Tuesday, 7 August 2012

How To Configure SSL

Document Version: 1.00
Description: First official release of this guide

How To Configure SSL for SAP NetWeaver Mobile 7.1
December 2009
1. Scenario
2. Background Information
SAP NetWeaver Mobile 7.1 uses HTTP as the default protocol for data communication between the DOE and clients. HTTP may not meet your security requirements, since business data may be intercepted by unauthorized parties.
You can configure the SSL-based HTTPS protocol instead, in which the data exchange is encrypted and a certificate is required.
This document explains how to configure HTTPS connections.
3. Prerequisites
Software
• You have downloaded the SAP Cryptographic Software from the SAP software distribution center and unpacked it.
  • Download SAP Cryptographic software
• JDK 1.5 or above is installed on your computer.
• The SAP NetWeaver Mobile client for laptop is installed on your computer.
Relevant SAP Notes
• Your country and company meet the export/import regulations for the SAP Cryptographic Library.
4. Step-by-Step Procedure
We start by installing the cryptographic library and setting the server's parameters. Then we import a server certificate into the server. Finally, we obtain the certificate and import it into the client.
4.1 Install SAP Cryptographic Library
1. Check the server's profile parameter DIR_EXECUTABLE.
a. Call transaction RZ11.
b. Enter DIR_EXECUTABLE in Param. Name and press Display.
c. Make a note of the Current value.
d. Repeat the steps above for the parameter DIR_INSTANCE.
e. Copy the library file and the configuration tool to the directory specified in DIR_EXECUTABLE.
Note
Operating system    Library file name     Configuration tool
UNIX                libsapcrypto.<ext>    sapgenpse
Windows             sapcrypto.dll         sapgenpse.exe
Important
For UNIX, make sure to set the file permissions to be executable. For Windows, make sure that <sid>adm has the execution rights.
f. Copy the ticket file to the directory $(DIR_INSTANCE)\sec.
Note
If there is no directory named sec under $(DIR_INSTANCE), create it.
g. Create an environment variable SECUDIR that refers to the ticket's file path from the previous step. This environment variable needs to be accessible to the user account that is used to execute the Dispatcher process for the SAP system.
4.2 Configure Profile Parameters
1. Call transaction RZ10.
2. Select the instance profile, check Extended maintenance, then press the Change button.
3. Press
4. Enter each of the following parameter names and values and press the Copy button twice. Then
press
button
Parameter name: ssl/ssl_lib
Parameter value (Windows): $(DIR_EXECUTABLE)\sapcrypto.dll
Parameter value (UNIX): $(DIR_EXECUTABLE)/libsapcrypto.<ext>

Parameter name: sec/libsapsecu
Parameter value (Windows): $(DIR_EXECUTABLE)\sapcrypto.dll
Parameter value (UNIX): $(DIR_EXECUTABLE)/libsapcrypto.<ext>

Parameter name: ssf/ssfapi_lib
Parameter value (Windows): $(DIR_EXECUTABLE)\sapcrypto.dll
Parameter value (UNIX): $(DIR_EXECUTABLE)/libsapcrypto.<ext>

Parameter name: ssf/name
Parameter value: SAPSECULIB

Parameter name: icm/ssl_config_<xx>
Parameter value: CRED=<credential> [, CACHESIZE=<cache size>, LIFETIME=<max lifetime>, VCLIENT=<SSL client verification>, CIPHERS=<Cipher Suites>]

Parameter name: icm/server_port_<xx>
Parameter value: PROT=HTTPS, PORT=<port number> [, TIMEOUT=<timeout in seconds>, PROCTIMEOUT=<proctimeout in seconds>, EXTBIND=1, HOST=<host name>, VCLIENT=<SSL Client Verification>, SSLCONFIG=ssl_config_<xx>]

Parameter name: icm/HTTPS/verify_client
Parameter value:
0: Do not use certificate
1: Allow certificates (default)
2: Require certificate
5. Press Yes to save changes.
6. Press the Save button.
Note
You can ignore the warning about an unknown parameter.
7. Press Yes to activate the profile.
8. An information pop-up followed by a caution pop-up is displayed.
9. Restart the application server for the profile change to take effect.
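A consistency check for the parameters entered in step 4, as an added example that is not part of the original guide: it parses an instance profile and reports mismatched library paths, a missing HTTPS port, an SSLCONFIG reference with no matching icm/ssl_config_<xx> entry, and verify_client set to 0. The sample profile, its "name = value" layout, and the function names are assumptions constructed for the example.

```python
# Constructed sample instance profile (placeholder values, not from a real system).
SAMPLE_PROFILE = """\
ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so
sec/libsapsecu = $(DIR_EXECUTABLE)/libsapcrypto.so
ssf/ssfapi_lib = $(DIR_EXECUTABLE)/libsapsecu.so
ssf/name = SAPSECULIB
icm/server_port_0 = PROT=HTTP, PORT=8000
icm/server_port_1 = PROT=HTTPS, PORT=8443, SSLCONFIG=ssl_config_1
icm/HTTPS/verify_client = 0
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def options(value):
    """Split 'PROT=HTTPS, PORT=8443' into {'PROT': 'HTTPS', 'PORT': '8443'}."""
    return dict(p.strip().split("=", 1) for p in value.split(",") if "=" in p)

def lint(params):
    """Return a list of findings for the SSL-related parameters of section 4.2."""
    findings = []
    libs = {params.get(k) for k in ("ssl/ssl_lib", "sec/libsapsecu", "ssf/ssfapi_lib")}
    if None in libs:
        findings.append("library parameter missing")
    elif len(libs) > 1:
        findings.append("library parameters point to different files")
    if params.get("ssf/name") != "SAPSECULIB":
        findings.append("ssf/name is not SAPSECULIB")
    ports = [options(v) for k, v in params.items() if k.startswith("icm/server_port_")]
    https = [o for o in ports if o.get("PROT") == "HTTPS"]
    if not https:
        findings.append("no HTTPS port defined")
    if any(o.get("PROT") == "HTTP" for o in ports):
        findings.append("plain HTTP port still enabled")
    for o in https:
        ref = o.get("SSLCONFIG")
        if ref and "icm/" + ref not in params:
            findings.append(f"SSLCONFIG={ref} has no icm/{ref} entry")
    if params.get("icm/HTTPS/verify_client", "1") == "0":
        findings.append("verify_client=0: client certificates are never used")
    return findings
```

Calling lint(parse_profile(SAMPLE_PROFILE)) returns four findings for the constructed profile; a profile that follows the table returns an empty list.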
4.3 Generate the Server Certificate
1. Call transaction STRUST.
2. Select SSL server Standard and right-click to display the context menu. Then select Create, or Replace if the PSE already exists.
3. Edit the certificate attributes.
Important
The name must match the client's synchronization host name. You can leave the default value (*.<domain>) here, and the trust manager automatically switches to the right name.
Note
Your CA may require additional attributes, for example State or Province (S) and Locality or City (L). Contact your Certification Authority for the requirements. If this is the case, enter those attributes in the CA field.
4. Press <Enter>.
You have created the server certificate.
5. Expand the SSL server Standard node and double click on the server certificate you just created.
6. Double click on the certificate and press
.
7. Save it to a file by pressing
.
8. Send this request to your Certification Authority.
9. Once you receive the response, press
.
10. Copy and paste the response, or import it from a local file.
Note
If the response is not in PKCS#7 certificate chain format and your Certification Authority uses intermediate certificates, the certificates must be combined before importing to the server:
-----BEGIN CERTIFICATE-----
<contents of the re-issued certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<contents of the certificate of the intermediate CA>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<contents of the certificate of the root CA>
-----END CERTIFICATE-----
11. Press <Enter>.
12. The certificate response is imported successfully.
4.4 Export the Server Certificate
1. Call transaction STRUST.
2. Expand SSL server Standard and double click the certificate.
3. Double-click the Owner in the SSL server Standard - Own Certificate section. The certificate information is shown in the Certificate section.
4. Press
in the Certificate section.
5. Enter the file path for the certificate, using <System ID>.cer as the file name, and press <Enter>.
4.5 Import the Certificate to the Client
1. Open the command prompt on your PC.
2. Go to <SAP NetWeaver Mobile client installed directory>\settings.
Note
For the non-laptop client, copy the truststore file located under <SAP NetWeaver Mobile client installed directory>\settings to your PC and work on this copy. Once you are done, put it back in the original location.
3. Execute the following command.
<JAVA_HOME>\bin\keytool -import -alias <certificate file name> -file <full path of certificate file> -keystore truststore -storepass access
Example
System ID is MI1
Certificate file was saved as "C:\TEMP\MI1.cer"
"C:\Program Files\Java\jdk1.5.0_12\bin\keytool" -import -alias MI1.cer -file C:\TEMP\MI1.cer -keystore truststore -storepass access
4. Enter yes for the prompt "Trust this certificate? [no]".
5. The message "Certificate was added to keystore" appears.
6. Restart SAP NetWeaver Mobile client.
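Before answering yes at the "Trust this certificate?" prompt in step 4, the fingerprint that keytool prints can be compared with one computed from the file exported in section 4.4. The following is an added example, not part of the original guide; the function names and sample bytes are constructed, and it assumes the .cer file is either binary DER or Base64 (PEM).

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for certificate bytes (not a real certificate); the
# fingerprint is a hash over the DER encoding, so any byte string shows the logic.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

def to_der(data):
    """Return DER bytes whether the file was saved as Base64 (PEM) or binary."""
    match = PEM_RE.search(data)
    if match:
        # Drop line breaks inside the Base64 body before decoding.
        return base64.b64decode(b"".join(match.group(1).split()))
    return data

def fingerprint(data, algorithm="sha1"):
    """Colon-separated upper-case hex digest, the layout keytool prints.

    SHA-1 is the default only because it is what JDK 1.5 keytool displays;
    pass "sha256" when the keytool in use shows a SHA-256 fingerprint.
    """
    digest = hashlib.new(algorithm, to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def same_certificate(exported, shown_by_keytool, algorithm="sha1"):
    """True if the exported file matches the fingerprint read off the prompt."""
    def normalise(text):
        return re.sub(r"[^0-9A-F]", "", text.upper())
    return normalise(fingerprint(exported, algorithm)) == normalise(shown_by_keytool)
```

Read the exported file with open(path, "rb").read() and pass the bytes to fingerprint(); a mismatch with the value at the prompt means the file being imported is not the one exported from STRUST.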
5. Appendix
Appendix A - Troubleshooting
www.sdn.sap.com/irj/sdn/howtoguides
