Martina Kirschenmann

SAP’s New Cryptographic Library “CommonCryptoLib”

In November 2013, SAP released a new cryptographic library called CommonCryptoLib. CommonCryptoLib is the technical successor of the well-known SAP Cryptographic Library (SAPCRYPTOLIB). In this blog, I will outline the differences between the various security libraries available from SAP and explain how you will benefit from the release of the new CommonCryptoLib with your SAP Single Sign-On installation.

Previously Available Security Libraries

In the past, the ABAP kernel came with the SAP Cryptographic Library (SAPCRYPTOLIB). It was the default security product provided by SAP to use for encryption with SAP systems. The SAP Cryptographic Library not only supports the use of digital signatures in SAP Systems, but also provides encryption functions. You can use it, for example, as the security provider for Secure Network Communications (SNC) or for Secure Sockets Layer (SSL) support with the SAP NetWeaver Application Server.

In addition, there was the Secure Login Library, a component of the SAP Single Sign-On product. It is used as the cryptography and security library for SAP NetWeaver Application Server ABAP, providing single sign-on through Secure Network Communications (SNC) using Kerberos tokens or X.509 certificates, as well as supporting digital signatures according to the Secure Store and Forward (SSF) interface.

Furthermore, there was the SAP Security Library (SAPSECULIB), which was limited to digital signatures using the SSF interface, i.e. functions for creating and verifying digital signatures within SAP systems, but not for encrypting data. SAPSECULIB also supports only the DSA algorithm for digital signatures (512 bit key length). To have the systems encrypt data and/or to use the RSA algorithm for digital signatures, you had to replace SAPSECULIB with the SAP Cryptographic Library (SAPCRYPTOLIB) described above.

The New CommonCryptoLib Does it All

With several different security libraries available, it was not always easy for SAP Single Sign-On customers to understand when to use which library on SAP NetWeaver Application Server ABAP. So, SAP now provides just one single security library, the CommonCryptoLib, which can be used in all scenarios supported by the previous SAP Cryptographic Library and Secure Login Library.

But there is even more good news: CommonCryptoLib not only merges the features from the SAP Cryptographic Library and Secure Login Library, but provides new features as well. You can optionally use so-called hardware security modules (HSM) to store and protect your private keys in hardware. Besides, CommonCryptoLib received FIPS 140-2 certification (for details see the related blog in SAP Community).

Please be aware that using the CommonCryptoLib for single sign-on (Kerberos, X.509) or SPNEGO for ABAP, as well as the use of hardware security modules, requires a license for the SAP Single Sign-On product. For an overview of the features supported by each of the security libraries mentioned above, see the following table:

Deployment Options for the CommonCryptoLib

The new CommonCryptoLib replaces the SAP Cryptographic Library. Basically, there are two deployment options for CommonCryptoLib:

  • Via the ABAP kernel
  • Via download from SAP Service Marketplace

So, the deployment of the CommonCryptoLib is very easy for you, since it already comes with the kernel of SAP NetWeaver Application Server ABAP. For the corresponding ABAP kernel patch levels, refer to SAP Note 1848999.

Alternatively, you can download the current version of CommonCryptoLib from the SAP Support Portal (see https://launchpad.support.sap.com/#/softwarecenter -> Software Downloads -> By Category -> SAP Cryptographic Software -> SAPCRYPTOLIB -> COMMONCRYPTOLIB 8) and deploy the library.

CommonCryptoLib is fully backward compatible with previous versions of SAP Cryptographic Library and no adjustment efforts are required by customers using the SAP NetWeaver platform. The DLL has the same technical name as its predecessor: SAPCRYPTOLIB. In case you want to dive into the details, have a look at SAP Note 2004653 and learn what cryptographic algorithms are implemented in CommonCryptoLib.

SAP NetWeaver Application Server Java also uses the new CommonCryptoLib for cryptographic functions such as secure communication via SSL and secure communication via SNC (for RFC server connections). As with AS ABAP, there are two deployment options for CommonCryptoLib: via the Java kernel or via download from the SAP Support Portal. Please note that, contrary to what the current documentation indicates, CommonCryptoLib no longer requires a ticket file (as a workaround you can use a dummy file named “ticket”).

Besides the SAP NetWeaver Application Server, SAP HANA also supports SAP’s new cryptographic library CommonCryptoLib since Support Package Stack 07. SAP HANA uses the CommonCryptoLib for operations that require cryptography, for example data volume encryption and SSL communication encryption.

Simplify Your SAP Single Sign-On Installation

Beginning with SAP Single Sign-On 2.0 SP3, the Secure Login Library is no longer required since its features are now all included in the CommonCryptoLib. This means that as of release 2.0 SP3, a newly installed SAP Single Sign-On uses the CommonCryptoLib as the default cryptographic library for SNC and SPNEGO for ABAP. So you only have to deal with one single security library instead of two as in the past, which makes your SAP Single Sign-On installation much simpler than before. You no longer need to install a separate cryptographic library on the ABAP servers.

As mentioned before, the CommonCryptoLib already comes with the kernel of SAP NetWeaver Application Server ABAP. Alternatively, you can download the current version from the SAP Support Portal (see above).

If you are currently not using the SAP Single Sign-On product, but use the “old” SAP Cryptographic Library (SAPCRYPTOLIB), for example for SSL communication, we still recommend that you migrate to the CommonCryptoLib since future enhancements will only be implemented in this new library.

Only Minor Adjustments to Your Existing SAP Single Sign-On Installation

If you are already running SAP Single Sign-On with Secure Login Library, you have two options:

  • You can simply upgrade your Secure Login Library to 2.0 SP3. In this case, you continue using your existing configuration. The instance profile parameter containing the path to Secure Login Library remains unchanged.
  • You can easily migrate to the new CommonCryptoLib and use it as the default cryptographic library for SNC and SPNEGO for ABAP. Migration is possible from either Secure Login Library 1.0 or Secure Login Library 2.0 SP2 or lower. Just start the migration from a system that is using Secure Login Library as the default cryptographic library and follow the steps outlined in the migration documentation.

Configuration of CommonCryptoLib for Usage with SAP Single Sign-On

Please be aware that Secure Login Library comes with configuration files whereas CommonCryptoLib is delivered as is and configuration files are not part of the installation. However, the CommonCryptoLib supports all configurable features of the “old” Secure Login Library. If you want to use these features, you can just adapt the configuration files accordingly. For example, revocation check with certificate revocation lists (CRLs) and the configuration of the SNC communication protocol parameters require such additional configuration files. You can download templates from SAP Note 1996839.

Even if CommonCryptoLib supports the same features as Secure Login Library, there are a few minor differences concerning compatibility of these libraries, such as usage of different name schemas for SNC. For more details and migration guidelines, refer to the documentation.

Make Use of the Full Power of CommonCryptoLib

As mentioned before, CommonCryptoLib not only merges the features of SAP’s previous security libraries, but provides new features as well. The optional component called “NWSSO for CommonCryptoLib 2.0”, which is a component of SAP Single Sign-On, enables you to use the following functions in conjunction with CommonCryptoLib:

  • Hardware security module (HSM) support using the PKCS#11 interface of this device
  • Revocation check with certificate revocation lists (CRLs)

Please be aware that the usage of these functions of the CommonCryptoLib requires a license for the SAP Single Sign-On product.

You can use an HSM together with a Secure Login Server that is acting as Certificate Authority (CA). By storing the private keys in hardware you protect your CA. In addition, you can also store in hardware the private keys that are used for digital signatures (Secure Store and Forward, SSF). You might also benefit from performance acceleration.

For more information, refer to the documentation.

Even more features are planned for the future, so stay tuned. It is worthwhile to migrate to the new CommonCryptoLib since all future enhancements will only be part of this library and not the “old” SAP Cryptographic Library (SAPCRYPTOLIB).

Summary

By merging the features of the previously available cryptographic libraries into the new CommonCryptoLib, SAP considerably simplifies deployment for its customers. In addition, you can benefit from new features available with CommonCryptoLib, such as hardware security module support.

For more information about CommonCryptoLib, see SAP Note 1848999 “Central Note for CommonCryptoLib 8 (SAPCRYPTOLIB)”.

 

Visit us in SAP Community:

SAP Single Sign-On

Security

 


      33 Comments
      Former Member

      Thanks Martina, very useful information especially to those wondering about the different features of the available security libraries.

      As mentioned before, the CommonCryptoLib already comes with the kernel of SAP NetWeaver Application Server ABAP.

      Maybe it's good to note that it comes with the kernel of AS ABAP starting from specific SP levels and those SP levels can be found in SAP note 1848999. Can you also include a chapter or at least a paragraph on using CommonCryptoLib in AS JAVA?

      Matt Fraser

      It would also be good to note one little quirk with setting up SSL on AS Java using CommonCryptoLib (at least in AS Java 7.4).  The documentation about CommonCryptoLib ( Installing the SAP Cryptographic Library for SSL - Network and Transport Layer Security - SAP Library) pretty clearly implies that it comes with a ticket file, but in fact it does not.  Per Stephan André the ticket file is no longer required, but AS Java 7.4 still expects there to be one (see his response to my question about this at CommonCryptolib 8.4.17 - Ticket File Missing).  My experience bears out his answer -- without a ticket file, the NetWeaver Administrator complains about it missing and won't allow configuration of SSL, but creating a dummy file makes NWA happy.

      Otherwise, though, thank you for the helpful information (especially the bits about when an NWSSO license is required, and when it is not).

      Regards,

      Matt

      Stephan Andre

      Thanks for pointing this out, Matt. We'll care for an update.

      -- Stephan

      Andy Silvey

      that is the power of the SCN !

      Andy.

      Marcel Dyba

      Unfortunately the problem with the ticket file is still existing in SAP NW AS Java 7.5.
      If you enter the SSL configuration of a fresh installed system it complains 'Ticket file not found'...
      I downloaded the latest available COMMONCRYPTOLIB but it did not contain the ticket file.

      As far as I have seen, and please correct me if I am wrong, SAP HELP does not tell anything about the ticket file.

      I know the workaround with the dummy ticket file but if this is a solution for the problem, then please update SAP HELP and make this workaround part of the documentation.

      To be honest, I don't get it, why this problem is still existing.

      It was reported already a long time ago and I guess every administrator is having the issue with each installation.

      Would be great if this could be fixed.

      Regards

      Marcel

      Stephan Andre

      Sorry for this...

      But in fact, no real license ticket is required anymore, and CCL will not come with a dummy file. It is also searched in SECUDIR, not in the CCL installation folder "exe", which would be an argument for adding it to the CC SAR.

      The trick is to create this dummy file named "ticket" with some dummy content in SECUDIR manually or as part of your installation routine. Something like:

      > echo "dummy" > /usr/sap/SID/SYS/sec/ticket

      Hope it helps.

      -- Stephan
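
An idempotent form of the dummy-ticket workaround from the comment above, suitable for an installation routine (an added example, not part of the original comment and not SAP tooling). The function name `ensure_ticket` and its return codes are hypothetical; it assumes it runs as the `<sid>adm` user and that `SECUDIR`, or the directory passed as the first argument, is the instance's security directory.

```shell
#!/bin/sh
# Added example: create the dummy "ticket" file in SECUDIR only when needed.
# Assumptions (not from SAP documentation): run as <sid>adm; the file only
# has to exist with some content, as the comment above describes.

# ensure_ticket [dir]
#   prints "created" or "present"; returns
#   0 on success, 2 if the directory is unusable,
#   3 if "ticket" exists but is not a plain file, 4 if creation failed.
ensure_ticket() {
    dir=${1:-${SECUDIR:-}}
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "SECUDIR is unset or not a directory: '$dir'" >&2
        return 2
    fi
    ticket=$dir/ticket

    # SECUDIR also holds PSE files, so never write through a symlink or
    # replace a directory or device node that happens to be named "ticket".
    if [ -L "$ticket" ] || { [ -e "$ticket" ] && [ ! -f "$ticket" ]; }; then
        echo "refusing to touch $ticket: not a regular file" >&2
        return 3
    fi

    # An existing file (for example a ticket left over from an older
    # SAPCRYPTOLIB installation) is left exactly as it is.
    if [ -f "$ticket" ]; then
        echo present
        return 0
    fi

    # umask 077 keeps the file private to the creating user; set -C
    # (noclobber) makes the redirect fail instead of overwriting if the
    # file appears between the check above and this write.
    ( umask 077; set -C; echo "dummy" > "$ticket" ) || return 4
    echo created
}

# When the script is called with a directory argument, act on it directly.
[ "$#" -eq 0 ] || ensure_ticket "$1"
```
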

      Martina Kirschenmann
      Blog Post Author

      Thanks, Samuli, for your suggestion. I have just added a paragraph about using CommonCryptoLib with AS Java.

      Best regards,

      Martina

      Former Member

      Thanks Martina, very helpful information.

      Andy Silvey

      Hi Martina,

      thank you for a very useful article.

      Question:

      Let's assume we are a customer using SNC between SAP systems with the old SAP Crypto Lib and tickets generated with that library and secudir environment variable set etc.

      Is there any guidance from SAP on what needs to be done and what does not need to be done when migrating from using SAPCryptoLib to the new CommonCryptoLib.

      For example immediate questions come to mind, crypto algorithms, tickets generation, different versions of libraries. Do we need to re-implement SNC if we can to use the CommonCryptoLib ?

      Best regards,

      Andy.

      Martina Kirschenmann
      Blog Post Author

      Hi Andy,

      CommonCryptoLib is fully backward compatible with previous versions of SAP Cryptographic Library and no migration is required for the scenario described by you above.

      You only need to:

      a) install ABAP kernel update or

      b) install CommonCryptoLib (download from SAP Service Marketplace).

      Best regards,

      Martina

      Andy Silvey

      Hi Martina,

      thank you for confirming.

      Kind regards,

      Andy.

      Matt Fraser

      This has been my experience as well, in NW 7.0x systems, that CommonCryptoLib is a drop-in replacement for SAPCryptoLib, at least in SSL and STRUST scenarios.

      Former Member

      Hi Martina,

      As newbie, I want to know which is better between the secure login library and common cryptolib?

      Martina Kirschenmann
      Blog Post Author

      Hi Freya,

      the Secure Login Library only includes a subset of the features of the CommonCryptoLib.

      Beginning with SAP Single Sign-On 2.0 SP3, the Secure Login Library is no longer required since its features are now all included in the CommonCryptoLib which makes your SAP Single Sign-On installation much simpler than before.

      Best regards,

      Martina

      Martina Gállego Ansó

      Hi Martina,

      Thank you very much for this information.

      Could you please share where to check which cryptographic library is installed in a system?

      Best regards,

      Martina

      Stephan Andre

      Martina,

      for ABAP and JAVA stacks on OS level, go to the exe folder in /usr/sap/SID/SYS, and type: "./sapgenpse".

      In ABAP, use transaction STRUST, and run the window menu "Environment > Display SSF Version".

      -- Stephan

      Martina Gállego Ansó

      Thanks Stephan!!! 🙂

      Mel Calucin

      Hi Martina,

      Would NTLM SSO require SAP licensing:

      Single Sign-On with Microsoft NT LAN Manager SSP - User Authentication and Single Sign-On - SAP Library?

      What about SSO licensing with SAP Portal and NTLM or with Kerberos?

      Thanks.

      -Mel Calucin

      Donka Dimitrova

      Hello Mel,

      Please, refer to my post to the same question posted by you here: SAPGUI NTLM SSO licensing .

      Best regards,

      Donka Dimitrova

      Former Member

      Why is it that the documentation for setting up SSL in netweaver 7.4 makes ZERO mention of this and still points you to downloading and installing SAPCRYPTO?

      Installing the SAP Cryptographic Library on the AS ABAP - Network and Transport Layer Security - SAP Library

      Donka Dimitrova

      Hello Thomas,

      At the very beginning of the documentation page, you mentioned, there is such statement:

      "The SAP Cryptographic Library is available with this release of SAP NetWeaver Application Server ABAP. For more information, see SAP Note 1848999 Information published on SAP site. "


      The SAP note mentioned is the following:

      1848999 - Central Note for CommonCryptoLib 8 (replacing SAPCRYPTOLIB)


      Best regards,

      Donka Dimitrova

      Former Member

      In that case a more descriptive sentence at the very beginning would be: "CommonCryptoLib is supplied with the Netweaver 7.4 Kernel and supersedes Sapcrypto. The instructions below are no longer relevant."

      Saying "Available" makes it sound like the old way of downloading a separate Sapcrypto. This is confusing.

      Nowhere does SAP clarify the steps to setup the new CommonCryptoLib. Do you still have to setup SECUDIR environmental variable? Do you still have to setup RZ10 profile parameters?

      Rapid deployment documents for setting up SSL with Fiori (2014) all reference the old sapcrypto download and setup procedure.

      Martin Blust

      Hello Thomas,

      where did you find the rapid deployment documents for "setting up SSL with Fiori"? Please give me a path (URL) where the document is located.

      Best regards,

      martin

      Andy Silvey

      https://service.sap.com/rds -> User Experience -> Fiori -> Download Package

      and

      OSS Note

      Former Member

      Thanks Martina, Useful and very clear information.


      When we use commoncryptolib 8.4 for snc, I found commoncryptolib only supports cl-rsa, kerberos for key exchange. Can I configure commoncryptolib to use sr-rsa for key exchange?

      I checked the gss.xml parameters but I can't find such a parameter.


      Regards, Arnold.

      Former Member

      No, only cl-rsa and kerberos are supported

      Best regards,

      Thomas

      Former Member

      Thanks, Thomas.

      Then, Can we configure SNC without SSO ?

      If yes, how can we configure ?

      Regards, Arnold

      Donka Dimitrova
      Matt Fraser

      Arnold,

      In addition to the official documentation, there's a nice blog about configuring SNC client encryption without SSO at Is your SAP GUI Connection encrypted? Can someone eavesdrop your passwords?.

      Cheers,

      Matt

      Utpal Bhatt

      Is there a difference between Common Crypto and Common Crypto Library?

      If yes, can anyone elaborate on this?

      Secondly, is the following statement correct:

      Common Crypto is not proprietary to SAP. However, SAP has its own proprietary Common Crypto Library.

      Yoshiro Nagata

      Thank you for clarifying the issue. It is very helpful to understand the change of Cryptolib.

      In the old days, when we were using SAP Cryptographic Library and Secure Login Library, I’ve once heard we don't need any license to use single sign on. So my understanding is that we can only use SAP common cryptolib when we install newly latest SAP systems(S/4HANA) and we cannot use old cryptographic library.  So when we need to use Single sign on in newly systems, we must have SAP single sign on license. Is this correct?

       

      ADMINSAP ADMINSAP

      hello,

      "So the deployment of the CommonCryptoLib is very easy for you, since it already comes with the kernel of SAP NetWeaver Application Server ABAP. For the according ABAP kernel patch levels, refer to SAP Note 1848999.", what about Saplogon (SAPGUI) ?

       

      thanks

      Roman Becker

      Hello Martina,

      many thanks for this article. Is the table about SAP Single Sign-On License requirements still valid in 2023 or is there an update on possibilities and license requirements (or best license free solutions)?

      Many thanks for update

      Roman