Enabling SSL and Client Certificates on the SAP J2EE Engine Angel Dichev RIG, SAP Labs
Learning Objectives
As a result of this session, you will be able to:
Understand the different SAP J2EE Engine SSL scenarios
Use the Key Storage and the SSL Provider Services
Configure the SAP J2EE Engine for using SSL
Configure the use of client certificates for authentication
SAP J2EE Engine - SSL Scenarios Key Storage and SSL Provider Services Enabling SSL on SAP J2EE Engine Client Certificates for Authentication
SSL Transport Layer Scenarios (diagram)
SAP J2EE Engine as server component: browser to engine over HTTPS (SSL), using the SAP Java Cryptographic Toolkit
SAP J2EE Engine as client component: engine to a web server over HTTPS (SSL), using the SAP Java Cryptographic Toolkit
Using an intermediary proxy server: HTTPS (SSL) to the web proxy, then HTTPS (SSL) from the proxy to the engine, using the SAP Java Cryptographic Toolkit
SAP J2EE Engine SSL Scenarios Key Storage and SSL Provider Services Enabling SSL on SAP J2EE Engine Client Certificates for Authentication
SAP J2EE Security Services Overview (diagram)
Security-related services: Secure Storage Service, Security Provider Service, User Storage Service, SAML Authentication Service, Virus Scan Provider, Key Storage Service, SSL Provider Service
Key Storage Service
Manages the certificates and credentials used by the SAP J2EE Engine
Enables generating the keys and certificates needed for encryption, identification, and verification
Compatible with the Java Cryptography Architecture (JCA)
Keystore entries are stored in a distributed database with particular access rights on it
Key Storage Service
Public-key certificates are stored in a keystore entry in the Key Storage Service
You need to configure the Key Storage Service if you want to:
establish an SSL connection
authenticate users via an X.509 client certificate
use logon tickets for Single Sign-On
SSL Provider Service
Uses the certificates created with the Key Storage Service
Maps SSL sockets and entry points to certain credentials
Manages the credentials and trusted certificates used for SSL
SAP J2EE Engine SSL Scenarios Key Storage and SSL Provider Services Enabling SSL on SAP J2EE Engine Client Certificates for Authentication
Configuring the SAP J2EE Engine to use SSL
Prerequisites for SSL configuration:
download and deploy the SAP Java Cryptographic Toolkit
download and apply the Java Unlimited Strength Jurisdiction Policy Files
Steps for configuring SSL:
1. Change the startup mode of the SSL Provider Service so that the service is in running mode.
2. Create the server's public/private key pair.
3. Generate a Certificate Signing Request (CSR); have the CSR signed by a Certification Authority (CA); import the signed certificate.
4. Bind the key pair to a specific SSL port.
Prerequisite: SAP Cryptographic Toolkit 1/3
Restrictions from SAP: the distribution of SAP cryptographic software is controlled by German export regulations. Therefore SAP by default delivers only the cryptographic functions needed for digital signatures. To use SSL, the SAP Java Cryptographic Toolkit must be installed. It can be downloaded from the Service Marketplace if the customer meets certain legal requirements.
Prerequisite: SAP Cryptographic Toolkit 2/3
Prerequisite: SAP Cryptographic Toolkit 3/3
Prerequisite: Java Cryptography Extension (JCE) 1/2
Restrictions from Sun: the Java Cryptography Extension (JCE), with its Unlimited Strength Jurisdiction Policy Files, is a set of packages that provide a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. JCE was previously an optional package (extension) to the Java 2 SDK, Standard Edition (Java 2 SDK), versions 1.2.x and 1.3.x. JCE has now been integrated into the Java 2 SDK, v1.4. Starting from J2SE 1.4 it is also necessary to install the JCE Unlimited Strength Jurisdiction Policy Files from Sun in order to use the strong cryptographic functions necessary for SSL.
Prerequisite: Java Cryptography Extension (JCE) 2/2
1. Change the startup mode of the SSL Provider Service 1/2: use the Config Tool to change the startup mode of the SSL Provider Service
1. SSL Provider Service in running mode 2/2
2. Creation of the Server's Public/Private Key Pair 1/2
2. Creation of the Server's Public/Private Key Pair 2/2
3. Generate, Sign, Import CSR
3. View after Import of the Certificate
4. Bind the key pair to specific SSL Port 1/2
4. Bind the key pair to specific SSL Port 2/2
Add or Remove Cipher Suites (optional)
Testing the SSL Connection Test the SSL connection with https://<servername>:<ssl port>
SAP J2EE Engine SSL Scenarios Key Storage and SSL Provider Services Enabling SSL on SAP J2EE Engine Client Certificates for Authentication
Configuring the Use of Client Certificates
Prerequisite: the SAP J2EE Engine is enabled for SSL.
Steps for configuring the use of client certificates:
1. Set the UME property ume.logon.allow_cert to true.
2. Create the client key pair and certificate; generate, sign, and import the CSR.
3. Specify the request for a client certificate on the specific SSL socket (managing client authentication).
4. Map the client certificate to a UME user.
5. Adjust the login module stacks of those applications that will accept client certificates.
6. Export the generated private key to a file (password protected).
7. Import the private key into the browser's personal certificates.
1. ume.logon.allow_cert = true: set the UME property ume.logon.allow_cert to true
2. Create client key pair and certificate; handle CSR: create the client certificate and key pair under the TrustedCAs view (Check / Store Certificate)
3. Managing Client Authentication 1/2
3. Managing Client Authentication 2/2
Option: Do not request client certificate
Description: The system does not require the client to give a client certificate during the handshake, although the client can provide it.
Option: Request client certificate
Description: The server requests a certificate, but the certificate is not required. If the client has a certificate it is sent with the request; otherwise, the system reverts to Basic Authentication. The server only accepts certificates that have been issued by a trusted CA.
Option: Require client certificate
Description: The server requests a certificate and the client must send one. Also, the certificate that the client sends must have been issued by a trusted CA.
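An added check for the "Testing the SSL Connection" step and for the client-authentication modes in the table above (example code, not from the deck or from SAP): it performs a verified handshake against https://<servername>:<ssl port>, reports protocol, cipher, subject CN, DNS SANs and days to expiry, and probes whether the socket is in "Require client certificate" mode. The host name, port 50001 and the CA bundle file name are assumptions.

```python
import socket
import ssl
import time

SERVER = "<servername>"       # placeholder from the slide; put the engine's host name here
SSL_PORT = 50001              # assumption: the SSL port the key pair was bound to in step 4
CA_BUNDLE = "trusted_ca.pem"  # assumption: PEM file of the CA that signed the server's CSR
WEAK_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")  # versions an operator should phase out

def make_context(ca_bundle=None):
    """Client context that verifies the chain against ca_bundle and checks the hostname."""
    return ssl.create_default_context(cafile=ca_bundle)

def days_until_expiry(cert, now_ts=None):
    """Days left on a certificate dict as returned by SSLSocket.getpeercert()."""
    now_ts = time.time() if now_ts is None else now_ts
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400)

def summarize(cert, now_ts=None):
    """What to check after step 3 (import of the signed certificate): CN, DNS SANs, expiry."""
    subject = dict(pair[0] for pair in cert["subject"])
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"cn": subject.get("commonName"), "sans": sans,
            "days_left": days_until_expiry(cert, now_ts)}

def check_server(host=SERVER, port=SSL_PORT, ca_bundle=CA_BUNDLE):
    """Verified handshake with https://<servername>:<ssl port>; reports protocol, cipher, cert."""
    ctx = make_context(ca_bundle)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            info = summarize(tls.getpeercert())
            info.update(protocol=tls.version(), cipher=tls.cipher()[0],
                        weak_protocol=tls.version() in WEAK_PROTOCOLS)
            return info

def client_cert_required(host=SERVER, port=SSL_PORT, ca_bundle=CA_BUNDLE):
    """True when the socket is in 'Require client certificate' mode: a handshake
    with no client key pair is refused with a TLS alert, instead of falling back
    to Basic Authentication as the 'Request' and 'Do not request' modes do."""
    ctx = make_context(ca_bundle)  # deliberately loads no client certificate
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                tls.recv(1)  # TLS 1.3 servers may only send the alert on the first read
        return False
    except ssl.SSLError:
        return True
```

Run check_server() after step 4 and client_cert_required() after setting the client-authentication option; a weak_protocol of True or a small days_left is the cue to revisit the cipher-suite settings or renew the certificate.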
4. Map Client Certificate to UME user 1/2
4. Map Client Certificate to UME user 2/2
5. Adjust the applications' login module stacks 1/3
5. Adjust the applications' login module stacks 2/3
5. Adjust the applications' login module stacks 3/3
6. Export of the generated private key to a file
7. Import private key into browser 1/2
7. Import private key into browser 2/2: optionally (if provided), install the trusted public certificate under the Trusted Root Certification Authorities store
Objectives
You should now be able to:
Understand the different SAP J2EE Engine SSL scenarios
Use the Key Storage and the SSL Provider Services
Configure the SAP J2EE Engine for using SSL
Configure the use of client certificates for authentication
Information sources
http://service.sap.com/security
http://sdn.sap.corp -> Web AS -> Security