The following document describes how the NCC portal security was implemented.
This document should be used for SAP Consulting knowledge-sharing purposes
only. Do not distribute it to non-SAP parties, as it contains sensitive information such as
the hostnames of our architecture.
There was also a need to provide SSL communication to the end user, together with client
certificate authentication. Each end user would have a unique X.509 client certificate,
which the browser presents during the SSL handshake. The following is an example.
Design:
The SAP Web Dispatcher has to accept and decrypt the incoming SSL requests, which
carry the X.509 client certificate as well. Once it has done so, the SAP Web Dispatcher
has to:
1. Extract the X.509 certificate information and add it to the HTTP request header
that is forwarded to the backend application.
2. Re-encrypt the outgoing request with another SSL certificate and forward it to the
backend application. This would be a self-signed certificate.
3. The backend J2EE engine is configured to receive the request, decrypt it, take the
X.509 certificate information from the HTTP header variables, trust the end user's
identity from the client certificate's information and log them on to the
application.
Because in step 3 the user identity arrives in a plain HTTP header, the backend must
accept that header only from the Web Dispatcher (typically by trusting the Web
Dispatcher's own certificate on the re-encrypted connection), and the J2EE ports must
not be reachable by end users directly. Otherwise any client that can reach the J2EE
engine could put an arbitrary certificate into the header and log on as any user.
#
# SAP Web Dispatcher Parameter
wdisp/auto_refresh = 120
wdisp/max_servers = 100
# Communication Buffer
mpi/total_size_MB = 100
mpi/buffer_size = 65536
The text highlighted in yellow is the configuration to accept incoming SSL requests from end users.
The text highlighted in green is the configuration to re-encrypt the SSL request and forward it to the
backend application.
The text highlighted in dark yellow is the configuration to read the X.509 client certificate from the
incoming request and forward it to the backend application in the request header.
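As an added illustration (this is not the NCC profile from this document, whose highlighted parameters are not reproduced above), the following Web Dispatcher profile fragment shows the three groups of settings the design needs. The parameter names are SAP Web Dispatcher / ICM parameters; the port, the PSE paths and the backend host name are placeholders.

```ini
# Added example profile fragment (sapwebdisp.pfl style); NOT the NCC profile from this
# document. Parameter names are SAP Web Dispatcher / ICM parameters; port, paths and the
# backend host name are placeholders.

# Yellow: terminate HTTPS from end users and ask the browser for an X.509 client certificate
icm/server_port_0 = PROT=HTTPS,PORT=443
ssl/ssl_lib = $(DIR_EXECUTABLE)$(DIR_SEP)sapcrypto$(FT_DLL)
ssl/server_pse = $(DIR_INSTANCE)$(DIR_SEP)sec$(DIR_SEP)SAPSSLS.pse
icm/HTTPS/verify_client = 2
# 2 = client certificate required, 1 = requested but optional, 0 = never requested.
# A client certificate is only accepted if it chains to a CA in the PK list of
# SAPSSLS.pse, which is why the SSO root certificate has to be added there.

# Green: decrypt, then re-encrypt towards the J2EE dispatchers instead of forwarding in clear
wdisp/ssl_encrypt = 1
# 1 = re-encrypt; 0 would send the request, certificate header included, as plain HTTP
wdisp/ssl_auth = 1
# 1 = authenticate to the backend with the Web Dispatcher's own certificate from wdisp/ssl_cred
wdisp/ssl_cred = $(DIR_INSTANCE)$(DIR_SEP)sec$(DIR_SEP)SAPSSLC.pse
wdisp/ssl_certhost = j2ee.internal.example
# host name the backend's (self-signed) server certificate must carry; the self-signed
# certificates of the J2EE dispatchers go into the PK list of SAPSSLC.pse

# Dark yellow: forward the verified client certificate to the backend in the HTTP header
icm/HTTPS/forward_ccert_as_header = true
# the backend receives it in the SSL_CLIENT_CERT header field
```

Two settings are worth re-checking when hardening. With icm/HTTPS/verify_client = 1 the handshake also completes for a browser that presents no certificate, so such users reach whatever other logon method the portal offers; 2 refuses them at the Web Dispatcher. With wdisp/ssl_encrypt = 0 the re-encryption from the design is lost and the certificate header travels in clear on the internal network. On the J2EE side the SSL_CLIENT_CERT header must only be honoured on connections where the Web Dispatcher has authenticated itself with the certificate from SAPSSLC.pse; a backend that accepts the header from any source can be impersonated by anyone who can reach its port.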
Most of the SSL setup is documented on the SAP Online Help Portal; see the following
link for details:
http://help.sap.com/saphelp_erp2005/helpdata/en/39/09a63d7af20450e10000000a114084/frameset.htm
Steps performed:
• Created SAPSSLS.pse and a certificate request for the PSE. This certificate was
externally signed by the CA and imported into SAPSSLS.pse (follow the link above).
• Configured both J2EE dispatchers to use the self-signed certificates for all their
connections.
To read the X.509 client certificate from the incoming request on the SAP Web Dispatcher:
• Added the SSO root certificate (the CA that issues the end users' client certificates) to
the public key list of the Web Dispatcher's SAPSSLS.pse. The entry in the PK list looks as follows:
1. -------------------------------------------------------------
Version: 2 (X.509v3-1996)
SubjectName: CN=SSO_CA, O=SAP-AG, C=DE
IssuerName: CN=SSO_CA, O=SAP-AG, C=DE
SerialNumber: 00
Validity - NotBefore: Mon May 04 08:59:33 1998 (980504125933Z)
           NotAfter:  Mon May 03 08:59:33 2010 (100503125933Z)
Public Key Fingerprint: 0437 9264 5918 EB82 F7A2 A8C2 D5F2 A32F
SubjectKey: Algorithm RSA (OID 1.2.840.113549.1.1.1), NULL
Certificate extensions:
AuthorityKeyIdentifier:
  Key Identifier: 1397 77DB 5819 F071 802F 37BC 30CF 36BC 4838 D2A0
Subject Key Identifier: 1397 77DB 5819 F071 802F 37BC 30CF 36BC 4838 D2A0
Key Usage: (CRITICAL) digitalSignature nonRepudiation keyEncipherment dataEncipherment keyCertSign cRLSign
Basic Constraints: allowed to act as a CA !
The following screenshots of the J2EE configuration provide more information:
Replacing expired SSL Cert:
The SSL certificate in SAPSSLS.pse at that time was the test SSL certificate from the CA,
which was valid for only 2 months. A CSR was created from a new PSE, SAPSSLS2.pse, for which
an SSL certificate valid for 1 year was received. The following steps describe how the two
certificates were exchanged.
D:\sapwebdispatcher>sapgenpse import_own_cert -p D:\sapwebdispatcher\sec\SAPSSLS2.pse -c D:\sapwebdispatcher\sec\Validcert.cer -x <password>
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (1280/0x0500) Incomplete FCPath, need certificate of CA : "EMAIL=certificate@trustcenter.de, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, SP=Hamburg, C=DE"
ERROR in ssf_install_certs_into_pse: (1280/0x0500) Incomplete FCPath, need certificate of CA : "EMAIL=certificate@trustcenter.de, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, SP=Hamburg, C=DE"
The error shows that the certificate of the issuing CA (TC TrustCenter Class 2 CA) was also
needed to complete the certificate chain; import_own_cert takes it with the -r option. Hence,
got the CA certificates TC_RootServer_DER_Class2.cer and TC_RootServer_PEM_Class2.cer (the
Class 2 root for server certificates, in DER and PEM encoding) from www.trustcenter.de and
tried importing them into SAPSSLS2.pse. The results are:
D:\sapwebdispatcher>sapgenpse import_own_cert -p D:\sapwebdispatcher\sec\SAPSSLS2.pse -c D:\sapwebdispatcher\sec\Validcert.cer -r D:\NCC_Certs\TC_RootServer_PEM_Class2.cer -x <password>
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (9/0x0009) af_verify_Certificates failed
ERROR in ssf_install_certs_into_pse: (9/0x0009) af_verify_Certificates failed
ERROR in af_verify_Certificates: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints
ERROR in check_basicConstraints: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints
and:
D:\sapwebdispatcher>sapgenpse import_own_cert -p D:\sapwebdispatcher\sec\SAPSSLS2.pse -c D:\sapwebdispatcher\sec\Validcert.cer -r D:\NCC_Certs\TC_RootServer_DER_Class2.cer -x <password>
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (9/0x0009) af_verify_Certificates failed
ERROR in ssf_install_certs_into_pse: (9/0x0009) af_verify_Certificates failed
ERROR in af_verify_Certificates: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints
ERROR in check_basicConstraints: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints
Decided to export the root certificate from the IE 6.0 certificate store instead, since
Windows ships its own copy of the TC TrustCenter Class 2 CA:
IE -> Tools -> Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities -> TC TrustCenter Class 2 CA -> Export -> Save as Base-64 encoded (.CER) file.
D:\sapwebdispatcher>sapgenpse import_own_cert -p D:\sapwebdispatcher\sec\SAPSSLS2.pse -c D:\sapwebdispatcher\sec\Validcert.cer -r D:\NCC_Certs\FromBrowser.cer -x <password>
CA-Response successfully imported into PSE "D:\sapwebdispatcher\sec\SAPSSLS2.pse"
Restarted the Web Dispatcher with the new PSE in place as SAPSSLS.pse. Everything worked fine:
the logs did not complain about initializing SAPSSLS.pse. Log on to EP and double-click the SSL
lock icon at the bottom of the IE window; the "Certification Path" tab shows that the certificate
chain is now complete, as shown below.
Client authentication, however, did not work: a newly created PSE does not inherit the trusted
certificates of the old one, so SSO-CA.cer had to be added again to the PK list of the "new"
SAPSSLS.pse.
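The two failures above (an incomplete chain, then a CA file without Basic Constraints) can be caught before the PSE is touched. The following script is an added example, not part of the original document and not SAP tooling: it uses openssl to run the same two checks that sapgenpse applies to a CA response, so that the -c/-r files are only handed to import_own_cert once they are known to form a valid path. File names are whatever the caller passes; both PEM and DER input is accepted, since the TrustCenter download came in both encodings.

```shell
# Added example (not from the NCC document, not SAP tooling): pre-flight the
# -c (signed server cert) and -r (CA cert) files for "sapgenpse import_own_cert"
# with openssl, reproducing the two checks that failed in the log above.
# Usage: sh precheck.sh Validcert.cer FromBrowser.cer   (file names are placeholders)

# PEM or DER? The TrustCenter download came in both encodings; IE exported Base64 (PEM).
inform_of() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# Print the certificate as PEM regardless of its on-disk encoding.
to_pem() {
    openssl x509 -inform "$(inform_of "$1")" -in "$1"
}

# Subject or issuer DN ($1 = -subject | -issuer) of certificate file $2,
# with openssl's "subject=" / "issuer=" prefix removed.
dn_of() {
    to_pem "$2" | openssl x509 -noout "$1" | sed 's/^[a-z]*= *//'
}

# Return codes mirror the sapgenpse failures:
#   0  chain is complete and verifies
#   2  CA file does not issue the leaf        -> "Incomplete FCPath, need certificate of CA ..."
#   3  CA cert lacks Basic Constraints CA:TRUE -> "no basic constraints"
#   4  signature/validity check failed
precheck_ca_response() {   # $1 = signed server certificate, $2 = CA certificate
    leaf=$1; ca=$2
    leaf_issuer=$(dn_of -issuer "$leaf")
    ca_subject=$(dn_of -subject "$ca")
    if [ "$leaf_issuer" != "$ca_subject" ]; then
        echo "incomplete chain: need certificate of CA \"$leaf_issuer\", but $ca is \"$ca_subject\"" >&2
        return 2
    fi
    # sapgenpse (like RFC 5280 path validation) only accepts a CA certificate that says
    # CA:TRUE in its Basic Constraints extension; a root without the extension fails here.
    if ! to_pem "$ca" | openssl x509 -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
        echo "CA certificate \"$ca_subject\" has no Basic Constraints CA:TRUE; import would fail" >&2
        return 3
    fi
    # Finally check the signature and validity period of the path.
    ca_pem=$(mktemp)
    to_pem "$ca" > "$ca_pem"
    if to_pem "$leaf" | openssl verify -CAfile "$ca_pem" >/dev/null 2>&1; then
        rm -f "$ca_pem"
        echo "chain OK: $leaf is issued by \"$ca_subject\""
        return 0
    fi
    rm -f "$ca_pem"
    echo "openssl verify failed for $leaf against $ca" >&2
    return 4
}

# Run directly: sh precheck.sh <server cert> <CA cert>
if [ $# -eq 2 ]; then
    precheck_ca_response "$1" "$2"
fi
```

Exit code 2 corresponds to the "Incomplete FCPath" error and 3 to "no basic constraints"; only a result of 0 is worth following with the import_own_cert -c/-r call shown above. After the import succeeds, remember that a new PSE starts with an empty PK list, so the client CA (SSO-CA.cer) has to be added again before client authentication works: sapgenpse maintain_pk -p <pse> -a <cert> adds it and sapgenpse maintain_pk -p <pse> -l lists what the PSE currently trusts.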