
demystifying TLS/SSL Settings for NetWeaver

last Changed: 11th of January 2022


The correct TLS/SSL settings in SAP NetWeaver based systems (ABAP, BI-JAVA, SolMan 7.2) are the most mandatory prerequisites to connect the system to the SAP Analytics Cloud (SAC).

However, despite countless SAP KBA Notes, you can still see a tremendous number of unsolved problems in this area, which might also prevent a lot of SAP customers from switching from the RFC SAP Note download to the secure HTTPS Note download.

A long time ago I wrote a blog which is timeless to this day, as these settings are still not recognized correctly even in the latest NetWeaver systems like SAP BW/4 2021 (based on SAP NetWeaver 7.56):

login/accept_sso2_ticket = 1
login/create_sso2_ticket = 3

Blog – BI-JAVA, BEx Web and EP: the real connection…


correct cipher settings for TLS/SSL

These settings must reside in the DEFAULT.pfl profile, while the SETENV values are added to the assigned instance profile. I misinterpreted this for a long time myself, until I had a long chat with the author of the SAP Notes in this area. It makes a huge difference to the functionality, as it also affects the ASCS instance.

ssl/ciphersuites and ssl/client_ciphersuites are recognized by all 7xx kernels!
Only the parameter ssl/client_sni_enabled needs a fairly recent kernel: 721 patchno 920, 722 patchno 223 (SAP Note 2384290), 745 patchno 623, 749 patchno 415, 753 patchno 110 (SAP Note 2582368). The parameter icm/HTTPS/client_sni_enabled is limited to NetWeaver 742+ kernels plus recent 722 kernels (SAP Note 2124480).

Note 455033 – SAPCRYPTOLIB versions, bugs and fixes
Note 511150 – SAPCRYPTOLIB 555pl10: feature update
Note 510007 – Additional considerations for setting up SSL on Application Server ABAP
Note 1433874 – SapSSLReloadCred fix, SSLv3/TLSv1.0 configurability
Note 2180024 – HANA & ABAP: New Option to Enable/Disable FIPS 140-2 Certified Crypto Kernel
Note 2284059 – Update of SSL library within NW Java server
Note 2384243 – NetWeaver Application Server: How to configure strict TLS 1.2
Note 2384290 – SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients
Note 3115847 – CLM: SSF_CERT_RENEW cannot renew certificates where subject and SANs extend 255 characters

Blog – Preparation – SolMan 7.2 Configuration

If it is possible, activate TLSv1.2 on the server side without being downwards compatible. The only exception is SAP SolMan 7.2, where the client cipher settings can be extended to support as much as possible. The complete parameters are mentioned in the blog above.

### >>> these following Parameters are added to the Instance Profile <<<
SETENV_06 = SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
SETENV_16 = SAPSSL_CLIENT_SNI_ENABLED=TRUE
SETENV_17 = SAPSSL_CLIENT_CIPHERSUITES=918:PFS:HIGH::EC_P256:EC_HIGH
SETENV_18 = SAPSSL_CIPHERSUITES=801:PFS:HIGH::EC_P256:EC_HIGH
### >>> these following Parameters must reside in the DEFAULT.pfl <<<
icm/HTTPS/client_sni_enabled = TRUE
ssl/client_sni_enabled = TRUE
ssl/client_ciphersuites = 918:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 801:PFS:HIGH::EC_P256:EC_HIGH

You can test the cipher settings for client and server as follows:

sapgenpse tlsinfo -v -c 918:PFS:HIGH::EC_P256:EC_HIGH
sapgenpse tlsinfo -v -p /usr/sap/B43/D03/sec/SAPSSLS.pse 801:PFS:HIGH::EC_P256:EC_HIGH
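A quick way to verify that the parameters really sit in the right profile before restarting the system, as an added example that is not part of this blog and not an SAP tool: it reads the two profile texts (the samples below are constructed from the parameter block above), checks that the ssl/* and icm/HTTPS/* parameters are in DEFAULT.pfl and not in the instance profile, that SETENV_nn lines define SECUDIR and the SAPSSL_* variables, and that each SAPSSL_* value matches its ssl/* counterpart. The parameter-to-variable mapping is the one the kernel reports in its "creating Envvar" log lines; the function names are my own.

```python
"""Consistency check for the NetWeaver TLS/SSL profile layout (added example)."""
import re

# Constructed sample: DEFAULT.pfl with the server/client cipher and SNI parameters.
DEFAULT_PFL = """\
### >>> these following Parameters must reside in the DEFAULT.pfl <<<
icm/HTTPS/client_sni_enabled = TRUE
ssl/client_sni_enabled = TRUE
ssl/client_ciphersuites = 918:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 801:PFS:HIGH::EC_P256:EC_HIGH
"""

# Constructed sample: instance profile carrying the SETENV lines.
INSTANCE_PFL = """\
### >>> these following Parameters are added to the Instance Profile <<<
SETENV_06 = SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
SETENV_16 = SAPSSL_CLIENT_SNI_ENABLED=TRUE
SETENV_17 = SAPSSL_CLIENT_CIPHERSUITES=918:PFS:HIGH::EC_P256:EC_HIGH
SETENV_18 = SAPSSL_CIPHERSUITES=801:PFS:HIGH::EC_P256:EC_HIGH
"""

# Profile parameter -> environment variable that the SETENV line must carry
# (mapping as the kernel logs it with "creating Envvar ...").
PARAM_TO_ENV = {
    "ssl/client_sni_enabled": "SAPSSL_CLIENT_SNI_ENABLED",
    "ssl/client_ciphersuites": "SAPSSL_CLIENT_CIPHERSUITES",
    "ssl/ciphersuites": "SAPSSL_CIPHERSUITES",
}
# Parameters that belong in DEFAULT.pfl only.
DEFAULT_ONLY = set(PARAM_TO_ENV) | {"icm/HTTPS/client_sni_enabled"}


def parse_profile(text):
    """Return {parameter: value} for 'key = value' lines; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # first '=' separates key and value
        if sep:
            params[key.strip()] = value.strip()
    return params


def setenv_vars(params):
    """Collect NAME=VALUE pairs from all SETENV_nn parameters."""
    env = {}
    for key, value in params.items():
        if re.fullmatch(r"SETENV_\d+", key):
            name, _, val = value.partition("=")
            env[name.strip()] = val.strip()
    return env


def _norm(value):
    """Treat TRUE/1 and FALSE/0 alike; the kernel log shows TRUE becoming 1."""
    v = value.strip().upper()
    return {"TRUE": "1", "FALSE": "0"}.get(v, v)


def check_tls_profiles(default_text, instance_text):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    default = parse_profile(default_text)
    instance = parse_profile(instance_text)
    env = setenv_vars(instance)

    for param in sorted(DEFAULT_ONLY):
        if param not in default:
            findings.append(f"{param} missing from DEFAULT.pfl")
        if param in instance:
            findings.append(f"{param} is in the instance profile; move it to DEFAULT.pfl")

    if "SECUDIR" not in env:
        findings.append("no SETENV line sets SECUDIR in the instance profile")

    for param, var in PARAM_TO_ENV.items():
        if var not in env:
            findings.append(f"no SETENV line sets {var} in the instance profile")
        elif param in default and _norm(env[var]) != _norm(default[param]):
            findings.append(f"{var}={env[var]} differs from {param}={default[param]}")
    return findings


if __name__ == "__main__":
    # Point this at real files with open(...).read() to check a live system.
    for finding in check_tls_profiles(DEFAULT_PFL, INSTANCE_PFL) or ["profiles consistent"]:
        print(finding)
```

The check deliberately reports a parameter that was put into the instance profile instead of DEFAULT.pfl as a separate finding, because that is exactly the mistake described above and it is not visible from the parameter values alone.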

Blog – Update Certificates in ABAP and JAVA


STRUST(SSO2) Configuration for the SSL Server


check TLS/SSL Messages

After the system is started, you can use the following transactions to check the log files for any errors and information:

  • SMMS => Log
  • SMGW => Log
  • SMICM => Log

Message Server Log

=================================================
= SSL Initialization platform tag=(linuxx86_64_gcc43)
= (753_REL patchno 917,Dec 25 2021,mt,ascii-uc, 16/64/64)
= Initialization with _no_ default credentials
= resulting Filename = "/usr/sap/<SID>/ASCS<nr>/exe/libsapcrypto.so"
= disabled FIPS 140-2 crypto kernel
= found CommonCryptoLib 8.5.41 (Nov 25 2021) [AES-NI,CLMUL,SSE3,SSSE3]
= current UserID: "bixadm", env-var USER="bixadm"
= found SECUDIR environment variable
= using SECUDIR=/usr/sap/<SID>/ASCS<nr>/sec
= [dpf] ssl/client_sni_enabled=TRUE
= creating Envvar SAPSSL_CLIENT_SNI_ENABLED=1
= automagic TLS extension SNI enabled
= [dpf] ssl/ciphersuites=801:PFS:HIGH::EC_P256:EC_HIGH
= creating Envvar SAPSSL_CIPHERSUITES=801:PFS:HIGH::EC_P256:EC_HIGH
= [dpf] ssl/client_ciphersuites=918:PFS:HIGH::EC_P256:EC_HIGH
= creating Envvar SAPSSL_CLIENT_CIPHERSUITES=918:PFS:HIGH::EC_P256:EC_HIGH
= Success SapCryptoLib SSL ready!
=================================================
ssfPkiInitSAPCryptolib: SsfSupInitEx("/usr/sap/<SID>/ASCS<nr>/exe/libsapcrypto.so")==0 (SSF_SUP_OK)
found CommonCryptoLib 8.5.41 (Nov 25 2021) [AES-NI,CLMUL,SSE3,SSSE3]
SSL for internal communication enabled
MsSAutoReloadCredHdl: reload thread for system pki started, check #_MemPSE_#977588676159946000000001 every 60 seconds
load acl file = /usr/sap/<SID>/SYS/global/ms_acl_info
List of entries found in /usr/sap/<SID>/SYS/global/ms_acl_info
[001] localhost [::] (VALID)
[002] server.domain.ext [10.xxx.xxx.xxx] (VALID)
[003] * [::] (VALID)
MsGetOwnIpAddr: my host addresses are :
 1 : [10.xxx.xxx.xxx] (HOSTNAME)
 2 : [127.0.0.1] (LOCALHOST)
 3 : [169.xxx.xxx.xxx] (NILIST)
MsHttpInit: full qualified hostname = server.domain.ext
HTTP logging is switch off
set HTTP state to LISTEN
*** HTTP port 8211 state LISTEN ***
MsSAutoReloadSSLHdl: reload thread for SSL started, check /usr/sap/<SID>/ASCS<nr>/sec/SAPSSLC.pse and /usr/sap/<SID>/ASCS<nr>/sec/SAPSSLS.pse every 60
set HTTPS state to LISTEN
Tue Jan 11 12:18:44:801 2022
*** HTTPS port 8311 state LISTEN ***
MsHttpOwnDomain: own domain[1] = wdf.sap.corp
*** I listen to port sapms<SID> (3611) ***
*** I listen to internal port 3911 (3911), ssl protected ***
*** HTTP port 8211 state LISTEN ***
*** HTTPS port 8311 state LISTEN ***
CUSTOMER KEY: >Z0911157974<
compatibility level = 1
build version=753.2021.07.20
read logon groups from previously stored file <SID>_msg_server_adtl_storage
Server state ACTIVE

Gateway Server Log

***LOG S00=> GwInitReader, gateway started ( 157507) [gwxxrd.c 2442]
gateway (version=753.2021.08.31 (with SSL support))
gw/delete_local_comm_adm : 1
gw/logging : ACTION=Ss LOGFILE=gw_log-%y-%m-%d SWITCHTF=day MAXSIZEKB=100
gw/sim_mode : set to 1
gw/reg_no_conn_info = 129
NI buffering disabled
CCMS: initialize CCMS Monitoring for ABAP instance with J2EE addin.
CCMS: SemInMgt: Initializing Semaphore Management in AlAttachShm_Doublestack.
CCMS: SemInit: Semaphore 38 initialized by AlAttachShm_Doublestack.
Tue Jan 11 12:18:58:747 2022
GwIInitSecInfo: secinfo version = 2
GwIRegInitRegInfo: reg_info file /usr/sap/<SID>/SYS/global/reginfo not found
=================================================
= SSL Initialization platform tag=(linuxx86_64_gcc43)
= (753_REL patchno 917,Dec 25 2021,mt,ascii-uc, 16/64/64)
= Initialization with _no_ default credentials
= resulting Filename = "/usr/sap/<SID>/ASCS<nr>/exe/libsapcrypto.so"
= disabled FIPS 140-2 crypto kernel
= found CommonCryptoLib 8.5.41 (Nov 25 2021) [AES-NI,CLMUL,SSE3,SSSE3]
= current UserID: "bixadm", env-var USER="bixadm"
= found SECUDIR environment variable
= using SECUDIR=/usr/sap/<SID>/ASCS<nr>/sec
= [dpf] ssl/client_sni_enabled=TRUE
= creating Envvar SAPSSL_CLIENT_SNI_ENABLED=1
= automagic TLS extension SNI enabled
= [dpf] ssl/ciphersuites=801:PFS:HIGH::EC_P256:EC_HIGH
= creating Envvar SAPSSL_CIPHERSUITES=801:PFS:HIGH::EC_P256:EC_HIGH
= [dpf] ssl/client_ciphersuites=918:PFS:HIGH::EC_P256:EC_HIGH
= creating Envvar SAPSSL_CLIENT_CIPHERSUITES=918:PFS:HIGH::EC_P256:EC_HIGH
= Success SapCryptoLib SSL ready!
=================================================
ssfPkiInitSAPCryptolib: SsfSupInitEx("/usr/sap/<SID>/D12/exe/libsapcrypto.so")==0 (SSF_SUP_OK)
found CommonCryptoLib 8.5.41 (Nov 25 2021) [AES-NI,CLMUL,SSE3,SSSE3]
gateway ssl port 3411 defined in profile
Bind service sapgw12 (socket) to port 3312
Bind service 3411 (socket/ssl) to port 3411

Internet Communication Manager Log

IcmAddHiddenService: Hidden service WEBSOCKET started
IcmAddHiddenService: Hidden service H2 started
Started service PORT=8012,PROT=HTTP,TIMEOUT=1800,PROCTIMEOUT=180
IcmAddHiddenService: Hidden service WEBSOCKETS started
Added service PORT=8112,PROT=HTTPS,TIMEOUT=1800,PROCTIMEOUT=180,VCLIENT=1,SSLCONFIG=ssl_config_1
Started service PORT=2512,PROT=SMTP,TIMEOUT=1800,PROCTIMEOUT=180
Tue Jan 11 12:18:59:413 2022
IcmNetCheck: network check passed without detecting problems
Tue Jan 11 12:19:03:050 2022
=================================================
= SSL Initialization platform tag=(linuxx86_64_gcc43)
= (753_REL patchno 917,Dec 25 2021,mt,ascii-uc, 16/64/64)
= Initialization with _no_ default credentials
= resulting Filename = "/usr/sap/<SID>/ASCS<nr>/exe/libsapcrypto.so"
= disabled FIPS 140-2 crypto kernel
= found CommonCryptoLib 8.5.41 (Nov 25 2021) [AES-NI,CLMUL,SSE3,SSSE3]
= current UserID: "bixadm", env-var USER="bixadm"
= found SECUDIR environment variable
= using SECUDIR=/usr/sap/<SID>/ASCS<nr>/sec
= [dpf] ssl/client_sni_enabled=TRUE
= creating Envvar SAPSSL_CLIENT_SNI_ENABLED=1
= automagic TLS extension SNI enabled
= [dpf] ssl/ciphersuites=801:PFS:HIGH::EC_P256:EC_HIGH
= creating Envvar SAPSSL_CIPHERSUITES=801:PFS:HIGH::EC_P256:EC_HIGH
= [dpf] ssl/client_ciphersuites=918:PFS:HIGH::EC_P256:EC_HIGH
= creating Envvar SAPSSL_CLIENT_CIPHERSUITES=918:PFS:HIGH::EC_P256:EC_HIGH
= Success SapCryptoLib SSL ready!
=================================================
Activated service PORT=8112,PROT=HTTPS,TIMEOUT=1800,PROCTIMEOUT=180,VCLIENT=1,SSLCONFIG=ssl_config_1
SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default, a
Tue Jan 11 12:19:03:202 2022
*** ICM up and operational (pid: 157508, HTTP: 8012, HTTPS: 8112) ***
HttpExtractArchive: files from archive /usr/sap/<SID>/D<nr>/exe/ITS.SAR in directory /usr/sap/BIX/D12/data/icmandi
***LOG IM3=> ICM, Startup (ICM&157508&) [IoEngine.cpp 89]
Tue Jan 11 12:19:54:737 2022
ssfPkiInitSAPCryptolib: SsfSupInitEx("/usr/sap/<SID>/D<nr>/exe/libsapcrypto.so")==0 (SSF_SUP_OK)
found CommonCryptoLib 8.5.41 (Nov 25 2021) [AES-NI,CLMUL,SSE3,SSSE3]
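To check those log files without reading every line by eye, here is an added example (not code from this blog and not an SAP tool) that parses the "SSL Initialization" block which the message server, gateway and ICM write at start-up: it records which ssl/* parameters the kernel actually picked up (the [dpf] lines), which SAPSSL_* variables it created, whether the SNI extension was enabled and whether the block ended with "Success SapCryptoLib SSL ready!", then compares that against the values expected from DEFAULT.pfl. The sample log is constructed from the lines above; the function names and finding texts are my own.

```python
"""Parse and check the SapCryptoLib SSL Initialization log block (added example)."""
import re

# Constructed sample modelled on the SSL Initialization block in the logs above.
SAMPLE_LOG = """\
=================================================
= SSL Initialization platform tag=(linuxx86_64_gcc43)
= Initialization with _no_ default credentials
= disabled FIPS 140-2 crypto kernel
= found CommonCryptoLib 8.5.41 (Nov 25 2021) [AES-NI,CLMUL,SSE3,SSSE3]
= using SECUDIR=/usr/sap/<SID>/ASCS<nr>/sec
= [dpf] ssl/client_sni_enabled=TRUE
= creating Envvar SAPSSL_CLIENT_SNI_ENABLED=1
= automagic TLS extension SNI enabled
= [dpf] ssl/ciphersuites=801:PFS:HIGH::EC_P256:EC_HIGH
= creating Envvar SAPSSL_CIPHERSUITES=801:PFS:HIGH::EC_P256:EC_HIGH
= [dpf] ssl/client_ciphersuites=918:PFS:HIGH::EC_P256:EC_HIGH
= creating Envvar SAPSSL_CLIENT_CIPHERSUITES=918:PFS:HIGH::EC_P256:EC_HIGH
= Success SapCryptoLib SSL ready!
=================================================
*** HTTPS port 8311 state LISTEN ***
"""

# What a correctly configured DEFAULT.pfl should make the kernel report.
EXPECTED_DPF = {
    "ssl/client_sni_enabled": "TRUE",
    "ssl/ciphersuites": "801:PFS:HIGH::EC_P256:EC_HIGH",
    "ssl/client_ciphersuites": "918:PFS:HIGH::EC_P256:EC_HIGH",
}


def parse_ssl_init(log_text):
    """Extract the first SSL Initialization block into a dict; None if absent."""
    info = {"dpf": {}, "env": {}, "sni_enabled": False, "ready": False,
            "fips_enabled": None, "cryptolib": None, "secudir": None}
    in_block = False
    for raw in log_text.splitlines():
        if raw.startswith("= SSL Initialization"):
            in_block = True
            continue
        if not in_block:
            continue
        if raw.startswith("===="):      # closing rule ends the block
            break
        body = raw[2:] if raw.startswith("= ") else raw
        m = re.match(r"\[dpf\] ([^=]+)=(.*)", body)
        if m:                            # profile parameter the kernel picked up
            info["dpf"][m.group(1)] = m.group(2)
            continue
        m = re.match(r"creating Envvar ([^=]+)=(.*)", body)
        if m:                            # environment variable derived from it
            info["env"][m.group(1)] = m.group(2)
            continue
        m = re.match(r"found CommonCryptoLib (\S+)", body)
        if m:
            info["cryptolib"] = m.group(1)
        elif body.startswith("using SECUDIR="):
            info["secudir"] = body[len("using SECUDIR="):]
        elif "FIPS 140-2" in body:
            info["fips_enabled"] = not body.startswith("disabled")
        elif "TLS extension SNI enabled" in body:
            info["sni_enabled"] = True
        elif "Success SapCryptoLib SSL ready!" in body:
            info["ready"] = True
    return info if in_block else None


def check_ssl_init(log_text, expected=EXPECTED_DPF):
    """Return findings; an empty list means the kernel applied the expected settings."""
    info = parse_ssl_init(log_text)
    if info is None:
        return ["no SSL Initialization block found"]
    findings = []
    for param, value in expected.items():
        got = info["dpf"].get(param)
        if got is None:
            findings.append(f"{param} not picked up from the profile ([dpf] line missing)")
        elif got != value:
            findings.append(f"{param}={got}, expected {value}")
    for var in ("SAPSSL_CIPHERSUITES", "SAPSSL_CLIENT_CIPHERSUITES"):
        if var not in info["env"]:
            findings.append(f"environment variable {var} was not created")
    if not info["sni_enabled"]:
        findings.append("TLS extension SNI not enabled")
    if not info["ready"]:
        findings.append("block did not end with 'Success SapCryptoLib SSL ready!'")
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("dev_ms").read() or the SMICM/SMGW log text.
    for finding in check_ssl_init(SAMPLE_LOG) or ["SSL initialization as expected"]:
        print(finding)
```

A missing [dpf] line is the most useful signal here: it means the kernel never saw that parameter, which is what happens when it was placed in the wrong profile, whereas a wrong value shows up as a mismatch against the expected cipher string.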

no more TLS/SSL Drama …

If only the SAP TechEd cat had known this earlier …


Roland Kramer, SAP Platform Architect for Intelligent Data & Analytics, SAP SE
@SAPFirstGuidance

“I have no special talent, I am only passionately curious.”