FAQ - SSL on ABAP Server
SSL on the ABAP server and related topics are discussed here.
Question: Where can I find information on setting up SSL?
Answer: SAP Note 510007 details the main steps to set up SSL, i.e. installing the sapcryptolib library and configuring the ABAP stack.
Question: I don't know which OS version of sapcryptolib to use on my ABAP Server
Answer: The sapcryptolib security library must be compatible with the SAP Kernel that will run it. In this case check transaction SM51 -> Release notes -> SAP Release Information and check the field 'Created in'. The operating system version here should match the OS version of the sapcryptolib library. Note: the OS version of the host server and that of the executables may not always match. This is because the version of sapcryptolib depends on the compiled version of the SAP Kernel rather than the actual host.
Question: Where can I find error information if there is a problem with sapcryptolib?
Answer: Run report SSF02 in transaction SE38 and choose the option 'Determine version', which will show the version of sapcryptolib installed. If this abends, check that all the profile parameters in note 510007 are set. Also check the developer work trace files (dev_w* traces), which show the initialization of the sapcryptolib library on the server at startup. If there is an error, it can be found there.
Question: I have tested the https connection to my SAP Web Application Server but this fails. What can I check?
Answer: First check that the https service is active in transaction SMICM. The ICM trace will provide details on any errors activating https. In SMICM choose the path SMICM -> Goto -> Trace File -> Display All. Then check that the STRUST configuration for the SSL Server PSE is completed as per note 510007. Finally check the dev_w* traces for the successful loading of sapcryptolib.
Question: Why do I need to have my SSL Server certificate signed by a Certificate Authority?
Answer: When invoking an SSL connection, all web browsers check the presented SSL Server certificate against the root certificates of all Certificate Authorities (CAs) stored in the browser. If the certificate is not signed by a CA whose root certificate is stored in the browser, the browser will give an unwanted security warning that the SSL Server certificate of the SAP Web Application Server is not trusted. You can use the SAP CA service at www.service.sap.com/tcs to test this or purchase a signed certificate to use on your server. Server-to-server SSL connections also make the same checks, which may then require a signed certificate.
Question: The URL the users will enter into the browser will not match the CN of the certificate of my AS ABAP Server
Answer: In transaction STRUST you can edit the CN of the certificate of the SSL Server. To do this, highlight the SSL Server Standard folder and right-click. In the context menu choose the option to change. This presents a dialog where you can edit the CN of the SAP system's SSL certificate so that it matches the URL the end users will use. This will avoid certificate errors in the end users' browsers.
Question: Does the SAP Web Application Server Java support SANs (Subject Alternative Names)?
Answer: Only the client PSE in STRUST supports the use of Subject Alternative Names. Make sure that all your SSL *clients*, i.e. browsers and systems, are able to use SANs for their match target procedure (an ABAP system acting as SSL client can use SANs as of SAP note 1386889).
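The name check that a browser or other SSL client makes against the server certificate, which the two answers above turn on (CN matching the URL, and SAN support), as an added example that is not SAP code. It assumes the RFC 2818/6125 rule that SAN dNSName entries, when present, replace the CN; the host names, port and certificate dictionaries are constructed and use the shape of Python's ssl getpeercert() result.

```python
from urllib.parse import urlsplit

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); all host names are made up.
CERT_CN_ONLY = {
    "subject": ((("commonName", "sapapp01.example.internal"),),),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "sapapp01.example.internal"),),),
    "subjectAltName": (("DNS", "portal.example.com"),
                       ("DNS", "*.apps.example.com")),
}

def name_matches(pattern, host):
    """Compare one certificate name with the host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one leftmost label and must be
        # followed by at least two fixed labels.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def names_checked(cert):
    """SAN dNSName entries if present, otherwise the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def url_matches_cert(url, cert):
    """True if the host part of the URL matches a name in the certificate."""
    host = urlsplit(url).hostname or ""
    return any(name_matches(n, host) for n in names_checked(cert))

if __name__ == "__main__":
    for url in ("https://sapapp01.example.internal:44300/",
                "https://portal.example.com:44300/"):
        for label, cert in (("CN only", CERT_CN_ONLY),
                            ("with SAN", CERT_WITH_SAN)):
            print(url, label, url_matches_cert(url, cert))
```

Once a certificate carries SAN entries, a client following this rule no longer accepts the CN on its own, so the host name in the CN has to be repeated in the SAN list if users still reach the server by it.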
Question: I already have a signed certificate and private key in PKCS#12 format. Can I use this as the SSL Server Standard PSE?
Answer: Yes. The PKCS#12 file must first be converted into the SAP proprietary PSE format using the sapgenpse tool command import_p12. Once created, import the new PSE file as per the instructions in note 1473710 - STRUST: How to Export/Import a PSE from/to STRUST.
Question: Does SAP provide any trust server services, e.g. Trusted Certificate Signing?
Answer: Yes. Information regarding this can be found at www.service.sap.com/tcs
Question: Can I obtain a test certificate from SAP Trust Services?
Answer: Yes. At the same link you can apply for a test SSL server certificate valid for a limited time.