Cristiano Hansen

Use of SHA-2 algorithm family in SSL PSEs

It is becoming common to have to replace old PSEs, created with the SHA-1 algorithm, by new PSEs that use the SHA-2 algorithm family.

Here you will find the steps to replace a PSE in STRUST and the steps to create a PSE using sapgenpse (e.g. when using the SAP Web Dispatcher).

1. Prerequisites

The system must have SAPCRYPTOLIB 5.5.5 patch level 34 (or higher) or any CommonCryptoLib installed.

It is possible to verify the SAPCRYPTOLIB/CommonCryptoLib version by executing the command:

sapgenpse

in the command line interface (running as SIDadm) or via report RSBDCOS0.

Example:

"...
Loaded CommonCryptoLib from sapgenpse folder
"/usr/sap/SID/DVEBMGS00/exe/libsapcrypto.so"
Platform: linux-gcc-4.3-x86-64 (linux-gcc-4.3-x86-64)
Versions: SAPGENPSE 8.4.35 (Mar 16 2015)
            FILE-Version 8.4.35.0
            CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.35 pl40 (Mar 16 2015) MT-safe
USER="sidadm"
Environment variable $SECUDIR is defined:
"/usr/sap/SID/DVEBMGS00/sec"
..."

It is also important to have the kernel patch level mentioned in SAP note 1739681 running in the system.

In your ABAP system, use SNOTE to implement SAP note 1740744. For newer releases, e.g. Netweaver 7.40, the correction is already in place.

2. Replacing a PSE in STRUST

Access STRUST, right-click the PSE for which you want to use the SHA-2 algorithm and click Replace.

Now select the relevant algorithm in the dropdown box, as shown below:

[Image: STRUST SHA-256.jpg]

Enter the remaining details and confirm.

If a PSE from a productive system needs to be replaced, then it is recommended to follow the steps from SAP note 1178155.

You can confirm the use of the SHA-2 algorithm by double-clicking the Own Certificate. The Certificate section presents the details:

[Image: STRUST SHA-256 Certificate.jpg]

After you have imported the certificate response, verify whether the ICM was notified about the change. It might be necessary to import the corrections from SAP note 2417844.

3. Creating a PSE using sapgenpse

In a command line interface execute the following command:

sapgenpse gen_pse -p <PSENAME> -a sha256WithRsaEncryption -x <PIN>

(replace <PSENAME> and <PIN> with the required PSE name and PIN).

Enter the relevant DN; the CSR is written as output.

To verify the algorithm, execute:

sapgenpse get_my_name -p <PSENAME> -v -v -x <PIN>

The "My Certificate" section should show:

"...
  Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)
..."
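The two checks above (the library version from section 1 and the signature algorithm from section 3) can be scripted so that the same test runs on every instance before and after a PSE replacement. The following Python is an added example, not code from the post or from SAP: the line formats it expects are taken from the sample output on this page, the sha384/sha512 algorithm names and the `audit` function are my own assumptions, and the sample outputs at the bottom are constructed, not captured from a real system. Feed it the text of `sapgenpse` (the banner) and of `sapgenpse get_my_name -p <PSENAME> -v -v -x <PIN>`.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Prerequisite from section 1: SAPCRYPTOLIB 5.5.5 patch level 34 or higher,
# or any CommonCryptoLib.  The (version, patch level) layout is an assumption.
MIN_SAPCRYPTOLIB = ((5, 5, 5), 34)

# Algorithm names as printed by "sapgenpse get_my_name -v -v".  Only
# sha256WithRsaEncryption appears on the page; the sha384/sha512 names are the
# standard PKCS#1 names and are assumed to be printed the same way.
SHA2_RSA_ALGS = {"sha256WithRsaEncryption", "sha384WithRsaEncryption",
                 "sha512WithRsaEncryption"}

# Version line of either library generation (format assumed from the page's
# sample banner, e.g. "CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.35 pl40").
VERSION_RE = re.compile(
    r"(CommonCryptoLib \(SAPCRYPTOLIB\)|SAPCRYPTOLIB)\s+Version\s+"
    r"(\d+)\.(\d+)\.(\d+)\s+pl(\d+)")

# "Signature algorithm:<name> (<oid>)", with or without a space before "(".
SIGALG_RE = re.compile(r"Signature algorithm:\s*([A-Za-z0-9]+)\s*\(([\d.]+)\)")


class CryptoLibVersion(NamedTuple):
    is_commoncryptolib: bool
    version: Tuple[int, int, int]
    patch_level: int


def parse_cryptolib_version(banner: str) -> Optional[CryptoLibVersion]:
    """Extract the crypto library version from the banner that 'sapgenpse' prints."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    return CryptoLibVersion(
        is_commoncryptolib=m.group(1).startswith("CommonCryptoLib"),
        version=(int(m.group(2)), int(m.group(3)), int(m.group(4))),
        patch_level=int(m.group(5)),
    )


def cryptolib_meets_prerequisite(banner: str) -> bool:
    """True if the library is CommonCryptoLib or SAPCRYPTOLIB >= 5.5.5 pl34."""
    lib = parse_cryptolib_version(banner)
    if lib is None:
        return False
    if lib.is_commoncryptolib:
        return True
    return (lib.version, lib.patch_level) >= MIN_SAPCRYPTOLIB


def parse_signature_algorithm(get_my_name_output: str) -> Optional[Tuple[str, str]]:
    """Return (name, oid) of the own certificate's signature algorithm.

    Only the text from "My Certificate" onwards is searched when that header is
    present, so a SHA-2 CA certificate listed elsewhere in the output cannot be
    mistaken for the own certificate.
    """
    start = get_my_name_output.find("My Certificate")
    section = get_my_name_output[start:] if start >= 0 else get_my_name_output
    m = SIGALG_RE.search(section)
    return (m.group(1), m.group(2)) if m else None


def pse_uses_sha2(get_my_name_output: str) -> bool:
    parsed = parse_signature_algorithm(get_my_name_output)
    return parsed is not None and parsed[0] in SHA2_RSA_ALGS


def audit(banner: str, get_my_name_output: str) -> List[str]:
    """Collect findings; an empty list means both checks passed."""
    findings = []
    if not cryptolib_meets_prerequisite(banner):
        findings.append("crypto library below SAPCRYPTOLIB 5.5.5 pl34 and not CommonCryptoLib")
    alg = parse_signature_algorithm(get_my_name_output)
    if alg is None:
        findings.append("no 'Signature algorithm' line found in get_my_name output")
    elif alg[0] not in SHA2_RSA_ALGS:
        findings.append(f"own certificate is signed with {alg[0]} ({alg[1]}), not SHA-2")
    return findings


# Constructed sample output, modelled on the page's examples (not captured
# from a real system).
SAMPLE_BANNER = """\
Loaded CommonCryptoLib from sapgenpse folder
"/usr/sap/SID/DVEBMGS00/exe/libsapcrypto.so"
Versions: SAPGENPSE 8.4.35 (Mar 16 2015)
            FILE-Version 8.4.35.0
            CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.35 pl40 (Mar 16 2015) MT-safe
"""

SAMPLE_SHA256 = """\
My Certificate:
  Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)
"""

SAMPLE_SHA1 = """\
My Certificate:
  Signature algorithm:sha1WithRsaEncryption (1.2.840.113549.1.1.5)
"""

if __name__ == "__main__":
    for label, output in (("SHA-256 PSE", SAMPLE_SHA256), ("SHA-1 PSE", SAMPLE_SHA1)):
        print(label, audit(SAMPLE_BANNER, output) or "OK")
```

On a real system, pipe the output of the two commands into files as <sid>adm and pass their contents to `audit`; a non-empty list is the condition to alert on before the ICM is restarted or a productive PSE is swapped.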

4. Reference Documents

2147844 – STRUST | ICM is not always notified when SSL Server PSEs are created or deleted

1740744 – SSFPSE_CREATE: Support creation of RSA-PSEs with SHA-256

1739681 – Kernel: Support creation of RSA-PSEs with SHA-256

1689776 – SAPCRYPTOLIB 555pl34: bugfixes, AES-NI support

1178155 – Replacing PSEs in productive SSL Servers


11 Comments

Erika Bustamante

      Very clear information.  Thanks.

      If we want to replace the SSL Server certificates to use SHA-2, is it necessary to change the system PSE too?  Can the system PSE stay at DSA-1 while SSL Server moves to SHA-2?  Are there any security risks?

Cristiano Hansen (Blog Post Author)

      Hi Erika,

      No, you only need to replace the SSL-related PSEs. The System PSE uses DSA algorithm. There is no need to change it.

      Kind regards,

      Cris

Muhammad Bilal Barlas

Hi Cristiano Hansen,

We are planning to upgrade our internal Microsoft Windows Server CA from SHA1 to SHA2 (256). Will this upgrade affect SAP server certificates?

      Regards,

      Abuzar

Cristiano Hansen (Blog Post Author)

      Hello Abuzar,

If you have imported the Microsoft Windows Server CA certificate into an SAP system (as, e.g., a client certificate), then you need to update the certificate on the SAP side too.

      If you don't have any connection between your Windows Server and the SAP system, then there is no issue I can see.

      Regards,

      Cris

Sheldon D'Souza

      Hi Cristiano,

      Thanks for the informative post.

      We are looking to change all SHA1 certificates to SHA2 in our SAP systems.

Using the steps mentioned in your post, I am able to see the dropdown option for RSA with SHA-256 using the Replace option for SSL standard.

I would like to change to SHA-256 for the System PSE as well, but I do not get any option in the dropdown. Would you be able to assist me in how I can change to SHA-256 for the System PSE as well? Currently the algorithm for the System PSE is DSA with SHA1.

      Regards,

      Sheldon D'Souza

Cristiano Hansen (Blog Post Author)

      Hi Sheldon,

The System PSE must use the DSA algorithm. Do not change it to RSA, as issues can happen.

      Kind regards,

      Cris

Sheldon D'Souza

      Hi Cristiano,

      Thanks for the information.

Would there be a way then to switch to SHA-2 for the DSA algorithm?

      Regards,

      Sheldon

Cristiano Hansen (Blog Post Author)

      Hi Sheldon,

This is not possible. You can use SHA-1 + DSA + a maximum key size of 1024 bits for the System PSE.

      Regards,

      Cris

Sheldon D'Souza

      Thanks Cris,

      I have received confirmation from SAP as well.

      *****

      It is not recommended to change the characteristics of the SYSTEM PSE in AS ABAP.

      The hashing algorithm of a self-signed certificate has no influence on the cryptographic system, it is simply ignored during ticket verification.

      And even if such certificate would have been issued by a trusted PKI certificate authority, the generated tickets would still use SHA1.

Also attaching an article for your reference.

      2418807 - SAP NetWeaver: Cryptography Enhancements for SAP Logon Ticket Technology

      ******

      Regards,

      Sheldon D'Souza

Sheldon D'Souza

      Hi Cris,

We are looking to switch the SSL certificates of SAP Java systems as well to SHA256. I do not see a way in NWA -> SSL to switch/replace with SHA256. Even when I create a new option, there isn't a field to select the algorithm type. By default it creates a SHA1 cert. I did come across SAP KB 2172534; would you say this is the right way to switch to SHA256 for Java systems?

      Regards,

      Sheldon D'Souza

Cristiano Hansen (Blog Post Author)

      Hi Sheldon,

Yes, I think so. If you face any issue, then you can contact SAP Product Support, using the BC-JAS-SEC component.

      Regards,

      Cris