The below is an end-to-end working example to enable SSO based on OpenSSL for Windows on a SAP Web AS ABAP sandbox system to learn and understand the concepts. Neither key lengths nor other security considerations except for making this example work have been considered.
Enabling X.509 based SSO on SAP Web AS ABAP with your own CA based on OpenSSL requires 6 steps:
- Installing the SAP Cryptographic Library
- Configuring the Web AS ABAP
- Setting-up your own CA
- Creating a server certificate
- Creating a client certificate
- Creating a user certificate
Installing the SAP Cryptographic Library
Please see the SAP online help for this prerequisite:
- Go to http://service.sap.com/swdc.
- Navigate to Installations and Upgrades -> Browse our Download Catalog -> SAP Cryptographic Software
to $(DIR_EXECUTABLE) and restart the system.
Configuring the Web AS ABAP
Please see the SAP online help for this step:
Set profile parameters:
- ssl/ssl_lib = $(DIR_EXECUTABLE)\sapcrypto.dll
- sec/libsapsecu = $(DIR_EXECUTABLE)\sapcrypto.dll
- ssf/ssfapi_lib = $(DIR_EXECUTABLE)\sapcrypto.dll
- ssf/name = SAPSECULIB
- icm/server_port_ xx= PROT=HTTPS, PORT=port,TIMEOUT=timeout_in_seconds
Setting-up your own CA
- Install OpenSSL.
- Add the …\openssl-win32\bin directory to the Windows PATH variable
- Goto the …\openssl-win32 directory
- Create a .\demoCA directory
- Copy .\bin\pem\democa\serial to .\demoCA
- Create an empty index.txt file via
organizationName = optional
- Create your own secure 4096 bit private key
openssl genrsa -des3 -out rootca.pem 4096
- Create your secure SHA-256 root CA certificate via
openssl req -new -x509 -sha256 -extensions v3_ca -key rootca.pem -out rootca.crt -days 365
- Import rootca.crt into your browser as a Trusted Root Certificate Authority.
Creating a server certificate
- In STRUST create a new SSL server Standard certificate.
- Create Certificate Request (so far indicated as self-signed) as sslreq.csr
- Sign the certificate via
openssl ca -cert rootca.crt -keyfile rootca.pem -out sslreq.crt -infiles sslreq.csr
- Add rootca.crt to sslreq.crt by appending it to its end.
- Import Certificate Response sslreq.crt.
Creating a client certificate
- In STRUST create a new SSL client SSL Client (Standard) certificate.
- Create Certificate Request (so far indicated as self-signed) as clienteq.csr
- Sign the certificate via
openssl ca -cert rootca.crt -keyfile rootca.pem -out clientreq.crt -infiles clientreq.csr
- Add rootca.crt to clientreq.crt by appending it to its end.
- Import Certificate Response clientreq.crt.
Creating a user certificate
- Generate a user key via
openssl genrsa -des3 -out user.pem 4096
- Create a certificate request via
openssl req -key user.pem -new -out user.csr
- Sign the generated private key via
openssl x509 -req -days 365 -in user.csr -CA rootca.crt -CAkey rootca.pem -set_serial 01 -out user.crt
- Export the private key of the certificate via
openssl pkcs12 -export -out user.pfx -inkey user.pem -in user.crt
- Import user.pfx into your browser as a Personal certificate.
- Call SM30 to Maintain table VUSREXTID.
- External ID type is DN.
- Chose NewEntries and import your user.crt.
- Maintain the associated User.
From now on a pop-up will appear once you want to get onto a web based transaction like SOAMANAGER to select your certificate which will then authenticate you without further password request. Also your communication will be secure as per the TSL standard.