Registration

Dear SAP Community Member,
In order to fully benefit from what the SAP Community has to offer, please register at:
http://scn.sap.com
Thank you,
The SAP Community team.
Skip to end of metadata
Go to start of metadata

Purpose

How to configure SSL with ASE.

Overview

There are many ways to do this.
With ASE 15.7 SP100  and earlier ASE use to use the Certicom certificates. Both Openssl and Certicom binaries are in this version.
Certicom binaries where pulled from the ASE and SDK 15.7 SP122 and higher.Starting with ASE 15.7 SP122 and ASE 16.0 SP00 ssl binaries were moved to OpenSSL certificates.
Starting with AT 16.0 SP03 ssl was moved to use proprietary SAP Common Crypto Library to make the certificates.

You can always look in the $sybase/OCS-##_#/lib3p directory to see what version to use.
Windows

  • SAP CCL: slcryptokernel.dll
  • Openssl sybcsi_openessl##.dll
  • Certicom:

Unix

  • SAP CCL: libslcryptokernel.so
  • Openssl: libsybcsi_opnessl##_##.so
  • Certicom: libsybcsi_certicom_fips##_##.so

ASE setups 

  • SAP CCL
    • KBA 1899365 How to setup self-assigned test SSL with ASE and SDK, please note its towards the beginning of the KBA
    • Books ASE 16.0 SP03 PL06 SSL Overview
  • OpenSSL
    • KBA 1899365 How to setup self-assigned test SSL with ASE and SDK, please note its towards the end of the KBA 
    • Books ASE 16.0 SP02 PL07 SSL Overview
  • Certicom
  • Signed certificate from other vendor
    • KBA 2430055 How to setup 3rd party/CA signed SSL with ASE and SDK
    • If certificate is not PEM format convert pk12 certificate to PEM format (PEM format is the only format currently supported by ASE):

      • openssl pkcs12 -in certificate.pfx -out asename.pem -nodes

      • Add: root.cert into $SYBASE/$SYBASE_ASE/certificates/asename.txt

      • Also add: ase private and public certificate into $SYBASE/$SYBASE_ASE/certificates/asename.crt  

Converting PKCS12 to PEM format

If the ssl certificates are in PKCS12 format ASE will not be able to read them.  This needs to be converted to PEM format.  Use this command to convert PKCS12 to PEM format:
openssl pkcs12 -in certificate.pfx -out asename.pem -nodes

This output 3 certificates into asename.pem.  ASE private key, ase certificate, and root certificate. Use these to generate asename.crt and asename.txt.
asename.crt - ase private key and ase certificate
asename.txt - root certificate

Verify SSL Certificates

  • To verify ssl public certificate is from the private key
    • The modulus should be the same
      cat asename.crt | openssl rsa -modulus -noout
      cat asename.crt | openssl x509 -modulus -noout 
      • asename.crt - private and public ase certificate
    • This can be ran with 2 different files as well.
      x509 command is for the public certificate
      rsa command is for the private key
  • To verify openssl chain is valid:
    openssl verify -CAfile root.crt-untrusted interm.crt ase.crt
    • root.crt - root public certificate
    • interm.crt - intermediate certificate (usually when you have a chain of certificates)
    • ase.crt - ASE database public certificate

 Related Content

Related Documents

Related sap notes/kbas

 

  • No labels