Use of SHA-2 algorithm family in SSL PSEs
It is becoming common the need of replacing old PSEs, created with SHA-1 algorithm, by new PSEs, using SHA-2 algorithm family.
Here you will find the steps to replace a PSE in STRUST and the steps to create a PSE using sapgenpse (e.g. when using the SAP Web Dispatcher).
1. Prerequisites
The system must have SAPCRYPTOLIB 5.5.5 patch level 34 (or higher) or any CommonCryptoLib installed.
It is possible to verify the SAPCRYPTOLIB/CommonCryptoLib version by executing the command:
sapgenpse
in the command line interface (running as SIDadm) or via report RSBDCOS0.
Example:
“…
Loaded CommonCryptoLib from sapgenpse folder
“/usr/sap/SID/DVEBMGS00/exe/libsapcrypto.so”
Platform: linux-gcc-4.3-x86-64 (linux-gcc-4.3-x86-64)
Versions: SAPGENPSE 8.4.35 (Mar 16 2015)
FILE-Version 8.4.35.0
CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.35 pl40 (Mar 16 2015) MT-safe
USER=”sidadm”
Environment variable $SECUDIR is defined:
“/usr/sap/SID/DVEBMGS00/sec”
…”
It is also important to have the kernel patch level mentioned in SAP note 1739681 running in the system.
In your ABAP system, use SNOTE to implement SAP note 1740744. For newer releases, e.g. Netweaver 7.40, the correction is already in place.
2. Replacing a PSE in STRUST
Access STRUST, right click in the PSE you want to use SHA-2 algorithm an click in replace.
Now select the relevant algorithm in the dropdown box, as shown below:
Enter the remaining details and confirm.
If a PSE from a productive system needs to be replaced, then it is recommended to follow the steps from SAP note 1178155.
You can confirm the use of SHA-2 algorithm by double-clicking the Own Certificate. The Certificate section presents the details:
After you have imported the certificate response, verify whether the ICM was notified about the change. It might be necessary to import the corrections from SAP note 2417844.
3. Creating a PSE using sapgenpse
In a command line interface execute the following command:
sapgenpse gen_pse -p <PSENAME> -a sha256WithRsaEncryption -x <PIN>
(replace <PSENAME> and <PIN> for the necessary PSE name and PIN).
Inform the relevant DN and see the CSR as output.
In order to verify the algorithm, just execute:
sapgenpse get_my_name -p <PSENAME> -v -v -x <PIN>
In section “My Certificate” should be presented:
“…
Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)
…”
4. Reference Documents
2147844 – STRUST | ICM is not always notified when SSL Server PSEs are created or deleted
1740744 – SSFPSE_CREATE: Support creation of RSA-PSEs with SHA-256
1739681 – Kernel: Support creation of RSA-PSEs with SHA-256
1689776 – SAPCRYPTOLIB 555pl34: bugfixes, AES-NI support
1178155 – Replacing PSEs in productive SSL Servers
Very clear information. Thanks.
If we want to replace the SSL Server certificates to use SHA-2, is it necessary to change the system PSE too? Can the system PSE stay at DSA-1 while SSL Server moves to SHA-2? Are there any security risks?
Hi Erika,
No, you only need to replace the SSL-related PSEs. The System PSE uses DSA algorithm. There is no need to change it.
Kind regards,
Cris
HI Cristiano Hansen,
We are pllaning to upgrade our internal Microsoft windows server CA from SHA1 to SHA2 (256), will this upgrade effect SAP server certificates/
Regards,
Abuzar
Hello Abuzar,
If you have imported the Microsoft Windows Server CA certificate into a SAP system (as, e.g., a client certificate) then you need to update the certificate in SAP side too.
If you don't have any connection between your Windows Server and the SAP system, then there is no issue I can see.
Regards,
Cris
Hi Cristiano,
Thanks for the informative post.
We are looking to change all SHA1 certificates to SHA2 in our SAP systems.
Using the steps mentioned in your post I am able to see the drop down option for RSA with SHA-256 using the replace option for SSL standard.
I would like to change to SHA-256 for the System PSE as well but I do get any option in the dropdown. Would be able to assist me in how I can change to SHA-256 for system PSE as well. Currently the algorithm for System PSE is DSA with SHA1
Regards,
Sheldon D'Souza
Hi Sheldon,
The System PSE must use DSA algorithm. Do not change it to RSA, as there are issues that can happen.
Kind regards,
Cris
Hi Cristiano,
Thanks for the information.
Would there be a way then to switch to SHA-2 for DSA algorithm ?
Regards,
Sheldon
Hi Sheldon,
This is not possible. You can use SHA-1 + DSA + maximum 1024 bits key size for the System PSE.
Regards,
Cris
Thanks Cris,
I have received confirmation from SAP as well.
*****
It is not recommended to change the characteristics of the SYSTEM PSE in AS ABAP.
The hashing algorithm of a self-signed certificate has no influence on the cryptographic system, it is simply ignored during ticket verification.
And even if such certificate would have been issued by a trusted PKI certificate authority, the generated tickets would still use SHA1.
Also attach a article for your reference.
2418807 - SAP NetWeaver: Cryptography Enhancements for SAP Logon Ticket Technology
******
Regards,
Sheldon D'Souza
Hi Cris,
We are looking to switch the SSL certificates of SAP Java systems as well to SHA256. I do not see a way in NWA->SSL to switch/replace with SHA256. Even when I create a new option there isn't a field to select the algorithm type. By default it creates a SHA1 cert. I did come across SAP KB 2172534, would you say this is the right way to switch to SHA256 for Java Systems ?
Regards,
Sheldon D'Souza
Hi Sheldon,
Yes, I think so. If you face any issue, then you can contact the SAP Product Support, using BC-JAS-SEC component.
Regards,
Cris