In November 2013, SAP released a new cryptographic library called CommonCryptoLib. CommonCryptoLib is the technical successor of the well-known SAP Cryptographic Library (SAPCRYPTOLIB). In this blog, I will outline the differences between the various security libraries available from SAP and explain how your SAP Single Sign-On installation benefits from the new CommonCryptoLib.
Previously Available Security Libraries
In the past, the ABAP kernel came with the SAP Cryptographic Library (SAPCRYPTOLIB). It was the default security product provided by SAP for encryption in SAP systems. The SAP Cryptographic Library supports not only digital signatures in SAP systems but also encryption. You can use it, for example, as the security provider for Secure Network Communications (SNC) or for Secure Sockets Layer (SSL) with the SAP NetWeaver Application Server.
In addition, there was the Secure Login Library, a component of the SAP Single Sign-On product. It serves as the cryptography and security library for SAP NetWeaver Application Server ABAP, providing single sign-on through Secure Network Communications (SNC) with Kerberos tokens or X.509 certificates, and supporting digital signatures according to the Secure Store and Forward (SSF) interface.
Furthermore, there was the SAP Security Library (SAPSECULIB), which was limited to digital signatures via the SSF interface, i.e. functions for creating and verifying digital signatures within SAP systems, but not for encrypting data. Moreover, SAPSECULIB supports only the DSA algorithm with a 512-bit key length, which is far below the key sizes considered secure today. To encrypt data and/or to use the RSA algorithm for digital signatures, you had to replace SAPSECULIB with the SAP Cryptographic Library (SAPCRYPTOLIB) described above.
The New CommonCryptoLib Does it All
With several different security libraries available, it was not always easy for SAP Single Sign-On customers to understand which library to use when on SAP NetWeaver Application Server ABAP. SAP now provides a single security library, CommonCryptoLib, which covers all scenarios supported by the previous SAP Cryptographic Library and Secure Login Library.
But there is even more good news: CommonCryptoLib not only merges the features of the SAP Cryptographic Library and the Secure Login Library, but provides new features as well. You can optionally use hardware security modules (HSMs) to store and protect your private keys in hardware. In addition, CommonCryptoLib is currently undergoing FIPS 140-2 certification (for details, see the related blog on SCN).
Please be aware that using CommonCryptoLib for single sign-on (Kerberos, X.509) or SPNEGO for ABAP, as well as the use of hardware security modules, requires a license for the SAP Single Sign-On product. For an overview of the features supported by each of the security libraries mentioned above, see the following table:
Deployment Options for the CommonCryptoLib
The new CommonCryptoLib replaces the SAP Cryptographic Library. There are two deployment options for CommonCryptoLib:
- Via the ABAP kernel
- Via download from SAP Service Marketplace
Deploying CommonCryptoLib is therefore very easy: it already ships with the kernel of SAP NetWeaver Application Server ABAP. For the corresponding ABAP kernel patch levels, refer to SAP Note 1848999.
Alternatively, you can download the current version of CommonCryptoLib from the SAP Service Marketplace (see http://service.sap.com/swdc -> Browse our Download Catalog -> SAP Cryptographic Software -> SAPCRYPTOLIB -> COMMONCRYPTOLIB 8) and deploy the library yourself.
CommonCryptoLib is fully backward compatible with previous versions of the SAP Cryptographic Library, and no adjustments are required from customers using the SAP NetWeaver platform. The library keeps the same technical name as its predecessor, SAPCRYPTOLIB (the file is still sapcrypto.dll on Windows and libsapcrypto.so on Unix), so existing profile parameters that point at it continue to work. If you want to dive into the details, see SAP Note 2004653 for the cryptographic algorithms implemented in CommonCryptoLib.
SAP NetWeaver Application Server Java also uses the new CommonCryptoLib for cryptographic functions such as secure communication via SSL and via SNC (for RFC server connections). As with AS ABAP, there are two deployment options: via the Java kernel or via download from SAP Service Marketplace. Note that, contrary to what the current documentation indicates, CommonCryptoLib no longer requires a ticket file; if the documented installation steps insist on one, a dummy file named "ticket" can be used as a workaround.
Besides the SAP NetWeaver Application Server, SAP HANA also supports CommonCryptoLib as of SAP HANA Support Package Stack 07. SAP HANA uses CommonCryptoLib for operations that require cryptography, for example data volume encryption and SSL communication encryption.
Simplify Your SAP Single Sign-On Installation
Beginning with SAP Single Sign-On 2.0 SP3, the Secure Login Library is no longer required, since all of its features are now included in CommonCryptoLib. This means that, as of release 2.0 SP3, a newly installed SAP Single Sign-On uses CommonCryptoLib as the default cryptographic library for SNC and SPNEGO for ABAP. You only have to deal with a single security library instead of the two you had in the past, which makes your SAP Single Sign-On installation much simpler. You no longer need to install a separate cryptographic library on the ABAP servers.
As mentioned before, CommonCryptoLib already ships with the kernel of SAP NetWeaver Application Server ABAP. Alternatively, you can download the current version from the SAP Service Marketplace (see above).
If you are not currently using the SAP Single Sign-On product but do use the "old" SAP Cryptographic Library (SAPCRYPTOLIB), for example for SSL communication, we still recommend migrating to CommonCryptoLib, since future enhancements will only be implemented in this new library.
Only Minor Adjustments to Your Existing SAP Single Sign-On Installation
If you are already running SAP Single Sign-On with Secure Login Library, you have two options:
- You can simply upgrade your Secure Login Library to 2.0 SP3. In this case, you continue using your existing configuration. The instance profile parameter containing the path to Secure Login Library remains unchanged.
- You can migrate to the new CommonCryptoLib and use it as the default cryptographic library for SNC and SPNEGO for ABAP. Migration is possible both from Secure Login Library 1.0 and from Secure Login Library 2.0 SP2 or lower. Start the migration from a system that is using the Secure Login Library as its default cryptographic library and follow the steps outlined in the migration documentation.
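Whichever option you choose, the instance profile is where the library is actually selected, and after a migration to CommonCryptoLib all crypto-related parameters should resolve to one and the same library file, because CommonCryptoLib replaces both SAPCRYPTOLIB and the Secure Login Library. The following Python script is an added example (not from the original post and not SAP tooling) that parses an instance profile, expands $(...) variables, and reports parameters that still point at different libraries. The parameter names snc/gssapi_lib, ssl/ssl_lib, ssf/ssfapi_lib, sec/libsapsecu and snc/enable are real AS ABAP profile parameters; the profile contents and the paths in it are constructed for the illustration.

```python
"""Check the security-library parameters of an SAP instance profile.

Added example; the sample profiles below are constructed, the parameter
names are real AS ABAP profile parameters, the paths are illustrative.
"""
import os
import re

# Profile parameters that name a security library.
CRYPTO_LIB_PARAMS = ("snc/gssapi_lib", "ssl/ssl_lib", "ssf/ssfapi_lib", "sec/libsapsecu")

# Constructed sample: a consistent profile after migration to CommonCryptoLib.
PROFILE_OK = """\
# constructed instance profile (illustration only)
SAPSYSTEMNAME = ABC
DIR_EXECUTABLE = /usr/sap/$(SAPSYSTEMNAME)/SYS/exe/run
snc/enable = 1
snc/gssapi_lib = $(DIR_EXECUTABLE)/libsapcrypto.so
ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so
ssf/ssfapi_lib = $(DIR_EXECUTABLE)/libsapcrypto.so
sec/libsapsecu = $(DIR_EXECUTABLE)/libsapcrypto.so
"""

# Constructed sample: SNC still points at a separately installed library
# (the "sll" directory is hypothetical).
PROFILE_MIXED = PROFILE_OK.replace(
    "snc/gssapi_lib = $(DIR_EXECUTABLE)/libsapcrypto.so",
    "snc/gssapi_lib = /usr/sap/ABC/SYS/exe/run/sll/libsapcrypto.so",
)

_VAR = re.compile(r"\$\(([^)]+)\)")


def parse_profile(text):
    """Parse 'name = value' lines; lines starting with '#' are comments; a later line wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def resolve(value, params, depth=0):
    """Expand $(NAME) references with other profile parameters, recursively."""
    if depth > 16:
        raise ValueError("profile variable substitution too deep (loop?)")

    def repl(match):
        name = match.group(1)
        if name not in params:
            raise KeyError("unresolved profile variable $(%s)" % name)
        return resolve(params[name], params, depth + 1)

    return _VAR.sub(repl, value)


def crypto_libraries(params):
    """Map each crypto-library parameter that is set to its resolved path."""
    return {p: resolve(params[p], params) for p in CRYPTO_LIB_PARAMS if p in params}


def findings(params, exists=os.path.isfile):
    """Return a list of problems; an empty list means the profile is consistent.

    'exists' is injectable so the check can run against a profile copied from
    another host (pass exists=lambda _: True to skip the file-system check).
    """
    libs = crypto_libraries(params)
    problems = []
    if params.get("snc/enable") == "1" and "snc/gssapi_lib" not in libs:
        problems.append("snc/enable is 1 but snc/gssapi_lib is not set")
    distinct = sorted(set(libs.values()))
    if len(distinct) > 1:
        problems.append("parameters point to %d different libraries: %s"
                        % (len(distinct), ", ".join(distinct)))
    for param, path in libs.items():
        if not exists(path):
            problems.append("%s: %s not found on this host" % (param, path))
    return problems


if __name__ == "__main__":
    for label, text in (("consistent", PROFILE_OK), ("mixed", PROFILE_MIXED)):
        # skip the file check so the constructed samples run on any machine
        print(label, findings(parse_profile(text), exists=lambda _: True) or "OK")
```

Run it against a real profile with `findings(parse_profile(open(path).read()))` to keep the file-existence check; on a migrated system the expected result is an empty list, and anything else tells you which parameter was left behind.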
Configuration of CommonCryptoLib for Usage with SAP Single Sign-On
Please be aware that the Secure Login Library comes with configuration files, whereas CommonCryptoLib is delivered as is; configuration files are not part of the installation. However, CommonCryptoLib supports all configurable features of the "old" Secure Login Library. If you want to use these features, adapt the configuration files accordingly. For example, revocation checks with certificate revocation lists (CRLs) and the configuration of the SNC communication protocol parameters require such additional configuration files. You can download templates from SAP Note 1996839.
Even though CommonCryptoLib supports the same features as the Secure Login Library, there are a few minor compatibility differences between the two libraries, such as the use of different name schemas for SNC names. For details and migration guidelines, refer to the documentation.
Make Use of the Full Power of CommonCryptoLib
As mentioned before, CommonCryptoLib not only merges the features of SAP's previous security libraries, but provides new features as well. The optional component "NWSSO for CommonCryptoLib 2.0", which is part of SAP Single Sign-On, enables the following functions in conjunction with CommonCryptoLib:
- Hardware security module (HSM) support via the device's PKCS#11 interface
- Revocation check with certificate revocation lists (CRLs)
Please be aware that using these functions of CommonCryptoLib requires a license for the SAP Single Sign-On product.
You can use an HSM together with a Secure Login Server acting as Certificate Authority (CA). Keeping the CA's private key in hardware protects your CA: the key can be used for signing inside the device but cannot be exported from it. In addition, you can also store in hardware the private keys used for digital signatures (Secure Store and Forward, SSF). You might also benefit from hardware performance acceleration.
For more information, refer to the documentation.
Even more features are planned for the future, so stay tuned. It is worthwhile to migrate to the new CommonCryptoLib since all future enhancements will only be part of this library and not the “old” SAP Cryptographic Library (SAPCRYPTOLIB).
By merging the features of the previously available cryptographic libraries into the new CommonCryptoLib, SAP considerably simplifies deployment for its customers. In addition, you can benefit from new features available with CommonCryptoLib, such as hardware security module support.
For more information about CommonCryptoLib, see SAP Note 1848999 “Central Note for CommonCryptoLib 8 (replacing SAPCRYPTOLIB)”.