Security and Identity Management
Page tree
Skip to end of metadata
Go to start of metadata
FAQ - SSL on ABAP Server

SSL on ABAP Server and the related topics will be discussed here

Question: Where can I find information on setting up SSL

Answer: SAP Note 510007 details the main steps to settup SSL ie installing the sapcryptolib library and configuration on the ABAP stack. 

Question: I don't know which OS version of sapcryptolib to use on my ABAP Server

Answer: the sapcryptolib security library must be compatible with the SAP Kernel that will run it. In this case check transaction SM51 -> Release notes -> SAP Release Information and check the field 'Created in'. The operating system version here should  match the os version of the sapcryptolib library. Note: the OS version of the host server and executables may not match always. This is because the version of sapcryptolib depends on the compiled version of the SAP Kernel rather than the actual host.

Question: Where can I find error information if there is a problem with Sapcryptolib

Answer: Run report SSF02 in transaction SE38 and choose the option 'Determine version' which will show the version of sapcryptolib installed. if this abends then check that all the profile parameters in note 510007 are set. Also check the developer work trace files (dev_w* traces) which shows the initialization of the sapcryptolib library on the server at startup. If there is an error then this can be found here.

Question:I have tested the https connection to my SAP Web application Server but this fails. What can I check

Answer: Check first that the https service is active in transaction SMICM. The ICM trace will provide details on any errors activating https. In SMICM choose the path SMICM -> Goto -> Trace File -> Display All . Then check that the STRUST configuration for the SSL Server PSE is completed as per note 510007. Finally check the dev_w* traces for the successful loading of sapcryptolib.

Question: Why do I need to have my SSL Server certificate signed by a Certificate Authority

Answer: All webbrowsers when invoking an SSL connection will check the presented SSL Server certificate against the Root certificates of all Certificate Authority (CA) stored in the browser. If the certificate is not signed by a CA (whose root certificate is stored in the browser) then the browser will give an unwanted security warning that the SSL Server certificate of the SAP Web application server is not trusted. You can use the SAP CA service at www.service.sap.com/tcs to test this or purchase a signed certificate to use on your server. Server to Server SSL connections also make the same checks which may then require a signed certificate.

Question: The url the users will enter into the browser will not match the CN of the Certificate of my AS ABAP Server

Answer: In transaction STRUST you can edit the CN of the certificate of the SSL Server. To do this  highlight the SSL Server Standard folder and right click the mouse. In the context menu choose the option to change. This presents a dialog where you can edit the CN of the SAP Systems SSL certificate so that it matches the url the end users will use. This will avoid certificate errors in the end users browser. 

Question: Does the SAP Web Application Server Java support SANs (Subject Alternative Names)
 

Answer: Only the client PSE in STRUST supports the use of Subject Alternative Names. Make sure that all your SSL *clients* ie.
browser, systems are able to use SANs for their match target procedure (using an ABAP system as SSL Client can use SAN as of SAP note 1386889.

Question: I already have a signed certiifcate and private key in a PKCS#12 format. Can I use this as the SSL Server Standard PSE

Answer: Yes. The PKCS#12 file first must be converted into the SAP proprietary PSE format using the sapgenpse tool command import_p12. Once created import the new PSE file as per the instructions in note 1473710  - STRUST: How to Export/Import a PSE from/to STRUST

Question: Does SAP provide any trust Server services e.g. Trusted Certificate Signing

Answer: Yes. information regarding this can be found at www.service.sap.com/tcs

Question: Can I obtain a test certificate from SAP Trust Services

Answer: Yes.At the same link you can apply for a test SSL server certifcate valid for a limited time