SSL Configuration in SAP ABAP AS and JAVA AS – Step-by-step procedure

Applies to:

All releases of SAP ECC and NetWeaver systems except PI as of release 7.1x. We have a separate procedure for PI systems as of release 7.10.

Summary

This document will guide you to setup Secure Socket Layer (SSL) configuration, nothing but enabling secure data transfer (through HTTPS) between server and client in both ABAP AS and JAVA AS.

Benefits

It allows the exchange of encrypted information through SAP systems Secure Socket Layer (SSL). SSL use asymmetric method for interchange the secret key, this method use a private key and public key. The private key is in server side and the public key is used by client for encrypt or decrypt the messages.

HTTPS redirect configuration is not covered in this document.

Pre-requisites

1. Update the instance profile with the following parameters.

Parameter Name	Value
ssf/name	SAPSECULIB
ssl/ssl_lib	/usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
sec/libsapsecu	/usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
ssf/ssfapi_lib	/usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
icm/HTTPS/verify_client	0 (zero)
icm/server_port_<x>	PROT=HTTPS,PORT=84$$,TIMEOUT=900,PROCTIMEOUT=600

Note: PORT value is a unique number. It means HTTPS, SMTP and HTTP port numbers should not be same.

2. Create directory sec under /usr/sap/<SID>/<Instance> and update SAP environment variable .sapenv_<hostname>.sh (or .sapenv_<hostname>.sh) with the following value with user SIDADM.

SECUDIR=/usr/sap/<SID>/<Instance>/sec; export SECUDIR

Installation in ABAP Application Server

I. Create Private key and Certificates and generate CSR certificate
     1. Execute transaction STRUSTSSO2 and right click on “SSL server Standard” and click on “Create”.

   Provide the details like DN, Algorithm and Key Length as shown below:

  

    Note: CN=<Fully Qualified Name>, O=<Ogranisation>, L=<City>, SP=<State>, C=<Country>

Click Continue.

 

  2. Now you should be able to see the instance in GREEN as shown below.

      3. Now we need to create a CSR request for CA.

4. Click on the first arrow mark icon under Own Certificate --> Owner. Save the file with .csr extension.
     

    

     5. We have to send this file to Certificate Authority (CA) to get it signed.

II. Import digitally signed entrust certificates into ABAP AS.
    1. Go to STRUSTSSO2 and open SSL Server Standard and double click on instance.
    2. Under Owner click on ‘Import Cert. Response’
      
    3. Once it is imported, Add to Certificate List and SAVE.
    4. Now you should be able to see the screen like below

       

     5. Go to SMICM and restart ICM
        Administration --> ICM --> Exit Hard --> Global
       
     6. Go to SMICM again and make sure HTTPS service is ACTIVE as shown below.
       
       
     7. Verify SSL configuration as follows.
        Open https://<fullyqualifiedname>:<HTTPS_Port> and click on LOCK icon at the bottom of the browser.
        The certificate should show Issued by: <Your Certificate Authority Name>
Installation in JAVA Application Server
I. Create Private key and Certificates and generate CSR certificate
     1. Open Visual Administration. Go to serveràservicesà Keystorageàservice_ssl

Note: Existing (or default) ssl-credentials which got generated during SAP installation may not have correct CN and DN values. In this case, we need to rename the existing ssl-credentials to old and create new ssl-credentials with CN and DN values.

     Click on create button at the bottom of the screen
    
     2. Click on Generate CSR Request button at the bottom of the page.
    
     3. Send the CSR certificate to CA to generate digitally signed Entrust certificates.
III. Import digitally signed entrust certificates into ABAP AS.

      1. Visual Admin --> server<x>-->services--> service_ssl àssl-credentials

Click on Import CSR Response at the right bottom, and then it prompts for the certificate name.

     2. Once CSR response is imported, you should see ‘Issuer DN’ is signed by your Certificate Authority.
    
     3. Now we need to restart SSL Provider service to take effect of changes we made.
    
     4. Verify SSL configuration as follows.
     Open https://<fullyqualifiedname>:5<inst num>01 and click on LOCK icon at the bottom of the browser.
     The certificate should show Issued by: <Your Certificate Authority Name>
Related Content
http://help.sap.com/saphelp_nw70/helpdata/en/3a/7cddde33ff05cae10000000a128c20/frameset.htm
http://help.sap.com/saphelp_nw70/helpdata/en/52/31683ab81fd846e10000000a11402f/content.htm
http://help.sap.com/saphelp_nw70/helpdata/en/5b/2e423c0bcc4a7ee10000000a114084/frameset.htm