Enabling SSL and Client Certificates PDF
Client Certificates on the SAP J2EE Engine
Angel Dichev
RIG, SAP Labs
SAP AG
Learning Objectives
Diagram: SSL usage scenarios. The J2EE Engine as server component, accessed over HTTPS (SSL) by a Web browser and via an intermediary proxy server, and the J2EE Engine as client component connecting over HTTPS (SSL) to a Web server; in both directions the SAP Java Cryptographic Toolkit provides the SSL implementation.
- Using an
Diagram: security-related services of the J2EE Engine
- Secure Storage Service
- SAML Authentication Service
- Key Storage Service
- Virus Scan Provider
- SSL Provider Service
Providing security for the applications that run on the J2EE Engine is an important aspect of the
overall architecture of the SAP Web Application Server. You need to be able to identify the users
that access the server, and you need to protect access to individual resources. In addition,
confidentiality is important when dealing with sensitive information. The J2EE Engine services
help to perform the various security-related administration tasks.
SSL relies on two of these services: the Key Storage Service and the SSL Provider Service.
- Is an enabler to generate keys and certificates needed for
- The Key Storage Service of the SAP J2EE Engine enables you to manage certificates and
The Key Storage Service enables you to generate keys and certificates. You can use them for
encryption, identification, and verification. The Keystore entries are stored in a distributed database
and can be assigned particular access rights. The service is compatible with the Java Cryptography
Architecture.
To take full advantage of the Key Storage Service functionality that is provided by the Visual
Administrator tool, a full version of the IAIK package must be used. The IAIK package can be
downloaded from the SAP Service Marketplace.
Public-key certificates are to be stored in a keystore entry in the Key Storage Service. These include
the trusted CAs' certificate to use to verify the target server's server certificate and, if applicable, the
user's X.509 client certificate to use for authentication.
HTTP destinations can also use the Secure Sockets Layer (SSL) protocol to establish secure
connections to the target server. The Destination service uses the secure connection factory to
establish these connections.
So, whether you want to establish an SSL connection or authenticate users via X.509 client
certificates, you have to use and properly configure the Key Storage Service.
The Key Storage Service and its proper configuration are also mandatory for using the Secure
Storage Service.
The Key Storage Service is found under SAP J2EE Engine Administrator -> Cluster -> Services -> Key Storage.
The role KeystoreAdministrator is required for performing Key Storage Service maintenance on
The SSL Provider Service offers the selection of the key pair that the server uses for SSL. If you are
using client certificates for user authentication, then you also maintain the list of CAs who you trust
as issuers of client certificates.
The SSL Provider Service is able to manage cipher suites (e.g. SSL_RSA_WITH_RC4_128_SHA
Managing cipher suites: a cipher suite can be used during the handshake phase only if it is configured
in the SSL Provider and also supported by the client. On the Cipher Suite tab you can add or remove
such suites. You can also set their priority, that is, define the order in which the cipher
suites are offered.
Prerequisites and step-by-step instructions to download the SAP Cryptographic Toolkit:
- You have authorized access to the SAP Service Marketplace with an SAP s-user ID.
- You have installed the SAP Download Manager in your system (for more information on
downloading, installing, and configuring the SAP Download Manager, visit the Software
Distribution Center (http://service.sap.com/download) in the SAP Service Marketplace).
- You have installed the SAP archiving tool SAPCAR (see SAP note 212876 for more information on
1. Log on with your SAP s-user ID to http://service.sap.com/download and navigate to Download ->
2. In the SAP Download Area, choose SAP JAVA Cryptographic Toolkit and download the file using
3. Store the files in a temporary directory on your system, and unpack them using SAPCAR.
4. After unpacking you'll see 2
Prerequisites and step-by-step instructions to deploy the SAP Cryptographic Toolkit:
You have copied the files from the SAP JAVA Cryptographic Toolkit to your host and can now install
After unpacking, use the Software Delivery Manager (SDM) to deploy the corresponding
Your Web AS and SDM server should be up and running.
1. Start the SDM client from <usr>/sap/<SID>/JC00/SDM/program/RemoteGui.bat
2. Use your SDM client password to log on to the Remote SDM GUI.
3. Navigate to the Deployment tab, click the "Add SCA/SDA to deployment list" icon and navigate to the SAP
crypto SDA file (tc_sec_java_crypto_signed_fs_lib.sda); click Next, Next, Start Deployment; restart
the Web AS.
You can verify that the correct library has been properly deployed and loaded under Dispatcher/Server ->
Libraries -> core_lib in the Visual Administrator. iaik_jce.jar should be included in the list of
loaded JARs, and iaik_jce_export.jar should not.
Result
The SAP Java Cryptographic Toolkit replaces the export version of the toolkit on the J2EE dispatcher
and server.
You should periodically check for an updated version of this library on the SAP Service Marketplace,
Prerequisites and step by step instruction to download the Java Cryptography Extension (JCE)
Due to import regulations in various countries, Sun Microsystems, Inc. differentiates between
limited and unlimited strength cryptography in its J2SE 1.4.x packages by providing different
strength policy files (limited and unlimited). Per default, the limited policy files are delivered
with the J2SE packages.
Therefore, to use the strong cryptography functions provided with the Secure Storage FS and SSL
Provider services, you have to use the unlimited strength cryptographic functions. In this case,
download and install the unlimited strength jurisdiction policy files from Sun Microsystems, Inc.
Due to import control restrictions of some countries, the JCE jurisdiction policy files shipped with
the Java 2 SDK, v 1.4 allow "strong" but limited cryptography to be used. An "unlimited strength"
version of these files indicating no restrictions on cryptographic strengths is available for those
living in eligible countries (which are most countries). You can download this version and replace
the strong cryptography versions supplied with the Java 2 SDK, v 1.4 with the unlimited ones.
The policy files are available from Sun Microsystems, Inc. at http://java.sun.com.
Prerequisites and step-by-step instructions to download the Java Cryptography Extension (JCE)
- If you are using a JRE, you should replace the JCE jurisdiction policy JAR files under <Program
Files>\Java\lib\security
The default startup setting of the SSL Provider Service on the Server node is automatic start.
The default startup setting of the SSL Provider Service on the Dispatcher node is manual start. If you want to
enable SSL on your J2EE Engine, you should configure the service for automatic startup.
The next time the J2EE Engine is started, the SSL Provider Service will then also be started
automatically.
The default startup setting of the Key Storage Service on both Dispatcher and Server nodes is automatic
Note: If for any reason the Key Storage Service (Dispatcher and Server) and the SSL Provider Service
(Server) are not running, proceed with the same steps. Both services, Key Storage
and SSL Provider, must always be up and running on every Dispatcher and Server node you
want to enable for SSL usage.
This window should appear after restarting the J2EE Engine once the startup mode of the SSL
Provider Service has been changed to "always", or right after starting the SSL Provider Service under the
Dispatcher node.
To create the public/private key pair, go to Server -> Services -> Key Storage and click on the
view service_ssl.
The available views appear. Entries corresponding to the selected view appear in the Entries pane.
An entry may be either a public-key certificate only or the complete key pair. The type of entry is
shown in the information pane with the indicator PRIVATE KEY or CERTIFICATE, along with the
rest of the information pertaining to the entry.
Press the Create button (under Entry) and proceed in the newly opened Key and Certificate
Note: By default, the SAP J2EE Engine uses the ssl-credentials entry for SSL, which contains a
public-key certificate that has been signed by a test CA. Although this certificate can be used for
testing purposes, a certificate that has been signed by a well-known, productive CA should be used
in production mode.
To create the public/private key pair, go to Server -> Services -> Key Storage and click on the
view service_ssl.
Press the Create button (under Entry) and you will see the screen depicted on the slide.
Fill out the subject properties. The important one is the Common Name, which must be the fully qualified
domain name that will be used in the HTTP requests (e.g. if your J2EE Engine will be accessed
via https://sapwas123.sap.corp:50001/.. then you must use sapwas123.sap.corp as the Common
Name). Otherwise, Web browsers will produce a warning because the host name that users use to
access the server does not match the host name found in the server's public-key certificate.
You can add more properties by clicking on the empty field.
The Entry Name is just a name for identifying the key pair in the key store.
Specify the validity period; select RSA as the algorithm to use; select 1024 as the key length.
Choose Store Certificate to generate a certificate as well.
Press Generate.
Note: During the installation of the SAP J2EE Engine, a private key and a certificate issued by a test
CA for the Common Name localhost (entry names ssl_credentials and
ssl_credentials_certificate) are created. These entries should be used only for testing purposes.
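The host-name check behind the browser warning described above, as an added example (it is not code from the original slides or from SAP). It compares the host name typed in the URL against the certificate subject, using the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, and it goes slightly beyond the slide by also honouring a subjectAltName extension and a leftmost-label wildcard. All certificates below are constructed sample data; the installation default with Common Name localhost is included to show why it cannot serve a real host name.

```python
import ipaddress


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name comparison; '*.' may replace exactly the leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = hostname.split(".")
        # The wildcard covers one label only and must never match a bare domain.
        return len(p_labels) == len(h_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return pattern == hostname


def certificate_matches_host(cert: dict, hostname: str) -> bool:
    """Return True if the URL host name is covered by the certificate.

    `cert` has the shape of ssl.SSLSocket.getpeercert(): a 'subject' tuple of RDNs
    and an optional 'subjectAltName' tuple of (type, value) pairs.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    if dns_names or ip_names:
        # A SAN extension takes precedence over the Common Name.
        try:
            wanted_ip = ipaddress.ip_address(hostname)
        except ValueError:
            return any(_dns_match(name, hostname) for name in dns_names)
        return any(ipaddress.ip_address(name) == wanted_ip for name in ip_names)
    # No SAN: fall back to the Common Name, which is what the slide relies on.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, hostname)
    return False


# Constructed sample certificates (not real SAP certificates).
SERVER_CERT = {"subject": ((("commonName", "sapwas123.sap.corp"),),)}
TEST_CA_CERT = {"subject": ((("commonName", "localhost"),),)}   # the installation default
WILDCARD_CERT = {"subject": ((("commonName", "SAP Web AS"),),),
                 "subjectAltName": (("DNS", "*.sap.corp"), ("IP Address", "10.0.0.5"))}


if __name__ == "__main__":
    for cert, host in [(SERVER_CERT, "sapwas123.sap.corp"),
                       (SERVER_CERT, "sapwas123"),
                       (TEST_CA_CERT, "sapwas123.sap.corp"),
                       (WILDCARD_CERT, "sapwas123.sap.corp"),
                       (WILDCARD_CERT, "10.0.0.5")]:
        verdict = "ok" if certificate_matches_host(cert, host) else "browser warning"
        print(f"{host:22s} -> {verdict}")
```

Run it directly to see which combinations produce a warning; the short host name sapwas123 fails against a certificate issued for sapwas123.sap.corp, which is the mismatch the slide warns about.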
Save the certificate request response to a file in the file system. Use the extension .crt (DER-
Import the corresponding certificate request response. Choose Import CSR Response and load the
To verify that the import was successful, select the entry. The certificate should now contain the
Note: If you want to load the public-key certificate as a separate entry, rename the file before
loading it. Otherwise, the SAP J2EE Engine will replace the existing PRIVATE KEY entry with a
CERTIFICATE entry, and the private key will be lost, because the file name is used as the alias when
loading.
In the next step you have to bind the key pair and certificate to a port.
Go to Server -> Services -> SSL Provider and select the appropriate dispatcher; the available sockets
Select the socket that corresponds to the SSL port you want to configure, click on the Server Identity
tab and choose the Add button. You then see the entries in the key store that can be
used. Choose the corresponding entry (available under the service_ssl view in the Key Storage).
Press OK.
If the server process is to accept client certificates for authentication, then set this option
This is the final view. The J2EE Engine will use the specified key pair for SSL connections to the
A cipher suite can be used during the handshake phase only if it is configured in the SSL Provider and
also supported by the client. On the Cipher Suite tab you can add or remove such suites. You can also
set their priority, that is, define the order in which the cipher suites are offered.
If an HTTP 403 error code appears, the client does not support the ciphers required by the
cipher suite configuration of the SSL Provider Service (for example, the SAP J2EE Engine demands 128-bit RC4 but the client
only supports 40-bit).
If SSL is configured correctly, the SAP J2EE Engine's start page appears in your Web
browser. Many Web browsers also display a lock in their footer. Double-click the lock
to view the server's certificate.
However, we recommend correcting the problem that caused the warning. For example, if the CA's
root certificate is not considered trusted, but you do trust this CA, then import the CA's root
certificate into your Web browser.
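The cipher-suite selection that the two paragraphs above describe (server-side priority order, and failure when the client only offers weaker suites), as an added example that is not from the original slides or from SAP. The key length is read from the suite name, following the naming convention of suites such as SSL_RSA_WITH_RC4_128_SHA; the server priority list and the two client offers are constructed sample data, and the 403 mapping in the output follows the slide's description of what the browser shows.

```python
import re
from typing import Iterable, Optional

# Symmetric key size of a suite, read from names such as SSL_RSA_WITH_RC4_128_SHA
# or SSL_RSA_EXPORT_WITH_RC4_40_MD5. Names without a number use the table.
_BITS_IN_NAME = re.compile(r"_(\d+)_")
_BITS_BY_CIPHER = (("DES40", 40), ("3DES", 168), ("DES", 56), ("NULL", 0))


def cipher_bits(suite: str) -> int:
    match = _BITS_IN_NAME.search(suite)
    if match:
        return int(match.group(1))
    for token, bits in _BITS_BY_CIPHER:
        if token in suite:
            return bits
    raise ValueError(f"unknown cipher suite name: {suite}")


def negotiate(server_priority: Iterable[str], client_offered: Iterable[str],
              min_bits: int = 128) -> Optional[str]:
    """Pick the suite the server will use, or None when the handshake must fail.

    The server walks its own priority list (the order set on the Cipher Suite tab)
    and takes the first suite the client also offers, provided it meets the
    minimum key length the administrator requires.
    """
    offered = set(client_offered)
    for suite in server_priority:
        if suite in offered and cipher_bits(suite) >= min_bits:
            return suite
    return None


# Constructed sample configuration and client offers.
SERVER_PRIORITY = [
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
]
MODERN_CLIENT = ["SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
                 "SSL_RSA_EXPORT_WITH_RC4_40_MD5"]
EXPORT_ONLY_CLIENT = ["SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                      "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"]


if __name__ == "__main__":
    for name, client in (("modern client", MODERN_CLIENT),
                         ("40-bit export client", EXPORT_ONLY_CLIENT)):
        chosen = negotiate(SERVER_PRIORITY, client)
        print(f"{name}: {chosen or 'no common suite -> handshake fails (HTTP 403 in the browser)'}")
```

Note that the modern client lists the MD5 suite first but still gets SSL_RSA_WITH_RC4_128_SHA, because the server's priority order decides; the export-only client shares no suite with the server and is rejected.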
- Prerequisite
- The SAP J2EE Engine is enabled for SSL
1. ume.logon.allow_cert = true
Set the UME property ume.logon.allow_cert to true
Note: You can use ConfigTool for changing the property as well.
To create the client's public/private key pair, go to Server -> Services -> Key Storage and click on the
view TrustedCAs.
case User1)
The Entry Name is just a name for identifying the key pair in the key store.
Specify the validity period; select RSA as the algorithm to use; select 1024 as the key length.
Select the Store Certificate check box.
Press Generate.
Have the generated client key pair signed by a CA; to do so, proceed in the same way as for getting the server
certificate signed by a CA:
Choose the client Private Key -> click on Generate CSR Request -> export the request to a file ->
send the file to your CA -> import the signed response into the key pair.
Note: You can also load a user's public-key certificate, if the key is stored with either the extension .crt
(DER encoded or Base-64 encoded) or .cert (Base-64 encoded).
Note: SSL should already be activated, and the root server certificate installed under the Server
Identity tab.
Options for client certificates:
- Do not request client certificate
- Request client certificate
- Require client certificate
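How the three client-certificate options translate into the verification modes of a TLS server, as an added example that is not from the original slides or from SAP's own API; the mapping onto Python's ssl module is mine. The trusted CA file corresponds to the list of CAs you accept as issuers of client certificates; its path is an assumed placeholder supplied by the caller.

```python
import ssl
from typing import Optional

# The three SSL Provider options for client certificates, mapped to the verify
# modes of Python's ssl module (mapping added here; not SAP's own API).
CLIENT_CERT_OPTIONS = {
    "Do not request client certificate": ssl.CERT_NONE,      # no CertificateRequest is sent
    "Request client certificate": ssl.CERT_OPTIONAL,         # requested, but anonymous clients still connect
    "Require client certificate": ssl.CERT_REQUIRED,         # handshake fails without a valid client cert
}


def build_server_context(option: str, trusted_ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Server-side TLS context whose client-certificate policy follows the chosen option.

    `trusted_ca_file` is a PEM file with the CAs you accept as issuers of client
    certificates. It is mandatory for the two options that request a certificate,
    because a requested certificate the server cannot verify is rejected anyway.
    """
    if option not in CLIENT_CERT_OPTIONS:
        raise ValueError(f"unknown option: {option!r}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = CLIENT_CERT_OPTIONS[option]
    if ctx.verify_mode != ssl.CERT_NONE:
        if trusted_ca_file is None:
            raise ValueError("a trusted CA file is needed when client certificates are requested")
        ctx.load_verify_locations(cafile=trusted_ca_file)  # e.g. "/path/to/trusted-cas.pem" (placeholder)
    return ctx


def requests_client_certificate(ctx: ssl.SSLContext) -> bool:
    """True when the server will send a CertificateRequest during the handshake."""
    return ctx.verify_mode in (ssl.CERT_OPTIONAL, ssl.CERT_REQUIRED)


if __name__ == "__main__":
    ctx = build_server_context("Do not request client certificate")
    print("requests client certificate:", requests_client_certificate(ctx))
```

With "Request client certificate" the login module described later can fall back to another authentication method when no certificate arrives; with "Require client certificate" the TLS handshake itself is aborted, so no application code runs for clients without a certificate.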
create new one in the desired user group - in this case User1 created with Administrator role under
the Administrators group)
Note: You can add more than one certificate with different privileges to one and same user.
Click OK; the Client Certificate Login Module appears among the Component Login Modules.
Choose the Security Roles tab and manage the users, roles and groups allowed to access this application.
For programmatic security roles, credentials may be required.
Note: In this case there is no need to maintain security roles, as User1 belongs to the Administrators
group.
To export the client's public/private key pair, go to Server -> Services -> Key Storage and click on
Navigate to the generated, CA-signed private key pair -> click Export -> choose
The exported key, the password used to protect the key, and the public CA certificate used for
signing the client certificate (if available) should be provided to the user in a secure manner.
Note: The server can export the private key in PKCS #8 (Private-Key Information Syntax Standard) or
PKCS #12 format; consider that different Web browsers support different cryptography standards.
- PKCS #12 - Personal Information Exchange: specifies a portable format for storing or
transporting a user's private keys, certificates, miscellaneous secrets, etc. (This format preserves
the chain of certification authorities.)
- PKCS #8 - describes a format for private key information. This information includes a private key
for some public-key algorithm, and optionally a set of attributes. (It doesn't preserve the chain of
CAs; you'll need to provide all chained X.509 CA certificates during export.)
PKCS#12 file -> provide the password (specified during key export)
To enable trust in this client certificate, you can install the root certificate (if provided by your
CA) that was used to sign the client certificate under the Trusted Root Certification Authorities store.
If the client certificate is self-signed, install the certificate itself in the trusted certificates store.
Objectives
Information sources
http://service.sap.com/security
http://sdn.sap.corp -> Web AS -> Security