
31 Comments


  1. Samuli Kaski

    Thanks Martina, very useful information especially to those wondering about the different features of the available security libraries.

    As mentioned before, the CommonCryptoLib already comes with the kernel of SAP NetWeaver Application Server ABAP.

    Maybe it’s good to note that it comes with the kernel of AS ABAP starting from specific SP levels and those SP levels can be found in SAP note 1848999. Can you also include a chapter or at least a paragraph on using CommonCryptoLib in AS JAVA?

    (0) 
    1. Matt Fraser

      It would also be good to note one little quirk with setting up SSL on AS Java using CommonCryptoLib (at least in AS Java 7.4). The documentation about CommonCryptoLib (Installing the SAP Cryptographic Library for SSL – Network and Transport Layer Security – SAP Library) pretty clearly implies that it comes with a ticket file, but in fact it does not. Per Stephan André the ticket file is no longer required, but AS Java 7.4 still expects there to be one (see his response to my question about this at CommonCryptolib 8.4.17 – Ticket File Missing). My experience bears out his answer — without a ticket file, the NetWeaver Administrator complains about it missing and won’t allow configuration of SSL, but creating a dummy file makes NWA happy.

      Otherwise, though, thank you for the helpful information (especially the bits about when an NWSSO license is required, and when it is not).

      Regards,

      Matt

      (0) 
          1. Marcel Dyba

            Unfortunately the problem with the ticket file still exists in SAP NW AS Java 7.5.
            If you enter the SSL configuration of a freshly installed system it complains ‘Ticket file not found’…
            I downloaded the latest available COMMONCRYPTOLIB but it did not contain the ticket file.

            As far as I have seen, and please correct me if I am wrong, SAP HELP does not tell anything about the ticket file.

            I know the workaround with the dummy ticket file but if this is a solution for the problem, then please update SAP HELP and make this workaround part of the documentation.

            To be honest, I don’t get why this problem still exists.

            It was reported already a long time ago and I guess every administrator is having the issue with each installation.

            Would be great if this could be fixed.

            Regards

            Marcel

            (0) 
            1. Stephan André

              Sorry for this…

              But in fact, no real license ticket is required anymore, and CCL will not come with a dummy file. It is also searched in SECUDIR, not in the CCL installation folder “exe”, which would be an argument for adding it to the CC SAR.

              The trick is to create this dummy file named “ticket” with some dummy content in SECUDIR manually or as part of your installation routine. Something like:

              > echo "dummy" > /usr/sap/SID/SYS/sec/ticket

              Hope it helps.

              — Stephan

              (0) 
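
Stephan's suggestion to create the dummy file "as part of your installation routine", written out as an added shell example (not code from the thread or from SAP). It assumes the function is run as the OS user that owns SECUDIR; the function name `ensure_dummy_ticket` and its return codes are hypothetical.

```shell
#!/bin/sh
# Added example: idempotent install step for the dummy "ticket" file
# that NWA expects to find in SECUDIR.
# Assumption: SECUDIR is passed as $1 or taken from the environment.
# Usage (path as in the comment above): ensure_dummy_ticket /usr/sap/SID/SYS/sec

ensure_dummy_ticket() {
    secudir="${1:-${SECUDIR:-}}"

    if [ -z "$secudir" ]; then
        echo "SECUDIR is not set" >&2
        return 2
    fi
    if [ ! -d "$secudir" ]; then
        echo "SECUDIR '$secudir' is not a directory" >&2
        return 3
    fi

    ticket="$secudir/ticket"

    # Never overwrite a ticket file (or symlink) that is already there.
    if [ -e "$ticket" ] || [ -L "$ticket" ]; then
        echo "ticket already present, left untouched: $ticket" >&2
        return 0
    fi

    # Create the file owner-only (umask 077) and with noclobber (set -C),
    # so a file that appears between the check and the write is not replaced.
    ( umask 077 && set -C && echo "dummy" > "$ticket" ) || return 4

    echo "created dummy ticket: $ticket" >&2
    return 0
}
```

Because an existing file is left alone, the step can be repeated on every installation or kernel update.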
  2. Andy Silvey

    Hi Martina,

    thank you for a very useful article.

    Question:

    Let’s assume we are a customer using SNC between SAP systems with the old SAP Crypto Lib and tickets generated with that library and secudir environment variable set etc.

    Is there any guidance from SAP on what needs to be done and what does not need to be done when migrating from using SAPCryptoLib to the new CommonCryptoLib?

    For example immediate questions come to mind, crypto algorithms, tickets generation, different versions of libraries. Do we need to re-implement SNC if we want to use the CommonCryptoLib?

    Best regards,

    Andy.

    (0) 
    1. Martina Kirschenmann Post author

      Hi Andy,

      CommonCryptoLib is fully backward compatible with previous versions of SAP Cryptographic Library and no migration is required for the scenario described by you above.

      You only need to:

      a) install ABAP kernel update or

      b) install CommonCryptoLib (download from SAP Service Marketplace).

      Best regards,

      Martina

      (0) 
      1. Matt Fraser

        This has been my experience as well, in NW 7.0x systems, that CommonCryptoLib is a drop-in replacement for SAPCryptoLib, at least in SSL and STRUST scenarios.

        (0) 
    1. Martina Kirschenmann Post author

      Hi Freya,

      the Secure Login Library only includes a subset of the features of the CommonCryptoLib.

      Beginning with SAP Single Sign-On 2.0 SP3, the Secure Login Library is no longer required since its features are now all included in the CommonCryptoLib which makes your SAP Single Sign-On installation much simpler than before.

      Best regards,

      Martina

      (0) 
    1. Stephan André

      Martina,

      for ABAP and JAVA stacks on OS level, go to the exe folder in /usr/sap/SID/SYS, and type: “./sapgenpse”.

      In ABAP, use transaction STRUST, and run the window menu “Environment > Display SSF Version”.

      — Stephan

      (0) 
      1. Thomas Bezak

        In that case a more descriptive sentence at the very beginning would be: “CommonCryptoLib is supplied with the Netweaver 7.4 Kernel and supersedes Sapcrypto. The instructions below are no longer relevant.”

        Saying “Available” makes it sound like the old way of downloading a separate Sapcrypto. This is confusing.

        Nowhere does SAP clarify the steps to set up the new CommonCryptoLib. Do you still have to set up SECUDIR environmental variable? Do you still have to set up RZ10 profile parameters?

        Rapid deployment documents for setting up SSL with Fiori (2014) all reference the old sapcrypto download and setup procedure.

        (0) 
        1. Martin Blust

          Hello Thomas,

          where did you find the rapid deployment documents for “setting up SSL with Fiori”? Please give me a path (URL) where the document is located.

          Best regards,

          martin

          (0) 
  3. Dong Ha Shin

    Thanks Martina, Useful and very clear information.


    When we use commoncryptolib 8.4 for snc, I found commoncryptolib only supports cl-rsa, kerberos for key exchange. Can I configure commoncryptolib to use sr-rsa for key exchange?

    I checked gss.xml parameter but I can’t find such parameter.


    Regards, Arnold.

    (0) 
  4. Utpal Bhatt

    Is there a difference between Common Crypto and Common Crypto Library?

    If yes, can anyone elaborate on this?

    Secondly, is the following statement correct:

    Common Crypto is not proprietary to SAP. However, SAP has its own proprietary Common Crypto Library.

    (1) 
