 is:
ssl/ciphersuites=MEDIUM:HIGH:LOW:EXPORT:!eNULL
and contains only ciphersuites 1 to 9 from the above list.
With the kernel correction described in SAP Note 1433874, the compiled default setting for SAP BASIS 700 or higher was changed to:
ssl/ciphersuites=HIGH:MEDIUM:+e3DES:LOW:EXPORT:!aNULL:!eNULL
and a new profile parameter was added:
ssl/client_ciphersuites=
With this parameter, you can configure the SSL cipher suites for outgoing SSL-secured connections of SAP AS ABAP independently of the incoming connections. If you do not set it, the value of the profile parameter ssl/ciphersuites also applies to outgoing SSL-secured connections.
The aforementioned kernel correction results in the following sequence of SSL cipher suites; the AES-based cipher suites require SAPCRYPTOLIB pl28 or higher.
Category   Position  Name of SSL ciphersuite
-----------------------------------------------------------
HIGH        1.       TLS_RSA_WITH_AES128_CBC_SHA
HIGH        2.       TLS_RSA_WITH_AES256_CBC_SHA
MEDIUM      3.       SSL_RSA_WITH_RC4_128_SHA
MEDIUM      4.       SSL_RSA_WITH_RC4_128_MD5
HIGH        5.       SSL_RSA_WITH_3DES_EDE_CBC_SHA
LOW         6.       SSL_RSA_WITH_DES_CBC_SHA
EXPORT      7.       SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
EXPORT      8.       SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
EXPORT      9.       SSL_RSA_EXPORT_WITH_RC4_40_MD5
If you want the cipher suite with 3DES encryption to be in first position of the preferred cipher suites, and if you do not want to use any EXPORT cipher suites, LOW cipher suites, or cipher suites with MD5 as the hash function, you can use the following value for the configuration:
ssl/ciphersuites=HIGH:MEDIUM:!mMD5
The result is a list with the four cipher suites (1), (2), (5) and (3) from the list displayed above.
The parameter parts for the configuration of the cipher suites are based on a combination of simple set theory and the preferred cipher suite sequence. The syntax of this parameter is based on an earlier version of OpenSSL and is less flexible than that of current OpenSSL versions.
You use the categories to define which cipher suites are relevant, and the sequence of the categories to define which cipher suites are preferred; you can specify
"!mMD5", "!mSHA1", or "!eNULL", "!eRC4", "!eDES", "!eRC2"
to remove specific cipher suites from the selected categories in the list of selectable cipher suites.
- 7. (Optional) Configuration of available TLS protocol versions
Depending on the version, SAPCRYPTOLIB supports the following versions of the SSL or TLS protocol:
SAPCRYPTOLIB <= pl26   SSLv3, "BC"
SAPCRYPTOLIB >= pl28   SSLv3, TLSv1.0, "BC"
The new protocol version TLSv1.0, introduced with pl28 and higher, is proposed by default and is used if the communication partner also supports it.
There is also the protocol option "BC" for "Backwards Compatibility" that permits a Version 2.0 CLIENT-HELLO as the first message of an SSLv3 or TLS handshake, see
http://tools.ietf.org/html/rfc6176#section-3
http://tools.ietf.org/html/rfc5246#page-89
A configuration option for the supported TLS protocol versions was added with the kernel correction described in SAP Note 1433874. A single number, formed by adding the following bit values, is placed in front of the cipher suite configuration (separated from it by a colon):
Value Meaning
-----------------------------------------------------------
1 "BC" option (allow version 2.0 CLIENT-HELLO)
64 SSLv3
128 TLSv1.0
Both protocol versions and the BC option are active in the default setting, which results in a value of (128+64+1) = 193 for the protocol version flags (pvflags).
If you want a FIPS-compliant SSL configuration, that is, only TLSv1.0 (128+1)=129 and only SSL cipher suites with 3DES or AES encryption (HIGH), you can achieve this with the following setting:
ssl/ciphersuites=129:HIGH
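The following is an added example, not part of SAP Note 510007: a small evaluator for the ssl/ciphersuites syntax of sections 6 and 7, run over the SAPCRYPTOLIB suite table listed above. The evaluation model (a category adds its suites in compiled table order, "+sel" moves matching suites to the end, "!sel" removes them permanently, a leading number sets the protocol version flags) is an assumption modelled on the older OpenSSL cipher-string rules the note says the syntax follows; it reproduces every result the note gives, including the order produced by the Note 1433874 default and the FIPS setting.

```python
# Added example, not part of SAP Note 510007: evaluates the ssl/ciphersuites
# syntax over the note's SAPCRYPTOLIB suite table. Assumed model (after the
# older OpenSSL rules the note says the syntax follows): a category adds its
# suites in table order, "+sel" moves matches to the end, "!sel" removes them
# permanently; a leading number sets the protocol version flags (pvflags).

# SAP BASIS 640 compiled order from the note: (category, name, enc, MAC, auth)
SUITES = [
    ("MEDIUM", "SSL_RSA_WITH_RC4_128_SHA",           "RC4",  "SHA1", "RSA"),
    ("MEDIUM", "SSL_RSA_WITH_RC4_128_MD5",           "RC4",  "MD5",  "RSA"),
    ("HIGH",   "TLS_RSA_WITH_AES128_CBC_SHA",        "AES",  "SHA1", "RSA"),
    ("HIGH",   "TLS_RSA_WITH_AES256_CBC_SHA",        "AES",  "SHA1", "RSA"),
    ("HIGH",   "SSL_RSA_WITH_3DES_EDE_CBC_SHA",      "3DES", "SHA1", "RSA"),
    ("LOW",    "SSL_RSA_WITH_DES_CBC_SHA",           "DES",  "SHA1", "RSA"),
    ("EXPORT", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",  "DES",  "SHA1", "RSA"),
    ("EXPORT", "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "RC2",  "MD5",  "RSA"),
    ("EXPORT", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",     "RC4",  "MD5",  "RSA"),
    ("EXPORT", "SSL_RSA_WITH_NULL_SHA",              "NULL", "SHA1", "RSA"),
    ("EXPORT", "SSL_RSA_WITH_NULL_MD5",              "NULL", "MD5",  "RSA"),
]
BY_NAME = {s[1]: s for s in SUITES}
PVFLAGS = {1: "BC", 64: "SSLv3", 128: "TLSv1.0"}   # bit values from the note

def _matches(suite, sel):
    """sel is a category (HIGH), e<enc> (eNULL), m<mac> (mMD5) or a<auth> (aNULL)."""
    cat, _, enc, mac, auth = suite
    if sel.startswith("e"): return enc == sel[1:]
    if sel.startswith("m"): return mac == sel[1:]
    if sel.startswith("a"): return auth == sel[1:]
    return cat == sel

def evaluate(value):
    """Return (enabled protocol options, ordered suite names) for a parameter value."""
    parts = value.split(":")
    pvflags = 193                                  # note's default: 128+64+1
    if parts[0].isdigit():
        pvflags = int(parts.pop(0))
    chosen, banned = [], set()
    for part in parts:
        if part.startswith("!"):                   # remove, cannot be re-added
            banned |= {s[1] for s in SUITES if _matches(s, part[1:])}
            chosen = [n for n in chosen if n not in banned]
        elif part.startswith("+"):                 # keep, but move to the end
            moved = [n for n in chosen if _matches(BY_NAME[n], part[1:])]
            chosen = [n for n in chosen if n not in moved] + moved
        else:                                      # add in table order
            chosen += [s[1] for s in SUITES if _matches(s, part)
                       and s[1] not in banned and s[1] not in chosen]
    protos = [name for bit, name in PVFLAGS.items() if pvflags & bit]
    return protos, chosen
```

Calling evaluate("129:HIGH") yields (["BC", "TLSv1.0"], [AES128, AES256, 3DES]), so a proposed value can be checked for stray EXPORT, LOW or NULL suites before it is put into a profile.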
- 8. Information about interoperability with SSL and TLS
- a) The protocol option "BC" (Backwards Compatibility) is required for interoperability with Microsoft Internet Explorer (MSIE) Version 6 on Windows XP and Windows 2003, Firefox up to Version 3.0 and possibly other, mostly older, browser and SSL clients.
Background: XP and 2003 were delivered with MSIE Version 6 and SSLv2 is activated and TLSv1.0 is deactivated there by default. When you upgrade MSIE to Version 7 or 8, SSLv2 is deactivated and TLSv1.0 is activated. However, the basic attributes of the "SChannel" component of the underlying Windows version are not changed by an MSIE upgrade.
- b) The attributes that can be used by Microsoft Internet Explorer for SSL or TLS are determined by the capabilities and attributes of the underlying operating system version, especially the security provider "SChannel" and the Microsoft CryptoAPI -- regardless of which browser version you have installed.
Some attributes are available on older platforms only after a Microsoft HotFix has been installed manually:
SChannel support for AES cipher suites:
XP 32-bit: ---
2003, XP 64-bit: http://support.microsoft.com/kb/948963
MS CryptoAPI support for SHA256-based digital signatures, includes SSL server certificates:
XP 32+64, 2003: http://support.microsoft.com/kb/968730
Microsoft "SChannel" supports the AES-based cipher suites (RFC 3268) of SAPCRYPTOLIB pl28+ only in connection with the protocol version TLSv1.0 and only as of Vista (and on Windows 2003 after manually installing HotFix 948963).
Firefox 3+, Google Chrome and OpenSSL 0.9.8+ support AES-based cipher suites both on Windows XP as well as in connection with SSLv3.