SAP SSL (X509) Authorization Setup guide

Note: Introducing Cryptography

Cryptography is the science of encrypting information. The standard protocol used
for transporting HTTP requests, TCP/IP, is an insecure transport mechanism. For a
better understanding we describe here a possible attack against the TCP/IP
protocol and the data transferred with this protocol.

In the above example:
Alice (1) initiates a communication with Bob and requests some data about
customers from him.
Bob gathers the requested data and responds to Alice's request.
The entire exchange is eavesdropped by Mallory.
He now knows the information that was discussed.

Transferred to the TCP/IP world this means: Alice, which is a web browser for
example, requests some data via an HTTP request transported over TCP/IP. The
server (here represented by Bob) responds and transfers some sensitive customer
data from the server to the client via TCP/IP. Mallory, an attacker, is on the
same network and is therefore able to eavesdrop on that TCP/IP communication.
The solution for securing that communication is the encryption of the
transferred data, that is, making the conversation unintelligible to the
attacker but intelligible to exactly the participants involved in that
conversation.


1. Symmetric Key Encryption is the classical cryptography method for
encrypting and decrypting messages. In this case, both the sender and receiver
of a message share a secret called a secret key. The sender uses this key to
encrypt the message. The receiver also uses this key to decrypt the message.

2. Asymmetric Key Encryption uses a different algorithm than Symmetric Key
Encryption. Asymmetric Key Encryption uses a key pair that consists of a
private and a public key. These keys belong together. A message that is
encrypted with the public key can only be decrypted with the matching private
key. The public key can be made public: the owner of the key pair publishes
the public key and can distribute it as required. The private key must be kept
secret.


3. Hybrid Encryption Process is the combination of both encryption processes
explained above. The Hybrid Encryption Process makes use of the advantages of
both process types. For a better understanding we describe this process in the
following example.


Process:
a. The client (browser) contacts the SAP NetWeaver Application Server Java.
b. The Application Server responds and sends its Public Key.
c. On the client side a Secret Key is created and encrypted with the Public
Key the server sent before.
d. The client sends back the encrypted Secret Key.
e. On the server the Secret Key is decrypted using the Private Key. Only the
server can decrypt the received Secret Key because it holds the Private Key,
which is necessary for the decryption.
f. The communication partners perform a handshake.
g. Further communication between the client and the server is encrypted using
the Secret Key.
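Added example (not part of the SAP guide and not SAP code): the exchange above, which section 6 below repeats with certificate verification in front of it, replayed with the openssl command line so that the role of each key can be checked step by step. RSA-OAEP as the wrapping mode for the Secret Key, AES-256-CBC for the payload, the file names and the sample request are assumptions of this demo.

```shell
#!/bin/sh
# Added example, not part of the SAP guide: the hybrid encryption process
# replayed with the openssl CLI. Assumptions: RSA-OAEP for wrapping the secret
# key, AES-256-CBC for the payload, constructed file names and sample message.

hybrid_exchange() {
    w=$(mktemp -d) || return 1

    # a./b. The server owns a key pair and sends only the Public Key.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$w/server_priv.pem" 2>/dev/null || return 1
    openssl pkey -in "$w/server_priv.pem" -pubout -out "$w/server_pub.pem" \
        || return 1

    # c. Client side: a fresh 256-bit Secret Key, encrypted with the server's
    #    Public Key. Only the matching Private Key can unwrap it.
    openssl rand -hex 32 > "$w/client_secret.hex" || return 1
    openssl pkeyutl -encrypt -pubin -inkey "$w/server_pub.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$w/client_secret.hex" -out "$w/secret.wrapped" || return 1

    # d./e. The wrapped key travels to the server, which unwraps it with the
    #       Private Key; both sides must now hold the same Secret Key.
    openssl pkeyutl -decrypt -inkey "$w/server_priv.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$w/secret.wrapped" -out "$w/server_secret.hex" || return 1
    cmp -s "$w/client_secret.hex" "$w/server_secret.hex" || return 1

    # g. From here on the payload is protected with the shared Secret Key.
    printf 'customer 4711: credit limit 50000\n' > "$w/request.txt"  # constructed
    iv=$(openssl rand -hex 16) || return 1
    openssl enc -aes-256-cbc -K "$(cat "$w/client_secret.hex")" -iv "$iv" \
        -in "$w/request.txt" -out "$w/request.enc" || return 1
    openssl enc -d -aes-256-cbc -K "$(cat "$w/server_secret.hex")" -iv "$iv" \
        -in "$w/request.enc" -out "$w/request.dec" || return 1
    cmp -s "$w/request.txt" "$w/request.dec" || return 1

    # What an eavesdropper sees is secret.wrapped and request.enc. Without
    # server_priv.pem the wrapped key cannot be recovered: unwrapping with any
    # other private key must fail, so the payload stays unreadable.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$w/other_priv.pem" 2>/dev/null || return 1
    if openssl pkeyutl -decrypt -inkey "$w/other_priv.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$w/secret.wrapped" -out /dev/null 2>/dev/null; then
        return 1
    fi

    rm -rf "$w"
    return 0
}

hybrid_exchange && echo "hybrid exchange with openssl: OK"
```

The function returns 0 only if the server recovers exactly the client's Secret Key, the payload survives the round trip, and a decrypt attempt with a different private key fails; the last check is what makes the eavesdropping scenario from the introduction harmless.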

4. Authentication and Digital Signatures: what happens if Mallory interferes
with the communication and pretends to be Bob?
He may even provide Alice with a public key, claiming that it is Bob's key.
The question now is: how can we make sure that Alice is really communicating
with Bob and that the public key she received is therefore really Bob's public
key?

This problem is also covered by cryptography and is called Authentication.

Authentication normally takes place using a user ID and password.
But with cryptographic mechanisms it is possible to authenticate communication
partners, that is, to verify that a communication partner is the one she or he
claims to be.



The basis for the authentication of communication partners is digital
certificates.

5. Digital Certificates and Digital Signature:

The digital certificate is the individual's digital identity card on the
Internet.
Compared to the real world, a digital certificate is like a passport, which
contains information about the owner, issuer, serial number, and validity
period.
The format of the certificate is specified by the X.509 standard for digital
certificates.
The certificate is issued to a person or server by an authorized entity called
a Certification Authority (CA).
By digitally signing the certificate, the CA ensures that the public key,
which matches a private key, belongs to a specific person or server.


Thus, the CA ensures that the certificate cannot be "faked".
The complete infrastructure that manages the issuing and verification of
certificates is called the Public Key Infrastructure (PKI).
Process:
a. A public and private key pair is generated on the server.
b. The public key is sent to the CA (this is called a Certificate Signing
Request, CSR for short).
c. The CA digitally signs the server's public key and sends it back to the
requestor.
d. The CSR response, the digitally signed certificate, is imported into the
server.
The server now sends the digitally signed certificate, which includes the
public key, to the communication partner. This kind of authentication is
called Server Authentication.
But how can the communication partner make sure that the digitally signed
certificate was signed by a trusted CA?
The communication partner has to have a trust relationship with the CA that
issued the certificate. Technically this is achieved by importing a digital
certificate of the institution (CA) that issued the certificate for the server.
This is the so-called root certificate. The most common root certificates are
preinstalled in most Web browsers.
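Added example (not from the SAP guide and not from STRUST): steps a. to d. and the trust check that follows them, carried out with the openssl command line. A self-signed certificate plays the CA's root certificate, the server gets a key pair and a CSR with the CN/O/L/SP/C fields (openssl spells SP as ST), the CA signs it, and the relying party verifies the result against the imported root. The "faked" case is included: a certificate with the identical DN issued by a CA whose root was never imported. CA names, DNs, validity periods and file names are constructed.

```shell
#!/bin/sh
# Added example, not part of the SAP guide: steps a. to d. and the trust check,
# carried out with the openssl CLI. CA names, DNs, validity and file names are
# constructed; openssl spells the SP (state) field as ST.

pki_issue_and_verify() {
    w=$(mktemp -d) || return 1

    # The CA's root certificate: self-signed. This is the file relying parties
    # import as "root certificate" to establish the trust relationship.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Root CA/O=Example CA/C=DE" \
        -keyout "$w/ca.key" -out "$w/ca_root.pem" 2>/dev/null || return 1

    # a. + b. A key pair on the server, and a CSR carrying its public key and DN.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=sapserver.example.com/O=Example Org/L=Walldorf/ST=BW/C=DE" \
        -keyout "$w/server.key" -out "$w/server.csr" 2>/dev/null || return 1

    # c. The CA signs the public key from the CSR, binding it to the DN.
    openssl x509 -req -in "$w/server.csr" -CA "$w/ca_root.pem" \
        -CAkey "$w/ca.key" -CAcreateserial -days 365 \
        -out "$w/server.crt" 2>/dev/null || return 1

    # d. Before importing the response, check that the signed certificate really
    #    carries the public key of the server's own key pair.
    [ "$(openssl x509 -in "$w/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$w/server.key" -pubout)" ] || return 1

    # The communication partner holds the root certificate and verifies the
    # CA's signature on the server certificate (what a browser does with its
    # preinstalled roots).
    openssl verify -CAfile "$w/ca_root.pem" "$w/server.crt" >/dev/null 2>&1 \
        || return 1

    # The "faked" certificate: identical DN, but issued by a CA whose root the
    # partner never imported. Verification against the trusted root must fail.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Untrusted CA/O=Untrusted/C=DE" \
        -keyout "$w/other_ca.key" -out "$w/other_ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=sapserver.example.com/O=Example Org/L=Walldorf/ST=BW/C=DE" \
        -keyout "$w/fake.key" -out "$w/fake.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$w/fake.csr" -CA "$w/other_ca.pem" \
        -CAkey "$w/other_ca.key" -CAcreateserial -days 365 \
        -out "$w/fake.crt" 2>/dev/null || return 1
    if openssl verify -CAfile "$w/ca_root.pem" "$w/fake.crt" >/dev/null 2>&1; then
        return 1
    fi

    rm -rf "$w"
    return 0
}

pki_issue_and_verify && echo "issue and verify with openssl: OK"
```

The decisive line is the openssl verify call: a relying party never checks the DN alone, it checks the CA's signature with the root certificate it has chosen to trust, which is why the certificate list in STRUST (section IV below) decides whose certificates are accepted.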


6. Process of SSL Server Authentication:

a. Alice contacts the SAP NetWeaver Application Server Java using a browser.
b. The Application Server responds and sends its Public Key with a digitally
signed message. On the client side the server's identity is verified by checking
the validity of the certificate. The certificate is only accepted if the client
trusts the CA that issued that certificate to the SAP NetWeaver AS Java. This is
done with the CA root certificate.
c. The Secret Key is created and encrypted with the Public Key the server sent
before.
d. The client sends back the encrypted Secret Key.
e. On the server the Secret Key is decrypted using the Private Key. Only the
server can decrypt the received Secret Key because it holds the Private Key,
which is necessary for the decryption.
f. The communication partners perform a handshake.
g. Further communication between the client and the server is encrypted using
the Secret Key.


7. Setting up SSL for AS ABAP:
Pre-requisites
1. Set the profile parameters:
Set the profile parameters in AS ABAP's instance profile as shown in the tables
below. If you used the recommended directory DIR_EXECUTABLE, then use the
following values for the location of the SAP Cryptographic Library:

Windows: $(DIR_EXECUTABLE)\sapcrypto.dll
Trust Manager Parameters

Profile Parameter            Value                                        Examples
ssl/ssl_lib                  Path and file name of the SAP                UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
                             Cryptographic Library                        Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll
sec/libsapsecu               Path and file name of the SAP                UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
                             Cryptographic Library                        Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll
ssf/ssfapi_lib               Path and file name of the SAP                UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
                             Cryptographic Library                        Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll
ssf/name                     SAPSECULIB                                   SAPSECULIB
ssl/ciphersuites (optional)  List of available cipher suites. For more    !eNULL:MEDIUM:HIGH:LOW:EXPORT
                             information, see SAP Note 510007.

ICM Parameters

Profile Parameter            Value                                        Examples
icm/server_port_<xx>         PROT=HTTPS, PORT=<port>,                     PROT=HTTPS, PORT=1443, TIMEOUT=900
                             TIMEOUT=<timeout_in_seconds>
icm/HTTPS/verify_client      0: Do not use certificates
                             1: Allow certificates (default)
                             2: Require certificates
icm/http/j2ee_<xx>           PREFIX=<uri-prefix>, [HOST=<host>,]          PREFIX=/, CONN=010, PORT=50000, SPORT=50003,
                             CONN=<no_of_connects>, PORT=<port>           SSLENC=1, TYPE=2, CRED=SAPSSLC.pse
                             [, SSLENC=<n>, TYPE=<t>, CRED=<file>,
                             SPORT=<HTTPS-port>]
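Added example (not from the SAP guide): a small shell lint that reads an instance profile and checks the parameters from the two tables, namely the three SAP Cryptographic Library paths, ssf/name, at least one icm/server_port_<xx> entry with PROT=HTTPS, and the icm/HTTPS/verify_client value. Two constructed profiles are embedded, one with the typical gaps and one corrected with the table values; the profile contents, the system ID NW1 and the MISSING/WEAK/INVALID labels are made up for this demo, the parameter names are the ones listed above.

```shell
#!/bin/sh
# Added example, not part of the SAP guide: a lint over the profile parameters
# listed in the two tables, run against constructed instance profiles.
# The profile contents, the system ID NW1 and the finding labels are made up.

# Constructed profile with the usual gaps: HTTPS port present, but the
# SAP Cryptographic Library paths missing and client certificates disabled.
PROFILE_WEAK=$(mktemp)
cat > "$PROFILE_WEAK" <<'EOF'
# constructed instance profile (weak)
SAPSYSTEMNAME = NW1
icm/server_port_0 = PROT=HTTP, PORT=8000, TIMEOUT=900
icm/server_port_1 = PROT=HTTPS, PORT=1443, TIMEOUT=900
icm/HTTPS/verify_client = 0
ssf/name = SAPSECULIB
EOF

# The same profile corrected with the values from the tables above.
PROFILE_OK=$(mktemp)
cat > "$PROFILE_OK" <<'EOF'
# constructed instance profile (corrected)
SAPSYSTEMNAME = NW1
ssl/ssl_lib = /usr/sap/NW1/SYS/exe/run/libsapcrypto.so
sec/libsapsecu = /usr/sap/NW1/SYS/exe/run/libsapcrypto.so
ssf/ssfapi_lib = /usr/sap/NW1/SYS/exe/run/libsapcrypto.so
ssf/name = SAPSECULIB
ssl/ciphersuites = !eNULL:MEDIUM:HIGH:LOW:EXPORT
icm/server_port_0 = PROT=HTTPS, PORT=1443, TIMEOUT=900
icm/HTTPS/verify_client = 2
EOF

# Print the value of one profile parameter; the last assignment wins.
# Returns 1 when the parameter is not set at all.
profile_get() {   # $1 = profile file, $2 = parameter name
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        }
        END { if (v == "") exit 1; print v }' "$1"
}

# Number of icm/server_port_<xx> entries that open an HTTPS port.
https_ports() {   # $1 = profile file
    grep -E '^[[:space:]]*icm/server_port_[0-9]+[[:space:]]*=' "$1" | grep -c 'PROT=HTTPS'
}

# Lint the SSL-relevant parameters. Prints one line per finding and returns
# the number of findings, so 0 means the profile matches the tables.
check_ssl_profile() {   # $1 = profile file
    n=0
    for p in ssl/ssl_lib sec/libsapsecu ssf/ssfapi_lib; do
        profile_get "$1" "$p" >/dev/null \
            || { echo "MISSING  $p (path of the SAP Cryptographic Library)"; n=$((n + 1)); }
    done
    [ "$(profile_get "$1" ssf/name)" = "SAPSECULIB" ] \
        || { echo "MISSING  ssf/name = SAPSECULIB"; n=$((n + 1)); }
    [ "$(https_ports "$1")" -gt 0 ] \
        || { echo "MISSING  icm/server_port_<xx> with PROT=HTTPS"; n=$((n + 1)); }
    vc=$(profile_get "$1" icm/HTTPS/verify_client) || vc=1   # 1 is the default
    case "$vc" in
        0) echo "WEAK     icm/HTTPS/verify_client = 0 (client certificates are never used)"
           n=$((n + 1)) ;;
        1|2) ;;
        *) echo "INVALID  icm/HTTPS/verify_client = $vc (expected 0, 1 or 2)"
           n=$((n + 1)) ;;
    esac
    return "$n"
}

echo "--- weak profile"; check_ssl_profile "$PROFILE_WEAK"
echo "--- corrected profile"; check_ssl_profile "$PROFILE_OK" && echo "no findings"
```

Run against a real instance profile, the return value can feed a pre-restart check: the HTTPS port only appears in SMICM (section VIII, step 1) when the port entry and the library paths are both present, and verify_client = 0 silently disables the client-certificate logon that section IV prepares.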

Installation in the ABAP Application Server

I. Create the private key and certificate and generate the CSR
1. Execute transaction STRUST, right-click on SSL server Standard and click on
Create/Replace.
Provide the details like DN, Algorithm and Key Length as shown below:

Note: CN=<Fully Qualified Name>, O=<Organisation>, L=<City>, SP=<State>,
C=<Country>
Click Continue.


2. Now you should be able to see the instance in GREEN as shown below.


3. Now we need to create a CSR for the CA.

4. Click on the first arrow icon under Own Certificate --> Owner. Save the
file with the .csr extension.


II. Send the CSR to the CA and get it signed.

1. Go to https://support.sap.com/support-programsservices/services/trust-center/ssl-server-certificates.html --> Click
here to order your SSL server certificate.
2. Copy and paste the CSR content.

3. Select the web server and continue.


4. Provide contact information:



5. Provide the payment option:

6. Confirm -> Complete.

III. Import the digitally signed Entrust certificates into the ABAP AS.

1. Go to transaction STRUST.
2. Expand the SSL server PSE node.
3. For each application server that is to receive a signed certificate:
a. Select the application server with a double-click.
The application server's SSL server PSE is displayed in the PSE maintenance
section.
b. In the PSE maintenance section, choose (Import Cert. Response).
The dialog for the certificate request response appears.
c. Insert the contents of the certificate request response into the dialog's
text box (using (Paste)) or select the response from the file system by
using (Load local file).
The signed public-key certificate is imported into the server's SSL server
PSE, which is displayed in the PSE maintenance section. You can view the
certificate by selecting it with a double-click. The certificate information is
then shown in the certificate maintenance section.
4. Save the data.

1. Now you should be able to see a screen like the one below.


2. Go to SMICM and restart the ICM:
Administration --> ICM --> Exit Hard --> Global

3. Go to SMICM again and make sure the HTTPS service is ACTIVE as shown below.


4. Verify the SSL configuration as follows.
Open https://<fullyqualifiedname>:<HTTPS_Port> and click on the LOCK icon
at the bottom of the browser.

The certificate should show Issued by: <Your Certificate Authority Name>

IV. Maintaining the SSL Server PSE's Certificate List

Note*: If users (or other clients) are to be authenticated on the AS ABAP using
client certificates, then you must maintain the server's certificate list, which is
contained in the server's SSL server PSE. The application server uses this list to
determine which CAs the server trusts. Only clients that present client certificates
issued by these CAs can be authenticated based on their certificates.

1. Importing the CA's Root Certificate From the Certificate Database
If the CA's public-key certificate is located in the certificate database:
a. In the certificate section, choose (Import certificate).
The Import Certificate dialog appears.
b. Select the Database tab strip.
c. Select the certificate from the certificate database and choose Enter.
The certificate appears in the certificate section.
d. Choose (Add to Certificate List).
The certificate is added to the certificate list for the PSE displayed in
the PSE maintenance section.
e. Save the data.
2. Importing the CA's Root Certificate from the File System
If the CA's public-key certificate is located in the file system:
a. In the certificate section, choose (Import certificate).
The Import Certificate dialog appears.
b. Enter the corresponding file name from the file system.
c. Select the certificate's file format.
Note*: To determine which format to select, open the certificate in a text editor
that does not use formatting, for example, Notepad. If the contents are readable
(although encoded), then the format is Base64. Otherwise the format is binary.
d. Choose Enter.
The certificate appears in the certificate maintenance section.
e. Choose (Add to Certificate List).
The certificate is added to the certificate list for the PSE displayed in
the PSE maintenance section.
f. Save the data.
3. Importing the CA's Root Certificate from a Different PSE
If the CA's public-key certificate is located in a different PSE:
a. Expand the node for the PSE that contains the certificate and select one
of the application servers with a double-click.
The PSE and its certificate list appear in the PSE maintenance section.
b. Select the certificate with a double-click.
The certificate appears in the certificate maintenance section.
c. Select one of the application servers under the SSL server PSE node
with a double-click.
d. Choose (Add to Certificate List).
The certificate is added to the certificate list for the PSE displayed in
the PSE maintenance section.
e. Save the data.
4. Importing the SAP CA's Root Certificate
To import the SAP CA's root certificate:
a. Choose Certificate SAP Portal CA (DSA).
The SAP CA's certificate appears in the certificate maintenance section.
b. Choose (Add to Certificate List).
The certificate is added to the certificate list for the PSE displayed in
the PSE maintenance section.
c. Save the data.
Repeat the procedure for all CA root certificates that the server should
trust.


V. Creating the Standard SSL Client PSE

Note*: To establish outgoing connections that use SSL, the AS ABAP must
possess an SSL client PSE. There are different types of SSL client PSEs that the
server can use (that is, standard, individual, or anonymous). The standard SSL
client PSE is used by default, so we recommend creating this PSE, even if it is
not explicitly being used at this time. The procedure is similar to that for
generating and maintaining SSL server PSEs. Exceptions are indicated as
necessary.

Using the trust manager:

1. Create the standard SSL client PSE in the same way as you created the SSL
server PSE.
2. Select the SSL Client node.
Note*: In this case, you specify the CN part of the Distinguished Name (default
= system ID). You only create one PSE, which is then distributed to the rest of
the application servers.
3. Generate a certificate request for the standard SSL client PSE.
The SSL client PSE is system-specific and not server-specific; therefore, you
only need to create a single certificate request and import it once.
4. Send the certificate request to a CA to be signed.
5. Import the certificate request response into the server's standard SSL client
PSE.
6. Maintain the standard SSL client PSE's certificate list.
The SSL client PSE's certificate list is typically less restrictive than the list
contained in the SSL server PSE.


VI. Creating the Anonymous SSL Client PSE

Note*: The AS ABAP uses the anonymous SSL client PSE when accessing other
Web servers using the SSL protocol. Note that the server does not use the
information contained in this PSE for its own authentication; it only uses the
PSE's information to authenticate the Web server that it is accessing. Therefore,
you do not need to have the corresponding public-key certificate signed by a CA
and the steps for generating and importing a certificate request are not necessary.

1. Create the anonymous SSL client PSE in the same way you created the SSL
server PSE. Take into account that the Distinguished Name is automatically set
to CN=anonymous by the system and cannot be changed.
For more information, see Creating the SSL Server PSE.
2. Maintain the PSE's certificate list (please refer to step IV, Maintaining the SSL
Server PSE's Certificate List).
Import the root certificates from the CAs that have issued the public-key
certificates to the Web servers that the AS ABAP accesses using the anonymous
SSL client PSE.


VII. Specifying that a Connection Should Use SSL

1. Use the maintenance transaction for RFC destinations (SM59).
2. From the RFC destination tree, select the HTTP destination to modify.
a. Details about the RFC destination appear.
3. Select the Logon/Security tabstrip.
4. If the target system is an SAP system, then select the logon method to use.
5. When you activate SSL with client authentication (see step 4), then the
logon method that you specify here is only used if the server that you are
connecting to is not configured to accept client authentication. The following
options are available:
a. Basic Authentication
b. SAP Standard (logon tickets)
c. SAP Trusted System (RFC trusted systems)
6. Under SSL, select Active and enter the name of the SSL client PSE to use in
the field provided, for example, DFAULT (standard), ANONYM (anonymous), or the
name of one of your individual SSL client PSEs.



Note*: If you select the standard or an individual SSL client PSE, then the
system will attempt to use SSL with mutual authentication. However, if the
server you are connecting to is only configured for SSL with server
authentication, then the system reverts to the logon method that you specified
above (in step 3).
If you select the anonymous SSL client PSE, then the SSL connection is set up
for SSL with server authentication only and the system will use the logon
method that you specified above.
1. If you want to protect the use of the connection with an authorization, enter
the value of the activity allowed in the Authorization field. The system then
checks for the authorization when the destination is used. The authorization
object used is S_ICF.

Example*: For example, if you enter the value CHECK, then the user must
have the following authorization: S_ICF-ICF_FIELD = 'DEST' and
S_ICF-ICF_VALUE = 'CHECK' to be able to use the HTTP destination.

2. If the connection is set up for client authentication (not anonymous), then
note the Distinguished Name for the server that applies to the PSE you
selected:
a. Call the trust manager (transaction STRUST).
b. Select the PSE that you specified to use for the connection with
a double-click.
The server's Distinguished Name appears in the Owner field in
the Own Certificate section.
c. Note this Distinguished Name. You will need it in the next step.


VIII. Testing the SSL Configuration

To test the SSL configuration:

1. Make sure the SSL port is set up correctly.
a. Start the ICM Monitor (transaction SMICM).
b. From the ICM Monitor screen, choose Goto -> Services.
The ICM Monitor - Service Display screen appears, which shows the
protocols and ports that are set up on the AS ABAP.


If there is no port entry for HTTPS, then make sure the profile parameters
are set correctly and restart the ICM.
2. Test the SSL connection for server authentication.
a. Start a Business Server Page (BSP) using an HTTPS connection and the SSL
port.
Note*: For example, start the standard BSP test application IT00 with the URL
https://host123.mycompany.com:443/sap/bc/bsp/sap/it00/default.htm. If your
Web browser cannot completely verify the AS ABAP's server certificate, then
you receive a dialog that states the reason why. For example, if your Web
browser does not possess the issuing CA's root certificate as a trusted root
certificate, then you are informed and have the chance to trust the server at
this time.

b. If you trust the server's certificate (either automatically or manually), then
the next step is to authenticate yourself. If you have also set up the AS
ABAP for using client certificates, then you can also use a public-key
certificate for authentication. Otherwise, you are prompted for user ID and
password.
After you have authenticated yourself, the BSP appears.

3. Test the SSL connection for client authentication.

Note*: Prerequisites
The SSL client PSE exists.
The HTTP destination is set up to use SSL.
There is a mapping in table USREXTID that maps the Distinguished Name
from the client PSE used to a user ID on the AS ABAP system.
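Added example (not from the SAP guide and not SAP code): the two checks that stand behind certificate-based client authentication, modelled with the openssl command line. A presented client certificate must first chain to a CA in the server's certificate list (section IV), and its Distinguished Name must then be mapped to a user ID, which is what the USREXTID prerequisite above provides. A small text file stands in for USREXTID; the CA names, DNs, the mapping entries and the file names are constructed for this demo.

```shell
#!/bin/sh
# Added example, not part of the SAP guide: the two checks behind certificate-
# based client authentication, modelled with the openssl CLI. (1) the client
# certificate must chain to a CA in the server's certificate list (section IV),
# (2) its Distinguished Name must be mapped to a user ID, as USREXTID does.
# CA names, DNs, the mapping table and file names are constructed; the table is
# only a stand-in for the real USREXTID table.

W=$(mktemp -d)

# Constructed stand-in for USREXTID: one "<DN>|<user id>" mapping per line.
cat > "$W/usrextid.txt" <<'EOF'
CN=alice,OU=Sales,O=Example Org,C=DE|ALICE
CN=rfc_client,OU=Interfaces,O=Example Org,C=DE|RFCUSER
EOF

make_ca() {   # $1 = file stem, $2 = CA name; self-signed root certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/C=DE/O=$2/CN=$2" \
        -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}

issue_client_cert() {   # $1 = file stem, $2 = subject, $3 = issuing CA stem
    openssl req -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$W/$1.csr" -CA "$W/$3.pem" -CAkey "$W/$3.key" \
        -CAcreateserial -days 365 -out "$W/$1.crt" 2>/dev/null
}

# Subject DN of a certificate in the comma-separated form used by the table.
cert_dn() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Authentication decision. Prints the mapped user ID and returns 0; returns 1
# without output when the chain check or the DN mapping fails.
authenticate_client() {   # $1 = client cert, $2 = trusted CA file, $3 = mapping
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    dn=$(cert_dn "$1") || return 1
    awk -F'|' -v dn="$dn" '$1 == dn { print $2; found = 1 } END { exit !found }' "$3"
}

# Setup: one CA in the server's certificate list, one that is not, and three
# client certificates to exercise the decision with.
make_ca trusted "Example Client CA"
make_ca rogue   "Some Other CA"
issue_client_cert alice  "/C=DE/O=Example Org/OU=Sales/CN=alice" trusted
issue_client_cert bob    "/C=DE/O=Example Org/OU=Sales/CN=bob"   trusted
issue_client_cert forged "/C=DE/O=Example Org/OU=Sales/CN=alice" rogue

for c in alice bob forged; do
    if u=$(authenticate_client "$W/$c.crt" "$W/trusted.pem" "$W/usrextid.txt"); then
        echo "$c.crt -> logon as $u"
    else
        echo "$c.crt -> rejected"
    fi
done
```

Only alice.crt is accepted: bob.crt chains correctly but has no mapping, and forged.crt carries alice's DN but was issued by a CA outside the certificate list, so the DN is never even consulted. That ordering is the point of section IV: the certificate list, not the DN, decides who can be authenticated.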


IX. Start the maintenance transaction for RFC destinations (SM59).
a. From the RFC destination tree, select the HTTP destination to test.
Details about the RFC destination appear.
b. Choose Test connection.

Reference:
SAP Note 510007.
https://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/content.htm?frameset=/en/49/26b01739242583e10000000a421937/frameset.htm&current_toc=/en/cd/a3937849b043509786c5b42171e5d3/plain.htm&node_id=10&show_children=false
