Enabling SSL (HTTPS) on SAP Gateway
Enabling SSL (HTTPS) on SAP Gateway
Topics
- CommonCryptoLib
- Maintain Instance Profile Parameter
- Maintain Certificates in STRUST
- Testing OData Service with HTTPS connection
- Proper System Certificate Signing
Introduction
There are already many guides out there how to configure the SAP Netweaver Gateway so that you can use HTTPS connections. Anyway this here is my documentation, it should also serve as a documentation for myself.
In the first step the netweaver gateway needs to be setup for https/ssl.
So that you can call e.g. OData services by calling
https://gateway:port/sap/opu/…
Transport Layer Security on SAP NetWeaver AS for ABAP
CommonCryptoLib 8
Successor of SAPCryptoLib
Inside NetWeaver 74X SAPCRYPTOLIB is available in the new variant CommonCryptoLib 8
Following steps are based on SAP Note: 510007 – Setting up SSL on Application Server ABAP
http://service.sap.com/sap/support/notes/510007
Before adding and modifiying necessary profile parameter, we should check
if the CommonCryptoLib and its variable is available
SE38 and execute report RSPARAM
Check if $(SAPCRYPTOLIB) is defined
You can also check if you find the sapcrypto files on the file system
(e.g. on Windows sapcrypto.dll)
Maintain Instance Profile Parameter
Go to transaction RZ10 and open the Instance profile with “Extended
maintenance”
(Info: You also can check a single parameter in transaction RZ11)
| Note: SAP system starts in a sequence:
Parameters in Default profile are the ones which are applicable to all instances, i.e. a set of common system parameters for e.g. message server hostname… Instance profiles contains parameters that only take effect for that particular instance for e.g. number of dialog work processes If a parameter is defined in both the profiles, then the value of the parameter in instance profile will be effective for that instance. |
Make sure following values are set (if not set, add them as new parameter)
|
Parameter |
Value |
Description |
|
ssf/name |
SAPSECULIB |
CommonCryptoLib |
|
ssf/ssfapi_lib |
$(SAPCRYPTOLIB) |
CommonCryptoLib |
|
sec/libsapsecu |
$(SAPCRYPTOLIB) |
CommonCryptoLib |
|
ssl/ssl_lib |
$(SAPCRYPTOLIB) |
CommonCryptoLib |
|
icm/server_port_1 |
PROT=HTTPS, PORT=8200 |
HTTPS Port |
|
icm/HTTPS/verify_client |
1 |
Permit use of client |
|
icm/host_name_full |
$(SAPLOCALHOST).dhcp.wdf.sap.corp |
Full qualified domain name |
|
login/certificate_mapping_rulebased |
1 |
Use dynamic mapping |
If variable $(SAPCRYPTOLIB) is not set (verified in last step), use $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL) instead
icm/server_port_X = PROT=HTTPS,PORT=<TCP port number for HTTPS>
Replace the X with the number of configured ports (usually https port is 1)
Set icm/HTTPS/verify_client for handling user certificates, it can be set to 0 (suppress) / 1 (default) (permit) or 2 (enforce)
The value login/certificate_mapping_rulebased will enable the use of dynamic mapping through transaction CERTRULE, might be not supported by old
netweaver systems. By setting this parameter to 1 old entries entered manually into table VUSREXTID will not be used any longer.
Note! After changing the profile parameter you need to restart the
netweaver system
Maintain Certificates in STRUST
Go to transaction STRUST
Right click on “SSL server Standard” and choose “Create”
Enter values for your default certificate Organizational Unit and Company Name. Do not change the asterix ( * ) inside name. Best Practice to create at first a default wildcard certificate. Use a key length of 2048. The value in field CA should match your CA’s values. Same CA that will be used later to sign this certificate.
I will use my own CA for this testing…
My CA certificate:
The instance specific PSEs will be created automatically. In this test landscape I only have one instance.
Now it should be possible already to access your server via browser and https:
Testing OData Service with HTTPS connection
We can enable the ping service for further testing. Go to transaction SICF and enable the node /sap/bc/ping
Test Ping Service in browser by accessing https://<gw server>:<https port>/sap/bc/ping
You should get asked for user and password…
After authenticating we can see a success screen
Proper System Certificate Signing
Until now the HTTPS certificate is still self-signed in STRUST we can create a certificate signing request (copy it into clipboard or export it as csr file), that can be signed by a CA.
Because I am using XCA (freeware tool) to simulate my own CA, I can import the certificate request there and sign it. I exported the CSR response “PEM
with Certificate chain”. This will also include the public certificate of the signing CA.
Tip:
I prefer setting also the Issuer Alternative Name to IP:<ip address of server> . By doing so the browser will be also trusting the certificate if the ip adress instead of the fqdn is called).
Finally import the certificate response in STRUST
After that you should see, that the CA is now the new issuer of the server’s certificate.
Save it. And call the ping service again inside your browser. If you have imported the CA certificate into your system store (under Trusted Certificate Authorities), you should see that now the browser is trusting your server.
The SAP Gateway is now prepared for proper HTTPS communication …
Hello
What about wildcard certificates. I found not a note for the szenario ?
thanks a lot
"CN=*.dhcp.wdf.sap.corp" is a wildcard certificate.
Actually it's not a good idea to use server-specific (non-wildcard) certificates in addition - that's only required when your CA is refusing to issue wildcard SSL server certificates.
So, the easiest (and fastet) way is: delete those additional server-specific (non-wildcard) certificates by selecting "SSL-Server Standard" PSE (left pane), press right mouse button and choose option "Change". A new display (as shown above) comes up; there mark the lines with the server-specific certificates and press the "waste-bin" button to delete them.
How do I sign this with XCA or otherwise?
Is possible you can explain how use XCA tool to create certificate CA with more details?, in my case when I use it and export file an try to sign an error is send it on XCA "The Key you selected for singning is not a private one" any one can help?