How to Switch to HTTPS Transport Layer Security

Document Version 1.0

November 2010

SAP NetWeaver


SAP AG
Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
T +49/18 05/34 34 24, F +49/18 05/34 34 20, www.sap.com

© Copyright 2010 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Typographic Conventions

Type Style: Represents

Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.

Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon: Meaning

Caution
Example
Note
Recommendation
Syntax


History of Changes

Version Change

1.0 Initial release


Contents

1 Introduction
1.1 No HTTPS Configuration
1.2 Prepare HTTPS Configuration
1.3 Consume HTTPS Configuration
1.4 Only HTTPS Configuration
1.5 Overview
2 Prepare HTTPS Configuration
2.1 Tasks
2.2 Checks
3 Consume HTTPS Configuration
3.1 Tasks
3.2 Checks
4 Only HTTPS Configuration
4.1 Tasks
4.2 Checks


Introduction November 2010

No HTTPS Configuration

How to Switch to HTTPS Transport Layer Security 1

How to Switch to HTTPS Transport Layer Security

1 Introduction

This chapter gives you some best practices on how to increase your security in the HTTP transport layer in a step-by-step approach. This is not a configuration guide, which means you do not have to do it this way. It describes one possible path from a landscape with minimal security settings to a landscape with very high security settings for the HTTP transport layer.

The focus of this chapter is only the transport layer change from HTTP to HTTPS, keeping existing authentication methods. It does not describe the tasks needed to switch from user-and-password-based authentication to certificate-based authentication.

1.1 No HTTPS Configuration

This is the starting point. The characteristics of this security level are:

A) HTTP provider is configured only for HTTP

B) HTTP consumers are configured for HTTP communication

1.2 Prepare HTTPS Configuration

This configuration level prepares the landscape for HTTPS-based communication. The focus of this configuration level is to prepare the systems and the configuration in a way that HTTPS-based configuration becomes possible for some dedicated scenarios.

A) HTTP provider is configured for HTTP and HTTPS: HTTPS is enabled and ready for consumption.

B) HTTP consumers are configured for HTTP communication: less impact on existing scenarios, because fewer configuration changes are needed.


1.3 Consume HTTPS Configuration

This configuration level consumes HTTPS transport security. This means you must focus on all HTTP consumers and change the attributes of the consumers to HTTPS.

A) HTTP provider is configured for HTTP and HTTPS: enablement of HTTPS is done.

B) HTTP consumers are configured for HTTPS communication: systems and scenarios are configured to use HTTPS transport security.

1.4 Only HTTPS Configuration

This configuration level is the highest level concerning HTTPS transport security. It ensures that only HTTPS is possible, because non-secure access to the HTTP service providers is not allowed and not possible.

A) HTTP provider is configured only for HTTPS: ensures that HTTPS is used.

B) HTTP consumers are configured for HTTPS communication: every HTTP consumer must be configured for HTTPS.


1.5 Overview

Configuration | HTTP Consumer Configuration (Scenario) | HTTP Provider Configuration (System) | Description
NoHTTPS       | HTTP-based  | HTTP-only      | Only HTTP is configured.
PrepareHTTPS  | HTTP-based  | HTTP and HTTPS | HTTP and HTTPS are configured in the landscape. Most or all scenarios are configured for HTTP.
ConsumeHTTPS  | HTTPS-based | HTTP and HTTPS | HTTP and HTTPS are configured in the landscape. Most or all scenarios are configured for HTTPS.
OnlyHTTPS     | HTTPS-based | HTTPS-only     | Only HTTPS is configured. No HTTP access is possible. All scenarios are configured for HTTPS.


2 Prepare HTTPS Configuration

The goal of this step is to have the landscape with all involved technical systems (ABAP, Java, standalone engines, tools, and other servers) enabled for SSL-based transport security via HTTPS.


2.1 Tasks

The following checklist gives you some hints on how to perform the tasks (columns of the original table: Task, ABAP System, Java System):

Task: SAP Cryptographic Library
  ABAP system: Configuring the SAP Web AS for Supporting SSL; Installing the SAP Cryptographic Library on the AS ABAP.
  Java system: Configuring the Use of SSL on the J2EE Engine. Create the server's key pair to use for SSL, and assign the key pair to use for the specific SSL port.

Task: HTTPS port configuration (provider system)
  ABAP system: Setting Profile Parameter. Example:
    icm/server_port_0 = PROT=HTTP,PORT=8000
    icm/server_port_1 = PROT=HTTPS,PORT=8001

Task: HTTP proxy configuration (optional)
  Configuring Proxies.

Task: SSL server standard PSE configuration
  ABAP system: Creating the SSL Server PSE; Generating Certificate Requests; Sending Certificate Request to CA; Importing Certificate Response; Maintaining Certificate List.

Task: SSL client PSE configuration
  ABAP system: We recommend that you also configure the Standard SSL Client PSE and the Anonymous SSL Client PSE.
  Java system: If you are using client certificates for user authentication, configure their use on the J2EE Engine.

Task: SAP NetWeaver infrastructure SSL configuration
  Ensure that the infrastructure is also enabled for SSL: 1. SAP Management Console, 2. Message Server, 3. IGS. See SAP Note 965076.

Task: SAP NetWeaver PI SSL enablement
  See the SAP NetWeaver PI Security Guide.

Task: SAP NetWeaver TREX SSL enablement
  See TREX Advanced Configuration → Configuration of the TREX Security Settings.

Task: Business Communication Broker
  The BCB administration page is usually accessible from http://<host>:<port>/bcb on the SAP CRM Java system. From there you can navigate to the settings.


2.2 Checks

2.2.1 ABAP SSL Server PSE Correctness

1. Log on to the ABAP system.

2. Enter transaction /nstrust.

3. Double-click SSL Server Standard.

4. Double-click Owner “CN=….”

5. Verify that Own Certificate Owner contains the fully qualified hostname.

6. Verify that Own Certificate is signed by the issuer CN.

7. Verify that the Valid From Period is valid.

2.2.2 ABAP HTTPS Port Configuration

1. Log on to the ABAP system.

2. Enter transaction /nsmicm.

3. Select Goto → Services.

4. Verify that HTTP and HTTPS services exist and both are active.

2.2.3 ABAP ICF Service Test

To test the HTTPS service and the STRUST configuration, do the following:

1. Log on to the ABAP system.

2. Enter transaction /nsicf.

3. Enter the service name of a service used on this system and press Enter (F8).

4. Position the cursor on the service and ensure that it is activated.

5. From the context menu, choose Test Service.

6. Change the URL to the fully qualified hostname and to the HTTPS port and press Enter (F8).

7. Verify that the browser displays a correct SSL connection.

8. Verify that Issued to is the fully qualified hostname.

9. Verify that Own Certificate is signed by the issuer CN.

10. Verify that the validity period is OK.

2.2.4 ABAP Session Management (Only on 702, 720, 730 systems)

1. Log on to the ABAP system.

2. Enter transaction /nsicf_session.

3. Verify that the relevant profile parameters shown have the expected target values for your landscape.

4. Verify that all target clients for session management have an active state.


2.2.5 AS Java SSL Server Correctness

To test the HTTPS provider and the keystore, do the following:

1. Enter the following HTTPS based URL:

https://<fully qualified hostname>:<port>

2. Verify that the browser displays a correct SSL connection.

3. Verify that Issued to is the fully qualified hostname.

4. Verify that Issued by is Server CA.

5. Verify that the validity period is OK.
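The certificate checks in 2.2.1, 2.2.3 and 2.2.5 (issued to the fully qualified hostname, signed by the expected issuer CN, validity period OK) are the same three conditions for every HTTPS port in the landscape, so they can be scripted instead of read off a browser dialog. The following Python code is an added example and not part of the SAP guide; the sample certificate dictionary, host name and CA name are constructed placeholders, and fetch_peer_cert is a helper name chosen for this example.

```python
import socket
import ssl
import time

# Constructed sample certificate in the dictionary format that
# ssl.SSLSocket.getpeercert() returns. Host and CA names are placeholders.
SAMPLE_CERT = {
    "subject": ((("countryName", "DE"),),
                (("organizationName", "Example Org"),),
                (("commonName", "sapserver.example.com"),)),
    "issuer": ((("commonName", "Example Server CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "sapserver.example.com"),),
}
# Fixed "now" values so the checks are reproducible offline.
NOW_INSIDE_VALIDITY = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")
NOW_AFTER_EXPIRY = ssl.cert_time_to_seconds("Jun 15 12:00:00 2026 GMT")


def _name_attr(name, attr):
    """First value of an attribute (e.g. 'commonName') in a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def is_fully_qualified(hostname):
    """Crude FQDN test: at least one dot and not an IPv4 literal."""
    labels = hostname.split(".")
    return len(labels) > 1 and not all(label.isdigit() for label in labels)


def _name_matches(pattern, hostname):
    """Exact match, or a single leading wildcard label ('*.example.com')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == hostname


def certificate_names(cert):
    """DNS SANs first, then the subject CN (browsers only honour the CN when no SAN exists)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    common_name = _name_attr(cert.get("subject", ()), "commonName")
    if common_name and common_name not in names:
        names.append(common_name)
    return names


def check_server_cert(cert, expected_fqdn, expected_issuer_cn, now=None):
    """Checks 2.2.1 / 2.2.3 / 2.2.5 on one certificate; returns a list of findings (empty = OK)."""
    now = time.time() if now is None else now
    findings = []
    if not is_fully_qualified(expected_fqdn):
        findings.append(f"'{expected_fqdn}' is not a fully qualified hostname")
    names = certificate_names(cert)
    if not any(_name_matches(name, expected_fqdn) for name in names):
        findings.append(f"certificate is not issued to {expected_fqdn} (names: {names})")
    issuer_cn = _name_attr(cert.get("issuer", ()), "commonName")
    if issuer_cn != expected_issuer_cn:
        findings.append(f"issuer CN is '{issuer_cn}', expected '{expected_issuer_cn}'")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        findings.append(f"outside validity period {cert['notBefore']} .. {cert['notAfter']}")
    return findings


def fetch_peer_cert(host, port, timeout=5.0):
    """Live counterpart of the browser test: fetch the certificate the HTTPS port presents.

    create_default_context() verifies the chain against the local trust store and the
    hostname, so an untrusted or mismatched certificate raises ssl.SSLCertVerificationError
    before any of the checks above run, which is itself a finding worth recording.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate.
    print(check_server_cert(SAMPLE_CERT, "sapserver.example.com", "Example Server CA", NOW_INSIDE_VALIDITY))
    print(check_server_cert(SAMPLE_CERT, "sapserver", "Other CA", NOW_AFTER_EXPIRY))
```

To run the same checks against a real provider, pass the dictionary returned by fetch_peer_cert(<fully qualified hostname>, <HTTPS port>) to check_server_cert with the issuer CN you expect from your SSL server PSE; the offline sample only shows what each failing condition reports.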

2.2.6 SAP NetWeaver Infrastructure SSL Enablement

To test SAP NetWeaver Infrastructure enablement:

1. Call the URL http://<host>:<port>, where:

o <host> is the host where the application server is installed.

o <port> is the sapstartsrv service port. The port number is 5<instance>13.

2. Open the path SAP Systems → <SID> → <Instance> → Access Points.

3. Verify that for all process names with HTTP protocol, a corresponding HTTPS port is configured.


3 Consume HTTPS Configuration

The goal of this step is to have the scenario configuration changed from consuming HTTP services to HTTPS services. This is a more critical task because now it becomes more scenario specific and scenario-related technical configuration know-how is needed.

3.1 Tasks

Ensure that the configuration of a business scenario is consuming HTTPS-based connectivity. In general, you have to perform two tasks:

1. Identify all HTTP-related configurations for your scenario.

2. Change the communication from HTTP to HTTPS.

o Switch the protocol from HTTP to HTTPS.

o Change the hostname to the fully-qualified hostname.

o Change the HTTP port to the HTTPS port.

Configuration area: ABAP HTTP destination
  Ensure that HTTP destinations used from the scenario are configured for HTTPS communication (set the SSL flag).

Configuration area: ABAP Web service consumer proxy
  Ensure that the Web service consumer proxies used are configured for transport binding with HTTPS.

Configuration area: ABAP configuration tables (IMG, views)
  Search and identify all ABAP table-based configurations for HTTP-based connectivity. Depending on your solutions, IMG activities, customizing tables, or table maintenance views must be checked.

Configuration area: ABAP configuration transactions/reports
  Search and identify all ABAP transactions and reports for your scenario which allow HTTP-based configuration.

Configuration area: AS Java HTTP destinations
  Ensure that HTTP destinations used from the scenario are configured for HTTPS communication.

Configuration area: AS Java Web service consumer configuration
  Ensure that the Web service consumers used are configured for transport binding with HTTPS.

Configuration area: Enterprise Portal systems
  Ensure that the ITS and the Web AS hostname and protocol are changed for HTTPS communication.

Configuration area: Exchange Infrastructure
  Ensure that scenario-related communication channels using URL-based addressing are changed for HTTPS communication.
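The three changes of step 2 in this section (scheme http to https, short hostname to fully qualified hostname, HTTP port to HTTPS port) and the conditions the 3.2 checks verify on each resulting URL can be applied mechanically to a list of consumer URLs before touching SM59, SOAMANAGER or NWA. The following Python script is an added example, not part of the SAP guide; the host names, the FQDN mapping and the port pairs in it are constructed placeholders, and in practice the port mapping would be filled from each provider system's icm/server_port_* parameters.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed landscape data for this example (placeholders, not real hosts):
# short hostname -> fully qualified hostname, and per provider host the
# HTTP port -> HTTPS port pairs taken from its icm/server_port_* parameters.
FQDN_MAP = {
    "sapabap": "sapabap.example.com",
    "sapjava": "sapjava.example.com",
}
HTTPS_PORT_MAP = {
    "sapabap.example.com": {8000: 8001},
    "sapjava.example.com": {50000: 50001},
}


def to_https_url(url, fqdn_map=FQDN_MAP, https_port_map=HTTPS_PORT_MAP):
    """Apply the three changes of section 3.1, step 2, to a consumer-side URL.

    1. switch the scheme from http to https,
    2. replace a short hostname by its fully qualified hostname,
    3. replace the HTTP port by the HTTPS port of that provider.
    Raises ValueError when the URL is not HTTP(S) or no HTTPS port is known,
    so a destination is never silently left on HTTP. Credentials embedded in
    the URL (user:password@host) are dropped; they belong in the destination's
    logon data, not in the URL.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"not an HTTP(S) URL: {url}")
    host = parts.hostname or ""
    fqdn = fqdn_map.get(host, host)
    if parts.scheme == "https":
        port = parts.port  # already HTTPS: keep the port, only fix the hostname
    else:
        http_port = parts.port if parts.port is not None else 80
        try:
            port = https_port_map[fqdn][http_port]
        except KeyError:
            raise ValueError(f"no HTTPS port known for {fqdn}:{http_port}") from None
    netloc = fqdn if port in (None, 443) else f"{fqdn}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def check_https_url(url, https_port_map=HTTPS_PORT_MAP):
    """The verification repeated in the 3.2 checks: https://, FQDN, HTTPS port.

    Returns a list of findings; an empty list means the URL passes. The port is
    only judged when the provider's HTTPS ports are known from the map.
    """
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append(f"scheme is '{parts.scheme}', not https")
    host = parts.hostname or ""
    if "." not in host:
        findings.append(f"hostname '{host}' is not fully qualified")
    port = parts.port if parts.port is not None else 443
    expected = set(https_port_map.get(host, {}).values())
    if expected and port not in expected:
        findings.append(f"port {port} is not an HTTPS port of {host} (expected one of {sorted(expected)})")
    return findings


if __name__ == "__main__":
    # Constructed consumer URLs as they might appear in SM59 or NWA destinations.
    for url in ("http://sapabap:8000/sap/bc/srt/rfc/sap/z_service?sap-client=100",
                "http://sapjava:50000/nwa"):
        fixed = to_https_url(url)
        print(url, "->", fixed, check_https_url(fixed) or "OK")
```

Run check_https_url over the URLs you export from the configuration areas above first: every finding it returns is one of the attributes the 3.2 checks tell you to verify by hand, and to_https_url gives the value to enter.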


3.2 Checks

3.2.1 ABAP HTTP Destination

1. Log on to the ABAP system.

2. Enter transaction /nsm59.

3. Verify that the fully qualified hostname and the HTTPS port are configured.

4. Verify that HTTP-based destinations have activated SSL within the Security Options.

3.2.2 ABAP Web Service Consumer Proxy

1. Log on to the ABAP system.

2. Enter transaction /nsoamanager.

3. Select the configured Web service consumer proxy.

4. Verify that within the Transport Settings, HTTPS protocol is selected.

5. Verify that the fully qualified hostname and the HTTPS port are configured.


3.2.3 ABAP Configuration Table

1. Log on to the ABAP system.

2. Enter transaction /nspro, /nsm30, or /nsm34 to maintain the target table or maintenance view.

3. Verify that within the Transport Settings, HTTPS protocol is selected.

4. Verify that the fully qualified hostname and the HTTPS port are configured.

3.2.4 ABAP Configuration Transactions / Reports

1. Log on to the ABAP system.

2. Enter the configuration transaction or the configuration report.

3. Navigate to the HTTP configuration.

4. Verify that within the Transport Settings, HTTPS protocol is selected.

5. Verify that the fully qualified hostname and the HTTPS port are configured.

Examples for this kind of configuration are:

o /nsldapicust for SLD Data Supplier

o /nsxmb_adm for SAP NetWeaver PI configuration

The configuration needs to be adapted from http to https.


3.2.5 AS Java HTTP Destinations

1. Enter the following URL: http://<hostname>:<port>/nwa

2. On the Configuration tab, choose Destinations.

3. Use the filter to filter the Destination Type on the value HTTP.

4. Verify that the URL contains https://, the fully qualified hostname, and the HTTPS port.

5. Choose the Accept certificates in keystore view radio button and select Trusted CAs as keystore view for enabling the SSL transport security.

6. Choose Ping Destination to ensure the connection is working.

3.2.6 AS Java Web Service Consumer Configuration

1. Start the Visual Administrator.

2. Choose the Web Service Security service.

3. In the list of the Web service proxies, choose the proxy in the Web Service Clients tree.

4. Choose the Transport Security tab.

5. Verify that the URL within the Connection Settings contains https://, the fully qualified hostname, and the HTTPS port.


3.2.7 Enterprise Portal Systems

1. Enter the following URL: http://<hostname>:<port>/irj

2. Choose System Administration → System Configuration.

3. Select the Search tab.

4. Select Entire Portal Catalog and object type System and choose Search.

5. In the context menu of a system, choose Open Object. Select Property Category: Show All.

6. Verify the properties concerning HTTP/HTTPS parameters and fully qualified hostname.

Typical parameters to change are:

o ITS Hostname

o ITS Protocol

o Web AS Hostname

o Web AS Protocol

7. Perform a connection test and verify that the HTTPS connection was used.


3.2.8 Exchange Infrastructure Integration Directory

1. Log on to the integration directory.

   1. Enter the following URL: https://<host>:<port>/rep

   2. Choose Integration Directory.

2. Log on to the Integration Directory within WebStart.

3. Choose Object → Find from the menu.

   1. Enter Object Type = Communication Channel.

   2. Choose Search.

4. Open every communication channel and ensure that HTTPS is used. If Addressing Type = URL Address:

   Verify Transport Protocol is using HTTPS 1.0.

   Verify Target Host is using a fully qualified hostname.

   Verify Service Number is using the HTTPS port.

5. Choose Change Lists to activate all your changes.


4 Only HTTPS Configuration

The goal of this step is to ensure that all scenarios, without exception, on the consumer systems and all services on the provider system are only communicating with HTTPS.

4.1 Tasks

Ensure by configuration that only HTTPS-based communication is allowed.

Configuration area: ABAP ICM
  Remove all HTTP-based port configurations and allow only HTTPS ports.

Configuration area: ABAP ICF Services
  Change the security requirement from Standard to SSL.

Configuration area: ABAP Service Provider / Endpoint
  Change Communication Security from None (HTTP) to SSL (HTTPS, Transport Channel Security).

4.2 Checks

4.2.1 ABAP ICM

1. Log on to the ABAP system.

2. Enter transaction /nsmicm.

3. Choose Goto → Services.

4. Verify that only HTTPS-based ports are configured and no HTTP ports.
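The icm/server_port_N profile parameters shown in the 2.1 task table determine which row of the 1.5 overview the provider side is in, so both the 2.1 preparation (at least one HTTPS port exists) and this 4.2.1 check (no HTTP port remains) can be read off the instance profile rather than from SMICM by hand. The following Python code is an added example and not part of the SAP guide; the profile fragments in it are constructed, and the function names are choices made for this example.

```python
import re

# Constructed sample profile fragments in the shape of the icm/server_port_N
# parameters from section 2.1; they are not profiles taken from a real system.
PROFILE_NO_HTTPS = """\
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/keep_alive_timeout = 60
"""

PROFILE_PREPARE = """\
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=8001
"""

PROFILE_ONLY_HTTPS = """\
icm/server_port_0 = PROT=HTTPS,PORT=8001,TIMEOUT=60,PROCTIMEOUT=600
icm/server_port_1 = PROT=SMTP,PORT=25000
"""

_PORT_PARAM = re.compile(r"^\s*icm/server_port_(\d+)\s*=\s*(.+?)\s*$")


def parse_icm_ports(profile_text):
    """Parse every icm/server_port_N line into a dict of its sub-parameters.

    Returns a list like [{'index': 0, 'PROT': 'HTTP', 'PORT': '8000'}, ...].
    Sub-parameters other than PROT and PORT (TIMEOUT, PROCTIMEOUT, HOST, ...)
    are kept verbatim; lines that are not icm/server_port_N parameters are skipped.
    """
    ports = []
    for line in profile_text.splitlines():
        match = _PORT_PARAM.match(line)
        if not match:
            continue
        entry = {"index": int(match.group(1))}
        for item in match.group(2).split(","):
            if "=" not in item:
                continue
            key, value = item.split("=", 1)
            entry[key.strip().upper()] = value.strip()
        if "PROT" in entry:
            entry["PROT"] = entry["PROT"].upper()
        ports.append(entry)
    return ports


def provider_level(profile_text):
    """Map the provider-side port configuration onto the guide's overview table.

    'HTTP-only'      -> NoHTTPS level (section 1.1)
    'HTTP and HTTPS' -> PrepareHTTPS or ConsumeHTTPS level (sections 1.2, 1.3)
    'HTTPS-only'     -> OnlyHTTPS level (section 1.4)
    'none'           -> neither an HTTP nor an HTTPS port is configured
    """
    protocols = {entry.get("PROT") for entry in parse_icm_ports(profile_text)}
    has_http = "HTTP" in protocols
    has_https = "HTTPS" in protocols
    if has_http and has_https:
        return "HTTP and HTTPS"
    if has_https:
        return "HTTPS-only"
    if has_http:
        return "HTTP-only"
    return "none"


def https_ports(profile_text):
    """Section 2.1 / 2.2.2: the HTTPS ports the ICM will serve (empty list = not prepared)."""
    return [entry["PORT"] for entry in parse_icm_ports(profile_text)
            if entry.get("PROT") == "HTTPS" and "PORT" in entry]


def remaining_http_ports(profile_text):
    """Section 4.2.1: parameters that still open a plain HTTP port (must be empty at OnlyHTTPS)."""
    return [f"icm/server_port_{entry['index']}" for entry in parse_icm_ports(profile_text)
            if entry.get("PROT") == "HTTP"]


if __name__ == "__main__":
    for name, text in (("NoHTTPS", PROFILE_NO_HTTPS), ("Prepare", PROFILE_PREPARE),
                       ("OnlyHTTPS", PROFILE_ONLY_HTTPS)):
        print(f"{name}: provider is {provider_level(text)}, HTTPS ports {https_ports(text)}, "
              f"HTTP ports left {remaining_http_ports(text)}")
```

Feed it the instance profile of each provider system: a non-empty result from remaining_http_ports names exactly the parameters that still have to be removed before the landscape is at the OnlyHTTPS level, while an empty https_ports result means the 2.1 preparation has not been done on that system yet.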


4.2.2 ABAP ICF Framework

1. Log on to the ABAP system.

2. Enter transaction /nsicf.

3. Double-click the service you want to change.

4. Choose the Logon Data tab.

5. Verify that the Security Requirement is set to SSL.

4.2.3 ABAP Web Service Provider and Web Service Endpoint

1. Log on to the ABAP system.

2. Enter transaction /nsoamanager.

3. Select the configured Web service provider or Web service endpoint.

Verify that under Communication Security, the SSL (HTTPS, Transport Channel Security) radio button is selected and the None (HTTP) radio button is disabled.