xxx
-----END CERTIFICATE REQUEST-----
Now export the client certificate for later:
{code}
D:\usr\sap\SAPCryptolib>sapgenpse export_own_cert -v -p SP2-ASJava.pse -o SP2-ASJava.crt
Opening PSE "D:\usr\sap\SAPCryptolib\sec\SP2-ASJava.pse"...
No SSO credentials found for this PSE.
Please enter PIN:
PSE (v2) open ok.
Retrieving my certificate... ok.
Writing to file (PEM-framed base64-encoded)... ok.
SP2-ASJava.crt is created.
{code}
Then import the CRT via STRUST into the SNC PSE of the ABAP system:
Before we export the ABAP SNC server certificate we can set the ACL for this J2EE certificate (SM30 -> table SNCSYSACL, view VSNCSYSACL, type=E). This entry is what allows the J2EE Engine to connect as an external (type E) SNC partner; the SNC name to enter is the distinguished name of the J2EE PSE with the p: prefix, here p:CN=ASJAVA, O=RIG, C=DE:
Next export the SNC server certificate from STRUST (saved here as E05-SNC.crt):
Then import this certificate to the Client PSE:
{code}
D:\usr\sap\SAPCryptolib>sapgenpse maintain_pk -v -a E05-SNC.crt -p SP2-ASJava.pse
Opening PSE "D:\usr\sap\SAPCryptolib\sec\SP2-ASJava.pse"...
No SSO credentials found for this PSE.
Please enter PIN:
PSE (v2) open ok.
retrieving PKList
Adding new certificate from file "E05-SNC.crt"
---------
Subject : CN=E05, OU=ISAP-INTERN, OU=SAP Web AS, O=SAP Trust Community, C=DE
Issuer  : CN=E05, OU=ISAP-INTERN, OU=SAP Web AS, O=SAP Trust Community, C=DE
Serialno: 00
KeyInfo : RSA, 1024-bit
Validity - NotBefore: Sun Aug 16 09:41:04 2009 (090816084104Z)
           NotAfter:  Fri Jan  1 01:00:01 2038 (380101000001Z)
---------------------------------------------------------------------------
PKList updated (1 entries total, 1 newly added)
{code}
Compare the Subject and Issuer lines with what you exported from STRUST before you trust the file. Two things are worth noticing in this output: the certificate is self-signed (Subject equals Issuer), so the Java PSE now trusts this key directly rather than a CA, and the key is only 1024-bit RSA, which is below current recommendations; generate the PSEs of a production landscape with at least 2048 bits.

Then create a cred_v2 file so that the J2EE service user can open the PSE without being asked for the PIN:
{code}
D:\usr\sap\SAPCryptolib>sapgenpse seclogin -p SP2-ASJava.pse -O devwdf16\SAPServiceSP2
running seclogin with USER="SAPServiceSP2"
creating credentials for user "DEVWDF16\SAPServiceSP2"...
Please enter PIN:
Adjusting credentials and PSE ACLs to include "DEVWDF16\SAPServiceSP2"...
Oh, you supplied your own name explicitly ... ok.
D:\usr\sap\SAPCryptolib\sec\cred_v2 ... ok.
D:\usr\sap\SAPCryptolib\sec\SP2-ASJava.pse ... ok.
Added SSO-credentials for PSE "D:\usr\sap\SAPCryptolib\sec\SP2-ASJava.pse"
"CN=ASJAVA, O=RIG, C=DE"
{code}
That should be it. Keep in mind that cred_v2 replaces the PIN: anyone who can read cred_v2 together with the PSE can act with the J2EE Engine's SNC identity, so the sec directory should be readable only by the service user (SAPServiceSP2 here) and administrators.

h6. Links for securing JCo
1. [Configuring SNC: AS Java -> AS ABAP | http://help.sap.com/saphelp_nw70/helpdata/en/c3/d2281db19ec347a2365fba6ab3b22b/frameset.htm]
2. [Setup data encryption between RFC Client and Web AS ABAP with SNC | Setup data encryption between RFC Client and Web AS ABAP with SNC]
3. Note 66687 - Use of network security products
4. [Secure Network Communications Test Plan | https://weblogs.sdn.sap.com/cs/blank/edit/wlg/]

h5. Preparing the IIS
In order to enable SSL on the IIS you first have to create a certificate request, which then has to be signed by a certificate authority. The steps are all outlined in "How to implement SSL in IIS" mentioned below. For my test I used a self-signed certificate, which I created with the help of SSLDiag.exe from the IIS Diagnostics Toolkit ({code:html}http://www.microsoft.com/downloads/details.aspx?familyid=9bfa49bc-376b-4a54-95aa-73c9156706e7&displa...{code}). For this I just ran
{code}
SSLDiag.exe /s:X /selfssl /n:CN=myduet.server.com
{code}
where X is the number of the web site used by the Duet components (1 to 4 in my case). Because the certificate is self-signed, every caller (the J2EE Engine, later on) has to import exactly this certificate as trusted, and the CN should be the host name the callers use in their URLs. After that make sure that you set an SSL port in the properties of each web site. Now restart the IIS and you should be able to access all MSFT Duet web services on the IIS via HTTPS.
{code:html}https://IIS-Server:1081/RequestHandler/RequestHandler.asmx{code}
[https://vmw2626.wdf.sap.corp:8091/DuetReadService.asmx]
[https://vmw2626:8092/DuetServiceProvider.asmx]
[https://vmw2626:8093/DuetAzManService.asmx]

h6. Links for securing IIS
1. How to implement SSL in IIS

Now all components should be ready for a secure connection. Since we did not configure the components to accept only secure calls, you can still run the landscape in "non-SSL mode". So I would always recommend starting with a non-secure setup and, only once that works, continuing with the following steps in which we connect the components.

----
h5. J2EE to ABAP
h6. HTTP Connection
As mentioned before, the J2EE Engine uses HTTP and JCo to connect to the ABAP system, so let's start with HTTP. With Duet 1.5 SP3, configuring HTTPS is quite simple. First you have to exchange the certificates: go to STRUST on the ABAP system and export the SSL server Standard certificate (you do not have to do this if the certificate is CA-signed and the J2EE Engine already trusts the signer). Then go to the J2EE Visual Admin and import the certificate as a trusted CA (Key Storage service, TrustedCAs view). Now the SSL connection should work.

If you want, you can verify these settings with the following steps (they are not required for setting up a secure Duet landscape, but show that SSL is working now): go to Destinations in the Visual Admin and create a dummy HTTP connection under HTTP with the URL {code:html}http://<abap-server>/sap/bc/bsp/sap/it00/default.htm{code}. After entering a user name and password, "Save and Test" should work fine. Now change the URL to HTTPS and don't forget to adjust the port to the SSL port of the ABAP system (the one that was visible in SMICM before). The test should still work.
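Before trusting any of the certificates exchanged above (the ABAP SNC certificate added to the Java PSE with maintain_pk, the self-signed IIS certificate, the STRUST export just imported into the Visual Admin key store) it pays to check the file against what the other side says it exported. The script below is an added example and is not part of the original post nor of any SAP tool: it parses a PEM certificate with the Python standard library only, returns the same fields sapgenpse maintain_pk prints, and flags a self-signed issuer, an RSA key below 2048 bits, a subject that differs from the one you expect and a certificate that is not currently valid. The sample certificate it builds is constructed in code with a dummy signature, shaped like the E05 certificate above, and is not a real SAP certificate; the names `build_sample_cert`, `inspect_cert` and `check` are mine.

```python
"""Added example, not from the original post: a pre-import check that returns the fields
sapgenpse maintain_pk shows. Stdlib only; assumes PEM input, RSA keys, CN/OU/O/C names."""
import datetime
import ssl

_ATTR = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}


def _tlv(data, pos):  # one DER TLV at pos -> (tag, value, position after it)
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                                       # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln


def _children(value):  # all TLVs inside a constructed value, as (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _oid(raw):  # DER OID bytes -> dotted string
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))


def _name(value):
    """X.501 Name -> 'CN=..., O=..., C=...', most specific RDN first as sapgenpse prints it."""
    rdns = []
    for _, rdn in _children(value):
        for _, atv in _children(rdn):
            (_, o), (_, s) = _children(atv)
            rdns.append(f"{_ATTR.get(_oid(o), _oid(o))}={s.decode()}")
    return ", ".join(reversed(rdns))


def _time(tag, val):  # 0x17 UTCTime YYMMDDhhmmssZ, 0x18 GeneralizedTime YYYYMMDDhhmmssZ
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(val.decode(), fmt).replace(tzinfo=datetime.timezone.utc)


def inspect_cert(pem):
    """Walk the TBSCertificate of a PEM certificate; the signature is not verified here."""
    _, cert, _ = _tlv(ssl.PEM_cert_to_DER_cert(pem), 0)
    fields = _children(_children(cert)[0][1])           # tbsCertificate
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, _alg, issuer, validity, subject, spki = fields[:6]
    (t1, nb), (t2, na) = _children(validity[1])
    (_, algid), (_, bits) = _children(spki[1])          # AlgorithmIdentifier, BIT STRING
    rsa_bits = None
    if _oid(_children(algid)[0][1]) == "1.2.840.113549.1.1.1":   # rsaEncryption
        (_, rsa_key), = _children(bits[1:])             # skip the unused-bits octet
        (_, modulus), _ = _children(rsa_key)            # RSAPublicKey { modulus, exponent }
        rsa_bits = int.from_bytes(modulus, "big").bit_length()
    return {"subject": _name(subject[1]), "issuer": _name(issuer[1]),
            "serial": serial[1].hex(), "rsa_bits": rsa_bits,
            "not_before": _time(t1, nb), "not_after": _time(t2, na)}


def check(info, expected_subject, now=None, min_bits=2048):  # findings to review before importing
    now = now or datetime.datetime.now(datetime.timezone.utc)
    findings = []
    if info["subject"] != expected_subject:
        findings.append(f"subject {info['subject']!r} differs from expected {expected_subject!r}")
    if info["subject"] == info["issuer"]:
        findings.append("self-signed: the PSE will trust this key itself, not a CA")
    if info["rsa_bits"] is not None and info["rsa_bits"] < min_bits:
        findings.append(f"RSA key is only {info['rsa_bits']} bits (want >= {min_bits})")
    if not info["not_before"] <= now <= info["not_after"]:
        findings.append("not valid at the current time")
    return findings


# Constructed sample (tiny DER encoder) so the script runs without a real .crt file.
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _atv(oid_bytes, text):  # SET { SEQUENCE { OID, PrintableString } }
    return _der(0x31, _der(0x30, _der(0x06, oid_bytes) + _der(0x13, text.encode())))


def build_sample_cert(cn, org, country, bits, not_before, not_after):  # NOT a real SAP certificate
    name = _der(0x30, _atv(b"\x55\x04\x06", country) + _atv(b"\x55\x04\x0a", org) + _atv(b"\x55\x04\x03", cn))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))  # sha256WithRSA
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")          # dummy modulus, exactly `bits` long
    rsa_key = _der(0x30, _der(0x02, b"\x00" + modulus) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _der(0x05, b""))
                + _der(0x03, b"\x00" + rsa_key))
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x00") + alg + name + validity + name + spki)
    return ssl.DER_cert_to_PEM_cert(_der(0x30, tbs + alg + _der(0x03, b"\x00" * 33)))


if __name__ == "__main__":
    # Same shape as the E05 certificate above: self-signed, 1024-bit RSA, serial 00, valid until 2038.
    pem = build_sample_cert("ASJAVA", "RIG", "DE", 1024, "090816084104Z", "380101000001Z")
    print(inspect_cert(pem))
    print(check(inspect_cert(pem), "CN=ASJAVA, O=RIG, C=DE"))
```

To use it on a real export, pass the file contents instead of the sample, e.g. `inspect_cert(open("E05-SNC.crt").read())`; sapgenpse export_own_cert writes PEM-framed files and STRUST can export in Base64 format. Read the Subject, Serialno and key size back to the administrator of the other system and import only when they match what was exported.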
As a final step you have to tell Duet to use SSL. To do that go to System Environment -> Landscape -> SAP Systems and select the backend system you want to connect to via SSL. The SSL port should be fetched automatically and displayed under Port.

As a final test, let's open the Web Service Navigator ({code:html}http://J2EE-Engine:50000/wsnavigator{code}) and call a simple service. In my case I have Leave Management deployed, so I select LeaveManagementFacadeWS -> Test -> getLeaveInfo. After entering end-user credentials you should get a valid response. If you want to be very thorough you can also monitor the call with an HTTP tracer like YaTT. Here the SSL port has to be used and you should not be able to read anything (in contrast to an HTTP call, where you would see request and response in clear text):

h6. Links for HTTP Connection
1. [Configuration of the Web Service SSL Connection | http://help.sap.com/saphelp_nw70/helpdata/en/90/71d273fa724cc9bb644ab00405e6f8/content.htm]

h6. JCo Calls
We have already exchanged the certificates on the J2EE and the ABAP system, so the final step is to change the configuration. If the SNC configuration described above is done, this step is fairly simple: go to Visual Admin -> Server -> Services -> Destinations -> RFC -> (select the system you want to connect to). On the SNC tab select "Active" and enter My SNC name, SNC partner name and SNC library path. In this landscape that is p:CN=ASJAVA, O=RIG, C=DE for My SNC name (the DN of SP2-ASJava.pse), p:CN=E05, OU=ISAP-INTERN, OU=SAP Web AS, O=SAP Trust Community, C=DE for the SNC partner name (the DN of the ABAP SNC PSE, which also has to match the ABAP profile parameter snc/identity/as), and the path to sapcrypto.dll in D:\usr\sap\SAPCryptolib for the library. Click "Save and Test" and you should be done.

h6. Links for JCo Calls
1. [Configuring an RFC Destination to use a Secure Network Connection (SNC) | http://help.sap.com/saphelp_nw70/helpdata/en/32/958f404880b118e10000000a1550b0/frameset.htm]
2. [Tracing JCo Calls | http://help.sap.com/saphelp_nw70/helpdata/en/44/0dae09247a3989e10000000a114cbd/frameset.htm]
3. [Security Trace | https://service.sap.com/sap/support/notes/495911]
4. Note 800240 - FAQ: SAP Cryptographic Library error analysis (App. Server)
5. Note 912405 - SSF_ERRORMESSAGE: handling of unknown error codes

h5. ABAP to J2EE
This direction should be fairly simple again. During your Duet configuration you have set up at least one RFC destination via SM59 that points to the J2EE Engine. Right now it probably points to the default HTTP port 50000, and all we have to do is change this to the SSL port defined earlier. So go to Visual Admin and export the certificate (the one you chose on the Server Identity tab when preparing the J2EE Engine) by clicking Export:

On the ABAP side go to STRUST and add this certificate to SSL Client (Standard). Then go to SM59, select the RFC destination, click the "Technical Settings" tab and change the port. Then go to Logon & Security and under Status of Secure Protocol click Active. Since we exchanged the SSL certificates under Standard, select this entry in the drop-down.

Now test the connection. If you get an ICM error, go to SMICM -> Goto -> Trace File -> Display End; here you will see more details, e.g.:

In this example I had not imported the J2EE certificate into the ABAP system, so something must have gone wrong in STRUST. Go back and make sure that the J2EE certificate is really under SSL Client (Standard) as mentioned before. You might also want to restart the ICM via SMICM -> Administration -> ICM -> Exit Soft -> Global to check whether this has any effect, since the ICM only picks up a changed PSE once it reloads it.

h6. Links for ABAP to J2EE
1. [ADS SSL configuration journal I. / ABAP -> JAVA / 640 - 70x | ADS SSL configuration journal I. / ABAP -> JAVA / 640 - 70x]
2. [http://help.sap.com/saphelp_nw70/helpdata/en/2e/797bf5543d4f38aecdd2cabd5206ae/content.htm]

h5. J2EE to IIS
The J2EE Engine connects to the IIS via three web sites: the Request Handler, the Service Provider and the AzMan service.
We already enabled SSL for all of them, so we just have to trust the certificate of the IIS and change the configuration of these services on the Duet admin page. For the trusting part, export the certificate used by the IIS and import it into the key store via Visual Admin (same as before for the J2EE to ABAP HTTP connection). To change the configuration go to /duet -> System Environment -> Landscape -> Microsoft Components -> Request Handler. Here select Use SSL and change the port to the SSL port.

Currently we have an issue with configuring the metadata service via SSL to the IIS through the UI, so you have to go to the Visual Admin and change the corresponding destinations manually: go to Server -> Services -> Destinations -> WebServices and select
{code}
sap.com/xapps~osp~fw~wsproxies/com.sap.xapps.osp.fw.wsproxies.azman.AzmanService/*DuetAZMan*ServiceProviderSoap
{code}
In the URL change the protocol to HTTPS and the port to the SSL port, then click Save and Test to make sure the settings are correct. Do the same for
{code}
sap.com/xapps~osp~fw~wsproxies/com.sap.xapps.osp.fw.wsproxies.msft.ServiceProvider/*ServiceProvider*ServiceSoap
{code}
Again click Save and Test to make sure the settings are correct.

----
h5. Clients to J2EE
In the Duet Administration go to System Environment -> Landscape and enter the HTTPS ports for Duet Server and Duet Server AddOn. Then go to General Settings and Tools and under General -> Authentication select the authentication method "Kerberos with SSL". That should be it. The next time the client fetches new metadata it will retrieve the data via HTTPS from the J2EE Engine.

----
Only very few items are left: the connection from the J2EE to the Active Directory and the connection from the Request Handler to Exchange. I have not covered the part where the client gets the data from the Read Service via SSL. Ideally you should only have to configure the IIS of the Read Service to use SSL and then change the URL for the Read Service in the Group Policies to HTTPS. Unfortunately we currently have an issue here which will be fixed with the next patch; if you still want/have to use this, there is a workaround in place.

h5. J2EE to ADS
To finish your secure Duet landscape you should also encrypt the communication from the J2EE Engine to the ADS (Active Directory). This is again quite well documented (and simple), so I just refer to the links below. Basically you have to exchange certificates again and then, via the Config Tool, change the port and enable SSL:

h6. Links J2EE to ADS
1. [Configuring SSL Between the UME and an LDAP Directory | http://help.sap.com/saphelp_nw70/helpdata/en/7d/77fa735e5f47a2a50b5336fd1b5a61/frameset.htm]
2. [Configuring SSL between Microsoft Active directory and Enterprise portal | Configuring SSL between Microsoft Active directory and Enterprise portal]

h5. RequestHandler to Exchange
Once you have installed the Request Handler (if you have not installed it with SSL from the beginning) you can open and edit the file C:InetpubRequestHandlerRootRequestHandlerweb.config. There you just have to change the configuration in two or three places: