Skip to Content

Enabling X.509 based SSO for the SAP Web AS ABAP with your own CA based on OpenSSL for Windows

The below is an end-to-end working example to enable SSO based on OpenSSL for Windows on a SAP Web AS ABAP sandbox system to learn and understand the concepts. Neither key lengths nor other security considerations except for making this example work have been considered.

Enabling X.509 based SSO on SAP Web AS ABAP with your own CA based on OpenSSL requires 6 steps:

  • Installing the SAP Cryptographic Library
  • Configuring the Web AS ABAP
  • Setting-up your own CA
  • Creating a server certificate
  • Creating a client certificate
  • Creating a user certificate

Installing the SAP Cryptographic Library

Please see the SAP online help for this prerequisite:

http://help.sap.com/saphelp_nw73/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htm.

To summarize:

  1. Go to http://service.sap.com/swdc.
  2. Navigate to Installations and Upgrades -> Browse our Download Catalog -> SAP Cryptographic Software
  3. Copy:
    • sapcrypto.dll
    • sapcrypto.lst
    • sapgenpse.exe

to $(DIR_EXECUTABLE) and restart the system.

Configuring the Web AS ABAP

Please see the SAP online help for this step:

http://help.sap.com/saphelp_nw73/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htm.

To summarize:

Set profile parameters:

  • ssl/ssl_lib = $(DIR_EXECUTABLE)\sapcrypto.dll
  • sec/libsapsecu = $(DIR_EXECUTABLE)\sapcrypto.dll
  • ssf/ssfapi_lib = $(DIR_EXECUTABLE)\sapcrypto.dll
  • ssf/name = SAPSECULIB
  • icm/server_port_ xx= PROT=HTTPS, PORT=port,TIMEOUT=timeout_in_seconds

Setting-up your own CA

  1. Install OpenSSL.
  2. Add the …\openssl-win32\bin directory to the Windows PATH variable
  3. Goto the …\openssl-win32 directory
  4. Create a .\demoCA directory
  5. Copy .\bin\pem\democa\serial  to .\demoCA
  6. Create an empty index.txt file via
    notepad .\demoCA\index.txt
  7. Change
    organizationName = optional
    in .\bin\openssl.cfg
  8. Create your own secure 4096 bit private key
    openssl genrsa -des3 -out rootca.pem 4096
  9. Create your secure SHA-256 root CA certificate via
    openssl req -new -x509 -sha256 -extensions v3_ca -key rootca.pem -out rootca.crt -days 365
  10. Import rootca.crt into your browser as a Trusted Root Certificate Authority.

Creating a server certificate

  1. In STRUST create a new SSL server Standard certificate.
  2. Create Certificate Request (so far indicated as self-signed) as sslreq.csr
  3. Sign the certificate via
    openssl ca -cert rootca.crt -keyfile rootca.pem -out sslreq.crt -infiles sslreq.csr
  4. Add rootca.crt to sslreq.crt by appending it to its end.
  5. Import Certificate Response sslreq.crt.

Creating a client certificate

  1. In STRUST create a new SSL client SSL Client (Standard) certificate.
  2. Create Certificate Request (so far indicated as self-signed) as clienteq.csr
  3. Sign the certificate via
    openssl ca -cert rootca.crt -keyfile rootca.pem -out clientreq.crt -infiles clientreq.csr
  4. Add rootca.crt to clientreq.crt by appending it to its end.
  5. Import Certificate Response clientreq.crt.

Creating a user certificate

  1. Generate a user key via
    openssl genrsa -des3 -out user.pem 4096
  2. Create a certificate request via
    openssl req -key user.pem -new -out user.csr
  3. Sign the generated private key via
    openssl x509 -req -days 365 -in user.csr -CA rootca.crt -CAkey rootca.pem -set_serial 01 -out user.crt
  4. Export the private key of the certificate via
    openssl pkcs12 -export -out user.pfx -inkey user.pem -in user.crt
  5. Import user.pfx into your browser as a Personal certificate.
  6. Call SM30 to Maintain table VUSREXTID.
  7. External ID type is DN.
  8. Chose NewEntries and import your user.crt.
  9. Maintain the associated User.

Result

From now on a pop-up will appear once you want to get onto a web based transaction like SOAMANAGER to select your certificate which will then authenticate you without further password request. Also your communication will be secure as per the TSL standard.

Be the first to leave a comment
You must be Logged on to comment or reply to a post.