
Saturday, December 1, 2007

configuring SAP SSL in webdispatcher, SAP Portal, Netweaver/J2EE engine, SRM, BW

The links below contain further information on SSL configuration in SAP, in addition to SSL in the Enterprise Portal.

http://help.sap.com/saphelp_nw04/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/content.htm

The SAP Web dispatcher supports SSL in two manners:
  • End-to-End SSL. The SAP Web dispatcher forwards the HTTPS request without decrypting it to an (HTTPS-enabled) SAP Web AS.
  • SSL termination. The SAP Web dispatcher decrypts the HTTPS request and then selects the server (Server Selection). You can define whether the request should be SSL-encrypted again before forwarding it.
The following scenarios are possible:

SSL Scenarios

  The Web Dispatcher receives | ... and forwards                           | Configuration (see graphic below)
  HTTP                        | HTTP                                       | icm/server_port_= ... PROT=HTTP ...
  HTTP                        | HTTPS                                      | icm/server_port_= ... PROT=HTTP ...
                              |                                            | wdisp/ssl_encrypt=2
  HTTPS                       | HTTP                                       | icm/server_port_= ... PROT=HTTPS ...
                              |                                            | wdisp/ssl_encrypt=0
  HTTPS                       | HTTPS                                      | icm/server_port_= ... PROT=HTTPS ...
                              |                                            | wdisp/ssl_encrypt=1
  HTTPS                       | HTTPS without unpacking (End-to-End SSL)   | icm/server_port_= ... PROT=ROUTER ...
The following graphic (not reproduced here) shows the various configurations, numbered 1 to 5.
The option PROT in parameter icm/server_port_ specifies whether SSL is terminated in the SAP Web dispatcher:
  • HTTP: The SAP Web dispatcher receives HTTP requests at the port (1 and 2 in the graphic).
  • HTTPS: The SAP Web dispatcher receives HTTPS requests at the port. It decrypts the request before it forwards it to an application server (3 and 4 in the graphic).
  • ROUTER: The SAP Web dispatcher receives an HTTPS request and forwards it without unpacking it (5 in the graphic): End-to-End SSL.
The parameter wdisp/ssl_encrypt determines whether the SAP Web dispatcher encrypts the request again with SSL before forwarding it (see the graphic and SAP Web Dispatcher Profile Parameters).
If you want your SAP Web dispatcher to unpack SSL or to encrypt HTTP requests with SSL (2, 3 and 4 in the graphic), you have to install the relevant SSL libraries and follow the configuration procedure. This is described in Configuring SAP Web Dispatcher for Supporting SSL.
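The following script is an added example, not code from SAP or from this post. It reads a constructed Web dispatcher profile fragment, pairs each icm/server_port_<n> entry with wdisp/ssl_encrypt and reports which of the five scenarios in the table above applies, flagging the terminating scenario in which the hop to the application server is plaintext. The parameter names are the ones on this page; the sample profile, the port numbers and the treatment of an unset wdisp/ssl_encrypt as 1 are assumptions of the example.

```python
"""Classify SAP Web Dispatcher SSL scenarios from its profile parameters.

Added example (not SAP's code): it reads a profile fragment, pairs each
icm/server_port_<n> entry with wdisp/ssl_encrypt and reports which of the
five scenarios from the table above applies. The sample profile below is
constructed for this example; the parameter names are the page's.
"""
import re

# Constructed sample profile: three listening ports and one re-encryption setting.
SAMPLE_PROFILE = """\
# SAP Web Dispatcher profile fragment (constructed)
icm/server_port_0 = PROT=HTTP, PORT=8000
icm/server_port_1 = PROT=HTTPS, PORT=4430
icm/server_port_2 = PROT=ROUTER, PORT=4431
wdisp/ssl_encrypt = 1
"""

_PORT_RE = re.compile(r"^icm/server_port_(\d+)\s*=\s*(.+)$")


def parse_profile(text):
    """Return ({port index: {option: value}}, wdisp/ssl_encrypt or None)."""
    ports, ssl_encrypt = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _PORT_RE.match(line)
        if m:
            opts = {}
            for item in m.group(2).split(","):
                key, _, value = item.strip().partition("=")
                opts[key.strip().upper()] = value.strip()
            ports[int(m.group(1))] = opts
        elif line.startswith("wdisp/ssl_encrypt"):
            ssl_encrypt = int(line.split("=", 1)[1].strip())
    return ports, ssl_encrypt


def classify(prot, ssl_encrypt):
    """Map PROT and wdisp/ssl_encrypt to (what is received, what is forwarded).

    Values follow the table: ssl_encrypt=2 re-encrypts plain HTTP (PROT=HTTP),
    ssl_encrypt=0 forwards a terminated HTTPS request as plain HTTP, and
    ssl_encrypt=1 re-encrypts it. An unset wdisp/ssl_encrypt is treated like 1
    here (an assumption of this example; check the parameter reference).
    """
    prot = prot.upper()
    if prot == "ROUTER":
        return ("HTTPS", "HTTPS (end-to-end, not decrypted)")
    if prot == "HTTP":
        return ("HTTP", "HTTPS" if ssl_encrypt == 2 else "HTTP")
    if prot == "HTTPS":
        return ("HTTPS", "HTTP" if ssl_encrypt == 0 else "HTTPS")
    raise ValueError("unknown PROT value: %r" % prot)


def report(text):
    """One row per listening port: (index, PORT, receives, forwards, note).

    The note flags the scenario in which the dispatcher terminates SSL and the
    hop to the application server is plaintext, so it can be reviewed.
    """
    ports, ssl_encrypt = parse_profile(text)
    rows = []
    for idx in sorted(ports):
        opts = ports[idx]
        receives, forwards = classify(opts.get("PROT", ""), ssl_encrypt)
        note = ""
        if receives == "HTTPS" and forwards == "HTTP":
            note = "SSL terminated at the dispatcher; backend hop is plaintext"
        rows.append((idx, opts.get("PORT", "?"), receives, forwards, note))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_PROFILE):
        print(row)
```

Run it against your own profile text to see, per port, whether the dispatcher decrypts, re-encrypts or passes the request through untouched; the plaintext note is the row worth reviewing.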

Metadata Exchange Using SSL

The Web Dispatcher receives details of the active application servers and logon groups from the message server and the application servers.
You can also use HTTPS for this communication. Section Metadata Exchange Using SSL explains how to do this.

http://help.sap.com/saphelp_nw04s/helpdata/en/20/37c33ae8361838e10000000a11402f/content.htm

Creating the SSL Server PSE

Use

The SSL Server PSE contains the application server's security information that it needs to communicate using SSL. If you have a system with multiple application servers, then the following options are available:
  • Use a single system-wide SSL server PSE for all servers.
  • Use server-specific SSL server PSEs for individual application servers.
  • Use a combination of both types. (Some application servers use a system-wide SSL server PSE, and other application servers use server-specific SSL server PSEs.)
Note
Use a system-wide PSE for those application servers that are accessed via a Network Address Translator (NAT). Use the NAT's fully-qualified host name as the Common Name (CN) part of the Distinguished Name.

Prerequisites

  • The SAP Cryptographic Library is installed in the $(DIR_EXECUTABLE) directory on the application server.
Note
If the SAP Cryptographic Library is not installed, then the SSL Server PSE and SSL Client PSE nodes are not included in the trust manager's PSE status section.
  • You know the naming convention to use for the server's Distinguished Name. The syntax of the Distinguished Name depends on the Certification Authority (CA) you use.
Example
For example, if you use the SAP CA, the naming convention is CN=, OU=I-, OU=SAP Web AS, O=SAP Trust Community, C=DE.
Note
For more information about the SAP CA naming conventions, see the SAP Trust Center Service at http://service.sap.com/tcs.

Procedure

From the Trust Manager screen:
1. Select the SSL Server PSE node.
2. Using the context menu, choose Create (if no PSE exists) or Replace.
The PSE dialog appears.
3. Enter the Distinguished Name parts for a default SSL server PSE in the corresponding fields. For the default SSL server PSE, use a wildcard character (*) as the host name in the Name field. For example:
  • Name = *.mycompany.com
  • Org. (opt.) = Test
  • Comp./Org. = MyCompany
  • Country = US
Note
If you want to use a reference to a CA name space, then elements contained in the CA's name space are automatically used for the server's Distinguished Name. In addition, you cannot modify the Country field. Use the toggle function to activate or deactivate the reference to a CA name space.
The system uses these components to build a default Distinguished Name for a system-wide PSE, as well as to build the server-specific names for individual PSEs.
The SSL Server screen then appears. In this screen, you can decide whether the individual application servers should use the default Distinguished Name and system-wide SSL server PSE or individual PSEs. The default Distinguished Name appears in the Default PSE DN field. The server-specific Distinguished Names appear in the table in the Distinguished Name column.
4. If necessary, modify or delete any of the individual application servers' Distinguished Names to meet your own needs.
For example:
  • Delete the Distinguished Name entry for any servers that should receive the default Distinguished Name.
  • Assign the same Distinguished Name to all servers that are to be accessed via a NAT.
  • Modify the Distinguished Name to adhere to your CA's naming convention (for example, adding an attribute such as L=).
Note
If the system could not determine a Distinguished Name for the server, then an error has occurred in the connection, or the target server's configuration is not set up correctly.
5. Choose Enter.
You return to the Trust Manager screen.
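As an added example (not SAP's code and not part of the original post), the script below reproduces the naming step of the procedure above: the four Trust Manager fields become a default Distinguished Name with a wildcard host, each application server gets a server-specific name derived from it, servers behind a NAT share one name built from the NAT's fully-qualified host name, and an extra CA attribute such as L= can be appended. It also checks which hosts the wildcard actually covers, since *.mycompany.com matches one label only. The mapping of the fields to the attributes CN, OU, O and C, the host names and the NAT name are assumptions of the example.

```python
"""Build SSL server PSE Distinguished Names from the Trust Manager fields.

Added example, not SAP's code. Field-to-attribute mapping (Name -> CN,
Org. (opt.) -> OU, Comp./Org. -> O, Country -> C) follows the page's SAP CA
example and is an assumption here; all host names are constructed.
"""


def build_dn(name, org_unit, organization, country, extra=()):
    """Assemble a DN string; `extra` holds CA-specific attributes such as 'L=...'."""
    parts = ["CN=" + name]
    if org_unit:                      # the Org. field is optional
        parts.append("OU=" + org_unit)
    parts.append("O=" + organization)
    parts.extend(extra)
    parts.append("C=" + country)
    return ", ".join(parts)


def host_matches_wildcard(host, pattern):
    """True if `pattern` like '*.mycompany.com' covers `host`.

    A wildcard covers exactly one label: app1.mycompany.com matches,
    a.b.mycompany.com and the bare domain mycompany.com do not.
    """
    host, pattern = host.lower(), pattern.lower()
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]              # ".mycompany.com"
    if not host.endswith(suffix) or len(host) <= len(suffix):
        return False
    return "." not in host[: -len(suffix)]


def assign_server_dns(default_name, org_unit, organization, country,
                      servers, nat_host=None, extra=()):
    """servers: iterable of (host, behind_nat).

    Returns (dns, uncovered): dns maps host -> server-specific DN (NAT servers
    share a DN with the NAT's FQDN as CN); uncovered lists hosts that the
    wildcard default name would not cover, so they need an individual PSE.
    """
    dns, uncovered = {}, []
    for host, behind_nat in servers:
        cn = nat_host if behind_nat else host
        dns[host] = build_dn(cn, org_unit, organization, country, extra)
        if not behind_nat and not host_matches_wildcard(host, default_name):
            uncovered.append(host)
    return dns, uncovered


if __name__ == "__main__":
    # Constructed landscape: one direct server, two behind a NAT, one outside the domain.
    landscape = [("app1.mycompany.com", False), ("app2.mycompany.com", True),
                 ("app3.mycompany.com", True), ("legacy.other.net", False)]
    print(build_dn("*.mycompany.com", "Test", "MyCompany", "US"))
    dns, uncovered = assign_server_dns("*.mycompany.com", "Test", "MyCompany", "US",
                                       landscape, nat_host="portal.mycompany.com")
    for host, dn in dns.items():
        print(host, "->", dn)
    print("not covered by the default PSE:", uncovered)
```

The `uncovered` list is the practical check: a server whose name the wildcard does not cover will present a default PSE certificate whose CN does not match its host name, which browsers report as a certificate error.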

Result

The system creates the SSL server PSEs and distributes them to the individual application servers.

http://wiki.sdn.sap.com/wiki/display/EP/Configuring+the+Use+of+SSL+on+the+SAP+J2EE+Engine  by Bala Duvvuri

Configuring the Use of SSL on the SAP J2EE Engine

Deploying the SAP Java Cryptographic Toolkit

Prerequisites

  • You have obtained the SAP Java Cryptographic Toolkit package that corresponds to your SAP J2EE Engine release. This package is available on the SAP Service Marketplace at service.sap.com/download under Download → SAP Cryptographic Software.
    The SAP Java Cryptographic Toolkit package contains the corresponding Software Delivery Archives (SDAs) for both J2SE 1.3.x and J2SE 1.4.x. The SDAs contain the file iaik_jce.jar, which replaces the export version of the toolkit, iaik_jce_export.jar.
  • If you use J2SE 1.4 or higher, then you also have to install and use the unlimited strength jurisdiction policy files from your J2SE vendor to be able to use the strong cryptography functions used by the Secure Storage and SSL Provider services. (By default, only limited policy files are delivered with the J2SE 1.4 packages.)
    The use of these policy files can be subject to import regulations. Make sure you are allowed to use these files before you download and install them.
    The policy files you use need to be provided by the same vendor as your J2SE package. The policy files to use with the Sun Java Development Kit are available from Sun Microsystems, Inc. at java.sun.com. For other vendors, see their corresponding documentation.
  • The SAP J2EE Engine and the Software Deployment Manager (SDM) are running.
Go to the link: service.sap.com/download

Procedure

1. Unpack the SAP Cryptographic Toolkit package into a local directory.
2. Using the SDM Remote GUI, connect to the SAP J2EE Engine and deploy the SAP Java Cryptographic Toolkit SDA that applies to your J2SE version (1.3.x or 1.4.x).
For more information about using the SDM, see the Software Deployment Manager in the Development Manual.
The SAP Java Cryptographic Toolkit package contains the corresponding Software Delivery Archives (SDAs) for both J2SE 1.3.x and J2SE 1.4.x. The SDAs contain the file iaik_jce.jar, which replaces the export version of the toolkit, iaik_jce_export.jar. (Use the version that matches the JDK you installed during the installation of the portal.)
Deploy the SDA files as shown below (screenshots not reproduced here).
You can now change the startup mode for the SSL Provider so that it automatically starts when the server is started. Use the Configuration Adapter in the Visual Administrator and set the startup mode to Always instead of Manual. For more information, see Changing the Startup Mode for the SSL Provider.
3. Restart the J2EE dispatcher and server. Also restart any tools such as the Visual Administrator or the Config Tool that are running.
You can verify that the correct library has been loaded under Dispatcher → Libraries → core_lib in the Visual Administrator. iaik_jce.jar should be included in the list of loaded jars, and not iaik_jce_export.jar.

Result

The SAP Java Cryptographic Toolkit replaces the export version of the toolkit on the J2EE dispatcher and server.
You should periodically check for an updated version of this library on the SAP Service Marketplace, for example, when you install support packages.

Go to the Visual Administrator and generate the corresponding SSL keystore certificates.
4. If the corresponding certificate has not yet been signed by a CA, then:
  a. Generate a certificate signing request. Select your entry, choose Generate CSR Request and save it to a file.
  b. Send the certificate signing request to a CA to be signed.
     The exact procedure to use depends on the CA that you use. For the SAP CA, follow the instructions provided by the SAP Trust Center Service at service.sap.com/tcs.
  c. Save the certificate request response to a file in the file system. Use the extension .crt (DER-encoded or Base-64 encoded) or .cert (Base-64 encoded).
  d. Import the corresponding certificate request response. Choose Import CSR Response and load the response from the file system.
For more information about managing keys and certificates in the Key Storage service, go to service.sap.com/tcs.
Since the save dialog uses "save as type: text document" and you need to save the file as .cert, put the file name in double quotes. The SSLCERT is shown above (screenshot not reproduced here).
Check whether SSL is working:
1. Use https instead of http in the URL. SSL is then set up for the J2EE server.
2. If SSL is configured correctly, then the SAP J2EE Engine's start page appears in your Web browser. Many Web browsers also display a lock in their footer. Double-click the lock to view the server's certificate.
3. Also test the SSL connection with https://<host>:<port>, for example https://localhost:50001.
For more information, see the following link:
http://help.sap.com/SAPHELP_470/Helpdata/EN/d8/a922d7f45f11d5996e00508b5d5211/content.htm

SAP Web Dispatcher and SSL

Unlike HTTP, with HTTPS (end-to-end SSL) the SAP Web dispatcher cannot read any request data and therefore cannot interpret any session cookies that may be present (with stateful applications). The information needed to forward the request to the correct server is therefore missing. The SAP Web dispatcher cannot decide whether the request belongs to a stateless or a stateful application.
As a result, the SAP Web dispatcher forwards the encrypted data unchanged to the application server, where the data is finally decrypted.
The only distinguishing criterion available to the SAP Web dispatcher is the client IP address. The SAP Web dispatcher therefore manages a mapping table between the client IP address and the application server. If a request from a client IP address is sent to application server X, all subsequent requests from this client IP address must also be sent to this server, since it could well be a stateful application. Load balancing therefore only takes place upon the very first client request.

Problems
This process entails the following problems.
  • All companies use proxies. This means that all requests sent via a proxy go to one server, which cancels load balancing after the first request.
  • Large companies use several parallel proxies (which in turn also balance load) as access to the Internet. This means that a request from the same client is sent via proxy A, and a later request from the same client, belonging to the same session, is sent via proxy B to the SAP Web dispatcher, and therefore has a different client IP address.

Solution
You can use profile parameter wdisp/HTTPS/sticky_mask to group several client IP addresses into one logical address. Profile Parameter of the SAP Web Dispatcher describes the exact function of this parameter.
The default is: mask 255.255.240.0 is ANDed with the real IP address; this hides the lowest 12 bits, so that 124.94.55.1 and 124.94.55.99 are interpreted as the same address.

Mapping Table
The mapping table, which the SAP Web dispatcher uses to manage client IP addresses and the application servers assigned to them, has the following properties.
  • The size of the mapping table depends on the sticky mask. The more bits that are hidden, the smaller the mapping table becomes. Profile parameter wdisp/HTTPS/max_client_ip_entries defines the maximum number of entries that this table can hold. Profile Parameter of the SAP Web Dispatcher describes the exact function of this parameter.
Caution
If the mapping table is full, that is, the value of wdisp/HTTPS/max_client_ip_entries has been reached, the SAP Web dispatcher no longer balances the load! The parameter should therefore always be set according to your needs and resources.
  • There is no timeout for the entries in the mapping table. If a server is shut down, the context is deleted on this server. The system looks for a new server for the client IP address.
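The sticky mask and the mapping table described above, as an added example that is not SAP's code and not part of the original post: the client IP is ANDed with wdisp/HTTPS/sticky_mask, the resulting logical address is bound to the server chosen on its first request, entries never time out, a stopped server's entries are dropped, and once wdisp/HTTPS/max_client_ip_entries is reached no further client is balanced. Round-robin server selection, returning None when the table is full, and the addresses and server names used are assumptions of the example.

```python
"""Model of the Web dispatcher's client-IP mapping table for end-to-end SSL.

Added example, not SAP's code. Round-robin selection and the 'None when
full' result are modelling assumptions; the addresses are constructed.
"""
import ipaddress
import itertools


class StickyTable:
    def __init__(self, servers, sticky_mask="255.255.240.0", max_entries=1000):
        self.servers = list(servers)
        self.mask = int(ipaddress.IPv4Address(sticky_mask))   # wdisp/HTTPS/sticky_mask
        self.max_entries = max_entries                        # wdisp/HTTPS/max_client_ip_entries
        self.table = {}                                       # logical address -> server
        self._rr = itertools.cycle(self.servers)

    def logical_address(self, client_ip):
        """AND the client address with the sticky mask (the default hides 12 bits)."""
        masked = int(ipaddress.IPv4Address(client_ip)) & self.mask
        return str(ipaddress.IPv4Address(masked))

    def select(self, client_ip):
        """Return the server for this client.

        A known logical address always goes to its bound server (no timeout).
        A new address is balanced only while the table has room; when it is
        full this example returns None to make the failure mode visible.
        """
        key = self.logical_address(client_ip)
        if key in self.table:
            return self.table[key]
        if len(self.table) >= self.max_entries:
            return None
        server = next(self._rr)
        self.table[key] = server
        return server

    def server_down(self, server):
        """Remove a stopped server and its mappings so its clients are reselected."""
        self.servers.remove(server)
        self._rr = itertools.cycle(self.servers)
        for key in [k for k, s in self.table.items() if s == server]:
            del self.table[key]


if __name__ == "__main__":
    # Two constructed servers and a deliberately tiny table to show it filling up.
    t = StickyTable(["app1", "app2"], max_entries=2)
    for ip in ("124.94.55.1", "124.94.55.99", "10.0.0.5", "192.168.1.1"):
        print(ip, "->", t.logical_address(ip), "->", t.select(ip))
```

With the default mask, 124.94.55.1 and 124.94.55.99 both collapse to 124.94.48.0 and land on the same server, which is the proxy case the text describes; the fourth address gets no server once the two-entry table is full, which is the Caution above.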
Selecting a Suitable Application Server

HTTPS-Enabled Application Server
With parameter wdisp/HTTPS/dest_logon_group (see Profile Parameter of the SAP Web Dispatcher) you define a logon group with HTTPS-enabled application servers, to which all HTTPS requests are then sent.

ABAP or J2EE Server
Since the SAP Web dispatcher cannot decide whether a request should be processed by an ABAP or a J2EE server, all servers in the logon group for HTTPS requests must provide the same services. Of course, all servers must be HTTPS-enabled, and one of the following points must apply:
  • All servers offer J2EE and ABAP
  • All servers offer ABAP only
  • All servers offer J2EE only
