Technology Blogs by SAP
marvin_hoffmann

Enabling SSL (HTTPS) on SAP Gateway

Introduction

There are already many guides out there on how to configure SAP NetWeaver Gateway for HTTPS connections. Anyway, this is my own write-up, and it should also serve as documentation for myself.

In the first step the NetWeaver Gateway needs to be set up for HTTPS/SSL, so that you can call e.g. OData services via
https://gateway:port/sap/opu/...

Transport Layer Security on SAP NetWeaver AS for ABAP

https://help.sap.com/saphelp_nw74/helpdata/en/5d/cb88b33cad4f5da9dd77a3802e172f/content.htm?frameset...

CommonCryptoLib 8

Successor of SAPCryptoLib.
In NetWeaver 7.4x, SAPCRYPTOLIB is available in the new variant CommonCryptoLib 8.

The following steps are based on SAP Note 510007 - Setting up SSL on Application Server ABAP

http://service.sap.com/sap/support/notes/510007

Before adding and modifying the necessary profile parameters, we should check
whether the CommonCryptoLib and its variable are available.

Go to transaction SE38 and execute report RSPARAM.

Check whether $(SAPCRYPTOLIB) is defined.

You can also check whether the sapcrypto files are present on the file system
(e.g. sapcrypto.dll on Windows).

Maintain Instance Profile Parameter

Go to transaction RZ10 and open the instance profile with “Extended maintenance”.

(Info: You can also check a single parameter in transaction RZ11.)

Note:

The SAP system starts in this sequence:

  1. The kernel code is ready
  2. The default profile is read
  3. The instance profile is read

Parameters in the default profile apply to all instances, i.e. a set of common system parameters such as the message server hostname.

Instance profiles contain parameters that only take effect for that particular instance, e.g. the number of dialog work processes.

If a parameter is defined in both profiles, the value in the instance profile is the effective one for that instance.

Make sure the following values are set (if a parameter is not set, add it as a new parameter):

| Parameter                           | Value                              | Description                        |
|-------------------------------------|------------------------------------|------------------------------------|
| ssf/name                            | SAPSECULIB                         | CommonCryptoLib                    |
| ssf/ssfapi_lib                      | $(SAPCRYPTOLIB)                    | CommonCryptoLib                    |
| sec/libsapsecu                      | $(SAPCRYPTOLIB)                    | CommonCryptoLib                    |
| ssl/ssl_lib                         | $(SAPCRYPTOLIB)                    | CommonCryptoLib                    |
| icm/server_port_1                   | PROT=HTTPS, PORT=8200              | HTTPS port                         |
| icm/HTTPS/verify_client             | 1                                  | Permit use of client certificates  |
| icm/host_name_full                  | $(SAPLOCALHOST).dhcp.wdf.sap.corp  | Fully qualified domain name        |
| login/certificate_mapping_rulebased | 1                                  | Use dynamic mapping                |

If the variable $(SAPCRYPTOLIB) is not set (verified in the previous step), use $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL) instead.

icm/server_port_X = PROT=HTTPS,PORT=<TCP port number for HTTPS>

Replace the X with the index of the port entry (usually the HTTPS port is entry 1).

Set icm/HTTPS/verify_client to control the handling of user certificates; it can be set to 0 (suppress), 1 (permit; the default) or 2 (enforce).

The value login/certificate_mapping_rulebased enables dynamic mapping through transaction CERTRULE; it may not be supported by older
NetWeaver systems. With this parameter set to 1, old entries that were entered manually into table VUSREXTID are no longer used.

Note! After changing the profile parameters you need to restart the NetWeaver system.
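As an added example that is not part of the original post, the following shell script checks an instance profile for the parameters from the table above: the CommonCryptoLib libraries, an icm/server_port_X entry with PROT=HTTPS, and the interplay of icm/HTTPS/verify_client with login/certificate_mapping_rulebased (with verify_client = 0 the rule-based mapping never sees a client certificate). The two profiles it reads are constructed in temp files; on a real host you would point the functions at the instance profile (typically under /usr/sap/<SID>/SYS/profile). The parameter names are the ones on this page; the profile values such as GWD and example.internal are made up for the sample.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an ABAP instance
# profile for the SSL parameters listed above. Both sample profiles are
# constructed here in temp files.

GOOD_PROFILE="$(mktemp)"
cat > "$GOOD_PROFILE" <<'EOF'
# constructed sample: all SSL parameters present
SAPSYSTEMNAME = GWD
ssf/name = SAPSECULIB
ssf/ssfapi_lib = $(SAPCRYPTOLIB)
sec/libsapsecu = $(SAPCRYPTOLIB)
ssl/ssl_lib = $(SAPCRYPTOLIB)
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=8200
icm/HTTPS/verify_client = 1
icm/host_name_full = $(SAPLOCALHOST).example.internal
login/certificate_mapping_rulebased = 1
EOF

BAD_PROFILE="$(mktemp)"
cat > "$BAD_PROFILE" <<'EOF'
# constructed sample: HTTP only, client certificates suppressed, ssl/ssl_lib missing
SAPSYSTEMNAME = GWD
ssf/name = SAPSECULIB
ssf/ssfapi_lib = $(SAPCRYPTOLIB)
sec/libsapsecu = $(SAPCRYPTOLIB)
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/HTTPS/verify_client = 0
login/certificate_mapping_rulebased = 1
EOF

# profile_get FILE PARAM: print the value of PARAM (text after the first '='),
# or nothing if the parameter is absent. Comment lines are skipped.
profile_get() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    index($0, "=") > 0 {
      k = substr($0, 1, index($0, "=") - 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

# https_port FILE: print the port of the first icm/server_port_N entry with PROT=HTTPS
https_port() {
  grep -E '^[[:space:]]*icm/server_port_[0-9]+' "$1" \
    | grep -i 'PROT=HTTPS' | sed -E 's/.*PORT=[[:space:]]*([0-9]+).*/\1/' | head -n 1
}

# check_ssl_profile FILE: one line per finding; returns 0 only if all checks pass
check_ssl_profile() {
  f="$1"; rc=0
  for p in ssf/ssfapi_lib sec/libsapsecu ssl/ssl_lib; do
    v="$(profile_get "$f" "$p")"
    if [ -z "$v" ]; then
      echo "MISSING $p"; rc=1
    elif [ "$v" = '$(SAPCRYPTOLIB)' ]; then
      echo "OK      $p = $v"
    else
      case "$v" in
        *sapcrypto*) echo "OK      $p = $v (explicit library path)" ;;
        *) echo "CHECK   $p = $v (expected CommonCryptoLib)"; rc=1 ;;
      esac
    fi
  done
  if [ "$(profile_get "$f" ssf/name)" = "SAPSECULIB" ]; then
    echo "OK      ssf/name = SAPSECULIB"
  else
    echo "CHECK   ssf/name is not SAPSECULIB"; rc=1
  fi
  port="$(https_port "$f")"
  if [ -n "$port" ]; then
    echo "OK      HTTPS port $port"
  else
    echo "MISSING icm/server_port_X with PROT=HTTPS"; rc=1
  fi
  vc="$(profile_get "$f" icm/HTTPS/verify_client)"
  rb="$(profile_get "$f" login/certificate_mapping_rulebased)"
  case "$vc" in
    0)   echo "WARN    verify_client=0 suppresses client certificates (rule-based mapping=$rb has no effect)"; rc=1 ;;
    1|2) echo "OK      verify_client=$vc" ;;
    *)   echo "INFO    verify_client unset, kernel default applies" ;;
  esac
  return $rc
}

echo "--- good profile ---"; check_ssl_profile "$GOOD_PROFILE"
echo "--- bad profile ---";  check_ssl_profile "$BAD_PROFILE" || echo "(findings above are expected for the bad sample)"
```

The checker only reads the profile; it does not tell you whether the kernel has actually loaded the library, so RSPARAM (or RZ11 for a single parameter) remains the authoritative view of the running values.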

Maintain Certificates in STRUST

Go to transaction STRUST

Right click on “SSL server Standard” and choose “Create”

Enter the Organizational Unit and Company Name for your default certificate. Do not change the asterisk (*) inside the name; it is best practice to create a default wildcard certificate first. Use a key length of 2048. The value in the CA field should match your CA’s values, i.e. the same CA that will later sign this certificate.

I will use my own CA for this testing…

My CA certificate:

The instance specific PSEs will be created automatically. In this test landscape I only have one instance.

Now it should already be possible to access your server via browser and HTTPS:

Testing OData Service with HTTPS connection

We can enable the ping service for further testing. Go to transaction SICF and activate the node /sap/bc/ping.

Test the ping service in the browser by accessing https://<gw server>:<https port>/sap/bc/ping

You should get asked for user and password…

After authenticating we can see a success screen.

Proper System Certificate Signing

Until now the HTTPS certificate is still self-signed. In STRUST we can create a certificate signing request (copy it to the clipboard or export it as a CSR file) that can be signed by a CA.

Because I am using XCA (freeware tool) to simulate my own CA, I can import the certificate request there and sign it. I exported the CSR response as “PEM with Certificate chain”. This will also include the public certificate of the signing CA.

Tip:

I prefer setting also the Issuer Alternative Name to IP:<ip address of server>. By doing so, the browser will also trust the certificate if the IP address instead of the FQDN is called.

Finally, import the certificate response in STRUST.

After that you should see that the CA is now the issuer of the server’s certificate.

Save it, and call the ping service again in your browser. If you have imported the CA certificate into your system store (under Trusted Certificate Authorities), you should see that the browser now trusts your server.
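As an added example that is not part of the original post, the following shell script plays the role of the XCA CA with openssl: it creates a throw-away CA, generates a 2048-bit key and a CSR with a wildcard subject (standing in for the CSR exported from STRUST), signs the CSR with a Subject Alternative Name that lists both the DNS name and the IP address (the SAN is the extension browsers match the URL host against), writes a "PEM with certificate chain" file, and verifies that the server certificate now chains to the CA. The CA name, the wildcard name *.example.internal, the IP 192.0.2.10 and the temp directory are constructed; the keys created here are not the STRUST PSE and nothing is imported into the system.

```shell
#!/bin/sh
# Added example, not from the original post: emulate the external CA step with
# openssl so the resulting chain can be inspected before anything is imported
# into STRUST. All material lives in a temp directory and is constructed here.
WORK="$(mktemp -d)"
SERVER_CN='*.example.internal'   # assumed wildcard subject, like the STRUST default certificate
SERVER_IP='192.0.2.10'           # constructed documentation-range IP for the SAN

# make_test_ca DIR: self-signed CA key and certificate (stand-in for the XCA CA)
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj '/CN=Test Lab CA/O=Example/OU=Lab' \
    -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# make_server_csr DIR: 2048-bit server key and CSR with the wildcard subject
# (on the real system STRUST holds the key and you export only the CSR)
make_server_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$SERVER_CN/O=Example/OU=Gateway" \
    -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
}

# sign_server_csr DIR: the CA signs the CSR; the SAN carries both the DNS name
# and the IP so the browser accepts https://<fqdn>/ and https://<ip>/ alike
sign_server_csr() {
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
    "$SERVER_CN" "$SERVER_IP" > "$1/san.cnf"
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$1/san.cnf" \
    -out "$1/server.crt" >/dev/null 2>&1
  # "PEM with certificate chain": server certificate followed by the issuing CA
  cat "$1/server.crt" "$1/ca.crt" > "$1/server-chain.pem"
}

# verify_chain DIR: 0 when the server certificate chains to the CA
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# cert_issuer DIR: issuer of the signed certificate (now the CA, not the server itself)
cert_issuer() {
  openssl x509 -in "$1/server.crt" -noout -issuer | sed 's/^issuer=[[:space:]]*//'
}

# cert_has_ip DIR: 0 when the SAN lists the configured IP address
cert_has_ip() {
  openssl x509 -in "$1/server.crt" -noout -text | grep -q "IP Address:$SERVER_IP"
}

make_test_ca "$WORK" && make_server_csr "$WORK" && sign_server_csr "$WORK"
verify_chain "$WORK" && echo "chain OK, issuer: $(cert_issuer "$WORK")"
cert_has_ip "$WORK" && echo "SAN contains IP $SERVER_IP"
echo "chain file for import: $WORK/server-chain.pem"
```

Running `openssl verify` against the chain file before importing it into STRUST catches the common mistakes early: a response signed by a different CA than the one named in the PSE, or an export that omitted the CA certificate.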

The SAP Gateway is now prepared for proper HTTPS communication.
