NWBC security setting on server

Downloading the SAP Cryptographic Library

Procedure

...

1. Start your Web browser and navigate to the page http://service.sap.com/swcenter.

2. Log on with your SAP s-user ID and navigate to Download ® SAP Cryptographic Software.

Install SAP Cryptographic Library

...

1. Check the server’s profile parameter DIR_EXECUTABLE ,

DIR_INSTANCE. (if not exist create the parameter)

a. Call the transaction, RZ11

b. Enter DIR_EXECUTABLE and DIR_INSTANCE in Pram. Name and press Display

Operating system	Library file name	Configuration tool
UNIX	libsapcrypto.<ext>	sapgenpse

As user <sid>adm:

...

1. Extract the file using …

SAPCAR –xvf <downloaded file name>.CAR

2. Copy the library file and the configuration tool sapgenpse.exe to the directory specified by the application server's profile parameter DIR_EXECUTABLE. In the following, we represent this directory with the notation$(DIR_EXECUTABLE).

3. Copy the ticket file to the sub-directory sec in the instance directory $(DIR_INSTANCE)

Examples

UNIX:

· DIR_EXECUTABLE: /usr/sap/<SID>/SYS/exe/run/

· Location of SAP Cryptographic Library: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so

Location of Ticet

Examples

UNIX:

· DIR_INSTANCE: /usr/sap/<SID>/<instance>

· Location of the ticket: /usr/sap/<SID>/<instance>/sec/ticket

Set the environment variable SECUDIR to the sec subdirectory. The application server uses this variable to locate the ticket and its credentials at runtime

SECUDIR=\usr\sap\<SID>\<instance>\sec

· Update “.sapenv_<hostname>.csh with following entries :

o setenv SECUDIR /usr/sap/<SID>/DV*/sec

o setenv USER <sid>adm

· Update “.sapenv_<hostname>.sh” with following entries :

o SECUDIR=/usr/sap/<SID>/DV*/sec; export SECUDIR

o USER=<sid>adm; export USER

HTTP/HTTPS Settings in the ICM

Create parameter for HTTPS

icm/server_port_2 = PROT=HTTPS, PORT=84<instance No>, TIMEOUT=900 PROCTIMEOUT=900

Check parameter icm/host_name_full in RZ11 if not exist create it.

Setting the Profile Parameters for Using SSL

Set the profile parameters in AS ABAP's instance profile

Profile Parameter	Value	Examples
ssl/ssl_lib	Path and file name of the SAP Cryptographic Library	$(DIR_EXECUTABLE)/libsapcrypto.so
sec/libsapsecu	Path and file name of the SAP Cryptographic Library	$(DIR_EXECUTABLE)/libsapcrypto.so
ssf/ssfapi_lib	Path and file name of the SAP Cryptographic Library	$(DIR_EXECUTABLE)/libsapcrypto.so
ssf/name	SAPSECULIB	SAPSECULIB

Enable SSO2 cookie acceptance and creation, Please check if the below parameters exist, if not create them

login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2

The following four certificates must be created:

System PSE
SNC SAPCryptolib
SSL server Standard
SSL client SSL Client (Standard)

Once parameters are effective, blank entries will be there under Trust Manager (T-Code STRUST). Create PSE files for all nodes (click node, right mouse-button, create)

· Highlight “System PSE” and right click – select “Create”

Double click on node and verify own certificate is set to “Self sighed”

· Highlight “SSL Server” and right click – select “Create”

Provide required inputs..

Name : *.<Web AS Domain>

Org(Opt) : SAP

Comp/Org : <company name>

Country : <country name>

Click “Enter” icon

In Distinguished Name – make following entries (if not available)

CN-<hostname>.<Web AS Domain<, OU=SAP, O=<company name>, C=<country)

Double click on node and verify own certificate is set to “Self sighed”

· Highlight “SSLClient (Anonymous)” and right click – select “Create”

Provide similar info (as mentioned above), given “CN=anonymous”

Double click on node and verify own certificate is set to “Self sighed”

· Highlight “SSL Client (Standard)” and right click – select “Create”

Provide similar info (provide Name : <hostname>.<Web AS Domain>

Double click on node and verify own certificate is set to “Self sighed”

Downloading the SAP Cryptographic Library

Procedure

...

1. Start your Web browser and navigate to the page http://service.sap.com/swcenter.

2. Log on with your SAP s-user ID and navigate to Download ® SAP Cryptographic Software.

Install SAP Cryptographic Library

...

1. Check the server’s profile parameter DIR_EXECUTABLE ,

DIR_INSTANCE. (if not exist create the parameter)

a. Call the transaction, RZ11

b. Enter DIR_EXECUTABLE and DIR_INSTANCE in Pram. Name and press Display

Operating system	Library file name	Configuration tool
UNIX	libsapcrypto.<ext>	sapgenpse

As user <sid>adm:

...

1. Extract the file using …

SAPCAR –xvf <downloaded file name>.CAR

2. Copy the library file and the configuration tool sapgenpse.exe to the directory specified by the application server's profile parameter DIR_EXECUTABLE. In the following, we represent this directory with the notation$(DIR_EXECUTABLE).

3. Copy the ticket file to the sub-directory sec in the instance directory $(DIR_INSTANCE)

Examples

UNIX:

· DIR_EXECUTABLE: /usr/sap/<SID>/SYS/exe/run/

· Location of SAP Cryptographic Library: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so

Location of Ticet

Examples

UNIX:

· DIR_INSTANCE: /usr/sap/<SID>/<instance>

· Location of the ticket: /usr/sap/<SID>/<instance>/sec/ticket

Set the environment variable SECUDIR to the sec subdirectory. The application server uses this variable to locate the ticket and its credentials at runtime

SECUDIR=\usr\sap\<SID>\<instance>\sec

· Update “.sapenv_<hostname>.csh with following entries :

o setenv SECUDIR /usr/sap/<SID>/DV*/sec

o setenv USER <sid>adm

· Update “.sapenv_<hostname>.sh” with following entries :

o SECUDIR=/usr/sap/<SID>/DV*/sec; export SECUDIR

o USER=<sid>adm; export USER

HTTP/HTTPS Settings in the ICM

Create parameter for HTTPS

icm/server_port_2 = PROT=HTTPS, PORT=84<instance No>, TIMEOUT=900 PROCTIMEOUT=900

Check parameter icm/host_name_full in RZ11 if not exist create it.

Setting the Profile Parameters for Using SSL

Set the profile parameters in AS ABAP's instance profile

Profile Parameter	Value	Examples
ssl/ssl_lib	Path and file name of the SAP Cryptographic Library	$(DIR_EXECUTABLE)/libsapcrypto.so
sec/libsapsecu	Path and file name of the SAP Cryptographic Library	$(DIR_EXECUTABLE)/libsapcrypto.so
ssf/ssfapi_lib	Path and file name of the SAP Cryptographic Library	$(DIR_EXECUTABLE)/libsapcrypto.so
ssf/name	SAPSECULIB	SAPSECULIB

Enable SSO2 cookie acceptance and creation, Please check if the below parameters exist, if not create them

login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2

The following four certificates must be created:

System PSE
SNC SAPCryptolib
SSL server Standard
SSL client SSL Client (Standard)

Once parameters are effective, blank entries will be there under Trust Manager (T-Code STRUST). Create PSE files for all nodes (click node, right mouse-button, create)

· Highlight “System PSE” and right click – select “Create”

Double click on node and verify own certificate is set to “Self sighed”

· Highlight “SSL Server” and right click – select “Create”

Provide required inputs..

Name : *.<Web AS Domain>

Org(Opt) : SAP

Comp/Org : <company name>

Country : <country name>

Click “Enter” icon

In Distinguished Name – make following entries (if not available)

CN-<hostname>.<Web AS Domain<, OU=SAP, O=<company name>, C=<country)

Double click on node and verify own certificate is set to “Self sighed”

· Highlight “SSLClient (Anonymous)” and right click – select “Create”

Provide similar info (as mentioned above), given “CN=anonymous”

Double click on node and verify own certificate is set to “Self sighed”

· Highlight “SSL Client (Standard)” and right click – select “Create”

Provide similar info (provide Name : <hostname>.<Web AS Domain>

Double click on node and verify own certificate is set to “Self sighed”

Now you observe all 4 certificates are active in strust

And HTTPS is active in SMICM