Change Root Certificate in Secure Login Server
Best Practice
   
Version 1.0 / September 2013

SAP NetWeaver Single Sign-On 2.0
SAP AG

 
 
 
General Information
This document is based on the Online Help (Version from 2013-09-27):
http://help.sap.com/nwsso
Central SAP Note SAP NetWeaver Single Sign-On:
https://service.sap.com/sap/support/notes/1912175
Overview Presentation SAP NetWeaver Single Sign-On:
http://scn.sap.com/docs/DOC-4408
Community Network (SCN) SAP NetWeaver Single Sign-On:
http://scn.sap.com/community/netweaver-sso
 
 
 
Context
Secure Login is an innovative software solution specifically created for improving user and IT productivity and for protecting business-critical data in SAP business solutions by means of secure single sign-on to the SAP environment.
Secure Login provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components.
In a default SAP setup, users enter their SAP user name and password on the SAP GUI logon screen. SAP user names and passwords are transferred through the network without encryption.
To secure networks, SAP provides a “Secure Network Communications” interface (SNC) that enables users to log on to SAP systems without entering a user name or password. The SNC interface can also direct calls through the Secure Login Library to encrypt all communication between SAP GUI and the SAP server, thus providing secure single sign-on to SAP.
Secure Login allows you to benefit from the advantages of SNC without being obliged to set up a public-key infrastructure (PKI). If a PKI has already been set up, the digital user certificates of the PKI can also be used by Secure Login.
This document describes how to change the root certificate and provides further information need to be considered. Please take note that this documentation does not take into account all customer environments (e.g. customer specific processes). Please ask for consulting if further support is required.
 
 
 
Situation
Whenever using a Public Key Infrastructure (PKI) solution one question will always arise:
What should I do if the Root Certificate is not valid anymore?
This question is also valid for the out-of-the-box PKI from SAP NetWeaver Single Sign-On (Secure Login Server component) which is using X.509 certificates to enable strong authentication and secure communication.
The short answer is:
Create in advance a new Root CA Certificate and distribute the new Root CA Certificate to all communication partners (Client and Server).
This document will describe with an example how to plan and proceed.
 
 
 
Example
Let’s use the following use case (example configuration) to explain how to proceed:
  • Secure Login Server will be used to issue short lived User Certificates (Validity: 10 Hours)
  • Secure Login Server will be used to issue long term Server Certificates (Validity: 2 Years) for SAP Application Server
  • Sub CA Certificates have a validity of 4 years
  • Root CA Certificate has a validity of 12 years
PKI_Overview.jpg
During the term of the Root CA Certificate there is no issue when creating new Sub CA Certificates, SAP/SSL Server Certificates or User Certificates.

But before the Root CA Certificate is not valid anymore it is required to create a new Root CA Certificate and distribute to all communication partners (Client / Server).
 

Transition Time
The question ”When should I start to create a new Root CA Certificate?“ depends to the customer environment (customer workflow and processes). This means it needs to be estimated how long it takes to distribute the new Root CA Certificate (Public Certificate) to all Client PCs and all SAP Backend Systems.
Transition.jpg
Once the new Root CA Certificate is distributed to all communication partners, it is possible to switch to the new Root CA Certificate. This means it is possible to create new Sub CA Certificates, SAP Application Server Certificates or User Certificates using the new Root CA Certificate.
For example if a time frame of 12 month is defined, this means 12 month before the “old” Root CA Certificate is not valid anymore a new Root CA Certificate will be created and there are 12 month left to distribute the new Root CA Certificate to all Client PC’s and SAP Backend Systems.
Please check the online documentation http://help.sap.com/nwsso for how to create and export certificates using Secure Login Server Administration Console.

 
 
How to deploy new Root CA Certificate to Client PCs
Within Microsoft Active Directory System environment this step can be done centrally using Microsoft Group Policies. Therefore copy the new Root CA Certificate to the desired group policy in:
Computer Configuration – Policies – Windows Settings – Security Settings – Public Key Policies – Trusted Root Certification Authorities
Every Windows Domain Computer will receive the new Root CA certificate automatically.

 
 
 
How to deploy new Root CA Certificate to SAP AS ABAP
This example describes the import for SNC Server Certificate. It is the similar approach for all other Server Certificates (e.g. SSL Server Certificate).
Login to the desired SAP AS ABAP system, start the transaction STRUST and choose the certificate in the folder SNC SAPCryptolib.
STRUST_1.jpg
Choose in menu Certificate – Import (or use the button in the UI), choose the new Root CA Certificate and press the button Add to Certificate List.
STRUST_2.jpg
STRUST_3.jpg
Save the configuration.
If required import the new Root CA Certificate to other SAP Server Certificates (e.g. SSL Server).
 
 
 
How to deploy new Root CA Certificate to SAP AS JAVA
Login to the SAP NetWeaver Administrator of the desired SAP AS JAVA System.
Choose the tab Configuration and choose the option SSL.
Choose the tab Trusted CAs and import the new Root CA Certificate.
AS-JAVA_1.jpg
AS-JAVA_2.jpg
Save the configuration.
  
  
 
How to switch to new User CA in Secure Login Server
In case the new Root CA Certificate is distributed to all communication partners it is possible to switch to the new User CA in Secure Login Server.
Therefore open Secure Login Administration Console and create a new User CA Certificate (using the new Root CA Certificate).
Choose the desired Client Authentication Profile and assign the new User CA Certificate:
Tab Client Management – Choose the desired Authentication Profile – Tab User Certificate Configuration – User Certificate Issuer – User CA for Issuing User Certificates

SLS_1.jpg

Perform this configuration step also to other Client Authentication Profiles (if required).
 

Summary
Short summary which steps are required to change the Root CA Certificate in Secure Login Server
  • Estimate time frame for distributing new Root CA Certificate in your environment.
    Calculate organizational delays and unexpected issues (calculate buffer time).
    If required contact Security Consulting for support.
  • Start the process with creating the new Root CA Certificate and distributing (Public Part)
    to all communication partners (all Client PCs and SAP Backend Systems).
  • Create a new User CA Certificate (using the new Root CA Certificate) and perform tests.
    Start a test environment and request a new User Certificate from new User CA and verify
    if the authentication to the SAP Server System still works.
  • Organize an appointment (e.g. in weekend or after working hours) to switch to the new User CA.
    So typically the next working day users will receive a new User Certificate issued by the new User CA Certificate.
  • After switching to the new Root CA Certificate it is possible to create new Sub CA or Server Certificates (if required).
 
To report this post you need to login first.

1 Comment

You must be Logged on to comment or reply to a post.

Leave a Reply