In the above example, Alice (1) initiates a communication with Bob and requests some data about customers from him. Bob gathers the requested data and responds to Alice's request. The entire exchange is eavesdropped on by Mallory, who now knows the discussed information.
Transferred to the TCP/IP world this means: Alice, which is for example a web browser, requests some data via an HTTP request carried over the TCP/IP protocol. The server (here represented by Bob) responds and transfers sensitive customer data from the server to the client via the TCP/IP protocol. Mallory, an attacker, is on the same network and is therefore able to eavesdrop on that TCP/IP communication.
The solution for securing that communication is encryption of the transferred data, meaning the conversation is made unintelligible to the attacker but understandable to exactly the participants involved in that conversation.
Process:
1. The client (browser) contacts the SAP NetWeaver Application Server Java.
2. The Application Server responds and sends its Public Key.
3. On the client side a Secret Key is created and encrypted with the Public Key the server sent before.
4. The client sends back the encrypted Secret Key.
5. On the server the Secret Key is decrypted using the Private Key. Only the server can decrypt the received Secret Key because it holds the Private Key, which is necessary for the decryption.
6. The communication partners perform a Handshake.
1. Alice contacts the SAP NetWeaver Application Server Java using a browser.
2. The Application Server responds and sends its Public Key with a digitally signed message. On the client side the server's identity is verified by checking the validity of the certificate. The certificate is only accepted if the client trusts the CA that issued that certificate to the SAP NetWeaver AS Java. This is done with the CA root certificate.
3. The Secret Key is created and encrypted with the Public Key the server sent before.
4. The client sends back the encrypted Secret Key.
5. On the server the Secret Key is decrypted using the Private Key. Only the server can decrypt the received Secret Key because it holds the Private Key, which is necessary for the decryption.
6. The communication partners perform a Handshake.
7. Further communication between the client and the server is encrypted using the Secret Key.
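The exchange described above, as an added Go example that is not part of the original document or of SAP's software: a hypothetical test CA issues the server's certificate, the client accepts that certificate only if it chains to the CA root certificate it trusts, then wraps a fresh Secret Key with the server's Public Key, which only the holder of the Private Key can unwrap. The function names and the host name as-java.example are assumptions, and the certificates are generated in memory rather than held in a PSE.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent; with parent == nil it is self-signed,
// which is how a CA root certificate is produced (hypothetical test CA, errors ignored for brevity).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// clientAccepts is the client-side check: the server certificate is accepted only if it is
// valid for host and chains to the CA root certificate the client trusts.
func clientAccepts(serverCert, trustedRoot *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// clientEncryptSecret creates a fresh Secret Key and encrypts it with the server's Public Key.
func clientEncryptSecret(serverPub *rsa.PublicKey) (secret, encrypted []byte) {
	secret = make([]byte, 32)
	rand.Read(secret)
	encrypted, _ = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, secret, nil)
	return secret, encrypted
}

// serverDecryptSecret recovers the Secret Key; only the matching Private Key succeeds.
func serverDecryptSecret(priv *rsa.PrivateKey, encrypted []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, encrypted, nil)
}
```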
Windows: $(DIR_EXECUTABLE)\sapcrypto.dll
Trust Manager Parameters (columns: Profile Parameter, Value, Examples)

ssl/ssl_lib
  Value: Path and file name of the SAP Cryptographic Library
  Examples: UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
            Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll

sec/libsapsecu
  Value: Path and file name of the SAP Cryptographic Library
  Examples: UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
            Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll

ssf/ssfapi_lib
  Value: Path and file name of the SAP Cryptographic Library
  Examples: UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
            Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll

ssf/name
  Value: SAPSECULIB
  Example: SAPSECULIB
ICM Parameters (columns: Profile Parameter, Value, Examples)

icm/server_port_<xx>
  Value: PROT=HTTPS, PORT=<port>, TIMEOUT=<timeout_in_seconds>
  Example: PROT=HTTPS, PORT=1443, TIMEOUT=900

icm/HTTPS/verify_client
  Value: 0: Do not use certificates
         1: Allow certificates (default)
         2: Require certificates

[profile parameter name not present in the extracted text]
  Example: PREFIX=/, CONN=010, PORT=50000, SPORT=50003, SSLENC=1, TYPE=2, CRED=SAPSSLC.pse
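An added Go example, not from the original document or any SAP tool, that checks an instance-profile excerpt against the ICM parameters in the table above: it parses the PROT=, PORT= and TIMEOUT= sub-parameters of icm/server_port_<xx>, reports when no HTTPS port is configured or its port number is invalid, and rejects icm/HTTPS/verify_client values other than 0, 1 or 2. The function names and the sampleProfile excerpt are constructed for this example.

```go
package main

import (
	"strconv"
	"strings"
)

// kv splits "name = value" or "KEY=value" at the first '=' and trims both halves.
func kv(s string) (string, string, bool) {
	k, v, ok := strings.Cut(s, "=")
	return strings.TrimSpace(k), strings.TrimSpace(v), ok
}

// parseSubparams splits "PROT=HTTPS, PORT=1443, TIMEOUT=900" into upper-cased KEY -> value.
func parseSubparams(v string) map[string]string {
	sub := map[string]string{}
	for _, part := range strings.Split(v, ",") {
		if k, val, ok := kv(part); ok {
			sub[strings.ToUpper(k)] = val
		}
	}
	return sub
}

// auditICM reads profile lines ("name = value", '#' comments ignored) and returns one finding per deviation from the ICM parameter table.
func auditICM(profile string) (findings []string) {
	httpsPorts := 0
	for _, line := range strings.Split(profile, "\n") {
		name, val, ok := kv(line)
		if !ok || strings.HasPrefix(name, "#") {
			continue
		}
		switch sub := parseSubparams(val); {
		case strings.HasPrefix(name, "icm/server_port_") && sub["PROT"] == "HTTPS":
			httpsPorts++
			if port, err := strconv.Atoi(sub["PORT"]); err != nil || port < 1 || port > 65535 {
				findings = append(findings, name+": PORT must be a valid TCP port")
			}
		case name == "icm/HTTPS/verify_client" && val != "0" && val != "1" && val != "2":
			findings = append(findings, "icm/HTTPS/verify_client: must be 0, 1 or 2")
		}
	}
	if httpsPorts == 0 {
		findings = append(findings, "no icm/server_port_<xx> with PROT=HTTPS: SSL is not enabled on the ICM")
	}
	return findings
}

// Constructed profile excerpt (not from a real system): one HTTP and one HTTPS port, client certificates allowed but not required.
const sampleProfile = `icm/server_port_0 = PROT=HTTP, PORT=8000
icm/server_port_1 = PROT=HTTPS, PORT=1443, TIMEOUT=900
icm/HTTPS/verify_client = 1`
```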
2. Now you should be able to see the instance in GREEN as shown below.
II.
III.
1. Go to Transaction STRUST
2.
3.
Insert the contents of the certificate request response into the dialog's
text box (using (Paste)) or select the response from the file system by
using (Load local file).
The signed public-key certificate is imported into the server's SSL server
PSE, which is displayed in the PSE maintenance section. You can view the
certificate by selecting it with a double-click. The certificate information is
then shown in the certificate maintenance section.
4.
IV.
Note* : If users (or other clients) are to be authenticated on the AS ABAP using
client certificates, then you must maintain the server's certificate list, which is
contained in the server's SSL server PSE. The application server uses this list to
determine which CAs the server trusts. Only clients that present client certificates
issued by these CAs can be authenticated based on their certificates.
Choose Enter.
The certificate appears in the certificate maintenance section.
Choose (Add to Certificate List).
The certificate is added to the certificate list for the PSE displayed in
the PSE maintenance section.
Save the data.
3. Importing the CA's Root Certificate from a Different PSE
If the CA's public-key certificate is located in a different PSE:
Expand the node for the PSE that contains the certificate and select one
of the application servers with a double-click.
The PSE and its certificate list appear in the PSE maintenance section.
Select the certificate with a double-click.
The certificate appears in the certificate maintenance section.
V.
VI.
1. Create the anonymous SSL client PSE in the same way you created the SSL
server PSE. Take into account that the Distinguished Name is automatically set
to CN=anonymous by the system and cannot be changed.
For more information, see Creating the SSL Server PSE.
2. Maintain the PSE's certificate list (see step IV, Maintaining the SSL Server PSE's Certificate List).
Import the root certificates from the CAs that have issued the public-key
certificates to the Web servers that the AS ABAP accesses using the anonymous
SSL client PSE.
VII.
Example: if you enter the value CHECK, then the user must have the following authorization to be able to use the HTTP destination: S_ICF-ICF_FIELD = 'DEST' and S_ICF-ICF_VALUE = 'CHECK'.
VIII.
1.
3.
IX.
Reference:
SAP Note 510007.
https://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/content.htm?frameset=/en/49/26b01739242583e10000000a421937/frameset.htm&current_toc=/en/cd/a3937849b043509786c5b42171e5d3/plain.htm&node_id=10&show_children=false