
Enabling SSL (HTTPS) on SAP Gateway


Introduction

There are already many guides on how to configure SAP NetWeaver Gateway for HTTPS connections. Anyway, this is my own write-up; it should also serve as documentation for myself.

In the first step the NetWeaver Gateway needs to be set up for HTTPS/SSL, so that you can call e.g. OData services via
https://gateway:port/sap/opu/

Transport Layer Security on SAP NetWeaver AS for ABAP

https://help.sap.com/saphelp_nw74/helpdata/en/5d/cb88b33cad4f5da9dd77a3802e172f/content.htm?frameset=/en/77/6fb4308dbe40d6b6ac5903e95c2521/frameset.htm

CommonCryptoLib 8

Successor of SAPCryptoLib.
In NetWeaver 74X, SAPCRYPTOLIB is available in the new variant CommonCryptoLib 8.

The following steps are based on SAP Note 510007 – Setting up SSL on Application Server ABAP

http://service.sap.com/sap/support/notes/510007

Before adding and modifying the necessary profile parameters, we should check
whether the CommonCryptoLib and its variable are available.

Open transaction SE38 and execute report RSPARAM.


Check if $(SAPCRYPTOLIB) is defined


You can also check whether the sapcrypto files are present on the file system
(e.g. sapcrypto.dll on Windows).


Maintain Instance Profile Parameter

Go to transaction RZ10 and open the instance profile with “Extended maintenance”.

(Info: you can also check a single parameter in transaction RZ11.)


Note:

The SAP system starts in this sequence:

  1. The kernel code is ready
  2. The default profile
  3. The instance profile

Parameters in the default profile apply to all instances, i.e. they form a set of common system parameters, e.g. the message server hostname.

Instance profiles contain parameters that only take effect for that particular instance, e.g. the number of dialog work processes.

If a parameter is defined in both profiles, the value in the instance profile takes effect for that instance.

Make sure the following values are set (if a parameter is not set, add it as a new parameter):

Parameter                            Value                               Description
-----------------------------------  ----------------------------------  ----------------------------------
ssf/name                             SAPSECULIB                          CommonCryptoLib
ssf/ssfapi_lib                       $(SAPCRYPTOLIB)                     CommonCryptoLib
sec/libsapsecu                       $(SAPCRYPTOLIB)                     CommonCryptoLib
ssl/ssl_lib                          $(SAPCRYPTOLIB)                     CommonCryptoLib
icm/server_port_1                    PROT=HTTPS, PORT=8200               HTTPS port
icm/HTTPS/verify_client              1                                   Permit use of client certificates
icm/host_name_full                   $(SAPLOCALHOST).dhcp.wdf.sap.corp   Fully qualified domain name
login/certificate_mapping_rulebased  1                                   Use dynamic mapping

If the variable $(SAPCRYPTOLIB) is not set (verified in the previous step), use $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL) instead.

icm/server_port_X = PROT=HTTPS,PORT=<TCP port number for HTTPS>

Replace X with the index of the configured port entry (the HTTPS port is usually entry 1).

Set icm/HTTPS/verify_client to control the handling of user certificates; it can be set to 0 (suppress), 1 (permit, the default) or 2 (enforce).

Setting login/certificate_mapping_rulebased to 1 enables dynamic mapping through transaction CERTRULE; this might not be supported by old NetWeaver systems. Once this parameter is set to 1, old entries entered manually into table VUSREXTID are no longer used.
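To check a profile for these settings without walking through RZ10/RZ11 parameter by parameter, here is an added example (my own, not part of the original post and not an SAP tool): a small Python checker that parses an instance profile in the usual key = value form and reports which of the parameters from the table above are missing or hold unexpected values, which icm/server_port_X entries expose HTTPS, and whether icm/HTTPS/verify_client is one of the three allowed values. The two profiles embedded in it are constructed samples; the host name $(SAPLOCALHOST).example.internal is a placeholder.

```python
import re

# Constructed sample instance profile (not taken from the post); the parameter
# values mirror the table above, the host name is a placeholder.
GOOD_PROFILE = """\
SAPSYSTEMNAME = GWD
INSTANCE_NAME = D00
# CommonCryptoLib wiring
ssf/name = SAPSECULIB
ssf/ssfapi_lib = $(SAPCRYPTOLIB)
sec/libsapsecu = $(SAPCRYPTOLIB)
ssl/ssl_lib = $(SAPCRYPTOLIB)
# ICM ports and certificate handling
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS, PORT=8200
icm/HTTPS/verify_client = 1
icm/host_name_full = $(SAPLOCALHOST).example.internal
login/certificate_mapping_rulebased = 1
"""

# Same kind of fragment (constructed) with the crypto library, the HTTPS port
# and the FQDN missing, and an out-of-range verify_client value.
INCOMPLETE_PROFILE = """\
SAPSYSTEMNAME = GWD
ssf/name = SAPSECULIB
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/HTTPS/verify_client = 3
"""

# Values the post requires for the CommonCryptoLib parameters.
REQUIRED_VALUES = {
    "ssf/name": "SAPSECULIB",
    "ssf/ssfapi_lib": "$(SAPCRYPTOLIB)",
    "sec/libsapsecu": "$(SAPCRYPTOLIB)",
    "ssl/ssl_lib": "$(SAPCRYPTOLIB)",
}
# Explicit path the post gives when $(SAPCRYPTOLIB) itself is not defined.
CRYPTOLIB_FALLBACK = "$(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)"


def parse_profile(text):
    """Return {parameter: value} for 'key = value' lines; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def parse_icm_port(value):
    """'PROT=HTTPS, PORT=8200' -> {'PROT': 'HTTPS', 'PORT': '8200'}."""
    fields = {}
    for item in value.split(","):
        key, sep, val = item.partition("=")
        if sep:
            fields[key.strip().upper()] = val.strip()
    return fields


def check_ssl_parameters(params):
    """Return (sorted HTTPS ports, list of findings) for the parameters listed above."""
    findings = []
    for key, expected in REQUIRED_VALUES.items():
        actual = params.get(key)
        if actual is None:
            findings.append(f"{key} is missing (expected {expected})")
        elif actual != expected and not (
            expected == "$(SAPCRYPTOLIB)" and actual == CRYPTOLIB_FALLBACK
        ):
            findings.append(f"{key} is {actual!r}, expected {expected}")

    https_ports = []
    for key, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", key):
            fields = parse_icm_port(value)
            if fields.get("PROT", "").upper() == "HTTPS" and fields.get("PORT", "").isdigit():
                https_ports.append(int(fields["PORT"]))
    if not https_ports:
        findings.append("no icm/server_port_X entry with PROT=HTTPS")

    verify = params.get("icm/HTTPS/verify_client", "1")  # 1 (permit) is the default
    if verify not in ("0", "1", "2"):
        findings.append(f"icm/HTTPS/verify_client must be 0, 1 or 2, got {verify!r}")

    if "icm/host_name_full" not in params:
        findings.append("icm/host_name_full (fully qualified domain name) is not set")
    return sorted(https_ports), findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_PROFILE), ("incomplete", INCOMPLETE_PROFILE)):
        ports, findings = check_ssl_parameters(parse_profile(text))
        print(f"{name}: HTTPS ports {ports}")
        for finding in findings:
            print("  -", finding)
```

Run it against a copy of the instance profile (the file RZ10 maintains) before the restart; an empty findings list for the good sample and six findings for the incomplete one show the checks it performs. The fallback path is accepted in place of $(SAPCRYPTOLIB), matching the note above.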


Note! After changing the profile parameters you need to restart the NetWeaver system.

Maintain Certificates in STRUST

Go to transaction STRUST

Right-click on “SSL server Standard” and choose “Create”.


Enter the values for your default certificate's Organizational Unit and Company Name. Do not change the asterisk ( * ) inside the name; it is best practice to first create a default wildcard certificate. Use a key length of 2048. The value in the CA field should match your CA's values, i.e. the same CA that will later be used to sign this certificate.


I will use my own CA for this test…

My CA certificate:


The instance specific PSEs will be created automatically. In this test landscape I only have one instance.


Now it should already be possible to access your server via browser and HTTPS:


Testing OData Service with HTTPS connection

We can enable the ping service for further testing. Go to transaction SICF and activate the node /sap/bc/ping.


Test the ping service in the browser by accessing https://<gw server>:<https port>/sap/bc/ping

You should get asked for user and password…


After authenticating we see a success screen.


Proper System Certificate Signing

Until now the HTTPS certificate is still self-signed. In STRUST we can create a certificate signing request (copy it to the clipboard or export it as a CSR file) that can be signed by a CA.


Because I am using XCA (a freeware tool) to simulate my own CA, I can import the certificate request there and sign it. I exported the CSR response as “PEM with Certificate chain”. This also includes the public certificate of the signing CA.

Tip:

I prefer to also set the Issuer Alternative Name to IP:<ip address of server>. By doing so the browser will also trust the certificate if the IP address is called instead of the FQDN.

Finally import the certificate response in STRUST


After that you should see that the CA is now the issuer of the server's certificate.


Save it and call the ping service again in your browser. If you have imported the CA certificate into your system store (under Trusted Certificate Authorities), you should see that the browser now trusts your server.
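The browser checks in this section and in the ping test above can also be scripted, which is useful once the CA-signed certificate is in place and you want to verify chain and host name validation from a client instead of relying on the browser's padlock. The following is an added example (not part of the original post): a Python client that calls /sap/bc/ping, trusts only the CA certificate in a PEM file you pass in (the cafile parameter and the function names are this example's own), sends basic authentication, and tells apart an untrusted certificate, the 401 prompt for user and password, and a successful call. Host, port and credentials are passed on the command line.

```python
import base64
import ssl
import urllib.error
import urllib.request


def ping_url(host, port):
    """URL of the ping service activated in SICF above."""
    return f"https://{host}:{port}/sap/bc/ping"


def classify_error(exc):
    """Map a urllib exception to a (category, detail) pair."""
    if isinstance(exc, urllib.error.HTTPError):
        # 401 is the 'asked for user and password' case from the post.
        return ("auth_required", 401) if exc.code == 401 else ("http_error", exc.code)
    if isinstance(exc, urllib.error.URLError):
        reason = exc.reason
        if isinstance(reason, ssl.SSLCertVerificationError):
            # Chain or host name check failed: the signing CA is not in cafile,
            # or the certificate name does not match the host that was called.
            return ("untrusted_cert", getattr(reason, "verify_message", str(reason)))
        if isinstance(reason, ssl.SSLError):
            return ("tls_error", str(reason))
        return ("connection_error", str(reason))
    return ("unexpected", repr(exc))


def check_ping(host, port, user, password, cafile, timeout=10):
    """Call /sap/bc/ping over HTTPS, trusting only the CA certificate in cafile."""
    # create_default_context enables chain verification and host name checking;
    # cafile should hold the CA that signed the STRUST server certificate.
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(ping_url(host, port))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return ("ok", resp.status)
    except urllib.error.URLError as exc:  # HTTPError is a subclass of URLError
        return classify_error(exc)


if __name__ == "__main__":
    import sys
    # Usage: python check_ping.py <gw server> <https port> <user> <password> <ca.pem>
    host, port, user, password, cafile = sys.argv[1:6]
    print(check_ping(host, int(port), user, password, cafile))
```

Calling it with a wrong or missing user returns ("auth_required", 401), which still proves that the TLS handshake and the certificate chain were accepted; an "untrusted_cert" result before the CA signature is in place, and "ok" after it, mirrors the two browser screenshots described above.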


The SAP Gateway is now prepared for proper HTTPS communication …


5 Comments


    1. Wolfgang Janzen

      “CN=*.dhcp.wdf.sap.corp” is a wildcard certificate.
      Actually it’s not a good idea to use server-specific (non-wildcard) certificates in addition – that’s only required when your CA refuses to issue wildcard SSL server certificates.

      So, the easiest (and fastest) way is: delete those additional server-specific (non-wildcard) certificates by selecting the “SSL-Server Standard” PSE (left pane), press the right mouse button and choose the option “Change”. A new display (as shown above) comes up; there mark the lines with the server-specific certificates and press the “waste-bin” button to delete them.
    2. Vladislav Volodin

      This information can be lost, that is why I have decided to add it here. When you use GW_CLIENT and check the URL with HTTPS, you will probably get an error that is reviewed here: Troubleshooting Guide - How to troubleshoot the SSSLERR_PEER_CERT_UNTRUSTED (peer certificate (chain) is not trusted) issue
      After you read it and take a look at the dev_icm file, you should see lines similar to mine (I hope you will see them):

      [Thr 7824] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_SSL
      [Thr 7824]    session uses PSE file "E:\usr\sap\ERP\DVEBMGS00\sec\SAPSSLA.pse"
      [Thr 7824] SecuSSL_SessionStart: SSL_connnect() failed  (536872221/0x2000051d)
      [Thr 7824]    => "SSL API error"
      [Thr 7008]   SSL_get_state()==0x1180 "SSLv3 read client certificate A"
      [Thr 7008] *** ERROR during SecuSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
      [Thr 7008]    session uses PSE file "E:\usr\sap\ERP\DVEBMGS00\sec\SAPSSLS.pse"
      [Thr 7008] SecuSSL_SessionStart: SSL_accept() failed  (536875078/0x20001046)
      [Thr 7008]    => "SSL API error"

      What is important is the PSE file name. In my case there are two files: SAPSSLA.pse and SAPSSLS.pse. To find which PSEs should have the root certificate (in my case, this is a global certificate that I trust), you should click this button (in STRUST):
      The new window will show you the table:

      Everything you have to do is to import the root certificate into your PSE (SSL client Anonymous in my case), and GW_CLIENT will trust HTTPS automatically.
      That's it! Happy debugging :)
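The dev_icm lines quoted in the comment above can be triaged mechanically. The following is an added example, not part of the post or of the comment, that parses an excerpt modelled on those lines (thread ids, PSE paths and error codes taken from the comment) and reports, per failed handshake, whether it was the client side (SSL_connect) or the server side (SSL_accept), which PSE file was used and which STRUST node that file belongs to. The mapping from file name to STRUST node is the standard one (SAPSSLS.pse = SSL server Standard, SAPSSLC.pse = SSL client Standard, SAPSSLA.pse = SSL client Anonymous); the function and record names are my own.

```python
import re

# Constructed dev_icm excerpt modelled on the lines quoted in the comment above
# (thread ids, PSE paths and error codes taken from there; not a verbatim copy).
SAMPLE_DEV_ICM = r"""
[Thr 7824] *** ERROR during SecuSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 7824]    session uses PSE file "E:\usr\sap\ERP\DVEBMGS00\sec\SAPSSLA.pse"
[Thr 7824] SecuSSL_SessionStart: SSL_connect() failed  (536872221/0x2000051d)
[Thr 7824]    => "SSL API error"
[Thr 7008]   SSL_get_state()==0x1180 "SSLv3 read client certificate A"
[Thr 7008] *** ERROR during SecuSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 7008]    session uses PSE file "E:\usr\sap\ERP\DVEBMGS00\sec\SAPSSLS.pse"
[Thr 7008] SecuSSL_SessionStart: SSL_accept() failed  (536875078/0x20001046)
[Thr 7008]    => "SSL API error"
"""

# Standard PSE file names and the STRUST nodes they belong to.
PSE_NODES = {
    "SAPSSLS.PSE": "SSL server Standard",
    "SAPSSLC.PSE": "SSL client Standard",
    "SAPSSLA.PSE": "SSL client Anonymous",
}

ERROR_RE = re.compile(
    r"^\[Thr (\d+)\] \*\*\* ERROR during SecuSSL_SessionStart\(\) from (SSL_\w+)\(\)"
)
PSE_RE = re.compile(r'^\[Thr (\d+)\]\s+session uses PSE file "([^"]+)"')
CODE_RE = re.compile(
    r"^\[Thr (\d+)\] SecuSSL_SessionStart: SSL_\w+\(\) failed\s+\(\d+/(0x[0-9a-fA-F]+)\)"
)


def parse_ssl_errors(text):
    """Return one record per failed handshake: thread, side, PSE file, STRUST node, code."""
    records = []
    current = {}  # thread id -> record that the following lines of that thread belong to
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            thread, call = m.groups()
            rec = {
                "thread": thread,
                "call": call,
                # SSL_accept is the server side of a handshake, SSL_connect the
                # client side (e.g. GW_CLIENT calling an HTTPS URL).
                "side": "server" if call == "SSL_accept" else "client",
                "pse_file": None,
                "pse_node": None,
                "error_code": None,
            }
            records.append(rec)
            current[thread] = rec
            continue
        m = PSE_RE.match(line)
        if m and m.group(1) in current:
            # Windows or Unix path: keep only the file name.
            name = m.group(2).replace("\\", "/").rsplit("/", 1)[-1]
            current[m.group(1)]["pse_file"] = name
            current[m.group(1)]["pse_node"] = PSE_NODES.get(name.upper(), "unknown PSE")
            continue
        m = CODE_RE.match(line)
        if m and m.group(1) in current:
            current[m.group(1)]["error_code"] = m.group(2)
    return records


def affected_pse_nodes(records):
    """STRUST nodes whose PSE was used by a failing handshake (candidates for the root CA import)."""
    return sorted({r["pse_node"] for r in records if r["pse_node"]})


if __name__ == "__main__":
    found = parse_ssl_errors(SAMPLE_DEV_ICM)
    for rec in found:
        print(f"thread {rec['thread']}: {rec['call']} ({rec['side']}) failed with "
              f"{rec['error_code']} using {rec['pse_file']} -> {rec['pse_node']}")
    print("check the root certificate in:", affected_pse_nodes(found))
```

Feed it the real dev_icm (or a grep for SecuSSL_SessionStart) and the output tells you directly which STRUST node to open; for the sample, the SSL_connect failure points at SSL client Anonymous, which is the PSE the comment ends up importing the root certificate into.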
    3. Yuriana Guerra

      Is it possible that you can explain in more detail how to use the XCA tool to create a CA certificate? In my case, when I use it, export the file and try to sign, an error is sent by XCA: “The Key you selected for signing is not a private one”. Can anyone help?
