last Changed: 16th of May 2023
demystifying TLS/SSL Settings for NetWeaver
the correct TLS/SSL Setting in SAP NetWeaver based Systems (ABAP, BI-JAVA, SolMan 7.2) are the most mandantory pre requisites to enable the SAP Secure Notes Download, connect the System to the SAP Analytics Cloud (SAC) or to other Cloud Solution like Ariba, SuccessFactors and Concur.
Blog - Steps to enable and configure TLS 1.2 in a Double Stack SAP PI System and connect with CIG Ariba
Blog - SSL Setup on SAP Web Dispatcher Integrated into Process Orchestration SCS Instance
Blog - Preparing Managed System Note Assistant (SNOTE) for Digitally Signed SAP Notes
However, despite countless SAP KBA Notes you can still see a tremendous amount of unsolved Problems in this Area and might also prevent a lot of the SAP Customers to switch from RFC SAP Note Download to the Secure HTTPS Notes Download.
A long time ago, I wrote a Blog which is timeless till today as it still has issues to recognized correctly even in the latest NetWeaver Systems like SAP BW/4 2021 (based on SAP NetWeaver 7.56)
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 3Blog - BI-JAVA, BEx Web and EP: the real connection…
correct cipher settings for TLS/SSL
these settings must reside in the DEFAULT.pfl Profile, while the SETENV Values are added to the assigned Instance Profile. This was also a long time misinterpreted by myself until I had a long chat with the Author of the SAP Notes in this Area. This makes a huge difference in the functionality, as it also has an influence to the ASCS Instance.
ssl/ciphersuites and ssl/client_ciphersuites are recognized by all 7xx Kernels!
Only parameter ssl/client_sni_enabled needs a fairly recent kernel: 721 patchno 920, 722 patchno 223 (SAP Note 2384290), 745 patchno 623, 749 patchno 415, 753 patchno 110 (SAP Note 2582368). Parameter icm/HTTPS/client_sni_enabled is limited to NetWeaver 742+ kernels plus recent 722 kernels (SAP Note 2124480)
Note 455033 - SAPCRYPTOLIB versions, bugs and fixes
Note 511150 - SAPCRYPTOLIB 555pl10: feature update
Note 510007 - Additional considerations for setting up SSL on Application Server ABAP
Note 1433874 - SapSSLReloadCred fix, SSLv3/TLSv1.0 configurability
Note 2180024 - HANA & ABAP: New Option to Enable/Disable FIPS 140-2 Certified Crypto Kernel
Note 2284059 - Update of SSL library within NW Java server
Note 2384243 – NetWeaver Application Server: How to configure strict TLS 1.2
Note 2384290 – SapSSL update to facilitate TLSv1.2-only conf., TLSext SNI for 721+722 clients
Note 2562127 - R/3 Support with SNC/SSO
Note 2631190 - Download location of SSL certificates required for Support Hub Connectivity conf.
Note 2827658 - Automated Configuration of new Support Backbone Communication - Update 02
Note 3115847 - CLM: SSF_CERT_RENEW cannot renew certificates where subject and SANs extend 255 chara...
Note 3198232 - How to reuse SSL key pair of ABAP system in 7.1x onwards Java system
Blog - Preparation – SolMan 7.2 Configuration
It it is possible, activate TLSv1.2 on the Server side without being downwards compatible. The only excuse is the SAP SolMan 7.2 were the Client Clipper Settings can be enhanced to support as much as possible. The Complete Parameters are mentioned in the Blog above.
### >>> these following Parameters are added to the Instance Profile <<<
SETENV_06 = SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
SETENV_16 = SAPSSL_CLIENT_SNI_ENABLED=TRUE
SETENV_17 = SAPSSL_CLIENT_CIPHERSUITES=918:PFS:HIGH::EC_X25519:EC_P256:EC_HIGH
SETENV_18 = SAPSSL_CIPHERSUITES=903:PFS:HIGH::EC_X25519:EC_P256:EC_HIGH
### >>> these following Parameters must reside in the DEFAULT.pfl <<<
icm/HTTPS/client_sni_enabled = TRUE
ssl/client_sni_enabled = TRUE
ssl/client_ciphersuites = 918:PFS:HIGH::EC_X25519:EC_P256:EC_HIGH
ssl/ciphersuites = 903:PFS:HIGH::EC_X25519:EC_P256:EC_HIGHyou can test the Clipper Settings for Client and Server as follows:
sapgenpse tlsinfo -v -c 918:PFS:HIGH::EC_X25519:EC_P256:EC_HIGH
sapgenpse tlsinfo -v -p /usr/sap/B4H/D03/sec/SAPSSLS.pse 903:PFS:HIGH::EC_X25519:EC_P256:EC_HIGHBlog - Update Certificates in ABAP and JAVA
STRUST(SSO2) Configuration for the SSL Server
Logon Ticket Administration for SSO
check TLS/SSL Messages
after the System in started, you can use the following Transactions to check the Logfiles for any errors and Informations
- SMMS => Log
- SMGW => Log
- SMICM => Log
Message Server Log
=================================================
= SSL Initialization platform tag=(linuxx86_64_gcc43)
= (753_REL patchno 917,Dec 25 2021,mt,ascii-uc, 16/64/64)
= Initialization with _no_ default credentials
= resulting Filename = "/usr/sap/<SID>/ASCS<nr>/exe/libsapcrypto.so"
= disabled FIPS 140-2 crypto kernel
= found CommonCryptoLib 8.5.42 (Jan 25 2022) [AES-NI,CLMUL,SSE3,SSSE3]
= current UserID: "b4hadm", env-var USER="b4hadm"
= found SECUDIR environment variable
= using SECUDIR=/usr/sap/<SID>/ASCS<nr>/sec
= [dpf] ssl/ciphersuites=903:PFS:HIGH::EC_P256:EC_HIGH
= [dpf] ssl/client_ciphersuites=918:PFS:HIGH::EC_P256:EC_HIGH
= Server SSL_CTX 7ff8c0025e50 pvflags=897 (TLSv1.2,TLSv1.1,TLSv1.0,BC)
= Server ciphersuites=903:PFS:HIGH::EC_P256:EC_HIGH
= Client SSL_CTX 7ff8c00414e0 pvflags=896 (TLSv1.2,TLSv1.1,TLSv1.0)
= Client ciphersuites=918:PFS:HIGH::EC_P256:EC_HIGH
= AnonClient SSL_CTX 7ff8c005b970 pvflags=896 (TLSv1.2,TLSv1.1,TLSv1.0)
= AnonClient ciphersuites=918:PFS:HIGH::EC_P256:EC_HIGH
= Success SapCryptoLib SSL ready!
=================================================
ssfPkiInitSAPCryptolib: SsfSupInitEx("/usr/sap/<SID>/ASCS<nr>/exe/libsapcrypto.so")==0 (SSF_SUP_OK)
found CommonCryptoLib 8.5.41 (Nov 25 2021) [AES-NI,CLMUL,SSE3,SSSE3]
SSL for internal communication enabled
MsSAutoReloadCredHdl: reload thread for system pki started, check #_MemPSE_#977588676159946000000001 every 60 seconds
load acl file = /usr/sap/<SID>/SYS/global/ms_acl_info
List of entries found in /usr/sap/<SID>/SYS/global/ms_acl_info
[001] localhost [::] (VALID)
[002] server.domain.ext [10.x.y.z] (VALID)
[003] * [::] (VALID)
MsGetOwnIpAddr: my host addresses are :
1 : [10.x.y.z] (HOSTNAME)
2 : [127.0.0.1] (LOCALHOST)
3 : [169.x.y.z] (NILIST)
MsHttpInit: full qualified hostname = server.domain.ext
HTTP logging is switch off
set HTTP state to LISTEN
*** HTTP port 8211 state LISTEN ***
MsSAutoReloadSSLHdl: reload thread for SSL started, check /usr/sap/<SID>/ASCS<nr>/sec/SAPSSLC.pse and /usr/sap/<SID>/ASCS<nr>/sec/SAPSSLS.pse every 60
set HTTPS state to LISTEN
Tue Jan 11 12:18:44:801 2022
*** HTTPS port 8311 state LISTEN ***
MsHttpOwnDomain: own domain[1] = wdf.sap.corp
*** I listen to port sapms<SID> (3611) ***
*** I listen to internal port 3911 (3911), ssl protected ***
*** HTTP port 8211 state LISTEN ***
*** HTTPS port 8311 state LISTEN ***
CUSTOMER KEY: >Z0911157974<
compatibility level = 1
build version=753.2021.07.20
read logon groups from previously stored file <SID>_msg_server_adtl_storage
Server state ACTIVEGateway Server Log
***LOG S00=> GwInitReader, gateway started ( 157507) [gwxxrd.c 2442]
gateway (version=753.2021.08.31 (with SSL support))
gw/delete_local_comm_adm : 1
gw/logging : ACTION=Ss LOGFILE=gw_log-%y-%m-%d SWITCHTF=day MAXSIZEKB=100
gw/sim_mode : set to 1
gw/reg_no_conn_info = 129
NI buffering disabled
CCMS: initialize CCMS Monitoring for ABAP instance with J2EE addin.
CCMS: SemInMgt: Initializing Semaphore Management in AlAttachShm_Doublestack.
CCMS: SemInit: Semaphore 38 initialized by AlAttachShm_Doublestack.
Tue Jan 11 12:18:58:747 2022
GwIInitSecInfo: secinfo version = 2
GwIRegInitRegInfo: reg_info file /usr/sap/<SID>/SYS/global/reginfo not found
=================================================
= SSL Initialization platform tag=(linuxx86_64_gcc43)
= (785_REL patchno 116,Apr 1 2022,mt,ascii-uc, 16/64/64)
= Initialization with _no_ default credentials
= resulting Filename = "/usr/sap/B4H/D03/exe/libsapcrypto.so"
= disabled FIPS 140-2 crypto kernel
= found CommonCryptoLib 8.5.42 (Jan 25 2022) [AES-NI,CLMUL,SSE3,SSSE3]
= current UserID: "b4hadm", env-var USER="b4hadm"
= found SECUDIR environment variable
= using SECUDIR=/usr/sap/B4H/D03/sec
= [dpf] ssl/client_pse=/usr/sap/B4H/D03/sec/SAPSSLC.pse
= resulting Filename = "/usr/sap/B4H/D03/sec/SAPSSLC.pse"
= Envvar SAPSSL_CLIENT_SNI_ENABLED=TRUE
= automagic TLS extension SNI enabled
= [dpf] ssl/ciphersuites=903:PFS:HIGH::EC_P256:EC_HIGH
= [dpf] ssl/client_ciphersuites=918:PFS:HIGH::EC_P256:EC_HIGH
= Success SapCryptoLib SSL ready!
=================================================
ssfPkiInitSAPCryptolib: SsfSupInitEx("/usr/sap/B4H/D03/exe/libsapcrypto.so")==0 (SSF_SUP_OK)
found CommonCryptoLib 8.5.42 (Jan 25 2022) [AES-NI,CLMUL,SSE3,SSSE3]
= Server SSL_CTX 558a3cc2dfc0 pvflags=897 (TLSv1.2,TLSv1.1,TLSv1.0,BC)
= Server ciphersuites=903:PFS:HIGH::EC_P256:EC_HIGH
= Client SSL_CTX 558a3cc33910 pvflags=896 (TLSv1.2,TLSv1.1,TLSv1.0)
= Client ciphersuites=918:PFS:HIGH::EC_P256:EC_HIGH
gateway ssl port 3403 defined in profile
Bind service sapgw03 (socket) to port 3303
Bind service 3403 (socket/ssl) to port 3403
GW_ADM publishedInternet Communication Manager Log
IcmAddHiddenService: Hidden service WEBSOCKET started
IcmAddHiddenService: Hidden service H2 started
Started service PORT=8003,PROT=HTTP,TIMEOUT=2000,PROCTIMEOUT=600
IcmAddHiddenService: Hidden service WEBSOCKETS started
Added service PORT=8103,PROT=HTTPS,TIMEOUT=2000,PROCTIMEOUT=600,VCLIENT=1,SSLCONFIG=ssl_config_1
Started service PORT=2503,PROT=SMTP,TIMEOUT=2000,PROCTIMEOUT=600
IcmNetCheck: network check passed without detecting problems
Wed Apr 13 11:36:58:143 2022
=================================================
= SSL Initialization platform tag=(linuxx86_64_gcc43)
= (785_REL patchno 116,Apr 1 2022,mt,ascii-uc, 16/64/64)
= resulting Filename = "/usr/sap/B4H/D03/exe/libsapcrypto.so"
= disabled FIPS 140-2 crypto kernel
= found CommonCryptoLib 8.5.42 (Jan 25 2022) [AES-NI,CLMUL,SSE3,SSSE3]
= current UserID: "b4hadm", env-var USER="b4hadm"
= found SECUDIR environment variable
= using SECUDIR=/usr/sap/B4H/D03/sec
= [dpf] ssl/client_pse=/usr/sap/B4H/D03/sec/SAPSSLC.pse
= resulting Filename = "/usr/sap/B4H/D03/sec/SAPSSLC.pse"
= Envvar SAPSSL_CLIENT_SNI_ENABLED=TRUE
= automagic TLS extension SNI enabled
= [dpf] ssl/ciphersuites=903:PFS:HIGH::EC_P256:EC_HIGH
= [dpf] ssl/client_ciphersuites=918:PFS:HIGH::EC_P256:EC_HIGH
= Server SSL_CTX 7ff8c0025e50 pvflags=897 (TLSv1.2,TLSv1.1,TLSv1.0,BC)
= Server ciphersuites=903:PFS:HIGH::EC_P256:EC_HIGH
= Client SSL_CTX 7ff8c00414e0 pvflags=896 (TLSv1.2,TLSv1.1,TLSv1.0)
= Client ciphersuites=918:PFS:HIGH::EC_P256:EC_HIGH
= AnonClient SSL_CTX 7ff8c005b970 pvflags=896 (TLSv1.2,TLSv1.1,TLSv1.0)
= AnonClient ciphersuites=918:PFS:HIGH::EC_P256:EC_HIGH
= Success SapCryptoLib SSL ready!
=================================================
= Server SSL_CTX 7ff8c0078f20 pvflags=897 (TLSv1.2,TLSv1.1,TLSv1.0,BC)
= Server ciphersuites=903:PFS:HIGH::EC_P256:EC_HIGH
SSL/TLS: Caller requests enabling of automagic addition of TLSextSNI
= Server SSL_CTX 7ff8c00943c0 pvflags=897 (TLSv1.2,TLSv1.1,TLSv1.0,BC)
= Server ciphersuites=903:PFS:HIGH::EC_P256:EC_HIGH
Activated service PORT=8103,PROT=HTTPS,TIMEOUT=2000,PROCTIMEOUT=600,VCLIENT=1,SSLCONFIG=ssl_config_1
SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default, alpn:sap-h2:h2:http/1.1
*** ICM up and operational (pid: 137335, HTTP: 8003, HTTPS: 8103) ***
HttpExtractArchive: files from archive /usr/sap/B4H/D03/exe/ITS.SAR in directory /usr/sap/B4H/D03/data/icmandir are up to date
***LOG IM3=> ICM, Startup (ICM&137335&) [IoEngine.cpp 134]no more TLS/SSL Drama ...
If the SAP TechEd Cat would knew this earlier ...
Roland Kramer, SAP Platform Architect for Intelligent Data & Analytics, SAP SE
@SAPFirstGuidance
“I have no special talent, I am only passionately curious.”
- SAP Managed Tags:
2 Comments
