Enabling X.509 based SSO for the SAP Web AS ABAP with your own CA based on OpenSSL for Windows

The below is an end-to-end working example to enable SSO based on OpenSSL for Windows on a SAP Web AS ABAP sandbox system to learn and understand the concepts. Neither key lengths nor other security considerations except for making this example work have been considered.

Enabling X.509 based SSO on SAP Web AS ABAP with your own CA based on OpenSSL requires 6 steps:

• Installing the SAP Cryptographic Library
• Configuring the Web AS ABAP
• Setting-up your own CA
• Creating a server certificate
• Creating a client certificate
• Creating a user certificate

Installing the SAP Cryptographic Library

Please see the SAP online help for this prerequisite:

http://help.sap.com/saphelp_nw73/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htm.

To summarize:

1. Go to http://service.sap.com/swdc.
2. Navigate to Installations and Upgrades -> Browse our Download Catalog -> SAP Cryptographic Software
3. Copy:

• sapcrypto.dll
• sapcrypto.lst
• sapgenpse.exe

to $(DIR_EXECUTABLE) and restart the system.

Configuring the Web AS ABAP

Please see the SAP online help for this step:

http://help.sap.com/saphelp_nw73/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htm.

To summarize:

Set profile parameters:

• ssl/ssl_lib = $(DIR_EXECUTABLE)\sapcrypto.dll
• sec/libsapsecu = $(DIR_EXECUTABLE)\sapcrypto.dll
• ssf/ssfapi_lib = $(DIR_EXECUTABLE)\sapcrypto.dll
• ssf/name = SAPSECULIB
• icm/server_port_ xx= PROT=HTTPS, PORT=port,TIMEOUT=timeout_in_seconds

Setting-up your own CA

1. Install OpenSSL.
2. Add the …\openssl-win32\bin directory to the Windows PATH variable
3. Goto the …\openssl-win32 directory
4. Create a .\demoCA directory
5. Copy .\bin\pem\democa\serial  to .\demoCA
6. Create an empty index.txt file via
   notepad .\demoCA\index.txt
7. Change
   organizationName = optional
   in .\bin\openssl.cfg
8. Create your own secure 4096 bit private key
   openssl genrsa -des3 -out rootca.pem 4096
9. Create your secure SHA-256 root CA certificate via
   openssl req -new -x509 -sha256 -extensions v3_ca -key rootca.pem -out rootca.crt -days 365
10. Import rootca.crt into your browser as a Trusted Root Certificate Authority.

Creating a server certificate

1. In STRUST create a new SSL server Standard certificate.
2. Create Certificate Request (so far indicated as self-signed) as sslreq.csr
3. Sign the certificate via
   openssl ca -cert rootca.crt -keyfile rootca.pem -out sslreq.crt -infiles sslreq.csr
4. Add rootca.crt to sslreq.crt by appending it to its end.
5. Import Certificate Response sslreq.crt.

Creating a client certificate

1. In STRUST create a new SSL client SSL Client (Standard) certificate.
2. Create Certificate Request (so far indicated as self-signed) as clienteq.csr
3. Sign the certificate via
   openssl ca -cert rootca.crt -keyfile rootca.pem -out clientreq.crt -infiles clientreq.csr
4. Add rootca.crt to clientreq.crt by appending it to its end.
5. Import Certificate Response clientreq.crt.

Creating a user certificate

1. Generate a user key via
   openssl genrsa -des3 -out user.pem 4096
2. Create a certificate request via
   openssl req -key user.pem -new -out user.csr
3. Sign the generated private key via
   openssl x509 -req -days 365 -in user.csr -CA rootca.crt -CAkey rootca.pem -set_serial 01 -out user.crt
4. Export the private key of the certificate via
   openssl pkcs12 -export -out user.pfx -inkey user.pem -in user.crt
5. Import user.pfx into your browser as a Personal certificate.
6. Call SM30 to Maintain table VUSREXTID.
7. External ID type is DN.
8. Chose NewEntries and import your user.crt.
9. Maintain the associated User.

Result

From now on a pop-up will appear once you want to get onto a web based transaction like SOAMANAGER to select your certificate which will then authenticate you without further password request. Also your communication will be secure as per the TSL standard.