2/22/2020 How to Enable SSL on NetWeaver Application Server

How to Enable SSL on NetWeaver Application Server

1. Install Client Certificates
1) Open the website you want to connect to (e.g. github.com) in your browser

2) Export all client certificates in the chain with your browser

3) Go to transaction STRUST

4) Double-click the node SSL Client (Anonymous)

5) Import the certificate exported in step 2)

6) Add to Certificate List

7) Repeat until all certificates are added

8) Save

2. Test SSL Connection


1) Create a new ABAP program ZABAPGIT_TEST_SSL and copy the source code from here

2) Run the program and try to connect

3) If you see "Success, it works", you're good.

If you see an error like the one below, see the next section.

SSL handshake with github.com:443 failed: SSSLERR_SSL_READ (-58)


SAPCRYPTO:SSL_read() failed
SapSSLSessionStartNB()==SSSLERR_SSL_READ
SSL:SSL_read() failed (536875120/0x20001070)
=> "received a fatal TLS1.0 protocol version alert message from the peer"
SSL:SSL_get_state()==0x2120 "TLS read server hello A"
SSL NI-hdl 99: local=10.0.0.59:15728 peer=192.30.253.113:443
cli SSL session PSE "/usr/sap/NPL/D00/sec/SAPSSLA.pse"

session ciphersuites=HIGH:MEDIUM:+e3DES:!aNULL
Client SSL_CTX 7f26940019d0 pvflags=128 (TLSv1.0)
Target Hostname="github.com"
>> SecuSSL ErrStack:
0x20001070 SAPCRYPTOLIB SSL_read
SSL API error
received a fatal TLS1.0 protocol version alert message from the peer
0xa0600278 SSL ssl3_read_bytes
received a fatal TLS1.0 protocol version alert message from the peer
0xa0600278 SSL ssl3_connect
received a fatal TLS1.0 protocol version alert message from the peer
0xa0600278 SSL ssl3_read_bytes
received a fatal TLS1.0 protocol version alert message from the peer
<<
Also check the trace in transaction SMICM -> Goto -> Trace File -> Display End.

3. Check Trace File


1) Go to transaction SMICM

2) Go to menu Goto -> Trace File -> Display End

3) If you see a message complaining about the TLS version, proceed to the next section

[Thr 139804692911872] Target Hostname="github.com"


[Thr 139804692911872] SSL NI-hdl 99: local=10.0.0.59:15728 peer=192.30.253.113:443
[Thr 139804692911872] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=7f2694001670)==SSSLERR_SSL_READ
[Thr 139804692911872] *** ERROR => SSL handshake with github.com:443 failed: SSSLERR_SSL_READ (-58)
[Thr 139804692911872] SAPCRYPTO:SSL_read() failed
[Thr 139804692911872]
[Thr 139804692911872] SapSSLSessionStartNB()==SSSLERR_SSL_READ
[Thr 139804692911872] SSL:SSL_read() failed (536875120/0x20001070)
[Thr 139804692911872] => "received a fatal TLS1.0 protocol version alert message from the peer"
[Thr 139804692911872] SSL:SSL_get_state()==0x2120 "TLS read server hello A"
[Thr 139804692911872] SSL NI-hdl 99: local=10.0.0.59:15728 peer=192.30.253.113:443
[Thr 139804692911872] cli SSL session PSE "/usr/sap/NPL/D00/sec/SAPSSLA.pse"
[Thr 139804692911872] session ciphersuites=HIGH:MEDIUM:+e3DES:!aNULL
[Thr 139804692911872] Client SSL_CTX 7f26940019d0 pvflags=128 (TLSv1.0)
[Thr 139804692911872] Target Hostname="github.com"
[Thr 139804692911872] >> SecuSSL ErrStack:
[Thr 139804692911872] 0x20001070 SAPCRYPTOLIB SSL_read
[Thr 139804692911872] SSL API error
[Thr 139804692911872] received a fatal TLS1.0 protocol version alert message from the peer
[Thr 139804692911872] 0xa0600278 SSL ssl3_read_bytes
[Thr 139804692911872] received a fatal TLS1.0 protocol version alert message from the peer
[Thr 139804692911872] 0xa0600278 SSL ssl3_connect


[Thr 139804692911872] received a fatal TLS1.0 protocol version alert message from the peer
[Thr 139804692911872] 0xa0600278 SSL ssl3_read_bytes
[Thr 139804692911872] received a fatal TLS1.0 protocol version alert message from the peer
[Thr 139804692911872] <<
[Thr 139804692911872]
[Thr 139804692911872] {00000109} {root-id=000D3A282AC01EE899FB2148C2A4B9FE} [icxxconn.c 2423]
[Thr 139804692911872] GUI T12_U2540_M0, 001, DEVELOPER, CX360WINSG, time=09:24:28, W1, program=ZABAPGIT_TEST_SSL, high priority, memory=0, tasks=1, appl info=, tcode=SADT_START
[Thr 139804692911872] role: Client, protocol: HTTPS, local: 10.0.0.59:15728, peer: 192.30.253.113:443

4. Enable TLS v1.2


1) Go to transaction RZ10

2) Open DEFAULT profile, select Extended maintenance and click Change

3) Add these two parameters:

Over the course of the year 2016, a growing number of TLS servers were reconfigured to abort/reject
TLSv1.0 handshakes, or they are requiring forward secrecy (PFS) cipher suites for access. The
currently recommended settings for TLSv1.2 interoperability are (requiring at least CommonCryptoLib
8.4.38, recommending at least 8.4.49):

ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH

For a SAP Solution Manager System 7.[012], please use the following value for
ssl/client_ciphersuites instead:

ssl/client_ciphersuites = 918:PFS:HIGH::EC_P256:EC_HIGH

Source: SAP Note 510007

4) Click Copy and Save (there might be a warning; proceed with saving anyway)


5) Restart the server


$ su -l npladm
$ stopsap
$ startsap
$ sapcontrol -nr 00 -function GetProcessList

6) Go back to SMICM and view the trace file again. If you see the two new parameters, they are configured properly.

[Thr 139810885523200] =================================================


[Thr 139810885523200] = SSL Initialization platform tag=(linuxx86_64_gcc43)
[Thr 139810885523200] = (753_REL,Aug 18 2017,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)
[Thr 139810885523200] = resulting Filename = "/usr/sap/NPL/D00/exe/libsapcrypto.so"
[Thr 139810885523200] = disabled FIPS 140-2 crypto kernel
[Thr 139810885523200] = found CommonCryptoLib 8.5.14 (Jul 27 2017) [AES-NI,CLMUL,SSE3,SSSE3]
[Thr 139810885523200] = current UserID: "npladm", env-var USER="npladm"
[Thr 139810885523200] = found SECUDIR environment variable
[Thr 139810885523200] = using SECUDIR=/usr/sap/NPL/D00/sec
[Thr 139810885523200] = [dpf] ssl/ciphersuites=135:PFS:HIGH::EC_P256:EC_HIGH
[Thr 139810885523200] = NOT creating Envvar SAPSSL_CIPHERSUITES=135:PFS:HIGH::EC_P256:EC_HIGH
[Thr 139810885523200] = [dpf] ssl/client_ciphersuites=150:PFS:HIGH::EC_P256:EC_HIGH
[Thr 139810885523200] = NOT creating Envvar SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
[Thr 139810885523200] = Success SapCryptoLib SSL ready!
[Thr 139810885523200] =================================================

7) Test the SSL connection again; it should work now
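As an added check (example code, not part of the original page or of SAP's own tooling), the following Python script scans an ICM trace excerpt, such as the one read in section 3 or in step 6 above, for the TLS1.0 protocol version alert, for the two ssl/*ciphersuites profile parameters and for the CommonCryptoLib version against the values quoted from SAP Note 510007. The sample trace lines are constructed from the excerpts on this page.

```python
import re

# Constructed sample lines modelled on the ICM trace excerpts on this page:
# before the change (handshake failure) and after the restart (SSL init block).
TRACE_BEFORE = """\
[Thr 139804692911872] *** ERROR => SSL handshake with github.com:443 failed: SSSLERR_SSL_READ (-58)
[Thr 139804692911872] => "received a fatal TLS1.0 protocol version alert message from the peer"
[Thr 139804692911872] Client SSL_CTX 7f26940019d0 pvflags=128 (TLSv1.0)
"""
TRACE_AFTER = """\
[Thr 139810885523200] = found CommonCryptoLib 8.5.14 (Jul 27 2017) [AES-NI,CLMUL,SSE3,SSSE3]
[Thr 139810885523200] = [dpf] ssl/ciphersuites=135:PFS:HIGH::EC_P256:EC_HIGH
[Thr 139810885523200] = [dpf] ssl/client_ciphersuites=150:PFS:HIGH::EC_P256:EC_HIGH
[Thr 139810885523200] = Success SapCryptoLib SSL ready!
"""

# Recommended parameter values and minimum CommonCryptoLib version, as quoted
# from SAP Note 510007 in section 4 above.
EXPECTED = {
    "ssl/ciphersuites": "135:PFS:HIGH::EC_P256:EC_HIGH",
    "ssl/client_ciphersuites": "150:PFS:HIGH::EC_P256:EC_HIGH",
}
MIN_CCL = (8, 4, 38)

FAIL_RE = re.compile(r"SSL handshake with (\S+) failed: (\w+)")
ALERT_RE = re.compile(r"received a fatal (\S+) protocol version alert")
PARAM_RE = re.compile(r"\[dpf\] (ssl/(?:client_)?ciphersuites)=(\S+)")
CCL_RE = re.compile(r"found CommonCryptoLib (\d+)\.(\d+)\.(\d+)")

def analyze_trace(text):
    """Summarise an ICM trace excerpt and judge whether the TLS 1.2 settings
    described on this page are in effect."""
    failures = FAIL_RE.findall(text)            # [(host:port, SSSLERR_*)]
    alerts = ALERT_RE.findall(text)             # ["TLS1.0", ...]
    params = dict(PARAM_RE.findall(text))       # [dpf] = value read from the profile
    m = CCL_RE.search(text)
    ccl = tuple(int(g) for g in m.groups()) if m else None
    mismatched = sorted(k for k, v in EXPECTED.items() if params.get(k) != v)
    if alerts and mismatched:
        verdict = "needs_tls12_parameters"      # section 3 symptom; apply section 4
    elif mismatched:
        verdict = "inconclusive"                # no alert seen, but values differ
    elif ccl is not None and ccl < MIN_CCL:
        verdict = "library_too_old"             # values fine, CCL below 8.4.38
    else:
        verdict = "tls12_configured"
    return {"handshake_failures": failures, "protocol_version_alerts": alerts,
            "params": params, "ccl_version": ccl, "mismatched": mismatched,
            "verdict": verdict}
```

Feed it the text of the dev_icm trace displayed via SMICM; a result of "needs_tls12_parameters" reproduces the section 3 diagnosis, and "tls12_configured" confirms step 6.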



References
SAP Note 510007
TLS 1.2 Support in SAP - SCN

Revision #6
Created Tue, May 1, 2018 7:32 AM by Chairat (Par)
Updated Tue, Nov 13, 2018 7:53 AM by Chairat (Par)
