Skip to Content

I did a Weblog on Setup HTTPS for the SAP NetWeaver Testdrive SR1 on Linux some time ago. Now here is the Guide for the NetWeaver 04 ABAP Edition on Windows.

Update: Correction according to SAP Note No. 510007.

Prerequisites

  • Sneak Preview SAP NetWeaver 04 ABAP Edition on Windows up and running
  • You can logon via SAP GUI to the application Server
  • SAP Cryptolib downloaded from http://service.sap.com/swdc/ -> Download -> SAP Cryptographic Software -> SAP Cryptographic Library Microsoft Win32 for x86/IA32. I’ve saved the file as “SAPCryptoLibWin32.CAR” in C:     emp

Unpack and install SAP Cryptolib

Copy the SAP Cryptolib to temporary directory and extract it with SAPCAR on the Command Line (Start -> Run -> cmd):

c:
cd      emp
mkdir sap-crypto
cd sap-crypto
SAPCAR -vxf ..sap-crypto-lib.CAR
cd ntintel
copy * usrsapNSPSYSexe
un

Setup

Now shutdown your Application Server via the SAP Management Console.

Now set the Environment Variable “SECUDIR” via Start -> Control Panel -> System -> Extended -> Environment Variables. Add a new System Variable SECUDIR with Value C:usrsapNSPDVEBMGS00sec:

Close the command line and start it again. The Command “echo %SECUDIR%” must return “C:usrsapNSPDVEBMGS00sec”. Now edit the instance profile file “C:usrsapNSPSYSprofile NSP_DVEBMGS00_hostname” and add these lines:

# SSL
sec/libsapsecu = C:usrsapNSPSYSexe
unsapcrypto.dll
ssf/ssfapi_lib = C:usrsapNSPSYSexe
unsapcrypto.dll
ssf/name = SAPSECULIB
snc/gssapi_lib = C:usrsapNSPSYSexe
unsapcrypto.dll
sec/rsakeylengthdefault = 2048
icm/server_port_1 = PROT=HTTPS,PORT=8443
icm/HTTPS/verify_client = 0

Now you can start your application server again with the SAP Management Console.

Create Certificate

Logon to your SAP System via SAP GUI and start Transaction STRUSTSSO2

Execute a right click on the SSL-Server and choose “create” do not replace the “*”. Enter Org. and Comp. and Country. To enter the Country you had to click on the toggle Button:

image

Press enter to save the settings. Press enter to close this screen which shows you the Instance PSE’s:

image

Now expand the SSL Server node and doubleclick on your hostname:

image

You will notice that the Certificate is currently self signed. When you have a Service Marketplace Account, then you can get a test certificate from http://service.sap.com/SSLTest. Export the Certificate Request by clicking on the “Create Certificate Request” button:

Copy the Request into the clipboard and paste it into the Text field on the Service Marketplace. Choose server type “SAP Web Application Server 6.20 and newer”. Copy the returned certificate and import it via the “Import Cert. Response”:

Finally go to the download Area of the SAP Trust Centre and download the “mySAP.com Test CA Certificate” and also the “SAP Server CA Certificate”. I’ve saved them to C:     empsap-cryptogetCert.cer and “getCertSAP Server CA Certificate.cer”. Import it into your Certificate store:

And add it to the Certificate List:

Also add these Certificates to your local Certificate store via double click on them in the Windows Explorer. So you will not get any error Messages from your Browser that the Certificate is not valid.

Start SSL Server

If the SSL Server is not already running try to start it via SMICM:

  • Click on Services (Shift + F1)
  • Choose the Line “HTTPS”
  • Choose Service -> Activate

Test

Test your settings on the command line with

   netstat -an

It should find one line like:

TCP    0.0.0.0:8443           0.0.0.0:0              ABHÖREN

Start BSP Application which needs HTTPS

SE80, open the BSP-Application “HTMLB_samples” and run the test by pressing F8. To force that HTTPS is used you can set this in SE80 via Menu Utilities -> Settings. In the Tab “Business Server Pages” enter Log, Application Server and Port:

Save the setting and run the application via F8. Your browser will start and

More detailed information about the SSL Configuration of the Web AS can be found in the Help at Configuring  the SAP Web AS for Supporting SSL. Also have a look at SAP Note 510007.

To report this post you need to login first.

17 Comments

You must be Logged on to comment or reply to a post.

  1. Anonymous
    Gregor,

    Your weblog has been very helpful in my trying to understand SAP’s SSO…even though I’m still not grasping everything.

    (0) 
    1. Gregor Wolf Post author
      Hello Greg,

      please be aware of the update I’ve made. You should not replace the ‘*’ with the Hostname. The Certifiacte for the Application server sould be created for every instance.

      Regards
      Gregor

      (0) 
      1. David Bann
        This is a great Blog! Very helpful – I don’t normally deal with basis type stuff though, and I dont understand how the domain workd with regards to the *.siteco.net…

        I am running windows XP pro – what do I need to do to set up this domain? I usually log into a local admin account. Do I use my computer name or IP address? Or some ficticious domain name? If so, do I need ot edit the host files or something?

        Thanks again for the good article!

        (0) 
        1. Gregor Wolf Post author
          Hi David,

          *.siteco.net is used for the Standard PSE. Every Application Server get it’s own Certificate where the * is replaced by the Hostname. On Windows you can edit your hosts file and add a line like:

          127.0.0.1   hostname.domain.local

          And then use *.domain.local in the Name.

          Regards
          Gregor

          (0) 
  2. Subrahmanyeswara Nutakki
    Hi Greg,
    Your weblog has been very helpful but i have some issues like if we activate this HTTPS on our existing WAS 6.40 , will there be any effect for the existing http links which will be used by users with in our domain(intranet).

    Our requirment is
    1. currently our internet users(outside our compnay domain) also using http prot only , so we would like to activate https link for internet users. if we proceed for this

    will there be any problem for intranet users(with in domain) I mean will they access our site with http prot

    please advice me

    thanks
    Subbu

    (0) 
    1. Satish Arram
      Hi,

      I have seen that you got the error “Operation failed (rc=1)” when you tried to activate HTTPS. Has this issue fixed? If so, could you please let me know the procedure that you followed?  Because, I am getting the same error when I tried to activate HTTPS. I am using ITS 7.0.

      Thanks in advance.

      Regards,
      Satish.

      (0) 
    2. Danny Sanchez
      Hi All

      I followed exactly the instructions in this block, but at the time of activation HTTPS I have exactly the same message:” I cannot activate HTTPS – Operation failed (rc=1)”

      It takes more configurations or activate another service to solve these problems? thank you very much

      Regards

      (0) 
  3. asma syeda
    I’m img ABAP Trial NW 2004s. I don’t have a service market place id is there a way I can still download Crypto libs to test HTTPS?

    Pls.suggest. Great Job!

    (0) 
    1. Gregor Wolf Post author
      Hello,

      I think there is no other way to get the SAP Crypto Libs. Please contact your basis admin. Perhaps he can get them for you.

      Best regards
      Gregor

      (0) 
  4. Anonymous
    Hi Gregor,

    Thanks for this extremely useful blog…saved atleast couple of days work.

    Regards,
    Kaushik

    (0) 
    1. Gregor Wolf Post author

      Hi Thomas,

      I think for Windows the procedure is still the same. Any concrete thing where the instructions are incorrect?

      Best regards

      Gregor

      (0) 
      1. Thomas Bezak

        For instance this being one of the top results on SCN for HTTPS setup I think it may prompt many users to download the old sapcrypto while they have the newer version already built in to the kernel. Also since sapcrypto is now delivered standard on a new install with the kernel are the other steps like setting the system variable SECUDIR still required? SAP documentation is not clear on this.

        If SAP now provides sapcrypto as standard should the system not come with more of the setup completed out of the box to ensure that HTTPS is implemented correctly, uniformly, and securely?

        (0) 
          1. Thomas Bezak

            It would be great if someone could produce an updated document. I don’t think the top search result for something critical like HTTPS security setup should be 10 years old.

            (0) 

Leave a Reply