
Enabling SSL and Client Certificates on the SAP J2EE Engine

Angel Dichev
RIG, SAP Labs


Learning Objectives

As a result of this session, you will be able to:

- Understand the different SAP J2EE Engine SSL scenarios
- Use the Key Storage and the SSL Provider Services
- Configure SAP J2EE Engine for using SSL
- Configure the use of client certificates for authentication

SAP AG 2005, Enabling SSL on the SAP J2EE Engine


Agenda

- SAP J2EE Engine SSL Scenarios
- Key Storage and SSL Provider Services
- Enabling SSL on SAP J2EE Engine
- Client Certificates for Authentication


SSL Transport Layer Scenarios

Diagram (rendered as text): three deployments, in each of which the SAP Java Cryptographic Toolkit is installed on the SAP J2EE Engine.

- SAP J2EE Engine as server: Web component (browser) --HTTPS (SSL)--> SAP J2EE Engine
- SAP J2EE Engine as client: SAP J2EE Engine --HTTPS (SSL)--> Web server
- Using an intermediary proxy: Web component (browser) --HTTPS (SSL)--> Web proxy server --HTTPS (SSL)--> SAP J2EE Engine

In the proxy scenario the two HTTPS hops are separate SSL sessions. The proxy, not the engine, is the peer that sees the browser's client certificate, so client-certificate authentication on the engine only works if the proxy is configured to pass that certificate on to the engine.




SAP J2EE Security Services Overview

Diagram (rendered as text): the security-related services of the SAP J2EE Engine

- Security Provider Service
- Secure Storage Service
- User Storage Service
- SAML Authentication Service
- Virus Scan Provider
- Key Storage Service
- SSL Provider Service

This session uses the last two: the Key Storage Service and the SSL Provider Service.


Key Storage Service

- Manages the certificates and credentials used by the SAP J2EE Engine
- Generates the keys and certificates needed for encryption, identification, and verification
- Compatible with the Java Cryptography Architecture (JCA)
- Keystore entries are stored in the engine's distributed database, with specific access rights on each keystore view; the confidentiality of the private keys therefore depends on those rights and on who can access the database itself


Key Storage Service

Public-key certificates are stored in a keystore entry in the Key Storage Service.

You need to configure the Key Storage Service if you want to:

- establish an SSL connection
- authenticate users via an X.509 client certificate
- use logon tickets for Single Sign-On


SSL Provider Service

- Uses the certificates created with the Key Storage Service
- Maps SSL sockets and entry points to certain credentials
- Manages the credentials and trusted certificates used for SSL




Configuring the SAP J2EE Engine to use SSL

Prerequisites for SSL configuration:

- download and deploy the SAP Java Cryptographic Toolkit
- download and apply the Java Unlimited Strength Jurisdiction Policy Files

Steps for configuring SSL:

1. Change the startup mode of the SSL Provider Service so that the service is running.
2. Create the server's public/private key pair.
3. Generate a Certificate Signing Request (CSR); have the CSR signed by a Certification Authority (CA); import the signed certificate.
4. Bind the key pair to a specific SSL port.


Prerequisite SAP Cryptographic Toolkit 1/3

Restrictions from SAP

- The distribution of SAP cryptographic software is controlled by German export regulations.
- Therefore SAP delivers by default only the cryptographic functions needed for digital signatures.
- For using SSL, the SAP Java Cryptographic Toolkit must be installed. It can be downloaded from the Service Marketplace if the customer meets certain legal requirements.


Prerequisite SAP Cryptographic Toolkit 2/3



Prerequisite SAP Cryptographic Toolkit 3/3



Prerequisite Java Cryptography Extension (JCE) 1/2

Restrictions from SUN

- The Java Cryptography Extension (JCE) is a set of packages that provide a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. The JCE Unlimited Strength Jurisdiction Policy Files are a separate download that replaces the default policy files, which restrict the key lengths the JCE may use.
- JCE was previously an optional package (extension) to the Java 2 SDK, Standard Edition (Java 2 SDK), versions 1.2.x and 1.3.x. JCE has been integrated into the Java 2 SDK, v 1.4.
- Starting from J2SE 1.4 it is therefore also necessary to install the JCE Unlimited Strength Jurisdiction Policy Files from Sun in order to use the strong cryptographic functions (longer keys) necessary for SSL.


Prerequisite Java Cryptography Extension (JCE) 2/2



1. Change startup-mode for SSL Provider Service 1/2

Use the Config Tool to change the startup mode of the SSL Provider Service so that the service is started; the change takes effect after a restart of the engine.


1. SSL Provider Service in running mode 2/2

After the restart, verify that the SSL Provider Service is shown as running before continuing with the key pair.


2. Creation of a Server's Public-Private Key Pair 1/2

The key pair is generated in the Key Storage Service. The private key stays in the keystore; only the CSR (public key plus subject name) leaves the engine in the next step.


2. Creation of a Server's Public-Private Key Pair 2/2


3. Generate, Sign, Import CSR

Importing the signed certificate replaces the self-signed certificate in the key pair entry. The signing CA (and any intermediate CA) must be trusted by the browsers and systems that will connect, otherwise they will warn about the server certificate.


3. View after Import of the Certificate


4. Bind the key pair to specific SSL Port 1/2

The binding is done in the SSL Provider Service, which maps the SSL socket (port) to the credentials stored in the keystore.


4. Bind the key pair to specific SSL Port 2/2


Add or Remove Cipher Suites (optional)

In the SSL Provider Service you can select which cipher suites the SSL socket offers. Remove suites that give no confidentiality or only weak confidentiality (NULL encryption, EXPORT-grade 40/56-bit keys, anonymous key exchange without server authentication) so that a client can never negotiate them.
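As an added example (not from the SAP slides and not the engine's own code), here is the selection rule behind that advice applied to a constructed list of JSSE-style suite names like those the SSL Provider Service lists. The sample list, the marker strings and the preference order are assumptions for illustration, not the engine's real defaults.

```python
"""Filter and order an SSL cipher-suite list. Added example, not SAP code."""

# Name fragments that identify suites to remove (JSSE-style suite names).
WEAK_MARKERS = (
    "_NULL_",      # no encryption at all
    "_EXPORT",     # 40/56-bit export-grade keys
    "_anon_",      # anonymous key exchange: no server authentication, trivial MITM
    "_RC4_",       # RC4 stream cipher with known keystream biases
    "_DES_CBC_",   # single DES (56-bit); deliberately does not match 3DES_EDE_CBC
    "_MD5",        # MD5-based MAC
)


def _rank(suite):
    """Sort key: forward-secret key exchange first, then stronger ciphers."""
    kex = 0 if ("_ECDHE_" in suite or "_DHE_" in suite) else 1
    if "_AES_256_" in suite:
        cipher = 0
    elif "_AES_128_" in suite:
        cipher = 1
    elif "_3DES_EDE_" in suite:
        cipher = 2
    else:
        cipher = 3
    return (kex, cipher, suite)


def harden_cipher_suites(suites):
    """Split a suite list into (keep, drop); keep is ordered strongest-first."""
    keep, drop = [], []
    for suite in suites:
        (drop if any(marker in suite for marker in WEAK_MARKERS) else keep).append(suite)
    keep.sort(key=_rank)
    return keep, drop


# Constructed sample list in the JSSE naming style (assumed, not the engine's actual list).
SAMPLE_SUITES = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_NULL_SHA",
]

if __name__ == "__main__":
    keep, drop = harden_cipher_suites(SAMPLE_SUITES)
    print("keep (in this order):", *keep, sep="\n  ")
    print("drop:", *drop, sep="\n  ")
```

Run the script against the list the SSL Provider Service shows for your socket and apply the "drop" set in the service; the "keep" order is also the order in which you would prefer the engine to offer the remaining suites.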


Testing the SSL Connection

Test the SSL connection with https://<servername>:<SSL port>. The browser should show the server certificate without warnings; if it warns, check that the subject of the imported certificate matches <servername> and that the issuing CA is trusted by the browser.
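An added example (not from the SAP slides) of doing that test from a script instead of a browser: it performs a full handshake against the SSL port, validates the server chain against the CA certificate from step 3, and reports the names, issuer, remaining validity, protocol and cipher the engine presents. The helper functions mirror the checks a browser makes and are exercised here against a constructed certificate dictionary in the shape Python's `getpeercert()` returns; the host names, CA name and file names are assumptions. With the optional client certificate arguments the same probe covers the client-authentication scenario later in this session.

```python
"""Probe an SSL port of the SAP J2EE Engine and report what the server
presents. Added example, not SAP code; Python standard library only."""
import socket
import ssl
import sys
import time


def cert_names(cert):
    """DNS names a getpeercert()-style dict is valid for: subjectAltName DNS
    entries, else the subject commonName (the fallback browsers used in 2005)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def hostname_matches(cert, hostname):
    """True if hostname is covered by one of the certificate's names. A wildcard
    matches exactly one label: *.example.com covers a.example.com but neither
    a.b.example.com nor example.com."""
    host = hostname.lower()
    for name in cert_names(cert):
        name = name.lower()
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter (negative once the certificate has expired)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def summarize(cert, hostname, now=None):
    issuer = dict(kv for rdn in cert.get("issuer", ()) for kv in rdn)
    return {
        "names": cert_names(cert),
        "hostname_ok": hostname_matches(cert, hostname),
        "days_left": days_until_expiry(cert, now),
        "issuer": issuer.get("commonName"),
    }


def probe(host, port, cafile, client_cert=None, client_key=None):
    """Handshake with chain validation against cafile (the CA that signed the
    server certificate) and the stdlib hostname check; optionally presents a
    client certificate for the client-authentication scenario."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname on
    ctx.load_verify_locations(cafile=cafile)
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            report = summarize(tls.getpeercert(), host)
            report["protocol"] = tls.version()
            report["cipher"] = tls.cipher()[0]
            return report


# Constructed dict in the shape ssl.SSLSocket.getpeercert() returns (names assumed).
SAMPLE_CERT = {
    "subject": ((("countryName", "DE"),), (("organizationName", "Example AG"),),
                (("commonName", "j2ee.example.com"),)),
    "issuer": ((("countryName", "DE"),), (("organizationName", "Example AG"),),
               (("commonName", "Example Corporate CA"),)),
    "subjectAltName": (("DNS", "j2ee.example.com"), ("DNS", "*.portal.example.com")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Dec 31 23:59:59 2029 GMT",
}

if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("usage: probe_ssl.py <servername> <SSL port> <ca.pem> [client.pem client-key.pem]")
        sys.exit(2)
    args = sys.argv[1:]
    print(probe(args[0], int(args[1]), args[2], *args[3:5]))
```

If the handshake fails with a protocol or cipher error rather than a certificate error, remember that an engine of this generation may only offer SSLv3/TLS 1.0 and older cipher suites, which a current OpenSSL build refuses by default; that is a finding about the server, not about the certificate.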




Configuring the Use of Client Certificates

Prerequisite

- The SAP J2EE Engine is enabled for SSL

Steps for configuring the use of client certificates

1. Set the UME property ume.logon.allow_cert to true.
2. Create the client key pair and certificate; generate, sign, and import the CSR.
3. Specify whether a client certificate is requested on the specific SSL socket (managing client authentication).
4. Map the client certificate to a UME user.
5. Adjust the login module stacks of the applications that will accept client certificates.
6. Export the generated private key to a password-protected file.
7. Import the private key into the browser's personal certificates.


1. ume.logon.allow_cert = true

Set the UME property ume.logon.allow_cert to true



2. Create client key pair and certificate; handle CSR

Create the client certificate and key pair under the TrustedCAs view, with "Store Certificate" checked.


3. Managing Client Authentication 1/2


3. Managing Client Authentication 2/2

Options for the SSL socket:

Do not request client certificate
    The system does not require the client to give a certificate during the handshake, although the client can provide it.

Request client certificate
    The server requests a certificate but the certificate is not required. If the client has a certificate it is sent with the request; otherwise, the system reverts to Basic Authentication. The server only accepts certificates that have been issued by a trusted CA.

Require client certificate
    The server requests a certificate and the client must send one. Also, the certificate that the client sends must have been issued by a trusted CA.


4. Map Client Certificate to UME user 1/2


4. Map Client Certificate to UME user 2/2
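The UME assignment in this step ties a user to a certificate; the property worth understanding is that the assignment must identify the certificate by issuer and subject together, not by a common name alone. The following added example (my illustration, not the UME's implementation and not code from the slides) models that lookup over two constructed certificate dictionaries in the shape Python's `getpeercert()` returns: one issued by the trusted corporate CA, one with the identical subject issued by another CA. The CA names, user IDs and DNs are assumptions.

```python
"""Look up the user for a presented client certificate. Added example that
illustrates the mapping rule; it is not the UME's own implementation."""

# X.509 attribute names as getpeercert() spells them, mapped to LDAP short forms.
SHORT = {
    "countryName": "C",
    "organizationName": "O",
    "organizationalUnitName": "OU",
    "commonName": "CN",
    "emailAddress": "EMAIL",
}


def dn_string(rdns):
    """Canonical LDAP-style DN from a getpeercert()-style RDN sequence:
    most-specific RDN first, short attribute names, surrounding whitespace removed."""
    parts = ["+".join("%s=%s" % (SHORT.get(k, k), v.strip()) for k, v in rdn) for rdn in rdns]
    return ",".join(reversed(parts))


class CertificateUserMapping:
    """Assign users to certificates keyed by (issuer DN, subject DN)."""

    def __init__(self, trusted_issuers):
        self.trusted_issuers = set(trusted_issuers)
        self._by_identity = {}

    def assign(self, issuer_dn, subject_dn, user_id):
        self._by_identity[(issuer_dn, subject_dn)] = user_id

    def user_for(self, cert):
        issuer = dn_string(cert["issuer"])
        subject = dn_string(cert["subject"])
        if issuer not in self.trusted_issuers:
            return None   # a certificate from an untrusted CA is never mapped, whatever its subject
        return self._by_identity.get((issuer, subject))


def user_for_by_cn_only(cert, cn_to_user):
    """Weak variant for contrast: keys on the commonName alone, so any CA that
    issues a certificate with the same CN obtains the same user."""
    cn = dict(kv for rdn in cert["subject"] for kv in rdn).get("commonName")
    return cn_to_user.get(cn)


# Constructed certificates (assumed names), both with subject CN=jdoe.
_SUBJECT = ((("countryName", "DE"),), (("organizationName", "Example AG"),),
            (("organizationalUnitName", "IT"),), (("commonName", "jdoe"),))
JDOE_CERT = {
    "subject": _SUBJECT,
    "issuer": ((("countryName", "DE"),), (("organizationName", "Example AG"),),
               (("commonName", "Example Corporate CA"),)),
}
ROGUE_CERT = {
    "subject": _SUBJECT,
    "issuer": ((("countryName", "XX"),), (("organizationName", "Some Other CA Ltd"),),
               (("commonName", "Some Other CA"),)),
}
TRUSTED_CA_DN = "CN=Example Corporate CA,O=Example AG,C=DE"


def build_sample_mapping():
    mapping = CertificateUserMapping([TRUSTED_CA_DN])
    mapping.assign(TRUSTED_CA_DN, dn_string(JDOE_CERT["subject"]), "jdoe")
    return mapping


if __name__ == "__main__":
    mapping = build_sample_mapping()
    print("trusted CA cert  ->", mapping.user_for(JDOE_CERT))     # jdoe
    print("other CA cert    ->", mapping.user_for(ROGUE_CERT))    # None
    print("CN-only lookup   ->", user_for_by_cn_only(ROGUE_CERT, {"jdoe": "jdoe"}))  # jdoe (collision)
```

The same rule is why the "trusted CA" restriction in the previous step matters: the engine should only ever hand a certificate to the mapping after the issuer has been checked, and the mapping should still key on the issuer so that a second trusted CA cannot mint a colliding subject.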


5. Adjust the applications' login module stacks 1/3


5. Adjust the applications' login module stacks 2/3


5. Adjust the applications' login module stacks 3/3


6. Export of the generated Private Key to file

Export the client key pair from the Key Storage Service to a password-protected file (PKCS#12, the format browsers import). The file contains the private key: hand it to the user over a secure channel and delete the copy once it has been imported.


7. Import private key into browser 1/2


7. Import private key into browser 2/2 (optional)

If provided, install the CA's public certificate under the browser's Trusted Root Certification Authorities store so that the browser also trusts the server certificate issued by that CA.


Objectives

You should now be able to:

- Understand the different SAP J2EE Engine SSL scenarios
- Use the Key Storage and the SSL Provider Services
- Configure SAP J2EE Engine for using SSL
- Configure the use of client certificates for authentication


Information sources

http://service.sap.com/security
http://sdn.sap.corp -> Web AS -> Security
